Catalyst 6500 Series Command Reference, 8.7
set port auxiliaryvlan to set rcp username

Table Of Contents

set port auxiliaryvlan

set port broadcast

set port channel

set port cops

set port critical

set port debounce

set port description

set port dhcp-snooping

set port disable

set port dot1q-all-tagged

set port dot1q-ethertype

set port dot1qtunnel

set port dot1x

set port duplex

set port enable

set port eou

set port errdisable-timeout

set port errordetection

set port ethernet-cfm

set port ethernet-oam

set port ethernet-oam action

set port ethernet-oam link-monitor

set port ethernet-oam mode

set port ethernet-oam remote-loopback

set port flexlink

set port flowcontrol

set port gmrp

set port gvrp

set port host

set port inlinepower

set port jumbo

set port l2protocol-tunnel

set port lacp-channel

set port mac-auth-bypass

set port macro

set port membership

set port mvrp

set port name

set port negotiation

set port protocol

set port qos

set port qos autoqos

set port qos cos

set port qos policy-source

set port qos trust

set port qos trust-device

set port qos trust-ext

set port rsvp dsbm-election

set port security

set port security-acl

set port speed

set port sync-restart-delay

set port trap

set port unicast-flood

set port vlan-mapping

set port voice interface dhcp

set port vtp

set port web-auth

set port web-auth initialize

set power redundancy

set prompt

set protocolfilter

set pvlan

set pvlan mapping

set qos

set qos acl default-action

set qos acl ip

set qos acl ipx

set qos acl mac

set qos acl map

set qos autoqos

set qos bridged-microflow-policing

set qos cos-cos-map

set qos cos-dscp-map

set qos drop-threshold

set qos dscp-cos-map

set qos dscp-mutation-map

set qos dscp-mutation-table-map

set qos dscp-rewrite

set qos ipprec-dscp-map

set qos mac-cos

set qos map

set qos policed-dscp-map

set qos policer

set qos policy-source

set qos rsvp

set qos rxq-ratio

set qos statistics export

set qos statistics export aggregate

set qos statistics export destination

set qos statistics export interval

set qos statistics export port

set qos txq-ratio

set qos wred

set qos wrr

set radius attribute

set radius auto-initialize

set radius deadtime

set radius keepalive

set radius key

set radius retransmit

set radius server

set radius timeout

set rate-limit

set rcp username



set port auxiliaryvlan

To configure the auxiliary VLAN ports, use the set port auxiliaryvlan command.

set port auxiliaryvlan mod[/port] {vlan | untagged | dot1p | none} [cdpverify {enable | disable}]

Syntax Description

mod[/port]

Number of the module and (optional) port or multiple ports.

vlan

Number of the VLAN; valid values are from 1 to 4094.

untagged

Specifies that the connected device sends and receives untagged packets without 802.1p priority.

dot1p

Specifies that the connected device sends and receives packets with 802.1p priority.

none

Specifies that the switch does not send any auxiliary VLAN information in the CDP packets from that port.

cdpverify

(Optional) Sets automatic detection of IP phones by using CDP.

enable

(Optional) Enables the automatic detection of IP phones.

disable

(Optional) Disables the automatic detection of IP phones.


Defaults

The default setting is none.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

If you do not specify a port, all ports are selected.

The vlan option specifies that the connected device sends packets that are tagged with a specific VLAN.

If you enter the none option, voice information will not be sent or received.

Dynamic VLAN support for voice VLAN identifier (VVID) includes these restrictions to the following multiple VLAN access port (MVAP) configuration on the switch port:

You can configure any VVID on a dynamic port including dot1p and untagged, except when the VVID is equal to dot1p or untagged. If this is the case, you must configure VMPS with the MAC address of the IP phone. When you configure the VVID as dot1p or untagged on a dynamic port, this warning message is displayed:

VMPS should be configured with the IP phone mac's.

For dynamic ports, the auxiliary VLAN ID cannot be the same as the native VLAN ID assigned by VMPS for the dynamic port.

You cannot configure trunk ports as dynamic ports, but an MVAP can be configured as a dynamic port.

The presence of an IP phone is determined through CDP packet exchange between the switch and the phone. This detection method is used for both inline-powered IP phones and wall-powered IP phones.

If the auxiliary VLAN ID equals the port-VLAN ID or when the auxiliary VLAN ID is configured as none, dot1p, or untagged, this feature cannot be applied to the port. If any command entry results in the auxiliary VLAN ID equaling the port-VLAN ID, the feature is disabled and the following warning message is displayed:

cdpverify feature on port mod/port is disabled.

Examples

This example shows how to set the auxiliary VLAN port to untagged:

Console> (enable) set port auxiliaryvlan 5/7 untagged
Port 5/7 allows the connected device send and receive untagged packets and 
without 802.1p priority.  
Console> (enable)

This example shows how to set the auxiliary VLAN port to dot1p:

Console> (enable) set port auxiliaryvlan 5/9 dot1p
Port 5/9 allows the connected device send and receive packets with 802.1p priority.
Console> (enable)

This example shows how to set the auxiliary VLAN port to none:

Console> (enable) set port auxiliaryvlan 5/12 none 
Port 5/12 will not allow sending CDP packets with AuxiliaryVLAN information.
Console> (enable)

This example shows how to set the auxiliary VLAN port to a specific module, port, and VLAN:

Console> (enable) set port auxiliaryvlan 2/1-3 222 
Auxiliaryvlan 222 configuration successful.
AuxiliaryVlan AuxVlanStatus Mod/Ports
------------- ------------- -------------------------
222           active        1/2,2/1-3
Console> (enable)

Related Commands

show port auxiliaryvlan

set port broadcast

To set broadcast, multicast, or unicast suppression for one or more ports, use the set port broadcast command. The threshold limits the backplane traffic received from the module.

set port broadcast mod/port threshold% [violation {drop-packets | errdisable}] [multicast {enable | disable}] [unicast {enable | disable}]

Syntax Description

mod/port

Number of the module and the port on the module.

threshold%

Percentage of total available bandwidth that can be used by traffic; valid values are decimal numbers from 0.00% to 100% or whole numbers from 0% to 100%.

violation

(Optional) Specifies an action when suppression occurs.

drop-packets

(Optional) Drops packets when suppression occurs.

errdisable

(Optional) Errdisables the port when suppression occurs.

multicast

(Optional) Specifies multicast suppression.

enable | disable

(Optional) Enables or disables the suppression type.

unicast

(Optional) Specifies unicast suppression.


Defaults

The default is 100% (no broadcast limit).

The default action is drop-packets if a broadcast violation occurs.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

This command is not supported by the NAM.

You can enter the threshold value in two ways:

A decimal number followed by a percent sign (for example 0.33%)

A whole number followed by a percent sign (for example 33%)

The percent sign (%) is required when entering the threshold value.

The multicast and unicast keywords are supported on Gigabit Ethernet modules only.

If you enter the command without using the multicast or unicast keyword, only broadcast traffic is suppressed. If you enter the multicast or unicast keyword, both broadcast and the selected traffic type are suppressed.

Examples

This example shows how to limit broadcast traffic to 20 percent:

Console> (enable) set port broadcast 4/3 20%
Port 4/3 broadcast traffic limited to 20.00%.
Console> (enable) 

This example shows how to limit broadcast traffic to 90 percent and to errdisable when suppression occurs:

Console> (enable) set port broadcast 4/6 90% violation errdisable
Port 4/6 broadcast traffic limited to 90.00%.
On broadcast suppression port 4/6 is configured to move to errdisabled state.
Console> (enable)

This example shows how to allow a specific amount of multicast traffic to a range of ports:

Console> (enable) set port broadcast 4/1-24 80% multicast enable
Port 4/1-24 multicast traffic limited to 80%.
Console> (enable) 

This example shows how to limit broadcast and multicast traffic to 91 percent, to disable unicast traffic, and to errdisable when suppression occurs:

Console> (enable) set port broadcast 4/2 91% violation errdisable multicast enable unicast 
disable 
Port 4/2 broadcast and multicast traffic limited to 91.00%.
On broadcast suppression port 4/2 is configured to move to errdisabled state.
Console> (enable)

This example shows how to limit broadcast, multicast, and unicast traffic to 91 percent:

Console> (enable) set port broadcast 4/2 91% multicast enable unicast enable
Port 4/2 broadcast, multicast and unicast traffic limited to 91.00%.
Console> (enable)

Related Commands

clear port broadcast
show port broadcast

set port channel

To configure EtherChannel on Ethernet module ports, use the set port channel command.

set port channel mod/port [admin_group]

set port channel mod/port mode {on | off | desirable | auto} [silent | non-silent]

set port channel all mode off

set port channel all distribution {ip | mac} [source | destination | both]

set port channel all distribution {session} [source | destination | both]

set port channel all distribution {ip-vlan-session} [source | destination | both]

Syntax Description

mod/port

Number of the module and the port on the module.

admin_group

(Optional) Number of the administrative group; valid values are from 1 to 1024.

mode

Specifies the EtherChannel mode.

on

Enables and forces specified ports to channel without PAgP.

off

Prevents ports from channeling.

desirable

Sets a PAgP mode that places a port into an active negotiating state, in which the port initiates negotiations with other ports by sending PAgP packets.

auto

Sets a PAgP mode that places a port into a passive negotiating state, in which the port responds to PAgP packets it receives, but does not initiate PAgP packet negotiation.

silent

(Optional) Used with auto or desirable when no traffic is expected from the other device, to prevent the link from being reported to STP as down.

non-silent

(Optional) Used with auto or desirable when traffic is expected from the other device.

all mode off

Turns off channeling on all ports globally.

all distribution

Applies frame distribution to all ports in the Catalyst 6500 series switch.

ip

Specifies the frame distribution method using IP address values.

mac

Specifies the frame distribution method using MAC address values.

source

(Optional) Specifies the frame distribution method using source address values.

destination

(Optional) Specifies the frame distribution method using destination address values.

both

(Optional) Specifies the frame distribution method using source and destination address values.

session

Allows frame distribution of Layer 4 traffic.

both

(Optional) Specifies the frame distribution method using source and destination Layer 4 port number.

ip-vlan-session

Specifies the frame distribution method based on the source or destination IP address, the forwarding index derived from the VLAN, and the source or destination Layer 4 port.


Defaults

By default, EtherChannel is set to auto and silent on all module ports. The defaults for frame distribution are ip and both.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

This command is not supported by the NAM.

This command is not supported by non-EtherChannel-capable modules.

The set port channel all distribution session command is supported on systems configured with the Supervisor Engine 2 with Layer 3 Switching Engine II (PFC2) and the Supervisor Engine 720.

Make sure that all ports in the channel are configured with the same port speed, duplex mode, and so forth. For more information on EtherChannel, refer to the Catalyst 6500 Series Software Configuration Guide.

With the on mode, a usable EtherChannel exists only when a port group in on mode is connected to another port group in on mode.

If you are running QoS, make sure that bundled ports are all of the same trust types and have similar queueing and drop capabilities.

Disable the port security feature on the channeled ports (see the set port security command). If you enable port security for a channeled port, the port shuts down when it receives packets with source addresses that do not match the secure address of the port.

You can configure up to eight ports on the same switch in each administrative group.

When you assign ports to an existing administrative group, the original ports associated with the administrative group will move to a new automatically picked administrative group. You cannot add ports to the same administrative group.

If you do not enter an admin_group value, a new administrative group is created with the admin_group value selected automatically. The next available administrative group is automatically selected.

If you do not enter the channel mode, the channel mode of the addressed ports is not modified.

The silent | non-silent parameters only apply if desirable or auto modes are entered.

If you do not specify silent or non-silent, the current setting is not affected.

The ip-vlan-session keyword is supported only on the Supervisor Engine 720.


Note With software releases 6.2(1) and earlier, the 6- and 9-slot Catalyst 6500 series switches support a maximum of 128 EtherChannels.

With software releases 6.2(2) and later, due to the port ID handling by the spanning tree feature, the maximum supported number of EtherChannels is 126 for a 6- or 9-slot chassis and 63 for a 13-slot chassis. Note that the 13-slot chassis was first supported in software release 6.2(2).


Examples

This example shows how to set the channel mode to desirable:

Console> (enable) set port channel 2/2-8 mode desirable
Ports 2/2-8 channel mode set to desirable.
Console> (enable)

This example shows how to set the channel mode to auto:

Console> (enable) set port channel 2/7-8,3/1 mode auto
Ports 2/7-8,3/1 channel mode set to auto.
Console> (enable)

This example shows how to group ports 4/1 through 4 in an administrative group:

Console> (enable) set port channel 4/1-4 96
Port(s) 4/1-4 are assigned to admin group 96.
Console> (enable)

This example shows the display when the port list is exceeded:

Console> (enable) set port channel 2/1-9 1
No more than 8 ports can be assigned to an admin group.
Console> (enable) 

This example shows how to disable EtherChannel on module 4, ports 4 through 6:

Console> (enable) set port channel 4/4-6 mode off
Port(s) 4/4-6 channel mode set to off.
Console> (enable) 

This example shows the display output when you assign ports to an existing administrative group. This example moves ports in admin group 96 to another admin group and assigns ports 4/4 through 6 to admin group 96:

Console> (enable) set port channel 4/4-6 96
Port(s) 4/1-3 are moved to admin group 97.
Port(s) 4/4-6 are assigned to admin group 96.
Console> (enable) 

This example shows how to set the channel mode to off for ports 4/4 through 6 and assign ports 4/4 through 6 to an automatically selected administrative group:

Console> (enable) set port channel 4/4-6 off
Port(s) 4/4-6 channel mode set to off.
Port(s) 4/4-6 are assigned to admin group 23.
Console> (enable) 

This example shows how to configure the EtherChannel load-balancing feature:

Console> (enable) set port channel all distribution ip destination
Channel distribution is set to ip destination.
Console> (enable) 

Related Commands

show channel
show channel group
show port channel

set port cops

To create port roles, use the set port cops command.

set port cops mod/port roles role1 [role2]...

Syntax Description

mod/port

Number of the module and the port on the module.

roles role#

Specifies the roles.


Defaults

By default, all ports have a role of null string, that is, a string of length 0.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

This command is not supported by the NAM.

A port may have multiple roles. You can configure a maximum of 64 total roles per switch. You can specify multiple roles in a single command.

Examples

This example shows how to create roles on a port:

Console> (enable) set port cops 3/1 roles backbone_port main_port
New role `backbone_port' created.
New role `main_port' created.
Roles added for port 3/1-4.
Console> (enable)

This example shows the display if you attempt to create a role and exceed the maximum allowable number of roles:

Console> (enable) set port cops 3/1 roles access_port
Unable to add new role. Maximum number of roles is 64.
Console> (enable)

Related Commands

clear port cops
show port cops

set port critical

To enable or disable the Inaccessible Authentication Bypass (IAB) feature on a port that is configured to use 802.1X, LPIP, MAC authentication bypass, or Web Authentication, use the set port critical command.

set port critical mod/port {enable | disable}

Syntax Description

mod/port

Number of the module and the port on the module.

enable

Enables IAB on the specified port.

disable

Disables IAB on the specified port.


Defaults

IAB is disabled.

Command Types

Switch.

Command Modes

Privileged.

Usage Guidelines

Use the set port critical command in place of the set port dot1x mod/port critical command.

Examples

This example shows how to enable IAB on port 1, module 5:

Console> (enable) set port critical 5/1 enable
Port, 5/1 Critical feature enabled.
Console> (enable)

Related Commands

show port critical
show port mac-auth-bypass
show port web-auth

set port debounce

To enable or disable the debounce timer or configure the timer setting on a per-port basis, use the set port debounce command.

set port debounce mod/port {enable | disable}

set port debounce mod/port delay time

Syntax Description

mod/port

Number of the module and the port on the module.

enable | disable

Enables or disables the debounce timer.

delay

Sets the debounce timer for gigabit fiber ports.

time

Amount of time the firmware waits before notifying the supervisor engine of a link change; valid values are 200 milliseconds or from 300 to 5000 milliseconds. This is supported on gigabit fiber ports only. See the "Usage Guidelines" section for more information.


Defaults

By default, the debounce timer is disabled on all ports.

When the debounce timer is disabled, the default debounce timer values are as follows:

10BASE-FL ports—300 milliseconds

10/100BASE-TX ports—300 milliseconds

100BASE-FX ports—300 milliseconds

10/100/1000BASE-TX ports—300 milliseconds

1000BASE-TX ports—300 milliseconds

Fiber Gigabit Ethernet ports—10 milliseconds

10-Gigabit Ethernet ports—10 milliseconds

When the debounce timer is enabled, the default debounce timer values are as follows:

10BASE-FL ports—3100 milliseconds

10/100BASE-TX ports—3100 milliseconds

100BASE-FX ports—3100 milliseconds

10/100/1000BASE-TX ports—3100 milliseconds

1000BASE-TX ports—3100 milliseconds

Fiber Gigabit Ethernet ports—100 milliseconds

10-Gigabit Ethernet ports—100 milliseconds

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

The debounce timer is the time the firmware waits before notifying the supervisor engine of a link change at the physical layer.

Setting the debounce timer value to 200 milliseconds or from 300 to 5000 milliseconds is possible only for gigabit fiber ports. You do not need to enable the debounce timer on a gigabit fiber port before adjusting the timer. Any timer value that is greater than the default value in disabled state is considered a value that enables the timer.

For 10/100 ports and 100BASE-FX ports in the disabled state, the firmware may take up to 600 milliseconds to notify the supervisor engine of a link change because the firmware polling time is every 300 milliseconds.

For 10/100 ports and 100BASE-FX ports in the enabled state, the firmware may take up to 3400 milliseconds to notify the supervisor engine of a link change because the firmware polling time is every 300 milliseconds.

Examples

This example shows how to enable the debounce timer for a specific port on a specific module:

Console> (enable) set port debounce 1/1 enable
Debounce is enabled on port 1/1.
Warning:Enabling port debounce causes Link Up/Down detections to be delayed.
It results in loss of data traffic during debouncing period, which might
affect the convergence/reconvergence of various Layer 2 and Layer 3
protocols.
Use with caution.
Console> (enable)

Related Commands

show port debounce

set port description

To include a description that identifies a port, use the set port description command.

set port description mod/port [port_description]

Syntax Description

mod/port

Number of the module and the port on the module.

port_description

(Optional) Description that identifies the specified port. See the "Usage Guidelines" section for more information.


Defaults

This command has no default settings.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

The set port description command adds another 43 characters to the existing limit of 21 characters that can be set when you enter the set port name command.

The set port description command is only supported in text configuration mode.

If you do not enter a port_description argument, the port description is cleared.

Examples

This example shows how to include a port description:

Console> (enable) set port description 7/1 sarahtom 172.30.8.35 00-0a-5e-44-8b-8 2/2
Port 7/1 description set.
Console> (enable)

This example shows how to clear a port description:

Console> (enable) set port description 7/1
Port 7/1 description cleared.
Console> (enable)

Related Commands

set port name
show config mode
show port description

set port dhcp-snooping

To configure DHCP snooping on a port, use the set port dhcp-snooping command.

set port dhcp-snooping mod/port {trust | source-guard} {enable | disable}

set port dhcp-snooping mod/port binding-limit count

set port dhcp-snooping mod/port add-binding ip-addr mac-addr [vlan]

Syntax Description

mod/port

Number of the module and port on the module.

trust

Specifies the trust feature.

source-guard

Specifies the IP Source Guard feature.

enable

Enables the specified DHCP-Snooping feature.

disable

Disables the specified DHCP-Snooping feature.

binding-limit

Specifies the number of IP-to-MAC bindings that are allowed on a port.

count

Number of bindings that are allowed on a port; valid values are from 1 to 100.

add-binding

Adds an IP-to-MAC binding.

ip-addr

IP address.

mac-addr

MAC address.

vlan

(Optional) Number of the VLAN.


Defaults

Trust and Source Guard are disabled.

The binding limit on a port is 32.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

If you enter the set port dhcp-snooping mod/ports trust disable command, the DHCP snooping feature performs checks on packets coming from the ports that you specify. If you enter the enable keyword, the feature trusts the packets from those ports and does not perform checks.

If you enter the set port dhcp-snooping mod/ports source-guard enable command, the IP addresses learned through DHCP snooping are the only source IP addresses allowed on incoming traffic. All packets that contain other IP addresses are dropped. If a new binding is added, the IP address associated with that binding is added to the port. If a binding is deleted, the IP address associated with that binding is removed from the port.

If DHCP snooping is disabled on a VLAN, the bindings for that VLAN are deleted.

If you enable IP Source Guard on a port, that port should be untrusted. Also, the security ACL mode should be port-based or merge-mode, and no PACLs should be on the port.

Note the following when configuring DHCP-related features:

IP Source Guard is supported only on the PFC3.

ARP inspection is supported on Supervisor Engine 2, Supervisor Engine 720, and Supervisor Engine 32, but not on Supervisor Engine 1.

DHCP snooping is supported on all supervisor engines.

IP Source Guard is supported on Supervisor Engine 720 and Supervisor Engine 32, but not on Supervisor Engine 1 or Supervisor Engine 2.

Dynamic ARP Inspection is supported on Supervisor Engine 2, Supervisor Engine 720, and Supervisor Engine 32, but not on Supervisor Engine 1.

You must configure DHCP snooping on a server port when configured on per-port basis. The server port must be trusted.

You can enable IP Source Guard only when the ACL mode is port based.

Examples

This example shows how to enable DHCP trust on port 2 of module 2:

Console> (enable) set port dhcp-snooping 2/2 trust enable
Port(s)  2/2 state set to trusted for DHCP Snooping.
Console> (enable)

This example shows how to enable IP Source Guard on port 2 of module 2:

Console> (enable) set port dhcp-snooping 2/2 source-guard enable
Enabling IP Source Guard on port(s) 2/2.
Console> (enable)

This example shows how to limit the number of bindings to 48 on port 4 and port 5 of module 3:

Console> (enable) set port dhcp-snooping 3/4-5 binding-limit 48
Ports 3/4-5 DHCP snooping binding limit is set to 48
Console> (enable)

This example shows how to add a binding to a specified port:

Console> (enable) set port dhcp-snooping 5/1 add-binding 172.20.52.18 00-50-f0-ac-30-54 1
DHCP Snooping Binding addition successful for Port 5/1, Vlan 1 
 IP addr 172.20.52.18, Mac Addr 00-50-f0-ac-30-54.
Console> (enable) 
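
The usage guidelines above state that a port with IP Source Guard enabled should be untrusted, that the server port must be trusted, and that the binding limit accepts values from 1 to 100. The following Python audit is an added example, not Cisco code: it replays set port dhcp-snooping lines (a constructed sample using the syntax and port-list forms shown on this page) and reports ports that break those rules. The function names are hypothetical, and port ranges that span modules are assumed not to occur.

```python
import re
from dataclasses import dataclass

# Constructed sample input: command lines in the syntax documented above.
SAMPLE_CONFIG = """\
set port dhcp-snooping 2/1 trust enable
set port dhcp-snooping 2/2-4 source-guard enable
set port dhcp-snooping 2/4,3/1 trust enable
set port dhcp-snooping 3/4-5 binding-limit 48
set port dhcp-snooping 3/6 binding-limit 250
set port dhcp-snooping 3/1 trust disable
"""

CMD = re.compile(
    r"set port dhcp-snooping (\S+) "
    r"(?:(trust|source-guard) (enable|disable)|binding-limit (\d+))"
)
PORT_PART = re.compile(r"(\d+)/(\d+)(?:-(\d+))?")

SG_ON_TRUSTED = "IP Source Guard enabled on a trusted port"
NO_TRUSTED = "no trusted port; the DHCP server port must be trusted"


@dataclass
class PortState:
    trust: bool = False          # documented default: trust disabled
    source_guard: bool = False   # documented default: Source Guard disabled
    binding_limit: int = 32      # documented default binding limit


def expand_ports(spec):
    """Expand a port list such as '2/7-8,3/1' into ['2/7', '2/8', '3/1']."""
    ports = []
    for part in spec.split(","):
        m = PORT_PART.fullmatch(part)
        if not m:
            raise ValueError(f"bad port list element: {part!r}")
        mod, lo = int(m[1]), int(m[2])
        hi = int(m[3]) if m[3] else lo
        if hi < lo:
            raise ValueError(f"descending port range: {part!r}")
        ports.extend(f"{mod}/{p}" for p in range(lo, hi + 1))
    return ports


def audit(config_text):
    """Replay the commands in order; return (port states, sorted findings)."""
    ports, findings = {}, []
    for line in config_text.splitlines():
        m = CMD.fullmatch(line.strip())
        if not m:
            continue  # other commands (for example add-binding) are ignored
        spec, feature, action, limit = m.groups()
        try:
            targets = expand_ports(spec)
        except ValueError as exc:
            findings.append((spec, str(exc)))
            continue
        for port in targets:
            if limit is not None:
                n = int(limit)
                if not 1 <= n <= 100:
                    findings.append(
                        (port, f"binding-limit {n} is outside the valid range 1-100")
                    )
                    continue
                ports.setdefault(port, PortState()).binding_limit = n
            elif feature == "trust":
                ports.setdefault(port, PortState()).trust = action == "enable"
            else:
                ports.setdefault(port, PortState()).source_guard = action == "enable"

    # Checks on the final state, after every command has been applied.
    for port, state in ports.items():
        if state.source_guard and state.trust:
            findings.append((port, SG_ON_TRUSTED))
    if ports and not any(s.trust for s in ports.values()):
        findings.append(("*", NO_TRUSTED))
    return ports, sorted(findings)


if __name__ == "__main__":
    _, results = audit(SAMPLE_CONFIG)
    for port, message in results:
        print(f"{port}: {message}")
```

Because the commands are replayed in order, a later trust disable clears an earlier trust enable, so only the final state of each port is reported.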

Related Commands

clear dhcp-snooping bindings
show port dhcp-snooping

set port disable

To disable a port or a range of ports, use the set port disable command.

set port disable mod/port

Syntax Description

mod/port

Number of the module and the port on the module.


Defaults

The default system configuration has all ports enabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

This command is not supported by the NAM.

It takes approximately 30 seconds for this command to take effect.

Examples

This example shows how to disable a port using the set port disable command:

Console> (enable) set port disable 5/10
Port 5/10 disabled.
Console> (enable) 

Related Commands

set port enable
show port

set port dot1q-all-tagged

To enable the 802.1Q tagging feature on specific ports, use the set port dot1q-all-tagged command.

set port dot1q-all-tagged {mod/port} {enable | disable}

Syntax Description

mod/port

Number of the module and the port on the module.

enable

Enables the dot1q-all-tagged feature.

disable

Disables the dot1q-all-tagged feature.


Defaults

The 802.1Q tagging feature is enabled on a per-port basis. See the "Usage Guidelines" section for more information.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

Although 802.1Q tagging is enabled by default on a per-port basis, tagging only takes effect when you enable the feature globally by entering the set dot1q-all-tagged enable command. When the global command is enabled, if you do not want tagging on a specific port, you must disable the feature on that port.

Examples

This example shows how to enable the dot1q tagging feature on specific ports:

Console> (enable) set port dot1q-all-tagged 1/1-2 enable
Packets on native vlan will be tagged on port(s) 1/1-2.
Console> (enable)

This example shows how to enable the dot1q tagging feature on all ports:

Console> (enable) set port dot1q-all-tagged all enable
Packets on native vlan will be tagged on all applicable ports.
Console> (enable)

This example shows how to disable the dot1q tagging feature on specific ports:

Console> (enable) set port dot1q-all-tagged 1/1-2 disable
Packets on native vlan will not be tagged for port(s) 1/1-2.
Console> (enable)

This example shows how to disable the dot1q tagging feature on all ports:

Console> (enable) set port dot1q-all-tagged all disable
Packets on native vlan will not be tagged on all applicable ports.
Console> (enable)

Related Commands

set dot1q-all-tagged
show dot1q-all-tagged
show port dot1q-all-tagged

set port dot1q-ethertype

To set the EtherType field in the IEEE 802.1Q tag to a custom value, use the set port dot1q-ethertype command.

set port dot1q-ethertype mod/port {value | default}

Syntax Description

mod/port

Number of the module and the port on the module.

value

Hexadecimal number of the two-byte EtherType field.

default

Specifies the default value of 0x8100 for the two-byte EtherType field.


Defaults

The EtherType field is set to default.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

If you specify a custom EtherType field, your network can support Cisco and non-Cisco switches that do not use the standard 0x8100 EtherType to identify 802.1Q-tagged frames. When you specify a custom EtherType field, you can identify 802.1Q tagged frames and switch the frames to a specified VLAN. The two bytes immediately following the EtherType are interpreted as a standard 802.1Q tag. Specify the value of the two-byte EtherType field as a hexadecimal number.

To return the custom EtherType field to the default value (0x8100), use the set port dot1q-ethertype mod/port default command.


Note A custom 802.1Q EtherType field is supported on the following modules only: Supervisor Engine 2 and Supervisor Engine 720 uplink ports, WS-X6516-GBIC, WS-X6516A-GBIC, WS-X6516-GE-TX, WS-X6148-GE-TX, WS-X6148V-GE-TX, WS-X6548-GE-TX, WS-X6548V-GE-TX, WS-X6748-GE-TX, WS-X6724-SFP, WS-X6704-10GE, WS-X6501-10GEX4, and WS-X6502-10GE.



Note EtherChannels do not support a custom 802.1Q EtherType field. If you configure a port with a custom 802.1Q EtherType field, the port cannot join a channel. If a channel is already configured, you cannot change the 802.1Q EtherType on any of the channel ports.



Note On the WS-X6516A-GBIC, WS-X6516-GBIC, and WS-X6548-GE-TX modules, if you configure a port with a custom 802.1Q EtherType in the port groups 1 through 8 or 9 through 16, all ports in the group are configured with the custom 802.1Q EtherType. On the WS-X6516-GE-TX module, if you configure a port with a custom 802.1Q EtherType in the port groups 1 through 4, 5 through 8, 9 through 12, or 13 through 16, all ports in the group are configured with the custom 802.1Q EtherType.



Note You can use a custom 802.1Q EtherType field on trunk ports, 802.1Q access ports, and 802.1Q/802.1p multi-VLAN access ports. Additionally, you should configure the custom EtherType value the same on both ends of a link.


Examples

This example shows how to set the 802.1Q EtherType to 0x1234 on module 2, port 1:

Console> (enable) set port dot1q-ethertype 2/1 1234
All the group ports 2/1-2 associated with port 2/1 will be modified.
Do you want to continue (y/n) [n]?y
Dot1q Ethertype value set to 0x1234 on ports 2/1-2.
Console> (enable)

This example shows how to return the 802.1Q EtherType field to the standard EtherType field (0x8100) on module 2, port 1:

Console> (enable) set port dot1q-ethertype 2/1 default
All the group ports 2/1-2 associated with port 2/1 will be modified.
Do you want to continue (y/n) [n]?y
Dot1q Ethertype value set to 0x8100 on ports 2/1-2.

Console> (enable)

Related Commands

show port dot1q-ethertype

set port dot1qtunnel

To configure the dot1q tunnel mode for the port, use the set port dot1qtunnel command.

set port dot1qtunnel mod/port {access | disable}

Syntax Description

mod/port

Number of the module and the port on the module.

access

Turns off the port trunking mode.

disable

Disables dot1q tunneling.


Defaults

Dot1q tunnel mode is disabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

You cannot enable the dot1q tunneling feature on a port until dot1q-tagged-only mode is enabled.

You cannot disable dot1q-tagged-only mode on the switch until dot1q tunneling is disabled on all the ports on the switch.

You cannot set the dot1q tunnel mode to access if port security is enabled.

You cannot set the dot1q tunnel mode to access on a port with an auxiliary VLAN configured.

An interconnected network can have redundant paths to the same ISP edge switch, but it cannot have redundant paths to two different ISP edge switches.


Note PBF does not work with 802.1Q tunnel traffic. PBF is supported on Layer 3 IP unicast traffic, but it is not applicable to Layer 2 traffic. At the intermediate (PBF) switch, all 802.1Q tunnel traffic appears as Layer 2 traffic.


If you enable dot1q-tagged globally, the dot1q-tagged per-port setting controls whether or not the frames are tagged. If you disable dot1q-tagged globally, the default group is never tagged and the per-port setting has no effect.

Examples

This example shows how to set dot1q tunneling on the port to access:

Console> (enable) set port dot1qtunnel 4/1 access
Dot1q tunnel feature set to access mode on port 4/1.
Port 4/2 trunk mode set to off.
Console> (enable) 

This example shows the output if you try to turn on trunking on a port that has dot1q tunneling mode set:

Console> (enable) set trunk 4/1 on
Failed to set port 4/1 to trunk mode on.
The dot1q tunnel mode for the port is currently set to access.
Console> (enable) 

Related Commands

show port dot1qtunnel

set port dot1x

To configure 802.1X on a port, use the set port dot1x command.

set port dot1x mod/port multiple-host {enable | disable}

set port dot1x mod/port port-control port_control_value

set port dot1x mod/port initialize

set port dot1x mod/port re-authenticate

set port dot1x mod/port re-authentication {enable | disable}

set port dot1x mod/port multiple-authentication {enable | disable}

set port dot1x mod/port guest-vlan {vlan | none}

set port dot1x mod/port shutdown-timeout {enable | disable}

set port dot1x mod/port port-control-direction {both | in}

set port dot1x mod/port auth-fail-vlan {vlan | none}

set port dot1x mod/port critical {enable | disable}

set port dot1x mod/port re-authperiod server {enable | disable}

set port dot1x mod/port ip-device-tracking {enable | disable}

Syntax Description

mod/port

Number of the module and port on the module.

multiple-host

Specifies multiple-user access; see the "Usage Guidelines" section for more information.

enable

Enables multiple-user access.

disable

Disables multiple-user access.

port-control port_control_value

Specifies the port control type; valid values are force-authorized, force-unauthorized, and auto.

initialize

Initializes 802.1X on the port.

re-authenticate

Manually initiates a reauthentication of the entity connected to the port.

re-authentication

Automatically initiates reauthentication of the entity connected to the port within the reauthentication time period; see the "Usage Guidelines" section for more information.

enable

Enables automatic reauthentication.

disable

Disables automatic reauthentication.

multiple-authentication

Specifies multiple authentications so that more than one host can gain access to the port; see the "Usage Guidelines" section for more information.

enable

Enables multiple authentication.

disable

Disables multiple authentication.

guest-vlan

Specifies an active VLAN as an 802.1X guest VLAN.

vlan

Number of the VLAN; valid values are from 1 to 4094.

none

Clears the guest VLAN on the port.

shutdown-timeout

Specifies the shutdown-timeout period for a port after a security violation. See the "Usage Guidelines" section for more information.

enable

Activates the automatic reenabling of a port after the shutdown timeout period.

disable

Deactivates the automatic reenabling of a port after the shutdown timeout period.

port-control-direction

Specifies the traffic control direction on a port.

both

Blocks traffic in both directions.

in

Blocks traffic only in the incoming direction.

auth-fail-vlan

Sets the VLAN that provides limited access to end hosts that have failed 802.1X authentication. See the "Usage Guidelines" section for more information.

none

Clears the authentication failure VLAN on a port.

critical

Sets the 802.1X port as a critical port. See the "Usage Guidelines" section for more information.

enable

Enables the critical option on the 802.1X port.

disable

Disables the critical option on the 802.1X port.

re-authperiod server

Sets session timeout override on the 802.1X port. See the "Usage Guidelines" section for more information.

enable

Applies the session timeout value that is received from the RADIUS server.

disable

Applies the reauthentication period value that was configured through the CLI.

ip-device-tracking

Tracks the host using its IP address.

enable

Enables IP device tracking.

disable

Disables IP device tracking.


Defaults

The default settings are as follows:

The multiple host feature is disabled.

The port_control_value is set to force-authorized.

The reauthentication feature is disabled.

The multiple authentication feature is disabled.

The guest VLAN feature is set to none.

The shutdown-timeout feature is disabled.