The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
To enable authentication, authorization, and accounting (AAA) accounting and to create method lists defining specific accounting methods on a per-line or per-interface basis for IEEE 802.1x sessions, use the aaa accounting dot1x command in global configuration mode. Use the no form of this command to disable IEEE 802.1x accounting.
aaa accounting dot1x { name | default } start-stop { broadcast group { name | radius | tacacs+ } [ group { name | radius | tacacs+ }... ] | group { name | radius | tacacs+ } [ group { name | radius | tacacs+ }...]}
no aaa accounting dot1x { name | default }
|
|
This command requires access to a RADIUS server.
We recommend that you enter the dot1x reauthentication interface configuration command before configuring IEEE 802.1x RADIUS accounting on an interface.
This example shows how to configure IEEE 802.1x accounting:
Note The RADIUS authentication server must be properly configured to accept and log update or watchdog packets from the AAA client.
|
|
Specifies one or more AAA methods for use on interfaces running IEEE 802.1x. |
|
Enables the AAA access control model. For syntax information, see the Cisco IOS Software Command Reference, Release 15.0. |
|
dot1x timeout reauth-period |
Sets the number of seconds between reauthentication attempts. |
To specify the authentication, authorization, and accounting (AAA) method to use on ports complying with the IEEE 802.1x authentication, use the aaa authentication dot1x command in global configuration mode. Use the no form of this command to disable authentication.
aaa authentication dot1x { default } word
no aaa authentication dot1x { default }
Note Though other keywords are visible in the command-line help strings, only the default and group radius keywords are supported.
|
|
The word argument identifies the method that the authentication algorithm tries in the given sequence to validate the password provided by the client. The only method that is actually IEEE 802.1x-compliant is the group radius method, in which the client data is validated against a RADIUS authentication server.
If you specify group radius, you must configure the RADIUS server by entering the radius-server host global configuration command.
Use the show running-config privileged EXEC command to display the configured lists of authentication methods.
This example shows how to enable AAA and how to create an IEEE 802.1x-compliant authentication list. This authentication first tries to contact a RADIUS server. If this action returns an error, the user is not allowed access to the network.
You can verify your settings by entering the show running-config privileged EXEC command.
|
|
---|---|
Enables the AAA access control model. For syntax information, see the Cisco IOS Software Command Reference, Release 15.0. |
To configure the switch to use user-RADIUS authorization for all network-related service requests, such as IEEE 802.1x aaa-user access control lists (ACLs) or VLAN assignment, use the aaa authorization network command in global configuration mode. Use the no form of this command to disable RADIUS user authorization.
aaa authorization network default group radius
no aaa authorization network default
Specifies the list of all RADIUS hosts in the server group as the default authorization list. |
|
|
Use the aaa authorization network default group radius global configuration command to allow the switch to download IEEE 802.1x authorization parameters from the RADIUS servers in the default authorization list. The authorization parameters are used by features such as per-user ACLs or VLAN assignment to get parameters from the RADIUS servers.
Use the show running-config privileged EXEC command to display the configured lists of authorization methods.
This example shows how to configure the switch for user RADIUS authorization for all network-related service requests:
To set the action for the VLAN access map entry, use the action command in access-map configuration mode. Use the no form of this command to return to the default setting.
Forwards the packet when the specified conditions are matched. |
|
|
You enter access-map configuration mode by using the vlan access-map global configuration command.
If the action is drop, you should define the access map, including configuring any access control list (ACL) names in match clauses, before applying the map to a VLAN, or all packets could be dropped.
In access-map configuration mode, use the match access-map configuration command to define the match conditions for a VLAN map. Use the action command to set the action that occurs when a packet matches the conditions.
The drop and forward parameters are not used in the no form of the command.
This example shows how to identify and apply a VLAN access map vmap4 to VLANs 5 and 6 that causes the VLAN to forward an IP packet if the packet matches the conditions defined in access list al2:
You can verify your settings by entering the show vlan access-map privileged EXEC command.
To configure the system alarm contact settings, use the alarm contact command in global configuration mode.
alarm contact contact { description { line } | severity { major | minor | none } | trigger { closed | open }| all }
no alarm contact contact { description { line } | severity { major | minor | none } | trigger { closed | open }| all }
|
|
---|---|
Use this command only when you are working directly with a technical support representative while troubleshooting a problem. Do not use this command unless a technical support representative asks you to do so.
This example shows how to set the alarm contact to 1 and the severity level to major:
This example shows how to unset the severity level for alarm contact 1:
This example shows how to set the trigger to closed for alarm 1:
This example shows how to unset the trigger to closed for alarm 1:
|
|
---|---|
To set the frame check sequence (FCS) error hysteresis threshold as a percentage of fluctuation from the FCS bit-error rate, use the alarm facility fcs-hysteresis command in global configuration mode. Use the no form of this command to set the FCS error hysteresis threshold to its default value.
alarm facility fcs-hysteresis percentage
Hysteresis threshold fluctuation. The range is 1 to 10 percent. |
The default threshold-value is 10 percent. Both input alarms are tied to the notifies and syslog.
|
|
Set a hysteresis threshold to cause an alarm to trigger when the FCS bit-error rate fluctuates near the configured rate.
You set the FCS hysteresis threshold for all ports on the switch. You set the FCS error rate on a per-port basis by using the fcs-threshold interface configuration command.
If the threshold is not the default, it appears in the output of the show running-config privileged EXEC command.
This example shows how to set the FCS error hysteresis to 5 percent. The alarm is not triggered unless the bit error rate is more than 5 percent from the configured FCS bit-error rate.
|
|
---|---|
To set the external contact alarm settings, use the alarm facility input-alarm command in global configuration mode. Use the no form of this command to set the external contact alarm settings to its default value.
alarm facility input-alarm number { notifies | relay major | syslog }
no alarm facility input-alarm number { notifies | relay major | syslog }
|
|
This example shows how to set the input alarm to 2 with notifications being sent to the server.
|
|
---|---|
To set the alarm options for a missing or failing power supply when the system is operating in dual power supply mode, use the alarm facility power-supply command in global configuration mode. Use the no form of the command to disable the specified setting.
alarm facility power-supply { disable | notifies | relay { major | minor } | syslog }
no alarm facility power-supply { disable | notifies | relay { major | minor } | syslog }
A power supply alarm message is stored but not sent to an SNMP server, to a relay, or to a syslog server. By default, both input alarms are mapped to the output alarm “MAJOR.”
|
|
Power supply alarms are generated only when the system is in dual power supply mode. When a second power supply is connected, you must use the power-supply dual global configuration command to set dual power-mode operation.
Before you use the notifies keyword to send alarm traps to an SNMP host, you need to set up an SNMP server by using the snmp-server enable traps global configuration command.
This example shows how to disable the power supply monitoring alarm:
This example shows how to set the power supply monitoring alarm to send notifications to the SNMP server:
This example shows how to set the power supply monitoring alarm to go to the major relay circuitry:
This example shows how to set the power supply monitoring alarm to go to the minor relay circuitry:
This example shows how to set the power supply monitoring alarm to go to the syslog server:
|
|
---|---|
Enables the switch to send SNMP notification for various trap types to the network management system (NMS). |
To set the SD card settings, use the alarm facility sd-card command in global configuration mode. Use the no form of this command to set the SD card settings to its default value.
alarm facility sd-card { notifies | relay major | syslog }
no alarm facility sd-card { notifies | relay major | syslog }
|
|
This example shows how to set the input alarm to notify the server when an SD card is installed.
|
|
---|---|
To configure the primary temperature monitoring alarm or to configure a secondary temperature alarm threshold with a lower maximum temperature threshold, use the alarm facility temperature command in global configuration mode. Use the no form of this command to delete the temperature monitoring alarm configuration or to disable the secondary temperature alarm.
alarm facility temperature { primary { high | low | notifies | relay { major } | syslog } | secondary { high | low | notifies | relay { major | minor }| syslog }}
no alarm facility temperature { primary { high | low | notifies | relay { major } | syslog } | secondary { high | low | notifies | relay { major | minor }| syslog }}
The primary temperature alarm is enabled for a –4 to 203ºF (–20 to 95oC) range and cannot be disabled. It is associated with a major relay. The secondary temperature alarm is disabled by default.
|
|
The primary temperature alarm is automatically enabled. It cannot be disabled, but you can configure alarm options.
You can modify the primary temperature alarm range by using the high and low keywords.
You can use the secondary temperature alarm to trigger a high temperature alarm that is lower than the maximum primary temperature threshold, which is 203oF (95oC). You can configure the temperature threshold and alarm options.
Before you use the notifies keyword to sent alarm traps to an SNMP host, you need to set up an SNMP server by using the snmp-server enable traps global configuration command.
This example shows how to set the secondary temperature with a high threshold value of 113oF (45oC) with alarms and how to send traps to the minor relay circuitry, to the syslog, and to an SNMP server:
This example shows how to disable the secondary temperature alarm:
This example shows how to set the primary temperature alarm with alarms and traps to go to the syslog and to the major relay circuitry:
|
|
---|---|
Enables the switch to send SNMP notification for various trap types to the network management system (NMS). |
To create an alarm profile and to enter alarm profile configuration mode, use the alarm profile command in global configuration mode. Use the no form of this command to delete an alarm profile.
|
|
In alarm-profile configuration mode, these commands are available:
For alarm-id, you can enter one or more alarm IDs separated by a space.
Before you use the notifies keyword to send alarm traps to a SNMP host, you need to set up an SNMP server by using the snmp-server enable traps global configuration command.
There is a default profile for all interfaces. Enter the show alarm profile user EXEC command to display the output for defaultPort.
Table 1-1 lists the alarm IDs and the corresponding alarm descriptions.
|
|
---|---|
After you have created an alarm profile, you can attach the profile to an interface by using the alarm-profile interface configuration command.
By default, the defaultPort profile is applied to all interfaces. This profile enables only the Port Not Operating (3) alarm. You can modify this profile by using the alarm profile defaultPort global configuration command to enter alarm profile configuration mode for this profile.
This example shows how to create the alarm profile fastE for a port with the link-down (alarm 1) and port not forwarding (alarm 2) alarms enabled. The link-down alarm is connected to the minor relay circuitry, and the port not forwarding alarm is connected to the major relay circuitry. These alarms are sent to an SNMP server and written to the system log file (syslog).
This example shows how to delete the alarm relay profile named my-profile:
To attach an alarm profile to a port, use the alarm profile command in interface configuration mode. Use the no form of this command to detach the profile from the port.
The alarm profile defaultPort is applied to all interfaces. In this profile, only the Port Not Operating alarm is enabled.
|
|
Use the alarm profile global configuration command to create the alarm profile, enabling one or more alarms and specifying the alarm options.
You can attach only one alarm profile to an interface.
When you attach an alarm profile to an interface, it overwrites any previous alarm profile that was attached to the interface (including the defaultPort profile).
This example shows how to attach an alarm profile named fastE to a port:
This example shows how to detach the alarm profile from a port and return it to the defaultPort profile:
To set the alarm relay mode for the switch, use the alarm relay-mode command in global configuration mode. Use the no form of the command to set the alarm relay mode to the default mode.
|
|
The alarm relays are in positive mode when they are open. When there is no power to the switch, all alarm relays are open. The alarm relays close when one or more alarm events are detected.
This example shows how to set the alarm relays to negative mode:
To download a new image from a TFTP server to the switch and to overwrite or keep the existing image, use the archive download-sw command in privileged EXEC mode.
archive download-sw { /directory | /force-reload | /imageonly | /leave-old-sw | /no-set-boot | no-version-check | /overwrite | /reload | /safe } source-url
The current software image is not overwritten with the downloaded image.
Both the software image and HTML files are downloaded.
The new image is downloaded to the flash: file system.
The BOOT environment variable is changed to point to the new software image on the flash: file system.
Image names are case sensitive; the image file is provided in tar format.
|
|
Use the archive download-sw /directory command to specify a directory one time.
The /imageonly option removes the HTML files for the existing image if the existing image is being removed or replaced. Only the Cisco IOS image (without the HTML files) is downloaded.
Using the /safe or /leave-old-sw option can cause the new image download to fail if there is insufficient flash memory. If leaving the software in place prevents the new image from fitting in flash memory due to space constraints, an error results.
If you used the /leave-old-sw option and did not overwrite the old image when you downloaded the new one, you can remove the old image by using the delete privileged EXEC command. For more information, see the “delete” section.
Use the /overwrite option to overwrite the image on the flash device with the downloaded one.
If you specify the command without the /overwrite option, the download algorithm verifies that the new image is not the same as the one on the switch flash device. If the images are the same, the download does not occur. If the images are different, the old image is deleted, and the new one is downloaded.
After downloading a new image, enter the reload privileged EXEC command to begin using the new image, or specify the /reload or /force-reload option in the archive download-sw command.
Use the /directory option to specify a directory for images.
This example shows how to download a new image from a TFTP server at 172.20.129.10 and to overwrite the image on the switch:
This example shows how to download only the software image from a TFTP server at 172.20.129.10 to the switch:
This example shows how to keep the old software version after a successful download:
|
|
---|---|
Creates a tar file, lists the files in a tar file, or extracts the files from a tar file. |
|
To create a tar file, list files in a tar file, or extract the files from a tar file, use the archive tar command in privileged EXEC mode.
archive tar { /create destination-url flash:/ file-url } | { /table source-url } | { /xtract source-url flash:/ file-ur l [ dir/file ...]}
|
|
This example shows how to create a tar file. The command writes the contents of the new-configs directory on the local flash device to a file named saved.tar on the TFTP server at 172.20.10.30:
This example shows how to display the contents of the file that is in flash memory. The contents of the tar file appear on the screen:
This example shows how to display only the /html directory and its contents:
This example shows how to extract the contents of a tar file on the TFTP server at 172.20.10.30. This command extracts just the new-configs directory into the root directory on the local flash file system. The remaining files in the saved.tar file are ignored.
|
|
---|---|
To upload an existing switch image to a server, use the archive upload-sw command in privileged EXEC mode.
archive upload-sw [ /version version_string ] destination-url
Uploads the currently running image from the flash file system.
|
|
Use the upload feature only if the HTML files associated with the embedded Device Manager have been installed with the existing image.
The files are uploaded in this sequence: the Cisco IOS image, the HTML files, and info. After these files are uploaded, the software creates the tar file.
This example shows how to upload the currently running image to a TFTP server at 172.20.140.2:
|
|
---|---|
Creates a tar file, lists the files in a tar file, or extracts the files from a tar file. |
To define an Address Resolution Protocol (ARP) access control list (ACL) or to add clauses to the end of a previously defined list, use the arp access-list command in global configuration mode. Use the no form of this command to delete the specified ARP access list.
|
|
After entering the arp access-list command, you enter ARP access-list configuration mode, and these configuration commands are available:
Use the permit and deny access-list configuration commands to forward and to drop ARP packets based on the specified matching criteria.
When the ARP ACL is defined, you can apply it to a VLAN by using the ip arp inspection filter vlan global configuration command. ARP packets containing only IP-to-MAC address bindings are compared to the ACL. All other types of packets are bridged in the ingress VLAN without validation. If the ACL permits a packet, the switch forwards it. If the ACL denies a packet because of an explicit deny statement, the switch drops the packet. If the ACL denies a packet because of an implicit deny statement, the switch compares the packet to the list of DHCP bindings (unless the ACL is static, which means that packets are not compared to the bindings).
This example shows how to define an ARP access list and to permit both ARP requests and ARP responses from a host with an IP address of 1.1.1.1 and a MAC address of 0000.0000.abcd:
You can verify your settings by entering the show arp access-list privileged EXEC command.
To allow the switch to ignore a command to temporarily disable a port on the switch stack or on a standalone switch, use the authentication command bounce-port ignore command in global configuration mode. Use the no form of this command to return to the default status.
authentication command bounce-port ignore
no authentication command bounce-port ignore
Note To use this command, the switch must be running the LAN Base or IP Base image.
The switch accepts a RADIUS Change of Authorization (CoA) bounce port command.
|
|
The CoA bounce port command causes a link flap, which triggers a DHCP renegotiation from the host. This is useful when a VLAN change occurs and the endpoint is a device such as a printer, that has no supplicant to detect the change. Use this command to configure the switch to ignore the bounce port command.
This example shows how to instruct the switch to ignore a CoA bounce port command:
|
|
To ignore a command to disable a port on the switch stack or on a standalone switch to allow the switch, use the authentication command disable-port ignore command in global configuration mode. Use the no form of this command to return to the default status.
authentication command disable-port ignore
no authentication command disable-port ignore
Note To use this command, the switch must be running the LAN Base or IP Base image.
The switch accepts a RADIUS Change of Authorization (CoA) disable port command.
|
|
The CoA disable port command administratively shuts down a port hosting a session, resulting in session termination. Use this command to configure the switch to ignore this command.
This example shows how to instruct the switch to ignore a CoA disable port command:
|
|
To configure the port mode as unidirectional or bidirectional, use the authentication control-direction command in interface configuration mode. Use the no form of this command to return to the default setting.
authentication control-direction {both | in}
no authentication control-direction
|
|
Use the both keyword or the no form of this command to return to the default setting (bidirectional mode).
This example shows how to enable bidirectional mode:
This example shows how to enable unidirectional mode:
You can verify your settings by entering the show authentication privileged EXEC command.
To set the actions for specific authentication events on the port, use the authentication event command in interface configuration mode. Use the no form of the command to disable the specified setting.
authentication event {fail [ action [ authorize vlan vlan-id | next-method] {| retry { retry count}]} { no-response action authorize vlan vlan-id} {server { alive action reinitialize} | {dead action [authorize | reinitialize vlan vlan-id]}}
no authentication event {fail [ action [ authorize vlan vlan-id | next-method] {| retry { retry count}]} { no-response action authorize vlan vlan-id} {server { alive action reinitialize} | {dead action [authorize | reinitialize vlan vlan-id]}}
|
|
Use this command with the fail, no-response, or event keywords to configure the switch response for a specific action.
If the Windows XP client is configured for DHCP and has an IP address from the DHCP server and a critical port receives an EAP-Success message, the DHCP configuration process might not reinitiate.
You can configure any active VLAN except a Remote Switched Port Analyzer (RSPAN) VLAN, or a voice VLAN as an IEEE 802.1x guest VLAN. The guest VLAN feature is supported only on access ports. It is not supported on internal VLANs (routed ports) or trunk ports.
– If authorization succeeds, the switch grants the client access to the network.
– If authorization fails, the switch assigns the port to the guest VLAN if one is specified.
For more information, see the “Using IEEE 802.1x Authentication with MAC Authentication Bypass” section in the “Configuring IEEE 802.1x Port-Based Authentication” chapter of the software configuration guide.
For authentication-fail events:
– If the EAP success message is not sent, the supplicant tries to authenticate every 60 seconds (the default) by sending an EAP-start message.
– Some hosts (for example, devices running Windows XP) cannot implement DHCP until they receive an EAP success message.
The restricted VLAN is supported only in single host mode (the default port mode). When a port is placed in a restricted VLAN, the supplicant's MAC address is added to the MAC address table. Any other MAC address on the port is treated as a security violation.
Enable reauthentication with restricted VLANs. If reauthentication is disabled, the ports in the restricted VLANs do not receive reauthentication requests if it is disabled.
To start the reauthentication process, the restricted VLAN must receive a link-down event or an Extensible Authentication Protocol (EAP) logoff event from the port. If a host is connected through a hub:
– The port might not receive a link-down event when the host is disconnected.
– The port might not detect new hosts until the next reauthentication attempt occurs.
When you reconfigure a restricted VLAN as a different type of VLAN, ports in the restricted VLAN are also moved and stay in their currently authorized state.
This example shows how to configure the authentication event fail command:
This example shows how to configure a no-response action:
This example shows how to configure a server-response action:
This example shows how to configure a port to send both new and existing hosts to the critical VLAN when the RADIUS server is unavailable. Use this command for ports in multiple authentication (multiauth) mode or if the voice domain of the port is in MDA mode:
You can verify your settings by entering the show authentication privileged EXEC command.
To configure a port to use web authentication as a fallback method for clients that do not support IEEE 802.1x authentication, use the authentication fallback command in interface configuration mode. To return to the default setting, use the no form of this command.
no authentication fallback name
|
|
You must enter the authentication port-control auto interface configuration command before configuring a fallback method.
You can only configure web authentication as a fallback method to 802.1x or MAB, so one or both of these authentication methods should be configured for the fallback to enable.
This example shows how to specify a fallback profile on a port:
You can verify your settings by entering the show authentication privileged EXEC command.
To set the authorization manager mode on a port, use the authentication host-mode command in interface configuration mode. Use the no form of the command to disable the specified setting.
authentication host-mode [multi-auth | multi-domain | multi-host | single-host]
no authentication host-mode [multi-auth | multi-domain | multi-host | single-host]
(Optional) Enables multiple-authorization mode (multiauth mode) on the port. |
|
|
|
Single-host mode should be configured if only one data host is connected. Do not connect a voice device to authenticate on a single-host port. Voice device authorization fails if no voice VLAN is configured on the port.
Multi-domain mode should be configured if data host is connected through an IP Phone to the port. Multi-domain mode should be configured if the voice device needs to be authenticated.
Multi-auth mode should be configured to allow devices behind a hub to obtain secured port access through individual authentication. Only one voice device can be authenticated in this mode if a voice VLAN is configured.
Multi-host mode also offers port access for multiple hosts behind a hub, but multi-host mode gives unrestricted port access to the devices after the first user gets authenticated.
This example shows how to enable multiauth mode on a port:
This example shows how to enable multi-domain mode on a port:
Switch(config-if)# authentication host-mode multi-domain
This example shows how to enable multi-host mode on a port:
Switch(config)# authentication host-mode multi-host
This example shows how to enable single-host mode on a port:
Switch(config-if)# authentication host-mode single-host
You can verify your settings by entering the show authentication privileged EXEC command.
To enable MAC move on a switch, use the authentication mac-move permit command in global configuration mode. Use the no form of this command to return to the default setting.
authentication mac-move permit
no authentication mac-move permit
|
|
The command enables authenticated hosts to move between 802.1x-enabled ports on a switch. For example, if there is a device between an authenticated host and port, and that host moves to another port, the authentication session is deleted from the first port, and the host is reauthenticated on the new port.
If MAC move is disabled, and an authenticated host moves to another port, it is not reauthenticated, and a violation error occurs.
MAC move is not supported on port-security enabled 802.1x ports. If MAC move is globally configured on the switch and a port security-enabled host moves to an 802.1x-enabled port, a violation error occurs.
This example shows how to enable MAC move on a switch:
To enable or disable open access on a port, use the authentication open command in interface configuration mode. Use the no form of this command to disable open access.
|
|
Open authentication must be enabled if a device requires network access before it is authenticated.
A port ACL should be used to restrict host access when open authentication is enabled.
This example shows how to enable open access on a port:
This example shows how to set the port to disable open access on a port:
To set the order of authentication methods used on a port, use the authentication order command in interface configuration mode. Use the no form of the command to disable the specified setting.
authentication order [dot1x | mab] {webauth}
The default authentication order is dot1x followed by mab and webauth.
|
|
Ordering sets the order of methods that the switch attempts when trying to authenticate a new device connected to a port. If one method in the list is unsuccessful, the next method is attempted.
Each method can only be entered once. Flexible ordering is only possible between 802.1x and MAB.
Web authentication can be configured as either a standalone method or as the last method in the order after either 802.1x or MAB. Web authentication should be configured only as fallback to dot1x or mab.
This example shows how to add 802.1x as the first authentication method, MAB as the second method, and web authentication as the third method:
This example shows how to add MAC authentication Bypass (MAB) as the first authentication method and web authentication as the second authentication method:
You can verify your settings by entering the show authentication privileged EXEC command.
To enable or disable reauthentication on a port, use the authentication periodic command in interface configuration mode. Enter the no form of this command to disable reauthentication.
|
|
You configure the amount of time between periodic reauthentication attempts by using the authentication timer reauthentication interface configuration command.
This example shows how to enable periodic reauthentication on a port:
This example shows how to disable periodic reauthentication on a port:
You can verify your settings by entering the show authentication privileged EXEC command.
To enable manual control of the port authorization state, use the authentication port-control command in interface configuration mode. Use the no form of this command to return to the default setting.
authentication port-control {auto | force-authorized | force-un authorized}
no authentication port-control {auto | force-authorized | force-un authorized}
|
|
Use the auto keyword only on one of these port types:
To globally disable IEEE 802.1x authentication on the switch, use the no dot1x system-auth-control global configuration command. To disable IEEE 802.1x authentication on a specific port or to return to the default setting, use the no authentication port-control interface configuration command.
This example shows how to set the port state to automatic:
This example shows how to set the port state to the force-authorized state:
This example shows how to set the port state to the force-unauthorized state:
You can verify your settings by entering the show authentication privileged EXEC command.
To add an authentication method to the port-priority list, use the authentication priority command in interface configuration mode. Use the no form of the command to disable the specified setting.
auth priority [dot1x | mab] {webauth}
no auth priority [dot1x | mab] {webauth}
The default priority is 802.1x authentication, followed by MAC authentication bypass and web authentication.
|
|
Ordering sets the order of methods that the switch attempts when trying to authenticate that a new device is connected to a port.
When configuring multiple fallback methods on a port, set web authentication (webauth) last.
Assigning priorities to different authentication methods allows a higher-priority method to interrupt an in-progress authentication method with a lower priority.
Note If a client is already authenticated, it might be reauthenticated if an interruption from a higher-priority method occurs.
The default priority of an authentication method is equivalent to its position in execution-list order: 802.1x authentication, MAC authentication bypass, and web authentication. Use the dot1x, mab, and webauth keywords to change this default order.
This example shows how to set 802.1x as the first authentication method and web authentication as the second authentication method:
This example shows how to set MAC authentication Bypass (MAB) as the first authentication method and web authentication as the second authentication method:
You can verify your settings by entering the show authentication privileged EXEC command.
To configure the timeout and reauthentication parameters for an 802.1x-enabled port, use the authentication timer command in interface configuration mode. Use the no form of the command to disable the specified setting.
authentication timer {{[inactivity | reauthenticate] [server | am]} {restart value}}
no authentication timer {{[inactivity | reauthenticate] [server | am]} {restart value}}
The inactivity, server, and restart keywords are set to 60 seconds.
|
|
If a timeout value is not configured, an 802.1x session stays authorized indefinitely. No other host can use the port, and the connected host cannot move to another port on the same switch.
This example shows how to set the authentication inactivity timer to 60 seconds:
This example shows how to set the reauthentication timer to 120 seconds:
You can verify your settings by entering the show authentication privileged EXEC command.
To configure the violation modes that occur when a new device connects to a port or when a new device connects to a port after the maximum number of devices are connected to that port, use the authentication violation command in interface configuration mode. Use the no form of the command to disable the specified setting.
authentication violation {protect | restrict | shutdown}
no authentication violation {protect | restrict | shutdown}
Unexpected incoming MAC addresses are dropped. No syslog errors are generated. |
|
Error disables the port or the virtual port on which an unexpected MAC address occurs. |
By default authentication violation shutdown mode is enabled.
|
|
This example shows how to configure an IEEE 802.1x-enabled port as error disabled and to shut down when a new device connects it:
This example shows how to configure an IEEE 802.1x-enabled port to generate a system error message and to change the port to restricted mode when a new device connects to it:
This example shows how to configure an IEEE 802.1x-enabled port to ignore a new device when it connects to the port:
You can verify your settings by entering the show authentication privileged EXEC command.
To automatically configure quality of service (QoS) for voice over IP (VoIP) within a QoS domain, use the auto qos voip command in interface configuration mode. Use the no form of this command to return to the default setting.
auto qos voip { cisco-phone | cisco-softphone | trust }
no auto qos voip [ cisco-phone | cisco-softphone | trust ]
Note This command is available only when the switch is running the LAN Base image.
Auto-QoS is disabled on the port.
When auto-QoS is enabled, it uses the ingress packet label to categorize traffic, to assign packet labels, and to configure the ingress and egress queues as shown in Table 1-2 .
|
Traffic |
|
|
|
|
||
---|---|---|---|---|---|---|---|
DSCP3 |
|||||||
CoS4 |
|||||||
|
Table 1-3 shows the generated auto-QoS configuration for the ingress queues.
|
|
|
|
|
---|---|---|---|---|
SRR5 shared |
||||
5.SRR = shaped round robin. Ingress queues support shared mode only. |
Table 1-4 shows the generated auto-QoS configuration for the egress queues.
|
|
|
|
|
|
---|---|---|---|---|---|
|
|
The LAN Base image supports 2 ingress and 4 egress queues.
The LAN Base Lite image does not support ingress or egress queues.
Use this command to configure the QoS appropriate for VoIP traffic within the QoS domain. The QoS domain includes the switch, the interior of the network, and edge devices that can classify incoming traffic for QoS.
Auto-QoS configures the switch for VoIP with Cisco IP Phones on switch and routed ports and for VoIP with devices running the Cisco SoftPhone application. These releases support only Cisco IP SoftPhone Version 1.3(3) or later. Connected devices must use Cisco Call Manager Version 4 or later.
The show auto qos command output shows the service policy information for the Cisco IP phone.
To take advantage of the auto-QoS defaults, you should enable auto-QoS before you configure other QoS commands. You can fine-tune the auto-QoS configuration after you enable auto-QoS.
Note The switch applies the auto-QoS-generated commands as if the commands were entered from the command-line interface (CLI). An existing user configuration can cause the application of the generated commands to fail or to be overridden by the generated commands. These actions occur without warning. If all the generated commands are successfully applied, any user-entered configuration that was not overridden remains in the running configuration. Any user-entered configuration that was overridden can be retrieved by reloading the switch without saving the current configuration to memory. If the generated commands fail to be applied, the previous running configuration is restored.
If this is the first port on which you have enabled auto-QoS, the auto-QoS-generated global configuration commands are executed followed by the interface configuration commands. If you enable auto-QoS on another port, only the auto-QoS-generated interface configuration commands for that port are executed.
When you enable the auto-QoS feature on the first port, these automatic actions occur:
If the switch port was configured by using the auto qos voip cisco-phone interface configuration command in Cisco IOS Release 15.0(1)EY, the auto-QoS-generated commands new to this release are not applied to the port. To have these commands automatically applied, you must remove and then reapply the configuration to the port.
You can enable auto-QoS on static, dynamic-access, and voice VLAN access, and trunk ports. When enabling auto-QoS with a Cisco IP Phone on a routed port, you must assign a static IP address to the IP phone.
Note When a device running Cisco SoftPhone is connected to a switch or routed port, the switch supports only one Cisco SoftPhone application per port.
After auto-QoS is enabled, do not modify a policy map or aggregate policer that includes AutoQoS in its name. If you need to modify the policy map or aggregate policer, make a copy of it, and change the copied policy map or policer. To use the new policy map instead of the generated one, remove the generated policy map from the interface, and apply the new policy map.
To display the QoS configuration that is automatically generated when auto-QoS is enabled, enable debugging before you enable auto-QoS. Use the debug auto qos privileged EXEC command to enable auto-QoS debugging. For more information, see the debug auto qos command.
To disable auto-QoS on a port, use the no auto qos voip interface configuration command. Only the auto-QoS-generated interface configuration commands for this port are removed. If this is the last port on which auto-QoS is enabled and you enter the no auto qos voip command, auto-QoS is considered disabled even though the auto-QoS-generated global configuration commands remain (to avoid disrupting traffic on other ports affected by the global configuration). You can use the no mls qos global configuration command to disable the auto-QoS-generated global configuration commands. With QoS disabled, there is no concept of trusted or untrusted ports because the packets are not modified (the CoS, DSCP, and IP precedence values in the packet are not changed). Traffic is switched in pass-through mode (packets are switched without any rewrites and classified as best effort without any policing).
This example shows how to enable auto-QoS and to trust the QoS labels received in incoming packets when the switch or router connected to the port is a trusted device:
You can verify your settings by entering the show auto qos interface interface-id privileged EXEC command.
|
|
---|---|
Defines the default CoS value of a port or assigns the default CoS to all incoming packets on the port. |
|
mls qos map { cos-dscp dscp1... dscp8 | dscp-cos dscp-list to cos } |
|
Assigns shaped round robin (SRR) weights to an ingress queue. |
|
Maps CoS values to an ingress queue or maps CoS values to a queue and to a threshold ID. |
|
Maps DSCP values to an ingress queue or maps DSCP values to a queue and to a threshold ID. |
|
Configures the ingress priority queue and guarantees bandwidth. |
|
Maps CoS values to an egress queue or maps CoS values to a queue and to a threshold ID. |
|
Maps DSCP values to an egress queue or maps DSCP values to a queue and to a threshold ID. |
|
Assigns the shaped weights and enables bandwidth shaping on the four egress queues mapped to a port. |
|
Assigns the shared weights and enables bandwidth sharing on the four egress queues mapped to a port. |
To specify the buffer size for file system-simulated NVRAM, use the boot buffersize command in global configuration mode. Use the no form of this command to return to the default setting.
NVRAM simulation buffer size; valid values are 4096 through 1048576. |
The default file system-simulated NVRAM boot buffer size is 65536.
|
|
This example shows how to change the file system-simulated NVRAM boot buffer size to 15000.
|
|
---|---|
To specify the filename that Cisco IOS uses to read and write a nonvolatile copy of the system configuration, use the boot config-file command in global configuration mode. To use the no form of this command to return to the default setting.
boot config-file flash: / file-url
|
|
Filenames and directory names are case-sensitive.
This command changes the setting of the CONFIG_FILE environment variable. For more information, see Appendix 1, “Switch Bootloader Commands on the IE 2000 Switch.”
|
|
---|---|
To enable interrupting the automatic boot process, use the boot enable-break command in global configuration mode. Use the no form of this command to return to the default setting
Disabled. The automatic boot process cannot be interrupted by pressing the Break key on the console.
|
|
---|---|
When you enter this command, you can interrupt the automatic boot process by pressing the Break key on the console after the flash file system is initialized.
Note Despite the setting of this command, you can interrupt the automatic boot process at any time by pressing the MODE button on the switch front panel.
This command changes the setting of the ENABLE_BREAK environment variable. For more information, see Appendix 1, “Switch Bootloader Commands on the IE 2000 Switch.”
|
|
---|---|
To optimize the switch boot-up time after a system crash, use the boot fast command in global configuration mode. Use the no form of this command to return to the default setting.
|
|
---|---|
The command is enabled by default, but after a system crash this feature is automatically disabled.
To optimize switch boot-up time and disable the memory test, file system checks (FSCK) and POST processes, use this command to reenable the boot fast feature.
The following reload sequences occur immediately if your switch is set up to automatically bring up the system by using information in the BOOT environment variable. Otherwise, these reload sequences happen after the manual boot command in bootloader configuration mode is issued:
The switch disables the boot fast feature and displays the following warning message:
After the system message displays, the system saves the crashinfo and automatically resets itself for the next reload cycle.
The boot loader performs its normal full memory test and FSCK check with LED status progress. If the memory and FSCK tests are successful, the system then performs additional POST tests and the results are displayed on the console.
The boot fast feature is reenabled after the system comes up successfully.
|
|
---|---|
To dynamically load files during boot loader initialization to extend or patch the functionality of the boot loader, use the boot helper command in global configuration mode. Use the no form of this command to return to the default.
boot helper filesystem :/ file-url...
|
|
---|---|
This variable is used only for internal development and testing.
Filenames and directory names are case sensitive.
This command changes the setting of the HELPER environment variable. For more information, see Appendix 1, “Switch Bootloader Commands on the IE 2000 Switch.”
|
|
---|---|
To specify the name of the configuration file to be used by the Cisco IOS helper image. If this is not set, the file specified by the CONFIG_FILE environment variable is used by all versions of Cisco IOS that are loaded, use the boot helper-config-file command in global configuration mode. Use the no form of this command to return to the default setting.
boot helper-config-file filesystem :/ file-url
Alias for a flash file system. Use flash: for the system board flash device. |
|
|
|
---|---|
This variable is used only for internal development and testing.
Filenames and directory names are case sensitive.
This command changes the setting of the HELPER_CONFIG_FILE environment variable. For more information, see Appendix 1, “Switch Bootloader Commands on the IE 2000 Switch.”
|
|
---|---|
To optimize the router-specific configuration file, use the boot host command in global configuration mode. Use the no form of this command to return to the default setting.
boot host { dhcp | retry timeout seconds }
no boot host { dhcp | retry timeout seconds }
Sets the timeout in seconds; valid values are 60 to 65535 seconds. |
|
|
---|---|
This example shows how to optimize the router-specific configuration file using DHCP:
This example shows how to set the retry timeout to 120 seconds:
This example shows how to disable the retry timeout:
|
|
---|---|
To enable manually booting the switch during the next boot cycle, use the boot manual command in global configuration mode. Use the no form of this command to return to the default setting.
|
|
---|---|
The next time you reboot the system, the switch is in boot loader mode, which is shown by the switch: prompt. To boot up the system, use the boot boot loader command, and specify the name of the bootable image.
This command changes the setting of the MANUAL_BOOT environment variable. For more information, see Appendix 1, “Switch Bootloader Commands on the IE 2000 Switch.”
|
|
---|---|
To specify the filename that Cisco IOS uses to read and write a nonvolatile copy of the private configuration, use the boot private-config-file command in global configuration mode. Use the no form of this command to return to the default setting.
boot private-config-file filename
|
|
---|---|
This example shows how to specify the name of the private configuration file to be pconfig:
|
|
---|---|
To specify the Cisco IOS image to load during the next boot cycle, use the boot system command in global configuration mode. Use the no form of this command to return to the default setting.
boot system filesystem :/ file-url ...
Alias for a flash file system. Use flash: for the system board flash device. |
|
The path (directory) and name of a bootable image. Separate image names with a semicolon. |
The switch attempts to automatically boot up the system by using information in the BOOT environment variable. If this variable is not set, the switch attempts to load and execute the first executable image it can by performing a recursive, depth-first search throughout the flash file system. In a depth-first search of a directory, each encountered subdirectory is completely searched before continuing the search in the original directory.
|
|
---|---|
Filenames and directory names are case sensitive.
If you are using the archive download-sw privileged EXEC command to maintain system images, you never need to use the boot system command. The boot system command is automatically manipulated to load the downloaded image.
This command changes the setting of the BOOT environment variable. For more information, see Appendix 1, “Switch Bootloader Commands on the IE 2000 Switch.”
|
|
---|---|
To assign an Ethernet port to an EtherChannel group, to enable an EtherChannel mode, or both, use the channel-group command in interface configuration mode. Use the no form of this command to remove an Ethernet port from an EtherChannel group.
channel-group channel -group-number mode { active | { auto [ non-silent ]} | { desirable [ non-silent ]} | on | passive }
PAgP modes:
channel-group channel -group-number mode { { auto [ non-silent ]} | { desirable [ non-silent}}
LACP modes:
channel-group channel -group-number mode {active | passive}
On mode:
channel-group channel -group-number mode on
|
|
---|---|
For Layer 2 EtherChannels, you do not have to create a port-channel interface first by using the interface port-channel global configuration command before assigning a physical port to a channel group. Instead, you can use the channel-group interface configuration command. It automatically creates the port-channel interface when the channel group gets its first physical port if the logical interface is not already created. If you create the port-channel interface first, the channel-group-number can be the same as the port - channel-number, or you can use a new number. If you use a new number, the channel-group command dynamically creates a new port channel.
You do not have to disable the IP address that is assigned to a physical port that is part of a channel group, but we strongly recommend that you do so.
You create Layer 3 port channels by using the interface port-channel command followed by the no switchport interface configuration command. You should manually configure the port-channel logical interface before putting the interface into the channel group.
After you configure an EtherChannel, configuration changes that you make on the port-channel interface apply to all the physical ports assigned to the port-channel interface. Configuration changes applied to the physical port affect only the port where you apply the configuration. To change the parameters of all ports in an EtherChannel, apply configuration commands to the port-channel interface, for example, spanning-tree commands or commands to configure a Layer 2 EtherChannel as a trunk.
If you do not specify non-silent with the auto or desirable mode, silent is assumed. The silent mode is used when the switch is connected to a device that is not PAgP-capable and seldom, if ever, sends packets. A example of a silent partner is a file server or a packet analyzer that is not generating traffic. In this case, running PAgP on a physical port prevents that port from ever becoming operational. However, it allows PAgP to operate, to attach the port to a channel group, and to use the port for transmission. Both ends of the link cannot be set to silent.
In the on mode, an EtherChannel exists only when a port group in the on mode is connected to another port group in the on mode.
Do not configure an EtherChannel in both the PAgP and LACP modes. EtherChannel groups running PAgP and LACP can coexist on the same switch. Individual EtherChannel groups can run either PAgP or LACP, but they cannot interoperate.
If you set the protocol by using the channel-protocol interface configuration command, the setting is not overridden by the channel-group interface configuration command.
Do not configure a port that is an active or a not-yet-active member of an EtherChannel as an IEEE 802.1x port. If you try to enable IEEE 802.1x authentication on an EtherChannel port, an error message appears, and IEEE 802.1x authentication is not enabled.
Do not configure a secure port as part of an EtherChannel or an EtherChannel port as a secure port.
For a complete list of configuration guidelines, see the “Configuring EtherChannels” chapter in the software configuration guide for this release.
This example shows how to configure an EtherChannel. It assigns two static-access ports in VLAN 10 to channel 5 with the PAgP mode desirable :
This example shows how to configure an EtherChannel. It assigns two static-access ports in VLAN 10 to channel 5 with the LACP mode active :
|
|
---|---|
To restrict the protocol used on a port to manage channeling, use the channel-protocol command in interface configuration mode. Use the no form of this command to return to the default setting.
channel-protocol { lacp | pagp }
Configures an EtherChannel with the Link Aggregation Control Protocol (LACP). |
|
Configures an EtherChannel with the Port Aggregation Protocol (PAgP). |
|
|
---|---|
Use the channel-protocol command only to restrict a channel to LACP or PAgP. If you set the protocol by using the channel-protocol command, the setting is not overridden by the channel-group interface configuration command.
You must use the channel-group interface configuration command to configure the EtherChannel parameters. The channel-group command also can set the mode for the EtherChannel.
You cannot enable both the PAgP and LACP modes on an EtherChannel group.
PAgP and LACP are not compatible; both ends of a channel must use the same protocol.
This example shows how to specify LACP as the protocol that manages the EtherChannel:
You can verify your settings by entering the show etherchannel [ channel-group-number ] protocol privileged EXEC command.
|
|
---|---|
show etherchannel protocol |
To enable the Common Industrial Protocol (CIP) on a VLAN, use the cip enable command in interface configuration mode. Use the no form of the command to disable CIP.
|
|
---|---|
The interface must be a VLAN, not a physical interface.
You can enable CIP on only one VLAN on a switch.
We recommend that you configure a CIP security password when enabling CIP.
This example shows how to enable CIP on VLAN 3:
This is an example of the error message that appears if you try to enable CIP on a second VLAN:
|
|
---|---|
To set the Common Industrial Protocol (CIP) security options on the switch, use the cip security command in global configuration mode. Use the no form of the command to cancel the password or return to the default timeout value.
cip security {password password | window timeout value }
no cip security {password password | window timeout}
Sets the value for the CIP security window timeout. The range is 1 to 3600 seconds. The default is 600 seconds. |
|
|
---|---|
We recommend that you configure a CIP security password when you enable CIP on a VLAN. Otherwise, any CIP user can configure the switch.
This example shows how to set the CIP security window timeout value to 1 hour:
This example shows how to set the CIP security password to abc123:
|
|
---|---|
To enable Client Information Signalling Protocol (CISP) on a switch so that it acts as an authenticator to a supplicant switch, use the cisp enable command in global configuration mode.
|
|
---|---|
The link between the authenticator and supplicant switch is a trunk. When you enable VTP on both switches, the VTP domain name must be the same, and the VTP mode must be server.
When you configure VTP mode, to avoid the MD5 checksum mismatch error, verify that:
This example shows how to enable CISP:
|
|
---|---|
To define a traffic classification match criteria (through the police, set, and trust policy-map class configuration commands) for the specified class-map name, use the class command in policy-map configuration mode. Use the no form of this command to delete an existing class map.
|
|
---|---|
Before using the class command, you must use the policy-map global configuration command to identify the policy map and to enter policy-map configuration mode. After specifying a policy map, you can configure a policy for new classes or modify a policy for any existing classes in that policy map. You attach the policy map to a port by using the service-policy interface configuration command.
After entering the class command, you enter policy-map class configuration mode, and these configuration commands are available:
To return to policy-map configuration mode, use the exit command. To return to privileged EXEC mode, use the end command.
The class command performs the same function as the class-map global configuration command. Use the class command when a new classification, which is not shared with any other ports, is needed. Use the class-map command when the map is shared among many ports.
This example shows how to create a policy map called policy1. When attached to the ingress direction, it matches all the incoming traffic defined in class1, sets the IP Differentiated Services Code Point (DSCP) to 10, and polices the traffic at an average rate of 1 Mb/s and bursts at 20 KB. Traffic exceeding the profile is marked down to a DSCP value received from the policed-DSCP map and then sent.
You can verify your settings by entering the show policy-map privileged EXEC command.
To create a class map to be used for matching packets to the class name you specify and to enter class-map configuration mode, use the class-map command in global configuration mode. Use the no form of this command to delete an existing class map and to return to global configuration mode.
class-map [ match-all | match-any ] class-map-name
no class-map [ match-all | match-any ] class-map-name
If neither the match-all or match-any keyword is specified, the default is match-all.
|
|
---|---|
Use this command to specify the name of the class for which you want to create or modify class-map match criteria and to enter class-map configuration mode.
The class-map command and its subcommands are used to define packet classification, marking, and aggregate policing as part of a globally named service policy applied on a per-port basis.
After you are in quality of service (QoS) class-map configuration mode, these configuration commands are available:
A class-map with this name already exists
appears.To define packet classification on a physical-port basis, only one match command per class map is supported. In this situation, the match-all and match-any keywords are equivalent.
Only one access control list (ACL) can be configured in a class map. The ACL can have multiple access control entries (ACEs).
This example shows how to configure the class map called class1 with one match criterion, which is an access list called 103:
This example shows how to delete the class map class1:
You can verify your settings by entering the show class-map privileged EXEC command.
To clear IEEE 802.1x information for the switch or for the specified port, use the clear dot1x command in privileged EXEC mode.
clear dot1x { all | interface interface-id }
|
|
---|---|
You can clear all the information by using the clear dot1x all command, or you can clear only the information for the specified interface by using the clear dot1x interface interface-id command.
This example shows how to clear all IEEE 8021.x information:
Switch#
clear dot1x all
This example shows how to clear IEEE 8021.x information for the specified interface:
Switch#
clear dot1x interface gigabithethernet1/1
You can verify that the information was deleted by entering the show dot1x privileged EXEC command.
|
|
---|---|
Displays IEEE 802.1x statistics, administrative status, and operational status for the switch or for the specified port. |
To clear Extensible Authentication Protocol (EAP) session information for the switch or for the specified port, use the clear eap sessions command in privileged EXEC mode.
clear eap sessions [ credentials name [ interface interface-id ] | interface interface-id | method name | transport name ] [ credentials name | interface interface-id | transport name ]...
|
|
---|---|
You can clear all counters by using the clear eap sessions command, or you can clear only the specific information by using the keywords.
This example shows how to clear all EAP information:
Switch#
clear eap
This example shows how to clear EAP-session credential information for the specified profile:
Switch#
clear eap sessions credential type1
You can verify that the information was deleted by entering the show dot1x privileged EXEC command.
|
|
---|---|
Displays EAP registration and session information for the switch or for the specified port |
To reenable a VLAN that was error-disabled, use the clear errdisable interface command in privileged EXEC mode.
clear errdisable interface interface-id vlan [vlan-list]
(Optional) A list of VLANs to be reenabled. If a VLAN list is not specified, then all VLANs are reenabled. |
|
|
---|---|
You can reenable a port by using the shutdown and no shutdown interface configuration commands, or you can clear error-disable for VLANs by using the clear errdisable interface command.
This example shows how to reenable all VLANs that were error-disabled on port 2.
Switch#
clear errdisable interface GigabitEthernet1/2 vlan
|
|
---|---|
Enables error-disabled detection for a specific cause or all causes. |
|
show interfaces status err-disabled |
Displays interface status of a list of interfaces in error-disabled state. |
To clear the dynamic Address Resolution Protocol (ARP) inspection log buffer, use the clear ip arp inspection log command in privileged EXEC mode.
|
|
---|---|
This example shows how to clear the contents of the log buffer:
Switch#
clear ip arp inspection log
You can verify that the log was cleared by entering the show ip arp inspection log privileged command.
|
|
---|---|
show inventory log |
Displays the configuration and contents of the dynamic ARP inspection log buffer. |
To clear the dynamic Address Resolution Protocol (ARP) inspection statistics, use the clear ip arp inspection statistics command in privileged EXEC mode.
clear ip arp inspection statistics [ vlan vlan-range ]
|
|
---|---|
This example shows how to clear the statistics for VLAN 1:
You can verify that the statistics were deleted by entering the show ip arp inspection statistics vlan 1 privileged EXEC command.
|
|
---|---|
show inventory statistics |
Displays statistics for forwarded, dropped, MAC validation failure, and IP validation failure packets for all VLANs or the specified VLAN. |
To clear the DHCP snooping binding database, the DHCP snooping binding database agent statistics, or the DHCP snooping statistics counters, use the clear ip dhcp snooping command in privileged EXEC mode.
clear ip dhcp snooping { binding {* | ip-address | interface interface-id | vlan vlan-id } | database statistics | statistics }
|
|
---|---|
When you enter the clear ip dhcp snooping database statistics command, the switch does not update the entries in the binding database and in the binding file before clearing the statistics.
This example shows how to clear the DHCP snooping binding database agent statistics:
You can verify that the statistics were cleared by entering the show ip dhcp snooping database privileged EXEC command.
This example shows how to clear the DHCP snooping statistics counters:
Switch#
clear ip dhcp snooping statistics
You can verify that the statistics were cleared by entering the show ip dhcp snooping statistics user EXEC command.
|
|
---|---|
Configures the DHCP snooping binding database agent or the binding file. |
|
Displays the DHCP snooping binding database agent statistics. |
|
show ip dhcp snooping statistics |
To clear Interprocess Communications Protocol (IPC) statistics, use the clear ipc command in privileged EXEC mode.
clear ipc { queue-statistics | statistics }
Note This command is visible only when the switch is running the IP services image.
|
|
---|---|
You can clear all statistics by using the clear ipc statistics command, or you can clear only the queue statistics by using the clear ipc queue-statistics command.
This example shows how to clear all statistics:
Switch#
clear ipc statistics
This example shows how to clear only the queue statistics:
Switch#
clear ipc queue-statistics
You can verify that the statistics were deleted by entering the show ipc rpc or the show ipc session privileged EXEC command.
|
|
---|---|
show ipc { rpc | session } |
To clear an address conflict from the Dynamic Host Configuration Protocol for IPv6 (DHCPv6) server database, use the clear ipv6 dhcp conflict command in privileged EXEC mode.
clear ipv6 dhcp conflict {* | IPv6-address}
Note This command is available only if you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch and the switch is running the IP services image.
The host IPv6 address that contains the conflicting address. |
|
|
---|---|
To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 { default | vlan } global configuration command, and reload the switch.
When you configure the DHCPv6 server to detect conflicts, it uses ping. The client uses neighbor discovery to detect clients and reports to the server through a DECLINE message. If an address conflict is detected, the address is removed from the pool, and the address is not assigned until the administrator removes the address from the conflict list.
If you use the asterisk (*) character as the address parameter, DHCP clears all conflicts.
This example shows how to clear all address conflicts from the DHCPv6 server database:
|
|
---|---|
Displays address conflicts found by a DHCPv6 server, or reported through a DECLINE message from a client. |
To clear Link Aggregation Control Protocol (LACP) channel-group counters, use the clear lacp command in privileged EXEC mode.
clear lacp { channel-group-number counters | counters }
|
|
---|---|
You can clear all counters by using the clear lacp counters command, or you can clear only the counters for the specified channel group by using the clear lacp channel-group-number counters command.
This example shows how to clear all channel group information:
Switch#
clear lacp counters
This example shows how to clear LACP traffic counters for group 4:
Switch#
clear lacp 4 counters
You can verify that the information was deleted by entering the show lacp counters or the show lacp 4 counters privileged EXEC command.
|
|
---|---|
To delete from the MAC address table a specific dynamic address, all dynamic addresses on a particular interface, or all dynamic addresses on a particular VLAN, use the clear mac address-table command in privileged EXEC mode. This command also clears the MAC address notification global counters.
clear mac address-table { dynamic [ address mac-addr | interface interface-id | vlan vlan-id ] | notification }
|
|
---|---|
This example shows how to remove a specific MAC address from the dynamic address table:
You can verify that the information was deleted by entering the show mac address-table privileged EXEC command.
To clear the MAC address-table-move update-related counters, use the clear mac address-table move update command in privileged EXEC mode.
clear mac address-table move update
|
|
---|---|
This example shows how to clear the MAC address-table move update-related counters.
You can verify that the information was cleared by entering the show mac address-table move update privileged EXEC command.
|
|
---|---|
mac address-table move update { receive | transmit } |
|
Displays the MAC address-table move update information on the switch. |
To clear the Network Mobility Services Protocol (NMSP) statistics, use the clear nmsp statistics command in privileged EXEC mode. This command is available only when your switch is running the cryptographic (encrypted) software image.
|
|
---|---|
This example shows how to clear NMSP statistics:
You can verify that information was deleted by entering the show nmsp statistics privileged EXEC command.
|
|
---|---|
To clear Port Aggregation Protocol (PAgP) channel-group information, use the clear pagp command in privileged EXEC mode.
clear pagp { channel-group-number counters | counters }
|
|
---|---|
You can clear all counters by using the clear pagp counters command, or you can clear only the counters for the specified channel group by using the clear pagp channel-group-number counters command.
This example shows how to clear all channel group information:
Switch#
clear pagp counters
This example shows how to clear PAgP traffic counters for group 10:
Switch#
clear pagp 10 counters
You can verify that information was deleted by entering the show pagp privileged EXEC command.
|
|
---|---|
To delete from the MAC address table all secure addresses or all secure addresses of a specific type (configured, dynamic, or sticky) on the switch or on an interface, use the clear port-security command in privileged EXEC mode.
clear port-security { all | configured | dynamic | sticky } [[ address mac-addr | interface interface-id ] [ vlan { vlan-id | { access | voice}}]]
|
|
---|---|
This example shows how to clear all secure addresses from the MAC address table:
This example shows how to remove a specific configured secure address from the MAC address table:
This example shows how to remove all the dynamic secure addresses learned on a specific interface:
This example shows how to remove all the dynamic secure addresses from the address table:
You can verify that the information was deleted by entering the show port-security privileged EXEC command.
|
|
---|---|
switchport port-security mac-address mac-address |
|
switchport port-security maximum value |
Configures a maximum number of secure MAC addresses on a secure interface. |
Displays the port security settings defined for an interface or for the switch. |
To clear the protocol storm protection counter of packets dropped for all protocols, use the clear psp counter command in privileged EXEC mode.
clear psp counter [ arp | igmp | dhcp ]
|
|
---|---|
In this example, the protocol storm protection counter for DHCP is cleared:
|
|
---|---|
Configures protocol storm protection for ARP, DHCP, or IGMP. |
|
To clear Resilient Ethernet Protocol (REP) counters for the specified interface or all interfaces, use the clear rep counters command in privileged EXEC mode.
clear rep counters [ interface interface-id ]
(Optional) Specifies a REP interface whose counters should be cleared. |
|
|
---|---|
You can clear all REP counters by using the clear rep counters command, or you can clear only the counters for the interface by using the clear rep counters interface interface-id command.
When you enter the clear rep counters command, only the counters visible in the output of the show interface rep detail command are cleared. SNMP visible counters are not cleared as they are read-only.
This example shows how to clear all REP counters for all REP interfaces:
You can verify that REP information was deleted by entering the show interfaces rep detail privileged EXEC command.
|
|
---|---|
show interfaces rep detail |
To clear the spanning-tree counters, use the clear spanning-tree counters command in privileged EXEC mode.
clear spanning-tree counters [ interface interface-id ]
|
|
---|---|
If the interface-id value is not specified, spanning-tree counters are cleared for all interfaces.
This example shows how to clear spanning-tree counters for all interfaces:
|
|
---|---|
To restart the protocol migration process (force the renegotiation with neighboring switches) on all interfaces or on the specified interface, use the clear spanning-tree detected-protocols command in privileged EXEC mode.
clear spanning-tree detected-protocols [ interface interface-id ]
|
|
---|---|
A switch running the Rapid per-VLAN Spanning Tree Plus (RPVST+) protocol or the Multiple Spanning Tree Protocol (MSTP) supports a built-in protocol migration mechanism that enables it to interoperate with legacy IEEE 802.1D switches. If a RPVST+ switch or an MSTP switch receives a legacy IEEE 802.1D configuration bridge protocol data unit (BPDU) with the protocol version set to 0, it sends only IEEE 802.1D BPDUs on that port. A multiple spanning-tree (MST) switch can also detect that a port is at the boundary of a region when it receives a legacy BPDU, an MST BPDU (Version 3) associated with a different region, or a Rapid Spanning Tree (RST) BPDU (Version 2).
However, the switch does not automatically revert to the RPVST+ or the MSTP mode if it no longer receives IEEE 802.1D BPDUs because it cannot learn whether the legacy switch has been removed from the link unless the legacy switch is the designated switch. Use the clear spanning-tree detected-protocols command in this situation.
This example shows how to restart the protocol migration process on a Gigabit Ethernet port:
This example shows how to restart the protocol migration process on a Fast Ethernet port:
|
|
---|---|
Overrides the default link-type setting and enables rapid spanning tree changes to the forwarding state. |
To clear the statistics maintained by the VLAN Query Protocol (VQP) client, use the clear vmps statistics command in privileged EXEC mode.
|
|
---|---|
This example shows how to clear VLAN Membership Policy Server (VMPS) statistics:
You can verify that information was deleted by entering the show vmps statistics privileged EXEC command.
|
|
---|---|
Displays the VQP version, reconfirmation interval, retry count, VMPS IP addresses, and the current and primary servers. |
To clear the VLAN Trunking Protocol (VTP) and pruning counters, use the clear vtp counters command in privileged EXEC mode.
|
|
---|---|
This example shows how to clear the VTP counters:
You can verify that information was deleted by entering the show vtp counters privileged EXEC command.
|
|
---|---|
Displays general information about the VTP management domain, status, and counters. |
To automatically provide a MAC address to cluster member switches when these switches join the cluster, use the cluster commander-address command in global configuration mode. Use the no form of this command from the cluster member switch console port to remove the switch from a cluster only during debugging or recovery procedures.
cluster commander-address mac-address [ member number name name ]
(Optional) Specifies the number of a configured cluster member switch. The range is 0 to 15. |
|
(Optional) Specifies the name of the configured cluster up to 31 characters. |
|
|
---|---|
You do not need to enter this command from a standalone cluster member switch. The cluster command switch automatically provides its MAC address to cluster member switches when these switches join the cluster. The cluster member switch adds this information and other cluster information to its running configuration file.
This command is available only on the cluster command switch.
A cluster member can have only one cluster command switch.
The cluster member switch retains the identity of the cluster command switch during a system reload by using the mac-address parameter.
You can enter the no form on a cluster member switch to remove it from the cluster during debugging or recovery procedures. You would normally use this command from the cluster member switch console port only when the member has lost communication with the cluster command switch. With normal switch configuration, we recommend that you remove cluster member switches only by entering the no cluster member n global configuration command on the cluster command switch.
When a standby cluster command switch becomes active (becomes the cluster command switch), it removes the cluster commander address line from its configuration.
This is partial sample output from the running configuration of a cluster member.
This example shows how to remove a member from the cluster by using the cluster member console.
You can verify your settings by entering the show cluster privileged EXEC command.
|
|
---|---|
Displays the cluster status and a summary of the cluster to which the switch belongs. |
To set the hop-count limit for extended discovery of candidate switches, use the cluster discovery hop-count command in global configuration mode on the cluster command switch. Use the no form of this command to return to the default setting.
cluster discovery hop-count number
no cluster discovery hop-count
Number of hops from the cluster edge that the cluster command switch limits the discovery of candidates. The range is 1 to 7. |
|
|
---|---|
This command is available only on the cluster command switch. This command does not operate on cluster member switches.
If the hop count is set to 1, it disables extended discovery. The cluster command switch discovers only candidates that are one hop from the edge of the cluster. The edge of the cluster is the point between the last discovered cluster member switch and the first discovered candidate switch.
This example shows how to set hop count limit to 4. This command is executed on the cluster command switch.
You can verify your setting by entering the show cluster privileged EXEC command.
|
|
---|---|
Displays the cluster status and a summary of the cluster to which the switch belongs. |
|
To enable the switch as the cluster command switch, assign a cluster name, and to optionally assign a member number to it, use the cluster enable command in global configuration mode on a command-capable switch. Use the no form of the command to remove all members and to make the cluster command switch a candidate switch.
cluster enable name [ command-switch-member-number ]
The switch is not a cluster command switch.
The member number is 0 when the switch is the cluster command switch.
|
|
---|---|
Enter this command on any command-capable switch that is not part of any cluster. This command fails if a device is already configured as a member of the cluster.
You must name the cluster when you enable the cluster command switch. If the switch is already configured as the cluster command switch, this command changes the cluster name if it is different from the previous cluster name.
This example shows how to enable the cluster command switch, name the cluster, and set the cluster command switch member number to 4.
You can verify your setting by entering the show cluster privileged EXEC command on the cluster command switch.
|
|
---|---|
Displays the cluster status and a summary of the cluster to which the switch belongs. |
To set the duration in seconds before a switch (either the command or cluster member switch) declares the other switch down after not receiving heartbeat messages, use the cluster holdtime command in global configuration mode. Use the no form of this command to set the duration to the default value.
cluster holdtime holdtime-in-secs
Duration in seconds before a switch (either a command or cluster member switch) declares the other switch down. The range is 1 to 300 seconds. |
|
|
---|---|
Enter this command with the cluster timer global configuration command only on the cluster command switch. The cluster command switch propagates the values to all its cluster members so that the setting is consistent among all switches in the cluster.
The holdtime is typically set as a multiple of the interval timer (cluster timer). For example, it takes (holdtime-in-secs divided by the interval-in-secs) number of heartbeat messages to be missed in a row to declare a switch down.
This example shows how to change the interval timer and the duration on the cluster command switch.
You can verify your settings by entering the show cluster privileged EXEC command.
|
|
---|---|
Displays the cluster status and a summary of the cluster to which the switch belongs. |
To add candidates to a cluster, use the cluster member command in global configuration mode on the cluster command switch. Use the no form of the command to remove members from the cluster.
cluster member [ n ] mac-address H.H.H [ password enable-password ] [ vlan vlan-id ]
A newly enabled cluster command switch has no associated cluster members.
|
|
---|---|
Enter this command only on the cluster command switch to add a candidate to or remove a member from the cluster. If you enter this command on a switch other than the cluster command switch, the switch rejects the command and displays an error message.
You must enter a member number to remove a switch from the cluster. However, you do not need to enter a member number to add a switch to the cluster. The cluster command switch selects the next available member number and assigns it to the switch that is joining the cluster.
You must enter the enable password of the candidate switch for authentication when it joins the cluster. The password is not saved in the running or startup configuration. After a candidate switch becomes a member of the cluster, its password becomes the same as the cluster command-switch password.
If a switch does not have a configured hostname, the cluster command switch appends a member number to the cluster command-switch hostname and assigns it to the cluster member switch.
If you do not specify a VLAN ID, the cluster command switch automatically chooses a VLAN and adds the candidate to the cluster.
This example shows how to add a switch as member 2 with MAC address 00E0.1E00.2222 and the password key to a cluster. The cluster command switch adds the candidate to the cluster through VLAN 3.
This example shows how to add a switch with MAC address 00E0.1E00.3333 to the cluster. This switch does not have a password. The cluster command switch selects the next available member number and assigns it to the switch that is joining the cluster.
You can verify your settings by entering the show cluster members privileged EXEC command on the cluster command switch.
|
|
---|---|
Displays the cluster status and a summary of the cluster to which the switch belongs. |
|
To configure the outside interface for cluster Network Address Translation (NAT) so that a member without an IP address can communicate with devices outside the cluster, use the cluster outside-interface command in global configuration mode. Use the no form of this command to return to the default setting.
cluster outside-interface interface-id
Interface to serve as the outside interface. Valid interfaces include physical interfaces, port channels, or VLANs. The port channel range is 1 to 6. The VLAN range is 1 to 4094. |
The default outside interface is automatically selected by the cluster command switch.
|
|
---|---|
Enter this command only on the cluster command switch. If you enter this command on a cluster member switch, an error message appears.
This example shows how to set the outside interface to VLAN 1:
You can verify your setting by entering the show running-config privileged EXEC command.
|
|
---|---|
Displays the current operating configuration. For syntax information, see the Cisco IOS Software Command Reference, Release 15.0. |
To enable clustering on a switch, use the cluster run command in global configuration mode. Use the no form of this command to disable clustering on a switch.
|
|
---|---|
When you enter the no cluster run command on a cluster command switch, the cluster command switch is disabled. Clustering is disabled, and the switch cannot become a candidate switch.
When you enter the no cluster run command on a cluster member switch, it is removed from the cluster. Clustering is disabled, and the switch cannot become a candidate switch.
When you enter the no cluster run command on a switch that is not part of a cluster, clustering is disabled on this switch. This switch cannot then become a candidate switch.
This example shows how to disable clustering on the cluster command switch:
You can verify your setting by entering the show cluster privileged EXEC command.
|
|
---|---|
Displays the cluster status and a summary of the cluster to which the switch belongs. |
To enable cluster command-switch redundancy by binding the cluster to an existing Hot Standby Router Protocol (HSRP), use the cluster standby-group command in global configuration mode. Entering the routing-redundancy keyword enables the same HSRP group to be used for cluster command-switch redundancy and routing redundancy. Use the no form of this command to return to the default setting.
cluster standby-grou p HSRP-group-name [ routing-redundancy ]
|
|
---|---|
Enter this command only on the cluster command switch. If you enter it on a cluster member switch, an error message appears.
The cluster command switch propagates the cluster-HSRP binding information to all cluster-HSRP capable members. Each cluster member switch stores the binding information in its NVRAM. The HSRP group name must be a valid standby group; otherwise, the command exits with an error.
The same group name should be used on all members of the HSRP standby group that is to be bound to the cluster. The same HSRP group name should also be used on all cluster-HSRP capable members for the HSRP group that is to be bound. (When not binding a cluster to an HSRP group, you can use different names on the cluster commander and the members.)
This example shows how to bind the HSRP group named my_hsrp to the cluster. This command is executed on the cluster command switch.
This example shows how to use the same HSRP group named my_hsrp for routing redundancy and cluster redundancy.
This example shows the error message when this command is executed on a cluster command switch and the specified HSRP standby group does not exist:
This example shows the error message when this command is executed on a cluster member switch:
You can verify your settings by entering the show cluster privileged EXEC command. The output shows whether redundancy is enabled in the cluster.
To set the interval in seconds between heartbeat messages, use the cluster timer command in global configuration mode. Use the no form of this command to set the interval to the default value.
cluster timer interval-in-secs
Interval in seconds between heartbeat messages. The range is 1 to 300 seconds. |
|
|
---|---|
Enter this command with the cluster holdtime global configuration command only on the cluster command switch. The cluster command switch propagates the values to all its cluster members so that the setting is consistent among all switches in the cluster.
The holdtime is typically set as a multiple of the heartbeat interval timer (cluster timer). For example, it takes (holdtime-in-secs divided by the interval-in-secs) number of heartbeat messages to be missed in a row to declare a switch down.
This example shows how to change the heartbeat interval timer and the duration on the cluster command switch:
You can verify your settings by entering the show cluster privileged EXEC command.
|
|
---|---|
Displays the cluster status and a summary of the cluster to which the switch belongs. |
To create an interface-range macro, use the define interface-range command in global configuration mode. Use the no form of this command to delete the defined macro.
define interface-range macro-name interface-range
no define interface-range macro-name interface-range
Interface range; for valid values for interface ranges, see “Usage Guidelines.” |
|
|
---|---|
The macro name is a 32-character maximum character string.
A macro can contain up to five ranges.
All interfaces in a range must be the same type; that is, all Fast Ethernet ports, all Gigabit Ethernet ports, all EtherChannel ports, or all VLANs, but you can combine multiple interface types in a macro.
When entering the interface-range, use this format:
Valid values for type and interface :
VLAN interfaces must have been configured with the interface vlan command (the show running-config privileged EXEC command displays the configured VLAN interfaces). VLAN interfaces not displayed by the show running-config command cannot be used in interface-ranges.
When you define a range, you must enter a space before the hyphen (-), for example:
You can also enter multiple ranges. When you define multiple ranges, you must enter a space after the first entry before the comma (,). The space after the comma is optional, for example:
This example shows how to create a multiple-interface macro:
|
|
---|---|
Displays the current operating configuration, including defined macros. For syntax information, see the Cisco IOS Software Command Reference, Release 15.0. |
To delete a file or directory on the flash memory device, use the delete command in privileged EXEC mode.
delete [ /force ] [/ recursive ] filesystem :/ file-url
(Optional) Suppresses the prompt that confirms the deletion. |
|
(Optional) Deletes the named directory and all subdirectories and the files contained in it. |
|
|
|
---|---|
If you use the /force keyword, you are prompted once at the beginning of the deletion process to confirm the deletion.
If you use the /recursive keyword without the /force keyword, you are prompted to confirm the deletion of every file.
The prompting behavior depends on the setting of the file prompt global configuration command. By default, the switch prompts for confirmation on destructive file operations. For more information about this command, see the Cisco IOS Command Reference for Release 12.1.
This example shows how to remove the directory that contains the old software image after a successful download of a new image:
You can verify that the directory was removed by entering the dir filesystem : privileged EXEC command.
|
|
---|---|
Downloads a new image to the switch and overwrites or keeps the existing image. |
To deny an ARP packet based on matches against the DHCP bindings, use the deny command in Address Resolution Protocol (ARP) access-list configuration mode. Use the no form of this command to remove the specified access control entry (ACE) from the access list.
deny {[ request ] ip { any | host sender-ip | sender-ip sender-ip-mask } mac { any | host sender-mac | sender-mac sender-mac-mask } | response ip { any | host sender-ip | sender-ip sender-ip-mask } [{ any | host target-ip | target-ip target-ip-mask }] mac { any | host sender-mac | sender-mac sender-mac-mask } [{ any | host target-mac | target-mac target-mac-mask }]} [ log ]
no deny {[ request ] ip { any | host sender-ip | sender-ip sender-ip-mask } mac { any | host sender-mac | sender-mac sender-mac-mask } | response ip { any | host sender-ip | sender-ip sender-ip-mask } [{ any | host target-ip | target-ip target-ip-mask }] mac { any | host sender-mac | sender-mac sender-mac-mask } [{ any | host target-mac | target-mac target-mac-mask }]} [ log ]
(Optional) Defines a match for the ARP request. When request is not specified, matching is performed against all ARP packets. |
|
At the end of the ARP access list, there is an implicit deny ip any mac any command.
|
|
---|---|
You can add deny clauses to drop ARP packets based on matching criteria.
This example shows how to define an ARP access list and to deny both ARP requests and ARP responses from a host with an IP address of 1.1.1.1 and a MAC address of 0000.0000.abcd:
You can verify your settings by entering the show arp access-list privileged EXEC command.
|
|
---|---|
Permits ARP requests and responses from a host configured with a static IP address. |
|
Permits an ARP packet based on matches against the DHCP bindings. |
|
To prevent non-IP traffic from being forwarded if the conditions are matched, use the deny command in MAC access-list configuration mode. Use the no form of this command to remove a deny condition from the named MAC access list.
{ deny | permit } { any | host src-MAC-addr | src-MAC-addr mask } { any | host dst-MAC-addr | dst-MAC-addr mask } [ type mask | aarp | amber | cos cos | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | lsap lsap mask | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp ]
no { deny | permit } { any | host src-MAC-addr | src-MAC-addr mask } { any | host dst-MAC-addr | dst-MAC-addr mask } [ type mask | aarp | amber | cos cos | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | lsap lsap mask | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp ]
Note Though visible in the command-line help strings, appletalk is not supported as a matching condition.
To filter IPX traffic, you use the type mask or lsap lsap mask keywords, depending on the type of IPX encapsulation being used. Filter criteria for IPX encapsulation types as specified in Novell terminology and Cisco IOS terminology are listed in Table 1-5 .
|
|
|
---|---|---|
|
|
|
This command has no defaults. However; the default action for a MAC-named ACL is to deny.
|
|
---|---|
You enter MAC-access list configuration mode by using the mac access-list extended global configuration command.
If you use the host keyword, you cannot enter an address mask; if you do not use the host keyword, you must enter an address mask.
When an access control entry (ACE) is added to an access control list, an implied deny - any - any condition exists at the end of the list. That is, if there are no matches, the packets are denied. However, before the first ACE is added, the list permits all packets.
For more information about named MAC extended access lists, see the software configuration guide for this release.
This example shows how to define the named MAC extended access list to deny NETBIOS traffic from any source to MAC address 00c0.00a0.03fa. Traffic matching this list is denied.
This example shows how to remove the deny condition from the named MAC extended access list:
This example denies all packets with Ethertype 0x4321:
You can verify your settings by entering the show access-lists privileged EXEC command.
|
|
---|---|
Creates an access list based on MAC addresses for non-IP traffic. |
|
Permits non-IP traffic to be forwarded if conditions are matched. |
|
To globally enable IEEE 802.1x authentication, use the dot1x command in global configuration mode. Use the no form of this command to return to the default setting.
dot1x { critical { eapol | recovery delay milliseconds } | { guest-vlan supplicant } | system-auth-control }
no dot1x { critical { eapol | recovery delay } | { guest-vlan supplicant } | system-auth-control }
Note Though visible in the command-line help strings, the credentials name keywords are not supported.
Configures the inaccessible authentication bypass parameters. For more information, see the dot1x critical (global configuration) command. |
|
Enables optional guest VLAN behavior globally on the switch. |
|
IEEE 802.1x authentication is disabled, and the optional guest VLAN behavior is disabled.
|
|
---|---|
You must enable authentication, authorization, and accounting (AAA) and specify the authentication method list before globally enabling IEEE 802.1x authentication. A method list describes the sequence and authentication methods to be used to authenticate a user.
Before globally enabling IEEE 802.1x authentication on a switch, remove the EtherChannel configuration from the interfaces on which IEEE 802.1x authentication and EtherChannel are configured.
If you are using a device running the Cisco Access Control Server (ACS) application for IEEE 802.1x authentication with EAP-Transparent LAN Services (TLS) and with EAP-MD5, make sure that the device is running ACS Version 3.2.1 or later.
You can use the guest-vlan supplicant keywords to enable the optional IEEE 802.1x guest VLAN behavior globally on the switch. For more information, see the dot1x guest-vlan command.
This example shows how to globally enable IEEE 802.1x authentication on a switch:
This example shows how to globally enable the optional guest VLAN behavior on a switch:
You can verify your settings by entering the show dot1x [ interface interface-id ] privileged EXEC command.
|
|
---|---|
Configures the parameters for the inaccessible authentication bypass feature on the switch. |
|
Enables and specifies an active VLAN as an IEEE 802.1x guest VLAN. |
|
Enables manual control of the authorization state of the port. |
|
show dot1x [ interface interface-id ] |
To configure the maximum allowable authentication attempts before a port is moved to the restricted VLAN, use the dot1x auth-fail max-attempts command in interface configuration mode. To return to the default setting, use the no form of this command.
dot1x auth-fail max-attempts max-attempts
no dot1x auth-fail max-attempts
Specifies a maximum number of authentication attempts allowed before a port is moved to the restricted VLAN. The range is 1 to 3, the default value is 3. |
|
|
---|---|
If you reconfigure the maximum number of authentication attempts allowed by the VLAN, the change takes effect after the reauthentication timer expires.
This example shows how to set 2 as the maximum number of authentication attempts allowed before the port is moved to the restricted VLAN on port 3:
You can verify your settings by entering the show dot1x [ interface interface-id ] privileged EXEC command.
|
|
---|---|
dot1x auth-fail vlan [ vlan id] |
|
dot1x max-reauth-req [ count] |
Sets the maximum number of times that the switch restarts the authentication process before a port changes to the unauthorized state. |
show dot1x [ interface interface-id ] |
To enable the restricted VLAN on a port, use the dot1x auth-fail vlan command in interface configuration mode. To return to the default setting, use the no form of this command.
|
|
---|---|
You can configure a restricted VLAN on ports configured as follows:
You should enable reauthentication. The ports in restricted VLANs do not receive reauthentication requests if it is disabled. To start the reauthentication process, the restricted VLAN must receive a link-down event or an Extensible Authentication Protocol (EAP) logoff event from the port. If a host is connected through a hub, the port might never receive a link-down event when that host is disconnected, and, as a result, might not detect any new hosts until the next reauthentication attempt occurs.
If the supplicant fails authentication, the port is moved to a restricted VLAN, and an EAP success message is sent to the supplicant. Because the supplicant is not notified of the actual authentication failure, there might be confusion about this restricted network access. An EAP success message is sent for these reasons:
A supplicant might cache an incorrect username and password combination after receiving an EAP success message from the authenticator and reuse that information in every reauthentication. Until the supplicant sends the correct username and password combination, the port remains in the restricted VLAN.
Internal VLANs used for Layer 3 ports cannot be configured as restricted VLANs.
You cannot configure a VLAN to be both a restricted VLAN and a voice VLAN. If you do this, a syslog message is generated.
When a restricted VLAN port is moved to an unauthorized state, the authentication process restarts. If the supplicant fails the authentication process again, the authenticator waits in the held state. After the supplicant has correctly reauthenticated, all IEEE 802.1x ports are reinitialized and treated as normal IEEE 802.1x ports.
When you reconfigure a restricted VLAN as a different VLAN, any ports in the restricted VLAN are also moved, and the ports stay in their currently authorized state.
When you shut down or remove a restricted VLAN from the VLAN database, any ports in the restricted VLAN are immediately moved to an unauthorized state, and the authentication process restarts. The authenticator does not wait in a held state because the restricted VLAN configuration still exists. While the restricted VLAN is inactive, all authentication attempts are counted so that when the restricted VLAN becomes active, the port is immediately placed in the restricted VLAN.
The restricted VLAN is supported only in single host mode (the default port mode). For this reason, when a port is placed in a restricted VLAN, the supplicant’s MAC address is added to the MAC address table, and any other MAC address that appears on the port is treated as a security violation.
This example shows how to configure a restricted VLAN on port 1:
You can verify your configuration by entering the show dot1x [ interface interface-id ] privileged EXEC command.
|
|
---|---|
dot1x auth-fail max-attempts [ max-attempts] |
Configures the number of authentication attempts allowed before assigning a supplicant to the restricted VLAN. |
show dot1x [ interface interface-id ] |
To enable the IEEE 802.1x authentication with the wake-on-LAN (WoL) feature and to configure the port control as unidirectional or bidirectional, use the dot1x control-direction command in interface configuration mode. Use the no form of this command to return to the default setting.
dot1x control-direction { both | in }
|
|
---|---|
Use the both keyword or the no form of this command to return to the default setting, bidirectional mode.
For more information about WoL, see the “Using IEEE 802.1x Authentication with Wake-on-LAN” section in the “Configuring IEEE 802.1x Port-Based Authentication” chapter in the software configuration guide.
This example shows how to enable unidirectional control:
This example shows how to enable bidirectional control:
You can verify your settings by entering the show dot1x all privileged EXEC command.
The show dot1x all privileged EXEC command output is the same for all switches except for the port names and the state of the port. If a host is attached to the port but is not yet authenticated, a display similar to this appears:
If you enter the dot1x control-direction in interface configuration command to enable unidirectional control, this appears in the show dot1x all command output:
If you enter the dot1x control-direction in interface configuration command and the port cannot support this mode due to a configuration conflict, this appears in the show dot1x all command output:
|
|
---|---|
show dot1x [ all | interface interface-id ] |
Displays control-direction port setting status for the specified interface. |
To configure a profile on a supplicant switch, use the dot1x credentials command in global configuration mode.
|
|
---|---|
You must have another switch set up as the authenticator for this switch to be the supplicant.
This example shows how to configure a switch as a supplicant:
You can verify your settings by entering the show running-config privileged EXEC command.
|
|
---|---|
To configure the parameters for the inaccessible authentication bypass feature, also referred to as critical authentication or the authentication, authorization, and accounting (AAA) fail policy, use the dot1x critical command in global configuration mode. To return to default settings, use the no form of this command.
dot1x critical { eapol | recovery delay milliseconds }
no dot1x critical { eapol | recovery delay }
The switch does not send an EAPOL-Success message to the host when the switch successfully authenticates the critical port by putting the critical port in the critical-authentication state.
|
|
---|---|
Use the eapol keyword to specify that the switch sends an EAPOL-Success message when the switch puts the critical port in the critical-authentication state.
Use the recovery delay milliseconds keyword to set the recovery delay period during which the switch waits to reinitialize a critical port when a RADIUS server that was unavailable becomes available. The default recovery delay period is 1000 milliseconds. A port can be reinitialized every second.
To enable inaccessible authentication bypass on a port, use the dot1x critical interface configuration command. To configure the access VLAN to which the switch assigns a critical port, use the dot1x critical vlan vlan-id interface configuration command.
This example shows how to set 200 as the recovery delay period on the switch:
You can verify your configuration by entering the show dot1x privileged EXEC command.
|
|
---|---|
Enables the inaccessible authentication bypass feature, and configures the access VLAN for the feature. |
|
To enable the inaccessible-authentication-bypass feature, also referred to as critical authentication or the authentication, authorization, and accounting (AAA) fail policy, use the dot1x critical command in interface configuration mode. You can also configure the access VLAN to which the switch assigns the critical port when the port is in the critical-authentication state. To disable the feature or return to default, use the no form of this command.
dot1x critical [ recovery action reinitialize | vlan vlan-id ]
no dot1x critical [ recovery | vlan ]
The inaccessible-authentication-bypass feature is disabled.
|
|
---|---|
To specify the access VLAN to which the switch assigns a critical port when the port is in the critical-authentication state, use the vlan vlan-id keywords. The specified type of VLAN must match the type of port, as follows:
If the client is running Windows XP and the critical port to which the client is connected is in the critical-authentication state, Windows XP might report that the interface is not authenticated.
If the Windows XP client is configured for DHCP and has an IP address from the DHCP server, receiving an EAP-Success message on a critical port might not reinitiate the DHCP configuration process.
You can configure the inaccessible authentication bypass feature and the restricted VLAN on an IEEE 802.1x port. If the switch tries to reauthenticate a critical port in a restricted VLAN and all the RADIUS servers are unavailable, the switch changes the port state to the critical authentication state, and it remains in the restricted VLAN.
You can configure the inaccessible bypass feature and port security on the same switch port.
This example shows how to enable the inaccessible authentication bypass feature on a port:
You can verify your configuration by entering the show dot1x [ interface interface-id ] privileged EXEC command.
|
|
---|---|
Configures the parameters for the inaccessible authentication bypass feature on the switch. |
|
show dot1x [ interface interface-id ] |
To reset the IEEE 802.1x parameters to their default values, use the dot1x default command in interface configuration mode.
|
|
---|---|
This example shows how to reset the IEEE 802.1x parameters on a port:
You can verify your settings by entering the show dot1x [ interface interface-id ] privileged EXEC command.
|
|
---|---|
show dot1x [ interface interface-id ] |
To configure a port to use web authentication as a fallback method for clients that do not support IEEE 802.1x authentication, use the dot1xfallback command in interface configuration mode. To return to the default setting, use the no form of this command.
A fallback profile for clients that do not support IEEE 802.1x authentication. |
|
|
---|---|
You must enter the dot1x port-control auto interface configuration command on a switch port before entering this command.
This example shows how to specify a fallback profile to a switch port that has been configured for IEEE 802.1x authentication:
You can verify your settings by entering the show dot1x [ interface interface-id ] privileged EXEC command.
|
|
---|---|
show dot1x [ interface interface-id ] |
To specify an active VLAN as an IEEE 802.1x guest VLAN, use the dot1x guest-vlan command in interface configuration mode. Use the no form of this command to return to the default setting.
An active VLAN that is an IEEE 802.1x guest VLAN. The range is 1 to 4094. |
|
|
---|---|
You can configure a guest VLAN on a static-access port that belongs to a nonprivate VLAN.
For each IEEE 802.1x port on the switch, you can configure a guest VLAN to provide limited services to clients (a device or workstation connected to the switch) not running IEEE 802.1x authentication. These users might be upgrading their systems for IEEE 802.1x authentication, and some hosts, such as Windows 98 systems, might not be IEEE 802.1x-capable.
When you enable a guest VLAN on an IEEE 802.1x port, the switch assigns clients to a guest VLAN when it does not receive a response to its Extensible Authentication Protocol over LAN (EAPOL) request/identity frame or when EAPOL packets are not sent by the client.
The switch maintains the EAPOL packet history. If another EAPOL packet is detected on the interface during the lifetime of the link, the guest VLAN feature is disabled. If the port is already in the guest VLAN state, the port returns to the unauthorized state, and authentication restarts. The EAPOL history is reset upon loss of link.
Any number of non-IEEE 802.1x-capable clients are allowed access when the switch port is moved to the guest VLAN. If an IEEE 802.1x-capable client joins the same port on which the guest VLAN is configured, the port is put into the unauthorized state in the RADIUS-configured or user-configured access VLAN, and authentication is restarted.
Guest VLANs are supported on IEEE 802.1x ports in single-host or multiple-hosts mode.
You can configure any active VLAN except an Remote Switched Port Analyzer (RSPAN) VLAN, or a voice VLAN as an IEEE 802.1x guest VLAN. The guest VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is supported only on access ports.
After you configure a guest VLAN for an IEEE 802.1x port to which a DHCP client is connected, you might need to get a host IP address from a DHCP server. You can change the settings for restarting the IEEE 802.1x authentication process on the switch before the DHCP process on the client times out and tries to get a host IP address from the DHCP server. Decrease the settings for the IEEE 802.1x authentication process (dot1x timeout quiet-period and dot1x timeout tx-period interface configuration commands). The amount to decrease the settings depends on the connected IEEE 802.1x client type.
The switch supports MAC authentication bypass. When it is enabled on an IEEE 802.1x port, the switch can authorize clients based on the client MAC address when IEEE 802.1x authentication times out while waiting for an EAPOL message exchange. After detecting a client on an IEEE 802.1x port, the switch waits for an Ethernet packet from the client. The switch sends the authentication server a RADIUS-access/request frame with a username and password based on the MAC address. If authorization succeeds, the switch grants the client access to the network. If authorization fails, the switch assigns the port to the guest VLAN if one is specified. For more information, see the “Using IEEE 802.1x Authentication with MAC Authentication Bypass” section in the “Configuring IEEE 802.1x Port-Based Authentication” chapter of the software configuration guide.
This example shows how to specify VLAN 5 as an IEEE 802.1x guest VLAN:
This example shows how to set 3 as the quiet time on the switch, to set 15 as the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request, and to enable VLAN 2 as an IEEE 802.1x guest VLAN when an IEEE 802.1x port is connected to a DHCP client:
This example shows how to enable the optional guest VLAN behavior and to specify VLAN 5 as an IEEE 802.1x guest VLAN:
You can verify your settings by entering the show dot1x [ interface interface-id ] privileged EXEC command.
|
|
---|---|
show dot1x [ interface interface-id ] |
To allow a single host (client) or multiple hosts on an IEEE 802.1x-authorized port, use the dot1x host-mode command in interface configuration mode. To enable multidomain authentication (MDA) on an IEEE 802.1x-authorized port, use the multi-domain keyword. Use the no form of this command to return to the default setting.
dot1x host-mode { multi-host | single-host | multi-domain }
no dot1x host-mode [ multi-host | single-host | multi-domain }
|
|
---|---|
Use this command to limit an IEEE 802.1x-enabled port to a single client or to attach multiple clients to an IEEE 802.1x-enabled port. In multiple-hosts mode, only one of the attached hosts needs to be successfully authorized for all hosts to be granted network access. If the port becomes unauthorized (reauthentication fails or an Extensible Authentication Protocol over LAN [EAPOL]-logoff message is received), all attached clients are denied access to the network.
Use the multi-domain keyword to enable MDA on a port. MDA divides the port into both a data domain and a voice domain. MDA allows both a data device and a voice device, such as an IP phone (Cisco or non-Cisco), on the same IEEE 802.1x-enabled port.
Before entering this command, make sure that the dot1x port-control interface configuration command is set to auto for the specified port.
This example shows how to enable IEEE 802.1x authentication globally, to enable IEEE 802.1x authentication on a port, and to enable multiple-hosts mode:
This example shows how to globally enable IEEE 802.1x authentication, to enable IEEE 802.1x authentication, and to enable MDA on the specified port:
You can verify your settings by entering the show dot1x [ interface interface-id ] privileged EXEC command.
|
|
---|---|
show dot1x [ interface interface-id ] |
To manually return the specified IEEE 802.1x-enabled port to an unauthorized state before initiating a new authentication session on the port, use the dot1x initialize command in privileged EXEC mode.
dot1x initialize [ interface interface-id ]
|
|
---|---|
Use this command to initialize the IEEE 802.1x state machines and to set up a fresh environment for authentication. After you enter this command, the port status becomes unauthorized.
This example shows how to manually initialize a port:
You can verify the unauthorized port status by entering the show dot1x [ interface interface-id ] privileged EXEC command.
|
|
---|---|
show dot1x [ interface interface-id ] |
To enable the MAC authentication bypass feature, use the dot1x mac-auth-bypass command in interface configuration mode. Use the no form of this command to disable MAC authentication bypass feature.
dot1x mac-auth-bypass [ eap | timeout inactivity value ]
|
|
---|---|
Unless otherwise stated, the MAC authentication bypass usage guidelines are the same as the IEEE 802.1x authentication guidelines.
If you disable MAC authentication bypass from a port after the port has been authenticated with its MAC address, the port state is not affected.
If the port is in the unauthorized state and the client MAC address is not the authentication-server database, the port remains in the unauthorized state. However, if the client MAC address is added to the database, the switch can use MAC authentication bypass to reauthorize the port.
If the port is in the authorized state, the port remains in this state until reauthorization occurs.
If an EAPOL packet is detected on the interface during the lifetime of the link, the switch determines that the device connected to that interface is an IEEE 802.1x-capable supplicant and uses IEEE 802.1x authentication (not MAC authentication bypass) to authorize the interface.
Clients that were authorized with MAC authentication bypass can be reauthenticated.
For more information about how MAC authentication bypass and IEEE 802.lx authentication interact, see the “Understanding IEEE 802.1x Authentication with MAC Authentication Bypass” section and the “IEEE 802.1x Authentication Configuration Guidelines” section in the “Configuring IEEE 802.1x Port-Based Authentication” chapter of the software configuration guide.
This example shows how to enable MAC authentication bypass and to configure the switch to use EAP for authentication:
This example shows how to enable MAC authentication bypass and to configure the timeout if the connected host is inactive for 30 seconds:
You can verify your settings by entering the show dot1x [ interface interface-id ] privileged EXEC command.
|
|
---|---|
show dot1x [ interface interface-id ] |
To set the maximum number of times that the switch restarts the authentication process before a port changes to the unauthorized state, use the dot1x max-reauth-req command in interface configuration mode. Use the no form of this command to return to the default setting.
Number of times that the switch restarts the authentication process before the port changes to the unauthorized state. The range is 0 to 10. |
|
|
---|---|
You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.
This example shows how to set 4 as the number of times that the switch restarts the authentication process before the port changes to the unauthorized state:
You can verify your settings by entering the show dot1x [ interface interface-id ] privileged EXEC command.
|
|
---|---|
Sets the maximum number of times that the switch forwards an EAP frame (assuming that no response is received) to the authentication server before restarting the authentication process. |
|
dot1x timeout tx-period |
Sets the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request. |
show dot1x [ interface interface-id ] |
To set the maximum number of times that the switch sends an Extensible Authentication Protocol (EAP) frame from the authentication server (assuming that no response is received) to the client before restarting the authentication process, use the dot1x max-req command in interface configuration mode. Use the no form of this command to return to the default setting.
Number of times that the switch resends an EAP frame from the authentication server before restarting the authentication process. The range is 1 to 10. |
|
|
---|---|
You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.
This example shows how to set 5 as the number of times that the switch sends an EAP frame from the authentication server to the client before restarting the authentication process:
You can verify your settings by entering the show dot1x [ interface interface-id ] privileged EXEC command.
|
|
---|---|
dot1x timeout tx-period |
Sets the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request. |
show dot1x [ interface interface-id ] |
To configure the port as an IEEE 802.1x port access entity (PAE) authenticator, use the dot1x pae command in interface configuration mode. Use the no form of this command to disable IEEE 802.1x authentication on the port.
The port is not an IEEE 802.1x PAE authenticator, and IEEE 802.1x authentication is disabled on the port.
|
|
---|---|
Use the no dot1x pae interface configuration command to disable IEEE 802.1x authentication on the port.
When you configure IEEE 802.1x authentication on a port, such as by entering the dot1x port-control interface configuration command, the switch automatically configures the port as an EEE 802.1x authenticator. After the no dot1x pae interface configuration command is entered, the Authenticator PAE operation is disabled.
This example shows how to disable IEEE 802.1x authentication on the port:
You can verify your settings by entering the show dot1x or show eap privileged EXEC command.
To enable manual control of the authorization state of the port, use the dot1x port-control command in interface configuration mode. Use the no form of this command to return to the default setting.
dot1x port-control { auto | force-authorized | force-unauthorized }
|
|
---|---|
You must globally enable IEEE 802.1x authentication on the switch by using the dot1x system-auth-control global configuration command before enabling IEEE 802.1x authentication on a specific port.
The IEEE 802.1x standard is supported on Layer 2 static-access ports, voice VLAN ports, and Layer 3 routed ports.
You can use the auto keyword only if the port is not configured as one of these:
To globally disable IEEE 802.1x authentication on the switch, use the no dot1x system-auth-control global configuration command. To disable IEEE 802.1x authentication on a specific port or to return to the default setting, use the no dot1x port-control interface configuration command.
This example shows how to enable IEEE 802.1x authentication on a port:
You can verify your settings by entering the show dot1x [ interface interface-id ] privileged EXEC command.
|
|
---|---|
show dot1x [ interface interface-id ] |
To manually initiate a reauthentication of the specified IEEE 802.1x-enabled port, use the dot1x re-authenticate command in privileged EXEC mode.
dot1x re-authenticate [ interface interface-id ]
(Optional) Module and port number of the interface to reauthenticate. |
|
|
---|---|
You can use this command to reauthenticate a client without waiting for the configured number of seconds between reauthentication attempts (reauthperiod) and automatic reauthentication.
This example shows how to manually reauthenticate the device connected to a port:
|
|
---|---|
dot1x timeout reauth-period |
Sets the number of seconds between reauthentication attempts. |
To enable periodic reauthentication of the client, use the dot1x reauthentication command in interface configuration mode. Use the no form of this command to return to the default setting.
|
|
---|---|
You configure the amount of time between periodic reauthentication attempts by using the dot1x timeout reauth-period interface configuration command.
This example shows how to disable periodic reauthentication of the client:
This example shows how to enable periodic reauthentication and to set the number of seconds between reauthentication attempts to 4000 seconds:
You can verify your settings by entering the show dot1x [ interface interface-id ] privileged EXEC command.
|
|
---|---|
Manually initiates a reauthentication of all IEEE 802.1x-enabled ports. |
|
dot1x timeout reauth-period |
Sets the number of seconds between reauthentication attempts. |
show dot1x [ interface interface-id ] |
To monitor IEEE 802.1x activity on all the switch ports and to display information about the devices that are connected to the ports that support IEEE 802.1x, use the dot1x test eapol-capable command in privileged EXEC mode.
dot1x test eapol-capable [ interface interface-id ]
|
|
---|---|
Use this command to test the IEEE 802.1x capability of the devices connected to all ports or to specific ports on a switch.
This example shows how to enable the IEEE 802.1x readiness check on a switch to query a port. It also shows the response received from the queried port verifying that the device connected to it is IEEE 802.1x-capable:
|
|
---|---|
dot1x test timeout timeout |
Configures the timeout used to wait for EAPOL response to an IEEE 802.1x readiness query. |
To configure the timeout used to wait for EAPOL response from a port being queried for IEEE 802.1x readiness, use the dot1x test timeout command in global configuration mode.
Time in seconds to wait for an EAPOL response. The range is from 1 to 65535 seconds. |
|
|
---|---|
Use this command to configure the timeout used to wait for EAPOL response.
This example shows how to configure the switch to wait 27 seconds for an EAPOL response:
You can verify the timeout configuration status by entering the show run privileged EXEC command.
|
|
---|---|
dot1x test eapol-capable [ interface interface-id ] |
Checks for IEEE 802.1x readiness on devices connected to all or to specified IEEE 802.1x-capable ports. |
To set IEEE 802.1x timers, use the dot1x timeout command in interface configuration mode. Use the no form of this command to return to the default setting.
dot1x timeout { quiet-period seconds | ratelimit-period seconds | reauth-period { seconds | server } | server-timeout seconds | supp-timeout seconds | tx-period seconds }
no dot1x timeout { quiet-period | reauth-period | server-timeout | supp-timeout | tx-period }
These are the default settings:
|
|
---|---|
You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.
The dot1x timeout reauth-period interface configuration command affects the behavior of the switch only if you have enabled periodic reauthentication by using the dot1x reauthentication interface configuration command.
During the quiet period, the switch does not accept or initiate any authentication requests. If you want to provide a faster response time to the user, enter a number smaller than the default.
When the ratelimit-period is set to 0 (the default), the switch does not ignore EAPOL packets from clients that have been successfully authenticated and forwards them to the RADIUS server.
This example shows how to enable periodic reauthentication and to set 4000 as the number of seconds between reauthentication attempts:
This example shows how to enable periodic reauthentication and to specify the value of the Session-Timeout RADIUS attribute as the number of seconds between reauthentication attempts:
This example shows how to set 30 seconds as the quiet time on the switch:
This example shows how to set 45 seconds as the switch-to-authentication server retransmission time:
This example shows how to set 45 seconds as the switch-to-client retransmission time for the EAP request frame:
This example shows how to set 60 as the number of seconds to wait for a response to an EAP-request/identity frame from the client before retransmitting the request:
This example shows how to set 30 as the number of seconds that the switch ignores EAPOL packets from successfully authenticated clients:
You can verify your settings by entering the show dot1x privileged EXEC command.
|
|
---|---|
Sets the maximum number of times that the switch sends an EAP-request/identity frame before restarting the authentication process. |
|
To configure the violation modes that occur when a new device connects to a port or when a new device connects to a port after the maximum number of devices are connected to that port, use the dot1x violation-mode command in interface configuration mode. Use the no form of this command to return to the default setting.
dot1x violation-mode {shutdown | restrict | protect}
Error-disables the port or the virtual port on which a new unexpected MAC address occurs. |
|
Silently discards packets from any new MAC addresses. This is the default setting. |
|
|
---|---|
This example shows how to configure an IEEE 802.1x-enabled port as error disabled and to shut down when a new device connects to the port:
This example shows how to configure an IEEE 802.1x-enabled port to generate a system error message and change the port to restricted mode when a new device connects to the port:
This example shows how to configure an IEEE 802.1x-enabled port to ignore a new connected device when it is connected to the port:
You can verify your settings by entering the show dot1x [ interface interface-id ] privileged EXEC command.
|
|
---|---|
show dot1x [ interface interface-id ] |
To specify the duplex mode of operation for a port, use the duplex command in interface configuration mode. Use the no form of this command to return the port to its default value.
The default is auto for Fast Ethernet and Gigabit Ethernet ports.
The default is full for 100BASE- x (where - x is -BX, -FX, -FX-FE, or - LX) SFP modules.
Duplex options are not supported on the 1000BASE- x (where - x is -BX, -CWDM, -LX, -SX, or -ZX) SFP modules.
For information about which SFP modules are supported on your switch, see the product release notes.
|
|
---|---|
For Fast Ethernet ports, setting the port to auto has the same effect as specifying half if the attached device does not autonegotiate the duplex parameter.
For Gigabit Ethernet ports, setting the port to auto has the same effect as specifying full if the attached device does not autonegotiate the duplex parameter.
Note Half-duplex mode is supported on Gigabit Ethernet interfaces if the duplex mode is auto and the connected device is operating at half duplex. However, you cannot configure these interfaces to operate in half-duplex mode.
Certain ports can be configured to be either full duplex or half duplex. Applicability of this command depends on the device to which the switch is attached.
If both ends of the line support autonegotiation, we highly recommend using the default autonegotiation settings. If one interface supports autonegotiation and the other end does not, configure duplex and speed on both interfaces; do use the auto setting on the supported side.
If the speed is set to auto, the switch negotiates with the device at the other end of the link for the speed setting and then forces the speed setting to the negotiated value. The duplex setting remains as configured on each end of the link, which could result in a duplex setting mismatch.
You can configure the duplex setting when the speed is set to auto.
For guidelines on setting the switch speed and duplex parameters, see the “Configuring Interface Characteristics” chapter in the software configuration guide for this release.
This example shows how to configure an interface for full-duplex operation:
You can verify your setting by entering the show interfaces privileged EXEC command.
|
|
---|---|
To enable error-disable detection for a specific cause or all causes, use the errdisable detect cause command in global configuration mode. To disable the error-disable detection feature, use the no form of this command.
errdisable detect cause { all | arp-inspection | bpduguard | dhcp-rate-limit | dtp-flap | gbic-invalid | inline-power | link-flap | loopback | pagp-flap | psp | security-violation shutdown vlan | sfp-config-mismatch }
no errdisable detect cause { all | arp-inspection | bpduguard | dhcp-rate-limit | dtp-flap | gbic-invalid | inline-power | link-flap | loopback | pagp-flap | psp | security-violation shutdown vlan | sfp-config-mismatch }
errdisable detect cause bpduguard shutdown vlan
no errdisable detect cause bpduguard shutdown vlan
Detection is enabled for all causes. All causes, except for per-VLAN error disabling, are configured to shut down the entire port.
|
|
---|---|
For the bridge protocol data unit (BPDU) guard and port security, you can use this command to configure the switch to disable only a specific VLAN on a port instead of disabling the entire port.
When the per-VLAN error-disable feature is turned off and a BPDU guard violation occurs, the entire port is disabled. Use the no form of this command to disable the per-VLAN error-disable feature.
A cause (link-flap, dhcp-rate-limit, and so forth) is the reason why the error-disabled state occurred. When a cause is detected on a port, the port is placed in an error-disabled state, an operational state that is similar to a link-down state.
When a port is error-disabled, it is effectively shut down, and no traffic is sent or received on the port. For the BPDU, voice aware 802.1x security, guard and port-security features, you can configure the switch to shut down just the offending VLAN on the port when a violation occurs, instead of shutting down the entire port.
If you set a recovery mechanism for the cause by entering the errdisable recovery global configuration command for the cause, the port is brought out of the error-disabled state and allowed to retry the operation when all causes have timed out. If you do not set a recovery mechanism, you must enter the shutdown and then the no shutdown commands to manually change the port from the error-disabled state.
For protocol storm protection, excess packets are dropped for a maximum of two virtual ports. Virtual port error disabling using the psp keyword is not supported for EtherChannel and Flexlink interfaces.
To verify your settings, enter the show errdisable detect privileged EXEC command.
This example shows how to enable error-disable detection for the link-flap error-disabled cause:
S
witch(config)# errdisable detect cause link-flap
This command shows how to globally configure BPDU guard for per-VLAN error disable:
S
witch(config)# errdisable detect cause bpduguard shutdown vlan
This command shows how to globally configure voice aware 802.1x security for per-VLAN error disable:
S
witch(config)# errdisable detect cause security-violation shutdown vlan
You can verify your settings by entering the show errdisable detect privileged EXEC command.
|
|
---|---|
show interfaces status err-disabled |
Displays interface status or a list of interfaces in the error-disabled state. |
Clears the error-disabled state from a port or VLAN that was error disabled by the per-VLAN error disable feature. |
To allow any switch port to be error disabled if incoming VLAN-tagged packets are small frames (67 bytes or less) and arrive at the minimum configured rate (the threshold), use the errdisable detect cause small-frame command in global configuration mode. Use the no form of this command to return to the default setting.
errdisable detect cause small-frame
no errdisable detect cause small-frame
|
|
---|---|
This command globally enables the small-frame arrival feature. Use the small violation-rate interface configuration command to set the threshold for each port.
You can configure the port to be automatically reenabled by using the errdisable recovery cause small-frame global configuration command. You configure the recovery time by using the errdisable recovery interval interval global configuration command.
This example shows how to enable the switch ports to be put into the error-disabled mode if incoming small frames arrive at the configured threshold:
You can verify your setting by entering the show interfaces privileged EXEC command.
To enable the recovery timer for ports to be automatically reenabled after they are error-disabled by the arrival of small frames on a switch, use the errdisable recovery cause small-frame command in global configuration mode. Use the no form of this command to return to the default setting.
errdisable recovery cause small-frame
no errdisable recovery cause small-frame
|
|
---|---|
This command enables the recovery timer for error-disabled ports. You configure the recovery time by using the errdisable recovery interval interval interface configuration command.
This example shows how to set the recovery timer:
You can verify your setting by entering the show interfaces user EXEC command.
To configure the recover mechanism variables, use the errdisable recovery command in global configuration mode. Use the no form of this command to return to the default setting.
errdisable recovery { cause { all | arp-inspection | bpduguard | channel-misconfig | dhcp-rate-limit | dtp-flap | gbic-invalid | inline-power | link-flap | loopback | pagp-flap | psecure-violation | psp | security-violation | sfp-config-mismatch | udld | vmps } | { interval interval }
no errdisable recovery { cause { all | arp-inspection | bpduguard | channel-misconfig | dhcp-rate-limit | dtp-flap | gbic-invalid | inline-power | link-flap | loopback | pagp-flap | psecure-violation | psp | security-violation | sfp-config-mismatch | udld | vmps } | { interval interval }
|
|
---|---|
A cause (link-flap, bpduguard , and so forth) is defined as the reason that the error-disabled state occurred. When a cause is detected on a port, the port is placed in the error-disabled state, an operational state similar to the link-down state.
When a port is error-disabled, it is effectively shut down, and no traffic is sent or received on the port. For the BPDU guard and port-security features, you can configure the switch to shut down just the offending VLAN on the port when a violation occurs, instead of shutting down the entire port.
If you do not enable the recovery for the cause, the port stays in the error-disabled state until you enter the shutdown and the no shutdown interface configuration commands. If you enable the recovery for a cause, the port is brought out of the error-disabled state and allowed to retry the operation again when all the causes have timed out.
Otherwise, you must enter the shutdown and then the no shutdown commands to manually recover a port from the error-disabled state.
This example shows how to enable the recovery timer for the BPDU guard error-disabled cause:
S
witch(config)# errdisable recovery cause bpduguard
This example shows how to set the timer to 500 seconds:
You can verify your settings by entering the show errdisable recovery privileged EXEC command.
|
|
---|---|
Clears the error-disabled state from a port or VLAN that was error disabled by the per-VLAN error disable feature. |
|
show interfaces status err-disabled |
Displays interface status or a list of interfaces in error-disabled state. |
To configure the switch to create the extended crashinfo file when the Cisco IOS image fails, use the exception crashinfo command in global configuration mode. Use the no form of this command to disable this feature.
|
|
---|---|
The basic crashinfo file includes the Cisco IOS image name and version that failed and a list of the processor registers. The extended crashinfo file includes additional information that can help determine the cause of the switch failure.
Use the no exception crashinfo global configuration command to configure the switch to not create the extended crashinfo file.
This example shows how to configure the switch to not create the extended crashinfo file:
You can verify your settings by entering the show running-config privileged EXEC command.
|
|
---|---|
Displays the operating configuration, including defined macros. For syntax information, see the Cisco IOS Software Command Reference, Release 15.0. |
To creates a fallback profile for web authentication, use the fallback profile command in global configuration mode. To return to the default setting, use the no form of this command.
Specifies the fallback profile for clients that do not support IEEE 802.1x authentication. |
|
|
---|---|
The fallback profile is used to define the IEEE 802.1x fallback behavior for IEEE 802.1x ports that do not have supplicants. The only supported behavior is to fall back to web authentication.
After entering the fallback profile command, you enter profile configuration mode, and these configuration commands are available:
This example shows how to create a fallback profile to be used with web authentication:
You can verify your settings by entering the show running-configuration [ interface interface-id ] privileged EXEC command.
|
|
---|---|
Configures a port to use web authentication as a fallback method for clients that do not support IEEE 802.1x authentication. |
|
show dot1x [ interface interface-id ] |
|
To set the frame check sequence (FCS) bit-error rate, use the fcs-threshold command in interface configuration mode. Use the no form of the command to return to the default setting.
Value ranges from 6 to 11, representing a bit-error rate from 10-6 to 10-11. |
The default rate is 8, which is the bit error rate for Ethernet standard 10-8.
|
|
---|---|
The Ethernet standard calls for a maximum bit error rate of 10-8. In the switch, the bit error rate configurable range is from 10-6 to 10-11. The bit error rate input to the switch is a positive integer. To configure an bit error rate of 10-9, enter the value 9 for the exponent.
You can set an FCS error hysteresis threshold on the switch to prevent the toggle of the alarm when the actual bit error rate fluctuates near the configured bit error rate by using the alarm facility fcs hysteresis global configuration command.
This example shows how to set the FCS bit error rate for a port to 10-10:
Some protocols do not work transparently across Layer 2 NAT. These protocols need to be “fixed up” by using Application Layer Gateways (ALG). Fixups for ARP and ICMP are enabled by default. To modify these settings for an Layer 2 NAT instance, use the fixup command in config-l2nat mode.
Enter the no form of this command to disable fixups of the specified protocol.
|
|
---|---|
This example shows how to enable ARP on an Layer 2 NAT instance.
To set the receive flow-control state for an interface, use the flowcontrol command in interface configuration mode.
flowcontrol receive { desired | off | on }
|
|
---|---|
When flow control send is operable and on for a device and it detects any congestion at its end, it notifies the link partner or the remote device of the congestion by sending a pause frame. When flow control receive is on for a device and it receives a pause frame, it stops sending any data packets. This prevents any loss of data packets during the congestion period.
Note The switch can receive, but not send, pause frames.
The switch does not support sending flow-control pause frames.
Note that the on and desired keywords have the same result.
When you use the flowcontrol command to set a port to control traffic rates during congestion, you are setting flow control on a port to one of these conditions:
Table 1-6 shows the flow control results on local and remote ports for a combination of settings. The table assumes that receive desired has the same results as using the receive on keywords.
|
|
||
---|---|---|---|
|
|
|
|
This example shows how to configure the local port to not support flow control by the remote port:
You can verify your settings by entering the show interfaces privileged EXEC command.
|
|
---|---|
Displays the interface settings on the switch, including input and output flow control. |
To translate inside addresses to outside addresses, enter the inside from command in config-l2nat mode. Use the no form of this command to remove a translation.
inside from { host | range | network } original ip to translated ip [ mask ] number | mask
no inside from { host | range | network} original ip to translated ip [ mask ] number | mask
|
|
---|---|
– Ranges must not overlap one another.
– Ranges must not overlap with a /24 network configuration.
– The original and translated IP addresses must match one-to-one (x.x.x.1 to y.y.y.1, x.x.x.2 to x.x.x.2, and so on). If your original addresses and translated addresses do not correspond in this manner, use the host command to configure each address individually.
This example shows how to configure an instance named Instance1, to translate the inside address 192.168.0.100 to the external address 10.1.0.100.
Switch(config-l2nat)#
inside from host 192.168.0.100 to 10.1.0.100
This example shows how to configure an instance named Instance1, to translate a range of five internal addresses to corresponding external addresses. 192.168.142.1 is translated to 10.10.10.1, 192.168.142.2 to 10.10.10.2, and so on.
This example shows how to configure an instance named Instance1, to translate all addresses in a internal subnet to corresponding addresses in an external subnet.
Switch(config-l2nat)#
inside from network 192.168.142.0 to 20.20.30.0 mask 255.255.255.0
To access or create the port-channel logical interface, use the interface port-channel command in global configuration mode. Use the no form of this command to remove the port-channel.
interface port-channel port - channel-number
no interface port-channel port - channel-number
|
|
---|---|
For Layer 2 EtherChannels, you do not have to create a port-channel interface first before assigning a physical port to a channel group. Instead, you can use the channel-group interface configuration command. It automatically creates the port-channel interface when the channel group gets its first physical port. If you create the port-channel interface first, the channel-group-number can be the same as the port - channel-number, or you can use a new number. If you use a new number, the channel-group command dynamically creates a new port channel.
You create Layer 3 port channels by using the interface port-channel command followed by the no switchport interface configuration command. You should manually configure the port-channel logical interface before putting the interface into the channel group.
Only one port channel in a channel group is allowed.
Follow these guidelines when you use the interface port-channel command:
For a complete list of configuration guidelines, see the “Configuring EtherChannels” chapter in the software configuration guide for this release.
This example shows how to create a port-channel interface with a port channel number of 5:
You can verify your setting by entering the show running-config privileged EXEC or show etherchannel channel-group-number detail privileged EXEC command.
|
|
---|---|
Displays the current operating configuration. For syntax information, see the Cisco IOS Software Command Reference, Release 15.0. |
To enter a range of interfaces and to execute a command on multiple ports at the same time, use the interface range command in global configuration mode. Use the no form of this command to remove an interface range.
interface range { type | id } { port-range | macro name }
no interface range { port-range | macro name }
Port range. For a list of valid values for port-range, see the “Usage Guidelines” section. |
|
|
|
---|---|
When you enter interface range configuration mode, all interface parameters you enter are attributed to all interfaces within the range.
For VLANs, you can use the interface range command only on existing VLAN switch virtual interfaces (SVIs). To display VLAN SVIs, enter the show running-config privileged EXEC command. VLANs not displayed cannot be used in the interface range command. The commands entered under interface range command are applied to all existing VLAN SVIs in the range.
All configuration changes made to an interface range are saved to NVRAM, but the interface range itself is not saved to NVRAM.
You can enter the interface range in two ways:
All interfaces in a range must be the same type; that is, all Fast Ethernet ports, all Gigabit Ethernet ports, all EtherChannel ports, or all VLANs. However, you can define up to five interface ranges with a single command, with each range separated by a comma.
Valid values for port-range type and interface :
– the range is type number/number - number (for example, gigabitethernet1/1 - 2)
Note When you use the interface range command with port channels, the first and last port channel number in the range must be active port channels.
When you define a range, you must enter a space between the first entry and the hyphen (-):
When you define multiple ranges, you must still enter a space after the first entry and before the comma (,):
You cannot specify both a macro and an interface range in the same command.
You can also specify a single interface in port-range. The command is then similar to the interface interface-id global configuration command.
For more information about configuring interface ranges, see the software configuration guide for this release.
This example shows how to use the interface range command to enter interface-range configuration mode to apply commands to two ports:
This example shows how to use a port-range macro macro1 for the same function. The advantage is that you can reuse macro1 until you delete it.
|
|
---|---|
Displays the configuration information currently running on the switch. For syntax information, see the Cisco IOS Software Command Reference, Release 15.0. |
To control access to a Layer 2 or Layer 3interface, use the ip access-group command in interface configuration mode. Use the no form of this command to remove all access groups or the specified access group from the interface.
ip access-group { access-list-number | name } { in | out }
no ip access-group [ access-list-number | name ] { in | out }
|
|
---|---|
You can apply named or numbered standard or extended IP access lists to an interface. To define an access list by name, use the ip access-list global configuration command. To define a numbered access list, use the access list global configuration command. You can used numbered standard access lists ranging from 1 to 99 and 1300 to 1999 or extended access lists ranging from 100 to 199 and 2000 to 2699.
You can use this command to apply an access list to a Layer 2 or Layer 3 interface. However, note these limitations for Layer 2 interfaces (port ACLs):
Note You can use router ACLs, input port ACLs, and VLAN maps on the same switch. However, a port ACL takes precedence over a router ACL or VLAN map. Router ACLs are supported only on switches running the IP services image.
You can apply IP ACLs to both outbound or inbound Layer 3 interfaces.
A Layer 3 interface can have one IP ACL applied in each direction.
You can configure only one VLAN map and one router ACL in each direction (input/output) on a VLAN interface. For standard inbound access lists, after the switch receives a packet, it checks the source address of the packet against the access list. IP extended access lists can optionally check other fields in the packet, such as the destination IP address, protocol type, or port numbers. If the access list permits the packet, the switch continues to process the packet. If the access list denies the packet, the switch discards the packet. If the access list has been applied to a Layer 3 interface, discarding a packet (by default) causes the generation of an Internet Control Message Protocol (ICMP) Host Unreachable message. ICMP Host Unreachable messages are not generated for packets discarded on a Layer 2 interface.
For standard outbound access lists, after receiving a packet and sending it to a controlled interface, the switch checks the packet against the access list. If the access list permits the packet, the switch sends the packet. If the access list denies the packet, the switch discards the packet and, by default, generates an ICMP Host Unreachable message. If the specified access list does not exist, all packets are passed.
This example shows how to apply IP access list 101 to inbound packets on a port:
To set an IP address for the Layer 2 switch or an IP address for each switch virtual interface (SVI) or routed port on the Layer 3 switch, use the ip address command in interface configuration mode. Use the no form of this command to remove an IP address or to disable IP processing.
ip address ip-address subnet-mask [ secondary ]
no ip address [ ip-address subnet-mask ] [ secondary ]
(Optional) Specifies that the configured address is a secondary IP address. If this keyword is omitted, the configured address is the primary IP address. |
|
|
---|---|
If you remove the switch IP address through a Telnet session, your connection to the switch will be lost.
Hosts can find subnet masks using the Internet Control Message Protocol (ICMP) Mask Request message. Routers respond to this request with an ICMP Mask Reply message.
You can disable IP processing on a particular interface by removing its IP address with the no ip address command. If the switch detects another host using one of its IP addresses, it will send an error message to the console.
You can use the optional keyword secondary to specify an unlimited number of secondary addresses. Secondary addresses are treated like primary addresses, except the system never generates datagrams other than routing updates with secondary source addresses. IP broadcasts and ARP requests are handled properly, as are interface routes in the IP routing table.
Note If any router on a network segment uses a secondary address, all other devices on that same segment must also use a secondary address from the same network or subnet. Inconsistent use of secondary addresses on a network segment can very quickly cause routing loops.
When you are routing Open Shortest Path First (OSPF), ensure that all secondary addresses of an interface are located in the same OSPF area as the primary addresses.
A Layer 3 switch can have an IP address assigned to each routed port and SVI. The number of routed ports and SVIs that you can configure is not limited by software. The interrelationship between this number and the number of other features being configured might have an impact on CPU utilization due to hardware limitations. You can use the sdm prefer global configuration command to reallocate system hardware resources based on templates and feature tables. For more information, see the sdm prefer command.
This example shows how to configure the IP address for the Layer 2 switch on a subnetted network:
This example shows how to configure the IP address for a port on the Layer 3 switch:
You can verify your settings by entering the show running-config privileged EXEC command.
|
|
---|---|
Displays the running configuration on the switch. For syntax information, see the Cisco IOS Software Command Reference, Release 15.0. |
To enable web authentication, use the ip admission command in interface configuration mode. You can also use this command in fallback-profile mode. Use the no form of this command to disable web authentication.
|
|
---|---|
The ip admission command applies a web authentication rule to a switch port.
This example shows how to apply a web authentication rule to a switch port:
This example shows how to apply a web authentication rule to a fallback profile for use on an IEEE 802.1x enabled switch port:
To enable web authentication, use the ip admission name proxy http command in global configuration mode. Use the no form of this command to disable web authentication.
no ip admission name proxy htt p
|
|
---|---|
The ip admission name proxy http command globally enables web authentication on a switch.
After you enable web authentication on a switch, use the ip access-group in and ip admission web-rule interface configuration commands to enable web authentication on a specific interface.
This example shows how to configure only web authentication on a switch port:
This example shows how to configure IEEE 802.1x authentication with web authentication as a fallback mechanism on a switch port:
To permit or deny Address Resolution Protocol (ARP) requests and responses from a host configured with a static IP address when dynamic ARP inspection is enabled, use the ip arp inspection filter vlan command in global configuration mode. Use the no form of this command to return to the default settings.
ip arp inspection filter arp-acl-name vlan vlan-range [ static ]
no ip arp inspection filter arp-acl-name vlan vlan-range [ static ]
|
|
---|---|
When an ARP ACL is applied to a VLAN for dynamic ARP inspection, only the ARP packets with IP-to-MAC 15.0(1)EY address bindings are compared against the ACL. If the ACL permits a packet, the switch forwards it. All other packet types are bridged in the ingress VLAN without validation.
If the switch denies a packet because of an explicit deny statement in the ACL, the packet is dropped. If the switch denies a packet because of an implicit deny statement, the packet is then compared against the list of DHCP bindings (unless the ACL is static, which means that packets are not compared against the bindings).
Use the arp access-list acl-name global configuration command to define the ARP ACL or to add clauses to the end of a predefined list.
This example shows how to apply the ARP ACL static-hosts to VLAN 1 for dynamic ARP inspection:
You can verify your settings by entering the show ip arp inspection vlan 1 privileged EXEC command.
|
|
---|---|
Denies an ARP packet based on matches against the DHCP bindings. |
|
Permits an ARP packet based on matches against the DHCP bindings. |
|
show inventory vlan vlan-range |
Displays the configuration and the operating state of dynamic ARP inspection for the specified VLAN. |
To limit the rate of incoming Address Resolution Protocol (ARP) requests and responses on an interface, use the ip arp inspection limit command in interface configuration mode. It prevents dynamic ARP inspection from using all of the switch resources if a denial-of-service attack occurs. Use the no form of this command to return to the default settings.
ip arp inspection limit { rate pps [ burst interval seconds ] | none }
The rate is 15 pps on untrusted interfaces, assuming that the network is a switched network with a host connecting to as many as 15 new hosts per second.
|
|
---|---|
The rate applies to both trusted and untrusted interfaces. Configure appropriate rates on trunks to process packets across multiple dynamic ARP inspection-enabled VLANs, or use the none keyword to make the rate unlimited.
After a switch receives more than the configured rate of packets every second consecutively over a number of burst seconds, the interface is placed into an error-disabled state.
Unless you explicitly configure a rate limit on an interface, changing the trust state of the interface also changes its rate limit to the default value for that trust state. After you configure the rate limit, the interface retains the rate limit even when its trust state is changed. If you enter the no ip arp inspection limit interface configuration command, the interface reverts to its default rate limit.
You should configure trunk ports with higher rates to reflect their aggregation. When the rate of incoming packets exceeds the user-configured rate, the switch places the interface into an error-disabled state. The error-disabled recovery feature automatically removes the port from the error-disabled state according to the recovery setting.
The rate of incoming ARP packets on EtherChannel ports equals the sum of the incoming rate of ARP packets from all the channel members. Configure the rate limit for EtherChannel ports only after examining the rate of incoming ARP packets on all the channel members.
This example shows how to limit the rate of incoming ARP requests on a port to 25 pps and to set the interface monitoring interval to 5 consecutive seconds:
You can verify your settings by entering the show ip arp inspection interfaces interface-id privileged EXEC command.
|
|
---|---|
show inventory interfaces |
Displays the trust state and the rate limit of ARP packets for the specified interface or all interfaces. |
To configure the dynamic Address Resolution Protocol (ARP) inspection logging buffer, use the ip arp inspection log-buffer command in global configuration mode. Use the no form of this command to return to the default settings.
ip arp inspection log-buffer { entries number | logs number interval seconds }
no ip arp inspection log-buffer { entries | logs }
When dynamic ARP inspection is enabled, denied, or dropped, ARP packets are logged.
The number of log entries is 32.
|
|
---|---|
A value of 0 is not allowed for both the logs and the interval keywords.
The logs and interval settings interact. If the logs number X is greater than interval seconds Y, X divided by Y (X/Y) system messages are sent every second. Otherwise, one system message is sent every Y divided by X (Y/X) seconds. For example, if the logs number is 20 and the interval seconds is 4, the switch generates system messages for five entries every second while there are entries in the log buffer.
A log buffer entry can represent more than one packet. For example, if an interface receives many packets on the same VLAN with the same ARP parameters, the switch combines the packets as one entry in the log buffer and generates a system message as a single entry.
If the log buffer overflows, it means that a log event does not fit into the log buffer, and the output display for the show ip arp inspection log privileged EXEC command is affected. A -- in the output display appears in place of all data except the packet count and the time. No other statistics are provided for the entry. If you see this entry in the display, increase the number of entries in the log buffer, or increase the logging rate.
This example shows how to configure the logging buffer to hold up to 45 entries:
This example shows how to configure the logging rate to 20 log entries per 4 seconds. With this configuration, the switch generates system messages for five entries every second while there are entries in the log buffer.
You can verify your settings by entering the show ip arp inspection log privileged EXEC command.
|
|
---|---|
show inventory log |
Displays the configuration and contents of the dynamic ARP inspection log buffer. |
To configure an interface trust state that determines which incoming Address Resolution Protocol (ARP) packets are inspected, use the ip arp inspection trust command in interface configuration mode. Use the no form of this command to return to the default setting.
|
|
---|---|
The switch does not check ARP packets that it receives on the trusted interface; it simply forwards the packets.
For untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination. The switch drops invalid packets and logs them in the log buffer according to the logging configuration specified with the ip arp inspection vlan logging global configuration command.
This example shows how to configure a port to be trusted:
You can verify your setting by entering the show ip arp inspection interfaces interface-id privileged EXEC command.
|
|
---|---|
show inventory interfaces |
Displays the trust state and the rate limit of ARP packets for the specified interface or all interfaces. |
show inventory log |
Displays the configuration and contents of the dynamic ARP inspection log buffer. |
To perform specific checks for dynamic Address Resolution Protocol (ARP) inspection, use the ip arp inspection validate command in global configuration mode. Use the no form of this command to return to the default settings.
ip arp inspection validate {[ src-mac ] [ dst-mac ] [ ip [ allow zeros ]]}
no ip arp inspection validate [ src-mac ] [ dst-mac ] [ ip [ allow zeros ]]
|
|
---|---|
You must specify at least one of the keywords. Each command overrides the configuration of the previous command; that is, if a command enables src-mac and dst-mac validations, and a second command enables IP validation only, the src-mac and dst-mac validations are disabled as a result of the second command.
The allow-zeros keyword interacts with ARP access control lists (ACLs) in this way:
The no form of the command disables only the specified checks. If none of the options are enabled, all checks are disabled.
This example shows how to enable source MAC validation:
You can verify your setting by entering the show ip arp inspection vlan vlan-range privileged EXEC command.
|
|
---|---|
show inventory vlan vlan-range |
Displays the configuration and the operating state of dynamic ARP inspection for the specified VLAN. |
To enable dynamic Address Resolution Protocol (ARP) inspection on a per-VLAN basis, use the ip arp inspection vlan command in global configuration mode. Use the no form of this command to return to the default setting.
ip arp inspection vlan vlan-range
no ip arp inspection vlan vlan-range
You can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094. |
|
|
---|---|
You must specify the VLANs on which to enable dynamic ARP inspection.
Dynamic ARP inspection is supported on access ports, trunk ports, or EtherChannel ports.
This example shows how to enable dynamic ARP inspection on VLAN 1:
You can verify your setting by entering the show ip arp inspection vlan vlan-range privileged EXEC command.
|
|
---|---|
show inventory vlan vlan-range |
Displays the configuration and the operating state of dynamic ARP inspection for the specified VLAN. |
To control the type of packets that are logged per VLAN, use the ip arp inspection vlan logging command in global configuration mode. Use the no form of this command to disable this logging control.
ip arp inspection vlan vlan-range logging { acl-match { matchlog | none } | dhcp-bindings { all | none | permit } | arp-probe }
no ip arp inspection vlan vlan-range logging { acl-match | dhcp-bindings | arp-probe }
All denied or all dropped packets are logged. ARP probe packets are not logged.
|
|
---|---|
The term logged means that the entry is placed into the log buffer and that a system message is generated.
The acl-match and dhcp-bindings keywords merge with each other; that is, when you configure an ACL match, the DHCP bindings configuration is not disabled. Use the no form of the command to reset the logging criteria to their defaults. If neither option is specified, all types of logging are reset to log when ARP packets are denied. These are the options:
If neither the acl-match or the dhcp-bindings keywords are specified, all denied packets are logged.
The implicit deny at the end of an ACL does not include the log keyword. This means that when you use the static keyword in the ip arp inspection filter vlan global configuration command, the ACL overrides the DHCP bindings. Some denied packets might not be logged unless you explicitly specify the deny ip any mac any log ACE at the end of the ARP ACL.
This example shows how to configure ARP inspection on VLAN 1 to log packets that match the permit commands in the ACL:
You can verify your settings by entering the show ip arp inspection vlan vlan-range privileged EXEC command.
|
|
---|---|
show inventory log |
Displays the configuration and contents of the dynamic ARP inspection log buffer. |
show inventory vlan vlan-range |
Displays the configuration and the operating state of dynamic ARP inspection for the specified VLAN. |
To globally enable DHCP snooping, use the ip dhcp snooping command in global configuration mode. Use the no form of this command to return to the default setting.
|
|
---|---|
For any DHCP snooping configuration to take effect, you must globally enable DHCP snooping.
DHCP snooping is not active until you enable snooping on a VLAN by using the ip dhcp snooping vlan vlan-id global configuration command.
This example shows how to enable DHCP snooping:
You can verify your settings by entering the show ip dhcp snooping user EXEC command.
|
|
---|---|
To configure the DHCP snooping binding database and to add binding entries to the database, use the ip dhcp snooping binding command in privileged EXEC mode. Use the no form of this command to delete entries from the binding database.
ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface-id expiry seconds
no ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface-id
Specifies an interface on which to add or delete a binding entry. |
|
Specifies the interval (in seconds) after which the binding entry is no longer valid. The range is 1 to 4294967295. |
|
|
---|---|
Use this command when you are testing or debugging the switch.
In the DHCP snooping binding database, each database entry, also referred to a binding, has an IP address, an associated MAC address, the lease time (in hexadecimal format), the interface to which the binding applies, and the VLAN to which the interface belongs. The database can have up to 8192 bindings.
Use the show ip dhcp snooping binding privileged EXEC command to display only the configured bindings. Use the show ip source binding privileged EXEC command to display the dynamically and statically configured bindings.
This example shows how to generate a DHCP binding configuration with an expiration time of 1000 seconds on a port in VLAN 1:
To configure the DHCP snooping binding database agent, use the ip dhcp snooping database command in global configuration mode. Use the no form of this command to disable the agent, to reset the timeout value, or to reset the write-delay value.
ip dhcp snooping database {{ flash:/ filename | ftp:// user:password @host/filename | http: // [[ username:password ] @ ]{ hostname | host-ip }[ /directory ] /image-name.tar | rcp:// user @host/filename | tftp:// host/filename } | timeout seconds | write-delay seconds }
no ip dhcp snooping database [ timeout | write-delay ]
The URL for the database agent or binding file is not defined.
|
|
---|---|
The DHCP snooping binding database can have up to 8192 bindings.
To ensure that the lease time in the database is accurate, we recommend that Network Time Protocol (NTP) is enabled and configured for these features:
If NTP is configured, the switch writes binding changes to the binding file only when the switch system clock is synchronized with NTP.
Because both NVRAM and the flash memory have limited storage capacities, we recommend that you store a binding file on a TFTP server. You must create an empty file at the configured URL on network-based URLs (such as TFTP and FTP) before the switch can first write bindings to the binding file at that URL.
Use the ip dhcp snooping database flash:/ filename comman d to save the DHCP snooping binding database in the NVRAM. If you set the ip dhcp snooping database timeout command to 0 seconds and the database is being written to a TFTP file, if the TFTP server goes down, the database agent continues to try the transfer indefinitely. No other transfer can be initiated while this one is in progress. This might be inconsequential because if the server is down, no file can be written to it.
Use the no ip dhcp snooping database command to disable the agent.
Use the no ip dhcp snooping database timeout command to reset the timeout value.
Use the no ip dhcp snooping database write-delay command to reset the write-delay value.
This example shows how to store a binding file at an IP address of 10.1.1.1 that is in a directory called directory. A file named file must be present on the TFTP server.
This example shows how to store a binding file called file01. txt in the NVRAM:
You can verify your settings by entering the show ip dhcp snooping database privileged EXEC command.
|
|
---|---|
To enable DHCP option-82 data insertion, use the ip dhcp snooping information option command in global configuration mode. Use the no form of this command to disable DHCP option-82 data insertion.
ip dhcp snooping information option
no ip dhcp snooping information option
|
|
---|---|
You must globally enable DHCP snooping by using the ip dhcp snooping global configuration command for any DHCP snooping configuration to take effect.
When the option-82 feature is enabled and a switch receives a DHCP request from a host, it adds the option-82 information in the packet. The option-82 information contains the switch MAC address (the remote ID suboption) and the port identifier, vlan-mod-port, from which the packet is received (circuit ID suboption). The switch forwards the DHCP request that includes the option-82 field to the DHCP server.
When the DHCP server receives the packet, it can use the remote ID, the circuit ID, or both to assign IP addresses and implement policies, such as restricting the number of IP addresses that can be assigned to a single remote ID or a circuit ID. Then the DHCP server echoes the option-82 field in the DHCP reply.
The DHCP server unicasts the reply to the switch if the request was relayed to the server by the switch. When the client and server are on the same subnet, the server broadcasts the reply. The switch inspects the remote ID and possibly the circuit ID fields to verify that it originally inserted the option-82 data. The switch removes the option-82 field and forwards the packet to the switch port that connects to the DHCP host that sent the DHCP request.
This example shows how to enable DHCP option-82 data insertion:
You can verify your settings by entering the show ip dhcp snooping user EXEC command.
|
|
---|---|
To accept DHCP packets with option-82 information, on an aggregation switch, that is received on untrusted ports that might be connected to an edge switch, use the ip dhcp snooping information option allow-untrusted command in global configuration mode. Use the no form of this command to return to the default setting.
ip dhcp snooping information option allow-untrusted
no ip dhcp snooping information option allow-untrusted
The switch drops DHCP packets with option-82 information that are received on untrusted ports that might be connected to an edge switch.
|
|
---|---|
You might want an edge switch to which a host is connected to insert DHCP option-82 information at the edge of your network. You might also want to enable DHCP security features, such as DHCP snooping, IP source guard, or dynamic Address Resolution Protocol (ARP) inspection, on an aggregation switch. However, if DHCP snooping is enabled on the aggregation switch, the switch drops packets with option-82 information that are received on an untrusted port and does not learn DHCP snooping bindings for connected devices on a trusted interface.
If the edge switch to which a host is connected inserts option-82 information and you want to use DHCP snooping on an aggregation switch, enter the ip dhcp snooping information option allow-untrusted command on the aggregation switch. The aggregation switch can learn the bindings for a host even though the aggregation switch receives DHCP snooping packets on an untrusted port. You can also enable DHCP security features on the aggregation switch. The port on the edge switch to which the aggregation switch is connected must be configured as a trusted port.
Note Do not enter the ip dhcp snooping information option allow-untrusted command on an aggregation switch to which an untrusted device is connected. If you enter this command, an untrusted device might spoof the option-82 information.
This example shows how to configure an access switch to not check the option-82 information in untrusted packets from an edge switch and to accept the packets:
You can verify your settings by entering the show ip dhcp snooping user EXEC command.
|
|
---|---|
To configure the option-82 remote-ID suboption, use the ip dhcp snooping information option format remote-id command in global configuration mode. Use the no form of this command to configure the default remote-ID suboption.
ip dhcp snooping information option format remote-id [string ASCII-string | hostname]
no ip dhcp snooping information option format remote-id
Specifies a remote ID, using from 1 to 63 ASCII characters (no spaces). |
|
|
|
---|---|
You must globally enable DHCP snooping by using the ip dhcp snooping global configuration command for any DHCP snooping configuration to take effect.
When the option-82 feature is enabled, the default remote-ID suboption is the switch MAC address. This command allows you to configure either the switch hostname or a string of up to 63 ASCII characters (but no spaces) to be the remote ID.
Note If the hostname exceeds 63 characters, it will be truncated to 63 characters in the remote-ID configuration.
This example shows how to configure the option-82 remote-ID suboption:
You can verify your settings by entering the show ip dhcp snooping user EXEC command.
|
|
---|---|
To configure the number of DHCP messages an interface can receive per second, use the ip dhcp snooping limit rate command in interface configuration mode. Use the no form of this command to return to the default setting.
ip dhcp snooping limit rate rate
no ip dhcp snooping limit rate
Number of DHCP messages an interface can receive per second. The range is 1 to 2048. |
|
|
---|---|
Normally, the rate limit applies to untrusted interfaces. If you want to configure rate limiting for trusted interfaces, keep in mind that trusted interfaces might aggregate DHCP traffic on multiple VLANs (some of which might not be snooped) in the switch, and you will need to adjust the interface rate limits to a higher value.
If the rate limit is exceeded, the interface is error-disabled. If you enabled error recovery by entering the errdisable recovery dhcp-rate-limit global configuration command, the interface retries the operation again when all the causes have timed out. If the error-recovery mechanism is not enabled, the interface stays in the error-disabled state until you enter the shutdown and no shutdown interface configuration commands.
This example shows how to set a message rate limit of 150 messages per second on an interface:
|
|
---|---|
To configure a port as trusted for DHCP snooping purposes, use the ip dhcp snooping trust command in interface configuration mode. Use the no form of this command to return to the default setting.
|
|
---|---|
Configure as trusted ports those that are connected to a DHCP server or to other switches or routers. Configure as untrusted ports those that are connected to DHCP clients.
This example shows how to enable DHCP snooping trust on a port:
You can verify your settings by entering the show ip dhcp snooping user EXEC command.
|
|
---|---|
To configure the switch to verify on an untrusted port that the source MAC address in a DHCP packet matches the client hardware address, use the ip dhcp snooping verify command in global configuration mode. Use the no form of this command to configure the switch to not verify the MAC addresses.
ip dhcp snooping verify mac-address
no ip dhcp snooping verify mac-address
The switch verifies the source MAC address in a DHCP packet that is received on untrusted ports matches the client hardware address in the packet.
|
|
---|---|
In a service-provider network, when a switch receives a packet from a DHCP client on an untrusted port, it automatically verifies that the source MAC address and the DHCP client hardware address match. If the addresses match, the switch forwards the packet. If the addresses do not match, the switch drops the packet.
This example shows how to disable the MAC address verification:
You can verify your settings by entering the show ip dhcp snooping user EXEC command.
|
|
---|---|
To enable DHCP snooping on a VLAN, use the ip dhcp snooping vlan command in global configuration mode. Use the no form of this command to return to the default setting.
ip dhcp snooping vlan vlan-range
no ip dhcp snooping vlan vlan-range
|
|
---|---|
You must first globally enable DHCP snooping before enabling DHCP snooping on a VLAN.
This example shows how to enable DHCP snooping on VLAN 10:
You can verify your settings by entering the show ip dhcp snooping user EXEC command.
|
|
---|---|
To configure the option-82 circuit-ID suboption, use the ip dhcp snooping vlan information option format-type circuit-id string command in interface configuration mode. Use the no form of this command to configure the default circuit-ID suboption.
ip dhcp snooping vlan vlan-id information option format-type circuit-id [override] string ASCII-string
no ip dhcp snooping vlan vlan-id information option format-type circuit-id [override] string
Note This command is supported only on switches running the IP services image.
(Optional) Specifies an override string, using from 3 to 63 ASCII characters (no spaces). |
|
Specifies a circuit ID, using from 3 to 63 ASCII characters (no spaces). |
The switch VLAN and the port identifier, in the format vlan-mod-port, is the default circuit ID.
|
|
---|---|
You must globally enable DHCP snooping by using the ip dhcp snooping global configuration command for any DHCP snooping configuration to take effect.
When the option-82 feature is enabled, the default circuit-ID suboption is the switch VLAN and the port identifier, in the format vlan-mod-port. This command allows you to configure a string of ASCII characters to be the circuit ID. When you want to override the vlan-mod-port format type and instead use the circuit-ID to define subscriber information, use the override keyword.
Note When configuring a large number of circuit IDs on a switch, consider the impact of lengthy character strings on the NVRAM or flash memory. If the circuit-ID configurations, combined with other data, exceed the capacity of the NVRAM or the flash memory, an error message appears.
This example shows how to configure the option-82 circuit-ID suboption:
This example shows how to configure the option-82 circuit-ID override suboption:
You can verify your settings by entering the show ip dhcp snooping user EXEC command.
Note The show ip dhcp snooping user EXEC command only displays the global command output, including a remote-ID configuration. It does not display any per-interface, per-VLAN string that you have configured for the circuit ID.
|
|
---|---|
To control whether or not all hosts on a Layer 2 interface can join one or more IP multicast groups by applying an Internet Group Management Protocol (IGMP) profile to the interface, use the ip igmp filter command in interface configuration mode. Use the no form of this command to remove the specified profile from the interface.
The IGMP profile number to be applied. The range is 1 to 4294967295. |
|
|
---|---|
You can apply IGMP filters only to Layer 2 physical interfaces; you cannot apply IGMP filters to routed ports, switch virtual interfaces (SVIs), or ports that belong to an EtherChannel group.
An IGMP profile can be applied to one or more switch port interfaces, but one port can have only one profile applied to it.
This example shows how to apply IGMP profile 22 to a port:
You can verify your setting by using the show running-config privileged EXEC command and by specifying an interface.
To set the maximum number of Internet Group Management Protocol (IGMP) groups that a Layer 2 interface can join or to configure the IGMP throttling action when the maximum number of entries is in the forwarding table, use the ip igmp max-groups command in interface configuration mode. Use the no form of this command to set the maximum back to the default, which is to have no maximum limit, or to return to the default throttling action, which is to drop the report.
ip igmp max-groups { number | action { deny | replace }}
no ip igmp max-groups { number | action }
The default maximum number of groups is no limit.
After the switch learns the maximum number of IGMP group entries on an interface, the default throttling action is to drop the next IGMP report that the interface receives and to not add an entry for the IGMP group to the interface.
|
|
---|---|
You can use this command only on Layer 2 physical interfaces and on logical EtherChannel interfaces. You cannot set IGMP maximum groups for routed ports, switch virtual interfaces (SVIs), or ports that belong to an EtherChannel group.
Follow these guidelines when configuring the IGMP throttling action:
This example shows how to limit to 25 the number of IGMP groups that a port can join:
This example shows how to configure the switch to replace the existing group with the new group for which the IGMP report was received when the maximum number of entries is in the forwarding table:
You can verify your setting by using the show running-config privileged EXEC command and by specifying an interface.
To create an Internet Group Management Protocol (IGMP) profile and enter IGMP profile configuration mode, use the ip igmp profile command in global configuration mode. From this mode, you can specify the configuration of the IGMP profile to be used for filtering IGMP membership reports from a switch port. Use the no form of this command to delete the IGMP profile.
ip igmp profile profile number
no ip igmp profile profile number
IGMP profile number being configured. The range is 1 to 4294967295. |
No IGMP profiles are defined. When configured, the default action for matching an IGMP profile is to deny matching addresses.
|
|
---|---|
When you are in IGMP profile configuration mode, you can create the profile by using these commands:
When entering a range, enter the low IP multicast address, a space, and the high IP multicast address.
You can apply an IGMP profile to one or more Layer 2 interfaces, but each interface can have only one profile applied to it.
This example shows how to configure IGMP profile 40 that permits the specified range of IP multicast addresses:
|
|
---|---|
Displays the characteristics of all IGMP profiles or the specified IGMP profile number. |
To globally enable Internet Group Management Protocol (IGMP) snooping on the switch or to enable it on a per-VLAN basis, use the ip igmp snooping command in global configuration mode. Use the no form of this command to return to the default setting.
ip igmp snooping [ vlan vlan-id ]
no ip igmp snooping [ vlan vlan-id ]
(Optional) Enables IGMP snooping on the specified VLAN. The range is 1 to 1001 and 1006 to 4094. |
|
|
---|---|
When IGMP snooping is enabled globally, it is enabled in all the existing VLAN interfaces. When IGMP snooping is globally disabled, it is disabled on all the existing VLAN interfaces.
VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in IGMP snooping.
This example shows how to globally enable IGMP snooping:
This example shows how to enable IGMP snooping on VLAN 1:
You can verify your settings by entering the show ip igmp snooping privileged EXEC command.
|
|
---|---|
Displays the configuration and operation information for the IGMP querier configured on a switch. |
To enable the Internet Group Management Protocol (IGMP) configurable-leave timer globally or on a per-VLAN basis, use the ip igmp snooping last-member-query-interval command in global configuration mode. Use the no form of this command to return to the default setting.
ip igmp snooping [ vlan vlan-id ] last-member-query-interval time
no ip igmp snooping [ vlan vlan-id ] last-member-query-interval
(Optional) Enables IGMP snooping and the leave timer on the specified VLAN. The range is 1 to 1001 and 1006 to 4094. |
|
Interval time out in seconds. The range is 100 to 32768 milliseconds. |
|
|
---|---|
When IGMP snooping is globally enabled, IGMP snooping is enabled on all the existing VLAN interfaces. When IGMP snooping is globally disabled, IGMP snooping is disabled on all the existing VLAN interfaces.
VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in IGMP snooping.
Configuring the leave timer on a VLAN overrides the global setting.
The IGMP configurable leave time is only supported on devices running IGMP Version 2.
This example shows how to globally enable the IGMP leave timer for 2000 milliseconds:
This example shows how to configure the IGMP leave timer for 3000 milliseconds on VLAN 1:
You can verify your settings by entering the show ip igmp snooping privileged EXEC command.
|
|
---|---|
To globally enable the Internet Group Management Protocol (IGMP) querier function in Layer 2 networks, use the ip igmp snooping querier command in global configuration mode. Use the command with keywords to enable and configure the IGMP querier feature on a VLAN interface. Use the no form of this command to return to the default settings.
ip igmp snooping querier [ vlan vlan-id ] [ address ip-address | max-response-time response-time | query-interval interval-count | tcn query [ count count | interval interval ] | timer expiry | version version ]
no ip igmp snooping querier [ vlan vlan-id ] [ address | max-response-time | query-interval | tcn query { count count | interval interval } | timer expiry | version ]
The IGMP snooping querier feature is globally disabled on the switch.
When enabled, the IGMP snooping querier disables itself if it detects IGMP traffic from a multicast-enabled device.
|
|
---|---|
Use this command to enable IGMP snooping to detect the IGMP version and IP address of a device that sends IGMP query messages, which is also called a querier.
By default, the IGMP snooping querier is configured to detect devices that use IGMP Version 2 (IGMPv2) but does not detect clients that are using IGMP Version 1 (IGMPv1). You can manually configure the max-response-time value when devices use IGMPv2. You cannot configure the max-response-time when devices use IGMPv1. (The value cannot be configured and is set to zero).
Non-RFC compliant devices running IGMPv1 might reject IGMP general query messages that have a non-zero value as the max-response-time value. If you want the devices to accept the IGMP general query messages, configure the IGMP snooping querier to run IGMPv1.
VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in IGMP snooping.
This example shows how to globally enable the IGMP snooping querier feature:
This example shows how to set the IGMP snooping querier maximum response time to 25 seconds:
This example shows how to set the IGMP snooping querier interval time to 60 seconds:
This example shows how to set the IGMP snooping querier TCN query count to 25:
This example shows how to set the IGMP snooping querier timeout to 60 seconds:
This example shows how to set the IGMP snooping querier feature to version 2:
You can verify your settings by entering the show ip igmp snooping privileged EXEC command.
|
|
---|---|
To enable Internet Group Management Protocol (IGMP) report suppression, use the ip igmp snooping report-suppression command in global configuration mode. Use the no form of this command to disable IGMP report suppression and to forward all IGMP reports to multicast routers.
ip igmp snooping report-suppression
no ip igmp snooping report-suppression
|
|
---|---|
IGMP report suppression is supported only when the multicast query has IGMPv1 and IGMPv2 reports. This feature is not supported when the query includes IGMPv3 reports.
The switch uses IGMP report suppression to forward only one IGMP report per multicast router query to multicast devices. When IGMP router suppression is enabled (the default), the switch sends the first IGMP report from all hosts for a group to all the multicast routers. The switch does not send the remaining IGMP reports for the group to the multicast routers. This feature prevents duplicate reports from being sent to the multicast devices.
If the multicast router query includes requests only for IGMPv1 and IGMPv2 reports, the switch forwards only the first IGMPv1 or IGMPv2 report from all hosts for a group to all the multicast routers. If the multicast router query also includes requests for IGMPv3 reports, the switch forwards all IGMPv1, IGMPv2, and IGMPv3 reports for a group to the multicast devices.
If you disable IGMP report suppression by entering the no ip igmp snooping report-suppression command, all IGMP reports are forwarded to all the multicast routers.
This example shows how to disable report suppression:
You can verify your settings by entering the show ip igmp snooping privileged EXEC command.
|
|
---|---|
Displays the IGMP snooping configuration of the switch or the VLAN. |
To configure the Internet Group Management Protocol (IGMP) Topology Change Notification (TCN) behavior, use the ip igmp snooping tcn command in global configuration mode. Use the no form of this command to return to the default settings.
ip igmp snooping tcn { flood query count count | query solicit }
no ip igmp snooping tcn { flood query count | query solicit }
|
|
---|---|
Use ip igmp snooping tcn flood query count global configuration command to control the time that multicast traffic is flooded after a TCN event. If you set the TCN flood query count to 1 by using the ip igmp snooping tcn flood query count command, the flooding stops after receiving 1 general query. If you set the count to 7, the flooding of multicast traffic due to the TCN event lasts until 7 general queries are received. Groups are relearned based on the general queries received during the TCN event.
Use the ip igmp snooping tcn query solicit global configuration command to enable the switch to send the global leave message whether or not it is the spanning-tree root. This command also speeds the process of recovering from the flood mode caused during a TCN event.
This example shows how to specify 7 as the number of IGMP general queries for which the multicast traffic is flooded:
You can verify your settings by entering the show ip igmp snooping privileged EXEC command.
|
|
---|---|
Specifies flooding on an interface as the IGMP snooping spanning-tree TCN behavior. |
|
Displays the IGMP snooping configuration of the switch or the VLAN. |
To specify multicast flooding as the Internet Group Management Protocol (IGMP) snooping spanning-tree Topology Change Notification (TCN) behavior, use the ip igmp snooping tcn flood command in interface configuration mode. Use the no form of this command to disable the multicast flooding.
Multicast flooding is enabled on an interface during a spanning-tree TCN event.
|
|
---|---|
When the switch receives a TCN, multicast traffic is flooded to all the ports until two general queries are received. If the switch has many ports with attached hosts that are subscribed to different multicast groups, the flooding might exceed the capacity of the link and cause packet loss.
You can change the flooding query count by using the ip igmp snooping tcn flood query count count global configuration command.
This example shows how to disable the multicast flooding on an interface:
You can verify your settings by entering the show ip igmp snooping privileged EXEC command.
|
|
---|---|
Displays the IGMP snooping configuration of the switch or the VLAN. |
To enable Internet Group Management Protocol (IGMP) snooping immediate-leave processing on a per-VLAN basis, use the ip igmp snooping immediate-leave command in global configuration mode. Use the no form of this command to return to the default setting.
ip igmp snooping vlan vlan-id immediate-leave
no ip igmp snooping vlan vlan-id immediate-leave
Specified VLAN on which IGMP and Immediate-Leave are enabled. The range is 1 to 1001 and 1006 to 4094. |
|
|
---|---|
VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in IGMP snooping.
You should configure the Immediate-Leave feature only when there is a maximum of one receiver on every port in the VLAN. The configuration is saved in NVRAM.
The Immediate-Leave feature is supported only with IGMP Version 2 hosts.
This example shows how to enable IGMP immediate-leave processing on VLAN 1:
You can verify your settings by entering the show ip igmp snooping privileged EXEC command.
|
|
---|---|
Displays the configuration and operation information for the IGMP querier configured on a switch. |
To add a multicast router port or to configure the multicast learning method, use the ip igmp snooping vlan mrouter command in global configuration mode. Use the no form of this command to return to the default settings.
ip igmp snooping vlan vlan-id mrouter { interface interface-id | learn { cgmp | pim-dvmrp }}
no ip igmp snooping vlan vlan-id mrouter { interface interface-id | learn { cgmp | pim-dvmrp }}
By default, there are no multicast router ports.
The default learning method is pim-dvmrp to snoop IGMP queries and PIM-DVMRP packets.
|
|
---|---|
VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in IGMP snooping.
The CGMP learn method is useful for reducing control traffic.
This example shows how to configure a port as a multicast router port:
This example shows how to specify the multicast router learning method as CGMP:
You can verify your settings by entering the show ip igmp snooping privileged EXEC command.
|
|
---|---|
Displays the configuration and operation information for the IGMP querier configured on a switch. |
To enable Internet Group Management Protocol (IGMP) snooping and to statically add a Layer 2 port as a member of a multicast group, use the ip igmp snooping static command in global configuration mode. Use the no form of this command to remove ports specified as members of a static multicast group.
ip igmp snooping vlan vlan-id static ip-address interface interface-id
no ip igmp snooping vlan vlan-id static ip-address interface interface-id
By default, there are no ports statically configured as members of a multicast group.
|
|
---|---|
VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in IGMP snooping.
This example shows how to statically configure a host on an interface:
You can verify your settings by entering the show ip igmp snooping privileged EXEC command.
|
|
---|---|
Displays the configuration and operation information for the IGMP querier configured on a switch. |
To configure static IP source bindings on the switch, use the ip source binding command in global configuration mode. Use the no form of this command to delete static bindings.
ip source binding mac-address vlan vlan-id ip-address interface interface-id
no source binding mac-address vlan vlan-id ip-address interface interface-id
Specifies an interface on which to add or delete an IP source binding. |
|
|
---|---|
A static IP source binding entry has an IP address, its associated MAC address, and its associated VLAN number. The entry is based on the MAC address and the VLAN number. If you modify an entry by changing only the IP address, the switch updates the entry instead creating a new one.
This example shows how to add a static IP source binding:
This example shows how to add a static binding and then modify the IP address for it:
You can verify your settings by entering the show ip source binding privileged EXEC command.
|
|
---|---|
Displays the IP source guard configuration on the switch or on a specific interface. |
To configure the switch to run Secure Shell (SSH) Version 1 or SSH Version 2, use the ip ssh command in global configuration mode. This command is available only when your switch is running the cryptographic (encrypted) software image. Use the no form of this command to return to the default setting.
(Optional) Configures the switch to run SSH Version 1 (SSHv1). |
|
(Optional) Configures the switch to run SSH Version 2 (SSHv1). |
The default version is the latest SSH version supported by the SSH client.
|
|
---|---|
If you do not enter this command or if you do not specify a keyword, the SSH server selects the latest SSH version supported by the SSH client. For example, if the SSH client supports SSHv1 and SSHv2, the SSH server selects SSHv2.
The switch supports an SSHv1 or an SSHv2 server. It also supports an SSHv1 client. For more information about the SSH server and the SSH client, see the software configuration guide for this release.
A Rivest, Shamir, and Adelman (RSA) key pair generated by an SSHv1 server can be used by an SSHv2 server and the reverse.
This example shows how to configure the switch to run SSH Version 2:
You can verify your settings by entering the show ip ssh or show ssh privileged EXEC command.
To enable sticky Address Resolution Protocol (ARP) on a switch virtual interface (SVI) or a Layer 3 interface, use the ip sticky-arp command in interface configuration mode. Use the no form of this command to disable sticky ARP.
Note This command is supported only on switches running the IP services image.
Sticky ARP is disabled on Layer 3 interfaces and normal SVIs.
|
|
---|---|
Sticky ARP entries are those learned on SVIs and Layer 3 interfaces. These entries do not age out.
The ip sticky-arp interface configuration command is only supported on
On a Layer 3 interface or on an SVI belonging to a normal VLAN
To enable sticky ARP on a normal SVI:
To disable sticky ARP on a Layer 3 interface or an SVI:
You can verify your settings by using the show arp privileged EXEC command.
To enable IP source guard on an interface, use the ip verify source command in interface configuration mode. Use the no form of this command to disable IP source guard.
ip verify source [ port-security ]
(Optional) Enables IP source guard with IP and MAC address filtering. If you do not enter the port-security keyword, IP source guard with IP address filtering is enabled. |
|
|
---|---|
To enable IP source guard with source IP address filtering, use the ip verify source interface configuration command.
To enable IP source guard with source IP and MAC address filtering, use the ip verify source port-security interface configuration command.
To enable IP source guard with source IP and MAC address filtering, you must enable port security on the interface.
This example shows how to enable IP source guard with source IP address filtering:
This example shows how to enable IP source guard with source IP and MAC address filtering:
You can verify your settings by entering the show ip source binding privileged EXEC command.
|
|
---|---|
Displays the IP source guard configuration on the switch or on a specific interface. |
To acquire an IPv6 address on an interface from the Dynamic Host Configuration Protocol for IPv6 (DHCPv6) server, use the ipv6 address dhcp command in interface configuration mode. To remove the address from the interface, use the no form of this command.
ipv6 address dhcp [rapid-commit]
no ipv6 address dhcp [rapid-commit]
Note This command is available only if you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch and the switch is running the IP services image.
(Optional) Allows two-message exchange method for address assignment. |
|
|
---|---|
To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 global configuration command, and reload the switch.
The ipv6 address dhcp interface configuration command allows any interface to dynamically learn its IPv6 address by using the DHCP protocol.
The rapid-commit keyword enables the use of the two-message exchange for address allocation and other configuration. If it is enabled, the client includes the rapid-commit option in a solicit message.
This example shows how to acquire an IPv6 address and enable the rapid-commit option:
You can verify your settings by using the show ipv6 dhcp interface privileged EXEC command.
|
|
---|---|
Displays DHCPv6 interface information. For syntax information, see the Cisco IOS Software Command Reference, Release 15.0. |
To configure an IPv6 client to request an option from a Dynamic Host Configuration Protocol for IPv6 (DHCPv6) server, use the ipv6 dhcp client request command in interface configuration mode. To remove the request, use the no form of this command.
ipv6 dhcp client request vendor
no ipv6 dhcp client request vendor
Note This command is available only if you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch and the switch is running the IP services image.
|
|
---|---|
To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 global configuration command, and reload the switch.
Use the ipv6 dhcp client request vendor interface configuration to request a vendor-specific option. When enabled, the command is checked only when an IPv6 address is acquired from DHCP. If you enter the command after the interface has acquired an IPv6 address, it does not take effect until the next time the client acquires an IPv6 address from DHCP.
This example shows how to enable the request vendor-specific option:
|
|
---|---|
To specify the number of packets a Dynamic Host Configuration Protocol for IPv6 (DHCPv6) server sends to a pool address as part of a ping operation, use the ipv6 dhcp ping packets command in global configuration mode. To prevent the server from pinging pool addresses, use the no form of this command.
Note This command is available only if you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch and the switch is running the IP services image.
The number of ping packets sent before the address is assigned to a requesting client. The range is 0 to 10. |
|
|
---|---|
To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 global configuration command, and reload the switch.
The DHCPv6 server pings a pool address before assigning the address to a requesting client. If the ping is unanswered, the server assumes, with a high probability, that the address is not in use and assigns the address to the requesting client.
Setting the number argument to 0 turns off the DHCPv6 server ping operation.
This example specifies two ping attempts by the DHCPv6 server before further ping attempts stop:
|
|
---|---|
Displays address conflicts found by a DHCPv6 server, or reported through a DECLINE message from a client. |
To enter Dynamic Host Configuration Protocol for IPv6 (DHCPv6) pool configuration mode, use the ipv6 dhcp pool command in global configuration mode. Use the no form of this command to return to the default settings.
Note This command is available only if you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch and the switch is running the IP services image.
User-defined name for the DHCPv6 pool. The pool name can be a symbolic string (such as Engineering) or an integer (such as 0). |
|
|
---|---|
To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 global configuration command, and reload the switch.
The ipv6 dhcp pool command enables the DHCPv6 pool configuration mode. These configuration commands are available:
– vendor-id —Specifies a vendor-specific identification number. This number is the vendor IANA Private Enterprise Number. The range is 1 to 4294967295.
– suboption number—Sets vendor-specific suboption number. The range is 1 to 65535. Enter an IPv6 address, ASCII text, or a hex string as defined by the suboption parameters.
After you create the DHCPv6 configuration information pool, use the ipv6 dhcp server interface configuration command to associate the pool with a server on an interface. However, if you do not configure an information pool, you still need to use the ipv6 dhcp server interface configuration command to enable the DHCPv6 server function on an interface.
When you associate a DHCPv6 pool with an interface, only that pool services requests on the associated interface. The pool also services other interfaces. If you do not associate a DHCPv6 pool with an interface, it can service requests on any interface.
Not using any IPv6 address prefix means that the pool only returns configured options.
The link-address keyword allows matching a link-address without necessarily allocating an address. You can match the pool from multiple relays by using multiple link-address configuration commands inside a pool.
Because a longest match is performed on either the address pool information or the link information, you can configure one pool to allocate addresses and another pool on a subprefix that only returns configured options.
This example shows how to configure a pool called engineering with an IPv6 address prefix :
This example shows how to configure a pool called testgroup with three link-address prefixes and an IPv6 address prefix:
This example shows how to configure a pool called 350 with vendor-specific options:
|
|
---|---|
Displays DHCPv6 configuration pool information. For syntax information, see the Cisco IOS Software Command Reference, Release 15.0. |
To enable Dynamic Host Configuration Protocol for IPv6 (DHCPv6) service on an interface, use the ipv6 dhcp server command in interface configuration mode. To disable DHCPv6 service on an interface, use the no form of this command.
ipv6 dhcp server [poolname | automatic ] [ rapid-commit ] [ preference value] [ allow-hint ]
no ipv6 dhcp server [poolname | automatic ] [ rapid-commit ] [ preference value] [ allow-hint ]
Note This command is available only if you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch and the switch is running the IP services image.
By default, no DHCPv6 packets are serviced on the interface.
|
|
---|---|
The ipv6 dhcp server interface configuration command enables DHCPv6 service on a specified interface.
The automatic keyword enables the system to automatically determine which pool to use when allocating addresses for a client. When an IPv6 DHCP packet is received by the server, the server determines if it was received from a DHCP relay or if it was directly received from the client. If the packet was received from a relay, the server verifies the link-address field inside the packet associated with the first relay that is closest to the client. The server matches this link-address against all address prefix and link-address configurations in IPv6 DHCP pools to find the longest prefix match. The server selects the pool associated with the longest match.
If the packet was directly received from the client, the server performs this same matching, but it uses all the IPv6 addresses configured on the incoming interface when performing the match. Once again, the server selects the longest prefix match.
The rapid-commit keyword enables the use of the two-message exchange.
If the preference keyword is configured with a value other than 0, the server adds a preference option to carry the preference value for the advertise messages. This action affects the selection of a server by the client. Any advertise message that does not include a preference option is considered to have a preference value of 0. If the client receives an advertise message with a preference value of 255, the client immediately sends a request message to the server from which the message was received.
If the allow-hint keyword is specified, the server allocates a valid client-suggested address in the solicit and request messages. The prefix address is valid if it is in the associated local prefix address pool and it is not assigned to a device. If the allow-hint keyword is not specified, the server ignores the client hint, and an address is allocated from the free list in the pool.
The DHCPv6 client, server, and relay functions are mutually exclusive on an interface. When one of these functions is already enabled and you try to configure a different function on the same interface, the switch returns one of these messages:
This example enables DHCPv6 for the pool named testgroup:
To enable IP version 6 (IPv6) Multicast Listener Discovery (MLD) snooping globally or on the specified VLAN, use the ipv6 mld snooping command in global configuration mode without keywords. Use the no form of this command to disable MLD snooping on the switch or switch stack or the VLAN.
ipv6 mld snooping [ vlan vlan-id ]
no ipv6 mld snooping [ vlan vlan-id ]
Note This command is available only if you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
(Optional) Enables or disables IPv6 MLD snooping on the specified VLAN. The VLAN ID range is 1 to 1001 and 1006 to 4094. |
MLD snooping is globally disabled on the switch.
MLD snooping is enabled on all VLANs. However, MLD snooping must be globally enabled before VLAN snooping will take place.
|
|
---|---|
To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 global configuration command and reload the switch.
When MLD snooping is globally disabled, it is disabled on all the existing VLAN interfaces. When you globally enable MLD snooping, it is enabled on all VLAN interfaces that are in the default state (enabled). VLAN configuration will override global configuration on interfaces on which MLD snooping has been disabled.
If MLD snooping is globally disabled, you cannot enable it on a VLAN. If MLD snooping is globally enabled, you can disable it on individual VLANs.
When the IPv6 multicast router is a Catalyst 6500 switch and you are using extended VLANs (in the range 1006 to 4094), IPv6 MLD snooping must be enabled on the extended VLAN on the Catalyst 6500 switch in order for the switch to receive queries on the VLAN. For normal-range VLANs (1 to 1005), it is not necessary to enable IPv6 MLD snooping on the VLAN on the Catalyst 6500 switch.
VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in MLD snooping.
This example shows how to globally enable MLD snooping:
This example shows how to disable MLD snooping on a VLAN:
You can verify your settings by entering the show ipv6 mld snooping user EXEC command.
|
|
---|---|
Configures an SDM template to optimize system resources based on how the switch is being used. |
|
To configure IP version 6 (IPv6) Multicast Listener Discovery Mulitcast Address Specific Queries (MASQs) or queries that will be sent before aging out a client, use the ipv6 mld snooping last-listener-query-count command in global configuration mode. Use the no form of this command to reset the query count to the default settings.
ipv6 mld snooping [ vlan vlan-id ] last-listener-query-count integer_value
no ipv6 mld snooping [ vlan vlan-id ] last-listener-query-count
Note This command is available only if you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
(Optional) Configures last-listener query count on the specified VLAN. The VLAN ID range is 1 to 1001 and 1006 to 4094. |
|
|
|
---|---|
To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 global configuration command and reload the switch.
In MLD snooping, the IPv6 multicast router periodically sends out queries to hosts belonging to the multicast group. If a host wants to leave a multicast group, it can silently leave or it can respond to the query with a Multicast Listener Done message (equivalent to an IGMP Leave message). When Immediate Leave is not configured (which it should not be if multiple clients for a group exist on the same port), the configured last-listener query count determines the number of MASQs that are sent before an MLD client is aged out.
When the last-listener query count is set for a VLAN, this count overrides the value configured globally. When the VLAN count is not configured (set to the default of 0), the global count is used.
VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in MLD snooping.
This example shows how to globally set the last-listener query count:
This example shows how to set the last-listener query count for VLAN 10:
You can verify your settings by entering the show ipv6 mld snooping [ vlan vlan-id ] user EXEC command.
|
|
---|---|
Configures an SDM template to optimize system resources based on how the switch is being used. |
|
To configure IP version 6 (IPv6) Multicast Listener Discovery (MLD) snooping last-listener query interval on the switch or on a VLAN, use the ipv6 mld snooping last-listener-query-interval command in global configuration mode. This time interval is the maximum time that a multicast router waits after issuing a Mulitcast Address Specific Query (MASQ) before deleting a port from the multicast group. Use the no form of this command to reset the query time to the default settings.
ipv6 mld snooping [ vlan vlan-id ] last-listener-query-interval integer_value
no ipv6 mld snooping [ vlan vlan-id ] last-listener-query-interval
Note This command is available only if you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
The default global query interval (maximum response time) is 1000 (1 second).
The default VLAN query interval (maximum response time) is 0 (the global count is used).
|
|
---|---|
To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 global configuration command and reload the switch.
In MLD snooping, when the IPv6 multicast router receives an MLD leave message, it sends out queries to hosts belonging to the multicast group. If there are no responses from a port to a MASQ for a length of time, the router deletes the port from the membership database of the multicast address. The last listener query interval is the maximum time that the router waits before deleting a nonresponsive port from the multicast group.
When a VLAN query interval is set, this overrides the global query interval. When the VLAN interval is set at 0, the global value is used.
VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in MLD snooping.
This example shows how to globally set the last-listener query interval to 2 seconds:
This example shows how to set the last-listener query interval for VLAN 1 to 5.5 seconds:
You can verify your settings by entering the show ipv6 MLD snooping [ vlan vlan-id ] user EXEC command.
|
|
---|---|
Configures an SDM template to optimize system resources based on how the switch is being used. |
|
To enable IP version 6 (IPv6) Multicast Listener Discovery (MLD) snooping listener message suppression, use the ipv6 mld snooping listener-message-suppression command in global configuration mode. Use the no form of this command to disable MLD snooping listener message suppression.
ipv6 mld snooping listener-message-suppression
no ipv6 mld snooping listener-message-suppression
Note This command is available only if you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
The default is for MLD snooping listener message suppression to be disabled.
|
|
---|---|
To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 global configuration command and reload the switch.
MLD snooping listener message suppression is equivalent to IGMP snooping report suppression. When enabled, received MLDv1 reports to a group are forwarded to IPv6 multicast routers only once in every report-forward time. This prevents the forwarding of duplicate reports.
This example shows how to enable MLD snooping listener-message-suppression:
This example shows how to disable MLD snooping listener-message-suppression:
You can verify your settings by entering the show ipv6 mld snooping [ vlan vlan-id ] user EXEC command.
|
|
---|---|
Configures an SDM template to optimize system resources based on how the switch is being used. |
|
To configure the number of IP version 6 (IPv6) Multicast Listener Discovery (MLD) queries that the switch sends before deleting a listener that does not respond, or enter a VLAN ID to configure on a per-VLAN basis, use the ipv6 mld snooping robustness-variable command in global configuration mode. Use the no form of this command to reset the variable to the default settings.
ipv6 mld snooping [ vlan vlan-id ] robustness-variable integer_value
no ipv6 mld snooping [ vlan vlan-id ] robustness-variable
Note This command is available only if you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
(Optional) Configures the robustness variable on the specified VLAN. The VLAN ID range is 1 to 1001 and 1006 to 4094. |
|
The default global robustness variable (number of queries before deleting a listener) is 2.
The default VLAN robustness variable (number of queries before aging out a multicast address) is 0, which means that the system uses the global robustness variable for aging out the listener.
|
|
---|---|
To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 global configuration command and reload the switch.
Robustness is measured in terms of the number of MLDv1 queries sent with no response before a port is removed from a multicast group. A port is deleted when there are no MLDv1 reports received for the configured number of MLDv1 queries. The global value determines the number of queries that the switch waits before deleting a listener that does not respond and applies to all VLANs that do not have a VLAN value set.
The robustness value configured for a VLAN overrides the global value. If the VLAN robustness value is 0 (the default), the global value is used.
VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in MLD snooping.
This example shows how to configure the global robustness variable so that the switch sends out three queries before it deletes a listener port that does not respond:
This example shows how to configure the robustness variable for VLAN 1. This value overrides the global configuration for the VLAN:
You can verify your settings by entering the show ipv6 MLD snooping [ vlan vlan-id ] user EXEC command.
|
|
---|---|
Configures an SDM template to optimize system resources based on how the switch is being used. |
|
To configure IP version 6 (IPv6) Multicast Listener Discovery (MLD) Topology Change Notifications (TCNs), use the ipv6 mld snooping tcn command in global configuration mode. Use the no form of the command to reset the default settings.
ipv6 mld snooping tcn { flood query count integer_value | query solicit }
no ipv6 mld snooping tcn { flood query count integer_value | query solicit }
Note This command is available only if you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
Sets the flood query count, which is the number of queries that are sent before forwarding multicast data to only those ports requesting to receive it. The range is 1 to 10. |
|
|
|
---|---|
To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 global configuration command and reload the switch.
This example shows how to enable TCN query soliciting:
This example shows how to set the flood query count to 5:
You can verify your settings by entering the show ipv6 MLD snooping [ vlan vlan-id ] user EXEC command.
|
|
---|---|
Configures an SDM template to optimize system resources based on how the switch is being used. |
|
To configure IP version 6 (IPv6) Multicast Listener Discovery (MLD) snooping parameters on the VLAN interface, use the ipv6 mld snooping vlan command in global configuration mode. Use the no form of this command to reset the parameters to the default settings.
ipv6 mld snooping vlan vlan-id [ immediate-leave | mrouter interface interface-id | static ipv6-multicast-address interface interface-id ]
no ipv6 mld snooping vlan vlan-id [ immediate-leave | mrouter interface interface-id | static ip-address interface interface-id ]
Note This command is available only if you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
MLD snooping Immediate-Leave processing is disabled.
|
|
---|---|
To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 global configuration command and reload the switch.
You should only configure the Immediate-Leave feature when there is only one receiver on every port in the VLAN. The configuration is saved in NVRAM.
The static keyword is used for configuring the MLD member ports statically.
The configuration and the static ports and groups are saved in NVRAM.
When the IPv6 multicast router is a Catalyst 6500 switch and you are using extended VLANs (in the range 1006 to 4094), IPv6 MLD snooping must be enabled on the extended VLAN on the Catalyst 6500 switch in order for the Catalyst 3750 or Catalyst 3560 switch to receive queries on the VLAN. For normal-range VLANs (1 to 1005), it is not necessary to enable IPv6 MLD snooping on the VLAN on the Catalyst 6500 switch.
VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in MLD snooping.
This example shows how to enable MLD Immediate-Leave processing on VLAN 1:
This example shows how to disable MLD Immediate-Leave processing on VLAN 1:
This example shows how to configure a port as a multicast router port:
This example shows how to configure a static multicast group:
You can verify your settings by entering the show ipv6 mld snooping vlan vlan-id user EXEC command.
|
|
---|---|
Configures an SDM template to optimize system resources based on how the switch is being used. |
|