Catalyst 6500 Series Command Reference, 8.7
set port auxiliaryvlan to set rcp username

Table Of Contents

set port auxiliaryvlan

set port broadcast

set port channel

set port cops

set port critical

set port debounce

set port description

set port dhcp-snooping

set port disable

set port dot1q-all-tagged

set port dot1q-ethertype

set port dot1qtunnel

set port dot1x

set port duplex

set port enable

set port eou

set port errdisable-timeout

set port errordetection

set port ethernet-cfm

set port ethernet-evc

set port ethernet-lmi

set port ethernet-oam

set port ethernet-oam action

set port ethernet-oam link-monitor

set port ethernet-oam mode

set port ethernet-oam remote-loopback

set port ethernet-uni

set port flexlink

set port flowcontrol

set port gmrp

set port gvrp

set port host

set port inlinepower

set port jumbo

set port l2protocol-tunnel

set port lacp-channel

set port mac-auth-bypass

set port macro

set port membership

set port mvrp

set port name

set port negotiation

set port protocol

set port qos

set port qos autoqos

set port qos cos

set port qos policy-source

set port qos trust

set port qos trust-device

set port qos trust-ext

set port rsvp dsbm-election

set port security

set port security-acl

set port speed

set port sync-restart-delay

set port trap

set port unicast-flood

set port vlan-mapping

set port voice interface dhcp

set port vtp

set port web-auth

set port web-auth initialize

set power redundancy

set prompt

set protocolfilter

set pvlan

set pvlan mapping

set qos

set qos acl default-action

set qos acl ip

set qos acl ipx

set qos acl mac

set qos acl map

set qos autoqos

set qos bridged-microflow-policing

set qos cos-cos-map

set qos cos-dscp-map

set qos drop-threshold

set qos dscp-cos-map

set qos dscp-mutation-map

set qos dscp-mutation-table-map

set qos dscp-rewrite

set qos ipprec-dscp-map

set qos mac-cos

set qos map

set qos policed-dscp-map

set qos policer

set qos policy-source

set qos rsvp

set qos rxq-ratio

set qos statistics export

set qos statistics export aggregate

set qos statistics export destination

set qos statistics export interval

set qos statistics export port

set qos txq-ratio

set qos wred

set qos wrr

set radius attribute

set radius auto-initialize

set radius deadtime

set radius keepalive

set radius key

set radius retransmit

set radius server

set radius timeout

set rate-limit

set rcp username


set port auxiliaryvlan

To configure the auxiliary VLAN ports, use the set port auxiliaryvlan command.

set port auxiliaryvlan mod[/port] {vlan | untagged | dot1p | none} [cdpverify {enable | disable}]

Syntax Description

mod[/port]

Number of the module and (optional) port or multiple ports.

vlan

Number of the VLAN; valid values are from 1 to 4094.

untagged

Specifies that the connected device sends and receives untagged packets without 802.1p priority.

dot1p

Specifies that the connected device sends and receives packets with 802.1p priority.

none

Specifies that the switch does not send any auxiliary VLAN information in the CDP packets from that port.

cdpverify

(Optional) Sets automatic detection of IP phones by using CDP.

enable

(Optional) Enables the automatic detection of IP phones.

disable

(Optional) Disables the automatic detection of IP phones.


Defaults

The default setting is none.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

If you do not specify a port, all ports are selected. The vlan option specifies that the connected device sends packets that are tagged with a specific VLAN.

If you enter the none option, voice information will not be sent or received.

Dynamic VLAN support for voice VLAN identifier (VVID) includes these restrictions to the following multiple VLAN access port (MVAP) configuration on the switch port:

You can configure any VVID on a dynamic port including dot1p and untagged, except when the VVID is equal to dot1p or untagged. If this is the case, you must configure VMPS with the MAC address of the IP phone. When you configure the VVID as dot1p or untagged on a dynamic port, this warning message is displayed:

VMPS should be configured with the IP phone mac's.

For dynamic ports, the auxiliary VLAN ID cannot be the same as the native VLAN ID assigned by VMPS for the dynamic port.

You cannot configure trunk ports as dynamic ports, but an MVAP can be configured as a dynamic port.

The presence of an IP phone is determined through CDP packet exchange between the switch and the phone. This detection method is used for both inline-powered IP phones and wall-powered IP phones.

If the auxiliary VLAN ID equals the port-VLAN ID or when the auxiliary VLAN ID is configured as none, dot1p, or untagged, this feature cannot be applied to the port. If any command entry results in the auxiliary VLAN ID equaling the port-VLAN ID, the feature is disabled and the following warning message is displayed:

cdpverify feature on port mod/port is disabled.

Examples

This example shows how to set the auxiliary VLAN port to untagged:

Console> (enable) set port auxiliaryvlan 5/7 untagged
Port 5/7 allows the connected device send and receive untagged packets and 
without 802.1p priority.  
Console> (enable)

This example shows how to set the auxiliary VLAN port to dot1p:

Console> (enable) set port auxiliaryvlan 5/9 dot1p
Port 5/9 allows the connected device send and receive packets with 802.1p priority.
Console> (enable)

This example shows how to set the auxiliary VLAN port to none:

Console> (enable) set port auxiliaryvlan 5/12 none 
Port 5/12 will not allow sending CDP packets with AuxiliaryVLAN information.
Console> (enable)

This example shows how to set the auxiliary VLAN port to a specific module, port, and VLAN:

Console> (enable) set port auxiliaryvlan 2/1-3 222 
Auxiliaryvlan 222 configuration successful.
AuxiliaryVlan AuxVlanStatus Mod/Ports
------------- ------------- -------------------------
222           active        1/2,2/1-3
Console> (enable)

Related Commands

show port auxiliaryvlan

set port broadcast

To set broadcast, multicast, or unicast suppression for one or more ports, use the set port broadcast command. The threshold limits the backplane traffic received from the module.

set port broadcast mod/port threshold% [violation {drop-packets | errdisable}] [multicast {enable | disable}] [unicast {enable | disable}]

Syntax Description

mod/port

Number of the module and the port on the module.

threshold%

Percentage of total available bandwidth that can be used by traffic; valid values are decimal numbers from 0.00% to 100% or whole numbers from 0% to 100%.

violation

(Optional) Specifies an action when suppression occurs.

drop-packets

(Optional) Drops packets when suppression occurs.

errdisable

(Optional) Errdisables the port when suppression occurs.

multicast

(Optional) Specifies multicast suppression.

enable | disable

(Optional) Enables or disables the suppression type.

unicast

(Optional) Specifies unicast suppression.


Defaults

The default is 100% (no broadcast limit).

The default action is drop-packets if a broadcast violation occurs.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

This command is not supported by the NAM.

You can enter the threshold value in two ways:

A decimal number followed by a percent sign (for example 0.33%)

A whole number followed by a percent sign (for example 33%)

The percent sign (%) is required when entering the threshold value.

The multicast and unicast keywords are supported on Gigabit Ethernet modules only.

If you enter the command without using the multicast or unicast keyword, only broadcast traffic is suppressed. If you enter the multicast or unicast keyword, both broadcast and the selected traffic type are suppressed.

Examples

This example shows how to limit broadcast traffic to 20 percent:

Console> (enable) set port broadcast 4/3 20%
Port 4/3 broadcast traffic limited to 20.00%.
Console> (enable) 

This example shows how to limit broadcast traffic to 90 percent and to errdisable when suppression occurs:

Console> (enable) set port broadcast 4/6 90% violation errdisable
Port 4/6 broadcast traffic limited to 90.00%.
On broadcast suppression port 4/6 is configured to move to errdisabled state.
Console> (enable)

This example shows how to allow a specific amount of multicast traffic to a range of ports:

Console> (enable) set port broadcast 4/1-24 80% multicast enable
Port 4/1-24 multicast traffic limited to 80%.
Console> (enable) 

This example shows how to limit broadcast and multicast traffic to 91 percent, to disable unicast traffic, and to errdisable when suppression occurs:

Console> (enable) set port broadcast 4/2 91% violation errdisable multicast enable unicast 
disable 
Port 4/2 broadcast and multicast traffic limited to 91.00%.
On broadcast suppression port 4/2 is configured to move to errdisabled state.
Console> (enable)

This example shows how to limit broadcast, multicast, and unicast traffic to 91 percent:

Console> (enable) set port broadcast 4/2 91% multicast enable unicast enable
Port 4/2 broadcast, multicast and unicast traffic limited to 91.00%.
Console> (enable)
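
The syntax and Usage Guidelines rules above, as an added Python example (not Cisco code): it parses a set port broadcast command line, enforces the percent-sign and 0 to 100 range rules, applies the drop-packets default, and reports which traffic types end up suppressed. The function names and the result dictionary are assumptions made for this illustration.

```python
import re
from decimal import Decimal

VIOLATION_ACTIONS = {"drop-packets", "errdisable"}
OPTIONAL_TYPES = ("multicast", "unicast")


def parse_threshold(text):
    """Return the threshold as a Decimal percentage, or raise ValueError."""
    if not text.endswith("%"):
        raise ValueError(f"threshold {text!r}: the percent sign (%) is required")
    number = text[:-1]
    # Whole numbers (33) and decimal numbers (0.33) are both accepted.
    if not re.fullmatch(r"\d+(\.\d+)?", number):
        raise ValueError(f"threshold {text!r}: not a whole or decimal number")
    value = Decimal(number)
    if value > 100:
        raise ValueError(f"threshold {text!r}: valid values are 0% to 100%")
    return value


def parse_set_port_broadcast(line):
    """Parse one 'set port broadcast' command into its effective settings."""
    tokens = line.split()
    if tokens[:3] != ["set", "port", "broadcast"] or len(tokens) < 5:
        raise ValueError("not a complete set port broadcast command")
    ports, threshold = tokens[3], parse_threshold(tokens[4])
    options = tokens[5:]
    if len(options) % 2:
        raise ValueError("option keyword without a value")

    violation = "drop-packets"   # default action stated in the Defaults section
    suppressed = ["broadcast"]   # broadcast is always covered by the command
    seen = set()
    for keyword, value in zip(options[0::2], options[1::2]):
        if keyword in seen:
            raise ValueError(f"duplicate keyword {keyword!r}")
        seen.add(keyword)
        if keyword == "violation" and value in VIOLATION_ACTIONS:
            violation = value
        elif keyword in OPTIONAL_TYPES and value in ("enable", "disable"):
            # 'enable' adds the traffic type to broadcast suppression.
            if value == "enable":
                suppressed.append(keyword)
        else:
            raise ValueError(f"unexpected option {keyword!r} {value!r}")

    return {
        "ports": ports,
        "threshold": threshold,
        "violation": violation,
        "suppressed": suppressed,
        # 100% is the default and means no broadcast limit.
        "limits_traffic": threshold < 100,
    }


if __name__ == "__main__":
    # Command lines taken from the Examples section, plus one constructed
    # line (4/1 100%) that leaves the port at the no-limit default.
    for command in (
        "set port broadcast 4/3 20%",
        "set port broadcast 4/2 91% violation errdisable multicast enable unicast disable",
        "set port broadcast 4/2 91% multicast enable unicast enable",
        "set port broadcast 4/1 100%",
    ):
        print(command, "->", parse_set_port_broadcast(command))
```
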

Related Commands

clear port broadcast
show port broadcast

set port channel

To configure EtherChannel on Ethernet module ports, use the set port channel command.

set port channel mod/port [admin_group]

set port channel mod/port mode {on | off | desirable | auto} [silent | non-silent]

set port channel all mode off

set port channel all distribution {ip | mac} [source | destination | both]

set port channel all distribution {session} [source | destination | both]

set port channel all distribution {ip-vlan-session} [source | destination | both]

Syntax Description

mod/port

Number of the module and the port on the module.

admin_group

(Optional) Number of the administrative group; valid values are from 1 to 1024.

mode

Specifies the EtherChannel mode.

on

Enables and forces specified ports to channel without PAgP.

off

Prevents ports from channeling.

desirable

Sets a PAgP mode that places a port into an active negotiating state, in which the port initiates negotiations with other ports by sending PAgP packets.

auto

Sets a PAgP mode that places a port into a passive negotiating state, in which the port responds to PAgP packets it receives, but does not initiate PAgP packet negotiation.

silent

(Optional) Used with auto or desirable when no traffic is expected from the other device, to prevent the link from being reported to STP as down.

non-silent

(Optional) Used with auto or desirable when traffic is expected from the other device.

all mode off

Turns off channeling on all ports globally.

all distribution

Applies frame distribution to all ports in the Catalyst 6500 series switch.

ip

Specifies the frame distribution method using IP address values.

mac

Specifies the frame distribution method using MAC address values.

source

(Optional) Specifies the frame distribution method using source address values.

destination

(Optional) Specifies the frame distribution method using destination address values.

both

(Optional) Specifies the frame distribution method using source and destination address values.

session

Allows frame distribution of Layer 4 traffic.

both

(Optional) Specifies the frame distribution method using source and destination Layer 4 port number.

ip-vlan-session

Specifies the frame distribution method based on the source or destination IP address, the forwarding index derived from the VLAN, and the source or destination Layer 4 port.


Defaults

By default, EtherChannel is set to auto and silent on all module ports. The defaults for frame distribution are ip and both.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

This command is not supported by the NAM.

This command is not supported by non-EtherChannel-capable modules.

The set port channel all distribution session command is supported on systems configured with the Supervisor Engine 2 with Layer 3 Switching Engine II (PFC2) and the Supervisor Engine 720.

Make sure that all ports in the channel are configured with the same port speed, duplex mode, and so forth. For more information on EtherChannel, refer to the Catalyst 6500 Series Software Configuration Guide.

With the on mode, a usable EtherChannel exists only when a port group in on mode is connected to another port group in on mode.

If you are running QoS, make sure that bundled ports are all of the same trust types and have similar queueing and drop capabilities.

Disable the port security feature on the channeled ports (see the set port security command). If you enable port security for a channeled port, the port shuts down when it receives packets with source addresses that do not match the secure address of the port.

You can configure up to eight ports on the same switch in each administrative group.

When you assign ports to an existing administrative group, the original ports associated with the administrative group will move to a new automatically picked administrative group. You cannot add ports to the same administrative group.

If you do not enter an admin_group value, a new administrative group is created with the admin_group value selected automatically. The next available administrative group is automatically selected.

If you do not enter the channel mode, the channel mode of the addressed ports is not modified.

The silent | non-silent parameters only apply if desirable or auto modes are entered.

If you do not specify silent or non-silent, the current setting is not affected.

The ip-vlan-session keyword is supported only on the Supervisor Engine 720.


Note: With software releases 6.2(1) and earlier, the 6- and 9-slot Catalyst 6500 series switches support a maximum of 128 EtherChannels.

With software releases 6.2(2) and later, due to the port ID handling by the spanning tree feature, the maximum supported number of EtherChannels is 126 for a 6- or 9-slot chassis and 63 for a 13-slot chassis. Note that the 13-slot chassis was first supported in software release 6.2(2).


Examples

This example shows how to set the channel mode to desirable:

Console> (enable) set port channel 2/2-8 mode desirable
Ports 2/2-8 channel mode set to desirable.
Console> (enable)

This example shows how to set the channel mode to auto:

Console> (enable) set port channel 2/7-8,3/1 mode auto
Ports 2/7-8,3/1 channel mode set to auto.
Console> (enable)

This example shows how to group ports 4/1 through 4 in an administrative group:

Console> (enable) set port channel 4/1-4 96
Port(s) 4/1-4 are assigned to admin group 96.
Console> (enable)

This example shows the display when the port list is exceeded:

Console> (enable) set port channel 2/1-9 1
No more than 8 ports can be assigned to an admin group.
Console> (enable) 

This example shows how to disable EtherChannel on module 4, ports 4 through 6:

Console> (enable) set port channel 4/4-6 mode off
Port(s) 4/4-6 channel mode set to off.
Console> (enable) 

This example shows the display output when you assign ports to an existing administrative group. This example moves ports in admin group 96 to another admin group and assigns ports 4/4 through 6 to admin group 96:

Console> (enable) set port channel 4/4-6 96
Port(s) 4/1-3 are moved to admin group 97.
Port(s) 4/4-6 are assigned to admin group 96.
Console> (enable) 

This example shows how to set the channel mode to off for ports 4/4 through 6 and assign ports 4/4 through 6 to an automatically selected administrative group:

Console> (enable) set port channel 4/4-6 off
Port(s) 4/4-6 channel mode set to off.
Port(s) 4/4-6 are assigned to admin group 23.
Console> (enable) 

This example shows how to configure the EtherChannel load-balancing feature:

Console> (enable) set port channel all distribution ip destination
Channel distribution is set to ip destination.
Console> (enable) 

Related Commands

show channel
show channel group
show port channel

set port cops

To create port roles, use the set port cops command.

set port cops mod/port roles role1 [role2]...

Syntax Description

mod/port

Number of the module and the port on the module.

roles role#

Specifies the roles.


Defaults

By default, all ports have a role of null string (that is, a string of length 0).

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

This command is not supported by the NAM.

A port may have multiple roles. You can configure a maximum of 64 total roles per switch. You can specify multiple roles in a single command.

Examples

This example shows how to create roles on a port:

Console> (enable) set port cops 3/1 roles backbone_port main_port
New role `backbone_port' created.
New role `main_port' created.
Roles added for port 3/1-4.
Console> (enable)

This example shows the display if you attempt to create a role and exceed the maximum allowable number of roles:

Console> (enable) set port cops 3/1 roles access_port
Unable to add new role. Maximum number of roles is 64.
Console> (enable)

Related Commands

clear port cops
show port cops

set port critical

To enable or disable the Inaccessible Authentication Bypass (IAB) feature on a port that is configured to use 802.1X, LPIP, MAC authentication bypass, or Web Authentication, use the set port critical command.

set port critical mod/port {enable | disable}

Syntax Description

mod/port

Number of the module and the port on the module.

enable

Enables IAB on the specified port.

disable

Disables IAB on the specified port.


Defaults

IAB is disabled.

Command Types

Switch.

Command Modes

Privileged.

Usage Guidelines

Use the set port critical command in place of the set port dot1x mod/port critical command.

Examples

This example shows how to enable IAB on port 1, module 5:

Console> (enable) set port critical 5/1 enable
Port, 5/1 Critical feature enabled.
Console> (enable)

Related Commands

show port critical
show port mac-auth-bypass
show port web-auth

set port debounce

To enable or disable the debounce timer or configure the timer setting on a per-port basis, use the set port debounce command.

set port debounce mod/port {enable | disable}

set port debounce mod/port delay time

Syntax Description

mod/port

Number of the module and the port on the module.

enable | disable

Enables or disables the debounce timer.

delay

Sets the debounce timer for gigabit fiber ports.

time

Amount of time the firmware waits before notifying the supervisor engine of a link change; valid values are 200 milliseconds or from 300 to 5000 milliseconds. This is supported on gigabit fiber ports only. See the "Usage Guidelines" section for more information.


Defaults

By default, the debounce timer is disabled on all ports.

When the debounce timer is disabled, the default debounce timer values are as follows:

10BASE-FL ports—300 milliseconds

10/100BASE-TX ports—300 milliseconds

100BASE-FX ports—300 milliseconds

10/100/1000BASE-TX ports—300 milliseconds

1000BASE-TX ports—300 milliseconds

Fiber Gigabit Ethernet ports—10 milliseconds

10-Gigabit Ethernet ports—10 milliseconds

When the debounce timer is enabled, the default debounce timer values are as follows:

10BASE-FL ports—3100 milliseconds

10/100BASE-TX ports—3100 milliseconds

100BASE-FX ports—3100 milliseconds

10/100/1000BASE-TX ports—3100 milliseconds

1000BASE-TX ports—3100 milliseconds

Fiber Gigabit Ethernet ports—100 milliseconds

10-Gigabit Ethernet ports—100 milliseconds

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

The debounce timer is the time the firmware waits before notifying the supervisor engine of a link change at the physical layer.

Setting the debounce timer value to 200 milliseconds or from 300 to 5000 milliseconds is possible only for gigabit fiber ports. You do not need to enable the debounce timer on a gigabit fiber port before adjusting the timer. Any timer value that is greater than the default value in disabled state is considered a value that enables the timer.

For 10/100 ports and 100BASE-FX ports in the disabled state, the firmware may take up to 600 milliseconds to notify the supervisor engine of a link change because the firmware polling time is every 300 milliseconds.

For 10/100 ports and 100BASE-FX ports in the enabled state, the firmware may take up to 3400 milliseconds to notify the supervisor engine of a link change because the firmware polling time is every 300 milliseconds.

Examples

This example shows how to enable the debounce timer for a specific port on a specific module:

Console> (enable) set port debounce 1/1 enable
Debounce is enabled on port 1/1.
Warning:Enabling port debounce causes Link Up/Down detections to be delayed.
It results in loss of data traffic during debouncing period, which might
affect the convergence/reconvergence of various Layer 2 and Layer 3
protocols.
Use with caution.
Console> (enable)

Related Commands

show port debounce

set port description

To include a description that identifies a port, use the set port description command.

set port description mod/port [port_description]

Syntax Description

mod/port

Number of the module and the port on the module.

port_description

(Optional) Description that identifies the specified port. See the "Usage Guidelines" section for more information.


Defaults

This command has no default settings.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

The set port description command adds another 43 characters to the existing limit of 21 characters that can be set when you enter the set port name command.

The set port description command is only supported in text configuration mode.

If you do not enter a port_description argument, the port description is cleared.

Examples

This example shows how to include a port description:

Console> (enable) set port description 7/1 sarahtom 172.30.8.35 00-0a-5e-44-8b-8 2/2
Port 7/1 description set.
Console> (enable)

This example shows how to clear a port description:

Console> (enable) set port description 7/1
Port 7/1 description cleared.
Console> (enable)

Related Commands

set port name
show config mode
show port description

set port dhcp-snooping

To configure DHCP snooping on a port, use the set port dhcp-snooping command.

set port dhcp-snooping mod/port {trust | source-guard} {enable | disable}

set port dhcp-snooping mod/port binding-limit count

set port dhcp-snooping mod/port add-binding ip-addr mac-addr [vlan]

Syntax Description

mod/port

Number of the module and port on the module.

trust

Specifies the trust feature.

source-guard

Specifies the IP Source Guard feature.

enable

Enables the specified DHCP-Snooping feature.

disable

Disables the specified DHCP-Snooping feature.

binding-limit

Specifies the number of IP-to-MAC bindings that are allowed on a port.

count

Number of bindings that are allowed on a port; valid values are from 1 to 100.

add-binding

Adds an IP-to-MAC binding.

ip-addr

IP address.

mac-addr

MAC address.

vlan

(Optional) Number of the VLAN.


Defaults

Trust and Source Guard are disabled.

The binding limit on a port is 32.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

If you enter the set port dhcp-snooping mod/ports trust disable command, the DHCP snooping feature performs checks on packets coming from the ports that you specify. If you enter the enable keyword, the feature trusts the packets from those ports and does not perform checks.

If you enter the set port dhcp-snooping mod/ports source-guard enable command, the IP addresses learned through DHCP snooping are the only source IP addresses allowed on incoming traffic. All packets that contain other IP addresses are dropped. If a new binding is added, the IP address associated with that binding is added to the port. If a binding is deleted, the IP address associated with that binding is removed from the port.

If DHCP snooping is disabled on a VLAN, the bindings for that VLAN are deleted.

If you enable IP Source Guard on a port, that port should be untrusted. Also, the security ACL mode should be port-based or merge-mode, and no PACLs should be on the port.

Note the following when configuring DHCP-related features:

IP Source Guard is supported only on the PFC3.

ARP inspection is supported on Supervisor Engine 2, Supervisor Engine 720, and Supervisor Engine 32, but not on Supervisor Engine 1.

DHCP snooping is supported on all supervisor engines.

IP Source Guard is supported on Supervisor Engine 720 and Supervisor Engine 32, but not on Supervisor Engine 1 or Supervisor Engine 2.

Dynamic ARP Inspection is supported on Supervisor Engine 2, Supervisor Engine 720, and Supervisor Engine 32, but not on Supervisor Engine 1.

You must configure DHCP snooping on a server port when it is configured on a per-port basis. The server port must be trusted.

You can enable IP Source Guard only when the ACL mode is port based.

Examples

This example shows how to enable DHCP trust on port 2 of module 2:

Console> (enable) set port dhcp-snooping 2/2 trust enable
Port(s)  2/2 state set to trusted for DHCP Snooping.
Console> (enable)

This example shows how to enable IP Source Guard on port 2 of module 2:

Console> (enable) set port dhcp-snooping 2/2 source-guard enable
Enabling IP Source Guard on port(s) 2/2.
Console> (enable)

This example shows how to limit the number of bindings to 48 on port 4 and port 5 of module 3:

Console> (enable) set port dhcp-snooping 3/4-5 binding-limit 48
Ports 3/4-5 DHCP snooping binding limit is set to 48
Console> (enable)

This example shows how to add a binding to a specified port:

Console> (enable) set port dhcp-snooping 5/1 add-binding 172.20.52.18 00-50-f0-ac-30-54 1
DHCP Snooping Binding addition successful for Port 5/1, Vlan 1 
 IP addr 172.20.52.18, Mac Addr 00-50-f0-ac-30-54.
Console> (enable) 
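
The constraints in the Usage Guidelines above lend themselves to an offline configuration check. The following Python is an added example (not Cisco code): it replays set port dhcp-snooping lines from a saved configuration, tracks per-port state, and flags IP Source Guard enabled on a trusted port and binding limits outside 1 to 100. The sample configuration is constructed, the function and finding names are assumptions, and the port-list parser handles only the list forms shown on this page (for example 3/4-5 and 2/7-8,3/1).

```python
import re

# Constructed sample configuration for illustration; not taken from a device.
SAMPLE_CONFIG = """\
set port dhcp-snooping 2/1 trust enable
set port dhcp-snooping 2/2 trust enable
set port dhcp-snooping 2/2-3 source-guard enable
set port dhcp-snooping 3/4-5 binding-limit 48
set port dhcp-snooping 3/6 binding-limit 250
set port dhcp-snooping 5/1 source-guard enable
set port dhcp-snooping 5/1 trust disable
"""

DEFAULT_BINDING_LIMIT = 32                      # default stated under Defaults
BINDING_LIMIT_MIN, BINDING_LIMIT_MAX = 1, 100   # valid range for count


def expand_ports(spec):
    """Expand a port list such as '2/7-8,3/1' into ['2/7', '2/8', '3/1']."""
    ports = []
    for part in spec.split(","):
        match = re.fullmatch(r"(\d+)/(\d+)(?:-(\d+))?", part)
        if not match:
            raise ValueError(f"unsupported port list element: {part!r}")
        module, first = int(match.group(1)), int(match.group(2))
        last = int(match.group(3)) if match.group(3) else first
        if last < first:
            raise ValueError(f"descending port range: {part!r}")
        ports.extend(f"{module}/{port}" for port in range(first, last + 1))
    return ports


def port_key(port):
    """Sort key that orders '2/10' after '2/9'."""
    module, number = port.split("/")
    return int(module), int(number)


def audit_dhcp_snooping(config_text):
    """Replay the commands in order and return final state plus findings."""
    ports, findings = {}, []

    def entry(port):
        # Trust and Source Guard are disabled by default.
        return ports.setdefault(port, {"trust": False, "source_guard": False,
                                       "limit": DEFAULT_BINDING_LIMIT})

    for line in config_text.splitlines():
        tokens = line.split()
        # add-binding lines and unrelated commands are ignored here.
        if len(tokens) != 6 or tokens[:3] != ["set", "port", "dhcp-snooping"]:
            continue
        targets, keyword, value = expand_ports(tokens[3]), tokens[4], tokens[5]
        if keyword in ("trust", "source-guard") and value in ("enable", "disable"):
            field = "trust" if keyword == "trust" else "source_guard"
            for port in targets:
                entry(port)[field] = (value == "enable")
        elif keyword == "binding-limit" and value.isdigit():
            count = int(value)
            for port in targets:
                if BINDING_LIMIT_MIN <= count <= BINDING_LIMIT_MAX:
                    entry(port)["limit"] = count
                else:
                    entry(port)  # keep the port at its previous limit
                    findings.append((port, "binding-limit-out-of-range"))

    # A port with IP Source Guard enabled should be untrusted.
    for port, settings in ports.items():
        if settings["source_guard"] and settings["trust"]:
            findings.append((port, "source-guard-on-trusted-port"))

    return {
        "ports": ports,
        # Trusted ports skip DHCP snooping checks; review that each is a server port.
        "trusted": sorted((p for p, s in ports.items() if s["trust"]), key=port_key),
        "findings": sorted(findings, key=lambda f: (port_key(f[0]), f[1])),
    }


if __name__ == "__main__":
    report = audit_dhcp_snooping(SAMPLE_CONFIG)
    print("trusted ports:", report["trusted"])
    for port, issue in report["findings"]:
        print(f"{port}: {issue}")
```
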

Related Commands

clear dhcp-snooping bindings
show port dhcp-snooping

set port disable

To disable a port or a range of ports, use the set port disable command.

set port disable mod/port

Syntax Description

mod/port

Number of the module and the port on the module.


Defaults

The default system configuration has all ports enabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

This command is not supported by the NAM.

It takes approximately 30 seconds for this command to take effect.

Examples

This example shows how to disable a port using the set port disable command:

Console> (enable) set port disable 5/10
Port 5/10 disabled.
Console> (enable) 

Related Commands

set port enable
show port

set port dot1q-all-tagged

To enable the 802.1Q tagging feature on specific ports, use the set port dot1q-all-tagged command.

set port dot1q-all-tagged {mod/port} {enable | disable}

Syntax Description

mod/port

Number of the module and the port on the module.

enable

Enables the dot1q-all-tagged feature.

disable

Disables the dot1q-all-tagged feature.


Defaults

The 802.1Q tagging feature is enabled on a per-port basis. See the "Usage Guidelines" section for more information.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

Although 802.1Q tagging is enabled by default on a per-port basis, tagging only takes effect when you enable the feature globally by entering the set dot1q-all-tagged enable command. When the global command is enabled, if you do not want tagging on a specific port, you must disable the feature on that port.

Examples

This example shows how to enable the dot1q tagging feature on specific ports:

Console> (enable) set port dot1q-all-tagged 1/1-2 enable
Packets on native vlan will be tagged on port(s) 1/1-2.
Console> (enable)

This example shows how to enable the dot1q tagging feature on all ports:

Console> (enable) set port dot1q-all-tagged all enable
Packets on native vlan will be tagged on all applicable ports.
Console> (enable)

This example shows how to disable the dot1q tagging feature on specific ports:

Console> (enable) set port dot1q-all-tagged 1/1-2 disable
Packets on native vlan will not be tagged for port(s) 1/1-2.
Console> (enable)

This example shows how to disable the dot1q tagging feature on all ports:

Console> (enable) set port dot1q-all-tagged all disable
Packets on native vlan will not be tagged on all applicable ports.
Console> (enable)

Related Commands

set dot1q-all-tagged
show dot1q-all-tagged
show port dot1q-all-tagged

set port dot1q-ethertype

To set the EtherType field in the IEEE 802.1Q tag to a custom value, use the set port dot1q-ethertype command.

set port dot1q-ethertype mod/port {value | default}

Syntax Description

mod/port

Number of the module and the port on the module.

value

Hexadecimal number of the two-byte EtherType field.

default

Specifies the default value of 0x8100 for the two-byte EtherType field.


Defaults

The EtherType field is set to default.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

If you specify a custom EtherType field, your network can support Cisco and non-Cisco switches that do not use the standard 0x8100 EtherType to identify 802.1Q-tagged frames. When you specify a custom EtherType field, you can identify 802.1Q tagged frames and switch the frames to a specified VLAN. The two bytes immediately following the EtherType are interpreted as a standard 802.1Q tag. Specify the value of the two-byte EtherType field as a hexadecimal number.

To return the custom EtherType field to the default value (0x8100), use the set port dot1q-ethertype mod/port default command.


Note: A custom 802.1Q EtherType field is supported on the following modules only: Supervisor Engine 2 and Supervisor Engine 720 uplink ports, WS-X6516-GBIC, WS-X6516A-GBIC, WS-X6516-GE-TX, WS-X6148-GE-TX, WS-X6148V-GE-TX, WS-X6548-GE-TX, WS-X6548V-GE-TX, WS-X6748-GE-TX, WS-X6724-SFP, WS-X6704-10GE, WS-X6501-10GEX4, and WS-X6502-10GE.



Note: EtherChannels do not support a custom 802.1Q EtherType field. If you configure a port with a custom 802.1Q EtherType field, the port cannot join a channel. If a channel is already configured, you cannot change the 802.1Q EtherType on any of the channel ports.



Note: On the WS-X6516A-GBIC, WS-X6516-GBIC, and WS-X6548-GE-TX modules, if you configure a port with a custom 802.1Q EtherType in the port groups 1 through 8 or 9 through 16, all ports in the group are configured with the custom 802.1Q EtherType. On the WS-X6516-GE-TX module, if you configure a port with a custom 802.1Q EtherType in the port groups 1 through 4, 5 through 8, 9 through 12, or 13 through 16, all ports in the group are configured with the custom 802.1Q EtherType.



Note: You can use a custom 802.1Q EtherType field on trunk ports, 802.1Q access ports, and 802.1Q/802.1p multi-VLAN access ports. Additionally, you should configure the custom EtherType value the same on both ends of a link.


Examples

This example shows how to set the 802.1Q EtherType to 0x1234 on module 2, port 1:

Console> (enable) set port dot1q-ethertype 2/1 1234
All the group ports 2/1-2 associated with port 2/1 will be modified.
Do you want to continue (y/n) [n]?y
Dot1q Ethertype value set to 0x1234 on ports 2/1-2.
Console> (enable)

This example shows how to return the 802.1Q EtherType field to the standard EtherType field (0x8100) on module 2, port 1:

Console> (enable) set port dot1q-ethertype 2/1 default
All the group ports 2/1-2 associated with port 2/1 will be modified.
Do you want to continue (y/n) [n]?y
Dot1q Ethertype value set to 0x8100 on ports 2/1-2.

Console> (enable)

Related Commands

show port dot1q-ethertype

set port dot1qtunnel

To configure the dot1q tunnel mode for the port, use the set port dot1qtunnel command.

set port dot1qtunnel mod/port {access | disable}

Syntax Description

mod/port

Number of the module and the port on the module.

access

Turns off the port trunking mode.

disable

Disables dot1q tunneling.


Defaults

Dot1q tunnel mode is disabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

You cannot enable the dot1q tunneling feature on a port until dot1q-tagged-only mode is enabled.

You cannot disable dot1q-tagged-only mode on the switch until dot1q tunneling is disabled on all the ports on the switch.

You cannot set the dot1q tunnel mode to access if port security is enabled.

You cannot set the dot1q tunnel mode to access on a port with an auxiliary VLAN configured.

An interconnected network can have redundant paths to the same ISP edge switch, but it cannot have redundant paths to two different ISP edge switches.


Note PBF does not work with 802.1Q tunnel traffic. PBF is supported on Layer 3 IP unicast traffic, but it is not applicable to Layer 2 traffic. At the intermediate (PBF) switch, all 802.1Q tunnel traffic appears as Layer 2 traffic.


If you enable dot1q-tagged globally, the dot1q-tagged per-port setting controls whether or not the frames are tagged. If you disable dot1q-tagged globally, the default group is never tagged and the per-port setting has no effect.

Examples

This example shows how to set dot1q tunneling on the port to access:

Console> (enable) set port dot1qtunnel 4/1 access
Dot1q tunnel feature set to access mode on port 4/1.
Port 4/2 trunk mode set to off.
Console> (enable) 

This example shows the output if you try to turn on trunking on a port that has dot1q tunneling mode set:

Console> (enable) set trunk 4/1 on
Failed to set port 4/1 to trunk mode on.
The dot1q tunnel mode for the port is currently set to access.
Console> (enable) 

Related Commands

show port dot1qtunnel

set port dot1x

To configure 802.1X on a port, use the set port dot1x command.

set port dot1x mod/port multiple-host {enable | disable}

set port dot1x mod/port port-control port_control_value

set port dot1x mod/port initialize

set port dot1x mod/port re-authenticate

set port dot1x mod/port re-authentication {enable | disable}

set port dot1x mod/port multiple-authentication {enable | disable}

set port dot1x mod/port guest-vlan {vlan | none}

set port dot1x mod/port shutdown-timeout {enable | disable}

set port dot1x mod/port port-control-direction {both | in}

set port dot1x mod/port auth-fail-vlan {vlan | none}

set port dot1x mod/port critical {enable | disable}

set port dot1x mod/port re-authperiod server {enable | disable}

set port dot1x mod/port ip-device-tracking {enable | disable}

Syntax Description

mod/port

Number of the module and port on the module.

multiple-host

Specifies multiple-user access; see the "Usage Guidelines" section for more information.

enable

Enables multiple-user access.

disable

Disables multiple-user access.

port-control port_control_value

Specifies the port control type; valid values are force-authorized, force-unauthorized, and auto.

initialize

Initializes 802.1X on the port.

re-authenticate

Manually initiates a reauthentication of the entity connected to the port.

re-authentication

Automatically initiates reauthentication of the entity connected to the port within the reauthentication time period; see the "Usage Guidelines" section for more information.

enable

Enables automatic reauthentication.

disable

Disables automatic reauthentication.

multiple-authentication

Specifies multiple authentications so that more than one host can gain access to the port; see the "Usage Guidelines" section for more information.

enable

Enables multiple authentication.

disable

Disables multiple authentication.

guest-vlan

Specifies an active VLAN as an 802.1X guest VLAN.

vlan

Number of the VLAN; valid values are from 1 to 4094.

none

Clears the guest VLAN on the port.

shutdown-timeout

Specifies the shutdown-timeout period for a port after a security violation. See the "Usage Guidelines" section for more information.

enable

Activates the automatic reenabling of a port after the shutdown timeout period.

disable

Deactivates the automatic reenabling of a port after the shutdown timeout period.

port-control-direction

Specifies the traffic control direction on a port.

both

Blocks traffic in both directions.

in

Blocks traffic only in the incoming direction.

auth-fail-vlan

Sets the VLAN that provides limited access to end hosts that have failed 802.1X authentication. See the "Usage Guidelines" section for more information.

none

Clears the authentication failure VLAN on a port.

critical

Sets the 802.1X port as a critical port. See the "Usage Guidelines" section for more information.

enable

Enables the critical option on the 802.1X port.

disable

Disables the critical option on the 802.1X port.

re-authperiod server

Sets session timeout override on the 802.1X port. See the "Usage Guidelines" section for more information.

enable

Applies the session timeout value that is received from the RADIUS server.

disable

Applies the reauthentication period value that was configured through the CLI.

ip-device-tracking

Tracks the host using its IP address.

enable

Enables IP device tracking.

disable

Disables IP device tracking.


Defaults

The default settings are as follows:

The multiple host feature is disabled.

The port_control_value is set to force-authorized.

The reauthentication feature is disabled.

The multiple authentication feature is disabled.

The guest VLAN feature is set to none.

The shutdown-timeout feature is disabled.

The port control direction is set to both.

The auth-fail-vlan VLAN is set to none.

The critical option is disabled.

The re-authperiod server option is disabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

The 802.1X port will not be allowed to become a trunk port, MVAP, channel port, dynamic port, or a secure port.

When setting the port control type, the following applies:

force-authorized forces the controlled port to transition to the authorized state unconditionally and is equivalent to disabling the 802.1X restriction on the port.

force-unauthorized forces the controlled port to transition to the unauthorized state unconditionally and denies the supplicant the authorized services of the authenticator.

auto enables 802.1X control on the port.

If you disable the multiple host feature, once an 802.1X port is authorized through a successful authentication of a supplicant, only that particular host (MAC address) is allowed on that port. When the system detects another host (different MAC address) on the authorized port, it shuts down the port and displays a syslog message. This is the default system behavior.

If you enable the multiple host feature, once an 802.1X port is authorized through a successful authentication of a supplicant, any host (any MAC address) is allowed to send or receive traffic on that port.

If you enable reauthentication, you can set the reauthentication time period in seconds by entering the set dot1x re-authperiod seconds command. The default for the reauthentication time period is 3600 seconds.

You can enable either multiple host mode or multiple authentication mode.

On an 802.1X-enabled port, an administratively configured VLAN cannot be equal to an auxiliary VLAN.

To specify the number of seconds that a port is shut down after a security violation, enter the set dot1x shutdown-timeout command. Then enter the set port dot1x mod/port shutdown-timeout enable command to activate automatic reenabling of the port after the shutdown-timeout period has elapsed.

If you enter the set port dot1x mod/port port-control-direction in command, all incoming traffic is dropped. If you enter the set port dot1x mod/port port-control-direction both command, all incoming and outgoing traffic is dropped.

When you configure 802.1X unidirectional or bidirectional ports, follow these guidelines:

Auxiliary VLANs—To support auxiliary VLANs on a port when you configure the port as a unidirectional port, the auxiliary VLAN is moved to the spanning tree "forwarding" state to ensure that the connected IP phone is operational immediately. To prevent any disturbance of the incoming traffic, initially the port VLAN is also moved to the spanning tree "forwarding" state and then if any traffic is seen on the port VLAN, the port is moved to the spanning tree "blocking" state to drop all additional traffic. The connected host is then requested to get authorized to send any traffic.

Guest VLANs—Guest VLANs are supported only on ports configured as bidirectional ports. If a guest VLAN is enabled on a port, that port cannot be configured as a unidirectional port and vice versa.

Port mode—The port mode (single-authentication mode, multiple-host mode, or multiple-authentication mode) for a port configured as a unidirectional port must be single-authentication mode (the default port mode).

You can provide limited access to an end host that does not have valid credentials for 802.1X authentication. After three failed attempts at authentication, the end host will obtain network connectivity through a VLAN that you configure for users that fail authentication. To configure this VLAN, enter the set port dot1x mod/port auth-fail-vlan vlan command. To disable this feature, enter the set port dot1x mod/port auth-fail-vlan none command.

When configuring the authentication failure VLAN, follow these configuration guidelines and be aware of these restrictions:

After three failed 802.1X authentication attempts by the supplicant, the port is moved to the authentication failure VLAN where the supplicant can access the network. These three attempts introduce a delay of 3 minutes before the port is enabled in the authentication failure VLAN and the EAP success packet is sent to the supplicant (1 minute per failed attempt based on the default quiet period of 60 seconds after each failed attempt).

The number of failed 802.1X authentication attempts is counted from the time of the linkup to the point where the port is moved into the authentication failure VLAN. When the port moves into the authentication failure VLAN, the failed-attempts counter is reset.

Only the authenticated-failed users are moved to the authentication failure VLAN.

The authentication failure VLAN is supported only in the single-authentication mode (the default port mode).

The authentication failure VLAN is not supported on a port that is configured as a unidirectional port.

The supplicant's MAC address is added to the CAM table and only its MAC address is allowed on the authentication failure VLAN port. Any new MAC address that appears on the port is treated as a security violation.

The authentication failure VLAN port cannot be part of an RSPAN VLAN or a private VLAN.

On multiple VLAN access ports (MVAPs), the authentication failure VLAN and the auxiliary VLAN cannot be the same.

The authentication failure VLAN and port security features do not conflict with each other. Additionally, other security features such as Dynamic ARP Inspection (DAI), Dynamic Host Configuration Protocol (DHCP) snooping, and IP Source Guard can be enabled and disabled independently on the authentication failure VLAN.

The authentication failure VLAN is independent of the guest VLAN. However, the guest VLAN can be the same VLAN as the authentication failure VLAN. If you do not want to differentiate between the non-802.1X-capable hosts and the authentication-failed hosts, you may configure both to the same VLAN (either a guest VLAN or an authentication failure VLAN).

High availability is supported with the authentication failure VLAN.

When you enter the set port dot1x mod/port critical enable command, 802.1X still attempts to authenticate the specified port in the normal way. However, if attempts to reach the authentication server fail, the port is still given access to the network in the administratively-configured VLAN or in the native VLAN of the port. A port can only be configured as a critical port if it is in single-authentication mode.

After a critical port has been given access to the network, if the authentication server becomes available, the critical port returns to the unauthorized state. The normal authentication process is restarted, and after the port is authenticated, it is moved into the RADIUS server-specified VLAN. At this point, you need to initialize the port manually by entering the set port dot1x mod/port initialize command.

If the authentication server goes down after a host has already been authenticated through the normal authentication process, the switch checks to see if the port is a critical port. If the port is a critical port, the normal reauthentication process is temporarily disabled for the port. The port is given network access until the authentication server becomes active and restarts the authentication process.

By default, the session timeout value from the RADIUS server takes precedence over the reauthentication value that is configured by entering set dot1x re-authperiod seconds. With the session timeout override option, you can specify on a per-port basis which timeout value is applied. If session timeout override is enabled, the session timeout value from the RADIUS server is applied. If session timeout override is disabled, the configured reauthentication value is applied.

Examples

This example shows how to set the port control type to auto:

Console> (enable) set port dot1x 4/1 port-control auto
Port 4/1 dot1x port-control is set to auto.
Console> (enable)

This example shows how to initialize 802.1X on a port:

Console> (enable) set port dot1x 4/1 initialize
dot1x port 4/1 initializing...
dot1x initialized on port 4/1.
Console> (enable)

This example shows how to manually reauthenticate a port:

Console> (enable) set port dot1x 4/1 re-authenticate
dot1x port 4/1 re-authenticating...
dot1x re-authentication successful...
dot1x port 4/1 authorized.
Console> (enable) 

This example shows how to enable multiple-user access on a specific port:

Console> (enable) set port dot1x 4/1 multiple-host enable
Multiple hosts allowed on port 4/1.
Console> (enable) 

This example shows how to enable automatic reauthentication on a port:

Console> (enable) set port dot1x 4/1 re-authentication enable
Port 4/1 re-authentication enabled.
Console> (enable) 

This example shows how to activate automatic reenabling of a port after the shutdown-timeout period has elapsed:

Console> (enable) set port dot1x 2/1 shutdown-timeout enable
Dot1x shutdown_timeout enabled
Console> (enable)

This example shows how to configure a port to drop all incoming traffic:

Console> (enable) set port dot1x 3/1 port-control-direction in
Port 3/1 Port Control Direction set to In.
Console> (enable)

This example shows how to configure a port to drop both incoming and outgoing traffic:

Console> (enable) set port dot1x 3/1 port-control-direction both
Port 3/1 Port Control Direction set to Both.
Console> (enable)

This example shows how to specify a VLAN on a port for users that have failed 802.1X authentication:

Console> (enable) set port dot1x 3/33 auth-fail-vlan 81
Port 3/33 Auth Fail Vlan is set to 81
Console> (enable)

This example shows how to disable the 802.1X authentication failure VLAN feature on a port:

Console> (enable) set port dot1x 2/1 auth-fail-vlan none
Port 2/1 Auth Fail Vlan is cleared
Console> (enable)

This example shows how to specify a port as a critical port:

Console> (enable) set port dot1x 5/48 critical enable
Port 5/48 critical-port option is enabled
Console> (enable)

This example shows how to apply the session timeout value that is received from the RADIUS server on a port:

Console> (enable) set port dot1x 5/10 re-authperiod server enable
Port 5/10 session-timeout-override option is enabled
Console> (enable)

This example shows how to enable IP device tracking for 802.1X on a port:

Console> (enable) set port dot1x 2/15 ip-device-tracking enable
Port 2/15 ip-device-tracking option is enabled
Console>(enable)
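
The restrictions in the usage guidelines above can be checked against a planned configuration before it is entered on the switch. The following Python linter is an added example, not Cisco code: it reads set port dot1x lines in the syntax shown on this page and reports each port that breaks one of those rules or is left at the force-authorized default. The rule codes, function names, and sample configuration are constructed for illustration, and it assumes one mod/port per line (no port ranges).

```python
import re

# Per-port defaults, taken from the Defaults list for set port dot1x on this page.
DEFAULTS = {
    "port-control": "force-authorized",
    "multiple-host": "disable",
    "multiple-authentication": "disable",
    "guest-vlan": "none",
    "port-control-direction": "both",
    "auth-fail-vlan": "none",
    "critical": "disable",
}
PORT_RE = re.compile(r"^\d+/\d+$")  # assumption: one mod/port per line, no ranges


def single_auth(s):
    """Single-authentication mode (the default): neither multi mode is enabled."""
    return s["multiple-host"] == "disable" and s["multiple-authentication"] == "disable"


def unidirectional(s):
    """A port is unidirectional when port-control-direction is 'in'."""
    return s["port-control-direction"] == "in"


# (code, predicate, message). Codes are hypothetical names for this example;
# each message restates one sentence of the Usage Guidelines.
RULES = [
    ("NOT_ENFORCED", lambda s: s["port-control"] == "force-authorized",
     "port-control is force-authorized, which is equivalent to disabling 802.1X"),
    ("MODE_CONFLICT",
     lambda s: s["multiple-host"] == "enable" and s["multiple-authentication"] == "enable",
     "multiple-host and multiple-authentication are both enabled; only one is allowed"),
    ("MULTI_HOST_OPEN", lambda s: s["multiple-host"] == "enable",
     "after one supplicant authenticates, any MAC address can use the port"),
    ("GUEST_VLAN_UNIDIR", lambda s: unidirectional(s) and s["guest-vlan"] != "none",
     "guest VLANs are supported only on bidirectional ports"),
    ("UNIDIR_MODE", lambda s: unidirectional(s) and not single_auth(s),
     "a unidirectional port must be in single-authentication mode"),
    ("AUTHFAIL_MODE", lambda s: s["auth-fail-vlan"] != "none" and not single_auth(s),
     "the authentication failure VLAN needs single-authentication mode"),
    ("AUTHFAIL_UNIDIR", lambda s: s["auth-fail-vlan"] != "none" and unidirectional(s),
     "the authentication failure VLAN is not supported on a unidirectional port"),
    ("CRITICAL_MODE", lambda s: s["critical"] == "enable" and not single_auth(s),
     "a critical port must be in single-authentication mode"),
]


def parse(config_text):
    """Return {port: settings}; later lines override earlier ones."""
    ports = {}
    for raw in config_text.splitlines():
        tok = raw.split()
        # initialize and re-authenticate are actions, not settings (5 tokens).
        if len(tok) < 6 or tok[:3] != ["set", "port", "dot1x"]:
            continue
        port, keyword, value = tok[3], tok[4], tok[-1]
        if not PORT_RE.match(port):
            continue
        settings = ports.setdefault(port, dict(DEFAULTS))
        if keyword in settings:  # keywords the rules do not use are ignored
            settings[keyword] = value
    return ports


def audit(config_text):
    """Return {port: [rule codes]} for every port that has a dot1x setting."""
    return {port: [code for code, hit, _ in RULES if hit(s)]
            for port, s in parse(config_text).items()}


def report(config_text):
    """Return one 'port: CODE: message' line per finding, ordered by mod/port."""
    messages = {code: msg for code, _, msg in RULES}
    by_port = sorted(audit(config_text).items(),
                     key=lambda kv: tuple(int(n) for n in kv[0].split("/")))
    return [f"{port}: {code}: {messages[code]}" for port, codes in by_port for code in codes]


# Constructed sample configuration (not taken from a real switch).
SAMPLE = """\
set port dot1x 4/1 port-control auto
set port dot1x 4/1 multiple-host enable
set port dot1x 3/1 port-control auto
set port dot1x 3/1 port-control-direction in
set port dot1x 3/1 guest-vlan 20
set port dot1x 3/33 port-control auto
set port dot1x 3/33 auth-fail-vlan 81
set port dot1x 3/33 multiple-authentication enable
set port dot1x 5/48 critical enable
set port dot1x 2/1 port-control auto
set port dot1x 2/1 auth-fail-vlan 81
set port dot1x 2/1 guest-vlan 81
set port dot1x 2/1 re-authperiod server enable
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Port 2/1 in the sample produces no finding because the page allows the guest VLAN and the authentication failure VLAN to be the same VLAN; port 5/48 is reported because the critical option was set without changing port-control from its default.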

Related Commands

set dot1x
show dot1x
show port dot1x

set port duplex

To configure the duplex type of an Ethernet port or a range of ports, use the set port duplex command.

set port duplex mod/port {full | half}

Syntax Description

mod/port

Number of the module and the port on the module.

full

Specifies full-duplex transmission.

half

Specifies half-duplex transmission.


Defaults

The default configuration for 10-Mbps and 100-Mbps modules has all Ethernet ports set to half duplex.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

You can configure Ethernet and Fast Ethernet interfaces to either full duplex or half duplex.

The set port duplex command is not supported on Gigabit Ethernet ports. Gigabit Ethernet ports support full-duplex mode only.

If the transmission speed on a 16-port RJ-45 Gigabit Ethernet port is set to 1000, duplex mode is set to full. If the transmission speed is changed to 10 or 100, the duplex mode stays at full. You must configure the correct duplex mode when transmission speed is changed to 10 or 100 from 1000.

Examples

This example shows how to set port 1 on module 2 to full duplex:

Console> (enable) set port duplex 2/1 full
Port 2/1 set to full-duplex.
Console> (enable)

Related Commands

show port

set port enable

To enable a port or a range of ports, use the set port enable command.

set port enable mod/port

Syntax Description

mod/port

Number of the module and the port on the module.


Defaults

By default, all ports are enabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

This command is not supported by the NAM.

It takes approximately 30 seconds for this command to take effect.

Examples

This example shows how to enable port 3 on module 2:

Console> (enable) set port enable 2/3
Port 2/3 enabled.
Console> (enable) 

Related Commands

set port disable
show port

set port eou

To configure Extensible Authentication Protocol over User Datagram Protocol (EoU) on a per-port basis, use the set port eou command.

set port eou mod/port {bypass | enable | disable}

set port eou mod/port initialize

set port eou mod/port revalidate

set port eou mod/port aaa-fail-policy policy-name

set port eou mod/port ip-device-tracking {enable | disable}

Syntax Description

mod/port

Number of the module and the port on the module.

bypass

Bypasses EoU on a specified port.

enable

Enables EoU on a specified port.

disable

Disables EoU on a specified port.

initialize

Initializes EoU for hosts on a specified port.

revalidate

Revalidates EoU credentials for hosts on a specified port.

aaa-fail-policy

Maps an AAA fail policy for EoU to a specified port.

policy-name

Policy name to be mapped to the port.

ip-device-tracking

Tracks the host using its IP address.

enable

Enables IP device tracking.

disable

Disables IP device tracking.


Defaults

EoU is disabled on a port.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

Before you can use the set port eou mod/port aaa-fail-policy policy-name command, the template for the policy must be created.

After you have specified a policy template for a port, any changes to the policy template affect only those hosts that have been moved to AAA fail state after the policy template was changed. Hosts in already existing sessions use the policy template that was in place before any changes were made.

When you specify a different policy for a port, hosts in already existing sessions maintain the previously specified policy. The newly specified policy affects only new hosts entering AAA fail state.

Examples

This example shows how to enable EoU on a specified port:

Console> (enable) set port eou 5/3 enable
EoU LPIP enabled on port 5/3
Console> (enable)

This example shows how to initialize EoU for hosts on specified ports:

Console> (enable) set port eou 3/1-5 initialize
EoU LPIP restarted for ports 3/1-5
Console> (enable)

This example shows how to revalidate EoU credentials on specified ports:

Console> (enable) set port eou 3/1-5 revalidate
EoU LPIP revalidation started for ports 3/1-5
Console> (enable)

This example shows how to enable IP device tracking for an EoU-enabled port:

Console> (enable) set port eou 2/25 ip-device-tracking enable
EOU device tracking enabled on port 2/25
Console> (enable)

Related Commands

clear eou
set eou
set security acl ip
show eou
show port eou

set port errdisable-timeout

To prevent an errdisabled port from being enabled, use the set port errdisable-timeout command.

set port errdisable-timeout mod/port {enable | disable}

Syntax Description

mod/port

Number of the module and the port on the module.

enable

Enables errdisable timeout.

disable

Disables errdisable timeout.


Defaults

By default, the errdisable timeout for each port is enabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

When the global timer times out, the port will be reenabled. Use the set port errdisable-timeout command if you want the port to remain in the errdisabled state.

Examples

This example shows how to prevent port 3/3 from being enabled when it goes into errdisabled state:

Console> (enable) set port errdisable-timeout 3/3 disable
Successfully disabled errdisable-timeout for port 3/3.
Console> (enable) 

Related Commands

set errdisable-timeout
show errdisable-timeout
show port errdisable-timeout

set port errordetection

To enable or disable link error monitoring on an EtherChannel port, use the set port errordetection command.

set port errordetection mod/port {inerrors | rxcrc | txcrc} {enable | disable}

Syntax Description

mod/port

Number of the module and the port on the module.

inerrors

Specifies monitoring for inerrors on the port.

rxcrc

Specifies monitoring for RXCRC (CRCAlignErrors) errors on the port.

txcrc

Specifies monitoring for TXCRC errors on the port.

enable

Enables monitoring.

disable

Disables monitoring.


Defaults

Monitoring for inerrors is disabled.

Monitoring for RXCRC and TXCRC errors is disabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

All ports in an EtherChannel should have the same port error-detection settings.

Examples

This example shows how to enable RXCRC port error detection on port 3/1:

Console> (enable) set port errordetection 3/1 rxcrc enable
Port(s)  3/1 set to errordetection rxcrc enable.
Console> (enable)

Related Commands

set errordetection
show errordetection
show port errordetection

set port ethernet-cfm

To enable or disable Connectivity Fault Management (CFM) on a port, to configure a port as a Maintenance End Point (MEP) for a specific maintenance level, to configure a port as a Maintenance Intermediate Point (MIP) for a specific domain or a specific maintenance level, or to configure the Alarm Indication Signal (AIS) parameter of the port, use the set port ethernet-cfm command.

set port ethernet-cfm mod/port {enable | disable | transparent}

set port ethernet-cfm mod/port mep mpid mpid domain domain-name vlan vlan-id

set port ethernet-cfm mod/port mip level level vlan vlan-id

set port ethernet-cfm mod/port ais {enable | disable}

Syntax Description

mod/port

Number of the module and the port on the module.

enable

Enables CFM on a port.

disable

Disables CFM on a port.

transparent

Specifies transparent mode. The port will be considered for Continuity Check (CC) flooding.

mep

Configures a MEP.

mpid mpid

Sets a CFM Maintenance Point Identification.

domain domain-name

Specifies the name of the domain.

vlan vlan-id

Specifies the number of the VLAN or range of VLANs to associate to an MEP; valid values are from 1 to 4094.

mip

Configures a MIP.

level level

Specifies a maintenance level for the MIP; valid values are from 0 to 7.

ais

Specifies the AIS server MEP configuration and the AIS generation on a port.


Defaults

The AIS is disabled on a port.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

You must configure a MIP on the port before configuring a MEP. The MEP must be configured at a lower level than the level of the MIP.

The MPID string has a maximum of 256 characters. The MPID identifies the MEP on the network.

The interface defined as MEP or MIP must be a trunk or an 802.1Q tunnel port. If you specify a port that is not a trunk or an 802.1Q tunnel port, the set port ethernet-cfm command will fail.

A MIP or MEP can be a logical interface, such as a port channel.

You must enable CFM and AIS globally to configure the AIS on a port.

The IEEE 802.3ah Operations, Administrations, and Maintenance (OAM) feature on a specified port must be enabled for the server MEP to interact with an OAM link.

You must enable the Link-OAM on the port for the server MEP AIS functionality. If Ethernet-OAM is not operational on a port, the server MEP AIS will not be functional.

Examples

This example shows how to initialize a MIP at module 3, port 1, at level 50:

Console> (enable) set port ethernet-cfm 3/1 mip level 50
Port 3/1 set to MIP with ME Level 50.

Console> (enable)

This example shows how to enable CFM AIS on a port:

Console> (enable) set port ethernet-cfm 2/2 ais enable
Server MEP AIS generation is enabled on the port 2/2.
Console> (enable)

Related Commands

clear port ethernet-cfm

show port ethernet-cfm

set port ethernet-oam

set port ethernet-evc

To associate an Ethernet Virtual Connection (EVC) to a port and the corresponding CE-VLANs, use the set port ethernet-evc command.

set port ethernet-evc mod/port [evc-id]

Syntax Description

mod/port

Module number and the port number.

evc-id

(Optional) EVC identifier.


Defaults

This command has no default settings.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

The command is rejected if the EVC ID that you specified is not created or the configuration is not complete. You must configure the Connectivity Fault Management (CFM) inward Maintenance End Point (MEP) on the specified ports to allow the Ethernet Local Management Interface (ELMI) to work as expected.

Examples

This example shows how to set the Ethernet EVC ID as EVC1 for module 7, port 1:

Console> (enable) set port ethernet-evc 7/1 EVC1
EVC1 is associated to port 7/1.
Console> (enable)

Related Commands

clear port ethernet-evc

show port ethernet-evc

set port ethernet-lmi

To enable/disable Ethernet Local Management Interface (ELMI) processing on the port, use the set port ethernet-lmi command.

set port ethernet-lmi {mod/port} {enable | disable}

set port ethernet-lmi {mod/port} t391 {value | default | disable}

set port ethernet-lmi {mod/port} t392 {value | default | disable}

set port ethernet-lmi {mod/port} n391 {value | default}

set port ethernet-lmi {mod/port} n393 {value | default}

Syntax Description

mod/port

Module number and the port number.

enable

Enables ELMI on a particular port of a switch.

disable

Disables ELMI on a particular port of a switch.

t391

Specifies the polling timer to transmit the status enquiry. Range: 5 seconds to 30 seconds. Default: 10 seconds.

value

Timer value in seconds.

default

Configures the default value.

disable

Ensures that the T391 and T392 timers never expire and that the ELMI link is always up.

t392

Specifies the polling verification timer to verify the status inquiry received. Range: 5 seconds to 30 seconds. Default: 15 seconds.

n391

Specifies the polling counter that gives full status of the User to Network Interface (UNI) and all Ethernet Virtual Connections (EVC) polling counts. Range: 1 to 65000. Default: 360.

n393

Specifies the event counter that gives count of monitored events. Range: 1 to 10. Default: 4.


Defaults

This command has no default settings.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

T392 should be greater than T391.

T391 applies to the Customer Edge (CE) only.

T392 applies to the Provider Edge (PE) only.

N391 applies to CE only.

N393 applies to CE and PE.

Examples

These examples show how to set the ELMI port:

Console> (enable) set port ethernet-lmi 3/1 enable
Ethernet LMI is enabled on port 3/1.
Console> (enable)

Console> (enable) set port ethernet-lmi 3/1 t392 30
Ethernet LMI polling verification timer is set to 30 seconds for port 3/1.
Console> (enable)

Related Commands

clear port ethernet-lmi

show port ethernet-lmi

set port ethernet-oam

To enable or disable the IEEE 802.3ah Operations, Administrations, and Maintenance (OAM) feature on a specified port, use the set port ethernet-oam command.

set port ethernet-oam mod/port {enable | disable}

Syntax Description

mod/port

Number of the module and the port on the module.

enable

Enables OAM on the specified port.

disable

Disables OAM on the specified port.


Defaults

OAM is disabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

When OAM is disabled on a port, the system functions as if OAM is not configured on that port. When OAM is enabled, OAM on that port functions as if OAM had never been enabled before.

Examples

This example shows how to enable OAM on a specified port:

Console> (enable) set port ethernet-oam 1/1 enable
OAM enabled on port 1/1
Console> (enable)

Related Commands

clear port ethernet-oam
set port ethernet-oam action
set port ethernet-oam link-monitor
set port ethernet-oam mode
set port ethernet-oam remote-loopback
show port ethernet-oam

set port ethernet-oam action

To configure an action for OAM link events, use the set port ethernet-oam action command.

set port ethernet-oam mod/port {link-fault | dying-gasp | critical-event} action {errordisable | none | warning | error-block}

Syntax Description

mod/port

Number of the module and the port on the module.

link-fault

Sets the link fault configuration.

dying-gasp

Sets the dying-gasp configuration. See the "Usage Guidelines" section for more information.

critical-event

Sets the critical event configuration.

action

Configures action that is taken for corresponding link events.

errordisable

Sends port to errordisable state.

none

Takes no action when corresponding link event occurs.

warning

Generates system message when corresponding link event occurs.

error-block

Sets the port to the blocking state when a remote link failure flag is received and automatically changes the port to the forwarding state when the remote link becomes operational.


Defaults

The system generates a warning message when a link event occurs.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

If you specify the dying-gasp keyword, the errordisable option is not available.

Examples

This example shows how to configure the action that the specified port takes when a link fault occurs:

Console> (enable) set port ethernet-oam 1/1 link-fault action errordisable
OAM link-fault event action set to errordisable.
Console> (enable)

This example shows how to configure the action to error-block for a port:

Console> (enable) set port ethernet-oam 4/1 critical-event action error-block
Successfully updated OAM critical-event action on port(s) 4/1.
Console> (enable)

Related Commands

clear port ethernet-oam
set port ethernet-oam
set port ethernet-oam link-monitor
set port ethernet-oam mode
set port ethernet-oam remote-loopback
show port ethernet-oam

set port ethernet-oam link-monitor

To configure the OAM link monitoring feature on a port, use the set port ethernet-oam link-monitor command.

set port ethernet-oam mod/port link-monitor {enable | disable}

set port ethernet-oam mod/port link-monitor {symbol-period | frame | frame-period} window size

set port ethernet-oam mod/port link-monitor {symbol-period | frame | frame-period} low-threshold count [action {none | warning}]

set port ethernet-oam mod/port link-monitor {symbol-period | frame | frame-period} high-threshold count [action {errordisable | none | warning}]

Syntax Description

mod/port

Number of the module and the port on the module.

enable

Enables the OAM link monitor feature.

disable

Disables the OAM link monitor feature.

symbol-period

Sets monitoring by the number of symbols with errors.

frame

Sets monitoring by the number of frames with errors.

frame-period

Sets monitoring by frame period.

window

Sets link monitor window size for corresponding link events.

size

symbol-period: valid values are from 1 to 1000000 (1 = 1 million symbols).

frame: valid values are from 10 to 65535 (in 100-millisecond increments).

frame-period: valid values are from 200 to 2000000000 frames.

low-threshold

Sets the low-threshold count for corresponding link events.

count

Valid values are from 0 to 65535.

action

(Optional) Configures action that is taken for corresponding link events.

none

Takes no action when corresponding link event occurs.

warning

Generates system message when corresponding link event occurs.

high-threshold

Sets the high-threshold count for corresponding link events.

count

Valid values are from 1 to 65535.

errordisable

Sends port to errordisable state.


Defaults

Link monitoring is enabled.

The symbol-period event is 625 million symbols.

The frame event is 30 seconds.

The frame-period event is 10 million frames.

The low-threshold is 1 error.

For low-threshold, the action is a warning.

The high-threshold is 10 million errors.

For high-threshold, the action is a warning.

Command Types

Switch command.

Command Modes

Privileged.

Examples

This example shows how to set the window size for symbol-period link monitoring:

Console> (enable) set port ethernet-oam 1/1 link-monitor symbol-period window 100
OAM errored symbol period window set to 100M symbols on port 1/1
Console> (enable)

This example shows how to set the link monitoring low threshold for frame events to 10 errors:

Console> (enable) set port ethernet-oam 1/1 link-monitor frame low-threshold 10
OAM errored frame low-threshold set to 10 errors
Console> (enable)

This example shows how to set the link monitoring high threshold for frame-period events to 100 errors and to errordisable the port if the high threshold is reached:

Console> (enable) set port ethernet-oam 1/1 link-monitor frame-period high-threshold 100 action errordisable
OAM errored frame period high-threshold set to 100 errors on port 1/1, and action set to errordisable.
Console> (enable)

Related Commands

clear port ethernet-oam
set port ethernet-oam
set port ethernet-oam action
set port ethernet-oam mode
set port ethernet-oam remote-loopback
show port ethernet-oam

set port ethernet-oam mode

To set the OAM mode on a port, use the set port ethernet-oam mode command.

set port ethernet-oam mod/port mode {active | passive}

Syntax Description

mod/port

Number of the module and the number of the port on the module.

active

Sets the specified port to OAM active mode.

passive

Sets the specified port to OAM passive mode.


Defaults

OAM is active on all ports.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

An OAM entity can be in active or passive mode. An active-mode OAM entity can exert more control on its peer than a passive-mode OAM entity can. For example, an active-mode entity can put a passive-mode entity into loopback mode, but a passive-mode entity cannot put an active-mode entity into loopback mode.

Table 2-17 describes the functions that are allowed in active and passive modes.

Table 2-17 Functions Allowed in Active Mode and Passive Mode

Function                                         Active Entity  Passive Entity
-----------------------------------------------  -------------  --------------
Initiates OAM Discovery process                  Yes            No
Reacts to OAM Discovery process initiation       Yes            Yes
Required to send informational OAMPDUs           Yes            Yes
Permitted to send Event Notification OAMPDUs     Yes            Yes
Permitted to send Variable Request OAMPDUs       Yes            Yes
Permitted to send Variable Response OAMPDUs      Yes (1)        Yes
Permitted to send Loopback Control OAMPDUs       Yes            No
Reacts to Loopback Control OAMPDUs               Yes (1)        Yes
Permitted to send organization specific OAMPDUs  Yes            Yes

(1) The peer entity must be in active mode.


Examples

This example shows how to set the OAM on a specific port to active:

Console> (enable) set port ethernet-oam 1/1 mode active
OAM mode set to active on port 1/1
Console> (enable)

Related Commands

clear port ethernet-oam
set port ethernet-oam
set port ethernet-oam action
set port ethernet-oam link-monitor
set port ethernet-oam remote-loopback
show port ethernet-oam

set port ethernet-oam remote-loopback

To configure the OAM remote loopback feature on a port, use the set port ethernet-oam remote-loopback command.

set port ethernet-oam mod/port remote-loopback {deny | permit}

set port ethernet-oam mod/port remote-loopback {enable | disable}

set port ethernet-oam mod/port remote-loopback test [number_of_packets [packet_size]]

Syntax Description

mod/port

Number of the module and the port on the module.

deny

Denies OAM remote loopback requests on the specified port.

permit

Permits OAM remote loopback requests on the specified port.

enable

Initiates the OAM remote loopback test on the specified port.

disable

Ends the OAM remote loopback test on the specified port.

test

Tests the OAM remote loopback feature.

number_of_packets

(Optional) Number of packets that are sent from the specified port.

packet_size

(Optional) Packet size in bytes.


Command Default

OAM remote loopback requests are permitted.

If you do not specify the number of packets or the packet size, 10,000 64-byte packets are sent.

Command Types

Switch command.

Command Modes

Privileged mode.

Usage Guidelines

The set port ethernet-oam mod/port remote-loopback {enable | disable} command initiates or ends a loopback test on a port. You should use this command only on a port for which the peer OAM entity is capable of performing in OAM remote-loopback mode. After you enter the disable keyword, the switch displays a remote-loopback summary.

The set port ethernet-oam mod/port remote-loopback {enable | disable} command is not a configuration command and is not saved in NVRAM.

The set port ethernet-oam mod/port remote-loopback test command should only be run on a port whose status shows "remote OAM in loopback." When a test is run, the specified number of packets are sent on the port. Ensure that those packets are looped back. A summary of the test is displayed after the test is finished.

The set port ethernet-oam mod/port remote-loopback test command is not a configuration command and is not saved in NVRAM.
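The rules in Table 2-17 combined with the remote-loopback deny and permit keywords, as an added example (not Cisco code): it parses saved set port ethernet-oam lines, applies the defaults stated on this page (mode active, loopback requests permitted), and lists the ports that would honor a loopback request from an active peer. The OamPort class, the function names, and the sample configuration are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Defaults stated on this page: OAM mode is active, loopback requests are permitted.
DEFAULT_MODE = "active"
DEFAULT_LOOPBACK = "permit"


@dataclass
class OamPort:
    name: str
    mode: str = DEFAULT_MODE
    loopback: str = DEFAULT_LOOPBACK


def parse_config(lines):
    """Build {port: OamPort} from saved 'set port ethernet-oam' lines (last setting wins)."""
    ports = {}
    for line in lines:
        tok = line.split()
        if len(tok) < 6 or tok[:3] != ["set", "port", "ethernet-oam"]:
            continue
        port = ports.setdefault(tok[3], OamPort(tok[3]))
        if tok[4] == "mode" and tok[5] in ("active", "passive"):
            port.mode = tok[5]
        elif tok[4] == "remote-loopback" and tok[5] in ("deny", "permit"):
            port.loopback = tok[5]
        # remote-loopback enable/disable/test are not configuration and are ignored
    return ports


def sends_loopback_control(entity):
    # Table 2-17: only an active entity may send Loopback Control OAMPDUs.
    return entity.mode == "active"


def reacts_to_loopback_control(entity, peer):
    # Table 2-17: a passive entity reacts; an active entity reacts only if the
    # peer is active (footnote 1). 'deny' refuses requests in either mode.
    if entity.loopback == "deny":
        return False
    return entity.mode == "passive" or peer.mode == "active"


def evaluate_link(local, peer):
    """Derive what each end of one link can do to the other."""
    # Only active entities initiate discovery, so passive-passive never starts.
    discovery = local.mode == "active" or peer.mode == "active"
    return {
        "discovery": discovery,
        "peer_can_loop_local": discovery and sends_loopback_control(peer)
        and reacts_to_loopback_control(local, peer),
        "local_can_loop_peer": discovery and sends_loopback_control(local)
        and reacts_to_loopback_control(peer, local),
    }


def loopback_exposed(ports):
    """Ports that would honor a loopback request from an active peer."""
    worst_case_peer = OamPort("peer", mode="active")
    return sorted(
        name for name, port in ports.items()
        if evaluate_link(port, worst_case_peer)["peer_can_loop_local"]
    )


# Constructed sample configuration (not taken from a real switch).
SAMPLE_CONFIG = [
    "set port ethernet-oam 1/1 remote-loopback deny",
    "set port ethernet-oam 1/2 mode passive",
    "set port ethernet-oam 1/3 mode active",
    "set port ethernet-oam 1/1 remote-loopback enable",
]

if __name__ == "__main__":
    ports = parse_config(SAMPLE_CONFIG)
    print("accept remote loopback:", loopback_exposed(ports))
    print(evaluate_link(OamPort("a", "passive"), OamPort("b", "passive")))
```

Because the requesting side must be active in every row of the table, changing the local port to passive does not stop it from honoring requests; only remote-loopback deny does.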

Examples

This example shows how to deny remote loopback requests on a port:

Console> (enable) set port ethernet-oam 1/1 remote-loopback deny
OAM remote loopback request will be denied on port 1/1
Console> (enable)

This example shows how to initiate a loopback test on a port:

Console> (enable) set port ethernet-oam 1/1 remote-loopback enable
OAM remote loopback operation enabled on port 1/1
Warning:enabling OAM remote loopback operation moves the port into diagnostic mode.
Console> (enable)

This example shows how to end a loopback test on a port. When you disable the test, a summary of the loopback test is displayed:

Console> (enable) set port ethernet-oam 1/1 remote-loopback disable
OAM remote loopback summary on port 1/1
Port  TxTotal    RxTotal    Error
----  ---------  ---------  --------
1/1   999999     999444     111

OAM remote loopback mode disabled on port 1/1
Console> (enable)

This example shows how to test the remote loopback feature on a port:

Console> (enable) set port ethernet-oam 1/1 remote-loopback test 999999
Transmitting 999999 (64 byte) packets on port 1/1.
Please wait...
OAM remote loopback summary on port 1/1 (loopback master):
Port  TxTotal    RxTotal    Error
----  ---------  ---------  --------
1/1   999999     999444     111
Console> (enable)

Related Commands

clear port ethernet-oam
set port ethernet-oam
set port ethernet-oam action
set port ethernet-oam link-monitor
set port ethernet-oam mode
show port ethernet-oam

set port ethernet-uni

To set the User to Network Interface (UNI) ID for a particular port, use the set port ethernet-uni command.

set port ethernet-uni {mod/port} id {uni-id}

set port ethernet-uni {mod/port} type [all-to-one | multiplex]

Syntax Description

mod/port

Number of the module and the port on the module.

id uni-id

Specifies a unique string set as a UNI ID for the port. The maximum length is 64 characters.

type

(Optional) Specifies the type of EVC. The following arguments are used with this keyword:

all-to-one: UNI supports only a single Ethernet Virtual Connection (EVC). Every CE-VLAN-ID is mapped to this single EVC.

multiplex: UNI supports one or more than one EVC. One or more than one CE-VLAN IDs (except every CE-VLAN ID) can be mapped to one EVC.


Defaults

This command has no default settings.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

An error message is displayed if a string is not unique on the switch.

It is not necessary to configure a UNI ID for ELMI to function. A UNI ID with a null value is a valid value. Some Customer Edge (CE) platforms are designed to discard ELMI frames if the UNI ID is null and the ELMI protocol link status may go down.

All-to-one bundling is supported only on dot1q-tunneled ports. Service multiplex with no bundling is supported on access and trunk ports.

Examples

This example shows how to set the Ethernet UNI ID as CUST_A_PORT1 for module 3, port 1:

Console> (enable) set port ethernet-uni 3/1 id CUST_A_PORT1
UNI id CUST_A_PORT1 is configured on port 3/1
Console> (enable)

Related Commands

clear port ethernet-uni

show port ethernet-uni

set port flexlink

To specify a Flexlink active port and a backup (peer) port, use the set port flexlink command.

set port flexlink mod/port peer mod/port

Syntax Description

mod/port

Number of the module and the port on the module.

peer

Specifies the peer port for the Flexlink active port.


Defaults

This command has no default settings.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

Flexlink redundancy allows you to specify two ports to form a redundant link capability. You configure one port as the active port and the other port is configured as the backup or peer port. The active port is in the forwarding state while the backup port is in the blocking state. The backup port does not allow traffic to pass.

When configuring Flexlink redundancy, follow these guidelines and restrictions:

The maximum number of Flexlink pairs (one active port and one backup port) is 16 per switch.

Flexlink ports cannot be part of an EtherChannel.

Flexlink ports do not join STP operations. Flexlink ports do not generate STP BPDUs, and they drop all received BPDUs.

Because it works with STP, VTP pruning does not work on Flexlink ports.

SPAN works with Flexlink ports.

IGMP works with Flexlink ports.

DTP can run on Flexlink ports.

Flexlink redundancy is for simple access topologies (two uplinks from a leaf node). You must ensure that there is a loop-free path from the wiring closet to the access network. Unlike STP, Flexlink is not designed to detect loops.

Deploying STP in the core while running Flexlink redundancy on the edge is an acceptable configuration.

Flexlink converges faster only if the directly connected link fails. Any other failure in the network is not improved by Flexlink fast convergence.

Examples

This example shows how to specify port 3/48 as the Flexlink active port and port 3/47 as the Flexlink backup (peer) port:

Console> (enable) set port flexlink 3/48 peer 3/47
Flexlink is successfully set on the port 3/48 and 3/47
Console> (enable)

This example shows the message that is displayed if you try to specify the same port as the active and the backup port:

Console> (enable) set port flexlink 2/2 peer 2/2
Port(s) can not backup itself.
Console> (enable)

Related Commands

clear port flexlink
show port flexlink

set port flowcontrol

To configure a port to send or receive pause frames, use the set port flowcontrol command. Pause frames are special packets that signal a source to stop sending frames for a specific period of time because the buffers are full.

set port flowcontrol mod/port {receive | send} {off | on | desired}

Syntax Description

mod/port

Number of the module and the port on the module.

receive

Specifies that a port processes pause frames.

send

Specifies that a port sends pause frames.

off

Prevents a local port from receiving and processing pause frames from remote ports or from sending pause frames to remote ports.

on

Enables a local port to receive and process pause frames from remote ports or send pause frames to remote ports.

desired

Obtains predictable results regardless of whether a remote port is set to on, off, or desired.


Defaults

Flow-control defaults vary depending upon port speed:

Gigabit Ethernet ports default to off for receive (Rx) and desired for transmit (Tx)

Fast Ethernet ports default to off for receive and on for transmit

On the 24-port 100BASE-FX and 48-port 10/100 BASE-TX RJ-45 modules, the default is off for receive and off for send.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

This command is not supported by the NAM.

When you configure the 24-port 100BASE-FX and 48-port 10/100 BASE-TX RJ-45 modules, you can set the receive flow control to on or off and the send flow control to off.

All Catalyst Gigabit Ethernet ports can receive and process pause frames from remote devices.

To obtain predictable results, use these guidelines:

Use send on only when remote ports are set to receive on or receive desired.

Use send off only when remote ports are set to receive off or receive desired.

Use receive on only when remote ports are set to send on or send desired.

Use send off only when remote ports are set to receive off or receive desired.

Table 2-18 describes guidelines for different configurations of the send and receive keywords.

Table 2-18 send and receive Keyword Configurations

Configuration    Description
---------------  -----------------------------------------------------------
send on          Enables a local port to send pause frames to remote ports.
send off         Prevents a local port from sending pause frames to remote ports.
send desired     Obtains predictable results whether a remote port is set to receive on, receive off, or receive desired.
receive on       Enables a local port to process pause frames that a remote port sends.
receive off      Prevents a local port from sending pause frames to remote ports.
receive desired  Obtains predictable results whether a remote port is set to send on, send off, or send desired.


Examples

This example shows how to configure port 1 of module 5 to receive and process pause frames:

Console> (enable) set port flowcontrol receive 5/1 on
Port 5/1 flow control receive administration status set to on
(port will require far end to send flowcontrol)
Console> (enable)

This example shows how to configure port 1 of module 5 to receive and process pause frames if the remote port is configured to send pause frames:

Console> (enable) set port flowcontrol receive 5/1 desired
Port 5/1 flow control receive administration status set to desired
(port will allow far end to send flowcontrol if far end supports it)
Console> (enable)

This example shows how to configure port 1 of module 5 to receive but not process pause frames:

Console> (enable) set port flowcontrol receive 5/1 off
Port 5/1 flow control receive administration status set to off
(port will not allow far end to send flowcontrol)
Console> (enable)

This example shows how to configure port 1 of module 5 to send pause frames:

Console> (enable) set port flowcontrol send 5/1 on
Port 5/1 flow control send administration status set to on
(port will send flowcontrol to far end)
Console> (enable)

This example shows how to configure port 1 of module 5 to send pause frames and yield predictable results even if the remote port is set to receive off:

Console> (enable) set port flowcontrol send 5/1 desired
Port 5/1 flow control send administration status set to desired
(port will send flowcontrol to far end if far end supports it)
Console> (enable)

Related Commands

show port flowcontrol

set port gmrp

To enable or disable GMRP on the specified ports in all VLANs, use the set port gmrp command.

set port gmrp mod/port {enable | disable}

Syntax Description

mod/port

Number of the module and the port on the module.

enable

Enables GVRP on a specified port.

disable

Disables GVRP on a specified port.


Defaults

The default is GMRP is disabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

This command is not supported by the NAM.

You can enter this command even when GMRP is not enabled, but the values come into effect only when you enable GMRP using the set gmrp enable command.

Examples

This example shows how to enable GMRP on module 3, port 1:

Console> (enable) set port gmrp 3/1 enable
GMRP enabled on port(s) 3/1.
GMRP feature is currently disabled on the switch.
Console> (enable)

This example shows how to disable GMRP on module 3, ports 1 through 5:

Console> (enable) set port gmrp 3/1-5 disable
GMRP disabled on port(s) 3/1-5.
Console> (enable)

Related Commands

show gmrp configuration

set port gvrp

To enable or disable GVRP on the specified ports in all VLANs, use the set port gvrp command.

set port gvrp mod/port {enable | disable}

Syntax Description

mod/port

Number of the module and the port on the module.

enable

Enables GVRP on a specified port.

disable

Disables GVRP on a specified port.


Defaults

The default is GVRP is disabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

This command is not supported by the NAM.

When you enable VTP pruning, it runs on all the GVRP-disabled trunks.

To run GVRP on a trunk, you need to enable GVRP both globally on the switch and individually on the trunk.

You can configure GVRP on a port even when you globally enable GVRP. However, the port will not become a GVRP participant until you globally enable GVRP.

You can enable GVRP on an 802.1Q trunk only.

If you enter the set port gvrp command without specifying the port number, GVRP is affected globally in the switch.

Examples

This example shows how to enable GVRP on module 3, port 2:

Console> (enable) set port gvrp 3/2 enable
GVRP enabled on 3/2.
Console> (enable) 

This example shows how to disable GVRP on module 3, port 2:

Console> (enable) set port gvrp 3/2 disable
GVRP disabled on 3/2.
Console> (enable) 

This example shows what happens if you try to enable GVRP on a port that is not an 802.1Q trunk:

Console> (enable) set port gvrp 4/1 enable
Failed to set port 4/1 to GVRP enable. Port not allow GVRP.
Console> (enable) 

This example shows what happens if you try to enable GVRP on a specific port when GVRP has not first been enabled using the set gvrp command:

Console> (enable) set port gvrp 5/1 enable
GVRP enabled on port(s) 5/1.
GVRP feature is currently disabled on the switch.
Console> (enable)

Related Commands

clear gvrp statistics
set gvrp
show gvrp configuration

set port host

To optimize the port configuration for a host connection, use the set port host command.

set port host mod/port

Syntax Description

mod/port

Number of the module and the port on the module.


Defaults

This command has no default settings.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

This command is not supported by the NAM.

To optimize the port configuration, the set port host command sets channel mode to off, enables spanning tree PortFast, sets the trunk mode to off, and disables the dot1q tunnel feature. Only an end station can accept this configuration.

Because spanning tree PortFast is enabled, you should enter the set port host command only on ports connected to a single host. Connecting hubs, concentrators, switches, and bridges to a fast-start port can cause temporary spanning tree loops.

Enable the set port host command to decrease the time it takes to start up packet forwarding.

Examples

This example shows how to optimize the port configuration for end station/host connections on ports 2/1 and 3/1:

Console> (enable) set port host 2/1,3/1

Warning: Span tree port fast start should only be enabled on ports connected to a single 
host.  Connecting hubs, concentrators, switches, bridges, etc. to a fast start port can 
cause temporary spanning tree loops.  Use with caution.

Spantree ports 2/1,3/1 fast start enabled.
Dot1q tunnel feature disabled on port(s)  4/1.
Port(s) 2/1,3/1 trunk mode set to off.
Port(s) 2/1 channel mode set to off.

Console> (enable) 

Related Commands

clear port host

set port inlinepower

To set the inline power mode of a port or group of ports, use the set port inlinepower command.

set port inlinepower mod/port {auto | static | limit} [max-wattage]

set port inlinepower mod/port off

Syntax Description

mod/port

Number of the module and the port on the module.

auto

Powers up the port only if the switching module has discovered the phone.

static

Powers up the port to a preallocated value so that the port is guaranteed power. See the "Usage Guidelines" section for more information.

limit

Limits power on the specified port. See the "Usage Guidelines" section for more information.

max-wattage

(Optional) The maximum power allowed on the port in either auto or static mode; valid values are from 4000 to 15400 milliwatts.

off

Prevents the port from providing power to an external device.


Defaults

The default is auto.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

If you specify auto or static mode but do not specify a max-wattage argument, the maximum wattage that is supported by the hardware is used.

If you specify static mode, power is preallocated to the specified port even if no devices are connected to that port. Connecting any device to that port ensures priority of service because that port is guaranteed power.

If you enter the off keyword, the inline power-capable device is not detected.

Each port is in one of the following modes (configured through the set port inlinepower CLI command):

auto—The supervisor engine directs the switching module to power up the port only if the switching module discovers the phone. You can specify the maximum wattage that is allowed on the port. If you do not specify a wattage, then the switch will deliver no more than the hardware-supported maximum value.

static—The supervisor engine directs the switching module to power up the port to the wattage you specify only if the switching module discovers the phone. You can specify the maximum wattage that is allowed on the port. If you do not specify a wattage, then the switch allows the hardware-supported maximum value. The maximum wattage, whether determined by the switch or specified by you, is preallocated to the port. If the switch does not have enough power for the allocation, the command will fail.

limit—Discovery is enabled, and you can limit the power allocated for an external device. If the wattage value that you specify with the limit keyword is less than the power that is specified by IEEE classification, instead of denying power, the lesser of these two values is allocated. If the device consumes more than the configured value, the port is shut down and a syslog message is displayed. The limit keyword is supported only on modules with the WS-F6K-48-AF daughter card.

off—Prevents the port from providing the power to an external device. If the external device is wall-powered and inline power is off, the port should still link up, join the bridge group, and go to the STP forwarding state.

Each port also has a status, defined as one of the following:

on—Power is supplied by the port.

off—Power is not supplied by the port.

Power-deny—The supervisor engine does not have enough power to allocate to the port, or the power that is configured for the port is less than the power that is required by the port; the power is not being supplied by the port.

err-disable—The port is unable to provide the power to the connected device that is configured in Static mode.

faulty—The port failed the diagnostics tests.

If you enter this command on a port that does not support the IP phone power feature, an error message is displayed.

You can enter a single port or a range of ports, but you cannot enter the module number only.


Caution: Damage can occur to equipment connected to the port if you are not using a phone that can be configured for the IP phone phantom power feature.

Examples

This example shows how to set the inline power to off:

Console> (enable) set port inlinepower 2/5 off
Inline power for port 2/5 set to off.
Console> (enable) 

This example shows the output if the inline power feature is not supported:

Console> (enable) set port inlinepower 2/3-9 auto
Feature not supported on module 2.
Console> (enable)

Related Commands

set inlinepower
show environment
show port inlinepower

set port jumbo

To enable or disable the jumbo frame feature on a per-port basis, use the set port jumbo command.

set port jumbo mod/port {enable | disable}

Syntax Description

mod/port

Number of the module and the port on the module.

enable

Enables jumbo frames on a specified port.

disable

Disables jumbo frames on a specified port.


Defaults

If you enable the jumbo frame feature, the MTU size for packet acceptance is 9216 bytes for nontrunking ports.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

This command is not supported by the NAM. The jumbo frame feature is supported on any Ethernet port and on the sc0 interface. The MSFC2 supports routing of jumbo frames. The Gigabit Switch Router (GSR) supports jumbo frames.

You can use the jumbo frame feature to transfer large frames or jumbo frames through Catalyst 6500 series switches to optimize server-to-server performance.

The Multilayer Switch Feature Card (MSFC) and the Multilayer Switch Module (MSM) do not support the routing of jumbo frames; if jumbo frames are sent to these routers, router performance is significantly degraded.

Examples

This example shows how to enable the jumbo frames feature on module 3, port 2:

Console> (enable) set port jumbo 3/2 enable
Jumbo frames enabled on port 5/3.
Console> (enable) 

This example shows how to disable the jumbo frames feature on module 3, port 2:

Console> (enable) set port jumbo 3/2 disable
Jumbo frames disabled on port 3/2.
Console> (enable) 

Related Commands

set trunk
show port jumbo

set port l2protocol-tunnel

To set Layer 2 protocol tunneling parameters, use the set port l2protocol-tunnel command.

set port l2protocol-tunnel mod/port {cdp | eoam | stp | vtp} {enable | disable}

set port l2protocol-tunnel mod/port {drop-threshold drop-threshold} {shutdown-threshold shutdown-threshold} [cdp | eoam | stp | vtp]

Syntax Description

mod/port

Number of the module and the port or range of ports.

cdp | eoam | stp | vtp

Specifies the protocol type. See the "Usage Guidelines" section for more information.

enable | disable

Enables or disables the protocol.

drop-threshold drop-threshold

Specifies the drop threshold factor on a port or range of ports; valid values are from 0 to 65535. See the "Usage Guidelines" section for more information.

shutdown-threshold shutdown-threshold

Specifies the shutdown threshold factor on a port or range of ports; valid values are from 0 to 65535. See the "Usage Guidelines" section for more information.


Defaults

Protocol tunneling is disabled on all ports.

The default for the drop threshold and the shutdown threshold is 0. The 0 value indicates that no limit is set.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

You can specify more than one protocol type at a time. In the CLI, separate protocol types with a space.

The recommended maximum value for the shutdown threshold is 1000. This value reflects the number of PDUs an edge switch can handle per second (without dropping any) while performing egress and ingress tunneling. For an edge switch, the shutdown threshold value also determines the number of Layer 2 protocol tunneling ports that can be connected to customer switches and the number of customer VLANs per Layer 2 protocol tunneling port. In determining the recommended maximum value of 1000, egress tunneling from the service provider network was also taken into consideration.

To determine the number of Layer 2 protocol tunneling ports (links) and the number of customer VLANs per Layer 2 protocol tunneling port (VLANs per link) that an edge switch can handle, use the following formula: Multiply the number of Layer 2 protocol tunneling ports by the number of VLANs and the result should be less than or equal to 1000. Some examples of acceptable configurations are as follows:

1 Layer 2 protocol tunneling port x 1000 VLANs

2 Layer 2 protocol tunneling port x 500 VLANs

5 Layer 2 protocol tunneling port x 200 VLANs

10 Layer 2 protocol tunneling port x 100 VLANs

20 Layer 2 protocol tunneling port x 50 VLANs

100 Layer 2 protocol tunneling port x 10 VLANs


Note: The shutdown threshold factor should exceed the drop threshold factor. After reaching the drop threshold factor, the port or range of ports starts dropping PDUs. After reaching the shutdown threshold factor, the port or range of ports goes into errdisable state and is restored after timeout.



Note: With software release 8.4(1) and later releases, you can specify the drop and shutdown thresholds for individual protocols on a per-port basis. If you configure thresholds only and do not specify a protocol, the packets are rate limited cumulatively irrespective of protocols. If you specify a threshold for a protocol on a port, the packets are rate limited on a cumulative basis, and then per-protocol thresholds are applied to the packets. The range for the per-port protocols drop threshold and shutdown threshold is from 0 to 65535.
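A check of threshold commands against the guidelines above, as an added example (not Cisco code): it flags a threshold of 0 (no limit), a shutdown threshold that does not exceed the drop threshold, and a shutdown threshold above the recommended maximum of 1000, and it applies the ports-times-VLANs rule. The function names and finding labels are assumptions, and the parser assumes both thresholds appear on one line, as in this page's examples.

```python
import re

MAX_FACTOR = 65535            # valid threshold factors on this page: 0 to 65535
RECOMMENDED_SHUTDOWN = 1000   # recommended maximum shutdown threshold
EDGE_CAPACITY = 1000          # tunneling ports x VLANs per port must not exceed this

# Assumption: drop-threshold and shutdown-threshold are given together on one line.
CMD = re.compile(
    r"^set port l2protocol-tunnel (?P<port>\S+) "
    r"drop-threshold (?P<drop>\d+) shutdown-threshold (?P<shut>\d+)"
    r"(?P<protos>(?: (?:cdp|eoam|stp|vtp))*)$"
)


def check_thresholds(line):
    """Return (port, protocols, findings) for a threshold command, else None."""
    m = CMD.match(" ".join(line.split()))   # collapse repeated whitespace first
    if m is None:
        return None
    drop, shut = int(m["drop"]), int(m["shut"])
    findings = []
    for name, value in (("drop", drop), ("shutdown", shut)):
        if value > MAX_FACTOR:
            findings.append(f"{name}-out-of-range")
        elif value == 0:
            findings.append(f"{name}-unlimited")   # 0 means no limit is set
    # The comparison only makes sense when both limits are actually set.
    if drop and shut and shut <= drop:
        findings.append("shutdown-not-above-drop")
    if shut > RECOMMENDED_SHUTDOWN:
        findings.append("shutdown-above-recommended")
    return m["port"], tuple(m["protos"].split()), findings


def edge_capacity_ok(tunnel_ports, vlans_per_port):
    """Apply the page's rule: tunneling ports multiplied by VLANs must be <= 1000."""
    return tunnel_ports * vlans_per_port <= EDGE_CAPACITY


def audit(lines):
    """Map (port, protocols) to findings for every threshold command in lines."""
    results = {}
    for line in lines:
        parsed = check_thresholds(line)
        if parsed is not None:
            port, protos, findings = parsed
            results[(port, protos)] = findings
    return results


SAMPLE = [
    # The first two lines are the threshold commands from this page's examples.
    "set port l2protocol-tunnel 7/1 drop-threshold 1000 shutdown-threshold 20000",
    "set port l2protocol-tunnel 3/1 drop-threshold 200 shutdown-threshold 400 cdp",
    # Constructed lines that exercise the remaining checks.
    "set port l2protocol-tunnel 5/1 drop-threshold 500 shutdown-threshold 100 stp",
    "set port l2protocol-tunnel 5/2 drop-threshold 0 shutdown-threshold 0",
    "set port l2protocol-tunnel 7/1-2 cdp enable",   # not a threshold command
]

if __name__ == "__main__":
    for key, findings in audit(SAMPLE).items():
        print(key, findings or "ok")
    print("20 ports x 50 VLANs fits:", edge_capacity_ok(20, 50))
```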


Examples

This example shows how to enable CDP on a range of ports:

Console> (enable)  set port l2protocol-tunnel 7/1-2 cdp enable
Layer 2 protocol tunneling enabled for CDP on ports 7/1-2.
Console> (enable)

This example shows how to enable STP and VTP on a range of ports:

Console> (enable)  set port l2protocol-tunnel 7/1-2 stp vtp enable
Layer 2 protocol tunneling enabled for STP VTP on ports 7/1-2.
Console> (enable)

This example shows how to disable CDP, STP, and VTP on a range of ports:

Console> (enable)  set port l2protocol-tunnel 7/1-2 cdp stp vtp disable
Layer 2 protocol tunneling disabled for CDP STP VTP on ports 7/1-2.
Console> (enable)

This example shows how to set the drop threshold to 1000 and the shutdown threshold to 20000 on a port:

Console> (enable) set port l2protocol-tunnel 7/1 drop-threshold 1000 shutdown-threshold 20000
Drop Threshold=1000, Shutdown Threshold=20000 set on port 7/1.
Console> (enable)

This example shows how to specify a drop threshold of 100 and a shutdown threshold of 400 for CDP packets on a port:

Console> (enable) set port l2protocol-tunnel 3/1 drop-threshold 200 shutdown-threshold 400 cdp
Drop Threshold=200, Shutdown Threshold=400 set on port 3/1.
Console> (enable)

This example shows how to enable the EOAM protocol on a range of ports:

Console> (enable)  set port l2protocol-tunnel 7/1-2 eoam enable
Layer 2 protocol tunneling enabled for EOAM on ports 7/1-2.
Console> (enable)

Related Commands

clear l2protocol-tunnel cos
clear l2protocol-tunnel statistics
set l2protocol-tunnel cos
show l2protocol-tunnel statistics
show port l2protocol-tunnel

set port lacp-channel

To set the priority value for physical ports, to assign an administrative key to a particular set of ports, or to change the channel mode for a set of ports that were previously assigned to the same administrative key, use the set port lacp-channel command.

set port lacp-channel mod/ports port-priority value

set port lacp-channel mod/ports [admin-key]

set port lacp-channel mod/ports mode {on | off | active | passive}

Syntax Description

mod/ports

Number of the module and the ports on the module.

port-priority

Specifies the priority for physical ports.

value

Number of the port priority; valid values are from 1 to 255. See the "Usage Guidelines" section for more information about the priority value.

admin-key

(Optional) Number of the administrative key; valid values are from 1 to 1024. See the "Usage Guidelines" section for more information about the administrative key.

mode

Specifies the channel mode for a set of ports.

on | off | active | passive

Specifies the status of the channel mode.


Defaults

LACP is supported on all Ethernet interfaces.

The default port priority value is 128.

The default mode is passive for all ports that are assigned to the administrative key.

For differences between PAgP and LACP, refer to the "Guidelines for Port Configuration" section of the "Configuring EtherChannel" chapter of the Catalyst 6500 Series Software Configuration Guide.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

This command can only be used for ports belonging to LACP modules. This command cannot be used on ports running in PAgP mode.

Higher priority values correspond to lower priority levels.

The following usage guidelines apply when you assign an administrative key to ports:

If you do not enter a value for the administrative key, the switch chooses a value automatically.

If you choose a value for the administrative key, but this value is already used in your switch, all the ports associated with this value are moved to a new administrative key that is assigned automatically. The previously used value is now associated with new ports.

You can assign a maximum of 8 ports to an administrative key.

If you assign an administrative key to a channel that was previously assigned a particular mode, the channel will maintain that mode after you enter the administrative key value.

Examples

This example shows how to set the priority of ports 1/1 to 1/4 and 2/6 to 2/8 to 10:

Console> (enable) set port lacp-channel 4/1-4
Ports 4/1-4 being assigned admin key 96.
Console> (enable)

This example shows how to assign ports 4/1 to 4/4 to an administrative key that the switch automatically chooses:

Console> (enable) set port lacp-channel 4/1-4
Ports 4/1-4 being assigned admin key 96.
Console> (enable)

This example shows how to assign ports 4/4 to 4/6 to administrative key 96 when that key was previously assigned to ports 4/1 to 4/3:

Console> (enable) set port lacp-channel 4/4-6 96
admin key 96 already assigned to port 4/1-3.
Port(s) 4/1-3 being assigned to admin key 97.
Port(s) 4/4-6 being assigned to admin key 96.
Console> (enable)

Related Commands

clear lacp-channel statistics
set channelprotocol
set lacp-channel system-priority
set spantree channelcost
set spantree channelvlancost
show lacp-channel
show port lacp-channel

set port mac-auth-bypass

To configure the MAC authentication bypass feature on a port, use the set port mac-auth-bypass command.

set port mac-auth-bypass mod/port {enable | disable}

set port mac-auth-bypass mod/port {initialize | reauthenticate}

set port mac-auth-bypass mod/port ip-device-tracking {enable | disable}

Syntax Description

mod/port

Number of the module and the port on the module.

enable

Enables the MAC authentication bypass feature on a port.

disable

Disables the MAC authentication bypass feature on a port.

initialize

Initializes the MAC address authentication bypass state for a port so the port can participate in authentication again.

reauthenticate

Reauthenticates the MAC address of a port.

ip-device-tracking

Tracks the host using its IP address.

enable

Enables IP device tracking.

disable

Disables IP device tracking.


Defaults

The MAC authentication bypass feature is disabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

When you enable the MAC authentication bypass feature on a port, you automatically enable PortFast on that port. When you disable the MAC authentication bypass feature on a port, you automatically disable PortFast on that port.

When you enter set port mac-auth-bypass mod/port initialize, the specified port is moved to the waiting state and any required cleanup is performed (such as unauthorizing the port, cleaning up any static/trap CAM entries, and so on).

The set port mac-auth-bypass mod/port reauthenticate command is accepted only when the port is in authenticated state; otherwise, the command is ignored.

For more information about the states and events that are associated with the MAC authentication bypass feature, see the "Configuring MAC Address Authentication Bypass" chapter of the Catalyst 6500 Series Software Configuration Guide.

Examples

This example shows how to enable MAC address authentication bypass on a port:

Console> (enable) set port mac-auth-bypass 3/1 enable
MAC-Auth-Bypass successfully enabled on 3/1.
Console> (enable)

This example shows how to initialize the MAC address authentication bypass state for a port so that the port can participate in authentication again:

Console> (enable) set port mac-auth-bypass 3/1 initialize
Mac-Auth-Bypass successfully Initialized 3/1.
Console> (enable)

This example shows how to reauthenticate the MAC address of a port:

Console> (enable) set port mac-auth-bypass 3/1 reauthenticate
Reauthenticating MAC address 00-00-00-00-00-01 on port 3/1 using Mac-Auth-Bypass.
Console> (enable)

This example shows how to enable IP device tracking on a MAB-enabled port:

Console> (enable) set port mac-auth-bypass 2/15 ip-device-tracking enable
Mac-Auth-Bypass successfully enabled.
Console> (enable)

Related Commands

set mac-auth-bypass
show mac-auth-bypass
show port mac-auth-bypass

set port macro

To execute a configuration macro on a per-port basis, use the set port macro command.

set port macro mod/ports... ciscoipphone vlan vlan [auxvlan auxvlan]

set port macro mod/ports... ciscosoftphone vlan vlan

set port macro mod/ports... ciscodesktop vlan vlan

set port macro mod/ports... ciscorouter nativevlan nativevlan [allowedvlans vlan]

set port macro mod/ports... ciscoswitch nativevlan nativevlan [allowedvlans vlan]

set port macro mod/ports... macro_name

Syntax Description

mod/ports...

Number of the module and the ports on the module.

ciscoipphone

Specifies the Cisco IP Phone SmartPort configuration macro.

vlan

Specifies a VLAN interface.

vlan

Number of the VLAN or VLANs.

auxvlan

(Optional) Specifies an auxiliary VLAN.

auxvlan

(Optional) Number of the auxiliary VLAN.

ciscosoftphone

Specifies the Cisco Softphone SmartPort configuration macro.

ciscodesktop

Specifies the Cisco Desktop SmartPort configuration macro.

ciscorouter

Specifies the Cisco Router SmartPort configuration macro.

nativevlan

Specifies the native VLAN for IP phone traffic.

nativevlan

Number of the native VLAN.

allowedvlans

(Optional) Specifies the VLAN or VLANs that are allowed on the trunk.

ciscoswitch

Specifies the Cisco Switch SmartPort configuration macro.

macro_name

Name of a user-defined macro to apply to a port. See the "Usage Guidelines" section for more information about applying a user-defined macro.


Defaults

This command has no default settings.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

When you use automatic voice configuration with the ciscoipphone keyword, some of the QoS configuration requires phone-specific configuration (trust-ext, ext-cos), which is supported only on the following phones: Cisco IP Phone 7910, Cisco IP Phone 7940, Cisco IP Phone 7960, and Cisco IP Phone 7935. However, the ciscoipphone keyword is not exclusive to these models only; any phone can benefit from all the other QoS settings that are configured on the switch.

To configure the QoS settings and the trusted boundary feature on the Cisco IP Phone, you must enable Cisco Discovery Protocol (CDP) version 2 or later on the port. You need to enable CDP only for the ciscoipphone QoS configuration; CDP does not affect the other components of the automatic voice configuration feature.

The automatic voice configuration commands do not support channeling.

A PFC or PFC2 is not required for the ciscoipphone keyword.

A PFC or PFC2 is required for the ciscosoftphone keyword.

The ciscoipphone keyword is only supported on 10/100 and 10/100/1000 Ethernet ports.

The ciscosoftphone keyword is supported on all Ethernet ports.

To see the configuration that results from choosing the ciscodesktop, ciscorouter, or ciscoswitch keyword, see the "Configuring a VoIP Network" chapter of the Catalyst 6500 Series Switch Software Configuration Guide.

When applying user-defined macros, follow these guidelines and restrictions:

If you attempt to apply a macro on a port and the macro has a variable that is not defined in its definition, the macro is not applied on the port and an appropriate error message is displayed. This does not affect the definition of the macro.

If you attempt to apply a macro on a port and the macro has some valid and some invalid commands in its definition, the macro is still applied on the port and an appropriate error message is displayed when the invalid command is executed. This does not affect the definition of the macro.

When you apply a macro, a record of the macro being applied is not stored in the configuration file or NVRAM. However, for each port there is a record of the latest macro that was applied to it.

Once a macro is applied to a port, you cannot clear the macro. However, one way to cancel a macro on a port is to define another macro that clears the configurations on the port, and then apply the newly created macro on the port.

For more information about user-defined Smartports macros, see the "Configuring a VoIP Network" chapter of the Catalyst 6500 Series Switch Software Configuration Guide.

Examples

This example shows how to execute the Cisco IP Phone configuration macro with an auxiliary VLAN:

Console> (enable) set port macro 3/1 ciscoipphone vlan 2 auxvlan 3
Port 3/1 enabled.
Layer 2 protocol tunneling disabled for CDP STP VTP on port(s) 3/1.
Port 3/1 vlan assignment set to static.
Spantree port fast start option set to default for ports 3/1.
Port(s) 3/1 channel mode set to off.

Warning:Connecting Layer 2 devices to a fast start port can cause
temporary spanning tree loops. Use with caution.

Spantree port  3/1 fast start enabled.
Dot1q tunnel feature disabled on port(s)  3/1.
Port(s)  3/1 trunk mode set to off.
VLAN  Mod/Ports
---- -----------------------
2     2/1
      3/1
      16/1
AuxiliaryVlan Status   Mod/Ports
------------- -------- ------------------------------------------------------
3             inactive 3/1

Vlan 3 is not active.
Inline power for port 3/1 set to auto.

CDP enabled globally
CDP enabled on port 3/1.
CDP version set to v2
........
All ingress and egress QoS scheduling parameters configured on all ports.
CoS to DSCP, DSCP to COS, IP Precedence to DSCP and policed dscp maps
configured.  Global QoS configured.
Port 3/1 ingress QoS configured for Cisco IP Phone.
Macro completed on port 3/1.
Console> (enable)

This example shows the warning message that appears when you do not specify an auxiliary VLAN:

Console> (enable) set port macro 3/1 ciscoipphone vlan 2
Warning: All inbound QoS tagging information will be lost as no auxillary
vlan was specified.
Do you want to continue (y/n) [n]?

This example shows how to execute the Cisco Softphone configuration macro:

Console> (enable) set port macro 3/1 ciscosoftphone vlan 32
Port 3/1 enabled.
Layer 2 protocol tunneling disabled for CDP STP VTP on port(s) 3/1.
Port 3/1 vlan assignment set to static.
Spantree port fast start option set to default for ports 3/1.
Port(s) 3/1 channel mode set to off.

Warning:Connecting Layer 2 devices to a fast start port can cause
temporary spanning tree loops. Use with caution.

Spantree port  3/1 fast start enabled.
Dot1q tunnel feature disabled on port(s)  3/1.
Port(s)  3/1 trunk mode set to off.
Vlan 32 configuration successful
VLAN 32 modified.
VLAN 2 modified.
VLAN  Mod/Ports
---- -----------------------
32    3/1
      16/1
Port 3/1 will not send out CDP packets with AuxiliaryVlan information.
Executing autoqos........
All ingress and egress QoS scheduling parameters configured on all ports.
CoS to DSCP, DSCP to COS, IP Precedence to DSCP and policed dscp maps
configured.  Global QoS configured.
Port 3/1 ingress QoS configured for Cisco Softphone.
Macro completed on port 3/1.
Console> (enable)

This example shows how to apply a user-defined macro named "videophone" to port 3/2:

Console> (enable) set port macro 3/2 videophone

Before the macro is applied, variables are replaced by the values that are specified by entering the set macro variable command. The following commands that were included in the user-defined macro are then executed:

set port enable 3/2
set vlan 3 3/2
set port auxiliaryvlan 3/2 4
set cdp enable
set cdp version v2
set qos autoqos
Console> (enable)

Related Commands

clear macro
set cdp
set macro
set macro ciscosmartports
set port qos autoqos
set qos autoqos
show macro

set port membership

To set the VLAN membership assignment to a port, use the set port membership command.

set port membership mod/port {dynamic | static}

Syntax Description

mod/port

Number of the module and the port on the module.

dynamic

Specifies that the port become a member of dynamic VLANs.

static

Specifies that the port become a member of static VLANs.


Defaults

This command has no default settings.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

Dynamic VLAN support for VVID places the following restrictions on the configuration of MVAP on the switch port:

You can configure any VVID on a dynamic port including dot1p and untagged, except when the VVID is equal to dot1p or untagged. If this is the case, then you must configure VMPS with the MAC address of the IP phone. When you configure the VVID as dot1p or untagged on a dynamic port, this warning message is displayed:

VMPS should be configured with the IP phone mac's.

You cannot change the VVID of the port to equal the PVID assigned by the VMPS for the dynamic port.

You cannot configure trunk ports as dynamic ports, but you can configure MVAP as a dynamic port.

Examples

This example shows how to set the port membership VLAN assignment to dynamic:

Console> (enable) set port membership 5/5 dynamic
Port 5/5 vlan assignment set to dynamic.
Spantree port fast start option enabled for ports 5/5.
Console> (enable) 

This example shows how to set the port membership VLAN assignment to static:

Console> (enable) set port membership 5/5 static
Port 5/5 vlan assignment set to static.
Console> (enable) 

Related Commands

set pvlan
set pvlan mapping
set vlan
set vlan mapping

set port mvrp

To configure MVRP on a particular trunk port, use the set port mvrp command.

set port mvrp mod/port {enable | disable}

set port mvrp mod/port {active | normal}

set port mvrp mod/port periodictimer {enable | disable}

set port mvrp timer mod/port {join | leave | leaveall} timer-value

set port mvrp mod/port registration {normal | fixed | forbidden}

Syntax Description

mod/port

Number of the module and the port on the module.

enable

Enables the MVRP feature on a specific port.

disable

Disables the MVRP feature on a specific port.

active

Sends out VLAN declarations even when the port is in STP blocking state.

normal

Does not send VLAN declarations when the port is in STP blocking state.

periodictimer

Defines the frequency at which the periodic events are generated. The value is preset to 1 second. The periodic timer value cannot be modified, but the timer can be enabled or disabled.

join

Defines the interval between transmit opportunities. The value can range from 20 to 10000000, in centiseconds.

leave

Defines the waiting time before transiting to an empty state. The value can range from 60 to 10000000, in centiseconds.

leaveall

Defines the frequency at which the leave all message is generated. The value can range from 1000 to 10000000, in centiseconds.

timer-value

Timer value in centiseconds on a specific port.

registration

Sets the registrar in a MAD instance associated with the port to one of the three states.

normal

Responds to all MVRP requests and messages while retaining all registrations and deregistrations on the trunk port.

fixed

Ignores any further MVRP requests and messages while retaining all existing registrations on the trunk port.

forbidden

Deregisters all the VLANs (except VLAN1) and prevents any further VLAN creation or registration on the trunk port.


Defaults

MVRP is disabled on each port.

The default applicant state is normal.

The default timer values are as follows:

Join timer-value: 20

Leave timer-value: 60

LeaveAll timer-value: 1000

The default registrar state is normal, in which the interface will respond to all incoming MVRP PDUs.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

A normal applicant sends out MVRP PDUs if and only if the port is in forwarding state in the spanning tree. An active applicant is not IEEE standard. If a port has its applicant in active state, it sends out MVRP PDUs even if the port is in blocking state.

Examples

This example shows how to enable MVRP on a particular trunk port:

Console> (enable) set port mvrp 3/48 enable
MVRP enabled on port 3/48
Console> (enable)

This example shows how to disable MVRP on a particular trunk port:

Console> (enable) set port mvrp 3/48 disable
MVRP disabled on port 3/48
Console> (enable)

This example shows how to enable the periodic timer on a particular port:

Console> (enable) set port mvrp 3/48 periodictimer enable
MVRP periodic timer enabled on port(s) 3/48
Console> (enable)

This example shows how to disable the periodic timer on a particular port:

Console> (enable) set port mvrp 3/48 periodictimer disable
MVRP periodic timer disabled on port 3/48

This example shows how to set the join timer value on a particular port:

Console> (enable) set port mvrp 3/48 timer join 50
MVRP/MRP join timer value is set to 50 centi seconds on port 3/48
Console> (enable)

Console> (enable)  set port mvrp 2/1 timer join 200
Failed to set MVRP/MRP join timer value.
Join timer must be greater than 1 and Leave timer must be greater than 2 * join timer.

Console> (enable) set port mvrp 2/1 timer leave 5000
Failed to set MVRP/MRP leave timer value.
Leave timer must be greater than 2 * join timer.
Leaveall timer must be greater than leave timer.
Console> (enable)

Console> (enable) set port mvrp 3/48 timer leave 1000
MVRP/MRP leave timer value is set to 1000 centi seconds on port 3/48
Console> (enable)

Console> (enable) set port mvrp 3/48 timer leaveall 10000
MVRP/MRP leaveAll timer value is set to 10000 centi seconds on port 3/48
Console> (enable)

This example shows how to set the Registrar in a MAD instance associated with the port in fixed state:

Console> (enable) set port mvrp 3/48 registration fixed
Registrar Administrative Control set to fixed on port(s) 3/48
Console> (enable)

This example shows how to set the Registrar in a MAD instance associated with the port in forbidden state:

Console> (enable) set port mvrp 3/48 registration forbidden
Registrar Administrative Control set to forbidden on port(s) 3/48
Console> (enable)

This example shows how to set the Registrar in a MAD instance associated with the port in normal state:

Console> (enable) set port mvrp 3/48 registration normal
Registrar Administrative Control set to normal on port(s) 3/48.
Console> (enable)
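
The relations quoted in the failure messages above mean that the order in which the timers are changed matters. This added example (not Cisco code; the function names are hypothetical) checks a timer set against the documented ranges and those relations, then orders the single-timer commands so that each intermediate state stays valid, assuming the switch enforces the relations after every command.

```python
from itertools import permutations

# Ranges (centiseconds) from the Syntax Description; defaults from the Defaults section.
RANGES = {
    "join": (20, 10_000_000),
    "leave": (60, 10_000_000),
    "leaveall": (1000, 10_000_000),
}
DEFAULTS = {"join": 20, "leave": 60, "leaveall": 1000}


def check_timers(timers):
    """Return the list of rules that a complete join/leave/leaveall set violates."""
    problems = []
    for name, (low, high) in RANGES.items():
        if not low <= timers[name] <= high:
            problems.append(f"{name} must be between {low} and {high}")
    # Relations quoted in the switch's failure messages.
    if not timers["leave"] > 2 * timers["join"]:
        problems.append("leave must be greater than 2 * join")
    if not timers["leaveall"] > timers["leave"]:
        problems.append("leaveall must be greater than leave")
    return problems


def plan_timer_commands(port, current, target):
    """Order single-timer commands so every intermediate state passes check_timers.

    Returns the command strings in the order to enter them.
    Raises ValueError if the target set itself is invalid.
    """
    problems = check_timers(target)
    if problems:
        raise ValueError("; ".join(problems))
    changed = [name for name in RANGES if current[name] != target[name]]
    for order in permutations(changed):
        state = dict(current)
        for name in order:
            state[name] = target[name]
            if check_timers(state):
                break  # this ordering passes through an invalid state
        else:
            # Command form taken from the examples on this page.
            return [f"set port mvrp {port} timer {n} {target[n]}" for n in order]
    return None  # no safe ordering found


if __name__ == "__main__":
    # Constructed scenario: raise all three timers on port 3/48 from the defaults.
    wanted = {"join": 50, "leave": 1000, "leaveall": 10000}
    for command in plan_timer_commands("3/48", DEFAULTS, wanted):
        print(command)
```
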

set port name

To configure a name for a port, use the set port name command.

set port name mod/port [port_name]

Syntax Description

mod/port

Number of the module and the port on the module.

port_name

(Optional) Name of the port. See the "Usage Guidelines" section for more information.


Defaults

The default is that no port name is configured for any port.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

This command is not supported by the NAM.

The port_name argument must be fewer than 21 characters.

If you do not specify a port_name argument, the port name is cleared.

Examples

This example shows how to set port 1 on module 4 to Snowy:

Console> (enable) set port name 4/1 Snowy
Port 4/1 name set.
Console> (enable) 

Related Commands

set port description
show port
show port description

set port negotiation

To enable or disable the link negotiation protocol on the specified port, use the set port negotiation command.

set port negotiation mod/port {enable | disable}

Syntax Description

mod/port

Number of the module and the port on the module.

enable

Enables the link negotiation protocol.

disable

Disables the link negotiation protocol.


Defaults

The default is that the link negotiation protocol is enabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

You cannot configure port negotiation on 1000BASE-T (copper) Gigabit Ethernet ports in this release. If a 1000BASE-T GBIC is inserted in the port that was previously configured as a negotiation-disabled port, the negotiation-disabled setting is ignored, and the port operates in negotiation-enabled mode.

The set port negotiation command is supported on Gigabit Ethernet ports only, except on WS-X6316-GE-TX and on WS-X6516-GE-TX.

If the port does not support this command, this message appears:

Feature not supported on Port N/N.

where N/N is the module and port number.

In most cases, when you enable link negotiation, the system autonegotiates flow control, duplex mode, and remote fault information. The exception applies to 16-port 10/100/1000BASE-T Ethernet modules; when you enable link negotiation on these Ethernet modules, the system autonegotiates flow control only.

You must either enable or disable link negotiation on both ends of the link. Both ends of the link must be set to the same value or the link cannot connect.

Examples

This example shows how to disable link negotiation protocol on port 1, module 4:

Console> (enable) set port negotiation 4/1 disable
Link negotiation protocol disabled on port 4/1.
Console> (enable) 

Related Commands

show port negotiation

set port protocol

To enable or disable protocol membership of ports, use the set port protocol command.

set port protocol mod/port {ip | ipx | group} {on | off | auto}

Syntax Description

mod/port

Number of the module and the port on the module.

ip

Specifies IP.

ipx

Specifies IPX.

group

Specifies VINES, AppleTalk, and DECnet protocols.

on

Indicates the port will receive all the flood traffic for that protocol.

off

Indicates the port will not receive any flood traffic for that protocol.

auto

Specifies that the port is added to the group only after packets of the specific protocol are received on that port.


Defaults

The default is that the ports are configured to on for the IP protocol groups and auto for IPX and group protocols.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

This command is not supported by the NAM.

Protocol filtering is supported only on nontrunking EtherChannel ports. Trunking ports are always members of all the protocol groups.

If the port configuration is set to auto, the port initially does not receive any flood packets for that protocol. When the corresponding protocol packets are received on that port, the supervisor engine detects this and adds the port to the protocol group.

Ports configured as auto are removed from the protocol group if no packets are received for that protocol within a certain period of time. This aging time is set to 60 minutes. They are also removed from the protocol group on detection of a link down.

Examples

This example shows how to disable IPX protocol membership of port 1 on module 2:

Console> (enable) set port protocol 2/1 ipx off
IPX protocol disabled on port 2/1.
Console> (enable)

This example shows how to enable automatic IP membership of port 1 on module 5:

Console> (enable) set port protocol 5/1 ip auto
IP protocol set to auto mode on module 5/1.
Console> (enable)

Related Commands

show port protocol

set port qos

To specify whether an interface is interpreted as a physical port or as a VLAN, use the set port qos command.

set port qos mod/ports... port-based | vlan-based

Syntax Description

mod/ports...

Number of the module and the ports on the module.

port-based

Interprets the interface as a physical port.

vlan-based

Interprets the interface as part of a VLAN.


Defaults

The default is that ports are port-based if QoS is enabled and VLAN-based if QoS is disabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

This command is not supported by the NAM.

When you change a port from port-based QoS to VLAN-based QoS, all ACLs are detached from the port. Any ACLs attached to the VLAN apply to the port immediately.

When you set a port to VLAN-based QoS using the set port qos command while RSVP or COPS QoS is enabled on that port (that is, the QoS policy source is COPS or DSBM-election is enabled), the VLAN-based setting is saved in NVRAM only.

Examples

This example shows how to specify an interface as a physical port:

Console> (enable) set port qos 1/1-2 port-based
Updating configuration ...
QoS interface is set to port-based for ports 1/1-2.
Console> (enable) 

This example shows how to specify an interface as a VLAN:

Console> (enable) set port qos 3/1-48 vlan-based
Updating configuration ...
QoS interface is set to VLAN-based for ports 3/1-48.
Console> (enable) 

This example shows the output if you change from port-based QoS to VLAN-based QoS with either RSVP or COPS enabled on the port:

Console> (enable) set port qos 3/1-48 vlan
Qos interface is set to vlan-based for ports 3/1-48
Port(s) 3/1-48 - QoS policy-source is Cops or DSBM-election is enabled.
Vlan-based setting has been saved in NVRAM only.
Console> (enable) 

Related Commands

set port qos cos
set port qos trust
show port qos
show qos info

set port qos autoqos

To apply the automatic QoS feature on a per-port basis, use the set port qos autoqos command.

set port qos mod/port autoqos trust {cos | dscp}

set port qos mod/port autoqos voip {ciscoipphone | ciscosoftphone}

Syntax Description

mod/port

Number of the module and ports on the module.

trust

Specifies AutoQoS for ports trusting all traffic markings.

cos

Trusts CoS-based markings of all inbound traffic.

dscp

Trusts DSCP-based markings of all inbound traffic.

voip

Specifies AutoQoS for voice applications.

ciscoipphone

Specifies AutoQoS for Cisco 79xx IP phones.

ciscosoftphone

Specifies AutoQoS for Cisco IP SoftPhones.


Defaults

The per-port AutoQos feature is disabled.

Command Types

Switch command.

Command Modes

Privileged.

Examples

This example shows how to trust CoS-based markings of inbound traffic on module 4, port 1:

Console> (enable) set port qos 4/1 autoqos trust cos
Port 4/1 ingress QoS configured for trust cos.
Trusting all incoming CoS marking on port 4/1.
It is recommended to execute the "set qos autoqos" global command if not executed 
previously.
Console> (enable)

This example shows how to apply AutoQoS settings for Cisco 79xx IP phones on module 4, port 1:

Console> (enable) set port qos 4/1 autoqos voip ciscoipphone
Port 4/1 ingress QoS configured for ciscoipphone.
It is recommended to execute the "set qos autoqos" global command if not executed 
previously.
Console> (enable)

This example shows how to apply AutoQoS settings for Cisco IP SoftPhones on module 4, port 1:

Console> (enable) set port qos 4/1 autoqos voip ciscosoftphone
Port 4/1 ingress QoS configured for ciscosoftphone.  Policing configured on 4/1. 
It is recommended to execute the "set qos autoqos" global command if not executed 
previously.
Console> (enable)

Related Commands

clear port qos autoqos
clear qos autoqos
set qos autoqos
show port qos
show qos acl info

set port qos cos

To set the default value for all packets that have arrived through an untrusted port, use the set port qos cos command.

set port qos mod/ports cos cos_value

set port qos mod/ports cos-ext cos_value

Syntax Description

mod/ports

Number of the module and ports.

cos cos_value

Specifies the CoS value for a port; valid values are from 0 to 7.

cos-ext cos_value

Specifies the CoS extension for a phone port; valid values are from 0 to 8.


Defaults

The default is CoS 0.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

This command is only supported on Ethernet modules.

This command has no effect when QoS is disabled. The port CoS setting takes effect when QoS is enabled.

Examples

This example shows how to set the CoS default value on a port:

Console> (enable) set port qos 2/1 cos 3
Port 2/1 qos cos set to 3.
Console> (enable) 

This example shows how to set the CoS-ext default value on a port:

Console> (enable) set port qos 2/1 cos-ext 3
Port 2/1 qos cos-ext set to 3.
Console> (enable) 

Related Commands

clear port qos cos
set port qos
set port qos trust
show port qos
show qos info

set port qos policy-source

To set the QoS policy source for all ports in the specified module, use the set port qos policy-source command.

set port qos policy-source mod/ports... local | cops

Syntax Description

mod/ports...

Number of the module and the ports on the module.

local

Sets the policy source to local NVRAM configuration.

cops

Sets the policy source to COPS configuration.


Defaults

The default is that all ports are set to local.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

When you set the policy source to local, the QoS policy is taken from local configuration stored in NVRAM. If you set the policy source to local after it was set to COPS, the QoS policy reverts back to the local configuration stored in NVRAM.

Examples

This example shows how to set the policy source to local NVRAM:

Console> (enable) set port qos 5/5 policy-source local
QoS policy source set to local on port(s) 5/1-48.
Console> (enable)

This example shows the output if you attempt to set the policy source to COPS and no COPS servers are available:

Console> (enable) set port qos 5/5 policy-source cops
QoS policy source for the switch set to COPS.
Warning: No COPS servers configured. Use the `set cops server' command
to configure COPS servers.
Console> (enable) 

This example shows the output if you set the policy source to COPS and the switch is set to local configuration (using the set qos policy-source command):

Console> (enable) set port qos 5/5 policy-source cops
QoS policy source set to COPS on port(s) 5/1-48.
Warning: QoS policy source for the switch set to use local configuration.
Console> (enable)

Related Commands

clear qos config
show port qos

set port qos trust

To set the trusted state of a port (for example, whether or not the packets arriving at a port are trusted to carry the correct classification), use the set port qos trust command.

set port qos mod/ports... trust {untrusted | trust-cos | trust-ipprec | trust-dscp}

Syntax Description

mod/ports...

Number of the module and the ports on the module.

untrusted

Specifies that packets need to be reclassified from the matching access control entry (ACE).

trust-cos

Specifies that although the CoS bits in the incoming packets are trusted, the ToS is invalid and a valid value needs to be derived from the CoS bits.

trust-ipprec

Specifies that although the ToS and CoS bits in the incoming packets are trusted, the ToS is invalid and the ToS is set as IP precedence.

trust-dscp

Specifies that the ToS and CoS bits in the incoming packets can be accepted as is with no change.


Defaults

The default is untrusted; when you disable QoS, the default is trust-cos on Layer 2 switches and trust-dscp on Layer 3 switches.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

When you disable QoS, the default is trust-cos on Layer 2 switches and trust-dscp on Layer 3 switches.

This command is not supported by the NAM.

On 10/100 ports, you can use only the set port qos trust command to activate the receive-drop thresholds. To configure a trusted state, you have to convert the port to port-based QoS, define an ACL that defines all (or the desired subset) of ACEs to be trusted, and attach the ACL to that port.

Examples

This example shows how to set the port to a trusted state:

Console> (enable) set port qos 3/7 trust trust-cos
Port 3/7 qos set to trust-cos.
Console> (enable) 

This example shows the output if you try to set the trust state on a 10/100 port:

Console> (enable) set port qos 3/28 trust trust-cos
Trust type trust-cos not supported on this port.
Receive thresholds are enabled on port 3/28.
Port  3/28 qos set to untrusted.
Console> (enable) 

Related Commands

set port qos
set port qos cos
show port qos
show qos info

set port qos trust-device

To configure the trust mode on a port on a specific device or module, use the set port qos trust-device command.

set port qos mod/ports... trust-device {none | ciscoipphone}

Syntax Description

mod/ports...

Number of the module and the ports on the module.

none

Sets the device trust mode to disable.

ciscoipphone

Trusts only Cisco IP phones.


Defaults

By default, the device trust mode for each port is set to none.

Command Types

Switch command.

Command Modes

Privileged.

Examples

This example shows how to trust only Cisco IP phones on port 4/1:

Console> (enable) set port qos 4/1 trust-device ciscoipphone
Port 4/1 set to only trust device of type ciscoIPPhone.
Console> (enable)

This example shows how to disable the device trust on port 4/1:

Console> (enable) set port qos 4/1 trust-device none
Port 4/1 trust device feature disabled.
Console> (enable)

Related Commands

show port qos

set port qos trust-ext

To configure the access port on a Cisco IP phone connected to the switch port, use the set port qos trust-ext command.

set port qos mod/ports... trust-ext {trusted | untrusted}

Syntax Description

mod/ports...

Number of the module and the ports on the module.

trusted

Specifies that all traffic received through the access port passes through the phone switch unchanged.

untrusted

Specifies that all traffic in 802.1Q or 802.1p frames received through the access port is marked with a configured Layer 2 CoS value.


Defaults

The default when the phone is connected to a Cisco LAN switch is untrusted mode; trusted mode is the default when the phone is not connected to a Cisco LAN switch.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

This command is not supported by the NAM.

Traffic in frame types other than 802.1Q or 802.1p passes through the phone switch unchanged, regardless of the access port trust state.

Examples

This example shows how to set the trust extension on ports on the connected phone to a trusted state:

Console> (enable) set port qos 3/7 trust-ext trusted
Port in the phone device connected to port 3/7 is configured to be trusted.
Console> (enable) 

Related Commands

set port qos
set port qos cos
show qos info
show port qos

set port rsvp dsbm-election

To specify whether or not the switch participates in the Designated Subnet Bandwidth Manager (DSBM) election on that particular segment, use the set port rsvp dsbm-election command.

set port rsvp mod/port dsbm-election enable | disable [dsbm_priority]

Syntax Description

mod/port

Number of the module and the port.

enable

Enables participation in the DSBM election.

disable

Disables participation in the DSBM election.

dsbm_priority

(Optional) DSBM priority; valid values are from 128 to 255.


Defaults

By default, DSBM is disabled; the default dsbm_priority is 128.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

This command is not supported by the NAM.

Examples

This example shows how to enable participation in the DSBM election:

Console> (enable) set port rsvp 2/1,3/2 dsbm-election enable 232
DSBM election enabled for ports 2/1,3/2.
DSBM priority set to 232 for ports 2/1,3/2.
This DSBM priority will be used during the next election process.
Console> (enable) 

This example shows how to disable participation in the DSBM election:

Console> (enable) set port rsvp 2/1 dsbm-election disable
DSBM election disabled for ports(s)  2/1.
Console> (enable) 

This example shows the output when you enable participation in the DSBM election on a port that is not forwarding:

Console> (enable) set port rsvp 2/1,3/2 dsbm-election enable 232
DSBM enabled and priority set to 232 for ports 2/1,3/2.
Warning: Port 2/1 not forwarding. DSBM negotiation will start after port starts forwarding 
on the native vlan.
Console> (enable) 

Related Commands

show port rsvp

set port security

To configure port security on a port or range of ports, use the set port security command.

set port security mod[/port...] [enable | disable] [mac_addr] [age {age_time}] [maximum {num_of_mac}] [shutdown {shutdown_time}] [unicast-flood {enable | disable}] [violation {shutdown | restrict}]

set port security mod/port timer-type {absolute | inactivity}

set port security auto-configure {enable | disable}

set port security mod/port mac_addr [vlan_list]

Syntax Description

mod[/port...]

Number of the module and optionally, the port on the module.

enable

(Optional) Enables port security or unicast flooding.

disable

(Optional) Disables port security or unicast flooding.

mac_addr

(Optional) Secure MAC address of the enabled port.

age age_time

(Optional) Specifies the duration for which addresses on the port will be secured; valid values are 0 (to disable) and from 1 to 1440 (minutes).

maximum num_of_mac

(Optional) Specifies the maximum number of MAC addresses to secure on the port; valid values are from 1 to 4097.

shutdown shutdown_time

(Optional) Specifies the duration for which a port will remain disabled in case of a security violation; valid values are 0 (to disable) and from 1 to 1440 (minutes).

unicast-flood

(Optional) Specifies unicast flooding.

violation

(Optional) Specifies the action to be taken in the event of a security violation.

shutdown

(Optional) Shuts down the port in the event of a security violation.

restrict

(Optional) Restricts packets from unsecure hosts.

mod/port

Number of the module and the port on the module.

timer-type

Specifies the type of aging to be applied to the autoconfigured addresses on a per-port basis.

absolute

Specifies absolute aging. See the "Usage Guidelines" section for more information.

inactivity

Specifies inactivity aging. See the "Usage Guidelines" section for more information.

auto-configure

Automatically configures all learned MAC addresses on a secure port. See the "Usage Guidelines" section for more information.

enable

Enables the automatic configuration feature.

disable

Disables the automatic configuration feature.

mac_addr

MAC address. See the "Usage Guidelines" section for more information.

vlan_list

(Optional) VLAN or list of VLANs. See the "Usage Guidelines" section for more information.


Defaults

The default port security configuration is as follows:

Port security is disabled.

Number of secure addresses per port is one.

Violation action is shutdown.

Age is permanent. (Addresses are not aged out.)

Shutdown time is indefinite.

Timer type is set to absolute aging.

Unicast flooding is enabled.

The automatic configuration feature is disabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

This command is not supported by the NAM.

If you enter the set port security enable command but do not specify a MAC address, the first MAC address seen on the port becomes the secure MAC address.

You can specify the number of MAC addresses to secure on a port. You can add MAC addresses to this list of secure addresses. If you change the number of addresses to a value that is less than the current value, some configured addresses might be cleared. A warning message displays when you attempt to reduce the number of addresses.

The set port security violation command allows you to specify whether you want the port to shut down or to restrict access to insecure MAC addresses only. The shutdown time allows you to specify the duration of shutdown in the event of a security violation.

We recommend that you configure the age timer and the shutdown timer if you want to move a host from one port to another when port security is enabled on those ports. If the age_time value is less than or equal to the shutdown_time value, the moved host will function again in an amount of time equal to the shutdown_time value. The age timer begins upon learning the first MAC address, and the disable timer begins when there is a security violation.

If you disable unicast flooding on a port, the port will drop unicast flood packets when it reaches the maximum number of MAC addresses allowed.

You can secure only unicast MAC addresses through the CLI. Unicast MAC addresses can also be learned dynamically. Multicast MAC addresses cannot be secured.

You can apply one of two types of aging for automatically learned addresses on a secure port:

Absolute aging times out the MAC address after the age_time has been exceeded, regardless of the traffic pattern. This is the default for any secured port, and the age_time is set to 0.

Inactivity aging times out the MAC address only after the age_time of inactivity from the corresponding host has been exceeded.

Enabling the automatic configuration feature automatically configures learned MAC addresses on secure ports. If a secure port shuts down because of a violation, if the port is disabled, or if port security is disabled, all learned MAC addresses are converted to configured MAC addresses and retained on the port. If this feature is disabled and the secure port experiences any of the same conditions, all learned MAC addresses are cleared.

When you configure a MAC address on a port, you can associate a VLAN or multiple VLANs with that MAC address by entering the set port security mod/port mac_addr [vlan_list] command. If you do not specify a vlan_list argument, the MAC address is configured on the native VLAN of the specified port.

Examples

This example shows how to set port security with a learned MAC address:

Console> (enable) set port security 3/1 enable
Port 3/1 port security enabled with the learned mac address.
Console> (enable)

This example shows how to set port security with a specific MAC address:

Console> (enable) set port security 3/1 enable 00-02-03-04-05-06
Port 3/1 port security enabled with 00-02-03-04-05-06 as the secure mac address.
Console> (enable)

This example shows how to set the maximum MAC address limit to 10:

Console> (enable) set port security 3/37 max 10
Setting the Maximum Addresses Limit to a value lesser than the 
current value might result in configured addresses getting cleared
Do you want to continue (y/n) [n]?y
Port 3/37 security maximum address 10.
Console> (enable)

This example shows how to set the shutdown time to 600 minutes on port 7/7:

Console> (enable) set port security 7/7 shutdown 600
Secure address shutdown time set to 600 minutes for port 7/7.
Console> (enable)

This example shows how to configure the port to drop all packets that are coming in on the port from insecure hosts:

Console> (enable) set port security 7/7 violation restrict
Port security violation on port 7/7 will cause insecure packets to be dropped.
Console> (enable) 

This example shows how to enable unicast flooding on port 4/1:

Console> (enable) set port security 4/1 unicast-flood enable
Port 4/1 security flood mode set to enable.
Console> (enable) 

This example shows how to disable unicast flooding on port 4/1:

Console> (enable) set port security 4/1 unicast-flood disable
WARNING: Trunking & Channelling will be disabled on the port. 
Port 4/1 security flood mode set to disable.
Console> (enable)

This example shows how to set the aging type on a port to absolute aging:

Console> (enable) set port security 5/1 timer-type absolute 
Port 5/1 security timer type absolute. 
Console> (enable)

This example shows how to set the aging type on a port to inactivity aging:

Console> (enable) set port security 5/1 timer-type inactivity
Port 5/1 security timer type inactive.
Console> (enable)

This example shows how to enable the automatic configuration feature:

Console> (enable) set port security auto-configure enable
Automatic configuration of secure learnt addresses enabled.
Console> (enable)

This example shows how to associate a MAC address with a list of VLANs:

Console> (enable) set port security 3/37 00-00-aa-00-00-aa 20,30
Mac address 00-00-aa-00-00-aa set for port 3/37 on vlan 20.
Mac address 00-00-aa-00-00-aa set for port 3/37 on vlan 30.
Console> (enable)

This example shows what happens if you configure a secure MAC address without specifying the vlan_list argument. Note that the MAC address is automatically configured on the native VLAN:

Console> (enable) set port security 3/38 00-00-aa-00-00-aa
Mac address 00-00-aa-00-00-aa set for port 3/38 on vlan 1 
Console> (enable)

If a specified VLAN is not the native VLAN of the port (in the case of an access port) or if it is not an allowed VLAN on a trunk port, the command results in these messages:

Console> (enable) set port security 3/38 00-00-aa-00-00-aa 20
Vlan 20 is not the native vlan for access port 3/38.
Console> (enable)

Console> (enable) set port security 3/37 00-00-aa-00-00-aa 20,30,100
Vlan 100 is not a configured vlan on trunk/vvid port 3/37
Console> (enable)
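The following added example (not Cisco code and not part of the original reference) replays set port security commands against the defaults and value ranges listed above to show the effective per-port state, and models the two aging types from the usage guidelines. The function names, the "native" placeholder for an omitted vlan_list, the rule that a rejected line changes nothing, and the minute-granularity aging model are assumptions of this sketch.

```python
import re

# Defaults from the "Defaults" section of set port security.
DEFAULTS = {"enabled": False, "maximum": 1, "violation": "shutdown",
            "age": 0,        # 0 = permanent, addresses are not aged out
            "shutdown": 0,   # 0 = shutdown time is indefinite
            "timer_type": "absolute", "unicast_flood": True}
# Valid values from the "Syntax Description" section.
RANGES = {"age": (0, 1440), "shutdown": (0, 1440), "maximum": (1, 4097)}
CHOICES = {"violation": ("shutdown", "restrict"),
           "timer-type": ("absolute", "inactivity"),
           "unicast-flood": ("enable", "disable")}
MAC_RE = re.compile(r"(?:[0-9a-f]{2}-){5}[0-9a-f]{2}", re.I)
VLANS_RE = re.compile(r"\d+(?:,\d+)*")

def expand_ports(spec):
    """Expand '3/1', '7/4-8' or '2/1,3/2'; the module-only form is not handled."""
    ports = []
    for part in spec.split(","):
        mod, _, rng = part.partition("/")
        lo, _, hi = rng.partition("-")
        ports += [f"{mod}/{p}" for p in range(int(lo), int(hi or lo) + 1)]
    return ports

def parse_options(args):
    """Turn the tokens after mod/port into (settings, {mac: vlans})."""
    change, macs = {}, {}
    while args:
        kw = args.pop(0)
        if kw in ("enable", "disable"):
            change["enabled"] = kw == "enable"
        elif MAC_RE.fullmatch(kw):
            listed = bool(args) and VLANS_RE.fullmatch(args[0])
            macs[kw.lower()] = args.pop(0).split(",") if listed else ["native"]
        elif kw in ("age", "shutdown", "maximum", "max"):  # "max" as typed in the page's example
            key = "maximum" if kw == "max" else kw
            val, (lo, hi) = int(args.pop(0)), RANGES[key]
            if not lo <= val <= hi:
                raise ValueError(f"{key} {val} is outside {lo}-{hi}")
            change[key] = val
        elif kw in CHOICES:
            val = args.pop(0)
            if val not in CHOICES[kw]:
                raise ValueError(f"{kw} does not accept {val!r}")
            key = kw.replace("-", "_")
            change[key] = (val == "enable") if kw == "unicast-flood" else val
        else:
            raise ValueError(f"unknown keyword {kw!r}")
    return change, macs

def resolve(config_lines):
    """Replay commands in order; return (per-port state, auto_configure, errors)."""
    ports, auto_configure, errors = {}, False, []
    for line in config_lines:
        tok = line.split()
        if tok[:3] != ["set", "port", "security"] or len(tok) < 5:
            continue
        if tok[3] == "auto-configure":
            auto_configure = tok[4] == "enable"
            continue
        try:
            targets = expand_ports(tok[3])
            change, macs = parse_options(tok[4:])
        except (ValueError, IndexError) as exc:
            errors.append(f"{line}: {exc}")  # assumption: a rejected line changes nothing
            continue
        for port in targets:
            state = ports.setdefault(port, dict(DEFAULTS, macs={}))
            state.update(change)
            state["macs"].update(macs)
    return ports, auto_configure, errors

def expires_at(learned, frames_seen, age, timer_type):
    """Minute at which a learned address ages out, or None if it never does."""
    if age == 0:
        return None
    if timer_type == "absolute":
        return learned + age  # traffic pattern is ignored
    last = learned            # inactivity: a frame inside the window restarts it
    for minute in sorted(frames_seen):
        if minute - last > age:
            break
        last = minute
    return last + age

# Constructed input: the page's own example commands plus one out-of-range age.
SAMPLE = [
    "set port security 3/1 enable 00-02-03-04-05-06",
    "set port security 3/37 max 10", "set port security 7/7 shutdown 600",
    "set port security 7/7 violation restrict",
    "set port security 5/1 timer-type inactivity",
    "set port security 3/37 00-00-aa-00-00-aa 20,30",
    "set port security auto-configure enable", "set port security 7/7 age 2000",
]

if __name__ == "__main__":
    state, auto, errs = resolve(SAMPLE)
    for port, cfg in state.items():
        print(port, cfg)
    print("auto-configure:", auto, "| rejected:", errs)
```

Note that port 3/37 ends up with a maximum and a configured address but with port security still disabled, because none of the replayed commands enabled it.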

Related Commands

clear port security
show config
show port security

set port security-acl

To specify the port access control list (PACL) mode, use the set port security-acl command.

set port security-acl mod/ports... {port-based | vlan-based | merge}

Syntax Description

mod/ports...

Number of the module and the ports on the module.

port-based

Specifies the mode in which the PACL overrides the VACL and RACL.

vlan-based

Specifies the mode in which the VACL and RACL override the PACL.

merge

Specifies the mode in which the ingress PACL, VACL, and RACL merge.


Defaults

The port security ACL mode is vlan-based to keep the existing VACL configuration active.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

Configuring port access control lists is only available on PFC3-based forwarding engines.

For more information about PACLs, refer to the "Configuring Access Control" chapter of the Catalyst 6500 Series Switch Software Configuration Guide.

Examples

This example shows how to set the PACL mode to port-based mode on port 3/1:

Console> (enable) set port security-acl 3/1 port-based
Warning: Vlan-based ACL features will be disabled on port(s) 3/1.
ACL interface is set to port-based mode for port(s) 3/1.
Console> (enable)

This example shows how to set the PACL mode to VLAN-based mode on port 3/1:

Console> (enable) set port security-acl 3/1 vlan-based
ACL interface is set to vlan-based mode for port(s) 3/1.
Console> (enable)

This example shows how to set the PACL mode to merge mode on port 3/1:

Console> (enable) set port security-acl 3/1 merge
ACL interface is set to merge mode for port(s) 3/1.
Console> (enable)

This example shows the message that displays when merge mode cannot work because a port is a trunk port:

Console> (enable) set port security-acl 3/1-4 merge
ACL interface cannot be in merge mode on multi-vlan access port 3/1.
ACL interface is set to merge mode for port(s) 3/2.
ACL interface is set to merge mode for port(s) 3/3.
ACL interface is set to merge mode for port(s) 3/4.
Console> (enable)

Related Commands

show port security-acl

set port speed

To configure the speed of a port interface, use the set port speed command.

set port speed mod/port {10 | 100 | 1000 | auto | auto-10-100}

Syntax Description

mod/port

Number of the module and the port on the module.

10 | 100 | 1000

Sets a port speed for 10BASE-T, 100BASE-T, or 1000BASE-T ports.

auto

Specifies autonegotiation for transmission speed and duplex mode on 10/100 Fast Ethernet ports.

auto-10-100

Specifies autonegotiation for speed and duplex mode on 10/100/1000 Fast Ethernet ports. Only 10-Mbps and 100-Mbps Fast Ethernet ports are negotiated; 1000-Mbps Fast Ethernet ports are not negotiated.


Defaults

The default is auto.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

This command is not supported by the NAM.

In most cases, autonegotiation manages transmission speed, duplex mode, the master link, and the slave link. The exception applies to 16-port 10/100/1000BASE-T Ethernet modules, where autonegotiation manages transmission speed only.

You can configure Fast Ethernet interfaces on the 10/100-Mbps Fast Ethernet switching module to either 10, 100, or 1000 Mbps, or to autosensing mode, allowing the interfaces to sense and distinguish between 10- and 100-Mbps port transmission speeds and full-duplex or half-duplex port transmission types at a remote port connection. If you set the interfaces to autosensing, they configure themselves automatically to operate at the proper speed and transmission type.

Examples

This example shows how to configure port 1, module 2 to auto:

Console> (enable) set port speed 2/1 auto
Port 2/1 speed set to auto-sensing mode.
Console> (enable)

This example shows how to configure the port speed on port 2, module 2 to 10 Mbps:

Console> (enable) set port speed 2/2 10
Port 2/2 speed set to 10 Mbps.
Console> (enable)

Related Commands

show port

set port sync-restart-delay

To specify the synchronization restart delay of a port, use the set port sync-restart-delay command.

set port sync-restart-delay mod/port delay

Syntax Description

mod/port

Number of the module and the port on the module.

delay

Delay time in milliseconds; the delay range is 200 to 60000 milliseconds (60 seconds).


Defaults

The default delay time is 210 milliseconds.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

Usually, the more dense wavelength division multiplexing (DWDM) equipment you have in the network, the longer the synchronization delay should be.

The set port sync-restart-delay and show port sync-restart-delay commands are available in both binary mode and text configuration mode.

Use the clear config command to reset the synchronization delay to 210 milliseconds.

Examples

This example shows how to display the synchronization restart delay for the ports:

Console> (enable) show port sync-restart-delay 
Port   Sync restart delay in ms    Sync restart delay in ms
                admin                       oper
-----  -------------------------  -------------------------
 1/1              210                      210
 1/2              210                      210
 1/3              210                      210
 1/4              210                      210
 1/5              210                      210
 1/6              210                      210
 1/7              210                      210
 1/8              210                      210
 1/9              210                      210
 1/10             210                      210
 1/11             210                      210
 1/12             210                      210
 1/13             210                      210
 1/14             210                      210
 1/15             210                      210
 1/16             210                      210
 2/1              210                      210
 2/2              210                      210

Related Commands

clear config
show port sync-restart-delay

set port trap

To enable or disable the operation of the standard Simple Network Management Protocol (SNMP) link trap (up or down) for a port or range of ports, use the set port trap command.

set port trap mod/port {enable | disable}

Syntax Description

mod/port

Number of the module and the port on the module.

enable

Activates the SNMP link trap.

disable

Deactivates the SNMP link trap.


Defaults

By default, all port traps are disabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

This command is not supported by the NAM.

To set SNMP traps, enter the set snmp trap command.

Examples

This example shows how to enable the SNMP link trap for module 1, port 2:

Console> (enable) set port trap 1/2 enable
Port 1/2 up/down trap enabled.
Console> (enable)

Related Commands

show port trap

set port unicast-flood

To configure the switch to drop Unicast Flood traffic on an Ethernet port, use the set port unicast-flood command.

set port unicast-flood mod/port {enable | disable}

Syntax Description

mod/port

Number of the module and the port on the module.

enable

Enables unicast flood and disables unicast flood blocking.

disable

Disables unicast flood and enables unicast flood blocking.


Defaults

Unicast flood blocking is disabled on all ports.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

Only Ethernet ports can block unicast flood traffic.

You must have a static CAM entry associated with the Ethernet port before you disable unicast flood on the port, or you will lose network connectivity when you disable unicast flood. You can verify a static CAM entry exists by entering the show cam static command.

You cannot configure a port channel on a unicast flood disabled port, and you cannot disable unicast flood on a port channel.

You cannot disable unicast flood on a SPAN destination port, and you cannot configure a SPAN destination on a unicast flood disabled port.

You cannot disable unicast flood on a trunk port. If you do, an error message will be displayed.

If you disable unicast flood on an Ethernet port that has port security enabled on it, the switch stops sending Unicast Flood packets to the port once the switch has learned the allowed maximum number of MAC addresses. When the learned MAC address count drops below the maximum number allowed, unicast flooding is automatically reenabled.

Unicast flood blocking and GARP VLAN Registration Protocol (GVRP) are mutually exclusive. You cannot disable unicast flood and exchange VLAN configuration information with GVRP switches at the same time.

Examples

This example shows how to disable unicast flood traffic on module 4, port 1 of a switch:

Console> (enable) set port unicast-flood 4/1 disable
WARNING: Trunking & Channelling will be disabled on the port.
Unicast Flooding is successfully disabled on the port 4/1.
Console> (enable) 

This example shows how to enable unicast flood traffic on module 4, port 1 of a switch:

Console> (enable) set port unicast-flood 4/1 enable
Unicast Flooding is successfully enabled on the port 4/1. 
Console> (enable) 

Related Commands

show port unicast-flood

set port vlan-mapping

To configure VLAN mapping on a per-port basis, use the set port vlan-mapping command.

set port vlan-mapping mod/port {enable | disable}

set port vlan-mapping mod/port source_vlan_id translated_vlan_id

Syntax Description

mod/port

Number of the module and the port on the module.

enable

Enables VLAN mapping.

disable

Disables VLAN mapping.

source_vlan_id

Number of the source VLAN; valid values are from 1 to 4094.

translated_vlan_id

Number of the VLAN that is mapped to the source VLAN; valid values are from 1 to 4094.


Defaults

VLAN mapping is disabled on all ports.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

VLAN mapping occurs only if you enter the set port vlan-mapping mod/port enable command and only if the port is operationally trunking. The set port vlan-mapping mod/port source_vlan_id translated_vlan_id command takes effect only after VLAN mapping is enabled.

When you enable VLAN mapping and specify a source_vlan_id value and a translated_vlan_id value, traffic coming in on a trunk port with the source_vlan_id value is translated to the VLAN with the translated_vlan_id value. Also, any traffic internally tagged with the translated_vlan_id value is tagged with the source_vlan_id value before leaving the port.

Some port ASICs support VLAN mapping only on a per-ASIC basis, but VLAN mapping is enabled or disabled on a per-port basis. With these types of ASICs, the set port vlan-mapping mod/port {enable | disable} command is applied only to the port configuration and not to the ASIC.

You cannot enable global VLAN mapping and per-port/per-ASIC VLAN mapping simultaneously.

Examples

This example shows how to enable VLAN mapping on a specified port:

Console> (enable) set port vlan-mapping 7/1 enable
VLAN mapping enabled on port 7/1.
Console> (enable)

This example shows how to enable port VLAN mapping and to configure VLAN mapping on an individual port. In this example, module 7 is the 48-port 10/100/1000 switching module (WS-X6748-GE-TX). This module supports per-ASIC VLAN mapping; 1 ASIC supports 12 ports.

Console> (enable) set port vlan-mapping 7/1 enable
VLAN mapping enabled on port 7/1.
Console> (enable) set port vlan-mapping 7/1 2002 3003
VLAN 2002 mapped to VLAN 3003 on ports 7/1-12.
Console> (enable)

In this example, module 5 is the 1-port 10GBASE-E serial 10-Gigabit Ethernet module (WS-X6502-10GE). This module supports per-port VLAN mapping.

Console> (enable) set port vlan-mapping 5/1 2002 3003
VLAN 2002 mapped to VLAN 3003 on port 5/1.
Console> (enable)

In this example, module 7 is the 48-port 10/100/1000 switching module (WS-X6748-GE-TX). This module supports per-ASIC VLAN mapping; 1 ASIC supports 12 ports. In this example, ports 7/1-4 are part of an EtherChannel.

Console>(enable) set port vlan-mapping 7/1 2002 3003 
VLAN 2002 mapped to VLAN 3003 on ports 7/1-12.
Console>(enable)
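The following added example (not Cisco code and not part of the original reference) models the behavior described above: a mapping entered on one port of a per-ASIC module lands on every port of that ASIC, while translation on a given port still requires that port to be enabled and operationally trunking. The function names are hypothetical, and grouping ports into contiguous blocks of 12 starting at port 1 is an assumption consistent with the "ports 7/1-12" output above.

```python
# Ports per ASIC for modules that map per ASIC. The page gives 12 for module 7
# (WS-X6748-GE-TX); module 5 (WS-X6502-10GE) maps per port and is not listed.
ASIC_SIZE = {"7": 12}


def asic_ports(port):
    """Ports that share a mapping table with `port`."""
    mod, num = port.split("/")
    size = ASIC_SIZE.get(mod)
    if size is None:
        return [port]
    first = (int(num) - 1) // size * size + 1
    return [f"{mod}/{p}" for p in range(first, first + size)]


def load(commands):
    """Replay set port vlan-mapping commands.

    Returns (enabled ports, {port: {source: translated}}, ports typed by hand).
    """
    enabled, tables, direct = set(), {}, set()
    for cmd in commands:
        tok = cmd.split()
        if tok[:3] != ["set", "port", "vlan-mapping"] or len(tok) < 5:
            continue
        port, args = tok[3], tok[4:]
        if args[0] == "enable":
            enabled.add(port)
        elif args[0] == "disable":
            enabled.discard(port)
        else:
            if len(args) != 2:
                raise ValueError(f"expected source and translated VLAN: {cmd}")
            src, dst = int(args[0]), int(args[1])
            if not (1 <= src <= 4094 and 1 <= dst <= 4094):
                raise ValueError(f"VLAN IDs must be 1-4094: {cmd}")
            direct.add(port)
            for p in asic_ports(port):
                tables.setdefault(p, {})[src] = dst
    return enabled, tables, direct


def ingress_vlan(port, tag, enabled, tables, trunking):
    """VLAN that a frame tagged `tag` is placed in when it enters `port`."""
    if port not in enabled or port not in trunking:
        return tag
    return tables.get(port, {}).get(tag, tag)


def egress_tag(port, vlan, enabled, tables, trunking):
    """Tag written on a frame from internal `vlan` when it leaves `port`."""
    if port not in enabled or port not in trunking:
        return vlan
    reverse = {dst: src for src, dst in tables.get(port, {}).items()}
    return reverse.get(vlan, vlan)


def inherited(tables, direct):
    """Ports holding a mapping only because an ASIC neighbour was configured."""
    return sorted(set(tables) - direct,
                  key=lambda p: tuple(int(x) for x in p.split("/")))


# Constructed input: the page's example commands plus an enable on 7/9.
SAMPLE = [
    "set port vlan-mapping 7/1 enable",
    "set port vlan-mapping 7/1 2002 3003",
    "set port vlan-mapping 5/1 2002 3003",
    "set port vlan-mapping 7/9 enable",
]
TRUNKING = {"7/1", "7/9", "5/1"}   # constructed: ports operationally trunking

if __name__ == "__main__":
    enabled, tables, direct = load(SAMPLE)
    print("mapping inherited via ASIC:", inherited(tables, direct))
    for port in ("7/1", "7/2", "7/9", "5/1"):
        print(port, "ingress 2002 ->",
              ingress_vlan(port, 2002, enabled, tables, TRUNKING))
```

In this model, port 7/9 translates VLAN 2002 even though no mapping was ever entered on it, which is the side effect to look for when reviewing a per-ASIC module.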

Related Commands

clear port vlan-mapping
show port vlan-mapping

set port voice interface dhcp

To set the port voice interface for the DHCP, TFTP, and DNS servers, use the set port voice interface dhcp command.

set port voice interface mod/port dhcp enable [vlan vlan]

set port voice interface mod/port dhcp disable {ipaddrspec} {tftp ipaddr} [vlan vlan]
[gateway ipaddr] [dns [ipaddr] [domain_name]]

Syntax Description

mod/port

Number of the module and the port on the module.

enable

Enables DHCP on the port.

vlan vlan

(Optional) Specifies a VLAN interface; valid values are from 1 to 4094.

disable

Disables DHCP on the port.

ipaddrspec

IP address and mask; see the "Usage Guidelines" section for format instructions.

tftp ipaddr

Specifies the number of the TFTP server IP address or IP alias in dot notation a.b.c.d.

gateway ipaddr

(Optional) Specifies the number of the gateway server IP address or IP alias in dot notation a.b.c.d.

dns

(Optional) Specifies the DNS server.

ipaddr

(Optional) Number of the DNS IP address or IP alias in dot notation a.b.c.d.

domain_name

(Optional) Name of the domain.


Defaults

This command has no default settings.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

The ipaddrspec format is {ipaddr} {mask} or {ipaddr}/{mask} {mask}. The mask is a dotted format (255.255.255.0) or number of bits (0 to 31).

You can specify a single port only when setting the IP address.

If you enable DHCP on a port, the port obtains all other configuration information from the TFTP server. When you disable DHCP on a port, the following mandatory parameters must be specified:

If you do not specify DNS parameters, the software uses the system DNS configuration on the supervisor engine to configure the port.

You cannot specify more than one port at a time because a unique IP address must be set for each port.

Examples

This example shows how to enable the port voice interface for the DHCP server:

Console> (enable) set port voice interface 7/4-8 dhcp enable 
Port 7/4 DHCP enabled.
Console> (enable)

This example shows how to disable the port voice interface for the DHCP server:

Console> (enable) set port voice interface 7/3 dhcp disable 171.68.111.41/24 tftp 
173.32.43.11 dns 172.20.34.204 cisco.com
Port 7/3 dhcp disabled.
System DNS configurations applied.
Console> (enable)

This example shows how to enable the port voice interface for the DHCP server with a specified VLAN:

Console> (enable) set port voice interface 7/4-6 dhcp enable vlan 3
Vlan 3 configuration successful
Ports 7/4-6 DHCP enabled.
Console> (enable) 

This example shows how to enable the port voice interface for the TFTP, DHCP, and DNS servers:

Console> (enable) set port voice interface dhcp enable 4/2 171.68.111.41 tftp 173.32.43.11 
dhcp 198.98.4.1 dns 189.69.24.192
Port 4/2 interface set.
IP address: 171.68.111.41 netmask 255.255.0.0
TFTP server: 173.32.43.11
DHCP server: 198.98.4.1
DNS server: 189.69.24.192
Console> (enable)

This example shows how to enable a single port voice interface:

Console> (enable) set port voice interface 4/2-9 dhcp 123.23.32.1/24
Single port must be used when setting the IP address.
Console> (enable)

Related Commands

show port voice interface

set port vtp

To enable or disable VLAN Trunk Protocol (VTP) on a per-port basis, use the set port vtp command.

set port vtp mod/port {enable | disable}

Syntax Description

mod/port

Number of the module and the port on the module.

enable

Activates VTP.

disable

Deactivates VTP.


Defaults

VTP is enabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

The set port vtp command allows you to enable or disable any kind of VTP interaction on a per-port basis, which may be useful on trunks leading to non-trusted hosts. When a port is disabled, no VTP packet is sent on the port, and any VTP packet received on the port is dropped.

Examples

This example shows how to disable VTP on ports 1 and 2 on module 1:

Console> (enable) set port vtp 1/1-2 disable
Port(s) 1/1-2 will no longer participate in VTP.
Console> (enable)

Related Commands

set vtp
show port vtp
show vtp

set port web-auth

To enable or disable web-based proxy authentication on a port or to specify an AAA fail policy for web-based proxy authentication, use the set port web-auth command.

set port web-auth mod/port {disable | enable}

set port web-auth mod/port aaa-fail-policy policy-name

set port web-auth mod/port ip-device-tracking {enable | disable}

Syntax Description

mod/port

Module and port number.

disable

Disables web-based proxy authentication on a port.

enable

Enables web-based proxy authentication on a port.

aaa-fail-policy

Maps an AAA fail policy for web-based proxy authentication to a specified port.

policy-name

Policy name to be mapped to the port.

ip-device-tracking

Tracks the host using its IP address.

disable

Disables IP device tracking.

enable

Enables IP device tracking.


Defaults

Disabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines


Note: If you have disabled web-based proxy authentication globally, web-based proxy authentication on a port may not start but will be stored in the configuration.


You must enable web-based proxy authentication globally before entering the set port web-auth command. To enable web-based proxy authentication globally, use the set web-auth command.

Before you can use the set port web-auth mod/port aaa-fail-policy policy-name command, the template for the policy must be created.

After you have specified a policy template for a port, any changes to the policy template affect only those hosts that have been moved to AAA fail state after the policy template was changed. Hosts in already existing sessions use the policy template as it was before any changes were made.

When you specify a different policy for a port, hosts in already existing sessions maintain the previously specified policy. The newly specified policy affects only new hosts entering AAA fail state.

Examples

This example shows how to enable web-based proxy authentication on a port:

Console> (enable) set port web-auth 1/1 enable
web-authentication successfully enabled on Interface 1/1.
Console> (enable) 

This example shows how to disable web-based proxy authentication on a port:

Console> (enable) set port web-auth 1/1 disable
web-authentication successfully disabled on Interface 1/1.

This example shows how to enable IP device tracking for web-based proxy authentication on a port:

Console> (enable) set port web-auth 2/25 ip-device-tracking enable
Port 2/25 Web-auth ip-device-tracking is enabled
Console> (enable)

Related Commands

clear web-auth
set port critical
set port web-auth initialize
set web-auth
set web-auth login-attempts
set web-auth login-fail-page
set web-auth login-page
set web-auth quiet-timeout
set web-auth session-timeout
show port web-auth
show web-auth summary

set port web-auth initialize

To initialize a web-based proxy authentication port for authentication again, use the set port web-auth initialize command.

set port web-auth mod/port initialize [ip_addr]

Syntax Description

mod/port

Module and port number.

ip_addr

(Optional) Host IP address.


Defaults

This command has no default settings.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

When you initialize the port by entering the set port web-auth initialize command, you are returning the port to the first state. In this state, the IP address of the host is registered with URL redirection for redirecting any HTTP packet from this host to the supervisor engine.

If you specify the ip_addr argument, web-based proxy authentication is initialized for that host only. If you do not specify the ip_addr argument, web-based proxy authentication is initialized for all hosts.

You must enable web-based proxy authentication globally and the individual port before you can initialize a web-based proxy authentication port for authentication again. To enable web-based proxy authentication globally, use the set web-auth command. To enable web-based proxy authentication for an individual port, use the set port web-auth command.

Examples

This example shows how to initialize web-based proxy authentication again for all hosts on a port:

Console> (enable) set port web-auth 2/1 initialize
Initialized web-authentication for all hosts on port 2/1.
Console> (enable) 

This example shows how to initialize web-based proxy authentication again for a specific host on a port:

Console> (enable) set port web-auth 2/1 initialize 10.76.34.45
Initialized web authentication for 10.76.34.45 on port 2/1

Console> (enable)

Related Commands

clear web-auth
set port web-auth
set web-auth
set web-auth login-attempts
set web-auth login-fail-page
set web-auth login-page
set web-auth quiet-timeout
set web-auth session-timeout
show port web-auth
show web-auth summary

set power redundancy

To turn redundancy between the power supplies on or off, use the set power redundancy command.

set power redundancy {enable | disable}

Syntax Description

enable

Activates redundancy between the power supplies.

disable

Deactivates redundancy between the power supplies.


Defaults

By default, power redundancy is enabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

In a system with dual power supplies, this command turns redundancy on or off between the power supplies. In a redundant configuration, the power available to the system is the maximum power capability of the weakest power supply.

In a nonredundant configuration, the power available to the system is the sum of the power capability of both power supplies.

Examples

This example shows how to activate redundancy between power supplies:

Console> (enable) set power redundancy enable
Power supply redundancy enabled.
Console> (enable)

This example shows how to deactivate redundancy between power supplies:

Console> (enable) set power redundancy disable
Power supply redundancy disabled.
Console> (enable) 

Related Commands

show environment
show system

set prompt

To change the prompt for the CLI, use the set prompt command.

set prompt prompt_string

Syntax Description

prompt_string

String to use as the command prompt.


Defaults

By default, the prompt is set to Console>.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

If you use the set system name command to assign a name to the switch, the switch name is used as the prompt string. However, if you specify a different prompt string using the set prompt command, that string is used for the prompt.

Examples

This example shows how to set the prompt to system100>:

Console> (enable) set prompt system100>
system100> (enable)

Related Commands

set system name

set protocolfilter

To activate or deactivate protocol filtering on Ethernet VLANs and on nontrunking Ethernet, Fast Ethernet, and Gigabit Ethernet ports, use the set protocolfilter command.

set protocolfilter {enable | disable}

Syntax Description

enable

Activates protocol filtering.

disable

Deactivates protocol filtering.


Defaults

By default, protocol filtering is disabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

This command is not supported by the NAM.

Protocol filtering is supported only on Ethernet VLANs and on nontrunking EtherChannel ports.

This feature is not supported on the Supervisor Engine 720 with PFC3.

Examples

This example shows how to activate protocol filtering:

Console> (enable) set protocolfilter enable
Protocol filtering enabled on this switch.
Console> (enable)

This example shows how to deactivate protocol filtering:

Console> (enable) set protocolfilter disable
Protocol filtering disabled on this switch.
Console> (enable)

Related Commands

show protocolfilter

set pvlan

To bind the isolated or community VLAN to the primary VLAN and assign the isolated or community ports to the private VLAN, use the set pvlan command.

set pvlan primary_vlan {isolated_vlan | community_vlan | twoway_community_vlan} [mod/port | sc0]


Caution: We recommend that you read and understand the "Configuring VLANs" chapter in the Catalyst 6500 Series Software Configuration Guide before using this command.

Syntax Description

primary_vlan

Number of the primary VLAN.

isolated_vlan

Number of the isolated VLAN.

community_vlan

Number of the community VLAN.

twoway_community_vlan

Number of the two-way community VLAN.

mod/port

(Optional) Module and port numbers of the isolated or community ports.

sc0

(Optional) Specifies the inband port sc0.


Defaults

This command has no default settings.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

You must set the primary VLAN, isolated VLAN, and community VLANs using the set vlan pvlan-type pvlan_type command before making the association with the set pvlan command.

Each isolated or community VLAN can have only one primary VLAN associated with it. A primary VLAN may have one isolated or multiple community VLANs associated with it.

Although you can configure sc0 as a private port, you cannot configure sc0 as a promiscuous port.

Examples

This example shows how to map VLANs 901, 902, and 903 (isolated or community VLANs) to VLAN 7 (the primary VLAN):

Console> (enable) set pvlan 7 901 4/3
Port 4/3 is successfully assigned to vlan 7, 901 and is made an isolated port.
Console> (enable) set pvlan 7 902 4/4-5
Ports 4/4-5 are successfully assigned to vlan 7, 902 and are made community ports.
Console> (enable) set pvlan 7 903 4/6-7
Ports 4/6-7 are successfully assigned to vlan 7, 903 and are made community ports.
Console> (enable) set pvlan 300 301 sc0
Successfully set the following ports to Private Vlan 300, 301:
sc0
Console> (enable)

This example shows the message that appears when VLAN port-provisioning verification is enabled:

Console> (enable) set pvlan 20 30 2/2
Port Provisioning Verification is enabled on the switch.
To move port(s) into the VLAN
Use 'set pvlan <primary_vlan> <secondary_vlan> <port> <pri_vlan_name> <sec_vlan_name>' 
command.
Console> (enable)

Related Commands

clear config pvlan
clear pvlan mapping
clear vlan
set pvlan mapping
set vlan
set vlan verify-port-provisioning
show pvlan
show pvlan capability
show pvlan mapping
show vlan
show vlan verify-port-provisioning

set pvlan mapping

To map isolated or community VLANs to the primary VLAN on the promiscuous port, use the set pvlan mapping command.

set pvlan mapping primary_vlan {isolated_vlan | community_vlan | twoway_community_vlan} mod/port

Syntax Description

primary_vlan

Number of the primary VLAN.

isolated_vlan

Number of the isolated VLAN.

community_vlan

Number of the community VLAN.

twoway_community_vlan

Number of the two-way community VLAN.

mod/port

Module and port number of the promiscuous port.


Defaults

This command has no default settings.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

You must set the primary VLAN, isolated VLANs, and community VLANs using the set vlan pvlan-type command combined with the set pvlan command before you can apply the VLANs on any of the promiscuous ports with the set pvlan mapping command.

You should connect the promiscuous port to an external device for the ports in the private VLAN to communicate with any other device outside the private VLAN.

You should apply this command for each primary or isolated (community) association in the private VLAN.

Examples

This example shows how to remap community VLAN 903 to the primary VLAN 901 on ports 3 through 5 on module 8:

Console> (enable) set pvlan mapping 901 903 8/3-5
Successfully set mapping between 901 and 903 on 8/3-5.
Console> (enable)
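
The association rules in the set pvlan and set pvlan mapping usage guidelines can be checked before a batch of commands is entered on the switch. The following Python sketch is an added example, not part of the Cisco reference; the function name, the VLAN type labels, and the sample commands are constructed for illustration, and the VLAN types stand in for what was configured with set vlan pvlan-type.

```python
SECONDARY_TYPES = {"isolated", "community", "twoway-community"}  # labels assumed for this example


def audit_pvlan(vlan_types, commands):
    """Return (line_number, message) findings for a list of set pvlan commands."""
    findings = []
    primary_of = {}    # secondary VLAN -> primary VLAN it was bound to
    isolated_of = {}   # primary VLAN -> its one isolated VLAN

    for line_no, line in enumerate(commands, 1):
        words = line.split()
        if words[:2] != ["set", "pvlan"]:
            continue
        mapping = words[2:3] == ["mapping"]
        args = words[3:] if mapping else words[2:]
        if len(args) < 2 or not (args[0].isdigit() and args[1].isdigit()):
            findings.append((line_no, "primary and secondary VLAN numbers are required"))
            continue
        primary, secondary = int(args[0]), int(args[1])
        port = args[2] if len(args) > 2 else None

        if mapping:
            # Mapping applies to promiscuous ports; sc0 cannot be promiscuous.
            if port is None:
                findings.append((line_no, "mapping needs the promiscuous mod/port"))
            elif port == "sc0":
                findings.append((line_no, "sc0 cannot be configured as a promiscuous port"))
            # The binding must already exist from an earlier set pvlan command.
            if primary_of.get(secondary) != primary:
                findings.append((line_no, f"VLAN {secondary} was not bound to primary "
                                          f"VLAN {primary} with set pvlan first"))
            continue

        # Types must be set with set vlan pvlan-type before the association.
        if vlan_types.get(primary) != "primary":
            findings.append((line_no, f"VLAN {primary} is not typed as primary"))
        kind = vlan_types.get(secondary)
        if kind not in SECONDARY_TYPES:
            findings.append((line_no, f"VLAN {secondary} has no secondary pvlan-type"))

        # Each isolated or community VLAN can have only one primary VLAN.
        bound = primary_of.setdefault(secondary, primary)
        if bound != primary:
            findings.append((line_no, f"VLAN {secondary} is already bound to primary VLAN {bound}"))
        # A primary VLAN may have only one isolated VLAN.
        elif kind == "isolated":
            first = isolated_of.setdefault(primary, secondary)
            if first != secondary:
                findings.append((line_no, f"primary VLAN {primary} already has "
                                          f"isolated VLAN {first}"))
    return findings


# Constructed sample: VLAN types as they would have been set with set vlan pvlan-type.
SAMPLE_TYPES = {7: "primary", 8: "primary", 901: "isolated",
                902: "community", 903: "community", 904: "isolated"}
SAMPLE_COMMANDS = [
    "set pvlan 7 901 4/3",            # isolated VLAN bound to primary 7
    "set pvlan 7 902 4/4-5",          # community VLAN bound to primary 7
    "set pvlan 7 904 4/8",            # second isolated VLAN on primary 7
    "set pvlan 8 902 5/1",            # 902 already belongs to primary 7
    "set pvlan mapping 7 903 8/3-5",  # 903 was never bound with set pvlan
    "set pvlan mapping 7 901 sc0",    # sc0 used as a promiscuous port
]

if __name__ == "__main__":
    for line_no, message in audit_pvlan(SAMPLE_TYPES, SAMPLE_COMMANDS):
        print(f"line {line_no}: {message}")
```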

Related Commands

clear pvlan mapping
clear vlan
set pvlan
set vlan
show pvlan
show pvlan mapping
show vlan

set qos

To turn on or turn off QoS functionality on the switch, use the set qos command.

set qos {enable | disable}

Syntax Description

enable

Activates QoS functionality.

disable

Deactivates QoS functionality.


Defaults

By default, QoS functionality is disabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

Refer to the Catalyst 6500 Series Switch Software Configuration Guide for information on how to change the QoS default configurations.

When you enable and disable QoS in quick succession, a bus timeout might occur.

If you enable or disable QoS on channel ports with different port types, channels might break or form.

Examples

This example shows how to enable QoS:

Console> (enable) set qos enable
QoS is enabled.
Console> (enable)

This example shows how to disable QoS:

Console> (enable) set qos disable
QoS is disabled.
Console> (enable) 

Related Commands

show qos info

set qos acl default-action

To set the ACL default actions, use the set qos acl default-action command.

set qos acl default-action ip {{dscp dscp} | trust-cos | trust-ipprec | trust-dscp} [{microflow microflow_name}] [{aggregate aggregate_name}] [input | output]

set qos acl default-action ipx {{dscp dscp} | trust-cos} [{microflow microflow_name}] [{aggregate aggregate_name}]

set qos acl default-action {ipx | mac} {{dscp dscp} | trust-cos} [{aggregate aggregate_name}] [input | output]

set qos acl default-action trust-override {enable | disable}

Syntax Description

ip

Specifies the IP ACL default actions.

dscp dscp

Sets the DSCP to be associated with packets matching this stream.

trust-cos

Specifies DSCP is derived from the packet CoS.

trust-ipprec

Specifies DSCP is derived from the packet IP precedence.

trust-dscp

Specifies DSCP is contained in the packet already.

microflow microflow_name

(Optional) Specifies the name of the microflow policing rule to be applied to packets matching the ACE.

aggregate aggregate_name

(Optional) Specifies the name of the aggregate policing rule to be applied to packets matching the ACE.

input

(Optional) Specifies the receive side.

output

(Optional) Specifies the transmit side.

ipx

Specifies the IPX ACL default actions.

mac

Specifies the MAC ACL default actions.

trust-override

Specifies the overriding of the QoS classification ACL trust.

enable

Enables the overriding of the QoS classification ACL trust.

disable

Disables the overriding of the QoS classification ACL trust.


Defaults

By default, no ACL is set up. When you enable QoS, the default-action is to classify everything to best effort and to do no policing. When you disable QoS, the default-action is trust-dscp on all packets and no policing.

The overriding of the QoS classification ACL trust is disabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

Configurations you make by entering this command are saved to NVRAM and the switch and do not require that you enter the commit command.

Only PFC3 supports the input and output keywords.

Examples

This example shows how to set up the IP ACL default actions:

Console> (enable) set qos acl default-action ip dscp 5 microflow micro aggregate agg 
QoS default-action for IP ACL is set successfully.
Console> (enable)

This example shows how to set up the IPX ACL default actions:

Console> (enable) set qos acl default-action ipx dscp 5 microflow micro aggregate agg 
QoS default-action for IPX ACL is set successfully.
Console> (enable) 

This example shows how to set up the MAC ACL default actions:

Console> (enable) set qos acl default-action mac dscp 5 microflow micro aggregate agg 
QoS default-action for MAC ACL is set successfully.
Console> (enable)

Related Commands

clear qos acl
show qos acl info

set qos acl ip

To create or add IP access lists, use the set qos acl ip command.

set qos acl ip {acl_name} {{dscp dscp} | trust-cos | trust-ipprec | trust-dscp} [microflow microflow_name] [aggregate aggregate_name] {src_ip_spec} [precedence precedence | dscp-field dscp] [before editbuffer_index | modify editbuffer_index]

set qos acl ip {acl_name} {{dscp dscp} | trust-cos | trust-ipprec | trust-dscp} [microflow microflow_name] [aggregate aggregate_name] {protocol} {src_ip_spec} {dest_ip_spec} [precedence precedence | dscp-field dscp] [before editbuffer_index | modify editbuffer_index]

set qos acl ip {acl_name} {{dscp dscp} | trust-cos | trust-ipprec | trust-dscp} [microflow microflow_name] [aggregate aggregate_name] icmp {src_ip_spec} {dest_ip_spec} [icmp_type [icmp_code] | icmp_message] [precedence precedence | dscp-field dscp] [before editbuffer_index | modify editbuffer_index]

set qos acl ip {acl_name} {{dscp dscp} | trust-cos | trust-ipprec | trust-dscp} [microflow microflow_name] [aggregate aggregate_name] tcp {src_ip_spec} [{operator} {port} [port]] {dest_ip_spec} [{operator} {port} [port]] [established] [precedence precedence | dscp-field dscp] [before editbuffer_index | modify editbuffer_index]

set qos acl ip {acl_name} {{dscp dscp} | trust-cos | trust-ipprec | trust-dscp} [microflow microflow_name] [aggregate aggregate_name] udp {src_ip_spec} [{operator} {port} [port]] {dest_ip_spec} [{operator} {port} [port]] [precedence precedence | dscp-field dscp] [before editbuffer_index | modify editbuffer_index]

set qos acl ip {acl_name} {{dscp dscp} | trust-cos | trust-ipprec | trust-dscp} [microflow microflow_name] [aggregate aggregate_name] igmp {src_ip_spec} {dest_ip_spec} [igmp_type] [precedence precedence | dscp-field dscp] [before editbuffer_index | modify editbuffer_index]

Syntax Description

acl_name

Unique name that identifies the list to which the entry belongs.

dscp dscp

Sets CoS and DSCP from configured DSCP values; valid values are from 0 to 63.

trust-cos

Specifies DSCP is derived from the packet CoS.

trust-ipprec

Specifies DSCP is derived from the packet IP precedence.

trust-dscp

Specifies DSCP is contained in the packet already.

microflow microflow_name

(Optional) Specifies the name of the microflow policing rule to be applied to packets matching the ACE.

aggregate aggregate_name

(Optional) Specifies the name of the aggregate policing rule to be applied to packets matching the ACE.

src_ip_spec

Source IP address and the source mask. See the "Usage Guidelines" section for the format.

precedence precedence

(Optional) Specifies the precedence level to compare with an incoming packet; valid values are from 0 to 7 or by name. See the "Usage Guidelines" section for a list of valid names.

dscp-field dscp

(Optional) Specifies the DSCP field level to compare with an incoming packet. Valid values are from 0 to 63.

before editbuffer_index

(Optional) Inserts the new ACE in front of another ACE.

modify editbuffer_index

(Optional) Replaces an ACE with the new ACE.

protocol

Keyword or number of an IP protocol; valid numbers are from 0 to 255 representing an IP protocol number. See the "Usage Guidelines" section for the list of valid keywords and corresponding numbers.

dest_ip_spec

Destination IP address and the destination mask. See the "Usage Guidelines" section for the format.

icmp

Specifies ICMP.

icmp_type

(Optional) ICMP message type; valid values are from 0 to 255.

icmp_code

(Optional) ICMP message code; valid values are from 0 to 255.

icmp_message

(Optional) ICMP message type name or ICMP message type and code name. See the "Usage Guidelines" section for a list of valid names.

tcp

Specifies TCP.

operator

(Optional) Operands; valid values include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).

port

(Optional) TCP or UDP port number or name; valid port numbers are from 0 to 65535. See the "Usage Guidelines" section for a list of valid names.

established

(Optional) For TCP protocol only; specifies an established connection.

udp

Specifies UDP.

igmp

Specifies IGMP.

igmp_type

(Optional) IGMP message type; valid values are from 0 to 15.


Defaults

By default, there are no ACLs.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

Configurations you make by entering any of these commands are saved to NVRAM and the switch only after you enter the commit command. Enter ACEs in batches and then enter the commit command to save them in NVRAM and the switch.

Use the show qos acl info command to view the edit buffer.

The dscp dscp, trust-cos, trust-ipprec, and trust-dscp keywords and variables are used to select a marking rule. Refer to the Catalyst 6500 Series Switch Software Configuration Guide for additional marking rule information.

The optional microflow microflow_name and aggregate aggregate_name keywords and variables are used to configure policing in the ACE. Refer to the Catalyst 6500 Series Switch Software Configuration Guide for additional policing rule information.

The src_ip_spec, optional precedence precedence, or dscp-field dscp keywords and variables are used to configure filtering.

When you enter the ACL name, follow these naming conventions:

Maximum of 31 characters long and may include a-z, A-Z, 0-9, the dash character (-), the underscore character (_), and the period character (.)

Must start with an alpha character and must be unique across all ACLs of all types

Case sensitive

Cannot be a number

Must not be a keyword; keywords to avoid are all, default-action, map, help, and editbuffer

When you specify the source IP address and the source mask, use the form source_ip_address source_mask and follow these guidelines:

The source_mask is required; 0 indicates a "care" bit, and 1 indicates a "don't-care" bit.

Use a 32-bit quantity in four-part dotted-decimal format.

Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

When you enter a destination IP address and the destination mask, use the form destination_ip_address destination_mask. The destination mask is required.

Use a 32-bit quantity in a four-part dotted-decimal format.

Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.

Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
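
The naming conventions and the mask semantics above (0 is a "care" bit, 1 is a "don't-care" bit) can be checked offline before an ACE is entered and committed. The following Python sketch is an added example, not part of the Cisco reference; all function names are hypothetical, and the check that flags a mask shaped like a subnet mask is a heuristic added here, not a rule the switch applies.

```python
import ipaddress
import re

# Keywords the page lists as not usable for an ACL name.
RESERVED = {"all", "default-action", "map", "help", "editbuffer"}
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9._-]*")
MASK32 = 0xFFFFFFFF


def acl_name_problem(name, existing=()):
    """Return None when name satisfies the naming conventions, else the reason."""
    if len(name) > 31:
        return "longer than 31 characters"
    if not NAME_RE.fullmatch(name):
        return "must start with a letter and use only a-z, A-Z, 0-9, '-', '_', '.'"
    if name in RESERVED:
        return "reserved keyword"
    if name in existing:  # names are case sensitive, so compare exactly
        return "already used by another ACL"
    return None


def to_int(dotted):
    """Convert a four-part dotted-decimal string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def parse_ip_spec(tokens):
    """Parse src_ip_spec or dest_ip_spec tokens into (address, wildcard, tokens_used)."""
    if not tokens:
        raise ValueError("empty IP spec")
    if tokens[0] == "any":           # any = 0.0.0.0 255.255.255.255
        return 0, MASK32, 1
    if len(tokens) < 2:
        raise ValueError("the mask is required")
    if tokens[0] == "host":          # host x = x 0.0.0.0
        return to_int(tokens[1]), 0, 2
    return to_int(tokens[0]), to_int(tokens[1]), 2


def matches(spec, ip):
    """True when ip agrees with the spec address on every care (0) bit of the mask."""
    address, wildcard, _ = spec
    care = ~wildcard & MASK32
    return ((to_int(ip) ^ address) & care) == 0


def matched_address_count(spec):
    """Number of addresses the spec matches: two to the number of don't-care bits."""
    return 2 ** bin(spec[1]).count("1")


def looks_like_netmask(wildcard):
    """Heuristic: contiguous leading ones suggest a subnet mask was typed by mistake."""
    if wildcard in (0, MASK32):      # host and any are intentional
        return False
    care = ~wildcard & MASK32
    return (care & (care + 1)) == 0


if __name__ == "__main__":
    # Constructed inputs; the first is the source spec used in the page's TCP example.
    for text in ("1.2.3.4 255.0.0.0", "1.2.3.4 0.255.255.255", "host 10.1.1.1", "any"):
        spec = parse_ip_spec(text.split())
        print(f"{text!r}: matches {matched_address_count(spec)} addresses, "
              f"99.2.3.4 -> {matches(spec, '99.2.3.4')}, "
              f"1.9.9.9 -> {matches(spec, '1.9.9.9')}, "
              f"netmask-shaped mask: {looks_like_netmask(spec[1])}")
    for name in ("my_acl", "map", "9lives", "a" * 32):
        print(f"{name!r}: {acl_name_problem(name) or 'ok'}")
```

With the mask 255.0.0.0, the first octet is ignored and the last three must equal 2.3.4, so the spec matches 99.2.3.4 but not 1.9.9.9; the mask 0.255.255.255 gives the opposite result.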

Valid names for precedence are critical, flash, flash-override, immediate, internet, network, priority, and routine.

Valid names for tos are max-reliability, max-throughput, min-delay, min-monetary-cost, and normal.

Valid protocol keywords include icmp (1), ip, ipinip (4), tcp (6), udp (17), igrp (9), eigrp (88), gre (47), nos (94), ospf (89), ahp (51), esp (50), pcp (108), and pim (103). The IP protocol number is displayed in parentheses. Use the keyword ip to match any Internet Protocol.

ICMP packets that are matched by ICMP message type can also be matched by the ICMP message code.

Valid names for icmp_type and icmp_code are administratively-prohibited, alternate-address, conversion-error, dod-host-prohibited, dod-net-prohibited, echo, echo-reply, general-parameter-problem, host-isolated, host-precedence-unreachable, host-redirect, host-tos-redirect, host-tos-unreachable, host-unknown, host-unreachable, information-reply, information-request, mask-reply, mask-request, mobile-redirect, net-redirect, net-tos-redirect, net-tos-unreachable, net-unreachable, network-unknown, no-room-for-option, option-missing, packet-too-big, parameter-problem, port-unreachable, precedence-unreachable, protocol-unreachable, reassembly-timeout, redirect, router-advertisement, router-solicitation, source-quench, source-route-failed, time-exceeded, timestamp-reply, timestamp-request, traceroute, ttl-exceeded, and unreachable.

If the operator is positioned after the source and source-wildcard, it must match the source port. If the operator is positioned after the destination and destination-wildcard, it must match the destination port. The range operator requires two port numbers. All other operators require one port number only.

TCP port names can be used only when filtering TCP. Valid names for TCP ports are bgp, chargen, daytime, discard, domain, echo, finger, ftp, ftp-data, gopher, hostname, irc, klogin, kshell, lpd, nntp, pop2, pop3, smtp, sunrpc, syslog, tacacs-ds, talk, telnet, time, uucp, whois, and www.

UDP port names can be used only when filtering UDP. Valid names for UDP ports are biff, bootpc, bootps, discard, dns, dnsix, echo, mobile-ip, nameserver, netbios-dgm, netbios-ns, ntp, rip, snmp, snmptrap, sunrpc, syslog, tacacs-ds, talk, tftp, time, who, and xdmcp.

If no layer protocol number is entered, you can use this syntax:

set qos acl ip {acl_name} {dscp dscp | trust-cos | trust-ipprec | trust-dscp} [microflow microflow_name] [aggregate aggregate_name] {src_ip_spec} [before editbuffer_index | modify editbuffer_index]

If a Layer 4 protocol is specified, you can use this syntax:

set qos acl ip {acl_name} {dscp dscp | trust-cos | trust-ipprec | trust-dscp} [microflow microflow_name] [aggregate aggregate_name] {protocol} {src_ip_spec} {dest_ip_spec} [precedence precedence | dscp-field dscp] [before editbuffer_index | modify editbuffer_index]

If ICMP is used, you can use this syntax:

set qos acl ip {acl_name} {dscp dscp | trust-cos | trust-ipprec | trust-dscp} [microflow microflow_name] [aggregate aggregate_name] icmp {src_ip_spec} {dest_ip_spec} [icmp_type [icmp_code] | icmp_message] [precedence precedence | dscp-field dscp] [before editbuffer_index | modify editbuffer_index]

If TCP is used, you can use this syntax:

set qos acl ip {acl_name} {dscp dscp | trust-cos | trust-ipprec | trust-dscp} [microflow microflow_name] [aggregate aggregate_name] tcp {src_ip_spec} [{operator} {port} [port]] {dest_ip_spec} [{operator} {port} [port]] [established] [precedence precedence | dscp-field dscp] [before editbuffer_index | modify editbuffer_index]

If UDP is used, you can use this syntax:

set qos acl ip {acl_name} {dscp dscp | trust-cos | trust-ipprec | trust-dscp} [microflow microflow_name] [aggregate aggregate_name] udp {src_ip_spec} [{operator} {port} [port]] {dest_ip_spec} [{operator} {port} [port]] [precedence precedence | dscp-field dscp] [before editbuffer_index | modify editbuffer_index]

Examples

This example shows how to define a TCP access list:

Console> (enable) set qos acl ip my_acl trust-dscp microflow my-micro tcp 1.2.3.4 
255.0.0.0 eq port 21 172.20.20.1 255.255.255.0 
my_acl editbuffer modified. Use `commit' command to apply changes.
Console> (enable) 

This example shows how to define an ICMP access list:

Console> (enable) set qos acl ip icmp_acl trust-dscp my-micro icmp 1.2.3.4 255.255.0.0 
172.20.20.1 255.255.255.0 precedence 3 
my_acl editbuffer modified. Use `commit' command to apply changes.
Console> (enable) 

Related Commands

clear qos acl
commit
rollback
show qos acl info

set qos acl ipx

To define IPX access lists, use the set qos acl ipx command.

set qos acl ipx {acl_name} {dscp dscp | trust-cos} [aggregate aggregate_name] {protocol} {src_net} [dest_net.[dest_node] [[dest_net_mask.]dest_node_mask] [before editbuffer_index | modify editbuffer_index]

Syntax Description

acl_name

Unique name that identifies the list to which the entry belongs.

dscp dscp

Sets CoS and DSCP from configured DSCP values.

trust-cos

Specifies that the DSCP is derived from the packet CoS.

aggregate aggregate_name

(Optional) Specifies the name of the aggregate policing rule to be applied to packets matching the ACE.

protocol

Keyword or number of an IPX protocol; valid values are from 0 to 255 representing an IPX protocol number. See the "Usage Guidelines" section for a list of valid keywords and corresponding numbers.

src_net

Number of the network from which the packet is being sent. See the "Usage Guidelines" section for format guidelines.

dest_net.

(Optional) Mask to be applied to destination-node. See the "Usage Guidelines" section for format guidelines.

dest_node

(Optional) Node on destination-network of the packet being sent.

dest_net_mask.

(Optional) Mask to be applied to the destination network. See the "Usage Guidelines" section for format guidelines.

dest_node_mask

(Optional) Mask to be applied to destination-node. See the "Usage Guidelines" section for format guidelines.

before editbuffer_index

(Optional) Inserts the new ACE in front of another ACE.

modify editbuffer_index

(Optional) Replaces an ACE with the new ACE.


Defaults

There are no default ACL mappings.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

The dscp dscp and trust-cos keywords and variables are used to select a marking rule. Refer to the Catalyst 6500 Series Switch Software Configuration Guide for additional marking rule information.

The dscp dscp and trust-cos keywords and variables are not supported on systems configured with the Supervisor Engine 2 with Layer 3 Switching Engine II (PFC2).

The optional aggregate aggregate_name keyword and variable are used to configure policing in the ACE. Refer to the Catalyst 6500 Series Switch Software Configuration Guide for additional policing rule information.

Use the show security acl command to display the list.

The src_ip_spec, optional precedence precedence, or dscp-field dscp keywords and variables are used to configure filtering.

When you enter the ACL name, follow these naming conventions:

Maximum of 31 characters long and may include a-z, A-Z, 0-9, the dash character (-), the underscore character (_), and the period character (.)

Must start with an alpha character and must be unique across all ACLs of all types

Case sensitive

Cannot be a number

Must not be a keyword; keywords to avoid are all, default-action, map, help, and editbuffer

Valid protocol keywords include ncp (17), rip (1), sap (4), and spx (5). The IP network number is listed in parentheses.

The src_net and dest_net variables are eight-digit hexadecimal numbers that uniquely identify network cable segments. When you specify the src_net or dest_net, use the following guidelines:

It can be a number in the range 0 to FFFFFFFF. A network number of -1 or any matches all networks.

You do not need to specify leading zeros in the network number. For example, for the network number 000000AA, you can enter AA.

The dest_node is a 48-bit value represented by a dotted triplet of four-digit hexadecimal numbers (xxxx.xxxx.xxxx).

The destination_mask is of the form N.H.H.H or H.H.H where N is the destination network mask and H is the node mask. It can be specified only when the destination node is also specified for the destination address.

The dest_net_mask is an eight-digit hexadecimal mask. Place ones in the bit positions you want to mask. The mask must be immediately followed by a period, which must in turn be immediately followed by destination-node-mask. You can enter this value only when dest_node is specified.

The dest_node_mask is a 48-bit value represented as a dotted triplet of 4-digit hexadecimal numbers (xxxx.xxxx.xxxx). Place ones in the bit positions you want to mask. You can enter this value only when dest_node is specified.

The dest_net_mask is an eight-digit hexadecimal number that uniquely identifies the network cable segment. It can be a number in the range 0 to FFFFFFFF. A network number of -1 or any matches all networks. You do not need to specify leading zeros in the network number. For example, for the network number 000000AA, you can enter AA. Following are dest_net_mask examples:

123A

123A.1.2.3

123A.1.2.3 ffff.ffff.ffff

1.2.3.4 ffff.ffff.ffff.ffff


Note: The PFC3 does not provide QoS support for IPX traffic.


Examples

This example shows how to create an IPX ACE:

Console> (enable) set qos acl ipx my_IPXacl trust-cos aggregate my-agg -1
my_IPXacl editbuffer modified. Use `commit' command to apply changes.
Console> (enable)

Related Commands

clear qos acl
commit
rollback
show qos acl info

set qos acl mac

To define MAC access lists, use the set qos acl mac command.

set qos acl mac {acl_name} {dscp dscp | trust-cos} [aggregate aggregate_name] {src_mac_addr_spec} {dest_mac_addr_spec} [ethertype] [cos cos_value] [vlan vlan] [before editbuffer_index | modify editbuffer_index]

Syntax Description

acl_name

Unique name that identifies the list to which the entry belongs.

dscp dscp

Sets CoS and DSCP from configured DSCP values.

trust-cos

Specifies that the DSCP is derived from the packet CoS.

aggregate aggregate_name

(Optional) Specifies the name of the aggregate policing rule to be applied to packets matching the ACE.

src_mac_addr_spec

Number of the source MAC address in the form source_mac_address source_mac_address_mask.

dest_mac_addr_spec

Number of the destination MAC address.

ethertype

(Optional) Name or number that matches the EtherType for Ethernet-encapsulated packets. See the "Usage Guidelines" section for a list of valid names and numbers.

cos cos_value

(Optional) Specifies the CoS value; valid values are from 0 to 7.

vlan vlan

(Optional) Specifies a VLAN; valid values are from 1 to 4094.

before editbuffer_index

(Optional) Inserts the new ACE in front of another ACE.

modify editbuffer_index

(Optional) Replaces an ACE with the new ACE.


Defaults

There are no default ACL mappings.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

The dscp dscp and trust-cos keywords and variables are used to select a marking rule. Refer to the Catalyst 6500 Series Switch Software Configuration Guide for additional marking rule information.

The dscp dscp and trust-cos keywords and variables are not supported on systems configured with the Supervisor Engine 2 with Layer 3 Switching Engine II (PFC2).

The optional aggregate aggregate_name keyword and variable are used to configure policing in the ACE. Refer to the Catalyst 6500 Series Switch Software Configuration Guide for additional policing rule information.

When you enter the ACL name, follow these naming conventions:

Maximum of 31 characters long and may include a-z, A-Z, 0-9, the dash character (-), the underscore character (_), and the period character (.)

Must start with an alpha character and must be unique across all ACLs of all types

Case sensitive

Cannot be a number

Must not be a keyword; keywords to avoid are all, default-action, map, help, and editbuffer

The src_mac_addr_spec is a 48-bit source MAC address and mask, entered in the form source_mac_address source_mac_address_mask (for example, 08-11-22-33-44-55 ff-ff-ff-ff-ff-ff). Place ones in the bit positions you want to mask. When you specify the src_mac_addr_spec, follow these guidelines:

The source_mask is required; 0 indicates a "care" bit, and 1 indicates a "don't-care" bit.

Use a 32-bit quantity in 4-part dotted-decimal format.

Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

The dest_mac_addr_spec is a 48-bit destination MAC address and mask, entered in the form dest_mac_address dest_mac_address_mask (for example, 08-00-00-00-02-00/ff-ff-ff-00-00-00). Place ones in the bit positions you want to mask. The destination mask is mandatory. When you specify the dest_mac_addr_spec, use the following guidelines:

Use a 48-bit quantity in 6-part dotted-hexadecimal format for the source address and mask.

Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 ff-ff-ff-ff-ff-ff.

Use host source as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
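The following Python sketch is an added example, not part of the Cisco reference. It applies the mask semantics stated above (0 = care bit, 1 = don't-care bit) to the two address/mask pairs this page uses as examples, which is useful when reviewing how broad a MAC ACE really is. All function names are hypothetical.

```python
import re

MAC_RE = re.compile(r"[0-9a-f]{2}(?:-[0-9a-f]{2}){5}")
ALL_BITS = (1 << 48) - 1


def parse_mac(text):
    """Convert a dash-separated 48-bit address or mask, as written on this page, to an int."""
    value = text.strip().lower()
    if not MAC_RE.fullmatch(value):
        raise ValueError(f"not a 48-bit dash-separated value: {text!r}")
    return int(value.replace("-", ""), 16)


def ace_matches(frame_mac, spec_addr, spec_mask):
    """True if frame_mac equals spec_addr in every bit the mask cares about.

    Mask bit 0 = care (must match), mask bit 1 = don't care (ignored).
    """
    care = ~parse_mac(spec_mask) & ALL_BITS
    return (parse_mac(frame_mac) & care) == (parse_mac(spec_addr) & care)


def addresses_covered(spec_mask):
    """Number of distinct MAC addresses a spec with this mask can match."""
    dont_care_bits = bin(parse_mac(spec_mask)).count("1")
    return 1 << dont_care_bits


def audit_spec(spec_addr, spec_mask):
    """Describe how broad an address/mask pair is, for ACL review."""
    mask = parse_mac(spec_mask)
    if mask == ALL_BITS:
        return "matches every address (equivalent to 'any')"
    if mask == 0:
        return "matches exactly one address"
    # Address bits that sit under a don't-care bit have no effect on matching.
    ignored = parse_mac(spec_addr) & mask
    note = "; address bits under the mask are ignored" if ignored else ""
    return f"matches {addresses_covered(spec_mask)} addresses{note}"


if __name__ == "__main__":
    # The two address/mask pairs used as examples on this page.
    for addr, mask in [
        ("08-11-22-33-44-55", "ff-ff-ff-ff-ff-ff"),
        ("08-00-00-00-02-00", "ff-ff-ff-00-00-00"),
    ]:
        print(addr, mask, "->", audit_spec(addr, mask))
    # Constructed frame addresses: only the last three bytes are compared.
    print(ace_matches("aa-bb-cc-00-02-00", "08-00-00-00-02-00", "ff-ff-ff-00-00-00"))
    print(ace_matches("08-00-00-00-02-01", "08-00-00-00-02-00", "ff-ff-ff-00-00-00"))
```

Because the mask is inverted relative to a subnet mask, an all-ones mask disables the comparison entirely, and ff-ff-ff-00-00-00 ignores the first three bytes rather than matching on them.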

Valid names for Ethertypes (and corresponding numbers) are Ethertalk (0x809B), AARP (0x8053), dec-mop-dump (0x6001), dec-mop-remote-console (0x6002), dec-phase-iv (0x6003), dec-lat (0x6004), dec-diagnostic-protocol (0x6005), dec-lavc-sca (0x6007), dec-amber (0x6008), dec-mumps (0x6009), dec-lanbridge (0x8038), dec-dsm (0x8039), dec-netbios (0x8040), dec-msdos (0x8041), banyan-vines-echo (0x0baf), xerox-ns-idp (0x0600), and xerox-address-translation (0x0601).

The ether-type is a 16-bit hexadecimal number written with a leading 0x.

Use the show security acl command to display the list.


Note: The PFC3 does not provide QoS support for IPX traffic.


Examples

This example shows how to create a MAC access list:

Console> (enable) set qos acl mac my_MACacl trust-cos aggregate my-agg any any
my_MACacl editbuffer modified. Use `commit' command to apply changes.
Console> (enable) 

Related Commands

clear qos acl
commit
rollback
show qos acl info

set qos acl map

To attach an ACL to a specified port or VLAN, use the set qos acl map command.

set qos acl map acl_name {mod/port | vlan} [input]

set qos acl map acl_name vlan output

Syntax Description

acl_name

Name of the list to which the entry belongs.

mod/port

Number of the module and the port on the module.

vlan

Number of the VLAN; valid values are from 1 to 4094.

input

(Optional) Attaches the ACL to the ingress interface. See the "Usage Guidelines" section for more information.

output

Attaches the ACL to the egress interface.


Defaults

There are no default ACL mappings.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines


Caution: This command may fail if you try to map an ACL to a VLAN and the NVRAM is full.

Caution: Use the copy command to save the ACL configuration to Flash memory.

If you try to configure an ACL feature that is not supported on the input or the output interface, the set qos acl map command fails with an error message.

Only PFC3 supports the input and output keywords. If you do not specify a direction keyword (input or output), the system automatically specifies input.

Examples

This example shows how to attach an ACL to a port:

Console> (enable) set qos acl map my_acl 2/1
ACL my_acl is attached to port 2/1.
Console> (enable)

This example shows how to attach an ACL to a VLAN:

Console> (enable) set qos acl map ftp_acl 4
ACL ftp_acl is attached to vlan 4.
Console> (enable) 

This example shows what happens if you try to attach an ACL that has not been committed:

Console> (enable) set qos acl map new_acl 4
Commit ACL new_acl before mapping.
Console> (enable) 

This example shows how to attach an ACL named "test" to the VLAN 1 ingress interface:

Console> (enable) set qos acl map test 1
ACL test is successfully mapped to vlan 1 on input side.
Console> (enable)

This example shows how to attach an ACL named "test2" to the VLAN 1 egress interface:

Console> (enable) set qos acl map test2 1 output
ACL test2 is successfully mapped to vlan 1 on output side.
Console> (enable)

Related Commands

clear qos acl
commit
rollback
show qos acl map

set qos autoqos

To apply automatic QoS settings to all ports on the switch, use the set qos autoqos command.

set qos autoqos

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

When the switch has applied all global QoS settings successfully, the switch displays a prompt that shows the CLI for port-based AutoQoS commands that are currently supported.

Examples

This example shows how to apply all global QoS settings to all ports on the switch:

Console> (enable) set qos autoqos
........
All ingress and egress QoS scheduling parameters configured on all ports.
CoS to DSCP, DSCP to COS and IP Precedence to DSCP maps configured.
Global QoS configured, port specific autoqos recommended:
    set port qos <mod/ports..> autoqos trust [cos|dscp]
    set port qos <mod/ports..> autoqos voip [ciscoipphone|ciscosoftphone]
Console> (enable)

Related Commands

clear port qos autoqos
clear qos autoqos
set port qos autoqos
show port qos
show qos info

set qos bridged-microflow-policing

To enable or disable microflow policing of bridged packets on a per-VLAN basis, use the set qos bridged-microflow-policing command.

set qos bridged-microflow-policing {enable | disable} vlanlist

Syntax Description

enable

Activates microflow policing functionality.

disable

Deactivates microflow policing functionality.

vlanlist

List of VLANs; valid values are from 1 to 4094.


Defaults

The default is that intraVLAN QoS is disabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

Layer 3 switching engine-based systems do not create NetFlow entries for bridged packets. Without a NetFlow entry, these packets cannot be policed at the microflow level. You must enter the set qos bridged-microflow-policing enable command if you want the bridged packets to be microflow policed.

This command is supported on systems configured with a Layer 3 switching engine only.

Examples

This example shows how to enable microflow policing:

Console> (enable) set qos bridged-microflow-policing enable 1-1000
QoS microflow policing is enabled for bridged packets on vlans 1-1000.
Console> (enable) 

This example shows how to disable microflow policing:

Console> (enable) set qos bridged-microflow-policing disable 10
QoS microflow policing is disabled for bridged packets on VLAN 10. 
Console> (enable) 

Related Commands

show qos bridged-microflow-policing

set qos cos-cos-map

To set the CoS-to-CoS mapping on a global basis, use the set qos cos-cos-map command.

set qos cos-cos-map cos1 cos2 ... cos8

Syntax Description

cos#

CoS value; valid values are from 0 to 7.


Defaults

The default CoS-to-CoS configuration is listed in Table 2-19.

Table 2-19 CoS-to-CoS Mapping

CoS   0   1   2   3   4   5   6   7
CoS   0   1   2   3   4   5   6   7


Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

If QoS is disabled, this message displays when you attempt to define a CoS-to-CoS mapping:

QoS is disabled, changes will take effect after QoS is enabled.

Examples

This example shows how to set the CoS-to-CoS mapping:

Console> (enable) set qos cos-cos-map 0 1 2 3 4 4 6 7
QoS cos-cos-map set successfully.
Console> (enable)

Related Commands

clear qos cos-cos-map
show qos maps

set qos cos-dscp-map

To set the CoS-to-DSCP mapping, use the set qos cos-dscp-map command.

set qos cos-dscp-map dscp1 dscp2... dscp8

Syntax Description

dscp#

Number of the differentiated services code point (DSCP); valid values are from 0 to 63.


Defaults

The default CoS-to-DSCP configuration is listed in Table 2-20.

Table 2-20 CoS-to-DSCP Mapping

CoS    0   1   2    3    4    5    6    7
DSCP   0   8   16   24   32   40   48   56


Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

The CoS-to-DSCP map is used to map the CoS of packets arriving on trusted ports (or flows) to a DSCP where the trust type is trust-cos. This map is a table of eight CoS values (0 through 7) and their corresponding DSCP values. The switch has one map.

This command is supported on systems configured with a Layer 3 switching engine only.

Examples

This example shows how to set the CoS-to-DSCP mapping:

Console> (enable) set qos cos-dscp-map 20 30 1 43 63 12 13 8
QoS cos-dscp-map set successfully.
Console> (enable) 

Related Commands

clear qos cos-dscp-map
show qos maps

set qos drop-threshold

To program the transmit-queue and receive-queue drop thresholds on all ports in the system, use the set qos drop-threshold command.

set qos drop-threshold 2q2t tx queue q# thr1 thr2

set qos drop-threshold {1q2t | 1q4t | 1p1q4t} rx queue q# thr1 thr2 thr3 thr4

Syntax Description

2q2t tx

Specifies the transmit-queue drop threshold.

1q2t | 1q4t | 1p1q4t rx

Specifies the receive-queue drop threshold.

queue q#

Specifies the queue; valid values are 1 and 2.

thr1, thr2, thr3, thr4

Threshold percentage; valid values are from 1 to 100.


Defaults

If you enable QoS, the following defaults apply:

Transmit-queue drop thresholds:

Queue 1—80%, 100%

Queue 2—80%, 100%

Receive-queue drop thresholds:

Queue 1—50%, 60%, 80%, 100% if the port is trusted

Queue 2—100%, 100%, 100%, 100% if the port is untrusted

If you disable QoS, the following defaults apply:

Transmit-queue drop thresholds:

Queue 1—100%, 100%

Queue 2—100%, 100%

Receive-queue drop thresholds: queue 1—100%, 100%, 100%, 100%

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

The number preceding the t letter in the port type (2q2t, 1q2t, 1q4t, or 1p1q4t) determines the number of threshold values the hardware supports. For example, with 2q2t and 1q2t, the number of thresholds specified is two; with 1q4t and 1p1q4t, the number of thresholds specified is four. Due to the granularity of programming the hardware, the values set in hardware will be close approximations of the values provided.

The number preceding the q letter in the port type determines the number of the queues that the hardware supports. For example, with 2q2t, the number of queues specified is two; with 1q2t, 1q4t and 1p1q4t, the number of queues specified is one. The system defaults for the transmit queues attempt to keep the maximum latency through a port at a maximum of 10 milliseconds.

The number preceding the p letter in the 1p1q4t port types determines the threshold in the priority queue.

When you configure the drop threshold for 1p1q4t, the drop threshold for the second queue is 100 percent and is not configurable.

The thresholds are all specified as percentages; 10 indicates a threshold when the buffer is 10 percent full.

The single-port ATM OC-12 module does not support transmit-queue drop thresholds.

Examples

This example shows how to assign the transmit-queue drop threshold:

Console> (enable) set qos drop-threshold 2q2t tx queue 1 40 80
Transmit drop thresholds for queue 1 set at 40% and 80%
Console> (enable) 

These examples show how to assign the receive-queue drop threshold:

Console> (enable) set qos drop-threshold 1q4t rx queue 1 40 50 60 100
Receive drop thresholds for queue 1 set at 40% 50% 60% 100%
Console> (enable) 

Console> (enable) set qos drop-threshold 1p1q4t rx queue 1 40 50 60 100
Receive drop thresholds for queue 1 set at 40% 50% 60% 100%
Console> (enable) 

Related Commands

show qos info

set qos dscp-cos-map

To set the DSCP-to-CoS mapping, use the set qos dscp-cos-map command.

set qos dscp-cos-map dscp_list:cos_value ...

Syntax Description

dscp_list

Number of the DSCP; valid values are from 0 to 63.

cos_value...

Number of the CoS; valid values are from 0 to 7.


Defaults

The default DSCP-to-CoS configuration is listed in Table 2-21.

Table 2-21 DSCP-to-CoS Mapping

DSCP   0 to 7   8 to 15   16 to 23   24 to 31   32 to 39   40 to 47   48 to 55   56 to 63
CoS    0        1         2          3          4          5          6          7


Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

The DSCP-to-CoS map is used to map the final DSCP classification to a final CoS. This final map determines the output queue and threshold to which the packet is assigned. The CoS map is written into the ISL header or 802.1Q tag of the transmitted packet on trunk ports and contains a table of 64 DSCP values and their corresponding CoS values. The switch has one map.

This command is supported on systems configured with a Layer 3 switching engine only.

Examples

This example shows how to set the DSCP-to-CoS mapping:

Console> (enable) set qos dscp-cos-map 20-25:7 33-38:3
QoS dscp-cos-map set successfully.
Console> (enable)
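The following Python sketch is an added example, not part of the Cisco reference. It builds the 64-entry DSCP-to-CoS table from the defaults in Table 2-21, applies the dscp_list:cos_value pairs of a set qos dscp-cos-map command, and reports which DSCPs end up in a different (especially a higher) CoS than the default, which is the part worth reviewing in a configuration audit. Function names are hypothetical; accepting comma-separated lists and rejecting a DSCP that is assigned two CoS values in one command are choices of this example, not documented switch behavior.

```python
def parse_number_list(text, low, high):
    """Expand '20-25' or '1-3,7' into a list of ints and validate the range."""
    values = []
    for part in text.split(","):
        first, sep, last = part.partition("-")
        start = int(first)
        end = int(last) if sep else start
        if start > end:
            raise ValueError(f"descending range: {part!r}")
        values.extend(range(start, end + 1))
    for value in values:
        if not low <= value <= high:
            raise ValueError(f"{value} is outside {low}-{high}")
    return values


def default_dscp_cos_map():
    """Table 2-21: each block of eight DSCP values maps to one CoS (DSCP // 8)."""
    return {dscp: dscp // 8 for dscp in range(64)}


def apply_dscp_cos_map(command, table=None):
    """Return a new 64-entry table with the command's dscp_list:cos pairs applied."""
    tokens = command.split()
    if tokens[:3] != ["set", "qos", "dscp-cos-map"] or len(tokens) < 4:
        raise ValueError("not a 'set qos dscp-cos-map' command")
    table = dict(table or default_dscp_cos_map())
    seen = {}
    for pair in tokens[3:]:
        dscp_text, sep, cos_text = pair.partition(":")
        if not sep:
            raise ValueError(f"missing ':' in {pair!r}")
        cos = int(cos_text)
        if not 0 <= cos <= 7:
            raise ValueError(f"CoS {cos} is outside 0-7")
        for dscp in parse_number_list(dscp_text, 0, 63):
            # Example policy: refuse ambiguous input rather than guess an order.
            if seen.get(dscp, cos) != cos:
                raise ValueError(f"DSCP {dscp} is assigned two CoS values")
            seen[dscp] = cos
            table[dscp] = cos
    return table


def changes_from_default(table):
    """{dscp: (default_cos, configured_cos)} for every entry that differs."""
    default = default_dscp_cos_map()
    return {d: (default[d], c) for d, c in sorted(table.items()) if c != default[d]}


def promoted(table):
    """DSCPs whose CoS is higher than the default (traffic moved up in priority)."""
    return [d for d, (old, new) in changes_from_default(table).items() if new > old]


if __name__ == "__main__":
    # The command from the example on this page.
    table = apply_dscp_cos_map("set qos dscp-cos-map 20-25:7 33-38:3")
    for dscp, (old, new) in changes_from_default(table).items():
        print(f"DSCP {dscp:2d}: CoS {old} -> {new}")
    print("promoted:", promoted(table))
```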

Related Commands

clear qos map
show qos maps

set qos dscp-mutation-map

To configure a DSCP mutation map, use the set qos dscp-mutation-map command.

set qos dscp-mutation-map mutation_table_id old_dscp_list:new_dscp...

Syntax Description

mutation_table_id

Number of the mutation table; valid values are from 1 to 15.

old_dscp_list:new_dscp...

Number of the DSCP mapping and number of the mutated DSCP mapping; valid values are from 0 to 63. See the "Usage Guidelines" section for more information.


Defaults

This command has no default settings.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

The PFC3 supports 16 DSCP mutation maps. QoS uses one mutation map for the default mapping. You can configure 15 mutation maps.

You can specify a range of old DSCP mappings. Enter the range as integers separated by a hyphen and a comma (for example, 1-3,7 specifies mappings 1, 2, 3 and 7).

Examples

This example shows how to configure a DSCP mutation map:

Console> (enable) set qos dscp-mutation-map 1 30:2
QoS dscp-mutation-map with mutation-table-id 1 has been set correctly.
Console> (enable)

Related Commands

clear qos dscp-mutation-map
clear qos dscp-mutation-table-map
set qos dscp-mutation-table-map
show qos maps

set qos dscp-mutation-table-map

To configure the DSCP mutation table map, use the set qos dscp-mutation-table-map command.

set qos dscp-mutation-table-map mutation_table_id vlan_list

Syntax Description

mutation_table_id

Number of the mutation table; valid values are from 1 to 15.

vlan_list

VLAN numbers that form a VLAN list; valid values are from 1 to 4094.


Defaults

This command has no default settings.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

The PFC3 supports 16 DSCP mutation maps. QoS uses one mutation map for the default mapping. You can configure 15 mutation maps.

Examples

This example shows how to set DSCP mutation table map 1 for VLANs 1 through 10:

Console> (enable) set qos dscp-mutation-table-map 1 1-10
VLANs 1-10 mapped to mutation-table-id 1.
Console> (enable)

Related Commands

clear qos dscp-mutation-map
clear qos dscp-mutation-table-map
set qos dscp-mutation-map
show qos maps

set qos dscp-rewrite

To globally enable or disable rewriting the differentiated services code point (DSCP) values of packets as they go through the switch, use the set qos dscp-rewrite command.

set qos dscp-rewrite {enable | disable}

Syntax Description

enable

Rewrites the DSCP values of packets.

disable

Maintains the DSCP values of packets so that the values are the same as when the packets came to the switch.


Defaults

The DSCP rewrite feature is enabled.

Command Types

Switch command.

Command Modes

Privileged.

Examples

This example shows how to globally disable the DSCP rewrite feature:

Console> (enable) set qos dscp-rewrite disable
DSCP rewrite has been globally disabled.
Console> (enable)

This example shows how to globally enable the DSCP rewrite feature:

Console> (enable) set qos dscp-rewrite enable
DSCP rewrite has been globally enabled.
Console> (enable)

Related Commands

show qos status

set qos ipprec-dscp-map

To set the IP precedence-to-DSCP map, use the set qos ipprec-dscp-map command. This command applies to all packets and all ports.

set qos ipprec-dscp-map dscp1 ... dscp8

Syntax Description

dscp1#

Number of the IP precedence value; up to eight values can be specified.


Defaults

The default IP precedence-to-DSCP configuration is listed in Table 2-22.

Table 2-22 IP Precedence-to-DSCP Mapping

IPPREC   0   1   2    3    4    5    6    7
DSCP     0   8   16   24   32   40   48   56


Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

Use this command to map the IP precedence of IP packets arriving on trusted ports (or flows) to a DSCP when the trust type is trust-ipprec. This map is a table of eight precedence values (0 through 7) and their corresponding DSCP values. The switch has one map. The IP precedence values are as follows:

network 7

internet 6

critical 5

flash-override 4

flash 3

immediate 2

priority 1

routine 0

This command is supported on systems configured with a Layer 3 switching engine only.

Examples

This example shows how to assign IP precedence-to-DSCP mapping and return to the default:

Console> (enable) set qos ipprec-dscp-map 20 30 1 43 63 12 13 8
QoS ipprec-dscp-map set successfully.
Console> (enable) 

Related Commands

clear qos ipprec-dscp-map
show qos maps

set qos mac-cos

To assign a CoS value to a MAC address and VLAN pair, use the set qos mac-cos command.

set qos mac-cos dest_mac vlan cos

Syntax Description

dest_mac

MAC address of the destination host.

vlan

Number of the VLAN; valid values are from 1 to 4094.

cos

CoS value; valid values are from 0 to 7, with higher numbers representing higher priority.


Defaults

This command has no default settings.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

This command has no effect on a switch configured with a PFC since the Layer 3 switching engine's result always overrides the Layer 2 result. Instead, use the set qos acl command.

The set qos mac-cos command creates a permanent CAM entry in the CAM table until you reset the active supervisor engine.

The port associated with the MAC address is learned when the first packet with this source MAC address is received. These entries do not age out.

The CoS for a packet going to the specified MAC address is overwritten even if it is coming from a trusted port.

If you enter the show cam command, entries made with the set qos mac-cos command display as dynamic because QoS considers them to be dynamic, but they do not age out.

Examples

This example shows how to assign the CoS value 3 to VLAN 2:

Console> (enable) set qos mac-cos 0f-ab-12-12-00-13 2 3
CoS 3 is assigned to 0f-ab-12-12-00-13 vlan 2.
Console> (enable) 

Related Commands

clear qos mac-cos
show qos mac-cos

set qos map

To map a specific CoS value to the transmit- or receive-priority queues and the thresholds per available priority queue for all ports, use the set qos map command.

set qos map port_type tx | rx q# thr# cos coslist

set qos map port_type tx | rx q# cos coslist

Syntax Description

port_type

Port type; valid values are 2q2t, 1p2q2t, 1p3q1t, and 1p2q1t for transmit. Valid values are 1q2t, 1p1q4t, 1p1q0t, 1p1q8t, and 2q8t for receive. See the "Usage Guidelines" section for additional information.

tx

Specifies the transmit queue.

rx

Specifies the receive queue.

q#

Value determined by the number of priority queues provided at the transmit or receive end; valid values are 1 and 2, with the higher value indicating a higher priority queue.

thr#

Value determined by the number of drop thresholds available at a port; valid values are 1 and 2, with the higher value indicating lower chances of being dropped.

cos coslist

Specifies CoS values; valid values are from 0 through 7, with the higher numbers representing a higher priority.


Defaults

The default mappings for all ports are shown in Table 2-23 and Table 2-24.

Table 2-23 CoS-to-Queue-to-Threshold Mapping (TX)

Queue   Threshold   CoS Values (1)

QoS enabled
1       1           0, 1
2       1           2, 3, 4
3       1           6, 7
4       0           5

QoS disabled
1       0           0, 1, 2, 3, 4, 5, 6, 7

(1) All CoS values, except CoS 5, are mapped to WRED. CoS 5, which is mapped to queue 4, does not have an associated WRED threshold.


Table 2-24 CoS-to-Queue Mapping (RX)

Queue   CoS Values

QoS enabled
1       0, 1, 2, 3, 4, 6, 7
2       5

QoS disabled
1       0, 1, 2, 3, 4, 5, 6, 7


Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

If you enter the set qos map port_type tx | rx q# cos coslist command, the following is a list of possible port types available:

tx port_type = 1p3q1t and 1p2q1t

rx port_type = 1p1q0t and 2q8t

You can enter the coslist variable as a single CoS value, multiple noncontiguous CoS values, a range of CoS values, or a mix of values. For example, you can enter any of the following: 0, or 0,2,3, or 0-3,7.

The priority queue number is 4 for transmit and queue number 2 for receive.

When specifying the priority queue for the 1p2q2t port type, the priority queue number is 3 and the threshold number is 1.

The receive- and transmit-drop thresholds have this relationship:

Receive-queue 1 (standard) threshold 1 = transmit-queue 1 (standard low priority) threshold 1

Receive-queue 1 (standard) threshold 2 = transmit-queue 1 (standard low priority) threshold 2

Receive-queue 1 (standard) threshold 3 = transmit-queue 2 (standard high priority) threshold 1

Receive-queue 1 (standard) threshold 4 = transmit-queue 2 (standard high priority) threshold 2

Refer to the Catalyst 6500 Series Switch Software Configuration Guide for additional usage guidelines.

Examples

This example shows how to assign the CoS values 1, 2, and 5 to the first queue and the first drop threshold in that queue:

Console> (enable) set qos map 2q2t tx 1 1 cos 1,2,5
Qos tx priority queue and threshold mapped to cos successfully.
Console> (enable) 

This example shows how to assign the CoS values to queue 1 and threshold 2 in that queue:

Console> (enable) set qos map 2q2t tx 1 2 cos 3-4,7
Qos tx priority queue and threshold mapped to cos successfully.
Console> (enable) 

This example shows how to map the CoS value 5 to strict-priority transmit-queue 3/drop-threshold 1:

Console> (enable) set qos map 1p2q2t tx 3 1 cos 5
Qos tx strict queue and threshold mapped to cos successfully.
Console> (enable) 

Related Commands

clear qos map
show qos info

set qos policed-dscp-map

To set the mapping of policed in-profile DSCPs, use the set qos policed-dscp-map command.

set qos policed-dscp-map [normal-rate | excess-rate] in_profile_dscp:policed_dscp...

Syntax Description

normal-rate

(Optional) Specifies normal rate policers.

excess-rate

(Optional) Specifies excess rate policers.

in_profile_dscp

Number of the in-profile DSCP; valid values are from 0 through 63.

:policed_dscp

Number of the policed DSCP; valid values are 0 through 63.


Defaults

The default map is no markdown.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

You can enter in_profile_dscp as a single DSCP, multiple DSCPs, or a range of DSCPs (for example, 1 or 1,2,3 or 1-3,7).

The colon between in_profile_dscp and policed_dscp is required.

This command is supported on systems configured with the Supervisor Engine 2 with Layer 3 Switching Engine II (PFC2) only.

If you do not specify a rate, the system automatically specifies the normal rate.

Examples

This example shows how to set the mapping of policed in-profile DSCPs:

Console> (enable) set qos policed-dscp-map 33:30
QoS normal-rate policed-dscp-map set successfully.
Console> (enable) 

This example shows how to set the mapping of policed in-profile DSCPs for the excess rate:

Console> (enable) set qos policed-dscp-map excess-rate 33:30
QoS excess-rate policed-dscp-map set successfully.
Console> (enable)

Related Commands

clear qos policed-dscp-map
show qos maps
show qos policer

set qos policer

To create a policing rule for an ACL, use the set qos policer command.

set qos policer {microflow microflow_name} {rate rate} {burst burst} {drop | policed-dscp}

set qos policer {aggregate aggregate_name} {rate rate} {burst burst} {drop | policed-dscp}

set qos policer {aggregate aggregate_name} {rate rate} policed-dscp {erate erate} {drop | policed-dscp} burst burst [eburst eburst]

Syntax Description

microflow microflow_name

Specifies the name of the microflow policing rule.

rate rate

Specifies the average rate; valid values are 0 and from 32 kilobits per second to 32 gigabits per second.

burst burst

Specifies the burst size; valid values are 1 to 256000 kilobits.

drop

Specifies drop traffic.

policed-dscp

Specifies policed DSCP.

aggregate aggregate_name

Specifies the name of the aggregate policing rule.

erate erate

Specifies the excess rate value; valid values are 0 and from 32 kilobits per second to 8 gigabits per second.

eburst eburst

(Optional) Specifies the excess burst size; valid values are 1 to 256000 kilobits.


Defaults

The default is that no policing rules or aggregates are configured.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

Before microflow policing can occur, you must define a microflow policing rule. Policing allows the switch to limit the bandwidth consumed by a flow of traffic.

The Catalyst 6500 series switch supports up to 63 microflow policing rules. When a microflow policer is used in any ACL that is attached to any port or VLAN, the NetFlow flow mask is increased to full flow.

Before aggregate policing can occur, you must create an aggregate and a policing rule for that aggregate. The Catalyst 6500 series switch supports up to 1023 aggregates and 1023 policing rules.

When both normal and excess rates are zero, you can specify any burst size. If the normal rates and excess rates are zero, the value is ignored and set internally by hardware.

The excess rate must be greater than or equal to the normal rate.

The set qos policer aggregate command allows you to configure an aggregate flow and a policing rule for that aggregate. When you enter the microflow microflow_name rate rate burst burst, the range for the average rate is 32 kilobits per second to 8 gigabits per second, and the range for the burst size is 1 kilobit (entered as 1) to 32 megabits (entered as 32000). The burst can be set lower, higher, or equal to the rate. Modifying an existing aggregate rate limit entry causes that entry to be modified in NVRAM and in the switch if that entry is currently being used.


Note: We recommend a 32-kilobit minimum value burst size. Due to the nature of the traffic at different customer sites, along with the hardware configuration, smaller values occasionally result in lower rates than the specified rate. If you experiment with smaller values but problems occur, increase the burst rate to this minimum recommended value.


When you modify an existing microflow or aggregate rate limit, that entry in NVRAM is modified, as well as in the switch if it is currently being used.

When you enter the policing name, follow these naming conventions:

Maximum of 31 characters long and may include a through z, A through Z, 0 through 9, the dash character (-), the underscore character (_), and the period character (.)

Must start with an alpha character and must be unique across all ACLs of all types

Case sensitive

Cannot be a number

Must not be a keyword; keywords to avoid are all, default-action, map, help, and editbuffer

The burst keyword and the burst value and the optional eburst keyword and the eburst value set the token bucket sizes. To sustain a specific rate, set the token bucket size to be at least the rate divided by 4000, because tokens are removed from the bucket every 1/4000th of a second (0.25 milliseconds) and the bucket needs to be at least as large as the burst size to sustain the specified rate.

If you do not enter the eburst keyword and the eburst value, QoS sets both token buckets to the size configured with the burst keyword and the burst value.
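The following Python sketch is an added example, not part of the Cisco reference. It checks a set qos policer command against the limits given in this section (value ranges, excess rate not below normal rate, burst at least rate divided by 4000, the recommended 32-kilobit minimum) and uses a simplified fluid token-bucket model to show why an undersized burst caps the sustained rate. It assumes rate and erate are entered in kilobits per second and burst in kilobits; the function names are hypothetical and the model is not the switch's hardware algorithm.

```python
import re
from fractions import Fraction

TICKS_PER_SECOND = 4000        # page: tokens are handled every 1/4000 s (0.25 ms)
RATE_KBPS = (32, 32_000_000)   # page: 32 kbps to 32 Gbps; 0 is also valid
ERATE_KBPS = (32, 8_000_000)   # page: 32 kbps to 8 Gbps; 0 is also valid
BURST_KILOBITS = (1, 256_000)  # page: 1 to 256000 kilobits
RECOMMENDED_MIN_BURST = 32     # page note: 32-kilobit minimum burst size


def parse_policer(line):
    """Pull the rule type, name and numeric keywords out of one command line."""
    match = re.match(r"\s*set qos policer (microflow|aggregate) (\S+)(.*)$", line)
    if not match:
        raise ValueError("not a 'set qos policer' command")
    fields = {"kind": match.group(1), "name": match.group(2)}
    for key, value in re.findall(r"\b(rate|erate|burst|eburst) (\d+)\b", match.group(3)):
        fields[key] = int(value)
    return fields


def sustained_rate_kbps(rate_kbps, burst_kilobits, offered_kbps, seconds=1):
    """Fluid model: refill each tick, cap the bucket at the burst size, pass what fits."""
    refill = Fraction(rate_kbps, TICKS_PER_SECOND)      # kilobits added per tick
    offered = Fraction(offered_kbps, TICKS_PER_SECOND)  # kilobits arriving per tick
    bucket = Fraction(0)                                # start empty: no warm-up credit
    passed = Fraction(0)
    for _ in range(seconds * TICKS_PER_SECOND):
        bucket = min(Fraction(burst_kilobits), bucket + refill)
        conforming = min(bucket, offered)
        bucket -= conforming
        passed += conforming
    return passed / seconds


def lint_policer(line):
    """Return review findings for one command; an empty list means none."""
    fields = parse_policer(line)
    rate, burst, erate = fields.get("rate"), fields.get("burst"), fields.get("erate")
    if rate is None or burst is None:
        return ["rate and burst are both required"]
    findings = []
    if rate and not RATE_KBPS[0] <= rate <= RATE_KBPS[1]:
        findings.append(f"rate {rate} is outside {RATE_KBPS[0]}-{RATE_KBPS[1]} kbps")
    if not BURST_KILOBITS[0] <= burst <= BURST_KILOBITS[1]:
        findings.append(f"burst {burst} is outside {BURST_KILOBITS[0]}-{BURST_KILOBITS[1]} kilobits")
    if erate is not None:
        if erate and not ERATE_KBPS[0] <= erate <= ERATE_KBPS[1]:
            findings.append(f"erate {erate} is outside {ERATE_KBPS[0]}-{ERATE_KBPS[1]} kbps")
        if erate < rate:
            findings.append("excess rate must be greater than or equal to the normal rate")
    if rate:  # with a zero rate the page says the burst value is ignored
        needed = Fraction(rate, TICKS_PER_SECOND)
        if burst < needed:
            findings.append(
                f"burst {burst} is below rate/4000 = {float(needed)} kilobits; "
                f"sustained rate is capped near {burst * TICKS_PER_SECOND} kbps"
            )
        if burst < RECOMMENDED_MIN_BURST:
            findings.append(f"burst {burst} is below the recommended {RECOMMENDED_MIN_BURST} kilobits")
    return findings


if __name__ == "__main__":
    commands = [
        # From the examples on this page.
        "set qos policer microflow my-micro rate 1000 burst 10000 policed-dscp",
        "set qos policer aggregate test3 rate 64 policed-dscp erate 128 drop burst 96",
        # Constructed: 1 Gbps rate with a burst smaller than rate/4000 (250 kilobits).
        "set qos policer aggregate uplink rate 1000000 burst 100 drop",
    ]
    for command in commands:
        print(command, "->", lint_policer(command) or "no findings")
    print(float(sustained_rate_kbps(1_000_000, 100, 2_000_000)), "kbps sustained")
```

In the constructed case the bucket can never hold more than 100 kilobits per 0.25 ms tick, so the policer passes about 400000 kbps instead of the configured 1000000 kbps.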

Examples

This example shows how to create a microflow policing rule for an ACL:

Console> (enable) set qos policer microflow my-micro rate 1000 burst 10000 policed-dscp
QoS policer for microflow my-micro set successfully.
Console> (enable) 

These examples show how to create an aggregate policing rule for an ACL:

Console> (enable) set qos policer aggregate my-agg rate 1000 burst 2000 drop
QoS policer for aggregate my-aggset successfully.
Console> (enable) 

Console> (enable) set qos policer aggregate test3 rate 64 policed-dscp erate 128 drop burst 96
QoS policer for aggregate test3 created successfully.
Console> (enable) 

Related Commands

clear qos policer
show qos policer

set qos policy-source

To set the QoS policy source, use the set qos policy-source command.

set qos policy-source local | cops

Syntax Description

local

Sets the policy source to local NVRAM configuration.

cops

Sets the policy source to COPS-PR configuration.


Defaults

The default is that all ports are set to local.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

When you set the policy source to local, the QoS policy is taken from local configuration stored in NVRAM. If you set the policy source to local after it was set to cops, the QoS policy reverts back to the local configuration stored in NVRAM.

When you set the policy source to cops, all global configurations to the device, such as the DSCP-to-marked-down DSCP, are taken from the policy downloaded to the policy enforcement point (PEP) by the policy decision point (PDP). Configuration of each physical port, however, is taken from COPS-PR only if the policy source for that port has been set to cops.

Examples

This example shows how to set the policy source to COPS-PR:

Console> (enable) set qos policy-source cops
QoS policy source for the switch set to COPS.
Console> (enable) 

This example shows how to set the policy source to local NVRAM:

Console> (enable) set qos policy-source local
QoS policy source for the switch set to local.
Console> (enable) 

This example shows the output if you attempt to set the policy source to COPS-PR and no COPS-PR servers are available:

Console> (enable) set qos policy-source cops
QoS policy source for the switch set to COPS.
Warning: No COPS servers configured. Use the `set cops server' command
to configure COPS servers.
Console> (enable) 

Related Commands

clear qos config
show qos policy-source

set qos rsvp

To turn on or turn off the RSVP feature on the switch, to set the time in minutes after which the RSVP databases get flushed (when the policy server dies), and to set the local policy, use the set qos rsvp command.

set qos rsvp enable | disable

set qos rsvp policy-timeout timeout

set qos rsvp local-policy forward | reject

Syntax Description

enable

Activates the RSVP feature.

disable

Deactivates the RSVP feature.

policy-timeout timeout

Specifies the time in minutes after which the RSVP databases get flushed; valid values are from 1 to 65535 minutes.

local-policy forward | reject

Specifies the policy configuration local to the network device to either accept existing flows and forward them or not accept new flows.


Defaults

The default is that the RSVP feature is disabled, policy-timeout is 30 minutes, and local policy is forward.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

The local policy guidelines are as follows:

There is no connection with the policy server.

New flows that come up after connection with the policy server has been lost.

Old flows that come up after the PDP policy times out.

Examples

This example shows how to enable RSVP:

Console> (enable) set qos rsvp enable
RSVP enabled. Only RSVP qualitative service supported.
QoS must be enabled for RSVP.
Console> (enable) 

This example shows how to disable RSVP:

Console> (enable) set qos rsvp disable
RSVP disabled on the switch.
Console> (enable) 

This example shows how to set the policy timeout interval:

Console> (enable) set qos rsvp policy-timeout 45
RSVP database policy timeout set to 45 minutes.
Console> (enable) 

This example shows how to set the local policy to forward:

Console> (enable) set qos rsvp local-policy forward
RSVP local policy set to forward.
Console> (enable) 

Related Commands

show qos rsvp

set qos rxq-ratio

To set the amount of packet buffer memory allocated to high-priority incoming traffic and low-priority incoming traffic, use the set qos rxq-ratio command.

set qos rxq-ratio port_type queue1_val queue2_val... queueN_val

Syntax Description

port_type

Port type; valid values are 1p1q0t and 1p1q8t.

queue1_val

Percentage of low-priority traffic; valid values are from 1 to 99 and must total 100 with the queue2_val value.

queue2_val

Percentage of high-priority traffic; valid values are from 1 to 99 and must total 100 with the queue1_val value.

queueN_val

Percentage of strict-priority traffic; valid values are from 1 to 99 and must total 100 with the queue1_val and queue2_val values.


Defaults

The default is 80:20 (queue 1 and queue 2) if you enable QoS and 100:0 (queue 1 and queue 2) if you disable QoS.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines


Caution: Use caution when using this command. When you enter the set qos rxq-ratio command, all ports go through a link up and link down condition.

The values set in hardware are close approximations of the values provided. For example, if you specify 0 percent, the actual value programmed is not necessarily 0.

The rxq ratio is determined by the traffic mix in the network. High-priority traffic is typically a smaller fraction of the traffic. Because the high-priority queue gets more service, you should set the high-priority queue lower than the low-priority queue.

The strict-priority queue requires no configuration.

For the strict-priority queue on 1p1q8t ingress ports, the minimum valid value is 3 percent.

Examples

This example shows how to set the receive-queue size ratio:

Console> (enable) set qos rxq-ratio 1p1q0t 80 20
QoS rxq-ratio is set successfully.
Console> (enable)

Related Commands

show qos info

set qos statistics export

To globally enable or disable statistics data gathering from hardware, use the set qos statistics export command.

set qos statistics export {enable | disable}

Syntax Description

enable

Enables statistics data gathering.

disable

Disables statistics data gathering.


Defaults

The default is disabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

Statistics polling does not occur if statistics are disabled, regardless of any other settings.

You must designate an export destination prior to entering this command. If an export destination is not set, this message is displayed:

Warning: Export destination not set. Use the `set qos statistics export destination' 
command to configure the export destination.

Examples

This example shows how to enable statistics polling:

Console> (enable) set qos statistics export enable
QoS statistics export enabled.
Export destination: Stargate, port 9996
Console> (enable)

Related Commands

show qos statistics export info

set qos statistics export aggregate

To enable or disable statistics data export on an aggregate policer, use the set qos statistics export aggregate command.

set qos statistics export aggregate name {enable | disable}

Syntax Description

name

(Optional) Name of the policer.

enable

Enables statistics data export for the named aggregate policer.

disable

Disables statistics data export for the named aggregate policer.


Defaults

The default is disabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

To export data, you need to enable statistics on the port. You also must globally enable statistics and data export. (See the set qos statistics export command.)

This command is supported on systems configured with the Supervisor Engine 2 with Layer 3 Switching Engine II (PFC2) only.

Examples

This example shows how to enable statistics export:

Console> (enable) set qos statistics export aggregate ipagg_3 enable
Statistics data export enabled for aggregate policer ipagg_3.
Export destination: 172.20.15.1 (Stargate), port 9996
Console> (enable)

Related Commands

set qos statistics export
show mac
show qos statistics export info

set qos statistics export destination

To specify the statistics data export destination address, use the set qos statistics export destination command.

set qos statistics export destination {host_name | host_ip} [port]

set qos statistics export destination {host_name | host_ip} [syslog [{facility severity}]]

Syntax Description

host_name

Host name.

host_ip

Host IP address.

port

(Optional) UDP port number.

syslog

(Optional) Specifies the syslog port.

facility

(Optional) Value to specify the type of facility to export; see the "Usage Guidelines" section for a list of valid values.

severity

(Optional) Value to specify the severity level to export; see the "Usage Guidelines" section for a list of valid values.


Defaults

The default is none unless syslog is specified. If syslog is specified, the defaults are as follows:

port is 514

facility is local6

severity is debug

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

Valid facility values are kern, user, mail, daemon, auth, lpr, news, uucp, cron, local0, local1, local2, local3, local4, local5, local6, and local7.

Valid severity levels are emerg, alert, crit, err, warning, notice, info, and debug.

Examples

This example shows how to specify the statistics data export destination address:

Console> (enable) set qos statistics export destination stargate 9996
Statistics data export destination set to stargate port 9996.
Console> (enable)

Related Commands

set qos statistics export
show qos statistics export info

set qos statistics export interval

To specify how often port or aggregate policer statistics data is read and exported, use the set qos statistics export interval command.

set qos statistics export interval interval

Syntax Description

interval

Export time interval; valid values are from 30 seconds to 65535 seconds.


Defaults

The default is 30 seconds.

Command Types

Switch command.

Command Modes

Privileged.

Examples

This example shows how to set the export interval:

Console> (enable) set qos statistics export interval 35
Statistics export interval set to 35 seconds.
Console> (enable) 

Related Commands

show qos statistics export info

set qos statistics export port

To enable or disable statistics data export on a port, use the set qos statistics export port command.

set qos statistics export port mod/port {enable | disable}

Syntax Description

mod/port

(Optional) Number of the module and the port on the module.

enable

Enables statistics data export.

disable

Disables statistics data export.


Defaults

The default is disabled.

Command Types

Switch command.

Command Modes

Normal.

Usage Guidelines

For data export to be performed, you should enable statistics on the aggregate policer as well. You must globally enable statistics and data export (see the set qos statistics export command).

Examples

This example shows how to enable statistics export on a port:

Console> (enable) set qos statistics export port 2/5 enable
Statistics data export enabled on port 2/5.
Console> (enable)

Related Commands

show qos statistics export info

set qos txq-ratio

To set the amount of packet buffer memory allocated to high-priority traffic and low-priority traffic, use the set qos txq-ratio command.

set qos txq-ratio port_type queue1_val queue2_val... queueN_val

Syntax Description

port_type

Port type; valid values are 2q2t, 1p2q2t, and 1p2q1t.

queue1_val

Percentage of low-priority traffic; valid values are from 1 to 99 and must total 100 with the queue2_val value.

queue2_val

Percentage of high-priority traffic; valid values are from 1 to 99 and must total 100 with the queue1_val value.

queueN_val

Percentage of strict-priority traffic; valid values are from 1 to 99 and must total 100.


Defaults

The default for 2q2t is 80:20 if you enable QoS and 100:0 if you disable QoS. The default for 1p2q2t is 70:15:15 if you enable QoS and 100:0:0 if you disable QoS.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines


Caution: Use caution when using this command. When you enter the set qos txq-ratio command, all ports go through a link up and down condition.

The values set in hardware will be close approximations of the values provided. For example, even if you specify 0 percent, the actual value programmed will not necessarily be 0.

The txq ratio is determined by the traffic mix in the network. Because high-priority traffic is typically a smaller fraction of the traffic and because the high-priority queue gets more service, you should set the high-priority queue lower than the low-priority queue.

The strict-priority queue requires no configuration. For the strict-priority queue on 1p2q1t egress ports, the minimum valid value is 5 percent.

Examples

This example shows how to set the transmit-queue size ratio:

Console> (enable) set qos txq-ratio 2q2t 75 25
QoS txq-ratio is set successfully.
Console> (enable) 

Related Commands

show qos info

set qos wred

To configure the WRED threshold parameters for the specified port type, use the set qos wred command.

set qos wred port_type [tx] queue q# {[thr1Lo:]thr1Hi} {[thr2Lo:]thr2Hi}...

Syntax Description

port_type

Port type; valid values are 1p2q2t, 1p2q1t, 1p3q1t, and 1p1q8t.

tx

(Optional) Specifies the parameters for output queuing.

queue q#

Keyword and variable to specify the queue to which the arguments apply; valid values are 1 through 3.

thr1Lo

(Optional) Percentage of the lower threshold size for the first WRED curve; valid values are from 1 to 100.

thr1Hi

Percentage of the upper threshold size for the first WRED curve; valid values are from 1 to 100.

thr2Lo

(Optional) Percentage of the lower threshold size for the second WRED curve; valid values are from 1 to 100.

thr2Hi

Percentage of the upper threshold size for the second WRED curve; valid values are from 1 to 100.


Defaults

The default thresholds are as follows:

For 1p2q2t = 40:70 (threshold1) and 70:100 (threshold2) (low:high percentage)/queue

For 1p3q1t = 70:100 (low:high)

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

The queue values range from 1 to 3. Queue 4 is the strict-priority queue and does not have an associated WRED threshold. The thresholds are all specified as percentages ranging from 1 to 100. A value of 10 indicates a threshold when the buffer is 10 percent full.

The colon between the low and high threshold values is required.

Examples

This example shows how to configure lower and upper threshold values for queue 1:

Console> (enable) set qos wred 1p2q2t queue 1 20:60 40:90
WRED thresholds for queue 1 set to 20:60 and 40:90 on all WRED-capable 1p2q2t ports.
Console> (enable) 

This example shows how to configure the upper threshold value for queue 1:

Console> (enable) set qos wred 1p3q1t tx queue 1 20   
WRED thresholds for queue 1 set to 0:20 on all WRED-capable 1p3q1t ports.
Console> (enable) 

Related Commands

clear qos config
show qos info

set qos wrr

To specify the weights that determine how many packets will transmit out of one queue before switching to the other queue, use the set qos wrr command.

set qos wrr port_type queue1_val queue2_val... [srr]

Syntax Description

port_type

Port type; valid values are 2q2t, 1p2q2t, 1p3q1t, 1p2q1t, 1p3q8t, and 1p7q8t.

queue#_val

Number of weights for queues 1, 2, or 3; valid values are from 1 to 255.

srr

(Optional) Specifies Shaped Round Robin (SRR).


Defaults

The default WRR with QoS enabled for port type 1p3q1t is as follows:

Queue 1 = 100

Queue 2 = 150

Queue 3 = 200

With QoS disabled, the default is 255 for all three queues.

The default WRR for port types 2q2t and 1p2q2t is 4:255.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

The WRR weights are used to partition the bandwidth between the queues in the event all queues are not empty. For example, weights of 1:3 mean that one queue gets 25 percent of the bandwidth and the other gets 75 percent as long as both queues have data.

Weights of 1:3 do not necessarily lead to the same results as when the weights are 10:30. In the latter case, more data is serviced from each queue and the latency of packets serviced from the other queue goes up. For best results, set the weights so that at least one packet (maximum size) can be serviced from the lower priority queue at a time. For the higher priority queue, set the weights so that multiple packets are serviced at any one time.

The values set in hardware will be close approximations of the values provided. For example, even if you specify 0 percent, the actual value programmed will not necessarily be 0. Whatever weights you choose, make sure that the resulting byte values programmed (see the show qos info command with the runtime keyword) are at least equal to the MTU size.

The ratio achieved is only an approximation of what you specify because the hardware services entire packets and the cutoff can fall midway through a packet. For example, if you specify that the ratio services 1000 bytes out of the low-priority queue, and there is a 1500-byte packet in the low-priority queue, the entire 1500-byte packet is transmitted because the hardware services an entire packet.

For 1p2q2t and 2q2t, only two queues can be set; the third queue is strict priority.

For 1p3q1t, three queues can be set; a fourth queue is strict priority.

SRR is only supported on switches with a PFC3. SRR is only supported with 1p3q8t.
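The following added example (not Cisco code) simulates the whole-packet servicing described in these guidelines to show how far the achieved bandwidth split drifts from the configured weights, and how much longer the other queue waits when the same ratio is written as 10:30 instead of 1:3. The `bytes_per_weight` scaling is an assumption made for illustration; the byte values the hardware actually programs are shown by show qos info with the runtime keyword.

```python
def service(byte_budgets, packet_sizes, rounds=100):
    """Serve backlogged queues in turn and return (bytes_sent, longest_turn).

    byte_budgets -- bytes each queue may send per turn
    packet_sizes -- fixed size of the packets waiting in each queue
    A queue keeps sending until its budget is reached, and the packet that
    crosses the budget is still sent whole, as the guidelines describe.
    """
    bytes_sent = [0] * len(byte_budgets)
    longest_turn = [0] * len(byte_budgets)
    for _ in range(rounds):
        for q, budget in enumerate(byte_budgets):
            turn = 0
            while turn < budget:
                turn += packet_sizes[q]      # a packet is never split
            bytes_sent[q] += turn
            longest_turn[q] = max(longest_turn[q], turn)
    return bytes_sent, longest_turn


def achieved(weights, packet_size, bytes_per_weight=1000):
    """Return (bandwidth share per queue, bytes sent per turn per queue).

    bytes_per_weight is a hypothetical scaling from weight to bytes.
    """
    budgets = [w * bytes_per_weight for w in weights]
    sent, turn = service(budgets, [packet_size] * len(weights))
    total = sum(sent)
    return [round(s / total, 4) for s in sent], turn


if __name__ == "__main__":
    for weights in ((1, 3), (10, 30)):
        share, turn = achieved(weights, packet_size=1500)
        print(weights, "share:", share, "bytes per turn:", turn)
```

With 1500-byte packets, the small weights overshoot the low-priority share because one packet already exceeds the budget, while the larger weights track the 25:75 target more closely at the cost of a tenfold longer turn for the other queue.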

Examples

This example shows how to specify the weights for queue 1 and queue 2 to 30 and 70:

Console> (enable) set qos wrr 2q2t 30 70
QoS wrr ratio is set successfully.
Console> (enable) 

This example shows how to specify the SRR link scheduling algorithm:

Console> (enable) set qos wrr 1p3q8t 80 100 20 srr
QoS wrr and srr ratio is set successfully.
WRR/SRR absolute values are affected by hardware granularity.
Config> (enable)

Related Commands

show qos info
show qos statistics

set radius attribute

To set attributes to the RADIUS ACCESS_REQUEST packet, use the set radius attribute command.

set radius attribute {number | name} include-in-access-req {enable | disable}

Syntax Description

number

Attribute number; valid value is 8.

name

Attribute name; valid value is framed-ip-address.

include-in-access-req

Sets attributes to the ACCESS_REQUEST packet.

enable | disable

Enables or disables the attribute.


Defaults

All RADIUS attributes are disabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

The set radius attribute command allows you to specify the transmission of optional attributes such as Framed-IP address, NAS-Port, Called-Station-Id, and Calling-Station-Id. You can set attribute transmission by either the attribute number or the attribute name.

Examples

This example shows how to specify and enable the Framed-IP address attribute by number:

Console> (enable) set radius attribute 8 include-in-access-req enable
Transmission of Framed-ip address in access-request packet is enabled.
Console> (enable) 

This example shows how to specify and disable the Framed-IP address attribute by name:

Console> (enable) set radius attribute framed-ip-address include-in-access-req disable
Transmission of Framed-ip address in access-request packet is disabled.
Console> (enable)

Related Commands

show radius

set radius auto-initialize

To enable or disable the automatic initialization of all ports in AAA fail state when a RADIUS server becomes active, use the set radius auto-initialize command.

set radius auto-initialize {enable | disable}

Syntax Description

enable

Enables automatic initialization.

disable

Disables automatic initialization.


Defaults

Automatic initialization is disabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

With automatic initialization enabled, when AAA modules detect that at least one RADIUS server is active, all modules are notified of the AAA event. When notified, the EoU policy reviews the list of all ports in AAA fail state and begins to revalidate them without changing the existing fail policy. If rate limiting is enabled, sessions are rate limited. If rate limiting is disabled, all ports attempt to authenticate when a RADIUS server becomes active. When authentications are successful, the new authenticated policy replaces the existing fail policy.

Examples

This example shows how to enable automatic initialization of all ports in AAA fail state when a RADIUS server becomes active:

Console> (enable) set radius auto-initialize enable
Radius Auto-initialize enabled.
Console> (enable)

set radius deadtime

To set the time to skip RADIUS servers that do not reply to an authentication request, use the set radius deadtime command.

set radius deadtime minutes

Syntax Description

minutes

Length of time that a RADIUS server that does not respond to an authentication request is skipped; valid values are from 0 to 1440 minutes.


Defaults

The default is 0 minutes.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

If only one RADIUS server is configured or if all the configured servers are marked dead, deadtime will be ignored since no alternate servers are available. By default, the deadtime is 0 minutes; the RADIUS servers are not marked dead if they do not respond.

Examples

This example shows how to set the RADIUS deadtime to 10 minutes:

Console> (enable) set radius deadtime 10
Radius deadtime set to 10 minutes.
Console> (enable) 

Related Commands

show radius

set radius keepalive

To enable or disable the RADIUS keepalive timer and to configure the keepalive timer to check the status of configured RADIUS servers, use the set radius keepalive command.

set radius keepalive {enable | disable}

set radius keepalive time minutes

Syntax Description

enable

Enables the RADIUS keepalive timer.

disable

Disables the RADIUS keepalive timer.

time

Specifies the RADIUS keepalive timer interval.

minutes

Number of minutes between checks of configured RADIUS servers; valid values are from 1 to 65535 minutes.


Defaults

The timer is enabled and set to 5 minutes.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

For every RADIUS keepalive timer interval, a test RADIUS request with username azbycx is sent to all configured RADIUS servers. If the server sends a response, the server is marked "Active." If no response is received during the timer interval and the server was already "Dead," the RADIUS server remains in the "Dead" state.

If the RADIUS server was previously "Active" but now does not send a response, the server is in the "Checkup" state. During the "Checkup" state interval, the test RADIUS request is resent. To specify the number of times that the request is sent, enter the set radius retransmit count command.
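Because every switch sends a test request for username azbycx each keepalive interval, the RADIUS server's authentication log fills with these probes. The added example below (not Cisco code) separates them from real user rejects and flags switches whose probes stopped arriving on schedule; the log format, the addresses and the "reject" result for the probe are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

KEEPALIVE_USER = "azbycx"                   # test username named in the guidelines
KEEPALIVE_INTERVAL = timedelta(minutes=5)   # documented default timer value

# Constructed records: "timestamp NAS-IP username result" (assumed format).
SAMPLE_LOG = """\
2024-01-01T10:00:00 192.0.2.1 azbycx reject
2024-01-01T10:00:00 192.0.2.2 azbycx reject
2024-01-01T10:02:10 192.0.2.1 alice accept
2024-01-01T10:03:00 192.0.2.2 bob reject
2024-01-01T10:05:00 192.0.2.1 azbycx reject
2024-01-01T10:05:00 192.0.2.2 azbycx reject
2024-01-01T10:10:00 192.0.2.1 azbycx reject
2024-01-01T10:15:00 192.0.2.1 azbycx reject
2024-01-01T10:20:00 192.0.2.1 azbycx reject
2024-01-01T10:20:00 192.0.2.2 azbycx reject
"""


def parse(log_text):
    """Return time-sorted (timestamp, nas, username, result) tuples."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, nas, user, result = line.split()
        records.append((datetime.fromisoformat(stamp), nas, user, result))
    return sorted(records)


def triage(log_text, interval=KEEPALIVE_INTERVAL, slack=1.5):
    """Return (user_rejects, probe_gaps), both keyed by NAS address.

    user_rejects -- rejected usernames, keepalive probes excluded
    probe_gaps   -- (last_seen, next_seen) pairs where consecutive probes
                    are more than interval * slack apart
    """
    user_rejects = defaultdict(list)
    probes = defaultdict(list)
    for when, nas, user, result in parse(log_text):
        if user == KEEPALIVE_USER:
            probes[nas].append(when)
        elif result == "reject":
            user_rejects[nas].append(user)

    probe_gaps = {}
    for nas, times in probes.items():
        gaps = [(a, b) for a, b in zip(times, times[1:])
                if b - a > interval * slack]
        if gaps:
            probe_gaps[nas] = gaps
    return dict(user_rejects), probe_gaps


if __name__ == "__main__":
    rejects, gaps = triage(SAMPLE_LOG)
    print("user rejects:", rejects)
    print("missing keepalives:", gaps)
```

Pass the interval configured with set radius keepalive time when it differs from the default, otherwise every switch is reported as having gaps.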

Examples

This example shows how to disable the RADIUS keepalive timer:

Console> (enable) set radius keepalive disable
Radius Keepalive disabled.
Console> (enable)

This example shows how to set the RADIUS keepalive timer interval to 60 minutes:

Console> (enable) set radius keepalive time 60
Radius keepalive time set to 60 minutes.
Console> (enable)

Related Commands

set radius auto-initialize
set radius retransmit
show radius

set radius key

To set the encryption and authentication key for all communication between the RADIUS client and the server, use the set radius key command.

set radius key key

Syntax Description

key

Name of the key to authenticate the transactions between the RADIUS client and the server.


Defaults

The default of the key is set to null.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

The key you set must be the same one as configured in the RADIUS server. All leading spaces are ignored; spaces within and at the end of the key are not ignored. Double quotes are not required even if there are spaces in the key, unless the quotes themselves are part of the key. The length of the key is limited to 65 characters; it can include any printable ASCII characters except tabs.

If you configure a RADIUS key on the switch, make sure you configure an identical key on the RADIUS server.
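A key that differs from the server's secret by a trailing space or a pair of quotes is hard to spot by eye. This added example (not Cisco code) applies the parsing rules stated above to the text typed after `set radius key ` and explains why the result does not match a server secret; applying the 65-character limit after leading spaces are dropped is an assumption.

```python
MAX_KEY_LEN = 65   # length limit stated in the usage guidelines


def effective_key(argument):
    """Return the key that results from the text typed after the command.

    Leading spaces are ignored; spaces inside and at the end are kept;
    double quotes are ordinary characters and become part of the key.
    """
    key = argument.lstrip(" ")
    if len(key) > MAX_KEY_LEN:     # assumption: measured after the strip
        raise ValueError(f"key is {len(key)} characters, limit is {MAX_KEY_LEN}")
    bad = sorted({c for c in key if not 0x20 <= ord(c) <= 0x7E})
    if bad:
        raise ValueError(f"non-printable or tab characters in key: {bad!r}")
    return key


def explain_mismatch(argument, server_secret):
    """Return the reasons the switch key differs from the server secret.

    An empty list means the two are identical.
    """
    key = effective_key(argument)
    if key == server_secret:
        return []
    reasons = []
    if key.rstrip(" ") == server_secret.rstrip(" "):
        reasons.append("trailing spaces differ")
    if len(key) >= 2 and key[0] == key[-1] == '"' and key[1:-1] == server_secret:
        reasons.append("double quotes were typed and are part of the key")
    if not reasons:
        reasons.append("keys differ")
    return reasons


if __name__ == "__main__":
    secret = "Make my day"                      # sample value from the page
    for typed in ("   Make my day", "Make my day ", '"Make my day"'):
        print(repr(typed), "->", explain_mismatch(typed, secret) or "match")
```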

Examples

This example shows how to set the RADIUS encryption and authentication key to Make my day:

Console> (enable) set radius key Make my day
Radius key set to Make my day.
Console> (enable)

Related Commands

show radius

set radius retransmit

To specify the number of times the RADIUS servers are tried before giving up on the server, use the set radius retransmit command.

set radius retransmit count

Syntax Description

count

Number of times the RADIUS servers are tried before giving up on the server; valid values are from 1 to 100.


Defaults

The default is two times.

Command Types

Switch command.

Command Modes

Privileged.

Examples

This example shows how to set the retransmit attempts to 3:

Console> (enable) set radius retransmit 3
Radius retransmit count set to 3.
Console> (enable) 

Related Commands

set radius keepalive
show radius

set radius server

To set up the RADIUS server, use the set radius server command.

set radius server ipaddr [auth-port port] [acct-port port] [primary]

Syntax Description

ipaddr

Number of the IP address or IP alias in dot notation a.b.c.d.

auth-port port

(Optional) Specifies a destination User Datagram Protocol (UDP) port for RADIUS authentication messages.

acct-port port

(Optional) Specifies a destination UDP port for RADIUS accounting messages.

primary

(Optional) Specifies that this server be contacted first.


Defaults

The default auth-port is 181, and the default acct-port is 1813.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

If you configure multiple RADIUS servers, the first server configured is the primary. Authentication requests are sent to this server first. You can specify a particular server as primary by using the primary keyword. You can add up to three RADIUS servers.

The ipaddr value can be entered as an IP alias or an IP address in dot notation a.b.c.d.

If you set the auth-port port to 0, the RADIUS server will not be used for authentication. If you set the acct-port port to 0, the RADIUS server will not be used for accounting.

If you configure a RADIUS key on the switch, make sure you configure an identical key on the RADIUS server.

You must specify a RADIUS server before enabling RADIUS on the switch.

Examples

This example shows how to add a primary server using an IP alias:

Console> (enable) set radius server everquest.com auth-port 0 acct-port 1646 primary
everquest.com added to RADIUS server table as primary server.
Console> (enable) 

This example shows how to add a primary server using an IP address:

Console> (enable) set radius server 172.22.11.12 auth-port 0 acct-port 1722 primary
172.22.11.12 added to RADIUS server table as primary server
Console> (enable) 

Related Commands

show radius

set radius timeout

To set the time between retransmissions to the RADIUS server, use the set radius timeout command.

set radius timeout seconds

Syntax Description

seconds

Number of seconds to wait for a reply; valid values are from 1 to 1000 seconds.


Defaults

The default timeout is 5 seconds.

Command Types

Switch command.

Command Modes

Privileged.

Examples

This example shows how to set the time between retransmissions to 7 seconds:

Console> (enable) set radius timeout 7 
Radius timeout set to 7 seconds.
Console> (enable) 

Related Commands

show radius

set rate-limit

To enable, disable, or set the Layer 2 rate limiters, use the set rate-limit command.

set rate-limit {l2pdu | l2port-security | l2protocol-tunnel} {enable | disable}

set rate-limit {l2pdu | l2port-security | l2protocol-tunnel} rate rate

Syntax Description

l2pdu

Specifies rate limiting for the spanning-tree BPDUs—IEEE and SSTP, CDP, UDLD, VTP, and PAgP.

l2port-security

Specifies rate limiting for port security.

l2protocol-tunnel

Specifies rate limiting for the protocol tunnel-encapsulated PDUs.

enable

Enables Layer 2 rate limiting.

disable

Disables Layer 2 rate limiting.

rate rate

Specifies the rate-limiting threshold in packets per second; valid values are from 1 to 255.


Defaults

The defaults are as follows:

Rate limiting is disabled.

If enabled, the default rate is 1000 packets per second.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

You can configure a maximum of four rate limiters.

The following restrictions apply if you want to enable rate limiting:

Hardware-based rate limiters are supported on Catalyst 6500 series switches that are configured with a Distributed Forwarding Card 3A (DFC3A) or the Policy Feature Card 3 (PFC3) only.

The Catalyst 6500 series switch cannot be in truncated mode. If you attempt to enable rate limiting and you are in truncated mode, a message is displayed.

If the rate limiter is enabled and some events cause the system to go from nontruncated mode to truncated mode, rate limiting is disabled and a message is displayed.

Rate limiters control packets as follows:

The frames are classified as Layer 2 control frames by the destination MAC address. The destination MAC addresses used are as follows:

0180.C200.0000 for IEEE BPDU

0100.0CCC.CCCC for CDP

0100.0CCC.CCCD for PVST/SSTP BPDU

The software allocates an LTL index for the frames.

The LTL index is submitted to the forwarding engine for aggregate rate limiting of all the associated frames.

The Layer 2 control packets are as follows:

GVRP/GMRP

802.1X

BPDUs

CDP/DTP/PAgP/UDLD/LACP/VTP PDUs

PVST/SSTP PDUs
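Since the limiter is applied in aggregate to every frame matched by destination MAC address, a candidate rate should be checked against the combined control-frame load rather than per protocol. This added example (not Cisco code) classifies frames from a baseline capture using only the three addresses listed above and reports the peak aggregate rate and the seconds in which a candidate rate would be exceeded; the one-second counting window and the sample frames are constructed for the example.

```python
from collections import Counter, defaultdict

# Destination MAC addresses listed in the usage guidelines.
L2PDU_DMACS = {
    "0180.c200.0000": "IEEE BPDU",
    "0100.0ccc.cccc": "CDP",
    "0100.0ccc.cccd": "PVST/SSTP BPDU",
}

# Constructed baseline: (seconds since capture start, destination MAC).
BASELINE = [
    (0.0, "01:80:c2:00:00:00"),
    (0.1, "0180.C200.0000"),
    (0.2, "01-80-C2-00-00-00"),
    (0.3, "0100.0ccc.cccd"),
    (0.5, "01:00:0c:cc:cc:cc"),
    (0.6, "00:11:22:33:44:55"),   # ordinary data frame, not classified
    (1.0, "0100.0CCC.CCCC"),
    (2.0, "0180.c200.0000"),
    (2.0, "0100.0ccc.cccd"),
]


def normalize_mac(mac):
    """Convert colon, dash or dotted notation to lowercase xxxx.xxxx.xxxx."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def classify(dst_mac):
    """Return the control-frame type for a destination MAC, or None."""
    return L2PDU_DMACS.get(normalize_mac(dst_mac))


def check_rate(frames, rate_pps):
    """Return (peak aggregate pps, {second: per-type counts} over the rate)."""
    per_second = defaultdict(Counter)
    for ts, dst in frames:
        kind = classify(dst)
        if kind is not None:
            per_second[int(ts)][kind] += 1
    peak = max((sum(c.values()) for c in per_second.values()), default=0)
    over = {sec: dict(counts) for sec, counts in sorted(per_second.items())
            if sum(counts.values()) > rate_pps}
    return peak, over


if __name__ == "__main__":
    for rate in (3, 5):
        print("rate", rate, "->", check_rate(BASELINE, rate))
```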

Examples

This example shows how to enable Layer 2 rate limiting for PDUs:

Console>(enable) set rate-limit l2pdu enable
Layer 2 rate limiter for PDUs enabled on the switch.
Console>(enable)

This example shows how to enable Layer 2 rate limiting for port security:

Console> (enable) set rate-limit l2port-security enable
l2port-security rate limiter enabled.
Console> (enable)

This example shows how to disable Layer 2 rate limiting for protocol tunnel-encapsulated PDUs:

Console>(enable) set rate-limit l2protocol-tunnel disable
Layer 2 rate limiter for l2protocol-tunnel disabled on the switch.
Console>(enable)

This example shows how to set the Layer 2 rate limiter value for PDUs:

Console>(enable) set rate-limit l2pdu rate 1000
Layer 2 rate limiter for PDU rate set to 1000.
Console>(enable)

This example shows how to set the Layer 2 rate limiter value for port security:

Console> (enable) set rate-limit l2port-security rate 10000
l2port-security rate limiter rate set to 10000 pps.
Console> (enable)

Related Commands

show rate-limit

set rcp username

To specify your username for rcp file transfers, use the set rcp username command.

set rcp username username

Syntax Description

username

Username up to 14 characters long.


Defaults

There are no default settings for this command.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

The username can be a maximum of 40 characters, must be different from "root," and not a null string.

The only case where you cannot configure the rcp username is for the VMPS database where you will use an rcp VMPS username. Use the set vmps downloadmethod command to specify the rcp VMPS username.

Examples

This example shows how to set the username for rcp:

Console> (enable) set rcp username jdoe
Console> (enable) 

Related Commands

clear rcp
set vmps downloadmethod
show rcp