Cisco IOS Commands for the Catalyst 4500 Series Switches
This chapter contains an alphabetical listing of Cisco IOS commands for the Catalyst 4500 series switches. For information about Cisco IOS commands that are not included in this publication, refer to Cisco IOS Release 12.2 Configuration Guides and Command References at this URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_product_indices_list.html
#macro keywords
To specify the help string for the macro keywords, use the #macro keywords command.
#macro keywords [keyword1] [keyword2] [keyword3]
Syntax Description
Defaults
This command has no default settings.
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 12.2(18)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
If you do not specify the mandatory keywords for a macro, the macro is considered invalid and fails when you attempt to apply it. When you enter the #macro keywords command, you receive a message indicating what you need to include to make the syntax valid.
Examples
This example shows how to specify the help string for keywords associated with a macro named test:
Switch(config)# macro name test
macro name test
Enter macro commands one per line. End with the character '@'.
#macro keywords $VLAN $MAX
switchport
@
Switch(config)# int gi1/1
Switch(config-if)# macro apply test ?
WORD Keyword to replace with a value e.g $VLAN, $MAX << It is shown as help
<cr>
Related Commands
macro apply cisco-desktop
macro apply cisco-phone
macro apply cisco-router
macro apply cisco-switch
aaa accounting dot1x default start-stop group radius
To enable accounting for 802.1X authentication sessions, use the aaa accounting dot1x default start-stop group radius command. To disable accounting, use the no form of this command.
aaa accounting dot1x default start-stop group radius
no aaa accounting dot1x default start-stop group radius
Syntax Description
This command has no arguments or keywords.
Defaults
Accounting is disabled.
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 12.2(18)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
802.1X accounting requires a RADIUS server.
This command enables the Authentication, Authorization, and Accounting (AAA) client's accounting feature to forward 802.1X update and watchdog packets from the 802.1X supplicant (workstation client) to the authentication (RADIUS) server. (Watchdog packets are defined as EAPOL-LOGON, EAPOL-LOGOFF, and EAPOL-INTERIM messages.) Successful authentication and authorization of the supplicant by the authentication server is required before these packets are considered valid and are forwarded. When the client is reauthenticated, an interim-update accounting notice is sent to the accounting server.
Examples
This example shows how to configure 802.1X accounting:
Switch(config)# aaa accounting dot1x default start-stop group radius
Note: The RADIUS authentication server must be properly configured to accept and log update or watchdog packets from the AAA client.
Related Commands
aaa accounting system default start-stop group radius
aaa accounting system default start-stop group radius
To receive the session termination messages after the switch reboots, use the aaa accounting system default start-stop group radius command. To disable accounting, use the no form of this command.
aaa accounting system default start-stop group radius
no aaa accounting system default start-stop group radius
Syntax Description
This command has no arguments or keywords.
Defaults
Accounting is disabled.
Command Modes
Global configuration mode
Command History
| Release | Modification |
|---|---|
| 12.2(18)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
802.1X accounting requires the RADIUS server.
This command enables the AAA client's accounting feature to forward 802.1X update and watchdog packets from the 802.1X supplicant (workstation client) to the authentication (RADIUS) server. (Watchdog packets are defined as EAPOL-LOGON, EAPOL-LOGOFF, and EAPOL-INTERIM messages.) Successful authentication and authorization of the supplicant by the authentication server is required before these packets are considered valid and are forwarded. When the client is reauthenticated, an interim-update accounting notice is sent to the accounting server.
Examples
This example shows how to generate a logoff after a switch reboots:
Switch(config)# aaa accounting system default start-stop group radius
Note: The RADIUS authentication server must be properly configured to accept and log update or watchdog packets from the AAA client.
Related Commands
aaa accounting dot1x default start-stop group radius
access-group mode
To specify the override modes (for example, VACL overrides PACL) and the non-override modes (for example, merge or strict mode), use the access-group mode command. To return to preferred port mode, use the no form of this command.
access-group mode {prefer {port | vlan} | merge}
no access-group mode {prefer {port | vlan} | merge}
Syntax Description
Defaults
PACL override mode
Command Modes
Interface configuration
Command History
| Release | Modification |
|---|---|
| 12.1(19)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
On the Layer 2 interface, prefer port, prefer VLAN, and merge modes are supported. A Layer 2 interface can have one IP ACL applied in either direction (one inbound and one outbound).
Examples
This example shows how to make the PACL mode on the switch take effect:
(config-if)# access-group mode prefer port
This example shows how to merge applicable ACL features:
(config-if)# access-group mode merge
Related Commands
show access-group mode interface
show ip interface (refer to Cisco IOS documentation)
show mac access-group interface
access-list hardware entries
To designate how ACLs are programmed into the switch hardware, use the access-list hardware entries command.
access-list hardware entries {packed | scattered}
Syntax Description
Defaults
The ACLs are programmed as packed.
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 12.2(20)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
Two types of hardware resources are used when ACLs are programmed: entries and masks. If one of these resources is consumed, no additional ACLs can be programmed into the hardware. If the masks are consumed, but the entries are available, change the programming algorithm from packed to scattered to make the masks available. This action allows additional ACLs to be programmed into the hardware.
The goal is to use TCAM resources more efficiently; that is, to minimize the number of masks per ACL entries. To compare TCAM utilization when using the scattered or packed algorithms, use the show platform hardware acl statistics utilization brief command. To change the algorithm from packed to scattered, use the access-list hardware entries command.
Examples
This example shows how to program ACLs into the hardware as packed. After they are programmed, you will need 89 percent of the masks to program only 49 percent of the ACL entries.
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# access-list hardware entries packed
Switch(config)# end
Switch#
01:15:34: %SYS-5-CONFIG_I: Configured from console by console
Switch#
Switch# show platform hardware acl statistics utilization brief
Entries/Total(%) Masks/Total(%)
----------------- ---------------
Input Acl(PortAndVlan) 2016 / 4096 ( 49) 460 / 512 ( 89)
Input Acl(PortOrVlan) 6 / 4096 ( 0) 4 / 512 ( 0)
Input Qos(PortAndVlan) 0 / 4096 ( 0) 0 / 512 ( 0)
Input Qos(PortOrVlan) 0 / 4096 ( 0) 0 / 512 ( 0)
Output Acl(PortAndVlan) 0 / 4096 ( 0) 0 / 512 ( 0)
Output Acl(PortOrVlan) 0 / 4096 ( 0) 0 / 512 ( 0)
Output Qos(PortAndVlan) 0 / 4096 ( 0) 0 / 512 ( 0)
Output Qos(PortOrVlan) 0 / 4096 ( 0) 0 / 512 ( 0)
L4Ops: used 2 out of 64
Switch#
This example shows how to reserve space (scatter) between ACL entries in the hardware. The number of masks required to program 49 percent of the entries has decreased to 49 percent.
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# access-list hardware entries scattered
Switch(config)# end
Switch#
01:39:37: %SYS-5-CONFIG_I: Configured from console by console
Switch#
Switch# show platform hardware acl statistics utilization brief
Entries/Total(%) Masks/Total(%)
----------------- ---------------
Input Acl(PortAndVlan) 2016 / 4096 ( 49) 252 / 512 ( 49)
Input Acl(PortOrVlan) 6 / 4096 ( 0) 5 / 512 ( 0)
Input Qos(PortAndVlan) 0 / 4096 ( 0) 0 / 512 ( 0)
Input Qos(PortOrVlan) 0 / 4096 ( 0) 0 / 512 ( 0)
Output Acl(PortAndVlan) 0 / 4096 ( 0) 0 / 512 ( 0)
Output Acl(PortOrVlan) 0 / 4096 ( 0) 0 / 512 ( 0)
Output Qos(PortAndVlan) 0 / 4096 ( 0) 0 / 512 ( 0)
Output Qos(PortOrVlan) 0 / 4096 ( 0) 0 / 512 ( 0)
L4Ops: used 2 out of 64
Switch#
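The packed and scattered comparison above can be automated. The following Python sketch is an added example, not part of the Cisco documentation: it parses rows of the show platform hardware acl statistics utilization brief output in the layout shown on this page and reports which regions are running out of masks while entries are still free. The 85 percent threshold and all function names are assumptions chosen for illustration; the sample rows are copied (abridged) from the two examples above.

```python
import re
from dataclasses import dataclass

# One data row of "show platform hardware acl statistics utilization brief",
# e.g. "Input Acl(PortAndVlan) 2016 / 4096 ( 49) 460 / 512 ( 89)".
ROW = re.compile(
    r"^\s*(?P<region>(?:Input|Output)\s+(?:Acl|Qos)\((?:PortAndVlan|PortOrVlan)\))"
    r"\s+(?P<e_used>\d+)\s*/\s*(?P<e_total>\d+)\s*\(\s*\d+\s*\)"
    r"\s+(?P<m_used>\d+)\s*/\s*(?P<m_total>\d+)\s*\(\s*\d+\s*\)\s*$"
)


@dataclass
class Region:
    name: str
    entries_used: int
    entries_total: int
    masks_used: int
    masks_total: int

    @property
    def entries_pct(self) -> float:
        return 100.0 * self.entries_used / self.entries_total if self.entries_total else 0.0

    @property
    def masks_pct(self) -> float:
        return 100.0 * self.masks_used / self.masks_total if self.masks_total else 0.0

    @property
    def entries_per_mask(self) -> float:
        # Higher is better: fewer masks are spent per programmed ACL entry.
        return self.entries_used / self.masks_used if self.masks_used else 0.0


def parse_utilization(text: str) -> dict:
    """Return {region name: Region}; header, separator and L4Ops lines are skipped."""
    regions = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name = " ".join(m["region"].split())  # collapse column padding
            regions[name] = Region(name, int(m["e_used"]), int(m["e_total"]),
                                   int(m["m_used"]), int(m["m_total"]))
    return regions


def classify(region: Region, threshold: float = 85.0) -> str:
    """threshold is an assumed alerting level, not a Cisco-defined limit."""
    if region.entries_pct >= threshold:
        return "entry-bound"   # changing the algorithm will not help
    if region.masks_pct >= threshold:
        return "mask-bound"    # entries are free; scattered may release masks
    return "ok"


def masks_freed(before: dict, after: dict) -> dict:
    """Masks released per region between two captures (negative means more used)."""
    return {n: before[n].masks_used - after[n].masks_used for n in before if n in after}


# Sample input: rows copied (abridged) from the packed and scattered examples on this page.
PACKED_OUTPUT = """\
Entries/Total(%) Masks/Total(%)
----------------- ---------------
Input Acl(PortAndVlan) 2016 / 4096 ( 49) 460 / 512 ( 89)
Input Acl(PortOrVlan) 6 / 4096 ( 0) 4 / 512 ( 0)
Input Qos(PortAndVlan) 0 / 4096 ( 0) 0 / 512 ( 0)
L4Ops: used 2 out of 64
"""

SCATTERED_OUTPUT = """\
Entries/Total(%) Masks/Total(%)
----------------- ---------------
Input Acl(PortAndVlan) 2016 / 4096 ( 49) 252 / 512 ( 49)
Input Acl(PortOrVlan) 6 / 4096 ( 0) 5 / 512 ( 0)
Input Qos(PortAndVlan) 0 / 4096 ( 0) 0 / 512 ( 0)
L4Ops: used 2 out of 64
"""

if __name__ == "__main__":
    packed = parse_utilization(PACKED_OUTPUT)
    scattered = parse_utilization(SCATTERED_OUTPUT)
    for name, region in packed.items():
        print(f"{name}: packed={classify(region)} scattered={classify(scattered[name])} "
              f"entries/mask {region.entries_per_mask:.2f} -> "
              f"{scattered[name].entries_per_mask:.2f}")
    print("masks freed:", masks_freed(packed, scattered))
```

In the sample data the totals are 4096 entries and 512 masks per region, so 8 entries per mask is the best ratio this output can show; the scattered capture reaches it for Input Acl(PortAndVlan), while the packed capture is flagged as mask-bound.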
access-list hardware region
To modify the balance between TCAM regions in hardware, use the access-list hardware region command.
access-list hardware region {feature | qos} {input | output} balance {bal-num}
Syntax Description
Defaults
The default region balance for each TCAM is 50.
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 12.2(31)SG | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
PandV is a TCAM region containing entries which mask in both the port and VLAN tag portions of the flow label.
PorV is a TCAM region containing entries which mask in either the port or VLAN tag portion of the flow label, but not both.
A balance of 1 allocates the minimum number of PandV region entries and the maximum number of PorV region entries. A balance of 99 allocates the maximum number of PandV region entries and the minimum number of PorV region entries. A balance of 50 allocates equal numbers of PandV and PorV region entries in the specified TCAM.
Balances for the four TCAMs can be modified independently.
Examples
This example shows how to set the balance of the input feature TCAM region to 75:
Switch# configure terminal
Switch(config)# access-list hardware region feature input balance 75
Switch(config)#
action
To specify an action to be taken when a match occurs in a VACL, use the action command. To remove an action clause, use the no form of this command.
action {drop | forward}
no action {drop | forward}
Syntax Description
| drop | Sets the action to drop packets. |
| forward | Sets the action to forward packets to their destination. |
Defaults
This command has no default settings.
Command Modes
VLAN access-map
Command History
| Release | Modification |
|---|---|
| 12.1(12c)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
In a VLAN access map, if at least one ACL is configured for a packet type (IP or MAC), the default action for the packet type is drop (deny).
If an ACL is not configured for a packet type, the default action for the packet type is forward (permit).
If an ACL for a packet type is configured and the ACL is empty or undefined, the configured action will be applied to the packet type.
Examples
This example shows how to define a drop action:
Switch(config-access-map)# action drop
Switch(config-access-map)#
This example shows how to define a forward action:
Switch(config-access-map)# action forward
Switch(config-access-map)#
Related Commands
match
show vlan access-map
vlan access-map
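The three default-action rules in the Usage Guidelines above are easy to misread when auditing a VACL. The following Python model is an added example, not part of the Cisco documentation and not switch code: it applies those rules to a simplified access map. ACL matching is reduced to source-address set membership and map entries are evaluated in list order; both are assumptions, as are all class, function, and ACL names.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Clause:
    ptype: str   # packet type the match clause covers: "ip" or "mac"
    acl: str     # name of the ACL referenced by the match clause


@dataclass
class MapEntry:
    matches: List[Clause]
    action: str  # "drop" or "forward", as set by the action command


def evaluate(access_map: List[MapEntry], acls: Dict[str, Set[str]],
             packet: dict) -> Tuple[str, str]:
    """Return (action, reason) for a packet such as {"type": "ip", "src": "10.0.0.5"}.

    acls maps an ACL name to the set of source addresses it permits (simplified
    model). A name missing from acls is an undefined ACL; an empty set is an
    empty ACL.
    """
    type_has_acl = False
    for entry in access_map:
        for clause in entry.matches:
            if clause.ptype != packet["type"]:
                continue
            type_has_acl = True
            permitted = acls.get(clause.acl)
            if not permitted:
                # Rule 3: ACL configured but empty or undefined, so the
                # configured action applies to the whole packet type.
                return entry.action, "acl-empty-or-undefined"
            if packet["src"] in permitted:
                return entry.action, "matched"
    if type_has_acl:
        # Rule 1: at least one ACL exists for this packet type, default is drop.
        return "drop", "implicit-drop"
    # Rule 2: no ACL configured for this packet type, default is forward.
    return "forward", "no-acl-for-type"


# Constructed sample data (hypothetical names and addresses).
ACLS = {"WEB": {"10.0.0.5"}}
MAP_OK = [MapEntry([Clause("ip", "WEB")], "forward")]
# Same map, but the match clause references an ACL name that was never defined.
MAP_TYPO = [MapEntry([Clause("ip", "WEBB")], "forward")]

if __name__ == "__main__":
    for label, amap in (("MAP_OK", MAP_OK), ("MAP_TYPO", MAP_TYPO)):
        for pkt in ({"type": "ip", "src": "10.0.0.5"},
                    {"type": "ip", "src": "10.0.0.9"},
                    {"type": "mac", "src": "0000.0c12.3456"}):
            print(label, pkt, evaluate(amap, ACLS, pkt))
```

Two audit points fall out of the model: an IP-only access map leaves MAC-layer traffic forwarded by default, and a forward entry that references an empty or undefined ACL forwards every packet of that type.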
apply
To implement a new VLAN database, increment the configuration number, save the configuration number in NVRAM, and propagate the configuration number throughout the administrative domain, use the apply command.
apply
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
VLAN configuration
Command History
| Release | Modification |
|---|---|
| 12.1(8a)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
The apply command implements the configuration changes that you made after you entered VLAN database mode and uses them for the running configuration. This command keeps you in VLAN database mode.
You cannot use this command when the switch is in the VTP client mode.
You can verify that the VLAN database changes occurred by entering the show vlan command from privileged EXEC mode.
Examples
This example shows how to implement the proposed new VLAN database and to recognize it as the current database:
Switch(config-vlan)# apply
Switch(config-vlan)#
Related Commands
abort (refer to Cisco IOS documentation)
exit (refer to Cisco IOS documentation)
reset
show vlan
shutdown vlan (refer to Cisco IOS documentation)
vtp (global configuration mode)
arp access-list
To define an ARP access list or add clauses at the end of a predefined list, use the arp access-list command.
arp access-list name
Syntax Description
| name | Specifies the access control list name. |
Defaults
None
Command Modes
Configuration
Command History
| Release | Modification |
|---|---|
| 12.1(19)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Examples
This example shows how to define an ARP access list named static-hosts:
Switch(config)# arp access-list static-hosts
Switch(config)#
Related Commands
deny
ip arp inspection filter vlan
permit
attach module
To remotely connect to a specific module, use the attach module configuration command.
attach module mod
Syntax Description
| mod | Target module for the command. |
Defaults
This command has no default settings.
Command Modes
Privileged
Command History
| Release | Modification |
|---|---|
| 12.1(19)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
This command applies only to the Access Gateway Module on Catalyst 4500 series switches.
The valid values for mod depend on the chassis that are used. For example, if you have a Catalyst 4006 chassis, valid values for the module are from 2 to 6. If you have a 4507R chassis, valid values are from 3 to 7.
When you execute the attach module mod command, the prompt changes to Gateway#.
This command is identical in the resulting action to the session module mod and the remote login module mod commands.
Examples
This example shows how to remotely log in to an Access Gateway Module:
Switch# attach module 5
Attaching console to module 5
Type 'exit' at the remote prompt to end the session
Gateway>
Related Commands
remote login module
session module
auto qos voip
To automatically configure quality of service (auto-QoS) for voice over IP (VoIP) within a QoS domain, use the auto qos voip interface configuration command. To change the auto-QoS configuration settings to the standard QoS defaults, use the no form of this command.
auto qos voip {cisco-phone | trust}
no auto qos voip {cisco-phone | trust}
Syntax Description
Defaults
Auto-QoS is disabled on all interfaces.
Command Modes
Interface configuration
Command History
| Release | Modification |
|---|---|
| 12.1(19)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
Use this command to configure the QoS that is appropriate for VoIP traffic within the QoS domain. The QoS domain includes the switch, the interior of the network, and the edge devices that can classify incoming traffic for QoS.
Use the cisco-phone keyword on the ports at the edge of the network that are connected to Cisco IP phones. The switch detects the telephone through the Cisco Discovery Protocol (CDP) and trusts the CoS labels in packets that are received from the telephone.
Use the trust keyword on the ports that are connected to the interior of the network. Because it is assumed that the traffic has already been classified by the other edge devices, the CoS/DSCP labels in these packets are trusted.
When you enable the auto-QoS feature on the specified interface, these actions automatically occur:
• QoS is globally enabled (qos global configuration command).
• DBL is enabled globally (qos dbl global configuration command).
• When you enter the auto qos voip cisco-phone interface configuration command, the trusted boundary feature is enabled. It uses the Cisco Discovery Protocol (CDP) to detect the presence or absence of a Cisco IP phone. When a Cisco IP phone is detected, the ingress classification on the specific interface is set to trust the CoS label that is received in the packet because some old phones do not mark DSCP. When a Cisco IP phone is absent, the ingress classification is set to not trust the CoS label in the packet.
• When you enter the auto qos voip trust interface configuration command, the ingress classification on the specified interface is set to trust the CoS label that is received in the packet if the specified interface is configured as Layer 2 (and is set to trust DSCP if the interface is configured as Layer 3).
You can enable auto-QoS on static, dynamic-access, voice VLAN access, and trunk ports.
To display the QoS configuration that is automatically generated when auto-QoS is enabled, enable debugging before you enable auto-QoS. Use the debug auto qos privileged EXEC command to enable auto-QoS debugging.
To disable auto-QoS on an interface, use the no auto qos voip interface configuration command. When you enter this command, the switch enables standard QoS and changes the auto-QoS settings to the standard QoS default settings for that interface. This action will not change any global configuration performed by auto-QoS; the global configuration remains the same.
Examples
This example shows how to enable auto-QoS and to trust the CoS and DSCP labels that are received in the incoming packets when the switch or router that is connected to Gigabit Ethernet interface 1/1 is a trusted device:
Switch(config)# interface gigabitethernet1/1
Switch(config-if)# auto qos voip trust
This example shows how to enable auto-QoS and to trust the CoS labels that are received in incoming packets when the device connected to Fast Ethernet interface 2/1 is detected as a Cisco IP phone:
Switch(config)# interface fastethernet2/1
Switch(config-if)# auto qos voip cisco-phone
This example shows how to display the QoS configuration that is automatically generated when auto-QoS is enabled:
Switch# debug auto qos
AutoQoS debugging is on
Switch# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet1/1
Switch(config-if)# auto qos voip trust
Switch(config-if)#
00:00:56:qos
00:00:57:qos map cos 3 to dscp 26
00:00:57:qos map cos 5 to dscp 46
00:00:58:qos map dscp 32 to tx-queue 1
00:00:58:qos dbl
00:01:00:policy-map autoqos-voip-policy
00:01:00: class class-default
00:01:00: dbl
00:01:00:interface GigabitEthernet1/1
00:01:00: qos trust cos
00:01:00: tx-queue 3
00:01:00: priority high
00:01:00: shape percent 33
00:01:00: service-policy output autoqos-voip-policy
Switch(config-if)# interface gigabitethernet1/1
Switch(config-if)# auto qos voip cisco-phone
Switch(config-if)#
00:00:55:qos
00:00:56:qos map cos 3 to dscp 26
00:00:57:qos map cos 5 to dscp 46
00:00:58:qos map dscp 32 to tx-queue 1
00:00:58:qos dbl
00:00:59:policy-map autoqos-voip-policy
00:00:59: class class-default
00:00:59: dbl
00:00:59:interface GigabitEthernet1/1
00:00:59: qos trust device cisco-phone
00:00:59: qos trust cos
00:00:59: tx-queue 3
00:00:59: priority high
00:00:59: shape percent 33
00:00:59: bandwidth percent 33
00:00:59: service-policy output autoqos-voip-policy
You can verify your settings by entering the show auto qos interface command.
Related Commands
debug auto qos (refer to Cisco IOS documentation)
qos map cos
qos trust
show auto qos
show qos
show qos interface
show qos maps
auto-sync
To enable automatic synchronization of the configuration files in NVRAM, use the auto-sync command. To disable automatic synchronization, use the no form of this command.
auto-sync {startup-config | config-register | bootvar | standard}
no auto-sync {startup-config | config-register | bootvar | standard}
Syntax Description
Defaults
Standard automatic synchronization of all configuration files
Command Modes
Redundancy main-cpu
Command History
| Release | Modification |
|---|---|
| 12.1(12c)EW | Support for this command was introduced on the Catalyst 4500 series switch (Catalyst 4507R only). |
Usage Guidelines
If you enter the no auto-sync standard command, no automatic synchronizations occur.
Examples
This example shows how (from the default configuration) to enable automatic synchronization of the configuration register in the main CPU:
Switch# config terminal
Switch(config)# redundancy
Switch(config-r)# main-cpu
Switch(config-r-mc)# no auto-sync standard
Switch(config-r-mc)# auto-sync config-register
Switch(config-r-mc)#
Related Commands
channel-group
To assign and configure an EtherChannel interface to an EtherChannel group, use the channel-group command. To remove a channel group configuration from an interface, use the no form of this command.
channel-group number mode {active | on | auto [non-silent]} | {passive | desirable [non-silent]}
no channel-group
Syntax Description
Defaults
No channel groups are assigned.
Command Modes
Interface configuration
Command History
| Release | Modification |
|---|---|
| 12.1(8a)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
| 12.1(13)EW | Support for LACP was added. |
Usage Guidelines
You do not have to create a port-channel interface before assigning a physical interface to a channel group. If a port-channel interface has not been created, it is automatically created when the first physical interface for the channel group is created.
If a specific channel number is used for the PAgP-enabled interfaces of a channel group, that same channel number cannot be used for configuring a channel that has LACP-enabled interfaces or vice versa.
You can also create port channels by entering the interface port-channel command. This will create a Layer 3 port channel. To change the Layer 3 port channel into a Layer 2 port channel, use the switchport command before you assign physical interfaces to the channel group. A port channel cannot be changed from Layer 3 to Layer 2 or vice versa when it contains member ports.
You do not have to disable the IP address that is assigned to a physical interface that is part of a channel group, but we recommend that you do so.
Any configuration or attribute changes that you make to the port-channel interface are propagated to all interfaces within the same channel group as the port channel (for example, configuration changes are also propagated to the physical interfaces that are not part of the port channel, but are part of the channel group).
In on mode, you can create a usable EtherChannel by connecting two port groups together.
Examples
This example shows how to add Gigabit Ethernet interface 1/1 to the EtherChannel group that is specified by port-channel 45:
Switch(config-if)# channel-group 45 mode on
Creating a port-channel interface Port-channel45
Switch(config-if)#
Related Commands
interface port-channel
show interfaces port-channel (refer to Cisco IOS documentation)
channel-protocol
To enable LACP or PAgP on an interface, use the channel-protocol command. To disable the protocols, use the no form of this command.
channel-protocol {lacp | pagp}
no channel-protocol {lacp | pagp}
Syntax Description
| lacp | Enables LACP to manage channeling. |
| pagp | Enables PAgP to manage channeling. |
Defaults
PAgP
Command Modes
Interface configuration
Command History
| Release | Modification |
|---|---|
| 12.1(13)EW | Support for this command was introduced on the Catalyst 4500 series switches. |
Usage Guidelines
This command is not supported on systems that are configured with a Supervisor Engine I.
You can also select the protocol using the channel-group command.
If the interface belongs to a channel, the no form of this command is rejected.
All ports in an EtherChannel must use the same protocol; you cannot run two protocols on one module.
PAgP and LACP are not compatible; both ends of a channel must use the same protocol.
You can manually configure a switch with PAgP on one side and LACP on the other side in the on mode.
You can change the protocol at any time, but this change causes all existing EtherChannels to reset to the default channel mode for the new protocol. You can use the channel-protocol command to restrict anyone from selecting a mode that is not applicable to the selected protocol.
Configure all ports in an EtherChannel to operate at the same speed and duplex mode (full duplex only for LACP mode).
For a complete list of guidelines, refer to the "Configuring EtherChannel" section of the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide.
Examples
This example shows how to select LACP to manage channeling on the interface:
Switch(config-if)# channel-protocol lacp
Switch(config-if)#
Related Commands
channel-group
show etherchannel
class-map
To access the QoS class map configuration mode to configure QoS class maps, use the class-map command. To delete a class map, use the no form of this command.
class-map [match-all | match-any] name
no class-map [match-all | match-any] name
Syntax Description
| match-all | (Optional) Specifies that all match criteria in the class map must be matched. |
| match-any | (Optional) Specifies that one or more match criteria must match. |
| name | Name of the class map. |
Defaults
Match all criteria.
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 12.1(8a)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
The name and acl_name arguments are case sensitive.
Use the class-map command and its subcommands on individual interfaces to define packet classification, marking, aggregate, and flow policing as part of a globally named service policy.
These commands are available in QoS class map configuration mode:
• exit—Exits QoS class map configuration mode.
• no—Removes a match statement from a class map.
• match—Configures classification criteria.
These optional subcommands are also available:
– access-group {acl_index | name acl_name}
– ip {dscp | precedence} value1 value2... value8
– any
The following subcommands appear in the CLI help, but they are not supported on LAN interfaces:
• input-interface {interface interface_number | null number | vlan vlan_id}
• protocol linktype
• destination-address mac mac_address
• source-address mac mac_address
• qos-group
• mpls
• no
After you have configured the class map name and are in class map configuration mode, you can enter the match subcommands. The syntax for these subcommands is as follows:
match {[access-group {acl_index | name acl_name}] | [ip {dscp | precedence} value1 value2... value8]}
See Table 2-1 for a syntax description of the match subcommands.
Examples
This example shows how to access the class-map commands and subcommands and to configure a class map named ipp5 and enter a match statement for ip precedence 5:
Switch# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# class-map ipp5
Switch(config-cmap)# match ip precedence 5
Switch(config-cmap)#
This example shows how to configure the class map to match an already configured access list:
Switch(config-cmap)# match access-group IPacl1
Switch(config-cmap)#
Related Commands
policy-map
service-policy
show class-map
show policy-map
show policy-map interface
clear counters
To clear the interface counters, use the clear counters command.
clear counters [{FastEthernet interface_number} | {GigabitEthernet interface_number} | {null interface_number} | {port-channel number} | {vlan vlan_id}]
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
| Release | Modification |
|---|---|
| 12.1(8a)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
| 12.1(12c)EW | Support for extended VLAN addresses was added. |
Usage Guidelines
This command clears all the current interface counters from all the interfaces unless you specify an interface.
Note: This command does not clear the counters that are retrieved using SNMP, but only those seen when you enter the show interface counters command.
Examples
This example shows how to clear all the interface counters:
Switch# clear counters
Clear "show interface" counters on all interfaces [confirm] y
Switch#
This example shows how to clear the counters on a specific interface:
Switch# clear counters vlan 200
Clear "show interface" counters on this interface [confirm]y
Switch#
Related Commands
show interface counters (refer to Cisco IOS documentation)
clear hw-module slot password
To clear the password on an intelligent line module, use the clear hw-module slot password command.
clear hw-module slot slot_num password
Syntax Description
| slot_num | Slot on a line module. |
Defaults
The password is not cleared.
Command Modes
Privileged EXEC
Command History
| Release | Modification |
|---|---|
| 12.2(18)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
You only need to change the password once unless the password is reset.
Examples
This example shows how to clear the password from slot 5 on a line module:
Switch# clear hw-module slot 5 password
Switch#
Related Commands
clear interface gigabitethernet
To clear the hardware logic from a Gigabit Ethernet IEEE 802.3z interface, use the clear interface gigabitethernet command.
clear interface gigabitethernet mod/port
Syntax Description
mod/port | Number of the module and port. |
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
Release | Modification |
---|---|
12.1(8a)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Examples
This example shows how to clear the hardware logic from a Gigabit Ethernet IEEE 802.3z interface:
Switch# clear interface gigabitethernet 1/1
Switch#
Related Commands
clear interface vlan
To clear the hardware logic from a VLAN, use the clear interface vlan command.
clear interface vlan number
Syntax Description
number | Number of the VLAN interface; valid values are from 1 to 4094. |
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
Release | Modification |
---|---|
12.1(8a)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
12.1(12c)EW | Support for extended VLAN addresses was added. |
Examples
This example shows how to clear the hardware logic from a specific VLAN:
Switch# clear interface vlan 5
Switch#
Related Commands
clear ip access-template
To clear the statistical information in access lists, use the clear ip access-template command.
clear ip access-template access-list
Syntax Description
access-list | Number of the access list; valid values are from 100 to 199 for an IP extended access list, and from 2000 to 2699 for an expanded range IP extended access list. |
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
Release | Modification |
---|---|
12.1(8a)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Examples
This example shows how to clear the statistical information for an access list:
Switch# clear ip access-template 201
Switch#
clear ip arp inspection log
To clear the status of the log buffer, use the clear ip arp inspection log command.
clear ip arp inspection log
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
Release | Modification |
---|---|
12.1(19)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Examples
This example shows how to clear the contents of the log buffer:
Switch# clear ip arp inspection log
Switch#
Related Commands
arp access-list
show ip arp inspection log
clear ip arp inspection statistics
To clear the dynamic ARP inspection statistics, use the clear ip arp inspection statistics command.
clear ip arp inspection statistics [vlan vlan-range]
Syntax Description
vlan vlan-range | (Optional) Specifies the VLAN range. |
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
Release | Modification |
---|---|
12.1(19)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Examples
This example shows how to clear the DAI statistics from VLAN 1 and how to verify the removal:
Switch# clear ip arp inspection statistics vlan 1
Switch# show ip arp inspection statistics vlan 1
Vlan Forwarded Dropped DHCP Drops ACL Drops
---- --------- ------- ---------- ----------
1 0 0 0 0
Vlan DHCP Permits ACL Permits Source MAC Failures
---- ------------ ----------- -------------------
1 0 0 0
Vlan Dest MAC Failures IP Validation Failures
---- ----------------- ----------------------
1 0 0
Switch#
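Because the clear zeroes the drop and failure counters that record rejected ARP packets, it is worth capturing them first. The following parser for the show ip arp inspection statistics output above is an added example, not Cisco code; it uses the column names printed on this page, and the second sample (VLANs 1 and 100 with non-zero counters) is constructed.

```python
import re

# Column names exactly as printed in the output above. Listing them lets a
# header be split correctly even when its column spacing has been collapsed.
KNOWN_COLUMNS = (
    "Vlan", "Forwarded", "Dropped", "DHCP Drops", "ACL Drops",
    "DHCP Permits", "ACL Permits", "Source MAC Failures",
    "Dest MAC Failures", "IP Validation Failures",
)
# Counters that record rejected ARP packets.
DROP_COLUMNS = (
    "Dropped", "DHCP Drops", "ACL Drops", "Source MAC Failures",
    "Dest MAC Failures", "IP Validation Failures",
)

def split_header(line, ncols):
    """Split a header line into ncols known column names, longest name first."""
    rest = " ".join(line.split())
    names = []
    while rest:
        for name in sorted(KNOWN_COLUMNS, key=len, reverse=True):
            if rest == name or rest.startswith(name + " "):
                names.append(name)
                rest = rest[len(name):].lstrip()
                break
        else:
            raise ValueError(f"unrecognised column heading: {rest!r}")
    if len(names) != ncols:
        raise ValueError(f"expected {ncols} columns, found {names}")
    return names

def parse_dai_statistics(text):
    """Merge the stacked per-VLAN tables into {vlan: {column: count}}."""
    stats, columns, previous = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.fullmatch(r"-+(\s+-+)*", line):
            # A rule line closes a header; its dash groups give the column count.
            if previous is None:
                raise ValueError("rule line without a header above it")
            columns = split_header(previous, len(line.split()))
        elif columns and re.fullmatch(r"\d+(\s+\d+)*", line):
            values = [int(v) for v in line.split()]
            if len(values) != len(columns):
                raise ValueError(f"row does not fit header: {line!r}")
            stats.setdefault(values[0], {}).update(zip(columns[1:], values[1:]))
        previous = line
    return stats

def is_cleared(stats, vlan):
    """True when every counter for the VLAN reads zero, as after a clear."""
    return vlan in stats and all(v == 0 for v in stats[vlan].values())

def vlans_with_drops(stats):
    """Return {vlan: {column: count}} for non-zero drop or failure counters."""
    flagged = {}
    for vlan, counters in stats.items():
        hits = {c: counters[c] for c in DROP_COLUMNS if counters.get(c, 0) > 0}
        if hits:
            flagged[vlan] = hits
    return flagged

# Output copied from the example above (VLAN 1 just after the clear).
PAGE_OUTPUT = """\
Switch# show ip arp inspection statistics vlan 1
Vlan Forwarded Dropped DHCP Drops ACL Drops
---- --------- ------- ---------- ----------
1 0 0 0 0
Vlan DHCP Permits ACL Permits Source MAC Failures
---- ------------ ----------- -------------------
1 0 0 0
Vlan Dest MAC Failures IP Validation Failures
---- ----------------- ----------------------
1 0 0
Switch#
"""

# Constructed sample (not from the page): a snapshot taken before clearing.
CONSTRUCTED_OUTPUT = """\
 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
    1             12             45             40              5
  100            230              0              0              0
 Vlan   DHCP Permits    ACL Permits  Source MAC Failures
 ----   ------------    -----------  -------------------
    1             12              0                    0
  100            230              0                    0
 Vlan   Dest MAC Failures  IP Validation Failures
 ----   -----------------  ----------------------
    1                   0                       0
  100                   0                       0
"""

if __name__ == "__main__":
    print("after clear:", parse_dai_statistics(PAGE_OUTPUT))
    print("needs review:", vlans_with_drops(parse_dai_statistics(CONSTRUCTED_OUTPUT)))
```

Archiving the parsed snapshot before each clear keeps the per-VLAN drop history that the switch itself no longer holds afterwards.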
Related Commands
arp access-list
clear ip arp inspection log
show ip arp inspection
clear ip dhcp snooping database
To clear the DHCP binding database, use the clear ip dhcp snooping database command.
clear ip dhcp snooping database
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
Release | Modification |
---|---|
12.1(19)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Examples
This example shows how to clear the DHCP binding database:
Switch# clear ip dhcp snooping database
Switch#
Related Commands
ip dhcp snooping
ip dhcp snooping binding interface (refer to Cisco IOS documentation)
ip dhcp snooping information option
ip dhcp snooping trust
ip dhcp snooping vlan
show ip dhcp snooping
show ip dhcp snooping binding
clear ip dhcp snooping database statistics
To clear the DHCP binding database statistics, use the clear ip dhcp snooping database statistics command.
clear ip dhcp snooping database statistics
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
Release | Modification |
---|---|
12.1(19)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Examples
This example shows how to clear the DHCP binding database statistics:
Switch# clear ip dhcp snooping database statistics
Switch#
Related Commands
ip dhcp snooping
ip dhcp snooping binding
ip dhcp snooping information option
ip dhcp snooping trust
ip dhcp snooping vlan
show ip dhcp snooping
show ip dhcp snooping binding
clear ip igmp group
To delete the IGMP group cache entries, use the clear ip igmp group command.
clear ip igmp group [{fastethernet mod/port} | {GigabitEthernet mod/port} | {host_name | group_address} {Loopback interface_number} | {null interface_number} | {port-channel number} | {vlan vlan_id}]
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
Release | Modification |
---|---|
12.1(8a)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
The IGMP cache contains a list of the multicast groups of which hosts on the directly connected LAN are members.
To delete all the entries from the IGMP cache, enter the clear ip igmp group command with no arguments.
Examples
This example shows how to clear the entries for a specific group from the IGMP cache:
Switch# clear ip igmp group 224.0.255.1
Switch#
This example shows how to clear the IGMP group cache entries from a specific interface:
Switch# clear ip igmp group gigabitethernet 2/2
Switch#
Related Commands
ip host (refer to Cisco IOS documentation)
show ip igmp groups (refer to Cisco IOS documentation)
show ip igmp interface
clear ip igmp snooping membership
To clear the explicit host tracking database, use the clear ip igmp snooping membership command.
clear ip igmp snooping membership [vlan vlan_id]
Syntax Description
vlan vlan_id | (Optional) Specifies a VLAN; valid values are from 1 to 1001 and from 1006 to 4094. |
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
Release | Modification |
---|---|
12.1(20)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
By default, the explicit host tracking database maintains a maximum of 1-KB entries. After you reach this limit, no additional entries can be created in the database. To create more entries, you will need to delete the database with the clear ip igmp snooping statistics vlan command.
Examples
This example shows how to clear the explicit host tracking database for VLAN 25:
Switch# clear ip igmp snooping membership vlan 25
Switch#
Related Commands
ip igmp snooping vlan explicit-tracking
show ip igmp snooping membership
clear ip mfib counters
To clear the global MFIB counters and the counters for all active MFIB routes, use the clear ip mfib counters command.
clear ip mfib counters
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
Release | Modification |
---|---|
12.1(8a)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Examples
This example shows how to clear all the active MFIB routes and global counters:
Switch# clear ip mfib counters
Switch#
Related Commands
clear ip mfib fastdrop
To clear all the MFIB fast-drop entries, use the clear ip mfib fastdrop command.
clear ip mfib fastdrop
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
Release | Modification |
---|---|
12.1(8a)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
If new fast-dropped packets arrive, the new fast-drop entries are created.
Examples
This example shows how to clear all the fast-drop entries:
Switch# clear ip mfib fastdrop
Switch#
Related Commands
ip mfib fastdrop
show ip mfib fastdrop
clear lacp counters
To clear the statistics for all the interfaces belonging to a specific channel group, use the clear lacp counters command.
clear lacp [channel-group] counters
Syntax Description
channel-group | (Optional) Channel-group number; valid values are from 1 to 64. |
Defaults
This command has no default settings.
Command Modes
Privileged EXEC mode
Command History
Release | Modification |
---|---|
12.1(13)EW | Support for this command was introduced on the Catalyst 4500 series switches. |
Usage Guidelines
This command is not supported on systems that are configured with a Supervisor Engine I.
If you do not specify a channel group, all channel groups are cleared.
If you enter this command for a channel group that contains members in PAgP mode, the command is ignored.
Examples
This example shows how to clear the statistics for a specific group:
Switch# clear lacp 1 counters
Switch#
Related Commands
clear mac-address-table
To clear the global counter entries from the Layer 2 MAC address table, use the clear mac-address-table command.
clear mac-address-table {dynamic [{address mac_addr} | {interface interface}] [vlan vlan_id] | notification}
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Enter the clear mac-address-table dynamic command with no arguments to remove all dynamic entries from the table.
The clear mac-address-table notification command clears only the global counters that are displayed with the show mac-address-table notification command. It does not clear the global counters and the history table of the CISCO-MAC-NOTIFICATION-MIB.
Examples
This example shows how to clear all the dynamic Layer 2 entries for a specific interface (gi1/1):
Switch# clear mac-address-table dynamic interface gi1/1
Switch#
This example shows how to clear the MAC address notification counters:
Switch# clear mac-address-table notification
Switch#
Related Commands
clear mac-address-table dynamic
mac-address-table aging-time
mac-address-table notification
main-cpu
show mac-address-table address
snmp-server enable traps
snmp trap mac-notification change
clear mac-address-table dynamic
To clear the dynamic address entries from the Layer 2 MAC address table, use the clear mac-address-table dynamic command.
clear mac-address-table dynamic [{address mac_addr} | {interface interface}] [vlan vlan_id]
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
Release | Modification |
---|---|
12.1(8a)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
12.1(12c)EW | Support for extended VLAN addresses was added. |
Usage Guidelines
Enter the clear mac-address-table dynamic command with no arguments to remove all dynamic entries from the table.
Examples
This example shows how to clear all the dynamic Layer 2 entries for a specific interface (gi1/1):
Switch# clear mac-address-table dynamic interface gi1/1
Switch#
Related Commands
mac-address-table aging-time
main-cpu
show mac-address-table address
clear pagp
To clear the port-channel information, use the clear pagp command.
clear pagp {group-number | counters}
Syntax Description
group-number | Channel-group number; valid values are from 1 to 64. |
counters | Clears traffic filters. |
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
Release | Modification |
---|---|
12.1(8a)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Examples
This example shows how to clear the port-channel information for a specific group:
Switch# clear pagp 32
Switch#
This example shows how to clear all the port-channel traffic filters:
Switch# clear pagp counters
Switch#
Related Commands
clear port-security
To delete all configured secure addresses or a specific dynamic or sticky secure address on an interface from the MAC address table, use the clear port-security command.
clear port-security dynamic [address mac-addr [vlan vlan-id]] | [interface interface-id] [vlan access | voice]
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Usage Guidelines
If you enter the clear port-security all command, the switch removes all the dynamic secure MAC addresses from the MAC address table.
Note: You can clear sticky and static secure MAC addresses one at a time with the no switchport port-security mac-address command.
If you enter the clear port-security dynamic interface interface-id command, the switch removes all the dynamic secure MAC addresses on an interface from the MAC address table.
Command History
Release | Modification |
---|---|
12.2(18)EW | This command was first introduced on the Catalyst 4500 series switch. |
12.2(31)SG | Support for sticky port security was added. |
Examples
This example shows how to remove all the dynamic secure addresses from the MAC address table:
Switch# clear port-security dynamic
This example shows how to remove a dynamic secure address from the MAC address table:
Switch# clear port-security dynamic address 0008.0070.0007
This example shows how to remove all the dynamic secure addresses learned on a specific interface:
Switch# clear port-security dynamic interface gigabitethernet0/1
You can verify that the information was deleted by entering the show port-security command.
Related Commands
show port-security
switchport port-security
clear qos
To clear the global and per-interface aggregate QoS counters, use the clear qos command.
clear qos [aggregate-policer [name] | interface {{fastethernet | GigabitEthernet} {mod/interface}} | vlan {vlan_num} | port-channel {number}]
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
Release | Modification |
---|---|
12.1(8a)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
Note: When you enter the clear qos command, the way that the counters work is affected and the traffic that is normally restricted could be forwarded for a short period of time.
The clear qos command resets the interface QoS policy counters. If no interface is specified, the clear qos command resets the QoS policy counters for all interfaces.
Examples
This example shows how to clear the global and per-interface aggregate QoS counters for all the protocols:
Switch# clear qos
Switch#
This example shows how to clear the specific protocol aggregate QoS counters for all the interfaces:
Switch# clear qos aggregate-policer
Switch#
Related Commands
clear vlan counters
To clear the software-cached counter values to start from zero again for a specified VLAN or all existing VLANs, use the clear vlan counters command.
clear vlan [vlan-id] counters
Syntax Description
vlan-id |
(Optional) VLAN number; see the "Usage Guidelines" section for valid values. |
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
Release | Modification |
---|---|
12.1(13)EW | Support for this command was introduced on the Catalyst 4500 series switches. |
Usage Guidelines
If you do not specify a vlan-id value, the software-cached counter values for all the existing VLANs are cleared.
Examples
Switch# clear vlan 10 counters
Clear "show vlan" counters on this vlan [confirm]y
Switch#
Related Commands
clear vmps statistics
To clear the VMPS statistics, use the clear vmps statistics command.
clear vmps statistics
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
Release | Modification |
---|---|
12.1(13)EW | Support for this command was introduced on the Catalyst 4500 series switches. |
Examples
Switch# clear vmps statistics
Switch#
Related Commands
show vmps
vmps reconfirm (privileged EXEC)
control-plane
To enter control-plane configuration mode, which allows users to associate or modify attributes or parameters (such as a service policy) that are associated with the control plane of the device, use the control-plane command.
control-plane
Syntax Description
This command has no arguments or keywords.
Defaults
The default service policy named "system-cpp-policy" is attached.
Command Modes
Global configuration
Command History
Release | Modification |
---|---|
12.2(31)SG | Support for this command was introduced. |
Usage Guidelines
Note: You must set a policy action for every class. If you do not set a policy action for every class, the traffic skips the class that does not have a policy action and matches against the subsequent classes.
After you enter the control-plane command, you can define control plane services for your route processor. For example, you can associate a service policy with the control plane to police all traffic that is destined to the control plane.
Examples
These examples show how to configure trusted hosts with source addresses 10.1.1.1 and 10.1.1.2 to forward Telnet packets to the control plane without constraint, while allowing all remaining Telnet packets to be policed at the specified rate:
! Allow 10.1.1.1 trusted host traffic.
Switch(config)# access-list 140 deny tcp host 10.1.1.1 any eq telnet
! Allow 10.1.1.2 trusted host traffic.
Switch(config)# access-list 140 deny tcp host 10.1.1.2 any eq telnet
! Rate limit all other Telnet traffic.
Switch(config)# access-list 140 permit tcp any any eq telnet
! Define class-map "telnet-class."
Switch(config)# class-map telnet-class
Switch(config-cmap)# match access-group 140
Switch(config-cmap)# exit
Switch(config)# policy-map control-plane
Switch(config-pmap)# class telnet-class
Switch(config-pmap-c)# police 32000 1000 conform transmit exceed drop
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
! Define aggregate control plane service for the active Route Processor.
Switch(config)# macro global apply system-cpp
Switch(config)# control-plane
Switch(config-cp)# service-policy input system-cpp-policy
Switch(config-cp)# exit
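In access list 140 a deny entry means "do not place this packet in telnet-class", not "drop it", which is why the two trusted hosts escape the policer. The model below is an added illustration, not Cisco code: it assumes a simplified single-rate token bucket for police 32000 1000 (the switch's hardware policer may behave differently), and the 192.0.2.50 source, packet sizes and timings are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TELNET = 23  # "eq telnet"

@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    source: str   # CIDR form; "0.0.0.0/0" stands for "any"
    dport: int    # TCP destination port

# access-list 140 as configured in the example above.
ACL_140 = (
    Ace("deny", "10.1.1.1/32", TELNET),
    Ace("deny", "10.1.1.2/32", TELNET),
    Ace("permit", "0.0.0.0/0", TELNET),
)

def in_telnet_class(src, dport, acl=ACL_140):
    """True if 'match access-group 140' puts the packet in telnet-class.

    The first matching entry decides. A deny entry (or the implicit deny at
    the end) leaves the packet outside this class, so its policer is skipped.
    """
    for ace in acl:
        if dport == ace.dport and ip_address(src) in ip_network(ace.source):
            return ace.action == "permit"
    return False

class Policer:
    """Assumed model of 'police <bps> <burst-bytes> conform transmit exceed drop'."""

    def __init__(self, rate_bps, burst_bytes):
        self.bytes_per_sec = rate_bps / 8
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)  # bucket starts full
        self.last = 0.0

    def offer(self, now, size):
        # Refill for the elapsed time, never beyond the configured burst.
        refill = (now - self.last) * self.bytes_per_sec
        self.tokens = min(self.burst, self.tokens + refill)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return "transmit"
        return "drop"

def simulate(packets, rate_bps=32000, burst_bytes=1000):
    """packets: (time_s, src_ip, dport, size_bytes) in time order.

    Returns a Counter keyed by (src_ip, verdict).
    """
    policer = Policer(rate_bps, burst_bytes)
    tally = Counter()
    for now, src, dport, size in packets:
        if in_telnet_class(src, dport):
            tally[(src, policer.offer(now, size))] += 1
        else:
            tally[(src, "not in telnet-class")] += 1
    return tally

def constructed_traffic():
    """Constructed sample: 100-byte Telnet packets to the control plane."""
    burst = [(0.0, "192.0.2.50", TELNET, 100)] * 15    # untrusted burst
    trusted = [(0.0, "10.1.1.1", TELNET, 100)] * 15    # trusted host
    later = [(0.125, "192.0.2.50", TELNET, 100)] * 6   # 125 ms later
    return burst + trusted + later

if __name__ == "__main__":
    for (src, verdict), count in sorted(simulate(constructed_traffic()).items()):
        print(f"{src:12} {verdict:20} {count}")
```

At 32000 bps the bucket refills at 4000 bytes per second, so the 1000-byte burst admits ten 100-byte packets at once and 125 ms of idle time buys back five more.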
Related Commands
class (refer to the Cisco IOS Release 12.2 Command Reference)
class-map
drop (refer to the Cisco IOS Release 12.2 Command Reference)
match access-group (refer to the Cisco IOS Release 12.2 Command Reference)
policy-map
service-policy
show policy-map control-plane
debug adjacency
To display information about the adjacency debugging, use the debug adjacency command. To disable debugging output, use the no form of this command.
debug adjacency [ipc]
no debug adjacency
Syntax Description
ipc | (Optional) Displays the IPC entries in the adjacency database. |
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
Release | Modification |
---|---|
12.1(8a)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Examples
This example shows how to display the information in the adjacency database:
Switch# debug adjacency
4d02h: ADJ: add 172.20.52.36 (GigabitEthernet1/1) via ARP will expire: 04:00:00
4d02h: ADJ: add 172.20.52.36 (GigabitEthernet1/1) via ARP will expire: 04:00:00
4d02h: ADJ: add 172.20.52.36 (GigabitEthernet1/1) via ARP will expire: 04:00:00
4d02h: ADJ: add 172.20.52.36 (GigabitEthernet1/1) via ARP will expire: 04:00:00
4d02h: ADJ: add 172.20.52.36 (GigabitEthernet1/1) via ARP will expire: 04:00:00
4d02h: ADJ: add 172.20.52.36 (GigabitEthernet1/1) via ARP will expire: 04:00:00
4d02h: ADJ: add 172.20.52.36 (GigabitEthernet1/1) via ARP will expire: 04:00:00
4d02h: ADJ: add 172.20.52.36 (GigabitEthernet1/1) via ARP will expire: 04:00:00
<... output truncated...>
Switch#
Related Commands
undebug adjacency (same as no debug adjacency)
debug backup
To debug the backup events, use the debug backup command. To disable the debugging output, use the no form of this command.
debug backup
no debug backup
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
Release | Modification |
---|---|
12.1(8a)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Examples
This example shows how to debug the backup events:
Switch# debug backup
Backup events debugging is on
Switch#
Related Commands
undebug backup (same as no debug backup)
debug condition interface
To limit the debugging output of interface-related activities, use the debug condition interface command. To disable the debugging output, use the no form of this command.
debug condition interface {fastethernet mod/port | GigabitEthernet mod/port | null interface_num | port-channel interface-num | vlan vlan_id}
no debug condition interface {fastethernet mod/port | GigabitEthernet mod/port | null interface_num | port-channel interface-num | vlan vlan_id}
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
Release | Modification |
---|---|
12.1(8a)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
12.1(12c)EW | Support for extended VLAN addresses was added. |
Examples
This example shows how to limit the debugging output to VLAN interface 1:
Switch# debug condition interface vlan 1
Condition 2 set
Switch#
Related Commands
debug interface
undebug condition interface (same as no debug condition interface)
debug condition standby
To limit the debugging output for the standby state changes, use the debug condition standby command. To disable the debugging output, use the no form of this command.
debug condition standby {fastethernet mod/port | GigabitEthernet mod/port | port-channel interface-num | vlan vlan_id group-number}
no debug condition standby {fastethernet mod/port | GigabitEthernet mod/port | port-channel interface-num | vlan vlan_id group-number}
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
Release | Modification |
---|---|
12.1(8a)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
12.1(12c)EW | Support for extended VLAN addresses was added. |
Usage Guidelines
If you attempt to remove the only condition set, you will be prompted with a message asking if you want to abort the removal operation. You can enter n to abort the removal or y to proceed with the removal. If you remove the only condition set, an excessive number of debugging messages might occur.
Examples
This example shows how to limit the debugging output to group 0 in VLAN 1:
Switch# debug condition standby vlan 1 0
Condition 3 set
Switch#
This example shows the display if you try to turn off the last standby debug condition:
Switch# no debug condition standby vlan 1 0
This condition is the last standby condition set.
Removing all conditions may cause a flood of debugging
messages to result, unless specific debugging flags
are first removed.
Proceed with removal? [yes/no]: n
% Operation aborted
Switch#
Related Commands
undebug condition standby (same as no debug condition standby)
debug condition vlan
To limit the VLAN debugging output for a specific VLAN, use the debug condition vlan command. To disable the debugging output, use the no form of this command.
debug condition vlan {vlan_id}
no debug condition vlan {vlan_id}
Syntax Description
vlan_id | Number of the VLAN; valid values are from 1 to 4096. |
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
Release | Modification |
---|---|
12.1(8a)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
12.1(12c)EW | Support for extended VLAN addresses was added. |
Usage Guidelines
If you attempt to remove the only VLAN condition set, you will be prompted with a message asking if you want to abort the removal operation. You can enter n to abort the removal or y to proceed with the removal. If you remove the only condition set, it could result in the display of an excessive number of messages.
Examples
This example shows how to limit the debugging output to VLAN 1:
Switch# debug condition vlan 1
Condition 4 set
Switch#
This example shows the message that is displayed when you attempt to disable the last VLAN debug condition:
Switch# no debug condition vlan 1
This condition is the last vlan condition set.
Removing all conditions may cause a flood of debugging
messages to result, unless specific debugging flags
are first removed.
Proceed with removal? [yes/no]: n
% Operation aborted
Switch#
Related Commands
undebug condition vlan (same as no debug condition vlan)
debug dot1x
To enable the debugging for the 802.1X feature, use the debug dot1x command. To disable the debugging output, use the no form of this command.
debug dot1x {all | errors | events | packets | registry | state-machine}
no debug dot1x {all | errors | events | packets | registry | state-machine}
Syntax Description
Defaults
Debugging is disabled.
Command Modes
Privileged EXEC
Command History
Release | Modification |
---|---|
12.1(12c)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Examples
This example shows how to enable the 802.1X debugging for all conditions:
Switch# debug dot1x all
Switch#
Related Commands
show dot1x
undebug dot1x (same as no debug dot1x)
debug etherchnl
To debug EtherChannel, use the debug etherchnl command. To disable the debugging output, use the no form of this command.
debug etherchnl [all | detail | error | event | idb | linecard]
no debug etherchnl
Syntax Description
Defaults
The default settings are as follows:
• Debug is disabled.
• All messages are displayed.
Command Modes
Privileged EXEC
Command History
Release | Modification |
---|---|
12.1(8a)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
If you do not specify a keyword, all debug messages are displayed.
Examples
This example shows how to display all the EtherChannel debug messages:
Switch# debug etherchnl
PAgP Shim/FEC debugging is on
22:46:30:FEC:returning agport Po15 for port (Fa2/1)
22:46:31:FEC:returning agport Po15 for port (Fa4/14)
22:46:33:FEC:comparing GC values of Fa2/25 Fa2/15 flag = 1 1
22:46:33:FEC:port_attrib:Fa2/25 Fa2/15 same
22:46:33:FEC:EC - attrib incompatable for Fa2/25; duplex of Fa2/25 is half, Fa2/15 is full
22:46:33:FEC:pagp_switch_choose_unique:Fa2/25, port Fa2/15 in agport Po3 is incompatable
Switch#
This example shows how to display the EtherChannel IDB debug messages:
Switch# debug etherchnl idb
Agport idb related debugging is on
Switch#
This example shows how to disable the debugging:
Switch# no debug etherchnl
Switch#
Related Commands
undebug etherchnl (same as no debug etherchnl)
debug interface
To abbreviate the entry of the debug condition interface command, use the debug interface command. To disable debugging output, use the no form of this command.
debug interface {FastEthernet mod/port | GigabitEthernet mod/port | null | port-channel interface-num | vlan vlan_id}
no debug interface {FastEthernet mod/port | GigabitEthernet mod/port | null | port-channel interface-num | vlan vlan_id}
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
Release | Modification |
---|---|
12.1(8a)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
12.1(12c)EW | Support for extended VLAN addresses was added. |
Examples
This example shows how to limit the debugging to interface VLAN 1:
Switch# debug interface vlan 1
Condition 1 set
Switch#
Related Commands
debug condition interface
undebug interface (same as no debug interface)
debug ipc
To debug the IPC activity, use the debug ipc command. To disable the debugging output, use the no form of this command.
debug ipc {all | errors | events | headers | packets | ports | seats}
no debug ipc {all | errors | events | headers | packets | ports | seats}
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
Release | Modification |
---|---|
12.1(12c)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Examples
This example shows how to enable the debugging of the IPC events:
Switch# debug ipc events
Special Events debugging is on
Switch#
Related Commands
undebug ipc (same as no debug ipc)
debug ip dhcp snooping event
To debug the DHCP snooping events, use the debug ip dhcp snooping event command. To disable debugging output, use the no form of this command.
debug ip dhcp snooping event
no debug ip dhcp snooping event
Syntax Description
This command has no arguments or keywords.
Defaults
Debugging of snooping event is disabled.
Command Modes
Privileged EXEC
Command History
Release | Modification |
---|---|
12.1(12c)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Examples
This example shows how to enable the debugging for the DHCP snooping events:
Switch# debug ip dhcp snooping event
Switch#
This example shows how to disable the debugging for the DHCP snooping events:
Switch# no debug ip dhcp snooping event
Switch#
Related Commands
debug ip dhcp snooping packet
To debug the DHCP snooping messages, use the debug ip dhcp snooping packet command. To disable the debugging output, use the no form of this command.
debug ip dhcp snooping packet
no debug ip dhcp snooping packet
Syntax Description
This command has no arguments or keywords.
Defaults
Debugging of snooping packet is disabled.
Command Modes
Privileged EXEC
Command History
Release | Modification |
---|---|
12.1(12c)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Examples
This example shows how to enable the debugging for the DHCP snooping packets:
Switch# debug ip dhcp snooping packet
Switch#
This example shows how to disable the debugging for the DHCP snooping packets:
Switch# no debug ip dhcp snooping packet
Switch#
Related Commands
debug ip verify source packet
To debug the IP source guard messages, use the debug ip verify source packet command. To disable the debugging output, use the no form of this command.
debug ip verify source packet
no debug ip verify source packet
Syntax Description
This command has no arguments or keywords.
Defaults
Debugging of snooping security packets is disabled.
Command Modes
Privileged EXEC
Command History
Release | Modification |
---|---|
12.1(12c)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Examples
This example shows how to enable debugging for the IP source guard:
Switch# debug ip verify source packet
Switch#
This example shows how to disable debugging for the IP source guard:
Switch# no debug ip verify source packet
Switch#
Related Commands
ip dhcp snooping
ip dhcp snooping information option
ip dhcp snooping limit rate
ip dhcp snooping trust
ip verify source vlan dhcp-snooping (refer to Cisco IOS documentation)
show ip dhcp snooping
show ip dhcp snooping binding
show ip verify source (refer to Cisco IOS documentation)
debug lacp
To debug the LACP activity, use the debug lacp command. To disable the debugging output, use the no form of this command.
debug lacp [all | event | fsm | misc | packet]
no debug lacp
Syntax Description
Defaults
Debugging of LACP activity is disabled.
Command Modes
Privileged EXEC
Command History
Release | Modification |
---|---|
12.1(13)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
This command is supported only by the supervisor engine and can be entered only from the Catalyst 4500 series switch console.
Examples
This example shows how to enable the LACP miscellaneous debugging:
Switch# debug lacp
Port Aggregation Protocol Miscellaneous debugging is on
Switch#
Related Commands
undebug pagp (same as no debug pagp)
debug monitor
To display the monitoring activity, use the debug monitor command. To disable the debugging output, use the no form of this command.
debug monitor {all | errors | idb-update | list | notifications | platform | requests}
no debug monitor {all | errors | idb-update | list | notifications | platform | requests}
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
| Release | Modification |
|---|---|
| 12.1(8a)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Examples
This example shows how to debug the monitoring errors:
Switch# debug monitor errors
SPAN error detail debugging is on
Switch#
Related Commands
undebug monitor (same as no debug monitor)
debug nvram
To debug the NVRAM activity, use the debug nvram command. To disable the debugging output, use the no form of this command.
debug nvram
no debug nvram
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
| Release | Modification |
|---|---|
| 12.1(8a)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Examples
This example shows how to debug NVRAM:
Switch# debug nvram
NVRAM behavior debugging is on
Switch#
Related Commands
undebug nvram (same as no debug nvram)
debug pagp
To debug the PAgP activity, use the debug pagp command. To disable the debugging output, use the no form of this command.
debug pagp [all | event | fsm | misc | packet]
no debug pagp
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
| Release | Modification |
|---|---|
| 12.1(8a)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
This command is supported only by the supervisor engine and can be entered only from the Catalyst 4500 series switch console.
Examples
This example shows how to enable the PAgP miscellaneous debugging:
Switch# debug pagp misc
Port Aggregation Protocol Miscellaneous debugging is on
Switch#
*Sep 30 10:13:03: SP: PAgP: pagp_h(Fa5/6) expired
*Sep 30 10:13:03: SP: PAgP: 135 bytes out Fa5/6
*Sep 30 10:13:03: SP: PAgP: Fa5/6 Transmitting information packet
*Sep 30 10:13:03: SP: PAgP: timer pagp_h(Fa5/6) started with interval 30000
<... output truncated...>
Switch#
Related Commands
undebug pagp (same as no debug pagp)
debug platform packet protocol lacp
To debug the LACP protocol packets, use the debug platform packet protocol lacp command. To disable the debugging output, use the no form of this command.
debug platform packet protocol lacp [receive | transmit | vlan]
no debug platform packet protocol lacp [receive | transmit | vlan]
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
| Release | Modification |
|---|---|
| 12.1(8a)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Examples
This example shows how to enable debugging of the LACP protocol packets:
Switch# debug platform packet protocol lacp
Switch#
Related Commands
undebug platform packet protocol lacp (same as no debug platform packet protocol lacp)
debug platform packet protocol pagp
To debug the PAgP protocol packets, use the debug platform packet protocol pagp command. To disable the debugging output, use the no form of this command.
debug platform packet protocol pagp [receive | transmit | vlan]
no debug platform packet protocol pagp [receive | transmit | vlan]
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
| Release | Modification |
|---|---|
| 12.1(13)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Examples
This example shows how to enable debugging of the PAgP protocol packets:
Switch# debug platform packet protocol pagp
Switch#
Related Commands
undebug platform packet protocol pagp (same as no debug platform packet protocol pagp)
debug pm
To debug the port manager (PM) activity, use the debug pm command. To disable the debugging output, use the no form of this command.
debug pm {all | card | cookies | etherchnl | messages | port | registry | scp | sm | span | split | vlan | vp}
no debug pm {all | card | cookies | etherchnl | messages | port | registry | scp | sm | span | split | vlan | vp}
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
| Release | Modification |
|---|---|
| 12.1(8a)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Examples
This example shows how to enable all PM debugging:
Switch# debug pm all
Switch#
Related Commands
undebug pm (same as no debug pm)
debug port-security
To debug port security, use the debug port-security command. To disable the debugging output, use the no form of this command.
debug port-security
no debug port-security
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
| Release | Modification |
|---|---|
| 12.1(13)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Examples
This example shows how to enable port security debugging:
Switch# debug port-security
Switch#
Related Commands
debug redundancy
To debug the supervisor engine redundancy, use the debug redundancy command. To disable the debugging output, use the no form of this command.
debug redundancy {errors | fsm | kpa | msg | progression | status | timer}
no debug redundancy
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
| Release | Modification |
|---|---|
| 12.1(12c)EW | Support for this command was introduced on the Catalyst 4500 series switch (Catalyst 4507R only). |
Examples
This example shows how to enable the redundancy facility timer event debugging:
Switch# debug redundancy timer
Redundancy timer debugging is on
Switch#
debug spanning-tree
To debug the spanning-tree activities, use the debug spanning-tree command. To disable the debugging output, use the no form of this command.
debug spanning-tree {all | backbonefast | pdu | bpdu-opt | etherchannel | config | events | exceptions | general | ha | mstp | pvst+ | root | snmp | synchronization | uplinkfast}
no debug spanning-tree {all | backbonefast | pdu | bpdu-opt | etherchannel | config | events | exceptions | general | ha | mstp | pvst+ | root | snmp | synchronization | uplinkfast}
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
| Release | Modification |
|---|---|
| 12.1(8a)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Examples
This example shows how to debug the spanning-tree PVST+:
Switch# debug spanning-tree pvst+
Spanning Tree PVST+ debugging is on
Switch#
Related Commands
undebug spanning-tree (same as no debug spanning-tree)
debug spanning-tree backbonefast
To enable debugging of the spanning-tree BackboneFast events, use the debug spanning-tree backbonefast command. To disable the debugging output, use the no form of this command.
debug spanning-tree backbonefast [detail | exceptions]
no debug spanning-tree backbonefast
Syntax Description
| | |
|---|---|
| detail | (Optional) Displays the detailed BackboneFast debugging messages. |
| exceptions | (Optional) Enables the debugging of spanning-tree BackboneFast exceptions. |
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
| Release | Modification |
|---|---|
| 12.1(8a)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
This command is supported only by the supervisor engine and can be entered only from the Catalyst 4500 series switch console.
Examples
This example shows how to enable the debugging and to display the detailed spanning-tree BackboneFast debugging information:
Switch# debug spanning-tree backbonefast detail
Spanning Tree backbonefast detail debugging is on
Switch#
Related Commands
undebug spanning-tree backbonefast (same as no debug spanning-tree backbonefast)
debug spanning-tree switch
To enable the switch shim debugging, use the debug spanning-tree switch command. To disable the debugging output, use the no form of this command.
debug spanning-tree switch {all | errors | general | pm | rx {decode | errors | interrupt | process} | state | tx [decode]}
no debug spanning-tree switch {all | errors | general | pm | rx {decode | errors | interrupt | process} | state | tx [decode]}
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
| Release | Modification |
|---|---|
| 12.1(8a)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
This command is supported only by the supervisor engine and can be entered only from the switch console.
Examples
This example shows how to enable the transmit BPDU debugging on the spanning-tree switch shim:
Switch# debug spanning-tree switch tx
Spanning Tree Switch Shim transmit bpdu debugging is on
*Sep 30 08:47:33: SP: STP SW: TX: bpdu of type ieee-st size 92 on FastEthernet5/9 303
*Sep 30 08:47:33: SP: STP SW: TX: bpdu of type ieee-st size 92 on FastEthernet5/9 304
*Sep 30 08:47:33: SP: STP SW: TX: bpdu of type ieee-st size 92 on FastEthernet5/9 305
*Sep 30 08:47:33: SP: STP SW: TX: bpdu of type ieee-st size 92 on FastEthernet5/9 349
*Sep 30 08:47:33: SP: STP SW: TX: bpdu of type ieee-st size 92 on FastEthernet5/9 350
*Sep 30 08:47:33: SP: STP SW: TX: bpdu of type ieee-st size 92 on FastEthernet5/9 351
*Sep 30 08:47:33: SP: STP SW: TX: bpdu of type ieee-st size 92 on FastEthernet5/9 801
<... output truncated...>
Switch#
Related Commands
undebug spanning-tree switch (same as no debug spanning-tree switch)
debug spanning-tree uplinkfast
To enable the debugging of the spanning-tree UplinkFast events, use the debug spanning-tree uplinkfast command. To disable the debugging output, use the no form of this command.
debug spanning-tree uplinkfast [exceptions]
no debug spanning-tree uplinkfast
Syntax Description
| | |
|---|---|
| exceptions | (Optional) Enables the debugging of the spanning-tree UplinkFast exceptions. |
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
| Release | Modification |
|---|---|
| 12.1(8a)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
This command is supported only by the supervisor engine and can be entered only from the switch console.
Examples
This example shows how to debug the spanning-tree UplinkFast exceptions:
Switch# debug spanning-tree uplinkfast exceptions
Spanning Tree uplinkfast exceptions debugging is on
Switch#
Related Commands
undebug spanning-tree uplinkfast (same as no debug spanning-tree uplinkfast)
debug sw-vlan
To debug the VLAN manager activities, use the debug sw-vlan command. To disable the debugging output, use the no form of this command.
debug sw-vlan {badpmcookies | events | management | packets | registries}
no debug sw-vlan {badpmcookies | events | management | packets | registries}
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
| Release | Modification |
|---|---|
| 12.1(8a)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Examples
This example shows how to debug the software VLAN events:
Switch# debug sw-vlan events
vlan manager events debugging is on
Switch#
Related Commands
undebug sw-vlan (same as no debug sw-vlan)
debug sw-vlan ifs
To enable the VLAN manager Cisco IOS file system (IFS) error tests, use the debug sw-vlan ifs command. To disable the debugging output, use the no form of this command.
debug sw-vlan ifs {open {read | write} | read {1 | 2 | 3 | 4} | write}
no debug sw-vlan ifs {open {read | write} | read {1 | 2 | 3 | 4} | write}
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
| Release | Modification |
|---|---|
| 12.1(8a)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
The following are four types of file read operations:
•Operation 1—Reads the file header, which contains the header verification word and the file version number.
•Operation 2—Reads the main body of the file, which contains most of the domain and VLAN information.
•Operation 3—Reads TLV descriptor structures.
•Operation 4—Reads TLV data.
Examples
This example shows how to debug the TLV data errors during a file-read operation:
Switch# debug sw-vlan ifs read 4
vlan manager ifs read # 4 errors debugging is on
Switch#
Related Commands
undebug sw-vlan ifs (same as no debug sw-vlan ifs)
debug sw-vlan notification
To enable the debugging of the messages that trace the activation and deactivation of the ISL VLAN IDs, use the debug sw-vlan notification command. To disable the debugging output, use the no form of this command.
debug sw-vlan notification {accfwdchange | allowedvlancfgchange | fwdchange | linkchange | modechange | pruningcfgchange | statechange}
no debug sw-vlan notification {accfwdchange | allowedvlancfgchange | fwdchange | linkchange | modechange | pruningcfgchange | statechange}
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
| Release | Modification |
|---|---|
| 12.1(8a)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Examples
This example shows how to debug the software VLAN interface mode change notifications:
Switch# debug sw-vlan notification modechange
vlan manager port mode change notification debugging is on
Switch#
Related Commands
undebug sw-vlan notification (same as no debug sw-vlan notification)
debug sw-vlan vtp
To enable the debugging of messages to be generated by the VTP protocol code, use the debug sw-vlan vtp command. To disable the debugging output, use the no form of this command.
debug sw-vlan vtp {events | packets | pruning [packets | xmit] | xmit}
no debug sw-vlan vtp {events | packets | pruning [packets | xmit] | xmit}
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
| Release | Modification |
|---|---|
| 12.1(8a)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
If you do not enter any more parameters after entering pruning, the VTP pruning debugging messages are displayed.
Examples
This example shows how to debug the software VLAN outgoing VTP packets:
Switch# debug sw-vlan vtp xmit
vtp xmit debugging is on
Switch#
Related Commands
undebug sw-vlan vtp (same as no debug sw-vlan vtp)
debug udld
To enable the debugging of UDLD activity, use the debug udld command. To disable the debugging output, use the no form of this command.
debug udld {events | packets | registries}
no debug udld {events | packets | registries}
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
| Release | Modification |
|---|---|
| 12.1(8a)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
This command is supported only by the supervisor engine and can be entered only from the Catalyst 4500 series switch console.
Examples
This example shows how to debug the UDLD events:
Switch# debug udld events
UDLD events debugging is on
Switch#
This example shows how to debug the UDLD packets:
Switch# debug udld packets
UDLD packets debugging is on
Switch#
This example shows how to debug the UDLD registry events:
Switch# debug udld registries
UDLD registries debugging is on
Switch#
Related Commands
undebug udld (same as no debug udld)
debug vqpc
To debug the VLAN Query Protocol (VQP), use the debug vqpc command. To disable the debugging output, use the no form of this command.
debug vqpc [all | cli | events | learn | packet]
no debug vqpc [all | cli | events | learn | packet]
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
| Release | Modification |
|---|---|
| 12.1(13)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Examples
This example shows how to enable all VQP debugging:
Switch# debug vqpc all
Switch#
Related Commands
vmps reconfirm (privileged EXEC)
define interface-range
To create a macro of interfaces, use the define interface-range command.
define interface-range macro-name interface-range
Syntax Description
| | |
|---|---|
| macro-name | Name of the interface range macro; up to 32 characters. |
| interface-range | List of valid ranges when specifying interfaces; see the "Usage Guidelines" section. |
Defaults
This command has no default settings.
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 12.1(8a)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
The macro name is a character string of up to 32 characters.
A macro can contain up to five ranges. An interface range cannot span modules.
When entering the interface-range, use these formats:
•interface-type {mod}/{first-interface} - {last-interface}
•interface-type {mod}/{first-interface} - {last-interface}
The valid values for interface-type are as follows:
•FastEthernet
•GigabitEthernet
•Vlan vlan_id
Examples
This example shows how to create a multiple-interface macro:
Switch(config)# define interface-range macro1 gigabitethernet 4/1-6, fastethernet 2/1-5
Switch(config)#
Related Commands
deny
To deny an ARP packet based on matches against the DHCP bindings, use the deny command. To remove the specified ACEs from the access list, use the no form of this command.
deny {[request] ip {any | host sender-ip | sender-ip sender-ip-mask} mac {any | host sender-mac | sender-mac sender-mac-mask} | response ip {any | host sender-ip | sender-ip sender-ip-mask} [{any | host target-ip | target-ip target-ip-mask}] mac {any | host sender-mac | sender-mac sender-mac-mask} [{any | host target-mac | target-mac target-mac-mask}]} [log]
no deny {[request] ip {any | host sender-ip | sender-ip sender-ip-mask} mac {any | host sender-mac | sender-mac sender-mac-mask} | response ip {any | host sender-ip | sender-ip sender-ip-mask} [{any | host target-ip | target-ip target-ip-mask}] mac {any | host sender-mac | sender-mac sender-mac-mask} [{any | host target-mac | target-mac target-mac-mask}]} [log]
Syntax Description
Defaults
At the end of the ARP access list, there is an implicit deny ip any mac any command.
Command Modes
arp-nacl configuration
Command History
| Release | Modification |
|---|---|
| 12.1(19)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
Deny clauses can be added to forward or drop ARP packets based on some matching criteria.
Examples
This example shows a host with a MAC address of 0000.0000.abcd and an IP address of 1.1.1.1, and how to deny both requests and responses from this host:
Switch(config)# arp access-list static-hosts
Switch(config-arp-nacl)# deny ip host 1.1.1.1 mac host 0000.0000.abcd
Switch(config-arp-nacl)# end
Switch# show arp access-list
ARP access list static-hosts
deny ip host 1.1.1.1 mac host 0000.0000.abcd
Switch#
Related Commands
arp access-list
ip arp inspection filter vlan
permit
diagnostic monitor action
To direct the action of the switch when it detects a packet memory failure, use the diagnostic monitor action command.
diagnostic monitor action [conservative | normal | aggressive]
Syntax Description
Defaults
normal mode
Command Modes
Global configuration mode
Command History
| Release | Modification |
|---|---|
| 12.2(18)EW | This command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
Use the conservative keyword when you do not want the switch to reboot so that the problem can be fixed.
Use the aggressive keyword when you have redundant supervisor engines, or when network-level redundancy has been provided.
Examples
This example shows how to configure the switch to initiate an RPR switchover when an ongoing failure occurs:
Switch# configure terminal
Switch(config)# diagnostic monitor action normal
Related Commands
show diagnostic result module test 2
show diagnostic result module test 3
diagnostic start
To run the specified diagnostic test, use the diagnostic start command.
diagnostic start {module num} {test test-id} [port num]
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
| Release | Modification |
|---|---|
| 12.2(25)SG | Support for this command was introduced on the Catalyst 4500 series switch. |
Examples
This example shows how to run the specified diagnostic test at the specified module:
This exec command starts the TDR test on specified interface
Switch# diagnostic start module 1 test cable-tdr port 3
diagnostic start module 1 test cable-tdr port 3
module 1: Running test(s) 5 Run interface level cable diags
module 1: Running test(s) 5 may disrupt normal system operation
Do you want to continue? [no]: yes
yes
Switch#
2d16h: %DIAG-6-TEST_RUNNING: module 1: Running online-diag-tdr{ID=5} ...
2d16h: %DIAG-6-TEST_OK: module 1: online-diag-tdr{ID=5} has completed successfully
Switch#
Note The show cable-diagnostic tdr command is used to display the results of a TDR test. The test results will not be available until approximately 1 minute after the test starts. If you type the show cable-diagnostic tdr command within 1 minute of the test starting, you may see a "TDR test is in progress on interface..." message.
Related Commands
dot1x auth-fail max-attempts
To configure the maximum number of attempts before a port is moved to the auth-fail VLAN, use the dot1x auth-fail max-attempts command. To return to the default setting, use the no form of this command.
dot1x auth-fail max-attempts max-attempts
no dot1x auth-fail max-attempts max-attempts
Syntax Description
| | |
|---|---|
| max-attempts | Specifies a maximum number of attempts before a port is moved to the auth-fail VLAN in the range of 1 to 10. |
Defaults
Default is 3.
Command Modes
Interface configuration
Command History
| Release | Modification |
|---|---|
| 12.2(25)SG | Support for this command was introduced on the Catalyst 4500 series switch. |
Examples
This example shows how to configure the maximum number of attempts before the port is moved to the auth-fail VLAN on Fast Ethernet interface 4/3:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface fastethernet4/3
Switch(config-if)# dot1x auth-fail max-attempts 5
Switch(config-if)# end
Switch#
Related Commands
dot1x max-reauth-req
show dot1x
dot1x auth-fail vlan
To enable the auth-fail VLAN on a port, use the dot1x auth-fail vlan command. To return to the default setting, use the no form of this command.
dot1x auth-fail vlan vlan-id
no dot1x auth-fail vlan vlan-id
Syntax Description
| | |
|---|---|
| vlan-id | Specifies a VLAN in the range of 1 to 4094. |
Defaults
None
Command Modes
Interface configuration
Command History
| Release | Modification |
|---|---|
| 12.2(25)SG | Support for this command was introduced on the Catalyst 4500 series switch. |
Examples
This example shows how to configure the auth-fail VLAN on Fast Ethernet interface 4/3:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface fastethernet4/3
Switch(config-if)# dot1x auth-fail vlan 40
Switch(config-if)# end
Switch#
Related Commands
dot1x max-reauth-req
show dot1x
dot1x control-direction
To enable unidirectional port control on a per-port basis on a switch, use the dot1x control-direction command. Use the no form of this command to disable unidirectional port control.
dot1x control-direction [in | both]
no dot1x control-direction
Syntax Description
| | |
|---|---|
| in | (Optional) Specifies controlling in-bound traffic on a port. |
| both | (Optional) Specifies controlling both in-bound and out-bound traffic on a port. |
Defaults
Both in-bound and out-bound traffic will be controlled.
Command Modes
Interface configuration
Command History
| Release | Modification |
|---|---|
| 12.2(31)SG | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
You can manage remote systems using unidirectional control. Unidirectional control enables you to turn on systems remotely using a specific Ethernet packet, known as a magic packet.
Using unidirectional control enables you to remotely manage systems using 802.1X ports. In the past, the port became unauthorized after the system was turned off. In this state, the port only allowed the receipt and transmission of EAPoL packets. Therefore, there was no way for the unidirectional control magic packet to reach the host, and without being turned on, there was no way for the system to authenticate and open the port.
Examples
This example shows how to enable unidirectional control on incoming packets:
Switch(config-if)# dot1x control-direction in
Switch(config-if)#
Related Commands
dot1x critical
To enable the 802.1X critical authentication on a port, use the dot1x critical command. To return to the default setting, use the no form of this command.
dot1x critical
no dot1x critical
Syntax Description
This command has no keywords or variables.
Defaults
Critical authentication is disabled.
Command Modes
Interface configuration
Command History
| Release | Modification |
|---|---|
| 12.2(31)SG | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
Examples
This example shows how to enable 802.1x critical authentication:
Switch(config-if)# dot1x critical
Switch(config-if)#
Related Commands
dot1x critical eapol
dot1x critical recovery delay
dot1x critical vlan
show dot1x
dot1x critical eapol
To enable sending EAPOL success packets when a port is critically authorized partway through an EAP exchange, use the dot1x critical eapol command. To return to the default setting, use the no form of this command.
dot1x critical eapol
no dot1x critical eapol
Syntax Description
This command has no keywords or variables.
Defaults
The default is to not send EAPOL success packets.
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 12.2(31)SG | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
Examples
This example shows how to enable sending EAPOL success packets:
Switch(config-if)# dot1x critical eapol
Switch(config-if)#
Related Commands
dot1x critical
dot1x critical recovery delay
dot1x critical vlan
show dot1x
dot1x critical recovery delay
To set the time interval between port reinitializations, use the dot1x critical recovery delay command. To return to the default setting, use the no form of this command.
dot1x critical recovery delay delay-time
no dot1x critical recovery delay
Syntax Description
| | |
|---|---|
| delay-time | Specifies the interval between port reinitializations when AAA transition occurs; valid values are from 1 to 10,000 milliseconds. |
Defaults
Delay time is set to 100 milliseconds.
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 12.2(31)SG | Support for this command was introduced on the Catalyst 4500 series switch. |
Examples
This example shows how to set the 802.1x critical recovery delay time to 500:
Switch(config-if)# dot1x critical recovery delay 500
Switch(config-if)#
Related Commands
dot1x critical
dot1x critical eapol
dot1x critical vlan
show dot1x
dot1x critical vlan
To assign a critically authenticated port to a specific VLAN, use the dot1x critical vlan command. To return to the default setting, use the no form of this command.
dot1x critical vlan vlan-id
no dot1x critical vlan-id
Syntax Description
| | |
|---|---|
| vlan-id | (Optional) Specifies the VLANs; valid values are from 1 to 4094. |
Defaults
Critical authentication is disabled on a port's VLAN.
Command Modes
Interface configuration
Command History
| Release | Modification |
|---|---|
| 12.2(31)SG | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
The type of VLAN specified must match the type of the port. If the port is an access port, the VLAN must be a regular VLAN. If the port is a private-VLAN host port, the VLAN must be the secondary VLAN of a valid private-VLAN domain. If the port is a routed port, no VLAN may be specified.
This command is not supported on platforms such as Layer 3 switches that do not include the Critical Auth VLAN subsystem.
Examples
This example shows how to enable 802.1x critical authentication on a port's VLAN:
Switch(config-if)# dot1x critical vlan 350
Switch(config-if)#
Related Commands
dot1x critical
dot1x critical eapol
dot1x critical recovery delay
show dot1x
dot1x guest-vlan
To enable a guest VLAN on a per-port basis, use the dot1x guest-vlan command. To return to the default setting, use the no form of this command.
dot1x guest-vlan vlan-id
no dot1x guest-vlan vlan-id
Syntax Description
| | |
|---|---|
| vlan-id | Specifies a VLAN in the range of 1 to 4094. |
Defaults
None; the guest VLAN feature is disabled.
Command Modes
Interface configuration
Command History
| Release | Modification |
|---|---|
| 12.1(19)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
| 12.2(25)EWA | Support for secondary VLAN as the configured guest VLAN ID was added. |
Usage Guidelines
Guest VLANs can be configured only on ports that are statically configured as access ports or private VLAN host ports. Statically configured access ports can be configured with regular VLANs as guest VLANs; statically configured private VLAN host ports can be configured with secondary private VLANs as guest VLANs.
Examples
This example shows how to enable a guest VLAN on Fast Ethernet interface 4/3:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface fastethernet4/3
Switch(config-if)# dot1x port-control auto
Switch(config-if)# dot1x guest-vlan 26
Switch(config-if)# end
Switch(config)# end
Switch#
Related Commands
dot1x max-reauth-req
show dot1x
dot1x guest-vlan supplicant
To place an 802.1X-capable supplicant (host) into a guest VLAN, use the dot1x guest-vlan supplicant global configuration command. To return to the default setting, use the no form of this command.
dot1x guest-vlan supplicant
no dot1x guest-vlan supplicant
Syntax Description
This command has no arguments or keywords.
Defaults
802.1X-capable hosts are not put into a guest VLAN.
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 12.2(25)EWA | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
With Cisco Release 12.2(25)EWA, you can use the dot1x guest-vlan supplicant command to place an 802.1X-capable host into a guest VLAN. Prior to Cisco Release 12.2(25)EWA, you could only place non-802.1X capable hosts into a guest VLAN.
When guest VLAN supplicant behavior is enabled, the Catalyst 4500 series switch does not maintain EAPOL packet history. The switch allows clients that fail 802.1X authentication to access a guest VLAN, whether or not EAPOL packets have been detected on the interface.
Examples
This example shows how to place an 802.1X-capable supplicant (host) into a guest VLAN:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# dot1x guest-vlan supplicant
Switch(config)# end
Switch#
Related Commands
dot1x system-auth-control
show dot1x
dot1x host-mode
Use the dot1x host-mode interface configuration command on the switch stack or on a standalone switch to allow a single host (client) or multiple hosts on an IEEE 802.1x-authorized port. Use the multi-domain keyword to enable multidomain authentication (MDA) on an IEEE 802.1x-authorized port. Use the no form of this command to return to the default setting.
dot1x host-mode {multi-host | single-host}
no dot1x host-mode [multi-host | single-host]
Syntax Description
| | |
|---|---|
| multi-host | Enable multiple-hosts mode on the switch. |
| single-host | Enable single-host mode on the switch. |
Defaults
The default is single-host mode.
Command Modes
Interface configuration
Command History
| Release | Modification |
|---|---|
| 12.2(20)EWA | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
Use this command to limit an IEEE 802.1x-enabled port to a single client or to attach multiple clients to an IEEE 802.1x-enabled port. In multiple-hosts mode, only one of the attached hosts needs to be successfully authorized for all hosts to be granted network access. If the port becomes unauthorized (re-authentication fails or an Extensible Authentication Protocol over LAN [EAPOL]-logoff message is received), all attached clients are denied access to the network.
Before entering this command, make sure that the dot1x port-control interface configuration command is set to auto for the specified port.
Examples
This example shows how to enable MDA and to allow both a host and a voice device on the port:
Switch# configure t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface FastEthernet6/1
Switch(config-if)# switchport access vlan 12
Switch(config-if)# switchport mode access
Switch(config-if)# switchport voice vlan 10
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# dot1x port-control auto
Switch(config-if)# dot1x host-mode multi-domain
Switch(config-if)# no shutdown
Switch(config-if)# end
Switch#
You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.
Related Commands
dot1x initialize
To unauthorize an interface before reinitializing 802.1X, use the dot1x initialize command.
dot1x initialize interface
Syntax Description
interface | Number of the interface. |
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
Release | Modification |
---|---|
12.1(12c)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
Use this command to initialize state machines and to set up the environment for fresh authentication.
Examples
This example shows how to initialize the 802.1X state machines on an interface:
Switch# dot1x initialize
Switch#
Related Commands
dot1x mac-auth-bypass
To enable the 802.1X MAC address bypassing on a switch, use the dot1x mac-auth-bypass command. Use the no form of this command to disable MAC address bypassing.
dot1x mac-auth-bypass [eap]
no dot1x mac-auth-bypass [eap]
Syntax Description
eap | (Optional) Specifies using EAP MAC address authentication. |
Defaults
There is no default setting.
Command Modes
Interface configuration
Command History
Release | Modification |
---|---|
12.2(31)SG | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
Removing the dot1x mac-auth-bypass configuration from a port does not affect the authorization or authentication state of the port. If the port is in the unauthenticated state, it remains unauthenticated, and if MAB is active, authentication reverts to the 802.1X Authenticator. If the port is authorized with a MAC address and the MAB configuration is removed, the port remains authorized until re-authentication takes place. When re-authentication occurs, the MAC address is removed in favor of an 802.1X supplicant, which is detected on the wire.
Examples
This example shows how to enable EAP MAC address authentication:
Switch(config-if)# dot1x mac-auth-bypass
Switch(config-if)#
dot1x max-reauth-req
To set the maximum number of times that the switch will retransmit an EAP-Request/Identity frame to the client before restarting the authentication process, use the dot1x max-reauth-req command. To return to the default setting, use the no form of this command.
dot1x max-reauth-req count
no dot1x max-reauth-req
Syntax Description
count | Number of times that the switch retransmits EAP-Request/Identity frames before restarting the authentication process; valid values are from 1 to 10. |
Defaults
The switch sends a maximum of two retransmissions.
Command Modes
Interface configuration.
Command History
Release | Modification |
---|---|
12.1(19)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers. This setting impacts the wait before a non-dot1x-capable client is admitted to the guest VLAN, if one is configured.
You can verify your settings by entering the show dot1x privileged EXEC command.
Examples
This example shows how to set 5 as the number of times that the switch retransmits an EAP-Request/Identity frame before restarting the authentication process:
Switch(config-if)# dot1x max-reauth-req 5
Switch(config-if)#
Related Commands
dot1x max-req
To set the maximum number of times that the switch retransmits an Extensible Authentication Protocol (EAP)-Request frame of types other than EAP-Request/Identity to the client before restarting the authentication process, use the dot1x max-req command. To return to the default setting, use the no form of this command.
dot1x max-req count
no dot1x max-req
Syntax Description
count | Number of times that the switch retransmits EAP-Request frames of types other than EAP-Request/Identity before restarting the authentication process; valid values are from 1 to 10. |
Defaults
The switch sends a maximum of two retransmissions.
Command Modes
Interface configuration
Command History
Usage Guidelines
You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.
You can verify your settings by entering the show dot1x privileged EXEC command.
Examples
This example shows how to set 5 as the number of times that the switch retransmits an EAP-Request frame before restarting the authentication process:
Switch(config-if)# dot1x max-req 5
Switch(config-if)#
Related Commands
dot1x initialize
dot1x max-reauth-req
show dot1x
dot1x port-control
To enable manual control of the authorization state on a port, use the dot1x port-control command. To return to the default setting, use the no form of this command.
dot1x port-control {auto | force-authorized | force-unauthorized}
no dot1x port-control {auto | force-authorized | force-unauthorized}
Syntax Description
Defaults
The port 802.1X authorization is disabled.
Command Modes
Interface configuration
Command History
Release | Modification |
---|---|
12.1(12c)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
The 802.1X protocol is supported on both the Layer 2 static-access ports and the Layer 3-routed ports.
You can use the auto keyword only if the port is not configured as follows:
•Trunk port—If you try to enable 802.1X on a trunk port, an error message appears, and 802.1X is not enabled. If you try to change the mode of an 802.1X-enabled port to trunk, the port mode is not changed.
•Dynamic ports—A port in dynamic mode can negotiate with its neighbor to become a trunk port. If you try to enable 802.1X on a dynamic port, an error message appears, and 802.1X is not enabled. If you try to change the mode of an 802.1X-enabled port to dynamic, the port mode is not changed.
•EtherChannel port—Before enabling 802.1X on the port, you must first remove it from the EtherChannel. If you try to enable 802.1X on an EtherChannel or on an active port in an EtherChannel, an error message appears, and 802.1X is not enabled. If you enable 802.1X on an inactive port of an EtherChannel, the port does not join the EtherChannel.
•Switch Port Analyzer (SPAN) destination port—You can enable 802.1X on a port that is a SPAN destination port; however, 802.1X is disabled until the port is removed as a SPAN destination. You can enable 802.1X on a SPAN source port.
To globally disable 802.1X on the switch, you must disable it on each port. There is no global configuration command for this task.
Examples
This example shows how to enable 802.1X on Gigabit Ethernet 1/1:
Switch(config)# interface gigabitethernet1/1
Switch(config-if)# dot1x port-control auto
Switch#
You can verify your settings by using the show dot1x all or show dot1x interface int commands to show the port-control status. An enabled status indicates that the port-control value is set either to auto or to force-unauthorized.
Related Commands
dot1x re-authenticate
To manually initiate a reauthentication of all 802.1X-enabled ports or the specified 802.1X-enabled port, use the dot1x re-authenticate command.
dot1x re-authenticate [interface interface-id]
Syntax Description
interface interface-id | (Optional) Module and port number of the interface. |
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
Release | Modification |
---|---|
12.1(12c)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
You can use this command to reauthenticate a client without waiting for the configured number of seconds between reauthentication attempts (re-authperiod) and automatic reauthentication.
Examples
This example shows how to manually reauthenticate the device connected to Gigabit Ethernet interface 1/1:
Switch# dot1x re-authenticate interface gigabitethernet1/1
Starting reauthentication on gigabitethernet1/1
Switch#
dot1x re-authentication
To enable the periodic reauthentication of the client, use the dot1x re-authentication command. To return to the default setting, use the no form of this command.
dot1x re-authentication
no dot1x re-authentication
Syntax Description
This command has no arguments or keywords.
Defaults
The periodic reauthentication is disabled.
Command Modes
Interface configuration
Command History
Release | Modification |
---|---|
12.1(12c)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
You configure the amount of time between the periodic reauthentication attempts by using the dot1x timeout re-authperiod global configuration command.
Examples
This example shows how to disable the periodic reauthentication of the client:
Switch(config-if)# no dot1x re-authentication
Switch(config-if)#
This example shows how to enable the periodic reauthentication and set the number of seconds between the reauthentication attempts to 4000 seconds:
Switch(config-if)# dot1x re-authentication
Switch(config-if)# dot1x timeout re-authperiod 4000
Switch#
You can verify your settings by entering the show dot1x privileged EXEC command.
Related Commands
dot1x system-auth-control
To enable 802.1X authentication on the switch, use the dot1x system-auth-control command. To disable 802.1X authentication on the system, use the no form of this command.
dot1x system-auth-control
no dot1x system-auth-control
Syntax Description
This command has no arguments or keywords.
Defaults
The 802.1X authentication is disabled.
Command Modes
Global configuration
Command History
Release | Modification |
---|---|
12.1(12c)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
You must enable dot1x system-auth-control if you want to use the 802.1X access controls on any port on the switch. You can then use the dot1x port-control auto command on each specific port on which you want the 802.1X access controls to be used.
Examples
This example shows how to enable 802.1X authentication:
Switch(config)# dot1x system-auth-control
Switch(config)#
Related Commands
dot1x timeout
To set the reauthentication timer, use the dot1x timeout command. To return to the default setting, use the no form of this command.
dot1x timeout {reauth-period {seconds | server} | quiet-period seconds | tx-period seconds | supp-timeout seconds | server-timeout seconds}
no dot1x timeout {reauth-period | quiet-period | tx-period | supp-timeout | server-timeout}
Syntax Description
Defaults
The default settings are as follows:
•Reauthentication period is 3600 seconds.
•Quiet period is 60 seconds.
•Transmission period is 30 seconds.
•Supplicant timeout is 30 seconds.
•Server timeout is 30 seconds.
Command Modes
Interface configuration
Command History
Release | Modification |
---|---|
12.1(12)EW | Support for this command was introduced on the Catalyst 4500 series switches. |
12.2(25)EWA | Support for selecting the reauthentication timer from the "server" was added. |
Usage Guidelines
The periodic reauthentication must be enabled before entering the dot1x timeout re-authperiod command. Enter the dot1x re-authentication command to enable periodic reauthentication.
Examples
This example shows how to set 60 as the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before retransmitting the request:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface fastethernet4/3
Switch(config-if)# dot1x timeout tx-period 60
Switch(config-if)# end
Switch#
You can verify your settings by entering the show dot1x privileged EXEC command.
This example shows how to set up the switch to use a reauthentication timeout derived from a Session-Timeout attribute taken from the RADIUS Access-Accept message received when a host successfully authenticates via 802.1X:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface fastethernet4/3
Switch(config-if)# dot1x timeout reauth-period server
Switch(config-if)# end
Switch#
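The dot1x command sections above state several dependencies: port-level access control needs the global dot1x system-auth-control command, dot1x host-mode expects dot1x port-control auto, multiple-hosts mode opens the port to every attached host once one is authorized, periodic reauthentication is off by default, and the reauthentication timer needs dot1x re-authentication. The following Python script is an added example, not part of the Cisco documentation, that checks a saved configuration against those statements. The sample configuration, the function names, and the finding names are constructed for the example.

```python
import re

# Constructed running-config excerpt used as sample input (not from the page).
SAMPLE_CONFIG = """\
dot1x system-auth-control
!
interface FastEthernet6/1
 switchport mode access
 dot1x port-control auto
 dot1x host-mode multi-host
!
interface FastEthernet6/2
 switchport mode access
 dot1x port-control auto
 dot1x re-authentication
 dot1x timeout reauth-period 4000
!
interface FastEthernet6/3
 dot1x port-control force-authorized
!
interface FastEthernet6/4
 dot1x host-mode single-host
 dot1x timeout reauth-period server
!
interface GigabitEthernet1/1
 switchport mode trunk
 dot1x port-control auto
 dot1x re-authentication
"""


def parse_config(text):
    """Split a config into global lines and per-interface sub-commands."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue  # blank lines and "!" separators carry no settings
        if line[0].isspace():  # indented line: sub-command of the open block
            if current is not None:
                interfaces[current].append(line.strip())
            continue
        match = re.match(r"interface\s+(\S+)", line)
        current = match.group(1) if match else None
        if match:
            interfaces[current] = []
        else:
            global_lines.append(line)
    return global_lines, interfaces


def audit_dot1x(text):
    """Return sorted (interface, finding) tuples; finding names are made up here."""
    global_lines, interfaces = parse_config(text)
    system_auth = "dot1x system-auth-control" in global_lines
    findings = set()
    for name, cmds in interfaces.items():
        control = host_mode = None
        reauth = timer = False
        for words in (cmd.split() for cmd in cmds):
            if words[:2] == ["dot1x", "port-control"] and len(words) == 3:
                control = words[2]
            elif words[:2] == ["dot1x", "host-mode"] and len(words) == 3:
                host_mode = words[2]
            elif words == ["dot1x", "re-authentication"]:
                reauth = True
            # The page spells the keyword both reauth-period and re-authperiod.
            elif words[:2] == ["dot1x", "timeout"] and len(words) > 2 \
                    and words[2] in ("reauth-period", "re-authperiod"):
                timer = True
        trunkish = any(re.match(r"switchport mode (trunk|dynamic)", c) for c in cmds)
        if control == "auto":
            if not system_auth:  # port setting needs the global command
                findings.add((name, "GLOBAL_DISABLED"))
            if not reauth:  # periodic reauthentication is off by default
                findings.add((name, "NO_REAUTH"))
            if trunkish:  # the switch rejects auto on trunk and dynamic ports
                findings.add((name, "AUTO_ON_TRUNK_OR_DYNAMIC"))
        if control == "force-authorized":  # authorized with no 802.1X exchange
            findings.add((name, "FORCE_AUTHORIZED"))
        if host_mode and control != "auto":  # host-mode expects port-control auto
            findings.add((name, "HOST_MODE_WITHOUT_AUTO"))
        if host_mode == "multi-host":  # one authorized host opens the port for all
            findings.add((name, "MULTI_HOST"))
        if timer and not reauth:  # timer needs dot1x re-authentication first
            findings.add((name, "TIMER_WITHOUT_REAUTH"))
    return sorted(findings)


if __name__ == "__main__":
    for interface, finding in audit_dot1x(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```

The AUTO_ON_TRUNK_OR_DYNAMIC check is meant for staged or templated configurations, since the switch itself refuses that combination.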
Related Commands
duplex
To configure the duplex operation on an interface, use the duplex command. To return to the default setting, use the no form of this command.
duplex {auto | full | half}
no duplex
Syntax Description
auto | Specifies the autonegotiation operation. |
full | Specifies the full-duplex operation. |
half | Specifies the half-duplex operation. |
Defaults
Half-duplex operation
Command Modes
Interface configuration
Command History
Release | Modification |
---|---|
12.1(8a)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
Table 2-2 lists the supported command options by interface.
If the transmission speed on a 16-port RJ-45 Gigabit Ethernet port is set to 1000, the duplex mode is set to full. If the transmission speed is changed to 10 or 100, the duplex mode stays at full. You must configure the correct duplex mode on the switch when the transmission speed changes to 10 or 100 from 1000 Mbps.
Note Catalyst 4006 switches cannot automatically negotiate interface speed and duplex mode if either connecting interface is configured to a value other than auto.
Table 2-3 describes the system performance for different combinations of the duplex and speed modes. The specified duplex command that is configured with the specified speed command produces the resulting action shown in the table.
Examples
This example shows how to configure the interface for full-duplex operation:
Switch(config-if)# duplex full
Switch(config-if)#
Related Commands
speed
interface (refer to Cisco IOS documentation)
show controllers (refer to Cisco IOS documentation)
show interfaces (refer to Cisco IOS documentation)
erase
To erase a file system, use the erase command.
erase {/all [non-default | nvram:] | cat4000_flash | nvram: | startup-config}
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged EXEC
Command History
Release | Modification |
---|---|
12.2(25)SG | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
In addition to the command options shown above, options with the prefix slave that are used to identify nvram: and flash (like slavenvram: and slavecat4000_flash:) appear in the command help messages on the dual supervisor redundancy switch.
The erase nvram: command replaces the write erase and the erase startup-config commands. Like these two commands, it erases both the startup-config and the private-config file.
The erase /all nvram: command erases all files in nvram: in addition to startup-config file and private-config file.
The erase cat4000_flash: command erases the VLAN database configuration file.
The erase /all non-default command facilitates the work of a manufacturing facility and repair center. It erases the configuration and states stored in the non-volatile storage and resets the Catalyst 4500 series switch to the factory default settings. The default settings include those mentioned in the IOS library (below) as well as those set by the erase /all non-default command (vtp mode=transparent, and the ROMMON variables: ConfigReg=0x2101, PS1= "rommon ! >" and EnableAutoConfig=1).
•Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2, at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fun_c/index.htm
•Cisco IOS Configuration Fundamentals Configuration Command Reference, Release 12.2, at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fun_r/index.htm
Examples
This example shows how to erase the files and configuration in a non-volatile storage and reset the switch to factory default settings:
Switch# erase /all non-default
Switch#
Erase and format operation will destroy all data in non-volatile storage. Continue? [confirm]
Formatting bootflash: ...
Format of bootflash complete
Erasing nvram:
Erasing cat4000_flash:
Clearing crashinfo:data
Clearing the last power failure timestamp
Clearing all ROMMON variables
Setting default ROMMON variables:
ConfigReg=0x2101
PS1=rommon ! >
EnableAutoConfig=1
Setting vtp mode to transparent
%WARNING! Please reboot the system for the changes to take effect
Switch#
00:01:48: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
Switch#
This example shows how to erase the contents in nvram.
Switch# erase /all nvram:
Erasing the nvram filesystem will remove all files! Continue? [confirm]
[OK]
Erase of nvram: complete
Switch#
00:38:10: %SYS-7-NV_BLOCK_INIT: Initalized the geometry of nvram
Switch#
This example shows how to erase filesystem cat4000_flash.
Switch# erase cat4000_flash:
Erasing the cat4000_flash filesystem will remove all files! Continue? [confirm]
[OK]
Erase of cat4000_flash:complete
Switch#
Related Commands
boot config (refer to Cisco IOS documentation)
delete (refer to Cisco IOS documentation)
more nvram:startup-config: (refer to Cisco IOS documentation)
show bootvar
undelete (refer to Cisco IOS documentation)
errdisable detect
To enable error-disable detection, use the errdisable detect command. To disable the error-disable detection feature, use the no form of this command.
errdisable detect cause {all | arp-inspection | dhcp-rate-limit | dtp-flap | gbic-invalid | l2ptguard | link-flap | pagp-flap}
no errdisable detect cause {all | arp-inspection | dhcp-rate-limit | dtp-flap | gbic-invalid | l2ptguard | link-flap | pagp-flap}
Syntax Description
Defaults
All error-disable causes are detected.
Command Modes
Global configuration
Command History
Release | Modification |
---|---|
12.1(8a)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
A cause (dtp-flap, link-flap, pagp-flap) is defined as the reason why the error-disabled state occurred. When a cause is detected on an interface, the interface is placed in error-disabled state (an operational state that is similar to link-down state).
You must enter the shutdown command and then the no shutdown command to recover an interface manually from the error-disable state.
Examples
This example shows how to enable error-disable detection for the link-flap error-disable cause:
Switch(config)# errdisable detect cause link-flap
Switch(config)#
This example shows how to disable error-disable detection for DAI:
Switch(config)# no errdisable detect cause arp-inspection
Switch(config)# end
Switch# show errdisable detect
ErrDisable Reason Detection status
----------------- ----------------
udld Enabled
bpduguard Enabled
security-violatio Enabled
channel-misconfig Disabled
psecure-violation Enabled
vmps Enabled
pagp-flap Enabled
dtp-flap Enabled
link-flap Enabled
l2ptguard Enabled
gbic-invalid Enabled
dhcp-rate-limit Enabled
unicast-flood Enabled
storm-control Enabled
ilpower Enabled
arp-inspection Disabled
Switch#
Related Commands
show errdisable detect
show interfaces status
errdisable recovery
To configure the recovery mechanism variables, use the errdisable recovery command. To return to the default setting, use the no form of this command.
errdisable recovery [cause {all | arp-inspection | bpduguard | channel-misconfig | dhcp-rate-limit | dtp-flap | gbic-invalid | l2ptguard | link-flap | pagp-flap | psecure-violation | security-violation | storm-control | udld | unicastflood | vmps} [arp-inspection] [interval {interval}]]
no errdisable recovery [cause {all | arp-inspection | bpduguard | channel-misconfig | dhcp-rate-limit | dtp-flap | gbic-invalid | l2ptguard | link-flap | pagp-flap | psecure-violation | security-violation | storm-control | udld | unicastflood | vmps} [arp-inspection] [interval {interval}]]
Syntax Description
Defaults
Error disable recovery is disabled.
The recovery interval is set to 300 seconds.
Command Modes
Configuration
Command History
Release | Modification |
---|---|
12.1(8a)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
12.1(19)EW | Support for the storm-control feature. |
Usage Guidelines
A cause (bpduguard, dtp-flap, link-flap, pagp-flap, udld) is defined as the reason why the error-disabled state occurred. When a cause is detected on an interface, the interface is placed in error-disabled state (an operational state that is similar to the link-down state). If you do not enable error-disable recovery for the cause, the interface stays in the error-disabled state until a shutdown and no shutdown occurs. If you enable recovery for a cause, the interface is brought out of the error-disabled state and allowed to retry operation again once all the causes have timed out.
You must enter the shutdown command and then the no shutdown command to recover an interface manually from error disable.
Examples
This example shows how to enable the recovery timer for the BPDU guard error disable cause:
Switch(config)# errdisable recovery cause bpduguard
Switch(config)#
This example shows how to set the timer to 300 seconds:
Switch(config)# errdisable recovery interval 300
Switch(config)#
This example shows how to enable the errdisable recovery for arp-inspection:
Switch(config)# errdisable recovery cause arp-inspection
Switch(config)# end
Switch# show errdisable recovery
ErrDisable Reason Timer Status
----------------- --------------
udld Disabled
bpduguard Disabled
security-violatio Disabled
channel-misconfig Disabled
vmps Disabled
pagp-flap Disabled
dtp-flap Disabled
link-flap Disabled
l2ptguard Disabled
psecure-violation Disabled
gbic-invalid Disabled
dhcp-rate-limit Disabled
unicast-flood Disabled
storm-control Disabled
arp-inspection Enabled
Timer interval: 300 seconds
Interfaces that will be enabled at the next timeout:
Switch#
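The show errdisable detect and show errdisable recovery outputs above can be checked mechanically, for example to confirm that causes tied to security features are still detected and are not brought back automatically by the recovery timer. The following Python is an added example, not part of the Cisco documentation; the watch list, the function names, and the abridged sample text are assumptions of the example. Reason names are matched on their first 17 characters because the output cuts them off (security-violatio).

```python
import re

# Width of the reason column, inferred from the outputs shown on this page.
COLUMN_WIDTH = 17

# Causes to review. This watch list is an assumption of the example.
WATCHED = ("arp-inspection", "bpduguard", "dhcp-rate-limit",
           "psecure-violation", "security-violation")

# Abridged from the two "show errdisable" outputs in the examples above.
SHOW_DETECT = """\
ErrDisable Reason Detection status
----------------- ----------------
bpduguard Enabled
security-violatio Enabled
channel-misconfig Disabled
psecure-violation Enabled
dhcp-rate-limit Enabled
arp-inspection Disabled
"""
SHOW_RECOVERY = """\
ErrDisable Reason Timer Status
----------------- --------------
bpduguard Disabled
security-violatio Disabled
psecure-violation Disabled
dhcp-rate-limit Disabled
arp-inspection Enabled
Timer interval: 300 seconds
"""


def parse_status_table(output):
    """Map each reason row to True (Enabled) or False (Disabled)."""
    table = {}
    for line in output.splitlines():
        # Header, separator and timer lines do not end in Enabled/Disabled.
        match = re.match(r"^\s*(\S+)\s+(Enabled|Disabled)\s*$", line)
        if match:
            table[match.group(1)] = match.group(2) == "Enabled"
    return table


def recovery_interval(output):
    """Return the recovery timer in seconds, or None if the line is absent."""
    match = re.search(r"Timer interval:\s*(\d+)\s*seconds", output)
    return int(match.group(1)) if match else None


def review(detect_output, recovery_output, watched=WATCHED):
    """List watched causes that are not detected or that auto-recover."""
    detect = parse_status_table(detect_output)
    recover = parse_status_table(recovery_output)
    report = {"not_detected": [], "auto_recovered": [],
              "interval": recovery_interval(recovery_output)}
    for cause in watched:
        key = cause[:COLUMN_WIDTH]  # match the truncated name in the output
        if detect.get(key) is False:
            report["not_detected"].append(cause)
        if recover.get(key):
            report["auto_recovered"].append(cause)
    return report


if __name__ == "__main__":
    print(review(SHOW_DETECT, SHOW_RECOVERY))
```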
Related Commands
show errdisable recovery
show interfaces status
flowcontrol
To configure a Gigabit Ethernet interface to send or receive pause frames, use the flowcontrol command. To disable the flow control setting, use the no form of this command.
flowcontrol {receive | send} {off | on | desired}
no flowcontrol {receive | send} {off | on | desired}
Syntax Description
Defaults
The default settings for Gigabit Ethernet interfaces are as follows:
•Sending pause frames is off—non-oversubscribed Gigabit Ethernet interfaces.
•Receiving pause frames is desired—non-oversubscribed Gigabit Ethernet interfaces.
•Sending pause frames is on—Oversubscribed Gigabit Ethernet interfaces.
•Receiving pause frames is desired—Oversubscribed Gigabit Ethernet interfaces.
Table 2-4 shows the default settings for the modules.
Command Modes
Interface configuration
Command History
Release | Modification |
---|---|
12.1(8a)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
The pause frames are special packets that signal a source to stop sending frames for a specific period of time because the buffers are full.
Table 2-5 describes the guidelines for using the different configurations of the send and receive keywords with the flowcontrol command.
Table 2-6 identifies how the flow control will be forced or negotiated on the Gigabit Ethernet interfaces based on their speed settings.
Note Catalyst 4006 switches support flow control only on the gigabit interfaces.
Examples
This example shows how to enable send flow control:
Switch(config-if)# flowcontrol receive on
Switch(config-if)#
This example shows how to disable send flow control:
Switch(config-if)# flowcontrol send off
Switch(config-if)#
This example shows how to set receive flow control to desired:
Switch(config-if)# flowcontrol receive desired
Switch(config-if)#
Related Commands
interface port-channel
interface range
interface vlan
show flowcontrol
show running-config (refer to Cisco IOS documentation)
speed
hw-module power
To turn the power off on a slot or line module, use the no hw-module power command. To turn the power back on, use the hw-module power command.
hw-module [slot | module] number power
no hw-module [slot | module] number power
Syntax Description
slot | (Optional) Specifies a slot on a chassis. |
module | (Optional) Specifies a line module. |
number | (Optional) Slot or module number. |
Defaults
After a boot up, the power is on.
Command Modes
Global configuration
Command History
Release | Modification |
---|---|
12.1(8a)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
12.2(18)EW | Added the slot and module keywords. |
Examples
This example shows how to shut off power to a module in slot 5:
Switch# no hw-module slot 5 power
Switch#
Related Commands
hw-module uplink select
Use the hw-module uplink select command to select the 10-Gigabit Ethernet or Gigabit Ethernet uplinks on the Supervisor Engine V-10GE within the W-C4510R chassis.
hw-module uplink select {tengigabitethernet | gigabitethernet | all}
Syntax Description
Defaults
tengigabitethernet
Command Modes
Global configuration
Command History
Release | Modification |
---|---|
12.2(25)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
12.2(25)SG | Support for the all keyword was added. |
Usage Guidelines
Supervisor Engine V-10GE and Supervisor Engine II+10GE support 10-Gigabit Ethernet and Gigabit Ethernet uplink ports. On the Supervisor Engine II+10GE, all uplink ports are always available. Similarly, when a Supervisor Engine V-10GE is plugged into a W-C4503, W-4506, or W-4507R chassis, all uplink ports are always available. When a Supervisor Engine V-10GE is plugged into a W-4510R chassis, you can choose to use the 10-Gigabit Ethernet uplink ports, the Gigabit Ethernet uplink ports, or all uplink ports. If you choose to use all uplink ports, then the tenth slot will support only the WS-X4302-GB switching linecard. Be aware that this command takes effect only after a reload (after you have executed the redundancy reload shelf command).
Because the uplink selection is programmed into hardware during initialization, changing the active uplinks requires saving the configuration and reloading the switch. When you are configuring a change to the uplinks, the system responds with a message informing you that the switch must be reloaded and suggesting the appropriate command (depending on redundancy mode) to reload the switch.
If you select the all keyword, ensure that the tenth slot is either empty or has a WS-X4302-GB switching module.
A no form of this command does not exist. To undo the configuration, you must configure the uplinks.
Examples
This example shows how to select the Gigabit Ethernet uplinks:
Switch(config)# hw-module uplink select gigabitethernet
A reload of the active supervisor is required to apply the new configuration.
Switch(config)# exit
Switch#
Note The Gigabit Ethernet uplinks will be active after the next reload.
This example shows how to select the Gigabit Ethernet uplinks in a redundant system in SSO mode:
Switch(config)# hw-module uplink select gigabitethernet
A 'redundancy reload shelf' or power-cycle of chassis is required to apply the new configuration
Switch(config)# exit
Switch#
Note The Gigabit Ethernet uplinks will be active after the next reload of the chassis/shelf. Use the redundancy reload shelf command to reload the chassis/shelf.
This example shows how to select the Gigabit Ethernet uplinks in a redundant system in RPR mode:
Switch(config)# hw-module uplink select gigabitethernet
A reload of the active supervisor is required to apply the new configuration.
Switch(config)# exit
Switch#
Note The Gigabit Ethernet uplinks will be active on a switchover or reload of the active supervisor engine.
This example shows how to select all the uplinks in a redundant system in SSO mode:
Switch(config)# hw-module uplink select all
Warning: This configuration mode may disable slot10.
A 'redundancy reload shelf' or power-cycle of chassis is required to apply the new configuration.
Switch(config)# exit
Switch#
Note If you select the all keyword, only the Drome board will be supported in the tenth slot of the supervisor engine.
Related Commands
instance
To map a VLAN or a set of VLANs to an MST instance, use the instance command. To return the VLANs to the common instance default, use the no form of this command.
instance instance-id {vlans vlan-range}
no instance instance-id
Syntax Description
Defaults
Mapping is disabled.
Command Modes
MST configuration
Command History
Release | Modification |
---|---|
12.1(12c)EW | Support for this command was introduced on the Catalyst 4500 series switch. |
Usage Guidelines
The mapping is incremental, not absolute. When you enter a range of VLANs, this range is added to or removed from the existing ones.
Any unmapped VLAN is mapped to the CIST instance.
Examples
This example shows how to map a range of VLANs to instance 2:
Switch(config-mst)# instance 2 vlans 1-100
Switch(config-mst)#
This example shows how to map a VLAN to instance 5:
Switch(config-mst)# instance 5 vlans 1100
Switch(config-mst)#
This example shows how to move a range of VLANs from instance 2 to the CIST instance:
Switch(config-mst)# no instance 2 vlans 40-60
Switch(config-mst)#
This example shows how to move all the VLANs mapped to instance 2 back to the CIST instance:
Switch(config-mst)# no instance 2
Switch(config-mst)#
Related Commands
name
revision
show spanning-tree mst
spanning-tree mst configuration