Administering the Device

Information About Administering the Device

System Time and Date Management

You can manage the system time and date on your device using automatic configuration methods (RTC and NTP), or manual configuration methods.


Note


For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference on Cisco.com.


System Clock

The basis of the time service is the system clock. This clock runs from the moment the system starts up and keeps track of the date and time.

The system clock can then be set from these sources:

  • RTC

  • NTP

  • Manual configuration

The system clock can provide time to these services:

  • User show commands

  • Logging and debugging messages

The system clock keeps track of time internally based on Coordinated Universal Time (UTC), also known as Greenwich Mean Time (GMT). You can configure information about the local time zone and summer time (daylight saving time) so that the time appears correctly for the local time zone.

The system clock keeps track of whether the time is authoritative or not (that is, whether it has been set by a time source considered to be authoritative). If it is not authoritative, the time is available only for display purposes and is not redistributed.

Network Time Protocol

The NTP is designed to time-synchronize a network of devices. NTP runs over User Datagram Protocol (UDP), which runs over IP. NTP is documented in RFC 1305.

An NTP network usually gets its time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server. NTP then distributes this time across the network. NTP is extremely efficient; no more than one packet per minute is necessary to synchronize two devices to within a millisecond of one another.

NTP uses the concept of a stratum to describe how many NTP hops away a device is from an authoritative time source. A stratum 1 time server has a radio or atomic clock directly attached, a stratum 2 time server receives its time through NTP from a stratum 1 time server, and so on. A device running NTP automatically chooses as its time source the device with the lowest stratum number with which it communicates through NTP. This strategy effectively builds a self-organizing tree of NTP speakers.

NTP avoids synchronizing to a device whose time might not be accurate by never synchronizing to a device that is not synchronized. NTP also compares the time reported by several devices and does not synchronize to a device whose time is significantly different than the others, even if its stratum is lower.

The communications between devices running NTP (known as associations) are usually statically configured; each device is given the IP address of all devices with which it should form associations. Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an association. However, in a LAN environment, NTP can be configured to use IP broadcast messages instead. This alternative reduces configuration complexity because each device can simply be configured to send or receive broadcast messages. However, in that case, information flow is one-way only.

The time kept on a device is a critical resource; you should use the security features of NTP to avoid the accidental or malicious setting of an incorrect time. Two mechanisms are available: an access list-based restriction scheme and an encrypted authentication mechanism.

Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet.

The Figure shows a typical network example using NTP. Device A is the primary NTP, with the Device B, C, and D configured in NTP server mode, in server association with Device A. Device E is configured as an NTP peer to the upstream and downstream device, Device B and Device F, respectively.

Figure 1. Typical NTP Network Configuration


If the network is isolated from the Internet, Cisco’s implementation of NTP allows a device to act as if it is synchronized through NTP, when in fact it has learned the time by using other means. Other devices then synchronize to that device through NTP.

When multiple sources of time are available, NTP is always considered to be more authoritative. NTP time overrides the time set by any other method.

Several manufacturers include NTP software for their host systems, and a publicly available version for systems running UNIX and its various derivatives is also available. This software allows host systems to be time-synchronized as well.

NTP Stratum

NTP uses the concept of a stratum to describe how many NTP hops away a device is from an authoritative time source. A stratum 1 time server has a radio or atomic clock directly attached, a stratum 2 time server receives its time through NTP from a stratum 1 time server, and so on. A device running NTP automatically chooses as its time source the device with the lowest stratum number with which it communicates through NTP. This strategy effectively builds a self-organizing tree of NTP speakers.

NTP avoids synchronizing to a device whose time might not be accurate by never synchronizing to a device that is not synchronized. NTP also compares the time reported by several devices and does not synchronize to a device whose time is significantly different than the others, even if its stratum is lower.

NTP Associations

The communications between devices running NTP (known as associations) are usually statically configured; each device is given the IP address of all devices with which it should form associations. Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an association. However, in a LAN environment, NTP can be configured to use IP broadcast messages instead. This alternative reduces configuration complexity because each device can simply be configured to send or receive broadcast messages. However, in that case, information flow is one-way only.

Poll-Based NTP Associations

Networking devices running NTP can be configured to operate in variety of association modes when synchronizing time with reference time sources. A networking device can obtain time information on a network in two ways—by polling host servers and by listening to NTP broadcasts. This section focuses on the poll-based association modes. Broadcast-based NTP associations are discussed in the Broadcast-Based NTP Associations section.

The following are the two most commonly used poll-based association modes:

  • Client mode

  • Symmetric active mode

The client and the symmetric active modes should be used when NTP is required to provide a high level of time accuracy and reliability.

When a networking device is operating in the client mode, it polls its assigned time-serving hosts for the current time. The networking device will then pick a host from among all the polled time servers to synchronize with. Because the relationship that is established in this case is a client-host relationship, the host will not capture or use any time information sent by the local client device. This mode is most suited for file-server and workstation clients that are not required to provide any form of time synchronization to other local clients. Use the ntp server command to individually specify the time server that you want your networking device to consider synchronizing with and to set your networking device to operate in the client mode.

When a networking device is operating in the symmetric active mode, it polls its assigned time-serving hosts for the current time and it responds to polls by its hosts. Because this is a peer-to-peer relationship, the host will also retain time-related information of the local networking device that it is communicating with. This mode should be used when a number of mutually redundant servers are interconnected via diverse network paths. Most stratum 1 and stratum 2 servers on the Internet adopt this form of network setup. Use the ntp peer command to individually specify the time serving hosts that you want your networking device to consider synchronizing with and to set your networking device to operate in the symmetric active mode.

The specific mode that you should set for each of your networking devices depends primarily on the role that you want them to assume as a timekeeping device (server or client) and the device’s proximity to a stratum 1 timekeeping server.

A networking device engages in polling when it is operating as a client or a host in the client mode or when it is acting as a peer in the symmetric active mode. Although polling does not usually place a burden on memory and CPU resources such as bandwidth, an exceedingly large number of ongoing and simultaneous polls on a system can seriously impact the performance of a system or slow the performance of a given network. To avoid having an excessive number of ongoing polls on a network, you should limit the number of direct, peer-to-peer or client-to-server associations. Instead, you should consider using NTP broadcasts to propagate time information within a localized network.

Broadcast-Based NTP Associations

Broadcast-based NTP associations should be used when time accuracy and reliability requirements are modest and if your network is localized and has more than 20 clients. Broadcast-based NTP associations are also recommended for use on networks that have limited bandwidth, system memory, or CPU resources.

A networking device operating in the broadcast client mode does not engage in any polling. Instead, it listens for NTP broadcast packets that are transmitted by broadcast time servers. Consequently, time accuracy can be marginally reduced because time information flows only one way.

Use the ntp broadcast client command to set your networking device to listen for NTP broadcast packets propagated through a network. For broadcast client mode to work, the broadcast server and its clients must be located on the same subnet. You must enable the time server that transmits NTP broadcast packets on the interface of the given device by using the ntp broadcast command.

Authoritative NTP Server

An authoritative NTP server is a time server that can distribute time in the network. Other devices can configure it as a time server. You can configure a Cisco Catalyst 9000 Series Switch to act as an authoritative NTP server, enabling it to distribute time even when it is not synchronized to an outside time source. Use the ntp master command, in global configuration mode, to configure the device to be an authoritative NTP server.


Caution


Use the ntp master command with caution. Usage of this command can override valid time sources, especially if a low stratum number is configured. Configuring multiple devices in the same network with the ntp master command can cause instability in timekeeping if the devices do not agree on the time.


NTP Security

The time kept on a device is a critical resource; you should use the security features of NTP to avoid the accidental or malicious setting of an incorrect time. Two mechanisms are available: an access list-based restriction scheme and an encrypted authentication mechanism.


Note


We do not recommend configuring Message Direct 5 (MD5) authentication. You can use other supported authentication methods for stronger encryption.


NTP Access Group

The access list-based restriction scheme allows you to grant or deny certain access privileges to an entire network, a subnet within a network, or a host within a subnet. To define an NTP access group, use the ntp access-group command in global configuration mode.

The access group options are scanned in the following order, from least restrictive to the most restrictive:

  1. ipv4 —Configures IPv4 access lists.

  2. ipv6 —Configures IPv6 access lists.

  3. peer —Allows time requests and NTP control queries, and allows the system to synchronize itself to a system whose address passes the access list criteria.

  4. serve —Allows time requests and NTP control queries, but does not allow the system to synchronize itself to a system whose address passes the access list criteria.

  5. serve-only —Allows only time requests from a system whose address passes the access list criteria.

  6. query-only —Allows only NTP control queries from a system whose address passes the access list criteria.

If the source IP address matches the access lists for more than one access type, the first type is granted access. If no access groups are specified, all access types are granted access to all systems. If any access groups are specified, only the specified access types will be granted access.

For details on NTP control queries, see RFC 1305 (NTP Version 3).

The encrypted NTP authentication scheme should be used when a reliable form of access control is required. Unlike the access list-based restriction scheme that is based on IP addresses, the encrypted authentication scheme uses authentication keys and an authentication process to determine if NTP synchronization packets sent by designated peers or servers on a local network are deemed as trusted before the time information that they carry along with them is accepted.

The authentication process begins from the moment an NTP packet is created. Cryptographic checksum keys are generated using the message digest algorithm 5 (MD5) and are embedded into the NTP synchronization packet that is sent to a receiving client. Once a packet is received by a client, its cryptographic checksum key is decrypted and checked against a list of trusted keys. If the packet contains a matching authentication key, the time-stamp information that is contained within the packet is accepted by the receiving client. NTP synchronization packets that do not contain a matching authenticator key are ignored.


Note


In large networks, where many trusted keys must be configured, the Range of Trusted Key Configuration feature enables configuring multiple keys simultaneously.


It is important to note that the encryption and decryption processes used in NTP authentication can be very CPU-intensive and can seriously degrade the accuracy of the time that is propagated within a network. If your network setup permits a more comprehensive model of access control, you should consider the use of the access list-based form of control.

After NTP authentication is properly configured, your networking device will synchronize with and provide synchronization only to trusted time sources.

NTP Services on a Specific Interface

Network Time Protocol (NTP) services are disabled on all interfaces by default. NTP is enabled globally when any NTP commands are entered. You can selectively prevent NTP packets from being received through a specific interface by using the ntp disable command in interface configuration mode.

Source IP Address for NTP Packets

When the system sends an NTP packet, the source IP address is normally set to the address of the interface through which the NTP packet is sent. Use the ntp source interface command in global configuration mode to configure a specific interface from which the IP source address will be taken.

This interface will be used for the source address for all packets sent to all destinations. If a source address is to be used for a specific association, use the source keyword in the ntp peer or ntp server command.

NTP Implementation

Implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet.

If the network is isolated from the Internet, NTP allows a device to act as if it is synchronized through NTP, when in fact it has learned the time by using other means. Other devices then synchronize to that device through NTP.

When multiple sources of time are available, NTP is always considered to be more authoritative. NTP time overrides the time set by any other method.

Several manufacturers include NTP software for their host systems, and a publicly available version for systems running UNIX and its various derivatives is also available. This software allows host systems to be time-synchronized as well.

DNS

The DNS protocol controls the Domain Name System (DNS), a distributed database with which you can map hostnames to IP addresses. When you configure DNS on your device, you can substitute the hostname for the IP address with all IP commands, such as ping , telnet , connect , and related Telnet support operations.

IP defines a hierarchical naming scheme that allows a device to be identified by its location or domain. Domain names are pieced together with periods (.) as the delimiting characters. For example, Cisco Systems is a commercial organization that IP identifies by a com domain name, so its domain name is cisco.com. A specific device in this domain, for example, the File Transfer Protocol (FTP) system is identified as ftp.cisco.com.

To keep track of domain names, IP has defined the concept of a domain name server, which holds a cache (or database) of names mapped to IP addresses. To map domain names to IP addresses, you must first identify the hostnames, specify the name server that is present on your network, and enable the DNS.

Default DNS Settings

Table 1. Default DNS Settings

Feature

Default Setting

DNS enable state

Enabled.

DNS default domain name

None configured.

DNS servers

No name server addresses are configured.

Login Banners

You can configure a message-of-the-day (MOTD) and a login banner. The MOTD banner is displayed on all connected terminals at login and is useful for sending messages that affect all network users (such as impending system shutdowns).

The login banner is also displayed on all connected terminals. It appears after the MOTD banner and before the login prompts.


Note


For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.4.


Default Banner Configuration

The MOTD and login banners are not configured.

MAC Address Table

The MAC address table contains address information that the device uses to forward traffic between ports. All MAC addresses in the address table are associated with one or more ports. The address table includes these types of addresses:

  • Dynamic address—A source MAC address that the device learns and then ages when it is not in use.

  • Static address—A manually entered unicast address that does not age and that is not lost when the device resets.

The address table lists the destination MAC address, the associated VLAN ID, and port number associated with the address and the type (static or dynamic).


Note


For complete syntax and usage information for the commands used in this section, see the command reference for this release.


MAC Address Table Creation

With multiple MAC addresses supported on all ports, you can connect any port on the device to other network devices. The device provides dynamic addressing by learning the source address of packets it receives on each port and adding the address and its associated port number to the address table. As devices are added or removed from the network, the device updates the address table, adding new dynamic addresses and aging out those that are not in use.

The aging interval is globally configured. However, the device maintains an address table for each VLAN, and STP can accelerate the aging interval on a per-VLAN basis.

The device sends packets between any combination of ports, based on the destination address of the received packet. Using the MAC address table, the device forwards the packet only to the port associated with the destination address. If the destination address is on the port that sent the packet, the packet is filtered and not forwarded. The device always uses the store-and-forward method: complete packets are stored and checked for errors before transmission.

MAC Addresses and VLANs

All addresses are associated with a VLAN. An address can exist in more than one VLAN and have different destinations in each. Unicast addresses, for example, could be forwarded to port 1 in VLAN 1 and ports 9, 10, and 1 in VLAN 5.

Each VLAN maintains its own logical address table. A known address in one VLAN is unknown in another until it is learned or statically associated with a port in the other VLAN.

Default MAC Address Table Settings

The following table shows the default settings for the MAC address table.

Table 2. Default Settings for the MAC Address

Feature

Default Setting

Aging time

300 seconds

Dynamic addresses

Automatically learned

Static addresses

None configured

ARP Table Management

To communicate with a device (over Ethernet, for example), the software first must learn the 48-bit MAC address or the local data link address of that device. The process of learning the local data link address from an IP address is called address resolution .

The Address Resolution Protocol (ARP) associates a host IP address with the corresponding media or MAC addresses and the VLAN ID. Using an IP address, ARP finds the associated MAC address. When a MAC address is found, the IP-MAC address association is stored in an ARP cache for rapid retrieval. Then the IP datagram is encapsulated in a link-layer frame and sent over the network. Encapsulation of IP datagrams and ARP requests and replies on IEEE 802 networks other than Ethernet is specified by the Subnetwork Access Protocol (SNAP). By default, standard Ethernet-style ARP encapsulation (represented by the arpa keyword) is enabled on the IP interface.

ARP entries added manually to the table do not age and must be manually removed.

For CLI procedures, see the Cisco IOS Release 12.4 documentation on Cisco.com.

How to Administer the Device

Configuring the Time and Date Manually

System time remains accurate through restarts and reboot, however, you can manually configure the time and date after the system is restarted.

We recommend that you use manual configuration only when necessary. If you have an outside source to which the device can synchronize, you do not need to manually set the system clock.

Setting the System Clock

If you have an outside source on the network that provides time services, such as an NTP server, you do not need to manually set the system clock.

Follow these steps to set the system clock:

Procedure
  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

Use one of the following:

  • clock set hh:mm:ss day month year
  • clock set hh:mm:ss month day year
Example:

Device# clock set 13:32:00 23 March 2013

Manually set the system clock using one of these formats:

  • hh:mm:ss— Specifies the time in hours (24-hour format), minutes, and seconds. The time specified is relative to the configured time zone.

  • day— Specifies the day by date in the month.

  • month— Specifies the month by name.

  • year— Specifies the year (no abbreviation).

Configuring the Time Zone

Follow these steps to manually configure the time zone:
Procedure
  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

clock timezone zone hours-offset [minutes-offset]

Example:

Device(config)# clock timezone AST -3 30

Sets the time zone.

Internal time is kept in Coordinated Universal Time (UTC), so this command is used only for display purposes and when the time is manually set.

  • zone— Enters the name of the time zone to be displayed when standard time is in effect. The default is UTC.

  • hours-offset— Enters the hours offset from UTC.

  • (Optional) minutes-offset— Enters the minutes offset from UTC. This available where the local time zone is a percentage of an hour different from UTC.

Step 4

end

Example:

Device(config)# end

Returns to privileged EXEC mode.

Step 5

show running-config

Example:

Device# show running-config 

Verifies your entries.

Step 6

copy running-config startup-config

Example:

Device# copy running-config startup-config 

(Optional) Saves your entries in the configuration file.

Configuring Summer Time (Daylight Saving Time)

To configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year, perform this task:

Procedure
  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

clock summer-time zone date date month year hh:mm date month year hh:mm [offset]]

Example:

Device(config)# clock summer-time PDT date 
10 March 2013 2:00 3 November 2013 2:00

Configures summer time to start and end on specified days every year.

Step 4

clock summer-time zone recurring [week day month hh:mm week day month hh:mm [offset]]

Example:

Device(config)# clock summer-time 
PDT recurring 10 March 2013 2:00 3 November 2013 2:00

Configures summer time to start and end on the specified days every year. All times are relative to the local time zone. The start time is relative to standard time.

The end time is relative to summer time. Summer time is disabled by default. If you specify clock summer-time zone recurring without parameters, the summer time rules default to the United States rules.

If the starting month is after the ending month, the system assumes that you are in the southern hemisphere.

  • zone— Specifies the name of the time zone (for example, PDT) to be displayed when summer time is in effect.

  • (Optional) week— Specifies the week of the month (1 to 4, first , or last ).

  • (Optional) day— Specifies the day of the week (Sunday, Monday...).

  • (Optional) month— Specifies the month (January, February...).

  • (Optional) hh:mm— Specifies the time (24-hour format) in hours and minutes.

  • (Optional) offset— Specifies the number of minutes to add during summer time. The default is 60.

Step 5

end

Example:

Device(config)# end

Returns to privileged EXEC mode.

Step 6

show running-config

Example:

Device# show running-config 

Verifies your entries.

Step 7

copy running-config startup-config

Example:

Device# copy running-config startup-config 

(Optional) Saves your entries in the configuration file.

Configuring NTP

These following sections provide configuration information on NTP:

Default NTP Configuration

shows the default NTP configuration.

Table 3. Default NTP Configuration

Feature

Default Setting

NTP authentication

Disabled. No authentication key is specified.

NTP peer or server associations

None configured.

NTP broadcast service

Disabled; no interface sends or receives NTP broadcast packets.

NTP access restrictions

No access control is specified.

NTP packet source IP address

The source address is set by the outgoing interface.

NTP is enabled on all interfaces by default. All interfaces receive NTP packets.

Configuring NTP Authentication

To configure NTP authentication, perform this procedure:

Procedure
  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

[no] ntp authenticate

Example:

Device(config)# ntp authenticate

Enables NTP authentication.

Use the no form of this command to disable NTP authentication

Step 4

[no] ntp authentication-key number {md5 | cmac-aes-128 | hmac-sha1 | hmac-sha2-256} value

Example:

Device(config)# ntp authentication-key 42 md5 aNiceKey

Defines the authentication keys.

  • Each key has a key number, a type, and a value.

  • Keys can be one of the following types:

    • md5 : Authentication using the MD5 algorithm.

    • cmac-aes-128 : Authentication using Cipher-based message authentication codes (CMAC) with the AES-128 algorithm. The digest length is 128 bits and the key length is 16 or 32 bytes.

    • hmac-sha1 : Authentication using Hash-based Message Authentication Code (HMAC) using the SHA1 hash function. The digest length is 128 bits and the key length is 1 to 32 bytes.

    • hmac-sha2-256 : Authentication using HMAC using the SHA2 hash function. The digest length is 256 bits and the key length is 1 to 32 bytes

Use the no form of this command to remove authentication key.

Step 5

[no] ntp trusted-key key-number

Example:

Device(config)# ntp trusted-key 42

Defines trusted authentication keys that a peer NTP device must provide in its NTP packets for this device to synchronize to it.

Use the no form of this command to disable trusted authentication.

Step 6

[no] ntp server ip-address key key-id [prefer]

Example:

Device(config)# ntp server 172.16.22.44 key 42

Allows the software clock to be synchronized by an NTP time server.

  • ip-address : The IP address of the time server providing the clock synchronization.

  • key-id : Authentication key defined with the ntp authentication-key command.

  • prefer : Sets this peer as the preferred one that provides synchronization. This keyword reduces clock hop among peers.

Use the no form of this command to remove a server association.

Step 7

end

Example:

Device(config)# end

Returns to privileged EXEC mode.

Configuring Poll-Based NTP Associations

To configure poll-based NTP associations, perform this procedure:

Procedure
  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

[no] ntp peer ip-address [version number] [key key-id] [source interface] [prefer]

Example:

Device(config)# ntp peer 172.16.22.44 version 2

Configures the device system clock to synchronize a peer or to be synchronized by a peer (peer association).

  • ip-address : The IP address of the peer providing or being provided, the clock synchronization.

  • number : NTP version number. The range is 1 to 3. By default, version 3 is selected.

  • key-id : Authentication key defined with the ntp authentication-key command.

  • interface : The interface from which to pick the IP source address. By default, the source IP address is taken from the outgoing interface.

  • prefer : Sets this peer as the preferred one that provides synchronization. This keyword reduces switching back and forth between peers.

Use the no form of this command to remove a peer association.

Step 4

[no] ntp server [vrf vrf-name] ip-address [version number] [key key-id] [source interface] [prefer]

Example:

Device(config)# ntp server 172.16.22.44 version 2

Configures the device's system clock to be synchronized by a time server (server association).

  • vrf-name : The virtual routing and forwarding (VRF) address of the server providing the clock synchronization.

    Note

     

    Before you configure this command, the VRF must be configured.

  • ip-address : The IP address of the time server providing the clock synchronization.

  • number : NTP version number. The range is 1 to 3. By default, version 3 is selected.

  • key-id : Authentication key defined with the ntp authentication-key command.

  • interface : The interface from which to pick the IP source address. By default, the source IP address is taken from the outgoing interface.

  • prefer : Sets this peer as the preferred one that provides synchronization. This keyword reduces clock hop among peers.

Use the no form of this command to remove a server association.

Step 5

end

Example:

Device(config)# end

Returns to privileged EXEC mode.

Configuring Broadcast-Based NTP Associations

To configure broadcast-based NTP associations, perform this procedure:

Procedure
  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

interface interface-id

Example:

Device(config)# interface gigabitethernet1/0/1

Configures an interface and enters interface configuration mode.

Step 4

[no] ntp broadcast [version number] [key key-id] [destination-address]

Example:

Device(config-if)# ntp broadcast version 2

Enables the interface to send NTP broadcast packets to a peer.

  • number : NTP version number. The range is 1 to 3. By default, version 3 is used.

  • key-id : Authentication key.

  • destination-address : IP address of the peer that is synchronizing its clock to this switch.

Use the no form of this command to disable the interface from sending NTP broadcast packets.

Step 5

[no] ntp broadcast client

Example:

Device(config-if)# ntp broadcast client

Enables the interface to receive NTP broadcast packets.

Use the no form of this command to disable the interface from receiving NTP broadcast packets.

Step 6

exit

Example:

Device(config-if)# exit

Returns to privileged EXEC mode.

Step 7

[no] ntp broadcastdelay microseconds

Example:

Device(config)# ntp broadcastdelay 100

(Optional) Change the estimated round-trip delay between the device and the NTP broadcast server

The default is 3000 microseconds. The range is from 1 to 999999.

Use the no form of this command to disable the interface from receiving NTP broadcast packets.

Step 8

end

Example:

Device(config)# end

Returns to privileged EXEC mode.

Configuring NTP Access Restrictions

You can control NTP access on two levels as described in these sections:

Creating an Access Group and Assigning a Basic IP Access List

To create an access group and assign a basic IP access list, perform this procedure:

Procedure
  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

[no] ntp access-group {query-only | serve-only | serve | peer} access-list-number

Example:

Device(config)# ntp access-group peer 99

Create an access group, and apply a basic IP access list..

  • query-only : NTP control queries.

  • serve-only : Time requests.

  • serve : Allows time requests and NTP control queries, but does not allow the device to synchronize to the remote device.

  • peer : Allows time requests and NTP control queries and allows the device to synchronize to the remote device.

  • access-list-number : IP access list number. The range is from 1 to 99.

Use the no form of this command to remove access control to the switch NTP services.

Step 4

access-list access-list-number permit source [source-wildcard]

Example:

Device(config)# access-list 99 permit 172.20.130.5

Create the access list.

  • access-list-number : IP access list number. The range is from 1 to 99.

  • permit : Permits access if the conditions are matched.

  • source : IP address of the device that is permitted access to the device.

  • source-wildcard : Wildcard bits to be applied to the source.

Note

 

When creating an access list, remember that, by default, the end of the access list contains an implicit deny statement for everything if it did not find a match before reaching the end.

Use the no form of this command to remove authentication key.

Step 5

end

Example:

Device(config)# end

Returns to privileged EXEC mode.

Disabling NTP Services on a Specific Interface

To disable NTP packets from being received on an interface, perform this procedure:

Procedure
  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

interface interface-id

Example:

Device(config)# interface gigabitethernet1/0/1

Enters global configuration mode.

Step 4

[no] ntp disable

Example:

Device(config-if)# ntp disable

Disables NTP packets from being received on the interface.

Use the no form of this command to re-enable receipt of NTP packets on an interface.

Step 5

end

Example:

Device(config-if)# end

Returns to privileged EXEC mode.

Configuring a System Name

Follow these steps to manually configure a system name:

Procedure

  Command or Action Purpose

Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

hostname name

Example:


Device(config)# hostname 
remote-users

Configures a system name. When you set the system name, it is also used as the system prompt.

The default setting is Switch.

The name must follow the rules for ARPANET hostnames. They must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, and hyphens. Names can be up to 63 characters.

Step 4

end

Example:

remote-users(config)#end
remote-users#

Returns to priviliged EXEC mode.

Step 5

show running-config

Example:


Device# show running-config 

Verifies your entries.

Step 6

copy running-config startup-config

Example:


Device# copy running-config startup-config 

(Optional) Saves your entries in the configuration file.

Setting Up DNS

If you use the device IP address as its hostname, the IP address is used and no DNS query occurs. If you configure a hostname that contains no periods (.), a period followed by the default domain name is appended to the hostname before the DNS query is made to map the name to an IP address. The default domain name is the value set by the ip domain name command in global configuration mode. If there is a period (.) in the hostname, the Cisco IOS software looks up the IP address without appending any default domain name to the hostname.

Follow these steps to set up your switch to use the DNS:

Procedure

  Command or Action Purpose

Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

ip domain name name

Example:


Device(config)# ip domain name Cisco.com

Defines a default domain name that the software uses to complete unqualified hostnames (names without a dotted-decimal domain name).

Do not include the initial period that separates an unqualified name from the domain name.

At boot time, no domain name is configured; however, if the device configuration comes from a BOOTP or Dynamic Host Configuration Protocol (DHCP) server, then the default domain name might be set by the BOOTP or DHCP server (if the servers were configured with this information).

Step 4

ip name-server server-address1 [server-address2 ... server-address6]

Example:


Device(config)# ip 
name-server 192.168.1.100 
192.168.1.200 192.168.1.300

Specifies the address of one or more name servers to use for name and address resolution.

You can specify up to six name servers. Separate each server address with a space. The first server specified is the primary server. The device sends DNS queries to the primary server first. If that query fails, the backup servers are queried.

Step 5

ip domain lookup [nsap | source-interface interface]

Example:


Device(config)# ip domain-lookup

(Optional) Enables DNS-based hostname-to-address translation on your device. This feature is enabled by default.

If your network devices require connectivity with devices in networks for which you do not control name assignment, you can dynamically assign device names that uniquely identify your devices by using the global Internet naming scheme (DNS).

Step 6

end

Example:


Device(config)# end

Returns to privileged EXEC mode.

Step 7

show running-config

Example:


Device# show running-config 

Verifies your entries.

Step 8

copy running-config startup-config

Example:


Device# copy running-config startup-config 

(Optional) Saves your entries in the configuration file.

Configuring a Message-of-the-Day Login Banner

You can create a single or multiline message banner that appears on the screen when someone logs in to the device.

Follow these steps to configure a MOTD login banner:

Procedure

  Command or Action Purpose

Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

banner motd c message c

Example:


Device(config)# banner motd # 
This is a secure site. Only 
authorized users are allowed.
For access, contact technical 
support.
#

Specifies the message of the day.

c— Enters the delimiting character of your choice, for example, a pound sign (#), and press the Return key. The delimiting character signifies the beginning and end of the banner text. Characters after the ending delimiter are discarded.

message— Enters a banner message up to 255 characters. You cannot use the delimiting character in the message.

Step 4

end

Example:


Device(config)# end

Returns to privileged EXEC mode.

Step 5

show running-config

Example:


Device# show running-config 

Verifies your entries.

Step 6

copy running-config startup-config

Example:


Device# copy running-config startup-config 

(Optional) Saves your entries in the configuration file.

Configuring a Login Banner

You can configure a login banner to be displayed on all connected terminals. This banner appears after the MOTD banner and before the login prompt.

Follow these steps to configure a login banner:

Procedure

  Command or Action Purpose

Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

banner login c message c

Example:


Device(config)# banner login $
Access for authorized users only. 
Please enter your username and 
password.
$

Specifies the login message.

c— Enters the delimiting character of your choice, for example, a pound sign (#), and press the Return key. The delimiting character signifies the beginning and end of the banner text. Characters after the ending delimiter are discarded.

message— Enters a login message up to 255 characters. You cannot use the delimiting character in the message.

Step 4

end

Example:


Device(config)# end

Returns to privileged EXEC mode.

Step 5

show running-config

Example:


Device# show running-config 

Verifies your entries.

Step 6

copy running-config startup-config

Example:


Device# copy running-config startup-config 

(Optional) Saves your entries in the configuration file.

Managing the MAC Address Table

Changing the Address Aging Time

Follow these steps to configure the dynamic address table aging time:

Procedure
  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

mac address-table aging-time [0 | 10-1000000] [routed-mac | vlan vlan-id]

Example:

Device(config)# mac address-table 
aging-time 500 vlan 2

Sets the length of time that a dynamic entry remains in the MAC address table after the entry is used or updated.

The range is 10 to 1000000 seconds. The default is 300. You can also enter 0, which disables aging. Static address entries are never aged or removed from the table.

vlan-id— Valid IDs are 1 to 4094.

Step 4

end

Example:

Device(config)# end

Returns to privileged EXEC mode.

Step 5

show running-config

Example:

Device# show running-config 

Verifies your entries.

Step 6

copy running-config startup-config

Example:

Device# copy running-config startup-config 

(Optional) Saves your entries in the configuration file.

Configuring MAC Address Change Notification Traps

Follow these steps to configure the switch to send MAC address change notification traps to an NMS host:

Procedure
  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

snmp-server host host-addr community-string notification-type { informs | traps } {version {1 | 2c | 3}} {vrf vrf instance name}

Example:

Device(config)# snmp-server host 
172.20.10.10 traps private mac-notification

Specifies the recipient of the trap message.

  • host-addr— Specifies the name or address of the NMS.

  • traps (the default) Sends SNMP traps to the host.

  • informs Sends SNMP informs to the host.

  • version Specifies the SNMP version to support. Version 1, the default, is not available with informs.

  • community-string— Specifies the string to send with the notification operation. Though you can set this string by using the snmp-server host command, we recommend that you define this string by using the snmp-server community command before using the snmp-server host command.

  • notification-type— Uses the mac-notification keyword.

  • vrf vrf instance name Specifies the VPN routing/forwarding instance for this host.

Step 4

snmp-server enable traps mac-notification change

Example:

Device(config)# snmp-server enable traps 
mac-notification change

Enables the device to send MAC address change notification traps to the NMS.

Step 5

mac address-table notification change

Example:

Device(config)# mac address-table 
notification change

Enables the MAC address change notification feature.

Step 6

mac address-table notification change [interval value] [history-size value]

Example:

Device(config)# mac address-table 
notification change interval 123
Device(config)#mac address-table 
notification change history-size 100

Enters the trap interval time and the history table size.

  • (Optional) interval value— Specifies the notification trap interval in seconds between each set of traps that are generated to the NMS. The range is 0 to 2147483647 seconds; the default is 1 second.

  • (Optional) history-size value— Specifies the maximum number of entries in the MAC notification history table. The range is 0 to 500; the default is 1.

Step 7

interface interface-id

Example:

Device(config)# interface 
gigabitethernet1/0/2

Enters interface configuration mode, and specifies the Layer 2 interface on which to enable the SNMP MAC address notification trap.

Step 8

snmp trap mac-notification change {added | removed}

Example:

Device(config-if)# snmp trap 
mac-notification change added

Enables the MAC address change notification trap on the interface.

  • Enables the trap when a MAC address is added on this interface.

  • Enables the trap when a MAC address is removed from this interface.

Step 9

end

Example:

Device(config)# end

Returns to privileged EXEC mode.

Step 10

show running-config

Example:

Device# show running-config 

Verifies your entries.

Step 11

copy running-config startup-config

Example:

Device# copy running-config startup-config 

(Optional) Saves your entries in the configuration file.

Configuring MAC Address Move Notification Traps

When you configure MAC-move notification, an SNMP notification is generated and sent to the network management system whenever a MAC address moves from one port to another within the same VLAN.

Follow these steps to configure the device to send MAC address-move notification traps to an NMS host:

Procedure
  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

snmp-server host host-addr {traps | informs} {version {1 | 2c | 3}} community-string notification-type

Example:

Device(config)# snmp-server host 
172.20.10.10 traps private mac-notification

Specifies the recipient of the trap message.

  • host-addr— Specifies the name or address of the NMS.

  • traps (the default) Sends SNMP traps to the host.

  • informs Sends SNMP informs to the host.

  • version Specifies the SNMP version to support. Version 1, the default, is not available with informs.

  • community-string— Specifies the string to send with the notification operation. Though you can set this string by using the snmp-server host command, we recommend that you define this string by using the snmp-server community command before using the snmp-server host command.

  • notification-type— Uses the mac-notification keyword.

Step 4

snmp-server enable traps mac-notification move

Example:

Device(config)# snmp-server enable traps 
mac-notification move

Enables the device to send MAC address move notification traps to the NMS.

Step 5

mac address-table notification mac-move

Example:

Device(config)# mac address-table 
notification mac-move

Enables the MAC address move notification feature.

Step 6

end

Example:

Device(config)# end

Returns to privileged EXEC mode.

Step 7

show running-config

Example:

Device# show running-config 

Verifies your entries.

Step 8

copy running-config startup-config

Example:

Device# copy running-config startup-config 

(Optional) Saves your entries in the configuration file.

What to do next

To disable MAC address-move notification traps, use the no snmp-server enable traps mac-notification move global configuration command. To disable the MAC address-move notification feature, use the no mac address-table notification mac-move global configuration command.

You can verify your settings by entering the show mac address-table notification mac-move privileged EXEC commands.

Configuring MAC Threshold Notification Traps

When you configure MAC threshold notification, an SNMP notification is generated and sent to the network management system when a MAC address table threshold limit is reached or exceeded.

Follow these steps to configure the switch to send MAC address table threshold notification traps to an NMS host:

Procedure
  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

snmp-server host host-addr {traps | informs} {version {1 | 2c | 3}} community-string notification-type

Example:

Device(config)# snmp-server host 
172.20.10.10 traps private 
mac-notification

Specifies the recipient of the trap message.

  • host-addr— Specifies the name or address of the NMS.

  • traps (the default) Sends SNMP traps to the host.

  • informs Sends SNMP informs to the host.

  • version Specifies the SNMP version to support. Version 1, the default, is not available with informs.

  • community-string— Specifies the string to send with the notification operation. You can set this string by using the snmp-server host command, but we recommend that you define this string by using the snmp-server community command before using the snmp-server host command.

  • notification-type— Uses the mac-notification keyword.

Step 4

snmp-server enable traps mac-notification threshold

Example:

Device(config)# snmp-server enable traps 
mac-notification threshold

Enables MAC threshold notification traps to the NMS.

Step 5

mac address-table notification threshold

Example:

Device(config)# mac address-table 
notification threshold

Enables the MAC address threshold notification feature.

Step 6

mac address-table notification threshold [limit percentage] | [interval time]

Example:

Device(config)# mac address-table 
notification threshold interval 123
Device(config)# mac address-table 
notification threshold limit 78

Enters the threshold value for the MAC address threshold usage monitoring.

  • (Optional) limit percentage— Specifies the percentage of the MAC address table use; valid values are from 1 to 100 percent. The default is 50 percent.

  • (Optional) interval time— Specifies the time between notifications; valid values are greater than or equal to 120 seconds. The default is 120 seconds.

Step 7

end

Example:

Device(config)# end

Returns to privileged EXEC mode.

Step 8

show running-config

Example:

Device# show running-config 

Verifies your entries.

Step 9

copy running-config startup-config

Example:

Device# copy running-config startup-config 

(Optional) Saves your entries in the configuration file.

Disabling MAC Address Learning on VLAN

This feature is supported on Cisco Catalyst 9500 High Performance Series Switches.

You can control MAC address learning on a VLAN to manage the available MAC address table space by controlling which VLANs can learn MAC addresses. Before you disable MAC address learning, be sure that you are familiar with the network topology. Disabling MAC address learning on VLAN could cause flooding in the network.

Beginning in privileged EXEC mode, follow these steps to disable MAC address learning on a VLAN:

Before you begin

Follow these guidelines when disabling MAC address learning on a VLAN:

  • Use caution before disabling MAC address learning on a VLAN with a configured switch virtual interface (SVI). The switch then floods all IP packets in the Layer 2 domain.

  • You can disable MAC address learning on a single VLAN ID from 2 - 4093 (for example, no mac address-table learning vlan 223) or a range of VLAN IDs, separated by a hyphen or comma (for example, no mac address-table learning vlan 1-10, 15).

  • It is recommended that you disable MAC address learning only in VLANs with two ports. If you disable MAC address learning on a VLAN with more than two ports, every packet entering the switch is flooded in that VLAN domain.

  • If you disable MAC address learning on a VLAN that includes a secure port, MAC address learning is not disabled on that port.

Procedure
  Command or Action Purpose

Step 1

configure terminal

Example:
Device# configure  terminal

Enters the global configuration mode.

Step 2

no mac-address-table learning vlan[vlan-id |,vlan-id | -vlan-id,]

Example:
Device(config)# no mac-address-table learning {vlan vlan-id [,vlan-id | -vlan-id]

Disable MAC address learning on a specified VLAN or VLANs.

You can specify a single VLAN ID or a range of VLAN IDs separated by a hyphen or comma. Valid VLAN IDs range from 2 - 4093. It cannot be an internal VLAN.

Step 3

end

Example:
Device(config)# end

Returns to privileged EXEC mode.

Step 4

show mac-address-table learning vlan[vlan-id ]

Example:
Device# show mac-address-table learning [vlan vlan-id]

Verify the configuration.

You can display the MAC address learning status of all VLANs or a specified VLAN by entering the show mac-address-table learning [vlan vlan-id] privileged EXEC command.

Step 5

copy running-config startup-config

Example:
Device# copy running-config startup-config

(Optional) Save your entries in the configuration file.

Step 6

default mac address-table learning

Example:
Device# default mac address-table

(Optional) Reenable MAC address learning on VLAN in a global configuration mode.

Adding and Removing Static Address Entries

Follow these steps to add a static address:

Procedure
  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

mac address-table static mac-addr vlan vlan-id interface interface-id

Example:

Device(config)# mac address-table 
static c2f3.220a.12f4 vlan 4 interface gigabitethernet 1/0/1 

Adds a static address to the MAC address table.

  • mac-addr— Specifies the destination MAC unicast address to add to the address table. Packets with this destination address received in the specified VLAN are forwarded to the specified interface.

  • vlan-id— Specifies the VLAN for which the packet with the specified MAC address is received. Valid VLAN IDs are 1 to 4094.

  • interface-id— Specifies the interface to which the received packet is forwarded. Valid interfaces include physical ports or port channels. For static multicast addresses, you can enter multiple interface IDs. For static unicast addresses, you can enter only one interface at a time, but you can enter the command multiple times with the same MAC address and VLAN ID.

Step 4

show running-config

Example:

Device# show running-config 

Verifies your entries.

Step 5

copy running-config startup-config

Example:

Device# copy running-config startup-config 

(Optional) Saves your entries in the configuration file.

Configuring Unicast MAC Address Filtering

Follow these steps to configure the device to drop a source or destination unicast static address:

Procedure
  Command or Action Purpose

Step 1

enable

Example:
Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:
Device# configure terminal

Enters global configuration mode.

Step 3

mac address-table static mac-addr vlan vlan-id drop

Example:
Device(config)# mac address-table static c2f3.220a.12f4 vlan 4 drop

Enables unicast MAC address filtering and configure the device to drop a packet with the specified source or destination unicast static address.

  • mac-addr— Specifies a source or destination unicast MAC address (48-bit). Packets with this MAC address are dropped.

  • vlan-id— Specifies the VLAN for which the packet with the specified MAC address is received. Valid VLAN IDs are 1 to 4094.

Step 4

end

Example:
Device(config)# end

Returns to privileged EXEC mode.

Step 5

show running-config

Example:
Device# show running-config

Verifies your entries.

Step 6

copy running-config startup-config

Example:
Device# copy running-config startup-config

(Optional) Saves your entries in the configuration file.

Monitoring and Maintaining Administration of the Device

Command Purpose

clear mac address-table dynamic

Removes all dynamic entries.

clear mac address-table dynamic address mac-address

Removes a specific MAC address.

clear mac address-table dynamic interface interface-id

Removes all addresses on the specified physical port or port channel.

clear mac address-table dynamic vlan vlan-id

Removes all addresses on a specified VLAN.

show clock [detail]

Displays the time and date configuration.

show ip igmp snooping groups

Displays the Layer 2 multicast entries for all VLANs or the specified VLAN.

show mac address-table address mac-address

Displays MAC address table information for the specified MAC address.

show mac address-table aging-time

Displays the aging time in all VLANs or the specified VLAN.

show mac address-table count

Displays the number of addresses present in all VLANs or the specified VLAN.

show mac address-table dynamic

Displays only dynamic MAC address table entries.

show mac address-table interface interface-name

Displays the MAC address table information for the specified interface.

show mac address-table move update

Displays the MAC address table move update information.

show mac address-table multicast

Displays a list of multicast MAC addresses.

show mac address-table notification {change | mac-move | threshold}

Displays the MAC notification parameters and history table.

show mac address-table secure

Displays the secure MAC addresses.

show mac address-table static

Displays only static MAC address table entries.

show mac address-table vlan vlan-id

Displays the MAC address table information for the specified VLAN.

Configuration Examples for Device Administration

Example: Setting the System Clock

This example shows how to manually set the system clock:


Device# clock set 13:32:00 23 July 2013

Examples: Configuring Summer Time

This example (for daylight savings time) shows how to specify that summer time starts on March 10 at 02:00 and ends on November 3 at 02:00:


Device(config)# clock summer-time PDT recurring PST date 
10 March 2013 2:00 3 November 2013 2:00

This example shows how to set summer time start and end dates:


Device(config)#clock summer-time PST date 
20 March 2013 2:00 20 November 2013 2:00

Example: Configuring a MOTD Banner

This example shows how to configure a MOTD banner by using the pound sign (#) symbol as the beginning and ending delimiter:

 
Device(config)# banner motd #

This is a secure site. Only authorized users are allowed.
For access, contact technical support.

#

Device(config)#

This example shows the banner that appears from the previous configuration:


Unix> telnet 192.0.2.15

Trying 192.0.2.15...

Connected to 192.0.2.15.

Escape character is '^]'.

This is a secure site. Only authorized users are allowed.

For access, contact technical support.

User Access Verification

Password:

Example: Configuring a Login Banner

This example shows how to configure a login banner by using the dollar sign ($) symbol as the beginning and ending delimiter:


Device(config)# banner login $

Access for authorized users only. Please enter your username and password.

$

Device(config)#

Example: Configuring MAC Address Change Notification Traps

This example shows how to specify 172.20.10.10 as the NMS, enable MAC address notification traps to the NMS, enable the MAC address-change notification feature, set the interval time to 123 seconds, set the history-size to 100 entries, and enable traps whenever a MAC address is added on the specified port:


Device(config)# snmp-server host 172.20.10.10 traps private mac-notification
Device(config)# snmp-server enable traps mac-notification change
Device(config)# mac address-table notification change 
Device(config)# mac address-table notification change interval 123
Device(config)# mac address-table notification change history-size 100
Device(config)# interface gigabitethernet1/2/1
Device(config-if)# snmp trap mac-notification change added

Example: Configuring MAC Threshold Notification Traps

This example shows how to specify 172.20.10.10 as the NMS, enable the MAC address threshold notification feature, set the interval time to 123 seconds, and set the limit to 78 per cent:


Device(config)# snmp-server host 172.20.10.10 traps private mac-notification
Device(config)# snmp-server enable traps mac-notification threshold
Device(config)# mac address-table notification threshold
Device(config)# mac address-table notification threshold interval 123
Device(config)# mac address-table notification threshold limit 78

Example: Adding the Static Address to the MAC Address Table

This example shows how to add the static address c2f3.220a.12f4 to the MAC address table. When a packet is received in VLAN 4 with this MAC address as its destination address, the packet is forwarded to the specified port:


Note


You cannot associate the same static MAC address to multiple interfaces. If the command is executed again with a different interface, the static MAC address is overwritten on the new interface.



Device(config)# mac address-table static c2f3.220a.12f4 vlan 4 interface gigabitethernet1/1/1

Example: Configuring Unicast MAC Address Filtering

This example shows how to enable unicast MAC address filtering and how to configure drop packets that have a source or destination address of c2f3.220a.12f4. When a packet is received in VLAN 4 with this MAC address as its source or destination, the packet is dropped:


Device(config)# mac address-table static c2f3.220a.12f4 vlan 4 drop

Additional References for Device Administration

Related Documents

Related Topic Document Title

For complete syntax and usage information for the commands used in this chapter.

Command Reference (Catalyst 9500 Series Switches)

For configuring VRF-aware services for NTP.

Configuring Multi-VRF CE in IP Routing Configuration Guide

Feature History for Device Administration

This table provides release and related information for features explained in this module.

These features are available on all releases subsequent to the one they were introduced in, unless noted otherwise.

Release

Feature

Feature Information

Cisco IOS XE Everest 16.5.1a

Device Administration

The device administration allows to configure the system time and date, system name, a login banner, and set up the DNS.

Support for this feature was introduced only on the C9500-12Q, C9500-16X, C9500-24Q, C9500-40X models of the Cisco Catalyst 9500 Series Switches.

Cisco IOS XE Fuji 16.8.1a

Device Administration

Support for this feature was introduced only on the C9500-32C, C9500-32QC, C9500-48Y4C, and C9500-24Y4C models of the Cisco Catalyst 9500 Series Switches.

Use Cisco Feature Navigator to find information about platform and software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn.