The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
Use the aaa accounting dot1x global configuration command to enable authentication, authorization, and accounting (AAA) accounting and to create method lists defining specific accounting methods on a per-line or per-interface basis for IEEE 802.1x sessions. Use the no form of this command to disable IEEE 802.1x accounting.
aaa accounting dot1x { name | default} start-stop {broadcast group { name | radius | tacacs+ } [group { name | radius | tacacs+ }... ] | group { name | radius | tacacs+ } [ group { name | radius | tacacs+ } ... ]}
no aaa accounting dot1x { name | default }
This command requires access to a RADIUS server.
Note We recommend that you enter the dot1x reauthentication interface configuration command before configuring IEEE 802.1x RADIUS accounting on an interface.
This example shows how to configure IEEE 802.1x accounting:
Note The RADIUS authentication server must be properly configured to accept and log update or watchdog packets from the AAA client.
Specifies one or more AAA methods for use on interfaces running IEEE 802.1x. |
|
Enables the AAA access control model. For syntax information, see the Cisco IOS Security Command Reference, Release 12.2> Authentication, Authorization, and Accounting > Authentication Commands . |
|
dot1x timeout reauth period |
Sets the number of seconds between re-authentication attempts. |
Use the aaa authentication dot1x global configuration command to specify the authentication, authorization, and accounting (AAA) method to use on ports complying with IEEE 802.1x. Use the no form of this command to disable authentication.
aaa authentication dot1x { default } method1
no aaa authentication dot1x { default }
Use the listed authentication method that follows this argument as the default method when a user logs in. |
|
Enter the group radius keywords to use the list of all RADIUS servers for authentication. |
Note Though other keywords are visible in the command-line help strings, only the default and group radius keywords are supported.
The method argument identifies the method that the authentication algorithm tries in the given sequence to validate the password provided by the client. The only method that is truly IEEE 802.1x-compliant is the group radius method, in which the client data is validated against a RADIUS authentication server.
If you specify group radius , you must configure the RADIUS server by entering the radius-server host global configuration command.
Use the show running-config privileged EXEC command to display the configured lists of authentication methods.
This example shows how to enable AAA and how to create an IEEE 802.1x-compliant authentication list. This authentication first tries to contact a RADIUS server. If this action returns an error, the user is not allowed access to the network.
You can verify your settings by entering the show running-config privileged EXEC command.
Enables the AAA access control model. For syntax information, see the Cisco IOS Security Command Reference, Release 12.2 > Authentication, Authorization, and Accounting > Authentication Commands . |
|
Displays the operating configuration. For syntax information, use this link to the Cisco IOS Release 12.2 Command Reference listing page:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/prod_command_reference_list.html
|
Use the action access-map configuration command to set the action for the VLAN access map entry. Use the no form of this command to set the action to the default value, which is to forward.
You enter access-map configuration mode by using the vlan access-map global configuration command.
If the action is drop, you should define the access map, including configuring any access control list (ACL) names in match clauses, before applying the map to a VLAN, or all packets could be dropped.
In access-map configuration mode, use the match access-map configuration command to define the match conditions for a VLAN map. Use the action command to set the action that occurs when a packet matches the conditions.
The drop and forward parameters are not used in the no form of the command.
This example shows how to identify and apply a VLAN access map vmap4 to VLANs 5 and 6 that causes the VLAN to forward an IP packet if the packet matches the conditions defined in access list al2 :
You can verify your settings by entering the show vlan access-map privileged EXEC command.
Use the alarm-contact global configuration command to configure triggers and severity levels for external alarms. Use the no form of this command to remove the configuration.
alarm-contact { contact-number { description string | severity { critical | major | minor } | trigger { closed | open }} | all { severity { critical | major | minor } | trigger { closed | open }}
no alarm-contact { contact-number { description | severity | trigger } | all { severity | trigger }
The no alarm-contact contact-number description sets the description to an empty string.
The no alarm-contact { contact-number | all } severity sets the alarm-contact severity to minor.
The no alarm-contact { contact-number | all } trigger sets the external alarm-contact trigger to closed.
This example shows how to configure alarm contact number 1 to report a critical alarm when the contact is open.
You can verify your settings by entering the show env alarm-contact or the show running-config privileged EXEC command.
This example shows how to configure clear alarm contact number 1 and the show command outputs.
show env alarm-contact |
Use the archive download-sw privileged EXEC command to download a new image from a TFTP server to the switch and to overwrite or keep the existing image.
archive download-sw { /force-reload | /imageonly | /leave-old-sw | /no-set-boot | /no-version-check | /overwrite | /reload | /safe } source-url
The current software image is not overwritten with the downloaded image.
Both the software image and HTML files are downloaded.
The new image is downloaded to the flash: file system.
The BOOT environment variable is changed to point to the new software image on the flash: file system.
Image names are case sensitive; the image file is provided in tar format.
Compatibility of the version on the image to be downloaded is checked.
The /imageonly option removes the HTML files for the existing image if the existing image is being removed or replaced. Only the Cisco IOS image (without the HTML files) is downloaded.
Using the /safe or /leave-old-sw option can cause the new image download to fail if there is insufficient flash memory. If leaving the software in place prevents the new image from fitting in flash memory due to space constraints, an error results.
If you used the /leave-old-sw option and did not overwrite the old image when you downloaded the new one, you can remove the old image by using the delete privileged EXEC command. For more information, see the “delete” section.
Note Use the /no-version-check option with care. This option allows an image to be downloaded without first confirming that it is not incompatible with the switch.
Use the /overwrite option to overwrite the image on the flash device with the downloaded one.
If you specify the command without the /overwrite option, the download algorithm verifies that the new image is not the same as the one on the switch flash device. If the images are the same, the download does not occur. If the images are different, the old image is deleted, and the new one is downloaded.
After downloading a new image, enter the reload privileged EXEC command to begin using the new image, or specify the /reload or /force-reload option in the archive download-sw command.
This example shows how to download a new image from a TFTP server at 172.20.129.10 and overwrite the image on the switch:
This example shows how to download only the software image from a TFTP server at 172.20.129.10 to the switch:
This example shows how to keep the old software version after a successful download:
Use the archive tar privileged EXEC command to create a tar file, list files in a tar file, or extract the files from a tar file.
archive tar { /create destination-url flash:/ file-url } | { /table source-url } | { /xtract source-url flash:/ file-url [ dir / file... ]}
This example shows how to create a tar file. The command writes the contents of the new-configs directory on the local flash device to a file named saved.tar on the TFTP server at 172.20.10.30:
This example shows how to display the contents of the file that is in flash memory. The contents of the tar file appear on the screen:
This example shows how to display only the html directory and its contents:
This example shows how to extract the contents of a tar file on the TFTP server at 172.20.10.30. This command extracts just the new-configs directory into the root directory on the local flash file system. The remaining files in the saved.tar file are ignored.
Use the archive upload-sw privileged EXEC command to upload an existing switch image to a server.
archive upload-sw [ /version version_string ] destination-url
Use the upload feature only if the HTML files associated with the embedded device manager have been installed with the existing image.
The files are uploaded in this sequence: the Cisco IOS image, the HTML files, and info. After these files are uploaded, the software creates the tar file.
This example shows how to upload the currently running image to a TFTP server at 172.20.140.2:
Use the arp access-list global configuration command to define an Address Resolution Protocol (ARP) access control list (ACL) or to add clauses to the end of a previously defined list. Use the no form of this command to delete the specified ARP access list.
After entering the arp access-list command, you enter ARP access-list configuration mode, and these configuration commands are available:
Use the permit and deny access-list configuration commands to forward and to drop ARP packets based on the specified matching criteria.
When the ARP ACL is defined, you can apply it to a VLAN by using the ip arp inspection filter vlan global configuration command. ARP packets containing only IP-to-MAC address bindings are compared to the ACL. All other types of packets are bridged in the ingress VLAN without validation. If the ACL permits a packet, the switch forwards it. If the ACL denies a packet because of an explicit deny statement, the switch drops the packet. If the ACL denies a packet because of an implicit deny statement, the switch compares the packet to the list of DHCP bindings (unless the ACL is static , which means that packets are not compared to the bindings).
This example shows how to define an ARP access list and to permit both ARP requests and ARP responses from a host with an IP address of 1.1.1.1 and a MAC address of 0000.0000.abcd:
You can verify your settings by entering the show arp access-list privileged EXEC command.
Use the bandwidth policy-map class configuration command to configure class-based weighted fair queuing (CBWFQ) by setting the output bandwidth for a policy-map class. Use the no form of this command to remove the bandwidth setting for the class.
bandwidth { rate | percent value | remaining percent value }
no bandwidth [ rate | percent value | remaining percent value ]
Policy-map class configuration
You use the bandwidth policy-map class command to control output traffic. The bandwidth command specifies the bandwidth for traffic in that class. CBWFQ derives the weight for packets belonging to the class from the bandwidth allocated to the class and uses the weight to ensure that the queue for that class is serviced fairly. Bandwidth settings are not supported in input policy maps.
When you configure bandwidth for a class of traffic as an absolute rate (kbps) or a percentage of bandwidth ( percent value) , it represents the minimum bandwidth guarantee or committed information rate (CIR) for that traffic class. This means that the traffic class gets at least the bandwidth specified in the command, but is not limited to that bandwidth. Any excess bandwidth on the port is allocated to each class in the same ratio as the configured CIR rates.
When you enter the bandwidth remaining percent command, hard bandwidths are not guaranteed, and only relative bandwidths are assured. Class bandwidths are always proportional to the specified bandwidth percentages configured for the port.
When you configure bandwidth in an output policy, you must specify the same units in each bandwidth configuration; that is, all absolute values (rates) or percentages.
The total rate of the minimum bandwidth guarantees for each queue of the policy cannot exceed the total speed for the interface. If the percent keyword is used, the sum of the class bandwidth percentages cannot exceed 100 percent.
Using the queue-limit command to modify the default queue limit is especially important on higher-speed interfaces so that they meet the minimum bandwidth guarantees required by the interface.
You cannot use the bandwidth policy-map class configuration command to configure CBWFQ and the shape average command to configure class-based shaping for the same class in a policy map.
You cannot configure bandwidth in a class that includes priority queuing (configured with the priority policy-map class configuration command).
This example shows how to set the precedence of output queues by setting bandwidth in kilobits per second. The classes outclass1 , outclass2 , and outclass3 get a minimum of 50000, 20000, and 10000 kbps. The class class-default at a minimum gets the remaining bandwidth.
This example shows how to set the precedence of output queues by allocating percentages of the total available bandwidth to each traffic class.The classes outclass1 , outclass2 , and outclass3 get a minimum of 50, 20, and 10 percent. The class class-default at a minimum gets 20 percent.
This example shows how to set outclass1 as a priority queue, with outclass2 , and outclass3 getting 50 and 20 percent, respectively, of the bandwidth remaining after the priority queue is serviced. The class class-default gets the remaining 30 percent with no guarantees.
You can verify your settings by entering the show policy-map privileged EXEC command.
Use the boot buffersize global configuration command to configure the NVRAM size. Use the no form of this command to return to the default.
The default NVRAM buffer size is 512 KB. In some cases, the configuration file might be too large to save to NVRAM. You can configure the size of the NVRAM buffer to support larger configuration files.
After you configure the NVRAM buffer size, reload the switch.
Use the boot config-file global configuration command to specify the filename that Cisco IOS uses to read and write a nonvolatile copy of the system configuration. Use the no form of this command to return to the default setting.
Filenames and directory names are case sensitive.
This command changes the setting of the CONFIG_FILE environment variable. For more information, see Appendix A, “Cisco ME 3400E Ethernet Access Switch Boot Loader Commands.”
Use the boot enable-break global configuration command to enable interrupting the automatic boot process. Use the no form of this command to return to the default setting.
When you enter this command, you can interrupt the automatic boot process by pressing the break key on the console after the flash file system is initialized. The break key is different for each operating system:
This command changes the setting of the ENABLE_BREAK environment variable. For more information, see Appendix A, “Cisco ME 3400E Ethernet Access Switch Boot Loader Commands.”
Use the boot helper global configuration command to dynamically load files during boot loader initialization to extend or patch the functionality of the boot loader. Use the no form of this command to return to the default.
This variable is used only for internal development and testing.
Filenames and directory names are case sensitive.
This command changes the setting of the HELPER environment variable. For more information, see Appendix A, “Cisco ME 3400E Ethernet Access Switch Boot Loader Commands.”
Use the boot helper-config-file global configuration command to specify the name of the configuration file to be used by the Cisco IOS helper image. If this is not set, the file specified by the CONFIG_FILE environment variable is used by all versions of Cisco IOS that are loaded. Use the no form of this command to return to the default setting.
This variable is used only for internal development and testing.
Filenames and directory names are case sensitive.
This command changes the setting of the HELPER_CONFIG_FILE environment variable. For more information, see Appendix A, “Cisco ME 3400E Ethernet Access Switch Boot Loader Commands.”
Use the boot manual global configuration command to enable manually booting the switch during the next boot cycle. Use the no form of this command to return to the default setting.
The next time you reboot the system, the switch is in boot loader mode, which is shown by the switch: prompt. To boot the system, use the boot boot loader command, and specify the name of the bootable image.
This command changes the setting of the MANUAL_BOOT environment variable. For more information, see Appendix A, “Cisco ME 3400E Ethernet Access Switch Boot Loader Commands.”
Use the boot private-config-file global configuration command to specify the filename that Cisco IOS uses to read and write a nonvolatile copy of the private configuration. Use the no form of this command to return to the default setting.
This example shows how to specify the name of the private configuration file to be pconfig :
Use the boot system global configuration command to specify the Cisco IOS image to load during the next boot cycle. Use the no form of this command to return to the default setting.
boot system filesystem:/file-url ...
The switch attempts to automatically boot the system by using information in the BOOT environment variable. If this variable is not set, the switch attempts to load and execute the first executable image it can by performing a recursive, depth-first search throughout the flash file system. In a depth-first search of a directory, each encountered subdirectory is completely searched before continuing the search in the original directory.
Filenames and directory names are case sensitive.
If you are using the archive download-sw privileged EXEC command to maintain system images, you never need to use the boot system command. The boot system command is automatically manipulated to load the downloaded image.
This command changes the setting of the BOOT environment variable. For more information, see Appendix A, “Cisco ME 3400E Ethernet Access Switch Boot Loader Commands.”
Use the channel-group interface configuration command to assign an Ethernet port to an EtherChannel group. Use the no form of this command to remove an Ethernet port from an EtherChannel group.
channel-group channel -group-number mode { active | { auto [ non-silent ] | desirable [ non-silent ] | on } | passive }
PAgP modes:
channel-group
channel
-group-number
mode
{
auto
[
non-silent
] | {
desirable
[
non-silent
]}
LACP modes:
channel-group
channel
-group-number
mode {active | passive}
On mode:
channel-group
channel
-group-number
mode on
Note Link Aggregation Control Protocol (LACP.) and Port Aggregation Protocol (PAgP) are available only on network node interfaces (NNIs) or enhanced network interfaces (ENIs). The active, auto, desirable, and passive keywords are not visible on user network interfaces (UNIs).
For Layer 2 EtherChannels, you do not have to create a port-channel interface first by using the interface port-channel global configuration command before assigning a physical port to a channel group. Instead, you can use the channel-group interface configuration command. It automatically creates the port-channel interface when the channel group gets its first physical port if the logical interface is not already created. If you create the port-channel interface first, the channel-group-number can be the same as the port - channel-number, or you can use a new number. If you use a new number, the channel-group command dynamically creates a new port channel.
If the port is a UNI or an ENI, you must use the no shutdown interface configuration command to enable it before using the channel-group command. UNIs and ENIs are disabled by default. NNIs are enabled by default.
You do not have to disable the IP address that is assigned to a physical port that is part of a channel group, but we strongly recommend that you do so.
You create Layer 3 port channels by using the interface port-channel command followed by the no switchport interface configuration command. You should manually configure the port-channel logical interface before putting the interface into the channel group.
After you configure an EtherChannel, configuration changes that you make on the port-channel interface apply to all the physical ports assigned to the port-channel interface. Configuration changes applied to the physical port affect only the port where you apply the configuration. To change the parameters of all ports in an EtherChannel, apply configuration commands to the port-channel interface, for example, spanning-tree commands or commands to configure a Layer 2 EtherChannel as a trunk.
If you do not specify non-silent with the auto or desirable mode, silent is assumed. The silent mode is used when the switch is connected to a device that is not PAgP-capable and seldom, if ever, sends packets. A example of a silent partner is a file server or a packet analyzer that is not generating traffic. In this case, running PAgP on a physical port prevents that port from ever becoming operational. However, it allows PAgP to operate, to attach the port to a channel group, and to use the port for transmission. Both ends of the link cannot be set to silent.
In the on mode, an EtherChannel exists only when a port group in the on mode is connected to another port group in the on mode.
Do not configure an EtherChannel in both the PAgP and LACP modes. EtherChannel groups running PAgP and LACP can coexist on the same switch. Individual EtherChannel groups can run either PAgP or LACP, but they cannot interoperate.
Note PAgP and LACP are available only on NNIs and ENIs.
If you set the protocol by using the channel-protocol interface configuration command, the setting is not overridden by the channel-group interface configuration command.
Do not configure a port that is an active or a not-yet-active member of an EtherChannel as an IEEE 802.1x port. If you try to enable IEEE 802.1x on an EtherChannel port, an error message appears, and IEEE 802.1x is not enabled.
Do not configure a secure port as part of an EtherChannel or an EtherChannel port as a secure port.
For a complete list of configuration guidelines, see the “Configuring EtherChannels” chapter in the software configuration guide for this release.
This example shows how to configure an EtherChannel. It assigns two static-access ports in VLAN 10 to channel 5 with the PAgP mode desirable :
This example shows how to configure an EtherChannel. It assigns two static-access ports in VLAN 10 to channel 5 with the LACP mode active :
You can verify your settings by entering the show running-config privileged EXEC command.
Displays the operating configuration. For syntax information, use this link to the Cisco IOS Release 12.2 Command Reference listing page:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/prod_command_reference_list.html
|
Use the channel-protocol interface configuration command to restrict the protocol used on a port to manage channeling. Use the no form of this command to return to the default setting.
Use the channel-protocol command only to restrict a channel to LACP or PAgP. If you set the protocol by using the channel-protocol command, the setting is not overridden by the channel-group interface configuration command.
Note PAgP and LACP are available only on network node interfaces (NNIs) and enhanced network interfaces (ENIs).
If the port is a user network interface (UNI) or an ENI, you must use the no shutdown interface configuration command to enable it before using the channel-protocol command. UNIs and ENIs are disabled by default. NNIs are enabled by default.
You must use the channel-group interface configuration command to configure the EtherChannel parameters. The channel-group command also can set the mode for the EtherChannel.
You cannot enable both the PAgP and LACP modes on an EtherChannel group.
PAgP and LACP are not compatible; both ends of a channel must use the same protocol.
This example shows how to specify LACP as the protocol that manages the EtherChannel:
You can verify your settings by entering the show etherchannel [ channel-group-number ] protocol privileged EXEC command.
show etherchannel protocol |
Use the class policy-map configuration command to specify the name of the class whose policy you want to create or to change or to specify the system default class before you configure a policy and to enter policy-map class configuration mode. Use the no form of this command to remove the class from a policy map.
class { class-map-name| class-default }
Before using the class class-map-name command in policy-map configuration mode, you must create the class by using the class-map class-map-name global configuration command. The class class-default is the class to which traffic is directed if that traffic does not match any of the match criteria in the configured class maps.
Use the policy-map global configuration command to identify the policy map and to enter policy-map configuration mode. After specifying a policy map, you can configure a policy for new classes or modify a policy for any existing classes in that policy map.
An input policy map can have a maximum of 64 classes, plus class-default .
You attach the policy map to a port by using the service-policy interface configuration command.
After entering the class command, you enter policy-map class configuration mode, and these configuration commands are available:
To return to policy-map configuration mode, use the exit command. To return to privileged EXEC mode, use the end command.
This example shows how to create a policy map called policy1, define a class class1 , and enter policy-map class configuration mode to set a criterion for the class.
You can verify your settings by entering the show policy-map privileged EXEC command.
Creates a class map to be used for matching packets to the class whose name you specify. |
|
Creates or modifies a policy map that can be attached to multiple ports to specify a service policy. |
|
show policy-map interface [ interface-id ] |
Displays policy maps configured on the specified interface or on all interfaces. |
Use the class-map global configuration command to create a class map to be used for matching packets to a specified criteria and to enter class-map configuration mode. Use the no form of this command to delete an existing class map.
class-map [ match-all | match-any ] class-map-name
Use this command to specify the name of the class for which you want to create or to modify class-map match criteria and to enter class-map configuration mode.
The switch supports a maximum of 1024 unique class maps.
You use the class-map command and class-map configuration mode to define packet classification as part of a globally named service policy applied on a per-port basis. When you configure a class map, you can use one or more match commands to specify match criteria. Packets arriving at either the input or output interface (determined by how you configure the service-policy interface configuration command) are checked against the class-map match criteria to determine if the packet belongs to that class.
A match-all class map means that the packet must match all entries and can have no other match statements.
After you are in class-map configuration mode, these configuration commands are available:
This example shows how to configure the class map called class1. By default, the class map is match-all and therefore can contain no other match criteria.
This example shows how to configure a match-any class map with one match criterion, which is an access list called 103. This class map (matching an ACL) is supported only in an input policy map.
This example shows how to delete the class map cla ss1:
You can verify your settings by entering the show class-map privileged EXEC command.
Use the clear ip arp inspection log privileged EXEC command to clear the dynamic Address Resolution Protocol (ARP) inspection log buffer.
This example shows how to clear the contents of the log buffer:
You can verify that the log was cleared by entering the show ip arp inspection log privileged command.
Use the clear ip arp inspection statistics privileged EXEC command to clear the dynamic Address Resolution Protocol (ARP) inspection statistics.
This example shows how to clear the statistics for VLAN 1:
You can verify that the statistics were deleted by entering the show ip arp inspection statistics vlan 1 privileged EXEC command.
show ip arp inspection statistics |
Displays statistics for forwarded, dropped, MAC validation failure, and IP validation failure packets for all VLANs or the specified VLAN. |
Use the clear ip dhcp snooping privileged EXEC command to clear the DHCP binding database agent statistics or the DHCP snooping statistics counters.
clear ip dhcp snooping { binding {* | ip-address | interface interface-id | vlan vlan-id } | database statistics | statistics }
When you enter the clear ip dhcp snooping database statistics command, the switch does not update the entries in the binding database and in the binding file before clearing the statistics.
This example shows how to clear the DHCP snooping binding database agent statistics:
You can verify that the statistics were cleared by entering the show ip dhcp snooping database privileged EXEC command.
This example shows how to clear the DHCP snooping statistics counters:
You can verify that the statistics were cleared by entering the show ip dhcp snooping statistics user EXEC command.
Use the clear ipc privileged EXEC command to clear Interprocess Communications Protocol (IPC) statistics.
You can clear all statistics by using the clear ipc statistics command, or you can clear only the queue statistics by using the clear ipc queue-statistics command.
This example shows how to clear all statistics:
This example shows how to clear only the queue statistics:
You can verify that the statistics were deleted by entering the show ipc rpc or the show ipc session privileged EXEC command.
show ipc { rpc | session } |
Use the clear ipv6 dhcp conflict privileged EXEC command to clear an address conflict from the Dynamic Host Configuration Protocol for IPv6 (DHCPv6) server database.
clear ipv6 dhcp conflict {* | IPv6-address}
Note This command is available only if the switch is running the metro IP access image and you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 { default | routing | vlan } global configuration command, and reload the switch.
When you configure the DHCPv6 server to detect conflicts, it uses ping. The client uses neighbor discovery to detect clients and reports to the server through a DECLINE message. If an address conflict is detected, the address is removed from the pool and is not assigned until the administrator removes the address from the conflict list.
If you use the asterisk (*) character as the address parameter, DHCP clears all conflicts.
Use the clear l2protocol-tunnel counters privileged EXEC command to clear the protocol counters in protocol tunnel ports.
clear l2protocol-tunnel counters [ interface-id ]
This command is supported only when the switch is running the metro IP access or metro access image.
Use this command to clear protocol tunnel counters on the switch or on the specified interface.
Use the clear lacp privileged EXEC command to clear Link Aggregation Control Protocol (LACP) channel-group counters.
clear lacp { channel-group-number counters | counters }
Note LACP is available only on network node interfaces (NNIs) and enhanced network interfaces (ENIs).
You can clear all counters by using the clear lacp counters command, or you can clear only the counters for the specified channel group by using the clear lacp channel-group-number counters command.
This example shows how to clear all channel-group information:
This example shows how to clear LACP traffic counters for group 4:
You can verify that the information was deleted by entering the show lacp counters or the show lacp 4 counters privileged EXEC command.
Use the clear logging onboard privileged EXEC command to clear all the on-board failure logging (OBFL) data except for the uptime and CLI-command information stored in the flash memory.
We recommend that you keep OBFL enabled and do not clear the data stored in the flash memory.
These examples show how to clear all the OBFL information except for the uptime and CLI-command information:
You can verify that the information was cleared by entering the show logging onboard onboard privileged EXEC command.
Use the clear mac address-table privileged EXEC command to delete from the MAC address table a specific dynamic address, all dynamic addresses on a particular interface, or all dynamic addresses on a particular VLAN. This command also clears the MAC address notification global counters.
clear mac address-table { dynamic [ address mac-addr | interface interface-id | vlan vlan-id ] | notification }
This example shows how to remove a specific MAC address from the dynamic address table:
You can verify that the information was deleted by entering the show mac address-table privileged EXEC command.
Use the clear mac address-table move update privileged EXEC command to clear the mac address-table-move update-related counters.
clear mac address-table move update
This command is supported only when the switch is running the metro IP access or metro access image.
This example shows how to clear the mac address-table move update related counters.
You can verify that the information was cleared by entering the show mac address-table move update privileged EXEC command.
Use the clear pagp privileged EXEC command to clear Port Aggregation Protocol (PAgP) channel-group information.
clear pagp { channel-group-number counters | counters }
Note PAgP is available only on network node interfaces (NNIs) enhanced network interfaces (ENIs).
You can clear all counters by using the clear pagp counters command, or you can clear only the counters for the specified channel group by using the clear pagp channel-group-number counters command.
This example shows how to clear all channel-group information:
This example shows how to clear PAgP traffic counters for group 10:
You can verify that information was deleted by entering the show pagp privileged EXEC command.
Use the clear policer cpu uni-eni counters privileged EXEC command to clear control-plane policer statistics. The control-plane policer drops or rate-limits control packets from user network interfaces (UNIs) and enhanced network interfaces (ENIs) to protect the CPU from overload.
clear policer cpu uni-eni counters { classification | drop }
You can use this command to clear statistics maintained per feature or statistics about dropped frames.
You can enter the show platform policer cpu classification or show policer cpu uni drop command to view feature statistics or dropped frames before and after you use the clear command.
show platform policer cpu classification |
|
Use the clear port-security privileged EXEC command to delete from the MAC address table all secure addresses or all secure addresses of a specific type (configured, dynamic, or sticky) on the switch or on an interface.
clear port-security { all | configured | dynamic | sticky } [[ address mac-addr | interface interface-id ] [ vlan { vlan-id | {access | voice}}]]
This example shows how to clear all secure addresses from the MAC address table:
This example shows how to remove a specific configured secure address from the MAC address table:
This example shows how to remove all the dynamic secure addresses learned on a specific interface:
This example shows how to remove all the dynamic secure addresses from the address table:
You can verify that the information was deleted by entering the show port-security privileged EXEC command.
switchport port-security mac-address mac-address |
|
switchport port-security maximum value |
Configures a maximum number of secure MAC addresses on a secure interface. |
Displays the port security settings defined for an interface or for the switch. |
Use the clear rep counters privileged EXEC command to clear Resilient Ethernet Protocol (REP) counters for the specified interface or all interfaces.
You can clear all REP counters by using the clear rep counters command, or you can clear only the counters for the interface by using the clear rep counters interface interface-id command.
When you enter the clear rep counters command, only the counters visible in the output of the show interface rep detail command are cleared. SNMP visible counters are not cleared as they are read-only.
This example shows how to clear all REP counters for all REP interfaces:
You can verify that REP information was deleted by entering the show interfaces rep detail privileged EXEC command.
show interfaces rep detail |
Use the clear spanning-tree counters privileged EXEC command to clear the spanning-tree counters.
clear spanning-tree counters [ interface interface-id ]
If the interface-id is not specified, spanning-tree counters are cleared for all STP ports.
Use the clear spanning-tree detected-protocols privileged EXEC command to restart the protocol migration process (force the renegotiation with neighboring switches) on all spanning-tree interfaces or on the specified interface.
clear spanning-tree detected-protocols [ interface interface-id ]
A switch running the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol or the Multiple Spanning Tree Protocol (MSTP) supports a built-in protocol migration mechanism that enables it to interoperate with legacy IEEE 802.1D switches. If a rapid-PVST+ switch or an MSTP switch receives a legacy IEEE 802.1D configuration bridge protocol data unit (BPDU) with the protocol version set to 0, it sends only IEEE 802.1D BPDUs on that port. A multiple spanning-tree (MST) switch can also detect that a port is at the boundary of a region when it receives a legacy BPDU, an MST BPDU (Version 3) associated with a different region, or a rapid spanning-tree (RST) BPDU (Version 2).
However, the switch does not automatically revert to the rapid-PVST+ or the MSTP mode if it no longer receives IEEE 802.1D BPDUs. It cannot learn whether the legacy switch has been removed from the link unless the legacy switch is the designated switch. Use the clear spanning-tree detected-protocols command in this situation.
Use the clear vmps statistics privileged EXEC command to clear the statistics maintained by the VLAN Query Protocol (VQP) client.
This example shows how to clear VLAN Membership Policy Server (VMPS) statistics:
You can verify that information was deleted by entering the show vmps statistics privileged EXEC command.
Use the conform-action policy-map class police configuration command to set multiple actions for a policy-map class for packets that conform to the committed information rate (CIR) or peak information rate (PIR) by having a rate less than the conform burst. Use the no form of this command to cancel the action or to return to the default action.
conform-action { drop | set-cos-transmit { new-cos-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-dscp-transmit { new-dscp-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-prec-transmit { new-precedence-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-qos-transmit qos-group-value | transmit ]}
no conform-action { drop | set-cos-transmit { new-cos-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-dscp-transmit { new-dscp-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-prec-transmit { new-precedence-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-qos-transmit qos-group-value | transmit ]}
Policy-map class police configuration
You configure conform actions for packets when the packet rate is less than the configured conform burst.
If the conform action is set to drop , the exceed and violate actions are automatically set to drop .
You can configure conform-action marking by using enhanced packet marking to modify a QoS marking based on any incoming QoS marking and table maps. The switch also supports simultaneously marking multiple QoS parameters for the same class and configuring conform-action, exceed-action, and violate-action marking.
Access policy-map class police configuration mode by entering the police policy-map class command. See the police policy-map class configuration command for more information.
Use this command to set one or more conform actions for a traffic class.
This example shows how configure multiple conform actions in a policy map that sets a committed information rate of 23000 bits per second (bps) and a conform burst rate of 10000 bps. The policy map includes multiple conform actions (for DSCP and for Layer 2 CoS) and an exceed action.
You can verify your settings by entering the show policy-map privileged EXEC command.
Use the copy logging onboard module privileged EXEC command to copy on-board failure logging (OBFL) data to the local network or a specific file system.
copy logging onboard module [ slot-number ] destination
For information about OBFL, see the hw-module module logging onboard global configuration command.
This example shows how to copy the OBFL data messages to the obfl_file file on the flash file system:
Use the cpu traffic qos cos command in global configuration mode to configure quality of service (QoS) marking based on class of service (CoS) for control plane traffic. To return to the default value, use the no form of this command.
cpu traffic qos cos { cos_value | cos [table-map table-map-name ] | dscp [table-map table-map-name ] | precedence [table-map table-map-name ]}
no cpu traffic qos cos { cos_value | cos [table-map table-map-name ] | dscp [table-map table-map-name ] | precedence [table-map table-map-name ]}
Configure any desired table-maps before configuring marking or queuing of CPU traffic.
This feature must be configured globally for a switch; it cannot be configured per-port or per-protocol.
Enter each cpu traffic qos marking action on a separate line.
The cpu traffic qos cos global configuration command configures CoS marking for CPU-generated traffic by using either a specific CoS value or a table map, but not both. A new configuration overwrites the existing configuration.
When the cpu traffic qos cos global configuration command is configured with table maps, you can configure two map from values at a time—CoS and either DSCP or precedence.
If the cpu traffic qos cos global configuration command is configured with only a map from value of IP-DSCP or IP-precedence:
If the cpu traffic qos cos global configuration command is configured with a map from value of CoS:
If the cpu traffic qos cos global configuration command is configured with a map from value of DSCP or precedence and CoS:
This example shows how to mark the CoS of CPU-generated IP traffic (including IP-SLA and TWAMP) based on the DSCP value in the packet and to configure egress queuing based on the CoS value.
The sample configuration has these results:
Use the cpu traffic qos dscp command in global configuration mode to configure quality of service (QoS) marking based on a differentiated services code point (DSCP) value for control plane traffic. To return to the default value, use the no form of this command.
cpu traffic qos dscp { dscp_value | cos [table-map table-map-name ] | dscp [table-map table-map-name ] | precedence [table-map table-map-name ]}
no cpu traffic qos dscp { dscp_value | cos [table-map table-map-name ] | dscp [table-map table-map-name ] | precedence [table-map table-map-name ]}
This feature must be configured globally for a switch; it cannot be configured per-port or per-protocol.
Enter each cpu traffic qos marking action on a separate line.
The cpu traffic qos dscp global configuration command configures IP-DSCP marking for CPU-generated IP traffic by using either a specific DSCP value or a table map, but not both. A new configuration overwrites the existing configuration.
The cpu traffic qos dscp and cpu traffic qos precedence global configuration commands are mutually exclusive. A new configuration overwrites the existing configuration.
When the cpu traffic qos dscp global configuration command is configured with table maps, you can configure only one map from value at a time—DSCP, precedence, or CoS. A new configuration overwrites the existing configuration. Packets marked by this command can be classified and queued by an output policy map based on the marked DSCP or precedence value.
You cannot configure a map from value of both DSCP and precedence. A new configuration overwrites the existing configuration.
This example shows how to configure egress queuing based on the DSCP value of CPU-generated IP packets.
The sample configuration has these results:
The example has these results:
Use the cpu traffic qos precedence command in global configuration mode to configure quality of service (QoS) marking for control plane traffic. To return to the default value, use the no form of this command.
cpu traffic qos precedence { precedence_value | cos [ table-map table-map-name ] | dscp [ table-map table-map-name ] | precedence [ table-map table-map-name ]}
no cpu traffic qos precedence { precedence_value | cos [ table-map table-map-name ] | dscp [ table-map table-map-name ] | precedence [ table-map table-map-name ]}
This feature must be configured globally for a switch; it cannot be configured per-port or per-protocol.
Enter each cpu traffic qos marking action on a separate line.
The cpu traffic qos dscp and cpu traffic qos precedence global configuration commands are mutually exclusive. A new configuration overwrites the existing configuration.
When the cpu traffic qos precedence global configuration command is configured with table maps, you can configure only one map from value at a time—DSCP, precedence, or CoS. A new configuration overwrites the existing configuration. Packets marked by this command can be classified and queued by an output policy map based on the marked precedence or DSCP value.
You cannot configure a map from value of both DSCP and precedence. A new configuration overwrites the existing configuration.
The following example shows how to mark the precedence based on the DSCP value in the packet and configure egress queuing based on the precedence value.
The example has these results:
Use the cpu traffic qos qos-group command in global configuration mode to map all CPU-generated traffic to a single class in the output policy-maps without changing the class of service (CoS), IP differentiated services code point (DSCP), or IP-precedence packet markings. To return to the default settings, use the no form of this command.
This feature must be configured globally for a switch; it cannot be configured per-port or per-protocol.
Enter each cpu traffic qos marking action on a separate line.
The cpu traffic qos qos-group global configuration command can be used to configure QoS group marking for CPU-generated traffic only for a specific QoS group. The table-map option is not available.
The following example shows how to mark all the CPU-generated traffic with a QoS-group and configure egress queuing based on that QoS-group.
Use the define interface-range global configuration command to create an interface-range macro. Use the no form of this command to delete the defined macro.
define interface-range macro-name interface-range
The macro name is a 32-character maximum character string.
A macro can contain up to five ranges.
All interfaces in a range must be the same type; that is, all Fast Ethernet ports, all Gigabit Ethernet ports, all EtherChannel ports, or all VLANs, but you can combine multiple interface types in a macro.
When entering the interface-range , use this format:
Valid values for type and interface :
VLAN interfaces must have been configured with the interface vlan command (the show running-config privileged EXEC command displays the configured VLAN interfaces). VLAN interfaces not displayed by the show running-config command cannot be used in interface-ranges.
When you define a range, you must enter a space before the hyphen (-), for example:
You can also enter multiple ranges. When you define multiple ranges, you must enter a space after the first entry before the comma (,). The space after the comma is optional, for example:
Displays the operating configuration. For syntax information, use this link to the Cisco IOS Release 12.2 Command Reference listing page:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/prod_command_reference_list.html
|
Use the delete privileged EXEC command to delete a file or directory on the flash memory device.
If you use the /force keyword, you are prompted once at the beginning of the deletion process to confirm the deletion.
If you use the /recursive keyword without the /force keyword, you are prompted to confirm the deletion of every file.
The prompting behavior depends on the setting of the file prompt global configuration command. By default, the switch prompts for confirmation on destructive file operations. For more information about this command, see the Cisco IOS Command Reference for Release 12.1 .
This example shows how to remove the directory that contains the old software image after a successful download of a new image:
You can verify that the directory was removed by entering the dir filesystem : privileged EXEC command.
Use the deny Address Resolution Protocol (ARP) access-list configuration command to deny an ARP packet based on matches against the DHCP bindings. Use the no form of this command to remove the specified access control entry (ACE) from the access list.
deny {[ request ] ip { any | host sender-ip | sender-ip sender-ip-mask } mac { any | host sender-mac | sender-mac sender-mac-mask } | response ip { any | host sender-ip | sender-ip sender-ip-mask } [{ any | host target-ip | target-ip target-ip-mask }] mac { any | host sender-mac | sender-mac sender-mac-mask } [{ any | host target-mac | target-mac target-mac-mask }]} [ log ]
no deny {[ request ] ip { any | host sender-ip | sender-ip sender-ip-mask } mac { any | host sender-mac | sender-mac sender-mac-mask } | response ip { any | host sender-ip | sender-ip sender-ip-mask } [{ any | host target-ip | target-ip target-ip-mask }] mac { any | host sender-mac | sender-mac sender-mac-mask } [{ any | host target-mac | target-mac target-mac-mask }]} [ log ]
This example shows how to define an ARP access list and to deny both ARP requests and ARP responses from a host with an IP address of 1.1.1.1 and a MAC address of 0000.0000.abcd:
You can verify your settings by entering the show arp access-list privileged EXEC command.
Use the deny command in IPv6 access list configuration mode to set deny conditions for an IPv6 access list. Use the no form of this command to remove the deny conditions.
deny { protocol } { source-ipv6-prefix / prefix-length | any | host source-ipv6-address } [ operator [ port-number ]] { destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address } [ operator [ port-number ]] [ dscp value ] [ fragments ] [ log ] [ log-input ] [ routing ] [ sequence value ] [ time-range name ]
no deny { protocol } { source-ipv6-prefix / prefix-length | any | host source-ipv6-address } [ operator [ port-number ]] { destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address } [ operator [ port-number ]] [ dscp value ] [ fragments ] [ log ] [ log-input ] [ routing ] [ sequence value ] [ time-range name ]
Internet Control Message Protocol
deny icmp { source-ipv6-prefix / prefix-length | any | host source-ipv6-address } [ operator [ port-number ]] { destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address } [ operator [ port-number ]] [ icmp-type [ icmp-code ] | icmp-message ] [ dscp value ] [ log ] [ log-input ] [ routing ] [ sequence value ] [ time-range name ]
deny tcp { source-ipv6-prefix / prefix-length | any | host source-ipv6-address } [ operator [ port-number ]] { destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address } [ operator [ port-number ]] [ ack ] [ dscp value ] [ established ] [ fin ] [ log ] [ log-input ] [ neq { port | protocol }] [ psh ] [ range { port | protocol }] [ rst ] [ routing ] [ sequence value ] [ syn ] [ time-range name ] [ urg ]
deny udp { source-ipv6-prefix / prefix-length | any | host source-ipv6-address } [ operator [ port-number ]] { destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address } [ operator [ port-number ]] [ dscp value ] [ log ] [ log-input ] [ neq { port | protocol }] [ range { port | protocol }] [ routing ] [ sequence value ] [ time-range name ]
Note This command is available only if the switch is running the metro IP access image and you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
Note Although visible in the command-line help strings, the flow-label, routing, and undetermined-transport keywords are not supported.
IPv6 access list configuration
The deny (IPv6 access-list configuration mode) command is similar to the deny (IPv4 access-list configuration mode) command, but it is IPv6-specific.
Use the deny (IPv6) command after the ipv6 access-list command to enter IPv6 access list configuration mode and to define the conditions under which a packet passes the access list.
Specifying IPv6 for the protocol argument matches the IPv6 header of the packet.
By default, the first statement in an access list is number 10, and the subsequent statements are numbered in increments of 10.
You can add permit , deny , or remark statements to an existing access list without re-entering the entire list. To add a new statement somewhere other than at the end of the list, create a new statement with an appropriate entry number between two existing entry numbers to show where it belongs.
Note Every IPv6 ACL has implicit permit icmp any any nd-na, permit icmp any any nd-ns, and deny ipv6 any any statements as its last match conditions. The two permit conditions allow ICMPv6 neighbor discovery. To disallow ICMPv6 neighbor discovery and to deny icmp any any nd-na or icmp any any nd-ns, there must be an explicit deny entry in the ACL. For the three implicit statements to take effect, an IPv6 ACL must contain at least one entry.
The IPv6 neighbor discovery process uses the IPv6 network layer service. Therefore, by default, IPv6 ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface. In IPv4, the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery process, uses a separate data-link layer protocol. Therefore, by default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.
Both the source-ipv6-prefix / prefix-length and destination-ipv6-prefix / prefix-length arguments are used for traffic filtering. (The source prefix filters traffic based upon its source; the destination prefix filters traffic based upon its destination.)
The switch supports IPv6 address matching for a full range of prefix lengths.
The fragments keyword is an option only if the protocol is ipv6 and the operator [ port-number ] arguments are not specified.
This is a list of ICMP message names:
This example configures the IPv6 access list named CISCO and applies the access list to outbound traffic on a Layer 3 interface. The first deny entry prevents all packets that have a destination TCP port number greater than 5000 from leaving the interface. The second deny entry prevents all packets that have a source UDP port number less than 5000 from leaving the interface. The second deny also logs all matches to the console. The first permit entry permits all ICMP packets to leave the interface. The second permit entry permits all other traffic to leave the interface. The second permit entry is necessary because an implicit deny-all condition is at the end of each IPv6 access list.
Use the deny MAC access-list configuration command to prevent non-IP traffic from being forwarded if the conditions are matched. Use the no form of this command to remove a deny condition from the named MAC access list.
{ deny | permit } { any | host src-MAC-addr | src-MAC-addr mask } { any | host dst-MAC-addr | dst-MAC-addr mask } [ type mask | aarp | amber | cos cos | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | lsap lsap mask |mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp ]
no { deny | permit } { any | host src-MAC-addr | src-MAC-addr mask } { any | host dst-MAC-addr | dst-MAC-addr mask } [ type mask | aarp | amber | cos cos | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | lsap lsap mask | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp ]
Note Though visible in the command-line help strings, appletalk is not supported as a matching condition.
To filter IPX traffic, you use the type mask or lsap lsap mask keywords, depending on the type of IPX encapsulation being used. Filter criteria for IPX encapsulation types as specified in Novell terminology and Cisco IOS terminology are listed in Table 2-1 .
You enter MAC-access list configuration mode by using the mac access-list extended global configuration command.
If you use the host keyword, you cannot enter an address mask; if you do not use the host keyword, you must enter an address mask.
When an access control entry (ACE) is added to an access control list, an implied deny - any - any condition exists at the end of the list. That is, if there are no matches, the packets are denied. However, before the first ACE is added, the list permits all packets.
Note For more information about named MAC extended access lists, see the software configuration guide for this release.
This example shows how to define the named MAC extended access list to deny NETBIOS traffic from any source to MAC address 00c0.00a0.03fa. Traffic matching this list is denied.
This example shows how to remove the deny condition from the named MAC extended access list:
This example denies all packets with Ethertype 0x4321:
You can verify your settings by entering the show access-lists privileged EXEC command.
Use the diagnostic monitor global configuration command to configure health-monitoring diagnostic testing. Use the no form of this command to disable testing and to return to the default settings.
diagnostic monitor interval test { name | test-id | test-id-range | all } hh:mm:ss milliseconds day
diagnostic monitor test { name | test-id | test-id-range | all }
diagnostic monitor threshold test { name | test-id | test-id-range | all } failure count count
no diagnostic monitor interval test { name | test-id | test-id-range | all }
no diagnostic monitor test { name | test-id | test-id-range | all }
no diagnostic monitor threshold test { name | test-id | test-id-range | all } failure coun t count
Specify the test name. To display the test names in the test-ID list, enter the show diagnostic content privileged EXEC command. |
|
Specify the ID number of the test. The range is from 1 to 6. To display the test numbers in the test-ID list, enter the show diagnostic content privileged EXEC command. |
|
Specify more than one test with the range of test ID numbers. Enter the range as integers separated by a comma and a hyphen (for example, 1,3-6 specifies test IDs 1, 3, 4, 5, and 6). To display the test numbers in the test-ID list, enter the show diagnostic content privileged EXEC command. |
|
Configure the monitoring interval in hours, minutes, and seconds. |
|
Configure the monitoring interval (test time) in milliseconds (ms). The range is from 0 to 999 ms. |
|
Configure the monitoring interval in the number of days between tests. The range is from 0 to 20 days. |
|
Enable the generation of a syslog message when a health-monitoring test fails. |
|
Set the failure threshold count. The range for count is from 0 to 99. |
Use the diagnostic schedule test global configuration command to configure the diagnostic test schedule. Use the no form of this command to remove the schedule.
diagnostic schedule test { name | test-id | test-id-range | all | basic | non-disruptive } { daily hh : mm | on mm dd yyyy hh : mm | weekly day-of-week hh : mm }
no diagnostic schedule test { name | test-id | test-id-range | all | basic | non-disruptive } { daily hh : mm | on mm dd yyyy hh : mm | weekly day-of-week hh : mm }
Specify the name of the test. To display the test names in the test-ID list, enter the show diagnostic content privileged EXEC command. |
|
Specify the ID number of the test. The range is from 1 to 6. To display the test numbers in the test-ID list, enter the show diagnostic content privileged EXEC command. |
|
Specify more than one test with the range of test ID numbers. Enter the range as integers separated by a comma and a hyphen (for example, 1,3-6 specifies test IDs 1, 3, 4, 5, and 6). To display the test numbers in the test-ID list, enter the show diagnostic content privileged EXEC command. |
|
Specify the daily scheduling of the diagnostic tests. hh : mm— Enter the time as a 2-digit number (for a 24-hour clock) for hours:minutes; the colon ( : ) is required, such as 12:30. |
|
Specify the scheduling of the diagnostic tests on a specific day and time. |
|
Specify the weekly scheduling of the diagnostic tests. day-of-week— Spell out the day of the week, such as Monday, Tuesday, and so on, with upper-case or lower-case characters. |
This example how to schedule diagnostic testing for a specific day and time:
This example shows how to schedule diagnostic testing to occur weekly at a specific time:
Use the diagnostic start test privileged EXEC command to run an online diagnostic test.
diagnostic start test { name | test-id | test-id-range | all | basic | non-disruptive }
Specify the name of the test. To display the test names in the test-ID list, enter the show diagnostic content privileged EXEC command. |
|
Specify the ID number of the test. The range is from 1 to 6. To display the test numbers in the test-ID list, enter the show diagnostic content privileged EXEC command. |
|
Specify more than one test with the range of test ID numbers. Enter the range as integers separated by a comma and a hyphen (for example, 1,3-6 specifies test IDs 1, 3, 4, 5, and 6). To display the test numbers in the test-ID list, enter the show diagnostic content privileged EXEC command. |
|
After you start the tests by using the diagnostic start command, you cannot stop the testing process.
The switch supports these tests:
To identify a test name, use the show diagnostic content privileged EXEC command to display the test ID list. To specify test 3 by using the test name, enter the diagnostic start switch number test TestPortAsicCam privileged EXEC command.
To specify more than one test, use the test-id-range parameter, and enter integers separated by a comma and a hyphen. For example, to specify tests 2, 3, and 4, enter the diagnostic start test 2-4 comman d. To specify tests 1, 3, 4, 5, and 6, enter the diagnostic start test 1,3-6 comman d.
This example shows how to start diagnostic test 1:
This example shows how to start diagnostic test 2. Running this test disrupts the normal system operation and then reloads the switch.
Use the dot1x default interface configuration command to reset the configurable IEEE 802.1x parameters to their default values.
This example shows how to reset the configurable IEEE 802.1x parameters on a port:
You can verify your settings by entering the show dot1x [ interface interface-id ] privileged EXEC command.
show dot1x [ interface interface-id ] |
Use the dot1x host-mode interface configuration command to allow a single host (client) or multiple hosts on an IEEE 802.1x-authorized port that has the dot1x port-control interface configuration command set to auto . Use the no form of this command to return to the default setting.
dot1x host-mode { multi-host | single-host }
no dot1x host-mode [ multi-host | single-host ]
Note Although visible in the command-line interface help, the multi-domain keyword is not supported.
Use this command to limit an IEEE 802.1x-enabled port to a single client or to attach multiple clients to an IEEE 802.1x-enabled port. In multiple-hosts mode, only one of the attached hosts must be successfully authorized for all hosts to be granted network access. If the port becomes unauthorized (re-authentication fails or an Extensible Authentication Protocol over LAN [EAPOL]-logoff message is received), all attached clients are denied access to the network.
Before entering this command, make sure that the dot1x port-control interface configuration command is set to auto for the specified port.
The dot1x host-mode multi-domain interface configuration command is not supported on the switch. Configuring this command on an interface causes the interface to go into the error-disabled state.
This example shows how to enable IEEE 802.1x globally, to enable IEEE 802.1x on a port, and to enable multiple-hosts mode:
You can verify your settings by entering the show dot1x [ interface interface-id ] privileged EXEC command.
show dot1x [ interface interface-id ] |
Use the dot1x initialize privileged EXEC command to manually return the specified IEEE 802.1x-enabled port to an unauthorized state before initiating a new authentication session on the port.
Use this command to initialize the IEEE 802.1x state machines and to set up a fresh environment for authentication. After you enter this command, the port status becomes unauthorized.
This example shows how to manually initialize a port:
You can verify the unauthorized port status by entering the show dot1x [ interface interface-id ] privileged EXEC command.
show dot1x [ interface interface-id ] |
Use the dot1x max-reauth-req interface configuration command to set the maximum number of times that the switch restarts the authentication process before a port transitions to the unauthorized state. Use the no form of this command to return to the default setting.
You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.
This example shows how to set 4 as the number of times that the switch restarts the authentication process before the port transitions to the unauthorized state:
You can verify your settings by entering the show dot1x [ interface interface-id ] privileged EXEC command.
Sets the maximum number of times that the switch forwards an EAP frame (assuming that no response is received) to the authentication server before restarting the authentication process. |
|
dot1x timeout tx-period |
Sets the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request. |
show dot1x [ interface interface-id ] |
Use the dot1x max-req interface configuration command to set the maximum number of times that the switch sends an Extensible Authentication Protocol (EAP) frame from the authentication server (assuming that no response is received) to the client before restarting the authentication process. Use the no form of this command to return to the default setting.
You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.
This example shows how to set 5 as the number of times that the switch sends an EAP frame from the authentication server before restarting the authentication process:
You can verify your settings by entering the show dot1x [ interface interface-id ] privileged EXEC command.
dot1x timeout tx-period |
Sets the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request. |
show dot1x [ interface interface-id ] |
Use the dot1x port-control interface configuration command to enable manual control of the authorization state of the port. Use the no form of this command to return to the default setting.
dot1x port-control { auto | force-authorized | force-unauthorized }
You must globally enable IEEE 802.1x on the switch by using the dot1x system-auth-control global configuration command before enabling IEEE 802.1x on a specific port.
The IEEE 802.1x protocol is supported on Layer 2 static-access ports and Layer 3 routed ports.
You can use the auto keyword only if the port is not configured as one of these:
To globally disable IEEE 802.1x on the switch, use the no dot1x system-auth-control global configuration command. To disable IEEE 802.1x on a specific port, use the no dot1x port-control interface configuration command.
This example shows how to enable IEEE 802.1x on a port:
You can verify your settings by entering the show dot1x [ interface interface-id ] privileged EXEC command.
show dot1x [ interface interface-id ] |
Use the dot1x re-authenticate privileged EXEC command to manually initiate a re-authentication of the specified IEEE 802.1x-enabled port.
Use the dot1x reauthentication interface configuration command to enable periodic re-authentication of the client. Use the no form of this command to return to the default setting.
You configure the amount of time between periodic re-authentication attempts by using the dot1x timeout reauth-period interface configuration command.
This example shows how to disable periodic re-authentication of the client:
This example shows how to enable periodic re-authentication and to set the number of seconds between re-authentication attempts to 4000 seconds:
You can verify your settings by entering the show dot1x [ interface interface-id ] privileged EXEC command.
dot1x timeout reauth-period |
Sets the number of seconds between re-authentication attempts. |
show dot1x [ interface interface-id ] |
Use the dot1x supplicant force-multicast global configuration command to force a supplicant switch to send only multicast Extensible Authentication Protocol over LAN (EAPOL) packets whenever it receives multicast or unicast EAPOL packets. Use the no form of this command to return to the default setting.
Enable this command on the supplicant switch for Network Edge Access Topology (NEAT) to work in all host modes.
This example shows how force a supplicant switch to send multicast EAPOL packets to authenticator switch:
Use the dot1x system-auth-control global configuration command to globally enable IEEE 802.1x. Use the no form of this command to return to the default setting.
You must enable authentication, authorization, and accounting (AAA) and specify the authentication method list before globally enabling IEEE 802.1x. A method list describes the sequence and authentication methods to be queried to authenticate a user.
Before globally enabling IEEE 802.1x on a switch, remove the EtherChannel configuration from the interfaces on which IEEE 802.1x and EtherChannel are configured.
This example shows how to globally enable IEEE 802.1x on a switch:
You can verify your settings by entering the show dot1x [ interface interface-id ] privileged EXEC command.
Enables manual control of the authorization state of the port. |
|
show dot1x [ interface interface-id ] |
Use the dot1x test eapol-capable privileged EXEC command to monitor IEEE 802.1x activity on all the switch ports and to display information about the devices that are connected to the ports that support IEEE 802.1x.
Use this command to test the IEEE 802.1x capability of the devices connected to all ports or to specific ports on a switch.
This example shows how to enable the IEEE 802.1x readiness check on a switch to query a port. It also shows the response received from the queried port verifying that the device connected to it is IEEE 802.1x-capable:
dot1x test timeout timeout |
Configures the timeout used to wait for EAPOL response to an IEEE 802.1x readiness query. |
Use the dot1x test timeout global configuration command to configure the timeout used to wait for EAPOL response from a port being queried for IEEE 802.1x readiness.
This example shows how to configure the switch to wait 27 seconds for an EAPOL response:
You can verify the timeout configuration status by entering the show run privileged EXEC command.
dot1x test eapol-capable [ interface interface-id ] |
Checks for IEEE 802.1x readiness on devices connected to all or to specified IEEE 802.1x-capable ports. |
Use the dot1x timeout interface configuration command to set IEEE 802.1x timers. Use the no form of this command to return to the default setting.
dot1x timeout { quiet-period seconds | reauth-period seconds | server-timeout seconds | supp-timeout seconds | tx-period seconds }
no dot1x timeout { quiet-period | reauth-period | server-timeout | supp-timeout | tx-period }
You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.
The dot1x timeout reauth-period interface configuration command affects the behavior of the switch only if you have enabled periodic re-authentication by using the dot1x reauthentication interface configuration command.
During the quiet period, the switch does not accept or initiate any authentication requests. If you want to provide a faster response time to the user, enter a number smaller than the default.
This example shows how to enable periodic re-authentication and to set 4000 as the number of seconds between re-authentication attempts:
This example shows how to set 30 seconds as the quiet time on the switch:
This example shows how to set 45 seconds as the switch-to-authentication server retransmission time:
This example shows how to set 45 seconds as the switch-to-client retransmission time for the EAP request frame:
This example shows how to set 60 as the number of seconds to wait for a response to an EAP-request/identity frame from the client before re-transmitting the request:
You can verify your settings by entering the show dot1x privileged EXEC command.
Use the dot1x violation-mode interface configuration command to configure the violation modes that occur when a new device connects to a port or when a new device connects to a port after the maximum number of devices are connected to that port.
This example shows how to configure an IEEE 802.1x-enabled port as error disabled and to shut down when a new device connects to the port:
This example shows how to configure an IEEE 802.1x-enabled port to generate a system error message and change the port to restricted mode when a new device connects to the port:
This example shows how to configure an IEEE 802.1x-enabled port to ignore a new connected device when it is connected to the port:
You can verify your settings by entering the show dot1x [ interface interface-id ] privileged EXEC command.
show dot1x [ interface interface-id ] |
Use the duplex interface configuration command to specify the duplex mode of operation for a port. Use the no form of this command to return the port to its default value.
This command is only available when a 1000BASE-T SFP module or a 100BASE-FX MMF SFP module is in the SFP module slot. All other SFP modules operate only in full-duplex mode.
When a 1000BASE-T SFP module is in the SFP module slot, you can configure duplex mode to auto or full .
When a 100BASE-FX MMF SFP module is in the SFP module slot, you can configure duplex mode to half or full . Although the auto keyword is available, it puts the interface in half-duplex mode (the default) because the 100BASE-FX MMF SFP module does not support autonegotiation.
Certain ports can be configured to be either full duplex or half duplex. Applicability of this command depends on the device to which the switch is attached.
For Fast Ethernet ports, setting the port to auto has the same effect as specifying half if the attached device does not autonegotiate the duplex parameter.
For Gigabit Ethernet ports, setting the port to auto has the same effect as specifying full if the attached device does not autonegotiate the duplex parameter.
Note Half-duplex mode is supported on Gigabit Ethernet interfaces if duplex mode is auto and the connected device is operating at half duplex. However, you cannot configure these interfaces to operate in half-duplex mode.
If both ends of the line support autonegotiation, we highly recommend using the default autonegotiation settings. If one interface supports autonegotiation and the other end does not, configure duplex and speed on both interfaces; do use the auto setting on the supported side.
If the speed is set to auto , the switch negotiates with the device at the other end of the link for the speed setting and then forces the speed setting to the negotiated value. The duplex setting remains as configured on each end of the link, which could result in a duplex setting mismatch.
You can configure the duplex setting when the speed is set to auto .
Note For guidelines on setting the switch speed and duplex parameters, see the software configuration guide for this release.
This example shows how to configure an interface for full duplex operation:
You can verify your setting by entering the show interfaces privileged EXEC command.
Use the errdisable detect cause global configuration command to enable error-disabled detection for a specific cause or all causes. Use the no form of this command to disable the error-disabled detection feature.
errdisable detect cause { all | arp-inspection | dhcp-rate-limit | gbic-invalid | l2ptguard | link-flap | loopback | pagp-flap | small-frame }
no errdisable detect cause { all | arp-inspection | dhcp-rate-limit | gbic-invalid | l2ptguard | link-flap | pagp-flap | small-frame }
Note Although visible in the command line interface, small-frame keyword is not needed on the switch because the existing broadcast storm disable feature correctly handles small frames.
A cause ( all , dhcp-rate-limit , and so forth) is the reason why the error-disabled state occurred. When a cause is detected on an interface, the interface is placed in an error-disabled state, an operational state that is similar to a link-down state.
When a port is error-disabled, it is effectively shut down, and no traffic is sent or received on the port. For the BPDU guard and port-security features, you can configure the switch to shut down just the offending VLAN on the port when a violation occurs, instead of shutting down the entire port.
If you set a recovery mechanism for the cause by entering the errdisable recovery global configuration command for the cause, the interface is brought out of the error-disabled state and allowed to retry the operation when all causes have timed out. If you do not set a recovery mechanism, you must enter the shutdown and then the no shutdown commands to manually recover an interface from the error-disabled state.
This example shows how to enable error-disabled detection for the link-flap error-disabled cause:
You can verify your setting by entering the show errdisable detect privileged EXEC command.
show interfaces status err-disabled |
Displays interface status or a list of interfaces in the error-disabled state. |
Use the errdisable recovery global configuration command to configure the recover mechanism variables. Use the no form of this command to return to the default setting.
errdisable recovery { cause { all | arp-inspection | bpduguard | channel-misconfig | dhcp-rate-limit | gbic-invalid | l2ptguard | link-flap | loopback | pagp-flap | psecure-violation | security-violation | small-frame | udld | unicast-flood | vmps } | { interval interval }
no errdisable recovery { cause { all | arp-inspection | bpduguard | channel-misconfig | dhcp-rate-limit | gbic-invalid | l2ptguard | link-flap | loopback | pagp-flap | psecure-violation | security-violation | small-frame | udld | unicast-flood | vmps } | { interval interval }
Note Although visible in the command-line help strings, the storm-control and unicast-flood keywords are not supported. The small-frame keyword is not used because the broadcast-storm disable feature processes small frames
A cause ( all , bpduguard and so forth) is defined as the reason that the error-disabled state occurred. When a cause is detected on an interface, the interface is placed in error-disabled state, an operational state similar to link-down state. If you do not enable errdisable recovery for the cause, the interface stays in error-disabled state until you enter a shutdown and no shutdown interface configuration command. If you enable the recovery for a cause, the interface is brought out of the error-disabled state and allowed to retry the operation again when all the causes have timed out.
Otherwise, you must enter the shutdown then no shutdown commands to manually recover an interface from the error-disabled state
This example shows how to enable the recovery timer for the BPDU guard error-disabled cause:
This example shows how to set the timer to 500 seconds:
You can verify your settings by entering the show errdisable recovery privileged EXEC command.
show interfaces status err-disabled |
Displays interface status or a list of interfaces in error-disabled state. |
To configure an IEEE 802.1ad port, use the ethernet dot1ad interface configuration command. To disable an 802.1ad port, use the no form of the command.
ethernet dot1ad { nni | uni { c-port | s-port | c-port isolate | s-port isolate }}
The 802.1ad UNI port commands are typically used on the provider-edge switch ports interfacing with a customer device. For S-bridge UNI ports, you configure the customer device switch port as a trunk port and the S-bridge UNI on the interfacing PE device as an access port. The 802.1ad S-bridge UNI port provides an all-to-one bundling function for the set of customer C-VLANs in the provider network.
The 802.1ad C-bridge UNI ports provide selective bundling as well as all-to-one bundling capabilities for customer VLANs.
You should configure an 802.1ad NNI on all the interconnecting trunk links in the 802.1ad provider cloud to achieve end-to-end Layer 2 protocol tunneling.
You cannot configure a port as an isolated C-UNI or S-UNI port if the port is already configured as an 802.1ad port type. However, you can use the ethernet dot1ad interface command to change an isolated dot1ad port to a nonisolated S-UNI or C-UNI port.
An S-UNI or isolated S-UNI port must be an access port. A C-UNI or isolated C-UNI port can be an access port or a trunk port.
Use the ethernet evc global configuration command to define an Ethernet virtual connection (EVC) and to enter EVC configuration mode. Use the no form of this command to delete the EVC.
After you enter the ethernet evc evc-id command, the switch enters EVC configuration mode, and these configuration commands are available:
service instance id ethernet evc-id |
Configures an Ethernet service instance and attaches an EVC to it. |
Use the ethernet lmi global configuration command to configure enable Ethernet Local Management Interface (E-LMI) and to configure the switch as a provider-edge (PE) or customer-edge (CE) device. Use the no form of this command to disable E-LMI globally or to disable E-LMI CE.
Use ethernet lmi global command to enable E-LMI globally. Use ethernet lmi ce command to enable the switch as E-LMI CE device.
Ethernet LMI is disabled by default on an interface and must be explicitly enabled by entering the ethernet lmi interface interface configuration command. The ethernet lmi global command enables Ethernet LMI in PE mode on all interfaces for an entire device. The benefit of this command is that you can enable Ethernet LMI on all interfaces with one command instead of enabling Ethernet LMI separately on each interface. To enable the interface in CE mode, you must also enter the ethernet lmi ce global configuration command.
To disable Ethernet LMI on a specific interface after you have entered the ethernet lmi global command, enter the no ethernet lmi interface interface configuration command.
The sequence in which you enter the ethernet lmi interface interface configuration and ethernet lmi global global configuration commands is important. The latest command entered overrides the prior command entered.
Note For information about the ethernet lmi interface configuration command, see the Cisco IOS Carrier Ethernet Command Reference at this URL:
http://www.cisco.com/en/US/docs/ios/cether/command/reference/ce_book.html
To enable the switch as an Ethernet LMI CE device, you must enter both the ethernet lmi global and ethernet lmi ce commands. By default Ethernet LMI is disabled, and, when enabled the switch is in provider-edge mode unless you also enter the ethernet lmi ce command.
When the switch is configured as an Ethernet LMI CE device, these interface configuration commands and keywords are visible, but not supported:
Use the ethernet lmi ce-vlan map Ethernet service configuration command to configure Ethernet Local Management Interface (E-LMI) parameters. Use the no form of this command to remove the configuration.
ethernet lmi ce-vlan map { vlan-id | any | default | untagged}
no ethernet lmi ce-vlan map { vlan-id | any | default | untagged}
Ethernet service configuration
Use this command to configure an E-LMI customer VLAN-to-EVC map for a particular user-network interface (UNI).
On an ME-3400E interface configured for VLAN mapping, use the customer VLAN ID (C-VLAN) value when entering the ethernet lmi ce-vlan map vlan-id service instance configuration mode command. Do not use the service-provider VLAN ID (S-VLAN).
E-LMI mapping parameters are related to the bundling characteristics set by entering the ethernet uni { bundle [ all-to-one ] | multiplex } interface configuration command.
This example shows how to configure an E-LMI customer VLAN-to-EVC map to map EVC test to customer VLAN 101 in service instance 333 on the interface:
service instance id ethernet |
Defines an Ethernet service instance and enters Ethernet service configuration mode. |
Displays information about configured Ethernet service instances. |
Use the ethernet loopback facility interface configuration command to configure per-port loopbacks for testing connectivity across multiple switches. Use the ethernet loopback terminal interface configuration command to test quality of service (QoS). Use the no form of this command to remove the configuration.
ethernet loopback facility [ vlan vlan-list ] [ mac-address { swap | copy }] [ timeout { seconds | none }] supported
ethernet loopback terminal [ mac-address { swap | copy }] [ timeout { seconds | none }] supported
You can configure Ethernet loopback only on physical ports, not on VLANs or port channels.
A facility loopback puts the port into a state where the link is up, but the line protocol is down for regular traffic. The switch loops back all received traffic.
When you configure VLAN loopback by entering the vlan vlan-list keywords, the other VLANs on the port continue to be switched normally, allowing non-disruptive loopback testing.
The loopback ends after a port event, such as a port shutdown or a change from a switchport to a routed port.
For a terminal loopback, the software sees the port as up, but the link is down, and no packets are sent. Any configuration changes on the port immediately affect the traffic being looped back.
You can configure one loopback per port, and a maximum of two loopbacks per switch. You can configure only on terminal loopback per switch. Therefore, a switch could have one facility loopback and one terminal loopback or two facility loopbacks.
Ethernet loopback interactions with other features:
After you have configured Ethernet loopback, you enter the ethernet loopback start interface-id privileged EXEC command to begin the loopback. To stop loopback, enter the ethernet loopback stop { interface-id | all } command.
This example shows how to configure an Ethernet loopback to swap the MAC source and destination addresses, to time out after 30 seconds, to start the loopback process, and to verify the configuration. You must confirm the action before configuring.
This example shows how to remove Ethernet loopback facility configuration on two interfaces and to configure Ethernet terminal loopback on an interface.
Use the ethernet loopback privileged EXEC command to start or stop an Ethernet loopback function on an interface.
ethernet loopback { start interface-id | stop { interface-id | all }}
Before starting or stopping an Ethernet loopback operation, you must configure it on an interface by entering the ethernet loopback interface configuration command. When you start loopback, you see a warning message.
You can configure Ethernet loopback and enter the ethernet loopback start or ethernet loopback stop command only for physical ports, not for VLANs or port channels.
You cannot start VLAN loopback on nontrunk interfaces. You cannot start terminal loopback on routed interfaces.
You can configure only one loopback per port and a maximum of two loopbacks per switch. You can configure only one terminal loopback per switch.
This example shows how to start a facility port loopback process, to verify it, and then to stop it:
This example shows how to start a VLAN non-intrusive loopback process:
Use the ethernet oam remote-failure interface configuration or configuration template command to configure Ethernet operations, maintenance, and administration (EOM) remote failure indication. Use the no form of this command to remove the configuration.
ethernet oam remote-failure { critical-event | dying-gasp | link-fault } action error-disable-interface
no ethernet oam remote-failure { critical-event | dying-gasp | link-fault } action
Ethernet service configuration
You can apply this command to an Ethernet OAM template and to an interface. The interface configuration takes precedence over template configuration. To enter OAM template configuration mode, use the template template-name global configuration command.
The Cisco ME switch does not generate Link Fault or Critical Event OAM PDUs. However, if these PDUs are received from a link partner, they are processed. The switch supports generating and receiving Dying Gasp OAM PDUs when Ethernet OAM is disabled, the interface is shut down, the interface enters the error-disabled state, or the switch is reloading. The switch can also generate and receive Dying Gasp PDUs based on loss of power. The PDU includes a reason code to indicate why it was sent.
You can configure an error-disable action to occur if the remote link goes down, if the remote device is disabled, or if the remote device disables Ethernet OAM on the interface.
For complete command and configuration information for the Ethernet OAM protocol, see the
Cisco IOS Carrier Ethernet Configuration Guide
at:
http://www.cisco.com/en/US/docs/ios/cether/configuration/guide/12_2sr/ce_12_2sr_book.html
For information about other CFM and Ethernet OAM commands, see the
Cisco IOS Carrier Ethernet Command Reference
at:
http://www.cisco.com/en/US/docs/ios/cether/command/reference/ce_book.html
Use the ethernet uni interface configuration command to set UNI bundling attributes. Use the no form of this command to return to the default bundling configuration.
ethernet uni { bundle [ all-to-one ] | multiplex }
no ethernet uni { bundle | multiplex }
The UNI attributes determine the functionality that the interface has regarding bundling VLANs, multiplexing EVCs, and the combination of these.
If you want both bundling and multiplexing services for a UNI, you do not need to configure bundling or multiplexing. If you want only bundling, or only multiplexing, you need to configure it appropriately.
When you configure, change, or remove a UNI service type, the EVC and CE-VLAN ID configurations are checked to ensure that the configurations and the UNI service types match. If the configurations do not match, the command is rejected.
If you intend to use the ethernet lmi ce-vlan map any service configuration command, you must first configure all-to-one bundling on the interface. See the ethernet lmi ce-vlan map section for more information.
This example shows how to configure bundling without multiplexing:
To verify UNI service type, enter the show ethernet service interface detail privileged EXEC command.
Use the ethernet uni interface configuration command to create an Ethernet user-network interface (UNI) ID. Use the no form of this command to remove the UNI ID.
When you configure a UNI ID on a port, that ID is used as the default name for all maintenance end points (MEPs) configured on the port.
You must enter the ethernet uni id name command on all ports that are directly connected to customer-edge (CE) devices. If the specified ID is not unique on the device, an error message appears.
Use the exceed-action policy-map class police configuration command to set multiple actions for a policy-map class for packets with a rate between the committed information rate (CIR) or peak information rate (PIR) conform rate and the conform rate plus the exceed burst. Use the no form of this command to cancel the action or to return to the default action.
exceed-action { drop | set-cos-transmit { new-cos-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-dscp-transmit { new-dscp-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-prec-transmit { new-precedence-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-qos-transmit qos-group-value | transmit ]}
no exceed-action { drop | set-cos-transmit { new-cos-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-dscp-transmit { new-dscp-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-prec-transmit { new-precedence-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-qos-transmit qos-group-value | transmit ]}
Policy-map class police configuration
You configure exceed actions for packets when the packet rate is between the configured conform rate and the conform rate plus the exceed burst.
If the conform action is set to drop , the exceed and violate actions are automatically set to drop . If the exceed action is set to drop , the violate action is automatically set to drop .
You can configure exceed-action to send the packet unmodified, mark using explicit values, and use all combinations of enhanced packet marking. Enhanced packet marking provides the ability to modify a QoS marking based on any incoming QoS marking and table maps. The switch also supports the ability to mark multiple QoS parameters for the same class and to simultaneously configure conform-action, exceed-action, and violate-action marking.
Access policy-map class police configuration mode by entering the police policy-map class command. See the police command for more information.
You can use this command to set one or more exceed actions for a traffic class.
This example shows how configure multiple actions in a policy map that sets an information rate of 23000 bits per second (b/s) and a burst rate of 10000 bps:
You can verify your settings by entering the show policy-map privileged EXEC command.
Use the flowcontrol interface configuration command to set the receive flow-control state for an interface. When flow control send is operable and on for a device and it detects any congestion at its end, it notifies the link partner or the remote device of the congestion by sending a pause frame. When flow control receive is on for a device and it receives a pause frame, it stops sending any data packets. This prevents any loss of data packets during the congestion period.
Use the receive off keywords to disable flow control.
flowcontrol receive { desired | off | on }
Note The Cisco ME switch can only receive pause frames.
The switch does not support sending flow-control pause frames. If the port is a user network interface (UNI) or enhanced network interface (ENI), you must use the no shutdown interface configuration command to enable it before using the flowcontrol command. UNIs and ENIs are disabled by default. Network node interfaces (NNIs) are enabled by default.
Note that the on and desired keywords have the same result.
When you use the flowcontrol command to set a port to control traffic rates during congestion, you are setting flow control on a port to one of these conditions:
Table 2-2 shows the flow control results on local and remote ports for a combination of settings. The table assumes that receive desired has the same results as using the receive on keywords.
This example shows how to configure the local port to not support flow control by the remote port:
You can verify your settings by entering the show interfaces privileged EXEC command.
Use the hw-module module logging onboard global configuration command to enable on-board failure logging (OBFL). Use the no form of this command to disable this feature.
hw-module module [ slot-number ] logging onboard [ message level level ]
no hw-module module [ slot-number ] logging onboard [ message level ]
We recommend that you keep OBFL enabled and do not clear the data stored in the flash memory.
To ensure that the time stamps in the OBFL data logs are accurate, manually set the system clock, or configure it by using Network Time Protocol (NTP).
If you do not enter the message level level parameter, all the hardware-related messages generated by the switch are stored in the flash memory.
The optional slot number is always 1. Entering the hw-module module [ slot-number ] logging onboard [ message level level ] command has the same result as entering the hw-module module logging onboard [ message level level ] command.
This example shows how to enable OBFL on a switch stack and to specify that all the hardware-related messages are stored in the flash memory:
This example shows how to enable OBFL on a switch and to specify that only severity 1 hardware-related messages are stored in the flash memory:
You can verify your settings by entering the show logging onboard privileged EXEC command.
Use the interface port-channel global configuration command to access or create the port-channel logical interface. Use the no form of this command to remove the port-channel.
For Layer 2 EtherChannels, you do not have to create a port-channel interface first before assigning a physical port to a channel group. Instead, you can use the channel-group interface configuration command. It automatically creates the port-channel interface when the channel group gets its first physical port. If you create the port-channel interface first, the channel-group-number can be the same as the port - channel-number, or you can use a new number. If you use a new number, the channel-group command dynamically creates a new port channel.
You create Layer 3 port channels by using the interface port-channel command followed by the no switchport interface configuration command. You should manually configure the port-channel logical interface before putting the interface into the channel group.
Only one port channel in a channel group is allowed.
Follow these guidelines when you use the interface port-channel command:
Note CDP is available only on network node interfaces (NNIs) and enhanced network interfaces (ENIs).
For a complete list of configuration guidelines, see the “Configuring EtherChannels” chapter in the software configuration guide for this release.
This example shows how to create a port-channel interface with a port channel number of 5:
You can verify your setting by entering the show running-config privileged EXEC or show etherchannel channel-group-number detail privileged EXEC command.
Displays the operating configuration. For syntax information, use this link to the Cisco IOS Release 12.2 Command Reference listing page:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/prod_command_reference_list.html
|
Use the interface range global configuration command to enter interface range configuration mode and to execute a command on multiple ports at the same time. Use the no form of this command to remove an interface range.
interface range { port-range | macro name }
When you enter interface range configuration mode, all interface parameters you enter are attributed to all interfaces within the range.
For VLANs, you can use the interface range command only on existing VLAN switch virtual interfaces (SVIs). To display VLAN SVIs, enter the show running-config privileged EXEC command. VLANs not displayed cannot be used in the interface range command. The commands entered under interface range command are applied to all existing VLAN SVIs in the range.
All configuration changes made to an interface range are saved to NVRAM, but the interface range itself is not saved to NVRAM.
You can enter the interface range in two ways:
All interfaces in a range must be the same type; that is, all Fast Ethernet ports, all Gigabit Ethernet ports, all EtherChannel ports, or all VLANs. However, you can define up to five interface ranges with a single command, with each range separated by a comma.
Valid values for port-range type and interface :
– the range is type 0/number - number (for example, gigabitethernet0/1 - 2)
Note When you use the interface range command with port channels, the first and last port channel number in the range must be active port channels.
When you define a range, you must enter a space between the first entry and the hyphen (-):
When you define multiple ranges, you must still enter a space after the first entry and before the comma (,):
You cannot specify both a macro and an interface range in the same command.
A single interface can also be specified in port-range (this would make the command similar to the interface interface-id global configuration command).
Note For more information about configuring interface ranges, see the software configuration guide for this release.
This example shows how to use the interface range command to enter interface range configuration mode to apply commands to two ports:
This example shows how to use a port-range macro macro1 for the same function. The advantage is that you can reuse macro1 until you delete it.
Displays the operating configuration. For syntax information, use this link to the Cisco IOS Release 12.2 Command Reference listing page:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/prod_command_reference_list.html
|
Use the interface vlan global configuration command to create or access a switch virtual interface (SVI) and to enter interface configuration mode. Use the no form of this command to delete an SVI.
SVIs are created the first time that you enter the interface vlan vlan-id command for a particular vlan . The vlan-id corresponds to the VLAN-tag associated with data frames on an IEEE 802.1Q encapsulated trunk or the VLAN ID configured for an access port.
Note When you create an SVI, it does not become active until it is associated with a physical port.
If you delete an SVI by entering the no interface vlan vlan -id command, the deleted interface is no longer visible in the output from the show interfaces privileged EXEC command.
Note You cannot delete the VLAN 1 interface.
You can reinstate a deleted SVI by entering the interface vlan vlan-id command for the deleted interface. The interface comes back up, but much of the previous configuration will be gone.
The interrelationship between the number of SVIs configured on a switch and the number of other features being configured might have an impact on CPU utilization due to hardware limitations. You can use the sdm prefer global configuration command to reallocate system hardware resources based on templates and feature tables. For more information, see the sdm prefer command.
This example shows how to create VLAN ID 23 and enter interface configuration mode:
You can verify your setting by entering the show interfaces and show interfaces vlan vlan-id privileged EXEC commands.
show interfaces vlan vlan-id |
Displays the administrative and operational status of all interfaces or the specified VLAN. |
Use the ip access-group interface configuration command to control access to a Layer 2 or Layer 3 interface. Use the no form of this command to remove all access groups or the specified access group from the interface. If the switch is running the metro IP access image, you can also control access to Layer 3 interfaces.
ip access-group { access-list-number | name } { in | out }
no ip access-group [ access-list-number | name ] { in | out }
You can apply named or numbered standard or extended IP access lists to an interface. To define an access list by name, use the ip access-list global configuration command. To define a numbered access list, use the access list global configuration command. You can used numbered standard access lists ranging from 1 to 99 and 1300 to 1999 or extended access lists ranging from 100 to 199 and 2000 to 2699.
The switch must be running the metro IP access image for Layer 3 support.
You can use this command to apply an access list to a Layer 2 interface (port ACL) or Layer 3 interface. However, note these limitations for port ACLs:
You can use router ACLs, input port ACLs, and VLAN maps on the same switch. However, a port ACL always takes precedence. When both an input port ACL and a VLAN map are applied, incoming packets received on ports with the port ACL applied are filtered by the port ACL. Other packets are filtered by the VLAN map.
You can apply IP ACLs to both outbound or inbound Layer 3 interfaces.
A Layer 3 interface can have one IP ACL applied in each direction.
You can configure only one VLAN map and one router ACL in each direction (input/output) on a VLAN interface.
For standard inbound access lists, after the switch receives a packet, it checks the source address of the packet against the access list. IP extended access lists can optionally check other fields in the packet, such as the destination IP address, protocol type, or port numbers. If the access list permits the packet, the switch continues to process the packet. If the access list denies the packet, the switch discards the packet. If the access list has been applied to a Layer 3 interface, discarding a packet (by default) causes the generation of an Internet Control Message Protocol (ICMP) Host Unreachable message. ICMP Host Unreachable messages are not generated for packets discarded on a Layer 2 interface.
For standard outbound access lists, after receiving a packet and sending it to a controlled interface, the switch checks the packet against the access list. If the access list permits the packet, the switch sends the packet. If the access list denies the packet, the switch discards the packet and, by default, generates an ICMP Host Unreachable message.
If the specified access list does not exist, all packets are passed.
This example shows how to apply IP access list 101 to inbound packets on a port:
You can verify your settings by entering the show ip interface, show access-lists, or show ip access-lists privileged EXEC command.
Use the ip address interface configuration command to set an IP address for the Layer 2 switch or to set an IP address for each switch virtual interface (SVI) or routed port on the Layer 3 switch. Use the no form of this command to remove an IP address or to disable IP processing.
ip address ip-address subnet-mask [ secondary ]
no ip address [ ip-address subnet-mask ] [ secondary ]
Note You can configure routed ports and SVIs only when the switch is running the metro IP access image.
If you remove the switch IP address through a Telnet session, your connection to the switch will be lost.
Hosts can find subnet masks using the Internet Control Message Protocol (ICMP) Mask Request message. Routers respond to this request with an ICMP Mask Reply message.
You can disable IP processing on a particular interface by removing its IP address with the no ip address command. If the switch detects another host using one of its IP addresses, it will send an error message to the console.
You can use the optional keyword secondary to specify an unlimited number of secondary addresses. Secondary addresses are treated like primary addresses, except the system never generates datagrams other than routing updates with secondary source addresses. IP broadcasts and ARP requests are handled properly, as are interface routes in the IP routing table.
Note If any router on a network segment uses a secondary address, all other devices on that same segment must also use a secondary address from the same network or subnet. Inconsistent use of secondary addresses on a network segment can very quickly cause routing loops.
When you are routing Open Shortest Path First (OSPF), ensure that all secondary addresses of an interface fall into the same OSPF area as the primary addresses.
If your switch receives its IP address from a Bootstrap Protocol (BOOTP) or a DHCP server and you remove the switch IP address by using the no ip address command, IP processing is disabled, and the BOOTP or the DHCP server cannot reassign the address.
A Layer 3 switch can have an IP address assigned to each routed port and SVI. The number of routed ports and SVIs that you can configure is not limited by software; however, the interrelationship between this number and the number of other features being configured might have an impact on CPU utilization due to hardware limitations. You can use the sdm prefer global configuration command to reallocate system hardware resources based on templates and feature tables. For more information, see the sdm prefer command.
This example shows how to configure the IP address for the Layer 2 switch on a subnetted network:
This example shows how to configure the IP address for a Layer 3 port on the switch:
You can verify your settings by entering the show running-config privileged EXEC command.
Displays the operating configuration. For syntax information, use this link to the Cisco IOS Release 12.2 Command Reference listing page:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/prod_command_reference_list.html
|
Use the ip arp inspection filter vlan global configuration command to permit or deny Address Resolution Protocol (ARP) requests and responses from a host configured with a static IP address when dynamic ARP inspection is enabled. Use the no form of this command to return to the default settings.
ip arp inspection filter arp-acl-name vlan vlan-range [ static ]
no ip arp inspection filter arp-acl-name vlan vlan-range [ static ]
When an ARP ACL is applied to a VLAN for dynamic ARP inspection, only the ARP packets with IP-to-MAC address bindings are compared against the ACL. If the ACL permits a packet, the switch forwards it. All other packet types are bridged in the ingress VLAN without validation.
If the switch denies a packet because of an explicit deny statement in the ACL, the packet is dropped. If the switch denies a packet because of an implicit deny statement, the packet is then compared against the list of DHCP bindings (unless the ACL is static , which means that packets are not compared against the bindings).
Use the arp access-list acl-name global configuration command to define the ARP ACL or to add clauses to the end of a predefined list.
This example shows how to apply the ARP ACL static-hosts to VLAN 1 for dynamic ARP inspection:
You can verify your settings by entering the show ip arp inspection vlan 1 privileged EXEC command.
Denies an ARP packet based on matches against the DHCP bindings. |
|
Permits an ARP packet based on matches against the DHCP bindings. |
|
show ip arp inspection vlan vlan-range |
Displays the configuration and the operating state of dynamic ARP inspection for the specified VLAN. |
Use the ip arp inspection limit interface configuration command to limit the rate of incoming Address Resolution Protocol (ARP) requests and responses on an interface. It prevents dynamic ARP inspection from using all of the switch resources if a denial-of-service attack occurs. Use the no form of this command to return to the default settings.
ip arp inspection limit { rate pps [ burst interval seconds ] | none }
The rate applies to both trusted and untrusted interfaces. Configure appropriate rates on trunks to process packets across multiple dynamic ARP inspection-enabled VLANs, or use the none keyword to make the rate unlimited.
After a switch receives more than the configured rate of packets every second consecutively over a number of burst seconds, the interface is placed into an error-disabled state.
Unless you explicitly configure a rate limit on an interface, changing the trust state of the interface also changes its rate limit to the default value for that trust state. After you configure the rate limit, the interface retains the rate limit even when its trust state is changed. If you enter the no ip arp inspection limit interface configuration command, the interface reverts to its default rate limit.
You should configure trunk ports with higher rates to reflect their aggregation. When the rate of incoming packets exceeds the user-configured rate, the switch places the interface into an error-disabled state. The error-disable recovery feature automatically removes the port from the error-disabled state according to the recovery setting.
The rate of incoming ARP packets on EtherChannel ports equals the sum of the incoming rate of ARP packets from all the channel members. Configure the rate limit for EtherChannel ports only after examining the rate of incoming ARP packets on all the channel members.
This example shows how to limit the rate of incoming ARP requests on a port to 25 pps and to set the interface monitoring interval to 5 consecutive seconds:
You can verify your settings by entering the show ip arp inspection interfaces interface-id privileged EXEC command.
show ip arp inspection interfaces |
Displays the trust state and the rate limit of ARP packets for the specified interface or all interfaces. |
Use the ip arp inspection log-buffer global configuration command to configure the dynamic Address Resolution Protocol (ARP) inspection logging buffer. Use the no form of this command to return to the default settings.
ip arp inspection log-buffer { entries number | logs number interval seconds }
no ip arp inspection log-buffer { entries | logs }
A value of 0 is not allowed for both the logs and the interval keywords.
The logs and interval settings interact. If the logs number X is greater than interval seconds Y, X divided by Y (X/Y) system messages are sent every second. Otherwise, one system message is sent every Y divided by X (Y/X) seconds. For example, if the logs number is 20 and the interval seconds is 4, the switch generates system messages for five entries every second while there are entries in the log buffer.
A log buffer entry can represent more than one packet. For example, if an interface receives many packets on the same VLAN with the same ARP parameters, the switch combines the packets as one entry in the log buffer and generates a system message as a single entry.
If the log buffer overflows, it means that a log event does not fit into the log buffer, and the output display for the show ip arp inspection log privileged EXEC command is affected. A -- in the output display appears in place of all data except the packet count and the time. No other statistics are provided for the entry. If you see this entry in the display, increase the number of entries in the log buffer, or increase the logging rate.
This example shows how to configure the logging buffer to hold up to 45 entries:
This example shows how to configure the logging rate to 20 log entries per 4 seconds. With this configuration, the switch generates system messages for five entries every second while there are entries in the log buffer.
You can verify your settings by entering the show ip arp inspection log privileged EXEC command.
Use the ip arp inspection trust interface configuration command to configure an interface trust state that determines which incoming Address Resolution Protocol (ARP) packets are inspected. Use the no form of this command to return to the default setting.
The switch does not check ARP packets that it receives on the trusted interface; it simply forwards the packets.
For untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination. The switch drops invalid packets and logs them in the log buffer according to the logging configuration specified with the ip arp inspection vlan logging global configuration command.
This example shows how to configure a port to be trusted:
You can verify your setting by entering the show ip arp inspection interfaces interface-id privileged EXEC command.
show ip arp inspection interfaces |
Displays the trust state and the rate limit of ARP packets for the specified interface or all interfaces. |
Displays the configuration and contents of the dynamic ARP inspection log buffer. |
Use the ip arp inspection validate global configuration command to perform specific checks for dynamic Address Resolution Protocol (ARP) inspection. Use the no form of this command to return to the default settings.
ip arp inspection validate {[ src-mac ] [ dst-mac ] [ ip [allow zeros] ]}
no ip arp inspection validate [ src-mac ] [ dst-mac ] [ ip [allow zeros] ]
You must specify at least one of the keywords. Each command overrides the configuration of the previous command; that is, if a command enables src-mac and dst-mac validations, and a second command enables IP validation only, the src-mac and dst-mac validations are disabled as a result of the second command.
The allow-zeros keyword interacts with ARP access control lists (ACLs) in this way:
The no form of the command disables only the specified checks. If none of the options are enabled, all checks are disabled.
This example show how to enable source MAC validation:
You can verify your setting by entering the show ip arp inspection vlan vlan-range privileged EXEC command.
show ip arp inspection vlan vlan-range |
Displays the configuration and the operating state of dynamic ARP inspection for the specified VLAN. |
Use the ip arp inspection vlan global configuration command to enable dynamic Address Resolution Protocol (ARP) inspection on a per-VLAN basis. Use the no form of this command to return to the default setting.
ip arp inspection vlan vlan-range
You must specify the VLANs on which to enable dynamic ARP inspection.
Dynamic ARP inspection is supported on access ports, trunk ports, EtherChannel ports, or private VLAN ports.
This example shows how to enable dynamic ARP inspection on VLAN 1:
You can verify your setting by entering the show ip arp inspection vlan vlan-range privileged EXEC command.
show ip arp inspection vlan vlan-range |
Displays the configuration and the operating state of dynamic ARP inspection for the specified VLAN. |
Use the ip arp inspection vlan logging global configuration command to control the type of packets that are logged per VLAN. Use the no form of this command to disable this logging control.
ip arp inspection vlan vlan-range logging { acl-match { matchlog | none } | dhcp-bindings { all | none | permit } | arp-probe }
no ip arp inspection vlan vlan-range logging { acl-match | dhcp-bindings | arp-probe }
The term logged means that the entry is placed into the log buffer and that a system message is generated.
The acl-match and dhcp-bindings keywords merge with each other; that is, when you configure an ACL match, the DHCP bindings configuration is not disabled. Use the no form of the command to reset the logging criteria to their defaults. If neither option is specified, all types of logging are reset to log when ARP packets are denied. These are the options:
If neither the acl-match or the dhcp-bindings keywords are specified, all denied packets are logged.
The implicit deny at the end of an ACL does not include the log keyword. This means that when you use the static keyword in the ip arp inspection filter vlan global configuration command, the ACL overrides the DHCP bindings. Some denied packets might not be logged unless you explicitly specify the deny ip any mac any log ACE at the end of the ARP ACL.
This example shows how to configure ARP inspection on VLAN 1 to log packets that match the permit commands in the ACL:
You can verify your settings by entering the show ip arp inspection vlan vlan-range privileged EXEC command.
Displays the configuration and contents of the dynamic ARP inspection log buffer. |
|
show ip arp inspection vlan vlan-range |
Displays the configuration and the operating state of dynamic ARP inspection for the specified VLAN. |
Use the ip dhcp snooping global configuration command to globally enable DHCP snooping. Use the no form of this command to return to the default setting.
For any DHCP snooping configuration to take effect, you must globally enable DHCP snooping.
DHCP snooping is not active until you enable snooping on a VLAN by using the ip dhcp snooping vlan vlan-id global configuration command.
This example shows how to enable DHCP snooping:
You can verify your settings by entering the show ip dhcp snooping privileged EXEC command.
Use the ip dhcp snooping binding privileged EXEC command to configure the DHCP snooping binding database and to add binding entries to the database. Use the no form of this command to delete entries from the binding database.
ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface-id expiry seconds
no ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface-id
Use this command when you are testing or debugging the switch.
In the DHCP snooping binding database, each database entry, also referred to a binding , has an IP address, an associated MAC address, the lease time (in hexadecimal format), the interface to which the binding applies, and the VLAN to which the interface belongs. The database can have up to 8192 bindings.
Use the show ip dhcp snooping binding privileged EXEC command to display only the dynamically configured bindings. Use the show ip source binding privileged EXEC command to display the dynamically and statically configured bindings.
This example shows how to generate a DHCP binding configuration with an expiration time of 1000 seconds on a port in VLAN 1:
You can verify your settings by entering the show ip dhcp snooping binding or the show ip dhcp source binding privileged EXEC command.
Use the ip dhcp snooping database global configuration command to configure the DHCP snooping binding database agent. Use the no form of this command to disable the agent, to reset the timeout value, or to reset the write-delay value.
ip dhcp snooping database {{ flash:/ filename | ftp:// user:password@host/filename | http: //[[username:password]@]{hostname | host-ip}[/directory]/image-name .tar | rcp:// user@host/filename | tftp:// host/filename } | timeout seconds | write-delay seconds }
no ip dhcp snooping database [ timeout | write-delay ]
The DHCP snooping binding database can have up to 8192 bindings.
To ensure that the lease time in the database is accurate, we recommend that Network Time Protocol (NTP) is enabled and configured for these features:
If NTP is configured, the switch writes binding changes to the binding file only when the switch system clock is synchronized with NTP.
Because both NVRAM and the flash memory have limited storage capacity, we recommend that you store a binding file on a TFTP server. You must create an empty file at the configured URL on network-based URLs (such as TFTP and FTP) before the switch can write bindings to the binding file at that URL for the first time.
Use the no ip dhcp snooping database command to disable the agent.
Use the no ip dhcp snooping database timeout command to reset the timeout value.
Use the no ip dhcp snooping database write-delay command to reset the write-delay value.
This example shows how to store a binding file at an IP address of 10.1.1.1 that is in a directory called directory . A file named file must be present on the TFTP server.
You can verify your settings by entering the show ip dhcp snooping database privileged EXEC command.
Use the ip dhcp snooping information option global configuration command to enable DHCP option-82 data insertion. Use the no form of this command to disable DHCP option-82 data insertion.
You must globally enable DHCP snooping by using the ip dhcp snooping global configuration command for any DHCP snooping configuration to take effect.
When the option-82 feature is enabled and a switch receives a DHCP request from a host, it adds the option-82 information in the packet. The option-82 information contains the switch MAC address (the remote ID suboption) and the port identifier, vlan-mod-port , from which the packet is received (circuit ID suboption). The switch forwards the DHCP request that includes the option-82 field to the DHCP server.
When the DHCP server receives the packet, it can use the remote ID, the circuit ID, or both to assign IP addresses and implement policies, such as restricting the number of IP addresses that can be assigned to a single remote ID or a circuit ID. Then the DHCP server echoes the option-82 field in the DHCP reply.
The DHCP server unicasts the reply to the switch if the request was relayed to the server by the switch. When the client and server are on the same subnet, the server broadcasts the reply. The switch inspects the remote ID and possibly the circuit ID fields to verify that it originally inserted the option-82 data. The switch removes the option-82 field and forwards the packet to the switch port that connects to the DHCP host that sent the DHCP request.
This example shows how to enable DHCP option-82 data insertion:
You can verify your settings by entering the show ip dhcp snooping privileged EXEC command.
Use the ip dhcp snooping information option allowed-untrusted global configuration command on an aggregation switch to configure it to accept DHCP packets with option-82 information that are received on untrusted ports that might be connected to an edge switch. Use the no form of this command to configure the switch to drop these packets from the edge switch.
You might want an edge switch to which a host is connected to insert DHCP option-82 information at the edge of your network. You might also want to enable DHCP security features, such as DHCP snooping, IP source guard, or dynamic Address Resolution Protocol (ARP) inspection, on an aggregation switch. However, if DHCP snooping is enabled on the aggregation switch, the switch drops packets with option-82 information that are received on an untrusted port and does not learn DHCP snooping bindings for connected devices on a trusted interface.
If the edge switch to which a host is connected inserts option-82 information and you want to use DHCP snooping on an aggregation switch, enter the ip dhcp snooping information option allowed-untrusted command on the aggregation switch. The aggregation switch can learn the bindings for a host even though the aggregation switch receives DHCP snooping packets on an untrusted port. You can also enable DHCP security features on the aggregation switch. The port on the edge switch to which the aggregation switch is connected must be configured as a trusted port.
Note Do not enter the ip dhcp snooping information option allowed-untrusted command on an aggregation switch to which an untrusted device is connected. If you enter this command, an untrusted device might spoof the option-82 information.
This example shows how to configure an access switch to not check the option-82 information in untrusted packets from an edge switch and to accept the packets:
You can verify your settings by entering the show ip dhcp snooping privileged EXEC command.
Use the ip dhcp snooping information option format remote-id global configuration command to configure the option-82 remote-ID suboption. Use the no form of this command to configure the default remote-ID suboption.
ip dhcp snooping information option format remote-id [string ASCII-string | hostname]
You must globally enable DHCP snooping by using the ip dhcp snooping global configuration command for any DHCP snooping configuration to take effect.
When the option-82 feature is enabled, the default remote-ID suboption is the switch MAC address. This command allows you to configure either the switch hostname or a string of up to 63 ASCII characters (but no spaces) to be the remote ID.
Note If the hostname exceeds 63 characters, it is truncated to 63 characters in the remote-ID configuration.
This example shows how to configure the option-82 remote-ID suboption:
You can verify your settings by entering the show ip dhcp snooping user EXEC command.
Use the ip dhcp snooping limit rate interface configuration command to configure the number of DHCP messages an interface can receive per second. Use the no form of this command to return to the default setting.
ip dhcp snooping limit rate rate
Normally, the rate limit applies to untrusted interfaces. If you want to configure rate limiting for trusted interfaces, keep in mind that trusted interfaces might aggregate DHCP traffic on multiple VLANs (some of which might not be snooped) in the switch, and you will need to adjust the interface rate limits to a higher value.
If the rate limit is exceeded, the interface is error-disabled. If you enabled error recovery by entering the errdisable recovery dhcp-rate-limit global configuration command, the interface retries the operation again when all the causes have timed out. If the error-recovery mechanism is not enabled, the interface stays in the error-disabled state until you enter the shutdown and no shutdown interface configuration commands.
This example shows how to set a message rate limit of 150 messages per second on an interface:
You can verify your settings by entering the show ip dhcp snooping privileged EXEC command.
Use the ip dhcp snooping trust interface configuration command to configure a port as trusted for DHCP snooping purposes. Use the no form of this command to return to the default setting.
Configure as trusted ports those that are connected to a DHCP server or to other switches or routers. Configure as untrusted ports those that are connected to DHCP clients.
This example shows how to enable DHCP snooping trust on a port:
You can verify your settings by entering the show ip dhcp snooping privileged EXEC command.
Use the ip dhcp snooping verify mac-address global configuration command to configure the switch to verify on an untrusted port that the source MAC address in a DHCP packet matches the client hardware address. Use the no form of this command to configure the switch to not verify the MAC addresses.
In a service-provider network, when a switch receives a packet from a DHCP client on an untrusted port, it automatically verifies that the source MAC address and the DHCP client hardware address match. If the addresses match, the switch forwards the packet. If the addresses do not match, the switch drops the packet.
This example shows how to disable the MAC address verification:
You can verify your settings by entering the show ip dhcp snooping privileged EXEC command.
Use the ip dhcp snooping vlan global configuration command to enable DHCP snooping on a VLAN. Use the no form of this command to disable DHCP snooping on a VLAN.
ip dhcp snooping vlan vlan-range
no ip dhcp snooping vlan vlan-range
You must first globally enable DHCP snooping before enabling DHCP snooping on a VLAN.
This example shows how to enable DHCP snooping on VLAN 10:
You can verify your settings by entering the show ip dhcp snooping privileged EXEC command.
Use the ip dhcp snooping vlan information option format-type circuit-id string interface configuration command to configure the option-82 circuit-ID suboption. Use the no form of this command to configure the default circuit-ID suboption.
ip dhcp snooping vlan vlan information option format-type circuit-id [override] string ASCII-string
no ip dhcp snooping vlan vlan information option format-type circuit-id [override] string
You must globally enable DHCP snooping by using the ip dhcp snooping global configuration command for any DHCP snooping configuration to take effect.
When the option-82 feature is enabled, the default circuit-ID suboption is the switch VLAN and the port identifier, in the format vlan-mod-port . This command allows you to configure a string of ASCII characters to be the circuit ID. When you want to override the vlan-mod-port format type and instead use the circuit-ID to define subscriber information, use the override keyword.
Note When configuring a large number of circuit IDs on a switch, consider the impact of lengthy character strings on the NVRAM or flash memory. If the circuit-ID configurations, combined with other data, exceed the capacity of the NVRAM or the flash memory, an error message appears.
This example shows how to configure the option-82 circuit-ID suboption:
This example shows how to configure the option-82 circuit-ID override suboption:
You can verify your settings by entering the show ip dhcp snooping user EXEC command.
Note The show ip dhcp snooping user EXEC command only displays the global command output, including a remote-ID configuration. It does not display any per-interface, per-VLAN string that you have configured for the circuit ID.
Use the ip igmp filter interface configuration command to control whether or not all hosts on a Layer 2 interface can join one or more IP multicast groups by applying an Internet Group Management Protocol (IGMP) profile to the interface. Use the no form of this command to remove the specified profile from the interface.
You can apply IGMP filters only to Layer 2 physical interfaces.
You cannot apply IGMP filters to routed ports, switch virtual interfaces (SVIs), or ports that belong to an EtherChannel group.
An IGMP profile can be applied to one or more switch port interfaces, but one port can have only one profile applied to it.
This example shows how to apply IGMP profile 22 to a port.
You can verify your setting by using the show running-config privileged EXEC command and by specifying an interface.
Use the ip igmp max-groups interface configuration command to set the maximum number of Internet Group Management Protocol (IGMP) groups that a Layer 2 interface can join or to configure the IGMP throttling action when the maximum number of entries is in the forwarding table. Use the no form of this command to set the maximum back to the default, which is to have no maximum limit, or to return to the default throttling action, which is to drop the report.
ip igmp max-groups { number | action { deny | replace }}
no ip igmp max-groups { number | action }
You can use this command only on Layer 2 physical interfaces and on logical EtherChannel interfaces.
You cannot set IGMP maximum groups for routed ports, switch virtual interfaces (SVIs), or ports that belong to an EtherChannel group.
Follow these guidelines when configuring the IGMP throttling action:
This example shows how to limit to 25 the number of IGMP groups that a port can join.
This example shows how to configure the switch to replace the existing group with the new group for which the IGMP report was received when the maximum number of entries is in the forwarding table:
You can verify your setting by using the show running-config privileged EXEC command and by specifying an interface.
Use the ip igmp profile global configuration command to create an Internet Group Management Protocol (IGMP) profile and enter IGMP profile configuration mode. From this mode, you can specify the configuration of the IGMP profile to be used for filtering IGMP membership reports from a switchport. Use the no form of this command to delete the IGMP profile.
ip igmp profile profile number
When you are in IGMP profile configuration mode, you can create the profile by using these commands:
When entering a range, enter the low IP multicast address, a space, and the high IP multicast address.
You can apply an IGMP profile to one or more Layer 2 interfaces, but each interface can have only one profile applied to it.
This example shows how to configure IGMP profile 40 that permits the specified range of IP multicast addresses.
You can verify your settings by using the show ip igmp profile privileged EXEC command.
Use the ip igmp snooping global configuration command to globally enable Internet Group Management Protocol (IGMP) snooping on the switch or to enable it on a per-VLAN basis. Use the no form of this command to return to the default setting.
ip igmp snooping [ vlan vlan-id ]
When IGMP snooping is enabled globally, it is enabled in all the existing VLAN interfaces. When IGMP snooping is disabled globally, it is disabled on all the existing VLAN interfaces.
VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in IGMP snooping.
This example shows how to globally enable IGMP snooping:
This example shows how to enable IGMP snooping on VLAN 1:
You can verify your settings by entering the show ip igmp snooping privileged EXEC command.
Use the ip igmp snooping last-member-query-interval global configuration command to enable the Internet Group Management Protocol (IGMP) configurable-leave timer globally or on a per-VLAN basis. Use the no form of this command to return to the default setting.
ip igmp snooping [vlan vlan-id ] last-member-query-interval time
no ip igmp snooping [vlan vlan-id ] last-member-query-interval
When IGMP snooping is globally enabled, IGMP snooping is enabled on all the existing VLAN interfaces. When IGMP snooping is globally disabled, IGMP snooping is disabled on all the existing VLAN interfaces.
VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in IGMP snooping.
Configuring the leave timer on a VLAN overrides the global setting.
The IGMP configurable leave time is only supported on devices running IGMP Version 2.
This example shows how to globally enable the IGMP leave timer for 2000 milliseconds:
This example shows how to configure the IGMP leave timer for 3000 milliseconds on VLAN 1:
You can verify your settings by entering the show ip igmp snooping privileged EXEC command.
Use the ip igmp snooping querier global configuration command to globally enable the Internet Group Management Protocol (IGMP) querier function in Layer 2 networks. Use the command with keywords to enable and configure the IGMP querier feature on a VLAN interface. Use the no form of this command to return to the default settings.
ip igmp snooping querier [ vlan vlan-id ] [ address ip-address | max-response-time response-time | query-interval interval-count | tcn query [ count count | interval interval ] | timer expiry | version version ]
no ip igmp snooping querier [ vlan vlan-id ] [ address | max-response-time | query-interval | tcn query { count count | interval interval } | timer expiry | version ]
Use this command to enable IGMP snooping to detect the IGMP version and IP address of a device that sends IGMP query messages, which is also called a querier .
By default, the IGMP snooping querier is configured to detect devices that use IGMP Version 2 (IGMPv2) but does not detect clients that are using IGMP Version 1 (IGMPv1). You can manually configure the max-response-time value when devices use IGMPv2. You cannot configure the max-response-time when devices use IGMPv1. (The value cannot be configured and is set to zero).
Non-RFC compliant devices running IGMPv1 might reject IGMP general query messages that have a non-zero value as the max-response-time value. If you want the devices to accept the IGMP general query messages, configure the IGMP snooping querier to run IGMPv1.
VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in IGMP snooping.
This example shows how to globally enable the IGMP snooping querier feature:
This example shows how to set the IGMP snooping querier maximum response time to 25 seconds:
This example shows how to set the IGMP snooping querier interval time to 60 seconds:
This example shows how to set the IGMP snooping querier TCN query count to 25:
This example shows how to set the IGMP snooping querier timeout to 60 seconds:
This example shows how to set the IGMP snooping querier feature to version 2:
You can verify your settings by entering the show ip igmp snooping privileged EXEC command.
Use the ip igmp snooping report-suppression global configuration command to enable Internet Group Management Protocol (IGMP) report suppression. Use the no form of this command to disable IGMP report suppression and to forward all IGMP reports to multicast routers.
IGMP report suppression is supported only when the multicast query has IGMPv1 and IGMPv2 reports. This feature is not supported when the query includes IGMPv3 reports.
The switch uses IGMP report suppression to forward only one IGMP report per multicast router query to multicast devices. When IGMP router suppression is enabled (the default), the switch sends the first IGMP report from all hosts for a group to all the multicast routers. The switch does not send the remaining IGMP reports for the group to the multicast routers. This feature prevents duplicate reports from being sent to the multicast devices.
If the multicast router query includes requests only for IGMPv1 and IGMPv2 reports, the switch forwards only the first IGMPv1 or IGMPv2 report from all hosts for a group to all the multicast routers. If the multicast router query also includes requests for IGMPv3 reports, the switch forwards all IGMPv1, IGMPv2, and IGMPv3 reports for a group to the multicast devices.
If you disable IGMP report suppression by entering the no ip igmp snooping report-suppression command, all IGMP reports are forwarded to all the multicast routers.
This example shows how to disable report suppression:
You can verify your settings by entering the show ip igmp snooping privileged EXEC command.
Use the ip igmp snooping tcn global configuration command to configure the Internet Group Management Protocol (IGMP) Topology Change Notification (TCN) behavior. Use the no form of this command to return to the default settings.
ip igmp snooping tcn { flood query count count | query solicit }
no ip igmp snooping tcn { flood query count | query solicit }
You can prevent the loss of the multicast traffic that might occur because of a topology change by using this command. If you set the TCN flood query count to 1 by using the ip igmp snooping tcn flood query count command, the flooding stops after receiving one general query. If you set the count to 7, the flooding of multicast traffic due to the TCN event lasts until seven general queries are received. Groups are relearned based on the general queries received during the TCN event.
This example shows how to specify 7 as the number of IGMP general queries for which the multicast traffic is flooded:
You can verify your settings by entering the show ip igmp snooping privileged EXEC command.
Use the ip igmp snooping tcn flood interface configuration command to specify multicast flooding as the Internet Group Management Protocol (IGMP) snooping spanning-tree Topology Change Notification (TCN) behavior. Use the no form of this command to disable the multicast flooding.
When the switch receives a TCN, multicast traffic is flooded to all the ports until two general queries are received. If the switch has many ports with attached hosts that are subscribed to different multicast groups, this flooding behavior might not be desirable because the flooded traffic might exceed the capacity of the link and cause packet loss.
You can change the flooding query count by using the ip igmp snooping tcn flood query count count global configuration command.
This example shows how to disable the multicast flooding on an interface:
You can verify your settings by entering the show ip igmp snooping privileged EXEC command.
Use the ip igmp snooping vlan vlan-id immediate-leave global configuration command to enable Internet Group Management Protocol (IGMP) snooping immediate-leave processing on a per-VLAN basis. Use the no form of this command to return to the default setting.
ip igmp snooping vlan vlan-id immediate-leave
VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in IGMP snooping.
You should only configure the Immediate Leave feature when there is a maximum of one receiver on every port in the VLAN. The configuration is saved in NVRAM.
The Immediate Leave feature is supported only with IGMP Version 2 hosts.
This example shows how to enable IGMP immediate-leave processing on VLAN 1:
You can verify your settings by entering the show ip igmp snooping privileged EXEC command.
Use the ip igmp snooping vlan vlan-id mrouter global configuration command to add a multicast router port or to configure the multicast learning method. Use the no form of this command to return to the default settings.
ip igmp snooping vlan vlan-id mrouter { interface interface-id | learn pim-dvmrp }
no ip igmp snooping vlan vlan-id mrouter { interface interface-id | learn pim-dvmrp }
VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in IGMP snooping.
This example shows how to configure a port as a multicast router port:
You can verify your settings by entering the show ip igmp snooping privileged EXEC command.
Use the ip igmp snooping vlan vlan-id static global configuration command to enable Internet Group Management Protocol (IGMP) snooping and to statically add a Layer 2 port as a member of a multicast group. Use the no form of this command to remove ports specified as members of a static multicast group.
ip igmp snooping vlan vlan-id static ip-address interface interface-id
no ip igmp snooping vlan vlan-id static ip-address interface interface-id
VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in IGMP snooping.
This example shows how to statically configure a port as a multicast router port:
You can verify your settings by entering the show ip igmp snooping privileged EXEC command.
Use the ip sla responder twamp global configuration command to configure the switch as a Two-Way Active Measurement Protocol (TWAMP) responder. Use the no form of this command to disable the IP SLA TWAMP responder.
ip sla responder twamp [ timeout seconds ]
After entering the ip sla responder twamp command, you enter IP SLA TWAMP reflector configuration mode, and these configuration commands are available:
For the TWAMP server and reflector to function, you must also configure a TWAMP control device, which serves as the client and session sender. These functions are not configured on a Cisco device.
Enables the Cisco IOS IP Service Level Agreements (SLAs) responder for general IP SLAs operations. |
|
Configures the switch as a Two-Way Active Measurement Protocol (TWAMP) server. |
|
(Optional) Display the IP SLAs standards configured on the switch. |
|
show ip sla twamp connection {detail | requests} |
(Optional) Displays the current Cisco IOS IP Service Level Agreements (SLAs) Two-Way Active Measurement Protocol (TWAMP) connections |
Use the ip sla server twamp global configuration command to configure the switch as a Two-Way Active Measurement Protocol (TWAMP) server. Use the no form of this command to disable the IP SLA TWAMP server.
After entering the ip sla server twamp command, you enter IP SLA TWAMP server configuration mode, and these configuration commands are available:
For the TWAMP server and reflector to function, you must also configure a TWAMP control device, which serves as the client and session sender. These functions are not configured on a Cisco device.
Enables the Cisco IOS IP Service Level Agreements (SLAs) responder for general IP SLAs operations. |
|
Configures the switch as a Two-Way Active Measurement Protocol (TWAMP) responder. |
|
(Optional) Displays the IP SLAs standards configured on the switch. |
|
show ip sla twamp connection {detail | requests} |
(Optional) Displays the current Cisco IOS IP Service Level Agreements (SLAs) Two-Way Active Measurement Protocol (TWAMP) connections. |
Use the ip source binding global configuration command to configure static IP source bindings on the switch. Use the no form of this command to delete static bindings.
ip source binding mac-address vlan vlan-id ip-address interface interface-id
no source binding mac-address vlan vlan-id ip-address interface interface-id
A static IP source binding entry has an IP address, its associated MAC address, and its associated VLAN number. The entry is based on the MAC address and the VLAN number. If you modify an entry by changing only the IP address, the switch updates the entry instead creating a new one.
This example shows how to add a static IP source binding:
This example shows how to add a static binding and then modify the IP address for it:
You can verify your settings by entering the show ip source binding privileged EXEC command.
Use the ip ssh global configuration command to configure the switch to run Secure Shell (SSH) Version 1 or SSH Version 2. Use the no form of this command to return to the default setting.
This command is available only when your switch is running the cryptographic (encrypted) software image.
If you do not enter this command or if you do not specify a keyword, the SSH server selects the latest SSH version supported by the SSH client. For example, if the SSH client supports SSHv1 and SSHv2, the SSH server selects SSHv2.
The switch supports an SSHv1 or an SSHv2 server. It also supports an SSHv1 client. For more information about the SSH server and the SSH client, see the software configuration guide for this release.
A Rivest, Shamir, and Adelman (RSA) key pair generated by an SSHv1 server can be used by an SSHv2 server and the reverse.
This example shows how to configure the switch to run SSH Version 2:
You can verify your settings by entering the show ip ssh or show ssh privileged EXEC command.
Use the ip sticky-arp global configuration command to enable sticky Address Resolution Protocol (ARP) on a switch virtual interface (SVI) that belongs to a private VLAN. Use the no form of this command to disable sticky ARP.
Sticky ARP entries are those learned on private-VLAN SVIs. These entries do not age out.
The ip sticky-arp global configuration command is supported only on SVIs belonging to private VLANs.
If you enter the ip sticky-arp interface configuration command, it does not take effect.
If you enter the no ip sticky-arp interface configuration command, you do not disable sticky ARP on an interface.
Note We recommend that you use the show arp privileged EXEC command to display and verify private-VLAN interface ARP entries.
Use the ip sticky-arp interface configuration command to enable sticky Address Resolution Protocol (ARP) on a switch virtual interface (SVI) or a Layer 3 interface. Use the no form of this command to disable sticky ARP.
Sticky ARP entries are those learned on SVIs and Layer 3 interfaces. These entries do not age out.
The ip sticky-arp interface configuration command is only supported on
On a Layer 3 interface or on an SVI belonging to a normal VLAN
If you enter the ip sticky-arp interface configuration command, it does not take effect.
If you enter the no ip sticky-arp interface configuration command, you do not disable sticky ARP on an interface.
Note We recommend that you use the show arp privileged EXEC command to display and verify private-VLAN interface ARP entries.
To enable sticky ARP on a normal SVI:
To disable sticky ARP on a Layer 3 interface or an SVI:
You can verify your settings by using the show arp privileged EXEC command.
Use the ip verify source interface configuration command to enable IP source guard on an interface. Use the no form of this command to disable IP source guard.
ip verify source { vlan dhcp-snooping | tracking } [ port-security ]
no ip verify source { vlan dhcp-snooping | tracking } [ port-security ]
To enable IP source guard with source IP address filtering, use the ip verify source interface configuration command.
To enable IP source guard with source IP and MAC address filtering, use the ip verify source port-security interface configuration command.
To enable IP source guard with source IP and MAC address filtering, you must enable port security on the interface.
This example shows how to enable IP source guard with source IP address filtering:
This example shows how to enable IP source guard on VLANs 10 through 20 on a per-port basis:
This example shows how to enable IP port security with IP-MAC filters on a Layer 2 access port:
Verify your settings by entering the show ip verify source privileged EXEC command.
Use the ipv6 access-list global configuration command to define an IPv6 access list and to place the switch in IPv6 access list configuration mode. To remove the access list, use the no form of this command.
ipv6 access-list access-list-name
no ipv6 access-list access-list-name
Note This command is available only if the switch is running the metro IP access image and you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 { default | routing | vlan ) global configuration command, and reload the switch.
The ipv6 access-list command is similar to the ip access-list command, but it is IPv6-specific.
IPv6 ACLs are defined by a unique name (IPv6 does not support numbered ACLs). An IPv4 ACL and an IPv6 ACL cannot share the same name.
See the deny (IPv6 access-list configuration) and permit (IPv6 access-list configuration) commands for more information on filtering IPv6 traffic based on IPv6 option headers and optional, upper-layer protocol-type information. See the “Examples” section for an example of a translated IPv6 ACL configuration.
Every IPv6 ACL has implicit permit icmp any any nd-na , permit icmp any any nd-ns , and deny ipv6 any any statements as its last match conditions. The two permit conditions allow ICMPv6 neighbor discovery. To disallow ICMPv6 neighbor discovery and to deny icmp any any nd-na or icmp any any nd-ns , there must be an explicit deny entry in the ACL. For the implicit deny ipv6 any any statement to take effect, an IPv6 ACL must contain at least one entry.
The IPv6 neighbor discovery process uses the IPv6 network layer service; therefore, by default, IPv6 ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface. In IPv4, the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery process, uses a separate data-link layer protocol; therefore, by default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.
Use the ipv6 traffic-filter interface configuration command with the access-list-name argument to apply an IPv6 ACL to an IPv6 interface. You can apply inbound and outbound IPv6 ACLs to Layer 3 physical interfaces or to switch virtual interfaces for routed ACLs, but only inbound IPv6 ACLs to Layer 2 interfaces for port ACLs.
Note An IPv6 ACL applied to an interface with the ipv6 traffic-filter command filters traffic that is forwarded by the switch and does not filter traffic generated by the switch.
This example puts the switch in IPv6 access list configuration mode, configures the IPv6 ACL named list2, and applies the ACL to outbound traffic on an interface. The first ACL entry prevents all packets from the network FE80:0:0:2::/64 (packets that have the link-local prefix FE80:0:0:2 as the first 64 bits of their source IPv6 address) from leaving the interface. The second entry in the ACL permits all other traffic to leave the interface. The second entry is necessary because an implicit deny-all condition is at the end of each IPv6 ACL.
Note IPv6 ACLs that rely on the implicit deny condition or specify a deny any any statement to filter traffic should contain permit statements for link-local addresses to avoid the filtering of protocol packets. Additionally IPv6 ACLs that use deny statements to filter traffic should also use a permit any any statement as the last statement in the list.
Use the ipv6 address dhcp interface configuration command to acquire an IPv6 address on an interface from the Dynamic Host Configuration Protocol for IPv6 (DHCPv6) server. To remove the address from the interface, use the no form of this command.
ipv6 address dhcp [rapid-commit]
no ipv6 address dhcp [rapid-commit]
Note This command is available only if the switch is running the metro IP access image and you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 { default | routing | vlan } global configuration command, and reload the switch.
The ipv6 address dhcp interface configuration command allows any interface to dynamically learn its IPv6 address by using DHCP.
The rapid-commit keyword enables the use of the two-message exchange for address allocation and other configuration. If it is enabled, the client includes the rapid-commit option in a solicit message.
Use the ipv6 dhcp client request interface configuration command to configure an IPv6 client to request an option from a Dynamic Host Configuration Protocol for IPv6 (DHCPv6) server. To remove the request, use the no form of this command.
ipv6 dhcp client request vendor
no ipv6 dhcp client request vendor
Note This command is available only if the switch is running the metro IP access image and you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 { default | routing | vlan } global configuration command, and reload the switch.
Use the ipv6 dhcp client request vendor interface configuration to request a vendor-specific option. When enabled, the command is verified only when an IPv6 address is acquired from DHCP. If you enter the command after the interface has an IPv6 address, the command does not take effect until the next time the client acquires an IPv6 address from DHCP.
Use the ipv6 dhcp ping packets global configuration command to specify the number of packets a Dynamic Host Configuration Protocol for IPv6 (DHCPv6) server sends to a pool address as part of a ping operation. To prevent the server from pinging pool addresses, use the no form of this command.
Note This command is available only if the switch is running the metro IP access image and you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 { default | vlan} global configuration command, and reload the switch.
The DHCPv6 server pings a pool address before assigning it to a requesting client. An unanswered ping indicates that the address is not in use and the server assigns the address to the requesting client.
Setting the number argument to 0 turns off the DHCPv6 server ping operation.
This example specifies two ping attempts by the DHCPv6 server before further ping attempts stop:
Use the ipv6 dhcp pool global configuration command to enter Dynamic Host Configuration Protocol for IPv6 (DHCPv6) pool configuration mode. Use the no form of this command to return to the default settings.
Note This command is available only if the switch is running the metro IP access image and you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 { default | vlan } global configuration command, and reload the switch.
DHCPv6 pool configuration mode commands:
– vendor-id : enter a vendor-specific identification number. This number is the vendor IANA Private Enterprise Number. The range is 1 to 4294967295.
– suboption number : sets vendor-specific suboption number. The range is 1 to 65535. Enter an IPv6 address, ASCII text, or a hexadecimal string as defined by the suboption parameters.
After you create the DHCPv6 configuration information pool, use the ipv6 dhcp server interface configuration command to associate the pool with a server on an interface. However, if you do not configure an information pool, you still need to use the ipv6 dhcp server interface configuration command to enable the DHCPv6 server function on an interface.
When you associate a DHCPv6 pool with an interface, only that pool services requests on the associated interface. The pool also services other interfaces. If you do not associate a DHCPv6 pool with an interface, it can service requests on any interface.
Not using any IPv6 address prefix means that the pool only returns configured options.
The link-address keyword allows matching of a link-address without necessarily allocating an address. You can match the pool from multiple relays by using multiple link-address configuration commands inside a pool.
Because a longest match is performed on either the address pool information or the link information, you can configure one pool to allocate addresses and another pool on a subprefix that only returns configured options.
This example shows how to configure a pool called engineering with an IPv6 address prefix :
This example shows how to configure a pool called testgroup with three link-address prefixes and an IPv6 address prefix:
This example shows how to configure a pool called 350 with vendor-specific options:
Use the ipv6 dhcp server interface configuration command to enable Dynamic Host Configuration Protocol for IPv6 (DHCPv6) service on an interface. To disable DHCPv6 service on an interface, use the no form of this command.
ipv6 dhcp server [ poolname | automatic ] [ allow-hint ] [ rapid-commit ] [ preference value ]
Note This command is available only if the is running the metro IP access image and you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
The ipv6 dhcp server interface configuration command enables DHCPv6 service on a specified interface.
If you enter the automatic keyword, the system automatically determine which pool to use when allocating addresses for a client. When the server receives an IPv6 DHCP packet, the server determines if it was received from a DHCP relay or if it was directly received from the client. If the packet was received from a relay, the server verifies the link-address field inside the packet associated with the first relay that is closest to the client. The server matches this link-address against all address prefix and link-address configurations in IPv6 DHCP pools to find the longest prefix match. The server selects the pool associated with the longest match.
If the packet was received directly from the client, the server performs this same matching, but it uses all the IPv6 addresses configured on the incoming interface when performing the match. Once again, the server selects the longest prefix match.
If you enter the allow-hint keyword, the server allocates a valid client-suggested address in the solicit and request messages. The prefix address is valid if it is in the associated local prefix address pool and it is not assigned to a device. If the allow-hint keyword is not specified, the server ignores the client hint, and an address is allocated from the free list in the pool.
If you configure the preference keyword with a value other than 0, the server adds a preference option to carry the preference value for the advertise messages. This action affects the selection of a server by the client. Any advertise message that does not include a preference option is considered to have a preference value of 0. If the client receives an advertise message with a preference value of 255, the client immediately sends a request message to the server from which the message was received.
Entering the rapid-commit keyword enables the use of the two-message exchange.
The DHCPv6 client, server, and relay functions are mutually exclusive on an interface. When one of these functions is already enabled and you try to configure a different function on the same interface, the switch returns one of these messages:
Use the ipv6 mld snooping global configuration command without keywords to enable IP version 6 (IPv6) Multicast Listener Discovery (MLD) snooping globally or on the specified VLAN. Use the no form of this command to disable MLD snooping on the switch or switch stack or the VLAN.
ipv6 mld snooping [ vlan vlan-id ]
no ipv6 mld snooping [ vlan vlan-id ]
Note This command is available only if the switch is running the metro IP access image and you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 global configuration command and reload the switch.
When MLD snooping is globally disabled, it is disabled on all the existing VLAN interfaces. When you globally enable MLD snooping, it is enabled on all VLAN interfaces that are in the default state (enabled). VLAN configuration will override global configuration on interfaces on which MLD snooping has been disabled.
If MLD snooping is globally disabled, you cannot enable it on a VLAN. If MLD snooping is globally enabled, you can disable it on individual VLANs.
When the IPv6 multicast router is a Catalyst 6500 switch and you are using extended VLANs (in the range 1006 to 4094), IPv6 MLD snooping must be enabled on the extended VLAN on the Catalyst 6500 switch in order for the switch to receive queries on the VLAN. For normal-range VLANs (1 to 1005), it is not necessary to enable IPv6 MLD snooping on the VLAN on the Catalyst 6500 switch.
VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in MLD snooping.
This example shows how to globally enable MLD snooping:
This example shows how to disable MLD snooping on a VLAN:
You can verify your settings by entering the show ipv6 mld snooping user EXEC command.
ipv6 mld snooping [ vlan vlan-id ] last-listener-query-count integer_value
no ipv6 mld snooping [ vlan vlan-id ] last-listener-query-count
Note This command is available only if the switch is running the metro IP access image and you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 global configuration command and reload the switch.
In MLD snooping, the IPv6 multicast router periodically sends out queries to hosts belonging to the multicast group. If a host wants to leave a multicast group, it can silently leave or it can respond to the query with a Multicast Listener Done message (equivalent to an IGMP Leave message). When Immediate Leave is not configured (which it should not be if multiple clients for a group exist on the same port), the configured last-listener query count determines the number of MASQs that are sent before an MLD client is aged out.
When the last-listener query count is set for a VLAN, this count overrides the value configured globally.When the VLAN count is not configured (set to the default of 0), the global count is used.
VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in MLD snooping.
This example shows how to globally set the last-listener query count:
This example shows how to set the last-listener query count for VLAN 10:
You can verify your settings by entering the show ipv6 mld snooping [ vlan vlan-id ] user EXEC command.
Use the ipv6 mld snooping last-listener-query-interval global configuration command to configure IP version 6 (IPv6) Multicast Listener Discovery (MLD) snooping last-listener query interval on the switch or on a VLAN. This time interval is the maximum time that a multicast router waits after issuing a Mulitcast Address Specific Query (MASQ) before deleting a port from the multicast group. Use the no form of this command to reset the query time to the default settings.
ipv6 mld snooping [ vlan vlan-id ] last-listener-query-interval integer_value
no ipv6 mld snooping [ vlan vlan-id ] last-listener-query-interval
Note This command is available only if the switch is running the metro IP access image and you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 global configuration command and reload the switch.
In MLD snooping, when the IPv6 multicast router receives an MLD leave message, it sends out queries to hosts belonging to the multicast group. If there are no responses from a port to a MASQ for a length of time, the router deletes the port from the membership database of the multicast address. The last listener query interval is the maximum time that the router waits before deleting a nonresponsive port from the multicast group.
When a VLAN query interval is set, this overrides the global query interval. When the VLAN interval is set at 0, the global value is used.
VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in MLD snooping.
This example shows how to globally set the last-listener query interval to 2 seconds:
This example shows how to set the last-listener query interval for VLAN 1 to 5.5 seconds:
You can verify your settings by entering the show ipv6 MLD snooping [ vlan vlan-id ] user EXEC command.
Use the ipv6 mld snooping listener-message-suppression global configuration command to enable IP version 6 (IPv6) Multicast Listener Discovery (MLD) snooping listener message suppression. Use the no form of this command to disable MLD snooping listener message suppression.
ipv6 mld snooping listener-message-suppression
no ipv6 mld snooping listener-message-suppression
Note This command is available only if the switch is running the metro IP access image and you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 global configuration command and reload the switch.
MLD snooping listener message suppression is equivalent to IGMP snooping report suppression. When enabled, received MLDv1 reports to a group are forwarded to IPv6 multicast routers only once in every report-forward time. This prevents the forwarding of duplicate reports.
This example shows how to enable MLD snooping listener-message-suppression:
This example shows how to disable MLD snooping listener-message-suppression:
You can verify your settings by entering the show ipv6 mld snooping [ vlan vlan-id ] user EXEC command.
Use the ipv6 mld snooping robustness-variable global configuration command to configure the number of IP version 6 (IPv6) Multicast Listener Discovery (MLD) queries that the switch sends before deleting a listener that does not respond, or enter a VLAN ID to configure on a per-VLAN basis. Use the no form of this command to reset the variable to the default settings.
ipv6 mld snooping [ vlan vlan-id ] robustness-variable integer_value
no ipv6 mld snooping [ vlan vlan-id ] robustness-variable
Note This command is available only if the switch is running the metro IP access image and you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 global configuration command and reload the switch.
Robustness is measured in terms of the number of MLDv1 queries sent with no response before a port is removed from a multicast group. A port is deleted when there are no MLDv1 reports received for the configured number of MLDv1 queries. The global value determines the number of queries that the switch waits before deleting a listener that does not respond and applies to all VLANs that do not have a VLAN value set.
The robustness value configured for a VLAN overrides the global value. If the VLAN robustness value is 0 (the default), the global value is used.
VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in MLD snooping.
This example shows how to configure the global robustness variable so that the switch sends out three queries before it deletes a listener port that does not respond:
This example shows how to configure the robustness variable for VLAN 1. This value overrides the global configuration for the VLAN:
You can verify your settings by entering the show ipv6 MLD snooping [ vlan vlan-id ] user EXEC command.
Use the ipv6 mld snooping tcn global configuration commands to configure IP version 6 (IPv6) Multicast Listener Discovery (MLD) Topology Change Notifications (TCNs). Use the no form of the commands to reset the default settings.
ipv6 mld snooping tcn { flood query count integer_value | query solicit }
no ipv6 mld snooping tcn { flood query count integer_value | query solicit }
Note This command is available only if the switch is running the metro IP access image and you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 global configuration command and reload the switch.
This example shows how to enable TCN query soliciting:
This example shows how to set the flood query count to 5:
You can verify your settings by entering the show ipv6 MLD snooping [ vlan vlan-id ] user EXEC command.
Use the ipv6 mld snooping vlan global configuration command to configure IP version 6 (IPv6) Multicast Listener Discovery (MLD) snooping parameters on the VLAN interface. Use the no form of this command to reset the parameters to the default settings.
ipv6 mld snooping vlan vlan-id [ immediate-leave | mrouter interface interface-id | static ipv6-multicast-address interface interface-id ]
no ipv6 mld snooping vlan vlan-id [ immediate-leave | mrouter interface interface-id | static ip-address interface interface-id ]
Note This command is available only if the switch is running the metro IP access image and you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 global configuration command and reload the switch.
You should only configure the Immediate-Leave feature when there is only one receiver on every port in the VLAN. The configuration is saved in NVRAM.
The static keyword is used for configuring the MLD member ports statically.
The configuration and the static ports and groups are saved in NVRAM.
When the IPv6 multicast router is a Catalyst 6500 switch and you are using extended VLANs (in the range 1006 to 4094), IPv6 MLD snooping must be enabled on the extended VLAN on the Catalyst 6500 switch in order for the switch to receive queries on the VLAN. For normal-range VLANs (1 to 1005), it is not necessary to enable IPv6 MLD snooping on the VLAN on the Catalyst 6500 switch.
VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in MLD snooping.
This example shows how to enable MLD Immediate-Leave processing on VLAN 1:
This example shows how to disable MLD Immediate-Leave processing on VLAN 1:
This example shows how to configure a port as a multicast router port:
This example shows how to configure a static multicast group:
You can verify your settings by entering the show ipv6 mld snooping vlan vlan-id user EXEC command.
Use the ipv6 traffic-filter interface configuration command to filter IPv6 traffic on an interface. Use the no form of this command to disable the filtering of IPv6 traffic on an interface.
ipv6 traffic-filter access-list-name { in | out }
no ipv6 traffic-filter { in | out }
Note This command is available only if you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 { default | routing | vlan ) global configuration command, and reload the switch.
You can use the ipv6 traffic-filter command on physical interfaces (Layer 2 or Layer 3 ports), Layer 3 port channels, or switch virtual interfaces (SVIs).
If the switch is running the metro IP access image, you can apply an ACL to outbound or inbound traffic on Layer 3 interfaces (router ACLs), or to inbound traffic on Layer 2 interfaces (port ACLs). If the switch is running the metro access image, you can apply ACLs only to inbound management traffic on Layer 2 interfaces. These images do not support router ACLs.
If any port ACL (IPv4, IPv6, or MAC) is applied to an interface, that port ACL filters packets, and any router ACLs attached to the SVI of the port VLAN are ignored.
This example filters inbound IPv6 traffic on an IPv6-configured interface as defined by the access list named cisco :
Use the l2protocol-tunnel interface configuration command to enable tunneling of Layer 2 protocols on an access port, a trunk port, an IEEE 802.1Q tunnel port, or a port channel. You can enable tunneling for Cisco Discovery Protocol (CDP), Spanning Tree Protocol (STP), or VLAN Trunking Protocol (VTP) packets. You can also enable point-to-point tunneling for Port Aggregation Protocol (PAgP), Link Aggregation Control Protocol (LACP), or UniDirectional Link Detection (UDLD) packets. Use the no form of this command to disable tunneling on the interface.
l2protocol-tunnel [ cdp | stp | vtp ] | [ drop-threshold [ cdp | stp | vtp | point-to-point [ pagp | lacp | udld ]] value ] | [ point-to-point [ pagp | lacp | udld ]] | [ shutdown-threshold [ cdp | stp | vtp | point-to-point [ pagp | lacp | udld ]] value ]
no l2protocol-tunnel [ cdp | stp | vtp] | [ drop-threshold [ cdp | stp | vtp | point-to-point [ pagp | lacp | udld ]]] | [ point-to-point [ pagp | lacp | udld ]] | [ shutdown-threshold [ cdp | stp | vtp | [ point-to-point [ pagp | lacp | udld ]]]
You must enter this command, with or without protocol types, to tunnel Layer 2 packets.
If you enter this command for a port channel, all ports in the channel must have the same configuration.
Layer 2 protocol tunneling across a service-provider network ensures that Layer 2 information is propagated across the network to all customer locations. When protocol tunneling is enabled, protocol packets are encapsulated with a well-known Cisco multicast address for transmission across the network. When the packets reach their destination, the well-known MAC address is replaced by the Layer 2 protocol MAC address.
You can enable Layer 2 protocol tunneling for CDP, STP, and VTP individually or for all three protocols.
Note The switch does not support VTP. CDP and STP are enabled by default network node interfaces (NNIs) and disabled by default but can be enabled on enhanced network interfaces (ENIs). User network interfaces (UNIs) do not support any of these protocols.
In a service-provider network, you can use Layer 2 protocol tunneling to enhance the creation of EtherChannels by emulating a point-to-point network topology. When protocol tunneling is enabled on the service-provider switch for PAgP or LACP, remote customer switches receive the protocol data units (PDUs) and can negotiate automatic creation of EtherChannels.
Note Only NNIs and ENIs support PAgP and LACP.
To enable tunneling of PAgP, LACP, and UDLD packets, you must have a point-to-point network topology. To decrease the link-down detection time, you should also enable UDLD on the interface when you enable tunneling of PAgP or LACP packets.
You can enable point-to-point protocol tunneling for PAgP, LACP, and UDLD individually or for all three protocols.
Enter the shutdown-threshold keyword to control the number of protocol packets per second that are received on an interface before it shuts down. When no protocol option is specified with the keyword, the threshold is applied to each of the tunneled Layer 2 protocol types. If you also set a drop threshold on the interface, the shutdown-threshold value must be greater than or equal to the drop-threshold value.
When the shutdown threshold is reached, the interface is error-disabled. If you enable error recovery by entering the errdisable recovery cause l2ptguard global configuration command, the interface is brought out of the error-disabled state and allowed to retry the operation again when all the causes have timed out. If the error recovery mechanism is not enabled for l2ptguard , the interface stays in the error-disabled state until you enter the shutdown and no shutdown interface configuration commands.
Enter the drop-threshold keyword to control the number of protocol packets per second that are received on an interface before it drops packets. When no protocol option is specified with a keyword, the threshold is applied to each of the tunneled Layer 2 protocol types. If you also set a shutdown threshold on the interface, the drop-threshold value must be less than or equal to the shutdown-threshold value.
When the drop threshold is reached, the interface drops Layer 2 protocol packets until the rate at which they are received is below the drop threshold.
The configuration is saved in NVRAM.
Note For more information about Layer 2 protocol tunneling, see the software configuration guide for this release.
This example shows how to enable protocol tunneling for CDP packets and to configure the shutdown threshold as 50 packets per second:
This example shows how to enable protocol tunneling for STP packets and to configure the drop threshold as 400 packets per second:
This example shows how to enable point-to-point protocol tunneling for PAgP and UDLD packets and to configure the PAgP drop threshold as 1000 packets per second:
Use the l2protocol-tunnel cos global configuration command to configure class of service (CoS) value for all tunneled Layer 2 protocol packets. Use the no form of this command to return to the default setting.
Use the lacp port-priority interface configuration command to configure the port priority for the Link Aggregation Control Protocol (LACP). Use the no form of this command to return to the default setting.
Note LACP is available only on network node interfaces (NNIs) and enhanced network interfaces (ENIs).
The lacp port-priority interface configuration command determines which ports are bundled and which ports are put in hot-standby mode when there are more than eight ports in an LACP channel group. This command takes effect only on EtherChannel ports that are already configured for LACP. If the interface is a user network interface (UNI), you must use the port-type nni or port-type eni interface configuration command to change the interface to an NNI or ENI before configuring lacp port-priority.
In priority comparisons, numerically lower values have higher priority. The switch uses the priority to decide which ports should be put in standby mode when there is a hardware limitation that prevents all compatible ports from being active. If two or more ports have the same LACP port priority (for example, they are configured with the default setting of 65535), an internal value for the port number determines the priority.
Note The LACP port priorities are only effective if the ports are on the switch that controls the LACP link. See the lacp system-priority global configuration command for information about determining which switch controls the link.
Use the show lacp internal privileged EXEC command to display LACP port priorities and internal port number values.
For information about configuring LACP on physical ports, see the “Configuring EtherChannels” chapter in the software configuration guide for this release.
This example shows how to configure the LACP port priority on a port:
You can verify your settings by entering the show lacp [ channel-group-number ] internal privileged EXEC command.
show lacp [ channel-group-number ] internal |
Displays internal information for all channel groups or for the specified channel group. |
Use the lacp system-priority global configuration command to configure the system priority for the Link Aggregation Control Protocol (LACP). Use the no form of this command to return to the default setting.
Note LACP is available only on network node interfaces (NNIs) and enhanced network interfaces (ENIs).
The lacp system-priority command determines which switch in an LACP link controls port priorities. Although this is a global configuration command, the priority only takes effect on EtherChannels that have physical ports that are already configured for LACP.
An LACP channel group can have up to 16 Ethernet ports of the same type. Up to eight ports can be active, and up to eight ports can be in standby mode. When there are more than eight ports in an LACP channel group, the switch on the controlling end of the link uses port priorities to determine which ports are bundled into the channel and which ports are put in hot-standby mode. Port priorities on the other switch (the noncontrolling end of the link) are ignored.
In priority comparisons, numerically lower values have higher priority. Therefore, the switch with the numerically lower system value (higher priority value) for LACP system priority becomes the controlling switch. If both switches have the same LACP system priority (for example, they are both configured with the default setting of 32768), the LACP system ID (the switch MAC address) determines which switch is in control.
The lacp system-priority command applies to all LACP EtherChannels on the switch.
Use the show etherchannel summary privileged EXEC command to see which ports are in the hot-standby mode (denoted with an H port-state flag).
For more information about configuring LACP on physical ports, see the “Configuring EtherChannels” chapter in the software configuration guide for this release.
This example shows how to set the LACP system priority:
You can verify your settings by entering the show lacp sys-id privileged EXEC command.
show lacp sys-id |
Use the link state group interface configuration command to configure a port as a member of a link-state group. Use the no form of this command to remove the port from the link-state group.
link state group [ number ] { upstream | downstream }
Use the link state group interface configuration command to configure a port as an upstream or downstream port for a specific link-state group. If the group number is omitted, the default group is assumed.
An interface can be an aggregation of ports (an EtherChannel), a single switch port in access or trunk mode, or a routed port. Each downstream interface can be associated with one or more upstream interfaces. Upstream interfaces can be bundled together, and each downstream interface can be associated with a single group consisting of multiple upstream interfaces, referred to as link-state groups.
The link state of the downstream interfaces are dependent on the link state of the upstream interfaces in the associated link-state group. If all of the upstream interfaces in a link-state group are in a link-down state, the associated downstream interfaces are forced into a link-down state. If any one of the upstream interfaces in the link-state group is in a link-up state, the associated downstream interfaces are allowed to change to, or remain in, a link-up state.
This example shows how to configure the interfaces as upstream in group 2 :
You can verify your settings by entering the show running-config privileged EXEC command.
Displays the operating configuration. For syntax information, use this link to the Cisco IOS Release 12.2 Command Reference listing page:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/prod_command_reference_list.html
|
Use the link state track user EXEC command to enable a link-state group. Use the no form of this command to disable a link-state group.
Use the link state track global configuration command to enable a link-state group.
This example shows how enable link-state group 2:
You can verify your settings by entering the show running-config privileged EXEC command.
Displays the operating configuration. For syntax information, use this link to the Cisco IOS Release 12.2 Command Reference listing page:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/prod_command_reference_list.html
|
Use the location global configuration command to configure location information for an endpoint. Use the no form of this command to remove the location information.
location { admin-tag string | civic-location identifier id | elin-location string identifier id}
no location { admin-tag string | civic-location identifier id | elin-location string identifier id}
After entering the location civic-location identifier id global configuration command, you enter civic location configuration mode. In this mode, you can enter the civic location and the postal location information.
The civic-location identifier must not exceed 250 bytes.
Use the no lldp med-tlv-select location information interface configuration command to disable the location TLV. The location TLV is enabled by default. For more information, see the “Configuring LLDP and LLDP-MED” chapter of the software configuration guide for this release.
This example shows how to configure civic location information on the switch:
You can verify your settings by entering the show location civic-location privileged EXEC command.
This example shows how to configure the emergency location information location on the switch:
You can verify your settings by entering the show location elin privileged EXEC command.
Use the location interface command to enter location information for an interface. Use the no form of this command to remove the interface location information.
location { additional-location-information word | civic-location-id id | elin-location-id id}
no location { additional-location-information word | civic-location-id id | elin-location-id id}
After entering the location civic-location-id id interface configuration command, you enter civic location configuration mode. In this mode, you can enter the additional location information.
These examples show how to enter civic location information for an interface:
You can verify your settings by entering the show location civic interface privileged EXEC command.
This example shows how to enter emergency location information for an interface:
You can verify your settings by entering the show location elin interface privileged EXEC command.
Use the logging event interface configuration command to enable notification of interface link status changes. Use the no form of this command to disable notification.
logging event { bundle-status | link-status | spanning-tree | status | trunk status }
no logging event { bundle-status | link-status | spanning-tree | status | trunk status }
Use the logging file global configuration command to set logging file parameters. Use the no form of this command to return to the default setting.
logging file filesystem : filename [ max-file-size [ min-file-size ]] [ severity-level-number | type ]
no logging file filesystem: filename [ severity-level-number | type ]
The log file is stored in ASCII text format in an internal buffer on the switch. You can access logged system messages by using the switch command-line interface (CLI) or by saving them to a properly configured syslog server. If the switch fails, the log is lost unless you had previously saved it to flash memory by using the logging file flash: filename global configuration command.
After saving the log to flash memory by using the logging file flash: filename global configuration command, you can use the more flash: filename privileged EXEC command to display its contents.
The command rejects the minimum file size if it is greater than the maximum file size minus 1024; the minimum file size then becomes the maximum file size minus 1024.
Specifying a level causes messages at that level and numerically lower levels to be displayed.
This example shows how to save informational log messages to a file in flash memory:
You can verify your setting by entering the show running-config privileged EXEC command.
Displays the operating configuration. For syntax information, use this link to the Cisco IOS Release 12.2 Command Reference listing page:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/prod_command_reference_list.html
|
Use the mac access-group interface configuration command to apply a MAC access control list (ACL) to a Layer 2 interface. Use the no form of this command to remove all MAC ACLs or the specified MAC ACL from the interface. You create the MAC ACL by using the mac access-list extended global configuration command.
Interface configuration (Layer 2 interfaces only)
You can apply MAC ACLs only to ingress Layer 2 interfaces. You cannot apply MAC ACLs to Layer 3 interfaces.
On Layer 2 interfaces, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC access lists. You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an IP ACL and a MAC ACL to the interface. You can apply no more than one IP access list and one MAC access list to the same Layer 2 interface.
If a MAC ACL is already configured on a Layer 2 interface and you apply a new MAC ACL to the interface, the new ACL replaces the previously configured one.
If you apply an ACL to a Layer 2 interface on a switch, and the switch has an input Layer 3 ACL or a VLAN map applied to a VLAN that the interface is a member of, the ACL applied to the Layer 2 interface takes precedence.
When an inbound packet is received on an interface with a MAC ACL applied, the switch checks the match conditions in the ACL. If the conditions are matched, the switch forwards or drops the packet, according to the ACL.
If the specified ACL does not exist, the switch forwards all packets.
Note For more information about configuring MAC extended ACLs, see the “Configuring Network Security with ACLs” chapter in the software configuration guide for this release.
This example shows how to apply a MAC extended ACL named macacl2 to an interface:
You can verify your settings by entering the show mac access-group privileged EXEC command. You can see configured ACLs on the switch by entering the show access-lists privileged EXEC command.
Displays the operating configuration. For syntax information, use this link to the Cisco IOS Release 12.2 Command Reference listing page:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/prod_command_reference_list.html
|
Use the mac access-list extended global configuration command to create an access list based on MAC addresses for non-IP traffic. Using this command puts you in the extended MAC access-list configuration mode. Use the no form of this command to return to the default setting.
Note You cannot apply named MAC extended ACLs to Layer 3 interfaces.
MAC named extended lists are used with VLAN maps and class maps.
You can apply named MAC extended ACLs to VLAN maps or to Layer 2 interfaces.
You cannot apply named MAC extended ACLs to Layer 3 interfaces.
Entering the mac access-list extended command enables the MAC access-list configuration mode. These configuration commands are available:
Note For more information about MAC extended access lists, see the software configuration guide for this release.
This example shows how to create a MAC named extended access list named mac1 and to enter extended MAC access-list configuration mode:
This example shows how to delete MAC named extended access list mac1 :
You can verify your settings by entering the show access-lists privileged EXEC command.
Use the mac address-table aging-time global configuration command to set the length of time that a dynamic entry remains in the MAC address table after the entry is used or updated. Use the no form of this command to return to the default setting. The aging time applies to all VLANs or a specified VLAN.
mac address-table aging-time { 0 | 10-1000000 } [ vlan vlan-id ]
no mac address-table aging-time { 0 | 10-1000000 } [ vlan vlan-id ]
If hosts do not send continuously, increase the aging time to record the dynamic entries for a longer time. Increasing the time can reduce the possibility of flooding when the hosts send again.
If you do not specify a specific VLAN, this command sets the aging time for all VLANs.
This example shows how to set the aging time to 200 seconds for all VLANs:
You can verify your setting by entering the show mac address-table aging-time privileged EXEC command.
Use the mac address-table learning global configuration command to enable MAC address learning on a VLAN. This is the default state. Use the no form of this command to disable MAC address learning on a VLAN to control which VLANs can learn MAC addresses.
mac address-table learning vlan vlan-id
Customers in a service provider network can tunnel a large number of MAC addresses through the network and fill the available MAC address table space. When you control MAC address learning on a VLAN, you can manage the available MAC address table space by controlling which VLANs, and therefore which ports, can learn MAC addresses.
You can disable MAC address learning on a single VLAN (for example, no mac address-table learning vlan 223 ) or on a range of VLANs (for example, mac address-table learning vlan 1-10, 15 ).
Before you disable MAC address learning, be sure that you are familiar with the network topology and the switch system configuration. Disabling MAC address learning on a VLAN could cause flooding in the network. For example, if you disable MAC address learning on a VLAN with a configured switch virtual interface (SVI), the switch floods all IP packets in the Layer 2 domain. If you disable MAC address learning on a VLAN that includes more than two ports, every packet entering the switch is flooded in that VLAN domain. We recommend that you disable MAC address learning only in VLANs that contain two ports and that you use caution before disabling MAC address learning on a VLAN with an SVI.
You cannot disable MAC address learning on a VLAN that the switch uses internally. If the VLAN ID that you enter in the no mac address-table learning vlan vlan-id command is an internal VLAN, the switch generates an error message and rejects the command. To view used internal VLANs, enter the show vlan internal usage privileged EXEC command.
If you disable MAC address learning on a VLAN configured as a private VLAN primary or a secondary VLAN, the MAC addresses are still learned on the other VLAN (primary or secondary) that belongs to the private VLAN.
You cannot disable MAC address learning on an RSPAN VLAN. The configuration is not allowed.
If you disable MAC address learning on a VLAN that includes a secure port, MAC address learning is not disabled on the secure port. If you later disable port security on the interface, the disabled MAC address learning state is enabled.
To display MAC address learning status of all VLANs or a specified VLAN, enter the show mac-address-table learning [ vlan vlan-id command].
This example shows how to disable MAC address learning on VLAN 2003:
To display MAC address learning status of all VLANs or a specified VLAN, enter the show mac address-table learning [ vlan vlan-id ] command.
Use the mac address-table move update global configuration command to enable the MAC address-table move update feature. Use the no form of this command to return to the default setting.
The MAC address-table move update feature allows the switch to provide rapid bidirectional convergence if a primary (forwarding) link goes down and the standby link begins forwarding traffic.
You can configure the access switch to send the MAC address-table move update messages if the primary link goes down and the standby link comes up. You can configure the uplink switches to receive and process the MAC address-table move update messages.
This example shows how to configure an access switch to send MAC address-table move update messages:
This example shows how to configure an uplink switch to get and process MAC address-table move update messages:
You can verify your settings by entering the show mac address-table move update privileged EXEC command.
Use the mac address-table notification global configuration command to enable the MAC address notification feature on the switch. Use the no form of this command to return to the default setting.
mac address-table notification { change [ history-size value | interval value ] | mac-move | threshold [[ limit percentage ] interval time ]}
no mac address-table notification { change [ history-size value | interval value ] | mac-move | threshold [[ limit percentage ] interval time ]}
By default, the MAC address notification, MAC move, and MAC threshold monitoring are disabled.
The default MAC change trap interval is 1 second.
The default number of entries in the history table is 1.
The default MAC utilization threshold is 50 percent.
The default time between MAC threshold notifications is 120 seconds.
The MAC address notification change feature sends Simple Network Management Protocol (SNMP) traps to the network management system (NMS) whenever a new MAC address is added or an old address is deleted from the forwarding tables. MAC change notifications are generated only for dynamic and secure MAC addresses and are not generated for self addresses, multicast addresses, or other static addresses.
When you configure the history-size option, the existing MAC address history table is deleted, and a new table is created.
You enable the MAC address notification change feature by using the mac address-table notification change command. You must also enable MAC address notification traps on an interface by using the snmp trap mac-notification change interface configuration command and configure the switch to send MAC address traps to the NMS by using the snmp-server enable traps mac-notification change global configuration command.
You can also enable traps whenever a MAC address is moved from one port to another in the same VLAN by entering the mac address-table notification mac-move command and the snmp-server enable traps mac-notification move global configuration command.
To generate traps whenever the MAC address table threshold limit is reached or exceeded, enter the mac address-table notification threshold [ limit percentage ] | [ interval time ] command and the snmp-server enable traps mac-notification threshold global configuration command.
This example shows how to enable the MAC address-table change notification feature, set the interval time to 60 seconds, and set the history-size to 100 entries:
You can verify your settings by entering the show mac address-table notification privileged EXEC command.
clear mac address-table notification |
|
Displays the MAC address notification settings on all interfaces or on the specified interface. |
|
Sends the SNMP MAC notification traps when the mac-notification keyword is appended. |
|
Enables the SNMP MAC notification trap on a specific interface. |
Use the mac address-table static global configuration command to add static addresses to the MAC address table. Use the no form of this command to remove static entries from the table.
mac address-table static mac-addr vlan vlan-id interface interface-id
no mac address-table static mac-addr vlan vlan-id [ interface interface-id ]
This example shows how to add the static address c2f3.220a.12f4 to the MAC address table. When a packet is received in VLAN 4 with this MAC address as its destination, the packet is forwarded to the specified interface:
You can verify your setting by entering the show mac address-table privileged EXEC command.
Use the mac address-table static drop global configuration command to enable unicast MAC address filtering and to configure the switch to drop traffic with a specific source or destination MAC address. Use the no form of this command to return to the default setting.
mac address-table static mac-addr vlan vlan-id drop
Follow these guidelines when using this feature:
For example, if you enter the mac address-table static mac-addr vlan vlan-id interface interface-id global configuration command followed by the mac address-table static mac-addr vlan vlan-id drop command, the switch drops packets with the specified MAC address as a source or destination.
If you enter the mac address-table static mac-addr vlan vlan-id drop global configuration command followed by the mac address-table static mac-addr vlan vlan-id interface interface-id command, the switch adds the MAC address as a static address.
This example shows how to enable unicast MAC address filtering and to configure the switch to drop packets that have a source or destination address of c2f3.220a.12f4. When a packet is received in VLAN 4 with this MAC address as its source or destination, the packet is dropped:
This example shows how to disable unicast MAC address filtering:
You can verify your setting by entering the show mac address-table static privileged EXEC command.
Use the macro apply interface configuration command to apply a macro to an interface or to apply and trace a macro configuration on an interface.
macro
{
apply
|
trace
}
macro-name
[
parameter
{
value
}] [
parameter
{
value
}]
[
parameter
{
value
}]
You can use the macro trace macro-name interface configuration command to apply and show the macros running on an interface or to debug the macro to find any syntax or configuration errors.
If a command fails because of a syntax error or a configuration error when you apply a macro, the macro continues to apply the remaining commands to the interface.
When creating a macro that requires the assignment of unique values, use the parameter value keywords to designate values specific to the interface.
Keyword matching is case sensitive. All matching occurrences of the keyword are replaced with the corresponding value. Any full match of a keyword, even if it is part of a larger string, is considered a match and is replaced by the corresponding value.
Some macros might contain keywords that require a parameter value. You can use the macro apply macro-name ? command to display a list of any required values in the macro. If you apply a macro without entering the keyword values, the commands are invalid and are not applied.
When you apply a macro to an interface, the macro name is automatically added to the interface. You can display the applied commands and macro names by using the show running-configuration interface interface-id user EXEC command.
A macro applied to an interface range behaves the same way as a macro applied to a single interface. When you use an interface range, the macro is applied sequentially to each interface within the range. If a macro command fails on one interface, it is still applied to the remaining interfaces.
You can delete a macro-applied configuration on an interface by entering the default interface interface-id interface configuration command.
After you have created a macro by using the macro name global configuration command, you can apply it to an interface. This example shows how to apply a user-created macro called duplex to an interface:
To debug a macro, use the macro trace interface configuration command to find any syntax or configuration errors in the macro as it is applied to an interface. This example shows how troubleshoot the user-created macro called duplex on an interface:
Use the macro description interface configuration command to enter a description about which macros are applied to an interface. Use the no form of this command to remove the description.
Use the description keyword to associate comment text, or the macro name, with an interface. When multiple macros are applied on a single interface, the description text will be from the last applied macro.
This example shows how to add a description to an interface:
You can verify your settings by entering the show parser macro description privileged EXEC command.
Use the macro global global configuration command to apply a macro to a switch or to apply and trace a macro configuration on a switch.
macro global
{
apply
|
trace
}
macro-name
[
parameter
{
value
}] [
parameter
{
value
}]
[
parameter
{
value
}]
You can use the macro trace macro-name global configuration command to apply and to show the macros running on a switch or to debug the macro to find any syntax or configuration errors.
If a command fails because of a syntax error or a configuration error when you apply a macro, the macro continues to apply the remaining commands to the switch.
When creating a macro that requires the assignment of unique values, use the parameter value keywords to designate values specific to the switch.
Keyword matching is case sensitive. All matching occurrences of the keyword are replaced with the corresponding value. Any full match of a keyword, even if it is part of a larger string, is considered a match and is replaced by the corresponding value.
Some macros might contain keywords that require a parameter value. You can use the macro global apply macro-name ? command to display a list of any required values in the macro. If you apply a macro without entering the keyword values, the commands are invalid and are not applied.
When you apply a macro to a switch, the macro name is automatically added to the switch. You can display the applied commands and macro names by using the show running-configuration user EXEC command.
You can delete a global macro-applied configuration on a switch only by entering the no version of each command contained in the macro.
After you have created a new macro by using the macro name global configuration command, you can apply it to a switch. This example shows how see the snmp macro and how to apply the macro and set the hostname to test-server and set the IP precedence value to 7:
To debug a macro, use the
macro global trace
global configuration command to find any syntax or configuration errors in the macro when it is applied to a switch. In this example, the
ADDRESS
parameter value was not entered, causing the
snmp-server host
command to fail while the remainder of the macro is applied to the switch:
Use the macro global description global configuration command to enter a description about the macros that are applied to the switch. Use the no form of this command to remove the description.
Use the description keyword to associate comment text, or the macro name, with a switch. When multiple macros are applied on a switch, the description text will be from the last applied macro.
This example shows how to add a description to a switch:
You can verify your settings by entering the show parser macro description privileged EXEC command.
Use the macro name global configuration command to create a configuration macro. Use the no form of this command to delete the macro definition.
A macro can contain up to 3000 characters. Enter one macro command per line. Use the @ character to end the macro. Use the # character at the beginning of a line to enter comment text within the macro.
You can define mandatory keywords within a macro by using a help string to specify the keywords. Enter # macro keywords word to define the keywords that are available for use with the macro. You can enter up to three help string keywords separated by a space. If you enter more than three macro keywords, only the first three are shown.
Macro names are case sensitive. For example, the commands macro name Sample-Macro and macro name sample-macro will result in two separate macros.
When creating a macro, do not use the exit or end commands or change the command mode by using interface interface-id . This could cause commands that follow exit , end , or interface interface-id to execute in a different command mode.
The no form of this command only deletes the macro definition. It does not affect the configuration of those interfaces on which the macro is already applied. You can delete a macro-applied configuration on an interface by entering the default interface interface-id interface configuration command. Alternatively, you can create an anti-macro for an existing macro that contains the no form of all the corresponding commands in the original macro. Then apply the anti-macro to the interface.
You can modify a macro by creating a new macro with the same name as the existing macro. The newly created macro overwrites the existing macro but does not affect the configuration of those interfaces on which the original macro was applied.
This example shows how to create a macro that defines the duplex mode and speed:
This example shows how create a macro with # macro keywords :
This example shows how to display the mandatory keyword values before you apply the macro to an interface:
Use the match access-map configuration command to set the VLAN map to match packets against one or more access lists. Use the no form of this command to remove the match parameters.
match { ip address { name | number } [ name | number ] [ name | number ]...} | { mac address { name } [ name ] [ name ]...}
no match { ip address { name | number } [ name | number ] [ name | number ]...} | { mac address { name } [ name ] [ name ]...}
You enter access-map configuration mode by using the vlan access-map global configuration command.
You must enter one access list name or number; others are optional. You can match packets against one or more access lists. Matching any of the lists counts as a match of the entry.
In access-map configuration mode, use the match command to define the match conditions for a VLAN map applied to a VLAN. Use the action command to set the action that occurs when the packet matches the conditions.
Packets are matched only against access lists of the same protocol type; IP packets are matched against IP access lists, and all other packets are matched against MAC access lists.
Both IP and MAC addresses can be specified for the same map entry.
This example shows how to define and apply a VLAN access map vmap4 to VLANs 5 and 6 that will cause the interface to drop an IP packet if the packet matches the conditions defined in access list al2 .
You can verify your settings by entering the show vlan access-map privileged EXEC command.
Use the match access-group class-map configuration command to configure the match criteria for a class map on the basis of the specified access control list (ACL). Use the no form of this command to remove the ACL match criteria.
match access-group acl-index-or-name
The match access-group command specifies a numbered or named ACL to use as the match criteria to determine if packets belong to the class specified by the class map.
Before using the match access-group command, you must enter the class-map global configuration command to specify the name of the class whose match criteria you want to establish.
You can use the match access-group classification only on input policy maps.
This example shows how to create a class map called in class , which uses the access control list acl1 as the match criterion:
You can verify your settings by entering the show class-map privileged EXEC command.
Use the match cos class-map configuration command to match a packet based on a Layer 2 class of service (CoS) marking. Use the no form of this command to remove the CoS match criteria.
The match cos command specifies a CoS value to use as the match criteria to determine if packets belong to the class specified by the class map.
Before using the match cos command, you must enter the class-map global configuration command to specify the name of the class whose match criteria you want to establish.
You can spe cify up to four Layer 2 CoS values to match against the packet. Separate each value with a space. The range is 0 to 7.
Matching of CoS values is supported only on ports carrying Layer 2 VLAN-tagged traffic. That is, you can use the cos classification only on IEEE 802.1Q trunk ports.
You can use match cos classification in input and output policy maps.
This example shows how to create a class map called in class , which matches all the incoming traffic with service provider CoS values of 1 and 4:
This example shows how to create a class map called video-L2 , which matches all the incoming traffic with customer CoS value of 3:
You can verify your settings by entering the show class-map privileged EXEC command.
Use the match dot1ad dei class-map configuration command to match a packet based on the drop eligibility indicator (DEI) in an IEEE 802.1ad frame. Use the no form of this command to remove the DEI match criteria.
The match dot1ad dei command specifies using the DEI bit of the incoming packet as the match criteria to determine if packets belong to the class specified by the class map.
You can use the command with match-any or match-all options.
You can use this match criteria for per-port and per-port, per-VLAN policies within a child policy map.
Matching on the DEI bit is supported for both ingress and egress classification, but only 802.1ad S-NNI ports can match on the DEI bit.
You can verify your settings by entering the show class-map privileged EXEC command.
This example shows how to create a class map called class1 , which matches traffic on the DEI bit and the CoS value:
Use the match ip dscp class-map configuration command to identify a specific IPv4 Differentiated Service Code Point (DSCP) value as match criteria for a class. Use the no form of this command to remove the match criteria.
The match ip dscp command specifies a DSCP value to use as the match criteria to determine if packets belong to the class specified by the class map.
This command is used by the class map to identify a specific DSCP value marking on a packet. In this context, DSCP values are used as markings only and have no mathematical significance. For example, the DSCP value of 2 is not greater than 1, but merely indicates that a packet marked with a value of 2 is different than one marked with a value of 1. You define the treatment of these marked packets by setting QoS policies in policy-map class configuration mode.
Before using the match ip dscp command, you must enter the class-map global configuration command to specify the name of the class whose match criteria you want to establish.
You can enter up to eight DSCP values in one match statement. For example, if you wanted the DCSP values of 0, 1, 2, 3, 4, 5, 6, or 7, enter the match ip dscp 0 1 2 3 4 5 6 7 command. The packet must match only one (not all) of the specified IPv4 DSCP values to belong to the class.
You can use match ip dscp classification in input and output policy maps.
This example shows how to create a class map called in class , which matches all the incoming traffic with DSCP values of 10, 11, and 12:
You can verify your settings by entering the show class-map privileged EXEC command.
Use the match ip precedence class-map configuration command to identify IPv4 precedence values as match criteria for a class. Use the no form of this command to remove the match criteria.
match ip precedence ip-precedence-list
The match ip precedence command specifies an IPv4 precedence value to use as the match criteria to determine if packets belong to the class specified by the class map.
The precedence values are used as marking only. In this context, the IP precedence values have no mathematical significance. For example, the precedence value of 2 is not greater than 1, but merely indicates that a packet marked with a value of 2 is different than one marked with a value of 1. You define the treatment of these marked packets by setting QoS policies in policy-map class configuration mode.
Before using the match ip precedence command, you must enter the class-map global configuration command to specify the name of the class whose match criteria you want to establish.
You can enter up to four IPv4 precedence values in one match statement. For example, if you wanted the IP precedence values of 0, 1, 2, or 7, enter the match ip precedence 0 1 2 7 command. The packet must match only one (not all) of the specified IP precedence values to belong to the class.
You can use match ip precedence classification in input and output policy maps.
This example shows how to create a class map called class , which matches all the incoming traffic with IP-precedence values of 5, 6, and 7:
You can verify your settings by entering the show class-map privileged EXEC command.
Use the match qos-group class-map configuration command to identify a specific quality of service (QoS) group value as a match criterion for a class. Use the no form of this command to remove the match criterion.
The match qos-group command specifies a QoS group value to use as the match criterion to determine if packets belong to the class specified by the class map.
The QoS-group values are used as marking only and have no mathematical significance. For example, the precedence value of 2 is not greater than 1, but merely indicates that a packet marked with a value of 2 is different than one marked with a value of 1. You define the treatment of these marked packets by setting QoS policies in policy-map class configuration mode.
The QoS-group value is local to the switch, meaning that the QoS-group value marked on a packet does not leave the switch when the packet leaves the switch. If you require a marking that remains with the packet, use IP Differentiated Service Code Point (DSCP) values, IP precedence values, or another method of packet marking.
Before using the match qos-group command, you must enter the class-map global configuration command to specify the name of the class whose match criteria you want to establish.
You can use the match qos-group classification only on output policy maps.
There can be no more than 100 QoS groups on the switch (0 to 99).
This example shows how to classify traffic by using QoS group 13 as the match criterion:
You can verify your settings by entering the show class-map privileged EXEC command.
Use the match vlan class-map configuration command in the parent policy of a hierarchical policy map to apply QoS policies to frames carried on a user-specified VLAN for a given interface. You can use hierarchical policy maps for per-VLAN classification on trunk ports Use the no form of this command to remove the match criteria.
match vlan [ inner ] vlan-list
no match vlan [ inner ] vlan-list
The feature is supported only using a 2-level hierarchical input policy map, where the parent-level defines the VLAN-based classification, and the child-level defines the QoS policy to be applied to the corresponding VLAN(s).
You can configure multiple service classes at the parent-level to match different combinations of VLANs, and you can apply independent QoS policies to each parent-service class using any child-policy map
A policy is considered a parent policy map when it has one or more of its classes associated with a child policy-map. Each class within a parent policy map is called a parent class. You can configure only the match vlan command in parent classes. You cannot configure the match vlan command in classes within the child policy map.
A per-port, per-VLAN parent-level class map supports only a child-policy association; it does not allow any actions to be configured. In addition, for a parent-level class map, you cannot configure an action or a child-policy association for the class class-default .
You cannot configure a mixture of Layer 2 and Layer 3 class maps in a child policy map. When you attempt to associate such a child policy map with a parent policy, the configuration is rejected. However, you can associate Layer 2 child policies and Layer 3 child policies with different parent-level class maps.
Per-port, per-VLAN QoS is supported only on IEEE 802.1Q trunk ports.
Once a per-port, per-vlan hierarchical policy-map is attached to an interface, a parent-class with vlan-based classification can not be dynamically added or removed. The service policy needs to be detached from the interface before making this configuration change.
When the child policy map attached to a VLAN or set of VLANs contains only Layer 3 classification ( match ip dscp , match ip precedence , match IP ACL ), you must be careful to ensure that these VLANs are not carried on any port other than the one on which this per-port, per-VLAN policy is attached. Not following this restriction could result in improper QoS behavior for traffic ingressing the switch on these VLANs.
We also recommend that you restrict VLAN membership on the trunk ports to which the per-port, per-VLAN is applied by using the switchport trunk allowed vlan interface configuration command. Overlapping VLAN membership between trunk ports that have per-port, per-VLAN policies with Layer 3 classification could also result in unexpected QoS behavior.
Before using the match vlan command, you must enter the class-map global configuration command to specify the name of the class whose match criteria you want to establish.
In this example, the class maps in the child-level policy map specify matching criteria for voice and video traffic, and the child policy map sets the action for input policing each type of traffic. The parent-level policy map specifies the VLANs to which the child policy maps are applied on the specified port.
Note You can also enter the match criteria as match vlan 100 200 300 with the same result.
In this example, all packets with an S-VLAN of 100 and a C-VLAN of 200 (packets with C-VLAN 200 tunneled into S-VLAN 100) are classified by the class L2-vpn and packets with an S-VLAN of 110 and a C-VLAN in the range of 210 to 220 (packets with C-VLANs 210 to 220 tunneled into S-VLAN 110) are classified by the class voice-gateway .
You can verify your settings by entering the show class-map privileged EXEC command.
Use the mdix auto interface configuration command to enable the automatic medium-dependent interface crossover (auto-MDIX) feature on the interface. When auto-MDIX is enabled, the interface automatically detects the required cable connection type (straight-through or crossover) and configures the connection appropriately. Use the no form of this command to disable auto-MDIX.
When you enable auto-MDIX on an interface, you must also set the speed and duplex on the interface to auto so that the feature operates correctly. If the port is a user network interface (UNI) or enhanced network interfaces (ENI), you must use the no shutdown interface configuration command to enable it before using the mdix auto command. UNIs and ENIs are disabled by default. Network node interfaces (NNIs) are enabled by default.
When auto-MDIX (along with autonegotiation of speed and duplex) is enabled on one or both of connected interfaces, link up occurs, even if the required cable type (straight-through or crossover) is not present.
Auto-MDIX is supported on all 10/100-Mbps interfaces and on 10/100/1000BASE-T/BASE-TX small form-factor pluggable (SFP)-module interfaces. It is not supported on 1000BASE-SX or -LX SFP module interfaces.
This example shows how to enable auto-MDIX on a port:
You can verify the operational state of auto-MDIX on the interface by entering the show controllers ethernet-controller interface-id phy privileged EXEC command.
show controllers ethernet-controller interface-id phy |
Displays general information about internal registers of an interface, including the operational state of auto-MDIX. |
Use the media-type interface configuration command to manually select the interface and type of a dual-purpose port or to enable the switch to dynamically select the type that first links up. Use the no form of this command to return to the default setting.
You cannot use the RJ-45 interface and the SFP interface of the dual-purpose ports simultaneously to provide redundant links.
When you select auto-select , the switch dynamically selects the type that first links up. This is the default mode. The switch disables the other media type until the active link goes down. When the active link goes down, the switch enables both types until one of them links up. If there are active links on both media, the SFP link has priority. In auto-select mode, the switch configures both types with autonegotiation of speed and duplex (the default).
When you select rj45 , the switch disables the SFP module interface. If you connect a cable to the SFP port, it cannot attain a linkup even if the RJ-45 side is down or is not connected. In this mode, the dual-purpose port behaves like a 10/100/1000BASE-TX interface. You can configure the speed and duplex settings consistent with this interface type.
When you select sfp, the switch disables the RJ-45 interface. If you connect a cable to this port, it cannot attain a linkup even if the SFP module side is down or if the SFP module is not present. Based on the type of installed SFP module, you can configure the speed and duplex settings consistent with this interface type.
To configure speed or duplex settings on a dual-purpose port, you must first select the media type. If you configure auto-select , you cannot configure the speed and duplex interface configuration commands. When you change the interface type, the speed and duplex configurations are removed. The switch configures both types to autonegotiate speed and duplex (the default).
When the media type ia auto-select , the switch uses these criteria to select the media type:
Note An SFP is not installed until it has a fiber or copper cable plugged into the SFP module.
This example shows how to select the SFP interface:
You can verify your setting by entering the show interfaces interface-id capabilities or the show interfaces interface-id transceiver properties privileged EXEC commands.
show interfaces capabilities |
Displays the capabilities of all interfaces or the specified interface. |
show interfaces transceiver properties |
Displays speed, duplex, and media-type settings on all interfaces or the specified interface. |
Use the monitor session global configuration command to start a new Switched Port Analyzer (SPAN) session or Remote SPAN (RSPAN) source or destination session, to enable incoming traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance), to add or delete interfaces or VLANs to or from an existing SPAN or RSPAN session, and to limit (filter) SPAN source traffic to specific VLANs. Use the no form of this command to remove the SPAN or RSPAN session or to remove source or destination interfaces or filters from the SPAN or RSPAN session. For destination interfaces, the encapsulation dot1q or encapsulation replicate keywords are ignored with the no form of the command.
monitor session session_number destination { interface interface-id [, | -] [ encapsulation { dot1q | replicate }] [ ingress {[ dot1q | untagged ] vlan vlan-id }] | { remote vlan vlan-id }
monitor session session_number filter vlan vlan-id [, | -]
monitor session session_number source { interface interface-id [, | -] [ both | rx | tx ]} | { vlan vlan-id [, | -] [ both | rx | tx ]}| { remote vlan vlan-id }
no monitor session { session_number | all | local | remote }
no monitor session session_number destination { interface interface-id [, | -] [ encapsulation { dot1q | replicate} ] [ ingress {[ dot1q | untagged] vlan vlan-id }] | { remote vlan vlan-id }
no monitor session session_number filter vlan vlan-id [, | -]
no monitor session session_number source { interface interface-id [, | -] [ both | rx | tx ]} | { vlan vlan-id [, | -] [ both | rx | tx ]} | { remote vlan vlan-id }
No monitor sessions are configured.
On a source interface, the default is to monitor both received and transmitted traffic.
On a trunk interface used as a source port, all VLANs are monitored.
If encapsulation dot1q or encapsulation replicate is not specified on a local SPAN destination port, packets are sent in native form with no encapsulation tag.
Traffic that enters or leaves source ports or source VLANs can be monitored by using SPAN or RSPAN. Traffic routed to source ports or source VLANs cannot be monitored.
You can set a combined maximum of two local SPAN sessions and RSPAN source sessions. You can have a total of 66 SPAN and RSPAN sessions on a switch.
You can have a maximum of 64 destination ports on a switch.
Each session can include multiple ingress or egress source ports or VLANs, but you cannot combine source ports and source VLANs in a single session. Each session can include multiple destination ports.
When you use VLAN-based SPAN (VSPAN) to analyze network traffic in a VLAN or set of VLANs, all active ports in the source VLANs become source ports for the SPAN or RSPAN session. Trunk ports are included as source ports for VSPAN, and only packets with the monitored VLAN ID are sent to the destination port.
You can monitor traffic on a single port or VLAN or on a series or range of ports or VLANs. You select a series or range of interfaces or VLANs by using the [ , | - ] options.
If you specify a series of VLANs or interfaces, you must enter a space before and after the comma. If you specify a range of VLANs or interfaces, you must enter a space before and after the hyphen ( - ).
EtherChannel ports cannot be configured as SPAN or RSPAN destination ports. A physical port that is a member of an EtherChannel group can be used as a destination port, but it cannot participate in the EtherChannel group while it is as a SPAN destination.
A private-VLAN port cannot be configured as a SPAN destination port.
You can monitor individual ports while they participate in an EtherChannel, or you can monitor the entire EtherChannel bundle by specifying the port-channel number as the RSPAN source interface.
A port used as a destination port cannot be a SPAN or RSPAN source, nor can a port be a destination port for more than one session at a time.
You can enable IEEE 802.1x on a port that is a SPAN or RSPAN destination port; however, IEEE 802.1x is disabled until the port is removed as a SPAN destination. (If IEEE 802.1x is not available on the port, the switch returns an error message.) You can enable IEEE 802.1x on a SPAN or RSPAN source port.
VLAN filtering refers to analyzing network traffic on a selected set of VLANs on trunk source ports. By default, all VLANs are monitored on trunk source ports. You can use the monitor session session_number filter vlan vlan-id command to limit SPAN traffic on trunk source ports to only the specified VLANs.
VLAN monitoring and VLAN filtering are mutually exclusive. If a VLAN is a source, VLAN filtering cannot be enabled. If VLAN filtering is configured, a VLAN cannot become a source.
If ingress traffic forwarding is enabled for a network security device, the destination port forwards traffic at Layer 2.
Destination ports can be configured to act in these ways:
This example shows how to create a local SPAN session 1 to monitor both sent and received traffic on source port 1 to destination port 2:
This example shows how to delete a destination port from an existing local SPAN session:
This example shows how to limit SPAN traffic in an existing session only to specific VLANs:
This example shows how to configure RSPAN source session 1 to monitor multiple source interfaces and to configure the destination RSPAN VLAN 900.
This example shows how to configure an RSPAN destination session 10 in the switch receiving the monitored traffic.
This example shows how to configure the destination port for ingress traffic on VLAN 5 by using a security device that supports IEEE 802.1Q encapsulation. Egress traffic replicates the source; ingress traffic uses IEEE 802.1Q encapsulation.
This example shows how to configure the destination port for ingress traffic on VLAN 5 by using a security device that does not support encapsulation. Egress traffic and ingress traffic are untagged.
You can verify your settings by entering the show monitor privileged EXEC command. You can display SPAN and RSPAN configuration on the switch by entering the show running-config privileged EXEC command. SPAN information appears near the end of the output.
Displays the operating configuration. For syntax information, use this link to the Cisco IOS Release 12.2 Command Reference listing page:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/prod_command_reference_list.html
|
Use the mvr global configuration command without keywords to enable the multicast VLAN registration (MVR) feature on the switch. Use the command with keywords to set the MVR mode for a switch, to configure the MVR IP multicast address, to set the maximum time to wait for a query reply before removing a port from group membership, and to specify the MVR multicast VLAN. Use the no form of this command to return to the default settings.
mvr [ group ip-address [ count ] | mode [ compatible | dynamic ] | querytime value | ringmode flood | vlan vlan-id ]
no mvr [ group ip-address | mode [ compatible | dynamic ] | querytime | ringmode flood | vlan vlan-id ]
Use the mvr group command to statically set up all the IP multicast addresses that will take part in MVR. Any multicast data sent to a configured multicast address is sent to all the source ports on the switch and to all receiver ports that have registered to receive data on that IP multicast address.
When MVR mode is compatible (the default), you can configure 512 multicast entries (MVR group addresses). Although the range appears in the command line help as 1 to 2000, the switch allows only 512 groups.
When MVR mode is dynamic, you can configure a maximum of 2000 MVR group addresses on the switch. The maximum number of simultaneous active multicast streams (that is, the maximum number of television channels that can be receiving) is 512. When this limit is reached, a message is generated that the Maximum hardware limit of groups had been reached . Note that a hardware entry occurs when there is an IGMP join on a port or when you configure a port to join a group by entering the mvr vlan vlan-id group ip-address interface configuration command.
MVR supports aliased IP multicast addresses on the switch. However, if the switch is interoperating with Catalyst 3550 or 3500 XL switches, you should not configure IP addresses that alias between themselves or with the reserved IP multicast addresses (in the range 224.0.0.xxx).
The mvr querytime command applies only to receiver ports.
If the switch MVR is interoperating with Catalyst 2900 XL or 3500 XL switches, set the multicast mode to compatible.
When operating in compatible mode, MVR does not support IGMP dynamic joins on MVR source ports.
MVR can coexist with IGMP snooping on a switch.
Multicast routing and MVR cannot coexist on a switch. If you enable multicast routing and a multicast routing protocol while MVR is enabled, MVR is disabled and a warning message appears. If you try to enable MVR while multicast routing and a multicast routing protocol are enabled, the operation to enable MVR is cancelled with an Error message.
Starting with Cisco IOS release 12.2(52)SE, you can enter the mvr ringmode flood global configuration command to ensure that data forwarding in a ring topology is limited to membership detected ports and excludes forwarding to multicast router ports. This prevents unicast traffic from being dropped in a ring environment when MVR multicast traffic is flowing in one direction and unicast traffic is flowing in the other direction.
This example shows how to enable MVR:
Use the show mvr privileged EXEC command to display the current setting for maximum multicast groups.
This example shows how to configure 228.1.23.4 as an IP multicast address:
This example shows how to configure ten contiguous IP multicast groups with multicast addresses from 228.1.23.1 to 228.1.23.10:
Use the show mvr members privileged EXEC command to display the configured IP multicast group addresses.
This example shows how to set the maximum query response time as one second (10 tenths):
This example shows how to set VLAN 2 as the multicast VLAN:
You can verify your settings by entering the show mvr privileged EXEC command.
Use the mvr interface configuration command to configure a Layer 2 port as a multicast VLAN registration (MVR) receiver or source port, to set the Immediate Leave feature, and to statically assign a port to an IP multicast VLAN and IP address. Use the no form of this command to return to the default settings.
mvr {immediate | type {receiver | source} | vlan vlan-id {[group ip-address] [receiver vlan vlan-id]}}
no mvr {immediate | type {receiver | source} | vlan vlan-id {[group ip-address] [receiver vlan vlan-id]}}
Configure a port as a source port if that port should be able to both send and receive multicast data bound for the configured multicast groups. Multicast data is received on all ports configured as source ports.
Receiver ports on a switch can be in different VLANs, but should not belong to the multicast VLAN.
A port that is not taking part in MVR should not be configured as an MVR receiver port or a source port. A non-MVR port is a normal switch port, able to send and receive multicast data with normal switch behavior.
When Immediate Leave is enabled, a receiver port leaves a multicast group more quickly. Without Immediate Leave, when the switch receives an IGMP leave message from a group on a receiver port, it sends out an IGMP MAC-based query on that port and waits for IGMP group membership reports. If no reports are received in a configured time period, the receiver port is removed from multicast group membership. With Immediate Leave, an IGMP MAC-based query is not sent from the receiver port on which the IGMP leave was received. As soon as the leave message is received, the receiver port is removed from multicast group membership, which speeds up leave latency.
The Immediate Leave feature should be enabled only on receiver ports to which a single receiver device is connected.
The mvr vlan group command statically configures ports to receive multicast traffic sent to the IP multicast address. A port statically configured as a member of group remains a member of the group until statically removed. In compatible mode, this command applies only to receiver ports; in dynamic mode, it can also apply to source ports. Receiver ports can also dynamically join multicast groups by using IGMP join messages.
When operating in compatible mode, MVR does not support IGMP dynamic joins on MVR source ports.
This example shows how to configure a port as an MVR receiver port:
Use the show mvr interface privileged EXEC command to display configured receiver ports and source ports.
This example shows how to enable Immediate Leave on a port:
This example shows how to add a port on VLAN 1 as a static member of IP multicast group 228.1.23.4:
This example shows how to add a port 2 on VLAN 100 as a static member of IP multicast group 228.1.23.4. In this example, the receive port is an access port:
This example shows how to add on port 5 the receiver VLAN 201 with an MVR VLAN of 100.
This example shows how to add on port 5 the receiver VLAN 201 as a static member of the IP multicast group 239.1.1.1, with an MVR VLAN of 100:
You can verify your settings by entering the show mvr members privileged EXEC command.
Use the no authentication logging verbose global configuration command on the switch stack or on a standalone switch to filter detailed information from authentication system messages.
This command filters details, such as anticipated success, from authentication system messages.
Use the no dot1x logging verbose global configuration command on the switch stack or on a standalone switch to filter detailed information from 802.1x system messages.
This command filters details, such as anticipated success, from 802.1x system messages.
Use the no mab logging verbose global configuration command on the switch stack or on a standalone switch to filter detailed information from MAC authentication bypass (MAB) system messages.
This command filters details, such as anticipated success, from MAC authentication bypass (MAB) system messages.
Use the oam protocol cfm svlan EVC configuration command to configure the Ethernet virtual connection (EVC) operation, administration, and maintenance (OAM) protocol as IEEE 801.2ag Connectivity Fault Management (CFM) and to identify the service provider VLAN-ID for a CFM domain level. Use the no form of this command to remove the OAM protocol configuration for the EVC.
When you enter domain domain-name , the CFM domain must have already been created by entering the ethernet cfm domain domain-name level level-id global configuration command. If the CFM domain does not exist, the command is rejected, and an error message appears.
This example shows how to enter EVC configuration mode and to configure the OAM protocol as CFM:
ethernet evc evc-id |
|
Use the pagp learn-method interface configuration command to learn the source address of incoming packets received from an EtherChannel port. Use the no form of this command to return to the default setting.
pagp learn-method { aggregation-port | physical-port }
Note PAgP is available only on network node interfaces (NNIs) and enhanced network interfaces (ENIs).
If the interface is a user network interface (UNI), you must enter the port-type nni or port-type eni interface configuration command before configuring pagp learn-method. Learn must be configured to the same method at both ends of the link.
Note The Cisco ME switch supports address learning only on aggregate ports even though the physical-port keyword is provided in the command-line interface (CLI). The pagp learn-method and the pagp port-priority interface configuration commands have no effect on the switch hardware, but they are required for PAgP interoperability with devices that only support address learning by physical ports.
Note When the link partner to the Cisco ME switch is a physical learner, we recommend that you configure the switch as a physical-port learner. Use the pagp learn-method physical-port interface configuration command, and set the load-distribution method based on the source MAC address by using the port-channel load-balance src-mac global configuration command. Only use the pagp learn-method interface configuration command in this situation.
This example shows how to set the learning method to learn the address on the physical port within the EtherChannel:
This example shows how to set the learning method to learn the address on the port-channel within the EtherChannel:
You can verify your settings by entering the show running-config privileged EXEC command or the show pagp channel-group-number internal privileged EXEC command.
Selects a port over which all traffic through the EtherChannel is sent. |
|
Displays the operating configuration. For syntax information, use this link to the Cisco IOS Release 12.2 Command Reference listing page:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/prod_command_reference_list.html
|
Use the pagp port-priority interface configuration command to select a port over which all Port Aggregation Protocol (PAgP) traffic through the EtherChannel is sent. If all unused ports in the EtherChannel are in hot-standby mode, they can be placed into operation if the currently selected port and link fails. Use the no form of this command to return to the default setting.
Note PAgP is available only on network node interfaces (NNIs) and enhanced network interfaces (ENIs).
If the interface is a user network interface (UNI), you must enter the port-type nni or port-type eni interface configuration command before configuring pagp port-priority.
The physical port with the highest operational priority and that has membership in the same EtherChannel is the one selected for PAgP transmission.
Note The Cisco ME switch supports address learning only on aggregate ports even though the physical-port keyword is provided in the command-line interface (CLI). The pagp learn-method and the pagp port-priority interface configuration commands have no effect on the switch hardware, but they are required for PAgP interoperability with devices that only support address learning by physical ports.
When the link partner to the Cisco ME switch is a physical learner, we recommend that you configure the switch as a physical-port learner by using the pagp learn-method physical-port interface configuration command and to set the load-distribution method based on the source MAC address by using the port-channel load-balance src-mac global configuration command. Use the pagp learn-method interface configuration command only in this situation.
This example shows how to set the port priority to 200:
You can verify your setting by entering the show running-config privileged EXEC command or the show pagp channel-group-number internal privileged EXEC command.
Provides the ability to learn the source address of incoming packets. |
|
Displays the operating configuration. For syntax information, use this link to the Cisco IOS Release 12.2 Command Reference listing page:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/prod_command_reference_list.html
|
Use the permit Address Resolution Protocol (ARP) access-list configuration command to permit an ARP packet based on matches against the Dynamic Host Configuration Protocol (DHCP) bindings. Use the no form of this command to remove the specified access control entry (ACE) from the access control list.
permit {[ request ] ip { any | host sender-ip | sender-ip sender-ip-mask } mac { any | host sender-mac | sender-mac sender-mac-mask } | response ip { any | host sender-ip | sender-ip sender-ip-mask } [{ any | host target-ip | target-ip target-ip-mask }] mac { any | host sender-mac | sender-mac sender-mac-mask } [{ any | host target-mac | target-mac target-mac-mask }]} [ log ]
no permit {[ request ] ip { any | host sender-ip | sender-ip sender-ip-mask } mac { any | host sender-mac | sender-mac sender-mac-mask } | response ip { any | host sender-ip | sender-ip sender-ip-mask } [{ any | host target-ip | target-ip target-ip-mask }] mac { any | host sender-mac | sender-mac sender-mac-mask } [{ any | host target-mac | target-mac target-mac-mask }]} [ log ]
(Optional) Requests a match for the ARP request. When request is not specified, matching is performed against all ARP packets. |
|
(Optional) Accept the specified range of target IP addresses. |
|
(Optional) Accept the specified range of target MAC addresses. |
|
(Optional) Log a packet when it matches the ACE. Matches are logged if you also configure the matchlog keyword in the ip arp inspection vlan logging global configuration command. |
This example shows how to define an ARP access list and to permit both ARP requests and ARP responses from a host with an IP address of 1.1.1.1 and a MAC address of 0000.0000.abcd:
You can verify your settings by entering the show arp access-list privileged EXEC command.
Use the permit IPv6 access list configuration command to set permit conditions for an IPv6 access list. Use the no form of this command to remove the permit conditions.
permit { protocol } { source-ipv6-prefix / prefix-length | any | host source-ipv6-address } [ operator [ port-number ]] { destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address } [ operator [ port-number ]] [ dscp value ] [ fragments ] [ log ] [ log-input ] [ routing ] [ sequence value ] [ time-range name ]
no permit { protocol } { source-ipv6-prefix / prefix-length | any | host source-ipv6-address } [ operator [ port-number ]] { destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address } [ operator [ port-number ]] [ dscp value ] [ fragments ] [ log ] [ log-input ] [ routing ] [ sequence value ] [ time-range name ]
Note Although visible in the command-line help strings, the flow-label and reflect keywords are not supported.
Internet Control Message Protocol
permit icmp { source-ipv6-prefix / prefix-length | any | host source-ipv6-address } [ operator [ port-number ]] { destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address } [ operator [ port-number ]] [ icmp-type [ icmp-code ] | icmp-message ] [ dscp value ] [ log ] [ log-input ] [ routing ] [ sequence value ] [ time-range name ]
permit tcp { source-ipv6-prefix / prefix-length | any | host source-ipv6-address } [ operator [ port-number ]] { destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address } [ operator [ port-number ]] [ ack ] [ dscp value ] [ established ] [ fin ] [ log ] [ log-input ] [ neq { port | protocol }] [ psh ] [ range { port | protocol }] [ rst ] [ routing ] [ sequence value ] [ syn ] [ time-range name ] [ urg ]
permit udp { source-ipv6-prefix / prefix-length | any | host source-ipv6-address } [ operator [ port-number ]] { destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address } [ operator [ port-number ]] [ dscp value ] [ log ] [ log-input ] [ neq { port | protocol }] [ range { port | protocol }] [ routing ] [ sequence value ] [ time-range name ]
Note Although visible in the command-line help strings, the flow-label and reflect keywords are not supported.
This command is available only if your switch has a switch database management (SDM) dual IPv4 and IPv6 template configured.
IPv6 access-list configuration
The permit (IPv6 access-list configuration mode) command is similar to the permit (IPv4 access-list configuration mode) command, but it is IPv6-specific.
Use the permit (IPv6) command after the ipv6 access-list command to enter IPv6 access-list configuration mode and to define the conditions under which a packet passes the access list.
Specifying IPv6 for the protocol argument matches against the IPv6 header of the packet.
By default, the first statement in an access list is number 10, and the subsequent statements increment by 10.
You can add permit , deny , or remark statements to an existing access list without re-entering the entire list. To add a new statement somewhere other than at the end of the list, create a new statement with an appropriate entry number that falls between two existing entry numbers to show where it belongs.
See the ipv6 access-list command for more information on defining IPv6 ACLs.
Every IPv6 ACL has implicit permit icmp any any nd-na , permit icmp any any nd-ns , and deny ipv6 any any statements as its last match conditions. The two permit conditions allow ICMPv6 neighbor discovery. To disallow ICMPv6 neighbor discovery and to deny icmp any any nd-na or icmp any any nd-ns , there must be an explicit deny entry in the ACL. For the three implicit statements to take effect, an IPv6 ACL must contain at least one entry.
The IPv6 neighbor discovery process uses the IPv6 network layer service. Therefore, by default, IPv6 ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface. In IPv4, the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery process, uses a separate data link layer protocol. Therefore, by default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.
Both the source-ipv6-prefix / prefix-length and destination-ipv6-prefix / prefix-length arguments are used for traffic filtering (the source prefix filters traffic based upon its source; the destination prefix filters traffic based upon its destination).
The switch supports IPv6 address matching for a full range of prefix-lengths.
The fragments keyword is an option only if the operator [ port-number ] arguments are not specified.
This is a list of ICMP message names:
This example configures two IPv6 access lists named OUTBOUND and INBOUND and applies both access lists to outbound and inbound traffic on a Layer 3 interface. The first and second permit entries in the OUTBOUND list permit all TCP and UDP packets from network 2001:ODB8:0300:0201::/64 to leave the interface. The deny entry in the OUTBOUND list prevents all packets from the network FE80:0:0:0201::/64 (packets that have the link-local prefix FE80:0:0:0201 as the first 64 bits of their source IPv6 address) from leaving the interface. The third permit entry in the OUTBOUND list permits all ICMP packets to leave the interface.
The permit entry in the INBOUND list permits all ICMP packets to enter the interface.
Note Given that a permit any any statement is not included as the last entry in the OUTBOUND or the INBOUND access list, only TCP, UDP, and ICMP packets can leave or enter the interface (the implicit deny-all condition at the end of the access list denies all other packet types on the interface).
Use the permit MAC access-list configuration command to allow non-IP traffic to be forwarded if the conditions are matched. Use the no form of this command to remove a permit condition from the extended MAC access list.
{ permit | deny } { any | host src-MAC-addr | src-MAC-addr mask } { any | host dst-MAC-addr | dst-MAC-addr mask } [ type mask | cos cos | aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | lsap lsap mask | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp ]
no { permit | deny } { any | host src-MAC-addr | src-MAC-addr mask } { any | host dst-MAC-addr | dst-MAC-addr mask } [ type mask | cos cos | aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | lsap lsap mask | mop-console | mop-dump | msdos | mumps | netbios | vines-echo |vines-ip | xns-idp ]
Note Though visible in the command-line help strings, appletalk is not supported as a matching condition.
To filter IPX traffic, you use the type mask or lsap lsap mask keywords, depending on the type of IPX encapsulation being used. Filter criteria for IPX encapsulation types as specified in Novell terminology and Cisco IOS terminology are listed in Table 2-3 .
You enter MAC access-list configuration mode by using the mac access-list extended global configuration command.
If you use the host keyword, you cannot enter an address mask; if you do not use the any or host keywords, you must enter an address mask.
After an access control entry (ACE) is added to an access control list, an implied deny - any - any condition exists at the end of the list. That is, if there are no matches, the packets are denied. However, before the first ACE is added, the list permits all packets.
Note For more information about MAC-named extended access lists, see the software configuration guide for this release.
This example shows how to define the MAC-named extended access list to allow NETBIOS traffic from any source to MAC address 00c0.00a0.03fa. Traffic matching this list is allowed.
This example shows how to remove the permit condition from the MAC-named extended access list:
This example permits all packets with Ethertype 0x4321:
You can verify your settings by entering the show access-lists privileged EXEC command.
Use the police policy-map class configuration command to define an individual policer for classified traffic and to enter policy-map class police configuration mode. A policer defines a maximum permissible rate of transmission, a maximum burst size and an excess burst size for transmissions, and an action to take if a maximum is exceeded. In policy-map class police configuration mode, you can specify multiple actions for a packet. Use the no form of this command to remove a policer.
Note Although visible in the command-line help, the police rate and percent keywords are not supported.
police { cir cir-bps | rate-bps } [ burst-bytes ] | bc [ burst-value ] | pir pir-bps [ be burst-bytes ] [ conform-action [ drop | set-cos-transmit { new-cos-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-dot1ad-dei-transmit { new-dei-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-dscp-transmit { new-dscp-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-prec-transmit { new-precedence-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-qos-transmit qos-group-value | transmit ] [ exceed action [ drop | set-cos-transmit { new-cos-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-dot1ad-dei-transmit { new-dei-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-dscp-transmit { new-dscp-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-prec-transmit { new-precedence-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-qos-transmit qos-group-value | transmit ] [ violate-action [ drop | set-cos-transmit { new-cos-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-dot1ad-dei-transmit { new-dei-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-dscp-transmit { new-dscp-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-prec-transmit { new-precedence-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-qos-transmit qos-group-value | transmit ]]
no police { cir cir-bps | rate-bps } [ burst-bytes ] | bc [ burst-value ] | pir pir-bps [ be burst-bytes ] [ conform-action [ drop | set-cos-transmit { new-cos-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-dot1ad-dei-transmit { new-dei-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-dscp-transmit { new-dscp-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-prec-transmit { new-precedence-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-qos-transmit qos-group-value | transmit ] [ exceed action [ drop | set-cos-transmit { new-cos-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-dot1ad-dei-transmit { new-dei-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-dscp-transmit { new-dscp-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-prec-transmit { new-precedence-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-qos-transmit qos-group-value | transmit ] [ violate-action [ drop | set-cos-transmit { new-cos-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-dot1ad-dei-transmit { new-dei-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-dscp-transmit { new-dscp-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-prec-transmit { new-precedence-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-qos-transmit qos-group-value | transmit ]]
Note When police is used with the priority policy-map class command for unconditionally rate-limiting the priority queue, burst size values are not supported, and the rate-bps range is smaller. Only the default conform-action of transmit and the default exceed-action of drop are supported.
Policy-map class configuration
You can configure conform-action marking by using enhanced packet marking and configure exceed-action to send the packet unmodified, mark using explicit values, and use all combinations of enhanced packet marking. Enhanced packet marking modifies a QoS marking based on any incoming QoS marking and table maps. The switch also supports marking multiple QoS parameters for the same class and simultaneously configuring conform-action, exceed-action, and violate-action marking.
If the conform action is set to drop , the exceed and violate actions are automatically set to drop . If the exceed action is set to drop , the violate action is automatically set to drop .
The switch supports a maximum of 254 policer profiles. The number of supported policer instances is 1024 minus 1 more than the total number of interfaces on the switch. You can apply the same profile in multiple instances.
VLAN label resources exceeded
error message.
TCAM resources exceeded
error message.– When CPU protection is disabled, you can configure a maximum of 63 policers per port (62 on every fourth port) for user-defined classes and one for class-default for all switches. Any policy attachment or change that causes this limit to be exceeded fails with a policer resources exceeded error message.
– When CPU protection is disabled, you can configure 255 policers on the switch for platform. Any policy attachment or change that causes this limit to be exceeded fails with a policer resources exceeded error message.
– If you disable CPU protection and attach a policy map with more than 45 policers, and enable CPU protection again, and then reload, 19 policers per port are again required for CPU protection. During reload, the policers 46 and above will reach the policer resources exceeded error condition, and no policers are attached to those classes.
Policing is only supported in input policies or in output policies that were configured with the priority policy-map class configuration command to reduce bandwidth in the priority queue.
Note When used with the priority command in an output policy, the police rate range is 64000 to 1000000000 bps, even though the range that appears in the command-line interface help is 8000 to 1000000000. You cannot attach an output service policy with an out-of-range rate.
An output policy map should match only the modified values of the out-of-profile traffic and not the original values.
Only 802.1ad S-UNI and S-NNI ports can use policers marking the DEI bit.
To configure multiple conform-actions or multiple exceed-actions, enter policy-map class police configuration mode, and use the conform-action , exceed-action , and violate-action policy-map class police configuration commands.
If you do not configure a violate-action , by default the violate class is assigned the same action as the exceed action.
When you define the policer and press Enter, you enter policy-map class police configuration mode, in which you can configure multiple policing actions:
This example shows how to configure a policer with a 1-Mb/s average rate with a burst size of 20 KB. The policer sets a new DSCP precedence value if the packets conform to the rate and drops the packet if traffic exceeds the rate.
This example shows how to configure 2-rate, 3-color policing by using policy-map configuration mode.
This example shows how to create the same configuration by using policy-map class police configuration mode.
You can verify your settings by entering the show policy-map privileged EXEC command.
Use the policer aggregate global configuration command to create an aggregate policer to police all traffic across multiple classes in an input policy map. An aggregate policer can be shared by multiple classes in the same policy map. A policer defines a maximum permissible rate of transmission or committed information rate, a maximum burst size for transmissions, and an action to take if the maximum is met or exceeded. Use the no form of this command to remove the specified policer.
policer aggregate aggregate-policer-name { rate-bps | cir cir-bps } [ bc burst- value ]| [ pir pir-bps [be burst-bytes ]] [ conform-action [ drop | set-cos-transmit { new-cos-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-dot1ad-dei-transmit { new-dei-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-dscp-transmit { new-dscp-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-prec-transmit { new-precedence-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-qos-transmit qos-group-value | transmit ] [ exceed-action [ drop | set-cos-transmit { new-cos-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-dot1ad-dei-transmit { new-dei-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-dscp-transmit { new-dscp-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-prec-transmit { new-precedence-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-qos-transmit qos-group-value | transmit] [violate-action [ drop | set-cos-transmit { new-cos-value | [ cos | dscp | precedence ]} | set-dot1ad-dei-transmit { new-dei-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-dscp-transmit { new-dscp-value | [ cos | dscp | precedence ]} | set-prec-transmit { new-precedence-value | [ cos | dscp | precedence ]} | set-qos-transmit qos-group-value | transmit ]]
no policer aggregate aggregate-policer-name { rate-bps | cir cir-bps } [ bc burst- value ]| [ pir pir-bps [be burst-bytes ]] [ conform-action [ drop | set-cos-transmit { new-cos-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-dot1ad-dei-transmit { new-dei-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-dscp-transmit { new-dscp-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-prec-transmit { new-precedence-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-qos-transmit qos-group-value | transmit ] [ exceed-action [ drop | set-cos-transmit { new-cos-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-dot1ad-dei-transmit { new-dei-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-dscp-transmit { new-dscp-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-prec-transmit { new-precedence-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-qos-transmit qos-group-value | transmit] [violate-action [ drop | set-cos-transmit { new-cos-value | [ cos | dscp | precedence ]} | set-dot1ad-dei-transmit { new-dei-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-dscp-transmit { new-dscp-value | [ cos | dscp | precedence ]} | set-prec-transmit { new-precedence-value | [ cos | dscp | precedence ]} | set-qos-transmit qos-group-value | transmit ]]
You can configure conform-action marking using enhanced packet marking and configure exceed-action and violate-action to send the packet unmodified, mark using explicit values, and use all combinations of enhanced packet marking. Enhanced packet marking modifies a QoS marking based on any incoming QoS marking and table maps. The switch also supports marking multiple QoS parameters for the same class, and simultaneously configuring conform-action, exceed-action, and violate-action marking.
If the conform action is set to drop , the exceed and violate actions are automatically set to drop . If the exceed action is set to drop , the violate action is automatically set to drop .
If you do not configure a violate-action , by default the violate class is assigned the same action as the exceed-action .
The switch supports a maximum of 254 unique aggregate policers.
Aggregate policing is supported only in input policy maps.
Table maps are not supported for violate-action for aggregate policing unless a table map is configured for exceed-action and no explicit action is configured for violate action.
You can simultaneously configure multiple conform, exceed, and violate actions for an aggregate policer as parameters in the policer aggregate global configuration command, but you must enter the actions in this order:
set-dscp-transmit or set-prec-transmit
set-dscp-transmit or set-prec-transmit
set-dscp-transmit or set-prec-transmit
An output policy map should match only the modified values of the out-of-profile traffic and not the original values.
Only 802.1ad S-UNI and S-NNI ports can use policers marking the DEI bit.
When you configure an aggregate policer, you can configure specific burst sizes and conform and exceed actions. If burst size ( bc ) is not specified, the system calculates an appropriate burst size value that equals the number of bytes that can be sent in 250 ms at the CIR rate. In most cases, the automatically calculated value is appropriate. Enter a new value only if you are aware of all implications.
This example shows how to configure an aggregate policer named agg-pol-1 and attach it to multiple classes within a policy map:
This example shows how to create a 2-rate, 3-color aggregate policer and attach it to multiple classes within a policy map. The policy map is attached to an ingress port.
You can verify your settings by entering the show aggregate-policer privileged EXEC command.
Use the police aggregate policy-map class configuration command to apply an aggregate policer to multiple classes in the same policy map. A policer defines a maximum permissible rate of transmission, a maximum burst size for transmissions, and an action to take if either maximum is exceeded. Use the no form of this command to remove the specified policer.
Policy-map class configuration
The switch supports a maximum of 229 policer instances associated with ports (228 user-configurable policers and 1 policer reserved for internal use). When CPU protection is enabled (the default), you can configure 45 ingress policers per port. If you disable CPU protection by entering the no policer cpu uni all global configuration command and reloading the switch, you can configure up to 64 ingress policers per port (63 policers on every fourth port). For more information, see the policer cpu uni command.
Aggregate policing applies only to input policy maps.
An aggregate policer differs from an individual policer in that it is shared by multiple traffic classes within a policy map. You use an aggregate policer to police traffic streams across multiple classes in a policy map attached to an interface. You cannot use aggregate policing to aggregate traffic streams across multiple interfaces.
This example shows how to configure the aggregate policing with default actions and apply it across all classes on the same port:
You can verify your settings by entering the show aggregate policer privileged EXEC command.
Use the policer cpu uni global configuration command to enable or disable CPU protection and to configure the CPU policing threshold for all user network interfaces (UNIs) and enhanced network interfaces (ENIs) on the switch. Use the no form of this command to return to the default rate or to disable CPU protection.
policer cpu uni {all | rate-bps }
To protect against accidental or intentional CPU overload, the switch automatically provides CPU protection or control-plane security by dropping or rate-limiting a predefined set of Layer 2 control packets and some Layer 3 control packets for UNIs and ENIs. The switch pre-allocates 27 control-plane security policers for CPU protection, numbered 0 to 26. A policer of 26 means a drop policer. A policer value of 0 to 25 means that the port uses a rate-limiting policer for the control protocol.
CPU policers are pre-allocated. You can configure only the rate-limiting threshold by using the policer cpu uni rate-bps command. The configured threshold applies to all control protocols and all UNIs and ENIs.
CPU protection policing uses 19 policers per port, which allows attaching a maximum of 45 ingress policers to a port. If you need more than 45 policers on a port, you can disable CPU protection by entering the no cpu policer uni all global configuration command before you attach a policy map with more than 45 policers. When CPU protection is disabled, you can attach up to 64 ingress policers to a port.
Note these limitations when you disable CPU protection:
Note For every four ports on a switch (port 1-4, 5-8, etc.), the first three ports support 64 policers, but the fourth port can support only 63 policers.
When you disable or enable the CPU protection feature, you must reload the switch by entering the reload privileged EXEC command before the configuration takes effect.
Note When CPU protection is turned off, protocol packets can reach the CPU, which could cause CPU processing overload and storm control through software.
You can enter the show policer cpu uni-eni {drop | rate} privileged EXEC command to see if CPU protection is enabled.
For more information about control-plane security, see the software configuration guide for this release.
This example shows how to set CPU protection threshold to 10000 b/s and to verify the configuration.
You can verify your settings by entering the show policer cpu uni-eni rate privileged EXEC command.
This example shows how to disable CPU protection and to reload the switch.
This is an example of the output from the show policer cpu uni-eni rate privileged EXEC command when CPU protection is disabled:
Use the policy-map global configuration command to create or to modify a policy map that can be attached to multiple physical ports and to enter policy-map configuration mode. Use the no form of this command to delete an existing policy map.
The switch supports a maximum of 256 unique policy maps.
Before configuring policies for classes whose match criteria are defined in a class map, use the policy-map command to specify the name of the policy map to be created or modified. Entering the policy-map command also enables the policy-map configuration mode, in which you can configure or modify the class policies for that policy map.
After entering the policy-map command, you enter policy-map configuration mode, and these configuration commands are available:
Note If you enter the no policy-map configuration command or the no policy-map policy-map-name global configuration command to delete a policy map that is attached to an interface, a warning message appears that lists any interfaces from which the policy map is being detached. The policy map is then detached and deleted. For example:Warning: Detaching Policy test1 from Interface GigabitEthernet0/1
You can configure class policies in a policy map only if the classes have match criteria defined for them. To configure the match criteria for a class, use the class-map global configuration and match class-map configuration commands. You define packet classification on a physical-port basis.
You can create input policy maps and output policy maps, and you can assign one input policy map and one output policy map to a port. The input policy map acts on incoming traffic on the port; the output policy map acts on outgoing traffic.
You can apply the same policy map to multiple physical ports.
Follow these guidelines when configuring input policy maps:
Follow these guidelines when configuring output policy maps:
For more information about policy maps, see the software configuration guide for this release.
This example shows how to create an input policy map for three classes:
This example shows how to configure an output policy map that provides priority with rate limiting to the gold class and guarantees a minimum remaining bandwidth percent of 20 percent to the silver class and 10 percent to the bronze class:
This example shows how to delete the policy map output-2 :
You can verify your settings by entering the show policy-map privileged EXEC command.
Use the port-channel load-balance global configuration command to set the load-distribution method among the ports in the EtherChannel. Use the no form of this command to return to the default setting.
port-channel load-balance { dst-ip | dst-mac | src-dst-ip | src-dst-mac | src-ip | src-mac }
For information about when to use these forwarding methods, see the “Configuring EtherChannels” chapter in the software configuration guide for this release.
This example shows how to set the load-distribution method to dst-mac :
You can verify your setting by entering the show running-config privileged EXEC command or the show etherchannel load-balance privileged EXEC command.
Displays the operating configuration. For syntax information, use this link to the Cisco IOS Release 12.2 Command Reference listing page:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/prod_command_reference_list.html
|
Use the port-type interface configuration command to change the port type on a Cisco ME switch from its existing port type to a network node interface (NNI), a user network interface (UNI), or an enhanced network interfaces (ENI). Use the no form of this command to return the port to its default setting.
If no configuration file exists, all the 10/100 ports on the Cisco ME switch are UNIs, and the small form-factor pluggable (SFP) module slots on the Cisco ME switch are NNIs. You must configure a port to be an ENI port.
A port configured as an ENI has the same defaults as a UNI port, but the you can configure control protocols (CDP, STP, LLDP, LACP and PAgP) on ENIs. These protocols are not supported on UNIs.
The default status for a UNI or ENI is administratively down to prevent unauthorized users from gaining access to other ports as you configure the switch. You must use the no shutdown interface configuration command to enable a UNI or ENI before you can configure it.
The default status for an NNI is administratively up to allow a service provider remote access to the switch during initial configuration.
Configuring a port as an ENI does not change the administrative state of the port. If the port state is shutdown before a port-type change, it remains in shutdown state; if the state is no shutdown , it remains in no shutdown state.
A port can be reconfigured to another port type. When a port is reconfigured as the other interface type, it inherits all the characteristics of that interface type. By default all ports on the switch are either UNI or NNI. At any time, all ports on the Cisco ME switch are UNIs, NNIs, or ENIs.
Some features are not supported only on all port types. Control protocols (CDP, STP, LLDP, and EtherChannel LACP and PAgP) have different support on each port type:
For information about specific feature support, see the software configuration guide for this release.When you change a port from one type to another, any features exclusive to a port type are removed from the configuration to prevent conflicting configuration options on a specific interface.
Every port on the switch can be a UNI or ENI, but when the switch is running the metro access image, only four ports can be NNIs at the same time. If the switch is running the metro IP access image, you can configure all ports as NNIs.
Entering the no port-type or default port-type interface configuration command returns the port to the default state: UNI for Fast Ethernet ports and NNI for Gigabit Ethernet ports.
Traffic is not switched between UNIs or ENIs, and all traffic incoming on UNIs or ENIs must exit on NNIs to prevent a user from gaining access to another user’s private network. If it is appropriate for two or more UNIs or ENIs to exchange traffic within the switch, you can assign the interface to a community VLAN. A community VLAN can contain a maximum of eight UNIs or ENIs. We do not recommend mixing UNIs and ENIs in the same community VLAN.
For more information about configuring VLANs, see the software configuration guide for this release.
no shutdown |
|
Displays the statistical information specific to all interfaces or to a specific interface. |
|
Use the power-supply dual global configuration command to enable power-supply alarms (LED state, MIB state, and MIB traps) when only one power supply is installed in the switch. Use the no form of this command when running the switch on a single power supply to suppress the power-supply alarm for the missing second power supply. Use the power-supply dual dc-feed command to enable an alarm when a DC-power input is not present.
Entering the no power-supply dual global configuration command (the default) specifies that only one power supply is expected to be present. The switch does not generate an alarm when a power supply is missing.
This command controls only the sending of messages about the absence of a second power supply or the absence of input to the second power supply. The software detects whether a power supply is present and if there is an input voltage. When there is input, the software can detect if there is an output voltage and if the fan is operating.
Note The switch always sends an error message when an AC-power supply is connected to an AC input but is not receiving or sending power.
If you operate the switch with two power supplies, enter the power-supply dual global configuration command to configure the switch to send a message when one power supply is missing.
When one or two DC-power supplies are installed, if the switch does not detect both DC inputs, it creates an LED alarm color and sends a system message. If you want to use only one DC input, enter the no power-supply dual dc-feed global configuration command to disable alarm messages if the second DC input is not present. This command is valid only when DC-power supplies are installed in the switch.
This example shows how to suppress power-supply alarms for a missing second power supply and to verify the configuration:
This example shows how to suppress power-supply alarms when a DC-power supply is installed and only one DC input is present:
You can display the power-supply alarm status by entering the show env all or show env power privileged EXEC commands.
show env { all | power } |
Use the priority policy-map class configuration command to configure class-based priority queuing for a class of traffic belonging to an output policy map. The switch supports strict priority queuing or priority used with the police policy-map command. Use the no form of this command to remove a priority specified for a class.
Note When the police command is used with the priority policy-map class command for unconditionally rate-limiting the priority queue, burst size values are not supported for the police command.
Policy-map class configuration
When used by itself (not followed by the police policy-map command), the priority command assigns traffic to a low-latency path and ensures that packets belonging to the class have the lowest possible latency. With strict priority queuing, packets in the priority queue are scheduled and sent until the queue is empty.
Note You should exercise care when using the priority command without the policy command. Excessive use of strict priority queuing might cause congestion in other queues.
You can use priority with the police { rate-bps | cir cir-bps } policy-map command to reduce the bandwidth used by the priority queue. This is the only form of policing that is supported in output policy maps. Using this combination of commands configures a maximum rate on the priority queue and allows you to use the bandwidth and shape average policy-map commands for other classes to allocate traffic rates on other queues.
Note When you use the police command with the priority command in an output policy, the police rate range is 64000 to 1000000000 bps, even though the range that appears in the command-line help is 8000 to 1000000000. Configured burst size is ignored when you try to attach the output service policy.
When you configure priority in an output policy map without the police command, you can only configure the other queues for sharing by using the bandwidth remaining percent policy-map class command. This command does not guarantee the allocated bandwidth, but the rate of distribution.
When you configure priority in an output policy map with the police command, you can configure other queues for sharing by using the bandwidth policy-map class command and for shaping by using the shape average policy-map class command.
You can associate the priority command only with a single unique class for all attached output policies on the switch.
You cannot associate the priority command with the class-default of the output policy map.
You cannot configure priority and any other scheduling action ( shape average or bandwidth ) in the same class.
The priority command uses a default queue limit for the class. You can change the queue limit by using the queue-limit policy-map class command, overriding the default set by the priority command.
This example shows how to configure the class out-class1 as a strict priority queue so that all packets in that class are sent before any other class of traffic. Other traffic queues are configured so that out-class-2 gets 50 percent of the remaining bandwidth and out-class3 gets 20 percent of the remaining bandwidth. The class class-default receives the remaining 30 percent with no guarantees.
This example shows how to use the priority with police commands to configure out-class1 as the priority queue, with traffic going to the queue limited to 20000000 bits per second (bps) so that the priority queue never uses more than that. Traffic above that rate is dropped. The other traffic queues are configured as in the previous example.
You can verify your settings by entering the show policy-map privileged EXEC command.
Use the private-vlan VLAN configuration command to configure private VLANs and to configure the association between private-VLAN primary and secondary VLANs. Use the no form of this command to return the VLAN to normal VLAN configuration.
private-vlan { association [ add | remove ] secondary-vlan-list | community | isolated | primary }
no private-vlan { association | community | isolated | primary }
You must manually configure private VLANs on all switches in the Layer 2 network to merge their Layer 2 databases and to prevent flooding of private-VLAN traffic.
You cannot include VLAN 1 or VLANs 1002 to 1005 in the private-VLAN configuration. Extended VLANs (VLAN IDs 1006 to 4094) can be configured as private VLANs.
You can associate a secondary (isolated or community) VLAN with only one primary VLAN. A primary VLAN can have one isolated VLAN and multiple community VLANs associated with it.
A community VLAN carries traffic among community ports and from community ports to the promiscuous ports on the corresponding primary VLAN. A community VLAN can include no more than eight user network interfaces (UNIs).
An isolated VLAN is used by isolated ports to communicate with promiscuous ports. It does not carry traffic to other community ports or to isolated ports with the same primary VLAN domain.
A primary VLAN is the VLAN that carries traffic from a gateway to customer end stations on private ports.
Configure Layer 3 VLAN interfaces (SVIs) only for primary VLANs. You cannot configure Layer 3 VLAN interfaces for secondary VLANs. SVIs for secondary VLANs are inactive while the VLAN is configured as a secondary VLAN.
The private-vlan commands do not take effect until you exit from VLAN configuration mode.
Do not configure private-VLAN ports as EtherChannels. While a port is part of the private-VLAN configuration, any EtherChannel configuration for it is inactive.
A private VLAN cannot be a Remote Switched Port Analyzer (RSPAN) VLAN.
A private VLAN cannot be a user network interface-enhanced network interface (UNI-ENI) VLAN. If the VLAN is a UNI-ENI isolated VLAN (the default), you can change it to a private VLAN by entering the private-vlan VLAN configuration command. If a VLAN has been configured as a UNI-ENI community VLAN, you must first enter the no uni-vlan VLAN configuration command before configuring it as a private VLAN.
Although a private VLAN contains more than one VLAN, only one STP instance runs for the entire private VLAN. When a secondary VLAN is associated with the primary VLAN, the STP parameters of the primary VLAN are propagated to the secondary VLAN.
See the switchport private-vlan command for information about configuring host ports and promiscuous ports.
Note For more information about private-VLAN interaction with other features, see the software configuration guide for this release.
This example shows how to configure VLAN 20 as a primary VLAN, VLAN 501 as an isolated VLAN, VLANs 502 and 503 as community VLANs, and to associate them in a private VLAN. The example assumes that VLANs 502 and 503 were previously configured as UNI-ENI community VLANs.
You can verify your setting by entering the show vlan private-vlan or show interfaces status privileged EXEC command.
show interfaces status |
Displays the status of interfaces, including the VLANs to which they belong. |
show vlan private-vlan |
Displays the private VLANs and VLAN associations configured on the switch. |
Configures a private-VLAN port as a host port or promiscuous port. |
Use the private-vlan mapping interface configuration command on a switch virtual interface (SVI) to create a mapping between a private-VLAN primary and secondary VLANs so that both VLANs share the same primary VLAN interface. Use the no form of this command to remove private-VLAN mappings from the interface.
private-vlan mapping {[ add | remove ] secondary-vlan-list }
The SVI of the primary VLAN is created at Layer 3.
Configure Layer 3 VLAN interfaces (SVIs) only for primary VLANs. You cannot configure Layer 3 VLAN interfaces for secondary VLANs. SVIs for secondary VLANs are inactive while the VLAN is configured as a secondary VLAN.
The secondary_vlan_list parameter cannot contain spaces. It can contain multiple comma-separated items. Each item can be a single private-VLAN ID or a hyphenated range of private-VLAN IDs. The list can contain one isolated VLAN and multiple community VLANs.
Traffic that is received on the secondary VLAN is routed by the interface of the primary VLAN.
A secondary VLAN can be mapped to only one primary VLAN. IF you configure the primary VLAN as a secondary VLAN, all SVIs specified in this command are brought down.
If you configure a mapping between two VLANs that do not have a valid Layer 2 private-VLAN association, the mapping configuration does not take effect.
This example shows how to map the interface of VLAN 20 to the SVI of VLAN 18:
This example shows how to permit routing of secondary VLAN traffic from secondary VLANs 303 to 305 and 307 through VLAN 20 SVI:
You can verify your setting by entering the show interfaces private-vlan mapping privileged EXEC command.
show interfaces private-vlan mapping |
Display private-VLAN mapping information for interfaces or VLAN SVIs. |
Use the queue-limit policy-map class configuration command to set the queue maximum threshold for weighted tail drop (WTD) in an output policy map. Use the no form of this command to return to the default.
queue-limit [ cos value | dot1ad dei value | dscp value | precedence value | qos-group value ] number-of-packets [ packets ]
no queue-limit [ cos value | dot1ad dei value | dscp value | precedence value | qos-group value ] number-of-packets [ packets ]
Policy-map class configuration
You use the queue-limit policy-map class command to control output traffic. Queue-limit settings are not supported in input policy maps.
Beginning with Cisco IOS Release 12.2(35)SE, the switch supports one output policy map for each interface. However, the limit of three unique queue-limit configurations across all output policy maps remains in effect You can use the same queue-limit configuration across multiple policy maps.
Within an output policy map only four queues (classes) are allowed, including the class default. Each queue has three defined thresholds (queue limits). Only three queue-limit configurations are allowed on the switch, but multiple policy maps can share the same queue-limits. For two policy maps to share a queue-limit configuration, all threshold values must be the same for all classes in both policy maps.
If you try to attach an output policy map that contains a fourth queue-limit configuration to an interface, you see an error message, and the attachment is not allowed.
The queue-limit command is supported only after you first configure a scheduling action, such as bandwidth , shape-average , or priority , except when you configure queue-limit in the class-default of an output policy map.
You cannot configure more than two unique threshold values for WTD qualifiers ( cos , dscp , precedence , or qos-group ) in the queue-limit command. However, you can map any number of qualifiers to those thresholds. You can configure a third unique threshold value to set the maximum queue, using the queue-limit command with no qualifiers.
When you use the queue-limit command to configure thresholds within a class map, the WTD thresholds must be less than or equal to the maximum threshold of the queue. This means that the queue size configured without a qualifier must be larger than any of the queue sizes configured with a qualifier.
This example shows how to configure WTD so that out-class1 , out-class2 , out-class3 , and class-default get a minimum of 40, 20, 10 and 10 percent of the traffic bandwidth respectively. The corresponding queue-sizes are set to 48, 32, 16 and 272 (256-byte) packets:
This example shows how to configure WTD for a Fast Ethernet port where outclass1 , outclass2 , and outclass3 get a minimum of 50, 20, and 10 percent of the traffic bandwidth. The class-default gets the remaining 20 percent. Each corresponding queue size is set to 64, 32, and 16 (256-byte) packets, respectively. The example also shows how if outclass1 matches to dscp 46, 56, 57, 58, 60, 63, a DSCP value of 46 gets a queue size of 32 (256-byte) packets; DSCP values 56, 57, and 58 get queue sizes of 48 (256-byte) packets; and the remaining DSCP values of 60 and 63 get the default queue size of 64 (256-byte) packets.
You can use these same queue-limit values in multiple output policy maps on the switch. However, changing one of the queue-limit values in a class would create a new, unique queue-limit configuration. You can attach only three unique queue-limit configurations in output policy maps to interfaces at any one time. If you try to attach an output policy map with a fourth unique queue-limit configuration, you see this error message:
You can verify your settings by entering the show policy-map privileged EXEC command.
Use the remote-span VLAN configuration command to configure a VLAN as a Remote Switched Port Analyzer (RSPAN) VLAN. Use the no form of this command to remove the RSPAN designation from the VLAN.
VLAN configuration (config-VLAN)
Valid RSPAN VLAN IDs are 2 to 1001 and 1006 to 4094. The RSPAN VLAN cannot be VLAN 1 (the default VLAN) or VLAN IDs 1002 to 1005 (reserved for Token Ring and FDDI VLANs).
Before you configure the RSPAN remote-span command, use the vlan global configuration command to create the VLAN.
The RSPAN VLAN has these characteristics:
You must manually also configure both source, destination, and intermediate switches (those in the RSPAN VLAN between the source switch and the destination switch) with the RSPAN VLAN ID.
When an existing VLAN is configured as an RSPAN VLAN, the VLAN is first deleted and then recreated as an RSPAN VLAN. Any access ports become inactive until the RSPAN feature is disabled.
This example shows how to configure a VLAN as an RSPAN VLAN.
This example shows how to remove the RSPAN feature from a VLAN.
You can verify your settings by entering the show vlan remote-span user EXEC command.
Use the renew ip dhcp snooping database privileged EXEC command to renew the DHCP snooping binding database.
renew ip dhcp snooping database [ validation none ] [ { flash:/ filename | ftp:// user:password@host/filename | nvram:/ filename | rcp:// user@host/filename | tftp:// host/filename } ] [ validation none ]
If you do not specify a URL, the switch tries to read the file from the configured URL.
This example shows how to renew the DHCP snooping binding database without checking CRC values:
You can verify settings by entering the show ip dhcp snooping database privileged EXEC command.
Use the rep admin vlan global configuration command to configure a Resilient Ethernet Protocol (REP) administrative VLAN for REP to transmit hardware flood layer (HFL) messages. Use the no form of this command to return to the default configuration with VLAN 1 as the administrative VLAN.
If the VLAN does not already exist, this command does not create the VLAN.
To avoid the delay introduced by relaying messages in software for link-failure or VLAN-blocking notification during load balancing, REP floods packets at the hardware flood layer (HFL) to a regular multicast address. These messages are flooded to the whole network, not just the REP segment. Switches that do not belong to the segment treat them as data traffic. Configuring an administrative VLAN for the whole domain can control flooding of these messages.
If no REP administrative VLAN is configured, the default is VLAN 1.
There can be only one administrative VLAN on a switch and on a segment.
This example shows how to configure VLAN 100 as the REP administrative VLAN:
You can verify your settings by entering the show interface rep detail privileged EXEC command.
show interfaces rep detail |
Displays detailed REP configuration and status for all interfaces or the specified interface, including the administrative VLAN. |
Use the rep block port interface configuration command on the REP primary edge port to configure Resilient Ethernet Protocol (REP) VLAN load balancing. Use the no form of this command to return to the default configuration.
rep block port { id port-id | neighbor_offset | preferred } vlan { vlan-list | all }
no rep block port { id port-id | neighbor_offset | preferred }
The default behavior after you enter the rep preempt segment privileged EXEC command (for manual preemption) is to block all VLANs at the primary edge port. This behavior remains until you configure the rep block port command.
If the primary edge port cannot determine which port is to be the alternate port, the default action is no preemption and no VLAN load balancing.
You must enter this command on the REP primary edge port.
When you select an alternate port by entering an offset number, this number identifies the downstream neighbor port of an edge port. The primary edge port has an offset number of 1; positive numbers above 1 identify downstream neighbors of the primary edge port. Negative numbers identify the secondary edge port (offset number -1) and its downstream neighbors. See Neighbor Offset Numbers in a REP SegmentFigure 2-1.
Figure 2-1 Neighbor Offset Numbers in a REP Segment
Note You would never enter an offset value of 1 because that is the offset number of the primary edge port itself.
If you have configured a preempt delay time by entering the rep preempt delay seconds interface configuration command and a link failure and recovery occurs, VLAN load balancing begins after the configured preemption time period elapses without another link failure. The alternate port specified in the load-balancing configuration blocks the configured VLANs and unblocks all other segment ports. If the primary edge port cannot determine the alternate port for VLAN balancing, the default action is no preemption.
Each port in a segment has a unique port ID. The port ID format is similar to the one used by the spanning tree algorithm: a port number (unique on the bridge) associated to a MAC address (unique in the network). To determine the port ID of a port, enter the show interface interface-id rep detail privileged EXEC command.
There is no limit to the number of times that you can enter the rep block port id port-id vlan vlan-list interface configuration command. You can block an unlimited number, range, or sequence of VLANs.
When you use the rep block port id port-id vlan vlan-list interface configuration command on a REP primary edge port to block a VLAN list and then use the same command to block another VLAN list on the same port, the second VLAN list does not replace the first VLAN list but is appended to the first VLAN list.
When you use the rep block port id port-id vlan vlan-list interface configuration command on a REP primary edge port to block a VLAN list on one port and then use the same command to block another VLAN list on another port, the original port number and VLAN list are overwritten.
This example shows how to configure REP VLAN load balancing on the Switch B primary edge port (Gigabit Ethernet port 0/1) and to configure Gigabit Ethernet port 0/2 of Switch A as the alternate port to block VLANs 1 to 100. The alternate port is identified by its port ID, shown in bold in the output of the show interface rep detail command for the Switch A port.
This example shows how to configure VLAN load balancing by using a neighbor offset number and how to verify the configuration by entering the show interfaces rep detail privileged EXEC command:
Configures a waiting period after a segment port failure and recovery before REP VLAN load balancing is triggered. |
|
show interfaces rep detail |
Displays REP detailed configuration and status for all interfaces or the specified interface, including the administrative VLAN. |
Use the rep lsl-age-timer interface configuration command on a Resilient Ethernet Protocol (REP) port to configure the Link Status Layer (LSL) age timer for the time period that the REP interface remains up without receiving a hello from the REP neighbor. Use the no form of this command to return to the default time.
The LSL hello timer is set to the age-timer value divided by 3 so that there should be at least two LSL hellos sent during the LSL age timer period. If no hellos are received within that time, the REP link shuts down.
In Cisco IOS Release 12.2(52)SE, the LSL age-timer range changed from 3000 to 10000 ms in 500-ms increments to 120 to 10000 ms in 40-ms increments. If the REP neighbor device is not running Cisco IOS Release 12.2(52)SE or later, you must use the shorter time range because the device does not accept values out of the earlier range.
EtherChannel port channel interfaces do not support LSL age-timer values less than 1000 ms. If you try to configure a value less than 1000 ms on a port channel, you receive an error message and the command is rejected.
This example shows how to configure the REP LSL age timer on a REP link to 7000 ms:
You can verify the configured ageout time by entering the show interfaces rep detail privileged EXEC command.
show interfaces rep [ detail ] |
Displays REP configuration and status for all interfaces or the specified interface, including the configured LSL age-out timer value. |
Use the rep preempt delay interface configuration command on the REP primary edge port to configure a waiting period after a segment port failure and recovery before Resilient Ethernet Protocol (REP) VLAN load balancing is triggered. Use the no form of this command to remove the configured delay.
You must enter this command on the REP primary edge port.
You must enter this command and configure a preempt time delay if you want VLAN load balancing to automatically trigger after a link failure and recovery.
If VLAN load balancing is configured, after a segment port failure and recovery, the REP primary edge port starts a delay timer before VLAN load balancing occurs. Note that the timer restarts after each link failure. When the timer expires, the REP primary edge alerts the alternate port to perform VLAN load balancing (configured by using the rep block port interface configuration command) and prepares the segment for the new topology. The configured VLAN list is blocked at the alternate port, and all other VLANs are blocked at the primary edge port.
This example shows how to configure a REP preemption time delay of 100 seconds on the primary edge port:
You can verify your settings by entering the show interfaces rep privileged EXEC command.
Use the rep preempt segment privileged EXEC command to manually start Resilient Ethernet Protocol (REP) VLAN load balancing on a segment.
When you enter the rep preempt segment segment-id command, a confirmation message appears before the command is executed because preemption can cause network disruption.
Enter this command on the switch on the segment that has the primary edge port.
If you do not configure VLAN load balancing, entering this command results in the default behavior—the primary edge port blocks all VLANs.
You configure VLAN load balancing by entering the rep block port { id port-id | neighbor_offset | preferred } vlan { vlan-list | all } interface configuration command on the REP primary edge port before you manually start preemption.
This example shows how to manually trigger REP preemption on segment 100 with the confirmation message:
show interfaces rep [ detail ] |
Displays REP configuration and status for all interfaces or the specified interface. |
Use the rep segment interface configuration command to enable Resilient Ethernet Protocol (REP) on the interface and to assign a segment ID to it. Use the no form of this command to disable REP on the interface.
rep segment segment-id [ edge [ no-neighbor ] [ primary ]] [ preferred ]
REP ports must be Layer 2 trunk ports.
A non-ES REP port can be either an IEEE 802.1Q trunk port or an ISL trunk port.
REP ports should not be configured as one of these port types:
You must configure two edge ports on each REP segment, a primary edge port and a port to act as a secondary edge port. If you configure two ports in a segment as the primary edge port, for example ports on different switches, the configuration is allowed, but the REP selects one of them to serve as the segment primary edge port.
– There is no limit to the number of REP ports on a switch; however, only two ports on a switch can belong to the same REP segment.
– If only one port on a switch is configured in a segment, the port should be an edge port.
– If two ports on a switch belong to the same segment, they must be both edge ports, both regular segment ports, or one regular port and one edge no-neighbor port. An edge port and regular segment port on a switch cannot belong to the same segment.
– If two ports on a switch belong to the same segment and one is configured as an edge port and one as a regular segment port (a misconfiguration), the edge port is treated as a regular segment port.
If you configure two ports in a segment as the primary edge port, for example ports on different switches, the REP selects one of them to serve as the segment primary edge port. Enter the show rep topology privileged EXEC command on a port in the segment to verify which port is the segment primary edge port.
REP interfaces come up in a blocked state and remain in a blocked state until notified that it is safe to unblock. You need to be aware of this to avoid sudden connection losses.
You should configure REP only in networks with redundancy. Configuring REP in a network without redundancy causes loss of connectivity.
In networks where ports on a neighboring switch do not support REP, you can configure the non-REP facing ports as edge no-neighbor ports. These ports inherit all properties of edge ports and you can configure them as any other edge port, including to send STP or REP topology change notices to the aggregation switch. In this case, the STP topology change notice (TCN) that is sent is a multiple spanning-tree (MST) STP message.
This example shows how to enable REP on a regular (nonedge) segment port:
This example shows how to enable REP on a port and to identify the port as the REP primary edge port:
This example shows how to configure the same configuration when the interface has no external REP neighbor:
This example shows how to enable REP on a port and to identify the port as the REP secondary edge port:
You can verify your settings by entering the show interfaces rep privileged EXEC command. To verify which port in the segment is the primary edge port, enter the show rep topology privileged EXEC command.
show interfaces rep [ detail ] |
Displays REP configuration and status for all interfaces or the specified interface. |
show rep topology [ detail ] |
Displays information about all ports in the segment, including which one was configured and selected as the primary edge port. |
Use the rep stcn interface configuration command on a Resilient Ethernet Protocol (REP) edge port to configure the port to send REP segment topology change notifications (STCNs) to another interface, to other segments, or to Spanning Tree Protocol (STP) networks. Use the no form of this command to disable the sending of STCNs to the interface, segment, or STP network.
rep stcn { interface interface-id | segment id-list | stp }
Enter this command on a segment edge port.
You use this command to notify other portions of the Layer 2 network of topology changes that occur in the local REP segment. This removes obsolete entries in the Layer 2 forwarding table in other parts of the network, which allows faster network convergence.
This example shows how to configure the REP primary edge port to send STCNs to segments 25 to 50:
You can verify your settings by entering the show interfaces rep detail privileged EXEC command.
show interfaces rep [ detail ] |
Displays REP configuration and status for all interfaces or the specified interface. |
Use the reserved-only DHCP pool configuration mode command to allocate only reserved addresses in the Dynamic Host Configuration Protocol (DHCP) address pool. Use the no form of the command to return to the default.
Entering the reserved-only command restricts assignments from the DHCP pool to preconfigured reservations. Unreserved addresses that are part of the network or on pool ranges are not offered to the client, and other clients are not served by the pool.
By entering this command, users can configure a group of switches with DHCP pools that share a common IP subnet and that ignore requests from clients of other switches.
To access DHCP pool configuration mode, enter the ip dhcp pool name global configuration command.