Catalyst 3750-X and 3560-X Switch
Cisco IOS Commands
aaa accounting dot1x
Use the aaa accounting dot1x global configuration command to enable authentication, authorization, and accounting (AAA) accounting and to create method lists defining specific accounting methods on a per-line or per-interface basis for IEEE 802.1x sessions. Use the no form of this command to disable IEEE 802.1x accounting.
aaa accounting dot1x { name | default } start-stop { broadcast group { name | radius | tacacs+ } [ group { name | radius | tacacs+ } ... ] | group { name | radius | tacacs+ } [ group { name | radius | tacacs+ }... ]}
no aaa accounting dot1x { name | default }
Syntax Description
name |
Name of a server group. This is optional when you enter it after the broadcast group and group keywords. |
default |
Use the accounting methods that follow as the default list for accounting services. |
start-stop |
Send a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process. The start accounting record is sent in the background. The requested-user process begins regardless of whether or not the start accounting notice was received by the accounting server. |
broadcast |
Enable accounting records to be sent to multiple AAA servers and send accounting records to the first server in each group. If the first server is unavailable, the switch uses the list of backup servers to identify the first server. |
group |
Specify the server group to be used for accounting services. These are valid server group names:
- name —Name of a server group.
- radius —List of all RADIUS hosts.
- tacacs+ —List of all TACACS+ hosts.
The group keyword is optional when you enter it after the broadcast group and group keywords. You can enter more than optional group keyword. |
radius |
(Optional) Enable RADIUS authorization. |
tacacs+ |
(Optional) Enable TACACS+ accounting. |
Defaults
AAA accounting is disabled.
Command Modes
Global configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
This command requires access to a RADIUS server.
We recommend that you enter the dot1x reauthentication interface configuration command before configuring IEEE 802.1x RADIUS accounting on an interface.
Examples
This example shows how to configure IEEE 802.1x accounting:
Switch(config)# aaa new-model
Switch(config)# aaa accounting dot1x default start-stop group radius
Note The RADIUS authentication server must be properly configured to accept and log update or watchdog packets from the AAA client.
Related Commands
|
|
aaa authentication dot1x |
Specifies one or more AAA methods for use on interfaces running IEEE 802.1x. |
aaa new-model |
Enables the AAA access control model. For syntax information, see the Cisco IOS Security Command Reference, Release 12.2 > Authentication, Authorization, and Accounting > Authentication Commands. |
dot1x reauthentication |
Enables or disables periodic reauthentication. |
dot1x timeout reauth-period |
Sets the number of seconds between re-authentication attempts. |
aaa authentication dot1x
Use the aaa authentication dot1x global configuration command on the switch stack or on a standalone switch to specify the authentication, authorization, and accounting (AAA) method to use on ports complying with the IEEE 802.1x authentication. Use the no form of this command to disable authentication.
aaa authentication dot1x { default } method1
no aaa authentication dot1x { default }
Syntax Description
default |
Use the listed authentication method that follows this argument as the default method when a user logs in. |
method1 |
Enter the group radius keywords to use the list of all RADIUS servers for authentication. |
Note Though other keywords are visible in the command-line help strings, only the default and group radius keywords are supported.
Defaults
No authentication is performed.
Command Modes
Global configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
The method argument identifies the method that the authentication algorithm tries in the given sequence to validate the password provided by the client. The only method that is truly IEEE 802.1x-compliant is the group radius method, in which the client data is validated against a RADIUS authentication server.
If you specify group radius, you must configure the RADIUS server by entering the radius-server host global configuration command.
Use the show running-config privileged EXEC command to display the configured lists of authentication methods.
Examples
This example shows how to enable AAA and how to create an IEEE 802.1x-compliant authentication list. This authentication first tries to contact a RADIUS server. If this action returns an error, the user is not allowed access to the network.
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
You can verify your settings by entering the show running-config privileged EXEC command.
Related Commands
|
|
aaa new-model |
Enables the AAA access control model. For syntax information, see the Cisco IOS Security Command Reference, Release 12.2 > Authentication, Authorization, and Accounting > Authentication Commands. |
show running-config |
Displays the operating configuration. |
aaa authorization network
Use the aaa authorization network global configuration command on the switch stack or on a standalone switch to the configure the switch to use user-RADIUS authorization for all network-related service requests, such as IEEE 802.1x per-user access control lists (ACLs) or VLAN assignment. Use the no form of this command to disable RADIUS user authorization.
aaa authorization network default group radius
no aaa authorization network default
Syntax Description
default group radius |
Use the list of all RADIUS hosts in the server group as the default authorization list. |
Defaults
Authorization is disabled.
Command Modes
Global configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
Use the aaa authorization network default group radius global configuration command to allow the switch to download IEEE 802.1x authorization parameters from the RADIUS servers in the default authorization list. The authorization parameters are used by features such as per-user ACLs or VLAN assignment to get parameters from the RADIUS servers.
Use the show running-config privileged EXEC command to display the configured lists of authorization methods.
Examples
This example shows how to configure the switch for user RADIUS authorization for all network-related service requests:
Switch(config)# aaa authorization network default group radius
You can verify your settings by entering the show running-config privileged EXEC command.
Related Commands
|
|
show running-config |
Displays the operating configuration. |
access-list
To enable smart logging for a standard or extended IP access list, use the access-list command in global configuration mode with the smartlog keyword. Matches to ACL entries are logged to a NetFlow collector. To disable smart logging for the access list, use the no form of this command.
access-list access-list-number { deny | permit } source [ source-wildcard ] [ log [ word ] | smartlog ]
access-list access-list-number [ dynamic dynamic-name [ timeout minutes ]] { deny | permit } protocol source source-wildcard destination destination-wildcard [ precedence precedence ] [ tos tos ] [ time-range time-range-name ] [ fragments ] [ log [ word ] | log-input [ word ] | smartlog ]
Syntax Description
smartlog |
(Optional) Sends packet flows matching the access list to a NetFlow collector when smart logging is enabled on the switch. |
Defaults
ACL smart logging is not enabled.
Command Modes
Global configuration
Command History
|
|
12.2(58)SE |
The smartlog keyword was added. |
Usage Guidelines
For the complete syntax description of the access-list command without the smartlog keyword, see the Cisco IOS Security Command Reference.
When an ACL is applied to an interface, packets matching the ACL are denied or permitted based on the ACL configuration. When smart logging is enabled on the switch and an ACL includes the smartlog keyword, the contents of the denied or permitted packet are sent to a Flexible NetFlow collector.
You must also enable smart logging globally by entering the logging smartlog global configuration command.
Only port ACLs (ACLs attached to Layer 2 interfaces) support smart logging. Router ACLs or VLAN ACLs do not support smart logging. Port ACLs do not support logging.
When an ACL is applied to an interface, matching packets can be either logged or smart logged, but not both.
To remove disable smart logging of an access list, enter access-list configuration mode and enter the no deny { source [ source-wildcard ] | host source | any } [ smartlog ] command or the no permit { source [ source-wildcard ] | host source | any } [ smartlog ] command.
You can verify that smart logging is enabled in an ACL by entering the show ip access list privileged EXEC command.
Examples
This example shows how to configure smart logging on an extended access list, ACL 101, which allows IP traffic from the host with the IP address 172.20.10.101 to any destination. When smart logging is enabled and the ACL is attached to a Layer 2 interface, copies of packets matching this criteria are sent to the NetFlow collector.
Switch(config)# acl 101 permit ip host 10.1.1.2 any smartlog
Related Commands
|
|
logging smartlog |
Globally enables smart logging. |
show access list show ip access list |
Displays the contents of all access lists or all IP access lists. |
action
Use the action access-map configuration command on the switch stack or on a standalone switch to set the action for the VLAN access map entry. Use the no form of this command to return to the default setting.
action { drop | forward }
no action
Note This command is not supported on switches running the LAN base feature set.
Syntax Description
drop |
Drop the packet when the specified conditions are matched. |
forward |
Forward the packet when the specified conditions are matched. |
Defaults
The default action is to forward packets.
Command Modes
Access-map configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
You enter access-map configuration mode by using the vlan access-map global configuration command.
If the action is drop, you should define the access map, including configuring any access control list (ACL) names in match clauses, before applying the map to a VLAN, or all packets could be dropped.
In access-map configuration mode, use the match access-map configuration command to define the match conditions for a VLAN map. Use the action command to set the action that occurs when a packet matches the conditions.
The drop and forward parameters are not used in the no form of the command.
Examples
This example shows how to identify and apply a VLAN access map vmap4 to VLANs 5 and 6 that causes the VLAN to forward an IP packet if the packet matches the conditions defined in access list al2 :
Switch(config)# vlan access-map vmap4
Switch(config-access-map)# match ip address al2
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan filter vmap4 vlan-list 5-6
You can verify your settings by entering the show vlan access-map privileged EXEC command.
Related Commands
|
|
access-list { deny | permit } |
Configures a standard numbered ACL. For syntax information, select Cisco IOS IP Command Reference, Volume 1 of 3:Addressing and Services, Release 12.2 > IP Services Commands . |
ip access-list |
Creates a named access list. For syntax information, select Cisco IOS IP Command Reference, Volume 1 of 3:Addressing and Services, Release 12.2 > IP Services Commands . |
mac access-list extended |
Creates a named MAC address access list. |
match (class-map configuration) |
Defines the match conditions for a VLAN map. |
show vlan access-map |
Displays the VLAN access maps created on the switch. |
vlan access-map |
Creates a VLAN access map. |
archive copy-sw
Use the archive copy-sw privileged EXEC command on the stack master to copy the running image from the flash memory on one stack member to the flash memory on one or more other stack members.
archive copy-sw [ /destination-system destination-stack-member-number ] [ /force-reload ] [ leave-old-sw ] [ /no-set-boot ] [ /overwrite ] [ /reload ] [ /safe ] source-stack-member-number
Note This command is supported only on Catalyst 3750-X switches.
Syntax Description
/destination-system destination-stack- member-number |
(Optional) The number of the stack member to which to copy the running image. The range is 1 to 9. |
/force-reload |
(Optional) Unconditionally force a system reload after successfully downloading the software image. |
/leave-old-sw |
(Optional) Keep the old software version after a successful download. |
/no-set-boot |
(Optional) Do not alter the setting of the BOOT environment variable to point to the new software image after it is successfully downloaded. |
/overwrite |
(Optional) Overwrite the software image in flash memory with the downloaded one. |
/reload |
(Optional) Reload the system after downloading the image unless the configuration has been changed and not been saved. |
/safe |
(Optional) Keep the current software image; do not delete it to make room for the new software image before the new image is downloaded. The current image is deleted after the download. |
source-stack-member- number |
The number of the stack member from which to copy the running image. The range is 1 to 9. |
Command Modes
Privileged EXEC
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
The current software image is not overwritten with the copied image.
Both the software image and HTML files are copied.
The new image is copied to the flash: file system.
The BOOT environment variable is changed to point to the new software image on the flash: file system.
Image names are case sensitive; the image file is provided in tar format.
Note To successfully use the archive copy-sw privileged EXEC command, you must have downloaded from a TFTP server the images for both the stack member switch being added and the stack master. You use the archive download-sw privileged EXEC command to perform the download.
At least one stack member must be running the image that is to be copied to the switch that has incompatible software.
You can copy the image to more than one specific stack member by repeating the /destination -system destination-stack-member-number option in the command for each stack member to be upgraded. If you do not specify the destination-stack-member-number, the default is to copy the running image file to all stack members.
Using the /safe or /leave-old-sw option can cause the new copied image to fail if there is insufficient flash memory. If leaving the software in place would prevent the new image from fitting in flash memory due to space constraints, an error results.
If you used the /leave-old-sw option and did not overwrite the old image when you copied the new one, you can remove the old image by using the delete privileged EXEC command. For more information, see the “delete” section on page 141.
Use the /overwrite option to overwrite the image on the flash device with the copied one.
If you specify the command without the /overwrite option, the algorithm verifies that the new image is not the same as the one on the switch flash device or is not running on any stack members. If the images are the same, the copy does not occur. If the images are different, the old image is deleted, and the new one is copied.
After copying a new image, enter the reload privileged EXEC command to begin using the new image, or specify the /reload or /force-reload option in the archive copy-sw command.
You can enter one or more of these options with the s ource-stack-member-number option:
- /destination-system destination-stack-member-number
- / force-reload
- / leave-old-sw
- / no-set-boot
- / overwrite
- / reload
- /safe
If you enter the s ource-stack-member-number option before one of the previous options, you can enter only the archive copy-sw s ource-stack-member-number command.
These are examples of how you can enter the archive copy-sw command:
- To copy the running image from a stack member to another stack member and to overwrite the software image in the second stack member’s flash memory (if it already exists) with the copied one, enter the archive copy-sw /destination destination-stack-member-number /overwrite s ource-stack-member-number command.
- To copy the running image from a stack member to another stack member, keep the current software image, and reload the system after the image copies, enter the archive copy-sw /destination destination-stack-member-number /safe /reload s ource-stack-member-number command.
Examples
This example shows how to copy the running image from stack member 6 to stack member 8:
Switch# archive copy-sw /destination-system 8 6
This example shows how to copy the running image from stack member 6 to all the other stack members:
Switch# archive copy-sw 6
This example shows how to copy the running image from stack member 5 to stack member 7. If the image being copied already exists on the second stack member’s flash memory, it can be overwritten with the copied one. The system reloads after the image is copied:
Switch# archive copy-sw /destination-system 7 /overwrite /force-reload 5
Related Commands
|
|
archive download-sw |
Downloads a new image from a TFTP server to the switch. |
archive tar |
Creates a tar file, lists the files in a tar file, or extracts the files from a tar file. |
archive upload-sw |
Uploads an existing image on the switch to a server. |
delete |
Deletes a file or directory on the flash memory device. |
archive download-sw
Use the archive download-sw privileged EXEC command on the switch stack or on a standalone switch to download a new image from a TFTP server to the switch or switch stack and to overwrite or keep the existing image.
archive download-sw [ /allow-feature-upgrade | /destination-system stack-member-number | / directory source-url1 [ source-url2 source-url3 source-url4 ] | /force-reload | /force-ucode-reload | /imageonly | /leave-old-sw | /no-set-boot | /no-version-check | /only-system-type system-type | /overwrite | /reload | /rolling-stack-upgrade | /safe | /warm ] | directory:source-url1 [ source-url2 ]
Syntax Description
/allow-feature-upgrade |
Allows installation of software images with different feature sets (for example, upgrade from the IP base feature set to the IP services features set). |
/destination-system stack-member-number |
Specifies the specific stack member to be upgraded. The range is 1 to 9. This keyword is supported only on stacking-capable switches. |
/directory |
Specifies a directory for all of the images. |
/force-reload |
Unconditionally forces a system reload after downloading the software image. |
/force-ucode-reload |
Forces the system to reload the switch multipoint control unit (MCU) code before shutting down the switch, which reduces the time that the switch is down. |
/imageonly |
Downloads only the software image but not the HTML files associated with the embedded device manager. The HTML files for the existing version are deleted only if the existing version is being overwritten or removed. |
/leave-old-sw |
Keeps the old software version after a download. |
/no-set-boot |
Does not alter the setting of the BOOT environment variable to point to the new software image after it is downloaded. |
/no-version-check |
Downloads the software image without checking the compatibility of the stack protocol version on the image and on the switch stack. This keyword is supported only on stacking-capable switches. |
/only-system-type system-type |
Specifies the specific system type to be upgraded. The range is 0 to FFFFFFFF. This keyword is supported only on stacking-capable switches. |
/overwrite |
Overwrites the software image in flash memory with the downloaded image. |
/reload |
Reloads the system after downloading the image unless the configuration has been changed and not been saved. |
/rolling-stack-upgrade |
Starts the rolling state upgrade process to upgrade the members one at a time. |
/safe |
Keeps the current software image; does not delete it to make room for the new software image before the new image is downloaded. The current image is deleted after the download. |
/ warm |
Reloads the system using a warm upgrade method after a software upgrade. |
source-url1 [ sourceurl2 sourceurl3 sourceurl4 ] |
The source URLs for the software images. On a standalone switch, enter one source URL for the software image that the switch supports. In a switch stack, you can enter source URLs for the software images that the stack members support as follows:
- Up to two source URLs without the /directory keyword.
- Up to four source URLS with the /directory keyword.
The image-name .tar is the software image to download and install on the switch. These options are supported:
- Local flash file system syntax on the standalone switch or the stack master:
flash:
Local flash file system syntax on a stack member: flash member number : The member number can be from 1 to 9.
- FTP syntax: ftp: [[ // username [ : password ] @ location ]/ directory ] / image-name .tar
- HTTP server syntax:
http:// [[ username : password ]@]{ hostname | host-ip }[/ directory ] / image-name .tar
- Secure HTTP server syntax:
https:// [[ username : password ]@]{ hostname | host-ip }[/ directory ] / image-name .tar
- Remote Copy Protocol (RCP) syntax: rcp: [[ // username @ location ]/ directory ] / image-name .tar
- Secure Copy Protocol (SCP) syntax for the: scp: [[ // username @ location ]/ directory ] / image-name .tar
- The syntax for the TFTP:
tftp: [[ // location ]/ directory ] / image-name .tar
|
Defaults
The current software image is not overwritten with the downloaded image.
Both the software image and the HTML files are downloaded.
The new image is downloaded to the flash: file system.
The BOOT environment variable is changed to point to the new software image on the flash: file system.
Image names are case sensitive; the image file is provided in tar format.
Compatibility of the stack protocol version on the image to be downloaded is checked with the version on the switch stack.
Command Modes
Privileged EXEC
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
12.2(58)SE |
The /rolling-stack-upgrade keywords were added. |
12.2(55)SE3 and 15.0(1)SE |
The /force-ucode-reload keywords were added. |
Usage Guidelines
Use the /allow-feature-upgrade option to allow installation of an image with a different feature set, for example, upgrading from the IP base feature set to the IP services feature.
You can use the archive download-sw /directory command to specify a directory just once, followed by a tar file or list of tar files to be downloaded, instead of specifying complete paths with each tar file. For example, in a mixed hardware stack, you can enter archive download-sw /directory tftp://10.1.1.10/ c3750-ipservices-tar.122-35.SE.tar c3750e-universal-tar.122-35.SE2.tar
The /imageonly option removes the HTML files for the existing image if the existing image is being removed or replaced. Only the Cisco IOS image (without the HTML files) is downloaded.
Using the /safe or /leave-old-sw option can cause the new image download to fail if there is insufficient flash memory. If leaving the software in place prevents the new image from fitting in flash memory due to space constraints, an error results.
If you used the /leave-old-sw option and did not overwrite the old image when you downloaded the new one, you can remove the old image by using the delete privileged EXEC command. For more information, see the “delete” section on page 141.
Use the /no-version-check option if you want to download an image that has a different stack protocol version than the one existing on the switch stack. You must use this option with the /destination-system option to specify the specific stack member to be upgraded with the image.
Note Use the /no-version-check option with care. All stack members, including the stack master, must have the same stack protocol version to be in the same switch stack. This option allows an image to be downloaded without first confirming the compatibility of its stack protocol version with the version of the switch stack.
You can upgrade more than one specific stack member by repeating the /destination-system option in the command for each stack member to be upgraded.
Use the /overwrite option to overwrite the image on the flash device with the downloaded one.
If you specify the command without the /overwrite option, the download algorithm verifies that the new image is not the same as the one on the switch flash device or is not running on any stack members. If the images are the same, the download does not occur. If the images are different, the old image is deleted, and the new one is downloaded.
After downloading a new image, enter the reload privileged EXEC command to begin using the new image, or specify the /reload or /force-reload option in the archive download-sw command.
If you use the archive download-sw command on a Catalyst 3560-X or on a Catalyst 3750-X switch or switch stack (including a mixed stack), after the switch reload and while the links are still shut down, the MCU ucode is upgraded (if necessary). If you use the /force-ucode-reload option, the system performs the ucode upgrade before the reload, which reduces network downtime. When you enter the /force-ucode-reload option, you see a message explaining the behavior, requiring you to enter yes to continue.
Use the /directory option to specify a directory for the images.
Before starting the rolling stack upgrade, configure at least a redundant uplink to the network to ensure that the stack has network connectivity during the upgrade.
Examples
This example shows how to download a new image from a TFTP server at 172.20.129.10 and to overwrite the image on the switch:
Switch# archive download-sw /overwrite tftp://172.20.129.10/test-image.tar
This example shows how to download only the software image from a TFTP server at 172.20.129.10 to the switch:
Switch# archive download-sw /imageonly tftp://172.20.129.10/test-image.tar
This example shows how to keep the old software version after a successful download:
Switch# archive download-sw /leave-old-sw tftp://172.20.129.10/test-image.tar
This example specifies the location of two tar images without having to specify the path each time:
Switch# archive download-sw tftp://10.1.1.10/
c3750x-universal-tar.122-53.SE2.tar c3750e-universal-tar.122-35.SE2.tar
This example specifies the location of three tar images without having to specify the path each time:
Switch# archive download-sw /directory tftp://10.1.1.10/
c3750x-universal-tar.122-53.SE2.tar c3750e-universal-tar.122-35.SE2.tar c3750-ipbase-tar.122-35.SE.tar
This example shows how to upgrade stack members 6 and 8:
Switch# archive download-sw /imageonly /destination-system 6 /destination-system 8 tftp://172.20.129.10/test-image.tar
This example shows hot to start a rolling stack update:
Switch# archive download-sw /rolling-stack-update
This is an example of the output when you enter the /force-ucode-reload option:
Switch# archive download-sw /force-ucode-reload
A UCODE upgrade with forced reload results in a shorter reload time and downtime
for the switch or stack if the switch requires new UCODE with the new software.
If no UCODE upgrade is required after the software download, then the reload
After a successful software download and upgrade, and if the UCODE upgrade is
necessary, the reload may be delayed by up to 20 minutes (though typically
less) in order to complete the UCODE upgrade. During this time, on
supported switches, no new powered devices will be granted power, no new
power supplies will be recognized, and stack-power topology changes will not
be indicated on the console. All other switch functionality is unaffected.
Do you wish to continue? (yes/[no]): yes
Related Commands
|
|
archive copy-sw |
Copies the running image from the flash memory on one stack member to the flash memory on one or more other stack members. |
archive tar |
Creates a tar file, lists the files in a tar file, or extracts the files from a tar file. |
archive upload-sw |
Uploads an existing image on the switch to a server. |
delete |
Deletes a file or directory on the flash memory device. |
rsu { active | standby } |
Configures a redundant uplink to the network during the rolling stack upgrade. |
archive tar
Use the archive tar privileged EXEC command on the switch stack or on a standalone switch to create a tar file, list files in a tar file, or extract the files from a tar file.
archive tar { /create destination-url flash:/ file-url } | { /table source-url } | { /xtract source-url flash:/ file-ur l [ dir/file ...]}
Syntax Description
/create destination-url flash:/ file-url |
Create a new tar file on the local or network file system. For destination-url, specify t he destination URL alias for the local or network file system and the name of the tar file to create. These options are supported:
- The syntax for the local flash filesystem:
flash:
- The syntax for the FTP: ftp: [[ // username [ : password ] @ location ]/ directory ] / tar-filename .tar
- The syntax for an HTTP server:
http:// [[ username : password ]@]{ hostname | host-ip }[/ directory ] / image-name .tar
- The syntax for a secure HTTP server:
https:// [[ username : password ]@]{ hostname | host-ip }[/ directory ] / image-name .tar
- The syntax for the Remote Copy Protocol (RCP): rcp: [[ // username @ location ]/ directory ] / tar-filename .tar
- The syntax for the TFTP: tftp: [[ // location ]/ directory ] / tar-filename .tar
The tar-filename .tar is the tar file to be created. For flash:/ file-url, specify t he location on the local flash file system from which the new tar file is created. An optional list of files or directories within the source directory can be specified to write to the new tar file. If none are specified, all files and directories at this level are written to the newly created tar file. |
/table source-url |
Display the contents of an existing tar file to the screen. For source-url, specify the source URL alias for the local or network file system. These options are supported:
- The syntax for the local flash file system:
flash:
- The syntax for the FTP:
ftp: [[ // username [ : password ] @ location ]/ directory ] / tar-filename .tar
- The syntax for an HTTP server:
http:// [[ username : password ]@]{ hostname | host-ip }[/ directory ] / image-name .tar
- The syntax for a secure HTTP server:
https:// [[ username : password ]@]{ hostname | host-ip }[/ directory ] / image-name .tar
- The syntax for the RCP: rcp: [[ // username @ location ]/ directory ] / tar-filename .tar
- The syntax for the TFTP: tftp: [[ // location ]/ directory ] / tar-filename .tar
The tar-filename .tar is the tar file to display. |
/xtract source-url flash:/ file-url [ dir/file... ] |
Extract files from a tar file to the local file system. For source-url , specify t he source URL alias for the local file system. These options are supported:
- The syntax for the local flash file system:
flash:
- The syntax for the FTP: ftp: [[ // username [ : password ] @ location ]/ directory ] / tar-filename .tar
- The syntax for an HTTP server:
http:// [[ username : password ]@]{ hostname | host-ip }[/ directory ] / image-name .tar
- The syntax for a secure HTTP server:
https:// [[ username : password ]@]{ hostname | host-ip }[/ directory ] / image-name .tar
- The syntax for the RCP: rcp: [[ // username @ location ]/ directory ] / tar-filename .tar
- The syntax for the TFTP: tftp: [[ // location ]/ directory ] / tar-filename .tar
The tar-filename .tar is the tar file from which to extract. For flash:/ file-url [ dir/file ...], specify t he location on the local flash file system into which the tar file is extracted. Use the dir/file... option to specify an optional list of files or directories within the tar file to be extracted. If none are specified, all files and directories are extracted. |
Defaults
There is no default setting.
Command Modes
Privileged EXEC
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
Filenames and directory names are case sensitive.
Image names are case sensitive.
Examples
This example shows how to create a tar file. The command writes the contents of the new-configs directory on the local flash device to a file named saved.tar on the TFTP server at 172.20.10.30:
Switch# archive tar /create tftp:172.20.10.30/saved.tar flash:/new-configs
This example shows how to display the contents of an image file that is in flash memory. An example of an image file name is c3750x-universal-tar.12-53.SE2. The contents of the tar file appear on the screen:
Switch# archive tar /table flash:image_name.tar
image_name/info (219 bytes)
This example shows how to display only the html directory and its contents:
Switch# archive tar /table flash:image_name/html
image_name/html/ (directory)
image_name/html/const.htm (556 bytes)
image_name/html/xhome.htm (9373 bytes)
image_name/html/menu.css (1654 bytes)
This example shows how to extract the contents of a tar file on the TFTP server at 172.20.10.30. This command extracts just the new-configs directory into the root directory on the local flash file system. The remaining files in the saved.tar file are ignored.
Switch# archive tar /xtract tftp://172.20.10.30/saved.tar flash:/ new-configs
Related Commands
|
|
archive copy-sw |
Copies the running image from the flash memory on one stack member to the flash memory on one or more other stack members. |
archive download-sw |
Downloads a new image from a TFTP server to the switch. |
archive upload-sw |
Uploads an existing image on the switch to a server. |
archive upload-sw
Use the archive upload-sw privileged EXEC command on the switch stack or on a standalone switch to upload an existing switch image to a server.
archive upload-sw [ /source-system-num stack member number | /version version_string ] destination-url
Syntax Description
/source-system-num stack member number |
Specify the specific stack member containing the image that is to be uploaded. This keyword is supported only on stacking-capable switches. |
/version version_string |
(Optional) Specify the specific version string of the image to be uploaded. |
destination-url |
The destination URL alias for a local or network file system. The image-name .tar is the name of software image to be stored on the server. These options are supported:
- Local flash file system syntax on the standalone switch or the stack master:
flash:
Local flash file system syntax on a stack member: flash member number :
- FTP syntax: ftp: [[ // username [ : password ] @ location ]/ directory ] / image-name .tar
- HTTP server syntax:
http:// [[ username : password ]@]{ hostname | host-ip }[/ directory ] / image-name .tar
- Secure HTTP server syntax:
https:// [[ username : password ]@]{ hostname | host-ip }[/ directory ] / image-name .tar
- Remote Copy Protocol (RCP) syntax: rcp: [[ // username @ location ]/ directory ] / image-name .tar
- TFTP syntax:
tftp: [[ // location ]/ directory ] / image-name .tar
|
Defaults
Uploads the currently running image from the flash: file system.
Command Modes
Privileged EXEC
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
You must specify that the /source-system-num option uses the /version option. The options together upload the specified image, not the running image, of a specific stack member.
Use the upload feature only if the HTML files associated with the embedded device manager have been installed with the existing image.
The files are uploaded in this sequence: the Cisco IOS image, the HTML files, and info. After these files are uploaded, the software creates the tar file.
Image names are case sensitive.
Examples
This example shows how to upload the currently running image on stack member 6 to a TFTP server at 172.20.140.2:
Switch# archive upload-sw /source-system-num 6 tftp://172.20.140.2/test-image.tar
Related Commands
|
|
archive copy-sw |
Copies the running image from the flash memory on one stack member to the flash memory on one or more other stack members. |
archive download-sw |
Downloads a new image to the switch. |
archive tar |
Creates a tar file, lists the files in a tar file, or extracts the files from a tar file. |
arp access-list
Use the arp access-list global configuration command on the switch stack or on a standalone switch to define an Address Resolution Protocol (ARP) access control list (ACL) or to add clauses to the end of a previously defined list. Use the no form of this command to delete the specified ARP access list.
arp access-list acl-name
no arp access-list acl-name
Syntax Description
acl-name |
Name of the ACL. |
Defaults
No ARP access lists are defined.
Command Modes
Global configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
After entering the arp access-list command, you enter ARP access-list configuration mode, and these configuration commands are available:
- default : returns a command to its default setting.
- deny : specifies packets to reject. For more information, see the “deny (ARP access-list configuration)” section on page 144.
- exit : exits ARP access-list configuration mode.
- no : negates a command or returns to default settings.
- permit : specifies packets to forward. For more information, see the “permit (ARP access-list configuration)” section on page 461.
Use the permit and deny access-list configuration commands to forward and to drop ARP packets based on the specified matching criteria.
When the ARP ACL is defined, you can apply it to a VLAN by using the ip arp inspection filter vlan global configuration command. ARP packets containing only IP-to-MAC address bindings are compared to the ACL. All other types of packets are bridged in the ingress VLAN without validation. If the ACL permits a packet, the switch forwards it. If the ACL denies a packet because of an explicit deny statement, the switch drops the packet. If the ACL denies a packet because of an implicit deny statement, the switch compares the packet to the list of DHCP bindings (unless the ACL is static, which means that packets are not compared to the bindings).
Examples
This example shows how to define an ARP access list and to permit both ARP requests and ARP responses from a host with an IP address of 1.1.1.1 and a MAC address of 0000.0000.abcd:
Switch(config)# arp access-list static-hosts
Switch(config-arp-nacl)# permit ip host 1.1.1.1 mac host 00001.0000.abcd
Switch(config-arp-nacl)# end
You can verify your settings by entering the show arp access-list privileged EXEC command.
Related Commands
|
|
deny (ARP access-list configuration) |
Denies an ARP packet based on matches compared against the DHCP bindings. |
ip arp inspection filter vlan |
Permits ARP requests and responses from a host configured with a static IP address. |
permit (ARP access-list configuration) |
Permits an ARP packet based on matches compared against the DHCP bindings. |
show arp access-list |
Displays detailed information about ARP access lists. |
authentication command bounce-port ignore
Use the authentication command bounce-port ignore global configuration command on the switch stack or on a standalone switch to allow the switch to ignore a command to temporarily disable a port. Use the no form of this command to return to the default status.
authentication command bounce-port ignore
no authentication command bounce-port ignore
Syntax Description
This command has no arguments or keywords.
Defaults
The switch accepts a RADIUS Change of Authorization (CoA) bounce port command.
Command Modes
Global configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
The CoA bounce port command causes a link flap, which triggers a DHCP renegotiation from the host. This is useful when a VLAN change occurs and the endpoint is a device such as a printer, that has no supplicant to detect the change. Use this command to configure the switch to ignore the bounce port command.
Examples
This example shows how to instruct the switch to ignore a CoA bounce port command:
Switch(config)# authentication command bounce-port ignore
Related Commands
|
|
authentication command disable-port ignore |
Configures the switch to ignore a CoA disable port command. |
authentication command disable-port ignore
Use the authentication command disable-port ignore global configuration command on the switch stack or on a standalone switch to allow the switch to ignore a command to disable a port. Use the no form of this command to return to the default status.
authentication command disable-port ignore
no authentication command disable-port ignore
Syntax Description
This command has no arguments or keywords.
Defaults
The switch accepts a RADIUS Change of Authorization (CoA) disable port command.
Command Modes
Global configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
The CoA disable port command administratively shuts down a port hosting a session, resulting in session termination. Use this command to configure the switch to ignore this command.
Examples
This example shows how to instruct the switch to ignore a CoA disable port command:
Switch(config)# authentication command disable-port ignore
Related Commands
|
|
authentication command bounce-port ignore |
Configures the switch to ignore a CoA bounce port command. |
authentication control-direction
Use the authentication control-direction interface configuration command to configure the port mode as unidirectional or bidirectional. Use the no form of this command to return to the default setting.
authentication control-direction {both | in}
no authentication control-direction
Syntax Description
both |
Enable bidirectional control on port. The port cannot receive packets from or send packets to the host. |
in |
Enable unidirectional control on port. The port can send packets to the host but cannot receive packets from the host. |
Defaults
The port is in bidirectional mode.
Command Modes
Interface configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
Use the both keyword or the no form of this command to return to the default setting (bidirectional mode).
Examples
This example shows how to enable bidirectional mode:
Switch(config-if)# authentication control-direction both
This example shows how to enable unidirectional mode:
Switch(config-if)# authentication control-direction in
You can verify your settings by entering the show authentication privileged EXEC command.
Related Commands
|
|
authentication event |
Sets the action for specific authentication events. |
authentication fallback |
Configures a port to use web authentication as a fallback method for clients that do not support IEEE 802.1x authentication. |
authentication host-mode |
Sets the authorization manager mode on a port. |
authentication open |
Enables or disables open access on a port. |
authentication order |
Sets the order of authentication methods used on a port. |
authentication periodic |
Enable or disables reauthentication on a port. |
authentication port-control |
Enables manual control of the port authorization state. |
authentication priority |
Adds an authentication method to the port-priority list. |
authentication timer |
Configures the timeout and reauthentication parameters for an 802.1x-enabled port. |
authentication violation |
Configures the violation modes that occur when a new device connects to a port or when a new device connects to a port with the maximum number of devices already connected to that port. |
show authentication |
Displays information about authentication manager events on the switch. |
authentication event
To set the actions for specific authentication events on the port, use the authentication event interface configuration command. To return to the default settings, use the no form of the command.
authentication event {[ linksec ] fail [ retry retry count ] action { authorize vlan vlan-id | next-method }} | { no-response action authorize vlan vlan-id } | { server { alive action reinitialize } | { dead action { authorize { vlan vlan-id | voice } | reinitialize vlan vlan-id }}
no authentication event {[ linksec ] fail | no-response | { server { alive } | { dead [ action { authorize { vlan vlan-id | voice } | reinitialize vlan }] }
Syntax Descriptionno authentication event {fail [action[authorize vlan vlan-id | next-method] {| retry {retry count}]} {no-response action authorize vlan vlan-id} {server {alive action reinitialize} | {dead action [authorize | reinitialize vlan vlan-id]}}
action |
Configure the required action for an authentication event. |
alive |
Configure the authentication, authorization, and accounting (AAA) server alive actions. |
authorize |
Authorize the port. |
dead |
Configure the AAA server dead actions. |
fail |
Configure the failed-authentication parameters. |
linksec fail action |
See the authentication event linksec fail action command. |
next-method |
Move to next authentication method. |
no-response |
Configure the non-responsive host actions. |
reinitialize |
Reinitialize all authorized clients |
retry |
Enable retry attempts after a failed authentication. |
retry count |
Number of retry attempts from 0 to 5. |
server |
Configure the actions for AAA server events. |
vlan |
Specify the authentication-fail VLAN from 1 to 4094. |
vlan-id |
VLAN ID number from 1 to 4094. |
voice |
Specifies that if the traffic from the host is tagged with the voice VLAN, the device is placed in the configured voice VLAN on the port. |
Defaults
No event responses are configured on the port.
Command Modes
Interface configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
15.0(1)SE |
The voice keyword was added. |
Usage Guidelines
Use this command with the fail, no-response, or event keywords to configure the switch response for a specific action.
For authentication-fail events:
- If the supplicant fails authentication, the port is moved to a restricted VLAN, and an EAP success message is sent to the supplicant because it i s not notified of the actual authentication failure.
– If the EAP success message is not sent, the supplicant tries to authenticate every 60 seconds (the default) by sending an EAP-start message.
– Some hosts (for example, devices running Windows XP) cannot implement DHCP until they receive an EAP success message.
The restricted VLAN is supported only in single host mode (the default port mode). When a port is placed in a restricted VLAN, the supplicant's MAC address is added to the MAC address table. Any other MAC address on the port is treated as a security violation.
- You cannot configure an internal VLANs for Layer 3 ports as a restricted VLAN. You cannot specify the same VLAN as a restricted VLAN and as a voice VLAN.
Enable re-authentication with restricted VLANs. If re-authentication is disabled, the ports in the restricted VLANs do not receive re-authentication requests if it is disabled.
To start the re-authentication process, the restricted VLAN must receive a link-down event or an Extensible Authentication Protocol (EAP) logoff event from the port. If a host is connected through a hub:
– The port might not receive a link-down event when the host is disconnected.
– The port might not detect new hosts until the next re-authentication attempt occurs.
When you reconfigure a restricted VLAN as a different type of VLAN, ports in the restricted VLAN are also moved and stay in their currently authorized state.
For no-response events:
- If you enable a guest VLAN on an IEEE 802.1x port, the switch assigns clients to a guest VLAN when it does not receive a response to its Extensible Authentication Protocol over LAN (EAPOL) request/identity frame or when EAPOL packets are not sent by the client.
- The switch maintains the EAPOL packet history. If another EAPOL packet is detected on the port during the lifetime of the link, the guest VLAN feature is disabled. If the port is already in the guest VLAN state, the port returns to the unauthorized state, and authentication restarts. The EAPOL history is cleared.
- If the switch port is moved to the guest VLAN (multi-host mode), multiple non-IEEE 802.1x-capable clients are allowed access. If an IEEE 802.1x-capable client joins the same port on which the guest VLAN is configured, the port is put in the unauthorized state in the RADIUS-configured or user-configured access VLAN, and authentication restarts.
You can configure any active VLAN except a Remote Switched Port Analyzer (RSPAN) VLAN, a primary private VLAN, or a voice VLAN as an IEEE 802.1x guest VLAN. The guest VLAN feature is supported only on access ports. It is not supported on internal VLANs (routed ports) or trunk ports.
- When MAC authentication bypass is enabled on an IEEE 802.1x port, the switch can authorize clients based on the client MAC address if IEEE 802.1x authentication times out while waiting for an EAPOL message exchange. After detecting a client on an IEEE 802.1x port, the switch waits for an Ethernet packet from the client. The switch sends the authentication server a RADIUS-access/request frame with a username and password based on the MAC address.
– If authorization succeeds, the switch grants the client access to the network.
– If authorization fails, the switch assigns the port to the guest VLAN if one is specified.
For more information, see the "Using IEEE 802.1x Authentication with MAC Authentication Bypass" section in the "Configuring IEEE 802.1x Port-Based Authentication" chapter of the software configuration guide.
For server-dead events:
- When the switch moves to the critical-authentication state, new hosts trying to authenticate are moved to the critical-authentication VLAN (or critical VLAN). This applies whether the port is in single-host, multiple-host, multiauth, or MDA mode. Authenticated hosts remain in the authenticated VLAN, and the reauthentication timers are disabled.
- If a client is running Windows XP and the critical port to which the client is connected is in the critical-authentication state, Windows XP might report that the interface is not authenticated.
If the Windows XP client is configured for DHCP and has an IP address from the DHCP server and a critical port receives an EAP-Success message, the DHCP configuration process might not re-initiate.
You can verify your settings by entering the show authentication privileged EXEC command.
Examples
This example shows how to configure the authentication event fail command:
Switch(config-if)# authentication event fail action authorize vlan 20
This example shows how to configure a no-response action:
Switch(config-if)# authentication event no-response action authorize vlan 10
This example shows how to configure a server-response action:
Switch(config-if)# authentication event server alive action reinitialize
This example shows how to configure a port to send both new and existing hosts to the critical VLAN when the RADIUS server is unavailable. Use this command for ports in multiple authentication (multiauth) mode or if the voice domain of the port is in MDA mode:
Switch(config-if)# authentication event server dead action authorize vlan 10
This example shows how to configure a port to send both new and existing hosts to the critical VLAN when the RADIUS server is unavailable and if the traffic from the host is tagged with the voice VLAN to put the host in the configured voice VLAN on the port. Use this command for ports in multiple-host or multiauth mode:
Switch(config-if)# authentication event server dead action reinitialize vlan 10
Switch(config-if)# authentication event server dead action authorize voice
Related Commands
|
|
authentication control-direction |
Configures the port mode as unidirectional or bidirectional. |
authentication fallback |
Configures a port to use web authentication as a fallback method for clients that do not support IEEE 802.1x authentication |
authentication host-mode |
Sets the authorization manager mode on a port. |
authentication open |
Enables or disable open access on a port. |
authentication order |
Sets the order of authentication methods used on a port. |
authentication periodic |
Enables or disables reauthentication on a port |
authentication port-control |
Enables manual control of the port authorization state. |
authentication priority |
Adds an authentication method to the port-priority list. |
authentication timer |
Configures the timeout and reauthentication parameters for an 802.1x-enabled port. |
authentication violation |
Configures the violation modes that occur when a new device connects to a port or when a new device connects to a port after the maximum number of devices are connected to that port. |
show authentication |
Displays information about authentication manager events on the switch. |
authentication event linksec fail action
To configure the required action for a link-security authentications failure, use the authentication event linksec fail action interface configuration command. To disable the configured fail action, use the no form of this command.
authentication event linksec fail action {authorize vlan vlan-id | next-method}
no authentication event linksec fail action
Syntax Description
authorize vlan vlan-id |
Authorizes the port and configures a linksec-fail VLAN ID to use if the link-security authentication fails. |
next-method |
Moves to the next authentication method. The order of authentication methods is specified by the authentication order command. |
Defaults
The default is to take no action when link-security authentication fails.
Command Modes
Interface configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
When link-security authentication fails because of unrecognized user credentials, this command specifies that the switch authorizes a restricted VLAN on the port.
Examples
This example configures the interface so that the port is assigned to a restricted VLAN 40 after a failed authentication attempt:
Switch(config)# interface gigabitethernet1/0/3
Switch(config-if)# authentication event linksec fail action authorize vlan 40
You can verify your setting by entering the show authentication sessions privileged EXEC command.
Related Commands
|
|
show authentication sessions |
Displays information about authentication events on the switch. |
authentication fallback
Use the authentication fallback interface configuration command to configure a port to use web authentication as a fallback method for clients that do not support IEEE 802.1x authentication. To return to the default setting, use the no form of this command.
authentication fallback name
no authentication fallback name
Syntax Description
name |
Specify a web authentication fallback profile. |
Defaults
No fallback is enabled.
Command Modes
Interface configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
You must enter the authentication port-control auto interface configuration command before configuring a fallback method.
You can only configure web authentication as a fallback method to 802.1x or MAB, so one or both of these authentication methods should be configured for the fallback to enable.
Examples
This example shows how to specify a fallback profile on a port:
Switch(config-if)# authentication fallback profile1
You can verify your settings by entering the show authentication privileged EXEC command.
Related Commands
|
|
authentication control-direction |
Configures the port mode as unidirectional or bidirectional. |
authentication event |
Sets the action for specific authentication events. |
authentication host-mode |
Sets the authorization manager mode on a port. |
authentication open |
Enables or disable open access on a port. |
authentication order |
Sets the order of authentication methods used on a port. |
authentication periodic |
Enables or disables reauthentication on a port. |
authentication port-control |
Enables manual control of the port authorization state. |
authentication priority |
Adds an authentication method to the port-priority list. |
authentication timer |
Configures the timeout and reauthentication parameters for an 802.1x-enabled port. |
authentication violation |
Configures the violation modes that occur when a new device connects to a port or when a new device connects to a port after the maximum number of devices are connected to that port. |
show authentication |
Displays information about authentication manager events on the switch. |
authentication host-mode
Use the authentication host-mode interface configuration command to set the authorization manager mode on a port.
authentication host-mode [multi-auth | multi-domain | multi-host | single-host]
no authentication host-mode [multi-auth | multi-domain | multi-host | single-host]]
Syntax Description
multi-auth |
Enable multiple-authorization mode (multiauth mode) on the port. |
multi-domain |
Enable multiple-domain mode on the port. |
multi-host |
Enable multiple-host mode on the port. |
single-host |
Enable single-host mode on the port. |
Defaults
Single host mode is enabled.
Command Modes
Interface configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
Single-host mode should be configured if only one data host is connected. Do not connect a voice device to authenticate on a single-host port. Voice device authorization fails if no voice VLAN is configured on the port.
Multi-domain mode should be configured if data host is connected through an IP Phone to the port. Multi-domain mode should be configured if the voice device needs to be authenticated.
Multi-auth mode should be configured to allow devices behind a hub to obtain secured port access through individual authentication. Only one voice device can be authenticated in this mode if a voice VLAN is configured.
Multi-host mode also offers port access for multiple hosts behind a hub, but multi-host mode gives unrestricted port access to the devices after the first user gets authenticated.
Examples
This example shows how to enable multiauth mode on a port:
Switch(config-if)# authentication host-mode multi-auth
This example shows how to enable multi-domain mode on a port:
Switch(config-if)# authentication host-mode multi-domain
This example shows how to enable multi-host mode on a port:
Switch(config-if)# authentication host-mode multi-host
This example shows how to enable single-host mode on a port:
Switch(config-if)# authentication host-mode single-host
You can verify your settings by entering the show authentication privileged EXEC command.
Related Commands
|
|
authentication control-direction |
Configures the port mode as unidirectional or bidirectional. |
authentication event |
Sets the action for specific authentication events. |
authentication fallback |
Configures a port to use web authentication as a fallback method for clients that do not support IEEE 802.1x authentication |
authentication open |
Enables or disable open access on a port. |
authentication order |
Sets the order of authentication methods used on a port. |
authentication periodic |
Enables or disable reauthentication on a port. |
authentication port-control |
Enables manual control of the port authorization state. |
authentication priority |
Adds an authentication method to the port-priority list. |
authentication timer |
Configures the timeout and reauthentication parameters for an 802.1x-enabled port. |
authentication violation |
Configures the violation modes that occur when a new device connects to a port or when a new device connects to a port after the maximum number of devices are connected to that port. |
show authentication |
Displays information about authentication manager events on the switch. |
authentication linksec policy
To set the static selection of a link-security policy, use the authentication linksec policy interface configuration command. To return to the default state, use the no form of this command.
authentication linksec policy { must-not-secure | must-secure | should-secure }
no authentication linksec policy
Syntax Description
must-not-secure |
Establishes the host session without Media Access Control Security (MACsec). Never secures the sessions. |
must-secure |
Secures the session with MACsec. Always secures the sessions. |
should-secure |
Optionally secures the session with MACsec. |
Defaults
The default is to support a link security policy of should secure.
Command Modes
MKA policy configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
The linksec policy might change after a successful reauthentication started by a local timer or a change of authorization (CoA) reauthenticate command. If the policy changes from must-not-secure to must-secure after a reauthentication, the system attempts to secure the session. If the MACsec key does not renegotiate a MACsec connection after a reauthentication, the session is terminated, and all local states are removed.
A per-user policy received after authentication overrides the interface configuration policy.
Examples
This example configures the interface to always secure MACsec sessions:
Switch(config)# interface gigabitethernet1/0/3
Switch(config-if)# authentication linksec policy must-secure
You can verify your setting by entering the show authentication sessions privileged EXEC command.
Related Commands
|
|
show authentication sessions |
Displays information about authentication events on the switch. |
authentication mac-move permit
Use the authentication mac-move permit global configuration command to enable MAC move on a switch. Use the no form of this command to return to the default setting.
authentication mac-move permit
no authentication mac-move permit
Syntax Description
This command has no arguments or keywords.
Defaults
MAC move is disabled.
Command Modes
Global configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
The command enables authenticated hosts to move between 802.1x-enabled ports on a switch. For example, if there is a device between an authenticated host and port, and that host moves to another port, the authentication session is deleted from the first port, and the host is reauthenticated on the new port.
If MAC move is disabled, and an authenticated host moves to another port, it is not reauthenticated, and a violation error occurs.
MAC move is not supported on port-security enabled 802.1x ports. If MAC move is globally configured on the switch and a port security-enabled host moves to an 802.1x-enabled port, a violation error occurs.
Examples
This example shows how to enable MAC move on a switch:
Switch(config)# authentication mac-move permit
Related Commands
|
|
authentication event |
Sets the action for specific authentication events. |
authentication fallback |
Configures a port to use web authentication as a fallback method for clients that do not support IEEE 802.1x authentication. |
authentication host-mode |
Sets the authorization manager mode on a port. |
authentication open |
Enables or disables open access on a port. |
authentication order |
Sets the order of authentication methods used on a port. |
authentication periodic |
Enable or disables reauthentication on a port. |
authentication port-control |
Enables manual control of the port authorization state. |
authentication priority |
Adds an authentication method to the port-priority list. |
authentication timer |
Configures the timeout and reauthentication parameters for an 802.1x-enabled port. |
authentication violation |
Configures the violation modes that occur when a new device connects to a port or when a new device connects to a port with the maximum number of devices already connected to that port. |
show authentication |
Displays information about authentication manager events on the switch. |
authentication open
Use the authentication open interface configuration command to enable or disable open access on a port. Use the no form of this command to disable open access.
authentication open
no authentication open
Defaults
Open access is disabled.
Command Modes
Interface configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
Open authentication must be enabled if a device requires network access before it is authenticated.
A port ACL should be used to restrict host access when open authentication is enabled.
Examples
This example shows how to enable open access on a port:
Switch(config-if)# authentication open
This example shows how to set the port to disable open access on a port:
Switch(config-if)# no authentication open
Related Commands
|
|
authentication control-direction |
Configures the port mode as unidirectional or bidirectional. |
authentication event |
Sets the action for specific authentication events. |
authentication fallback |
Configures a port to use web authentication as a fallback method for clients that do not support IEEE 802.1x authentication. |
authentication host-mode |
Sets the authorization manager mode on a port. |
authentication order |
Sets the order of authentication methods used on a port. |
authentication periodic |
Enables or disables reauthentication on a port. |
authentication port-control |
Enables manual control of the port authorization state. |
authentication priority |
Adds an authentication method to the port-priority list. |
authentication timer |
Configures the timeout and reauthentication parameters for an 802.1x-enabled port. |
authentication violation |
Configures the violation modes that occur when a new device connects to a port or when a new device connects to a port after the maximum number of devices are connected to that port. |
show authentication |
Displays information about authentication manager events on the switch. |
authentication order
Use the authentication order interface configuration command to set the order of authentication methods used on a port.
authentication order [dot1x | mab] {webauth}
no authentication order
Syntax Description
dot1x |
Add 802.1x to the order of authentication methods. |
mab |
Add MAC authentication bypass (MAB) to the order of authentication methods. |
webauth |
Add web authentication to the order of authentication methods. |
Command Default
The default authentication order is dot1x followed by mab and webauth.
Command Modes
Interface configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
Ordering sets the order of methods that the switch attempts when trying to authenticate a new device connected to a port. If one method in the list is unsuccessful, the next method is attempted.
Each method can only be entered once. Flexible ordering is only possible between 802.1x and MAB.
Web authentication can be configured as either a standalone method or as the last method in the order after either 802.1x or MAB. Web authentication should be configured only as fallback to dot1x or mab.
Examples
This example shows how to add 802.1x as the first authentication method, MAB as the second method, and web authentication as the third method:
Switch(config-if)# authentication order dotx mab webauth
This example shows how to add MAC authentication Bypass (MAB) as the first authentication method and web authentication as the second authentication method:
Switch(config-if)# authentication order mab webauth
You can verify your settings by entering the show authentication privileged EXEC command.
Related Commands
|
|
authentication control-direction |
Configures the port mode as unidirectional or bidirectional. |
authentication event |
Sets the action for specific authentication events. |
authentication fallback |
Configures a port to use web authentication as a fallback method for clients that do not support IEEE 802.1x authentication. |
authentication host-mode |
Sets the authorization manager mode on a port. |
authentication open |
Enables or disables open access on a port. |
authentication periodic |
Enables or disables reauthentication on a port. |
authentication port-control |
Enables manual control of the port authorization state. |
authentication priority |
Adds an authentication method to the port-priority list. |
authentication timer |
Configures the timeout and reauthentication parameters for an 802.1x-enabled port. |
authentication violation |
Configures the violation modes that occur when a new device connects to a port or when a new device connects to a port after the maximum number of devices are connected to that port. |
mab |
Enables MAC authentication bypass on a port. |
mab eap |
Configures a port to use Extensible Authentication Protocol (EAP). |
show authentication |
Displays information about authentication manager events on the switch. |
authentication periodic
Use the authentication periodic interface configuration command to enable or disable reauthentication on a port. Enter the no form of this command to disable reauthentication.
authentication periodic
no authentication periodic
Command Default
Reauthentication is disabled.
Command Modes
Interface configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
You configure the amount of time between periodic re-authentication attempts by using the authentication timer reauthentication interface configuration command.
Examples
This example shows how to enable periodic reauthentication on a port:
Switch(config-if)# authentication periodic
This example shows how to disable periodic reauthentication on a port:
Switch(config-if)# no authentication periodic
You can verify your settings by entering the show authentication privileged EXEC command.
Related Commands
|
|
authentication control-direction |
Configures the port mode as unidirectional or bidirectional. |
authentication event |
Sets the action for specific authentication events. |
authentication fallback |
Configures a port to use web authentication as a fallback method for clients that do not support IEEE 802.1x authentication. |
authentication host-mode |
Sets the authorization manager mode on a port. |
authentication open |
Enables or disable open access on a port. |
authentication order |
Sets the order of authentication methods used on a port. |
authentication port-control |
Enables manual control of the port authorization state. |
authentication priority |
Adds an authentication method to the port-priority list. |
authentication timer |
Configures the timeout and reauthentication parameters for an 802.1x-enabled port. |
authentication violation |
Configures the violation modes that occur when a new device connects to a port or when a new device connects to a port after the maximum number of devices are connected to that port. |
show authentication |
Displays information about authentication manager events on the switch. |
authentication port-control
Use the authentication port-control interface configuration command to enable manual control of the port authorization state. Use the no form of this command to return to the default setting.
authentication port-control {auto | force-authorized | force-un authorized}
no authentication port-control {auto | force-authorized | force-un authorized}
Syntax Description
auto |
Enable authentication on the port. The port changes to the authorized or unauthorized state based, on the authentication exchange between the switch and the client. |
force-authorized |
Disable authentication on the port. The port changes to the authorized state without an authentication exchange. The port sends and receives normal traffic without authentication of the client. |
force-un authorized |
Deny all access the port. The port changes to the unauthorized state, ignoring all attempts by the client to authenticate. The switch cannot provide authentication services to the client through the port. |
Defaults
The default setting is force-authorized.
Command Modes
Interface configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
Use the auto keyword only on one of these port types:
- Trunk port—If you try to enable authentication on a trunk port, an error message appears, and is not enabled. If you try to change the mode of an port to trunk, an error message appears, and the port mode is not changed.
- Dynamic ports—A dynamic port can negotiate with its neighbor to become a trunk port. If you try to enable authentication on a dynamic port, an error message appears, and authentication is not enabled. If you try to change the mode of an port to dynamic, an error message appears, and the port mode does not change.
- Dynamic-access ports—If you try to enable authentication on a dynamic-access (VLAN Query Protocol [VQP]) port, an error message appears, and authentication is not enabled. If you try to change an port to dynamic VLAN, an error message appears, and the VLAN configuration does not change.
- EtherChannel port—Do not configure a port that is an active or a not-yet-active member of an EtherChannel as an port. If you try to enable authentication on an EtherChannel port, an error message appears, and authentication is not enabled.
- Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports—You can enable authentication on a port that is a SPAN or RSPAN destination port. However, authentication is disabled until the port is removed as a SPAN or RSPAN destination. You can enable authentication on a SPAN or RSPAN source port.
To globally disable authentication on the switch, use the no dot1x system-auth-control global configuration command. To disable authentication on a specific port or to return to the default setting, use the no authentication port-control interface configuration command.
Examples
This example shows how to set the port state to automatic:
Switch(config-if)# authentication port-control auto
This example shows how to set the port state to the force- authorized state:
Switch(config-if)# authentication port-control force-authorized
This example shows how to set the port state to the force-unauthorized state:
Switch(config-if)# authentication port-control force-unauthorized
You can verify your settings by entering the show authentication privileged EXEC command.
Related Commands
|
|
authentication control-direction |
Configures the port mode as unidirectional or bidirectional. |
authentication event |
Sets the action for specific authentication events. |
authentication fallback |
Configures a port to use web authentication as a fallback method for clients that do not support IEEE 802.1x authentication. |
authentication host-mode |
Sets the authorization manager mode on a port. |
authentication open |
Enables or disables open access on a port. |
authentication order |
Sets the order of the authentication methods used on a port. |
authentication periodic |
Enables or disable reauthentication on a port. |
authentication priority |
Adds an authentication method to the port-priority list. |
authentication timer |
Configures the timeout and reauthentication parameters for an 802.1x-enabled port. |
authentication violation |
Configures the violation modes that occur when a new device connects to a port or when a new device connects to a port after the maximum number of devices are connected to that port. |
show authentication |
Displays information about authentication manager events on the switch. |
authentication priority
Use the authentication priority interface configuration command to add an authentication method to the port-priority list.
auth priority [dot1x | mab] {webauth}
no auth priority [dot1x | mab] {webauth}
Syntax Description
dot1x |
Add 802.1x to the order of authentication methods. |
mab |
Add MAC authentication bypass (MAB) to the order of authentication methods. |
webauth |
Add web authentication to the order of authentication methods. |
Command Default
The default priority is 802.1x authentication, followed by MAC authentication bypass and web authentication.
Command Modes
Interface configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
Ordering sets the order of methods that the switch attempts when trying to authenticate a new device is connected to a port.
When configuring multiple fallback methods on a port, set web authentication (webauth) last.
Assigning priorities to different authentication methods allows a higher-priority method to interrupt an in-progress authentation method with a lower priority.
Note If a client is already authenticated, it might be reauthenticated if an interruption from a higher-priority method occurs.
The default priority of an authentication method is equivalent to its position in execution-list order: 802.1x authentication, MAC authentication bypass, and web authentication. Use the dot1x, mab, and webauth keywords to change this default order.
Examples
This example shows how to set 802.1x as the first authentication method and web authentication as the second authentication method:
Switch(config-if)# authentication priority dotx webauth
This example shows how to set MAC authentication Bypass (MAB) as the first authentication method and web authentication as the second authentication method:
Switch(config-if)# authentication priority mab webauth
You can verify your settings by entering the show authentication privileged EXEC command.
Related Commands
|
|
authentication control-direction |
Configures the port mode as unidirectional or bidirectional. |
authentication event |
Sets the action for specific authentication events. |
authentication fallback |
Configures a port to use web authentication as a fallback method for clients that do not support IEEE 802.1x authentication. |
authentication host-mode |
Sets the authorization manager mode on a port. |
authentication open |
Enables or disables open access on a port. |
authentication order |
Sets the order of authentication methods used on a port. |
authentication periodic |
Enables or disables reauthentication on a port. |
authentication port-control |
Enables manual control of the port authorization state. |
authentication timer |
Configures the timeout and reauthentication parameters for an 802.1x-enabled port. |
authentication violation |
Configures the violation modes that occur when a new device connects to a port or when a new device connects to a port after the maximum number of devices are connected to that port. |
mab |
Enables MAC authentication bypass on a port. |
mab eap |
Configures a port to use Extensible Authentication Protocol (EAP). |
show authentication |
Displays information about authentication manager events on the switch. |
authentication timer
Use the authentication timer interface configuration command to configure the timeout and reauthentication parameters for an 802.1x-enabled port.
authentication timer {{[inactivity | reauthenticate]} {restart value}}
no authentication timer {{[inactivity | reauthenticate]} {restart value}}
Syntax Description
inactivity |
Interval in seconds after which the client is unauthorized if there is no activity. |
reauthenticate |
Time in seconds after which an automatic re-authentication attempt starts. |
restart |
Interval in seconds after which an attempt is made to authenticate an unauthorized port. |
value |
Enter a value between 1 and 65535 (in seconds). |
Defaults
The inactivity and restart keywords are set to 60 seconds. The reauthenticate keyword is set to one hour.
Command Modes
Interface configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
If a timeout value is not configured, an 802.1x session stays authorized indefinitely. No other host can use the port, and the connected host cannot move to another port on the same switch.
Examples
This example shows how to set the authentication inactivity timer to 60 seconds:
Switch(config-if)# authentication timer inactivity 60
This example shows how to set the reauthentication timer to 120 seconds:
Switch(config-if)# authentication timer restart 120
You can verify your settings by entering the show authentication privileged EXEC command.
Related Commands
|
|
authentication control-direction |
Configures the port mode as unidirectional or bidirectional. |
authentication event |
Sets the action for specific authentication events. |
authentication fallback |
Configures a port to use web authentication as a fallback method for clients that do not support IEEE 802.1x authentication. |
authentication host-mode |
Sets the authorization manager mode on a port. |
authentication open |
Enables or disables open access on a port. |
authentication order |
Sets the order of authentication methods used on a port. |
authentication periodic |
Enables or disables reauthentication on a port. |
authentication port-control |
Enables manual control of the port authorization state. |
authentication priority |
Adds an authentication method to the port-priority list. |
authentication violation |
Configures the violation modes that occur when a new device connects to a port or when a new device connects to a port after the maximum number of devices are connected to that port. |
show authentication |
Displays information about authentication manager events on the switch. |
authentication violation
Use the authentication violation interface configuration command to configure the violation modes that occur when a new device connects to a port or when a new device connects to a port after the maximum number of devices are connected to that port.
authentication violation {protect | replace | restrict | shutdown}
no authentication violation {protect | replace | restrict | shutdown}
Syntax Description
protect |
Unexpected incoming MAC addresses are dropped. No syslog errors are generated. |
replace |
Removes the current session and initiates authentication with the new host. |
restrict |
Generates a syslog error when a violation error occurs. |
shutdown |
Error disables the port or the virtual port on which an unexpected MAC address occurs. |
Defaults
By default authentication violation shutdown mode is enabled.
Command Modes
Interface configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
12.2(55)SE |
The replace keyword was added. |
Examples
This example shows how to configure an IEEE 802.1x-enabled port as error disabled and to shut down when a new device connects it:
Switch(config-if)# authentication violation shutdown
This example shows how to configure an 802.1x-enabled port to generate a system error message and to change the port to restricted mode when a new device connects to it:
Switch(config-if)# authentication violation restrict
This example shows how to configure an 802.1x-enabled port to ignore a new device when it connects to the port:
Switch(config-if)# authentication violation protect
This example shows how to configure an 802.1x-enabled port to remove the current session and initiate authentication with a new device when it connects to the port:
Switch(config-if)# authentication violation replace
You can verify your settings by entering the show authentication privileged EXEC command.
Related Commands
|
|
authentication control-direction |
Configures the port mode as unidirectional or bidirectional. |
authentication event |
Sets the action for specific authentication events. |
authentication fallback |
Configures a port to use web authentication as a fallback method for clients that do not support 802.1x authentication. |
authentication host-mode |
Sets the authorization manager mode on a port. |
authentication open |
Enables or disables open access on a port. |
authentication order |
Sets the order of authentication methods used on a port. |
authentication periodic |
Enables or disables reauthentication on a port. |
authentication port-control |
Enables manual control of the port authorization state. |
authentication priority |
Adds an authentication method to the port-priority list. |
authentication timer |
Configures the timeout and reauthentication parameters for an 802.1x-enabled port. |
show authentication |
Displays information about authentication manager events on the switch. |
auto qos classify
Use the auto qos classify interface configuration command to automatically configure quality of service (QoS) classification for untrusted devices within a QoS domain. Use the no form of this command to return to the default setting.
auto qos classify [ police ]
no auto qos classify [ police ]
Syntax Description
police |
(Optional) Configure QoS policing for untrusted devices. |
Defaults
Auto-QoS classify is disabled on the port.
When auto-QoS is enabled, it uses the ingress packet label to categorize traffic, to assign packet labels, and to configure the ingress and egress queues
Table 2-1 Auto-QoS Configuration for the Ingress Queues
|
|
|
|
|
SRR shared |
1 |
0, 1, 2, 3, 6, 7 |
70 percent |
90 percent |
Priority |
2 |
4, 5 |
30 percent |
10 percent |
Table 2-2 Auto-QoS Configuration for the Egress Queues
|
|
|
|
Queue (Buffer) Size for Gigabit-Capable Ports
|
Queue (Buffer) Size for 10/100 Ethernet Ports
|
Priority (shaped) |
1 |
4, 5 |
up to 100 percent |
25 percent |
15 percent |
SRR shared |
2 |
2, 3, 6,7 |
10 percent |
25 percent |
25 percent |
SRR shared |
3 |
0 |
60 percent |
25 percent |
40 percent |
SRR shared |
4 |
1 |
20 percent |
25 percent |
20 percent |
Command Modes
Interface configuration
Command History
|
|
12.2(55)SE |
This command was introduced. |
Usage Guidelines
Use this command to configure the QoS for trusted interfaces within the QoS domain. The QoS domain includes the switch, the network interior, and edge devices that can classify incoming traffic for QoS.
Auto-QoS configures the switch for connectivity with a trusted interface. The QoS labels of incoming packets are trusted. For nonrouted ports, the CoS value of the incoming packets is trusted. For routed ports, the DSCP value of the incoming packet is trusted.
To take advantage of the auto-QoS defaults, you should enable auto-QoS before you configure other QoS commands. You can fine-tune the auto-QoS configuration after you enable auto-QoS.
This is the policy map when the auto qos classify command is configured:
policy-map AUTOQOS-SRND4-CLASSIFY-POLICY
class AUTOQOS_MULTIENHANCED_CONF_CLASS
class AUTOQOS_BULK_DATA_CLASS
class AUTOQOS_TRANSACTION_CLASS
class AUTOQOS_SCAVANGER_CLASS
class AUTOQOS_SIGNALING_CLASS
class AUTOQOS_DEFAULT_CLASS
This is the policy map when the auto qos classify police command is configured:
policy-map AUTOQOS-SRND4-CLASSIFY-POLICE-POLICY
class AUTOQOS_MULTIENHANCED_CONF_CLASS
police 5000000 8000 exceed-action drop
class AUTOQOS_BULK_DATA_CLASS
police 10000000 8000 exceed-action policed-dscp-transmit
class AUTOQOS_TRANSACTION_CLASS
police 10000000 8000 exceed-action policed-dscp-transmit
class AUTOQOS_SCAVANGER_CLASS
police 10000000 8000 exceed-action drop
class AUTOQOS_SIGNALING_CLASS
police 32000 8000 exceed-action drop
class AUTOQOS_DEFAULT_CLASS
police 10000000 8000 exceed-action policed-dscp-transmit
Note The switch applies the auto-QoS-generated commands as if the commands were entered from the command-line interface (CLI). An existing user configuration can cause the application of the generated commands to fail or to be overridden by the generated commands. These actions occur without warning. If all the generated commands are successfully applied, any user-entered configuration that was not overridden remains in the running configuration. Any user-entered configuration that was overridden can be retrieved by reloading the switch without saving the current configuration to memory. If the generated commands fail to be applied, the previous running configuration is restored.
After auto-QoS is enabled, do not modify a policy map or aggregate policer that includes AutoQoS in its name. If you need to modify the policy map or aggregate policer, make a copy of it, and change the copied policy map or policer. To use the new policy map instead of the generated one, remove the generated policy map from the interface, and apply the new policy map.
To display the QoS configuration that is automatically generated when auto-QoS is enabled, enable debugging before you enable auto-QoS. Use the debug auto qos privileged EXEC command to enable auto-QoS debugging. For more information, see the debug auto qos command.
To disable auto-QoS on a port, use the no auto qos trust interface configuration command. Only the auto-QoS-generated interface configuration commands for this port are removed. If this is the last port on which auto-QoS is enabled and you enter the no auto qos trust command, auto-QoS is considered disabled even though the auto-QoS-generated global configuration commands remain (to avoid disrupting traffic on other ports affected by the global configuration). You can use the no mls qos global configuration command to disable the auto-QoS-generated global configuration commands. With QoS disabled, there is no concept of trusted or untrusted ports because the packets are not modified. The CoS, DSCP, and IP precedence values in the packet are not changed. Traffic is switched in pass-through mode. Packets are switched without any rewrites and classified as best effort without any policing.
Examples
This example shows how to enable auto-QoS classification of an untrusted device and police traffic:
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# auto qos classify police
You can verify your settings by entering the show auto qos interface interface-id privileged EXEC command.
Related Commands
|
|
debug auto qos |
Enables debugging of the auto-QoS feature. |
mls qos trust |
Configures the port trust state. |
srr-queue bandwidth share |
Assigns the shared weights and enables bandwidth sharing on the four egress queues mapped to a port. |
queue-set |
Maps a port to a queue-set. |
show auto qos |
Displays auto-QoS information. |
show mls qos interface |
Displays QoS information at the port level. |
auto qos trust
Use the auto qos trust interface configuration command on the switch stack or on a standalone switch to automatically configure quality of service (QoS) for trusted interfaces within a QoS domain. Use the no form of this command to return to the default setting.
auto qos trust { cos | dscp }
no auto qos trust { cos | dscp }
Syntax Description
cos |
Trust the CoS packet classification. |
dscp |
Trust the DSCP packet classification. |
Defaults
Auto-QoS trust is disabled on the port.
When auto-QoS is enabled, it uses the ingress packet label to categorize traffic, to assign packet labels, and to configure the ingress and egress queues.
Table 2-3 Traffic Types, Packet Labels, and Queues
|
|
|
|
|
|
|
DSCP |
46 |
24, 26 |
48 |
56 |
34 |
– |
CoS |
5 |
3 |
6 |
7 |
3 |
– |
CoS-to-ingress queue map |
4, 5 (queue 2) |
0, 1, 2, 3, 6, 7(queue 1) |
CoS-to-egress queue map |
4, 5 (queue 1) |
2, 3, 6, 7 (queue 2) |
0 (queue 3) |
2 (queue 3) |
0, 1 (queue 4) |
Table 2-4 Auto-QoS Configuration for the Ingress Queues
|
|
|
|
|
SRR shared |
1 |
0, 1, 2, 3,6, 7 |
70 percent |
90 percent |
Priority |
2 |
4, 5 |
30 percent |
10 percent |
Table 2-5 Auto-QoS Configuration for the Egress Queues
|
|
|
|
Queue (Buffer) Size for Gigabit-Capable Ports
|
Queue (Buffer) Size for 10/100 Ethernet Ports
|
Priority (shaped) |
1 |
4, 5 |
up to 100 percent |
25 percent |
15 percent |
SRR shared |
2 |
2, 3, 6,7 |
10 percent |
25 percent |
25 percent |
SRR shared |
3 |
0 |
60 percent |
25 percent |
40 percent |
SRR shared |
4 |
1 |
20 percent |
25 percent |
20 percent |
Command Modes
Interface configuration
Command History
|
|
12.2(55)SE |
This command was introduced. |
Usage Guidelines
Use this command to configure the QoS for trusted interfaces within the QoS domain. The QoS domain includes the switch, the network interior, and edge devices that can classify incoming traffic for QoS.
Auto-QoS configures the switch for connectivity with a trusted interface. The QoS labels of incoming packets are trusted. For nonrouted ports, the CoS value of the incoming packets is trusted. For routed ports, the DSCP value of the incoming packet is trusted.
To take advantage of the auto-QoS defaults, you should enable auto-QoS before you configure other QoS commands. You can fine-tune the auto-QoS configuration after you enable auto-QoS.
If the port is configured with auto-QoS trust, it trusts all the packets on the port. If the packets are not marked with a DSCP or CoS value, default marking takes affect.
Note The switch applies the auto-QoS-generated commands as if the commands were entered from the command-line interface (CLI). An existing user configuration can cause the application of the generated commands to fail or to be overridden by the generated commands. These actions occur without warning. If all the generated commands are successfully applied, any user-entered configuration that was not overridden remains in the running configuration. Any user-entered configuration that was overridden can be retrieved by reloading the switch without saving the current configuration to memory. If the generated commands fail to be applied, the previous running configuration is restored.
After auto-QoS is enabled, do not modify a policy map or aggregate policer that includes AutoQoS in its name. If you need to modify the policy map or aggregate policer, make a copy of it, and change the copied policy map or policer. To use the new policy map instead of the generated one, remove the generated policy map from the interface, and apply the new policy map.
To display the QoS configuration that is automatically generated when auto-QoS is enabled, enable debugging before you enable auto-QoS. Use the debug auto qos privileged EXEC command to enable auto-QoS debugging. For more information, see the debug auto qos command.
To disable auto-QoS on a port, use the no auto qos trust interface configuration command. Only the auto-QoS-generated interface configuration commands for this port are removed. If this is the last port on which auto-QoS is enabled and you enter the no auto qos trust command, auto-QoS is considered disabled even though the auto-QoS-generated global configuration commands remain (to avoid disrupting traffic on other ports affected by the global configuration). You can use the no mls qos global configuration command to disable the auto-QoS-generated global configuration commands. With QoS disabled, there is no concept of trusted or untrusted ports because the packets are not modified (the CoS, DSCP, and IP precedence values in the packet are not changed). Traffic is switched in pass-through mode (packets are switched without any rewrites and classified as best effort without any policing).
Examples
This example shows how to enable auto-QoS for a trusted interface with specific cos classification.
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# auto qos trust cos
You can verify your settings by entering the show auto qos interface interface-id privileged EXEC command.
Related Commands
|
|
debug auto qos |
Enables debugging of the auto-QoS feature. |
mls qos trust |
Configures the port trust state. |
srr-queue bandwidth share |
Assigns the shared weights and enables bandwidth sharing on the four egress queues mapped to a port. |
queue-set |
Maps a port to a queue-set. |
show auto qos |
Displays auto-QoS information. |
show mls qos interface |
Displays QoS information at the port level. |
auto qos video
Use the auto qos video interface configuration command on the switch stack or on a standalone switch to automatically configure quality of service (QoS) for video within a QoS domain. Use the no form of this command to return to the default setting.
auto qos video { cts | ip-camera | media-player }
no auto qos video { cts | ip-camera | media-player }
Syntax Description
cts |
Identiy this port as connected to a Cisco TelePresence System and automatically configure QoS for video. |
ip-camera |
Identify this port as connected to a Cisco IP camera and automatically configure QoS for video. |
media-player |
Identify this port as connected to a CDP-capable Cisco digital media player and automatically configure QoS for video. |
Defaults
Auto-QoS video is disabled on the port.
When auto-QoS is enabled, it uses the ingress packet label to categorize traffic, to assign packet labels, and to configure the ingress and egress queues.
Table 2-6 Traffic Types, Packet Labels, and Queues
|
|
|
|
|
|
|
DSCP |
46 |
24, 26 |
48 |
56 |
34 |
– |
CoS |
5 |
3 |
6 |
7 |
3 |
– |
CoS-to-ingress queue map |
4, 5 (queue 2) |
0, 1, 2, 3, 6, 7(queue 1) |
CoS-to-egress queue map |
4, 5 (queue 1) |
2, 3, 6, 7 (queue 2) |
0 (queue 3) |
2 (queue 3) |
0, 1 (queue 4) |
Table 2-7 Auto-QoS Configuration for the Ingress Queues
|
|
|
|
|
SRR shared |
1 |
0, 1, 2, 3, 6, 7 |
70 percent |
90 percent |
Priority |
2 |
4, 5 |
30 percent |
10 percent |
Table 2-8 Auto-QoS Configuration for the Egress Queues
|
|
|
|
Queue (Buffer) Size for Gigabit-Capable Ports
|
Queue (Buffer) Size for 10/100 Ethernet Ports
|
Priority (shaped) |
1 |
4, 5 |
up to 100 percent |
25 percent |
15 percent |
SRR shared |
2 |
2, 3, 6, 7 |
10 percent |
25 percent |
25 percent |
SRR shared |
3 |
0 |
60 percent |
25 percent |
40 percent |
SRR shared |
4 |
1 |
20 percent |
25 percent |
20 percent |
Command Modes
Interface configuration
Command History
|
|
12.2(55)SE |
This command was introduced. |
Usage Guidelines
Use this command to configure the QoS appropriate for video traffic within the QoS domain. The QoS domain includes the switch, the network interior, and edge devices that can classify incoming traffic for QoS.
Auto-QoS configures the switch for video connectivity to a Cisco TelePresence system, a Cisco IP camera, or a Cisco digital media player.
To take advantage of the auto-QoS defaults, you should enable auto-QoS before you configure other QoS commands. You can fine-tune the auto-QoS configuration after you enable auto-QoS.
Note The switch applies the auto-QoS-generated commands as if the commands were entered from the command-line interface (CLI). An existing user configuration can cause the application of the generated commands to fail or to be overridden by the generated commands. These actions occur without warning. If all the generated commands are successfully applied, any user-entered configuration that was not overridden remains in the running configuration. Any user-entered configuration that was overridden can be retrieved by reloading the switch without saving the current configuration to memory. If the generated commands fail to be applied, the previous running configuration is restored.
If this is the first port on which you have enabled auto-QoS, the auto-QoS-generated global configuration commands are executed followed by the interface configuration commands. If you enable auto-QoS on another port, only the auto-QoS-generated interface configuration commands for that port are executed.
When you enable the auto-QoS feature on the first port, these automatic actions occur:
- QoS is globally enabled ( mls qos global configuration command), and other global configuration commands are added.
- After auto-QoS is enabled, do not modify a policy map or aggregate policer that includes AutoQoS in its name. If you need to modify the policy map or aggregate policer, make a copy of it, and change the copied policy map or policer. To use the new policy map instead of the generated one, remove the generated policy map from the interface, and apply the new policy map.
To display the QoS configuration that is automatically generated when auto-QoS is enabled, enable debugging before you enable auto-QoS. Use the debug auto qos privileged EXEC command to enable auto-QoS debugging. For more information, see the debug auto qos command.
To disable auto-QoS on a port, use the no auto qos video interface configuration command. Only the auto-QoS-generated interface configuration commands for this port are removed. If this is the last port on which auto-QoS is enabled and you enter the no auto qos video command, auto-QoS is considered disabled even though the auto-QoS-generated global configuration commands remain (to avoid disrupting traffic on other ports affected by the global configuration). You can use the no mls qos global configuration command to disable the auto-QoS-generated global configuration commands. With QoS disabled, there is no concept of trusted or untrusted ports because the packets are not modified (the CoS, DSCP, and IP precedence values in the packet are not changed). Traffic is switched in pass-through mode (packets are switched without any rewrites and classified as best effort without any policing).
Examples
This example shows how to enable auto-QoS for a Cisco Telepresence interface with conditional trust. The interface is trusted only if a Cisco Telepresence device is detected; otherwise, the port is untrusted.
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# auto qos video cts
You can verify your settings by entering the show auto qos video interface interface-id privileged EXEC command.
Related Commands
|
|
debug auto qos |
Enables debugging of the auto-QoS feature. |
mls qos trust |
Configures the port trust state. |
srr-queue bandwidth share |
Assigns the shared weights and enables bandwidth sharing on the four egress queues mapped to a port. |
queue-set |
Maps a port to a queue-set. |
show auto qos |
Displays auto-QoS information. |
show mls qos interface |
Displays QoS information at the port level. |
auto qos voip
Use the auto qos voip interface configuration command to automatically configure quality of service (QoS) for voice over IP (VoIP) within a QoS domain. Use the no form of this command to return to the default setting.
auto qos voip { cisco-phone | cisco-softphone | trust }
no auto qos voip [ cisco-phone | cisco-softphone | trust ]
Syntax Description
cisco-phone |
Identify this port as connected to a Cisco IP Phone, and automatically configure QoS for VoIP. The QoS labels of incoming packets are trusted only when the telephone is detected. |
cisco-softphone |
Identify this port as connected to a device running the Cisco SoftPhone, and automatically configure QoS for VoIP. |
trust |
Identify this port as connected to a trusted switch or router, and automatically configure QoS for VoIP. The QoS labels of incoming packets are trusted. For nonrouted ports, the CoS value of the incoming packet is trusted. For routed ports, the DSCP value of the incoming packet is trusted. |
Defaults
Auto-QoS is disabled on the port.
When auto-QoS is enabled, it uses the ingress packet label to categorize traffic, to assign packet labels, and to configure the ingress and egress queues.
Table 2-9 Traffic Types, Packet Labels, and Queues
|
|
|
|
|
|
|
DSCP |
46 |
24, 26 |
48 |
56 |
34 |
– |
CoS |
5 |
3 |
6 |
7 |
3 |
– |
CoS-to-ingress queue map |
4, 5 (queue 2) |
0, 1, 2, 3, 6, 7(queue 1) |
CoS-to-egress queue map |
4, 5 (queue 1) |
2, 3, 6, 7 (queue 2) |
0 (queue 3) |
2 (queue 3) |
0, 1 (queue 4) |
Table 2-10 Auto-QoS Configuration for the Ingress Queues
|
|
|
|
|
SRR shared |
1 |
0, 1, 2, 3, 6, 7 |
70 percent |
90 percent |
Priority |
2 |
4, 5 |
30 percent |
10 percent |
Table 2-11 Auto-QoS Configuration for the Egress Queues
|
|
|
|
Queue (Buffer) Size for Gigabit-Capable Ports
|
Queue (Buffer) Size for 10/100 Ethernet Ports
|
Priority (shaped) |
1 |
4, 5 |
up to 100 percent |
25 percent |
15 percent |
SRR shared |
2 |
2, 3, 6, 7 |
10 percent |
25 percent |
25 percent |
SRR shared |
3 |
0 |
60 percent |
25 percent |
40 percent |
SRR shared |
4 |
1 |
20 percent |
25 percent |
20 percent |
Command Modes
Interface configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
12.2(55)SE |
Support for enhanced auto-QoS was added. |
Usage Guidelines
Use this command to configure the QoS appropriate for VoIP traffic within the QoS domain. The QoS domain includes the switch, the network interior, and edge devices that can classify incoming traffic for QoS.
Auto-QoS configures the switch for VoIP with Cisco IP Phones on switch and routed ports and for VoIP with devices running the Cisco SoftPhone application. These releases support only Cisco IP SoftPhone Version 1.3(3) or later. Connected devices must use Cisco Call Manager Version 4 or later.
To take advantage of the auto-QoS defaults, you should enable auto-QoS before you configure other QoS commands. You can fine-tune the auto-QoS configuration after you enable auto-QoS.
Note The switch applies the auto-QoS-generated commands as if the commands were entered from the command-line interface (CLI). An existing user configuration can cause the application of the generated commands to fail or to be overridden by the generated commands. These actions occur without warning. If all the generated commands are successfully applied, any user-entered configuration that was not overridden remains in the running configuration. Any user-entered configuration that was overridden can be retrieved by reloading the switch without saving the current configuration to memory. If the generated commands fail to be applied, the previous running configuration is restored.
If this is the first port on which you have enabled auto-QoS, the auto-QoS-generated global configuration commands are executed followed by the interface configuration commands. If you enable auto-QoS on another port, only the auto-QoS-generated interface configuration commands for that port are executed.
When you enable the auto-QoS feature on the first port, these automatic actions occur:
- QoS is globally enabled ( mls qos global configuration command), and other global configuration commands are added.
- When you enter the auto qos voip cisco-phone interface configuration command on a port at the edge of the network that is connected to a Cisco IP Phone, the switch enables the trusted boundary feature. The switch uses the Cisco Discovery Protocol (CDP) to detect the presence of a Cisco IP Phone. When a Cisco IP Phone is detected, the ingress classification on the port is set to trust the QoS label received in the packet. The switch also uses policing to determine whether a packet is in or out of profile and to specify the action on the packet. If the packet does not have a DSCP value of 24, 26, or 46 or is out of profile, the switch changes the DSCP value to 0. When a Cisco IP Phone is absent, the ingress classification is set to not trust the QoS label in the packet. The switch configures ingress and egress queues on the port according to the settings in Table 2-10 and Table 2-11. The policing is applied to those traffic matching the policy-map classification before the switch enables the trust boundary feature.
- When you enter the auto qos voip cisco-softphone interface configuration command on a port at the edge of the network that is connected to a device running the Cisco SoftPhone, the switch uses policing to decide whether a packet is in or out of profile and to specify the action on the packet. If the packet does not have a DSCP value of 24, 26, or 46 or is out of profile, the switch changes the DSCP value to 0. The switch configures ingress and egress queues on the port according to the settings in Table 2-10 and Table 2-11.
- When you enter the auto qos voip trust interface configuration command on a port connected to the network interior, the switch trusts the CoS value for nonrouted ports or the DSCP value for routed ports in ingress packets (the assumption is that traffic has already been classified by other edge devices). The switch configures the ingress and egress queues on the port according to the settings in Table 2-10 and Table 2-11.
You can enable auto-QoS on static, dynamic-access, and voice VLAN access, and trunk ports. When enabling auto-QoS with a Cisco IP Phone on a routed port, you must assign a static IP address to the IP phone.
Note When a device running Cisco SoftPhone is connected to a switch or routed port, the switch supports only one Cisco SoftPhone application per port.
After auto-QoS is enabled, do not modify a policy map or aggregate policer that includes AutoQoS in its name. If you need to modify the policy map or aggregate policer, make a copy of it, and change the copied policy map or policer. To use the new policy map instead of the generated one, remove the generated policy map from the interface, and apply the new policy map.
To display the QoS configuration that is automatically generated when auto-QoS is enabled, enable debugging before you enable auto-QoS. Use the debug auto qos privileged EXEC command to enable auto-QoS debugging. For more information, see the debug auto qos command.
To disable auto-QoS on a port, use the no auto qos voip interface configuration command. Only the auto-QoS-generated interface configuration commands for this port are removed. If this is the last port on which auto-QoS is enabled and you enter the no auto qos voip command, auto-QoS is considered disabled even though the auto-QoS-generated global configuration commands remain (to avoid disrupting traffic on other ports affected by the global configuration). You can use the no mls qos global configuration command to disable the auto-QoS-generated global configuration commands. With QoS disabled, there is no concept of trusted or untrusted ports because the packets are not modified (the CoS, DSCP, and IP precedence values in the packet are not changed). Traffic is switched in pass-through mode. Packets are switched without any rewrites and classified as best effort without any policing.
This is the enhanced configuration for the auto qos voip cisco-phone command:
Switch(config)# mls qos map policed-dscp 0 10 18 to 8
Switch(config)# mls qos map cos-dscp 0 8 16 24 32 46 48 56
Switch(config)# class-map match-all AUTOQOS_VOIP_DATA_CLASS
Switch(config-cmap)# match ip dscp ef
Switch(config)# class-map match-all AUTOQOS_DEFAULT_CLASS
Switch(config-cmap)# match access-group name AUTOQOS-ACL-DEFAULT
Switch(config)# class-map match-all AUTOQOS_VOIP_SIGNAL_CLASS
Switch(config-cmap)# match ip dscp cs3
Switch(config)# policy-map AUTOQOS-SRND4-CISCOPHONE-POLICY
Switch(config-pmap)# class AUTOQOS_VOIP_DATA_CLASS
Switch(config-pmap-c)# set dscp ef
Switch(config-pmap-c)# police 128000 8000 exceed-action policed-dscp-transmit
Switch(config-pmap)# class AUTOQOS_VOIP_SIGNAL_CLASS
Switch(config-pmap-c)# set dscp cs3
Switch(config-pmap-c)# police 32000 8000 exceed-action policed-dscp-transmit
Switch(config-pmap)# class AUTOQOS_DEFAULT_CLASS
Switch(config-pmap-c)# set dscp default
Switch(config-pmap-c)# police 10000000 8000 exceed-action policed-dscp-transmit
Switch(config-if)# service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
This is the enhanced configuration for the auto qos voip cisco-softphone command:
Switch(config)# mls qos map policed-dscp 0 10 18 to 8
Switch(config)# mls qos map cos-dscp 0 8 16 24 32 46 48 56
Switch(config)# class-map match-all AUTOQOS_MULTIENHANCED_CONF_CLASS
Switch(config-cmap)# match access-group name AUTOQOS-ACL-MULTIENHANCED-CONF
Switch(config)# class-map match-all AUTOQOS_VOIP_DATA_CLASS
Switch(config-cmap)# match ip dscp ef
Switch(config)# class-map match-all AUTOQOS_DEFAULT_CLASS
Switch(config-cmap)# match access-group name AUTOQOS-ACL-DEFAULT
Switch(config)# class-map match-all AUTOQOS_TRANSACTION_CLASS
Switch(config-cmap)# match access-group name AUTOQOS-ACL-TRANSACTIONAL-DATA
Switch(config)# class-map match-all AUTOQOS_VOIP_SIGNAL_CLASS
Switch(config-cmap)# match ip dscp cs3
Switch(config)# class-map match-all AUTOQOS_SIGNALING_CLASS
Switch(config-cmap)# match access-group name AUTOQOS-ACL-SIGNALING
Switch(config)# class-map match-all AUTOQOS_BULK_DATA_CLASS
Switch(config-cmap)# match access-group name AUTOQOS-ACL-BULK-DATA
Switch(config)# class-map match-all AUTOQOS_SCAVANGER_CLASS
Switch(config-cmap)# match access-group name AUTOQOS-ACL-SCAVANGER
Switch(config)# policy-map AUTOQOS-SRND4-SOFTPHONE-POLICY
Switch(config-pmap)# class AUTOQOS_VOIP_DATA_CLASS
Switch(config-pmap-c)# set dscp ef
Switch(config-pmap-c)# police 128000 8000 exceed-action policed-dscp-transmit
Switch(config-pmap)# class AUTOQOS_VOIP_SIGNAL_CLASS
Switch(config-pmap-c)# set dscp cs3
Switch(config-pmap-c)# police 32000 8000 exceed-action policed-dscp-transmit
Switch(config-pmap)# class AUTOQOS_MULTIENHANCED_CONF_CLASS
Switch(config-pmap-c)# set dscp af41
Switch(config-pmap-c)# police 5000000 8000 exceed-action drop
Switch(config-pmap)# class AUTOQOS_BULK_DATA_CLASS
Switch(config-pmap-c)# set dscp af11
Switch(config-pmap-c)# police 10000000 8000 exceed-action policed-dscp-transmit
Switch(config-pmap)# class AUTOQOS_TRANSACTION_CLASS
Switch(config-pmap-c)# set dscp af21
Switch(config-pmap-c)# police 10000000 8000 exceed-action policed-dscp-transmit
Switch(config-pmap)# class AUTOQOS_SCAVANGER_CLASS
Switch(config-pmap-c)# set dscp cs1
Switch(config-pmap-c)# police 10000000 8000 exceed-action drop
Switch(config-pmap)# class AUTOQOS_SIGNALING_CLASS
Switch(config-pmap-c)# set dscp cs3
Switch(config-pmap-c)# police 32000 8000 exceed-action drop
Switch(config-pmap)# class AUTOQOS_DEFAULT_CLASS
Switch(config-pmap-c)# set dscp default
Switch(config-if)# service-policy input AUTOQOS-SRND4-SOFTPHONE-POLICY
Examples
This example shows how to enable auto-QoS and to trust the QoS labels received in incoming packets when the switch or router connected to the port is a trusted device:
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# auto qos voip trust
You can verify your settings by entering the show auto qos interface interface-id privileged EXEC command.
Related Commands
|
|
debug auto qos |
Enables debugging of the auto-QoS feature. |
mls qos cos |
Defines the default CoS value of a port or assigns the default CoS to all incoming packets on the port. |
mls qos map cos-dscp |
Defines the CoS-to-DSCP map or the DSCP-to-CoS map. |
mls qos queue-set output buffers |
Allocates buffers to a queue-set. |
mls qos srr-queue input bandwidth |
Assigns shaped round robin (SRR) weights to an ingress queue. |
mls qos srr-queue input buffers |
Allocates the buffers between the ingress queues. |
mls qos srr-queue input cos-map |
Maps CoS values to an ingress queue or maps CoS values to a queue and to a threshold ID. |
mls qos srr-queue input dscp-map |
Maps DSCP values to an ingress queue or maps DSCP values to a queue and to a threshold ID. |
mls qos srr-queue input priority-queue |
Configures the ingress priority queue and guarantees bandwidth. |
mls qos srr-queue output cos-map |
Maps CoS values to an egress queue or maps CoS values to a queue and to a threshold ID. |
mls qos srr-queue output dscp-map |
Maps DSCP values to an egress queue or maps DSCP values to a queue and to a threshold ID. |
mls qos trust |
Configures the port trust state. |
queue-set |
Maps a port to a queue-set. |
show auto qos |
Displays auto-QoS information. |
show mls qos interface |
Displays QoS information at the port level. |
srr-queue bandwidth shape |
Assigns the shaped weights and enables bandwidth shaping on the four egress queues mapped to a port. |
srr-queue bandwidth share |
Assigns the shared weights and enables bandwidth sharing on the four egress queues mapped to a port. |
boot time
To set the switch boot time, use the boot time command in global configuration mode. Use the no form of this command to return to the default setting.
boot time minutes
no boot time
Syntax Description
minutes |
The switch boot time in minutes. The range is from 7 to 30. |
Defaults
The default is 7 minutes.
Command Modes
Global configuration
Command History
|
|
12.2(58)SE |
This command was introduced. |
Examples
To set the boot time to 10 minutes:
Switch(config)# boot time 10
Related Commands
|
|
archive download-sw /rolling-stack upgrade |
Starts the rolling state upgrade process to upgrade the members one at a time. |
rsu { active | standby } |
Configures the redundant uplinks to the network during the rolling stack upgrade. |
show boot |
Displays the settings of the boot environment variables. |
boot auto-copy-sw
Use the boot auto-copy-sw global configuration command from the stack master to enable the automatic upgrade (auto-upgrade) process. It automatically upgrades a switch in version-mismatch (VM) mode by copying the running software image on any stack member or by copying a tar file image in switch stack flash memory. Use the no form of this command to disable the auto-upgrade process.
boot auto-copy-sw
no boot auto-copy-sw
Note This command is supported only on Catalyst 3750-X switches.
Syntax Description
This command has no arguments or keywords.
Command Modes
Global configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
A switch in VM mode is a switch that has a different minor version number than the version on the switch stack. A switch in VM mode cannot join the switch stack as a fully functioning member. If the switch stack has an image that can be copied to a switch in VM mode, the auto-upgrade process automatically copies the image from a stack member to the switch in VM mode. The switch then exits VM mode, reboots, and joins the switch stack as a fully functioning member.
The auto-upgrade process affects only switches in VM mode. It does not affect existing stack members.
Related Commands
|
|
show boot |
Displays the settings of the boot environment variables. |
show version |
Displays version information for the hardware and firmware. |
boot auto-download-sw
Use the boot auto-download-sw global configuration command on the switch stack to specify a URL pathname to use for the automatic software upgrades. Use the no form of this command to remove the software image.
boot auto-download-sw source-url
no boot auto-download-sw
Note This command is supported only on Catalyst 3750-X switches.
Syntax Description
source-url |
The source URLs for the software images. The image-name .tar is the software image to download and install on the switch. These options are supported:
- Local flash file system syntax on the standalone switch or the stack master:
flash:
Local flash file system syntax on a stack member: flash member number : The member number can be from 1 to 9.
- FTP syntax: ftp: [[ // username [ : password ] @ location ]/ directory ] / image-name .tar
- HTTP server syntax for an HTTP server:
http:// [[ username : password ]@]{ hostname | host-ip }[/ directory ] / image-name .tar
- Secure HTTP server syntax:
https:// [[ username : password ]@]{ hostname | host-ip }[/ directory ] / image-name .tar
- Remote Copy Protocol (RCP) syntax: rcp: [[ // username @ location ]/ directory ] / image-name .tar
- Secure Copy Protocol (SCP) syntax: scp: [[ // username @ location ]/ directory ] / image-name .tar
- TFTP syntax:
tftp: [[ // location ]/ directory ] / image-name .tar
|
Command Modes
Global configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
This command specifies a URL path to use for automatic software upgrades.
You can use this command to configure the URL for the master switch to access in case of version-mismatch.
Related Commands
|
|
show boot |
Displays the settings of the boot environment variables. |
show version |
Displays version information for the hardware and firmware. |
boot buffersize
Use the boot buffersize global configuration command on the switch stack or on a standalone switch to configure the NVRAM size. Use the no form of this command to return to the default.
boot buffersize size
no boot buffersize
Syntax Description
size |
The NVRAM buffer size in KB. The valid range is from 4096 to 1048576. |
Defaults
The default NVRAM buffer size is 512 KB.
Command Modes
Global configuration
Command History
|
|
12.2(55)SE |
This command was introduced. |
Usage Guidelines
The default NVRAM buffer size is 512 KB. In some cases, the configuration file might be too large to save to NVRAM. Typically, this occurs when you have many switches in a switch stack. You can configure the size of the NVRAM buffer to support larger configuration files. The new NVRAM buffer size is synced to all current and new member switches.
After you configure the NVRAM buffer size, reload the switch or switch stack.
When you add a switch to a stack and the NVRAM size differs, the new switch syncs with the stack and reloads automatically.
Examples
This example shows how to configure the NVRAM buffer size:
Switch(config)#
boot buffersize 524288
Related Commands
|
|
show boot |
Displays the settings of the boot environment variables. |
boot config-file
Use the boot config-file global configuration command on a standalone switch to specify the filename that Cisco IOS uses to read and write a nonvolatile copy of the system configuration. Use the no form of this command to return to the default setting.
boot config-file flash: / file-url
no boot config-file
Syntax Description
flash:/ file-url |
The path (directory) and name of the configuration file. |
Defaults
The default configuration file is flash:config.text.
Command Modes
Global configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
This command works properly only from a standalone switch in a stack.
Filenames and directory names are case sensitive.
This command changes the setting of the CONFIG_FILE environment variable. For more information, see Appendix A “Catalyst 3750-X and 3560-X Switch Boot Loader Commands.”
Related Commands
|
|
show boot |
Displays the settings of the boot environment variables. |
boot enable-break
Use the boot enable-break global configuration command on a standalone switch to enable interrupting the automatic boot process. Use the no form of this command to return to the default setting.
boot enable-break
no boot enable-break
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled. The automatic boot process cannot be interrupted by pressing the Break key on the console.
Command Modes
Global configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
This command works properly only from a standalone switch in a stack.
When you enter this command, you can interrupt the automatic boot process by pressing the Break key on the console after the flash file system is initialized.
Note Despite the setting of this command, you can interrupt the automatic boot process at any time by pressing the MODE button on the switch front panel.
This command changes the setting of the ENABLE_BREAK environment variable. For more information, see Appendix A “Catalyst 3750-X and 3560-X Switch Boot Loader Commands.”
Related Commands
|
|
show boot |
Displays the settings of the boot environment variables. |
boot helper
Use the boot helper global configuration command on the switch stack or on a standalone switch to dynamically load files during boot loader initialization to extend or patch the functionality of the boot loader. Use the no form of this command to return to the default.
boot helper filesystem :/ file-url...
no boot helper
Syntax Description
filesystem : |
Alias for a flash file system. Use flash: for the system board flash device. |
/ file-url |
The path (directory) and a list of loadable files to dynamically load during loader initialization. Separate each image name with a semicolon. |
Defaults
No helper files are loaded.
Command Modes
Global configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
This variable is used only for internal development and testing.
Filenames and directory names are case sensitive.
This command changes the setting of the HELPER environment variable. For more information, see Appendix A “Catalyst 3750-X and 3560-X Switch Boot Loader Commands.”
Related Commands
|
|
show boot |
Displays the settings of the boot environment variables. |
boot helper-config-file
Use the boot helper-config-file global configuration command on the switch stack or on a standalone switch to specify the name of the configuration file to be used by the Cisco IOS helper image. If this is not set, the file specified by the CONFIG_FILE environment variable is used by all versions of Cisco IOS that are loaded. Use the no form of this command to return to the default setting.
boot helper-config-file filesystem :/ file-url
no boot helper-config file
Syntax Description
filesystem : |
Alias for a flash file system. Use flash: for the system board flash device. |
/ file-url |
The path (directory) and helper configuration file to load. |
Defaults
No helper configuration file is specified.
Command Modes
Global configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
This variable is used only for internal development and testing.
Filenames and directory names are case sensitive.
This command changes the setting of the HELPER_CONFIG_FILE environment variable. For more information, see Appendix A “Catalyst 3750-X and 3560-X Switch Boot Loader Commands.”
Related Commands
|
|
show boot |
Displays the settings of the boot environment variables. |
boot manual
Use the boot manual global configuration command on a standalone switch to enable manually booting the switch during the next boot cycle. Use the no form of this command to return to the default setting.
boot manual
no boot manual
Syntax Description
This command has no arguments or keywords.
Defaults
Manual booting is disabled.
Command Modes
Global configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
This command works properly only from a standalone switch in a stack.
The next time you reboot the system, the switch is in boot loader mode, which is shown by the switch: prompt. To boot up the system, use the boot boot loader command, and specify the name of the bootable image.
This command changes the setting of the MANUAL_BOOT environment variable. For more information, see Appendix A “Catalyst 3750-X and 3560-X Switch Boot Loader Commands.”
Related Commands
|
|
show boot |
Displays the settings of the boot environment variables. |
boot private-config-file
Use the boot private-config-file global configuration command on a standalone switch to specify the filename that Cisco IOS uses to read and write a nonvolatile copy of the private configuration. Use the no form of this command to return to the default setting.
boot private-config-file filename
no boot private-config-file
Syntax Description
filename |
The name of the private configuration file. |
Defaults
The default configuration file is private-config.
Command Modes
Global configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
This command works properly only from a standalone switch in a stack.
Filenames are case sensitive.
Examples
This example shows how to specify the name of the private configuration file to be pconfig :
Switch(config)# boot private-config-file pconfig
Related Commands
|
|
show boot |
Displays the settings of the boot environment variables. |
boot system
Use the boot system global configuration command on the switch stack or on a standalone switch to specify the Cisco IOS image to load during the next boot cycle. Use the no form of this command to return to the default setting.
boot system { filesystem :/ file-url ...| switch { number | all }}
no boot system
no boot system switch { number | all }
Syntax Description
filesystem : |
Alias for a flash file system. Use flash: for the system board flash device. |
/ file-url |
The path (directory) and name of a bootable image. Separate image names with a semicolon. |
switch |
Specify the switches on which the Cisco IOS image is loaded. This keyword is supported only on on stacking-capable switches. |
number |
Specify a stack member. (Specify one stack member only.) This keyword is supported only on on stacking-capable switches. |
all |
Specify all stack members. This keyword is supported only on on stacking-capable switches. |
Defaults
The switch attempts to automatically boot up the system by using information in the BOOT environment variable. If this variable is not set, the switch attempts to load and execute the first executable image it can by performing a recursive, depth-first search throughout the flash file system. In a depth-first search of a directory, each encountered subdirectory is completely searched before continuing the search in the original directory.
Command Modes
Global configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
Filenames and directory names are case sensitive.
If you enter the boot system filesystem:/file-url command on the stack master, the specified software image is loaded only on the stack master during the next boot cycle.
On the stack master, use the boot system switch number command to specify that the software image is loaded on the specified stack member during the next boot cycle. Use the boot system switch all command to specify that the software image is loaded on all the stack members during the next boot cycle.
When you enter the boot system switch number or the boot system switch all command on the stack master, the stack master checks if a software image is already on the stack member (except on the stack master). If the software image does not exist on the stack member (for example, stack member 1), an error message like this appears:
%Command to set boot system switch all xxx on switch=1 failed
When you enter the boot system switch number command on the stack master, you can specify only one stack member for the number variable. Entering more than one stack member for the number variable is not supported.
If you are using the archive download-sw privileged EXEC command to maintain system images, you never need to use the boot system command. The boot system command is automatically manipulated to load the downloaded image.
If you enter boot system flash: filesystem:/file-url on a Cisco 3750 Stack (Applies only to Master Switch), you will have to enter no boot system switch all: then again type boot system switch all: filesystem:/file-url for command to take effect on the whole stack.
This command changes the setting of the BOOT environment variable. For more information, see Appendix A “Catalyst 3750-X and 3560-X Switch Boot Loader Commands.”
Related Commands
|
|
show boot |
Displays the settings of the boot environment variables. |
cdp forward
To specify the ingress and egress switch ports for CDP traffic, use the cdp forward global configuration command. To return to the default setting, use the no form of this command.
cdp forward ingress port-id egress port-id
no cdp forward ingress port-id
Note This command is not supported on switches running the LAN base feature set.
Syntax Description
ingress port-id |
Specifies the switch port that receives the CDP packet from an IP phone. |
egress port-id |
Specifies the switch port that forwards the CDP packet to the Cisco TelePresence System. |
Defaults
The default path for CDP packets through the switch is from any ingress port to the egress port connected to the Cisco Telepresence System.
Command Modes
Global configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
You must use only CDP-enabled phones with TelePresence E911 IP phone support.
You can connect the IP phone and codec in the Cisco TelePresence System through any two ports in a switch stack.
Examples
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# cdp forward ingress gigabitethernet2/0/1 egress gigabitethernet2/0/12
Switch(config)# cdp forward ingress gigabitethernet2/0/2 egress gigabitethernet2/0/13
Switch# show running-config | include cdp
cdp forward ingress GigabitEthernet2/0/1 egress GigabitEthernet2/0/12
cdp forward ingress GigabitEthernet2/0/2 egress GigabitEthernet2/0/13
Ingress Egress # packets # packets
Port Port forwarded dropped
-------------------------------------------------------------
Related Commands
|
|
show cdp forward |
Displays the CDP forwarding table. |
channel-group
Use the channel-group interface configuration command on the switch stack or on a standalone switch to assign an Ethernet port to an EtherChannel group, to enable an EtherChannel mode, or both. Use the no form of this command to remove an Ethernet port from an EtherChannel group.
channel-group channel -group-number mode { active | { auto [ non-silent ]} | { desirable [ non-silent ]} | on | passive }
no channel-group
PAgP modes:
channel-group channel -group-number mode {{ auto [ non-silent ]} | { desirable [ non-silent }}
LACP modes:
channel-group channel -group-number mode { active | passive }
On mode:
channel-group channel -group-number mode on
Syntax Description
channel-group-number |
Specify the channel group number. The range is 1 to 48. |
mode |
Specify the EtherChannel mode. |
active |
Unconditionally enable Link Aggregation Control Protocol (LACP). Active mode places a port into a negotiating state in which the port initiates negotiations with other ports by sending LACP packets. A channel is formed with another port group in either the active or passive mode. |
auto |
Enable the Port Aggregation Protocol (PAgP) only if a PAgP device is detected. Auto mode places a port into a passive negotiating state in which the port responds to PAgP packets it receives but does not start PAgP packet negotiation. A channel is formed only with another port group in desirable mode. When auto is enabled, silent operation is the default. |
desirable |
Unconditionally enable PAgP. Desirable mode places a port into an active negotiating state in which the port starts negotiations with other ports by sending PAgP packets. An EtherChannel is formed with another port group that is in the desirable or auto mode. When desirable is enabled, silent operation is the default. |
non-silent |
(Optional) Use in PAgP mode with the auto or desirable keyword when traffic is expected from the other device. |
on |
Enable on mode. In on mode, a usable EtherChannel exists only when both connected port groups are in the on mode. |
passive |
Enable LACP only if a LACP device is detected. Passive mode places a port into a negotiating state in which the port responds to received LACP packets but does not initiate LACP packet negotiation. A channel is formed only with another port group in active mode. |
Defaults
No channel groups are assigned.
No mode is configured.
Command Modes
Interface configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
For Layer 2 EtherChannels, you do not have to create a port-channel interface first by using the interface port-channel global configuration command before assigning a physical port to a channel group. Instead, you can use the channel-group interface configuration command. It automatically creates the port-channel interface when the channel group gets its first physical port if the logical interface is not already created. If you create the port-channel interface first, the channel-group-number can be the same as the port - channel-number, or you can use a new number. If you use a new number, the channel-group command dynamically creates a new port channel.
You do not have to disable the IP address that is assigned to a physical port that is part of a channel group, but we strongly recommend that you do so.
You create Layer 3 port channels by using the interface port-channel command followed by the no switchport interface configuration command. You should manually configure the port-channel logical interface before putting the interface into the channel group.
After you configure an EtherChannel, configuration changes that you make on the port-channel interface apply to all the physical ports assigned to the port-channel interface. Configuration changes applied to the physical port affect only the port where you apply the configuration. To change the parameters of all ports in an EtherChannel, apply configuration commands to the port-channel interface, for example, spanning-tree commands or commands to configure a Layer 2 EtherChannel as a trunk.
If you do not specify non-silent with the auto or desirable mode, silent is assumed. The silent mode is used when the switch is connected to a device that is not PAgP-capable and seldom, if ever, sends packets. A example of a silent partner is a file server or a packet analyzer that is not generating traffic. In this case, running PAgP on a physical port prevents that port from ever becoming operational. However, it allows PAgP to operate, to attach the port to a channel group, and to use the port for transmission. Both ends of the link cannot be set to silent.
In the on mode, an EtherChannel exists only when a port group in the on mode is connected to another port group in the on mode.
Caution
You should use care when using the on mode. This is a manual configuration, and ports on both ends of the EtherChannel must have the same configuration. If the group is misconfigured, packet loss or spanning-tree loops can occur.
Do not configure an EtherChannel in both the PAgP and LACP modes. EtherChannel groups running PAgP and LACP can coexist on the same switch or on different switches in the stack (but not in a cross-stack configuration). Individual EtherChannel groups can run either PAgP or LACP, but they cannot interoperate.
If you set the protocol by using the channel-protocol interface configuration command, the setting is not overridden by the channel-group interface configuration command.
Do not configure a port that is an active or a not-yet-active member of an EtherChannel as an IEEE 802.1x port. If you try to enable IEEE 802.1x authentication on an EtherChannel port, an error message appears, and IEEE 802.1x authentication is not enabled.
Do not configure a secure port as part of an EtherChannel or an EtherChannel port as a secure port.
For a complete list of configuration guidelines, see the “Configuring EtherChannels” chapter in the software configuration guide for this release.
Caution
Do not enable Layer 3 addresses on the physical EtherChannel ports. Do not assign bridge groups on the physical EtherChannel ports because it creates loops.
Examples
This example shows how to configure an EtherChannel on a single switch in the stack. It assigns two static-access ports in VLAN 10 to channel 5 with the PAgP mode desirable :
Switch# configure terminal
Switch(config)# interface range gigabitethernet2/0/1 -2
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# channel-group 5 mode desirable
Switch(config-if-range)# end
This example shows how to configure an EtherChannel on a single switch in the stack. It assigns two static-access ports in VLAN 10 to channel 5 with the LACP mode active :
Switch# configure terminal
Switch(config)# interface range gigabitethernet2/0/1 -2
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# channel-group 5 mode active
Switch(config-if-range)# end
This example shows how to configure a cross-stack EtherChannel in a switch stack. It uses LACP passive mode and assigns two ports on stack member 2 and one port on stack member 3 as static-access ports in VLAN 10 to channel 5:
Switch# configure terminal
Switch(config)# interface range gigabitethernet2/0/4 -5
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# channel-group 5 mode passive
Switch(config-if-range)# exit
Switch(config)# interface gigabitethernet3/0/3
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# channel-group 5 mode passive
You can verify your settings by entering the show running-config privileged EXEC command.
Related Commands
|
|
channel-protocol |
Restricts the protocol used on a port to manage channeling. |
interface port-channel |
Accesses or creates the port channel. |
show etherchannel |
Displays EtherChannel information for a channel. |
show lacp |
Displays LACP channel-group information. |
show pagp |
Displays PAgP channel-group information. |
show running-config |
Displays the operating configuration. |
channel-protocol
Use the channel-protocol interface configuration command on the switch stack or on a standalone switch to restrict the protocol used on a port to manage channeling. Use the no form of this command to return to the default setting.
channel-protocol { lacp | pagp }
no channel-protocol
Syntax Description
lacp |
Configure an EtherChannel with the Link Aggregation Control Protocol (LACP). |
pagp |
Configure an EtherChannel with the Port Aggregation Protocol (PAgP). |
Defaults
No protocol is assigned to the EtherChannel.
Command Modes
Interface configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
Use the channel-protocol command only to restrict a channel to LACP or PAgP. If you set the protocol by using the channel-protocol command, the setting is not overridden by the channel-group interface configuration command.
You must use the channel-group interface configuration command to configure the EtherChannel parameters. The channel-group command also can set the mode for the EtherChannel.
You cannot enable both the PAgP and LACP modes on an EtherChannel group.
PAgP and LACP are not compatible; both ends of a channel must use the same protocol.
Examples
This example shows how to specify LACP as the protocol that manages the EtherChannel:
Switch(config-if)# channel-protocol lacp
You can verify your settings by entering the show etherchannel [ channel-group-number ] protocol privileged EXEC command.
Related Commands
|
|
channel-group |
Assigns an Ethernet port to an EtherChannel group. |
show etherchannel protocol |
Displays protocol information the EtherChannel. |
cisp enable
Use the cisp enable global configuration command to enable Client Information Signalling Protocol (CISP) on a switch so that it acts as an authenticator to a supplicant switch.
cisp enable
no cisp enable
Defaults
There is no default setting.
Command Modes
Global configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
The link between the authenticator and supplicant switch is a trunk. When you enable VTP on both switches, the VTP domain name must be the same, and the VTP mode must be server.
When you configure VTP mode, to avoid the MD5 checksum mismatch error, verify that:
- VLANs are not configured on two different.switches, which can be caused by two VTP servers in the same domain.
- Both switches have the different configuration revision numbers.
Examples
This example shows how to enable CISP:
switch(config)# cisp enable
Related Commands
|
|
dot1x credentials (global configuration) profile |
Configures a profile on a supplicant switch. |
show cisp |
Displays CISP information for a specified interface. |
class
Use the class policy-map configuration command on the switch stack or on a standalone switch to define a traffic classification match criteria (through the police, set, and trust policy-map class configuration commands) for the specified class-map name. Use the no form of this command to delete an existing class map.
class { class-map-name | class-default }
no class { class-map-name | class-default }
Syntax Description
class-map-name |
Name of the class map. |
class-default |
System default class that matches unclassified packets. |
Defaults
No policy map class-maps are defined.
Command Modes
Policy-map configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
12.2(55)SE |
The class-default keyword was added. |
Usage Guidelines
Before using the class command, you must use the policy-map global configuration command to identify the policy map and to enter policy-map configuration mode. After specifying a policy map, you can configure a policy for new classes or modify a policy for any existing classes in that policy map. You attach the policy map to a port by using the service-policy interface configuration command.
After entering the class command, you enter policy-map class configuration mode, and these configuration commands are available:
- exit : exits policy-map class configuration mode and returns to policy-map configuration mode.
- no : returns a command to its default setting.
- police : defines a policer or aggregate policer for the classified traffic. The policer specifies the bandwidth limitations and the action to take when the limits are exceeded. For more information, see the police and police aggregate policy-map class commands.
- set : specifies a value to be assigned to the classified traffic. For more information, see the set command.
- trust : defines a trust state for traffic classified with the class or the class-map command. For more information, see the trust command.
To return to policy-map configuration mode, use the exit command. To return to privileged EXEC mode, use the end command.
The class command performs the same function as the class-map global configuration command. Use the class command when a new classification, which is not shared with any other ports, is needed. Use the class-map command when the map is shared among many ports.
You can configure a default class by using the class class-default policy-map configuration command. Unclassified traffic (traffic that does not meet the match criteria specified in the traffic classes) is treated as default traffic.
Examples
This example shows how to create a policy map called policy1. When attached to the ingress direction, it matches all the incoming traffic defined in class1, sets the IP Differentiated Services Code Point (DSCP) to 10, and polices the traffic at an average rate of 1 Mb/s and bursts at 20 KB. Traffic exceeding the profile is marked down to a DSCP value gotten from the policed-DSCP map and then sent.
Switch(config)# policy-map policy1
Switch(config-pmap)# class class1
Switch(config-pmap-c)# set dscp 10
Switch(config-pmap-c)# police 1000000 20000 exceed-action policed-dscp-transmit
Switch(config-pmap-c)# exit
This example shows how to configure a default traffic class to a policy map:
Switch# configure terminal
Switch(config)# class-map cm-3
Switch(config-cmap)# match ip dscp 30
Switch(config-cmap)# match protocol ipv6
Switch(config-cmap)# exit
Switch(config)# class-map cm-4
Switch(config-cmap)# match ip dscp 40
Switch(config-cmap)# match protocol ip
Switch(config-cmap)# exit
Switch(config)# policy-map pm3
Switch(config-pmap)# class class-default
Switch(config-pmap-c)# set dscp 10
Switch(config-pmap-c)# exit
Switch(config-pmap)# class cm-3
Switch(config-pmap-c) set dscp 4
Switch(config-pmap-c)# exit
Switch(config-pmap)# class cm-4
Switch(config-pmap-c)# trust cos
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
You can verify your settings by entering the show policy-map privileged EXEC command.
This example shows how the default traffic class is automatically placed at the end of policy-map pm3 even though class-default was configured first:
Switch# show policy-map pm3
Related Commands
|
|
class-map |
Creates a class map to be used for matching packets to the class whose name you specify. |
police |
Defines a policer for classified traffic. |
policy-map |
Creates or modifies a policy map that can be attached to multiple ports to specify a service policy. |
set |
Classifies IP traffic by setting a DSCP or IP-precedence value in the packet. |
show policy-map |
Displays quality of service (QoS) policy maps. |
trust |
Defines a trust state for the traffic classified through the class policy-map configuration command or the class-map global configuration command. |
class-map
Use the class-map global configuration command on the switch stack or on a standalone switch to create a class map to be used for matching packets to the class whose name you specify and to enter class-map configuration mode. Use the no form of this command to delete an existing class map and to return to global configuration mode.
class-map [ match-all | match-any ] class-map-name
no class-map [ match-all | match-any ] class-map-name
Syntax Description
match-all |
(Optional) Perform a logical-AND of all matching statements under this class map. All criteria in the class map must be matched. |
match-any |
(Optional) Perform a logical-OR of the matching statements under this class map. One or more criteria must be matched. |
class-map-name |
Name of the class map. |
Defaults
No class maps are defined.
If neither the match-all or match-any keyword is specified, the default is match-all.
Command Modes
Global configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
Use this command to specify the name of the class for which you want to create or modify class-map match criteria and to enter class-map configuration mode.
The class-map command and its subcommands are used to define packet classification, marking, and aggregate policing as part of a globally named service policy applied on a per-port basis.
After you are in quality of service (QoS) class-map configuration mode, these configuration commands are available:
- description : describes the class map (up to 200 characters). The show class-map privileged EXEC command displays the description and the name of the class-map.
- exit : exits from QoS class-map configuration mode.
- match : configures classification criteria. For more information, see the match (class-map configuration) command.
- no : removes a match statement from a class map.
- rename : renames the current class map. If you rename a class map with a name that is already used, the message
A class-map with this name already exists
appears.
If you enter the match-all or match-any keyword, you can only use it to specify an extended named access control list (ACL) with the match access-group acl-index-or-name class-map configuration command.
To define packet classification on a physical-port basis, only one match command per class map is supported. In this situation, the match-all and match-any keywords are equivalent.
Only one ACL can be configured in a class map. The ACL can have multiple access control entries (ACEs).
Examples
This example shows how to configure the class map called class1 with one match criterion, which is an access list called 103 :
Switch(config)# access-list 103 permit ip any any dscp 10
Switch(config)# class-map class1
Switch(config-cmap)# match access-group 103
Switch(config-cmap)# exit
This example shows how to delete the class map class1:
Switch(config)# no class-map class1
You can verify your settings by entering the show class-map privileged EXEC command.
Related Commands
|
|
class |
Defines a traffic classification match criteria (through the police, set, and trust policy-map class configuration commands) for the specified class-map name. |
match (class-map configuration) |
Defines the match criteria to classify traffic. |
policy-map |
Creates or modifies a policy map that can be attached to multiple ports to specify a service policy. |
show class-map |
Displays QoS class maps. |
clear dot1x
Use the clear dot1x privileged EXEC command on the switch stack or on a standalone switch to clear IEEE 802.1x information for the switch or for the specified port.
clear dot1x { all | interface interface-id }
Syntax Description
all |
Clear all IEEE 802.1x information for the switch. |
interface interface-id |
Clear IEEE 802.1x information for the specified interface. |
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
You can clear all the information by using the clear dot1x all command, or you can clear only the information for the specified interface by using the clear dot1x interface interface-id command.
Examples
This example shows how to clear all IEEE 8021.x information:
This example shows how to clear IEEE 8021.x information for the specified interface:
Switch#
clear dot1x interface gigabithethernet1/0/1
You can verify that the information was deleted by entering the show dot1x privileged EXEC command.
Related Commands
|
|
show dot1x |
Displays IEEE 802.1x statistics, administrative status, and operational status for the switch or for the specified port. |
clear eap sessions
Use the clear eap sessions privileged EXEC command on the switch stack or on a standalone switch to clear Extensible Authentication Protocol (EAP) session information for the switch or for the specified port.
clear eap sessions [ credentials name [ interface interface-id ] | interface interface-id | method name | transport name ] [ credentials name | interface interface-id | transport name ]...
Syntax Description
credentials name |
Clear EAP credential information for the specified profile. |
interface interface-id |
Clear EAP information for the specified interface. |
method name |
Clear EAP information for the specified method. |
transport name |
Clear EAP transport information for the specified lower level. |
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
You can clear all counters by using the clear eap sessions command, or you can clear only the specific information by using the keywords.
Examples
This example shows how to clear all EAP information:
Switch#
clear eap sessions
This example shows how to clear EAP-session credential information for the specified profile:
Switch#
clear eap sessions credential type1
You can verify that the information was deleted by entering the show dot1x privileged EXEC command.
Related Commands
|
|
show eap |
Displays EAP registration and session information for the switch or for the specified port |
clear errdisable interface
Use the clear errdisable interface privileged EXEC command on the switch stack or on a standalone switch to re-enable a VLAN that was error disabled.
clear errdisable interface interface-id vlan [vlan-list]
Syntax Description
vlan list |
(Optional) Specify a list of VLANs to be re-enabled. If a vlan-list is not specified, then all VLANs are re-enabled. |
Command Default
No default is defined
Command Modes
Privileged EXEC
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
You can re-enable a port by using the shutdown and no shutdown interface configuration commands, or you can clear error disable for VLANs by using the clear errdisable interface command.
Examples
This example shows how to re-enable all VLANs that were error-disabled on Gigabit Ethernet port 4/0/2.
Switch#
clear errdisable interface gigabitethernet4/0/2 vlan
Related Commands
|
|
errdisable detect cause |
Enables error-disabled detection for a specific cause or all causes. |
errdisable recovery |
Configures the recovery mechanism variables. |
show errdisable detect |
Displays error-disabled detection status. |
show errdisable recovery |
Display error-disabled recovery timer information. |
show interfaces status err-disabled |
Displays interface status of a list of interfaces in error-disabled state. |
clear ip arp inspection log
Use the clear ip arp inspection log privileged EXEC command on the switch stack or on a standalone switch to clear the dynamic Address Resolution Protocol (ARP) inspection log buffer.
clear ip arp inspection log
Syntax Description
This command has no arguments or keywords.
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Examples
This example shows how to clear the contents of the log buffer:
Switch#
clear ip arp inspection log
You can verify that the log was cleared by entering the show ip arp inspection log privileged command.
Related Commands
|
|
arp access-list |
Defines an ARP access control list (ACL). |
ip arp inspection log-buffer |
Configures the dynamic ARP inspection logging buffer. |
ip arp inspection vlan logging |
Controls the type of packets that are logged per VLAN. |
show inventory log |
Displays the configuration and contents of the dynamic ARP inspection log buffer. |
clear ip arp inspection statistics
Use the clear ip arp inspection statistics privileged EXEC command on the switch stack or on a standalone switch to clear the dynamic Address Resolution Protocol (ARP) inspection statistics.
clear ip arp inspection statistics [ vlan vlan-range ]
Syntax Description
vlan vlan-range |
(Optional) Clear statistics for the specified VLAN or VLANs. You can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094. |
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Examples
This example shows how to clear the statistics for VLAN 1:
Switch# clear ip arp inspection statistics vlan 1
You can verify that the statistics were deleted by entering the show ip arp inspection statistics vlan 1 privileged EXEC command.
Related Commands
|
|
show inventory statistics |
Displays statistics for forwarded, dropped, MAC validation failure, and IP validation failure packets for all VLANs or the specified VLAN. |
clear ip dhcp snooping
Use the clear ip dhcp snooping privileged EXEC command on the switch stack or on a standalone switch to clear the DHCP binding database agent statistics or the DHCP snooping statistics counters.
clear ip dhcp snooping { binding {* | ip-address | interface interface-id | vlan vlan-id } | database statistics | statistics }
Syntax Description
binding |
Clear the DHCP snooping binding database. |
* |
Clear all automatic bindings. |
ip-address |
Clear the binding entry IP address. |
interface interface-id |
Clear the binding input interface. |
vlan vlan-id |
Clear the binding entry VLAN. |
database statistics |
Clear the DHCP snooping binding database agent statistics. |
statistics |
Clear the DHCP snooping statistics counter. |
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
When you enter the clear ip dhcp snooping database statistics command, the switch does not update the entries in the binding database and in the binding file before clearing the statistics.
Examples
This example shows how to clear the DHCP snooping binding database agent statistics:
Switch#
clear ip dhcp snooping database statistics
You can verify that the statistics were cleared by entering the show ip dhcp snooping database privileged EXEC command.
This example shows how to clear the DHCP snooping statistics counters:
Switch#
clear ip dhcp snooping statistics
You can verify that the statistics were cleared by entering the show ip dhcp snooping statistics user EXEC command.
Related Commands
|
|
ip dhcp snooping |
Enables DHCP snooping on a VLAN. |
ip dhcp snooping database |
Configures the DHCP snooping binding database agent or the binding file. |
show ip dhcp snooping binding |
Displays the status of DHCP snooping database agent. |
show ip dhcp snooping database |
Displays the DHCP snooping binding database agent statistics. |
show ip dhcp snooping statistics |
Displays the DHCP snooping statistics. |
clear ipc
Use the clear ipc privileged EXEC command on the switch stack or on a standalone switch to clear Interprocess Communications Protocol (IPC) statistics.
clear ipc { queue-statistics | statistics }
Note This command is not supported on switches running the LAN base feature set.
Syntax Description
queue-statistics |
Clear the IPC queue statistics. |
statistics |
Clear the IPC statistics. |
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
You can clear all statistics by using the clear ipc statistics command, or you can clear only the queue statistics by using the clear ipc queue-statistics command.
Examples
This example shows how to clear all statistics:
Switch#
clear ipc statistics
This example shows how to clear only the queue statistics:
Switch#
clear ipc queue-statistics
You can verify that the statistics were deleted by entering the show ipc rpc or the show ipc session privileged EXEC command.
Related Commands
|
|
show ipc { rpc | session } |
Displays the IPC multicast routing statistics. |
clear ipv6 dhcp conflict
Use the clear ipv6 dhcp conflict privileged EXEC command on the switch stack or on a standalone switch to clear an address conflict from the Dynamic Host Configuration Protocol for IPv6 (DHCPv6) server database.
clear ipv6 dhcp conflict {* | IPv6-address}
Note This command is available only if you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch. This command is not supported if the switch is running the LAN base feature set.
Syntax Description
* |
Clear all address conflicts. |
IPv6-address |
Clear the host IPv6 address that contains the conflicting address. |
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 { default | vlan } global configuration command, and reload the switch.
When you configure the DHCPv6 server to detect conflicts, it uses ping. The client uses neighbor discovery to detect clients and reports to the server through a DECLINE message. If an address conflict is detected, the address is removed from the pool, and the address is not assigned until the administrator removes the address from the conflict list.
If you use the asterisk (*) character as the address parameter, DHCP clears all conflicts.
Examples
This example shows how to clear all address conflicts from the DHCPv6 server database:
Switch# clear ipv6 dhcp conflict *
Related Commands
|
|
show ipv6 dhcp conflict |
Displays address conflicts found by a DHCPv6 server, or reported through a DECLINE message from a client. |
clear l2protocol-tunnel counters
Use the clear l2protocol-tunnel counters privileged EXEC command on the switch stack or on a standalone switch to clear the protocol counters in protocol tunnel ports.
clear l2protocol-tunnel counters [ interface-id ]
Note This command is not supported on switches running the LAN base feature set.
Syntax Description
interface-id |
(Optional) Specify the interface (physical interface or port channel) for which protocol counters are to be cleared. |
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
Use this command to clear protocol tunnel counters on the switch or on the specified interface.
Examples
This example shows how to clear Layer 2 protocol tunnel counters on an interface:
S
witch# clear l2protocol-tunnel counters gigabitethernet1/0/3
Related Commands
|
|
show l2protocol-tunnel |
Displays information about ports configured for Layer 2 protocol tunneling. |
clear lacp
Use the clear lacp privileged EXEC command on the switch stack or on a standalone switch to clear Link Aggregation Control Protocol (LACP) channel-group counters.
clear lacp { channel-group-number counters | counters }
Syntax Description
channel-group-number |
(Optional) Channel group number. The range is 1 to 48. |
counters |
Clear traffic counters. |
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
You can clear all counters by using the clear lacp counters command, or you can clear only the counters for the specified channel group by using the clear lacp channel-group-number counters command.
Examples
This example shows how to clear all channel-group information:
Switch#
clear lacp counters
This example shows how to clear LACP traffic counters for group 4:
Switch#
clear lacp 4 counters
You can verify that the information was deleted by entering the show lacp counters or the show lacp 4 counters privileged EXEC command.
Related Commands
|
|
show lacp |
Displays LACP channel-group information. |
clear logging onboard
Use the clear logging onboard privileged EXEC command on the switch stack or on a standalone switch to clear all of the on-board failure logging (OBFL) data except for the uptime and CLI-command information stored in the flash memory.
clear logging onboard
Syntax Description
This command has no arguments or keywords.
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
We recommend that you keep OBFL enabled and do not erase the data stored in the flash memory.
Examples
This example shows how to clear all the OBFL information except for the uptime and CLI-command information:
Switch#
clear logging onboard
Clear logging onboard buffer [confirm]
You can verify that the information was deleted by entering the show logging onboard onboard privileged EXEC command.
Related Commands
|
|
hw-module module [ switch-number ] logging onboard |
Enables OBFL. |
show logging onboard onboard |
Displays OBFL information. |
clear logging smartlog statistics interface
To clear smart logging counters on an interface, use the clear logging smartlog statistics interface command in privileged EXEC mode.
clear logging smartlog statistics [ interface interface-id ]
Syntax Description
interface interface-id |
Clears smartlog counters on the specified interface. |
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
|
|
12.2(58)SE |
This command was introduced. |
Usage Guidelines
You can clear all smart logging statistics by using the clear logging smartlog statistics command, or you can clear only the statistics on an interface by using the clear logging smartlog statistics interface interface-id command.
Examples
This example shows how to clear all smart logging statistics:
Switch#
clear logging smartlog statistics
This example shows how to clear only the smart logging statistics on the specified interface:
Switch#
clear logging smartlog statistics interface gi1/0/1
You can verify that the statistics were deleted by entering the show ipc rpc or the show ipc session privileged EXEC command.
Related Commands
|
|
show logging smartlog statistics |
Displays the smart logging statistics. |
clear mac address-table
Use the clear mac address-table privileged EXEC command on the switch stack or on a standalone switch to delete from the MAC address table a specific dynamic address, all dynamic addresses on a particular interface, all dynamic addresses on stack members, or all dynamic addresses on a particular VLAN. This command also clears the MAC address notification global counters.
clear mac address-table { dynamic [ address mac-addr | interface interface-id | vlan vlan-id ] | notification }
Syntax Description
dynamic |
Delete all dynamic MAC addresses. |
dynamic address mac-addr |
(Optional) Delete the specified dynamic MAC address. |
dynamic interface interface-id |
(Optional) Delete all dynamic MAC addresses on the specified physical port or port channel. |
dynamic vlan vlan-id |
(Optional) Delete all dynamic MAC addresses for the specified VLAN. The range is 1 to 4094. |
notification |
Clear the notifications in the history table and reset the counters. |
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Examples
This example shows how to remove a specific MAC address from the dynamic address table:
Switch# clear mac address-table dynamic address 0008.0070.0007
You can verify that the information was deleted by entering the show mac address-table privileged EXEC command.
Related Commands
|
|
mac address-table notification |
Enables the MAC address notification feature. |
\show mac address-table |
Displays the MAC address table static and dynamic entries. |
show mac address-table notification |
Displays the MAC address notification settings for all interfaces or the specified interface. |
snmp trap mac-notification change |
Enables the Simple Network Management Protocol (SNMP) MAC address notification trap on a specific interface. |
clear mac address-table move update
Use the clear mac address-table move update privileged EXEC command on the switch stack or on a standalone switch to clear the MAC address table move-update counters.
clear mac address-table move update
Syntax Description
This command has no arguments or keywords.
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Examples
This example shows how to clear the MAC address table move-update counters.
Switch# clear mac address-table move update
You can verify that the information was cleared by entering the show mac address-table move update privileged EXEC command.
Related Commands
|
|
mac address-table move update { receive | transmit } |
Configures MAC address-table move update on the switch. |
show mac address-table move update |
Displays the MAC address-table move update information on the switch. |
clear macsec counters interface
To clear Media Access Control Security (MACsec) counters for all interfaces or a specified interface, use the clear macsec counters interface privileged EXEC command.
clear macsec counters interface [ interface-id ]
Syntax Description
interface-id |
(Optional) Clears MACsec counters only for the specified interface. |
Command Modes
Privileged EXEC
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Examples
This example clears all MACsec counters on all interfaces:
Switch# clear macsec counters interface
This example clears the MACsec counters on the specified interface:
Switch# clear macsec counters interface gigabitethernet 1/0/2
Related Commands
|
|
clear mka |
Clears MACsec Key Agreement (MKA) protocol policies or information. |
macsec |
Enables MACsec on an interface. |
show macsec |
Displays MACsec information. |
clear mka
To clear MACsec Key Agreement (MKA) protocol sessions or information, use the clear mka privileged EXEC command.
clear mka { all | sessions [ interface interface-id [ port-id port-id ]] | [ local-sci sci ] | statistics [ interface interface-id port-id port-id ] | [ local-sci sci ]}
Syntax Description
all |
Clears all MKA sessions and global statistics. |
sessions |
Clears all MKA sessions. |
interface interface-id |
(Optional) Clears all active MKA sessions on the interface. |
port-id port-id |
(Optional) Clears the MKA session on the specified interface with the specified port ID. The port-ID range is 1 to 65535. |
local-sci sci |
(Optional) Clears all active MKA sessions with the specified Local TX-SCI, a 64-bit hexadecimal string. |
statistics |
Clears all MKA statistics and error counters. Enter additional keywords to clear counters only for an interface or Local TX-SCI.
- interface interface-id port-id port-id — Clears MKA session statistics for the specified interface and port ID.
- local-sci sci — Clears MKA session statistics for the specified Local TX-SCI.
|
Command Modes
Privileged EXEC
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
When you enter the clear mka all command, the switch prompts for a confirmation and then deletes all active MKA sessions.
Examples
This example clears all active MKA sessions:
Are you sure you want to do this? [yes/no]: yes
This example clears the statistics counter of a specific MKA session running with Local TX-SCI 0023330853030002:
Switch# clear mka statistics local-sci 0023330853030002
Related Commands
|
|
show mka policy |
Displays MKA policy configuration information. |
show mka sessions |
Displays a summary of MKA sessions. |
show mka statistics |
Displays global MKA statistics. |
show mka summary |
Displays MKA sessions summary and global statistics. |
clear nmsp statistics
Use the clear nmsp statistics privileged EXEC command to clear the Network Mobility Services Protocol (NMSP) statistics.
clear nmsp statistics
Syntax Description
This command has no arguments or keywords.
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Examples
This example shows how to clear NMSP statistics:
Switch# clear nmsp statistics
You can verify that information was deleted by entering the show nmsp statistics privileged EXEC command.
Related Commands
|
|
show nmsp |
Displays the NMSP information. |
clear pagp
Use the clear pagp privileged EXEC command on the switch stack or on a standalone switch to clear Port Aggregation Protocol (PAgP) channel-group information.
clear pagp { channel-group-number counters | counters }
Syntax Description
channel- group-number |
(Optional) Channel group number. The range is 1 to 48. |
counters |
Clear traffic counters. |
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
You can clear all counters by using the clear pagp counters command, or you can clear only the counters for the specified channel group by using the clear pagp channel-group-number counters command.
Examples
This example shows how to clear all channel-group information:
Switch#
clear pagp counters
This example shows how to clear PAgP traffic counters for group 10:
Switch#
clear pagp 10 counters
You can verify that information was deleted by entering the show pagp privileged EXEC command.
Related Commands
|
|
show pagp |
Displays PAgP channel-group information. |
clear port-security
Use the clear port-security privileged EXEC command on the switch stack or on a standalone switch to delete from the MAC address table all secure addresses or all secure addresses of a specific type (configured, dynamic, or sticky) on the switch or on an interface.
clear port-security { all | configured | dynamic | sticky } [[ address mac-addr | interface interface-id ] [ vlan { vlan-id | { access | voice }}]]
Syntax Description
all |
Delete all secure MAC addresses. |
configured |
Delete configured secure MAC addresses. |
dynamic |
Delete secure MAC addresses auto-learned by hardware. |
sticky |
Delete secure MAC addresses, either auto-learned or configured. |
address mac-addr |
(Optional) Delete the specified dynamic secure MAC address. |
interface interface-id |
(Optional) Delete all the dynamic secure MAC addresses on the specified physical port or VLAN. |
vlan |
(Optional) Delete the specified secure MAC address from the specified VLAN. Enter one of these options after you enter the vlan keyword:
- vlan-id —On a trunk port, specify the VLAN ID of the VLAN on which this address should be cleared.
- access —On an access port, clear the specified secure MAC address on the access VLAN.
- voice —On an access port, clear the specified secure MAC address on the voice VLAN.
Note The voice keyword is available only if voice VLAN is configured on a port and if that port is not the access VLAN. |
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Examples
This example shows how to clear all secure addresses from the MAC address table:
Switch# clear port-security all
This example shows how to remove a specific configured secure address from the MAC address table:
Switch# clear port-security configured address 0008.0070.0007
This example shows how to remove all the dynamic secure addresses learned on a specific interface:
Switch# clear port-security dynamic interface gigabitethernet1/0/1
This example shows how to remove all the dynamic secure addresses from the address table:
Switch# clear port-security dynamic
You can verify that the information was deleted by entering the show port-security privileged EXEC command.
Related Commands
|
|
switchport port-security |
Enables port security on an interface. |
switchport port-security mac-address mac-address |
Configures secure MAC addresses. |
switchport port-security maximum value |
Configures a maximum number of secure MAC addresses on a secure interface. |
show port-security |
Displays the port security settings defined for an interface or for the switch. |
clear psp counter
To clear the protocol storm protection counter of packets dropped for all protocols, use the clear psp counter privileged EXEC command.
clear psp counter [ arp | igmp | dhcp ]
Syntax Description
arp |
(Optional) Clear the counter of dropped packets for ARP and ARP snooping. |
dhcp |
(Optional) Clear the counter of dropped packets for DHCP and DHCP snooping. |
igmp |
(Optional) Clear the counter of dropped packets for IGMP and IGMP snooping. |
Command Modes
Privileged EXEC
Command History
|
|
12.2(58)SE |
This command was introduced. |
Examples
In this example, the protocol storm protection counter for DHCP is cleared.
Switch# clear psp counter dhcp
Related Commands
|
|
psp { arp | dhcp | igmp } pps value |
Configures protocol storm protection for ARP, DHCP, or IGMP. |
show psp config |
Displays the protocol storm protection configuration |
show psp statistics |
Displays the number of dropped packets. |
clear rep counters
To clear Resilient Ethernet Protocol (REP) counters for the specified interface or all interfaces, use the clear rep counters privileged EXEC command
clear rep counters [ interface interface-id ]
Syntax Description
interface interface-id |
(Optional) Specifies a REP interface whose counters should be cleared. |
Command Modes
Privileged EXEC
Command History
|
|
15.0(2)SE |
This command was introduced. |
Usage Guidelines
You can clear all REP counters by using the clear rep counters command, or you can clear only the counters for the interface by using the clear rep counters interface interface-id command.
When you enter the clear rep counters command, only the counters visible in the output of the show interface rep detail command are cleared. SNMP visible counters are not cleared because they are read-only.
Examples
This example shows how to clear all REP counters for all REP interfaces:
Switch# clear rep counters
You can verify that REP information was deleted by entering the show interfaces rep detail privileged EXEC command.
Related Commands
|
|
show interfaces rep [detail] |
Displays detailed REP configuration and status information. |
clear spanning-tree counters
Use the clear spanning-tree counters privileged EXEC command on the switch stack or on a standalone switch to clear the spanning-tree counters.
clear spanning-tree counters [ interface interface-id ]
Syntax Description
interface interface-id |
(Optional) Clear all spanning-tree counters on the specified interface. Valid interfaces include physical ports, VLANs, and port channels. The VLAN range is 1 to 4094. The port-channel range is 1 to 48. |
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
If the interface-id is not specified, spanning-tree counters are cleared for all interfaces.
Examples
This example shows how to clear spanning-tree counters for all interfaces:
Switch# clear spanning-tree counters
Related Commands
|
|
show spanning-tree |
Displays spanning-tree state information. |
clear spanning-tree detected-protocols
Use the clear spanning-tree detected-protocols privileged EXEC command on the switch stack or on a standalone switch to restart the protocol migration process (force the renegotiation with neighboring switches) on all interfaces or on the specified interface.
clear spanning-tree detected-protocols [ interface interface-id ]
Syntax Description
interface interface-id |
(Optional) Restart the protocol migration process on the specified interface. Valid interfaces include physical ports, VLANs, and port channels. The VLAN range is 1 to 4094. The port-channel range is 1 to 48. |
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
A switch running the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol or the Multiple Spanning Tree Protocol (MSTP) supports a built-in protocol migration mechanism that enables it to interoperate with legacy IEEE 802.1D switches. If a rapid-PVST+ switch or an MSTP switch receives a legacy IEEE 802.1D configuration bridge protocol data unit (BPDU) with the protocol version set to 0, it sends only IEEE 802.1D BPDUs on that port. A multiple spanning-tree (MST) switch can also detect that a port is at the boundary of a region when it receives a legacy BPDU, an MST BPDU (Version 3) associated with a different region, or a rapid spanning-tree (RST) BPDU (Version 2).
However, the switch does not automatically revert to the rapid-PVST+ or the MSTP mode if it no longer receives IEEE 802.1D BPDUs because it cannot learn whether the legacy switch has been removed from the link unless the legacy switch is the designated switch. Use the clear spanning-tree detected-protocols command in this situation.
Examples
This example shows how to restart the protocol migration process on a port:
Switch# clear spanning-tree detected-protocols interface gigabitethernet2/0/1
Related Commands
|
|
show spanning-tree |
Displays spanning-tree state information. |
spanning-tree link-type |
Overrides the default link-type setting and enables rapid spanning-tree changes to the forwarding state. |
clear vmps statistics
Use the clear vmps statistics privileged EXEC command on the switch stack or on a standalone switch to clear the statistics maintained by the VLAN Query Protocol (VQP) client.
clear vmps statistics
Syntax Description
This command has no arguments or keywords.
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Examples
This example shows how to clear VLAN Membership Policy Server (VMPS) statistics:
Switch# clear vmps statistics
You can verify that information was deleted by entering the show vmps statistics privileged EXEC command.
Related Commands
|
|
show vmps |
Displays the VQP version, reconfirmation interval, retry count, VMPS IP addresses, and the current and primary servers. |
clear vtp counters
Use the clear vtp counters privileged EXEC command on the switch stack or on a standalone switch to clear the VLAN Trunking Protocol (VTP) and pruning counters.
clear vtp counters
Syntax Description
This command has no arguments or keywords.
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Examples
This example shows how to clear the VTP counters:
Switch# clear vtp counters
You can verify that information was deleted by entering the show vtp counters privileged EXEC command.
Related Commands
|
|
show vtp |
Displays general information about the VTP management domain, status, and counters. |
cluster commander-address
You do not need to enter this command from the switch stack or from a standalone cluster member switch. The cluster command switch automatically provides its MAC address to cluster member switches when these switches join the cluster. The cluster member switch adds this information and other cluster information to its running configuration file. Use the no form of this global configuration command from the cluster member switch console port or Ethernet management port to remove the switch from a cluster only during debugging or recovery procedures.
cluster commander-address mac-address [ member number name name ]
no cluster commander-address
Syntax Description
mac-address |
MAC address of the cluster command switch. |
member number |
(Optional) Number of a configured cluster member switch. The range is 0 to 15. |
name name |
(Optional) Name of the configured cluster up to 31 characters. |
Defaults
The switch is not a member of any cluster.
Command Modes
Global configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
This command is available only on the cluster command switch stack or the cluster command switch.
A cluster member can have only one cluster command switch.
The cluster member switch retains the identity of the cluster command switch during a system reload by using the mac-address parameter.
You can enter the no form on a cluster member switch to remove it from the cluster during debugging or recovery procedures. You would normally use this command from the cluster member switch console port or Ethernet management port only when the member has lost communication with the cluster command switch. With normal switch configuration, we recommend that you remove cluster member switches only by entering the no cluster member n global configuration command on the cluster command switch.
When a standby cluster command switch becomes active (becomes the cluster command switch), it removes the cluster commander address line from its configuration.
Examples
This is partial sample output from the running configuration of a cluster member.
Switch(config)# show running-configuration
cluster commander-address 00e0.9bc0.a500 member 4 name my_cluster
This example shows how to remove a member from the cluster by using the cluster member console.
Switch # configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# no cluster commander-address
You can verify your settings by entering the show cluster privileged EXEC command.
Related Commands
|
|
show cluster |
Displays the cluster status and a summary of the cluster to which the switch belongs. |
cluster discovery hop-count
Use the cluster discovery hop-count global configuration command on the switch stack or on the cluster command switch to set the hop-count limit for extended discovery of candidate switches. Use the no form of this command to return to the default setting.
cluster discovery hop-count number
no cluster discovery hop-count
Syntax Description
number |
Number of hops from the cluster edge that the cluster command switch limits the discovery of candidates. The range is 1 to 7. |
Defaults
The hop count is set to 3.
Command Modes
Global configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
This command is available only on the cluster command switch stack or cluster command switch. This command does not operate on cluster member switches.
If the hop count is set to 1, it disables extended discovery. The cluster command switch discovers only candidates that are one hop from the edge of the cluster. The edge of the cluster is the point between the last discovered cluster member switch and the first discovered candidate switch.
Examples
This example shows how to set hop count limit to 4. This command is executed on the cluster command switch.
Switch(config)# cluster discovery hop-count 4
You can verify your setting by entering the show cluster privileged EXEC command.
Related Commands
|
|
show cluster |
Displays the cluster status and a summary of the cluster to which the switch belongs. |
show cluster candidates |
Displays a list of candidate switches. |
cluster enable
Use the cluster enable global configuration command on a command-capable switch or switch stack to enable it as the cluster command switch, assign a cluster name, and to optionally assign a member number to it. Use the no form of the command to remove all members and to make the cluster command switch a candidate switch.
cluster enable name [ command-switch-member-number ]
no cluster enable
Syntax Description
name |
Name of the cluster up to 31 characters. Valid characters include only alphanumerics, dashes, and underscores. |
command-switch-member-number |
(Optional) Assign a member number to the cluster command switch of the cluster. The range is 0 to 15. |
Defaults
The switch is not a cluster command switch.
No cluster name is defined.
The member number is 0 when the switch is the cluster command switch.
Command Modes
Global configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
Enter this command on any command-capable switch that is not part of any cluster. This command fails if a device is already configured as a member of the cluster.
You must name the cluster when you enable the cluster command switch. If the switch is already configured as the cluster command switch, this command changes the cluster name if it is different from the previous cluster name.
Examples
This example shows how to enable the cluster command switch, name the cluster, and set the cluster command switch member number to 4.
Switch(config)# cluster enable Engineering-IDF4 4
You can verify your setting by entering the show cluster privileged EXEC command on the cluster command switch.
Related Commands
|
|
show cluster |
Displays the cluster status and a summary of the cluster to which the switch belongs. |
cluster holdtime
Use the cluster holdtime global configuration command on the switch stack or on the cluster command switch to set the duration in seconds before a switch (either the command or cluster member switch) declares the other switch down after not receiving heartbeat messages. Use the no form of this command to set the duration to the default value.
cluster holdtime holdtime-in-secs
no cluster holdtime
Syntax Description
holdtime-in-secs |
Duration in seconds before a switch (either a command or cluster member switch) declares the other switch down. The range is 1 to 300 seconds. |
Defaults
The default holdtime is 80 seconds.
Command Modes
Global configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
Enter this command with the cluster timer global configuration command only on the cluster command switch. The cluster command switch propagates the values to all its cluster members so that the setting is consistent among all switches in the cluster.
The holdtime is typically set as a multiple of the interval timer (cluster timer). For example, it takes (holdtime-in-secs divided by the interval-in-secs) number of heartbeat messages to be missed in a row to declare a switch down.
Examples
This example shows how to change the interval timer and the duration on the cluster command switch.
Switch(config)# cluster timer 3
Switch(config)# cluster holdtime 30
You can verify your settings by entering the show cluster privileged EXEC command.
Related Commands
|
|
show cluster |
Displays the cluster status and a summary of the cluster to which the switch belongs. |
cluster member
Use the cluster member global configuration command on the cluster command switch to add candidates to a cluster. Use the no form of the command to remove members from the cluster.
cluster member [ n ] mac-address H.H.H [ password enable-password ] [ vlan vlan-id ]
no cluster member n
Syntax Description
n |
The number that identifies a cluster member. The range is 0 to 15. |
mac-address H.H.H |
MAC address of the cluster member switch in hexadecimal format. |
password enable-password |
Enable password of the candidate switch. The password is not required if there is no password on the candidate switch. |
vlan vlan-id |
(Optional) VLAN ID through which the candidate is added to the cluster by the cluster command switch. The range is 1 to 4094. |
Defaults
A newly enabled cluster command switch has no associated cluster members.
Command Modes
Global configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
Enter this command only on the cluster command switch to add a candidate to or remove a member from the cluster. If you enter this command on a switch other than the cluster command switch, the switch rejects the command and displays an error message.
You must enter a member number to remove a switch from the cluster. However, you do not need to enter a member number to add a switch to the cluster. The cluster command switch selects the next available member number and assigns it to the switch that is joining the cluster.
You must enter the enable password of the candidate switch for authentication when it joins the cluster. The password is not saved in the running or startup configuration. After a candidate switch becomes a member of the cluster, its password becomes the same as the cluster command-switch password.
If a switch does not have a configured hostname, the cluster command switch appends a member number to the cluster command-switch hostname and assigns it to the cluster member switch.
If you do not specify a VLAN ID, the cluster command switch automatically chooses a VLAN and adds the candidate to the cluster.
Examples
This example shows how to add a switch as member 2 with MAC address 00E0.1E00.2222 and the password key to a cluster. The cluster command switch adds the candidate to the cluster through VLAN 3.
Switch(config)# cluster member 2 mac-address 00E0.1E00.2222 password key vlan 3
This example shows how to add a switch with MAC address 00E0.1E00.3333 to the cluster. This switch does not have a password. The cluster command switch selects the next available member number and assigns it to the switch that is joining the cluster.
Switch(config)# cluster member mac-address 00E0.1E00.3333
You can verify your settings by entering the show cluster members privileged EXEC command on the cluster command switch.
Related Commands
|
|
show cluster |
Displays the cluster status and a summary of the cluster to which the switch belongs. |
show cluster candidates |
Displays a list of candidate switches. |
show cluster members |
Displays information about the cluster members. |
cluster outside-interface
Use the cluster outside-interface global configuration command on the switch stack or on the a cluster command switch to configure the outside interface for cluster Network Address Translation (NAT) so that a member without an IP address can communicate with devices outside the cluster. Use the no form of this command to return to the default setting.
cluster outside-interface interface-id
no cluster outside-interface
Syntax Description
interface-id |
Interface to serve as the outside interface. Valid interfaces include physical interfaces, port-channels, or VLANs. The port-channel range is 1 to 48. The VLAN range is 1 to 4094. |
Defaults
The default outside interface is automatically selected by the cluster command switch.
Command Modes
Global configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
Enter this command only on the cluster command switch. If you enter this command on a cluster member switch, an error message appears.
Examples
This example shows how to set the outside interface to VLAN 1:
Switch(config)# cluster outside-interface vlan 1
You can verify your setting by entering the show running-config privileged EXEC command.
Related Commands
|
|
show running-config |
Displays the operating configuration. |
cluster run
Use the cluster run global configuration command to enable clustering on a switch. Use the no form of this command to disable clustering on a switch.
cluster run
no cluster run
Syntax Description
This command has no arguments or keywords.
Defaults
Clustering is enabled on all switches.
Command Modes
Global configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
When you enter the no cluster run command on a cluster command switch or cluster command switch stack, the cluster command switch is disabled. Clustering is disabled, and the switch cannot become a candidate switch.
When you enter the no cluster run command on a cluster member switch, it is removed from the cluster. Clustering is disabled, and the switch cannot become a candidate switch.
When you enter the no cluster run command on a switch that is not part of a cluster, clustering is disabled on this switch. This switch cannot then become a candidate switch.
Examples
This example shows how to disable clustering on the cluster command switch:
Switch(config)# no cluster run
You can verify your setting by entering the show cluster privileged EXEC command.
Related Commands
|
|
show cluster |
Displays the cluster status and a summary of the cluster to which the switch belongs. |
cluster standby-group
Use the cluster standby-group global configuration command to enable cluster command-switch redundancy by binding the cluster to an existing Hot Standby Router Protocol (HSRP). Entering the routing-redundancy keyword enables the same HSRP group to be used for cluster command-switch redundancy and routing redundancy. Use the no form of this command to return to the default setting.
cluster standby-grou p HSRP-group-name [ routing-redundancy ]
no cluster standby-group
Syntax Description
HSRP-group-name |
Name of the HSRP group that is bound to the cluster. The group name is limited to 32 characters. |
routing-redundancy |
(Optional) Enable the same HSRP standby group to be used for cluster command-switch redundancy and routing redundancy. |
Defaults
The cluster is not bound to any HSRP group.
Command Modes
Global configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
Enter this command only on the cluster command switch. If you enter it on a cluster member switch, an error message appears.
The cluster command switch propagates the cluster-HSRP binding information to all cluster-HSRP capable members. Each cluster member switch stores the binding information in its NVRAM. The HSRP group name must be a valid standby group; otherwise, the command exits with an error.
The same group name should be used on all members of the HSRP standby group that is to be bound to the cluster. The same HSRP group name should also be used on all cluster-HSRP capable members for the HSRP group that is to be bound. (When not binding a cluster to an HSRP group, you can use different names on the cluster commander and the members.)
Examples
This example shows how to bind the HSRP group named my_hsrp to the cluster. This command is executed on the cluster command switch.
Switch(config)# cluster standby-group my_hsrp
This example shows how to use the same HSRP group named my_hsrp for routing redundancy and cluster redundancy.
Switch(config)# cluster standby-group my_hsrp routing-redundancy
This example shows the error message when this command is executed on a cluster command switch and the specified HSRP standby group does not exist:
Switch(config)# cluster standby-group my_hsrp
%ERROR: Standby (my_hsrp) group does not exist
This example shows the error message when this command is executed on a cluster member switch:
Switch(config)# cluster standby-group my_hsrp routing-redundancy
%ERROR: This command runs on a cluster command switch
You can verify your settings by entering the show cluster privileged EXEC command. The output shows whether redundancy is enabled in the cluster.
Related Commands
|
|
standby ip |
Enables HSRP on the interface. For syntax information, select Cisco IOS IP Command Reference, Volume 1 of 3:Addressing and Services, Release 12.2 > IP Services Commands . |
show cluster |
Displays the cluster status and a summary of the cluster to which the switch belongs. |
show standby |
Displays standby group information. For syntax information, select Cisco IOS IP Command Reference, Volume 1 of 3:Addressing and Services, Release 12.2 > IP Services Commands . |
cluster timer
Use the cluster timer global configuration command on the switch stack or on the a cluster command switch to set the interval in seconds between heartbeat messages. Use the no form of this command to set the interval to the default value.
cluster timer interval-in-secs
no cluster timer
Syntax Description
interval-in-secs |
Interval in seconds between heartbeat messages. The range is 1 to 300 seconds. |
Defaults
The interval is 8 seconds.
Command Modes
Global configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
Enter this command with the cluster holdtime global configuration command only on the cluster command switch. The cluster command switch propagates the values to all its cluster members so that the setting is consistent among all switches in the cluster.
The holdtime is typically set as a multiple of the heartbeat interval timer (cluster timer). For example, it takes (holdtime-in-secs divided by the interval-in-secs) number of heartbeat messages to be missed in a row to declare a switch down.
Examples
This example shows how to change the heartbeat interval timer and the duration on the cluster command switch:
Switch(config)# cluster timer 3
Switch(config)# cluster holdtime 30
You can verify your settings by entering the show cluster privileged EXEC command.
Related Commands
|
|
show cluster |
Displays the cluster status and a summary of the cluster to which the switch belongs. |
copy logging onboard
Use the copy logging onboard privileged EXEC command on the switch stack or on a standalone switch to copy on-board failure logging (OBFL) data to the local network or a specific file system.
copy logging onboard module stack-member destination
Syntax Description
module stack-member |
Specify the stack member number. If the switch is a standalone switch, the switch number is 1. If the switch is in a stack, the range is 1 to 9, depending on the switch member numbers in the stack. This keyword is supported only on on stacking-capable switches. |
destination |
Specify the location on the local network or file system to which the system messages are copied. For destination, specify t he destination on the local or network file system and the filename. These options are supported:
- The syntax for the local flash file system:
flash [ number ] :/ filename
Use the number parameter to specify the stack member number of the stack master. The range for number is 1 to 9.
- The syntax for the FTP:
ftp:// username : password @ host / filename
- The syntax for an HTTP server:
http:// [[ username : password ] @ ]{ hostname | host-ip }[ / direct o ry ] /filename
- The syntax for the NVRAM:
nvram:/ filename
- The syntax for the null file system:
null:/ filename
- The syntax for the Remote Copy Protocol (RCP): rcp:// username @ host / filename
- The syntax for the switch file system:
system: filename
- The syntax for the temporary file system:
tmpsys:/ filename
- The syntax for the TFTP:
tftp: [[ // location ] / directory ] / filename
|
Defaults
This command has no default setting.
Command Modes
Privileged EXEC
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
For information about OBFL, see the hw-module command.
Examples
This example shows how to copy the OBFL data messages to the obfl_file file on the flash file system for stack member 3:
Switch# copy logging onboard module 3 flash:obfl_file
Related Commands
|
|
hw-module module [ switch-number ] logging onboard |
Enables OBFL. |
show logging onboard onboard |
Displays OBFL information. |
confidentiality-offset
To configure the confidentiality offset value for the MACsec Key Agreement (MKA) Protocol policy, use the confidentiality-offset MKA policy configuration command. To return to the default setting, use the no or default form of this command
confidentiality-offset offset-value
[ no | default ] confidentiality-offset
Syntax Description
offset-value |
Identifies a confidentiality (encryption) offset value for the MKA policy. Valid values are 0, 30, and 50 octets (bytes). |
Defaults
The default offset is 0 with no confidentiality offset.
Command Modes
MKA policy configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
If no confidentiality offset is configured, no encryption offset is used.
To use this feature, both peers must support confidentiality offset.
Examples
This example configures an MKA policy with a confidentiality offset of 30 bytes.
Switch(config)# mka policy replay-policy
Switch(config-mka-policy)# replay-protection window-size 300
Switch(config-mka-policy)# confidentiality offset 30
Switch(config-mka-policy)# end
You can verify your setting by entering the show mka session detail privileged EXEC command.
Related Commands
|
|
show mka session detail |
Displays detailed information about active MKA sessions. |
define interface-range
Use the define interface-range global configuration command on the switch stack or on a standalone switch to create an interface-range macro. Use the no form of this command to delete the defined macro.
define interface-range macro-name interface-range
no define interface-range macro-name interface-range
Syntax Description
macro-name |
Name of the interface-range macro; up to 32 characters. |
interface-range |
Interface range; for valid values for interface ranges, see “Usage Guidelines.” |
Defaults
This command has no default setting.
Command Modes
Global configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
The macro name is a 32-character maximum character string.
A macro can contain up to five ranges.
All interfaces in a range must be the same type; that is, all Fast Ethernet ports, all Gigabit Ethernet ports, all EtherChannel ports, or all VLANs, but you can combine multiple interface types in a macro.
When entering the interface-range, use this format:
- type { first-interface } - { last-interface }
- You must add a space between the first interface number and the hyphen when entering an interface-range. For example, gigabitethernet 1/0/1 - 2 is a valid range; gigabit ethernet 1/0/1-2 is not a valid range
Valid values for type and interface :
- vlan vlan-id - vlan-ID, where the VLAN ID is 1 to 4094
VLAN interfaces must have been configured with the interface vlan command (the show running-config privileged EXEC command displays the configured VLAN interfaces). VLAN interfaces not displayed by the show running-config command cannot be used in interface-ranges.
- port-channel port-channel-number, where port-channel-number is from 1 to 48
- gigabitethernet stack member/module/{ first port } - { last port }
- tengigabitethernet stack member/module/{ first port } - { last port }
For physical interfaces:
- stack member is the number used to identify the switch within the stack. The number ranges from 1 to 9 and is assigned to the switch the first time the stack member initializes.
- module is always 0.
- the range is type stack member /0/number - number (for example, gigabitethernet 1/0/1 - 2).
When you define a range, you must enter a space before the hyphen (-), for example:
gigabitethernet1/0/1 - 2
You can also enter multiple ranges. When you define multiple ranges, you must enter a space after the first entry before the comma (,). The space after the comma is optional, for example:
gigabitethernet1/0/3, gigabitethernet2/0/1 - 2
gigabitethernet1/0/3 -4, tengigabitethernet1/0/1 - 2
Examples
This example shows how to create a multiple-interface macro:
Switch(config)# define interface-range macro1 gigabitethernet1/0/1 - 2, gigabitethernet1/0/5 - 7, gigabitethernet3/0/2 - 4, tengigabitethernet1/0/1 - 2
Related Commands
|
|
interface range |
Executes a command on multiple ports at the same time. |
show running-config |
Displays the operating configuration. |
delete
Use the delete privileged EXEC command on the switch stack or on a standalone switch to delete a file or directory on the flash memory device.
delete [ /force ] [/ recursive ] filesystem :/ file-url
Syntax Description
/force |
(Optional) Suppress the prompt that confirms the deletion. |
/recursive |
(Optional) Delete the named directory and all subdirectories and the files contained in it. |
filesystem : |
Alias for a flash file system. The syntax for the local flash file system on the stack member or the stack master: flash: From the stack master, the syntax for the local flash file system on a stack member: flash member number : |
/ file-url |
The path (directory) and filename to delete. |
Command Modes
Privileged EXEC
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
If you use the /force keyword, you are prompted once at the beginning of the deletion process to confirm the deletion.
If you use the /recursive keyword without the /force keyword, you are prompted to confirm the deletion of every file.
The prompting behavior depends on the setting of the file prompt global configuration command. By default, the switch prompts for confirmation on destructive file operations. For more information about this command, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
Examples
This example shows how to remove the directory that contains the old software image after a successful download of a new image:
Switch# delete /force /recursive flash:/old-image
You can verify that the directory was removed by entering the dir filesystem : privileged EXEC command.
Related Commands
|
|
archive download-sw |
Downloads a new image to the switch and overwrites or keeps the existing image. |
deny (access-list configuration mode)
To enable smart logging in a named IP access list with deny conditions, use the deny command in access list configuration mode with the smartlog keyword. Matches to ACL entries are logged to a NetFlow collector. To disable smart logging for the access list, use the no form of this command.
deny { source [ source-wildcard ] | host source | any } [ log ] [ smartlog ]
no deny { source [ source-wildcard ] | host source | any } [ smartlog ]
deny protocol { source [ source-wildcard ] | host source | any } { destination [ destination-wildcard ] | host destination | any } [ dscp tos ] [ precedence precedence ] [ tos tos ] [ fragments ] [ log ] [ time-range time-range-name ] [ smartlog ]
no deny protocol { source [ source-wildcard ] | host source | any } { destination [ destination-wildcard ] | host destination | any } [ dscp tos ] [ precedence precedence ] [ tos tos ] [ fragments ] [ log ] [ time-range time-range-name ] [ smartlog ]
Syntax Description
smartlog |
(Optional) Sends packet flows matching the access list to a NetFlow collector when smart logging is enabled on the switch. |
Defaults
ACL smart logging is not enabled.
Command Modes
Access list configuration
Command History
|
|
12.2(58)SE |
The smartlog keyword was added. |
Usage Guidelines
For the complete syntax description of the deny command without the smartlog keyword, see the Cisco IOS Security Command Reference.
When an ACL is applied to an interface, packets matching the ACL are denied or permitted based on the ACL configuration. When smart logging is enabled on the switch and an ACL includes the smartlog keyword, the contents of the denied or permitted packet are sent to a Flexible NetFlow collector.
You must also enable smart logging globally by entering the logging smartlog global configuration command.
Only port ACLs (ACLs attached to Layer 2 interfaces) support smart logging. Router ACLs or VLAN ACLs do not support smart logging. Port ACLs do not support logging.
When an ACL is applied to an interface, matching packets can be either logged or smart logged, but not both.
You can verify that smart logging is enabled in an ACL by entering the show ip access list privileged EXEC command.
Examples
This example enables smart logging on a named access list with a deny condition:
Switch(config)# ip access-list extended test1
Switch(config-ext-nacl)# deny ip host 10.1.1.3 any smartlog
Related Commands
|
|
logging smartlog |
Globally enables smart logging. |
show access list show ip access list |
Displays the contents of all access lists or all IP access lists. |
deny (ARP access-list configuration)
Use the deny Address Resolution Protocol (ARP) access-list configuration command on the switch stack or on a standalone switch to deny an ARP packet based on matches against the DHCP bindings. Use the no form of this command to remove the specified access control entry (ACE) from the access list.
deny {[ request ] ip { any | host sender-ip | sender-ip sender-ip-mask } mac { any | host sender-mac | sender-mac sender-mac-mask } | response ip { any | host sender-ip | sender-ip sender-ip-mask } [{ any | host target-ip | target-ip target-ip-mask }] mac { any | host sender-mac | sender-mac sender-mac-mask } [{ any | host target-mac | target-mac target-mac-mask }]} [ log ]
no deny {[ request ] ip { any | host sender-ip | sender-ip sender-ip-mask } mac { any | host sender-mac | sender-mac sender-mac-mask } | response ip { any | host sender-ip | sender-ip sender-ip-mask } [{ any | host target-ip | target-ip target-ip-mask }] mac { any | host sender-mac | sender-mac sender-mac-mask } [{ any | host target-mac | target-mac target-mac-mask }]} [ log ]
This command is available only if your switch is running the IP services feature set.
Syntax Description
request |
(Optional) Define a match for the ARP request. When request is not specified, matching is performed against all ARP packets. |
ip |
Specify the sender IP address. |
any |
Deny any IP or MAC address. |
host sender-ip |
Deny the specified sender IP address. |
sender-ip sender-ip-mask |
Deny the specified range of sender IP addresses. |
mac |
Deny the sender MAC address. |
host sender-mac |
Deny a specific sender MAC address. |
sender-mac sender-mac-mask |
Deny the specified range of sender MAC addresses. |
response ip |
Define the IP address values for the ARP responses. |
host target-ip |
Deny the specified target IP address. |
target-ip target-ip-mask |
Deny the specified range of target IP addresses. |
mac |
Deny the MAC address values for the ARP responses. |
host target-mac |
Deny the specified target MAC address. |
target-mac target-mac-mask |
Deny the specified range of target MAC addresses. |
log |
(Optional) Log a packet when it matches the ACE. |
Defaults
There are no default settings. However, at the end of the ARP access list, there is an implicit deny ip any mac any command.
Command Modes
ARP access-list configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
You can add deny clauses to drop ARP packets based on matching criteria.
Examples
This example shows how to define an ARP access list and to deny both ARP requests and ARP responses from a host with an IP address of 1.1.1.1 and a MAC address of 0000.0000.abcd:
Switch(config)# arp access-list static-hosts
Switch(config-arp-nacl)# deny ip host 1.1.1.1 mac host 0000.0000.abcd
Switch(config-arp-nacl)# end
You can verify your settings by entering the show arp access-list privileged EXEC command.
Related Commands
|
|
arp access-list |
Defines an ARP access control list (ACL). |
ip arp inspection filter vlan |
Permits ARP requests and responses from a host configured with a static IP address. |
permit (ARP access-list configuration) |
Permits an ARP packet based on matches against the DHCP bindings. |
show arp access-list |
Displays detailed information about ARP access lists. |
deny (IPv6 access-list configuration)
Use the deny command in IPv6 access list configuration mode on the switch stack or on a standalone switch to set deny conditions for an IPv6 access list. Use the no form of this command to remove the deny conditions.
deny { protocol } { source-ipv6-prefix / prefix-length | any | host source-ipv6-address } [ operator [ port-number ]] { destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address } [ operator [ port-number ]] [ dscp value ] [ fragments ] [ log ] [ log-input ] [ routing ] [ sequence value ] [ time-range name ]
no deny { protocol } { source-ipv6-prefix / prefix-length | any | host source-ipv6-address } [ operator [ port-number ]] { destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address } [ operator [ port-number ]] [ dscp value ] [ fragments ] [ log ] [ log-input ] [ routing ] [ sequence value ] [ time-range name ]
Internet Control Message Protocol
deny icmp { source-ipv6-prefix / prefix-length | any | host source-ipv6-address } [ operator [ port-number ]] { destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address } [ operator [ port-number ]] [ icmp-type [ icmp-code ] | icmp-message ] [ dscp value ] [ log ] [ log-input ] [ routing ] [ sequence value ] [ time-range name ]
Transmission Control Protocol
deny tcp { source-ipv6-prefix / prefix-length | any | host source-ipv6-address } [ operator [ port-number ]] { destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address } [ operator [ port-number ]] [ ack ] [ dscp value ] [ established ] [ fin ] [ log ] [ log-input ] [ neq { port | protocol }] [ psh ] [ range { port | protocol }] [ rst ] [ routing ] [ sequence value ] [ syn ] [ time-range name ] [ urg ]
User Datagram Protocol
deny udp { source-ipv6-prefix / prefix-length | any | host source-ipv6-address } [ operator [ port-number ]] { destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address } [ operator [ port-number ]] [ dscp value ] [ log ] [ log-input ] [ neq { port | protocol }] [ range { port | protocol }] [ routing ] [ sequence value ] [ time-range name ]
Note This command is available only if you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch. This command is not supported on switches running the LAN base feature set.
Syntax Description
protocol |
Name or number of an Internet protocol. It can be one of the keywords ahp, esp, icmp, ipv6, pcp, sctp, tcp, or udp, or an integer in the range from 0 to 255 representing an IPv6 protocol number. |
source-ipv6-prefix / prefix-length |
The source IPv6 network or class of networks about which to set deny conditions. This argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons. |
any |
An abbreviation for the IPv6 prefix ::/0. |
host source-ipv6-address |
The source IPv6 host address for which to set deny conditions. This source-ipv6-address argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons. |
operator [ port-number ] |
(Optional) Specify an operator that compares the source or destination ports of the specified protocol. Operators are lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range). If the operator is positioned after the source-ipv6-prefix / prefix-length argument, it must match the source port. If the operator is positioned after the destination-ipv6-prefix/prefix-length argument, it must match the destination port. The range operator requires two port numbers. All other operators require one port number. The optional port-number argument is a decimal number or the name of a TCP or a UDP port. A port number is a number from 0 to 65535. TCP port names can be used only when filtering TCP. UDP port names can be used only when filtering UDP. |
destination-ipv6-prefix / prefix-length |
The destination IPv6 network or class of networks for which to set deny conditions. This argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons. |
host destination-ipv6-address |
The destination IPv6 host address for which to set deny conditions. This destination-ipv6-address argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons. |
dscp value |
(Optional) Match a differentiated services code point value against the traffic class value in the Traffic Class field of each IPv6 packet header. The acceptable range is from 0 to 63. |
fragments |
(Optional) Match non-initial fragmented packets where the fragment extension header contains a non-zero fragment offset. The fragments keyword is an option only if the protocol is ipv6 and the operator [ port-number ] arguments are not specified. |
log |
(Optional) Send an informational logging message to the console about the packet that matches the entry. (The level of messages sent to the console is controlled by the logging console command.) The message includes the access list name and sequence number, whether the packet was denied; the protocol, whether it was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets denied in the prior 5-minute interval. Note Logging is not supported for port ACLs. |
log-input |
(Optional) Provide the same function as the log keyword, but the logging message also includes the receiving interface. |
routing |
(Optional) Match packets with the routing extension header. |
sequence value |
(Optional) Specify the sequence number for the access list statement. The acceptable range is from 1 to 4294967295. |
time-range name |
(Optional) Specify the time range that applies to the deny statement. The name of the time range and its restrictions are specified by the time-range and absolute or periodic commands, respectively. |
icmp-type |
(Optional) Specify an ICMP message type for filtering ICMP packets. ICMP packets can be filtered by an ICMP message type. The type is a number from 0 to 255. |
icmp-code |
(Optional) Specify an ICMP message code for filtering ICMP packets. ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255. |
icmp-message |
(Optional) Specify an ICMP message name for filtering ICMP packets. ICMP packets can be filtered by an ICMP message name or an ICMP message type and code. The possible names are listed in the “Usage Guidelines” section. |
ack |
(Optional) Only for the TCP protocol: Acknowledgment (ACK) bit set. |
established |
(Optional) Only for the TCP protocol: Means the connection has been established. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection. |
fin |
(Optional) Only for the TCP protocol: Fin bit set; no more data from sender. |
neq { port | protocol } |
(Optional) Match only packets that are not on a given port number. |
psh |
(Optional) Only for the TCP protocol: Push function bit set. |
range { port | protocol } |
(Optional) Match only packets in the range of port numbers. |
rst |
(Optional) Only for the TCP protocol: Reset bit set. |
syn |
(Optional) Only for the TCP protocol: Synchronize bit set. |
urg |
(Optional) Only for the TCP protocol: Urgent pointer bit set. |
Note Although visible in the command-line help strings, the flow-label, routing, and undetermined-transport keywords are not supported.
Defaults
No IPv6 access list is defined.
Command Modes
IPv6 access list configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
The deny (IPv6 access-list configuration mode) command is similar to the deny (IPv4 access-list configuration mode) command, but it is IPv6-specific.
Use the deny (IPv6) command after the ipv6 access-list command to enter IPv6 access list configuration mode and to define the conditions under which a packet passes the access list.
Specifying IPv6 for the protocol argument matches against the IPv6 header of the packet.
By default, the first statement in an access list is number 10, and the subsequent statements are numbered in increments of 10.
You can add permit, deny, or remark statements to an existing access list without re-entering the entire list. To add a new statement anywhere other than at the end of the list, create a new statement with an appropriate entry number between two existing entry numbers to show where it belongs.
Note Every IPv6 ACL has implicit permit icmp any any nd-na, permit icmp any any nd-ns, and deny ipv6 any any statements as its last match conditions. The two permit conditions allow ICMPv6 neighbor discovery. To disallow ICMPv6 neighbor discovery and to deny icmp any any nd-na or icmp any any nd-ns, there must be an explicit deny entry in the ACL. For the three implicit statements to take effect, an IPv6 ACL must contain at least one entry.
The IPv6 neighbor discovery process uses the IPv6 network layer service. Therefore, by default, IPv6 ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface. In IPv4, the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery process, uses a separate data-link layer protocol. Therefore, by default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.
Both the source-ipv6-prefix / prefix-length and destination-ipv6-prefix / prefix-length arguments are used for traffic filtering. (The source prefix filters traffic based upon the traffic source; the destination prefix filters traffic based upon the traffic destination.)
The switch supports IPv6 address matching for a full range of prefix-lengths.
The fragments keyword is an option only if the protocol is ipv6 and the operator [ port-number ] arguments are not specified.
This is a list of ICMP message names:
beyond-scope |
destination-unreachable |
echo-reply |
echo-request |
header |
hop-limit |
mld-query |
mld-reduction |
mld-report |
nd-na |
nd-ns |
next-header |
no-admin |
no-route |
packet-too-big |
parameter-option |
parameter-problem |
port-unreachable |
reassembly-timeout |
renum-command |
renum-result |
renum-seq-number |
router-advertisement |
router-renumbering |
router-solicitation |
time-exceeded |
unreachable |
|
Examples
This example configures the IPv6 access list named CISCO and applies the access list to outbound traffic on a Layer 3 interface. The first deny entry in the list prevents all packets that have a destination TCP port number greater than 5000 from leaving the interface. The second deny entry in the list prevents all packets that have a source UDP port number less than 5000 from leaving the interface. The second deny also logs all matches to the console. The first permit entry in the list permits all ICMP packets to leave the interface. The second permit entry in the list permits all other traffic to leave the interface. The second permit entry is necessary because an implicit deny-all condition is at the end of each IPv6 access list.
Switch(config)# ipv6 access-list CISCO
Switch(config-ipv6-acl)# deny tcp any any gt 5000
Switch config-ipv6-acl)# deny ::/0 lt 5000 ::/0 log
Switch(config-ipv6-acl)# permit icmp any any
Switch(config-ipv6-acl)# permit any any
Switch(config-ipv6-acl)# exit
Switch(config)# interface gigabitethernet1/0/3
Switch(config-if)# no switchport
Switch(config-if)# ipv6 address 2001::/64 eui-64
Switch(config-if)# ipv6 traffic-filter CISCO out
Related Commands
|
|
ipv6 access-list |
Defines an IPv6 access list and enters IPv6 access list configuration mode. |
ipv6 traffic-filter |
Filters incoming or outgoing IPv6 traffic on an interface. |
permit (IPv6 access-list configuration) |
Sets permit conditions for an IPv6 access list. |
show ipv6 access-list |
Displays the contents of all current IPv6 access lists. |
deny (MAC access-list configuration)
Use the deny MAC access-list configuration command on the switch stack or on a standalone switch to prevent non-IP traffic from being forwarded if the conditions are matched. Use the no form of this command to remove a deny condition from the named MAC access list.
{ deny | permit } { any | host src-MAC-addr | src-MAC-addr mask } { any | host dst-MAC-addr | dst-MAC-addr mask } [ type mask | aarp | amber | cos cos | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | lsap lsap mask | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp ]
no { deny | permit } { any | host src-MAC-addr | src-MAC-addr mask } { any | host dst-MAC-addr | dst-MAC-addr mask } [ type mask | aarp | amber | cos cos | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | lsap lsap mask | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp ]
Syntax Description
any |
Keyword to specify to deny any source or destination MAC address. |
host src MAC-addr | src-MAC-addr mask |
Define a host MAC address and optional subnet mask. If the source address for a packet matches the defined address, non-IP traffic from that address is denied. |
host dst-MAC-addr | dst-MAC-addr mask |
Define a destination MAC address and optional subnet mask. If the destination address for a packet matches the defined address, non-IP traffic to that address is denied. |
type mask |
(Optional) Use the Ethertype number of a packet with Ethernet II or SNAP encapsulation to identify the protocol of the packet. The type is 0 to 65535, specified in hexadecimal. The mask is a mask of don’t care bits applied to the Ethertype before testing for a match. |
aarp |
(Optional) Select Ethertype AppleTalk Address Resolution Protocol that maps a data-link address to a network address. |
amber |
(Optional) Select EtherType DEC-Amber. |
cos cos |
(Optional) Select a class of service (CoS) number from 0 to 7 to set priority. Filtering on CoS can be performed only in hardware. A warning message reminds the user if the cos option is configured. |
dec-spanning |
(Optional) Select EtherType Digital Equipment Corporation (DEC) spanning tree. |
decnet-iv |
(Optional) Select EtherType DECnet Phase IV protocol. |
diagnostic |
(Optional) Select EtherType DEC-Diagnostic. |
dsm |
(Optional) Select EtherType DEC-DSM. |
etype-6000 |
(Optional) Select EtherType 0x6000. |
etype-8042 |
(Optional) Select EtherType 0x8042. |
lat |
(Optional) Select EtherType DEC-LAT. |
lavc-sca |
(Optional) Select EtherType DEC-LAVC-SCA. |
lsap lsap-number mask |
(Optional) Use the LSAP number (0 to 65535) of a packet with 802.2 encapsulation to identify the protocol of the packet. mask is a mask of don’t care bits applied to the LSAP number before testing for a match. |
mop-console |
(Optional) Select EtherType DEC-MOP Remote Console. |
mop-dump |
(Optional) Select EtherType DEC-MOP Dump. |
msdos |
(Optional) Select EtherType DEC-MSDOS. |
mumps |
(Optional) Select EtherType DEC-MUMPS. |
netbios |
(Optional) Select EtherType DEC- Network Basic Input/Output System (NETBIOS). |
vines-echo |
(Optional) Select EtherType Virtual Integrated Network Service (VINES) Echo from Banyan Systems. |
vines-ip |
(Optional) Select EtherType VINES IP. |
xns-idp |
(Optional) Select EtherType Xerox Network Systems (XNS) protocol suite (0 to 65535), an arbitrary Ethertype in decimal, hexadecimal, or octal. |
Note Though visible in the command-line help strings, appletalk is not supported as a matching condition.
To filter IPX traffic, you use the type mask or lsap lsap mask keywords, depending on the type of IPX encapsulation being used. Filter criteria for IPX encapsulation types as specified in Novell terminology and Cisco IOS terminology are listed in Table 2-12.
Table 2-12 IPX Filtering Criteria
|
|
|
|
arpa |
Ethernet II |
Ethertype 0x8137 |
snap |
Ethernet-snap |
Ethertype 0x8137 |
sap |
Ethernet 802.2 |
LSAP 0xE0E0 |
novell-ether |
Ethernet 802.3 |
LSAP 0xFFFF |
Defaults
This command has no defaults. However; the default action for a MAC-named ACL is to deny.
Command Modes
MAC-access list configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
You enter MAC-access list configuration mode by using the mac access-list extended global configuration command.
If you use the host keyword, you cannot enter an address mask; if you do not use the host keyword, you must enter an address mask.
When an access control entry (ACE) is added to an access control list, an implied deny - any - any condition exists at the end of the list. That is, if there are no matches, the packets are denied. However, before the first ACE is added, the list permits all packets.
For more information about named MAC extended access lists, see the software configuration guide for this release.
Examples
This example shows how to define the named MAC extended access list to deny NETBIOS traffic from any source to MAC address 00c0.00a0.03fa. Traffic matching this list is denied.
Switch(config-ext-macl)# deny any host 00c0.00a0.03fa netbios.
This example shows how to remove the deny condition from the named MAC extended access list:
Switch(config-ext-macl)# no deny any 00c0.00a0.03fa 0000.0000.0000 netbios.
This example denies all packets with Ethertype 0x4321:
Switch(config-ext-macl)# deny any any 0x4321 0
You can verify your settings by entering the show access-lists privileged EXEC command.
Related Commands
|
|
mac access-list extended |
Creates an access list based on MAC addresses for non-IP traffic. |
permit (MAC access-list configuration) |
Permits non-IP traffic to be forwarded if conditions are matched. |
show access-lists |
Displays access control lists configured on a switch. |
device-sensor accounting
To add Device Sensor protocol data to accounting records and to generate accounting events when new Device Sensor data is detected, use the device-sensor accounting command in global configuration mode. To disable adding the Device Sensor protocol data to accounting records and to disable generating accounting events, use the no form of this command.
device-sensor accounting
no device-sensor accounting
Syntax Description
This command has no arguments or keywords.
Command Default
Device Sensor protocol data is added to accounting records and accounting events are generated when new Device Sensor data is detected.
Command Modes
Global configuration (config)
Command History
|
|
15.0(1)SE1 |
This command was introduced. |
Usage Guidelines
Device Sensor gathers endpoint information from Cisco Discovery Protocol (CDP), Link Layer Discovery Protocol (LLDP), and DHCP messages and makes this information available to registered clients in the context of an access session. You can use the device-sensor accounting command to include Device Sensor protocol data in RADIUS accounting messages.
Before Device Sensor protocol data can be added to accounting messages, you must first enable session accounting with the aaa and radius-server commands.
Examples
The following example shows how to add the Device Sensor protocol data to accounting records:
Switch# configure terminal
Switch(config)# aaa new-model
Switch(config)# aaa accounting dot1x default start-stop group radius
Switch(config)# radius-server host host1
Switch(config)# radius-server vsa send accounting
Switch(config)# device-sensor accounting
Related Commands
|
|
debug device-sensor |
Enables debugging for Device Sensor. |
show device-sensor cache |
Displays the Device Sensor cache entries. |
device-sensor filter-list
To create a CDP or Link Layer Discovery Protocol (LLPD) filter list that contains a list of Type-Length-Value (TLV) fields to be included or excluded in the Device Sensor output, use the device-sensor filter-list command in global configuration mode. To remove the filter list, use the no form of this command.
device-sensor filter-list cdp | lldp list list-name
no device-sensor filter-list cdp | lldp list list-name
Syntax Description
list |
Contains a discovery protocol filter list. |
list-name |
Name of the filter list. |
Command Default
Protocol TLV fields filter list is not available.
Command Modes
Global configuration (config)
Command History
|
|
15.0(1)SE1 |
This command was introduced. |
Usage Guidelines
Use the device-sensor filter-list command to configure the name of the protocol filter list and enter into discovery protocol sensor configuration mode. You can configure the list of TLVs in discovery protocol sensor configuration mode using the tlv { name tlv-name | number tlv-number } command. Use the name tlv-name keyword-argument pair to specify the name of the TLV. Enter ? to query the available TLV names or refer to the following tables.
CDP TLV Names
|
|
Global configuration mode |
app |
Enables application TLV |
forward |
Forwards CDP packets to another interface |
location |
Enables location information |
Interface configuration mode |
app |
Enables application TLV |
location |
Enables location information |
server-location |
Enables CDP location server on the interface. |
LLDP TLVs
|
|
Global configuration mode
|
4-wire-power-management |
Cisco 4-wire power with MDI TLV |
mac-phy-cfg |
IEEE 802.3 MAC/PHY configuration status TLV |
management-address |
Management address TLV |
port-description |
Port description TLV |
port-vlan |
Port VLAN ID TLV |
power-management |
IEEE 802.3 DTE power with MDI TLV |
system-capabilities |
System capabilities TLV |
system-description |
System description TLV |
system-name |
System name TLV |
Interface configuration mode
|
inventory-management |
LLDP Media Endpoint Devices (MED) inventory management TLV |
location |
LLDP MED location TLV |
network-policy |
LLDP MED network policy TLV |
Use the number tlv-name keyword-argument pair to specify the TLV number to be added to the TLV filter list.
Use the no tlv { name tlv-name | number tlv-number } command to remove individual TLVs from the TLV filter list.
Use the no device-sensor filter-list lldp list tlv-list-name command to remove the entire TLV list containing all of the TLVs.
The following example shows how to create an LLDP filter containing a list of TLVs:
Switch# configure terminal
Switch(config)# device-sensor filter-list lldp list lldp-list
Switch(config-sensor-lldplist)# tlv name mac-phy-config
Switch(config-sensor-lldplist)# tlv name system-name
Switch(config-sensor-lldplist)# end
Examples
The following example shows how to create an LLDP filter containing a list of TLVs:
Switch# configure terminal
Switch(config)# device-sensor filter-list lldp list lldp-list
Switch(config-sensor-lldplist)# tlv name mac-phy-config
Switch(config-sensor-lldplist)# tlv name system-name
Switch(config-sensor-lldplist)# end
Related Commands
|
|
debug device-sensor |
Enables debugging for Device Sensor. |
device-sensor accounting |
Adds the Device Sensor protocol data to accounting records and generates additional accounting events when new sensor data is detected. |
device-sensor filter-list dhcp |
Creates a DHCP filter containing a list of options that can be included or excluded in the Device Sensor output. |
show device-sensor cache |
Displays Device Sensor cache entries. |
device-sensor filter-list dhcp
To create a DHCP filter containing a list of options that can be included or excluded in the Device Sensor output, use the device-sensor filter-list dhcp command in global configuration mode. To remove the DHCP filter containing the list of options, use the no form of this command.
device-sensor filter-list dhcp list option-list-name
no device-sensor filter-list dhcp list option-list-name
Syntax Description
list |
Contains a DHCP options filter list. |
option-list-name |
DHCP options filter list name. |
Command Default
DHCP options filter list is not available.
Command Modes
Global configuration (config)
Command History
|
|
15.0(1)SE1 |
This command was introduced. |
Usage Guidelines
Use the device-sensor filter-list dhcp command to configure the name of the DHCP options filter list and enter into DHCP sensor configuration mode. You can configure the list of options in DHCP sensor configuration mode using the option { name option-name | number option-number } command. Use the name option-name keyword-argument pair to specify the name of the DHCP option. Use the number option-number keyword-argument pair to specify the TLV number to be added to the DHCP options filter list.
Use the no option { name option-name | number option-number } command to remove individual options from the DHCP options filter list.
Use the no device-sensor filter-list dhcp list option-list-name command to remove the entire DHCP options filter list.
Examples
The following example shows how to create a DHCP filter containing a list of options:
Switch# configure terminal
Switch(config)# device-sensor filter-list dhcp list dhcp-list
Switch(config-sensor-dhcplist)# option name domain-name
Switch(config-sensor-dhcplist)# option name host-name
Switch(config-sensor-dhcplist)# option number 50
Switch(config-sensor-dhcplist)# end
Related Commands
|
|
debug device-sensor |
Enables debugging for Device Sensor. |
device-sensor accounting |
Adds the Device Sensor protocol data to accounting records and generates additional accounting events when new sensor data is detected. |
device-sensor filter-list |
Creates a CDP or LLDP filter containing a list of options that can be included or excluded in the Device Sensor output. |
show device-sensor cache |
Displays Device Sensor cache entries. |
device-sensor filter-spec
To apply a protocol filter list to the Device Sensor output, use the device-sensor filter-spec command in global configuration mode. To remove the protocol filter list from the Device Sensor output, use the no form of this command.
device-sensor filter-spec {cdp | lldp | dhcp} {exclude {all | list list-name } | include list list-name }
Syntax Description
cdp |
Applies a CDP TLV filter list to the Device Sensor output. |
lldp |
Applies a LLDP TLV filter list to the Device Sensor output. |
dhcp |
Applies a DHCP options filter list to the Device Sensor output. |
exclude |
Specifies the protocol TLVs or DHCP options to be excluded from the Device Sensor output. |
all |
Disables all notifications for the associated protocol. |
list list-name |
Specifies the name of the filter list. |
include |
Specifies the TLVs or DHCP options that should be included in the Device Sensor output. |
Command Default
All TLVs or DHCP options are included in notifications and will trigger notifications.
Command Modes
Global configuration (config)
Command History
|
|
15.0(1)SE1 |
This command was introduced. |
Usage Guidelines
Use the device-sensor filter-spec command to specify a list of CDP or LLDP TLV fields or DHCP options to be included in Device Sensor outputs.
Certain TLVs and message types such as DISCOVER, OFFER, REQUEST, ACK, and IP address are unconditionally excluded. These excluded TLVs and message types are used as transport for higher layer protocols, which change frequently and convey little useful information about endpoints. OFFER messages are also excluded because they can be received from multiple servers, and therefore, do not convey useful endpoint data.
Examples
The following example shows how to apply a CDP TLV filter list to the Device Sensor output:
Switch# configure terminal
Switch(config)# device-sensor filter-spec cdp include cdp-list1
Related Commands
|
|
debug device-sensor |
Enables debugging for Device Sensor. |
device-sensor accounting |
Adds the Device Sensor protocol data to accounting records and generates additional accounting events when new sensor data is detected. |
device-sensor filter-list |
Creates a CDP or LLDP filter containing a list of options that can be included or excluded in the Device Sensor output. |
device-sensor filter-list dhcp |
Creates a DHCP filter containing a list of options that can be included or excluded in the Device Sensor output. |
show device-sensor cache |
Displays Device Sensor cache entries. |
device-sensor notify
To enable client notifications and accounting events for TLV changes, use the device-sensor notify command in global configuration mode. To disable client notifications and accounting events for TLV changes, use the no form of this command.
device-sensor notify all-changes | new-tlvs
no device-sensor notify all-changes | new-tlvs
Syntax Description
all-changes |
Enables client notifications and accounting events for all TLV changes. |
new-tlvs |
Enables client notifications and accounting events for only new TLV changes. |
Command Default
Client notifications and accounting events are generated only for new TLVs.
Command Modes
Global configuration (config)
Command History
|
|
15.0(1)SE1 |
This command was introduced. |
Usage Guidelines
By default, for each supported peer protocol, client notifications and accounting events will only be generated when an incoming packet includes a TLV that has not been previously received in the context of a given session.
To enable client notifications and accounting events for all TLV changes, where either a new TLV has been received or a previously received TLV has been received with a different value, use the device-sensor notify all-changes command.
To return to the default behavior, use the device-sensor notify new-tlvs or the default device-sensor notify command.
Examples
The following example shows how to enable client notifications and accounting events for all TLV change:
Switch# configure terminal
Switch(config)# device-sensor notify all-changes
Related Commands
|
|
debug device-sensor |
Enables debugging for Device Sensor. |
device-sensor accounting |
Adds the Device Sensor protocol data to accounting records and generates additional accounting events when new sensor data is detected. |
device-sensor filter-list |
Creates a CDP or LLDP filter containing a list of options that can be included or excluded in the Device Sensor output. |
device-sensor filter-list dhcp |
Creates a DHCP filter containing a list of options that can be included or excluded in the Device Sensor output. |
show device-sensor cache |
Displays Device Sensor cache entries. |
diagnostic monitor
Use the diagnostic monitor global configuration command to configure health-monitoring diagnostic testing. Use the no form of this command to disable testing and to return to the default settings.
diagnostic monitor interval switch number test { name | test-id | test-id-range | all } hh:mm:ss milliseconds day
diagnostic monitor switch number test { name | test-id | test-id-range | all }
diagnostic monitor syslog
diagnostic monitor threshold switch number test { name | test-id | test-id-range | all } failure count count
no diagnostic monitor interval switch number test { name | test-id | test-id-range | all }
no diagnostic monitor switch num ber test { name | test-id | test-id-range | all }
no diagnostic monitor syslog
no diagnostic monitor threshold switch number test { name | test-id | test-id-range | all } failure coun t count
Syntax Description
interval |
Configure the interval between tests. |
switch number |
Specify the switch number, which is the stack member number. If the switch is a standalone switch, the switch number is 1. If the switch is in a stack, the range is 1 to 9, depending on the switch member numbers in the stack. This keyword is supported only on on stacking-capable switches. |
test |
Specify the tests to be run. |
name |
Specify the name of the test. For more information, see the “Usage Guidelines” section. |
test-id |
Specify the ID number of the test. The range is from 1 to 7. For more information, see the “Usage Guidelines” section. |
test-id-range |
Specify more than one test with the range of test ID numbers. For more information, see the “Usage Guidelines” section. |
all |
Specify all of the diagnostic tests. |
hh:mm:ss |
Configure the monitoring interval in hours, minutes, and seconds. For formatting information, see the “Usage Guidelines” section. |
milliseconds |
Configure the monitoring interval in milliseconds (ms). The range is from 0 to 999 ms. |
day |
Configure the monitoring interval in the number of days. The range is from 0 to 20 days. For formatting information, see the “Usage Guidelines” section. |
syslog |
Enable the generation of a syslog message when a health-monitoring test fails. |
threshold |
Configure the failure threshold. |
failure count count |
Set the failure threshold count. The range for count is from 0 to 99. |
Defaults
Monitoring is disabled, and a failure threshold value is not set.
Command Modes
Global configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
Follow these guidelines when configuring health-monitoring diagnostic testing:
- name —Enter the show diagnostic content privileged EXEC command to display the test names in the test ID list.
- test-id — Enter the show diagnostic content command to display the test numbers in the test ID list.
- test-id-range — Enter the show diagnostic content command to display the test numbers in the test ID list. Enter the range as integers separated by a comma and a hyphen (for example, 1,3-6 specifies test IDs 1, 3, 4, 5, and 6).
- hh— Enter the hours from 0 to 24.
- mm— Enter the minutes from 0 to 60.
- ss— Enter the seconds from 0 to 60.
- milliseconds— Enter the test time in milliseconds from 0 to 999.
- day— Enter the number of days between test from 0 to 20.
- Enter the diagnostic monitor test 1 command to enable diagnostic monitoring.
You must configure the failure threshold and the interval between tests before enabling diagnostic monitoring.
When entering the diagnostic monitor switch number test { name | test-id | test-id-range | all } command, you must isolate network traffic by disabling all connected ports, and do not send test packets during the test.
Examples
This example shows how to configure a health-monitoring test:
Switch(config)#
diagnostic monitor threshold switch 2 test 1 failure count 20
Switch(config)# diagnostic monitor interval switch 2 test 1 12:30:00 750 5
Related Commands
|
|
show diagnostic |
Displays online diagnostic test results. |
diagnostic schedule
Use the diagnostic schedule global configuration command to configure the diagnostic test schedule. Use the no form of this command to remove the schedule.
diagnostic schedule switch nu mber test { name | test-id | test-id-range | all | basic | non-disruptive } { daily hh : mm | on mm dd yyyy hh : mm | weekly day-of-week hh : mm }
no diagnostic schedule switch nu mber test { name | test-id | test-id-range | all | basic | non-disruptive } { daily hh : mm | on mm dd yyyy hh : mm | weekly day-of-week hh : mm }
Syntax Description
switch number |
Specify the switch number, which is the stack member number. If the switch is a standalone switch, the switch number is 1. If the switch is in a stack, the range is 1 to 9, depending on the switch member numbers in the stack. This keyword is supported only on on stacking-capable switches. |
test |
Specify the tests to be scheduled. |
name |
Specify the name of the test. For more information, see the “Usage Guidelines” section. |
test-id |
Specify the ID number of the test. The range is from 1 to 7. For more information, see the “Usage Guidelines” section. |
test-id-range |
Specify more than one test with the range of test ID numbers. For more information, see the “Usage Guidelines” section. |
all |
Specify all of the diagnostic tests. |
basic |
Specify the basic on-demand diagnostic tests. |
non-disruptive |
Specify the nondisruptive health-monitoring tests. |
daily hh : mm |
Specify the daily scheduling of the diagnostic tests. For formatting information, see the “Usage Guidelines” section. |
on mm dd yyyy hh : mm |
Specify the scheduling of the diagnostic tests on a specific day and time. For formatting information, see the “Usage Guidelines” section. |
weekly day-of-week hh : mm |
Specify the weekly scheduling of the diagnostic tests. For formatting information, see the “Usage Guidelines” section. |
Defaults
This command has no default settings.
Command Modes
Global configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
Use these guidelines when scheduling testing:
- name —Enter the show diagnostic content privileged EXEC command to display the test names in the test ID list.
- test-id — Enter the show diagnostic content command to display the test numbers in the test ID list.
- test-id-range — Enter the show diagnostic content command to display the test numbers in the test ID list. Enter the range as integers separated by a comma and a hyphen (for example, 1,3-6 specifies test IDs 1, 3, 4, 5, and 6).
- hh : mm— Enter the time as a 2-digit number (for a 24-hour clock) for hours:minutes; the colon ( : ) is required, such as 12:30.
- For mm dd yyyy :
– mm— Spell out the month, such as January, February, and so on, with upper case or lower case characters.
– dd— Enter the day as a 2-digit number, such as 03 or 16.
– yyyy— Enter the year as a 4-digit number, such as 2006.
- day-of-week— Spell out the day of the week, such as Monday, Tuesday, and so on, with upper case or lower case characters.
Note If you are running a diagnostic test that has the reload attribute on a switch in a stack, you could potentially partition the stack depending on your cabling configuration. To avoid partitioning your stack, enter the show switch detail privileged EXEC command to verify the stack configuration.
Examples
This example shows how to schedule diagnostic testing for a specific day and time on stack member 3 when this command is entered on a stack master:
Switch(config)# diagnostic schedule switch 3 test 1,2,4-6 on november 3 2006 23:10
This example shows how to schedule diagnostic testing to occur weekly at a specific time on a switch:
Switch(config)# diagnostic schedule test TestPortAsicMem weekly friday 09:23
Related Commands
|
|
show diagnostic |
Displays online diagnostic test results. |
diagnostic start
Use the diagnostic start privileged EXEC command to run an online diagnostic test.
diagnostic start switch number test { name | test-id | test-id-range | all | basic | non-disruptive }
Syntax Description
switch number |
Specify the switch number, which is the stack member number. If the switch is a standalone switch, the switch number is 1. If the switch is in a stack, the range is 1 to 9, depending on the switch member numbers in the stack. This keyword is supported only on on stacking-capable switches. |
test |
Specify the tests to run. |
name |
Specify the name of a test. For more information, see the “Usage Guidelines” section. |
test-id |
Specify the ID number of a test. The range is from 1 to 7. For more information, see the “Usage Guidelines” section. |
test-id-range |
Specify more than one test with the range of test ID numbers. For more information, see the “Usage Guidelines” section. |
all |
Specify all the diagnostic tests. |
basic |
Specify the basic on-demand diagnostic tests. |
non-disruptive |
Specify the nondisruptive health-monitoring tests. |
Defaults
This command has no default setting.
Command Modes
Privileged EXEC
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
The switch supports these tests:
ID Test Name [On-Demand Test Attributes]
--- -------------------------------------------
1 TestPortAsicStackPortLoopback [B*N****]
2 TestPortAsicLoopback [B*D*R**]
3 TestPortAsicCam [B*D*R**]
4 TestPortAsicRingLoopback [B*D*R**]
5 TestMicRingLoopback [B*D*R**]
6 TestPortAsicMem [B*D*R**]
7 TestInlinePwrCtlr [B*D*R**]
--- -------------------------------------------
When specifying a test name, use the show diagnostic content privileged EXEC command to display the test ID list. To specify test 3 by using the test name, enter the diagnostic start switch number test TestPortAsicCam privileged EXEC command.
If specifying more than one test to run, use the test-id-range parameter, and enter integers separated by a comma and a hyphen. For example, to specify tests 2, 3, and 4, enter the diagnostic start switch number test 2-4 comman d. To specify tests 1, 3, 4, 5, and 6, enter the diagnostic start switch number test 1,3-6 comman d.
After starting the tests by using the diagnostic start command, you cannot stop the testing process.
Examples
This example shows how to start diagnostic test 1 on stack member 2 when this command is entered on a stack master:
Switch# diagnostic start switch 2 test 1
06:27:50: %DIAG-6-TEST_RUNNING: Switch 2: Running TestPortAsicStackPortLoopback{ID=1}...
06:27:51: %DIAG-6-TEST_OK: Switch 2: TestPortAsicStackPortLoopback{ID=1} has completed
This example shows how to start diagnostic test 2 on a stack member in a switch stack. Running this test disrupts the normal system operation, causes the switch to lose stack connectivity, and then causes the switch to reload.
Switch# diagnostic start switch 1 test 2
Switch 1: Running test(s) 2 will cause the switch under test to reload after completion of
Switch 1: Running test(s) 2 may disrupt normal system operation
Do you want to continue? [no]: y
16:43:29: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 2 Switch 2 has changed to state DOWN
16:43:30: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 1 Switch 9 has changed to state DOWN
16:43:30: %STACKMGR-4-SWITCH_REMOVED: Switch 1 has been REMOVED from the stack
16:44:35: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 1 Switch 2 has changed to state UP
16:44:37: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 2 Switch 2 has changed to state UP
16:44:45: %STACKMGR-4-SWITCH_ADDED: Switch 1 has been ADDED to the stack
16:45:00: %STACKMGR-5-SWITCH_READY: Switch 1 is READY
16:45:00: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 1 Switch 1 has changed to state UP
16:45:00: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 2 Switch 1 has changed to state UP
00:00:20: %STACKMGR-4-SWITCH_ADDED: Switch 1 has been ADDED to the stack (Switch-1)
00:00:20: %STACKMGR-4-SWITCH_ADDED: Switch 2 has been ADDED to the stack (Switch-1)
00:00:25: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan (Switch-1)
00:00:29: %SYS-5-CONFIG_I: Configured from memory by console (Switch-1)
00:00:29: %STACKMGR-5-SWITCH_READY: Switch 2 is READY (Switch-1)
00:00:29: %STACKMGR-5-MASTER_READY: Master Switch 2 is READY (Switch-1)
00:00:30: %STACKMGR-5-SWITCH_READY: Switch 1 is READY (Switch-1)
00:00:30: %DIAG-6-TEST_RUNNING: Switch 1: Running TestPortAsicLoopback{ID=2}...
00:00:30: %DIAG-6-TEST_OK: Switch 1: TestPortAsicLoopback{ID=2} has completed successfully
This message appears if the configured test can cause the switch to lose stack connectivity:
Switch 3: Running test(s) 2 will cause the switch under test to reload after completion of
Switch 3: Running test(s) 2 may disrupt normal system operation
Do you want to continue? [no]:
This message appears if the configured test can cause a stack partition:
Switch 6: Running test(s) 2 will cause the switch under test to reload after completion of
Switch 6: Running test(s) 2 will partition stack
Switch 6: Running test(s) 2 may disrupt normal system operation
Do you want to continue? [no]:
Related Commands
|
|
show diagnostic |
Displays online diagnostic test results. |
dot1x
Use the dot1x global configuration command on the switch stack or on a standalone switch to globally enable IEEE 802.1x authentication. Use the no form of this command to return to the default setting.
dot1x { guest-vlan supplicant } | { system-auth-control }
no dot1x { guest-vlan supplicant } | { system-auth-control }
Note Though visible in the command-line help strings, the credentials name keywords are not supported.
Syntax Description
guest-vlan supplicant |
Enable optional guest VLAN behavior globally on the switch. |
system-auth-control |
Enable IEEE 802.1x authentication globally on the switch. |
Defaults
IEEE 802.1x authentication is disabled, and the optional guest VLAN behavior is disabled.
Command Modes
Global configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
You must enable authentication, authorization, and accounting (AAA) and specify the authentication method list before globally enabling IEEE 802.1x authentication. A method list describes the sequence and authentication methods to be used to authenticate a user.
Before globally enabling IEEE 802.1x authentication on a switch, remove the EtherChannel configuration from the interfaces on which IEEE 802.1x authentication and EtherChannel are configured.
If you are using a device running the Cisco Access Control Server (ACS) application for IEEE 802.1x authentication with EAP-Transparent LAN Services (TLS) and with EAP-MD5, make sure that the device is running ACS Version 3.2.1 or later.
You can use the guest-vlan supplicant keywords to enable the optional IEEE 802.1x guest VLAN behavior globally on the switch. For more information, see the dot1x guest-vlan command.
Examples
This example shows how to globally enable IEEE 802.1x authentication on a switch:
Switch(config)# dot1x system-auth-control
This example shows how to globally enable the optional guest VLAN behavior on a switch:
Switch(config)# dot1x guest-vlan supplicant
You can verify your settings by entering the show dot1x [ interface interface-id ] privileged EXEC command.
Related Commands
|
|
dot1x critical (global configuration) |
Configures the parameters for the inaccessible authentication bypass feature on the switch. |
dot1x guest-vlan |
Enables and specifies an active VLAN as an IEEE 802.1x guest VLAN. |
dot1x port-control |
Enables manual control of the authorization state of the port. |
show dot1x [ interface interface-id ] |
Displays IEEE 802.1x status for the specified port. |
dot1x auth-fail max-attempts
Use the dot1x auth-fail max-attempts interface configuration command on the switch stack or on a standalone switch to configure the maximum allowable authentication attempts before a port is moved to the restricted VLAN. To return to the default setting, use the no form of this command.
dot1x auth-fail max-attempts max-attempts
no dot1x auth-fail max-attempts
Syntax Description
max-attempts |
Specify a maximum number of authentication attempts allowed before a port is moved to the restricted VLAN. The range is 1 to 3, the default value is 3. |
Defaults
The default value is 3 attempts.
Command Modes
Interface configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
If you reconfigure the maximum number of authentication attempts allowed by the VLAN, the change takes effect after the re-authentication timer expires.
Examples
This example shows how to set 2 as the maximum number of authentication attempts allowed before the port is moved to the restricted VLAN on port 3:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet1/0/3
Switch(config-if)# dot1x auth-fail max-attempts 2
You can verify your settings by entering the show dot1x [ interface interface-id ] privileged EXEC command.
Related Commands
|
|
dot1x auth-fail vlan [ vlan id] |
Enables the optional restricted VLAN feature. |
dot1x max-reauth-req [ count] |
Sets the maximum number of times that the switch restarts the authentication process before a port changes to the unauthorized state. |
show dot1x [ interface interface-id ] |
Displays IEEE 802.1x status for the specified port. |
dot1x auth-fail vlan
Use the dot1x auth-fail vlan interface configuration command on the switch stack or on a standalone switch to enable the restricted VLAN on a port. To return to the default setting, use the no form of this command.
dot1x auth-fail vlan vlan-id
no dot1x auth-fail v lan
Syntax Description
vlan-id |
Specify a VLAN in the range of 1 to 4094. |
Defaults
No restricted VLAN is configured.
Command Modes
Interface configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
You can configure a restricted VLAN on ports configured as follows:
- single-host (default) mode
- auto mode for authorization
You should enable re-authentication. The ports in restricted VLANs do not receive re-authentication requests if it is disabled. To start the re-authentication process, the restricted VLAN must receive a link-down event or an Extensible Authentication Protocol (EAP) logoff event from the port. If a host is connected through a hub, the port might never receive a link-down event when that host is disconnected, and, as a result, might not detect any new hosts until the next re-authentication attempt occurs.
If the supplicant fails authentication, the port is moved to a restricted VLAN, and an EAP success message is sent to the supplicant. Because the supplicant is not notified of the actual authentication failure, there might be confusion about this restricted network access. An EAP success message is sent for these reasons:
- If the EAP success message is not sent, the supplicant tries to authenticate every 60 seconds (the default) by sending an EAP-start message.
- Some hosts (for example, devices running Windows XP) cannot implement DHCP until they receive an EAP success message.
A supplicant might cache an incorrect username and password combination after receiving an EAP success message from the authenticator and re-use that information in every re-authentication. Until the supplicant sends the correct username and password combination, the port remains in the restricted VLAN.
Internal VLANs used for Layer 3 ports cannot be configured as restricted VLANs.
You cannot configure a VLAN to be both a restricted VLAN and a voice VLAN. If you do this, a syslog message is generated.
When a restricted VLAN port is moved to an unauthorized state, the authentication process restarts. If the supplicant fails the authentication process again, the authenticator waits in the held state. After the supplicant has correctly re-authenticated, all IEEE 802.1x ports are reinitialized and treated as normal IEEE 802.1x ports.
When you reconfigure a restricted VLAN as a different VLAN, any ports in the restricted VLAN are also moved, and the ports stay in their currently authorized state.
When you shut down or remove a restricted VLAN from the VLAN database, any ports in the restricted VLAN are immediately moved to an unauthorized state, and the authentication process restarts. The authenticator does not wait in a held state because the restricted VLAN configuration still exists. While the restricted VLAN is inactive, all authentication attempts are counted so that when the restricted VLAN becomes active, the port is immediately placed in the restricted VLAN.
The restricted VLAN is supported only in single host mode (the default port mode). For this reason, when a port is placed in a restricted VLAN, the supplicant’s MAC address is added to the MAC address table, and any other MAC address that appears on the port is treated as a security violation.
Examples
This example shows how to configure a restricted VLAN on port 1:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# dot1x auth-fail vlan 40
You can verify your configuration by entering the show dot1x [ interface interface-id ] privileged EXEC command.
Related Commands
|
|
dot1x auth-fail max-attempts [ max-attempts] |
Configures the number of authentication attempts allowed before assigning a supplicant to the restricted VLAN. |
show dot1x [ interface interface-id ] |
Displays IEEE 802.1x status for the specified port. |
dot1x control-direction
Use the dot1x control-direction interface configuration command to enable the IEEE 802.1x authentication with the wake-on-LAN (WoL) feature and to configure the port control as unidirectional or bidirectional. Use the no form of this command to return to the default setting.
dot1x control-direction { both | in }
no dot1x control-direction
Syntax Description
both |
Enable bidirectional control on port. The port cannot receive packets from or send packets to the host. |
in |
Enable unidirectional control on port. The port can send packets to the host but cannot receive packets from the host. |
Defaults
The port is in bidirectional mode.
Command Modes
Interface configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
Use the both keyword or the no form of this command to return to the default setting, bidirectional mode.
For more information about WoL, see the “Using IEEE 802.1x Authentication with Wake-on-LAN” section in the “Configuring IEEE 802.1x Port-Based Authentication” chapter in the software configuration guide.
Examples
This example shows how to enable unidirectional control:
Switch(config-if)# dot1x control-direction in
This example shows how to enable bidirectional control:
Switch(config-if)# dot1x control-direction both
You can verify your settings by entering the show dot1x all privileged EXEC command.
The show dot1x all privileged EXEC command output is the same for all switches except for the port names and the state of the port. If a host is attached to the port but is not yet authenticated, a display similar to this appears:
Supplicant MAC 0002.b39a.9275
AuthSM State = CONNECTING
PortStatus = UNAUTHORIZED
If you enter the dot1x control-direction in interface configuration command to enable unidirectional control, this appears in the show dot1x all command output:
If you enter the dot1x control-direction in interface configuration command and the port cannot support this mode due to a configuration conflict, this appears in the show dot1x all command output:
ControlDirection = In (Disabled due to port settings)
Related Commands
|
|
show dot1x [ all | interface interface-id ] |
Displays control-direction port setting status for the specified interface. |
dot1x credentials (global configuration)
Use the dot1x credentials global configuration command to configure a profile on a supplicant switch.
dot1x credentials profile
no dot1x credentials profile
Syntax Description
profile |
Specify a profile for the supplicant switch. |
Defaults
No profile is configured for the switch.
Command Modes
Global configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
You must have another switch set up as the authenticator for this switch to be the supplicant.
Examples
This example shows how to configure a switch as a supplicant:
Switch(config)# dot1x credentials profile
You can verify your settings by entering the show running-config privileged EXEC command.
Related Commands
|
|
cisp enable |
Enables Client Information Signalling Protocol (CISP). |
show cisp |
Displays CISP information for a specified interface. |
dot1x critical (global configuration)
Use the dot1x critical global configuration command on the switch stack or on a standalone switch to configure the parameters for the inaccessible authentication bypass feature, also referred to as critical authentication or the authentication, authorization, and accounting (AAA) fail policy. To return to default settings, use the no form of this command.
dot1x critical { eapol | recovery delay milliseconds }
no dot1x critical { eapol | recovery delay }
Syntax Description
eapol |
Specify that the switch sends an EAPOL-Success message when the switch puts the critical port in the critical-authentication state. |
recovery delay milliseconds |
Set the recovery delay period in milliseconds. The range is from 1 to 10000 milliseconds. |
Defaults
The switch does not send an EAPOL-Success message to the host when the switch successfully authenticates the critical port by putting the critical port in the critical-authentication state.
The recovery delay period is 1000 milliseconds (1 second).
Command Modes
Global configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
Use the eapol keyword to specify that the switch sends an EAPOL-Success message when the switch puts the critical port in the critical-authentication state.
Use the recovery delay milliseconds keyword to set the recovery delay period during which the switch waits to re-initialize a critical port when a RADIUS server that was unavailable becomes available. The default recovery delay period is 1000 milliseconds. A port can be re-initialized every second.
To enable inaccessible authentication bypass on a port, use the dot1x critical interface configuration command. To configure the access VLAN to which the switch assigns a critical port, use the dot1x critical vlan vlan-id interface configuration command.
Examples
This example shows how to set 200 as the recovery delay period on the switch:
Switch# dot1x critical recovery delay 200
You can verify your configuration by entering the show dot1x privileged EXEC command.
Related Commands
|
|
dot1x critical (interface configuration) |
Enables the inaccessible authentication bypass feature, and configures the access VLAN for the feature. |
show dot1x |
Displays IEEE 802.1x status for the specified port. |
dot1x critical (interface configuration)
Use the dot1x critical interface configuration command on the switch stack or on a standalone switch to enable the inaccessible-authentication-bypass feature, also referred to as critical authentication or the authentication, authorization, and accounting (AAA) fail policy. You can also configure the access VLAN to which the switch assigns the critical port when the port is in the critical-authentication state. To disable the feature or return to default, use the no form of this command.
dot1x critical [ recovery action reinitialize | vlan vlan-id ]
no dot1x critical [ recovery | vlan ]
Syntax Description
recovery action reinitialize |
Enable the inaccessible-authentication-bypass recovery feature, and specify that the recovery action is to authenticate the port when an authentication server is available. |
vlan vlan-id |
Specify the access VLAN to which the switch can assign a critical port. The range is from 1 to 4094. |
Defaults
The inaccessible-authentication-bypass feature is disabled.
The recovery action is not configured.
The access VLAN is not configured.
Command Modes
Interface configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
To specify the access VLAN to which the switch assigns a critical port when the port is in the critical-authentication state, use the vlan vlan-id keywords. The specified type of VLAN must match the type of port, as follows:
- If the critical port is an access port, the VLAN must be an access VLAN.
- If the critical port is a private VLAN host port, the VLAN must be a secondary private VLAN.
- If the critical port is a routed port, you can specify a VLAN, but this is optional.
If the client is running Windows XP and the critical port to which the client is connected is in the critical-authentication state, Windows XP might report that the interface is not authenticated.
If the Windows XP client is configured for DHCP and has an IP address from the DHCP server, receiving an EAP-Success message on a critical port might not re-initiate the DHCP configuration process.
You can configure the inaccessible authentication bypass feature and the restricted VLAN on an IEEE 802.1x port. If the switch tries to re-authenticate a critical port in a restricted VLAN and all the RADIUS servers are unavailable, the switch changes the port state to the critical authentication state, and it remains in the restricted VLAN.
You can configure the inaccessible bypass feature and port security on the same switch port.
Examples
This example shows how to enable the inaccessible authentication bypass feature on port 1:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# dot1x critical
You can verify your configuration by entering the show dot1x [ interface interface-id ] privileged EXEC command.
Related Commands
|
|
dot1x critical (global configuration) |
Configures the parameters for the inaccessible authentication bypass feature on the switch. |
show dot1x [ interface interface-id ] |
Displays IEEE 802.1x status for the specified port. |
dot1x default
Use the dot1x default interface configuration command on the switch stack or on a standalone switch to reset the IEEE 802.1x parameters to their default values.
dot1x default
Syntax Description
This command has no arguments or keywords.
Defaults
These are the default values:
- The per-port IEEE 802.1x protocol enable state is disabled (force-authorized).
- The number of seconds between re-authentication attempts is 3600 seconds.
- The periodic re-authentication is disabled.
- The quiet period is 60 seconds.
- The retransmission time is 30 seconds.
- The maximum retransmission number is 2 times.
- The host mode is single host.
- The client timeout period is 30 seconds.
- The authentication server timeout period is 30 seconds.
Command Modes
Interface configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Examples
This example shows how to reset the IEEE 802.1x parameters on a port:
Switch(config-if)# dot1x default
You can verify your settings by entering the show dot1x [ interface interface-id ] privileged EXEC command.
Related Commands
|
|
show dot1x [ interface interface-id ] |
Displays IEEE 802.1x status for the specified port. |
dot1x fallback
Use the dot1xfallback interface configuration command on the switch stack or on a standalone switch to configure a port to use web authentication as a fallback method for clients that do not support IEEE 802.1x authentication. To return to the default setting, use the no form of this command.
dot1x fallback fallback-profile
no dot1x fallback
Syntax Description
fallback-profile |
Specify a fallback profile for clients that do not support IEEE 802.1x authentication. |
Defaults
No fallback is enabled.
Command Modes
Interface configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
You must enter the dot1x port-control auto interface configuration command on a switch port before entering this command.
Examples
This example shows how to specify a fallback profile to a switch port that has been configured for IEEE 802.1x authentication:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet1/0/3
Switch(config-if)# dot1x fallback profile1
Switch(config-fallback-profile)# exit
You can verify your settings by entering the show dot1x [ interface interface-id ] privileged EXEC command.
Related Commands
|
|
show dot1x [ interface interface-id ] |
Displays IEEE 802.1x status for the specified port. |
fallback profile |
Create a web authentication fallback profile. |
ip admission |
Enable web authentication on a port |
ip admission name proxy http |
Enable web authentication globally on a switch |
dot1x guest-vlan
Use the dot1x guest-vlan interface configuration command on the switch stack or on a standalone switch to specify an active VLAN as an IEEE 802.1x guest VLAN. Use the no form of this command to return to the default setting.
dot1x guest-vlan vlan-id
no dot1x guest-vlan
Syntax Description
vlan-id |
Specify an active VLAN as an IEEE 802.1x guest VLAN. The range is 1 to 4094. |
Defaults
No guest VLAN is configured.
Command Modes
Interface configuration
Command History
|
|
12.2(53)SE2 |
This command was introduced. |
Usage Guidelines
You can configure a guest VLAN on one of these switch ports:
- A static-access port that belongs to a nonprivate VLAN.
- A private-VLAN port that belongs to a secondary private VLAN. All the hosts connected to the switch port are assigned to private VLANs, whether or not the posture validation was successful. The switch determines the primary private VLAN by using the primary- and secondary-private-VLAN associations on the switch.
For each IEEE 802.1x port on the switch, you can configure a guest VLAN to provide limited services to clients (a device or workstation connected to the switch) not running IEEE 802.1x authentication. These users might be upgrading their systems for IEEE 802.1x authentication, and some hosts, such as Windows 98 systems, might not be IEEE 802.1x-capable.
When you enable a guest VLAN on an IEEE 802.1x port, the switch assigns clients to a guest VLAN when it does not receive a response to its Extensible Authentication Protocol over LAN (EAPOL) request/identity frame or when EAPOL packets are not sent by the client.
The switch maintains the EAPOL packet history. If another EAPOL packet is detected on the interface during the lifetime of the link, the guest VLAN feature is disabled. If the port is already in the guest VLAN state, the port returns to the unauthorized state, and authentication restarts. The EAPOL history is reset upon loss of link.
To allow clients that failed authentication access to the network, you can use a restricted VLAN by entering the dot1x auth-fail vlan vlan-id interface configuration command.
Any number of non-IEEE 802.1x-capable clients are allowed access when the switch port is moved to the guest VLAN. If an IEEE 802.1x-capable client joins the same port on which the guest VLAN is configured, the port is put into the unauthorized state in the RADIUS-configured or user-configured access VLAN, and authentication is restarted.
Guest VLANs are supported on IEEE 802.1x ports in single-host or multiple-hosts mode.
You can configure any active VLAN except an Remote Switched Port Analyzer (RSPAN) VLAN, a primary private VLAN, or a voice VLAN as an IEEE 802.1x guest VLAN. The guest VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is supported only on access ports.
After you configure a guest VLAN for an IEEE 802.1x port to which a DHCP client is connected, you might need to get a host IP address from a DHCP server. You can change the settings for restarting the IEEE 802.1x authentication process on the switch before the DHCP process on the client times out and tries to get a host IP address from the DHCP server. Decrease the settings for the IEEE 802.1x authentication process (dot1x timeout quiet-period and dot1x timeout tx-period interface configuration commands). The amount to decrease the settings depends on the connected IEEE 802.1x client type.
The switch supports MAC authentication bypass. When it is enabled on an IEEE 802.1x port, the switch can authorize clients based on the client MAC address when IEEE 802.1x authentication times out while waiting for an EAPOL message exchange. After detecting a client on an IEEE 802.1x port, the switch waits for an Ethernet packet from the client. The switch sends the authentication server a RADIUS-access/request frame with a username and password based on the MAC address. If authorization succeeds, the switch grants the client access to the network. If authorization fails, the switch assigns the port to the guest VLAN if one is specified. For more information, see the “Using IEEE 802.1x Authentication with MAC Authentication Bypass” section in the “Configuring IEEE 802.1x Port-Based Authentication” chapter of the software configuration guide.
Examples
This example shows how to specify VLAN 5 as an IEEE 802.1x guest VLAN:
Switch(config-if)# dot1x guest-vlan 5
This example shows how to set 3 as the quiet time on the switch, to set 15 as the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request, and to enable VLAN 2 as an IEEE 802.1x guest VLAN when an IEEE 802.1x port is connected to a DHCP client:
Switch(config-if)# dot1x timeout quiet-period 3
Switch(config-if)# dot1x timeout tx-period 15
Switch(config-if)# dot1x guest-vlan 2
This example shows how to enable the optional guest VLAN behavior and to specify VLAN 5 as an IEEE 802.1x guest VLAN:
Switch(config)# dot1x guest-vlan supplicant
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# dot1x guest-vlan 5
You can verify your settings by entering the show dot1x [ interface interface-id ] privileged EXEC command.