Catalyst 4500 Series Switch Cisco IOS Command Reference, IOS XE 3.11.xE
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
- Updated:
- April 28, 2022
Chapter: interface port-channel through shape
- interface
- interface (virtual switch)
- interface port-channel
- interface range
- interface vlan
- ip admission proxy http refresh-all
- ip arp inspection filter vlan
- ip arp inspection limit (interface)
- ip arp inspection log-buffer
- ip arp inspection trust
- ip arp inspection validate
- ip arp inspection vlan
- ip arp inspection vlan logging
- ip cef load-sharing algorithm
- ip device tracking maximum
- ip device tracking probe
- ip dhcp snooping
- ip dhcp snooping binding
- ip dhcp snooping database
- ip dhcp snooping information option
- ip dhcp snooping information option allow-untrusted
- ip dhcp snooping limit rate
- ip dhcp snooping trust
- ip dhcp snooping vlan
- ip dhcp snooping vlan information option format-type circuit-id string
- ip igmp filter
- ip igmp max-groups
- ip igmp profile
- ip igmp query-interval
- ip igmp snooping
- ip igmp snooping report-suppression
- ip igmp snooping vlan
- ip igmp snooping vlan explicit-tracking
- ip igmp snooping vlan immediate-leave
- ip igmp snooping vlan mrouter
- ip igmp snooping vlan static
- ip local-proxy-arp
- ip mfib fastdrop
- ip multicast multipath
- ip name-server
- ip route-cache flow
- ip source binding
- ip ssh source-interface
- ip sticky-arp
- ip verify header vlan all
- ip verify source
- ip verify unicast source reachable-via
- ip wccp
- ipv6 wccp
- ip wccp check services all
- ip wccp group-listen
- ip wccp redirect
- ip wccp redirect exclude in
- ipv6 dhcp-lrda
- ipv6 dhcp-ldra interface-id
- ipv6 dhcp-ldra attach-policy
- ipv6 dhcp lrda attach-policy (VLAN)
- ipv6 dhcp relay destination
- ipv6 mld snooping
- ipv6 mld snooping last-listener-query-count
- ipv6 mld snooping last-listener-query-interval
- ipv6 mld snooping listener-message-suppression
- ipv6 mld snooping robustness-variable
- ipv6 mld snooping tcn
- ipv6 mld snooping vlan
- issu abortversion
- issu acceptversion
- issu commitversion
- issu loadversion
- issu runversion
- issu set rollback-timer
- itr
- itr map-resolver
- key chain macsec
- l2protocol-tunnel
- l2protocol-tunnel cos
- l2protocol-tunnel drop-threshold
- l2protocol-tunnel shutdown-threshold
- lacp port-priority
- lacp system-priority
- license right-to-use activate
- license right-to-use deactivate
- link state group
- link state track
- lldp tlv-select power-management
- locator default-set
- locator-set
- logging event link-status global (global configuration)
- logging event link-status (interface configuration)
- logging event trunk-status global (global configuration)
- logging event trunk-status (interface configuration)
- mab
- mab logging verbose
- mac access-list extended
- mac-address (virtual switch)
- mac-address-table aging-time
- mac-address-table dynamic group protocols
- mac-address-table learning vlan
- mac-address-table notification
- mac-address-table static
- macro apply cisco-desktop
- macsec network-link
- map-cache
- mka
- mka policy
- macro apply cisco-phone
- macro apply cisco-router
- macro apply cisco-switch
- macro auto device
- macro auto execute (built-in function)
- macro auto execute (remotely-defined trigger)
- macro auto execute (user-defined function)
- macro auto global processing
- macro auto mac-address-group
- macro auto monitor
- macro auto processing
- macro auto sticky
- macro global apply cisco-global
- macro global apply system-cpp
- macro global description
- main-cpu
- match
- match (class-map configuration)
- match flow ip
- mdix auto
- media-type
- mode
- monitor capture {access-list | class-map}
- monitor capture [clear | export]
- monitor capture [interface | vlan | control-plane]
- monitor capture file location buffer-size
- monitor capture limit
- monitor capture mycap match
- monitor capture start
- monitor session
- mtu
- mvr (global configuration)
- mvr (interface configuration)
- name
- netflow-lite exporter
- netflow-lite monitor
- netflow-lite sampler
- nmsp
- nmsp attachment suppress
- object-group
- options timeout (netflow-lite exporter submode)
- packet-offset (netflow-lite sampler submode)
- packet-rate (netflow-lite sampler submode)
- packet-section size (netflow-lite sampler submode)
- pagp learn-method
- pagp port-priority
- passive-interface
- permit
- police
- police (percent)
- police rate
- police (two rates)
- policy-map
- port-channel auto
- port-channel load-balance
- port-channel standalone-disable
- port-security mac-address
- port-security mac-address sticky
- port-security maximum
- power dc input
- power efficient-ethernet auto
- power inline
- power inline consumption
- power inline four-pair forced
- power inline logging global
- power inline police
- power redundancy combined max inputs
- power redundancy-mode
- pppoe intermediate-agent (global)
- pppoe intermediate-agent (interface)
- pppoe intermediate-agent (interface vlan-range)
- pppoe intermediate-agent format-type (global)
- pppoe intermediate-agent format-type (interface)
- pppoe intermediate-agent format-type (interface vlan-range)
- pppoe intermediate-agent limit rate
- pppoe intermediate-agent trust
- pppoe intermediate-agent vendor-tag strip
- priority
- private-vlan
- private-vlan mapping
- private-vlan synchronize
- profile
- profile flow
- qos account layer-all encapsulation
- qos account layer2 encapsulation
- qos trust
- queue-limit
- redundancy
- redundancy config-sync mismatched-commands
- redundancy force-switchover
- redundancy reload
- remote login module
- remote-span
- renew ip dhcp snooping database
- rep admin vlan
- rep block port
- rep lsl-age-timer
- rep preempt delay
- rep preempt segment
- rep segment
- rep stcn
- reset
- revision
- sampler (netflow-lite monitor submode)
- service
- service-policy (interface configuration)
- service-policy (policy-map class)
- service-policy input (control-plane)
- session module
- set
- set cos
- set dscp
- set ip next-hop verify-availability
- set precedence
- set qos-group
- shape (class-based queueing)
- shape (interface configuration)
- shell trigger
- use-petr
interface
To select an interface to configure and to enter interface configuration mode, use the interface command.
Syntax Description
Type of interface to be configured; see Valid type Values for valid values. |
|
Command Default
Command Modes
Command History
|
|
|
|---|---|
The fortygigabitethernet option was introduced on on Cisco Catalyst 4500E Series Switches configured with Supervisor Engine 9-E. |
|
Usage Guidelines
Table 2-8 lists the valid values for type .
|
|
|
|---|---|
40-Gigabit Ethernet interface; supported on Cisco Catalyst 4500E Series Switches configured with Supervisor Engine 9-E. To use this interface type, first enable the corresponding uplink mode—enter the hw-module uplink mode 80Gig command in global configuration mode. In this mode, the 10-GE uplink ports on the supervisor are not available, but if there are other 10-GE linecards in the chassis, the tengigabitethernet option is available on the CLI. |
|
Gigabit Ethernet WAN IEEE 802.3z interface; supported on Catalyst 4500 series switch that are configured with a Supervisor Engine 2 only. |
|
Packet OC-3 interface on the Packet over SONET Interface Processor; supported on Catalyst 4500 series switch that are configured with a Supervisor Engine 2 only. |
|
ATM interface; supported on Catalyst 4500 series switch that are configured with a Supervisor Engine 2 only. |
|
VLAN interface; see the interface vlan command. |
|
Port channel interface; see the interface port-channel command. |
|
Examples
The following example shows how to enter the interface configuration mode on the Fast Ethernet interface 2/4:
Related Commands
|
|
|
|---|---|
interface (virtual switch)
To select an interface to configure and enter interface configuration mode, use the interface global configuration mode command.
interface [interface switch-num/slot/port.subinterface }
Syntax Description
Specifies the interface to be configured; see Valid type Values for valid values. |
|
Command Default
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Table 2-9 lists the valid values for type .
|
|
|
|---|---|
VLAN interface; see the interface vlan command. |
|
Port channel interface; see the interface port-channel command. |
|
Examples
The following example shows how to enter the interface configuration mode on the GigabitEthernet interface for switch 1, module 2, port 4:
Related Commands
|
|
|
|---|---|
interface port-channel
To access or create a port-channel interface, use the interface port-channel command.
interface port-channel channel-group
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
You do not have to create a port-channel interface before assigning a physical interface to a channel group. A port-channel interface is created automatically when the channel group gets its first physical interface, if it is not already created.
You can also create the port channels by entering the interface port-channel command. This will create a Layer 3 port channel. To change the Layer 3 port channel into a Layer 2 port channel, use the switchport command before you assign the physical interfaces to the channel group. A port channel cannot be changed from Layer 3 to Layer 2 or vice versa when it contains member ports.
Only one port channel in a channel group is allowed.
The Layer 3 port-channel interface is the routed interface. Do not enable Layer 3 addresses on the physical Fast Ethernet interfaces.
If you want to use CDP, you must configure it only on the physical Fast Ethernet interface and not on the port-channel interface.
Examples
This example creates a port-channel interface with a channel-group number of 64:
Related Commands
|
|
|
|---|---|
Assigns and configures an EtherChannel interface to an EtherChannel group. |
|
interface range
To run a command on multiple ports at the same time, use the interface range command.
interface range { vlan vlan_id - vlan_id } { port-range | macro name }
Syntax Description
Port range; for a list of valid values for port-range, see the “Usage Guidelines” section. |
|
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
|
Usage Guidelines
You can use the interface range command on the existing VLAN SVIs only. To display the VLAN SVIs, enter the show running config command. The VLANs that are not displayed cannot be used in the interface range command.
The values that are entered with the interface range command are applied to all the existing VLAN SVIs.
Before you can use a macro, you must define a range using the define interface-range command.
All configuration changes that are made to a port range are saved to NVRAM, but the port ranges that are created with the interface range command do not get saved to NVRAM.
You can enter the port range in two ways:
You can either specify the ports or the name of a port-range macro. A port range must consist of the same port type, and the ports within a range cannot span the modules.
You can define up to five port ranges on a single command; separate each range with a comma.
When you define a range, you must enter a space between the first port and the hyphen (-):
Use these formats when entering the port-range :
- interface-type { mod }/{ first-port } - { last-port }
- interface-type { mod }/{ first-port } - { last-port }
Valid values for interface-type are as follows:
Although the port-channel interface range is 1 to 256, in a VSS setup, there is a discrepancy in the way the range is displayed on the CLI when you enter the beginning of the interface range before you enter the ? prompt. This discrepancy is not seen on a standalone switch.
When you enter the beginning of the interface range, the CLI output is displayed as follows:
To continue, you have to enter the beginning of the next number range:
If you do not enter the beginning of the interface range, the CLI output is displayed as follows:
You cannot specify both a macro and an interface range in the same command. After creating a macro, you can enter additional ranges. If you have already entered an interface range, the CLI does not allow you to enter a macro.
You can specify a single interface in the port-range value. This makes the command similar to the interface interface-number command.
Examples
The following example shows how to use the interface range command to interface to FE 5/18 - 20:
This command shows how to run a port-range macro:
Related Commands
|
|
|
|---|---|
interface vlan
To create or access a Layer 3 switch virtual interface (SVI), use the interface vlan command. To delete an SVI, use the no form of this command.
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
|
Usage Guidelines
The SVIs are created the first time that you enter the interface vlan vlan_id command for a particular VLAN. The vlan_id value corresponds to the VLAN tag that is associated with the data frames on an ISL or 802.1Q-encapsulated trunk or the VLAN ID that is configured for an access port. A message is displayed whenever a VLAN interface is newly created, so you can check that you entered the correct VLAN number.
If you delete an SVI by entering the no interface vlan vlan_id command, the associated interface is forced into an administrative down state and marked as deleted. The deleted interface will no longer be visible in a show interface command.
You can reinstate a deleted SVI by entering the interface vlan vlan_id command for the deleted interface. The interface comes back up, but much of the previous configuration will be gone.
Examples
The following example shows the output when you enter the interface vlan vlan_id command for a new VLAN number:
ip admission proxy http refresh-all
To ensure that you see a customized WebAuth login page with the same name in the switch system directory as a same-named prior login page, use the ip admission proxy http refresh-all command.
ip admission proxy http [success | failure | refresh-all | login [expired | page]]
Syntax Description
Command Default
If you do not enter this command, if any of the customized web-based authentication page files with the file of same name have been changed, you see the old login page rather than the new file.
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
You should enter this command whenever the customized web-based authentication page has been changed in the system directory.
Examples
The following example shows how to enter this command:
ip arp inspection filter vlan
To permit ARPs from hosts that are configured for static IP when DAI is enabled and to define an ARP access list and apply it to a VLAN, use the ip arp inspection filter vlan command. To disable this application, use the no form of this command.
ip arp inspection filter arp-acl-name vlan vlan-range [ static ]
no ip arp inspection filter arp-acl-name vlan vlan-range [ static ]
Syntax Description
(Optional) Specifies that the access control list should be applied statically. |
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
When an ARP access control list is applied to a VLAN for dynamic ARP inspection, the ARP packets containing only the IP-to-Ethernet MAC bindings are compared against the ACLs. All other packet types are bridged in the incoming VLAN without validation.
This command specifies that the incoming ARP packets are compared against the ARP access control list, and the packets are permitted only if the access control list permits them.
If the access control lists deny the packets because of explicit denies, the packets are dropped. If the packets are denied because of an implicit deny, they are then matched against the list of DHCP bindings if the ACL is not applied statically.
Examples
The following example shows how to apply the ARP ACL static hosts to VLAN 1 for DAI:
Related Commands
|
|
|
|---|---|
Defines an ARP access list or adds clauses at the end of a predefined list. |
|
Displays the status of dynamic ARP inspection for a specific range of VLANs. |
ip arp inspection limit (interface)
To limit the rate of incoming ARP requests and responses on an interface and prevent DAI from consuming all of the system’s resources in the event of a DoS attack, use the ip arp inspection limit command. To release the limit, use the no form of this command.
ip arp inspection limit { rate pps | none } [ burst interval seconds ]
Syntax Description
Command Default
The rate is set to 15 packets per second on the untrusted interfaces, assuming that the network is a switched network with a host connecting to as many as 15 new hosts per second.
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
|
Usage Guidelines
The trunk ports should be configured with higher rates to reflect their aggregation. When the rate of the incoming packets exceeds the user-configured rate, the interface is placed into an error-disabled state. The error-disable timeout feature can be used to remove the port from the error-disabled state. The rate applies to both the trusted and nontrusted interfaces. Configure appropriate rates on trunks to handle the packets across multiple DAI-enabled VLANs or use the none keyword to make the rate unlimited.
The rate of the incoming ARP packets onthe channel ports is equal to the sum of the incoming rate of packets from all the channel members. Configure the rate limit for the channel ports only after examining the rate of the incoming ARP packets on the channel members.
After a switch receives more than the configured rate of packets every second consecutively over a period of burst seconds, the interface is placed into an error-disabled state.
Examples
The following example shows how to limit the rate of the incoming ARP requests to 25 packets per second:
The following example shows how to limit the rate of the incoming ARP requests to 20 packets per second and to set the interface monitoring interval to 5 consecutive seconds:
Related Commands
|
|
|
|---|---|
Displays the status of dynamic ARP inspection for a specific range of VLANs. |
ip arp inspection log-buffer
To configure the parameters that are associated with the logging buffer, use the ip arp inspection log-buffer command. To disable the parameters, use the no form of this command.
ip arp inspection log-buffer { entries number | logs number interval seconds }
no ip arp inspection log-buffer { entries | logs }
Syntax Description
Command Default
When dynamic ARP inspection is enabled, denied, or dropped, the ARP packets are logged.
The number of entries is set to 32.
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
The first dropped packet of a given flow is logged immediately. The subsequent packets for the same flow are registered but are not logged immediately. Registering these packets is done in a log buffer that is shared by all the VLANs. Entries from this buffer are logged on a rate-controlled basis.
Examples
The following example shows how to configure the logging buffer to hold up to 45 entries:
The following example shows how to configure the logging rate to 10 logs per 3 seconds:
Related Commands
|
|
|
|---|---|
Defines an ARP access list or adds clauses at the end of a predefined list. |
|
Displays the status of dynamic ARP inspection for a specific range of VLANs. |
ip arp inspection trust
To set a per-port configurable trust state that determines the set of interfaces where incoming ARP packets are inspected, use the ip arp inspection trust command. To make the interfaces untrusted, use the no form of this command.
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Examples
The following example shows how to configure an interface to be trusted:
To verify the configuration, use the show form of this command:
Related Commands
|
|
|
|---|---|
Displays the status of dynamic ARP inspection for a specific range of VLANs. |
ip arp inspection validate
To perform specific checks for ARP inspection, use the ip arp inspection validate command. To disable checks, use the no form of this command.
ip arp inspection validate [ src-mac ] [ dst-mac ] [ ip ]
no ip arp inspection validate [ src-mac ] [ dst-mac ] [ ip ]
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
When enabling the checks, specify at least one of the keywords (src-mac, dst-mac, and ip) on the command line. Each command overrides the configuration of the previous command. If a command enables src and dst mac validations, and a second command enables IP validation only, the src and dst mac validations are disabled as a result of the second command.
The no form of this command disables only the specified checks. If none of the check options are enabled, all the checks are disabled.
Examples
This example show how to enable the source MAC validation:
Related Commands
|
|
|
|---|---|
Defines an ARP access list or adds clauses at the end of a predefined list. |
|
Displays the status of dynamic ARP inspection for a specific range of VLANs. |
ip arp inspection vlan
To enable dynamic ARP inspection (DAI) on a per-VLAN basis, use the ip arp inspection vlan command. To disable DAI, use the no form of this command.
ip arp inspection vlan vlan-range
no ip arp inspection vlan vlan-range
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
You must specify on which VLANs to enable DAI. DAI may not function on the configured VLANs if they have not been created or if they are private.
Examples
The following example shows how to enable DAI on VLAN 1:
The following example shows how to disable DAI on VLAN 1:
Related Commands
|
|
|
|---|---|
Defines an ARP access list or adds clauses at the end of a predefined list. |
|
Displays the status of dynamic ARP inspection for a specific range of VLANs. |
ip arp inspection vlan logging
To control the type of packets that are logged, use the ip arp inspection vlan logging command. To disable this logging control, use the no form of this command.
ip arp inspection vlan vlan-range logging { acl-match { matchlog | none } | dhcp-bindings { permit | all | none }}
no ip arp inspection vlan vlan-range logging { acl-match | dhcp-bindings }
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
The acl-match and dhcp-bindings keywords merge with each other. When you set an ACL match configuration, the DHCP bindings configuration is not disabled. You can use the no form of this command to reset some of the logging criteria to their defaults. If you do not specify either option, all the logging types are reset to log on when the ARP packets are denied. The two options that are available to you are as follows:
Examples
The following example shows how to configure an ARP inspection on VLAN 1 to add packets to a log on matching against the ACLs with the logging keyword:
Related Commands
|
|
|
|---|---|
Defines an ARP access list or adds clauses at the end of a predefined list. |
|
Displays the status of dynamic ARP inspection for a specific range of VLANs. |
ip cef load-sharing algorithm
To configure the load-sharing hash function so that the source TCP/UDP port, the destination TCP/UDP port, or both ports can be included in the hash in addition to the source and destination IP addresses, use the ip cef load-sharing algorithm command. To revert back to the default, which does not include the ports, use the no form of this command.
ip cef load-sharing algorithm { include-ports { source source | destination dest } | original | tunnel | universal }
no ip cef load-sharing algorithm { include-ports { source source | destination dest } | original | tunnel | universal }
Syntax Description
Command Default
Default load-sharing algorithm is disabled.
Note This option does not include the source or destination port in the load-balancing hash.
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
The original algorithm, tunnel algorithm, and universal algorithm are routed through the hardware. For software-routed packets, the algorithms are handled by the software. The include-ports option does not apply to the software-switched traffic.
Examples
The following example shows how to configure the IP CEF load-sharing algorithm that includes Layer 4 ports:
The following example shows how to configure the IP CEF load-sharing algorithm that includes Layer 4 tunneling ports:
Related Commands
|
|
|
|---|---|
Displays the IP CEF VLAN interface status and configuration information. |
ip device tracking maximum
To enable IP port security binding tracking on a Layer 2 port, use the ip device tracking maximum command. To disable IP port security on untrusted Layer 2 interfaces, use the no form of this command.
ip device tracking maximum { number }
no ip device tracking maximum { number }
Syntax Description
Specifies the number of bindings created in the IP device tracking table for a port, valid values are from 0 to 65535. |
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
|
The upper limit for the number of bindings you can specifiy was increased from 2048 to 65535. |
Examples
The following example shows how to enable IP port security with IP-MAC filters on a Layer 2 access port:
You can verify your settings by entering the show ip verify source privileged EXEC command.
Related Commands
|
|
|
|---|---|
Displays the IP source guard configuration and filters on a particular interface. |
ip device tracking probe
To enable the tracking of device probes, use the ip device tracking probe command in configuration mode. To disable device probes, use the no form of this command.
ip device tracking probe { count count | delay interval | interval interval }
no ip device tracking probe { count count | delay interval | interval interval }
Note Starting with Cisco IOS XE Release 3.10.1E, the [no] ip device tracking probe count and [no] ip device tracking probe delay commands are deprecated; there are no replacement commands.
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
|
Examples
The following example shows how to set the interval time to 35:
Related Commands
|
|
|
|---|---|
ip dhcp snooping
To enable DHCP snooping globally, use the ip dhcp snooping command. To disable DHCP snooping, use the no form of this command.
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
You must enable DHCP snooping globally before you can use DHCP snooping on a VLAN.
Examples
The following example shows how to enable DHCP snooping:
The following example shows how to disable DHCP snooping:
Related Commands
|
|
|
|---|---|
Configures the number of the DHCP messages that an interface can receive per second. |
|
ip dhcp snooping binding
To set up and generate a DHCP binding configuration to restore bindings across reboots, use the ip dhcp snooping binding command. To disable the binding configuration, use the no form of this command.
ip dhcp snooping binding mac-address vlan vlan-# ip-address interface interface expiry seconds
no ip dhcp snooping binding mac-address vlan vlan-# ip-address interface interface
Syntax Description
Specifies the interval (in seconds) after which binding is no longer valid. |
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
|
Support for the 10-Gigabit Ethernet interface was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
Whenever a binding is added or removed using this command, the binding database is marked as changed and a write is initiated.
Examples
The following example shows how to generate a DHCP binding configuration on interface gigabitethernet1/1 in VLAN 1 with an expiration time of 1000 seconds:
Related Commands
|
|
|
|---|---|
ip dhcp snooping database
To store the bindings that are generated by DHCP snooping, use the ip dhcp snooping database command. To either reset the timeout, reset the write-delay, or delete the agent specified by the URL, use the no form of this command.
ip dhcp snooping database { url | timeout seconds | write-delay seconds }
no ip dhcp snooping database {timeout | write-delay}
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
You need to create an empty file at the configured URL on network-based URLs (such as TFTP and FTP) before the switch can write the set of bindings for the first time at the URL.
Note Because both NVRAM and bootflash have limited storage capacity, using TFTP or network-based files is recommended. If you use flash to store the database file, new updates (by the agent) result in the creation of new files (flash fills quickly). In addition, due to the nature of the file system used on the flash, a large number of files causes access to be considerably slowed. When a file is stored in a remote location accessible through TFTP, an RPR/SSO standby supervisor engine can take over the binding list when a switchover occurs.
Examples
The following example shows how to store a database file with the IP address 10.1.1.1 within a directory called directory. A file named file must be present on the TFTP server.
Related Commands
|
|
|
|---|---|
Sets up and generates a DHCP binding configuration to restore bindings across reboots. |
|
ip dhcp snooping information option
To enable DHCP option 82 data insertion, use the ip dhcp snooping information option command. To disable DHCP option 82 data insertion, use the no form of this command.
ip dhcp snooping information option format remote-id { hostname | string { word }}
no ip dhcp snooping information option format remote-id { hostname | string { word }}
Syntax Description
Specifies the user-defined string for the remote ID. The word string can be from 1 to 63 characters long with no spaces. |
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
|
Usage Guidelines
If the hostname is longer than 63 characters it is truncated to 63 characters in the remote ID.
Examples
The following example shows how to enable DHCP option 82 data insertion:
The following example shows how to disable DHCP option 82 data insertion:
The following example shows how to configure the hostname as the remote ID:
The following example shows how to enable DHCP Snooping on VLAN 500 through 555 and option 82 remote ID:
Related Commands
|
|
|
|---|---|
Sets up and generates a DHCP binding configuration to restore bindings across reboots. |
|
Configures the number of the DHCP messages that an interface can receive per second. |
|
ip dhcp snooping vlan information option format-type circuit-id string |
Enables circuit-id (a sub-option of DHCP snooping option-82) on a VLAN. |
ip dhcp snooping information option allow-untrusted
To allow DHCP packets with option 82 data inserted to be received from a snooping untrusted port, use the ip dhcp snooping information option allow-untrusted command. To disallow receipt of these DHCP packets, use the no form of this command.
ip dhcp snooping information option allow-untrusted
no ip dhcp snooping information option allow-untrusted
Syntax Description
Command Default
DHCP packets with option 82 are not allowed on snooping untrusted ports.
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Examples
The following example shows how to allow DHCP packets with option 82 data inserted to be received from a snooping untrusted port:
Switch(config)# end
Related Commands
|
|
|
|---|---|
Configures the number of the DHCP messages that an interface can receive per second. |
|
ip dhcp snooping limit rate
To configure the number of the DHCP messages that an interface can receive per second, use the ip dhcp snooping limit rate command. To disable the DHCP snooping rate limiting, use the no form of this command.
ip dhcp snooping limit rate rate
no ip dhcp snooping limit rate
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
Typically, the rate limit applies to the untrusted interfaces. If you want to set up rate limiting for the trusted interfaces, note that the trusted interfaces aggregate all DHCP traffic in the switch, and you will need to adjust the rate limit of the interfaces to a higher value.
Examples
The following example shows how to enable the DHCP message rate limiting:
The following example shows how to disable the DHCP message rate limiting:
Related Commands
|
|
|
|---|---|
ip dhcp snooping trust
To configure an interface as trusted for DHCP snooping purposes, use the ip dhcp snooping trust command. To configure an interface as untrusted, use the no form of this command.
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Examples
The following example shows how to enable DHCP snooping trust on an interface:
The following example shows how to disable DHCP snooping trust on an interface:
Related Commands
|
|
|
|---|---|
Configures the number of the DHCP messages that an interface can receive per second. |
|
ip dhcp snooping vlan
Use the ip dhcp snooping vlan command to enable DHCP snooping on a VLAN. To disable DHCP snooping on a VLAN, use the no form of this command.
ip dhcp snooping [ vlan number ]
no ip dhcp snooping [ vlan number ]
Syntax Description
(Optional) Single VLAN number or a range of VLANs; valid values are from 1 to 4094. |
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
DHCP snooping is enabled on a VLAN only if both global snooping and the VLAN snooping are enabled.
Examples
The following example shows how to enable DHCP snooping on a VLAN:
The following example shows how to disable DHCP snooping on a VLAN:
The following example shows how to enable DHCP snooping on a group of VLANs:
The following example shows how to disable DHCP snooping on a group of VLANs:
Related Commands
|
|
|
|---|---|
Configures the number of the DHCP messages that an interface can receive per second. |
|
ip dhcp snooping vlan information option format-type circuit-id string |
Enables circuit-id (a suboption of DHCP snooping option-82) on a VLAN. |
ip dhcp snooping vlan information option format-type circuit-id string
To enable circuit-id (a suboption of DHCP snooping option 82) on a VLAN, use the ip dhcp snooping vlan information option format-type circuit-id string command. To disable circuit-id on a VLAN, use the no form of this command.
ip dhcp snooping vlan number information option format-type circuit-id [override] string string
no ip dhcp snooping vlan number information option format-type circuit-id [override] string
Syntax Description
Specifies single or range of VLANs; valid values are from 1 to 4094. |
|
Specifies a user-defined string for the circuit ID; range of 3 to 63 ASCII characters with no spaces. |
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
|
Usage Guidelines
The circuit-id suboption of DHCP option 82 is supported only when DHCP snooping is globally enabled and on VLANs using DHCP option 82.
This command allows you to configure a string of ASCII characters to be the circuit ID. When you want to override the vlan-mod-port format type and instead use the circuit-ID to define subscriber information, use the override keyword.
Examples
The following example shows how to enable DHCP snooping on VLAN 500 through 555 and option 82 circuit-id:
The following example shows how to configure the option-82 circuit-ID override suboption:
You can verify your settings by entering the show ip dhcp snooping user EXEC command.
Note The show ip dhcp snooping user EXEC command only displays the global command output, including a remote-ID configuration. It does not display any per-interface, per-VLAN string that you have configured for the circuit ID.
Related Commands
|
|
|
|---|---|
Configures the number of the DHCP messages that an interface can receive per second. |
|
ip igmp filter
To control whether all hosts on a Layer 2 interface can join one or more IP multicast groups by applying an IGMP profile to the interface, use the ip igmp filter command. To remove a profile from the interface, use the no form of this command.
Syntax Description
IGMP profile number to be applied; valid values are from 1 to 429496795. |
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
You can apply IGMP filters only to Layer 2 physical interfaces; you cannot apply IGMP filters to routed ports, switch virtual interfaces (SVIs), or ports that belong to an EtherChannel group.
An IGMP profile can be applied to one or more switch port interfaces, but one port can have only one profile applied to it.
Examples
The following example shows how to apply IGMP profile 22 to an interface:
Related Commands
|
|
|
|---|---|
Displays all configured IGMP profiles or a specified IGMP profile. |
ip igmp max-groups
To set the maximum number of IGMP groups that a Layer 2 interface can join, use the ip igmp max-groups command. To set the maximum back to the default, use the no form of this command.
Syntax Description
Maximum number of IGMP groups that an interface can join; valid values are from 0 to 4294967294. |
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
You can use the ip igmp max-groups command only on Layer 2 physical interfaces; you cannot set the IGMP maximum groups for the routed ports, the switch virtual interfaces (SVIs), or the ports that belong to an EtherChannel group.
Examples
The following example shows how to limit the number of IGMP groups that an interface can join to 25:
ip igmp profile
To create an IGMP profile, use the ip igmp profile command. To delete the IGMP profile, use the no form of this command.
ip igmp profile profile number
no ip igmp profile profile number
Syntax Description
IGMP profile number being configured; valid values are from 1 to 4294967295. |
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
When entering a range, enter the low IP multicast address, a space, and the high IP multicast address.
You can apply an IGMP profile to one or more Layer 2 interfaces, but each interface can have only one profile applied to it.
Examples
The following example shows how to configure IGMP profile 40 that permits the specified range of IP multicast addresses:
Related Commands
ip igmp query-interval
To configure the frequency that the switch sends the IGMP host-query messages, use the ip igmp query-interval command. To return to the default frequency, use the no form of this command.
ip igmp query-interval seconds
Syntax Description
Frequency, in seconds, at which the IGMP host-query messages are transmitted; valid values depend on the IGMP snooping mode. See the “Usage Guidelines” section for more information. |
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
If you use the default IGMP snooping configuration, the valid query interval values are from 1 to 65535 seconds. If you have changed the default configuration to support CGMP as the IGMP snooping learning method, the valid query interval values are from 1 to 300 seconds.
The designated switch for a LAN is the only switch that sends the IGMP host-query messages. For IGMP version 1, the designated switch is elected according to the multicast routing protocol that runs on the LAN. For IGMP version 2, the designated querier is the lowest IP-addressed multicast switch on the subnet.
If no queries are heard for the timeout period (controlled by the ip igmp query-timeout command), the switch becomes the querier.
Note Changing the timeout period may severely impact multicast forwarding.
Examples
The following example shows how to change the frequency at which the designated switch sends the IGMP host-query messages:
Switch(config-if)# ip igmp query-interval 120
Switch(config-if)#
Related Commands
ip igmp snooping
To enable IGMP snooping, use the ip igmp snooping command. To disable IGMP snooping, use the no form of this command.
ip igmp snooping [ tcn { flood query count count | query solicit }]
no ip igmp snooping [ tcn { flood query count count | query solicit }]
Syntax Description
(Optional) Specifies to flood the spanning tree table to the network when a topology change occurs. |
|
(Optional) Specifies how often the spanning tree table is flooded; valid values are from 1 to 10. |
|
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
|
Usage Guidelines
The tcn flood option applies only to Layer 2 switch ports and EtherChannels; it does not apply to routed ports, VLAN interfaces, or Layer 3 channels.
The ip igmp snooping command is disabled by default on multicast routers.
Note You can use the tcn flood option in interface configuration mode.
Examples
The following example shows how to enable IGMP snooping:
Switch(config)# ip igmp snooping
Switch(config)#
The following example shows how to disable IGMP snooping:
Switch(config)# no ip igmp snooping
Switch(config)#
The following example shows how to enable the flooding of the spanning tree table to the network after nine topology changes have occurred:
Switch(config)# ip igmp snooping tcn flood query count 9
Switch(config)#
The following example shows how to disable the flooding of the spanning tree table to the network:
Switch(config)# no ip igmp snooping tcn flood
Switch(config)#
The following example shows how to enable an IGMP general query:
Switch(config)# ip igmp snooping tcn query solicit
Switch(config)#
The following example shows how to disable an IGMP general query:
Switch(config)# no ip igmp snooping tcn query solicit
Switch(config)#
Related Commands
|
|
|
|---|---|
Configures a Layer 2 interface as a multicast router interface for a VLAN. |
|
ip igmp snooping report-suppression
To enable report suppression, use the ip igmp snooping report-suppression command. To disable report suppression and forward the reports to the multicast devices, use the no form of this command.
ip igmp snooping report-suppression
no igmp snooping report-suppression
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
If the ip igmp snooping report-suppression command is disabled, all the IGMP reports are forwarded to the multicast devices.
If the command is enabled, report suppression is done by IGMP snooping.
Examples
The following example shows how to enable report suppression:
Switch(config)# ip igmp snooping report-suppression
Switch(config)#
The following example shows how to disable report suppression:
Switch(config)# no ip igmp snooping report-suppression
Switch(config)#
The following example shows how to display the system status for report suppression:
Switch# show ip igmp snoop
vlan 1
----------
IGMP snooping is globally enabled
IGMP snooping TCN solicit query is globally disabled
IGMP snooping global TCN flood query count is 2
IGMP snooping is enabled on this Vlan
IGMP snooping immediate-leave is disabled on this Vlan
IGMP snooping mrouter learn mode is pim-dvmrp on this Vlan
IGMP snooping is running in IGMP_ONLY mode on this Vlan
IGMP snooping report suppression is enabled on this Vlan
Switch#
Related Commands
|
|
|
|---|---|
Configures a Layer 2 interface as a multicast router interface for a VLAN. |
|
ip igmp snooping vlan
To enable IGMP snooping for a VLAN, use the ip igmp snooping vlan command. To disable IGMP snooping, use the no form of this command.
no ip igmp snooping vlan vlan-id
Syntax Description
Number of the VLAN; valid values are from 1 to 1001 and from 1006 to 4094. |
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
|
Usage Guidelines
This command is entered in VLAN interface configuration mode only.
The ip igmp snooping vlan command is disabled by default on multicast routers.
Examples
The following example shows how to enable IGMP snooping on a VLAN:
Switch(config)# ip igmp snooping vlan 200
Switch(config)#
The following example shows how to disable IGMP snooping on a VLAN:
Switch(config)# no ip igmp snooping vlan 200
Switch(config)#
Related Commands
|
|
|
|---|---|
Configures a Layer 2 interface as a multicast router interface for a VLAN. |
|
ip igmp snooping vlan explicit-tracking
To enable per-VLAN explicit host tracking, use the ip igmp snooping vlan explicit-tracking command. To disable explicit host tracking, use the no form of this command.
ip igmp snooping vlan vlan-id explicit-tracking
no ip igmp snooping vlan vlan-id explicit-tracking
Syntax Description
(Optional) Specifies a VLAN; valid values are from 1 to 1001 and from 1006 to 4094. |
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Examples
The following example shows how to disable IGMP explicit host tracking on interface VLAN 200 and how to verify the configuration:
Related Commands
|
|
|
|---|---|
Configures a Layer 2 interface as a multicast router interface for a VLAN. |
|
ip igmp snooping vlan immediate-leave
To enable IGMP immediate-leave processing, use the ip igmp snooping vlan immediate-leave command. To disable immediate-leave processing, use the no form of this command.
ip igmp snooping vlan vlan_num immediate-leave
no ip igmp snooping vlan vlan_num immediate-leave
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
|
Usage Guidelines
You enter this command in global configuration mode only.
Use the immediate-leave feature only when there is a single receiver for the MAC group for a specific VLAN.
The immediate-leave feature is supported only with IGMP version 2 hosts.
Examples
The following example shows how to enable IGMP immediate-leave processing on VLAN 4:
Switch(config)# ip igmp snooping vlan 4 immediate-leave
Switch(config)#
The following example shows how to disable IGMP immediate-leave processing on VLAN 4:
Switch(config)# no ip igmp snooping vlan 4 immediate-leave
Switch(config)#
Related Commands
|
|
|
|---|---|
Configures a Layer 2 interface as a multicast router interface for a VLAN. |
|
Displays the information about the IGMP-interface status and configuration. |
|
ip igmp snooping vlan mrouter
To statically configure an Layer 2 interface as a multicast router interface for a VLAN, use the
ip igmp snooping vlan mrouter command. To remove the configuration, use the no form of this command.
ip igmp snooping vlan vlan-id mrouter { interface {{ fastethernet slot/port } | { gigabitethernet slot/port } | { tengigabitethernet slot/port } | { port-channel number }} |
{ learn { cgmp | pim-dvmrp }}
no ip igmp snooping vlan vlan-id mrouter { interface {{ fastethernet slot/port } | { gigabitethernet slot/port } | { tengigabitethernet slot/port } | { port-channel number }} |
{ learn { cgmp | pim-dvmrp }}
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
|
Support for the 10-Gigabit Ethernet interface was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
You enter this command in VLAN interface configuration mode only.
The interface to the switch must be in the VLAN where you are entering the command. It must be both administratively up and line protocol up.
The CGMP learning method can decrease control traffic.
The learning method that you configure is saved in NVRAM.
The static connections to multicast interfaces are supported only on switch interfaces.
Examples
The following example shows how to specify the next-hop interface to a multicast switch:
Switch(config-if)# ip igmp snooping 400 mrouter interface fastethernet 5/6
Switch(config-if)#
The following example shows how to specify the multicast switch learning method:
Switch(config-if)# ip igmp snooping 400 mrouter learn cgmp
Switch(config-if)#
Related Commands
ip igmp snooping vlan static
To configure a Layer 2 interface as a member of a group, use the ip igmp snooping vlan static command. To remove the configuration, use the no form of this command.
ip igmp snooping vlan vlan_num static mac-address { interface { fastethernet slot/port } | { gigabitethernet slot/port } | { tengigabitethernet slot/port } | { port-channel number }}
no ip igmp snooping vlan vlan_num static mac-address { interface { fastethernet slot/port } | { gigabitethernet slot/port } | { tengigabitethernet mod/interface-number } | { port-channel number }}
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
|
Support for the 10-Gigabit Ethernet interface was introduced on the Catalyst 4500 series switch. |
Examples
The following example shows how to configure a host statically on an interface:
Switch(config)# ip igmp snooping vlan 4 static 0100.5e02.0203 interface fastethernet 5/11
Configuring port FastEthernet5/11 on group 0100.5e02.0203 vlan 4
Switch(config)#
Related Commands
|
|
|
|---|---|
Configures a Layer 2 interface as a multicast router interface for a VLAN. |
|
ip local-proxy-arp
To enable the l ocal proxy ARP feature, use the ip local-proxy-arp command. To disable the l ocal proxy ARP feature, use the no form of this command.
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
Use this feature only on subnets where hosts are intentionally prevented from communicating directly to the switch on which they are connected.
ICMP redirect is disabled on interfaces where the local proxy ARP feature is enabled.
Examples
The following example shows how to enable the local proxy ARP feature:
Switch(config-if)# ip local-proxy-arp
Switch(config-if)#
ip mfib fastdrop
To enable MFIB fast drop, use the ip mfib fastdrop command. To disable MFIB fast drop, use the no form of this command.
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Examples
The following example shows how to enable MFIB fast drops:
Related Commands
|
|
|
|---|---|
Displays all currently active fast-drop entries and shows whether fast drop is enabled. |
ip multicast multipath
To enable load splitting of IP multicast traffic over Equal Cost Multipath (ECMP), use the
ip multicast multipath command in global configuration mode. To disable this functionality, use the no form of this command.
ip multicast [ vrf vrf-name ] multipath [ s-g-hash { basic | next-hop-based }]
no ip multicast [ vrf vrf-name ] multipath [ s-g-hash { basic | next-hop-based }]
Syntax Description
Command Default
If multiple equal-cost paths exist, multicast traffic will not be load-split across those paths.
Command Modes
Command History
|
|
|
|---|---|
The s-g-hash keyword was introduced on the Catalyst 4500 switch. |
Usage Guidelines
The ip multicast multipath command does not work with bidirectional Protocol Independent Multicast (PIM).
Use the ip multicast multipath command to enable load splitting of IP multicast traffic across multiple equal-cost paths.
If two or more equal-cost paths from a source are available, unicast traffic will be load-split across those paths. However, by default, multicast traffic is not load-split across multiple equal-cost paths. In general, multicast traffic flows down from the reverse path forwarding (RPF) neighbor. According to the PIM specifications, this neighbor must have the highest IP address if more than one neighbor has the same metric.
When you configue load splitting with the ip multicast multipath command, the system splits multicast traffic across multiple equal-cost paths based on source address using the S-hash algorithm. When the ip multicast multipath command is configured and multiple equal-cost paths exist, the path in which multicast traffic will travel is selected based on the source IP address. Multicast traffic from different sources will be load-split across the different equal-cost paths. Load splitting will not occur across equal-cost paths for multicast traffic from the same source sent to different multicast groups.
Note The ip multicast multipath command load splits the traffic but does not load balance the traffic. Traffic from a source will use only one path, even if the traffic greatly exceeds traffic from other sources.
If the ip multicast multipath command is configured with the s-g-hash keyword and multiple equal-cost paths exist, load splitting will occur across equal-cost paths based on source and group address or on source, group, and next-hop address. If you specify the optional s-g-hash keyword for load splitting IP multicast traffic, you must select the algorithm used to calculate the equal-cost paths by specifying one of the following keywords:
- basic —The basic S-G-hash algorithm is predictable because no randomization is used in calculating the hash value. The basic S-G-hash algorithm, however, is subject to polarization because for a given source and group the same hash is always chosen irrespective of the router that the hash is being calculated on.
- next-hop-based —The next-hop-based S-G-hash algorithm is predictable because no randomization is used to determine the hash value. Unlike the S-hash and basic S-G-hash algorithms, the next-hop-based hash mechanism is not subject to polarization.
Examples
The following example shows how to enable ECMP multicast load splitting on a router based on source address using the S-hash algorithm:
The following example shows how to enable ECMP multicast load splitting on a router based on source and group address using the basic S-G-hash algorithm:
The following example shows how to enable ECMP multicast load splitting on a router based on source, group, and next-hop address using the next-hop-based S-G-hash algorithm:
ip name-server
To configure the IP address of the domain name server (DNS), use the ip name-server command. To delete the name server use the no form of this command.
ip name-server server-address1 [ server-address2...server-address6 ]
no name-server server-address1 [ server-address2...server-address6 ]
Syntax Description
IPv4 or IPv6 addresses of a name server to use for name and address resolution. |
|
(Optional) IP addresses of additional name servers (a maximum of six name servers) |
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
Separate each server address with a space. The first server specified is the primary server. The switch sends DNS queries to the primary server first. If that query fails, the backup servers are queried.
For the Application Visibility Control (AVC) with Domain Name System as an Authoritative Source (DNS-AS) feature (AVC with DNS-AS), ensure that at least the first two IP addresses in the sequence are IPv4 addresses, because the AVC with DNS-AS feature will use only these. See the example below, here the first two addresses are IPv4 (192.0.2.1 and 192.0.2.2), the third one (2001:DB8::1) is an IPv6 address. AVC with DNS-AS will use the first two:
Enter the show ip name-server command to display all the name server IP addresses that have been maintained.
Examples
The following example shows how to specify IPv4 hosts 172.16.1.111 and 172.16.1.2 as the name servers:
The following example shows how to specify IPv6 hosts 3FFE:C00::250:8BFF:FEE8:F800 and 2001:0DB8::3 as the name servers:
ip route-cache flow
To enable NetFlow statistics for IP routing, use the ip route-cache flow command. To disable NetFlow statistics, use the no form of this command.
ip route-cache flow [ infer-fields ]
no ip route-cache flow [ infer-fields ]
Syntax Description
(Optional) Includes the NetFlow fields as inferred by the software: Input identifier, Output identifier, and Routing information. |
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
|
Usage Guidelines
To use these commands, you need to install the Supervisor Engine IV and the NetFlow Service Card.
The NetFlow statistics feature captures a set of traffic statistics. These traffic statistics include the source IP address, destination IP address, Layer 4 port information, protocol, input and output identifiers, and other routing information that can be used for network analysis, planning, accounting, billing and identifying DoS attacks.
NetFlow switching is supported on IP and IP-encapsulated traffic over all interface types.
If you enter the ip route-cache flow infer-fields command after the ip route-cache flow command, you will purge the existing cache, and vice versa. This action is done to avoid having flows with and without inferred fields in the cache simultaneously.
For additional information on NetFlow switching, refer to the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide.
Note NetFlow consumes additional memory and CPU resources compared to other switching modes. You need to know the resources required on your switch before enabling NetFlow.
Examples
The following example shows how to enable NetFlow switching on the switch:
Note This command does not work on individual interfaces.
ip source binding
To add or delete a static IP source binding entry, use the ip source binding command. To delete the corresponding IP source binding entry, use the no form of this command.
ip source binding ip-address mac-address vlan vlan-id interface interface-name
no ip source binding ip-address mac-address vlan vlan-id interface interface-name
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
The ip source binding command is used to add a static IP source binding entry only.
The no form of this command deletes the corresponding IP source binding entry. For the deletion to succeed, all required parameters must match.
Each static IP binding entry is keyed by a MAC address and VLAN number. If the CLI contains an existing MAC and VLAN, the existing binding entry will be updated with the new parameters; a separate binding entry will not be created.
Examples
The following example shows how to configure the static IP source binding:
Related Commands
|
|
|
|---|---|
Displays IP source bindings that are configured on the system. |
ip ssh source-interface
To specify the IP address of an interface as the source address for a Secure Shell (SSH) client device, use the ip ssh source-interface command in global configuration mode. To remove the IP address as the source address, use the no form of this command.
ip ssh source-interface interface
no ip ssh source-interface interface
Syntax Description
The interface whose address is used as the source address for the SSH client. |
Command Default
The address of the closest interface to the destination is used as the source address (the closest interface is the output interface through which the SSH packet is sent).
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
By specifying this command, you can force the SSH client to use the IP address of the source interface as the source address.
Examples
In the following example, the IP address assigned to Ethernet interface 0 will be used as the source address for the SSH client:
ip sticky-arp
To enable sticky ARP, use the ip sticky-arp command. Use the no form of this command to disable sticky ARP.
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
This command is supported on PVLANs only.
ARP entries that are learned on Layer 3 PVLAN interfaces are sticky ARP entries. (You should display and verify ARP entries on the PVLAN interface using the show arp command).
For security reasons, sticky ARP entries on the PVLAN interface do not age out. Connecting new equipment with the same IP address generates a message and the ARP entry is not created.
Because the ARP entries on the PVLAN interface do not age out, you must manually remove ARP entries on the PVLAN interface if a MAC address changes.
Unlike static entries, sticky-ARP entries are not stored and restored when you enter the reboot and restart commands.
Examples
The following example shows how to enable sticky ARP:
Switch(config)# end
The following example shows how to disable sticky ARP:
Switch(config)# end
Related Commands
|
|
|
|---|---|
Enables Address Resolution Protocol (ARP) entries for static routing over the Switched Multimegabit Data Service (SMDS) network. |
|
ip verify header vlan all
To enable IP header validation for Layer 2-switched IPv4 packets, use the ip verify header vlan all command. To disable the IP header validation, use the no form of this command.
Syntax Description
Command Default
The IP header is validated for bridged and routed IPv4 packets.
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
This command does not apply to Layer 3-switched (routed) packets.
The Catalyst 4500 series switch checks the validity of the following fields in the IPv4 header for all switched IPv4 packets:
- The version must be 4.
- The header length must be greater than or equal to 20 bytes.
- The total length must be greater than or equal to four times the header length and greater than the Layer 2 packet size minus the Layer 2 encapsulation size.
If an IPv4 packet fails the IP header validation, the packet is dropped. If you disable the header validation, the packets with the invalid IP headers are bridged but are not routed even if routing was intended. The IPv4 access lists also are not applied to the IP headers.
Examples
The following example shows how to disable the IP header validation for the Layer 2-switched IPv4 packets:
ip verify source
To enable IP source guard on untrusted Layer 2 interfaces, use the ip verify source command. To disable IP source guard on untrusted Layer 2 interfaces, use the no form of this command.
ip verify source { vlan dhcp-snooping | tracking } [port-security]
no ip verify source { vlan dhcp-snooping | tracking } [port-security]
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
|
Examples
The following example shows how to enable IP source guard on VLANs 10 through 20 on a per-port basis:
The following example shows how to enable IP port security with IP-MAC filters on a Layer 2 access port:
You can verify your settings by entering the show ip verify source privileged EXEC command.
Related Commands
ip verify unicast source reachable-via
To enable and configure unicast RPF checks on a IPv4 interface, use the ip verify unicast source reachable-via command. To disable unicast RPF, use the no form of this command.
ip verify unicast source reachable-via rx allow-default
no ip verify unicast source reachable-via
Syntax Description
Verifies that the source address is reachable on the interface where the packet was received. |
|
Command Default
Command Modes
Command History
|
|
|
|---|---|
Support introduced on Catalyst 4900M chassis and a Catalyst 4500 with a Supervisor Engine 6-E. |
Usage Guidelines
- In basic RX mode, unicast RPF ensures a source address must be reachable on the arrived interface. For example, the source must be reachable without load balancing.
Note Unicast RPF is an input function and is applied only on the input interface of a router at the upstream end of a connection.
Do not use unicast RPF on internal network interfaces. Internal interfaces might have routing asymmetry, which means that there are multiple routes to the source of a packet. Apply unicast RPF only where there is natural or configured symmetry.
Examples
The following example shows how to enable unicast RPF exist-only checking mode:
Related Commands
|
|
|
|---|---|
ip wccp
To enable support of the specified Web Cache Communication Protocol (WCCP) service for participation in a service group, use the ip wccp command in global configuration mode. To disable the service group, use the no form of this command.
ip wccp { web-cache | service-number } [ accelerated ] [ group-address multicast-address ] [ redirect-list access-list ] [ group-list access-list ] [ password [ 0 | 7 ] password ]
no ip wccp { web-cache | service-number }[ accelerated ] [ group-address multicast-address ] [ redirect-list access-list ] [ group-list access-list ] [ password [ 0 | 7 ] password ]
Syntax Description
Command Default
Command Modes
Command History
Usage Guidelines
This command instructs a router to enable or disable the support for the specified service number or the web-cache service name. A service number can be from 0 to 254. Once the service number or name is enabled, the router can participate in the establishment of a service group.
When the no ip wccp command is entered, the router terminates participation in the service group, deallocates space if none of the interfaces still has the service configured, and terminates the WCCP task if no other services are configured.
The keywords following the web-cache keyword and the service-number argument are optional and may be specified in any order, but only may be specified once. The following sections outline the specific usage of each of the optional forms of this command.
ip wccp { web-cache | service-number } group-address multicast-address
A WCCP group address can be configured to set up a multicast address that cooperating routers and web caches can use to exchange WCCP protocol messages. If such an address is used, IP multicast routing must be enabled so that the messages that use the configured group (multicast) addresses are received correctly.
This option instructs the router to use the specified multicast IP address to coalesce the “I See You” responses for the “Here I Am” messages that it has received on this group address. The response is sent to the group address as well. The default is for no group address to be configured, in which case all “Here I Am” messages are responded to with a unicast reply.
ip wccp { web-cache | service-number } redirect-list access-list
This option instructs the router to use an access list to control the traffic that is redirected to the web caches of the service group specified by the service name given. The access-list argument specifies either the number or the name of a standard or extended access list. The access list itself specifies which traffic is permitted to be redirected. The default is for no redirect list to be configured (all traffic is redirected).
WCCP requires that the following protocol and ports not be filtered by any access lists:
- User Datagram Protocol (UDP) (protocol type 17) port 2048. This port is used for control signaling. Blocking this type of traffic will prevent WCCP from establishing a connection between the router and cache engines.
ip wccp { web-cache | service-number } group-list access-list
This option instructs the router to use an access list to control the cache engines that are allowed to participate in the specified service group. The access-list argument specifies either the number of a standard or extended access list or the name of any type of named access list. The access list itself specifies which cache engines are permitted to participate in the service group. The default is for no group list to be configured, in which case all cache engines may participate in the service group.
Note The ip wccp {web-cache | service-number} group-list command syntax resembles the ip wccp {web-cache | service-number} group-listen command, but these are entirely different commands. The ip wccp group-listen command is an interface configuration command used to configure an interface to listen for multicast notifications from a cache cluster. Refer to the description of the ip wccp group-listen command in the Cisco IOS IP Application Services Command Reference.
ip wccp { web-cache | service-number } password password
This option instructs the router to use MD5 authentication on the messages received from the service group specified by the service name given. Use this form of the command to set the password on the router. You must also configure the same password separately on each web cache. The password can be up to a maximum of eight characters. Messages that do not authenticate when authentication is enabled on the router are discarded. The default is for no authentication password to be configured and for authentication to be disabled.
Examples
The following example shows how to configure a router to run WCCP reverse-proxy service, using the multicast address of 239.0.0.0:
The following example shows how to configure a router to redirect web-related packets without a destination of 10.168.196.51 to the web cache:
Related Commands
|
|
|
|---|---|
Specifies which version of WCCP you wish to use on your router. |
|
ipv6 wccp
To enable support of the specified Web Cache Communication Protocol (WCCP) service for participation in a service group, use the ipv6 wccp command in global configuration mode. To disable the service group, use the no form of this command.
ipv6 wccp vrf vrf-name [ group-address groupaddress ] [ redirect-list access-list ] [ group-list access-list ]
Syntax Descriptionno ipv6 wccp [group-address groupaddress] [redirect-list access-list] [group-list access-list] S
Command Default
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
This command instructs a device to enable or disable the support for the specified service number or the VRF. A service number can be from 0 to 254. Once the service number or name is enabled, the router can participate in the establishment of a service group.
When the no ipv6 wccp command is entered, the device terminates participation in the service group, deallocates space if none of the interfaces still has the service configured, and terminates the WCCP task if no other services are configured.
The following sections outline the specific usage of each of the optional forms of this command.
ipv6 wccp vrf vrf name group-address groupaddress
The vrf vrf-name keyword and argument pair is optional. It allows you to specify a VRF to associate with a service group. You can then specify a web-cache service name or service number.
A WCCP group address can be configured to set up a multicast address that cooperating devices and can use to exchange WCCP protocol messages. If such an address is used, IP multicast routing must be enabled so that the messages that use the configured group (multicast) addresses are received correctly.
This option instructs the device to use the specified multicast IP address to coalesce the “I See You” responses for the “Here I Am” messages that it has received on this group address. The response is sent to the group address as well. The default is for no group address to be configured, in which case all “Here I Am” messages are responded to with a unicast reply.
ipv6 wccp vrf vrf name redirect-list access-list
This option instructs the device to use an access list to control the traffic that is redirected to the service group specified by the service name given. The access-list argument specifies either the number or the name of a standard or extended access list. The access list itself specifies which traffic is permitted to be redirected. The default is for no redirect list to be configured (all traffic is redirected).
WCCP requires that the following protocol and ports not be filtered by any access lists:
- User Datagram Protocol (UDP) (protocol type 17) port 2048. This port is used for control signaling. Blocking this type of traffic will prevent WCCP from establishing a connection between the router and cache engines.
ipv6 wccp vrf vrf name group-list access-list
This option instructs the router to use an access list to control the cache engines that are allowed to participate in the specified service group. The access-list argument specifies either the number of a standard or extended access list or the name of any type of named access list. The access list itself specifies which cache engines are permitted to participate in the service group. The default is for no group list to be configured, in which case all cache engines may participate in the service group.
Examples
The following example shows how to configure the TCP promiscuous service for IPv4 VRF interfaces, where VLAN 40 represents the server interface and VLAN 50 represents the content engine interface:
Related Commands
|
|
|
|---|---|
ip wccp check services all
To enable all Web Cache Communication Protocol (WCCP) services, use the ip wccp check services all command in global configuration mode. To disable all services, use the no form of this command.
Syntax Description
Command Default
Command Modes
Command History
Usage Guidelines
With the ip wccp check services all command, WCCP can be configured to check all configured services for a match and perform redirection for those services if appropriate. The caches to which packets are redirected can be controlled by a redirect ACL access control list (ACL) as well as by the priority value of the service.
It is possible to configure an interface with more than one WCCP service. When more than one WCCP service is configured on an interface, the precedence of a service depends on the relative priority of the service compared to the priority of the other configured services. Each WCCP service has a priority value as part of its definition.
If no WCCP services are configured with a redirect ACL, the services are considered in priority order until a service is found which matches the IP packet. If no services match the packet, the packet is not redirected. If a service matches the packet and the service has a redirect ACL configured, then the IP packet will be checked against the ACL. If the packet is rejected by the ACL, the packet will not be passed down to lower priority services unless the ip wccp check services all command is configured. When the ip wccp check services all command is configured, WCCP will continue to attempt to match the packet against any remaining lower priority services configured on the interface.
Note The priority of a WCCP service group is determined by the web cache appliance. The priority of a WCCP service group cannot be configured via Cisco IOS software.
Note The ip wccp check services all command is a global WCCP command that applies to all services and is not associated with a single service.
Examples
The following example shows how to configure all WCCP services:
Related Commands
ip wccp group-listen
To configure an interface on a router to enable or disable the reception of IP multicast packets for Web Cache Communication Protocol (WCCP), use the ip wccp group-listen command in interface configuration mode. To disable the reception of IP multicast packets for WCCP, use the no form of this command.
ip wccp { web-cache | service-number } group-listen
no ip wccp { web-cache | service-number } group-listen
Syntax Description
Command Default
Command Modes
Interface configuration (config-if)
Command History
Usage Guidelines
On routers that are to be members of a Service Group when IP multicast is used, the following configuration is required:
Examples
The following example shows how to enable the multicast packets for a web cache with a multicast address of 224.1.1.100:
Related Commands
ip wccp redirect
To enable packet redirection on an inbound or outbound interface using Web Cache Communication Protocol (WCCP), use the ip wccp redirect command in interface configuration mode. To disable WCCP redirection, use the no form of this command.
ip wccp { web-cache | service-number } redirect { in | out }
no ip wccp { web-cache | service-number } redirect { in | out }
Syntax Description
Identification number of the cache engine service group; valid values are from 0 to 254. If Cisco cache engines are used in the cache cluster, the reverse proxy service is indicated by a value of 99. |
|
Command Default
Command Modes
Interface configuration (config-if)
Command History
Usage Guidelines
The ip wccp {web-cache | service-number} redirect in command allows you to configure WCCP redirection on an interface receiving inbound network traffic. When the command is applied to an interface, all packets arriving at that interface will be compared against the criteria defined by the specified WCCP service. If the packets match the criteria, they will be redirected.
Likewise, the ip wccp {web-cache | service-number} redirect out command allows you to configure the WCCP redirection check at an outbound interface.
Tips Be careful not to confuse the ip wccp {web-cache | service-number} redirect {out | in} interface configuration command with the ip wccp redirect exclude in interface configuration command.
Examples
The following example shows how to configure a session in which reverse proxy packets on Ethernet interface 3/1 are being checked for redirection and redirected to a Cisco Cache Engine:
The following example shows how to configure a session in which HTTP traffic arriving on GigabitEthernet interface 3/1 is redirected to a Cache Engine:
Related Commands
ip wccp redirect exclude in
To configure an interface to exclude packets received on an interface from being checked for redirection, use the ip wccp redirect exclude in command in interface configuration mode. To disable the ability of a router to exclude packets from redirection checks, use the no form of this command.
no ip wccp redirect exclude in
Syntax Description
Command Default
Command Modes
Interface configuration (config-if)
Command History
Usage Guidelines
This configuration command instructs the interface to exclude inbound packets from any redirection check. Note that the command is global to all the services and should be applied to any inbound interface that will be excluded from redirection.
This command is intended to be used to accelerate the flow of packets from a cache engine to the Internet as well as allow for the use of the Web Cache Communication Protocol (WCCP) v2 packet return feature.
Examples
In the following example, packets arriving on GigabitEthernet interface 3/1 are excluded from WCCP output redirection checks:
Related Commands
ipv6 dhcp-lrda
To enable Lightweight DHCPv6 Relay Agent (LDRA) functionality on an access node, use the ipv6 dhcp-ldra command in global configuration mode. To disable the LDRA functionality, use the no form of this command.
ipv6 dhcp-lrda { enable | disable | remote-id remote-id }
no ipv6 dhcp-lrda { enable | disable | remote-id remote-id }
Syntax Description
Command Default
If the remote ID is not configured, a system generated remote ID is used.
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
You must configure the LDRA functionality globally using the ipv6 dhcp-ldra command before configuring it on a VLAN or an access node (such as a Digital Subscriber Link Access Multiplexer [DSLAM] or an Ethernet switch) interface.
To enable LDRA, configure the ipv6 dhcp-ldra command. To disable LDRA, configure either the no ipv6 dhcp-ldra enable or the ipv6 dhcp-ldra disable command. Configuring the no ipv6 dhcp-ldra command will not disable LDRA globally, and as a result, there is no carriage return after the no ipv6 dhcp-ldra command.
Examples
The following example shows how to enable the LDRA functionality:
Related CommandsT
|
|
|
|---|---|
Specifies a destination address to which client messages are forwarded and to enable DHCPv6 relay service on the interface. |
ipv6 dhcp-ldra interface-id
To configure Lightweight DHCPv6 Relay Agent (LDRA) interface ID on a port or an interface, use the ipv6 dhcp-ldra interface-id command in interface configuration mode. To disable LDRA interface ID on an interface or port, use the no form of this command.
ipv6 dhcp-ldra interface-id interface-id
no dhcp-ldra interface-id interface-id
Syntax Description
Interface identifier. Valid length for this argument is from 2 to 23 characters. |
Command Default
If the interface ID is not configured, the system uses a short name for an interface (for example, the system uses eth0/0 for Ethernet 0/0) as the interface ID.
Command Modes
Interface configuration (config-if)
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Examples
The following example shows how to configure an LDRA interface ID:
Related Commands
|
|
|
|---|---|
ipv6 dhcp-ldra attach-policy
To enable Lightweight DHCPv6 Relay Agent (LDRA) functionality on a port or interface, use the ipv6 dhcp-ldra attach-policy command in interface configuration mode. To disable LDRA functionality on an interface or port, use the no form of this command.
ipv6 dhcp-ldra attach-policy { client-facing-trusted | client-facing-untrusted | client-facing-disable | server-facing }
no ipv6 dhcp-ldra attach-policy { client-facing-trusted | client-facing-untrusted | client-facing-disable | server-facing }
Syntax Description
Command Default
Command Modes
Interface configuration (config-if)
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
You need to configure the LDRA functionality globally using the ipv6 dhcp-ldra command in global configuration mode before configuring it on an interface or port.
The ipv6 dhcp-ldra attach-policy command enables LDRA functionality on a specific interface or port. Instead of configuring LDRA individually on all the client-facing interfaces or ports individually, use the ipv6 dhcp ldra attach-policy command to configure LDRA on an entire VLAN.
Examples
The following example shows how to enable LDRA functionality on an interface and specify it as server facing:
Related Commands
|
|
|
|---|---|
ipv6 dhcp lrda attach-policy (VLAN)
To enable Lightweight DHCPv6 Relay Agent (LDRA) functionality on a VLAN, use the ipv6 dhcp ldra attach-policy command in VLAN configuration mode. To disable LDRA functionality on a VLAN, use the no form of this command.
ipv6 dhcp ldra attach-policy { client-facing-trusted | client-facing-untrusted }
no ipv6 dhcp ldra attach-policy { client-facing-trusted | client-facing-untrusted }
Syntax Description
Command Default
Command Modes
VLAN configuration (config-vlan-config)
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch in a release prior to Cisco IOS Release 15.2(5)E2. |
Usage Guidelines
You need to configure the LDRA functionality globally using the ipv6 dhcp-ldra command before configuring it on a VLAN.
In a typical deployment, a majority of the interfaces or ports on a device are client facing. Instead of configuring LDRA individually on all the client facing interfaces and ports, use the ipv6 dhcp ldra attach-policy command to configure LDRA on the entire VLAN. As a result, all the ports or interfaces associated with the VLAN will be configured as client facing.
Examples
The following example shows how to enable LDRA functionality on a VLAN:
Related Commands
|
|
|
|---|---|
ipv6 dhcp relay destination
To specify a destination address to which client messages are forwarded and to enable Dynamic Host Configuration Protocol Version 6 (DHCPv6) relay service on the interface, use the ipv6 dhcp relay destination command in interface configuration mode. To remove a relay destination on the interface or to delete an output interface for a destination, use the no form of this command.
ipv6 dhcp relay destination { ipv6-address | global ipv6-address | vrf vrfname ipv6-address } [ interface-type interface-number ] [ link-address link-address ] [ source-address source-address ]
no ipv6 dhcp relay destination { ipv6-address | global ipv6-address | vrf vrfname ipv6-address } [ interface-type interface-number ] [ link-address link-address ] [ source-address source-address ]
Syntax Description
Command Default
The relay function is disabled, and there is no relay destination on an interface.
Command Modes
Interface configuration (config-if)
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch in a release prior to Cisco IOS Release 152(5)E2. |
Usage Guidelines
The ipv6 dhcp relay destination command specifies a destination address to which client messages are forwarded, and it enables DHCPv6 relay service on the interface. When relay service is enabled on an interface, a DHCPv6 message received on that interface is forwarded to all configured relay destinations. The incoming DHCPv6 message may have come from a client on that interface, or relayed by another relay agent.
The relay destination can be a unicast address of a server or another relay agent, or it may be a multicast address. There are two types of relay destination addresses:
- A link-scoped unicast or multicast IPv6 address, for which a user must specify an output interface
- A global or site-scoped unicast or multicast IPv6 address. A user can optionally specify an output interface for this kind of address.
If no output interface is configured for a destination, the output interface is determined by routing tables. In this case, it is recommended that a unicast or multicast routing protocol be running on the device.
Multiple destinations can be configured on one interface, and multiple output interfaces can be configured for one destination. When the relay agent relays messages to a multicast address, it sets the hop limit field in the IPv6 packet header to 32.
Unspecified, loopback, and node-local multicast addresses are not acceptable as the relay destination. If any one of them is configured, the message "Invalid destination address" is displayed.
Note that it is not necessary to enable the relay function on an interface for it to accept and forward an incoming relay reply message from servers. By default, the relay function is disabled, and there is no relay destination on an interface. The no form of the command removes a relay destination on an interface or deletes an output interface for a destination. If all relay destinations are removed, the relay service is disabled on the interface.
The DHCPv6 client, server, and relay functions are mutually exclusive on an interface. When one of these functions is already enabled, and a user tries to configure a different function on the same interface, one of the following messages is displayed: "Interface is in DHCP client mode," "Interface is in DHCP server mode," or "Interface is in DHCP relay mode."
Examples
The following example sets the relay destination address on Ethernet interface 4/3:
Related Commands
|
|
|
|---|---|
Configures an interface and enters interface configuration mode. |
|
ipv6 mld snooping
To enable IP version 6 (IPv6) Multicast Listener Discovery (MLD) snooping globally or on the specified VLAN, use the ipv6 mld snooping command without keywords. To disable MLD snooping on a switch or the VLAN, use the no form of this command.
ipv6 mld snooping [ vlan vlan-id ]
no ipv6 mld snooping [ vlan vlan-id ]
Syntax Description
(Optional) Enables or disables IPv6 MLD snooping on the specified VLAN. The VLAN ID range is 1 to 1001 and 1006 to 4094. |
Command Default
MLD snooping is globally disabled on the switch.
MLD snooping is enabled on all VLANs. However, MLD snooping must be globally enabled before VLAN snooping can take place.
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
When MLD snooping is globally disabled, it is disabled on all the existing VLAN interfaces. When you globally enable MLD snooping, it is enabled on all VLAN interfaces that are in the default state (enabled). VLAN configuration overrides global configuration on interfaces on which MLD snooping has been disabled.
If MLD snooping is globally disabled, you cannot enable it on a VLAN. If MLD snooping is globally enabled, you can disable it on individual VLANs.
VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in MLD snooping.
Examples
The following example shows how to globally enable MLD snooping:
The following example shows how to disable MLD snooping on a VLAN:
You can verify your settings by entering the show ipv6 mld snooping user EXEC command.
Related Commands
|
|
|
|---|---|
Displays IP version 6 (IPv6) Multicast Listener Discovery (MLD) snooping configuration of the switch or the VLAN. |
ipv6 mld snooping last-listener-query-count
To configure IP version 6 (IPv6) Multicast Listener Discovery Mulitcast Address Specific Queries (MASQs) that will be sent before aging out a client, use the ipv6 mld snooping last-listener-query-count command. To reset the query count to the default settings, use the no form of this command.
ipv6 mld snooping [ vlan vlan-id ] last-listener-query-count integer_value
no ipv6 mld snooping [ vlan vlan-id ] last-listener-query-count
Syntax Description
(Optional) Configures last-listener query count on the specified VLAN. The VLAN ID range is 1 to 1001 and 1006 to 4094. |
|
Command Default
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
In MLD snooping, the IPv6 multicast switch periodically sends out queries to hosts belonging to the multicast group. If a host wants to leave a multicast group, it can silently leave or it can respond to the query with a Multicast Listener Done message (equivalent to an IGMP Leave message). When Immediate Leave is not configured (it should not be configured if multiple clients for a group exist on the same port), the configured last-listener query count determines the number of MASQs that are sent before an MLD client is aged out.
When the last-listener query count is set for a VLAN, this count overrides the value configured globally. When the VLAN count is not configured (set to the default of 0), the global count is used.
VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in MLD snooping.
Examples
The following example shows how to globally set the last-listener query count:
The following example shows how to set the last-listener query count for VLAN 10:
You can verify your settings by entering the show ipv6 mld snooping [ vlan vlan-id ] user EXEC command.
Related Commands
ipv6 mld snooping last-listener-query-interval
To configure IP version 6 (IPv6) Multicast Listener Discovery (MLD) snooping last-listener query interval on the switch or on a VLAN, use the ipv6 mld snooping last-listener-query-interval command. To reset the query time to the default settings, use the no form of this command.
ipv6 mld snooping [ vlan vlan-id ] last-listener-query-interval integer_value
no ipv6 mld snooping [ vlan vlan-id ] last-listener-query-interval
Syntax Description
Command Default
The default global query interval (maximum response time) is 1000 (1 second).
The default VLAN query interval (maximum response time) is 0 (the global count is used).
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
The last-listener-query-interval time is the maximum time that a multicast switch waits after issuing a Mulitcast Address Specific Query (MASQ) before deleting a port from the multicast group.
In MLD snooping, when the IPv6 multicast switch receives an MLD leave message, it sends out queries to hosts belonging to the multicast group. If there are no responses from a port to a MASQ for a length of time, the switch deletes the port from the membership database of the multicast address. The last listener query interval is the maximum time that the switch waits before deleting a nonresponsive port from the multicast group.
When a VLAN query interval is set, the global query interval is overridden. When the VLAN interval is set at 0, the global value is used.
VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in MLD snooping.
Examples
The following example shows how to globally set the last-listener query interval to 2 seconds:
The following example shows how to set the last-listener query interval for VLAN 1 to 5.5 seconds:
You can verify your settings by entering the show ipv6 MLD snooping [ vlan vlan-id ] user EXEC command.
Related Commands
ipv6 mld snooping listener-message-suppression
To enable IP version 6 (IPv6) Multicast Listener Discovery (MLD) snooping listener message suppression, use the ipv6 mld snooping listener-message-suppression command. To disable MLD snooping listener message suppression, use the no form of this command.
ipv6 mld snooping listener-message-suppression
no ipv6 mld snooping listener-message-suppression
Command Default
The default is for MLD snooping listener message suppression to be disabled.
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
MLD snooping listener message suppression is equivalent to IGMP snooping report suppression. When it is enabled, received MLDv1 reports to a group are forwarded to IPv6 multicast switchs only once in every report-forward time. This prevents the forwarding of duplicate reports.
Examples
The following example shows how to enable MLD snooping listener message suppression:
The following example shows how to disable MLD snooping listener message suppression:
You can verify your settings by entering the show ipv6 mld snooping [ vlan vlan-id ] user EXEC command.
Related Commands
ipv6 mld snooping robustness-variable
To configure the number of IP version 6 (IPv6) Multicast Listener Discovery (MLD) queries that the switch sends before deleting a listener that does not respond, or to enter a VLAN ID to configure the number of queries per VLAN, use the ipv6 mld snooping robustness-variable command. To reset the variable to the default settings, use the no form of this command.
ipv6 mld snooping [ vlan vlan-id ] robustness-variable integer_value
no ipv6 mld snooping [ vlan vlan-id ] robustness-variable
Syntax Description
(Optional) Configures the robustness variable on the specified VLAN. The VLAN ID range is 1 to 1001 and 1006 to 4094. |
|
Command Default
The default global robustness variable (number of queries before deleting a listener) is 2.
The default VLAN robustness variable (number of queries before aging out a multicast address) is 0, which means that the system uses the global robustness variable for aging out the listener.
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Robustness is measured by the number of MLDv1 queries sent with no response before a port is removed from a multicast group. A port is deleted when there are no MLDv1 reports received for the configured number of MLDv1 queries. The global value determines the number of queries that the switch waits before deleting a listener that does not respond, and it applies to all VLANs that do not have a VLAN value set.
The robustness value configured for a VLAN overrides the global value. If the VLAN robustness value is 0 (the default), the global value is used.
VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in MLD snooping.
Examples
The following example shows how to configure the global robustness variable so that the switch sends out three queries before it deletes a listener port that does not respond:
The following example shows how to configure the robustness variable for VLAN 1. This value overrides the global configuration for the VLAN:
You can verify your settings by entering the show ipv6 MLD snooping [ vlan vlan-id ] user EXEC command.
Related Commands
ipv6 mld snooping tcn
To configure IP version 6 (IPv6) Multicast Listener Discovery (MLD) Topology Change Notifications (TCNs), use the ipv6 mld snooping tcn commands. To reset the default settings, use the no form of the commands.
ipv6 mld snooping tcn { flood query count integer_value | query solicit }
no ipv6 mld snooping tcn { flood query count integer_value | query solicit }
Syntax Description
Sets the flood query count, which is the number of queries that are sent before forwarding multicast data to only those ports requesting it. The range is 1 to 10. |
|
Command Default
Command Modes
Command History
|
|
|
|---|---|
Examples
The following example shows how to enable TCN query soliciting:
The following example shows how to set the flood query count to 5:
You can verify your settings by entering the show ipv6 MLD snooping [ vlan vlan-id ] user EXEC command.
Related Commands
|
|
|
|---|---|
Displays IP version 6 (IPv6) MLD snooping configuration of the switch or the VLAN. |
ipv6 mld snooping vlan
To configure IP version 6 (IPv6) Multicast Listener Discovery (MLD) snooping parameters on the VLAN interface, use the ipv6 mld snooping vlan command. To reset the parameters to the default settings, use the no form of this command.
ipv6 mld snooping vlan vlan-id [ immediate-leave | mrouter interface interface-id | static ipv6-multicast-address interface interface-id ]
no ipv6 mld snooping vlan vlan-id [ immediate-leave | mrouter interface interface-id | static ip-address interface interface-id ]
Syntax Description
Command Default
MLD snooping Immediate-Leave processing is disabled.
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
You should only configure the Immediate-Leave feature when there is only one receiver on every port in the VLAN. The configuration is saved in NVRAM.
The static keyword is used for configuring the MLD member ports statically.
The configuration and the static ports and groups are saved in NVRAM.
VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in MLD snooping.
Examples
The following example shows how to enable MLD Immediate-Leave processing on VLAN 1:
The following example shows how to disable MLD Immediate-Leave processing on VLAN 1:
The following example shows how to configure a port as a multicast switch port:
The following example shows how to configure a static multicast group:
You can verify your settings by entering the show ipv6 mld snooping vlan vlan-id user EXEC command.
Related Commands
issu abortversion
To cancel the ISSU upgrade or the downgrade process in progress and to restore the Catalyst 4500 series switch to its state before the start of the process, use the issue abortversion command.
issu abortversion active-slot [ active-image-new ]
Syntax Description
Specifies the slot number for the current standby supervisor engine. |
|
(Optional) Name of the new image present in the current standby supervisor engine. |
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
You can use the issu abortversion command at any time to stop the ISSU process. To complete the process enter the issu commitversion command. Before any action is taken, a check ensures that both supervisor engines are either in the run version (RV) or load version (LV) state.
When the issu abortversion command is entered before the issu runversion command, the standby supervisor engine is reset and reloaded with the old image. When the issu abortversion command is entered after the issu runversion command, a change takes place and the new standby supervisor engine is reset and reloaded with the old image.
Examples
The following example shows how you can reset and reload the standby supervisor engine:
Related Commands
issu acceptversion
To halt the rollback timer and to ensure that the new Cisco IOS software image is not automatically stopped during the ISSU process, use the issu acceptversion command.
issu acceptversion active-slot [ active-image-new ]
Syntax Description
Specifies the slot number for the currently active supervisor engine. |
|
(Optional) Name of the new image on the currently active supervisor engine. |
Command Default
Rollback timer resets automatically 45 minutes after you enter the issu runversion command.
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
After you are satisfied with the new image and have confirmed the new supervisor engine is reachable by both the console and the network, enter the issu acceptversion command to halt the rollback timer. If the issu acceptversion command is not entered within 45 minutes from the time the issu runversion command is entered, the entire ISSU process is automatically rolled back to the previous version of the software. The rollback timer starts immediately after you enter the issu runversion command.
If the rollback timer expires before the standby supervisor engine goes to a hot standby state, the timer is automatically extended by up to 15 minutes. If the standby state goes to a hot-standby state within this extension time or the 15 minute extension expires, the switch aborts the ISSU process. A warning message that requires your intervention is displayed every 1 minute of the timer extension.
If the rollback timer is set to a long period of time, such as the default of 45 minutes, and the standby supervisor engine goes into the hot standby state in 7 minutes, you have 38 minutes (45 minus 7) to roll back if necessary.
Use the issu set rollback-timer to configure the rollback timer.
Examples
The following example shows how to halt the rollback timer and allow the ISSU process to continue:
Related Commands
issu commitversion
To load the new Cisco IOS software image into the new standby supervisor engine, use the issu commitversion command.
issu commitversion standby-slot [standby-image-new]
Syntax Description
Specifies the slot number for the currently active supervisor engine. |
|
(Optional) Name of the new image on the currently active supervisor engine. |
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
The issu commitversion command verifies that the standby supervisor engine has the new Cisco IOS software image in its file system and that both supervisor engines are in the run version (RV) state. If these conditions are met, the following actions take place:
- The standby supervisor engine is reset and booted with the new version of Cisco IOS software.
- The standby supervisor engine moves into the Stateful Switchover (SSO) mode and is fully stateful for all clients and applications with which the standby supervisor engine is compatible.
- The supervisor engines are moved into final state, which is the same as initial state.
Entering the issu commitversion command completes the In Service Software Upgrade (ISSU) process. This process cannot be stopped or reverted to its original state without starting a new ISSU process.
Entering the issu commitversion command without entering the issu acceptversion command is equivalent to entering both the issu acceptversion and the issu commitversion commands. Use the
issu commitversion command if you do not intend to run in the current state for an extended period of time and are satisfied with the new software version.
Examples
The following example shows how you can configure the standby supervisor engine to be reset and reloaded with the new Cisco IOS software version:
Related Commands
issu loadversion
To start the ISSU process, use the issu loadversion command.
issu loadversion active-slot active-image-new standby-slot standby-image-new [ force ]
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
The issu loadversion command causes the standby supervisor engine to be reset and booted with the new Cisco IOS software image specified by the command. If both the old image and the new image are ISSU capable, ISSU compatible, and have no configuration mismatches, the standby supervisor engine moves into Stateful Switchover (SSO) mode, and both supervisor engines move into the load version (LV) state.
It will take several seconds after the issu loadversion command is entered for Cisco IOS software to load onto the standby supervisor engine and the standby supervisor engine to transition to SSO mode.
Examples
The following example shows how to initiate the ISSU process:
Related Commands
issu runversion
To force a change from the active supervisor engine to the standby supervisor engine and to cause the newly active supervisor engine to run the new image specified in the issu loadversion command, use the issu runversion command.
issu runversion standby-slot [ standby-image-new ]
Syntax Description
(Optional) Specifies the name of the new image on the standby supervisor engine. |
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
The issu runversion command changes the currently active supervisor engine to standby supervisor engine and the real standby-supervisor engine is booted with the old image version following and resets the switch. As soon as the standby-supervisor engine moves into the standby state, the rollback timer is started.
Examples
The following example shows how to force a change of the active-supervisor engine to standby-supervisor engine:
Related Commands
issu set rollback-timer
To configure the In Service Software Upgrade (ISSU) rollback timer value, use the
issu set rollback-timer command.
issu set rollback-timer seconds
Syntax Description
Specfies the rollback timer value, in seconds. The valid timer value range is from 0 to 7200 seconds (2 hours). A value of 0 seconds disables the rollback timer. |
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
Use the issue set rollback-timer command to configure the rollback timer value. You can only enable this command when the supervisor engines are in the init state.
Examples
The following example shows how you can set the rollback timer value to 3600 seconds, or 1 hour:
Related Commands
itr
To configure a device as an Ingress Tunnel Router (ITR) use the itr command in the service mode or instance-service submode.
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Use this command to enable a device to perform the ITR functionality.
Use the no form of the command to remove the ITR functionality.
Examples
The following example shows how to enable the ITR functionality:
itr map-resolver
To configure a device as a map resolver to be used by an Ingress Tunnel Router (ITR) when sending map-requests, use the itr map-resolver command in the service mode or instance-service submode.
[no] itr map-resolver map-address
Syntax Description
Configures map-resolver address for sending map requests, on |
Command Default
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Use this command to configure map-resolver ITRs.
Use the no form of the command to remove the map-resolver functionality.
A device configured as a Map Resolver accepts encapsulated Map-Request messages from ITRs,decapsulate those messages, and then forwards the messages to the Map Server responsible for the egress tunnel routers (ETRs) that are authoritative for the requested EIDs.
Examples
The following example shows how to configure an ITR to use the map-resolver located at 2.1.1.6 when sending map request messages.
key chain macsec
To create or modify a macsec keychain, and enter keychain-macsec configuration mode, use the key chain key-chain-name macsec command
To disable this feature, use the no form of this command.
key chain key-chain-name macsec
Syntax Description
Specifies the name of the keychain. The maximum length is 32. |
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Cisco Catalyst 4500-E and 4500-X series switches. |
Examples
The following example shows how to enable protocol tunneling for the CDP packets:
Switch(config terminal)# key chain mac_chain macsec
Switch(config-keychain-macsec)#
Related Commands
|
|
|
|---|---|
l2protocol-tunnel
To enable protocol tunneling on an interface, use the l2protocol-tunnel command. You can enable tunneling for the Cisco Discovery Protocol (CDP), Spanning Tree Protocol (STP), or VLAN Trunking Protocol (VTP) packets. To disable tunneling on the interface, use the no form of this command.
l2protocol-tunnel [ cdp | stp | vtp ]
no l2protocol-tunnel [ cdp | stp | vtp ]
Syntax Description
Command Default
The default is that no Layer 2 protocol packets are tunneled.
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
You must enter this command, with or without protocol types, to tunnel Layer 2 packets.
Layer 2 protocol tunneling across a service-provider network ensures that Layer 2 information is propagated across the network to all customer locations. When protocol tunneling is enabled, protocol packets are encapsulated with a well-known Cisco multicast address for transmission across the network. When the packets reach their destination, the well-known MAC address is replaced by the Layer 2 protocol MAC address.
You can enable Layer 2 protocol tunneling for CDP, STP, and VTP individually or for all three protocols.
Examples
The following example shows how to enable protocol tunneling for the CDP packets:
Switch(config-if)# l2protocol-tunnel cdp
Switch(config-if)#
Related Commands
l2protocol-tunnel cos
To configure the class of service (CoS) value for all tunneled Layer 2 protocol packets, use the l2protocol-tunnel cos command. To return to the default value of zero, use the no form of this command.
Syntax Description
Specifies the CoS priority value for tunneled Layer 2 protocol packets. The range is 0 to 7, with 7 being the highest priority. |
Command Default
The default is to use the CoS value that is configured for data on the interface. If no CoS value is configured, the default is 5 for all tunneled Layer 2 protocol packets.
Command Modes
Command History
|
|
|
|---|---|
This command was first introduced on the Catalyst 4500 series switch. |
Usage Guidelines
When enabled, the tunneled Layer 2 protocol packets use this CoS value.
Examples
The following example shows how to configure a Layer 2 protocol tunnel CoS value of 7:
Switch(config)# l2protocol-tunnel cos 7
Switch(config)#
Related Commands
|
|
|
|---|---|
Sets a drop threshold for the maximum rate of Layer 2 protocol packets per second to be received before an interface drops packets. |
|
l2protocol-tunnel drop-threshold
To set a drop threshold for the maximum rate of Layer 2 protocol packets per second to be received before an interface drops packets, use the I2protocol-tunnel drop-threshold command. You can set the drop threshold for the Cisco Discovery Protocol (CDP), Spanning Tree Protocol (STP), or VLAN Trunking Protocol (VTP) packets. To disable the drop threshold on the interface, use the no form of this command.
l2protocol-tunnel drop -threshold [ cdp | stp | vtp ] value
no l2protocol-tunnel drop -threshold [ cdp | stp | vtp ] value
Syntax Description
Command Default
The default is no drop threshold for the number of the Layer 2 protocol packets.
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
The l2protocol-tunnel drop-threshold command controls the number of protocol packets per second that are received on an interface before it drops packets. When no protocol option is specified with a keyword, the threshold is applied to each of the tunneled Layer 2 protocol types. If you also set a shutdown threshold on the interface, the drop-threshold value must be less than or equal to the shutdown-threshold value.
When the drop threshold is reached, the interface drops the Layer 2 protocol packets until the rate at which they are received is below the drop threshold.
Examples
The following example shows how to configure the drop threshold rate:
Switch(config-if)# l2protocol-tunnel drop-threshold cdp 50
Switch(config-if)#
Related Commands
|
|
|
|---|---|
Configures the class of service (CoS) value for all tunneled Layer 2 protocol packets. |
|
l2protocol-tunnel shutdown-threshold
To configure the protocol tunneling encapsulation rate, use the I2protocol-tunnel shutdown-threshold command. You can set the encapsulation rate for the Cisco Discovery Protocol (CDP), Spanning Tree Protocol (STP), or VLAN Trunking Protocol (VTP) packets. To disable the encapsulation rate on the interface, use the no form of this command.
l2protocol-tunnel shutdown-threshold [ cdp | stp | vtp ] value
no l2protocol-tunnel shutdown-threshold [ cdp | stp | vtp ] value
Syntax Description
Specifies a threshold in packets per second to be received for encapsulation before the interface shuts down. The range is 1 to 4096. The default is no threshold. |
Command Default
The default is no shutdown threshold for the number of Layer 2 protocol packets.
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
The l2-protocol-tunnel shutdown-threshold command controls the number of protocol packets per second that are received on an interface before it shuts down. When no protocol option is specified with the keyword, the threshold is applied to each of the tunneled Layer 2 protocol types. If you also set a drop threshold on the interface, the shutdown-threshold value must be greater than or equal to the drop-threshold value.
When the shutdown threshold is reached, the interface is error disabled. If you enable error recovery by entering the errdisable recovery cause l2ptguard command, the interface is brought out of the error-disabled state and allowed to retry the operation again when all the causes have timed out. If the error recovery feature generation is not enabled for l2ptguard, the interface stays in the error-disabled state until you enter the shutdown and no shutdown commands.
Examples
The following example shows how to configure the maximum rate:
Switch(config-if)# l2protocol-tunnel shutdown-threshold cdp 50
Switch(config-if)#
Related Commands
lacp port-channel min-links
To define the minimum number of LACP ports that must be bundled in the link-up state and bundled in the EtherChannel in order that a port channel becomes active, use the port-channel min-links command in interface configuration mode. To return to the default setting, use the no form of this command.
Syntax Description
The minimum number of active LACP ports in the port channel. The range is 2 to 8. The default is 1. |
Command Default
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
For switches in VSS mode, when configuring min-links, ensure that the port-channel has the same number of links on the active switch and the standby switch.
Examples
The following example shows how to specify a minimum of three active LACP ports before port channel 2 becomes active:
Related Commands
|
|
|
|---|---|
lacp port-priority
To set the LACP priority for the physical interfaces, use the lacp port-priority command.
Syntax Description
Priority for the physical interfaces; valid va lues are from 1 to 65535. |
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
You must assign each port in the switch a port priority that can be specified automatically or by entering the lacp port-priority command. The port priority is used with the port number to form the port identifier. The port priority is used to decide which ports should be put in standby mode when there is a hardware limitation that prevents all compatible ports from aggregating.
Although this command is a global configuration command, the priority value is supported only on port channels with LACP-enabled physical interfaces.This command is supported on LACP-enabled interfaces.
When setting the priority, the higher numbers indicate lower priorities.
Examples
The following example shows how to set the priority for the interface:
Related Commands
|
|
|
|---|---|
Assigns and configure an EtherChannel interface to an EtherChannel group. |
|
lacp rate
To set the rate at which Link Aggregation Control Protocol (LACP) control packets are received by an LACP-supported interface, use the lacp rate command in interface configuration mode. To return to the default settings, use the no form of this command.
Syntax Description
Specifies that LACP control packets are received at the normal rate (every 30 seconds). |
|
Specifies that LACP control packets are received at the fast rate (once every 1 second). |
Command Default
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
Using the lacp rate command, you can set the LACP rate to a default of 30 seconds or to the fast rate of 1 second. This command is supported only on LACP-enabled interfaces.
Examples
The following example shows how to set the lacp rate for an interface:
Related Commands
|
|
|
|---|---|
lacp system-priority
To set the priority of the system for LACP, use the lacp system-priority command.
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
You must assign each switch that is running LACP a system priority that can be specified automatically or by entering the lacp system-priority command. The system priority is used with the switch MAC address to form the system ID and is also used during negotiation with other systems.
Although this command is a global configuration command, the priority value is supported on port channels with LACP-enabled physical interfaces.
When setting the priority, tthe higher numbers indicate lower priorities.
You can also enter the lacp system-priority command in interface configuration mode. After you enter the command, the system defaults to global configuration mode.
Examples
The following example shows how to set the system priority:
Related Commands
|
|
|
|---|---|
Assigns and configure an EtherChannel interface to an EtherChannel group. |
|
license right-to-use activate
To order and activate a specific license type and level, and then to manage license usage on your switch, use the license right-to-use activate command, in privileged EXEC mode.
license right-to-use activate [ add-on { dna-advantage | dna-essentials }{ evaluation | subscription }| entservices | internal_service | ipbase | lanbase ][ accepteula ]
Syntax Description
Command Default
Command Modes
Command History
Usage Guidelines
This command applies only to Cisco Catalyst 4500E Series Switches with Supervisor Engines 7-E, 7L-E, 8-E, 8L-E, and 9-E and Cisco Catalyst 4500-X Series Switches.
Use this command to activate RTU licenses that are inactive.
Downloading the license file from the cisco portal and installing the license is not required. The RTU licenses are bundled with image. Because the RTU license is of highest precedence, when the RTU license is activated, other licenses of the same feature switch to inactive state.
The types of licenses available to order by duration are:
- Base licenses—include LAN Base, IP Base, and Enterprise Services licenses. They are only of type permanent (without an expiration date).
- Add-on licenses—include DNA Essentials and DNA Advantage licenses. They can only be term licenses(keyword subscription).
You must have an activated a base license before you activate an add-on license. Only certain base and add-on licenses combinations are permitted. See the software configuration guide for this information.
When activating an add-on license level, you do not have to reload the switch.
Evaluation licenses are available with base and add-on liceses, and cannot be ordered. They can be activated temporarily, without purchase. Warning system messages about the evaluation license expiry are generated 10 and 5 days before the 90-day window. Warning system messages are generated every day after the 90-day period. An expired evaluation license cannot be reactivated after reload.
Examples
The following example shows how to activate a base RTU license:
The following example shows how to activate a an add-on RTU license:
Related Commands
|
|
|
|---|---|
license right-to-use deactivate
To deactivate the RTU license use the license right-to-use deactivate command.
license right-to-use deactivate [ add-on { dna-advantage | dna-essentials }| entservices | internal_service | ipbase | lanbase ]
Syntax Description
[ add-on { dna-advantage | dna-essentials }| entservices | internal_service | ipbase | lanbase ] |
Command Default
Command Modes
Command History
Usage Guidelines
Use this command to deactivate RTU licenses that are active.
The RTU licenses can be deactivated provided any other valid license is available for the same feature.
For example, to deactivate a entservices RTU license, the switch should contain a valid evaluation license. Else, the deactivation will fail.
Examples
The following example shows how to deactivate RTU licenses:
Related Commands
|
|
|
|---|---|
link state group
To configure the link state group, use the link state group command in interface configuration mode.
link state group [ number ] { upstream | downstream }
Syntax Description
Command Default
Command Modes
Command History
|
|
|
The upper limit of the group number values was increased from 10 to 20. |
Usage Guidelines
You can configure a maximum of 20 link state groups per switch.
To disable a link-state group, use the no link state track number global configuration command.
Examples
The following example shows how to configure the link state groups.
Related Commands
|
|
|
|---|---|
Configures the link state group and enables link state tracking. |
|
link state track
To configure the link state group and enable link state tracking, use the link state track command in interface configuration mode.
no link state track [ number ]
Syntax Description
Specifies a link-state group and enables link state tracking. Valid values are from 1 to 20; the default value is 1. |
Command Default
Command Modes
Command History
|
|
|
The upper limit of the group number values was increased from 10 to 20. |
Usage Guidelines
When you configure LST for the first time, add upstream interfaces to the link state group before adding the downstream interface, otherwise the downstream interfaces move into the error-disable mode.
To restore the default link-state track, use the no link state track number global configuration command.
Examples
The following example shows how to configure the link state tracking number.
Related Commands
|
|
|
|---|---|
Configures the link state group and the interface as either an upstream or downstream interface in the group. |
|
lldp tlv-select power-management
To to enable power negotiation through LLDP, use the lldp tlv-select power-management interface command.
lldp tlv-select power-management
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
You need to disable this feature if you do not want to perform power negotiation through LLDP.
This feature is not supported on non-POEP ports; the CLI is suppressed on such ports and TLV is not exchanged.
Examples
The following example shows how to enable LLDP power negotiation on interface Gigabit Ethernet 3/1:
Related Commands
|
|
|
|---|---|
locator default-set
To mark a locator-set as default, use the locator default-set command at the router-lisp level.
locator default-set rloc-set-name
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
The locator-set configured as default with the locator default-set command applies to all services and instances.
locator-set
To specify a locator-set and enter the locator-set configuration mode, use the locator-set command at the
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
You must first define the locator-set before referring to it.
logging event link-status global (global configuration)
To change the default switch-wide global link-status event messaging settings, use the
logging event link-status global command. Use the no form of this command to disable the link-status event messaging.
logging event link-status global
no logging event link-status global
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
If link-status logging event is not configured at the interface level, this global link-status setting takes effect for each interface.
Examples
The following example shows how to globally enable link status message on each interface:
Related Commands
|
|
|
|---|---|
logging event link-status (interface configuration)
To enable the link-status event messaging on an interface, use the logging event link-status command. Use the no form of this command to disable link-status event messaging. Use the
logging event link-status use-global command to apply the global link-status setting.
logging event link-status use-global
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
To enable system logging of interface state-change events on a specific interface, enter the
logging event link-status command in interface configuration mode.
To enable system logging of interface state-change events on all interfaces in the system, enter the logging event link-status global command in global configuration mode. All interfaces without the state change event configuration use the global setting.
Examples
The following example shows how to enable logging event state-change events on interface gi11/1:
The following example shows how to turn off logging event link status regardless of the global setting:
The following example shows how to enable the global event link-status setting on interface gi11/1:
Related Commands
|
|
|
|---|---|
Changes the default switch-wide global link-status event messaging settings. |
logging event trunk-status global (global configuration)
To enable the trunk-status event messaging globally, use the logging event trunk-status global command. Use the no form of this command to disable trunk-status event messaging.
logging event trunk - status global
no logging event trunk - status global
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
If trunk-status logging event is not configured at the interface level, the global trunk-status setting takes effect for each interface.
Examples
The following example shows how to globally enable link status messaging on each interface:
Related Commands
|
|
|
|---|---|
logging event trunk-status (interface configuration)
To enable the trunk-status event messaging on an interface, use the logging event trunk-status command. Use the no form of this command to disable the trunk-status event messaging. Use the
logging event trunk-status use-global command to apply the global trunk-status setting.
logging event trunk-status use-global
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
To enable system logging of interface state-change events on a specific interface, enter the
logging event trunk-status command in interface configuration mode.
To enable system logging of interface state-change events on all interfaces in the system, enter the logging event trunk-status use-global command in global configuration mode. All interfaces without the state change event configuration use the global setting.
Examples
The following example shows how to enable logging event state-change events on interface gi11/1:
The following example shows how to turn off logging event trunk status regardless of the global setting:
The following example shows how to enable the global event trunk-status setting on interface gi11/1:
Related Commands
|
|
|
|---|---|
mab
To enable and configure MAC authorization bypass (MAB) on a port, use the mab command in interface configuration mode. To disable MAB, use the no form of this command.
Note The mab command is totally independent of the effect of the dot1x system-auth control command.
Syntax Description
(Optional) Specifies that a full EAP conversation should be used, as opposed to standard RADIUS Access-Request, Access-Accept conversation. |
Command Default
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
When a port is configured for MAB as a fallback method, it operates in a typical dot1X method until a configurable number of failed attempts to request the identity of the host. The authenticator learns the MAC address of the host and uses that information to query an authentication server to see whether this MAC address will be granted access.
Examples
The following example shows how to enable MAB on a port:
The following example shows how to enable and configure MAB on a port:
The following example shows how to disable MAB on a port:
Related Commands
|
|
|
|---|---|
mab logging verbose
Use the mab logging verbose global configuration command on the switch stack or on a standalone switch to filter detailed information from MAC authentication bypass (MAB) system messages.
Defaults
Syntax Description
Command Modes
Command History
|
|
|
|---|---|
Usage Guidelines
This command filters details, such as anticipated success, from MAC authentication bypass (MAB) system messages.
Examples
To filter verbose MAB system messages:
You can verify your settings by entering the show running-config privileged EXEC command.
Related Commands
|
|
|
|---|---|
mac access-list extended
To define the extended MAC access lists, use the mac access-list extended command. To remove the MAC access lists, use the no form of this command.
no mac access-list extended name
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
When you enter the ACL name, follow these naming conventions:
- Maximum of 31 characters long and can include a-z, A-Z, 0-9, the dash character (-), the underscore character (_), and the period character (.)
- Must start with an alpha character and must be unique across all ACLs of all types
- Case sensitive
- Cannot be a number
- Must not be a keyword; keywords to avoid are all, default-action, map, help, and editbuffer
When you enter the mac access-list extended name command, you use the following subset to create or delete entries in a MAC layer access list:
[ no ] { permit | deny } {{ src-mac mask | any } [ dest-mac mask ]} [ protocol-family { appletalk | arp-non-ipv4 | decnet | ipx | ipv6 | rarp-ipv4 | rarp-non-ipv4 | vines | xns } | <arbitrary ethertype> | name-coded ethertype].
Table 2-10 describes the syntax of the mac access-list extended subcommands.
|
|
|
|---|---|
(Optional) Specifies an arbitrary ethertype in the range 1536 to 65535 (Decimal or Hexadecimal) |
|
(Optional) Specifies a destination MAC address of the form: dest-mac-address dest-mac-address-mask . |
|
(Optional) Denotes a predefined name-coded ethertype for common protocols: dec-spanning—DEC-Spanning-Tree mop-console—DEC-MOP Remote Console |
|
(Optional) Name of the protocol family. Table 2-11 lists which packets are mapped to a particular protocol family. |
|
Source MAC address in the form: source-mac-address source-mac-address-mask . |
Table 2-11 describes mapping an Ethernet packet to a protocol family.
|
|
|
|---|---|
0x0806 and protocol header of Arp is a non-Ip protocol family |
|
0x8035 and protocol header of Rarp is a non-Ipv4 protocol family |
|
When you enter the src-mac mask or dest-mac mask value, follow these guidelines:
- Enter the MAC addresses as three 4-byte values in dotted hexadecimal format such as 0030.9629.9f84.
- Enter the MAC address masks as three 4-byte values in dotted hexadecimal format. Use 1 bit as a wildcard. For example, to match an address exactly, use 0000.0000.0000 (can be entered as 0.0.0).
- For the optional protocol parameter, you can enter either the EtherType or the keyword.
- Entries without a protocol parameter match any protocol.
- The access list entries are scanned in the order that you enter them. The first matching entry is used. To improve performance, place the most commonly used entries near the beginning of the access list.
- An implicit deny any any entry exists at the end of an access list unless you include an explicit permit any any entry at the end of the list.
- All new entries to an existing list are placed at the end of the list. You cannot add entries to the middle of a list.
Examples
The following example shows how to create a MAC layer access list named mac_layer that denies traffic from 0000.4700.0001, which is going to 0000.4700.0009, and permits all other traffic:
Related Commands
|
|
|
|---|---|
mac-address (virtual switch)
To specify a Media Access Control (MAC) address to use as the common router MAC address for interfaces on the active and standby chassis, use the mac-address virtual switch configuration submode command. To return to the default setting, use the no form of this command.
mac-address {mac-address | use-virtual | chassis}
no mac-address {mac-address | use-virtual | chassis}
Syntax Description
Specifies the MAC address range reserved for the virtual switch system (VSS). |
|
Command Default
The router MAC address is derived from the Cisco pool of virtual switch specific MAC addresses intended for the domain 1-255.
Command Modes
Virtual switch configuration submode (config-vs-domain)
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
When a virtual switch boots, the router MAC address is derived from the Cisco pool of virtual switch specific MAC addresses. The router address is used as the common router MAC address for interfaces on both the active and the standby chassis. Between switchovers, this MAC address is maintained on the new active switch. You can enter the mac-address mac-address command to specify a MAC address to use or the mac-address use-virtual command to use the MAC address range reserved for the VSS.
The MAC address range reserved for the VSS is derived from a reserved pool of addresses with the domain ID encoded in the leading 6 bits of the last octet and trailing 2 bits of the previous octet of the mac-address. The last two bits of the first octet is allocated for the protocol mac-address that is derived by adding the protocol ID (0 to 3) to the router MAC address.
Note You must reload the virtual switch for the new router MAC address to take effect. If the MAC address you configured is different from the current MAC address, the following message is displayed:
Console (enable)#
Examples
The following example shows how to specify the MAC address to use in hexadecimal format:
Router(config)# switch virtual domain test-mac-address
Router(config-vs-domain)# mac-address 0000.0000.0000
Router(config-vs-domain)#
The following example shows how to specify the MAC address range reserved for the VSS:
Router(config)# switch virtual domain test-mac-address
Router(config-vs-domain)# mac-address use-virtual
Router(config-vs-domain)#
Related Commands
|
|
|
|---|---|
Assigns a switch number and enters virtual switch domain configuration submode. |
mac-address-table aging-time
To configure the aging time for the entries in the Layer 2 table, use the mac-address-table aging-time command. To reset the seconds value to the default setting, use the no form of this command.
mac-address-table aging-time seconds [ vlan vlan_id ]
no mac-address-table aging-time seconds [ vlan vlan_id ]
Syntax Description
Aging time in seconds; valid values are 0 and from 10 to 1000000 seconds. |
|
(Optional) Single VLAN number or a range of VLANs; valid values are from 1 to 4094. |
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
|
Usage Guidelines
If you do not enter a VLAN, the change is applied to all routed-port VLANs.
Examples
The following example shows how to configure the aging time to 400 seconds:
Switch(config)# mac-address-table aging-time 400
Switch(config)#
The following example shows how to disable aging:
Switch(config)# mac-address-table aging-time 0
Switch(config)
Related Commands
|
|
|
|---|---|
mac-address-table dynamic group protocols
To enable the learning of MAC addresses in both the “ip” and “other” protocol buckets, even though the incoming packet may belong to only one of the protocol buckets, use the
mac - address - table dynamic group protocols command. To disable grouped learning, use the no form of this command.
mac-address-table dynamic group protocols { ip | other } { ip | other }
no mac-address-table dynamic group protocols { ip | other } { ip | other }
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
The entries within the “ip” and “other” protocol buckets are created according to the protocol of the incoming traffic.
When you use the mac-address-table dynamic group protocols command, an incoming MAC address that might belong to either the “ip” or the “other” protocol bucket, is learned on both protocol buckets. Therefore, any traffic destined to this MAC address and belonging to any of the protocol buckets is unicasted to that MAC address, rather than flooded. This reduces the unicast Layer 2 flooding that might be caused if the incoming traffic from a host belongs to a different protocol bucket than the traffic that is destined to the sending host.
Examples
The following example shows that the MAC addresses are initially assigned to either the “ip” or the “other” protocol bucket:
The following example shows how to assign MAC addresses that belong to either the “ip” or the “other” bucket to both buckets:
mac-address-table learning vlan
To enable MAC address learning on a VLAN, use the mac-address-table learning global configuration command. Use the no form of this command to disable MAC address learning on a VLAN to control which VLANs can learn MAC addresses.
mac-address-table learning vlan vlan-id
no mac-address-table learning vlan vlan-id
Syntax Description
Specifies a single VLAN ID or a range of VLAN IDs separated by a hyphen or comma. Valid VLAN IDs are 1 to 4094. |
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was modified to support the disable learning feature on the Catalyst 4500 series switch. |
Usage Guidelines
When you control MAC address learning on a VLAN, you can manage the available table space by controlling which VLANs, and which ports can learn MAC addresses.
You can disable MAC address learning on a single VLAN ID (for example, by entering
no mac-address-table learning vlan 223) or on a range of VLAN IDs (for example, by entering
no mac-address-table learning vlan 1-20, 15.)
Before you disable MAC address learning, familiarize yourself with the network topology and the switch system configuration. If you disable MAC address learning on a VLAN, flooding may occur in the network. For example, if you disable MAC address learning on a VLAN with a configured switch virtual interface (SVI), the switch floods all IP packets in the Layer 2 domain. If you disable MAC address learning on a VLAN that includes more than two ports, every packet entering the switch is flooded in that VLAN domain. Disable MAC address learning only in VLANs that contain two ports. Use caution before disabling MAC address learning on a VLAN with an SVI.
You cannot disable MAC address learning on a VLAN that the switch uses internally. This action causes the switch to generate an error message and rejects the no mac-address-table learning vlan command. To view used internal VLANs, enter the show vlan internal usage privileged EXEC command.
If you disable MAC address learning on a VLAN configured as a PVLAN primary or a secondary VLAN, the MAC addresses are still learned on the VLAN (primary or secondary) associated with the PVLAN.
You cannot disable MAC address learning on an RSPAN VLAN. The configuration is not allowed.
If you disable MAC address learning on a VLAN that includes a secure port, MAC address learning is not disabled on the secure port. If you later disable port security on the interface, the disabled MAC address learning state is enabled.
To display the MAC address learning status of a specific VLAN or for all VLANs, enter the
show mac-address-table learning vlan command.
Examples
The following example shows how to disable MAC address learning on VLAN 2003:
Related Commands
|
|
|
|---|---|
Displays the MAC address learning status on all VLANs or on the specified VLAN. |
mac-address-table notification
To enable MAC address notification on a switch, use the mac-address-table notification command. To return to the default setting, use the no form of this command
mac-address-table notification [[ change [ history-size hs_value | interval intv_value ]] | [ mac-move ] | [ threshold [ limit percentage | interval time]] | [ learn-fail [ interval time | limit num_fail ]]
no mac-address-table notificatio n [[ change [ history-size hs_value | interval intv_value ]] | [ mac-move ] | [ threshold [ limit percentage | interval time]] | [ learn-fail [ interval time | limit num_fail ]]
Syntax Description
Command Default
MAC address notification feature is disabled.
The default MAC change trap interval value is 1 second.
The default number of entries in the history table is 1.
MAC move notification is disabled.
MAC threshold monitoring feature is disabled.
The default limit is 50 percent.
The default time is 120 seconds.
Hardware MAC learning failure syslog notification is disabled.
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
|
Support introduced for the learn-fail keyword on Supervisor Engine 6-E and Catalyst 4900M. |
Usage Guidelines
You can enable the MAC change notification feature using the mac-address-table notification change command. If you do this, you must also enable MAC notification traps on an interface using the
snmp trap mac-notification change interface configuration command and configure the switch to send MAC change traps to the NMS using the snmp-server enable traps mac-notification global configuration command.
When the history-size option is configured, the existing MAC change history table is deleted, and a new table is created.
Examples
The following example shows how to set the MAC address notification history table size to 300 entries:
Switch(config)# mac-address-table notification change history-size 300
Switch(config)#
The following example shows how to set the MAC address notification interval time to 1250 seconds:
Switch(config)# mac-address-table notification change interval 1250
Switch(config)#
The following example shows how to enable hardware MAC address learning failure syslog notification:
The following example shows how to set the interval of hardware MAC address learning failure syslog notification to 30 seconds:
Related Commands
|
|
|
|---|---|
Clears the global counter entries from the Layer 2 MAC address table. |
|
mac-address-table static
To configure the static MAC addresses for a VLAN interface or drop unicast traffic for a MAC address for a VLAN interface, use the mac-address-table static command. To remove the static MAC address configurations, use the no form of this command.
mac-address-table static mac-addr { vlan vlan-id } { interface type | drop }
no mac-address-table static mac-addr { vlan vlan-id } { interface type } { drop }
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
When a static MAC address is installed, it is associated with a port.
The output interface specified must be a Layer 2 interface and not an SVI.
If you do not enter a protocol type, an entry is automatically created for each of the four protocol types.
Entering the no form of this command does not remove the system MAC addresses.
When removing a MAC address, entering interface int is optional. For unicast entries, the entry is removed automatically. For multicast entries, if you do not specify an interface, the entire entry is removed. You can specify the selected ports to be removed by specifying the interface.
Examples
The following example shows how to add the static entries to the MAC address table:
Switch(config)# mac-address-table static 0050.3e8d.6400 vlan 100 interface fastethernet5/7
Switch(config)#
Related Commands
|
|
|
|---|---|
macro apply cisco-desktop
To enable the Cisco-recommended features and settings that are suitable for connecting a switch port to a standard desktop, use the macro apply cisco-desktop c ommand.
macro apply cisco-desktop $AVID access_vlanid
Syntax Description
Command Default
Command Modes
Command History
|
|
|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
This command can only be viewed and applied; it cannot be modified.
Ensure that the existing configuration on the interface does not conflict with the intended macro configuration. Before you apply the macro, clear the configuration on the interface with the default interface command.
Examples
The following example shows how to enable the Cisco-recommended features and settings on port fa2/1:
The contents of this macro are as follows:
Related Commands
macsec network-link
To enable MKA MACsec on switch-to-switch links using EAP-TLS, use the macsec netowrk-link c ommand.
Syntax Description
Enables MKA MACsec on switch-to-switch links using Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) method. |
Command Default
Command Modes
Command History
|
|
|
This command was introduced on Cisco Catalyst 4500-E with Supervisor Engine 8-E, and on Cisco Catalyst 4500-X series switches. |
Usage Guidelines
This command cannot be used to configure multi-point to multi-point links.
Examples
The following example shows how to enable the Cisco-recommended features and settings on port fa2/1:
map-cache
To configure a static endpoint identifier (EID) to routing locator (RLOC) (EID-to-RLOC) mapping relationship, use the map-cache command in the service ipv4 or service ipv6 mode.
[no] map-cache destination-eid-prefix/prefix-len { ipv4-address { priority priority weight weight } | ipv6-address | map-request | native-forward }
Syntax Description
Command Default
Command Modes
Command History
|
|
|
Usage Guidelines
The first use of this command is to configure an Ingress Tunnel Router (ITR) with a static IPv4 or IPv6 EID-to-RLOC mapping relationship and its associated traffic policy. For each entry, a destination EID-prefix
block and its associated locator, priority, and weight are entered. The value in the EID-prefix/prefix-length argument is the LISP EID-prefix block at the destination site. The locator is an IPv4 address of the remote site where the IPv4 or IPv6 EID-prefix can be reached. Associated with the locator address is a priority and weight that are used to define traffic policies when multiple RLOCs are defined for the same EID-prefix block.
Examples
The following example shows how to enable the map-cache:
mka
To apply an MACsec Key Agreement policy on an interface, and to configure MKA MACsec on a interface using a PSK, use the mka c ommand.
mka {default-policy | policy policy name {|pre-shared-key {key-chain key-chain-name }
Syntax Description
Enables MKA MACsec using the default MKA policy on the interface. |
|
Enables MKA MACsec using a configured MKA policy on the interface. |
|
Command Default
Command Modes
Command History
|
|
|
This command was introduced on Cisco Catalyst 4500-E with Supervisor Engine 8-E, and on Cisco Catalyst 4500-X series switches. |
Examples
The following example shows how to enable the Cisco-recommended features and settings on port fa2/1:
mka policy
To configure MACsec Key Agreement policy options, and enter mka-policy configuration mode, use the mka policy c ommand.
mka policy policy name [confidentiality-offset| default | key-server priority priority | macsec-cipher-suite {gcm-aes-128 | gcm-aes-256}]
Syntax Description
Command Default
Command Modes
Command History
|
|
|
This command was introduced on Cisco Catalyst 4500-E with Supervisor Engine 8-E, and on Cisco Catalyst 4500-X series switches. |
Examples
The following example shows how to configure MKA policy options:
macro apply cisco-phone
To enable the Cisco-recommended features and settings that are suitable for connecting a switch port to a standard desktop and a Cisco IP phone, use the macro apply cisco-phone command.
macro apply cisco-phone $AVID access_vlanid $VVID voice_vlanid
Syntax Description
Command Default
Command Modes
Command History
|
|
|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
This command can only be viewed and applied; it cannot be modified.
Ensure that the existing configuration on the interface does not conflict with the intended macro configuration. Before you apply the macro, clear the configuration on the interface with the default interface command.
Examples
The following example shows how to enable the Cisco-recommended features and settings on port fa2/1:
The contents of this macro are as follows:
Related Commands
macro apply cisco-router
To enable the Cisco-recommended features and settings that are suitable for connecting a switch port to a router, use the macro apply cisco-router command.
macro apply cisco-router $NVID native_vlanid
Syntax Description
Command Default
Command Modes
Command History
|
|
|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
This command can only be viewed and applied; it cannot be modified.
Ensure that the existing configuration on the interface does not conflict with the intended macro configuration. Before you apply the macro apply cisco-router command, clear the configuration on the interface with the default interface command.
Examples
The following example shows how to enable the Cisco-recommended features and settings on port fa2/1:
The contents of this macro are as follows:
Related Commands
macro apply cisco-switch
To enable the Cisco-recommended features and settings that are suitable for connecting a switch port to another switch, use the macro apply cisco-switch command.
macro apply cisco-switch $NVID native_vlanid
Syntax Description
Command Default
Command Modes
Command History
|
|
|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
This command can only be viewed and applied; it cannot be modified.
Ensure that the existing configuration on the interface does not conflict with the intended macro configuration. Before you apply this macro, clear the configuration on the interface with the default interface command.
Examples
The following example shows how to enable the Cisco-recommended features and settings on port fa2/1:
The contents of this macro are as follows:
Related Commands
macro auto device
Use the macro auto device command to simplify changing the parameters for a built-in functions for a device type. Use the no form of this command to revert to the intial parameter values.
macro auto device device_type [params values]
no macro auto device device_type [params values]
Syntax Description
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
Although you can use the macro auto execute command to produce the same effect as the macro auto device command, the later is simpler.
Examples
The following example shows how to change the access VLAN and voice VLAN from their default value to user defined values for phone devices.
Related Commands
|
|
|
|---|---|
macro auto execute (built-in function)
Use the macro auto execute configuration command to change built-in function default values or to map user-defined triggers to built-in functions and to pass the parameter values. Use the no form of this command to unmap the trigger.
macro auto execute event_trigger builtin shell_function [param name=values]
no macro auto execute event_trigger builtin shell_function [param name=values]
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
The switch automatically maps from builtin event triggers to builtin functions. The builtin functions are system-defined functions in the software image.
Use the macro auto execute global configuration command to replace the builtin function default values with values specific to your switch.
You can also create user-defined triggers and use this command to map the triggers to builtin functions.
You can create user-defined event triggers by entering the shell trigger global configuration command. Use the show shell privileged EXEC command to display the contents of the builtin and user-defined triggers and functions.
Examples
The following example shows how to use two built-in Auto Smartports macros for connecting Cisco switches and Cisco IP phones to the switch. It modifies the default voice VLAN, access VLAN, and native VLAN for the trunk interface:
Related Commands
|
|
|
|---|---|
macro auto execute (remotely-defined trigger)
Use the macro auto execute configuration command to map a trigger to a remotely defined function. Use the no form of this command to unmap the trigger.
macro auto execute trigger_name remote url
no macro auto execute trigger_name remote url
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
Examples
The following example shows how to map a trigger to the remotely defined function myfunction - the filename that contains the function body:
Related Commands
|
|
|
|---|---|
macro auto execute (user-defined function)
Use the macro auto execute configuration command to map a trigger to a user-defined function. Use the no form of this command to unmap the trigger.
macro auto execute trigger_name [param_name=value] {function body}
no macro auto execute trigger_name [param_name=value]
Syntax Description
(Optional) Specifies values for the parameters that are to be used in the function body. |
|
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
Examples
The following example shows how to map the user-defined event trigger Cisco Digital Media Player (DMP) to a user-defined macro.
a. Connect the DMP to an 802.1x- or MAB-enabled switch port.
b. On the RADIUS server, set the attribute-value pair to auto-smart-port =CISCO_DMP_EVENT.
c. On the switch, create the event trigger CISCO_DMP_EVENT, and enter the user-defined macro commands shown below.
d. The switch recognizes the attribute-value pair=CISCO_DMP_EVENT response from the RADIUS server and applies the macro associated with this event trigger.
Related Commands
|
|
|
|---|---|
macro auto global processing
Use the macro auto global processing global configuration command to enable Auto SmartPorts macros on the switch. Use the no form of this command to disable Auto SmartPorts (ASP) macros globally.
macro auto global processing [cdp | lldp]
no macro auto global processing [ cdp | ldp]
Note Starting with Release 15.0(2)SG, the fallback option has been deprecated.
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
Use the macro auto global processing global configuration command to globally enable Auto Smartports macros on the switch. To disable ASP macros on a specific port, use the no macro auto processing command in the interface mode before ASP is enabled globally.
Auto Smartports macros dynamically configure ports based on the device type detected on the port. When the switch detects a new device on a port it applies the appropriate ASP macro. When a link-down event occurs on a port, the switch removes the macro. For example, when you connect a Cisco IP phone to a port, ASP automatically applies the IP phone macro. The IP phone macro enables quality of service (QoS), security features, and a dedicated voice VLAN to ensure proper treatment of delay-sensitive voice traffic.
ASP uses event triggers to map devices to macros. The most common event triggers are based on Cisco Discovery Protocol (CDP) messages received from connected devices. The detection of a device invokes a CDP event trigger: Cisco IP phone, Cisco wireless access point, Cisco switch, or Cisco router. Other event triggers use MAC authentication bypass (MAB) and 802.1X authentication messages.
Use CDP if port authentication is enabled and the RADIUS server does not send an event trigger.
Select LLDP to apply auto configuration if authentication fails.
If authentication is enabled on a port, a switch ignores CDP and LLDP messages unless the cdp keyword is enabled.
When using 802.1X or MAB authentication, configure the RADIUS server to support the Cisco attribute-value (AV) pair auto-smart-port=event trigger.
When CDP-identified devices advertise multiple capabilities, a switch chooses a capability in this priority order: switch, router, access point, lightweight access point, phone, host.
To verify that an ASP macro is applied to an interface, use the show running config command.
The macro auto global processing cdp and macro auto global processing lldp commands enables ASP globally if it is not already enabled, and set the fallback to CDP or LLDP, respectively. However, the no macro auto global processing [cdp | lldp] command only removes the fallback mechanism. It does not disable ASP globally; only the no macro auto global processing command disables ASP globally.
The keywords cdp and lldp are also controlled at the interface level; by default, CDP is the fallback mechanism on an interface. If you prefer LLDP, first enter the no macro auto processing cdp command, then enter the macro auto processing lldp command.
If you want to activate both CDP and LLDP, you must enable them in sequence. For example, you would first enter the macro auto processing cdp command, then the macro auto processing lldp command.
Examples
The following example shows how enable ASP on a switch and to disable the feature on Gi1/0/1:
Related Commands
|
|
|
|---|---|
macro auto mac-address-group
Use the macro auto mac-address-group command to configure a group of MAC-address or OUIs as a trigger. Use the no form of this command to unconfigure the group.
macro auto mac-address-group grp_name
no macro auto mac-address-group grp_namel
Syntax Description
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
This command changes the mode to config-mac-addr-grp, in which you can add or remove a MAC address or OUI from the group.
You can specify a list of MACs or OUIs, or a range of OUIs (maximum of 5 in the range).
Examples
The following example shows how to configure testGroup as a trigger:
Related Commands
|
|
|
|---|---|
macro auto monitor
To enable the device classifier, use the macro auto monitor global configuration command. Use the no form of this command to disable the device classifier.
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
Use the no macro auto monitor global configuration command to disable the device classifier. You cannot disable the device classifier while it is being used by features such as ASP.
Examples
The following example shows how to enable the ASP device classifier on a switch:
Related Commands
macro auto processing
Note Only use this command when Auto SmartPorts (ASP) is enabled globally; when ASP is disabled globally, interface-level control has no effect.
Use the macro auto processing interface configuration command to enable ASP macros on a specific interface. Use the no form of this command to disable ASP on a specific interface before ASP is enabled globally.
macro auto processing [fallback cdp] [fallback lldp]
no macro auto processing [fallback cdp] [fallback lldp]
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
The no macro auto processing command should be configured on all interfaces where ASP is not desirable (such as Layer 3 and EtherChannel interfaces) before ASP is enabled globally.
At the interface level, the default fallback mechanism is CDP. To change the mechanism to LLDP, enter the no macro auto processing fallback cdp command, followed by the macro auto processing fallback lldp command.
Examples
The following example shows how to enable the feature on an interface:
Related Commands
macro auto sticky
Use the macro auto sticky configuration to specify not to remove configurations applied by ASP across link flaps and device removal.
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
This command enables you to avoid unnecessary removal of ASP configurations when a feature intentionally shuts down a link (like EnergyWise, which shuts down inactive links to save energy). When such a feature is enabled, you don't want ASP macros to be applied and removed unnecessarily. So you configure the sticky feature.
Examples
The following example shows how to specify not to remove configurations:
Related Commands
|
|
|
|---|---|
macro global apply cisco-global
To apply the system-defined default template to the switch, use the macro global apply cisco-global global configuration command on the switch stack or on a standalone switch.
macro global apply cisco-global
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Examples
These examples show how to apply the system-defined default to the switch:
macro global apply system-cpp
To apply the control plane policing default template to the switch, use the macro global apply system-cpp global configuration command on the switch stack or on a standalone switch.
Syntax Description
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |
Examples
The following example shows how to apply the system-defined default to the switch:
Related Commands
|
|
|
|---|---|
Enters a description about the macros that are applied to the switch. |
macro global description
To enter a description about the macros that are applied to the switch, use the macro global description global configuration command on the switch stack or on a standalone switch. Use the no form of this command to remove the description.
no macro global description text
Syntax Description
Enters a description about the macros that are applied to the switch. |
Command Default
Command Modes
Command History
|
|
|
|---|---|
This command was introduced on the Catalyst 4500 series switch. |