Table Of Contents
set port auxiliaryvlan
set port broadcast
set port channel
set port cops
set port critical
set port debounce
set port description
set port dhcp-snooping
set port disable
set port dot1q-all-tagged
set port dot1q-ethertype
set port dot1qtunnel
set port dot1x
set port duplex
set port enable
set port eou
set port errdisable-timeout
set port errordetection
set port ethernet-cfm
set port ethernet-evc
set port ethernet-lmi
set port ethernet-oam
set port ethernet-oam action
set port ethernet-oam link-monitor
set port ethernet-oam mode
set port ethernet-oam remote-loopback
set port ethernet-uni
set port flexlink
set port flowcontrol
set port gmrp
set port gvrp
set port host
set port inlinepower
set port jumbo
set port l2protocol-tunnel
set port lacp-channel
set port mac-auth-bypass
set port macro
set port membership
set port mvrp
set port name
set port negotiation
set port protocol
set port qos
set port qos autoqos
set port qos cos
set port qos policy-source
set port qos trust
set port qos trust-device
set port qos trust-ext
set port rsvp dsbm-election
set port security
set port security-acl
set port speed
set port sync-restart-delay
set port trap
set port unicast-flood
set port vlan-mapping
set port voice interface dhcp
set port vtp
set port web-auth
set port web-auth initialize
set power redundancy
set prompt
set protocolfilter
set pvlan
set pvlan mapping
set qos
set qos acl default-action
set qos acl ip
set qos acl ipx
set qos acl mac
set qos acl map
set qos autoqos
set qos bridged-microflow-policing
set qos cos-cos-map
set qos cos-dscp-map
set qos drop-threshold
set qos dscp-cos-map
set qos dscp-mutation-map
set qos dscp-mutation-table-map
set qos dscp-rewrite
set qos ipprec-dscp-map
set qos mac-cos
set qos map
set qos policed-dscp-map
set qos policer
set qos policy-source
set qos rsvp
set qos rxq-ratio
set qos statistics export
set qos statistics export aggregate
set qos statistics export destination
set qos statistics export interval
set qos statistics export port
set qos txq-ratio
set qos wred
set qos wrr
set radius attribute
set radius auto-initialize
set radius deadtime
set radius keepalive
set radius key
set radius retransmit
set radius server
set radius timeout
set rate-limit
set rcp username
set port auxiliaryvlan
To configure the auxiliary VLAN ports, use the set port auxiliaryvlan command.
set port auxiliaryvlan mod[/port] {vlan | untagged | dot1p | none} [cdpverify {enable | disable}]
Syntax Description
mod[/port]
    Number of the module and (optional) port or multiple ports.
vlan
    Number of the VLAN; valid values are from 1 to 4094.
untagged
    Specifies that the connected device sends and receives untagged packets without 802.1p priority.
dot1p
    Specifies that the connected device sends and receives packets with 802.1p priority.
none
    Specifies that the switch does not send any auxiliary VLAN information in the CDP packets from that port.
cdpverify
    (Optional) Sets automatic detection of IP phones by using CDP.
enable
    (Optional) Enables the automatic detection of IP phones.
disable
    (Optional) Disables the automatic detection of IP phones.
Defaults
The default setting is none.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
If you do not specify a port, all ports are selected.
The vlan option specifies that the connected device sends packets that are tagged with a specific VLAN.
If you enter the none option, voice information will not be sent or received.
Dynamic VLAN support for the voice VLAN identifier (VVID) places these restrictions on the multiple VLAN access port (MVAP) configuration on the switch port:
• You can configure any VVID on a dynamic port including dot1p and untagged, except when the VVID is equal to dot1p or untagged. If this is the case, you must configure VMPS with the MAC address of the IP phone. When you configure the VVID as dot1p or untagged on a dynamic port, this warning message is displayed:
VMPS should be configured with the IP phone mac's.
• For dynamic ports, the auxiliary VLAN ID cannot be the same as the native VLAN ID assigned by VMPS for the dynamic port.
• You cannot configure trunk ports as dynamic ports, but an MVAP can be configured as a dynamic port.
The presence of an IP phone is determined through CDP packet exchange between the switch and the phone. This detection method is used for both inline-powered IP phones and wall-powered IP phones.
If the auxiliary VLAN ID equals the port-VLAN ID or when the auxiliary VLAN ID is configured as none, dot1p, or untagged, this feature cannot be applied to the port. If any command entry results in the auxiliary VLAN ID equaling the port-VLAN ID, the feature is disabled and the following warning message is displayed:
cdpverify feature on port mod/port is disabled.
Examples
This example shows how to set the auxiliary VLAN port to untagged:
Console> (enable) set port auxiliaryvlan 5/7 untagged
Port 5/7 allows the connected device send and receive untagged packets and
This example shows how to set the auxiliary VLAN port to dot1p:
Console> (enable) set port auxiliaryvlan 5/9 dot1p
Port 5/9 allows the connected device send and receive packets with 802.1p priority.
This example shows how to set the auxiliary VLAN port to none:
Console> (enable) set port auxiliaryvlan 5/12 none
Port 5/12 will not allow sending CDP packets with AuxiliaryVLAN information.
This example shows how to set the auxiliary VLAN port to a specific module, port, and VLAN:
Console> (enable) set port auxiliaryvlan 2/1-3 222
Auxiliaryvlan 222 configuration successful.
AuxiliaryVlan AuxVlanStatus Mod/Ports
------------- ------------- -------------------------
Related Commands
show port auxiliaryvlan
set port broadcast
To set broadcast, multicast, or unicast suppression for one or more ports, use the set port broadcast command. The threshold limits the backplane traffic received from the module.
set port broadcast mod/port threshold% [violation {drop-packets | errdisable}]
[multicast {enable | disable}] [unicast {enable | disable}]
Syntax Description
mod/port
    Number of the module and the port on the module.
threshold%
    Percentage of total available bandwidth that can be used by traffic; valid values are decimal numbers from 0.00% to 100% or whole numbers from 0% to 100%.
violation
    (Optional) Specifies an action when suppression occurs.
drop-packets
    (Optional) Drops packets when suppression occurs.
errdisable
    (Optional) Errdisables the port when suppression occurs.
multicast
    (Optional) Specifies multicast suppression.
enable | disable
    (Optional) Enables or disables the suppression type.
unicast
    (Optional) Specifies unicast suppression.
Defaults
The default is 100% (no broadcast limit).
The default action is drop-packets if a broadcast violation occurs.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
This command is not supported by the NAM.
You can enter the threshold value in two ways:
• A decimal number followed by a percent sign (for example 0.33%)
• A whole number followed by a percent sign (for example 33%)
The percent sign (%) is required when entering the threshold value.
The multicast and unicast keywords are supported on Gigabit Ethernet modules only.
If you enter the command without using the multicast or unicast keyword, only broadcast traffic is suppressed. If you enter the multicast or unicast keyword, both broadcast and the selected traffic type are suppressed.
Examples
This example shows how to limit broadcast traffic to 20 percent:
Console> (enable) set port broadcast 4/3 20%
Port 4/3 broadcast traffic limited to 20.00%.
This example shows how to limit broadcast traffic to 90 percent and to errdisable when suppression occurs:
Console> (enable) set port broadcast 4/6 90% violation errdisable
Port 4/6 broadcast traffic limited to 90.00%.
On broadcast suppression port 4/6 is configured to move to errdisabled state.
This example shows how to allow a specific amount of multicast traffic to a range of ports:
Console> (enable) set port broadcast 4/1-24 80% multicast enable
Port 4/1-24 multicast traffic limited to 80%.
This example shows how to limit broadcast and multicast traffic to 91 percent, to disable unicast traffic, and to errdisable when suppression occurs:
Console> (enable) set port broadcast 4/2 91% violation errdisable multicast enable unicast disable
Port 4/2 broadcast and multicast traffic limited to 91.00%.
On broadcast suppression port 4/2 is configured to move to errdisabled state.
This example shows how to limit broadcast, multicast, and unicast traffic to 91 percent:
Console> (enable) set port broadcast 4/2 91% multicast enable unicast enable
Port 4/2 broadcast, multicast and unicast traffic limited to 91.00%.
Related Commands
clear port broadcast
show port broadcast
set port channel
To configure EtherChannel on Ethernet module ports, use the set port channel command.
set port channel mod/port [admin_group]
set port channel mod/port mode {on | off | desirable | auto} [silent | non-silent]
set port channel all mode off
set port channel all distribution {ip | mac} [source | destination | both]
set port channel all distribution {session} [source | destination | both]
set port channel all distribution {ip-vlan-session} [source | destination | both]
Syntax Description
mod/port
    Number of the module and the port on the module.
admin_group
    (Optional) Number of the administrative group; valid values are from 1 to 1024.
mode
    Specifies the EtherChannel mode.
on
    Enables and forces specified ports to channel without PAgP.
off
    Prevents ports from channeling.
desirable
    Sets a PAgP mode that places a port into an active negotiating state, in which the port initiates negotiations with other ports by sending PAgP packets.
auto
    Sets a PAgP mode that places a port into a passive negotiating state, in which the port responds to PAgP packets it receives, but does not initiate PAgP packet negotiation.
silent
    (Optional) Used with auto or desirable when no traffic is expected from the other device to prevent the link from being reported to STP as down.
non-silent
    (Optional) Used with auto or desirable when traffic is expected from the other device.
all mode off
    Turns off channeling on all ports globally.
all distribution
    Applies frame distribution to all ports in the Catalyst 6500 series switch.
ip
    Specifies the frame distribution method using IP address values.
mac
    Specifies the frame distribution method using MAC address values.
source
    (Optional) Specifies the frame distribution method using source address values.
destination
    (Optional) Specifies the frame distribution method using destination address values.
both
    (Optional) Specifies the frame distribution method using source and destination address values.
session
    Allows frame distribution of Layer 4 traffic.
both
    (Optional) Specifies the frame distribution method using source and destination Layer 4 port number.
ip-vlan-session
    Specifies the frame distribution method based on the source or destination IP address, the forwarding index derived from the VLAN, and the source or destination Layer 4 port.
Defaults
By default, EtherChannel is set to auto and silent on all module ports. The defaults for frame distribution are ip and both.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
This command is not supported by the NAM.
This command is not supported by non-EtherChannel-capable modules.
The set port channel all distribution session command is supported on systems configured with the Supervisor Engine 2 with Layer 3 Switching Engine II (PFC2) and the Supervisor Engine 720.
Make sure that all ports in the channel are configured with the same port speed, duplex mode, and so forth. For more information on EtherChannel, refer to the Catalyst 6500 Series Software Configuration Guide.
With the on mode, a usable EtherChannel exists only when a port group in on mode is connected to another port group in on mode.
If you are running QoS, make sure that bundled ports are all of the same trust types and have similar queueing and drop capabilities.
Disable the port security feature on the channeled ports (see the set port security command). If you enable port security for a channeled port, the port shuts down when it receives packets with source addresses that do not match the secure address of the port.
You can configure up to eight ports on the same switch in each administrative group.
When you assign ports to an existing administrative group, the original ports associated with the administrative group will move to a new automatically picked administrative group. You cannot add ports to the same administrative group.
If you do not enter an admin_group value, a new administrative group is created with the admin_group value selected automatically. The next available administrative group is automatically selected.
If you do not enter the channel mode, the channel mode of the addressed ports is not modified.
The silent | non-silent parameters only apply if desirable or auto modes are entered.
If you do not specify silent or non-silent, the current setting is not affected.
The ip-vlan-session keyword is supported only on the Supervisor Engine 720.
Note
With software releases 6.2(1) and earlier, the 6- and 9-slot Catalyst 6500 series switches support a maximum of 128 EtherChannels.
With software releases 6.2(2) and later, due to the port ID handling by the spanning tree feature, the maximum supported number of EtherChannels is 126 for a 6- or 9-slot chassis and 63 for a 13-slot chassis. Note that the 13-slot chassis was first supported in software release 6.2(2).
Examples
This example shows how to set the channel mode to desirable:
Console> (enable) set port channel 2/2-8 mode desirable
Ports 2/2-8 channel mode set to desirable.
This example shows how to set the channel mode to auto:
Console> (enable) set port channel 2/7-8,3/1 mode auto
Ports 2/7-8,3/1 channel mode set to auto.
This example shows how to group ports 4/1 through 4 in an administrative group:
Console> (enable) set port channel 4/1-4 96
Port(s) 4/1-4 are assigned to admin group 96.
This example shows the display when the port list is exceeded:
Console> (enable) set port channel 2/1-9 1
No more than 8 ports can be assigned to an admin group.
This example shows how to disable EtherChannel on module 4, ports 4 through 6:
Console> (enable) set port channel 4/4-6 mode off
Port(s) 4/4-6 channel mode set to off.
This example shows the display output when you assign ports to an existing administrative group. This example moves ports in admin group 96 to another admin group and assigns ports 4/4 through 6 to admin group 96:
Console> (enable) set port channel 4/4-6 96
Port(s) 4/1-3 are moved to admin group 97.
Port(s) 4/4-6 are assigned to admin group 96.
This example shows how to set the channel mode to off for ports 4/4 through 6 and assign ports 4/4 through 6 to an automatically selected administrative group:
Console> (enable) set port channel 4/4-6 off
Port(s) 4/4-6 channel mode set to off.
Port(s) 4/4-6 are assigned to admin group 23.
This example shows how to configure the EtherChannel load-balancing feature:
Console> (enable) set port channel all distribution ip destination
Channel distribution is set to ip destination.
Related Commands
show channel
show channel group
show port channel
set port cops
To create port roles, use the set port cops command.
set port cops mod/port roles role1 [role2]...
Syntax Description
mod/port
    Number of the module and the port on the module.
roles role#
    Specifies the roles.
Defaults
By default, all ports have a role of null string, that is, a string of length 0.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
This command is not supported by the NAM.
A port may have multiple roles. You can configure a maximum of 64 total roles per switch. You can specify multiple roles in a single command.
Examples
This example shows how to create roles on a port:
Console> (enable) set port cops 3/1 roles backbone_port main_port
New role `backbone_port' created.
New role `main_port' created.
Roles added for port 3/1-4.
This example shows the display if you attempt to create a role and exceed the maximum allowable number of roles:
Console> (enable) set port cops 3/1 roles access_port
Unable to add new role. Maximum number of roles is 64.
Related Commands
clear port cops
show port cops
set port critical
To enable or disable the Inaccessible Authentication Bypass (IAB) feature on a port that is configured to use 802.1X, LPIP, MAC authentication bypass, or Web Authentication, use the set port critical command.
set port critical mod/port {enable | disable}
Syntax Description
mod/port
    Number of the module and the port on the module.
enable
    Enables IAB on the specified port.
disable
    Disables IAB on the specified port.
Defaults
IAB is disabled.
Command Types
Switch.
Command Modes
Privileged.
Usage Guidelines
Use the set port critical command in place of the set port dot1x mod/port critical command.
Examples
This example shows how to enable IAB on port 1, module 5:
Console> (enable) set port critical 5/1 enable
Port, 5/1 Critical feature enabled.
Related Commands
show port critical
show port mac-auth-bypass
show port web-auth
set port debounce
To enable or disable the debounce timer or configure the timer setting on a per-port basis, use the set port debounce command.
set port debounce mod/port {enable | disable}
set port debounce mod/port delay time
Syntax Description
mod/port
    Number of the module and the port on the module.
enable | disable
    Enables or disables the debounce timer.
delay
    Sets the debounce timer for gigabit fiber ports.
time
    Amount of time the firmware waits before notifying the supervisor engine of a link change; valid values are 200 milliseconds or from 300 to 5000 milliseconds. This is supported on gigabit fiber ports only. See the "Usage Guidelines" section for more information.
Defaults
By default, the debounce timer is disabled on all ports.
When the debounce timer is disabled, the default debounce timer values are as follows:
• 10BASE-FL ports: 300 milliseconds
• 10/100BASE-TX ports: 300 milliseconds
• 100BASE-FX ports: 300 milliseconds
• 10/100/1000BASE-TX ports: 300 milliseconds
• 1000BASE-TX ports: 300 milliseconds
• Fiber Gigabit Ethernet ports: 10 milliseconds
• 10-Gigabit Ethernet ports: 10 milliseconds
When the debounce timer is enabled, the default debounce timer values are as follows:
• 10BASE-FL ports: 3100 milliseconds
• 10/100BASE-TX ports: 3100 milliseconds
• 100BASE-FX ports: 3100 milliseconds
• 10/100/1000BASE-TX ports: 3100 milliseconds
• 1000BASE-TX ports: 3100 milliseconds
• Fiber Gigabit Ethernet ports: 100 milliseconds
• 10-Gigabit Ethernet ports: 100 milliseconds
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The debounce timer is the time the firmware waits before notifying the supervisor engine of a link change at the physical layer.
Setting the debounce timer value to 200 milliseconds or from 300 to 5000 milliseconds is possible only for gigabit fiber ports. You do not need to enable the debounce timer on a gigabit fiber port before adjusting the timer. Any timer value that is greater than the default value in disabled state is considered a value that enables the timer.
For 10/100 ports and 100BASE-FX ports in the disabled state, the firmware may take up to 600 milliseconds to notify the supervisor engine of a link change because the firmware polling time is every 300 milliseconds.
For 10/100 ports and 100BASE-FX ports in the enabled state, the firmware may take up to 3400 milliseconds to notify the supervisor engine of a link change because the firmware polling time is every 300 milliseconds.
Examples
This example shows how to enable the debounce timer for a specific port on a specific module:
Console> (enable) set port debounce 1/1 enable
Debounce is enabled on port 1/1.
Warning:Enabling port debounce causes Link Up/Down detections to be delayed.
It results in loss of data traffic during debouncing period, which might
affect the convergence/reconvergence of various Layer 2 and Layer 3
Related Commands
show port debounce
set port description
To include a description that identifies a port, use the set port description command.
set port description mod/port [port_description]
Syntax Description
mod/port
    Number of the module and the port on the module.
port_description
    (Optional) Description that identifies the specified port. See the "Usage Guidelines" section for more information.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The set port description command adds another 43 characters to the existing limit of 21 characters that can be set when you enter the set port name command.
The set port description command is only supported in text configuration mode.
If you do not enter a port_description argument, the port description is cleared.
Examples
This example shows how to include a port description:
Console> (enable) set port description 7/1 sarahtom 172.30.8.35 00-0a-5e-44-8b-8 2/2
Port 7/1 description set.
This example shows how to clear a port description:
Console> (enable) set port description 7/1
Port 7/1 description cleared.
Related Commands
set port name
show config mode
show port description
set port dhcp-snooping
To configure DHCP snooping on a port, use the set port dhcp-snooping command.
set port dhcp-snooping mod/port {trust | source-guard} {enable | disable}
set port dhcp-snooping mod/port binding-limit count
set port dhcp-snooping mod/port add-binding ip-addr mac-addr [vlan]
Syntax Description
mod/port
    Number of the module and port on the module.
trust
    Specifies the trust feature.
source-guard
    Specifies the IP Source Guard feature.
enable
    Enables the specified DHCP-Snooping feature.
disable
    Disables the specified DHCP-Snooping feature.
binding-limit
    Specifies the number of IP-to-MAC bindings that are allowed on a port.
count
    Number of bindings that are allowed on a port; valid values are from 1 to 100.
add-binding
    Adds an IP-to-MAC binding.
ip-addr
    IP address.
mac-addr
    MAC address.
vlan
    (Optional) Number of the VLAN.
Defaults
Trust and Source Guard are disabled.
The binding limit on a port is 32.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
If you enter the set port dhcp-snooping mod/ports trust disable command, the DHCP snooping feature performs checks on packets coming from the ports that you specify. If you enter the enable keyword, the feature trusts the packets from those ports and does not perform checks.
If you enter the set port dhcp-snooping mod/ports source-guard enable command, the IP addresses learned through DHCP snooping are the only source IP addresses allowed on incoming traffic. All packets that contain other IP addresses are dropped. If a new binding is added, the IP address associated with that binding is added to the port. If a binding is deleted, the IP address associated with that binding is removed from the port.
If DHCP snooping is disabled on a VLAN, the bindings for that VLAN are deleted.
If you enable IP Source Guard on a port, that port should be untrusted. Also, the security ACL mode should be port-based or merge-mode, and no PACLs should be on the port.
Note the following when configuring DHCP-related features:
• IP Source Guard is supported only on the PFC3.
• ARP inspection is supported on Supervisor Engine 2, Supervisor Engine 720, and Supervisor Engine 32, but not on Supervisor Engine 1.
• DHCP snooping is supported on all supervisor engines.
• IP Source Guard is supported on Supervisor Engine 720 and Supervisor Engine 32, but not on Supervisor Engine 1 or Supervisor Engine 2.
• Dynamic ARP Inspection is supported on Supervisor Engine 2, Supervisor Engine 720, and Supervisor Engine 32, but not on Supervisor Engine 1.
• You must configure DHCP snooping on a server port when configured on per-port basis. The server port must be trusted.
• You can enable IP Source Guard only when the ACL mode is port based.
Examples
This example shows how to enable DHCP trust on port 2 of module 2:
Console> (enable) set port dhcp-snooping 2/2 trust enable
Port(s) 2/2 state set to trusted for DHCP Snooping.
This example shows how to enable IP Source Guard on port 2 of module 2:
Console> (enable) set port dhcp-snooping 2/2 source-guard enable
Enabling IP Source Guard on port(s) 2/2.
This example shows how to limit the number of bindings to 48 on port 4 and port 5 of module 3:
Console> (enable) set port dhcp-snooping 3/4-5 binding-limit 48
Ports 3/4-5 DHCP snooping binding limit is set to 48
This example shows how to add a binding to a specified port:
Console> (enable) set port dhcp-snooping 5/1 add-binding 172.20.52.18 00-50-f0-ac-30-54 1
DHCP Snooping Binding addition successful for Port 5/1, Vlan 1
IP addr 172.20.52.18, Mac Addr 00-50-f0-ac-30-54.
Related Commands
clear dhcp-snooping bindings
show port dhcp-snooping
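The following added example (not Cisco code and not part of the original reference) audits saved set port dhcp-snooping lines against the rules stated in the Usage Guidelines above: a port with IP Source Guard should be untrusted, the binding limit must be from 1 to 100, and the DHCP server port must be trusted. The sample configuration, the expected_trusted parameter, and all function names are assumptions made for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class PortState:
    # Defaults stated on this page: trust and source-guard disabled, limit 32.
    trust: bool = False
    source_guard: bool = False
    binding_limit: int = 32


def expand_ports(spec):
    """Expand port lists in the forms shown on this page: 2/2, 3/4-5, 2/7-8,3/1."""
    ports = []
    for item in spec.split(","):
        m = re.fullmatch(r"(\d+)/(\d+)(?:-(\d+))?", item.strip())
        if not m:
            raise ValueError(f"unsupported port spec: {item!r}")
        mod, first = int(m.group(1)), int(m.group(2))
        last = int(m.group(3)) if m.group(3) else first
        if last < first:
            raise ValueError(f"descending port range: {item!r}")
        ports.extend(f"{mod}/{p}" for p in range(first, last + 1))
    return ports


_CMD = re.compile(
    r"set port dhcp-snooping (\S+) (trust|source-guard|binding-limit) (\S+)"
)


def _port_key(port):
    mod, num = port.split("/")
    return int(mod), int(num)


def audit(config_text, expected_trusted=frozenset()):
    """Return (port, message) findings; expected_trusted is a hypothetical
    operator-supplied set of ports where DHCP servers are attached."""
    state, findings = {}, []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        m = _CMD.fullmatch(" ".join(raw.split()))
        if not m:
            continue  # other commands, including add-binding, are not audited
        spec, keyword, value = m.groups()
        for port in expand_ports(spec):
            st = state.setdefault(port, PortState())
            if keyword == "binding-limit":
                if value.isdigit() and 1 <= int(value) <= 100:
                    st.binding_limit = int(value)
                else:
                    findings.append(
                        (port, f"line {lineno}: binding-limit {value} is outside 1-100"))
            elif value in ("enable", "disable"):
                attr = "trust" if keyword == "trust" else "source_guard"
                setattr(st, attr, value == "enable")
            else:
                findings.append(
                    (port, f"line {lineno}: expected enable or disable, got {value}"))
    # Evaluate the final state, since a later command overrides an earlier one.
    for port in sorted(state, key=_port_key):
        st = state[port]
        if st.trust and st.source_guard:
            findings.append((port, "IP Source Guard is enabled on a trusted port"))
        if st.trust and port not in expected_trusted:
            findings.append((port, "port is trusted but is not a listed DHCP server port"))
    if state and not any(st.trust for st in state.values()):
        findings.append(("-", "no port is trusted; the DHCP server port must be trusted"))
    return findings


# Constructed sample configuration; port numbers and values are illustrative.
SAMPLE_CONFIG = """
set port dhcp-snooping 2/2 trust enable
set port dhcp-snooping 2/2 source-guard enable
set port dhcp-snooping 3/4-5 binding-limit 48
set port dhcp-snooping 3/4-5 source-guard enable
set port dhcp-snooping 4/1 trust enable
set port dhcp-snooping 4/2 binding-limit 250
"""

if __name__ == "__main__":
    for port, message in audit(SAMPLE_CONFIG, expected_trusted={"4/1"}):
        print(f"{port}: {message}")
```

Because trusted ports are not checked by DHCP snooping, the list passed as expected_trusted should contain only the ports where DHCP servers are actually attached.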
set port disable
To disable a port or a range of ports, use the set port disable command.
set port disable mod/port
Syntax Description
mod/port
    Number of the module and the port on the module.
Defaults
The default system configuration has all ports enabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
This command is not supported by the NAM.
It takes approximately 30 seconds for this command to take effect.
Examples
This example shows how to disable a port using the set port disable command:
Console> (enable) set port disable 5/10
Related Commands
set port enable
show port
set port dot1q-all-tagged
To enable the 802.1Q tagging feature on specific ports, use the set port dot1q-all-tagged command.
set port dot1q-all-tagged {mod/port} {enable | disable}
Syntax Description
mod/port
    Number of the module and the port on the module.
enable
    Enables the dot1q-all-tagged feature.
disable
    Disables the dot1q-all-tagged feature.
Defaults
The 802.1Q tagging feature is enabled on a per-port basis. See the "Usage Guidelines" section for more information.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
Although 802.1Q tagging is enabled by default on a per-port basis, tagging only takes effect when you enable the feature globally by entering the set dot1q-all-tagged enable command. When the global command is enabled, if you do not want tagging on a specific port, you must disable the feature on that port.
Examples
This example shows how to enable the dot1q tagging feature on specific ports:
Console> (enable) set port dot1q-all-tagged 1/1-2 enable
Packets on native vlan will be tagged on port(s) 1/1-2.
This example shows how to enable the dot1q tagging feature on all ports:
Console> (enable) set port dot1q-all-tagged all enable
Packets on native vlan will be tagged on all applicable ports.
This example shows how to disable the dot1q tagging feature on specific ports:
Console> (enable) set port dot1q-all-tagged 1/1-2 disable
Packets on native vlan will not be tagged for port(s) 1/1-2.
This example shows how to disable the dot1q tagging feature on all ports:
Console> (enable) set port dot1q-all-tagged all disable
Packets on native vlan will not be tagged on all applicable ports.
Related Commands
set dot1q-all-tagged
show dot1q-all-tagged
show port dot1q-all-tagged
set port dot1q-ethertype
To set the EtherType field in the IEEE 802.1Q tag to a custom value, use the set port dot1q-ethertype command.
set port dot1q-ethertype mod/port {value | default}
Syntax Description
mod/port
    Number of the module and the port on the module.
value
    Hexadecimal number of the two-byte EtherType field.
default
    Specifies the default value of 0x8100 for the two-byte EtherType field.
Defaults
The EtherType field is set to default.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
If you specify a custom EtherType field, your network can support Cisco and non-Cisco switches that do not use the standard 0x8100 EtherType to identify 802.1Q-tagged frames. When you specify a custom EtherType field, you can identify 802.1Q tagged frames and switch the frames to a specified VLAN. The two bytes immediately following the EtherType are interpreted as a standard 802.1Q tag. Specify the value of the two-byte EtherType field as a hexadecimal number.
To return the custom EtherType field to the default value (0x8100), use the set port dot1q-ethertype mod/port default command.
Note
A custom 802.1Q EtherType field is supported on the following modules only: Supervisor Engine 2 and Supervisor Engine 720 uplink ports, WS-X6516-GBIC, WS-X6516A-GBIC, WS-X6516-GE-TX, WS-X6148-GE-TX, WS-X6148V-GE-TX, WS-X6548-GE-TX, WS-X6548V-GE-TX, WS-X6748-GE-TX, WS-X6724-SFP, WS-X6704-10GE, WS-X6501-10GEX4, and WS-X6502-10GE.
Note
EtherChannels do not support a custom 802.1Q EtherType field. If you configure a port with a custom 802.1Q EtherType field, the port cannot join a channel. If a channel is already configured, you cannot change the 802.1Q EtherType on any of the channel ports.
Note
On the WS-X6516A-GBIC, WS-X6516-GBIC, and WS-X6548-GE-TX modules, if you configure a port with a custom 802.1Q EtherType in the port groups 1 through 8 or 9 through 16, all ports in the group are configured with the custom 802.1Q EtherType. On the WS-X6516-GE-TX module, if you configure a port with a custom 802.1Q EtherType in the port groups 1 through 4, 5 through 8, 9 through 12, or 13 through 16, all ports in the group are configured with the custom 802.1Q EtherType.
Note
You can use a custom 802.1Q EtherType field on trunk ports, 802.1Q access ports, and 802.1Q/802.1p multi-VLAN access ports. Additionally, you should configure the custom EtherType value the same on both ends of a link.
Examples
This example shows how to set the 802.1Q EtherType to 0x1234 on module 2, port 1:
Console> (enable) set port dot1q-ethertype 2/1 1234
All the group ports 2/1-2 associated with port 2/1 will be modified.
Do you want to continue (y/n) [n]?y
Dot1q Ethertype value set to 0x1234 on ports 2/1-2.
This example shows how to return the 802.1Q EtherType field to the standard EtherType field (0x8100) on module 2, port 1:
Console> (enable) set port dot1q-ethertype 2/1 default
All the group ports 2/1-2 associated with port 2/1 will be modified.
Do you want to continue (y/n) [n]?y
Dot1q Ethertype value set to 0x8100 on ports 2/1-2.
Console> (enable)
Related Commands
show port dot1q-ethertype
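The following added example (not Cisco code and not part of the original reference) parses an Ethernet frame whose 802.1Q tag uses the custom EtherType 0x1234 from the example above. It shows that the tag is recognized only when the parser is given the same EtherType value as the port, which is why the value must match on both ends of a link and in any capture or monitoring tool that decodes the traffic. The MAC addresses, VLAN 222, priority 5, and function names are constructed for illustration.

```python
import struct

DEFAULT_TPID = 0x8100  # default 802.1Q EtherType stated on this page


def build_tagged_frame(dst, src, tpid, pcp, vid, inner_type, payload=b""):
    """Build an Ethernet frame with one 802.1Q-style tag using the given EtherType."""
    if not 0 <= pcp <= 7:
        raise ValueError("priority must be 0-7")
    if not 0 <= vid <= 0x0FFF:
        raise ValueError("VLAN ID must fit in 12 bits")
    tci = (pcp << 13) | vid  # DEI bit left at 0
    return dst + src + struct.pack("!HHH", tpid, tci, inner_type) + payload


def parse_frame(frame, tpid=DEFAULT_TPID):
    """Decode the header; the two bytes after a matching EtherType are the tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    result = {
        "dst": frame[0:6].hex("-"),
        "src": frame[6:12].hex("-"),
        "tagged": False,
        "ethertype": ethertype,
    }
    if ethertype != tpid:
        return result  # not recognized as 802.1Q with this EtherType value
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack_from("!HH", frame, 14)
    result.update(
        tagged=True,
        pcp=tci >> 13,          # 802.1p priority, 3 bits
        dei=(tci >> 12) & 1,    # drop eligible indicator, 1 bit
        vid=tci & 0x0FFF,       # VLAN ID, 12 bits
        ethertype=inner_type,   # EtherType of the encapsulated payload
    )
    return result


# Constructed sample: locally administered MAC addresses, VLAN 222, priority 5,
# IPv4 payload type, tagged with the custom EtherType 0x1234.
DST = bytes.fromhex("02 00 00 00 00 01")
SRC = bytes.fromhex("02 00 00 00 00 02")
SAMPLE_FRAME = build_tagged_frame(DST, SRC, 0x1234, 5, 222, 0x0800, b"\x45\x00")

if __name__ == "__main__":
    print("default EtherType:", parse_frame(SAMPLE_FRAME))
    print("custom EtherType: ", parse_frame(SAMPLE_FRAME, tpid=0x1234))
```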
set port dot1qtunnel
To configure the dot1q tunnel mode for the port, use the set port dot1qtunnel command.
set port dot1qtunnel mod/port {access | disable}
Syntax Description
mod/port
    Number of the module and the port on the module.
access
    Turns off the port trunking mode.
disable
    Disables dot1q tunneling.
Defaults
Dot1q tunnel mode is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You cannot enable the dot1q tunneling feature on a port until dot1q-tagged-only mode is enabled.
You cannot disable dot1q-tagged-only mode on the switch until dot1q tunneling is disabled on all the ports on the switch.
You cannot set the dot1q tunnel mode to access if port security is enabled.
You cannot set the dot1q tunnel mode to access on a port with an auxiliary VLAN configured.
An interconnected network can have redundant paths to the same edge switch of an ISP, but it cannot have redundant paths to two different edge switches of an ISP.
Note
PBF does not work with 802.1Q tunnel traffic. PBF is supported on Layer 3 IP unicast traffic, but it is not applicable to Layer 2 traffic. At the intermediate (PBF) switch, all 802.1Q tunnel traffic appears as Layer 2 traffic.
If you enable dot1q-tagged globally, the dot1q-tagged per-port setting controls whether or not the frames are tagged. If you disable dot1q-tagged globally, the default group is never tagged and the per-port setting has no effect.
Examples
This example shows how to set dot1q tunneling on the port to access:
Console> (enable) set port dot1qtunnel 4/1 access
Dot1q tunnel feature set to access mode on port 4/1.
Port 4/2 trunk mode set to off.
This example shows the output if you try to turn on trunking on a port that has dot1q tunneling mode set:
Console> (enable) set trunk 4/1 on
Failed to set port 4/1 to trunk mode on.
The dot1q tunnel mode for the port is currently set to access.
Related Commands
show port dot1qtunnel
set port dot1x
To configure 802.1X on a port, use the set port dot1x command.
set port dot1x mod/port multiple-host {enable | disable}
set port dot1x mod/port port-control port_control_value
set port dot1x mod/port initialize
set port dot1x mod/port re-authenticate
set port dot1x mod/port re-authentication {enable | disable}
set port dot1x mod/port multiple-authentication {enable | disable}
set port dot1x mod/port guest-vlan {vlan | none}
set port dot1x mod/port shutdown-timeout {enable | disable}
set port dot1x mod/port port-control-direction {both | in}
set port dot1x mod/port auth-fail-vlan {vlan | none}
set port dot1x mod/port critical {enable | disable}
set port dot1x mod/port re-authperiod server {enable | disable}
set port dot1x mod/port ip-device-tracking {enable | disable}
Syntax Description
mod/port | Number of the module and port on the module.
multiple-host | Specifies multiple-user access; see the "Usage Guidelines" section for more information.
enable | Enables multiple-user access.
disable | Disables multiple-user access.
port-control port_control_value | Specifies the port control type; valid values are force-authorized, force-unauthorized, and auto.
initialize | Initializes 802.1X on the port.
re-authenticate | Manually initiates a reauthentication of the entity connected to the port.
re-authentication | Automatically initiates reauthentication of the entity connected to the port within the reauthentication time period; see the "Usage Guidelines" section for more information.
enable | Enables automatic reauthentication.
disable | Disables automatic reauthentication.
multiple-authentication | Specifies multiple authentications so that more than one host can gain access to the port; see the "Usage Guidelines" section for more information.
enable | Enables multiple authentication.
disable | Disables multiple authentication.
guest-vlan | Specifies an active VLAN as an 802.1X guest VLAN.
vlan | Number of the VLAN; valid values are from 1 to 4094.
none | Clears the guest VLAN on the port.
shutdown-timeout | Specifies the shutdown-timeout period for a port after a security violation. See the "Usage Guidelines" section for more information.
enable | Activates the automatic reenabling of a port after the shutdown timeout period.
disable | Deactivates the automatic reenabling of a port after the shutdown timeout period.
port-control-direction | Specifies the traffic control direction on a port.
both | Blocks traffic in both directions.
in | Blocks traffic only in the incoming direction.
auth-fail-vlan | Sets the VLAN that provides limited access to end hosts that have failed 802.1X authentication. See the "Usage Guidelines" section for more information.
none | Clears the authentication failure VLAN on a port.
critical | Sets the 802.1X port as a critical port. See the "Usage Guidelines" section for more information.
enable | Enables the critical option on the 802.1X port.
disable | Disables the critical option on the 802.1X port.
re-authperiod server | Sets session timeout override on the 802.1X port. See the "Usage Guidelines" section for more information.
enable | Applies the session timeout value that is received from the RADIUS server.
disable | Applies the reauthentication period value that was configured through the CLI.
ip-device-tracking | Tracks the host using its IP address.
enable | Enables IP device tracking.
disable | Disables IP device tracking.
Defaults
The default settings are as follows:
• The multiple host feature is disabled.
• The port_control_value is set to force-authorized.
• The reauthentication feature is disabled.
• The multiple authentication feature is disabled.
• The guest VLAN feature is set to none.
• The shutdown-timeout feature is disabled.
• The port control direction is set to both.
• The auth-fail-vlan VLAN is set to none.
• The critical option is disabled.
• The re-authperiod server option is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The 802.1X port will not be allowed to become a trunk port, MVAP, channel port, dynamic port, or a secure port.
When setting the port control type, the following applies:
• force-authorized forces the controlled port to transition to the authorized state unconditionally and is equivalent to disabling 802.1X restriction on the port.
• force-unauthorized forces the controlled port to transition to the unauthorized state unconditionally and denies the supplicant the authorized services of the authenticator.
• auto enables 802.1X control on the port.
If you disable the multiple host feature, once an 802.1X port is authorized through a successful authentication of a supplicant, only that particular host (MAC address) is allowed on that port. When the system detects another host (different MAC address) on the authorized port, it shuts down the port and displays a syslog message. This is the default system behavior.
If you enable the multiple host feature, once an 802.1X port is authorized through a successful authentication of a supplicant, any host (any MAC address) is allowed to send or receive traffic on that port.
If you enable reauthentication, you can set the reauthentication time period in seconds by entering the set dot1x re-authperiod seconds command. The default for the reauthentication time period is 3600 seconds.
You can enable either multiple host mode or multiple authentication mode.
On an 802.1X-enabled port, an administratively configured VLAN cannot be equal to an auxiliary VLAN.
To specify the number of seconds that a port is shut down after a security violation, enter the set dot1x shutdown-timeout command. Then enter the set port dot1x mod/port shutdown-timeout enable command to activate automatic reenabling of the port after the shutdown-timeout period has elapsed.
If you enter the set port dot1x mod/port port-control-direction in command, all incoming traffic is dropped. If you enter the set port dot1x mod/port port-control-direction both command, all incoming and outgoing traffic is dropped.
When you configure 802.1X unidirectional or bidirectional ports, follow these guidelines:
• Auxiliary VLANs—To support auxiliary VLANs on a port when you configure the port as a unidirectional port, the auxiliary VLAN is moved to the spanning tree "forwarding" state to ensure that the connected IP phone is operational immediately. To prevent any disturbance of the incoming traffic, initially the port VLAN is also moved to the spanning tree "forwarding" state and then if any traffic is seen on the port VLAN, the port is moved to the spanning tree "blocking" state to drop all additional traffic. The connected host is then requested to get authorized to send any traffic.
• Guest VLANs—Guest VLANs are supported only on ports configured as bidirectional ports. If a guest VLAN is enabled on a port, that port cannot be configured as a unidirectional port and vice versa.
• Port mode—The port mode (single-authentication mode, multiple-host mode, or multiple-authentication mode) for a port configured as a unidirectional port must be single-authentication mode (the default port mode).
You can provide limited access to an end host that does not have valid credentials for 802.1X authentication. After three failed attempts at authentication, the end host will obtain network connectivity through a VLAN that you configure for users that fail authentication. To configure this VLAN, enter the set port dot1x mod/port auth-fail-vlan vlan command. To disable this feature, enter the set port dot1x mod/port auth-fail-vlan none command.
When configuring the authentication failure VLAN, follow these configuration guidelines and be aware of these restrictions:
• After three failed 802.1X authentication attempts by the supplicant, the port is moved to the authentication failure VLAN where the supplicant can access the network. These three attempts introduce a delay of 3 minutes before the port is enabled in the authentication failure VLAN and the EAP success packet is sent to the supplicant (1 minute per failed attempt based on the default quiet period of 60 seconds after each failed attempt).
• The number of failed 802.1X authentication attempts is counted from the time of the linkup to the point where the port is moved into the authentication failure VLAN. When the port moves into the authentication failure VLAN, the failed-attempts counter is reset.
• Only the authentication-failed users are moved to the authentication failure VLAN.
• The authentication failure VLAN is supported only in the single-authentication mode (the default port mode).
• The authentication failure VLAN is not supported on a port that is configured as a unidirectional port.
• The supplicant's MAC address is added to the CAM table and only its MAC address is allowed on the authentication failure VLAN port. Any new MAC address that appears on the port is treated as a security violation.
• The authentication failure VLAN port cannot be part of an RSPAN VLAN or a private VLAN.
• On multiple VLAN access ports (MVAPs), the authentication failure VLAN and the auxiliary VLAN cannot be the same.
• The authentication failure VLAN and port security features do not conflict with each other. Additionally, other security features such as Dynamic ARP Inspection (DAI), Dynamic Host Configuration Protocol (DHCP) snooping, and IP Source Guard can be enabled and disabled independently on the authentication failure VLAN.
• The authentication failure VLAN is independent of the guest VLAN. However, the guest VLAN can be the same VLAN as the authentication failure VLAN. If you do not want to differentiate between the non-802.1X-capable hosts and the authentication-failed hosts, you may configure both to the same VLAN (either a guest VLAN or an authentication failure VLAN).
• High availability is supported with the authentication failure VLAN.
When you enter the set port dot1x mod/port critical enable command, 802.1X still attempts to authenticate the specified port in the normal way. However, if attempts to reach the authentication server fail, the port is still given access to the network in the administratively-configured VLAN or in the native VLAN of the port. A port can only be configured as a critical port if it is in single-authentication mode.
After a critical port has been given access to the network, if the authentication server becomes available, the critical port returns to the unauthorized state. The normal authentication process is restarted, and after the port is authenticated, it is moved into the RADIUS server-specified VLAN. At this point, you need to initialize the port manually by entering the set port dot1x mod/port initialize command.
If the authentication server goes down after a host has already been authenticated through the normal authentication process, the switch checks to see if the port is a critical port. If the port is a critical port, the normal reauthentication process is temporarily disabled for the port. The port is given network access until the authentication server becomes active and restarts the authentication process.
By default, the session timeout value from the RADIUS server takes precedence over the reauthentication value that is configured by entering set dot1x re-authperiod seconds. With the session timeout override option, you can specify on a per-port basis which timeout value is applied. If session timeout override is enabled, the session timeout value from the RADIUS server is applied. If session timeout override is disabled, the configured reauthentication value is applied.
Examples
This example shows how to set the port control type to auto:
Console> (enable) set port dot1x 4/1 port-control auto
Port 4/1 dot1x port-control is set to auto.
This example shows how to initialize 802.1X on a port:
Console> (enable) set port dot1x 4/1 initialize
dot1x port 4/1 initializing...
dot1x initialized on port 4/1.
This example shows how to manually reauthenticate a port:
Console> (enable) set port dot1x 4/1 re-authenticate
dot1x port 4/1 re-authenticating...
dot1x re-authentication successful...
dot1x port 4/1 authorized.
This example shows how to enable multiple-user access on a specific port:
Console> (enable) set port dot1x 4/1 multiple-host enable
Multiple hosts allowed on port 4/1.
This example shows how to enable automatic reauthentication on a port:
Console> (enable) set port dot1x 4/1 re-authentication enable
Port 4/1 re-authentication enabled.
This example shows how to activate automatic reenabling of a port after the shutdown-timeout period has elapsed:
Console> (enable) set port dot1x 2/1 shutdown-timeout enable
Dot1x shutdown_timeout enabled
This example shows how to configure a port to drop all incoming traffic:
Console> (enable) set port dot1x 3/1 port-control-direction in
Port 3/1 Port Control Direction set to In.
This example shows how to configure a port to drop both incoming and outgoing traffic:
Console> (enable) set port dot1x 3/1 port-control-direction both
Port 3/1 Port Control Direction set to Both.
This example shows how to specify a VLAN on a port for users that have failed 802.1X authentication:
Console> (enable) set port dot1x 3/33 auth-fail-vlan 81
Port 3/33 Auth Fail Vlan is set to 81
This example shows how to disable the 802.1X authentication failure VLAN feature on a port:
Console> (enable) set port dot1x 2/1 auth-fail-vlan none
Port 2/1 Auth Fail Vlan is cleared
This example shows how to specify a port as a critical port:
Console> (enable) set port dot1x 5/48 critical enable
Port 5/48 critical-port option is enabled
This example shows how to apply the session timeout value that is received from the RADIUS server on a port:
Console> (enable) set port dot1x 5/10 re-authperiod server enable
Port 5/10 session-timeout-override option is enabled
This example shows how to enable IP device tracking for 802.1X on a port:
Console> (enable) set port dot1x 2/15 ip-device-tracking enable
Port 2/15 ip-device-tracking option is enabled
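The following Python check is an added example, not part of the original command reference. It replays a planned list of set port dot1x commands over the defaults listed above and reports combinations that the usage guidelines rule out or that leave a port unenforced; the class and function names, the finding codes, and the sample command list are constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class Dot1xPort:
    """Per-port state, initialised to the defaults listed for set port dot1x."""
    port_control: str = "force-authorized"
    multiple_host: bool = False
    multiple_authentication: bool = False
    guest_vlan: str = "none"
    direction: str = "both"
    auth_fail_vlan: str = "none"
    critical: bool = False

    @property
    def single_auth(self) -> bool:
        # Single-authentication mode: neither multiple-host nor multiple-authentication.
        return not (self.multiple_host or self.multiple_authentication)

BOOL_KEYS = {"multiple-host": "multiple_host",
             "multiple-authentication": "multiple_authentication",
             "critical": "critical"}
VALUE_KEYS = {"port-control": "port_control",
              "guest-vlan": "guest_vlan",
              "auth-fail-vlan": "auth_fail_vlan",
              "port-control-direction": "direction"}

# Searched anywhere in the line, so pasted "Console> (enable) ..." transcripts work too.
CMD = re.compile(r"set port dot1x (\d+)/(\d+)(?:-(\d+))?\s+(\S.*)$")

def parse(text):
    """Replay the commands in order; return {"mod/port": Dot1xPort}."""
    ports = {}
    for line in text.splitlines():
        m = CMD.search(line.strip())
        if not m:
            continue
        mod, first, last, rest = m.groups()
        words = rest.split()
        key, value = words[0], words[-1]
        for num in range(int(first), int(last or first) + 1):
            state = ports.setdefault(f"{mod}/{num}", Dot1xPort())
            if key in BOOL_KEYS:
                setattr(state, BOOL_KEYS[key], value == "enable")
            elif key in VALUE_KEYS:
                setattr(state, VALUE_KEYS[key], value)
            # Other keywords (initialize, re-authenticate, ...) do not affect the checks.
    return ports

def audit(ports):
    """Return (port, code, message) findings based on the usage guidelines."""
    findings = []
    for name, st in sorted(ports.items()):
        unidirectional = st.direction == "in"
        checks = [
            (st.port_control == "force-authorized", "NO-ENFORCEMENT",
             "port-control is force-authorized, equivalent to disabling 802.1X restriction"),
            (st.multiple_host and st.multiple_authentication, "MODE-CONFLICT",
             "multiple-host and multiple-authentication cannot both be enabled"),
            (st.multiple_host, "MULTI-HOST-OPEN",
             "after one successful authentication any MAC address may use the port"),
            (unidirectional and st.guest_vlan != "none", "GUEST-UNIDIR",
             "guest VLANs are supported only on bidirectional ports"),
            (unidirectional and not st.single_auth, "UNIDIR-MODE",
             "a unidirectional port must be in single-authentication mode"),
            (st.auth_fail_vlan != "none" and not st.single_auth, "AUTHFAIL-MODE",
             "auth-fail-vlan is supported only in single-authentication mode"),
            (st.auth_fail_vlan != "none" and unidirectional, "AUTHFAIL-UNIDIR",
             "auth-fail-vlan is not supported on a unidirectional port"),
            (st.critical and not st.single_auth, "CRITICAL-MODE",
             "a critical port must be in single-authentication mode"),
        ]
        findings.extend((name, code, msg) for hit, code, msg in checks if hit)
    return findings

# Constructed sample change script (not taken from a real switch).
SAMPLE = """\
set port dot1x 4/1 port-control auto
set port dot1x 4/1 multiple-host enable
set port dot1x 4/1 auth-fail-vlan 81
set port dot1x 3/1-2 port-control auto
set port dot1x 3/1-2 port-control-direction in
set port dot1x 3/1 guest-vlan 20
set port dot1x 5/48 critical enable
set port dot1x 2/1 port-control auto
set port dot1x 2/1 auth-fail-vlan 81
set port dot1x 2/1 guest-vlan 81
"""

if __name__ == "__main__":
    for port, code, message in audit(parse(SAMPLE)):
        print(f"{port:6} {code:16} {message}")
```

Port 5/48 is flagged because only the critical option was set and port-control was left at its force-authorized default; port 2/1 passes because the guidelines allow the guest VLAN and the authentication failure VLAN to be the same VLAN.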
Related Commands
set dot1x
show dot1x
show port dot1x
set port duplex
To configure the duplex type of an Ethernet port or a range of ports, use the set port duplex command.
set port duplex mod/port {full | half}
Syntax Description
mod/port | Number of the module and the port on the module.
full | Specifies full-duplex transmission.
half | Specifies half-duplex transmission.
Defaults
The default configuration for 10-Mbps and 100-Mbps modules has all Ethernet ports set to half duplex.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You can configure Ethernet and Fast Ethernet interfaces to either full duplex or half duplex.
The set port duplex command is not supported on Gigabit Ethernet ports. Gigabit Ethernet ports support full-duplex mode only.
If the transmission speed on a 16-port RJ-45 Gigabit Ethernet port is set to 1000, duplex mode is set to full. If the transmission speed is changed to 10 or 100, the duplex mode stays at full. You must configure the correct duplex mode when transmission speed is changed to 10 or 100 from 1000.
Examples
This example shows how to set port 1 on module 2 to full duplex:
Console> (enable) set port duplex 2/1 full
Port 2/1 set to full-duplex.
Related Commands
show port
set port enable
To enable a port or a range of ports, use the set port enable command.
set port enable mod/port
Syntax Description
mod/port | Number of the module and the port on the module.
Defaults
The default is all ports are enabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
This command is not supported by the NAM.
It takes approximately 30 seconds for this command to take effect.
Examples
This example shows how to enable port 3 on module 2:
Console> (enable) set port enable 2/3
Related Commands
set port disable
show port
set port eou
To configure Extensible Authentication Protocol over User Datagram Protocol (EoU) on a per-port basis, use the set port eou command.
set port eou mod/port {bypass | enable | disable}
set port eou mod/port initialize
set port eou mod/port revalidate
set port eou mod/port aaa-fail-policy policy-name
set port eou mod/port ip-device-tracking {enable | disable}
Syntax Description
mod/port | Number of the module and the port on the module.
bypass | Bypasses EoU on a specified port.
enable | Enables EoU on a specified port.
disable | Disables EoU on a specified port.
initialize | Initializes EoU for hosts on a specified port.
revalidate | Revalidates EoU credentials for hosts on a specified port.
aaa-fail-policy | Maps an AAA fail policy for EoU to a specified port.
policy-name | Policy name to be mapped to the port.
ip-device-tracking | Tracks the host using its IP address.
enable | Enables IP device tracking.
disable | Disables IP device tracking.
Defaults
EoU is disabled on a port.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
Before you can use the set port eou mod/port aaa-fail-policy policy-name command, the template for the policy must be created.
After you have specified a policy template for a port, any changes to the policy template affect only those hosts that have been moved to AAA fail state after the policy template was changed. Hosts in already existing sessions use the policy template that was in place before any changes were made.
When you specify a different policy for a port, hosts in already existing sessions maintain the previously specified policy. The newly specified policy affects only new hosts entering AAA fail state.
Examples
This example shows how to enable EoU on a specified port:
Console> (enable) set port eou 5/3 enable
EoU LPIP enabled on port 5/3
This example shows how to initialize EoU for hosts on specified ports:
Console> (enable) set port eou 3/1-5 initialize
EoU LPIP restarted for ports 3/1-5
This example shows how to revalidate EoU credentials on specified ports:
Console> (enable) set port eou 3/1-5 revalidate
EoU LPIP revalidation started for ports 3/1-5
This example shows how to enable IP device tracking for an EoU-enabled port:
Console> (enable) set port eou 2/25 ip-device-tracking enable
EOU device tracking enabled on port 2/25
Related Commands
clear eou
set eou
set security acl ip
show eou
show port eou
set port errdisable-timeout
To prevent an errdisabled port from being enabled, use the set port errdisable-timeout command.
set port errdisable-timeout mod/port {enable | disable}
Syntax Description
mod/port | Number of the module and the port on the module.
enable | Enables errdisable timeout.
disable | Disables errdisable timeout.
Defaults
By default, the errdisable timeout for each port is enabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
When the global timer times out, the port will be reenabled. Use the set port errdisable-timeout command if you want the port to remain in the errdisabled state.
Examples
This example shows how to prevent port 3/3 from being enabled when it goes into errdisabled state:
Console> (enable) set port errdisable-timeout 3/3 disable
Successfully disabled errdisable-timeout for port 3/3.
Related Commands
set errdisable-timeout
show errdisable-timeout
show port errdisable-timeout
set port errordetection
To enable or disable link error monitoring on an EtherChannel port, use the set port errordetection command.
set port errordetection mod/port {inerrors | rxcrc | txcrc} {enable | disable}
Syntax Description
mod/port | Number of the module and the port on the module.
inerrors | Specifies monitoring for inerrors on the port.
rxcrc | Specifies monitoring for RXCRC (CRCAlignErrors) errors on the port.
txcrc | Specifies monitoring for TXCRC errors on the port.
enable | Enables monitoring.
disable | Disables monitoring.
Defaults
• Monitoring for inerrors is disabled.
• Monitoring for RXCRC and TXCRC errors is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
All ports in an EtherChannel should have the same port error-detection settings.
Examples
This example shows how to enable RXCRC port error detection on port 3/1:
Console> (enable) set port errordetection 3/1 rxcrc enable
Port(s) 3/1 set to errordetection rxcrc enable.
Related Commands
set errordetection
show errordetection
show port errordetection
set port ethernet-cfm
To enable or disable Connectivity Fault Management (CFM) on a port, to configure a port as a Maintenance End Point (MEP) for a specific maintenance level, to configure a port as a Maintenance Intermediate Point (MIP) for a specific domain or a specific maintenance level, or to configure the Alarm Indication Signal (AIS) parameter of the port, use the set port ethernet-cfm command.
set port ethernet-cfm mod/port {enable | disable | transparent}
set port ethernet-cfm mod/port mep mpid mpid domain domain-name vlan vlan-id
set port ethernet-cfm mod/port mip level level vlan vlan-id
set port ethernet-cfm mod/port ais {enable | disable}
Syntax Description
mod/port | Number of the module and the port on the module.
enable | Enables CFM on a port.
disable | Disables CFM on a port.
transparent | Specifies transparent mode. The port will be considered for Continuity Check (CC) flooding.
mep | Configures a MEP.
mpid mpid | Sets a CFM Maintenance Point Identification.
domain domain-name | Specifies the name of the domain.
vlan vlan-id | Specifies the number of the VLAN or range of VLANs to associate to an MEP; valid values are from 1 to 4094.
mip | Configures a MIP.
level level | Specifies a maintenance level for the MIP; valid values are from 0 to 7.
ais | Specifies the AIS server MEP configuration and the AIS generation on a port.
Defaults
The AIS is disabled on a port.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You must configure a MIP on the port before configuring a MEP. The MEP must be configured at a lower level than the level of the MIP.
The MPID string has a maximum of 256 characters. The MPID identifies the MEP on the network.
The interface defined as MEP or MIP must be a trunk or an 802.1Q tunnel port. If you specify a port that is not a trunk or an 802.1Q tunnel port, the set port ethernet-cfm command will fail.
A MIP or MEP can be a logical interface, such as a port channel.
You must enable CFM and AIS globally to configure the AIS on a port.
The IEEE 802.3ah Operations, Administration, and Maintenance (OAM) feature on a specified port must be enabled for the server MEP to interact with an OAM link.
You must enable the Link-OAM on the port for the server MEP AIS functionality. If Ethernet-OAM is not operational on a port, the server MEP AIS will not be functional.
Examples
This example shows how to initialize a MIP at module 3, port 1, at level 50:
Console> (enable) set port ethernet-cfm 3/1 mip level 50
Port 3/1 set to MIP with ME Level 50.
Console> (enable)
This example shows how to enable CFM AIS on a port:
Console> (enable) set port ethernet-cfm 2/2 ais enable
Server MEP AIS generation is enabled on the port 2/2.
Related Commands
clear port ethernet-cfm
show port ethernet-cfm
set port ethernet-oam
set port ethernet-evc
To associate an Ethernet Virtual Connection (EVC) to a port and the corresponding CE-VLANs, use the set port ethernet-evc command.
set port ethernet-evc mod/port [evc-id]
Syntax Description
mod/port | Module number and the port number.
evc-id | (Optional) EVC identifier.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The command is rejected if the EVC ID that you specified is not created or the configuration is not complete. You must configure the Connectivity Fault Management (CFM) inward Maintenance End Point (MEP) on the specified ports to allow the Ethernet Local Management Interface (ELMI) to work as expected.
Examples
This example shows how to set the Ethernet EVC ID as EVC1 for module 7, port 1:
Console> (enable) set port ethernet-evc 7/1 EVC1
EVC1 is associated to port 7/1.
Related Commands
clear port ethernet-evc
show port ethernet-evc
set port ethernet-lmi
To enable or disable Ethernet Local Management Interface (ELMI) processing on the port, use the set port ethernet-lmi command.
set port ethernet-lmi {mod/port} {enable | disable}
set port ethernet-lmi {mod/port} t391 {value | default | disable}
set port ethernet-lmi {mod/port} t392 {value | default | disable}
set port ethernet-lmi {mod/port} n391 {value | default}
set port ethernet-lmi {mod/port} n393 {value | default}
Syntax Description
mod/port | Module number and the port number.
enable | Enables ELMI on a particular port of a switch.
disable | Disables ELMI on a particular port of a switch.
t391 | Specifies the polling timer to transmit the status enquiry. Range: 5 seconds to 30 seconds. Default: 10 seconds.
value | Timer value in seconds.
default | Configures the default value.
disable | Ensures that the T391 and T392 timers never expire and that the ELMI link is always up.
t392 | Specifies the polling verification timer to verify the status enquiry received. Range: 5 seconds to 30 seconds. Default: 15 seconds.
n391 | Specifies the polling counter that gives full status of the User to Network Interface (UNI) and all Ethernet Virtual Connections (EVC) polling counts. Range: 1 to 65000. Default: 360.
n393 | Specifies the event counter that gives the count of monitored events. Range: 1 to 10. Default: 4.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
T392 should be greater than T391.
T391 applies to the Customer Edge (CE) only.
T392 applies to the Provider Edge (PE) only.
N391 applies to CE only.
N393 applies to CE and PE.
Examples
These examples show how to set the ELMI port:
Console> (enable) set port ethernet-lmi 3/1 enable
Ethernet LMI is enabled on port 3/1.
Console> (enable) set port ethernet-lmi 3/1 t392 30
Ethernet LMI polling verification timer is set to 30 seconds for port 3/1.
Related Commands
clear port ethernet-lmi
show port ethernet-lmi
set port ethernet-oam
To enable or disable the IEEE 802.3ah Operations, Administration, and Maintenance (OAM) feature on a specified port, use the set port ethernet-oam command.
set port ethernet-oam mod/port {enable | disable}
Syntax Description
mod/port | Number of the module and the port on the module.
enable | Enables OAM on the specified port.
disable | Disables OAM on the specified port.
Defaults
OAM is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
When OAM is disabled on a port, the system functions as if OAM is not configured on that port. When OAM is enabled, OAM on that port functions as if OAM had never been enabled before.
Examples
This example shows how to enable OAM on a specified port:
Console> (enable) set port ethernet-oam 1/1 enable
Related Commands
clear port ethernet-oam
set port ethernet-oam action
set port ethernet-oam link-monitor
set port ethernet-oam mode
set port ethernet-oam remote-loopback
show port ethernet-oam
set port ethernet-oam action
To configure an action for OAM link events, use the set port ethernet-oam action command.
set port ethernet-oam mod/port {link-fault | dying-gasp | critical-event} action {errordisable | none | warning | error-block}
Syntax Description
mod/port | Number of the module and the port on the module.
link-fault | Sets the link fault configuration.
dying-gasp | Sets the dying-gasp configuration. See the "Usage Guidelines" section for more information.
critical-event | Sets the critical event configuration.
action | Configures the action that is taken for the corresponding link events.
errordisable | Sends the port to the errordisable state.
none | Takes no action when the corresponding link event occurs.
warning | Generates a system message when the corresponding link event occurs.
error-block | Sets the port to blocking state when a remote link failure flag is received and automatically changes the port to forwarding state when the remote link becomes operational.
Defaults
The system generates a warning message when a link event occurs.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
If you specify the dying-gasp keyword, the errordisable option is not available.
Examples
This example shows how to configure the action that the specified port takes when a link fault occurs:
Console> (enable) set port ethernet-oam 1/1 link-fault action errordisable
OAM link-fault event action set to errordisable.
This example shows how to configure the action to error-block for a port:
Console> (enable) set port ethernet-oam 4/1 critical-event action error-block
Successfully updated OAM critical-event action on port(s) 4/1.
Related Commands
clear port ethernet-oam
set port ethernet-oam
set port ethernet-oam link-monitor
set port ethernet-oam mode
set port ethernet-oam remote-loopback
show port ethernet-oam
set port ethernet-oam link-monitor
To configure the OAM link monitoring feature on a port, use the set port ethernet-oam link-monitor command.
set port ethernet-oam mod/port link-monitor {enable | disable}
set port ethernet-oam mod/port link-monitor {symbol-period | frame | frame-period} window size
set port ethernet-oam mod/port link-monitor {symbol-period | frame | frame-period} low-threshold count [action {none | warning}]
set port ethernet-oam mod/port link-monitor {symbol-period | frame | frame-period} high-threshold count [action {errordisable | none | warning}]
Syntax Description
mod/port | Number of the module and the port on the module.
enable | Enables the OAM link monitor feature.
disable | Disables the OAM link monitor feature.
symbol-period | Sets monitoring by the number of symbols with errors.
frame | Sets monitoring by the number of frames with errors.
frame-period | Sets monitoring by frame period.
window | Sets link monitor window size for corresponding link events.
size | • symbol-period: valid values are from 1 to 1000000 (1 = 1 million symbols).
     | • frame: valid values are from 10 to 65535 (in 100-millisecond increments).
     | • frame-period: valid values are from 200 to 2000000000 frames.
low-threshold | Sets the low-threshold count for corresponding link events.
count | Valid values are from 0 to 65535.
action | (Optional) Configures action that is taken for corresponding link events.
none | Takes no action when corresponding link event occurs.
warning | Generates system message when corresponding link event occurs.
high-threshold | Sets the high-threshold count for corresponding link events.
count | Valid values are from 1 to 65535.
errordisable | Sends port to errordisable state.
Defaults
• Link monitoring is enabled.
• The symbol-period event is 625 million symbols.
• The frame event is 30 seconds.
• The frame-period event is 10 million frames.
• The low-threshold is 1 error.
• For low-threshold, the action is a warning.
• The high-threshold is 10 million errors.
• For high-threshold, the action is a warning.
Command Types
Switch command.
Command Modes
Privileged.
Examples
This example shows how to set the window size for symbol-period link monitoring:
Console> (enable) set port ethernet-oam 1/1 link-monitor symbol-period window 100
OAM errored symbol period window set to 100M symbols on port 1/1
This example shows how to set the link monitoring low threshold for frame events to 10 errors:
Console> (enable) set port ethernet-oam 1/1 link-monitor frame low-threshold 10
OAM errored frame low-threshold set to 10 errors
This example shows how to set the link monitoring high threshold for frame-period events to 100 errors and to errordisable the port if the high threshold is reached:
Console> (enable) set port ethernet-oam 1/1 link-monitor frame-period high-threshold 100
action errordisable
OAM errored frame period high-threshold set to 100 errors on port 1/1, and action set to
errordisable.
Related Commands
clear port ethernet-oam
set port ethernet-oam
set port ethernet-oam action
set port ethernet-oam mode
set port ethernet-oam remote-loopback
show port ethernet-oam
set port ethernet-oam mode
To set the OAM mode on a port, use the set port ethernet-oam mode command.
set port ethernet-oam mod/port mode {active | passive}
Syntax Description
mod/port | Number of the module and the number of the port on the module.
active | Sets the specified port to OAM active mode.
passive | Sets the specified port to OAM passive mode.
Defaults
OAM is active on all ports.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
An OAM entity can be in active or passive mode. An active-mode OAM entity can exert more control on its peer than a passive-mode OAM entity can. For example, an active-mode entity can put a passive-mode entity into loopback mode, but a passive-mode entity cannot put an active-mode entity into loopback mode.
Table 2-17 describes the functions that are allowed in active and passive modes.
Table 2-17 Functions Allowed in Active Mode and Passive Mode
Function | Active Entity | Passive Entity
Initiates OAM Discovery process | Yes | No
Reacts to OAM Discovery process initiation | Yes | Yes
Required to send informational OAMPDUs | Yes | Yes
Permitted to send Event Notification OAMPDUs | Yes | Yes
Permitted to send Variable Request OAMPDUs | Yes | Yes
Permitted to send Variable Response OAMPDUs | Yes1 | Yes
Permitted to send Loopback Control OAMPDUs | Yes | No
Reacts to Loopback Control OAMPDUs | Yes1 | Yes
Permitted to send organization specific OAMPDUs | Yes | Yes
Examples
This example shows how to set the OAM on a specific port to active:
Console> (enable) set port ethernet-oam 1/1 mode active
OAM mode set to active on port 1/1
Related Commands
clear port ethernet-oam
set port ethernet-oam
set port ethernet-oam action
set port ethernet-oam link-monitor
set port ethernet-oam remote-loopback
show port ethernet-oam
set port ethernet-oam remote-loopback
To configure the OAM remote loopback feature on a port, use the set port ethernet-oam remote-loopback command.
set port ethernet-oam mod/port remote-loopback {deny | permit}
set port ethernet-oam mod/port remote-loopback {enable | disable}
set port ethernet-oam mod/port remote-loopback test [number_of_packets [packet_size]]
Syntax Description
mod/port | Number of the module and the port on the module.
deny | Denies OAM remote loopback requests on the specified port.
permit | Permits OAM remote loopback requests on the specified port.
enable | Initiates the OAM remote loopback test on the specified port.
disable | Ends the OAM remote loopback test on the specified port.
test | Tests the OAM remote loopback feature.
number_of_packets | (Optional) Number of packets that are sent from the specified port.
packet_size | (Optional) Packet size in bytes.
Command Default
OAM remote loopback requests are permitted.
If you do not specify the number of packets or the packet size, 10,000 64-byte packets are sent.
Command Types
Switch command.
Command Modes
Privileged mode.
Usage Guidelines
The set port ethernet-oam mod/port remote-loopback {enable | disable} command initiates or ends a loopback test on a port. You should use this command only on a port for which the peer OAM entity is capable of performing in OAM remote-loopback mode. After you enter the disable keyword, the switch displays a remote-loopback summary.
The set port ethernet-oam mod/port remote-loopback {enable | disable} command is not a configuration command and is not saved in NVRAM.
The set port ethernet-oam mod/port remote-loopback test command should only be run on a port whose status shows "remote OAM in loopback." When a test is run, the specified number of packets are sent on the port. Ensure that those packets are looped back. A summary of the test is displayed after the test is finished.
The set port ethernet-oam mod/port remote-loopback test command is not a configuration command and is not saved in NVRAM.
Examples
This example shows how to deny remote loopback requests on a port:
Console> (enable) set port ethernet-oam 1/1 remote-loopback deny
OAM remote loopback request will be denied on port 1/1
This example shows how to initiate a loopback test on a port:
Console> (enable) set port ethernet-oam 1/1 remote-loopback enable
OAM remote loopback operation enabled on port 1/1
Warning:enabling OAM remote loopback operation moves the port into diagnostic mode.
This example shows how to end a loopback test on a port. When you disable the test, a summary of the loopback test is displayed:
Console> (enable) set port ethernet-oam 1/1 remote-loopback disable
OAM remote loopback summary on port 1/1
Port TxTotal RxTotal Error
---- --------- --------- --------
OAM remote loopback mode disabled on port 1/1
This example shows how to test the remote loopback feature on a port:
Console> (enable) set port ethernet-oam 1/1 remote-loopback test 999999
Transmitting 999999 (64 byte) packets on port 1/1.
OAM remote loopback summary on port 1/1 (loopback master):
Port TxTotal RxTotal Error
---- --------- --------- --------
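The defaults stated above leave every port in OAM active mode with remote loopback requests permitted, so a port keeps accepting loopback requests from its OAM peer until remote-loopback deny is entered. The following Python sketch is an added example, not part of the Cisco reference: it replays saved set port ethernet-oam commands over those defaults and lists the ports that still permit loopback. The sample configuration, the port inventory and the "untrusted ports" list are constructed for illustration.

```python
import re

# Defaults stated in the command reference above.
DEFAULT_MODE = "active"       # "OAM is active on all ports."
DEFAULT_LOOPBACK = "permit"   # "OAM remote loopback requests are permitted."

_PORTS = r"\d+/\d+(?:-\d+)?(?:,\d+/\d+(?:-\d+)?)*"
_OAM_CMD = re.compile(
    rf"^set port ethernet-oam (?P<ports>{_PORTS}) "
    r"(?:mode (?P<mode>active|passive)|remote-loopback (?P<loopback>deny|permit))$"
)

# Constructed sample: saved commands as they might appear in a configuration file.
SAMPLE_CONFIG = """
set port ethernet-oam 1/1 remote-loopback deny
set port ethernet-oam 1/1 mode passive
set port ethernet-oam 3/1-2 mode passive
set port ethernet-oam 3/2 remote-loopback deny
set port ethernet-oam 3/2 remote-loopback permit
set port ethernet-oam 3/1 remote-loopback enable
"""
ALL_PORTS = ["1/1", "1/2", "3/1", "3/2"]   # constructed port inventory
UNTRUSTED_PORTS = ["3/2", "1/1", "3/1"]    # hypothetical: ports facing a peer you do not manage


def expand_ports(spec):
    """Expand a port list such as '2/1,3/1' or '3/1-5' into single mod/port names."""
    ports = []
    for item in spec.split(","):
        mod, _, numbers = item.partition("/")
        first, _, last = numbers.partition("-")
        ports += [f"{mod}/{n}" for n in range(int(first), int(last or first) + 1)]
    return ports


def port_key(port):
    """Sort key so that 3/2 orders before 3/10."""
    mod, num = port.split("/")
    return int(mod), int(num)


def effective_oam(config_text, ports):
    """Apply the commands in order on top of the defaults; later commands win."""
    state = {
        port: {"mode": DEFAULT_MODE,
               "remote_loopback": DEFAULT_LOOPBACK,
               "loopback_source": "default"}
        for port in ports
    }
    for raw in config_text.splitlines():
        match = _OAM_CMD.match(" ".join(raw.split()))
        if not match:
            # remote-loopback enable/disable/test are not configuration
            # commands and are not saved, so they never change the policy.
            continue
        for port in expand_ports(match["ports"]):
            if port not in state:
                continue
            if match["mode"]:
                state[port]["mode"] = match["mode"]
            else:
                state[port]["remote_loopback"] = match["loopback"]
                state[port]["loopback_source"] = "configured"
    return state


def loopback_exposure(state, untrusted_ports):
    """Return (port, mode, source) for untrusted ports that still permit loopback."""
    exposed = []
    for port in sorted(untrusted_ports, key=port_key):
        entry = state.get(port)
        if entry and entry["remote_loopback"] == "permit":
            exposed.append((port, entry["mode"], entry["loopback_source"]))
    return exposed


if __name__ == "__main__":
    oam_state = effective_oam(SAMPLE_CONFIG, ALL_PORTS)
    for port, mode, source in loopback_exposure(oam_state, UNTRUSTED_PORTS):
        print(f"{port}: remote loopback permitted ({source}), OAM mode {mode}")
```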
Related Commands
clear port ethernet-oam
set port ethernet-oam
set port ethernet-oam action
set port ethernet-oam link-monitor
set port ethernet-oam mode
show port ethernet-oam
set port ethernet-uni
To set the User to Network Interface (UNI) ID for a particular port, use the set port ethernet-uni command.
set port ethernet-uni {mod/port} id {uni-id}
set port ethernet-uni {mod/port} type [all-to-one | multiplex]
Syntax Description
mod/port | Number of the module and the port on the module.
id uni-id | Specifies a unique string set as a UNI ID for the port. The maximum length is 64 characters.
type | (Optional) Specifies the type of EVC. The following arguments are used with this keyword: all-to-one: UNI supports only a single Ethernet Virtual Connection (EVC). Every CE-VLAN-ID is mapped to this single EVC. multiplex: UNI supports one or more than one EVC. One or more than one CE-VLAN IDs (except every CE-VLAN ID) can be mapped to one EVC.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
An error message is displayed if a string is not unique on the switch.
It is not necessary to configure a UNI ID for ELMI to function. A UNI ID with a null value is a valid value. Some Customer Edge (CE) platforms are designed to discard ELMI frames if the UNI ID is null and the ELMI protocol link status may go down.
All-to-one bundling is supported only on dot1q-tunneled ports. Service multiplex with no bundling is supported on access and trunk ports.
Examples
This example shows how to set the Ethernet UNI ID as CUST_A_PORT1 for module 3, port 1:
Console> (enable) set port ethernet-uni 3/1 id CUST_A_PORT1
UNI id CUST_A_PORT1 is configured on port 3/1
Related Commands
clear port ethernet-uni
show port ethernet-uni
set port flexlink
To specify a Flexlink active port and a backup (peer) port, use the set port flexlink command.
set port flexlink mod/port peer mod/port
Syntax Description
mod/port | Number of the module and the port on the module.
peer | Specifies the peer port for the Flexlink active port.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
Flexlink redundancy allows you to specify two ports to form a redundant link capability. You configure one port as the active port and the other port is configured as the backup or peer port. The active port is in the forwarding state while the backup port is in the blocking state. The backup port does not allow traffic to pass.
When configuring Flexlink redundancy, follow these guidelines and restrictions:
• The maximum number of Flexlink pairs (one active port and one backup port) is 16 per switch.
• Flexlink ports cannot be part of an EtherChannel.
• Flexlink ports do not join STP operations. Flexlink ports do not generate STP BPDUs, and they drop all received BPDUs.
• Because it works with STP, VTP pruning does not work on Flexlink ports.
• SPAN works with Flexlink ports.
• IGMP works with Flexlink ports.
• DTP can run on Flexlink ports.
• Flexlink redundancy is for simple access topologies (two uplinks from a leaf node). You must ensure that there is a loop-free path from the wiring closet to the access network. Unlike STP, Flexlink is not designed to detect loops.
• Deploying STP in the core while running Flexlink redundancy on the edge is an acceptable configuration.
• Flexlink converges faster only if the directly connected link fails. Any other failure in the network is not improved by Flexlink fast convergence.
Examples
This example shows how to specify port 3/48 as the Flexlink active port and port 3/47 as the Flexlink backup (peer) port:
Console> (enable) set port flexlink 3/48 peer 3/47
Flexlink is successfully set on the port 3/48 and 3/47
This example shows the message that is displayed if you try to specify the same port as the active and the backup port:
Console> (enable) set port flexlink 2/2 peer 2/2
Port(s) can not backup itself.
Related Commands
clear port flexlink
show port flexlink
set port flowcontrol
To configure a port to send or receive pause frames, use the set port flowcontrol command. Pause frames are special packets that signal a source to stop sending frames for a specific period of time because the buffers are full.
set port flowcontrol mod/port {receive | send} {off | on | desired}
Syntax Description
mod/port | Number of the module and the port on the module.
receive | Specifies that a port processes pause frames.
send | Specifies that a port sends pause frames.
off | Prevents a local port from receiving and processing pause frames from remote ports or from sending pause frames to remote ports.
on | Enables a local port to receive and process pause frames from remote ports or send pause frames to remote ports.
desired | Obtains predictable results regardless of whether a remote port is set to on, off, or desired.
Defaults
Flow-control defaults vary depending upon port speed:
• Gigabit Ethernet ports default to off for receive (Rx) and desired for transmit (Tx).
• Fast Ethernet ports default to off for receive and on for transmit.
On the 24-port 100BASE-FX and 48-port 10/100 BASE-TX RJ-45 modules, the default is off for receive and off for send.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
This command is not supported by the NAM.
When you configure the 24-port 100BASE-FX and 48-port 10/100 BASE-TX RJ-45 modules, you can set the receive flow control to on or off and the send flow control to off.
All Catalyst Gigabit Ethernet ports can receive and process pause frames from remote devices.
To obtain predictable results, use these guidelines:
• Use send on only when remote ports are set to receive on or receive desired.
• Use send off only when remote ports are set to receive off or receive desired.
• Use receive on only when remote ports are set to send on or send desired.
• Use send off only when remote ports are set to receive off or receive desired.
Table 2-18 describes guidelines for different configurations of the send and receive keywords.
Table 2-18 send and receive Keyword Configurations
Configuration | Description
send on | Enables a local port to send pause frames to remote ports.
send off | Prevents a local port from sending pause frames to remote ports.
send desired | Obtains predictable results whether a remote port is set to receive on, receive off, or receive desired.
receive on | Enables a local port to process pause frames that a remote port sends.
receive off | Prevents a local port from sending pause frames to remote ports.
receive desired | Obtains predictable results whether a remote port is set to send on, send off, or send desired.
Examples
This example shows how to configure port 1 of module 5 to receive and process pause frames:
Console> (enable) set port flowcontrol receive 5/1 on
Port 5/1 flow control receive administration status set to on
(port will require far end to send flowcontrol)
This example shows how to configure port 1 of module 5 to receive and process pause frames if the remote port is configured to send pause frames:
Console> (enable) set port flowcontrol receive 5/1 desired
Port 5/1 flow control receive administration status set to desired
(port will allow far end to send flowcontrol if far end supports it)
This example shows how to configure port 1 of module 5 to receive but NOT process pause frames:
Console> (enable) set port flowcontrol receive 5/1 off
Port 5/1 flow control receive administration status set to off
(port will not allow far end to send flowcontrol)
This example shows how to configure port 1 of module 5 to send pause frames:
Console> (enable) set port flowcontrol send 5/1 on
Port 5/1 flow control send administration status set to on
(port will send flowcontrol to far end)
This example shows how to configure port 1 of module 5 to send pause frames and yield predictable results even if the remote port is set to receive off:
Console> (enable) set port flowcontrol send 5/1 desired
Port 5/1 flow control send administration status set to desired
(port will send flowcontrol to far end if far end supports it)
Related Commands
show port flowcontrol
set port gmrp
To enable or disable GMRP on the specified ports in all VLANs, use the set port gmrp command.
set port gmrp mod/port {enable | disable}
Syntax Description
mod/port | Number of the module and the port on the module.
enable | Enables GMRP on a specified port.
disable | Disables GMRP on a specified port.
Defaults
GMRP is disabled by default.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
This command is not supported by the NAM.
You can enter this command even when GMRP is not enabled, but the values come into effect only when you enable GMRP using the set gmrp enable command.
Examples
This example shows how to enable GMRP on module 3, port 1:
Console> (enable) set port gmrp 3/1 enable
GMRP enabled on port(s) 3/1.
GMRP feature is currently disabled on the switch.
This example shows how to disable GMRP on module 3, ports 1 through 5:
Console> (enable) set port gmrp 3/1-5 disable
GMRP disabled on port(s) 3/1-5.
Related Commands
show gmrp configuration
set port gvrp
To enable or disable GVRP on the specified ports in all VLANs, use the set port gvrp command.
set port gvrp mod/port {enable | disable}
Syntax Description
mod/port | Number of the module and the port on the module.
enable | Enables GVRP on a specified port.
disable | Disables GVRP on a specified port.
Defaults
GVRP is disabled by default.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
This command is not supported by the NAM.
When you enable VTP pruning, it runs on all the GVRP-disabled trunks.
To run GVRP on a trunk, you need to enable GVRP both globally on the switch and individually on the trunk.
You can configure GVRP on a port even when GVRP is not globally enabled. However, the port will not become a GVRP participant until you globally enable GVRP.
You can enable GVRP on an 802.1Q trunk only.
If you enter the set port gvrp command without specifying the port number, GVRP is affected globally in the switch.
Examples
This example shows how to enable GVRP on module 3, port 2:
Console> (enable) set port gvrp 3/2 enable
This example shows how to disable GVRP on module 3, port 2:
Console> (enable) set port gvrp 3/2 disable
This example shows what happens if you try to enable GVRP on a port that is not an 802.1Q trunk:
Console> (enable) set port gvrp 4/1 enable
Failed to set port 4/1 to GVRP enable. Port not allow GVRP.
This example shows what happens if you try to enable GVRP on a specific port when GVRP has not first been enabled using the set gvrp command:
Console> (enable) set port gvrp 5/1 enable
GVRP enabled on port(s) 5/1.
GVRP feature is currently disabled on the switch.
Related Commands
clear gvrp statistics
set gvrp
show gvrp configuration
set port host
To optimize the port configuration for a host connection, use the set port host command.
set port host mod/port
Syntax Description
mod/port | Number of the module and the port on the module.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
This command is not supported by the NAM.
To optimize the port configuration, the set port host command sets channel mode to off, enables spanning tree PortFast, sets the trunk mode to off, and disables the dot1q tunnel feature. Only an end station can accept this configuration.
Because spanning tree PortFast is enabled, you should enter the set port host command only on ports connected to a single host. Connecting hubs, concentrators, switches, and bridges to a fast-start port can cause temporary spanning tree loops.
Enable the set port host command to decrease the time it takes to start up packet forwarding.
Examples
This example shows how to optimize the port configuration for end station/host connections on ports 2/1 and 3/1:
Console> (enable) set port host 2/1,3/1
Warning: Span tree port fast start should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc. to a fast start port can
cause temporary spanning tree loops. Use with caution.
Spantree ports 2/1,3/1 fast start enabled.
Dot1q tunnel feature disabled on port(s) 4/1.
Port(s) 2/1,3/1 trunk mode set to off.
Port(s) 2/1 channel mode set to off.
Related Commands
clear port host
set port inlinepower
To set the inline power mode of a port or group of ports, use the set port inlinepower command.
set port inlinepower mod/port {auto | static | limit} [max-wattage]
set port inlinepower mod/port off
Syntax Description
mod/port | Number of the module and the port on the module.
auto | Powers up the port only if the switching module has discovered the phone.
static | Powers up the port to a preallocated value so that the port is guaranteed power. See the "Usage Guidelines" section for more information.
limit | Limits power on the specified port. See the "Usage Guidelines" section for more information.
max-wattage | (Optional) The maximum power allowed on the port in either auto or static mode; valid values are from 4000 to 15400 milliwatts.
off | Prevents the port from providing power to an external device.
Defaults
The default is auto.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
If you specify auto or static mode but do not specify a max-wattage argument, the maximum wattage that is supported by the hardware is used.
If you specify static mode, power is preallocated to the specified port even if no devices are connected to that port. Connecting any device to that port ensures priority of service because that port is guaranteed power.
If you enter the off keyword, the inline power-capable device is not detected.
Each port is in one of the following modes (configured through the set port inlinepower CLI command):
• auto—The supervisor engine directs the switching module to power up the port only if the switching module discovers the phone. You can specify the maximum wattage that is allowed on the port. If you do not specify a wattage, then the switch will deliver no more than the hardware-supported maximum value.
• static—The supervisor engine directs the switching module to power up the port to the wattage you specify only if the switching module discovers the phone. You can specify the maximum wattage that is allowed on the port. If you do not specify a wattage, then the switch allows the hardware-supported maximum value. The maximum wattage, whether determined by the switch or specified by you, is preallocated to the port. If the switch does not have enough power for the allocation, the command will fail.
• limit—Discovery is enabled, and you can limit the power allocated for an external device. If the wattage value that you specify with the limit keyword is less than the power that is specified by IEEE classification, instead of denying power, the lesser of these two values is allocated. If the device consumes more than the configured value, the port is shut down and a syslog message is displayed. The limit keyword is supported only on modules with the WS-F6K-48-AF daughter card.
• off—Prevents the port from providing the power to an external device. If the external device is wall-powered and inline power is off, the port should still link up, join the bridge group, and go to the STP forwarding state.
Each port also has a status, defined as one of the following:
• on—Power is supplied by the port.
• off—Power is not supplied by the port.
• Power-deny—The supervisor engine does not have enough power to allocate to the port, or the power that is configured for the port is less than the power that is required by the port; the power is not being supplied by the port.
• err-disable—The port is unable to provide the power to the connected device that is configured in Static mode.
• faulty—The port failed the diagnostics tests.
If you enter this command on a port that does not support the IP phone power feature, an error message is displayed.
You can enter a single port or a range of ports, but you cannot enter the module number only.
Caution 
Damage can occur to equipment connected to the port if you are not using a phone that can be configured for the IP phone phantom power feature.
Examples
This example shows how to set the inline power to off:
Console> (enable) set port inlinepower 2/5 off
Inline power for port 2/5 set to off.
This example shows the output if the inline power feature is not supported:
Console> (enable) set port inlinepower 2/3-9 auto
Feature not supported on module 2.
Related Commands
set inlinepower
show environment
show port inlinepower
set port jumbo
To enable or disable the jumbo frame feature on a per-port basis, use the set port jumbo command.
set port jumbo mod/port {enable | disable}
Syntax Description
mod/port | Number of the module and the port on the module.
enable | Enables jumbo frames on a specified port.
disable | Disables jumbo frames on a specified port.
Defaults
If you enable the jumbo frame feature, the MTU size for packet acceptance is 9216 bytes for nontrunking ports.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
This command is not supported by the NAM. The jumbo frame feature is supported on any Ethernet port and on the sc0 interface. The MSFC2 supports routing of jumbo frames. The Gigabit Switch Router (GSR) supports jumbo frames.
You can use the jumbo frame feature to transfer large frames or jumbo frames through Catalyst 6500 series switches to optimize server-to-server performance.
The Multilayer Switch Feature Card (MSFC) and the Multilayer Switch Module (MSM) do not support the routing of jumbo frames; if jumbo frames are sent to these routers, router performance is significantly degraded.
Examples
This example shows how to enable the jumbo frames feature on module 3, port 2:
Console> (enable) set port jumbo 3/2 enable
Jumbo frames enabled on port 5/3.
This example shows how to disable the jumbo frames feature on module 3, port 2:
Console> (enable) set port jumbo 3/2 disable
Jumbo frames disabled on port 3/2.
Related Commands
set trunk
show port jumbo
set port l2protocol-tunnel
To set Layer 2 protocol tunneling parameters, use the set port l2protocol-tunnel command.
set port l2protocol-tunnel mod/port {cdp | eoam | stp | vtp} {enable | disable}
set port l2protocol-tunnel mod/port {drop-threshold drop-threshold} {shutdown-threshold shutdown-threshold} [cdp | eoam | stp | vtp]
Syntax Description
mod/port | Number of the module and the port or range of ports.
{cdp | eoam | stp | vtp} | Specifies the protocol type. See the "Usage Guidelines" section for more information.
{enable | disable} | Enables or disables the protocol.
drop-threshold drop-threshold | Specifies the drop threshold factor on a port or range of ports; valid values are from 0 to 65535. See the "Usage Guidelines" section for more information.
shutdown-threshold shutdown-threshold | Specifies the shutdown threshold factor on a port or range of ports; valid values are from 0 to 65535. See the "Usage Guidelines" section for more information.
Defaults
Protocol tunneling is disabled on all ports.
The default for the drop threshold and the shutdown threshold is 0. The 0 value indicates that no limit is set.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You can specify more than one protocol type at a time. In the CLI, separate protocol types with a space.
The recommended maximum value for the shutdown threshold is 1000. This value reflects the number of PDUs an edge switch can handle per second (without dropping any) while performing egress and ingress tunneling. For an edge switch, the shutdown threshold value also determines the number of Layer 2 protocol tunneling ports that can be connected to customer switches and the number of customer VLANs per Layer 2 protocol tunneling port. In determining the recommended maximum value of 1000, egress tunneling from the service provider network was also taken into consideration.
To determine the number of Layer 2 protocol tunneling ports (links) and the number of customer VLANs per Layer 2 protocol tunneling port (VLANs per link) that an edge switch can handle, use the following formula: Multiply the number of Layer 2 protocol tunneling ports by the number of VLANs and the result should be less than or equal to 1000. Some examples of acceptable configurations are as follows:
• 1 Layer 2 protocol tunneling port x 1000 VLANs
• 2 Layer 2 protocol tunneling ports x 500 VLANs
• 5 Layer 2 protocol tunneling ports x 200 VLANs
• 10 Layer 2 protocol tunneling ports x 100 VLANs
• 20 Layer 2 protocol tunneling ports x 50 VLANs
• 100 Layer 2 protocol tunneling ports x 10 VLANs
Note
The shutdown threshold factor should exceed the drop threshold factor. After reaching the drop threshold factor, the port or range of ports starts dropping PDUs. After reaching the shutdown threshold factor, the port or range of ports goes into errdisable state and is restored after timeout.
Note
With software release 8.4(1) and later releases, you can specify the drop and shutdown thresholds for individual protocols on a per-port basis. If you configure thresholds only and do not specify a protocol, the packets are rate limited cumulatively irrespective of protocols. If you specify a threshold for a protocol on a port, the packets are rate limited on a cumulative basis, and then per-protocol thresholds are applied to the packets. The range for the per-port protocols drop threshold and shutdown threshold is from 0 to 65535.
Examples
This example shows how to enable CDP on a range of ports:
Console> (enable) set port l2protocol-tunnel 7/1-2 cdp enable
Layer 2 protocol tunneling enabled for CDP on ports 7/1-2.
This example shows how to enable STP and VTP on a range of ports:
Console> (enable) set port l2protocol-tunnel 7/1-2 stp vtp enable
Layer 2 protocol tunneling enabled for STP VTP on ports 7/1-2.
This example shows how to disable CDP, STP, and VTP on a range of ports:
Console> (enable) set port l2protocol-tunnel 7/1-2 cdp stp vtp disable
Layer 2 protocol tunneling disabled for CDP STP VTP on ports 7/1-2.
This example shows how to set the drop threshold to 1000 and the shutdown threshold to 20000 on a port:
Console> (enable) set port l2protocol-tunnel 7/1 drop-threshold 1000 shutdown-threshold
20000
Drop Threshold=1000, Shutdown Threshold=20000 set on port 7/1.
This example shows how to specify a drop threshold of 100 and a shutdown threshold of 400 for CDP packets on a port:
Console> (enable) set port l2protocol-tunnel 3/1 drop-threshold 200 shutdown-threshold 400
cdp
Drop Threshold=200, Shutdown Threshold=400 set on port 3/1.
This example shows how to enable the EOAM protocol on a range of ports:
Console> (enable) set port l2protocol-tunnel 7/1-2 eoam enable
Layer 2 protocol tunneling enabled for EOAM on ports 7/1-2.
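The threshold rules in the Defaults and Usage Guidelines above (0 means no limit, the shutdown threshold should exceed the drop threshold, the recommended shutdown maximum is 1000, and ports x VLANs should not exceed 1000) can be checked mechanically against saved commands. The following Python linter is an added example, not part of the Cisco reference; the sample configuration mixes two commands taken from the examples above with two constructed ones, and the function names are illustrative.

```python
import re

# Values stated in the command reference above.
THRESHOLD_MAX = 65535            # valid range is 0 to 65535
RECOMMENDED_SHUTDOWN_MAX = 1000  # recommended maximum for the shutdown threshold
CAPACITY = 1000                  # tunneling ports x VLANs per port must not exceed this

_THRESHOLDS = re.compile(
    r"^set port l2protocol-tunnel (?P<ports>\S+) "
    r"drop-threshold (?P<drop>\d+) shutdown-threshold (?P<shut>\d+)"
    r"(?P<protos>(?: (?:cdp|eoam|stp|vtp))*)$"
)

# Lines 2 and 3 come from the examples above; lines 4 and 5 are constructed.
SAMPLE_CONFIG = """
set port l2protocol-tunnel 7/1-2 cdp enable
set port l2protocol-tunnel 7/1 drop-threshold 1000 shutdown-threshold 20000
set port l2protocol-tunnel 3/1 drop-threshold 200 shutdown-threshold 400 cdp
set port l2protocol-tunnel 7/2 drop-threshold 500 shutdown-threshold 300
set port l2protocol-tunnel 7/3 drop-threshold 0 shutdown-threshold 0 stp vtp
"""


def lint_thresholds(config_text):
    """Return (ports, scope, problem) tuples for every threshold command with an issue."""
    findings = []
    for raw in config_text.splitlines():
        match = _THRESHOLDS.match(" ".join(raw.split()))
        if not match:
            continue  # not a threshold command (for example "... cdp enable")
        ports = match["ports"]
        drop, shut = int(match["drop"]), int(match["shut"])
        # Without a protocol list the limits apply to all tunneled PDUs together.
        scope = match["protos"].strip() or "cumulative"

        def report(problem):
            findings.append((ports, scope, problem))

        if drop > THRESHOLD_MAX or shut > THRESHOLD_MAX:
            report("value outside 0-65535")
            continue
        if drop == 0:
            report("drop threshold 0: no drop limit")
        if shut == 0:
            report("shutdown threshold 0: no shutdown limit")
        elif shut <= drop:
            report("shutdown threshold does not exceed drop threshold")
        if shut > RECOMMENDED_SHUTDOWN_MAX:
            report("shutdown threshold above recommended maximum of 1000")
    return findings


def max_vlans_per_port(tunnel_ports):
    """Largest VLAN count per tunneling port that keeps ports x VLANs <= 1000."""
    if tunnel_ports < 1:
        raise ValueError("need at least one tunneling port")
    return CAPACITY // tunnel_ports


if __name__ == "__main__":
    for ports, scope, problem in lint_thresholds(SAMPLE_CONFIG):
        print(f"{ports} [{scope}]: {problem}")
    print("20 tunneling ports allow up to", max_vlans_per_port(20), "VLANs each")
```

The 1000/20000 command from the examples above is reported because its shutdown threshold is above the recommended maximum given in the Usage Guidelines.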
Related Commands
clear l2protocol-tunnel cos
clear l2protocol-tunnel statistics
set l2protocol-tunnel cos
show l2protocol-tunnel statistics
show port l2protocol-tunnel
set port lacp-channel
To set the priority value for physical ports, to assign an administrative key to a particular set of ports, or to change the channel mode for a set of ports that were previously assigned to the same administrative key, use the set port lacp-channel command.
set port lacp-channel mod/ports port-priority value
set port lacp-channel mod/ports [admin-key]
set port lacp-channel mod/ports mode {on | off | active | passive}
Syntax Description
mod/ports | Number of the module and the ports on the module.
port-priority | Specifies the priority for physical ports.
value | Number of the port priority; valid values are from 1 to 255. See the "Usage Guidelines" section for more information about the priority value.
admin-key | (Optional) Number of the administrative key; valid values are from 1 to 1024. See the "Usage Guidelines" section for more information about the administrative key.
mode | Specifies the channel mode for a set of ports.
{on | off | active | passive} | Specifies the status of the channel mode.
Defaults
LACP is supported on all Ethernet interfaces.
The default port priority value is 128.
The default mode is passive for all ports that are assigned to the administrative key.
For differences between PAgP and LACP, refer to the "Guidelines for Port Configuration" section of the "Configuring EtherChannel" chapter of the Catalyst 6500 Series Software Configuration Guide.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
This command can only be used for ports belonging to LACP modules. This command cannot be used on ports running in PAgP mode.
Higher priority values correspond to lower priority levels.
The following usage guidelines apply when you assign an administrative key to ports:
• If you do not enter a value for the administrative key, the switch chooses a value automatically.
• If you choose a value for the administrative key, but this value is already used in your switch, all the ports associated with this value are moved to a new administrative key that is assigned automatically. The previously used value is now associated with new ports.
• You can assign a maximum of 8 ports to an administrative key.
• If you assign an administrative key to a channel that was previously assigned a particular mode, the channel will maintain that mode after you enter the administrative key value.
Examples
This example shows how to set the priority of ports 1/1 to 1/4 and 2/6 to 2/8 to 10:
Console> (enable) set port lacp-channel 4/1-4
Ports 4/1-4 being assigned admin key 96.
This example shows how to assign ports 4/1 to 4/4 to an administrative key that the switch automatically chooses:
Console> (enable) set port lacp-channel 4/1-4
Ports 4/1-4 being assigned admin key 96.
This example shows how to assign ports 4/4 to 4/6 to administrative key 96 when that key was previously assigned to ports 4/1 to 4/3:
Console> (enable) set port lacp-channel 4/4-6 96
admin key 96 already assigned to port 4/1-3.
Port(s) 4/1-3 being assigned to admin key 97.
Port(s) 4/4-6 being assigned to admin key 96.
Related Commands
clear lacp-channel statistics
set channelprotocol
set lacp-channel system-priority
set spantree channelcost
set spantree channelvlancost
show lacp-channel
show port lacp-channel
set port mac-auth-bypass
To configure the MAC authentication bypass feature on a port, use the set port mac-auth-bypass command.
set port mac-auth-bypass mod/port {enable | disable}
set port mac-auth-bypass mod/port {initialize | reauthenticate}
set port mac-auth-bypass mod/port ip-device-tracking {enable | disable}
Syntax Description
mod/port | Number of the module and the port on the module.
enable | Enables the MAC authentication bypass feature on a port.
disable | Disables the MAC authentication bypass feature on a port.
initialize | Initializes the MAC address authentication bypass state for a port so the port can participate in authentication again.
reauthenticate | Reauthenticates the MAC address of a port.
ip-device-tracking | Tracks the host using its IP address.
enable | Enables IP device tracking.
disable | Disables IP device tracking.
Defaults
The MAC authentication bypass feature is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
When you enable the MAC authentication bypass feature on a port, you automatically enable PortFast on that port. When you disable the MAC authentication bypass feature on a port, you automatically disable PortFast on that port.
When you enter set port mac-auth-bypass mod/port initialize, the specified port is moved to the waiting state and any required cleanup is performed (such as unauthorizing the port, cleaning up any static/trap CAM entries, and so on).
The set port mac-auth-bypass mod/port reauthenticate command is accepted only when the port is in authenticated state; otherwise, the command is ignored.
For more information about the states and events that are associated with the MAC authentication bypass feature, see the "Configuring MAC Address Authentication Bypass" chapter of the Catalyst 6500 Series Software Configuration Guide.
Examples
This example shows how to enable MAC address authentication bypass on a port:
Console> (enable) set port mac-auth-bypass 3/1 enable
MAC-Auth-Bypass successfully enabled on 3/1.
This example shows how to initialize the MAC address authentication bypass state for a port so that the port can participate in authentication again:
Console> (enable) set port mac-auth-bypass 3/1 initialize
Mac-Auth-Bypass successfully Initialized 3/1.
This example shows how to reauthenticate the MAC address of a port:
Console> (enable) set port mac-auth-bypass 3/1 reauthenticate
Reauthenticating MAC address 00-00-00-00-00-01 on port 3/1 using Mac-Auth-Bypass.
This example shows how to enable IP device tracking on a MAB-enabled port:
Console> (enable) set port mac-auth-bypass 2/15 ip-device-tracking enable
Mac-Auth-Bypass successfully enabled.
Related Commands
set mac-auth-bypass
show mac-auth-bypass
show port mac-auth-bypass
set port macro
To execute a configuration macro on a per-port basis, use the set port macro command.
set port macro mod/ports... ciscoipphone vlan vlan [auxvlan auxvlan]
set port macro mod/ports... ciscosoftphone vlan vlan
set port macro mod/ports... ciscodesktop vlan vlan
set port macro mod/ports... ciscorouter nativevlan nativevlan [allowedvlans vlan]
set port macro mod/ports... ciscoswitch nativevlan nativevlan [allowedvlans vlan]
set port macro mod/ports... macro_name
Syntax Description
mod/ports... | Number of the module and the ports on the module.
ciscoipphone | Specifies the Cisco IP Phone SmartPort configuration macro.
vlan | Specifies a VLAN interface.
vlan | Number of the VLAN or VLANs.
auxvlan | (Optional) Specifies an auxiliary VLAN.
auxvlan | (Optional) Number of the auxiliary VLAN.
ciscosoftphone | Specifies the Cisco Softphone SmartPort configuration macro.
ciscodesktop | Specifies the Cisco Desktop SmartPort configuration macro.
ciscorouter | Specifies the Cisco Router SmartPort configuration macro.
nativevlan | Specifies the native VLAN for IP phone traffic.
nativevlan | Number of the native VLAN.
allowedvlans | (Optional) Specifies the VLAN or VLANs that are allowed on the trunk.
ciscoswitch | Specifies the Cisco Switch SmartPort configuration macro.
macro_name | Name of a user-defined macro to apply to a port. See the "Usage Guidelines" section for more information about applying a user-defined macro.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
When you use automatic voice configuration with the ciscoipphone keyword, some of the QoS configuration requires phone-specific configuration (trust-ext, ext-cos), which is supported only on the following phones: Cisco IP Phone 7910, Cisco IP Phone 7940, Cisco IP Phone 7960, and Cisco IP Phone 7935. However, the ciscoipphone keyword is not exclusive to these models only; any phone can benefit from all the other QoS settings that are configured on the switch.
To configure the QoS settings and the trusted boundary feature on the Cisco IP Phone, you must enable Cisco Discovery Protocol (CDP) version 2 or later on the port. You need to enable CDP only for the ciscoipphone QoS configuration; CDP does not affect the other components of the automatic voice configuration feature.
The automatic voice configuration commands do not support channeling.
A PFC or PFC2 is not required for the ciscoipphone keyword.
A PFC or PFC2 is required for the ciscosoftphone keyword.
The ciscoipphone keyword is only supported on 10/100 and 10/100/1000 Ethernet ports.
The ciscosoftphone keyword is supported on all Ethernet ports.
To see the configuration that results from choosing the ciscodesktop, ciscorouter, or ciscoswitch keyword, see the "Configuring a VoIP Network" chapter of the Catalyst 6500 Series Switch Software Configuration Guide.
When applying user-defined macros, follow these guidelines and restrictions:
• If you attempt to apply a macro on a port and the macro has a variable that is not defined in its definition, the macro is not applied on the port and an appropriate error message is displayed. This does not affect the definition of the macro.
• If you attempt to apply a macro on a port and the macro has some valid and some invalid commands in its definition, the macro is still applied on the port and an appropriate error message is displayed when the invalid command is executed. This does not affect the definition of the macro.
• When you apply a macro, a record of the macro being applied is not stored in the configuration file or NVRAM. However, for each port there is a record of the latest macro that was applied to it.
• Once a macro is applied to a port, you cannot clear the macro. However, one way to cancel a macro on a port is to define another macro that clears the configurations on the port, and then apply the newly created macro on the port.
For more information about user-defined Smartports macros, see the "Configuring a VoIP Network" chapter of the Catalyst 6500 Series Switch Software Configuration Guide.
Examples
This example shows how to execute the Cisco IP Phone configuration macro with an auxiliary VLAN:
Console> (enable) set port macro 3/1 ciscoipphone vlan 2 auxvlan 3
Layer 2 protocol tunneling disabled for CDP STP VTP on port(s) 3/1.
Port 3/1 vlan assignment set to static.
Spantree port fast start option set to default for ports 3/1.
Port(s) 3/1 channel mode set to off.
Warning:Connecting Layer 2 devices to a fast start port can cause
temporary spanning tree loops. Use with caution.
Spantree port 3/1 fast start enabled.
Dot1q tunnel feature disabled on port(s) 3/1.
Port(s) 3/1 trunk mode set to off.
---- -----------------------
AuxiliaryVlan Status Mod/Ports
------------------------------------------------------
Inline power for port 3/1 set to auto.
All ingress and egress QoS scheduling parameters configured on all ports.
CoS to DSCP, DSCP to COS, IP Precedence to DSCP and policed dscp maps
configured. Global QoS configured.
Port 3/1 ingress QoS configured for Cisco IP Phone.
Macro completed on port 3/1.
This example shows the warning message that appears when you do not specify an auxiliary VLAN:
Console> (enable) set port macro 3/1 ciscoipphone vlan 2
Warning: All inbound QoS tagging information will be lost as no auxillary
Do you want to continue (y/n) [n]?
This example shows how to execute the Cisco Softphone configuration macro:
Console> (enable) set port macro 3/1 ciscosoftphone vlan 32
Layer 2 protocol tunneling disabled for CDP STP VTP on port(s) 3/1.
Port 3/1 vlan assignment set to static.
Spantree port fast start option set to default for ports 3/1.
Port(s) 3/1 channel mode set to off.
Warning:Connecting Layer 2 devices to a fast start port can cause
temporary spanning tree loops. Use with caution.
Spantree port 3/1 fast start enabled.
Dot1q tunnel feature disabled on port(s) 3/1.
Port(s) 3/1 trunk mode set to off.
Vlan 32 configuration successful
---- -----------------------
Port 3/1 will not send out CDP packets with AuxiliaryVlan information.
Executing autoqos........
All ingress and egress QoS scheduling parameters configured on all ports.
CoS to DSCP, DSCP to COS, IP Precedence to DSCP and policed dscp maps
configured. Global QoS configured.
Port 3/1 ingress QoS configured for Cisco Softphone.
Macro completed on port 3/1.
This example shows how to apply a user-defined macro named "videophone" to port 3/2:
Console> (enable) set port macro 3/2 videophone
Before the macro is applied, variables are replaced by the values that are specified by entering the set macro variable command. The following commands that were included in the user-defined macro are then executed:
set port auxiliaryvlan 3/2 4
Related Commands
clear macro
set cdp
set macro
set macro ciscosmartports
set port qos autoqos
set qos autoqos
show macro
set port membership
To set the VLAN membership assignment to a port, use the set port membership command.
set port membership mod/port {dynamic | static}
Syntax Description
mod/port | Number of the module and the port on the module.
dynamic | Specifies that the port become a member of dynamic VLANs.
static | Specifies that the port become a member of static VLANs.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
Dynamic VLAN support for VVID places the following restrictions on the configuration of MVAP on the switch port:
• You can configure any VVID on a dynamic port, including dot1p and untagged. However, when the VVID is dot1p or untagged, you must configure VMPS with the MAC address of the IP phone. When you configure the VVID as dot1p or untagged on a dynamic port, this warning message is displayed:
VMPS should be configured with the IP phone mac's.
• You cannot set the VVID of the port to the same value as the PVID that the VMPS assigned to the dynamic port.
• You cannot configure trunk ports as dynamic ports, but you can configure MVAP as a dynamic port.
Examples
This example shows how to set the port membership VLAN assignment to dynamic:
Console> (enable) set port membership 5/5 dynamic
Port 5/5 vlan assignment set to dynamic.
Spantree port fast start option enabled for ports 5/5.
This example shows how to set the port membership VLAN assignment to static:
Console> (enable) set port membership 5/5 static
Port 5/5 vlan assignment set to static.
Related Commands
set pvlan
set pvlan mapping
set vlan
set vlan mapping
set port mvrp
To configure MVRP on a particular trunk port, use the set port mvrp command.
set port mvrp mod/port {enable | disable}
set port mvrp mod/port {active | normal}
set port mvrp mod/port periodictimer {enable | disable}
set port mvrp mod/port timer {join | leave | leaveall} timer-value
set port mvrp mod/port registration {normal | fixed | forbidden}
Syntax Description
mod/port | Number of the module and the port on the module.
enable | Enables the MVRP feature on a specific port.
disable | Disables the MVRP feature on a specific port.
active | Sends out VLAN declarations even when the port is in STP blocking state.
normal | Does not send VLAN declarations when the port is in STP blocking state.
periodictimer | Defines the frequency at which the periodic events are generated. The value is preset to 1 second. The periodic timer value cannot be modified but can either be enabled or disabled.
join | Defines the interval between transmit opportunities. The value can range from 20 to 10000000, in centiseconds.
leave | Defines the waiting time before transitioning to an empty state. The value can range from 60 to 10000000, in centiseconds.
leaveall | Defines the frequency at which the leave all message is generated. The value can range from 1000 to 10000000, in centiseconds.
timer-value | Timer value in centiseconds on a specific port.
registration | Sets the registrar in a MAD instance associated with the port to one of the three states.
normal | Responds to all MVRP requests and messages while retaining all registrations and deregistrations on the trunk port.
fixed | Ignores any further MVRP requests and messages while retaining all existing registrations on the trunk port.
forbidden | Deregisters all the VLANs (except VLAN1) and prevents any further VLAN creation or registration on the trunk port.
Defaults
• MVRP is disabled on each port.
• The default applicant state is normal.
• The default timer values are as follows:
  – Join timer-value: 20
  – Leave timer-value: 60
  – LeaveAll timer-value: 1000
• The default registrar state is normal, in which the interface responds to all incoming MVRP PDUs.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
A normal applicant sends out MVRP PDUs if and only if the port is in forwarding state in the spanning tree. An active applicant is not IEEE standard. If a port has its applicant in active state, it sends out MVRP PDUs even if the port is in blocking state.
Examples
This example shows how to enable MVRP on a particular trunk port:
Console(enable) set port mvrp 3/48 enable
MVRP enabled on port 3/48
This example shows how to disable MVRP on a particular trunk port:
console(enable) set port mvrp 3/48 disable
MVRP disabled on port 3/48
This example shows how to enable periodic timer on a particular port:
console(enable) set port mvrp 3/48 periodictimer enable
MVRP periodic timer enabled on port(s) 3/48
This example shows how to disable periodic timer on a particular port:
console(enable) set port mvrp 3/48 periodictimer disable
MVRP periodic timer disabled on port 3/48
This example shows how to set join timer value on a particular port:
console(enable) set port mvrp 3/48 timer join 50
MVRP/MRP join timer value is set to 50 centi seconds on port 3/48
Console> (enable) set port mvrp 2/1 timer join 200
Failed to set MVRP/MRP join timer value.
Join timer must be greater than 1 and Leave timer must be greater than 2 * join timer.
Console> (enable) set port mvrp 2/1 timer leave 5000
Failed to set MVRP/MRP leave timer value.
Leave timer must be greater than 2 * join timer.
Leaveall timer must be greater than leave timer.
console(enable) set port mvrp 3/48 timer leave 1000
MVRP/MRP leave timer value is set to 1000 centi seconds on port 3/48
console(enable) set port mvrp 3/48 timer leaveall 10000
MVRP/MRP leaveAll timer value is set to 10000 centi seconds on port 3/48
This example shows how to set the Registrar in a MAD instance associated with the port in fixed state:
console(enable) set port mvrp 3/48 registration fixed
Registrar Administrative Control set to fixed on port(s) 3/48
This example shows how to set the Registrar in a MAD instance associated with the port in forbidden state:
console(enable) set port mvrp 3/48 registration forbidden
Registrar Administrative Control set to forbidden on port(s) 3/48
This example shows how to set the Registrar in a MAD instance associated with the port in normal state:
console(enable) set port mvrp 3/48 registration normal
Registrar Administrative Control set to normal on port(s) 3/48.
set port name
To configure a name for a port, use the set port name command.
set port name mod/port [port_name]
Syntax Description
mod/port | Number of the module and the port on the module.
port_name | (Optional) Name of the port. See the "Usage Guidelines" section for more information.
Defaults
By default, no port name is configured for any port.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
This command is not supported by the NAM.
The port_name argument must be fewer than 21 characters.
If you do not specify a port_name argument, the port name is cleared.
Examples
This example shows how to set the name of port 1 on module 4 to Snowy:
Console> (enable) set port name 4/1 Snowy
Related Commands
set port description
show port
show port description
set port negotiation
To enable or disable the link negotiation protocol on the specified port, use the set port negotiation command.
set port negotiation mod/port {enable | disable}
Syntax Description
mod/port | Number of the module and the port on the module.
enable | Enables the link negotiation protocol.
disable | Disables the link negotiation protocol.
Defaults
By default, the link negotiation protocol is enabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You cannot configure port negotiation on 1000BASE-T (copper) Gigabit Ethernet ports in this release. If a 1000BASE-T GBIC is inserted in the port that was previously configured as a negotiation-disabled port, the negotiation-disabled setting is ignored, and the port operates in negotiation-enabled mode.
The set port negotiation command is supported on Gigabit Ethernet ports only, except on WS-X6316-GE-TX and on WS-X6516-GE-TX.
If the port does not support this command, this message appears:
Feature not supported on Port N/N.
where N/N is the module and port number.
In most cases, when you enable link negotiation, the system autonegotiates flow control, duplex mode, and remote fault information. The exception applies to 16-port 10/100/1000BASE-T Ethernet modules; when you enable link negotiation on these Ethernet modules, the system autonegotiates flow control only.
You must either enable or disable link negotiation on both ends of the link. Both ends of the link must be set to the same value or the link cannot connect.
Examples
This example shows how to disable link negotiation protocol on port 1, module 4:
Console> (enable) set port negotiation 4/1 disable
Link negotiation protocol disabled on port 4/1.
Related Commands
show port negotiation
set port protocol
To enable or disable protocol membership of ports, use the set port protocol command.
set port protocol mod/port {ip | ipx | group} {on | off | auto}
Syntax Description
mod/port | Number of the module and the port on the module.
ip | Specifies IP.
ipx | Specifies IPX.
group | Specifies VINES, AppleTalk, and DECnet protocols.
on | Indicates the port will receive all the flood traffic for that protocol.
off | Indicates the port will not receive any flood traffic for that protocol.
auto | Specifies that the port is added to the group only after packets of the specific protocol are received on that port.
Defaults
The default is that the ports are configured to on for the IP protocol groups and auto for IPX and group protocols.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
This command is not supported by the NAM.
Protocol filtering is supported only on nontrunking EtherChannel ports. Trunking ports are always members of all the protocol groups.
If the port configuration is set to auto, the port initially does not receive any flood packets for that protocol. When the corresponding protocol packets are received on that port, the supervisor engine detects this and adds the port to the protocol group.
Ports configured as auto are removed from the protocol group if no packets are received for that protocol within a certain period of time. This aging time is set to 60 minutes. They are also removed from the protocol group on detection of a link down.
Examples
This example shows how to disable IPX protocol membership of port 1 on module 2:
Console> (enable) set port protocol 2/1 ipx off
IPX protocol disabled on port 2/1.
This example shows how to enable automatic IP membership of port 1 on module 5:
Console> (enable) set port protocol 5/1 ip auto
IP protocol set to auto mode on module 5/1.
Related Commands
show port protocol
set port qos
To specify whether an interface is interpreted as a physical port or as a VLAN, use the set port qos command.
set port qos mod/ports... {port-based | vlan-based}
Syntax Description
mod/ports... | Number of the module and the ports on the module.
port-based | Interprets the interface as a physical port.
vlan-based | Interprets the interface as part of a VLAN.
Defaults
By default, ports are port-based if QoS is enabled and VLAN-based if QoS is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
This command is not supported by the NAM.
When you change a port from port-based QoS to VLAN-based QoS, all ACLs are detached from the port. Any ACLs attached to the VLAN apply to the port immediately.
If you set a port to VLAN-based QoS using the set port qos command while RSVP or COPS QoS is enabled on that port (that is, the QoS policy source is COPS or DSBM-election is enabled), the VLAN-based setting is saved in NVRAM only.
Examples
This example shows how to specify an interface as a physical port:
Console> (enable) set port qos 1/1-2 port-based
Updating configuration ...
QoS interface is set to port-based for ports 1/1-2.
This example shows how to specify an interface as a VLAN:
Console> (enable) set port qos 3/1-48 vlan-based
Updating configuration ...
QoS interface is set to VLAN-based for ports 3/1-48.
This example shows the output if you change from port-based QoS to VLAN-based QoS with either RSVP or COPS enabled on the port:
Console> (enable) set port qos 3/1-48 vlan
Qos interface is set to vlan-based for ports 3/1-48
Port(s) 3/1-48 - QoS policy-source is Cops or DSBM-election is enabled.
Vlan-based setting has been saved in NVRAM only.
Related Commands
set port qos cos
set port qos trust
show port qos
show qos info
set port qos autoqos
To apply the automatic QoS feature on a per-port basis, use the set port qos autoqos command.
set port qos mod/port autoqos trust {cos | dscp}
set port qos mod/port autoqos voip {ciscoipphone | ciscosoftphone}
Syntax Description
mod/port | Number of the module and ports on the module.
trust | Specifies AutoQoS for ports trusting all traffic markings.
cos | Trusts CoS-based markings of all inbound traffic.
dscp | Trusts DSCP-based markings of all inbound traffic.
voip | Specifies AutoQoS for voice applications.
ciscoipphone | Specifies AutoQoS for Cisco 79xx IP phones.
ciscosoftphone | Specifies AutoQoS for Cisco IP SoftPhones.
Defaults
The per-port AutoQoS feature is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Examples
This example shows how to trust CoS-based markings of inbound traffic on module 4, port 1:
Console> (enable) set port qos 4/1 autoqos trust cos
Port 4/1 ingress QoS configured for trust cos.
Trusting all incoming CoS marking on port 4/1.
It is recommended to execute the "set qos autoqos" global command if not executed
previously.
This example shows how to apply AutoQoS settings for Cisco 79xx IP phones on module 4, port 1:
Console> (enable) set port qos 4/1 autoqos voip ciscoipphone
Port 4/1 ingress QoS configured for ciscoipphone.
It is recommended to execute the "set qos autoqos" global command if not executed
previously.
This example shows how to apply AutoQoS settings for Cisco IP SoftPhones on module 4, port 1:
Console> (enable) set port qos 4/1 autoqos voip ciscosoftphone
Port 4/1 ingress QoS configured for ciscosoftphone. Policing configured on 4/1.
It is recommended to execute the "set qos autoqos" global command if not executed
previously.
Related Commands
clear port qos autoqos
clear qos autoqos
set qos autoqos
show port qos
show qos acl info
set port qos cos
To set the default value for all packets that have arrived through an untrusted port, use the set port qos cos command.
set port qos mod/ports cos cos_value
set port qos mod/ports cos-ext cos_value
Syntax Description
mod/ports | Number of the module and ports.
cos cos_value | Specifies the CoS value for a port; valid values are from 0 to 7.
cos-ext cos_value | Specifies the CoS extension for a phone port; valid values are from 0 to 8.
Defaults
The default is CoS 0.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
This command is only supported on Ethernet modules.
This command has no effect when QoS is disabled. The port CoS setting takes effect when QoS is enabled.
Examples
This example shows how to set the CoS default value on a port:
Console> (enable) set port qos 2/1 cos 3
Port 2/1 qos cos set to 3.
This example shows how to set the CoS-ext default value on a port:
Console> (enable) set port qos 2/1 cos-ext 3
Port 2/1 qos cos-ext set to 3.
Related Commands
clear port qos cos
set port qos
set port qos trust
show port qos
show qos info
set port qos policy-source
To set the QoS policy source for all ports in the specified module, use the set port qos policy-source command.
set port qos policy-source mod/ports... {local | cops}
Syntax Description
mod/ports... | Number of the module and the ports on the module.
local | Sets the policy source to local NVRAM configuration.
cops | Sets the policy source to COPS configuration.
Defaults
By default, all ports are set to local.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
When you set the policy source to local, the QoS policy is taken from local configuration stored in NVRAM. If you set the policy source to local after it was set to COPS, the QoS policy reverts back to the local configuration stored in NVRAM.
Examples
This example shows how to set the policy source to local NVRAM:
Console> (enable) set port qos 5/5 policy-source local
QoS policy source set to local on port(s) 5/1-48.
This example shows the output if you attempt to set the policy source to COPS and no COPS servers are available:
Console> (enable) set port qos 5/5 policy-source cops
QoS policy source for the switch set to COPS.
Warning: No COPS servers configured. Use the `set cops server' command
to configure COPS servers.
This example shows the output if you set the policy source to COPS and the switch is set to local configuration (using the set qos policy-source command):
Console> (enable) set port qos 5/5 policy-source cops
QoS policy source set to COPS on port(s) 5/1-48.
Warning: QoS policy source for the switch set to use local configuration.
Related Commands
clear qos config
show port qos
set port qos trust
To set the trusted state of a port (for example, whether or not the packets arriving at a port are trusted to carry the correct classification), use the set port qos trust command.
set port qos mod/ports... trust {untrusted | trust-cos | trust-ipprec | trust-dscp}
Syntax Description
mod/ports... | Number of the module and the ports on the module.
untrusted | Specifies that packets need to be reclassified from the matching access control entry (ACE).
trust-cos | Specifies that although the CoS bits in the incoming packets are trusted, the ToS is invalid and a valid value needs to be derived from the CoS bits.
trust-ipprec | Specifies that although the ToS and CoS bits in the incoming packets are trusted, the ToS is invalid and the ToS is set as IP precedence.
trust-dscp | Specifies that the ToS and CoS bits in the incoming packets can be accepted as is with no change.
Defaults
The default is untrusted; when you disable QoS, the default is trust-cos on Layer 2 switches and trust-dscp on Layer 3 switches.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
When you disable QoS, the default is trust-cos on Layer 2 switches and trust-dscp on Layer 3 switches.
This command is not supported by the NAM.
On 10/100 ports, the set port qos trust command can be used only to activate the receive-drop thresholds. To configure a trusted state on these ports, you have to convert the port to port-based QoS, define an ACL that defines all (or the desired subset) of ACEs to be trusted, and attach the ACL to that port.
Examples
This example shows how to set the port to a trusted state:
Console> (enable) set port qos 3/7 trust trust-cos
Port 3/7 qos set to trust-cos.
This example shows the output if you try to set the trust state on a 10/100 port:
Console> (enable) set port qos 3/28 trust trust-cos
Trust type trust-cos not supported on this port.
Receive thresholds are enabled on port 3/28.
Port 3/28 qos set to untrusted.
Related Commands
set port qos
set port qos cos
show port qos
show qos info
set port qos trust-device
To configure the trust mode on a port on a specific device or module, use the set port qos trust-device command.
set port qos mod/ports... trust-device {none | ciscoipphone}
Syntax Description
mod/ports... | Number of the module and the ports on the module.
none | Sets the device trust mode to disable.
ciscoipphone | Trusts only Cisco IP phones.
Defaults
By default, the device trust mode for each port is set to none.
Command Types
Switch command.
Command Modes
Privileged.
Examples
This example shows how to trust only Cisco IP phones on port 4/1:
Console> (enable) set port qos 4/1 trust-device ciscoipphone
Port 4/1 set to only trust device of type ciscoIPPhone.
This example shows how to disable the device trust on port 4/1:
Console> (enable) set port qos 4/1 trust-device none
Port 4/1 trust device feature disabled.
Related Commands
show port qos
set port qos trust-ext
To configure the access port on a Cisco IP phone connected to the switch port, use the set port qos trust-ext command.
set port qos mod/ports... trust-ext {trusted | untrusted}
Syntax Description
mod/ports... | Number of the module and the ports on the module.
trusted | Specifies that all traffic received through the access port passes through the phone switch unchanged.
untrusted | Specifies that all traffic in 802.1Q or 802.1p frames received through the access port is marked with a configured Layer 2 CoS value.
Defaults
The default when the phone is connected to a Cisco LAN switch is untrusted mode; trusted mode is the default when the phone is not connected to a Cisco LAN switch.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
This command is not supported by the NAM.
Traffic in frame types other than 802.1Q or 802.1p passes through the phone switch unchanged, regardless of the access port trust state.
Examples
This example shows how to set the trust extension on ports on the connected phone to a trusted state:
Console> (enable) set port qos 3/7 trust-ext trusted
Port in the phone device connected to port 3/7 is configured to be trusted.
Related Commands
set port qos
set port qos cos
show qos info
show port qos
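A review aid for the three trust commands above (set port qos trust, trust-device and trust-ext), added here as an example and not part of Cisco's documentation: it replays CatOS configuration lines into per-port state using the defaults stated on this page and reports ports whose QoS markings are accepted from any attached device. The sample configuration, the function names and the two finding labels are constructed for illustration, and the policy that marking trust should be limited to Cisco IP phones is an assumption.

```python
import re
from dataclasses import dataclass

# Allowed values per keyword, taken from the syntax descriptions on this page.
ALLOWED = {
    "trust": {"untrusted", "trust-cos", "trust-ipprec", "trust-dscp"},
    "trust-device": {"none", "ciscoipphone"},
    "trust-ext": {"trusted", "untrusted"},
}


@dataclass
class PortQos:
    # Defaults as stated on this page (QoS enabled, phone attached to a Cisco LAN switch).
    trust: str = "untrusted"
    trust_device: str = "none"
    trust_ext: str = "untrusted"


PORT_ITEM = re.compile(r"(\d+)/(\d+)(?:-(\d+))?")
QOS_LINE = re.compile(r"set port qos (\S+) (trust|trust-device|trust-ext) (\S+)")


def expand_ports(spec):
    """Expand a mod/ports... value such as '1/1-4,2/6-8' into single ports."""
    ports = []
    for item in spec.split(","):
        m = PORT_ITEM.fullmatch(item.strip())
        if m is None:
            raise ValueError(f"unsupported port specification: {item!r}")
        mod, first = int(m.group(1)), int(m.group(2))
        last = int(m.group(3)) if m.group(3) else first
        if last < first:
            raise ValueError(f"descending port range: {item!r}")
        ports.extend(f"{mod}/{n}" for n in range(first, last + 1))
    return ports


def parse_config(text):
    """Replay the trust-related lines in order; a later line overrides an earlier one."""
    state = {}
    for raw in text.splitlines():
        m = QOS_LINE.fullmatch(raw.strip())
        if m is None:
            continue  # not one of the three trust commands
        spec, keyword, value = m.groups()
        if value not in ALLOWED[keyword]:
            raise ValueError(f"unknown {keyword} value: {value!r}")
        for port in expand_ports(spec):
            entry = state.setdefault(port, PortQos())
            setattr(entry, keyword.replace("-", "_"), value)
    return state


def audit(text):
    """Return (port, finding) pairs under the assumed policy described in the lead-in."""
    findings = []
    for port, qos in parse_config(text).items():
        if qos.trust == "untrusted":
            continue  # the switch reclassifies from the matching ACE
        if qos.trust_device == "none":
            # Markings are trusted no matter what is plugged into the port.
            findings.append((port, "trusts-any-device"))
        if qos.trust_ext == "trusted":
            # The phone passes traffic from its access port unchanged, and the
            # switch port then trusts those markings.
            findings.append((port, "pc-markings-honoured"))
    return sorted(findings, key=lambda f: ([int(n) for n in f[0].split("/")], f[1]))


# Constructed sample configuration (not taken from a real switch).
SAMPLE_CONFIG = """\
set port qos 3/1-4 trust trust-cos
set port qos 3/1-2 trust-device ciscoipphone
set port qos 3/2 trust-ext trusted
set port qos 4/1 trust trust-dscp
set port qos 4/2 trust untrusted
set port qos 4/2 trust-ext trusted
set port qos 2/1 cos 3
set port qos 5/5 policy-source local
"""

if __name__ == "__main__":
    for port, finding in audit(SAMPLE_CONFIG):
        print(f"{port}: {finding}")
```

Port 4/2 is not reported because its switch port stays untrusted, so the phone's trust-ext setting has no marking for the switch to honour.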
set port rsvp dsbm-election
To specify whether or not the switch participates in the Designated Subnet Bandwidth Manager (DSBM) election on that particular segment, use the set port rsvp dsbm-election command.
set port rsvp mod/port dsbm-election {enable | disable} [dsbm_priority]
Syntax Description
mod/port | Number of the module and the port.
enable | Enables participation in the DSBM election.
disable | Disables participation in the DSBM election.
dsbm_priority | (Optional) DSBM priority; valid values are from 128 to 255.
Defaults
By default, DSBM is disabled; the default dsbm_priority is 128.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
This command is not supported by the NAM.
Examples
This example shows how to enable participation in the DSBM election:
Console> (enable) set port rsvp 2/1,3/2 dsbm-election enable 232
DSBM election enabled for ports 2/1,3/2.
DSBM priority set to 232 for ports 2/1,3/2.
This DSBM priority will be used during the next election process.
This example shows how to disable participation in the DSBM election:
Console> (enable) set port rsvp 2/1 dsbm-election disable
DSBM election disabled for ports(s) 2/1.
This example shows the output when you enable participation in the DSBM election on a port that is not forwarding:
Console> (enable) set port rsvp 2/1,3/2 dsbm-election enable 232
DSBM enabled and priority set to 232 for ports 2/1,3/2.
Warning: Port 2/1 not forwarding. DSBM negotiation will start after port starts forwarding
on the native vlan.
Related Commands
show port rsvp
set port security
To configure port security on a port or range of ports, use the set port security command.
set port security mod[/port...] [enable | disable] [mac_addr] [age {age_time}]
[maximum {num_of_mac}] [shutdown {shutdown_time}] [unicast-flood {enable | disable}]
[violation {shutdown | restrict}]
set port security mod/port timer-type {absolute | inactivity}
set port security auto-configure {enable | disable}
set port security mod/port mac_addr [vlan_list]
Syntax Description
mod[/port...] | Number of the module and optionally, the port on the module.
enable | (Optional) Enables port security or unicast flooding.
disable | (Optional) Disables port security or unicast flooding.
mac_addr | (Optional) Secure MAC address of the enabled port.
age age_time | (Optional) Specifies the duration for which addresses on the port will be secured; valid values are 0 (to disable) and from 1 to 1440 (minutes).
maximum num_of_mac | (Optional) Specifies the maximum number of MAC addresses to secure on the port; valid values are from 1 to 4097.
shutdown shutdown_time | (Optional) Specifies the duration for which a port will remain disabled in case of a security violation; valid values are 0 (to disable) and from 1 to 1440 (minutes).
unicast-flood | (Optional) Specifies unicast flooding.
violation | (Optional) Specifies the action to be taken in the event of a security violation.
shutdown | (Optional) Shuts down the port in the event of a security violation.
restrict | (Optional) Restricts packets from unsecure hosts.
mod/port | Number of the module and the port on the module.
timer-type | Specifies the type of aging to be applied to the autoconfigured addresses on a per-port basis.
absolute | Specifies absolute aging. See the "Usage Guidelines" section for more information.
inactivity | Specifies inactivity aging. See the "Usage Guidelines" section for more information.
auto-configure | Automatically configures all learned MAC addresses on a secure port. See the "Usage Guidelines" section for more information.
enable | Enables the automatic configuration feature.
disable | Disables the automatic configuration feature.
mac_addr | MAC address. See the "Usage Guidelines" section for more information.
vlan_list | (Optional) VLAN or list of VLANs. See the "Usage Guidelines" section for more information.
Defaults
The default port security configuration is as follows:
• Port security is disabled.
• Number of secure addresses per port is one.
• Violation action is shutdown.
• Age is permanent. (Addresses are not aged out.)
• Shutdown time is indefinite.
• Timer type is set to absolute aging.
• Unicast flooding is enabled.
• The automatic configuration feature is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
This command is not supported by the NAM.
If you enter the set port security enable command but do not specify a MAC address, the first MAC address seen on the port becomes the secure MAC address.
You can specify the number of MAC addresses to secure on a port. You can add MAC addresses to this list of secure addresses. If you change the number of addresses to a value that is less than the current value, some configured addresses might be cleared. A warning message displays when you attempt to reduce the number of addresses.
The set port security violation command allows you to specify whether you want the port to shut down or to restrict access to insecure MAC addresses only. The shutdown time allows you to specify the duration of shutdown in the event of a security violation.
We recommend that you configure the age timer and the shutdown timer if you want to move a host from one port to another when port security is enabled on those ports. If the age_time value is less than or equal to the shutdown_time value, the moved host will function again in an amount of time equal to the shutdown_time value. The age timer begins upon learning the first MAC address, and the disable timer begins when there is a security violation.
If you disable unicast flooding on a port, the port will drop unicast flood packets when it reaches the maximum number of MAC addresses allowed.
You can secure only unicast MAC addresses through the CLI. Unicast MAC addresses can also be learned dynamically. Multicast MAC addresses cannot be secured.
You can apply one of two types of aging for automatically learned addresses on a secure port:
• Absolute aging times out the MAC address after the age_time has been exceeded, regardless of the traffic pattern. This is the default for any secured port, and the age_time is set to 0.
• Inactivity aging times out the MAC address only after the age_time of inactivity from the corresponding host has been exceeded.
Enabling the automatic configuration feature automatically configures learned MAC addresses on secure ports. If a secure port shuts down because of a violation, if the port is disabled, or if port security is disabled, all learned MAC addresses are converted to configured MAC addresses and retained on the port. If this feature is disabled and the secure port experiences any of the same conditions, all learned MAC addresses are cleared.
When you configure a MAC address on a port, you can associate a VLAN or multiple VLANs with that MAC address by entering the set port security mod/port mac_addr [vlan_list] command. If you do not specify a vlan_list argument, the MAC address is configured on the native VLAN of the specified port.
Examples
This example shows how to set port security with a learned MAC address:
Console> (enable) set port security 3/1 enable
Port 3/1 port security enabled with the learned mac address.
This example shows how to set port security with a specific MAC address:
Console> (enable) set port security 3/1 enable 00-02-03-04-05-06
Port 3/1 port security enabled with 00-02-03-04-05-06 as the secure mac address.
This example shows how to set the maximum MAC address limit to 10:
Console> (enable) set port security 3/37 max 10
Setting the Maximum Addresses Limit to a value lesser than the
current value might result in configured addresses getting cleared
Do you want to continue (y/n) [n]?y
Port 3/37 security maximum address 10.
This example shows how to set the shutdown time to 600 minutes on port 7/7:
Console> (enable) set port security 7/7 shutdown 600
Secure address shutdown time set to 600 minutes for port 7/7.
This example shows how to configure the port to drop all packets that are coming in on the port from insecure hosts:
Console> (enable) set port security 7/7 violation restrict
Port security violation on port 7/7 will cause insecure packets to be dropped.
This example shows how to enable unicast flooding on port 4/1:
Console> (enable) set port security 4/1 unicast-flood enable
Port 4/1 security flood mode set to enable.
This example shows how to disable unicast flooding on port 4/1:
Console> (enable) set port security 4/1 unicast-flood disable
WARNING: Trunking & Channelling will be disabled on the port.
Port 4/1 security flood mode set to disable.
This example shows how to set the aging type on a port to absolute aging:
Console> (enable) set port security 5/1 timer-type absolute
Port 5/1 security timer type absolute.
This example shows how to set the aging type on a port to inactivity aging:
Console> (enable) set port security 5/1 timer-type inactivity
Port 5/1 security timer type inactive.
This example shows how to enable the automatic configuration feature:
Console> (enable) set port security auto-configure enable
Automatic configuration of secure learnt addresses enabled.
This example shows how to associate a MAC address with a list of VLANs:
Console> (enable) set port security 3/37 00-00-aa-00-00-aa 20,30
Mac address 00-00-aa-00-00-aa set for port 3/37 on vlan 20.
Mac address 00-00-aa-00-00-aa set for port 3/37 on vlan 30.
This example shows what happens if you configure a secure MAC address without specifying the vlan_list argument. Note that the MAC address is automatically configured on the native VLAN:
Console> (enable) set port security 3/38 00-00-aa-00-00-aa
Mac address 00-00-aa-00-00-aa set for port 3/38 on vlan 1
If a specified VLAN is not the native VLAN of the port (in the case of an access port) or if it is not an allowed VLAN on a trunk port, the command results in these messages:
Console> (enable) set port security 3/38 00-00-aa-00-00-aa 20
Vlan 20 is not the native vlan for access port 3/38.
Console> (enable) set port security 3/37 00-00-aa-00-00-aa 20,30,100
Vlan 100 is not a configured vlan on trunk/vvid port 3/37
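As an added example (not part of the Cisco documentation), the following Python sketch lints a change script of per-port set port security commands against the value ranges, keywords, unicast-only rule and defaults stated above, then merges the valid commands per port. Accepting any unique keyword prefix (the page's own example uses max for maximum) and the mod/port range expansion are assumptions; the global auto-configure form is not handled.

```python
import re

# Ranges and keyword choices copied from the Syntax Description above.
RANGES = {"age": (0, 1440), "maximum": (1, 4097), "shutdown": (0, 1440)}
CHOICES = {"unicast-flood": ("enable", "disable"), "violation": ("shutdown", "restrict"),
           "timer-type": ("absolute", "inactivity")}
FLAGS = ("enable", "disable")
KEYWORDS = FLAGS + tuple(RANGES) + tuple(CHOICES)
# Per-port defaults copied from the Defaults section above (0 = timer off).
DEFAULTS = {"state": "disable", "maximum": 1, "violation": "shutdown", "age": 0,
            "shutdown": 0, "timer-type": "absolute", "unicast-flood": "enable"}
MAC_RE = re.compile(r"^[0-9a-f]{2}(-[0-9a-f]{2}){5}$", re.I)
PORT_RE = re.compile(r"^\d+(/\d+(-\d+)?)?(,\d+(/\d+(-\d+)?)?)*$")
VLANS_RE = re.compile(r"^\d+(,\d+)*$")

def expand(token, candidates):
    """Resolve a keyword or a unique prefix of one (prefix rule is an assumption)."""
    hits = [c for c in candidates if c.startswith(token)]
    return hits[0] if len(hits) == 1 else None

def ports_in(spec):
    """Expand '2/1,3/2' or '7/4-8' into individual mod/port names."""
    out = []
    for part in spec.split(","):
        mod, _, rng = part.partition("/")
        lo, _, hi = rng.partition("-")
        out += [f"{mod}/{p}" for p in range(int(lo), int(hi or lo) + 1)] if rng else [mod]
    return out

def lint(line):
    """Check one per-port command against the page's syntax; return (settings, errors)."""
    tokens, settings, errors = line.split(), {}, []
    if tokens[:3] != ["set", "port", "security"] or len(tokens) < 5:
        return settings, ["not a complete set port security command"]
    if not PORT_RE.match(tokens[3]):
        return settings, [f"bad mod/port: {tokens[3]}"]
    settings["port"], args = tokens[3], tokens[4:]
    while args:
        tok = args.pop(0)
        if MAC_RE.match(tok):
            if int(tok[:2], 16) & 1:  # I/G bit set: multicast or broadcast
                errors.append(f"{tok} is not unicast and cannot be secured")
            else:
                settings["mac"] = tok.lower()
            if args and VLANS_RE.match(args[0]):  # optional vlan_list after the MAC
                settings["vlans"] = [int(v) for v in args.pop(0).split(",")]
            continue
        key = expand(tok, KEYWORDS)
        if key is None:
            errors.append(f"unknown keyword: {tok}")
        elif key in FLAGS:
            settings["state"] = key
        elif not args:
            errors.append(f"{key} needs a value")
        elif key in RANGES:
            raw, (lo, hi) = args.pop(0), RANGES[key]
            if raw.isdigit() and lo <= int(raw) <= hi:
                settings[key] = int(raw)
            else:
                errors.append(f"{key} {raw} is outside {lo}-{hi}")
        else:
            raw = args.pop(0)
            settings[key] = expand(raw, CHOICES[key])
            if settings[key] is None:
                errors.append(f"{key} does not accept {raw}")
    return settings, errors

def effective(lines):
    """Apply error-free commands in order on top of the documented defaults."""
    ports = {}
    for line in lines:
        settings, errors = lint(line)
        if not errors:
            for port in ports_in(settings.pop("port")):
                ports.setdefault(port, dict(DEFAULTS)).update(settings)
    return ports

# Constructed change script: first five lines reuse the page's examples, last two are bad on purpose.
SAMPLE = [
    "set port security 3/1 enable 00-02-03-04-05-06",
    "set port security 3/37 max 10",
    "set port security 7/7 shutdown 600",
    "set port security 7/7 violation restrict",
    "set port security 3/37 00-00-aa-00-00-aa 20,30",
    "set port security 5/2 enable 01-00-5e-00-00-01",  # multicast MAC
    "set port security 5/2 age 2000",                  # age above 1440
]

if __name__ == "__main__":
    print(effective(SAMPLE))
```

In the merged result, port 7/7 carries a shutdown timer and a restrict action while its state is still the documented default of disable, which is the kind of gap worth catching before the script is applied.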
Related Commands
clear port security
show config
show port security
set port security-acl
To specify the port access control list (PACL) mode, use the set port security-acl command.
set port security-acl mod/ports... {port-based | vlan-based | merge}
Syntax Description
mod/ports... | Number of the module and the ports on the module.
port-based | Specifies the mode in which the PACL overrides the VACL and RACL.
vlan-based | Specifies the mode in which the VACL and RACL override the PACL.
merge | Specifies the mode in which the ingress PACL, VACL, and RACL merge.
Defaults
The port security ACL mode is vlan-based to keep the existing VACL configuration active.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
Configuring port access control lists is only available on PFC3-based forwarding engines.
For more information about PACLs, refer to the "Configuring Access Control" chapter of the Catalyst 6500 Series Switch Software Configuration Guide.
Examples
This example shows how to set the PACL mode to port-based mode on port 3/1:
Console> (enable) set port security-acl 3/1 port-based
Warning: Vlan-based ACL features will be disabled on port(s) 3/1.
ACL interface is set to port-based mode for port(s) 3/1.
This example shows how to set the PACL mode to VLAN-based mode on port 3/1:
Console> (enable) set port security-acl 3/1 vlan-based
ACL interface is set to vlan-based mode for port(s) 3/1.
This example shows how to set the PACL mode to merge mode on port 3/1:
Console> (enable) set port security-acl 3/1 merge
ACL interface is set to merge mode for port(s) 3/1.
This example shows the message that displays when merge mode cannot work because a port is a trunk port:
Console> (enable) set port security-acl 3/1-4 merge
ACL interface cannot be in merge mode on multi-vlan access port 3/1.
ACL interface is set to merge mode for port(s) 3/2.
ACL interface is set to merge mode for port(s) 3/3.
ACL interface is set to merge mode for port(s) 3/4.
Related Commands
show port security-acl
set port speed
To configure the speed of a port interface, use the set port speed command.
set port speed mod/port {10 | 100 | 1000 | auto | auto-10-100}
Syntax Description
mod/port | Number of the module and the port on the module.
10 | 100 | 1000 | Sets a port speed for 10BASE-T, 100BASE-T, or 1000BASE-T ports.
auto | Specifies autonegotiation for transmission speed and duplex mode on 10/100 Fast Ethernet ports.
auto-10-100 | Specifies autonegotiation for speed and duplex mode on 10/100/1000 Fast Ethernet ports. Only 10-Mbps and 100-Mbps Fast Ethernet ports are negotiated; 1000-Mbps Fast Ethernet ports are not negotiated.
Defaults
The default is auto.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
This command is not supported by the NAM.
In most cases, autonegotiation manages transmission speed, duplex mode, the master link, and the slave link. The exception applies to 16-port 10/100/1000BASE-T Ethernet modules, where autonegotiation manages transmission speed only.
You can configure Fast Ethernet interfaces on the 10/100-Mbps Fast Ethernet switching module to either 10, 100, or 1000 Mbps, or to autosensing mode, allowing the interfaces to sense and distinguish between 10- and 100-Mbps port transmission speeds and full-duplex or half-duplex port transmission types at a remote port connection. If you set the interfaces to autosensing, they configure themselves automatically to operate at the proper speed and transmission type.
Examples
This example shows how to configure port 1, module 2 to auto:
Console> (enable) set port speed 2/1 auto
Port 2/1 speed set to auto-sensing mode.
This example shows how to configure the port speed on port 2, module 2 to 10 Mbps:
Console> (enable) set port speed 2/2 10
Port 2/2 speed set to 10 Mbps.
Related Commands
show port
set port sync-restart-delay
To specify the synchronization restart delay of a port, use the set port sync-restart-delay command.
set port sync-restart-delay mod/port delay
Syntax Description
mod/port | Number of the module and the port on the module.
delay | Delay time in milliseconds; the delay range is 200 to 60000 milliseconds (60 seconds).
Defaults
The default delay time is 210 milliseconds.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The more dense wavelength division multiplexing (DWDM) equipment you have in the network, the longer the synchronization delay usually needs to be.
The set port sync-restart-delay and show port sync-restart-delay commands are available in both binary mode and text configuration mode.
Use the clear config command to reset the synchronization delay to 210 milliseconds.
Examples
This example shows how to specify the synchronization restart delay for a specific port:
Console> (enable) show port sync-restart-delay
Port Sync restart delay in ms Sync restart delay in ms
----- ------------------------- -------------------------
Related Commands
clear config
show port sync-restart-delay
set port trap
To enable or disable the operation of the standard Simple Network Management Protocol (SNMP) link trap (up or down) for a port or range of ports, use the set port trap command.
set port trap mod/port {enable | disable}
Syntax Description
mod/port | Number of the module and the port on the module.
enable | Activates the SNMP link trap.
disable | Deactivates the SNMP link trap.
Defaults
By default, all port traps are disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
This command is not supported by the NAM.
To set SNMP traps, enter the set snmp trap command.
Examples
This example shows how to enable the SNMP link trap for module 1, port 2:
Console> (enable) set port trap 1/2 enable
Port 1/2 up/down trap enabled.
Related Commands
show port trap
set port unicast-flood
To configure the switch to drop Unicast Flood traffic on an Ethernet port, use the set port unicast-flood command.
set port unicast-flood mod/port {enable | disable}
Syntax Description
mod/port | Number of the module and the port on the module.
enable | Enables unicast flood and disables unicast flood blocking.
disable | Disables unicast flood and enables unicast flood blocking.
Defaults
Unicast flood blocking is disabled on all ports.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
Only Ethernet ports can block unicast flood traffic.
You must have a static CAM entry associated with the Ethernet port before you disable unicast flood on the port, or you will lose network connectivity when you disable unicast flood. You can verify a static CAM entry exists by entering the show cam static command.
You cannot configure a port channel on a unicast flood disabled port, and you cannot disable unicast flood on a port channel.
You cannot disable unicast flood on a SPAN destination port, and you cannot configure a SPAN destination on a unicast flood disabled port.
You cannot disable unicast flood on a trunk port. If you do, an error message will be displayed.
If you disable unicast flood on an Ethernet port that has port security enabled on it, the switch stops sending Unicast Flood packets to the port once the switch has learned the allowed maximum number of MAC addresses. When the learned MAC address count drops below the maximum number allowed, unicast flooding is automatically reenabled.
Unicast flood blocking and GARP VLAN Registration Protocol (GVRP) are mutually exclusive. You cannot disable unicast flood and exchange VLAN configuration information with GVRP switches at the same time.
Examples
This example shows how to disable unicast flood traffic on module 4, port 1 of a switch:
Console> (enable) set port unicast-flood 4/1 disable
WARNING: Trunking & Channelling will be disabled on the port.
Unicast Flooding is successfully disabled on the port 4/1.
This example shows how to enable unicast flood traffic on module 4, port 1 of a switch:
Console> (enable) set port unicast-flood 4/1 enable
Unicast Flooding is successfully enabled on the port 4/1.
Related Commands
show port unicast-flood
set port vlan-mapping
To configure VLAN mapping on a per-port basis, use the set port vlan-mapping command.
set port vlan-mapping mod/port {enable | disable}
set port vlan-mapping mod/port source_vlan_id translated_vlan_id
Syntax Description
mod/port | Number of the module and the port on the module.
enable | Enables VLAN mapping.
disable | Disables VLAN mapping.
source_vlan_id | Number of the source VLAN; valid values are from 1 to 4094.
translated_vlan_id | Number of the VLAN that is mapped to the source VLAN; valid values are from 1 to 4094.
Defaults
VLAN mapping is disabled on all ports.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
VLAN mapping occurs only if you enter the set port vlan-mapping mod/port enable command and only if the port is operationally trunking. The set port vlan-mapping mod/port source_vlan_id translated_vlan_id command takes effect only after VLAN mapping is enabled.
When you enable VLAN mapping and specify a source_vlan_id value and a translated_vlan_id value, traffic coming in on a trunk port with the source_vlan_id value is translated to the VLAN with the translated_vlan_id value. Also, any traffic internally tagged with the translated_vlan_id value is tagged with the source_vlan_id value before leaving the port.
Some port ASICs support VLAN mapping only on a per-ASIC basis, but VLAN mapping is enabled or disabled on a per-port basis. With these types of ASICs, the set port vlan-mapping mod/port {enable | disable} command is applied only to the port configuration and not to the ASIC.
You cannot enable global VLAN mapping and per-port/per-ASIC VLAN mapping simultaneously.
Examples
This example shows how to enable VLAN mapping on a specified port:
Console> (enable) set port vlan-mapping 7/1 enable
VLAN mapping enabled on port 7/1.
This example shows how to enable port VLAN mapping and to configure VLAN mapping on an individual port. In this example, module 7 is the 48-port 10/100/1000 switching module (WS-X6748-GE-TX). This module supports per-ASIC VLAN mapping; 1 ASIC supports 12 ports.
Console> (enable) set port vlan-mapping 7/1 enable
VLAN mapping enabled on port 7/1.
Console> (enable) set port vlan-mapping 7/1 2002 3003
VLAN 2002 mapped to VLAN 3003 on ports 7/1-12.
In this example, module 5 is the 1-port 10GBASE-E serial 10-Gigabit Ethernet module (WS-X6502-10GE). This module supports per-port VLAN mapping.
Console> (enable) set port vlan-mapping 5/1 2002 3003
VLAN 2002 mapped to VLAN 3003 on port 5/1.
In this example, module 7 is the 48-port 10/100/1000 switching module (WS-X6748-GE-TX). This module supports per-ASIC VLAN mapping; 1 ASIC supports 12 ports. In this example, ports 7/1-4 are part of an EtherChannel.
Console>(enable) set port vlan-mapping 7/1 2002 3003
VLAN 2002 mapped to VLAN 3003 on ports 7/1-12.
Related Commands
clear port vlan-mapping
show port vlan-mapping
set port voice interface dhcp
To set the port voice interface for the DHCP, TFTP, and DNS servers, use the set port voice interface dhcp command.
set port voice interface mod/port dhcp enable [vlan vlan]
set port voice interface mod/port dhcp disable {ipaddrspec} {tftp ipaddr} [vlan vlan]
[gateway ipaddr] [dns [ipaddr] [domain_name]]
Syntax Description
mod/port | Number of the module and the port on the module.
enable | Activates the SNMP link trap.
vlan vlan | (Optional) Specifies a VLAN interface; valid values are from 1 to 4094.
disable | Deactivates the SNMP link trap.
ipaddrspec | IP address and mask; see the "Usage Guidelines" section for format instructions.
tftp ipaddr | Specifies the number of the TFTP server IP address or IP alias in dot notation a.b.c.d.
gateway ipaddr | (Optional) Specifies the number of the gateway server IP address or IP alias in dot notation a.b.c.d.
dns | (Optional) Specifies the DNS server.
ipaddr | (Optional) Number of the DNS IP address or IP alias in dot notation a.b.c.d.
domain_name | (Optional) Name of the domain.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The ipaddrspec format is {ipaddr} {mask} or {ipaddr}/{mask} {mask}. The mask is a dotted format (255.255.255.0) or number of bits (0 to 31).
You can specify a single port only when setting the IP address.
If you enable DHCP on a port, the port obtains all other configuration information from the TFTP server. When you disable DHCP on a port, the following mandatory parameters must be specified:
• If you do not specify DNS parameters, the software uses the system DNS configuration on the supervisor engine to configure the port.
• You cannot specify more than one port at a time because a unique IP address must be set for each port.
Examples
This example shows how to enable the port voice interface for the DHCP server:
Console> (enable) set port voice interface 7/4-8 dhcp enable
This example shows how to disable the set port voice interface DHCP server:
Console> (enable) set port voice interface 7/3 dhcp disable 171.68.111.41/24 tftp
173.32.43.11 dns 172.20.34.204 cisco.com
System DNS configurations applied.
This example shows how to enable the port voice interface for the DHCP server with a specified VLAN:
Console> (enable) set port voice interface 7/4-6 dhcp enable vlan 3
Vlan 3 configuration successful
Ports 7/4-6 DHCP enabled.
This example shows how to enable the port voice interface for the TFTP, DHCP, and DNS servers:
Console> (enable) set port voice interface dhcp enable 4/2 171.68.111.41 tftp 173.32.43.11
dhcp 198.98.4.1 dns 189.69.24.192
IP address: 171.68.111.41 netmask 255.255.0.0
TFTP server: 173.32.43.11
DNS server: 189.69.24.192
This example shows how to enable a single port voice interface:
Console> (enable) set port voice interface 4/2-9 dhcp 123.23.32.1/24
Single port must be used when setting the IP address.
Related Commands
show port voice interface
set port vtp
To enable or disable VLAN Trunk Protocol (VTP) on a per-port basis, use the set port vtp command.
set port vtp mod/port {enable | disable}
Syntax Description
mod/port | Number of the module and the port on the module.
enable | Activates VTP.
disable | Deactivates VTP.
Defaults
VTP is enabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The set port vtp command allows you to enable or disable any kind of VTP interaction on a per-port basis, which may be useful on trunks leading to non-trusted hosts. When a port is disabled, no VTP packet is sent on the port, and any VTP packet received on the port is dropped.
Examples
This example shows how to disable VTP on ports 1 and 2 on module 1:
Console> (enable) set port vtp 1/1-2 disable
Port(s) 1/1-2 will no longer participate in VTP.
Related Commands
set vtp
show port vtp
show vtp
set port web-auth
To enable or disable web-based proxy authentication on a port or to specify an AAA fail policy for web-based proxy authentication, use the set port web-auth command.
set port web-auth mod/port {disable | enable}
set port web-auth mod/port aaa-fail-policy policy-name
set port web-auth mod/port ip-device-tracking {enable | disable}
Syntax Description
mod/port | Module and port number.
disable | Disables web-based proxy authentication on a port.
enable | Enables web-based proxy authentication on a port.
aaa-fail-policy | Maps an AAA fail policy for web-based proxy authentication to a specified port.
policy-name | Policy name to be mapped to the port.
ip-device-tracking | Tracks the host using its IP address.
disable | Disables IP device tracking.
enable | Enables IP device tracking.
Defaults
Disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
Note
If you have disabled web-based proxy authentication globally, web-based proxy authentication on a port may not start but will be stored in the configuration.
You must enable web-based proxy authentication globally before entering the set port web-auth command. To enable web-based proxy authentication globally, use the set web-auth command.
Before you can use the set port web-auth mod/port aaa-fail-policy policy-name command, the template for the policy must be created.
After you have specified a policy template for a port, any changes to the policy template affect only those hosts that have been moved to AAA fail state after the policy template was changed. Hosts in already existing sessions use the policy template as it was before any changes were made.
When you specify a different policy for a port, hosts in already existing sessions maintain the previously specified policy. The newly specified policy affects only new hosts entering AAA fail state.
Examples
This example shows how to enable web-based proxy authentication on a port:
Console> (enable) set port web-auth 1/1 enable
web-authentication successfully enabled on Interface 1/1.
This example shows how to disable web-based proxy authentication on a port:
Console> (enable) set port web-auth 1/1 disable
web-authentication successfully disabled on Interface 1/1.
This example shows how to enable IP device tracking for web-based proxy authentication on a port:
Console> (enable) set port web-auth 2/25 ip-device-tracking enable
Port 2/25 Web-auth ip-device-tracking is enabled
Related Commands
clear web-auth
set port critical
set port web-auth initialize
set web-auth
set web-auth login-attempts
set web-auth login-fail-page
set web-auth login-page
set web-auth quiet-timeout
set web-auth session-timeout
show port web-auth
show web-auth summary
set port web-auth initialize
To initialize a web-based proxy authentication port for authentication again, use the set port web-auth initialize command.
set port web-auth mod/port initialize [ip_addr]
Syntax Description
mod/port | Module and port number.
ip_addr | (Optional) Host IP address.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
When you initialize the port by entering the set port web-auth