Page 1
3Com® Unified Gigabit Wireless
PoE Switch 24
Command Reference Guide
3CRUS2475
www.3Com.com
Part No. 10015248 Rev. AA
Published October 2006
Page 2
3Com Corporation
350 Campus Drive
Marlborough,
MA 01752-3064
Copyright © 2006, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced
in any form or by any means or used to make any derivative work (such as translation, transformation, or
adaptation) without written permission from 3Com Corporation.
3Com Corporation reserves the right to revise this documentation and to make changes in content from time
to time without obligation on the part of 3Com Corporation to provide notification of such revision or change.
3Com Corporation provides this documentation without warranty, term, or condition of any kind, either
implied or expressed, including, but not limited to, the implied warranties, terms or conditions of
merchantability, satisfactory quality, and fitness for a particular purpose. 3Com may make improvements or
changes in the product(s) and/or the program(s) described in this documentation at any time.
If there is any software on removable media described in this documentation, it is furnished under a license
agreement included with the product as a separate document, in the hard copy documentation, or on the
removable media in a directory file named LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy,
please contact 3Com and a copy will be provided to you.
UNITED STATES GOVERNMENT LEGEND
If you are a United States government agency, then this documentation and the software described herein are
provided to you subject to the following:
All technical data and computer software are commercial in nature and developed solely at private expense.
Software is delivered as “Commercial Computer Software” as defined in DFARS 252.227-7014 (June 1995) or
as a “commercial item” as defined in FAR 2.101(a) and as such is provided with only such rights as are
provided in 3Com’s standard commercial license for the Software. Technical data is provided with limited rights
only as provided in DFAR 252.227-7015 (Nov 1995) or FAR 52.227-14 (June 1987), whichever is applicable.
You agree not to remove or deface any portion of any legend provided on any licensed program or
documentation contained in, or delivered to you in conjunction with, this User Guide.
Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not
be registered in other countries.
3Com and the 3Com logo are registered trademarks of 3Com Corporation.
ntel and Pentium are registered trademarks of Intel Corporation. Microsoft, MS-DOS, Windows, and Windows
NT are registered trademarks of Microsoft Corporation. Novell and NetWare are registered trademarks of
Novell, Inc. UNIX is a registered trademark in the United States and other countries, licensed exclusively
through X/Open Company, Ltd.
IEEE and 802 are registered trademarks of the Institute of Electrical and Electronics Engineers, Inc.
All other company and product names may be trademarks of the respective companies with which they are
associated.
ENVIRONMENTAL STATEMENT
It is the policy of 3Com Corporation to be environmentally friendly in all operations. To uphold our policy, we
are committed to:
Establishing environmental performance standards that comply with national legislation and regulations.
Conserving energy, materials and natural resources in all operations.
Reducing the waste generated by all operations. Ensuring that all waste conforms to recognized environmental
standards. Maximizing the recyclable and reusable content of all products.
Ensuring that all products can be recycled, reused and disposed of safely.
Ensuring that all products are labelled according to recognized environmental standards.
Improving our environmental record on a continual basis.
End of Life Statement
3Com processes allow for the recovery, reclamation and safe disposal of all end-of-life electronic components.
Regulated Materials Statement
3Com products do not contain any hazardous or ozone-depleting material.
Environmental Statement about the Documentation
The documentation for this product is printed on paper that comes from sustainable, managed forests; it is
fully biodegradable and recyclable, and is completely chlorine-free. The varnish is environmentally friendly, and
the inks are vegetable-based with a low heavy-metal content.
Page 3
CONTENTS
USING THE CLI
Overview 19
CLI Command Modes 19
Introduction 19
User EXEC Mode 20
Privileged EXEC 20
Global Configuration Mode 21
Interface Configuration and Specific Configuration Modes 21
Starting the CLI 22
Editing Features 23
Entering Commands 23
Terminal Command Buffer 24
Negating the Effect of Commands 25
Command Completion 25
Nomenclature 25
Keyboard Shortcuts 26
CLI Command Conventions 27
Copying and Pasting Text 27
AAA COMMANDS
aaa authentication login 29
aaa authentication enable 30
login authentication 32
enable authentication 33
ip http authentication 33
ip https authentication 34
show authentication methods 35
password 37
enable password 37
username 38
Page 4
ACL COMMANDS
ip access-list 41
permit (ip) 41
deny (IP) 45
mac access-list 47
permit (MAC) 48
deny (MAC) 49
service-acl 50
show access-lists 51
show interfaces access-lists 52
ADDRESS TABLE COMMANDS
bridge address 55
bridge multicast filtering 56
bridge multicast address 57
bridge multicast forbidden address 58
bridge multicast forward-all 59
bridge multicast forbidden forward-all 60
bridge aging-time 62
clear bridge 62
port security 63
port security mode 64
port security routed secure-address 65
show bridge address-table 66
show bridge address-table static 67
show bridge address-table count 68
show bridge multicast address-table 70
show bridge multicast filtering 72
show ports security 73
show ports security addresses 74
ETHERNET CONFIGURATION COMMANDS
interface ethernet 77
interface range ethernet 77
shutdown 78
Page 5
description 79
speed 80
duplex 81
negotiation 81
flowcontrol 82
mdix 83
clear counters 84
set interface active 85
show interfaces advertise 85
show interfaces configuration 87
show interfaces status 88
show interfaces description 90
show interfaces counters 91
port storm-control include-multicast (GC) 94
port storm-control include-multicast (IC) 95
port storm-control broadcast enable 96
port storm-control broadcast rate 97
show ports storm-control 97
LINE COMMANDS
line 99
speed 99
autobaud 100
exec-timeout 101
history 102
history size 102
terminal history 103
terminal history size 104
show line 105
PHY DIAGNOSTICS COMMANDS
test copper-port tdr 107
show copper-ports tdr 108
show copper-ports cable-length 109
show fiber-ports optical-transceiver 110
Page 6
PORT CHANNEL COMMANDS
interface port-channel 113
interface range port-channel 113
channel-group 114
show interfaces port-channel 115
QOS COMMANDS
qos 117
show qos 118
class-map 118
show class-map 120
match 120
policy-map 121
class 122
show policy-map 123
trust cos-dscp 124
set 125
police 126
service-policy 127
qos aggregate-policer 128
show qos aggregate-policer 129
police aggregate 130
wrr-queue cos-map 131
wrr-queue bandwidth 132
priority-queue out num-of-queues 133
traffic-shape 134
rate-limit interface configuration 135
show qos interface 136
qos map policed-dscp 138
qos map dscp-queue 139
qos trust (Global) 140
qos trust (Interface) 141
qos cos 142
qos dscp-mutation 143
qos map dscp-mutation 143
security-suite enable 144
Page 7
security-suite dos protect 145
security-suite deny martian-addresses 146
CLOCK COMMANDS
clock set 149
clock source 150
clock timezone 150
clock summer-time 151
sntp authentication-key 153
sntp authenticate 154
sntp trusted-key 155
sntp client poll timer 156
sntp anycast client enable 157
sntp client enable (Interface) 157
sntp unicast client enable 158
sntp unicast client poll 159
sntp server 159
show clock 160
show sntp configuration 162
show sntp status 163
RMON COMMANDS
show rmon statistics 167
rmon collection history 169
show rmon collection history 170
show rmon history 172
rmon alarm 175
show rmon alarm-table 177
show rmon alarm 178
rmon event 180
show rmon events 181
show rmon log 182
rmon table-size 183
Page 8
IGMP SNOOPING COMMANDS
ip igmp snooping (Global) 185
ip igmp snooping (Interface) 185
ip igmp snooping mrouter learn-pim-dvmrp 186
ip igmp snooping host-time-out 187
ip igmp snooping mrouter-time-out 188
ip igmp snooping leave-time-out 189
show ip igmp snooping mrouter 189
show ip igmp snooping interface 190
show ip igmp snooping groups 191
LACP COMMANDS
lacp system-priority 193
lacp port-priority 193
lacp timeout 194
show lacp ethernet 195
show lacp port-channel 198
POWER OVER ETHERNET COMMANDS
power inline 201
power inline powered-device 202
power inline priority 202
power inline usage-threshold 203
power inline traps enable 204
show power inline 204
SPANNING-TREE COMMANDS
spanning-tree 209
spanning-tree mode 209
spanning-tree forward-time 210
spanning-tree hello-time 211
spanning-tree max-age 212
spanning-tree priority 213
spanning-tree disable 213
Page 9
spanning-tree cost 214
spanning-tree port-priority 215
spanning-tree portfast 216
spanning-tree link-type 217
spanning-tree pathcost method 217
spanning-tree bpdu 218
clear spanning-tree detected-protocols 219
spanning-tree mst priority 220
spanning-tree mst max-hops 220
spanning-tree mst port-priority 221
spanning-tree mst cost 222
spanning-tree mst configuration 223
instance (mst) 224
name (mst) 224
revision (mst) 225
show (mst) 226
exit (mst) 227
abort (mst) 227
spanning-tree guard root 228
show spanning-tree 229
CONFIGURATION AND IMAGE FILE COMMANDS
copy 263
delete 266
boot system 267
show running-config 268
show startup-config 268
show bootvar 269
RADIUS COMMAND
radius-server host 271
radius-server key 272
radius-server retransmit 273
radius-server source-ip 274
radius-server timeout 275
radius-server deadtime 275
Page 10
show radius-servers 276
PORT MONITOR COMMANDS
port monitor 279
show ports monitor 280
SNMP COMMANDS
snmp-server community 283
snmp-server view 284
snmp-server group 286
snmp-server user 287
snmp-server engineID local 289
snmp-server enable traps 291
snmp-server filter 291
snmp-server host 292
snmp-server v3-host 294
snmp-server trap authentication 295
snmp-server contact 296
snmp-server location 297
snmp-server set 297
show snmp 298
show snmp engineid 300
show snmp views 301
show snmp groups 302
show snmp filters 303
show snmp users 304
IP ADDRESS COMMANDS
ip address 307
ip address dhcp 308
ip default-gateway 309
show ip interface 310
arp 311
arp timeout 312
clear arp-cache 312
Page 11
show arp 313
ip domain-name 314
ip name-server 315
MANAGEMENT ACL COMMANDS
management access-list 317
permit (Management) 318
deny (Management) 319
management access-class 320
show management access-list 321
show management access-class 322
WIRELESS ROGUE AP COMMANDS
rogue-detect enable (Radio) 323
rogue-detect rogue-scan-interval 324
wlan rogue-detect rogue-ap 325
clear wlan rogue-ap 326
show wlan rogue-aps configuration 326
show wlan rogue-aps list 327
show wlan rogue-aps neighborhood 328
WIRELESS ESS COMMANDS
wlan ess create 331
wlan ess configure 331
ssid 332
open vlan 333
qos 334
load-balancing 334
mac-filtering action 335
mac-filtering list 336
security suite create 337
security suite configure 339
vlan (Security-Suite ESS) 340
timer (Security-Suite ESS) 341
update-gkey-on-leave (Security-Suite ESS) 342
Page 12
wpa2 pre-authentication 343
show wlan ess 344
show wlan ess mac-filtering lists 347
show wlan ess counters 348
WIRELESS AP GENERAL COMMANDS
clear wlan ap 351
wlan ap active 352
wlan ap key 352
wlan ap config 353
name 354
tunnel priority 355
wan enable 355
interface ethernet 356
vlan allowed 357
vlan native 358
wlan template ap configure 358
set wlan copy 359
show wlan aps 360
show wlan ap interface radio 364
show wlan ap interface ethernet 365
show wlan aps counters 366
show wlan aps discovered 368
show wlan template aps 369
SSH COMMANDS
ip ssh port 371
ip ssh server 372
crypto key generate dsa 372
crypto key generate rsa 373
ip ssh pubkey-auth 374
crypto key pubkey-chain ssh 374
user-key 375
key-string 376
show ip ssh 378
show crypto key mypubkey 379
Page 13
show crypto key pubkey-chain ssh 380
WEB SERVER COMMANDS
ip http server 383
ip http port 383
ip http exec-timeout 384
ip https server 385
ip https port 385
crypto certificate generate 386
crypto certificate request 388
crypto certificate import 389
ip https certificate 390
show crypto certificate mycertificate 391
show ip http 392
show ip https 393
TACACS+ COMMANDS
tacacs-server host 395
tacacs-server key 396
tacacs-server timeout 397
tacacs-server source-ip 398
show tacacs 399
SYSLOG COMMANDS
logging on 401
logging 402
logging console 403
logging buffered 403
logging buffered size 404
clear logging 405
logging file 406
clear logging file 406
aaa logging 407
file-system logging 408
management logging 408
Page 14
show logging 409
show logging file 411
show syslog-servers 413
WIRELESS AP BSS COMMANDS
bss 415
bss enable 415
advertise-ssid 416
data-rates 417
SYSTEM MANAGEMENT COMMANDS
ping 419
traceroute 421
telnet 424
resume 427
reload 428
hostname 429
show users 429
show sessions 430
show system 431
show version 432
service cpu-utilization 433
show cpu utilization 434
USER INTERFACE COMMANDS
enable 435
disable 436
login 436
configure 437
exit (Configuration) 438
exit 438
end 439
help 439
terminal data-dump 440
debug-mode 441
Page 15
show history 442
show privilege 443
GVRP COMMANDS
gvrp enable (Global) 445
gvrp enable (Interface) 446
garp timer 446
gvrp vlan-creation-forbid 448
gvrp registration-forbid 448
clear gvrp statistics 449
show gvrp configuration 450
show gvrp statistics 451
show gvrp error-statistics 452
VLAN COMMANDS
vlan database 455
vlan 455
interface vlan 456
interface range vlan 457
name 458
switchport access vlan 458
switchport trunk allowed vlan 459
switchport trunk native vlan 460
switchport general allowed vlan 461
switchport general pvid 462
switchport general ingress-filtering disable 463
switchport general acceptable-frame-type tagged-only 463
switchport forbidden vlan 464
show vlan 465
show vlan internal usage 466
show interfaces switchport 467
802.1X COMMANDS
aaa authentication dot1x 469
dot1x system-auth-control 470
Page 16
dot1x port-control 470
dot1x re-authentication 471
dot1x timeout re-authperiod 472
dot1x re-authenticate 473
dot1x timeout quiet-period 473
dot1x timeout tx-period 475
dot1x max-req 475
dot1x timeout supp-timeout 476
dot1x timeout server-timeout 477
show dot1x 478
show dot1x users 481
show dot1x statistics 483
dot1x auth-not-req 485
dot1x multiple-hosts 486
dot1x single-host-violation 487
dot1x guest-vlan 488
dot1x guest-vlan enable 489
show dot1x advanced 490
WIRELESS AP RADIO COMMANDS
interface radio 493
enable (ap radio) 494
channel 494
power 496
allow traffic 497
preamble 497
rts threshold 498
antenna 499
beacon period 500
WIRELESS WLAN COMMANDS
wlan tx-power off 501
wlan country-code 502
wlan tx-power auto enable 504
wlan tx-power auto interval 505
wlan tx-power auto signal-strength 506
Page 17
wlan tx-power auto signal-loss 506
wlan station idle-timeout 507
clear wlan station 508
show wlan 509
show wlan auto-tx-power 510
show wlan logging configuration 511
show wlan stations 512
show wlan stations counters 513
TROUBLESHOOTING
Problem Management 515
Troubleshooting Solutions 515
Page 18
Page 19
USING THE CLI
1
Overview This document describes the Command Line Interface (CLI) used to
manage the 3Com Unified Gigabit Wireless PoE switch.
Most of the CLI commands are applicable to all devices.
This chapter describes how to start using the CLI and the CLI command
editing features.
CLI Command Modes
Introduction To assist in configuring the device, the Command Line Interface (CLI) is
divided into different command modes. Each command mode has its
own set of specific commands. Entering a question mark ? at the system
prompt (console prompt) displays a list of commands available for that
particular command mode.
From each mode, a specific command is used to navigate from one
command mode to another. The standard order to access the modes is as
follows: User EXEC mode, Privileged EXEC mode, Global Configuration
mode, and Interface Configuration mode.
When starting a session, the initial mode is the User EXEC mode. Only a
limited subset of commands are available in User EXEC mode. This level is
reserved for tasks that do not change the configuration. To enter the next
level, the Privileged EXEC mode, a password is required.
The Privileged EXEC mode gives access to commands that are restricted
on User EXEC mode and provides access to the device Configuration
mode.
The Global Configuration mode manages the device configuration on a
global level.
The Interface Configuration mode configures specific interfaces in the
device.
Page 20
20 CHAPTER 1: USING THE CLI
User EXEC Mode After logging into the device, the user is automatically in User EXEC
command mode unless the user is defined as a privileged user. In general,
the User EXEC commands allow the user to perform basic tests, and list
system information.
The user-level prompt consists of the device host name followed by the
angle bracket (>).
Console>
The default host name is Console unless it has been changed using the
hostname command in the Global Configuration mode.
Privileged EXEC Privileged access is password protected to prevent unauthorized use
because many of the Privileged commands set operating system
parameters. The password is not displayed on the screen and is case
sensitive.
Privileged users enter directly into the Privileged EXEC mode. To enter the
Privileged EXEC mode from the User EXEC mode, perform the following
steps:
1 At the prompt enter the enable command and press <Enter>. A
password prompt is displayed.
2 Enter the password and press <Enter>. The password is displayed as *.
The Privileged EXEC mode prompt is displayed. The Privileged EXEC mode
prompt consists of the device host name followed by #.
3 To return from the Privileged EXEC mode to the User EXEC mode, use the
disable command.
The following example illustrates how to access the Privileged EXEC
mode and return to the User EXEC mode:
Console>
Enter Password: ******
Console#
Console#
Console>
enable
disable
4 The exit command is used to return from any mode to the previous
mode except when returning to the User EXEC mode from the Privileged
EXEC mode. For example, the exit command is used to return from the
Interface Configuration mode to the Global Configuration mode.
Page 21
Overview 21
Global Configuration
Mode
Global Configuration mode commands apply to features that affect the
system as a whole, rather than just a specific interface. The configure
Privileged EXEC mode command is used to enter the Global
Configuration mode.
To enter the Global Configuration mode perform the following steps:
1 At the Privileged EXEC mode prompt, enter the configure command and
press <Enter>. The Global Configuration mode prompt is displayed. The
Global Configuration mode prompt consists of the device host name
followed by (config) and #.
Console(config)#
2 To return from the Global Configuration mode to the Privileged EXEC
mode, the user can use one of the following commands:
■ exit
■ end
■ Ctrl+Z
The following example illustrates how to access the Global Configuration
mode and return to the Privileged EXEC mode:
Console#
Console#
Console(config)#
Console#
configure
exit
Interface
Configuration and
Specific
Configuration Modes
Interface Configuration mode commands modify specific interface
operations. The following are the Interface Configuration modes:
■ Line Interface — Contains commands to configure the management
connections. These include commands such as line timeout settings,
etc. The line Global Configuration mode command is used to enter
the Line Configuration command mode.
■ VLAN Database — Contains commands to create a VLAN as a
whole. The vlan database Global Configuration mode command is
used to enter the VLAN Database Interface Configuration mode.
■ Management Access List — Contains commands to define
management access-lists. The management access-list Global
Configuration mode command is used to enter the Management
Access List Configuration mode.
Page 22
22 CHAPTER 1: USING THE CLI
■ Ethernet — Contains commands to manage port configuration. The
■ Port Channel — Contains commands to configure port-channels, for
■ SSH Public Key-chain — Contains commands to manually specify
■ QoS — Contains commands related to service definitions. The qos
■ MAC Access-List — Configures conditions required to allow traffic
interface ethernet Global Configuration mode command is used to
enter the Interface Configuration mode to configure an Ethernet type
interface.
example, assigning ports to a port-channel. Most of these commands
are the same as the commands in the Ethernet interface mode, and
are used to manage the member ports as a single entity. The
interface port-channel Global Configuration mode command is
used to enter the Port Channel Interface Configuration mode.
other device SSH public keys. The crypto key pubkey-chain ssh
Global Configuration mode command is used to enter the SSH Public
Key-chain Configuration mode.
Global Configuration mode command is used to enter the QoS
services configuration mode.
based on MAC addresses. The mac access-list Global Configuration
mode command is used to enter the MAC access-list configuration
mode.
Starting the CLI The device can be managed over a direct connection to the device
console port or via a Telnet connection. The device is managed by
entering command keywords and parameters at the prompt. Using the
device command-line interface (CLI) is very similar to entering commands
on a UNIX system.
If access is via a Telnet connection, ensure that the device has a defined IP
address, corresponding management access is granted, and the
workstation used to access the device is connected to the device prior to
using CLI commands.
The following instructions are for use on the console line only.
Page 23
Editing Features 23
To start using the CLI, perform the following steps:
1 Connect the DB9 null-modem or cross over cable to the RS-232 serial
port of the device to the RS-232 serial port of the terminal or computer
running the terminal emulation application.
a Set the data format to 8 data bits, 1 stop bit, and no parity.
b Set Flow Control to none.
c Under Properties, select VT100 for Emulation mode.
d Select Terminal keys for Function, Arrow, and Ctrl keys. Ensure
that the setting is for Terminal keys (not Windows keys).
Note: When using HyperTerminal with Microsoft® Windows 2000,
ensure that Windows® 2000 Service Pack 2 or later is installed.With
Windows 2000 Service Pack 2, the arrow keys function properly in
HyperTerminal’s VT100 emulation. Go to www.microsoft.com for
information on Windows 2000 service packs.
2 Enter the following commands to begin the configuration procedure:
Console>
Console#
Console(config)#
enable
configure
3 Configure the device and enter the necessary commands to complete the
required tasks.
4 When finished, exit the session with the exit command.
When a different user is required to log onto the system, use the login
Privileged EXEC mode command. This effectively logs off the current user
and logs on the new user.
Editing Features
Entering Commands A CLI command is a series of keywords and arguments. Keywords identify
a command, and arguments specify configuration parameters. For
example, in the command show interfaces status ethernet g11,
show, interfaces and status are keywords, ethernet is an argument
that specifies the interface type, and g11 specifies the port.
Page 24
24 CHAPTER 1: USING THE CLI
To enter commands that require parameters, enter the required
parameters after the command keyword. For example, to set a password
for the administrator, enter:
Console(config)#
username
admin
password
alansmith
When working with the CLI, the command options are not displayed. The
command is not selected from a menu, but is manually entered. To see
what commands are available in each mode or within an Interface
Configuration, the CLI does provide a method of displaying the available
commands, the command syntax requirements and in some instances
parameters required to complete the command. The standard command
to request help is ?.
There are two instances where help information can be displayed:
■ Keyword lookup — The character ? is entered in place of a
command. A list of all valid commands and corresponding help
messages are is displayed.
■ Partial keyword lookup — If a command is incomplete and or the
character ? is entered in place of a parameter. The matched keyword
or parameters for this command are displayed.
To assist in using the CLI, there is an assortment of editing features. The
following features are described:
■ Terminal Command Buffer
■ Command Completion
■ Nomenclature
■ Keyboard Shortcuts
Terminal Command Buffer
Every time a command is entered in the CLI, it is recorded on an internally
managed Command History buffer. Commands stored in the buffer are
maintained on a First In First Out (FIFO) basis. These commands can be
recalled, reviewed, modified, and reissued. This buffer is not preserved
across device resets.
Table 1: Keyword Table 2: Description
Page 25
Editing Features 25
Up-arrow key
Ctrl+P
Down-arrow key Returns to more recent commands in
Recalls commands in the history buffer,
beginning with the most recent
command. Repeats the key sequence
to recall successively older commands.
the history buffer after recalling
commands with the up-arrow key.
Repeating the key sequence will recall
successively more recent commands.
By default, the history buffer system is enabled, but it can be disabled at
any time. For information about the command syntax to enable or disable
the history buffer, see history.
There is a standard default number of commands that are stored in the
buffer. The standard number of 10 commands can be increased to 216.
By configuring 0, the effect is the same as disabling the history buffer
system. For information about the command syntax for configuring the
command history buffer, see history size.
To display the history buffer, see “show history”.
Negating the Effect of Commands
For many configuration commands, the prefix keyword no can be
entered to cancel the effect of a command or reset the configuration to
the default value. This guide describes the negation effect for all
applicable commands.
Command Completion
If the command entered is incomplete, invalid or has missing or invalid
parameters, then the appropriate error message is displayed. This assists
in entering the correct command. By pressing the <Tab> button, an
incomplete command is entered. If the characters already entered are not
enough for the system to identify a single matching command, press ? to
display the available commands matching the characters already entered.
Nomenclature
When referring to an Ethernet port in a CLI command, the following
format is used:
■ For an Ethernet port: Ethernet_type port_number
The Ethernet type may be Gigabit Ethernet (indicated by “g”).
For example, g3 stands for Gigabit Ethernet port 3 on the device.
Page 26
26 CHAPTER 1: USING THE CLI
The ports may be described on an individual basis or within a range. Use
format port number-port number to specify a set of consecutive ports
and port number, port number to indicates a set of non-consecutive
ports. For example, g1-3 stands for Gigabit Ethernet ports 1, 2 and 3, and
g1,5 stands for Gigabit Ethernet ports 1 and 5.
Keyboard Shortcuts
The CLI has a range of keyboard shortcuts to assist in editing the CLI
commands. The following table describes the CLI shortcuts.
Table 3: Keyboard Key Table 4: Description
Up-arrow key Recalls commands from the history
buffer, beginning with the most recent
command. Repeat the key sequence to
recall successively older commands.
Down-arrow key Returns the most recent commands
from the history buffer after recalling
commands with the up arrow key.
Repeating the key sequence will recall
successively more recent commands.
Ctrl+A Moves the cursor to the beginning of
the command line.
Ctrl+E Moves the cursor to the end of the
command line.
Ctrl+Z / End Returns back to the Privileged EXEC
mode from any configuration mode.
Backspace key Deletes one character left to the cursor
position.
Page 27
Editing Features 27
CLI Command Conventions
When entering commands there are certain command entry standards
that apply to all commands. The following table describes the command
conventions.
Convention Description
[ ] In a command line, square brackets
{ } In a command line, curly brackets
Italic font Indicates a parameter.
<Enter> Indicates an individual key on the
Ctrl+F4 Any combination keys pressed
Screen Display
all When a parameter is required to define
indicates an optional entry.
indicate a selection of compulsory
parameters separated by the |
character. One option must be
selected. For example: flowcontrol
{auto|on|off} means that for the
flowcontrol command either auto,
on or off must be selected.
keyboard. For example, <Enter>
indicates the Enter key.
simultaneously on the keyboard.
Indicates system messages and
prompts appearing on the console.
a range of ports or parameters and all
is an option, the default for the
command is all when no parameters
are defined. For example, the
command interface range
port-channel has the option of either
entering a range of channels, or
selecting all. When the command is
entered without a parameter, it
automatically defaults to all.
Copying and Pasting
Te xt
Up to 1000 lines of text (or commands) can be copied and pasted into
the device.
It is the user’s responsibility to ensure that the text copied into the device
consists of legal commands only.
This feature is dependent on the baud rate of the device.
When copying and pasting commands from a configuration file, make
sure that the following conditions exist:
Page 28
28 CHAPTER 1: USING THE CLI
■ A device Configuration mode has been accessed.
■ The commands contain no encrypted data, like encrypted passwords
or keys. Encrypted data cannot be copied and pasted into the device.
Page 29
2
AAA COMMANDS
aaa authentication login
The aaa authentication login Global Configuration mode command
defines login authentication. To restore defaults, use the no form of this
command.
Syntax
aaa authentication login {default | list-name} method1 [method2...]
no aaa authentication login {default | list-name}
Parameters
■ default — Uses the listed authentication methods that follow this
argument as the default list of methods when a user logs in.
■ list-name — Character string used to name the list of authentication
methods activated when a user logs in. (Range: 1-12 characters)
■ method1 [method2...] — Specify at least one method from the
following list:
Keyword Description
enable Uses the enable password for authentication.
line Uses the line password for authentication.
local Uses the local username database for authentication.
none Uses no authentication.
radius Uses the list of all RADIUS servers for authentication.
tacacs Uses the list of all TACACS+ servers for authentication.
Default Configuration
The local user database is checked. This has the same effect as the
command aaa authentication login list-name local.
Page 30
30 CHAPTER 2: AAA COMMANDS
On the console, login succeeds without any authentication check if the
authentication method is not defined.
Command Mode
Global Configuration mode
User Guidelines
The default and optional list names created with the aaa authentication
login command are used with the login authentication command.
Create a list by entering the aaa authentication login list-name method
command for a particular protocol, where list-name is any character
string used to name this list. The method argument identifies the list of
methods that the authentication algorithm tries, in the given sequence.
The additional methods of authentication are used only if the previous
method returns an error, not if it fails. To ensure that the authentication
succeeds even if all methods return an error, specify none as the final
method in the command line.
Example
aaa authentication enable
The following example configures the authentication login.
Console(config)#
login default radius tacacs enable line local none
aaa authentication
The aaa authentication enable Global Configuration mode command
defines authentication method lists for accessing higher privilege levels.
To restore defaults, use the no form of this command.
Syntax
aaa authentication enable {default | list-name} method1 [method2...]
no aaa authentication enable {default | list-name}
Parameters
■ default — Uses the listed authentication methods that follow this
argument as the default list of methods, when using higher privilege
levels.
Page 31
aaa authentication enable 31
■ list-name — Character string used to name the list of authentication
methods activated, when using access higher privilege levels. (Range:
1-12 characters)
■ method1 [method2...] — Specify at least one method from the
following list:
Keyword Description
enableT Uses the enable password for authentication.
line Uses the line password for authentication.
none Uses no authentication.
radius Uses the list of all RADIUS servers for authentication.
Uses username $enabx$., where x is the privilege level.
tacacs Uses the list of all TACACS+ servers for authentication.
Uses username "$enabx$." where x is the privilege level.
Default Configuration I
If the default list is not set, only the enable password is checked. This has
the same effect as the command aaa authentication enable default
enable.
On the console, the enable password is used if it exists. If no password is
set, the process still succeeds. This has the same effect as using the
command aaa authentication enable default enable none.
Command Mode
Global Configuration mode
User Guidelines
The default and optional list names created with the aaa authentication
enable command are used with the enable authentication command.
The additional methods of authentication are used only if the previous
method returns an error, not if it fails. To ensure that the authentication
succeeds even if all methods return an error, specify none as the final
method in the command line.
All aaa authentication enable default requests sent by the device to a
RADIUS or TACACS+ server include the username $enabx$., where x is
the requested privilege level.
Example
Page 32
32 CHAPTER 2: AAA COMMANDS
The following example sets the enable password for authentication when
accessing higher privilege levels.
login authentication
Console(config)#
aaa authentication enable default enable
The login authentication Line Configuration mode command specifies
the login authentication method list for a remote telnet or console. To
restore the default configuration specified by the aaa authentication
login command, use the no form of this command.
Syntax
Login authentication {default | list-name}
no login authentication
Parameters
■ default — Uses the default list created with the aaa authentication
❥
login command.
■ list-name — Uses the indicated list created with the aaa
authentication login command.
Default Configuration
Uses the default set with the command aaa authentication login.
Command Mode
Line Configuration mode
User Guidelines
To change (or rename) an authentication method, use the negate
command and create a new rule with the new method name.
Example
The following example specifies the default authentication method for a
console.
Console(config)#
Console(config-line)#
line console
login authentication default
Page 33
enable authentication 33
enable authentication
The enable authentication Line Configuration mode command
specifies the authentication method list when accessing a higher privilege
level from a remote Telnet or console. To restore the default configuration
specified by the aaa authentication enable command, use the no form
of this command.
Syntax
enable authentication {default | list-name}
no enable authentication
Parameters
■ default — Uses the default list created with the aaa authentication
enable command.
■ list-name — Uses the indicated list created with the aaa
authentication enable command.
Default Configuration
Uses the default set with the aaa authentication enable command.
Command Mode
Line Configuration mode
ip http authentication
User Guidelines
There are no user guidelines for this command.
Example
The following example specifies the default authentication method when
accessing a higher privilege level from a console.
Console(config)#
Console(config-line)#
line console
enable authentication default
The ip http authentication Global Configuration mode command
specifies authentication methods for HTTP server users. To restore the
default configuration, use the no form of this command.
Page 34
34 CHAPTER 2: AAA COMMANDS
Syntax
ip http authentication method1 [method2...]
no ip http authentication
Parameters
■ Method1 [method2...] — Specify at least one method from the
Keyword Description
local Uses the local username database for authentication.
none Uses no authentication.
radius Uses the list of all RADIUS servers for authentication.
tacacs Uses the list of all TACACS+ servers for
Default Configuration
The local user database is checked. This has the same effect as the
command ip http authentication local.
following list:
authentication.
ip https authentication
Command Mode
Global Configuration mode
User Guidelines
The additional methods of authentication are used only if the previous
method returns an error, not if it fails. To ensure that the authentication
succeeds even if all methods return an error, specify none as the final
method in the command line.
Example
The following example configures the HTTP authentication.
Console(config)#
none
ip http authentication radius tacacs local
The ip https authentication Global Configuration mode command
specifies authentication methods for HTTPS server users. To restore the
default configuration, use the no form of this command.
Page 35
show authentication methods 35
Syntax
ip https authentication method1 [method2...]
no ip https authentication
Parameters
■ method1 [method2...] — Specify at least one method from the
following list:
Keyword Source or Destination
local Uses the local username database for authentication.
none Uses no authentication.
radius Uses the list of all RADIUS servers for authentication.
tacacs Uses the list of all TACACS+ servers for authentication.
Default Configuration
The local user database is checked. This has the same effect as the
command ip https authentication local.
show authentication methods
Command Mode
Global Configuration mode
User Guidelines
The additional methods of authentication are used only if the previous
method returns an error, not if it fails. To ensure that the authentication
succeeds even if all methods return an error, specify none as the final
method in the command line.
Example
The following example configures HTTPS authentication.
Console(config)#
none
ip https authentication radius tacacs local
The show authentication methods Privileged EXEC mode command
displays information about the authentication methods.
Syntax
show authentication methods
Page 36
36 CHAPTER 2: AAA COMMANDS
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Example
The following example displays the authentication configuration.
Console#
Login Authentication Method Lists
--------------------------------Default: Local
Enable Authentication Method Lists
---------------------------------Default: Radius, Enable
Console_Enable:
Line Login Method List Enable Method List
-------------- ----------------- -----------------Console Default Default
Telnet Default Default
SSH Default Default
http: Local
https: Local
dot1x:
show authentication methods
Enable, None
Page 37
password 37
password The password Line Configuration mode command specifies a password
on a line. To remove the password, use the no form of this command.
Syntax
password password [encrypted]
no password
Parameters
■ password — Password for this level. (Range: 1-159 characters)
■ encrypted — Encrypted password to be entered, copied from
another device configuration.
Default Configuration
No password is defined.
Command Mode
Line Configuration mode
User Guidelines
If a password is defined as encrypted, the required password length is 32
characters.
Example
The following example specifies the password called ‘secret’ on a console.
Console(config)#
Console(config-line)#
line console
password
secret
enable password The enable password Global Configuration mode command sets a local
password to control access to user and privilege levels. To remove the
password requirement, use the no form of this command.
Syntax
enable password [level level] password [encrypted]
no enable password [level level]
Page 38
38 CHAPTER 2: AAA COMMANDS
Parameters
■ password — Password for this level. (Range: 1-159 characters)
■ level — Level for which the password applies. If not specified the level
■ encrypted — Encrypted password entered, copied from another
Default Configuration
No enable password is defined.
Command Mode
Global Configuration mode
User Guidelines
There are no user guidelines for this command.
Example
The following example sets a local level 15 password called ‘secret’ to
control access to user and privilege levels. .
is 15
(Range: 1-15).
device configuration.
Console(config)#
enable password secret level 15
username The username Global Configuration mode command creates a user
account in the local database. To remove a user name, use the no form of
this command.
Syntax
username name [password password] [level level] [encrypted]
no username name
Parameters
■ name — The name of the user. (Range: 1-20 characters)
■ password — The authentication password for the user. (Range: 1-159
characters)
■ level — The user level (Range: 1-15). If a level is not specified, the level
is automaically set to 1.
Page 39
username 39
■ encrypted — Encrypted password entered, copied from another
device configuration.
Default Configuration
No user is defined.
Command Mode
Global Configuration mode
User Guidelines
User account can be created without a password.
Example
The following example configures user called bob with password ‘lee’
and user level 15 to the system.
Console(config)#
username
bob
password
lee
level
15
Page 40
40 CHAPTER 2: AAA COMMANDS
Page 41
ACL COMMANDS
3
ip access-list The ip access-list Global Configuration mode command enables the
IP-Access Configuration mode and creates Layer 3 ACLs. To delete an
ACL, use the no form of this command.
Syntax
ip access-list name
no ip access-list name
Parameters
■ name — Specifies the name of the ACL. (Range: 0-32 characters)
Default Configuration
The default for all ACLs is deny-all.
Command Mode
Global Configuration mode
User Guidelines
There are no user guidelines for this command.
Example
The following example shows how to create an IP ACL.
Console(config)#
Console(config-ip-al)#
permit (ip) The permit IP-Access List Configuration mode command permits traffic if
the conditions defined in the permit statement match.
ip access-list
ip-acl1
Page 42
42 CHAPTER 3: ACL COMMANDS
Syntax
permit {any | protocol} {any | {source source-wildcard}} {any |
{destination destination-wildcard}} [dscp dscp number | ip-precedence
ip-precedence]
permit-icmp {any | {source source-wildcard}} {any | {destination
destination-wildcard}} {any | icmp-type} {any | icmp-code} [dscp number |
ip-precedence number]
permit-igmp {any | {source source-wildcard}} {any | {destination
destination-wildcard}} {any | igmp-type} [dscp number | ip-precedence
number]
permit-tcp {any | {source source-wildcard}} {any | source-port} {any
|{destination destination-wildcard}} {any | destination-port} [dscp number
| ip-precedence number] [flags list-of-flags]
permit-udp {any | {source source-wildcard}} {any | source-port} {any |
{destination destination-wildcard}} {any | destination-port} [dscp number
| ip-precedence number]
Parameters
■ source — Specifies the source IP address of the packet. Specify any to
indicate IP address 0.0.0.0 and mask 255.255.255.255.
■ source-wildcard — Specifies wildcard to be applied to the source IP
address. Use 1s in bit positions to be ignored. Specify any to indicate
IP address 0.0.0.0 and mask 255.255.255.255.
■ destination — Specifies the destination IP address of the packet.
Specify any to indicate IP address 0.0.0.0 and mask 255.255.255.255.
■ destination-wildcard — Specifies wildcard to be applied to the
destination IP address. Use 1s in bit positions to be ignored. Specify
any to indicate IP address 0.0.0.0 and mask 255.255.255.255.
■ protocol — Specifies the abbreviated name or number of an IP
protocol. (Range: 0-255)
Page 43
permit (ip) 43
The following table lists the protocols that can be specified:
Protocol
IP Protocol Abbreviated Name
Internet Control Message Protocol icmp 1
Internet Group Management Protocol igmp 2
IP in IP (encapsulation) Protocol ipinip 4
Transmission Control Protocol tcp 6
Exterior Gateway Protocol egp 8
Interior Gateway Protocol igp 9
User Datagram Protocol udp 17
Host Monitoring Protocol hmp 20
Reliable Data Protocol rdp 27
Inter-Domain Policy Routing Protocol idpr 35
Ipv6 protocol ipv6 41
Routing Header for IPv6 ipv6-route 43
Fragment Header for IPv6 ipv6-frag 44
Inter-Domain Routing Protocol idrp 45
Reservation Protocol rsvp 46
General Routing Encapsulation gre 47
Encapsulating Security Payload (50) esp 50
Authentication Header ah 51
ICMP for IPv6 ipv6-icmp 58
EIGRP routing protocol eigrp 88
Open Shortest Path Protocol ospf 89
Protocol Independent Multicast pim 103
Layer Two Tunneling Protocol l2tp 115
ISIS over IPv4 isis 124
(any IP protocol) any (25504)
Number
■ dscp — Indicates matching the dscp number with the packet dscp
value.
■ ip-precedence — Indicates matching ip-precedence with the packet
ip-precedence value.
■ icmp-type — Specifies an ICMP message type for filtering ICMP
packets. Enter a value or one of the following values: echo-reply,
destination-unreachable, source-quench, redirect,
Page 44
44 CHAPTER 3: ACL COMMANDS
■ icmp-code — Specifies an ICMP message code for filtering ICMP
■ igmp-type — IGMP packets can be filtered by IGMP message type.
■ destination-port — Specifies the UDP/TCP destination port. (Range:
■ source-port — Specifies the UDP/TCP source port. (Range: 0-65535)
alternate-host-address, echo-request, router-advertisement,
router-solicitation, time-exceeded, parameter-problem,
timestamp, timestamp-reply, information-request,
information-reply, address-mask-request, address-mask-reply,
traceroute, datagram-conversion-error, mobile-host-redirect,
ipv6-where-are-you, ipv6-i-am-here,
mobile-registration-request, mobile-registration-reply,
domain-name-request, domain-name-reply, skip and photuris.
(Range: 0-255)
packets. ICMP packets that are filtered by ICMP message type can also
be filtered by the ICMP message code. (Range: 0-255)
Enter a number or one of the following values: dvmrp, host-query,
host-report, pim or trace. (Range: 0-255)
0-65535)
■ list-of-flags — Specifies a list of TCP flags that can be triggered. If a
flag is set, it is prefixed by “+”. If a flag is not set, it is prefixed by “-”.
The possible values are: +urg, +ack, +psh, +rst, +syn, +fin, -urg,
-ack, -psh, -rst, -syn and -fin. The flags are concatenated into one
string. For example: +fin-ack.
Default Configuration
No IPv4 ACL is defined.
Command Mode
IP-Access List Configuration mode
User Guidelines
Use the ip access-list Global Configuration mode command to enable
the IP-Access List Configuration mode.
Before an Access Control Element (ACE) is added to an ACL, all packets
are permitted. After an ACE is added, an implied deny-any-any
condition exists at the end of the list and those packets that do not match
the conditions defined in the permit statement are denied.
Page 45
deny (IP) 45
Example
The following example shows how to define a permit statement for an IP
ACL.
Console(config)#
Console(config-ip-al)#
ip access-list
permit
rsvp 192.1.1.1 0.0.0.0
ip-acl1
any dscp
56
deny (IP) The deny IP-Access List Configuration mode command denies traffic if
the conditions defined in the deny statement match.
Syntax
deny [disable-port] {any | protocol} {any | {source source-wildcard}}
{any | {destination destination-wildcard}} [dscp dscp number |
ip-precedence ip-precedence]
deny-icmp
deny-igmp
deny-tcp
deny-udp
Parameters
■ disable-port — Specifies that the port is disabled.
■ source — Specifies the IP address or host name from which the packet
was sent. Specify any to indicate IP address 0.0.0.0 and mask
255.255.255.255.
■ source-wildcard — (Optional for the first type) Specifies wildcard bits
by placing 1s in bit positions to be ignored. Specify any to indicate IP
address 0.0.0.0 and mask 255.255.255.255.
■ destination — Specifies the IP address or host name to which the
packet is being sent. Specify any to indicate IP address 0.0.0.0 and
mask 255.255.255.255.
■ destination-wildcard — (Optional for the first type) Specifies wildcard
bits by placing 1s in bit positions to be ignored. Specify any to
indicate IP address 0.0.0.0 and mask 255.255.255.255.
■ protocol — Specifies the abbreviated name or number of an IP
protocol. The following table lists protocols that can be specified:
Page 46
46 CHAPTER 3: ACL COMMANDS
IP Protocol
Abbreviated
Name
Protocol
Number
Internet Control Message Protocol icmp 1
Internet Group Management Protocol igmp 2
IP in IP (encapsulation) Protocol ip 4
Transmission Control Protocol tcp 6
Exterior Gateway Protocol egp 8
Interior Gateway Protocol igp 9
User Datagram Protocol udp 17
Host Monitoring Protocol hmp 20
Reliable Data Protocol rdp 27
Inter-Domain Policy Routing Protocol idpr 35
Ipv6 protocol ipv6 41
Routing Header for IPv6 ipv6-route 43
Fragment Header for IPv6 ipv6-frag 44
Inter-Domain Routing Protocol idrp 45
Reservation Protocol rsvp 46
General Routing Encapsulation gre 47
Encapsulating Security Payload (50) esp 50
Authentication Header ah 51
ICMP for IPv6 ipv6-icmp 58
EIGRP routing protocol eigrp 88
Open Shortest Path Protocol ospf 89
IP-within-IP Encapsulation Protocol ipip 94
Protocol Independent Multicast pim 103
Layer Two Tunneling Protocol l2tp 115
ISIS over IPv4 isis 124
(any IP protocol) any (25504)
■ dscp — Indicates matching the dscp number with the packet dscp
value.
■ ip-precedence — Indicates matching ip-precedence with the packet
ip-precedence value.
Page 47
mac access-list 47
Default Configuration
This command has no default configuration
Command Mode
IP-Access List Configuration mode
User Guidelines
Use the ip access-list Global Configuration mode command to enable
the IP-Access List Configuration mode.
Before an Access Control Element (ACE) is added to an ACL, all packets
are permitted. After an ACE is added, an implied deny-any-any
condition exists at the end of the list and those packets that do not match
the defined conditions are denied.
Example
The following example shows how to define a permit statement for an IP
ACL.
Console(config)# ip access-list ip-acl1
Console(config-ip-al)# deny rsvp 192.1.1.1 0.0.0.255 any
mac access-list The mac access-list Global Configuration mode command enables the
MAC-Access List Configuration mode and creates Layer 2 ACLs. To delete
an ACL, use the no form of this command.
Syntax
mac access-list name
no mac access-list name
Parameters
■ name — Specifies the name of the ACL. (Range: 0-32 characters)
Default Configuration
The default for all ACLs is deny all.
Command Mode
Global Configuration mode
Page 48
48 CHAPTER 3: ACL COMMANDS
User Guidelines
There are no user guidelines for this command.
Example
The following example shows how to create a MAC ACL.
Console(config)#
Console(config-mac-al)#
mac access-list
macl-acl1
permit (MAC) The permit MAC-Access List Configuration mode command defines
permit conditions of an MAC ACL.
Syntax
permit {any | {host source source-wildcard} any | {destination
destination-wildcard}} [vlan vlan-id] [cos cos cos-wildcard] [ethtype
eth-type]
Parameters
■ source — Specifies the source MAC address of the packet.
■ source-wildcard — Specifies wildcard bits to be applied to the source
MAC address. Use 1s in bit positions to be ignored.
■ destination — Specifies the MAC address of the host to which the
packet is being sent.
■ destination-wildcard — Specifies wildcard bits to be applied to the
destination MAC address. Use 1s in bit positions to be ignored.
■ vlan-id — Specifies the ID of the packet vlan. (Range: 0-4095)
■ cos — Specifies the Class of Service (CoS) for the packet. (Range: 0-7)
■ cos-wildcard — Specifies wildcard bits to be applied to the CoS.
■ eth-type — Specifies the Ethernet type of the packet .(Range:
0-65535)
Default Configuration
No MAC ACL is defined.
Command Mode
MAC-Access List Configuration mode
Page 49
deny (MAC) 49
User Guidelines
Before an Access Control Element (ACE) is added to an ACL, all packets
are permitted. After an ACE is added, an implied deny-any-any
condition exists at the end of the list and those packets that do not match
the conditions defined in the permit statement are denied.
If the VLAN ID is specified, the policy map cannot be connected to the
VLAN interface.
Example
The following example shows how to create a MAC ACL with permit
rules.
Console(config)#
Console(config-mac-al)#
vlan 6
mac access-list
permit 6:6:6:6:6:6 0:0:0:0:0:0 any
macl-acl1
deny (MAC) The deny MAC-Access List Configuration mode command denies traffic
if the conditions defined in the deny statement match.
Syntax
deny [disable-port] {any | {source source-wildcard} {any | {destination
destination- wildcard}}[vlan vlan-id] [cos cos cos-wildcard] [ethtype
eth-type]
Parameters
■ disable-port — Indicates that the port is disabled if the statement is
deny.
■ source — Specifies the MAC address of the host from which the
packet was sent.
■ source-wildcard — (Optional for the first type) Specifies wildcard bits
by placing 1s in bit positions to be ignored.
■ destination — Specifies the MAC address of the host to which the
packet is being sent.
■ destination-wildcard — (Optional for the first type) Specifies wildcard
bits by placing 1s in bit positions to be ignored.
■ vlan-id — Specifies the ID of the packet vlan.
■ cos — Specifies the packets’s Class of Service (CoS).
Page 50
50 CHAPTER 3: ACL COMMANDS
■ cos-wildcard — Specifies wildcard bits to be applied to the CoS.
■ eth-type — Specifies the packet’s Ethernet type.
Default Configuration
This command has no default configuration.
Command Mode
MAC-Access List Configuration mode
User Guidelines
MAC BPDU packets cannot be denied.
This command defines an Access Control Element (ACE). An ACE can
only be removed by deleting the ACL, using the no mac access-list
Global Configuration mode command. Alternatively, the Web-based
interface can be used to delete ACEs from an ACL.
Before an Access Control Element (ACE) is added to an ACL, all packets
are permitted. After an ACE is added, an implied deny-any-any
condition exists at the end of the list and those packets that do not match
the conditions defined in the permit statement are denied.
If the VLAN ID is specified, the policy map cannot be connected to the
VLAN interface.
Example
The following example shows how to create a MAC ACL with deny rules
on a device.
Console(config)#
Console (config-mac-acl)#
mac access-list
deny
6:6:6:6:6:6:0:0:0:0:0:0
macl1
any
service-acl The service-acl Interface Configuration mode command applies an ACL
to the input interface. To detach an ACL from an input interface, use the
no form of this command.
Syntax
service-acl {input acl-name}
no service-acl {input}
Page 51
show access-lists 51
Parameters
■ acl-name—Specifies the ACL to be applied to the input interface.
Default Configuration
This command has no default configuration.
Command Mode
Interface (Ethernet, port-channel) Configuration mode.
User Guidelines
In advanced mode, when an ACL is bound to an interface, the port trust
mode is set to trust 12-13 and not to 12.
Example
The following example binds (services) an ACL to VLAN 2.
Console(config)#
Console(config-if)#
interface vlan
service-acl input
2
macl1
show access-lists The show access-lists Privileged EXEC mode command displays access
control lists (ACLs) defined on the device.
Syntax
show access-lists [name]
Parameters
■ name — The name of the ACL.
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Page 52
52 CHAPTER 3: ACL COMMANDS
Example
The following example displays access lists defined on a device.
show interfaces access-lists
Console#
IP access list ACL1
permit ip host 172.30.40.1 any
permit rsvp host 172.30.8.8 any
show access-lists
The show interfaces access-lists Privileged EXEC mode command
displays access lists applied on interfaces.
Syntax
show interfaces access-lists [ethernet interface | port-channel
port-channel-number]
Parameters
■ interface — Valid Ethernet port.
■ port-channel-number — Valid port-channel number.
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Page 53
show interfaces access-lists 53
Example
The following example displays ACLs applied to the interfaces of a device:
Console#
Interface Input ACL
--------- --------g1 ACL1
g1 ACL3
show interfaces access-lists
Page 54
54 CHAPTER 3: ACL COMMANDS
Page 55
ADDRESS TABLE COMMANDS
4
bridge address The bridge address Interface Configuration (VLAN) mode command
adds a MAC-layer station source address to the bridge table. To delete
the MAC address, use the no form of this command.
Syntax
bridge address mac-address {ethernet interface | port-channel
port-channel-number} [permanent | delete-on-reset |
delete-on-timeout | secure]
no bridge address [mac-address]
Parameters
■ mac-address — A valid MAC address.
■ interface — A valid Ethernet port.
■ port-channel-number — A valid port-channel number.
■ permanent — The address can only be deleted by the no bridge
address command.
■ delete-on-reset — The address is deleted after reset.
■ delete-on-timeout — The address is deleted after "age out" time
has expired.
■ secure — The address is deleted after the port changes mode to
unlock learning (no port security command). This parameter is only
available when the port is in the learning locked mode.
Default Configuration
No static addresses are defined. The default mode for an added address is
permanent.
Page 56
56 CHAPTER 4: ADDRESS TABLE COMMANDS
Command Mode
Interface Configuration (VLAN) mode
User Guidelines
Using the no form of the command without specifying a MAC address
deletes all static MAC addresses belonging to this VLAN).
Example
The following example adds a permanent static MAC-layer station source
address 3aa2.64b3.a245 on port 1 to the bridge table.
bridge multicast filtering
Console(config)#
Console(config-if)#
permanent
interface vlan
bridge address
2
3aa2.64b3.a245
ethernet
g16
The bridge multicast filtering Global Configuration mode command
enables filtering multicast addresses. To disable filtering multicast
addresses, use the no form of this command.
Syntax
bridge multicast filtering
no bridge multicast filtering
Default Configuration
Filtering multicast addresses is disabled. All multicast addresses are
flooded to all ports.
Command Mode
Global Configuration mode
User Guidelines
If multicast devices exist on the VLAN, do not change the unregistered
multicast addresses state to drop on the switch ports.
Page 57
bridge multicast address 57
If multicast devices exist on the VLAN and IGMP-snooping is not enabled,
the bridge multicast forward-all command should be used to enable
forwarding all multicast packets to the multicast switches.
Example
In the folowing example, bridge multicast filtering is enabled.
bridge multicast address
Console(config)#
bridge multicast filtering
The bridge multicast address Interface Configuration (VLAN) mode
command registers a MAC-layer multicast address in the bridge table and
statically adds ports to the group. To unregister the MAC address, use the
no form of this command.
Syntax
bridge multicast address {mac-multicast-address | ip-multicast-address}
bridge multicast address {mac-multicast-address | ip-multicast-address}
[add | remove] {ethernet interface-list | port-channel
port-channel-number-list}
no bridge multicast address {mac-multicast-address |
ip-multicast-address}
Parameters
■ add — Adds ports to the group. If no option is specified, this is the
default option.
■ remove — Removes ports from the group.
■ mac-multicast-address — A valid MAC multicast address.
■ ip- multicast-address — A valid IP multicast address.
■ interface-list — Separate nonconsecutive Ethernet ports with a
comma and no spaces; a hyphen is used to designate a range of ports.
■ port-channel-number-list — Separate nonconsecutive port-channels
with a comma and no spaces; a hyphen is used to designate a range
of ports.
Page 58
58 CHAPTER 4: ADDRESS TABLE COMMANDS
Default Configuration
No multicast addresses are defined.
Command Mode
Interface Configuration (VLAN) mode
User Guidelines
If the command is executed without add or remove, the command only
registers the group in the bridge database.
Static multicast addresses can only be defined on static VLANs.
Example
The following example registers the MAC address:
bridge multicast forbidden address
Console(config)#
Console(config-if)#
interface vlan
bridge multicast address
8
01:00:5e:02:02:03
The following example registers the MAC address and adds ports
statically.
Console(config)#
Console(config-if)#
add ethernet
interface vlan
bridge multicast address
g1, g2
8
01:00:5e:02:02:03
The bridge multicast forbidden address Interface Configuration
(VLAN) mode command forbids adding a specific multicast address to
specific ports. Use the no form of this command to restore the default
configuration.
Syntax
bridge multicast forbidden address {mac-multicast-address |
ip-multicast-address} {add | remove} {ethernet interface-list |
port-channel port-channel-number-list}
no bridge multicast forbidden address {mac-multicast-address |
ip-multicast-address}
Page 59
bridge multicast forward-all 59
Parameters
■ add — Adds ports to the group.
■ remove — Removes ports from the group.
■ mac-multicast-address — A valid MAC multicast address.
■ ip- multicast-address — A valid IP multicast address.
■ interface-list — Separate nonconsecutive Ethernet ports with a
comma and no spaces; hyphen is used to designate a range of ports.
■ port-channel-number-list — Separate nonconsecutive valid
port-channels with a comma and no spaces; a hyphen is used to
designate a range of port-channels.
Default Configuration
No forbidden addresses are defined.
Command Modes
Interface Configuration (VLAN) mode
bridge multicast forward-all
User Guidelines
Before defining forbidden ports, the multicast group should be
registered.
Example
In this example, MAC address 0100.5e02.0203 is forbidden on port g9
within VLAN 8.
Console(config)#
Console(config-if)#
Console(config-if)#
0100.5e02.0203
interface vlan
bridge multicast address
bridge multicast forbidden address
add ethernet g
8
9
0100.5e.02.0203
The bridge multicast forward-all Interface Configuration (VLAN) mode
command enables forwarding all multicast packets on a port. To restore
the default configuration, use the no form of this command.
Page 60
60 CHAPTER 4: ADDRESS TABLE COMMANDS
Syntax
bridge multicast forward-all {add | remove} {ethernet interface-list |
port-channel port-channel-number-list}
no bridge multicast forward-all
Parameters
■ add — Force forwarding all multicast packets.
■ remove — Do not force forwarding all multicast packets.
■ interface-list — Separate nonconsecutive Ethernet ports with a
comma and no spaces; a hyphen is used to designate a range of ports.
■ port-channel-number-list — Separates nonconsecutive port-channels
with a comma and no spaces; a hyphen is used to designate a range
of port-channels.
Default Configuration
This setting is disabled.
bridge multicast forbidden forward-all
Command Mode
Interface Configuration (VLAN) mode
User Guidelines
There are no user guidelines for this command.
Example
In this example, all multicast packets on port 8 are forwarded.
Console(config)#
Console(config-if)#
ethernet g8
interface vlan 2
bridge multicast forward-all add
The bridge multicast forbidden forward-all Interface Configuration
(VLAN) mode command forbids a port to be a forward-all-multicast port.
To restore the default configuration, use the no form of this command.
Page 61
bridge multicast forbidden forward-all 61
Syntax
bridge multicast forbidden forward-all {add | remove} {ethernet
interface-list | port-channel port-channel-number-list}
no bridge multicast forbidden forward-all
Parameters
■ add — Forbids forwarding all multicast packets.
■ remove — Does not forbid forwarding all multicast packets.
■ interface-list — Separates nonconsecutive Ethernet ports with a
comma and no spaces; a hyphen is used to designate a range of ports.
■ port-channel-number-list — Separates nonconsecutive port-channels
with a comma and no spaces; a hyphen is used to designate a range
of port-channels.
Default Configuration
This setting is disabled.
Command Mode
Interface Configuration (VLAN) mode
User Guidelines
IGMP snooping dynamically discovers multicast device ports. When a
multicast device port is discovered, all the multicast packets are
forwarded to it unconditionally.
This command prevents a port from becoming a multicast device port.
Example
In this example, forwarding all multicast packets to g1 with VLAN 2 is
forbidden.
Console(config)#
Console(config-if)#
add ethernet g
interface vlan
bridge multicast forbidden forward-all
1
2
Page 62
62 CHAPTER 4: ADDRESS TABLE COMMANDS
bridge aging-time The bridge aging-time Global Configuration mode command sets the
address table aging time. To restore the default configuration, use the no
form of this command.
Syntax
bridge aging-time seconds
no bridge aging-time
Parameters
■ seconds — Time in seconds. (Range: 10-630 seconds)
Default Configuration
The default setting is 300 seconds.
Command Mode
Global Configuration mode
User Guidelines
There are no user guidelines for this command.
Example
In the following example, the bridge aging time is set to 250 seconds.
Console(config)#
bridge aging-time
250
clear bridge The clear bridge Privileged EXEC mode command removes any learned
entries from the forwarding database.
Syntax
clear bridge
Default Configuration
This command has no default configuration.
Page 63
Command Mode
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Example
In the following example, the bridge tables are cleared.
port security 63
Console#
clear bridge
port security The port security Interface Configuration mode command locks the port
to block unknown traffic and prevent the port from learning new
addresses. To restore the default configuration, use the no form of this
command.
Syntax
port security [forward | discard | discard-shutdown] [trap seconds]
[max]
no port security
Parameters
■ forward — Forwards packets with unlearned source addresses, but
does not learn the address.
■ discard — Discards packets with unlearned source addresses. This is
the default if no option is indicated.
■ discard-shutdown — Discards packets with unlearned source
addresses. The port is also shut down.
■ trap seconds — Sends SNMP traps and defines the minimum amount
of time in seconds between consecutive traps. (Range: 1-1000000)
■ max — Maximum number of addresses that can be learned on the
interface. (Range: 1-128)
Page 64
64 CHAPTER 4: ADDRESS TABLE COMMANDS
Default Configuration
This setting is disabled.
Command Mode
Interface Configuration (Ethernet, port-channel) mode
User Guidelines
There are no user guidelines for this command.
Example
In this example, port g1 forwards all packets without learning addresses
of packets from unknown sources and sends traps every 100 seconds if a
packet with an unknown source address is received.
Console(config)#
Console(config-if)#
interface ethernet
port security forward trap
g1
100
port security mode The port security mode Interface Configuration mode command
configures the port security mode. To restore the default configuration,
use the no form of this command.
Syntax
port security mode {lock | mac-addresses}
no port security mode
Parameters
■ lock — Saves the current dynamic MAC addresses associated with the
port and disables learning, relearning and aging.
■ mac-addresses — Deletes the current dynamic MAC addresses
associated with the port and learns up to the maximum number
addresses allowed on the port. Relearning and aging are enabled.
Default Configuration
This setting is disabled.
Page 65
port security routed secure-address 65
Command Mode
Interface Configuration (Ethernet, port-channel) mode
User Guidelines
There are no user guidelines for this command.
Example
In this example, port security mode is set to dynamic for Ethernet
interface g7.
port security routed secure-address
Console(config)#
Console(config-if)#
interface ethernet
port security mode mac-addresses
g7
The port security routed secure-address Interface Configuration
(Ethernet, port-channel) mode command adds a MAC-layer secure
address to a routed port. Use the no form of this command to delete a
MAC address.
Syntax
port security routed secure-address mac-address
no port security routed secure-address mac-address
Parameters
■ mac-address — A valid MAC address.
Default Configuration
No addresses are defined.
Command Mode
Interface Configuration (Ethernet, port-channel) mode. Cannot be
configured for a range of interfaces (range context).
User Guidelines
Page 66
66 CHAPTER 4: ADDRESS TABLE COMMANDS
The command enables adding secure MAC addresses to a routed port in
port security mode. The command is available when the port is a routed
port and in port security mode. The address is deleted if the port exits the
security mode or is not a routed port.
Example
In this example, the MAC-layer address 66:66:66:66:66:66 is added to
port g1.
show bridge address-table
Console(config)#
Console(config-if)#
66:66:66:66:66:66
interface ethernet
port security routed secure-address
g1
The show bridge address-table Privileged EXEC mode command
displays all entries in the bridge-forwarding database.
Syntax
show bridge address-table [vlan vlan] [ethernet interface |
port-channel port-channel-number | address mac address]
Parameters
■ vlan — Specifies a valid VLAN, such as VLAN 1.
■ interface — A valid Ethernet port.
■ port-channel-number — A valid port-channel number.
■ mac address — A valid MAC address.
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
Page 67
show bridge address-table static 67
User Guidelines
Internal usage VLANs (VLANs that are automatically allocated on ports
with a defined Layer 3 interface) are presented in the VLAN column by a
port number and not by a VLAN ID.
"Special" MAC addresses that were not statically defined or dynamically
learned are displayed in the MAC address table. This includes, for
example, MAC addresses defined in ACLS.
Example
In this example, all classes of entries in the bridge-forwarding database
are displayed.
show bridge address-table static
Console#
Aging time is 300 sec
interface mac address Port Type
--------- -------------- ---- ------1 00:60:70:4C:73
1 00:60:70:8C:73
200 00:10:0D:48:37
show bridge address-table
g8 dynamic
:FF
g8 dynamic
:FF
g9 static
:FF
The show bridge address-table static Privileged EXEC mode command
displays statically created entries in the bridge-forwarding database.
Syntax
show bridge address-table static [vlan vlan] [ethernet interface |
port-channel port-channel-number]
Page 68
68 CHAPTER 4: ADDRESS TABLE COMMANDS
Parameters \
■ vlan — Specifies a valid VLAN, such as VLAN 1.
■ interface — A valid Ethernet port.
■ port-channel-number — A valid port-channel number.
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Example
In this example, all static entries in the bridge-forwarding database are
displayed.
show bridge address-table count
Console#
Aging time is 300 sec
vlan mac address port type
---- --------------
1 00:60:70:4C:73
1 00:60.70.8C.73
200 00:10:0D:48:37
show bridge address-table static
---- --------------
--g8 Permanent
:FF
g8 delete-on-time
:FF
g9 delete-on-rese
:FF
---
out
t
The show bridge address-table count Privileged EXEC mode command
displays the number of addresses present in the Forwarding Database.
Page 69
show bridge address-table count 69
Syntax
show bridge address-table count [vlan vlan] [ethernet
interface-number | port-channel port-channel-number]
Parameters
■ vlan — Specifies a valid VLAN, such as VLAN 1.
■ interface — A valid Ethernet port.
■ port-channel-number — A valid port-channel number.
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Example
In this example, the number of addresses present in all VLANs are
displayed.
Console#
Capacity: 8192
Free: 8083
Used: 109
Secure addresses: 2
Static addresses: 1
Dynamic addresses: 97
Internal addresses: 9
show bridge address-table count
Page 70
70 CHAPTER 4: ADDRESS TABLE COMMANDS
show bridge multicast address-table
The show bridge multicast address-table Privileged EXEC mode
command displays multicast MAC address or IP address table
information.
Syntax
show bridge multicast address-table [vlan vlan-id] [address
mac-multicast-address | ip-multicast-address] [format ip | format mac]
Parameters
■ vlan-id — Indicates the VLAN ID. This has to be a valid VLAN ID value.
■ mac-multicast-address — A valid MAC multicast address.
■ ip-multicast-address — A valid IP multicast address.
■ format ip / mac — Multicast address format. Can be ip or mac. If the
format is unspecified, the default is mac.
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
A MAC address can be displayed in IP format only if it is in the range of
0100.5e00.0000-0100.5e7f.ffff.
Example
In this example, multicast MAC address and IP address table information
is displayed.
Console#
Vlan MAC Address Type Ports
---- -------------- ------- ---------1 01:00:5e:02:02
show bridge multicast address-table
static g1, g2
:03
Page 71
show bridge multicast address-table 71
19 01:00:5e:02:02
:08
19 00:00:5e:02:02
:08
Forbidden ports for multicast addresses:
Vlan MAC Address Ports
---- -------------- ----1 01:00:5e:02:02
:03
19 01:00:5e:02:02
:08
Console#
Vlan IP/MAC Address Type Ports
---- --------------
1 224-239.130|2.
19 224-239.130|2.
19 224-239.130|2.
show bridge multicast address-table format ip
---
2.3
2.8
2.8
static g1-8
dynamic g9-11
8
8
------ ---------
static g1, g2
static g1-8
dynamic g9-11
Forbidden ports for multicast addresses:
Vlan IP/MAC Address Ports
---- --------------
---
1 224-239.130|2.
2.3
19 224-239.130|2.
2.8
------
g8
g8
A multicast MAC address maps to multiple IP addresses as shown above.
Page 72
72 CHAPTER 4: ADDRESS TABLE COMMANDS
show bridge multicast filtering
The show bridge multicast filtering Privileged EXEC mode command
displays the multicast filtering configuration.
Syntax
show bridge multicast filtering vlan-id
Parameters
■ vlan-id — Indicates the VLAN ID. This has to be a valid VLAN ID value.
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Example
In this example, the multicast configuration for VLAN 1 is displayed.
Console#
Filtering: Enabled
VLAN: 1
Port Static Status
---- --------- --------g1 Filter
g2 Filter
g3 - Filter
show bridge multicast filtering
1
Page 73
show ports security 73
show ports security The show ports security Privileged EXEC mode command displays the
port-lock status.
Syntax
show ports security [ethernet interface | port-channel
port-channel-number]
Parameters
■ interface — A valid Ethernet port.
■ port-channel-number — A valid port-channel number.
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Example
In this example, all classes of entries in the port-lock status are displayed:
Console#
Port Status LearningAction MaximumTrap Frequency
---- ---------------------------------------------
g1 Locked DynamicDiscard3 Enable 100
show ports security
Page 74
74 CHAPTER 4: ADDRESS TABLE COMMANDS
g2 UnlockedDynamic- 28 - -
g3 Locked DisabledDiscar
d,
Shutdo
wn
8 Disable-
The following table describes the fields shown above.
Field Description
Port The port number.
Status The values are: Locked/Unlocked.
Learning The learning mode.
Action Action on violation.
Maximum The maximum number of addresses that can be associated on
this port in theStatic Learning mode or in the Dynamic Learning mode.
Trap Sends traps in case of a violation.
Frequency The minimum time interval between consecutive traps.
show ports security addresses
The show ports security addresses Privileged EXEC mode command
displays the current dynamic addresses in locked ports.
Syntax
show ports security addresses [ethernet interface | port-channel
port-channel-number]
Parameters
■ interface — A valid Ethernet port.
■ port-channel-number — A valid port-channel number
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
Page 75
show ports security addresses 75
User Guidelines
There are no user guidelines for this command.
Example
This example displays dynamic addresses in all currently locked ports.
Console#
Port Status Learning Current Maximum
---- -------- -------- ------- ------g1 Disabled Lock - 1
g2 Disabled Lock - 1
g3 Enabled Max-addres
g4 Port is a member in port-channel ch1
g5 Disabled Lock - 1
6 Enabled Max-addres
ch1 Enabled Max-addres
ch2 Enabled Max-addres
show ports security addresses
01
ses
010
ses
050
ses
0 128
ses
This example displays dynamic addresses in the currently locked port 1.
Console#
show ports security addresses ethernet 1
Port Status Learning Current Maximum
---- -------- -------- ------- ------g1 Disabled Lock - 1
Page 76
76 CHAPTER 4: ADDRESS TABLE COMMANDS
Page 77
ETHERNET CONFIGURATION
5
COMMANDS
interface ethernet The interface ethernet Global Configuration mode command enters
the interface configuration mode to configure an Ethernet type interface.
Syntax
interface ethernet interface
Parameters
■ interface — Valid Ethernet port. Elana
Default Configuration
This command has no default configuration.
Command Mode
interface range ethernet
Global Configuration mode
User Guidelines
There are no user guidelines for this command.
Example
The following example enables configuring Ethernet port g18.
Console(config)#
The interface range ethernet Global Configuration mode command
configures multiple Ethernet type interfaces at the same time.
Syntax
interface range ethernet {port-list | all}
interface ethernet
g18
Page 78
78 CHAPTER 5: ETHERNET CONFIGURATION COMMANDS
Parameters
■ port-list — List of valid ports. Where more than one port is listed,
separate the nonconsecutive ports with a comma and no spaces, use a
hyphen to designate a range of ports and group a list separated by
commas in brackets.
■ all — All Ethernet ports.
Default Configuration
This command has no default configuration.
Command Mode
Global Configuration mode
User Guidelines
Commands under the interface range context are executed
independently on each active interface in the range. If the command
returns an error on one of the active interfaces, it does not stop executing
commands on other active interfaces.
Example
The following example shows how ports g18 to g20 and g1 to g24 are
grouped to receive the same command.
Console(config)#
Console(config-if)#
interface range ethernet
g18-g20,g1-g24
shutdown The shutdown Interface Configuration (Ethernet, port-channel) mode
command disables an interface. To restart a disabled interface, use the no
form of this command.
Syntax
shutdown
no shutdown
Default Configuration
The interface is enabled.
Page 79
description 79
Command Mode
Interface Configuration (Ethernet, port-channel) mode
User Guidelines
There are no user guidelines for this command.
Example
The following example disables Ethernet port g5 operations.
Console(config)#
Console(config-if)#
interface ethernet g
shutdown
5
The following example restarts the disabled Ethernet port.
Console(config)#
Console(config-if)#
interface ethernet g
no shutdown
5
description The description Interface Configuration (Ethernet, port-channel) mode
command adds a description to an interface. To remove the description,
use the no form of this command.
Syntax
description string
no description
Parameters
■ string — Comment or a description of the port to enable the user to
remember what is attached to the port. (Range: 1-64 characters)
Default Configuration
The interface does not have a description.
Command Mode
Interface Configuration (Ethernet, port-channel) mode
User Guidelines
There are no user guidelines for this command.
Page 80
80 CHAPTER 5: ETHERNET CONFIGURATION COMMANDS
Example
The following example adds a description to Ethernet port g5.
Console(config)#
Console(config-if)#
interface ethernet g
description
"RD SW#3"
5
speed The speed Interface Configuration (Ethernet, port-channel) mode
command configures the speed of a given Ethernet interface when not
using auto-negotiation. To restore the default configuration, use the no
form of this command.
Syntax
speed {10 | 100 | 1000| 10000}
Parameters
■ 10 — Forces10 Mbps operation.
■ 100 — Forces 100 Mbps operation.
■ 1000 — Forces 1000 Mbps operation.
■ 10000 — Forces 10000 Mbps operation.
Default Configuration
Maximum port capability
Command Mode
Interface Configuration (Ethernet, port-channel) mode
User Guidelines
There are no user guidelines for this command.
Example
The following example configures the speed operation of Ethernet port
g5 to 100 Mbps operation.
Console(config)#
Console(config-if)#
interface ethernet g
speed 100
5
Page 81
duplex 81
duplex The duplex Interface Configuration (Ethernet) mode command
configures the full/half duplex operation of a given Ethernet interface
when not using auto-negotiation. To restore the default configuration,
use the no form of this command.
Syntax
duplex {half | full}
Parameters
■ no duplex
■ half — Forces half-duplex operation
■ full — Forces full-duplex operation
Default Configuration
The interface is set to full duplex.
Command Mode
Interface Configuration (Ethernet) mode
User Guidelines
When configuring a particular duplex mode on the port operating at
10/100 Mbps, disable the auto-negotiation on that port.
Half duplex mode can be set only for ports operating at 10 Mbps or 100
Mbps.
Example
The following example configures the duplex operation of Ethernet port
g1 to full duplex operation.
Console(config)#
Console(config-if)#
interface ethernet g
duplex full
1
negotiation The negotiation Interface Configuration (Ethernet, port-channel) mode
command enables auto-negotiation operation for the speed and duplex
parameters of a given interface. To disable auto-negotiation, use the no
form of this command.
Page 82
82 CHAPTER 5: ETHERNET CONFIGURATION COMMANDS
Syntax
negotiation [capability1 [capability2…capability5]]
no negotiation
Parameters
■ capability — Specifies the capabilities to advertise. (Possible values:
10h, 10f, 100h,100f, 1000f)
Default Configuration
Auto-negotiation is enabled.
If unspecified, the default setting is to enable all capabilities of the port.
Command Mode
Interface Configuration (Ethernet, port-channel) mode
User Guidelines
If capabilities were specified when auto-negotiation was previously
entered, not specifying capabilities when currently entering
auto-negotiation overrides the previous configuration and enables all
capabilities.
Example
The following example enables auto-negotiation on Ethernet port 1.
Console(config)#
Console(config-if)#
interface ethernet
negotiation
1
flowcontrol The flowcontrol Interface Configuration (Ethernet, port-channel) mode
command configures flow control on a given interface. To disable flow
control, use the no form of this command.
Syntax
flowcontrol {auto | on | off}
no flowcontrol
Page 83
Parameters
■ auto — Indicates auto-negotiation
■ on — Enables flow control.
■ off — Disables flow control.
Default Configuration
Flow control is off.
Command Mode
Interface Configuration (Ethernet, port-channel) mode
User Guidelines
Negotiation should be enabled for flow control auto.
Example
In the following example, flow control is enabled on port 1.
mdix 83
Console(config)#
Console(config-if)#
interface ethernet
flowcontrol on
1
mdix The mdix Interface Configuration (Ethernet) mode command enables
cable crossover on a given interface. To disable cable crossover, use the
no form of this command.
Syntax
mdix {on | auto}
no mdix
Parameters
■ on — Manual mdix is enabled.
■ auto — Automatic mdi/mdix is enabled.
Default Configuration
The default setting is on.
Command Mode
Interface Configuration (Ethernet) mode
Page 84
84 CHAPTER 5: ETHERNET CONFIGURATION COMMANDS
User Guidelines
Auto: All possibilities to connect a PC with cross or normal cables are
supported and are automatically detected.
On: It is possible to connect to a PC only with a normal cable and to
connect to another device only with a cross cable.
No: It is possible to connect to a PC only with a cross cable and to
connect to another device only with a normal cable.
Example
In the following example, automatic crossover is enabled on port 1.
Console(config)#
Console(config-if)#
interface ethernet
mdix auto
1
clear counters The clear counters Privileged EXEC mode command clears statistics on
an interface.
Syntax
clear counters [ethernet interface | port-channel
port-channel-number]
Parameters
■ interface — Valid Ethernet port. Elana
■ port-channel-number — Valid port-channel number.
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Page 85
set interface active 85
Example
In the following example, the counters for interface 1 are cleared.
Console#
clear counters ethernet
g2
set interface active The set interface active Privileged EXEC mode command reactivates an
interface that was shutdown.
Syntax
set interface active {ethernet interface | port-channel
port-channel-number}
Parameters
■ interface — Valid Ethernet port. Elana
■ port-channel-number — Valid port-channel number.
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
This command is used to activate interfaces that were configured to be
active, but were shutdown by the system for some reason (e.g., port
security).
show interfaces advertise
Example
The following example reactivates interface 1.
Console# set interface active ethernet g1
The show interfaces advertise Privileged EXEC mode command
displays auto-negotiation data.
Page 86
86 CHAPTER 5: ETHERNET CONFIGURATION COMMANDS
Syntax
show interfaces advertise [ethernet interface | port-channel
port-channel-number]
Parameters
■ interface — Valid Ethernet port.Elana
■ port-channel-number — Valid port-channel number.
Default Configuration
This command has no default configuration.
Command Modes
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Example
The following example displays auto-negotiation information.
Console#
Port Type Neg Operational
---- ----------- ------- --------------
1 100M-Copper Enabled -2 100M-Copper Enabled -3 100M-Copper Enabled -4 100M-Copper Enabled -5 100M-Copper Enabled 100f, 100h,
6 100M-Copper Enabled -7 100M-Copper Enabled --
show interfaces advertise
Link
Advertisement
--------------
--
10f, 10h
Page 87
show interfaces configuration 87
8 100M-Copper Enabled -9 100M-Copper Enabled -10 100M-Copper Enabled -11 100M-Copper Enabled -12 100M-Copper Enabled --
show interfaces configuration
The show interfaces configuration Privileged EXEC mode command
displays the configuration for all configured interfaces.
Syntax
show interfaces configuration [ethernet interface | port-channel
port-channel-number]
Parameters
■ interface — Valid Ethernet port.Elana
■ port-channel-number — Valid port-channel number.
Default Configuration
This command has no default configuration.
Command Modes
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Example
The following example displays the configuration of all configured
interfaces:
Console#
Port Type DuplexSpeedNeg Flow
show interfaces configuration
Ctrl
Admi
n
Stat
e
Back
Pres
sure
Mdix
Mode
Page 88
88 CHAPTER 5: ETHERNET CONFIGURATION COMMANDS
---- ----
----
---
1 100M
-Cop
per
2 100M
-Cop
per
3 100M
-Cop
per
4 100M
-Cop
per
5 100M
-Cop
per
6 100M
-Cop
per
7 100M
-Cop
per
8 100M
-Cop
per
9 100M
-Cop
per
10 100M
-Cop
per
11 100M
-Cop
per
---------------
---
Full 100 Enab
led
Full 100 Enab
led
Full 100 Enab
led
Full 100 Enab
led
Full 100 Enab
led
Full 100 Enab
led
Full 100 Enab
led
Full 100 Enab
led
Full 100 Enab
led
Full 100 Enab
led
Full 100 Enab
led
---- ---------
----
Off Up Disa
bled
Off Up Disa
bled
Off Up Disa
bled
Off Up Disa
bled
Off Up Disa
bled
Off Up Disa
bled
Off Up Disa
bled
Off Up Disa
bled
Off Up Disa
bled
Off Up Disa
bled
Off Up Disa
bled
----
Auto
Auto
Auto
Auto
Auto
Auto
Auto
Auto
Auto
Auto
Auto
show interfaces status
The show interfaces status Privileged EXEC mode command displays
the status of all configured interfaces.
Page 89
show interfaces status 89
Syntax
show interfaces status [ethernet interface| port-channel
port-channel-number |]
Parameters
■ interface — A valid Ethernet port. Elana
■ port-channel-number — A valid port-channel number.
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Example
The following example displays the status of all configured interfaces.
Console#
Port Type DuplexSpeedNeg Flow
---- ----
1 100M
2 100M
3 100M
show interfaces status
---------------
----
---
-- -- -- -- Down -- --
-Cop
per
-- -- -- -- Down -- --
-Cop
per
-- -- -- -- Down -- --
-Cop
per
---
Link
Ctrl
---- ---------
Stat
e
Back
Pres
sure
----
Mdix
Mode
----
Page 90
90 CHAPTER 5: ETHERNET CONFIGURATION COMMANDS
4 100M
-Cop
per
5 100M
-Cop
per
6 100M
-Cop
per
7 100M
-Cop
per
8 100M
-Cop
per
9 100M
-Cop
per
10 100M
-Cop
per
11 100M
-Cop
per
12 100M
-Cop
per
-- -- -- -- Down -- --
Full 100 Enab
led
-- -- -- -- Down -- --
-- -- -- -- Down -- --
-- -- -- -- Down -- --
-- -- -- -- Down -- --
-- -- -- -- Down -- --
-- -- -- -- Down -- --
-- -- -- -- Down -- --
Off Up Disa
bled
Auto
show interfaces description
The show interfaces description Privileged EXEC mode command
displays the description for all configured interfaces.
Syntax
show interfaces description [ethernet interface | port-channel
port-channel-number]
Parameters
■ interface — Valid Ethernet port. (Full syntax: unit/port)
■ port-channel-number — A valid port-channel number.
Page 91
show interfaces counters 91
Default Configuration
This command has no default configuration.
Command Modes
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Example
The following example displays descriptions of configured interfaces.
show interfaces counters
Console#
Port Description
---- ----------g1 lab
g2
g3
g4
g5
g6
ch1
ch2
show interfaces description
The show interfaces counters Privileged EXEC mode command displays
traffic seen by the physical interface.
Syntax
show interfaces counters [ethernet interface | port-channel
port-channel-number]
Parameters
■ interface — A valid Ethernet port. Elana
■ port-channel-number — A valid port-channel number.
Page 92
92 CHAPTER 5: ETHERNET CONFIGURATION COMMANDS
Default Configuration
This command has no default configuration.
Command Modes
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Example
The following example displays traffic seen by the physical interface.
Console#
Port InOctets InUcastPkts InMcastPkts InBcastPkts
---- -------- ----------- ----------- ----------g1 183892 0 0 0
g10000
g1 123899 0 0 0
Port OutOctets OutUcastPktsOutMcastPktsOutBcastPkt
----- ---------- -----------------------------------
g1 9188 0 0 0
g10000
g1 8789 0 0 0
Ch InOctets InUcastPkts InMcastPkts InBcastPkts
--- -------- ---------- ----------- ----------1 27889 0 0 0
show interfaces counters
s
-
Page 93
show interfaces counters 93
Ch OutOctets OutUcastPktsOutMcastPktsOutBcastPkt
s
--- --------- -----------------------------------
-
1 23739 0 0 0
The following table describes the fields shown in the display.
Console#
Port InOctets InUcastPkts InMcastPkts InBcastPkts
------ ----------- -----------
g1 183892 0 0 0
Port OutOctets OutUcastPktsOutMcastPktsOutBcastPkt
------ ----------- -----------
g1 9188 0 0 0
FCS Errors: 0
Single Collision Frames: 0
Late Collisions: 0
Excessive Collisions: 0
Oversize Packets: 0
Internal MAC Rx Errors: 0
Received Pause Frames: 0
Transmitted Pause Frames: 0
show interfaces counters ethernet
----------- -----------
---
-----------------------
---
1
s
-
The following table describes the fields shown in the display.
Field Description
InOctets Counted received octets.
InUcastPkts Counted received unicast packets.
InMcastPkts Counted received multicast packets.
Page 94
94 CHAPTER 5: ETHERNET CONFIGURATION COMMANDS
Field Description
InBcastPkts Counted received broadcast packets.
OutOctets Counted transmitted octets.
OutUcastPkts Counted transmitted unicast packets.
OutMcastPkts Counted transmitted multicast packets.
OutBcastPkts Counted transmitted broadcast packets.
FCS Errors Counted received frames that are an integral number of
Single Collision
Frames
Late Collisions Number of times that a collision is detected later than one
Excessive Collisions Number of excessive collisions received on the selected
Oversize Packets Counted frames received that exceed the maximum
Internal MAC Rx
Errors
Received Pause
Frames
Transmitted Pause
Frames
octets in length but do not pass the FCS check.
Counted frames that are involved in a single collision, and
are subsequently transmitted successfully.
slotTime into the transmission of a packet.
interface.
permitted frame size.
Counted frames for which reception fails due to an
internal MAC sublayer received error.
Counted MAC Control frames received with an opcode
indicating the PAUSE operation.
Counted MAC Control frames transmitted on this
interface with an opcode indicating the PAUSE operation.
port storm-control include-multicast (GC)
The port storm-control include-multicast Interface Configuration
mode command enables counting multicast packets in the port
storm-control broadcast rate command. To disable counting multicast
packets, use the no form of this command.
Syntax
port storm-control include-multicast
no port storm-control include-multicast
Default Configuration
Multicast packets are not counted.
Command Modes
Interface Configuration (Ethernet) mode
Page 95
port storm-control include-multicast (IC) 95
User Guidelines
To control multicasts storms, use the port storm-control broadcast
enable and port storm-control broadcast rate commands.
Example
The following example enables counting multicast packets.
port storm-control include-multicast (IC)
Console#
Console(config-if)#
Console(config-if)# port storm-control iinclude-multicast
unknown-unicast
configure
port storm-control include-multicast
The port storm-control include-multicast Interface Configuration
(Ethernet) mode command counts multicast packets in broadcast storm
control. To disable counting multicast packets, use the no form of this
command.
Syntax
port storm-control include-multicast [unknown-unicast]
no port storm-control include-multicast
Parameters
■ unknown-unicast — Specifies also counting unknown unicast
packets.
Default Configuration
Multicast packets are not counted.
Command Modes
Interface Configuration (Ethernet) mode
User Guidelines
There are no user guidelines for this command.
Page 96
96 CHAPTER 5: ETHERNET CONFIGURATION COMMANDS
Example
The following example enables counting broadcast and multicast packets
on Ethernet port 2.
port storm-control broadcast enable
Console(config)#
Console(config-if)#
unknown-unicast
interface ethernet
port storm-control include-multicast
2
The port storm-control broadcast enable Interface Configuration
(Ethernet) mode command enables broadcast storm control. To disable
broadcast storm control, use the no form of this command.
Syntax
port storm-control broadcast enable
no port storm-control broadcast enable
Default Configuration
Broadcast storm control is disabled.
Command Modes
Interface Configuration (Ethernet) mode
User Guidelines
Use the port storm-control broadcast rate Interface Configuration
(Ethernet) mode command, to set the maximum allowable broadcast
rate.
Use the port storm-control include-multicast Global Configuration
mode command to enable counting multicast packets in the storm
control calculation.
Example
The following example enables broadcast storm control on port 1 of a
device.
Console(config)#
Console(config-if)#
interface ethernet
port storm-control broadcast enable
1
Page 97
port storm-control broadcast rate 97
port storm-control broadcast rate
The port storm-control broadcast rate Interface Configuration
(Ethernet) mode command configures the maximum broadcast rate. To
restore the default configuration, use the no form of this command.
Syntax
port storm-control broadcast rate rate
no port storm-control broadcast rate
Parameters
■ rate — Maximum kilobits per second of broadcast and multicast traffic
on a port. (Range of 3500-1000000)
Default Configuration
The default storm control broadcast rate is 3500 Kbits/Sec.
Command Mode
Interface Configuration (Ethernet) mode
User Guidelines
Use the port storm-control broadcast enable Interface Configuration
mode command to enable broadcast storm control.
show ports storm-control
Example
The following example configures a port storm-control broadcast rate
4000 on port g2.
(config)#
Console(config-if)#
interface ethernet
port storm-control broadcast rate
g2
4000
The show ports storm-control Privileged EXEC mode command
displays the storm control configuration.
Syntax
show ports storm-control [interface]
Parameters
■ interface — A valid Ethernet port. Elana
Page 98
98 CHAPTER 5: ETHERNET CONFIGURATION COMMANDS
Default Configuration
This command has no default configuration.
Command Modes
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Example
The following example displays the storm control configuration.
Console#
Port State Rate
---- ----- ------------------------
g1 Disabled 3500 Broadcast
g2 Disabled 3500 Broadcast
g3 Disabled 3500 Broadcast
g4 Disabled 3500 Broadcast
g5 Disabled 3500 Broadcast
g6 Disabled 3500 Broadcast
show ports storm-control
Included
[Kbits/Sec]
Page 99
LINE COMMANDS
6
line The line Global Configuration mode command identifies a specific line
for configuration and enters the Line Configuration command mode.
Syntax
line {console | telnet | ssh}
Parameters
■ console — Console terminal line.
■ telnet — Virtual terminal for remote console access (Telnet).
■ ssh — Virtual terminal for secured remote console access (SSH).
Default Configuration
This command has no default configuration.
Command Mode
Global Configuration mode
User Guidelines
There are no user guidelines for this command.
Example
The following example configures the device as a virtual terminal for
remote console access.
Console(config)#
Console(config-line)#
speed The speed Line Configuration mode command sets the line baud rate.
line telnet
Page 100
100 CHAPTER 6: LINE COMMANDS
Syntax
speed bps
Parameters
■ bps — Baud rate in bits per second (bps). Possible values are 2400,
Default Configuration
The default speed is 19200 bps.
Command Mode
Line Configuration (console) mode
User Guidelines
This command is available only on the line console.
The configured speed is applied when Autobaud is disabled. This
configuration applies only to the current session.
Example
4800, 9600, 19200, 38400, 57600 and 115200.
The following example configures the line baud rate.
Console(config)#
Console(config-line)#
line console
speed
115200
autobaud The autobaud Line Configuration mode command sets the line for
automatic baud rate detection (autobaud). To disable automatic baud
rate detection, use the no form of the command.
Syntax
autobaud
no autobaud
Default Configuration
Autobaud is disabled.
Command Mode
Line Configuration (console) mode
Loading...