Table Of Contents
set rgmp
set rspan
set security acl adjacency
set security acl arp-inspection
set security acl capture-ports
set security acl cram
set security acl feature ratelimit
set security acl ip
set security acl ipx
set security acl log
set security acl mac
set security acl map
set security acl statistics
set snmp
set snmp access
set snmp access-list
set snmp buffer
set snmp chassis-alias
set snmp community
set snmp community-ext
set snmp extendedrmon netflow
set snmp group
set snmp ifalias
set snmp inform
set snmp notify
set snmp rmon
set snmp rmonmemory
set snmp targetaddr
set snmp targetparams
set snmp trap
set snmp user
set snmp view
set span
set spantree backbonefast
set spantree bpdu-filter
set spantree bpdu-guard
set spantree bpdu-skewing
set spantree channelcost
set spantree channelvlancost
set spantree defaultcostmode
set spantree disable
set spantree enable
set spantree fwddelay
set spantree global-default
set spantree guard
set spantree hello
set spantree link-type
set spantree macreduction
set spantree maxage
set spantree mode
set spantree mst
set spantree mst config
set spantree mst link-type
set spantree mst maxhops
set spantree mst vlan
set spantree portcost
set spantree portfast
set spantree portfast bpdu-filter
set spantree portfast bpdu-guard
set spantree portinstancecost
set spantree portinstancepri
set spantree portpri
set spantree portvlancost
set spantree portvlanpri
set rgmp
To enable or disable the Router-Ports Group Management Protocol (RGMP) feature on the switch, use the set rgmp command.
set rgmp {enable | disable}
Syntax Description
enable     Enables RGMP on the switch.
disable    Disables RGMP on the switch.
Defaults
By default, RGMP is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The set rgmp command affects the entire switch. You cannot enable or disable RGMP on a per-VLAN basis.
The RGMP feature is operational only if IGMP snooping is enabled on the switch. (See the set igmp command.)
Examples
This example shows how to enable RGMP on the switch:
Console> (enable) set rgmp enable
This example shows how to disable RGMP on the switch:
Console> (enable) set rgmp disable
Related Commands
clear rgmp statistics
set igmp
show rgmp group
show rgmp statistics
set rspan
To create remote Switched Port Analyzer (SPAN) sessions, use the set rspan command.
set rspan disable source [rspan_vlan | all]
set rspan disable session session_number
set rspan disable destination [mod/port | all]
set rspan disable destination session session_number
set rspan source {src_mod/src_ports... | vlans... | sc0} {rspan_vlan} [rx | tx | both]
session session_number [multicast {enable | disable}] [filter vlans...] [create]
set rspan destination mod/port {rspan_vlan} session session_number
[inpkts {enable | disable}] [learning {enable | disable}] [create]
Syntax Description
disable source           Disables remote SPAN source information.
rspan_vlan               (Optional) Remote SPAN VLAN.
all                      (Optional) Disables all remote SPAN source or destination sessions.
session session_number   Session number; must be unique across all types of SPAN sessions.
disable destination      Disables remote SPAN destination information.
mod/port                 (Optional) Remote SPAN destination port.
src_mod/src_ports...     Monitored ports (remote SPAN source).
vlans...                 Monitored VLANs (remote SPAN source).
sc0                      Specifies the inband port as a valid source.
rx                       (Optional) Specifies that information received at the source (ingress SPAN) is monitored.
tx                       (Optional) Specifies that information transmitted from the source (egress SPAN) is monitored.
both                     (Optional) Specifies that information both received at the source (ingress SPAN) and transmitted from the source (egress SPAN) is monitored.
multicast enable         (Optional) Enables monitoring of multicast traffic (egress traffic only).
multicast disable        (Optional) Disables monitoring of multicast traffic (egress traffic only).
filter vlans             (Optional) Monitors traffic on selected VLANs on source trunk ports.
create                   (Optional) Creates a new remote SPAN session instead of overwriting the previous SPAN session.
inpkts enable            (Optional) Allows the remote SPAN destination port to receive normal ingress traffic (from the network to the bus) while forwarding the remote SPAN traffic.
inpkts disable           (Optional) Disables the receiving of normal inbound traffic on the remote SPAN destination port.
learning enable          (Optional) Enables learning for the remote SPAN destination port.
learning disable         (Optional) Disables learning for the remote SPAN destination port.
Defaults
The defaults are as follows:
• Remote SPAN is disabled.
• No VLAN filtering.
• Monitoring multicast traffic is enabled.
• Learning is enabled.
• inpkts is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The rspan_vlan variable is optional in the set rspan disable source command and required in the set rspan source and set rspan destination commands.
After you enable SPAN, system defaults are used if no parameters were ever set. If you changed parameters, these are stored in NVRAM, and the new parameters are used.
Use a network analyzer to monitor ports.
Use the inpkts keyword with the enable option to allow the remote SPAN destination port to receive normal incoming traffic in addition to the traffic mirrored from the remote SPAN source. Use the disable option to prevent the remote SPAN destination port from receiving normal incoming traffic.
You can specify a Multilayer Switch Module (MSM) port as the remote SPAN source port. However, you cannot specify an MSM port as the remote SPAN destination port.
When you enable the inpkts option, a warning message notifies you that the destination port does not join STP and may cause loops if this option is enabled.
If you do not specify the keyword create and you have only one session, the session will be overwritten. If a matching rspan_vlan or destination port exists, the particular session will be overwritten (with or without specifying create). If you specify the keyword create and there is no matching rspan_vlan or destination port, the session will be created.
Each switch can source only one remote SPAN session (ingress, egress, or both). When you configure a remote ingress or bidirectional SPAN session in a source switch, the limit for local ingress or bidirectional SPAN session is reduced to one. There are no limits on the number of remote SPAN sessions carried across the network within the remote SPAN session limits.
You can configure any VLAN as a remote SPAN VLAN as long as these conditions are met:
• The same remote SPAN VLAN is used for a remote SPAN session in the switches.
• All the participating switches have appropriate hardware and software.
• No unwanted access port is configured in the remote SPAN VLAN.
If you do not specify a SPAN session number, one is provided by the software. The software provides a session number only if the basic check for the SPAN session limits and sanity is successful.
If you provide a session number, but the same session number for the same session type is present in the SPAN database already, the session number that you enter overwrites the SPAN session with the same number. If the same session number is already present in the database, but that session number is for a different session type, the session number that you enter is rejected.
If you provide a session number that does not exist in the SPAN database, the number is regarded as a new SPAN session request and is subject to SPAN session limits.
Examples
This example shows how to disable all enabled source sessions:
Console> (enable) set rspan disable source all
This command will disable all remote span source session(s).
Do you want to continue (y/n) [n]? y
Disabled monitoring of all source(s) on the switch for remote span.
This example shows how to disable one source session to a specific VLAN:
Console> (enable) set rspan disable source 903
Disabled monitoring of all source(s) on the switch for rspan_vlan 903.
This example shows how to disable all enabled destination sessions:
Console> (enable) set rspan disable destination all
This command will disable all remote span destination session(s).
Do you want to continue (y/n) [n]? y
Disabled monitoring of remote span traffic on ports 9/1,9/2,9/3,9/4,9/5,9/6.
This example shows how to disable one destination session to a specific port:
Console> (enable) set rspan disable destination 4/1
Disabled monitoring of remote span traffic on port 4/1.
Related Commands
show rspan
set security acl adjacency
To set an entry for the adjacency table, use the set security acl adjacency command.
set security acl adjacency adjacency_name dest_vlan dest_mac [source_mac [mtu mtu_size] |
mtu mtu_size]
Syntax Description
adjacency_name   Name of the adjacency table entry.
dest_vlan        Name of the destination VLAN.
dest_mac         Destination MAC address.
source_mac       (Optional) Source MAC address.
mtu mtu_size     (Optional) Specifies the packet size in bytes.
Defaults
The default size for the MTU is 9600 bytes.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The order of ACEs in a policy-based forwarding (PBF) VACL is important. The adjacency table entry has to be defined in the VACL before the redirect ACE because the redirect ACE uses it to redirect traffic. Refer to the Catalyst 6500 Series Switch Software Configuration Guide for detailed information on configuring PBF VACLs.
You can set the MTU when jumbo frames are sent using PBF.
Examples
This example shows how to set an entry for the adjacency table:
Console> (enable) set security acl adjacency ADJ1 11 0-0-0-0-0-B 0-0-0-0-0-A
This example shows how to set an entry for the adjacency table with a specific MTU size:
Console> (enable) set security acl adjacency a_1 2 0-0a-0a-0a-0a-0a 9000
Related Commands
clear security acl
commit
show security acl
set security acl arp-inspection
To configure Address Resolution Protocol (ARP) inspection features, use the set security acl arp-inspection command.
set security acl arp-inspection {match-mac | address-validation}
{enable | [drop [log]] | disable}
set security acl arp-inspection dynamic {enable | disable} {vlanlist | port mod/port}
set security acl arp-inspection dynamic log {enable | disable}
Syntax Description
match-mac            Specifies the MAC address matching feature.
address-validation   Specifies the address validation feature.
enable               Enables the specified ARP inspection feature.
drop                 (Optional) Drops packets that fail the match-mac or address-validation check.
log                  (Optional) Enables logging of match-mac or address-validation packets that are dropped.
disable              Disables the specified ARP inspection feature.
dynamic              Specifies the Dynamic ARP Inspection (DAI) bindings feature for a list of VLANs.
vlanlist             VLANs included in DAI.
port                 Specifies a port to be included in DAI.
mod/port             Module number and port number on the module.
log                  Specifies logging for DAI.
Defaults
The MAC address matching, address validation, DAI, and the DAI logging features are disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
When you enter the set security acl arp-inspection match-mac enable command, the system drops packets in which the source Ethernet address in the Ethernet header is not the same as the source MAC address in the ARP header.
When you enter the set security acl arp-inspection address-validation enable command, the system drops packets that have illegal IP or MAC addresses.
The following IP addresses are illegal:
• 0.0.0.0
• 255.255.255.255
• Class D multicast IP addresses
The following MAC addresses are illegal:
• 00-00-00-00-00-00
• Multicast MAC addresses
• ff-ff-ff-ff-ff-ff
Note
If you do not enter the drop keyword, the system only generates a syslog message.
The set security acl arp-inspection dynamic {enable | disable} vlanlist command enables or disables DAI bindings for specified VLANs. The command does not affect any static ARP inspection rules that are specified as part of the security ACL framework.
Do not enable DAI on a VLAN unless DHCP Snooping is also enabled on the VLAN. You cannot enable DAI on management VLANs.
Do not enable DAI on VLANs that have ports with static IP addresses unless the ports are trusted.
If DAI is enabled for a VLAN that is untrusted for ARP inspection, the port should be untrusted for DHCP snooping. Otherwise, all ARP packets from that port will be dropped because bindings are not kept for ports trusted by DHCP snooping.
The set security acl arp-inspection dynamic log {enable | disable} command enables or disables the logging of packets that have been denied because of dynamic bindings. If logging is enabled, all packets dropped because of dynamic bindings are logged. If logging is disabled, these packets are not logged. DAI logging is configured on a global basis and does not affect per-ACE logging that is specified for static bindings.
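The two static checks described above, modelled in Python as an added example (not Cisco code): match-mac compares the Ethernet source address with the ARP sender hardware address, and address-validation applies the illegal IP and MAC lists from this section. Assumptions: frames are Ethernet II carrying IPv4-over-Ethernet ARP, and target addresses are validated only in replies; the sample frames are constructed.

```python
"""Static ARP-inspection checks (match-mac and address-validation) modelled in Python.
Added example, not Cisco code. Assumes Ethernet II frames carrying IPv4-over-Ethernet ARP."""
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
ILLEGAL_IPS = {IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255")}


def mac_str(mac: bytes) -> str:
    return "-".join(f"{b:02x}" for b in mac)


def mac_bytes(text: str) -> bytes:
    return bytes(int(part, 16) for part in text.replace(":", "-").split("-"))


def build_arp_frame(eth_src, sha, spa, tha, tpa, oper=1, eth_dst="ff-ff-ff-ff-ff-ff") -> bytes:
    """Constructed Ethernet II + ARP frame (no FCS) used as sample input below."""
    header = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)  # htype, ptype, hlen, plen, opcode
    arp += mac_bytes(sha) + IPv4Address(spa).packed + mac_bytes(tha) + IPv4Address(tpa).packed
    return header + arp


def parse_arp_frame(frame: bytes):
    """Return the fields ARP inspection looks at, or None for anything that is not IPv4 ARP."""
    if len(frame) < 42:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if ethertype != ETHERTYPE_ARP or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "eth_src": frame[6:12],
        "oper": oper,
        "sha": frame[22:28], "spa": IPv4Address(frame[28:32]),
        "tha": frame[32:38], "tpa": IPv4Address(frame[38:42]),
    }


def illegal_ip(ip: IPv4Address) -> bool:
    # 0.0.0.0, 255.255.255.255 and Class D (multicast) addresses, as listed on the page
    return ip in ILLEGAL_IPS or ip.is_multicast


def illegal_mac(mac: bytes) -> bool:
    # 00-00-00-00-00-00, multicast (I/G bit set) and ff-ff-ff-ff-ff-ff, as listed on the page
    return mac == b"\x00" * 6 or mac == b"\xff" * 6 or bool(mac[0] & 0x01)


def inspect_arp(frame: bytes, match_mac=True, address_validation=True, drop=False):
    """Return (action, reasons): 'forward', or 'log' / 'drop' depending on whether the
    feature was enabled with the drop keyword (without it only a syslog message is generated)."""
    arp = parse_arp_frame(frame)
    if arp is None:
        return "forward", []
    reasons = []
    if match_mac and arp["eth_src"] != arp["sha"]:
        reasons.append(f"match-mac: Ethernet source {mac_str(arp['eth_src'])} "
                       f"!= ARP sender {mac_str(arp['sha'])}")
    if address_validation:
        # Assumption: sender addresses are checked on every ARP packet, target addresses only
        # on replies (opcode 2), since a request legitimately carries a zero target MAC.
        fields = [("sender IP", arp["spa"]), ("sender MAC", arp["sha"])]
        if arp["oper"] == 2:
            fields += [("target IP", arp["tpa"]), ("target MAC", arp["tha"])]
        for name, value in fields:
            if isinstance(value, IPv4Address):
                bad, shown = illegal_ip(value), str(value)
            else:
                bad, shown = illegal_mac(value), mac_str(value)
            if bad:
                reasons.append(f"address-validation: illegal {name} {shown}")
    if not reasons:
        return "forward", []
    return ("drop" if drop else "log"), reasons


if __name__ == "__main__":
    sample = build_arp_frame("00-0a-0a-0a-0a-0a", "00-0b-0b-0b-0b-0b", "10.1.1.1",
                             "00-00-00-00-00-00", "10.1.1.5")
    print(inspect_arp(sample, drop=True))  # Ethernet source and ARP sender differ
```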
Examples
This example shows how to enable the MAC address matching feature:
Console> (enable) set security acl arp-inspection match-mac enable
ARP Inspection match-mac feature enabled.
This example shows how to enable the address validation feature:
Console> (enable) set security acl arp-inspection address-validation enable
ARP Inspection address-validation feature enabled.
This example shows how to enable the dynamic ARP inspection feature:
Console> (enable) set security acl arp-inspection dynamic enable 100
Dynamic ARP Inspection is enabled for vlan(s) 100.
This example shows how to enable the dynamic ARP inspection logging feature:
Console> (enable) set security acl arp-inspection dynamic log enable
Dynamic ARP Inspection logging enabled.
Related Commands
set security acl capture-ports
To designate the ports that receive the traffic captured by ACEs configured with the capture option (in the set security acl ip, set security acl ipx, and set security acl mac commands), use the set security acl capture-ports command.
set security acl capture-ports {mod/ports...}
Syntax Description
mod/ports...   Module and port number.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
Configurations you make by entering this command are saved in NVRAM. This command does not require that you enter the commit command.
The module and port specified in this command are added to the current ports configuration list.
This command works with Ethernet ports only; you cannot set ATM ports.
The ACL capture will not work unless the capture port is in the spanning tree forwarding state for the VLAN.
Examples
This example shows how to set a port to capture traffic:
Console> (enable) set security acl capture-ports 3/1
Successfully set 3/1 to capture ACL traffic.
This example shows how to set multiple ports to capture traffic:
Console> (enable) set security acl capture-ports 1/1-10
Successfully set the following ports to capture ACL traffic: 1/1-2.
Related Commands
clear security acl capture-ports
show security acl capture-ports
set security acl cram
To enable a test run of the compression and reordering of ACL masks (CRAM) feature or to enable the CRAM feature, use the set security acl cram command.
set security acl cram testrun
set security acl cram {run | {auto [nsec]}}
Syntax Description
testrun   Reports the ACL mask usage that would result if CRAM were executed.
run       Manually executes the CRAM feature.
auto      Automatically executes the CRAM feature at the specified interval.
nsec      (Optional) CRAM timer; valid values are 60 to 3600 seconds.
Defaults
The default time for the CRAM timer is 300 seconds.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
When the CRAM feature is executed, the new mask ordering is computed and the ACL hardware is programmed accordingly.
The CRAM feature can be run in two modes. To manually execute the CRAM feature, enter the set security acl cram run command. To automatically execute the CRAM feature whenever the TCAM is full, enter the set security acl cram auto command.
The CRAM timer runs CRAM at an interval that you specify even if the TCAM is not full.
Note
With software release 8.4(1), the CRAM feature is only supported for security ACLs. The CRAM feature works for QoS ACLs but you cannot specifically run the feature on QoS ACLs.
Examples
This example shows how to execute a test run of the CRAM feature:
Console> (enable) set security acl cram testrun
CRAM execution in progress.
Current ACL storage mask usage 60.0%
ACL storage mask usage if CRAM is run is 41.0%
This example shows how to manually execute the CRAM feature:
Console> (enable) set security acl cram run
Traffic may be disrupted for some time while programming hardware. Agree (y/n)[n] ? y
CRAM execution in progress.
Previous ACL storage mask usage 60.0%
Current ACL storage mask usage 41.0%
This example shows how to enable the automatic execution of the CRAM feature:
Console> (enable) set security acl cram auto
Cram auto mode enabled. Timer is default = 300 seconds
This example shows how to change the CRAM timer interval:
Console> (enable) set security acl cram auto 1000
Cram auto mode enabled. Timer is 1000 seconds
Related Commands
clear security acl cram
show security acl cram
set security acl feature ratelimit
To specify a rate limit in packets per second for ARP inspection, DHCP snooping, and 802.1X DHCP features, use the set security acl feature ratelimit command.
set security acl feature ratelimit rate
Syntax Description
rate   Number of packets; valid values are 0 and from 500 to 2000 packets per second. See the "Usage Guidelines" section for more information.
Defaults
The rate is 1000 pps.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The set security acl feature ratelimit command sets the rate at which packets are sent to the supervisor engine for processing by the ARP inspection, DHCP snooping, and 802.1X DHCP features.
If you want to disable rate limiting, enter a rate value of 0. We strongly recommend, however, that you do not disable rate limiting because traffic that is redirected by various security features might flood the supervisor engine and diminish system performance.
The rate limit is shared by multiple features. To display the features sharing rate limiting, enter the show security acl feature ratelimit command.
The rate limit is available on the PFC2 or later.
To specify the rate limit for the number of ARP inspection packets that are sent to the CPU on a per-port basis, use the set port arp-inspection command.
Examples
This example shows how to set the global rate limit to 600:
Console> (enable) set security acl feature ratelimit 600
ARP Inspection, DHCP Snooping, and Dot1x DHCP global rate limit set to 600 pps.
This example shows how to disable rate limiting:
Console> (enable) set security acl feature ratelimit 0
CAUTION:ARP Inspection, DHCP Snooping, and Dot1x DHCP global rate limit is disabled.
Console> (enable) 2004 Feb 04 16:17:17 %ACL-4-ARPINSPECTRATELIMITDISABLED:ARP Inspection,
DHCP Snooping, and Dot1x DHCP global rate is disabled
Related Commands
set port arp-inspection
show security acl feature ratelimit
set security acl ip
To create a new entry in a standard IP VACL and append the new entry at the end of the VACL, use the set security acl ip command.
set security acl ip {acl_name} {permit | deny} {src_ip_spec} [before editbuffer_index |
modify editbuffer_index] [log]
set security acl ip {acl_name} [permit | deny] arp
set security acl ip {acl_name} permit dot1x-dhcp [before edit_buffer | modify edit_buffer]
set security acl ip {acl_name} permit dhcp-snooping {before editbuffer_index |
modify editbuffer_index}
set security acl ip {acl_name} {permit | deny | redirect {adj_name | mod_num/port_num}}
{protocol} {src_ip_spec} {dest_ip_spec} [precedence precedence] [tos tos] [fragment]
[capture] [before editbuffer_index | modify editbuffer_index] [log]
set security acl ip {acl_name} {permit | deny | redirect {mod_num/port_num}} [ip]
{src_ip_spec | group group_name} {dest_ip_spec | group group_name} [precedence
precedence] [tos tos] [fragment] [capture] [before editbuffer_index | modify
editbuffer_index] [log]
set security acl ip {acl_name} {permit | deny | redirect {mod_num/port_num}} [icmp | 1]
{src_ip_spec} {dest_ip_spec} [icmp_type] [icmp_code] | [icmp_message]
[precedence precedence] [tos tos] [fragment] [capture] [before editbuffer_index |
modify editbuffer_index] [log]
set security acl ip {acl_name} {permit | deny | redirect {mod_num/port_num}} [tcp | 6]
{src_ip_spec} [operator port [port]] {dest_ip_spec} [operator port [port]] [established]
[precedence precedence] [tos tos] [fragment] [capture] [before editbuffer_index |
modify editbuffer_index] [log]
set security acl ip {acl_name} {permit | deny | redirect {mod_num/port_num}} [udp | 17]
{src_ip_spec} [operator port [port]] {dest_ip_spec} [operator port [port]]
[precedence precedence] [tos tos] [fragment] [capture] [before editbuffer_index |
modify editbuffer_index] [log]
set security acl ip {acl_name} {permit | deny} arp-inspection {host ip_addr}
{mac_addr | any [log]}
set security acl ip {acl_name} {permit | deny} arp-inspection any any [log] [before edit_buffer
| modify edit_buffer]
set security acl ip {acl_name} {permit | deny} arp-inspection {host ip_addr} {ip_mask} any
[log]
set security acl ip {acl_name} permit any
set security acl ip {acl_name} [permit] eapoudp [before editbuffer_index |
modify editbuffer_index]
set security acl ip {acl_name} include {downloaded-acl | ip-phone} {feature}
Syntax Description
acl_name                   Unique name that identifies the list to which the entry belongs.
permit                     Allows traffic from the source IP address.
deny                       Blocks traffic from the source IP address.
src_ip_spec                Source IP address and source mask. See the "Usage Guidelines" section for the format.
before editbuffer_index    (Optional) Inserts the new ACE in front of the ACE at the specified edit buffer index.
modify editbuffer_index    (Optional) Replaces the ACE at the specified edit buffer index with the new ACE.
log                        (Optional) Logs denied packets.
arp                        Specifies ARP.
dot1x-dhcp                 Specifies 802.1X authentication for the DHCP Relay Agent.
dhcp-snooping              Specifies DHCP snooping.
redirect                   Specifies the switched port to which matching packets are redirected.
adj_name                   Name of the adjacency table entry.
mod_num/port_num           Module number and port number.
protocol                   Keyword or number of an IP protocol; valid numbers are from 0 to 255. See the "Usage Guidelines" section for the list of valid keywords.
dest_ip_spec               Destination IP address and destination mask. See the "Usage Guidelines" section for the format.
precedence precedence      (Optional) Specifies the precedence level; valid values are from 0 to 7 or a name. See the "Usage Guidelines" section for a list of valid names.
tos tos                    (Optional) Specifies the type of service level; valid values are from 0 to 15 or a name. See the "Usage Guidelines" section for a list of valid names.
fragment                   (Optional) Filters IP traffic that carries fragments.
capture                    (Optional) Specifies that matching packets are switched normally and also captured; permit must also be specified.
ip                         (Optional) Matches any IP packet.
icmp | 1                   (Optional) Matches ICMP packets.
icmp_type                  (Optional) ICMP message type name or number; valid values are from 0 to 255. See the "Usage Guidelines" section for a list of valid names.
icmp_code                  (Optional) ICMP message code name or number; valid values are from 0 to 255. See the "Usage Guidelines" section for a list of valid names.
icmp_message               (Optional) ICMP message type name, or ICMP message type and code name. See the "Usage Guidelines" section for a list of valid names.
tcp | 6                    (Optional) Matches TCP packets.
operator                   (Optional) Port comparison operator; valid values are lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).
port                       (Optional) Number or name of a TCP or UDP port; valid port numbers are from 0 to 65535. See the "Usage Guidelines" section for a list of valid names.
established                (Optional) Matches only established connections; TCP only.
udp | 17                   (Optional) Matches UDP packets.
arp-inspection             Specifies ARP inspection.
host ip_addr               Specifies a single host by its IP address.
mac_addr                   Specifies the MAC address.
any                        Matches any IP address or MAC address.
ip_mask                    Specifies the IP mask.
eapoudp                    Redirects all LPIP control packets (EAPoUDP) to the supervisor engine.
include                    Creates a placeholder for an ACE.
downloaded-acl | ip-phone  Specifies either a downloaded ACL or an IP phone ACE.
feature                    Specifies the feature type; applies only to downloaded ACLs. Valid values are dot1x, webauth, macauth-bypass, and eou.
Defaults
There are no default ACLs and no default ACL-VLAN mappings. By default, ARP is enabled. By default, DHCP snooping is disabled on all VLANs.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
Configurations you make by entering this command are saved to NVRAM and the switch hardware only after you enter the commit command. Enter ACEs in batches, and then enter the commit command to save them in NVRAM and in the hardware.
The arp keyword is supported on switches configured with the Supervisor Engine 2 with Layer 3 Switching Engine II (PFC2). The arp keyword is supported on a per-ACL basis only; either ARP is allowed or ARP is denied.
If you use the fragment keyword in an ACE, this ACE applies to nonfragmented traffic and to the fragment with offset equal to zero in a fragmented flow.
A fragmented ACE that permits Layer 4 traffic from host A to host B also permits fragmented traffic from host A to host B regardless of the Layer 4 port.
If you use the capture keyword, the ports that capture the traffic and transmit out are specified by entering the set security acl capture-ports command.
802.1X and DHCP Snooping cannot coexist on a VLAN. If both features are configured on a VLAN, the feature that resides higher up in the ACL will override the other.
The position of the DHCP-Snooping Access Control Entry (ACE) in the VACL is important, as it can be used to restrict specific types of DHCP packets. The position of the DHCP Snooping ACE is determined by the policy for DHCP Snooping packets. For example, if you want to deny DHCP Snooping packets from a certain host and perform DHCP Snooping on other packets, then the deny ACE should come before the DHCP Snooping ACE.
When you enter the ACL name, follow these naming conventions:
• Maximum of 32 characters long; may include a-z, A-Z, 0-9, the dash character (-), the underscore character (_), and the period character (.)
• Must start with an alpha character and must be unique across all ACLs of all types
• Case sensitive
• Cannot be a number
• Must not be a keyword; keywords to avoid are all, default-action, map, help, and editbuffer
When you specify the source IP address and the source mask, use the form source_ip_address source_mask and follow these guidelines:
• The source_mask is required; 0 indicates a care bit, 1 indicates a don't-care bit.
• Use a 32-bit quantity in four-part dotted-decimal format.
• Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
• Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
When you enter a destination IP address and the destination mask, use the form destination_ip_address destination_mask and follow these guidelines. The destination mask is required.
• Use a 32-bit quantity in four-part dotted-decimal format.
• Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.
• Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
The log keyword is an option of deny only. If you want to change an existing VACL configuration to deny with log, you must first clear the VACL and then set it again.
The log keyword is supported on systems configured with Supervisor Engine 2 with Layer 3 Switching Engine II (PFC2) only.
Valid names for precedence are critical, flash, flash-override, immediate, internet, network, priority, and routine.
Valid names for tos are max-reliability, max-throughput, min-delay, min-monetary-cost, and normal.
Valid protocol keywords include icmp (1), ip, ipinip (4), tcp (6), udp (17), igrp (9), eigrp (88), gre (47), nos (94), ospf (89), ahp (51), esp (50), pcp (108), and pim (103). The IP number is displayed in parentheses. Use the keyword ip to match any Internet Protocol.
ICMP packets that are matched by ICMP message type can also be matched by the ICMP message code.
Valid names for icmp_type and icmp_code are administratively-prohibited, alternate-address, conversion-error, dod-host-prohibited, dod-net-prohibited, echo, echo-reply, general-parameter-problem, host-isolated, host-precedence-unreachable, host-redirect, host-tos-redirect, host-tos-unreachable, host-unknown, host-unreachable, information-reply, information-request, mask-reply, mask-request, mobile-redirect, net-redirect, net-tos-redirect, net-tos-unreachable, net-unreachable, network-unknown, no-room-for-option, option-missing, packet-too-big, parameter-problem, port-unreachable, precedence-unreachable, protocol-unreachable, reassembly-timeout, redirect, router-advertisement, router-solicitation, source-quench, source-route-failed, time-exceeded, timestamp-reply, timestamp-request, traceroute, ttl-exceeded, and unreachable.
If the operator is positioned after the source and source-wildcard, it must match the source port. If the operator is positioned after the destination and destination-wildcard, it must match the destination port. The range operator requires two port numbers. All other operators require one port number.
TCP port names can be used only when filtering TCP. Valid names for TCP ports are bgp, chargen, daytime, discard, domain, echo, finger, ftp, ftp-data, gopher, hostname, irc, klogin, kshell, lpd, nntp, pop2, pop3, smtp, sunrpc, syslog, tacacs-ds, talk, telnet, time, uucp, whois, and www.
UDP port names can be used only when filtering UDP. Valid names for UDP ports are biff, bootpc, bootps, discard, dns, dnsix, echo, mobile-ip, nameserver, netbios-dgm, netbios-ns, ntp, rip, snmp, snmptrap, sunrpc, syslog, tacacs-ds, talk, tftp, time, who, and xdmcp.
The number listed with the protocol type is the layer protocol number (for example, udp | 17).
If no layer protocol number is entered, you can enter the following syntax:
set security acl ip {acl_name} {permit | deny} {src_ip_spec} [before editbuffer_index |
modify editbuffer_index]
If a Layer 4 protocol is specified, you can enter the following syntax:
set security acl ip {acl_name} {permit | deny | redirect mod_num/port_num} {protocol}
{src_ip_spec} {dest_ip_spec} [precedence precedence] [tos tos] [capture]
[before editbuffer_index | modify editbuffer_index]
For IP, you can enter the following syntax:
set security acl ip {acl_name} {permit | deny | redirect {mod_num/port_num}} [ip]
{src_ip_spec} {dest_ip_spec} [precedence precedence] [tos tos] [capture]
[before editbuffer_index | modify editbuffer_index]
For ICMP, you can enter the following syntax:
set security acl ip {acl_name} {permit | deny | redirect {mod_num/port_num}} [icmp | 1]
{src_ip_spec} {dest_ip_spec} [icmp_type] [icmp_code] | [icmp_message]
[precedence precedence] [tos tos] [capture] [before editbuffer_index |
modify editbuffer_index]
For TCP, you can enter the following syntax:
set security acl ip {acl_name} {permit | deny | redirect {mod_num/port_num}} [tcp | 6]
{src_ip_spec} [operator port [port]] {dest_ip_spec} [operator port [port]] [established]
[precedence precedence] [tos tos] [capture] [before editbuffer_index |
modify editbuffer_index]
For UDP, you can enter the following syntax:
set security acl ip {acl_name} {permit | deny | redirect {mod_num/port_num}} [udp | 17]
{src_ip_spec} [operator port [port]] {dest_ip_spec} [operator port [port]]
[precedence precedence] [tos tos] [capture] [before editbuffer_index |
modify editbuffer_index]
Note
With PFC2, the counters report if a particular ACE was hit during a 300 ms window, but the counters do not indicate how much traffic hit the entry. For example, if you have two flows where one flow is 1000 packets per second and the second flow is 10 packets per second, both flows return the same result with a PFC2. PFC3 and later PFCs do not have this limitation.
Examples
These examples show different ways to use the set security acl ip commands to configure IP security ACLs:
Console> (enable) set security acl ip IPACL1 deny 1.2.3.4 0.0.0.0
IPACL1 editbuffer modified. Use `commit' command to apply changes.
Console> (enable) set security acl ip IPACL1 deny host 171.3.8.2 before 2
IPACL1 editbuffer modified. Use `commit' command to apply changes.
Console> (enable) set security acl ip IPACL1 permit any any
IPACL1 editbuffer modified. Use `commit' command to apply changes.
Console> (enable) set security acl ip IPACL1 redirect 3/1 ip 3.7.1.2 0.0.0.255 host
255.255.255.255 precedence 1 tos min-delay
IPACL1 editbuffer modified. Use `commit' command to apply changes.
Console> (enable) set security acl ip IPACL1 permit ip host 60.1.1.1 host 60.1.1.98
capture
IPACL1 editbuffer modified. Use 'commit' command to apply changes.
This example shows how to create a placeholder for a downloaded ACL:
Console> set security acl ip test include downloaded-acl dot1x
Console> Successfully configured placeholder download ACL test. Use
'commit' command to save changes.
Console> show security acl info test
--------------------------------------------------
3. include downloaded-acl dot1x
Related Commands
clear eou
clear security acl
clear security acl capture-ports
clear security acl map
clear security acl statistics
commit
set eou
set port eou
set security acl map
set security acl capture-ports
show security acl
show security acl capture-ports
show security acl downloaded-acl
set security acl ipx
To create a new entry in a standard IPX VACL and to append the new entry at the end of the VACL, use the set security acl ipx command.
set security acl ipx {acl_name} {permit | deny | redirect mod_num/port_num} {protocol}
{src_net} [dest_net.[dest_node] [[dest_net_mask.]dest_node_mask]] [capture]
[before editbuffer_index | modify editbuffer_index]
Syntax Description
acl_name | Unique name that identifies the list to which the entry belongs.
permit | Allows traffic from the specified source IPX address.
deny | Blocks traffic from the specified source IPX address.
redirect | Redirects traffic from the specified source IPX address.
mod_num/port_num | Number of the module and port.
protocol | Keyword or number of an IPX protocol; valid values are from 0 to 255 representing an IPX protocol number. See the "Usage Guidelines" section for a list of valid keywords and corresponding numbers.
src_net | Number of the network from which the packet is being sent. See the "Usage Guidelines" section for format guidelines.
dest_net. | (Optional) Number of the network to which the packet is being sent.
dest_node | (Optional) Node on the destination network to which the packet is being sent.
dest_net_mask. | (Optional) Mask to be applied to the destination network. See the "Usage Guidelines" section for format guidelines.
dest_node_mask | (Optional) Mask to be applied to the destination node. See the "Usage Guidelines" section for format guidelines.
capture | (Optional) Specifies that packets are switched normally and captured.
before editbuffer_index | (Optional) Inserts the new ACE in front of another ACE.
modify editbuffer_index | (Optional) Replaces an ACE with the new ACE.
Defaults
There are no default ACLs and no default ACL-VLAN mappings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
Configurations you make by entering this command are saved to NVRAM and hardware only after you enter the commit command. Enter ACEs in batches, and then enter the commit command to save all of them in NVRAM and in the hardware.
If you use the capture keyword, the ports that capture the traffic and transmit out are specified by entering the set security acl capture-ports command.
When you enter the ACL name, follow these naming conventions:
• Maximum of 32 characters long and may include a-z, A-Z, 0-9, the dash character (-), the underscore character (_), and the period character (.)
• Must start with an alpha character and must be unique across all ACLs of all types
• Case sensitive
• Cannot be a number
• Must not be a keyword; keywords to avoid are all, default-action, map, help, and editbuffer
Valid protocol keywords include ncp (17), netbios (20), rip (1), sap (4), and spx (5).
The src_net and dest_net variables are eight-digit hexadecimal numbers that uniquely identify network cable segments. When you specify the src_net or dest_net, use the following guidelines:
• It can be a number in the range 0 to FFFFFFFF. A network number of -1 or any matches all networks.
• You do not need to specify leading zeros in the network number. For example, for the network number 000000AA, you can enter AA.
The dest_node is a 48-bit value represented by a dotted triplet of 4-digit hexadecimal numbers (xxxx.xxxx.xxxx).
The dest_net_mask. is an eight-digit hexadecimal mask. Place ones in the bit positions you want to mask. The mask must be immediately followed by a period, which must in turn be immediately followed by the destination-node-mask. You can enter this value only when dest_node is specified.
The dest_node_mask is a 48-bit value represented as a dotted triplet of 4-digit hexadecimal numbers (xxxx.xxxx.xxxx). Place ones in the bit positions you want to mask. You can enter this value only when dest_node is specified.
The dest_net_mask. is an eight-digit hexadecimal number that uniquely identifies the network cable segment. It can be a number in the range 0 to FFFFFFFF. A network number of -1 or any matches all networks. You do not need to specify leading zeros in the network number. For example, for the network number 000000AA, you can enter AA. Following are dest_net_mask. examples:
• 123A
• 123A.1.2.3
• 123A.1.2.3 ffff.ffff.ffff
• 1.2.3.4 ffff.ffff.ffff.ffff
Use the show security acl command to display the list.
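The network, node and mask formats described in the guidelines above are easy to get wrong (leading zeros are optional, `-1` and `any` mean every network, and mask bits set to 1 are the bits that are ignored). The following Python parser and matcher is an added example, not Cisco code and not part of the original reference; it implements those format rules and evaluates a small constructed IPX policy against them. First-match evaluation, deny for unmatched packets, and "a bare destination network matches any node on it" are assumptions the page does not state.

```python
"""Added example (not Cisco code): parse and match the IPX net/node specs of set security acl ipx.
Page semantics modelled: networks are up to 8 hex digits with optional leading zeros,
`-1` or `any` matches every network, a node is xxxx.xxxx.xxxx, and mask bits set to 1
are don't-care bits. Assumptions: ACEs are first-match, no match means deny, and a
destination given as a bare network matches any node on that network."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPX_PROTOCOLS = {"rip": 1, "sap": 4, "spx": 5, "ncp": 17, "netbios": 20}  # keywords from the page
NET_BITS, NODE_BITS = 0xFFFFFFFF, 0xFFFFFFFFFFFF

def parse_net(s: str) -> Tuple[int, int]:
    """Return (net, care_mask): `any`/`-1` care about nothing; `AA` equals `000000AA`."""
    if s.lower() in ("any", "-1"):
        return 0, 0
    net = int(s, 16)
    if not 0 <= net <= NET_BITS:
        raise ValueError(f"network {s!r} is outside 0..FFFFFFFF")
    return net, NET_BITS

def parse_node(parts: List[str]) -> int:
    """xxxx.xxxx.xxxx (three hex groups, leading zeros optional) -> 48-bit integer."""
    if len(parts) != 3:
        raise ValueError("node must be a dotted triplet of hex numbers")
    return (int(parts[0], 16) << 32) | (int(parts[1], 16) << 16) | int(parts[2], 16)

@dataclass
class IpxDest:
    net: int
    net_care: int
    node: Optional[int]        # None: any node on the network
    node_care: int

    @staticmethod
    def parse(spec: str, mask: Optional[str] = None) -> "IpxDest":
        """spec = dest_net[.dest_node]; mask = dest_net_mask.dest_node_mask (ones = masked)."""
        net_s, *node_parts = spec.split(".")
        net, net_care = parse_net(net_s)
        node = parse_node(node_parts) if node_parts else None
        node_care = NODE_BITS
        if mask is not None:
            if node is None:                     # page: mask only allowed with dest_node
                raise ValueError("a mask may only be given when dest_node is specified")
            mask_net, *mask_node = mask.split(".")
            net_care &= ~int(mask_net, 16) & NET_BITS
            node_care = ~parse_node(mask_node) & NODE_BITS
        return IpxDest(net & net_care, net_care, None if node is None else node & node_care, node_care)

    def matches(self, net: int, node: int) -> bool:
        if net & self.net_care != self.net:
            return False
        return self.node is None or node & self.node_care == self.node

@dataclass
class IpxAce:
    action: str
    protocol: int
    src: Tuple[int, int]                         # (net, care_mask)
    dest: Optional[IpxDest]

def parse_ipx_ace(text: str) -> IpxAce:
    """Parse `{permit|deny} {protocol} {src_net} [dest_net[.dest_node] [net_mask.node_mask]]`."""
    tok = text.split()
    proto = IPX_PROTOCOLS.get(tok[1].lower())
    if proto is None:
        proto = int(tok[1])                      # numeric protocol, 0..255
    dest = IpxDest.parse(tok[3], tok[4] if len(tok) > 4 else None) if len(tok) > 3 else None
    return IpxAce(tok[0], proto, parse_net(tok[2]), dest)

def decide(aces: List[IpxAce], protocol: str, src_net: str, dst: str) -> str:
    """First matching ACE decides; dst must be a full `net.node` address."""
    proto = IPX_PROTOCOLS[protocol]
    snet, _ = parse_net(src_net)
    dnet_s, *dnode = dst.split(".")
    dnet, dnode_i = int(dnet_s, 16), parse_node(dnode)
    for ace in aces:
        if ace.protocol != proto or snet & ace.src[1] != ace.src[0]:
            continue
        if ace.dest is None or ace.dest.matches(dnet, dnode_i):
            return ace.action
    return "deny"

# Constructed policy: protect one NCP server node, block SAP to the server network,
# allow NCP to the rest of that network, and allow SPX from net AA to any node that
# differs from the server only in the last 16 bits (node mask ffff on the last group).
POLICY = [parse_ipx_ace(t) for t in (
    "deny ncp any 123A.0000.0c12.3456 00000000.0000.0000.0000",
    "deny sap -1 123A",
    "permit ncp any 123A",
    "permit spx AA 123A.0000.0c12.3456 00000000.0000.0000.ffff",
)]
```

Note that `AA` and `000000AA` parse to the same network, which is why the policy's last entry matches a source written either way, and that the all-zero mask on the first entry makes it an exact match on both network and node.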
Examples
This example shows how to block traffic from a specified source IPX address:
Console> (enable) set security acl ipx IPXACL1 deny 1.a
IPXACL1 editbuffer modified. Use `commit' command to apply changes.
This example shows how to deny traffic from hosts in a specific subnet (10.1.2.0/8):
Console> (enable) set security acl ipx SERVER deny ip 10.1.2.0 0.0.0.255 host 10.1.1.100
IPXACL1 editbuffer modified. Use `commit' command to apply changes.
Related Commands
clear security acl
clear security acl capture-ports
clear security acl map
commit
set security acl map
set security acl capture-ports
show security acl
show security acl capture-ports
set security acl log
To configure the security ACL log table, use the set security acl log command.
set security acl log maxflow max_flows
set security acl log ratelimit max_rate
Syntax Description
maxflow max_flows | Specifies the maximum flow pattern number in packets per second; valid values are from 256 to 2048.
ratelimit max_rate | Specifies the redirect rate in packets per second; valid values are 0 and from 500 to 5000. See the "Usage Guidelines" section for more information.
Defaults
The default max_flows is 500 packets per second, and the default ratelimit is 2500 packets per second.
Command Types
Switch command.
Command Modes
Normal.
Usage Guidelines
This command is supported only on systems configured with Supervisor Engine 2 with Layer 3 Switching Engine II (PFC2).
The set security acl log maxflow command tries to allocate a new log table, sized by the maximum flow pattern number, to store logged packet information. If the allocation succeeds, the new buffer replaces the old one and all flows in the old table are cleared. If there is not enough memory or the maximum number exceeds the limit, an error message is displayed and the command is dropped.
The set security acl log ratelimit command tries to set the redirect rate in packets per second. If the configuration is over the range, the command is discarded and the range is displayed on the console.
If you want to disable rate limiting for VACL logging, enter a rate argument of 0.
Examples
This example shows how to set the maximum flow:
Console> (enable) set security acl log maxflow 322
Log table size set to 322 flow entries.
This example shows how to set the rate limit:
Console> (enable) set security acl log ratelimit 3444
Max logging eligible packet rate set to 3444pps.
This example shows how to disable rate limiting:
Console> (enable) set security acl log ratelimit 0
CAUTION: Rate limit for logging eligible packet is disabled.
2003 Apr 07 07:13:36 %ACL-4-VACLLOGRATELIMITDISABLED:VACL Logging rate limit disabled
Related Commands
clear security acl log flow
show security acl log
set security acl mac
To create a new entry in a non-IP or non-IPX protocol VACL and to append the new entry at the end of the VACL, use the set security acl mac command.
set security acl mac {acl_name} {permit | deny} {src_mac_addr_spec}
{dest_mac_addr_spec} [ethertype] [cos cos_value] [vlan vlan] [capture]
[before editbuffer_index | modify editbuffer_index]
Syntax Description
acl_name | Unique name that identifies the list to which the entry belongs.
permit | Allows traffic from the specified source MAC address.
deny | Blocks traffic from the specified source MAC address.
src_mac_addr_spec | Source MAC address and mask in the form source_mac_address source_mac_address_mask.
dest_mac_addr_spec | Destination MAC address and mask.
ethertype | (Optional) Number or name that matches the Ethertype for Ethernet-encapsulated packets; valid values are 0x0600, 0x0601, 0x0BAD, 0x0BAF, 0x6000-0x6009, 0x8038-0x8042, 0x809b, and 0x80f3. See the "Usage Guidelines" section for a list of valid names.
cos cos_value | (Optional) Specifies the CoS value; valid values are from 0 to 7.
vlan vlan | (Optional) Specifies a VLAN; valid values are from 1 to 4094.
capture | (Optional) Specifies packets are switched normally and captured.
before editbuffer_index | (Optional) Inserts the new ACE in front of another ACE.
modify editbuffer_index | (Optional) Replaces an ACE with the new ACE.
Defaults
There are no default ACLs and no default ACL-VLAN mappings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
Configurations you make by entering this command are saved to NVRAM and hardware only after you enter the commit command. Enter ACEs in batches, and then enter the commit command to save all of them in NVRAM and in the hardware.
If you use the capture keyword, the ports that capture the traffic and transmit out are specified by entering the set security acl capture-ports command.
When you enter the ACL name, follow these naming conventions:
• Maximum of 32 characters long and may include a-z, A-Z, 0-9, the dash character (-), the underscore character (_), and the period character (.)
• Must start with an alpha character and must be unique across all ACLs of all types
• Case sensitive
• Cannot be a number
• Must not be a keyword; keywords to avoid are all, default-action, map, help, and editbuffer
The src_mac_addr_spec is a 48-bit source MAC address and mask, entered in the form source_mac_address source_mac_address_mask (for example, 08-11-22-33-44-55 ff-ff-ff-ff-ff-ff). Place ones in the bit positions you want to mask. When you specify the src_mac_addr_spec, follow these guidelines:
• The source_mask is required; 0 indicates a care bit; 1 indicates a don't-care bit.
• Use a 32-bit quantity in four-part dotted-decimal format.
• Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
• Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
The dest_mac_spec is a 48-bit destination MAC address and mask, entered in the form dest_mac_address dest_mac_address_mask (for example, 08-00-00-00-02-00/ff-ff-ff-00-00-00). Place ones in the bit positions you want to mask. The destination mask is mandatory. When you specify the dest_mac_spec, use the following guidelines:
• Use a 48-bit quantity in 6-part dotted-hexadecimal format for a source address and mask.
• Use the keyword any as an abbreviation for a source and source-wildcard of 0-0-0-0-0-0 ff-ff-ff-ff-ff-ff.
• Use host source as an abbreviation for a destination and destination-wildcard of destination 0-0-0-0-0-0.
Valid names for Ethertypes (and corresponding numbers) are EtherTalk (0x809B), AARP (0x8053), dec-mop-dump (0x6001), dec-mop-remote-console (0x6002), dec-phase-iv (0x6003), dec-lat (0x6004), dec-diagnostic-protocol (0x6005), dec-lavc-sca (0x6007), dec-amber (0x6008), dec-mumps (0x6009), dec-lanbridge (0x8038), dec-dsm (0x8039), dec-netbios (0x8040), dec-msdos (0x8041), banyan-vines-echo (0x0baf), xerox-ns-idp (0x0600), xerox-address-translation (0x0601), and IPv4 (0x8000).
Use the show security acl command to display the list.
Note
With PFC2, the counters report if a particular ACE was hit during a 300 ms window, but the counters do not indicate how much traffic hit the entry. For example, if you have two flows where one flow is 1000 packets per second and the second flow is 10 packets per second, both flows return the same result with a PFC2. PFC3 and later PFCs do not have this limitation.
Examples
This example shows how to block traffic from a specified source MAC address:
Console> (enable) set security acl mac MACACL1 deny 01-02-02-03-04-05
MACACL1 editbuffer modified. Use `commit' command to apply changes.
Related Commands
clear security acl
clear security acl capture-ports
clear security acl map
commit
set security acl map
set security acl capture-ports
show security acl
show security acl capture-ports
set security acl map
To map an existing ACL to a port or to a VLAN or to enable ACL statistics, use the set security acl map command.
set security acl map acl_name {mod/port | vlans} [statistics {enable | disable}]
Syntax Description
acl_name | Unique name that identifies the list to which the entry belongs.
mod/port | Number of the module and the port on the module.
vlans | Number of the VLANs to be mapped to the VACL; valid values are from 1 to 4094.
statistics | (Optional) Specifies ACL statistics on a per-VLAN basis.
enable | Enables ACL statistics on a per-VLAN basis.
disable | Disables ACL statistics on a per-VLAN basis.
Defaults
There are no default ACLs and no default ACL-to-VLAN mappings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
When you use this command, the configurations are saved in NVRAM. This command does not require that you enter the commit command. Each VLAN can be mapped to only one ACL of each type (IP, IPX, and MAC). An ACL can be mapped to a VLAN only after you have committed the ACL.
When you enter the ACL name, follow these naming conventions:
• Maximum of 32 characters long and may include a-z, A-Z, 0-9, the dash character (-), the underscore character (_), and the period character (.)
• Must start with an alpha character and must be unique across all ACLs of all types
• Case sensitive
• Cannot be a number
• Must not be a keyword; keywords to avoid are all, default-action, map, help, and editbuffer
Caution
Use the copy command to save the ACL configuration to Flash memory.
You can map an ACL to a port even if the port is in VLAN-based PACL mode. In such cases, the configuration is committed to NVRAM and is later restored to the hardware when the port is changed to port-based or merge mode.
Note
Mapping an ACL to a port is only available with a Supervisor Engine 720.
If per-VLAN statistics are enabled on a VLAN, subsequent maps configured on the same VLAN will also have per-VLAN statistics enabled. If per-VLAN statistics are disabled on a VLAN, previous maps configured on the same VLAN will also have per-VLAN statistics disabled.
For example, if you enter the set security acl map ip1 1 statistics enable command followed by the set security acl map mac1 1 command, the mac1 ACL will also have per-VLAN statistics enabled.
If you enter the set security acl map ip1 1 statistics enable command followed by the set security acl map mac1 1 statistics disable command, the ip1 ACL will also have per-VLAN statistics disabled.
Note
In the per-VLAN mode, label sharing is disabled resulting in more labels being used.
Note
With a PFC2, the counters report if a particular ACE was hit during a 300 ms window, but the counters do not indicate how much traffic hit the entry. For example, if you have two flows where one flow is 1000 packets per second and the second flow is 10 packets per second, both flows return the same result on a PFC2. The PFC3 and later PFCs do not have this limitation.
Examples
This example shows how to map an existing ACL to a VLAN:
Console> (enable) set security acl map IPACL1 1
ACL IPACL1 mapped to vlan 1
This example shows the output if you try to map an ACL that has not been committed:
Console> (enable) set security acl map IPACL1 1
Commit ACL IPACL1 before mapping.
This example shows the output if you try to map an ACL that is already mapped to a VLAN for the ACL type (IP, IPX, or MAC):
Console> (enable) set security acl map IPACL2 1
Mapping for this type already exists for this VLAN.
This example shows how to map an ACL to a port:
Console> (enable) set security acl map ipacl1 3/1
ACL ipacl1 is successfully mapped to port(s) 3/1.
This example shows how to enable ACL statistics on a per-VLAN basis:
Console> (enable) set security acl map ACL1 1 statistics enable
ACL ACL1 successfully mapped to VLAN 1.
Related Commands
clear security acl
clear security acl map
commit
set port security-acl
show port security-acl
show security acl
show security acl map
set security acl statistics
To enable aggregated ACL statistics on a per-ACL basis, use the set security acl statistics command.
set security acl statistics {all | acl_name}
Syntax Description
all | Enables aggregated ACL statistics on all ACLs.
acl_name | Name of the ACL.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
In aggregated statistics mode, the statistics are enabled for all the ACEs in the specified ACL. This command is effective only after you enter the commit command to commit all ACEs to NVRAM.
This command overwrites the per-ACE command, set security acl ip/mac acl_name ... [statistics].
The aggregated statistics mode disables the merge optimization and can result in a larger number of ACEs. In some cases, an ACL that was previously installed in the TCAM might not fit in the TCAM after aggregated statistics mode is enabled.
Note
With a PFC2, the counters report if a particular ACE was hit during a 300 ms window, but the counters do not indicate how much traffic hit the entry. For example, if you have two flows where one flow is 1000 packets per second and the second flow is 10 packets per second, both flows return the same result on a PFC2. The PFC3 and later PFCs do not have this limitation.
Examples
This example shows how to enable aggregated ACL statistics on a per-ACL basis:
Console> (enable) set security acl statistics ACL1
ACL1 editbuffer modified. Use 'commit' command to save changes.
Console> (enable) commit security acl ACL1
ACL 'ACL1' successfully committed.
Console> (enable)
Related Commands
clear security acl counters
clear security acl statistics
set snmp
To enable or disable the processing of SNMP requests to the switch and SNMP traps from the switch, use the set snmp command.
set snmp {enable | disable}
Syntax Description
enable | Enables SNMP processing.
disable | Disables SNMP processing.
Defaults
By default, SNMP processing is enabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
When SNMP processing is enabled, the switch processes SNMP inquiries and sends out SNMP traps if there are no conflicts with other SNMP configurations. When SNMP processing is disabled, the switch ignores SNMP requests and no SNMP traps are sent out, regardless of other SNMP configurations.
Whether SNMP processing is enabled or disabled, you can change other SNMP configurations, and RMON-related processes are not affected.
The SNMP ifIndex persistence feature is always enabled. With the ifIndex persistence feature, the ifIndex value of the port and VLAN is always retained and used after the following occurrences:
• Switch reboot
• High-availability switchover
• Software upgrade
• Module reset
• Module removal and insertion of the same type of module
For Fast EtherChannel and Gigabit EtherChannel interfaces, the ifIndex value is only retained and used after a high-availability switchover.
Examples
This example shows how to disable SNMP processing:
Console> (enable) set snmp disable
Related Commands
show snmp
set snmp access
To define the access rights of an SNMP group, use the set snmp access command.
set snmp access [-hex] {groupname} {security-model {v1 | v2c}}
[read [-hex] {readview}] [write [-hex] {writeview}] [notify [-hex] {notifyview}]
[volatile | nonvolatile]
set snmp access [-hex] {groupname} {security-model v3 {noauthentication |
authentication | privacy}} [read [-hex] {readview}] [write [-hex] {writeview}]
[notify [-hex] {notifyview}] [context [-hex] contextname [exact | prefix]] [volatile |
nonvolatile]
Syntax Description
-hex | (Optional) Displays the groupname, readview, writeview, notifyview, and contextname in a hexadecimal format.
groupname | Name of the SNMP group.
security-model {v1 | v2c} | Specifies security-model v1 or v2c.
read readview | (Optional) Specifies the name of the view that allows you to see the MIB objects.
write writeview | (Optional) Specifies the name of the view that allows you to configure the contents of the agent.
notify notifyview | (Optional) Specifies the name of the view that allows you to send a trap about MIB objects.
v3 | Specifies security model v3.
noauthentication | Specifies that the security model does not use an authentication protocol.
authentication | Specifies the type of authentication protocol.
privacy | Specifies that the messages sent on behalf of the user are protected from disclosure.
volatile | (Optional) Specifies that the storage type is defined as temporary memory and the content is deleted if the device is turned off.
nonvolatile | (Optional) Specifies that the storage type is defined as persistent memory and the content remains after the device is turned off and on again.
context contextname | (Optional) Specifies the name of the context string and the way to match the context string; maximum of 32 characters.
exact | (Optional) Specifies that an exact match between the contextname and the value of vacmAccessContextPrefix is required to select this entry.
prefix | (Optional) Specifies that only a match between vacmAccessContextPrefix and the starting portion of contextname is required to select this entry.
Defaults
The defaults are as follows:
• storage type is nonvolatile.
• read readview is Internet OID space.
• write writeview is NULL OID.
• notify notifyview is NULL OID.
• context contextname is a NULL string.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
If you use special characters for groupname, readview, writeview, and notifyview (nonprintable delimiters for these parameters), you must use a hexadecimal keyword, which is one or two hexadecimal digits separated by a colon (:); for example, 00:ab:34.
readview is assumed to be every object belonging to the Internet (1.3.6.1) OID space; you can use the read option to override this state.
For writeview, you must also configure write access.
For notifyview, if a view is specified, any notifications in that view are sent to all users associated with the group. (An SNMP server host configuration must exist for the user.)
For contextname, the string is treated as either a full context name or the prefix of a context name, depending on whether you enter the exact or prefix keyword. The prefix keyword allows a simple form of wildcarding. For example, if you enter a contextname of vlan, both vlan-1 and vlan-100 will be selected.
If you do not enter a context name, a NULL context string is used.
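The guidelines above describe two details that are easy to misconfigure: the colon-separated hexadecimal form used with -hex, and the difference between exact and prefix context matching. The Python model below is an added example, not Cisco code and not part of the original reference; it decodes the hexadecimal form and selects the access entry that governs a request by group, security model, security level and context, using the page's defaults (readview internet, writeview and notifyview NULL, NULL context). The tie-break between several matching entries (exact before prefix, then the longest prefix) follows the vacmAccessTable selection order of RFC 3415 and is an assumption the page does not state.

```python
"""Added example (not Cisco code): decode the -hex keyword form and select an SNMP access
entry by group, security model/level and context, with exact and prefix context matching
as the page describes. Tie-break order (exact over prefix, then longest prefix, then the
highest minimum level) follows RFC 3415; the page itself states no tie-break."""
from dataclasses import dataclass
from typing import List, Optional

LEVELS = {"noauthentication": 0, "authentication": 1, "privacy": 2}

def decode_hex_keyword(s: str) -> bytes:
    """'00:ab:34' -> the three bytes 0x00 0xab 0x34 (one or two hex digits per group)."""
    groups = s.split(":")
    if any(not 1 <= len(g) <= 2 for g in groups):
        raise ValueError(f"each colon-separated group must be one or two hex digits: {s!r}")
    return bytes(int(g, 16) for g in groups)

@dataclass
class AccessEntry:
    group: str
    security_model: str               # v1 | v2c | v3
    level: str = "noauthentication"   # minimum level; v1/v2c entries use noauthentication
    context: str = ""                 # page default: NULL string
    match: str = "exact"              # exact | prefix
    readview: str = "internet"        # page default: the Internet OID space
    writeview: Optional[str] = None   # page default: NULL OID
    notifyview: Optional[str] = None  # page default: NULL OID

    def context_matches(self, name: str) -> bool:
        if self.match == "exact":
            return name == self.context
        return name.startswith(self.context)      # e.g. `vlan` selects vlan-1 and vlan-100

def select_access(entries: List[AccessEntry], group: str, model: str, level: str,
                  context: str) -> Optional[AccessEntry]:
    """Return the entry that governs a request, or None if no entry applies."""
    candidates = [e for e in entries
                  if e.group == group and e.security_model == model
                  and LEVELS[e.level] <= LEVELS[level]     # entry's minimum level satisfied
                  and e.context_matches(context)]
    if not candidates:
        return None
    return max(candidates, key=lambda e: (e.match == "exact", len(e.context), LEVELS[e.level]))

# Constructed table built around the page's example group and its `vlan` prefix illustration.
TABLE = [
    AccessEntry("cisco-group", "v3", "authentication", context="vlan", match="prefix"),
    AccessEntry("cisco-group", "v3", "privacy", context="vlan-1", match="exact", writeview="internet"),
    AccessEntry("cisco-group", "v3", "authentication"),
]
```

The second entry shows the security-relevant consequence of the level field: write access to vlan-1 is only granted to a request sent with privacy, while an authentication-only request to the same context falls back to the read-only prefix entry.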
Examples
This example shows how to set the SNMP access rights for a group:
Console> (enable) set snmp access cisco-group security-model v3 authentication
SNMP access group was set to cisco-group version v3 level authentication, readview
internet, nonvolatile.
Related Commands
clear snmp access
show snmp access
show snmp context
set snmp access-list
To specify an access list number for a host or group of hosts, use the set snmp access-list command.
set snmp access-list access_number IP_address [ipmask maskaddr]
Syntax Description
access_number | Number that specifies a list of hosts that are permitted to use a specific community string; valid values are 1 to 65535.
IP_address | IP address that is associated with the access list. See the "Usage Guidelines" section for more information.
ipmask maskaddr | (Optional) Sets a mask for the IP address. See the "Usage Guidelines" section for more information.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
If you want to associate multiple IP addresses to the same access list, you must enter one IP address at a time in the CLI.
If you use an access list number that is already in use, the new IP addresses are appended to the access list. You can clear one or more IP addresses associated with an access list by entering the clear snmp access-list command.
The maskaddr variable is in the format xxx.xxx.xxx.xxx.
Examples
This example shows how to associate the IP address of a host to access list number 1:
Console> (enable) set snmp access-list 1 172.20.60.100
Host 172.20.60.100 is associated with access number 1.
This example shows how to associate multiple IP addresses to access list number 1:
Console> (enable) set snmp access-list 1 10.1.1.1
Console> (enable) set snmp access-list 1 10.1.1.2
Console> (enable) set snmp access-list 1 10.1.1.3
This example shows how to associate the IP address and subnet mask of a host to access list number 2:
Console> (enable) set snmp access-list 2 172.20.60.100 ipmask 255.0.0.0
Access number 2 has been created with new IP Address 172.20.60.100 mask 255.0.0.0
Related Commands
clear snmp access-list
show snmp access-list
set snmp buffer
To set the size of the SNMP UDP socket receive buffer, use the set snmp buffer command.
set snmp buffer {packets}
Syntax Description
packets | Number of packets allowed in the buffer; valid values are from 32 to 95.
Defaults
95 packets.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You can adjust the SNMP UDP socket receive buffer up to 95 packets by using the set snmp buffer command.
Examples
This example shows how to set the SNMP UDP socket receive buffer to 45:
Console> (enable) set snmp buffer 45
SNMP socket receive buffer set to 45 packets.
This example shows the error message that displays when you try to set the SNMP UDP socket receive buffer above the valid range:
Console> (enable) set snmp buffer 100
Invalid input. Must be an integer between 32 and 95.
Related Commands
show snmp buffer
set snmp chassis-alias
To set the chassis alias and save it in NVRAM and in the configuration file, use the set snmp chassis-alias command.
set snmp chassis-alias [chassisAlias]
Syntax Description
chassisAlias | (Optional) Chassis entPhysicalAlias. See the "Usage Guidelines" section for more information about setting the chassis alias.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The chassisAlias value must be from 0 to 32 characters.
To clear the current chassisAlias value, enter the set snmp chassis-alias command without entering a chassisAlias value.
Examples
This example shows how to set the chassis alias:
Console> (enable) set snmp chassis-alias my chassis
SNMP chassis entPhysicalAlias set to 'my chassis'.
This example shows how to clear the chassis alias:
Console> (enable) set snmp chassis-alias
SNMP chassis entPhysicalAlias cleared.
This example shows the message that appears when you attempt to set a chassis alias that exceeds 32 characters:
Console> (enable) set snmp chassis-alias 123456789123456789123456789123456789
Chassis entPhysicalAlias must be less than 33 characters.
Related Commands
show snmp
set snmp community
To set SNMP communities and associated access types, use the set snmp community command.
set snmp community {read-only | read-write | read-write-all} [community_string]
set snmp community index [-hex] index-name name community_string security [-hex]
security-name [context [-hex] context-name] [volatile | nonvolatile]
[transporttag [-hex] tag-value]
Syntax Description
read-only | Assigns read-only access to the specified SNMP community.
read-write | Assigns read-write access to the specified SNMP community.
read-write-all | Assigns read-write access to the specified SNMP community.
community_string | (Optional) Name of the SNMP community.
index | Sets the SNMP community index.
-hex | (Optional) Specifies the SNMP community index in hexadecimal format.
index-name | SNMP community index name.
name | Sets the SNMP community name.
security | Sets the SNMP community security name.
security-name | SNMP community security name.
context | (Optional) Sets the SNMP context name.
context-name | (Optional) SNMP community context name.
volatile | (Optional) Specifies that the storage type is defined as temporary memory and the content is deleted if the device is turned off.
nonvolatile | (Optional) Specifies that the storage type is defined as persistent memory and the content remains after the device is turned off and on again.
transporttag | (Optional) Specifies SNMP transport endpoints.
tag-value | (Optional) Transport tag value.
Defaults
By default, the following communities and access types are defined:
• public: read-only
• private: read-write
• secret: read-write-all
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
There are three configurable SNMP communities, one for each access type. If you do not specify the community string, the community string configured for that access type is cleared.
The community_string variable cannot contain the @ symbol.
To support the access types, you also need to configure four MIB tables: vacmContextTable, vacmSecurityToGroupTable, vacmAccessTable, and vacmViewTreeFamilyTable. Use the clear config snmp command to reset these tables to the default values.
Examples
This example shows how to set read-write access to the SNMP community called yappledapple:
Console> (enable) set snmp community read-write yappledapple
SNMP read-write community string set to yappledapple.
This example shows how to clear the community string defined for read-only access:
Console> (enable) set snmp community read-only
SNMP read-only community string cleared.
Related Commands
clear config
clear snmp community
show snmp
show snmp community
set snmp community-ext
To set additional community strings, use the set snmp community-ext command.
set snmp community-ext community_string {read-only | read-write | read-write-all}
[view view_oid] [access access_number]
Syntax Description
community_string | Name of the SNMP community.
read-only | Assigns read-only access to the specified SNMP community.
read-write | Assigns read-write access to the specified SNMP community.
read-write-all | Assigns read-write access to the specified SNMP community.
view view_oid | (Optional) Restricts the community string to a view. See the "Usage Guidelines" section for more information.
access access_number | (Optional) Restricts the community string to an access number; valid values are from 1 to 65335.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
Adding a new community string using the set snmp community-ext command creates the appropriate entries in the snmpCommunityTable and vacmSecurityToGroupTable, and in the vacmAccessTable if a view is specified.
An example of a view_oid value is 1.3.6.1.2.1.
Examples
This example shows how to set an additional SNMP community string:
Console> (enable) set snmp community-ext public1 read-only
Community string public1 is created with access type as read-only
This example shows how to restrict the community string to an access number:
Console> (enable) set snmp community-ext private1 read-write access 2
Community string private1 is created with access type as read-write access
This example shows how to change the access number to the community string:
Console> (enable) set snmp community-ext private1 read-write access 3
Community string private1 is updated with access type as read-write access
Related Commands
clear snmp community-ext
set snmp extendedrmon netflow
To enable or disable the SNMP extended RMON support for the NAM module, use the set snmp extendedrmon netflow command.
set snmp extendedrmon netflow {enable | disable} {mod}
Syntax Description
enable: Enables the extended RMON support.
disable: Disables the extended RMON support.
mod: Module number of the extended RMON NAM.
Defaults
The default is SNMP-extended RMON NetFlow is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Examples
This example shows how to enable SNMP-extended RMON NetFlow support:
Console> (enable) set snmp extendedrmon netflow enable 2
Snmp extended RMON netflow enabled
This example shows how to disable SNMP-extended RMON NetFlow support:
Console> (enable) set snmp extendedrmon netflow disable 2
Snmp extended RMON netflow disabled
This example shows the response when the SNMP-extended RMON NetFlow feature is not supported:
Console> (enable) set snmp extendedrmon enable 4
NAM card is not installed.
Console> (enable)
Related Commands
set snmp rmon
show snmp
set snmp group
To establish the relationship between an SNMP group and a user with a specific security model, use the set snmp group command.
set snmp group [-hex] {groupname} user [-hex] {username}
{security-model {v1 | v2c | v3}} [volatile | nonvolatile]
Syntax Description
-hex: (Optional) Displays the groupname and username in a hexadecimal format.
groupname: Name of the SNMP group that defines an access control; the maximum length is 32 bytes.
user: Specifies the SNMP group username.
username: Name of the SNMP user that belongs to the SNMP group; the maximum length is 32 bytes.
security-model v1 | v2c | v3: Specifies security-model v1, v2c, or v3.
volatile: (Optional) Specifies that the storage type is defined as temporary memory and the content is deleted if the device is turned off.
nonvolatile: (Optional) Specifies that the storage type is defined as persistent memory and the content remains after the device is turned off and on again.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
If you use special characters for groupname or username (nonprintable delimiters for these parameters), you must use a hexadecimal keyword, which is one or two hexadecimal digits separated by a colon (:); for example, 00:ab:34.
Examples
This example shows how to set the SNMP group:
Console> (enable) set snmp group cisco-group user joe security-model v3
SNMP group was set to cisco-group user joe and version v3,nonvolatile.
Related Commands
clear snmp group
show snmp group
set snmp ifalias
To set the SNMP interface alias, use the set snmp ifalias command.
set snmp ifalias {ifIndex} [ifAlias]
Syntax Description
ifIndex: Interface index number.
ifAlias: (Optional) Name of the interface alias. See the "Usage Guidelines" section for more information.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The ifAlias string can contain 0 to 64 characters.
Examples
This example shows how to set the SNMP interface alias:
Console> (enable) set snmp ifalias 1 Inband port
Related Commands
clear snmp ifalias
show snmp ifalias
set snmp inform
To configure the handling of SNMP inform requests, use the set snmp inform command.
set snmp inform value
set snmp inform rcvr_address rcvr_community [port rcvr_port] [index rcvr_index]
Syntax Description
value: Number of SNMP inform requests that are kept in the inform request queue; valid values are from 25 to 65536.
rcvr_address: IP address or IP alias of the SNMP host that will receive the SNMP inform request.
rcvr_community: Community string that will receive the SNMP inform request.
port rcvr_port: (Optional) Specifies the UDP port for the SNMP inform request.
index rcvr_index: (Optional) Specifies the index for the SNMP inform request; valid values are from 1 to 65535.
Defaults
100 SNMP inform requests are kept in the SNMP inform request queue.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The switch can send notifications to SNMP managers when particular events occur. For example, an SNMP agent switch might send a message to an SNMP manager when the agent switch experiences an error condition.
SNMP notifications can be sent as traps or inform requests. Inform requests are more reliable than traps because the receiver sends a response when it gets an inform request. However, the receiver does not send a response when it gets a trap. The switch discards the trap after it is sent.
With the SNMP inform request feature, the switch sends the inform request to the SNMP manager and waits for an SNMP response PDU from the manager. If the switch never receives a response, it resends the inform request. Use the set snmp targetaddr command to configure how long the switch waits for a response before resending the inform request, and how long the request stays in the queue before it times out.
Sending SNMP inform requests consumes more resources in the switch and in the network than sending SNMP traps. Unlike a trap, an inform request must be held in memory until a response is received or the request times out.
If it is important that the SNMP manager receives every notification, use inform requests.
Setting the inform request queue size limits the number of inform requests that stay in the queue. Without such a limit, switch memory is consumed quickly, especially if the timeout value is too small, the retry value is too large, or the SNMP inform request receiver is unreachable.
If the number of inform requests that are pending in the queue exceeds the configured limit, the oldest inform request is removed to free up space for new inform requests.
Examples
This example shows how to configure the number of inform requests that will stay in the queue:
Console> (enable) set snmp inform 150
Size of inform queue has been set to 150
Related Commands
clear snmp inform
set snmp trap
set snmp targetaddr
show snmp inform
set snmp notify
To set the notifyname entry in the snmpNotifyTable and the notifytag entry in the snmpTargetAddrTable, use the set snmp notify command.
set snmp notify [-hex] {notifyname} tag [-hex] {notifytag}
[trap | inform] [volatile | nonvolatile]
Syntax Description
-hex: (Optional) Displays the notifyname and notifytag in a hexadecimal format.
notifyname: Identifier to index the snmpNotifyTable.
tag: Specifies the tag name in the taglist.
notifytag: Name of entries in the snmpTargetAddrTable.
trap: (Optional) Specifies all messages that contain snmpv2-Trap PDUs.
inform: (Optional) Specifies all messages that contain InformRequest PDUs.
volatile: (Optional) Specifies that the storage type is defined as temporary memory and the content is deleted if the device is turned off.
nonvolatile: (Optional) Specifies that the storage type is defined as persistent memory and the content remains after the device is turned off and on again.
Defaults
The default storage type is volatile and the default notify type is trap.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
If you use special characters for the notifyname and notifytag (nonprintable delimiters for these parameters), you must use a hexadecimal keyword, which is one or two hexadecimal digits separated by a colon (:); for example, 00:ab:34.
Examples
This example shows how to set the SNMP notify for a specific notifyname:
Console> (enable) set snmp notify hello tag world inform
SNMP notify name was set to hello with tag world notifyType inform, and storageType
nonvolatile.
Related Commands
clear snmp notify
show snmp notify
set snmp rmon
To enable or disable SNMP RMON support, use the set snmp rmon command.
set snmp rmon {enable | disable}
Syntax Description
enable: Activates SNMP RMON support.
disable: Deactivates SNMP RMON support.
Defaults
The default is RMON support is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
RMON statistics are collected on a segment basis.
The RMON feature deinstalls all of the domains for all of the interfaces on an Ethernet module that has been removed from the system.
When you enable RMON, the supported RMON groups for Ethernet ports are Statistics, History, Alarms, and Events as specified in RFC 1757.
Use of this command requires a separate software license.
Examples
This example shows how to enable RMON support:
Console> (enable) set snmp rmon enable
SNMP RMON support enabled.
This example shows how to disable RMON support:
Console> (enable) set snmp rmon disable
SNMP RMON support disabled.
Related Commands
show port counters
set snmp rmonmemory
To set the memory usage limit in percentage, use the set snmp rmonmemory command.
set snmp rmonmemory percentage
Syntax Description
percentage: Memory usage limit; see the "Usage Guidelines" section for additional information.
Defaults
The default is 85 percent.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
Setting the percentage value to 85 does not mean that RMON can use 85 percent of memory. It means that you cannot create new RMON entries or restore entries from NVRAM if DRAM memory usage exceeds or would exceed 85 percent.
If you expect the device to run other sessions such as Telnet, set a lower memory limit. Otherwise, new Telnet sessions may fail because not enough memory is available.
Examples
This example shows how to set the memory usage limit:
Console> (enable) set snmp rmonmemory 90
Related Commands
show snmp rmonmemory
set snmp targetaddr
To configure the SNMP target address entries in the snmpTargetAddressTable, use the set snmp targetaddr command.
set snmp targetaddr [-hex] {addrname} param [-hex] {paramsname} {ipaddr}
[udpport {port}] [timeout {value}] [retries {value}] [volatile | nonvolatile]
[taglist {[-hex] tag}] [[-hex] tag tagvalue]
Syntax Description
-hex: (Optional) Displays addrname, paramsname, tagvalue, and tag in a hexadecimal format.
addrname: Unique identifier to index the snmpTargetAddrTable; the maximum length is 32 bytes.
param: Specifies an entry in the snmpTargetParamsTable that provides parameters to be used when generating a message to the target; the maximum length is 32 bytes.
paramsname: Entry in the snmpTargetParamsTable; the maximum length is 32 bytes.
ipaddr: IP address of the target.
udpport port: (Optional) Specifies which UDP port of the target host to use.
timeout value: (Optional) Specifies the timeout value; the switch waits this long for a response before resending an inform request (see the set snmp inform command).
retries value: (Optional) Specifies the number of retries.
volatile: (Optional) Specifies that the storage type is defined as temporary memory and the content is deleted if the device is turned off.
nonvolatile: (Optional) Specifies that the storage type is defined as persistent memory and the content remains after the device is turned off and on again.
taglist tag: (Optional) Specifies a tag name in the taglist.
tag tagvalue: (Optional) Specifies the tag name.
Defaults
The defaults are as follows:
• storage type is nonvolatile.
• udpport is 162.
• timeout is 1500.
• retries is 3.
• taglist is NULL.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
If you use special characters for the addrname, paramsname, tag, and tagvalue (nonprintable delimiters for these parameters), you must use a hexadecimal keyword, which is one or two hexadecimal digits separated by a colon (:); for example, 00:ab:34.
The maximum tagvalue and taglist length is 255 bytes.
Examples
This example shows how to set the target address in the snmpTargetAddressTable:
Console> (enable) set snmp targetaddr foo param bar 10.1.2.4 udp 160 timeout 10 retries 3
taglist tag1 tag2 tag3
SNMP targetaddr name was set to foo with param bar ipAddr 10.1.2.4, udpport 160, timeout
10, retries 3, storageType nonvolatile with taglist tag1 tag2 tag3.
Related Commands
clear snmp targetaddr
show snmp targetaddr
set snmp targetparams
To configure the SNMP parameters used in the snmpTargetParamsTable when generating a message to a target, use the set snmp targetparams command.
set snmp targetparams [-hex] {paramsname} user [-hex] {username} {security-model {v1 |
v2c}} {message-processing {v1 | v2c | v3}} [volatile | nonvolatile]
set snmp targetparams [-hex] {paramsname} user [-hex] {username} {security-model v3}
{message-processing v3 {noauthentication | authentication | privacy}} [volatile |
nonvolatile]
Syntax Description
-hex: (Optional) Displays the paramsname and username in a hexadecimal format.
paramsname: Name of the parameter in the snmpTargetParamsTable; the maximum length is 32 bytes.
user: Specifies the SNMP group username.
username: Name of the SNMP user that belongs to the SNMP group; the maximum length is 32 bytes.
security-model v1 | v2c: Specifies security-model v1 or v2c.
message-processing v1 | v2c | v3: Specifies the version number used by the message processing model.
security-model v3: Specifies security-model v3.
message-processing v3: Specifies v3 is used by the message-processing model.
noauthentication: Specifies the security model is not set to use the authentication protocol.
authentication: Specifies the type of authentication protocol.
privacy: Specifies the messages sent on behalf of the user are protected from disclosure.
volatile: (Optional) Specifies that the storage type is defined as temporary memory and the content is deleted if the device is turned off.
nonvolatile: (Optional) Specifies that the storage type is defined as persistent memory and the content remains after the device is turned off and on again.
Defaults
The default storage type is volatile.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
If you use special characters for the paramsname and username (nonprintable delimiters for these parameters), you must use a hexadecimal keyword, which is one or two hexadecimal digits separated by a colon (:); for example, 00:ab:34.
Examples
This example shows how to set target parameters in the snmpTargetParamsTable:
Console> (enable) set snmp targetparams bar user joe security-model v3 message-processing
v3 authentication
SNMP target params was set to bar v3 authentication, message-processing v3, user joe
nonvolatile.
Related Commands
clear snmp targetparams
show snmp targetparams
set snmp trap
To enable or disable the different SNMP traps on the system or to add an entry into the SNMP authentication trap receiver table, use the set snmp trap command.
set snmp trap {enable | disable} [all | auth | autoshutdown | bridge | callhomesmtp | chassis |
config | entity | entityfru | envfan | envpower | envshutdown | envstate | envtemp |
flashinsert | flashremove | inlinepower {module mod} | ippermit | l2tunnel | linkerrhigh |
linkerrlow | macmove | macnotification | macthreshold | module | redundancy | stpx | syslog
| system | vlancreation | vlandeletion | vmps | vtp]
set snmp trap rcvr_addr rcvr_community [port rcvr_port] [owner rcvr_owner] [index rcvr_index]
Syntax Description
enable: Enables SNMP traps.
disable: Disables SNMP traps.
all: (Optional) Specifies all trap types and all port traps. See the "Usage Guidelines" section before using this option.
auth: (Optional) Specifies the authenticationFailure trap from RFC 1157.
autoshutdown: (Optional) Specifies the automatic module shutdown traps.
bridge: (Optional) Specifies the newRoot and topologyChange traps from RFC 1493 (the BRIDGE-MIB).
callhomesmtp: (Optional) Specifies the CallHome SMTP server traps.
chassis: (Optional) Specifies the chassisAlarmOn and chassisAlarmOff traps from the CISCO-STACK-MIB.
config: (Optional) Specifies the sysConfigChange trap from the CISCO-STACK-MIB.
entity: (Optional) Specifies the entityMIB trap from the ENTITY-MIB.
entityfru: (Optional) Specifies the entity field replaceable unit (FRU) traps.
envfan: (Optional) Specifies the environmental fan traps.
envpower: (Optional) Specifies the environmental power traps.
envshutdown: (Optional) Specifies the environmental shutdown traps.
envstate: (Optional) Specifies the environmental monitoring status change traps.
envtemp: (Optional) Specifies the environmental monitoring temperature traps.
flashinsert: (Optional) Specifies the flash insertion traps.
flashremove: (Optional) Specifies the flash removal traps.
flexifchange: (Optional) Specifies the cflIfStatusChangeNotif trap from the CISCO-FLEX-LINKS-MIB.
inlinepower {module mod}: (Optional) Specifies the inline power traps for a specific module; valid values for the mod argument are from 1 through 9, 15, and 16.
ippermit: (Optional) Specifies the IP Permit Denied access trap from the CISCO-STACK-MIB.
l2tunnel: (Optional) Specifies the Layer 2 protocol tunnel threshold traps.
linkerrhigh: (Optional) Specifies the traps for link error monitoring when the high threshold is exceeded.
linkerrlow: (Optional) Specifies the traps for link error monitoring when the low threshold is exceeded.
macmove: (Optional) Specifies the MAC address move notification traps.
macnotification: (Optional) Specifies the MAC address (CAM) notification traps.
macthreshold: (Optional) Specifies the MAC address threshold notification traps.
module: (Optional) Specifies the moduleUp and moduleDown traps from the CISCO-STACK-MIB.
noauthfailvlan: (Optional) Specifies the cpaeNoAuthFailVlanNotif trap from the CISCO-PAE-MIB.
noguestvlan: (Optional) Specifies the cpaeNoGuestVlanNotif trap from the CISCO-PAE-MIB.
redundancy: (Optional) Specifies the redundancy status traps.
stpx: (Optional) Specifies the spanning tree extension traps.
syslog: (Optional) Specifies the syslog notification traps.
system: (Optional) Specifies the system notification traps.
sysinfolog: (Optional) Specifies the csilLoggingFailNotif trap from the CISCO-SYS-INFO-LOG-MIB.
vlancreate: (Optional) Specifies the VLAN creation traps.
vlandelete: (Optional) Specifies the VLAN deletion traps.
vmps: (Optional) Specifies the vmVmpsChange trap from the CISCO-VLAN-MEMBERSHIP-MIB.
vtp: (Optional) Specifies the VTP traps from the CISCO-VTP-MIB.
rcvr_addr: IP address or IP alias of the system to receive SNMP traps.
rcvr_community: Community string to use when sending authentication traps.
port rcvr_port: (Optional) Specifies the UDP port number; valid values are from 0 to 65535.
owner rcvr_owner: (Optional) Specifies the user who configured the settings for the SNMP trap; the valid value is a character string from 1 to 21 characters in length.
index rcvr_index: (Optional) Specifies index entries with the same rcvr_addr; valid values are from 0 to 65535.
Defaults
The default is SNMP traps are disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
An IP permit trap is sent when unauthorized access based on the IP permit list is attempted.
Use the show snmp command to verify the appropriate traps were configured.
To use this command, you must configure all notification tables: snmpTargetAddrTable, snmpTargetParamsTable, and snmpNotifyTable.
Use the all option to enable or disable all trap types and all port traps.
Use the set port trap command to enable or disable a single port or a range of ports.
The trap configuration is saved in NVRAM and the configuration file.
Examples
This example shows how to enable SNMP chassis traps:
Console> (enable) set snmp trap enable chassis
SNMP chassis alarm traps enabled.
This example shows how to enable all traps:
Console> (enable) set snmp trap enable
This example shows how to disable SNMP chassis traps:
Console> (enable) set snmp trap disable chassis
SNMP chassis alarm traps disabled.
This example shows how to enable SNMP MAC address notification traps:
Console> (enable) set snmp trap enable macnotification
SNMP MAC notification trap enabled.
This example shows how to add an entry in the SNMP trap receiver table:
Console> (enable) set snmp trap 192.122.173.42 public
SNMP trap receiver added.
This example shows how to enable the SNMP MAC move notification trap:
Console> (enable) set snmp trap enable macmove
SNMP MAC move notification trap enabled.
This example shows how to enable the SNMP MAC threshold notification trap:
Console> (enable) set snmp trap enable macthreshold
SNMP MAC threshold notification trap enabled.
This example shows how to enable the automatic module shutdown traps:
Console> (enable) set snmp trap enable autoshutdown
SNMP module auto shutdown traps enabled.
Related Commands
clear snmp trap
set port trap
show snmp
test snmp trap
set snmp user
To configure a new SNMP user, use the set snmp user command.
set snmp user [-hex] {username} {remote {engineid}} [authentication {md5 | sha |
authpassword}] [privacy [des | 3des | aes {128 | 192 | 256}] privpassword] [volatile |
nonvolatile]
Syntax Description
-hex: (Optional) Displays username in a hexadecimal format.
username: Name of the SNMP user.
remote engineid: Specifies the remote SNMP engine ID.
authentication: (Optional) Specifies the authentication protocol.
md5: Specifies HMAC-MD5-96 authentication protocol.
sha: Specifies HMAC-SHA-96 authentication protocol.
authpassword: Password for authentication.
privacy: (Optional) Enables the host to encrypt the contents of the message sent to or from the agent.
des: (Optional) Specifies DES as the privacy protocol.
3des: (Optional) Specifies 3DES as the privacy protocol. This option is only available in k9 images.
aes {128 | 192 | 256}: (Optional) Specifies AES as the privacy protocol. When you use the aes option, you must also specify the key length (128, 192 or 256 bits). This option is only available in k9 images.
privpassword: (Optional) Password that enables the host to encrypt the contents of the message sent to or from the agent; the maximum length is 32 characters.
volatile: (Optional) Specifies that the storage type is defined as temporary memory and the content is deleted if the device is turned off.
nonvolatile: (Optional) Specifies that the storage type is defined as persistent memory and the content remains after the device is turned off and on again.
Defaults
The default storage type is volatile. If you do not specify authentication, the default security level is noauthentication. If you do not specify privacy, the default is no privacy. The default privacy protocol is des.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
If you use special characters for username (nonprintable delimiters for this parameter), you must use a hexadecimal keyword, which is one or two hexadecimal digits separated by a colon (:); for example, 00:ab:34.
The authpassword and privpassword values must be hexadecimal characters without delimiters in between.
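The following added example (not CatOS code) shows what an agent derives from an authpassword and an engine ID for the md5 and sha protocols listed above: the RFC 3414 password-to-key step, the engine-ID localization that makes the stored key specific to the engine named with remote engineid, and the 96-bit HMAC truncation used by HMAC-MD5-96 and HMAC-SHA-96. The password, engine ID and message bytes are constructed sample values (the engine ID and password are the RFC 3414 appendix A test vector inputs).

```python
"""SNMPv3 USM key derivation (RFC 3414, appendix A.2) for the md5 and sha
authentication protocols selectable with `set snmp user ... authentication`.

Added illustration, not CatOS code. It shows why the same authpassword gives
a different stored key on every SNMP engine: the key is localized with the
engine ID (the value given with `remote engineid`).
"""
import hashlib
import hmac

# CatOS keyword -> hashlib algorithm (HMAC-MD5-96 / HMAC-SHA-96).
AUTH_PROTOCOLS = {"md5": "md5", "sha": "sha1"}
HMAC_96_LEN = 12  # both protocols truncate the HMAC to 96 bits


def password_to_key(password: bytes, proto: str) -> bytes:
    """Ku: hash of the password repeated to exactly 1,048,576 bytes."""
    if not password:
        raise ValueError("authpassword must not be empty")
    digest = hashlib.new(AUTH_PROTOCOLS[proto])
    reps, rem = divmod(1_048_576, len(password))
    digest.update(password * reps + password[:rem])
    return digest.digest()


def localize_key(ku: bytes, engine_id: bytes, proto: str) -> bytes:
    """Kul = H(Ku || engineID || Ku); valid only for that one engine."""
    return hashlib.new(AUTH_PROTOCOLS[proto], ku + engine_id + ku).digest()


def parse_engine_id(text: str) -> bytes:
    """Accept the colon-separated hex form CatOS prints, e.g. '00:00'."""
    return bytes.fromhex(text.replace(":", ""))


def localized_auth_key(password: str, engine_id: str, proto: str) -> bytes:
    """Full chain: authpassword -> Ku -> Kul for one engine."""
    ku = password_to_key(password.encode(), proto)
    return localize_key(ku, parse_engine_id(engine_id), proto)


def auth_tag(kul: bytes, proto: str, message: bytes) -> bytes:
    """msgAuthenticationParameters: first 12 bytes of the HMAC over the message."""
    return hmac.new(kul, message, AUTH_PROTOCOLS[proto]).digest()[:HMAC_96_LEN]


def verify_auth_tag(kul: bytes, proto: str, message: bytes, tag: bytes) -> bool:
    """Constant-time check of a received 96-bit tag."""
    return hmac.compare_digest(auth_tag(kul, proto, message), tag)


# Constructed sample values: the RFC 3414 appendix A.3 test vector inputs.
RFC3414_PASSWORD = "maplesyrup"
RFC3414_ENGINE_ID = "00:00:00:00:00:00:00:00:00:00:00:02"

if __name__ == "__main__":
    for proto in AUTH_PROTOCOLS:
        kul = localized_auth_key(RFC3414_PASSWORD, RFC3414_ENGINE_ID, proto)
        print(proto, "localized key:", kul.hex())
```

Because the localized key depends on the engine ID, a user entry configured with one remote engineid cannot be reused against another engine without re-deriving the key.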
Examples
This example shows how to set a specific username:
Console> (enable) set snmp user joe
Snmp user was set to joe authProt no-auth privProt no-priv with engineid 00:00.
This example shows how to set a specific username, authentication, and authpassword:
Console> (enable) set snmp user John authentication md5 arizona2
Snmp user was set to John authProt md5 authPasswd arizona2. privProt no-priv wi.
Related Commands
clear snmp user
show snmp user
set snmp view
To configure the SNMP MIB view, use the set snmp view command.
set snmp view [-hex]{viewname}{subtree}[mask] [included | excluded] [volatile | nonvolatile]
Syntax Description
-hex: (Optional) Displays the viewname value in a hexadecimal format.
viewname: Name of a MIB view.
subtree: MIB subtree.
mask: (Optional) Specifies that the bit mask is used with the subtree. A bit mask can be all ones, all zeros, or any combination; the maximum length is 3 bytes.
included | excluded: (Optional) Specifies that the MIB subtree is included or excluded.
volatile: (Optional) Specifies that the storage type is defined as temporary memory and the content is deleted if the device is turned off.
nonvolatile: (Optional) Specifies that the storage type is defined as persistent memory and the content remains after the device is turned off and on again.
Defaults
The defaults are as follows:
• Storage type is volatile.
• Bit mask is NULL.
• MIB subtree is included.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
If you use special characters for viewname (nonprintable delimiters for this parameter), you must use a hexadecimal keyword, which is one or two hexadecimal digits separated by a colon (:); for example, 00:ab:34.
A MIB subtree with a mask defines a view subtree. The MIB subtree can be in object identifier (OID) format or a text name mapped to a valid OID.
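The mask rule above is the RFC 3415 view-subtree-family algorithm. The following added example (not CatOS code) applies it to a view built from the manual's own set snmp view public 1.3.6.1 included entry plus two constructed entries: an excluded subtree and a masked ifEntry row. Subtrees are given as dotted OIDs only; the text names CatOS also accepts are not resolved.

```python
"""Evaluate `set snmp view viewname subtree [mask] [included | excluded]`
entries the way an agent does under RFC 3415 (vacmViewTreeFamilyTable).

Added illustration, not CatOS code. Subtrees must be dotted OIDs; the text
names CatOS also accepts (e.g. system) are not resolved here.
"""
from dataclasses import dataclass
from typing import List, Tuple

OID = Tuple[int, ...]


@dataclass(frozen=True)
class ViewEntry:
    subtree: OID
    mask: bytes = b""        # NULL mask (the CatOS default) == all ones
    included: bool = True    # False models the `excluded` keyword


def parse_oid(text: str) -> OID:
    return tuple(int(part) for part in text.strip(".").split("."))


def mask_bit(mask: bytes, index: int) -> bool:
    """Mask bit for sub-identifier `index` (0-based, MSB first).

    Bits beyond the end of the mask are taken as 1, so a NULL or short
    mask means "match every sub-identifier of the subtree exactly".
    """
    byte, offset = divmod(index, 8)
    if byte >= len(mask):
        return True
    return bool(mask[byte] & (0x80 >> offset))


def family_matches(entry: ViewEntry, oid: OID) -> bool:
    """The OID belongs to this entry's family: it is at least as long as the
    subtree and agrees with it on every sub-identifier whose mask bit is 1."""
    if len(oid) < len(entry.subtree):
        return False
    return all(
        not mask_bit(entry.mask, i) or oid[i] == entry.subtree[i]
        for i in range(len(entry.subtree))
    )


def oid_in_view(view: List[ViewEntry], oid_text: str) -> bool:
    """Is the OID visible through this view?

    Among all matching entries the one with the longest subtree wins; ties
    go to the lexicographically greatest mask. Its included/excluded type
    decides. No matching entry means the OID is not in the view.
    """
    oid = parse_oid(oid_text)
    matching = [e for e in view if family_matches(e, oid)]
    if not matching:
        return False
    winner = max(matching, key=lambda e: (len(e.subtree), e.mask))
    return winner.included


# Constructed view: the manual's `set snmp view public 1.3.6.1 included`,
# plus an excluded subtree so this read-only view cannot browse the SNMPv3
# user table (snmpUsmMIB, 1.3.6.1.6.3.15).
PUBLIC_VIEW = [
    ViewEntry(parse_oid("1.3.6.1")),
    ViewEntry(parse_oid("1.3.6.1.6.3.15"), included=False),
]

# Constructed mask example: ifEntry (1.3.6.1.2.1.2.2.1.<column>.<ifIndex>)
# limited to the row for ifIndex 2. Mask 0xff 0xa0 clears the bit for the
# 10th sub-identifier (the column), so any column matches while ifIndex
# stays pinned to 2.
ONE_PORT_VIEW = [
    ViewEntry(parse_oid("1.3.6.1.2.1.2.2.1.0.2"), mask=bytes([0xFF, 0xA0])),
]

if __name__ == "__main__":
    for oid in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.6.3.15.1.2.2.1.3"):
        print(oid, "in public view:", oid_in_view(PUBLIC_VIEW, oid))
    for oid in ("1.3.6.1.2.1.2.2.1.5.2", "1.3.6.1.2.1.2.2.1.5.3"):
        print(oid, "in one-port view:", oid_in_view(ONE_PORT_VIEW, oid))
```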
Examples
This example shows how to assign a subtree to the view public:
Console> (enable) set snmp view public 1.3.6.1 included
Snmp view name was set to public with subtree 1.3.6.1 included, nonvolatile.
This example shows the response when the subtree is incorrect:
Console> (enable) set snmp view stats statistics excluded
Statistics is not a valid subtree OID
Related Commands
clear snmp view
show snmp view
set span
To enable or disable SPAN and to set up the switch port and VLAN analyzer for multiple SPAN sessions, use the set span command.
set span disable [dest_mod/dest_port | all]
set span disable session session_number
set span {src_mod/src_ports | src_vlans | sc0} {dest_mod/dest_port} [rx | tx | both]
[session session_number] [inpkts {enable | disable}] [learning {enable | disable}]
[multicast {enable | disable}] [filter vlans...] [create]
set span permit-list mod/port {include | exclude}
set span permit-list {enable | disable}
Syntax Description
disable: Disables SPAN.
dest_mod: (Optional) Monitoring module (SPAN destination).
dest_port: (Optional) Monitoring port (SPAN destination).
all: (Optional) Disables all SPAN sessions.
session session_number: Specifies a unique SPAN session across all types of SPAN sessions.
src_mod: Monitored module (SPAN source).
src_ports: Monitored ports (SPAN source).
src_vlans: Monitored VLANs (SPAN source).
sc0: Specifies the inband port (sc0) as the SPAN source.
rx: (Optional) Specifies that information received at the source (ingress SPAN) is monitored.
tx: (Optional) Specifies that information transmitted from the source (egress SPAN) is monitored.
both: (Optional) Specifies that information both received at the source (ingress SPAN) and transmitted from the source (egress SPAN) is monitored.
inpkts enable: (Optional) Enables the receiving of normal inbound traffic on the SPAN destination port.
inpkts disable: (Optional) Disables the receiving of normal inbound traffic on the SPAN destination port.
learning enable: (Optional) Enables learning for the SPAN destination port.
learning disable: (Optional) Disables learning for the SPAN destination port.
multicast enable: (Optional) Enables monitoring multicast traffic (egress traffic only).
multicast disable: (Optional) Disables monitoring multicast traffic (egress traffic only).
filter vlans: (Optional) Monitors traffic on selected VLANs on source trunk ports.
create: (Optional) Creates a SPAN port.
permit-list: Specifies a list of ports that can be configured as SPAN or RSPAN destinations.
mod/port: Numbers of the modules and numbers of the ports on the modules.
include: Includes the specified ports in the permit list.
exclude: Removes the specified ports from the permit list.
enable: Enables the permit-list feature for all SPAN sessions.
disable: Disables the permit-list feature for all SPAN sessions.
Defaults
• SPAN is disabled.
• No VLAN filtering is enabled.
• Multicast is enabled.
• Input packets are disabled.
• Learning is enabled.
• The permit-list feature is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
After you enable SPAN, system defaults are used if no parameters were ever set. If you changed parameters, the old parameters are stored in NVRAM, and the new parameters are used.
Use a network analyzer to monitor ports.
If you specify multiple SPAN source ports, the ports can belong to different VLANs.
A maximum of two rx or both SPAN sessions and four tx SPAN sessions can exist simultaneously. If you use a remote SPAN station, the maximum number of rx or both SPAN sessions is one.
Use the inpkts keyword with the enable option to allow the SPAN destination port to receive normal incoming traffic in addition to the traffic mirrored from the SPAN source. Use the disable option to prevent the SPAN destination port from receiving normal incoming traffic.
You can specify an MSM port as the SPAN source port. However, you cannot specify an MSM port as the SPAN destination port.
When you enable the inpkts option, a warning message notifies you that the destination port does not participate in STP and that enabling this option may cause loops.
When you configure multiple SPAN sessions, the destination module number/port number must be known to index the particular SPAN session.
If you do not specify the keyword create and you have only one session, the session will be overwritten. If a matching destination port exists, the particular session will be overwritten (with or without specifying create). If you specify the keyword create and there is no matching destination port, the session will be created.
If any VLANs on SPAN source port(s) are blocked by spanning tree, you may see extra packets transmitted on the destination port that were not actually transmitted out of the source port(s). The extra packets seen at the destination port are packets sent through the switch fabric to the source port and then blocked by spanning tree at the source port.
To specify a unique SPAN session across all types of SPAN sessions (local SPAN, RSPAN, and ESPAN), enter the session session_number option. If you do not specify a SPAN session number, one is provided by the software. The software provides a session number only if the basic check for SPAN session limits and sanity is successful.
If you provide a session number, but the same session number for the same session type is present in the SPAN database already, the session number that you enter overwrites the SPAN session with the same number. If the same session number is already present in the database, but that session number is for a different session type, the session number that you enter is rejected.
If you provide a session number that does not exist in the SPAN database, the number is regarded as a new SPAN session request and is subject to SPAN session limits.
You can specify multiple destination ports in the CLI. However, you cannot mix VLANs and ports in the same SPAN session.
Examples
This example shows how to configure SPAN so that both transmit and receive traffic from port 1/1 (the SPAN source) is mirrored on port 2/1 (the SPAN destination):
Console> (enable) set span 1/1 2/1
Enabled monitoring of Port 1/1 transmit/receive traffic by Port 2/1
This example shows how to set VLAN 522 as the SPAN source and port 2/1 as the SPAN destination:
Console> (enable) set span 522 2/1
Enabled monitoring of VLAN 522 transmit/receive traffic by Port 2/1
This example shows how to set VLAN 522 as the SPAN source and port 3/12 as the SPAN destination. Only transmit traffic is monitored. Normal incoming packets on the SPAN destination port are allowed:
Console> (enable) set span 522 2/12 tx inpkts enable
SPAN destination port incoming packets enabled.
Enabled monitoring of VLAN 522 transmit traffic by Port 2/12
This example shows how to set port 3/2 as the SPAN source and port 2/2 as the SPAN destination:
Console> (enable) set span 3/2 2/2 tx create
Enabled monitoring of port 3/2 transmit traffic by Port 2/1
This example shows how to disable SPAN if multiple SPAN sessions are not defined:
Console> (enable) set span disable
This command WILL disable your span session(s).
Do you want to continue (y/n) [n]?y
This example shows what happens if you try to enter the set span disable command (without the destination module number/port number defined) and multiple SPAN sessions are defined:
Console> (enable) set span disable
Multiple active span sessions. Please specify span destination to disable.
Related Commands
clear config
show span
set spantree backbonefast
To enable or disable the spanning tree BackboneFast Convergence feature, use the set spantree backbonefast command.
set spantree backbonefast {enable | disable}
Syntax Description
enable | Enables BackboneFast Convergence.
disable | Disables BackboneFast Convergence.
Defaults
The default is BackboneFast convergence is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
This command is not available in Multiple Spanning Tree (MST) mode.
For BackboneFast Convergence to work, you must enable it on all switches in the network.
When you try to enable BackboneFast and the switch is in Rapid PVST+ mode, this message is displayed:
Cannot enable backbonefast when the spantree mode is RAPID-PVST+.
Examples
This example shows how to enable BackboneFast Convergence:
Console> (enable) set spantree backbonefast enable
Backbonefast enabled for all VLANs.
This example shows the message that is displayed when you try to enable BackboneFast in Rapid PVST+ mode:
Console> (enable) set spantree backbonefast enable
Cannot enable backbonefast when the spantree mode is RAPID-PVST+.
Related Commands
show spantree
set spantree bpdu-filter
To enable or disable BPDU packet filtering on a port, use the set spantree bpdu-filter command.
set spantree bpdu-filter mod/port {enable | disable | default}
Syntax Description
mod/port | Number of the module and the port on the module.
enable | Enables BPDU packet filtering.
disable | Disables BPDU packet filtering.
default | Sets BPDU packet filtering to the global BPDU packet filtering state. See the "Usage Guidelines" section for more information.
Defaults
The default is default (the port follows the global BPDU packet filtering state).
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
BPDU packet filtering turns off BPDU transmission on a port; a port with BPDU packet filtering enabled also drops all BPDUs that it receives.
If you enter the default keyword, the spanning tree port is set to the global BPDU filtering state.
To enable or disable BPDU filtering for all ports on the switch, enter the set spantree global-default bpdu-filter command.
Examples
This example shows how to enable BPDU filtering on module 3, port 4:
Console> (enable) set spantree bpdu-filter 3/4 enable
Warning: Ports enabled with bpdu filter will not send BPDUs and drop all
received BPDUs. You may cause loops in the bridged network if you misuse
Spantree port 3/4 bpdu filter enabled.
Related Commands
set spantree global-default
show spantree portfast
set spantree bpdu-guard
To enable or disable spanning tree BPDU guard on a port, use the set spantree bpdu-guard command.
set spantree bpdu-guard mod/port {enable | disable | default}
Syntax Description
mod/port | Number of the module and the port on the module.
enable | Enables the spanning tree BPDU guard.
disable | Disables the spanning tree BPDU guard.
default | Sets spanning tree BPDU guard to the global BPDU guard state. See the "Usage Guidelines" section for more information.
Defaults
The default is default (the port follows the global BPDU guard state).
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
PortFast mode must be enabled on the port before you enable BPDU guard; otherwise BPDU guard does not work correctly.
When BPDU guard is enabled, a port is moved into the errdisable state as soon as a BPDU is received on that port. When BPDU guard is disabled, a PortFast-enabled nontrunking port stays up when it receives BPDUs, which may cause spanning tree loops.
If you enter the default keyword, the spanning tree port is set to the global BPDU guard state.
To enable or disable BPDU guard for all ports on the switch, enter the set spantree global-default bpdu-guard command.
Examples
This example shows how to enable BPDU guard on module 3, port 1:
Console> (enable) set spantree bpdu-guard 3/1 enable
Spantree port 3/1 bpdu guard enabled.
Related Commands
set spantree global-default
show spantree portfast
set spantree bpdu-skewing
To enable or disable collection of the spanning tree BPDU skewing detection statistics, use the set spantree bpdu-skewing command.
set spantree bpdu-skewing {enable | disable}
Syntax Description
enable | Enables BPDU skewing detection statistics collection.
disable | Disables BPDU skewing detection statistics collection.
Defaults
The default is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You can use this command to troubleshoot slow network convergence due to skewing. Skewing occurs when spanning tree timers lapse, expected BPDUs are not received, and spanning tree detects topology changes. The difference between the expected result and the BPDUs actually received is a "skew." The skew causes BPDUs to reflood the network to keep the spanning tree topology database up to date.
Examples
This example shows how to enable the BPDU skew detection feature:
Console> (enable) set spantree bpdu-skewing enable
Spantree bpdu-skewing enabled on this switch.
This example shows how to disable the BPDU skew detection feature:
Console> (enable) set spantree bpdu-skewing disable
Spantree bpdu-skewing disabled on this switch.
Related Commands
show spantree bpdu-skewing
set spantree channelcost
To set the channel path cost and to automatically adjust the channel port costs, use the set spantree channelcost command.
set spantree channelcost {channel_id | all} cost
Syntax Description
channel_id | Channel identification number.
all | Configures all channels.
cost | Channel port costs.
Defaults
The port cost is updated automatically based on the current port costs of the channeling ports.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You can use this command when your switch is in Link Aggregation Control Protocol (LACP) channel mode or in PAgP channel mode.
For differences between PAgP and LACP, refer to the "Guidelines for Port Configuration" section of the "Configuring EtherChannel" chapter of the Catalyst 6500 Series Switch Software Configuration Guide.
Examples
This example shows how to set the channel 768 path cost to 12:
Console> (enable) set spantree channelcost 768 12
Port(s) 1/1-2 port path cost are updated to 19.
Channel 768 cost is set to 12.
Warning: channel cost may not be applicable if channel is broken.
This example shows how to set all channel path costs to 15:
Console> (enable) set spantree channelcost all 15
Port(s) 1/1-2 port path cost are updated to 24.
Channel 768 cost is set to 15.
Port(s) 4/3-4 cost is set to 15.
channel 769 cost is set to 15.
Port(s) 4/7-8 cost is set to 15.
channel 770 cost is set to 15.
Warning: channel cost may not be applicable if channel is broken.
Related Commands
clear lacp-channel statistics
set channelprotocol
set lacp-channel system-priority
set port lacp-channel
set spantree channelvlancost
show lacp-channel
show port lacp-channel
set spantree channelvlancost
To set the channel VLAN path cost and adjust the port VLAN costs of the ports that belong to the channel, use the set spantree channelvlancost command.
set spantree channelvlancost channel_id cost
Syntax Description
channel_id | Number of the channel identification.
cost | Port costs of the ports in the channel.
Defaults
The command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You must set the channel VLAN cost one channel at a time.
You can use this command when your system is in LACP channel mode or PAgP channel mode.
For differences between PAgP and LACP, refer to the "Guidelines for Port Configuration" section of the "Configuring EtherChannel" chapter of the Catalyst 6500 Series Switch Software Configuration Guide.
Examples
This example shows how to set the VLAN cost to 10 for channel 768:
Console> (enable) set spantree channelvlancost 768 10
Port(s) 1/1-2 vlan cost are updated to 24.
Channel 768 vlancost is set to 10.
Related Commands
clear lacp-channel statistics
set channelprotocol
set lacp-channel system-priority
set port lacp-channel
set spantree channelcost
show lacp-channel
show port lacp-channel
set spantree defaultcostmode
To specify the spanning tree default port cost mode, use the set spantree defaultcostmode command.
set spantree defaultcostmode {short | long}
Syntax Description
short | Sets the default port cost for port speeds slower than 10 gigabits.
long | Sets the default port cost mode for port speeds of 10 gigabits and faster.
Defaults
The default is short.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The set spantree defaultcostmode long command is available in PVST+ mode only. If you enter this command in MISTP or MISTP-PVST+ mode, this message is displayed:
In MISTP or MISTP-PVST+ mode, default portcost and portinstancecost always
use long format default values.
All switches in a network must have the same default. If any switch in the network supports port speeds of 10 gigabits and greater, the default cost mode must be set to long on all the switches in the network.
For port speeds of 1 gigabit and greater, the default port cost should be set to long. For port speeds less than 10 gigabits, the default port cost can be set to short.
The default path cost is based on port speed; see Table 2-25 and Table 2-26 for default settings.
Table 2-25 Default Port Cost—Short Mode
Port Speed | Default Port Cost
4 Mb | 250
10 Mb | 100
16 Mb | 62
100 Mb | 19
155 Mb | 14
1 Gb | 4
10 Gb | 2
Table 2-26 Default Port Cost—Long Mode
Port Speed | Default Port Cost
100 Kb | 200,000,000
1 Mb | 20,000,000
10 Mb | 2,000,000
100 Mb | 200,000
1 Gb | 20,000
10 Gb | 2,000
100 Gb | 200
1 Tb | 20
10 Tb | 2
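As an added example (not part of the Cisco reference), the following Python encodes Table 2-25 and Table 2-26, checks that the long-mode table is the IEEE 802.1t formula (20,000,000,000 divided by the link speed in kb/s, which also covers speeds the table omits), and walks a constructed three-switch topology to show how a single switch left in short mode flips the root path choice toward the slower link. The switch names and topology are assumptions made for the illustration.

```python
"""Spanning tree default port costs in short and long mode.

Added example, not Cisco code. Tables are the reference's Table 2-25 and
Table 2-26; the long-mode formula is IEEE 802.1t; the topology is constructed.
"""

# Table 2-25 (short mode): link speed in kb/s -> default port cost.
SHORT_MODE_COST = {
    4_000: 250,
    10_000: 100,
    16_000: 62,
    100_000: 19,
    155_000: 14,
    1_000_000: 4,
    10_000_000: 2,
}

# Table 2-26 (long mode): link speed in kb/s -> default port cost.
LONG_MODE_COST = {
    100: 200_000_000,
    1_000: 20_000_000,
    10_000: 2_000_000,
    100_000: 200_000,
    1_000_000: 20_000,
    10_000_000: 2_000,
    100_000_000: 200,
    1_000_000_000: 20,
    10_000_000_000: 2,
}


def long_mode_cost(speed_kbps: int) -> int:
    """IEEE 802.1t long path cost: 20 Tb/s divided by the link speed.

    Table 2-26 is exactly this formula, so it also yields costs for speeds
    the table does not list (for example 40 Gb/s -> 500).
    """
    return 20_000_000_000 // speed_kbps


def long_table_matches_formula() -> bool:
    """True if every row of Table 2-26 equals the 802.1t formula."""
    return all(long_mode_cost(s) == c for s, c in LONG_MODE_COST.items())


def default_cost(speed_kbps: int, mode: str) -> int:
    """Default port cost a switch assigns to a link in the given cost mode."""
    if mode == "long":
        return long_mode_cost(speed_kbps)
    if mode == "short":
        if speed_kbps not in SHORT_MODE_COST:
            raise ValueError(f"no short-mode default for {speed_kbps} kb/s")
        return SHORT_MODE_COST[speed_kbps]
    raise ValueError(f"unknown cost mode {mode!r}")


def root_path_cost(path, modes) -> int:
    """Accumulate root path cost along a list of (switch, uplink_kbps) hops.

    Each switch adds the cost of its own root-facing link, computed in the
    cost mode *that switch* runs, to the cost advertised from upstream.
    """
    return sum(default_cost(kbps, modes[switch]) for switch, kbps in path)


def preferred_path(paths, modes):
    """Return (name of lowest-cost path, {path name: root path cost})."""
    costs = {name: root_path_cost(hops, modes) for name, hops in paths.items()}
    return min(costs, key=costs.get), costs


# Constructed topology: S3 reaches the root either through S1 over two 1 Gb
# links, or through S2, whose root-facing link is only 100 Mb.
PATHS = {
    "via_S1": [("S1", 1_000_000), ("S3", 1_000_000)],
    "via_S2": [("S2", 100_000), ("S3", 10_000_000)],
}
ALL_LONG = {"S1": "long", "S2": "long", "S3": "long"}
MIXED = {"S1": "long", "S2": "short", "S3": "long"}   # S2 left in short mode


if __name__ == "__main__":
    print("Table 2-26 matches 802.1t formula:", long_table_matches_formula())
    for label, modes in (("all long", ALL_LONG), ("mixed", MIXED)):
        best, costs = preferred_path(PATHS, modes)
        print(f"{label}: {costs} -> S3 prefers {best}")
```

With every switch in long mode S3 prefers the two-hop gigabit path (40,000 versus 202,000); with S2 in short mode it advertises 19 for its 100 Mb uplink, so the path through the 100 Mb bottleneck wins at 2,019, which is why the reference requires the same default cost mode on all switches.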
Examples
This example shows how to set the spanning tree default port cost mode:
Console> (enable) set spantree defaultcostmode long
Portcost and portvlancost set to use long format default values.
Related Commands
show spantree defaultcostmode
set spantree disable
To disable the spanning tree algorithm for all VLANs, a specific VLAN, a specific instance, or all instances, use the set spantree disable command.
set spantree disable vlan
set spantree disable all
set spantree disable mistp-instance instance
set spantree disable mistp-instance all
Syntax Description
vlan | Number of the VLAN; valid values are from 1 to 4094.
all | Specifies all VLANs.
mistp-instance instance | Specifies the instance number; valid values are from 1 to 16.
mistp-instance all | Deletes all instances.
Defaults
The default is spanning tree is enabled, and all instances are enabled (flooding disabled).
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
If you do not specify a VLAN number or an instance number, 1 is assumed.
When an instance is enabled, the Spanning Tree Protocol starts running on that instance.
When an instance is disabled, the switch stops sending out config type-length values (TLVs) for that instance and starts flooding incoming TLVs for the same instance (but checks the VLAN mapping on the incoming side). All the traffic running on the VLANs mapped to the instance is flooded as well.
This command is not available in MST mode.
Examples
This example shows how to disable the spanning tree for VLAN 1:
Console> (enable) set spantree disable 1
VLAN 1 bridge spanning tree disabled.
This example shows how to disable spanning tree for a specific instance:
Console> (enable) set spantree disable mistp-instance 2
MI-STP instance 2 disabled.
Related Commands
set spantree enable
show spantree
set spantree enable
To enable the spanning tree algorithm for all VLANs, a specific VLAN, a specific instance, or all instances, use the set spantree enable command.
set spantree enable vlans
set spantree enable all
set spantree enable mistp-instance instance
set spantree enable mistp-instance all
Syntax Description
vlans | Number of the VLAN; valid values are from 1 to 4094.
all | Specifies all VLANs.
mistp-instance instance | Specifies the instance number; valid values are from 1 to 16.
mistp-instance all | Enables all instances.
Defaults
The default is enabled, and all instances are enabled (flooding disabled).
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
MISTP and VTP pruning cannot be enabled at the same time.
If you do not specify a VLAN number or an instance number, 1 is assumed.
This command is not available in MST mode.
Examples
This example shows how to activate spanning tree for VLAN 1:
Console> (enable) set spantree enable 1
VLAN 1 bridge spanning tree enabled.
This example shows how to activate spanning tree for an instance:
Console> (enable) set spantree enable mistp-instance 1
Related Commands
set spantree disable
show spantree
set spantree fwddelay
To set the bridge forward delay for a VLAN or an instance, use the set spantree fwddelay command.
set spantree fwddelay delay [vlans]
set spantree fwddelay delay mistp-instance [instances]
set spantree fwddelay delay mst
Syntax Description
delay | Number of seconds for the bridge forward delay; valid values are from 4 to 30 seconds.
vlans | (Optional) Number of the VLAN; valid values are from 1 to 4094.
mistp-instance instances | Specifies the instance number; valid values are from 1 to 16.
mst | Sets the forward delay time for the IST instance and all MST instances; see the "Usage Guidelines" section for more information.
Defaults
The default is the bridge forward delay is set to 15 seconds for all VLANs.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
If you do not specify a VLAN number or an instance number, 1 is assumed.
If you enable MISTP, you cannot set the VLAN bridge forward delay.
If you enable PVST+, you cannot set the instance bridge forward delay.
If you enter the set spantree fwddelay delay mst command, you set the forward delay time for the IST instance and all MST instances. You do not need to set the forward delay time for each MST instance.
Examples
This example shows how to set the bridge forward delay for VLAN 100 to 16 seconds:
Console> (enable) set spantree fwddelay 16 100
Spantree 100 forward delay set to 16 seconds.
This example shows how to set the bridge forward delay for an instance to 16 seconds:
Console> (enable) set spantree fwddelay 16 mistp-instance 1
Instance 1 forward delay set to 16 seconds.
This example shows how to set the bridge forward delay for the IST and all MST instances to 15 seconds:
Console> (enable) set spantree fwddelay 15 mst
MST forward delay set to 15 seconds.
Related Commands
show spantree
set spantree global-default
To set the global states on the switch, use the set spantree global-default command.
set spantree global-default portfast {enable | disable}
set spantree global-default loop-guard {enable | disable}
set spantree global-default bpdu-guard {enable | disable}
set spantree global-default bpdu-filter {enable | disable}
Syntax Description
portfast | Sets the global PortFast state.
enable | Enables the global state.
disable | Disables the global state.
loop-guard | Sets the global loop guard state.
bpdu-guard | Sets the global BPDU guard state.
bpdu-filter | Sets the global BPDU filter state.
Defaults
All ports are in nonedge state.
Loop guard is disabled on all ports.
BPDU guard is disabled on all ports.
BPDU filter is disabled on all ports.
Command Types
Switch command.
Command Modes
Privileged.
Examples
This example shows how to disable the global PortFast state on the switch:
Console> (enable) set spantree global-default portfast disable
Spantree global portfast state disabled on this switch.
This example shows how to enable the global loop guard state on the switch:
Console> (enable) set spantree global-default loop-guard enable
Spantree global loop-guard state enabled on the switch.
This example shows how to disable the global BPDU guard state on the switch:
Console> (enable) set spantree global-default bpdu-guard disable
Spantree global-default bpdu-guard disabled on this switch.
This example shows how to disable the global BPDU filter state on the switch:
Console> (enable) set spantree global-default bpdu-filter disable
Spantree global-default bpdu-filter disabled on this switch.
Related Commands
clear spantree mst
set spantree mst config
set spantree portfast bpdu-filter
set spantree portfast bpdu-guard
show spantree mst config
set spantree guard
To enable or disable the spanning tree root guard or loop guard feature on a per-port basis, use the set spantree guard command.
set spantree guard {none | root | loop} mod/port
Syntax Description
none | Disables the spanning tree guard feature.
root | Enables the root guard feature.
loop | Enables the loop guard feature.
mod/port | Number of the module and ports on the module.
Defaults
The default is root guard and loop guard are disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
If you enable loop guard on a channel and the first link becomes unidirectional, loop guard will block the entire channel until the affected port is removed from the channel.
You can use the root guard feature to prevent switches from becoming the root switch. The root guard feature forces a port to become a designated port so that no switch on the other end of the link can become a root switch.
When you enable root guard, it is automatically applied to all of the active instances or VLANs to which that port belongs. When you disable root guard, it is disabled for the specified ports. If a port goes into the root-inconsistent state, it automatically goes into the listening state. Disabling loop guard moves all loop-inconsistent ports to the listening state.
When using the loop guard feature, follow these guidelines:
• Use care when enabling loop guard. Loop guard is useful only in those topologies where there are blocked ports. Topologies where there are no blocked ports are loop free by definition and do not need this feature to be enabled.
• Enable loop guard only on root and alternate root ports.
• Use loop guard mainly on access switches.
• You cannot enable loop guard on PortFast-enabled or dynamic VLAN ports.
• You cannot enable PortFast on loop guard-enabled ports.
• You cannot enable loop guard if root guard is enabled.
Examples
This example shows how to enable root guard:
Console> (enable) set spantree guard root 5/1
Rootguard on port 5/1 is enabled.
Warning!! Enabling rootguard may result in a topolopy change.
This example shows how to enable the loop guard feature:
Console> (enable) set spantree guard loop 5/1
Rootguard is enabled on port 5/1, enabling loopguard will disable rootguard on
Do you want to continue (y/n) [n]? y
Loopguard on port 5/1 is enabled.
Related Commands
show spantree guard
set spantree hello
To set the bridge hello time for a VLAN or an instance, use the set spantree hello command.
set spantree hello interval [vlans]
set spantree hello interval mistp-instance instances
set spantree hello interval mst
Syntax Description
interval | Number of seconds the system waits before sending a bridge hello message (a multicast message indicating that the system is active); valid values are from 1 to 10 seconds.
vlans | (Optional) Number of the VLAN; valid values are from 1 to 4094.
mistp-instance instances | Specifies the instance number; valid values are from 1 to 16.
mst | Sets the hello time for the IST instance and all MST instances. See the "Usage Guidelines" section for more information.
Defaults
The bridge hello time is set to 2 seconds for all VLANs.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
If you do not specify a VLAN number or an instance number, 1 is assumed.
If you enable MISTP, you cannot set the VLAN hello time.
If you enable PVST+, you cannot set the instance hello time.
If you enter the set spantree hello interval mst command, you set the hello time for the Internal Spanning Tree (IST) instance and all MST instances. You do not need to set the hello time for each MST instance.
If you do not configure a hello time on a per-port basis, the global hello time is used on the port.
Examples
This example shows how to set the spantree hello time for VLAN 100 to 3 seconds:
Console> (enable) set spantree hello 3 100
Spantree 100 hello time set to 3 seconds.
This example shows how to set the spantree hello time for an instance to 3 seconds:
Console> (enable) set spantree hello 3 mistp-instance 1
Spantree 1 hello time set to 3 seconds.
This example shows how to set the spantree hello time for the IST and all MST instances to 2 seconds:
Console> (enable) set spantree hello 2 mst
MST hello time set to 2 seconds.
Related Commands
show spantree
set spantree link-type
To configure the link type of a port, use the set spantree link-type command.
set spantree link-type mod/port {auto | point-to-point | shared}
Syntax Description
mod/port | Number of the module and the port on the module.
auto | Derives the link type from the duplex setting of the port (half duplex gives a shared link, full duplex a point-to-point link). See "Usage Guidelines" for more information.
point-to-point | Connects the port to a point-to-point link.
shared | Connects the port to a shared medium.
Defaults
The link type is auto.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
If the link type is set to auto and the link is a half-duplex link, then the link is a shared link. If the link type is set to auto and the link is a full-duplex link, then the link is a point-to-point link.
The set spantree link-type command is the same as the set spantree mst link-type command.
Examples
This example shows how to connect port 1 on module 3 to a point-to-point link:
Console> (enable) set spantree link-type 3/1 point-to-point
Link type set to point-to-point on port 3/1
Related Commands
set spantree global-default
show spantree
set spantree macreduction
To enable or disable the spanning tree MAC address reduction feature, use the set spantree macreduction command.
set spantree macreduction {enable | disable}
Syntax Description
enable | Enables MAC address reduction.
disable | Disables MAC address reduction.
Defaults
The default is MAC address reduction is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The MAC address reduction feature is used to enable extended-range VLAN identification and allows the switch to support a large number of spanning tree instances with a very limited number of MAC addresses and still maintain the IEEE 802.1D bridge-ID requirement for each STP instance.
You cannot disable this feature if extended-range VLANs exist.
You cannot disable this feature on chassis with 64 MAC addresses.
Examples
This example shows how to disable the MAC address reduction feature:
Console> (enable) set spantree macreduction disable
MAC address reduction disabled
Related Commands
show spantree
set spantree maxage
To set the bridge maximum aging time for a VLAN or an instance, use the set spantree maxage command.
set spantree maxage agingtime [vlans]
set spantree maxage agingtime mistp-instance instances
set spantree maxage agingtime mst
Syntax Description
agingtime | Maximum number of seconds that the system retains the information received from other bridges through Spanning Tree Protocol; valid values are from 6 to 40 seconds.
vlans | (Optional) Number of the VLAN; valid values are from 1 to 4094.
mistp-instance instances | Specifies the instance number; valid values are from 1 to 16.
mst | Sets the maximum aging time for the IST instance and all MST instances. See the "Usage Guidelines" section for more information.
Defaults
The default configuration is 20 seconds for all VLANs.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
If you do not specify a VLAN number or an instance number, 1 is assumed.
If you enable MISTP, you cannot set the VLAN maximum aging time.
If you enable PVST+, you cannot set the instance maximum aging time.
If you enter the set spantree maxage agingtime mst command, you set the maximum aging time for the IST instance and all MST instances. You do not need to set the maximum aging time for each MST instance.
Examples
This example shows how to set the maximum aging time for VLAN 1000 to 25 seconds:
Console> (enable) set spantree maxage 25 1000
Spantree 1000 max aging time set to 25 seconds.
This example shows how to set the maximum aging time for an instance to 25 seconds:
Console> (enable) set spantree maxage 25 mistp-instance 1
Instance 1 max aging time set to 25 seconds.
This example shows how to set the maximum aging time for the IST and all MST instances to 20 seconds:
Console> (enable) set spantree maxage 20 mst
MST max age set to 20 seconds.
Related Commands
show spantree
set spantree mode
To configure the type of Spanning Tree Protocol mode to run, use the set spantree mode command.
set spantree mode {mistp | pvst+ | mistp-pvst+ | mst | rapid-pvst+}
Syntax Description
mistp | Specifies MISTP mode.
pvst+ | Specifies PVST+ mode.
mistp-pvst+ | Allows the switch running MISTP to tunnel BPDUs with remote switches running PVST+.
mst | Specifies MST mode.
rapid-pvst+ | Specifies per VLAN Rapid Spanning Tree (IEEE 802.1w).
Defaults
The default is rapid-pvst+.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
When you connect through Telnet into a switch and try to change the spanning tree mode from PVST+ to MISTP or MISTP-PVST+, and no VLANs are mapped to any instance on that switch, this warning message is displayed:
Console> (enable) set spantree mode mistp
Warning!! Changing the STP mode from a telnet session will disconnect the
session because there are no VLANs mapped to any MISTP instance.
Do you want to continue [n]?
When you connect through Telnet into a switch and try to change the spanning tree mode from MISTP or MISTP-PVST+ to PVST+, or when you connect through Telnet into a switch and try to change the spanning tree mode from PVST+ to MISTP or MISTP-PVST+ and additional VLAN-instance mappings are on that switch, this warning message is displayed:
Console> (enable) set spantree mode pvst+
Warning!! Changing the STP mode from a telnet session might disconnect the
Do you want to continue [n]?
When you change from MISTP to Rapid PVST+ and over 8000 VLAN ports are currently configured on the switch, this warning message is displayed:
Console> (enable) set spantree mode rapid-pvst+
Warning!! This switch has 12345 VLAN-ports currently configured for STP.
Going out of MISTP mode could impact system performance.
Do you want to continue [n]?
If you change the spanning tree mode from PVST+ to MISTP or MISTP to PVST+, the STP mode previously running stops, all the information collected at runtime is used to build the port database for the new mode, and the new STP mode restarts the computation of the active topology from zero. All the parameters of the previous STP per VLAN or per instance are kept in NVRAM.
If you change the spanning tree mode from PVST+ to MISTP or MISTP to PVST+ and BackboneFast is enabled, this message is displayed:
Console> (enable) set spantree mode mistp
Cannot change the spantree mode to MISTP when backbonefast is enabled.
Examples
This example shows how to set the spanning tree mode to PVST+:
Console> (enable) set spantree mode pvst+
Warning!! Changing the STP mode from a telnet session might disconnect the session.
Do you want to continue [n]? y
Spantree mode set to PVST+.
This example shows what happens if you change the spanning tree mode from PVST+ to MISTP:
Console> (enable) set spantree mode mistp
Warning!! Changing the STP mode from a telnet session will disconnect the session because
there are no VLANs mapped to any MISTP instance.
Do you want to continue [n]? y
This example shows how to set the spanning tree mode to MST:
Console> (enable) set spantree mode mst
Warning!! Changing the STP mode from a telnet session will disconnect the session because
there are no VLANs mapped to any MISTP instance.
Do you want to continue [n]? y
This example shows how to set the spanning tree mode to rapid PVST+:
Console> (enable) set spantree mode rapid-pvst+
Warning!! Changing the STP mode from a telnet session might disconnect the session.
Do you want to continue [n]? y
Related Commands
set vlan
show spantree
set spantree mst
To configure the mapping of VLANs to an MST instance or to configure ports that are connected to neighbors that are in pre-standard MST mode, use the set spantree mst command.
set spantree mst instance vlan vlan
set spantree mst {mod/port} {pre-std | auto}
Syntax Description
instance | Number of the instance; valid values are from 0 to 4094. See the "Usage Guidelines" section for more information.
vlan vlan | Specifies the VLAN number; valid values are from 1 to 4094.
mod/port | Number of the module and the port on the module.
pre-std | Configures a port that is connected to a switch running pre-standard MST. See the "Usage Guidelines" section for more information.
auto | Reverts a port that is in pre-standard MST mode back to standard MST mode (IEEE Std 802.1s). See the "Usage Guidelines" section for more information.
Defaults
Ports are set to auto.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
All changes made to the region configuration (region information and VLAN mapping) are buffered. Only one user can hold the buffer at a time. This buffer is locked when you first use the set spantree mst instance or set spantree mst config commands.
If the VLAN is already mapped to some other instance, the VLAN is unmapped from that instance and mapped to the new instance.
Each time you map a new VLAN or VLANs, they are added to the existing mapping.
All unmapped VLANs are automatically mapped to MST instance 0 (IST).
You can configure up to 64 instances, including the mandatory instance 0. If 64 instances have already been configured, you cannot create an additional instance by mapping more VLANs to it.
If a port is connected to a neighbor that is running pre-standard MST, you can configure the port to operate in pre-standard MST mode by entering the set spantree mst mod/port pre-std command.
Pre-standard MST is an MST implementation that is not compliant with IEEE Std 802.1s. The MST implementation is pre-standard on Catalyst 6500 series switches that are running software releases before 8.3(1), and on Catalyst 6500 series switches that are running any Cisco IOS software release.
Entering the set spantree mst mod/port auto command reverts a port that is in pre-standard MST mode back to standard MST mode. In standard MST mode, a port on a neighbor that is in pre-standard MST mode might become a boundary port, even though both switches have the same MST configuration.
The clear spantree mst mod/port pre-std command also reverts a port back to standard MST mode.
Examples
This example shows how to map VLAN 1 to MST instance 2:
Console> (enable) set spantree mst 2 vlan 1
This example shows how to set a port to pre-standard MST mode:
Console> (enable) set spantree mst 4/47 pre-std
Port configured to pre-mst port 4/47.
Related Commands
clear spantree mst
set spantree mst config
set spantree mst config
To change the MST region information, use the set spantree mst config command.
set spantree mst config [name name] [revision number]
set spantree mst config commit
set spantree mst config rollback [force]
Syntax Description
name name | (Optional) Specifies the MST region name. See the "Usage Guidelines" section for more information.
revision number | (Optional) Specifies the MST region revision number; number is from 0 to 65535. See the "Usage Guidelines" section for more information.
commit | Puts the new MST VLAN mapping into effect.
rollback | Discards changes made to the MST configuration that have not been applied yet.
force | (Optional) Unlocks the MST edit buffer when it is held by another user.
Defaults
Unless you specify a region name, the region has no name.
The default revision number is 0.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The region name can be up to 32 characters long.
The region name and revision number are copied from NVRAM MST region information. You must enter the revision number if the revision number needs to be updated. The revision number is not incremented automatically each time that the MST configuration is committed.
Changes that you make to MST VLAN mapping are buffered, and by entering the set spantree mst config commit command, you put the new MST VLAN mapping into effect. After you enter the set spantree mst config commit command, the lock for the MST edit buffer is released.
If you enter the set spantree mst config rollback command while you hold the edit buffer, you discard the changes made to the MST region configuration that have not been applied yet. You can forcefully release a lock set by another user by entering the set spantree mst config rollback force command.
The set spantree mst config commit and set spantree mst config rollback commands are stored in NVRAM.
Examples
This example shows how to configure an MST region and to give that region a name and revision number:
Console> (enable) set spantree mst config name test-lab revision 10
Edit Buffer modified. Use 'set spantree mst config commit' to apply the
This example shows how to put the new MST VLAN mapping into effect:
Console> (enable) set spantree mst config commit
This example shows how to discard MST region configuration when you hold the MST edit buffer:
Console> (enable) set spantree mst config rollback
This example shows how to unlock the MST edit buffer when it is held by another user:
Console> (enable) set spantree mst config rollback force
This example shows the message that displays on the console if the switch is either a non-primary server or a client for the MST feature:
Console> (enable) set spantree mst config commit
MST configuration cannot be changed on a non primary server
Related Commands
clear spantree mst
show spantree mst
show spantree mst config
set spantree mst link-type
To configure the link type of a port, use the set spantree mst link-type command.
set spantree mst link-type mod/port {auto | point-to-point | shared}
Syntax Description
mod/port | Number of the module and the port on the module.
auto | Derives the link type from the duplex setting of the port (half duplex or full duplex). See the "Usage Guidelines" section for more information about auto.
point-to-point | Connects the port to a point-to-point link.
shared | Connects the port to a shared medium.
Defaults
The default link type is auto.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
MST rapid connectivity only works on point-to-point links between two bridges.
If the link type is set to auto and the link is a half-duplex link, then the link is a shared link. If the link type is set to auto and the link is a full-duplex link, then the link is a point-to-point link.
Examples
This example shows how to connect port 1 on module 3 to a point-to-point link:
Console> (enable) set spantree mst link-type 3/1 point-to-point
Link type set to point-to-point on port 3/1
Related Commands
clear spantree mst
set spantree global-default
set spantree mst config
set spantree mst maxhops
To set the spanning tree hop count, use the set spantree mst maxhops command.
set spantree mst maxhops maxhops
Syntax Description
maxhops | Maximum number of hops. Valid values are 1 to 40.
Defaults
The bridge forward delay default is 20 seconds for all instances.
Command Types
Switch command.
Command Modes
Privileged.
Examples
This example shows how to set the maximum number of hops:
Console> (enable) set spantree mst maxhops 20
Related Commands
clear spantree mst
set spantree mst config
set spantree mst link-type
set spantree mst vlan
show spantree mst
show spantree mst config
set spantree mst vlan
To configure the mapping of VLANs to an MST instance, use the set spantree mst vlan command.
set spantree mst instance vlan vlan
Syntax Description
instance | Number of the instance; valid values are from 0 to 15.
vlan vlan | Specifies the VLAN number; valid values are from 1 to 4094.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
All changes made to the region configuration (region information and VLAN mapping) are buffered. Only one user can hold the buffer at a time. This buffer is locked when you first enter the set spantree mst instance or set spantree mst config commands.
If the VLAN is already mapped to some other instance, the VLAN is unmapped from that instance and mapped to the new instance.
Each time you map a new VLAN or VLANs, they are added to the existing mapping.
All unmapped VLANs are mapped to MST instance 0 (IST).
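The edit-buffer rules described in the usage guidelines for set spantree mst, set spantree mst config and set spantree mst vlan (one holder of the buffer, VLANs moved between instances, unmapped VLANs falling into instance 0, the 64-instance ceiling, and commit, rollback and rollback force) modeled as a small Python class. This is an added illustration, not Cisco code; the user names and the message strings are constructed.

```python
# Model of the MST edit-buffer semantics described on this page (added
# illustration, not Cisco code). User names and message strings are constructed.
MAX_INSTANCES = 64   # including the mandatory instance 0 (IST)
MAX_VLAN = 4094
MODIFIED = "Edit Buffer modified. Use 'set spantree mst config commit' to apply"


def parse_vlan_list(text):
    """Parse a VLAN list such as '1,400-499' into a set of ids in 1..4094."""
    vlans = set()
    for part in text.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= MAX_VLAN:
            raise ValueError(f"VLAN range out of bounds: {part}")
        vlans.update(range(lo, hi + 1))
    return vlans


def instance_of(vlan_map, vlan):
    """A VLAN absent from the map is unmapped, so it belongs to instance 0."""
    return vlan_map.get(vlan, 0)


class MstEditBuffer:
    def __init__(self):
        self.committed = {}              # vlan -> instance, as stored in NVRAM
        self.buffer = self.holder = None

    def _lock(self, user):
        """The first mapping command locks the buffer; only that user may edit."""
        if self.holder is None:
            self.holder, self.buffer = user, dict(self.committed)
        return self.holder == user

    def set_instance_vlan(self, user, instance, vlan_text):
        """set spantree mst <instance> vlan <vlan_list>"""
        if not self._lock(user):
            return f"MST edit buffer is locked by {self.holder}"
        live = {0} | set(self.buffer.values())   # instances currently in use
        if instance not in live and len(live) >= MAX_INSTANCES:
            return "Cannot create instance: 64 MST instances already configured"
        for vlan in parse_vlan_list(vlan_text):
            if instance == 0:
                self.buffer.pop(vlan, None)      # back to the IST
            else:
                self.buffer[vlan] = instance     # unmapped from any old instance
        return MODIFIED

    def commit(self, user):
        """set spantree mst config commit: apply the buffer and release the lock."""
        if self.holder != user:
            return "You do not hold the MST edit buffer"
        self.committed, self.buffer, self.holder = self.buffer, None, None
        return "MST configuration committed"

    def rollback(self, user, force=False):
        """set spantree mst config rollback [force]: discard unapplied changes."""
        if self.holder is not None and self.holder != user and not force:
            return f"MST edit buffer is locked by {self.holder}; use force"
        self.buffer = self.holder = None
        return "MST edit buffer changes discarded"
```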
Examples
This example shows how to map VLANs 400 through 499 to MST instance 4:
Console> (enable) set spantree mst 4 vlan 400-499
Edit Buffer modified. Use 'set spantree mst config commit' to apply the
Related Commands
clear spantree mst
set spantree mst config
show spantree mst
show spantree mst config
set spantree portcost
To set the path cost for a port, use the set spantree portcost command.
set spantree portcost mod/port cost [mst]
Syntax Description
mod/port | Number of the module and the port on the module.
cost | Number of the path cost; see the "Usage Guidelines" section for additional information.
mst | (Optional) Sets the path cost for an MST port.
Defaults
The default path cost is based on port speed; see Table 2-27 and Table 2-28 for default settings.
Table 2-27 Default Port Cost—Short Mode
Port Speed | Default Port Cost
4 Mb | 250
10 Mb | 100
16 Mb | 62
100 Mb | 19
155 Mb | 14
1 Gb | 4
10 Gb | 2
Table 2-28 Default Port Cost—Long Mode
Port Speed | Default Port Cost
100 Kb | 200000000 (200 million)
1 Mb | 20000000 (20 million)
10 Mb | 2000000 (2 million)
10 Mb | 200000 (200 thousand)
1 Gb | 20000 (20 thousand)
10 Gb | 2000 (2 thousand)
100 Gb | 200
1 Tb | 20
10 Tb | 2
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The Spanning Tree Protocol uses port path costs to determine which port to select as a forwarding port. You should assign lower numbers to ports attached to faster media (such as full duplex) and higher numbers to ports attached to slower media.
Examples
This example shows how to set the port cost for port 12 on module 2 to 19:
Console> (enable) set spantree portcost 2/12 19
Spantree port 2/12 path cost set to 19.
Related Commands
set spantree defaultcostmode
show spantree
set spantree portfast
To allow a port that is connected to a single workstation or PC to start faster when it is connected, use the set spantree portfast command.
set spantree portfast mod/port {enable [trunk] | disable | default}
Syntax Description
mod/port | Number of the module and the port on the module.
enable | Enables the spanning tree PortFast-start feature on the port.
trunk | (Optional) Enables the spanning tree PortFast-start feature on the trunk port.
disable | Disables the spanning tree PortFast-start feature on the port.
default | Sets the spanning tree PortFast-start feature back to its default setting.
Defaults
By default, the PortFast-start feature is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
When a port configured with the set spantree portfast mod/port enable command is connected, the port immediately enters the spanning tree forwarding state rather than going through the normal spanning tree states, such as listening and learning.
If you enter the trunk keyword, the spanning tree PortFast-start feature is enabled on the specified trunk port.
Examples
This example shows how to enable the spanning tree PortFast-start feature on port 2 on module 1:
Console> (enable) set spantree portfast 1/2 enable
Warning: Connecting layer 2 devices to a fast-start port can cause temporary spanning tree
loops. Use with caution.
Spantree port 1/2 fast start enabled.
This example shows how to enable the spanning tree PortFast-start feature on the trunk port:
Console> (enable) set spantree portfast 3/2 enable trunk
Warning: Connecting layer 2 devices to a fast-start port can cause temporary spanning tree
loops. Use with caution.
Spantree port 1/2 fast start enabled.
Related Commands
show spantree portfast
set spantree portfast bpdu-filter
To enable or disable spanning tree PortFast BPDU packet filtering on a port, use the set spantree portfast bpdu-filter command.
set spantree portfast bpdu-filter mod/port {enable | disable | default}
Syntax Description
mod/port | Number of the module and the port on the module.
enable | Enables spanning tree PortFast BPDU packet filtering.
disable | Disables spanning tree PortFast BPDU packet filtering.
default | Sets spanning tree PortFast BPDU packet filtering to the global BPDU packet filtering state. See the "Usage Guidelines" section for more information.
Defaults
The default is the default keyword; that is, the port follows the global BPDU packet filtering state.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
Spanning tree PortFast BPDU packet filtering turns off BPDU transmission on PortFast-enabled ports and nontrunking ports.
If you enter the default keyword, the spanning tree port is set to the global BPDU filtering state.
To enable or disable spanning tree PortFast BPDU filtering for all ports on the switch, enter the set spantree global-default bpdu-filter command.
Examples
This example shows how to enable spanning tree PortFast BPDU filtering on module 3, port 4:
Console> (enable) set spantree portfast bpdu-filter 3/4 enable
Warning: Ports enabled with bpdu filter will not send BPDUs and drop all
received BPDUs. You may cause loops in the bridged network if you misuse
Spantree port 3/4 bpdu filter enabled.
Related Commands
set spantree global-default
show spantree portfast
set spantree portfast bpdu-guard
To enable or disable spanning tree PortFast BPDU guard on a port, use the set spantree portfast bpdu-guard command.
set spantree portfast bpdu-guard mod/port {enable | disable | default}
Syntax Description
mod/port | Number of the module and the port on the module.
enable | Enables the spanning tree PortFast BPDU guard.
disable | Disables the spanning tree PortFast BPDU guard.
default | Sets spanning tree PortFast BPDU guard to the global BPDU guard state. See the "Usage Guidelines" section for more information.
Defaults
The default is the default keyword; that is, the port follows the global BPDU guard state.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You must enable spanning tree PortFast mode on the port before you enable spanning tree PortFast BPDU guard; otherwise, BPDU guard does not work correctly.
When you enable spanning tree PortFast BPDU guard, a nontrunking PortFast-enabled port is moved into an errdisable state when a BPDU is received on that port. When you disable spanning tree PortFast BPDU guard, a PortFast-enabled nontrunking port will stay up when it receives BPDUs, which may cause spanning tree loops.
If you enter the default keyword, the spanning tree port is set to the global BPDU guard state.
To enable or disable BPDU guard for all ports on the switch, enter the set spantree global-default bpdu-guard command.
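A configuration audit that applies the PortFast, BPDU filter and BPDU guard guidelines above: it resolves the default keyword against the set spantree global-default state and lists PortFast-enabled ports that have BPDU filtering on, that are trunks (which BPDU guard does not errdisable), or that have no effective BPDU guard. This is an added example, not Cisco code; SAMPLE_CONFIG is constructed from the command syntax shown on this page, and the finding labels are my own.

```python
# Added audit example, not Cisco code: parses CatOS 'set spantree' lines and
# flags PortFast ports that the guidelines on this page leave exposed.
# SAMPLE_CONFIG is constructed in the command syntax shown here; a real
# 'show config' dump may differ in layout.
SAMPLE_CONFIG = """\
set spantree global-default bpdu-guard disable
set spantree global-default bpdu-filter disable
set spantree portfast 1/2 enable
set spantree portfast bpdu-guard 1/2 enable
set spantree portfast 3/2 enable trunk
set spantree portfast 3/4 enable
set spantree portfast bpdu-filter 3/4 enable
set spantree portfast 5/1 enable
set spantree portfast bpdu-guard 5/1 default
"""


def parse_config(text):
    """Return (global_defaults, ports); per-port states not set are 'default'."""
    global_defaults = {"bpdu-guard": "disable", "bpdu-filter": "disable"}
    ports = {}
    for line in text.splitlines():
        t = line.split()
        if t[:2] != ["set", "spantree"] or len(t) < 5:
            continue
        if t[2] == "global-default":
            global_defaults[t[3]] = t[4]
        elif t[2] == "portfast":
            if "/" in t[3]:        # set spantree portfast mod/port state [trunk]
                feat, port, state, trunk = "portfast", t[3], t[4], "trunk" in t[5:]
            elif len(t) >= 6:      # set spantree portfast bpdu-* mod/port state
                feat, port, state, trunk = t[3], t[4], t[5], False
            else:
                continue
            entry = ports.setdefault(port, {"portfast": "disable", "trunk": False,
                                            "bpdu-guard": "default", "bpdu-filter": "default"})
            entry[feat] = state
            entry["trunk"] = entry["trunk"] or trunk
    return global_defaults, ports


def effective(port_state, global_state):
    """The 'default' keyword makes a port follow the global-default state."""
    return global_state if port_state == "default" else port_state


def audit(text):
    """Return [(port, finding)] for PortFast-enabled ports, in mod/port order."""
    global_defaults, ports = parse_config(text)
    findings = []
    for port in sorted(ports, key=lambda p: tuple(int(x) for x in p.split("/"))):
        cfg = ports[port]
        if cfg["portfast"] != "enable":
            continue
        if effective(cfg["bpdu-filter"], global_defaults["bpdu-filter"]) == "enable":
            findings.append((port, "bpdu-filter"))    # sends no BPDUs, drops received ones
        elif cfg["trunk"]:
            findings.append((port, "portfast-trunk"))  # guard errdisables nontrunking ports only
        elif effective(cfg["bpdu-guard"], global_defaults["bpdu-guard"]) != "enable":
            findings.append((port, "no-bpdu-guard"))   # a switch BPDU would not errdisable it
    return findings
```

Re-running audit after switching the global default to set spantree global-default bpdu-guard enable clears the 5/1 finding, because its per-port setting is default and now inherits the global guard state.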
Examples
This example shows how to enable spanning tree BPDU guard on module 3, port 1:
Console> (enable) set spantree portfast bpdu-guard 3/1 enable
Spantree port 3/1 bpdu guard enabled.
Related Commands
set spantree global-default
show spantree portfast
set spantree portinstancecost
To assign the path cost of the port for the specified instances, use the set spantree portinstancecost command.
set spantree portinstancecost mod/port [cost cost] [instances]
set spantree portinstancecost mod/port [cost cost] mst [instances]
Syntax Description
mod/port | Number of the module and the port on the module.
cost cost | (Optional) Indicates the path cost; see the "Usage Guidelines" section for additional information.
mst | Sets the cost for an MST instance.
instances | (Optional) Instance number; valid values are from 0 to 15.
Defaults
The default path cost is based on port speed; see Table 2-29 for default settings.
Table 2-29 Default Port Cost—Short Mode
Port Speed | Default Port Cost
4 Mb | 250
10 Mb | 100
16 Mb | 62
100 Mb | 19
155 Mb | 14
1 Gb | 4
10 Gb | 2
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The port instance cost applies to trunk ports only.
The value specified is used as the path cost of the port for the specified instances. The rest of the instances have a path cost equal to the port path cost set through the set spantree instancecost command. (If not set, the value is the default path cost of the port.)
Examples
This example shows how to use the set spantree portinstancecost command and explicitly specify the path cost of a port:
Console> (enable) set spantree portinstancecost 2/10 cost 6 1-10
Port 2/10 instances 11-16 have path cost 2000000.
Port 2/10 instances 1-10 have path cost 6.
This parameter applies to trunking ports only.
These examples show how to use the set spantree portinstancecost command without explicitly specifying the path cost of a port:
Console> (enable) set spantree portinstancecost 1/2
Port 1/2 Instances 1-1005 have path cost 3100.
Console> (enable) set spantree portinstancecost 1/2 16
Port 1/2 Instances 16,22-1005 have path cost 3100.
This example shows the display if you enter the command when PVST+ is enabled:
Console> (enable) set spantree portinstancecost 3/1
This command is only valid when STP is in MISTP or MISTP-PVST+ mode.
This example shows how to set the port cost for a specific MST instance:
Console> (enable) set spantree portinstancecost 2/10 cost 6 1-10 mst
Port 2/10 mst instances 1-10 have path cost 6.
This parameter applies to trunking ports only.
Related Commands
clear spantree portinstancecost
show spantree mistp-instance
set spantree portinstancepri
To set the port priority for instances in the trunk port, use the set spantree portinstancepri command.
set spantree portinstancepri mod/port priority [instances]
set spantree portinstancepri mod/port priority mst [instances]
Syntax Description
mod/port | Number of the module and the port on the module.
priority | Number that represents the cost of a link in a spanning tree bridge; valid values are 0, 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176, 192, 208, 224, 240, with 0 indicating high priority and 240, low priority. See the "Usage Guidelines" section for more information.
mst | Specifies the port priority for MST instances.
instances | (Optional) Instance number; valid values are from 0 to 15.
Defaults
The default port priority is 0, with no instances specified.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
Priority values that are not a multiple of 16 (between the values of 0 to 63) are converted to the nearest multiple of 16. Use this command to add instances to a specified port priority level. Subsequent calls to this command do not replace instances that are already set at a specified port priority level.
This feature is not supported for the MSM.
The set spantree portinstancepri command applies to trunk ports only. If you enter this command on a port that is not trunk capable, you see this message:
Port xx is not a trunk-capable port
Examples
This example shows how to set the port priority for module 1, port 2, on specific instances:
Console> (enable) set spantree portinstancepri 1/2 16 1-11
Port 1/2 instances 1-11 using portpri 16.
This parameter applies to trunking ports only.
This example shows how to set the port priority for module 8, port 1, on MST instance 2:
Console> (enable) set spantree portinstancepri 8/1 31 mst 2
Port 8/1 instances 2 using portpri 31.
Port 8/1 instances 0-1, 3-15 using portpri 32.
Related Commands
clear spantree portinstancecost
show spantree mistp-instance
set spantree portpri
To set the bridge priority for a spanning tree port, use the set spantree portpri command.
set spantree portpri mod/port priority [mst]
Syntax Description
mod/port | Number of the module and the port on the module.
priority | Number that represents the cost of a link in a spanning tree bridge; valid values are 0, 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176, 192, 208, 224, 240, with 0 indicating high priority and 240, low priority. See the "Usage Guidelines" section for more information.
mst | (Optional) Sets the bridge priority for an MST port.
Defaults
The default bridge priority for all ports is 32.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
A priority value that is not a multiple of 16 (between the values of 0 to 63) is converted to the nearest multiple of 16.
Examples
This example shows how to set the priority of port 1 on module 4 to 63:
Console> (enable) set spantree portpri 2/3 48
Bridge port 2/3 port priority set to 48.
This example shows the output when you have specified a priority value that is not a multiple of 16:
Console> (enable) set spantree portpri 2/3 2
Vlan port priority must be one of these numbers:0, 16, 32, 48, 64, 80,
160, 176, 192, 208, 224, 240
converting 2 to 0 nearest multiple of 16
Bridge port 2/3 port priority set to 0.
Related Commands
show spantree
set spantree portvlancost
To assign a lower path cost to a set of VLANs on a port, use the set spantree portvlancost command.
set spantree portvlancost mod/port [cost cost] [vlan_list]
Syntax Description
mod/port | Number of the module and the port on the module.
cost cost | (Optional) Sets the path cost; valid values are from 1 to 65535.
vlan_list | (Optional) Number of the VLAN; valid values are from 1 to 4094.
Defaults
The default path cost is based on port speed; see Table 2-30 and Table 2-31 for default settings.
Table 2-30 Default Port Cost—Short Mode
Port Speed
|
Default Port Cost
|
4 Mb
|
250
|