Catalyst Supervisor Engine 32 PISA IOS Command Reference, 12.2ZY
eigrp event-log-size to mls exclude

Table Of Contents

eigrp event-log-size

encapsulation dot1q

encapsulation isl

erase

errdisable detect cause

errdisable recovery

error-detection packet-buffer action

file verify auto

flowcontrol

format

fsck

hold-queue

hw-module boot

hw-module fan-tray version

hw-module oversubscription

hw-module reset

hw-module shutdown

hw-module simulate link-up

instance

interface

interface port-channel

interface range

interface vlan

inter-packet gap 6502-mode

ip access-list hardware permit fragments

ip arp inspection filter vlan

ip arp inspection limit

ip arp inspection log-buffer

ip arp inspection trust

ip arp inspection validate

ip arp inspection vlan

ip arp inspection vlan logging

ip auth-proxy max-login-attempts

ip auth-proxy watch-list

ip casa

ip cef load-sharing algorithm

ip cef table consistency-check

ip dhcp relay information option trust-all

ip dhcp relay information trust

ip dhcp route connected

ip dhcp snooping

ip dhcp snooping binding

ip dhcp snooping database

ip dhcp snooping information option

ip dhcp snooping limit rate

ip dhcp snooping packets

ip dhcp snooping verify mac-address

ip dhcp snooping vlan

ip flow-aggregation cache

ip flow-cache entries

ip flow-export

ip flow-export destination

ip flow-export hardware version

ip flow-export interface

ip flow-export source

ip flow-export version

ip flow ingress

ip flow layer2-switched

ip forward-protocol turbo-flood

ip igmp immediate-leave group-list

ip igmp last-member-query-interval

ip igmp snooping

ip igmp snooping explicit-tracking

ip igmp snooping fast-leave

ip igmp snooping flooding

ip igmp snooping l2-entry-limit

ip igmp snooping last-member-query-interval

ip igmp snooping limit track

ip igmp snooping mrouter

ip igmp snooping querier

ip igmp snooping rate

ip igmp snooping report-suppression

ip igmp snooping source-only-learning age-timer

ip igmp ssm-map

ip igmp tcn query

ip local-proxy-arp

ip mroute

ip msdp border

ip msdp cache-sa-state

ip msdp default-peer

ip msdp description

ip msdp filter-sa-request

ip msdp mesh-group

ip msdp originator-id

ip msdp peer

ip msdp redistribute

ip msdp sa-filter in

ip msdp sa-filter out

ip msdp sa-request

ip msdp shutdown

ip msdp ttl-threshold

ip multicast boundary

ip multicast cache-headers

ip multicast helper-map

ip multicast mrinfo-filter

ip multicast multipath

ip multicast netflow

ip multicast route-limit

ip multicast-routing

ip multicast rpf backoff

ip multicast rpf interval

ip pim accept-register

ip pim accept-rp

ip pim bidir-enable

ip pim bsr-candidate

ip pim register-rate-limit

ip pim register-source

ip pim rp-announce-filter

ip pim rp-candidate

ip pim send-rp-announce

ip pim send-rp-discovery

ip pim snooping (global configuration mode)

ip pim snooping (interface configuration mode)

ip pim snooping dr-flood

ip pim snooping suppress sgr-prune

ip pim spt-threshold

ip pim ssm

ip pim state-refresh disable

ip rgmp

ip route-cache flow

ip sticky-arp (global configuration)

ip sticky-arp (interface configuration)

ip unnumbered

ipv6 mfib-cef

ipv6 mfib hardware-switching

ipv6 mld snooping

ipv6 mld snooping explicit-tracking

ipv6 mld snooping last-member-query-interval

ipv6 mld snooping limit

ipv6 mld snooping mrouter

ipv6 mld snooping querier

ipv6 mld snooping report-suppression

ip verify unicast reverse-path

ip verify unicast source reachable-via

ip wccp group-listen

ip wccp redirect

ip wccp web-cache accelerated

l2protocol-tunnel

l2protocol-tunnel cos

l2protocol-tunnel drop-threshold

l2protocol-tunnel global drop-threshold

l2protocol-tunnel shutdown-threshold

l2 vfi manual

lacp max-bundle

lacp port-priority

lacp rate

lacp system-priority

line

link debounce

load-interval

logging event link-status (global configuration)

logging event link-status (interface configuration)

logging event subif-link-status

logging ip access-list cache (global configuration mode)

logging ip access-list cache (interface configuration mode)

mac access-list extended

mac-address-table aging-time

mac-address-table learning

mac-address-table limit

mac-address-table notification mac-move

mac-address-table notification threshold

mac-address-table static

mac-address-table synchronize

mac packet-classify

mac packet-classify use vlan

match

match protocol

maxconns (real server configuration submode)

maximum-paths

mdix auto

mdt data

mdt default

mdt log-reuse

media-type

mkdir disk0:

mls aclmerge algorithm

mls acl tcam default-result

mls acl tcam share-global

mls aging fast

mls aging long

mls aging normal

mls cef maximum-routes

mls cef tunnel fragment

mls erm priority

mls exclude protocol


eigrp event-log-size

To set the size of the IP-EIGRP event log, use the eigrp event-log-size command.

eigrp event-log-size size

Syntax Description

size

IP-EIGRP event log size; valid values are from 0 to 4294967295.


Command Default

This command has no default settings.

Command Modes

Router configuration (config-router)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

After the event log grows beyond the configured size, only the most recent lines, up to the configured event-log-size, are retained.

Examples

This example shows how to set the size of the IP-EIGRP event log:

Router(config-router)# eigrp event-log-size 5000010
Router(config-router)#

Related Commands

Command
Description

clear ip eigrp event

Clears the IP-EIGRP event log.


encapsulation dot1q

To enable the IEEE 802.1Q encapsulation of traffic on a specified subinterface in the VLANs, use the encapsulation dot1q command.

encapsulation dot1q vlan-id [native]

Syntax Description

vlan-id

Virtual LAN identifier; valid values are from 1 to 4094.

native

(Optional) Sets the PVID value of the port to the vlan-id value.


Command Default

This command has no default settings.

Command Modes

Subinterface configuration

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

Always use the native keyword when the vlan-id is the ID of the 802.1Q native VLAN. Do not configure encapsulation on the native VLAN of an 802.1Q trunk without the native keyword.

To enter the subinterface configuration mode, you must enter the interface configuration mode first and then enter the interface command to specify a subinterface.

Examples

This example shows how to set encapsulation for VLAN traffic using the 802.1Q protocol for VLAN 100:

Router(config-subif)# encapsulation dot1q 100
Router(config-subif)#

Related Commands

Command
Description

encapsulation isl

Enables ISL.


encapsulation isl

To enable ISL, use the encapsulation isl command.

encapsulation isl vlan-identifier

Syntax Description

vlan-identifier

VLAN identifier; valid values are from 1 to 4094.


Command Default

This command has no default settings.

Command Modes

Subinterface configuration

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

ISL is a Cisco protocol that is used for interconnecting multiple switches and routers and for defining VLAN topologies.

ISL encapsulation adds a 26-byte header to the beginning of the Ethernet frame. The header contains a 10-bit VLAN identifier that conveys VLAN membership identities between the switches.

To enter the subinterface configuration mode, you must enter the interface configuration mode first and then enter the interface command to specify a subinterface.

Examples

This example shows how to enable ISL on Fast Ethernet subinterface 2/1.20:

Router(config-subif)# encapsulation isl 400
Router(config-subif)#

Related Commands

Command
Description

bridge-group

Assigns each network interface to a bridge group.

show bridge vlan

Displays virtual LAN subinterfaces.

show interfaces

Displays the traffic that is seen by a specific interface.

show vlans

Displays information about the Cisco IOS VLAN subinterfaces.


erase

To erase a file system, use the erase command.

erase {const_nvram: | nvram: | startup-config:}

Syntax Description

const_nvram:

Erases all files under the const_nvram: partition.

nvram:

Erases NVRAM.

startup-config:

Erases the contents of the configuration memory.


Command Default

This command has no default settings.

Command Modes

EXEC

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines


Caution: When you use the erase command to erase a file system, you cannot recover the files in the file system.

The erase nvram: command replaces the write erase command and the erase startup-config command.

You can use the erase command on Class B and Class C flash file systems only. To reclaim space on flash file systems after deleting files using the delete command, you must use the erase command. The erase command erases all of the files in the flash file system.

Class A flash file systems cannot be erased. You can delete individual files using the delete command and then reclaim the space using the squeeze command. You can also use the format command to format the flash file system.

On Class C flash file systems, space is dynamically reclaimed when you use the delete command. You can also use either the format or erase command to reinitialize a Class C flash file system.

The erase nvram: command erases NVRAM. On Class A file system platforms, if the CONFIG_FILE variable specifies a file in flash memory, the specified file is marked "deleted."

You can enter the erase const_nvram command to erase the VLAN database configuration file.

Examples

This example shows how to erase the NVRAM and the startup configuration in the NVRAM:

Router# erase nvram:
Router# 

Related Commands

Command
Description

boot config

Specifies the device and filename of the configuration file from which the system configures itself during initialization (startup).

delete

Deletes a file from a flash memory device or NVRAM.

more nvram:startup-config:

Displays the startup configuration file contained in NVRAM or specified by the CONFIG_FILE environment variable.

show bootvar

Displays information about the BOOT environment variable.

undelete

Recovers a file that is marked "deleted" on a flash file system.


errdisable detect cause

To enable the error-disable detection, use the errdisable detect cause command. To disable the error-disable detection, use the no form of this command.

errdisable detect cause {all | dtp-flap | l2ptguard | link-flap | packet-buffer-error | pagp-flap | udld}

no errdisable detect cause {all | dtp-flap | l2ptguard | link-flap | pagp-flap | udld}

Syntax Description

all

Specifies error-disable detection for all error-disable causes.

dtp-flap

Specifies detection for the DTP flap error-disable cause.

l2ptguard

Specifies detection for the Layer 2 protocol-tunnel error-disable cause.

link-flap

Specifies detection for the link flap error-disable cause.

packet-buffer-error

Causes the packet buffer error to error-disable the affected port.

pagp-flap

Specifies detection for the PAgP flap error-disable cause.

udld

Specifies detection for the UDLD error-disable cause.


Command Default

Enabled for all causes.

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines


Note: Entering the no errdisable detect cause packet-buffer-error command allows you to detect the fault that triggers a power cycle of the affected module.


A cause (bpduguard, dtp-flap, link-flap, pagp-flap, root-guard, udld) is defined as the reason why the error-disabled state occurred. When a cause is detected on an interface, the interface is placed in an error-disabled state (an operational state that is similar to the link-down state).

You must enter the shutdown and then the no shutdown commands to recover an interface manually from the error-disable state.

Examples

This example shows how to enable the error-disable detection for the Layer 2 protocol-tunnel guard error-disable cause:

Router(config)# errdisable detect cause l2ptguard
Router(config)# 

Related Commands

Command
Description

show errdisable detect

Displays the error-disable detection status.

show interfaces status

Displays the interface status or a list of interfaces in an error-disabled state on LAN ports only.


errdisable recovery

To configure the recovery mechanism variables, use the errdisable recovery command. To return to the default state, use the no form of this command.

errdisable recovery cause {all | arp-inspection | bpduguard | channel-misconfig | dhcp-rate-limit | dtp-flap | gbic-invalid | l2ptguard | link-flap | pagp-flap | psecure-violation | security-violation | udld | unicast-flood}

errdisable recovery {interval interval}

no errdisable recovery cause {all | arp-inspection | bpduguard | channel-misconfig | dhcp-rate-limit | dtp-flap | gbic-invalid | l2ptguard | link-flap | pagp-flap | psecure-violation | security-violation | udld | unicast-flood}

no errdisable recovery {interval interval}

Syntax Description

cause

Enables error-disable recovery to recover from a specific cause.

all

Enables the recovery timers for all error-disable causes.

arp-inspection

Enables error-disable recovery to recover from an ARP inspection cause.

bpduguard

Enables the recovery timer for the BPDU-guard error-disable cause.

channel-misconfig

Enables the recovery timer for the channel-misconfig error-disable cause.

dhcp-rate-limit

Enables the recovery timer for the DHCP rate-limit error-disable cause.

dtp-flap

Enables the recovery timer for the DTP-flap error-disable cause.

gbic-invalid

Enables the recovery timer for the GBIC invalid error-disable cause.

l2ptguard

Enables the recovery timer for the Layer 2 protocol-tunnel error-disable cause.

link-flap

Enables the recovery timer for the link-flap error-disable cause.

pagp-flap

Enables the recovery timer for the PAgP-flap error-disable cause.

psecure-violation

Enables the recovery timer for the psecure-violation error-disable cause.

security-violation

Enables the automatic recovery of ports that were disabled due to 802.1X security violations.

udld

Enables the recovery timer for the UDLD error-disable cause.

unicast-flood

Enables the recovery timer for the unicast-flood error-disable cause.

interval interval

Specifies the time to recover from a specified error-disable cause; valid values are from 30 to 86400 seconds.


Command Default

The defaults are as follows:

Disabled for all causes.

If enabled, the interval is 300 seconds.

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

The secure-violation option is not supported.

A cause (bpduguard, dhcp-rate-limit, dtp-flap, l2ptguard, link-flap, pagp-flap, security-violation, channel-misconfig, psecure-violation, udld, or unicast-flood) is defined as the reason why the error-disabled state occurred. When a cause is detected on an interface, the interface is placed in an error-disabled state (an operational state that is similar to the link-down state). If you do not enable errdisable recovery for the cause, the interface stays in the error-disabled state until a shutdown and no shutdown occurs. If you enable recovery for a cause, the interface is brought out of the error-disabled state and allowed to retry operation once all the causes have timed out.

You must enter the shutdown and then the no shutdown commands to recover an interface manually from the error-disabled state.

Examples

This example shows how to enable the recovery timer for the BPDU-guard error-disable cause:

Router(config)# errdisable recovery cause bpduguard
Router(config)# 

This example shows how to set the timer to 300 seconds:

Router(config)# errdisable recovery interval 300
Router(config)# 
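
The following is an added example, not part of the Cisco reference: a small auditor that replays errdisable recovery lines in order and reports which causes will bring a port back automatically, and after how many seconds, using the keywords, defaults and interval range listed above. The sample configuration and the manual_only policy set are constructed assumptions.

```python
import re

# Cause keywords, default interval and valid range as given on this page.
CAUSES = {"arp-inspection", "bpduguard", "channel-misconfig", "dhcp-rate-limit",
          "dtp-flap", "gbic-invalid", "l2ptguard", "link-flap", "pagp-flap",
          "psecure-violation", "security-violation", "udld", "unicast-flood"}
DEFAULT_INTERVAL, MIN_INTERVAL, MAX_INTERVAL = 300, 30, 86400

LINE = re.compile(
    r"^(no\s+)?errdisable\s+recovery\s+(cause|interval)(?:\s+(\S+))?\s*$")

# Constructed sample, not taken from a real device.
SAMPLE_CONFIG = """\
errdisable recovery cause all
no errdisable recovery cause psecure-violation
no errdisable recovery cause security-violation
errdisable recovery interval 20
errdisable recovery interval 600
errdisable recovery cause rootguard
"""


def effective_recovery(config_text):
    """Replay the lines in order; return (enabled_causes, interval, errors)."""
    enabled, interval, errors = set(), DEFAULT_INTERVAL, []  # disabled by default
    for n, raw in enumerate(config_text.splitlines(), 1):
        m = LINE.match(raw.strip())
        if not m:
            continue                      # unrelated configuration line
        negate, kind, arg = bool(m.group(1)), m.group(2), m.group(3)
        if kind == "interval":
            if negate:
                interval = DEFAULT_INTERVAL
            elif (arg is None or not arg.isdigit()
                  or not MIN_INTERVAL <= int(arg) <= MAX_INTERVAL):
                errors.append((n, f"interval not in {MIN_INTERVAL}-{MAX_INTERVAL}: {arg}"))
            else:
                interval = int(arg)
        else:
            targets = CAUSES if arg == "all" else {arg}
            if not targets <= CAUSES:
                errors.append((n, f"unknown cause: {arg}"))
            elif negate:
                enabled -= targets
            else:
                enabled |= targets
    return enabled, interval, errors


def audit(config_text, manual_only):
    """Causes that auto-recover although the (hypothetical) site policy in
    manual_only wants a shutdown / no shutdown by an operator instead."""
    enabled, interval, errors = effective_recovery(config_text)
    return sorted(enabled & set(manual_only)), interval, errors


if __name__ == "__main__":
    flagged, interval, errors = audit(
        SAMPLE_CONFIG, {"bpduguard", "arp-inspection", "psecure-violation"})
    for cause in flagged:
        print(f"{cause}: port re-enabled automatically after {interval} s")
    for line_no, msg in errors:
        print(f"line {line_no}: {msg}")
```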

Related Commands

Command
Description

show errdisable recovery

Displays the information about the error-disable recovery timer.

show interfaces status

Displays the interface status or a list of interfaces in an error-disabled state on LAN ports only.


error-detection packet-buffer action

To specify the action that a module takes after packet buffer memory failures, use the error-detection packet-buffer action command. To return to the default settings, use the no form of this command.

error-detection packet-buffer action {module num} {error-disable | power-down | reset}

Syntax Description

module num

Specifies the module number.

error-disable

Error disables the module.

power-down

Powers down the module.

reset

Resets the module.


Command Default

Error-disable port group

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

This command is supported on the following modules only:

WS-X6348-RJ-45

WS-X6348-RJ-21V

WS-X6248-RJ-45

WS-X6248-TEL

WS-X6148-RJ-45

WS-X6148-RJ-21

When you specify the reset keyword, a rapid reboot (approximately 10 seconds) and not a normal reboot (approximately 45 to 50 seconds) is performed. Prior to this release, the module always went through a non-rapid reboot.

Examples

This example shows how to set the module to error disable after packet buffer memory failures:

Router(config)# error-detection packet-buffer action module 2 error-disable
Router(config)# 

This example shows how to set the module to power down after packet buffer memory failures:

Router(config)# error-detection packet-buffer action module 2 power-down
Router(config)# 

This example shows how to set the module to reset after packet buffer memory failures:

Router(config)# error-detection packet-buffer action module 2 reset
Router(config)# 

file verify auto

To verify the compressed Cisco IOS image checksum, use the file verify auto command. To turn off automatic verification after a copy operation, use the no form of this command.

file verify auto

no file verify auto

Syntax Description

This command has no arguments or keywords.

Command Default

Verification is done automatically after completion of a copy operation.

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

Enter the copy /noverify command to override the default behavior for a single copy operation.

Examples

This example shows how to verify the compressed Cisco IOS image checksum:

Router(config)# file verify auto
Router(config)#

Related Commands

Command
Description

copy /noverify

Disables the automatic image verification for the current copy operation.

verify

Verifies the checksum of a file on a flash memory file system or computes an MD5 signature for a file.


flowcontrol

To configure a port to send or receive pause frames, use the flowcontrol command.

flowcontrol {send | receive} {desired | off | on}

Syntax Description

send

Specifies that a port sends pause frames.

receive

Specifies that a port processes pause frames.

desired

Obtains predictable results regardless of whether a remote port is set to on, off, or desired.

off

Prevents a local port from receiving and processing pause frames from remote ports or from sending pause frames to remote ports.

on

Enables a local port to receive and process pause frames from remote ports or send pause frames to remote ports.


Command Default

Flow-control defaults depend upon port speed. The defaults are as follows:

Gigabit Ethernet ports default to off for receive and desired for send.

Fast Ethernet ports default to off for receive and on for send.

On the 24-port 100BASE-FX and 48-port 10/100 BASE-TX RJ-45 modules, the default is off for receive and off for send.

10-Gigabit Ethernet ports are permanently configured to respond to pause frames, and the default for send is off.

Command Modes

Interface configuration (config-if)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

The send and desired keywords are supported on Gigabit Ethernet ports only.

Pause frames are special packets that signal a source to stop sending frames for a specific period of time because the buffers are full.

Gigabit Ethernet ports on the Catalyst 6500 series switches use flow control to inhibit the transmission of packets to the port for a period of time; other Ethernet ports use flow control to respond to flow-control requests.

If a Gigabit Ethernet port receive buffer becomes full, the port transmits a "pause" packet that tells remote ports to delay sending more packets for a specified period of time. All Ethernet ports (1000 Mbps, 100 Mbps, and 10 Mbps) can receive and act upon "pause" packets from other devices.

You can configure non-Gigabit Ethernet ports to ignore received pause frames (disable) or to react to them (enable).

When used with receive, the on and desired keywords have the same result.

All Catalyst 6500 series switch Gigabit Ethernet ports can receive and process pause frames from remote devices.

To obtain predictable results, follow these guidelines:

Use send on only when remote ports are set to receive on or receive desired.

Use send off only when remote ports are set to receive off or receive desired.

Use receive on only when remote ports are set to send on or send desired.

Examples

These examples show how to configure the local port to not support any level of flow control by the remote port:

Router(config-if)# flowcontrol receive off
Router(config-if)#

Router(config-if)# flowcontrol send off
Router(config-if)#

Related Commands

Command
Description

show interfaces flowcontrol

Displays flow-control information.


format

To format a Class A or Class C flash file system, use the format command.

Class A flash file system:

format bootflash: [spare spare-number] filesystem1: [[filesystem2:][monlib-filename]]

Class C flash file system:

format filesystem1:


Caution: Reserve a certain number of memory sectors as spares, so that if some sectors fail, most of the flash PC card can still be used. Otherwise, you must reformat the flash PC card when some of the sectors fail.

Syntax Description

spare spare-number

(Optional) Specifies the number of the spare sectors to reserve on formatted flash memory; valid values are from 0 to 16.

filesystem1:

File system to format; valid values are disk0:, bootdisk:, and sup-bootdisk:; see the "Usage Guidelines" section for additional information.

filesystem2:

(Optional) File system, followed by a colon, that contains the monlib file to use for formatting filesystem1.

monlib-filename

(Optional) Name of the ROM monitor library file (monlib file) to use for formatting the filesystem1 argument.


Command Default

The defaults are as follows:

monlib-filename is the one bundled with the system software.

spare-number is zero (0).

Command Modes

EXEC

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

Use this command to format Class A or C flash memory file systems.

The Supervisor Engine 32 PISA has these flash memory devices:

disk0:

One external CompactFlash Type II slot

Supports CompactFlash Type II Flash PC cards

sup-bootdisk:

Supervisor Engine 32 PISA 256-MB internal CompactFlash flash memory

From the Supervisor Engine 32 PISA ROMMON, it is bootdisk:

bootdisk:

PISA 256-MB internal CompactFlash flash memory

Not accessible from the Supervisor Engine 32 PISA ROMMON

In some cases, you might need to insert a new flash PC card and load images or back up configuration files onto it. Before you can use a new flash PC card, you must format it.

Sectors in flash PC cards can fail. Reserve certain flash PC sectors as "spares" by using the optional spare argument on the format command to specify between 0 and 16 sectors as spares. If you reserve a small number of spare sectors for emergencies, you can still use most of the flash PC card. If you specify 0 spare sectors and some sectors fail, you must reformat the flash PC card, which erases all existing data.

The monlib file is the ROM monitor library. The ROM monitor uses this file to access files in the flash file system. The Cisco IOS system software contains a monlib file.

When this command is used with HSA and you do not specify the monlib-filename argument, the system takes the ROM monitor library file from the slave image bundle. If you specify the monlib-filename argument, the system assumes that the files reside on the slave devices.

In the command syntax, filesystem1: specifies the device to format, and filesystem2: specifies the optional device containing the monlib file, used to format filesystem1:. If you omit the optional filesystem2: and monlib-filename arguments, the system formats filesystem1:, using the monlib file that is already bundled with the system software. If you omit only the optional filesystem2: argument, the system formats filesystem1:, using the monlib file from the device that you specified with the cd command. If you omit only the optional monlib-filename argument, the system formats filesystem1: using filesystem2:'s monlib file. When you specify both arguments (filesystem2: and monlib-filename), the system formats filesystem1:, using the monlib file from the specified device. You can specify filesystem1:'s own monlib file in this argument. If the system cannot find a monlib file, it terminates its formatting.

Examples

This example shows how to format a CompactFlash PC card that is inserted in slot 0:

Router# format disk0:
Running config file on this device, proceed? [confirm]y
All sectors will be erased, proceed? [confirm]y
Enter volume id (up to 31 characters): <Return>
Formatting sector 1 (erasing)
Format device disk0 completed

When the console returns to the EXEC prompt, the new CompactFlash PC card is successfully formatted and ready for use.

Related Commands

Command
Description

cd

Changes the default directory or file system.

copy

Copies any file from a source to a destination.

delete

Deletes a file from a flash memory device or NVRAM.

show file systems

Lists available file systems.

undelete

Recovers a file that is marked as "deleted" on a flash file system.


fsck

To check a flash file system for damage and to repair any problems, use the fsck command.

fsck [/automatic | disk0:]

Syntax Description

/automatic

(Optional) Specifies automatic mode; see the "Usage Guidelines" section for additional information.

disk0:

(Optional) Specifies the file system to check.


Command Default

The current file system is checked if disk0: is not specified.

Command Modes

EXEC

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

This command is valid only on Class C flash file systems and on PCMCIA ATA flash disks and CompactFlash disks.

If you do not enter any arguments, the current file system is used. Use the pwd command to display the current file system.

If you enter the disk0: keyword, the fsck utility checks the selected file system for problems. If a problem is detected, a prompt is displayed asking if you want the problem fixed.

If you enter the /automatic keyword, you are prompted to confirm that you want the automatic mode. In automatic mode, problems are fixed automatically and you are not prompted to confirm.

Table 2-9 lists the checks and actions that are performed by the fsck utility.

Table 2-9 fsck Utility Checks and Actions

Check: Checks the boot sector and the partition table and reports the errors.
Action: No action.

Check: Validates the media with the signature in the last 2 bytes of the first sector (0x55 and 0xaa, respectively).
Action: No action.

Check: Checks the os_id to find whether this is a FAT-12 or FAT-16 file system (valid values include 0, 1, 4, and 6).
Action: No action.

Check: Checks the number of FATs field (correct values are 1 and 2).
Action: No action.

Check: Checks these values:
    n_fat_sectors cannot be less than 1.
    n_root_entries cannot be less than 16.
    n_root_sectors cannot be less than 2.
    base_fat_sector, n_sectors_per_cluster, n_heads, n_sectors_per_track cannot be 0.
Action: No action.

Checks the files and FAT for these errors:

    Check: Checks the FAT for invalid cluster numbers.
    Action: If the cluster is a part of a file chain, the cluster is changed to end of file (EOF). If the cluster is not part of a file chain, it is added to the free list and unused cluster chain. Table 2-10 lists valid cluster numbers; numbers other than those listed in Table 2-10 are invalid numbers.

    Check: Checks the file's cluster chain for loops.
    Action: If the loop is broken, the file is truncated at the cluster where the looping occurred.

    Check: Checks the directories for nonzero size fields.
    Action: If directories are found with nonzero size fields, the size is reset to zero.

    Check: Checks for invalid start cluster file numbers.
    Action: If the start cluster number of a file is invalid, the file is deleted.

    Check: Checks files for bad or free clusters.
    Action: If the file contains bad or free clusters, the file is truncated at the last good cluster; an example is the cluster that points to this bad/free cluster.

    Check: Checks to see if the file's cluster chain is longer than indicated by the size fields.
    Action: If the file's cluster chain is longer than indicated by the size fields, the file size is recalculated and the directory entry is updated.

    Check: Checks to see if two or more files share the same cluster (crosslinked).
    Action: If two or more files are crosslinked, you are prompted to accept the repair, and one of the files is truncated.

    Check: Checks to see if the file's cluster chain is shorter than is indicated by the size fields.
    Action: If the file's cluster chain is shorter than is indicated by the size fields, the file size is recalculated and the directory entry is updated.

    Check: Checks to see if there are any unused cluster chains.
    Action: If unused cluster chains are found, new files are created and linked to that file with the name fsck-<start cluster>.


Table 2-10 Valid Cluster Numbers

Cluster                    FAT-12     FAT-16
Next entry in the chain    2-FEF      2-FFEF
Last entry in chain        FF8-FFF    FFF8-FFFF
Available cluster          0          0
Bad cluster                FF7        FFF7


Examples

This example shows how to run a check of the current file system:

Router# fsck
 Checking the boot sector and partition table...
 Checking FAT, Files and Directories...
 Files
 1) disk0:/FILE3 and
 2) disk0:/FILE2
 have a common cluster.
 Press 1/2 to truncate or any other character to ignore[confirm] q
 Ignoring this error and continuing with the rest of the check...
 Files
 1) disk0:/FILE5 and
 2) disk0:/FILE4
 have a common cluster.
 Press 1/2 to truncate or any other character to ignore[confirm] 1
 File disk0:/FILE5 truncated.
 Files
 1) disk0:/FILE7 and
 2) disk0:/FILE6
 have a common cluster.
.
.
.
1) disk0:/FILE15 and
 2) disk0:/FILE13
 have a common cluster.
 Press 1/2 to truncate or any other character to ignore[confirm] i
 Ignoring this error and continuing with the rest of the check...
 Reclaiming unused space...
 Created file disk0:/fsck-11 for an unused cluster chain
 Created file disk0:/fsck-20 for an unused cluster chain
 Created file disk0:/fsck-30 for an unused cluster chain
 Created file disk0:/fsck-35 for an unused cluster chain
 Created file disk0:/fsck-40 for an unused cluster chain
 Created file disk0:/fsck-46 for an unused cluster chain
 Created file disk0:/fsck-55 for an unused cluster chain
 Created file disk0:/fsck-62 for an unused cluster chain
 Created file disk0:/fsck-90 for an unused cluster chain
 Updating FAT...
 fsck of disk0: complete
Router# 
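
The following is an added example, not Cisco code and not how the IOS fsck utility is implemented: a read-only checker that classifies FAT entries using the ranges in Table 2-10 and reports the cluster-chain conditions that Table 2-9 describes (loops, bad or free clusters, invalid cluster numbers, size mismatches, crosslinks, unused chains). The FAT contents, file names and 512-byte cluster size are constructed; treating a next pointer beyond the end of the FAT as invalid is an assumption.

```python
import math

FAT12, FAT16 = 12, 16


def has_boot_signature(first_sector):
    """Last 2 bytes of the first sector must be 0x55, 0xaa."""
    return len(first_sector) >= 2 and first_sector[-2:] == b"\x55\xaa"


def classify(entry, fat_type=FAT16):
    """Map a raw FAT entry to its Table 2-10 category."""
    top = 0xFFF if fat_type == FAT12 else 0xFFFF
    if entry == 0:
        return "available"
    if 2 <= entry <= top - 0x10:          # 2-FEF / 2-FFEF
        return "next"
    if entry == top - 0x8:                # FF7 / FFF7
        return "bad"
    if top - 0x7 <= entry <= top:         # FF8-FFF / FFF8-FFFF
        return "last"
    return "invalid"                      # anything not listed in Table 2-10


def walk_chain(fat, start, fat_type=FAT16):
    """Follow one file's chain. Returns (good_clusters, problem or None)."""
    if not 2 <= start < len(fat):
        return [], "invalid start cluster"
    seen, chain, cur = set(), [], start
    while True:
        if cur in seen:                   # chain points back into itself
            return chain, "loop"
        kind = classify(fat[cur], fat_type)
        if kind in ("available", "bad"):  # chain stops at the last good cluster
            return chain, "bad or free cluster"
        seen.add(cur)
        chain.append(cur)
        if kind == "last":
            return chain, None
        if kind == "invalid" or fat[cur] >= len(fat):
            return chain, "invalid cluster number"
        cur = fat[cur]


def check(fat, files, cluster_size, fat_type=FAT16):
    """files maps name -> (start_cluster, size_bytes). Returns a findings list."""
    findings, owner = [], {}
    for name, (start, size) in files.items():
        if size == 0 and start == 0:      # empty file owns no clusters
            continue
        chain, problem = walk_chain(fat, start, fat_type)
        if problem:
            findings.append((name, problem))
        else:
            need = math.ceil(size / cluster_size)
            if len(chain) > need:
                findings.append((name, "chain longer than size"))
            elif len(chain) < need:
                findings.append((name, "chain shorter than size"))
        for c in chain:
            if c in owner and owner[c] != name:
                findings.append((name, f"crosslinked with {owner[c]}"))
                break
            owner.setdefault(c, name)
    # Allocated clusters that no file reaches form unused chains; report each
    # chain head under the fsck-<start cluster> name. (A pure orphan cycle has
    # no head and is not reported by this simplified pass.)
    orphans = {c for c in range(2, len(fat))
               if c not in owner and classify(fat[c], fat_type) in ("next", "last")}
    pointed = {fat[c] for c in orphans}
    for head in sorted(orphans - pointed):
        findings.append((f"fsck-{head}", "unused cluster chain"))
    return findings


# Constructed 16-entry FAT-16 table (entries 0 and 1 are reserved).
SAMPLE_FAT = [0xFFF8, 0xFFFF, 3, 4, 0xFFFF, 6, 5, 3,
              9, 0xFFF7, 0xFFF3, 0xFFFF, 13, 0xFFFF, 0, 0]
SAMPLE_FILES = {
    "FILE_A": (2, 1200),    # 2 -> 3 -> 4 -> EOF, clean
    "FILE_B": (5, 1024),    # 5 -> 6 -> 5, loop
    "FILE_C": (7, 1536),    # 7 -> 3, shares clusters with FILE_A
    "FILE_D": (8, 1024),    # 8 -> 9, and cluster 9 is marked bad
    "FILE_E": (10, 512),    # entry FFF3 is not a valid cluster number
    "FILE_F": (11, 2000),   # one cluster, size field claims four
}

if __name__ == "__main__":
    for name, problem in check(SAMPLE_FAT, SAMPLE_FILES, 512):
        print(f"{name}: {problem}")
```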

hold-queue

To limit the size of the IP output queue on an interface, use the hold-queue command. To return to the default settings, use the no form of this command.

hold-queue length {in | out}

no hold-queue {in | out}

Syntax Description

length

Maximum number of packets in the queue; valid values are from 0 to 65535.

in

Specifies the input queue.

out

Specifies the output queue.


Command Default

The defaults are as follows:

The input hold-queue limit is 75 packets.

The default output hold-queue limit is 40 packets.

The default is 10 packets for asynchronous interfaces.

Command Modes

Interface configuration (config-if)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

This command is not supported on the OSM.

The default limits prevent a malfunctioning interface from consuming an excessive amount of memory. There is no fixed upper limit to a queue size.

The default of ten packets allows the Cisco IOS software to queue a number of back-to-back routing updates. The default is for asynchronous interfaces only; other media types have different defaults.

The guidelines for hold queues and priority queueing are as follows:

The hold queue stores packets that are received from the network and are waiting to be sent to the client. We recommend that the queue size does not exceed ten packets on asynchronous interfaces. For most other interfaces, the queue length should not exceed 100 packets.

The input hold queue prevents a single interface from flooding the network server with too many input packets. Additional input packets are discarded if the interface has too many outstanding input packets in the system.

If you use priority output queueing, you can set the length of the four output queues using the priority-list global configuration command. You cannot use the hold-queue command to set an output hold-queue length in this situation.

For slow links, use a small output hold-queue limit to prevent storing packets at a rate that exceeds the transmission capability of the link.

For fast links, use a large output hold-queue limit. A fast link may be busy for a short time (and require the hold queue) but can empty the output hold queue quickly when capacity returns.

You can display the current hold-queue setting and the number of packets that are discarded because of hold-queue overflows by using the show interfaces command in EXEC mode.


Caution Increasing the hold queue can cause negative effects to network routing and response times. If you use protocols that have sequence/acknowledge packets to determine round-trip times, do not increase the output queue. Instead, we recommend that you program the Catalyst 6500 series switch to drop packets and inform the hosts to slow down transmissions to match the available bandwidth. We do not recommend that you make duplicate copies of the same packet within the network.

Examples

This example sets a small input queue on a slow serial line:

Router(config)# interface serial 0
Router(config-if)# hold-queue 30 in

Related Commands

Command
Description

priority-list

Establishes queueing priorities based on the protocol type.

show interfaces

Displays the traffic that is seen by a specific interface.


hw-module boot

To specify the boot options for the module through the power management bus control register, use the hw-module boot command.

hw-module {module num} {boot [value] {config-register | eobc | {flash image} | rom-monitor}}

Syntax Description

module num

Specifies the number of the module to apply the command.

value

(Optional) Literal value for the module's boot option; valid values are from 0 to 15. See the "Usage Guidelines" section for additional information.

config-register

Boots using the module's config-register value.

eobc

Boots using an image downloaded through EOBC.

flash image

Specifies the image number in the module's internal flash memory for the module's boot option; valid values are 1 and 2.

rom-monitor

Stays in ROM-monitor mode after the module resets.


Command Default

This command has no default settings.

Command Modes

Privileged EXEC (#)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

This command is supported on the CMM only.

The valid values for the boot value argument are as follows:

0—Specifies the module's config-register value.

1—Specifies the first image in the flash memory.

2—Specifies the second image in the flash memory.

3—Stays in ROM-monitor mode after the module reset.

4—Specifies the download image through EOBC.

Examples

This example shows how to reload the module in slot 6 using the module's config-register value:

Router# hw-module slot 1/6 boot config-register
Router# 

This example shows how to reload the module in slot 3 using an image downloaded through EOBC:

Router# hw-module slot 1/3 boot eobc
Router# 

hw-module fan-tray version

To set the fan-type (high or low power) version, use the hw-module fan-tray version command.

hw-module fan-tray version [1 | 2]

Syntax Description

1 | 2

(Optional) Specifies the version number; see the "Usage Guidelines" section for additional information.


Command Default

This command has no default settings.

Command Modes

Privileged EXEC (#)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

Before you install a high-capacity fan tray, enter the hw-module fan-tray version 2 command to check for configuration problems, such as power-supply compatibility and power sufficiency. If there are no problems, a message is displayed to change the fan tray from version 1 to version 2. At this point, you can remove the old fan tray and quickly insert the new high-capacity fan tray.

This command is supported on the following chassis:

WS-C6506

WS-C6509

WS-C6509-NEB/OSR7609

Set the version to 2 before installing higher power fan trays. Set the version to 1 before downgrading to lower power fan trays.

Command confirmation does not change the fan power consumption or cooling capacity. It updates the backplane IDPROM. The new values take effect the next time that you insert a fan.

When you execute the command, the software checks the configurations and prompts for confirmation. Any illegal configurations (such as power-supply incompatibility) result in a warning being displayed and a command failure.

Examples

This example shows how to set the fan type for lower power fan trays:

Router# hw-module fan-tray version 1
Router# 

Related Commands

Command
Description

show environment cooling

Displays information about the cooling parameter.


hw-module oversubscription

To administratively disable the oversubscribed ports (3, 4, 7, and 8) on a module, use the hw-module oversubscription command. Use the no form of this command to enable the oversubscribed ports.

hw-module {module num} oversubscription

no hw-module {module num} oversubscription

Syntax Description

module num

Applies the command to a specific module.


Command Default

Enabled.

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

This command is supported on the WS-X6708-10G-3C and the WS-X6708-10G-3CXL modules only.

When you disable the oversubscribed ports, the port is put into shutdown mode. In this mode, you cannot enter the no shut command on the disabled ports. If you attempt to enter the no shut command on the disabled ports, this message appears:

The current module is operating in non-oversubscription mode. To utilise this interface, 
enable oversubscription mode for the module.

The num argument designates the module number. Valid values depend on the chassis that is used. For example, if you have a 13-slot chassis, valid values for the module number are from 1 to 13.

When you enter the show interfaces command on the disabled ports, the output displays "disabled for performance" to distinguish between the normal port shutdown and the shutdown for performance.

Examples

This example shows how to administratively disable the oversubscribed ports on a module:

Router# hw-module module 3 oversubscription
Router# 

This example shows how to administratively enable the oversubscribed ports on a module:

Router# no hw-module module 3 oversubscription
Router# 

Related Commands

Command
Description

show interfaces

Displays traffic that is seen by a specific interface.


hw-module reset

To reset a module by turning the power off and then on, use the hw-module reset command.

hw-module {module num} reset

Syntax Description

module num

Applies the command to a specific module; see the "Usage Guidelines" section for valid values.


Command Default

This command has no default settings.

Command Modes

Privileged EXEC (#)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

The num argument designates the module number. Valid values depend on the chassis that is used. For example, if you have a 13-slot chassis, valid values for the module number are from 1 to 13.

Examples

This example shows how to reload a specific module:

Router# hw-module module 3 reset
Router# 

hw-module shutdown

To shut down the module, use the hw-module shutdown command.

hw-module {module num} shutdown

Syntax Description

module num

Applies the command to a specific module; see the "Usage Guidelines" section for valid values.


Command Default

This command has no default settings.

Command Modes

Privileged EXEC (#)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

This command is supported on the SSL Services Module and the NAM.

If you enter the hw-module shutdown command to shut down the module, you will have to enter the no power enable module command and the power enable module command to restart (power down and then power up) the module.

Examples

This example shows how to shut down and restart the module:

Router# hw-module module 3 shutdown
Router# no power enable module 3
Router# power enable module 3

hw-module simulate link-up

To enable a software link on a specified module, use the hw-module simulate link-up command. For information on disabling a software link, refer to the "Usage Guidelines" section.

hw-module {module num} simulate link-up

Syntax Description

module num

Applies the command to a specific module; see the "Usage Guidelines" section for valid values.


Command Default

This command has no default settings.

Command Modes

Privileged EXEC (#)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

This command is supported on Ethernet modules only.

To disable a software link on a module, you must perform one of the following procedures:

Enter the shutdown and then the no shutdown commands on all the ports on the module.

Enter the hw-module reset command.

When you apply this command to a module, the port LEDs on the module will glow green and simulate a link-up condition. This command can be used for testing interface configurations without cabling to the interface.

The num argument designates the module number. Valid values depend on the chassis that is used. For example, if you have a 13-slot chassis, valid values for the module number are from 1 to 13.

Examples

This example shows how to enable softlink on a module:

Router# hw-module module 3 simulate link-up
Router# 

Related Commands

Command
Description

hw-module reset

Resets a module by turning the power off and then on.


instance

To map a VLAN or a set of VLANs to an MST instance, use the instance command. To return the VLANs to the default instance (CIST), use the no form of this command.

instance instance-id {vlans vlan-range}

no instance instance-id

Syntax Description

instance-id

Instance to which the specified VLANs are mapped; valid values are from 0 to 4094.

vlans vlan-range

Specifies the number of the VLANs to be mapped to the specified instance; valid values are from 1 to 4094.


Command Default

No VLANs are mapped to any MST instance (all VLANs are mapped to the CIST instance).

Command Modes

MST configuration submode

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

The vlans vlan-range is entered as a single value or a range.

The mapping is incremental, not absolute. When you enter a range of VLANs, this range is added to or removed from the existing instances.

Any unmapped VLAN is mapped to the CIST instance.

You can configure up to 65 interfaces.

Examples

This example shows how to map a range of VLANs to instance 2:

Router(config-mst)# instance 2 vlans 1-100
Router(config-mst)# 

This example shows how to map a VLAN to instance 5:

Router(config-mst)# instance 5 vlans 1100
Router(config-mst)# 

This example shows how to move a range of VLANs from instance 2 to the CIST instance:

Router(config-mst)# no instance 2 vlans 40-60
Router(config-mst)# 

This example shows how to move all the VLANs that are mapped to instance 2 back to the CIST instance:

Router(config-mst)# no instance 2
Router(config-mst)# 

Related Commands

Command
Description

name (MST configuration submode)

Sets the name of an MST region.

revision

Sets the revision number for the MST configuration.

show

Verifies the MST configuration.

show spanning-tree mst

Displays the information about the MST protocol.

spanning-tree mst configuration

Enters MST-configuration submode.


interface

To select an interface to configure and enter interface configuration mode, use the interface command.

interface {type module} [.subinterface]

Syntax Description

type

Type of interface to be configured; see Table 2-11 for valid values.

module

Module and port number or port-subinterface number; see the "Usage Guidelines" section for additional information.

.subinterface

(Optional) Subinterface number to be configured; valid values are from 0 to 4294967295.


Command Default

No interface types are configured.

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

Table 2-11 lists the valid values for type.

Table 2-11 Valid type Values

Keyword               Definition
fastethernet          100-Mbps Ethernet interface.
gigabitethernet       Gigabit Ethernet IEEE 802.3z interface.
tengigabitethernet    10-Gigabit Ethernet IEEE 802.3ae interface.
ge-wan                Gigabit Ethernet WAN IEEE 802.3z interface.
pos                   Packet OC-3 interface on the Packet over SONET Interface Processor.
atm                   ATM interface.
vlan                  VLAN interface; see the interface vlan command.
port-channel          Port channel interface; see the interface port-channel command.
null                  Null interface; the valid value is 0.
tunnel                Tunnel interface.


By default, the Supervisor Engine 32 PISA EtherChannel (port channel interface 256, which is automatically configured with the pisa-channel command) is a 1-Gbps EtherChannel.


Note The pisa-channel command is visible in the configuration file, but it is not user configurable.


You can enter the number of a port subinterface in the following format:

interface {{type module/port.subinterface}}

The Supervisor Engine 32 PISA ports are as follows:

Supervisor Engine 32 PISA Management Ports—The console port for the Supervisor Engine 32 PISA port is an EIA/TIA-232 (RS-232) port. The Supervisor Engine 32 PISA also has two Universal Serial Bus (USB) 2.0 ports that currently are not enabled.

The Supervisor Engine 32 PISA data ports on the WS-S32-10GE-PISA are as follows:

Ports 1 and 2: XENPAK 10 Gigabit Ethernet

Port 3: 10/100/1000 Mbps RJ-45


Note You can disable port 3 and reallocate its port ASIC capacity to the PISA EtherChannel (see the "Configuring Full PISA EtherChannel Bandwidth" section in the Catalyst Supervisor Engine 32 PISA Cisco IOS Software Configuration Guide—Release 12.2ZY).


The Supervisor Engine 32 PISA data ports on the WS-S32-GE-PISA are as follows:

Ports 1 through 8: Small form-factor pluggable (SFP) Gigabit Ethernet

Port 9: 10/100/1000 Mbps RJ-45 port


Note You can disable port 9 and reallocate its port ASIC capacity to the PISA EtherChannel (see the "Configuring Full PISA EtherChannel Bandwidth" section in the Catalyst Supervisor Engine 32 PISA Cisco IOS Software Configuration Guide—Release 12.2ZY).



Note After the port becomes a member of the PISA EtherChannel, only the no channel-group 256 mode on command has any effect on the port until the port is no longer a member of the PISA EtherChannel. While the port is a member of the PISA EtherChannel, all port configuration commands except the no channel-group 256 mode on command are ignored.


On a WS-S32-GE-PISA, you can allocate both ports 8 and 9 to the PISA EtherChannel.

You cannot enter any configuration under port channel interface 256.

The PISA EtherChannel MTU size is 4,096 bytes.

Examples

This example shows how to allocate the port ASIC capacity of port 3 to the PISA EtherChannel on a WS-S32-10GE-PISA that is installed in slot 5:

Router(config)# interface gigabitethernet 5/3
Router(config-if)# channel-group 256 mode on
Router(config-if)# 

This example shows how to allocate the port ASIC capacity of port 9 to the PISA EtherChannel on a WS-S32-GE-PISA that is installed in slot 5:

Router(config)# interface gigabitethernet 5/9
Router(config-if)# channel-group 256 mode on
Router(config-if)# 

This example shows how to revert to the default port ASIC capacity allocation:

Router(config)# interface gigabitethernet 5/9
Router(config-if)# no channel-group 256 mode on
Router(config-if)# 

Related Commands

Command
Description

show interfaces

Displays the traffic that is seen by a specific interface.


interface port-channel

To create a port-channel virtual interface and enter interface configuration mode, use the interface port-channel command. To remove a virtual interface or subinterface, use the no form of this command.

interface port-channel channel-number[.subinterface]

no interface port-channel channel-number[.subinterface]

Syntax Description

channel-number

Channel number assigned to this port-channel interface; valid values are from 1 to 256.

.subinterface

(Optional) Subinterface number to be configured; valid values are from 0 to 4294967295.


Command Default

This command has no default settings.

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

This command is not supported on the IDSM and NAM.

This command is supported on EtherChannel, Fast EtherChannel, Gigabit EtherChannel, and 10-Gigabit EtherChannel interfaces.

The channel-number argument can be from 1 to 256, with a maximum of 128 port-channel interfaces.

You can create Layer 2 port channels dynamically or by entering the interface port-channel command; you can create Layer 3 port channels by entering the interface port-channel command only. You cannot create Layer 3 port channels dynamically.

Only one port channel in a channel group is allowed.

Ports can be bundled across any module.


Caution The Layer 3 port-channel interface is the routed interface. Do not enable Layer 3 addresses on the physical Fast Ethernet interfaces.

When you use the interface port-channel command, follow these guidelines:

If you configure ISL, you must assign the IP address to the SVI.

If you want to use CDP, you must configure it only on the physical Fast Ethernet interface and not on the port-channel interface.

If you do not assign a static MAC address on the port-channel interface, a MAC address is automatically assigned. If you assign a static MAC address and then later remove it, the MAC address is automatically assigned.

Examples

This example shows how to create a port-channel interface with a channel-group number of 256:

Router(config)# interface port-channel 256
Creating a switch port Po256. channel-group 256 is L2
Router(config-if)#


Note The port-channel interface counters that are shown by the show counters interface port-channel and show interface port-channel counters commands are not supported for channel groups that are using GE-WAN interfaces for QinQ link bundling. The show interface port-channel {number | number.subif} command (without the counters keyword) is supported, however.


Related Commands

Command
Description

channel-group

Assigns and configures an EtherChannel interface to an EtherChannel group.

show etherchannel

Displays the EtherChannel information for a channel.


interface range

To execute a command on multiple ports at the same time, use the interface range command.

interface range {port-range | {macro name}}

Syntax Description

port-range

Port range; for a list of valid values for port-range, see the "Usage Guidelines" section for additional information.

macro name

Specifies the macro name.


Command Default

This command has no default settings.

Command Modes

Global or interface configuration

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

The values that you enter with the interface range vlan command are applied to all existing VLAN SVIs.

Before you can use a macro, you must define a range using the define interface-range command.

All configuration changes that are made to a port range are saved to NVRAM, but port ranges that are created with the interface range command are not saved to NVRAM.

You can enter the port range in two ways:

Specifying up to five port ranges

Specifying a previously defined macro

You can either specify the ports or the name of a port-range macro. A port range must consist of the same port type, and the ports within a range cannot span slots.

You can define up to five port ranges on a single command with each range separated by a comma.

You can enter the range with or without white spaces. For example, you can enter the range as gigabitethernet 7/1 -7 or gigabitethernet 7/1-7.

When you enter a range of VLANs, any SVIs that do not exist within that range are created.

When entering the port-range, use this format: card-type {slot}/{first-port} - {last-port}.

Valid values for card-type are as follows:

ethernet

fastethernet

gigabitethernet

loopback

tengigabitethernet

tunnel

ge-wan

pos

atm

vlan vlan-id (valid values are from 1 to 4094)

port-channel interface-number (valid values are from 1 to 256)

You cannot specify both a macro and an interface range in the same command. After creating a macro, the CLI does not allow you to enter additional ranges. If you have already entered an interface range, the CLI does not allow you to enter a macro.

In addition, you can specify a single interface in port-range.

Examples

This example shows how to execute a command on two port ranges:

Router(config)# interface range fastethernet 5/18 -20, ethernet 3/1 -24
Router(config-if-range)#

This example shows how to execute a port-range macro:

Router(config)# interface range macro macro1
Router(config-if-range)#

Related Commands

Command
Description

define interface-range

Creates an interface-range macro.

show running-config

Displays the status and configuration of the module or Layer 2 VLAN.


interface vlan

To create or access a dynamic SVI, use the interface vlan command. To delete an SVI, use the no form of this command.

interface vlan vlan-id

no interface vlan vlan-id

Syntax Description

vlan-id

Number of the VLAN; valid values are from 1 to 4094.


Command Default

Fast EtherChannel is not specified.

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

SVIs are created the first time that you enter the interface vlan vlan-id command for a particular VLAN. The vlan-id value corresponds to the VLAN tag that is associated with the data frames on an ISL, the 802.1Q-encapsulated trunk, or the VLAN ID that is configured for an access port. A message displays whenever you create a new VLAN interface, so that you can check if you entered the correct VLAN number.

If you delete an SVI by entering the no interface vlan vlan-id command, the associated IDB pair is forced into an administrative down state and is marked as deleted. The deleted interface will not be visible in the show interface command.

You can reinstate a deleted SVI by entering the interface vlan vlan-id command for the deleted interface. The interface comes back up, but much of the previous configuration is gone.

VLANs 1006 to 1014 are internal VLANs on the Catalyst 6500 series switch and cannot be used for creating new VLANs.

Examples

This example shows the output when you enter the interface vlan vlan-id command for a new VLAN number:

Router(config)# interface vlan 23
% Creating new VLAN interface.
Router(config)#

inter-packet gap 6502-mode

To set the IPG value, use the inter-packet gap 6502-mode command. To return to the default settings, use the no form of this command.

inter-packet gap 6502-mode

no inter-packet gap 6502-mode

Syntax Description

This command has no keywords or arguments.

Command Default

All fragments from flows that are received from an ACE with Layer 4 ports and permit action are permitted. All other fragments are dropped in the hardware. This action also applies to flows that are handled in the software regardless of this command setting.

Command Modes

Interface configuration (config-if)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

This command is supported only in situations where a WS-X6704-10GE is connected to a WS-X6502-10GE. You enter this command to change the IPG value of the WS-X6704-10GE to match the WS-X6502-10GE.

The default 6704 mode sets the IPG value to an average of 12. Based on packet size, the IPG between successive packets ranges from 9 to 15.

The 6502 mode sets the IPG value to an average of 16. Based on packet size, the IPG between successive packets ranges from 13 to 19.

Examples

This example shows how to set the IPG to 6502 mode:

Router(config-if)# inter-packet gap 6502-mode
Router(config-if)# 

This example shows how to set the IPG to the default mode:

Router(config-if)# no inter-packet gap 6502-mode
Router(config-if)# 

ip access-list hardware permit fragments

To permit all noninitial fragments in the hardware, use the ip access-list hardware permit fragments command. To return to the default settings, use the no form of this command.

ip access-list hardware permit fragments

no ip access-list hardware permit fragments

Syntax Description

This command has no keywords or arguments.

Command Default

All fragments from flows that are received from an ACE with Layer 4 ports and permit action are permitted. All other fragments are dropped in the hardware. This action also applies to flows that are handled in the software regardless of this command setting.

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

Flow fragments that match ACEs with Layer 4 ports and permit results are permitted in the hardware, and all other fragments are dropped. An entry is added in the TCAM for each ACE with Layer 4 ports and permit action. This action could cause large ACLs to not fit in the TCAM. If this situation occurs, use the ip access-list hardware permit fragments command to permit all noninitial fragments in the hardware.

This command affects all ACLs that are currently applied to interfaces and not only newly-applied ACLs.

The initial flow fragments that match the ACEs with Layer 4 ports and permit results are permitted in the hardware. All other initial fragments are dropped in the hardware.

Examples

This example shows how to permit all noninitial fragments in the hardware:

Router(config)# ip access-list hardware permit fragments
Router(config)#

This example shows how to return to the default settings:

Router(config)# no ip access-list hardware permit fragments
Router(config)#

Related Commands

Command
Description

show ip interface

Displays the usability status of interfaces that are configured for IP.


ip arp inspection filter vlan

To permit ARPs from hosts that are configured for static IP when DAI is enabled and to define an ARP access list and apply it to a VLAN, use the ip arp inspection filter vlan command. To disable this application, use the no form of this command.

ip arp inspection filter arp-acl-name {vlan vlan-range} [static]

no ip arp inspection filter arp-acl-name {vlan vlan-range} [static]

Syntax Description

arp-acl-name

Access control list name.

vlan-range

VLAN number or range; valid values are from 1 to 4094.

static

(Optional) Treats implicit denies in the ARP ACL as explicit denies and drops packets that do not match any previous clauses in the ACL.


Command Default

No defined ARP ACLs are applied to any VLAN.

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

For vlan-range, you can specify the VLAN to which the switches and hosts belong. You can specify a single VLAN identified by a VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma.

When an ARP access control list is applied to a VLAN for dynamic ARP inspection, only the ARP packets that contain IP-to-Ethernet MAC bindings are compared against the ACLs. All other packet types are bridged in the incoming VLAN without validation.

This command specifies that the incoming ARP packets are compared against the ARP access control list, and the packets are permitted only if the access control list permits them.

If the access control lists deny the packets because of explicit denies, the packets are dropped. If the packets are denied because of an implicit deny, they are then matched against the list of DHCP bindings if the ACL is not applied statically.

If you do not specify the static keyword, an implicit deny is not treated as an explicit deny: when a packet does not match any clause in the ACL, the DHCP bindings determine whether the packet is permitted or denied.

Examples

This example shows how to apply the ARP ACL static-hosts to VLAN 1 for DAI:

Router# config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# ip arp inspection filter static-hosts vlan 1
Router(config)# 
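
The decision order described in the usage guidelines (ARP ACL first, then DHCP bindings unless static is set) can be checked against sample hosts before the filter is applied. This is an added example, not Cisco code: the ACL clauses, addresses, bindings, and function names are constructed for illustration, and clauses are assumed to match first-hit on the sender IP and MAC.

```python
"""Decision order for `ip arp inspection filter ... [static]`, as described above.

Added illustration, not Cisco code. The ACL entries, hosts and bindings are
constructed sample data; function and field names are hypothetical.
"""
import re

ANY = None  # wildcard in an ACL clause


def norm_mac(mac):
    """Normalize 0011.2233.4455, 00:11:22:33:44:55 or 00-11-... to 12 hex digits."""
    digits = re.sub(r"[.:\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def acl_lookup(acl, ip, mac):
    """First matching clause wins; return 'permit', 'deny', or None (implicit deny)."""
    for action, acl_ip, acl_mac in acl:
        ip_ok = acl_ip is ANY or acl_ip == ip
        mac_ok = acl_mac is ANY or norm_mac(acl_mac) == mac
        if ip_ok and mac_ok:
            return action
    return None


def dai_verdict(acl, dhcp_bindings, sender_ip, sender_mac, static=False):
    """Return (verdict, reason) for the sender IP-to-MAC binding of one ARP packet."""
    mac = norm_mac(sender_mac)
    result = acl_lookup(acl, sender_ip, mac)
    if result == "permit":
        return "permit", "ARP ACL permit"
    if result == "deny":
        return "drop", "ARP ACL explicit deny"
    # No clause matched: implicit deny.
    if static:
        return "drop", "implicit deny treated as explicit (static)"
    bound = dhcp_bindings.get(sender_ip)
    if bound is not None and norm_mac(bound) == mac:
        return "permit", "DHCP binding match"
    return "drop", "no ACL match and no DHCP binding"


# Constructed sample data.
STATIC_HOSTS_ACL = [
    ("permit", "10.0.0.1", "00aa.bbcc.dd01"),   # gateway with a static address
    ("deny", "10.0.0.1", ANY),                  # any other MAC claiming the gateway IP
    ("permit", "10.0.0.10", "0011.2233.4455"),  # statically addressed server
]
DHCP_BINDINGS = {"10.0.0.50": "00:de:ad:be:ef:50"}  # learned by DHCP snooping

if __name__ == "__main__":
    packets = [
        ("10.0.0.10", "00:11:22:33:44:55"),
        ("10.0.0.1", "00:66:66:66:66:66"),
        ("10.0.0.50", "00de.adbe.ef50"),
        ("10.0.0.99", "00:99:99:99:99:99"),
    ]
    for static in (False, True):
        print(f"static={static}")
        for ip, mac in packets:
            verdict, reason = dai_verdict(STATIC_HOSTS_ACL, DHCP_BINDINGS, ip, mac, static)
            print(f"  {ip:<10} {mac:<18} {verdict:<6} ({reason})")
```
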

Related Commands

Command
Description

arp access-list

Configures an ARP ACL for ARP inspection and QoS filtering and enters the ARP ACL configuration submode.

show ip arp inspection

Displays the status of DAI for a specific range of VLANs.


ip arp inspection limit

To limit the rate of incoming ARP requests and responses on an interface and prevent DAI from consuming all of the system's resources in the event of a DoS attack, use the ip arp inspection limit command. To return to the default settings, use the no form of this command.

ip arp inspection limit {rate pps [burst interval seconds] | none}

no ip arp inspection limit

Syntax Description

rate pps

Specifies the upper limit on the number of incoming packets processed per second; valid values are from 1 to 2048 pps.

burst interval seconds

(Optional) Specifies the consecutive interval in seconds over which the interface is monitored for the high rate of the ARP packets; valid values are from 1 to 15 seconds.

none

Specifies that there is no upper limit on the rate of the incoming ARP packets that can be processed.


Command Default

The default settings are as follows:

The rate pps is set to 15 packets per second on the untrusted interfaces, assuming that the network is a switched network with a host connecting to as many as 15 new hosts per second.

The rate is unlimited on all the trusted interfaces.

The burst interval seconds is set to 1 second.

Command Modes

Interface configuration (config-if)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

You should configure the trunk ports with higher rates to reflect their aggregation. When the rate of the incoming packets exceeds the user-configured rate, the interface is placed into an error-disabled state. You can use the error-disable timeout feature to remove the port from the error-disabled state. The rate applies to both the trusted and nontrusted interfaces. Configure appropriate rates on trunks to handle the packets across multiple DAI-enabled VLANs, or use the none keyword to make the rate unlimited.

The rate of the incoming ARP packets on the channel ports is equal to the sum of the incoming rate of packets from all the channel members. Configure the rate limit for the channel ports only after examining the rate of the incoming ARP packets on the channel members.

After a switch receives more than the configured rate of packets every second consecutively over a period of burst seconds, the interface is placed into an error-disabled state.
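The burst-interval rule above can be checked against measured ARP rates before a limit is committed to a trunk or channel port. The following Python sketch is an added example, not Cisco code; the function names and the per-second sample counts are constructed for illustration, and it models only the rule as stated in these guidelines.

```python
"""Model of the err-disable rule described for `ip arp inspection limit`."""


def errdisable_second(per_second_counts, rate, burst_interval=1):
    """Return the 1-based second at which the port err-disables, or None.

    rate is the configured pps limit (1-2048) or None for the `none` keyword;
    burst_interval is the number of consecutive seconds (1-15) monitored.
    """
    if rate is None:
        return None  # `none`: no upper limit on incoming ARP packets
    if not 1 <= rate <= 2048:
        raise ValueError("rate must be 1-2048 pps")
    if not 1 <= burst_interval <= 15:
        raise ValueError("burst interval must be 1-15 seconds")
    run = 0  # consecutive seconds in which the rate was exceeded
    for second, count in enumerate(per_second_counts, start=1):
        run = run + 1 if count > rate else 0
        if run >= burst_interval:
            return second
    return None


def channel_counts(member_counts):
    """Per-second rate on a channel port: the sum over all channel members."""
    return [sum(column) for column in zip(*member_counts)]


def lowest_safe_rate(per_second_counts, burst_interval=1):
    """Smallest rate that never trips on the observed samples.

    The port trips only if every second of some burst-interval window exceeds
    the rate, so the rate must be at least the largest per-window minimum.
    Returns None when that value is above the 2048 pps maximum.
    """
    counts = list(per_second_counts)
    windows = [counts[i:i + burst_interval]
               for i in range(len(counts) - burst_interval + 1)]
    needed = max((min(window) for window in windows), default=1)
    needed = max(needed, 1)
    return needed if needed <= 2048 else None


# Constructed samples: ARP packets per second seen on two channel members.
MEMBER_A = [10, 12, 30, 28, 9, 11]
MEMBER_B = [8, 9, 25, 27, 7, 10]
CHANNEL = channel_counts([MEMBER_A, MEMBER_B])

if __name__ == "__main__":
    print("channel per-second counts:", CHANNEL)
    print("default rate 15, burst 1 ->", errdisable_second(CHANNEL, 15))
    print("rate 20, burst 3         ->", errdisable_second(CHANNEL, 20, 3))
    print("lowest safe rate, burst 3:", lowest_safe_rate(CHANNEL, 3))
```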

Examples

This example shows how to limit the rate of the incoming ARP requests to 25 packets per second:

Router# config terminal
Router(config)# interface fa6/3
Router(config-if)# ip arp inspection limit rate 25
Router(config-if)# 

This example shows how to limit the rate of the incoming ARP requests to 20 packets per second and to set the interface monitoring interval to 5 consecutive seconds:

Router# config terminal
Router(config)# interface fa6/1
Router(config-if)# ip arp inspection limit rate 20 burst interval 5
Router(config-if)# 

Related Commands

Command
Description

show ip arp inspection

Displays the status of DAI for a specific range of VLANs.


ip arp inspection log-buffer

To configure the parameters that are associated with the logging buffer, use the ip arp inspection log-buffer command. To disable the parameters, use the no form of this command.

ip arp inspection log-buffer {{entries number} | {logs number} {interval seconds}}

no ip arp inspection log-buffer {entries | logs}

Syntax Description

entries number

Specifies the number of entries from the logging buffer; valid values are from 0 to 1024.

logs number

Specifies the number of entries to be logged in an interval; valid values are from 0 to 1024.

interval seconds

Specifies the logging rate; valid values are from 0 to 86400 (1 day).


Command Default

The default settings are as follows:

When dynamic ARP inspection is enabled, the denied or dropped ARP packets are logged.

The entries number is 32.

The logs number is 5 per second.

The interval seconds is 1 second.

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

A 0 value for the logs number indicates that the entries should not be logged out of this buffer.

A 0 value for the interval seconds keyword and argument indicates an immediate log.

You cannot enter a 0 for both the logs number and the interval seconds keywords and arguments.

The first dropped packet of a given flow is logged immediately. The subsequent packets for the same flow are registered but are not logged immediately. Registration for these packets occurs in a log buffer that is shared by all the VLANs. Entries from this buffer are logged on a rate-controlled basis.

Examples

This example shows how to configure the logging buffer to hold up to 45 entries:

Router# config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# ip arp inspection log-buffer entries 45
Router(config)# 

This example shows how to configure the logging rate for 10 logs per 3 seconds:

Router(config)# ip arp inspection log-buffer logs 10 interval 3
Router(config)# 

Related Commands

Command
Description

arp access-list

Configures an ARP ACL for ARP inspection and QoS filtering and enters the ARP ACL configuration submode.

clear ip arp inspection log

Clears the status of the log buffer.

show ip arp inspection log

Shows the status of the log buffer.


ip arp inspection trust

To set a per-port configurable trust state that determines the set of interfaces where incoming ARP packets are inspected, use the ip arp inspection trust command. To make the interfaces untrusted, use the no form of this command.

ip arp inspection trust

no ip arp inspection trust

Syntax Description

This command has no arguments or keywords.

Command Default

This command has no default settings.

Command Modes

Interface configuration (config-if)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Examples

This example shows how to configure an interface to be trusted:

Router# config terminal
Router(config)# interface fastEthernet 6/3
Router(config-if)# ip arp inspection trust 
Router(config-if)# 

Related Commands

Command
Description

show ip arp inspection

Displays the status of DAI for a specific range of VLANs.


ip arp inspection validate

To perform specific checks for an ARP inspection, use the ip arp inspection validate command. To disable ARP inspection checks, use the no form of this command.

ip arp inspection validate [src-mac] [dst-mac] [ip]

no ip arp inspection validate [src-mac] [dst-mac] [ip]

Syntax Description

src-mac

(Optional) Checks the source MAC address in the Ethernet header against the sender's MAC address in the ARP body.

dst-mac

(Optional) Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body.

ip

(Optional) Checks the ARP body for invalid and unexpected IP addresses.


Command Default

Disabled

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

The sender IP addresses are checked in all ARP requests and responses, and target IP addresses are checked only in ARP responses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses.

The src-mac checks are issued against both ARP requests and responses. The dst-mac checks are issued for ARP responses.


Note: When enabled, packets with different MAC addresses are classified as invalid and are dropped.


When enabling the checks, specify at least one of the keywords (src-mac, dst-mac, and ip) on the command line. Each command overrides the configuration of the previous command. If a command enables src and dst mac validations, and a second command enables IP validation only, the src and dst mac validations are disabled as a result of the second command.

The no form of this command disables only the specified checks. If no check options are enabled, all the checks are disabled.
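The override behavior and the per-opcode scope of each check are easy to get wrong, so the following Python sketch replays a sequence of validate commands and then applies the resulting checks to ARP frames. It is an added example, not Cisco code: the function names and sample frames are constructed, it handles untagged Ethernet/IPv4 ARP only, and treating a bare no form as clearing every check is an assumption.

```python
"""Model of the three `ip arp inspection validate` checks for Ethernet/IPv4 ARP."""
import ipaddress
import struct

CHECKS = ("src-mac", "dst-mac", "ip")
ARP_REPLY = 2


def effective_checks(config_lines):
    """Replay validate commands in order and return the set of enabled checks."""
    enabled = set()
    for line in config_lines:
        words = line.split()
        negate = words[:1] == ["no"]
        if negate:
            words = words[1:]
        if words[:4] != ["ip", "arp", "inspection", "validate"]:
            continue
        named = set(words[4:])
        if not named <= set(CHECKS):
            raise ValueError("unknown keyword in: " + line)
        if negate:
            # The no form disables only the named checks.
            # Assumption: a bare no form clears every check.
            enabled -= named or set(CHECKS)
        elif named:
            enabled = named  # each command overrides the previous one
        else:
            raise ValueError("specify at least one of src-mac, dst-mac, ip")
    return enabled


def invalid_ip(packed):
    """True for 0.0.0.0, 255.255.255.255 and any IP multicast address."""
    addr = ipaddress.IPv4Address(packed)
    return int(addr) in (0, 0xFFFFFFFF) or addr.is_multicast


def validate_arp(frame, checks):
    """Return the checks (in CHECKS order) that an untagged ARP frame fails."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        raise ValueError("not an ARP frame")
    _, _, _, _, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    is_reply = oper == ARP_REPLY
    failed = []
    # src-mac: Ethernet source vs ARP sender MAC, requests and responses.
    if "src-mac" in checks and eth_src != sha:
        failed.append("src-mac")
    # dst-mac: Ethernet destination vs ARP target MAC, responses only.
    if "dst-mac" in checks and is_reply and eth_dst != tha:
        failed.append("dst-mac")
    # ip: sender IP always, target IP in responses only.
    if "ip" in checks and (invalid_ip(spa) or (is_reply and invalid_ip(tpa))):
        failed.append("ip")
    return failed


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_arp(eth_src, eth_dst, oper, sha, spa, tha, tpa):
    """Build a constructed 42-byte untagged Ethernet + ARP frame for testing."""
    return (mac(eth_dst) + mac(eth_src) + struct.pack("!H", 0x0806)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + mac(sha) + ipaddress.IPv4Address(spa).packed
            + mac(tha) + ipaddress.IPv4Address(tpa).packed)


# Constructed sample frames (addresses are illustrative only).
HOST_A, HOST_B = "00:00:0c:00:40:af", "00:00:0c:00:40:b0"
GOOD_REPLY = build_arp(HOST_A, HOST_B, 2, HOST_A, "10.42.0.6", HOST_B, "10.42.0.7")
MISMATCHED_SENDER = build_arp(HOST_A, HOST_B, 2, "00:00:0c:00:40:ff",
                              "10.42.0.1", HOST_B, "10.42.0.7")
REQUEST = build_arp(HOST_A, "ff:ff:ff:ff:ff:ff", 1, HOST_A, "10.42.0.6",
                    "00:00:00:00:00:00", "224.0.0.1")
BAD_REPLY = build_arp(HOST_A, HOST_B, 2, HOST_A, "10.42.0.6",
                      "00:00:0c:00:40:ff", "255.255.255.255")

if __name__ == "__main__":
    checks = effective_checks(["ip arp inspection validate src-mac dst-mac",
                               "ip arp inspection validate ip"])
    print("enabled after second command:", sorted(checks))
    print("mismatched sender flagged:", validate_arp(MISMATCHED_SENDER, checks))
```

To keep all three checks active, enter them on one command line, as the replay of two separate commands above leaves only the ip check enabled.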

Examples

This example shows how to enable the source MAC validation:

Router(config)# ip arp inspection validate src-mac 
Router(config)# 

Related Commands

Command
Description

arp access-list

Configures an ARP ACL for ARP inspection and QoS filtering and enters the ARP ACL configuration submode.

show ip arp inspection

Displays the status of DAI for a specific range of VLANs.


ip arp inspection vlan

To enable DAI on a per-VLAN basis, use the ip arp inspection vlan command. To disable DAI, use the no form of this command.

ip arp inspection vlan vlan-range

no ip arp inspection vlan vlan-range

Syntax Description

vlan-range

VLAN number or range; valid values are from 1 to 4094.


Command Default

ARP inspection is disabled on all VLANs.

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

For vlan-range, you can specify a single VLAN identified by a VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma.

You must specify on which VLANs to enable DAI. DAI may not function on the configured VLANs if the VLAN has not been created or is a private VLAN.

Examples

This example shows how to enable DAI on VLAN 1:

Router(config)# ip arp inspection vlan 1
Router(config)# 

Related Commands

Command
Description

arp access-list

Configures an ARP ACL for ARP inspection and QoS filtering and enters the ARP ACL configuration submode.

show ip arp inspection

Displays the status of DAI for a specific range of VLANs.


ip arp inspection vlan logging

To control the type of packets that are logged, use the ip arp inspection vlan logging command. To disable this logging control, use the no form of this command.

ip arp inspection vlan vlan-range logging {acl-match {matchlog | none} | dhcp-bindings {permit | all | none}}

no ip arp inspection vlan vlan-range logging {acl-match | dhcp-bindings}

Syntax Description

vlan-range

Number of the VLANs to be mapped to the specified instance. The number is entered as a single value or a range; valid values are from 1 to 4094.

acl-match

Specifies the logging criteria for packets that are dropped or permitted based on ACL matches.

matchlog

Specifies that logging of packets matched against ACLs is controlled by the matchlog keyword in the permit and deny access control entries of the ACL.

none

Specifies that ACL-matched packets are not logged.

dhcp-bindings

Specifies the logging criteria for packets dropped or permitted based on matches against the DHCP bindings.

permit

Specifies logging when permitted by DHCP bindings.

all

Specifies logging when permitted or denied by DHCP bindings.

none

Prevents all logging of packets permitted or denied by DHCP bindings.


Command Default

All denied or dropped packets are logged.

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

By default, the matchlog keyword is not available on the ACEs. When you enter the matchlog keyword, denied packets are not logged. Packets are logged only when they match against an ACE that has the matchlog keyword.

The acl-match and dhcp-bindings keywords merge with each other. When you set an ACL match configuration, the DHCP bindings configuration is not disabled. You can use the no form of this command to reset some of the logging criteria to their defaults. If you do not specify either option, all the logging types are reset to log on when the ARP packets are denied. The two options that are available are as follows:

acl-match—Logging on ACL matches is reset to log on deny

dhcp-bindings—Logging on DHCP bindings is reset to log on deny

Examples

This example shows how to configure ARP inspection on VLAN 1 to add packets that match the ACLs to a log:

Router# config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# ip arp inspection vlan 1 logging acl-match matchlog 
Router(config)# 

Related Commands

Command
Description

arp access-list

Configures an ARP ACL for ARP inspection and QoS filtering and enters the ARP ACL configuration submode.

show ip arp inspection

Displays the status of DAI for a specific range of VLANs.


ip auth-proxy max-login-attempts

To limit the number of login attempts at a firewall interface, use the ip auth-proxy max-login-attempts command. To return to the default settings, use the no form of this command.

ip auth-proxy max-login-attempts 1-maxint

no ip auth-proxy max-login-attempts

Syntax Description

1-maxint

Maximum number of login attempts; valid values are from 1 to 2147483647 attempts.


Command Default

1-maxint is 5.

Command Modes

Interface configuration (config-if)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

This command is supported on the firewall interfaces only.

The maximum login attempt functionality is independent of the watch-list feature. If you do not configure a watch list (using the ip access-list hardware permit fragments command) and you configure a maximum login attempt, the existing authentication proxy behavior occurs but displays the new number for retries. If you configure a watch list, the IP address is put in the watch list once the configured number of attempts has been reached.

Examples

This example shows how to set a limit to the number of login attempts at a firewall interface:

Router(config-if)# ip auth-proxy max-login-attempts 4
Router(config-if)#

Related Commands

Command
Description

clear ip auth-proxy watch-list

Deletes a single watch-list entry or all watch-list entries.

ip auth-proxy watch-list

Enables and configures an authentication proxy watch list.

show ip auth-proxy watch-list

Displays the information about the authentication proxy watch list.


ip auth-proxy watch-list

To enable and configure an authentication proxy watch list, use the ip auth-proxy watch-list command. See the "Usage Guidelines" section for the no form of this command usage.

ip auth-proxy watch-list {{add-item ip-addr} | enable | {expiry-time minutes}}

no ip auth-proxy watch-list [{add-item ip-addr} | expiry-time]

Syntax Description

add-item ip-addr

Adds an IP address to the watch list.

enable

Enables a watch list.

expiry-time minutes

Specifies the duration of time that an entry is in the watch list; see the "Usage Guidelines" section for valid values.


Command Default

The defaults are as follows:

minutes is 30 minutes.

The watch-list functionality is disabled.

Command Modes

Interface configuration (config-if)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

The valid values for minutes are from 0 to the largest 32-bit positive number (0x7FFFFFFF or 2147483647 in decimal). Setting the minutes to 0 (zero) places the entries in the list permanently.

This command is supported on the firewall interfaces only.

Use the no form of this command to do the following:

no ip auth-proxy watch-list—Disables the watch-list functionality.

no ip auth-proxy watch-list add-item ip-addr—Removes the IP address from the watch list.

no ip auth-proxy watch-list expiry-time—Returns to the default setting.

A watch list consists of IP addresses that have opened TCP connections to port 80 and have not sent any data. No new connections are accepted from this type of IP address (to port 80) and the packet is dropped.

An entry remains in the watch list for the time that is specified by expiry-time minutes.

When you disable a watch list, no new entries are put into the watch list, but the sessions are put in SERVICE_DENIED state. The timer deletes sessions after 2 minutes.

Examples

This example shows how to enable an authentication proxy watch list:

Router(config-if)# ip auth-proxy watch-list enable
Router(config-if)#

This example shows how to disable an authentication proxy watch list:

Router(config-if)# no ip auth-proxy watch-list
Router(config-if)#

This example shows how to add an IP address to a watch list:

Router(config-if)# ip auth-proxy watch-list add-item 12.0.0.2
Router(config-if)#

This example shows how to set the duration of time that an entry is in a watch list:

Router(config-if)# ip auth-proxy watch-list expiry-time 29
Router(config-if)#

Related Commands

Command
Description

clear ip auth-proxy watch-list

Deletes a single watch-list entry or all watch-list entries.

ip auth-proxy max-login-attempts

Limits the number of login attempts at a firewall interface.

show ip auth-proxy watch-list

Displays the information about the authentication proxy watch list.


ip casa

To configure the router to function as a forwarding agent, use the ip casa command. To disable the forwarding agent, use the no form of this command.

ip casa [control-address igmp-address [udp-limit]]

no ip casa

Syntax Description

control-address

(Optional) IP address of the forwarding agent side of the services manager and forwarding agent tunnel used for sending signals.

igmp-address

IGMP address on which the forwarding agent will listen for wildcard and fixed affinities.

udp-limit

(Optional) Maximum UDP queue length; valid values are from 50 to 65535.


Command Default

The default udp-limit value is 256.

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

If more than the maximum udp-limit value arrives in a burst, the CASA wildcard updates from the service manager might get dropped.

The control-address value is unique for each forwarding agent.

Examples

This example shows how to specify the IP address (10.10.4.1) and IGMP address (224.0.1.2) for the forwarding agent and set the UDP queue length to 300:

Router(config)# ip casa 10.10.4.1 224.0.1.2 300
Router(config)# 

Related Commands

Command
Description

forwarding-agent

Specifies the port on which the forwarding agent listens for the wildcard and the fixed affinities.


ip cef load-sharing algorithm

To select a CEF load-balancing algorithm, use the ip cef load-sharing algorithm command. To return to the default universal load-balancing algorithm, use the no form of this command.

ip cef load-sharing algorithm {original | tunnel [id] | universal [id]}

no ip cef load-sharing algorithm {original | tunnel [id] | universal [id]}

Syntax Description

original

Sets the load-balancing algorithm to the original based on a source and destination hash.

tunnel

Sets the load-balancing algorithm for use in tunnel environments or in environments where there are only a few IP source and destination address pairs.

universal

Sets the load-balancing algorithm to the universal algorithm that uses a source, destination, and ID hash.

id

(Optional) Fixed identifier.


Command Default

The universal load-balancing is selected.

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

The original CEF load-sharing algorithm produced distortions in load-balancing across multiple routers due to the use of the same algorithm on every router. When the load-balancing algorithm is set to universal mode, each router on the network can make a different load-balancing decision for each source-destination address pair, which resolves load-balancing distortions.

Use the tunnel algorithm to share the load more fairly when only a few source-destination pairs are involved.

Examples

This example shows how to enable the CEF load-balancing algorithm for universal environments:

Router(config)# ip cef load-sharing algorithm universal 1
Router(config)#

Related Commands

Command
Description

ip load-sharing

Enables load balancing.


ip cef table consistency-check

To enable the CEF-table consistency-checker types and parameters, use the ip cef table consistency-check command. To disable consistency checkers, use the no form of this command.

ip cef table consistency-check [type {lc-detect | scan-lc | scan-rib | scan-rp}] [count count-number] [period seconds]

ip cef table consistency-check [settle-time seconds]

no ip cef table consistency-check [type {lc-detect | scan-lc | scan-rib | scan-rp}] [count count-number] [period seconds]

no ip cef table consistency-check [settle-time seconds]

Syntax Description

type

(Optional) Specifies the type of consistency check to configure.

lc-detect

(Optional) Specifies that the module detects a missing prefix.

scan-lc

(Optional) Specifies a passive scan check of tables on the module.

scan-rib

(Optional) Specifies a passive scan check of tables on the rendezvous point against RIB.

scan-rp

(Optional) Specifies a passive scan check of tables on the rendezvous point.

count count-number

(Optional) Specifies the maximum number of prefixes to check per scan; valid values are from 1 to 225.

period seconds

(Optional) Specifies the period between scans; valid values are from 30 to 3600 seconds.

settle-time seconds

(Optional) Specifies the elapsed time during which updates for a candidate prefix are ignored as inconsistencies; valid values are from 1 to 3600 seconds.


Command Default

Enabled

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

This command configures CEF-table consistency checkers and parameters for the detection mechanism types that are listed in Table 2-12.

Table 2-12 Detection Mechanism Types

Mechanism
Operates On
Description

Lc-detect

Module

Operates on the module by retrieving IP prefixes found missing from its FIB table. If IP prefixes are missing, the module cannot forward packets for these addresses. Lc-detect sends IP prefixes to the rendezvous point for confirmation. If the rendezvous point detects that it has the relevant entry, an inconsistency is detected and a system message is displayed. Also, the rendezvous point sends a signal back to the module confirming that the IP prefix is an inconsistency.

Scan-lc

Module

Operates on the module by looking through the FIB table for a configurable time period and sending the next n prefixes to the rendezvous point. The rendezvous point does an exact lookup. If it finds the prefix missing, the rendezvous point reports an inconsistency. Finally, the rendezvous point sends a signal back to the module for confirmation.

Scan-rp

Route Processor

Operates on the rendezvous point (opposite of the scan-lc) by looking through the FIB table for a configurable time period and sending the next n prefixes to the module. The module does an exact lookup. If it finds the prefix missing, the module reports an inconsistency and finally signals the rendezvous point for confirmation.

Scan-rib

Route Processor

Operates on all RPs (even nondistributed) and scans the RIB to ensure that prefix entries are present in the rendezvous point FIB table.


Examples

This example shows how to enable the CEF-table consistency checkers:

Router(config)# ip cef table consistency-check
Router(config)# 

Related Commands

Command
Description

clear ip cef inconsistency

Clears the statistics and records for the CEF-consistency checker.

show ip cef inconsistency

Displays the IP CEF inconsistencies.


ip dhcp relay information option trust-all

To enable all the interfaces as trusted sources of the DHCP relay-agent information option, use the ip dhcp relay information option trust-all command. To return to the default settings, use the no form of this command.

ip dhcp relay information option trust-all

no ip dhcp relay information option trust-all

Syntax Description

This command has no arguments or keywords.

Command Default

The DHCP server does not insert relay information.

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

This command is used by cable access router termination systems. This functionality enables a DHCP server to identify the user (cable access router) sending the request and initiate appropriate action that is based on this information.

Examples

This example shows how to specify that all interfaces on the router are trusted:

Router(config)# ip dhcp relay information option trust-all
Router(config)# 

Related Commands

Command
Description

show ip dhcp relay information trusted-sources

Lists all the configured trusted interfaces.


ip dhcp relay information trust

To enable an interface as a trusted source of the DHCP relay-agent information, use the ip dhcp relay information trust command. To return to the default settings, use the no form of this command.

ip dhcp relay information trust

no ip dhcp relay information trust

Syntax Description

This command has no arguments or keywords.

Command Default

All interfaces on the router are untrusted.

Command Modes

Interface configuration (config-if)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

Configuring an interface as a trusted source of relay-agent information allows the interface to receive DHCP discover or request packets. DHCP discover or request packets contain the relay-agent information option.

Examples

This example shows how to specify that the interface is trusted:

Router(config-if)# ip dhcp relay information trust
Router(config-if)# 

Related Commands

Command
Description

show ip dhcp relay information trusted-sources

Lists all the configured trusted interfaces.


ip dhcp route connected

To specify routes as connected routes, use the ip dhcp route connected command. To return to the default settings, use the no form of this command.

ip dhcp route connected

no ip dhcp route connected

Syntax Description

This command has no arguments or keywords.

Command Default

All interfaces on the router are untrusted.

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

If you enable the ip dhcp route connected command, DHCP downloads the route database from a database agent and adds the routes as connected routes, even though they may have been added as static routes previously.

Examples

This example shows how to specify routes as connected routes:

Router(config)# ip dhcp route connected
Router(config)# 

ip dhcp snooping

To globally enable DHCP snooping, use the ip dhcp snooping command. To disable DHCP snooping, use the no form of this command.

ip dhcp snooping

no ip dhcp snooping

Syntax Description

This command has no arguments or keywords.

Command Default

Disabled

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

Wireless clients, or mobile nodes, gain access to an untrusted wireless network only if there is a corresponding entry in the DHCP snooping database. Enable DHCP snooping globally by entering the ip dhcp snooping command, and enable DHCP snooping on the tunnel interface by entering the ip dhcp snooping packets command. After you enable DHCP snooping, the process snoops DHCP packets to and from the mobile nodes and populates the DHCP snooping database.

Examples

This example shows how to enable DHCP snooping:

Router(config)# ip dhcp snooping
Router(config)#

This example shows how to disable DHCP snooping:

Router(config)# no ip dhcp snooping
Router(config)#

Related Commands

Command
Description

ip dhcp snooping packets

Enables DHCP snooping on the tunnel interface.

show ip dhcp snooping

Displays the DHCP snooping configuration.

show ip dhcp snooping binding

Displays the DHCP snooping binding entries.

show ip dhcp snooping database

Displays the status of the DHCP snooping database agent.


ip dhcp snooping binding

To set up and generate a DHCP binding configuration to restore bindings across reboots, use the ip dhcp snooping binding command. To disable the binding configuration, use the no form of this command.

ip dhcp snooping binding mac-address {vlan vlan} ip-address {interface interface interface-number} {expiry seconds}

no ip dhcp snooping binding mac-address vlan vlan-# ip-address interface interface

Syntax Description

mac-address

MAC address.

vlan vlan

Specifies a valid VLAN number; valid values are from 1 to 4094.

ip-address

IP address.

interface interface

Specifies the interface type; possible valid values are ethernet, fastethernet, gigabitethernet, tengigabitethernet.

interface-number

Module and port number.

expiry seconds

Specifies the interval after which binding is no longer valid; valid values are from 1 to 4294967295 seconds.


Command Default

This command has no default settings.

Command Modes

Privileged EXEC (#)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

When you add or remove a binding using this command, the binding database is marked as changed and a write is initiated.

A maximum of 512 bindings are allowed in the DHCP snooping database.

Examples

This example shows how to generate a DHCP binding configuration on interface gigabitethernet1/1 in VLAN 1 with an expiration time of 1000 seconds:

Router# ip dhcp snooping binding 0000.0c00.40af vlan 1 10.42.0.6 interface gi1/1 expiry 1000
Router#

Related Commands

Command
Description

show ip dhcp snooping

Displays the DHCP snooping configuration.

show ip dhcp snooping binding

Displays the DHCP snooping binding entries.

show ip dhcp snooping database

Displays the status of the DHCP snooping database agent.


ip dhcp snooping database

To configure the DHCP-snooping database, use the ip dhcp snooping database command.

ip dhcp snooping database {bootflash:url | ftp:url | rcp:url | scp:url | sup-bootflash: | tftp:url}

ip dhcp snooping database {timeout timeout | write-delay time}

Syntax Description

bootflash:url

Specifies the database URL for storing entries using the bootflash.

ftp:url

Specifies the database URL for storing entries using FTP.

rcp:url

Specifies the database URL for storing entries using RCP.

scp:url

Specifies the database URL for storing entries using SCP.

sup-bootflash:

Specifies the database URL for storing entries using the supervisor engine bootflash.

tftp:url

Specifies the database URL for storing entries using TFTP.

timeout timeout

Specifies the abort timeout interval; valid values are from 0 to 86400 seconds.

write-delay time

Specifies the amount of time before writing the DHCP-snooping entries to an external server after a change is seen in the local DHCP-snooping database; valid values are from 15 to 86400 seconds.


Command Default

This command has no default settings.

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

You must enable DHCP snooping on the interface before entering this command. Use the ip dhcp snooping command to enable DHCP snooping.

Examples

This example shows how to specify the database URL using TFTP:

Router(config)# ip dhcp snooping database tftp://90.90.90.90/snooping-rp2
Router(config)#

This example shows how to specify the amount of time before writing DHCP snooping entries to an external server:

Router(config)# ip dhcp snooping database write-delay 15
Router(config)#

Related Commands

Command
Description

show ip dhcp snooping

Displays the DHCP snooping configuration.

show ip dhcp snooping binding

Displays the DHCP snooping binding entries.

show ip dhcp snooping database

Displays the status of the DHCP snooping database agent.


ip dhcp snooping information option

To enable DHCP option 82 data insertion, use the ip dhcp snooping information option command. To disable DHCP option 82 data insertion, use the no form of this command.

ip dhcp snooping information option [allow-untrusted]

no ip dhcp snooping information option

Syntax Description

allow-untrusted

(Optional) Enables the switch to accept incoming DHCP snooping packets with option 82 information from the edge switch.


Command Default

The defaults are as follows:

ip dhcp snooping information option—Enabled

ip dhcp snooping information option allow-untrusted—Disabled

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

DHCP option 82 is part of RFC 3046. DHCP is an application-layer protocol that is used for the dynamic configuration of TCP/IP networks. The protocol allows for a relay agent to pass DHCP messages between the DHCP clients and DHCP servers. By using a relay agent, servers do not have to be on the same network as the clients. Option 82 (82 is the option's code) addresses the security and scalability issues. Option 82 resides in the relay agent when DHCP packets that originate from the forwarding client are sent to the server. Servers that recognize option 82 may use the information to implement the IP address or other parameter assignment policies. The DHCP server echoes the option back to the relay agent in its replies. The relay agent strips out the option from the relay agent before forwarding the reply to the client.

When you enter the ip dhcp snooping information option allow-untrusted command on an aggregation switch that is connected to an edge switch through an untrusted interface, the aggregation switch accepts packets with option 82 information from the edge switch. The aggregation switch learns the bindings for hosts connected through an untrusted switch interface. You can enable the DHCP security features, such as dynamic ARP inspection or IP source guard, on the aggregation switch while the switch receives packets with option 82 information on untrusted input interfaces to which hosts are connected. You must configure the port on the edge switch that connects to the aggregation switch as a trusted interface.


Caution Do not enter the ip dhcp snooping information option allow-untrusted command on an aggregation switch that is connected to an untrusted device. If you enter this command, an untrusted device might spoof the option 82 information.

Examples

This example shows how to enable DHCP option 82 data insertion:

Router(config)# ip dhcp snooping information option
Router(config)# 

This example shows how to disable DHCP option 82 data insertion:

Router(config)# no ip dhcp snooping information option
Router(config)# 

This example shows how to enable the switch to accept incoming DHCP snooping packets with option 82 information from the edge switch:

Router(config)# ip dhcp snooping information option allow-untrusted
Router(config)# 

Related Commands

Command
Description

show ip dhcp snooping

Displays the DHCP snooping configuration.

show ip dhcp snooping binding

Displays the DHCP snooping binding entries.

show ip dhcp snooping database

Displays the status of the DHCP snooping database agent.


ip dhcp snooping limit rate

To configure the number of DHCP messages that an interface can receive per second, use the ip dhcp snooping limit rate command. To disable the DHCP message rate limiting, use the no form of this command.

ip dhcp snooping limit rate rate

no ip dhcp snooping limit rate

Syntax Description

rate

Number of DHCP messages that a switch can receive per second; valid values are from 1 to 4294967294 seconds.


Command Default

Disabled

Command Modes

Interface configuration (config-if)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

This command is supported on Layer 2 switch-port and port-channel interfaces only.

Typically, the rate limit applies to the untrusted interfaces. If you want to set up rate limiting for the trusted interfaces, note that the trusted interfaces aggregate all DHCP traffic in the switch, and you will need to adjust the rate limit of the interfaces to a higher value.

Examples

This example shows how to specify the number of DHCP messages that a switch can receive per second:

Router(config-if)# ip dhcp snooping limit rate 150
Router(config-if)#

This example shows how to disable the DHCP message rate limiting:

Router(config-if)# no ip dhcp snooping limit rate
Router(config-if)#

Related Commands

Command
Description

show ip dhcp snooping

Displays the DHCP snooping configuration.

show ip dhcp snooping binding

Displays the DHCP snooping binding entries.

show ip dhcp snooping database

Displays the status of the DHCP snooping database agent.


ip dhcp snooping packets

To enable DHCP snooping on the tunnel interface, use the ip dhcp snooping packets command. To disable DHCP snooping, use the no form of this command.

ip dhcp snooping packets

no ip dhcp snooping packets

Syntax Description

This command has no arguments or keywords.

Command Default

Disabled

Command Modes

Interface configuration (config-if)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

This command is supported on Layer 2 switch-port and port-channel interfaces only.

This command is supported on Catalyst 6500 series switches that are configured with a WLSM only.

Wireless clients, or mobile nodes, gain access to an untrusted wireless network only if there is a corresponding entry in the DHCP snooping database. Enable DHCP snooping globally by entering the ip dhcp snooping command, and enable DHCP snooping on the tunnel interface by entering the ip dhcp snooping packets command. After you enable DHCP snooping, the process snoops DHCP packets to and from the mobile nodes and populates the DHCP snooping database.

Examples

This example shows how to enable DHCP snooping:

Router(config-if)# ip dhcp snooping packets
Router(config-if)#

This example shows how to disable DHCP snooping:

Router(config-if)# no ip dhcp snooping packets
Router(config-if)#

Related Commands

Command
Description

show ip dhcp snooping

Displays the DHCP snooping configuration.

show ip dhcp snooping binding

Displays the DHCP snooping binding entries.

show ip dhcp snooping database

Displays the status of the DHCP snooping database agent.


ip dhcp snooping verify mac-address

To verify that the source MAC address in a DHCP packet matches the client hardware address on an untrusted port, use the ip dhcp snooping verify mac-address command. To disable verification, use the no form of this command.

ip dhcp snooping verify mac-address

no ip dhcp snooping verify mac-address

Syntax Description

This command has no arguments or keywords.

Command Default

Enabled

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

For untrusted DHCP snooping ports, DHCP snooping verifies the MAC address on the client hardware address field to ensure that a client is requesting multiple addresses from a single MAC address. You can use the ip dhcp snooping verify mac-address command to trust the ports or you can use the no ip dhcp snooping verify mac-address command to leave the ports untrusted by disabling the MAC address verification on the client hardware address field.

Examples

This example shows how to verify that the source MAC address in a DHCP packet matches the client hardware address on an untrusted port:

Router(config)# ip dhcp snooping verify mac-address
Router(config)#

This example shows how to turn off the verification of the MAC address on the client hardware address field:

Router(config)# no ip dhcp snooping verify mac-address
Router(config)#
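
The two untrusted-port checks described in this section (option 82 acceptance under ip dhcp snooping information option, and the source MAC versus client hardware address comparison under ip dhcp snooping verify mac-address), as an added Python example that is not part of the Cisco reference. It is a simplified model, not the switch's implementation: the function names, the drop-by-default handling of option 82 when allow-untrusted is off, and the sample frames are assumptions constructed for illustration.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie (RFC 2131)

def walk_tlv(buf, dhcp=True):
    """Walk code/length/value items. DHCP options also use 0 = pad, 255 = end."""
    out, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if dhcp and code == 255:
            break
        if dhcp and code == 0:
            i += 1
            continue
        if i + 2 > len(buf):
            raise ValueError("truncated item header")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated item %d" % code)
        out[code] = value
        i += 2 + length
    return out

def parse_option82(value):
    """RFC 3046 sub-options: 1 = Agent Circuit ID, 2 = Agent Remote ID."""
    return walk_tlv(value, dhcp=False)

def parse_frame(frame):
    """Extract the fields the checks need from Ethernet/IPv4/UDP/DHCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not IPv4 over Ethernet")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17 or len(ip) < ihl + 8:
        raise ValueError("not UDP")
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    if {sport, dport} - {67, 68}:
        raise ValueError("not DHCP")
    bootp = ip[ihl + 8:]
    if len(bootp) < 240 or bootp[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    hlen = min(bootp[2], 16)          # chaddr is a 16-byte field at offset 28
    return {"src_mac": frame[6:12], "chaddr": bootp[28:28 + hlen],
            "options": walk_tlv(bootp[240:])}

def inspect_untrusted(frame, verify_mac=True, allow_untrusted_opt82=False):
    """Return the reasons a frame from an untrusted port would be dropped."""
    pkt = parse_frame(frame)
    reasons = []
    if verify_mac and pkt["src_mac"] != pkt["chaddr"]:
        reasons.append("source MAC != chaddr")
    if 82 in pkt["options"] and not allow_untrusted_opt82:
        reasons.append("option 82 on untrusted port")
    return reasons

def build_frame(src_mac, chaddr, extra_options=b""):
    """Constructed DHCPDISCOVER for the demo (IP/UDP checksums left at 0)."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234, 0, 0,
                        bytes(4), bytes(4), bytes(4), bytes(4), chaddr, b"", b"")
    bootp += MAGIC + b"\x35\x01\x01" + extra_options + b"\xff"
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4) + udp
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip

# Constructed sample values (locally administered MACs, made-up circuit/remote IDs).
HOST = bytes.fromhex("020000000001")
OTHER = bytes.fromhex("020000000002")
SUBOPTS = b"\x01\x04" + b"\x00\x0a\x01\x07" + b"\x02\x04" + b"edge"
OPT82 = bytes([82, len(SUBOPTS)]) + SUBOPTS

if __name__ == "__main__":
    for label, frame in [("clean", build_frame(HOST, HOST)),
                         ("mac mismatch", build_frame(HOST, OTHER)),
                         ("with option 82", build_frame(HOST, HOST, OPT82))]:
        print(label, inspect_untrusted(frame))
```

With allow_untrusted_opt82=True the third frame passes and its option 82 content is taken as received, which is the exposure the Caution under ip dhcp snooping information option describes.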

Related Commands

Command
Description

show ip dhcp snooping

Displays the DHCP snooping configuration.

show ip dhcp snooping binding

Displays the DHCP snooping binding entries.

show ip dhcp snooping database

Displays the status of the DHCP snooping database agent.


ip dhcp snooping vlan

To enable DHCP snooping on a VLAN or a group of VLANs, use the ip dhcp snooping vlan command. To disable DHCP snooping on a VLAN or a group of VLANs, use the no form of this command.

ip dhcp snooping vlan {number | vlanlist}

no ip dhcp snooping vlan {number | vlanlist}

Syntax Description

number | vlanlist

VLAN number or a group of VLANs; valid values are from 1 to 4094. See the "Usage Guidelines" section for additional information.


Command Default

Disabled

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

DHCP snooping is enabled on a VLAN only if both the global snooping and the VLAN snooping are enabled.

Enter the range of VLANs using this format: 1,3-5,7,9-11.

Examples

This example shows how to enable DHCP snooping on a VLAN:

Router(config)# ip dhcp snooping vlan 10
Router(config)# 

This example shows how to disable DHCP snooping on a VLAN:

Router(config)# no ip dhcp snooping vlan 10
Router(config)# 

This example shows how to enable DHCP snooping on a group of VLANs:

Router(config)# ip dhcp snooping vlan 10,4-8,55
Router(config)# 

This example shows how to disable DHCP snooping on a group of VLANs:

Router(config)# no ip dhcp snooping vlan 10,4-8,55
Router(config)# 
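
An offline audit of a saved configuration against the rules stated in the DHCP snooping entries above, as an added Python example that is not part of the Cisco reference. It expands VLAN lists in the 1,3-5,7,9-11 format, applies the rule that snooping is active on a VLAN only when both the global and the VLAN commands are present, and flags allow-untrusted, disabled MAC verification, and untrusted ports without a rate limit. The function names, finding labels and sample configuration are constructed; ip dhcp snooping trust is a standard IOS interface command that is not documented in this section.

```python
import re

def parse_vlan_list(text):
    """Expand an IOS VLAN list such as '1,3-5,7,9-11' into a set of VLAN IDs."""
    vlans = set()
    for part in text.split(","):
        m = re.fullmatch(r"\s*(\d+)(?:\s*-\s*(\d+))?\s*", part)
        if not m:
            raise ValueError("bad VLAN list item: %r" % part)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) is not None else lo
        if not 1 <= lo <= hi <= 4094:
            raise ValueError("VLAN outside 1-4094 or reversed range: %r" % part)
        vlans.update(range(lo, hi + 1))
    return vlans

def audit(config):
    """Return (effective_snooping_vlans, findings) for running-config text."""
    global_on, vlans, findings = False, set(), []
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw[:1] != " ":            # an unindented line ends the interface block
            current = None
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ports[current] = {"trusted": False, "rate": None}
        elif current is not None:
            if line == "ip dhcp snooping trust":
                ports[current]["trusted"] = True
            m = re.fullmatch(r"ip dhcp snooping limit rate (\d+)", line)
            if m:
                ports[current]["rate"] = int(m.group(1))
        elif line == "ip dhcp snooping":
            global_on = True
        elif line.startswith("ip dhcp snooping vlan "):
            vlans |= parse_vlan_list(line[len("ip dhcp snooping vlan "):])
        elif line == "ip dhcp snooping information option allow-untrusted":
            findings.append("allow-untrusted")
        elif line == "no ip dhcp snooping verify mac-address":
            findings.append("verify-mac-off")
    if vlans and not global_on:
        # VLAN snooping alone does nothing until global snooping is enabled.
        findings.append("global-off")
    for name, port in ports.items():
        if not port["trusted"] and port["rate"] is None:
            findings.append("no-rate-limit:" + name)
    return (vlans if global_on else set()), findings

# Constructed sample configuration (not taken from a real device).
SAMPLE = "\n".join([
    "ip dhcp snooping vlan 10,4-8,55",
    "ip dhcp snooping information option allow-untrusted",
    "no ip dhcp snooping verify mac-address",
    "!",
    "interface GigabitEthernet1/1",
    " switchport",
    " ip dhcp snooping limit rate 150",
    "!",
    "interface GigabitEthernet1/2",
    " switchport",
    "!",
    "interface GigabitEthernet1/48",
    " switchport",
    " ip dhcp snooping trust",
])

if __name__ == "__main__":
    effective, findings = audit(SAMPLE)
    print("effective VLANs:", sorted(effective))
    print("findings:", findings)
```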

Related Commands

Command
Description

show ip dhcp snooping

Displays the DHCP snooping configuration.

show ip dhcp snooping binding

Displays the DHCP snooping binding entries.

show ip dhcp snooping database

Displays the status of the DHCP snooping database agent.


ip flow-aggregation cache

To create a flow-aggregation cache and enter the aggregation cache configuration mode, use the ip flow-aggregation cache command. To negate a command or return to its default settings, use the no form of this command.

ip flow-aggregation cache {as | destination-prefix | prefix | protocol-port | source-prefix}

no ip flow-aggregation cache {as | destination-prefix | prefix | protocol-port | source-prefix}

Syntax Description

as

Configures the autonomous-system aggregation-cache scheme.

destination-prefix

Configures the destination-prefix aggregation-cache scheme.

prefix

Configures the prefix aggregation-cache scheme.

protocol-port

Configures the protocol-port aggregation-cache scheme.

source-prefix

Configures the source-prefix aggregation-cache scheme.


Command Default

The defaults are as follows:

entries num is 4096 entries.

active time is 30 minutes.

inactive time is 15 seconds.

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

In source-prefix aggregation mode, only the source mask is configurable. In destination-prefix aggregation mode, only the destination mask is configurable.

Once you enter the flow aggregation cache configuration mode, these commands are available:

cache {entries num} | {timeout {active time} | {inactive time}}

default {cache {entries | timeout}} | enabled | {export destination}

enabled

export destination ip-addr udp-port-num

The syntax descriptions are as follows:

cache

Configures the NetFlow cache parameters.

entries num

Specifies the number of entries in the flow cache; valid values are from 1024 to 524288 flow entries.

timeout

Specifies the timeout parameters for the flow cache.

active time

Specifies the active flow timeout; valid values are from 1 to 60 minutes.

inactive time

Specifies the inactive flow timeout; valid values are from 10 to 600 seconds.

default

Sets a command to its default.

enabled

Enables the aggregation cache.

export destination

Specifies the host or port to send flow statistics.

ip-addr

Destination IP address or hostname.

udp-port-num

UDP port number; valid values are from 1 to 65535.


Examples

This example shows how to enable an autonomous-system aggregation-cache scheme:

Router(config)# ip flow-aggregation cache as 
Router(config-flow-cache)# enabled
Router(config-flow-cache)# 

Related Commands

Command
Description

show ip cache flow

Displays a summary of the NetFlow cache-flow entries.


ip flow-cache entries

To change the number of entries that are maintained in the NetFlow cache, use the ip flow-cache entries command. To return to the default number of entries, use the no form of this command.

ip flow-cache entries number

no ip flow-cache entries

Syntax Description

number

Number of entries to maintain in the NetFlow cache; valid values are from 1024 to 524288 entries.


Command Default

65536 entries

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

Typically, the default size of the NetFlow cache will meet your needs. However, you can increase or decrease the number of entries that are maintained in the cache to meet the needs of your flow traffic rates. For environments with a high amount of flow traffic (such as an Internet core router), we recommend that you maintain a larger value such as 131072. To obtain information on your flow traffic, use the show ip cache flow command.

Each cache entry is approximately 64 bytes of storage. Assuming a cache with the default number of entries, approximately 4 MB of DRAM would be required. Each time that a new flow is taken from the free-flow queue, the number of free flows is checked. If there are only a few free flows remaining, NetFlow attempts to age 30 flows using an accelerated timeout. If there is only one free flow remaining, NetFlow automatically ages 30 flows regardless of their age. This action ensures that free flow entries are always available.


Caution We recommend that you do not change the number of entries in the NetFlow cache. Improper use of this feature could cause network problems. To return to the default number of entries in the NetFlow cache, use the no ip flow-cache entries command.

Examples

This example shows how to increase the number of entries in the NetFlow cache to 131072:

Router(config)# ip flow-cache entries 131072
Router(config)# exit

Related Commands

Command
Description

show ip cache flow

Displays a summary of the NetFlow cache-flow entries.


ip flow-export

To globally enable NDE for the hardware-switched flows, use the ip flow-export command. To disable NDE for the hardware-switched flows, use the no form of this command.

ip flow-export

no ip flow-export

Syntax Description

This command has no arguments or keywords.

Command Default

The defaults are as follows:

Disabled

Version 7

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

To change the default NDE version, use the ip flow-export hardware version command.

Examples

This example shows how to enable NDE for the hardware-switched flows:

Router(config)# ip flow-export
Router(config)#

This example shows how to disable NDE for the hardware-switched flows:

Router(config)# no ip flow-export
Router(config)#

Related Commands

Command
Description

ip flow-export hardware version

Specifies the NDE version for hardware-switched flows.

show mls nde

Displays information about the NDE hardware-switched flow.


ip flow-export destination

To export the NetFlow cache entries to a specific destination, use the ip flow-export destination command. To disable information exporting, use the no form of this command.

ip flow-export destination {hostname | ip-address} udp-port

no ip flow-export destination

Syntax Description

hostname

IP hostname of the workstation to which you want to export the NetFlow information.

ip-address

IP address of the workstation to which you want to export the NetFlow information.

udp-port

UDP protocol-specific port number.


Command Default

Disabled

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

You can enter two destination IP addresses to improve the probability of receiving complete NetFlow data by providing redundant data streams.

To configure multiple NetFlow export destinations on a router, enter the ip flow-export destination command twice, once for each destination. Do not enter the same IP address twice. However, you can configure two different IP addresses with the same UDP port number.

A NetFlow cache entry contains a lot of information. When flow switching is enabled with the ip route-cache flow command, you can use the ip flow-export destination command to configure the router to export the flow cache entry to a workstation when a flow expires. This feature can be useful for statistics, billing, and security, for example.

When entering the ip-address value, follow these guidelines:

You cannot enter the IP address of the interface that you are currently on; you must use an address from the subnet of any interface that is not being used.

You cannot use an address from a loopback interface; loopback interfaces do not have internal VLAN IDs or MAC addresses.

To specify the source IP address of the data, use the ip flow-export source command. To specify the version that is used on the workstation that receives the NetFlow data, use the ip flow-export version command.

For more information on NDE, refer to the "Configuring NDE" chapter in the Catalyst Supervisor Engine 32 PISA Cisco IOS Software Configuration Guide—Release 12.2ZY.

Examples

This example shows how to export a NetFlow cache entry to UDP port 125 using the version 1 format on the workstation that has an IP address of 10.42.42.1 99917:

Router# configure terminal
Router(config)# ip flow-export destination 10.42.42.1 9991 125
Router(config)# exit

Related Commands

Command
Description

ip flow-export source

Specifies the source interface IP address that is used in the NDE datagram.

ip flow-export version

Specifies the version for the export of information in NetFlow cache entries.

ip route-cache flow

Enables NetFlow switching for IP routing.


ip flow-export hardware version

To specify the NDE version for hardware-switched flows, use the ip flow-export hardware version command. To return to the default settings, use the no form of this command.

ip flow-export hardware version [5 | 7]

no ip flow-export hardware version

Syntax Description

5

Specifies that the export packet uses the version 5 format; see the "Usage Guidelines" section for additional information.

7

Specifies that the export packet uses the version 7 format; see the "Usage Guidelines" section for additional information.


Command Default

Version 7

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Examples

This example shows how to specify the NDE version for hardware-switched flows:

Router(config)# ip flow-export hardware version 5
Router(config)#

Related Commands

Command
Description

ip flow-export interface

Enables the interface-based ingress NDE for hardware-switched flows.

show mls nde

Displays information about the NDE hardware-switched flow.


ip flow-export interface

To enable the interface-based ingress NDE for hardware-switched flows, use the ip flow-export interface command. To disable interface-based NDE for hardware-switched flows, use the no form of this command.

ip flow-export interface

no ip flow-export interface

Syntax Description

This command has no arguments or keywords.

Command Default

Disabled

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

Use the ip flow-export interface command with the ip flow ingress command to enable or disable NDE on a specific interface.

Examples

This example shows how to enable interface-based NDE for hardware-switched flows:

Router(config)# ip flow-export interface
Router(config)#

This example shows how to disable interface-based NDE for hardware-switched flows:

Router(config)# no ip flow-export interface
Router(config)#

Related Commands

Command
Description

ip flow-export hardware version

Specifies the NDE version for hardware-switched flows.

show ip flow-export

Displays the information about the hardware-switched and software-switched flows for the data export, including the main cache and all other enabled caches.

show mls nde

Displays information about the NDE hardware-switched flow.


ip flow-export source

To specify the source interface IP address that is used in the NDE datagram, use the ip flow-export source command. To remove the source address, use the no form of this command.

ip flow-export source [{interface interface-number} | {null interface-number} | {port-channel number} | {vlan vlan-id}]

no ip flow-export source [{interface interface-number} | {null interface-number} | {port-channel number} | {vlan vlan-id}]

Syntax Description

interface

(Optional) Interface type; possible valid values are ethernet, fastethernet, gigabitethernet, tengigabitethernet, pos, ge-wan, and atm.

interface-number

(Optional) Module and port number; see the "Usage Guidelines" section for valid values.

null interface-number

(Optional) Specifies the null interface; the valid value is 0.

port-channel number

(Optional) Specifies the channel interface; valid values are a maximum of 64 values ranging from 1 to 256.

vlan vlan-id

(Optional) Specifies the VLAN; valid values are from 1 to 4094.


Command Default

No source interface is specified.

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

The interface-number argument designates the module and port number. Valid values for interface-number depend on the specified interface type and the chassis and module that are used. For example, if you specify a Gigabit Ethernet interface and have a 48-port 10/100BASE-T Ethernet module that is installed in a 13-slot chassis, valid values for the module number are from 1 to 13 and valid values for the port number are from 1 to 48.

After you configure NDE, you can specify the source interface that is used in the UDP datagram containing the export data. The NetFlow Collector on the workstation uses the IP address of the source interface to determine which router sent the information. The NetFlow Collector performs SNMP queries to the router using the IP address of the source interface. Because the IP address of the source interface can change (for example, the interface might flap so a different interface is used to send the data), we recommend that you configure a loopback source interface. A loopback interface is always up and can respond to SNMP queries from the NetFlow Collector on the workstation.

For more information on NDE, refer to the "Configuring NDE" chapter in the Catalyst Supervisor Engine 32 PISA Cisco IOS Software Configuration Guide—Release 12.2ZY.

Examples

This example shows the configuration for a loopback source interface. The loopback interface has the IP address 4.0.0.1 and is used by the serial interface in slot 5, port 0:

Router# configure terminal
Router(config)# interface loopback0
Router(config-if)# ip address 4.0.0.1 255.0.0.0
Router(config-if)# exit
Router(config)# interface serial 5/0:0
Router(config-if)# ip unnumbered loopback0
Router(config-if)# no ip mroute-cache
Router(config-if)# encapsulation ppp
Router(config-if)# ip route-cache flow
Router(config-if)# exit
Router(config)# ip flow-export source loopback0
Router(config)# exit

Related Commands

Command
Description

ip flow-export destination

Exports the NetFlow cache entries to a specific destination.

ip flow-export version

Specifies the version for the export of information in NetFlow cache entries.

ip route-cache flow

Enables NetFlow switching for IP routing.


ip flow-export version

To specify the version for the export of information in NetFlow cache entries, use the ip flow-export version command. To return to the default settings, use the no form of this command.

ip flow-export version {1 | {5 [origin-as | peer-as]} | {9 [bgp-nexthop | origin-as | peer-as]}}

no ip flow-export version

Syntax Description

1

Specifies that the export packet use the version 1 format; see the "Usage Guidelines" section for additional information.

5

Specifies that the export packet use the version 5 format; see the "Usage Guidelines" section for additional information.

origin-as

(Optional) Specifies that export statistics include the origin autonomous system for the source and destination.

peer-as

(Optional) Specifies that export statistics include the peer autonomous system for the source and destination.

9

Specifies that the export packet uses the version 9 format; see the "Usage Guidelines" section for additional information.

bgp-nexthop

(Optional) Specifies that export statistics include the BGP next hop for the source and destination.


Command Default

Export of information in NetFlow cache entries is disabled.

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

Version 5 and version 9 formats include the source and destination autonomous-system addresses and source and destination prefix masks. Also, version 9 includes BGP next-hop information.

The number of records stored in the datagram is a variable from 1 to 24 for version 1. The number of records stored in the datagram is a variable between 1 and 30 for version 5.

For more information on NDE, refer to the "Configuring NDE" chapter in the Catalyst Supervisor Engine 32 PISA Cisco IOS Software Configuration Guide—Release 12.2ZY.

Examples

This example shows how to export the data using the version 5 format:

Router(config)# ip flow-export version 5
Router(config)# 
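
A collector-side check for version 5 export datagrams, as an added Python example that is not part of the Cisco reference. It enforces the 1 to 30 records per datagram stated above, reads the autonomous-system and prefix-mask fields that version 5 carries, accepts datagrams only from the configured export source address, and uses the header's flow sequence counter to report flows lost in transit. The 24-byte header and 48-byte record layout follow Cisco's published version 5 export format, which this page does not reproduce; the function and class names and the sample flows are constructed, and 4.0.0.1 is the loopback address from the ip flow-export source example.

```python
import socket
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes

def parse_v5(datagram):
    """Validate and decode one NetFlow version 5 export datagram."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("shorter than a v5 header")
    (version, count, _uptime, _secs, _nsecs, sequence,
     engine_type, engine_id, _sampling) = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("not version 5")
    if not 1 <= count <= 30:
        raise ValueError("record count outside 1-30")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("length does not match record count")
    records = []
    for n in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + n * V5_RECORD.size)
        records.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "packets": f[5], "octets": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13],
            "src_as": f[15], "dst_as": f[16],
            "src_mask": f[17], "dst_mask": f[18],
        })
    header = {"count": count, "sequence": sequence,
              "engine": (engine_type, engine_id)}
    return header, records

class Collector:
    """Accepts v5 datagrams from known export sources and tracks flow loss."""

    def __init__(self, allowed_sources):
        self.allowed = set(allowed_sources)
        self.expected = {}            # (source, engine type, engine id) -> next sequence

    def receive(self, source_ip, datagram):
        """Return (records, lost_flows) or raise if the datagram is rejected."""
        if source_ip not in self.allowed:
            raise PermissionError("unexpected export source " + source_ip)
        header, records = parse_v5(datagram)
        key = (source_ip,) + header["engine"]
        expected = self.expected.get(key)
        # flow_sequence counts flows exported so far, so the next datagram
        # should start at this sequence plus this record count.
        lost = 0 if expected is None else (header["sequence"] - expected) & 0xFFFFFFFF
        self.expected[key] = (header["sequence"] + header["count"]) & 0xFFFFFFFF
        return records, lost

def build_v5(sequence, flows):
    """Build a constructed v5 datagram from (src, dst, sport, dport, proto) tuples."""
    out = V5_HEADER.pack(5, len(flows), 0, 0, 0, sequence, 0, 0, 0)
    for src, dst, sport, dport, proto in flows:
        out += V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                              bytes(4), 1, 2, 10, 840, 0, 0, sport, dport,
                              0, 0, proto, 0, 64500, 64501, 24, 24, 0)
    return out

# Constructed sample flow (documentation address ranges, private-use AS numbers).
FLOW = ("192.0.2.10", "198.51.100.20", 49152, 443, 6)

if __name__ == "__main__":
    collector = Collector({"4.0.0.1"})
    print(collector.receive("4.0.0.1", build_v5(100, [FLOW, FLOW])))
    print(collector.receive("4.0.0.1", build_v5(105, [FLOW]))[1], "flows lost")
```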

Related Commands

Command
Description

show mls nde

Displays information about the NDE hardware-switched flow.


ip flow ingress

To enable the software-switched flow creation in Layer 3, use the ip flow ingress command. To return to the default settings, use the no form of this command.

ip flow ingress

no ip flow ingress

Syntax Description

This command has no arguments or keywords.

Command Default

Disabled

Command Modes

Interface configuration (config-if)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

To create a NetFlow entry, you need to enter the ip flow ingress command.

Follow these guidelines to display multicast entries:

Enter the show mls netflow ip command.

Enter the ip flow ingress command on an interface.

Make sure that you have not entered the no ip multicast netflow ingress command.

Examples

This example shows how to enable inbound NDE for IPv4-bridged flows and NetFlow entry creation:

Router(config-if)# ip flow ingress 
Router(config-if)# 

This example shows how to disable inbound NDE for IPv4-bridged flows:

Router(config-if)# no ip flow ingress
Router(config-if)# 

ip flow layer2-switched

To enable the creation of switched, bridged, and Layer 2 IP flows for a specific VLAN, use the ip flow layer2-switched command. To return to the default settings, use the no form of this command.

ip flow {ingress | export} layer2-switched {vlan {num | vlanlist}}

no ip flow {ingress | export} layer2-switched {vlan {num | vlanlist}}

Syntax Description

ingress

Enables the collection of switched, bridged, and IP flows in Layer 2.

export

Enables the export of switched, bridged, and IP flows in Layer 2.

vlan num | vlanlist

Specifies the VLAN or range of VLANs; valid values are from 1 to 4094. See the "Usage Guidelines" section for additional information.


Command Default

The defaults are as follows:

ip flow ingress layer2-switched is disabled.

ip flow export layer2-switched is enabled.

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

Before using this command, you must ensure that a corresponding VLAN interface is available and has a valid IP address.

You can enter one or multiple VLANs. The following examples are samples of valid VLAN lists: 1; 1,2,3; 1-3,7.

Examples

This example shows how to enable the collection of Layer 2-switched flows on a specific VLAN:

Router(config)# ip flow ingress layer2-switched vlan 2 
Router(config)# 

This example shows how to enable export of Layer 2-switched flows on a range of VLANs:

Router(config)# ip flow export layer2-switched vlan 1-3,7 
Router(config)# 

This example shows how to disable the collection of Layer 2-switched flows on a specific VLAN:

Router(config)# no ip flow ingress layer2-switched vlan 2
Router(config)#

ip forward-protocol turbo-flood

To speed up the flooding of UDP packets using the spanning-tree algorithm, use the ip forward-protocol turbo-flood command. To return to the default settings, use the no form of this command.

ip forward-protocol turbo-flood [udp-checksum]

no ip forward-protocol turbo-flood [udp-checksum]

Syntax Description

udp-checksum

(Optional) Specifies the UDP checksum.


Command Default

Disabled

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

When you enter the ip forward-protocol turbo-flood command, the outgoing UDP packets have a NULL checksum. If you want to have UDP checksums on all outgoing packets, you must enter the ip forward-protocol turbo-flood udp-checksum command.

Examples

This example shows how to speed up the flooding of UDP packets using the spanning-tree algorithm:

Router(config)# ip forward-protocol turbo-flood
Router(config)#

This example shows how to speed up the flooding of UDP packets using the spanning-tree algorithm and have the UDP checksums on all outgoing packets:

Router(config)# ip forward-protocol turbo-flood udp-checksum
Router(config)#

This example shows how to turn off the udp-checksum keyword and the ip forward-protocol turbo-flood command:

Router(config)# no ip forward-protocol turbo-flood udp-checksum
Router(config)#

This example shows how to reinstate the ip forward-protocol turbo-flood command without the udp-checksum keyword:

Router(config)# ip forward-protocol turbo-flood
Router(config)#

Related Commands

Command
Description

ip forward-protocol

Specifies the protocols and ports that the router forwards when forwarding broadcast packets.


ip igmp immediate-leave group-list

To enable the immediate processing of the IGMP leave-group messages, use the ip igmp immediate-leave group-list command. To return to the default settings, use the no form of this command.

ip igmp immediate-leave group-list acl

no ip igmp immediate-leave group-list acl

Syntax Description

acl

Group ACL number; see the "Usage Guidelines" section for valid values.


Command Default

Disabled

Command Modes

Global or interface configuration

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

If you enter the ip igmp immediate-leave group-list command, you must enter this command in VLAN interface configuration mode only.

Valid values for the acl argument are as follows:

Access-list number—1 to 99

Expanded range access-list number—1300 to 1999

Name of the standard IP access list

You can configure one or the other but not both configuration modes at the same time.

You can enter the acl value to restrict the immediate-leave behavior to a simple access list for multicast groups. The IGMP leave-group messages for multicast groups that are not permitted by the acl value have the standard inquiry mechanism/leave latency.

Examples

This example shows how to enable the immediate processing of the IGMP leave-group messages:

Router(config)# ip igmp immediate-leave group-list 3
Router(config)# 

ip igmp last-member-query-interval

To configure the last-member query interval for the IGMP, use the ip igmp last-member-query-interval command. To return to the default settings, use the no form of this command.

ip igmp last-member-query-interval interval

no ip igmp last-member-query-interval

Syntax Description

interval

Interval for the last-member query; valid values are from 100 to 65535 milliseconds in multiples of 100 milliseconds.


Command Default

1000 milliseconds (1 second); see the "Usage Guidelines" section for additional information.

Command Modes

Interface configuration (config-if)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

When a multicast host leaves a group, the host sends an IGMP leave. To check if this host is the last to leave the group, an IGMP query is sent out when the leave is seen and a timer is started. If no reports are received before the timer expires, the group record is deleted.

The interval is the actual time that the Catalyst 6500 series switch waits for a response for the group-specific query.

If you enter an interval that is not a multiple of 100, the interval is rounded to the next lowest multiple of 100. For example, if you enter 999, the interval is rounded down to 900 milliseconds.

If IGMP fast-leave processing is enabled and you enter the no ip igmp last-member-query-interval command, the interval is set to 0 seconds; immediate leave always assumes higher priority.

Examples

This example shows how to configure the last-member query interval to 200 milliseconds:

Router(config-if)# ip igmp last-member-query-interval 200
Router(config-if)#

Related Commands

Command
Description

ip igmp immediate-leave group-list

Enables the immediate processing of the IGMP leave-group messages.

show ip igmp interface

Displays the information about the IGMP-interface status and configuration.


ip igmp snooping

To enable IGMP snooping, use the ip igmp snooping command. To disable IGMP snooping, use the no form of this command.

ip igmp snooping

no ip igmp snooping

Syntax Description

This command has no arguments or keywords.

Command Default

The defaults are as follows:

IGMP snooping is enabled on the Catalyst 6500 series switch.

IGMP snooping is not configured on multicast routers.

Command Modes

Interface configuration (config-if)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

Before you can enable IGMP snooping on the Catalyst 6500 series switches, you must configure the VLAN interface for multicast routing.

Enter this command in VLAN interface configuration mode only.

Examples

This example shows how to enable IGMP snooping:

Router(config-if)# ip igmp snooping
Router(config-if)#

This example shows how to disable IGMP snooping:

Router(config-if)# no ip igmp snooping
Router(config-if)#

Related Commands

Command
Description

ip igmp snooping fast-leave

Enables the IGMPv3-snooping fast-leave processing.

ip igmp snooping mrouter

Configures a Layer 2 port as a multicast router port.

show ip igmp snooping explicit-tracking

Displays the information about the explicit host-tracking status for IGMPv3 hosts.


ip igmp snooping explicit-tracking

To enable explicit host tracking, use the ip igmp snooping explicit-tracking command. To disable the explicit host tracking, use the no form of this command.

ip igmp snooping explicit-tracking

no ip igmp snooping explicit-tracking

Syntax Description

This command has no arguments or keywords.

Command Default

Enabled

Command Modes

Interface configuration (config-if)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

Explicit host tracking is supported only with IGMPv3 hosts.

When you enable explicit host tracking and the Catalyst 6500 series switch is working in proxy-reporting mode, the router may not be able to track all the hosts that are behind a VLAN interface. In proxy-reporting mode, the Catalyst 6500 series switch forwards only the first report for a channel to the router and suppresses all other reports for the same channel.

With IGMPv3 proxy reporting, the Catalyst 6500 series switch does proxy reporting for unsolicited reports and reports that are received in the general query interval.

Proxy reporting is turned on by default. When you disable proxy reporting, the Catalyst 6500 series switch works in transparent mode and updates the IGMP snooping database as it receives reports and forwards this information to the upstream router. The router can then explicitly track all reporting hosts.

Disabling explicit tracking disables fast-leave processing and proxy reporting.

IGMPv3 supports explicit host tracking of membership information on any port. The explicit host-tracking database is used for fast-leave processing for IGMPv3 hosts, proxy reporting, and statistics collection. When you enable explicit host tracking on a VLAN, the IGMP snooping software processes the IGMPv3 report that it receives from a host and builds an explicit host-tracking database that contains the following information:

The port that is connected to the host.

The channels that are reported by the host.

The filter mode for each group that is reported by the host.

The list of sources for each group that is reported by the hosts.

The router filter mode of each group.

For each group, the list of hosts that request the source.

Examples

This example shows how to enable IGMPv3-explicit host tracking:

Router(config-if)# ip igmp snooping explicit-tracking
Router(config-if)#

This example shows how to disable IGMPv3-explicit host tracking:

Router(config-if)# no ip igmp snooping explicit-tracking
Router(config-if)#

Related Commands

Command
Description

ip igmp snooping limit track

Limits the size of the explicit-tracking database.

show ip igmp snooping explicit-tracking

Displays the information about the explicit host-tracking status for IGMPv3 hosts.


ip igmp snooping fast-leave

To enable the IGMPv3-snooping fast-leave processing, use the ip igmp snooping fast-leave command. To disable fast-leave processing, use the no form of this command.

ip igmp snooping fast-leave

no ip igmp snooping fast-leave

Syntax Description

This command has no arguments or keywords.

Command Default

The defaults are as follows:

IGMP version 2—Disabled

IGMP version 3—Enabled

Command Modes

Interface configuration (config-if)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

Enter this command in VLAN interface configuration mode only.


Note Fast-leave processing is enabled by default. To disable fast-leave processing, you must enter the no ip igmp snooping fast-leave command.


You should use the IGMPv3-snooping fast-leave processing when there is a single receiver for the MAC group for a specific VLAN.

Examples

This example shows how to enable IGMPv3-snooping fast-leave processing:

Router(config-if)# ip igmp snooping fast-leave
Router(config-if)#

This example shows how to disable IGMPv3-snooping fast-leave processing:

Router(config-if)# no ip igmp snooping fast-leave
Router(config-if)#

Related Commands

Command
Description

ip igmp snooping

Enables IGMP snooping.

ip igmp snooping explicit-tracking

Enables explicit host tracking.

show ip igmp interface

Displays the information about the IGMP-interface status and configuration.

show mac-address-table

Displays the information about the MAC-address table.


ip igmp snooping flooding

To configure periodic flooding of multicast packets, use the ip igmp snooping flooding command. To disable periodic flooding, use the no form of this command.

ip igmp snooping flooding [timer seconds]

no ip igmp snooping flooding

Syntax Description

timer seconds

(Optional) Specifies the interval between flooding in a 24-hour period for source-only entries; valid values are from 0 to 86400 seconds.


Command Default

The defaults are as follows:

Disabled.

If enabled, seconds is 600 seconds (10 minutes).

Command Modes

Interface configuration (config-if)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

This command is supported on source-only VLANs.

You can enter 0 seconds to disable flooding. If you enter a maximum of 86400 seconds, flooding would occur once every 24 hours.

Examples

This example shows how to specify the interval between flooding in a 24-hour period:

Router(config-if)# ip igmp snooping flooding timer 300
Router(config-if)#

ip igmp snooping l2-entry-limit

To configure the maximum number of Layer 2 entries that can be created by the Catalyst 6500 series switch, use the ip igmp snooping l2-entry-limit command.

ip igmp snooping l2-entry-limit max-entries

Syntax Description

max-entries

Maximum number of Layer 2 entries that can be created by the Catalyst 6500 series switch; valid values are from 1 to 100000.


Command Default

15488 Layer 2 entries

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

When entering max-entries, do not enter a comma (,).

Enter this command in VLAN interface configuration mode only.

Examples

This example shows how to configure the maximum number of Layer 2 entries that can be created by the Catalyst 6500 series switch:

Router(config-if)# ip igmp snooping l2-entry-limit 25000
Router(config-if)# 

Related Commands

Command
Description

show ip igmp interface

Displays the information about the IGMP-interface status and configuration.


ip igmp snooping last-member-query-interval

To configure the last member query interval for IGMP snooping, use the ip igmp snooping last-member-query-interval command. To return to the default settings, use the no form of this command.

ip igmp snooping last-member-query-interval interval

no ip igmp snooping last-member-query-interval

Syntax Description

interval

Interval for the last member query; valid values are from 100 to 900 milliseconds in multiples of 100 milliseconds.


Command Default

1000 milliseconds (1 second); see the "Usage Guidelines" section for additional information.

Command Modes

Interface configuration (config-if)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

When a multicast host leaves a group, the host sends an IGMP leave. To check if this host is the last to leave the group, an IGMP query is sent out when the leave is seen and a timer is started. If no reports are received before the timer expires, the group record is deleted.

The interval is the actual time that the Catalyst 6500 series switch waits for a response for the group-specific query.

If you enter an interval that is not a multiple of 100, the interval is rounded to the next lowest multiple of 100. For example, if you enter 999, the interval is rounded down to 900 milliseconds.

If you enable IGMP fast-leave processing and you enter the no ip igmp snooping last-member-query-interval command, the interval is set to 0 seconds; fast-leave processing always assumes higher priority.

Even though the valid interval range is 100 to 1000 milliseconds, you cannot enter a value of 1000. If you want this value, you must enter the no ip igmp snooping last-member-query-interval command and return to the default value (1000 milliseconds).

Examples

This example shows how to configure the last-member-query-interval to 200 milliseconds:

Router(config-if)# ip igmp snooping last-member-query-interval 200
Router(config-if)#

Related Commands

Command
Description

ip igmp snooping fast-leave

Enables the IGMPv3-snooping fast-leave processing.

show ip igmp interface

Displays the information about the IGMP-interface status and configuration.


ip igmp snooping limit track

To limit the size of the explicit-tracking database, use the ip igmp snooping limit track command. To return to the default settings, use the no form of this command.

ip igmp snooping limit track max-entries

no ip igmp snooping limit track

Syntax Description

max-entries

Maximum number of entries in the explicit-tracking database; valid values are from 0 to 128000 entries.


Command Default

max-entries is 32000.

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

Each entry in the explicit-tracking database is identified by the source IP, group IP, port, VLAN, and reporter IP.

When you set the max-entries to 0, explicit tracking is disabled.

When the explicit-tracking database exceeds the configured max-entries, a syslog message is generated.

When you reduce the max-entries, the explicit-tracking database does not decrease in size immediately. The explicit-tracking database gradually shrinks as reporters time out.

Examples

This example shows how to configure the maximum number of entries in the explicit-tracking database:

Router(config)# ip igmp snooping limit track 20000
Router(config)#

Related Commands

Command
Description

ip igmp snooping explicit-tracking

Enables explicit host tracking.

show ip igmp snooping explicit-tracking vlan

Displays information about the explicit host tracking for IGMPv3 hosts.


ip igmp snooping mrouter

To configure a Layer 2 port as a multicast router port, use the ip igmp snooping mrouter command. To remove the configuration, use the no form of this command.

ip igmp snooping mrouter {interface {interface interface-number} | {port-channel number}} | {learn {cgmp | pim-dvmrp}}

no ip igmp snooping mrouter {interface {interface interface-number} | {port-channel number}} | {learn {cgmp | pim-dvmrp}}

Syntax Description

interface

Specifies the next-hop interface to the multicast router.

interface

Interface type; possible valid values are ethernet, fastethernet, gigabitethernet, and tengigabitethernet. See the "Usage Guidelines" section for additional valid values.

interface-number

Module and port number; see the "Usage Guidelines" section for valid values.

port-channel number

Specifies the port-channel number; valid values are a maximum of 64 values ranging from 1 to 256.

learn

Specifies the learning method for the multicast router.

cgmp

Specifies the snooping CGMP packets for the multicast router.

pim-dvmrp

Specifies the snooping PIM-DVMRP packets for the multicast router.


Command Default

pim-dvmrp

Command Modes

Interface configuration (config-if)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

Enter this command in VLAN interface configuration mode only.

The interface to the router must be in the VLAN where you are entering the command, the interface must be administratively up, and the line protocol must be up.

The interface-number argument designates the module and port number. Valid values for interface-number depend on the specified interface type and the chassis and module that are used. For example, if you specify a Gigabit Ethernet interface and have a 48-port 10/100BASE-T Ethernet module that is installed in a 13-slot chassis, valid values for the module number are from 1 to 13 and valid values for the port number are from 1 to 48.

The CGMP learning method can decrease control traffic.

The learning method that you configure is saved in NVRAM.

Static connections to multicast routers are supported only on switch ports.

Examples

This example shows how to specify the next-hop interface to the multicast router:

Router(config-if)# ip igmp snooping mrouter interface fastethernet 5/6
Router(config-if)#

This example shows how to specify the learning method for the multicast router:

Router(config-if)# ip igmp snooping mrouter learn cgmp
Router(config-if)#

Related Commands

Command
Description

ip igmp snooping

Enables IGMP snooping.

ip igmp snooping fast-leave

Enables the IGMPv3-snooping fast-leave processing.

show ip igmp snooping mrouter

Displays the information about the dynamically learned and manually configured multicast router interfaces.


ip igmp snooping querier

To enable multicast support within a subnet when no multicast routing protocol is configured in the VLAN or subnet, use the ip igmp snooping querier command. To disable multicast support within a subnet when no multicast routing protocol is configured, use the no form of this command.

ip igmp snooping querier

no ip igmp snooping querier

Syntax Description

This command has no arguments or keywords.

Command Default

Disabled

Command Modes

Interface configuration (config-if)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

Enter this command in VLAN interface configuration mode only.

Enable IGMP snooping on the Catalyst 6500 series switch and disable PIM on the VLAN.

Configure the VLAN in global configuration mode.

Configure an IP address on the VLAN interface. When enabled, the IGMP-snooping querier uses the IP address as the query source address. If no IP address is configured on the VLAN interface, the IGMP-snooping querier does not start. The IGMP-snooping querier disables itself if you clear the IP address. When enabled, the IGMP-snooping querier restarts if you configure an IP address.

The IGMP-snooping querier supports IGMPv2.

When enabled, the IGMP-snooping querier does the following:

Does not start if it detects IGMP traffic from a multicast router.

Starts after 60 seconds when no IGMP traffic is detected from a multicast router.

Disables itself if it detects IGMP traffic from a multicast router.

QoS does not support IGMP packets when IGMP snooping is enabled.

You can enable the IGMP-snooping querier on all the Catalyst 6500 series switches in the VLAN. One Catalyst 6500 series switch is elected as the querier.

If multicast routers are not present on the VLAN or subnet, the Catalyst 6500 series switch becomes the IGMP querier for the VLAN when you enable the IGMP-snooping querier.

If you disable the IGMP-snooping querier, IGMP snooping functions only when you configure PIM in the subnet.

You can enter the ip igmp snooping querier command at any time, but the IGMP-snooping querier starts only when no other multicast routers are present in the VLAN or subnet.

You can use this command as an alternative to configuring PIM in a subnet; use this command when the multicast traffic does not need to be routed but you would like support for IGMP snooping on Layer 2 interfaces in your network.
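The prerequisites listed above can be checked against a saved configuration before relying on the querier. The following is an added example, not part of the original reference or Cisco tooling; the sample configuration, its addresses, and the function names are constructed for illustration.

```python
import re

# Constructed sample configuration (not from the page); addresses are
# documentation-range values chosen for the example.
SAMPLE_CONFIG = """\
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
 ip igmp snooping querier
!
interface Vlan20
 no ip address
 ip igmp snooping querier
!
interface Vlan30
 ip address 198.51.100.1 255.255.255.0
 ip pim sparse-mode
 ip igmp snooping querier
!
interface Vlan40
 ip address 203.0.113.1 255.255.255.0
 no ip igmp snooping
 ip igmp snooping querier
!
interface GigabitEthernet1/1
 ip igmp snooping querier
"""


def interface_blocks(config):
    """Yield (interface name, [sub-commands]) for each interface stanza."""
    name, body = None, []
    for line in config.splitlines():
        if line.startswith("interface "):
            if name is not None:
                yield name, body
            name, body = line.split(None, 1)[1], []
        elif line.startswith(" ") and name is not None:
            body.append(line.strip())
        else:  # "!" or any other top-level line closes the stanza
            if name is not None:
                yield name, body
            name, body = None, []
    if name is not None:
        yield name, body


def audit_querier(config):
    """Return (interface, finding) pairs for querier prerequisites not met."""
    findings = []
    for name, body in interface_blocks(config):
        if "ip igmp snooping querier" not in body:
            continue
        # The command is entered in VLAN interface configuration mode only.
        if not re.fullmatch(r"vlan\s*\d+", name, re.IGNORECASE):
            findings.append((name, "querier configured outside a VLAN interface"))
            continue
        # Without an IP address the querier has no query source and does not start.
        if not any(re.match(r"ip address \d", cmd) for cmd in body):
            findings.append((name, "no IP address: querier does not start"))
        # PIM must be disabled on the VLAN.
        if any(cmd.startswith("ip pim ") for cmd in body):
            findings.append((name, "PIM enabled on the VLAN"))
        # IGMP snooping itself must be enabled.
        if "no ip igmp snooping" in body:
            findings.append((name, "IGMP snooping disabled"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit_querier(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```
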

Examples

This example shows how to enable the IGMP-snooping querier on the VLAN:

Router(config-if)# ip igmp snooping querier
Router(config-if)# 

Related Commands

Command
Description

show ip igmp snooping mrouter

Displays the information about the dynamically learned and manually configured multicast router interfaces.


ip igmp snooping rate

To set the rate limit for IGMP-snooping packets, use the ip igmp snooping rate command. To disable the software rate limiting, use the no form of this command.

ip igmp snooping rate pps

no ip igmp snooping rate

Syntax Description

pps

Rate limit of incoming IGMP messages; valid values are from 100 to 6000 packets per second.


Command Default

Disabled

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Examples

This example shows how to enable software rate limiting:

Router(config)# ip igmp snooping rate
Router(config)# 

This example shows how to disable software rate limiting:

Router(config)# no ip igmp snooping rate
Router(config)# 

Related Commands

Command
Description

show ip igmp snooping rate-limit

Displays the information about the IGMP snooping rate limit.


ip igmp snooping report-suppression

To turn on IP IGMP snooping report suppression, use the ip igmp snooping report-suppression command. To turn off report suppression, use the no form of this command.

ip igmp snooping report-suppression

no ip igmp snooping report-suppression

Syntax Description

This command has no arguments or keywords.

Command Default

Disabled

Command Modes

Interface configuration (config-if)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

When you enable report suppression for all host reports responding to a general query, IP IGMP snooping forwards the first report only and suppresses the remaining reports to constrain IGMP traffic to the multicast router.

ip igmp snooping source-only-learning age-timer

To flood multicast packets periodically to a Layer 2 segment that has only multicast sources and no receivers connected to it, use the ip igmp snooping source-only-learning age-timer command. To return to the default settings, use the no form of this command.

ip igmp snooping source-only-learning age-timer seconds

no ip igmp snooping source-only-learning age-timer

Syntax Description

seconds

Source-only entries age timer value in seconds; valid values are from 0 to 86400 seconds.


Command Default

seconds is 600 seconds (10 minutes).

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

There are two source-only timers that run in an alternating fashion: the source_only_age_timer and the source_only_delete_timer. The value that you configure by entering the ip igmp snooping source-only-learning age-timer command sets the source_only_age_timer. The source_only_delete_timer has a fixed, nonconfigurable value of 5 minutes (300 seconds).

The expiration of one timer starts the other timer. At any time, only one timer is running.

Setting the age timer to 0 stops the flooding in the source-only VLAN.


Note Setting the age timer to a nonzero value causes flooding to occur every x (configured value) + 5 minutes (source_only_delete_timer) interval.


Examples

This example shows how to flood multicast packets periodically:

Router(config)# ip igmp snooping source-only-learning age-timer 300
Router(config)# 

This example shows how to return to the default settings:

Router(config)# no ip igmp snooping source-only-learning age-timer
Router(config)# 

ip igmp ssm-map

To enable and configure SSM mapping, use the ip igmp ssm-map command. To disable SSM mapping, use the no form of this command.

ip igmp ssm-map {enable | {query dns} | {static {group-access-list | group-access-list-name} source-address}}

no ip igmp ssm-map {enable | {query dns}}

Syntax Description

enable

Enables SSM group to the source mapping.

query dns

Enables the DNS lookup.

static

Specifies an SSM static group to the source mapping.

group-access-list

Group access list to map to the source address.

group-access-list-name

Name of the group access list to map to the source address.

source-address

Source address.


Command Default

Disabled

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(18)ZY

Support for this command was introduced.


Usage Guidelines

By default, the locally configured static SSM mappings and the DNS server are queried. Locally configured mappings have priority over dynamic mappings. If a DNS server is not available, you may want to disable DNS server lookups. To disable DNS lookups, use the no ip igmp ssm-map query dns command.

If a DNS server is not available, a locally configured static SSM mapping database is used to query. A database query uses the group address and receives the source list in return. As soon as the static SSM mappings are configured, the maps are used for the lookups. To build a static SSM mappings database, use the following commands:

ip igmp ssm-map static acl-1 source-1-ip-address

ip igmp ssm-map static acl-2 source-2-ip-address

The ACL specifies the group or groups that have to be mapped to the listed source. Because the content servers may send out more than one stream with the same source address, the access list is used to group the multicast destination addresses together. You can use wildcards if the addresses are contiguous.

If multiple sources have to be joined for a multicast group address, you must place the group in all ACLs that are associated with the source address. In the example above, if group G must join sources 1 and 2, the group address must be placed in both acl-1 and acl-2.

When you enable SSM mapping using the ip igmp ssm-map enable command, but the source mapping list is empty for the group, enter the no ip igmp ssm-map query dns command. The ip igmp ssm-map enable command is supported on statically configured SSM-mapped source entries only.
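The lookup described above can be modeled to check which sources a group resolves to before a mapping is deployed. This is an added example, not Cisco code: the ACL contents, source addresses, and the dictionary standing in for the DNS lookup are constructed assumptions, and ACLs are evaluated first-match with an implicit deny.

```python
import ipaddress

# Constructed data (assumptions, not from the page): ACL entries, source
# addresses and the DNS answer are documentation-range sample values.
ACLS = {
    "acl-1": [("permit", "232.1.1.0", "0.0.0.255")],
    "acl-2": [("permit", "232.1.1.10", "0.0.0.0"),
              ("permit", "232.1.2.0", "0.0.0.255")],
}
# Mirrors: ip igmp ssm-map static acl-1 <source-1>, ... static acl-2 <source-2>
STATIC_MAPS = [("acl-1", "192.0.2.10"), ("acl-2", "192.0.2.20")]
DNS_STUB = {"232.9.9.9": ["198.51.100.7"]}  # stands in for a real DNS lookup


def _ip(text):
    """Dotted-quad string to 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def acl_permits(entries, group):
    """First-match standard ACL evaluation with an implicit deny at the end."""
    for action, base, wildcard in entries:
        care_bits = ~_ip(wildcard) & 0xFFFFFFFF  # wildcard 1-bits are "don't care"
        if ((_ip(group) ^ _ip(base)) & care_bits) == 0:
            return action == "permit"
    return False


def resolve_sources(group, dns_enabled=True):
    """Return the source list for a group.

    Every static mapping whose ACL permits the group contributes its source,
    so a group placed in both ACLs joins both sources. Static results take
    priority; the DNS stand-in is consulted only when no static mapping
    matches and DNS lookups are enabled.
    """
    static = [src for acl, src in STATIC_MAPS if acl_permits(ACLS[acl], group)]
    if static:
        return static
    return list(DNS_STUB.get(group, [])) if dns_enabled else []


if __name__ == "__main__":
    for g in ("232.1.1.10", "232.1.1.20", "232.1.2.5", "232.9.9.9"):
        print(g, "->", resolve_sources(g))
    print("232.9.9.9 (DNS off) ->", resolve_sources("232.9.9.9", dns_enabled=False))
```
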

Examples

This example shows how to enable an SSM group to the source mapping:

Router(config)# ip igmp