Table Of Contents

Catalyst 3750 Metro Switch Cisco IOS Commands

aaa accounting dot1x

aaa authentication dot1x

action

archive download-sw

archive tar

archive upload-sw

arp access-list

auto qos voip

bandwidth

boot config-file

boot enable-break

boot helper

boot helper-config-file

boot manual

boot private-config-file

boot system

channel-group

channel-protocol

class

class-map

clear ip arp inspection log

clear ip arp inspection statistics

clear ip dhcp snooping

clear ipv6 dhcp conflict

clear l2protocol-tunnel counters

clear lacp

clear mac address-table

clear mac address-table move update

clear pagp

clear rep counters

clear spanning-tree counters

clear spanning-tree detected-protocols

clear vmps statistics

clear vtp counters

cpu traffic qos cos

cpu traffic qos dscp

cpu traffic qos precedence

define interface-range

delete

deny (ARP access-list configuration)

deny (IPv6 access-list configuration)

deny (MAC access-list configuration)

dot1x auth-fail max-attempts

dot1x auth-fail vlan

dot1x default

dot1x guest-vlan

dot1x host-mode

dot1x initialize

dot1x max-reauth-req

dot1x max-req

dot1x port-control

dot1x re-authenticate

dot1x reauthentication

dot1x supplicant force-multicast

dot1x system-auth-control

dot1x test eapol-capable

dot1x test timeout

dot1x timeout

dot1x violation-mode

duplex

errdisable detect cause

errdisable detect cause small-frame

errdisable recovery cause small-frame

errdisable recovery

ethernet evc

ethernet lmi

ethernet lmi ce-vlan map

ethernet oam remote-failure

ethernet uni

ethernet uni id

flowcontrol

interface port-channel

interface range

interface vlan

ip access-group

ip address

ip arp inspection filter vlan

ip arp inspection limit

ip arp inspection log-buffer

ip arp inspection trust

ip arp inspection validate

ip arp inspection vlan

ip arp inspection vlan logging

ip device tracking

ip device tracking maximum

ip device tracking probe

ip dhcp snooping

ip dhcp snooping binding

ip dhcp snooping database

ip dhcp snooping information option

ip dhcp snooping information option allowed-untrusted

ip dhcp snooping information option format remote-id

ip dhcp snooping limit rate

ip dhcp snooping trust

ip dhcp snooping verify

ip dhcp snooping vlan

ip dhcp snooping vlan information option format-type circuit-id string

ip igmp filter

ip igmp max-groups

ip igmp profile

ip igmp snooping

ip igmp snooping querier

ip igmp snooping report-suppression

ip igmp snooping vlan immediate-leave

ip igmp snooping vlan mrouter

ip igmp snooping vlan static

ip sla responder twamp

ip sla server twamp

ip source binding

ip ssh

ip sticky-arp (global configuration)

ip sticky-arp (interface configuration)

ip verify source

ip vrf (global configuration)

ip vrf (interface configuration)

ipv6 access-list

ipv6 address dhcp

ipv6 dhcp client request vendor

ipv6 dhcp ping packets

ipv6 dhcp pool

ipv6 dhcp server

ipv6 mld snooping

ipv6 mld snooping last-listener-query-count

ipv6 mld snooping last-listener-query-interval

ipv6 mld snooping listener-message-suppression

ipv6 mld snooping robustness-variable

ipv6 mld snooping tcn

ipv6 mld snooping vlan

ipv6 traffic-filter

l2protocol-tunnel

l2protocol-tunnel cos

lacp port-priority

lacp system-priority

link state group

link state track

location (global configuration)

location (interface configuration)

logging event

logging file

mac access-group

mac access-list extended

mac address-table aging-time

mac address-table learning

mac address-table move update

mac address-table notification

mac address-table static

mac address-table static drop

macro apply

macro description

macro global

macro global description

macro name

match (access-map configuration)

match (class-map configuration)

mdix auto

mls qos

mls qos aggregate-policer

mls qos cos

mls qos dscp-mutation

mls qos enhanced

mls qos map

mls qos queue-set output buffers

mls qos queue-set output threshold

mls qos rewrite ip dscp

mls qos srr-queue input bandwidth

mls qos srr-queue input buffers

mls qos srr-queue input cos-map

mls qos srr-queue input dscp-map

mls qos srr-queue input priority-queue

mls qos srr-queue input threshold

mls qos srr-queue output cos-map

mls qos srr-queue output cpu-queue

mls qos srr-queue output dscp-map

mls qos trust

mls qos vlan-based

monitor session

mpls l2transport route

mpls ldp holdtime

mpls mtu

mvr (global configuration)

mvr (interface configuration)

oam protocol cfm svlan

pagp learn-method

pagp port-priority

permit (ARP access-list configuration)

permit (IPv6 access-list configuration)

permit (MAC-access list configuration)

police

police aggregate

police cir

police cir percent

policy-map

port-channel load-balance

priority

priority-queue

private-vlan

private-vlan mapping

queue-limit

queue-set

random-detect

random-detect dscp

random-detect exponential-weighting-constant

random-detect precedence

remote-span

renew ip dhcp snooping database

rep admin vlan

rep block port

rep lsl-age-timer

rep preempt delay

rep preempt segment

rep segment

rep stcn

reserved-only

Catalyst 3750 Metro Switch Cisco IOS Commands

---

aaa accounting dot1x

Use the aaa accounting dot1x global configuration command to enable authentication, authorization, and accounting (AAA) accounting and to create method lists defining specific accounting methods on a per-line or per-interface basis for 802.1x sessions. Use the no form of this command to disable 802.1x accounting.

aaa accounting dot1x {name | default} start-stop {broadcast group {name | radius | tacacs+} [group {name | radius | tacacs+} ... ] | group {name | radius | tacacs+} [group {name | radius | tacacs+} ... ]}

no aaa accounting dot1x {name | default}

Syntax Description

name	Name of a server group. This is optional when you enter it after the broadcast group and group keywords.
default	Use the accounting methods that follow as the default list for accounting services.
start-stop	Send a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process. The start accounting record is sent in the background. The requested-user process begins regardless of whether or not the start accounting notice was received by the accounting server.
broadcast	Enable accounting records to be sent to multiple AAA servers and send accounting records to the first server in each group. If the first server is unavailable, the switch uses the list of backup servers to identify the first server.
group	Specify the server group to be used for accounting services. These are valid server group names: •name—Name of a server group. •radius—List of all RADIUS hosts. •tacacs+—List of all TACACS+ hosts. The group keyword is optional when you enter it after the broadcast group and group keywords. You can enter more than optional group keyword.
radius	(Optional) Enable RADIUS authorization.
tacacs+	(Optional) Enable TACACS+ accounting.

Defaults

AAA accounting is disabled.

Command Modes

Global configuration

Command History

Release	Modification
12.2(25)EY	This command was introduced.

Usage Guidelines

This command requires access to a RADIUS server.

---

Note We recommend that you enter the dot1x reauthentication interface configuration command before configuring 802.1x RADIUS accounting on an interface.

---

Examples

This example shows how to configure 802.1x accounting:

Switch(config)# aaa accounting dot1x default start-stop group radius

Switch(config)#

---

Note The RADIUS authentication server must be properly configured to accept and log update or watchdog packets from the AAA client.

---

Related Commands

Command	Description
aaa accounting dot1x	Specifies one or more AAA methods for use on interfaces running 802.1x.
dot1x reauthentication	Enables or disables periodic reauthentication.
dot1x test eapol-capable reauth-period	Sets the number of seconds between re-authentication attempts.

aaa authentication dot1x

Use the aaa authentication dot1x global configuration command to specify one or more authentication, authorization, and accounting (AAA) methods for use on ports running IEEE 802.1x. Use the no form of this command to disable authentication.

aaa authentication dot1x {default} method1 [method2...]

no aaa authentication dot1x {default}

Syntax Description

default

Use the listed authentication methods that follow this argument as the default list of methods when a user logs in.

method1 [method2...]

At least one of the these keywords: •enable—Use the enable password for authentication. •group radius—Use the list of all RADIUS servers for authentication. •line—Use the line password for authentication. •local—Use the local username database for authentication. •local-case—Use the case-sensitive local username database for authentication. •none—Use no authentication. The client is automatically authenticated by the switch without using the information supplied by the client.

---

Note Though visible in the command-line help strings, the group tacacs+ keyword is not supported.

---

Defaults

No authentication is performed.

Command Modes

Global configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

The method argument identifies the list of methods that the authentication algorithm tries in the given sequence to validate the password provided by the client. The only method that is truly 802.1x-compliant is the group radius method, in which the client data is validated against a RADIUS authentication server. The remaining methods enable AAA to authenticate the client by using locally configured data. For example, the local and local-case methods use the username and password that are saved in the configuration file. The enable and line methods use the enable and line passwords for authentication.

If you specify group radius, you must configure the RADIUS server by entering the radius-server host global configuration command.

If you are not using a RADIUS server, you can use the local or local-case methods, which access the local username database to perform authentication. By specifying the enable or line methods, you can supply the clients with a password to provide access to the switch.

Use the show running-config privileged EXEC command to display the configured lists of authentication methods.

Examples

This example shows how to enable AAA and how to create an authentication list for 802.1x. This authentication first tries to contact a RADIUS server. If this action returns an error, the user is allowed access with no authentication.

Switch(config)# aaa new-model

Switch(config)# aaa authentication dot1x default group radius none

You can verify your settings by entering the show running-config privileged EXEC command.

Related Commands

Command	Description
aaa new-model	Enables the AAA access control model. For syntax information, select Cisco IOS Security Command Reference, Release 12.2 > Authentication, Authorization, and Accounting > Authentication Commands.
show running-config	Displays the operating configuration. For syntax information, use this link to the Cisco IOS Release 12.2 Command Reference listing page: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/prod_command_reference_list.html Select the Cisco IOS Commands Master List, Release 12.2 to navigate to the command.

action

Use the action access map configuration command to set the action for the VLAN access map entry. Use the no form of this command to set the action to the default value, which is to forward.

action {drop | forward}

no action

Syntax Description

drop	Drop the packet when the specified conditions are matched.
forward	Forward the packet when the specified conditions are matched.

Defaults

The default action is to forward packets.

Command Modes

Access-map configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

You enter access-map configuration mode by using the vlan access-map global configuration command.

If the action is drop, you should define the access map, including configuring any access control list (ACL) names in match clauses, before applying the map to a VLAN, or all packets could be dropped.

In access map configuration mode, use the match access map configuration command to define the match conditions for a VLAN map. Use the action command to set the action that occurs when a packet matches the conditions.

The drop and forward parameters are not used in the no form of the command.

Examples

This example shows how to identify and apply a VLAN access map vmap4 to VLANs 5 and 6 that causes the VLAN to forward an IP packet if the packet matches the conditions defined in access list al2:

Switch(config)# vlan access-map vmap4

Switch(config-access-map)# match ip address al2

Switch(config-access-map)# action forward

Switch(config-access-map)# exit

Switch(config)# vlan filter vmap4 vlan-list 5-6

You can verify your settings by entering the show vlan access-map privileged EXEC command.

Related Commands

Command	Description
access-list {deny | permit}	Configures a standard numbered ACL. For syntax information, select Cisco IOS IP Command Reference, Volume 1 of 3:Addressing and Services, Release 12.2 > IP Services Commands.
ip access-list	Creates a named access list. For syntax information, select Cisco IOS IP Command Reference, Volume 1 of 3:Addressing and Services, Release 12.2 > IP Services Commands.
mac access-list extended	Creates a named MAC address access list.
match (access-map configuration)	Defines the match conditions for a VLAN map.
show vlan access-map	Displays the VLAN access maps created on the switch.
vlan access-map	Creates a VLAN access map.

archive download-sw

Use the archive download-sw privileged EXEC command to download a new image to the switch and to overwrite or keep the existing image.

archive download-sw {/force-reload | /imageonly | /leave-old-sw | /no-set-boot | /overwrite | /reload | /safe} source-url

Syntax Description

/force-reload	Unconditionally force a system reload after successfully downloading the software image.
/imageonly	Download only the Cisco IOS software image.
/leave-old-sw	Keep the old software version after a successful download.
/no-set-boot	Do not alter the setting of the BOOT environment variable to point to the new software image after it is successfully downloaded.
/overwrite	Overwrite the software image in flash memory with the downloaded one.
/reload	Reload the system after successfully downloading the image unless the configuration has been changed and not been saved.
/safe	Keep the current software image; do not delete it to make room for the new software image before the new image is downloaded. The current image is deleted after the download.
source-url	The source URL alias for a local or network file system. These options are supported: •The syntax for the local flash file system: flash: •The syntax for the FTP: ftp:[[//username[:password]@location]/directory]/image-name.tar •The syntax for the Remote Copy Protocol (RCP): rcp:[[//username@location]/directory]/image-name.tar •The syntax for the TFTP: tftp:[[//location]/directory]/image-name.tar The image-name.tar is the software image to download and install on the switch.

---

Note Though visible in the command-line help strings, the no-version-check keyword is not supported.

---

Defaults

The current software image is not overwritten with the downloaded image.

The new image is downloaded to the flash: file system.

The BOOT environment variable is changed to point to the new software image on the flash: file system.

Image names are case sensitive; the image file is provided in tar format.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

Using the /safe or /leave-old-sw option can cause the new image download to fail if there is insufficient flash memory. If leaving the software in place prevents the new image from fitting in flash memory due to space constraints, an error results.

If you used the /leave-old-sw option and did not overwrite the old image when you downloaded the new one, you can remove the old image by using the delete privileged EXEC command. For more information, see the "delete" section.

Use the /overwrite option to overwrite the image on the flash device with the downloaded one.

If you specify the command without the /overwrite option, the download algorithm verifies that the new image is not the same as the one on the switch flash device. If the images are the same, the download does not occur. If the images are different, the old image is deleted, and the new one is downloaded.

After downloading a new image, enter the reload privileged EXEC command to begin using the new image, or specify the /reload or /force-reload option in the archive download-sw command.

Examples

This example shows how to download a new image from a TFTP server at 172.20.129.10 and overwrite the image on the switch:

Switch# archive download-sw /overwrite tftp://172.20.129.10/test-image.tar 

This example shows how to download only the software image from a TFTP server at 172.20.129.10 to the switch:

Switch# archive download-sw /imageonly tftp://172.20.129.10/test-image.tar 

This example shows how to keep the old software version after a successful download:

Switch# archive download-sw /leave-old-sw tftp://172.20.129.10/test-image.tar 

Related Commands

Command	Description
archive tar	Creates a tar file, lists the files in a tar file, or extracts the files from a tar file.
archive upload-sw	Uploads an existing image on the switch to a server.
delete	Deletes a file or directory on the flash memory device.

archive tar

Use the archive tar privileged EXEC command to create a tar file, list files in a tar file, or extract the files from a tar file.

archive tar {/create destination-url flash:/file-url} | {/table source-url} | {/xtract source-url flash:/file-url [dir/file...]}

Syntax Description

/create destination-url flash:/file-url	Create a new tar file on the local or network file system. For destination-url, specify the destination URL alias for the local or network file system and the name of the tar file to create. These options are supported: •The syntax for the local flash filesystem: flash: •The syntax for the FTP: ftp:[[//username[:password]@location]/directory]/tar-filename.tar •The syntax for the Remote Copy Protocol (RCP) is: rcp:[[//username@location]/directory]/tar-filename.tar •The syntax for the TFTP: tftp:[[//location]/directory]/tar-filename.tar The tar-filename.tar is the tar file to be created. For flash:/file-url, specify the location on the local flash file system from which the new tar file is created. An optional list of files or directories within the source directory can be specified to write to the new tar file. If none are specified, all files and directories at this level are written to the newly created tar file.
/table source-url	Display the contents of an existing tar file to the screen. For source-url, specify the source URL alias for the local or network file system. These options are supported: •The syntax for the local flash file system: flash: •The syntax for the FTP: ftp:[[//username[:password]@location]/directory]/tar-filename.tar •The syntax for the RCP: rcp:[[//username@location]/directory]/tar-filename.tar •The syntax for the TFTP: tftp:[[//location]/directory]/tar-filename.tar The tar-filename.tar is the tar file to display.
/xtract source-url flash:/file-url [dir/file...]	Extract files from a tar file to the local file system. For source-url, specify the source URL alias for the local file system. These options are supported: •The syntax for the local flash file system: flash: •The syntax for the FTP: ftp:[[//username[:password]@location]/directory]/tar-filename.tar •The syntax for the RCP: rcp:[[//username@location]/directory]/tar-filename.tar •The syntax for the TFTP: tftp:[[//location]/directory]/tar-filename.tar The tar-filename.tar is the tar file from which to extract. For flash:/file-url [dir/file...], specify the location on the local flash file system into which the tar file is extracted. Use the dir/file... option to specify an optional list of files or directories within the tar file to be extracted. If none are specified, all files and directories are extracted.

Defaults

None

Command Modes

Privileged EXEC

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

Filenames and directory names are case sensitive.

Image names are case sensitive.

Examples

This example shows how to create a tar file. The command writes the contents of the new-configs directory on the local flash device to a file named saved.tar on the TFTP server at 172.20.10.30.

Switch# archive tar /create tftp:172.20.10.30/saved.tar flash:/new-configs

This example shows how to display the contents of the image-tv0-m.tar file that is in flash memory. The contents of the tar file are displayed on the screen.

Switch# archive tar /table flash:image-tv0-m.tar

info (219 bytes)

image-tv0-mz-121/ (directory)

image-tv0-mz-121/html/ (directory)

image-tv0-mz-121/html/foo.html (0 bytes)

image-tv0-mz-121/image-tv0-mz-121.bin (610856 bytes)

image-tv0-mz-121/info (219 bytes)

info.ver (219 bytes)

This example shows how to display only the image-tv0-mz-121/html directory and its contents:

Switch# archive tar /table flash:image-tv0-m.tar image-tv0-mz-121/html

image-tv0-mz-121/html/ (directory)

image-tv0-mz-121/html/foo.html (0 bytes)

This example shows how to extract the contents of a tar file on the TFTP server at 172.20.10.30. This command extracts just the new-configs directory into the root directory on the local flash file system. The remaining files in the saved.tar file are ignored.

Switch# archive tar /xtract tftp://172.20.10.30/saved.tar flash:/ new-configs

Related Commands

Command	Description
archive download-sw	Downloads a new image to the switch.
archive upload-sw	Uploads an existing image on the switch to a server.

archive upload-sw

Use the archive upload-sw privileged EXEC command to upload an existing switch image to a server.

archive upload-sw destination-url

Syntax Description

destination-url

The destination URL alias for a local or network file system. These options are supported: •The syntax for the local flash file system: flash: •The syntax for the FTP: ftp:[[//username[:password]@location]/directory]/image-name.tar •The syntax for the Remote Copy Protocol (RCP): rcp:[[//username@location]/directory]/image-name.tar •The syntax for the TFTP: tftp:[[//location]/directory]/image-name.tar The image-name.tar is the name of software image to be stored on the server.

Defaults

Uploads the currently running image from the flash: file system.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

The files are uploaded in this sequence: the Cisco IOS image and the info file. After these files are uploaded, the software creates the tar file.

Image names are case sensitive.

Examples

This example shows how to upload the currently running image to a TFTP server at 172.20.140.2:

Switch# archive upload-sw tftp://172.20.140.2/test-image.tar 

Related Commands

Command	Description
archive download-sw	Downloads a new image to the switch.
archive tar	Creates a tar file, lists the files in a tar file, or extracts the files from a tar file.

arp access-list

Use the arp access-list global configuration command on the switch stack or on a standalone switch to define an Address Resolution Protocol (ARP) access control list (ACL) or to add clauses to the end of a previously defined list. Use the no form of this command to delete the specified ARP access list.

arp access-list acl-name

no arp access-list acl-name

This command is available only if your switch is running the enhanced multilayer image (EMI).

Syntax Description

acl-name

Name of the ACL.

Defaults

No ARP access lists are defined.

Command Modes

Global configuration

Command History

Release	Modification
12.2(25)EY	This command was introduced.

Usage Guidelines

After entering the arp access-list command, you enter ARP access-list configuration mode, and these configuration commands are available:

•default: returns a command to its default setting.

•deny: specifies packets to reject. For more information, see the "deny (ARP access-list configuration)" section.

•exit: exits ARP access-list configuration mode.

•no: negates a command or returns to default settings.

•permit: specifies packets to forward. For more information, see the "permit (ARP access-list configuration)" section.

Use the permit and deny access-list configuration commands to forward and to drop ARP packets based on the specified matching criteria.

When the ARP ACL is defined, you can apply it to a VLAN by using the ip arp inspection filter vlan global configuration command. ARP packets containing only IP-to-MAC address bindings are compared to the ACL. All other types of packets are bridged in the ingress VLAN without validation. If the ACL permits a packet, the switch forwards it. If the ACL denies a packet because of an explicit deny statement, the switch drops the packet. If the ACL denies a packet because of an implicit deny statement, the switch compares the packet to the list of DHCP bindings (unless the ACL is static, which means that packets are not compared to the bindings).

Examples

This example shows how to define an ARP access list and to permit both ARP requests and ARP responses from a host with an IP address of 1.1.1.1 and a MAC address of 0000.0000.abcd:

Switch(config)# arp access-list static-hosts

Switch(config-arp-nacl)# permit ip host 1.1.1.1 mac host 00001.0000.abcd

Switch(config-arp-nacl)# end

You can verify your settings by entering the show arp access-list privileged EXEC command.

Related Commands

Command	Description
deny (ARP access-list configuration)	Denies an ARP packet based on matches compared against the DHCP bindings.
ip arp inspection filter vlan	Permits ARP requests and responses from a host configured with a static IP address.
permit (MAC-access list configuration)	Permits an ARP packet based on matches compared against the DHCP bindings.
show arp access-list	Displays detailed information about ARP access lists.

auto qos voip

Use the auto qos voip interface configuration command to automatically configure quality of service (QoS) for voice over IP (VoIP) within a QoS domain. Use the no form of this command to return to the default setting.

auto qos voip {cisco-phone | cisco-softphone | trust}

no auto qos voip [cisco-phone | cisco-softphone | trust]

Syntax Description

cisco-phone	Identify this port as connected to a Cisco IP phone, and automatically configure QoS for VoIP. The QoS labels of inbound packets are trusted only when the phone is detected.
cisco-softphone	Identify this port as connected to a device running the Cisco SoftPhone, and automatically configure QoS for VoIP.
trust	Identify this port as connected to a trusted switch or router, and automatically configure QoS for VoIP. The QoS labels of inbound packets are trusted. For nonrouted ports, the class of service (CoS) value of the inbound packet is trusted. For routed ports, the Differentiated Services Code Point (DSCP) value is trusted.

Defaults

Auto-QoS is disabled on the port.

When auto-QoS is enabled, it uses the ingress packet label to categorize traffic, to assign packet labels, and to configure the ingress queues and egress queue-sets. Table 2-1 shows the default settings.

Table 2-1 Traffic Types, Packet Labels, and Queues

	VoIP Data Traffic	VoIP Control Traffic	Routing Protocol Traffic	STP1 BPDU2 Traffic	Real-Time Video Traffic	All Other Traffic
DSCP3	46	24, 26	48	56	34	-
CoS4	5	3	6	7	3	-
CoS-to-Ingress Queue Map	2, 3, 4, 5, 6, 7 (queue 2)					0, 1 (queue 1)
CoS-to-Egress Queue Map	5 (queue 1)	3, 6, 7 (queue 2)			4 (queue 3)	2 (queue 3)	0, 1 (queue 4)

1 STP = Spanning Tree Protocol 2 BPDU = bridge protocol data unit 3 DSCP = Differentiated Services Code Point 4 CoS = class of service

Table 2-2 shows the generated auto-QoS configuration for the ingress queues.

Table 2-2 Auto-QoS Configuration for the Ingress Queues

Ingress Queue	Queue Number	CoS-to-Queue Map	Queue Weight (Bandwidth)	Queue (Buffer) Size
SRR1 shared	1	0, 1	81 percent	67 percent
Priority	2	2, 3, 4, 5, 6, 7	19 percent	33 percent

1 SRR = shaped round robin. Ingress queues support shared mode only.

Table 2-3 shows the generated auto-QoS configuration for the egress queue-set.

Table 2-3 Auto-QoS Configuration for the Egress Queue-Set

Egress Queue1	Queue Number in the Queue-Set	CoS-to-Queue Map	Queue Weight (Bandwidth)	Queue (Buffer) Size
Priority (shaped)	1	5	10 percent	10 percent
SRR shared	2	3, 6, 7	10 percent	10 percent
SRR shared	3	2, 4	60 percent	26 percent
SRR shared	4	0, 1	20 percent	54 percent

1 On an enhanced-services (ES) port, the srr-queue bandwidth shape interface configuration command is not part of the generated auto qos voip command list.

Command Modes

Interface configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.
12.2(25)EY	The cisco-softphone keyword was added, and the generated auto-QoS configuration changed.

Usage Guidelines

Use this command to configure the QoS appropriate for VoIP traffic within the QoS domain. The QoS domain includes the switch, the interior of the network, and edge devices that can classify inbound traffic for QoS.

In releases earlier than Cisco IOS Release 12.2(25)EY, auto-QoS configures the switch only for VoIP with Cisco IP Phones on switch ports.

In Cisco IOS Release 12.2(25)EY or later, auto-QoS configures the switch for VoIP with Cisco IP Phones on switch and routed ports and for VoIP with devices running the Cisco SoftPhone application. These releases support only Cisco IP SoftPhone Version 1.3(3) or later. Connected devices must use Cisco Call Manager Version 4 or later.

To take advantage of the auto-QoS defaults, you should enable auto-QoS before you configure other QoS commands. You can fine-tune the auto-QoS configuration after you enable auto-QoS.

---

Note The switch applies the auto-QoS-generated commands as if the commands were entered from the command-line interface (CLI). An existing user configuration can cause the application of the generated commands to fail, or the user configuration might be overridden by the generated commands. These actions occur without warning. If all the generated commands are successfully applied, any user-entered configuration that was not overridden remains in the running configuration. Any user-entered configuration that was overridden can be retrieved by reloading the switch without saving the current configuration to memory. If the generated commands are not applied, the previous running configuration is restored.

---

If this is the first port on which you have enabled auto-QoS, the auto-QoS-generated global configuration commands are executed, followed by the interface configuration commands. If you enable auto-QoS on another port, only the auto-QoS-generated interface configuration commands for that port are executed.

When you enable the auto-QoS feature on the first port, these automatic actions occur:

•QoS is globally enabled (mls qos global configuration command), and other global configuration commands are added.

•When you enter the auto qos voip cisco-phone interface configuration command on a port at the edge of the network that is connected to a Cisco IP phone, the switch enables the trusted boundary feature. The switch uses the Cisco Discovery Protocol (CDP) to detect the presence or absence of a Cisco IP phone. When a Cisco IP phone is detected, the ingress classification on the port is set to trust the QoS label received in the packet. When a Cisco IP phone is absent, the ingress classification is set to not trust the QoS label in the packet. The switch configures ingress queues and the egress queue-set on the port according to the settings in Table 2-2 and Table 2-3.

•When you enter the auto qos voip cisco-softphone interface configuration command on a port at the edge of the network that is connected to a device running the Cisco SoftPhone, the switch uses policing to decide whether a packet is in or out of profile and to specify the action on the packet. If the packet does not have a DSCP value of 24, 26, or 46 or is out of profile, the switch changes the DSCP value to 0. The switch configures ingress and egress queues on the port according to the settings in Table 2-2 and Table 2-3.

•When you enter the auto qos voip trust interface configuration command on a port connected to the interior of the network, the switch trusts the CoS value for nonrouted ports or the DSCP value for routed ports in ingress packets (the assumption is that traffic has already been classified by other edge devices). The switch configures the ingress queues and the egress queue-set on the port according to the settings in Table 2-2 and Table 2-3.

You can enable auto-QoS on static, dynamic-access, voice VLAN access, and trunk ports. When enabling auto-QoS with a Cisco IP Phone on a routed port, you must assign a static IP address to the IP phone.

To display the QoS commands that are automatically generated when auto-QoS is enabled or disabled, enable debugging before you enable auto-QoS. Use the debug auto qos privileged EXEC command to enable auto-QoS debugging. For more information, see the debug auto qos command.

---

Note When a device running Cisco SoftPhone is connected to a switch or routed port, the switch supports only one Cisco SoftPhone application per port.

---

After auto-QoS is enabled, do not modify a policy map or aggregate policer that includes AutoQoS in its name. If you need to modify the policy map or aggregate policer, make a copy of it, and change the copied policy map or policer. To use the new policy map instead of the generated one, remove the generated policy map from the interface, and apply the new policy map.

To disable auto-QoS on a port, use the no auto qos voip interface configuration command. Only the auto-QoS-generated interface configuration commands for this port are removed. If this is the last port on which auto-QoS is enabled and you enter the no auto qos voip command, auto-QoS is considered disabled even though the auto-QoS-generated global configuration commands remain (to avoid disrupting traffic on other ports affected by the global configuration). You can use the no mls qos global configuration command to disable the auto-QoS-generated global configuration commands. With QoS disabled, there is no concept of trusted or untrusted ports because the packets are not modified (the CoS, DSCP, and IP precedence values in the packet are not changed). Traffic is switched in pass-through mode (packets are switched without any rewrites and classified as best effort without any policing).

On a port on which the auto qos voip command is enabled, the queue-set ID that is generated depends on the interface:

•For a Fast Ethernet interface, auto-QoS generates queue-set 1 (which is the default).

•For a Gigabit Ethernet interface, auto-QoS generates queue-set 2.

Examples

This example shows how to enable auto-QoS on a port and to trust the QoS labels received in inbound packets when the switch or router connected to a port is a trusted device:

Switch(config)# interface gigabitethernet1/0/1

Switch(config-if)# auto qos voip trust

You can verify your settings by entering the show auto qos interface interface-id privileged EXEC command.

Related Commands

Command	Description
debug auto qos	Enables debugging of the auto-QoS feature.
mls qos cos	Defines the default CoS value of a port or assigns the default CoS to all inbound packets on the port.
mls qos map {cos-dscp dscp1 ... dscp8 | dscp-cos dscp-list to cos}	Defines the CoS-to-DSCP map or the DSCP-to-CoS map.
mls qos queue-set output buffers	Allocates buffers to a queue-set.
mls qos srr-queue input bandwidth	Assigns SRR weights to an ingress queue.
mls qos srr-queue input buffers	Allocates the buffers between the ingress queues.
mls qos srr-queue input cos-map	Maps CoS values to an ingress queue or maps CoS values to a queue and to a threshold ID.
mls qos srr-queue input dscp-map	Maps DSCP values to an ingress queue or maps DSCP values to a queue and to a threshold ID.
mls qos srr-queue input priority-queue	Configures the ingress priority queue and guarantees bandwidth.
mls qos srr-queue output cos-map	Maps CoS values to an egress queue or maps CoS values to a queue and to a threshold ID.
mls qos srr-queue output dscp-map	Maps DSCP values to an egress queue or maps DSCP values to a queue and to a threshold ID.
mls qos trust	Configures the port trust state.
queue-set	Maps a port to a queue-set.
show auto qos	Displays the initial configuration that is generated by the auto-QoS feature.
show mls qos interface	Displays QoS information at the port level.
srr-queue bandwidth shape	Assigns the shaped weights and enables bandwidth shaping on the four egress queues mapped to a standard port.
srr-queue bandwidth share	Assigns the shared weights and enables bandwidth sharing on the four egress queues mapped to a port.

bandwidth

Use the bandwidth policy-map class configuration command to specify or modify the minimum bandwidth provided to a class belonging to a hierarchical policy map attached to an enhanced-services (ES) port. Use the no form of this command to return to the default setting.

bandwidth {bandwidth-kbps | percent percent}

no bandwidth

Syntax Description

bandwidth-kbps	Amount of bandwidth in kbps assigned to the class. The range is 200 to 2000000. Allocate the bandwidth in 100-kbps increments; otherwise, the software rounds down the bandwidth to the nearest 100-kbps increment.
percent percent	Percentage of available bandwidth assigned to the parent class. The range is 1 to 100.

Defaults

No bandwidth is specified.

Command Modes

Policy-map class configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.
12.2(25)EY	Hierarchical service policies can be applied to inbound traffic received on an ES port.

Usage Guidelines

Use the bandwidth command only in a hierarchical policy map attached to an ES port. This command is not valid for the class-default class in a physical-level policy map.

Use the bandwidth command when you configure a policy map for a class defined by the class-map global configuration command. The bandwidth command specifies the minimum bandwidth for traffic in that class when there is traffic congestion in the switch. If the switch is not congested, the class receives more bandwidth than you specify with this command. Class-based weighted fair queueing (CBWFQ) derives the weight for packets belonging to the class from the bandwidth allocated to the class. CBWFQ then uses the weight to ensure that the queue for the class is serviced fairly.

---

Note It is important to remember that hard bandwidth guarantees might not be provided and that only relative bandwidths are assured. That is, class bandwidths are always proportional to the specified percentages of the port bandwidth. When the link bandwidth is fixed, class bandwidth guarantees are in proportion to the configured percentages.

---

These restrictions apply to the bandwidth command:

•If the percent keyword is used, the sum of the class bandwidth percentages within a single policy map cannot exceed 99 percent. Percentage calculations are based on the bandwidth available at the parent class (or the port if it is the parent).

•The amount of bandwidth available to a class is dependent on the amount of bandwidth reserved by the parent class.

•The amount of bandwidth configured should be large enough to accommodate Layer 2 overhead.

•A policy map can have all the class bandwidths specified in either kbps or in percentages, but not a mix of both. You cannot specify bandwidth in kbps in a child policy (configured through the service-policy policy-map class configuration command) and then specify bandwidth as a percentage in the parent policy.

•You cannot use the bandwidth command for the class-default class map in a physical-level policy map.

•Though visible in the command-line interface, the max-reserved-bandwidth interface configuration command and the bandwidth interface configuration command are not supported on the ES ports.

When you configure the bandwidth command in a class policy, you must also configure the bandwidth or shape policy-map class configuration command in the parent VLAN-level policy.

You must configure the bandwidth or the shape policy-map class configuration command before you configure either the queue-limit or the random-detect policy-map class configuration command in a class policy.

You cannot use the bandwidth, queue-limit, random-detect, and the shape policy-map class configuration commands with the priority policy-map class configuration command in the same class within the same policy map. However, you can use these commands in the same policy map.

When you use the service-policy interface configuration command to attach the policy map containing class configurations to an ES port, the switch determines the available bandwidth.

Examples

This example shows how to set the minimum bandwidth to 2000 kbps for a class called silver-class. The class already exists in the switch configuration.

Switch(config)# policy-map polmap6 

Switch(config-pmap)# class silver-class

Switch(config-pmap-c)# bandwidth 2000

This example shows how to guarantee 30 percent of the bandwidth for class1 and 25 percent of the bandwidth for class2 when CBWFQ is configured. A policy map with two classes is created and is then attached to an ES port.

Switch(config)# policy-map policy1 

Switch(config-pmap)# class class1 

Switch(config-pmap-c)# bandwidth percent 50 

Switch(config-pmap-c)# exit 

Switch(config-pmap)# class class2 

Switch(config-pmap-c)# bandwidth percent 25 

Switch(config-pmap-c)# exit 

Switch(config-pmap)# end 

Switch(config)# interface gigabitethernet1/1/1

Switch(config-if)# service-policy input policy1 

This example shows how bandwidth is guaranteed if low-latency queueing (LLQ) and CBWFQ are configured. In this example, LLQ is enabled in a class called voice1.

Switch(config)# policy-map policy1 

Switch(config-pmap)# class class1 

Switch(config-pmap-c)# bandwidth percent 50 

Switch(config-pmap-c)# exit 

Switch(config-pmap)# class class2 

Switch(config-pmap-c)# bandwidth percent 25 

Switch(config-pmap-c)# exit 

Switch(config-pmap)# class voice1 

Switch(config-pmap-c)# priority

Switch(config-pmap-c)# exit 

Switch(config-pmap)# end 

Switch(config)# interface gigabitethernet1/1/1

Switch(config-if)# service-policy output policy1 

You can verify your settings by entering the show policy-map privileged EXEC command.

Related Commands

Command	Description
class	Specifies the name of the class whose traffic policy you want to create or change.
policy-map	Creates or modifies a policy map that can be attached to multiple ports to specify a service policy.
priority	Enables the strict-priority queue and gives priority to a class of traffic belonging to a policy map attached to an ES port.
queue-limit	Configures the maximum threshold for tail drop in a policy map attached to an ES port.
random-detect	Configures Weighted Random Early Detection (WRED) in a policy map attached to an ES port.
service-policy (policy-map class)	Creates a service policy as a quality of service (QoS) policy within a policy map.
shape	Enables traffic shaping in a policy map attached to an ES port.
show policy-map	Displays QoS policy maps.

boot config-file

Use the boot config-file global configuration command to specify the filename that software uses to read and write a nonvolatile copy of the system configuration. Use the no form of this command to return to the default setting.

boot config-file flash:/file-url

no boot config-file

Syntax Description

flash:/file-url

The path (directory) and name of the configuration file.

Defaults

The default configuration file is flash:config.text.

Command Modes

Global configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

Filenames and directory names are case sensitive.

This command changes the setting of the CONFIG_FILE environment variable. For more information, see Appendix A, "Catalyst 3750 Metro Switch Boot Loader Commands."

Related Commands

Command	Description
show boot	Displays the settings of the boot environment variables.

boot enable-break

Use the boot enable-break global configuration command to enable interrupting the automatic boot process. Use the no form of this command to return to the default setting.

boot enable-break

no boot enable-break

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled. The automatic boot process cannot be interrupted by pressing the Break key on the console.

Command Modes

Global configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

When you enter this command, you can interrupt the automatic boot process by pressing the Break key on the console after the flash file system is initialized.

---

Note Despite the setting of this command, you can interrupt the automatic boot process at any time by pressing the MODE button on the switch front panel.

---

This command changes the setting of the ENABLE_BREAK environment variable. For more information, see Appendix A, "Catalyst 3750 Metro Switch Boot Loader Commands."

Related Commands

Command	Description
show boot	Displays the settings of the boot environment variables.

boot helper

Use the boot helper global configuration command to dynamically load files during boot loader initialization to extend or patch the functionality of the boot loader. Use the no form of this command to return to the default.

boot helper filesystem:/file-url ...

no boot helper

Syntax Description

filesystem:	Alias for a flash file system. Use flash: for the system board flash device.
/file-url	The path (directory) and a list of loadable files to dynamically load during loader initialization. Separate each image name with a semicolon.

Defaults

No helper files are loaded.

Command Modes

Global configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

This variable is used only for internal development and testing.

Filenames and directory names are case sensitive.

This command changes the setting of the HELPER environment variable. For more information, see Appendix A, "Catalyst 3750 Metro Switch Boot Loader Commands."

Related Commands

Command	Description
show boot	Displays the settings of the boot environment variables.

boot helper-config-file

Use the boot helper-config-file global configuration command to specify the name of the configuration file to be used by the helper image. If this is not set, the file specified by the CONFIG_FILE environment variable is used by all versions of software that are loaded. Use the no form of this command to return to the default setting.

boot helper-config-file filesystem:/file-url

no boot helper-config file

Syntax Description

filesystem:	Alias for a flash file system. Use flash: for the system board flash device.
/file-url	The path (directory) and helper configuration file to load.

Defaults

No helper configuration file is specified.

Command Modes

Global configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

This variable is used only for internal development and testing.

Filenames and directory names are case sensitive.

This command changes the setting of the HELPER_CONFIG_FILE environment variable. For more information, see Appendix A, "Catalyst 3750 Metro Switch Boot Loader Commands."

Related Commands

Command	Description
show boot	Displays the settings of the boot environment variables.

boot manual

Use the boot manual global configuration command to enable manually booting the switch during the next boot cycle. Use the no form of this command to return to the default setting.

boot manual

no boot manual

Syntax Description

This command has no arguments or keywords.

Defaults

Manual booting is disabled.

Command Modes

Global configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

The next time you reboot the system, the switch is in boot loader mode, which is shown by the switch: prompt. To boot the system, use the boot boot loader command, and specify the name of the bootable image.

This command changes the setting of the MANUAL_BOOT environment variable. For more information, see Appendix A, "Catalyst 3750 Metro Switch Boot Loader Commands."

Related Commands

Command	Description
show boot	Displays the settings of the boot environment variables.

boot private-config-file

Use the boot private-config-file global configuration command to specify the filename that software uses to read and write a nonvolatile copy of the private configuration. Use the no form of this command to return to the default setting.

boot private-config-file filename

no boot private-config-file

Syntax Description

filename

The name of the private configuration file.

Defaults

The default configuration file is private-config.

Command Modes

Global configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

Filenames are case sensitive.

Examples

This example shows how to specify the name of the private configuration file to be pconfig:

Switch(config)# boot private-config-file pconfig

Related Commands

Command	Description
show boot	Displays the settings of the boot environment variables.

boot system

Use the boot system global configuration command to specify the image to load during the next boot cycle. Use the no form of this command to return to the default setting.

boot system filesystem:/file-url ...

no boot system

Syntax Description

filesystem:	Alias for a flash file system. Use flash: for the system board flash device.
/file-url	The path (directory) and name of a bootable image. Separate image names with a semicolon.

Defaults

The switch attempts to automatically boot the system by using information in the BOOT environment variable. If this variable is not set, the switch attempts to load and execute the first executable image it can by performing a recursive, depth-first search throughout the flash file system. In a depth-first search of a directory, each encountered subdirectory is completely searched before continuing the search in the original directory.

Command Modes

Global configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

Filenames and directory names are case sensitive.

If you are using the archive download-sw privileged EXEC command to maintain system images, you never need to use the boot system command. The boot system command is automatically manipulated to load the downloaded image.

This command changes the setting of the BOOT environment variable. For more information, see Appendix A, "Catalyst 3750 Metro Switch Boot Loader Commands."

Related Commands

Command	Description
show boot	Displays the settings of the boot environment variables.

channel-group

Use the channel-group interface configuration command to assign a port to an EtherChannel group and to enable an EtherChannel mode. Use the no form of this command to remove a port from an EtherChannel group.

channel-group channel-group-number mode {active | {auto [non-silent]} | {desirable [non-silent]} | on | passive}

no channel-group

PAgP modes:
channel-group channel-group-number mode {{auto [non-silent]} | {desirable [non-silent}}

LACP modes:
channel-group channel-group-number mode {active | passive}

On mode:
channel-group channel-group-number mode on

Syntax Description

channel-group-number	Specify the channel group number. The range is 1 to 12.
mode	Specify the EtherChannel mode of the port.
active	Unconditionally enable Link Aggregation Protocol (LACP). Active mode places a port into a negotiating state in which the port initiates negotiations with other ports by sending LACP packets. A channel is formed with another port group in either the active or passive mode.
auto	Enable the Port Aggregation Protocol (PAgP) only if a PAgP device is detected. Auto mode places a port into a passive negotiating state in which the port responds to PAgP packets it receives but does not start PAgP packet negotiation. A channel is formed only with another port group in desirable mode. When auto is enabled, silent operation is the default.
desirable	Unconditionally enable PAgP. Desirable mode places a port into an active negotiating state in which the port starts negotiations with other ports by sending PAgP packets. A channel is formed with another port group in either the desirable or auto mode. When desirable is enabled, silent operation is the default.
non-silent	(Optional) Used with the auto or desirable keyword when traffic is expected from the other device.
on	Enable on mode. In on mode, a usable EtherChannel exists only when both connected port groups are in the on mode.
passive	Enable LACP only if a LACP device is detected. Passive mode places a port into a negotiating state in which the port responds to LACP packets it receives but does not initiate LACP packet negotiation. A channel is formed only with another port group in active mode.

Defaults

No channel groups are assigned.

No mode is configured.

Command Modes

Interface configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

For Layer 2 EtherChannels, you do not have to create a port-channel first by using the interface port-channel global configuration command before assigning a physical port to a channel group. Instead, you can use the channel-group interface configuration command. It automatically creates the port-channel when the channel group gets its first physical port if the logical interface is not already created. If you create the port-channel first, the channel-group-number can be the same as the port-channel-number, or you can use a new number. If you use a new number, the channel-group command dynamically creates a new port channel.

You do not have to disable the IP address that is assigned to a physical port that is part of a channel group, but we strongly recommend that you do so.

You create Layer 3 port channels by using the interface port-channel command followed by the no switchport interface configuration command. You should manually configure the port-channel logical interface before putting the interface into the channel group.

After you configure an EtherChannel, configuration changes that you make on the port-channel apply to all the physical ports assigned to the port-channel. Configuration changes applied to the physical port affect only the port where you apply the configuration. To change the parameters of all ports in an EtherChannel, apply configuration commands to the port-channel, for example, spanning-tree commands or commands to configure a Layer 2 EtherChannel as a trunk.

If you do not specify non-silent with the auto or desirable mode, silent is assumed. The silent mode is used when the switch is connected to a device that is not PAgP-capable and seldom, if ever, sends packets. A example of a silent partner is a file server or a packet analyzer that is not generating traffic. In this case, running PAgP on a physical port prevents that port from ever becoming operational. However, it allows PAgP to operate, to attach the port to a channel group, and to use the port for transmission. Both ends of the link cannot be set to silent.

With the on mode, a usable EtherChannel exists only when a port group in the on mode is connected to another port group in the on mode.

---

Caution You should use care when using the on mode. This is a manual configuration, and ports on both ends of the EtherChannel must have the same configuration. If the group is misconfigured, packet loss or spanning-tree loops can occur.

---

---

Note Enhanced-services (ES) port cannot be bundled with non ES ports.

---

Do not configure an EtherChannel in both the PAgP and LACP modes. EtherChannel groups running PAgP and LACP can coexist on the same switch. Individual EtherChannel groups can run either PAgP or LACP, but they cannot interoperate.

If you set the protocol by using the channel-protocol interface configuration command, the setting is not overridden by the channel-group interface configuration command

Do not configure a port that is an active member of an EtherChannel as an 802.1x port. If 802.1x is enabled on a not-yet active port of an EtherChannel, the port does not join the EtherChannel.

---

Note If 802.1x is enabled on a not-yet active port of an EtherChannel in software releases earlier than Cisco IOS Release 12.2(25)EY, the port does not join the EtherChannel.

---

Do not configure a secure port as part of an EtherChannel or an EtherChannel port as a secure port.

For a complete list of configuration guidelines, see the "Configuring EtherChannels" chapter in the software guide for this release.

---

Caution Do not enable Layer 3 addresses on the physical EtherChannel ports. Do not assign bridge groups on the physical EtherChannel ports because it creates loops.

---

Examples

This example shows how to configure EtherChannel. It assigns ports as static-access ports in VLAN 10 to channel 5 with the PAgP mode desirable.

Switch# configure terminal 

Switch(config)# interface range fastethernet1/0/4 -5 

Switch(config-if-range)# switchport mode access

Switch(config-if-range)# switchport access vlan 10

Switch(config-if-range)# channel-group 5 mode desirable 

Switch(config-if-range)# end 

This example shows how to configure EtherChannel. It assigns ports as static-access ports in VLAN 10 to channel 5 with the LACP mode active.

Switch# configure terminal 

Switch(config)# interface range fastethernet1/0/4 -5 

Switch(config-if-range)# switchport mode access

Switch(config-if-range)# switchport access vlan 10

Switch(config-if-range)# channel-group 5 mode active 

Switch(config-if-range)# end 

You can verify your settings by entering the show running-config privileged EXEC command.

Related Commands

Command	Description
channel-protocol	Restricts the protocol used on a port to manage channeling.
interface port-channel	Accesses or creates the port channel.
show etherchannel	Displays EtherChannel information for a channel.
show lacp	Displays LACP channel-group information.
show pagp	Displays PAgP channel-group information.
show running-config	Displays the operating configuration. For syntax information, use this link to the Cisco IOS Release 12.2 Command Reference listing page: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/prod_command_reference_list.html Select the Cisco IOS Commands Master List, Release 12.2 to navigate to the command.

channel-protocol

Use the channel-protocol interface configuration command to restrict the protocol used on a port to manage channeling. Use the no form of this command to return to the default setting.

channel-protocol {lacp | pagp}

no channel-protocol

Syntax Description

lacp	Configure an EtherChannel with the Link Aggregation Control Protocol (LACP).
pagp	Configure an EtherChannel with the Port Aggregation Protocol (PAgP).

Defaults

No protocol is assigned to the EtherChannel.

Command Modes

Interface configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

Use the channel-protocol command only to restrict a channel to LACP or PAgP. If you set the protocol by using the channel-protocol command, the setting is not overridden by the channel-group interface configuration command.

You must use the channel-group interface configuration command to configure the EtherChannel parameters. The channel-group command also can set the mode for the EtherChannel.

You cannot enable both the PAgP and LACP modes on an EtherChannel group.

PAgP and LACP are not compatible; both ends of a channel must use the same protocol.

Examples

This example shows how to specify LACP as the protocol that manages the EtherChannel:

Switch(config-if)# channel-protocol lacp

You can verify your settings by entering the show etherchannel [channel-group-number] protocol privileged EXEC command.

Related Commands

Command	Description
channel-group	Assigns an Ethernet port to an EtherChannel group.
show etherchannel protocol	Displays protocol information the EtherChannel.

class

Use the class policy-map configuration command to specify the name of the class whose traffic policy you want to create or change. Use the no form of this command to delete an existing class from a policy map.

class {class-map-name | class-default}

no class {class-map-name | class-default}

Syntax Description

class-map-name	Name of the class map.
class-default	System default class that matches unclassified packets.

Defaults

No classes are defined.

Command Modes

Policy-map configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.
12.2(55)SE	The class-default keyword was added.

Usage Guidelines

Before using the class command, you must create a class map for matching packets to the class by using the class-map global configuration command. You also must use the policy-map global configuration command to identify the policy map and to enter policy-map configuration mode. After specifying a policy map, you can configure a traffic policy for new classes or modify a traffic policy for any existing classes in that policy map. The class name that you specify with the class command in the policy map ties the characteristics for that class—that is, its policy—to the class map and its match criteria, as configured through the class-map global configuration command. You attach the policy map to a port by using the service-policy interface configuration command.

After you enter the class command, the switch enters policy-map class configuration mode, and these configuration commands are available:

•bandwidth: specifies or modifies the minimum bandwidth provided to a class belonging to a policy map. For more information, see the bandwidth command. This command is effective only in a hierarchical policy map attached to an enhanced-services (ES) port.

•exit: exits policy-map class configuration mode and returns to policy-map configuration mode.

•no: returns a command to its default setting.

•police: configures a single-rate policer, an aggregate policer, or a two-rate traffic policer that uses the committed information rate (CIR) and the peak information rate (PIR) for a class of traffic. The policer specifies the bandwidth limitations and the action to take when the limits are exceeded. For more information, see the police and police aggregate commands. For more information about the two-rate policer, see the police cir and the police cir percent command. The two-rate traffic policer commands are effective only in a hierarchical policy map attached to an ES port.

•priority: enables the priority queue (low-latency queueing [LLQ]) for a class of traffic. For more information, see the priority command. This command is effective only in a hierarchical policy map attached to an ES port.

•queue-limit: configures the maximum packet threshold for tail drop for a class configured in a policy map attached to an ES port. For more information, see the queue-limit command. This command is effective only in a hierarchical policy map attached to an ES port.

•random-detect: configures Weighted Random Early Detection (WRED) as a drop policy. For more information, see the random-detect command. This command is effective only in a hierarchical policy map attached to an ES port.

•service-policy: creates a service policy as a quality of service (QoS) policy within a policy map (called a hierarchical service policy). For more information, see the service-policy (policy-map class) command. This command is effective only in a hierarchical policy map attached to an ES port.

•set: classifies IP traffic by setting a class of service (CoS), a Differentiated Services Code Point (DSCP), an IP-precedence, or the multiprotocol label switching (MPLS) experimental (EXP) bits in the packet. For more information, see the set command. Some keywords are effective only in a hierarchical policy map attached to an ES port.

•shape: sets the token bucket committed information rate (CIR) in a policy map. For more information, see the shape command. This command is effective only in a hierarchical policy map attached to an ES port.

•trust: defines a trust state for a traffic class. For more information, see the trust command.

The switch supports up to eight classes, including the default class, in a policy map. Packets that fail to meet any of the matching criteria are classified as members of the default traffic class. You configure the default traffic class by specifying class-default as the class name in the class policy-map class configuration command. You can manipulate the default traffic class (for example, set policies to police or to shape it) just like any other traffic class, but you cannot delete it.

Within a policy map, the class-default applies to all traffic that is not explicitly matched within the policy map but that does match the parent policy. If no parent policy is configured, the parent policy represents the physical port. In the physical-level policy map, class-default is the only class that can be configured.

In a hierarchical policy map attached to an ES port, you define a class policy to use either tail drop or WRED packet drop by using either the queue-limit policy-map class configuration command or the random-detect policy-map class configuration command, respectively. You cannot use the queue-limit and random-detect commands in the same class policy, but they can be used in two class policies in the same policy map.

In a hierarchical policy map attached to an ES port, you must configure the bandwidth or the shape policy-map class configuration command before you configure either the queue-limit or the random-detect policy-map class configuration command in a class policy.

When you configure a policy for a class, specify its bandwidth, and attach the policy map to an ES port, class-based weighted fair queueing (CBWFQ) determines if the bandwidth requirement of the class can be satisfied. If so, CBWFQ creates the necessary internal data structures to maintain the state for the class and allocates a queue for it. If CBWFQ decides that the bandwidth requirement for the class cannot be satisfied, an error message appears, and the policy is not attached. When a class is removed, available bandwidth for the port is incremented by the amount previously allocated to the class.

To return to policy-map configuration mode, use the exit command. To return to privileged EXEC mode, use the end command.

You can configure a default class by using the class class-default policy-map configuration command. Unclassified traffic (traffic that does not meet the match criteria specified in the traffic classes) is treated as default traffic.

Examples

This example shows how to create a policy map called policy1. When attached to an ingress port, the policy matches all the inbound traffic defined in class1, sets the IP DSCP to 10, and polices the traffic at an average rate of 1 Mbps and bursts of 20 KB. Traffic exceeding the profile is marked down to a Traffic exceeding the profile is marked down to a DSCP value obtained from the policed-DSCP map and then sent.

Switch(config)# class-map class1

Switch(config-cmap)# exit

Switch(config)# policy-map policy1

Switch(config-pmap)# class class1

Switch(config-pmap-c)# set ip dscp 10

Switch(config-pmap-c)# police 1000000 20000 exceed-action policed-dscp-transmit

Switch(config-pmap-c)# exit

Switch(config-pmap)# exit

Switch(config)# interface fastethernet1/0/4

Switch(config-if)# service-policy input policy1

This example configures two class policies included in the egress policy map called policy1. Class1 specifies a policy for 802.1Q tunneling traffic that matches packets based on the outer VLAN ID (VLAN 2) and the inner VLAN IDs (3 to 8).

Switch(config)# class-map match-all class1 

Switch(config-cmap)# match vlan 2

Switch(config-cmap)# match vlan inner 3 - 8

Switch(config-cmap)# exit

Switch(config)# policy-map policy1 

Switch(config-pmap)# class class1 

Switch(config-pmap-c)# bandwidth 2000 

Switch(config-pmap-c)# queue-limit 40 

Switch(config-pmap-c)# exit 

Switch(config-pmap)# exit

Switch(config)# interface gigabitethernet1/1/1

Switch(config-if)# service-policy output policy1

For class1, a minimum of 2000 kbps of bandwidth is expected to be delivered to this class in the event of congestion. The queue reserved for this class can contain 40 packets before tail drop occurs.

This example shows how to shape the default class. This configuration associates a class-level policy map with a VLAN-level policy map and then associates the VLAN-level policy map with a physical-level policy map.

Switch(config)# class-map my-class

Switch(config-cmap)# match ip precedence 1

Switch(config-cmap)# exit

Switch(config)# class-map my-logical-class

Switch(config-cmap)# match vlan 5

Switch(config-cmap)# exit

Switch(config)# policy-map my-class-policy

Switch(config-pmap)# class my-class

Switch(config-pmap-c)# set ip precedence 2

Switch(config-pmap-c)# exit

Switch(config-pmap)# exit

Switch(config)# policy-map my-logical-policy

Switch(config-pmap)# class my-logical-class

Switch(config-pmap-c)# shape average 400000000

Switch(config-pmap-c)# service-policy my-class-policy

Switch(config-pmap-c)# exit

Switch(config-pmap)# exit

Switch(config)# policy-map my-physical-policy

Switch(config-pmap)# class class-default

Switch(config-pmap-c)# shape average 500000000

Switch(config-pmap-c)# service-policy my-logical-policy

This example shows how to create a hierarchical class-level policy map with two traffic classes. One of the classes has a class-level classification and a two-rate policer, and the other is the default traffic class. Packets that fail to meet the matching criteria are classified as members of the default traffic class, and the IP precedence in this traffic is reset to 0.

Switch(config)# class-map match-all classprece1

Switch(config-cmap)# match ip precedence 1

Switch(config-cmap)# exit

Switch-config)# policy-map precedencepolice

Switch(config-pmap)# class classprece1

Switch(config-pmap-c)# police cir 100000000 pir 200000000 conform-action set-prec-transmit 
2 exceed-action set-prec-transmit 3 violate-action set-prec-transmit 4

Switch(config-pmap-c)# exit

Switch(config-pmap)# class class-default

Switch(config-pmap-c)# set ip precedence 0

In the previous hierarchical QoS example, the first traffic class has only one match statement. However, hierarchical policy maps can support multiple match statements.

This example shows how to configure a default traffic class to a policy map:

Switch# configure terminal 

Switch(config)# class-map cm-3

Switch(config-cmap)# match ip dscp 30

Switch(config-cmap)# match protocol ipv6

Switch(config-cmap)# exit

Switch(config)# class-map cm-4

Switch(config-cmap)# match ip dscp 40

Switch(config-cmap)# match protocol ip

Switch(config-cmap)# exit

Switch(config)# policy-map pm3

Switch(config-pmap)# class class-default

Switch(config-pmap-c)# set dscp 10

Switch(config-pmap-c)# exit

Switch(config-pmap)# class cm-3

Switch(config-pmap-c) set dscp 4

Switch(config-pmap-c)# exit

Switch(config-pmap)# class cm-4

Switch(config-pmap-c)# trust cos

Switch(config-pmap-c)# exit

Switch(config-pmap)# exit

You can verify your settings by entering the show policy-map privileged EXEC command.

This example shows how the default traffic class is automatically placed at the end of policy-map pm3 even though class-default was configured first:

Switch# show policy-map pm3

  Policy Map pm3

    Class cm-3

      set dscp 4

    Class cm-4

      trust cos

    Class class-default

      set dscp 10

Switch#

Related Commands

Command	Description
bandwidth	Specifies or modifies the minimum bandwidth provided to a class belonging to a policy map attached to an ES port.
class-map	Creates a class map to be used for matching packets to the class whose name you specify.
police	Configures a single-rate traffic policer for a class of traffic.
police cir	Configures a two-rate traffic policer for a class of traffic.
police cir percent	Configures a two-rate traffic policer for a class of traffic based on a percentage of the available bandwidth.
policy-map	Creates or modifies a policy map that can be attached to multiple ports to specify a service policy.
priority	Enables the strict-priority queue and gives priority to a class of traffic belonging to a policy map attached to an ES port.
queue-limit	Configures the maximum threshold for tail drop in a policy map attached to an ES port.
random-detect	Configures WRED in a policy map attached to an ES port.
service-policy	Applies a policy map defined by the policy-map global configuration command to a port.
service-policy (policy-map class)	Creates a service policy as a QoS policy within a policy map.
set	Classifies IP traffic by setting a CoS, a DSCP, an IP-precedence, or the MPLS EXP bits in the packet.
shape	Enables traffic shaping in a policy map attached to an ES port.
show policy-map	Displays QoS policy maps.
trust	Defines a trust state for the traffic classified through the class policy-map configuration command.

class-map

Use the class-map global configuration command to create a class map to be used for matching packets to the class whose name you specify and to enter class-map configuration mode. Use the no form of this command to delete an existing class map and to return to global configuration mode.

class-map [match-all | match-any] class-map-name

no class-map [match-all | match-any] class-map-name

Syntax Description

match-all	(Optional) Perform a logical-AND of all matching under this class map. All criteria in the class map must be matched.
match-any	(Optional) Perform a logical-OR of the matching statements under this class map. One or more criteria in the class map must be matched.
class-map-name	Name of the class map.

Defaults

No class maps are defined.

If neither the match-all nor the match-any keyword is specified, the default is match-all.

Command Modes

Global configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

Use this command to specify the name of the class for which you want to create or modify class-map match criteria and to enter class-map configuration mode. Packets are checked against the match criteria configured for a class map to decide if the packet belongs to that class. If a packet matches the specified criteria, the packet is considered a member of the class and is forwarded according to the quality of service (QoS) specifications set in the traffic policy.

You can create up to 4093 class maps.

After you enter the class-map command, the switch enters class-map configuration mode, and these configuration commands are available:

•description: describes the class map (up to 200 characters). The show class-map privileged EXEC command displays the description and the name of the class map.

•exit: exits from QoS class-map configuration mode.

•match: configures classification criteria. For more information, see the match (class-map configuration) command.

•no: removes a match statement from a class map.

•rename: renames the current class map. If you rename a class map with a name that is already used, the message A class-map with this name already exists appears.

Only one access control list (ACL) can be configured in a class map. The ACL can have multiple access control entries (ACEs). Class maps that contain ACLs are not supported in an egress policy attached to an enhanced-services (ES) port or in a hierarchical ingress policy attached to an ES port.

Examples

This example shows how to configure the class map called class1 with one match criterion, which is an access list called 103:

Switch(config)# access-list 103 permit ip any any dscp 10

Switch(config)# class-map class1

Switch(config-cmap)# match access-group 103

Switch(config-cmap)# exit

This example shows how to delete the class1 class map:

Switch(config)# no class-map class1

You can verify your settings by entering the show class-map privileged EXEC command.

Related Commands

Command	Description
class	Specifies the name of the class whose traffic policy you want to create or change.
match (class-map configuration)	Defines the match criteria for a class map.
policy-map	Creates or modifies a policy map that can be attached to multiple ports to specify a service policy.
show class-map	Displays QoS class maps.

clear ip arp inspection log

Use the clear ip arp inspection log privileged EXEC command on the switch stack or on a standalone switch to clear the dynamic Address Resolution Protocol (ARP) inspection log buffer.

clear ip arp inspection log

This command is available only if your switch is running the enhanced multilayer image (EMI).

Syntax Description

This command has no arguments or keywords.

Defaults

No default is defined.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.2(25)EY	This command was introduced.

Examples

This example shows how to clear the contents of the log buffer:

Switch# clear ip arp inspection log

You can verify that the log was cleared by entering the show ip arp inspection log privileged command.

Related Commands

Command	Description
arp access-list	Defines an ARP access control list (ACL).
ip arp inspection log-buffer	Configures the dynamic ARP inspection logging buffer.
ip arp inspection vlan logging	Controls the type of packets that are logged per VLAN.
show ip arp inspection log	Displays the configuration and contents of the dynamic ARP inspection log buffer.

clear ip arp inspection statistics

Use the clear ip arp inspection statistics privileged EXEC command on the switch stack or on a standalone switch to clear the dynamic Address Resolution Protocol (ARP) inspection statistics.

clear ip arp inspection statistics [vlan vlan-range]

This command is available only if your switch is running the enhanced multilayer image (EMI).

Syntax Description

vlan vlan-range

(Optional) Clear statistics for the specified VLAN or VLANs. You can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.

Defaults

No default is defined.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.2(25)EY	This command was introduced.

Examples

This example shows how to clear the statistics for VLAN 1:

Switch# clear ip arp inspection statistics vlan 1

You can verify that the statistics were deleted by entering the show ip arp inspection statistics vlan 1 privileged EXEC command.

Related Commands

Command	Description
show ip arp inspection statistics	Displays statistics for forwarded, dropped, MAC validation failure, and IP validation failure packets for all VLANs or the specified VLAN.

clear ip dhcp snooping

Use the clear ip dhcp snooping privileged EXEC command to clear the DHCP snooping binding database, the DHCP snooping binding database agent statistics, or the DHCP snooping statistics counters.

clear ip dhcp snooping {binding {* | ip-address | interface interface-id | vlan vlan-id} | database statistics | statistics}

Syntax Description

binding	Clear the DHCP snooping binding database.
*	Clear all automatic bindings.
ip-address	Clear the binding entry IP address.
interface interface-id	Clear the binding input interface.
vlan vlan-id	Clear the binding entry VLAN.
database statistics	Clear the DHCP snooping binding database agent statistics.
statistics	Clear the DHCP snooping statistics counter.

Defaults

No default is defined.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.2(25)EY	This command was introduced.
12.2(37)SE	The statistics keyword was introduced.
12.2(44)SE	The *, ip-address, interface interface-id, and vlan vlan-id keywords were introduced.

Usage Guidelines

When you enter the clear ip dhcp snooping database statistics command, the switch does not update the entries in the binding database and in the binding file before clearing the statistics.

Examples

This example shows how to clear the DHCP snooping binding database agent statistics:

Switch# clear ip dhcp snooping database statistics 

You can verify that the statistics were cleared by entering the show ip dhcp snooping database privileged EXEC command.

This example shows how to clear the DHCP snooping statistics counters:

Switch# clear ip dhcp snooping statistics 

You can verify that the statistics were cleared by entering the show ip dhcp snooping statistics user EXEC command.

Related Commands

Command	Description
ip dhcp snooping	Enables DHCP snooping on a VLAN.
ip dhcp snooping database	Configures the DHCP snooping binding database agent or the binding file.
show ip dhcp snooping binding	Displays the status of DHCP snooping database agent.
show ip dhcp snooping database	Displays the DHCP snooping binding database agent statistics.
show ip dhcp snooping statistics	Displays the DHCP snooping statistics.

clear ipv6 dhcp conflict

Use the clear ipv6 dhcp conflict privileged EXEC command to clear an address conflict from the Dynamic Host Configuration Protocol for IPv6 (DHCPv6) server database.

clear ipv6 dhcp conflict {* | IPv6-address}

---

Note This command is available only if you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.

---

Syntax Description

*	Clear all address conflicts.
IPv6-address	Clear the host IPv6 address that contains the conflicting address.

Defaults

No default is defined.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.2(52)SE	This command was introduced.

Usage Guidelines

To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 {default | routing | vlan} global configuration command, and reload the switch.

When you configure the DHCPv6 server to detect conflicts, it uses ping. The client uses neighbor discovery to detect clients and reports to the server through a DECLINE message. If an address conflict is detected, the address is removed from the pool and is not assigned until the administrator removes the address from the conflict list.

If you use the asterisk (*) character as the address parameter, DHCP clears all conflicts.

Examples

This example shows how to clear all address conflicts from the DHCPv6 server database:

Switch# clear ipv6 dhcp conflict *

Related Commands

Command	Description
show ipv6 dhcp conflict	Displays address conflicts found by a DHCPv6 server, or reported through a DECLINE message from a client.

clear l2protocol-tunnel counters

Use the clear l2protocol-tunnel counters privileged EXEC command to clear the protocol counters in protocol tunnel ports.

clear l2protocol-tunnel counters [interface-id]

Syntax Description

interface-id

(Optional) Specify interface for which protocol counters are to be cleared. The interface can be a physical interface or a port channel.

Defaults

No default is defined.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

Use this command to clear protocol tunnel counters on the switch or on the specified interface.

Examples

This example shows how to clear Layer 2 protocol tunnel counters on a port:

Switch # clear l2protocol-tunnel counters gigabitethernet1/0/2

You can verify that the information was deleted by entering the show l2protocol-tunnel privileged EXEC command.

Related Commands

Command	Description
show l2protocol-tunnel	Displays information about ports configured for Layer 2 protocol tunneling.

clear lacp

Use the clear lacp privileged EXEC command to clear Link Aggregation Control Protocol (LACP) channel-group counters.

clear lacp {channel-group-number counters | counters}

Syntax Description

channel-group-number	(Optional) Channel group number. The range is 1 to 12.
counters	Clear traffic counters.

Defaults

No default is defined.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

You can clear all counters by using the clear lacp counters command, or you can clear only the counters for the specified channel group by using the clear lacp channel-group-number counters command.

Examples

This example shows how to clear all channel-group information:

Switch# clear lacp counters

This example shows how to clear LACP traffic counters for group 4:

Switch# clear lacp 4 counters

You can verify that the information was deleted by entering the show lacp counters or the show lacp 4 counters privileged EXEC command.

Related Commands

Command	Description
show lacp	Displays LACP channel-group information.

clear mac address-table

Use the clear mac address-table privileged EXEC command to delete from the MAC address table all dynamic MAC addresses, a specific dynamic MAC address, all dynamic addresses on a particular interface, or all dynamic addresses on a particular VLAN. This command also clears the MAC address notification global counters.

clear mac address-table {dynamic [address mac-addr | interface interface-id | vlan vlan-id] | notification}

Syntax Description

dynamic	Delete all dynamic MAC addresses.
dynamic address mac-addr	(Optional) Delete the specified dynamic MAC address.
dynamic interface interface-id	(Optional) Delete all dynamic MAC addresses on the specified physical port or port channel.
dynamic vlan vlan-id	(Optional) Delete all dynamic MAC addresses for the specified VLAN. The range is 1 to 4094.
notification	Clear the notifications in the history table and reset the counters.

Defaults

No default is defined.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Examples

This example shows how to remove a specific MAC address from the dynamic address table:

Switch# clear mac address-table dynamic address 0008.0070.0007

You can verify that the information was deleted by entering the show mac address-table privileged EXEC command.

Related Commands

Command	Description
mac address-table notification	Enables the MAC address notification feature.
show mac address-table	Displays the MAC address table static and dynamic entries.
show mac address-table notification	Displays the MAC address notification settings for all interfaces or the specified interface.
snmp trap mac-notification change	Enables the Simple Network Management Protocol (SNMP) MAC address notification trap on a specific interface.

clear mac address-table move update

Use the clear mac address-table move update privileged EXEC command to clear the mac address-table-move update-related counters.

clear mac address-table move update

Syntax Description

This command has no arguments or keywords.

Defaults

No default is defined.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.2(25)SED	This command was introduced.

Examples

This example shows how to clear the mac address-table move update related counters.

Switch# clear mac address-table move update

You can verify that the information was cleared by entering the show mac address-table move update privileged EXEC command.

Related Commands

Command	Description
mac address-table move update	Configures MAC address-table move update on the switch.
show mac address-table move update	Displays the MAC address-table move update information on the switch.

clear pagp

Use the clear pagp privileged EXEC command to clear Port Aggregation Protocol (PAgP) channel-group information.

clear pagp {channel-group-number counters | counters}

Syntax Description

channel-group-number	(Optional) Channel group number. The range is 1 to 12.
counters	Clear traffic counters.

Defaults

No default is defined.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

You can clear all counters by using the clear pagp counters command, or you can clear only the counters for the specified channel group by using the clear pagp channel-group-number counters command.

Examples

This example shows how to clear all channel-group information:

Switch# clear pagp counters

This example shows how to clear PAgP traffic counters for group 10:

Switch# clear pagp 10 counters

You can verify that information was deleted by entering the show pagp privileged EXEC command.

Related Commands

Command	Description
show pagp	Displays PAgP channel-group information.

clear rep counters

Use the clear rep counters privileged EXEC command to clear Resilient Ethernet Protocol (REP) counters for the specified interface or all interfaces.

clear rep counters [interface interface-id]

Syntax Description

interface interface-id

(Optional) Specify a REP interface whose counters should be cleared.

Defaults

No default is defined.

Command Modes

Privileged EXEC

Command History

Release	Modification
122(46)SE	This command was introduced.

Usage Guidelines

You can clear all REP counters by using the clear rep counters command, or you can clear only the counters for the interface by using the clear rep counters interface interface-id command.

When you enter the clear rep counters command, only the counters visible in the output of the show interface rep detail command are cleared. SNMP visible counters are not cleared as they are read-only.

Examples

This example shows how to clear all REP counters for all REP interfaces:

Switch# clear rep counters

You can verify that REP information was deleted by entering the show interfaces rep detail privileged EXEC command.

Related Commands

Command	Description
show interfaces rep detail	Displays detailed REP configuration and status information.

clear spanning-tree counters

Use the clear spanning-tree counters privileged EXEC command to clear the spanning-tree counters.

clear spanning-tree counters [interface interface-id]

Syntax Description

interface interface-id

(Optional) Clear all spanning-tree counters on the specified interface. Valid interfaces include physical ports, VLANs, and port channels. The VLAN range is 1 to 4094. The port-channel range is 1 to 12.

Defaults

No default is defined.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

If the interface-id is not specified, spanning-tree counters are cleared for all interfaces.

Examples

This example shows how to clear spanning-tree counters for all interfaces:

Switch# clear spanning-tree counters

Related Commands

Command	Description
show spanning-tree	Displays spanning-tree state information.

clear spanning-tree detected-protocols

Use the clear spanning-tree detected-protocols privileged EXEC command to restart the protocol migration process (force the renegotiation with neighboring switches) on all interfaces or on the specified interface.

clear spanning-tree detected-protocols [interface interface-id]

Syntax Description

interface interface-id

(Optional) Restart the protocol migration process on the specified interface. Valid interfaces include physical ports, VLANs, and port channels. The VLAN range is 1 to 4094. The port-channel range is 1 to 12.

Defaults

No default is defined.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

A switch running the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol or the Multiple Spanning Tree Protocol (MSTP) supports a built-in protocol migration mechanism that enables it to interoperate with legacy 802.1D switches. If a rapid-PVST+ switch or an MSTP switch receives a legacy 802.1D configuration bridge protocol data unit (BPDU) with the protocol version set to 0, it sends only 802.1D BPDUs on that interface. A multiple spanning-tree (MST) switch can also detect that an interface is at the boundary of a region when it receives a legacy BPDU, an MST BPDU (version 3) associated with a different region, or a rapid spanning-tree (RST) BPDU (version 2).

However, the switch does not automatically revert to the rapid-PVST+ or the MSTP mode if it no longer receives 802.1D BPDUs. It cannot detect whether the legacy switch has been removed from the link unless the legacy switch is the designated switch. Use the clear spanning-tree detected-protocols command in this situation.

Examples

This example shows how to restart the protocol migration process on a port:

Switch# clear spanning-tree detected-protocols interface gigabitethernet1/0/1

Related Commands

Command	Description
show spanning-tree	Displays spanning-tree state information.
spanning-tree link-type	Overrides the default link-type setting and enables rapid spanning-tree transitions to the forwarding state.

clear vmps statistics

Use the clear vmps statistics privileged EXEC command to clear the statistics maintained by the VLAN Query Protocol (VQP) client.

clear vmps statistics

Syntax Description

This command has no arguments or keywords.

Defaults

No default is defined.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Examples

This example shows how to clear VLAN Membership Policy Server (VMPS) statistics:

Switch# clear vmps statistics

You can verify that information was deleted by entering the show vmps statistics privileged EXEC command.

Related Commands

Command	Description
show vmps	Displays the VQP version, reconfirmation interval, retry count, VMPS IP addresses, and the current and primary servers.

clear vtp counters

Use the clear vtp counters privileged EXEC command to clear the VLAN Trunking Protocol (VTP) and pruning counters.

clear vtp counters

Syntax Description

This command has no arguments or keywords.

Defaults

No default is defined.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Examples

This example shows how to clear the VTP counters:

Switch# clear vtp counters

You can verify that information was deleted by entering the show vtp counters privileged EXEC command.

Related Commands

Command	Description
show vtp	Displays general information about the VTP management domain, status, and counters.

cpu traffic qos cos

Use the cpu traffic qos cos command in global configuration mode to mark the class of service (CoS) value of CPU traffic. To return to the default value, use the no form of this command.

cpu traffic qos cos {cos-value | trust}

no cpu traffic qos cos {cos-value | trust}

Syntax Description

cos-value	Specify a CoS value. The range is from 0 to 7. If no CoS value is configured, the protocol specific value for each packet applies.
trust	Configure the switch to trust the CoS value of the incoming packet.

Command Default

Control plane (CPU) traffic is not marked for QoS.

Command Modes

Global configuration

Command History

Release	Modification
12.2(52)SE	This command was introduced.

Usage Guidelines

This feature must be configured globally for a switch; it cannot be configured per-port or per-protocol.

Enter each cpu traffic qos marking action on a separate line.

The trust keyword configures the switch to trust the incoming CoS, DSCP, or precedence value and mark the packet according to the global map configuration.

When you configure the switch to trust CoS, the configuration applies to both IP and non-IP traffic.

When you configure the switch to trust or change DSCP or precedence, but not CoS, the configuration applies only to IP traffic.

When you configure the switch to trust CoS and trust or change DSCP or precedence, then trust CoS applies to non-IP traffic and trust or change DSCP or precedence applies to IP traffic.

The cpu traffic qos cos global configuration command configures CoS marking for CPU-generated traffic by either trusting CoS or specifying a CoS value, but not both. A new configuration overwrites the existing configuration.

Examples

This example shows how to specify a CoS value for CPU-generated IP traffic (including IP-SLA and TWAMP):

Switch(config)# cpu traffic qos cos 2

This example shows how to configure the switch to trust the CoS value of the incoming packet:

Switch(config)# cpu traffic qos cos trust

Related Commands

Command	Description
cpu traffic qos dscp	Configures the DSCP value for CPU-generated traffic.
cpu traffic qos precedence	Configures the precedence for CPU-generated traffic.
mls qos map	Configures a global map to set CoS, DSCP, and precedence values for CPU-generated traffic.
show cpu traffic qos	Displays the QoS marking values configured for CPU-generated traffic.
show mls qos maps	Displays information for all global maps.
show running-config	Displays the configured global maps and CPU traffic QoS settings.

cpu traffic qos dscp

Use the cpu traffic qos dscp command in global configuration mode to configure a differentiated services code point (DSCP) value for CPU traffic. To return to the default value, use the no form of this command.

cpu traffic qos dscp {dscp-value | trust | dscp-mutation mutation-map-name}

no cpu traffic qos dscp {dscp-value | trust | dscp-mutation mutation-map-name}

Syntax Description

dscp-value	Configure the DSCP value for CPU traffic. The range is from 0 to 63. If no DSCP value is configured, the protocol specific value for each packet applies.
trust	Configure the switch to trust the DSCP value of the incoming packet.
dscp-mutation mutation-map-name	Configure the switch to change the incoming DSCP value based on the configured mutation-map.

Command Default

Control plane (CPU) traffic is not marked for QoS.

Command Modes

Global configuration

Command History

Release	Modification
12.2(52)SE	This command was introduced.

Usage Guidelines

This feature must be configured globally for a switch; it cannot be configured per-port or per-protocol.

Enter each cpu traffic qos marking action on a separate line.

The trust keyword configures the switch to trust the incoming CoS, DSCP, or precedence value and mark the packet according to the global map configuration.

The mutation keyword configures the switch to change the incoming value according to the global mutation-map configuration.

When you configure the switch to trust CoS, the configuration applies to both IP and non-IP traffic.

When you configure the switch to trust or change DSCP or precedence, but not CoS, the configuration applies only to IP traffic.

When you configure the switch to trust CoS and trust or change DSCP or precedence, then trust CoS applies to non-IP traffic and trust or change DSCP or precedence applies to IP traffic.

The cpu traffic qos dscp global configuration command configures DSCP marking for CPU-generated traffic by trusting DSCP, mutating DSCP or specifying a DSCP value. A new configuration overwrites the existing configuration.

The cpu traffic qos dscp and cpu traffic qos precedence global configuration commands are mutually exclusive. A new configuration overwrites the existing configuration.

Examples

This example shows how to configure the DSCP value of CPU-generated packets:

Switch(config)# cpu traffic qos dscp 36

This example shows how to configure the switch to trust the DSCP value of incoming CPU-generated packets:

Switch(config)# cpu traffic qos dscp trust

This example shows how to mark the DSCP of CPU-generated IP traffic (including IP-SLA and TWAMP) based on the DSCP value in the packet.

The example has these results:

•All IP traffic with the DSCP value 0 is assigned DSCP value 30.

•All IP traffic with the DSCP values af41 (34), af42 (36) and af43 (38) are assigned DSCP value 48.

•All other IP and non-IP traffic is processed by the default configuration.

Maps:

Switch(config)# mls qos

Switch(config)# mls qos map dscp-mutation mapname 0 to 30

Switch(config)# mls qos map dscp-mutation mapname 34 36 38 to 48

CPU QoS:

Switch(config)# cpu traffic qos dscp dscp-mutation mapname

Related Commands

Command	Description
cpu traffic qos cos	Configures the CoS value for CPU-generated traffic.
cpu traffic qos precedence	Configures the precedence for CPU-generated traffic.
mls qos map	Configures a global map to set CoS, DSCP, and precedence values for CPU-generated traffic.
show cpu traffic qos	Displays the QoS marking values configured for CPU-generated traffic.
show mls qos maps	Displays information for all global maps.
show running-config	Displays the configured global maps and CPU traffic QoS settings.

cpu traffic qos precedence

Use the cpu traffic qos precedence command in global configuration mode to configure quality of service (QoS) marking for control plane traffic. To return to the default value, use the no form of this command.

cpu traffic qos precedence {precedence-value | trust | precedence-mutation mutation-map-name}

no cpu traffic qos precedence {precedence-value | trust | precedence-mutation mutation-map-name}

Syntax Description

precedence-value	Configure the precedence value. The range is from 0 to 7. If no precedence value is configured, the protocol specific value for each packet applies. Note You can substitute the following keywords for the numbers 0 to 7: •routine (0) •priority (1) •immediate (2) •flash (3) •flash-override (4) •critical (5) •internet (6) •network (7)
trust	Configure the switch to trust the precedence value of the incoming packet.
precedence-mutation mutation-map-name	Configure the switch to change the incoming precedence value based on the configured mutation-map.

Command Default

Control plane (CPU) traffic is not marked for QoS.

Command Modes

Global configuration

Command History

Release	Modification
12.2(52)SE	This command was introduced.

Usage Guidelines

This feature must be configured globally for a switch; it cannot be configured per-port or per-protocol.

Enter each cpu traffic qos marking action on a separate line.

The trust keyword configures the switch to trust the incoming CoS, DSCP, or precedence value and mark the packet according to the global map configuration.

The mutation keyword configures the switch to change the incoming value according to the global mutation-map configuration.

When you configure the switch to trust CoS, the configuration applies to both IP and non-IP traffic.

When you configure the switch to trust or change DSCP or precedence but not CoS, the configuration applies only to IP traffic.

When you configure the switch to trust CoS and trust or change DSCP or precedence, then trust CoS applies to non-IP traffic and trust or change DSCP or precedence applies to IP traffic.

The cpu traffic qos precedence global configuration command configures precedence marking for CPU-generated traffic by trusting precedence, mutating precedence or specifying a precedence value. A new configuration overwrites the existing configuration.

The cpu traffic qos dscp and cpu traffic qos precedence global configuration commands are mutually exclusive. A new configuration overwrites the existing configuration.

Examples

The following example shows how to configure a precedence value of 2 for CPU traffic:

Switch(config)# cpu traffic qos precedence 2

This example shows how to configure the switch to trust the precedence value of incoming CPU-generated packets:

Switch(config)# cpu traffic qos precedence trust

This example shows how to mark the precedence of CPU-generated IP traffic (including IP-SLA and TWAMP) based on the precedence value in the packet.

The example has these results:

•All CPU generated IP traffic with the precedence value 0 is assigned precedence value 3.

•All CPU generated IP traffic with the precedence values 2, 3 and 4 is assigned precedence value 6.

•All other IP and non-IP traffic is processed by the default configuration.

Maps:

Switch(config)# mls qos

Switch(config)# mls qos map dscp-mutation mapname 0 to 24

Switch(config)# mls qos map dscp-mutation mapname 16 24 32 to 48

CPU QoS:

Switch(config)# cpu traffic qos precedence precedence-mutation mapname

Related Commands

Command	Description
cpu traffic qos cos	Configures the CoS value for CPU-generated traffic.
cpu traffic qos dscp	Configures the DSCP value for CPU-generated traffic.
mls qos map	Configures a global map to set CoS, DSCP, and precedence values for CPU-generated traffic.
show cpu traffic qos	Displays the QoS marking values configured for CPU-generated traffic.
show mls qos maps	Displays information for all global maps.
show running-config	Displays the configured global maps and CPU traffic QoS settings.

define interface-range

Use the define interface-range global configuration command to create an interface-range macro. Use the no form of this command to delete the defined macro.

define interface-range macro-name interface-range

no define interface-range macro-name

Syntax Description

macro-name	Name of the interface-range macro; up to 32 characters.
interface-range	Interface range; for valid values for interface ranges, see "Usage Guidelines."

Defaults

This command has no default setting.

Command Modes

Global configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

The macro name is a 32-character maximum character string.

A macro can contain up to five ranges.

All interfaces in a range must be the same type; that is, all Fast Ethernet ports, all Gigabit Ethernet ports, all EtherChannel ports, or all VLANs, but you can combine multiple interface types in a macro.

When entering the interface-range, use this format:

•type {first-interface} - {last-interface}

•You must add a space between the first interface number and the hyphen when entering an interface-range. For example, fastethernet1/0/1 -5 is a valid range; fastethernet1/0/1-5 is not a valid range.

Valid values for type and interface:

•vlan vlan-id, where vlan-id is from 1 to 4094

VLAN interfaces must have been configured with the interface vlan command. The show running-config privileged EXEC command displays the configured VLAN interfaces. VLAN interfaces not displayed by the show running-config command cannot be used in interface-ranges.

•port-channel port-channel-number, where port-channel-number is from 1 to 12

•fastethernet switch number (always 1)/module/{first port} - {last port}

•gigabitethernet switch number (always 1)/module/{first port} - {last port}

For physical interfaces:

•switch number is always 1.

•module number is 0 for 10/100 ports and standard SFP module slots; 1 for enhanced-services (ES) ports.

•the range is type 1/module-number/number - number (for example, gigabitethernet 1/0/1 - 2)

When you define a range, you must enter a space before the hyphen (-), for example:

gigabitethernet1/0/1 - 2

You can also enter multiple ranges. When you define multiple ranges, you must enter a space after the first entry before the comma (,). The space after the comma is optional, for example:

fastethernet1/0/3 , gigabitethernet1/0/1 - 2

fastethernet1/0/3 -4, gigabitethernet1/0/1 - 2

Examples

This example shows how to create a multiple-interface macro:

Switch(config)# define interface-range macro1 fastethernet1/0/1 -2, fastethernet1/0/5 

Related Commands

Command	Description
interface range	Executes a command on multiple ports at the same time.
show running-config	Displays the operating configuration. For syntax information, use this link to the Cisco IOS Release 12.2 Command Reference listing page: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/prod_command_reference_list.html Select the Cisco IOS Commands Master List, Release 12.2 to navigate to the command.

delete

Use the delete privileged EXEC command to delete a file or directory on the flash memory device.

delete [/force] [/recursive] filesystem:/file-url

Syntax Description

/force	(Optional) Suppress the prompt that confirms the deletion.
/recursive	(Optional) Delete the named directory and all subdirectories and the files contained in it.
filesystem:	Alias for a flash file system. The syntax for the local flash file system: flash:
/file-url	The path (directory) and filename to delete.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

If you use the /force keyword, you are prompted once at the beginning of the deletion process to confirm the deletion.

If you use the /recursive keyword without the /force keyword, you are prompted to confirm the deletion of every file.

The prompting behavior depends on the setting of the file prompt global configuration command. By default, the switch prompts for confirmation on destructive file operations. For more information about this command, see the Cisco IOS Command Reference for Release 12.2.

Examples

This example shows how to remove the directory that contains the old software image after a successful download of a new image:

Switch# delete /force /recursive flash:/old-image

You can verify that the directory was removed by entering the dir filesystem: privileged EXEC command.

Related Commands

Command	Description
archive download-sw	Downloads a new image to the switch and overwrites or keeps the existing image.

deny (ARP access-list configuration)

Use the deny Address Resolution Protocol (ARP) access-list configuration command on the switch stack or on a standalone switch to deny an ARP packet based on matches against the DHCP bindings. Use the no form of this command to remove the specified access control entry (ACE) from the access list.

deny {[request] ip {any | host sender-ip | sender-ip sender-ip-mask} mac {any | host sender-mac | sender-mac sender-mac-mask} | response ip {any | host sender-ip | sender-ip sender-ip-mask} [{any | host target-ip | target-ip target-ip-mask}] mac {any | host sender-mac | sender-mac sender-mac-mask} [{any | host target-mac | target-mac target-mac-mask}]} [log]

no deny {[request] ip {any | host sender-ip | sender-ip sender-ip-mask} mac {any | host sender-mac | sender-mac sender-mac-mask} | response ip {any | host sender-ip | sender-ip sender-ip-mask} [{any | host target-ip | target-ip target-ip-mask}] mac {any | host sender-mac | sender-mac sender-mac-mask} [{any | host target-mac | target-mac target-mac-mask}]} [log]

This command is available only if your switch is running the enhanced multilayer image (EMI).

Syntax Description

request	(Optional) Define a match for the ARP request. When request is not specified, matching is performed against all ARP packets.
ip	Specify the sender IP address.
any	Deny any IP or MAC address.
host sender-ip	Deny the specified sender IP address.
sender-ip sender-ip-mask	Deny the specified range of sender IP addresses.
mac	Deny the sender MAC address.
host sender-mac	Deny a specific sender MAC address.
sender-mac sender-mac-mask	Deny the specified range of sender MAC addresses.
response ip	Define the IP address values for the ARP responses.
host target-ip	Deny the specified target IP address.
target-ip target-ip-mask	Deny the specified range of target IP addresses.
mac	Deny the MAC address values for the ARP responses.
host target-mac	Deny the specified target MAC address.
target-mac target-mac-mask	Deny the specified range of target MAC addresses.
log	(Optional) Log a packet when it matches the ACE.

Defaults

There are no default settings. However, at the end of the ARP access list, there is an implicit deny ip any mac any command.

Command Modes

ARP access-list configuration

Command History

Release	Modification
12.2(25)EY	This command was introduced.

Usage Guidelines

You can add deny clauses to drop ARP packets based on matching criteria.

Examples

This example shows how to define an ARP access list and to deny both ARP requests and ARP responses from a host with an IP address of 1.1.1.1 and a MAC address of 0000.0000.abcd:

Switch(config)# arp access-list static-hosts

Switch(config-arp-nacl)# deny ip host 1.1.1.1 mac host 0000.0000.abcd

Switch(config-arp-nacl)# end

You can verify your settings by entering the show arp access-list privileged EXEC command.

Related Commands

Command	Description
arp access-list	Defines an ARP access control list (ACL).
ip arp inspection filter vlan	Permits ARP requests and responses from a host configured with a static IP address.
permit (MAC-access list configuration)	Permits an ARP packet based on matches against the DHCP bindings.
show arp access-list	Displays detailed information about ARP access lists.

deny (IPv6 access-list configuration)

Use the deny command in IPv6 access list configuration mode to set deny conditions for an IPv6 access list. Use the no form of this command to remove the deny conditions.

deny {protocol} {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dscp value] [fragments] [log] [log-input] [routing] [sequence value] [time-range name]

no deny {protocol} {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dscp value] [fragments] [log] [log-input] [routing] [sequence value] [time-range name]

Internet Control Message Protocol

deny icmp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [icmp-type [icmp-code] | icmp-message] [dscp value] [log] [log-input] [routing] [sequence value] [time-range name]

Transmission Control Protocol

deny tcp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [ack] [dscp value] [established] [fin] [log] [log-input] [neq {port | protocol}] [psh] [range {port | protocol}] [rst] [routing] [sequence value] [syn] [time-range name] [urg]

User Datagram Protocol

deny udp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dscp value] [log] [log-input] [neq {port | protocol}] [range {port | protocol}] [routing] [sequence value] [time-range name]

---

Note This command is available only if you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.

---

Syntax Description

protocol	Name or number of an Internet protocol. It can be one of the keywords ahp, esp, icmp, ipv6, pcp, sctp, tcp, or udp, or an integer in the range from 0 to 255 representing an IPv6 protocol number.
source-ipv6-prefix/prefix-length	The source IPv6 network or class of networks about which to set deny conditions. This argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons.
any	An abbreviation for the IPv6 prefix ::/0.
host source-ipv6-address	The source IPv6 host address for which to set deny conditions. This source-ipv6-address argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons.
operator [port-number]	(Optional) Specify an operator that compares the source or destination ports of the specified protocol. Operators are lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range). If the operator is positioned after the source-ipv6-prefix/prefix-length argument, it must match the source port. If the operator is positioned after the destination-ipv6-prefix/prefix-length argument, it must match the destination port. The range operator requires two port numbers. All other operators require one port number. The optional port-number argument is a decimal number or the name of a TCP or a UDP port. A port number is a number from 0 to 65535. TCP port names can be used only when filtering TCP. UDP port names can be used only when filtering UDP.
destination-ipv6-prefix/ prefix-length	The destination IPv6 network or class of networks for which to set deny conditions. This argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons.
host destination-ipv6-address	The destination IPv6 host address for which to set deny conditions. This destination-ipv6-address argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons.
dscp value	(Optional) Match a differentiated services code point value against the traffic class value in the Traffic Class field of each IPv6 packet header. The acceptable range is from 0 to 63.
fragments	(Optional) Match non-initial fragmented packets where the fragment extension header contains a non-zero fragment offset. The fragments keyword is an option only if the protocol is ipv6 and the operator [port-number] arguments are not specified.
log	(Optional) Send an informational logging message to the console about the packet that matches the entry. (The level of messages sent to the console is controlled by the logging console command.) The message includes the access list name and sequence number, whether the packet was denied; the protocol, whether it was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets denied in the prior 5-minute interval. Note Logging is not supported for port ACLs.
log-input	(Optional) Provide the same function as the log keyword, but the logging message also includes the receiving interface.
routing	(Optional) Match packets with the routing extension header.
sequence value	(Optional) Specify the sequence number for the access list statement. The acceptable range is from 1 to 4294967295.
time-range name	(Optional) Specify the time range that applies to the deny statement. The name of the time range and its restrictions are specified by the time-range and absolute or periodic commands, respectively.
icmp-type	(Optional) Specify an ICMP message type for filtering ICMP packets. ICMP packets can be filtered by an ICMP message type. The type is a number from 0 to 255.
icmp-code	(Optional) Specify an ICMP message code for filtering ICMP packets. ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.
icmp-message	(Optional) Specify an ICMP message name for filtering ICMP packets. ICMP packets can be filtered by an ICMP message name or an ICMP message type and code. The possible names are listed in the "Usage Guidelines" section.
ack	(Optional) Only for the TCP protocol: Acknowledgment (ACK) bit set.
established	(Optional) Only for the TCP protocol: Means the connection has been established. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.
fin	(Optional) Only for the TCP protocol: Fin bit set; no more data from sender.
neq {port | protocol}	(Optional) Match only packets that are not on a given port number.
psh	(Optional) Only for the TCP protocol: Push function bit set.
range {port | protocol}	(Optional) Match only packets in the range of port numbers.
rst	(Optional) Only for the TCP protocol: Reset bit set.
syn	(Optional) Only for the TCP protocol: Synchronize bit set.
urg	(Optional) Only for the TCP protocol: Urgent pointer bit set.

---

Note Although visible in the command-line help strings, the flow-label, routing, and undetermined-transport keywords are not supported.

---

Defaults

No IPv6 access list is defined.

Command Modes

IPv6 access list configuration

Command History

Release	Modification
12.2(52)SE	This command was introduced.

Usage Guidelines

The deny (IPv6 access-list configuration mode) command is similar to the deny (IPv4 access-list configuration mode) command, but it is IPv6-specific.

Use the deny (IPv6) command after the ipv6 access-list command to enter IPv6 access list configuration mode and to define the conditions under which a packet passes the access list.

Specifying IPv6 for the protocol argument matches the IPv6 header of the packet.

By default, the first statement in an access list is number 10, and the subsequent statements are numbered in increments of 10.

You can add permit, deny, or remark statements to an existing access list without re-entering the entire list. To add a new statement somewhere other than at the end of the list, create a new statement with an appropriate entry number between two existing entry numbers to show where it belongs.

---

Note Every IPv6 ACL has implicit permit icmp any any nd-na, permit icmp any any nd-ns, and deny ipv6 any any statements as its last match conditions. The two permit conditions allow ICMPv6 neighbor discovery. To disallow ICMPv6 neighbor discovery and to deny icmp any any nd-na or icmp any any nd-ns, there must be an explicit deny entry in the ACL. For the three implicit statements to take effect, an IPv6 ACL must contain at least one entry.

The IPv6 neighbor discovery process uses the IPv6 network layer service. Therefore, by default, IPv6 ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface. In IPv4, the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery process, uses a separate data-link layer protocol. Therefore, by default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.

---

Both the source-ipv6-prefix/prefix-length and destination-ipv6-prefix/prefix-length arguments are used for traffic filtering. (The source prefix filters traffic based upon its source; the destination prefix filters traffic based upon its destination.)

The switch supports IPv6 address matching for a full range of prefix lengths.

The fragments keyword is an option only if the protocol is ipv6 and the operator [port-number] arguments are not specified.

This is a list of ICMP message names:

beyond-scope	destination-unreachable
echo-reply	echo-request
header	hop-limit
mld-query	mld-reduction
mld-report	nd-na
nd-ns	next-header
no-admin	no-route
packet-too-big	parameter-option
parameter-problem	port-unreachable
reassembly-timeout	renum-command
renum-result	renum-seq-number
router-advertisement	router-renumbering
router-solicitation	time-exceeded
unreachable

Examples

This example configures the IPv6 access list named CISCO and applies the access list to outbound traffic on a Layer 3 interface. The first deny entry prevents all packets that have a destination TCP port number greater than 5000 from leaving the interface. The second deny entry prevents all packets that have a source UDP port number less than 5000 from leaving the interface. The second deny also logs all matches to the console. The first permit entry permits all ICMP packets to leave the interface. The second permit entry permits all other traffic to leave the interface. The second permit entry is necessary because an implicit deny-all condition is at the end of each IPv6 access list.

Switch(config)# ipv6 access-list CISCO

Switch(config-ipv6-acl)# deny tcp any any gt 5000

Switch config-ipv6-acl)# deny ::/0 lt 5000 ::/0 log

Switch(config-ipv6-acl)# permit icmp any any

Switch(config-ipv6-acl)# permit any any

Switch(config-ipv6-acl)# exit

Switch(config)# interface gigabitethernet0/2

Switch(config-if)# no switchport

Switch(config-if)# ipv6 address 2001::/64 eui-64

Switch(config-if)# ipv6 traffic-filter CISCO out

Related Commands

Command	Description
ipv6 access-list	Defines an IPv6 access list and enters IPv6 access list configuration mode.
ipv6 traffic-filter	Filters incoming or outgoing IPv6 traffic on an interface.
permit (IPv6 access-list configuration)	Sets permit conditions for an IPv6 access list.
show ipv6 access-list	Displays the contents of all current IPv6 access lists.

deny (MAC access-list configuration)

Use the deny MAC access list configuration command to prevent non-IP traffic from being forwarded if the conditions are matched. Use the no form of this command to remove a deny condition from the named MAC access list.

{deny | permit} {any | host src-MAC-addr | src-MAC-addr mask} {any | host dst-MAC-addr | dst-MAC-addr mask} [type mask | aarp | amber | cos cos | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | lsap lsap mask | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp]

no {deny | permit} {any | host src-MAC-addr | src-MAC-addr mask} {any | host dst-MAC-addr | dst-MAC-addr mask} [type mask | aarp | amber | cos cos | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | lsap lsap mask | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp]

Syntax Description

any	Keyword to specify to deny any source or destination MAC address.
host src MAC-addr | src-MAC-addr mask	Define a host MAC address and optional subnet mask. If the source address for a packet matches the defined address, non-IP traffic from that address is denied.
host dst-MAC-addr | dst-MAC-addr mask	Define a destination MAC address and optional subnet mask. If the destination address for a packet matches the defined address, non-IP traffic to that address is denied.
type mask	(Optional) Use the Ethertype number of a packet with Ethernet II or SNAP encapsulation to identify the protocol of the packet. The type is 0 to 65535, specified in hexadecimal. The mask is a mask of don't care bits applied to the Ethertype before testing for a match.
aarp	(Optional) Select Ethertype AppleTalk Address Resolution Protocol that maps a data-link address to a network address.
amber	(Optional) Select EtherType DEC-Amber.
cos cos	(Optional) Select a class of service (CoS) number from 0 to 7 to set priority. Filtering on CoS can be performed only in hardware. A warning message reminds the user if the cos option is configured.
dec-spanning	(Optional) Select EtherType Digital Equipment Corporation (DEC) spanning tree.
decnet-iv	(Optional) Select EtherType DECnet Phase IV protocol.
diagnostic	(Optional) Select EtherType DEC-Diagnostic.
dsm	(Optional) Select EtherType DEC-DSM.
etype-6000	(Optional) Select EtherType 0x6000.
etype-8042	(Optional) Select EtherType 0x8042.
lat	(Optional) Select EtherType DEC-LAT.
lavc-sca	(Optional) Select EtherType DEC-LAVC-SCA.
lsap lsap-number mask	(Optional) Use the LSAP number (0 to 65535) of a packet with 802.2 encapsulation to identify the protocol of the packet. mask is a mask of don't care bits applied to the LSAP number before testing for a match.
mop-console	(Optional) Select EtherType DEC-MOP Remote Console.
mop-dump	(Optional) Select EtherType DEC-MOP Dump.
msdos	(Optional) Select EtherType DEC-MSDOS.
mumps	(Optional) Select EtherType DEC-MUMPS.
netbios	(Optional) Select EtherType DEC- Network Basic Input/Output System (NETBIOS).
vines-echo	(Optional) Select EtherType Virtual Integrated Network Service (VINES) Echo from Banyan Systems.
vines-ip	(Optional) Select EtherType VINES IP.
xns-idp	(Optional) Select EtherType Xerox Network Systems (XNS) protocol suite (0 to 65535), an arbitrary Ethertype in decimal, hexadecimal, or octal.

---

Note Though visible in the command-line help strings, appletalk is not supported as a matching condition.

---

To filter IPX traffic, you use the type mask or lsap lsap mask keywords, depending on the type of IPX encapsulation being used. Filter criteria for IPX encapsulation types as specified in Novell terminology and Cisco IOS terminology are listed in Table 2-4.

Table 2-4 IPX Filtering Criteria

IPX Encapsulation Type		Filter Criterion
Cisco IOS Name	Novel Name
arpa	Ethernet II	Ethertype 0x8137
snap	Ethernet-snap	Ethertype 0x8137
sap	Ethernet 802.2	LSAP 0xE0E0
novell-ether	Ethernet 802.3	LSAP 0xFFFF

Defaults

This command has no defaults. However; the default action for a MAC-named ACL is to deny.

Command Modes

MAC-access list configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

You enter MAC-access list configuration mode by using the mac access-list extended global configuration command.

If you use the host keyword, you cannot enter an address mask; if you do not use the host keyword, you must enter an address mask.

When an access control entry (ACE) is added to an access control list, an implied deny-any-any condition exists at the end of the list. That is, if there are no matches, the packets are denied. However, before the first ACE is added, the list permits all packets.

---

Note For more information about named MAC extended access lists, see the software configuration guide for this release.

---

Examples

This example shows how to define the named MAC extended access list to deny NETBIOS traffic from any source to MAC address 00c0.00a0.03fa. Traffic matching this list is denied.

Switch(config-ext-macl)# deny any host 00c0.00a0.03fa netbios.

This example shows how to remove the deny condition from the named MAC extended access list:

Switch(config-ext-macl)# no deny any 00c0.00a0.03fa 0000.0000.0000 netbios.

This example denies all packets with Ethertype 0x4321:

Switch(config-ext-macl)# deny any any 0x4321 0

You can verify your settings by entering the show access-lists privileged EXEC command.

Related Commands

Command	Description
mac access-list extended	Creates an access list based on MAC addresses for non-IP traffic.
permit (MAC-access list configuration)	Permits non-IP traffic to be forwarded if conditions are matched.
show access-lists	Displays access control lists configured on a switch.

dot1x auth-fail max-attempts

Use the dot1x auth-fail max-attempts interface configuration command to configure the maximum allowable authentication attempts before a port is moved to the restricted VLAN. To return to the default setting, use the no form of this command.

dot1x auth-fail max-attempts max-attempts

no dot1x auth-fail max-attempts

Syntax Description

max-attempts

Specify a maximum number of authentication attempts allowed before a port is moved to the restricted VLAN. The range is 1 to 3, the default value is 3.

Defaults

The default value is 3 attempts.

Command Modes

Interface configuration

Command History

Release	Modification
12.2(25)SED	This command was introduced.

Usage Guidelines

If you reconfigure the maximum number of authentication attempts allowed by the VLAN, the change takes effect after the re-authentication timer expires.

Examples

This example shows how to set 2 as the maximum number of authentication attempts allowed before the port is moved to the restricted VLAN on port 3:

Switch# configure terminal 

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)# interface gigabitethernet1/0/3

Switch(config-if)# dot1x auth-fail max-attempts 2

Switch(config-if)# end

Switch(config)# end

Switch#

You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.

Related Commands

Command	Description
dot1x auth-fail vlan [vlan id]	Enables the optional restricted VLAN feature.
dot1x max-reauth-req [count]	Sets the maximum number of times that the switch restarts the authentication process before a port changes to the unauthorized state.
show dot1x [interface interface-id]	Displays IEEE 802.1x status for the specified port.

dot1x auth-fail vlan

Use the dot1x auth-fail vlan interface configuration command to enable the restricted VLAN on a port. To return to the default setting, use the no form of this command.

dot1x auth-fail vlan vlan-id

no dot1x auth-fail vlan vlan-id

Syntax Description

vlan-id

Specify a VLAN in the range of 1 to 4094.

Defaults

No restricted VLAN is configured.

Command Modes

Interface configuration

Command History

Release	Modification
12.2(25)SED	This command was introduced.

Usage Guidelines

You can configure a restricted VLAN on ports configured as follows:

• single-host (default) mode

• auto mode for authorization

You should enable re-authentication. The ports in restricted VLANs do not receive re-authentication requests if it is disabled. To start the re-authentication process, the restricted VLAN must receive a link-down event or an Extensible Authentication Protocol (EAP) logoff event from the port. If a host is connected through a hub, the port might never receive a link-down event when that host is disconnected, and, as a result, might not detect any new hosts until the next re-authentication attempt occurs.

If the supplicant fails authentication, the port is moved to a restricted VLAN, and an EAP success message is sent to the supplicant. Because the supplicant is not notified of the actual authentication failure, there might be confusion about this restricted network access. An EAP success message is sent for these reasons:

•If the EAP success message is not sent, the supplicant tries to authenticate every 60 seconds (the default) by sending an EAP-start message.

•Some hosts (for example, devices running Windows XP) cannot implement DHCP until they receive an EAP success message.

A supplicant might cache an incorrect username and password combination after receiving an EAP success message from the authenticator and re-use that information in every re-authentication. Until the supplicant sends the correct username and password combination, the port remains in the restricted VLAN.

Internal VLANs used for Layer 3 ports cannot be configured as restricted VLANs.

You cannot configure a VLAN to be both a restricted VLAN and a voice VLAN. If you do this, a syslog message is generated.

When a restricted VLAN port is moved to an unauthorized state, the authentication process restarts. If the supplicant fails the authentication process again, the authenticator waits in the held state. After the supplicant has correctly re-authenticated, all IEEE 802.1x ports are reinitialized and treated as normal IEEE 802.1x ports.

When you reconfigure a restricted VLAN as a different VLAN, any ports in the restricted VLAN are also moved, and the ports stay in their currently authorized state.

When you shut down or remove a restricted VLAN from the VLAN database, any ports in the restricted VLAN are immediately moved to an unauthorized state, and the authentication process restarts. The authenticator does not wait in a held state because the restricted VLAN configuration still exists. While the restricted VLAN is inactive, all authentication attempts are counted so that when the restricted VLAN becomes active, the port is immediately placed in the restricted VLAN.

The restricted VLAN is supported only in single host mode (the default port mode). For this reason, when a port is placed in a restricted VLAN, the supplicant's MAC address is added to the MAC address table, and any other MAC address that appears on the port is treated as a security violation.

Examples

This example shows how to configure a restricted VLAN on port 1:

Switch# configure terminal 

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)# interface gigabitethernet1/0/1

Switch(config-if)# dot1x auth-fail vlan 40

Switch(config-if)# end

Switch(config)# end

Switch#

You can verify your configuration by entering the show dot1x [interface interface-id] privileged EXEC command.

Related Commands

Command	Description
dot1x auth-fail max-attempts [max-attempts]	Configures the number of authentication attempts allowed before assigning a supplicant to the restricted VLAN.
show dot1x [interface interface-id]	Displays IEEE 802.1x status for the specified port.

dot1x default

Use the dot1x default interface configuration command to reset the configurable 802.1x parameters to their default values.

dot1x default

Syntax Description

This command has no arguments or keywords.

Defaults

These are the default values:

•The per-port 802.1x protocol enable state is disabled (force-authorized).

•The number of seconds between re-authentication attempts is 3600 seconds.

•The periodic re-authentication is disabled.

•The quiet period is 60 seconds.

•The retransmission time is 30 seconds.

•The maximum retransmission number is 2 times.

•The host mode is single host.

•The client timeout period is 30 seconds.

•The authentication server timeout period is 30 seconds.

Command Modes

Interface configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Examples

This example shows how to reset the configurable 802.1x parameters:

Switch(config-if)# dot1x default

You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.

Related Commands

Command	Description
show dot1x [interface interface-id]	Displays 802.1x status for the specified port.

dot1x guest-vlan

Use the dot1x guest-vlan interface configuration command to specify an active VLAN as an 802.1x guest VLAN. Use the no form of this command to return to the default setting.

dot1x guest-vlan vlan-id

no dot1x guest-vlan

Syntax Description

vlan-id

Specify an active VLAN as an 802.1x guest VLAN. The range is 1 to 4094.

Defaults

No guest VLAN is configured.

Command Modes

Interface configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

When you configure a guest VLAN, clients that are not 802.1x-capable are put into the guest VLAN when the server does not receive a response to its Extensible Authentication Protocol over LAN (EAPOL) request/identity frame. Clients that are 802.1x-capable but fail authentication are not granted access to the network.

Guest VLANs are supported on 802.1x ports in single-host mode and multiple-hosts mode.

The switch maintains the EAPOL packet history. If another EAPOL packet is detected on the interface during the lifetime of the link, the guest VLAN feature is disabled. If the port is already in the guest VLAN state, the port is returned to the unauthorized state, and authentication is restarted. The EAPOL history is reset upon loss of link.

Entering the dot1x guest-vlan supplicant global configuration command disables this behavior.

Any number of non-IEEE 802.1x-capable clients are allowed access when the switch port is moved to the guest VLAN. If an IEEE 802.1x-capable client joins the same port on which the guest VLAN is configured, the port is put into the unauthorized state in the user-configured access VLAN, and authentication is restarted.

Guest VLANs are supported on IEEE 802.1x ports in single-host or multiple-hosts mode.

You can configure any active VLAN except an RSPAN VLAN or a voice VLAN as an 802.1x guest VLAN. The guest VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is supported only on access ports.

Examples

This example shows how to specify VLAN 5 as an 802.1x guest VLAN:

Switch(config-if)# dot1x guest-vlan 5

You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.

Related Commands

Command	Description
show dot1x [interface interface-id]	Displays 802.1x status for the specified port.

dot1x host-mode

Use the dot1x host-mode interface configuration command to allow a single host (client) or multiple hosts on an 802.1x-authorized port that has the dot1x port-control interface configuration command set to auto. Use the no form of this command to return to the default setting.

dot1x host-mode {multi-host | single-host}

no dot1x host-mode [multi-host | single-host]

Syntax Description

multi-host	Enable multiple-hosts mode on the switch.
single-host	Enable single-host mode on the switch.

---

Note Although visible in the command-line interface help, the multi-domain keyword is not supported.

---

Command Default

The default is single-host mode.

Command Modes

Interface configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

Use this command to limit an 802.1x-enabled port to a single client or to attach multiple clients to an 802.1x-enabled port. In multiple-hosts mode, only one of the attached hosts must be successfully authorized for all hosts to be granted network access. If the port becomes unauthorized (re-authentication fails or an Extensible Authentication Protocol over LAN [EAPOL]-logoff message is received), all attached clients are denied access to the network.

Before entering this command, make sure that the dot1x port-control interface configuration command is set to auto for the specified port.

The dot1x host-mode multi-domain interface configuration command is not supported on the switch. Configuring this command on an interface causes the interface to go into the error-disabled state.

Examples

This example shows how to enable 802.1x globally, enable 802.1x on a port, and enable multiple-hosts mode:

Switch(config)# dot1x system-auth-control

Switch(config)# interface gigabitethernet1/0/1

Switch(config-if)# dot1x port-control auto

Switch(config-if)# dot1x host-mode multi-host

You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.

Related Commands

Command	Description
show dot1x [interface interface-id]	Displays 802.1x status for the specified port.

dot1x initialize

Use the dot1x initialize privileged EXEC command to manually return the specified 802.1x-enabled port to an unauthorized state before initiating a new authentication session on the port.

dot1x initialize interface interface-id

Syntax Description

interface interface-id

Port to be initialized.

Defaults

There is no default setting.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

Use this command to initialize the 802.1x state machines and to set up a fresh environment for authentication. After you enter this command, the port status becomes unauthorized.

There is no no form of this command.

Examples

This example shows how to manually initialize a port:

Switch# dot1x initialize interface gigabitethernet1/0/2

You can verify the unauthorized port status by entering the show dot1x [interface interface-id] privileged EXEC command.

Related Commands

Command	Description
show dot1x [interface interface-id]	Displays 802.1x status for the specified port.

dot1x max-reauth-req

Use the dot1x max-reauth-req interface configuration command to set the maximum number of times that the switch restarts the authentication process before a port transitions to the unauthorized state. Use the no form of this command to return to the default setting.

dot1x max-reauth-req count

no dot1x max-reauth-req

Syntax Description

count

Number of times that the switch restarts the authentication process before the port transitions to the unauthorized state. The range is 1 to 10.

Defaults

The default is 2 times.

Command Modes

Interface configuration

Command History

Release	Modification
12.2(25)EY	This command was introduced.

Usage Guidelines

You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.

Examples

This example shows how to set 4 as the number of times that the switch restarts the authentication process before the port transitions to the unauthorized state:

Switch(config-if)# dot1x max-reauth-req 4

You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.

Related Commands

Command	Description
dot1x max-req	Sets the maximum number of times that the switch forwards an EAP frame (assuming that no response is received) to the authentication server before restarting the authentication process.
dot1x test eapol-capable tx-period	Sets the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request.
show dot1x [interface interface-id]	Displays 802.1x status for the specified port.

dot1x max-req

Use the dot1x max-req interface configuration command to set the maximum number of times that the switch retransmits an Extensible Authentication Protocol (EAP) frame from the authentication server (assuming that no response is received) to the client before restarting the authentication process. Use the no form of this command to return to the default setting.

dot1x max-req count

no dot1x max-req

Syntax Description

count

Number of times that the switch retransmits an EAP frame from the authentication server before restarting the authentication process. The range is 1 to 10.

Defaults

The default is 2 times.

Command Modes

Interface configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.

Examples

This example shows how to set 5 as the number of times that the switch sends an EAP frame before restarting the authentication process:

Switch(config-if)# dot1x max-req 5

You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.

Related Commands

Command	Description
dot1x test eapol-capable tx-period	Sets the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request.
show dot1x [interface interface-id]	Displays 802.1x status for the specified port.

dot1x port-control

Use the dot1x port-control interface configuration command to enable manual control of the authorization state of the port. Use the no form of this command to return to the default setting.

dot1x port-control {auto | force-authorized | force-unauthorized}

no dot1x port-control

Syntax Description

auto	Enable 802.1x authentication on the port and cause the port to transition to the authorized or unauthorized state based on the 802.1x authentication exchange between the switch and the client.
force-authorized	Disable 802.1x authentication on the port and cause the port to transition to the authorized state without any authentication exchange required. The port sends and receives normal traffic without 802.1x-based authentication of the client.
force-unauthorized	Deny all access through this port by forcing the port to transition to the unauthorized state, ignoring all attempts by the client to authenticate. The switch cannot provide authentication services to the client through the port.

Defaults

The default is force-authorized.

Command Modes

Interface configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

You must globally enable 802.1x on the switch by using the dot1x system-auth-control global configuration command before enabling 802.1x on a specific port.

The 802.1x protocol is supported on Layer 2 static-access ports, voice VLAN ports, and Layer 3 routed ports.

You can use the auto keyword only if the port is not configured as one of these:

•Trunk port—If you try to enable 802.1x on a trunk port, an error message appears, and 802.1x is not enabled. If you try to change the mode of an 802.1x-enabled port to trunk, an error message appears, and the port mode is not changed.

•Dynamic ports—A port in dynamic mode can negotiate with its neighbor to become a trunk port. If you try to enable 802.1x on a dynamic port, an error message appears, and 802.1x is not enabled. If you try to change the mode of an 802.1x-enabled port to dynamic, an error message appears, and the port mode is not changed.

•Dynamic-access ports—If you try to enable 802.1x on a dynamic-access (VLAN Query Protocol [VQP]) port, an error message appears, and 802.1x is not enabled. If you try to change an 802.1x-enabled port to dynamic VLAN assignment, an error message appears, and the VLAN configuration is not changed.

•EtherChannel port—Before enabling 802.1x on the port, you must first remove it from the EtherChannel. If you try to enable 802.1x on an EtherChannel or on an active port in an EtherChannel, an error message appears, and 802.1x is not enabled. If you enable 802.1x on a not-yet active port of an EtherChannel, the port does not join the EtherChannel.

•Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports—You can enable 802.1x on a port that is a SPAN or RSPAN destination port. However, 802.1x is disabled until the port is removed as a SPAN or RSPAN destination. You can enable 802.1x on a SPAN or RSPAN source port.

To globally disable 802.1x on the switch, use the no dot1x system-auth-control global configuration command. To disable 802.1x on a specific port, use the no dot1x port-control interface configuration command.

Examples

This example shows how to enable 802.1x on a port:

Switch(config)# interface fastethernet1/0/1

Switch(config-if)# dot1x port-control auto

You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.

Related Commands

Command	Description
show dot1x [interface interface-id]	Displays 802.1x status for the specified port.

dot1x re-authenticate

Use the dot1x re-authenticate privileged EXEC command to manually initiate a re-authentication of the specified 802.1x-enabled port.

dot1x re-authenticate interface interface-id

Syntax Description

interface interface-id

Port to re-authenticate.

Defaults

There is no default setting.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

You can use this command to re-authenticate a client without waiting for the configured number of seconds between re-authentication attempts (re-authperiod) and automatic re-authentication.

Examples

This example shows how to manually re-authenticate the device connected to a port:

Switch# dot1x re-authenticate interface fastethernet1/0/1

dot1x reauthentication

Use the dot1x reauthentication interface configuration command to enable periodic re-authentication of the client. Use the no form of this command to return to the default setting.

dot1x reauthentication

no dot1x reauthentication

Syntax Description

This command has no arguments or keywords.

Defaults

Periodic re-authentication is disabled.

Command Modes

Interface configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

You configure the amount of time between periodic re-authentication attempts by using the dot1x timeout reauth-period interface configuration command.

Examples

This example shows how to disable periodic re-authentication of the client:

Switch(config-if)# no dot1x reauthentication

This example shows how to enable periodic re-authentication and to set the number of seconds between re-authentication attempts to 4000 seconds:

Switch(config-if)# dot1x reauthentication

Switch(config-if)# dot1x timeout reauth-period 4000

You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.

Related Commands

Command	Description
dot1x test eapol-capable reauth-period	Sets the number of seconds between re-authentication attempts.
show dot1x [interface interface-id]	Displays 802.1x status for the specified port.

dot1x supplicant force-multicast

Use the dot1x supplicant force-multicast global configuration command to force a supplicant switch to send only multicast Extensible Authentication Protocol over LAN (EAPOL) packets whenever it receives multicast or unicast EAPOL packets. Use the no form of this command to return to the default setting.

dot1x supplicant force-multicast

no dot1x supplicant force-multicast

Syntax Description

This command has no arguments or keywords.

Defaults

The supplicant switch sends unicast EAPoL packets when it receives unicast EAPOL packets. Similarly, it sends multicast EAPOL packets when it receives multicast EAPOL packets.

Command Modes

Global configuration

Command History

Release	Modification
12.2(52)SE	This command was introduced.

Usage Guidelines

Enable this command on the supplicant switch for Network Edge Access Topology (NEAT) to work in all host modes.

Examples

This example shows how force a supplicant switch to send multicast EAPOL packets to authenticator switch:

Switch(config)# dot1x supplicant force-multicast

Related Commands

Command	Description
cisp enable	Enable Client Information Signalling Protocol (CISP) on a switch so that it acts as an authenticator to a supplicant switch.
dot1x credentials	Configure the 802.1x supplicant credentials on the port.
dot1x pae supplicant	Configure an interface to act only as a supplicant.

dot1x system-auth-control

Use the dot1x system-auth-control global configuration command to globally enable 802.1x. Use the no form of this command to return to the default setting.

dot1x system-auth-control

no dot1x system-auth-control

Syntax Description

This command has no arguments or keywords.

Defaults

802.1x is disabled.

Command Modes

Global configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

You must enable authentication, authorization, and accounting (AAA) and specify the authentication method list before globally enabling 802.1x. A method list describes the sequence and authentication methods to be queried to authenticate a user.

Examples

This example shows how to globally enable 802.1x on a switch:

Switch(config)# dot1x system-auth-control

You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.

Related Commands

Command	Description
dot1x port-control	Enables manual control of the authorization state of the port.
show dot1x [interface interface-id]	Displays 802.1x status for the specified port.

dot1x test eapol-capable

Use the dot1x test eapol-capable privileged EXEC command to monitor IEEE 802.1x activity on all the switch ports and to display information about the devices that are connected to the ports that support IEEE 802.1x.

dot1x test eapol-capable [interface interface-id]

Syntax Description

interface interface-id

(Optional) Port to be queried.

Defaults

There is no default setting.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.2(44)SE	This command was introduced.

Usage Guidelines

Use this command to test the IEEE 802.1x capability of the devices connected to all ports or to specific ports on a switch.

There is not a no form of this command.

Examples

This example shows how to enable the IEEE 802.1x readiness check on a switch to query a port. It also shows the response received from the queried port verifying that the device connected to it is IEEE 802.1x-capable:

switch# dot1x test eapol-capable interface gigabitethernet1/0/13

DOT1X_PORT_EAPOL_CAPABLE:DOT1X: MAC 00-01-02-4b-f1-a3 on gigabitethernet1/0/13 is EAPOL 
capable

Related Commands

Command	Description
dot1x test timeout timeout	Configures the timeout used to wait for EAPOL response to an IEEE 802.1x readiness query.

dot1x test timeout

Use the dot1x test timeout global configuration command to configure the timeout used to wait for EAPOL response from a port being queried for IEEE 802.1x readiness.

dot1x test timeout timeout

Syntax Description

timeout

Time in seconds to wait for an EAPOL response. The range is from 1 to 65535 seconds.

Defaults

The default setting is 10 seconds.

Command Modes

Global configuration

Command History

Release	Modification
12.2(44)SE	This command was introduced.

Usage Guidelines

Use this command to configure the timeout used to wait for EAPOL response.

There is not a no form of this command.

Examples

This example shows how to configure the switch to wait 27 seconds for an EAPOL response:

Switch# dot1x test timeout 27

You can verify the timeout configuration status by entering the show run privileged EXEC command.

Related Commands

Command	Description
dot1x test eapol-capable [interface interface-id]	Checks for IEEE 802.1x readiness on devices connected to all or to specified IEEE 802.1x-capable ports.

dot1x timeout

Use the dot1x timeout interface configuration command to set 802.1x timers. Use the no form of this command to return to the default setting.

dot1x timeout {quiet-period seconds | reauth-period seconds | server-timeout seconds | supp-timeout seconds | tx-period seconds}

no dot1x timeout {quiet-period | reauth-period | server-timeout | supp-timeout | tx-period}

Syntax Description

quiet-period seconds	Number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client. The range is 1 to 65535.
reauth-period seconds	Number of seconds between re-authentication attempts. The range is 1to 65535.
server-timeout seconds	Number of seconds that the switch waits for the retransmission of packets by the switch to the authentication server. The range is 1 to 65535. However, we recommend a minimum setting of 30.
supp-timeout seconds	Number of seconds that the switch waits for the retransmission of packets by the switch to the 802.1x client. The range is 30 to 65535.
tx-period seconds	Number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request. The range is 1 to 65535.

Defaults

These are the default settings:

reauth-period is 3600 seconds.

quiet-period is 60 seconds.

tx-period is 30 seconds.

supp-timeout is 30 seconds.

server-timeout is 30 seconds.

Command Modes

Interface configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.
12.2(40)SE	The range for tx-period seconds is incorrect. The correct range is from 1 to 65535.

Usage Guidelines

You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.

The dot1x timeout reauth-period interface configuration command affects the behavior of the switch only if you have enabled periodic re-authentication by using the dot1x reauthentication interface configuration command.

During the quiet period, the switch does not accept or initiate any authentication requests. If you want to provide a faster response time to the user, enter a smaller number than the default.

Examples

This example shows how to enable periodic re-authentication and to set 4000 as the number of seconds between re-authentication attempts:

Switch(config-if)# dot1x reauthentication

Switch(config-if)# dot1x timeout reauth-period 4000

This example shows how to set 30 seconds as the quiet time on the switch:

Switch(config-if)# dot1x timeout quiet-period 30

This example shows how to set 25 seconds as the switch-to-authentication server retransmission time:

Switch(config)# dot1x timeout server-timeout 25

This example shows how to set 25 seconds as the switch-to-client retransmission time for the EAP request frame:

Switch(config-if)# dot1x timeout supp-timeout 25

This example shows how to set 60 as the number of seconds to wait for a response to an EAP-request/identity frame from the client before resending the request:

Switch(config-if)# dot1x timeout tx-period 60

You can verify your settings by entering the show dot1x privileged EXEC command.

Related Commands

Command	Description
dot1x max-req	Sets the maximum number of times that the switch sends an EAP-request/identity frame before restarting the authentication process.
dot1x reauthentication	Enables periodic re-authentication of the client.
show dot1x	Displays 802.1x status for all ports.

dot1x violation-mode

Use the dot1x violation-mode interface configuration command on the switch stack or on a standalone switch to configure the violation modes that occur when a new device connects to a port or when a new device connects to a port after the maximum number of devices are connected to that port.

dot1x violation-mode {shutdown | restrict | protect}

no dot1x violation-mode

Syntax Description

shutdown	Error disables the port or the virtual port on which a new unexpected MAC address occurs.
restrict	Generates a syslog error when a violation error occurs.
protect	Silently discards packets from any new MAC addresses. This is the default setting.

Defaults

By default dot1x violation-mode protect is enabled.

Command Modes

Interface configuration

Command History

Release	Modification
12.2(46)SE	This command was introduced.

Examples

This example shows how to configure an IEEE 802.1x-enabled port as error disabled and to shut down when a new device connects to the port:

Switch(config-if)# dot1x violation-mode shutdown

This example shows how to configure an IEEE 802.1x-enabled port to generate a system error message and change the port to restricted mode when a new device connects to the port:

Switch(config-if)# dot1x violation-mode restrict

This example shows how to configure an IEEE 802.1x-enabled port to ignore a new connected device when it is connected to the port:

Switch(config-if)# dot1x violation-mode protect

You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.

Related Commands

Command	Description
show dot1x [interface interface-id]	Displays IEEE 802.1x status for the specified port.

duplex

Use the duplex interface configuration command to specify the duplex mode of operation for Fast Ethernet and Gigabit Ethernet ports. Use the no form of this command to return the port to its default value.

duplex {auto | full | half}

no duplex

Syntax Description

auto	Enable automatic duplex configuration; port automatically detects whether it should run in full- or half-duplex mode, depending on the attached device mode.
full	Enable full-duplex mode.
half	Enable half-duplex mode (for Fast Ethernet ports only).

Defaults

The default is auto for Fast Ethernet ports and for 1000BASE-T small form-factor pluggable (SFP) modules.

The default is full for 100BASE-FX MMF SFP modules.

Command Modes

Interface configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.
12.2(25)EY	Support for the half keyword was added for the 100BASE-FX SFP module.

Usage Guidelines

For Fast Ethernet ports, setting the port to auto has the same effect as specifying half if the attached device does not autonegotiate the duplex parameter.

For Gigabit Ethernet ports, setting the port to auto has the same effect as specifying full if the attached device does not autonegotiate the duplex parameter.

Certain ports can be configured to be either full duplex or half duplex. Applicability of this command depends on the device to which the switch is attached.

If both ends of the line support autonegotiation, we highly recommend using the default autonegotiation settings. If one interface supports autonegotiation and the other end does not, configure duplex and speed on both interfaces; do use the auto setting on the supported side.

If the speed is set to auto, the switch negotiates with the device at the other end of the link for the speed setting and then forces the speed setting to the negotiated value. The duplex setting remains as configured on each end of the link, which could result in a duplex setting mismatch.

For 10/100 Mbps ports, if both speed and duplex are set to specific values, the link operates at the negotiated speed and duplex value.

For 10/100/1000 Mbps ports, if both the speed and duplex are set to specific values, autonegotiation is disabled.

Beginning with Cisco IOS Release 12.2(25)EY, you can configure the duplex setting when the speed is set to auto.

This command is not available on SFP module ports unless a 1000BASE-T SFP module or a 100BASE-FX MMF SFP module is in the port. All other SFP modules operate only in full-duplex mode.

•When a 1000BASE-T SFP module is in the SFP module port, you can configure duplex mode to auto or full.

•When a 100BASE-FX SFP module is in the SFP module port, you can configure duplex mode to half or full. Although the auto keyword is available, it puts the interface in half-duplex mode (the default) because the 100BASE-FX SFP module does not support autonegotiation.

---

Note The 100BASE-FX SFP modules are not supported on the ES ports.

---

---

Caution Changing the interface speed and duplex mode configuration might shut down and reenable the interface during the reconfiguration.

---

For guidelines on setting the switch speed and duplex parameters, see the "Configuring Interface Characteristics" chapter in the software configuration guide for this release.

Examples

This example shows how to configure a port for full duplex operation:

Switch(config)# interface fastethernet1/0/11

Switch(config-if)# duplex full

You can verify your setting by entering the show interfaces privileged EXEC command.

Related Commands

Command	Description
show interfaces	Displays the interface settings on the switch.
speed	Sets the speed on a 10/100 or 10/100/1000 Mbps interface.

errdisable detect cause

Use the errdisable detect cause global configuration command to enable error-disabled detection for a specific cause or all causes. Use the no form of this command to disable the error-disabled detection feature.

errdisable detect cause {all | dtp-flap | gbic-invalid | l2ptguard| link-flap | loopback | pagp-flap}

no errdisable detect cause {all | dtp-flap | gbic-invalid | l2ptguard | link-flap | loopback | pagp-flap}

Syntax Description

all	Enable error detection for all error-disabled causes.
dtp-flap	Enable error detection for the Dynamic Trunking Protocol (DTP) flapping.
gbic-invalid	Enable error detection for an invalid GBIC. This error refers to an invalid small form-factor pluggable (SFP) module interface cause.
l2ptguard	Enable error detection for a Layer 2 protocol-tunnel error-disabled cause.
link-flap	Enable error detection for link-state flapping.
loopback	Enable error detection for detected loopbacks.
pagp-flap	Enable error detection for the Port Aggregation Protocol (PAgP) flap-error-disabled cause.

---

Note Though visible in the command-line help strings, the dhcp-rate-limit keyword is not supported.

---

Defaults

Detection is enabled for all causes. All causes, except for per-VLAN error disabling, are configured to shut down the entire port.

Command Modes

Global configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

A cause (dtp-flap, gbic-invalid, l2ptguard, link-flap, loopback, and pagp-flap) is the reason why the error-disabled state occurred. When a cause is detected on an interface, the interface is placed in an error-disabled state, an operational state that is similar to link-down state.

When a port is error-disabled, it is effectively shut down, and no traffic is sent or received on the port.

If you set a recovery mechanism for the cause by entering the errdisable recovery global configuration command for the cause, the interface is brought out of the error-disabled state and allowed to retry the operation when all causes have timed out. If you do not set a recovery mechanism, you must enter the shutdown and then the no shutdown commands to manually recover an interface from the error-disabled state.

Examples

This example shows how to enable error-disabled detection for the link-flap error-disabled cause:

Switch(config)# errdisable detect cause link-flap

You can verify your setting by entering the show errdisable detect privileged EXEC command.

Related Commands

Command	Description
show errdisable detect	Displays errdisable detection information.
show interfaces status err-disabled	Displays interface status or a list of interfaces in the error-disabled state.

errdisable detect cause small-frame

Use the errdisable detect cause small-frame global configuration command on the switch stack or on a standalone switch to allow any switch port to be error disabled if incoming VLAN-tagged packets are small frames (67 bytes or less) and arrive at the minimum configured rate (the threshold). Use the no form of this command to return to the default setting.

errdisable detect cause small-frame

no errdisable detect cause small-frame

Syntax Description

This command has no arguments or keywords.

Defaults

This feature is disabled.

Command Modes

Global configuration

Command History

Release	Modification
12.2(44)SE	This command was introduced.

Usage Guidelines

This command globally enables the small-frame arrival feature. Use the small violation-rate interface configuration command to set the threshold for each port.

You can configure the port to be automatically re-enabled by using the errdisable recovery cause small-frame global configuration command. You configure the recovery time by using the errdisable recovery interval interval global configuration command.

Examples

This example shows how to enable the switch ports to be put into the error-disabled mode if incoming small frames arrive at the configured threshold:

Switch(config)# errdisable detect cause small-frame

You can verify your setting by entering the show interfaces privileged EXEC command.

Related Commands

Command	Description
errdisable recovery cause small-frame	Enables the recovery timer.
errdisable recovery interval interval	Specifies the time to recover from the specified error-disabled state.
show interfaces	Displays the interface settings on the switch, including input and output flow control.
small-frame violation-rate	Configures the rate (threshold) for incoming small frames to cause a port to be put into the error-disabled state.

errdisable recovery cause small-frame

Use the errdisable recovery cause small-frame global configuration command on the switch stack or on a standalone switch to enable the recovery timer for ports to be automatically re-enabled after they are error disabled by the arrival of small frames. Use the no form of this command to return to the default setting.

errdisable recovery cause small-frame

no errdisable recovery cause small-frame

Syntax Description

This command has no arguments or keywords.

Defaults

This feature is disabled.

Command Modes

Global configuration

Command History

Release	Modification
12.2(44)SE	This command was introduced.

Usage Guidelines

This command enables the recovery timer for error-disabled ports. You configure the recovery time by using the errdisable recovery interval interval interface configuration command.

Examples

This example shows how to set the recovery timer:

Switch(config)# errdisable recovery cause small-frame

You can verify your setting by entering the show interfaces user EXEC command.

Related Commands

Command	Description
errdisable detect cause small-frame	Allows any switch port to be put into the error-disabled state if an incoming frame is smaller than the configured minimum size and arrives at the specified rate (threshold).
show interfaces	Displays the interface settings on the switch, including input and output flow control.
small-frame violation-rate	Configures the size for an incoming (small) frame to cause a port to be put into the error-disabled state.

errdisable recovery

Use the errdisable recovery global configuration command to configure the recover mechanism variables. Use the no form of this command to return to the default setting.

errdisable recovery {cause {all | arp-inspection | bpduguard | channel-misconfig | dtp-flap | gbic-invalid | l2ptguard| link-flap | loopback | pagp-flap | psecure-violation | security-violation | udld | vmps} | {interval interval}

no errdisable recovery {cause {all |arp-inspection | bpduguard | channel-misconfig | dtp-flap | gbic-invalid | l2ptguard| link-flap | loopback | pagp-flap | psecure-violation | security-violation | udld | vmps} | {interval interval}

Syntax Description

cause	Enable error disable to recover from a specific cause.
all	Enable the timer to recover from all error-disable causes.
arp-inspection	Enable error detection for dynamic Address Resolution Protocol (ARP) inspection.
bpduguard	Enable the timer to recover from the bridge protocol data unit (BPDU) guard error-disable state.
channel-misconfig	Enable the timer to recover from the EtherChannel misconfiguration error-disable state.
dtp-flap	Enable the timer to recover from the Dynamic Trunking Protocol (DTP) flap error-disable state.
gbic-invalid	Enable the timer to recover from an invalid GBIC error-disable state. This error refers to an invalid small form-factor pluggable (SFP) interface state.
l2ptguard	Enable the timer to recover from a Layer 2 protocol tunnel error-disable state.
link-flap	Enable the timer to recover from the link-flap error-disable state.
loopback	Enable the timer to recover from a loopback error-disable state.
pagp-flap	Enable the timer to recover from the Port Aggregation Protocol (PAgP)-flap error-disable state.
psecure-violation	Enable the timer to recover from a port security violation disable state.
security-violation	Enable the timer to recover from an 802.1x-violation disable state
udld	Enable the timer to recover from the UniDirectional Link Detection (UDLD) error-disabled state.
vmps	Enable the timer to recover from the VLAN Membership Policy Server (VMPS) error-disabled state.
interval interval	Specify the time to recover from the specified error-disabled state. The range is 30 to 86400 seconds. The same interval is applied to all causes. The default interval is 300 seconds. Note The error-disabled recovery timer is initialized at a random differential from the configured interval value. The difference between the actual timeout value and the configured value can be up to 15 percent of the configured interval.

---

Note Though visible in the command-line help strings, the dhcp-rate-limit, unicast-flood, and channel-misconfig keywords are not supported.

---

Defaults

Recovery is disabled for all causes.

The default recovery interval is 300 seconds.

Command Modes

Global configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.
12.2(25)EY	The arp-inspection keyword was added.

Usage Guidelines

A cause (bpduguard, dtp-flap, gbic-invalid, l2ptguard, link-flap, loopback, pagp-flap, psecure-violation, security-violation, udld, vmps) is defined as the reason why the error-disabled state occurred. When a cause is detected on an interface, the interface is placed in error-disabled state, an operational state similar to link-down state. If you do not enable errdisable recovery for the cause, the interface stays in error-disabled state until you enter a shutdown and no shutdown interface configuration command. If you enable the recovery for a cause, the interface is brought out of the error-disabled state and allowed to retry the operation again when all the causes have timed out.

Otherwise, you must enter the shutdown then no shutdown commands to manually recover an interface from the error-disabled state.

Examples

This example shows how to enable the recovery timer for the BPDU guard error-disable cause:

Switch(config)# errdisable recovery cause bpduguard

This example shows how to set the timer to 500 seconds:

Switch(config)# errdisable recovery interval 500

You can verify your settings by entering the show errdisable recovery privileged EXEC command.

Related Commands

Command	Description
show etherchannel	Displays errdisable recovery timer information.
show interfaces status err-disabled	Displays interface status or a list of interfaces in error-disabled state.

ethernet evc

Use the ethernet evc global configuration command to define an Ethernet virtual connection (EVC) and to enter EVC configuration mode. Use the no form of this command to delete the EVC.

ethernet evc evc-id

no ethernet evc evc-id

Syntax Description

evc-id

The EVC identifier. This can be a string of from 1 to 100 characters.

Defaults

No EVCs are defined.

Command Modes

Global configuration

Command History

Release	Modification
12.2(25)SEG	This command was introduced.

Usage Guidelines

After you enter the ethernet evc evc-id command, the switch enters EVC configuration mode, and these configuration commands are available:

•default: sets the EVC to its default states.

•exit: exits EVC configuration mode and returns to global configuration mode.

•no: negates a command or returns a command to its default setting.

•oam protocol cfm svlan: configures the Ethernet operation, administration, and maintenance (OAM) protocol as IEEE 802.1ag Connectivity Fault Management (CFM) and sets parameters. See the oam protocol cfm svlan command.

•uni count: configures a UNI count for the EVC. See the uni count command.

Examples

This example shows how to define an EVC and to enter EVC configuration mode:

Switch(config)# ethernet evc test1

Switch(config-evc)#

Related Commands

Command	Description
service instance id ethernet evc-id	Configures an Ethernet service instance and attaches an EVC to it.
show ethernet service evc	Displays information about configured EVCs.

ethernet lmi

Use the ethernet lmi global configuration command to configure enable Ethernet Local Management Interface (E-LMI) and to configure the switch as a provider-edge (PE) or customer-edge (CE) device. Use the no form of this command to disable E-LMI globally or to disable E-LMI CE.

ethernet lmi {ce | global}

no ethernet lmi {ce | global}

Syntax Description

ce	Enable the switch as an E-LMI CE device. Note Ethernet LMI is disabled by default. You must enable it globally or on an interface in addition to enabling it in CE mode.
global	Enable E-LMI globally on the switch. By default, the switch is a PE device.

Defaults

Ethernet LMI is disabled. When enabled with the global keyword, by default the switch is a PR device.

Command Modes

Global configuration

Command History

Release	Modification
12.2(25)SEG	This command was introduced.
12.2(37)SE	The ce keyword was added.

Usage Guidelines

Use ethernet lmi global command to enable E-LMI globally. Use ethernet lmi ce command to enable the switch as E-LMI CE device.

Ethernet LMI is disabled by default on an interface and must be explicitly enabled by entering the ethernet lmi interface interface configuration command. The ethernet lmi global command enables Ethernet LMI in PE mode on all interfaces for an entire device. The benefit of this command is that you can enable Ethernet LMI on all interfaces with one command instead of enabling Ethernet LMI separately on each interface. To enable the interface in CE mode, you must also enter the ethernet lmi ce global configuration command.

To disable Ethernet LMI on a specific interface after you have entered the ethernet lmi global command, enter the no ethernet lmi interface interface configuration command.

The sequence in which you enter the ethernet lmi interface interface configuration and ethernet lmi global global configuration commands is important. The latest command entered overrides the prior command entered.

---

Note For information about the ethernet lmi interface configuration command, see the Cisco IOS Carrier Ethernet Command Reference at this URL:
http://www.cisco.com/en/US/docs/ios/cether/command/reference/ce_book.html

---

To enable the switch as an Ethernet LMI CE device, you must enter both the ethernet lmi global and ethernet lmi ce commands. By default Ethernet LMI is disabled, and, when enabled the switch is in provider-edge mode unless you also enter the ethernet lmi ce command.

When the switch is configured as an Ethernet LMI CE device, these interface configuration commands and keywords are visible, but not supported:

•service instance

•ethernet uni

•ethernet lmi t392

Examples

This example shows how to configure the switch as an Ethernet LMI CE device:

Switch(config)# ethernet lmi global

Switch(config)# ethernet lmi ce

Related Commands

Command	Description
ethernet lmi interface configuration command	Enables Ethernet LMI for a user-network interface.

ethernet lmi ce-vlan map

Use the ethernet lmi ce-vlan map Ethernet service configuration command to configure Ethernet Local Management Interface (E-LMI) parameters. Use the no form of this command to remove the configuration.

ethernet lmi ce-vlan map {vlan-id | any | default | untagged}

no ethernet lmi ce-vlan map {vlan-id | any | default | untagged}

Syntax Description

vlan-id	Enter the customer VLAN ID or VLAN IDs to map to. You can enter a single VLAN ID (the range is 1 to 4094), a range of VLAN IDs separated by a hyphen, or a series of VLAN IDs separated by commas.
any	Map all VLANs (untagged and VLANs 1 to 4094).
default	Map to the default service instance. You can use the default keyword only if you have already mapped the service instance to a VLAN or a group of VLANs.
untagged	Map only untagged VLANs.

Defaults

No E-LMI mapping parameters are defined.

Command Modes

Ethernet service configuration

Command History

Release	Modification
12.2(25)SEG	This command was introduced.

Usage Guidelines

Use this command to configure an E-LMI customer VLAN-to-EVC map for a particular user-network interface (UNI).

E-LMI mapping parameters are related to the bundling characteristics set by entering the ethernet uni {bundle [all-to-one] | multiplex} interface configuration command.

•Using the default UNI attribute (bundling and multiplexing) supports multiple EVCs and multiple VLANs.

•Entering the ethernet uni bundle command supports only one EVC with one or more VLANs.

•Entering the ethernet uni bundle all-to-one command supports multiple VLANs but only one EVC. If you use the ethernet lmi ce-vlan map any Ethernet service configuration command, you must first configure all-to-one bundling on the interface.

•Entering the ethernet uni multiplex command supports multiple EVCs with only one VLAN per EVC.

Examples

This example shows how to configure an E-LMI customer VLAN-to-EVC map to map EVC test to customer VLAN 101 in service instance 333 on the interface:

Switch(config-if)# service instance 333 ethernet test

Switch(config-if-srv)# ethernet lmi ce-vlan map 101

Related Commands

Command	Description
service instance id ethernet	Defines an Ethernet service instance and enters Ethernet service configuration mode.
show ethernet service instance	Displays information about configured Ethernet service instances.

ethernet oam remote-failure

Use the ethernet oam remote-failure interface configuration or configuration template command to configure Ethernet operations, maintenance, and administration (EOM) remote failure indication. Use the no form of this command to remove the configuration.

ethernet oam remote-failure {critical-event | dying-gasp | link-fault} action error-disable-interface

no ethernet oam remote-failure {critical-event | dying-gasp | link-fault} action

Syntax Description

critical-event	Configure the switch to put an interface in error-disabled mode when an unspecified critical event has occurred.
dying-gasp	Configure the switch to put an interface in error-disabled mode when an unrecoverable condition has occurred.
link-fault	Configure the switch to put an interface in error-disabled mode when the receiver detects a loss of power.

Defaults

Configuration template

Interface configuration

Command Modes

Ethernet service configuration

Command History

Release	Modification
12.2(35)SE	This command was introduced.

Usage Guidelines

You can apply this command to an Ethernet OAM template and to an interface. The interface configuration takes precedence over template configuration. To enter OAM template configuration mode, use the template template-name global configuration command.

You can configure an error-disable action to occur if the remote link goes down, if the remote device is disabled, or if the remote device disables Ethernet OAM on the interface.

The Catalyst 3750 Metro switch does not generate Link Fault or Critical Event OAM PDUs. However, if these PDUs are received from a link partner, they are processed. The switch supports generating and receiving Dying Gasp OAM PDUs when Ethernet OAM is disabled, the interface is shut down, the interface enters the error-disabled state, or the switch is reloading. It can respond to, but not generate, Dying Gasp PDUs based on loss of power.

For complete command and configuration information for the Ethernet OAM protocol, see the Cisco IOS Carrier Ethernet Configuration Guide at this URL:
http://www.cisco.com/en/US/docs/ios/cether/configuration/guide/12_2sr/ce_12_2sr_book.html

For information about other CFM and Ethernet OAM commands, see the Cisco IOS Carrier Ethernet Command Reference at this URL:
http://www.cisco.com/en/US/docs/ios/cether/command/reference/ce_book.html

Examples

This example shows how to configure an Ethernet OAM template for remote-failure indication when an unrecoverable error has occurred and how to apply it to an interface:

Switch(config)# template oam1

Switch(config-template)# ethernet oam remote-failure dying-gasp action error-disable 
interface

Switch(config-template)# exit

Switch(config)# interface gigabitethernet 0/1

Switch(config-if)# source template oam1

Switch(config-if)# exit

This example shows how to configure an Ethernet OAM remote-failure indication on one interface for unrecoverable errors:

Switch(config)# interface gigabitethernet 0/1

Switch(config-if)# ethernet oam remote-failure dying-gasp action error-disable interface

Switch(config-if)# exit

Related Commands

Command	Description
show ethernet oam status [interface interface-id]	Displays configured Ethernet OAM remote failure conditions on all interfaces or on the specified interface.

ethernet uni

Use the ethernet uni interface configuration command to set UNI bundling attributes. Use the no form of this command to return to the default bundling configuration.

ethernet uni {bundle [all-to-one] | multiplex}

no ethernet uni {bundle | multiplex}

Syntax Description

bundle	Configure the UNI to support bundling without multiplexing. This service supports only one Ethernet virtual connection (EVC) at the UNI with one or multiple customer edge (CE)-VLAN IDs mapped to the EVC.
all-to-one	(Optional) Configure the UNI to support bundling with a single EVC at the UNI and all CE VLANs mapped to that EVC.
multiplex	Configure the UNI to support multiplexing without bundling. The UNI can have one or more EVCs with a single CE-VLAN ID mapped to each EVC.

Defaults

If bundling or multiplexing attributes are not configured, the default is bundling with multiplexing. The UNI then has one or more EVCs with one or more CE VLANs mapped to each EVC.

Command Modes

Interface configuration

Command History

Release	Modification
12.2(25)SEG	This command was introduced.

Usage Guidelines

The UNI attributes determine the functionality that the interface has regarding bundling VLANs, multiplexing EVCs, and the combination of these.

If you want both bundling and multiplexing services for a UNI, you do not need to configure bundling or multiplexing. If you want only bundling, or only multiplexing, you need to configure it appropriately.

When you configure, change, or remove a UNI service type, the EVC and CE-VLAN ID configurations are checked to ensure that the configurations and the UNI service types match. If the configurations do not match, the command is rejected.

If you intend to use the ethernet lmi ce-vlan map any service configuration command, you must first configure all-to-one bundling on the interface. See the ethernet lmi ce-vlan map section for more information.

Examples

This example shows how to configure bundling without multiplexing:

Switch(config-if)# ethernet uni bundle

To verify UNI service type, enter the show ethernet service interface detail privileged EXEC command.

Related Commands

Command	Description
show ethernet service interface	Displays information about Ethernet service instances on an interface, including service type.

ethernet uni id

Use the ethernet uni interface configuration command to create an Ethernet user-network interface (UNI) ID. Use the no form of this command to remove the UNI ID.

ethernet uni id name

no ethernet uni id

Syntax Description

name	Identify an Ethernet UNI ID. The name should be unique for all UNIs that are part of a given service instance and can be up to 64 characters in length.

Defaults

No UNI IDs are created.

Command Modes

Interface configuration

Command History

Release	Modification
12.2(25)SEG	This command was introduced.

Usage Guidelines

When you configure a UNI ID on a port, that ID is used as the default name for all maintenance end points (MEPs) configured on the port.

You must enter the ethernet uni id name command on all ports that are directly connected to customer-edge (CE) devices. If the specified ID is not unique on the device, an error message appears.

Examples

This example shows how to identify a unique UNI:

Switch(config-if)# ethernet uni id test2

Related Commands

Command	Description
show ethernet service interface	Displays information about Ethernet service instances on an interface, including service type.

flowcontrol

Use the flowcontrol interface configuration command to set the receive flow-control state for an interface. When flow control send is operable and on for a device and it detects any congestion at its end, it notifies the link partner or the remote device of the congestion by sending a pause frame. When flow control receive is on for a device and it receives a pause frame, it stops sending any data packets. This prevents any loss of data packets during the congestion period.

Use the receive off keywords to disable flow control.

flowcontrol receive {desired | off | on}

---

Note The switch can only receive pause frames.

---

Syntax Description

receive	Sets whether the interface can receive flow-control packets from a remote device.
desired	Allows an interface to operate with an attached device that is required to send flow-control packets or with an attached device that is not required to but can send flow-control packets.
off	Turns off an attached device's ability to send flow-control packets to an interface.
on	Allows an interface to operate with an attached device that is required to send flow-control packets or with an attached device that is not required to but can send flow-control packets.

Defaults

The default is flowcontrol receive off.

Command Modes

Interface configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

The switch does not support sending flow-control pause frames.

Note that the on and desired keywords have the same result.

When you use the flowcontrol command to set a port to control traffic rates during congestion, you are setting flow control on a port to one of these conditions:

•receive on or desired: The port cannot send out pause frames, but can operate with an attached device that is required to or is able to send pause frames; the port is able to receive pause frames.

•receive off: Flow control does not operate in either direction. In case of congestion, no indication is given to the link partner and no pause frames are sent or received by either device.

Table 2-5 shows the flow control results on local and remote ports for a combination of settings. The table assumes that receive desired has the same results as using the receive on keywords.

Table 2-5 Flow Control Settings and Local and Remote Port Flow Control Resolution 

Flow Control Settings		Flow Control Resolution
Local Device	Remote Device	Local Device	Remote Device
send off/receive on	send on/receive on send on/receive off send desired/receive on send desired/receive off send off/receive on send off/receive off	Receives only Receives only Receives only Receives only Receives only Does not send or receive	Sends and receives Sends only Sends and receives Sends only Receives only Does not send or receive
send off/receive off	send on/receive on send on/receive off send desired/receive on send desired/receive off send off/receive on send off/receive off	Does not send or receive Does not send or receive Does not send or receive Does not send or receive Does not send or receive Does not send or receive	Does not send or receive Does not send or receive Does not send or receive Does not send or receive Does not send or receive Does not send or receive

Examples

This example shows how to configure the local port to not support flow control by the remote port:

Switch(config-if)# flowcontrol receive off

You can verify your settings by entering the show interfaces privileged EXEC command.

Related Commands

Command	Description
show interfaces	Displays the interface settings on the switch, including input and output flow control.

interface port-channel

Use the interface port-channel global configuration command to access or create the port-channel logical interface. Use the no form of this command to remove the port-channel.

interface port-channel port-channel-number

no interface port-channel port-channel-number

Syntax Description

port-channel-number

Port-channel number. The range is 1 to12.

Defaults

No port-channel logical interfaces are defined.

Command Modes

Global configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

For Layer 2 EtherChannels, you do not have to create a port-channel first before assigning a physical port to a channel group. Instead, you can use the channel-group interface configuration command. It automatically creates the port-channel when the channel group gets its first physical port. If you create the port-channel first, the channel-group-number can be the same as the port-channel-number, or you can use a new number. If you use a new number, the channel-group command dynamically creates a new port channel.

You create Layer 3 port channels by using the interface port-channel command followed by the no switchport interface configuration command. You should manually configure the port-channel logical interface before putting the interface into the channel group.

Only one port channel in a channel group is allowed.

---

Caution When using a port-channel interface as a routed port, do not assign Layer 3 addresses on the physical ports that are assigned to the channel group.

---

---

Caution Do not assign bridge groups on the physical ports in a channel group used as a Layer 3 port-channel interface because it creates loops. You must also disable spanning tree.

---

Follow these guidelines when you use the interface port-channel command:

•If you want to use the Cisco Discovery Protocol (CDP), you must configure it only on the physical port and not on the port-channel.

•Do not configure a port that is an active member of an EtherChannel as an 802.1x port. If 802.1x is enabled on a not-yet active port of an EtherChannel, the port does not join the EtherChannel.

For a complete list of configuration guidelines, see the "Configuring EtherChannels" chapter in the software guide for this release.

Examples

This example shows how to create port-channel 5:

Switch(config)# interface port-channel 5

You can verify your setting by entering the show running-config privileged EXEC or show etherchannel channel-group-number detail privileged EXEC command.

Related Commands

Command	Description
channel-group	Assigns an Ethernet port to an EtherChannel group.
show etherchannel	Displays EtherChannel information for a channel.
show running-config	Displays the operating configuration. For syntax information, use this link to the Cisco IOS Release 12.2 Command Reference listing page: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/prod_command_reference_list.html Select the Cisco IOS Commands Master List, Release 12.2 to navigate to the command.

interface range

Use the interface range global configuration command to enter interface range configuration mode and to execute a command on multiple ports at the same time. Use the no form of this command to remove an interface range.

interface range {port-range | macro name}

no interface range {port-range | macro name}

Syntax Description

port-range	Port range. For a list of valid values for port-range, see the "Usage Guidelines" section.
macro name	Specify the name of a macro.

Defaults

This command has no default setting.

Command Modes

Global configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

When you enter interface range configuration mode, all interface parameters you enter are attributed to all interfaces within the range.

For VLANs, you can use the interface range command only on existing VLAN switch virtual interfaces (SVIs). To display VLAN SVIs, enter the show running-config privileged EXEC command. VLANs not displayed cannot be used in the interface range command. The commands entered under interface range command are applied to all existing VLAN SVIs in the range.

All configuration changes made to an interface range are saved to NVRAM, but the interface range itself is not saved to NVRAM.

You can enter the interface range in two ways:

•Specifying up to five interface ranges

•Specifying a previously defined interface-range macro

All interfaces in a range must be the same type; that is, all Fast Ethernet ports, all Gigabit Ethernet ports, all EtherChannel ports, or all VLANs. However, you can define up to five interface ranges with a single command, with each range separated by a comma.

Valid values for port-range type and interface:

•vlan vlan-ID - vlan-ID, where VLAN ID is from 1 to 4094

•port-channel port-channel-number - port-channel-number, where port-channel-number is from 1 to 12

---

Note When you use the interface range command with port channels, the first and last port channel number in the range must be active port channels.

---

•fastethernet switch number (always 1)/module/{first port} - {last port}

•gigabitethernet switch number (always 1)/module/{first port} - {last port}

For physical interfaces:

•The switch number is always 1.

•The module number is 0 for 10/100 ports and standard SFP module slots and 1 for enhanced-services (ES) ports.

•The range is type 1/module-number/number - number (for example, gigabitethernet 1/0/1 - 2).

When you define a range, you must enter a space between the first entry and the hyphen (-):

interface range gigabitethernet1/0/1 -2

When you define multiple ranges, you must still enter a space after the first entry, before the comma (,):

interface range fastethernet1/0/3 , gigabitethernet1/0/1 - 2

interface range fastethernet1/0/3 -5, fastethernet1/0/7 -8

You cannot specify both a macro and an interface range in the same command.

A single interface can also be specified in port-range (this would make the command similar to the interface interface-id global configuration command).

---

Note For more information about configuring interface ranges, see the software configuration guide for this release.

---

Examples

This example shows how to use the interface range command to enter interface range configuration mode to apply commands to two ports:

Switch(config)# interface range gigabitethernet1/0/1 - 2

Switch(config-if-range)#

This example shows how to use a port-range macro macro1 for the same function. The advantage is that you can reuse macro1 until you delete it.

Switch(config)# define interface-range macro1 gigabitethernet1/0/1 - 2

Switch(config)# interface range macro macro1

Switch(config-if-range)#

Related Commands

Command	Description
define interface-range	Creates an interface range macro.
show running-config	Displays the operating configuration. For syntax information, use this link to the Cisco IOS Release 12.2 Command Reference listing page: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/prod_command_reference_list.html Select the Cisco IOS Commands Master List, Release 12.2 to navigate to the command.

interface vlan

Use the interface vlan global configuration command to create or access a dynamic switch virtual interface (SVI) and to enter interface configuration mode. Use the no form of this command to delete an SVI.

interface vlan vlan-id

no interface vlan vlan-id

Syntax Description

vlan-id

VLAN number. The range is 1 to 4094.

Defaults

The default VLAN interface is VLAN 1.

Command Modes

Global configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

You cannot delete the VLAN 1 interface.

SVIs are created the first time that you enter the interface vlan vlan-id command for a particular VLAN. The vlan-id corresponds to the VLAN-tag associated with data frames on an ISL or 802.1Q encapsulated trunk or the VLAN ID configured for an access port.

---

Note When you create an SVI, it does not become active until it is associated with a physical port.

---

If you delete an SVI by entering the no interface vlan vlan-id command, the deleted interface is no longer visible in the output from the show interfaces privileged EXEC command.

You can reinstate a deleted SVI by entering the interface vlan vlan-id command for the deleted interface. The interface comes back up, but much of the previous configuration will be gone.

The interrelationship between the number of SVIs configured on a switch and the number of other features being configured might have an impact on CPU utilization due to hardware limitations. You can use the sdm prefer global configuration command to reallocate system hardware resources based on templates and feature tables. For more information, see the sdm prefer command.

Examples

This example shows how to create a new SVI with VLAN ID 23 and enter interface configuration mode:

Switch(config)# interface vlan 23

Switch(config-if)#

You can verify your setting by entering the show interfaces and show interfaces vlan vlan-id privileged EXEC commands.

Related Commands

Command	Description
show interfaces vlan vlan-id	Displays the administrative and operational status of all interfaces or the specified VLAN.

ip access-group

Use the ip access-group interface configuration command to control access to a Layer 2 or Layer 3 interface. Use the no form of this command to remove all access groups or the specified access group from the interface.

ip access-group {access-list-number | name} {in | out}

no ip access-group [access-list-number | name] {in | out}

Syntax Description

access-list-number	The number of the IP access control list (ACL). The range is 1 to 199 or 1300 to 2699.
name	The name of an IP ACL, specified in the ip access-list global configuration command.
in	Specify filtering on inbound packets.
out	Specify filtering on outbound packets. This keyword is valid only on Layer 3 interfaces.

Defaults

No access list is applied to the interface.

Command Modes

Interface configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

You can apply named or numbered standard or extended IP access lists to an interface. To define an access list by name, use the ip access-list global configuration command. To define a numbered access list, use the access list global configuration command. You can used numbered standard access lists ranging from 1 to 99 and 1300 to 1999 or extended access lists ranging from 100 to 199 and 2000 to 2699.

You can use this command to apply an access list to a Layer 2 or Layer 3 interface. However, note these limitations for Layer 2 interfaces (port ACLs):

•You can only apply ACLs in the inbound direction; the out keyword is not supported for Layer 2 interfaces.

•You can only apply one IP ACL and one MAC ACL per interface.

•Layer 2 interfaces do not support logging; if the log keyword is specified in the IP ACL, it is ignored.

•An IP ACL applied to a Layer 2 interface only filters IP packets. To filter non-IP packets, use the mac access-group interface configuration command with MAC extended ACLs.

You can use router ACLs, input port ACLs, and VLAN maps on the same switch. However, a port ACL takes precedence over a router ACL or VLAN map.

•When an input port ACL is applied to an interface and a VLAN map is applied to a VLAN that the interface is a member of, incoming packets received on ports with the ACL applied are filtered by the port ACL. Other packets are filtered by the VLAN map

•When an input router ACL and input port ACLs exist in an switch virtual interface (SVI), incoming packets received on ports to which a port ACL is applied are filtered by the port ACL. Incoming routed IP packets received on other ports are filtered by the router ACL. Other packets are not filtered.

•When an output router ACL and input port ACLs exist in an SVI, incoming packets received on the ports to which a port ACL is applied are filtered by the port ACL. Outgoing routed IP packets are filtered by the router ACL. Other packets are not filtered.

•When a VLAN map, input router ACLs, and input port ACLs exist in an SVI, incoming packets received on the ports to which a port ACL is applied are only filtered by the port ACL. Incoming routed IP packets received on other ports are filtered by both the VLAN map and the router ACL. Other packets are filtered only by the VLAN map.

•When a VLAN map, output router ACLs, and input port ACLs exist in an SVI, incoming packets received on the ports to which a port ACL is applied are only filtered by the port ACL. Outgoing routed IP packets are filtered by both the VLAN map and the router ACL. Other packets are filtered only by the VLAN map.

You can apply IP ACLs to both outbound or inbound Layer 3 interfaces.

A Layer 3 interface can have one IP ACL applied in each direction.

You can configure only one VLAN map and one router ACL in each direction (input/output) on a VLAN interface.

For standard inbound access lists, after the switch receives a packet, it checks the source address of the packet against the access list. IP extended access lists can optionally check other fields in the packet, such as the destination IP address, protocol type, or port numbers. If the access list permits the packet, the switch continues to process the packet. If the access list denies the packet, the switch discards the packet. If the access list has been applied to a Layer 3 interface, discarding a packet (by default) causes the generation of an Internet Control Message Protocol (ICMP) Host Unreachable message. ICMP Host Unreachable messages are not generated for packets discarded on a Layer 2 interface.

For standard outbound access lists, after receiving a packet and sending it to a controlled interface, the switch checks the packet against the access list. If the access list permits the packet, the switch sends the packet. If the access list denies the packet, the switch discards the packet and, by default, generates an ICMP Host Unreachable message.

If the specified access list does not exist, all packets are passed.

Examples

This example shows how to apply IP access list 101 to inbound packets on a port:

Switch(config)# interface gigabitethernet1/0/1

Switch(config-if)# ip access-group 101 in

You can verify your settings by entering the show ip interface, show access-lists, or show ip access-lists privileged EXEC command.

Related Commands

Command	Description
access list	Configures a numbered ACL. For syntax information, select Cisco IOS IP Command Reference, Volume 1 of 3:Addressing and Services, Release 12.2 > IP Services Commands.
ip access-list	Configures a named ACL. For syntax information, select Cisco IOS IP Command Reference, Volume 1 of 3:Addressing and Services, Release 12.2 > IP Services Commands.
show access-lists	Displays ACLs configured on the switch.
show ip access-lists	Displays IP ACLs configured on the switch. For syntax information, select Cisco IOS IP Command Reference, Volume 1 of 3:Addressing and Services, Release 12.2 > IP Services Commands.
show ip interface	Displays information about interface status and configuration. For syntax information, select Cisco IOS IP Command Reference, Volume 1 of 3:Addressing and Services, Release 12.2 > IP Services Commands.

ip address

Use the ip address interface configuration command to set an IP address for the Layer 2 switch or an IP address for each switch virtual interface (SVI) or routed port on the Layer 3 switch. Use the no form of this command to remove an IP address or to disable IP processing.

ip address ip-address subnet-mask [secondary]

no ip address [ip-address subnet-mask] [secondary]

Syntax Description

ip-address	IP address.
subnet-mask	Mask for the associated IP subnet.
secondary	(Optional) Specifies that the configured address is a secondary IP address. If this keyword is omitted, the configured address is the primary IP address.

Defaults

No IP address is defined.

Command Modes

Interface configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

If you remove the switch IP address through a Telnet session, your connection to the switch will be lost.

Hosts can determine subnet masks using the Internet Control Message Protocol (ICMP) Mask Request message. Routers respond to this request with an ICMP Mask Reply message.

You can disable IP processing on a particular interface by removing its IP address with the no ip address command. If the switch detects another host using one of its IP addresses, it will send an error message to the console.

You can use the optional keyword secondary to specify an unlimited number of secondary addresses. Secondary addresses are treated like primary addresses, except the system never generates datagrams other than routing updates with secondary source addresses. IP broadcasts and ARP requests are handled properly, as are interface routes in the IP routing table.

---

Note If any router on a network segment uses a secondary address, all other devices on that same segment must also use a secondary address from the same network or subnet. Inconsistent use of secondary addresses on a network segment can very quickly cause routing loops.

---

When you are routing Open Shortest Path First (OSPF), ensure that all secondary addresses of an interface fall into the same OSPF area as the primary addresses.

If your switch receives its IP address from a Bootstrap Protocol (BOOTP) or DHCP server and you remove the switch IP address by using the no ip address command, IP processing is disabled, and the BOOTP or DHCP server cannot reassign the address.

A Layer 3 switch can have an IP address assigned to each routed port and SVI. The number of routed ports and SVIs that you can configure is not limited by software; however, the interrelationship between this number and the number of other features being configured might have an impact on CPU utilization due to hardware limitations. You can use the sdm prefer global configuration command to reallocate system hardware resources based on templates and feature tables. For more information, see the sdm prefer command.

Examples

This example shows how to configure the IP address for the Layer 2 switch on a subnetted network:

Switch(config)# interface vlan 1

Switch(config-if)# ip address 172.20.128.2 255.255.255.0

This example shows how to configure the IP address for a port on the Layer 3 switch:

Switch(config)# ip multicast-routing

Switch(config)# interface gigabitethernet1/0/1

Switch(config-if)# no switchport

Switch(config-if)# ip address 172.20.128.2 255.255.255.0

You can verify your settings by entering the show running-config privileged EXEC command.

Related Commands

Command	Description
show running-config	Displays the operating configuration. For syntax information, use this link to the Cisco IOS Release 12.2 Command Reference listing page: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/prod_command_reference_list.html Select the Cisco IOS Commands Master List, Release 12.2 to navigate to the command.

ip arp inspection filter vlan

Use the ip arp inspection filter vlan global configuration command on the switch stack or on a standalone switch to permit or deny Address Resolution Protocol (ARP) requests and responses from a host configured with a static IP address when dynamic ARP inspection is enabled. Use the no form of this command to return to the default settings.

ip arp inspection filter arp-acl-name vlan vlan-range [static]

no ip arp inspection filter arp-acl-name vlan vlan-range [static]

This command is available only if your switch is running the enhanced multilayer image (EMI).

Syntax Description

arp-acl-name	ARP access control list (ACL) name.
vlan-range	VLAN number or range. You can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.
static	(Optional) Specify static to treat implicit denies in the ARP ACL as explicit denies and to drop packets that do not match any previous clauses in the ACL. DHCP bindings are not used. If you do not specify this keyword, it means that there is no explicit deny in the ACL that denies the packet, and DHCP bindings determine whether a packet is permitted or denied if the packet does not match any clauses in the ACL.

Defaults

No defined ARP ACLs are applied to any VLAN.

Command Modes

Global configuration

Command History

Release	Modification
12.2(25)EY	This command was introduced.

Usage Guidelines

When an ARP ACL is applied to a VLAN for dynamic ARP inspection, only the ARP packets with IP-to-MAC address bindings are compared against the ACL. If the ACL permits a packet, the switch forwards it. All other packet types are bridged in the ingress VLAN without validation.

If the switch denies a packet because of an explicit deny statement in the ACL, the packet is dropped. If the switch denies a packet because of an implicit deny statement, the packet is then compared against the list of DHCP bindings (unless the ACL is static, which means that packets are not compared against the bindings).

Use the arp access-list acl-name global configuration command to define the ARP ACL or to add clauses to the end of a predefined list.

Examples

This example shows how to apply the ARP ACL static-hosts to VLAN 1 for dynamic ARP inspection:

Switch(config)# ip arp inspection filter static-hosts vlan 1

You can verify your settings by entering the show ip arp inspection vlan 1 privileged EXEC command.

Related Commands

Command	Description
arp access-list	Defines an ARP ACL.
deny (ARP access-list configuration)	Denies an ARP packet based on matches against the DHCP bindings.
permit (MAC-access list configuration)	Permits an ARP packet based on matches against the DHCP bindings.
show arp access-list	Displays detailed information about ARP access lists.
show ip arp inspection vlan vlan-range	Displays the configuration and the operating state of dynamic ARP inspection for the specified VLAN.

ip arp inspection limit

Use the ip arp inspection limit interface configuration command on the switch stack or on a standalone switch to limit the rate of incoming Address Resolution Protocol (ARP) requests and responses on an interface. It prevents dynamic ARP inspection from using all of the switch resources if a denial-of-service attack occurs. Use the no form of this command to return to the default settings.

ip arp inspection limit {rate pps [burst interval seconds] | none}

no ip arp inspection limit

This command is available only if your switch is running the enhanced multilayer image (EMI).

Syntax Description

rate pps	Specify an upper limit for the number of incoming packets processed per second. The range is 0 to 2048 packets per second (pps).
burst interval seconds	(Optional) Specify the consecutive interval in seconds, over which the interface is monitored for a high rate of ARP packets.The range is 1 to 15 seconds.
none	Specify no upper limit for the rate of incoming ARP packets that can be processed.

Defaults

The rate is 15 pps on untrusted interfaces, assuming that the network is a switched network with a host connecting to as many as 15 new hosts per second.

The rate is unlimited on all trusted interfaces.

The burst interval is 1 second.

Command Modes

Interface configuration

Command History

Release	Modification
12.2(25)EY	This command was introduced.

Usage Guidelines

The rate applies to both trusted and untrusted interfaces. Configure appropriate rates on trunks to process packets across multiple dynamic ARP inspection-enabled VLANs, or use the none keyword to make the rate unlimited.

After a switch receives more than the configured rate of packets every second consecutively over a number of burst seconds, the interface is placed into an error-disabled state.

Unless you explicitly configure a rate limit on an interface, changing the trust state of the interface also changes its rate limit to the default value for that trust state. After you configure the rate limit, the interface retains the rate limit even when its trust state is changed. If you enter the no ip arp inspection limit interface configuration command, the interface reverts to its default rate limit.

You should configure trunk ports with higher rates to reflect their aggregation. When the rate of incoming packets exceeds the user-configured rate, the switch places the interface into an error-disabled state. The error-disable recovery feature automatically removes the port from the error-disabled state according to the recovery setting.

The rate of incoming ARP packets on EtherChannel ports equals the sum of the incoming rate of ARP packets from all channel members. Configure the rate limit for EtherChannel ports only after examining the rate of incoming ARP packets on all the channel members.

Examples

This example shows how to limit the rate of incoming ARP requests on a port to 25 pps and to set the interface monitoring interval to 5 consecutive seconds:

Switch(config)# interface gigabitethernet1/0/1

Switch(config-if)# ip arp inspection limit rate 25 burst interval 5

You can verify your settings by entering the show ip arp inspection interfaces interface-id privileged EXEC command.

Related Commands

Command	Description
show ip arp inspection interfaces	Displays the trust state and the rate limit of ARP packets for the specified interface or all interfaces.

ip arp inspection log-buffer

Use the ip arp inspection log-buffer global configuration command on the switch stack or on a standalone switch to configure the dynamic Address Resolution Protocol (ARP) inspection logging buffer. Use the no form of this command to return to the default settings.

ip arp inspection log-buffer {entries number | logs number interval seconds}

no ip arp inspection log-buffer {entries | logs}

Syntax Description

entries number	Number of entries to be logged in the buffer. The range is 0 to 1024.
logs number interval seconds	Number of entries needed in the specified interval to generate system messages. For logs number, the range is 0 to 1024. A 0 value means that the entry is placed in the log buffer, but a system message is not generated. For interval seconds, the range is 0 to 86400 seconds (1 day). A 0 value means that a system message is immediately generated (and the log buffer is always empty).

Defaults

When dynamic ARP inspection is enabled, denied or dropped ARP packets are logged.

The number of log entries is 32.

The number of system messages is limited to 5 per second.

The logging-rate interval is 1 second.

Command Modes

Global configuration

Command History

Release	Modification
12.2(25)EY	This command was introduced.

Usage Guidelines

A value of 0 is not allowed for both the logs and the interval keywords.

The logs and interval settings interact. If the logs number X is greater than interval seconds Y, X divided by Y (X/Y) system messages are sent every second. Otherwise, one system message is sent every Y divided by X (Y/X) seconds. For example, if the logs number is 20 and the interval seconds is 4, the switch generates system messages for five entries every second while there are entries in the log buffer.

A log buffer entry can represent more than one packet. For example, if an interface receives many packets on the same VLAN with the same ARP parameters, the switch combines the packets as one entry in the log buffer and generates a system message as a single entry.

If the log buffer overflows, it means that a log event does not fit into the log buffer, and the output display for the show ip arp inspection log privileged EXEC command is affected. A -- in the display appears in place of all data except the packet count and the time. No other statistics are provided for the entry. If you see this entry in the display, increase the number of entries in the log buffer, or increase the logging rate.

Examples

This example shows how to configure the logging buffer to hold up to 45 entries:

Switch(config)# ip arp inspection log-buffer entries 45

This example shows how to configure the logging rate to 20 log entries per 4 seconds. With this configuration, the switch generates system messages for five entries every second while there are entries in the log buffer.

Switch(config)# ip arp inspection log-buffer logs 20 interval 4

You can verify your settings by entering the show ip arp inspection log privileged EXEC command.

Related Commands

Command	Description
arp access-list	Defines an ARP access control list (ACL).
clear ip arp inspection log	Clears the dynamic ARP inspection log buffer.
ip arp inspection vlan logging	Controls the type of packets that are logged per VLAN.
show ip arp inspection log	Displays the configuration and contents of the dynamic ARP inspection log buffer.

ip arp inspection trust

Use the ip arp inspection trust interface configuration command on the switch stack or on a standalone switch to configure an interface trust state that determines which incoming Address Resolution Protocol (ARP) packets are inspected. Use the no form of this command to return to the default setting.

ip arp inspection trust

no ip arp inspection trust

This command is available only if your switch is running the enhanced multilayer image (EMI).

Syntax Description

This command has no arguments or keywords.

Defaults

The interface is untrusted.

Command Modes

Interface configuration

Command History

Release	Modification
12.2(25)EY	This command was introduced.

Usage Guidelines

The switch does not check ARP packets that it receives on the trusted interface; it simply forwards the packets.

For untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination. The switch drops invalid packets and logs them in the log buffer according to the logging configuration specified with the ip arp inspection vlan logging global configuration command.

Examples

This example shows how to configure a port to be trusted:

Switch(config)# interface gigabitethernet1/0/1

Switch(config-if)# ip arp inspection trust 

You can verify your setting by entering the show ip arp inspection interfaces interface-id privileged EXEC command.

Related Commands

Command	Description
ip arp inspection log-buffer	Configures the dynamic ARP inspection logging buffer.
show ip arp inspection interfaces	Displays the trust state and the rate limit of ARP packets for the specified interface or all interfaces.
show ip arp inspection log	Displays the configuration and contents of the dynamic ARP inspection log buffer.

ip arp inspection validate

Use the ip arp inspection validate global configuration command on the switch stack or on a standalone switch to perform specific checks for dynamic Address Resolution Protocol (ARP) inspection. Use the no form of this command to return to the default settings.

ip arp inspection validate {[src-mac] [dst-mac] [ip [allow zeros]]}

no ip arp inspection validate [src-mac] [dst-mac] [ip [allow zeros]]

Syntax Description

src-mac	Compare the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.
dst-mac	Compare the destination MAC address in the Ethernet header against the target MAC address in ARP body. This check is performed for ARP responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.
ip	Compare the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses are compared in all ARP requests and responses. Target IP addresses are compared only in ARP responses.
allow-zeros	Modifies the IP validation test so that ARPs with a sender address of 0.0.0.0 (ARP probes) are not denied.

Defaults

No checks are performed.

Command Modes

Global configuration

Command History

Release	Modification
12.2(25)EY	This command was introduced.
12.2(37)SE	The allow-zero keyword was added.

Usage Guidelines

You must specify at least one of the keywords. Each command overrides the configuration of the previous command; that is, if a command enables src-mac and dst-mac validations, and a second command enables IP validation only, the src-mac and dst-mac validations are disabled as a result of the second command.

The allow-zeros keyword interacts with ARP access control lists (ACLs) in this way:

•If you configure an ARP ACL to deny ARP probes, they are dropped even if the allow-zero keyword is specified.

•If you configure an ARP ACL that specifically permits ARP probes and configure the ip arp inspection validate ip command, ARP probes are dropped unless you enter the allow-zeros keyword.

The no form of the command disables only the specified checks. If none of the options are enabled, all checks are disabled.

Examples

This example show how to enable source MAC validation:

Switch(config)# ip arp inspection validate src-mac 

You can verify your setting by entering the show ip arp inspection vlan vlan-range privileged EXEC command.

Related Commands

Command	Description
show ip arp inspection vlan vlan-range	Displays the configuration and the operating state of dynamic ARP inspection for the specified VLAN.

ip arp inspection vlan

Use the ip arp inspection vlan global configuration command on the switch stack or on a standalone switch to enable dynamic Address Resolution Protocol (ARP) inspection on a per-VLAN basis. Use the no form of this command to return to the default setting.

ip arp inspection vlan vlan-range

no ip arp inspection vlan vlan-range

This command is available only if your switch is running the enhanced multilayer image (EMI).

Syntax Description

vlan-range

VLAN number or range. You can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.

Defaults

ARP inspection is disabled on all VLANs.

Command Modes

Global configuration

Command History

Release	Modification
12.2(25)EY	This command was introduced.

Usage Guidelines

You must specify the VLANs on which to enable dynamic ARP inspection.

Dynamic ARP inspection is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.

Examples

This example shows how to enable dynamic ARP inspection on VLAN 1:

Switch(config)# ip arp inspection vlan 1

You can verify your setting by entering the show ip arp inspection vlan vlan-range privileged EXEC command.

Related Commands

Command	Description
arp access-list	Defines an ARP access control list (ACL).
show ip arp inspection vlan vlan-range	Displays the configuration and the operating state of dynamic ARP inspection for the specified VLAN.

ip arp inspection vlan logging

Use the ip arp inspection vlan logging global configuration command on the switch stack or on a standalone switch to control the type of packets that are logged per VLAN. Use the no form of this command to disable this logging control.

ip arp inspection vlan vlan-range logging {acl-match {matchlog | none} | dhcp-bindings {all | none | permit} | arp-probe}

no ip arp inspection vlan vlan-range logging {acl-match | dhcp-bindings | arp-probe}

Syntax Description

vlan-range	Specify the VLANs configured for logging. You can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.
acl-match {matchlog | none}	Specify that the logging of packets is based on access control list (ACL) matches. The keywords have these meanings: •matchlog—Log packets based on the logging configuration specified in the access control entry (ACE). If you specify the matchlog keyword in this command and the log keyword in the permit or deny Address Resolution Protocol (ARP) access-list configuration command, ARP packets permitted or denied by the ACL are logged. •none—Do not log packets that match ACLs.
dhcp-bindings {permit | all | none}	Specify the logging of packets is based on DHCP binding matches. The keywords have these meanings: •all—Log all packets that match DHCP bindings. •none—Do not log packets that match DHCP bindings. •permit—Log DHCP-binding permitted packets.
arp-probe	Specify logging of packets permitted specifically because they are ARP probes.

Defaults

All denied or all dropped packets are logged. ARP probe packets are not logged.

Command Modes

Global configuration

Command History

Release	Modification
12.2(25)EY	This command was introduced.
12.2(37)SE	The arp-probe keyword was added.

Usage Guidelines

The term logged means that the entry is placed into the log buffer and that a system message is generated.

The acl-match and dhcp-bindings keywords merge with each other; that is, when you configure an ACL match, the DHCP bindings configuration is not disabled. Use the no form of the command to reset the logging criteria to their defaults. If neither option is specified, all types of logging are reset to log when ARP packets are denied. These are the options:

•acl-match—Logging on ACL matches is reset to log on deny.

•dhcp-bindings—Logging on DHCP binding matches is reset to log on deny.

If neither the acl-match or the dhcp-bindings keywords are specified, all denied packets are logged.

The implicit deny at the end of an ACL does not include the log keyword. This means that when you use the static keyword in the ip arp inspection filter vlan global configuration command, the ACL overrides the DHCP bindings. Some denied packets might not be logged unless you explicitly specify the deny ip any mac any log ACE at the end of the ARP ACL.

Examples

This example shows how to configure ARP inspection on VLAN 1 to log packets that match the permit commands in the ACL:

Switch(config)# arp access-list test1

Switch(config-arp-nacl)# permit request ip any mac any log

Switch(config-arp-nacl)# permit response ip any any mac any any log

Switch(config-arp-nacl)# exit

Switch(config)# ip arp inspection vlan 1 logging acl-match matchlog 

You can verify your settings by entering the show ip arp inspection vlan vlan-range privileged EXEC command.

Related Commands

Command	Description
arp access-list	Defines an ARP ACL.
clear ip arp inspection log	Clears the dynamic ARP inspection log buffer.
ip arp inspection log-buffer	Configures the dynamic ARP inspection logging buffer.
show ip arp inspection log	Displays the configuration and contents of the dynamic ARP inspection log buffer.
show ip arp inspection vlan vlan-range	Displays the configuration and the operating state of dynamic ARP inspection for the specified VLAN.

ip device tracking

To enable IP device tracking, use the ip device tracking global configuration command. Use the no form of this command to disable this feature.

ip device tracking

no ip device tracking

Syntax Description

This command has no arguments or keywords.

Command Default

IP device tracking is disabled.

Command Modes

Global configuration

Command History

12.2(52)SE

This command was introduced.

Usage Guidelines

When IP device tracking is enabled, you can set the IP device tracking probe interval, count, and configure the ARP probe address with the ip device tracking probe command.

Use the show ip device tracking all command to display information about entries in the IP device tracking table. For more information about this command, see the Cisco IOS Security Command Reference, Release 12.4T.

Examples

This example shows how to enable device tracking:

Switch(config)# ip device tracking

Switch(config)#

Related Commands

Command	Description
ip device tracking probe	Configures the IP device tracking table for ARP probes.
show ip device tracking all	Displays information about the entries in the IP device tracking table.

ip device tracking maximum

Use the ip device tracking maximum command to enable IP port security binding tracking on a Layer 2 port. Use the no form of this command to disable IP port security on untrusted Layer 2 interfaces.

ip device tracking maximum {number}

no ip device tracking maximum {number}

Syntax Description

number

Specify the number of bindings created in the IP device tracking table for a port. valid values are from 0 to 2048.

Defaults

This command has no default setting.

Command Modes

Interface configuration mode

Command History

Release	Modification
12.2(52)SE	This command was introduced.

Examples

This example shows how to enable IP port security with IP-MAC filters on a Layer 2 access port:

Switch# configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Switch(config)# ip device tracking

Switch(config)# interface gigabitethernet1/0/3

Switch(config-if)# switchport mode access 

Switch(config-if)# switchport access vlan 1

Switch(config-if)# ip device tracking maximum 5

Switch(config-if)# switchport port-security 

Switch(config-if)# switchport port-security maximum 5

Switch(config-if)# ip verify source tracking port-security 

Switch(config-if)# end 

You can verify your settings by entering the show ip verify source privileged EXEC command.

Related Commands

Command	Description
ip verify source	Enables IP source guard on untrusted Layer 2 interfaces.
show ip verify source	Displays the IP source guard configuration and filters on a particular interface.

ip device tracking probe

Use the ip device tracking probe global configuration command to configure the IP device tracking table for Address Resolution Protocol (ARP) probes. Use the no form of this command to disable ARP probes.

ip device tracking probe {count | interval | use-svi}

no ip device tracking probe {count | interval | use-svi}

Syntax Description

count number	Sets the number of times that the switch sends the ARP probe. The range is from 1 to 255.
interval seconds	Sets the number of seconds that the switch waits for a response before resending the ARP probe. The range is from 30 to 1814400 seconds.
use-svi	Uses the switch virtual interface (SVI) IP address as source of ARP probes.

Command Default

The count number is 3.

The interval is 30 seconds.

The ARP probe default source IP address is the Layer 3 interface and 0.0.0.0 for switchports.

Command Modes

Global configuration

Command History

Release	Modification
12.2(52)SE	This command was introduced.
12.2(55)SE	The use-svi keyword was added.

Usage Guidelines

Use the count keyword option to set the number of times that the switch sends the ARP probe. The range is from 1 to 255.

Use the interval keyword option to set the number of seconds that the switch waits for a response before resending the ARP probe. The range is from 30 to 1814400 seconds.

Use the use-svi keyword option to configure the IP device tracking table to use the SVI IP address for ARP probes in cases when the default source ip address 0.0.0.0 for switch ports is used and the ARP probes drop.

Use the show ip device tracking all command to display information about entries in the IP device tracking table. For more information about this command, see the Cisco IOS Security Command Reference, Release 12.4T.

Examples

This example shows how to set SVI as the source for ARP probes:

Switch(config)# ip device tracking probe use-svi

Switch(config)#

Related Commands

Command	Description
show ip device tracking all	Displays information about the entries in the IP device tracking table.

ip dhcp snooping

Use the ip dhcp snooping global configuration command to globally enable DHCP snooping. Use the no form of this command to return to the default setting.

ip dhcp snooping

no ip dhcp snooping

Syntax Description

This command has no arguments or keywords.

Defaults

DHCP snooping is disabled.

Command Modes

Global configuration

Command History

Release	Modification
12.2(25)EY	This command was introduced.

Usage Guidelines

For any DHCP snooping configuration to take effect, you must globally enable DHCP snooping.

DHCP snooping is not active until you enable snooping on a VLAN by using the ip dhcp snooping vlan vlan-id global configuration command.

Examples

This example shows how to enable DHCP snooping:

Switch(config)# ip dhcp snooping

You can verify your settings by entering the show ip dhcp snooping privileged EXEC command.

Related Commands

Command	Description
ip dhcp snooping vlan	Enables DHCP snooping on a VLAN.
show ip dhcp snooping	Displays the DHCP snooping configuration.
show ip dhcp snooping binding	Displays the DHCP snooping binding information.

ip dhcp snooping binding

Use the ip dhcp snooping binding privileged EXEC command to configure the DHCP snooping binding database and to add binding entries to the database. Use the no form of this command to delete entries from the binding database.

ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface-id expiry seconds

no ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface-id

Syntax Description

mac-address	Specify a MAC address.
vlan vlan-id	Specify a VLAN number. The range is from 1 to 4904.
ip-address	Specify an IP address.
interface interface-id	Specify an interface on which to add or delete a binding entry.
expiry seconds	Specify the interval (in seconds) after which the binding entry is no longer valid. The range is from 1 to 4294967295.

Defaults

No default database is defined.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.2(25)EY	This command was introduced.

Usage Guidelines

Use this command when you are testing or debugging the switch.

In the DHCP snooping binding database, each database entry, also referred to a binding, has an IP address, an associated MAC address, the lease time (in hexadecimal format), the interface to which the binding applies, and the VLAN to which the interface belongs. The database can have up to 512 bindings.

Use the show ip dhcp snooping binding privileged EXEC command to display only the dynamically configured bindings. Use the show ip source binding privileged EXEC command to display the dynamically and statically configured bindings.

Examples

This example shows how to generate a DHCP binding configuration with an expiration time of 1000 seconds on a port in VLAN 1:

Switch# ip dhcp snooping binding 0001.1234.1234 vlan 1 172.20.50.5 interface 
gigabitethernet1/0/1 expiry 1000

You can verify your settings by entering the show ip dhcp snooping binding or the show ip dhcp source binding privileged EXEC command.

Related Commands

Command	Description
ip dhcp snooping	Enables DHCP snooping on a VLAN.
show ip dhcp snooping binding	Displays the dynamically configured bindings in the DHCP snooping binding database and the configuration information.
show ip igmp snooping groups	Displays the dynamically and statically configured bindings in the DHCP snooping binding database.

ip dhcp snooping database

Use the ip dhcp snooping database global configuration command to configure the DHCP snooping binding database agent. Use the no form of this command to disable the agent, to reset the timeout value, or to reset the write-delay value.

ip dhcp snooping database {{flash:/filename | ftp://user:password@host/filename | rcp://user@host/filename | tftp://host/filename} | timeout seconds | write-delay seconds}

no ip dhcp snooping database [timeout | write-delay]

Syntax Description

flash:/filename	Specify that the database agent or the binding file is in the flash memory.
ftp://user:password@host/filename	Specify that the database agent or the binding file is on an FTP server.
rcp://user@host/filename	Specify that the database agent or the binding file is on a Remote Control Protocol (RCP) server.
tftp://host/filename	Specify that the database agent or the binding file is on a TFTP server.
timeout seconds	Specify (in seconds) when to stop the database transfer process after the DHCP snooping binding database changes. The default is 300 seconds. The range is from 0 to 86400. Use 0 to define an infinite duration.
write-delay seconds	Specify (in seconds) the duration for which the transfer should be delayed after the binding database changes. The default is 300 seconds. The range is from 15 to 86400.

Defaults

The URL for the database agent or binding file is not defined.

The timeout value is 300 seconds (5 minutes).

The write-delay value is 300 seconds (5 minutes).

Command Modes

Global configuration

Command History

Release	Modification
12.2(25)EY	This command was introduced.

Usage Guidelines

The DHCP snooping binding database can have up to 512 bindings.

To ensure that the lease time in the database is accurate, we recommend that Network Time Protocol (NTP) is enabled and configured for these features:

•NTP authentication

•NTP peer and server associations

•NTP broadcast service

•NTP access restrictions

•NTP packet source IP address

If NTP is configured, the switch writes binding changes to the binding file only when the switch system clock is synchronized with NTP.

Because both NVRAM and the flash memory have limited storage capacity, we recommend that you store a binding file on a TFTP server. You must create an empty file at the configured URL on network-based URLs (such as TFTP and FTP) before the switch can write bindings to the binding file at that URL for the first time.

Use the ip dhcp snooping database flash:/filename command to save the DHCP snooping binding database in the stack master NVRAM. The database is not saved in a stack member NVRAM.

Use the no ip dhcp snooping database command to disable the agent.

Use the no ip dhcp snooping database timeout command to reset the timeout value.

Use the no ip dhcp snooping database write-delay command to reset the write-delay value.

Examples

This example shows how to store a binding file at an IP address of 10.1.1.1 that is in a directory called directory. A file named file must be present on the TFTP server.

Switch(config)# ip dhcp snooping database tftp://10.1.1.1/directory/file

This example shows how to store a binding file called file01.txt in the stack master NVRAM.

Switch(config)# ip dhcp snooping database flash:file01.txt

You can verify your settings by entering the show ip dhcp snooping database privileged EXEC command.

Related Commands

Command	Description
ip dhcp snooping	Enables DHCP snooping on a VLAN.
ip dhcp snooping binding	Configures the DHCP snooping binding database.
show ip dhcp snooping database	Displays the status of DHCP snooping database agent.

ip dhcp snooping information option

Use the ip dhcp snooping information option global configuration command to enable DHCP option-82 data insertion. Use the no form of this command to disable DHCP option-82 data insertion.

ip dhcp snooping information option

no ip dhcp snooping information option

Syntax Description

This command has no arguments or keywords.

Defaults

DHCP option-82 data insertion is enabled.

Command Modes

Global configuration

Command History

Release	Modification
12.2(25)EY	This command was introduced.

Usage Guidelines

You must globally enable DHCP snooping by using the ip dhcp snooping global configuration command for any DHCP snooping configuration to take effect.

When the option-82 feature is enabled and a switch receives a DHCP request from a host, it adds the option-82 information in the packet. The option-82 information contains the switch MAC address (the remote ID suboption) and the port identifier, vlan-mod-port, from which the packet is received (circuit ID suboption). The switch forwards the DHCP request that includes the option-82 field to the DHCP server.

When the DHCP server receives the packet, it can use the remote ID, the circuit ID, or both to assign IP addresses and implement policies, such as restricting the number of IP addresses that can be assigned to a single remote ID or a circuit ID. Then the DHCP server echoes the option-82 field in the DHCP reply.

The DHCP server unicasts the reply to the switch if the request was relayed to the server by the switch. When the client and server are on the same subnet, the server broadcasts the reply. The switch inspects the remote ID and possibly the circuit ID fields to verify that it originally inserted the option-82 data. The switch removes the option-82 field and forwards the packet to the switch port that connects to the DHCP host that sent the DHCP request.

Examples

This example shows how to enable DHCP option-82 data insertion:

Switch(config)# ip dhcp snooping information option

You can verify your settings by entering the show ip dhcp snooping privileged EXEC command.

Related Commands

Command	Description
show ip dhcp snooping	Displays the DHCP snooping configuration.
show ip dhcp snooping binding	Displays the DHCP snooping binding information.

ip dhcp snooping information option allowed-untrusted

Use the ip dhcp snooping information option allowed-untrusted global configuration command on an aggregation switch to configure it to accept DHCP packets with option-82 information that are received on untrusted ports that might be connected to an edge switch. Use the no form of this command to configure the switch to drop these packets from the edge switch.

ip dhcp snooping information option allowed-untrusted

no ip dhcp snooping information option allowed-untrusted

Syntax Description

This command has no arguments or keywords.

Defaults

The switch drops DHCP packets with option-82 information that are received on untrusted ports that might be connected to an edge switch.

Command Modes

Global configuration

Command History

Release	Modification
12.2(25)EY	This command was introduced.

Usage Guidelines

You might want an edge switch to which a host is connected to insert DHCP option-82 information at the edge of your network. You might also want to enable DHCP security features, such as DHCP snooping, IP source guard, or dynamic Address Resolution Protocol (ARP) inspection, on an aggregation switch. However, if DHCP snooping is enabled on the aggregation switch, the switch drops packets with option-82 information that are received on an untrusted port and does not learn DHCP snooping bindings for connected devices on a trusted interface.

If the edge switch to which a host is connected inserts option-82 information and you want to use DHCP snooping on an aggregation switch, enter the ip dhcp snooping information option allowed-untrusted command on the aggregation switch. The aggregation switch can learn the bindings for a host even though the aggregation switch receives DHCP snooping packets on an untrusted port. You can also enable DHCP security features on the aggregation switch. The port on the edge switch to which the aggregation switch is connected must be configured as a trusted port.

---

Note Do not enter the ip dhcp snooping information option allowed-untrusted command on an aggregation switch to which an untrusted device is connected. If you enter this command, an untrusted device might spoof the option-82 information.

---

Examples

This example shows how to configure an access switch to not check the option-82 information in untrusted packets from an edge switch and to accept the packets:

Switch(config)# ip dhcp snooping information option allowed-untrusted

You can verify your settings by entering the show ip dhcp snooping privileged EXEC command.

Related Commands

Command	Description
show ip dhcp snooping	Displays the DHCP snooping configuration.
show ip dhcp snooping binding	Displays the DHCP snooping binding information.

ip dhcp snooping information option format remote-id

Use the ip dhcp snooping information option format remote-id global configuration command on the switch to configure the option-82 remote-ID suboption. Use the no form of this command to configure the default remote-ID suboption.

ip dhcp snooping information option format remote-id [string ASCII string | hostname]

no ip dhcp snooping information option format remote-id

Syntax Description

string ASCII-string	Specify a remote ID, using from 1 to 63 ASCII characters (no spaces).
hostname	Specify the switch hostname as the remote ID.

Defaults

The switch MAC address is the remote ID.

Command Modes

Global configuration

Command History

Release	Modification
12.2(25)SEE	This command was introduced.

Usage Guidelines

You must globally enable DHCP snooping by using the ip dhcp snooping global configuration command for any DHCP snooping configuration to take effect.

When the option-82 feature is enabled, the default remote-ID suboption is the switch MAC address. This command allows you to configure either the switch hostname or a string of up to 63 ASCII characters (but no spaces) to be the remote ID.

---

Note If the hostname exceeds 63 characters, it will be truncated to 63 characters in the remote-ID configuration.

---

Examples

This example shows how to configure the option- 82 remote-ID suboption:

Switch(config)# ip dhcp snooping information option format remote-id hostname

You can verify your settings by entering the show ip dhcp snooping user EXEC command.

Related Commands

Command	Description
ip dhcp snooping vlan information option format-type circuit-id string	Configures the option-82 circuit-ID suboption.
show ip dhcp snooping	Displays the DHCP snooping configuration.

ip dhcp snooping limit rate

Use the ip dhcp snooping limit rate interface configuration command to configure the number of DHCP messages an interface can receive per second. Use the no form of this command to return to the default setting.

ip dhcp snooping limit rate rate

no ip dhcp snooping limit rate

Syntax Description

rate	Number of DHCP messages an interface can receive per second. The range is 1 to 2048.

Defaults

DHCP snooping rate limiting is disabled.

Command Modes

Interface configuration

Command History

Release	Modification
12.2(25)EY	This command was introduced.

Usage Guidelines

Normally, the rate limit applies to untrusted interfaces. If you want to configure rate limiting for trusted interfaces, keep in mind that trusted interfaces might aggregate DHCP traffic on multiple VLANs (some of which might not be snooped) in the switch, and you will need to adjust the interface rate limits to a higher value.

If the rate limit is exceeded, the interface is error-disabled. If you enabled error recovery by entering the errdisable recovery dhcp-rate-limit global configuration command, the interface retries the operation again when all the causes have timed out. If the error-recovery mechanism is not enabled, the interface stays in the error-disabled state until you enter the shutdown and no shutdown interface configuration commands.

Examples

This example shows how to set a message rate limit of 150 messages per second on an interface:

Switch(config-if)# ip dhcp snooping limit rate 150

You can verify your settings by entering the show ip dhcp snooping privileged EXEC command.

Related Commands

Command	Description
errdisable recovery	Configures the recover mechanism.
show ip dhcp snooping	Displays the DHCP snooping configuration.
show ip dhcp snooping binding	Displays the DHCP snooping binding information.

ip dhcp snooping trust

Use the ip dhcp snooping trust interface configuration command to configure a port as trusted for DHCP snooping purposes. Use the no form of this command to return to the default setting.

ip dhcp snooping trust

no ip dhcp snooping trust

Syntax Description

This command has no arguments or keywords.

Defaults

DHCP snooping trust is disabled.

Command Modes

Interface configuration

Command History

Release	Modification
12.2(25)EY	This command was introduced.

Usage Guidelines

Configure as trusted ports those that are connected to a DHCP server or to other switches or routers. Configure as untrusted ports those that are connected to DHCP clients.

Examples

This example shows how to enable DHCP snooping trust on a port:

Switch(config-if)# ip dhcp snooping trust

You can verify your settings by entering the show ip dhcp snooping privileged EXEC command.

Related Commands

Command	Description
show ip dhcp snooping	Displays the DHCP snooping configuration.
show ip dhcp snooping binding	Displays the DHCP snooping binding information.

ip dhcp snooping verify

Use the ip dhcp snooping verify global configuration command to configure the switch to verify on an untrusted port that the source MAC address in a DHCP packet matches the client hardware address. Use the no form of this command to configure the switch to not verify the MAC addresses.

ip dhcp snooping verify mac-address

no ip dhcp snooping verify mac-address

Syntax Description

This command has no arguments or keywords.

Defaults

The switch verifies the source MAC address in a DHCP packet that is received on untrusted ports matches the client hardware address in the packet.

Command Modes

Global configuration

Command History

Release	Modification
12.2(25)EY	This command was introduced.

Usage Guidelines

In a service-provider network, when a switch receives a packet from a DHCP client on an untrusted port, it automatically verifies that the source MAC address and the DHCP client hardware address match. If the addresses match, the switch forwards the packet. If the addresses do not match, the switch drops the packet.

Examples

This example shows how to disable the MAC address verification:

Switch(config)# no ip dhcp snooping verify mac-address

You can verify your settings by entering the show ip dhcp snooping privileged EXEC command.

Related Commands

Command	Description
show ip dhcp snooping	Displays the DHCP snooping configuration.

ip dhcp snooping vlan

Use the ip dhcp snooping vlan global configuration command to enable DHCP snooping on a VLAN. Use the no form of this command to disable DHCP snooping on a VLAN.

ip dhcp snooping vlan vlan-range

no ip dhcp snooping vlan vlan-range

Syntax Description

vlan vlan-range

Specify a VLAN ID or a range of VLANs on which to enable DHCP snooping. The range is 1 to 4094. You can enter a single VLAN ID identified by VLAN ID number, a series of VLAN IDs separated by commas, a range of VLAN IDs separated by hyphens, or a range of VLAN IDs separated by entering the starting and ending VLAN IDs separated by a space.

Defaults

DHCP snooping is disabled on all VLANs.

Command Modes

Global configuration

Command History

Release	Modification
12.2(25)EY	This command was introduced.

Usage Guidelines

You must first globally enable DHCP snooping before enabling DHCP snooping on a VLAN.

Examples

This example shows how to enable DHCP snooping on VLAN 10:

Switch(config)# ip dhcp snooping vlan 10

You can verify your settings by entering the show ip dhcp snooping privileged EXEC command.

Related Commands

Command	Description
show ip dhcp snooping	Displays the DHCP snooping configuration.
show ip dhcp snooping binding	Displays the DHCP snooping binding information.

ip dhcp snooping vlan information option format-type circuit-id string

Use the ip dhcp snooping vlan information option format-type circuit-id string interface configuration command on the switch to configure the option-82 circuit-ID suboption. Use the no form of this command to configure the default circuit-ID suboption.

ip dhcp snooping vlan vlan information option format-type circuit-id [override] string ASCII-string

no ip dhcp snooping vlan vlan information option format-type circuit-id [override] string

Syntax Description

vlan vlan	Specify the VLAN ID. The range is 1 to 4094.
override	(Optional) Specify an override string, using from 3 to 63 ASCII characters (no spaces).
string ASCII-string	Specify a circuit ID, using from 3 to 63 ASCII characters (no spaces).

Defaults

The switch VLAN and the port identifier, in the format vlan-mod-port, is the default circuit ID.

Command Modes

Interface configuration

Command History

Release	Modification
12.2(25)SEE	This command was introduced.
12.2(52)SE	The override keyword was added.

Usage Guidelines

You must globally enable DHCP snooping by using the ip dhcp snooping global configuration command for any DHCP snooping configuration to take effect.

When the option-82 feature is enabled, the default circuit-ID suboption is the switch VLAN and port identifier, in the format vlan-mod-port. This command allows you to configure a string of ASCII characters to be the circuit ID. When you want to override the vlan-mod-port format type and instead use the circuit-ID to define subscriber information, use the override keyword.

---

Note When configuring a large number of circuit IDs on a switch, consider the impact of lengthy character strings on the NVRAM or flash memory. If the circuit-ID configurations, combined with other data, exceed the capacity of the NVRAM or flash memory, an error message appears.

---

Examples

This example shows how to configure the option-82 circuit-ID suboption:

Switch(config-if)# ip dhcp snooping vlan 250 information option format-type circuit-id 
string customerABC-250-0-0

This example shows how to configure the option-82 circuit-ID override suboption:

Switch(config-if)# ip dhcp snooping vlan 250 information option format-type circuit-id 
override string testcustomer

You can verify your settings by entering the show ip dhcp snooping user EXEC command.

---

Note The show ip dhcp snooping command only displays the global command output, including a remote-ID configuration. It does not display any per-interface, per-VLAN string that you have configured for the circuit ID.

---

Related Commands

Command	Description
ip dhcp snooping information option format remote-id	Configures the option-82 remote-ID suboption.
show ip dhcp snooping	Displays the DHCP snooping configuration.

ip igmp filter

Use the ip igmp filter interface configuration command to control whether or not all hosts on a Layer 2 interface can join one or more IP multicast groups by applying an Internet Group Management Protocol (IGMP) profile to the interface. Use the no form of this command to remove the specified profile from the interface.

ip igmp filter profile number

no ip igmp filter

Syntax Description

profile number

The IGMP profile number to be applied. The range is 1 to 4294967295.

Defaults

No IGMP filters are applied.

Command Modes

Interface configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

You can apply IGMP filters only to Layer 2 physical interfaces; you cannot apply IGMP filters to routed ports, switch virtual interfaces (SVIs), or ports that belong to an EtherChannel group.

An IGMP profile can be applied to one or more switch port interfaces, but one port can have only one profile applied to it.

Examples

This example shows how to apply IGMP profile 22 to a port.

Switch(config)# interface gigabitethernet1/0/2

Switch(config-if)# ip igmp filter 22

You can verify your setting by using the show running-config privileged EXEC command and by specifying an interface.

Related Commands

Command	Description
ip igmp profile	Configures the specified IGMP profile number.
show ip dhcp snooping statistics	Displays the characteristics of the specified IGMP profile.
show running-config interface interface-id	Displays the running configuration on the switch interface, including the IGMP profile (if any) that is applied to an interface. For syntax information, select Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 > File Management Commands > Configuration File Management Commands.

ip igmp max-groups

Use the ip igmp max-groups interface configuration command to set the maximum number of Internet Group Management Protocol (IGMP) groups that a Layer 2 interface can join or to configure the IGMP throttling action when the maximum number of entries is in the forwarding table. Use the no form of this command to set the maximum back to the default, which is to have no maximum limit, or to return to the default throttling action, which is to drop the report.

ip igmp max-groups {number | action {deny | replace}}

no ip igmp max-groups {number | action}

Syntax Description

number	The maximum number of IGMP groups that an interface can join. The range is 0 to 4294967294. The default is no limit.
action deny	When the maximum number of entries is in the IGMP snooping forwarding table, drop the next IGMP join report. This is the default action.
action replace	When the maximum number of entries is in the IGMP snooping forwarding table, replace the existing group with the new group for which the IGMP report was received.

Defaults

The default maximum number of groups is no limit.

After the switch learns the maximum number of IGMP group entries on an interface, the default throttling action is to drop the next IGMP report that the interface receives and to not add an entry for the IGMP group to the interface.

Command Modes

Interface configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.
12.2(25)EY	The action, deny, and replace keywords were introduced.

Usage Guidelines

You can use this command only on Layer 2 physical interfaces and on logical EtherChannel interfaces. You cannot set IGMP maximum groups for routed ports, switch virtual interfaces (SVIs), or ports that belong to an EtherChannel group.

Follow these guidelines when configuring the IGMP throttling action:

•If you configure the throttling action as deny and set the maximum group limitation, the entries that were previously in the forwarding table are not removed but are aged out. After these entries are aged out, when the maximum number of entries is in the forwarding table, the switch drops the next IGMP report received on the interface.

•If you configure the throttling action as replace and set the maximum group limitation, the entries that were previously in the forwarding table are removed. When the maximum number of entries is in the forwarding table, the switch replaces a randomly selected multicast entry with the received IGMP report.

•When the maximum group limitation is set to the default (no maximum), entering the ip igmp max-groups {deny | replace} command has no effect.

Examples

This example shows how to limit to 25 the number of IGMP groups that a port can join.

Switch(config)# interface gigabitethernet1/0/2

Switch(config-if)# ip igmp max-groups 25

This example shows how to configure the switch to replace the existing group with the new group for which the IGMP report was received when the maximum number of entries is in the forwarding table:

Switch(config)# interface gigabitethernet2/0/1

Switch(config-if)# ip igmp max-groups action replace

You can verify your setting by using the show running-config privileged EXEC command and by specifying an interface.

Related Commands

Command	Description
show running-config interface interface-id	Displays the running configuration on the switch interface, including the maximum number of IGMP groups that an interface can join and the throttling action. For syntax information, select Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 > File Management Commands > Configuration File Management Commands.

ip igmp profile

Use the ip igmp profile global configuration command to create an Internet Group Management Protocol (IGMP) profile and enter IGMP profile configuration mode. From this mode, you can specify the configuration of the IGMP profile to be used for filtering IGMP membership reports from a switchport. Use the no form of this command to delete the IGMP profile.

ip igmp profile profile number

no ip igmp profile profile number

Syntax Description

profile number

The IGMP profile number being configured. The range is 1 to 4294967295.

Defaults

No IGMP profiles are defined. When configured, the default action for matching an IGMP profile is to deny matching addresses.

Command Modes

Global configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

When you are in IGMP profile configuration mode, you can create the profile by using these commands:

•deny: specifies that matching addresses are denied; this is the default condition.

•exit: exits from igmp-profile configuration mode.

•no: negates a command or resets to its defaults.

•permit: specifies that matching addresses are permitted.

•range: specifies a range of IP addresses for the profile. This can be a single IP address or a range with a start and an end address.

When entering a range, enter the low IP multicast address, a space, and the high IP multicast address.

You can apply an IGMP profile to one or more Layer 2 interfaces, but each interface can have only one profile applied to it.

Examples

This example shows how to configure IGMP profile 40 that permits the specified range of IP multicast addresses:

Switch(config)# ip igmp profile 40

Switch(config-igmp-profile)# permit

Switch(config-igmp-profile)# range 233.1.1.1 233.255.255.255

You can verify your settings by using the show ip igmp profile privileged EXEC command.

Related Commands

Command	Description
ip igmp filter	Applies the IGMP profile to the specified interface.
show ip dhcp snooping statistics	Displays the characteristics of all IGMP profiles or the specified IGMP profile number.

ip igmp snooping

Use the ip igmp snooping global configuration command to globally enable Internet Group Management Protocol (IGMP) snooping on the switch or to enable it on a per-VLAN basis. Use the no form of this command to return to the default setting.

ip igmp snooping [vlan vlan-id]

no ip igmp snooping [vlan vlan-id]

Syntax Description

vlan vlan-id

(Optional) Enable IGMP snooping on the specified VLAN. The range is 1 to 1001 and 1006 to 4094.

Defaults

IGMP snooping is globally enabled on the switch.

IGMP snooping is enabled on VLAN interfaces.

Command Modes

Global configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

.When IGMP snooping is enabled globally, it is enabled in all the existing VLAN interfaces. When IGMP snooping is globally disabled, it is disabled on all the existing VLAN interfaces.

VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in IGMP snooping.

Examples

This example shows how to globally enable IGMP snooping:

Switch(config)# ip igmp snooping

This example shows how to enable IGMP snooping on VLAN 1:

Switch(config)# ip igmp snooping vlan 1

You can verify your settings by entering the show ip igmp snooping privileged EXEC command.

Related Commands

Command	Description
ip igmp snooping report-suppression	Enables IGMP report suppression.
show ip igmp snooping	Displays the snooping configuration.
show ip igmp snooping groups	Displays IGMP snooping multicast information.
show ip igmp snooping groups	Displays the IGMP snooping router ports.
show ip igmp snooping querier	Displays the configuration and operation information for the IGMP querier configured on a switch.

ip igmp snooping querier

Use the ip igmp snooping querier global configuration command to globally enable the Internet Group Management Protocol (IGMP) querier function in Layer 2 networks. Use the command with keywords to enable and configure the IGMP querier feature on a VLAN interface. Use the no form of this command to return to the default settings.

ip igmp snooping querier [vlan vlan-id] [address ip-address | max-response-time response-time | query-interval interval-count | tcn query [count count | interval interval] | timer expiry | version version]

no ip igmp snooping querier [vlan vlan-id] [address | max-response-time | query-interval | tcn query { count count | interval interval} | timer expiry | version]

Syntax Description

vlan vlan-id	(Optional) Enable IGMP snooping and the IGMP querier function on the specified VLAN. The range is 1 to 1001 and 1006 to 4094.
address ip-address	(Optional) Specify a source IP address. If you do not specify an IP address, the querier tries to use the global IP address configured for the IGMP querier.
max-response-time response-time	(Optional) Set the maximum time to wait for an IGMP querier report. The range is 1 to 25 seconds.
query-interval interval-count	(Optional) Set the interval between IGMP queriers. The range is 1 to 18000 seconds.
tcn query [count count | interval interval]	(Optional) Set parameters related to Topology Change Notifications (TCNs). The keywords have these meanings: •count count—Set the number of TCN queries to be executed during the TCN interval time. The range is 1 to 10. •interval interval—Set the TCN query interval time. The range is 1 to 255.
timer expiry	(Optional) Set the length of time until the IGMP querier expires. The range is 60 to 300 seconds.
version version	(Optional) Select the IGMP version number that the querier feature uses. Select 1 or 2.

Defaults

The IGMP snooping querier feature is globally disabled on the switch.

When enabled, the IGMP snooping querier disables itself if it detects IGMP traffic from a multicast-enabled device.

Command Modes

Global configuration

Command History

Release	Modification
12.2(25)EY	This command was introduced.

Usage Guidelines

Use this command to enable IGMP snooping to detect the IGMP version and IP address of a device that sends IGMP query messages, which is also called a querier.

By default, the IGMP snooping querier is configured to detect devices that use IGMP Version 2 (IGMPv2) but does not detect clients that are using IGMP Version 1 (IGMPv1). You can manually configure the max-response-time value when devices use IGMPv2. You cannot configure the max-response-time when devices use IGMPv1. (The value cannot be configured and is set to zero).

Non-RFC compliant devices running IGMPv1 might reject IGMP general query messages that have a non-zero value as the max-response-time value. If you want the devices to accept the IGMP general query messages, configure the IGMP snooping querier to run IGMPv1.

VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in IGMP snooping.

Examples

This example shows how to globally enable the IGMP snooping querier feature:

Switch(config)# ip igmp snooping querier

This example shows how to set the IGMP snooping querier maximum response time to 25 seconds:

Switch(config)# ip igmp snooping querier max-response-time 25

This example shows how to set the IGMP snooping querier interval time to 60 seconds:

Switch(config)# ip igmp snooping querier query-interval 60

This example shows how to set the IGMP snooping querier TCN query count to 25:

Switch(config)# ip igmp snooping querier tcn count 25

This example shows how to set the IGMP snooping querier timeout to 60 seconds:

Switch(config)# ip igmp snooping querier timeout expiry 60

This example shows how to set the IGMP snooping querier feature to version 2:

Switch(config)# ip igmp snooping querier version 2

You can verify your settings by entering the show ip igmp snooping privileged EXEC command.

Related Commands

Command	Description
ip igmp snooping report-suppression	Enables IGMP report suppression.
show ip igmp snooping	Displays the IGMP snooping configuration.
show ip igmp snooping groups	Displays IGMP snooping multicast information.
show ip igmp snooping groups	Displays the IGMP snooping router ports.

ip igmp snooping report-suppression

Use the ip igmp snooping report-suppression global configuration command to enable Internet Group Management Protocol (IGMP) report suppression. Use the no form of this command to disable IGMP report suppression and forward all IGMP reports to multicast routers.

ip igmp snooping report-suppression

no ip igmp snooping report-suppression

Syntax Description

This command has no arguments or keywords.

Defaults

IGMP report suppression is enabled.

Command Modes

Global configuration

Command History

Release	Modification
12.2(25)EY	This command was introduced.

Usage Guidelines

IGMP report suppression is supported only when the multicast query has IGMPv1 and IGMPv2 reports. This feature is not supported when the query includes IGMPv3 reports.

The switch uses IGMP report suppression to forward only one IGMP report per multicast router query to multicast devices. When IGMP router suppression is enabled (the default), the switch sends the first IGMP report from all hosts for a group to all the multicast routers. The switch does not send the remaining IGMP reports for the group to the multicast routers. This feature prevents duplicate reports from being sent to the multicast devices.

If the multicast router query includes requests only for IGMPv1 and IGMPv2 reports, the switch forwards only the first IGMPv1 or IGMPv2 report from all hosts for a group to all the multicast routers. If the mulitcast router query also includes requests for IGMPv3 reports, the switch forwards all IGMPv1, IGMPv2, and IGMPv3 reports for a group to the multicast devices.

If you disable IGMP report suppression by entering the no ip igmp snooping report-suppression command, all IGMP reports are forwarded to all the multicast routers.

Examples

This example shows how to disable report suppression:

Switch(config)# no ip igmp snooping report-suppression

You can verify your settings by entering the show ip igmp snooping privileged EXEC command.

Related Commands

Command	Description
ip igmp snooping	Enables IGMP snooping on the switch or on a VLAN.
show ip igmp snooping	Displays the IGMP snooping configuration of the switch or the VLAN.

ip igmp snooping vlan immediate-leave

Use the ip igmp snooping immediate-leave global configuration command to enable Internet Group Management Protocol (IGMP) snooping immediate-leave processing on a per-VLAN basis. Use the no form of this command to return to the default setting.

ip igmp snooping vlan vlan-id immediate-leave

no ip igmp snooping vlan vlan-id immediate-leave

Syntax Description

vlan-id

Enable IGMP snooping and the Immediate-Leave feature on the specified VLAN. The range is 1 to 1001 and 1006 to 4094.

Defaults

IGMP immediate-leave processing is disabled.

Command Modes

Global configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in IGMP snooping.

You should configure the Immediate- Leave feature only when there is a maximum of one receiver on every port in the VLAN. The configuration is saved in NVRAM.

The Immediate-Leave feature is supported only with IGMP Version 2 hosts.

Examples

This example shows how to enable IGMP immediate-leave processing on VLAN 1:

Switch(config)# ip igmp snooping vlan 1 immediate-leave

You can verify your settings by entering the show ip igmp snooping privileged EXEC command.

Related Commands

Command	Description
ip igmp snooping report-suppression	Enables IGMP report suppression.
show ip igmp snooping	Displays the snooping configuration.
show ip igmp snooping groups	Displays IGMP snooping multicast information.
show ip igmp snooping groups	Displays the IGMP snooping router ports.
show ip igmp snooping querier	Displays the configuration and operation information for the IGMP querier configured on a switch.

ip igmp snooping vlan mrouter

Use the ip igmp snooping mrouter global configuration command to add a multicast router port or to configure the multicast learning method. Use the no form of this command to return to the default settings.

ip igmp snooping vlan vlan-id mrouter {interface interface-id | learn {cgmp | pim-dvmrp}}

no ip igmp snooping vlan vlan-id mrouter {interface interface-id | learn {cgmp | pim-dvmrp}}

Syntax Description

vlan-id	Enable IGMP snooping, and add the port in the specified VLAN as the multicast router port. The range is 1 to 1001 and 1006 to 4094.
interface interface-id	Specify the next-hop interface to the multicast router. The keywords have these meanings: •fastethernet interface number—a Fast Ethernet IEEE 802.3 interface. •gigabitethernet interface number—a Gigabit Ethernet IEEE 802.3z interface. •port-channel interface number—a channel interface. The range is 0 to 12.
learn {cgmp | pim-dvmrp}	Specify the multicast router learning method. The keywords have these meanings: •cgmp—Set the switch to learn multicast router ports by snooping on Cisco Group Management Protocol (CGMP) packets. •pim-dvmrp—Set the switch to learn multicast router ports by snooping on IGMP queries and Protocol-Independent Multicast-Distance Vector Multicast Routing Protocol (PIM-DVMRP) packets.

Defaults

By default, there are no multicast router ports.

The default learning method is pim-dvmrp—to snoop IGMP queries and PIM-DVMRP packets.

Command Modes

Global configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in IGMP snooping.

The CGMP learn method is useful for reducing control traffic.

The configuration is saved in NVRAM.

Examples

This example shows how to configure a port as a multicast router port:

Switch(config)# ip igmp snooping vlan 1 mrouter interface gigabitethernet1/0/2

This example shows how to specify the multicast router learning method as CGMP:

Switch(config)# ip igmp snooping vlan 1 mrouter learn cgmp

You can verify your settings by entering the show ip igmp snooping privileged EXEC command.

Related Commands

Command	Description
ip igmp snooping report-suppression	Enables IGMP report suppression.
show ip igmp snooping	Displays the snooping configuration.
show ip igmp snooping groups	Displays IGMP snooping multicast information.
show ip igmp snooping groups	Displays the IGMP snooping router ports.
show ip igmp snooping querier	Displays the configuration and operation information for the IGMP querier configured on a switch.

ip igmp snooping vlan static

Use the ip igmp snooping static global configuration command to enable Internet Group Management Protocol (IGMP) snooping and to statically add a Layer 2 port as a member of a multicast group. Use the no form of this command to remove ports specified as members of a static multicast group.

ip igmp snooping vlan vlan-id static ip-address interface interface-id

no ip igmp snooping vlan vlan-id static ip-address interface interface-id

Syntax Description

vlan-id	Enable IGMP snooping on the specified VLAN. The range is 1 to 1001 and 1006 to 4094.
ip-address	Add a Layer 2 port as a member of a multicast group with the specified group IP address.
interface interface-id	Specify the interface of the member port. The keywords have these meanings: •fastethernet interface number—a Fast Ethernet IEEE 802.3 interface. •gigabitethernet interface number—a Gigabit Ethernet IEEE 802.3z interface. •port-channel interface number—a channel interface. The range is 0 to 12.

Defaults

By default, there are no ports statically configured as members of a multicast group.

Command Modes

Global configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in IGMP snooping.

The configuration is saved in NVRAM.

Examples

This example shows how to statically configure a host on an interface:

Switch(config)# ip igmp snooping vlan 1 static 0100.5e02.0203 interface 
gigabitethernet1/0/1

Configuring port gigabitethernet1/0/1 on group 0100.5e02.0203

You can verify your settings by entering the show ip igmp snooping privileged EXEC command.

Related Commands

Command	Description
ip igmp snooping report-suppression	Enables IGMP report suppression.
show ip igmp snooping	Displays the snooping configuration.
show ip igmp snooping groups	Displays IGMP snooping multicast information.
show ip igmp snooping groups	Displays the IGMP snooping router ports.
show ip igmp snooping querier	Displays the configuration and operation information for the IGMP querier configured on a switch.

ip sla responder twamp

Use the ip sla responder twamp global configuration command to configure the switch as a Two-Way Active Measurement Protocol (TWAMP) responder. Use the no form of this command to disable the IP SLA TWAMP responder.

ip sla responder twamp [timeout seconds]

no ip sla responder twamp [timeout seconds]

Syntax Description

timeout seconds

(Optional) Specify the number of seconds a TWAMP session can be inactive before the session ends. The range is 1-604800 seconds. The default is 900 seconds.

Defaults

No IP SLA TWAMP responder is configured.

Command Modes

Global configuration

Command History

Release	Modification
12.2(52)SE	This command was introduced.

Usage Guidelines

After entering the ip sla responder twamp command, you enter IP SLA TWAMP reflector configuration mode, and these configuration commands are available:

•default: sets a command to its defaults.

•exit: exits from IP SLA TWAMP reflector configuration mode.

•no: negates a command or resets to its defaults.

•timeout seconds: specifies the maximum time the session can be inactive before the session ends. The range is 1-604800 seconds. The default is 900 seconds.

For the TWAMP server and reflector to function, you must also configure a TWAMP control device, which serves as the client and session sender. These functions are not configured on a Cisco device.

Examples

This example shows how to configure a switch as an IP SLA TWAMP responder:

Switch(config)# ip sla responder twamp 

Switch(config-twamp-ref)# timeout inactivity 900

Related Commands

Command	Description
ip sla responder	Enables the Cisco IOS IP Service Level Agreements (SLAs) responder for general IP SLAs operations.
ip sla server twamp	Configures the switch as a Two-Way Active Measurement Protocol (TWAMP) server.
show ip sla standards	(Optional) Display the IP SLAs standards configured on the switch.
show ip sla twamp connection {detail | requests}	(Optional) Displays the current Cisco IOS IP Service Level Agreements (SLAs) Two-Way Active Measurement Protocol (TWAMP) connections

ip sla server twamp

Use the ip sla server twamp global configuration command to configure the switch as a Two-Way Active Measurement Protocol (TWAMP) server. Use the no form of this command to disable the IP SLA TWAMP server.

ip sla server twamp

no ip sla server twamp

Syntax Description

This command has no arguments or keywords.

Defaults

No IP SLA TWAMP server is configured.

Command Modes

Global configuration

Command History

Release	Modification
12.2(52)SE	This command was introduced.

Usage Guidelines

After entering the ip sla server twamp command, you enter IP SLA TWAMP server configuration mode, and these configuration commands are available:

•default: sets a command to its defaults.

•exit: exits from IP SLA TWAMP server configuration mode.

•no: negates a command or resets to its defaults.

•port port-number: specifies the source port for TWAMP control traffic. Valid port numbers are from 1 to 65535.

•timer inactivity seconds: specifies the maximum time the session can be inactive before the session ends. The range is 1-6000 seconds. The default is 900 seconds.

For the TWAMP server and reflector to function, you must also configure a TWAMP control device, which serves as the client and session sender. These functions are not configured on a Cisco device.

Examples

This example shows how to configure a switch as an IP SLA TWAMP server:

Switch(config)# ip sla server twamp 

Switch(config-twamp-srvr)# port 862

Switch(config-twamp-srvr)# timer inactivity 540

Related Commands

Command	Description
ip sla responder	Enables the Cisco IOS IP Service Level Agreements (SLAs) responder for general IP SLAs operations.
ip sla responder twamp	Configures the switch as a Two-Way Active Measurement Protocol (TWAMP) responder.
show ip sla standards	(Optional) Displays the IP SLAs standards configured on the switch.
show ip sla twamp connection {detail | requests}	(Optional) Displays the current Cisco IOS IP Service Level Agreements (SLAs) Two-Way Active Measurement Protocol (TWAMP) connections.

ip source binding

Use the ip source binding global configuration command to configure static IP source bindings on the switch. Use the no form of this command to delete static bindings.

ip source binding mac-address vlan vlan-id ip-address interface interface-id

no source binding mac-address vlan vlan-id ip-address interface interface-id

Syntax Description

mac-address	Specify a MAC address.
vlan vlan-id	Specify a VLAN number. The range is from 1 to 4094.
ip-address	Specify an IP address.
interface interface-id	Specify an interface on which to add or delete an IP source binding.

Defaults

No IP source bindings are configured.

Command Modes

Global configuration

Command History

Release	Modification
12.2(25)EY	This command was introduced.

Usage Guidelines

A static IP source binding entry has an IP address, its associated MAC address, and its associated VLAN number. The entry is based on the MAC address and the VLAN number. If you modify an entry by changing only the IP address, the switch updates the entry instead creating a new one.

Examples

This example shows how to add a static IP source binding:

Switch(config)# ip source binding 0001.1234.1234 vlan 1 172.20.50.5 interface 
gigabitethernet1/0/1 

This example shows how to add a static binding and then modify the IP address for it:

Switch(config)# ip source binding 0001.1357.0007 vlan 1 172.20.50.25 interface 
gigabitethernet1/0/1 

Switch(config)# ip source binding 0001.1357.0007 vlan 1 172.20.50.30 interface 
gigabitethernet1/0/1 

You can verify your settings by entering the show ip source binding privileged EXEC command.

Related Commands

Command	Description
ip verify source	Enables IP source guard on an interface.
show ip igmp snooping groups	Displays the IP source bindings on the switch.
show ip verify source	Displays the IP source guard configuration on the switch or on a specific interface.

ip ssh

Use the ip ssh global configuration command to configure the switch to run Secure Shell (SSH) Version 1 or SSH Version 2. This command is available only when your switch is running the cryptographic (encrypted) software image. Use the no form of this command to return to the default setting.

ip ssh version [1 | 2]

no ip ssh version [1 | 2]

Syntax Description

1	(Optional) Configure the switch to run SSH Version 1 (SSHv1).
2	(Optional) Configure the switch to run SSH Version 2 (SSHv1).

Defaults

The default version is the latest SSH version supported by the SSH client.

Command Modes

Global configuration

Command History

Release	Modification
12.2(25)EY	This command was introduced.

Usage Guidelines

If you do not enter this command or if you do not specify a keyword, the SSH server selects the latest SSH version supported by the SSH client. For example, if the SSH client supports SSHv1 and SSHv2, the SSH server selects SSHv2.

The switch supports an SSHv1 or an SSHv2 server. It also supports an SSHv1 client. For more information about the SSH server and the SSH client, see the software configuration guide for this release.

A Rivest, Shamir, and Adelman (RSA) key pair generated by an SSHv1 server can be used by an SSHv2 server and the reverse.

Examples

This example shows how to configure the switch to run SSH Version 2:

Switch(config)# ip ssh version 2

You can verify your settings by entering the show ip ssh or show ssh privileged EXEC command.

Related Commands

Command	Description
show ip ssh	Displays if the SSH server is enabled and displays the version and configuration information for the SSH server. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS Security Command Reference, Release 12.2 > Other Security Features > Secure Shell Commands.
show ssh	Displays the status of the SSH server. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS Security Command Reference, Release 12.2 > Other Security Features > Secure Shell Commands.

ip sticky-arp (global configuration)

Use the ip sticky-arp global configuration command to enable sticky Address Resolution Protocol (ARP) on a switch virtual interface (SVI) that belongs to a private VLAN. Use the no form of this command to disable sticky ARP.

ip sticky-arp

no ip sticky-arp

Syntax Description

This command has no arguments or keywords.

Defaults

Sticky ARP is enabled.

Command Modes

Global configuration

Command History

Release	Modification
12.2(25)EY	This command was introduced.

Usage Guidelines

Sticky ARP entries are those learned on private-VLAN SVIs. These entries do not age out.

The ip sticky-arp global configuration command is supported only on SVIs belonging to private VLANs.

•When you configure a private VLAN, sticky ARP is enabled on the switch (the default).

If you enter the ip sticky-arp interface configuration command, it does not take effect.

If you enter the no ip sticky-arp interface configuration command, you do not disable sticky ARP on an interface.

---

Note We recommend that you use the show arp privileged EXEC command to display and verify private-VLAN interface ARP entries.

---

•If you disconnect the switch from a device and then connect it to another device with a different MAC address but with the same IP address, the ARP entry is not created, and this message appears:

*Mar 2 00:26:06.967: %IP-3-STCKYARPOVR: Attempt to overwrite Sticky ARP entry:  
20.6.2.1, hw: 0000.0602.0001 by hw: 0000.0503.0001

•If a MAC address of a device changes, you must use the no arp ip-address global configuration command to manually remove the private-VLAN interface ARP entries.

•Use the arp ip-address hardware-address type global configuration command to add a private-VLAN ARP entry.

•Use the no sticky-arp global configuration command to disable sticky ARP on the switch.

•Use the no sticky-arp interface configuration command to disable sticky ARP on an interface when sticky ARP is disabled on the switch.

Examples

To disable sticky ARP:

Switch(config)# no ip sticky-arp

You can verify your settings by using the show arp privileged EXEC command.

Related Commands

Command	Description
arp	Adds a permanent entry in the ARP table. For syntax information, see the Cisco IOS IP Addressing Services Command Reference, Release 12.4 > ARP Commands.
show arp	Displays the entries in the ARP table. For syntax information, see the Cisco IOS IP Addressing Services Command Reference, Release 12.4 > ARP Commands.

ip sticky-arp (interface configuration)

Use the ip sticky-arp interface configuration command to enable sticky Address Resolution Protocol (ARP) on a switch virtual interface (SVI) or a Layer 3 interface. Use the no form of this command to disable sticky ARP.

ip sticky-arp

no ip sticky-arp

Syntax Description

This command has no arguments or keywords.

Defaults

Sticky ARP is enabled on private-VLAN SVIs.

Sticky ARP is disabled on Layer 3 interfaces and normal SVIs.

Command Modes

Interface configuration

Command History

Release	Modification
12.2(25)EY	This command was introduced.

Usage Guidelines

Sticky ARP entries are those learned on SVIs and Layer 3 interfaces. These entries do not age out.

The ip sticky-arp interface configuration command is only supported on

•Layer 3 interfaces

•SVIs belonging to normal VLANs

•SVIs belonging to private VLANs

On a Layer 3 interface or on an SVI belonging to a normal VLAN

•Use the sticky-arp interface configuration command to enable sticky ARP.

•Use the no sticky-arp interface configuration command to disable sticky ARP.

On private-VLAN SVIs

•When you configure a private VLAN, sticky ARP is enabled on the switch (the default).

If you enter the ip sticky-arp interface configuration command, it does not take effect.

If you enter the no ip sticky-arp interface configuration command, you do not disable sticky ARP on an interface.

---

Note We recommend that you use the show arp privileged EXEC command to display and verify private-VLAN interface ARP entries.

---

•If you disconnect the switch from a device and then connect it to another device with a different MAC address but with the same IP address, the ARP entry is not created, and this message appears:

*Mar 2 00:26:06.967: %IP-3-STCKYARPOVR: Attempt to overwrite Sticky ARP entry:  
20.6.2.1, hw: 0000.0602.0001 by hw: 0000.0503.0001

•If a MAC address of a device changes, you must use the no arp ip-address global configuration command to manually remove the private-VLAN interface ARP entries.

•Use the arp ip-address hardware-address type global configuration command to add a private-VLAN ARP entry.

•Use the no sticky-arp global configuration command to disable sticky ARP on the switch.

•Use the no sticky-arp interface configuration command to disable sticky ARP on an interface.

Examples

To enable sticky ARP on a normal SVI:

Switch(config-if)# ip sticky-arp

To disable sticky ARP on a Layer 3 interface or an SVI:

Switch(config-if)# no ip sticky-arp

You can verify your settings by using the show arp privileged EXEC command.

Related Commands

Command	Description
arp	Adds a permanent entry in the ARP table. For syntax information, see the Cisco IOS IP Addressing Services Command Reference, Release 12.4 > ARP Commands.
show arp	Displays the entries in the ARP table. For syntax information, see the Cisco IOS IP Addressing Services Command Reference, Release 12.4 > ARP Commands.

ip verify source

Use the ip verify source interface configuration command to enable IP source guard on an interface. Use the no form of this command to disable IP source guard.

ip verify source {vlan dhcp-snooping | tracking}[port-security]

no ip verify source {vlan dhcp-snooping | tracking}[port-security]

Syntax Description

vlan dhcp-snooping	Enable IP source guard on an untrusted Layer 2 DHCP snooping interfaces.
tracking	Enable IP port security to learn static IP address learning on a port.
port-security	(Optional) Enable IP source guard with IP and MAC address filtering. If you do not enter the port-security keyword, IP address filtering is enabled.

Defaults

IP source guard is disabled.

Command Modes

Interface configuration

Command History

Release	Modification
12.2(25)EY	This command was introduced.
12.2(52)SE	The vlan dhcp-snooping and tracking keywords were added.

Usage Guidelines

To enable IP source guard with source IP address filtering, use the ip verify source interface configuration command.

To enable IP source guard with source IP and MAC address filtering, use the ip verify source port-security interface configuration command.

To enable IP source guard with source IP and MAC address filtering, you must enable port security on the interface.

Examples

This example shows how to enable IP source guard on VLANs 10 through 20 on a per-port basis:

Switch# configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Switch(config)# ip dhcp snooping

Switch(config)# ip dhcp snooping vlan 10 20

Switch(config)# interface gigabitethernet1/0/1

Switch(config-if)# switchport trunk encapsulation dot1q

Switch(config-if)# switchport mode trunk

Switch(config-if)# switchport trunk native vlan 10

Switch(config-if)# switchport trunk allowed vlan 11-20

Switch(config-if)# no ip dhcp snooping trust

Switch(config-if)# ip verify source vlan dhcp-snooping

Switch(config)# end

Switch# show ip verify source interface gigabitethernet1/0/1

Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan

---------  -----------  -----------  ---------------  -----------------  ----------

Gi1/0/1      ip-mac       active       10.0.0.1                            10  

Gi1/0/1      ip-mac       active       deny-all                            11-20  

Switch#

This example shows how to enable IP port security with IP-MAC filters on a Layer 2 access port:

Switch# configure terminal 

Enter configuration commands, one per line.  End with CNTL/Z.

Switch(config)# ip device tracking

Switch(config)# interface gigabitEthernet1/0/3

Switch(config-if)# switchport mode access 

Switch(config-if)# switchport access vlan 1

Switch(config-if)# ip device tracking maximum 5

Switch(config-if)# switchport port-security 

Switch(config-if)# switchport port-security maximum 5

Switch(config-if)# ip verify source tracking port-security 

Switch(config-if)# end

Verify your settings by entering the show ip verify source privileged EXEC command.

Related Commands

Command	Description
ip device tracking maximum	Enable IP port security binding tracking on a Layer 2 port.
ip dhcp snooping	Globally enable DHCP snooping.
ip dhcp snooping limit rate	Configure the number of the DHCP messages that an interface can receive per second.
ip dhcp snooping information option	Enable DHCP option-82 data insertion.
ip dhcp snooping trust	Enable DHCP snooping on a trusted VLAN.
ip source binding	Configure static bindings on the switch.
show ip dhcp snooping	Display the DHCP snooping configuration.
show ip dhcp snooping binding	Display the DHCP snooping binding entries.
show ip verify source	Display the IP source guard configuration on the switch or on a specific interface.

ip vrf (global configuration)

Use the ip-vrf global configuration command to configure a virtual private network (VPN) routing/forwarding (VRF) routing table and to enter VRF configuration mode. Use the no form of this command to remove a VRF routing table and to return to global configuration mode.

ip vrf vrf-name

no ip vrf vrf-name

---

Note The switch supports multiple VPN routing/forwarding instances in customer edge devices (multi-VRF CE).

---

Syntax Description

vrf-name

Name assigned to a VRF.

Defaults

No VRFs are defined.

No import or export lists are associated with a VRF.

No route maps are associated with a VRF.

Command Modes

Global configuration or router configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

Entering the ip vrf command enables the VRF configuration mode. These configuration commands are available:

•default: sets a command (description, export, import, maximum, route-target) to its default.

•description: describes the VRF (up to 80 characters).

•exit: exits VRF configuration mode and returns you to global configuration mode.

•export map route-map: sets a route map to be used as an export route map for the VRF.

•import map route-map: sets a route map to be used as an import route map for the VRF.

•maximum routes limit {warn threshold | warn-only}: limits the maximum number of routes in a VRF to prevent a provider edge (PE) router from importing too many routes. The range is from 1 to 4294967295; the threshold is a percentage of the limit, from 1 to 100.

•no: negates a command or sets its defaults.

•rd: specifies a Route Distinguisher (RD) as either ASN-relative, containing an autonomous system number and an arbitrary number, or IP-address-relative, containing an IP address and an arbitrary number.

–16-bit AS number: your arbitrary 32-bit number (for example, 101:3)

–32-bit IP address: your arbitrary 16-bit number (for example, 192.168.122.15:1.)

•route-target {import | export | both} route-target-ext-community: specifies target VPN extended communities. You can specify the target for export, import, or both.

To return to global configuration mode, use the exit command. To return to privileged EXEC mode, use the end command.

The switch supports a total of 26 VRFs and VPNs.

Use an import route map when an application requires finer control over the routes imported into a VRF than provided by the import and export extended communities configured for the importing and exporting VRF. The import map command associates a route map with the specified VRF. By using a route map, you can filter routes that are eligible for import into a VRF, based on the route target extended community attributes of the route. The route map might deny access to selected routes from a community that is on the import list.

If you set a maximum routes threshold, the switch rejects routes when the threshold limit is reached. If you enter warn-only, the switch issues a syslog error message when the maximum number of VRF routes exceeds the allowed limit, but still allows additional routes.

An RD creates routing and forwarding tables and specifies the default route distinguisher for a VPN. You must configure a route distinguisher for a VRF to be functional. The RD is added to the beginning of the customer's IPv4 prefixes to change them into globally unique VPN-IPv4 prefixes.

The route target specifies a target VPN extended community. Like a route-distinguisher, an extended community is composed of either an autonomous system number and an arbitrary number or an IP address and an arbitrary number.

The ip vrf vrf-name command creates a VRF routing table and a Cisco Express Forwarding (CEF) forwarding table, both named vrf-name. Associated with these tables is the default route distinguisher value route-distinguisher.

Examples

This example shows how to create the VRF named vpn1, enter VRF configuration mode, and import a route map to the VRF:

Switch(config)# ip vrf vpn1

Switch(config-vrf)# rd 100:2

Switch(config-vrf)# route-target both 100:2

Switch(config-vrf)# route-target import 100:1

Related Commands

Command	Description
ip vrf (interface configuration)	Associates a VRF routing table or a route map with an interface.
show ip route vrf	Displays the IP routing table associated with a VRF. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS Switching Services Command Reference, Release 12.2.
show ip vrf	Displays display the set of defined VRFs and associated interfaces. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS Switching Services Command Reference, Release 12.2.

ip vrf (interface configuration)

Use the ip-vrf interface configuration command to associate a virtual private network (VPN) routing/forwarding (VRF) routing table or a route map with an interface. Use the no form of this command to disassociate the VRF routing table or route map.

ip vrf {forwarding table-name | sitemap route-map-name}

no ip vrf {forwarding table-name | sitemap route-map-name}

---

Note The switch supports multiple VPN routing/forwarding instances in customer edge devices (multi-VRF CE).

---

Syntax Description

forwarding table-name	Specify a VRF forwarding table name for the interface.
sitemap route-map-name	Specify a VRF route map for routes received from this site.

Defaults

The default for an interface is the global routing table.

Command Modes

Interface configuration

Command History

Release	Modification
12.1(14)AX	This command was introduced.

Usage Guidelines

Use the ip vrf forwarding command to associate an interface with a VRF. Executing this command on an interface removes the IP address. You should then reconfigure the IP address.

Examples

This example shows how to link the VRF named vpn1 to a port:

Switch(config)# interface gigabitethernet1/0/2

Switch(config-if)# ip vrf forwarding vpn1

Related Commands

Command	Description
ip vrf (global configuration)	Configures a VRF routing table.
ip route vrf	Establishes static routes for a VRF. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS Switching Services Command Reference, Release 12.2.
show ip route vrf	Displays the IP routing table associated with a VRF. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS Switching Services Command Reference, Release 12.2.
show ip vrf	Displays display the set of defined VRFs and associated interfaces. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS Switching Services Command Reference, Release 12.2.

ipv6 access-list

Use the ipv6 access-list global configuration command to define an IPv6 access list and to place the switch in IPv6 access list configuration mode. To remove the access list, use the no form of this command.

ipv6 access-list access-list-name

no ipv6 access-list access-list-name

---

Note This command is available only if you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.

---

Syntax Description

access-list-name

Name of the IPv6 access list. Names cannot contain a space or quotation mark or begin with a number.

Defaults

No IPv6 access list is defined.

Command Modes

Global configuration

Command History

Release	Modification
12.2(52)SE	This command was introduced.

Usage Guidelines

To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 {default | routing | vlan) global configuration command, and reload the switch.

The ipv6 access-list command is similar to the ip access-list command, but it is IPv6-specific.

IPv6 ACLs are defined by a unique name (IPv6 does not support numbered ACLs). An IPv4 ACL and an IPv6 ACL cannot share the same name.

See the deny (IPv6 access-list configuration) and permit (IPv6 access-list configuration) commands for more information on filtering IPv6 traffic based on IPv6 option headers and optional, upper-layer protocol-type information. See the "Examples" section for an example of a translated IPv6 ACL configuration.

Every IPv6 ACL has implicit permit icmp any any nd-na, permit icmp any any nd-ns, and deny ipv6 any any statements as its last match conditions. The two permit conditions allow ICMPv6 neighbor discovery. To disallow ICMPv6 neighbor discovery and to deny icmp any any nd-na or icmp any any nd-ns, there must be an explicit deny entry in the ACL. For the implicit deny ipv6 any any statement to take effect, an IPv6 ACL must contain at least one entry.

The IPv6 neighbor discovery process uses the IPv6 network layer service; therefore, by default, IPv6 ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface. In IPv4, the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery process, uses a separate data-link layer protocol; therefore, by default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.

Use the ipv6 traffic-filter interface configuration command with the access-list-name argument to apply an IPv6 ACL to an IPv6 interface. You can apply inbound and outbound IPv6 ACLs to Layer 3 physical interfaces or to switch virtual interfaces for routed ACLs, but only inbound IPv6 ACLs to Layer 2 interfaces for port ACLs.

---

Note An IPv6 ACL applied to an interface with the ipv6 traffic-filter command filters traffic that is forwarded by the switch and does not filter traffic generated by the switch.

---

Examples

This example puts the switch in IPv6 access list configuration mode, configures the IPv6 ACL named list2, and applies the ACL to outbound traffic on an interface. The first ACL entry prevents all packets from the network FE80:0:0:2::/64 (packets that have the link-local prefix FE80:0:0:2 as the first 64 bits of their source IPv6 address) from leaving the interface. The second entry in the ACL permits all other traffic to leave the interface. The second entry is necessary because an implicit deny-all condition is at the end of each IPv6 ACL.

Switch(config)# ipv6 access-list list2

Switch(config-ipv6-acl)# deny FE80:0:0:2::/64 any

Switch(config-ipv6-acl)# permit any any

Switch(config-ipv6-acl)# exit

Switch(config)# interface gigabitethernet0/3

Switch(config-if)# no switchport

Switch(config-if)# ipv6 address 2001::/64 eui-64

Switch(config-if)# ipv6 traffic-filter list2 out

---

Note IPv6 ACLs that rely on the implicit deny condition or specify a deny any any statement to filter traffic should contain permit statements for link-local addresses to avoid the filtering of protocol packets. Additionally IPv6 ACLs that use deny statements to filter traffic should also use a permit any any statement as the last statement in the list.

---

Related Commands

Command	Description
deny (IPv6 access-list configuration)	Sets deny conditions for an IPv6 access list.
ipv6 traffic-filter	Filters incoming or outgoing IPv6 traffic on an interface.
permit (IPv6 access-list configuration)	Sets permit conditions for an IPv6 access list.
show ipv6 access-list	Displays the contents of all current IPv6 access lists.

ipv6 address dhcp

Use the ipv6 address dhcp interface configuration command to acquire an IPv6 address on an interface from the Dynamic Host Configuration Protocol for IPv6 (DHCPv6) server. To remove the address from the interface, use the no form of this command.

ipv6 address dhcp [rapid-commit]

no ipv6 address dhcp [rapid-commit]

---

Note This command is available only if you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.

---

Syntax Description

rapid-commit

(Optional) Allow two-message exchange method for address assignment.

Defaults

No default is defined.

Command Modes

Interface configuration

Command History

Release	Modification
12.2(52)SE	This command was introduced.

Usage Guidelines

To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 {default | routing | vlan} global configuration command, and reload the switch.

The ipv6 address dhcp interface configuration command allows any interface to dynamically learn its IPv6 address by using DHCP.

The rapid-commit keyword enables the use of the two-message exchange for address allocation and other configuration. If it is enabled, the client includes the rapid-commit option in a solicit message.

Examples

This example shows how to acquire an IPv6 address and to enable the rapid-commit option:

Switch(config)# interface gigabitethernet0/1

Switch(config-if)# ipv6 address dhcp rapid-commit

You can verify your settings by using the show ipv6 dhcp interface privileged EXEC command.

Related Commands

Command	Description
show ipv6 dhcp interface	Displays DHCPv6 interface information.

ipv6 dhcp client request vendor

Use the ipv6 dhcp client request interface configuration command to configure an IPv6 client to request an option from a Dynamic Host Configuration Protocol for IPv6 (DHCPv6) server. To remove the request, use the no form of this command.

ipv6 dhcp client request vendor

no ipv6 dhcp client request vendor

---

Note This command is available only if you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.

---

Syntax Description

This command has no arguments or keywords.

Defaults

No default is defined.

Command Modes

Interface configuration

Command History

Release	Modification
12.2(52)SE	This command was introduced.

Usage Guidelines

To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 {default | routing | vlan} global configuration command, and reload the switch.

Use the ipv6 dhcp client request vendor interface configuration to request a vendor-specific option. When enabled, the command is verified only when an IPv6 address is acquired from DHCP. If you enter the command after the interface has an IPv6 address, the command does not take effect until the next time the client acquires an IPv6 address from DHCP.

Examples

This example shows how to enable the request vendor-specific option.

Switch(config)# interface gigabitethernet0/1

Switch(config-if)# ipv6 dhcp client request vendor-specific

Related Commands

Command	Description
ipv6 address dhcp	Acquires an IPv6 address on an interface from DHCP.

ipv6 dhcp ping packets

Use the ipv6 dhcp ping packets global configuration command to specify the number of packets a Dynamic Host Configuration Protocol for IPv6 (DHCPv6) server sends to a pool address as part of a ping operation. To prevent the server from pinging pool addresses, use the no form of this command.

ipv6 dhcp ping packets number

no ipv6 dhcp ping packets

---

Note This command is available only if you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.

---

Syntax Description

number

The number of ping packets sent before the address is assigned to a requesting client. The range is 0 to 10.

Defaults

The default is 0.

Command Modes

Global configuration

Command History

Release	Modification
12.2(52)SE	This command was introduced.

Usage Guidelines

To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 {default | vlan} global configuration command, and reload the switch.

The DHCPv6 server pings a pool address before assigning it to a requesting client. An unanswered ping indicates that the address is not in use and the server assigns the address to the requesting client.

Setting the number argument to 0 turns off the DHCPv6 server ping operation.

Examples

This example specifies two ping attempts by the DHCPv6 server before further ping attempts stop:

Switch(config)# ipv6 dhcp ping packets 2

Related Commands

Command	Description
clear ipv6 dhcp conflict	Clears an address conflict from the DHCPv6 server database.
show ipv6 dhcp conflict	Displays address conflicts found by a DHCPv6 server or reported through a DECLINE message from a client.

ipv6 dhcp pool

Use the ipv6 dhcp pool global configuration command to enter Dynamic Host Configuration Protocol for IPv6 (DHCPv6) pool configuration mode. Use the no form of this command to return to the default settings.

ipv6 dhcp pool poolname

no ipv6 dhcp pool poolname

---

Note This command is available only if you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.

---

Syntax Description

poolname

User-defined name for the DHCPv6 pool. The pool name can be a symbolic string (such as Engineering) or an integer (such as 0).

Defaults

No default is defined.

Command Modes

Global configuration

Command History

Release	Modification
12.2(52)SE	This command was introduced.

Usage Guidelines

To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 {default | vlan} global configuration command, and reload the switch.

DHCPv6 pool configuration mode commands:

•address prefix IPv6-prefix: sets an address prefix for address assignment. This address must be in hexadecimal, using 16-bit values between colons.

•lifetime t1 t2: sets a valid and a preferred time interval (in seconds) for the IPv6 address. The range is 5 to 4294967295 seconds. The valid default is 2 days. The preferred default is 1 day. The valid lifetime must be greater than or equal to the preferred lifetime. Specify infinite for no time interval.

•link-address IPv6-prefix: sets a link-address IPv6 prefix. When an address on the incoming interface or a link-address in the packet matches the specified IPv6-prefix, the server uses the configuration information pool. This address must be in hexadecimal, using 16-bit values between colons.

•vendor-specific: enables the DHCPv6 vendor-specific configuration mode with these configuration commands:

–vendor-id: enter a vendor-specific identification number. This number is the vendor IANA Private Enterprise Number. The range is 1 to 4294967295.

–suboption number: sets vendor-specific suboption number. The range is 1 to 65535. Enter an IPv6 address, ASCII text, or a hexadecimal string as defined by the suboption parameters.

After you create the DHCPv6 configuration information pool, use the ipv6 dhcp server interface configuration command to associate the pool with a server on an interface. However, if you do not configure an information pool, you still need to use the ipv6 dhcp server interface configuration command to enable the DHCPv6 server function on an interface.

When you associate a DHCPv6 pool with an interface, only that pool services requests on the associated interface. The pool also services other interfaces. If you do not associate a DHCPv6 pool with an interface, it can service requests on any interface.

Not using any IPv6 address prefix means that the pool only returns configured options.

The link-address keyword allows matching of a link-address without necessarily allocating an address. You can match the pool from multiple relays by using multiple link-address configuration commands inside a pool.

Because a longest match is performed on either the address pool information or the link information, you can configure one pool to allocate addresses and another pool on a subprefix that only returns configured options.

Examples

This example shows how to configure a pool called engineering with an IPv6 address prefix:

Switch# configure terminal

Switch(config)# ipv6 dhcp pool engineering

Switch(config-dhcpv6)# address prefix 2001:1000::0/64

Switch(config-dhcpv6)# end

This example shows how to configure a pool called testgroup with three link-address prefixes and an IPv6 address prefix:

Switch# configure terminal

Switch(config)# ipv6 dhcp pool testgroup

Switch(config-dhcpv6)# link-address 2001:1001::0/64

Switch(config-dhcpv6)# link-address 2001:1002::0/64

Switch(config-dhcpv6)# link-address 2001:2000::0/48

Switch(config-dhcpv6)# address prefix 2001:1003::0/64

Switch(config-dhcpv6)# end

This example shows how to configure a pool called 350 with vendor-specific options:

Switch# configure terminal

Switch(config)# ipv6 dhcp pool 350

Switch(config-dhcpv6)# vendor-specific 9

Switch(config-dhcpv6-vs)# suboption 1 address 1000:235D::1

Switch(config-dhcpv6-vs)# suboption 2 ascii "IP-Phone"

Switch(config-dhcpv6-vs)# end

Related Commands

Command	Description
ipv6 dhcp server	Enables DHCPv6 service on an interface.
show ipv6 dhcp pool	Displays DHCPv6 configuration pool information.

ipv6 dhcp server

Use the ipv6 dhcp server interface configuration command to enable Dynamic Host Configuration Protocol for IPv6 (DHCPv6) service on an interface. To disable DHCPv6 service on an interface, use the no form of this command.

ipv6 dhcp server [poolname | automatic] [allow-hint] [rapid-commit] [preference value]

no ipv6 dhcp server

---

Note This command is available only if you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.

---

Syntax Description

poolname	(Optional) User-defined name for the IPv6 DHCP pool. The pool name can be a symbolic string (such as Engineering) or an integer (such as 0).
automatic	(Optional) Enable the server to automatically determine which pool to use when allocating addresses for a client.
allow-hint	(Optional) Specify whether the server should consider client suggestions in the SOLICIT message. By default, the server ignores client suggestions.
preference value	(Optional) The preference value carried in the preference option in the advertise message sent by the server. The range is from 0 to 255. The default is 0.
rapid-commit	(Optional) Allow two-message exchange method.

Defaults

By default, no DHCPv6 packets are serviced on the interface.

Command Modes

Interface configuration

Command History

Release	Modification
12.2(52)SE	The automatic keyword was added to the command.

Usage Guidelines

The ipv6 dhcp server interface configuration command enables DHCPv6 service on a specified interface.

If you enter the automatic keyword, the system automatically determine which pool to use when allocating addresses for a client. When the server receives an IPv6 DHCP packet, the server determines if it was received from a DHCP relay or if it was directly received from the client. If the packet was received from a relay, the server verifies the link-address field inside the packet associated with the first relay that is closest to the client. The server matches this link-address against all address prefix and link-address configurations in IPv6 DHCP pools to find the longest prefix match. The server selects the pool associated with the longest match.

If the packet was received directly from the client, the server performs this same matching, but it uses all the IPv6 addresses configured on the incoming interface when performing the match. Once again, the server selects the longest prefix match.

If you enter the allow-hint keyword, the server allocates a valid client-suggested address in the solicit and request messages. The prefix address is valid if it is in the associated local prefix address pool and it is not assigned to a device. If the allow-hint keyword is not specified, the server ignores the client hint, and an address is allocated from the free list in the pool.

If you configure the preference keyword with a value other than 0, the server adds a preference option to carry the preference value for the advertise messages. This action affects the selection of a server by the client. Any advertise message that does not include a preference option is considered to have a preference value of 0. If the client receives an advertise message with a preference value of 255, the client immediately sends a request message to the server from which the message was received.

Entering the rapid-commit keyword enables the use of the two-message exchange.

The DHCPv6 client, server, and relay functions are mutually exclusive on an interface. When one of these functions is already enabled and you try to configure a different function on the same interface, the switch returns one of these messages:

Interface is in DHCP client mode

Interface is in DHCP server mode

Interface is in DHCP relay mode

Examples

This example enables DHCPv6 for the pool named testgroup:

Switch(config-if)# ipv6 dhcp server testgroup

Related Commands

Command	Description
ipv6 dhcp pool	Configures a DHCPv6 pool and enters DHCPv6 pool configuration mode.
show ipv6 dhcp interface	Displays DHCPv6 interface information.

ipv6 mld snooping

Use the ipv6 mld snooping global configuration command without keywords to enable IP version 6 (IPv6) Multicast Listener Discovery (MLD) snooping globally or on the specified VLAN. Use the no form of this command to disable MLD snooping on the switch or switch stack or the VLAN.

ipv6 mld snooping [vlan vlan-id]

no ipv6 mld snooping [vlan vlan-id]

---

Note This command is available only if you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.

---

Syntax Description

vlan vlan-id

(Optional) Enable or disable IPv6 MLD snooping on the specified VLAN. The VLAN ID range is 1 to 1001 and 1006 to 4094.

Defaults

MLD snooping is globally disabled on the switch.

MLD snooping is enabled on all VLANs. However, MLD snooping must be globally enabled before VLAN snooping will take place.

Command Modes

Global configuration

Command History

Release	Modification
12.2(52)SE	This command was introduced.

Usage Guidelines

To configure the d