Catalyst 6500 Series Cisco IOS Command Reference, 12.1 E
erase to mls aging

Table Of Contents

erase

errdisable detect cause

errdisable flap-setting cause

errdisable recovery

fabric lcd-banner

fabric required

fabric switching-mode allow

file verify auto

flowcontrol

format

fsck

hold-queue

hw-module reset

instance

interface

interface port-channel

interface range

interface vlan

ip access-list hardware permit fragments

ip auth-proxy max-login-attempts

ip auth-proxy watch-list

ip cef table consistency-check

ip flow-aggregation cache

ip flow-cache entries

ip flow-export destination

ip flow-export source

ip flow-export version

ip igmp snooping

ip igmp snooping fast-leave

ip igmp snooping l2-entry-limit

ip igmp snooping last-member-query-interval

ip igmp snooping mrouter

ip igmp snooping querier

ip igmp snooping static

ip local-proxy-arp

ip multicast rpf backoff

ip multicast rpf interval

ip pim autorp listener

ip rgmp

ip route-cache flow

ip sticky-arp

ip verify unicast reverse-path

ip verify unicast source reachable-via

ip wccp group-listen

ip wccp redirect exclude in

ip wccp web-cache accelerated

l2protocol-tunnel

l2protocol-tunnel cos

l2protocol-tunnel drop-threshold

l2protocol-tunnel shutdown-threshold

lacp port-priority

lacp system-priority

link debounce

logging event link-status (global configuration)

logging event link-status (interface configuration)

logging event subif-link-status

mac access-list extended

mac-address-table aging-time

mac-address-table static

mac-address-table unicast-flood

match

maxconns (real server configuration submode)

maximum-paths

mdix auto

mkdir disk0:

mls aclmerge algorithm

mls aging fast

mls aging long

mls aging normal



erase

To erase a file system, use the erase command.

erase {const_nvram: | nvram: | startup-config:}

Syntax Description

const_nvram:

Erases all files under the const_nvram: partition.

nvram:

Erases NVRAM.

startup-config:

Erases the contents of the configuration memory.


Defaults

This command has no default settings.

Command Modes

EXEC

Command History

Release
Modification

12.0(7)XE

Support for this command was introduced on the Catalyst 6500 series switches.


Usage Guidelines


Caution: When you use the erase command to erase a file system, you cannot recover the files in the file system.

The erase nvram: command replaces the write erase command and the erase startup-config command.

You can use the erase command on both Class B and Class C Flash file systems only. To reclaim space on Flash file systems after deleting files using the delete command, you must use the erase command. The erase command erases all of the files in the Flash file system.

Class A Flash file systems cannot be erased. You can delete individual files using the delete command and then reclaim the space using the squeeze command. You can also use the format command to format the Flash file system.

On Class C Flash file systems, space is dynamically reclaimed when you use the delete command. You can also use either the format or erase command to reinitialize a Class C Flash file system.

The erase nvram: command erases NVRAM. On Class A file system platforms, if the CONFIG_FILE argument specifies a file in Flash memory, the specified file is marked "deleted."

You can enter the erase const_nvram command to erase the VLAN database configuration file.

Examples

This example shows how to erase the NVRAM and the startup configuration in the NVRAM:

Router# erase nvram:
Router# 

Related Commands

boot config
delete (refer to the Cisco IOS Release 12.1 Command Reference)
more nvram:startup-config: (refer to the Cisco IOS Release 12.1 Command Reference)
show bootvar
undelete (refer to the Cisco IOS Release 12.1 Command Reference)

errdisable detect cause

To enable error-disable detection, use the errdisable detect cause command. Use the no form of this command to disable error-disable detection.

errdisable detect cause {all | dtp-flap | l2ptguard | link-flap | pagp-flap | udld}

no errdisable detect cause {all | dtp-flap | l2ptguard | link-flap | pagp-flap | udld}

errdisable detect cause <udld|bpduguard|rootguard| pagp-flap|dtp-flap|link-flap

Syntax Description

arp-inspection

 

bpduguard

Specifies detection for the BPDU guard flap error-disable cause.

dhcp-rate-limit

 

dtp-flap

Specifies detection for the DTP flap error-disable cause.

gbic-invalid

 

l2ptguard

Specifies detection for the Layer 2 protocol-tunnel error-disable cause.

link-flap

Specifies detection for the link flap error-disable cause.

pagp-flap

Specifies detection for the PAgP flap error-disable cause.

rootguard

Specifies detection for the rootguard flap error-disable cause.

udld

Specifies detection for the UDLD error-disable cause.


Defaults

Enabled for all causes

Command Modes

Global configuration

Command History

Release
Modification

12.1(3a)E3

Support for this command was introduced on the Catalyst 6500 series switches.

12.1(11b)EX

This command was changed to support Layer 2 protocol tunneling.


Usage Guidelines

A cause (bpduguard, dtp-flap, link-flap, pagp-flap, rootguard, udld) is defined as the reason why the error-disabled state occurred. When a cause is detected on an interface, the interface is placed in an error-disabled state (an operational state that is similar to the link down state).

You must enter the shutdown and then the no shutdown commands to recover an interface manually from errdisable.

Examples

This example shows how to enable error-disable detection for the Layer 2 protocol-tunnel guard error-disable cause:

Router(config)# errdisable detect cause l2ptguard
Router(config)# 

Related Commands

show errdisable detect
show interfaces status

errdisable flap-setting cause

To configure the maximum number of flaps that are allowed to occur before setting to error disable, use the errdisable flap-setting cause command. Use the no form of this command to return to the default settings.

errdisable flap-setting cause {link-flap | pagp-flap | dtp-flap} {max-flaps flap-count} {time seconds}

Syntax Description

link-flap

Specifies the flap-setting values for the link flap error-disable cause.

pagp-flap

Specifies the flap-setting values for the PAgP flap error-disable cause.

dtp-flap

Specifies the flap-setting values for the DTP flap error-disable cause.

max-flaps flap-count

Specifies the maximum number of flaps that are allowed to occur before setting to error disable; valid values are from 1 to 100.

time seconds

Specifies the time period that flaps are counted; valid values are from 1 to 120 seconds.


Defaults

The defaults are as follows:

Enabled for all causes

flap-count

seconds—300 seconds

Command Modes

Global configuration

Command History

Release
Modification

12.1(22)E2

Support for this command was introduced on the Catalyst 6500 series switches.


Usage Guidelines

You must enter the shutdown and then the no shutdown commands to recover an interface manually from errdisable.

Examples

This example shows how to enable error-disable detection for the Layer 2 protocol-tunnel guard error-disable cause:

Router(config)# errdisable detect cause l2ptguard
Router(config)# 

Related Commands

show errdisable flap-values

errdisable recovery

To configure the recovery mechanism, use the errdisable recovery command. Use the no form of this command to return to the default settings.

errdisable recovery cause {all | bpduguard | channel-misconfig | dhcp-rate-limit | dtp-flap | gbic-invalid | l2ptguard | link-flap | pagp-flap | psecure-violation | security-violation | udld | unicast-flood}

errdisable recovery {interval interval}

no errdisable recovery cause {all | bpduguard | channel-misconfig | dhcp-rate-limit | dtp-flap | gbic-invalid | l2ptguard | link-flap | pagp-flap | psecure-violation | security-violation | udld | unicast-flood}

no errdisable recovery {interval interval}

Syntax Description

cause

Enables error-disable recovery to recover from a specific cause.

all

Enables the recovery timers for all error-disable causes.

bpduguard

Enables the recovery timer for the BPDU guard error-disable cause.

channel-misconfig

Enables the recovery timer for the channel-misconfig error-disable cause.

dhcp-rate-limit

Enables the recovery timer for the DHCP rate limit error-disable cause.

dtp-flap

Enables the recovery timer for the DTP flap error-disable cause.

gbic-invalid

Enables the recovery timer for the GBIC invalid error-disable cause.

l2ptguard

Enables the recovery timer for the Layer 2 protocol-tunnel error-disable cause.

link-flap

Enables the recovery timer for the link-flap error-disable cause.

pagp-flap

Enables the recovery timer for the PAgP-flap error-disable cause.

psecure-violation

Enables the recovery timer for the psecure-violation error-disable cause.

security-violation

Enables automatic recovery of ports disabled due to 802.1x security violations.

udld

Enables the recovery timer for the UDLD error-disable cause.

unicast-flood

Enables the recovery timer for the unicast flood error-disable cause.

interval interval

Specifies the time to recover from a specified error-disable cause; valid values are from 30 to 86400 seconds.


Defaults

The defaults are as follows:

Disabled for all causes.

If enabled, the interval is 300 seconds.

Command Modes

Global configuration

Command History

Release
Modification

12.0(7)XE

Support for this command was introduced on the Catalyst 6500 series switches.

12.1(2)

The information display for the command was updated.

12.1(8a)E

Support for this command on the Catalyst 6500 series switches was extended to the 12.1 E release.

12.1(11b)EX

This command was changed to support Layer 2 protocol tunneling.


Usage Guidelines

A cause (bpduguard, dhcp-rate-limit, dtp-flap, l2ptguard, link-flap, pagp-flap, security-violation, channel-misconfig, psecure-violation, udld, or unicast-flood) is defined as the reason why the error-disabled state occurred. When a cause is detected on an interface, the interface is placed in an error-disabled state (an operational state that is similar to the link down state). If you do not enable errdisable recovery for the cause, the interface stays in the error-disabled state until a shutdown and no shutdown occurs. If you enable recovery for a cause, the interface is brought out of the error-disabled state and allowed to retry operation once all the causes have timed out.

You must enter the shutdown and then the no shutdown commands to recover an interface manually from errdisable.

Examples

This example shows how to enable the recovery timer for the BPDU guard error-disable cause:

Router(config)# errdisable recovery cause bpduguard
Router(config)# 

This example shows how to set the timer to 300 seconds:

Router(config)# errdisable recovery interval 300
Router(config)# 
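The following added example (not part of the Cisco reference) computes the effective errdisable detection and recovery state of a saved configuration, using the keywords, defaults and interval range given in the errdisable sections above. The sample configuration is constructed, and the `REVIEW_CAUSES` set is this example's own policy assumption about which causes a reviewer may prefer to leave on manual recovery.

```python
import re

# Keywords, defaults and ranges as stated in the errdisable sections of this page.
DETECT_CAUSES = ["dtp-flap", "l2ptguard", "link-flap", "pagp-flap", "udld"]
RECOVERY_CAUSES = [
    "bpduguard", "channel-misconfig", "dhcp-rate-limit", "dtp-flap",
    "gbic-invalid", "l2ptguard", "link-flap", "pagp-flap",
    "psecure-violation", "security-violation", "udld", "unicast-flood",
]
DEFAULT_INTERVAL = 300        # seconds, applies once recovery is enabled
INTERVAL_RANGE = (30, 86400)  # valid values for "interval"

# Assumption of this example, not of the page: causes that a reviewer may
# want to keep on manual (shutdown / no shutdown) recovery.
REVIEW_CAUSES = {"bpduguard", "psecure-violation", "security-violation"}

LINE_RE = re.compile(
    r"^(?P<no>no\s+)?errdisable\s+(?P<kind>detect|recovery)\s+"
    r"(?:cause\s+(?P<cause>\S+)|interval(?:\s+(?P<interval>\d+))?)$"
)


def effective_errdisable(config_text):
    """Apply errdisable lines in order on top of the documented defaults."""
    detect = dict.fromkeys(DETECT_CAUSES, True)       # default: enabled for all
    recovery = dict.fromkeys(RECOVERY_CAUSES, False)  # default: disabled for all
    interval, problems = DEFAULT_INTERVAL, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith(("errdisable ", "no errdisable ")):
            continue
        m = LINE_RE.match(line)
        if m is None or (m["kind"] == "detect" and m["cause"] is None):
            problems.append(f"unparsed: {line}")
            continue
        enable = m["no"] is None
        if m["cause"] is None:  # "errdisable recovery interval ..."
            lo, hi = INTERVAL_RANGE
            if not enable:
                interval = DEFAULT_INTERVAL  # the no form restores the default
            elif m["interval"] and lo <= int(m["interval"]) <= hi:
                interval = int(m["interval"])
            else:
                problems.append(f"bad interval: {line}")
            continue
        table = detect if m["kind"] == "detect" else recovery
        if m["cause"] == "all":
            table.update(dict.fromkeys(table, enable))
        elif m["cause"] in table:
            table[m["cause"]] = enable
        else:
            problems.append(f"unknown cause: {line}")
    return detect, recovery, interval, problems


def review(config_text):
    """List parse problems, self-recovering review causes, disabled detection."""
    detect, recovery, interval, problems = effective_errdisable(config_text)
    findings = list(problems)
    for cause in sorted(c for c, on in recovery.items() if on):
        if cause in REVIEW_CAUSES:
            findings.append(f"{cause}: port re-enables itself after {interval} s")
    for cause in sorted(c for c, on in detect.items() if not on):
        findings.append(f"{cause}: detection disabled")
    return findings


# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
hostname Router
errdisable recovery cause all
no errdisable recovery cause udld
errdisable recovery interval 30
no errdisable detect cause link-flap
errdisable recovery interval 10
"""

if __name__ == "__main__":
    for finding in review(SAMPLE_CONFIG):
        print(finding)
```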

Related Commands

show errdisable detect
show interfaces status

fabric lcd-banner

Use the fabric lcd-banner command to specify the message-of-the-day (MOTD) banner for display on the Switch Fabric Module. Use the no form of this command to delete the MOTD banner.

fabric lcd-banner d message d

no fabric lcd-banner

Syntax Description

d

Delimiting character; see the "Usage Guidelines" section for additional guidelines.

message

Message text; see the "Usage Guidelines" section for additional guidelines.


Defaults

The default is that no MOTD banner is specified.

Command Modes

Global configuration mode

Command History

Release
Modification

12.1(8a)EX

Support for this command was introduced on the Catalyst 6500 series switches.


Usage Guidelines

You cannot use the delimiting character in the banner message. The delimiter is a character of your choice—a pound sign (#), for example.

You can replace tokens with the corresponding configuration argument.

Follow this command with one or more blank spaces and a delimiting character of your choice. Then enter one or more lines of text, terminating the message with the second occurrence of the delimiting character.

This MOTD banner is useful for displaying messages that affect all users (such as impending system shutdowns).

When you connect to the router, the MOTD banner appears before the login prompt. After you successfully log in to the router, the EXEC banner or incoming banner is displayed, depending on the type of connection. For a reverse Telnet login, the incoming banner is displayed. For all other connections, the router displays the EXEC banner.

To customize the banner, use tokens in the form $(token) in the message text. Tokens display current Cisco IOS configuration arguments, such as the router's host name and IP address.

Table 2-8 describes the command tokens.

Table 2-8 Command Tokens

Token

Information Displayed in the Banner

$(hostname)

Displays the router's host name.

$(domain)

Displays the router's domain name.

$(line)

Displays the VTY or TTY (async) line number.

$(line-desc)

Displays the description attached to the line.


Examples

This example shows how to set a MOTD banner for display on the Switch Fabric Module LCD display; the pound sign (#) is used as a delimiting character:

Router(config)# fabric lcd-banner #
Building power will be off from 7:00 AM until 9:00 AM this coming Tuesday.
#

This example shows how to set a MOTD banner; the percent sign (%) is used as a delimiting character:

Router(config)# fabric lcd-banner %
Enter TEXT message.  End with the character '%'.
You have entered $(hostname).$(domain) on line $(line) ($(line-desc)) %

When the MOTD banner is executed, you see the following. Notice that the $(token) syntax is replaced by the corresponding configuration argument:

You have entered darkstar.ourdomain.com on line 5 (Dialin Modem)

Related Commands

banner exec (refer to the Cisco IOS Release 12.1 Command Reference)
banner incoming (refer to the Cisco IOS Release 12.1 Command Reference)
banner login (refer to the Cisco IOS Release 12.1 Command Reference)
banner slip-ppp (refer to the Cisco IOS Release 12.1 Command Reference)
exec-banner (refer to the Cisco IOS Release 12.1 Command Reference)
motd-banner (refer to the Cisco IOS Release 12.1 Command Reference)

fabric required

To prevent the switch from coming online without a Switch Fabric Module, use the fabric required command. Use the no form of this command to allow the switch to come up without a Switch Fabric Module.

fabric required

no fabric required

Syntax Description

This command has no arguments or keywords.

Defaults

The switch does not require a Switch Fabric Module.

Command Modes

Global configuration

Command History

Release
Modification

12.1(11b)E

Support for this command was introduced on the Catalyst 6500 series switches.


Usage Guidelines

This command is not supported on systems configured with a Supervisor Engine 1.

If you enter the fabric required command when the last Switch Fabric Module is removed or powered down, all modules, except the supervisor engine, will power down. When you insert or power on the first Switch Fabric Module, the modules that were previously powered down will power up if the Switch Fabric Module configuration is not in conflict with other configurations.

If you enter the no fabric required command, modules will also power on if a Switch Fabric Module is not present and the configuration allows for it.

Examples

This example shows how to prevent the switch from coming online without a Switch Fabric Module:

Router(config)# fabric required
Router(config)#

Related Commands

show fabric

fabric switching-mode allow

To enable truncated mode in the presence of two or more fabric-enabled switching modules, use the fabric switching-mode allow command. Use the no form of this command to disable truncated mode.

fabric switching-mode allow {bus-mode | {truncated [{threshold [mod]}]}}

no fabric switching-mode allow {bus-mode | {truncated [threshold]}}

Syntax Description

bus-mode

Specifies bus-only mode.

truncated

Specifies truncated mode.

threshold mod

(Optional) Number of Switch Fabric Module-capable modules that are needed for truncated switching; see the "Usage Guidelines" section for additional information.


Defaults

The truncated mode is disabled.

Command Modes

Global configuration

Command History

Release
Modification

12.1(11b)E

Support for this command was introduced on the Supervisor Engine 2.


Usage Guidelines

Bus mode—The switch uses this mode for traffic between nonfabric-enabled modules and for traffic between a nonfabric-enabled module and a fabric-enabled module. In this mode, all traffic passes between the local bus and the supervisor engine bus.

Truncated mode—The switch uses this mode for traffic between fabric-enabled modules when there are both fabric-enabled and nonfabric-enabled modules installed. In this mode, the switch sends a truncated version of the traffic (the first 64 bytes of the frame) over the switch fabric channel.

Compact mode—The switch uses this mode for all traffic when only fabric-enabled modules are installed. In this mode, a compact version of the DBus header is forwarded over the switch fabric channel, which provides the best possible performance.

To prevent use of nonfabric-enabled modules or to prevent fabric-enabled modules from using bus mode, enter the no fabric switching-mode allow bus-mode command.


Caution: Entering the no fabric switching-mode allow bus-mode command removes power from any nonfabric-enabled modules installed in the switch.

The fabric switching-mode allow command affects switches configured with a minimum of two fabric-enabled modules.

You can enter the fabric switching-mode allow truncated command to unconditionally allow truncated mode.

You can enter the no fabric switching-mode allow truncated command to allow truncated mode if the threshold is met.

You can enter the no fabric switching-mode allow bus-mode command to prevent any module from running in bus-mode.

To return to the default truncated-mode threshold, enter the no fabric switching-mode allow truncated threshold command.

The valid value for mod is the threshold value.

Examples

This example shows how to specify truncated mode:

Router(config)# fabric switching-mode allow truncated
Router(config)#

Related Commands

show fabric

file verify auto

To verify the compressed Cisco IOS image checksum, use the file verify auto command. Use the no form of this command to turn off automatic verification after a copy operation.

file verify auto

no file verify auto

Syntax Description

This command has no arguments or keywords.

Defaults

Verification is done automatically after completion of a copy operation.

Command Modes

Global configuration

Command History

Release
Modification

12.1(19)E

Support for this command was introduced on the Catalyst 6500 series switches.


Usage Guidelines

Enter the copy /noverify command to override the default behavior for a single copy operation.

Examples

This example shows how to verify the compressed Cisco IOS image checksum:

Router(config)# file verify auto
Router(config)#

Related Commands

copy /noverify
verify

flowcontrol

To configure a port to send or receive pause frames, use the flowcontrol command.

flowcontrol {send | receive} {desired | off | on}

Syntax Description

send

Specifies that a port sends pause frames.

receive

Specifies that a port processes pause frames.

desired

Obtains predictable results regardless of whether a remote port is set to on, off, or desired.

off

Prevents a local port from receiving and processing pause frames from remote ports or from sending pause frames to remote ports.

on

Enables a local port to receive and process pause frames from remote ports or send pause frames to remote ports.


Defaults

Flow-control defaults depend upon port speed. The defaults are as follows:

Gigabit Ethernet ports default to off for receive and desired for send.

Fast Ethernet ports default to off for receive and on for send.

On the 24-port 100BASE-FX and 48-port 10/100 BASE-TX RJ-45 modules, the default is off for receive and off for send.

10-Gigabit Ethernet ports are permanently configured to respond to pause frames and the default for send is off.

Command Modes

Interface configuration

Command History

Release
Modification

12.1(8b)EX2

Support for this command was introduced on the Catalyst 6500 series switches.

12.1(13)E

Support for this command on the Catalyst 6500 series switches was extended to the 12.1 E release.


Usage Guidelines

The send and desired keywords are supported on Gigabit Ethernet ports only.

Pause frames are special packets that signal a source to stop sending frames for a specific period of time because the buffers are full.

Gigabit Ethernet ports on the Catalyst 6500 series switches use flow control to inhibit the transmission of packets to the port for a period of time; other Ethernet ports use flow control to respond to flow-control requests.

If a Gigabit Ethernet port receive buffer becomes full, the port transmits a "pause" packet that tells remote ports to delay sending more packets for a specified period of time. All Ethernet ports (1000 Mbps, 100 Mbps, and 10 Mbps) can receive and act upon "pause" packets from other devices.

You can configure non-Gigabit Ethernet ports to ignore received pause frames (disable) or to react to them (enable).

When used with receive, the on and desired keywords have the same result.

All Catalyst 6500 series switch Gigabit Ethernet ports can receive and process pause frames from remote devices.

To obtain predictable results, follow these guidelines:

Use send on only when remote ports are set to receive on or receive desired.

Use send off only when remote ports are set to receive off or receive desired.

Use receive on only when remote ports are set to send on or send desired.

Examples

These examples show how to configure the local port to not support any level of flow control by the remote port:

Router(config-if)# flowcontrol receive off
Router(config-if)#

Router(config-if)# flowcontrol send off
Router(config-if)#

Related Commands

show interfaces flowcontrol

format

To format a Class A or Class C Flash file system, use the format command.

Class A Flash file system:

format bootflash: [spare spare-number] filesystem1: [[filesystem2:][monlib-filename]]

Class C Flash file system:

format filesystem1:


Caution: Reserve a certain number of memory sectors as spares, so that if some sectors fail, most of the Flash PC card can still be used. Otherwise, you must reformat the Flash PC card when some of the sectors fail.

Syntax Description

spare spare-number

(Optional) Number of the spare sectors to reserve on formatted Flash memory; valid values are from 0 to 16.

filesystem1:

File system to format; valid values are disk0:, bootflash:, slot0:, and sup-bootflash:; see the "Usage Guidelines" section for additional information.

filesystem2:

(Optional) File system containing the monlib file to use for formatting filesystem1 followed by a colon.

monlib-filename

(Optional) Name of the ROM monitor library file (monlib file) to use for formatting the filesystem1 argument.

When used with HSA and you do not specify the monlib-filename argument, the system takes the ROM monitor library file from the slave image bundle. If you specify the monlib-filename argument, the system assumes that the files reside on the slave devices.


Defaults

The defaults are as follows:

monlib-filename is the one bundled with the system software.

spare-number is zero (0).

Command Modes

EXEC

Command History

Release
Modification

12.0(7)XE

Support for this command was introduced on the Catalyst 6500 series switches.

12.1(1)E

Support for this command on the Catalyst 6500 series switches was extended to the 12.1 E release.

12.1(8a)EX

This command was changed to support the disk0: keyword.


Usage Guidelines

Use this command to format Class A or C Flash memory file systems.

disk0: is a Class C file system.

bootflash:, slot0:, and sup-bootflash: are Class A file systems.

In some cases, you might need to insert a new Flash PC card and load images or back up configuration files onto it. Before you can use a new Flash PC card, you must format it.

Sectors in Flash PC cards can fail. Reserve certain Flash PC sectors as "spares" by using the optional spare argument on the format command to specify between 0 and 16 sectors as spares. If you reserve a small number of spare sectors for emergencies, you can still use most of the Flash PC card. If you specify 0 spare sectors and some sectors fail, you must reformat the Flash PC card, which erases all existing data.

The monlib file is the ROM monitor library. The ROM monitor uses this file to access files in the Flash file system. The Cisco IOS system software contains a monlib file.

In the command syntax, filesystem1: specifies the device to format, and filesystem2: specifies the optional device containing the monlib file, used to format filesystem1:. If you omit the optional filesystem2: and monlib-filename arguments, the system formats filesystem1:, using the monlib file already bundled with the system software. If you omit only the optional filesystem2: argument, the system formats filesystem1:, using the monlib file from the device that you specified with the cd command. If you omit only the optional monlib-filename argument, the system formats filesystem1: using filesystem2:'s monlib file. When you specify both arguments (filesystem2: and monlib-filename), the system formats filesystem1:, using the monlib file from the specified device. You can specify filesystem1:'s own monlib file in this argument. If the system cannot find a monlib file, it terminates its formatting.

The disk0: keyword is supported on systems configured with a Supervisor Engine 2 only.

Examples

This example shows how to format a Flash PC card inserted in slot 0:

Router# format slot0:
Running config file on this device, proceed? [confirm]y
All sectors will be erased, proceed? [confirm]y
Enter volume id (up to 31 characters): <Return>
Formatting sector 1 (erasing)
Format device slot0 completed

When the console returns to the EXEC prompt, the new Flash PC card is successfully formatted and ready for use.

Related Commands

cd
copy (refer to the Cisco IOS Release 12.1 Command Reference)
delete (refer to the Cisco IOS Release 12.1 Command Reference)
show file system (refer to the Cisco IOS Release 12.1 Command Reference)
undelete (refer to the Cisco IOS Release 12.1 Command Reference)

fsck

To check a Flash file system for damage and to repair any problems, use the fsck command.

fsck [/automatic | disk0: | slavedisk0:]

Syntax Description

/automatic

(Optional) Specifies automatic mode; see the "Usage Guidelines" section for additional information.

disk0:

(Optional) Specifies the file system to check.

slavedisk0:

(Optional) Specifies the file system on the redundant supervisor engine to check.


Defaults

The current file system is checked if disk0: is not specified.

Command Modes

EXEC

Command History

Release
Modification

12.1(11b)E

Support for this command was introduced on the Catalyst 6500 series switches.


Usage Guidelines

The disk0: or slavedisk0: file systems are the only file systems in the Catalyst 6500 series switches on which fsck can be run. The slavedisk0: option appears in redundant supervisor engine systems only.

This command is valid only on Class C Flash file systems and only on PCMCIA ATA Flash disks and CompactFlash disks.

The output for the fsck slavedisk0: command is similar to the fsck disk0: command output.

If you do not enter any arguments, the current file system is used. Use the pwd command to display the current file system.

If you enter the disk0: or slavedisk0: option, the fsck utility checks the selected file system for problems. If a problem is detected, a prompt is displayed asking if you want the problem fixed.

If you enter the /automatic keyword, you are prompted to confirm that you want the automatic mode. In automatic mode, problems are fixed automatically and you are not prompted to confirm.

Table 2-9 lists the checks and actions performed by the fsck utility.

Table 2-9 fsck Utility Checks and Actions 

Checks
Actions

Checks the boot sector and the partition table and reports the errors.

No action.

Validates the media with the signature in the last 2 bytes of the first sector (0x55 and 0xaa, respectively).

No action.

Checks the os_id to find whether this is a FAT-12 or FAT-16 file system (valid values include 0, 1, 4, and 6).

No action.

Checks the number of FATs field (correct values are 1 and 2).

No action.

Checks these values:

n_fat_sectors cannot be less than 1.

n_root_entries cannot be less than 16.

n_root_sectors cannot be less than 2.

base_fat_sector, n_sectors_per_cluster, n_heads, n_sectors_per_track is not 0.

No action.

Checks the files and FAT for these errors:

Checks the FAT for invalid cluster numbers.

If the cluster is a part of a file chain, the cluster is changed to end of file (EOF). If the cluster is not part of a file chain, it is added to the free list and unused cluster chain. Table 2-10 lists valid cluster numbers; numbers other than those listed in Table 2-10 are invalid numbers.

Checks the file's cluster chain for loops.

If the loop is broken, the file is truncated at the cluster where the looping occurred.

Checks the directories for nonzero size fields.

If directories are found with nonzero size fields, the size is reset to zero.

Checks for invalid start cluster file numbers.

If the start cluster number of a file is invalid, the file is deleted.

Checks files for bad or free clusters.

If the file contains bad or free clusters, the file is truncated at the last good cluster; for example, the cluster that points to this bad/free cluster.

Checks to see if the file's cluster chain is longer than indicated by the size fields.

If the file's cluster chain is longer than indicated by the size fields, the file size is recalculated and the directory entry is updated.

Checks to see if two or more files share the same cluster (crosslinked).

If two or more files are crosslinked, you are prompted to accept the repair, and one of the files is truncated.

Checks to see if the file's cluster chain is shorter than indicated by the size fields.

If the file's cluster chain is shorter than indicated by the size fields, the file size is recalculated and the directory entry is updated.

Checks to see if there are any unused cluster chains.

If unused cluster chains are found, new files are created and linked to that file with the name fsck-<start cluster>.


Table 2-10 Valid Cluster Numbers

Cluster                    FAT-12     FAT-16
Next entry in the chain    2-FEF      2-FFEF
Last entry in chain        FF8-FFF    FFF8-FFFF
Available cluster          0          0
Bad Cluster                FF7        FFF7


Examples

This example shows how to run a check of the current file system:

Router# fsck
 Checking the boot sector and partition table...
 Checking FAT, Files and Directories...
 Files
 1) disk0:/FILE3 and
 2) disk0:/FILE2
 have a common cluster.
 Press 1/2 to truncate or any other character to ignore[confirm] q
 Ignoring this error and continuing with the rest of the check...
 Files
 1) disk0:/FILE5 and
 2) disk0:/FILE4
 have a common cluster.
 Press 1/2 to truncate or any other character to ignore[confirm] 1
 File disk0:/FILE5 truncated.
 Files
 1) disk0:/FILE7 and
 2) disk0:/FILE6
 have a common cluster.
 Press 1/2 to truncate or any other character to ignore[confirm] 2
 File disk0:/FILE6 truncated.
 Size of File disk0:/FILE7 recalculated.
 File disk0:/FILE8 has a invalid cluster, truncate ?[confirm] y
.
.
.
1) disk0:/FILE15 and
 2) disk0:/FILE13
 have a common cluster.
 Press 1/2 to truncate or any other character to ignore[confirm] i
 Ignoring this error and continuing with the rest of the check...
 Reclaiming unused space...
 Created file disk0:/fsck-11 for an unused cluster chain
 Created file disk0:/fsck-20 for an unused cluster chain
 Created file disk0:/fsck-30 for an unused cluster chain
 Created file disk0:/fsck-35 for an unused cluster chain
 Created file disk0:/fsck-40 for an unused cluster chain
 Created file disk0:/fsck-46 for an unused cluster chain
 Created file disk0:/fsck-55 for an unused cluster chain
 Created file disk0:/fsck-62 for an unused cluster chain
 Created file disk0:/fsck-90 for an unused cluster chain
 Updating FAT...
 fsck of disk0: complete
Router# 

hold-queue

To limit the size of the IP output queue on an interface, use the hold-queue command. Use the no form of this command to restore the default settings for an interface.

hold-queue length {in | out}

no hold-queue {in | out}

Syntax Description

length

Specifies the maximum number of packets in the queue; valid values are from 0 to 65535.

in

Specifies the input queue.

out

Specifies the output queue.


Defaults

The defaults are as follows:

The default input hold-queue limit is 75 packets.

The default output hold-queue limit is 40 packets.

The default input hold-queue and output hold-queue limits for asynchronous interfaces are 10 packets.

Command Modes

Interface configuration

Command History

Release
Modification

12.0(7)XE

This command was introduced.

12.1(1)E

Support for this command on the Catalyst 6500 series switches was extended to the 12.1 E release. This command was changed to include the no hold-queue option.


Usage Guidelines

This command is not supported on the OSM.

The default limits prevent a malfunctioning interface from consuming an excessive amount of memory. There is no fixed upper limit to a queue size.

The default of 10 packets allows the Cisco IOS software to queue a number of back-to-back routing updates. This is the default for asynchronous interfaces only; other media types have different defaults.

Hold Queues and Priority Queueing

The hold queue stores packets that are received from the network and are waiting to be sent to the client. We recommend that the queue size does not exceed ten packets on asynchronous interfaces. For most other interfaces, the queue length should not exceed 100 packets.

The input hold queue prevents a single interface from flooding the network server with too many input packets. Further input packets are discarded if the interface has too many outstanding input packets in the system.

If you use priority output queueing, you can set the length of the four output queues using the priority-list global configuration command. However, you cannot use the hold-queue command to set an output hold-queue length in this situation.

For slow links, use a small output hold-queue limit. This approach prevents storing packets at a rate that exceeds the transmission capability of the link. For fast links, use a large output hold-queue limit. A fast link may be busy for a short time (and require the hold queue), but can empty the output hold queue quickly when capacity returns.

To display the current hold-queue setting and the number of packets that are discarded because of hold-queue overflows, use the show interfaces command in EXEC mode.


Caution Increasing the hold queue can cause negative effects to network routing and response times. If you use protocols that have seq/ack packets to determine round-trip times, do not increase the output queue. Instead, we recommend that you program the switch to drop packets and inform the hosts to slow down transmissions to match the available bandwidth. We do not recommend that you make duplicate copies of the same packet within the network (which can happen with large hold queues).

Examples

This example sets a small input queue on a slow serial line:

Router(config)# interface serial 0
Router(config-if)# hold-queue 30 in

Related Commands

priority-list (refer to the Cisco IOS Release 12.1 Command Reference)
show interfaces


hw-module reset

To reset a module by turning the power off and then on, use the hw-module reset command.

hw-module {module num} reset

Syntax Description

module num

Applies the command to a specific module; see the "Usage Guidelines" section for valid values.


Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(5c)EX

Support for this command was introduced on the Supervisor Engine 2.

12.1(8a)E

Support for this command on the Supervisor Engine 2 was extended to the 12.1 E release.


Usage Guidelines

The num argument designates the module number. Valid values depend on the chassis used. For example, if you have a 13-slot chassis, valid values for the module number are from 1 to 13.

Examples

This example shows how to reload a specific module:

Router # hw-module module 3 reset
Router # 

instance

To map a VLAN or a set of VLANs to an MST instance, use the instance command. Use the no form of this command to return the VLANs to the default instance (CIST).

instance instance-id {vlans vlan-range}

no instance instance-id

Syntax Description

instance-id

Instance to which the specified VLANs are mapped; valid values are from 0 to 15.

vlans vlan-range

Number of the VLANs to be mapped to the specified instance. The number is entered as a single value or a range; valid values are from 1 to 4094.


Defaults

No VLANs are mapped to any MST instance (all VLANs are mapped to the CIST instance).

Command Modes

MST configuration submode

Command History

Release
Modification

12.1(11b)EX

Support for this command was introduced on the Catalyst 6500 series switches.

12.1(13)E

Support for this command on the Catalyst 6500 series switches was extended to the 12.1 E release.


Usage Guidelines

The mapping is incremental, not absolute. When you enter a range of VLANs, this range is added to or removed from the existing ones.

Any unmapped VLAN is mapped to the CIST instance.

If your system is configured with a Supervisor Engine 1, valid values for vlan-id are from 1 to 1005. If your system is configured with a Supervisor Engine 2, valid values for vlan-id are from 1 to 4094. Extended-range VLANs are not supported on systems configured with a Supervisor Engine 1.

Examples

This example shows how to map a range of VLANs to instance 2:

Router(config-mst)# instance 2 vlans 1-100
Router(config-mst)# 

This example shows how to map a VLAN to instance 5:

Router(config-mst)# instance 5 vlans 1100
Router(config-mst)# 

This example shows how to move a range of VLANs from instance 2 to the CIST instance:

Router(config-mst)# no instance 2 vlans 40-60
Router(config-mst)# 

This example shows how to move all the VLANs mapped to instance 2 back to the CIST instance:

Router(config-mst)# no instance 2
Router(config-mst)# 

Related Commands

name
revision
show
show spanning-tree mst
spanning-tree mst configuration

interface

To select an interface to configure and enter interface configuration mode, use the interface command.

interface type number

Syntax Description

type

Type of interface to be configured; see Table 2-11 for valid values.

number

Module and port number.


Defaults

No interface types are configured.

Command Modes

Global configuration

Command History

Release
Modification

12.0(7)XE

Support for this command was introduced on the Catalyst 6500 series switches.

12.1(11b)E

This command was changed to include the ge-wan, atm, and pos keywords.


Usage Guidelines

Table 2-11 lists the valid values for type.

Table 2-11 Valid type Values

Keyword
Definition

ethernet

Ethernet IEEE 802.3 interface.

fastethernet

100-Mbps Ethernet interface.

gigabitethernet

Gigabit Ethernet IEEE 802.3z interface.

tengigabitethernet

10-Gigabit Ethernet IEEE 802.3ae interface.

ge-wan

Gigabit Ethernet WAN IEEE 802.3z interface.

pos

Packet OC-3 interface on the Packet over SONET Interface Processor.

atm

ATM interface.

vlan

VLAN interface; see the interface vlan command.

port-channel

Port channel interface; see the interface port-channel command.

null

Null interface; the valid value is 0.


Examples

This example shows how to enter the interface configuration mode on the Fast Ethernet interface for module 2, port 4:

Router(config)# interface fastethernet 2/4
Router(config-if)# 

Related Commands

show interfaces

interface port-channel

To access or create the IDB port channel, use the interface port-channel command.

interface port-channel channel-group

Syntax Description

channel-group

Port-channel group number; valid values are a maximum of 64 values ranging from 1 to 256.


Defaults

This command has no default settings.

Command Modes

Global configuration

Command History

Release
Modification

12.0(7)XE

Support for this command was introduced on the Catalyst 6500 series switches.

12.1(1)E

Support for this command on the Catalyst 6500 series switches was extended to the 12.1 E release.

12.1(3a)E3

The number of valid values for channel-group changed; see the "Usage Guidelines" section for valid values.

12.1(5c)EX

Two restrictions were added regarding DFC-equipped modules; see the "Usage Guidelines" section for additional information.


Usage Guidelines

The number of valid values for channel-group depends on the software release. For releases prior to Release 12.1(3a)E3, valid values are from 1 to 256; for Releases 12.1(3a)E3, 12.1(3a)E4, and 12.1(4)E1, valid values are from 1 to 64. Release 12.1(5c)EX and later support a maximum of 64 values ranging from 1 to 256.

This command is not supported on the IDSM and NAM.

Layer 2 port channels can be created dynamically or by entering the interface port-channel command. Layer 3 port channels can be created by entering the interface port-channel command only. Layer 3 port channels cannot be created dynamically.

Only one port channel in a channel group is allowed.

All ports in a port channel must be on the same DFC-equipped module. You cannot configure any of the ports to be on other modules.

On systems configured with nonfabric-enabled modules and fabric-enabled modules, you can bundle ports across all modules, but those bundles cannot include a DFC-equipped module port.


Caution The Layer 3 port-channel interface is the routed interface. Do not enable Layer 3 addresses on the physical Fast Ethernet interfaces.

When you use the interface port-channel command, consider the following guidelines:

If you configure ISL, you must assign the IP address to the SVI.

If you want to use CDP, you must configure it only on the physical Fast Ethernet interface and not on the port-channel interface.

If you do not assign a static MAC address on the port-channel interface, a MAC address is automatically assigned. If you assign a static MAC address and then later remove it, the MAC address is automatically assigned.

Examples

This example creates a port-channel interface with a channel-group number of 256:

Router(config)# interface port-channel 256
Creating a switch port Po256. channel-group 256 is L2
Router(config-if)#

Related Commands

channel-group
show etherchannel

interface range

To execute a command on multiple ports at the same time, use the interface range command.

interface range {port-range | {macro name}}

Syntax Description

port-range

Port range; for a list of valid values for port-range, see the "Usage Guidelines" section for additional information.

macro name

Macro name.


Defaults

This command has no default settings.

Command Modes

Global or interface configuration

Command History

Release
Modification

12.0(7)XE

Support for this command was introduced on the Catalyst 6500 series switches.

12.1(1)E

Support for this command on the Catalyst 6500 series switches was extended to the 12.1 E release.

12.1(11b)E

This command was changed to include the ge-wan and atm keywords.

12.1(11b)EX

The command was changed to support extended-range VLANs.

12.1(19)E

This command was changed to include the pos, tunnel, and loopback keywords.

12.1(26)E

This command was changed to allow you to enter the range with or without white spaces. For example, you can enter the range as gigabitethernet 7/1 -7 or gigabitethernet 7/1-7.


Usage Guidelines

You can use the interface range command on existing VLAN SVIs only. To display VLAN SVIs, enter the show running-config command. VLANs that are not displayed cannot be used in the interface range command.

The values entered with the interface range command are applied to all existing VLAN SVIs.

Before you can use a macro, you must define a range using the define interface-range command.

All configuration changes made to a port range are saved to NVRAM, but port ranges created with the interface range command do not get saved to NVRAM.

You can enter the port range in two ways:

Specifying up to five port ranges

Specifying a previously defined macro

You can either specify the ports or the name of a port-range macro. A port range must consist of the same port type, and the ports within a range cannot span slots.

You can define up to five port ranges on a single command with each range separated by a comma.

In releases prior to 12.1(26)E, when you define a range, you must enter a white space before the hyphen (-) as follows:

interface range gigabitethernet 7/1 -7, gigabitethernet9/5 -408

If your system is configured with a Supervisor Engine 1, valid values for vlan-id are from 1 to 1005. If your system is configured with a Supervisor Engine 2, valid values for vlan-id are from 1 to 4094. Extended-range VLANs are not supported on systems configured with a Supervisor Engine 1.

When entering the port-range, use this format: card-type {slot}/{first-port} - {last-port}.

Valid values for card-type are as follows:

ethernet

fastethernet

gigabitethernet

tengigabitethernet

loopback

tunnel

pos

You cannot specify both a macro and an interface range in the same command. After creating a macro, the CLI does not allow you to enter additional ranges. Likewise, if you have already entered an interface range, the CLI does not allow you to enter a macro.

You can also specify a single interface in port-range.
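The port-range rules above (up to five comma-separated ranges, the listed card-type values, no range spanning slots, and the white space before the hyphen in releases prior to 12.1(26)E) can be checked before a change is pushed to a switch. The following Python validator is an added example, not part of Cisco IOS; it handles only the card-type slot/first-port - last-port format given above, and its function names and error messages are assumptions.

```python
import re

# card-type values listed in the usage guidelines above
CARD_TYPES = ("ethernet", "fastethernet", "gigabitethernet",
              "tengigabitethernet", "loopback", "tunnel", "pos")
MAX_RANGES = 5

# card-type slot/first-port [- [slot/]last-port]; group 4 captures any white
# space before the hyphen so the pre-12.1(26)E rule can be enforced.
RANGE_RE = re.compile(
    r"([a-z-]+)\s*(\d+)/(\d+)(?:(\s*)-\s*(?:(\d+)/)?(\d+))?", re.IGNORECASE)


def parse_port_ranges(text, pre_12_1_26=False):
    """Parse the argument of 'interface range' into
    (card_type, slot, first_port, last_port) tuples; raise ValueError on a
    violation of the rules stated in the usage guidelines."""
    parts = [p.strip() for p in text.split(",")]
    if len(parts) > MAX_RANGES:
        raise ValueError("more than five port ranges in one command")
    ranges = []
    for part in parts:
        if part.lower().split()[:1] == ["macro"]:
            raise ValueError("a macro cannot be combined with port ranges")
        m = RANGE_RE.fullmatch(part)
        if m is None:
            raise ValueError(f"malformed port range: {part!r}")
        card, slot, first, gap, last_slot, last = m.groups()
        card = card.lower()
        if card not in CARD_TYPES:
            raise ValueError(f"unsupported card-type: {card!r}")
        if last_slot is not None and int(last_slot) != int(slot):
            raise ValueError(f"range spans slots: {part!r}")
        if pre_12_1_26 and last is not None and gap == "":
            raise ValueError(f"white space required before the hyphen: {part!r}")
        first_port = int(first)
        last_port = first_port if last is None else int(last)
        if last_port < first_port:
            raise ValueError(f"last port is lower than first port: {part!r}")
        ranges.append((card, int(slot), first_port, last_port))
    return ranges


def validation_error(text, pre_12_1_26=False):
    """Return the error message for an invalid port-range string, else None."""
    try:
        parse_port_ranges(text, pre_12_1_26)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed inputs; the first is the two-range form used on this page.
    for sample in ("fastethernet 5/18 -20, ethernet 3/1 -24",
                   "gigabitethernet 7/1-7",
                   "gigabitethernet 5/1 - 6/2"):
        print(sample, "->", validation_error(sample) or parse_port_ranges(sample))
```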

Examples

This example shows how to execute a command on two port ranges:

Router(config)# interface range fastethernet 5/18 -20, ethernet 3/1 -24
Router(config-if)#

This example shows how to execute a port-range macro:

Router(config)# interface range macro macro1
Router(config-if)#

Related Commands

define interface-range
show running-config

interface vlan

To create or access a dynamic SVI, use the interface vlan command. Use the no form of this command to delete an SVI.

interface vlan vlan-id

no interface vlan vlan-id

Syntax Description

vlan-id

Number of the VLAN; valid values are from 1 to 4094.


Defaults

Fast EtherChannel is not specified.

Command Modes

Global configuration

Command History

Release
Modification

12.0(7)XE

Support for this command was introduced on the Catalyst 6500 series switches.

12.1(1)E

Support for this command was extended to the 12.1 E release.

12.1(11b)EX

The command was changed to support extended-range VLANs.


Usage Guidelines

SVIs are created the first time you enter the interface vlan vlan-id command for a particular VLAN. The vlan-id value corresponds to the VLAN tag that is associated with data frames on an ISL or 802.1Q-encapsulated trunk or the VLAN ID configured for an access port. A message is displayed whenever a VLAN interface is newly created, so you can check that you entered the correct VLAN number.

If you delete an SVI by entering the no interface vlan vlan-id command, the associated IDB pair is forced into an administrative down state and marked as deleted. The deleted interface will no longer be visible in a show interface command.

You can reinstate a deleted SVI by entering the interface vlan vlan-id command for the deleted interface. The interface comes back up, but much of the previous configuration is gone.

If your system is configured with a Supervisor Engine 1, valid values for vlan-id are from 1 to 1005. If your system is configured with a Supervisor Engine 2, valid values for vlan-id are from 1 to 1005 and from 1015 to 4094. Extended-range VLANs are not supported on systems configured with a Supervisor Engine 1. VLANs 1006 to 1014 are internal VLANs on the Catalyst 6500 series switch and cannot be used for creating new VLANs.

Examples

This example shows the output when you enter the interface vlan vlan-id command for a new VLAN number:

Router (config)# interface vlan 23
% Creating new VLAN interface.
Router (config)#

Related Commands

show running-config

ip access-list hardware permit fragments

To permit all noninitial fragments in the hardware, use the ip access-list hardware permit fragments command. Use the no form of this command to return to the default settings.

ip access-list hardware permit fragments

no ip access-list hardware permit fragments

Syntax Description

This command has no keywords or arguments.

Defaults

All fragments from flows that are received from an ACE with Layer 4 ports and permit action are permitted. All other fragments are dropped in hardware. This action also applies to flows that are handled in software regardless of this command setting.

Command Modes

Global configuration

Command History

Release
Modification

12.1(13)E

Support for this command was introduced on the Catalyst 6500 series switches.


Usage Guidelines

Prior to Release 12.1(11b)E, the default was to permit all noninitial fragments in the hardware without requiring additional TCAM entries. In Release 12.1(11b)E and later releases, flow fragments that match ACEs with Layer 4 ports and permit results are permitted in the hardware; all other fragments are dropped. An entry is added in the TCAM for each ACE with Layer 4 ports and permit action. This action could cause large ACLs to not fit in the TCAM. If this is the case, use the ip access-list hardware permit fragments command to permit all noninitial fragments in hardware.


Note Configurations modified after you enter the ip access-list hardware permit fragments command will permit all noninitial fragments in hardware. Hardware behavior of configurations modified before entering the ip access-list hardware permit fragments command will not be changed.



Note Hardware handling of configurations modified after you enter the no ip access-list hardware permit fragments command will return to the default settings. Hardware handling of configurations modified before entering the no ip access-list hardware permit fragments command will not be changed.


The initial fragments of flows that match ACEs with Layer 4 ports and permit results will be permitted in hardware. All other initial fragments are dropped in hardware.

Examples

This example shows how to permit all noninitial fragments in hardware:

Router(config)# ip access-list hardware permit fragments
Router(config)#

This example shows how to return to the default settings:

Router(config)# no ip access-list hardware permit fragments
Router(config)#

Related Commands

show ip interface (refer to the Cisco IOS Release 12.1 Command Reference)

ip auth-proxy max-login-attempts

To limit the number of login attempts at a firewall interface, use the ip auth-proxy max-login-attempts command. Use the no form of this command to return to the default settings.

ip auth-proxy max-login-attempts 1-maxint

no ip auth-proxy max-login-attempts

Syntax Description

1-maxint

Specifies the maximum number of login attempts; valid values are from 1 to 2147483647 attempts.


Defaults

1-maxint is 5.

Command Modes

Interface configuration

Command History

Release
Modification

12.1(13)E

Support for this command was introduced on the Catalyst 6500 series switches.


Usage Guidelines

This command is supported on firewall interfaces only.

The maximum login attempt functionality is independent of the watch-list feature. If you do not configure the watch-list feature (using the ip access-list hardware permit fragments command) and you configure the maximum login attempt functionality, the existing authentication proxy behavior occurs but with the new number for retries. If you configure the watch-list feature, once the configured number of attempts has been reached, the IP address is put in the watch list.

Examples

This example shows how to set a limit to the number of login attempts at a firewall interface:

Router(config-if)# ip auth-proxy max-login-attempts 4
Router(config-if)#

Related Commands

clear ip auth-proxy watch-list
ip auth-proxy watch-list
show ip auth-proxy watch-list

ip auth-proxy watch-list

To enable and configure the authentication proxy watch list functionality, use the ip auth-proxy watch-list command. See the "Usage Guidelines" section for the no form of this command.

ip auth-proxy watch-list {{add-item ip-addr} | enable | {expiry-time minutes}}

no ip auth-proxy watch-list [{add-item ip-addr} | expiry-time]

Syntax Description

add-item ip-addr

Adds an IP address to the watch list.

enable

Enables the watch list feature.

expiry-time minutes

Specifies the duration of time an entry is in the watch list; see the "Usage Guidelines" section for valid values.


Defaults

The defaults are as follows:

minutes is 30 minutes.

The watch-list functionality is disabled.

Command Modes

Interface configuration

Command History

Release
Modification

12.1(13)E

Support for this command was introduced on the Catalyst 6500 series switches.


Usage Guidelines

The valid values for minutes are from 0 to the largest 32-bit positive number (0x7FFFFFFF or 2147483647 in decimal). Setting the minutes to 0 (zero) places the entries in the list permanently.

This command is supported on firewall interfaces only.

Use the no form of this command to do the following:

no ip auth-proxy watch-list—Disables the watch-list functionality.

no ip auth-proxy watch-list add-item ip-addr—Removes the IP address from the watch list.

no ip auth-proxy watch-list expiry-time—Returns to the default settings.

A watch list consists of IP addresses that have opened TCP connections to port 80 and have not sent any data. No new connections are accepted from this type of IP address (to port 80) and the packet is dropped.

The watch-list entry remains in the watch list for the time specified by expiry-time minutes.

When you disable the watch-list functionality, no entries are put into the watch list, but the sessions are put in SERVICE_DENIED state. The sessions are deleted after 2 minutes by the timer.

Examples

This example shows how to enable the authentication proxy watch list functionality:

Router(config-if)# ip auth-proxy watch-list enable
Router(config-if)#

This example shows how to disable the authentication proxy watch list functionality:

Router(config-if)# no ip auth-proxy watch-list
Router(config-if)#

This example shows how to add an IP address to the watch list:

Router(config-if)# ip auth-proxy watch-list add-item 12.0.0.2
Router(config-if)#

This example shows how to set the duration of time an entry is in the watch list:

Router(config-if)# ip auth-proxy watch-list expiry-time 29
Router(config-if)#

Related Commands

clear ip auth-proxy watch-list
ip auth-proxy max-login-attempts
show ip auth-proxy watch-list
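Several settings described in the hold-queue, ip access-list hardware permit fragments, and ip auth-proxy sections above are worth checking during a configuration review. The following Python sketch is an added example, not Cisco tooling; it audits a constructed running-config excerpt against statements made on this page, and the function names, finding labels and sample configuration are assumptions.

```python
import re

# Limits taken from the hold-queue usage guidelines on this page.
HOLD_QUEUE_ASYNC_MAX = 10
HOLD_QUEUE_OTHER_MAX = 100

# Constructed running-config excerpt (not captured from a real switch).
SAMPLE_CONFIG = """\
!
ip access-list hardware permit fragments
!
interface FastEthernet2/4
 hold-queue 4096 out
!
interface Async1
 hold-queue 30 in
!
interface Vlan23
 ip auth-proxy max-login-attempts 4
!
interface Vlan24
 ip auth-proxy max-login-attempts 3
 ip auth-proxy watch-list enable
 ip auth-proxy watch-list expiry-time 0
!
"""


def parse_config(text):
    """Split a running-config into global lines and per-interface line lists."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            current = None                      # separator ends the block
        elif line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line[0].isspace() and current is not None:
            current.append(line.strip())        # command inside the block
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit(text):
    """Return (scope, label, detail) findings for settings this page flags."""
    findings = []
    global_lines, interfaces = parse_config(text)
    if "ip access-list hardware permit fragments" in global_lines:
        findings.append(("global", "permit-fragments",
                         "all noninitial fragments are permitted in hardware"))
    for name, lines in interfaces.items():
        is_async = name.lower().startswith("async")
        limit = HOLD_QUEUE_ASYNC_MAX if is_async else HOLD_QUEUE_OTHER_MAX
        watch_enabled = "ip auth-proxy watch-list enable" in lines
        for line in lines:
            m = re.fullmatch(r"hold-queue (\d+) (in|out)", line)
            if m and int(m.group(1)) > limit:
                findings.append((name, "hold-queue",
                                 f"{m.group(2)} queue of {m.group(1)} packets "
                                 f"exceeds the recommended {limit}"))
            if (re.fullmatch(r"ip auth-proxy max-login-attempts \d+", line)
                    and not watch_enabled):
                findings.append((name, "no-watch-list",
                                 "login attempts are limited but the watch list "
                                 "is not enabled on this interface"))
            if line == "ip auth-proxy watch-list expiry-time 0":
                findings.append((name, "permanent-entries",
                                 "watch-list entries never expire"))
    return findings


if __name__ == "__main__":
    for scope, label, detail in audit(SAMPLE_CONFIG):
        print(f"{scope}: {label}: {detail}")
```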

ip cef table consistency-check

To enable CEF table consistency checker types and parameters, use the ip cef table consistency-check command. Use the no form of this command to disable consistency checkers.

ip cef table consistency-check [type {lc-detect | scan-lc | scan-rib | scan-rp}] [count count-number] [period seconds]

ip cef table consistency-check [settle-time seconds]

no ip cef table consistency-check [type {lc-detect | scan-lc | scan-rib | scan-rp}] [count count-number] [period seconds]

no ip cef table consistency-check [settle-time seconds]

Syntax Description

type

(Optional) Specifies the type of consistency check to configure.

lc-detect

(Optional) Specifies that the module detects a missing prefix.

scan-lc

(Optional) Specifies a passive scan check of tables on the module.

scan-rib

(Optional) Specifies a passive scan check of tables on the RP against RIB.

scan-rp

(Optional) Specifies a passive scan check of tables on the RP.

count count-number

(Optional) Specifies the maximum number of prefixes to check per scan; valid values are from 1 to 225.

period seconds

(Optional) Specifies the period between scans; valid values are from 30 to 3600 seconds.

settle-time seconds

(Optional) Specifies the time elapsed during which updates for a candidate prefix are ignored as inconsistencies; valid values are from 1 to 3600 seconds.


Defaults

Disabled

Command Modes

Global configuration

Command History

Release
Modification

12.1(8a)EX

Support for this command was introduced on the Catalyst 6500 series switches.


Usage Guidelines

This command configures CEF consistency checkers and parameters for the detection mechanism types listed in Table 2-12.

Table 2-12 Detection Mechanism Types

Detection Mechanism
Operates On
Description

Lc-detect

Module

Operates on the module by retrieving IP prefixes found missing from its FIB table. If IP prefixes are missing, the module cannot forward packets for these addresses. Lc-detect sends IP prefixes to the RP for confirmation. If the RP detects that it has the relevant entry, an inconsistency is detected and an error message is displayed. Also, the RP sends a signal back to the module confirming that the IP prefix is an inconsistency.

Scan-lc

Module

Operates on the module by looking through the FIB table for a configurable time period and sending the next n prefixes to the RP. The RP does an exact lookup. If it finds the prefix missing, the RP reports an inconsistency. Finally, the RP sends a signal back to the module for confirmation.

Scan-rp

Route Processor

Operates on the RP (opposite of the scan-lc) by looking through the FIB table for a configurable time period and sending the next n prefixes to the module. The module does an exact lookup. If it finds the prefix missing, the module reports an inconsistency and finally signals the RP for confirmation.

Scan-rib

Route Processor

Operates on all RPs (even nondistributed), and scans the RIB to ensure that prefix entries are present in the RP FIB table.


Examples

This example shows how to enable the CEF consistency checkers:

Router (config)# ip cef table consistency-check
Router (config)# 

Related Commands

clear ip cef inconsistency
debug ip cef (refer to the Cisco IOS Release 12.1 Command Reference)
show ip cef inconsistency

ip flow-aggregation cache

To create a flow aggregation cache and enter the aggregation cache configuration mode, use the ip flow-aggregation cache command. Use the no form of the command to negate a command or return to its default settings.

ip flow-aggregation cache {as | destination-prefix | prefix | protocol-port | source-prefix}

no ip flow-aggregation cache {as | destination-prefix | prefix | protocol-port | source-prefix}

Syntax Description

as

Configures the autonomous-system aggregation-cache scheme.

destination-prefix

Configures the destination prefix aggregation-cache scheme.

prefix

Configures the prefix aggregation-cache scheme.

protocol-port

Configures the protocol-port aggregation-cache scheme.

source-prefix

Configures the source-prefix aggregation-cache scheme.


Defaults

The defaults are as follows:

entries num is 4096 entries.

active time is 30 minutes.

inactive time is 15 seconds.

Command Modes

Global configuration

Command History

Release
Modification

12.1(8a)EX

Support for this command was introduced on the Catalyst 6500 series switches.


Usage Guidelines

In source-prefix aggregation mode, only the source mask is configurable. In destination-prefix aggregation mode, only the destination mask is configurable.

Once you enter the flow aggregation cache configuration mode, these commands are available:

cache {entries num} | {timeout {active time} | {inactive time}}

default {cache {entries | timeout}} | enabled | {export destination}

enabled

export destination ip-addr udp-port-num

The syntax descriptions are as follows:

cache

Configures the NetFlow cache parameters.

entries num

Specifies the number of entries in the flow cache; valid values are from 1024 to 524288 flow entries.

timeout

Specifies the flow cache timeout parameters.

active time

Specifies the active flow timeout; valid values are from 1 to 60 minutes.

inactive time

Specifies the inactive flow timeout; valid values are from 10 to 600 seconds.

default

Sets a command to its default.

enabled

Enables the aggregation cache feature.

export destination

Specifies the host or port to send flow statistics.

ip-addr

Destination IP address or host name.

udp-port-num

UDP port number; valid values are from 1 to 65535.


Examples

This example shows how to enable an autonomous system aggregation scheme:

Router(config)# ip flow-aggregation cache as 
Router(config-flow-cache)# enable 
Router(config-flow-cache)# 

Related Commands

show ip cache flow

ip flow-cache entries

To change the number of entries that are maintained in the NetFlow cache, use the ip flow-cache entries command. Use the no form of this command to return to the default number of entries.

ip flow-cache entries number

no ip flow-cache entries

Syntax Description

number

Number of entries to maintain in the NetFlow cache; valid values are from 1024 to 524288 entries.


Defaults

65536 entries

Command Modes

Global configuration

Command History

Release
Modification

12.0(7)XE

Support for this command was introduced on the Catalyst 6500 series switches.

12.1(1)E

Support for this command on the Catalyst 6500 series switches was extended to the 12.1 E release.


Usage Guidelines

Typically, the default size of the NetFlow cache will meet your needs. However, you can increase or decrease the number of entries maintained in the cache to meet the needs of your flow traffic rates. For environments with a high amount of flow traffic (such as an Internet core router), we recommend that you maintain a larger value such as 131072. To obtain information on your flow traffic, use the show ip cache flow command.

Each cache entry is approximately 64 bytes of storage. Assuming a cache with the default number of entries, approximately 4 MB of DRAM would be required. Each time a new flow is taken from the free-flow queue, the number of free flows is checked. If there are only a few free flows remaining, NetFlow attempts to age 30 flows using an accelerated timeout. If there is only one free flow remaining, NetFlow automatically ages 30 flows regardless of their age. The intent is to ensure free-flow entries are always available.


Caution We recommend that you do not change the NetFlow cache entries. Improper use of this feature could cause network problems. To return to the default NetFlow cache entries, use the no ip flow-cache entries global configuration command.

Examples

This example shows how to increase the number of entries in the NetFlow cache to 131072:

Router(config)# ip flow-cache entries 131072
Router(config)# exit

Related Commands

show ip cache flow

ip flow-export destination

To enable information exporting in NetFlow cache entries to a specific destination, use the ip flow-export destination command. Use the no form of this command to disable information exporting.

ip flow-export destination {hostname | ip-address} udp-port

no ip flow-export destination

Syntax Description

hostname

IP host name of the workstation to which you want to export the NetFlow information.

ip-address

IP address of the workstation to which you want to export the NetFlow information.

udp-port

UDP protocol-specific port number.


Defaults

Disabled

Command Modes

Global configuration

Command History

Release
Modification

12.0(7)XE

Support for this command was introduced on the Catalyst 6500 series switches.

12.1(1)E

Support for this command on the Catalyst 6500 series switches was extended to the 12.1 E release.


Usage Guidelines

A NetFlow cache entry contains a lot of information. When flow switching is enabled with the ip route-cache flow command, you can use the ip flow-export destination command to configure the router to export the flow cache entry to a workstation when a flow expires. This feature can be useful for statistics, billing, and security, for example.

When entering the ip-address value, follow these guidelines:

You cannot enter the IP address of the interface you are currently on; you must use an address from the subnet of any interface not being used.

You cannot use an address from a loopback interface; loopback interfaces do not have internal VLAN IDs or MAC addresses.

To specify the source IP address of the data, use the ip flow-export source command. To specify the version used on the workstation that receives the NetFlow data, use the ip flow-export version command.

For more information on NDE, refer to the "Configuring NDE" chapter in the Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide.

Examples

This example shows how to export the NetFlow cache entry to UDP port 125 on the workstation at 134.22.23.7 when the flow expires using version 1 format:

Router# configure terminal
Router(config)# ip flow-export destination 134.22.23.7 125
Router(config)# exit

Related Commands

ip flow-export source
ip flow-export version
ip route-cache flow

ip flow-export source

To specify the source interface IP address that is used in the NDE datagram, use the ip flow-export source command. Use the no form of this command to remove the source address.

ip flow-export source [{interface interface-number} | {null interface-number} | {port-channel number} | {vlan vlan-id}]

no ip flow-export source [{interface interface-number} | {null interface-number} | {port-channel number} | {vlan vlan-id}]

Syntax Description

interface

(Optional) Interface type; possible valid values are ethernet, fastethernet, gigabitethernet, tengigabitethernet, pos, ge-wan, and atm.

interface-number

(Optional) Specifies the module and port number; see the "Usage Guidelines" section for valid values.

null interface-number

(Optional) Specifies the null interface; the valid value is 0.

port-channel number

(Optional) Specifies the channel interface; valid values are a maximum of 64 values ranging from 1 to 256.

vlan vlan-id

(Optional) Specifies the VLAN; valid values are from 1 to 4094.


Defaults

No source interface is specified.

Command Modes

Global configuration

Command History

Release
Modification

12.0(7)XE

Support for this command was introduced on the Catalyst 6500 series switches.

12.1(1)E

Support for this command on the Catalyst 6500 series switches was extended to the 12.1 E release.

12.1(3a)E3

The number of valid values for port-channel number changed; see the "Usage Guidelines" section for valid values.

12.1(11b)E

This command was changed to include the ge-wan, atm, and pos keywords.

12.1(11b)EX

This command was changed to support extended-range VLANs.


Usage Guidelines

The number of valid values for port-channel number depends on the software release. For releases prior to Release 12.1(3a)E3, valid values are from 1 to 256; for Releases 12.1(3a)E3, 12.1(3a)E4, and 12.1(4)E1, valid values are from 1 to 64. Release 12.1(5c)EX and later support a maximum of 64 values ranging from 1 to 256. Release 12.1(13)E and later support a maximum of 64 values ranging from 1 to 282; values 257 to 282 are supported on the CSM and FWSM only.

If your system is configured with a Supervisor Engine 1, valid values for vlan-id are from 1 to 1005. If your system is configured with a Supervisor Engine 2, valid values for vlan-id are from 1 to 4094. Extended-range VLANs are not supported on systems configured with a Supervisor Engine 1.

The interface-number argument designates the module and port number. Valid values for interface-number depend on the specified interface type and the chassis and module used. For example, if you specify a Gigabit Ethernet interface and have a 48-port 10/100BASE-T Ethernet module installed in a 13-slot chassis, valid values for the module number are from 2 to 13 and valid values for the port number are from 1 to 48.

After you configure NDE, you can also specify the source interface used in the UDP datagram containing the export data. The NetFlow Collector on the workstation uses the IP address of the source interface to determine which router sent the information. The NetFlow Collector also performs SNMP queries to the router using the IP address of the source interface. Because the IP address of the source interface can change (for example, the interface might flap so a different interface is used to send the data), we recommend that you configure a loopback source interface. A loopback interface is always up and can respond to SNMP queries from the NetFlow Collector on the workstation.

For more information on NDE, refer to the "Configuring NDE" chapter in the Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide.

Examples

This example shows the configuration for a loopback source interface. The loopback interface has the IP address 4.0.0.1 and is used by the serial interface in slot 5, port 0.

Router# configure terminal
Router(config)# interface loopback0
Router(config-if)# ip address 4.0.0.1 255.0.0.0
Router(config-if)# exit
Router(config)# interface serial 5/0:0
Router(config-if)# ip unnumbered loopback0
Router(config-if)# no ip mroute-cache
Router(config-if)# encapsulation ppp
Router(config-if)# ip route-cache flow
Router(config-if)# exit
Router(config)# ip flow-export source loopback0
Router(config)# exit

Related Commands

ip flow-export destination
ip flow-export version
ip route-cache flow

ip flow-export version

To specify the version format that is used by the NDE packets, use the ip flow-export version command. Use the no form of this command to disable information exporting.

ip flow-export version {1 | {5 [origin-as | peer-as]} | {6 [origin-as | peer-as]}}

no ip flow-export version

Syntax Description

1

Specifies that the export packet uses the version 1 format; see the "Usage Guidelines" section for additional information.

5

Specifies that the export packet uses the version 5 format; see the "Usage Guidelines" section for additional information.

origin-as

(Optional) Specifies that export statistics include the origin autonomous system for the source and destination.

peer-as

(Optional) Specifies that export statistics include the peer autonomous system for the source and destination.

6

Specifies that the export packet uses the version 6 format; see the "Usage Guidelines" section for additional information.


Defaults

Version 1

Command Modes

Global configuration

Command History

Release
Modification

12.0(7)XE

Support for this command was introduced on the Catalyst 6500 series switches.

12.1(1)E

Support for this command on the Catalyst 6500 series switches was extended to the 12.1 E release.


Usage Guidelines

NDE makes traffic statistics available for analysis by an external data collector. You can use NDE to monitor all Layer 3 switched and all routed IP unicast traffic. In the Catalyst 6500 series switch, both the PFC and the MSFC maintain NetFlow caches that capture flow-based traffic statistics. The cache on the PFC captures statistics for Layer 3-switched flows. The cache on the MSFC captures statistics for routed flows.


Note: NDE uses NDE version 7 to export the statistics captured on the PFC for Layer 3-switched traffic. NDE can use NDE version 1, 5, or 6 to export the statistics captured on the MSFC for routed traffic.


For more information on NDE, refer to the "Configuring NDE" chapter in the Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide.

Examples

This example shows how to export the data using the version 5 format and include the peer autonomous system information:

Router# configure terminal
Router(config)# interface loopback0
Router(config-if)# ip address 4.0.0.1 255.0.0.0
Router(config-if)# exit
Router(config)# interface serial 5/0:0
Router(config-if)# ip unnumbered loopback0
Router(config-if)# no ip mroute-cache
Router(config-if)# encapsulation ppp
Router(config-if)# ip route-cache flow
Router(config-if)# exit
Router(config)# ip flow-export version 5 peer-as
Router(config)# exit
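
What the workstation receiving this export has to handle, as an added example (not Cisco code): a Python parser for the version 5 datagram that checks the sender against the address set with ip flow-export source and uses the header's flow sequence number to detect lost datagrams. The 4.0.0.1 exporter address is taken from the example above; the flow records, AS numbers, function names and dictionary keys are constructed for illustration.

```python
import ipaddress
import struct

# NetFlow version 5 export layout: 24-byte header, then 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MAX_RECORDS = 30  # most records one version 5 datagram can carry


class ExportError(ValueError):
    """Datagram rejected before any of its records are used."""


def parse_v5(datagram, sender_ip, allowed_exporters):
    """Validate one version 5 datagram and return (header, flows)."""
    if sender_ip not in allowed_exporters:
        raise ExportError(f"unexpected exporter {sender_ip}")
    if len(datagram) < V5_HEADER.size:
        raise ExportError("shorter than a version 5 header")
    version, count, _uptime, secs, _nsecs, seq, _etype, _eid, _samp = \
        V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ExportError(f"export version {version}, expected 5")
    if not 1 <= count <= MAX_RECORDS:
        raise ExportError(f"record count {count} out of range")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ExportError("length does not match the record count")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(r[0])),
            "dst": str(ipaddress.IPv4Address(r[1])),
            "packets": r[5], "octets": r[6],
            "src_port": r[9], "dst_port": r[10],
            "tcp_flags": r[12], "protocol": r[13],
            # Origin or peer AS, depending on the keyword given to
            # ip flow-export version 5.
            "src_as": r[15], "dst_as": r[16],
        })
    return {"sequence": seq, "count": count, "unix_secs": secs}, flows


class SequenceTracker:
    """Per-exporter check of the header sequence number (flows exported so far)."""

    def __init__(self):
        self.expected = {}

    def missed(self, exporter, header):
        """Return how many flows were lost before this datagram arrived."""
        expected = self.expected.get(exporter)
        self.expected[exporter] = (header["sequence"] + header["count"]) & 0xFFFFFFFF
        if expected is None:          # first datagram from this exporter
            return 0
        return (header["sequence"] - expected) & 0xFFFFFFFF


def build_sample(seq, records):
    """Build a constructed datagram for the demo (not captured traffic)."""
    header = V5_HEADER.pack(5, len(records), 360000, 1000000000, 0, seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed, bytes(4),
                       1, 2, pkts, octets, 1000, 2000, sport, dport,
                       0, flags, proto, 0, src_as, dst_as, 24, 24, 0)
        for src, dst, sport, dport, proto, flags, pkts, octets, src_as, dst_as
        in records)
    return header + body


EXPORTER = "4.0.0.1"   # loopback0 address from the example above
SAMPLE_FLOWS = [       # constructed records using documentation address ranges
    ("192.0.2.10", "198.51.100.7", 51514, 443, 6, 0x1B, 12, 3400, 64500, 64501),
    ("192.0.2.11", "198.51.100.7", 40000, 53, 17, 0, 1, 76, 64500, 64501),
]

if __name__ == "__main__":
    tracker = SequenceTracker()
    for seq in (100, 107):   # the second datagram skips 5 flows
        header, flows = parse_v5(build_sample(seq, SAMPLE_FLOWS), EXPORTER, {EXPORTER})
        print(header, "missed:", tracker.missed(EXPORTER, header), flows[0])
```

In a live collector, sender_ip is the address returned by recvfrom(). The export is unauthenticated UDP, so the sender check identifies the exporter without proving it; limit which hosts can reach the collector port.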

Related Commands

ip flow-export destination
ip flow-export source
ip route-cache flow

ip igmp snooping

To enable IGMP snooping, use the ip igmp snooping command. Use the no form of this command to disable IGMP snooping.

ip igmp snooping

no ip igmp snooping

Syntax Description

This command has no arguments or keywords.

Defaults

The defaults are as follows:

IGMP snooping is enabled on the Catalyst 6500 series switch.

IGMP snooping is not configured on multicast routers.

Command Modes

Interface configuration

Command History

Release
Modification

12.0(7)XE

Support for this command was introduced on the Catalyst 6500 series switches.

12.1(1)E

Support for this command on the Catalyst 6500 series switches was extended to the 12.1 E release.


Usage Guidelines

Before you can enable IGMP snooping on the Catalyst 6500 series switches, you must configure the VLAN interface for multicast routing.

This command is entered in VLAN interface configuration mode only.

Examples

This example shows how to enable IGMP snooping:

Router(config-if)# ip igmp snooping
Router(config-if)#

This example shows how to disable IGMP snooping:

Router(config-if)# no ip igmp snooping
Router(config-if)#

Related Commands

ip igmp snooping fast-leave
ip igmp snooping mrouter
ip igmp snooping static


ip igmp snooping fast-leave

To enable IGMPv3 snooping fast-leave processing, use the ip igmp snooping fast-leave command. Use the no form of this command to disable fast-leave processing.

ip igmp snooping fast-leave

no ip igmp snooping fast-leave

Syntax Description

This command has no arguments or keywords.

Defaults

The defaults are as follows:

IGMP version 2—Disabled

IGMP version 3—Enabled

Command Modes

Interface configuration

Command History

Release
Modification

12.0(7)XE

Support for this command was introduced on the Catalyst 6500 series switches.

12.1(1)E

Support for this command on the Catalyst 6500 series switches was extended to the 12.1 E release.


Usage Guidelines

This command is entered in VLAN interface configuration mode only.

You should use the fast-leave feature only when there is a single receiver for the MAC group for a specific VLAN.

The fast-leave feature is supported only with IGMP version 2 hosts.

Examples

This example shows how to enable IGMP fast-leave processing:

Router(config-if)# ip igmp snooping fast-leave
Router(config-if)#

This example shows how to disable IGMP fast-leave processing:

Router(config-if)# no ip igmp snooping fast-leave
Router(config-if)#

Related Commands

ip igmp snooping
ip igmp snooping mrouter
ip igmp snooping static
show ip igmp interface (refer to the Cisco IOS Release 12.1 Command Reference)
show mac-address-table

ip igmp snooping l2-entry-limit

To configure the maximum number of Layer 2 entries that can be created by the switch, use the ip igmp snooping l2-entry-limit command.

ip igmp snooping l2-entry-limit max-entries

Syntax Description

max-entries

Maximum number of Layer 2 entries that can be created by the switch; valid values are from 1 to 100000.


Defaults

15488 Layer 2 entries

Command Modes

Interface configuration

Command History

Release
Modification

12.1(12c)E1

Support for this command was introduced on the Catalyst 6500 series switches.


Usage Guidelines

When entering max-entries, do not enter a comma (,).

This command is entered in VLAN interface configuration mode only.

Examples

This example shows how to configure the maximum number of Layer 2 entries that can be created by the Catalyst 6500 series switch:

Router(config-if)# ip igmp snooping l2-entry-limit 25000
Router(config-if)# 

Related Commands

show ip igmp interface (refer to the Cisco IOS Release 12.1 Command Reference)


ip igmp snooping last-member-query-interval

To configure the last member query interval for IGMP snooping, use the ip igmp snooping last-member-query-interval command. Use the no form of this command to return to the default settings.

ip igmp snooping last-member-query-interval interval

no ip igmp snooping last-member-query-interval

Syntax Description

interval

Interval for the last member query; valid values are from 100 to 900 milliseconds, in multiples of 100 milliseconds.


Defaults

1000 milliseconds (1 second); see the "Usage Guidelines" section for additional information.

Command Modes

Interface configuration

Command History

Release
Modification

12.1(8a)EX

Support for this command was introduced on the Catalyst 6500 series switches.


Usage Guidelines

When a multicast host leaves a group, the host sends an IGMP leave. To check if this host is the last to leave the group, an IGMP query is sent out when the leave is seen and a timer is started. If no reports are received before the timer expires, the group record is deleted.

If you enter an interval that is not a multiple of 100, the interval is rounded to the next lowest multiple of 100. For example, if you enter 999, the interval is rounded down to 900 milliseconds.

If IGMP fast-leave processing is enabled and you enter the no ip igmp snooping last-member-query-interval command, the interval is set to 0 seconds; fast-leave always assumes higher priority.

Even though the valid interval range is 100 to 1000 milliseconds, you cannot enter a value of 1000. If you want this value, you must enter the no ip igmp snooping last-member-query-interval command and return to the default value (1000 milliseconds).

Examples

This example shows how to configure the last-member-query-interval to 200 milliseconds:

Router(config-if)# ip igmp snooping last-member-query-interval 200
Router(config-if)#
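
The leave handling described in the Usage Guidelines, as an added Python model (not Cisco code): it applies the interval rules above and replays a constructed timeline to show why fast-leave is recommended only when a single receiver sits behind the port. The event tuples, host names and the 150 ms response time are assumptions made for the illustration.

```python
DEFAULT_INTERVAL_MS = 1000  # default given in this section


def effective_interval(entered_ms=None, fast_leave=False):
    """Interval the switch applies, following the rules in the Usage Guidelines."""
    if entered_ms is None:                 # "no" form of the command
        return 0 if fast_leave else DEFAULT_INTERVAL_MS
    if not 100 <= entered_ms <= 999:       # 1000 itself cannot be entered
        raise ValueError("enter 100-999 ms, or use the no form for 1000 ms")
    return entered_ms // 100 * 100         # rounded down to a multiple of 100


def group_removed_at(events, interval_ms, fast_leave=False):
    """Replay (time_ms, kind, host) events seen on one port for one group.

    kind is "report" (membership report) or "leave". Returns the time at which
    the switch deletes the group record for the port, or None if it is kept.
    """
    member, deadline = False, None
    for t, kind, _host in sorted(events):
        if deadline is not None and t >= deadline:
            return deadline                # timer expired with no report
        if kind == "report":
            member, deadline = True, None  # a report before expiry keeps the record
        elif kind == "leave" and member:
            if fast_leave:
                return t                   # no query, no timer: removed at once
            deadline = t + interval_ms     # query sent, timer started
    return deadline


# Constructed timeline: hosts A and B sit behind the same switch port.
TWO_RECEIVERS = [
    (0, "report", "A"),
    (10, "report", "B"),
    (5000, "leave", "A"),
    (5150, "report", "B"),   # B answers the query 150 ms after A's leave
]
ONE_RECEIVER = [(0, "report", "A"), (5000, "leave", "A")]

if __name__ == "__main__":
    print("entered 999 ->", effective_interval(999), "ms")
    print("200 ms timer, two receivers:", group_removed_at(TWO_RECEIVERS, 200))
    print("fast-leave, two receivers:",
          group_removed_at(TWO_RECEIVERS, 200, fast_leave=True))
    print("100 ms timer, two receivers:", group_removed_at(TWO_RECEIVERS, 100))
```

With fast-leave, or with a timer shorter than B's response time, the record is deleted while B still wants the group.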

Related Commands

ip igmp snooping fast-leave
show ip igmp interface (refer to the Cisco IOS Release 12.1 Command Reference)

ip igmp snooping mrouter

To configure a Layer 2 port as a multicast router port, use the ip igmp snooping mrouter command. Use the no form of this command to remove the configuration.

ip igmp snooping mrouter {interface {interface interface-number} | {port-channel number}} | {learn {cgmp | pim-dvmrp}}

no ip igmp snooping mrouter {interface {interface interface-number} | {port-channel number}} | {learn {cgmp | pim-dvmrp}}

Syntax Description

interface

Specifies the next-hop interface to the multicast router.

interface

Interface type; possible valid values are ethernet, fastethernet, gigabitethernet, tengigabitethernet, pos, ge-wan, and atm.

interface-number

Module and port number; see the "Usage Guidelines" section for valid values.

port-channel number

Specifies the port-channel number; valid values are a maximum of 64 values ranging from 1 to 256.

learn

Specifies the multicast router learning method.

cgmp

Specifies the multicast router snooping CGMP packets.

pim-dvmrp

Specifies the multicast router snooping PIM-DVMRP packets.


Defaults

pim-dvmrp

Command Modes

Interface configuration

Command History

Release
Modification

12.0(7)XE

Support for this command was introduced on the Catalyst 6500 series switches.

12.1(1)E

Support for this command on the Catalyst 6500 series switches was extended to the 12.1 E release.

12.1(3a)E3

The number of valid values for port-channel number changed; see the "Usage Guidelines" section for valid values.

12.1(11b)E

This command was changed to include the ge-wan, atm, and pos keywords.

12.1(19)E

The learn cgmp and learn pim-dvmrp options have been superseded. Multicast router ports will default to auto-learn through PIM or IGMP packets.


Usage Guidelines

This command is entered in VLAN interface configuration mode only.

The interface to the router must be in the VLAN where you are entering the command, the interface must be administratively up, and the line protocol must be up.

The interface-number argument designates the module and port number. Valid values for interface-number depend on the specified interface type and the chassis and module used. For example, if you specify a Gigabit Ethernet interface and have a 48-port 10/100BASE-T Ethernet module installed in a 13-slot chassis, valid values for the module number are from 2 to 13 and valid values for the port number are from 1 to 48.

The CGMP learning method can decrease control traffic.

The learning method you configure is saved in NVRAM.

Static connections to multicast routers are supported only on switch ports.

Examples

This example shows how to specify the next-hop interface to the multicast router:

Router(config-if)# ip igmp snooping mrouter interface fastethernet 5/6
Router(config-if)#

This example shows how to specify the multicast router learning method:

Router(config-if)# ip igmp snooping mrouter learn cgmp
Router(config-if)#

Related Commands

ip igmp snooping
ip igmp snooping fast-leave
ip igmp snooping static
show ip igmp snooping mrouter

ip igmp snooping querier

To enable multicast support within a subnet when no multicast routing protocol is configured in the VLAN or subnet, use the ip igmp snooping querier command. Use the no form of this command to disable the function.

ip igmp snooping querier

no ip igmp snooping querier

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

12.1(5c)EX

Support for this command was introduced on the Supervisor Engine 2.

12.1(8a)E

Support for this command on the Supervisor Engine 2 was extended to the 12.1 E release.


Usage Guidelines

This command is entered in VLAN interface configuration mode only.

These conditions must be met to support this function:

IGMP snooping is enabled on the Catalyst 6500 series switch.

PIM is disabled on the VLAN.

An IP address is configured on the VLAN interface.

No multicast routers are present on the VLAN or subnet.

If multicast routers are not present on the VLAN or subnet, the Catalyst 6500 series switch becomes the IGMP querier for the VLAN where the querier functionality has been enabled.

If the IGMP snooping querier function is disabled, IGMP snooping functions only when PIM is configured in the subnet.

You can enter the ip igmp snooping querier command at any time, but the IGMP snooping querier function starts only when no other multicast routers are present in the VLAN or subnet.

This command is useful as an alternative to configuring PIM in a subnet; you can use it when the multicast traffic does not need to be routed but support for IGMP snooping on Layer 2 interfaces is desired.

Examples

This example shows how to enable the IP IGMP snooping querier function on the VLAN:

Router(config-if)# ip igmp snooping querier
Router(config-if)# 

Related Commands

show ip igmp snooping mrouter

ip igmp snooping static

To configure a Layer 2 port as a member of a group, use the ip igmp snooping static command. Use the no form of this command to remove the configuration.

ip igmp snooping static {{mac-address} {interface {interface interface-number}} | {port-channel number}}

no ip igmp snooping static {{interface {interface interface-number}} | {port-channel number}}

Syntax Description

mac-address

Group MAC address.

interface

Specifies the next-hop interface to the multicast router.

interface

Interface type; possible valid values are ethernet, fastethernet, gigabitethernet, tengigabitethernet, pos, ge-wan, and atm.

interface-number

Specifies the module and port number; see the "Usage Guidelines" section for valid values.

port-channel number

Specifies the port-channel number; valid values are a maximum of 64 values ranging from 1 to 256.


Defaults

This command has no default settings.

Command Modes

Interface configuration

Command History

Release
Modification

12.0(7)XE

Support for this command was introduced on the Catalyst 6500 series switches.

12.1(1)E

Support for this command on the Catalyst 6500 series switches was extended to the 12.1 E release.

12.1(3a)E3

The number of valid values for port-channel number changed; see the "Usage Guidelines" section for valid values.

12.1(11b)E

This command was changed to include the ge-wan, atm, and pos keywords.

12.1(13)E

This command has been replaced with the mac-address-table static command.


Usage Guidelines

This command is not supported on Release 12.1(13)E and later releases.

This command is entered in VLAN interface configuration mode only.

The number of valid values for port-channel number depends on the software release. For releases prior to Release 12.1(3a)E3, valid values are from 1 to 256; for Releases 12.1(3a)E3, 12.1(3a)E4, and 12.1(4)E1, valid values are from 1 to 64. Release 12.1(5c)EX and later support a maximum of 64 values ranging from 1 to 256. Release 12.1(13)E and later support a maximum of 64 values ranging from 1 to 282; values 257 to 282 are supported on the CSM and FWSM only.

The interface-number argument designates the module and port number. Valid values for interface-number depend on the specified interface type and the chassis and module used. For example, if you specify a Gigabit Ethernet interface and have a 48-port 10/100BASE-T Ethernet module installed in a 13-slot chassis, valid values for the module number are from 2 to 13 and valid values for the port number are from 1 to 48.

Examples

This example shows how to configure a host statically on an interface:

Router(config-if)# ip igmp snooping static 0100.5e02.0203 interface fas 5/11
Configuring port FastEthernet5/11 on group 0100.5e02.0203 vlan 4
Router(config-if)#

Related Commands

ip igmp snooping
ip igmp snooping fast-leave
ip igmp snooping mrouter
show mac-address-table

ip local-proxy-arp

To enable the local proxy ARP feature, use the ip local-proxy-arp command. Use the no form of this command to disable the feature.

ip local-proxy-arp

no ip local-proxy-arp

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

12.1(5c)EX

Support for this command was introduced on the Catalyst 6500 series switches.

12.1(8a)E

Support for this command on the Catalyst 6500 series switches was extended to the 12.1 E release.


Usage Guidelines

The local proxy ARP feature allows the MSFC to respond to ARP requests for IP addresses within a subnet where normally no routing is required. With the local proxy ARP feature enabled, the MSFC responds to all ARP requests for IP addresses within the subnet and forwards all traffic between hosts in the subnet. Use this feature only on subnets where hosts are intentionally prevented from communicating directly with each other by the configuration on the switch to which they are connected.

To use the local proxy ARP feature, you must enable the IP proxy ARP feature. The IP proxy ARP feature is enabled by default.

ICMP redirects are disabled on interfaces where the local proxy ARP feature is enabled.

Examples

This example shows how to enable the local proxy ARP feature:

Router(config-if)# ip local-proxy-arp
Router(config-if)#

ip multicast rpf backoff

To set the PIM backoff interval, use the ip multicast rpf backoff command. Use the no form of this command to return to the default settings.

ip multicast rpf backoff {{min max} | disable}

no ip multicast rpf backoff

Syntax Description

min

Initial RPF backoff delay in milliseconds; valid values are from 1 to 65535 milliseconds.

max

Maximum RPF backoff delay in milliseconds; valid values are from 1 to 65535 milliseconds.

disable

Disables triggered RPF check.


Defaults

If you enable the triggered RPF check, the defaults are as follows:

min is 500 milliseconds.

max is 5000 milliseconds.

Command Modes

Global configuration

Command History

Release
Modification

12.1(11b)E

Support for this command was introduced on the Catalyst 6500 series switches.


Usage Guidelines

If you do not enable the triggered RPF check, PIM periodically polls the routing tables for changes (set using the ip multicast rpf interval command). When you enable the triggered RPF check, PIM polls the routing tables when a change in the routing tables occurs. The min argument sets the initial backoff time. Once triggered, PIM waits for additional routing table changes. If the min period expires without further routing table changes, PIM scans for routing changes. If additional routing changes occur during the backoff period, PIM doubles the length of the backoff period. You can set the maximum interval for the doubled backoff period with the max argument.

Use this command in the following situations:

You have frequent route changes in your router (for example, on a dial-in router).

You want to either reduce the maximum RPF-check interval (for faster availability of IP multicast on newly established routes) or you want to increase the RPF-check interval (to reduce CPU load introduced by the RPF check).

Examples

This example shows how to set the PIM backoff interval in milliseconds:

Router(config)# ip multicast rpf backoff 100
Router(config)#

Related Commands

ip multicast rpf interval
show ip rpf events (refer to the Cisco IOS Release 12.1 Command Reference)




ip multicast rpf interval

To set the RPF consistency-check interval, use the ip multicast rpf interval command. Use the no form of this command to return to the default settings.

ip multicast rpf interval interval

no ip multicast rpf interval

Syntax Description

interval

Interval in seconds between RPF checks; valid values are from 1 to 10 seconds.


Defaults

10 seconds

Command Modes

Global configuration

Command History

Release
Modification

12.1(11b)E

Support for this command was introduced on the Catalyst 6500 series switches.


Usage Guidelines

The ip multicast rpf interval command sets the interval at which PIM polls the routing tables for changes.

Examples

This example shows how to set the RPF check interval in seconds:

Router(config)# ip multicast rpf interval 5
Router(config)#

Related Commands

ip multicast rpf backoff

ip pim autorp listener

To cause IP multicast traffic for the two Auto-RP groups 224.0.1.39 and 224.0.1.40 to be Protocol Independent Multicast (PIM) dense mode and flooded across interfaces operating in PIM sparse mode, use the ip pim autorp listener command. Use the no form of this command to disable this feature.

ip pim autorp listener

no ip pim autorp listener

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Global configuration

Command History

Release
Modification

12.1(13)E5

Support for this command was introduced on the Catalyst 6500 series switch.


Usage Guidelines

Use the ip pim autorp listener command with interfaces configured for PIM sparse mode operation in order to establish a network configuration where Auto-RP operates in PIM dense mode and multicast traffic can operate in sparse mode, bidirectional mode, or source specific multicast (SSM) mode.

Examples

This example shows how to enable IP multicast routing and the Auto-RP listener feature on a router. It also shows how to configure the router as a Candidate RP for the multicast groups 239.254.2.0 through 239.254.2.255:

Router(config)# ip multicast-routing
Router(config)# ip pim autorp listener
Router(config)# ip pim send-rp-announce Loopback0 scope 16 group-list 1
Router(config)# ip pim send-rp-discovery Loopback1 scope 16
Router(config)# access-list 1 permit 239.254.2.0 0.0.0.255
Router(config)# 

ip rgmp

To enable RGMP on an interface, use the ip rgmp command. Use the no form of this command to disable RGMP.

ip rgmp

no ip rgmp

Syntax Description

This command has no arguments or keywords.

Defaults

The defaults are as follows:

Enabled on Layer 2 interfaces (not configurable)

Disabled on Layer 3 interfaces

Command Modes

Interface configuration

Command History

Release
Modification

12.1(3a)E

Support for this command was introduced on the Catalyst 6500 series switches.


Usage Guidelines

These restrictions apply to RGMP on the MSFC:

You can enable RGMP on interfaces configured to support multicast routing.

You must enable IGMP snooping on the Catalyst 6500 series switch.

You must enable PIM on the Catalyst 6500 series switch.

RGMP supports PIM sparse mode only. RGMP does not support PIM dense mode. RGMP explicitly supports the two Auto RP groups in dense mode by not restricting traffic to those groups but by flooding it to all router ports. For this reason, you should configure PIM sparse-dense mode. If you configure groups other than the Auto-RP groups for dense mode, their traffic will not be correctly forwarded through router ports that have been enabled for RGMP.

To effectively constrain multicast traffic with RGMP, connect RGMP-enabled routers to separate ports on RGMP-enabled Catalyst 6500 series switches.

RGMP constrains only traffic that exits through ports on which it detects an RGMP-enabled router. If a non-RGMP enabled router is detected on a port, that port receives all multicast traffic.

RGMP does not support directly connected sources in the network. A directly connected source will send traffic into the network without signaling this information through RGMP or PIM. This traffic will not be received by an RGMP-enabled router unless the router already requested receipt of that group through RGMP. This restriction applies to hosts and to functions in routers that source multicast traffic, such as the ping and mtrace commands, and multicast applications that source multicast traffic such as UDPTN.

RGMP supports directly connected receivers in the network. Traffic to these receivers is restricted by IGMP snooping, or if the receiver is a router itself, by PIM and RGMP. CGMP is not supported in networks where RGMP is enabled on routers.

Enabling RGMP and CGMP on a router interface is mutually exclusive. If RGMP is enabled on an interface, CGMP is silently disabled or vice versa.

Examples

This example shows how to enable RGMP:

Router(config-if)# ip rgmp
Router(config-if)#

This example shows how to disable RGMP snooping:

Router(config-if)# no ip rgmp
Router(config-if)#

Related Commands

debug ip rgmp

ip route-cache flow

To enable NetFlow switching for IP routing, use the ip route-cache flow command. Use the no form of this command to disable NetFlow switching.

ip route-cache flow

no ip route-cache flow

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

12.0(7)XE

Support for this command was introduced on the Catalyst 6500 series switches.

12.1(1)E

Support for this command on the Catalyst 6500 series switches was extended to the 12.1 E release.


Usage Guidelines

NetFlow switching captures a set of traffic statistics as part of its switching function. These traffic statistics include user, protocol, port, and type of service information that can be used for network analysis and planning, accounting, and billing. To export NetFlow data, use the ip flow-export destination or the ip flow-export source global configuration command.

NetFlow switching is supported on IP and IP-encapsulated traffic over all interface types and encapsulations except for ISL/VLAN, ATM, Frame Relay interfaces when more than one input access control list is used on the interface, and ATM LANE.

For additional information on NetFlow switching, refer to the Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide.


Note: NetFlow does consume additional memory and CPU resources compared to other switching modes; we recommend that you understand the resources required on your router before enabling NetFlow.


Examples

This example shows how to enable NetFlow switching on the interface:

Router# configure terminal
Router(config)# interface ethernet 0/5/0
Router(config-if)# ip address 17.252.245.2 255.255.255.0
Router(config-if)# ip route-cache flow
Router(config-if)# exit

This example shows how to return the interface to its defaults (fast switching enabled; autonomous switching disabled):

Router# configure terminal
Router(config)# interface ethernet 0/5/0
Router(config-if)# no ip route-cache flow
Router(config-if)# exit

Related Commands

ip flow-export destination
show ip cache flow

ip sticky-arp

To turn on the sticky-ARP feature, use the ip sticky-arp command. Use the no form of this command to turn off the feature.

ip sticky-arp

no ip sticky-arp

Syntax Description

This command has no arguments or keywords.

Defaults

Enabled

Command Modes

Global configuration

Command History

Release
Modification

12.1(8a)EX

Support for this command was introduced on the Catalyst 6500 series switches.


Usage Guidelines

This command is supported on PVLANs only.

ARP entries learned on Layer 3 PVLAN interfaces are sticky ARP entries (we recommend that you display and verify PVLAN interface ARP entries using the show arp command).

For security reasons, PVLAN interface sticky ARP entries do not age out. Connecting new equipment with the same IP address generates a message and the ARP entry is not created.

Since the PVLAN interface ARP entries do not age out, you must manually remove PVLAN interface ARP entries if a MAC address changes.

Unlike static entries, sticky-ARP entries are not stored and restored when you enter the reboot and restart commands.

Examples

This example shows how to enable the sticky-ARP feature:

Router(config)# ip sticky-arp
Router(config)#

This example shows how to disable the sticky-ARP feature:

Router(config)# no ip sticky-arp
Router(config)#

Related Commands

arp (refer to the Cisco IOS Release 12.1 Command Reference)
show arp (refer to the Cisco IOS Release 12.1 Command Reference)

ip verify unicast reverse-path

To enable Unicast RPF, use the ip verify unicast reverse-path command. Use the no form of this command to disable Unicast RPF.

ip verify unicast reverse-path [allow-self-ping] [list]

no ip verify unicast reverse-path [allow-self-ping] [list]

Syntax Description

allow-self-ping

(Optional) Allows the switch to ping itself.

list

(Optional) Access list number; valid values are from 1 to 199 for a standard or extended IP access list number and from 1300 to 2699 for a standard or extended IP expanded access list number.


Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

12.1(8a)E

Support for this command was introduced on the Catalyst 6500 series switches.


Usage Guidelines

Use the ip verify unicast reverse-path interface command to mitigate problems caused by malformed or forged (spoofed) IP source addresses that pass through a router. Malformed or forged source addresses can indicate DoS attacks based on source IP address spoofing.

When you enable Unicast RPF on an interface, the router examines all packets received on that interface. The router checks that the source address appears in the routing table and matches the interface on which the packet was received. This "look-backward" ability is available only when you enable CEF on the router because the lookup relies on the presence of the FIB. CEF generates the FIB as part of its operation.


Note Unicast RPF is an input function and is applied only on the input interface of a router at the upstream end of a connection.


If you do not specify an ACL in the ip verify unicast reverse-path command, the router drops the forged or malformed packet immediately and no ACL logging occurs. The router and interface Unicast RPF counters are updated.

You can log Unicast RPF events by specifying the logging option for the ACL entries used by the ip verify unicast reverse-path command. You can use the logging option to gather information about the attack, such as source address, time, and so on.


Note With Unicast RPF, all equal-cost "best" return paths are considered valid. Unicast RPF works in cases where multiple return paths exist, provided that each path is equal to the others in terms of the routing cost (number of hops, weights, and so on) and as long as the route is in the FIB. Unicast RPF also functions where EIGRP variants are being used and unequal candidate paths that go back to the source IP address exist.


To use Unicast RPF, enable CEF switching or dCEF switching in the router. You do not need to configure the input interface for CEF switching. As long as CEF is running on the router, you can configure individual interfaces with other switching modes.


Note It is very important for CEF to be configured globally in the router. Unicast RPF will not work without CEF.


Do not use Unicast RPF on interfaces that are internal to the network. Internal interfaces are likely to have routing asymmetry, which means that there are multiple routes to the source of a packet. You should apply Unicast RPF only where there is natural or configured symmetry.

For example, routers at the edge of the network of an ISP are more likely to have symmetrical reverse paths than routers that are in the core of the ISP network. Routers that are in the core of the ISP network have no guarantee that the best forwarding path out of the router is the path selected for packets returning to the router. We do not recommend that you apply Unicast RPF where there is a chance of asymmetric routing. You should place Unicast RPF only at the edge of a network or, for an ISP, you should place the Unicast RPF at the customer edge of the network.

Examples

This example shows how to enable the Unicast RPF feature on a serial interface:

Router(config-if)# ip verify unicast reverse-path
Router(config-if)# 

Related Commands

ip cef (refer to the Cisco IOS Release 12.1 Command Reference)

ip verify unicast source reachable-via

To enable and configure RPF checks, use the ip verify unicast source reachable-via command. Use the no form of this command to disable RPF.

ip verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping] [list]

no ip verify unicast source reachable-via

Syntax Description

rx

Checks that the source address is reachable on the interface where the packet was received.

any

Checks that the source address is reachable on any path.

allow-default

(Optional) Checks that the default route matches the source address.

allow-self-ping

(Optional) Allows the router to ping itself.

list

(Optional) Access list number; valid values are from 1 to 199 for a standard IP access list number and from 1300 to 2699 for a standard IP expanded access list number.


Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

12.1(8a)E

Support for this command was introduced on the Catalyst 6500 series switches and support was extended to the 12.1 E release.


Usage Guidelines

Exists-only mode—A source address need only be present in the FIB and reachable through a "real" interface; this situation also applies to the ip verify unicast source reachable-via any allow-default command. The exists-only mode requires that a resolved and reachable source address is present in the FIB table. The source address must be reachable through a configured interface.

Any mode—The source must be reachable through any of the paths. For example, the source has per-destination load balancing.

Rx mode—A source address must be reachable on the arrived interface. For example, the source must be reachable without load balancing.


Note Unicast RPF is an input function and is applied only on the input interface of a router at the upstream end of a connection.


On systems configured with a Supervisor Engine 1 only, to use Unicast RPF, enable CEF switching or dCEF switching in the router. You do not need to configure the input interface for CEF switching. As long as CEF is running on the router, you can configure individual interfaces with other switching modes.


Note Unicast RPF will not work without CEF.


Do not use Unicast RPF on interfaces that are internal to the network. Internal interfaces are likely to have routing asymmetry, which means that there are multiple routes to the source of a packet. You should apply Unicast RPF only where there is natural or configured symmetry.

Examples

This example shows how to enable Unicast RPF exist-only checking mode:

Router(config-if)# ip verify unicast source reachable-via any 
Router(config-if)# 
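
The following Python model is an added illustration, not Cisco code: it applies the rx and any checks described for ip verify unicast reverse-path and ip verify unicast source reachable-via to a constructed FIB, showing why equal-cost paths pass and asymmetric routing fails in rx mode. The FIB contents, interface names, and function names are assumptions, as is the model's reading that a source matching only the default route fails without allow-default and that Null0 is not a "real" interface.

```python
import ipaddress

# Constructed FIB (not from a real device): each prefix maps to the
# interfaces of all equal-cost best paths back to that prefix.
SAMPLE_FIB = [
    ("0.0.0.0/0", {"Gi1/1"}),                 # default route toward the upstream
    ("192.0.2.0/24", {"Gi2/1"}),              # single-homed customer
    ("198.51.100.0/24", {"Gi2/1", "Gi2/2"}),  # two equal-cost return paths
    ("203.0.113.0/24", {"Gi3/1"}),            # traffic actually arrives on Gi3/2
    ("10.66.0.0/16", {"Null0"}),              # discard route
]


def fib_lookup(fib, address):
    """Longest-prefix match; returns (network, interfaces) or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, interfaces in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, interfaces)
    return best


def urpf_check(fib, src, in_interface, mode="rx", allow_default=False):
    """Return (permit, reason) for one packet's source address.

    mode="rx":  the source must be reachable on the receiving interface.
    mode="any": the source must be reachable on some path.
    """
    if mode not in ("rx", "any"):
        raise ValueError("mode must be 'rx' or 'any'")
    hit = fib_lookup(fib, src)
    if hit is None:
        return False, "source not in FIB"
    net, interfaces = hit
    # Assumption of this model: a default-route-only match fails
    # unless allow-default is configured.
    if net.prefixlen == 0 and not allow_default:
        return False, "source matches only the default route"
    # Assumption of this model: Null0 does not count as a "real" interface.
    real = {name for name in interfaces if name != "Null0"}
    if not real:
        return False, "source resolves to no real interface"
    if mode == "any":
        return True, "source reachable on some path"
    if in_interface in real:
        # Every equal-cost best path is a valid return path.
        return True, "receiving interface is a best return path"
    return False, "best return path is not the receiving interface"


def compare_modes(fib, packets):
    """Evaluate each (src, in_interface) packet under rx and any mode."""
    rows = []
    for src, in_interface in packets:
        rx_ok, _ = urpf_check(fib, src, in_interface, "rx")
        any_ok, _ = urpf_check(fib, src, in_interface, "any")
        rows.append((src, in_interface, rx_ok, any_ok))
    return rows


if __name__ == "__main__":
    packets = [
        ("192.0.2.10", "Gi2/1"),    # legitimate customer traffic
        ("192.0.2.10", "Gi1/1"),    # customer address arriving from upstream
        ("198.51.100.7", "Gi2/2"),  # second equal-cost path
        ("203.0.113.5", "Gi3/2"),   # asymmetric routing
        ("10.66.1.1", "Gi1/1"),     # source routed to Null0
    ]
    for src, port, rx_ok, any_ok in compare_modes(SAMPLE_FIB, packets):
        print(f"{src:15} in {port:6} rx={'permit' if rx_ok else 'drop':6} "
              f"any={'permit' if any_ok else 'drop'}")
```

The 203.0.113.5 case is the asymmetry the usage guidelines warn about: a legitimate packet is dropped in rx mode because its best return path leaves through a different interface.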

Related Commands

ip cef (refer to the Cisco IOS Release 12.1 Command Reference)

ip wccp group-listen

To enable the reception of IP multicast packets for the WCCP feature, use the ip wccp group-listen command. Use the no form of this command to disable the reception of IP multicast packets for the WCCP feature.

ip wccp {web-cache | {service-number | service-name}} group-listen

no ip wccp {web-cache | {service-number | service-name}} group-listen

Syntax Description

web-cache

Directs the router to send packets to the web cache service.

service-number

WCCP service number; valid values are from 0 to 99.

service-name

WCCP service name; the valid value is web-cache.


Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

12.1(13)E

This command was introduced on the Catalyst 6500 series switches.


Usage Guidelines


Note To ensure correct operation, you must enter the ip pim mode command in addition to the ip wccp group-listen command.


The service-number may be either one of the provided standard keyword definitions or a number representing a definition that is dynamically defined by a cache engine. Once the service is enabled, the Catalyst 6500 series switch can participate in the establishment of a service group.

On Catalyst 6500 series switches that are to be members of a service group when IP multicast is used, the following configuration is required:

You must configure the IP multicast address for use by the WCCP service group.

You must configure the ip wccp {web-cache | service-number} group-listen command on the interfaces that are to receive the IP multicast address.

Examples

This example shows how to enable the multicast packets for a web cache with a multicast address of 224.1.1.100:

router# configure terminal
router(config)# ip wccp web-cache group-address 224.1.1.100
router(config)# interface ethernet 0
router(config-if)# ip wccp web-cache group-listen

Related Commands

show ip wccp

ip wccp redirect exclude in

To exclude inbound packets from outbound redirection using WCCP, use the ip wccp redirect exclude in command. Use the no form of this command to disable WCCP redirection.

ip wccp redirect exclude in

no ip wccp redirect exclude in

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

12.1(13)E

This command was introduced on the Catalyst 6500 series switches.


Usage Guidelines

The ip wccp redirect exclude in command allows you to configure WCCP redirection on an interface receiving inbound network traffic. When the command is applied to an interface, all packets arriving at that interface will be compared against the criteria defined by the specified WCCP service. If the packets match the criteria, they will be redirected.

For a complete description of the WCCP configuration commands, including a list of commands that have changed since Cisco IOS Release 12.0, refer to the "WCCP Commands" chapter in the "Cisco IOS System Management Commands" part of the Release 12.1 Cisco IOS Configuration Fundamentals Command Reference.

Examples

This example shows a configuration session in which HTTP traffic arriving on interface 0/1 will be redirected to a Cisco Cache Engine:

Router# configure terminal
Router(config)# ip wccp web-cache
Router(config)# interface ethernet 0/1
Router(config-if)# ip wccp redirect exclude in

Related Commands

show ip interface (refer to the Cisco IOS Release 12.1 Command Reference)
show ip wccp

ip wccp web-cache accelerated

To enable WCCP version 1 hardware acceleration, use the ip wccp web-cache accelerated command. Use the no form of this command to disable hardware acceleration.

ip wccp web-cache accelerated {[group-address groupaddress] [redirect-list access-list] [group-list access-list] [password password]}

no ip wccp web-cache accelerated

Syntax Description

group-address groupaddress

(Optional) Directs the router to use a specified multicast IP address for communication with the WCCP service group. See the "Usage Guidelines" section for additional information.

redirect-list access-list

(Optional) Directs the router to use an access list to control traffic redirected to this service group. See the "Usage Guidelines" section for additional information.

group-list access-list

(Optional) Directs the router to use an access list to determine which cache engines are allowed to participate in the service group. See the "Usage Guidelines" section for additional information.

password password

(Optional) Directs the router to apply MD5 authentication to messages received from the service group specified by the service name given. See the "Usage Guidelines" section for additional information.


Defaults

Disabled

Command Modes

Global configuration

Command History

Release
Modification

12.1(13)E

This command was introduced on the Catalyst 6500 series switches.


Usage Guidelines

This command is supported on software releases later than cache engine software Release ACNS 4.2.1.

The group-address groupaddress option requires a multicast address used by the router to determine which cache engine should receive redirected messages. This option instructs the router to use the specified multicast IP address to join the I See You responses with the Here I Am messages that it has received on this group address. The response is sent to the group address as well. The default is that no group-address is configured, in which case, all Here I Am messages are responded to with a unicast reply.

The redirect-list access-list option instructs the router to use an access list to control the traffic that is redirected to the cache engines of the service group specified by the service name given. The access-list parameter specifies either a number from 1 to 99 to represent a standard or extended access list number, or a name to represent a named standard or extended access list. The access list itself specifies which traffic is permitted to be redirected. The default is for no redirect-list to be configured (all traffic is redirected).

The group-list access-list option instructs the router to use an access list to control the cache engines allowed to participate in the specified service group. The access-list parameter specifies either a number from 1 to 99 to represent a standard access list number, or a name to represent a named standard access list. The access list itself specifies which cache engines are permitted to participate in the service group. The default is for no group-list to be configured, in which case, all cache engines may participate in the service group.

The password can be up to seven characters in length. When you designate a password, messages that are not accepted by the authentication are discarded. The password name is combined with the HMAC MD5 value to create security for the connection between the router and the Cache Engine.

Examples

This example shows how to enable WCCP version 1 hardware acceleration:

Router(config)# ip wccp web-cache accelerated
Router(config)#
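
The following Python audit is an added example, not Cisco code: it checks a running-config excerpt against the WCCP requirements stated in the ip wccp group-listen and ip wccp web-cache accelerated sections (a multicast group address, an ip pim mode command beside group-listen, and the group-list and password options whose defaults admit any cache engine without MD5 authentication). The sample configuration is constructed, and the function names and finding texts are assumptions.

```python
import ipaddress
import re

# Constructed running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
ip wccp web-cache group-address 244.1.1.100
ip wccp 90 group-address 224.1.1.101 group-list 10 password s3cr3t
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 ip wccp web-cache group-listen
!
interface Ethernet1
 ip address 198.51.100.1 255.255.255.0
 ip pim sparse-dense-mode
 ip wccp 90 group-listen
!
"""

SERVICE_RE = re.compile(r"^ip wccp (web-cache|\d+)\b(.*)$")
LISTEN_RE = re.compile(r"^ip wccp (web-cache|\d+) group-listen$")
OPTION_KEYWORDS = ("group-address", "redirect-list", "group-list", "password")


def parse_config(text):
    """Split a config into global lines and per-interface line lists."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.strip() == "!":
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def parse_services(global_lines):
    """Map each WCCP service to the options on its global command line."""
    services = {}
    for line in global_lines:
        match = SERVICE_RE.match(line)
        if not match:
            continue
        tokens = match.group(2).split()
        options = services.setdefault(match.group(1), {})
        for index, token in enumerate(tokens[:-1]):
            if token in OPTION_KEYWORDS:
                options[token] = tokens[index + 1]
    return services


def is_multicast(address):
    try:
        return ipaddress.ip_address(address).is_multicast
    except ValueError:
        return False


def audit_wccp(text):
    """Return a list of (where, finding) tuples for the given config text."""
    global_lines, interfaces = parse_config(text)
    services = parse_services(global_lines)
    findings = []
    for service, options in sorted(services.items()):
        group = options.get("group-address")
        if group is not None and not is_multicast(group):
            findings.append((service, f"group-address {group} is not an IP multicast address"))
        if "group-list" not in options:
            findings.append((service, "no group-list: any cache engine may join the service group"))
        if "password" not in options:
            findings.append((service, "no password: service-group messages are not MD5-authenticated"))
    for name, lines in interfaces.items():
        for line in lines:
            match = LISTEN_RE.match(line)
            if not match:
                continue
            service = match.group(1)
            if not any(entry.startswith("ip pim ") for entry in lines):
                findings.append((name, f"{service} group-listen without an ip pim mode command"))
            if "group-address" not in services.get(service, {}):
                findings.append((name, f"{service} group-listen but no group-address for the service"))
    return findings


if __name__ == "__main__":
    for where, finding in audit_wccp(SAMPLE_CONFIG):
        print(f"{where}: {finding}")
```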

Related Commands

ip wccp version (refer to the Cisco IOS Release 12.1 Command Reference)

l2protocol-tunnel

To enable protocol tunneling on an interface and specify the type of protocol to be tunneled, use the l2protocol-tunnel command. Use the no form of this command to disable protocol tunneling.

l2protocol-tunnel [{cdp | stp | vtp}]

no l2protocol-tunnel [{cdp | stp | vtp}]

Syntax Description

cdp

(Optional) Enables CDP tunneling.

stp

(Optional) Enables STP tunneling.

vtp

(Optional) Enables VTP tunneling.


Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

12.1(11b)EX

This command was introduced on the Catalyst 6500 series switches.

12.1(13)E

Support for this command on the Catalyst 6500 series switches was extended to the 12.1 E release.


Usage Guidelines

802.1Q tunneling is not supported on systems configured with a Supervisor Engine 1.

802.1Q tunneling is supported on systems configured with the following modules, but is not supported on the modules themselves:

WS-X6548-GE-TX

WS-X6548V-GE-TX

WS-X6548-GE-TX

WS-X6148-GE-TX

WS-X6148V-GE-TX

On all the service provider edge switches, you must enable PortFast BPDU filtering on the 802.1Q tunnel ports by entering these commands:

Router(config-if)# spanning-tree bpdufilter enable 
Router(config-if)# spanning-tree portfast


Note With Release 12.1(13)E and later releases, PortFast BPDU filtering is enabled automatically on tunnel ports. With releases earlier than Release 12.1(13)E, you can manually enable PortFast BPDU filtering on tunnel ports (see the "Enabling PortFast BPDU Filtering" section of the Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide).


If you do not specify a protocol, all protocols are tunneled.

You must enter the switchport command once without any keywords to configure the LAN port as a Layer 2 interface before you can enter additional switch port commands with keywords. This requirement applies only if you have not entered the switchport command for the interface.

Examples

This example shows how to enable a tunneling protocol on an interface:

Router(config-if)# l2protocol-tunnel cdp
Router(config-if)# 

This example shows how to disable a tunneling protocol on an interface:

Router(config-if)# no l2protocol-tunnel
Protocol tunneling disabled on interface fastEthernet 4/1
Router(config-if)# 

Related Commands

show l2protocol-tunnel
switchport

l2protocol-tunnel cos

To specify a CoS value globally on all ingress Layer 2 protocol tunneling ports, use the l2protocol-tunnel cos command. Use the no form of this command to return to the default settings.

l2protocol-tunnel cos cos-value

no l2protocol-tunnel cos

Syntax Description

cos-value

CoS value; valid values are from 0 to 7.


Defaults

The cos-value is 5.

Command Modes

Global configuration

Command History

Release
Modification

12.1(11b)EX

This command was introduced on the Catalyst 6500 series switches.

12.1(13)E

Support for this command on the Catalyst 6500 series switches was extended to the 12.1 E release.


Usage Guidelines

802.1Q tunneling is not supported on systems configured with a Supervisor Engine 1.

802.1Q tunneling is supported on systems configured with the following modules, but is not supported on the modules themselves:

WS-X6548-GE-TX

WS-X6548V-GE-TX

WS-X6548-GE-TX

WS-X6148-GE-TX

WS-X6148V-GE-TX

On all the service provider edge switches, you must enable PortFast BPDU filtering on the 802.1Q tunnel ports by entering these commands:

Router(config-if)# spanning-tree bpdufilter enable 
Router(config-if)# spanning-tree portfast


Note With Release 12.1(13)E and later releases, PortFast BPDU filtering is enabled automatically on tunnel ports. With releases earlier than Release 12.1(13)E, you can manually enable PortFast BPDU filtering on tunnel ports (see the "Enabling PortFast BPDU Filtering" section of the Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide).


You can specify a CoS value globally on all ingress Layer 2 protocol tunneling ports. Because the CoS value applies to all ingress tunneling ports, all encapsulated PDUs sent out by the Catalyst 6500 series switch have the same CoS value.

Examples

This example shows how to specify a CoS value on all ingress Layer 2 protocol tunneling ports:

Router(config)# l2protocol-tunnel cos 6
Router(config)# 

Related Commands

show l2protocol-tunnel

l2protocol-tunnel drop-threshold

To specify the maximum number of packets that can be processed for the specified protocol on that interface before being dropped, use the l2protocol-tunnel drop-threshold command. Use the no form of this command to reset all the threshold values to 0 and disable the drop threshold.

l2protocol-tunnel drop-threshold [cdp | stp | vtp] packets

no l2protocol-tunnel drop-threshold [cdp | stp | vtp]

Syntax Description

cdp

(Optional) Specifies CDP packets.

stp

(Optional) Specifies STP packets.

vtp

(Optional) Specifies VTP packets.

packets

Maximum number of packets; valid values are from 1 to 4096 packets.


Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

12.1(13)E

This command was introduced on the Catalyst 6500 series switches.


Usage Guidelines

802.1Q tunneling is not supported on systems configured with a Supervisor Engine 1.

802.1Q tunneling is supported on systems configured with the following modules, but is not supported on the modules themselves:

WS-X6548-GE-TX

WS-X6548V-GE-TX

WS-X6548-GE-TX

WS-X6148-GE-TX

WS-X6148V-GE-TX

On all the service provider edge switches, you must enable PortFast BPDU filtering on the 802.1Q tunnel ports by entering these commands:

Router(config-if)# spanning-tree bpdufilter enable 
Router(config-if)# spanning-tree portfast


Note With Release 12.1(13)E and later releases, PortFast BPDU filtering is enabled automatically on tunnel ports. With releases earlier than Release 12.1(13)E, you can manually enable PortFast BPDU filtering on tunnel ports (see the "Enabling PortFast BPDU Filtering" section of the Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide).


If you do not specify a protocol, the threshold applies to all protocols.

You can configure protocol tunneling on switch ports only. You must enter the switchport command once without any keywords to configure the LAN port as a Layer 2 interface before you can enter additional switch port commands with keywords. This requirement applies only if you have not entered the switchport command for the interface.

Refer to the "Configuring IEEE 802.1Q Tunneling and Layer 2 Protocol Tunneling" chapter of the Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide for additional information on setting the drop threshold value.

Examples

This example shows how to set the drop threshold:

Router(config-if)# switchport
Router(config-if)# l2protocol-tunnel drop-threshold 3000
Router(config-if)#

Related Commands

l2protocol-tunnel shutdown-threshold

To specify the maximum number of packets that can be processed for the specified protocol on that interface in 1 second, use the l2protocol-tunnel shutdown-threshold command. When the number of packets is exceeded, the port is put in error-disabled state. Use the no form of this command to reset all the threshold values to 0 and disable the shutdown threshold.

l2protocol-tunnel shutdown-threshold [cdp | stp | vtp] packets

no l2protocol-tunnel shutdown-threshold [cdp | stp | vtp] packets

Syntax Description

cdp

(Optional) Specifies CDP tunneling.

stp

(Optional) Specifies STP tunneling.

vtp

(Optional) Specifies VTP tunneling.

packets

Shutdown threshold; valid values are from 1 to 4096.


Defaults

This command has no default settings.

Command Modes

Interface configuration

Command History

Release
Modification

12.1(11b)EX

This command was introduced on the Catalyst 6500 series switches.

12.1(13)E

Support for this command on the Catalyst 6500 series switches was extended to the 12.1 E release.


Usage Guidelines

802.1Q tunneling is not supported on systems configured with a Supervisor Engine 1.

802.1Q tunneling is supported on systems configured with the following modules, but is not supported on the modules themselves:

WS-X6548-GE-TX

WS-X6548V-GE-TX

WS-X6548-GE-TX

WS-X6148-GE-TX

WS-X6148V-GE-TX

On all the service provider edge switches, you must enable PortFast BPDU filtering on the 802.1Q tunnel ports by entering these commands:

Router(config-if)# spanning-tree bpdufilter enable 
Router(config-if)# spanning-tree portfast


Note With Release 12.1(13)E and later releases, PortFast BPDU filtering is enabled automatically on tunnel ports. With releases earlier than Release 12.1(13)E, you can manually enable PortFast BPDU filtering on tunnel ports (see the "Enabling PortFast BPDU Filtering" section of the Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide).


If you do not specify a protocol, the packets value applies to all protocols.

You can configure protocol tunneling on switch ports only. You must enter the switchport command once without any keywords to configure the LAN port as a Layer 2 interface before you can enter additional switch port commands with keywords. This requirement applies only if you have not entered the switchport command for the interface.

Refer to the "Configuring IEEE 802.1Q Tunneling and Layer 2 Protocol Tunneling" chapter of the Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide for additional information on setting the drop threshold value.

Examples

This example shows how to specify the maximum number of CDP packets that can be processed on that interface in 1 second:

Router(config-if)# switchport
Router(config-if)# l2protocol-tunnel shutdown-threshold cdp 200
Router(config-if)# 

Related Commands

l2protocol-tunnel
show l2protocol-tunnel
switchport

lacp port-priority

To set the priority for the physical interfaces, use the lacp port-priority command.

lacp port-priority priority

Syntax Description

priority

Priority for the physical interfaces; valid values are from 1 to 65535.


Defaults

32768

Command Modes

Interface configuration

Command History

Release
Modification

12.1(11b)EX

This command was introduced on the Catalyst 6500 series switches.

12.1(13)E

Support for this command on the Catalyst 6500 series switches was extended to the 12.1 E release.


Usage Guidelines

This command is not supported on systems configured with a Supervisor Engine 1.

You must assign each port in the switch a port priority that can be specified automatically or by entering the lacp port-priority command. The port priority is used with the port number to form the port identifier. The port priority is used to decide which ports should be put in standby mode when there is a hardware limitation that prevents all compatible ports from aggregating.

Although this command is a global configuration command, priority is supported only on port channels with LACP-enabled physical interfaces.

This command is supported on LACP-enabled interfaces.

When setting the priority, the higher the number, the lower the priority.

Examples

This example shows how to set the priority for the interface:

Router(config-if)# lacp port-priority 23748
Router(config-if)#

Related Commands

channel-group
channel-protocol
lacp system-priority
show lacp

lacp system-priority

To set the priority of the system, use the lacp system-priority command.

lacp system-priority priority

Syntax Description

priority

Priority of the system; valid values are from 1 to 65535.


Defaults

32768

Command Modes

Global configuration

Command History

Release
Modification

12.1(11b)EX

This command was introduced on the Catalyst 6500 series switches.

12.1(13)E

Support for this command on the Catalyst 6500 series switches was extended to the 12.1 E release.


Usage Guidelines

This command is not supported on systems configured with a Supervisor Engine 1.

You must assign each switch running LACP a system priority that can be specified automatically or by entering the lacp system-priority command. The system priority is used with the switch MAC address to form the system ID and is also used during negotiation with other systems.

Although this command is a global configuration command, priority is supported on port channels with LACP-enabled physical interfaces.

When setting the priority, the higher the number, the lower the priority.

You can also enter the lacp system-priority command in interface configuration mode. Once you enter the command, the system defaults to global configuration mode.

Examples

This example shows how to set the system priority:

Router(config)# lacp system-priority 23748
Router(config)#

Related Commands

channel-group
channel-protocol
lacp port-priority
show lacp

link debounce

To enable the debounce timer on an interface, use the link debounce command. Use the no form of this command to disable the timer.

link debounce [time time]

no link debounce

Syntax Description

time time

(Optional) Extended debounce timer; valid values are from 100 to 5000 milliseconds.


Defaults

Table 2-13 lists the debounce timer defaults.

Table 2-13 Port Debounce Timer Delay Time

Port Type                                                   Debounce Timer Disabled   Debounce Timer Enabled
10BASE-FL ports                                             300 milliseconds          3100 milliseconds
10/100BASE-TX ports                                         300 milliseconds          3100 milliseconds
100BASE-FX ports                                            300 milliseconds          3100 milliseconds
10/100/1000BASE-TX ports                                    300 milliseconds          3100 milliseconds
1000BASE-TX ports                                           300 milliseconds          3100 milliseconds
Fiber Gigabit ports                                         10 milliseconds           100 milliseconds
10-Gigabit ports except WS-X6501-10GEX4 and WS-X6502-10GE   10 milliseconds           100 milliseconds
WS-X6501-10GEX4 and WS-X6502-10GE 10-Gigabit ports          1000 milliseconds         3100 milliseconds


Command Modes

Interface configuration

Command History

Release
Modification

12.1(13)E

This command was introduced on the Catalyst 6500 series switches.

12.1(19)E

This command was changed to remove support for the following modules:

WS-X6501-10GEX4

WS-X6502-10GE


Usage Guidelines

The time time options are supported on Gigabit Ethernet fiber interfaces only.

The link debounce command is not supported on the following modules in releases prior to Release 12.1(19)E:

WS-X6501-10GEX4

WS-X6502-10GE

The debounce timer sets the amount of time that the firmware waits before it notifies the software that the link is down. The debounce timer does not apply to linkup because linkup is immediately notified by firmware.

The default debounce time applies when you enter the link debounce command with no arguments. For example, when you enter the link debounce time 100 command, it is equivalent to entering the link debounce command with no arguments and you will see the following link debounce entry in the configuration:

interface GigabitEthernet1/1
 no ip address
 link debounce

Enter the show interfaces debounce command to display the debounce configuration of an interface.

Examples

This example shows how to configure the debounce timer on a Gigabit Ethernet fiber interface:

Router(config-if)# link debounce time 100
Router(config-if)#

Related Commands

show interfaces debounce

logging event link-status (global configuration)

To change the default or set the link-status event messaging during system initialization, use the logging event link-status command. Use the no form of this command to disable link-status event messaging.

logging event link-status {default | boot}

no logging event link-status {default | boot}

Syntax Description

default

Enables system logging of interface state-change events on all interfaces in the system.

boot

Enables system logging of interface state-change events on all interfaces in the system during system initialization.


Defaults

Interface state-change messages are not sent.

Command Modes

Global configuration

Command History

Release
Modification

12.1(19)E1a

This command was introduced on the Catalyst 6500 series switches.


Usage Guidelines

You do not have to enter the logging event link-status boot command to enable link-status messaging during system initialization. The logging event link-status default command logs system messages even during system initialization.

If you enter both the logging event link-status default and the no logging event link-status boot commands, the interface state-change events are syslogged after all modules in the switch come online after system initialization. The logging event link-status default and the no logging event link-status boot commands are saved and retained in the running configuration of the system.

When both the logging event link-status default and the no logging event link-status boot commands are present in the running configuration and you want to display the interface state-change messages during system initialization, enter the logging event link-status boot command.

Examples

This example shows how to enable system logging of interface state-change events on all interfaces in the system:

Router(config)# logging event link-status default
Router(config)# 

This example shows how to enable system logging of interface state-change events on all interfaces during system initialization:

Router(config)# logging event link-status boot
Router(config)# 

This example shows how to disable system logging of interface state-change events on all interfaces:

Router(config)# no logging event link-status default
Router(config)# 

This example shows how to disable the system logging of interface state-change events during system initialization:

Router(config)# no logging event link-status boot
Router(config)# 

Related Commands

show running-config

logging event link-status (interface configuration)

To enable the link-status event messaging on an interface, use the logging event link-status command. Use the no form of this command to disable link-status event messaging.

logging event link-status

no logging event link-status

Syntax Description

This command has no arguments or keywords.

Defaults

Interface state-change messages are not sent.

Command Modes

Interface configuration

Command History

Release
Modification

12.1(19)E1a

This command was introduced on the Catalyst 6500 series switches.


Usage Guidelines

To enable system logging of interface state-change events on a specific interface, enter the logging event link-status command in interface configuration mode.

To enable system logging of interface state-change events on all interfaces in the system, enter the logging event link-status command in global configuration mode.

Examples

This example shows how to enable the system logging of interface state-change events on an interface:

Router(config-if)# logging event link-status
Router(config-if)# 

This example shows how to disable system logging of interface state-change events on an interface:

Router(config-if)# no logging event link-status
Router(config-if)# 

Related Commands

show running-config

logging event subif-link-status

To enable the link-status event messaging on a subinterface, use the logging event subif-link-status command. Use the no form of this command to disable link-status event messaging on a subinterface.

logging event subif-link-status

no logging event subif-link-status

Syntax Description

This command has no arguments or keywords.

Defaults

Subinterface state-change messages are not sent.

Command Modes

Interface configuration

Command History

Release
Modification

12.1(22)E

This command was introduced on the Catalyst 6500 series switches.


Usage Guidelines

To enable system logging of interface state-change events on a specific subinterface, enter the logging event subif-link-status command in interface configuration mode.

To enable system logging of interface state-change events on a specific interface, enter the logging event link-status command in interface configuration mode.

To enable system logging of interface state-change events on all interfaces in the system, enter the logging event link-status command in global configuration mode.

Examples

This example shows how to enable the system logging of interface state-change events on a subinterface:

Router(config-if)# logging event subif-link-status
Router(config-if)# 

This example shows how to disable system logging of interface state-change events on a subinterface:

Router(config-if)# no logging event subif-link-status
Router(config-if)# 

Related Commands

show running-config

mac access-list extended

To access a subcommand to define extended MAC access lists, use the mac access-list extended command. Use the no form of this command to remove MAC access lists.

mac access-list extended name

no mac access-list extended name

Syntax Description

name

Name of the ACL to which the entry belongs.


Defaults

No default ACL

Command Modes

Global configuration

Command History

Release
Modification

12.1(1)E

Support for this command was introduced on the Catalyst 6500 series switches.


Usage Guidelines

When you enter the ACL name, follow these naming conventions:

Maximum of 31 characters long and may include a-z, A-Z, 0-9, the dash character (-), the underscore character (_), and the period character (.)

Must start with an alpha character and must be unique across all ACLs of all types

Case sensitive

Cannot be a number

Must not be a keyword; keywords to avoid are all, default-action, map, help, and editbuffer

Once you enter the mac access-list extended name command, use the [no] {permit | deny} {{src-mac mask | any} {dest-mac mask} | any} [protocol] subset to create or delete entries in a MAC-layer access list.

Table 2-14 describes the syntax of the mac access-list extended subcommands.

Table 2-14 mac access-list extended Subcommands 

Subcommand
Description

no

(Optional) Deletes a statement from an access list.

permit

Permits access if the conditions are matched.

deny

Denies access if the conditions are matched.

src-mac mask

Source MAC address in the form: source-mac-address source-mac-address-mask.

any

Specifies any protocol type.

dest-mac mask

(Optional) Destination MAC address in the form: dest-mac-address dest-mac-address-mask.

protocol

(Optional) Name or number of the protocol; see below for a list of valid values.


Valid protocol names are aarp (AppleTalk ARP), amber (DEC-Amber), appletalk (AppleTalk/EtherTalk), decnet-iv (DECnet Phase IV), diagnostic (DEC-Diagnostic), dsm (DEC-DSM), etype-6000 (0x6000), etype-8042 (0x8042), lat (DEC-LAT), lavc-sca (DEC-LAVC-SCA), mop-console (DEC-MOP Remote Console), mop-dump (DEC-MOP Dump), msdos (DEC-MSDOS), mumps (DEC-MUMPS), netbios (DEC-NETBIOS), vines-echo (VINES Echo), vines-ip (VINES IP), and xns-idp (XNS IDP).

When you enter the src-mac mask or dest-mac mask value, note these guidelines and restrictions:

Enter MAC addresses as three 4-byte values in dotted hexadecimal format; for example, 0030.9629.9f84.

Enter MAC address masks as three 4-byte values in dotted hexadecimal format. A 1 bit in the mask acts as a wildcard. For example, to match an address exactly, use 0000.0000.0000 (can be entered as 0.0.0).

For the optional protocol parameter, you can enter either the EtherType or the keyword.

Entries without a protocol parameter match any protocol.

Access list entries are scanned in the order you enter them. The first matching entry is used. To improve performance, place the most commonly used entries near the beginning of the access list.

An implicit deny any any entry exists at the end of an access list unless you include an explicit permit any any entry at the end of the list.

All new entries to an existing list are placed at the end of the list. You cannot add entries to the middle of a list.

Examples

This example shows how to create a MAC-layer access list named mac_layer that denies traffic from 0000.4700.0001, which is going to 0000.4700.0009, and permits all other traffic:

Router(config)# mac access-list extended mac_layer 
Router(config-ext-macl)# deny 0000.4700.0001 0.0.0 0000.4700.0009 0.0.0 dsm 
Router(config-ext-macl)# permit any any 
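
The following Python example is added here and is not part of the Cisco documentation. It models the rules above (naming conventions, wildcard masks, first-match order, and the implicit deny) and assumes that a frame's protocol is supplied as one of the listed keywords; the function names and the wildcard list are constructed for illustration.

```python
import re

# Keywords the page says must not be used as ACL names.
RESERVED = {"all", "default-action", "map", "help", "editbuffer"}
# Starts with a letter, then a-z, A-Z, 0-9, '-', '_' or '.'; 31 characters at most.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9._-]{0,30}\Z")
ALL_BITS = (1 << 48) - 1


def valid_acl_name(name):
    """Check the naming conventions (uniqueness across ACLs is not checked here)."""
    return bool(NAME_RE.match(name)) and name not in RESERVED


def parse_mac(text):
    """Convert dotted hexadecimal (0030.9629.9f84, or short forms like 0.0.0) to an int."""
    groups = text.split(".")
    if len(groups) != 3 or not all(re.fullmatch(r"[0-9A-Fa-f]{1,4}", g) for g in groups):
        raise ValueError("not a dotted-hexadecimal MAC value: %r" % text)
    value = 0
    for group in groups:
        value = (value << 16) | int(group, 16)
    return value


def parse_entry(line):
    """Parse '{permit | deny} {src mask | any} {dst mask | any} [protocol]'."""
    tokens = line.split()
    if not tokens or tokens[0] not in ("permit", "deny"):
        raise ValueError("entry must start with permit or deny: %r" % line)
    action = tokens.pop(0)

    def take_address():
        if not tokens:
            raise ValueError("missing address in %r" % line)
        if tokens[0] == "any":
            tokens.pop(0)
            return 0, ALL_BITS          # every bit is a wildcard
        if len(tokens) < 2:
            raise ValueError("address without mask in %r" % line)
        return parse_mac(tokens.pop(0)), parse_mac(tokens.pop(0))

    src, dst = take_address(), take_address()
    protocol = tokens.pop(0) if tokens else None   # None matches any protocol
    if tokens:
        raise ValueError("unexpected trailing tokens in %r" % line)
    return action, src, dst, protocol


def address_matches(frame_mac, rule):
    """A 1 bit in the mask is a wildcard; only the 0 bits are compared."""
    address, mask = rule
    return ((frame_mac ^ address) & ~mask & ALL_BITS) == 0


def evaluate(entries, src_mac, dst_mac, protocol=None):
    """Return the action of the first matching entry, else the implicit deny."""
    src, dst = parse_mac(src_mac), parse_mac(dst_mac)
    for line in entries:
        action, rule_src, rule_dst, rule_proto = parse_entry(line)
        if (address_matches(src, rule_src) and address_matches(dst, rule_dst)
                and rule_proto in (None, protocol)):
            return action
    return "deny"   # implicit deny any any at the end of every list


# The list from the page's example, then a constructed list that uses a wildcard mask.
PAGE_ACL = ["deny 0000.4700.0001 0.0.0 0000.4700.0009 0.0.0 dsm", "permit any any"]
WILDCARD_ACL = ["permit 0030.9629.0000 0000.0000.ffff any"]   # constructed sample

if __name__ == "__main__":
    print(evaluate(PAGE_ACL, "0000.4700.0001", "0000.4700.0009", "dsm"))
    print(evaluate(PAGE_ACL, "0000.4700.0001", "0000.4700.0009", "lat"))
    print(evaluate(WILDCARD_ACL, "0030.9629.9f84", "0000.4700.0009"))
    print(evaluate(WILDCARD_ACL, "0030.9630.0001", "0000.4700.0009"))
```

Because the deny entry carries the dsm keyword, the same address pair with another protocol falls through to permit any any; a list without a closing permit any any denies everything that no entry matches.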

Related Commands

show mac-address-table

mac-address-table aging-time

To configure the aging time for entries in the Layer 2 table, use the mac-address-table aging-time command. Use the no form of this command to reset the seconds value to the default settings.

mac-address-table aging-time seconds [vlan vlan-id]

no mac-address-table aging-time seconds [vlan vlan-id]

Syntax Description

seconds

Aging time; valid values are 0 and from 10 to 1,000,000 seconds.

vlan vlan-id

(Optional) Specifies the VLAN to apply the changed aging time; valid values are from 1 to 4094.


Defaults

300 seconds

Command Modes

Global configuration

Command History

Release
Modification

12.0(7)XE

Support for this command was introduced on the Catalyst 6500 series switches.

12.1(1)E

Support for this command on the Catalyst 6500 series switches was extended to the 12.1 E release.

12.1(11b)EX

The command was changed to support extended-range VLANs.


Usage Guidelines

If you do not enter a VLAN, the change is applied to all routed-port VLANs.

If your system is configured with a Supervisor Engine 1, valid values for vlan-id are from 1 to 1005. If your system is configured with a Supervisor Engine 2, valid values for vlan-id are from 1 to 4094. Extended-range VLANs are not supported on systems configured with a Supervisor Engine 1.

Enter 0 seconds to disable aging.

Examples

This example shows how to configure the aging time:

Router(config)# mac-address-table aging-time 400
Router(config)#

This example shows how to disable aging:

Router(config)# mac-address-table aging-time 0
Router(config)#

Related Commands

show mac-address-table

mac-address-table static

To add static entries to the MAC address table or configure a static MAC address with IGMP snooping disabled for that address, use the mac-address-table static command. Use the no form of this command to do the following:

Remove entries profiled by the combination of specified entry information.

Note that IGMP snooping is not disabled for the specified address.

mac-address-table static mac-addr {vlan vlan-id} {{interface type} [auto-learn | disable-snooping]} | {drop [disable-snooping]} [protocol {ip | ipx | assigned}]

no mac-address-table static mac-addr {vlan vlan-id} {interface int} [disable-snooping]

Syntax Description

mac-addr

Address to add to the MAC address table.

vlan vlan-id

VLAN to apply the changed aging time; valid values are from 1 to 4094.

interface type

Interface type and module/port number.

auto-learn

(Optional) Updates the entry with the new port; see the "Usage Guidelines" section for additional information.

drop

Drops all traffic received from and going to the configured MAC address in the specified VLAN.

disable-snooping

(Optional) Disables IGMP snooping on the multicast MAC address.

protocol

(Optional) Specifies the protocol associated with the entry.

ip

Specifies the IP protocol.

ipx

Specifies the IPX protocol.

assigned

Specifies assigned protocol bucket accounts for such protocols as DECnet, Banyan VINES, and AppleTalk.


Defaults

This command has no default settings.

Command Modes

Global configuration

Command History

Release
Modification

12.0(7)XE

Support for this command was introduced on the Catalyst 6500 series switches.

12.1(1)E

Support for this command on the Catalyst 6500 series switches was extended to the 12.1 E release.

12.1(5c)EX

This command was changed to support multicast addresses.

12.1(11b)EX

The command was changed to support extended-range VLANs.

12.1(11b)E2

This command was changed to add the disable-snooping option.

12.1(13)E

This command replaces the ip igmp snooping static command. This command was changed to support MAC-address filtering.


Usage Guidelines

If your system is configured with a Supervisor Engine 1, valid values for vlan-id are from 1 to 1005. If your system is configured with a Supervisor Engine 2, valid values for vlan-id are from 1 to 4094. Extended-range VLANs are not supported on systems configured with a Supervisor Engine 1.

When a static MAC address is installed, it is associated with a port. If the same MAC address is seen on a different port, the entry is updated with the new port if you enter the auto-learn keyword.

The output interface specified must be a Layer 2 IDB and not an SVI.

You can enter up to 15 interfaces per command entered, but you can enter more interfaces by repeating the command.

If you do not enter a protocol type, an entry is automatically created for each of the four protocol types.

Entering the no form of this command does not remove system MAC addresses. Also, entering the no form of this command does not disable IGMP snooping for the specified address.

When removing a MAC address, entering interface int is optional. For unicast entries, the entry is removed automatically. For multicast entries, if you do not specify an interface, the entire entry is removed. You can specify the selected ports to be removed by specifying the interface.

The mac-address-table static mac-addr {vlan vlan-id} {interface int} disable-snooping command disables snooping on the specified static MAC entry/VLAN pair only. To reenable snooping, you must first delete the MAC address and then reinstall it using the mac-address-table static mac-addr {vlan vlan-id} {interface int} command without entering the disable-snooping keyword.

The mac-address-table static mac-addr {vlan vlan-id} drop command applies to unicast traffic only.

Examples

This example shows how to add static entries to the MAC address table:

Router(config)# mac-address-table static 0050.3e8d.6400 vlan 100 interface fastethernet5/7 
Router(config)# 

This example shows how to configure a static MAC address with IGMP snooping disabled for a specified address:

Router(config)# mac-address-table static 0050.3e8d.6400 vlan 100 interface fastethernet5/7 disable-snooping
Router(config)# 

Related Commands

show mac-address-table

mac-address-table unicast-flood

To enable unicast flood protection, use the mac-address-table unicast-flood command. Use the no form of this command to disable unicast flood protection.

mac-address-table unicast-flood {limit kfps} {vlan vlan} {filter timeout | alert | shutdown}

no mac-address-table unicast-flood {limit kfps} {vlan vlan}

Syntax Description

limit kfps

Limits the unicast floods on a per-source MAC address and per-VLAN basis; valid values are from 1 to 4000 Kfps.

vlan vlan-id

VLAN to apply the flood limit; valid values are from 1 to 4094.

filter timeout

Specifies how long to filter unicast floods; valid values are from 1 to 34560 minutes.

alert

Sends an alert when frames of unicast floods exceed the flood rate limit.

shutdown

Shuts down the ingress port generating the floods when frames of unicast floods exceed the flood rate limit.


Defaults

This command has no default settings.

Command Modes

Global configuration

Command History

Release
Modification

12.1(19)E

Support for this command was introduced on the Catalyst 6500 series switches.


Usage Guidelines

This command is supported on systems configured with a Supervisor Engine 2 only.

We recommend that you configure unicast flood protection as follows:

Set the limit kfps argument to 10 Kfps.

Set the filter timeout argument to 5 minutes.

The shutdown option is supported on nontrunk ports only.

If you specify alert and unknown unicast floods exceeding the threshold are detected, an error message is displayed and no further action is taken.

If you specify shutdown and unknown unicast floods exceeding the threshold are detected, an error message is displayed. Once the error message is displayed, the port goes to err-disable mode.

Examples

This example shows how to set the flood rate limit to 3000 fps and display an error message when the rate limit has been exceeded:

Router(config)# mac-address-table unicast-flood limit 3 vlan 125 alert
Router(config)#
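
The following Python example is added here and is not part of the Cisco documentation. It checks configuration text against the value ranges and recommended settings described above, and assumes that entries appear in the configuration in the same form as the command syntax; the sample configuration, the function name, and the finding labels are constructed.

```python
import re

# Assumption: configured entries mirror the command syntax shown on the page.
ENTRY_RE = re.compile(
    r"^\s*mac-address-table unicast-flood limit (?P<limit>\d+) vlan (?P<vlan>\d+)"
    r" (?P<action>filter (?P<timeout>\d+)|alert|shutdown)\s*$"
)
RECOMMENDED_LIMIT_KFPS = 10    # recommended limit from the usage guidelines
RECOMMENDED_FILTER_MIN = 5     # recommended filter timeout from the usage guidelines


def audit_unicast_flood(config_text, required_vlans):
    """Return (vlan, finding) tuples for the VLANs that should be protected."""
    findings = []
    protected = set()
    for line in config_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        vlan, limit = int(m["vlan"]), int(m["limit"])
        action = m["action"].split()[0]
        problems = []
        if not 1 <= vlan <= 4094:
            problems.append("vlan-out-of-range")
        if not 1 <= limit <= 4000:
            problems.append("limit-out-of-range")
        elif limit != RECOMMENDED_LIMIT_KFPS:
            problems.append("limit-not-recommended")
        if action == "filter":
            timeout = int(m["timeout"])
            if not 1 <= timeout <= 34560:
                problems.append("timeout-out-of-range")
            elif timeout != RECOMMENDED_FILTER_MIN:
                problems.append("timeout-not-recommended")
        elif action == "alert":
            # alert displays an error message and takes no further action
            problems.append("alert-only")
        # An entry with an out-of-range value is not counted as protection.
        if not any(p.endswith("out-of-range") for p in problems):
            protected.add(vlan)
        findings.extend((vlan, p) for p in problems)
    findings.extend((v, "unprotected") for v in required_vlans if v not in protected)
    return findings


# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
mac-address-table aging-time 400
mac-address-table unicast-flood limit 10 vlan 100 filter 5
mac-address-table unicast-flood limit 3 vlan 125 alert
mac-address-table unicast-flood limit 5000 vlan 130 shutdown
"""

if __name__ == "__main__":
    for vlan, finding in audit_unicast_flood(SAMPLE_CONFIG, [100, 125, 130, 200]):
        print("vlan %d: %s" % (vlan, finding))
```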

Related Commands

show mac-address-table unicast

match

To specify the match clause by selecting one or more ACLs for a VLAN access-map sequence, use the match subcommand. The match clause specifies the IP, IPX, or MAC ACLs for traffic filtering. Use the no form of this command to remove the match clause.

match {ip address {acl-number | acl-name}} | {ipx address {acl-number | acl-name} | {mac address acl-name}}

no match {ip address {acl-number | acl-name}} | {ipx address {acl-number | acl-name} | {mac address acl-name}}

Syntax Description

ip address acl-number

Selects one or more IP ACLs for a VLAN access-map sequence; valid values are from 1 to 199 and from 1300 to 2699.

ip address acl-name

Selects an IP ACL by name.

ipx address acl-number

Selects one or more IPX ACLs for a VLAN access-map sequence; valid values are from 800 to 999.

ipx address acl-name

Selects an IPX ACL by name.

mac address acl-name

Selects one or more MAC ACLs for a VLAN access-map sequence.


Defaults

This command has no default settings.

Command Modes

VLAN access-map submode

Command History

Release
Modification

12.1(8)ES

Support for this command was introduced on the Catalyst 6500 series switches.

12.1(13)E

This command was changed to support the match protocol option.


Usage Guidelines

The match ipx address and match mac address commands are not supported for VACLs on WAN interfaces.

IPX ACLs used in VACLs can specify only the IPX protocol type, the source network, the destination network, and the destination host address.

The MAC sequence is not effective for IP or IPX packets. IP packets and IPX packets should be access controlled by IP and IPX match clauses.

You cannot configure VACLs on secondary VLANs. The secondary VLAN inherits all features that are configured on the primary VLAN.

These subcommands appear in the CLI help but are not supported by the PFC QoS:

match cos

match any

match class-map

match destination-address

match input-interface

match mpls

match protocol

match qos-group

match source-address


Note The match protocol option is supported on systems configured with an MSFC2 and Release 12.1(13)E and later releases. The match protocol class map command configures NBAR and sends all traffic on the port, both ingress and egress, to be processed in software on the MSFC2. To configure NBAR, refer to the Cisco IOS Release 12.1 Command Reference publication. Earlier releases provide PFC QoS and Layer 3 switching in hardware, which prevents support of the match protocol class map command except for traffic that is processed in software on the MSFC.


Refer to the Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide for additional configuration guidelines and restrictions.

Refer to the Cisco IOS Release 12.1 Command Reference publication for additional match command information.

Examples

This example shows how to define a match clause for a VLAN access map:

Router(config)# vlan access-map ganymede 10
Router(config-access-map)# match ip address 13 
Router(config-access-map)#

Related Commands

action
show vlan access-map
vlan access-map

maxconns (real server configuration submode)

To limit the number of active connections to the real server, use the maxconns command. Use the no form of this command to change the maximum number of connections to the default settings.

maxconns number-conns

no maxconns

Syntax Description

number-conns

Maximum number of active connections on the real server at any one point in time; valid values are from 0 to 4294967295.


Defaults

0

Command Modes

Real server configuration submode

Command History

Release
Modification

12.0(7)XE

Support for this command was introduced on the Catalyst 6500 series switches.

12.1(1)E

Support for this command on the Catalyst 6500 series switches was extended to the 12.1 E release.


Usage Guidelines

If you do not specify the number-conns value, the default value is 0, meaning that the maximum number of connections to the real server is not monitored.

Examples

This example shows how to limit the number of active connections to the real server:

Router(config-if)# maxconns 49672
Router(config-if)# 

This example shows how to revert to the default value:

Router(config-if)# no maxconns
Router(config-if)# 

Related Commands

faildetect numconns (refer to the Cisco IOS Release 12.1 Command Reference)
inservice (refer to the Cisco IOS Release 12.1 Command Reference)
retry

maximum-paths

To control the maximum number of parallel routes that an IP routing protocol can support, use the maximum-paths command. Use the no form of this command to restore the default settings.

maximum-paths maximum

no maximum-paths

Syntax Description

maximum

Maximum number of parallel routes that an IP routing protocol installs in a routing table; valid values are from 1 to 8.


Defaults

The defaults are as follows:

BGP has one path.

All other IP routing protocols have four paths.

Command Modes

Routing protocol configuration

Command History

Release
Modification

12.0(7)XE

Support for this command was introduced on the Catalyst 6500 series switches.

12.1(1)E

Support for this command on the Catalyst 6500 series switches was extended to the 12.1 E release.

12.1(8a)E

This command was modified to change the maximum number of parallel routes from six to eight paths.


Examples

This example shows how to allow a maximum of two paths to a destination:

Router(config-router)# maximum-paths 2
Router(config-router)#

mdix auto

To enable an automatic media-dependent interface with crossover detection, use the mdix auto command. Use the no form of this command to turn automatic detection off.

mdix auto

no mdix auto

Syntax Description

This command has no arguments or keywords.

Defaults

Enabled

Command Modes

EXEC

Command History

Release
Modification

12.1(13)E

Support for this command was introduced on the Catalyst 6500 series switches.


Usage Guidelines

This command is supported on the following modules only:

WS-X6524-100FX-MM

WS-X6548-RJ-45

WS-X6548-RJ-21

Examples

This example shows how to enable an automatic media-dependent interface with crossover detection:

Router# mdix auto
Router# 

This example shows how to disable automatic media-dependent interface with crossover detection:

Router# no mdix auto
Router# 

mkdir disk0:

To create a new directory in a Flash file system, use the mkdir disk0: command.

mkdir disk0:

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

EXEC

Command History

Release
Modification

12.0(7)XE

Support for this command was introduced on the Catalyst 6500 series switches.

12.1(1)E

Support for this command on the Catalyst 6500 series switches was extended to the 12.1 E release.

12.1(8a)EX

This command was changed to support the disk0: keyword.


Usage Guidelines

This command is only valid on Flash file systems.

After you enter the mkdir disk0: command, you are prompted to enter the new directory filename.

To check your entry, enter the dir command.

To remove a directory, enter the rmdir command.

Examples

This example shows how to create a directory named newdir:

Router# mkdir disk0:
Create directory filename [ ]? newdir
Created dir disk0: newdir
Router# 

Related Commands

cd
dir (refer to the Cisco IOS Release 12.1 Command Reference)
rmdir (refer to the Cisco IOS Release 12.1 Command Reference)

mls aclmerge algorithm

To select the type of ACL merge method to use, use the mls aclmerge algorithm command. Use the no form of this command to disable the ACL merge method.

mls aclmerge algorithm {bdd | odm}

no mls aclmerge algorithm {bdd | odm}

Syntax Description

bdd

Specifies the BDD-based ACL merge function.

odm

Specifies the ODM-based ACL merge function.


Defaults

bdd

Command Modes

Global configuration mode

Command History

Release
Modification

12.1(8a)EX2

Support for this command was introduced on the Catalyst 6500 series switches.

12.1(12c)E1

Support for this command on the Catalyst 6500 series switches was extended to the 12.1 E release. This command was changed to support the ODM-based ACL merge function on both security ACLs and ACLs used for QoS filtering.


Usage Guidelines

The BDD-based ACL merge function uses a method of representing Boolean functions to condense entries into a single merged list of TCAM entries that can be programmed into the TCAM.

The ODM-based ACL merge function uses an order-dependent merge algorithm to process entries that can be programmed into the TCAM.


Note In releases earlier than Cisco IOS Release 12.1(12c)E1, the ODM-based ACL merge function supports only security ACLs and does not apply to ACLs used for QoS filtering. In Cisco IOS Release 12.1(12c)E1 and later releases, the ODM-based ACL merge function supports both security ACLs and ACLs used for QoS filtering.


If you change the algorithm method, the change is not retroactive. For example, ACLs that have had the merge applied are not affected. The merge change applies to future merges only.

Use the show fm summary command to see the status of the current merge method.

Examples

This example shows how to select the BDD-based ACL merge function to process ACLs:

Router(config)# mls aclmerge algorithm bdd
The algorithm chosen will take effect for new ACLs which are being applied, not
for already applied ACLs.
Router(config)#

This example shows how to select the ODM-based ACL merge function to process ACLs:

Router(config)# mls aclmerge algorithm odm
The algorithm chosen will take effect for new ACLs which are being applied, not
for already applied ACLs. 
Router(config)#

Related Commands

show fm summary

mls aging fast

To configure the fast-aging time for unicast entries in the Layer 3 table, use the mls aging fast command. Use the no form of this command to restore the MLS fast-aging time to the default settings.

mls aging fast [{threshold packet-count} [{time seconds}]]

mls aging fast [{time seconds} [{threshold packet-count}]]

no mls aging fast

Syntax Description

threshold packet-count

(Optional) Specifies the fast-aging threshold packet count for Layer 3 fast aging; valid values are from 1 to 128.

time seconds

(Optional) Specifies how often entries are checked; valid values are from 1 to 128 seconds.


Defaults

The defaults are as follows:

Fast aging is disabled.

If fast aging is enabled, the default packet-count value is 100 packets and the seconds default is 32 seconds.

Command Modes

Global configuration

Command History

Release
Modification

12.0(7)XE

Support for this command was introduced on the Catalyst 6500 series switches.

12.1(1)E

Support for this command on the Catalyst 6500 series switches was extended to the 12.1 E release.


Usage Guidelines

This command has no effect when sampled NetFlow is configured. You must disable sampled NetFlow to allow this command to take effect.

Examples

This example shows how to configure the MLS fast-aging threshold:

Router(config)# mls aging fast threshold 50
Router(config)#

Related Commands

show mls netflow

mls aging long

To configure the long-aging time for unicast entries in the Layer 3 table, use the mls aging long command. Use the no form of this command to restore MLS long-aging time to the default settings.

mls aging long seconds

no mls aging long

Syntax Description

seconds

Layer 3 long-aging timeout; valid values are from 64 to 1920 seconds.


Defaults

1920 seconds

Command Modes

Global configuration

Command History

Release
Modification

12.0(7)XE

Support for this command was introduced on the Catalyst 6500 series switches.

12.1(1)E

Support for this command on the Catalyst 6500 series switches was extended to the 12.1 E release.


Usage Guidelines

This command has no effect when sampled NetFlow is configured. You must disable sampled NetFlow to allow this command to take effect.

Examples

This example shows how to configure the MLS long-aging threshold:

Router(config)# mls aging long 800
Router(config)#

Related Commands

show mls netflow

mls aging normal

To configure the normal-aging time for unicast entries in the Layer 3 table, use the mls aging normal command. Use the no form of this command to restore MLS normal-aging time to the default settings.

mls aging normal seconds

no mls aging normal

Syntax Description

seconds

Normal Layer 3 aging timeout; valid values are from 32 to 4092 seconds.


Defaults

300 seconds

Command Modes

Global configuration

Command History

Release
Modification

12.0(7)XE

Support for this command was introduced on the Catalyst 6500 series switches.

12.1(1)E

Support for this command on the Catalyst 6500 series switches was extended to the 12.1 E release.


Usage Guidelines

This command has no effect when sampled NetFlow is configured. You must disable sampled NetFlow to allow this command to take effect.

Examples

This example shows how to configure the MLS normal-aging threshold:

Router(config)# mls aging normal 200
Router(config)#

Related Commands

show mls netflow