CGS 2520 Switch Command Reference, 12.2(53)EX
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
- Updated:
- February 18, 2018
Chapter: Cisco IOS Commands - aaa through reserved-only
- aaa accounting dot1x
- aaa authentication dot1x
- action
- alarm contact
- alarm facility fcs-hysteresis
- alarm facility power-supply
- alarm facility temperature
- alarm profile (global configuration)
- alarm profile (interface configuration)
- alarm relay-mode
- archive download-sw
- archive tar
- archive upload-sw
- arp access-list
- authentication control-direction
- authentication critical recovery delay
- authentication event
- authentication fallback
- authentication host-mode
- authentication mac-move permit
- authentication open
- authentication order
- authentication periodic
- authentication port-control
- authentication priority
- authentication timer
- authentication violation
- bandwidth
- boot config-file
- boot enable-break
- boot helper
- boot helper-config-file
- boot manual
- boot private-config-file
- boot system
- channel-group
- channel-protocol
- class
- class-map
- clear ip arp inspection log
- clear ip arp inspection statistics
- clear ip dhcp snooping
- clear ipc
- clear ipv6 dhcp conflict
- clear l2protocol-tunnel counters
- clear lacp
- clear logging onboard
- clear mac address-table
- clear mac address-table move update
- clear pagp
- clear policer cpu uni-eni counters
- clear port-security
- clear rep counters
- clear scada modbus tcp server statistics
- clear spanning-tree counters
- clear spanning-tree detected-protocols
- clear vmps statistics
- conform-action
- copy logging onboard module
- cpu traffic qos cos
- cpu traffic qos dscp
- cpu traffic qos precedence
- cpu traffic qos qos-group
- define interface-range
- delete
- deny (ARP access-list configuration)
- deny (IPv6 access-list configuration)
- deny (MAC access-list configuration)
- diagnostic monitor
- diagnostic schedule test
- diagnostic start test
- dot1x credentials
- dot1x critical eapol (global configuration)
- dot1x default
- dot1x guest-vlan supplicant
- dot1x initialize
- dot1x max-reauth-req
- dot1x max-req
- dot1x pae
- dot1x supplicant force-multicast
- dot1x system-auth-control
- dot1x test eapol-capable
- dot1x test timeout
- dot1x timeout
- duplex
- errdisable detect cause
- errdisable recovery
- ethernet evc
- ethernet lmi
- ethernet lmi ce-vlan map
- ethernet loopback (interface configuration)
- ethernet loopback (privileged EXEC)
- ethernet oam remote-failure
- ethernet uni
- ethernet uni id
- exceed-action
- fcs-threshold
- flowcontrol
- hw-module module logging onboard
- interface port-channel
- interface range
- interface vlan
- ip access-group
- ip address
- ip arp inspection filter vlan
- ip arp inspection limit
- ip arp inspection log-buffer
- ip arp inspection trust
- ip arp inspection validate
- ip arp inspection vlan
- ip arp inspection vlan logging
- ip device tracking maximum
- ip dhcp snooping
- ip dhcp snooping binding
- ip dhcp snooping database
- ip dhcp snooping information option
- ip dhcp snooping information option allowed-untrusted
- ip dhcp snooping information option format remote-id
- ip dhcp snooping limit rate
- ip dhcp snooping trust
- ip dhcp snooping verify mac-address
- ip dhcp snooping vlan
- ip dhcp snooping vlan information option format-type circuit-id string
- ip igmp filter
- ip igmp max-groups
- ip igmp profile
- ip igmp snooping
- ip igmp snooping last-member-query-interval
- ip igmp snooping querier
- ip igmp snooping report-suppression
- ip igmp snooping tcn
- ip igmp snooping tcn flood
- ip igmp snooping vlan immediate-leave
- ip igmp snooping vlan mrouter
- ip igmp snooping vlan static
- ip sla responder twamp
- ip sla server twamp
- ip source binding
- ip ssh
- ip sticky-arp (global configuration)
- ip sticky-arp (interface configuration)
- ip verify source
- ipv6 access-list
- ipv6 address dhcp
- ipv6 dhcp client request vendor
- ipv6 dhcp ping packets
- ipv6 dhcp pool
- ipv6 dhcp server
- ipv6 mld snooping
- ipv6 mld snooping last-listener-query-count
- ipv6 mld snooping last-listener-query-interval
- ipv6 mld snooping listener-message-suppression
- ipv6 mld snooping robustness-variable
- ipv6 mld snooping tcn
- ipv6 mld snooping vlan
- ipv6 traffic-filter
- l2protocol-tunnel
- l2protocol-tunnel cos
- lacp port-priority
- lacp system-priority
- link state group
- link state track
- location (global configuration)
- location (interface configuration)
- logging event
- logging event power-inline-status
- logging file
- mac access-group
- mac access-list extended
- mac address-table aging-time
- mac address-table learning vlan
- mac address-table move update
- mac address-table notification
- mac address-table static
- mac address-table static drop
- macro apply
- macro description
- macro global
- macro global description
- macro name
- match (access-map configuration)
- match access-group
- match cos
- match ip dscp
- match ip precedence
- match qos-group
- match vlan
- mdix auto
- media-type
- monitor session
- mvr (global configuration)
- mvr (interface configuration)
- oam protocol cfm svlan
- pagp learn-method
- pagp port-priority
- permit (ARP access-list configuration)
- permit (IPv6 access-list configuration)
- permit (MAC access-list configuration)
- police
- policer aggregate (global configuration)
- police aggregate (policy-map class configuration)
- policer cpu uni
- policy-map
- port-channel load-balance
- port-type
- power inline
- power inline consumption
- power inline police
- priority
- private-vlan
- private-vlan mapping
- queue-limit
- radius-server dead-criteria
- radius-server host
- reload
- remote-span
- renew ip dhcp snooping database
- rep admin vlan
- rep block port
- rep lsl-age-timer
- rep preempt delay
- rep preempt segment
- rep segment
- rep stcn
- reserved-only
Cisco CGS 2520 Cisco IOS Commands
aaa accounting dot1x
Use the aaa accounting dot1x global configuration command to enable authentication, authorization, and accounting (AAA) accounting and to create method lists defining specific accounting methods on a per-line or per-interface basis for IEEE 802.1x sessions. Use the no form of this command to disable IEEE 802.1x accounting.
aaa accounting dot1x {name | default} start-stop {broadcast group {name | radius | tacacs+} [group {name | radius | tacacs+}... ] | group {name | radius | tacacs+} [group {name | radius | tacacs+} ... ]}
no aaa accounting dot1x {name | default}
Syntax Description
Defaults
AAA accounting is disabled.
Command Modes
Global configuration
Command History
|
|
|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
This command requires access to a RADIUS server.
Note 
We recommend that you enter the authentication periodic interface configuration command before configuring IEEE 802.1x RADIUS accounting on an interface.
Examples
This example shows how to configure IEEE 802.1x accounting:
Switch(config)# aaa accounting dot1x
Switch(config)# aaa accounting dot1x default start-stop group radius
Switch(config)#
Note The RADIUS authentication server must be properly configured to accept and log update or watchdog packets from the AAA client.
Related Commands
aaa authentication dot1x
Use the aaa authentication dot1x global configuration command to specify the authentication, authorization, and accounting (AAA) method to use on ports complying with IEEE 802.1x. Use the no form of this command to disable authentication.
aaa authentication dot1x {default} method1
no aaa authentication dot1x {default}
Syntax Description
Note Though other keywords are visible in the command-line help strings, only the default and group radius keywords are supported.
Defaults
No authentication is performed.
Command Modes
Global configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
The method argument identifies the method that the authentication algorithm tries in the given sequence to validate the password provided by the client. The only method that is truly IEEE 802.1x-compliant is the group radius method, in which the client data is validated against a RADIUS authentication server.
If you specify group radius, you must configure the RADIUS server by entering the radius-server host global configuration command.
Use the show running-config privileged EXEC command to display the configured lists of authentication methods.
Examples
This example shows how to enable AAA and how to create an IEEE 802.1x-compliant authentication list. This authentication first tries to contact a RADIUS server. If this action returns an error, the user is not allowed access to the network.
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
You can verify your settings by entering the show running-config privileged EXEC command.
Related Commands
|
|
|
|---|---|
aaa new-model |
Enables the AAA access control model. For syntax information, see the Cisco IOS Security Command Reference, Release 12.2 > Authentication, Authorization, and Accounting > Authentication Commands. |
show running-config |
Displays the operating configuration. For syntax information, use this link to the Cisco IOS Release 12.2 Command Reference listing page: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/prod_command_reference_list.html |
action
Use the action access-map configuration command to set the action for the VLAN access map entry. Use the no form of this command to set the action to the default value, which is to forward.
action {drop | forward}
no action
Syntax Description
drop |
Drop the packet when the specified conditions are matched. |
forward |
Forward the packet when the specified conditions are matched. |
Defaults
The default action is to forward packets.
Command Modes
Access-map configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
You enter access-map configuration mode by using the vlan access-map global configuration command.
If the action is drop, you should define the access map, including configuring any access control list (ACL) names in match clauses, before applying the map to a VLAN, or all packets could be dropped.
In access-map configuration mode, use the match access-map configuration command to define the match conditions for a VLAN map. Use the action command to set the action that occurs when a packet matches the conditions.
The drop and forward parameters are not used in the no form of the command.
Examples
This example shows how to identify and apply a VLAN access map vmap4 to VLANs 5 and 6 that causes the VLAN to forward an IP packet if the packet matches the conditions defined in access list al2:
Switch(config)# vlan access-map vmap4
Switch(config-access-map)# match ip address al2
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan filter vmap4 vlan-list 5-6
You can verify your settings by entering the show vlan access-map privileged EXEC command.
Related Commands
alarm contact
Use the alarm contact global configuration command to configure triggers and severity levels for external alarms. Use the no form of this command to remove the configuration.
alarm contact {contact-number {description string | severity {critical | major | minor} | trigger {closed | open}} | all {severity {critical | major | minor} | trigger {closed | open}}
no alarm contact {contact-number {description | severity | trigger} | all {severity | trigger}
Defaults
No alarms are configured.
Command Modes
Global configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
The no alarm contact contact-number description sets the description to an empty string.
The no alarm contact {contact-number | all} severity sets the alarm-contact severity to minor.
The no alarm contact {contact-number | all} trigger sets the external alarm-contact trigger to closed.
Examples
This example shows how to configure alarm contact number 1 to report a critical alarm when the contact is open.
Switch(config)# alarm contact 1 description main_lab_door
Switch(config)# alarm contact 1 severity critical
Switch(config)# alarm contact 1 trigger open
Dec 4 10:34:09.049: %PLATFORM_ENV-1-EXTERNAL_ALARM_CONTACT_ASSERT: Alarm asserted: main_lab_door
You can verify your settings by entering the show env alarm-contact or the show running-config privileged EXEC command.
Switch# show env alarm-contact
ALARM CONTACT 1
Status: asserted
Description: main_lab_door
Severity: critical
Trigger: open
This example shows how to configure clear alarm contact number 1 and the show command outputs.
Switch(config)# no alarm contact 1 description
Dec 4 10:39:33.621: %PLATFORM_ENV-1-EXTERNAL_ALARM_CONTACT_CLEAR: Alarm cleared: main_lab_door Dec 4 10:39:33.621: %PLATFORM_ENV-1-EXTERNAL_ALARM_CONTACT_ASSERT: Alarm asserted: external alarm contact 1
Switch(config)# no alarm contact 1 severity
Dec 4 10:39:46.774: %PLATFORM_ENV-1-EXTERNAL_ALARM_CONTACT_CLEAR: Alarm cleared: external alarm contact 1 Dec 4 10:39:46.774: %PLATFORM_ENV-1-EXTERNAL_ALARM_CONTACT_ASSERT: Alarm asserted: external alarm contact 1
Switch(config)# no alarm contact 1 trigger open
Dec 4 10:39:56.547: %PLATFORM_ENV-1-EXTERNAL_ALARM_CONTACT_CLEAR: Alarm cleared: external alarm contact 1
Switch(config)# end
Switch# show env alarm-contact
ALARM CONTACT 1
Status: not asserted
Description: external alarm contact 1
Severity: minor
Trigger: closed
Switch# show hard led
SWITCH: 1
SYSTEM: GREEN
MGMT: GREEN
ALARM 1: BLACK
ALARM 2: BLACK
ALARM 3: BLACK
ALARM 4: BLACK
Related Commands
|
|
|
|---|---|
show env alarm-contact |
Displays the alarm setting and status for the switch. |
alarm facility fcs-hysteresis
Use the alarm facility fcs-hysteresis global configuration command to set the frame check sequence (FCS) error hysteresis threshold as a percentage of fluctuation from the FCS bit-error rate. Use the no form of this command to set the FCS error hysteresis threshold to its default value.
alarm facility fcs-hysteresis percentage
no alarm facility fcs-hysteresis percentage
Syntax Description
percentage |
Hysteresis threshold fluctuation. The range is 1 to 10 percent. |
Defaults
The default threshold-value is 10 percent.
Command Modes
Global configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
Set a hysteresis threshold to cause an alarm to trigger when the FCS bit-error rate fluctuates near the configured rate.
You set the FCS hysteresis threshold for all ports on the switch. You set the FCS error rate on a per-port basis by using the
interface configuration command.
If the threshold is not the default, it appears in the output of the show running-config privileged EXEC command.
Examples
This example shows how to set the FCS error hysteresis to 5 percent. The alarm is not triggered unless the bit error rate is more than 5 percent from the configured FCS bit-error rate.
Switch(config)# alarm facility fcs-hysteresis 5
Related Commands
alarm facility power-supply
Use the alarm facility power-supply global configuration command to set the alarm options for a missing or failing power supply when the system is operating in dual power-supply mode. Use the no form of the command to disable the specified setting.
alarm facility power-supply {disable | notifies | relay major | syslog}
no alarm facility power-supply {disable | notifies | relay major | syslog}
Syntax Description
Defaults
A power supply alarm message is stored but not sent to an SNMP server, to a relay, or to a syslog server.
Command Modes
Global configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
Power supply alarms are generated only when the system is in dual power-supply mode. When a second power supply is connected, you must use the power-supply dual global configuration command to set dual power-mode operation.
Before you use the notifies keyword to send alarm traps to an SNMP host, you need to set up an SNMP server by using the snmp-server enable traps global configuration command.
Examples
This example shows how to set the power-supply monitoring alarm to go to the minor relay circuitry:
Switch(config)# alarm facility power-supply relay minor
Related Commands
|
|
|
|---|---|
Displays environmental alarm settings and options. |
|
Enables the switch to send SNMP notification for various traps to the network management system (NMS). |
alarm facility temperature
Use the alarm facility temperature global configuration command to configure a primary temperature monitoring alarm or to configure a secondary temperature alarm threshold with a lower maximum temperature threshold. Use the no form of this command to delete the temperature monitoring alarm configuration or to disable the secondary temperature alarm.
alarm facility temperature {primary {high | low | notifies | relay major | syslog} | secondary {high | low | notifies | relay major | syslog}}
no alarm facility temperature {primary {high | low | notifies | relay major | syslog} | secondary {high | low | notifies | relay major | syslog}}
Syntax Description
Defaults
The primary temperature alarm is enabled for a -4 to 203ºF (-20 to 95oC) range and cannot be disabled. It is associated with a major relay. The secondary temperature alarm is disabled by default.
Command Modes
Global configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
The primary temperature alarm is automatically enabled. It cannot be disabled, but you can configure alarm options.
You can modify the primary temperature alarm range by using the high and low keywords.
You can use the secondary temperature alarm to trigger a high temperature alarm when the temperature reaches a threshold that is lower than the maximum primary temperature threshold. You can configure the temperature threshold and alarm options.
Before you use the notifies keyword to sent alarm traps to an SNMP host, you need to set up an SNMP server by using the snmp-server enable traps global configuration command.
Examples
This example shows how to set the secondary temperature with a high threshold value of 113oF (45oC) with alarms and how to send traps to the minor relay circuitry, to the syslog, and to an SNMP server:
Switch(config)# alarm facility temperature secondary high 45
Switch(config)# alarm facility temperature secondary relay minor
Switch(config)# alarm facility temperature secondary syslog
Switch(config)# alarm facility temperature secondary notifies
This example shows how to disable the secondary temperature alarm:
Switch(config)# no alarm facility temperature secondary 45
This example shows how to set the primary temperature alarm with alarms and traps to go to the syslog and to the major relay circuitry:
Switch(config)# alarm facility temperature primary syslog
Switch(config)# alarm facility temperature primary relay major
Related Commands
|
|
|
|---|---|
Displays environmental alarm settings and options. |
|
Enables the switch to send SNMP notification for various trap types to the network management system (NMS). |
alarm profile (global configuration)
Use the alarm profile global configuration command to create an alarm profile and to enter alarm profile configuration mode. Use the no form of this command to delete an alarm profile.
alarm profile name
no alarm profile name
Syntax Description
name |
Alarm profile name |
Defaults
No alarm profiles are created.
When a profile is created, none of the alarms are enabled.
Command Modes
Global configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
Available commands in alarm-profile mode:
•alarm alarm-id: enables the specified alarm.
•exit: exits alarm-profile configuration mode.
•help: displays a description of the interactive help system.
•no: negates or sets the default values of a command.
•notifies alarm-id: enables notification for the alarm, which means sending a Simple Network Management Protocol (SNMP) trap to an SNMP server.
•relay-major alarm-id: enables sending the alarm to the major relay circuitry.
•relay-minor alarm-id: enables sending the alarm to the minor relay circuitry.
•syslog alarm-id: enables sending the alarm to a syslog file.
For alarm-id, you can enter one or more alarm IDs separated by a space.
Before you use the notifies keyword to send alarm traps to a SNMP host, you need to set up an SNMP server by using the snmp-server enable traps global configuration command.
There is a default profile for all interfaces. Enter the show alarm profile user EXEC command and see the output for defaultPort.
|
|
|
|---|---|
1 |
Link Fault. |
2 |
Port not Forwarding. |
3 |
Port not Operating. |
4 |
FCS Error Rate exceeds threshold. |
After you have created an alarm profile, you can attach the profile to an interface by using the alarm-profile interface configuration command.
By default, the defaultPort profile is applied to all interfaces. This profile enables only the Port Not Operating (3) alarm. You can modify this profile by using the alarm profile defaultPort global configuration command to enter alarm profile configuration mode for this profile.
Examples
This example shows how to create the alarm profile fastE for a port with the link-down (alarm 1) and port not forwarding (alarm 2) alarms enabled. The link-down alarm is connected to the minor relay circuitry, and the port not forwarding alarm is connected to the major relay circuitry. These alarms are sent to an SNMP server and written to the system log file (syslog).
Switch(config)# alarm profile fastE
Switch(config-alarm-prof)# alarm 1 2
Switch(config-alarm-prof)# relay major 2
Switch(config-alarm-prof)# relay minor 1
Switch(config-alarm-prof)# notifies 1 2
Switch(config-alarm-prof)# syslog 1 2
This example shows how to delete the alarm relay profile named my-profile:
Switch(config)# no alarm profile my-profile
Related Commands
alarm profile (interface configuration)
Use the alarm profile interface configuration command to attach an alarm profile to a port. Use the no form of this command to detach the profile from the port.
alarm profile name
no alarm profile
Syntax Description
name |
Alarm profile name |
Defaults
The alarm profile defaultPort is applied to all interfaces. In this profile, only the Port Not Operating alarm is enabled.
Command Modes
Interface configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
Use the alarm profile global configuration command to create the alarm profile, enable one or more alarms and specify the alarm options.
You can attach only one alarm profile to an interface.
When you attach an alarm profile to an interface, it overwrites any previous alarm profile attached to the interface (including the defaultPort profile).
Examples
This example shows how to attach an alarm profile named fastE to a port:
Switch(config)# interface fastethernet1/2
Switch(config-if)# alarm profile fastE
This example shows how to detach the alarm profile from a port and return it to the defaultPort profile:
Switch(config)# interface fastethernet1/2
Switch(config-if)# no alarm profile
Related Commands
alarm relay-mode
Use the alarm relay-mode global configuration command to set the alarm relay mode for the switch to positive or negative. Use the no form of the command to set the alarm relay mode to the default mode.
alarm relay-mode {negative}
no alarm relay-mode {negative}
Syntax Description
negative |
Set the alarm relay mode to negative. |
Defaults
By default, the alarm relays are in positive mode when they are open. When there is no power to the switch, all alarm relays are open. The alarm relays close when one or more alarm events are detected.
Command Modes
Global configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
Use this command to invert the behavior of the alarm relays. When the alarm relay mode is set to negative, alarm relays are normally closed. When one or more alarm events are detected, the appropriate alarm relay opens.
Examples
This example shows how to set the alarm relays to negative mode:
Switch(config)# alarm relay-mode negative
Related Commands
archive download-sw
Use the archive download-sw privileged EXEC command to download a new image from a TFTP server to the switch and to overwrite or keep the existing image.
archive download-sw {/force-reload | /imageonly | /leave-old-sw | /no-set-boot | /no-version-check | /overwrite | /reload | /safe | /warm} source-url
Syntax Description
Defaults
The current software image is not overwritten with the downloaded image.
Both the software image and HTML files are downloaded.
The new image is downloaded to the flash: file system.
The BOOT environment variable is changed to point to the new software image on the flash: file system.
Image names are case sensitive; the image file is provided in tar format.
Compatibility of the version on the image to be downloaded is checked.
Command Modes
Privileged EXEC
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
The /imageonly option removes the HTML files for the existing image if the existing image is being removed or replaced. Only the Cisco IOS image (without the HTML files) is downloaded.
Using the /safe or /leave-old-sw option can cause the new image download to fail if there is insufficient flash memory. If leaving the software in place prevents the new image from fitting in flash memory due to space constraints, an error results.
If you used the /leave-old-sw option and did not overwrite the old image when you downloaded the new one, you can remove the old image by using the delete privileged EXEC command. For more information, see the "delete" section.
Note Use the /no-version-check option with care. This option allows an image to be downloaded without first confirming that it is not incompatible with the switch.
Use the /overwrite option to overwrite the image on the flash device with the downloaded one.
If you specify the command without the /overwrite option, the download algorithm verifies that the new image is not the same as the one on the switch flash device. If the images are the same, the download does not occur. If the images are different, the old image is deleted, and the new one is downloaded.
After downloading a new image, enter the reload privileged EXEC command to begin using the new image, or specify the /reload or /force-reload option in the archive download-sw command.
Examples
This example shows how to download a new image from a TFTP server at 172.20.129.10 and overwrite the image on the switch:
Switch# archive download-sw /overwrite tftp://172.20.129.10/test-image.tar
This example shows how to download only the software image from a TFTP server at 172.20.129.10 to the switch:
Switch# archive download-sw /imageonly tftp://172.20.129.10/test-image.tar
This example shows how to keep the old software version after a successful download:
Switch# archive download-sw /leave-old-sw tftp://172.20.129.10/test-image.tar
Related Commands
archive tar
Use the archive tar privileged EXEC command to create a tar file, list files in a tar file, or extract the files from a tar file.
archive tar {/create destination-url flash:/file-url} | {/table source-url} | {/xtract source-url flash:/file-url [dir/file...]}
Syntax Description
Defaults
None
Command Modes
Privileged EXEC
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
Filenames and directory names are case sensitive.
Image names are case sensitive.
Examples
This example shows how to create a tar file. The command writes the contents of the new-configs directory on the local flash device to a file named saved.tar on the TFTP server at 172.20.10.30:
Switch# archive tar /create tftp:172.20.10.30/saved.tar flash:/new-configs
This example shows how to display the contents of the file that is in flash memory. The contents of the tar file appear on the screen:
Switch# archive tar /table flash:image_name-mz.122-release.tar
info (219 bytes)
image_name-mz.122-release/(directory)
image_name-mz.122-release(610856 bytes)
image_name-mz.122-release/info (219 bytes)
info.ver (219 bytes)
This example shows how to display only the html directory and its contents:
Switch# archive tar /table flash:image_name-mz.122-release.tar image_name-mz.122-release/html
image_name-mz.122-release/html/ (directory)
image_name-mz.122-release/html/const.htm (556 bytes)
image_name-mz.122-release/html/xhome.htm (9373 bytes)
image_name-mz.122-release/html/menu.css (1654 bytes)
<output truncated>
This example shows how to extract the contents of a tar file on the TFTP server at 172.20.10.30. This command extracts just the new-configs directory into the root directory on the local flash file system. The remaining files in the saved.tar file are ignored.
Switch# archive tar /xtract tftp://172.20.10.30/saved.tar flash:/ new-configs
Related Commands
|
|
|
|---|---|
Downloads a new image from a TFTP server to the switch. |
|
Uploads an existing image on the switch to a server. |
archive upload-sw
Use the archive upload-sw privileged EXEC command to upload an existing switch image to a server.
archive upload-sw [/version version_string] destination-url
Syntax Description
Defaults
Uploads the currently running image from the flash: file system.
Command Modes
Privileged EXEC
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
Use the upload feature only if the HTML files associated with the embedded device manager have been installed with the existing image.
The files are uploaded in this sequence: the Cisco IOS image, the HTML files, and info. After these files are uploaded, the software creates the tar file.
Image names are case sensitive.
Examples
This example shows how to upload the currently running image to a TFTP server at 172.20.140.2:
Switch# archive upload-sw tftp://172.20.140.2/test-image.tar
Related Commands
|
|
|
|---|---|
Downloads a new image to the switch. |
|
Creates a tar file, lists the files in a tar file, or extracts the files from a tar file. |
arp access-list
Use the arp access-list global configuration command to define an Address Resolution Protocol (ARP) access control list (ACL) or to add clauses to the end of a previously defined list. Use the no form of this command to delete the specified ARP access list.
arp access-list acl-name
no arp access-list acl-name
Syntax Description
acl-name |
Name of the ACL. |
Defaults
No ARP access lists are defined.
Command Modes
Global configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
After entering the arp access-list command, you enter ARP access-list configuration mode, and these configuration commands are available:
•default: returns a command to its default setting.
•deny: specifies packets to reject. For more information, see the "deny (ARP access-list configuration)" section.
•exit: exits ARP access-list configuration mode.
•no: negates a command or returns to the default settings.
•permit: specifies packets to forward. For more information, see the "permit (ARP access-list configuration)" section.
Use the permit and deny access-list configuration commands to forward and to drop ARP packets based on the specified matching criteria.
When the ARP ACL is defined, you can apply it to a VLAN by using the ip arp inspection filter vlan global configuration command. ARP packets containing only IP-to-MAC address bindings are compared to the ACL. All other types of packets are bridged in the ingress VLAN without validation. If the ACL permits a packet, the switch forwards it. If the ACL denies a packet because of an explicit deny statement, the switch drops the packet. If the ACL denies a packet because of an implicit deny statement, the switch compares the packet to the list of DHCP bindings (unless the ACL is static, which means that packets are not compared to the bindings).
Examples
This example shows how to define an ARP access list and to permit both ARP requests and ARP responses from a host with an IP address of 1.1.1.1 and a MAC address of 0000.0000.abcd:
Switch(config)# arp access-list static-hosts
Switch(config-arp-nacl)# permit ip host 1.1.1.1 mac host 00001.0000.abcd
Switch(config-arp-nacl)# end
You can verify your settings by entering the show arp access-list privileged EXEC command.
Related Commands
authentication control-direction
Use the authentication control-direction interface configuration command to configure the port mode as unidirectional or bidirectional. Use the no form of this command to return to the default setting.
authentication control-direction {both | in}
no authentication control-direction
Syntax Description
Defaults
The port is in bidirectional mode.
Command Modes
Interface configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
Use the both keyword or the no form of this command to return to the default setting (bidirectional mode).
Examples
This example shows how to enable bidirectional mode:
Switch(config-if)# authentication control-direction both
This example shows how to enable unidirectional mode:
Switch(config-if)# authentication control-direction in
You can verify your settings by entering the show authentication privileged EXEC command.
Related Commands
authentication critical recovery delay
To configure the Auth Manager critical recovery delay, use the authentication critical recovery delay command in global configuration mode. To remove a previously configured recovery delay, us the no form of this command.
authentication critical recovery delay milliseconds
no authentication critical recovery delay
Syntax Description
milliseconds |
The period of time, in milliseconds, that the Auth Manager waits to reinitialize a critical port when an unavailable RADIUS server becomes available; valid values are from 1 to 10000. |
Command Default
The default delay is 1000 milliseconds.
Command Modes
Global configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Examples
The following example shows how to configure the critical recovery delay period to 1500 milliseconds:
Switch(config)# authentication critical recovery delay 1500
authentication event
Use the authentication event interface configuration command to set the actions for specific authentication events on the port.
authentication event {fail [action [authorize vlan vlan-id | next-method] {| retry {retry count}]} { no-response action authorize vlan vlan-id} {server {alive action reinitialize} | {dead action [authorize | reinitialize vlan vlan-id]}}
no authentication event {fail [action [authorize vlan vlan-id | next-method] {| retry {retry count}]} { no-response action authorize vlan vlan-id} {server {alive action reinitialize} | {dead action [authorize | reinitialize vlan vlan-id]}}
Syntax Descriptionno authentication event {fail [action[authorize vlan vlan-id | next-method] {| retry {retry count}]} {no-response action authorize vlan vlan-id} {server {alive action reinitialize} | {dead action [authorize | reinitialize vlan vlan-id]}}
Defaults
No event responses are configured on the port.
Command Modes
Interface configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
Use this command with the fail, no-response, or event keywords to configure the switch response for a specific action.
For server-dead events:
•When the switch moves to the critical-authentication state, new hosts trying to authenticate are moved to the critical-authentication VLAN (or critical VLAN). This applies whether the port is in single-host, multiple-host, multiauth, or MDA mode. Authenticated hosts remain in the authenticated VLAN, and the reauthentication timers are disabled.
•If a client is running Windows XP and the critical port to which the client is connected is in the critical-authentication state, Windows XP might report that the interface is not authenticated.
If the Windows XP client is configured for DHCP and has an IP address from the DHCP server and a critical port receives an EAP-Success message, the DHCP configuration process might not re-initiate.
For no-response events:
•If you enable a guest VLAN on an IEEE 802.1x port, the switch assigns clients to a guest VLAN when it does not receive a response to its Extensible Authentication Protocol over LAN (EAPOL) request/identity frame or when EAPOL packets are not sent by the client.
•The switch maintains the EAPOL packet history. If another EAPOL packet is detected on the port during the lifetime of the link, the guest VLAN feature is disabled. If the port is already in the guest VLAN state, the port returns to the unauthorized state, and authentication restarts. The EAPOL history is cleared.
•If the switch port is moved to the guest VLAN (multi-host mode), multiple non-IEEE 802.1x-capable clients are allowed access . If an IEEE 802.1x-capable client joins the same port on which the guest VLAN is configured, the port is put in the unauthorized state in the RADIUS-configured or user-configured access VLAN, and authentication restarts.
You can configure any active VLAN except a Remote Switched Port Analyzer (RSPAN) VLAN, a primary private VLAN, or a voice VLAN as an IEEE 802.1x guest VLAN. The guest VLAN feature is supported only on access ports. It is not supported on internal VLANs (routed ports) or trunk ports.
•When MAC authentication bypass is enabled on an IEEE 802.1x port, the switch can authorize clients based on the client MAC address if IEEE 802.1x authentication times out while waiting for an EAPOL message exchange. After detecting a client on an IEEE 802.1x port, the switch waits for an Ethernet packet from the client. The switch sends the authentication server a RADIUS-access/request frame with a username and password based on the MAC address.
–If authorization succeeds, the switch grants the client access to the network.
–If authorization fails, the switch assigns the port to the guest VLAN if one is specified.
For more information, see the "Using IEEE 802.1x Authentication with MAC Authentication Bypass" section in the "Configuring IEEE 802.1x Port-Based Authentication" chapter of the software configuration guide.
For authentication-fail events:
•If the supplicant fails authentication, the port is moved to a restricted VLAN, and an EAP success message is sent to the supplicant because it i s not notified of the actual authentication failure.
–If the EAP success message is not sent, the supplicant tries to authenticate every 60 seconds (the default) by sending an EAP-start message.
–Some hosts (for example, devices running Windows XP) cannot implement DHCP until they receive an EAP success message.
The restricted VLAN is supported only in single host mode (the default port mode). When a port is placed in a restricted VLAN, the supplicant's MAC address is added to the MAC address table. Any other MAC address on the port is treated as a security violation.
•You cannot configure an internal VLANs for Layer 3 ports as a restricted VLAN. You cannot specify the same VLAN as a restricted VLAN and as a voice VLAN.
Enable re-authentication with restricted VLANs. If re-authentication is disabled, the ports in the restricted VLANs do not receive re-authentication requests if it is disabled.
To start the re-authentication process, the restricted VLAN must receive a link-down event or an Extensible Authentication Protocol (EAP) logoff event from the port. If a host is connected through a hub:
–The port might not receive a link-down event when the host is disconnected.
–The port might not detect new hosts until the next re-authentication attempt occurs.
When you reconfigure a restricted VLAN as a different type of VLAN, ports in the restricted VLAN are also moved and stay in their currently authorized state.
Examples
This example shows how to configure the authentication event fail command:
Switch(config-if)# authentication event fail action authorize vlan 20
This example shows how to configure a no-response action:
Switch(config-if)# authentication event no-response action authorize vlan 10
This example shows how to configure a server-response action:
Switch(config-if)# authentication event server alive action reinitialize
This example shows how to configure a port to send both new and existing hosts to the critical VLAN when the RADIUS server is unavailable.
Switch(config-if)# authentication event server dead action authorize vlan 10
This example shows how to configure a port to send both new and existing hosts to the critical VLAN when the RADIUS server is unavailable. Use this command for ports in multiple-host or multiauth mode:
Switch(config-if)# authentication event server dead action reinitialize vlan 10
You can verify your settings by entering the show authentication privileged EXEC command.
Related Commands
authentication fallback
Use the authentication fallback interface configuration command to configure a port to use web authentication as a fallback method for clients that do not support IEEE 802.1x authentication. To return to the default setting, use the no form of this command.
authentication fallback name
no authentication fallback name
Syntax Description
name |
Specify a web authentication fallback profile. |
Defaults
No fallback is enabled.
Command Modes
Interface configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
You must enter the authentication port-control auto interface configuration command before configuring a fallback method.
You can only configure web authentication as a fallback method to 802.1x or MAB, so one or both of these authentication methods should be configured for the fallback to enable.
Examples
This example shows how to specify a fallback profile on a port:
Switch(config-if)# authentication fallback profile1
You can verify your settings by entering the show authentication privileged EXEC command.
Related Commands
authentication host-mode
Use the authentication host-mode interface configuration command to set the authorization manager mode on a port.
authentication host-mode [multi-auth | multi-host | single-host]
no authentication host-mode [multi-auth | multi-host | single-host]
Syntax Description
multi-auth |
Enable multiple-authorization mode (multiauth mode) on the port. |
multi-host |
Enable multiple-host mode on the port. |
single-host |
Enable single-host mode on the port. |
Defaults
Single host mode is enabled.
Command Modes
Interface configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
Single-host mode should be configured if only one data host is connected. Do not connect a voice device to authenticate on a single-host port. Voice device authorization fails if no voice VLAN is configured on the port.
Multi-auth mode should be configured to allow up to eight devices behind a hub to obtain secured port access through individual authentication. Only one voice device can be authenticated in this mode if a voice VLAN is configured.
Multi-host mode also offers port access for multiple hosts behind a hub, but multi-host mode gives unrestricted port access to the devices after the first user gets authenticated.
Examples
This example shows how to enable multiauth mode on a port:
Switch(config-if)# authentication host-mode multi-auth
This example shows how to enable multi-host mode on a port:
Switch(config-if)# authentication host-mode multi-host
This example shows how to enable single-host mode on a port:
Switch(config-if)# authentication host-mode single-host
You can verify your settings by entering the show authentication privileged EXEC command.
Related Commands
authentication mac-move permit
Use the authentication mac-move permit global configuration command to enable MAC move on a switch. Use the no form of this command to return to the default setting.
authentication mac-move permit
no authentication mac-move permit
Syntax Description
This command has no arguments or keywords.
Defaults
MAC move is enabled.
Command Modes
Global configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
The command enables authenticated hosts to move between 802.1x-enabled ports on a switch. For example, if there is a device between an authenticated host and port, and that host moves to another port, the authentication session is deleted from the first port, and the host is reauthenticated on the new port.
If MAC move is disabled, and an authenticated host moves to another port, it is not reauthenticated, and a violation error occurs.
MAC move is not supported on port-security enabled 802.1x ports. If MAC move is globally configured on the switch and a port security-enabled host moves to an 802.1x-enabled port, a violation error occurs.
Examples
This example shows how to enable MAC move on a switch:
Switch(config)# authentication mac-move permit
Related Commands
authentication open
Use the authentication open interface configuration command to enable or disable open access on a port. Use the no form of this command to disable open access.
authentication open
no authentication open
Defaults
Open access is disabled.
Command Modes
Interface configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
Open authentication must be enabled if a device requires network access before it is authenticated.
A port ACL should be used to restrict host access when open authentication is enabled.
Examples
This example shows how to enable open access on a port:
Switch(config-if)# authentication open
This example shows how to set the port to disable open access on a port:
Switch(config-if)# no authentication open
Related Commands
authentication order
Use the authentication order interface configuration command to set the order of authentication methods used on a port.
authentication order [dot1x | mab] {webauth}
no authentication order
Syntax Description
Command Default
The default authentication order is dot1x followed by mab and webauth.
Command Modes
Interface configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
Ordering sets the order of methods that the switch attempts when trying to authenticate a new device connected to a port. If one method in the list is unsuccessful, the next method is attempted.
Each method can only be entered once. Flexible ordering is only possible between 802.1x and MAB.
Web authentication can be configured as either a standalone method or as the last method in the order after either 802.1x or MAB. Web authentication should be configured only as fallback to dot1x or mab.
Examples
This example shows how to add 802.1x as the first authentication method, MAB as the second method, and web authentication as the third method:
Switch(config-if)# authentication order dotx mab webauth
This example shows how to add MAC authentication Bypass (MAB) as the first authentication method and web authentication as the second authentication method:
Switch(config-if)# authentication order mab webauth
You can verify your settings by entering the show authentication privileged EXEC command.
Related Commands
authentication periodic
Use the authentication periodic interface configuration command to enable or disable reauthentication on a port. Enter the no form of this command to disable reauthentication.
authentication periodic
no authentication periodic
Command Default
Reauthentication is disabled.
Command Modes
Interface configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
You configure the amount of time between periodic re-authentication attempts by using the authentication timer reauthentication interface configuration command.
Examples
This example shows how to enable periodic reauthentication on a port:
Switch(config-if)# authentication periodic
This example shows how to disable periodic reauthentication on a port:
Switch(config-if)# no authentication periodic
You can verify your settings by entering the show authentication privileged EXEC command.
Related Commands
authentication port-control
Use the authentication port-control interface configuration command to enable manual control of the port authorization state. Use the no form of this command to return to the default setting.
authentication port-control {auto | force-authorized | force-un authorized}
no authentication port-control {auto | force-authorized | force-un authorized}
Syntax Description
Defaults
The default setting is force-authorized.
Command Modes
Interface configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
Use the auto keyword only on one of these port types:
•Trunk port—If you try to enable IEEE 802.1x authentication on a trunk port, an error message appears, and IEEE 802.1x is not enabled. If you try to change the mode of an IEEE 802.1x-enabled port to trunk, an error message appears, and the port mode is not changed.
•Dynamic ports—A dynamic port can negotiate with its neighbor to become a trunk port. If you try to enable IEEE 802.1x authentication on a dynamic port, an error message appears, and IEEE 802.1x authentication is not enabled. If you try to change the mode of an IEEE 802.1x-enabled port to dynamic, an error message appears, and the port mode does not change.
•Dynamic-access ports—If you try to enable IEEE 802.1x authentication on a dynamic-access (VLAN Query Protocol [VQP]) port, an error message appears, and IEEE 802.1x authentication is not enabled. If you try to change an IEEE 802.1x-enabled port to dynamic VLAN, an error message appears, and the VLAN configuration does not change.
•EtherChannel port—Do not configure a port that is an active or a not-yet-active member of an EtherChannel as an IEEE 802.1x port. If you try to enable IEEE 802.1x authentication on an EtherChannel port, an error message appears, and IEEE 802.1x authentication is not enabled.
•Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports—You can enable IEEE 802.1x authentication on a port that is a SPAN or RSPAN destination port. However, IEEE 802.1x authentication is disabled until the port is removed as a SPAN or RSPAN destination. You can enable IEEE 802.1x authentication on a SPAN or RSPAN source port.
To globally disable IEEE 802.1x authentication on the switch, use the no dot1x system-auth-control global configuration command. To disable IEEE 802.1x authentication on a specific port or to return to the default setting, use the no authentication port-control interface configuration command.
Examples
This example shows how to set the port state to automatic:
Switch(config-if)# authentication port-control auto
This example shows how to set the port state to the force- authorized state:
Switch(config-if)# authentication port-control force-authorized
This example shows how to set the port state to the force-unauthorized state:
Switch(config-if)# authentication port-control force-unauthorized
You can verify your settings by entering the show authentication privileged EXEC command.
Related Commands
authentication priority
Use the authentication priority interface configuration command to add an authentication method to the port-priority list.
auth priority [dot1x | mab] {webauth}
no auth priority [dot1x | mab] {webauth}
Syntax Description
Command Default
The default priority is 802.1x authentication, followed by MAC authentication bypass and web authentication.
Command Modes
Interface configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
Ordering sets the order of methods that the switch attempts when trying to authenticate a new device is connected to a port.
When configuring multiple fallback methods on a port, set web authentication (webauth) last.
Assigning priorities to different authentication methods allows a higher-priority method to interrupt an in-progress authentation method with a lower priority.
Note If a client is already authenticated, it might be reauthenticated if an interruption from a higher-priority method occurs.
The default priority of an authentication method is equivalent to its position in execution-list order: 802.1x authentication, MAC authentication bypass, and web authentication. Use the dot1x, mab, and webauth keywords to change this default order.
Examples
This example shows how to set 802.1x as the first authentication method and web authentication as the second authentication method:
Switch(config-if)# authentication priority dotx webauth
This example shows how to set MAC authentication Bypass (MAB) as the first authentication method and web authentication as the second authentication method:
Switch(config-if)# authentication priority mab webauth
You can verify your settings by entering the show authentication privileged EXEC command.
Related Commands
authentication timer
Use the authentication timer interface configuration command to configure the timeout and reauthentication parameters for an 802.1x-enabled port.
authentication timer {{[inactivity | reauthenticate]} {restart value}}
no authentication timer {{[inactivity | reauthenticate]} {restart value}}
Syntax Description
Defaults
The inactivity and restart keywords are set to off. The reauthenticate keyword is set to one hour.
Command Modes
Interface configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
If a timeout value is not configured, an 802.1x session stays authorized indefinitely. No other host can use the port, and the connected host cannot move to another port on the same switch.
Examples
This example shows how to set the authentication inactivity timer to 60 seconds:
Switch(config-if)# authentication timer inactivity 60
This example shows how to set the reauthentication timer to 120 seconds:
Switch(config-if)# authentication timer restart 120
You can verify your settings by entering the show authentication privileged EXEC command.
Related Commands
authentication violation
Use the authentication violation interface configuration command to configure the violation modes that occur when a new device connects to a port or when a new device connects to a port after the maximum number of devices are connected to that port.
authentication violation {protect | restrict | shutdown | replace}
no authentication violation {protect | restrict | shutdown | replace}
Syntax Description
Defaults
By default authentication violation shutdown mode is enabled.
Command Modes
Interface configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Examples
This example shows how to configure an IEEE 802.1x-enabled port as error disabled and to shut down when a new device connects it:
Switch(config-if)# authentication violation shutdown
This example shows how to configure an IEEE 802.1x-enabled port to generate a system error message and to change the port to restricted mode when a new device connects to it:
Switch(config-if)# authentication violation restrict
This example shows how to configure an IEEE 802.1x-enabled port to ignore a new device when it connects to the port:
Switch(config-if)# authentication violation protect
This example shows how to configure an IEEE 802.1x-enabled port that is in single-host mode to tear down the old session and authenticate a new device when it connects to the port:
Switch(config-if)# authentication violation replace
You can verify your settings by entering the show authentication privileged EXEC command.
Related Commands
bandwidth
Use the bandwidth policy-map class configuration command to configure class-based weighted fair queuing (CBWFQ) by setting the output bandwidth for a policy-map class. Use the no form of this command to remove the bandwidth setting for the class.
bandwidth {rate | percent value | remaining percent value}
no bandwidth [rate | percent value | remaining percent value]
Syntax Description
Defaults
No bandwidth is defined.
Command Modes
Policy-map class configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
You use the bandwidth policy-map class command to control output traffic. The bandwidth command specifies the bandwidth for traffic in that class. CBWFQ derives the weight for packets belonging to the class from the bandwidth allocated to the class and uses the weight to ensure that the queue for that class is serviced fairly. Bandwidth settings are not supported in input policy maps.
When you configure bandwidth for a class of traffic as an absolute rate (kb/s) or a percentage of bandwidth (percent value), it represents the minimum bandwidth guarantee or committed information rate (CIR) for that traffic class. This means that the traffic class gets at least the bandwidth specified in the command, but is not limited to that bandwidth. Any excess bandwidth on the port is allocated to each class in the same ratio as the configured CIR rates.
When you enter the bandwidth remaining percent command, hard bandwidths are not guaranteed, and only relative bandwidths are assured. Class bandwidths are always proportional to the specified bandwidth percentages configured for the port.
When you configure bandwidth in an output policy, you must specify the same units in each bandwidth configuration; that is, all absolute values (rates) or percentages.
The total rate of the minimum bandwidth guarantees for each queue of the policy cannot exceed the total speed for the interface. If the percent keyword is used, the sum of the class bandwidth percentages cannot exceed 100 percent.
Using the queue-limit command to modify the default queue limit is especially important on higher-speed interfaces so that they meet the minimum bandwidth guarantees required by the interface.
You cannot use the bandwidth policy-map class configuration command to configure CBWFQ and the shape average command to configure class-based shaping for the same class in a policy map.
You cannot configure bandwidth in a class that includes priority queuing (configured with the priority policy-map class configuration command).
Examples
This example shows how to set the precedence of output queues by setting bandwidth in kilobits per second. The classes outclass1, outclass2, and outclass3 get a minimum of 50000, 20000, and 10000 kb/s. The class class-default at a minimum gets the remaining bandwidth.
Switch(config)# policy-map out-policy
Switch(config-pmap)# class outclass1
Switch(config-pmap-c)# bandwidth 50000
Switch(config-pmap-c)# exit
Switch(config-pmap)# class outclass2
Switch(config-pmap-c)# bandwidth 20000
Switch(config-pmap-c)# exit
Switch(config-pmap)# class outclass3
Switch(config-pmap-c)# bandwidth 10000
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# interface fastethernet 0/1
Switch(config-if)# service-policy output out-policy
Switch(config-if)# exit
This example shows how to set the precedence of output queues by allocating percentages of the total available bandwidth to each traffic class.The classes outclass1, outclass2, and outclass3 get a minimum of 50, 20, and 10 percent. The class class-default at a minimum gets 20 percent.
Switch(config)# policy-map out-policy
Switch(config-pmap)# class outclass1
Switch(config-pmap-c)# bandwidth percent 50
Switch(config-pmap-c)# exit
Switch(config-pmap)# class outclass2
Switch(config-pmap-c)# bandwidth percent 20
Switch(config-pmap-c)# exit
Switch(config-pmap)# class outclass3
Switch(config-pmap-c)# bandwidth percent 10
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# interface fastethernet 0/1
Switch(config-if)# service-policy output out-policy
Switch(config-if)# exit
This example shows how to set outclass1 as a priority queue, with outclass2, and outclass3 getting 50 and 20 percent, respectively, of the bandwidth remaining after the priority queue is serviced. The class class-default gets the remaining 30 percent with no guarantees.
Switch(config)# policy-map out-policy
Switch(config-pmap)# class outclass1
Switch(config-pmap-c)# priority
Switch(config-pmap-c)# exit
Switch(config-pmap)# class outclass2
Switch(config-pmap-c)# bandwidth remaining percent 50
Switch(config-pmap-c)# exit
Switch(config-pmap)# class outclass3
Switch(config-pmap-c)# bandwidth remaining percent 20
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# interface fastethernet 0/1
Switch(config-if)# service-policy output out-policy
Switch(config-if)# exit
You can verify your settings by entering the show policy-map privileged EXEC command.
Related Commands
boot config-file
Use the boot config-file global configuration command to specify the filename that Cisco IOS uses to read and write a nonvolatile copy of the system configuration. Use the no form of this command to return to the default setting.
boot config-file flash:/file-url
no boot config-file
Syntax Description
flash:/file-url |
The path (directory) and name of the configuration file. |
Defaults
The default configuration file is flash:config.text.
Command Modes
Global configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
Filenames and directory names are case sensitive.
This command changes the setting of the CONFIG_FILE environment variable. For more information, see Appendix A, "Cisco CGS 2520 Switch Boot Loader Commands."
Related Commands
|
|
|
|---|---|
Displays the settings of the boot environment variables. |
boot enable-break
Use the boot enable-break global configuration command to enable interrupting the automatic boot process. Use the no form of this command to return to the default setting.
boot enable-break
no boot enable-break
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled. The automatic boot process cannot be interrupted by pressing the break key on the console.
Command Modes
Global configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
When you enter this command, you can interrupt the automatic boot process by pressing the break key on the console after the flash file system is initialized. The break key is different for each operating system:
•On a SUN work station running UNIX, Ctrl-C is the break key.
•On a PC running Windows 2000, Ctrl-Break is the break key.
This command changes the setting of the ENABLE_BREAK environment variable. For more information, see Appendix A, "Cisco CGS 2520 Switch Boot Loader Commands."
Related Commands
|
|
|
|---|---|
Displays the settings of the boot environment variables. |
boot helper
Use the boot helper global configuration command to dynamically load files during boot loader initialization to extend or patch the functionality of the boot loader. Use the no form of this command to return to the default.
boot helper filesystem:/file-url ...
no boot helper
Syntax Description
Defaults
No helper files are loaded.
Command Modes
Global configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
This variable is used only for internal development and testing.
Filenames and directory names are case sensitive.
This command changes the setting of the HELPER environment variable. For more information, see Appendix A, "Cisco CGS 2520 Switch Boot Loader Commands."
Related Commands
|
|
|
|---|---|
Displays the settings of the boot environment variables. |
boot helper-config-file
Use the boot helper-config-file global configuration command to specify the name of the configuration file to be used by the Cisco IOS helper image. If this is not set, the file specified by the CONFIG_FILE environment variable is used by all versions of Cisco IOS that are loaded. Use the no form of this command to return to the default setting.
boot helper-config-file filesystem:/file-url
no boot helper-config file
Syntax Description
filesystem: |
Alias for a flash file system. Use flash: for the system board flash device. |
/file-url |
The path (directory) and helper configuration file to load. |
Defaults
No helper configuration file is specified.
Command Modes
Global configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
This variable is used only for internal development and testing.
Filenames and directory names are case sensitive.
This command changes the setting of the HELPER_CONFIG_FILE environment variable. For more information, see Appendix A, "Cisco CGS 2520 Switch Boot Loader Commands."
Related Commands
|
|
|
|---|---|
Displays the settings of the boot environment variables. |
boot manual
Use the boot manual global configuration command to enable manually booting the switch during the next boot cycle. Use the no form of this command to return to the default setting.
boot manual
no boot manual
Syntax Description
This command has no arguments or keywords.
Defaults
Manual booting is disabled.
Command Modes
Global configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
The next time you reboot the system, the switch is in boot loader mode, which is shown by the switch: prompt. To boot the system, use the boot boot loader command, and specify the name of the bootable image.
This command changes the setting of the MANUAL_BOOT environment variable. For more information, see Appendix A, "Cisco CGS 2520 Switch Boot Loader Commands."
Related Commands
|
|
|
|---|---|
Displays the settings of the boot environment variables. |
boot private-config-file
Use the boot private-config-file global configuration command to specify the filename that Cisco IOS uses to read and write a nonvolatile copy of the private configuration. Use the no form of this command to return to the default setting.
boot private-config-file filename
no boot private-config-file
Syntax Description
filename |
The name of the private configuration file. |
Defaults
The default configuration file is private-config.
Command Modes
Global configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
Filenames are case sensitive.
Examples
This example shows how to specify the name of the private configuration file to be pconfig:
Switch(config)# boot private-config-file pconfig
Related Commands
|
|
|
|---|---|
Displays the settings of the boot environment variables. |
boot system
Use the boot system global configuration command to specify the Cisco IOS image to load during the next boot cycle. Use the no form of this command to return to the default setting.
boot system filesystem:/file-url ...
no boot system
Syntax Description
filesystem: |
Alias for a flash file system. Use flash: for the system board flash device. |
/file-url |
The path (directory) and name of a bootable image. Separate image names with a semicolon. |
Defaults
The switch attempts to automatically boot the system by using information in the BOOT environment variable. If this variable is not set, the switch attempts to load and execute the first executable image it can by performing a recursive, depth-first search throughout the flash file system. In a depth-first search of a directory, each encountered subdirectory is completely searched before continuing the search in the original directory.
Command Modes
Global configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
Filenames and directory names are case sensitive.
If you are using the archive download-sw privileged EXEC command to maintain system images, you never need to use the boot system command. The boot system command is automatically manipulated to load the downloaded image.
This command changes the setting of the BOOT environment variable. For more information, see Appendix A, "Cisco CGS 2520 Switch Boot Loader Commands."
Related Commands
|
|
|
|---|---|
Displays the settings of the boot environment variables. |
channel-group
Use the channel-group interface configuration command to assign an Ethernet port to an EtherChannel group. Use the no form of this command to remove an Ethernet port from an EtherChannel group.
channel-group channel-group-number mode {active | {auto [non-silent] | desirable [non-silent] | on} | passive}
no channel-group
PAgP modes:
channel-group channel-group-number mode {auto [non-silent] | {desirable [non-silent]}
LACP modes:
channel-group channel-group-number mode {active | passive}
On mode:
channel-group channel-group-number mode on
Note Link Aggregation Control Protocol (LACP.) and Port Aggregation Protocol (PAgP) are available only on network node interfaces (NNIs) or enhanced network interfaces (ENIs). The active, auto, desirable, and passive keywords are not visible on user network interfaces (UNIs).
Syntax Description
Defaults
No channel groups are assigned.
No mode is configured.
Command Modes
Interface configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
For Layer 2 EtherChannels, you do not have to create a port-channel interface first by using the interface port-channel global configuration command before assigning a physical port to a channel group. Instead, you can use the channel-group interface configuration command. It automatically creates the port-channel interface when the channel group gets its first physical port if the logical interface is not already created. If you create the port-channel interface first, the channel-group-number can be the same as the port-channel-number, or you can use a new number. If you use a new number, the channel-group command dynamically creates a new port channel.
If the port is a UNI or an ENI, you must use the no shutdown interface configuration command to enable it before using the channel-group command. UNIs and ENIs are disabled by default. NNIs are enabled by default.
You do not have to disable the IP address that is assigned to a physical port that is part of a channel group, but we strongly recommend that you do so.
You create Layer 3 port channels by using the interface port-channel command followed by the no switchport interface configuration command. You should manually configure the port-channel logical interface before putting the interface into the channel group.
After you configure an EtherChannel, configuration changes that you make on the port-channel interface apply to all the physical ports assigned to the port-channel interface. Configuration changes applied to the physical port affect only the port where you apply the configuration. To change the parameters of all ports in an EtherChannel, apply configuration commands to the port-channel interface, for example, spanning-tree commands or commands to configure a Layer 2 EtherChannel as a trunk.
If you do not specify non-silent with the auto or desirable mode, silent is assumed. The silent mode is used when the switch is connected to a device that is not PAgP-capable and seldom, if ever, sends packets. A example of a silent partner is a file server or a packet analyzer that is not generating traffic. In this case, running PAgP on a physical port prevents that port from ever becoming operational. However, it allows PAgP to operate, to attach the port to a channel group, and to use the port for transmission. Both ends of the link cannot be set to silent.
In the on mode, an EtherChannel exists only when a port group in the on mode is connected to another port group in the on mode.
You should exercise care when setting the mode to
on (manual configuration). All ports configured in the
on mode are bundled in the same group and are forced to have similar characteristics. If the group is misconfigured, packet loss or spanning-tree loops might occur.
Do not configure an EtherChannel in both the PAgP and LACP modes. EtherChannel groups running PAgP and LACP can coexist on the same switch. Individual EtherChannel groups can run either PAgP or LACP, but they cannot interoperate.
Note PAgP and LACP are available only on NNIs and ENIs.
If you set the protocol by using the channel-protocol interface configuration command, the setting is not overridden by the channel-group interface configuration command.
Do not configure a port that is an active or a not-yet-active member of an EtherChannel as an IEEE 802.1x port. If you try to enable IEEE 802.1x on an EtherChannel port, an error message appears, and IEEE 802.1x is not enabled.
Do not configure a secure port as part of an EtherChannel or an EtherChannel port as a secure port.
For a complete list of configuration guidelines, see the "Configuring EtherChannels" chapter in the software configuration guide for this release.
Do not enable Layer 3 addresses on the physical EtherChannel ports. Do not assign bridge groups on the physical EtherChannel ports because it creates loops.
Examples
This example shows how to configure an EtherChannel. It assigns two static-access ports in VLAN 10 to channel 5 with the PAgP mode desirable:
Switch# configure terminal
Switch(config)# interface range gigabitethernet0/1 -2
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# channel-group 5 mode desirable
Switch(config-if-range)# end
This example shows how to configure an EtherChannel. It assigns two static-access ports in VLAN 10 to channel 5 with the LACP mode active:
Switch# configure terminal
Switch(config)# interface range gigabitethernet0/1 -2
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# channel-group 5 mode active
Switch(config-if-range)# end
You can verify your settings by entering the show running-config privileged EXEC command.
Related Commands
|
|
|
|---|---|
Restricts the protocol used on a port to manage channeling. |
|
Accesses or creates the port channel. |
|
Displays EtherChannel information for a channel. |
|
Displays LACP channel-group information. |
|
Displays PAgP channel-group information. |
|
show running-config |
Displays the operating configuration. For syntax information, use this link to the Cisco IOS Release 12.2 Command Reference listing page: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/prod_command_reference_list.html |
channel-protocol
Use the channel-protocol interface configuration command to restrict the protocol used on a port to manage channeling. Use the no form of this command to return to the default setting.
channel-protocol {lacp | pagp}
no channel-protocol
Syntax Description
lacp |
Configure an EtherChannel with the Link Aggregation Control Protocol (LACP). |
pagp |
Configure an EtherChannel with the Port Aggregation Protocol (PAgP). |
Defaults
No protocol is assigned to the EtherChannel.
Command Modes
Interface configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
Use the channel-protocol command only to restrict a channel to LACP or PAgP. If you set the protocol by using the channel-protocol command, the setting is not overridden by the channel-group interface configuration command.
Note PAgP and LACP are available only on network node interfaces (NNIs) and enhanced network interfaces (ENIs).
If the port is a user network interface (UNI) or an ENI, you must use the no shutdown interface configuration command to enable it before using the channel-protocol command. UNIs and ENIs are disabled by default. NNIs are enabled by default.
You must use the channel-group interface configuration command to configure the EtherChannel parameters. The channel-group command also can set the mode for the EtherChannel.
You cannot enable both the PAgP and LACP modes on an EtherChannel group.
PAgP and LACP are not compatible; both ends of a channel must use the same protocol.
Examples
This example shows how to specify LACP as the protocol that manages the EtherChannel:
Switch(config-if)# channel-protocol lacp
You can verify your settings by entering the show etherchannel [channel-group-number] protocol privileged EXEC command.
Related Commands
|
|
|
|---|---|
Assigns an Ethernet port to an EtherChannel group. |
|
show etherchannel protocol |
Displays protocol information the EtherChannel. |
class
Use the class policy-map configuration command to specify the name of the class whose policy you want to create or to change or to specify the system default class before you configure a policy and to enter policy-map class configuration mode. Use the no form of this command to remove the class from a policy map.
class {class-map-name| class-default}
no class {class-map-name| class-default}
Syntax Description
Defaults
No policy map classes are defined.
Command Modes
Policy-map configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
Before using the class class-map-name command in policy-map configuration mode, you must create the class by using the class-map class-map-name global configuration command. The class class-default is the class to which traffic is directed if that traffic does not match any of the match criteria in the configured class maps.
Use the policy-map global configuration command to identify the policy map and to enter policy-map configuration mode. After specifying a policy map, you can configure a policy for new classes or modify a policy for any existing classes in that policy map.
An input policy map can have a maximum of 64 classes, plus class-default.
You attach the policy map to a port by using the service-policy interface configuration command.
After entering the class command, you enter policy-map class configuration mode, and these configuration commands are available:
•bandwidth: specifies the bandwidth allocated for a class belonging to a policy map. For more information, see the bandwidth command.
•exit: exits policy-map class configuration mode and returns to policy-map configuration mode.
•no: returns a command to its default setting.
•police: defines an individual policer or aggregate policer for the classified traffic. The policer specifies the bandwidth limitations and the action to take when the limits are exceeded. For more information, see the police and police aggregate (policy-map class configuration) policy-map class commands.
•priority: sets the strict scheduling priority for this class or, when used with the police keyword, sets priority with police. For more information, see the priority policy-map class command.
•queue-limit: sets the queue maximum threshold for Weighted Tail Drop (WTD). For more information, see the queue-limit command.
•service-policy: configures a QoS service policy to attach to a parent policy map for an input or output policy. For more information, see the service-policy (policy-map class configuration) command.
•set: specifies a value to be assigned to the classified traffic. For more information, see the set commands.
•shape average: specifies the average traffic shaping rate. For more information, see the shape average command.
To return to policy-map configuration mode, use the exit command. To return to privileged EXEC mode, use the end command.
Examples
This example shows how to create a policy map called policy1, define a class class1, and enter policy-map class configuration mode to set a criterion for the class.
Switch(config)# policy-map policy1
Switch(config-pmap)# class class1
Switch(config-pmap-c)# set dscp 10
Switch(config-pmap-c)# exit
You can verify your settings by entering the show policy-map privileged EXEC command.
Related Commands
|
|
|
|---|---|
Creates a class map to be used for matching packets to the class whose name you specify. |
|
Creates or modifies a policy map that can be attached to multiple ports to specify a service policy. |
|
Displays QoS policy maps. |
|
show policy-map interface [interface-id] |
Displays policy maps configured on the specified interface or on all interfaces. |
class-map
Use the class-map global configuration command to create a class map to be used for matching packets to a specified criteria and to enter class-map configuration mode. Use the no form of this command to delete an existing class map.
class-map [match-all | match-any] class-map-name
no class-map [match-all | match-any] class-map-name
Syntax Description
Defaults
No class maps are defined.
If neither the match-all or the match-any keyword is specified, the default is match-all.
Command Modes
Global configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
Use this command to specify the name of the class for which you want to create or to modify class-map match criteria and to enter class-map configuration mode.
The switch supports a maximum of 1024 unique class maps.
You use the class-map command and class-map configuration mode to define packet classification as part of a globally named service policy applied on a per-port basis. When you configure a class map, you can use one or more match commands to specify match criteria. Packets arriving at either the input or output interface (determined by how you configure the service-policy interface configuration command) are checked against the class-map match criteria to determine if the packet belongs to that class.
A match-all class map means that the packet must match all entries and can have no other match statements.
After you are in class-map configuration mode, these configuration commands are available:
•description: describes the class map (up to 200 characters). The show class-map privileged EXEC command displays the description and the name of the class map.
•exit: exits QoS class-map configuration mode.
•match: configures classification criteria. For more information, see the match class-map configuration commands.
•no: removes a match statement from a class map.
Examples
This example shows how to configure the class map called class1. By default, the class map is match-all and therefore can contain no other match criteria.
Switch(config)# class-map class1
Switch(config-cmap)# exit
This example shows how to configure a match-any class map with one match criterion, which is an access list called 103. This class map (matching an ACL) is supported only in an input policy map.
Switch(config)# class-map class2
Switch(config-cmap)# match access-group 103
Switch(config-cmap)# exit
This example shows how to delete the class map class1:
Switch(config)# no class-map class1
You can verify your settings by entering the show class-map privileged EXEC command.
Related Commands
clear ip arp inspection log
Use the clear ip arp inspection log privileged EXEC command to clear the dynamic Address Resolution Protocol (ARP) inspection log buffer.
clear ip arp inspection log
Syntax Description
This command has no arguments or keywords.
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Examples
This example shows how to clear the contents of the log buffer:
Switch# clear ip arp inspection log
You can verify that the log was cleared by entering the show ip arp inspection log privileged command.
Related Commands
clear ip arp inspection statistics
Use the clear ip arp inspection statistics privileged EXEC command to clear the dynamic Address Resolution Protocol (ARP) inspection statistics.
clear ip arp inspection statistics [vlan vlan-range]
Syntax Description
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Examples
This example shows how to clear the statistics for VLAN 1:
Switch# clear ip arp inspection statistics vlan 1
You can verify that the statistics were deleted by entering the show ip arp inspection statistics vlan 1 privileged EXEC command.
Related Commands
|
|
|
|---|---|
show ip arp inspection statistics |
Displays statistics for forwarded, dropped, MAC validation failure, and IP validation failure packets for all VLANs or the specified VLAN. |
clear ip dhcp snooping
Use the clear ip dhcp snooping privileged EXEC command to clear the DHCP binding database agent statistics or the DHCP snooping statistics counters.
clear ip dhcp snooping {binding {* | ip-address | interface interface-id | vlan vlan-id} | database statistics | statistics}
Syntax Description
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
When you enter the clear ip dhcp snooping database statistics command, the switch does not update the entries in the binding database and in the binding file before clearing the statistics.
Examples
This example shows how to clear the DHCP snooping binding database agent statistics:
Switch# clear ip dhcp snooping database statistics
You can verify that the statistics were cleared by entering the show ip dhcp snooping database privileged EXEC command.
This example shows how to clear the DHCP snooping statistics counters:
Switch# clear ip dhcp snooping statistics
You can verify that the statistics were cleared by entering the show ip dhcp snooping statistics user EXEC command.
Related Commands
clear ipc
Use the clear ipc privileged EXEC command to clear Interprocess Communications Protocol (IPC) statistics.
clear ipc {queue-statistics | statistics}
Syntax Description
queue-statistics |
Clear the IPC queue statistics. |
statistics |
Clear the IPC statistics. |
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
You can clear all statistics by using the clear ipc statistics command, or you can clear only the queue statistics by using the clear ipc queue-statistics command.
Examples
This example shows how to clear all statistics:
Switch# clear ipc statistics
This example shows how to clear only the queue statistics:
Switch# clear ipc queue-statistics
You can verify that the statistics were deleted by entering the show ipc rpc or the show ipc session privileged EXEC command.
Related Commands
|
|
|
|---|---|
show ipc {rpc | session} |
Displays the IPC multicast routing statistics. |
clear ipv6 dhcp conflict
Use the clear ipv6 dhcp conflict privileged EXEC command to clear an address conflict from the Dynamic Host Configuration Protocol for IPv6 (DHCPv6) server database.
clear ipv6 dhcp conflict {* | IPv6-address}
Note This command is available only if the switch is running the metro IP access image and you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
Syntax Description
* |
Clear all address conflicts. |
IPv6-address |
Clear the host IPv6 address that contains the conflicting address. |
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 {default | routing | vlan} global configuration command, and reload the switch.
When you configure the DHCPv6 server to detect conflicts, it uses ping. The client uses neighbor discovery to detect clients and reports to the server through a DECLINE message. If an address conflict is detected, the address is removed from the pool and is not assigned until the administrator removes the address from the conflict list.
If you use the asterisk (*) character as the address parameter, DHCP clears all conflicts.
Examples
This example shows how to clear all address conflicts from the DHCPv6 server database:
Switch# clear ipv6 dhcp conflict *
Related Commands
|
|
|
|---|---|
Displays address conflicts found by a DHCPv6 server, or reported through a DECLINE message from a client. |
clear l2protocol-tunnel counters
Use the clear l2protocol-tunnel counters privileged EXEC command to clear the protocol counters in protocol tunnel ports.
clear l2protocol-tunnel counters [interface-id]
This command is supported only when the switch is running the metro IP access or metro access image.
Syntax Description
interface-id |
(Optional) Specify interface (physical interface or port channel) for which protocol counters are to be cleared. |
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
Use this command to clear protocol tunnel counters on the switch or on the specified interface.
Examples
This example shows how to clear Layer 2 protocol tunnel counters on an interface:
Switch# clear l2protocol-tunnel counters gigabitethernet0/2
Related Commands
|
|
|
|---|---|
Displays information about ports configured for Layer 2 protocol tunneling. |
clear lacp
Use the clear lacp privileged EXEC command to clear Link Aggregation Control Protocol (LACP) channel-group counters.
clear lacp {channel-group-number counters | counters}
Note LACP is available only on network node interfaces (NNIs) and enhanced network interfaces (ENIs).
Syntax Description
channel-group-number |
(Optional) Channel group number. The range is 1 to 48. |
counters |
Clear traffic counters. |
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
You can clear all counters by using the clear lacp counters command, or you can clear only the counters for the specified channel group by using the clear lacp channel-group-number counters command.
Examples
This example shows how to clear all channel-group information:
Switch# clear lacp counters
This example shows how to clear LACP traffic counters for group 4:
Switch# clear lacp 4 counters
You can verify that the information was deleted by entering the show lacp counters or the show lacp 4 counters privileged EXEC command.
Related Commands
|
|
|
|---|---|
Displays LACP channel-group information. |
clear logging onboard
Use the clear logging onboard privileged EXEC command to clear all the on-board failure logging (OBFL) data except for the uptime and CLI-command information stored in the flash memory.
clear logging onboard [module {slot-number | all}]
Syntax Description
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
We recommend that you keep OBFL enabled and do not clear the data stored in the flash memory.
Examples
These examples show how to clear all the OBFL information except for the uptime and CLI-command information:
Switch# clear logging onboard
Clear logging onboard buffer [confirm]
PID: CGS-2520-24TC , VID: 03 , SN: FOC1225U4CY
Switch# clear logging onboard module all
Clear logging onboard buffer [confirm]
PID: CGS-2520-24TC , VID: 03 , SN: FOC1225U4CY
You can verify that the information was cleared by entering the show logging onboard onboard privileged EXEC command.
Related Commands
|
|
|
|---|---|
Enables OBFL. |
|
Displays OBFL information. |
clear mac address-table
Use the clear mac address-table privileged EXEC command to delete from the MAC address table a specific dynamic address, all dynamic addresses on a particular interface, or all dynamic addresses on a particular VLAN. This command also clears the MAC address notification global counters.
clear mac address-table {dynamic [address mac-addr | interface interface-id | vlan vlan-id] | notification}
Syntax Description
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Examples
This example shows how to remove a specific MAC address from the dynamic address table:
Switch# clear mac address-table dynamic address 0008.0070.0007
You can verify that the information was deleted by entering the show mac address-table privileged EXEC command.
Related Commands
clear mac address-table move update
Use the clear mac address-table move update privileged EXEC command to clear the mac address-table-move update-related counters.
clear mac address-table move update
This command is supported only when the switch is running the metro IP access or metro access image.
Syntax Description
This command has no arguments or keywords.
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Examples
This example shows how to clear the mac address-table move update related counters.
Switch# clear mac address-table move update
You can verify that the information was cleared by entering the show mac address-table move update privileged EXEC command.
Related Commands
|
|
|
|---|---|
Configures MAC address-table move update on the switch. |
|
Displays the MAC address-table move update information on the switch. |
clear pagp
Use the clear pagp privileged EXEC command to clear Port Aggregation Protocol (PAgP) channel-group information.
clear pagp {channel-group-number counters | counters}
Note PAgP is available only on network node interfaces (NNIs) enhanced network interfaces (ENIs).
Syntax Description
channel-group-number |
(Optional) Channel group number. The range is 1 to 48. |
counters |
Clear traffic counters. |
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
You can clear all counters by using the clear pagp counters command, or you can clear only the counters for the specified channel group by using the clear pagp channel-group-number counters command.
Examples
This example shows how to clear all channel-group information:
Switch# clear pagp counters
This example shows how to clear PAgP traffic counters for group 10:
Switch# clear pagp 10 counters
You can verify that information was deleted by entering the show pagp privileged EXEC command.
Related Commands
|
|
|
|---|---|
Displays PAgP channel-group information. |
clear policer cpu uni-eni counters
Use the clear policer cpu uni-eni counters privileged EXEC command to clear control-plane policer statistics. The control-plane policer drops or rate-limits control packets from user network interfaces (UNIs) and enhanced network interfaces (ENIs) to protect the CPU from overload.
clear policer cpu uni-eni counters {classification | drop}
Syntax Description
classification |
Clear control-plane policer classification counters that maintain statistics by feature. |
drop |
Clear all frame drop statistics maintained by the control-plane policer. |
Command Default
No default is defined.
Command Modes
User EXEC
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
You can use this command to clear statistics maintained per feature or statistics about dropped frames.
You can enter the show platform policer cpu classification or show policer cpu uni drop command to view feature statistics or dropped frames before and after you use the clear command.
Related Commands
|
|
|
|---|---|
show platform policer cpu classification |
Displays CPU policer statistics per feature. |
Displays CPU policer information for the switch. |
clear port-security
Use the clear port-security privileged EXEC command to delete from the MAC address table all secure addresses or all secure addresses of a specific type (configured, dynamic, or sticky) on the switch or on an interface.
clear port-security {all | configured | dynamic | sticky} [[address mac-addr | interface interface-id] [vlan {vlan-id | {access | voice}}]]
Syntax Description
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Examples
This example shows how to clear all secure addresses from the MAC address table:
Switch# clear port-security all
This example shows how to remove a specific configured secure address from the MAC address table:
Switch# clear port-security configured address 0008.0070.0007
This example shows how to remove all the dynamic secure addresses learned on a specific interface:
Switch# clear port-security dynamic interface gigabitethernet0/1
This example shows how to remove all the dynamic secure addresses from the address table:
Switch# clear port-security dynamic
You can verify that the information was deleted by entering the show port-security privileged EXEC command.
Related Commands
|
|
|
|---|---|
Enables port security on an interface. |
|
switchport port-security mac-address mac-address |
Configures secure MAC addresses. |
switchport port-security maximum value |
Configures a maximum number of secure MAC addresses on a secure interface. |
Displays the port security settings defined for an interface or for the switch. |
clear rep counters
Use the clear rep counters privileged EXEC command to clear Resilient Ethernet Protocol (REP) counters for the specified interface or all interfaces.
clear rep counters [interface interface-id]
Syntax Description
interface interface-id |
(Optional) Specify a REP interface whose counters should be cleared. |
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
You can clear all REP counters by using the clear rep counters command, or you can clear only the counters for the interface by using the clear rep counters interface interface-id command.
When you enter the clear rep counters command, only the counters visible in the output of the show interface rep detail command are cleared. SNMP visible counters are not cleared as they are read-only.
Examples
This example shows how to clear all REP counters for all REP interfaces:
Switch# clear rep counters
You can verify that REP information was deleted by entering the show interfaces rep detail privileged EXEC command.
Related Commands
|
|
|
|---|---|
show interfaces rep detail |
Displays detailed REP configuration and status information. |
clear scada modbus tcp server statistics
To clear the MODBUS TCP server and client statistics, use the clear scada modbus tcp server statistics global configuration command.
clear scada modbus tcp server statistics
Syntax Description
This command has no arguments or keywords.
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Examples
Switch# clear scada modbus tcp server statistics
You can verify that the statistics was cleared by entering the show scada modbus tcp server [connections] privileged EXEC command.
Related Commands
|
|
|
|---|---|
Enables MODBUS TCP on the switch. The switch acts as a MODBUS TCP server. |
|
show scada modbus tcp server [connections] |
Displays the server information and statistics. Use the connection keyword to display client information and statistics. |
clear spanning-tree counters
Use the clear spanning-tree counters privileged EXEC command to clear the spanning-tree counters.
clear spanning-tree counters [interface interface-id]
Syntax Description
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
If the interface-id is not specified, spanning-tree counters are cleared for all STP ports.
Examples
This example shows how to clear spanning-tree counters for all STP ports:
Switch# clear spanning-tree counters
Related Commands
|
|
|
|---|---|
Displays spanning-tree state information. |
clear spanning-tree detected-protocols
Use the clear spanning-tree detected-protocols privileged EXEC command to restart the protocol migration process (force the renegotiation with neighboring switches) on all spanning-tree interfaces or on the specified interface.
clear spanning-tree detected-protocols [interface interface-id]
Syntax Description
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
A switch running the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol or the Multiple Spanning Tree Protocol (MSTP) supports a built-in protocol migration mechanism that enables it to interoperate with legacy IEEE 802.1D switches. If a rapid-PVST+ switch or an MSTP switch receives a legacy IEEE 802.1D configuration bridge protocol data unit (BPDU) with the protocol version set to 0, it sends only IEEE 802.1D BPDUs on that port. A multiple spanning-tree (MST) switch can also detect that a port is at the boundary of a region when it receives a legacy BPDU, an MST BPDU (Version 3) associated with a different region, or a rapid spanning-tree (RST) BPDU (Version 2).
However, the switch does not automatically revert to the rapid-PVST+ or the MSTP mode if it no longer receives IEEE 802.1D BPDUs. It cannot learn whether the legacy switch has been removed from the link unless the legacy switch is the designated switch. Use the clear spanning-tree detected-protocols command in this situation.
Examples
This example shows how to restart the protocol migration process on a port:
Switch# clear spanning-tree detected-protocols interface gigabitethernet0/1
Related Commands
|
|
|
|---|---|
Displays spanning-tree state information. |
|
Overrides the default link-type setting and enables rapid spanning-tree transitions to the forwarding state. |
clear vmps statistics
Use the clear vmps statistics privileged EXEC command to clear the statistics maintained by the VLAN Query Protocol (VQP) client.
clear vmps statistics
Syntax Description
This command has no arguments or keywords.
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Examples
This example shows how to clear VLAN Membership Policy Server (VMPS) statistics:
Switch# clear vmps statistics
You can verify that information was deleted by entering the show vmps statistics privileged EXEC command.
Related Commands
|
|
|
|---|---|
Displays the VQP version, reconfirmation interval, retry count, VMPS IP addresses, and the current and primary servers. |
conform-action
Use the conform-action policy-map class police configuration command to set multiple actions for a policy-map class for packets that conform to the committed information rate (CIR) or peak information rate (PIR) by having a rate less than the conform burst. Use the no form of this command to cancel the action or to return to the default action.
conform-action {drop | set-cos-transmit {new-cos-value | [cos | dscp | precedence] [table table-map name]} | set-dscp-transmit {new-dscp-value | [cos | dscp | precedence] [table table-map name]} | set-prec-transmit {new-precedence-value | [cos | dscp | precedence] [table table-map name]} | set-qos-transmit qos-group-value | transmit]}
no conform-action {drop | set-cos-transmit {new-cos-value | [cos | dscp | precedence] [table table-map name]} | set-dscp-transmit {new-dscp-value | [cos | dscp | precedence] [table table-map name]} | set-prec-transmit {new-precedence-value | [cos | dscp | precedence] [table table-map name]} | set-qos-transmit qos-group-value | transmit]}
Syntax Description
Defaults
The default conform action is to send the packet.
Command Modes
Policy-map class police configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
You configure conform actions for packets when the packet rate is less than the configured conform burst.
If the conform action is set to drop, the exceed and violate actions are automatically set to drop.
You can configure conform-action marking by using enhanced packet marking to modify a QoS marking based on any incoming QoS marking and table maps. The switch also supports simultaneously marking multiple QoS parameters for the same class and configuring conform-action, exceed-action, and violate-action marking.
Access policy-map class police configuration mode by entering the police policy-map class command. See the police policy-map class configuration command for more information.
Use this command to set one or more conform actions for a traffic class.
Examples
This example shows how configure multiple conform actions in a policy map that sets a committed information rate of 23000 bits per second (bps) and a conform burst rate of 10000 bps. The policy map includes multiple conform actions (for DSCP and for Layer 2 CoS) and an exceed action.
Switch(config)# policy-map map1
Switch(config-pmap)# class cos-set-1
Switch(config-pmap-c)# police cir 23000 bc 10000
Switch(config-pmap-c-police)# conform-action set-dscp-transmit 48
Switch(config-pmap-c-police)# conform-action set-cos-transmit 5
Switch(config-pmap-c-police)# exceed-action drop
Switch(config-pmap-c-police)# exit
You can verify your settings by entering the show policy-map privileged EXEC command.
Related Commands
copy logging onboard module
Use the copy logging onboard module privileged EXEC command to copy on-board failure logging (OBFL) data to the local network or a specific file system.
copy logging onboard module [slot-number] destination
Syntax Description
Defaults
This command has no default setting.
Command Modes
Privileged EXEC
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
For information about OBFL, see the hw-module module logging onboard global configuration command.
Examples
This example shows how to copy the OBFL data messages to the obfl_file file on the flash file system:
Switch# copy logging onboard module flash:obfl_file
OBFL copy successful
Related Commands
|
|
|
|---|---|
Enables OBFL. |
|
Displays OBFL information. |
cpu traffic qos cos
Use the cpu traffic qos cos command in global configuration mode to configure quality of service (QoS) marking based on class of service (CoS) for control plane traffic. To return to the default value, use the no form of this command.
cpu traffic qos cos {cos_value | cos [table-map table-map-name] | dscp [table-map table-map-name] | precedence [table-map table-map-name]}
no cpu traffic qos cos {cos_value | cos [table-map table-map-name] | dscp [table-map table-map-name] | precedence [table-map table-map-name]}
Syntax Description
Command Default
Control plane (CPU) traffic is not marked for QoS.
Command Modes
Global configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
Configure any desired table-maps before configuring marking or queuing of CPU traffic.
This feature must be configured globally for a switch; it cannot be configured per-port or per-protocol.
Enter each cpu traffic qos marking action on a separate line.
The cpu traffic qos cos global configuration command configures CoS marking for CPU-generated traffic by using either a specific CoS value or a table map, but not both. A new configuration overwrites the existing configuration.
When the cpu traffic qos cos global configuration command is configured with table maps, you can configure two map from values at a time—CoS and either DSCP or precedence.
If the cpu traffic qos cos global configuration command is configured with only a map from value of IP-DSCP or IP-precedence:
•The CoS value of IP packets is mapped by using the IP-DSCP (or IP-precedence) value in the packet and the configured table map. Packets can be classified and queued by an output policy map based on the marked CoS value.
•The CoS value of non-IP packets remains unchanged.
If the cpu traffic qos cos global configuration command is configured with a map from value of CoS:
•The CoS value of IP packets is mapped by using the CoS value in the packet and the configured table map. Packets can be classified and queued by an output policy map based on the marked CoS value.
•The CoS value of non-IP packets is mapped by using the CoS value in the packet and the configured table map. Packets can be classified and queued by an output policy map based on the marked CoS value.
If the cpu traffic qos cos global configuration command is configured with a map from value of DSCP or precedence and CoS:
•The CoS value of IP packets is mapped by using the DSCP or precedence value in the packet and the configured table map. Packets can be classified and queued by an output policy map based on the marked CoS value.
•The CoS value of non-IP packets is mapped by using the CoS value in the packet and the configured table map. Packets can be classified and queued by an output policy map based on the marked CoS value.
Examples
This example shows how to mark the CoS of CPU-generated IP traffic (including IP-SLA and TWAMP) based on the DSCP value in the packet and to configure egress queuing based on the CoS value.
The sample configuration has these results:
•All CPU-generated IP traffic is queued on the egress port based on the DSCP value and the configured output policy map called output-policy.
•All IP SLA or TWAMP probes with the DSCP value ef to simulate voice traffic are assigned to the voice class.
•All IP SLA or TWAMP probes with the DSCP values af41, af42 and af43 to simulate video traffic are assigned to the video class.
•All IP control protocol traffic with the DSCP values 48 and 56 are assigned to the network-internetwork-control class.
•The rest of the IP traffic is assigned to the default class.
•All CPU-generated non-IP traffic with CoS 5 is assigned to the voice class.
•All CPU-generated non-IP traffic with CoS 3 is assigned to the video class.
•All CPU-generated non-IP traffic with CoS 6 and 7 is assigned to the network-internetwork-control class.
•All CFM traffic with CoS 5 is assigned to the voice class.
•All CFM traffic with CoS 3 is assigned to the video class.
•All CFM traffic with CoS 6 and 7 is assigned to the network-internetwork-control class.
Table Map:
Switch(config)# table-map dscp-to-cos
Switch(config-tablemap)# map from 46 to 5
Switch(config-tablemap)# map from 48 to 6
Switch(config-tablemap)# map from 56 to 7
Switch(config-tablemap)# map from af41 to 3
Switch(config-tablemap)# map from af42 to 3
Switch(config-tablemap)# map from af43 to 3
Switch(config-tablemap)# default 0
Switch(config-tablemap)# end
CPU QoS:
Switch(config)# cpu traffic qos cos dscp table-map dscp-to-cos
Switch(config)# cpu traffic qos cos cos
Class:
Switch(config)# class-map match-any video
Switch(config-cmap)# match cos 3
Switch(config-cmap)# exit
Switch(config)# class-map match-any voice
Switch(config-cmap)# match cos 5
Switch(config-cmap)# exit
Switch(config)# class-map match-any network-internetwork-control
Switch(config-cmap)# match cos 6 7
Switch(config-cmap)# exit
Policy:
Switch(config)# policy-map output-policy
Switch(config-pmap)# class voice
Switch(config-pmap-c)# priority
Switch(config-pmap-c)# police cir 10000000
Switch(config-pmap-c)# exit
Switch(config-pmap)# class video
Switch(config-pmap-c)# bandwidth percent 40
Switch(config-pmap-c)# exit
Switch(config-pmap)# class network-internetwork-control
Switch(config-pmap-c)# bandwidth percent 10
Switch(config-pmap-c)# exit
Switch(config-pmap)# class class-default
Switch(config-pmap-c)# bandwidth percent 30
Switch(config-pmap-c)# exit
Interface
Switch(config)# interface fastethernet0/1
Switch(config-if)# service-policy output output-policy
Switch(config-pmap-c)# exit
Related Commands
cpu traffic qos dscp
Use the cpu traffic qos dscp command in global configuration mode to configure quality of service (QoS) marking based on a differentiated services code point (DSCP) value for control plane traffic. To return to the default value, use the no form of this command.
cpu traffic qos dscp {dscp_value | cos [table-map table-map-name] | dscp [table-map table-map-name] | precedence [table-map table-map-name]}
no cpu traffic qos dscp {dscp_value | cos [table-map table-map-name] | dscp [table-map table-map-name] | precedence [table-map table-map-name]}
Syntax Description
Command Default
Control plane (CPU) traffic is not marked for QoS.
Command Modes
Global configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
This feature must be configured globally for a switch; it cannot be configured per-port or per-protocol.
Enter each cpu traffic qos marking action on a separate line.
The cpu traffic qos dscp global configuration command configures IP-DSCP marking for CPU-generated IP traffic by using either a specific DSCP value or a table map, but not both. A new configuration overwrites the existing configuration.
The cpu traffic qos dscp and cpu traffic qos precedence global configuration commands are mutually exclusive. A new configuration overwrites the existing configuration.
When the cpu traffic qos dscp global configuration command is configured with table maps, you can configure only one map from value at a time—DSCP, precedence, or CoS. A new configuration overwrites the existing configuration. Packets marked by this command can be classified and queued by an output policy map based on the marked DSCP or precedence value.
You cannot configure a map from value of both DSCP and precedence. A new configuration overwrites the existing configuration.
Examples
This example shows how to configure egress queuing based on the DSCP value of CPU-generated IP packets.
The sample configuration has these results:
•All CPU-generated IP traffic queues on the egress port, based on its IP DSCP value, and the configured output policy map output-policy.
•All IP SLA or TWAMP probes with the DSCP value ef to simulate voice traffic are assigned to the voice class.
•All IP SLA or TWAMP probes with the DSCP values af41, af42 and af43 to simulate video traffic are assigned to the video class.
•All IP control protocol traffic with the DSCP values 48 and 56 are assigned to the network-internetwork-control class.
•The rest of the IP traffic is assigned to the default class.
•All CPU-generated non-IP traffic is statically mapped to a fixed queue on the egress port.
•All CFM traffic is queued to the default class because there is no class based on CoS.
Switch(config)# cpu traffic qos dscp dscp
Class:
Switch(config)# class-map match-any video
Switch(config-cmap)# match ip dscp af41 af42 af43
Switch(config-cmap)# exit
Switch(config)# class-map match-any voice
Switch(config-cmap)# match ip dscp ef
Switch(config-cmap)# exit
Switch(config)# class-map match-any network-internetwork-control
Switch(config-cmap)# match ip dscp 48 56
Switch(config-cmap)# exit
Policy:
Switch(config)# policy-map output-policy
Switch(config-pmap)# class voice
Switch(config-pmap-c)# priority
Switch(config-pmap-c)# police cir 10000000
Switch(config-pmap-c)# exit
Switch(config-pmap)# class video
Switch(config-pmap-c)# bandwidth percent 40
Switch(config-pmap-c)# exit
Switch(config-pmap)# class network-internetwork-control
Switch(config-pmap-c)# bandwidth percent 10
Switch(config-pmap-c)# exit
Switch(config-pmap)# class class-default
Switch(config-pmap-c)# bandwidth percent 30
Switch(config-pmap-c)# exit
Interface
Switch(config)# interface fastethernet0/1
Switch(config-if)# service-policy output output-policy
Switch(config-pmap-c)# exit
This example shows how to:
•Mark the DSCP value of CPU-generated IP traffic (including IP-SLA and TWAMP) based on the DSCP value in the packet.
•Mark the CoS of CPU-generated IP traffic (including IP-SLA and TWAMP) based on the DSCP value in the packet.
•Mark the CoS of CPU-generated non-IP traffic based on the CoS value in the packet.
•Mark all CPU-generated traffic with the QoS group.
•Configure egress queuing based on the QoS group.
The example has these results:
•All CPU-generated IP traffic with the DSCP values 46, 48, and 56 retain the existing markings.
•For all other CPU-generated IP packets, the DSCP value is reset to 0.
•All CPU-generated IP traffic with the DSCP values 46, 48, and 56 are mapped to corresponding CoS values of 5, 6, and 7, respectively.
•For all other CPU-generated IP packets, the CoS value resets to 0.
•All CPU-generated non-IP traffic with the CoS values of 5, 6, and 7 retain the existing markings.
•For all other CPU-generated non-IP packets, the CoS value resets to 0.
•All CPU-generated traffic goes through a single class called cpu-traffic. The user-voice classes user-voice and user-video are reserved for user traffic. As a result, CPU traffic and user traffic are separated into different queues on the egress port.
Table-map
Switch(config)# table-map dscp-to-cos
Switch(config-tablemap)# map from 46 to 5
Switch(config-tablemap)# map from 48 to 6
Switch(config-tablemap)# map from 56 to 7
Switch(config-tablemap)# default 0
Switch(config-tablemap)# end
Switch(config)# table-map dscp-to-dscp
Switch(config-tablemap)# map from 46 to 46
Switch(config-tablemap)# map from 48 to 48
Switch(config-tablemap)# map from 56 to 56
Switch(config-tablemap)# default 0
Switch(config-tablemap)# end
Switch(config)# table-map cos-to-cos
Switch(config-tablemap)# map from 5 to 5
Switch(config-tablemap)# map from 6 to 6
Switch(config-tablemap)# map from 7 to 7
Switch(config-tablemap)# default 0
Switch(config-tablemap)# end
CPU QoS:
Switch(config)# cpu traffic qos dscp dscp table-map dscp-to-dscp
Switch(config)# cpu traffic qos cos dscp table dscp-to-cos
Switch(config)# cpu traffic qos cos cos table cos-to-cos
Switch(config)# cpu traffic qos qos-group 50
Class:
Switch(config)# class-map match-any cpu-traffic
Switch(config-cmap)# match qos-group 50
Switch(config-cmap)# exit
Switch(config)# class-map match-any user-video
Switch(config-cmap)# match cos 3
Switch(config-cmap)# exit
Switch(config)# class-map match-any user-voice
Switch(config-cmap)# match cos 5
Switch(config-cmap)# exit
Policy:
Switch(config)# policy-map output-policy
Switch(config-pmap)# class user-voice
Switch(config-pmap-c)# priority
Switch(config-pmap-c)# police cir 10000000
Switch(config-pmap-c)# exit
Switch(config-pmap)# class user-video
Switch(config-pmap-c)# bandwidth percent 40
Switch(config-pmap-c)# exit
Switch(config-pmap)# class cpu-traffic
Switch(config-pmap-c)# bandwidth percent 10
Switch(config-pmap-c)# exit
Switch(config-pmap)# class class-default
Switch(config-pmap-c)# bandwidth percent 30
Switch(config-pmap-c)# exit
Interface:
Switch(config)# interface fastethernet0/1
Switch(config-if)# service-policy output output-policy
Switch(config-pmap-c)# exit
Related Commands
cpu traffic qos precedence
Use the cpu traffic qos precedence command in global configuration mode to configure quality of service (QoS) marking for control plane traffic. To return to the default value, use the no form of this command.
cpu traffic qos precedence {precedence_value | cos [table-map table-map-name] | dscp [table-map table-map-name] | precedence [table-map table-map-name]}
no cpu traffic qos precedence {precedence_value | cos [table-map table-map-name] | dscp [table-map table-map-name] | precedence [table-map table-map-name]}
Syntax Description
Command Default
Control plane (CPU) traffic is not marked for QoS.
Command Modes
Global configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
This feature must be configured globally for a switch; it cannot be configured per-port or per-protocol.
Enter each cpu traffic qos marking action on a separate line.
The cpu traffic qos dscp and cpu traffic qos precedence global configuration commands are mutually exclusive. A new configuration overwrites the existing configuration.
When the cpu traffic qos precedence global configuration command is configured with table maps, you can configure only one map from value at a time—DSCP, precedence, or CoS. A new configuration overwrites the existing configuration. Packets marked by this command can be classified and queued by an output policy map based on the marked precedence or DSCP value.
You cannot configure a map from value of both DSCP and precedence. A new configuration overwrites the existing configuration.
Examples
The following example shows how to mark the precedence based on the DSCP value in the packet and configure egress queuing based on the precedence value.
The example has these results:
•Marks the CPU-generated IP traffic with the DSCP value 48 to the precedence value 7.
•Marks the other CPU-generated IP traffic to the precedence value 0.
•Allows all other CPU-generated non-IP traffic to be processed by the default class.
•Queues CPU-generated IP traffic with precedence value 7 using class precedence 7.
•Allows all other CPU-generated IP traffic to be processed by the default class.
Table-map:
switch(config)# table-map dscp-to-prec
switch(config-tablemap)# map from 48 to 7
switch(config-tablemap)# default 0
switch(config-tablemap)# end
CPU QoS:
switch(config)# cpu traffic qos precedence dscp table-map dscp-to-prec
Class-maps:
switch(config)# class-map prec7
switch(config-cmap)# match ip precedence 7
switch(config-cmap)# end
Policy-maps:
switch(config)# policy-map output-policy
switch(config-pmap)# class prec7
switch(config-pmap-c)# priority
switch(config-pmap-c)# end
Interface:
switch(config)# interface g1/0/1
switch(config-if)# service-policy output output-policy
switch(config-if)# exit
Related Commands
cpu traffic qos qos-group
Use the cpu traffic qos qos-group command in global configuration mode to map all CPU-generated traffic to a single class in the output policy-maps without changing the class of service (CoS), IP differentiated services code point (DSCP), or IP-precedence packet markings. To return to the default settings, use the no form of this command.
cpu traffic qos qos-group qos-group-value
no cpu traffic qos qos-group qos-group-value
Syntax Description
qos-group-value |
Specify the QoS group number. Valid values are from 0 to 99. |
Command Default
Control plane (CPU) traffic is not marked for QoS.
Command Modes
Global configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
This feature must be configured globally for a switch; it cannot be configured per-port or per-protocol.
Enter each cpu traffic qos marking action on a separate line.
The cpu traffic qos qos-group global configuration command can be used to configure QoS group marking for CPU-generated traffic only for a specific QoS group. The table-map option is not available.
Examples
The following example shows how to mark all the CPU-generated traffic with a QoS-group and configure egress queuing based on that QoS-group.
CPU QoS:
switch(config)# cpu traffic qos qos-group 40
Class-maps:
switch(config)# class-map group40
switch(config-cmap)# match qos-group 40
switch(config-cmap)# end
Policy-maps:
switch(config)# policy-map output-policy
switch(config-pmap)# class group40
switch(config-pmap-c)# bandwidth percent 50
switch(config-pmap-c)# end
Interface:
Switch(config)# interface g1/0/1
Switch(config-if)# service-policy output output-policy
Switch(config-if)# exit
Related Commands
define interface-range
Use the define interface-range global configuration command to create an interface-range macro. Use the no form of this command to delete the defined macro.
define interface-range macro-name interface-range
no define interface-range macro-name interface-range
Syntax Description
macro-name |
Name of the interface-range macro; up to 32 characters. |
interface-range |
Interface range; for valid values for interface ranges, see "Usage Guidelines." |
Defaults
This command has no default setting.
Command Modes
Global configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
The macro name is a 32-character maximum character string.
A macro can contain up to five ranges.
All interfaces in a range must be the same type; that is, all Fast Ethernet ports, all Gigabit Ethernet ports, all EtherChannel ports, or all VLANs, but you can combine multiple interface types in a macro.
When entering the interface-range, use this format:
•type {first-interface} - {last-interface}
•You must add a space between the first interface number and the hyphen when entering an interface-range. For example, gigabitethernet 0/1 - 2 is a valid range; gigabitethernet 0/1-2 is not a valid range
Valid values for type and interface:
•vlan vlan-id, where vlan-id is from 1 to 4094
VLAN interfaces must have been configured with the interface vlan command (the show running-config privileged EXEC command displays the configured VLAN interfaces). VLAN interfaces not displayed by the show running-config command cannot be used in interface-ranges.
•port-channel port-channel-number, where port-channel-number is from 1 to 48
•fastethernet module/{first port} - {last port}
•gigabitethernet module/{first port} - {last port}
For physical interfaces:
•module is always 0.
•the range is type 0/number - number (for example, gigabitethernet 0/1 - 2).
When you define a range, you must enter a space before the hyphen (-), for example:
gigabitethernet0/1 - 2
You can also enter multiple ranges. When you define multiple ranges, you must enter a space after the first entry before the comma (,). The space after the comma is optional, for example:
fastethernet0/3, gigabitethernet0/1 - 2
fastethernet0/3 -4, gigabitethernet0/1 - 2
Examples
This example shows how to create a multiple-interface macro:
Switch(config)# define interface-range macro1 fastethernet0/1 - 2, gigabitethernet0/1 - 2
Related Commands
|
|
|
|---|---|
Executes a command on multiple ports at the same time. |
|
show running-config |
Displays the operating configuration. For syntax information, use this link to the Cisco IOS Release 12.2 Command Reference listing page: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/prod_command_reference_list.html |
delete
Use the delete privileged EXEC command to delete a file or directory on the flash memory device.
delete [/force] [/recursive] filesystem:/file-url
Syntax Description
Command Modes
Privileged EXEC
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
If you use the /force keyword, you are prompted once at the beginning of the deletion process to confirm the deletion.
If you use the /recursive keyword without the /force keyword, you are prompted to confirm the deletion of every file.
The prompting behavior depends on the setting of the file prompt global configuration command. By default, the switch prompts for confirmation on destructive file operations. For more information about this command, see the Cisco IOS Command Reference for Release 12.1.
Examples
This example shows how to remove the directory that contains the old software image after a successful download of a new image:
Switch# delete /force /recursive flash:/old-image
You can verify that the directory was removed by entering the dir filesystem: privileged EXEC command.
Related Commands
|
|
|
|---|---|
Downloads a new image to the switch and overwrites or keeps the existing image. |
deny (ARP access-list configuration)
Use the deny Address Resolution Protocol (ARP) access-list configuration command to deny an ARP packet based on matches against the DHCP bindings. Use the no form of this command to remove the specified access control entry (ACE) from the access list.
deny {[request] ip {any | host sender-ip | sender-ip sender-ip-mask} mac {any | host sender-mac | sender-mac sender-mac-mask} | response ip {any | host sender-ip | sender-ip sender-ip-mask} [{any | host target-ip | target-ip target-ip-mask}] mac {any | host sender-mac | sender-mac sender-mac-mask} [{any | host target-mac | target-mac target-mac-mask}]} [log]
no deny {[request] ip {any | host sender-ip | sender-ip sender-ip-mask} mac {any | host sender-mac | sender-mac sender-mac-mask} | response ip {any | host sender-ip | sender-ip sender-ip-mask} [{any | host target-ip | target-ip target-ip-mask}] mac {any | host sender-mac | sender-mac sender-mac-mask} [{any | host target-mac | target-mac target-mac-mask}]} [log]
Syntax Description
Defaults
There are no default settings. However, at the end of the ARP access list, there is an implicit deny ip any mac any command.
Command Modes
ARP access-list configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
You can add deny clauses to drop ARP packets based on matching criteria.
Examples
This example shows how to define an ARP access list and to deny both ARP requests and ARP responses from a host with an IP address of 1.1.1.1 and a MAC address of 0000.0000.abcd:
Switch(config)# arp access-list static-hosts
Switch(config-arp-nacl)# deny ip host 1.1.1.1 mac host 0000.0000.abcd
Switch(config-arp-nacl)# end
You can verify your settings by entering the show arp access-list privileged EXEC command.
Related Commands
deny (IPv6 access-list configuration)
Use the deny command in IPv6 access list configuration mode to set deny conditions for an IPv6 access list. Use the no form of this command to remove the deny conditions.
deny {protocol} {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dscp value] [fragments] [log] [log-input] [routing] [sequence value] [time-range name]
no deny {protocol} {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dscp value] [fragments] [log] [log-input] [routing] [sequence value] [time-range name]
Internet Control Message Protocol
deny icmp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [icmp-type [icmp-code] | icmp-message] [dscp value] [log] [log-input] [routing] [sequence value] [time-range name]
Transmission Control Protocol
deny tcp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [ack] [dscp value] [established] [fin] [log] [log-input] [neq {port | protocol}] [psh] [range {port | protocol}] [rst] [routing] [sequence value] [syn] [time-range name] [urg]
User Datagram Protocol
deny udp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dscp value] [log] [log-input] [neq {port | protocol}] [range {port | protocol}] [routing] [sequence value] [time-range name]
Note This command is available only if the switch is running the metro IP access image and you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
Syntax Description
Note Although visible in the command-line help strings, the flow-label, routing, and undetermined-transport keywords are not supported.
Defaults
No IPv6 access list is defined.
Command Modes
IPv6 access list configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
The deny (IPv6 access-list configuration mode) command is similar to the deny (IPv4 access-list configuration mode) command, but it is IPv6-specific.
Use the deny (IPv6) command after the ipv6 access-list command to enter IPv6 access list configuration mode and to define the conditions under which a packet passes the access list.
Specifying IPv6 for the protocol argument matches the IPv6 header of the packet.
By default, the first statement in an access list is number 10, and the subsequent statements are numbered in increments of 10.
You can add permit, deny, or remark statements to an existing access list without re-entering the entire list. To add a new statement somewhere other than at the end of the list, create a new statement with an appropriate entry number between two existing entry numbers to show where it belongs.
Note Every IPv6 ACL has implicit permit icmp any any nd-na, permit icmp any any nd-ns, and deny ipv6 any any statements as its last match conditions. The two permit conditions allow ICMPv6 neighbor discovery. To disallow ICMPv6 neighbor discovery and to deny icmp any any nd-na or icmp any any nd-ns, there must be an explicit deny entry in the ACL. For the three implicit statements to take effect, an IPv6 ACL must contain at least one entry.
The IPv6 neighbor discovery process uses the IPv6 network layer service. Therefore, by default, IPv6 ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface. In IPv4, the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery process, uses a separate data-link layer protocol. Therefore, by default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.
Both the source-ipv6-prefix/prefix-length and destination-ipv6-prefix/prefix-length arguments are used for traffic filtering. (The source prefix filters traffic based upon its source; the destination prefix filters traffic based upon its destination.)
The switch supports IPv6 address matching for a full range of prefix lengths.
The fragments keyword is an option only if the protocol is ipv6 and the operator [port-number] arguments are not specified.
This is a list of ICMP message names:
Examples
This example configures the IPv6 access list named CISCO and applies the access list to outbound traffic on a Layer 3 interface. The first deny entry prevents all packets that have a destination TCP port number greater than 5000 from leaving the interface. The second deny entry prevents all packets that have a source UDP port number less than 5000 from leaving the interface. The second deny also logs all matches to the console. The first permit entry permits all ICMP packets to leave the interface. The second permit entry permits all other traffic to leave the interface. The second permit entry is necessary because an implicit deny-all condition is at the end of each IPv6 access list.
Switch(config)# ipv6 access-list CISCO
Switch(config-ipv6-acl)# deny tcp any any gt 5000
Switch config-ipv6-acl)# deny ::/0 lt 5000 ::/0 log
Switch(config-ipv6-acl)# permit icmp any any
Switch(config-ipv6-acl)# permit any any
Switch(config-ipv6-acl)# exit
Switch(config)# interface gigabitethernet0/2
Switch(config-if)# no switchport
Switch(config-if)# ipv6 address 2001::/64 eui-64
Switch(config-if)# ipv6 traffic-filter CISCO out
Related Commands
deny (MAC access-list configuration)
Use the deny MAC access-list configuration command to prevent non-IP traffic from being forwarded if the conditions are matched. Use the no form of this command to remove a deny condition from the named MAC access list.
{deny | permit} {any | host src-MAC-addr | src-MAC-addr mask} {any | host dst-MAC-addr | dst-MAC-addr mask} [type mask | aarp | amber | cos cos | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | lsap lsap mask |mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp]
no {deny | permit} {any | host src-MAC-addr | src-MAC-addr mask} {any | host dst-MAC-addr | dst-MAC-addr mask} [type mask | aarp | amber | cos cos | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | lsap lsap mask | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp]
Syntax Description
Note Though visible in the command-line help strings, appletalk is not supported as a matching condition.
To filter IPX traffic, you use the type mask or lsap lsap mask keywords, depending on the type of IPX encapsulation being used. Filter criteria for IPX encapsulation types as specified in Novell terminology and Cisco IOS terminology are listed in Table 2-2.
Defaults
This command has no defaults. However; the default action for a MAC-named ACL is to deny.
Command Modes
MAC-access list configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
You enter MAC-access list configuration mode by using the mac access-list extended global configuration command.
If you use the host keyword, you cannot enter an address mask; if you do not use the host keyword, you must enter an address mask.
When an access control entry (ACE) is added to an access control list, an implied deny-any-any condition exists at the end of the list. That is, if there are no matches, the packets are denied. However, before the first ACE is added, the list permits all packets.
Note For more information about named MAC extended access lists, see the software configuration guide for this release.
Examples
This example shows how to define the named MAC extended access list to deny NETBIOS traffic from any source to MAC address 00c0.00a0.03fa. Traffic matching this list is denied.
Switch(config-ext-macl)# deny any host 00c0.00a0.03fa netbios.
This example shows how to remove the deny condition from the named MAC extended access list:
Switch(config-ext-macl)# no deny any 00c0.00a0.03fa 0000.0000.0000 netbios.
This example denies all packets with Ethertype 0x4321:
Switch(config-ext-macl)# deny any any 0x4321 0
You can verify your settings by entering the show access-lists privileged EXEC command.
Related Commands
diagnostic monitor
Use the diagnostic monitor global configuration command to configure health-monitoring diagnostic testing. Use the no form of this command to disable testing and to return to the default settings.
diagnostic monitor interval test {name | test-id | test-id-range | all} hh:mm:ss milliseconds day
diagnostic monitor test {name | test-id | test-id-range | all}
diagnostic monitor syslog
diagnostic monitor threshold test {name | test-id | test-id-range | all} failure count count
no diagnostic monitor interval test {name | test-id | test-id-range | all}
no diagnostic monitor test {name | test-id | test-id-range | all}
no diagnostic monitor syslog
no diagnostic monitor threshold test {name | test-id | test-id-range | all} failure count count
Syntax Description
interval test |
Configure the interval between tests. |
test |
Specify the tests to be run. |
name |
Specify the test name. To display the test names in the test-ID list, enter the show diagnostic content privileged EXEC command. |
test-id |
Specify the ID number of the test. The range is from 1 to 6. To display the test numbers in the test-ID list, enter the show diagnostic content privileged EXEC command. |
test-id-range |
Specify more than one test with the range of test ID numbers. Enter the range as integers separated by a comma and a hyphen (for example, 1,3-6 specifies test IDs 1, 3, 4, 5, and 6). To display the test numbers in the test-ID list, enter the show diagnostic content privileged EXEC command. |
all |
Specify all of the diagnostic tests. |
hh:mm:ss |
Configure the monitoring interval in hours, minutes, and seconds. • • • |
milliseconds |
Configure the monitoring interval (test time) in milliseconds (ms). The range is from 0 to 999 ms. |
day |
Configure the monitoring interval in the number of days between tests. The range is from 0 to 20 days. |
syslog |
Enable the generation of a syslog message when a health-monitoring test fails. |
threshold test |
Configure the failure threshold. |
failure count count |
Set the failure threshold count. The range for count is from 0 to 99. |
Defaults
Monitoring is disabled, and a failure threshold value is not set.
Command Modes
Global configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
•You must configure the failure threshold and the interval between tests before enabling diagnostic monitoring.
•Enter the diagnostic monitor test 1 command to enable diagnostic monitoring.
•When you enter the diagnostic monitor test {name | test-id | test-id-range | all} command, you must isolate network traffic by disabling all connected ports.
•Do not send test packets during the test.
Examples
This example shows how to configure a health-monitoring test:
Switch(config)# diagnostic monitor threshold test 1 failure count 20
Switch(config)# diagnostic monitor interval test 1 12:30:00 750 5
Related Commands
|
|
|
|---|---|
Displays online diagnostic test results. |
diagnostic schedule test
Use the diagnostic schedule test global configuration command to configure the diagnostic test schedule. Use the no form of this command to remove the schedule.
diagnostic schedule test {name | test-id | test-id-range | all | basic | non-disruptive} {daily hh:mm | on mm dd yyyy hh:mm | weekly day-of-week hh:mm}
no diagnostic schedule test {name | test-id | test-id-range | all | basic | non-disruptive} {daily hh:mm | on mm dd yyyy hh:mm | weekly day-of-week hh:mm}
Syntax Description
name |
Specify the name of the test. To display the test names in the test-ID list, enter the show diagnostic content privileged EXEC command. |
test-id |
Specify the ID number of the test. The range is from 1 to 6. To display the test numbers in the test-ID list, enter the show diagnostic content privileged EXEC command. |
test-id-range |
Specify more than one test with the range of test ID numbers. Enter the range as integers separated by a comma and a hyphen (for example, 1,3-6 specifies test IDs 1, 3, 4, 5, and 6). To display the test numbers in the test-ID list, enter the show diagnostic content privileged EXEC command. |
all |
Specify all of the diagnostic tests. |
basic |
Specify the basic on-demand diagnostic tests. |
non-disruptive |
Specify the nondisruptive health-monitoring tests. |
daily hh:mm |
Specify the daily scheduling of the diagnostic tests. hh:mm—Enter the time as a 2-digit number (for a 24-hour clock) for hours:minutes; the colon (:) is required, such as 12:30. |
on mm dd yyyy hh:mm |
Specify the scheduling of the diagnostic tests on a specific day and time. For mm dd yyyy: • • • |
weekly day-of-week hh:mm |
Specify the weekly scheduling of the diagnostic tests. day-of-week—Spell out the day of the week, such as Monday, Tuesday, and so on, with upper-case or lower-case characters. |
Defaults
This command has no default settings.
Command Modes
Global configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Examples
This example shows how to schedule diagnostic testing for a specific day and time:
Switch(config)# diagnostic schedule test 1,2,4-6 on november 3 2006 23:10
This example shows how to schedule diagnostic testing to occur weekly at a specific time:
Switch(config)# diagnostic schedule test TestPortAsicMem weekly friday 09:23
Related Commands
|
|
|
|---|---|
Displays online diagnostic test results. |
diagnostic start test
Use the diagnostic start test privileged EXEC command to run an online diagnostic test.
diagnostic start test {name | test-id | test-id-range | all | basic | non-disruptive}
Syntax Description
name |
Specify the name of the test. To display the test names in the test-ID list, enter the show diagnostic content privileged EXEC command. |
test-id |
Specify the ID number of the test. The range is from 1 to 6. To display the test numbers in the test-ID list, enter the show diagnostic content privileged EXEC command. |
test-id-range |
Specify more than one test with the range of test ID numbers. Enter the range as integers separated by a comma and a hyphen (for example, 1,3-6 specifies test IDs 1, 3, 4, 5, and 6). To display the test numbers in the test-ID list, enter the show diagnostic content privileged EXEC command. |
all |
Specify all the diagnostic tests. |
basic |
Specify the basic on-demand diagnostic tests. |
non-disruptive |
Specify the nondisruptive health-monitoring tests. |
Defaults
This command has no default setting.
Command Modes
Privileged EXEC
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
After you start the tests by using the diagnostic start command, you cannot stop the testing process.
The switch supports these tests:
ID Test Name [On-Demand Test Attributes]
--- -------------------------------------------
1 TestPortAsicStackPortLoopback [B*N****]
2 TestPortAsicLoopback [B*D*R**]
3 TestPortAsicCam [B*D*R**]
4 TestPortAsicRingLoopback [B*D*R**]
5 TestMicRingLoopback [B*D*R**]
6 TestPortAsicMem [B*D*R**]
--- -------------------------------------------
To identify a test name, use the show diagnostic content privileged EXEC command to display the test ID list. To specify test 3 by using the test name, enter the diagnostic start switch number test TestPortAsicCam privileged EXEC command.
To specify more than one test, use the test-id-range parameter, and enter integers separated by a comma and a hyphen. For example, to specify tests 2, 3, and 4, enter the diagnostic start test 2-4 command. To specify tests 1, 3, 4, 5, and 6, enter the diagnostic start test 1,3-6 command.
Examples
This example shows how to start diagnostic test 1:
Switch# diagnostic start test 1
Switch#
06:27:50: %DIAG-6-TEST_RUNNING: Running TestPortAsicStackPortLoopback{ID=1} ...
06:27:51: %DIAG-6-TEST_OK: TestPortAsicStackPortLoopback{ID=1} has completed
successfully
This example shows how to start diagnostic test 2. Running this test disrupts the normal system operation and then reloads the switch.
Switch# diagnostic start test 2
Running test(s) 2 will cause the switch under test to reload after completion of
the test list.
Running test(s) 2 may disrupt normal system operation
Do you want to continue? [no]: y
Switch#
00:00:25: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan
00:00:29: %SYS-5-CONFIG_I: Configured from memory by console
00:00:30: %DIAG-6-TEST_RUNNING : Running TestPortAsicLoopback{ID=2} ...
00:00:30: %DIAG-6-TEST_OK: TestPortAsicLoopback{ID=2} has completed successfully
Related Commands
|
|
|
|---|---|
Displays online diagnostic test results. |
dot1x credentials
Use the dot1x credentials global configuration command to configure a profile on a supplicant switch.
dot1x credentials profile
no dot1x credentials profile
Syntax Description
profile |
Specify a profile for the supplicant switch. |
Defaults
No profile is configured for the switch.
Command Modes
Global configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
You must have another switch set up as the authenticator for this switch to be the supplicant.
Examples
This example shows how to configure a switch as a supplicant:
Switch(config)# dot1x credentials profile
You can verify your settings by entering the show running-config privileged EXEC command.
Related Commands
|
|
|
|---|---|
cisp enable |
Enables Client Information Signalling Protocol (CISP). |
show cisp |
Displays CISP information for a specified interface. |
dot1x critical eapol (global configuration)
Use the dot1x critical eapol global configuration command to specify that the switch sends an EAPOL-Success message when the switch puts the critical port in the critical-authentication state. To return to default settings, use the no form of this command.
dot1x critical eapol
no dot1x critical eapol
Syntax Description
This command has no arguments or keywords.
Defaults
The switch does not send an EAPOL-Success message to the host when the switch successfully authenticates the critical port by putting the critical port in the critical-authentication state.
Command Modes
Global configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
To enable inaccessible authentication bypass on a port, or to configure the access VLAN to which the switch assigns a critical port, use the authencation event interface configuration command.
Related Commands
dot1x default
Use the dot1x default interface configuration command to reset the configurable IEEE 802.1x parameters to their default values.
dot1x default
Syntax Description
This command has no arguments or keywords.
Defaults
These are the default values:
•The per-port IEEE 802.1x protocol enable state is disabled (force-authorized).
•The number of seconds between re-authentication attempts is 3600 seconds.
•The periodic re-authentication is disabled.
•The quiet period is 60 seconds.
•The retransmission time is 30 seconds.
•The maximum retransmission number is 2 times.
•The host mode is single host.
•The client timeout period is 30 seconds.
•The authentication server timeout period is 30 seconds.
Command Modes
Interface configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Examples
This example shows how to reset the configurable IEEE 802.1x parameters on a port:
Switch(config-if)# dot1x default
You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.
Related Commands
|
|
|
|---|---|
show dot1x [interface interface-id] |
Displays IEEE 802.1x status for the specified port. |
dot1x guest-vlan supplicant
Use the dot1x guest-vlan supplicant global configuration command to enable the optional IEEE 802.1x guest VLAN behavior globally on the switch. Use the no form of this command to return to the default setting.
dot1x guest-vlan supplicant
no dot1x guest-vlan supplicant
Syntax Description
This command has no arguments or keywords.
Defaults
The guest VLAN behavior is disabled.
Command Modes
Global configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
For information about how to configure a guest VLAN on the switch, see the authentication event no-response action authorize vlan vlan-id interface configuration command.
Examples
This example shows how to globally enable the optional guest VLAN behavior on a switch:
Switch(config)# dot1x guest-vlan supplicant
Related Commands
|
|
|
|---|---|
Configures the parameters for the inaccessible authentication bypass feature on the switch. |
|
show authentication [interface interface-id] |
Displays IEEE 802.1x status for the specified port. |
dot1x initialize
Use the dot1x initialize privileged EXEC command to manually return the specified IEEE 802.1x-enabled port to an unauthorized state before initiating a new authentication session on the port.
dot1x initialize interface interface-id
Syntax Description
interface interface-id |
Port to be initialized. |
Defaults
There is no default setting.
Command Modes
Privileged EXEC
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
Use this command to initialize the IEEE 802.1x state machines and to set up a fresh environment for authentication. After you enter this command, the port status becomes unauthorized.
There is no no form of this command.
Examples
This example shows how to manually initialize a port:
Switch# dot1x initialize interface gigabitethernet0/2
You can verify the unauthorized port status by entering the show dot1x [interface interface-id] privileged EXEC command.
Related Commands
|
|
|
|---|---|
show dot1x [interface interface-id] |
Displays IEEE 802.1x status for the specified port. |
dot1x max-reauth-req
Use the dot1x max-reauth-req interface configuration command to set the maximum number of times that the switch restarts the authentication process before a port transitions to the unauthorized state. Use the no form of this command to return to the default setting.
dot1x max-reauth-req count
no dot1x max-reauth-req
Syntax Description
Defaults
The default is 2 times.
Command Modes
Interface configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.
Examples
This example shows how to set 4 as the number of times that the switch restarts the authentication process before the port transitions to the unauthorized state:
Switch(config-if)# dot1x max-reauth-req 4
You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.
Related Commands
|
|
|
|---|---|
Sets the maximum number of times that the switch forwards an EAP frame (assuming that no response is received) to the authentication server before restarting the authentication process. |
|
Sets the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request. |
|
Displays authentication status for the specified port. |
|
show dot1x [interface interface-id] |
Displays 802.1x status for the specified port. |
dot1x max-req
Use the dot1x max-req interface configuration command to set the maximum number of times that the switch sends an Extensible Authentication Protocol (EAP) frame from the authentication server (assuming that no response is received) to the client before restarting the authentication process. Use the no form of this command to return to the default setting.
dot1x max-req count
no dot1x max-req
Syntax Description
Defaults
The default is 2 times.
Command Modes
Interface configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.
Examples
This example shows how to set 5 as the number of times that the switch sends an EAP frame from the authentication server before restarting the authentication process:
Switch(config-if)# dot1x max-req 5
You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.
Related Commands
dot1x pae
Use the dot1x pae interface configuration command to set the IEEE 802.1x port access entity (PAE) type. Use the no form of this command to disable the PAE type that was set
dot1x pae [supplicant | authenticator | both]
no dot1x pae [supplicant | authenticator | both]
Syntax Description
Defaults
The IEEE 802.1x PAE type is not set.
Command Modes
Interface configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
If the dot1x system-auth-control command has not been configured, the supplicant keyword will be the only keyword available for use with this command. (That is, if the dot1x system-auth-control command has not been configured, you cannot configure the interface as an authenticator.)
When you configure IEEE 802.1x authentication on a port by entering the authentication port-control interface configuration command, the switch automatically configures the port as an IEEE 802.1x authenticator. After you enter the no dot1x pae interface configuration command, the authenticator PAE operation is disabled.
Examples
The following example shows how to configure an interface to act as a supplicant:
Router (config-if)# dot1x pae supplicant
You can verify your settings by entering the show dot1x privileged EXEC command.
Related Commands
dot1x supplicant force-multicast
Use the dot1x supplicant force-multicast global configuration command to force a supplicant switch to send only multicast Extensible Authentication Protocol over LAN (EAPOL) packets whenever it receives multicast or unicast EAPOL packets. Use the no form of this command to return to the default setting.
dot1x supplicant force-multicast
no dot1x supplicant force-multicast
Syntax Description
This command has no arguments or keywords.
Defaults
The supplicant switch sends unicast EAPoL packets when it receives unicast EAPOL packets. Similarly, it sends multicast EAPOL packets when it receives multicast EAPOL packets.
Command Modes
Global configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
Enable this command on the supplicant switch for Network Edge Access Topology (NEAT) to work in all host modes.
Examples
This example shows how to force a supplicant switch to send multicast EAPOL packets to authenticator switch:
Switch(config)# dot1x supplicant force-multicast
Related Commands
|
|
|
|---|---|
cisp enable |
Enables Client Information Signalling Protocol (CISP) on a switch so that it acts as an authenticator to a supplicant switch. |
Configures the 802.1x supplicant credentials on the port. |
|
dot1x pae supplicant |
Configures an interface to act only as a supplicant. |
dot1x system-auth-control
Use the dot1x system-auth-control global configuration command to globally enable IEEE 802.1x. Use the no form of this command to return to the default setting.
dot1x system-auth-control
no dot1x system-auth-control
Syntax Description
This command has no arguments or keywords.
Defaults
IEEE 802.1x is disabled.
Command Modes
Global configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
You must enable authentication, authorization, and accounting (AAA) and specify the authentication method list before globally enabling IEEE 802.1x. A method list describes the sequence and authentication methods to be queried to authenticate a user.
Before globally enabling IEEE 802.1x on a switch, remove the EtherChannel configuration from the interfaces on which IEEE 802.1x and EtherChannel are configured.
Examples
This example shows how to globally enable IEEE 802.1x on a switch:
Switch(config)# dot1x system-auth-control
You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.
Related Commands
|
|
|
|---|---|
Enables manual control of the authorization state of the port. |
|
Displays authentication status for the specified port. |
dot1x test eapol-capable
Use the dot1x test eapol-capable privileged EXEC command to monitor IEEE 802.1x activity on all the switch ports and to display information about the devices that are connected to the ports that support IEEE 802.1x.
dot1x test eapol-capable [interface interface-id]
Syntax Description
interface interface-id |
(Optional) Port to be queried. |
Defaults
There is no default setting.
Command Modes
Privileged EXEC
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
Use this command to test the IEEE 802.1x capability of the devices connected to all ports or to specific ports on a switch.
There is not a no form of this command.
Examples
This example shows how to enable the IEEE 802.1x readiness check on a switch to query a port. It also shows the response received from the queried port verifying that the device connected to it is IEEE 802.1x-capable:
switch# dot1x test eapol-capable interface gigabitethernet1/0/13
DOT1X_PORT_EAPOL_CAPABLE:DOT1X: MAC 00-01-02-4b-f1-a3 on gigabitethernet1/0/13 is EAPOL capable
Related Commands
|
|
|
|---|---|
dot1x test timeout timeout |
Configures the timeout used to wait for EAPOL response to an IEEE 802.1x readiness query. |
dot1x test timeout
Use the dot1x test timeout global configuration command to configure the timeout used to wait for EAPOL response from a port being queried for IEEE 802.1x readiness.
dot1x test timeout timeout
Syntax Description
timeout |
Time in seconds to wait for an EAPOL response. The range is from 1 to 65535 seconds. |
Defaults
The default setting is 10 seconds.
Command Modes
Global configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
Use this command to configure the timeout used to wait for EAPOL response.
There is not a no form of this command.
Examples
This example shows how to configure the switch to wait 27 seconds for an EAPOL response:
Switch# dot1x test timeout 27
You can verify the timeout configuration status by entering the show run privileged EXEC command.
Related Commands
|
|
|
|---|---|
dot1x test eapol-capable [interface interface-id] |
Checks for IEEE 802.1x readiness on devices connected to all or to specified IEEE 802.1x-capable ports. |
dot1x timeout
Use the dot1x timeout interface configuration command to set IEEE 802.1x timers. Use the no form of this command to return to the default setting.
dot1x timeout {auth-period seconds | held-period seconds | quiet-period seconds | ratelimit-period seconds | reauth-period {seconds | server} | server-timeout seconds | start-period seconds | supp-timeout seconds | tx-period seconds}
no dot1x timeout {auth-period seconds | held-period seconds | quiet-period seconds | ratelimit-period seconds | reauth-period {seconds | server} | server-timeout seconds | start-period seconds | supp-timeout seconds | tx-period seconds}
Syntax Description
Defaults
These are the default settings:
auth-period is 30 seconds.
held-period is 60 seconds.
quiet-period is 60 seconds.
rate-limit is 1 second.
reauth-period is 3600 seconds.
server-timeout is 30 seconds.
start-period is 30 seconds.
supp-timeout is 30 seconds.
tx-period is 5 seconds.
Command Modes
Interface configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
You should change the default value of the dot1x timeout command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.
The dot1x timeout reauth-period interface configuration command affects the behavior of the switch only if you have enabled periodic re-authentication by using the authentication periodic interface configuration command.
During the quiet period, the switch does not accept or initiate any authentication requests. If you want to provide a faster response time to the user, enter a number smaller than the default.
Examples
This example shows how to enable periodic re-authentication and to set 4000 as the number of seconds between re-authentication attempts:
Switch(config-if)# authentication periodic
Switch(config-if)# dot1x timeout reauth-period 4000
This example shows how to enable periodic re-authentication and to specify the value of the Session-Timeout RADIUS attribute as the number of seconds between re-authentication attempts:
Switch(config-if)# authentication periodic
Switch(config-if)# dot1x timeout reauth-period server
This example shows how to set 30 seconds as the quiet time on the switch:
Switch(config-if)# dot1x timeout quiet-period 30
This example shows how to set 45 seconds as the switch-to-authentication server retransmission time:
Switch(config)# dot1x timeout server-timeout 45
This example shows how to set 45 seconds as the switch-to-client retransmission time for the EAP request frame:
Switch(config-if)# dot1x timeout supp-timeout 45
This example shows how to set 60 as the number of seconds to wait for a response to an EAP-request/identity frame from the client before re-transmitting the request:
Switch(config-if)# dot1x timeout tx-period 60
This example shows how to set 30 as the number of seconds that the switch ignores EAPOL packets from successfully authenticated clients:
Switch(config-if)# dot1x timeout ratelimit-period 30
You can verify your settings by entering the show dot1x privileged EXEC command.
Related Commands
duplex
Use the duplex interface configuration command to specify the duplex mode of operation for a port. Use the no form of this command to return the port to its default value.
duplex {auto | full | half}
no duplex
Syntax Description
Defaults
The default is auto for Fast Ethernet and Gigabit Ethernet ports and for 1000BASE-T small form-factor pluggable (SFP) modules.
The default is half for 100BASE-x (where -x is -BX, -FX, -FX-FE, or - LX) SFP modules.
Command Modes
Interface configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
This command is only available when a 1000BASE-T SFP module or a 100BASE-FX MMF SFP module is in the SFP module slot. All other SFP modules operate only in full-duplex mode.
When a 1000BASE-T SFP module is in the SFP module slot, you can configure duplex mode to auto or full.
When a 100BASE-FX MMF SFP module is in the SFP module slot, you can configure duplex mode to half or full. Although the auto keyword is available, it puts the interface in half-duplex mode (the default) because the 100BASE-FX MMF SFP module does not support autonegotiation.
Certain ports can be configured to be either full duplex or half duplex. Applicability of this command depends on the device to which the switch is attached.
For Fast Ethernet ports, setting the port to auto has the same effect as specifying half if the attached device does not autonegotiate the duplex parameter.
For Gigabit Ethernet ports, setting the port to auto has the same effect as specifying full if the attached device does not autonegotiate the duplex parameter.
Note Half-duplex mode is supported on Gigabit Ethernet interfaces if duplex mode is auto and the connected device is operating at half duplex. However, you cannot configure these interfaces to operate in half-duplex mode.
If both ends of the line support autonegotiation, we highly recommend using the default autonegotiation settings. If one interface supports autonegotiation and the other end does not, configure duplex and speed on both interfaces; do use the auto setting on the supported side.
If the speed is set to auto, the switch negotiates with the device at the other end of the link for the speed setting and then forces the speed setting to the negotiated value. The duplex setting remains as configured on each end of the link, which could result in a duplex setting mismatch.
You can configure the duplex setting when the speed is set to auto.
Changing the interface speed and duplex mode configuration might shut down and re-enable the interface during the reconfiguration.
Note For guidelines on setting the switch speed and duplex parameters, see the software configuration guide for this release.
Examples
This example shows how to configure an interface for full duplex operation:
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# duplex full
You can verify your setting by entering the show interfaces privileged EXEC command.
Related Commands
|
|
|
|---|---|
Displays the interface settings on the switch. |
|
Sets the speed on a 10/100 or 10/100/1000 Mb/s interface. |
errdisable detect cause
Use the errdisable detect cause global configuration command to enable error-disabled detection for a specific cause or all causes. Use the no form of this command to disable the error-disabled detection feature.
errdisable detect cause {all | arp-inspection | dhcp-rate-limit | gbic-invalid | inline-power | l2ptguard | link-flap | loopback | pagp-flap | small-frame}
no errdisable detect cause {all | arp-inspection | dhcp-rate-limit | gbic-invalid | inline-power | l2ptguard | link-flap | pagp-flap | small-frame}
Note Although visible in the command line interface, small-frame keyword is not needed on the switch because the existing broadcast storm disable feature correctly handles small frames.
Syntax Description
Defaults
Detection is enabled for all causes. All causes, except for per-VLAN error disabling, are configured to shut down the entire port.
Command Modes
Global configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
A cause (all, dhcp-rate-limit, and so forth) is the reason why the error-disabled state occurred. When a cause is detected on an interface, the interface is placed in an error-disabled state, an operational state that is similar to a link-down state.
When a port is error-disabled, it is effectively shut down, and no traffic is sent or received on the port. For the BPDU guard and port-security features, you can configure the switch to shut down just the offending VLAN on the port when a violation occurs, instead of shutting down the entire port.
If you set a recovery mechanism for the cause by entering the errdisable recovery global configuration command for the cause, the interface is brought out of the error-disabled state and allowed to retry the operation when all causes have timed out. If you do not set a recovery mechanism, you must enter the shutdown and then the no shutdown commands to manually recover an interface from the error-disabled state.
Examples
This example shows how to enable error-disabled detection for the link-flap error-disabled cause:
Switch(config)# errdisable detect cause link-flap
You can verify your setting by entering the show errdisable detect privileged EXEC command.
Related Commands
|
|
|
|---|---|
Displays errdisable detection information. |
|
show interfaces status err-disabled |
Displays interface status or a list of interfaces in the error-disabled state. |
errdisable recovery
Use the errdisable recovery global configuration command to configure the recover mechanism variables. Use the no form of this command to return to the default setting.
errdisable recovery {cause {all | arp-inspection | bpduguard | channel-misconfig | dhcp-rate-limit | gbic-invalid | inline-power | l2ptguard | link-flap | loopback | pagp-flap | psecure-violation | security-violation | small-frame | udld |unicast-flood | vmps} | {interval interval}
no errdisable recovery {cause {all | arp-inspection | bpduguard | channel-misconfig | dhcp-rate-limit | gbic-invalid | inline-power | l2ptguard | link-flap | loopback | pagp-flap | psecure-violation | security-violation | small-frame | udld |unicast-flood | vmps} | {interval interval}
Note Although visible in the command-line help strings, the storm-control and unicast-flood keywords are not supported. The small-frame keyword is not used because the broadcast-storm disable feature processes small frames
Syntax Description
Defaults
Recovery is disabled for all causes.
The default recovery interval is 300 seconds.
Command Modes
Global configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
A cause (all, bpduguard and so forth) is defined as the reason that the error-disabled state occurred. When a cause is detected on an interface, the interface is placed in error-disabled state, an operational state similar to link-down state. If you do not enable errdisable recovery for the cause, the interface stays in error-disabled state until you enter a shutdown and no shutdown interface configuration command. If you enable the recovery for a cause, the interface is brought out of the error-disabled state and allowed to retry the operation again when all the causes have timed out.
Otherwise, you must enter the shutdown then no shutdown commands to manually recover an interface from the error-disabled state
Examples
This example shows how to enable the recovery timer for the BPDU guard error-disabled cause:
Switch(config)# errdisable recovery cause bpduguard
This example shows how to set the timer to 500 seconds:
Switch(config)# errdisable recovery interval 500
You can verify your settings by entering the show errdisable recovery privileged EXEC command.
Related Commands
|
|
|
|---|---|
Displays errdisable recovery timer information. |
|
show interfaces status err-disabled |
Displays interface status or a list of interfaces in error-disabled state. |
ethernet evc
Use the ethernet evc global configuration command to define an Ethernet virtual connection (EVC) and to enter EVC configuration mode. Use the no form of this command to delete the EVC.
ethernet evc evc-id
no ethernet evc evc-id
Syntax Description
evc-id |
The EVC identifier. This can be a string of from 1 to 100 characters. |
Defaults
No EVCs are defined.
Command Modes
Global configuration
Command History
|
|
|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
After you enter the ethernet evc evc-id command, the switch enters EVC configuration mode, and these configuration commands are available:
•default: sets the EVC to its default states.
•exit: exits EVC configuration mode and returns to global configuration mode.
•no: negates a command or returns a command to its default setting.
•oam protocol cfm svlan: configures the Ethernet operation, administration, and maintenance (OAM) protocol as IEEE 802.1ag Connectivity Fault Management (CFM) and sets parameters. See the oam protocol cfm svlan command.
•uni count: configures a UNI count for the EVC. See the uni count command.
Examples
This example shows how to define an EVC and to enter EVC configuration mode:
Switch(config)# ethernet evc test1
Switch(config-evc)#
Related Commands
|
|
|
service instance id ethernet evc-id |
Configures an Ethernet service instance and attaches an EVC to it. |
Displays information about configured EVCs. |
ethernet lmi
Use the ethernet lmi global configuration command to configure enable Ethernet Local Management Interface (E-LMI) and to configure the switch as a provider-edge (PE) or customer-edge (CE) device. Use the no form of this command to disable E-LMI globally or to disable E-LMI CE.
ethernet lmi {ce | global}
no ethernet lmi {ce | global}
Syntax Description
Defaults
Ethernet LMI is disabled. When enabled with the global keyword, by default the switch is a PR device.
Command Modes
Global configuration
Command History
|
|
|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
Use ethernet lmi global command to enable E-LMI globally. Use ethernet lmi ce command to enable the switch as E-LMI CE device.
Ethernet LMI is disabled by default on an interface and must be explicitly enabled by entering the ethernet lmi interface interface configuration command. The ethernet lmi global command enables Ethernet LMI in PE mode on all interfaces for an entire device. The benefit of this command is that you can enable Ethernet LMI on all interfaces with one command instead of enabling Ethernet LMI separately on each interface. To enable the interface in CE mode, you must also enter the ethernet lmi ce global configuration command.
To disable Ethernet LMI on a specific interface after you have entered the ethernet lmi global command, enter the no ethernet lmi interface interface configuration command.
The sequence in which you enter the ethernet lmi interface interface configuration and ethernet lmi global global configuration commands is important. The latest command entered overrides the prior command entered.
Note For information about the ethernet lmi interface configuration command, go to this URL:
http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a0080690f2d.html#wp1166797
To enable the switch as an Ethernet LMI CE device, you must enter both the ethernet lmi global and ethernet lmi ce commands. By default Ethernet LMI is disabled, and, when enabled the switch is in provider-edge mode unless you also enter the ethernet lmi ce command.
When the switch is configured as an Ethernet LMI CE device, these interface configuration commands and keywords are visible, but not supported:
•service instance
•ethernet uni
•ethernet lmi t392
Examples
This example shows how to configure the switch as an Ethernet LMI CE device:
Switch(config)# ethernet lmi global
Switch(config)# ethernet lmi ce
Related Commands
|
|
|
ethernet lmi interface configuration command |
Enables Ethernet LMI for a user-network interface. |
ethernet lmi ce-vlan map
Use the ethernet lmi ce-vlan map Ethernet service configuration command to configure Ethernet Local Management Interface (E-LMI) parameters. Use the no form of this command to remove the configuration.
ethernet lmi ce-vlan map {vlan-id | any | default | untagged}
no ethernet lmi ce-vlan map {vlan-id | any | default | untagged}
Syntax Description
Defaults
No E-LMI mapping parameters are defined.
Command Modes
Ethernet service configuration
Command History
|
|
|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
Use this command to configure an E-LMI customer VLAN-to-EVC map for a particular user-network interface (UNI).
E-LMI mapping parameters are related to the bundling characteristics set by entering the ethernet uni {bundle [all-to-one] | multiplex} interface configuration command.
•Using the default UNI attribute (bundling and multiplexing) supports multiple EVCs and multiple VLANs.
•Entering the ethernet uni bundle command supports only one EVC with one or more VLANs.
•Entering the ethernet uni bundle all-to-one command supports multiple VLANs but only one EVC. If you use the ethernet lmi ce-vlan map any Ethernet service configuration command, you must first configure all-to-one bundling on the interface.
•Entering the ethernet uni multiplex command supports multiple EVCs with only one VLAN per EVC.
Examples
This example shows how to configure an E-LMI customer VLAN-to-EVC map to map EVC test to customer VLAN 101 in service instance 333 on the interface:
Switch(config-if)# service instance 333 ethernet test
Switch(config-if-srv)# ethernet lmi ce-vlan map 101
Related Commands
|
|
|
service instance id ethernet |
Defines an Ethernet service instance and enters Ethernet service configuration mode. |
Displays information about configured Ethernet service instances. |
ethernet loopback (interface configuration)
Use the ethernet loopback facility interface configuration command to configure per-port loopbacks for testing connectivity across multiple switches. Use the ethernet loopback terminal interface configuration command to test quality of service (QoS). Use the no form of this command to remove the configuration.
ethernet loopback facility [vlan vlan-list] [mac-address {swap | copy}] [timeout {seconds | none}] supported
ethernet loopback terminal [mac-address {swap | copy}] [timeout {seconds | none}] supported
no ethernet loopback
Syntax Description
Defaults
No loopbacks are configured. If no mac-address option is configured, the default is to copy the source and destination addresses.
Command Modes
Interface configuration
Command History
|
|
|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
You can configure Ethernet loopback only on physical ports, not on VLANs or port channels.
A facility loopback puts the port into a state where the link is up, but the line protocol is down for regular traffic. The switch loops back all received traffic.
When you configure VLAN loopback by entering the vlan vlan-list keywords, the other VLANs on the port continue to be switched normally, allowing non-disruptive loopback testing.
The loopback ends after a port event, such as a port shutdown or a change from a switchport to a routed port.
For a terminal loopback, the software sees the port as up, but the link is down, and no packets are sent. Any configuration changes on the port immediately affect the traffic being looped back.
You can configure one loopback per port, and a maximum of two loopbacks per switch. You can configure only on terminal loopback per switch. Therefore, a switch could have one facility loopback and one terminal loopback or two facility loopbacks.
Ethernet loopback interactions with other features:
•You cannot configure SPAN and loopback on a switch at the same time. If you try to configure SPAN on any port while loopback is configured on any port, you receive an error message.
•The port loopback function shares hardware resources with the VLAN-mapping feature. If not enough TCAM resources are available because of VLAN-mapping configuration, when you attempt to configure loopback, you receive an error message, and the configuration is not allowed.
•If loopback is active on a port, you cannot add that port to a Flex Link pair or to an Ether Channel.
After you have configured Ethernet loopback, you enter the ethernet loopback start interface-id privileged EXEC command to begin the loopback. To stop loopback, enter the ethernet loopback stop {interface-id | all} command.
Examples
This example shows how to configure an Ethernet loopback to swap the MAC source and destination addresses, to time out after 30 seconds, to start the loopback process, and to verify the configuration. You must confirm the action before configuring.
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# ethernet loopback facility mac-address swap timeout 30 supported
Switch(config-if)# end
Switch# ethernet loopback start gigabitethernet 0/1
This is an intrusive loopback.
Therefore, while you test Ethernet connectivity,
you will be unable to pass traffic across that link.
Proceed with Local Loopback? [confirm]
Switch# show ethernet loopback
=====================================
Loopback Session 0 : Interface GI0/1
Direction : facility
Type : port
Status : active
MAC Mode : swap
Time out : 30
Time remaining : 25 seconds
This example shows how to also configure a nondisruptive loopback on a second interface:
Switch(config)# interface fastethernet0/1
Switch(config-if)# ethernet loop facility mac-address swap timeout none supported
Switch(config-if)# exit
Switch(config-if)# interface fastethernet0/2
Switch(config-if)# ethernet loop facility vlan 3 mac-address copy timeout 100 supported
switch(config-if)# switch mode trunk
Switch(config-if)# exit
switch(config)# vlan 3
switch(config-vlan)# end
Switch# show ethernet loopback
=====================================
Loopback Session 0 : Interface Fa0/1
Direction : facility
Type : port
Status : configured
MAC Mode : swap
Time out : none
=====================================
Loopback Session 1 : Interface Fa0/2
Direction : facility
Type : vlan
Status : configured
MAC Mode : copy
Vlan : 3
Time out : 100
This example shows how to remove Ethernet loopback facility configuration on two interfaces and to configure Ethernet terminal loopback on an interface.
Switch(config)# interface fastethernet 0/1
switch(config-if)# no ethernet loopback
switch(config-if)# interface fastethernet 0/2
switch(config-if)# no ethernet loopback
switch(config-if)# exit
switch(config)# default interface range fastethernet 0/1-2
switch(config)# interface fastethernet 0/1
switch(config-if)# ethernet loop terminal mad-address swap timeout 300 supported
switch(config-if)# end
Switch# show ethernet loopback
=====================================
Loopback Session 0 : Interface Fa0/1
Direction : terminal
Type : port
Status : configured
MAC Mode : swap
Time out : 300
Related Commands
|
|
|
Starts or stops an Ethernet loopback operation on an interface. |
|
Displays the Ethernet loopbacks configured on the switch or the specified interface. |
ethernet loopback (privileged EXEC)
Use the ethernet loopback privileged EXEC command to start or stop an Ethernet loopback function on an interface.
ethernet loopback {start interface-id | stop {interface-id | all}}
Syntax Description
Defaults
There is no default.
Command Modes
Privileged EXEC
Command History
|
|
|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
Before starting or stopping an Ethernet loopback operation, you must configure it on an interface by entering the ethernet loopback interface configuration command. When you start loopback, you see a warning message.
You can configure Ethernet loopback and enter the ethernet loopback start or ethernet loopback stop command only for physical ports, not for VLANs or port channels.
You cannot start VLAN loopback on nontrunk interfaces. You cannot start terminal loopback on routed interfaces.
You can configure only one loopback per port and a maximum of two loopbacks per switch. You can configure only one terminal loopback per switch.
Examples
This example shows how to start a facility port loopback process, to verify it, and then to stop it:
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# ethernet loopback facility mac-address swap timeout 30 supported
Switch(config-if)# end
Switch# ethernet loopback start gigabitethernet 0/1
This is an intrusive loopback.
Therefore, while you test Ethernet connectivity,
you will be unable to pass traffic across that link.
Proceed with Local Loopback? [confirm]
Switch# show ethernet loopback
=====================================
Loopback Session 0 : Interface Gi0/1
Direction : facility
Type : port
Status : active
MAC Mode : swap
Time out : 30
Time remaining : 25 seconds
Switch# ethernet loop stop all
Dec 4 11:18:44.083: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
Switch# show ethernet loopback
=====================================
Loopback Session 0 : Interface Gi0/1
Direction : facility
Type : port
Status : configured
MAC Mode : swap
Time out : 30
This example shows how to start a VLAN non-intrusive loopback process:
Switch# ethernet loop start fastethernet 0/2
This is a non-intrusive loopback.
Therefore, while you test Ethernet connectivity on vlan 3, you will be unable to pass traffic across it, however, other vlans will be unaffected.
Proceed with Local Loopback? [confirm]
Switch# show ethernet loopback
=====================================
Loopback Session 1 : Interface Fa0/2
Direction : facility
Type : vlan
Status : active
MAC Mode : copy
Vlan : 3
Time out : 100
Time remaining : 94 seconds
Related Commands
|
|
|
Configures an Ethernet loopback operation on an interface. |
|
Displays the Ethernet loopbacks configured on the switch or the specified interface. |
ethernet oam remote-failure
Use the ethernet oam remote-failure interface configuration or configuration template command to configure Ethernet operations, maintenance, and administration (EOM) remote failure indication. Use the no form of this command to remove the configuration.
ethernet oam remote-failure {critical-event | dying-gasp | link-fault} action error-disable-interface
no ethernet oam remote-failure {critical-event | dying-gasp | link-fault} action
Syntax Description
Defaults
Configuration template
Interface configuration
Command Modes
Ethernet service configuration
Command History
|
|
|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
You can apply this command to an Ethernet OAM template and to an interface. The interface configuration takes precedence over template configuration. To enter OAM template configuration mode, use the template template-name global configuration command.
The Cisco CGS 2520 switch does not generate Link Fault or Critical Event OAM PDUs. However, if these PDUs are received from a link partner, they are processed. The switch supports generating and receiving Dying Gasp OAM PDUs when Ethernet OAM is disabled, the interface is shut down, the interface enters the error-disabled state, or the switch is reloading. The switch can also generate and receive Dying Gasp PDUs based on loss of power. The PDU includes a reason code to indicate why it was sent. You can configure an error-disable action to occur if the remote link goes down, if the remote device is disabled, or if the remote device disables Ethernet OAM on the interface.
For complete command and configuration for the Ethernet OAM protocol, see the Cisco IOS feature module at this URL:
http://www.cisco.com/en/US/products/ps6922/products_feature_guide09186a008067344c.html
For documentation for the CFM and Ethernet OAM commands, see this URL:
http://www.cisco.com/en/US/products/ps6922/products_command_reference_book09186a0080699104.html
Examples
This example shows how to configure an Ethernet OAM template for remote-failure indication when an unrecoverable error has occurred and how to apply it to an interface:
Switch(config)# template oam1
Switch(config-template)# ethernet oam remote-failure dying-gasp action error-disable interface
Switch(config-template)# exit
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# source template oam1
Switch(config-if)# exit
This example shows how to configure an Ethernet OAM remote-failure indication on one interface for unrecoverable errors:
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# ethernet oam remote-failure dying-gasp action error-disable interface
Switch(config-if)# exit
Related Commands
|
|
|
show ethernet oam status [interface interface-id] |
Displays configured Ethernet OAM remote failure conditions on all interfaces or on the specified interface. |
ethernet uni
Use the ethernet uni interface configuration command to set UNI bundling attributes. Use the no form of this command to return to the default bundling configuration.
ethernet uni {bundle [all-to-one] | multiplex}
no ethernet uni {bundle | multiplex}
Syntax Description
Defaults
If bundling or multiplexing attributes are not configured, the default is bundling with multiplexing. The UNI then has one or more EVCs with one or more CE VLANs mapped to each EVC.
Command Modes
Interface configuration
Command History
|
|
|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
The UNI attributes determine the functionality that the interface has regarding bundling VLANs, multiplexing EVCs, and the combination of these.
If you want both bundling and multiplexing services for a UNI, you do not need to configure bundling or multiplexing. If you want only bundling, or only multiplexing, you need to configure it appropriately.
When you configure, change, or remove a UNI service type, the EVC and CE-VLAN ID configurations are checked to ensure that the configurations and the UNI service types match. If the configurations do not match, the command is rejected.
If you intend to use the ethernet lmi ce-vlan map any service configuration command, you must first configure all-to-one bundling on the interface. See the ethernet lmi ce-vlan map section for more information.
Examples
This example shows how to configure bundling without multiplexing:
Switch(config-if)# ethernet uni bundle
To verify UNI service type, enter the show ethernet service interface detail privileged EXEC command.
Related Commands
|
|
|
Displays information about Ethernet service instances on an interface, including service type. |
ethernet uni id
Use the ethernet uni interface configuration command to create an Ethernet user-network interface (UNI) ID. Use the no form of this command to remove the UNI ID.
ethernet uni id name
no ethernet uni id
Syntax Description
name |
Identify an Ethernet UNI ID. The name should be unique for all UNIs that are part of a given service instance and can be up to 64 characters in length. |
Defaults
No UNI IDs are created.
Command Modes
Interface configuration
Command History
|
|
|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
When you configure a UNI ID on a port, that ID is used as the default name for all maintenance end points (MEPs) configured on the port.
You must enter the ethernet uni id name command on all ports that are directly connected to customer-edge (CE) devices. If the specified ID is not unique on the device, an error message appears.
Examples
This example shows how to identify a unique UNI:
Switch(config-if)# ethernet uni id test2
Related Commands
|
|
|
Displays information about Ethernet service instances on an interface, including service type. |
exceed-action
Use the exceed-action policy-map class police configuration command to set multiple actions for a policy-map class for packets with a rate between the committed information rate (CIR) or peak information rate (PIR) conform rate and the conform rate plus the exceed burst. Use the no form of this command to cancel the action or to return to the default action.
exceed-action {drop | set-cos-transmit {new-cos-value | [cos | dscp | precedence] [table table-map name]} | set-dscp-transmit {new-dscp-value | [cos | dscp | precedence] [table table-map name]} | set-prec-transmit {new-precedence-value | [cos | dscp | precedence] [table table-map name]} | set-qos-transmit qos-group-value | transmit]}
no exceed-action {drop | set-cos-transmit {new-cos-value | [cos | dscp | precedence] [table table-map name]} | set-dscp-transmit {new-dscp-value | [cos | dscp | precedence] [table table-map name]} | set-prec-transmit {new-precedence-value | [cos | dscp | precedence] [table table-map name]} | set-qos-transmit qos-group-value | transmit]}
Syntax Description
Defaults
The default action is to drop the packet.
Command Modes
Policy-map class police configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
You configure exceed actions for packets when the packet rate is between the configured conform rate and the conform rate plus the exceed burst.
If the conform action is set to drop, the exceed and violate actions are automatically set to drop. If the exceed action is set to drop, the violate action is automatically set to drop.
You can configure exceed-action to send the packet unmodified, mark using explicit values, and use all combinations of enhanced packet marking. Enhanced packet marking provides the ability to modify a QoS marking based on any incoming QoS marking and table maps. The switch also supports the ability to mark multiple QoS parameters for the same class and to simultaneously configure conform-action, exceed-action, and violate-action marking.
Access policy-map class police configuration mode by entering the police policy-map class command. See the police command for more information.
You can use this command to set one or more exceed actions for a traffic class.
Examples
This example shows how configure multiple actions in a policy map that sets an information rate of 23000 bits per second (b/s) and a burst rate of 10000 bps:
Switch(config)# policy-map map1
Switch(config-pmap)# class class1
Switch(config-pmap-c)# police 23000 10000
Switch(config-pmap-c-police)# conform-action transmit
Switch(config-pmap-c-police)# exceed-action set-prec-transmit prec table policed-prec-table-map-name
Switch(config-pmap-c-police)# exit
You can verify your settings by entering the show policy-map privileged EXEC command.
Related Commands
fcs-threshold
Use the fcs-threshold interface configuration command to set the frame check sequence (FCS) bit-error rate. Use the no form of the command to return to the default setting.
fcs-threshold value
no fcs-threshold value
Syntax Description
value |
Value ranges from 6 to 11, representing a bit-error rate from 10-6 to 10-11. |
Defaults
The default rate is 8, which is the bit error rate for Ethernet standard 10-8.
Command Modes
Interface configuration
Command History
|
|
|
|---|---|
12.2(53)EX |
This command was introduced. |
Usage Guidelines
The Ethernet standard calls for a maximum bit error rate of 10-8. On the CGS 2520 switch, you can configure a bit error rate from 10-6 to 10-11. The bit error rate input to the switch is a positive integer. To configure an bit error rate of 10-9, enter the value 9 for the exponent.
You can set an FCS error hysteresis threshold on the switch to prevent the alarm when the actual bit error rate fluctuates near the configured bit error rate by using the alarm facility fcs hysteresis global configuration command.
Examples
This example shows how to set the FCS bit error rate for a port to 10-10:
Switch(config)# interface fastethernet1/1
Switch(config-if)# fcs-threshold 10
Related Commands
|
|
|
|---|---|