To display access control lists (ACLs) configured on the switch, use the show access-lists command in privileged EXEC mode.
show access-lists [name | number | hardware counters | ipc ]
(Optional) Displays global hardware ACL statistics for switched and routed packets.
(Optional) Displays Interprocess Communication (IPC) protocol access-list configuration download information.
The switch supports only IP standard and extended access lists. The allowed numbers are only 1 to 199 and 1300 to 2699.
This command also displays the MAC ACLs that are configured.
Note: Though visible in the command-line help strings, the rate-limit keywords are not supported.
This is an example of output from the show access-lists command:
This is an example of output from the show access-lists hardware counters command:
To display the alarm numbers with the text description, use the show alarm description port command in EXEC mode.
This example shows output from the show alarm description port command. It shows the alarm IDs and their respective alarm descriptions.
To display all alarm profiles configured in the system or the specified profile and the interfaces to which each profile is attached, use the show alarm profile command in EXEC mode.
(Optional) Displays only the profile with the specified name.
If you do not enter a profile name, the display includes the profile information for all existing alarm profiles. This command does not display the default configuration settings.
The defaultPort profile is applied by default to all interfaces. This profile enables only the Port Not Operating (3) alarm. You can use the alarm profile defaultPort global configuration command and modify this profile to enable other alarms.
These are examples of output from the show alarm profile command.
This output displays all ports that are attached to the configured profiles:
This output displays all the configured profiles:
Creates an alarm profile containing one or more alarm IDs and alarm options.
To display all environmental alarm settings on the switch, use the show alarm settings command in EXEC mode.
This example shows output from the show alarm settings command. It shows all the switch alarm settings that are on the switch:
To display the status of a new image being downloaded to a switch with the HTTP or the TFTP protocol, use the show archive status command in Privileged EXEC mode.
If you use the archive download-sw privileged EXEC command to download an image to a TFTP server, the output of the archive download-sw command shows the status of the download.
If you do not have a TFTP server, you can use Network Assistant or the embedded Device Manager to download the image by using HTTP. The show archive status command shows the progress of the download.
These are examples of output from the show archive status command:
To display detailed information about Address Resolution Protocol (ARP) access control lists, use the show arp access-list command in EXEC mode.
show arp access-list [ acl-name ]
This is an example of output from the show arp access-list command:
To display information about authentication manager events on the switch, use the show authentication command in EXEC mode.
show authentication { interface interface-id | registrations | sessions [ session-id session-id ] [ handle handle ] [ interface interface-id ] [ mac mac ] [ method method ] | statistics [ summary ]}
Table 0-1 describes the significant fields shown in the output of the show authentication command.
Note: The possible values for the status of sessions are shown in the table. For a session in terminal state, Authz Success or Authz Failed is displayed along with No methods if no method has provided a result.
Table 0-2 lists the possible values for the state of methods. For a session in a terminal state, Authc Success, Authc Failed, or Failed over are displayed. Failed over means that an authentication method ran and then failed over to the next method, which did not provide a result. Not run appears for sessions that synchronized on standby.
This example shows output of the show authentication registrations command:
This example shows output of the show authentication interface interface-id command:
This example shows output of the show authentication sessions command:
This example shows output of the show authentication sessions command for a specified interface:
This example shows output of the show authentication sessions command for a specified MAC address:
This example shows output of the show authentication session method command for a specified method:
To display the quality of service (QoS) commands entered on the interfaces on which automatic QoS (auto-QoS) is enabled, use the show auto qos command in EXEC mode.
show auto qos [ interface [ interface-id ]]
Note: This command is available only when the switch is running the LAN Base image.
(Optional) Displays auto-QoS information for the specified port or for all ports. Valid interfaces include physical ports.
The show auto qos command output shows only the auto-QoS command entered on each interface. The show auto qos interface interface-id command output shows the auto-QoS command entered on a specific interface.
Use the show running-config privileged EXEC command to display the auto-QoS configuration and the user modifications.
The show auto qos command output also shows the service policy information for the Cisco IP phone.
To display information about the QoS configuration that might be affected by auto-QoS, use one of these commands:
This is an example of output from the show auto qos command after the auto qos voip cisco-phone and the auto qos voip cisco-softphone interface configuration commands are entered:
This is an example of output from the show auto qos interface interface-id command when the auto qos voip cisco-phone interface configuration command is entered:
This is an example of output from the show running-config privileged EXEC command when the auto qos voip cisco-phone and the auto qos voip cisco-softphone interface configuration commands are entered:
This is an example of output from the show auto qos interface interface-id command when the auto qos voip cisco-phone interface configuration command is entered:
This is an example of output from the show auto qos command when auto-QoS is disabled on the switch:
This is an example of output from the show auto qos interface interface-id command when auto-QoS is disabled on an interface:
To display the settings of the boot environment variables, use the show boot command in Privileged EXEC mode.
This is an example of output from the show boot command. Table 0-3 describes each field in the display.
To display the buffer size for file system-simulated NVRAM, use the show boot buffersize command in Privileged EXEC mode.
This example shows how to display the file system-simulated NVRAM boot buffer size.
To display the Time Domain Reflector (TDR) results, use the show cable-diagnostics tdr command in Privileged EXEC mode.
show cable-diagnostics tdr interface interface-id
For more information about TDR, see the software configuration guide for this release.
This is an example of output from the show cable-diagnostics tdr interface interface-id command:
Table 0-4 lists the descriptions of the fields in the show cable-diagnostics tdr command output.
This is an example of output from the show interfaces interface-id command when TDR is running:
This is an example of output from the show cable-diagnostics tdr interface interface-id command when TDR is not running:
If an interface does not support TDR, this message appears:
To display information about the Common Industrial Protocol (CIP) subsystem, use the show cip command in Privileged EXEC mode.
show cip { connection { count | explicit | implicit } | faults | file { config | eds | vlan }| miscellaneous | object { assembly | dhcp instance instance | ethernet link | identity | switch { paramenter }| sync | tcp/ip { interface }}| security | session | status }
This is an example of output from the show cip fault command:
This is an example of output from the show cip security command:
To display CISP information for a specified interface, use the show cisp command in Privileged EXEC mode.
show cisp {[ interface interface-id ] | clients | summary }
(Optional) Displays CISP information about the specified interface. Valid interfaces include physical ports and port channels.
This example shows output from the show cisp interface command:
This example shows output from the show cisp summary command:
To display quality of service (QoS) class maps, which define the match criteria to classify traffic, use the show class-map command in EXEC mode.
show class-map [ class-map-name ]
This is an example of output from the show class-map command:
Creates a class map to be used for matching packets to the class whose name you specify.
To display the cluster status and a summary of the cluster to which the switch belongs, use the show cluster command in EXEC mode. This command can be entered on the cluster command switch and cluster member switches.
If you enter this command on a switch that is not a cluster member, the error message Not a management cluster member appears.
On a cluster member switch, this command displays the identity of the cluster command switch, the switch member number, and the state of its connectivity with the cluster command switch.
On a cluster command switch, this command displays the cluster name and the total number of members. It also shows the cluster status and time since the status changed. If redundancy is enabled, it displays the primary and secondary command-switch information.
This is an example of output when the show cluster command is entered on the active cluster command switch:
This is an example of output when the show cluster command is entered on a cluster member switch:
This is an example of output when the show cluster command is entered on a cluster member switch that is configured as the standby cluster command switch:
This is an example of output when the show cluster command is entered on the cluster command switch that has lost connectivity with member 1:
This is an example of output when the show cluster command is entered on a cluster member switch that has lost connectivity with the cluster command switch:
Enables a command-capable switch as the cluster command switch, assigns a cluster name, and optionally assigns a member number to it.
To display a list of candidate switches, use the show cluster candidates command in Privileged EXEC mode.
show cluster candidates [ detail | mac-address H.H.H. ]
(Optional) Displays detailed information for all candidates.
(Optional) Specifies the MAC address of the cluster candidate.
This command is available only on the cluster command switch.
If the switch is not a cluster command switch, the command displays an empty line at the prompt.
The SN in the display means switch member number. If E appears in the SN column, it means that the switch is discovered through extended discovery. If E does not appear in the SN column, it means that the switch member number is the upstream neighbor of the candidate switch. The hop count is the number of devices the candidate is from the cluster command switch.
This is an example of output from the show cluster candidates command:
This is an example of output from the show cluster candidates command that uses the MAC address of a cluster member switch directly connected to the cluster command switch:
This is an example of output from the show cluster candidates command that uses the MAC address of a cluster member switch three hops from the cluster edge:
This is an example of output from the show cluster candidates detail command:
Displays the cluster status and a summary of the cluster to which the switch belongs.
To display information about the cluster members, use the show cluster members command in Privileged EXEC mode.
show cluster members [ n | detail ]
(Optional) Number that identifies a cluster member. The range is 0 to 15.
(Optional) Displays detailed information for all cluster members.
This command is available only on the cluster command switch.
If the cluster has no members, this command displays an empty line at the prompt.
This is an example of output from the show cluster members command. The SN in the display means switch number.
This is an example of output from the show cluster members for cluster member 3:
This is an example of output from the show cluster members detail command:
Displays the cluster status and a summary of the cluster to which the switch belongs.
To display the state of the CPU network interface ASIC and the send and receive statistics for packets reaching the CPU, use the show controllers cpu-interface command in Privileged EXEC mode.
show controllers cpu-interface
This display provides information that might be useful for Cisco technical support representatives troubleshooting the switch.
This is a partial output example from the show controllers cpu-interface command:
To display per-interface send and receive statistics read from the hardware, use the show controllers ethernet-controller command in Privileged EXEC mode without keywords.
show controllers ethernet-controller [ interface-id ] [ phy [ detail ]] [ port-asic { configuration | statistics }] [ fastethernet 0 ]
Privileged EXEC (only supported with the interface-id variable in EXEC mode)
This command without keywords provides traffic statistics, basically the RMON statistics for all interfaces or for the specified interface.
When you enter the phy or port-asic keywords, the displayed information is useful primarily for Cisco technical support representatives troubleshooting the switch.
This is an example of output from the show controllers ethernet-controller command for an interface. Table 0-5 describes the Transmit fields, and Table 0-6 describes the Receive fields.
The number of frames dropped on the egress port because the packet aged out.
The number of frames that are not sent after the time exceeds 2*maximum-packet time.
The number of frames that are larger than the maximum allowed frame size.
The number of frames that are successfully sent on an interface after one collision occurs.
The number of frames that are successfully sent on an interface after two collisions occur.
The number of frames that are successfully sent on an interface after three collisions occur.
The number of frames that are successfully sent on an interface after four collisions occur.
The number of frames that are successfully sent on an interface after five collisions occur.
The number of frames that are successfully sent on an interface after six collisions occur.
The number of frames that are successfully sent on an interface after seven collisions occur.
The number of frames that are successfully sent on an interface after eight collisions occur.
The number of frames that are successfully sent on an interface after nine collisions occur.
The number of frames that are successfully sent on an interface after ten collisions occur.
The number of frames that are successfully sent on an interface after 11 collisions occur.
The number of frames that are successfully sent on an interface after 12 collisions occur.
The number of frames that are successfully sent on an interface after 13 collisions occur.
The number of frames that are successfully sent on an interface after 14 collisions occur.
The number of frames that are successfully sent on an interface after 15 collisions occur.
The number of frames that could not be sent on an interface after 16 collisions occur.
After a frame is sent, the number of frames dropped because late collisions were detected while the frame was sent.
The number of frames dropped on an interface because the CFI bit is set.
The number of frames that are not sent after the time exceeds the maximum-packet time.
The total number of frames sent on an interface that are 64 bytes.
The total number of frames sent on an interface that are from 65 to 127 bytes.
The total number of frames sent on an interface that are from 128 to 255 bytes.
The total number of frames sent on an interface that are from 256 to 511 bytes.
The total number of frames sent on an interface that are from 512 to 1023 bytes.
The total number of frames sent on an interface that are from 1024 to 1518 bytes.
The number of frames sent on an interface that are larger than the maximum allowed frame size.
The number of frames that are successfully sent on an interface after one collision occurs. This value does not include the number of frames that are not successfully sent after one collision occurs.
The total amount of memory (in bytes) used by frames received on an interface, including the FCS value and the incorrectly formed frames. This value excludes the frame header bits.
The total number of frames successfully received on the interface that are directed to unicast addresses.
The total number of frames successfully received on the interface that are directed to multicast addresses.
The total number of frames successfully received on an interface that are directed to broadcast addresses.
The total amount of memory (in bytes) used by unicast frames received on an interface, including the FCS value and the incorrectly formed frames. This value excludes the frame header bits.
The total amount of memory (in bytes) used by multicast frames received on an interface, including the FCS value and the incorrectly formed frames. This value excludes the frame header bits.
The total amount of memory (in bytes) used by broadcast frames received on an interface, including the FCS value and the incorrectly formed frames. This value excludes the frame header bits.
The total number of frames received on an interface that have alignment errors.
The total number of frames received on an interface that have a valid length (in bytes) but do not have the correct FCS values.
The number of frames received on an interface that are larger than the maximum allowed frame size.
The number of frames received on an interface that are smaller than 64 bytes.
The total number of frames that are from 1024 to 1518 bytes.
The total number of overrun frames received on an interface.
The number of frames received on an interface that have symbol errors.
The number of frames received that were larger than maximum allowed MTU size (including the FCS bits and excluding the frame header) and that have either an FCS error or an alignment error.
The number of frames received on an interface that are larger than the maximum allowed frame size.
The number of frames received that are smaller than 64 bytes (including the FCS bits and excluding the frame header) and that have either an FCS error or an alignment error.
The number of frames received on an interface that are smaller than 64 bytes (or 68 bytes for VLAN-tagged frames) and that have valid FCS values. The frame size includes the FCS bits but excludes the frame header bits.
The number of frames dropped on the ingress port because the packet aged out.
The number of frames received on an interface that are larger than the maximum allowed frame size and have valid FCS values. The frame size includes the FCS value but does not include the VLAN tag.
The total number of frames received on an interface that have a valid length (in bytes) but that do not have the correct FCS values.
The total number of frames received on an interface that are dropped because the ingress queue is full.
This is an example of output from the show controllers ethernet-controller phy command for a specific interface:
This is an example of output from the show controllers ethernet-controller port-asic configuration command:
This is an example of output from the show controllers ethernet-controller port-asic statistics command:
Use the show controllers power inline command in EXEC mode to display the values in the registers of the specified Power over Ethernet (PoE) controller.
show controllers power inline [ instance ]
(Optional) Power controller instance, where each instance corresponds to four ports. If no instance is specified, information for all instances appears.
The instance range is 0 to 1. For instances other than 0 to 1, the switch provides no output.
Though the instances are visible on all switches, this command is valid only for PoE switches. The command does not provide information for switches that do not support PoE.
The output provides information that might be useful for Cisco technical support representatives troubleshooting the switch.
This is an example of output from the show controllers power inline command on a switch:
Switch# show controllers power inline
Configures the power management mode for the specified PoE port or for all PoE ports.
Displays the PoE status for the specified PoE port or for all PoE ports.
To display the state of the registers for all ternary content addressable memory (TCAM) in the system and for all TCAM interface ASICs that are CAM controllers, use the show controllers tcam command in Privileged EXEC mode.
show controllers tcam [ asic [ number ]] [ detail ]
(Optional) Displays information for the specified port ASIC number. The range is from 0 to 15.
This command provides information that might be useful for Cisco technical support representatives troubleshooting the switch.
This is an example of output from the show controllers tcam command:
To display bandwidth utilization on the switch or specific ports, use the show controllers utilization command in EXEC mode.
show controllers [ interface-id ] utilization
This is an example of output from the show controllers utilization command:
This is an example of output from the show controllers utilization command on a specific port:
To display IEEE 802.1x statistics, administrative status, and operational status for the switch or for the specified port, use the show dot1x command in EXEC mode.
show dot1x [{ all [ summary ] | interface interface-id } [ details | statistics ]]
(Optional) Displays the IEEE 802.1x status for the specified port (including type, module, and port number).
(Optional) Displays IEEE 802.1x statistics for the specified port.
If you do not specify a port, global parameters and a summary appear. If you specify a port, details for that port appear.
If the port control is configured as unidirectional or bidirectional control and this setting conflicts with the switch configuration, the show dot1x { all | interface interface-id } privileged EXEC command output has this information:
This is an example of output from the show dot1x EXEC command:
This is an example of output from the show dot1x all EXEC command:
This is an example of output from the show dot1x all summary EXEC command:
This is an example of output from the show dot1x interface interface-id EXEC command:
This is an example of output from the show dot1x interface interface-id details EXEC command:
This is an example of output from the show dot1x interface interface-id details command when a port is assigned to a guest VLAN and the host mode changes to multiple-hosts mode:
This is an example of output from the show dot1x interface interface-id statistics command. Table 0-8 describes the fields in the display.
To display Dynamic Trunking Protocol (DTP) information for the switch or for a specified interface, use the show dtp command in Privileged EXEC mode.
show dtp [ interface interface-id ]
(Optional) Displays port security settings for the specified interface. Valid interfaces include physical ports (including type, module, and port number).
This is an example of output from the show dtp command:
This is an example of output from the show dtp interface command:
show interfaces trunk
To display Extensible Authentication Protocol (EAP) registration and session information for the switch or for the specified port, use the show eap command in Privileged EXEC mode.
show eap {{ registrations [ method [ name ] | transport [ name ]]} | { sessions [ credentials name [ interface interface-id ] | interface interface-id | method name | transport name ]}} [ credentials name | interface interface-id | transport name ]
(Optional) Displays the EAP information for the specified port (including type, module, and port number).
When you use the show eap registrations privileged EXEC command with these keywords, the command output shows this information:
When you use the show eap sessions privileged EXEC command with these keywords, the command output shows this information:
This is an example of output from the show eap registrations all privileged EXEC command:
This is an example of output from the show eap registrations transport privileged EXEC command:
This is an example of output from the show eap sessions privileged EXEC command:
This is an example of output from the show eap sessions interface interface-id privileged EXEC command:
Clears EAP session information for the switch or for the specified port.
To show switch environment information, use the show env command in EXEC mode.
show env { all | power | temperature [ status ]}
The command output shows the green and yellow states as OK and the red state as FAULTY.
If you enter the show env all command on this switch, the command output is the same as the show env temperature status command output.
For more information about the threshold levels, see the software configuration guide for this release.
This is an example of output from the show env all command:
This is an example of output from the show env power command.
This is an example of output from the show env temperature command.
This is an example of output from the show env temperature status command.
To show the alarm contact information, use the show env alarm contact command in EXEC mode.
This example shows the output of the show env alarm-contact command:
To display error-disabled detection status, use the show errdisable detect command in EXEC mode.
A displayed gbic-invalid error reason refers to an invalid small form-factor pluggable (SFP) module.
This is an example of output from the show errdisable detect command:
Enables error-disabled detection for a specific cause or all causes.
show interfaces status
Displays interface status or a list of interfaces in error-disabled state.
To display conditions that cause an error to be recognized for a cause, use the show errdisable flap-values command in EXEC mode.
The Flaps column in the command display shows how many changes to the state within the specified time interval will cause an error to be detected and a port to be disabled. For example, the display shows that an error will be assumed and the port shut down if three Dynamic Trunking Protocol (DTP)-state (port mode access/trunk) or Port Aggregation Protocol (PAgP) flap changes occur during a 30-second interval, or if 5 link-state (link up/down) changes occur during a 10-second interval.
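The threshold logic described above, as an added Python illustration (not Cisco code and not taken from the switch software): it counts state changes per port and cause and reports the moment the flap count within the interval reaches the value quoted in the paragraph. The sliding-window interpretation, the function name and the event list are assumptions made for the example; the events are constructed.

```python
from collections import defaultdict, deque

# Thresholds quoted in the paragraph above: cause -> (flaps, interval in seconds).
FLAP_VALUES = {
    "pagp-flap": (3, 30),
    "dtp-flap": (3, 30),
    "link-flap": (5, 10),
}

# Constructed events: (time in seconds, interface, cause of the state change).
EVENTS = [
    # Gi1/1: five link-state changes inside 10 seconds, then one more.
    (0, "Gi1/1", "link-flap"), (2, "Gi1/1", "link-flap"),
    (4, "Gi1/1", "link-flap"), (6, "Gi1/1", "link-flap"),
    (8, "Gi1/1", "link-flap"), (9, "Gi1/1", "link-flap"),
    # Gi1/2: five link-state changes, but spread over 20 seconds.
    (0, "Gi1/2", "link-flap"), (5, "Gi1/2", "link-flap"),
    (10, "Gi1/2", "link-flap"), (15, "Gi1/2", "link-flap"),
    (20, "Gi1/2", "link-flap"),
    # Gi1/3: three DTP-state changes inside 30 seconds.
    (100, "Gi1/3", "dtp-flap"), (110, "Gi1/3", "dtp-flap"),
    (125, "Gi1/3", "dtp-flap"),
]


def find_errdisable_triggers(events, flap_values=FLAP_VALUES):
    """Return (time, interface, cause) for each port at the moment its flap
    count within the interval reaches the threshold.

    Assumption: the interval is treated as a sliding window that ends at the
    newest event, and events exactly `interval` seconds apart still count.
    """
    recent = defaultdict(deque)   # (port, cause) -> timestamps inside window
    disabled = set()              # ports already reported as error-disabled
    triggers = []
    for ts, port, cause in sorted(events):
        if cause not in flap_values or port in disabled:
            continue              # unknown cause, or port is already shut down
        flaps, interval = flap_values[cause]
        window = recent[(port, cause)]
        window.append(ts)
        # Drop state changes that fell out of the interval.
        while ts - window[0] > interval:
            window.popleft()
        if len(window) >= flaps:
            triggers.append((ts, port, cause))
            disabled.add(port)
    return triggers


if __name__ == "__main__":
    for ts, port, cause in find_errdisable_triggers(EVENTS):
        print(f"t={ts:>3}s  {port}  would be error-disabled ({cause})")
```

Gi1/2 never reaches the threshold because no 10-second span contains five of its link-state changes, which is the distinction the Flaps and interval columns encode.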
This is an example of output from the show errdisable flap-values command:
Enables error-disabled detection for a specific cause or all causes.
show interfaces status
Displays interface status or a list of interfaces in error-disabled state.
To display the error-disabled recovery timer information, use the show errdisable recovery command in EXEC mode.
A gbic-invalid error-disable reason shown in the command output refers to an invalid small form-factor pluggable (SFP) module interface.
This is an example of output from the show errdisable recovery command:
```
ErrDisable Reason    Timer Status
-----------------    --------------
udld                 Disabled
bpduguard            Disabled
security-violatio    Disabled
channel-misconfig    Disabled
vmps                 Disabled
pagp-flap            Disabled
dtp-flap             Disabled
link-flap            Enabled
l2ptguard            Disabled
psecure-violation    Disabled
gbic-invalid         Disabled
dhcp-rate-limit      Disabled
unicast-flood        Disabled
storm-control        Disabled
arp-inspection       Disabled
loopback             Disabled
Timer interval:300 seconds
Interfaces that will be enabled at the next timeout:
Interface    Errdisable reason    Time left(sec)
---------    -----------------    --------------
Gi1/2        link-flap            279
```
Note: Though visible in the output, the unicast-flood field is not valid.
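An added example, not part of the Cisco documentation: a Python parser for the show errdisable recovery output above that reports which causes have the recovery timer enabled and which ports are about to be re-enabled automatically. The WATCHED set is an assumed review policy (causes where the shutdown was a protective control), the function names are hypothetical, and SAMPLE is the output above with column spacing restored.

```python
import re

# The example output from this page, with column spacing restored.
SAMPLE = """\
ErrDisable Reason    Timer Status
-----------------    --------------
udld                 Disabled
bpduguard            Disabled
security-violatio    Disabled
channel-misconfig    Disabled
vmps                 Disabled
pagp-flap            Disabled
dtp-flap             Disabled
link-flap            Enabled
l2ptguard            Disabled
psecure-violation    Disabled
gbic-invalid         Disabled
dhcp-rate-limit      Disabled
unicast-flood        Disabled
storm-control        Disabled
arp-inspection       Disabled
loopback             Disabled
Timer interval:300 seconds
Interfaces that will be enabled at the next timeout:
Interface    Errdisable reason    Time left(sec)
---------    -----------------    --------------
Gi1/2        link-flap            279
"""

# Assumption (review policy, not from the page): causes where a port was shut
# down by a protective feature, so automatic recovery deserves a second look.
WATCHED = {"bpduguard", "security-violatio", "psecure-violation",
           "arp-inspection", "dhcp-rate-limit", "storm-control"}

# The page notes that the unicast-flood field is not valid, so it is skipped.
IGNORED = {"unicast-flood"}

REASON_RE = re.compile(r"^(\S+)\s+(Enabled|Disabled)$")
INTERVAL_RE = re.compile(r"^Timer interval:\s*(\d+)\s+seconds$")
PENDING_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)$")


def parse_errdisable_recovery(text):
    """Split the output into recovery timers, timer interval and pending ports."""
    result = {"timers": {}, "interval": None, "pending": []}
    section = "timers"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"-", " "}:
            continue                      # blank lines and dashed rulers
        match = INTERVAL_RE.match(line)
        if match:
            result["interval"] = int(match.group(1))
            continue
        if line.startswith("Interfaces that will be enabled"):
            section = "pending"           # second table starts here
            continue
        if section == "timers":
            match = REASON_RE.match(line)  # column headers do not match
            if match and match.group(1) not in IGNORED:
                result["timers"][match.group(1)] = match.group(2) == "Enabled"
        else:
            match = PENDING_RE.match(line)
            if match:
                port, cause, left = match.groups()
                result["pending"].append((port, cause, int(left)))
    return result


def audit(parsed, watched=WATCHED):
    """List watched causes with recovery enabled, then ports awaiting recovery."""
    findings = []
    for cause in sorted(watched):
        if parsed["timers"].get(cause):
            findings.append(f"auto-recovery enabled for {cause} "
                            f"(ports return after {parsed['interval']} s)")
    for port, cause, left in parsed["pending"]:
        tag = "REVIEW" if cause in watched else "info"
        findings.append(f"{tag}: {port} re-enables in {left} s (cause {cause})")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_errdisable_recovery(SAMPLE)):
        print(finding)
```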
show interfaces status
Displays interface status or a list of interfaces in error-disabled state.
To display EtherChannel information for a channel, use the show etherchannel command in EXEC mode.
show etherchannel [ channel-group-number { detail | port | port-channel | protocol | summary }] { detail | load-balance | port | port-channel | protocol | summary }
If you do not specify a channel-group-number value, all channel groups are displayed.
In the output, the Passive port list field is displayed only for Layer 3 port channels. This field means that the physical port, which is still not up, is configured to be in the channel group (and indirectly is in the only port channel in the channel group).
This is an example of output from the show etherchannel 1 detail command:
This is an example of output from the show etherchannel 1 summary command:
This is an example of output from the show etherchannel 1 port-channel command:
This is an example of output from the show etherchannel protocol command:
To display all generated alarms for the switch, use the show facility-alarm status command in EXEC mode.
show facility-alarm status [ critical | info | major | minor ]
This is an example of output from the show facility-alarm status command. It displays alarm information for the switch.
Creates alarm profiles with alarm IDs and alarm options to be attached to interfaces.
To display the fallback profiles that are configured on a switch, use the show fallback profile command in Privileged EXEC mode.
Use the show fallback profile privileged EXEC command to display profiles that are configured on the switch.
This is an example of output from the show fallback profile command:
Configures a port to use web authentication as a fallback method for clients that do not support IEEE 802.1x authentication.
show dot1x [ interface interface-id ]
To display the frame check sequence (FCS) bit error-rate settings on the switch interfaces, use the show fcs-threshold command in EXEC mode.
The Ethernet standard calls for a maximum bit error rate of 10^-8. In the switch, the configurable bit error-rate range is from 10^-6 to 10^-11. The bit error-rate input to the switch is a positive exponent. The output displays the positive exponent; an output of 9 means that the bit error-rate is 10^-9.
This is an example of output from the show fcs-threshold command. It shows the output when all ports are set to the default FCS threshold.
To display the flow control status and statistics, use the show flowcontrol command in EXEC mode.
show flowcontrol [ interface interface-id | module number ]
Use this command to display the flow control status and statistics on the switch or for a specific interface.
Use the show flowcontrol command to display information about all the switch interfaces. The output from the show flowcontrol command is the same as the output from the show flowcontrol module number command.
Use the show flowcontrol interface interface-id command to display information about a specific interface.
This is an example of output from the show flowcontrol command.
This is an example of output from the show flowcontrol interface interface-id command:
To display the administrative and operational status of all interfaces or a specified interface, use the show interfaces command in Privileged EXEC mode.
show interfaces [ interface-id | vlan vlan-id ] [ accounting | capabilities [ module number ] | counters | description | etherchannel | flowcontrol | rep | pruning | stats | status [ err-disabled ] | [ backup | module number ] | transceiver | properties | detail [ module number ] | trunk ]
(Optional) Valid interfaces include physical ports (including type, module, and port number) and port channels. The port-channel range is 1 to 6.
(Optional) Specifies VLAN identification. The range is 1 to 4094.
(Optional) Displays accounting information on the interface, including active protocols and input and output packets and octets. Note The display shows only packets processed in software; hardware-switched packets do not appear.
(Optional) Displays the capabilities of all interfaces or the specified interface, including the features and options that you can configure on the interface. Though visible in the command line help, this option is not available for VLAN IDs.
(Optional) Displays capabilities or transceiver characteristics (depending on preceding keyword) of all interfaces on the switch. The only valid module number is 1. This option is not available if you enter a specific interface ID.
(Optional) Displays the show interfaces counters information.
(Optional) Displays the administrative status and description set for an interface.
(Optional) Displays interface trunk VTP pruning information.
(Optional) Displays the show interfaces rep information.
(Optional) Displays the input and output packets by switching path for the interface.
(Optional) Displays the status of the interface. A status of unsupported in the Type field means that a non-Cisco small form-factor pluggable (SFP) module is inserted in the module slot.
(Optional) Displays Flex Link backup interface configuration and status for the specified interface or all interfaces on the switch.
(Optional) Displays the physical properties of a CWDM or DWDM small form-factor (SFP) module interface. The keywords have these meanings:
Displays interface trunk information. If you do not specify an interface, only information for active trunking ports appears.
The show interfaces capabilities command with different keywords has these results:
Note Though visible in the command-line help strings, the crb, fair-queue, irb, mac-accounting, precedence, random-detect, rate-limit, and shape keywords are not supported.
This is an example of output from the show interfaces interface-id command for an interface:
This is an example of output from the show interfaces accounting command.
This is an example of output from the show interfaces capabilities interface-id command for an interface.
This is an example of output from the show interfaces interface description command when the interface has been described as Connects to Marketing by using the description interface configuration command.
This is an example of output from the show interfaces etherchannel command when port channels are configured on the switch:
This is an example of output from the show interfaces interface-id pruning command when pruning is enabled in the VTP domain:
This is an example of output from the show interfaces stats command for a specified VLAN interface.
This is an example of partial output from the show interfaces status command. It displays the status of all interfaces.
This is an example of output from the show interfaces status err-disabled command. It displays the status of interfaces in the error-disabled state.
This is an example of output from the show interfaces interface-id pruning command:
This is an example of output from the show interfaces interface-id trunk command. It displays trunking information for the port.
This is an example of output from the show interfaces interface-id transceiver properties command:
This is an example of output from the show interfaces interface-id transceiver detail command:
Configures a port as a static-access or a dynamic-access port.
Configures Flex Links, a pair of Layer 2 interfaces that provide mutual backup.
Blocks unknown unicast or multicast traffic on an interface.
Isolates unicast, multicast, and broadcast traffic at Layer 2 from other protected ports on the same switch.
switchport trunk pruning
Configures the VLAN pruning-eligible list for ports in trunking mode.
To display various counters for the switch or for a specific interface, use the show interfaces counters command in Privileged EXEC mode.
show interfaces [ interface-id | vlan vlan-id ] counters [ errors | etherchannel | protocol status | trunk ]
If you do not enter any keywords, all counters for all interfaces are included.
Note Though visible in the command-line help string, the vlan vlan-id keyword is not supported.
This is an example of partial output from the show interfaces counters command. It displays all counters for the switch:
This is an example of partial output from the show interfaces counters protocol status command for all interfaces:
This is an example of output from the show interfaces counters trunk command. It displays trunk counters for all interfaces:
To display Resilient Ethernet Protocol (REP) configuration and status for a specified interface or for all interfaces, use the show interfaces rep command in EXEC mode.
show interfaces [ interface-id ] rep [ detail ]
(Optional) A specified physical interface or port channel ID.
(Optional) Displays detailed REP configuration and status information.
In the output for the show interface rep [ detail ] command, in addition to an Open, Fail, or AP (alternate port) state, the Port Role might show as Fail Logical Open (FailLogOpen) or Fail No Ext Neighbor (FailNoNbr). These states indicate that the port is physically up, but REP is not configured on the neighboring port. In this case, one port goes into a forwarding state for the data path to help maintain connectivity during configuration. The Port Role for this port shows as Fail Logical Open; the port forwards all data traffic on all VLANs. The other failed Port Role shows as Fail No Ext Neighbor; this port blocks traffic for all VLANs.
When the external neighbors for the failed ports are configured, the failed ports go through the alternate port state transitions and eventually go to an Open state or remain as the alternate port, based on the alternate port election mechanism.
In the show interfaces rep command output, ports configured as edge no-neighbors are designated with an asterisk (*) in front of Primary Edge or Secondary Edge. In the output of the show interfaces rep detail command, No-Neighbor is spelled out.
The output of this command is also included in the show tech-support privileged EXEC command output.
This is sample output from the show interface rep command:
This is sample output from the show interface rep command when the edge port is configured to have no REP neighbor. Note the asterisk (*) next to Primary Edge.
This is sample output from the show interface rep command when external neighbors are not configured:
This is sample output from the show interface rep detail command for a specified interface:
Enables REP on an interface and assigns a segment ID. This command is also used to configure a port as an edge port, a primary edge port, or a preferred port.
show rep topology [ detail ]
Displays information about all ports in the segment, including which one was configured and selected as the primary edge port.
To display product identification (PID) information for the hardware, use the show inventory command in EXEC mode.
show inventory [ entity-name | raw ]
(Optional) The specified entity. For example, enter the interface (such as gigabitethernet1/1) into which a small form-factor pluggable (SFP) module is installed.
The command is case sensitive. With no arguments, the show inventory command produces a compact dump of all identifiable entities that have a product identifier. The compact dump displays the entity location (slot identity), entity description, and the unique device identifier (UDI) (PID, VID, and SN) of that entity.
Note If there is no PID, no output appears when you enter the show inventory command.
This is example output from the show inventory command:
To display the configuration and the operating state of dynamic Address Resolution Protocol (ARP) inspection or the status of this feature for all VLANs or for the specified interface or VLAN, use the show ip arp inspection command in Privileged EXEC mode.
show ip arp inspection [ interfaces [ interface-id ] | log | statistics [ vlan vlan-range ] | vlan vlan-range ]
This is an example of output from the show ip arp inspection command:
This is an example of output from the show ip arp inspection interfaces command:
This is an example of output from the show ip arp inspection interfaces interface-id command:
This is an example of output from the show ip arp inspection log command. It shows the contents of the log buffer before the buffers are cleared:
If the log buffer overflows, it means that a log event does not fit into the log buffer, and the display for the show ip arp inspection log privileged EXEC command is affected. A -- in the display appears in place of all data except the packet count and the time. No other statistics are provided for the entry. If you see this entry in the display, increase the number of entries in the log buffer, or increase the logging rate in the ip arp inspection log-buffer global configuration command.
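The overflow behavior described above can be checked mechanically when the log display is collected for monitoring. The following is an added example, not part of the Cisco documentation: the sample text is constructed, and its header lines, its column order (Interface, Vlan, Sender MAC, Sender IP, Num Pkts, Reason, Time) and all function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample (not captured from a device). Assumed layout: a
# "Total Log Buffer Size" header, then the columns Interface, Vlan,
# Sender MAC, Sender IP, Num Pkts, Reason, Time. The last two rows are
# overflow entries: "--" replaces everything except packet count and time.
SAMPLE_LOG = """\
Total Log Buffer Size : 32
Syslog rate : 10 entries per 300 seconds.

Interface   Vlan  Sender MAC      Sender IP        Num Pkts   Reason       Time
----------  ----  --------------  ---------------  ---------  -----------  ----
Gi1/1       5     0003.0000.d673  192.0.2.10               5  DHCP Deny    19:39:01 UTC Mon Mar 1 1993
Gi1/1       5     0001.0000.d774  192.0.2.11               6  DHCP Deny    19:39:02 UTC Mon Mar 1 1993
Gi1/2       5     0003.0000.d673  192.0.2.10               7  ACL Deny     19:39:05 UTC Mon Mar 1 1993
--          --    --              --                       5  --           19:39:14 UTC Mon Mar 1 1993
--          --    --              --                       9  --           19:39:20 UTC Mon Mar 1 1993
"""

# One data row: four single-token columns, a packet count, a free-text
# reason, and a time that starts with hh:mm:ss.
ROW = re.compile(
    r"^(?P<intf>\S+)\s+(?P<vlan>\S+)\s+(?P<mac>\S+)\s+(?P<ip>\S+)\s+"
    r"(?P<pkts>\d+)\s+(?P<reason>.+?)\s+(?P<time>\d{2}:\d{2}:\d{2}\b.*)$"
)
BUFFER_SIZE = re.compile(r"^Total Log Buffer Size\s*:\s*(\d+)")


def parse_dai_log(text):
    """Return (entries, overflow, buffer_size) parsed from the log display."""
    entries, overflow, buffer_size = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        size = BUFFER_SIZE.match(line)
        if size:
            buffer_size = int(size.group(1))
            continue
        m = ROW.match(line)
        if not m:
            continue  # column header, separator, blank or unrelated line
        rec = m.groupdict()
        rec["pkts"] = int(rec["pkts"])
        # Overflow entry: only the packet count and the time survive.
        if all(rec[k] == "--" for k in ("intf", "vlan", "mac", "ip")):
            overflow.append({"pkts": rec["pkts"], "time": rec["time"]})
        else:
            rec["vlan"] = int(rec["vlan"])
            entries.append(rec)
    return entries, overflow, buffer_size


def summarize(entries, overflow, buffer_size=None):
    """Aggregate denied ARP packets per sender and measure the lost detail."""
    senders = defaultdict(lambda: {"pkts": 0, "ports": set(), "ips": set()})
    for e in entries:
        s = senders[e["mac"]]
        s["pkts"] += e["pkts"]
        s["ports"].add(e["intf"])
        s["ips"].add(e["ip"])
    attributed = sum(e["pkts"] for e in entries)
    unattributed = sum(o["pkts"] for o in overflow)
    total = attributed + unattributed
    return {
        "senders": {
            mac: {"pkts": s["pkts"], "ports": sorted(s["ports"]),
                  "ips": sorted(s["ips"])}
            for mac, s in senders.items()
        },
        # Same sender MAC denied on more than one port: worth a closer look.
        "multi_port_senders": sorted(
            mac for mac, s in senders.items() if len(s["ports"]) > 1),
        "attributed_pkts": attributed,
        "unattributed_pkts": unattributed,
        # Share of denied packets that still carry sender detail.
        "detail_coverage": attributed / total if total else 1.0,
        "buffer_size": buffer_size,
        "buffer_overflowed": bool(overflow),
    }


if __name__ == "__main__":
    parsed_entries, parsed_overflow, size = parse_dai_log(SAMPLE_LOG)
    report = summarize(parsed_entries, parsed_overflow, size)
    for mac, s in sorted(report["senders"].items(),
                         key=lambda kv: -kv[1]["pkts"]):
        print(f"{mac} ips={s['ips']} ports={s['ports']} denied={s['pkts']}")
    if report["buffer_overflowed"]:
        print(f"{report['unattributed_pkts']} denied packets have no sender "
              f"detail (buffer size {report['buffer_size']}); increase the "
              "log buffer entries or the logging rate.")
```
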
This is an example of output from the show ip arp inspection statistics command. It shows the statistics for packets that have been processed by dynamic ARP inspection for all active VLANs:
For the show ip arp inspection statistics command, the switch increments the number of forwarded packets for each ARP request and response packet on a trusted dynamic ARP inspection port. The switch increments the number of ACL or DHCP permitted packets for each packet that is denied by source MAC, destination MAC, or IP validation checks, and the switch increments the appropriate failure count.
This is an example of output from the show ip arp inspection statistics vlan 5 command. It shows statistics for packets that have been processed by dynamic ARP for VLAN 5:
This is an example of output from the show ip arp inspection vlan 5 command. It shows the configuration and the operating state of dynamic ARP inspection for VLAN 5:
To display the DHCP snooping configuration, use the show ip dhcp snooping command in EXEC mode.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This command displays only the results of global configuration. Therefore, in this example, the circuit ID suboption appears in its default format of vlan - mod - port, even if a string is configured for the circuit ID.
This is an example of output from the show ip dhcp snooping command:
To display the DHCP snooping binding database and configuration information for all interfaces on a switch, use the show ip dhcp snooping binding command in EXEC mode.
show ip dhcp snooping binding [ ip-address ] [ mac-address ] [ interface interface-id ] [ vlan vlan-id ]
The show ip dhcp snooping binding command output shows only the dynamically configured bindings. Use the show ip source binding privileged EXEC command to display the dynamically and statically configured bindings in the DHCP snooping binding database.
If DHCP snooping is enabled and an interface changes to the down state, the switch does not delete the statically configured bindings.
This example shows how to display the DHCP snooping binding entries for a switch:
This example shows how to display the DHCP snooping binding entries for a specific IP address:
This example shows how to display the DHCP snooping binding entries for a specific MAC address:
This example shows how to display the DHCP snooping binding entries on a port:
This example shows how to display the DHCP snooping binding entries on VLAN 20:
Table 0-9 describes the fields in the show ip dhcp snooping binding command output.
To display the status of the DHCP snooping binding database agent, use the show ip dhcp snooping database command in EXEC mode.
show ip dhcp snooping database [ detail ]
(Optional) Displays detailed status and statistics information.
This is an example of output from the show ip dhcp snooping database command:
This is an example of output from the show ip dhcp snooping database detail command:
Configures the DHCP snooping binding database agent or the binding file.
To display DHCP snooping statistics in summary or detail form, use the show ip dhcp snooping statistics command in EXEC mode.
show ip dhcp snooping statistics [ detail ]
In a switch stack, all statistics are generated on the stack master. If a new stack master is elected, the statistics counters reset.
This is an example of output from the show ip dhcp snooping statistics command:
This is an example of output from the show ip dhcp snooping statistics detail command:
Table 0-10 shows the DHCP snooping statistics and their descriptions:
Clears the DHCP snooping binding database, the DHCP snooping binding database agent statistics, or the DHCP snooping statistics counters.
To display all configured Internet Group Management Protocol (IGMP) profiles or a specified IGMP profile, use the show ip igmp profile command in Privileged EXEC mode.
show ip igmp profile [ profile number ]
(Optional) The IGMP profile number to be displayed. The range is 1 to 4294967295. If no profile number is entered, all IGMP profiles are displayed.
These are examples of output from the show ip igmp profile privileged EXEC command, with and without specifying a profile number. If no profile number is entered, the display includes all profiles configured on the switch.
To display the Internet Group Management Protocol (IGMP) snooping configuration of the switch or the VLAN, use the show ip igmp snooping EXEC command.
show ip igmp snooping [ groups | mrouter | querier ] [ vlan vlan-id ]
(Optional) Displays the show ip igmp snooping groups information.
(Optional) Displays the show ip igmp snooping mrouter information.
(Optional) Displays the show ip igmp snooping querier information.
(Optional) Specifies a VLAN; the range is 1 to 1001 and 1006 to 4094 (available only in privileged EXEC mode).
Use this command to display snooping configuration for the switch or for a specific VLAN.
VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in IGMP snooping.
This is an example of output from the show ip igmp snooping vlan 1 command. It shows snooping characteristics for a specific VLAN.
This is an example of output from the show ip igmp snooping command. It displays snooping characteristics for all VLANs on the switch.
To display the Internet Group Management Protocol (IGMP) snooping multicast table for the switch or the multicast information, use the show ip igmp snooping groups command in Privileged EXEC mode. Use with the vlan keyword to display the multicast table for a specified multicast VLAN or specific multicast information.
show ip igmp snooping groups [ vlan vlan-id [ ip_address ] | dynamic | user ] [ count ]
Use this command to display multicast information or the multicast table.
VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in IGMP snooping.
This is an example of output from the show ip igmp snooping groups command without any keywords. It displays the multicast table for the switch.
This is an example of output from the show ip igmp snooping groups count command. It displays the total number of multicast groups on the switch.
This is an example of output from the show ip igmp snooping groups dynamic command. It shows only the entries learned by IGMP snooping.
This is an example of output from the show ip igmp snooping groups vlan vlan-id ip-address command. It shows the entries for the group with the specified IP address.
To display the Internet Group Management Protocol (IGMP) snooping dynamically learned and manually configured multicast router ports for the switch or for the specified multicast VLAN, use the show ip igmp snooping mrouter command in Privileged EXEC mode.
show ip igmp snooping mrouter [ vlan vlan-id ]
(Optional) Specifies a VLAN; the range is 1 to 1001 and 1006 to 4094.
Use this command to display multicast router ports on the switch or for a specific VLAN.
VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in IGMP snooping.
When multicast VLAN registration (MVR) is enabled, the show ip igmp snooping mrouter command displays MVR multicast router information and IGMP snooping information.
This is an example of output from the show ip igmp snooping mrouter command. It shows how to display multicast router ports on the switch.
To display the configuration and operation information for the IGMP querier configured on a switch, use the show ip igmp snooping querier detail command in EXEC mode.
show ip igmp snooping querier [ detail | vlan vlan-id [ detail ]]
(Optional) Displays IGMP querier information for the specified VLAN. The range is 1 to 1001 and 1006 to 4094. Use the detail keyword to display detailed information.
Use the show ip igmp snooping querier command to display the IGMP version and the IP address of a detected device, also called a querier, that sends IGMP query messages. A subnet can have multiple multicast routers but has only one IGMP querier. In a subnet running IGMPv2, one of the multicast routers is elected as the querier. The querier can be a Layer 3 switch.
The show ip igmp snooping querier command output also shows the VLAN and the interface on which the querier was detected. If the querier is the switch, the output shows the Port field as Router. If the querier is a router, the output shows the port number on which the querier is learned in the Port field.
The show ip igmp snooping querier detail EXEC command is similar to the show ip igmp snooping querier command. However, the show ip igmp snooping querier command displays only the device IP address most recently detected by the switch querier.
The show ip igmp snooping querier detail command displays the device IP address most recently detected by the switch querier and this additional information:
This is an example of output from the show ip igmp snooping querier command:
This is an example of output from the show ip igmp snooping querier detail command:
Displays IGMP snooping multicast router ports for the switch or for the specified multicast VLAN.
To display the IP source bindings on the switch, use the show ip source binding command in EXEC mode.
show ip source binding [ ip-address ] [ mac-address ] [ dhcp-snooping | static ] [ interface interface-id ] [ vlan vlan-id ]
(Optional) Displays IP source bindings that were learned by DHCP snooping.
(Optional) Displays IP source bindings on a specific interface.
The show ip source binding command output shows the dynamically and statically configured bindings in the DHCP snooping binding database. Use the show ip dhcp snooping binding privileged EXEC command to display only the dynamically configured bindings.
This is an example of output from the show ip source binding command:
To display the IP source guard configuration on the switch or on a specific interface, use the show ip verify source command in EXEC mode.
show ip verify source [ interface interface-id ]
(Optional) Displays IP source guard configuration on a specific interface.
This is an example of output from the show ip verify source command:
In the previous example, this is the IP source guard configuration:
This is an example of output on an interface on which IP source guard is disabled:
To display Interprocess Communications Protocol (IPC) configuration, status, and statistics, use the show ipc command in EXEC mode.
show ipc { hog-info | mcast { appclass | groups | status } | nodes | ports [ open ] | queue | rpc | session { all | rx | tx } [ verbose ] | status [ cumulative ] | zones }
This command is available only when the switch is running the IP services image.
This example shows how to display the IPC routing status:
This example shows how to display the participating nodes:
This example shows how to display the local IPC ports:
This example shows how to display the contents of the IPC retransmission queue:
This example shows how to display all the IPC session statistics:
This example shows how to display the status of the local IPC server:
To display address conflicts found by a Dynamic Host Configuration Protocol for IPv6 (DHCPv6) server when addresses are offered to the client, use the show ipv6 dhcp conflict command in Privileged EXEC mode.
Note This command is available only if you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch and the switch is running the IP services image.
To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 global configuration command, and reload the switch.
When you configure the DHCPv6 server to detect conflicts, it uses ping. The client uses neighbor discovery to detect clients and reports to the server through a DECLINE message. If an address conflict is detected, the address is removed from the pool, and the address is not assigned until the administrator removes the address from the conflict list.
This is an example of the output from the show ipv6 dhcp conflict command:
Configures a DHCPv6 pool and enters DHCPv6 pool configuration mode.
To display IP version 6 (IPv6) Multicast Listener Discovery (MLD) snooping configuration of the switch or the VLAN, use the show ipv6 mld snooping command in EXEC mode.
show ipv6 mld snooping [ vlan vlan-id ]
(Optional) Specifies a VLAN; the range is 1 to 1001 and 1006 to 4094.
Use this command to display MLD snooping configuration for the switch or for a specific VLAN.
VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in MLD snooping.
To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 global configuration command and reload the switch.
Note This command is available only if you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
This is an example of output from the show ipv6 mld snooping vlan command. It shows snooping characteristics for a specific VLAN.
Global MLD Snooping configuration:
-------------------------------------------
MLD snooping : Enabled
MLDv2 snooping (minimal) : Enabled
Listener message suppression : Enabled
TCN solicit query : Disabled
TCN flood query count : 2
Robustness variable : 3
Last listener query count : 2
Last listener query interval : 1000
Vlan 100:
--------
MLD snooping : Disabled
MLDv1 immediate leave : Disabled
Explicit host tracking : Enabled
Multicast router learning mode : pim-dvmrp
Robustness variable : 3
Last listener query count : 2
Last listener query interval : 1000
This is an example of output from the show ipv6 mld snooping command. It displays snooping characteristics for all VLANs on the switch.
Switch> show ipv6 mld snooping
Global MLD Snooping configuration:
-------------------------------------------
MLD snooping : Enabled
MLDv2 snooping (minimal) : Enabled
Listener message suppression : Enabled
TCN solicit query : Disabled
TCN flood query count : 2
Robustness variable : 3
Last listener query count : 2
Last listener query interval : 1000
Vlan 1:
--------
MLD snooping : Disabled
MLDv1 immediate leave : Disabled
Explicit host tracking : Enabled
Multicast router learning mode : pim-dvmrp
Robustness variable : 1
Last listener query count : 2
Last listener query interval : 1000
<output truncated>
Vlan 951:
--------
MLD snooping : Disabled
MLDv1 immediate leave : Disabled
Explicit host tracking : Enabled
Multicast router learning mode : pim-dvmrp
Robustness variable : 3
Last listener query count : 2
Last listener query interval : 1000
Enables and configures MLD snooping on the switch or on a VLAN.
Configures an SDM template to optimize system resources based on how the switch is being used.
To display all or specified IP version 6 (IPv6) multicast address information maintained by Multicast Listener Discovery (MLD) snooping, use the show ipv6 mld snooping address command in EXEC mode.
show ipv6 mld snooping address [[ vlan vlan-id ] [ ipv6 multicast-address ]] [ vlan vlan-id ] [ count | dynamic | user ]
Use this command to display IPv6 multicast address information.
You can enter an IPv6 multicast address only after you enter a VLAN ID.
VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in MLD snooping.
Use the dynamic keyword to display information only about groups that are learned. Use the user keyword to display information only about groups that have been configured.
To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 global configuration command and reload the switch.
Note This command is available only if you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
This is an example of output from the show ipv6 mld snooping address EXEC command:
Switch> show ipv6 mld snooping address
This is an example of output from the show ipv6 mld snooping address count EXEC command:
This is an example of output from the show ipv6 mld snooping address user command:
Configures an SDM template to optimize system resources based on how the switch is being used.
To display dynamically learned and manually configured IP version 6 (IPv6) Multicast Listener Discovery (MLD) router ports for the switch or a VLAN, use the show ipv6 mld snooping mrouter command in EXEC mode.
show ipv6 mld snooping mrouter [ vlan vlan-id ]
(Optional) Specifies a VLAN; the range is 1 to 1001 and 1006 to 4094.
Use this command to display MLD snooping router ports for the switch or for a specific VLAN.
VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in MLD snooping.
To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 global configuration command and reload the switch.
Note This command is available only if you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
This is an example of output from the show ipv6 mld snooping mrouter command. It displays snooping characteristics for all VLANs on the switch that are participating in MLD snooping.
This is an example of output from the show ipv6 mld snooping mrouter vlan command. It shows multicast router ports for a specific VLAN.
Enables and configures MLD snooping on the switch or on a VLAN.
ipv6 mld snooping vlan mrouter interface interface-id | static ipv6-multicast-address interface interface-id ]
Configures an SDM template to optimize system resources based on how the switch is being used.
To display IP version 6 (IPv6) Multicast Listener Discovery (MLD) snooping querier-related information most recently received by the switch or the VLAN, use the show ipv6 mld snooping querier command in EXEC mode.
show ipv6 mld snooping querier [ vlan vlan-id ] [ detail ]
Note This command is available only if you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
(Optional) Specifies a VLAN; the range is 1 to 1001 and 1006 to 4094.
(Optional) Displays MLD snooping detailed querier information for the switch or for the VLAN.
Use the show ipv6 mld snooping querier command to display the MLD version and IPv6 address of a detected device that sends MLD query messages, which is also called a querier. A subnet can have multiple multicast routers but has only one MLD querier. The querier can be a Layer 3 switch.
The show ipv6 mld snooping querier command output also shows the VLAN and interface on which the querier was detected. If the querier is the switch, the output shows the Port field as Router. If the querier is a router, the output shows the port number on which the querier is learned in the Port field.
The output of the show ipv6 mld snoop querier vlan command displays the information received in response to a query message from an external or internal querier. It does not display user-configured VLAN values, such as the snooping robustness variable on the particular VLAN. This querier information is used only on the MASQ message that is sent by the switch. It does not override the user-configured robustness variable that is used for aging out a member that does not respond to query messages.
VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in MLD snooping.
To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 global configuration command and reload the switch.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This is an example of output from the show ipv6 mld snooping querier command:
This is an example of output from the show ipv6 mld snooping querier detail command:
This is an example of output from the show ipv6 mld snooping querier vlan command:
To display the current contents of the IPv6 routing table, use the show ipv6 route updated command in EXEC mode.
show ipv6 route updated [ boot-up ]{ hh:mm | day { month [ hh:mm ]} [{ hh:mm | day { month [ hh:mm ]}]
Use the show ipv6 route privileged EXEC command to display the current contents of the IPv6 routing table.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This is an example of output from the show ipv6 route updated rip command:
Displays the current contents of the IPv6 routing table. For syntax information, see the Cisco IOS Software Command Reference, Release 15.0.
To show the configuration details for a Layer 2 NAT instance, enter the show l2nat instance command in EXEC mode.
show l2nat instance [ instance_name ]
(Optional) The Layer 2 NAT instance that you want to display. If this parameter is omitted, all Layer 2 NAT instances are displayed.
This example shows how to display the configuration details of all Layer 2 NAT instances.
To display the configuration details for a Layer 2 NAT instance on a particular interface and/or VLAN, use the show l2nat interface command in EXEC mode. If you do not specify an interface or a VLAN, all are included.
show l2nat interface [ int ] [ vlan ]
This example shows how to display the configuration details of all Layer 2 NAT instances on all interfaces.
This example shows how to display the configuration details of the Layer 2 NAT instance on interface Gi1/1, VLAN 10.
To show statistics for all Layer 2 NAT instances, use the show l2nat statistics command in EXEC mode.
For each Layer 2 NAT instance, the statistics include the number of bypassed, discarded, and translated packets; the number of fixups for ARP, ICMP, NSMP, and Profinet; and the number of IGMP, multicast, unmatched, and unicast packets. There are also global statistics for all of the above.
Additional statistics include the number of active translations in the past 90 seconds, the total translations, and the total instances that are attached to interfaces.
This example shows how to display all l2nat statistics.
To show the statistics for a specified interface or VLAN, use the show l2nat statistics interface command in EXEC mode.
show l2nat statistics interface [ int ] [ vlan ]
The interface. If this parameter is omitted, all interfaces are included.
The VLAN ID. Include this parameter only if an interface is specified. If this parameter is omitted, all VLANs are included.
If you do not specify an interface or a VLAN, all are included. Statistics include the number of bypassed, discarded, and translated packets; the number of fixups for ARP, ICMP, pass-through protocols SNMP, PROFINET, SIP, PTP, Telnet, FTP, and the number of IGMP, multicast, unmatched, and unicast packets.
This example shows how to display the l2nat statistics for interface Gi1/1, VLAN10.
To display Link Aggregation Control Protocol (LACP) channel-group information, use the show lacp command in EXEC mode.
show lacp [ channel-group-number ] { counters | internal | neighbor | sys-id }
You can enter any show lacp command to display the active channel-group information. To display specific channel information, enter the show lacp command with a channel-group number.
If you do not specify a channel group, information for all channel groups appears.
You can enter the channel-group-number option to specify a channel group for all keywords except sys-id.
This is an example of output from the show lacp counters EXEC command. Table 0-11 describes the fields in the display.
This is an example of output from the show lacp channel-group-number internal command:
Table 0-12 describes the fields in the display.
This is an example of output from the show lacp neighbor command:
This is an example of output from the show lacp sys-id command:
The system identification is made up of the system priority and the system MAC address. The first two bytes are the system priority, and the last six bytes are the globally administered individual MAC address associated to the system.
To display link diagnostic error rate information, use the show link-diag error-rate command in Privileged EXEC mode.
show link-diag error-rate { fastethernet interface | gigabitethernet interface | window-size }
Displays the fastethernet interface number which ranges from 1-1.
Displays the gigabitethernet interface number which ranges from 1-1.
This example shows how to display link diagnostics error rates:
This example shows how to display Fast Ethernet link diagnostics error rates:
This example shows how to display Gigabit Ethernet link diagnostics error rates:
Configures the window size for the link diagnostics feature.
To display location information for an endpoint, use the show location command in EXEC mode.
show location [ admin-tag ] [ civic-location | elin-location { cdp | identifier id | interface interface-id | static }]
Use the show location command to display location information for an endpoint.
This is an example of output from the show location civic-location command that displays location information for an interface:
This is an example of output from the show location civic-location identifier command that displays all the civic location information:
To display the link-state group information, use the show link state group command in Privileged EXEC mode.
show link state group [ number ] [ detail ]
Use the show link state group command to display the link-state group information. Enter this command without keywords to display information about all link-state groups. Enter the group number to display information specific to the group.
Enter the detail keyword to display detailed information about the group. The output for the show link state group detail command displays only those link-state groups that have link-state tracking enabled or that have upstream or downstream interfaces (or both) configured. If there is no link-state group configuration for a group, it is not shown as enabled or disabled.
This is an example of output from the show link state group 1 command:
This is an example of output from the show link state group detail command:
To display the MAC access control lists (ACLs) configured for an interface or a switch, use the show mac access-group command in EXEC mode.
show mac access-group interface interface-id
(Optional) Displays the MAC ACLs configured on a specific interface. Valid interfaces are physical ports and port channels; the port-channel range is 1 to 6 (available only in privileged EXEC mode).
This is an example of output from the show mac access-group EXEC command. Port 2 has the MAC access list macl_e1 applied; no MAC ACLs are applied to other interfaces.
This is an example of output from the show mac access-group interface command:
To display a specific MAC address table static and dynamic entry or the MAC address table static and dynamic entries on a specific interface or VLAN, use the show mac address-table command in EXEC mode.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This is an example of output from the show mac address-table command:
clear mac address-table dynamic
Deletes from the MAC address table a specific dynamic address, all dynamic addresses on a particular interface, or all dynamic addresses on a particular VLAN.
Displays the number of addresses present in all VLANs or the specified VLAN.
Displays the MAC address table information for the specified interface.
Displays the MAC address notification settings for all interfaces or the specified interface.
Displays the MAC address table information for the specified VLAN.
To display MAC address table information for the specified MAC address, use the show mac address-table address command in EXEC mode.
show mac address-table address mac-address [ interface interface-id ] [ vlan vlan-id ]
(Optional) Displays information for a specific interface. Valid interfaces include physical ports and port channels.
(Optional) Displays entries for the specific VLAN only. The range is 1 to 4094.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This is an example of output from the show mac address-table address command:
Use the show mac address-table aging-time command in EXEC mode to display the aging time of a specific address table instance, all address table instances on a specified VLAN or, if a specific VLAN is not specified, on all VLANs.
show mac address-table aging-time [ vlan vlan-id ]
(Optional) Displays aging time information for a specific VLAN. The range is 1 to 4094.
If no VLAN number is specified, the aging time for all VLANs appears.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This is an example of output from the show mac address-table aging-time command:
This is an example of output from the show mac address-table aging-time vlan 10 command:
To display the number of addresses present in all VLANs or the specified VLAN, use the show mac address-table count command in EXEC mode.
show mac address-table count [ vlan vlan-id ]
(Optional) Displays the number of addresses for a specific VLAN. The range is 1 to 4094.
If no VLAN number is specified, the address count for all VLANs appears.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This is an example of output from the show mac address-table count command:
To display only dynamic MAC address table entries, use the show mac address-table dynamic command in EXEC mode.
show mac address-table dynamic [ address mac-address ] [ interface interface-id ] [ vlan vlan-id ]
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This is an example of output from the show mac address-table dynamic command:
clear mac address-table dynamic
Deletes from the MAC address table a specific dynamic address, all dynamic addresses on a particular interface, or all dynamic addresses on a particular VLAN.
Displays MAC address table information for the specified MAC address.
Displays the number of addresses present in all VLANs or the specified VLAN.
Displays the MAC address table information for the specified interface.
Displays the MAC address table information for the specified VLAN.
To display the MAC address table information for the specified interface in the specified VLAN, use the show mac address-table interface user EXEC command.
show mac address-table interface interface-id [ vlan vlan-id ]
An interface type; valid interfaces include physical ports and port channels.
(Optional) Displays entries for a specific VLAN; the range is 1 to 4094.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This is an example of output from the show mac address-table interface command:
To display the status of MAC address learning for all VLANs or the specified VLAN, use the show mac address-table learning command in EXEC mode.
show mac address-table learning [ vlan vlan-id ]
(Optional) Displays information for a specific VLAN. The range is 1 to 4094.
Use the show mac address-table learning command without any keywords to display configured VLANs and whether MAC address learning is enabled or disabled on them. The default is that MAC address learning is enabled on all VLANs. Use the command with a specific VLAN ID to display the learning status on an individual VLAN.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This is an example of output from the show mac address-table learning EXEC command showing that MAC address learning is disabled on VLAN 200:
To display the MAC address-table move update information on the switch, use the show mac address-table move update command in EXEC mode.
show mac address-table move update
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This is an example of output from the show mac address-table move update command:
mac address-table move update { receive | transmit }
To display the MAC address notification settings for all interfaces or the specified interface, use the show mac address-table notification command in EXEC mode.
show mac address-table notification { change [ interface [ interface-id ] | mac-move | threshold }
Use the show mac address-table notification change command without keywords to see if the MAC address change notification feature is enabled or disabled, the MAC notification interval, the maximum number of entries allowed in the history table, and the history table contents.
Use the interface keyword to display the notifications for all interfaces. If the interface-id is included, only the flags for that interface appear.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This is an example of output from the show mac address-table notification change command:
clear mac address-table notification
Enables the MAC address notification feature for MAC address changes, moves, or address-table thresholds.
Displays MAC address table information for the specified MAC address.
Displays the number of addresses present in all VLANs or the specified VLAN.
Displays the MAC address table information for the specified interface.
Displays the MAC address table information for the specified VLAN.
To display only static MAC address table entries, use the show mac address-table static command in EXEC mode.
show mac address-table static [ address mac-address ] [ interface interface-id ] [ vlan vlan-id ]
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This is an example of output from the show mac address-table static command:
To display the MAC address table information for the specified VLAN, use the show mac address-table vlan command in EXEC mode.
show mac address-table vlan vlan-id
(Optional) Displays addresses for a specific VLAN. The range is 1 to 4094.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This is an example of output from the show mac address-table vlan 1 command:
To display global quality of service (QoS) configuration information, use the show mls qos command in EXEC mode.
Note This command is available only when the switch is running the LAN Base image.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This is an example of output from the show mls qos command when QoS is enabled and DSCP transparency is enabled:
To display the quality of service (QoS) aggregate policer configuration, use the show mls qos aggregate-policer command in EXEC mode. A policer defines a maximum permissible rate of transmission, a maximum burst size for transmissions, and an action to take if either maximum is exceeded.
show mls qos aggregate-policer [ aggregate-policer-name ]
Note This command is available only when the switch is running the LAN Base image.
(Optional) The policer configuration for the specified name.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This is an example of output from the show mls qos aggregate-policer command:
Defines policer parameters that can be shared by multiple classes within a policy map.
To display quality of service (QoS) settings for the ingress queues, use the show mls qos input-queue command in EXEC mode.
Note This command is available only when the switch is running the LAN Base image.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This is an example of output from the show mls qos input-queue command:
To display quality of service (QoS) information at the port level, use the show mls qos interface command in EXEC mode.
show mls qos interface [ interface-id ] [ buffers | queueing | statistics ]
Note This command is available only when the switch is running the LAN Base image.
Note Though visible in the command-line help string, the policer keyword is not supported.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This is an example of output from the show mls qos interface interface-id command when VLAN-based QoS is enabled:
This is an example of output from the show mls qos interface interface-id command when VLAN-based QoS is disabled:
This is an example of output from the show mls qos interface interface-id buffers command:
This is an example of output from the show mls qos interface interface-id queueing command. The egress expedite queue overrides the configured shaped round robin (SRR) weights.
This is an example of output from the show mls qos interface interface-id statistics command. Table 0-13 describes the fields in this display.
To display quality of service (QoS) mapping information, use the show mls qos maps command in EXEC mode. During classification, QoS uses the mapping tables to represent the priority of the traffic and to derive a corresponding class of service (CoS) or Differentiated Services Code Point (DSCP) value from the received CoS, DSCP, or IP precedence value.
show mls qos maps [ cos-dscp | cos-input-q | cos-output-q | dscp-cos | dscp-input-q | dscp-mutation dscp-mutation-name | dscp-output-q | ip-prec-dscp | policed-dscp ]
Note This command is available only when the switch is running the LAN Base image.
(Optional) Displays the specified DSCP-to-DSCP-mutation map.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
The policed-DSCP, DSCP-to-CoS, and the DSCP-to-DSCP-mutation maps appear as a matrix. The d1 column specifies the most-significant digit in the DSCP. The d2 row specifies the least-significant digit in the DSCP. The intersection of the d1 and d2 values provides the policed-DSCP, the CoS, or the mutated-DSCP value. For example, in the DSCP-to-CoS map, a DSCP value of 43 corresponds to a CoS value of 5.
The DSCP input queue threshold and the DSCP output queue threshold maps appear as a matrix. The d1 column specifies the most-significant digit of the DSCP number. The d2 row specifies the least-significant digit in the DSCP number. The intersection of the d1 and the d2 values provides the queue ID and threshold ID. For example, in the DSCP input queue threshold map, a DSCP value of 43 corresponds to queue 2 and threshold 1 (02-01).
The CoS input queue threshold and the CoS output queue threshold maps show the CoS value in the top row and the corresponding queue ID and threshold ID in the second row. For example, in the CoS input queue threshold map, a CoS value of 5 corresponds to queue 2 and threshold 1 (2-1).
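The d1/d2 lookup described above, as an added example (not Cisco code and not output from the original page): a Python parser that turns a matrix-style map into a table indexed by DSCP value and reports entries that differ from an expected baseline. Both sample maps are constructed to follow the layout the text describes, and the function names and the `dscp // 8` baseline are assumptions of this example.

```python
import re

# Constructed samples laid out as the text describes: the d1 column is the
# most-significant DSCP digit, the d2 row the least-significant digit.
# They are not output captured from a switch.
DSCP_COS_SAMPLE = """\
Dscp-cos map:
  d1 :  d2 0  1  2  3  4  5  6  7  8  9
  ---------------------------------------
   0 :    00 00 00 00 00 00 00 00 01 01
   1 :    01 01 01 01 01 01 02 02 02 02
   2 :    02 02 02 02 03 03 03 03 03 03
   3 :    03 03 04 04 04 04 04 04 04 04
   4 :    05 05 05 05 05 05 05 05 06 06
   5 :    06 06 06 06 06 06 07 07 07 07
   6 :    07 07 07 07
"""

DSCP_INPUTQ_SAMPLE = """\
Dscp-inputq-threshold map:
  d1 :d2    0     1     2     3     4     5     6     7     8     9
  ------------------------------------------------------------------
   0 :    01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01
   1 :    01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01
   2 :    01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01
   3 :    01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01
   4 :    02-01 02-01 02-01 02-01 02-01 02-01 02-01 02-01 01-01 01-01
   5 :    01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01
   6 :    01-01 01-01 01-01 01-01
"""

HEADER_RE = re.compile(r"^\s*d1\s*:\s*d2\s+(\d(?:\s+\d)*)\s*$")
ROW_RE = re.compile(r"^\s*(\d)\s*:\s*(\S.*?)\s*$")
PAIR_RE = re.compile(r"^(\d+)-(\d+)$")


def parse_cell(cell):
    """'05' -> 5; '02-01' -> (2, 1), read as (queue ID, threshold ID)."""
    pair = PAIR_RE.match(cell)
    if pair:
        return int(pair.group(1)), int(pair.group(2))
    if re.fullmatch(r"\d+", cell):
        return int(cell)
    raise ValueError(f"unrecognised cell {cell!r}")


def parse_dscp_matrix(text):
    """Return {dscp: value} covering DSCP 0-63 from one d1/d2 matrix."""
    d2_digits = None
    table = {}
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            d2_digits = [int(d) for d in header.group(1).split()]
            continue
        row = ROW_RE.match(line)
        if not row:
            continue  # title, separator or blank line
        if d2_digits is None:
            raise ValueError("data row seen before the d1/d2 header")
        d1 = int(row.group(1))
        cells = row.group(2).split()
        if len(cells) > len(d2_digits):
            raise ValueError(f"row {d1} has more cells than d2 columns")
        for d2, cell in zip(d2_digits, cells):
            dscp = d1 * 10 + d2  # intersection of the d1 row and d2 column
            if dscp > 63 or dscp in table:
                raise ValueError(f"unexpected cell for DSCP {dscp}")
            table[dscp] = parse_cell(cell)
    missing = sorted(set(range(64)) - set(table))
    if missing:
        raise ValueError(f"matrix is missing DSCP values {missing}")
    return table


def diff_maps(observed, expected):
    """Return {dscp: (expected, observed)} for every entry that differs."""
    return {d: (expected[d], observed[d])
            for d in sorted(expected) if observed.get(d) != expected[d]}


if __name__ == "__main__":
    cos_map = parse_dscp_matrix(DSCP_COS_SAMPLE)
    queue_map = parse_dscp_matrix(DSCP_INPUTQ_SAMPLE)
    print("DSCP 43 -> CoS", cos_map[43])
    print("DSCP 43 -> queue-threshold", queue_map[43])
    # Baseline assumed for this example: CoS = DSCP // 8.
    baseline = {d: d // 8 for d in range(64)}
    print("entries differing from baseline:", diff_maps(cos_map, baseline))
```

Run against a saved copy of the map output, the diff gives a quick check that a marking map still matches the intended design.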
This is an example of output from the show mls qos maps command:
To display quality of service (QoS) settings for the egress queues, use the show mls qos queue-set command in EXEC mode.
show mls qos queue-set [ qset-id ]
Note This command is available only when the switch is running the LAN Base image.
(Optional) ID of the queue-set. Each port belongs to a queue-set, which defines all the characteristics of the four egress queues per port. The range is 1 to 2.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This is an example of output from the show mls qos queue-set command:
Configures the weighted tail-drop (WTD) thresholds, guarantees the availability of buffers, and configures the maximum memory allocation of the queue-set.
To display the policy maps attached to a switch virtual interface (SVI), use the show mls qos vlan command in EXEC mode.
Note This command is available only when the switch is running the LAN Base image.
The VLAN ID of the SVI to display the policy maps. The range is 1 to 4094.
The output from the show mls qos vlan command is meaningful only when VLAN-based quality of service (QoS) is enabled and when hierarchical policy maps are configured.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This is an example of output from the show mls qos vlan command:
Creates or modifies a policy map that can be attached to multiple ports and enters policy-map configuration mode.
To display information about all Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) sessions on the switch, use the show monitor command in EXEC mode. Use the command with keywords to show a specific session, all sessions, all local sessions, or all remote sessions.
show monitor [ session { session_number | all | local | range list | remote } [ detail ]]
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
The output is the same for the show monitor command and the show monitor session all command.
This is an example of output for the show monitor EXEC command:
This is an example of output for the show monitor EXEC command for local SPAN source session 1:
This is an example of output for the show monitor session all EXEC command when ingress traffic forwarding is enabled:
To display the current Multicast VLAN Registration (MVR) global parameter values, including whether or not MVR is enabled, the MVR multicast VLAN, the maximum query response time, the number of multicast groups, and the MVR mode (dynamic or compatible), use the show mvr command in Privileged EXEC mode without keywords.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This is an example of output from the show mvr command:
In the preceding display, the maximum number of multicast groups is fixed at 256. The MVR mode is either compatible (for interoperability with Catalyst 2900 XL and Catalyst 3500 XL switches) or dynamic (where operation is consistent with IGMP snooping operation and dynamic MVR membership on source ports is supported).
To display the Multicast VLAN Registration (MVR) receiver and source ports, use the show mvr interface command in Privileged EXEC mode without keywords. Use the command with keywords to display MVR parameters for a specific receiver port.
show mvr interface [ interface-id [ members [ vlan vlan-id ]]]
If the entered port identification is a non-MVR port or a source port, the command returns an error message. For receiver ports, it displays the port type, per port status, and Immediate-Leave setting.
If you enter the members keyword, all MVR group members on the interface appear. If you enter a VLAN ID, all MVR group members in the VLAN appear.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This is an example of output from the show mvr interface command:
In the preceding display, Status is defined as follows:
This is an example of output from the show mvr interface command for a specified port:
This is an example of output from the show mvr interface interface-id members command:
Enables and configures multicast VLAN registration on the switch.
Displays all receiver ports that are members of an MVR multicast group.
To display all receiver and source ports that are currently members of an IP multicast group, use the show mvr members command in Privileged EXEC mode.
show mvr members [ ip-address ]
The show mvr members command applies to receiver and source ports. For MVR-compatible mode, all source ports are members of all multicast groups.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This is an example of output from the show mvr members command:
This is an example of output from the show mvr members ip-address command. It displays the members of the IP multicast group with that address:
To display the network-policy profiles, use the show network-policy profile command in Privileged EXEC mode.
show network-policy profile [ profile number ] [ detail ]
Note To use this command, the switch must be running the LAN Base image.
(Optional) Displays the network-policy profile number. If no profile is entered, all network-policy profiles appear.
(Optional) Displays detailed status and statistics information.
This is an example of output from the show network-policy profile command:
To display the Network Mobility Services Protocol (NMSP) information for the switch, use the show nmsp command in Privileged EXEC mode. This command is available only when your switch is running the cryptographic (encrypted) software image.
show nmsp { attachment suppress interface | capability | notification interval | statistics { connection | summary } | status | subscription { detail | summary} }
This is an example of output from the show nmsp attachment suppress interface command:
This is an example of output from the show nmsp capability command:
This is an example of output from the show nmsp notification interval command:
This is an example of output from the show nmsp statistics connection and show nmsp statistics summary commands:
This is an example of output from the show nmsp status command:
This is an example of output from the show nmsp subscription detail and the show nmsp subscription summary commands:
Enables Network Mobility Services Protocol (NMSP) on the switch.
To display Port Aggregation Protocol (PAgP) channel-group information, use the show pagp command in EXEC mode.
show pagp [ channel-group-number ] { counters | dual-active | internal | neighbor }
(Optional) Number of the channel group. The range is 1 to 6.
You can enter any show pagp command to display the active channel-group information. To display the nonactive information, enter the show pagp command with a channel-group number.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This is an example of output from the show pagp 1 counters command:
This is an example of output from the show pagp 1 internal command:
This is an example of output from the show pagp 1 neighbor command:
This is an example of output from the show pagp dual-active command:
To display the parameters for all configured macros or for one macro on the switch, use the show parser macro command in EXEC mode.
show parser macro [ { brief | description [ interface interface-id ] | name word }]
(Optional) Displays all macro descriptions or the description of a specific interface.
(Optional) Displays information about a single macro identified by the macro name.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This is a partial output example from the show parser macro command. The output for the Cisco-default macros varies depending on the switch platform and the software image running on the switch:
This is an example of output from the show parser macro name command:
This is an example of output from the show parser macro brief command:
This is an example of output from the show parser macro description command:
This is an example of output from the show parser macro description interface command:
To display quality of service (QoS) policy maps, which define classification criteria for incoming traffic, use the show policy-map command in EXEC mode. Policy maps can include policers that specify the bandwidth limitations and the action to take if the limits are exceeded.
show policy-map [ policy-map-name [ class class-map-name ]]
(Optional) Displays QoS policy actions for an individual class.
Note Though visible in the command-line help string, the control-plane and interface keywords are not supported, and the statistics shown in the display should be ignored.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This is an example of output from the show policy-map command:
To display port-security settings for an interface or for the switch, use the show port-security command in Privileged EXEC mode.
show port-security [ interface interface-id ] [ address | vlan ]
If you enter the command without keywords, the output includes the administrative and operational status of all secure ports on the switch.
If you enter an interface-id, the command displays port security settings for the interface.
If you enter the address keyword, the command displays the secure MAC addresses for all interfaces and the aging information for each secure address.
If you enter an interface-id and the address keyword, the command displays all the MAC addresses for the interface with aging information for each secure address. You can also use this command to display all the MAC addresses for an interface even if you have not enabled port security on it.
If you enter the vlan keyword, the command displays the configured maximum and the current number of secure MAC addresses for all VLANs on the interface.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This is an example of the output from the show port-security command:
This is an example of output from the show port-security interface interface-id command:
This is an example of output from the show port-security address command:
This is an example of output from the show port-security interface gigabitethernet 1/2 address command:
This is an example of output from the show port-security interface interface-id vlan command:
Use the show power inline command in EXEC mode to display the Power over Ethernet (PoE) status for the specified PoE port or for all PoE ports.
show power inline [ interface-id | consumption ]
(Optional) Displays PoE-related power management information for the specified interface.
(Optional) Displays the power allocated to devices connected to PoE ports.
Use this command to show the interface port number, administration (configuration) status, current (actual) status, power consumption and device type information.
The following is an example of output from the show power inline command on the IE 2000 switch.
The IE 2000 switch supports PoE+ with maximum wattage of 30 W.
Configures the power management mode for the specified PoE port or for all PoE ports.
Displays the values in the registers of the specified PoE controller.
To display information about the PROFINET sessions on the switch, use the show profinet command in EXEC mode.
show profinet { alarm | lldp | session | status }
When LLDP and PROFINET are enabled, this command shows the physical ports that are sending and receiving PROFINET-formatted LLDP packets.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output are not displayed, but the lines that contain Output are displayed.
This example shows how to display PROFINET alarms:
This example shows how to display PROFINET LLDP:
This example shows how to display a PROFINET session:
This example shows how to display the PROFINET status:
To display the status of protocol storm protection configured for a specific protocol on a VLAN, use the show psp config command in Privileged EXEC mode.
show psp config { arp | dhcp | igmp }
This is an example of output from the show psp config dhcp command with protocol storm protection configured to drop packets when the incoming rate exceeds 35 packets per second.
psp { arp | dhcp | igmp } pps value: Configures protocol storm protection for ARP, DHCP, or IGMP.
Displays the number of dropped packets when protocol storm protection is configured.
To display the number of packets dropped for all protocols when protocol storm protection is configured, use the show psp statistics command in Privileged EXEC mode.
show psp statistics [ arp | dhcp | igmp ]
This is an example of output from the show psp statistics dhcp command when protocol storm protection is configured for DHCP. The output shows that 13 packets were dropped.
psp { arp | dhcp | igmp } pps value: Configures protocol storm protection for ARP, DHCP, or IGMP.
To view the global Precision Time Protocol (PTP) properties, use the show ptp command in Privileged EXEC mode.
show ptp { clock | foreign-master-record | parent | time-property }
The show ptp foreign-master-record command applies to boundary clock mode, even though the command also appears in end-to-end transparent mode.
If you enter the show ptp clock or show ptp port privileged EXEC command when the switch is in PTP forward mode, an error message states that no information is available.
This is an example of output from the show ptp clock command:
This is an example of output from the show ptp parent command:
This is an example of output from the show ptp time-property command:
This is an example of output from the show ptp foreign-master-record command:
To view the Precision Time Protocol (PTP) port properties, use the show ptp port command in Privileged EXEC mode.
show ptp port [ FastEthernet interface | GigabitEthernet interface ]
FastEthernet interface: (Optional) Displays the PTP FastEthernet properties on the specified port.
GigabitEthernet interface: (Optional) Displays the PTP Gigabit Ethernet properties on the specified port.
This is an example of output from the show ptp port FastEthernet 1/1 command:
To display Resilient Ethernet Protocol (REP) topology information for a segment or for all segments, including the primary and secondary edge ports in the segment, use the show rep topology command in EXEC mode.
show rep topology [ segment segment_id ] [ archive ] [ detail ]
In the show rep topology command output, ports configured as edge no-neighbor are designated with an asterisk (*) in front of Pri or Sec. In the output of the show rep topology detail command, No-Neighbor is spelled out.
The output of this command is also included in the show tech-support privileged EXEC command output.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output are not displayed, but the lines that contain Output are displayed.
This is a sample output from the show rep topology segment privileged EXEC command:
This is a sample output from the show rep topology command when the edge ports are configured to have no REP neighbor:
This example shows output from the show rep topology detail command:
This example shows output from the show rep topology segment archive command:
Enables REP on an interface and assigns a segment ID. This command is also used to configure a port as an edge port, a primary edge port, or a preferred port.
To display information about the Switch Database Management (SDM) templates that can be used to maximize system resources for a particular feature, use the show sdm prefer command in Privileged EXEC mode.
show sdm prefer [ default | dual-ipv4-and-ipv6 { default | routing } qos | routing ]
When you change the SDM template by using the sdm prefer global configuration command, you must reload the switch for the configuration to take effect. If you enter the show sdm prefer command before you enter the reload privileged EXEC command, the show sdm prefer command shows the template currently in use and the template that will become active after a reload.
The numbers displayed for each template represent an approximate maximum number for each feature resource. The actual number might vary, depending on the actual number of other features configured.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This is an example of output from the show sdm prefer default command:
This is an example of output from the show sdm prefer dual-ipv4-and-ipv6 command:
This is an example of output from the show sdm prefer routing command:
This is an example of output from the show sdm prefer dual-ipv4-and-ipv6 routing command:
To display if Express Setup mode is active on the switch, use the show setup express command in Privileged EXEC mode.
This is an example of output from the show setup express command:
To display spanning-tree state information, use the show spanning-tree command in EXEC mode.
show spanning-tree [ bridge-group | active [ detail ] | backbonefast | blockedports | bridge | detail [ active ] | inconsistentports | interface interface-id | mst | pathcost method | root | summary [ totals ] | uplinkfast | vlan vlan-id ]
show spanning-tree bridge-group [ active [ detail ] | blockedports | bridge | detail [ active ] | inconsistentports | interface interface-id | root | summary ]
show spanning-tree vlan vlan-id [ active [ detail ] | blockedports | bridge | detail [ active ] | inconsistentports | interface interface-id | root | summary ]
show spanning-tree { vlan vlan-id | bridge-group } bridge [ address | detail | forward-time | hello-time | id | max-age | priority [ system-id ] | protocol ] ]
show spanning-tree { vlan vlan-id | bridge-group } root [ address | cost | detail | forward-time | hello-time | id | max-age | port | priority [ system-id ] ]
show spanning-tree interface interface-id [ active [ detail ] | cost | detail [ active ] | inconsistency | portfast | priority | rootcost | state ]
show spanning-tree mst [ configuration [digest]] | [ instance-id [ detail | interface interface-id [ detail ]]
If the vlan-id variable is omitted, the command applies to the spanning-tree instance for all VLANs.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This is an example of output from the show spanning-tree active command:
This is an example of output from the show spanning-tree detail command:
This is an example of output from the show spanning-tree interface interface-id command:
This is an example of output from the show spanning-tree mst configuration command:
This is an example of output from the show spanning-tree mst interface interface-id command:
This is an example of output from the show spanning-tree mst 0 command:
To display broadcast, multicast, or unicast storm control settings on the switch or on the specified interface or to display storm-control history, use the show storm-control command in EXEC mode.
show storm-control [ interface-id ] [ broadcast | multicast | unicast ]
interface-id: (Optional) Interface ID for the physical port (including type, module, and port number).
When you enter an interface-id, the storm control thresholds appear for the specified interface.
If you do not enter an interface-id, settings appear for one traffic type for all ports on the switch.
If you do not enter a traffic type, settings appear for broadcast storm control.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This is an example of a partial output from the show storm-control command when no keywords are entered. Because no traffic-type keyword was entered, the broadcast storm control settings appear.
This is an example of output from the show storm-control command for a specified interface. Because no traffic-type keyword was entered, the broadcast storm control settings appear.
Table 0-14 describes the fields in the show storm-control display.
Sets the broadcast, multicast, or unicast storm control levels for the switch.
To display the global maximum transmission unit (MTU) or maximum packet size set for the switch, use the show system mtu command in Privileged EXEC mode.
If you have used the system mtu or system mtu jumbo global configuration command to change the MTU setting, the new setting does not take effect until you reset the switch.
The system MTU refers to ports operating at 10/100 Mb/s; the system jumbo MTU refers to Gigabit ports; the system routing MTU refers to routed ports.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This is an example of output from the show system mtu command:
Sets the MTU size for the Fast Ethernet, Gigabit Ethernet, or routed ports.
To display UniDirectional Link Detection (UDLD) administrative and operational status for all ports or the specified port, use the show udld command in EXEC mode.
interface-id: (Optional) ID of the interface and port number. Valid interfaces include physical ports and VLANs. The VLAN range is 1 to 4094.
If you do not enter an interface-id, administrative and operational UDLD status for all interfaces appear.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This is an example of output from the show udld interface-id command. For this display, UDLD is enabled on both ends of the link, and UDLD detects that the link is bidirectional. Table 0-15 describes the fields in this display.
To display version information for the hardware and firmware, use the show version command in EXEC mode.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
Note Though visible in the show version output, the configuration register information is not supported on the switch.
This is an example of output from the show version command:
To display the parameters for all configured VLANs or one VLAN (if the VLAN ID or name is specified) on the switch, use the show vlan command in EXEC mode.
show vlan [ brief | id vlan-id | internal usage | mtu | name vlan-name | remote-span | summary ]
Note Though visible in the command-line help string, the ifindex keyword is not supported.
In the show vlan mtu command output, the MTU_Mismatch column shows whether all the ports in the VLAN have the same MTU. When yes appears in this column, it means that the VLAN has ports with different MTUs, and packets that are switched from a port with a larger MTU to a port with a smaller MTU might be dropped. If the VLAN does not have an SVI, the hyphen (-) symbol appears in the SVI_MTU column. If the MTU_Mismatch column displays yes, the names of the port with the MinMTU and the port with the MaxMTU appear.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This is an example of output from the show vlan command. Table 0-16 describes the fields in the display.
Bridging mode for this VLAN. Possible values are source-route bridging (SRB) and source-route transparent (SRT); the default is SRB.
This is an example of output from the show vlan summary command:
This is an example of output from the show vlan id command.
This is an example of output from the show vlan internal usage command. It shows that VLANs 1025 and 1026 are being used as internal VLANs for Fast Ethernet routed ports 23 and 24. If you want to use one of these VLAN IDs, you must first shut down the routed port, which releases the internal VLAN, and then create the extended-range VLAN. When you start up the routed port, another internal VLAN number is assigned to it.
Enables VLAN configuration mode where you can configure VLANs 1 to 4094.
To display information about a particular VLAN access map or for all VLAN access maps, use the show vlan access-map command in Privileged EXEC mode.
show vlan access-map [ mapname ]
Note This command is available only when the switch is running the IP services image.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This is an example of output from the show vlan access-map command:
Displays information about all VLAN filters or about a particular VLAN or VLAN access map.
To display information about all VLAN filters or about a particular VLAN or VLAN access map, use the show vlan filter command in Privileged EXEC mode.
show vlan filter [ access-map name | vlan vlan-id ]
Note This command is available only when the switch is running the IP services image.
access-map name: (Optional) Displays filtering information for the specified VLAN access map.
vlan vlan-id: (Optional) Displays filtering information for the specified VLAN. The range is 1 to 4094.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This is an example of output from the show vlan filter command:
Displays information about a particular VLAN access map or for all VLAN access maps.
To display the VLAN Query Protocol (VQP) version, reconfirmation interval, retry count, VLAN Membership Policy Server (VMPS) IP addresses, and the current and primary servers, use the show vmps command in EXEC mode without keywords. Use the statistics keyword to display client-side statistics.
statistics: (Optional) Displays VQP client-side statistics and counters.
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This is an example of output from the show vmps command:
This is an example of output from the show vmps statistics command. Table 0-17 describes each field in the display.
Sends VQP queries to reconfirm all dynamic VLAN assignments with the VMPS.
Configures the primary VMPS and up to three secondary servers.
To display general information about the VLAN Trunking Protocol (VTP) management domain, status, and counters, use the show vtp command in EXEC mode.
show vtp { counters | devices [ conflicts ] | interface [ interface-id ] | password | status }
When you enter the show vtp password command when the switch is running VTP version 3, the display follows these rules:
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.
This is an example of output from the show vtp devices command. A Yes in the Conflict column means that the responding server is in conflict with the local server for the feature; that is, when two switches in the same domain do not have the same primary server for a database.
Retrieving information from the VTP domain. Waiting for 5 seconds.
VTP Database Conf switch ID Primary Server Revision System Name
lict
------------ ---- -------------- -------------- ---------- ----------------------
VLAN Yes 00b0.8e50.d000 000c.0412.6300 12354 main.cisco.com
MST No 00b0.8e50.d000 0004.AB45.6000 24 main.cisco.com
VLAN Yes 000c.0412.6300=000c.0412.6300 67 qwerty.cisco.com
This is an example of output from the show vtp counters command. Table 0-18 describes the fields in the display.
This is an example of output from the show vtp status command for a switch running VTP version 2. Table 0-19 describes the fields in the display.
This is an example of output from the show vtp status command for a switch running VTP version 3:
VTP Version capable : 1 to 3
VTP version running : 3
VTP Domain Name : Cisco
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 0021.1bcd.c700
Feature VLAN:
--------------
VTP Operating Mode : Server
Number of existing VLANs : 7
Number of existing extended VLANs : 0
Configuration Revision : 0
Primary ID : 0000.0000.0000
Primary Description :
MD5 digest : 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
Feature MST:
--------------
VTP Operating Mode : Client
Configuration Revision : 0
Primary ID : 0000.0000.0000
Primary Description :
MD5 digest : 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
Feature UNKNOWN:
--------------
VTP Operating Mode : Transparent
Configures the VTP filename, interface name, domain name, and mode.
To disable an interface, use the shutdown interface configuration command. Use the no form of this command to restart a disabled interface.
The shutdown command causes a port to stop forwarding. You can enable the port with the no shutdown command.
The no shutdown command has no effect if the port is a static-access port assigned to a VLAN that has been deleted, suspended, or shut down. The port must first be a member of an active VLAN before it can be reenabled.
The shutdown command disables all functions on the specified interface.
This command also marks the interface as unavailable. To see if an interface is disabled, use the show interfaces privileged EXEC command. An interface that has been shut down is shown as administratively down in the display.
These examples show how to disable and reenable a port:
You can verify your settings by entering the show interfaces privileged EXEC command.
Displays the statistical information specific to all interfaces or to a specific interface.
To shut down (suspend) local traffic on the specified VLAN, use the shutdown vlan global configuration command. Use the no form of this command to restart local traffic on the VLAN.
The shutdown vlan command does not change the VLAN information in the VTP database. The command shuts down local traffic, but the switch still advertises VTP information.
This example shows how to shut down traffic on VLAN 2:
You can verify your setting by entering the show vlan privileged EXEC command.
To configure the rate (threshold) for an interface to be error-disabled when it receives VLAN-tagged packets that are small frames (67 bytes or less) at the specified rate, use the small-frame violation rate interface configuration command. Use the no form of this command to return to the default setting.
small-frame violation rate pps
no small-frame violation rate pps
pps: Specifies the threshold at which an interface receiving small frames will be error-disabled. The range is 1 to 10,000 packets per second (pps).
This command enables the rate (threshold) for a port to be error-disabled when it receives small frames. Small frames are packets that are 67 bytes or less.
Use the errdisable detect cause small-frame global configuration command to globally enable the small-frames threshold for each port.
You can configure the port to be automatically reenabled by using the errdisable recovery cause small-frame global configuration command. You configure the recovery time by using the errdisable recovery interval interval global configuration command.
This example shows how to enable the small-frame arrival rate feature so that the port is error-disabled if incoming small frames arrived at 10,000 pps:
You can verify your setting by entering the show interfaces privileged EXEC command.
To enable the switch to send Simple Network Management Protocol (SNMP) notifications for various traps or inform requests to the network management system (NMS), use the snmp-server enable traps global configuration command. Use the no form of this command to return to the default setting.
snmp-server enable traps [ bgp | bridge [ newroot ] [ topologychange ] | cluster | config | copy-config | cpu [ threshold ] | dot1x [auth-fail-vlan | guest-vlan | no-auth-fail-vlan | no-guest-vlan] | entity | envmon [ fan | shutdown | status | supply | temperature ] | errdisable [ notification-rate value ] | flash [ insertion | removal ] | hsrp | ipmulticast | mac-notification [ change ] [ move ] [ threshold ] | ospf [ cisco-specific | errors | lsa | rate-limit | retransmit | state-change ] | pim [ invalid-pim-message | neighbor-change | rp-mapping-change ] | port-security [ trap-rate value ] | rtr | snmp [ authentication | coldstart | linkdown | linkup | warmstart ] | storm-control trap-rate value | stpx [ inconsistency ] [ root-inconsistency ] [ loop-inconsistency ] | syslog | tty | vlan-membership | vlancreate | vlandelete | vtp]
no snmp-server enable traps [ bgp | bridge [ newroot ] [ topologychange ] | cluster | config | copy-config | cpu [ threshold ] | dot1x [auth-fail-vlan | guest-vlan | no-auth-fail-vlan | no-guest-vlan] | entity | envmon [ fan | shutdown | status | supply | temperature ] | errdisable [ notification-rate value ] | flash [ insertion | removal ] | hsrp | ipmulticast | mac-notification [ change ] [ move ] [ threshold ] | ospf [ cisco-specific | errors | lsa | rate-limit | retransmit | state-change ] | pim [ invalid-pim-message | neighbor-change | rp-mapping-change ] | port-security [ trap-rate value ] | rtr | snmp [ authentication | coldstart | linkdown | linkup | warmstart ] | storm-control trap-rate value | stpx [ inconsistency ] [ root-inconsistency ] [ loop-inconsistency ] | syslog | tty | vlan-membership | vlancreate | vlandelete | vtp]
Note Though visible in the command-line help strings, the insertion and removal keywords are not supported. The snmp-server enable informs global configuration command is not supported. To enable the sending of SNMP inform notifications, use the snmp-server enable traps global configuration command combined with the snmp-server host host-addr informs global configuration command.
Specify the host (NMS) that receives the traps by using the snmp-server host global configuration command. If no trap types are specified, all types are sent.
When supported, use the snmp-server enable traps command to enable sending of traps or informs.
Note Informs are not supported in SNMPv1.
To enable more than one type of trap, you must enter a separate snmp-server enable traps command for each trap type.
To set the CPU threshold notification types and values, use the process cpu threshold type global configuration command.
This example shows how to send VTP traps to the NMS:
Displays the running configuration on the switch. For syntax information, see the Cisco IOS Software Command Reference, Release 15.0.
To specify the recipient (host) of a Simple Network Management Protocol (SNMP) notification operation, use the snmp-server host global configuration command. Use the no form of this command to remove the specified host.
snmp-server host host-addr [ udp-port port | informs | traps ] [ version { 1 | 2c | 3 { auth | noauth | priv }}] [ vrf vrf-instance ] { community-string [ notification-type ]}
no snmp-server host host-addr [ informs | traps ] [ version { 1 | 2c | 3 { auth | noauth | priv }}] [ vrf vrf-instance ] community-string
This command is disabled by default. No notifications are sent.
If you enter this command with no keywords, the default is to send all trap types to the host. No informs are sent to this host.
If no version keyword is present, the default is Version 1.
If Version 3 is selected and no authentication keyword is entered, the default is the noauth (noAuthNoPriv) security level.
SNMP notifications can be sent as traps or inform requests. Traps are unreliable because the receiver does not send acknowledgments when it receives traps. The sender cannot determine if the traps were received. However, an SNMP entity that receives an inform request acknowledges the message with an SNMP response PDU. If the sender never receives the response, the inform request can be sent again. Thus, informs are more likely to reach their intended destinations.
However, informs consume more resources in the agent and in the network. Unlike a trap, which is discarded as soon as it is sent, an inform request must be held in memory until a response is received or the request times out. Traps are also sent only once, but an inform might be retried several times. The retries increase traffic and contribute to a higher overhead on the network.
If you do not enter an snmp-server host command, no notifications are sent. To configure the switch to send SNMP notifications, you must enter at least one snmp-server host command. If you enter the command with no keywords, all trap types are enabled for the host. To enable multiple hosts, you must enter a separate snmp-server host command for each host. You can specify multiple notification types in the command for each host.
If a local user is not associated with a remote host, the switch does not send informs for the auth (authNoPriv) and the priv (authPriv) authentication levels.
When multiple snmp-server host commands are given for the same host and kind of notification (trap or inform), each succeeding command overwrites the previous command. Only the last snmp-server host command is in effect. For example, if you enter an snmp-server host inform command for a host and then enter another snmp-server host inform command for the same host, the second command replaces the first.
The snmp-server host command is used with the snmp-server enable traps global configuration command. Use the snmp-server enable traps command to specify which SNMP notifications are sent globally. For a host to receive most notifications, at least one snmp-server enable traps command and the snmp-server host command for that host must be enabled. Some notification types cannot be controlled with the snmp-server enable traps command. For example, some notification types are always enabled. Other notification types are enabled by a different command.
The no snmp-server host command with no keywords disables traps, but not informs, to the host. To disable informs, use the no snmp-server host informs command.
This example shows how to configure a unique SNMP community string named comaccess for traps and prevent SNMP polling access with this string through access-list 10:
This example shows how to send the SNMP traps to the host specified by the name myhost.cisco.com. The community string is defined as comaccess:
This example shows how to enable the switch to send all traps to the host myhost.cisco.com by using the community string public:
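The defaults and the overwrite rule described in this snmp-server host section can be checked mechanically before a change is applied. The following Python script is an added example, not part of the Cisco reference; the sample lines, addresses, user name and finding codes are constructed, and the parser follows only the syntax line shown above.

```python
KINDS = {"informs", "traps"}
V3_LEVELS = {"auth", "noauth", "priv"}

# Constructed sample: documentation addresses and a made-up SNMPv3 user name.
SAMPLE_CONFIG = """\
snmp-server enable traps vtp
snmp-server host 192.0.2.10 public
snmp-server host 192.0.2.11 informs version 2c comaccess vtp
snmp-server host 192.0.2.12 version 3 example-user
snmp-server host 192.0.2.13 traps version 3 auth example-user
snmp-server host 192.0.2.13 traps version 3 priv example-user
"""


def parse_host_line(line):
    """Parse one 'snmp-server host' command, applying the documented defaults.

    Returns None for other commands or when no community string is present.
    """
    tokens = line.split()
    if tokens[:2] != ["snmp-server", "host"] or len(tokens) < 4:
        return None
    rec = {"host": tokens[2], "kind": "traps",          # default: traps only
           "version": "1", "explicit_version": False,   # default: Version 1
           "level": None}
    i = 3
    while i < len(tokens) - 1:        # the last token can never be an option
        tok = tokens[i]
        if tok in KINDS:
            rec["kind"] = tok
            i += 1
        elif tok in ("udp-port", "vrf"):
            rec[tok] = tokens[i + 1]
            i += 2
        elif tok == "version":
            rec["version"], rec["explicit_version"] = tokens[i + 1], True
            i += 2
            if rec["version"] == "3":
                rec["level"] = "noauth"     # default when no keyword follows
                if i < len(tokens) and tokens[i] in V3_LEVELS:
                    rec["level"] = tokens[i]
                    i += 1
        else:
            break
    if i >= len(tokens):
        return None
    rec["community"] = tokens[i]      # with version 3 this is the user name
    rec["notifications"] = tokens[i + 1:]
    return rec


def effective_hosts(config):
    """Map (host, kind) to its record; a later command replaces an earlier one."""
    hosts = {}
    for line in config.splitlines():
        rec = parse_host_line(line)
        if rec:
            hosts[(rec["host"], rec["kind"])] = rec
    return hosts


def audit(config):
    """Return (host, kind, finding) tuples for weak notification targets."""
    findings = []
    for (host, kind), rec in effective_hosts(config).items():
        codes = []
        if not rec["explicit_version"]:
            codes.append("IMPLICIT_V1")              # no version keyword given
        if rec["version"] in ("1", "2c"):
            codes.append("CLEARTEXT_COMMUNITY")      # string is sent unencrypted
            if rec["community"] == "public":
                codes.append("WELL_KNOWN_COMMUNITY")
            if rec["version"] == "1" and kind == "informs":
                codes.append("INFORMS_NEED_V2C_OR_V3")
        elif rec["level"] == "noauth":
            codes.append("V3_NOAUTHNOPRIV")          # no authentication, no encryption
        elif rec["level"] == "auth":
            codes.append("V3_NO_ENCRYPTION")         # authNoPriv
        findings.extend((host, kind, code) for code in codes)
    return findings


if __name__ == "__main__":
    for host, kind, code in audit(SAMPLE_CONFIG):
        print(f"{host:<12} {kind:<8} {code}")
```

Only the last of the two commands for 192.0.2.13 is evaluated, so that host produces no finding.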
To enable the Simple Network Management Protocol (SNMP) MAC address change notification trap on a specific Layer 2 interface, use the snmp trap mac-notification change interface configuration command. Use the no form of this command to return to the default setting.
snmp trap mac-notification change { added | removed }
no snmp trap mac-notification change { added | removed }
added: Enables the MAC notification trap when a MAC address is added on this interface.
removed: Enables the MAC notification trap when a MAC address is removed from this interface.
By default, the traps for both address addition and address removal are disabled.
Even though you enable the notification trap for a specific interface by using the snmp trap mac-notification change command, the trap is generated only when you enter the snmp-server enable traps mac-notification change and the mac address-table notification change global configuration commands.
This example shows how to enable the MAC notification trap when a MAC address is added to a port:
You can verify your settings by entering the show mac address-table notification change interface privileged EXEC command.
clear mac address-table notification
Displays the MAC address notification settings for all interfaces or on the specified interface when the interface keyword is appended.
Sends the SNMP MAC notification traps when the mac-notification keyword is appended.
To enable the BackboneFast feature, use the spanning-tree backbonefast global configuration command. Use the no form of the command to return to the default setting.
You can configure the BackboneFast feature for rapid PVST+ or for multiple spanning-tree (MST) mode, but the feature remains disabled (inactive) until you change the spanning-tree mode to PVST+.
BackboneFast starts when a root port or blocked port on a switch receives inferior BPDUs from its designated switch. An inferior BPDU identifies a switch that declares itself as both the root bridge and the designated switch. When a switch receives an inferior BPDU, it means that a link to which the switch is not directly connected (an indirect link) has failed (that is, the designated switch has lost its connection to the root switch). If there are alternate paths to the root switch, BackboneFast causes the maximum aging time on the interfaces on which it received the inferior BPDU to expire and allows a blocked port to move immediately to the listening state. BackboneFast then transitions the interface to the forwarding state. For more information, see the software configuration guide for this release.
Enable BackboneFast on all supported switches to allow the detection of indirect link failures and to start the spanning-tree reconfiguration sooner.
This example shows how to enable BackboneFast on the switch:
You can verify your setting by entering the show spanning-tree summary privileged EXEC command.
show spanning-tree summary
To prevent an interface from sending or receiving bridge protocol data units (BPDUs), use the spanning-tree bpdufilter interface configuration command. Use the no form of this command to return to the default setting.
spanning-tree bpdufilter { disable | enable }
You can enable the BPDU filtering feature when the switch is operating in the per-VLAN spanning-tree plus (PVST+), rapid-PVST+, or the multiple spanning-tree (MST) mode.
You can globally enable BPDU filtering on all Port Fast-enabled interfaces by using the spanning-tree portfast bpdufilter default global configuration command.
You can use the spanning-tree bpdufilter interface configuration command to override the setting of the spanning-tree portfast bpdufilter default global configuration command.
This example shows how to enable the BPDU filtering feature on a port:
You can verify your setting by entering the show running-config privileged EXEC command.
To put an interface in the error-disabled state when it receives a bridge protocol data unit (BPDU), use the spanning-tree bpduguard interface configuration command. Use the no form of this command to return to the default setting.
spanning-tree bpduguard { disable | enable }
The BPDU guard feature provides a secure response to invalid configurations because you must manually put the interface back in service. Use the BPDU guard feature in a service-provider network to prevent an interface from being included in the spanning-tree topology.
You can enable the BPDU guard feature when the switch is operating in the per-VLAN spanning-tree plus (PVST+), rapid PVST+ (RPVST+), or the multiple spanning tree (MST) mode.
You can globally enable BPDU guard on all Port Fast-enabled interfaces by using the spanning-tree portfast bpduguard default global configuration command.
You can use the spanning-tree bpduguard interface configuration command to override the setting of the spanning-tree portfast bpduguard default global configuration command.
This example shows how to enable the BPDU guard feature on a port:
You can verify your setting by entering the show running-config privileged EXEC command.
To set the path cost for spanning-tree calculations, use the spanning-tree cost interface configuration command. If a loop occurs, spanning tree considers the path cost when selecting an interface to place in the forwarding state. Use the no form of this command to return to the default setting.
spanning-tree [ vlan vlan-id ] cost cost
no spanning-tree [ vlan vlan-id ] cost
The default path cost is computed from the interface bandwidth setting. These are the IEEE default path cost values:
When you configure the cost, higher values represent higher costs.
If you configure an interface with both the spanning-tree vlan vlan-id cost cost command and the spanning-tree cost cost command, the spanning-tree vlan vlan-id cost cost command takes effect.
This example shows how to set the path cost to 250 on a port:
This example shows how to set a path cost to 300 for VLANs 10, 12 to 15, and 20:
You can verify your settings by entering the show spanning-tree interface interface-id privileged EXEC command.
Command | Description |
---|---|
show spanning-tree interface interface-id | Displays spanning-tree information for the specified interface. |
spanning-tree vlan priority | Sets the switch priority for the specified spanning-tree instance. |
To display an error message when the switch detects an EtherChannel misconfiguration, use the spanning-tree etherchannel guard misconfig global configuration command. Use the no form of this command to disable the feature.
spanning-tree etherchannel guard misconfig
no spanning-tree etherchannel guard misconfig
When the switch detects an EtherChannel misconfiguration, this error message appears:
To show switch ports that are in the misconfigured EtherChannel, use the show interfaces status err-disabled privileged EXEC command. To verify the EtherChannel configuration on a remote device, use the show etherchannel summary privileged EXEC command on the remote device.
When a port is in the error-disabled state because of an EtherChannel misconfiguration, you can bring it out of this state by entering the errdisable recovery cause channel-misconfig global configuration command, or you can manually reenable it by entering the shutdown and no shutdown interface configuration commands.
This example shows how to enable the EtherChannel guard misconfiguration feature:
You can verify your settings by entering the show spanning-tree summary privileged EXEC command.
Command | Description |
---|---|
errdisable recovery cause channel-misconfig | Enables the timer to recover from the EtherChannel misconfiguration error-disabled state. |
show etherchannel summary | Displays EtherChannel information for a channel as a one-line summary per channel group. |
show interfaces status err-disabled | |
To enable the extended system ID feature, use the spanning-tree extend system-id global configuration command.
spanning-tree extend system-id
Note Though visible in the command-line help strings, the no version of this command is not supported. You cannot disable the extended system ID feature.
The switch supports the IEEE 802.1t spanning-tree extensions. Some of the bits previously used for the switch priority are now used for the extended system ID (VLAN identifier for the per-VLAN spanning-tree plus [PVST+] and rapid PVST+ or as an instance identifier for the multiple spanning tree [MST]).
The spanning tree uses the extended system ID, the switch priority, and the allocated spanning-tree MAC address to make the bridge ID unique for each VLAN or multiple spanning-tree instance.
Support for the extended system ID affects how you manually configure the root switch, the secondary root switch, and the switch priority of a VLAN. For more information, see the “spanning-tree mst root” and the “spanning-tree vlan” sections.
If your network consists of switches that do not support the extended system ID and switches that do support it, it is unlikely that the switch with the extended system ID support will become the root switch. The extended system ID increases the switch priority value every time the VLAN number is greater than the priority of the connected switches.
Command | Description |
---|---|
show spanning-tree summary | |
 | Configures the MST root switch priority and timers based on the network diameter. |
spanning-tree vlan priority | Sets the switch priority for the specified spanning-tree instance. |
To enable root guard or loop guard on all the VLANs associated with the selected interface, use the spanning-tree guard interface configuration command. Root guard restricts which interface is allowed to be the spanning-tree root port or the path-to-the root for the switch. Loop guard prevents alternate or root ports from becoming designated ports when a failure creates a unidirectional link. Use the no form of this command to return to the default setting.
spanning-tree guard { loop | none | root }
Loop guard is configured according to the spanning-tree loopguard default global configuration command (globally disabled).
You can enable root guard or loop guard when the switch is operating in the per-VLAN spanning tree plus (PVST+), rapid PVST+ (RPVST+), or the multiple spanning tree (MST) mode.
When root guard is enabled, if spanning-tree calculations cause an interface to be selected as the root port, the interface transitions to the root-inconsistent (blocked) state to prevent the customer’s switch from becoming the root switch or being in the path to the root. The root port provides the best path from the switch to the root switch.
When the no spanning-tree guard or the no spanning-tree guard none command is entered, root guard is disabled for all VLANs on the selected interface. If this interface is in the root-inconsistent (blocked) state, it automatically transitions to the listening state.
Do not enable root guard on interfaces that will be used by the UplinkFast feature. With UplinkFast, the backup interfaces (in the blocked state) replace the root port in the case of a failure. However, if root guard is also enabled, all the backup interfaces used by the UplinkFast feature are placed in the root-inconsistent state (blocked) and prevented from reaching the forwarding state. The UplinkFast feature is not available when the switch is operating in the rapid-PVST+ or MST mode.
Loop guard is most effective when it is configured on the entire switched network. When the switch is operating in PVST+ or rapid-PVST+ mode, loop guard prevents alternate and root ports from becoming designated ports, and spanning tree does not send bridge protocol data units (BPDUs) on root or alternate ports. When the switch is operating in MST mode, BPDUs are not sent on nonboundary interfaces if the interface is blocked by loop guard in all MST instances. On a boundary interface, loop guard blocks the interface in all MST instances.
To disable root guard or loop guard, use the spanning-tree guard none interface configuration command. You cannot enable both root guard and loop guard at the same time.
You can override the setting of the spanning-tree loopguard default global configuration command by using the spanning-tree guard loop interface configuration command.
This example shows how to enable root guard on all the VLANs associated with the specified port:
This example shows how to enable loop guard on all the VLANs associated with the specified port:
You can verify your settings by entering the show running-config privileged EXEC command.
Command | Description |
---|---|
 | Displays the current operating configuration. For syntax information, see the Cisco IOS Software Command Reference, Release 15.0. |
 | Prevents alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link. |
 | Configures the MST root switch priority and timers based on the network diameter. |
spanning-tree vlan priority | Sets the switch priority for the specified spanning-tree instance. |
To override the default link-type setting, which is determined by the duplex mode of the interface, and to enable rapid spanning-tree transitions to the forwarding state, use the spanning-tree link-type interface configuration command. Use the no form of this command to return to the default setting.
spanning-tree link-type { point-to-point | shared }
Specifies that the link type of an interface is point-to-point.
The switch derives the link type of an interface from the duplex mode. A full-duplex interface is considered a point-to-point link, and a half-duplex interface is considered a shared link.
You can override the default setting of the link type by using the spanning-tree link-type command. For example, a half-duplex link can be physically connected point-to-point to a single interface on a remote switch running the Multiple Spanning Tree Protocol (MSTP) or the rapid per-VLAN plus (rapid-PVST+) spanning-tree protocol and be enabled for rapid transitions.
This example shows how to specify the link type as shared (regardless of the duplex setting) and to prevent rapid transitions to the forwarding state:
You can verify your setting by entering the show spanning-tree mst interface interface-id or the show spanning-tree interface interface-id privileged EXEC command.
Command | Description |
---|---|
 | Restarts the protocol migration process (force the renegotiation with neighboring switches) on all interfaces or on the specified interface. |
show spanning-tree interface interface-id | Displays spanning-tree state information for the specified interface. |
show spanning-tree mst interface interface-id | |
To prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link, use the spanning-tree loopguard default global configuration command. Use the no form of this command to return to the default setting.
spanning-tree loopguard default
no spanning-tree loopguard default
You can enable the loop guard feature when the switch is operating in the per-VLAN spanning tree plus (PVST+), rapid PVST+ (RPVST+), or the multiple spanning tree (MST) mode.
Loop guard is most effective when it is configured on the entire switched network. When the switch is operating in PVST+ or RPVST+ mode, loop guard prevents alternate and root ports from becoming designated ports, and spanning tree does not send bridge protocol data units (BPDUs) on root or alternate ports. When the switch is operating in MST mode, BPDUs are not sent on nonboundary interfaces if the interface is blocked by loop guard in all MST instances. On a boundary interface, loop guard blocks the interface in all MST instances.
Loop guard operates only on interfaces that the spanning tree identifies as point-to-point.
You can override the setting of the spanning-tree loopguard default global configuration command by using the spanning-tree guard loop interface configuration command.
This example shows how to globally enable loop guard:
You can verify your settings by entering the show running-config privileged EXEC command.
Command | Description |
---|---|
 | Displays the current operating configuration. For syntax information, see the Cisco IOS Software Command Reference, Release 15.0. |
spanning-tree guard loop | Enables the loop guard feature on all the VLANs associated with the specified interface. |
To enable per-VLAN spanning tree plus (PVST+), rapid PVST+ (RPVST+), or multiple spanning tree (MST) on your switch, use the spanning-tree mode global configuration command. Use the no form of this command to return to the default setting.
spanning-tree mode { mst | pvst | rapid-pvst }
Enables MST and Rapid Spanning Tree Protocol (RSTP) (based on IEEE 802.1s and IEEE 802.1w).
The switch supports PVST+, RPVST+, and MSTP, but only one version can be active at any time: All VLANs run PVST+, all VLANs run RPVST+, or all VLANs run MSTP.
When you enable the MST mode, RSTP is automatically enabled.
This example shows how to enable MST and RSTP on the switch:
This example shows how to enable RPVST+ on the switch:
You can verify your setting by entering the show running-config privileged EXEC command.
Command | Description |
---|---|
 | Displays the current operating configuration. For syntax information, see the Cisco IOS Software Command Reference, Release 15.0. |
To enter multiple spanning-tree (MST) configuration mode through which you configure the MST region, use the spanning-tree mst configuration global configuration command. Use the no form of this command to return to the default settings.
spanning-tree mst configuration
no spanning-tree mst configuration
The default mapping is that all VLANs are mapped to the common and internal spanning-tree (CIST) instance (instance 0).
The spanning-tree mst configuration command enables the MST configuration mode. These configuration commands are available:
In MST mode, the switch supports up to 65 MST instances. The number of VLANs that can be mapped to a particular MST instance is unlimited.
When you map VLANs to an MST instance, the mapping is incremental, and VLANs specified in the command are added to or removed from the VLANs that were previously mapped. To specify a range, use a hyphen; for example, instance 1 vlan 1-63 maps VLANs 1 to 63 to MST instance 1. To specify a series, use a comma; for example, instance 1 vlan 10, 20, 30 maps VLANs 10, 20, and 30 to MST instance 1.
All VLANs that are not explicitly mapped to an MST instance are mapped to the common and internal spanning tree (CIST) instance (instance 0) and cannot be unmapped from the CIST by using the no form of the command.
For two or more switches to be in the same MST region, they must have the same VLAN mapping, the same configuration revision number, and the same name.
This example shows how to enter MST configuration mode, map VLANs 10 to 20 to MST instance 1, name the region region1, set the configuration revision to 1, display the pending configuration, apply the changes, and return to global configuration mode:
This example shows how to add VLANs 1 to 100 to the ones already mapped (if any) to instance 2, to move VLANs 40 to 60 that were previously mapped to instance 2 to the CIST instance, to add VLAN 10 to instance 10, and to remove all the VLANs mapped to instance 2 and map them to the CIST instance:
You can verify your settings by entering the show pending MST configuration command.
Command | Description |
---|---|
show spanning-tree mst configuration | |
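The incremental mapping rules and the region-match condition described above can be checked offline before a change is applied. The following Python model is an added example, not Cisco code: the class and function names are hypothetical, and it handles only the `instance`, `name` and `revision` commands that this section describes.

```python
def parse_vlans(spec):
    """Expand '1-63' or '10, 20, 30' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        first, _, last = part.partition("-")
        first, last = int(first), int(last or first)
        if not 1 <= first <= last <= 4094:
            raise ValueError(f"bad VLAN range: {part!r}")
        vlans.update(range(first, last + 1))
    return vlans


class MstConfig:
    """Pending MST region configuration (hypothetical model for illustration)."""

    def __init__(self):
        self.name, self.revision = "", 0
        self.mapping = {}  # VLAN -> instance; VLANs not listed are in the CIST (instance 0)

    def apply(self, command):
        words = command.split()
        negate = words[0] == "no"
        if negate:
            words = words[1:]
        if words[0] == "name" and not negate:
            self.name = words[1]
        elif words[0] == "revision" and not negate:
            self.revision = int(words[1])
        elif words[0] == "instance":
            instance = int(words[1])
            if len(words) > 2:                      # "instance N vlan <list>"
                if words[2] != "vlan":
                    raise ValueError(f"unsupported command: {command!r}")
                vlans = parse_vlans(" ".join(words[3:]))
            else:                                   # "no instance N": every VLAN in N
                vlans = {v for v, i in self.mapping.items() if i == instance}
            for vlan in vlans:
                if negate:
                    # Removal only affects VLANs currently in this instance;
                    # they fall back to the CIST.
                    if self.mapping.get(vlan) == instance:
                        del self.mapping[vlan]
                elif instance == 0:
                    self.mapping.pop(vlan, None)
                else:
                    self.mapping[vlan] = instance   # moves the VLAN if mapped elsewhere
        else:
            raise ValueError(f"unsupported command: {command!r}")
        return self

    def vlans_of(self, instance):
        return sorted(v for v, i in self.mapping.items() if i == instance)


def build(commands):
    config = MstConfig()
    for command in commands:
        config.apply(command)
    return config


def same_region(a, b):
    """Same region requires the same VLAN mapping, revision number and name."""
    return (a.name, a.revision, a.mapping) == (b.name, b.revision, b.mapping)


if __name__ == "__main__":
    # The sequence described in the second example above.
    cfg = build(["instance 2 vlan 1-100", "no instance 2 vlan 40-60",
                 "instance 10 vlan 10", "no instance 2"])
    print(cfg.mapping)
```

Comparing the models built from two switches' planned commands with `same_region` shows a region split before it happens on the network.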
To set the path cost for multiple spanning-tree (MST) calculations, use the spanning-tree mst cost interface configuration command. If a loop occurs, spanning tree considers the path cost when selecting an interface to put in the forwarding state. Use the no form of this command to return to the default setting.
spanning-tree mst instance-id cost cost
no spanning-tree mst instance-id cost
The default path cost is computed from the interface bandwidth setting. These are the IEEE default path cost values:
When you configure the cost, higher values represent higher costs.
This example shows how to set a path cost of 250 on a port associated with instances 2 and 4:
You can verify your settings by entering the show spanning-tree mst interface interface-id privileged EXEC command.
Command | Description |
---|---|
show spanning-tree mst interface interface-id | |
 | Configures the switch priority for the specified spanning-tree instance. |
To set the forward-delay time for all multiple spanning-tree (MST) instances, use the spanning-tree mst forward-time global configuration command. The forwarding time specifies how long each of the listening and learning states last before the interface begins forwarding. Use the no form of this command to return to the default setting.
spanning-tree mst forward-time seconds
no spanning-tree mst forward-time
Length of the listening and learning states. The range is 4 to 30 seconds.
Changing the spanning-tree mst forward-time command affects all spanning-tree instances.
This example shows how to set the spanning-tree forwarding time to 18 seconds for all MST instances:
You can verify your setting by entering the show spanning-tree mst privileged EXEC command.
To set the interval between hello bridge protocol data units (BPDUs) sent by root switch configuration messages, use the spanning-tree mst hello-time global configuration command. Use the no form of this command to return to the default setting.
spanning-tree mst hello-time seconds
no spanning-tree mst hello-time
Interval between hello BPDUs sent by root switch configuration messages. The range is 1 to 10 seconds.
After you set the spanning-tree mst max-age seconds global configuration command, if a switch does not receive BPDUs from the root switch within the specified interval, the switch recomputes the spanning-tree topology. The max-age setting must be greater than the hello-time setting.
Changing the spanning-tree mst hello-time command affects all spanning-tree instances.
This example shows how to set the spanning-tree hello time to 3 seconds for all multiple spanning-tree (MST) instances:
You can verify your setting by entering the show spanning-tree mst privileged EXEC command.
Command | Description |
---|---|
 | Sets the interval between messages that the spanning tree receives from the root switch. |
 | Sets the number of hops in a region before the BPDU is discarded. |
To set the interval between messages that the spanning tree receives from the root switch, use the spanning-tree mst max-age global configuration command. If a switch does not receive a bridge protocol data unit (BPDU) message from the root switch within this interval, it recomputes the spanning-tree topology. Use the no form of this command to return to the default setting.
spanning-tree mst max-age seconds
Interval between messages the spanning tree receives from the root switch. The range is 6 to 40 seconds.
After you set the spanning-tree mst max-age seconds global configuration command, if a switch does not receive BPDUs from the root switch within the specified interval, the switch recomputes the spanning-tree topology. The max-age setting must be greater than the hello-time setting.
Changing the spanning-tree mst max-age command affects all spanning-tree instances.
This example shows how to set the spanning-tree max-age to 30 seconds for all multiple spanning-tree (MST) instances:
You can verify your setting by entering the show spanning-tree mst privileged EXEC command.
Command | Description |
---|---|
 | Sets the interval between hello BPDUs sent by root switch configuration messages. |
 | Sets the number of hops in a region before the BPDU is discarded. |
To set the number of hops in a region before the bridge protocol data unit (BPDU) is discarded and the information held for an interface is aged, use the spanning-tree mst max-hops global configuration command. Use the no form of this command to return to the default setting.
spanning-tree mst max-hops hop-count
Number of hops in a region before the BPDU is discarded. The range is 1 to 255 hops.
The root switch of the instance always sends a BPDU (or M-record) with a cost of 0 and the hop count set to the maximum value. When a switch receives this BPDU, it decrements the received remaining hop count by one and propagates the decremented count as the remaining hop count in the generated M-records. A switch discards the BPDU and ages the information held for the interface when the count reaches 0.
Changing the spanning-tree mst max-hops command affects all spanning-tree instances.
This example shows how to set the spanning-tree max-hops to 10 for all multiple spanning-tree (MST) instances:
You can verify your setting by entering the show spanning-tree mst privileged EXEC command.
Command | Description |
---|---|
 | Sets the interval between hello BPDUs sent by root switch configuration messages. |
 | Sets the interval between messages that the spanning tree receives from the root switch. |
To configure an interface priority, use the spanning-tree mst port-priority interface configuration command. If a loop occurs, the Multiple Spanning Tree Protocol (MSTP) can find the interface to put in the forwarding state. Use the no form of this command to return to the default setting.
spanning-tree mst instance-id port-priority priority
no spanning-tree mst instance-id port-priority
You can assign higher priority values (lower numerical values) to interfaces that you want selected first and lower priority values (higher numerical values) to interfaces that you want selected last. If all interfaces have the same priority value, the multiple spanning tree (MST) puts the interface with the lowest interface number in the forwarding state and blocks other interfaces.
This example shows how to increase the likelihood that the interface associated with spanning-tree instances 20 and 22 is placed into the forwarding state if a loop occurs:
You can verify your settings by entering the show spanning-tree mst interface interface-id privileged EXEC command.
Command | Description |
---|---|
show spanning-tree mst interface interface-id | |
 | Sets the switch priority for the specified spanning-tree instance. |
To configure a port to send only prestandard bridge protocol data units (BPDUs), use the spanning-tree mst pre-standard interface configuration command.
spanning-tree mst pre-standard
no spanning-tree mst pre-standard
The default state is automatic detection of prestandard neighbors.
The port can accept both prestandard and standard BPDUs. If the neighbor types are mismatched, only the common and internal spanning tree (CIST) runs on this interface.
Note If a switch port is connected to a switch running prestandard Cisco IOS software, you must use the spanning-tree mst pre-standard interface configuration command on the port. If you do not configure the port to send only prestandard BPDUs, the Multiple STP (MSTP) performance might diminish.
When the port is configured to automatically detect prestandard neighbors, the prestandard flag always appears in the show spanning-tree mst commands.
This example shows how to configure a port to send only prestandard BPDUs:
You can verify your settings by entering the show spanning-tree mst privileged EXEC command.
Command | Description |
---|---|
show spanning-tree mst instance-id | Displays multiple spanning-tree (MST) information, including the prestandard flag, for the specified interface. |
To set the switch priority for the specified spanning-tree instance, use the spanning-tree mst priority global configuration command. Use the no form of this command to return to the default setting.
spanning-tree mst instance-id priority priority
no spanning-tree mst instance-id priority
This example shows how to set the spanning-tree priority to 8192 for multiple spanning-tree instances (MST) 20 to 21:
You can verify your settings by entering the show spanning-tree mst instance-id privileged EXEC command.
Command | Description |
---|---|
show spanning-tree mst instance-id | |
To configure the multiple spanning-tree (MST) root switch priority and timers based on the network diameter, use the spanning-tree mst root global configuration command. Use the no form of this command to return to the default settings.
spanning-tree mst instance-id root { primary | secondary } [ diameter net-diameter [ hello-time seconds ]]
no spanning-tree mst instance-id root
The primary root switch priority is 24576.
Use the spanning-tree mst instance-id root command only on backbone switches.
When you enter the spanning-tree mst instance-id root command, the software tries to set a high enough priority to make this switch the root of the spanning-tree instance. Because of the extended system ID support, the switch sets the switch priority for the instance to 24576 if this value will cause this switch to become the root for the specified instance. If any root switch for the specified instance has a switch priority lower than 24576, the switch sets its own priority to 4096 less than the lowest switch priority. (4096 is the value of the least-significant bit of a 4-bit switch priority value.)
When you enter the spanning-tree mst instance-id root secondary command, because of support for the extended system ID, the software changes the switch priority from the default value (32768) to 28672. If the root switch fails, this switch becomes the next root switch (if the other switches in the network use the default switch priority of 32768 and are unlikely to become the root switch).
This example shows how to configure the switch as the root switch for instance 10 with a network diameter of 4:
This example shows how to configure the switch as the secondary root switch for instance 10 with a network diameter of 4:
You can verify your settings by entering the show spanning-tree mst instance-id privileged EXEC command.
Command | Description |
---|---|
show spanning-tree mst instance-id | |
 | Sets the interval between hello BPDUs sent by root switch configuration messages. |
 | Sets the interval between messages that the spanning tree receives from the root switch. |
 | Sets the number of hops in a region before the BPDU is discarded. |
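To predict which switch wins the root election, and what priority the root primary form selects, the bridge ID arithmetic from the extended system ID section can be modelled directly. This Python sketch is an added example, not Cisco code: the switch names and MAC addresses are constructed, the lowest-bridge-ID-wins rule is standard spanning-tree behavior, and resolving an equal-priority case by MAC address is this example's reading of the rule above.

```python
import re

PRIORITY_STEP = 4096  # value of the least-significant bit of the 4-bit priority
PRIMARY, SECONDARY, DEFAULT = 24576, 28672, 32768


def mac_to_int(mac):
    return int(re.sub(r"[.:-]", "", mac), 16)


def bridge_id(priority, mac, ext_id=None):
    """64-bit bridge ID: 16-bit priority field followed by the 48-bit MAC.

    With the extended system ID, the low 12 bits of the priority field carry
    the VLAN or MST instance number. ext_id=None models a switch without it.
    """
    if ext_id is None:
        field = priority
    else:
        if priority % PRIORITY_STEP or not 0 <= priority <= 61440:
            raise ValueError("priority must be a multiple of 4096 from 0 to 61440")
        if not 0 <= ext_id <= 4095:
            raise ValueError("the extended system ID is 12 bits wide")
        field = priority + ext_id
    return (field << 48) | mac_to_int(mac)


def elect_root(switches, ext_id):
    """Return the name of the switch with the lowest bridge ID."""
    def key(switch):
        own_ext = ext_id if switch["ext_sysid"] else None
        return bridge_id(switch["priority"], switch["mac"], own_ext)
    return min(switches, key=key)["name"]


def root_primary_priority(my_mac, root_priority, root_mac, ext_id):
    """Priority chosen by the root primary form, following the rule above:
    24576 if that wins the election, otherwise 4096 below the current root."""
    mine = bridge_id(PRIMARY, my_mac, ext_id)
    if mine < bridge_id(root_priority, root_mac, ext_id):
        return PRIMARY
    lower = root_priority - PRIORITY_STEP
    if lower < 0:
        raise ValueError("the current root already uses priority 0")
    return lower


# Constructed inventory: two switches with the extended system ID, one without.
SWITCHES = [
    {"name": "core-a", "priority": DEFAULT, "mac": "00:1a:2b:00:00:0a", "ext_sysid": True},
    {"name": "core-b", "priority": DEFAULT, "mac": "00:1a:2b:00:00:0b", "ext_sysid": True},
    {"name": "legacy", "priority": DEFAULT, "mac": "00:1a:2b:00:00:ff", "ext_sysid": False},
]

if __name__ == "__main__":
    # In VLAN 10 the legacy switch advertises 32768 against 32778 and wins.
    print(elect_root(SWITCHES, 10))
    print(root_primary_priority("00:1a:2b:00:00:0b", 8192, "00:1a:2b:00:00:0a", 10))
```

The mixed-inventory result is the effect described in the extended system ID section: at equal configured priority, the switch without the extended system ID advertises the lower priority field and becomes root.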
To configure an interface priority, use the spanning-tree port-priority interface configuration command. If a loop occurs, spanning tree can find the interface to put in the forwarding state. Use the no form of this command to return to the default setting.
spanning-tree [ vlan vlan-id ] port-priority priority
no spanning-tree [ vlan vlan-id ] port-priority
If the variable vlan-id is omitted, the command applies to the spanning-tree instance associated with VLAN 1.
You can set the priority on a VLAN that has no interfaces assigned to it. The setting takes effect when you assign the interface to the VLAN.
If you configure an interface with both the spanning-tree vlan vlan-id port-priority priority command and the spanning-tree port-priority priority command, the spanning-tree vlan vlan-id port-priority priority command takes effect.
This example shows how to increase the likelihood that a port will be put in the forwarding state if a loop occurs:
This example shows how to set the port-priority value on VLANs 20 to 25:
You can verify your settings by entering the show spanning-tree interface interface-id privileged EXEC command.
Command | Description |
---|---|
show spanning-tree interface interface-id | Displays spanning-tree information for the specified interface. |
spanning-tree vlan priority | Sets the switch priority for the specified spanning-tree instance. |
To globally enable bridge protocol data unit (BPDU) filtering on Port Fast-enabled interfaces, the BPDU guard feature on Port Fast-enabled interfaces, or the Port Fast feature on all nontrunking interfaces, use the spanning-tree portfast global configuration command. Use the no form of this command to return to the default settings.
spanning-tree portfast { bpdufilter default | bpduguard default | default }
no spanning-tree portfast { bpdufilter default | bpduguard default | default }
The BPDU filtering, the BPDU guard, and the Port Fast features are disabled on all interfaces unless they are individually configured.
The BPDU filtering feature prevents the switch interface from sending or receiving BPDUs. The BPDU guard feature puts Port Fast-enabled interfaces that receive BPDUs in an error-disabled state.
You can enable these features when the switch is operating in the per-VLAN spanning-tree plus (PVST+), rapid PVST+ (RPVST+), or the multiple spanning-tree (MST) mode.
Use the spanning-tree portfast bpdufilter default global configuration command to globally enable BPDU filtering on interfaces that are Port Fast-enabled (the interfaces are in a Port Fast-operational state). The interfaces still send a few BPDUs at linkup before the switch begins to filter outbound BPDUs. You should globally enable BPDU filtering on a switch so that hosts connected to switch interfaces do not receive BPDUs. If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status and BPDU filtering is disabled.
You can override the spanning-tree portfast bpdufilter default global configuration command by using the spanning-tree bpdufilter interface configuration command.
Use the spanning-tree portfast bpduguard default global configuration command to globally enable BPDU guard on interfaces that are in a Port Fast-operational state. In a valid configuration, Port Fast-enabled interfaces do not receive BPDUs. Receiving a BPDU on a Port Fast-enabled interface signals an invalid configuration, such as the connection of an unauthorized device, and the BPDU guard feature puts the interface in the error-disabled state. The BPDU guard feature provides a secure response to invalid configurations because you must manually put the interface back in service. Use the BPDU guard feature in a service-provider network to prevent an access port from participating in the spanning tree.
You can override the spanning-tree portfast bpduguard default global configuration command by using the spanning-tree bpduguard interface configuration command.
Use the spanning-tree portfast default global configuration command to globally enable the Port Fast feature on all nontrunking interfaces. Configure Port Fast only on interfaces that connect to end stations; otherwise, an accidental topology loop could cause a data packet loop and disrupt switch and network operation. A Port Fast-enabled interface moves directly to the spanning-tree forwarding state when linkup occurs without waiting for the standard forward-delay time.
You can override the spanning-tree portfast default global configuration command by using the spanning-tree portfast interface configuration command. You can use the no spanning-tree portfast default global configuration command to disable Port Fast on all interfaces unless they are individually configured with the spanning-tree portfast interface configuration command.
This example shows how to globally enable the BPDU filtering feature:
This example shows how to globally enable the BPDU guard feature:
This example shows how to globally enable the Port Fast feature on all nontrunking interfaces:
You can verify your settings by entering the show running-config privileged EXEC command.
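Because the global defaults and the per-interface commands override each other, reading show running-config by eye makes it easy to miss a port that is Port Fast-enabled but not protected by BPDU guard. The following Python audit is an added example, not Cisco code: it resolves the effective state per interface using the command forms on this page, also flags root guard configured while UplinkFast is enabled, and runs on a constructed configuration. It assumes trunks are marked with `switchport mode trunk` and does not model dynamic-access ports.

```python
import re

# Constructed running-config excerpt for illustration (not from the original page).
SAMPLE_CONFIG = """\
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree uplinkfast
!
interface GigabitEthernet1/1
 switchport mode access
!
interface GigabitEthernet1/2
 switchport mode access
 spanning-tree bpduguard disable
!
interface GigabitEthernet1/3
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/4
 switchport mode trunk
 spanning-tree guard root
!
interface GigabitEthernet1/5
 switchport mode access
 spanning-tree portfast disable
"""


def parse(config):
    """Return (set of global lines, {interface name: [its config lines]})."""
    global_lines, interfaces, current = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # a top-level line closes any interface block
            match = re.match(r"interface\s+(\S+)", line)
            current = match.group(1) if match else None
            if match:
                interfaces[current] = []
            elif line != "!":
                global_lines.add(line)
        elif current is not None:
            interfaces[current].append(line)
    return global_lines, interfaces


def _override(feature, global_lines, lines, portfast):
    """Interface enable/disable wins; otherwise the global default applies
    to Port Fast-enabled interfaces only."""
    if f"spanning-tree {feature} enable" in lines:
        return True
    if f"spanning-tree {feature} disable" in lines:
        return False
    return portfast and f"spanning-tree portfast {feature} default" in global_lines


def audit(config):
    """Compute effective Port Fast, BPDU guard and BPDU filter state per interface."""
    global_lines, interfaces = parse(config)
    uplinkfast = any(g.startswith("spanning-tree uplinkfast") for g in global_lines)
    report = {}
    for name, lines in interfaces.items():
        trunk = "switchport mode trunk" in lines  # assumption: trunks are set statically
        if "spanning-tree portfast disable" in lines:
            portfast = False
        elif "spanning-tree portfast trunk" in lines:
            portfast = True
        elif "spanning-tree portfast" in lines:
            portfast = not trunk  # the plain form is not supported on trunk ports
        else:
            portfast = not trunk and "spanning-tree portfast default" in global_lines
        guard = _override("bpduguard", global_lines, lines, portfast)
        bpdufilter = _override("bpdufilter", global_lines, lines, portfast)
        findings = []
        if portfast and not guard:
            findings.append("portfast-without-bpduguard")
        if bpdufilter:
            findings.append("bpdufilter-enabled")  # port neither sends nor receives BPDUs
        if uplinkfast and "spanning-tree guard root" in lines:
            findings.append("root-guard-with-uplinkfast")
        report[name] = {"portfast": portfast, "bpduguard": guard,
                        "bpdufilter": bpdufilter, "findings": findings}
    return report


if __name__ == "__main__":
    for name, state in audit(SAMPLE_CONFIG).items():
        print(name, state)
```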
To enable the Port Fast feature on an interface in all its associated VLANs, use the spanning-tree portfast interface configuration command. When the Port Fast feature is enabled, the interface changes directly from a blocking state to a forwarding state without making the intermediate spanning-tree state changes. Use the no form of this command to return to the default setting.
spanning-tree portfast [ disable | trunk ]
(Optional) Disables the Port Fast feature on the specified interface.
(Optional) Enables the Port Fast feature on a trunking interface.
The Port Fast feature is disabled on all interfaces; however, it is automatically enabled on dynamic-access ports.
Use this feature only on interfaces that connect to end stations; otherwise, an accidental topology loop could cause a data packet loop and disrupt switch and network operation.
To enable Port Fast on trunk ports, you must use the spanning-tree portfast trunk interface configuration command. The spanning-tree portfast command is not supported on trunk ports.
You can enable this feature when the switch is operating in the per-VLAN spanning tree plus (PVST+), rapid-PVST+ (RPVST+), or the multiple spanning tree (MST) mode.
This feature affects all VLANs on the interface.
An interface with the Port Fast feature enabled is moved directly to the spanning-tree forwarding state without the standard forward-time delay.
You can use the spanning-tree portfast default global configuration command to globally enable the Port Fast feature on all nontrunking interfaces. However, the spanning-tree portfast interface configuration command can override the global setting.
If you configure the spanning-tree portfast default global configuration command, you can disable Port Fast on an interface that is not a trunk interface by using the spanning-tree portfast disable interface configuration command.
This example shows how to enable the Port Fast feature on a port:
You can verify your settings by entering the show running-config privileged EXEC command.
To configure the number of bridge protocol data units (BPDUs) sent every second, use the spanning-tree transmit hold-count global configuration command. Use the no form of this command to return to the default setting.
spanning-tree transmit hold-count [ value ]
no spanning-tree transmit hold-count [ value ]
(Optional) Number of BPDUs sent every second. The range is 1 to 20.
Increasing the transmit hold-count value can have a significant impact on CPU utilization when the switch is in RPVST+ mode. Decreasing this value might slow down convergence. We recommend using the default setting.
This example shows how to set the transmit hold count to 8:
You can verify your setting by entering the show spanning-tree mst privileged EXEC command.
Displays the multiple spanning tree (MST) region configuration and status, including the transmit hold count.
To accelerate the choice of a new root port when a link or switch fails or when the spanning tree reconfigures itself, use the spanning-tree uplinkfast global configuration command. Use the no form of this command to return to the default setting.
spanning-tree uplinkfast [ max-update-rate pkts-per-second ]
no spanning-tree uplinkfast [ max-update-rate ]
(Optional) The number of packets per second at which update packets are sent. The range is 0 to 32000.
Use this command only on access switches.
You can configure the UplinkFast feature for rapid PVST+ (RPVST+) or for multiple spanning tree (MST) mode, but the feature remains disabled (inactive) until you change the spanning tree mode to PVST+.
When you enable UplinkFast, it is enabled for the entire switch and cannot be enabled for individual VLANs.
When UplinkFast is enabled, the switch priority of all VLANs is set to 49152. If you change the path cost to a value less than 3000 and you enable UplinkFast or UplinkFast is already enabled, the path cost of all interfaces and VLAN trunks is increased by 3000 (if you change the path cost to 3000 or above, the path cost is not altered). The changes to the switch priority and the path cost reduce the chance that a switch will become the root switch.
When UplinkFast is disabled, the switch priorities of all VLANs and path costs of all interfaces are set to default values if you did not modify them from their defaults.
When spanning tree detects that the root port has failed, UplinkFast immediately changes to an alternate root port, changing the new root port directly to forwarding state. During this time, a topology change notification is sent.
Do not enable the root guard on interfaces that will be used by the UplinkFast feature. With UplinkFast, the backup interfaces (in the blocked state) replace the root port in the case of a failure. However, if root guard is also enabled, all the backup interfaces used by the UplinkFast feature are placed in the root-inconsistent state (blocked) and prevented from reaching the forwarding state.
If you set the max-update-rate to 0, station-learning frames are not generated, so the spanning-tree topology converges more slowly after a loss of connectivity.
This example shows how to enable UplinkFast:
You can verify your setting by entering the show spanning-tree summary privileged EXEC command.
show spanning-tree summary
spanning-tree vlan root primary
To configure spanning tree on a per-VLAN basis, use the spanning-tree vlan global configuration command. Use the no form of this command to return to the default setting.
spanning-tree vlan vlan-id [ forward-time seconds | hello-time seconds | max-age seconds |
priority priority | root { primary | secondary } [ diameter net-diameter
[ hello-time seconds ]]]
no spanning-tree vlan vlan-id [ forward-time | hello-time | max-age | priority | root ]
Spanning tree is enabled on all VLANs.
The forward-delay time is 15 seconds.
Disabling the STP causes the VLAN to stop participating in the spanning-tree topology. Interfaces that are administratively down remain down. Received BPDUs are forwarded like other multicast frames. The VLAN does not detect and prevent loops when STP is disabled.
You can disable the STP on a VLAN that is not currently active and verify the change by using the show running-config or the show spanning-tree vlan vlan-id privileged EXEC command. The setting takes effect when the VLAN is activated.
When disabling or reenabling the STP, you can specify a range of VLANs that you want to disable or enable.
When a VLAN is disabled and then enabled, all assigned VLANs continue to be its members. However, all spanning-tree bridge parameters are returned to their previous settings (the last setting before the VLAN was disabled).
You can enable spanning-tree options on a VLAN that has no interfaces assigned to it. The setting takes effect when you assign interfaces to it.
When setting the max-age seconds, if a switch does not receive BPDUs from the root switch within the specified interval, it recomputes the spanning-tree topology. The max-age setting must be greater than the hello-time setting.
The spanning-tree vlan vlan-id root command should be used only on backbone switches.
When you enter the spanning-tree vlan vlan-id root command, the software checks the switch priority of the current root switch for each VLAN. Because of the extended system ID support, the switch sets the switch priority for the specified VLAN to 24576 if this value will cause this switch to become the root for the specified VLAN. If any root switch for the specified VLAN has a switch priority lower than 24576, the switch sets its own priority for the specified VLAN to 4096 less than the lowest switch priority. (4096 is the value of the least-significant bit of a 4-bit switch priority value.)
When you enter the spanning-tree vlan vlan-id root secondary command, because of support for the extended system ID, the software changes the switch priority from the default value (32768) to 28672. If the root switch fails, this switch becomes the next root switch (if the other switches in the network use the default switch priority of 32768, and are unlikely to become the root switch).
This example shows how to disable the STP on VLAN 5:
You can verify your setting by entering the show spanning-tree privileged EXEC command. In this instance, VLAN 5 does not appear in the list.
This example shows how to set the spanning-tree forwarding time to 18 seconds for VLANs 20 and 25:
This example shows how to set the spanning-tree hello-delay time to 3 seconds for VLANs 20 to 24:
This example shows how to set the spanning-tree max-age parameter to 30 seconds for VLAN 20:
This example shows how to reset the max-age parameter to the default value for spanning-tree instance 100 and 105 to 108:
This example shows how to set the spanning-tree priority to 8192 for VLAN 20:
This example shows how to configure the switch as the root switch for VLAN 10 with a network diameter of 4:
This example shows how to configure the switch as the secondary root switch for VLAN 10 with a network diameter of 4:
You can verify your settings by entering the show spanning-tree vlan vlan-id privileged EXEC command.
show spanning-tree vlan
Enables the root guard or the loop guard feature for all the VLANs associated with the selected interface.
Globally enables the BPDU filtering or the BPDU guard feature on Port Fast-enabled interfaces or enables the Port Fast feature on all nontrunking interfaces.
Enables the Port Fast feature on an interface in all its associated VLANs.
Enables the UplinkFast feature, which accelerates the choice of a new root port.
To specify the speed of a 10/100 Mb/s or 10/100/1000 Mb/s port, use the speed interface configuration command. Use the no or default form of this command to return the port to its default value.
speed { 10 | 100 | 1000 | auto [ 10 | 100 | 1000 ] | nonegotiate }
Except for the 1000BASE-T SFP modules, if an SFP module port is connected to a device that does not support autonegotiation, you can configure the speed to not negotiate (nonegotiate).
If the speed is set to auto, the switch negotiates with the device at the other end of the link for the speed setting and then forces the speed setting to the negotiated value. The duplex setting remains as configured on each end of the link, which could result in a duplex setting mismatch.
If both ends of the line support autonegotiation, we highly recommend the default autonegotiation settings. If one interface supports autonegotiation and the other end does not, use the auto setting on the supported side, but set the duplex and speed on the other side.
For guidelines on setting the switch speed and duplex parameters, see the “Configuring Interface Characteristics” chapter in the software configuration guide for this release.
This example shows how to set the speed on a port to 100 Mb/s:
This example shows how to set a port to autonegotiate at only 10 Mb/s:
This example shows how to set a port to autonegotiate at only 10 or 100 Mb/s:
You can verify your settings by entering the show interfaces privileged EXEC command.
Displays the statistical information specific to all interfaces or to a specific interface.
To limit the maximum output on a port, use the srr-queue bandwidth limit interface configuration command. Use the no form of this command to return to the default setting.
srr-queue bandwidth limit weight1
Percentage of the port speed to which the port should be limited. The range is 10 to 90.
If you configure this command to 80 percent, the port is idle 20 percent of the time. The line rate drops to 80 percent of the connected speed. These values are not exact because the hardware adjusts the line rate in increments of six.
Note The egress queue default settings are suitable for most situations. You should change them only when you have a thorough understanding of the egress queues and if these settings do not meet your quality of service (QoS) solution.
This example shows how to limit a port to 80 Mb/s:
You can verify your settings by entering the show mls qos interface [ interface-id ] queueing privileged EXEC command.
Maps class of service (CoS) values to an egress queue or maps CoS values to a queue and to a threshold ID.
Maps Differentiated Services Code Point (DSCP) values to an egress queue or maps DSCP values to a queue and to a threshold ID.
Configures the weighted tail-drop (WTD) thresholds, guarantees the availability of buffers, and configures the maximum memory allocation for the queue set.
show mls qos interface queueing
Assigns the shaped weights and enables bandwidth shaping on the four egress queues mapped to a port.
Assigns the shared weights and enables bandwidth sharing on the four egress queues mapped to a port.
To assign the shaped weights and to enable bandwidth shaping on the four egress queues mapped to a port, use the srr-queue bandwidth shape interface configuration command. Use the no form of this command to return to the default setting.
srr-queue bandwidth shape weight1 weight2 weight3 weight4
Weight1 is set to 25. Weight2, weight3, and weight4 are set to 0, and these queues are in shared mode.
In shaped mode, the queues are guaranteed a percentage of the bandwidth, and they are rate-limited to that amount. Shaped traffic does not use more than the allocated bandwidth even if the link is idle. Use shaping to smooth bursty traffic or to provide a smoother output over time.
The shaped mode overrides the shared mode.
If you configure a shaped queue weight to 0 by using the srr-queue bandwidth shape interface configuration command, this queue participates in shared mode. The weight specified with the srr-queue bandwidth shape command is ignored, and the weights specified with the srr-queue bandwidth share interface configuration command for a queue come into effect.
When configuring queues for the same port for both shaping and sharing, make sure that you configure the lowest numbered queue for shaping.
Note The egress queue default settings are suitable for most situations. You should change them only when you have a thorough understanding of the egress queues and if these settings do not meet your QoS solution.
This example shows how to configure the queues for the same port for both shaping and sharing. Because the weight ratios for queues 2, 3, and 4 are set to 0, these queues operate in shared mode. The bandwidth weight for queue 1 is 1/8, which is 12.5 percent. Queue 1 is guaranteed this bandwidth and limited to it; it does not extend its slot to the other queues even if the other queues have no traffic and are idle. Queues 2, 3, and 4 are in shared mode, and the setting for queue 1 is ignored. The bandwidth ratio allocated for the queues in shared mode is 4/(4+4+4), which is 33 percent:
Maps class of service (CoS) values to an egress queue or maps CoS values to a queue and to a threshold ID.
Maps Differentiated Services Code Point (DSCP) values to an egress queue or maps DSCP values to a queue and to a threshold ID.
Configures the weighted tail-drop (WTD) thresholds, guarantees the availability of buffers, and configures the maximum memory allocation to a queue set.
show mls qos interface queueing
Assigns the shared weights and enables bandwidth sharing on the four egress queues mapped to a port.
To assign the shared weights and to enable bandwidth sharing on the four egress queues mapped to a port, use the srr-queue bandwidth share interface configuration command. The ratio of the weights is the ratio of the frequency in which the shaped round robin (SRR) scheduler dequeues packets from each queue. Use the no form of this command to return to the default setting.
srr-queue bandwidth share weight1 weight2 weight3 weight4
The ratios of the frequency in which the SRR scheduler dequeues packets. Separate each value with a space. The range is 1 to 255.
Weight1, weight2, weight3, and weight4 are 25 (1/4 of the bandwidth is allocated to each queue).
The absolute value of each weight is meaningless, and only the ratio of parameters is used.
In shared mode, the queues share the bandwidth among them according to the configured weights. The bandwidth is guaranteed at this level but not limited to it. For example, if a queue empties and does not require a share of the link, the remaining queues can expand into the unused bandwidth and share it among themselves.
If you configure a shaped queue weight to 0 by using the srr-queue bandwidth shape interface configuration command, this queue participates in SRR shared mode. The weight specified with the srr-queue bandwidth shape command is ignored, and the weights specified with the srr-queue bandwidth share interface configuration command for a queue take effect.
When configuring queues for the same port for both shaping and sharing, make sure that you configure the lowest numbered queue for shaping.
Note The egress queue default settings are suitable for most situations. You should change them only when you have a thorough understanding of the egress queues and if these settings do not meet your QoS solution.
This example shows how to configure the weight ratio of the SRR scheduler running on an egress port. Four queues are used. The bandwidth ratio allocated for each queue in shared mode is 1/(1+2+3+4), 2/(1+2+3+4), 3/(1+2+3+4), and 4/(1+2+3+4), which is 10 percent, 20 percent, 30 percent, and 40 percent for queues 1, 2, 3, and 4. This means that queue 4 has four times the bandwidth of queue 1, twice the bandwidth of queue 2, and one-and-a-third times the bandwidth of queue 3.
Maps class of service (CoS) values to an egress queue or maps CoS values to a queue and to a threshold ID.
Maps Differentiated Services Code Point (DSCP) values to an egress queue or maps DSCP values to a queue and to a threshold ID.
Configures the weighted tail-drop (WTD) thresholds, guarantees the availability of buffers, and configures the maximum memory allocation to a queue set.
show mls qos interface queueing
Assigns the shaped weights and enables bandwidth shaping on the four egress queues mapped to a port.
To enable broadcast, multicast, or unicast storm control and to set threshold levels on an interface, use the storm-control interface configuration command. Use the no form of this command to return to the default setting.
storm-control {{ broadcast | multicast | unicast } level { level [ level-low ] | bps bps [ bps-low ] | pps pps [ pps-low ]}} | { action { shutdown | trap }}
no storm-control {{ broadcast | multicast | unicast } level } | { action { shutdown | trap }}
Broadcast, multicast, and unicast storm control are disabled.
The default action is to filter traffic and to not send an SNMP trap.
The storm-control suppression level can be entered as a percentage of total bandwidth of the port, as a rate in packets per second at which traffic is received, or as a rate in bits per second at which traffic is received.
When specified as a percentage of total bandwidth, a suppression value of 100 percent means that no limit is placed on the specified traffic type. A value of level 0 0 means that all broadcast, multicast, or unicast traffic on that port is blocked. Storm control is enabled only when the rising suppression level is less than 100 percent. If no other storm-control configuration is specified, the default action is to filter the traffic causing the storm and to send no SNMP traps.
Note When the storm control threshold for multicast traffic is reached, all multicast traffic except control traffic, such as bridge protocol data unit (BPDU) and Cisco Discovery Protocol (CDP) frames, is blocked. However, the switch does not differentiate between routing updates, such as Open Shortest Path First (OSPF), and regular multicast data traffic, so both types of traffic are blocked.
The trap and shutdown options are independent of each other.
If you configure the action to be taken as shutdown (the port is error-disabled during a storm) when a packet storm is detected, you must use the no shutdown interface configuration command to bring the interface out of this state. If you do not specify the shutdown action, specify the action as trap (the switch generates a trap when a storm is detected).
When a storm occurs and the action is to filter traffic, if the falling suppression level is not specified, the switch blocks all traffic until the traffic rate drops below the rising suppression level. If the falling suppression level is specified, the switch blocks traffic until the traffic rate drops below this level.
Note Storm control is supported on physical interfaces. You can also configure storm control on an EtherChannel. When storm control is configured on an EtherChannel, the storm control settings propagate to the EtherChannel physical interfaces.
When a broadcast storm occurs and the action is to filter traffic, the switch blocks only broadcast traffic.
For more information, see the software configuration guide for this release.
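The rising and falling suppression levels and the filter and shutdown actions described above can be modeled as a small state machine. This is an added example, not Cisco code: the function names, the sample rates, the "storm starts when the rate is at or above the rising level" comparison, and the one-sample-per-interval timing are assumptions of the model.

```python
from typing import List, Optional

FORWARD, BLOCKED, ERR_DISABLED = "forward", "blocked", "err-disabled"


def simulate_storm_control(rates: List[float], rising: float,
                           falling: Optional[float] = None,
                           action: str = "filter") -> List[str]:
    """Model storm control for one traffic type on one port.

    rates   -- measured rate per interval, as a percentage of port bandwidth
    rising  -- rising suppression level (percent)
    falling -- optional falling suppression level (percent)
    action  -- "filter" (the default action) or "shutdown"
    Returns the port state for that traffic type after each interval.
    """
    if action not in ("filter", "shutdown"):
        raise ValueError("action must be 'filter' or 'shutdown'")
    if falling is not None and falling > rising:
        # Assumption of this model: the falling level may not exceed the rising level.
        raise ValueError("falling level must not exceed rising level")

    # A suppression value of 100 percent places no limit on the traffic type.
    if rising >= 100:
        return [FORWARD] * len(rates)

    # Without a falling level, traffic resumes once the rate drops below the rising level.
    resume_below = rising if falling is None else falling

    states = []
    state = FORWARD
    for rate in rates:
        if state == ERR_DISABLED:
            pass  # stays down until an operator enters "no shutdown"
        elif state == FORWARD and rate >= rising:  # assumption: storm detected at >= rising
            state = ERR_DISABLED if action == "shutdown" else BLOCKED
        elif state == BLOCKED and rate < resume_below:
            state = FORWARD
        states.append(state)
    return states


def suppressed_intervals(states: List[str]) -> int:
    """Count the intervals in which the traffic type was not forwarded."""
    return sum(1 for s in states if s != FORWARD)


# Constructed sample: per-interval unicast rate as a percentage of port bandwidth.
SAMPLE_RATES = [10, 50, 80, 90, 70, 66, 60, 30]

if __name__ == "__main__":
    cases = [
        ("level 87 65, filter", dict(rising=87, falling=65)),
        ("level 87, filter", dict(rising=87)),
        ("level 87 65, shutdown", dict(rising=87, falling=65, action="shutdown")),
        ("level 0 0, filter", dict(rising=0, falling=0)),
    ]
    for label, kwargs in cases:
        result = simulate_storm_control(SAMPLE_RATES, **kwargs)
        print(f"{label:24} suppressed={suppressed_intervals(result)} {result}")
```

With a falling level configured, the port keeps filtering for the intervals in which the rate sits between the two levels, which is the behavior to account for when choosing thresholds.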
This example shows how to enable broadcast storm control with a 75.5-percent rising suppression level:
This example shows how to enable unicast storm control on a port with an 87-percent rising suppression level and a 65-percent falling suppression level:
This example shows how to enable multicast storm control on a port with a 2000-packets-per-second rising suppression level and a 1000-packets-per-second falling suppression level:
This example shows how to enable the shutdown action on a port:
Displays broadcast, multicast, or unicast storm control settings on all interfaces or on a specified interface.
To configure a port as a static-access or dynamic-access port, use the switchport access interface configuration command. Use the no form of this command to reset the access mode to the default VLAN for the switch.
switchport access vlan { vlan-id | dynamic }
The default access VLAN and trunk interface native VLAN is a default VLAN corresponding to the platform or interface hardware.
A dynamic-access port is initially a member of no VLAN and receives its assignment based on the packet it receives.
If the switchport mode is set to access, the port operates as a member of the specified VLAN. If set to dynamic, the port starts discovery of VLAN assignment based on the incoming packets it receives.
The no switchport access command resets the access mode VLAN to the appropriate default VLAN for the device.
The port must be in access mode before the switchport access vlan command can take effect.
An access port can be assigned to only one VLAN.
The VMPS server (such as a Catalyst 6500 series switch) must be configured before a port is configured as dynamic.
These restrictions apply to dynamic-access ports:
– Members of an EtherChannel port group (dynamic-access ports cannot be grouped with any other port, including other dynamic ports).
This example shows how to change a switched port interface that is operating in access mode to operate in VLAN 2 instead of the default VLAN:
You can verify your setting by entering the show interfaces interface-id switchport privileged EXEC command and examining information in the Administrative Mode and Operational Mode rows.
show interfaces switchport
Displays the administrative and operational status of a switching (nonrouting) port, including port blocking and port protection settings.
To exclude an interface from the VLAN interface (switch virtual interface) line-state up or down calculation, use the switchport autostate exclude interface configuration command. Use the no form of this command to return to the default setting.
no switchport autostate exclude
Note This command is available only when the switch is running the IP services image.
All ports in the VLAN are included in the VLAN interface link-up calculation.
Enter the switchport autostate exclude command on a Layer 2 access or trunk port belonging to an SVI.
A VLAN interface (SVI) is up if ports are forwarding traffic in the associated VLAN. When all ports on a VLAN are down or blocking, the SVI is down. For the SVI line state to be up, at least one port in the VLAN must be up and forwarding. You can use the switchport autostate exclude command to exclude a port from the SVI interface line-state up-or-down calculation. For example, you might exclude a monitoring port from the calculations so that the VLAN is not considered up when only the monitoring port is active.
When you enter the switchport autostate exclude command on a port, the command applies to all VLANs that are enabled on the port.
You can verify the autostate mode of an interface by entering the show interface interface-id switchport privileged EXEC command. If the mode has not been set, the autostate mode does not appear.
This example shows how to configure autostate exclude on an interface and to verify the configuration:
show interfaces [ interface-id ] switchport
Displays the administrative and operational status of a switching (nonrouting) port, including autostate mode, if set.
Displays the current operating configuration. For syntax information, see the Cisco IOS Software Command Reference, Release 15.0.
To configure Flex Links, a pair of interfaces that provide backup to each other, use the switchport backup interface interface configuration command on a Layer 2 interface. Use the no form of this command to remove the Flex Links configuration.
switchport backup interface [FastEthernet interface-id | GigabitEthernet interface-id | Port-channel interface-id | TenGigabitEthernet interface-id ] {mmu primary vlan interface-id | multicast fast-convergence | preemption {delay delay-time | mode} | prefer vlan vlan-id}
no switchport backup interface [FastEthernet interface-id | GigabitEthernet interface-id | Port-channel interface-id | TenGigabitEthernet interface-id ] {mmu | multicast fast-convergence | preemption {delay delay-time | mode} | prefer vlan vlan-id}
Note This command is available only when the switch is running the LAN Base image.
The default is to have no Flex Links defined. Preemption mode is off; no preemption occurs. Preemption delay is set to 35 seconds.
With Flex Links configured, one link acts as the primary interface and forwards traffic, while the other interface is in standby mode, ready to begin forwarding traffic if the primary link shuts down. The interface being configured is referred to as the active link; the specified interface is identified as the backup link. The feature provides an alternative to the Spanning Tree Protocol (STP), allowing users to turn off STP and still retain basic link redundancy.
This example shows how to configure two interfaces as Flex Links:
This example shows how to configure the Fast Ethernet interface to always preempt the backup:
This example shows how to configure the Fast Ethernet interface preemption delay time:
This example shows how to configure the Fast Ethernet interface as the MMU primary VLAN:
The following example shows how to configure preferred VLANs:
You can verify your setting by entering the show interfaces switchport backup privileged EXEC command.
In the following example, VLANs 60, and 100 to 120 are configured on the switch:
When both interfaces are up, Gi1/2 forwards traffic for VLANs 1 to 50, and Gi1/1 forwards traffic for VLANs 60 and 100 to 120.
When a Flex Link interface goes down (LINK_DOWN), VLANs preferred on this interface are moved to the peer interface of the Flex Link pair. In this example, if interface Gi1/2 goes down, Gi1/1 carries all VLANs of the Flex Link pair.
When a Flex Link interface comes up, VLANs preferred on this interface are blocked on the peer interface and moved to the forwarding state on the interface that has just come up. In this example, if interface Gi1/2 comes up, VLANs preferred on this interface are blocked on the peer interface Gi1/1 and forwarded on Gi1/2.
This example shows how to configure multicast fast-convergence on interface Gi1/1:
You can verify your setting by entering the show interfaces switchport backup detail privileged EXEC command.
show interfaces [ interface-id ] switchport backup
Displays the configured Flex Links and their status on the switch or for the specified interface.
To prevent unknown multicast or unicast packets from being forwarded, use the switchport block interface configuration command. Use the no form of this command to allow forwarding unknown multicast or unicast packets.
switchport block { multicast | unicast }
no switchport block { multicast | unicast }
Specifies that unknown multicast traffic should be blocked. Note Only pure Layer 2 multicast traffic is blocked. Multicast packets that contain IPv4 or IPv6 information in the header are not blocked.
By default, all traffic with unknown MAC addresses is sent to all ports. You can block unknown multicast or unicast traffic on protected or nonprotected ports. If unknown multicast or unicast traffic is not blocked on a protected port, there could be security issues.
With multicast traffic, the port blocking feature blocks only pure Layer 2 packets. Multicast packets that contain IPv4 or IPv6 information in the header are not blocked.
Blocking unknown multicast or unicast traffic is not automatically enabled on protected ports; you must explicitly configure it.
For more information about blocking packets, see the software configuration guide for this release.
This example shows how to block unknown unicast traffic on an interface:
You can verify your setting by entering the show interfaces interface-id switchport privileged EXEC command.
show interfaces switchport
Displays the administrative and operational status of a switching (nonrouting) port, including port blocking and port protection settings.
To optimize a port for a host connection, use the switchport host interface configuration command. The no form of this command has no effect on the system.
The default is for the port to not be optimized for a host connection.
To optimize the port for a host connection, the switchport host command sets switch port mode to access, enables spanning tree Port Fast, and disables channel grouping. Only an end station can accept this configuration.
Because spanning tree Port Fast is enabled, you should enter the switchport host command only on ports that are connected to a single host. Connecting other switches, hubs, concentrators, or bridges to a fast-start port can cause temporary spanning-tree loops.
Enable the switchport host command to decrease the time that it takes to start up packet forwarding.
This example shows how to optimize the port configuration for a host connection:
You can verify your setting by entering the show interfaces interface-id switchport privileged EXEC command.
show interfaces switchport
Displays the administrative and operational status of a switching port, including switchport mode.
To configure the VLAN membership mode of a port, use the switchport mode interface configuration command. Use the no form of this command to reset the mode to the appropriate default for the device.
switchport mode { access | dynamic { auto | desirable } | trunk }
no switchport mode { access | dynamic | trunk }
A configuration that uses the access or trunk keywords takes effect only when you configure the port in the appropriate mode by using the switchport mode command. The static-access and trunk configuration are saved, but only one configuration is active at a time.
When you enter access mode, the interface changes to permanent nontrunking mode and negotiates to convert the link into a nontrunk link even if the neighboring interface does not agree to the change.
When you enter trunk mode, the interface changes to permanent trunking mode and negotiates to convert the link into a trunk link even if the interface connecting to it does not agree to the change.
When you enter dynamic auto mode, the interface converts the link to a trunk link if the neighboring interface is set to trunk or desirable mode.
When you enter dynamic desirable mode, the interface becomes a trunk interface if the neighboring interface is set to trunk, desirable, or auto mode.
To autonegotiate trunking, the interfaces must be in the same VLAN Trunking Protocol (VTP) domain. Trunk negotiation is managed by the Dynamic Trunking Protocol (DTP), which is a point-to-point protocol. However, some internetworking devices might forward DTP frames improperly, which could cause misconfigurations. To avoid this, you should configure interfaces connected to devices that do not support DTP to not forward DTP frames, which turns off DTP.
The IEEE 802.1x feature interacts with switchport modes in these ways:
This example shows how to configure a port for access mode:
This example shows how to set the port to dynamic desirable mode:
This example shows how to configure a port for trunk mode:
| Command | Description |
|---|---|
| show interfaces switchport | Displays the administrative and operational status of a switching (nonrouting) port, including port blocking and port protection settings. |
| | Configures a port as a static-access or dynamic-access port. |
| | Configures the trunk characteristics when an interface is in trunking mode. |
To specify that Dynamic Trunking Protocol (DTP) negotiation packets are not sent on the Layer 2 interface, use the switchport nonegotiate interface configuration command. The switch does not engage in DTP negotiation on this interface. Use the no form of this command to return to the default setting.
The default is to use DTP negotiation to learn the trunking status.
The no form of the switchport nonegotiate command removes nonegotiate status.
This command is valid only when the interface switchport mode is access or trunk (configured by using the switchport mode access or the switchport mode trunk interface configuration command). This command returns an error if you attempt to execute it in dynamic (auto or desirable) mode.
Internetworking devices that do not support DTP might forward DTP frames improperly and cause misconfigurations. To avoid this, you should turn off DTP by using the switchport nonegotiate command to configure the interfaces connected to devices that do not support DTP to not forward DTP frames.
When you enter the switchport nonegotiate command, DTP negotiation packets are not sent on the interface. The device does or does not trunk according to the mode parameter: access or trunk.
This example shows how to cause a port to refrain from negotiating trunking mode and to act as a trunk or access port (depending on the mode set):
You can verify your setting by entering the show interfaces interface-id switchport privileged EXEC command.
| Command | Description |
|---|---|
| show interfaces switchport | Displays the administrative and operational status of a switching port, including port blocking and port protection settings. |
To enable port security on the interface, use the switchport port-security interface configuration command without keywords. Use the keywords to configure secure MAC addresses, sticky MAC address learning, a maximum number of secure MAC addresses, or the violation mode. Use the no form of this command to disable port security or to set the parameters to their default states.
switchport port-security [ mac-address mac-address [ vlan { vlan-id | { access | voice }}] | mac-address sticky [ mac-address | vlan { vlan-id | { access | voice }}]] [ maximum value [ vlan { vlan-list | { access | voice }}]]
no switchport port-security [ mac-address mac-address [ vlan { vlan-id | { access | voice }}] | mac-address sticky [ mac-address | vlan { vlan-id | { access | voice }}]] [ maximum value [ vlan { vlan-list | { access | voice }}]]
switchport port-security [ aging ] [ violation { protect | restrict | shutdown | shutdown vlan}]
no switchport port-security [ aging ] [ violation { protect | restrict | shutdown | shutdown vlan}]
(Optional) Specifies a secure MAC address for the interface by entering a 48-bit MAC address. You can add additional secure MAC addresses up to the maximum value configured.

(Optional) On a trunk port only, specifies the VLAN ID and the MAC address. If no VLAN ID is specified, the native VLAN is used.

(Optional) On an access port only, specifies the VLAN as an access VLAN.

(Optional) On an access port only, specifies the VLAN as a voice VLAN. Note The voice keyword is available only if voice VLAN is configured on a port and if that port is not the access VLAN.

(Optional) Enables the interface for sticky learning by entering only the mac-address sticky keywords. When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running configuration and converts these addresses to sticky secure MAC addresses. (Optional) Enter a mac-address to specify a sticky secure MAC address.

(Optional) Sets the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system. This number is determined by the active Switch Database Management (SDM) template. For more information, see the sdm prefer global configuration command. This number represents the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces.

(Optional) For trunk ports, sets the maximum number of secure MAC addresses on a VLAN. If the vlan keyword is not entered, the default value is used.

(Optional) See the switchport port-security aging command.

(Optional) Sets the security violation mode or the action to be taken if port security is violated. The default is shutdown.

Sets the security violation protect mode. In this mode, when the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred. Note We do not recommend configuring the protect mode on a trunk port. The protect mode disables learning when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit.

Sets the security violation restrict mode. In this mode, when the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.

Sets the security violation shutdown mode. In this mode, the interface is error-disabled when a violation occurs and the port LED turns off. An SNMP trap is sent, a syslog message is logged, and the violation counter increments. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually reenable it by entering the shutdown and no shutdown interface configuration commands.

Sets the security violation mode to per-VLAN shutdown. In this mode, only the VLAN on which the violation occurred is error-disabled.
The default is to disable port security.
When port security is enabled and no keywords are entered, the default maximum number of secure MAC addresses is 1.
A secure port has the following limitations:
A security violation occurs when the maximum number of secure MAC addresses are in the address table and a station whose MAC address is not in the address table attempts to access the interface or when a station whose MAC address is configured as a secure MAC address on another secure port attempts to access the interface.
When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command. You can manually reenable the port by entering the shutdown and no shutdown interface configuration commands or by using the clear errdisable interface privileged EXEC command.
Setting a maximum number of addresses to one and configuring the MAC address of an attached device ensures that the device has the full bandwidth of the port.
When you enter a maximum secure address value for an interface, this occurs:
Sticky secure MAC addresses have these characteristics:
This example shows how to enable port security on a port and to set the maximum number of secure addresses to 5. The violation mode is the default, and no secure MAC addresses are configured.
This example shows how to configure a secure MAC address and a VLAN ID on a port:
This example shows how to enable sticky learning and to enter two sticky secure MAC addresses on a port:
This example shows how to configure a port to shut down only the VLAN if a violation occurs:
You can verify your settings by using the show port-security privileged EXEC command.
| Command | Description |
|---|---|
| | Deletes from the MAC address table a specific type of secure address or all the secure addresses on the switch or an interface. |
| show port-security address | |
| show port-security | Displays port security configuration for the switch or for the specified interface. |
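The protect, restrict and shutdown violation modes and the two violation conditions described above, modeled as a small Python state machine. This is an added illustration, not Cisco code or switch output: the class and function names, the event records and the MAC addresses are constructed, and the shutdown vlan mode and aging are not modeled.

```python
from dataclasses import dataclass, field

MODES = ("protect", "restrict", "shutdown")


@dataclass
class SecurePort:
    """Model of one secure port; defaults follow the page (maximum 1, shutdown)."""
    maximum: int = 1
    violation: str = "shutdown"
    secure: set = field(default_factory=set)     # secure MAC address table
    violation_count: int = 0
    err_disabled: bool = False
    events: list = field(default_factory=list)   # constructed notification records

    def __post_init__(self):
        if self.violation not in MODES:
            raise ValueError(f"unsupported violation mode: {self.violation}")

    def receive(self, src_mac, secure_on_other_port=False):
        """Return 'forward' or 'drop' for a frame with this source MAC."""
        if self.err_disabled:
            return "drop"                        # port stays down until re-enabled
        if not secure_on_other_port:
            if src_mac in self.secure:
                return "forward"
            if len(self.secure) < self.maximum:
                self.secure.add(src_mac)         # dynamically learned secure address
                return "forward"
        # Either the table is full and the address is unknown, or the address
        # is already secure on another secure port: both are violations.
        return self._violate(src_mac)

    def _violate(self, src_mac):
        if self.violation == "protect":
            # The page lists no trap, syslog or counter change for protect.
            return "drop"
        self.violation_count += 1
        self.events.append(("snmp-trap", src_mac))
        self.events.append(("syslog", src_mac))
        if self.violation == "shutdown":
            self.err_disabled = True
        return "drop"

    def reenable(self):
        """Stands in for errdisable recovery or shutdown / no shutdown."""
        self.err_disabled = False


def replay(violation, maximum, macs):
    """Feed a sequence of source MACs to a fresh port; return verdicts and the port."""
    port = SecurePort(maximum=maximum, violation=violation)
    return [port.receive(mac) for mac in macs], port


if __name__ == "__main__":
    # Constructed source addresses: two legitimate stations, one extra, then the first again.
    frames = ["0000.5e00.5301", "0000.5e00.5302", "0000.5e00.5303", "0000.5e00.5301"]
    for mode in MODES:
        verdicts, port = replay(mode, 2, frames)
        print(mode, verdicts, port.violation_count, port.err_disabled)
```

Under shutdown the fourth frame is dropped even though its address is secure, which is why a single unexpected station on a shutdown-mode port takes legitimate stations offline until the port is re-enabled.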
To set the aging time and type for secure address entries or to change the aging behavior for secure addresses on a particular port, use the switchport port-security aging interface configuration command. Use the no form of this command to disable port security aging or to set the parameters to their default states.
switchport port-security aging { static | time time | type { absolute | inactivity }}
no switchport port-security aging { static | time | type }
The port security aging feature is disabled. The default time is 0 minutes.
To enable secure address aging for a particular port, set the aging time to a value other than 0 for that port.
To allow limited time access to particular secure addresses, set the aging type as absolute. When the aging time lapses, the secure addresses are deleted.
To allow continuous access to a limited number of secure addresses, set the aging type as inactivity. This removes the secure address when it becomes inactive, and other addresses can become secure.
To allow unlimited access to a secure address, configure it as a secure address, and disable aging for the statically configured secure address by using the no switchport port-security aging static interface configuration command.
This example sets the aging time as 2 hours for absolute aging for all the secure addresses on the port:
This example sets the aging time as 2 minutes for inactivity aging type with aging enabled for configured secure addresses on the port:
This example shows how to disable aging for configured secure addresses:
| Command | Description |
|---|---|
| | Enables port security on a port, restricts the use of the port to a user-defined group of stations, and configures secure MAC addresses. |
To set a port priority for the incoming untagged frames or the priority of frames received by the IP phone connected to the specified port, use the switchport priority extend interface configuration command. Use the no form of this command to return to the default setting.
switchport priority extend { cos value | trust }
The default port priority is set to a CoS value of 0 for untagged frames received on the port.
When voice VLAN is enabled, you can configure the switch to send the Cisco Discovery Protocol (CDP) packets to instruct the IP phone how to send data packets from the device attached to the access port on the Cisco IP Phone. You must enable CDP on the switch port connected to the Cisco IP Phone to send the configuration to the Cisco IP Phone. (CDP is enabled by default globally and on all switch interfaces.)
You should configure voice VLAN on switch access ports. You can configure a voice VLAN only on Layer 2 ports.
Before you enable voice VLAN, we recommend that you enable quality of service (QoS) on the switch by entering the mls qos global configuration command and configure the port trust state to trust by entering the mls qos trust cos interface configuration command.
This example shows how to configure the IP phone connected to the specified port to trust the received IEEE 802.1p priority:
You can verify your settings by entering the show interfaces interface-id switchport privileged EXEC command.
| Command | Description |
|---|---|
| | Displays the administrative and operational status of a switching (nonrouting) port. |
To isolate unicast, multicast, and broadcast traffic at Layer 2 from other protected ports on the same switch, use the switchport protected interface configuration command. Use the no form of this command to disable protection on the port.
The switch port protection feature is local to the switch; communication between protected ports on the same switch is possible only through a Layer 3 device. To prevent communication between protected ports on different switches, you must configure the protected ports for unique VLANs on each switch and configure a trunk link between the switches. A protected port is different from a secure port.
A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port. Data traffic cannot be forwarded between protected ports at Layer 2; only control traffic, such as PIM packets, is forwarded because these packets are processed by the CPU and forwarded in software. All data traffic passing between protected ports must be forwarded through a Layer 3 device.
Port monitoring does not work if both the monitor and monitored ports are protected ports.
This example shows how to enable a protected port on an interface:
You can verify your settings by entering the show interfaces interface-id switchport privileged EXEC command.
| Command | Description |
|---|---|
| show interfaces switchport | Displays the administrative and operational status of a switching port, including port blocking and port protection settings. |
| | Prevents unknown multicast or unicast traffic on the interface. |
To set the trunk characteristics when the interface is in trunking mode, use the switchport trunk interface configuration command. Use the no form of this command to reset a trunking characteristic to the default.
switchport trunk { allowed vlan vlan-list | native vlan vlan-id | pruning vlan vlan-list }
no switchport trunk { allowed vlan | native vlan | pruning vlan }
The vlan-list format is all | none | [ add | remove | except ] vlan-atom [ , vlan-atom... ] where:
Note You can add extended-range VLANs to the allowed VLAN list, but not to the pruning-eligible VLAN list.
Separate nonconsecutive VLAN IDs with a comma; use a hyphen to designate a range of IDs.
Note You can remove extended-range VLANs from the allowed VLAN list, but you cannot remove them from the pruning-eligible list.
Separate nonconsecutive VLAN IDs with a comma; use a hyphen to designate a range of IDs.
This example shows how to configure VLAN 3 as the default for the port to send all untagged traffic:
This example shows how to add VLANs 1, 2, 5, and 6 to the allowed list:
This example shows how to remove VLANs 3 and 10 to 15 from the pruning-eligible list:
You can verify your settings by entering the show interfaces interface-id switchport privileged EXEC command.
| Command | Description |
|---|---|
| show interfaces switchport | Displays the administrative and operational status of a switching (nonrouting) port, including port blocking and port protection settings. |
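How a vlan-list argument changes the allowed or pruning-eligible VLAN set of a trunk, as an added Python sketch that is not part of the Cisco documentation. The function names are hypothetical, and the ID ranges (1 to 4094 for the allowed list, 2 to 1001 for the pruning-eligible list) are assumptions supplied for the example because the page does not list them.

```python
# Assumed VLAN ID ranges (not stated on the page).
ALLOWED_RANGE = (1, 4094)    # includes extended-range VLANs
PRUNING_RANGE = (2, 1001)    # extended-range VLANs cannot be pruning-eligible


def parse_atoms(text, lo, hi):
    """Expand 'a,b-c,...' into a set of VLAN IDs, rejecting IDs outside lo..hi."""
    vlans = set()
    for atom in text.split(","):
        first, sep, last = atom.strip().partition("-")
        if sep and not last:
            raise ValueError(f"incomplete range: {atom!r}")
        start = int(first)                  # ValueError on empty or non-numeric atoms
        end = int(last) if sep else start
        if start > end:
            raise ValueError(f"descending range: {atom!r}")
        if start < lo or end > hi:
            raise ValueError(f"VLAN {atom.strip()} outside {lo}-{hi}")
        vlans.update(range(start, end + 1))
    return vlans


def apply_vlan_list(current, spec, id_range=ALLOWED_RANGE):
    """Return the VLAN set after applying one vlan-list argument to `current`."""
    lo, hi = id_range
    everything = set(range(lo, hi + 1))
    words = spec.split(None, 1)
    if not words:
        raise ValueError("empty vlan-list")
    keyword = words[0].lower()
    if len(words) == 1 and keyword == "all":
        return everything
    if len(words) == 1 and keyword == "none":
        return set()
    if keyword in ("add", "remove", "except"):
        if len(words) != 2:
            raise ValueError(f"{keyword} needs at least one vlan-atom")
        atoms = parse_atoms(words[1], lo, hi)
        if keyword == "add":
            return set(current) | atoms
        if keyword == "remove":
            return set(current) - atoms
        return everything - atoms           # except: every VLAN but the listed ones
    return parse_atoms(spec, lo, hi)        # bare list replaces the current set


def compress(vlans):
    """Render a VLAN set in comma and hyphen notation."""
    ids, out, i = sorted(vlans), [], 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        out.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(out)


if __name__ == "__main__":
    # The two operations the page's examples describe, on constructed starting sets.
    print(compress(apply_vlan_list({10}, "add 1,2,5,6")))
    print(compress(apply_vlan_list(set(range(2, 1002)), "remove 3,10-15", PRUNING_RANGE)))
```

Computing the resulting set before a change makes it easy to confirm that a trunk carries only the VLANs it is meant to carry.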
To configure voice VLAN on the port, use the switchport voice vlan interface configuration command. Use the no form of this command to return to the default setting.
switchport voice vlan { vlan-id | dot1p | none | untagged }
The switch default is not to automatically configure the telephone (none).
You should configure voice VLAN on Layer 2 access ports.
You must enable Cisco Discovery Protocol (CDP) on the switch port connected to the Cisco IP phone for the switch to send configuration information to the phone. CDP is enabled by default globally and on the interface.
Before you enable voice VLAN, we recommend that you enable quality of service (QoS) on the switch by entering the mls qos global configuration command and configure the port trust state to trust by entering the mls qos trust cos interface configuration command.
When you enter a VLAN ID, the IP phone forwards voice traffic in IEEE 802.1X frames, tagged with the specified VLAN ID. The switch puts IEEE 802.1X voice traffic in the voice VLAN.
When you select dot1p, none, or untagged, the switch puts the indicated voice traffic in the access VLAN.
In all configurations, the voice traffic carries a Layer 2 IP precedence value. The default is 5 for voice traffic.
When you enable port security on an interface that is also configured with a voice VLAN, set the maximum allowed secure addresses on the port to two. When the port is connected to a Cisco IP phone, the IP phone requires one MAC address. The Cisco IP phone address is learned on the voice VLAN, but is not learned on the access VLAN. If you connect a single PC to the Cisco IP phone, no additional MAC addresses are required. If you connect more than one PC to the Cisco IP phone, you must configure enough secure addresses to allow one for each PC and one for the Cisco IP phone.
If any type of port security is enabled on the access VLAN, dynamic port security is automatically enabled on the voice VLAN.
You cannot configure static secure MAC addresses in the voice VLAN.
The Port Fast feature is automatically enabled when voice VLAN is configured. When you disable voice VLAN, the Port Fast feature is not automatically disabled.
This example shows how to configure VLAN 2 as the voice VLAN for the port:
You can verify your settings by entering the show interfaces interface-id switchport privileged EXEC command.
| Command | Description |
|---|---|
| show interfaces interface-id switchport | Displays the administrative and operational status of a switching (nonrouting) port. |
| | Decides how the device connected to the specified port handles priority traffic received on its incoming port. |
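Several rules stated in the switchport mode, switchport nonegotiate, switchport port-security and switchport voice vlan sections can be checked mechanically against a saved configuration. The following Python audit is an added example, not Cisco tooling: the running-config excerpt is constructed, and the finding codes and function names are hypothetical.

```python
import re

# Constructed running-config excerpt for the example (not from the page).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 switchport mode dynamic desirable
!
interface GigabitEthernet1/2
 switchport mode trunk
 switchport nonegotiate
 switchport port-security
 switchport port-security violation protect
!
interface FastEthernet1/1
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 2
 switchport port-security
!
interface FastEthernet1/2
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 2
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
!
interface FastEthernet1/3
 switchport mode access
"""

# Hypothetical finding codes, each tied to a statement in the reference text.
RULES = {
    "DTP_DYNAMIC": "dynamic auto/desirable lets the neighbor negotiate a trunk",
    "DTP_NOT_DISABLED": "access/trunk port still sends DTP (no switchport nonegotiate)",
    "NONEGOTIATE_INVALID": "switchport nonegotiate is valid only in access or trunk mode",
    "PROTECT_ON_TRUNK": "violation protect is not recommended on a trunk port",
    "VOICE_MAX_TOO_LOW": "port security with voice VLAN needs a maximum of at least 2",
}


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} in file order."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or any global command ends the block
    return interfaces


def first_match(cmds, pattern, default=None):
    """First capture group of the first sub-command that fully matches pattern."""
    for cmd in cmds:
        m = re.fullmatch(pattern, cmd)
        if m:
            return m.group(1)
    return default


def audit_interface(cmds):
    """Return the finding codes for one interface's sub-commands."""
    mode = first_match(cmds, r"switchport mode (.+)")
    nonegotiate = "switchport nonegotiate" in cmds
    port_security = "switchport port-security" in cmds
    voice = first_match(cmds, r"switchport voice vlan (.+)", "none") != "none"
    # Defaults stated on the page: maximum 1, violation mode shutdown.
    maximum = int(first_match(cmds, r"switchport port-security maximum (\d+)", "1"))
    violation = first_match(cmds, r"switchport port-security violation (.+)", "shutdown")

    codes = []
    if mode is not None and mode.startswith("dynamic"):
        codes.append("DTP_DYNAMIC")
    if nonegotiate and mode not in ("access", "trunk"):
        codes.append("NONEGOTIATE_INVALID")
    if mode in ("access", "trunk") and not nonegotiate:
        codes.append("DTP_NOT_DISABLED")
    if port_security and mode == "trunk" and violation == "protect":
        codes.append("PROTECT_ON_TRUNK")
    if port_security and voice and maximum < 2:
        codes.append("VOICE_MAX_TOO_LOW")
    return codes


def audit(config):
    """Return [(interface, code)] for every rule an interface breaks."""
    return [(name, code)
            for name, cmds in parse_interfaces(config).items()
            for code in audit_interface(cmds)]


if __name__ == "__main__":
    for name, code in audit(SAMPLE_CONFIG):
        print(f"{name}: {code}: {RULES[code]}")
```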
To copy flash images to destination flash systems, use the sync flash sdflash command in EXEC mode. This command copies the environment variable BOOT files to the destination flash environment variable with the source flash name being replaced by the destination flash name.
sync flash sdflash { ios-image-name | skip | save-old-files }
If no Cisco IOS image name is specified, the Cisco IOS image from the source flash BOOT environment variable is copied to the destination flash.
If the Cisco IOS image name is the same, then the image is also saved with the saved image name. If the source and destination paths have the same directory name, then the destination directory is saved as *-saved. All files in the saved directory stay the same. A new directory with the same name is created on the destination flash for the sync operation.
This example shows how to sync the Cisco IOS image from the SD flash to the on-board flash:
To set the maximum packet size or maximum transmission unit (MTU) size for Gigabit Ethernet ports, for routed ports, or for Fast Ethernet (10/100) ports, use the system mtu global configuration command. Use the no form of this command to restore the global MTU value to its default value.
system mtu { bytes | jumbo bytes | routing bytes }
The default MTU size for all ports is 1500 bytes. However, if you configure a different value for the system MTU, that configured value becomes the default MTU size for routed ports when it is applied following a switch reset.
When you use this command to change the system MTU or jumbo MTU size, you must reset the switch before the new configuration takes effect. The system mtu routing command does not require a switch reset to take effect.
The system MTU setting is saved in the switch environmental variable in NVRAM and becomes effective when the switch reloads. Unlike the system MTU routing configuration, the MTU settings you enter with the system mtu and system mtu jumbo commands are not saved in the switch Cisco IOS configuration file, even if you enter the copy running-config startup-config privileged EXEC command. Therefore, if you use TFTP to configure a new switch by using a backup configuration file and want the system MTU to be other than the default, you must explicitly configure the system mtu and system mtu jumbo settings on the new switch and then reload the switch.
Gigabit Ethernet ports operating at 1000 Mb/s are not affected by the system mtu command, and 10/100-Mb/s ports are not affected by the system mtu jumbo command.
You can use the system mtu routing command to configure the MTU size on routed ports.
Note You cannot configure a routing MTU size that exceeds the system MTU size. If you change the system MTU size to a value smaller than the currently configured routing MTU size, the configuration change is accepted, but not applied until the next switch reset. When the configuration change takes effect, the routing MTU size defaults to the new system MTU size.
If you enter a value that is outside the range for the specific type of switch, the value is not accepted.
Note The switch does not support setting the MTU on a per-interface basis.
The size of frames that can be received by the switch CPU is limited to 1998 bytes, regardless of the value entered with the system mtu command. Although forwarded or routed frames are usually not received by the CPU, some packets (for example, control traffic, SNMP, Telnet, and routing protocols) are sent to the CPU.
Because the switch does not fragment packets, it drops:
For example, if the system mtu value is 1998 bytes and the system mtu jumbo value is 5000 bytes, packets up to 5000 bytes can be received on interfaces operating at 1000 Mb/s. However, although a packet larger than 1998 bytes can be received on an interface operating at 1000 Mb/s, if its destination interface is operating at 10 or 100 Mb/s, the packet is dropped.
This example shows how to set the maximum jumbo packet size for Gigabit Ethernet ports operating at 1000 Mb/s or greater to 1800 bytes:
You can verify your setting by entering the show system mtu privileged EXEC command.
| Command | Description |
|---|---|
| | Displays the packet size set for Fast Ethernet, Gigabit Ethernet, and routed ports. |
To run the Time Domain Reflector (TDR) feature on an interface, use the test cable-diagnostics tdr command in Privileged EXEC mode.
test cable-diagnostics tdr interface interface-id
TDR is supported only on 10/100 and 10/100/1000 copper Ethernet ports. It is not supported on SFP module ports. For more information about TDR, see the software configuration guide for this release.
After you run TDR by using the test cable-diagnostics tdr interface interface-id command, use the show cable-diagnostics tdr interface interface-id privileged EXEC command to display the results.
This example shows how to run TDR on an interface:
If you enter the test cable-diagnostics tdr interface interface-id command on an interface that has a link status of up and a speed of 10 or 100 Mb/s, these messages appear:
To turn on or off the relay circuitry, use the test relay command in Privileged EXEC mode.
test relay { major | minor } { on | off }
You can use the test relay privileged EXEC command to verify relay circuitry connections to the alert devices. You can test alarm scanners without having to create an alarm condition.
This example shows how to turn on the major relay circuitry:
| Command | Description |
|---|---|
| | Displays all alarm profiles or a specified alarm profile and lists the interfaces to which each profile is attached. |
Use the traceroute mac command in Privileged EXEC mode to display the Layer 2 path taken by the packets from the specified source MAC address to the specified destination MAC address.
traceroute mac [ interface interface-id ] { source-mac-address } [ interface interface-id ] { destination-mac-address } [ vlan vlan-id ] [ detail ]
For Layer 2 traceroute to function properly, Cisco Discovery Protocol (CDP) must be enabled on all the switches in the network. Do not disable CDP.
When the switch detects a device in the Layer 2 path that does not support Layer 2 traceroute, the switch continues to send Layer 2 trace queries and lets them time out.
The maximum number of hops identified in the path is ten.
Layer 2 traceroute supports only unicast traffic. If you specify a multicast source or destination MAC address, the physical path is not identified, and an error message appears.
The traceroute mac command output shows the Layer 2 path when the specified source and destination addresses belong to the same VLAN. If you specify source and destination addresses that belong to different VLANs, the Layer 2 path is not identified, and an error message appears.
If the source or destination MAC address belongs to multiple VLANs, you must specify the VLAN to which both the source and destination MAC addresses belong. If the VLAN is not specified, the path is not identified, and an error message appears.
The Layer 2 traceroute feature is not supported when multiple devices are attached to one port through hubs (for example, multiple CDP neighbors are detected on a port). When more than one CDP neighbor is detected on a port, the Layer 2 path is not identified, and an error message appears.
This example shows how to display the Layer 2 path by specifying the source and destination MAC addresses:
This example shows how to display the Layer 2 path by using the detail keyword:
This example shows how to display the Layer 2 path by specifying the interfaces on the source and destination switches:
This example shows the Layer 2 path when the switch is not connected to the source switch:
This example shows the Layer 2 path when the switch cannot find the destination port for the source MAC address:
This example shows the Layer 2 path when the source and destination devices are in different VLANs:
This example shows the Layer 2 path when the destination MAC address is a multicast address:
This example shows the Layer 2 path when source and destination switches belong to multiple VLANs:
| Command | Description |
|---|---|
| | Displays the Layer 2 path taken by the packets from the specified source IP address or hostname to the specified destination IP address or hostname. |
To display the Layer 2 path taken by the packets from the specified source IP address or hostname to the specified destination IP address or hostname, use the traceroute mac ip command in Privileged EXEC mode.
traceroute mac ip { source-ip-address | source-hostname } { destination-ip-address | destination-hostname } [ detail ]
The IP address of the source switch as a 32-bit quantity in dotted-decimal format.

The IP address of the destination switch as a 32-bit quantity in dotted-decimal format.
For Layer 2 traceroute to function properly, Cisco Discovery Protocol (CDP) must be enabled on all the switches in the network. Do not disable CDP.
When the switch detects a device in the Layer 2 path that does not support Layer 2 traceroute, the switch continues to send Layer 2 trace queries and lets them time out.
The maximum number of hops identified in the path is ten.
The traceroute mac ip command output shows the Layer 2 path when the specified source and destination IP addresses are in the same subnet. When you specify the IP addresses, the switch uses Address Resolution Protocol (ARP) to associate the IP addresses with the corresponding MAC addresses and the VLAN IDs.
The Layer 2 traceroute feature is not supported when multiple devices are attached to one port through hubs (for example, multiple CDP neighbors are detected on a port). When more than one CDP neighbor is detected on a port, the Layer 2 path is not identified, and an error message appears.
This example shows how to display the Layer 2 path by specifying the source and destination IP addresses and by using the detail keyword:
This example shows how to display the Layer 2 path by specifying the source and destination hostnames:
This example shows the Layer 2 path when ARP cannot associate the source IP address with the corresponding MAC address:
| Command | Description |
|---|---|
| | Displays the Layer 2 path taken by the packets from the specified source MAC address to the specified destination MAC address. |
To define a trust state for traffic classified through the class policy-map configuration or the class-map global configuration command, use the trust policy-map class configuration command. Use the no form of this command to return to the default setting.
trust [ cos | dscp | ip-precedence ]
no trust [ cos | dscp | ip-precedence ]
The action is not trusted. If no keyword is specified when the command is entered, the default is dscp.
Policy-map class configuration
Use this command to distinguish the quality of service (QoS) trust behavior for certain traffic from other traffic. For example, incoming traffic with certain DSCP values can be trusted. You can configure a class map to match and trust the DSCP values in the incoming traffic.
Trust values set with this command supersede trust values set with the mls qos trust interface configuration command.
The trust command is mutually exclusive with the set policy-map class configuration command within the same policy map.
If you specify trust cos, QoS uses the received or default port CoS value and the CoS-to-DSCP map to generate a DSCP value for the packet.
If you specify trust dscp, QoS uses the DSCP value from the ingress packet. For non-IP packets that are tagged, QoS uses the received CoS value; for non-IP packets that are untagged, QoS uses the default port CoS value. In either case, the DSCP value for the packet is derived from the CoS-to-DSCP map.
If you specify trust ip-precedence, QoS uses the IP precedence value from the ingress packet and the IP-precedence-to-DSCP map. For non-IP packets that are tagged, QoS uses the received CoS value; for non-IP packets that are untagged, QoS uses the default port CoS value. In either case, the DSCP for the packet is derived from the CoS-to-DSCP map.
To return to policy-map configuration mode, use the exit command. To return to privileged EXEC mode, use the end command.
This example shows how to define a port trust state to trust incoming DSCP values for traffic classified with class1:
You can verify your settings by entering the show policy-map privileged EXEC command.
To enable aggressive or normal mode in the UniDirectional Link Detection (UDLD) and to set the configurable message timer time, use the udld global configuration command. Use the no form of the command to disable aggressive or normal mode UDLD on all fiber-optic ports.
udld { aggressive | enable | message time message-timer-interval }
no udld { aggressive | enable | message }
UDLD supports two modes of operation: normal (the default) and aggressive. In normal mode, UDLD detects unidirectional links due to misconnected interfaces on fiber-optic connections. In aggressive mode, UDLD also detects unidirectional links due to one-way traffic on fiber-optic and twisted-pair links and due to misconnected interfaces on fiber-optic links. For information about normal and aggressive modes, see the “Understanding UDLD” section in the software configuration guide for this release.
If you change the message time between probe packets, you are making a trade-off between the detection speed and the CPU load. By decreasing the time, you can make the detection-response faster but increase the load on the CPU.
This command affects fiber-optic interfaces only. Use the udld interface configuration command to enable UDLD on other interface types.
You can use these commands to reset an interface shut down by UDLD:
This example shows how to enable UDLD on all fiber-optic interfaces:
You can verify your setting by entering the show udld privileged EXEC command.
To enable UniDirectional Link Detection (UDLD) on an individual interface or to prevent a fiber-optic interface from being enabled by the udld global configuration command, use the udld port interface configuration command. Use the no form of this command to return to the udld global configuration command setting or to disable UDLD if entered for a nonfiber-optic port.
(Optional) Enables UDLD in aggressive mode on the specified interface. |
On fiber-optic interfaces, UDLD is not enabled, not in aggressive mode, and not disabled. For this reason, fiber-optic interfaces enable UDLD according to the state of the udld enable or udld aggressive global configuration command.
A UDLD-capable port cannot detect a unidirectional link if it is connected to a UDLD-incapable port of another switch.
UDLD supports two modes of operation: normal (the default) and aggressive. In normal mode, UDLD detects unidirectional links due to misconnected interfaces on fiber-optic connections. In aggressive mode, UDLD also detects unidirectional links due to one-way traffic on fiber-optic and twisted-pair links and due to misconnected interfaces on fiber-optic links. For information about normal and aggressive modes, see the “Configuring UDLD” chapter in the software configuration guide for this release.
To enable UDLD in normal mode, use the udld port interface configuration command. To enable UDLD in aggressive mode, use the udld port aggressive interface configuration command.
Use the no udld port command on fiber-optic ports to return control of UDLD to the udld enable global configuration command or to disable UDLD on nonfiber-optic ports.
Use the udld port aggressive command on fiber-optic ports to override the setting of the udld enable or udld aggressive global configuration command. Use the no form on fiber-optic ports to remove this setting and to return control of UDLD enabling to the udld global configuration command or to disable UDLD on nonfiber-optic ports.
You can use these commands to reset an interface shut down by UDLD:
This example shows how to enable UDLD on a port:
This example shows how to disable UDLD on a fiber-optic interface despite the setting of the udld global configuration command:
You can verify your settings by entering the show running-config or the show udld interface privileged EXEC command.
To reset all interfaces disabled by UniDirectional Link Detection (UDLD) and permit traffic to begin passing through them again (though other features, such as spanning tree, Port Aggregation Protocol (PAgP), and Dynamic Trunking Protocol (DTP) still have their normal effects, if enabled), use the udld reset command in privileged EXEC mode.
If the interface configuration is still enabled for UDLD, these ports begin to run UDLD again and are disabled for the same reason if the problem has not been corrected.
This example shows how to reset all interfaces disabled by UDLD:
You can verify your setting by entering the show udld privileged EXEC command.
To add a VLAN and to enter the VLAN configuration mode, use the vlan command in global configuration mode. Use the no form of this command to delete the VLAN.
ID of the VLAN to be added and configured. The range is 1 to 4094. You can enter a single VLAN ID, a series of VLAN IDs separated by commas, or a range of VLAN IDs separated by hyphens.
Configuration information for normal-range VLANs (VLAN IDs 1 to 1005) is always saved in the VLAN database. When you are using VLAN Trunking Protocol (VTP) version 3 or when VTP mode is transparent (VTP version 1 or 2), you can create extended-range VLANs (VLAN IDs greater than 1005). In VTP version 3, these VLANs are also saved in the VLAN database.
You use the vlan vlan-id global configuration command to add normal-range VLANs (VLAN IDs 1 to 1005) or extended-range VLANs (VLAN IDs 1006 to 4094). With VTP version 1 and version 2, before adding extended-range VLANs, you must use the vtp transparent global configuration command to put the switch in VTP transparent mode. With VTP version 1 and 2, extended-range VLANs are not learned by VTP and are not added to the VLAN database. When VTP mode is transparent, VTP mode and domain name and all VLAN configurations are saved in the running configuration, and you can save them in the switch startup configuration file.
VTP version 3 supports propagation of extended-range VLANs and you can create them in VTP server or client mode.
When you save the VLAN and VTP configurations in the startup configuration file and reboot the switch, the configuration is selected in these ways:
With VTP version 1 and version 2, if you try to create an extended-range VLAN when the switch is not in VTP transparent mode, the VLAN is rejected, and you receive an error message.
If you enter an invalid VLAN ID, you receive an error message and do not enter config-vlan mode.
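The VLAN ID rules above can be checked before a change is pushed to the switch. The following Python sketch is an added example, not Cisco code: the function names are hypothetical, and the tolerance for spaces and the rejection of descending ranges are choices of this sketch rather than documented switch behavior.

```python
import re

NORMAL_MAX = 1005   # normal-range VLAN IDs are 1 to 1005
VLAN_MAX = 4094     # extended-range VLAN IDs are 1006 to 4094


def parse_vlan_ids(spec):
    """Expand a string such as '10,20-22,1006' into a sorted list of VLAN IDs.

    Raises ValueError for a malformed item or an ID outside 1 to 4094.
    """
    ids = set()
    for item in spec.split(","):
        m = re.fullmatch(r"\s*(\d+)\s*(?:-\s*(\d+)\s*)?", item)
        if not m:
            raise ValueError(f"malformed VLAN list item: {item!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if low > high:
            # Assumption of this sketch: descending ranges are refused.
            raise ValueError(f"descending range: {item.strip()!r}")
        if low < 1 or high > VLAN_MAX:
            raise ValueError(f"VLAN ID outside 1-{VLAN_MAX}: {item.strip()!r}")
        ids.update(range(low, high + 1))
    return sorted(ids)


def precheck_vlan_create(spec, vtp_version, vtp_mode):
    """Return (accepted, rejected) VLAN IDs for a VTP version and mode.

    Normal-range IDs are always accepted. Extended-range IDs are accepted
    with VTP version 3, and with version 1 or 2 only in transparent mode,
    following the rule stated in the text above.
    """
    accepted, rejected = [], []
    for vid in parse_vlan_ids(spec):
        extended = vid > NORMAL_MAX
        if extended and vtp_version in (1, 2) and vtp_mode != "transparent":
            rejected.append(vid)
        else:
            accepted.append(vid)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed inputs: the same request under two VTP settings.
    print(precheck_vlan_create("100,1006-1007", 2, "server"))
    print(precheck_vlan_create("100,1006-1007", 2, "transparent"))
```
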
Entering the vlan command with a VLAN ID enables config-vlan mode. When you enter the VLAN ID of an existing VLAN, you do not create a new VLAN, but you can modify VLAN parameters for that VLAN. The specified VLANs are added or modified when you exit the config-vlan mode. Only the shutdown command (for VLANs 1 to 1005) takes effect immediately.
These configuration commands are available in config-vlan mode. The no form of each command returns the characteristic to its default state.
Note Although all commands are visible, the only VLAN configuration commands that are supported on extended-range VLANs are mtu mtu-size and remote-span. For extended-range VLANs, all other characteristics must remain at the default state.
– enable backup CRF mode for this VLAN.
– disable backup CRF mode for this VLAN (the default).
– srb (source-route bridging)
– srt (source-route transparent) bridging VLAN
Note The switch supports only Ethernet ports. You configure only FDDI and Token Ring media-specific characteristics for VLAN Trunking Protocol (VTP) global advertisements to other switches. These VLANs are locally suspended.
– ethernet is Ethernet media type (the default).
– fd-net is FDDI network entity title (NET) media type.
– tokenring is Token Ring media type if the VTP v2 mode is disabled, or TrCRF if the VTP Version 2 (v2) mode is enabled.
– tr-net is Token Ring network entity title (NET) media type if the VTP v2 mode is disabled or TrBRF media type if the VTP v2 mode is enabled.
– active means the VLAN is operational (the default).
– suspend means the VLAN is suspended. Suspended VLANs do not pass packets.
– ieee for IEEE Ethernet STP running source-route transparent (SRT) bridging.
– ibm for IBM STP running source-route bridging (SRB).
– auto for STP running a combination of source-route transparent bridging (IEEE) and source-route bridging (IBM).
Table 0-21 describes the rules for configuring VLANs.
This example shows how to add an Ethernet VLAN with default media characteristics. The default includes a vlan-name of VLANxxxx, where xxxx represents four numeric digits (including leading zeros) equal to the VLAN ID number. The default media option is ethernet; the state option is active. The default said-value variable is 100000 plus the VLAN ID; the mtu-size variable is 1500; the stp-type option is ieee. When you enter the exit config-vlan configuration command, the VLAN is added if it did not already exist; otherwise, this command does nothing.
This example shows how to create a new VLAN with all default characteristics and enter config-vlan mode:
This example shows how to create a new extended-range VLAN with all the default characteristics, to enter config-vlan mode, and to save the new VLAN in the switch startup configuration file:
You can verify your setting by entering the show vlan privileged EXEC command.
Displays the parameters for all configured VLANs or one VLAN (if the VLAN ID or name is specified) in the administrative domain.
To create or modify a VLAN map entry for VLAN packet filtering, use the vlan access-map global configuration command. This entry changes the mode to the VLAN access-map configuration. Use the no form of this command to delete a VLAN map entry. Use the vlan filter global configuration command to apply a VLAN map to one or more VLANs.
vlan access-map name [ number ]
no vlan access-map name [ number ]
There are no VLAN map entries and no VLAN maps applied to a VLAN.
In global configuration mode, use this command to create or modify a VLAN map. This entry changes the mode to VLAN access-map configuration, where you can use the match access-map configuration command to specify the access lists for IP or non-IP traffic to match and use the action command to set whether a match causes the packet to be forwarded or dropped.
In VLAN access-map configuration mode, these commands are available:
When you do not specify an entry number (sequence number), it is added to the end of the map.
There can be only one VLAN map per VLAN and it is applied as packets are received by a VLAN.
You can use the no vlan access-map name [ number ] command with a sequence number to delete a single entry.
In global configuration mode, use the vlan filter command to apply the map to one or more VLANs.
For more information about VLAN map entries, see the software configuration guide for this release.
This example shows how to create a VLAN map named vac1 and apply matching conditions and actions to it. If no other entries already exist in the map, this will be entry 10.
This example shows how to delete VLAN map vac1:
Sets the VLAN map to match packets against one or more access lists.
Displays information about a particular VLAN access map or all VLAN access maps.
To apply a VLAN map to one or more VLANs, use the vlan filter global configuration command. Use the no form of this command to remove the map.
vlan filter mapname vlan-list { list | all }
no vlan filter mapname vlan-list { list | all }
Note This command is available only when the switch is running the IP services image.
The list of one or more VLANs in the form tt, uu-vv, xx, yy-zz, where spaces around commas and dashes are optional. The range is 1 to 4094.
To avoid accidentally dropping too many packets and disabling connectivity in the middle of the configuration process, we recommend that you completely define the VLAN access map before applying it to a VLAN.
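The recommendation above can be enforced on a change script before it is pasted into the switch. This Python sketch is an added example, not Cisco code: the function name, the sample script, and the ACL names are constructed, and it assumes the script contains the complete definition of every map it applies.

```python
import re

# Constructed change script: the filter for map1 is applied while the map
# still has an entry to come, and map2 is never defined in the script.
SAMPLE_SCRIPT = """\
vlan access-map map1 10
 match ip address acl-web
 action forward
vlan filter map1 vlan-list 20,30
vlan access-map map1 20
 match ip address acl-any
 action drop
vlan filter map2 vlan-list 40
"""

MAP_RE = re.compile(r"^vlan access-map (\S+)(?: \d+)?$")
FILTER_RE = re.compile(r"^vlan filter (\S+) vlan-list ")


def lint_vlan_map_order(script):
    """Return (line, map name, issue) for filters applied too early.

    issue is 'early' when the map gains entries, match lines or action
    lines after the filter line, and 'undefined' when the script never
    defines the map. The no forms of both commands are ignored.
    """
    last_def = {}    # map name -> last line that defines part of the map
    filters = []     # (line number, map name) for each vlan filter line
    current = None   # map whose access-map configuration mode is active
    for lineno, raw in enumerate(script.splitlines(), start=1):
        line = raw.strip()
        m = MAP_RE.match(line)
        if m:
            current = m.group(1)
            last_def[current] = lineno
        elif current and line.split(" ")[0] in ("match", "action"):
            last_def[current] = lineno
        else:
            current = None   # any other command leaves access-map mode
            f = FILTER_RE.match(line)
            if f:
                filters.append((lineno, f.group(1)))
    findings = []
    for lineno, name in filters:
        if name not in last_def:
            findings.append((lineno, name, "undefined"))
        elif lineno < last_def[name]:
            findings.append((lineno, name, "early"))
    return findings


if __name__ == "__main__":
    for finding in lint_vlan_map_order(SAMPLE_SCRIPT):
        print(finding)
```
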
For more information about VLAN map entries, see the software configuration guide for this release.
This example applies VLAN map entry map1 to VLANs 20 and 30:
This example shows how to delete VLAN map entry mac1 from VLAN 20:
You can verify your settings by entering the show vlan filter privileged EXEC command.
Displays information about a particular VLAN access map or all VLAN access maps.
Displays information about all VLAN filters or about a particular VLAN or VLAN access map.
To immediately send VLAN Query Protocol (VQP) queries to reconfirm all dynamic VLAN assignments with the VLAN Membership Policy Server (VMPS), use the vmps reconfirm command in privileged EXEC mode.
This example shows how to immediately send VQP queries to the VMPS:
You can verify your setting by entering the show vmps privileged EXEC command and examining the VMPS Action row of the Reconfirmation Status section. The show vmps command shows the result of the last time the assignments were reconfirmed either because the reconfirmation timer expired or because the vmps reconfirm command was entered.
To change the reconfirmation interval for the VLAN Query Protocol (VQP) client, use the vmps reconfirm global configuration command. Use the no form of this command to return to the default setting.
Reconfirmation interval for VQP client queries to the VLAN Membership Policy Server (VMPS) to reconfirm dynamic VLAN assignments. The range is 1 to 120 minutes.
This example shows how to set the VQP client to reconfirm dynamic VLAN entries every 20 minutes:
You can verify your setting by entering the show vmps privileged EXEC command and examining information in the Reconfirm Interval row.
Sends VQP queries to reconfirm all dynamic VLAN assignments with the VMPS.
To configure the per-server retry count for the VLAN Query Protocol (VQP) client, use the vmps retry global configuration command. Use the no form of this command to return to the default setting.
Number of attempts to contact the VLAN Membership Policy Server (VMPS) by the client before querying the next server in the list. The range is 1 to 10.
This example shows how to set the retry count to 7:
You can verify your setting by entering the show vmps privileged EXEC command and examining information in the Server Retry Count row.
To configure the primary VLAN Membership Policy Server (VMPS) and up to three secondary servers, use the vmps server global configuration command. Use the no form of this command to remove a VMPS server.
vmps server ipaddress [ primary ]
The first server entered is automatically selected as the primary server whether or not primary is entered. The first server address can be overridden by using primary in a subsequent command.
If a member switch in a cluster configuration does not have an IP address, the cluster does not use the VMPS server configured for that member switch. Instead, the cluster uses the VMPS server on the command switch, and the command switch proxies the VMPS requests. The VMPS server treats the cluster as a single switch and uses the IP address of the command switch to respond to requests.
When using the no form without specifying the ipaddress value, all configured servers are deleted. If you delete all servers when dynamic-access ports are present, the switch cannot forward packets from new sources on these ports because it cannot query the VMPS.
This example shows how to configure the server with IP address 191.10.49.20 as the primary VMPS server. The servers with IP addresses 191.10.49.21 and 191.10.49.22 are configured as secondary servers:
This example shows how to delete the server with IP address 191.10.49.21:
You can verify your setting by entering the show vmps privileged EXEC command and examining information in the VMPS Domain Server row.
To set or modify the VLAN Trunking Protocol (VTP) configuration characteristics, use the vtp global configuration command. Use the no form of this command to remove the settings or to return to the default settings.
vtp { domain domain-name | file filename | interface name [ only ] | mode { client | off | server | transparent } [ mst | unknown | vlan ] | password password [ hidden | secret ] | pruning | version number }
no vtp { file | interface | mode [ client | off | server | transparent ] [ mst | unknown | vlan ] | password | pruning | version }
The default filename is flash:vlan.dat.
The default mode is server mode and the default database is VLAN.
In VTP version 3, for the MST database, the default mode is transparent.
When you save VTP mode, domain name, and VLAN configurations in the switch startup configuration file and reboot the switch, the VTP and VLAN configurations are selected by these conditions:
The vtp file filename cannot be used to load a new database; it renames only the file in which the existing database is stored.
Follow these guidelines when configuring a VTP domain name:
Follow these guidelines when setting VTP mode:
Follow these guidelines when setting a VTP password:
Follow these guidelines when setting VTP pruning:
Follow these guidelines when setting the VTP version:
You cannot save password, pruning, and version configurations in the switch configuration file.
This example shows how to rename the filename for VTP configuration storage to vtpfilename:
This example shows how to clear the device storage filename:
This example shows how to specify the name of the interface providing the VTP updater ID for this device:
This example shows how to set the administrative domain for the switch:
This example shows how to place the switch in VTP transparent mode:
This example shows how to configure the VTP domain password:
This example shows how to enable pruning in the VLAN database:
This example shows how to enable Version 2 mode in the VLAN database:
You can verify your settings by entering the show vtp status privileged EXEC command.
| Command | Description |
|---|---|
| show vtp status | Displays the VTP statistics for the switch and general information about the VTP management domain status. |
To enable the VLAN Trunking Protocol (VTP) on a per-port basis, use the vtp interface configuration command. Use the no form of this command to disable VTP on the interface.
Note This command is supported only when the switch is running the LAN Base image and VTP version 3.
This command is supported only on switches configured for VTP version 3.
This example shows how to enable VTP on an interface:
Globally configures VTP domain-name, password, pruning, version, and mode.
To configure a switch as the VLAN Trunking Protocol (VTP) primary server, use the vtp primary privileged EXEC command.
vtp primary [ mst | vlan ] [ force ]
There is no no form of the command.
Note This command is supported only when the switch is running the LAN Base image and VTP version 3.
Note Although visible in the command line help, the vtp {password password | pruning | version number} commands are not supported.
This command is supported only on switches configured for VTP version 3.
A VTP primary server updates the database information and sends updates that are honored by all devices in the system. A VTP secondary server can only back up the updated VTP configurations received from the primary server to NVRAM.
By default, all devices come up as secondary servers. Primary server status is needed only for database updates when the administrator issues a takeover message in the domain. You can have a working VTP domain without any primary servers.
Primary server status is lost if the device reloads or domain parameters change.
This example shows how to configure the switch as the primary VTP server for VLANs:
You can verify your settings by entering the show vtp status privileged EXEC command.
| Command | Description |
|---|---|
| show vtp status | Displays the VTP statistics for the switch and general information about the VTP management domain status. |
| | Configures the VTP filename, interface, domain name, mode, and version. |