To select an interface to configure and to enter interface configuration mode, use the interface command.
Type of interface to be configured; see Valid type Values for valid values.
The fortygigabitethernet option was introduced on Cisco Catalyst 4500E Series Switches configured with Supervisor Engine 9-E.
Table 2-8 lists the valid values for type.
40-Gigabit Ethernet interface; supported on Cisco Catalyst 4500E Series Switches configured with Supervisor Engine 9-E. To use this interface type, first enable the corresponding uplink mode by entering the hw-module uplink mode 80Gig command in global configuration mode. In this mode, the 10-GE uplink ports on the supervisor are not available, but if there are other 10-GE line cards in the chassis, the tengigabitethernet option is available on the CLI.
Gigabit Ethernet WAN IEEE 802.3z interface; supported only on Catalyst 4500 series switches that are configured with a Supervisor Engine 2.
Packet OC-3 interface on the Packet over SONET Interface Processor; supported only on Catalyst 4500 series switches that are configured with a Supervisor Engine 2.
ATM interface; supported only on Catalyst 4500 series switches that are configured with a Supervisor Engine 2.
VLAN interface; see the interface vlan command.
Port channel interface; see the interface port-channel command.
The following example shows how to enter the interface configuration mode on the Fast Ethernet interface 2/4:
To select an interface to configure and enter interface configuration mode, use the interface global configuration mode command.
interface [ interface switch-num/slot/port.subinterface ]
Specifies the interface to be configured; see Valid type Values for valid values.
Table 2-9 lists the valid values for type.
VLAN interface; see the interface vlan command.
Port channel interface; see the interface port-channel command.
The following example shows how to enter the interface configuration mode on the GigabitEthernet interface for switch 1, module 2, port 4:
To access or create a port-channel interface, use the interface port-channel command.
interface port-channel channel-group
This command was introduced on the Catalyst 4500 series switch.
You do not have to create a port-channel interface before assigning a physical interface to a channel group. A port-channel interface is created automatically when the channel group gets its first physical interface, if it is not already created.
You can also create the port channels by entering the interface port-channel command. This will create a Layer 3 port channel. To change the Layer 3 port channel into a Layer 2 port channel, use the switchport command before you assign the physical interfaces to the channel group. A port channel cannot be changed from Layer 3 to Layer 2 or vice versa when it contains member ports.
Only one port channel in a channel group is allowed.
If you want to use CDP, you must configure it only on the physical Fast Ethernet interface and not on the port-channel interface.
This example creates a port-channel interface with a channel-group number of 64:
Assigns and configures an EtherChannel interface to an EtherChannel group.
To run a command on multiple ports at the same time, use the interface range command.
interface range { vlan vlan_id - vlan_id } { port-range | macro name }
Port range; for a list of valid values for port-range, see the “Usage Guidelines” section.
This command was introduced on the Catalyst 4500 series switch.
You can use the interface range command on the existing VLAN SVIs only. To display the VLAN SVIs, enter the show running-config command. The VLANs that are not displayed cannot be used in the interface range command.
The values that are entered with the interface range command are applied to all the existing VLAN SVIs.
Before you can use a macro, you must define a range using the define interface-range command.
All configuration changes that are made to a port range are saved to NVRAM, but the port ranges that are created with the interface range command do not get saved to NVRAM.
You can enter the port range in two ways:
You can either specify the ports or the name of a port-range macro. A port range must consist of the same port type, and the ports within a range cannot span the modules.
You can define up to five port ranges on a single command; separate each range with a comma.
When you define a range, you must enter a space between the first port and the hyphen (-):
Use these formats when entering the port-range :
Valid values for interface-type are as follows:
Although the port-channel interface range is 1 to 256, in a VSS setup, there is a discrepancy in the way the range is displayed on the CLI when you enter the beginning of the interface range before you enter the ? prompt. This discrepancy is not seen on a standalone switch.
When you enter the beginning of the interface range, the CLI output is displayed as follows:
To continue, you have to enter the beginning of the next number range:
If you do not enter the beginning of the interface range, the CLI output is displayed as follows:
You cannot specify both a macro and an interface range in the same command. After creating a macro, you can enter additional ranges. If you have already entered an interface range, the CLI does not allow you to enter a macro.
You can specify a single interface in the port-range value. This makes the command similar to the interface interface-number command.
The following example shows how to use the interface range command to enter interface configuration mode for Fast Ethernet interfaces 5/18 - 20:
This command shows how to run a port-range macro:
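The following configuration is an added example, not from the command reference, that ties the interface port-channel and interface range guidelines above together: the port channel is made Layer 2 before any member is assigned, ranges keep a space on each side of the hyphen, and a macro is defined before it is used. Slot/port numbers, the channel-group number and the macro name are made up.

```cisco
! Create the port channel first and make it Layer 2 with "switchport" BEFORE
! adding members: a port channel cannot switch between Layer 2 and Layer 3
! while it still has member ports.
interface Port-channel 64
 switchport
 switchport mode trunk
!
! A reusable macro; a range must stay within one port type and one module.
! It must be defined before "interface range macro" can reference it.
define interface-range UPLINKS gigabitethernet 1/1 - 2
!
! Explicit ranges: note the space on each side of the hyphen. Up to five
! ranges may be given, separated by commas. A macro and an explicit range
! cannot be mixed in one command.
interface range gigabitethernet 1/1 - 2 , gigabitethernet 1/5 - 6
 switchport mode trunk
 channel-group 64 mode active
!
! The same first pair of ports selected through the macro. CDP is configured
! on the physical members, not on the port-channel interface.
interface range macro UPLINKS
 description member of Po64
 cdp enable
```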
To create or access a Layer 3 switch virtual interface (SVI), use the interface vlan command. To delete an SVI, use the no form of this command.
This command was introduced on the Catalyst 4500 series switch.
The SVIs are created the first time that you enter the interface vlan vlan_id command for a particular VLAN. The vlan_id value corresponds to the VLAN tag that is associated with the data frames on an ISL or 802.1Q-encapsulated trunk or the VLAN ID that is configured for an access port. A message is displayed whenever a VLAN interface is newly created, so you can check that you entered the correct VLAN number.
If you delete an SVI by entering the no interface vlan vlan_id command, the associated interface is forced into an administrative down state and marked as deleted. The deleted interface will no longer be visible in a show interface command.
You can reinstate a deleted SVI by entering the interface vlan vlan_id command for the deleted interface. The interface comes back up, but much of the previous configuration will be gone.
The following example shows the output when you enter the interface vlan vlan_id command for a new VLAN number:
To ensure that you see a customized WebAuth login page with the same name in the switch system directory as a same-named prior login page, use the ip admission proxy http refresh-all command.
ip admission proxy http [success | failure | refresh-all | login [expired | page]]
If you do not enter this command and any customized web-based authentication page file has been replaced by a file of the same name, the switch continues to serve the old login page rather than the new file.
This command was introduced on the Catalyst 4500 series switch.
You should enter this command whenever the customized web-based authentication page has been changed in the system directory.
The following example shows how to enter this command:
To permit ARPs from hosts that are configured for static IP when DAI is enabled and to define an ARP access list and apply it to a VLAN, use the ip arp inspection filter vlan command. To disable this application, use the no form of this command.
ip arp inspection filter arp-acl-name vlan vlan-range [ static ]
no ip arp inspection filter arp-acl-name vlan vlan-range [ static ]
(Optional) Specifies that the access control list should be applied statically.
This command was introduced on the Catalyst 4500 series switch.
When an ARP access control list is applied to a VLAN for dynamic ARP inspection, the ARP packets containing only the IP-to-Ethernet MAC bindings are compared against the ACLs. All other packet types are bridged in the incoming VLAN without validation.
This command specifies that the incoming ARP packets are compared against the ARP access control list, and the packets are permitted only if the access control list permits them.
If the access control lists deny the packets because of explicit denies, the packets are dropped. If the packets are denied because of an implicit deny, they are then matched against the list of DHCP bindings if the ACL is not applied statically.
The following example shows how to apply the ARP ACL static hosts to VLAN 1 for DAI:
Defines an ARP access list or adds clauses at the end of a predefined list.
Displays the status of dynamic ARP inspection for a specific range of VLANs.
To limit the rate of incoming ARP requests and responses on an interface and prevent DAI from consuming all of the system’s resources in the event of a DoS attack, use the ip arp inspection limit command. To release the limit, use the no form of this command.
ip arp inspection limit { rate pps | none } [ burst interval seconds ]
The rate is set to 15 packets per second on the untrusted interfaces, assuming that the network is a switched network with a host connecting to as many as 15 new hosts per second.
This command was introduced on the Catalyst 4500 series switch.
The trunk ports should be configured with higher rates to reflect their aggregation. When the rate of the incoming packets exceeds the user-configured rate, the interface is placed into an error-disabled state. The error-disable timeout feature can be used to remove the port from the error-disabled state. The rate applies to both the trusted and nontrusted interfaces. Configure appropriate rates on trunks to handle the packets across multiple DAI-enabled VLANs or use the none keyword to make the rate unlimited.
The rate of the incoming ARP packets on the channel ports is equal to the sum of the incoming rate of packets from all the channel members. Configure the rate limit for the channel ports only after examining the rate of the incoming ARP packets on the channel members.
After a switch receives more than the configured rate of packets every second consecutively over a period of burst seconds, the interface is placed into an error-disabled state.
The following example shows how to limit the rate of the incoming ARP requests to 25 packets per second:
The following example shows how to limit the rate of the incoming ARP requests to 20 packets per second and to set the interface monitoring interval to 5 consecutive seconds:
Displays the status of dynamic ARP inspection for a specific range of VLANs.
To configure the parameters that are associated with the logging buffer, use the ip arp inspection log-buffer command. To disable the parameters, use the no form of this command.
ip arp inspection log-buffer { entries number | logs number interval seconds }
no ip arp inspection log-buffer { entries | logs }
When dynamic ARP inspection is enabled, denied or dropped ARP packets are logged.
The number of entries is set to 32.
This command was introduced on the Catalyst 4500 series switch.
The first dropped packet of a given flow is logged immediately. The subsequent packets for the same flow are registered but are not logged immediately. Registering these packets is done in a log buffer that is shared by all the VLANs. Entries from this buffer are logged on a rate-controlled basis.
The following example shows how to configure the logging buffer to hold up to 45 entries:
The following example shows how to configure the logging rate to 10 logs per 3 seconds:
Defines an ARP access list or adds clauses at the end of a predefined list.
Displays the status of dynamic ARP inspection for a specific range of VLANs.
To set a per-port configurable trust state that determines the set of interfaces where incoming ARP packets are inspected, use the ip arp inspection trust command. To make the interfaces untrusted, use the no form of this command.
This command was introduced on the Catalyst 4500 series switch.
The following example shows how to configure an interface to be trusted:
To verify the configuration, use the show form of this command:
Displays the status of dynamic ARP inspection for a specific range of VLANs.
To perform specific checks for ARP inspection, use the ip arp inspection validate command. To disable checks, use the no form of this command.
ip arp inspection validate [ src-mac ] [ dst-mac ] [ ip ]
no ip arp inspection validate [ src-mac ] [ dst-mac ] [ ip ]
This command was introduced on the Catalyst 4500 series switch.
When enabling the checks, specify at least one of the keywords (src-mac, dst-mac, and ip) on the command line. Each command overrides the configuration of the previous command. If a command enables src and dst mac validations, and a second command enables IP validation only, the src and dst mac validations are disabled as a result of the second command.
The no form of this command disables only the specified checks. If none of the check options are enabled, all the checks are disabled.
This example shows how to enable the source MAC validation:
Defines an ARP access list or adds clauses at the end of a predefined list.
Displays the status of dynamic ARP inspection for a specific range of VLANs.
To enable dynamic ARP inspection (DAI) on a per-VLAN basis, use the ip arp inspection vlan command. To disable DAI, use the no form of this command.
ip arp inspection vlan vlan-range
no ip arp inspection vlan vlan-range
This command was introduced on the Catalyst 4500 series switch.
You must specify on which VLANs to enable DAI. DAI may not function on the configured VLANs if they have not been created or if they are private.
The following example shows how to enable DAI on VLAN 1:
The following example shows how to disable DAI on VLAN 1:
Defines an ARP access list or adds clauses at the end of a predefined list.
Displays the status of dynamic ARP inspection for a specific range of VLANs.
To control the type of packets that are logged, use the ip arp inspection vlan logging command. To disable this logging control, use the no form of this command.
ip arp inspection vlan vlan-range logging { acl-match { matchlog | none } | dhcp-bindings { permit | all | none }}
no ip arp inspection vlan vlan-range logging { acl-match | dhcp-bindings }
This command was introduced on the Catalyst 4500 series switch.
The acl-match and dhcp-bindings keywords merge with each other. When you set an ACL match configuration, the DHCP bindings configuration is not disabled. You can use the no form of this command to reset some of the logging criteria to their defaults. If you do not specify either option, all the logging types are reset to log on when the ARP packets are denied. The two options that are available to you are as follows:
The following example shows how to configure an ARP inspection on VLAN 1 to add packets to a log on matching against the ACLs with the logging keyword:
Defines an ARP access list or adds clauses at the end of a predefined list.
Displays the status of dynamic ARP inspection for a specific range of VLANs.
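The following configuration is an added example, not from the command reference, showing the ip arp inspection commands above working together on one VLAN: an ARP ACL for a statically addressed host, all three validate checks in a single command (each validate command overrides the previous one), rate limits that reflect trusted versus untrusted ports, and the log-buffer and logging settings. It assumes DHCP snooping is already enabled globally and on the VLAN so that DAI has a binding table; the VLAN, interfaces, addresses and ACL name are made up.

```cisco
! ARP ACL for a host with a static IP (it has no DHCP binding). The "log"
! keyword pairs with "logging acl-match matchlog" below.
arp access-list STATIC-HOSTS
 permit ip host 10.10.10.50 mac host 0011.2233.4455 log
!
ip arp inspection vlan 10
! Without the "static" keyword, packets the ACL denies only implicitly are
! still checked against the DHCP snooping bindings, so DHCP clients keep
! working. Adding "static" would make the ACL authoritative and drop them.
ip arp inspection filter STATIC-HOSTS vlan 10
! Request all checks at once; a later "validate ip" alone would disable the
! MAC checks again.
ip arp inspection validate src-mac dst-mac ip
! 64 buffered entries; at most 10 log messages every 3 seconds.
ip arp inspection log-buffer entries 64
ip arp inspection log-buffer logs 10 interval 3
! Log ACL clauses that carry "log", and log every DHCP-binding decision.
ip arp inspection vlan 10 logging acl-match matchlog
ip arp inspection vlan 10 logging dhcp-bindings all
!
! Trunk toward the distribution layer: trusted, so its ARP traffic is not
! inspected; the limit is raised because the trunk aggregates many hosts.
interface gigabitethernet 1/1
 switchport mode trunk
 ip arp inspection trust
 ip arp inspection limit rate 100 burst interval 1
!
! Access ports stay untrusted (the default). 15 pps is the documented default;
! a 3-second burst window means the port is err-disabled only after the rate
! is exceeded for 3 consecutive seconds.
interface range gigabitethernet 2/1 - 24
 switchport mode access
 switchport access vlan 10
 ip arp inspection limit rate 15 burst interval 3
!
! Let a port that tripped the limit recover after 5 minutes instead of
! staying error-disabled until an operator intervenes.
errdisable recovery cause arp-inspection
errdisable recovery interval 300
```

Verify with show ip arp inspection vlan 10 and show ip arp inspection interfaces, which are the show commands the related-command entries above refer to.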
To configure the load-sharing hash function so that the source TCP/UDP port, the destination TCP/UDP port, or both ports can be included in the hash in addition to the source and destination IP addresses, use the ip cef load-sharing algorithm command. To revert back to the default, which does not include the ports, use the no form of this command.
ip cef load-sharing algorithm { include-ports { source source | destination dest } | original | tunnel | universal }
no ip cef load-sharing algorithm { include-ports { source source | destination dest } | original | tunnel | universal }
Default load-sharing algorithm is disabled.
Note This option does not include the source or destination port in the load-balancing hash.
This command was introduced on the Catalyst 4500 series switch.
The original algorithm, tunnel algorithm, and universal algorithm are routed through the hardware. For software-routed packets, the algorithms are handled by the software. The include-ports option does not apply to the software-switched traffic.
The following example shows how to configure the IP CEF load-sharing algorithm that includes Layer 4 ports:
The following example shows how to configure the IP CEF load-sharing algorithm that includes Layer 4 tunneling ports:
Displays the IP CEF VLAN interface status and configuration information.
To enable IP port security binding tracking on a Layer 2 port, use the ip device tracking maximum command. To disable IP port security on untrusted Layer 2 interfaces, use the no form of this command.
ip device tracking maximum { number }
no ip device tracking maximum { number }
Specifies the number of bindings created in the IP device tracking table for a port; valid values are from 0 to 65535.
This command was introduced on the Catalyst 4500 series switch.
The upper limit for the number of bindings you can specify was increased from 2048 to 65535.
The following example shows how to enable IP port security with IP-MAC filters on a Layer 2 access port:
You can verify your settings by entering the show ip verify source privileged EXEC command.
Displays the IP source guard configuration and filters on a particular interface.
To enable the tracking of device probes, use the ip device tracking probe command in configuration mode. To disable device probes, use the no form of this command.
ip device tracking probe { count count | delay interval | interval interval }
no ip device tracking probe { count count | delay interval | interval interval }
Note Starting with Cisco IOS XE Release 3.10.1E, the [no] ip device tracking probe count and [no] ip device tracking probe delay commands are deprecated; there are no replacement commands.
This command was introduced on the Catalyst 4500 series switch.
The following example shows how to set the interval time to 35:
To enable DHCP snooping globally, use the ip dhcp snooping command. To disable DHCP snooping, use the no form of this command.
This command was introduced on the Catalyst 4500 series switch.
You must enable DHCP snooping globally before you can use DHCP snooping on a VLAN.
The following example shows how to enable DHCP snooping:
The following example shows how to disable DHCP snooping:
Configures the number of the DHCP messages that an interface can receive per second.
To set up and generate a DHCP binding configuration to restore bindings across reboots, use the ip dhcp snooping binding command. To disable the binding configuration, use the no form of this command.
ip dhcp snooping binding mac-address vlan vlan-# ip-address interface interface expiry seconds
no ip dhcp snooping binding mac-address vlan vlan-# ip-address interface interface
Specifies the interval (in seconds) after which the binding is no longer valid.
This command was introduced on the Catalyst 4500 series switch.
Support for the 10-Gigabit Ethernet interface was introduced on the Catalyst 4500 series switch.
Whenever a binding is added or removed using this command, the binding database is marked as changed and a write is initiated.
The following example shows how to generate a DHCP binding configuration on interface gigabitethernet1/1 in VLAN 1 with an expiration time of 1000 seconds:
To store the bindings that are generated by DHCP snooping, use the ip dhcp snooping database command. To either reset the timeout, reset the write-delay, or delete the agent specified by the URL, use the no form of this command.
ip dhcp snooping database { url | timeout seconds | write-delay seconds }
no ip dhcp snooping database {timeout | write-delay}
This command was introduced on the Catalyst 4500 series switch.
You need to create an empty file at the configured URL on network-based URLs (such as TFTP and FTP) before the switch can write the set of bindings for the first time at the URL.
Note Because both NVRAM and bootflash have limited storage capacity, using TFTP or network-based files is recommended. If you use flash to store the database file, new updates (by the agent) result in the creation of new files (flash fills quickly). In addition, due to the nature of the file system used on the flash, a large number of files causes access to be considerably slowed. When a file is stored in a remote location accessible through TFTP, an RPR/SSO standby supervisor engine can take over the binding list when a switchover occurs.
The following example shows how to store a database file with the IP address 10.1.1.1 within a directory called directory. A file named file must be present on the TFTP server.
Sets up and generates a DHCP binding configuration to restore bindings across reboots.
To enable DHCP option 82 data insertion, use the ip dhcp snooping information option command. To disable DHCP option 82 data insertion, use the no form of this command.
ip dhcp snooping information option format remote-id { hostname | string { word }}
no ip dhcp snooping information option format remote-id { hostname | string { word }}
Specifies the user-defined string for the remote ID. The word string can be from 1 to 63 characters long with no spaces.
This command was introduced on the Catalyst 4500 series switch.
If the hostname is longer than 63 characters it is truncated to 63 characters in the remote ID.
The following example shows how to enable DHCP option 82 data insertion:
The following example shows how to disable DHCP option 82 data insertion:
The following example shows how to configure the hostname as the remote ID:
The following example shows how to enable DHCP Snooping on VLAN 500 through 555 and option 82 remote ID:
Sets up and generates a DHCP binding configuration to restore bindings across reboots.
Configures the number of the DHCP messages that an interface can receive per second.
ip dhcp snooping vlan information option format-type circuit-id string
Enables circuit-id (a sub-option of DHCP snooping option-82) on a VLAN.
To allow DHCP packets with option 82 data inserted to be received from a snooping untrusted port, use the ip dhcp snooping information option allow-untrusted command. To disallow receipt of these DHCP packets, use the no form of this command.
ip dhcp snooping information option allow-untrusted
no ip dhcp snooping information option allow-untrusted
DHCP packets with option 82 are not allowed on snooping untrusted ports.
This command was introduced on the Catalyst 4500 series switch.
The following example shows how to allow DHCP packets with option 82 data inserted to be received from a snooping untrusted port:
Switch(config)# end
Configures the number of the DHCP messages that an interface can receive per second.
To configure the number of the DHCP messages that an interface can receive per second, use the ip dhcp snooping limit rate command. To disable the DHCP snooping rate limiting, use the no form of this command.
ip dhcp snooping limit rate rate
no ip dhcp snooping limit rate
This command was introduced on the Catalyst 4500 series switch.
Typically, the rate limit applies to the untrusted interfaces. If you want to set up rate limiting for the trusted interfaces, note that the trusted interfaces aggregate all DHCP traffic in the switch, and you will need to adjust the rate limit of the interfaces to a higher value.
The following example shows how to enable the DHCP message rate limiting:
The following example shows how to disable the DHCP message rate limiting:
To configure an interface as trusted for DHCP snooping purposes, use the ip dhcp snooping trust command. To configure an interface as untrusted, use the no form of this command.
This command was introduced on the Catalyst 4500 series switch.
The following example shows how to enable DHCP snooping trust on an interface:
The following example shows how to disable DHCP snooping trust on an interface:
Configures the number of the DHCP messages that an interface can receive per second.
Use the ip dhcp snooping vlan command to enable DHCP snooping on a VLAN. To disable DHCP snooping on a VLAN, use the no form of this command.
ip dhcp snooping [ vlan number ]
no ip dhcp snooping [ vlan number ]
(Optional) Single VLAN number or a range of VLANs; valid values are from 1 to 4094.
This command was introduced on the Catalyst 4500 series switch.
DHCP snooping is enabled on a VLAN only if both global snooping and the VLAN snooping are enabled.
The following example shows how to enable DHCP snooping on a VLAN:
The following example shows how to disable DHCP snooping on a VLAN:
The following example shows how to enable DHCP snooping on a group of VLANs:
The following example shows how to disable DHCP snooping on a group of VLANs:
Configures the number of the DHCP messages that an interface can receive per second.
ip dhcp snooping vlan information option format-type circuit-id string
Enables circuit-id (a suboption of DHCP snooping option-82) on a VLAN.
To enable circuit-id (a suboption of DHCP snooping option 82) on a VLAN, use the ip dhcp snooping vlan information option format-type circuit-id string command. To disable circuit-id on a VLAN, use the no form of this command.
ip dhcp snooping vlan number information option format-type circuit-id [override] string string
no ip dhcp snooping vlan number information option format-type circuit-id [override] string
Specifies a single VLAN or a range of VLANs; valid values are from 1 to 4094.
Specifies a user-defined string for the circuit ID; range of 3 to 63 ASCII characters with no spaces.
This command was introduced on the Catalyst 4500 series switch.
|
The circuit-id suboption of DHCP option 82 is supported only when DHCP snooping is globally enabled and on VLANs using DHCP option 82.
This command allows you to configure a string of ASCII characters to be the circuit ID. When you want to override the vlan-mod-port format type and instead use the circuit-ID to define subscriber information, use the override keyword.
The following example shows how to enable DHCP snooping on VLAN 500 through 555 and option 82 circuit-id:
The following example shows how to configure the option-82 circuit-ID override suboption:
You can verify your settings by entering the show ip dhcp snooping user EXEC command.
Note The show ip dhcp snooping user EXEC command only displays the global command output, including a remote-ID configuration. It does not display any per-interface, per-VLAN string that you have configured for the circuit ID.
Configures the number of the DHCP messages that an interface can receive per second.
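The following configuration is an added example, not from the command reference, that combines the ip dhcp snooping commands above into one working setup: global plus per-VLAN enablement (snooping is active only when both are present), a trusted uplink with a higher rate limit, rate-limited untrusted access ports, a TFTP-hosted binding database, option 82 remote-ID and circuit-ID settings, and a manually restored binding. The VLANs, interfaces, TFTP server address (from the 192.0.2.0/24 documentation range), file path and circuit-ID string are made up.

```cisco
! Snooping is active on a VLAN only when both the global and the VLAN
! command are configured.
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
! Option 82: use the switch hostname as remote-ID (truncated at 63 characters)
! and a per-VLAN circuit-ID string (3 to 63 characters, no spaces).
ip dhcp snooping information option
ip dhcp snooping information option format remote-id hostname
ip dhcp snooping vlan 10 information option format-type circuit-id string BLDG1-FLOOR2
!
! Keep the binding database off the limited flash/NVRAM. The file must already
! exist (empty) on the TFTP server before the first write; 60 s batches
! writes and the agent gives up on a transfer after 120 s.
ip dhcp snooping database tftp://192.0.2.10/dhcp-snooping/bindings.db
ip dhcp snooping database write-delay 60
ip dhcp snooping database timeout 120
!
! Uplink toward the DHCP server or relay: trusted, so server replies are
! accepted and option-82 packets may arrive here. The trusted port aggregates
! all client traffic in the switch, so its rate limit is set much higher.
interface gigabitethernet 1/1
 switchport mode trunk
 ip dhcp snooping trust
 ip dhcp snooping limit rate 100
!
! Access ports stay untrusted (the default): server messages and packets that
! already carry option 82 are dropped there, and client traffic is limited.
! "ip dhcp snooping information option allow-untrusted" is deliberately
! absent; it is only needed when another option-82 switch sits downstream.
interface range gigabitethernet 2/1 - 24
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10
!
! Restore one binding by hand (for example after the database was lost) for a
! host on VLAN 10 behind port 2/5; it expires after 3600 seconds and the
! change is written to the database file.
ip dhcp snooping binding 0011.2233.4455 vlan 10 10.10.10.25 interface gigabitethernet 2/5 expiry 3600
```

Check the result with show ip dhcp snooping and show ip dhcp snooping binding; as the note above says, the global output does not list the per-VLAN circuit-ID string.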
To control whether all hosts on a Layer 2 interface can join one or more IP multicast groups by applying an IGMP profile to the interface, use the ip igmp filter command. To remove a profile from the interface, use the no form of this command.
IGMP profile number to be applied; valid values are from 1 to 429496795.
This command was introduced on the Catalyst 4500 series switch.
You can apply IGMP filters only to Layer 2 physical interfaces; you cannot apply IGMP filters to routed ports, switch virtual interfaces (SVIs), or ports that belong to an EtherChannel group.
An IGMP profile can be applied to one or more switch port interfaces, but one port can have only one profile applied to it.
The following example shows how to apply IGMP profile 22 to an interface:
Displays all configured IGMP profiles or a specified IGMP profile.
To set the maximum number of IGMP groups that a Layer 2 interface can join, use the ip igmp max-groups command. To set the maximum back to the default, use the no form of this command.
Maximum number of IGMP groups that an interface can join; valid values are from 0 to 4294967294.
This command was introduced on the Catalyst 4500 series switch.
You can use the ip igmp max-groups command only on Layer 2 physical interfaces; you cannot set the IGMP maximum groups for the routed ports, the switch virtual interfaces (SVIs), or the ports that belong to an EtherChannel group.
The following example shows how to limit the number of IGMP groups that an interface can join to 25:
To create an IGMP profile, use the ip igmp profile command. To delete the IGMP profile, use the no form of this command.
ip igmp profile profile number
no ip igmp profile profile number
IGMP profile number being configured; valid values are from 1 to 4294967295.
This command was introduced on the Catalyst 4500 series switch.
When entering a range, enter the low IP multicast address, a space, and the high IP multicast address.
You can apply an IGMP profile to one or more Layer 2 interfaces, but each interface can have only one profile applied to it.
The following example shows how to configure IGMP profile 40 that permits the specified range of IP multicast addresses:
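The following configuration is an added example, not from the command reference, showing the ip igmp profile, ip igmp filter and ip igmp max-groups commands above applied together so that a Layer 2 access port may join only a permitted group range, and no more than 25 groups. The profile number, multicast address range, VLAN and interface are made up.

```cisco
! Profile 40 permits only groups in the given range (low address, space, high
! address). Everything outside the range is denied by this profile.
ip igmp profile 40
 permit
 range 239.10.10.1 239.10.10.254
!
! The filter and the group cap go on a Layer 2 physical port only; they are
! not accepted on routed ports, SVIs or EtherChannel member ports, and a
! port can carry only one profile.
interface gigabitethernet 2/7
 switchport mode access
 switchport access vlan 10
 ip igmp filter 40
 ip igmp max-groups 25
```

show ip igmp profile 40 (the related command listed above) displays the resulting profile.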
To configure the frequency that the switch sends the IGMP host-query messages, use the ip igmp query-interval command. To return to the default frequency, use the no form of this command.
ip igmp query-interval seconds
Frequency, in seconds, at which the IGMP host-query messages are transmitted; valid values depend on the IGMP snooping mode. See the “Usage Guidelines” section for more information.
This command was introduced on the Catalyst 4500 series switch.
If you use the default IGMP snooping configuration, the valid query interval values are from 1 to 65535 seconds. If you have changed the default configuration to support CGMP as the IGMP snooping learning method, the valid query interval values are from 1 to 300 seconds.
The designated switch for a LAN is the only switch that sends the IGMP host-query messages. For IGMP version 1, the designated switch is elected according to the multicast routing protocol that runs on the LAN. For IGMP version 2, the designated querier is the lowest IP-addressed multicast switch on the subnet.
If no queries are heard for the timeout period (controlled by the ip igmp query-timeout command), the switch becomes the querier.
Note Changing the timeout period may severely impact multicast forwarding.
The following example shows how to change the frequency at which the designated switch sends the IGMP host-query messages:
Switch(config-if)# ip igmp query-interval 120
To enable IGMP snooping, use the ip igmp snooping command. To disable IGMP snooping, use the no form of this command.
ip igmp snooping [ tcn { flood query count count | query solicit }]
no ip igmp snooping [ tcn { flood query count count | query solicit }]
(Optional) Specifies to flood the spanning tree table to the network when a topology change occurs.
(Optional) Specifies how often the spanning tree table is flooded; valid values are from 1 to 10.
This command was introduced on the Catalyst 4500 series switch.
|
The tcn flood option applies only to Layer 2 switch ports and EtherChannels; it does not apply to routed ports, VLAN interfaces, or Layer 3 channels.
The ip igmp snooping command is disabled by default on multicast routers.
Note You can use the tcn flood option in interface configuration mode.
The following example shows how to enable IGMP snooping:
Switch(config)# ip igmp snooping
Switch(config)#
The following example shows how to disable IGMP snooping:
Switch(config)# no ip igmp snooping
Switch(config)#
The following example shows how to enable the flooding of the spanning tree table to the network after nine topology changes have occurred:
Switch(config)# ip igmp snooping tcn flood query count 9
Switch(config)#
The following example shows how to disable the flooding of the spanning tree table to the network:
Switch(config)# no ip igmp snooping tcn flood
Switch(config)#
The following example shows how to enable an IGMP general query:
Switch(config)# ip igmp snooping tcn query solicit
Switch(config)#
The following example shows how to disable an IGMP general query:
Switch(config)# no ip igmp snooping tcn query solicit
Switch(config)#
Related command: ip igmp snooping vlan mrouter, which configures a Layer 2 interface as a multicast router interface for a VLAN.
To enable report suppression, use the ip igmp snooping report-suppression command. To disable report suppression and forward the reports to the multicast devices, use the no form of this command.
ip igmp snooping report-suppression
no ip igmp snooping report-suppression
This command was introduced on the Catalyst 4500 series switch.
If the ip igmp snooping report-suppression command is disabled, all the IGMP reports are forwarded to the multicast devices.
If the command is enabled, report suppression is done by IGMP snooping.
The following example shows how to enable report suppression:
Switch(config)# ip igmp snooping report-suppression
Switch(config)#
The following example shows how to disable report suppression:
Switch(config)# no ip igmp snooping report-suppression
Switch(config)#
The following example shows how to display the system status for report suppression:
Switch# show ip igmp snoop
vlan 1
----------
IGMP snooping is globally enabled
IGMP snooping TCN solicit query is globally disabled
IGMP snooping global TCN flood query count is 2
IGMP snooping is enabled on this Vlan
IGMP snooping immediate-leave is disabled on this Vlan
IGMP snooping mrouter learn mode is pim-dvmrp on this Vlan
IGMP snooping is running in IGMP_ONLY mode on this Vlan
IGMP snooping report suppression is enabled on this Vlan
Switch#
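As an added example (not part of the command reference), the following Python parses show ip igmp snooping output of the form quoted above into a dictionary and audits the settings this reference tells you to check: snooping enabled globally and on the VLAN, report suppression enabled, and immediate-leave only where a single receiver per group is known. The sample text is constructed from the output format above, not captured from a switch.

```python
import re
from typing import Any, Dict, List

# Constructed sample in the format of the show output quoted above.
SAMPLE_SHOW_OUTPUT = """\
Switch# show ip igmp snoop
vlan 1
----------
IGMP snooping is globally enabled
IGMP snooping TCN solicit query is globally disabled
IGMP snooping global TCN flood query count is 2
IGMP snooping is enabled on this Vlan
IGMP snooping immediate-leave is disabled on this Vlan
IGMP snooping mrouter learn mode is pim-dvmrp on this Vlan
IGMP snooping is running in IGMP_ONLY mode on this Vlan
IGMP snooping report suppression is enabled on this Vlan
Switch#
"""

# One regex per line of the show output; group 1 is the value of interest.
_LINE_PATTERNS = [
    ("global_enabled", re.compile(r"^IGMP snooping is globally (enabled|disabled)$")),
    ("tcn_solicit_query", re.compile(r"^IGMP snooping TCN solicit query is globally (enabled|disabled)$")),
    ("tcn_flood_query_count", re.compile(r"^IGMP snooping global TCN flood query count is (\d+)$")),
    ("vlan_enabled", re.compile(r"^IGMP snooping is (enabled|disabled) on this Vlan$")),
    ("immediate_leave", re.compile(r"^IGMP snooping immediate-leave is (enabled|disabled) on this Vlan$")),
    ("mrouter_learn_mode", re.compile(r"^IGMP snooping mrouter learn mode is (\S+) on this Vlan$")),
    ("snooping_mode", re.compile(r"^IGMP snooping is running in (\S+) mode on this Vlan$")),
    ("report_suppression", re.compile(r"^IGMP snooping report suppression is (enabled|disabled) on this Vlan$")),
]


def parse_igmp_snooping(output: str) -> Dict[str, Any]:
    """Turn 'show ip igmp snooping [vlan N]' text into a flat dictionary.

    enabled/disabled become True/False, the flood query count becomes an
    int, mode names stay strings. Prompts and separator lines are skipped.
    """
    result: Dict[str, Any] = {}
    for raw in output.splitlines():
        line = raw.strip()
        vlan_header = re.match(r"^vlan (\d+)$", line, re.IGNORECASE)
        if vlan_header:
            result["vlan"] = int(vlan_header.group(1))
            continue
        for field, pattern in _LINE_PATTERNS:
            match = pattern.match(line)
            if match:
                value = match.group(1)
                if value in ("enabled", "disabled"):
                    result[field] = value == "enabled"
                elif value.isdigit():
                    result[field] = int(value)
                else:
                    result[field] = value
                break
    return result


def audit_igmp_snooping(state: Dict[str, Any]) -> List[str]:
    """Return findings for settings that deviate from the reference's guidance."""
    findings: List[str] = []
    if not state.get("global_enabled", False):
        findings.append("IGMP snooping is globally disabled; multicast is flooded within each VLAN")
    if not state.get("vlan_enabled", False):
        findings.append("IGMP snooping is disabled on VLAN %s" % state.get("vlan", "?"))
    if not state.get("report_suppression", False):
        findings.append("report suppression disabled; every host report is forwarded to the multicast devices")
    if state.get("immediate_leave", False):
        findings.append("immediate-leave enabled; confirm there is a single receiver per group on this VLAN")
    return findings
```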
Related command: ip igmp snooping vlan mrouter, which configures a Layer 2 interface as a multicast router interface for a VLAN.
To enable IGMP snooping for a VLAN, use the ip igmp snooping vlan command. To disable IGMP snooping, use the no form of this command.
ip igmp snooping vlan vlan-id
no ip igmp snooping vlan vlan-id
vlan-id: Number of the VLAN; valid values are from 1 to 1001 and from 1006 to 4094.
This command was introduced on the Catalyst 4500 series switch.
This command is entered in VLAN interface configuration mode only.
The ip igmp snooping vlan command is disabled by default on multicast routers.
The following example shows how to enable IGMP snooping on a VLAN:
Switch(config)# ip igmp snooping vlan 200
Switch(config)#
The following example shows how to disable IGMP snooping on a VLAN:
Switch(config)# no ip igmp snooping vlan 200
Switch(config)#
Related command: ip igmp snooping vlan mrouter, which configures a Layer 2 interface as a multicast router interface for a VLAN.
To enable per-VLAN explicit host tracking, use the ip igmp snooping vlan explicit-tracking command. To disable explicit host tracking, use the no form of this command.
ip igmp snooping vlan vlan-id explicit-tracking
no ip igmp snooping vlan vlan-id explicit-tracking
vlan-id: (Optional) Specifies a VLAN; valid values are from 1 to 1001 and from 1006 to 4094.
This command was introduced on the Catalyst 4500 series switch.
The following example shows how to disable IGMP explicit host tracking on interface VLAN 200 and how to verify the configuration:
Related command: ip igmp snooping vlan mrouter, which configures a Layer 2 interface as a multicast router interface for a VLAN.
To enable IGMP immediate-leave processing, use the ip igmp snooping vlan immediate-leave command. To disable immediate-leave processing, use the no form of this command.
ip igmp snooping vlan vlan_num immediate-leave
no ip igmp snooping vlan vlan_num immediate-leave
This command was introduced on the Catalyst 4500 series switch.
You enter this command in global configuration mode only.
Use the immediate-leave feature only when there is a single receiver for the MAC group for a specific VLAN.
The immediate-leave feature is supported only with IGMP version 2 hosts.
The following example shows how to enable IGMP immediate-leave processing on VLAN 4:
Switch(config)# ip igmp snooping vlan 4 immediate-leave
Switch(config)#
The following example shows how to disable IGMP immediate-leave processing on VLAN 4:
Switch(config)# no ip igmp snooping vlan 4 immediate-leave
Switch(config)#
Related command: ip igmp snooping vlan mrouter, which configures a Layer 2 interface as a multicast router interface for a VLAN.
A related show command displays the information about the IGMP-interface status and configuration.
To statically configure a Layer 2 interface as a multicast router interface for a VLAN, use the ip igmp snooping vlan mrouter command. To remove the configuration, use the no form of this command.
ip igmp snooping vlan vlan-id mrouter { interface {{ fastethernet slot/port } | { gigabitethernet slot/port } | { tengigabitethernet slot/port } | { port-channel number }} | { learn { cgmp | pim-dvmrp }}
no ip igmp snooping vlan vlan-id mrouter { interface {{ fastethernet slot/port } | { gigabitethernet slot/port } | { tengigabitethernet slot/port } | { port-channel number }} | { learn { cgmp | pim-dvmrp }}
This command was introduced on the Catalyst 4500 series switch.
Support for the 10-Gigabit Ethernet interface was introduced on the Catalyst 4500 series switch.
You enter this command in VLAN interface configuration mode only.
The interface to the switch must be in the VLAN where you are entering the command. It must be both administratively up and line protocol up.
The CGMP learning method can decrease control traffic.
The learning method that you configure is saved in NVRAM.
The static connections to multicast interfaces are supported only on switch interfaces.
The following example shows how to specify the next-hop interface to a multicast switch:
Switch(config-if)# ip igmp snooping vlan 400 mrouter interface fastethernet 5/6
Switch(config-if)#
The following example shows how to specify the multicast switch learning method:
Switch(config-if)# ip igmp snooping vlan 400 mrouter learn cgmp
Switch(config-if)#
To configure a Layer 2 interface as a member of a group, use the ip igmp snooping vlan static command. To remove the configuration, use the no form of this command.
ip igmp snooping vlan vlan_num static mac-address { interface { fastethernet slot/port } | { gigabitethernet slot/port } | { tengigabitethernet slot/port } | { port-channel number }}
no ip igmp snooping vlan vlan_num static mac-address { interface { fastethernet slot/port } | { gigabitethernet slot/port } | { tengigabitethernet slot/port } | { port-channel number }}
This command was introduced on the Catalyst 4500 series switch.
Support for the 10-Gigabit Ethernet interface was introduced on the Catalyst 4500 series switch.
The following example shows how to configure a host statically on an interface:
Switch(config)# ip igmp snooping vlan 4 static 0100.5e02.0203 interface fastethernet 5/11
Configuring port FastEthernet5/11 on group 0100.5e02.0203 vlan 4
Switch(config)#
Related command: ip igmp snooping vlan mrouter, which configures a Layer 2 interface as a multicast router interface for a VLAN.
To enable the local proxy ARP feature, use the ip local-proxy-arp command. To disable the local proxy ARP feature, use the no form of this command.
ip local-proxy-arp
no ip local-proxy-arp
This command was introduced on the Catalyst 4500 series switch.
Use this feature only on subnets where hosts are intentionally prevented from communicating directly to the switch on which they are connected.
ICMP redirect is disabled on interfaces where the local proxy ARP feature is enabled.
The following example shows how to enable the local proxy ARP feature:
Switch(config-if)# ip local-proxy-arp
Switch(config-if)#
To enable MFIB fast drop, use the ip mfib fastdrop command. To disable MFIB fast drop, use the no form of this command.
ip mfib fastdrop
no ip mfib fastdrop
This command was introduced on the Catalyst 4500 series switch.
The following example shows how to enable MFIB fast drops:
Switch(config)# ip mfib fastdrop
A related show command displays all currently active fast-drop entries and shows whether fast drop is enabled.
To enable load splitting of IP multicast traffic over Equal Cost Multipath (ECMP), use the ip multicast multipath command in global configuration mode. To disable this functionality, use the no form of this command.
ip multicast [ vrf vrf-name ] multipath [ s-g-hash { basic | next-hop-based }]
no ip multicast [ vrf vrf-name ] multipath [ s-g-hash { basic | next-hop-based }]
By default, if multiple equal-cost paths exist, multicast traffic is not load-split across those paths.
The s-g-hash keyword was introduced on the Catalyst 4500 switch.
The ip multicast multipath command does not work with bidirectional Protocol Independent Multicast (PIM).
Use the ip multicast multipath command to enable load splitting of IP multicast traffic across multiple equal-cost paths.
If two or more equal-cost paths from a source are available, unicast traffic will be load-split across those paths. However, by default, multicast traffic is not load-split across multiple equal-cost paths. In general, multicast traffic flows down from the reverse path forwarding (RPF) neighbor. According to the PIM specifications, this neighbor must have the highest IP address if more than one neighbor has the same metric.
When you configure load splitting with the ip multicast multipath command, the system splits multicast traffic across multiple equal-cost paths based on source address using the S-hash algorithm. When the ip multicast multipath command is configured and multiple equal-cost paths exist, the path on which multicast traffic travels is selected based on the source IP address. Multicast traffic from different sources is load-split across the different equal-cost paths. Load splitting does not occur across equal-cost paths for multicast traffic from the same source sent to different multicast groups.
Note The ip multicast multipath command load splits the traffic but does not load balance the traffic. Traffic from a source will use only one path, even if the traffic greatly exceeds traffic from other sources.
If the ip multicast multipath command is configured with the s-g-hash keyword and multiple equal-cost paths exist, load splitting will occur across equal-cost paths based on source and group address or on source, group, and next-hop address. If you specify the optional s-g-hash keyword for load splitting IP multicast traffic, you must select the algorithm used to calculate the equal-cost paths by specifying one of the following keywords:
basic: splits traffic based on source and group address (the basic S-G-hash algorithm).
next-hop-based: splits traffic based on source, group, and next-hop address (the next-hop-based S-G-hash algorithm).
The following example shows how to enable ECMP multicast load splitting on a router based on source address using the S-hash algorithm:
Switch(config)# ip multicast multipath
The following example shows how to enable ECMP multicast load splitting on a router based on source and group address using the basic S-G-hash algorithm:
Switch(config)# ip multicast multipath s-g-hash basic
The following example shows how to enable ECMP multicast load splitting on a router based on source, group, and next-hop address using the next-hop-based S-G-hash algorithm:
Switch(config)# ip multicast multipath s-g-hash next-hop-based
To configure the IP address of the domain name server (DNS), use the ip name-server command. To delete the name server use the no form of this command.
ip name-server server-address1 [ server-address2...server-address6 ]
no ip name-server server-address1 [ server-address2...server-address6 ]
server-address1: IPv4 or IPv6 address of a name server to use for name and address resolution.
server-address2...server-address6: (Optional) IP addresses of additional name servers (a maximum of six name servers).
This command was introduced on the Catalyst 4500 series switch.
Separate each server address with a space. The first server specified is the primary server. The switch sends DNS queries to the primary server first. If that query fails, the backup servers are queried.
For the Application Visibility Control (AVC) with Domain Name System as an Authoritative Source (DNS-AS) feature (AVC with DNS-AS), ensure that at least the first two IP addresses in the sequence are IPv4 addresses, because the AVC with DNS-AS feature uses only these. In the following example, the first two addresses are IPv4 (192.0.2.1 and 192.0.2.2) and the third (2001:DB8::1) is an IPv6 address; AVC with DNS-AS uses the first two:
Switch(config)# ip name-server 192.0.2.1 192.0.2.2 2001:DB8::1
Enter the show ip name-server command to display all the name server IP addresses that have been maintained.
The following example shows how to specify IPv4 hosts 172.16.1.111 and 172.16.1.2 as the name servers:
Switch(config)# ip name-server 172.16.1.111 172.16.1.2
The following example shows how to specify IPv6 hosts 3FFE:C00::250:8BFF:FEE8:F800 and 2001:0DB8::3 as the name servers:
Switch(config)# ip name-server 3FFE:C00::250:8BFF:FEE8:F800 2001:0DB8::3
To enable NetFlow statistics for IP routing, use the ip route-cache flow command. To disable NetFlow statistics, use the no form of this command.
ip route-cache flow [ infer-fields ]
no ip route-cache flow [ infer-fields ]
infer-fields: (Optional) Includes the NetFlow fields as inferred by the software: Input identifier, Output identifier, and Routing information.
This command was introduced on the Catalyst 4500 series switch.
To use these commands, you need to install the Supervisor Engine IV and the NetFlow Service Card.
The NetFlow statistics feature captures a set of traffic statistics. These traffic statistics include the source IP address, destination IP address, Layer 4 port information, protocol, input and output identifiers, and other routing information that can be used for network analysis, planning, accounting, billing and identifying DoS attacks.
NetFlow switching is supported on IP and IP-encapsulated traffic over all interface types.
If you enter the ip route-cache flow infer-fields command after the ip route-cache flow command, you will purge the existing cache, and vice versa. This action is done to avoid having flows with and without inferred fields in the cache simultaneously.
For additional information on NetFlow switching, refer to the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide.
Note NetFlow consumes additional memory and CPU resources compared to other switching modes. You need to know the resources required on your switch before enabling NetFlow.
The following example shows how to enable NetFlow switching on the switch:
Switch(config)# ip route-cache flow
Note This command does not work on individual interfaces.
To add or delete a static IP source binding entry, use the ip source binding command. To delete the corresponding IP source binding entry, use the no form of this command.
ip source binding ip-address mac-address vlan vlan-id interface interface-name
no ip source binding ip-address mac-address vlan vlan-id interface interface-name
This command was introduced on the Catalyst 4500 series switch.
The ip source binding command is used to add a static IP source binding entry only.
The no form of this command deletes the corresponding IP source binding entry. For the deletion to succeed, all required parameters must match.
Each static IP binding entry is keyed by a MAC address and VLAN number. If the CLI contains an existing MAC and VLAN, the existing binding entry will be updated with the new parameters; a separate binding entry will not be created.
The following example shows how to configure the static IP source binding:
A related show command displays the IP source bindings that are configured on the system.
To specify the IP address of an interface as the source address for a Secure Shell (SSH) client device, use the ip ssh source-interface command in global configuration mode. To remove the IP address as the source address, use the no form of this command.
ip ssh source-interface interface
no ip ssh source-interface interface
interface: The interface whose address is used as the source address for the SSH client.
By default, the address of the closest interface to the destination is used as the source address (the closest interface is the output interface through which the SSH packet is sent).
This command was introduced on the Catalyst 4500 series switch.
By specifying this command, you can force the SSH client to use the IP address of the source interface as the source address.
In the following example, the IP address assigned to Ethernet interface 0 is used as the source address for the SSH client:
Switch(config)# ip ssh source-interface ethernet 0
To enable sticky ARP, use the ip sticky-arp command. Use the no form of this command to disable sticky ARP.
ip sticky-arp
no ip sticky-arp
This command was introduced on the Catalyst 4500 series switch.
This command is supported on PVLANs only.
ARP entries that are learned on Layer 3 PVLAN interfaces are sticky ARP entries. (You should display and verify ARP entries on the PVLAN interface using the show arp command).
For security reasons, sticky ARP entries on the PVLAN interface do not age out. Connecting new equipment with the same IP address generates a message and the ARP entry is not created.
Because the ARP entries on the PVLAN interface do not age out, you must manually remove ARP entries on the PVLAN interface if a MAC address changes.
Unlike static entries, sticky-ARP entries are not stored and restored when you enter the reboot and restart commands.
The following example shows how to enable sticky ARP:
Switch(config)# ip sticky-arp
Switch(config)# end
The following example shows how to disable sticky ARP:
Switch(config)# no ip sticky-arp
Switch(config)# end
A related command enables Address Resolution Protocol (ARP) entries for static routing over the Switched Multimegabit Data Service (SMDS) network.
To enable IP header validation for Layer 2-switched IPv4 packets, use the ip verify header vlan all command. To disable the IP header validation, use the no form of this command.
ip verify header vlan all
no ip verify header vlan all
By default, the IP header is validated for bridged and routed IPv4 packets.
This command was introduced on the Catalyst 4500 series switch.
This command does not apply to Layer 3-switched (routed) packets.
The Catalyst 4500 series switch checks the validity of the following fields in the IPv4 header for all switched IPv4 packets:
If an IPv4 packet fails the IP header validation, the packet is dropped. If you disable the header validation, the packets with the invalid IP headers are bridged but are not routed even if routing was intended. The IPv4 access lists also are not applied to the IP headers.
The following example shows how to disable the IP header validation for the Layer 2-switched IPv4 packets:
Switch(config)# no ip verify header vlan all
To enable IP source guard on untrusted Layer 2 interfaces, use the ip verify source command. To disable IP source guard on untrusted Layer 2 interfaces, use the no form of this command.
ip verify source { vlan dhcp-snooping | tracking } [port-security]
no ip verify source { vlan dhcp-snooping | tracking } [port-security]
This command was introduced on the Catalyst 4500 series switch.
The following example shows how to enable IP source guard on VLANs 10 through 20 on a per-port basis:
The following example shows how to enable IP port security with IP-MAC filters on a Layer 2 access port:
You can verify your settings by entering the show ip verify source privileged EXEC command.
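The binding semantics described for ip source binding (entries keyed by MAC address and VLAN, an existing key is updated in place, deletion succeeds only on a full parameter match) and the IP-MAC filter that ip verify source applies on an untrusted port are modelled together in this added Python example. It is not Cisco code; the addresses, VLAN numbers and interface names are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Binding:
    ip_address: str
    mac_address: str      # stored lower-case, e.g. 0011.2233.4455
    vlan_id: int
    interface: str


class StaticSourceBindingTable:
    """Static IP source binding table as described for ip source binding."""

    def __init__(self) -> None:
        self._entries: Dict[Tuple[str, int], Binding] = {}

    @staticmethod
    def _key(mac_address: str, vlan_id: int) -> Tuple[str, int]:
        # Entries are keyed by MAC address and VLAN number; MAC case is
        # normalised so upper- and lower-case spellings are one entry.
        return (mac_address.lower(), vlan_id)

    def add(self, ip_address: str, mac_address: str, vlan_id: int, interface: str) -> str:
        """ip source binding ...: an existing MAC/VLAN pair is updated, not duplicated.

        Returns "created" or "updated".
        """
        key = self._key(mac_address, vlan_id)
        outcome = "updated" if key in self._entries else "created"
        self._entries[key] = Binding(ip_address, key[0], vlan_id, interface)
        return outcome

    def remove(self, ip_address: str, mac_address: str, vlan_id: int, interface: str) -> bool:
        """no ip source binding ...: succeeds only if every parameter matches."""
        key = self._key(mac_address, vlan_id)
        requested = Binding(ip_address, key[0], vlan_id, interface)
        if self._entries.get(key) != requested:
            return False
        del self._entries[key]
        return True

    def lookup(self, mac_address: str, vlan_id: int) -> Optional[Binding]:
        return self._entries.get(self._key(mac_address, vlan_id))

    def permits(self, ip_address: str, mac_address: str, vlan_id: int, interface: str) -> bool:
        """IP source guard style IP-MAC filter for an untrusted port: a packet is
        allowed only if its source IP and MAC match a binding for this VLAN
        that was configured on the port it arrived on."""
        binding = self.lookup(mac_address, vlan_id)
        return (binding is not None
                and binding.ip_address == ip_address
                and binding.interface == interface)

    def __len__(self) -> int:
        return len(self._entries)
```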
To enable and configure unicast RPF checks on a IPv4 interface, use the ip verify unicast source reachable-via command. To disable unicast RPF, use the no form of this command.
ip verify unicast source reachable-via rx allow-default
no ip verify unicast source reachable-via
rx: Verifies that the source address is reachable on the interface where the packet was received.
Support introduced on Catalyst 4900M chassis and a Catalyst 4500 with a Supervisor Engine 6-E.
Note Unicast RPF is an input function and is applied only on the input interface of a router at the upstream end of a connection.
Do not use unicast RPF on internal network interfaces. Internal interfaces might have routing asymmetry, which means that there are multiple routes to the source of a packet. Apply unicast RPF only where there is natural or configured symmetry.
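As an added example (not Cisco code), the following Python models the rx check: the source address is resolved by longest prefix match and must point back at the interface the packet arrived on, which is why a legitimate source on an asymmetric internal path fails it. The handling of allow-default (a default-route match satisfies the check only when that keyword is set) is my reading of the keyword, which this page does not describe; the routes and interface names are constructed.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, str]  # (prefix, interface the prefix is reached through)


class RouteTable:
    """Minimal IPv4 routing table with longest-prefix-match lookup."""

    def __init__(self, routes: List[Route]) -> None:
        self._routes = [(ipaddress.ip_network(prefix), iface) for prefix, iface in routes]

    def lookup(self, address: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
        ip = ipaddress.ip_address(address)
        best = None
        for net, iface in self._routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best


def urpf_rx_passes(table: RouteTable, source: str, ingress: str,
                   allow_default: bool = False) -> bool:
    """Strict ('rx') unicast RPF verdict for one packet.

    The packet passes only if the route back to its source uses the
    interface the packet arrived on. A source covered only by the default
    route fails unless allow_default is set (assumed reading of the
    allow-default keyword; this page does not define it).
    """
    hit = table.lookup(source)
    if hit is None:
        return False                      # no route back: unroutable or spoofed source
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False                      # only the default route covers this source
    return iface == ingress


# Constructed sample: an edge device with a default route toward the
# upstream on Gi1/1 and two locally connected prefixes on Gi1/2 and Gi1/3.
SAMPLE_ROUTES: List[Route] = [
    ("0.0.0.0/0", "Gi1/1"),
    ("192.0.2.0/24", "Gi1/2"),
    ("198.51.100.0/24", "Gi1/3"),
]


def demo() -> Dict[str, bool]:
    """Apply the check to a few constructed packets and return the verdicts."""
    rt = RouteTable(SAMPLE_ROUTES)
    return {
        # Local traffic arriving where the routing table expects it.
        "legit_on_expected_iface": urpf_rx_passes(rt, "192.0.2.7", "Gi1/2"),
        # Same source on another interface: either spoofed or a legitimate but
        # asymmetric path, the case the reference warns about on internal links.
        "same_source_other_iface": urpf_rx_passes(rt, "192.0.2.7", "Gi1/3"),
        # A source known only via the default route passes only with allow-default.
        "upstream_strict": urpf_rx_passes(rt, "203.0.113.9", "Gi1/1"),
        "upstream_allow_default": urpf_rx_passes(rt, "203.0.113.9", "Gi1/1", allow_default=True),
    }
```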
The following example shows how to enable unicast RPF exist-only checking mode:
To enable support of the specified Web Cache Communication Protocol (WCCP) service for participation in a service group, use the ip wccp command in global configuration mode. To disable the service group, use the no form of this command.
ip wccp { web-cache | service-number } [ accelerated ] [ group-address multicast-address ] [ redirect-list access-list ] [ group-list access-list ] [ password [ 0 | 7 ] password ]
no ip wccp { web-cache | service-number }[ accelerated ] [ group-address multicast-address ] [ redirect-list access-list ] [ group-list access-list ] [ password [ 0 | 7 ] password ]
This command instructs a router to enable or disable the support for the specified service number or the web-cache service name. A service number can be from 0 to 254. Once the service number or name is enabled, the router can participate in the establishment of a service group.
When the no ip wccp command is entered, the router terminates participation in the service group, deallocates space if none of the interfaces still has the service configured, and terminates the WCCP task if no other services are configured.
The keywords following the web-cache keyword and the service-number argument are optional and may be specified in any order, but only may be specified once. The following sections outline the specific usage of each of the optional forms of this command.
ip wccp { web-cache | service-number } group-address multicast-address
A WCCP group address can be configured to set up a multicast address that cooperating routers and web caches can use to exchange WCCP protocol messages. If such an address is used, IP multicast routing must be enabled so that the messages that use the configured group (multicast) addresses are received correctly.
This option instructs the router to use the specified multicast IP address to coalesce the “I See You” responses for the “Here I Am” messages that it has received on this group address. The response is sent to the group address as well. The default is for no group address to be configured, in which case all “Here I Am” messages are responded to with a unicast reply.
ip wccp { web-cache | service-number } redirect-list access-list
This option instructs the router to use an access list to control the traffic that is redirected to the web caches of the service group specified by the service name given. The access-list argument specifies either the number or the name of a standard or extended access list. The access list itself specifies which traffic is permitted to be redirected. The default is for no redirect list to be configured (all traffic is redirected).
WCCP requires that the following protocol and ports not be filtered by any access lists:
ip wccp { web-cache | service-number } group-list access-list
This option instructs the router to use an access list to control the cache engines that are allowed to participate in the specified service group. The access-list argument specifies either the number of a standard or extended access list or the name of any type of named access list. The access list itself specifies which cache engines are permitted to participate in the service group. The default is for no group list to be configured, in which case all cache engines may participate in the service group.
Note The ip wccp {web-cache | service-number} group-list command syntax resembles the ip wccp {web-cache | service-number} group-listen command, but these are entirely different commands. The ip wccp group-listen command is an interface configuration command used to configure an interface to listen for multicast notifications from a cache cluster. Refer to the description of the ip wccp group-listen command in the Cisco IOS IP Application Services Command Reference.
ip wccp { web-cache | service-number } password password
This option instructs the router to use MD5 authentication on the messages received from the service group specified by the service name given. Use this form of the command to set the password on the router. You must also configure the same password separately on each web cache. The password can be up to a maximum of eight characters. Messages that do not authenticate when authentication is enabled on the router are discarded. The default is for no authentication password to be configured and for authentication to be disabled.
The following example shows how to configure a router to run the WCCP reverse-proxy service (service number 99), using the multicast address of 239.0.0.0:
Switch(config)# ip wccp 99 group-address 239.0.0.0
The following example shows how to configure a router to redirect web-related packets without a destination of 10.168.196.51 to the web cache:
A related command specifies which version of WCCP you wish to use on your router.
To enable support of the specified Web Cache Communication Protocol (WCCP) service for participation in a service group, use the ipv6 wccp command in global configuration mode. To disable the service group, use the no form of this command.
ipv6 wccp vrf vrf-name [ group-address groupaddress ] [ redirect-list access-list ] [ group-list access-list ]
This command instructs a device to enable or disable the support for the specified service number or the VRF. A service number can be from 0 to 254. Once the service number or name is enabled, the router can participate in the establishment of a service group.
When the no ipv6 wccp command is entered, the device terminates participation in the service group, deallocates space if none of the interfaces still has the service configured, and terminates the WCCP task if no other services are configured.
The following sections outline the specific usage of each of the optional forms of this command.
ipv6 wccp vrf vrf-name group-address groupaddress
The vrf vrf-name keyword and argument pair is optional. It allows you to specify a VRF to associate with a service group. You can then specify a web-cache service name or service number.
A WCCP group address can be configured to set up a multicast address that cooperating devices can use to exchange WCCP protocol messages. If such an address is used, IP multicast routing must be enabled so that the messages that use the configured group (multicast) addresses are received correctly.
This option instructs the device to use the specified multicast IP address to coalesce the “I See You” responses for the “Here I Am” messages that it has received on this group address. The response is sent to the group address as well. The default is for no group address to be configured, in which case all “Here I Am” messages are responded to with a unicast reply.
ipv6 wccp vrf vrf-name redirect-list access-list
This option instructs the device to use an access list to control the traffic that is redirected to the service group specified by the service name given. The access-list argument specifies either the number or the name of a standard or extended access list. The access list itself specifies which traffic is permitted to be redirected. The default is for no redirect list to be configured (all traffic is redirected).
WCCP requires that the following protocol and ports not be filtered by any access lists:
ipv6 wccp vrf vrf-name group-list access-list
This option instructs the router to use an access list to control the cache engines that are allowed to participate in the specified service group. The access-list argument specifies either the number of a standard or extended access list or the name of any type of named access list. The access list itself specifies which cache engines are permitted to participate in the service group. The default is for no group list to be configured, in which case all cache engines may participate in the service group.
The following example shows how to configure the TCP promiscuous service for IPv4 VRF interfaces, where VLAN 40 represents the server interface and VLAN 50 represents the content engine interface:
To enable all Web Cache Communication Protocol (WCCP) services, use the ip wccp check services all command in global configuration mode. To disable all services, use the no form of this command.
ip wccp check services all
no ip wccp check services all
With the ip wccp check services all command, WCCP can be configured to check all configured services for a match and perform redirection for those services if appropriate. The caches to which packets are redirected can be controlled by a redirect ACL access control list (ACL) as well as by the priority value of the service.
It is possible to configure an interface with more than one WCCP service. When more than one WCCP service is configured on an interface, the precedence of a service depends on the relative priority of the service compared to the priority of the other configured services. Each WCCP service has a priority value as part of its definition.
If no WCCP services are configured with a redirect ACL, the services are considered in priority order until a service is found which matches the IP packet. If no services match the packet, the packet is not redirected. If a service matches the packet and the service has a redirect ACL configured, then the IP packet will be checked against the ACL. If the packet is rejected by the ACL, the packet will not be passed down to lower priority services unless the ip wccp check services all command is configured. When the ip wccp check services all command is configured, WCCP will continue to attempt to match the packet against any remaining lower priority services configured on the interface.
Note The priority of a WCCP service group is determined by the web cache appliance. The priority of a WCCP service group cannot be configured via Cisco IOS software.
Note The ip wccp check services all command is a global WCCP command that applies to all services and is not associated with a single service.
The following example shows how to configure all WCCP services:
Switch(config)# ip wccp check services all
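An added Python model (not Cisco code) of the redirection decision described above: services are tried in priority order, a redirect ACL that rejects the packet normally ends the search, and with ip wccp check services all the lower-priority services are still consulted. The service names, priority values and traffic definitions are constructed sample data; the excluded server address 10.168.196.51 is reused from the ip wccp example text.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class WccpService:
    name: str
    priority: int                                # announced by the cache appliance, not configurable in IOS
    matches: Callable[[Packet], bool]            # the service's traffic definition
    redirect_acl: Optional[Callable[[Packet], bool]] = None  # None means no redirect list


def select_service(services: List[WccpService], pkt: Packet,
                   check_services_all: bool = False) -> Optional[str]:
    """Return the name of the service the packet is redirected to, or None.

    Services are considered from highest to lowest priority. The first one
    whose definition matches the packet decides: if it has no redirect ACL,
    or the ACL permits the packet, the packet is redirected there. If the
    ACL rejects the packet, the search stops (not redirected) unless
    check_services_all is set, in which case lower-priority services are
    still tried.
    """
    for svc in sorted(services, key=lambda s: s.priority, reverse=True):
        if not svc.matches(pkt):
            continue
        if svc.redirect_acl is None or svc.redirect_acl(pkt):
            return svc.name
        if not check_services_all:
            return None
    return None


def _not_the_origin_server(pkt: Packet) -> bool:
    # Constructed redirect list: redirect everything except traffic to one server.
    return pkt.dst != "10.168.196.51"


# Constructed service group: a higher-priority HTTP service with a redirect
# list, and a lower-priority service that takes any TCP traffic.
SAMPLE_SERVICES: List[WccpService] = [
    WccpService("web-cache", 240, lambda p: p.proto == "tcp" and p.dport == 80,
                _not_the_origin_server),
    WccpService("service-90", 90, lambda p: p.proto == "tcp"),
]
```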
To configure an interface on a router to enable or disable the reception of IP multicast packets for Web Cache Communication Protocol (WCCP), use the ip wccp group-listen command in interface configuration mode. To disable the reception of IP multicast packets for WCCP, use the no form of this command.
ip wccp { web-cache | service-number } group-listen
no ip wccp { web-cache | service-number } group-listen
This command is entered in interface configuration mode (config-if).
On routers that are to be members of a Service Group when IP multicast is used, the following configuration is required:
The following example shows how to enable the multicast packets for a web cache with a multicast address of 224.1.1.100:
To enable packet redirection on an inbound or outbound interface using Web Cache Communication Protocol (WCCP), use the ip wccp redirect command in interface configuration mode. To disable WCCP redirection, use the no form of this command.
ip wccp { web-cache | service-number } redirect { in | out }
no ip wccp { web-cache | service-number } redirect { in | out }
service-number: Identification number of the cache engine service group; valid values are from 0 to 254. If Cisco cache engines are used in the cache cluster, the reverse proxy service is indicated by a value of 99.
This command is entered in interface configuration mode (config-if).
The ip wccp {web-cache | service-number} redirect in command allows you to configure WCCP redirection on an interface receiving inbound network traffic. When the command is applied to an interface, all packets arriving at that interface will be compared against the criteria defined by the specified WCCP service. If the packets match the criteria, they will be redirected.
Likewise, the ip wccp {web-cache | service-number} redirect out command allows you to configure the WCCP redirection check at an outbound interface.
Tip: Do not confuse the ip wccp {web-cache | service-number} redirect {out | in} interface configuration command with the ip wccp redirect exclude in interface configuration command. The first enables a redirection check for one service on an interface; the second exempts every packet received on an interface from all redirection checks.
The following example shows how to configure a session in which reverse proxy packets on Ethernet interface 3/1 are being checked for redirection and redirected to a Cisco Cache Engine:
The following example shows how to configure a session in which HTTP traffic arriving on GigabitEthernet interface 3/1 is redirected to a Cache Engine:
To exclude packets received on an interface from being checked for redirection, use the ip wccp redirect exclude in command in interface configuration mode. To disable the ability of a router to exclude packets from redirection checks, use the no form of this command.
ip wccp redirect exclude in
no ip wccp redirect exclude in
Interface configuration (config-if)
This configuration command instructs the interface to exclude inbound packets from any redirection check. Note that the command is global to all the services and should be applied to any inbound interface that will be excluded from redirection.
This command is intended to be used to accelerate the flow of packets from a cache engine to the Internet as well as allow for the use of the Web Cache Communication Protocol (WCCP) v2 packet return feature.
In the following example, packets arriving on GigabitEthernet interface 3/1 are excluded from WCCP output redirection checks:
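The following configuration is an added example that ties the WCCP commands above together on one router; it is not taken from the original page. Interface numbers, IP addresses and the multicast group address are assumed values. The point a practitioner needs to get right is the pairing of redirect in on the client-facing interface with redirect exclude in on the cache-facing interface: without the exclusion, traffic returning from the cache engine would itself be checked for redirection and could loop back to the cache.

```cisco
! Added example (not from the original page). Interface names, addresses
! and the multicast group are assumed.
!
! Global WCCP configuration: enable the web-cache service, announce the
! service group on a multicast address, and require all services to be
! consistent before packets are redirected (ip wccp check services all
! applies to every service, not just web-cache).
ip wccp web-cache group-address 224.1.1.100
ip wccp check services all
!
! Client-facing interface: packets arriving here are compared against
! the web-cache service criteria and redirected when they match.
interface GigabitEthernet3/1
 description client side
 ip address 10.1.1.1 255.255.255.0
 ip wccp web-cache redirect in
!
! Cache-facing interface: packets coming back from the cache engine are
! excluded from every redirection check (this is global to all services),
! and the interface listens for the service-group multicast traffic.
interface GigabitEthernet3/2
 description cache engine side
 ip address 10.2.2.1 255.255.255.0
 ip wccp redirect exclude in
 ip wccp web-cache group-listen
!
! Verification (exec mode): show ip wccp  and  show ip wccp web-cache detail
```

The group-address keyword on the global ip wccp command is the multicast address the cache engines are told to use; group-listen on the cache-facing interface is what lets the router receive those packets, so the two addresses must match.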
To enable Lightweight DHCPv6 Relay Agent (LDRA) functionality on an access node, use the ipv6 dhcp-ldra command in global configuration mode. To disable the LDRA functionality, use the no form of this command.
ipv6 dhcp-ldra { enable | disable | remote-id remote-id }
no ipv6 dhcp-ldra { enable | disable | remote-id remote-id }
If the remote ID is not configured, a system generated remote ID is used.
This command was introduced on the Catalyst 4500 series switch.
You must configure the LDRA functionality globally using the ipv6 dhcp-ldra command before configuring it on a VLAN or an access node (such as a Digital Subscriber Link Access Multiplexer [DSLAM] or an Ethernet switch) interface.
To enable LDRA, enter the ipv6 dhcp-ldra enable command. To disable LDRA, enter either the no ipv6 dhcp-ldra enable command or the ipv6 dhcp-ldra disable command. Entering no ipv6 dhcp-ldra on its own does not disable LDRA globally; the CLI does not accept a carriage return after no ipv6 dhcp-ldra, so one of the keywords must follow.
The following example shows how to enable the LDRA functionality:
ipv6 dhcp relay destination: Specifies a destination address to which client messages are forwarded and enables DHCPv6 relay service on the interface.
To configure Lightweight DHCPv6 Relay Agent (LDRA) interface ID on a port or an interface, use the ipv6 dhcp-ldra interface-id command in interface configuration mode. To disable LDRA interface ID on an interface or port, use the no form of this command.
ipv6 dhcp-ldra interface-id interface-id
no ipv6 dhcp-ldra interface-id interface-id
interface-id: Interface identifier. Valid length for this argument is from 2 to 23 characters.
If the interface ID is not configured, the system uses a short name for an interface (for example, the system uses eth0/0 for Ethernet 0/0) as the interface ID.
Interface configuration (config-if)
This command was introduced on the Catalyst 4500 series switch.
The following example shows how to configure an LDRA interface ID:
To enable Lightweight DHCPv6 Relay Agent (LDRA) functionality on a port or interface, use the ipv6 dhcp-ldra attach-policy command in interface configuration mode. To disable LDRA functionality on an interface or port, use the no form of this command.
ipv6 dhcp-ldra attach-policy { client-facing-trusted | client-facing-untrusted | client-facing-disable | server-facing }
no ipv6 dhcp-ldra attach-policy { client-facing-trusted | client-facing-untrusted | client-facing-disable | server-facing }
Interface configuration (config-if)
This command was introduced on the Catalyst 4500 series switch.
You need to configure the LDRA functionality globally using the ipv6 dhcp-ldra command in global configuration mode before configuring it on an interface or port.
The ipv6 dhcp-ldra attach-policy command enables LDRA functionality on a specific interface or port. Instead of configuring LDRA individually on every client-facing interface or port, you can use the ipv6 dhcp ldra attach-policy command in VLAN configuration mode to configure LDRA on an entire VLAN.
The following example shows how to enable LDRA functionality on an interface and specify it as server facing:
To enable Lightweight DHCPv6 Relay Agent (LDRA) functionality on a VLAN, use the ipv6 dhcp ldra attach-policy command in VLAN configuration mode. To disable LDRA functionality on a VLAN, use the no form of this command.
ipv6 dhcp ldra attach-policy { client-facing-trusted | client-facing-untrusted }
no ipv6 dhcp ldra attach-policy { client-facing-trusted | client-facing-untrusted }
VLAN configuration (config-vlan-config)
This command was introduced on the Catalyst 4500 series switch in a release prior to Cisco IOS Release 15.2(5)E2.
You need to configure the LDRA functionality globally using the ipv6 dhcp-ldra command before configuring it on a VLAN.
In a typical deployment, a majority of the interfaces or ports on a device are client facing. Instead of configuring LDRA individually on all the client facing interfaces and ports, use the ipv6 dhcp ldra attach-policy command to configure LDRA on the entire VLAN. As a result, all the ports or interfaces associated with the VLAN will be configured as client facing.
The following example shows how to enable LDRA functionality on a VLAN:
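The following configuration is an added example, not from the original page, that puts the four LDRA commands above (global enable and remote ID, VLAN attach policy, per-port interface ID, and the server-facing port) together on one access switch. VLAN number, port numbers, the remote ID and interface ID strings are assumed values. The policy choice on the subscriber VLAN is where the security value lies: with client-facing-untrusted, a Relay-Forward message that arrives on a subscriber port is discarded (the behaviour RFC 6221 specifies for untrusted client-facing interfaces), so a subscriber cannot inject already-relayed DHCPv6 messages carrying a forged Interface-ID or Remote-ID toward the server.

```cisco
! Added example (not from the original page). VLAN, ports, remote-id and
! interface-id values are assumed.
!
! 1. Enable LDRA globally; the remote ID is inserted in every
!    Relay-Forward this access node sends toward the server.
ipv6 dhcp-ldra enable
ipv6 dhcp-ldra remote-id access-node-17
!
! 2. Every port in the subscriber VLAN is client facing and untrusted:
!    Relay-Forward messages received from a subscriber port are dropped.
vlan configuration 100
 ipv6 dhcp ldra attach-policy client-facing-untrusted
!
! 3. Per-port interface ID (2 to 23 characters) carried in the
!    Interface-ID option so the DHCPv6 server can identify the
!    subscriber port; without it the short interface name is used.
interface GigabitEthernet3/5
 switchport access vlan 100
 ipv6 dhcp-ldra interface-id subscriber-3-5
!
! 4. The uplink toward the DHCPv6 server or the next relay is server
!    facing; replies come back through it.
interface GigabitEthernet3/48
 switchport mode trunk
 switchport trunk allowed vlan 100
 ipv6 dhcp-ldra attach-policy server-facing
```

Use client-facing-trusted only on a port that connects to another relay you control, because that policy accepts relayed messages from the port.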
To specify a destination address to which client messages are forwarded and to enable Dynamic Host Configuration Protocol Version 6 (DHCPv6) relay service on the interface, use the ipv6 dhcp relay destination command in interface configuration mode. To remove a relay destination on the interface or to delete an output interface for a destination, use the no form of this command.
ipv6 dhcp relay destination { ipv6-address | global ipv6-address | vrf vrfname ipv6-address } [ interface-type interface-number ] [ link-address link-address ] [ source-address source-address ]
no ipv6 dhcp relay destination { ipv6-address | global ipv6-address | vrf vrfname ipv6-address } [ interface-type interface-number ] [ link-address link-address ] [ source-address source-address ]
The relay function is disabled, and there is no relay destination on an interface.
Interface configuration (config-if)
This command was introduced on the Catalyst 4500 series switch in a release prior to Cisco IOS Release 15.2(5)E2.
The ipv6 dhcp relay destination command specifies a destination address to which client messages are forwarded, and it enables DHCPv6 relay service on the interface. When relay service is enabled on an interface, a DHCPv6 message received on that interface is forwarded to all configured relay destinations. The incoming DHCPv6 message may have come from a client on that interface, or relayed by another relay agent.
The relay destination can be a unicast address of a server or another relay agent, or it may be a multicast address. There are two types of relay destination addresses:
If no output interface is configured for a destination, the output interface is determined by routing tables. In this case, it is recommended that a unicast or multicast routing protocol be running on the device.
Multiple destinations can be configured on one interface, and multiple output interfaces can be configured for one destination. When the relay agent relays messages to a multicast address, it sets the hop limit field in the IPv6 packet header to 32.
Unspecified, loopback, and node-local multicast addresses are not acceptable as the relay destination. If any one of them is configured, the message "Invalid destination address" is displayed.
Note that it is not necessary to enable the relay function on an interface for it to accept and forward an incoming relay reply message from servers. By default, the relay function is disabled, and there is no relay destination on an interface. The no form of the command removes a relay destination on an interface or deletes an output interface for a destination. If all relay destinations are removed, the relay service is disabled on the interface.
The DHCPv6 client, server, and relay functions are mutually exclusive on an interface. When one of these functions is already enabled, and a user tries to configure a different function on the same interface, one of the following messages is displayed: "Interface is in DHCP client mode," "Interface is in DHCP server mode," or "Interface is in DHCP relay mode."
The following example sets the relay destination address on Ethernet interface 4/3:
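The following configuration is an added example, not part of the original page, showing the forms of ipv6 dhcp relay destination that the usage guidelines above describe: a unicast destination resolved through the routing table, a multicast destination with an explicit output interface, and a destination inside a VRF with the relay's source address pinned. Addresses, the VRF name and interface numbers are assumed values; FF05::1:3 is the site-scoped All_DHCP_Servers multicast group defined by DHCPv6, not something the page itself states.

```cisco
! Added example (not from the original page). Addresses, VRF name and
! interfaces are assumed.
!
! Client VLAN: two relay destinations on one interface. Every DHCPv6
! message received here (from a client or from another relay) is
! forwarded to both.
interface Vlan100
 ipv6 address 2001:db8:100::1/64
 ! Unicast server; output interface chosen from the routing table.
 ipv6 dhcp relay destination 2001:db8:53::10
 ! Multicast destination needs an output interface; the relay sets the
 ! hop limit to 32 for multicast relays.
 ipv6 dhcp relay destination FF05::1:3 GigabitEthernet3/48
!
! Server reachable only through a management VRF: name the VRF with the
! address and fix the source address the relay uses.
interface Vlan200
 ipv6 address 2001:db8:200::1/64
 ipv6 dhcp relay destination vrf MGMT 2001:db8:ff::10 source-address 2001:db8:200::1
!
! Do not also configure ipv6 dhcp server or a DHCPv6 client on these
! interfaces: client, server and relay are mutually exclusive per interface.
```

Removing the last destination with the no form disables relay on that interface, so when rotating servers add the new destination before removing the old one.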
interface: Configures an interface and enters interface configuration mode.
To enable IP version 6 (IPv6) Multicast Listener Discovery (MLD) snooping globally or on the specified VLAN, use the ipv6 mld snooping command without keywords. To disable MLD snooping on a switch or the VLAN, use the no form of this command.
ipv6 mld snooping [ vlan vlan-id ]
no ipv6 mld snooping [ vlan vlan-id ]
vlan vlan-id: (Optional) Enables or disables IPv6 MLD snooping on the specified VLAN. The VLAN ID range is 1 to 1001 and 1006 to 4094.
MLD snooping is globally disabled on the switch.
MLD snooping is enabled on all VLANs. However, MLD snooping must be globally enabled before VLAN snooping can take place.
When MLD snooping is globally disabled, it is disabled on all the existing VLAN interfaces. When you globally enable MLD snooping, it is enabled on all VLAN interfaces that are in the default state (enabled). VLAN configuration overrides global configuration on interfaces on which MLD snooping has been disabled.
If MLD snooping is globally disabled, you cannot enable it on a VLAN. If MLD snooping is globally enabled, you can disable it on individual VLANs.
VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in MLD snooping.
The following example shows how to globally enable MLD snooping:
The following example shows how to disable MLD snooping on a VLAN:
You can verify your settings by entering the show ipv6 mld snooping user EXEC command.
show ipv6 mld snooping: Displays IP version 6 (IPv6) Multicast Listener Discovery (MLD) snooping configuration of the switch or the VLAN.
To configure the number of IP version 6 (IPv6) Multicast Listener Discovery Multicast Address Specific Queries (MASQs) that are sent before aging out a client, use the ipv6 mld snooping last-listener-query-count command. To reset the query count to the default settings, use the no form of this command.
ipv6 mld snooping [ vlan vlan-id ] last-listener-query-count integer_value
no ipv6 mld snooping [ vlan vlan-id ] last-listener-query-count
vlan vlan-id: (Optional) Configures the last-listener query count on the specified VLAN. The VLAN ID range is 1 to 1001 and 1006 to 4094.
In MLD snooping, the IPv6 multicast switch periodically sends out queries to hosts belonging to the multicast group. If a host wants to leave a multicast group, it can silently leave or it can respond to the query with a Multicast Listener Done message (equivalent to an IGMP Leave message). When Immediate Leave is not configured (it should not be configured if multiple clients for a group exist on the same port), the configured last-listener query count determines the number of MASQs that are sent before an MLD client is aged out.
When the last-listener query count is set for a VLAN, this count overrides the value configured globally. When the VLAN count is not configured (set to the default of 0), the global count is used.
VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in MLD snooping.
The following example shows how to globally set the last-listener query count:
The following example shows how to set the last-listener query count for VLAN 10:
You can verify your settings by entering the show ipv6 mld snooping [ vlan vlan-id ] user EXEC command.
To configure IP version 6 (IPv6) Multicast Listener Discovery (MLD) snooping last-listener query interval on the switch or on a VLAN, use the ipv6 mld snooping last-listener-query-interval command. To reset the query time to the default settings, use the no form of this command.
ipv6 mld snooping [ vlan vlan-id ] last-listener-query-interval integer_value
no ipv6 mld snooping [ vlan vlan-id ] last-listener-query-interval
The default global query interval (maximum response time) is 1000 (1 second).
The default VLAN query interval (maximum response time) is 0 (the global count is used).
The last-listener-query-interval time is the maximum time that a multicast switch waits after issuing a Multicast Address Specific Query (MASQ) before deleting a port from the multicast group.
In MLD snooping, when the IPv6 multicast switch receives an MLD leave message, it sends out queries to hosts belonging to the multicast group. If there are no responses from a port to a MASQ for a length of time, the switch deletes the port from the membership database of the multicast address. The last listener query interval is the maximum time that the switch waits before deleting a nonresponsive port from the multicast group.
When a VLAN query interval is set, the global query interval is overridden. When the VLAN interval is set at 0, the global value is used.
VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in MLD snooping.
The following example shows how to globally set the last-listener query interval to 2 seconds:
The following example shows how to set the last-listener query interval for VLAN 1 to 5.5 seconds:
You can verify your settings by entering the show ipv6 mld snooping [ vlan vlan-id ] user EXEC command.
To enable IP version 6 (IPv6) Multicast Listener Discovery (MLD) snooping listener message suppression, use the ipv6 mld snooping listener-message-suppression command. To disable MLD snooping listener message suppression, use the no form of this command.
ipv6 mld snooping listener-message-suppression
no ipv6 mld snooping listener-message-suppression
The default is for MLD snooping listener message suppression to be disabled.
MLD snooping listener message suppression is equivalent to IGMP snooping report suppression. When it is enabled, received MLDv1 reports for a group are forwarded to IPv6 multicast routers only once in every report-forward time, which prevents the forwarding of duplicate reports.
The following example shows how to enable MLD snooping listener message suppression:
The following example shows how to disable MLD snooping listener message suppression:
You can verify your settings by entering the show ipv6 mld snooping [ vlan vlan-id ] user EXEC command.
To configure the number of IP version 6 (IPv6) Multicast Listener Discovery (MLD) queries that the switch sends before deleting a listener that does not respond, or to enter a VLAN ID to configure the number of queries per VLAN, use the ipv6 mld snooping robustness-variable command. To reset the variable to the default settings, use the no form of this command.
ipv6 mld snooping [ vlan vlan-id ] robustness-variable integer_value
no ipv6 mld snooping [ vlan vlan-id ] robustness-variable
vlan vlan-id: (Optional) Configures the robustness variable on the specified VLAN. The VLAN ID range is 1 to 1001 and 1006 to 4094.
The default global robustness variable (number of queries before deleting a listener) is 2.
The default VLAN robustness variable (number of queries before aging out a multicast address) is 0, which means that the system uses the global robustness variable for aging out the listener.
Robustness is measured by the number of MLDv1 queries sent with no response before a port is removed from a multicast group. A port is deleted when there are no MLDv1 reports received for the configured number of MLDv1 queries. The global value determines the number of queries that the switch waits before deleting a listener that does not respond, and it applies to all VLANs that do not have a VLAN value set.
The robustness value configured for a VLAN overrides the global value. If the VLAN robustness value is 0 (the default), the global value is used.
VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in MLD snooping.
The following example shows how to configure the global robustness variable so that the switch sends out three queries before it deletes a listener port that does not respond:
The following example shows how to configure the robustness variable for VLAN 1. This value overrides the global configuration for the VLAN:
You can verify your settings by entering the show ipv6 mld snooping [ vlan vlan-id ] user EXEC command.
To configure IP version 6 (IPv6) Multicast Listener Discovery (MLD) Topology Change Notifications (TCNs), use the ipv6 mld snooping tcn commands. To reset the default settings, use the no form of the commands.
ipv6 mld snooping tcn { flood query count integer_value | query solicit }
no ipv6 mld snooping tcn { flood query count integer_value | query solicit }
flood query count integer_value: Sets the flood query count, which is the number of queries that are sent before multicast data is again forwarded only to those ports requesting it. The range is 1 to 10.
query solicit: Enables TCN query soliciting.
The following example shows how to enable TCN query soliciting:
The following example shows how to set the flood query count to 5:
You can verify your settings by entering the show ipv6 mld snooping [ vlan vlan-id ] user EXEC command.
show ipv6 mld snooping: Displays IP version 6 (IPv6) MLD snooping configuration of the switch or the VLAN.
To configure IP version 6 (IPv6) Multicast Listener Discovery (MLD) snooping parameters on the VLAN interface, use the ipv6 mld snooping vlan command. To reset the parameters to the default settings, use the no form of this command.
ipv6 mld snooping vlan vlan-id [ immediate-leave | mrouter interface interface-id | static ipv6-multicast-address interface interface-id ]
no ipv6 mld snooping vlan vlan-id [ immediate-leave | mrouter interface interface-id | static ipv6-multicast-address interface interface-id ]
MLD snooping Immediate-Leave processing is disabled.
You should only configure the Immediate-Leave feature when there is only one receiver on every port in the VLAN. The configuration is saved in NVRAM.
The static keyword is used for configuring the MLD member ports statically.
The configuration and the static ports and groups are saved in NVRAM.
VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in MLD snooping.
The following example shows how to enable MLD Immediate-Leave processing on VLAN 1:
The following example shows how to disable MLD Immediate-Leave processing on VLAN 1:
The following example shows how to configure a port as a multicast router (mrouter) port:
The following example shows how to configure a static multicast group:
You can verify your settings by entering the show ipv6 mld snooping vlan vlan-id user EXEC command.
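The following configuration is an added example, not from the original page, that applies the whole family of ipv6 mld snooping commands documented above (global enable, robustness variable, last-listener query count and interval, listener message suppression, TCN handling, and the per-VLAN immediate-leave, mrouter and static options) to one switch, so the global-versus-VLAN override rules can be seen in one place. VLAN IDs, port numbers and the multicast group address are assumed values.

```cisco
! Added example (not from the original page). VLAN IDs, ports and the
! group address are assumed.
!
! Global settings (apply to every VLAN that has no VLAN-specific value).
ipv6 mld snooping
ipv6 mld snooping robustness-variable 3          ! 3 unanswered queries before a listener port is removed
ipv6 mld snooping last-listener-query-count 2    ! 2 MASQs after a Done message before aging out
ipv6 mld snooping last-listener-query-interval 2000   ! wait 2 s (milliseconds) for MASQ replies
ipv6 mld snooping listener-message-suppression  ! forward one MLDv1 report per group per report-forward time
!
! On a spanning-tree topology change, flood multicast for 5 general
! queries, then go back to forwarding only to ports that asked.
ipv6 mld snooping tcn flood query count 5
ipv6 mld snooping tcn query solicit
!
! VLAN 10: one host per port, so Immediate-Leave is safe. VLAN values
! override the global ones; a VLAN value of 0 would mean "use global".
ipv6 mld snooping vlan 10 immediate-leave
ipv6 mld snooping vlan 10 last-listener-query-interval 5500
ipv6 mld snooping vlan 10 robustness-variable 2
!
! VLAN 10 uplink toward the multicast router, and a static member port
! for a group that must always be delivered to Gi3/7 even if the host
! never sends a report.
ipv6 mld snooping vlan 10 mrouter interface GigabitEthernet3/1
ipv6 mld snooping vlan 10 static FF1E::1234 interface GigabitEthernet3/7
!
! VLAN 20 is a server VLAN where snooping must stay off. This only
! works because snooping is globally enabled; the reverse (enable on a
! VLAN while globally disabled) is rejected.
no ipv6 mld snooping vlan 20
!
! Verification (exec mode): show ipv6 mld snooping vlan 10
```

Do not enable immediate-leave on a VLAN where several listeners share a port: the first Done message would remove the port for all of them, which is why the last-listener query count and interval exist.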
To cancel the ISSU upgrade or downgrade process in progress and to restore the Catalyst 4500 series switch to its state before the start of the process, use the issu abortversion command.
issu abortversion active-slot [ active-image-new ]
active-slot: Specifies the slot number for the current standby supervisor engine.
active-image-new: (Optional) Name of the new image present in the current standby supervisor engine.
This command was introduced on the Catalyst 4500 series switch.
You can use the issu abortversion command at any time before the issu commitversion command to stop the ISSU process; issu commitversion completes the process and cannot be undone. Before any action is taken, a check ensures that both supervisor engines are either in the run version (RV) or load version (LV) state.
When the issu abortversion command is entered before the issu runversion command, the standby supervisor engine is reset and reloaded with the old image. When it is entered after the issu runversion command, a switchover back to the supervisor engine running the old image takes place, and the new standby supervisor engine is reset and reloaded with the old image.
The following example shows how you can reset and reload the standby supervisor engine:
To halt the rollback timer and ensure that the new Cisco IOS software image is not automatically rolled back during the ISSU process, use the issu acceptversion command.
issu acceptversion active-slot [ active-image-new ]
active-slot: Specifies the slot number for the currently active supervisor engine.
active-image-new: (Optional) Name of the new image on the currently active supervisor engine.
By default, the rollback timer expires 45 minutes after you enter the issu runversion command, and the upgrade is rolled back automatically.
This command was introduced on the Catalyst 4500 series switch.
After you are satisfied with the new image and have confirmed the new supervisor engine is reachable by both the console and the network, enter the issu acceptversion command to halt the rollback timer. If the issu acceptversion command is not entered within 45 minutes from the time the issu runversion command is entered, the entire ISSU process is automatically rolled back to the previous version of the software. The rollback timer starts immediately after you enter the issu runversion command.
If the rollback timer expires before the standby supervisor engine reaches the hot-standby state, the timer is automatically extended by up to 15 minutes. If the standby supervisor engine reaches the hot-standby state within this extension, or the 15-minute extension expires, the switch aborts the ISSU process. During the extension, a warning message that requires your intervention is displayed every minute.
If the rollback timer is set to a long period of time, such as the default of 45 minutes, and the standby supervisor engine goes into the hot standby state in 7 minutes, you have 38 minutes (45 minus 7) to roll back if necessary.
Use the issu set rollback-timer to configure the rollback timer.
The following example shows how to halt the rollback timer and allow the ISSU process to continue:
To load the new Cisco IOS software image into the new standby supervisor engine, use the issu commitversion command.
issu commitversion standby-slot [standby-image-new]
standby-slot: Specifies the slot number for the current standby supervisor engine.
standby-image-new: (Optional) Name of the new image on the current standby supervisor engine.
This command was introduced on the Catalyst 4500 series switch.
The issu commitversion command verifies that the standby supervisor engine has the new Cisco IOS software image in its file system and that both supervisor engines are in the run version (RV) state. If these conditions are met, the following actions take place:
Entering the issu commitversion command completes the In Service Software Upgrade (ISSU) process. This process cannot be stopped or reverted to its original state without starting a new ISSU process.
Entering the issu commitversion command without first entering the issu acceptversion command is equivalent to entering both commands. Use the issu commitversion command if you do not intend to run in the current state for an extended period of time and are satisfied with the new software version.
The following example shows how you can configure the standby supervisor engine to be reset and reloaded with the new Cisco IOS software version:
To start the ISSU process, use the issu loadversion command.
issu loadversion active-slot active-image-new standby-slot standby-image-new [ force ]
This command was introduced on the Catalyst 4500 series switch.
The issu loadversion command causes the standby supervisor engine to be reset and booted with the new Cisco IOS software image specified by the command. If both the old image and the new image are ISSU capable, ISSU compatible, and have no configuration mismatches, the standby supervisor engine moves into Stateful Switchover (SSO) mode, and both supervisor engines move into the load version (LV) state.
It will take several seconds after the issu loadversion command is entered for Cisco IOS software to load onto the standby supervisor engine and the standby supervisor engine to transition to SSO mode.
The following example shows how to initiate the ISSU process:
To force a change from the active supervisor engine to the standby supervisor engine and to cause the newly active supervisor engine to run the new image specified in the issu loadversion command, use the issu runversion command.
issu runversion standby-slot [ standby-image-new ]
standby-image-new: (Optional) Specifies the name of the new image on the standby supervisor engine.
This command was introduced on the Catalyst 4500 series switch.
The issu runversion command forces a switchover: the standby supervisor engine, which is running the new image, becomes the active supervisor engine, and the former active supervisor engine is reset and reloaded with the old image so that it becomes the standby. As soon as that supervisor engine reaches the standby state, the rollback timer starts.
The following example shows how to force a change of the active-supervisor engine to standby-supervisor engine:
To configure the In Service Software Upgrade (ISSU) rollback timer value, use the issu set rollback-timer command.
issu set rollback-timer seconds
seconds: Specifies the rollback timer value, in seconds. The valid range is from 0 to 7200 seconds (2 hours). A value of 0 disables the rollback timer.
This command was introduced on the Catalyst 4500 series switch.
Use the issu set rollback-timer command to configure the rollback timer value. This command is accepted only when the supervisor engines are in the init state.
The following example shows how you can set the rollback timer value to 3600 seconds, or 1 hour:
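The ISSU commands above are steps of one procedure, so the following session is an added example, not taken from the original page, that runs them in order on a chassis with the active supervisor engine in slot 1 and the standby in slot 2. The slot numbers, the image file name new-image.bin, the bootflash: and slavebootflash: file systems and the prompt name are assumed values. The integrity check before issu loadversion and the show issu state command are general IOS commands, not part of the ISSU command set the page documents.

```cisco
! Added example (not from the original page). Slots, image name, file
! systems and prompt are assumed. Active = slot 1, standby = slot 2.
!
! 0. Check the image you copied before you boot anything from it, and
!    set a rollback timer (allowed only while both supervisors are in
!    the init state). 3600 s instead of the default 45 minutes.
Switch# verify /md5 bootflash:new-image.bin
Switch# configure terminal
Switch(config)# issu set rollback-timer 3600
Switch(config)# end
!
! 1. Load: standby (slot 2) reloads with the new image; when both images
!    are ISSU compatible, both supervisors enter the LV state.
Switch# issu loadversion 1 bootflash:new-image.bin 2 slavebootflash:new-image.bin
Switch# show issu state detail
!
! 2. Run: switchover to slot 2 (new image). Slot 1 reloads with the old
!    image and becomes standby; the rollback timer starts when it does.
!    Reconnect to the console of the new active supervisor for step 3.
Switch# issu runversion 2 slavebootflash:new-image.bin
!
! 3. Accept: stop the rollback timer once console and network access to
!    the new active supervisor are confirmed (within the timer window).
Switch# issu acceptversion 2 bootflash:new-image.bin
!
! 4. Commit: standby (slot 1) reloads with the new image. No rollback
!    is possible after this point.
Switch# issu commitversion 1 slavebootflash:new-image.bin
!
! Alternative to step 4, at any point before commitversion: abort.
! Entered after runversion it switches back to the old image on slot 1
! and reloads slot 2 with the old image.
Switch# issu abortversion 2 bootflash:new-image.bin
```

If the rollback timer is set to 0 the automatic safety net is gone: a lost console session after issu runversion then leaves the switch running the new image until someone enters issu acceptversion or issu abortversion by hand.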
To configure a device as an Ingress Tunnel Router (ITR) use the itr command in the service mode or instance-service submode.
[no] itr
Use this command to enable a device to perform the ITR functionality.
Use the no form of the command to remove the ITR functionality.
The following example shows how to enable the ITR functionality:
To configure a device as a map resolver to be used by an Ingress Tunnel Router (ITR) when sending map-requests, use the itr map-resolver command in the service mode or instance-service submode.
[no] itr map-resolver map-address
map-address: Map-resolver address to which map requests are sent.
Use this command to configure map-resolver ITRs.
Use the no form of the command to remove the map-resolver functionality.
A device configured as a map resolver accepts encapsulated Map-Request messages from ITRs, decapsulates those messages, and forwards them to the map server responsible for the egress tunnel routers (ETRs) that are authoritative for the requested EIDs.
The following example shows how to configure an ITR to use the map-resolver located at 2.1.1.6 when sending map request messages.
To create or modify a MACsec keychain and enter keychain-macsec configuration mode, use the key chain key-chain-name macsec command. To remove the keychain, use the no form of this command.
key chain key-chain-name macsec
key-chain-name: Specifies the name of the keychain. The maximum length is 32 characters.
This command was introduced on the Cisco Catalyst 4500-E and 4500-X series switches.
The following example shows how to create a MACsec keychain named mac_chain and enter keychain-macsec configuration mode:
Switch(config)# key chain mac_chain macsec
Switch(config-keychain-macsec)#
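The page only shows the command that creates the keychain, so the following is an added example, not from the original page, of what a practitioner puts inside it: two keys, each identified by its connectivity association key name (CKN) and carrying a connectivity association key (CAK), with overlapping lifetimes so the link can roll from one key to the next without losing MACsec. The key, cryptographic-algorithm, key-string and lifetime subcommands in keychain-macsec mode, the CKN values 01 and 02, the algorithm keyword and the dates are assumptions about the platform; the CAK hex strings are placeholders and must be replaced by locally generated random values.

```cisco
! Added example (not from the original page). Subcommands, CKNs,
! algorithm keyword and dates are assumed; CAK values are placeholders.
key chain mac_chain macsec
 ! Key 01: CKN "01", 128-bit CAK, valid for calendar year 2024.
 key 01
  cryptographic-algorithm aes-128-cmac
  key-string 0123456789abcdef0123456789abcdef
  lifetime local 00:00:00 Jan 1 2024 23:59:59 Dec 31 2024
 ! Key 02: overlaps key 01 by one month so both peers can move to it
 ! before key 01 expires; no end date.
 key 02
  cryptographic-algorithm aes-128-cmac
  key-string fedcba9876543210fedcba9876543210
  lifetime local 00:00:00 Dec 1 2024 infinite
```

Both ends of the link need the same CKN/CAK pairs and lifetimes, and the switch clock must be correct for the lifetimes to roll at the same moment on both peers. Once the CAK is in the configuration, the running and startup configuration files are secrets and should be handled (backups, TACACS+ command accounting, show run output in tickets) accordingly.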
To enable protocol tunneling on an interface, use the l2protocol-tunnel command. You can enable tunneling for the Cisco Discovery Protocol (CDP), Spanning Tree Protocol (STP), or VLAN Trunking Protocol (VTP) packets. To disable tunneling on the interface, use the no form of this command.
l2protocol-tunnel [ cdp | stp | vtp ]
no l2protocol-tunnel [ cdp | stp | vtp ]
The default is that no Layer 2 protocol packets are tunneled.
This command was introduced on the Catalyst 4500 series switch.
You must enter this command, with or without protocol types, to tunnel Layer 2 packets.
Layer 2 protocol tunneling across a service-provider network ensures that Layer 2 information is propagated across the network to all customer locations. When protocol tunneling is enabled, protocol packets are encapsulated with a well-known Cisco multicast address for transmission across the network. When the packets reach their destination, the well-known MAC address is replaced by the Layer 2 protocol MAC address.
You can enable Layer 2 protocol tunneling for CDP, STP, and VTP individually or for all three protocols.
The following example shows how to enable protocol tunneling for the CDP packets:
Switch(config-if)# l2protocol-tunnel cdp
Switch(config-if)#
To configure the class of service (CoS) value for all tunneled Layer 2 protocol packets, use the l2protocol-tunnel cos command. To return to the default value, use the no form of this command.
l2protocol-tunnel cos value
no l2protocol-tunnel cos
value: Specifies the CoS priority value for tunneled Layer 2 protocol packets. The range is 0 to 7, with 7 being the highest priority.
The default is to use the CoS value that is configured for data on the interface. If no CoS value is configured, the default is 5 for all tunneled Layer 2 protocol packets.
This command was introduced on the Catalyst 4500 series switch.
When enabled, the tunneled Layer 2 protocol packets use this CoS value.
The following example shows how to configure a Layer 2 protocol tunnel CoS value of 7:
Switch(config)# l2protocol-tunnel cos 7
Switch(config)#
l2protocol-tunnel drop-threshold: Sets a drop threshold for the maximum rate of Layer 2 protocol packets per second to be received before an interface drops packets.
To set a drop threshold for the maximum rate of Layer 2 protocol packets per second to be received before an interface drops packets, use the l2protocol-tunnel drop-threshold command. You can set the drop threshold for the Cisco Discovery Protocol (CDP), Spanning Tree Protocol (STP), or VLAN Trunking Protocol (VTP) packets. To disable the drop threshold on the interface, use the no form of this command.
l2protocol-tunnel drop-threshold [ cdp | stp | vtp ] value
no l2protocol-tunnel drop-threshold [ cdp | stp | vtp ] value
The default is no drop threshold for Layer 2 protocol packets.
This command was introduced on the Catalyst 4500 series switch.
The l2protocol-tunnel drop-threshold command controls the number of protocol packets per second that are received on an interface before it drops packets. When no protocol option is specified with a keyword, the threshold is applied to each of the tunneled Layer 2 protocol types. If you also set a shutdown threshold on the interface, the drop-threshold value must be less than or equal to the shutdown-threshold value.
When the drop threshold is reached, the interface drops the Layer 2 protocol packets until the rate at which they are received is below the drop threshold.
The following example shows how to configure the drop threshold rate:
Switch(config-if)# l2protocol-tunnel drop-threshold cdp 50
Switch(config-if)#
l2protocol-tunnel cos: Configures the class of service (CoS) value for all tunneled Layer 2 protocol packets.
To set the maximum rate of Layer 2 protocol packets per second that an interface accepts for encapsulation before it shuts down, use the l2protocol-tunnel shutdown-threshold command. You can set the threshold for the Cisco Discovery Protocol (CDP), Spanning Tree Protocol (STP), or VLAN Trunking Protocol (VTP) packets. To disable the shutdown threshold on the interface, use the no form of this command.
l2protocol-tunnel shutdown-threshold [ cdp | stp | vtp ] value
no l2protocol-tunnel shutdown-threshold [ cdp | stp | vtp ] value
Specifies a threshold in packets per second to be received for encapsulation before the interface shuts down. The range is 1 to 4096. The default is no threshold. |
The default is no shutdown threshold for the number of Layer 2 protocol packets.
This command was introduced on the Catalyst 4500 series switch.
The l2protocol-tunnel shutdown-threshold command controls the number of protocol packets per second that are received on an interface before it shuts down. When no protocol option is specified with the keyword, the threshold is applied to each of the tunneled Layer 2 protocol types. If you also set a drop threshold on the interface, the shutdown-threshold value must be greater than or equal to the drop-threshold value.
When the shutdown threshold is reached, the interface is error disabled. If you enable error recovery by entering the errdisable recovery cause l2ptguard command, the interface is brought out of the error-disabled state and allowed to retry once all causes have timed out. If error recovery is not enabled for l2ptguard, the interface stays in the error-disabled state until you enter the shutdown and no shutdown commands.
The following example shows how to configure the maximum rate:
Switch(config-if)# l2protocol-tunnel shutdown-threshold cdp 50
Switch(config-if)#
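The two thresholds are meant to be used together on a tunnel port: the drop threshold absorbs a burst, the shutdown threshold catches a customer device that floods BPDUs or CDP, and errdisable recovery brings the port back without operator action. The following configuration is an added example and is not from the original command reference; the interface name, the threshold values and the recovery interval are assumptions.

```cisco
! Added example: provider-edge tunnel port facing one customer site.
! Interface name, threshold values and recovery interval are assumptions.
interface GigabitEthernet1/1
 description Customer A - Layer 2 protocol tunnel
 switchport
 switchport mode dot1q-tunnel
 l2protocol-tunnel cdp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp
 ! Per protocol, drop-threshold must be <= shutdown-threshold.
 ! STP: drop above 100 pps, err-disable the port above 1000 pps.
 l2protocol-tunnel drop-threshold stp 100
 l2protocol-tunnel shutdown-threshold stp 1000
 ! CDP and VTP are low-rate protocols; a sustained flood is a misbehaving device.
 l2protocol-tunnel drop-threshold cdp 50
 l2protocol-tunnel shutdown-threshold cdp 100
 l2protocol-tunnel drop-threshold vtp 50
 l2protocol-tunnel shutdown-threshold vtp 100
!
! Recover from an l2ptguard err-disable after 5 minutes instead of waiting for
! shutdown / no shutdown; the port is err-disabled again if the flood continues.
errdisable recovery cause l2ptguard
errdisable recovery interval 300
```

Check the result with show l2protocol-tunnel (per-port drop and shutdown thresholds and counters) and show errdisable recovery (l2ptguard listed as a recoverable cause).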
To define the minimum number of LACP ports that must be in the link-up state and bundled in the EtherChannel for the port channel to become active, use the port-channel min-links command in interface configuration mode. To return to the default setting, use the no form of this command.
port-channel min-links number
no port-channel min-links
number: The minimum number of active LACP ports in the port channel. The range is 2 to 8. The default is 1.
For switches in VSS mode, when configuring min-links, ensure that the port-channel has the same number of links on the active switch and the standby switch.
The following example shows how to specify a minimum of three active LACP ports before port channel 2 becomes active:
To set the LACP priority for the physical interfaces, use the lacp port-priority command.
lacp port-priority priority
priority: Priority for the physical interfaces; valid values are from 1 to 65535.
This command was introduced on the Catalyst 4500 series switch.
You must assign each port in the switch a port priority that can be specified automatically or by entering the lacp port-priority command. The port priority is used with the port number to form the port identifier. The port priority is used to decide which ports should be put in standby mode when there is a hardware limitation that prevents all compatible ports from aggregating.
This command is entered in interface configuration mode and is supported only on LACP-enabled physical interfaces; the priority value applies only to port channels that bundle LACP-enabled physical interfaces.
When setting the priority, the higher numbers indicate lower priorities.
The following example shows how to set the priority for the interface:
Assigns and configures an EtherChannel interface to an EtherChannel group.
To set the rate at which Link Aggregation Control Protocol (LACP) control packets are received by an LACP-supported interface, use the lacp rate command in interface configuration mode. To return to the default settings, use the no form of this command.
lacp rate { normal | fast }
no lacp rate
normal: Specifies that LACP control packets are received at the normal rate (every 30 seconds).
fast: Specifies that LACP control packets are received at the fast rate (once every 1 second).
Using the lacp rate command, you can set the LACP rate to a default of 30 seconds or to the fast rate of 1 second. This command is supported only on LACP-enabled interfaces.
The following example shows how to set the lacp rate for an interface:
To set the priority of the system for LACP, use the lacp system-priority command.
lacp system-priority priority
This command was introduced on the Catalyst 4500 series switch.
You must assign each switch that is running LACP a system priority that can be specified automatically or by entering the lacp system-priority command. The system priority is used with the switch MAC address to form the system ID and is also used during negotiation with other systems.
Although this command is a global configuration command, the priority value is supported on port channels with LACP-enabled physical interfaces.
When setting the priority, the higher numbers indicate lower priorities.
You can also enter the lacp system-priority command in interface configuration mode. After you enter the command, the system defaults to global configuration mode.
The following example shows how to set the system priority:
Assigns and configures an EtherChannel interface to an EtherChannel group.
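The four LACP commands above (system-priority, port-priority, rate, min-links) act on different objects: the system priority is global, the port priority and rate sit on the physical members, and min-links sits on the port-channel interface. The following configuration is an added example that is not from the original command reference and shows how they fit together on one bundle; the interface names and the numeric values are assumptions.

```cisco
! Added example: four-port LACP bundle between this switch and a core switch.
! Interface names and numeric values are assumptions.
!
! Global: the system with the lower priority (then the lower MAC) makes the
! bundling decisions; 100 beats the LACP default of 32768.
lacp system-priority 100
!
interface range GigabitEthernet1/1 - 4
 description Uplink bundle to core (Po2)
 channel-protocol lacp
 channel-group 2 mode active
 ! Fast rate: 1-s LACPDUs, so a silent peer is detected in 3 s instead of 90 s.
 lacp rate fast
!
! If a hardware limit forces some members into standby, the lowest
! port-priority value is bundled first: prefer 1/1 and 1/2 over 1/3 and 1/4.
interface range GigabitEthernet1/1 - 2
 lacp port-priority 100
interface range GigabitEthernet1/3 - 4
 lacp port-priority 200
!
! Take Po2 down (so routing fails over) when fewer than three members are up,
! rather than squeezing the full load through one or two surviving links.
interface Port-channel2
 port-channel min-links 3
```

Verify with show lacp sys-id (system priority and ID), show lacp neighbor (the rate and port priorities each side advertises) and show etherchannel summary (whether Po2 is up given the min-links requirement).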
To order and activate a specific license type and level, and then to manage license usage on your switch, use the license right-to-use activate command, in privileged EXEC mode.
license right-to-use activate [ add-on { dna-advantage | dna-essentials }{ evaluation | subscription }| entservices | internal_service | ipbase | lanbase ][ accepteula ]
This command applies only to Cisco Catalyst 4500E Series Switches with Supervisor Engines 7-E, 7L-E, 8-E, 8L-E, and 9-E and Cisco Catalyst 4500-X Series Switches.
Use this command to activate RTU licenses that are inactive.
Downloading the license file from the Cisco portal and installing the license is not required: the RTU licenses are bundled with the image. Because the RTU license has the highest precedence, when an RTU license is activated, other licenses for the same feature switch to the inactive state.
The types of licenses available to order by duration are:
You must have activated a base license before you activate an add-on license. Only certain base and add-on license combinations are permitted. See the software configuration guide for this information.
When activating an add-on license level, you do not have to reload the switch.
Evaluation licenses are available with base and add-on licenses, and cannot be ordered. They can be activated temporarily, without purchase. Warning system messages about evaluation license expiry are generated 10 and 5 days before the end of the 90-day window, and every day after the 90-day period. An expired evaluation license cannot be reactivated after a reload.
The following example shows how to activate a base RTU license:
The following example shows how to activate an add-on RTU license:
To deactivate the RTU license, use the license right-to-use deactivate command.
license right-to-use deactivate [ add-on { dna-advantage | dna-essentials } | entservices | internal_service | ipbase | lanbase ]
Use this command to deactivate RTU licenses that are active.
An RTU license can be deactivated only if another valid license is available for the same feature. For example, to deactivate an entservices RTU license, the switch must contain a valid evaluation license for that feature; otherwise, the deactivation fails.
The following example shows how to deactivate RTU licenses:
To configure the link state group, use the link state group command in interface configuration mode.
link state group [ number ] { upstream | downstream }
The upper limit of the group number values was increased from 10 to 20.
You can configure a maximum of 20 link state groups per switch.
To disable a link-state group, use the no link state track number global configuration command.
The following example shows how to configure the link state groups.
Configures the link state group and enables link state tracking.
To configure the link state group and enable link state tracking, use the link state track command in global configuration mode.
link state track [ number ]
no link state track [ number ]
number: Specifies a link-state group and enables link state tracking. Valid values are from 1 to 20; the default value is 1.
The upper limit of the group number values was increased from 10 to 20.
When you configure LST for the first time, add upstream interfaces to the link state group before adding the downstream interface, otherwise the downstream interfaces move into the error-disable mode.
To restore the default link-state track, use the no link state track number global configuration command.
The following example shows how to configure the link state tracking number.
Configures the link state group and the interface as either an upstream or downstream interface in the group.
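Link state tracking is typically used so that dual-homed servers notice a dead uplink: when every upstream interface in the group goes down, the switch error-disables the downstream interfaces and the servers' NIC teaming fails over to the other switch. The following configuration is an added example, not from the original command reference, and respects the ordering rule above (upstream before downstream); the interface names are assumptions.

```cisco
! Added example: link state group 1 ties the server-facing ports to the uplink.
! Interface names are assumptions.
link state track 1
!
! Add the upstream interface first. Adding downstream ports before any upstream
! interface exists in the group puts them straight into the error-disabled state.
interface TenGigabitEthernet1/1
 description Uplink to distribution
 link state group 1 upstream
!
interface range GigabitEthernet2/1 - 24
 description Dual-homed servers
 link state group 1 downstream
```

show link state group detail lists the group, its upstream and downstream members and their state; a downstream port that shows as error-disabled right after configuration usually means it was added before the upstream interface.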
To enable power negotiation through LLDP, use the lldp tlv-select power-management command in interface configuration mode.
lldp tlv-select power-management
This command was introduced on the Catalyst 4500 series switch.
Disable this feature if you do not want to perform power negotiation through LLDP.
This feature is not supported on ports that are not PoE+ (POEP) capable; the CLI is suppressed on such ports and the TLV is not exchanged.
The following example shows how to enable LLDP power negotiation on interface Gigabit Ethernet 3/1:
To mark a locator-set as default, use the locator default-set command at the router-lisp level.
locator default-set rloc-set-name
The locator-set configured as default with the locator default-set command applies to all services and instances.
To specify a locator-set and enter the locator-set configuration mode, use the locator-set command at the router-lisp level.
You must first define the locator-set before referring to it.
To change the default switch-wide global link-status event messaging settings, use the logging event link-status global command. Use the no form of this command to disable the link-status event messaging.
logging event link-status global
no logging event link-status global
This command was introduced on the Catalyst 4500 series switch.
If link-status logging event is not configured at the interface level, this global link-status setting takes effect for each interface.
The following example shows how to globally enable link status message on each interface:
To enable the link-status event messaging on an interface, use the logging event link-status command. Use the no form of this command to disable link-status event messaging. Use the logging event link-status use-global command to apply the global link-status setting.
logging event link-status
no logging event link-status
logging event link-status use-global
This command was introduced on the Catalyst 4500 series switch.
To enable system logging of interface state-change events on a specific interface, enter the logging event link-status command in interface configuration mode.
To enable system logging of interface state-change events on all interfaces in the system, enter the logging event link-status global command in global configuration mode. All interfaces without the state change event configuration use the global setting.
The following example shows how to enable logging event state-change events on interface gi11/1:
The following example shows how to turn off logging event link status regardless of the global setting:
The following example shows how to enable the global event link-status setting on interface gi11/1:
Changes the default switch-wide global link-status event messaging settings.
To enable the trunk-status event messaging globally, use the logging event trunk-status global command. Use the no form of this command to disable trunk-status event messaging.
logging event trunk-status global
no logging event trunk-status global
This command was introduced on the Catalyst 4500 series switch.
If trunk-status logging event is not configured at the interface level, the global trunk-status setting takes effect for each interface.
The following example shows how to globally enable trunk-status messaging on each interface:
To enable the trunk-status event messaging on an interface, use the logging event trunk-status command. Use the no form of this command to disable the trunk-status event messaging. Use the logging event trunk-status use-global command to apply the global trunk-status setting.
logging event trunk-status
no logging event trunk-status
logging event trunk-status use-global
This command was introduced on the Catalyst 4500 series switch.
To enable system logging of trunk state-change events on a specific interface, enter the logging event trunk-status command in interface configuration mode.
To enable system logging of trunk state-change events on all interfaces in the system, enter the logging event trunk-status global command in global configuration mode. All interfaces without the state change event configuration use the global setting.
The following example shows how to enable logging event state-change events on interface gi11/1:
The following example shows how to turn off logging event trunk status regardless of the global setting:
The following example shows how to enable the global event trunk-status setting on interface gi11/1:
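Both the link-status and trunk-status commands follow the same three-way model: a global default, a per-interface override (on or off), and use-global to hand an interface back to the default. For a detection pipeline that wants to see ports and trunks going up and down, the usual shape is "on everywhere, off on the few ports that are expected to flap". The following configuration is an added example covering both command families; it is not from the original command reference, and the interface names and the syslog collector address are assumptions.

```cisco
! Added example: make port and trunk state changes visible to the SIEM.
! Interface names and the collector address are assumptions.
!
! Default for every interface: log link-state and trunk-state changes.
logging event link-status global
logging event trunk-status global
!
! Ship the messages off-box. Link changes arrive as %LINK-3-UPDOWN and
! %LINEPROTO-5-UPDOWN, so a trap level of 'informational' catches both.
logging host 192.0.2.10
logging trap informational
!
! A lab port that flaps all day would only add noise: override the global setting.
interface GigabitEthernet2/24
 description Lab bench - flapping is expected here
 no logging event link-status
 no logging event trunk-status
!
! Uplinks should follow the global setting; saying so explicitly survives a later
! change to the global default and documents the intent in the running config.
interface TenGigabitEthernet1/1
 description Uplink trunk to core
 logging event link-status use-global
 logging event trunk-status use-global
```

A port that is switched off this way still shows its state in show interfaces; only the syslog messages are suppressed, so the override is safe to apply to ports you deliberately do not want to alert on.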
To enable and configure MAC authentication bypass (MAB) on a port, use the mab command in interface configuration mode. To disable MAB, use the no form of this command.
mab [ eap ]
no mab [ eap ]
Note The mab command is totally independent of the effect of the dot1x system-auth-control command.
eap: (Optional) Specifies that a full EAP conversation should be used, as opposed to the standard RADIUS Access-Request, Access-Accept conversation.
When a port is configured for MAB as a fallback method, it operates as a typical 802.1X port until a configurable number of attempts to request the identity of the host have failed. The authenticator then learns the MAC address of the host and uses it to query the authentication server to determine whether that MAC address is granted access.
The following example shows how to enable MAB on a port:
The following example shows how to enable and configure MAB on a port:
The following example shows how to disable MAB on a port:
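The "configurable number of failed attempts" in the paragraph above is the 802.1X identity-request retry budget on the port; MAB only starts once that budget is exhausted. The following configuration is an added example of the fallback arrangement and is not from the original command reference; the RADIUS server address, the shared secret, the VLAN and the interface name are assumptions.

```cisco
! Added example: 802.1X with MAB as the fallback for devices that cannot speak EAP
! (printers, badge readers). RADIUS address, secret, VLAN and interface are assumptions.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.20 key ExampleSharedSecret
! Enables 802.1X globally; as noted above, the mab command itself does not depend on this.
dot1x system-auth-control
!
interface GigabitEthernet2/1
 description Printer - 802.1X first, MAB fallback
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 ! Try 802.1X first and fall back to MAB only after 802.1X gives up.
 authentication order dot1x mab
 authentication priority dot1x mab
 dot1x pae authenticator
 ! Fallback trigger: the initial EAP-Request/Identity plus 2 retries, 10 s apart,
 ! so a MAB-only device is authorised about 30 s after link-up.
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 mab
```

show authentication sessions interface GigabitEthernet2/1 shows which method (dot1x or mab) authorised the current session. Keep in mind what MAB proves: only that the RADIUS server knows the MAC address, which any host on the segment can copy, so MAB ports should get the tightest authorisation (VLAN, downloadable ACL) the server can return rather than the same access as an 802.1X-authenticated user.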
Use the mab logging verbose global configuration command to filter detailed information from MAC authentication bypass (MAB) system messages.
mab logging verbose
This command filters details, such as anticipated success, from MAC authentication bypass (MAB) system messages.
To filter verbose MAB system messages:
You can verify your settings by entering the show running-config privileged EXEC command.
To define the extended MAC access lists, use the mac access-list extended command. To remove the MAC access lists, use the no form of this command.
mac access-list extended name
no mac access-list extended name
This command was introduced on the Catalyst 4500 series switch.
When you enter the ACL name, follow these naming conventions:
When you enter the mac access-list extended name command, you use the following subset to create or delete entries in a MAC layer access list:
[ no ] { permit | deny } {{ src-mac mask | any } [ dest-mac mask ]} [ protocol-family { appletalk | arp-non-ipv4 | decnet | ipx | ipv6 | rarp-ipv4 | rarp-non-ipv4 | vines | xns } | <arbitrary ethertype> | name-coded ethertype].
Table 2-10 describes the syntax of the mac access-list extended subcommands.

| Syntax | Description |
|---|---|
| <arbitrary ethertype> | (Optional) Specifies an arbitrary ethertype in the range 1536 to 65535 (decimal or hexadecimal). |
| dest-mac mask | (Optional) Specifies a destination MAC address in the form dest-mac-address dest-mac-address-mask. |
| name-coded ethertype | (Optional) Denotes a predefined name-coded ethertype for common protocols: dec-spanning (DEC Spanning Tree), mop-console (DEC MOP Remote Console). |
| protocol-family | (Optional) Name of the protocol family. Table 2-11 lists which packets are mapped to a particular protocol family. |
| src-mac mask | Source MAC address in the form source-mac-address source-mac-address-mask. |
Table 2-11 describes mapping an Ethernet packet to a protocol family.

| Protocol family | Ethernet packet mapped to the family |
|---|---|
| arp-non-ipv4 | Ethertype 0x0806 with an ARP protocol header for a non-IP protocol |
| rarp-non-ipv4 | Ethertype 0x8035 with a RARP protocol header for a non-IPv4 protocol |
When you enter the src-mac mask or dest-mac mask value, follow these guidelines:
The following example shows how to create a MAC layer access list named mac_layer that denies traffic from 0000.4700.0001, which is going to 0000.4700.0009, and permits all other traffic:
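The mac_layer list described above, written out and applied to a port, as an added example that is not the command reference's own. The interface name is an assumption, and so is the mask convention the example relies on: as with IP wildcard masks, a 0 bit must match and a 1 bit is a wildcard, so 0.0.0 means "this exact MAC address".

```cisco
! Added example: the mac_layer list described in the text.
! Interface name is an assumption; masks use 1 bits as wildcards (0.0.0 = exact match).
mac access-list extended mac_layer
 ! Frames from 0000.4700.0001 destined to 0000.4700.0009 are dropped ...
 deny 0000.4700.0001 0.0.0 0000.4700.0009 0.0.0
 ! ... and everything else (the implicit deny would otherwise drop it) is permitted.
 permit any any
!
! A second list for a user-facing port: drop legacy non-IP protocol families
! the port should never carry, using the protocol-family keyword from Table 2-10.
mac access-list extended no-legacy-l2
 deny any any protocol-family ipx
 deny any any protocol-family appletalk
 deny any any protocol-family decnet
 deny any any protocol-family vines
 deny any any protocol-family xns
 permit any any
!
! A MAC ACL is applied inbound on a Layer 2 switch port, not on an SVI.
interface GigabitEthernet2/1
 switchport mode access
 mac access-group mac_layer in
```

show mac access-group interface GigabitEthernet2/1 confirms which list is bound to the port, and show access-lists mac_layer shows the entries; remember that a MAC ACL matches on Ethernet header fields only, so it cannot replace an IP ACL for anything above Layer 2.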
To specify a Media Access Control (MAC) address to use as the common router MAC address for interfaces on the active and standby chassis, use the mac-address virtual switch configuration submode command. To return to the default setting, use the no form of this command.
mac-address { mac-address | use-virtual | chassis }
no mac-address { mac-address | use-virtual | chassis }
use-virtual: Specifies the MAC address range reserved for the virtual switch system (VSS).
By default, the router MAC address is derived from the Cisco pool of virtual switch specific MAC addresses intended for domains 1 to 255.
This command is entered in virtual switch configuration submode (config-vs-domain).
This command was introduced on the Catalyst 4500 series switch.
When a virtual switch boots, the router MAC address is derived from the Cisco pool of virtual switch specific MAC addresses. The router address is used as the common router MAC address for interfaces on both the active and the standby chassis. Between switchovers, this MAC address is maintained on the new active switch. You can enter the mac-address mac-address command to specify a MAC address to use or the mac-address use-virtual command to use the MAC address range reserved for the VSS.
The MAC address range reserved for the VSS is derived from a reserved pool of addresses with the domain ID encoded in the leading 6 bits of the last octet and the trailing 2 bits of the previous octet of the MAC address. The last two bits of the first octet are allocated for the protocol MAC address, which is derived by adding the protocol ID (0 to 3) to the router MAC address.
Note You must reload the virtual switch for the new router MAC address to take effect. If the MAC address you configured is different from the current MAC address, the following message is displayed:
The following example shows how to specify the MAC address to use in hexadecimal format:
Router(config)# switch virtual domain test-mac-address
Router(config-vs-domain)# mac-address 0000.0000.0000
Router(config-vs-domain)#
The following example shows how to specify the MAC address range reserved for the VSS:
Router(config)# switch virtual domain test-mac-address
Router(config-vs-domain)# mac-address use-virtual
Router(config-vs-domain)#
Assigns a switch number and enters virtual switch domain configuration submode.
To configure the aging time for the entries in the Layer 2 table, use the mac-address-table aging-time command. To reset the seconds value to the default setting, use the no form of this command.
mac-address-table aging-time seconds [ vlan vlan_id ]
no mac-address-table aging-time seconds [ vlan vlan_id ]
seconds: Aging time in seconds; valid values are 0 and from 10 to 1000000 seconds.
vlan vlan_id: (Optional) Single VLAN number or a range of VLANs; valid values are from 1 to 4094.
This command was introduced on the Catalyst 4500 series switch.
If you do not enter a VLAN, the change is applied to all routed-port VLANs.
The following example shows how to configure the aging time to 400 seconds:
Switch(config)# mac-address-table aging-time 400
Switch(config)#
The following example shows how to disable aging:
Switch(config)# mac-address-table aging-time 0
Switch(config)#
To enable the learning of MAC addresses in both the “ip” and “other” protocol buckets, even though the incoming packet may belong to only one of the protocol buckets, use the mac-address-table dynamic group protocols command. To disable grouped learning, use the no form of this command.
mac-address-table dynamic group protocols { ip | other } { ip | other }
no mac-address-table dynamic group protocols { ip | other } { ip | other }
This command was introduced on the Catalyst 4500 series switch.
The entries within the “ip” and “other” protocol buckets are created according to the protocol of the incoming traffic.
When you use the mac-address-table dynamic group protocols command, an incoming MAC address that might belong to either the “ip” or the “other” protocol bucket, is learned on both protocol buckets. Therefore, any traffic destined to this MAC address and belonging to any of the protocol buckets is unicasted to that MAC address, rather than flooded. This reduces the unicast Layer 2 flooding that might be caused if the incoming traffic from a host belongs to a different protocol bucket than the traffic that is destined to the sending host.
The following example shows that the MAC addresses are initially assigned to either the “ip” or the “other” protocol bucket:
The following example shows how to assign MAC addresses that belong to either the “ip” or the “other” bucket to both buckets:
To enable MAC address learning on a VLAN, use the mac-address-table learning global configuration command. Use the no form of this command to disable MAC address learning on a VLAN to control which VLANs can learn MAC addresses.
mac-address-table learning vlan vlan-id
no mac-address-table learning vlan vlan-id
vlan vlan-id: Specifies a single VLAN ID or a range of VLAN IDs separated by a hyphen or comma. Valid VLAN IDs are 1 to 4094.
This command was modified to support the disable learning feature on the Catalyst 4500 series switch.
When you control MAC address learning on a VLAN, you can manage the available table space by controlling which VLANs, and which ports can learn MAC addresses.
You can disable MAC address learning on a single VLAN ID (for example, by entering no mac-address-table learning vlan 223) or on a range of VLAN IDs (for example, by entering no mac-address-table learning vlan 1-20, 15).
Before you disable MAC address learning, familiarize yourself with the network topology and the switch system configuration. If you disable MAC address learning on a VLAN, flooding may occur in the network. For example, if you disable MAC address learning on a VLAN with a configured switch virtual interface (SVI), the switch floods all IP packets in the Layer 2 domain. If you disable MAC address learning on a VLAN that includes more than two ports, every packet entering the switch is flooded in that VLAN domain. Disable MAC address learning only in VLANs that contain two ports. Use caution before disabling MAC address learning on a VLAN with an SVI.
You cannot disable MAC address learning on a VLAN that the switch uses internally. This action causes the switch to generate an error message and rejects the no mac-address-table learning vlan command. To view used internal VLANs, enter the show vlan internal usage privileged EXEC command.
If you disable MAC address learning on a VLAN configured as a PVLAN primary or a secondary VLAN, the MAC addresses are still learned on the VLAN (primary or secondary) associated with the PVLAN.
You cannot disable MAC address learning on an RSPAN VLAN. The configuration is not allowed.
If you disable MAC address learning on a VLAN that includes a secure port, MAC address learning is not disabled on that secure port. If you later disable port security on the interface, the disabled MAC address learning state takes effect on it.
To display the MAC address learning status of a specific VLAN or for all VLANs, enter the show mac-address-table learning vlan command.
The following example shows how to disable MAC address learning on VLAN 2003:
Displays the MAC address learning status on all VLANs or on the specified VLAN.
To enable MAC address notification on a switch, use the mac-address-table notification command. To return to the default setting, use the no form of this command.
mac-address-table notification [ [ change [ history-size hs_value | interval intv_value ] ] | [ mac-move ] | [ threshold [ limit percentage | interval time ] ] | [ learn-fail [ interval time | limit num_fail ] ] ]
no mac-address-table notification [ [ change [ history-size hs_value | interval intv_value ] ] | [ mac-move ] | [ threshold [ limit percentage | interval time ] ] | [ learn-fail [ interval time | limit num_fail ] ] ]
The defaults are as follows:
The MAC address notification feature is disabled.
The default MAC change trap interval value is 1 second.
The default number of entries in the history table is 1.
MAC move notification is disabled.
The MAC threshold monitoring feature is disabled.
The default threshold limit is 50 percent.
The default threshold interval is 120 seconds.
Hardware MAC learning failure syslog notification is disabled.
This command was introduced on the Catalyst 4500 series switch.
Support was introduced for the learn-fail keyword on Supervisor Engine 6-E and Catalyst 4900M.
You can enable the MAC change notification feature using the mac-address-table notification change command. If you do this, you must also enable MAC notification traps on an interface using the snmp trap mac-notification change interface configuration command and configure the switch to send MAC change traps to the NMS using the snmp-server enable traps mac-notification global configuration command.
When the history-size option is configured, the existing MAC change history table is deleted, and a new table is created.
The following example shows how to set the MAC address notification history table size to 300 entries:
Switch(config)# mac-address-table notification change history-size 300
Switch(config)#
The following example shows how to set the MAC address notification interval time to 1250 seconds:
Switch(config)# mac-address-table notification change interval 1250
Switch(config)#
The following example shows how to enable hardware MAC address learning failure syslog notification:
The following example shows how to set the interval of hardware MAC address learning failure syslog notification to 30 seconds:
Clears the global counter entries from the Layer 2 MAC address table.
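The four notification types serve different detection purposes: change traps give a per-port audit of which MAC appeared where, mac-move flags a MAC flapping between ports (a moving host, a misconfigured team, or spoofing), the threshold watches for the table filling up (the signature of a MAC-flooding attempt), and learn-fail surfaces the hardware refusing new entries. The following configuration is an added example that wires all four to an NMS; it is not from the original command reference, and the NMS address, the community string and the interface range are assumptions (use SNMPv3 rather than a v2c community in production).

```cisco
! Added example: MAC address table monitoring for a detection pipeline.
! NMS address, community string and interface range are assumptions.
!
! Where the traps go, and which MAC-notification traps the switch may send.
snmp-server host 192.0.2.50 version 2c MONITOR-RO
snmp-server enable traps mac-notification change move threshold
!
! Change notifications: batch for 5 s instead of the 1 s default, and keep a
! 500-entry history so a poller can catch up after an outage.
mac-address-table notification change
mac-address-table notification change interval 5
mac-address-table notification change history-size 500
!
! A MAC learned on one port and then another: host move, NIC team, or spoofing.
mac-address-table notification mac-move
!
! Alarm when the table is 80 % full, checked every 120 s: a sudden fill
! is the signature of a CAM-exhaustion (MAC flooding) attempt.
mac-address-table notification threshold
mac-address-table notification threshold limit 80
mac-address-table notification threshold interval 120
!
! Syslog hardware learn failures, reported on a 30-s interval.
mac-address-table notification learn-fail
mac-address-table notification learn-fail interval 30
!
! Per-port opt-in for change traps: user-facing ports only, not uplinks,
! or every reconvergence will produce a storm of traps.
interface range GigabitEthernet2/1 - 24
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
```

show mac-address-table notification change (and the mac-move, threshold and learn-fail variants) shows whether each feature is enabled, its interval, and the recent history; the history table is emptied when you change history-size, as noted above, so size it before enabling the feature.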
To configure a static MAC address for a VLAN interface, or to drop unicast traffic for a MAC address on a VLAN interface, use the mac-address-table static command. To remove the static MAC address configuration, use the no form of this command.
mac-address-table static mac-addr vlan vlan-id { interface type | drop }
no mac-address-table static mac-addr vlan vlan-id [ interface type | drop ]
This command was introduced on the Catalyst 4500 series switch.
When a static MAC address is installed, it is associated with a port.
The output interface specified must be a Layer 2 interface and not an SVI.
If you do not enter a protocol type, an entry is automatically created for each of the four protocol types.
Entering the no form of this command does not remove the system MAC addresses.
When removing a MAC address, entering interface int is optional. For unicast entries, the entry is removed automatically. For multicast entries, if you do not specify an interface, the entire entry is removed. You can specify the selected ports to be removed by specifying the interface.
The following example shows how to add a static entry to the MAC address table:
Switch(config)# mac-address-table static 0050.3e8d.6400 vlan 100 interface fastethernet5/7
Switch(config)#
To enable the Cisco-recommended features and settings that are suitable for connecting a switch port to a standard desktop, use the macro apply cisco-desktop command.
macro apply cisco-desktop $AVID access_vlanid
This command was introduced on the Catalyst 4500 series switch.
This command can only be viewed and applied; it cannot be modified.
Ensure that the existing configuration on the interface does not conflict with the intended macro configuration. Before you apply the macro, clear the configuration on the interface with the default interface command.
The following example shows how to enable the Cisco-recommended features and settings on port fa2/1:
The contents of this macro are as follows:
To enable MKA MACsec on switch-to-switch links using EAP-TLS, use the macsec network-link command.
macsec network-link
Enables MKA MACsec on switch-to-switch links using the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) method.
This command was introduced on Cisco Catalyst 4500-E with Supervisor Engine 8-E, and on Cisco Catalyst 4500-X series switches.
This command cannot be used to configure multipoint-to-multipoint links.
The following example shows how to enable MKA MACsec with EAP-TLS on a switch-to-switch link:
To configure a static endpoint identifier (EID) to routing locator (RLOC) (EID-to-RLOC) mapping relationship, use the map-cache command in the service ipv4 or service ipv6 mode.
[no] map-cache destination-eid-prefix/prefix-len { ipv4-address { priority priority weight weight } | ipv6-address | map-request | native-forward }
The first use of this command is to configure an Ingress Tunnel Router (ITR) with a static IPv4 or IPv6 EID-to-RLOC mapping relationship and its associated traffic policy. For each entry, a destination EID-prefix block and its associated locator, priority, and weight are entered. The value in the EID-prefix/prefix-length argument is the LISP EID-prefix block at the destination site. The locator is an IPv4 address of the remote site where the IPv4 or IPv6 EID-prefix can be reached. Associated with the locator address is a priority and weight that are used to define traffic policies when multiple RLOCs are defined for the same EID-prefix block.
The following example shows how to enable the map-cache:
To apply a MACsec Key Agreement (MKA) policy on an interface, and to configure MKA MACsec on an interface using a pre-shared key (PSK), use the mka command.
mka { default-policy | policy policy-name | pre-shared-key key-chain key-chain-name }
default-policy: Enables MKA MACsec using the default MKA policy on the interface.
policy policy-name: Enables MKA MACsec using a configured MKA policy on the interface.
pre-shared-key key-chain key-chain-name: Configures MKA MACsec on the interface using the pre-shared key defined in the named key chain.
This command was introduced on Cisco Catalyst 4500-E with Supervisor Engine 8-E, and on Cisco Catalyst 4500-X series switches.
The following example shows how to apply an MKA policy and a pre-shared key chain on an interface:
To configure MACsec Key Agreement policy options, and enter mka-policy configuration mode, use the mka policy command.
mka policy policy-name [ confidentiality-offset | default | key-server priority priority | macsec-cipher-suite { gcm-aes-128 | gcm-aes-256 } ]
This command was introduced on Cisco Catalyst 4500-E with Supervisor Engine 8-E, and on Cisco Catalyst 4500-X series switches.
The following example shows how to configure MKA policy options:
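The mka and mka policy commands above only make sense together with the key chain that holds the pre-shared CAK, so the following configuration is an added example of the whole PSK set-up on one link; it is not from the original command reference. The key-chain name, the policy name, the interface, the lifetime dates and, above all, the CAK value are placeholders: generate a real CAK from a cryptographically secure random source and never reuse the one shown here.

```cisco
! Added example: MKA MACsec with a pre-shared CAK on a switch-to-switch link.
! Names, dates, interface and the CAK value are placeholders.
!
! The pre-shared key: key id (CKN) 01, AES-128-CMAC CAK given as 32 hex digits.
key chain KC-MACSEC macsec
 key 01
  cryptographic-algorithm aes-128-cmac
  key-string 00112233445566778899aabbccddeeff
  lifetime local 00:00:00 Jan 1 2024 infinite
!
! MKA policy: this side prefers to be key server (the lower value wins),
! AES-GCM-256 on the wire, and no confidentiality offset, i.e. the whole
! payload is encrypted rather than leaving the first 30 or 50 bytes in clear.
mka policy P-GCM256
 key-server priority 0
 macsec-cipher-suite gcm-aes-256
 confidentiality-offset 0
!
! Bind it to the link. The peer must hold the same CKN/CAK and offer a
! compatible cipher suite, or the MKA session never reaches the secured state.
interface TenGigabitEthernet1/1
 description Inter-switch link, MACsec
 macsec
 mka policy P-GCM256
 mka pre-shared-key key-chain KC-MACSEC
```

show mka sessions shows whether the session is secured and which side won the key-server election; show macsec interface TenGigabitEthernet1/1 shows the negotiated cipher suite and offset. Give the peer a higher key-server priority value (a lower preference) so the election is deterministic, and plan a second key with an overlapping lifetime before the first one expires, because a key chain with no valid key tears the session down.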
To enable the Cisco-recommended features and settings that are suitable for connecting a switch port to a standard desktop and a Cisco IP phone, use the macro apply cisco-phone command.
macro apply cisco-phone $AVID access_vlanid $VVID voice_vlanid
This command was introduced on the Catalyst 4500 series switch.
This command can only be viewed and applied; it cannot be modified.
Ensure that the existing configuration on the interface does not conflict with the intended macro configuration. Before you apply the macro, clear the configuration on the interface with the default interface command.
The following example shows how to enable the Cisco-recommended features and settings on port fa2/1:
The contents of this macro are as follows:
To enable the Cisco-recommended features and settings that are suitable for connecting a switch port to a router, use the macro apply cisco-router command.
macro apply cisco-router $NVID native_vlanid
This command was introduced on the Catalyst 4500 series switch.
This command can only be viewed and applied; it cannot be modified.
Ensure that the existing configuration on the interface does not conflict with the intended macro configuration. Before you apply the macro apply cisco-router command, clear the configuration on the interface with the default interface command.
The following example shows how to enable the Cisco-recommended features and settings on port fa2/1:
The contents of this macro are as follows:
To enable the Cisco-recommended features and settings that are suitable for connecting a switch port to another switch, use the macro apply cisco-switch command.
macro apply cisco-switch $NVID native_vlanid
This command was introduced on the Catalyst 4500 series switch.
This command can only be viewed and applied; it cannot be modified.
Ensure that the existing configuration on the interface does not conflict with the intended macro configuration. Before you apply this macro, clear the configuration on the interface with the default interface command.
The following example shows how to enable the Cisco-recommended features and settings on port fa2/1:
The contents of this macro are as follows:
Use the macro auto device command to simplify changing the parameters of the built-in function for a device type. Use the no form of this command to revert to the initial parameter values.
macro auto device device_type [params values]
no macro auto device device_type [params values]
This command was introduced on the Catalyst 4500 series switch.
Although you can use the macro auto execute command to produce the same effect as the macro auto device command, the latter is simpler.
The following example shows how to change the access VLAN and voice VLAN for phone devices from their default values to user-defined values:
Use the macro auto execute configuration command to change built-in function default values or to map user-defined triggers to built-in functions and to pass the parameter values. Use the no form of this command to unmap the trigger.
macro auto execute event_trigger builtin shell_function [param name=values]
no macro auto execute event_trigger builtin shell_function [param name=values]
This command was introduced on the Catalyst 4500 series switch.
The switch automatically maps from builtin event triggers to builtin functions. The builtin functions are system-defined functions in the software image.
Use the macro auto execute global configuration command to replace the builtin function default values with values specific to your switch.
You can also create user-defined triggers and use this command to map the triggers to builtin functions.
You can create user-defined event triggers by entering the shell trigger global configuration command. Use the show shell privileged EXEC command to display the contents of the builtin and user-defined triggers and functions.
The following example shows how to use two built-in Auto Smartports macros for connecting Cisco switches and Cisco IP phones to the switch. It modifies the default voice VLAN, access VLAN, and native VLAN for the trunk interface:
Related commands:
macro auto device: Simplifies changing the parameters of the built-in function for a device type.
macro auto sticky: Specifies not to remove configurations applied by ASP across link flaps and device removal.
Use the macro auto execute configuration command to map a trigger to a remotely defined function. Use the no form of this command to unmap the trigger.
macro auto execute trigger_name remote url
no macro auto execute trigger_name remote url
This command was introduced on the Catalyst 4500 series switch.
The following example shows how to map a trigger to the remotely defined function myfunction, the file name that contains the function body:
Use the macro auto execute configuration command to map a trigger to a user-defined function. Use the no form of this command to unmap the trigger.
macro auto execute trigger_name [param_name=value] {function body}
no macro auto execute trigger_name [param_name=value]
param_name=value: (Optional) Specifies values for the parameters that are to be used in the function body.
This command was introduced on the Catalyst 4500 series switch.
The following example shows how to map the user-defined event trigger Cisco Digital Media Player (DMP) to a user-defined macro.
a. Connect the DMP to an 802.1x- or MAB-enabled switch port.
b. On the RADIUS server, set the attribute-value pair to auto-smart-port =CISCO_DMP_EVENT.
c. On the switch, create the event trigger CISCO_DMP_EVENT, and enter the user-defined macro commands shown below.
d. The switch recognizes the auto-smart-port=CISCO_DMP_EVENT attribute-value pair in the response from the RADIUS server and applies the macro associated with this event trigger.
Use the macro auto global processing global configuration command to enable Auto SmartPorts macros on the switch. Use the no form of this command to disable Auto SmartPorts (ASP) macros globally.
macro auto global processing [cdp | lldp]
no macro auto global processing [cdp | lldp]
Note Starting with Release 15.0(2)SG, the fallback option has been deprecated.
This command was introduced on the Catalyst 4500 series switch.
Use the macro auto global processing global configuration command to globally enable Auto Smartports macros on the switch. To disable ASP macros on a specific port, use the no macro auto processing command in the interface mode before ASP is enabled globally.
Auto Smartports macros dynamically configure ports based on the device type detected on the port. When the switch detects a new device on a port it applies the appropriate ASP macro. When a link-down event occurs on a port, the switch removes the macro. For example, when you connect a Cisco IP phone to a port, ASP automatically applies the IP phone macro. The IP phone macro enables quality of service (QoS), security features, and a dedicated voice VLAN to ensure proper treatment of delay-sensitive voice traffic.
ASP uses event triggers to map devices to macros. The most common event triggers are based on Cisco Discovery Protocol (CDP) messages received from connected devices. The detection of a device invokes a CDP event trigger: Cisco IP phone, Cisco wireless access point, Cisco switch, or Cisco router. Other event triggers use MAC authentication bypass (MAB) and 802.1X authentication messages.
Use CDP if port authentication is enabled and the RADIUS server does not send an event trigger.
Select LLDP to apply auto configuration if authentication fails.
If authentication is enabled on a port, a switch ignores CDP and LLDP messages unless the cdp keyword is enabled.
When using 802.1X or MAB authentication, configure the RADIUS server to support the Cisco attribute-value (AV) pair auto-smart-port=event trigger.
When CDP-identified devices advertise multiple capabilities, a switch chooses a capability in this priority order: switch, router, access point, lightweight access point, phone, host.
To verify that an ASP macro is applied to an interface, use the show running config command.
The macro auto global processing cdp and macro auto global processing lldp commands enable ASP globally if it is not already enabled and set the fallback to CDP or LLDP, respectively. However, the no macro auto global processing [cdp | lldp] command only removes the fallback mechanism; it does not disable ASP globally. Only the no macro auto global processing command disables ASP globally.
The keywords cdp and lldp are also controlled at the interface level; by default, CDP is the fallback mechanism on an interface. If you prefer LLDP, first enter the no macro auto processing cdp command, then enter the macro auto processing lldp command.
If you want to activate both CDP and LLDP, you must enable them in sequence. For example, you would first enter the macro auto processing cdp command, then the macro auto processing lldp command.
The following example shows how to enable ASP on a switch and to disable the feature on Gi1/0/1:
Use the macro auto mac-address-group command to configure a group of MAC addresses or OUIs as a trigger. Use the no form of this command to remove the group.
macro auto mac-address-group grp_name
no macro auto mac-address-group grp_name
This command was introduced on the Catalyst 4500 series switch.
This command changes the mode to config-mac-addr-grp, in which you can add or remove a MAC address or OUI from the group.
You can specify a list of MACs or OUIs, or a range of OUIs (maximum of 5 in the range).
The following example shows how to configure testGroup as a trigger:
To enable the device classifier, use the macro auto monitor global configuration command. Use the no form of this command to disable the device classifier.
This command was introduced on the Catalyst 4500 series switch.
Use the no macro auto monitor global configuration command to disable the device classifier. You cannot disable the device classifier while it is being used by features such as ASP.
The following example shows how to enable the ASP device classifier on a switch:
Note Only use this command when Auto SmartPorts (ASP) is enabled globally; when ASP is disabled globally, interface-level control has no effect.
Use the macro auto processing interface configuration command to enable ASP macros on a specific interface. Use the no form of this command to disable ASP on a specific interface before ASP is enabled globally.
macro auto processing [fallback cdp] [fallback lldp]
no macro auto processing [fallback cdp] [fallback lldp]
This command was introduced on the Catalyst 4500 series switch.
The no macro auto processing command should be configured on all interfaces where ASP is not desirable (such as Layer 3 and EtherChannel interfaces) before ASP is enabled globally.
At the interface level, the default fallback mechanism is CDP. To change the mechanism to LLDP, enter the no macro auto processing fallback cdp command, followed by the macro auto processing fallback lldp command.
The following example shows how to enable the feature on an interface:
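The ordering rules spelled out for the global and interface-level commands (disable ASP on Layer 3 and EtherChannel interfaces before enabling it globally; CDP is the default interface fallback and LLDP takes over only when no macro auto processing fallback cdp precedes macro auto processing fallback lldp) can be checked against a saved running-config. The Python script below is an added example, not part of the Cisco reference or of Cisco IOS: it replays the commands of a constructed sample configuration (interface names, the Port-channel membership and the 192.0.2.1 address are made up for the example) and reports interfaces where ASP is still active although the guidelines say it is not desirable there. The interface keywords follow the syntax line given for macro auto processing.

```python
"""Audit Auto Smartports (ASP) settings in a Catalyst 4500 running-config.

Added example: the configuration below is constructed for this script and
is not taken from the Cisco reference.
"""
import re

SAMPLE_CONFIG = """\
!
macro auto global processing cdp
!
interface GigabitEthernet1/0/1
 no macro auto processing
!
interface GigabitEthernet1/0/2
 switchport mode access
 no macro auto processing fallback cdp
 macro auto processing fallback lldp
!
interface GigabitEthernet1/0/3
 no switchport
 ip address 192.0.2.1 255.255.255.252
!
interface Port-channel1
 switchport mode trunk
!
interface GigabitEthernet1/0/4
 channel-group 1 mode active
 no macro auto processing
!
"""


def parse_config(text):
    """Split a running-config into global lines and {interface: [lines]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def global_asp_state(global_lines):
    """Return (enabled, fallback) from 'macro auto global processing [cdp|lldp]'."""
    enabled, fallback = False, None
    for line in global_lines:
        m = re.fullmatch(r"macro auto global processing(?: (cdp|lldp))?", line)
        if m:
            enabled = True
            fallback = m.group(1)  # None: no fallback keyword given
    return enabled, fallback


def interface_asp_state(lines):
    """Replay the interface commands in order; CDP is the default fallback."""
    enabled, fallbacks = True, {"cdp"}
    for line in lines:
        if line == "no macro auto processing":
            enabled = False
        elif line == "no macro auto processing fallback cdp":
            fallbacks.discard("cdp")
        elif line == "macro auto processing fallback lldp":
            fallbacks.add("lldp")
        elif line == "macro auto processing fallback cdp":
            fallbacks.add("cdp")
    return enabled, sorted(fallbacks)


def asp_unwanted(name, lines):
    """True for Layer 3 or EtherChannel interfaces, where ASP is not desirable."""
    return (name.lower().startswith("port-channel")
            or "no switchport" in lines
            or any(ln.startswith("channel-group ") for ln in lines))


def audit(text):
    """List interfaces that still have ASP active where the guidelines advise against it."""
    global_lines, interfaces = parse_config(text)
    enabled, _ = global_asp_state(global_lines)
    findings = []
    if not enabled:
        return findings  # interface-level settings have no effect unless ASP is global
    for name, lines in interfaces.items():
        if_enabled, _ = interface_asp_state(lines)
        if if_enabled and asp_unwanted(name, lines):
            findings.append(f"{name}: ASP active on Layer 3 or EtherChannel interface")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

In the sample, GigabitEthernet1/0/3 (routed port) and Port-channel1 are reported because neither carries no macro auto processing, while GigabitEthernet1/0/4, a channel member, is silent because it was disabled before the global enable. GigabitEthernet1/0/2 ends with LLDP as its only fallback, which is exactly the ordered pair of commands the text requires.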
Use the macro auto sticky configuration command to specify that configurations applied by ASP are not removed across link flaps and device removal.
This command was introduced on the Catalyst 4500 series switch.
This command lets you avoid unnecessary removal of ASP configurations when a feature intentionally shuts down a link (for example, EnergyWise, which shuts down inactive links to save energy). When such a feature is enabled, you do not want ASP macros to be applied and removed unnecessarily, so you configure the sticky feature.
The following example shows how to specify not to remove configurations:
Related commands:
macro auto execute: Changes built-in function default values or maps user-defined triggers to built-in functions, and passes the parameter values.
To apply the system-defined default template to the switch, use the macro global apply cisco-global global configuration command on the switch stack or on a standalone switch.
macro global apply cisco-global
This command was introduced on the Catalyst 4500 series switch.
These examples show how to apply the system-defined default to the switch:
To apply the control plane policing default template to the switch, use the macro global apply system-cpp global configuration command on the switch stack or on a standalone switch.
This command was introduced on the Catalyst 4500 series switch.
The following example shows how to apply the system-defined default to the switch:
Related commands:
macro global description: Enters a description about the macros that are applied to the switch.
To enter a description about the macros that are applied to the switch, use the macro global description global configuration command on the switch stack or on a standalone switch. Use the no form of this command to remove the description.
macro global description text
no macro global description text
text: Enters a description about the macros that are applied to the switch.
This command was introduced on the Catalyst 4500 series switch.
This command associates comment text, or the macro name, with a switch. When multiple macros are applied on a switch, the description text will be from the last applied macro.
The following example shows how to add a description to a switch:
You can verify your settings by entering the show parser macro description privileged EXEC command.
To enter the main CPU submode and manually synchronize the configurations on two supervisor engines, use the main-cpu command.
This command was introduced on the Catalyst 4500 series switch (Catalyst 4507R only).
The main CPU submode is used to manually synchronize the configurations on the two supervisor engines. From the main CPU submode, use the auto-sync command to enable automatic synchronization of the configuration files in NVRAM.
Note After you enter the main CPU submode, you can use the auto-sync command to automatically synchronize the configuration between the primary and secondary route processors based on the primary configuration. In addition, you can use all of the redundancy commands that are applicable to the main CPU.
The following example shows how to reenable the default automatic synchronization feature using the auto-sync standard command to synchronize the startup-config and config-register configuration of the active supervisor engine with the standby supervisor engine. The updates for the boot variables are automatic and cannot be disabled.
Related commands:
auto-sync: Enables automatic synchronization of the configuration files in NVRAM.
To specify a match clause by selecting one or more ACLs for a VLAN access-map sequence, use the match subcommand. To remove the match clause, use the no form of this command.
match {ip address {acl-number | acl-name} | mac address acl-name}
no match {ip address {acl-number | acl-name} | mac address acl-name}
Note If a match clause is not specified, the action for the VLAN access-map sequence is applied to all packets. All packets are matched against that sequence in the access map.
ip address {acl-number | acl-name}: Selects one or more IP ACLs for a VLAN access-map sequence; valid values are from 1 to 199 and from 1300 to 2699.
mac address acl-name: Selects one or more MAC ACLs for a VLAN access-map sequence.
This command was introduced on the Catalyst 4500 series switch.
The match clause specifies the IP or MAC ACL for traffic filtering.
The MAC sequence is not effective for IP packets. IP packets should be access controlled by IP match clauses.
Refer to the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide for additional configuration guidelines and restrictions.
Refer to the Cisco IOS Command Reference publication for additional match command information.
The following example shows how to define a match clause for a VLAN access map:
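As an added example (not from the Cisco reference and not Cisco IOS code), the Python script below applies the rules stated above for match clauses to a constructed configuration: numbered IP ACLs must fall in 1 to 199 or 1300 to 2699, a sequence without a match clause applies its action to all packets, and a MAC match clause does not filter IP packets, so a drop sequence that matches only MAC ACLs leaves IP traffic unfiltered. It also checks that every ACL a match clause names is defined somewhere in the configuration. The access-map names, ACL names and the 192.0.2.0/24 prefix are constructed for the example.

```python
"""Check the match clauses of Catalyst 4500 VLAN access maps in a config.

Added example: the configuration below is constructed for this script and
is not taken from the Cisco reference.
"""
import re

SAMPLE_CONFIG = """\
ip access-list extended MGMT-ONLY
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
access-list 150 deny tcp any any eq 23
access-list 150 permit ip any any
mac access-list extended NO-APPLETALK
 deny any any appletalk
!
vlan access-map SERVERS 10
 match ip address MGMT-ONLY
 action forward
vlan access-map SERVERS 20
 action drop
!
vlan access-map LEGACY 10
 match mac address NO-APPLETALK
 action drop
vlan access-map LEGACY 20
 match ip address 150
 action forward
!
vlan access-map BROKEN 10
 match ip address 250 UNDEFINED-ACL
 action drop
"""

# Numbered IP ACL ranges accepted by the match clause, as stated in the reference.
VALID_ACL_RANGES = ((1, 199), (1300, 2699))


def parse_access_maps(text):
    """Return {(map_name, seq): {'ip': [...], 'mac': [...], 'action': ...}} in config order."""
    maps, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = re.fullmatch(r"vlan access-map (\S+) (\d+)", line)
        if m:
            current = (m.group(1), int(m.group(2)))
            maps[current] = {"ip": [], "mac": [], "action": None}
            continue
        if current is None or not line.startswith(" "):
            current = None  # any unindented line ends the access-map block
            continue
        tokens = line.split()
        if tokens[:3] == ["match", "ip", "address"]:
            maps[current]["ip"].extend(tokens[3:])
        elif tokens[:3] == ["match", "mac", "address"]:
            maps[current]["mac"].extend(tokens[3:])
        elif tokens[:1] == ["action"] and len(tokens) > 1:
            maps[current]["action"] = tokens[1]
    return maps


def defined_acls(text):
    """Collect the names and numbers of ACLs defined in the configuration."""
    acls = set()
    for line in text.splitlines():
        m = re.match(r"(?:ip|mac) access-list (?:standard |extended )?(\S+)", line)
        if m:
            acls.add(m.group(1))
        m = re.match(r"access-list (\d+) ", line)
        if m:
            acls.add(m.group(1))
    return acls


def valid_acl_number(number):
    """True if a numbered IP ACL is within the ranges the match clause accepts."""
    return any(lo <= number <= hi for lo, hi in VALID_ACL_RANGES)


def audit(text):
    """Return findings: out-of-range numbers, undefined ACLs, catch-all and MAC-only drop sequences."""
    acls = defined_acls(text)
    findings = []
    for (name, seq), clause in parse_access_maps(text).items():
        where = f"{name} seq {seq}"
        for ref in clause["ip"]:
            if ref.isdigit() and not valid_acl_number(int(ref)):
                findings.append(f"{where}: IP ACL number {ref} outside 1-199 / 1300-2699")
            elif ref not in acls:
                findings.append(f"{where}: IP ACL {ref} is not defined")
        for ref in clause["mac"]:
            if ref not in acls:
                findings.append(f"{where}: MAC ACL {ref} is not defined")
        if not clause["ip"] and not clause["mac"]:
            findings.append(f"{where}: no match clause, action '{clause['action']}' applies to all packets")
        elif clause["mac"] and not clause["ip"] and clause["action"] == "drop":
            findings.append(f"{where}: MAC-only match; IP packets are not filtered by this sequence")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

The catch-all finding for SERVERS seq 20 is not necessarily a mistake: a trailing sequence with no match clause is the usual way to set the default action for the map, but it is worth surfacing because the default is applied to every packet the earlier sequences did not match.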