Cisco 220 Series Smart Plus Reference Manual

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x
CLI GUIDE
© 2014 Cisco Systems, Inc. All rights reserved. OL-30456-01
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Contents
Chapter 1: Introduction 22
Overview 22
User (Privilege) Levels 23
CLI Command Modes 24
User EXEC Mode 24
Privileged EXEC Mode 25
Global Configuration Mode 25
Global Configuration Submodes 26
Accessing the CLI 27
Using HyperTerminal over the Console Interface 28
Using Telnet over an Ethernet Interface 30
CLI Command Conventions 30
Editing Features 31
Entering Commands 31
Terminal Command Buffer 32
Negating the Effect of Commands 32
Command Completion 33
Keyboard Shortcuts 33
Copying and Pasting Text 33
Interface Naming Conventions 34
Interface ID 34
Interface Range 35
Interface List 35
Chapter 2: 802.1X Commands 36
dot1x guest-vlan enable 36
dot1x guest-vlan enable (Interface) 37
dot1x max-req 38
dot1x port-control 39
dot1x reauthentication 40
dot1x system-auth-control 41
Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 1
dot1x timeout quiet-period 41
dot1x timeout reauth-period 42
dot1x timeout supp-timeout 43
show dot1x 44
show dot1x authenticated-hosts 45
show dot1x guest-vlan 46
show dot1x interfaces 48
Chapter 3: AAA Commands 50
aaa authentication enable 50
aaa authentication login 52
enable authentication 53
enable password 54
ip http authentication 56
login authentication 57
passwords aging 58
passwords complexity <attributes> 59
passwords complexity enable 60
show aaa authentication lists 62
show line lists 62
show passwords configuration 63
show username 64
username 65
Chapter 4: ACL Commands 67
deny (MAC) 67
deny (IP) 68
deny (IPv6) 71
ip access-group in 73
ip access-list extended 74
ipv6 access-group in 75
ipv6 access-list 75
mac access-group in 77
mac access-list extended 77
no sequence 78
permit (IP) 79
permit (IPv6) 81
permit (MAC) 84
show access-lists 85
show access-lists 86
show access-lists utilization 86
Chapter 5: Address Table Commands 88
bridge multicast reserved-address 88
clear mac address-table 89
mac address-table aging-time 90
mac address-table static 90
show bridge multicast reserved-address 93
show mac address-table 94
show mac address-table aging-time 95
show port-security 96
switchport port-security 97
switchport port-security mode maximum 98
Chapter 6: Bonjour Commands 101
bonjour enable 101
show bonjour 102
Chapter 7: CDP Commands 103
cdp advertise-v2 103
cdp appliance-vlan enable 104
cdp device-id format 105
cdp enable 105
cdp holdtime 106
cdp log mismatch duplex 107
cdp log mismatch native 108
cdp log mismatch voip 109
cdp mandatory-tlvs validation 110
cdp pdu 110
cdp run 111
cdp timer 112
clear cdp counter 113
clear cdp table 114
show cdp 114
show cdp entry 115
show cdp interfaces 116
show cdp neighbor 116
show cdp tlv 118
show cdp traffic global 118
show cdp traffic (Interface) 120
Chapter 8: Clock Commands 124
clock set 124
clock source 125
clock summer-time 125
clock timezone 127
show clock 128
show sntp configuration 129
sntp server 129
Chapter 9: Configuration and Image File Commands 131
boot host auto-config 131
boot system 132
copy 133
delete backup-config 135
delete startup-config 136
dir 136
ip dhcp tftp-server file 137
ip dhcp tftp-server ip address 138
management vlan ipv6 dhcp client information refresh 139
management vlan ipv6 dhcp client stateless 140
renew dhcp force-autoconfig 141
show backup-config 142
show boot 144
show bootvar 145
show ip dhcp tftp-server 146
show running-config 147
show startup-config 150
write 152
Chapter 10: EEE Commands 154
eee enable (Interface) 154
Chapter 11: Ethernet Configuration Commands 155
clear counters 155
clear etherlike statistics 156
default interface 156
description 157
duplex 158
errdisable recovery 158
flowcontrol 160
interface 161
interface range 162
jumbo-frame 162
show errdisable recovery 163
show interface status 164
show storm-control 165
shutdown 167
speed 168
storm-control action 169
storm-control broadcast 170
storm-control broadcast level 171
storm-control enable 172
storm-control ifg 173
storm-control unit 173
storm-control unknown-multicast 174
storm-control unknown-multicast level 175
storm-control unknown-unicast 176
storm-control unknown-unicast level 176
Chapter 12: GVRP Commands 178
clear gvrp statistics 178
gvrp enable (Global) 179
gvrp enable (Interface) 179
gvrp registration-mode 180
gvrp vlan-creation-forbid 181
show gvrp 182
show gvrp configuration 182
show gvrp error-statictics 184
show gvrp statistics 185
Chapter 13: IGMP Snooping Commands 196
clear ip igmp snooping groups 196
clear ip igmp snooping statistics 196
ip igmp filter 197
ip igmp max-groups 198
ip igmp profile 199
ip igmp snooping 200
ip igmp snooping version 201
ip igmp snooping report-suppression 201
ip igmp snooping unknown-multicast action 202
ip igmp snooping vlan 203
ip igmp snooping vlan immediate-leave 204
ip igmp snooping vlan forbidden mrouter 205
ip igmp snooping vlan forbidden forward-all 206
ip igmp snooping vlan last-member-query-count 207
ip igmp snooping vlan last-member-query-interval 207
ip igmp snooping vlan mrouter 208
ip igmp snooping vlan querier 209
ip igmp snooping vlan querier version 210
ip igmp snooping vlan query-interval 211
ip igmp snooping vlan response-time 212
ip igmp snooping vlan robustness-variable 212
ip igmp snooping vlan static 213
ip igmp snooping vlan mrouter 214
ip igmp snooping vlan forward-all 215
profile range 216
show ip igmp filter 217
show ip igmp max-group 218
show ip igmp max-group action 219
show ip igmp profile 219
show ip igmp snooping 220
show ip igmp snooping forward-all 221
show ip igmp snooping groups 222
show ip igmp snooping mrouter 223
show ip igmp snooping querier 224
show ip igmp snooping vlan 224
Chapter 14: IP Addressing Commands 226
clear arp-cache 226
ip default-gateway 226
ip domain lookup 227
ip domain name 228
ip host 229
ip name-server 230
management vlan ip-address 231
management vlan ip dhcp client 232
show arp 233
show hosts 233
show ip 234
show ip dhcp 235
Chapter 15: IP ARP Inspection Commands 236
clear ip arp inspection statistics vlan 236
ip arp inspection 236
ip arp inspection limit rate 237
ip arp inspection trust 239
ip arp inspection validate 240
ip arp inspection vlan 241
show ip arp inspection 242
show ip arp inspection interfaces 243
show ip arp inspection statistics 244
Chapter 16: IP DHCP Snooping Commands 246
clear ip dhcp snooping binding 246
clear ip dhcp snooping binding interface 246
clear ip dhcp snooping binding vlan 247
clear ip dhcp snooping database statistics 248
clear ip dhcp snooping interfaces statistics 248
ip dhcp snooping 249
ip dhcp snooping database 249
ip dhcp snooping information option 251
ip dhcp snooping information option allow-untrusted 252
ip dhcp snooping limit rate 253
ip dhcp snooping trust 254
ip dhcp snooping verify mac-address 255
ip dhcp snooping vlan 256
ip dhcp snooping vlan information option circuit-id 257
renew ip dhcp snooping database 258
show ip dhcp snooping 259
show ip dhcp snooping binding 259
show ip dhcp snooping database 260
show ip dhcp snooping information option format remote-id 261
show ip dhcp snooping interfaces 261
show ip dhcp snooping interfaces statistics 262
Chapter 17: IP Source Guard Commands 264
ip source binding 264
ip source binding max-entry 265
ip verify source 266
show ip source binding 267
show ip verify source interfaces 268
Chapter 18: IPv6 Addressing Commands 270
ipv6 default-gateway 270
management vlan ipv6-address 271
management vlan ipv6-address-autoconfig 272
management vlan ipv6-address-dhcp 273
show ipv6 274
show ipv6 dhcp 274
Chapter 19: IPv6 MLD Snooping Commands 276
clear ipv6 mld snooping groups 276
clear ipv6 mld snooping statistics 276
ipv6 mld filter 277
ipv6 mld max-groups 278
ipv6 mld profile 279
ipv6 mld snooping 280
ipv6 mld snooping report-suppression 281
ipv6 mld snooping vlan 281
ipv6 mld snooping vlan immediate-leave 282
ipv6 mld snooping vlan forbidden mrouter 283
ipv6 mld snooping vlan forbidden forward-all 284
ipv6 mld snooping vlan last-member-query-count 285
ipv6 mld snooping vlan last-member-query-interval 286
ipv6 mld snooping vlan mrouter learn pim-dvmrp 287
ipv6 mld snooping vlan query-interval 288
ipv6 mld snooping vlan response-time 289
ipv6 mld snooping vlan robustness-variable 290
ipv6 mld snooping vlan static interface 291
ipv6 mld snooping vlan mrouter 292
ipv6 mld snooping vlan forward-all 293
profile range 294
show ipv6 mld filter 295
show ipv6 mld max-group 296
show ipv6 mld max-group action 297
show ipv6 mld profile 297
show ipv6 mld snooping 298
show ipv6 mld snooping forward-all 299
show ipv6 mld snooping groups 300
show ipv6 mld snooping mrouter 301
show ipv6 mld snooping vlan 302
Chapter 20: LACP Commands 303
lacp port-priority 303
lacp system-priority 304
lacp timeout 304
show lacp 305
Chapter 21: Line Commands 311
clear line 311
exec-timeout 311
line 312
password-thresh 313
show line 314
silent-time 315
speed 315
Chapter 22: LLDP Commands 317
clear lldp statistics 317
lldp holdtime-multiplier 317
lldp lldpdu 319
lldp med 320
lldp med fast-start-repeat-count 321
lldp med location 321
lldp med network-policy voice auto 322
lldp med network-policy (Global) 323
lldp med network-policy (Interface) 325
lldp med tlv-select 326
lldp receive 327
lldp reinit 328
lldp run 328
lldp tlv-select 802.1 329
lldp tlv-select TLV 330
lldp transmit 331
lldp tx-delay 332
lldp timer 332
show lldp 333
show lldp interfaces 337
show lldp interfaces tlvs-overloading 338
show lldp local-device 339
show lldp med 340
show lldp neighbor 341
show lldp statistics 343
Chapter 23: Management ACL Commands 345
deny (Management) 345
management access-class 346
management access-list 347
no sequence (Management) 348
permit (Management) 349
show management access-class 350
show management access-list 351
Chapter 24: PHY Diagnostics Commands 352
show cable-diagnostics cable-length 352
show fiber-ports optical-transceiver 355
Chapter 25: Power over Ethernet (PoE) Commands 357
power inline 357
power inline legacy enable 358
power inline limit 358
power inline limit-mode 359
power inline priority 360
power inline traps enable 361
power inline usage-threshold 361
show env all 362
show power inline 363
show power inline consumption 367
Chapter 26: Port Channel Commands 368
channel-group 368
port-channel load-balance 369
show etherchannel summary 370
Chapter 27: Port Monitor Commands 371
monitor session destination interface 371
monitor session destination remote-span 372
monitor session source interfaces 373
monitor session source remote-span 374
no monitor session 375
remote-span 376
show monitor 377
show vlan remote-span 378
Chapter 28: QoS Commands 379
class 379
class-map 380
match 381
police 382
police aggregate 383
policy-map 384
priority-queue out num-of-queues 386
qos 387
qos advanced-mode trust 388
qos aggregate-policer 389
qos cos 391
qos map cos-queue 391
qos map dscp-queue 392
qos map precedence-queue 393
qos map queue-cos 394
qos map queue-dscp 395
qos map queue-precedence 395
qos remark 396
qos trust (Global) 397
qos trust (Interface) 398
service-policy 399
set 400
show class-map 401
show policy-map 401
show policy-map interface 402
show qos 403
show qos aggregate-policer 404
show qos interfaces 404
show qos map 405
show qos queueing 407
show rate-limit vlan 407
traffic-shape 408
trust-shape (Interface) 409
traffic-shape queue 410
trust 410
rate-limit (Interface) 412
rate-limit (VLAN) 413
wrr-queue bandwidth 414
Chapter 29: RADIUS Commands 416
radius-server default-param 416
radius-server host 417
show radius-server 419
show radius-server default-param 420
Chapter 30: RMON Commands 422
clear rmon statistics 422
rmon alarm 422
rmon event 425
rmon history 426
show rmon alarm 427
show rmon event 429
show rmon event log 430
show rmon history 431
show rmon statistics interfaces 432
Chapter 31: Security DoS Commands 436
security-suite dos (Global) 436
security-suite dos (Interface) 438
security-suite dos ip gratuitous-arps 439
show security-suite dos 439
show security-suite dos interfaces 440
Chapter 32: SNMP Commands 442
show snmp-server 442
show snmp-server community 443
show snmp-server engineid 444
show snmp-server group 445
show snmp-server host 446
show snmp-server trap 447
show snmp-server view 448
show snmp-server user 449
snmp-server 451
snmp-server community 451
snmp-server contact 453
snmp-server engineid 454
snmp-server engineid remote 454
snmp-server group 455
snmp-server host 456
snmp-server location 458
snmp-server trap 459
snmp-server user 459
snmp-server view 461
Chapter 33: STP Commands 463
clear spanning-tree detected-protocols 463
instance (MST) 464
name (MST) 465
revision (MST) 465
show spanning-tree 466
show spanning-tree interfaces 467
show spanning-tree mst 468
show spanning-tree mst configuration 469
show spanning-tree mst interfaces 470
spanning-tree 471
spanning-tree bpdu (Global) 471
spanning-tree bpdu-filter (Interface) 472
spanning-tree bpdu-guard (Interface) 473
spanning-tree cost (Interface) 474
spanning-tree forward-time 475
spanning-tree hello-time 475
spanning-tree link-type (Interface) 476
spanning-tree mst port-priority 477
spanning-tree max-hops 478
spanning-tree max-age 479
spanning-tree mode 480
spanning-tree mst configuration 480
spanning-tree mst cost 481
spanning-tree mst priority 482
spanning-tree pathcost method 483
spanning-tree portfast 484
spanning-tree port-priority 485
spanning-tree priority 485
spanning-tree tx-hold-count 486
Chapter 34: SYN Protection Commands 488
security-suite syn protection mode 488
security-suite syn protection recovery 489
security-suite syn protection threshold 489
show security-suite syn protection 490
Chapter 35: Syslog Commands 492
clear logging 492
logging host 492
logging on 494
logging severity 495
show logging 496
Chapter 36: System Management Commands 499
hostname 499
ping 499
reload 501
show cpu input rate 501
show cpu utilization 502
show memory statistics 503
show services tcp-udp 504
show system languages 505
show tech-support 506
show username 509
show users 510
show version 511
traceroute 512
Chapter 37: TACACS+ Commands 514
show tacacs default-config 514
show tacacs 515
tacacs-server default-param 516
tacacs-server host 517
Chapter 38: Telnet and SSH Commands 519
crypto certificate generate 519
crypto key generate 520
ip ssh server 521
ip telnet server 522
Chapter 39: User Interface Commands 524
banner exec 524
banner login 525
configure 527
do 527
disable 528
end 529
enable 529
exit (Configuration) 530
exit (EXEC) 531
history 531
show banner 532
show history 533
show privilege 534
terminal length 535
Chapter 40: Voice VLAN Commands 537
show voice vlan 537
voice vlan enable 539
voice vlan aging-timeout 539
voice vlan cos 540
voice vlan cos mode 541
voice vlan dscp 542
voice vlan mode 542
voice vlan oui-table 543
voice vlan state 545
voice vlan id 546
voice vlan vpt 546
Chapter 41: VLAN Commands 548
name (vlan) 548
management-vlan 549
show interfaces protected-ports 549
show interfaces switchport 550
show management-vlan 552
show vlan 553
show vlan default-vlan 554
switchport access vlan 554
switchport default-vlan tagged 555
switchport dot1q-tunnel vlan 557
switchport forbidden default-vlan 558
switchport forbidden vlan 559
switchport general acceptable-frame-type 559
switchport general allowed vlan 560
switchport general ingress-filtering disable 562
switchport general pvid 562
switchport mode 564
switchport mode trunk uplink 565
switchport protected 566
switchport trunk allowed vlan 567
switchport trunk native vlan 568
switchport vlan tpid 569
vlan 569
vlan default-vlan 570
Chapter 42: Web Server Commands 572
ip http secure-server 572
ip http server 573
ip http timeout-policy 573
show ip http 574
show ip https 575
show services tcp-udp 576
Appendix A: Where to Go From Here 579
Introduction
The command-line interface (CLI) provides a text-based method for managing and monitoring the switch. You can access the command-line interface using a physical serial connection or a remote logical connection with Telnet.
This chapter describes how to use the command-line interface and contains the following topics:
Overview
User (Privilege) Levels
CLI Command Modes
Accessing the CLI
CLI Command Conventions
Editing Features
Interface Naming Conventions
Overview
The command-line interface is divided into various modes. Each mode has a group of commands available in it. These modes are described in the CLI Command Modes section.
Users are assigned privilege levels. Each privilege level can access the CLI modes permitted to that level. User privilege levels are described in the User (Privilege) Levels section.
User (Privilege) Levels
Users may be created with one of the following user levels:
Level 1—Users with this level can only run the User EXEC mode commands. Users at this level cannot access the web-based interface.
Level 15—Users with this level can run all commands. Only users at this level can access the web-based interface.
A system administrator (user with level 15) can create passwords that allow a lower-level user to temporarily become a higher-level user. For example, the user may go from level 1 to 15.
Users with a lower level can raise their level by entering the enable command and the password for level 15. The higher level holds only for the current session.
The disable command returns the user to a lower level.
To create a user and assign a user level, use the username command. Only users with privilege level 15 can create users at this level.
Example 1—The following example creates the password for level 15 (by the administrator), using the enable password Global Configuration mode command:
switchxxxxxx# configure
switchxxxxxx(config)# enable password level 15 level15@abc
Example 2—The following example creates a user with privilege level 1:
switchxxxxxx# configure
switchxxxxxx(config)# username john privilege 1 secret John1234
Example 3—The following example switches from level 1 to level 15. The user must know the password for level 15.
switchxxxxxx# exit
switchxxxxxx> enable 15
Password: ****** (this is the password for level 15)
switchxxxxxx#
NOTE If the authentication of passwords is performed on the RADIUS or TACACS+ servers, the passwords assigned to user level 15 must be configured on the external server and associated with the $enab15$ username. See the AAA Commands chapter for details.
CLI Command Modes
The command-line interface is divided into four command modes. These are the command modes in the order in which they are accessed:
User EXEC Mode
Privileged EXEC Mode
Global Configuration Mode
Global Configuration Submodes
Each command mode has its own unique console prompt and set of CLI commands. Entering a question mark at the console prompt displays a list of available commands for the current mode and for the level of the user. Specific commands are used to switch from one mode to another.
Users are assigned privilege levels that determine the modes and commands available to them. User levels are described in the User (Privilege) Levels section.
User EXEC Mode
Users with level 1 initially log into the User EXEC mode. The User EXEC mode is used for tasks that do not change the configuration, such as performing basic tests and listing system information.
The user-level prompt consists of the switch hostname followed by a >. The default hostname is switchxxxxxx where xxxxxx is the last six digits of the switch’s MAC address, as shown here:
switchxxxxxx>
The default hostname can be changed by using the hostname Global Configuration mode command.
Privileged EXEC Mode
A user with level 15 automatically logs into the Privileged EXEC mode.
The user-level prompt consists of the switch hostname followed by a #. The default hostname is switchxxxxxx where xxxxxx is the last six digits of the switch’s MAC address, as shown here:
switchxxxxxx#
Users with level 1 can enter the Privileged EXEC mode by entering the enable command, and when prompted, the password for level 15.
To return from the Privileged EXEC mode to the User EXEC mode, use the disable command.
Global Configuration Mode
The Global Configuration mode is used to run the commands that configure the features at the system level, as opposed to the interface level.
Only users with privilege level 15 can access this mode.
To access the Global Configuration mode from the Privileged EXEC mode, enter the configure command at the Privileged EXEC mode prompt and press Enter. The Global Configuration mode prompt, consisting of the switch hostname followed by (config)#, is displayed:
switchxxxxxx(config)#
Use any of the following commands to return from the Global Configuration mode to the Privileged EXEC mode:
exit
end
Ctrl+Z
The following example shows how to access the Global Configuration mode and return to the Privileged EXEC mode:
switchxxxxxx# configure
switchxxxxxx(config)# exit
switchxxxxxx#
Global Configuration Submodes
Various submodes may be entered from the Global Configuration mode. These submodes enable performing commands on a group of interfaces or lines, defining conditions required to allow traffic based on IPv4, IPv6, and MAC addresses, or defining the settings for management ACL, IGMP profiles, and MLD profiles.
For instance, to perform several operations on a specific interface, you can enter the Interface Configuration mode for that interface.
The following example enters the Interface Configuration mode for the port range gi1-5 and then sets the speed of those ports:
switchxxxxxx# configure
switchxxxxxx(config)# interface range gi1-5
switchxxxxxx(config-if-range)# speed 1000
switchxxxxxx(config-if-range)# exit
switchxxxxxx(config)#
The exit command returns to the Global Configuration mode.
The following submodes are available:
Interface—Contains commands that configure a specific interface (port or port channel) or a range of interfaces. The interface Global Configuration mode command is used to enter the Interface Configuration mode.
Port Channel—Contains commands used to configure port channels; for example, assigning ports to a port channel. Most of these commands are the same as the commands in the Ethernet Interface Configuration mode, and are used to manage the member ports as a single entity. The interface Port-Channel Global Configuration mode command is used to enter the Port Channel Interface Configuration mode.
IP Access-List—Configures conditions required to allow traffic based on IP addresses. The ip access-list Global Configuration mode command is used to enter the IP Access-List Configuration mode.
IPv6 Access-List—Configures conditions required to allow traffic based on IPv6 addresses. The ipv6 access-list Global Configuration mode command is used to enter the IPv6 Access-List Configuration mode.
Line Interface—Contains commands used to configure the management connections for the console, Telnet, and SSH. These commands configure connection operations such as line timeout settings. The line Global Configuration command is used to enter the Line Configuration mode.
MAC Access-List—Configures conditions required to allow traffic based on MAC addresses. The mac access-list Global Configuration mode command is used to enter the MAC Access-List Configuration mode.
Management Access-List—Contains commands used to define management access-lists. The management access-list Global Configuration mode command is used to enter the Management Access-List Configuration mode.
IGMP Profile—Contains commands used to define the settings of IGMP profiles. The ip igmp profile Global Configuration mode command is used to enter the IGMP Profile Configuration mode.
MLD Profile—Contains commands used to define the settings of MLD profiles. The ipv6 mld profile Global Configuration mode command is used to enter the MLD Profile Configuration mode.
To return from any Interface Configuration mode to the Global Configuration mode, use the exit command.
Accessing the CLI
The command-line interface can be accessed from a terminal or computer by performing one of the following tasks:
Running a terminal application, such as HyperTerminal, on a computer that is directly connected to the switch’s console port.
Running a Telnet session from a command prompt on a computer with a network connection to the switch.
Using SSH.
NOTE Telnet and SSH are disabled by default on the switch. Telnet sends the username, the password, and the entire session in cleartext, so on any network you do not fully control, enable SSH (ip ssh server) rather than Telnet (ip telnet server), and restrict the hosts that may reach the management interface with a management access-list (see the Management ACL Commands chapter).
If the access is through a Telnet connection, ensure that the following conditions are met before using CLI commands:
The switch has a defined IP address.
Corresponding management access is granted.
An IP path is available so that the computer and the switch can reach each other.
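The management-access conditions above are easy to get wrong on a fleet of switches. The following is an added example, not code from the Cisco guide, that audits a saved running-config for the settings this section touches on: whether Telnet rather than SSH is enabled, whether the web interface runs over plain HTTP only, and whether a management access-class is applied. It assumes the config was saved from show running-config and that enabled services appear as the same keywords used to configure them (ip telnet server, ip ssh server, ip http server, ip http secure-server, management access-class <name>); those line forms are inferred from the command names in this guide's chapters and the sample configs are constructed, so verify the matches against a real capture before relying on them.

```python
# Added example (not from the Cisco 220 guide): audit a saved running-config
# for management-plane weaknesses. Line forms below are ASSUMED from the
# command names documented in the guide (Telnet and SSH Commands, Web Server
# Commands, Management ACL Commands); confirm them against a real capture.
import re

CHECKS = [
    # (finding, predicate over the set of normalized config lines)
    ("Telnet server enabled; it carries credentials in cleartext. Disable it and use SSH.",
     lambda lines: "ip telnet server" in lines),
    ("SSH server not enabled; remote CLI access falls back to Telnet or the console.",
     lambda lines: "ip ssh server" not in lines),
    ("Plain HTTP web interface enabled without HTTPS; enable ip http secure-server.",
     lambda lines: "ip http server" in lines and "ip http secure-server" not in lines),
    ("No management access-class applied; any reachable host may attempt to log in.",
     lambda lines: not any(line.startswith("management access-class ") for line in lines)),
]


def normalize(config_text):
    """Drop comment lines ('!') and blank lines, trim whitespace and collapse
    internal runs of spaces so keyword matching is exact."""
    lines = []
    for raw in config_text.splitlines():
        line = re.sub(r"\s+", " ", raw.strip())
        if line and not line.startswith("!"):
            lines.append(line)
    return lines


def audit_management_access(config_text):
    """Return the list of findings; an empty list means every check passed."""
    lines = set(normalize(config_text))
    return [finding for finding, hit in CHECKS if hit(lines)]


# Constructed sample configs, not real device captures.
WEAK_CONFIG = """
!
hostname switch0a1b2c
ip telnet server
ip http server
!
"""

HARDENED_CONFIG = """
!
hostname switch0a1b2c
ip ssh server
ip http secure-server
management access-list mgmt-only
management access-class mgmt-only
!
"""

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)]:
        findings = audit_management_access(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run it against a directory of saved configs and you get a per-switch list of the management-plane items to fix; the CHECKS table is the place to add a site's own rules (for example, requiring an exec-timeout on the line configuration).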
Using HyperTerminal over the Console Interface
The switch’s serial console port provides a direct connection to a computer’s serial port using a standard DB-9 null modem or crossover cable. Once the computer and the switch are connected, run a terminal application to access the command-line interface.
To access the command-line interface using the HyperTerminal application, perform the following steps:
STEP 1 Click the Start button.
STEP 2 Select All Programs > Accessories > Communications > HyperTerminal.
STEP 3 Enter a name for this connection. Select an icon for the application, then click OK.
STEP 4 Select a port (such as COM1) to communicate with the switch.
STEP 5 Set the serial port settings, then click OK.
Bits per second = 9600
Data bits = 8
Parity = None
Stop bits = 1
Flow control = None
STEP 6 When the command-line interface appears, enter cisco at the Username prompt and press Enter.
STEP 7 Enter cisco at the Password prompt and press Enter.
If this is the first time that you have logged on with the default username and password, or the switch has been rebooted to factory defaults, you are asked to change your password. The following message appears:
Please change your password from the default settings.
Please change the password for better protection of your network.
Do you want to change the password (Y/N) [Y]?
STEP 8 Enter Y, and set a new administrator password.
Password complexity is enabled on the switch by default. Passwords must conform to the following default settings:
Have a minimum length of eight characters.
Contain characters from at least three character classes (uppercase letters, lowercase letters, numbers, and special characters available on a standard keyboard).
Are different from the current password.
Contain no character that is repeated more than three times consecutively.
STEP 9 Press Enter.
The switchxxxxxx# prompt is displayed. You can now enter the commands to manage the switch. For detailed information about the commands, refer to the appropriate chapters of this reference guide.
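The default complexity rules listed in STEP 8 are what the switch will enforce when you set the new administrator password, and it is useful to be able to vet a candidate (or a batch of generated passwords) before typing it at the console. The following is an added example, not code from the Cisco guide, that implements those four rules as a checker. Two readings are assumed: "special characters" means any printable non-alphanumeric ASCII character, and "repeated more than three times consecutively" means a run of four or more identical characters.

```python
# Added example (not from the Cisco 220 guide): check a candidate password
# against the switch's default complexity settings described in STEP 8.
# ASSUMPTIONS: "special" = printable non-alphanumeric ASCII; "more than
# three times consecutively" = a run of four or more identical characters.
import re
import string

MIN_LENGTH = 8
MIN_CLASSES = 3
MAX_RUN = 3  # a run of MAX_RUN + 1 identical characters fails

_CLASSES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def character_classes(password):
    """Return the set of character-class names present in the password."""
    return {name for name, chars in _CLASSES.items() if any(c in chars for c in password)}


def longest_run(password):
    """Length of the longest run of one identical character (0 for an empty string)."""
    longest = 0
    for match in re.finditer(r"(.)\1*", password):
        longest = max(longest, len(match.group(0)))
    return longest


def check_password(candidate, current=None):
    """Return a list of policy violations; an empty list means the candidate
    satisfies the default complexity settings. `current` is the password
    being replaced, if known."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = character_classes(candidate)
    if len(classes) < MIN_CLASSES:
        problems.append(f"only {len(classes)} character class(es), need {MIN_CLASSES}")
    if current is not None and candidate == current:
        problems.append("identical to the current password")
    run = longest_run(candidate)
    if run > MAX_RUN:
        problems.append(f"a character repeats {run} times consecutively")
    # Not one of the four documented rules, but the whole point of STEP 8 is
    # to get off the factory default, so flag it even when `current` is unknown.
    if candidate == "cisco":
        problems.append("is the factory default")
    return problems


if __name__ == "__main__":
    # Constructed candidates; "cisco" is the factory default from STEP 6/7.
    for pw in ["cisco", "Nn148279", "Level15@abc", "aaaaB1!x", "password1"]:
        verdict = check_password(pw, current="cisco")
        print(f"{pw!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

Note that the checker only reproduces the switch's default policy; it says nothing about guessability, so a password that passes (Nn148279, the example used later in this chapter, passes) should still come from a password manager or generator rather than a pattern.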
Using Telnet over an Ethernet Interface
Telnet provides a method of connecting to the command-line interface over an IP network.
To establish a Telnet session from the command prompt, perform the following steps:
STEP 1 Click Start, then select All Programs > Accessories > Command Prompt to open a command prompt.
STEP 2 At the prompt, enter telnet <IP address of switch>, then press Enter.
The command-line interface is displayed.
CLI Command Conventions
There are certain command entry standards that apply to all commands. The following table describes the command conventions:
[ ]             In a command line, square brackets indicate an optional entry.
{ }             In a command line, curly brackets indicate a selection of compulsory parameters separated with the | character. One option must be selected. For example, flowcontrol {auto | on | off} means that for the flowcontrol command, either auto, on, or off must be selected.
parameter       Italic text indicates a parameter.
bold            Command names and keywords are shown in bold.
italics         Variables and arguments are shown in italics.
press key       Names of keys to be pressed are shown in bold.
Ctrl+F4         Keys separated by the + character are to be pressed simultaneously on the keyboard.
Screen Display  Fixed-width font indicates CLI prompts, CLI commands entered by the user, and system messages displayed on the console.
Editing Features
Entering Commands
A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command show interfaces status gi1, show, interfaces, and status are keywords, gi is an argument that specifies the interface type, and 1 specifies the port.
To enter the commands that require parameters, enter the required parameters after the command keyword. For example, to set a password for the administrator, enter:
switchxxxxxx(config)# username admin secret Nn148279
When working with the CLI, the command options are not displayed. The standard command to request help is ?.
There are two instances where help information can be displayed:
Keyword lookup—The character ? is entered in place of a command. A list of all valid commands and corresponding help messages are displayed.
Partial keyword lookup—If a command is incomplete and the character ? is entered in place of a parameter, the matched keyword or parameters for this command are displayed.
Terminal Command Buffer
Every time a command is entered in the CLI, it is recorded on an internally managed command history buffer. Commands stored in the buffer are maintained on a First In First Out (FIFO) basis. These commands can be recalled, reviewed, modified, and reissued. This buffer is not preserved across device resets.
Up-Arrow key / Ctrl+P  Recalls commands in the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands.
Down-Arrow key  Returns to more recent commands in the history buffer after recalling commands with the up-arrow key. Repeating the key sequence will recall successively more recent commands.
By default, the history buffer system is enabled, but it can be disabled at any time. For more information on enabling or disabling the history buffer, refer to the history command.
There is a standard default number of commands that are stored in the buffer. The standard number of 10 commands can be increased to 256. For more information on configuring the command history buffer, refer to the history command.
To display the history buffer, refer to the show history command.
Negating the Effect of Commands
For many configuration commands, the prefix keyword no can be entered to cancel the effect of a command or reset the configuration to the default value. This reference guide provides a description of the negation effect for each CLI command.
Command Completion
If the command entered is incomplete, invalid, or has missing or invalid parameters, then the appropriate error message is displayed. This assists in entering the correct command. By pressing Tab after an incomplete command is entered, the system will attempt to identify and complete the command. If the characters already entered are not enough for the system to identify a single matching command, press ? to display the available commands matching the characters already entered.
Keyboard Shortcuts
The CLI has a range of keyboard shortcuts to assist in editing the CLI commands. The following table describes the CLI shortcuts:
Up-arrow  Recalls commands from the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands.
Down-arrow  Returns the most recent commands from the history buffer after recalling commands with the up-arrow key. Repeating the key sequence will recall successively more recent commands.
Ctrl+A  Moves the cursor to the beginning of the command line.
Ctrl+E  Moves the cursor to the end of the command line.
Ctrl+Z / End  Returns back to the Privileged EXEC mode from any configuration mode.
Backspace  Deletes one character left to the cursor position.
Copying and Pasting Text
Up to 1000 lines of text (or commands) can be copied and pasted into the device.
NOTE It is the user’s responsibility to ensure that the text copied into the device consists of legal commands only.
When copying and pasting commands from a configuration file, make sure that the following conditions exist:
A device Configuration mode has been accessed.
The commands contain no encrypted data, such as encrypted passwords or keys. Encrypted data cannot be copied and pasted into the device except for encrypted passwords where the keyword encrypted is used before the encrypted data.
Interface Naming Conventions
Interface ID
Within the command-line interface, the interfaces are denoted by concatenating the following elements:
Type of interface—The following types of interfaces are found on the various types of devices:
- Fast Ethernet (10/100 bits)—This can be written as FastEthernet or fa.
- Gigabit Ethernet ports (10/100/1000 bits)—This can be written as either GigabitEthernet or gi.
- LAG (Port Channel)—This can be written as either Port-Channel or po.
Interface Number—Port, LAG, tunnel, or VLAN ID.
The syntax for this is:
{<port-type>[ ]<port-number>}|{Port-Channel|po}[ ]<port-channel-number>
Samples of these various options are shown in the example below:
switchxxxxxx# configure
switchxxxxxx(config)# interface gi1
switchxxxxxx(config)# interface fa1
switchxxxxxx(config)# interface Port-Channel 1
switchxxxxxx(config-if)#
Interface Range
Interfaces may be described on an individual basis or within a range. The interface range command has the following syntax:
<interface-range> ::= {<port-type>[ ]<first-port-number>[ - <last-port-number>]} | {Port-Channel|po}[ ]<first-port-channel-number>[ - <last-port-channel-number>]
A sample of this command is shown in the example below:
switchxxxxxx# configure
switchxxxxxx(config)# interface range gi1-5
switchxxxxxx(config-if-range)#
Interface List
A combination of interface types can be specified in the interface range command in the following format:
<range-list> ::= <interface-range> | <range-list>,<interface-range>
NOTE Range lists can contain either ports or port channels. The space after the comma is optional. When a range list is defined, a space after the first entry and before the comma (,) must be entered.
A sample of this command is shown in this example:
switchxxxxxx# configure
switchxxxxxx(config)# interface range gi1,gi4-5
switchxxxxxx(config-if-range)#
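As an added example that is not Cisco's code, the following Python parser expands an interface range list written in the <range-list> grammar above into individual interface IDs and enforces the NOTE that a range list holds either ports or port channels. The canonical short names, the case-insensitive matching and the RangeSyntaxError class are assumptions of this example, not something the guide specifies.

```python
import re

# Interface types listed in this guide, long and short form; case-insensitive
# matching and the canonical short names are assumptions of this example.
PORT_TYPES = {
    "fastethernet": "fa", "fa": "fa",
    "gigabitethernet": "gi", "gi": "gi",
    "port-channel": "po", "po": "po",
}

# One <interface-range>: type, optional space, first number, optional "- last" (spaces optional).
_RANGE_RE = re.compile(r"^(?P<type>[A-Za-z-]+?)\s*(?P<first>\d+)(?:\s*-\s*(?P<last>\d+))?$")


class RangeSyntaxError(ValueError):
    """A range list that does not follow the <range-list> grammar in this guide."""


def parse_interface_range(text):
    """Parse one <interface-range> such as 'gi4-5' or 'Port-Channel 1' into (short_type, first, last)."""
    m = _RANGE_RE.match(text.strip())
    if not m:
        raise RangeSyntaxError(f"malformed interface range: {text!r}")
    kind = PORT_TYPES.get(m.group("type").lower())
    if kind is None:
        raise RangeSyntaxError(f"unknown interface type in {text!r}")
    first = int(m.group("first"))
    last = int(m.group("last")) if m.group("last") else first
    if first < 1 or last < first:
        raise RangeSyntaxError(f"bad port numbers in {text!r}")
    return kind, first, last


def expand_range_list(text):
    """Expand a <range-list> (comma-separated ranges, space after the comma optional)
    into individual interface IDs, e.g. 'gi1,gi4-5' -> ['gi1', 'gi4', 'gi5'].

    Enforces the NOTE in this guide: a range list contains either ports or port channels, not both.
    """
    ids = []
    kinds = set()
    for item in text.split(","):
        kind, first, last = parse_interface_range(item)
        kinds.add("port-channel" if kind == "po" else "port")
        if len(kinds) > 1:
            raise RangeSyntaxError(f"range list mixes ports and port channels: {text!r}")
        ids.extend(f"{kind}{n}" for n in range(first, last + 1))
    return ids


def is_valid_range_list(text):
    """True if the text would be accepted by expand_range_list."""
    try:
        expand_range_list(text)
        return True
    except RangeSyntaxError:
        return False


if __name__ == "__main__":
    # Expand the guide's own sample so an audit tool knows which ports a setting covers.
    print(expand_range_list("gi1,gi4-5"))
```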
802.1X Commands
dot1x guest-vlan enable
To enable the guest VLAN feature on the switch and specify a VLAN as the guest VLAN, use the dot1x guest-vlan enable Global Configuration mode command.
To disable the guest VLAN feature on the switch, use the no form of this command.
Syntax
dot1x guest-vlan vlan-id enable
no dot1x guest-vlan enable
Parameters
vlan-id—Identifier of the VLAN set as the guest VLAN.
Default Configuration
Guest VLAN is disabled on the switch.
Command Mode
Global Configuration mode
User Guidelines
Use the dot1x guest-vlan enable Interface Configuration mode command to enable unauthorized users on an interface to access the guest VLAN.
If the guest VLAN is defined and enabled, the interface automatically joins the guest VLAN when the interface is unauthorized and leaves it when the interface becomes authorized. To be able to join or leave the guest VLAN, the interface should not be a static member of the guest VLAN.
Example
The following example sets VLAN 2 as the guest VLAN:
switchxxxxxx(config)# dot1x guest-vlan 2 enable
dot1x guest-vlan enable (Interface)
To enable unauthorized users on the interface accessing the guest VLAN, use the dot1x guest-vlan enable Interface Configuration (Ethernet) mode command.
To disable unauthorized users on the interface accessing the guest VLAN, use the no form of this command.
Syntax
dot1x guest-vlan enable
no dot1x guest-vlan enable
Parameters
N/A
Default Configuration
Unauthorized users cannot access the guest VLAN by default.
Command Mode
Interface Configuration (Ethernet) mode
User Guidelines
The switch can have only one guest VLAN. The guest VLAN is defined in the dot1x guest-vlan enable Global Configuration mode command.
Example
The following example enables unauthorized users on gi15 to access the guest VLAN:
switchxxxxxx(config)# interface gi15
switchxxxxxx(config-if)# dot1x guest-vlan enable
dot1x max-req
To set the maximum number of times that the switch sends an Extensible Authentication Protocol (EAP) request or identity frame (assuming that no response is received) to the client before restarting the authentication process, use the dot1x max-req Interface Configuration mode command.
To revert to its default setting, use the no form of this command.
Syntax
dot1x max-req count
no dot1x max-req
Parameters
count—The maximum number of times that the switch sends an EAP request or identity frame before restarting the authentication process. (Range: 1 to 10)
Default Configuration
The default maximum number of attempts is 2.
Command Mode
Interface Configuration (Ethernet) mode
User Guidelines
The default value of this command should be changed only to adjust to unusual circumstances, such as unreliable links or specific behavioral problems with certain clients and authentication servers.
Example
The following example sets the maximum number of EAP requests to 6:
switchxxxxxx(config)# interface gi15
switchxxxxxx(config-if)# dot1x max-req 6
dot1x port-control
To enable manual control of the port authorization state, use the dot1x port-control Interface Configuration (Ethernet) mode command.
To disable manual control of the port authorization state, use the no form of this command.
Syntax
dot1x port-control {auto | force-authorized | force-unauthorized}
no dot1x port-control
Parameters
auto—Enables 802.1X authentication on the interface and causes it to transition to the authorized or unauthorized state, based on the 802.1X authentication exchange between the switch and the client.
force-authorized—Disables 802.1X authentication on the interface and causes the interface to transition to the authorized state without any authentication exchange required. The interface resends and receives normal traffic without 802.1X-based client authentication.
force-unauthorized—Denies all access through this interface by forcing it to transition to the unauthorized state and ignoring all attempts by the client to authenticate. The switch cannot provide authentication services to the client through this interface.
Default Configuration
The interface is in the force-authorized state.
Command Mode
Interface Configuration (Ethernet) mode
User Guidelines
In order to proceed to the forwarding state immediately after successful authentication, we recommend that you disable STP or enable the STP PortFast mode on 802.1X edge ports (ports in auto state that are connected to end stations).
Example
The following example enables 802.1X authentication in auto mode on gi15:
switchxxxxxx(config)# interface gi15
switchxxxxxx(config-if)# dot1x port-control auto
dot1x reauthentication
To enable periodic reauthentication of the client, use the dot1x reauthentication Interface Configuration (Ethernet) mode command.
To disable periodic reauthentication of the client, use the no form of this command.
Syntax
dot1x reauthentication
no dot1x reauthentication
Parameters
N/A
Default Configuration
Periodic reauthentication is disabled.
Command Mode
Interface Configuration (Ethernet) mode
Example
switchxxxxxx(config)# interface gi15
switchxxxxxx(config-if)# dot1x reauthentication
dot1x system-auth-control
To enable 802.1X globally on the switch, use the dot1x system-auth-control Global Configuration mode command.
To disable 802.1X globally on the switch, use the no form of this command.
Syntax
dot1x system-auth-control
no dot1x system-auth-control
Parameters
N/A
Default Configuration
802.1X is disabled.
Command Mode
Global Configuration mode
Example
switchxxxxxx(config)# dot1x system-auth-control
dot1x timeout quiet-period
To set the time interval that the switch remains in a quiet state following a failed authentication exchange (for example, the client provided an invalid password), use the dot1x timeout quiet-period Interface Configuration (Ethernet) mode command.
To revert to its default setting, use the no form of this command.
Syntax
dot1x timeout quiet-period seconds
no dot1x timeout quiet-period
Parameters
seconds—The time interval in seconds that the switch remains in a quiet state following a failed authentication exchange with the client. (Range: 0 to 65535 seconds)
Default Configuration
The default quiet period is 60 seconds.
Command Mode
Interface Configuration (Ethernet) mode
User Guidelines
During the quiet period, the switch does not accept or initiate the authentication requests.
The default value of this command should only be changed to adjust to unusual circumstances, such as unreliable links or specific behavioral problems with certain clients and authentication servers.
To provide faster response time to the user, a smaller number than the default value should be entered.
Example
The following example sets the time interval to 10 seconds:
switchxxxxxx(config)# interface gi15
switchxxxxxx(config-if)# dot1x timeout quiet-period 10
dot1x timeout reauth-period
To set the number of seconds between reauthentication attempts, use the dot1x timeout reauth-period Interface Configuration (Ethernet) mode command.
To revert to its default setting, use the no form of this command.
Syntax
dot1x timeout reauth-period seconds
no dot1x timeout reauth-period
Parameters
seconds—Number of seconds between reauthentication attempts. (Range: 30 to 65535)
Default Configuration
3600 seconds
Command Mode
Interface Configuration (Ethernet) mode
Example
switchxxxxxx(config)# interface gi15
switchxxxxxx(config-if)# dot1x timeout reauth-period 5000
dot1x timeout supp-timeout
To set the time interval during which the switch waits for a response to an Extensible Authentication Protocol (EAP) request frame from the client before resending the request, use the dot1x timeout supp-timeout Interface Configuration (Ethernet) mode command.
To revert to its default setting, use the no form of this command.
Syntax
dot1x timeout supp-timeout seconds
no dot1x timeout supp-timeout
Parameters
seconds—The time interval in seconds during which the switch waits for a response to an EAP request frame from the client before resending the request. (Range: 1 to 65535 seconds)
Default Configuration
The default timeout period is 30 seconds.
Command Mode
Interface Configuration (Ethernet) mode
User Guidelines
The default value of this command should be changed only to adjust to unusual circumstances, such as unreliable links or specific behavioral problems with certain clients and authentication servers.
Example
The following example sets the time interval to 3600 seconds:
switchxxxxxx(config)# interface gi15
switchxxxxxx(config-if)# dot1x timeout supp-timeout 3600
show dot1x
To show the 802.1X status, use the show dot1x Privileged EXEC mode command.
Syntax
show dot1x
Parameters
N/A
Default Configuration
N/A
Command Mode
Privileged EXEC mode
Example
switchxxxxxx# show dot1x
802.1x protocol is: Enabled
802.1x protocol version: 2
The following table describes the significant fields shown in the example:
Field  Description
802.1x protocol is  Port-based 802.1X authentication is enabled or disabled on the switch.
802.1x protocol version  Version of the 802.1X protocol.
show dot1x authenticated-hosts
To show information for all dot1x authenticated hosts, use the show dot1x authenticated-hosts Privileged EXEC mode command.
Syntax
show dot1x authenticated-hosts
Parameters
N/A
Default Configuration
N/A
Command Mode
Privileged EXEC mode
Examples
switchxxxxxx# show dot1x authenticated-hosts
User Name | Port | Session Time | Authentication Method | MAC Address
------------+-------+-------------------+-----------------------+-----------
The following table describes the significant fields shown in the example:
Field  Description
User Name  Supplicant name that was authenticated on the port.
Port  Port number.
Session Time  Amount of time that the supplicant was logged on the port.
Authentication Method  Method used to authenticate the last session.
MAC Address  Supplicant MAC address.
show dot1x guest-vlan
To show the 802.1X guest VLAN information for all interfaces, use the show dot1x guest-vlan Privileged EXEC mode command.
Syntax
show dot1x guest-vlan
Parameters
N/A
Default Configuration
N/A
Command Mode
Privileged EXEC mode
Example
switchxxxxxx# show dot1x guest-vlan
Guest VLAN ID: none (disabled)
Port | Guest VLAN | In Guest VLAN
--------+------------+--------------
gi1 | Enabled | No
gi2 | Disabled | ---
gi3 | Disabled | ---
gi4 | Disabled | ---
gi5 | Disabled | ---
gi6 | Disabled | ---
gi7 | Disabled | ---
gi8 | Disabled | ---
gi9 | Disabled | ---
gi10 | Disabled | ---
gi11 | Disabled | ---
gi12 | Disabled | ---
gi13 | Disabled | ---
gi14 | Disabled | ---
gi15 | Enabled | No
gi16 | Disabled | ---
gi17 | Disabled | ---
gi18 | Disabled | ---
gi19 | Disabled | ---
gi20 | Disabled | ---
gi21 | Disabled | ---
gi22 | Disabled | ---
gi23 | Disabled | ---
gi24 | Disabled | ---
gi25 | Disabled | ---
gi26 | Disabled | ---
gi27 | Disabled | ---
gi28 | Disabled | ---
gi29 | Disabled | ---
gi30 | Disabled | ---
gi31 | Disabled | ---
gi32 | Disabled | ---
gi33 | Disabled | ---
gi34 | Disabled | ---
gi35 | Disabled | ---
gi36 | Disabled | ---
gi37 | Disabled | ---
gi38 | Disabled | ---
gi39 | Disabled | ---
gi40 | Disabled | ---
gi41 | Disabled | ---
gi42 | Disabled | ---
gi43 | Disabled | ---
gi44 | Disabled | ---
gi45 | Disabled | ---
gi46 | Disabled | ---
gi47 | Disabled | ---
gi48 | Disabled | ---
gi49 | Disabled | ---
gi50 | Disabled | ---
gi51 | Disabled | ---
gi52 | Disabled | ---
The following table describes the significant fields shown in the example:
Field  Description
Guest VLAN ID  Identifier of the VLAN as the guest VLAN.
Port  Port number.
Guest VLAN  Shows whether 802.1X authentication is enabled or disabled on the port.
In Guest VLAN  Shows whether the unauthorized port is in or not in the guest VLAN.
show dot1x interfaces
To show 802.1X configuration on specific interfaces, use the show dot1x interfaces Privileged EXEC mode command.
Syntax
show dot1x interfaces {interface-id}
Parameters
interface-id—An interface ID or a list of interfaces.
Default Configuration
N/A
Command Mode
Privileged EXEC mode
Example
switchxxxxxx# show dot1x interfaces gi11
Port | Mode | Current State | Reauth Control | Reauth Period
--------+--------------------+----------------------+-----------------+-------------
gi11 | Authentication | Initialize | Enabled | 5000
Quiet Period: 60 Second
Supplicant timeout: 30 Second
Max req: 2
Session Time (HH:MM:SS): 0: 0: 0: 0
The following table describes the significant fields shown in the example:
Field  Description
Port  Port number.
Mode  802.1X port-based authentication mode.
Current State  Current port authorization state.
Reauth Control  Shows that reauthentication is enabled or disabled on the port.
Reauth Period  Number of seconds after which the selected port is reauthenticated.
Quiet Period  Number of seconds that the switch remains in the quiet state following a failed authentication exchange.
Supplicant timeout  Number of seconds that lapses before EAP requests are resent to the supplicant.
Max req  Maximum number of EAP requests that can be sent.
Session Time (HH:MM:SS)  Amount of time that the supplicant was logged on the port.
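As an added example that is not part of this guide, the following Python script parses a constructed running-config excerpt built only from the dot1x commands in this chapter and reports edge ports left at the defaults the chapter states: port control force-authorized (no client authentication), no periodic reauthentication, no global dot1x system-auth-control, and a port-level guest VLAN with no guest VLAN defined globally. The config layout, the function names and the finding text are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Per-interface defaults as stated in this chapter.
DEFAULT_PORT = {
    "port-control": "force-authorized",  # dot1x port-control default
    "reauthentication": False,           # dot1x reauthentication: disabled by default
    "reauth-period": 3600,               # dot1x timeout reauth-period default
    "guest-vlan": False,                 # dot1x guest-vlan enable (Interface) default
}
PORT_CONTROL_VALUES = {"auto", "force-authorized", "force-unauthorized"}


@dataclass
class Dot1xConfig:
    system_auth_control: bool = False    # dot1x system-auth-control: disabled by default
    guest_vlan_id: Optional[int] = None  # global dot1x guest-vlan <vlan-id> enable
    ports: Dict[str, dict] = field(default_factory=dict)


def parse_dot1x_config(text: str) -> Dot1xConfig:
    """Parse the dot1x lines of a running-config excerpt.

    Assumed layout (constructed for this example): global commands first, then
    'interface <id>' blocks whose commands are indented; other lines are ignored.
    """
    cfg = Dot1xConfig()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            cfg.ports.setdefault(current, dict(DEFAULT_PORT))
            continue
        words = line.split()
        if current is None:  # Global Configuration mode commands
            if line == "dot1x system-auth-control":
                cfg.system_auth_control = True
            elif len(words) == 4 and words[:2] == ["dot1x", "guest-vlan"] and words[3] == "enable":
                cfg.guest_vlan_id = int(words[2])
            continue
        port = cfg.ports[current]  # Interface Configuration (Ethernet) mode commands
        if words[:2] == ["dot1x", "port-control"] and words[-1] in PORT_CONTROL_VALUES:
            port["port-control"] = words[-1]
        elif line == "dot1x reauthentication":
            port["reauthentication"] = True
        elif words[:3] == ["dot1x", "timeout", "reauth-period"]:
            port["reauth-period"] = int(words[-1])
        elif line == "dot1x guest-vlan enable":
            port["guest-vlan"] = True
    return cfg


def audit_dot1x(cfg: Dot1xConfig, edge_ports: List[str]) -> List[Tuple[str, str]]:
    """Report (port, finding) pairs for the given edge ports. Ports missing from the
    config are judged at the defaults above: an unconfigured port is force-authorized."""
    findings = []
    if not cfg.system_auth_control:
        findings.append(("global", "802.1X is not enabled globally (no dot1x system-auth-control)"))
    for name in edge_ports:
        port = cfg.ports.get(name, DEFAULT_PORT)
        control = port["port-control"]
        if control == "force-authorized":
            findings.append((name, "force-authorized: traffic passes with no client authentication"))
        elif control == "auto" and not port["reauthentication"]:
            findings.append((name, "auto without dot1x reauthentication: session is never re-verified"))
        if port["guest-vlan"] and cfg.guest_vlan_id is None:
            findings.append((name, "guest VLAN enabled on the port but no global guest VLAN is defined"))
    return findings


# Constructed sample: gi1 is fully configured, gi2 never reauthenticates and relies on a
# guest VLAN that was never defined globally, gi3 is present but left at defaults.
SAMPLE_CONFIG = """\
dot1x system-auth-control
interface gi1
 dot1x port-control auto
 dot1x reauthentication
 dot1x timeout reauth-period 5000
interface gi2
 dot1x port-control auto
 dot1x guest-vlan enable
interface gi3
 dot1x max-req 6
"""

if __name__ == "__main__":
    for port, finding in audit_dot1x(parse_dot1x_config(SAMPLE_CONFIG), ["gi1", "gi2", "gi3"]):
        print(f"{port}: {finding}")
```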
AAA Commands
This chapter describes the Authentication, Authorization, and Accounting (AAA) commands.
aaa authentication enable
To set one or more authentication methods for accessing higher privilege levels, use the aaa authentication enable Global Configuration mode command.
To restore the default authentication method, use the no form of this command.
Syntax
aaa authentication enable {default | LISTNAME} method1 [method2...]
no aaa authentication enable {default | LISTNAME}
Parameters
default—Uses the default authentication method list when accessing higher privilege levels.
LISTNAME—Name of the authentication method list activated when users access higher privilege levels. (Length: 1 to 32 characters)
method1 [method2...]—A list of methods that the authentication algorithm tries, in the given sequence.
Default Configuration
The enable password command defines the default authentication login method. This command functions the same as the aaa authentication enable default enable command.
On a console, the enable password is used if a password exists. If no password is set, the authentication still succeeds. This command functions the same as entering the aaa authentication enable default enable none command.
Command Mode
Global Configuration mode
User Guidelines
A user who logs on with a lower privilege level must pass these authentication methods to access a higher level.
The additional authentication methods are used only if the previous method returns an error, not if it fails. Specify none as the final method in the command line to ensure that the authentication succeeds, even if all methods return an error.
Select one or more methods from the following list:
Keyword Description
enable Uses the enable password for authentication.
none Uses no authentication.
radius Uses a list of RADIUS servers for authentication.
tacacs+ Uses a list of TACACS servers for authentication.
Create a list by entering the aaa authentication enable LISTNAME command where LISTNAME is any character string used to name this list. The method argument identifies the list of methods that the authentication algorithm tries in the given sequence.
All aaa authentication enable default requests sent by the switch to a RADIUS or a TACACS+ server include the username $enabx$, where x is the requested privilege level.
The no aaa authentication enable LISTNAME command deletes the list name if it has not been referenced.
Example
The following example sets the enable password for authentication for accessing higher privilege levels:
switchxxxxxx(config)# aaa authentication enable enable-list radius none
switchxxxxxx(config)# line console
switchxxxxxx(config-line)# enable authentication enable-list
aaa authentication login
To set one or more authentication methods to be applied during login, use the aaa authentication login Global Configuration mode command.
To restore the default authentication method, use the no form of this command.
Syntax
aaa authentication login {default | LISTNAME} method1 [method2...]
no aaa authentication login {default | LISTNAME}
Parameters
default—Uses the default authentication method list when a user logs in (this list is unnamed).
LISTNAME—Name of the authentication method list activated when a user logs in. (Length: 1 to 32 characters)
method1 [method2...]—A list of methods that the authentication algorithm tries (in the given sequence).
Default Configuration
If no authentication method is specified, the default is to use the locally-defined users and passwords. It is the same as entering the aaa authentication login local command.
NOTE If no authentication method is defined, the console users can log in without any authentication verification.
Command Mode
Global Configuration mode
User Guidelines
A list of authentication methods may be assigned a list name, and this list name can be used in the aaa authentication enable command.
Create a list of authentication methods by entering this command with the LISTNAME parameter where LISTNAME is any character string. The method argument identifies the list of methods that the authentication algorithm tries in the given sequence.
Each additional authentication method is used only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line.
Select one or more methods from the following list:
Keyword Description
enable Uses the enable password for authentication.
local Uses the locally defined usernames for authentication.
none Uses no authentication.
radius Uses a list of RADIUS servers for authentication.
tacacs+ Uses a list of TACACS+ servers for authentication.
The default and list names created with this command are used with the aaa authentication enable command.
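As an added example that is not part of this guide, the following Python code models the method-list rule stated for both aaa authentication login and aaa authentication enable: methods are tried in order, the next method is consulted only when the previous one returns an error (not when it fails), none always succeeds, and enable requests to a RADIUS or TACACS+ server carry the $enabx$ username. The Result enum and the outcomes mapping that stands in for real servers and local lookups are constructed assumptions; a defender can use it to see what a list does when every server is unreachable.

```python
from enum import Enum
from typing import Dict, List, Optional, Tuple

# Method keywords listed in this chapter for aaa authentication login / enable.
METHODS = {"enable", "local", "none", "radius", "tacacs+"}


class Result(Enum):
    """Constructed stand-in for what one method reports back."""
    PASS = "pass"    # the method authenticated the user
    FAIL = "fail"    # the method reached a verdict and rejected the credentials
    ERROR = "error"  # the method could not be consulted (for example, server unreachable)


def evaluate_method_list(methods: List[str], outcomes: Dict[str, Result]) -> Tuple[Result, Optional[str]]:
    """Apply the rule from this chapter: methods are tried in order and the next one is used
    only if the previous one returns an error, not if it fails; none always succeeds.

    `outcomes` maps a method keyword to the Result it would return for this attempt
    (a missing entry counts as ERROR). Returns the final Result and the deciding method.
    """
    for method in methods:
        if method not in METHODS:
            raise ValueError(f"unknown authentication method {method!r}")
        if method == "none":
            return Result.PASS, "none"
        result = outcomes.get(method, Result.ERROR)
        if result is not Result.ERROR:
            return result, method
    # Every method returned an error and no 'none' fallback was configured:
    # the authentication does not succeed.
    return Result.ERROR, None


def outcome_with_servers_unreachable(methods: List[str]) -> Result:
    """What a login attempt with wrong credentials gets when all RADIUS/TACACS+ servers are down.

    PASS means the list silently falls back to no authentication; ERROR means every
    user, legitimate or not, is locked out until a server answers again.
    """
    outcomes = {"radius": Result.ERROR, "tacacs+": Result.ERROR,
                "local": Result.FAIL, "enable": Result.FAIL}
    result, _ = evaluate_method_list(methods, outcomes)
    return result


def enable_request_username(level: int) -> str:
    """Username the switch sends to a RADIUS or TACACS+ server for an
    'aaa authentication enable default' request: $enabx$ with x the requested level."""
    if not 1 <= level <= 15:
        raise ValueError("privilege level must be 1 to 15")
    return f"$enab{level}$"


if __name__ == "__main__":
    # The guide's own login example list, 'radius local none', under three scenarios.
    lst = ["radius", "local", "none"]
    print(evaluate_method_list(lst, {"radius": Result.PASS}))                          # server accepted
    print(evaluate_method_list(lst, {"radius": Result.FAIL}))                          # rejected: local not tried
    print(evaluate_method_list(lst, {"radius": Result.ERROR, "local": Result.PASS}))   # server down, local used
    print(outcome_with_servers_unreachable(["radius", "none"]))                        # falls open
    print(enable_request_username(15))
```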
The no aaa authentication login LISTNAME command deletes a list name only if it has not been referenced by another command.
Example
The following example sets the authentication login method for console sessions:
switchxxxxxx(config)# aaa authentication login authen-list radius local none
switchxxxxxx(config)# line console
switchxxxxxx(config-line)# login authentication authen-list
enable authentication
To specify the authentication method for accessing a higher privilege level from a remote Telnet or console, use the enable authentication Line Configuration mode command.
To restore the default authentication method, use the no form of this command.
Syntax
enable authentication LISTNAME
no enable authentication
Parameters
LISTNAME—Name of a specific authentication method list created with the aaa authentication enable command.
Command Mode
Line Configuration mode
Examples
Example 1—The following example uses the default authentication method when accessing a higher privilege level from a console:
switchxxxxxx(config)# line console
switchxxxxxx(config-line)# enable authentication default
Example 2—The following example sets a list of authentication methods for accessing higher privilege levels:
switchxxxxxx(config)# aaa authentication enable enable-list radius none
switchxxxxxx(config)# line console
switchxxxxxx(config-line)# enable authentication enable-list
enable password
To set a local password to control access to normal and privilege levels, use the enable password Global Configuration mode command.
To restore the default password, use the no form of this command.
Syntax
enable password [level privilege-level] unencrypted-password
enable secret [level privilege-level] encrypted encrypted-password
no enable [password | secret] [level privilege-level]
Parameters
level privilege-level—(Optional) Specifies the level for which the password applies. If not specified, the level is 15. (Range: 1 to 15)
unencrypted-password—Password for this level. (Range: 0 to 80 characters)
encrypted-password—The encrypted password. Use this keyword to enter a password that is already encrypted, such as a password that you copied from the configuration file of another device.
Default Configuration
The default level is 15.
The passwords are encrypted by default.
Command Mode
Global Configuration mode
User Guidelines
When the administrator configures a new enable password, this password is encrypted automatically and saved to the configuration file. No matter how the password was entered, it appears in the configuration file with the keyword encrypted and the encrypted value.
If the administrator wants to manually copy a password that was configured on one switch (switch B) to another switch (switch A), the administrator must add encrypted in front of this encrypted password when entering the enable command in switch A. In this way, the two switches will have the same password.
The passwords are encrypted by default. You are only required to use the encrypted keyword when you are actually entering an encrypted password.
Example
The following command sets an unencrypted password for level 15 (it will be encrypted in the configuration file):
switchxxxxxx(config)# enable password level 15 let-me-in
switchxxxxxx(config)# enable secret level l 4b529f21c93d4706090285b0c10172eb073ffebc4
ip http authentication
To specify one or more AAA methods for HTTP and HTTPS login authentications, use the ip http authentication Global Configuration mode command.
Syntax
ip http authentication aaa login-authentication [http | https] {default | LISTNAME}
no ip http authentication aaa login-authentication [http | https]
Parameters
http—(Optional) Binds a login authentication list to user access with the HTTP protocol.
https—(Optional) Binds a login authentication list to user access with the HTTPS protocol.
default—Uses the default login authentication method list.
LISTNAME—Name of the login authentication method list.
Default Configuration
The default login authentication list is used for HTTP and HTTPS sessions by default.
Command Mode
Global Configuration mode
Example
The following example creates two login authentication method lists and binds them to HTTP and HTTPS separately:
switchxxxxxx(config)# ip http authentication aaa login-authentication http test1
switchxxxxxx(config)# ip http authentication aaa login-authentication https test2
login authentication
To specify the login authentication method list for a remote Telnet or console session, use the login authentication Line Configuration mode command.
To restore the default authentication method, use the no form of this command.
Syntax
login authentication {default | LISTNAME}
no login authentication
Parameters
default—Uses the default login authentication list.
LISTNAME—Name of a specific authentication list created with the aaa authentication login command.
Default Configuration
The default login authentication list is used for each line.
Command Mode
Line Configuration mode
Examples
Example 1—The following example specifies the default login authentication method for a console session:
switchxxxxxx(config)# line console
switchxxxxxx(config-line)# login authentication default
Example 2—The following example sets an authentication login method list for the console:
switchxxxxxx (config)# aaa authentication login authen-list radius local none switchxxxxxx (config)# line console switchxxxxxx (config-line)# login authentication authen-list
passwords aging
To enforce the password aging, use the passwords aging Global Configuration mode command.
To revert to its default setting, use the no form of this command.
Syntax
passwords aging days
no passwords aging
Parameters
days—The number of days before a password change is forced. The value of zero means disabling aging. (Range: 0 to 365)
Default Configuration
The number of days is 180.
Command Mode
Global Configuration mode
User Guidelines
Aging is relevant only to local users with the privilege level 15.
To disable the password aging, use passwords aging 0. Using no passwords aging restores the aging time to its default setting.
Example
The following example configures the aging time to 24 days:
switchxxxxxx(config)# passwords aging 24
passwords complexity <attributes>
To configure the minimum password requirements when the password complexity is enabled, use the passwords complexity <attributes> Global Configuration mode commands.
To revert to its default setting, use the no form of these commands.
Syntax
passwords complexity min-length number
no passwords complexity min-length
passwords complexity min-classes number
no passwords complexity min-classes
passwords complexity not-current
no passwords complexity not-current
passwords complexity no-repeat number
no passwords complexity no-repeat
passwords complexity not-username
no passwords complexity not-username
Parameters
min-length number—Specifies the minimum length of the password. (Range: 0 to 64 characters)
min-classes number—Specifies the minimum number of character classes (uppercase letters, lowercase letters, numbers, and special characters available on a standard keyboard). (Range: 0 to 4)
not-current—Specifies that the new password cannot be the same as the current password.
no-repeat number—Specifies the maximum number of characters that can be repeated consecutively. Zero specifies that there is no limit on repeated characters. (Range: 0 to 16)
not-username—Specifies that the new password cannot be the same as the current username.
Default Configuration
The minimum length is 8.
The number of classes is 3.
The default for no-repeat is 3.
All other controls are enabled by default.
Command Mode
Global Configuration mode
Example
The following example changes the minimum required password length to 10 characters:
switchxxxxxx(config)# passwords complexity min-length 10
passwords complexity enable
To enforce the minimum password complexity, use the passwords complexity enable Global Configuration mode command.
To disable enforcing the password complexity, use the no form of this command.
Syntax
passwords complexity enable
no passwords complexity enable
Parameters
N/A
Default Configuration
Password complexity is enabled on the switch.
Command Mode
Global Configuration mode
User Guidelines
The password complexity is enabled by default. The user is required to enter a password that:
Has a minimum length of 8 characters.
Contains characters from at least 3 character classes (uppercase letters, lowercase letters, numbers, and special characters available on a standard keyboard).
Is different from the current password.
Contains no character that is repeated more than 3 times consecutively.
You can control these attributes of the password complexity with specific commands described in this section.
If you have previously configured other complexity settings, then those settings are used. This command does not eliminate the other settings. It works only as a toggle.
Example
The following example enables enforcing the password complexity on the switch and shows the current password complexity settings:
switchxxxxxx(config)# passwords complexity enable
switchxxxxxx(config)# exit
switchxxxxxx# show passwords configuration
Passwords aging is enabled with aging time 180 days.
Passwords complexity is enabled with the following attributes:
Minimal length: 3 characters
Minimal classes: 3
New password must be different than the current: Enabled
Maximum consecutive same characters: 3
New password must be different than the user name: Enabled
show aaa authentication lists
To show information for the AAA authentication lists, use the show aaa authentication lists Privileged EXEC command.
Syntax
show aaa authentication {login | enable} lists
Parameters
login—Displays information for the AAA authentication login lists.
enable—Displays information for the AAA authentication enable lists.
Command Mode
Privileged EXEC mode
Example
The following examples show information for all existing login and enable authentication lists:
switchxxxxxx# show aaa authentication login lists
Login List Name  | Authentication Method List
-----------------+---------------------------
default          | local

switchxxxxxx# show aaa authentication enable lists
Enable List Name | Authentication Method List
-----------------+---------------------------
default          | enable
show line lists
To show all AAA method lists for different line types, use the show line lists Privileged EXEC mode command.
Syntax
show line lists
Parameters
N/A
Default Configuration
N/A
Command Mode
Privileged EXEC mode
Example
The following example displays all AAA method lists for different line types:
switchxxxxxx# show line lists
Line Type    | AAA Type | List Name
-------------+----------+-----------
console      | login    | default
             | enable   | default
telnet       | login    | default
             | enable   | default
ssh          | login    | default
             | enable   | default
http         | login    | default
https        | login    | default
show passwords configuration
To show the password management configuration, use the show passwords configuration Privileged EXEC mode command.
Syntax
show passwords configuration
Parameters
N/A
Default Configuration
N/A
Command Mode
Privileged EXEC mode
Example
switchxxxxxx# show passwords configuration
Passwords aging is enabled with aging time 180 days.
Passwords complexity is enabled with the following attributes:
Minimal length: 3 characters
Minimal classes: 3
New password must be different than the current: Enabled
Maximum consecutive same characters: 3
New password must be different than the user name: Enabled
show username
To show all user accounts in the local database, use the show username Privileged EXEC mode command.
Syntax
show username
Parameters
None
Default Configuration
None
Command Mode
Privileged EXEC mode
Example
The following example shows information for all user accounts defined on the switch:
switchxxxxxx# show username
Priv | Type   | User Name | Password
-----+--------+-----------+----------------------------------------------
15   | secret | cisco     | ZmZmNzVhZTAzYjAyODkzZjlkM2JjZGIyMGYyMzY0NDM=
username
To add a new user or edit an existing user, use the username Global Configuration mode command.
To delete a username, use the no form of this command.
Syntax
username USERNAME [privilege {1 | 15 | admin | user}] {nopassword | secret {unencrypted-password | encrypted encrypted-password}}
no username USERNAME
Parameters
USERNAME—Name of the user. (Range: 0 to 32 characters)
privilege 1—(Optional) Specifies the privilege level to 1.
privilege 15—(Optional) Specifies the privilege level to 15.
privilege admin—(Optional) Specifies the privilege level to 15.
privilege user—(Optional) Specifies the privilege level to 1.
nopassword—No password is required for this user to log in.
secret unencrypted-password—Specifies a password that will be automatically encrypted. (Range: 0 to 80 characters)
secret encrypted encrypted-password—Specifies an encrypted password for the user. Use this keyword to enter a password that is already encrypted, such as a password that you copied from the configuration file of another device.
Default Configuration
The privilege level of the default user cisco is 15. The default password of this user is cisco.
Command Mode
Global Configuration mode
Examples
Example 1—The following example adds a user tom (level 15) with no password:
switchxxxxxx(config)# username tom privilege 15 nopassword
Example 2—The following example sets a password for user jerry (level 15) that has already been encrypted. It will be copied to the configuration file just as it is entered. To use it, the user must know its unencrypted form.
switchxxxxxx(config)# username jerry privilege 15 secret encrypted 4b529f21c93d4706090285b0c10172eb073ffebc4
ACL Commands
deny (MAC)
To set deny conditions (conditions are also known as access control entries [ACEs]) for a MAC-based ACL, use the deny MAC Access-List Configuration mode command.
To remove a MAC-based ACE, use the no sequence command.
Syntax
deny {any | source source-wildcard} {any | destination destination-wildcard} [vlan vlan-id] [cos cos cos-wildcard] [ethtype value] [disable-port]
no sequence value
Parameters
any—Any source or destination MAC address of the packet.
source—Source MAC address of the packet.
source-wildcard—Wildcard bits to be applied to the source MAC address.
destination—Destination MAC address of the packet.
destination-wildcard—Wildcard bits to be applied to the destination MAC address.
vlan vlan-id—(Optional) Specifies the VLAN ID of the packet. (Range: 1 to 4094)
cos cos—(Optional) Specifies the CoS value of the packet. (Range: 0 to 7)
cos-wildcard—(Optional) Wildcard bits to be applied to the CoS value.
ethtype value—(Optional) Specifies the Ethernet type in hexadecimal format of the packet.
disable-port—(Optional) Disables the Ethernet interface if the condition is matched.
Default Configuration
No MAC-based ACE is defined.
Command Mode
MAC Access-List Configuration mode
User Guidelines
After an ACE is added to an ACL, an implicit deny any any condition exists at the end of the list. That is, if there are no matches, the packets are denied. However, before the first ACE is added, the list permits all packets.
Example
switchxxxxxx(config)# mac access-list extended server1
switchxxxxxx(config-mac-acl)# deny 00:00:00:00:00:01 00:00:00:00:00:ff any
deny (IP)
To set deny conditions for an IPv4-based ACL, use the deny IP Access-List Configuration mode command.
To remove an IPv4-based ACE, use the no sequence command.
Syntax
[sequence value] deny protocol {any | source source-wildcard} {any | destination destination-wildcard} [dscp number | precedence number] [disable-port]
[sequence value] deny icmp {any | source source-wildcard} {any | destination destination-wildcard} [any | icmp-type] [any | icmp-code] [dscp number | precedence number] [disable-port]
[sequence value] deny tcp {any | source source-wildcard} {any | source-port/port-range} {any | destination destination-wildcard} {any | destination-port/port-range} [dscp number | precedence number] [match-all list-of-flags] [disable-port]
[sequence value] deny udp {any | source source-wildcard} {any | source-port/port-range} {any | destination destination-wildcard} {any | destination-port/port-range} [dscp number | precedence number] [disable-port]
no sequence value
Parameters
sequence value—(Optional) Specifies the sequence number of the IPv4-based ACL. The acceptable range is from 1 to 2147483547. If not specified, the switch provides a number starting from 1 in ascending order.
protocol—The name or the number of an IP protocol. Available protocol names are icmp, ip, tcp, egp, igp, udp, hmp, rdp, idpr, ipv6, ipv6:rout, ipv6:frag, idrp, rsvp, gre, esp, ah, ipv6:icmp, eigrp, ospf, ipinip, pim, l2tp, and isis. To match any protocol, use the ip keyword. (Range: 0 to 255)
source—Source IP address of the packet.
source-wildcard—Wildcard bits to be applied to the source IP address.
source-port/port-range—UDP or TCP source port. Predefined port names are defined in the destination-port/port-range parameter. (Range: 0 to 65535)
destination—Destination IP address of the packet.
destination-wildcard—Wildcard bits to be applied to the destination IP address.
destination-port/port-range—UDP or TCP destination port. You can enter a range of ports by using a hyphen, such as 20 - 21. For TCP enter a number or one of the following values: bgp (179), chargen (19), daytime (13), discard (9), domain (53), drip (3949), echo (7), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (42), irc (194), klogin (543), kshell (544), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), syslog (514), tacacs-ds (49), talk (517), telnet (23), time (35), uucp (117), whois (43), www (80). For UDP enter a number or one of the following values: biff (512), bootpc (68), bootps (67), discard (9), dnsix (90), domain (53), echo (7), mobile-ip (434), nameserver (42), netbios-dgm (138), netbios-ns (135), non500-isakmp (4500), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (49), talk (517), tftp (69), time (35), who (513), or xdmcp (177). (Range: 0 to 65535)
dscp number—(Optional) Specifies the DSCP value.
precedence number—(Optional) Specifies the IP precedence value.
disable-port—(Optional) The Ethernet interface is disabled if the condition is matched.
icmp-type—(Optional) The ICMP message type for filtering ICMP packets. Enter a number or one of these values: echo-reply, destination-unreachable, source-quench, redirect, alternate-host-address, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem, timestamp, timestamp-reply, information-request, information-reply, address-mask-request, address-mask-reply, traceroute, datagram-conversion-error, mobile-host-redirect, mobile-registration-request, mobile-registration-reply, domain-name-request, domain-name-reply, skip, or photuris. (Range: 0 to 255)
icmp-code—(Optional) ICMP message code for filtering ICMP packets. (Range: 0 to 255)
match-all list-of-flags—(Optional) Specifies a list of TCP flags that should occur. If a flag should be set, it is prefixed by “+”. If a flag should be unset, it is prefixed by “-”. Available options are +urg, +ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst, -syn, and -fin. The flags are concatenated to one string, such as +fin-ack.
Default Configuration
No IPv4-based ACE is defined.
Command Mode
IP Access-List Configuration mode
User Guidelines
After an ACE is added to an ACL, an implicit deny any any condition exists at the end of the list. That is, if there are no matches, the packets are denied. However, before the first ACE is added, the list permits all packets.
The number of TCP or UDP ranges that can be defined in ACLs is limited. You can define up to #ASIC-specific ranges for TCP and up to #ASIC-specific ranges for UDP.
If a range of ports is used for a source port in an ACE, it is not counted again if it is also used for a source port in another ACE.
If a range of ports is used for a destination port in an ACE, it is not counted again if it is also used for a destination port in another ACE.
If a range of ports is used for a source port, it is counted again if it is also used for a destination port.
Example
switchxxxxxx(config)# ip access-list extended server
switchxxxxxx(config-ip-acl)# deny ip 172.212.0.0 0.0.255.255 any
deny (IPv6)
To set deny conditions for an IPv6-based ACL, use the deny IPv6 Access-List Configuration mode command.
To remove an IPv6-based ACE, use the no sequence command.
Syntax
[sequence value] deny protocol {any | source-prefix/length} {any | destination-prefix/length} [dscp number | precedence number] [disable-port]
[sequence value] deny icmp {any | source-prefix/length} {any | destination-prefix/length} {any | icmp-type} {any | icmp-code} [dscp number | precedence number] [disable-port]
[sequence value] deny tcp {any | source-prefix/length} {any | source-port/port-range} {any | destination-prefix/length} {any | destination-port/port-range} [dscp number | precedence number] [match-all list-of-flags] [disable-port]
[sequence value] deny udp {any | source-prefix/length} {any | source-port/port-range} {any | destination-prefix/length} {any | destination-port/port-range} [dscp number | precedence number] [disable-port]
no sequence value
Parameters
sequence value—(Optional) Specifies the sequence number of the IPv6-based ACL. The acceptable range is from 1 to 2147483547. If not specified, the switch provides a number starting from 1 in ascending order.
protocol—The name or the number of an IP protocol. Available protocol names are icmp (58), tcp (6), and udp (17). To match any protocol, use the ipv6 keyword. (Range: 0 to 255)
source-prefix/length—The source IPv6 network or class of networks about which to set permit conditions. This argument must be in the format documented in RFC 3513 where the address is specified in hexadecimal using 16-bit values between colons.
source-port/port-range—The UDP or TCP source port. Predefined port names are defined in the destination-port/port-range parameter. (Range: 0 to 65535)
destination-prefix/length—The destination IPv6 network or class of networks about which to set permit conditions. This argument must be in the format documented in RFC 3513 where the address is specified in hexadecimal using 16-bit values between colons.
destination-port/port-range—The UDP or TCP destination port. You can enter a range of ports by using a hyphen, such as 20 - 21. For TCP enter a number or one of these values: bgp (179), chargen (19), daytime (13), discard (9), domain (53), drip (3949), echo (7), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (42), irc (194), klogin (543), kshell (544), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), syslog (514), tacacs-ds (49), talk (517), telnet (23), time (37), uucp (117), whois (43), www (80). For UDP enter a number or one of the following values: biff (512), bootpc (68), bootps (67), discard (9), dnsix (90), domain (53), echo (7), mobile-ip (434), nameserver (42), netbios-dgm (138), netbios-ns (137), non500-isakmp (4500), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs (49), talk (517), tftp (69), time (37), who (513), or xdmcp (177). (Range: 0 to 65535)
dscp number—(Optional) Specifies the DSCP value. (Range: 0 to 63)
precedence number—(Optional) Specifies the IP precedence value.
disable-port—(Optional) Disables the Ethernet interface if the condition is matched.
icmp-type—(Optional) The ICMP message type for filtering ICMP packets. Enter a number or one of these values: destination-unreachable (1), packet-too-big (2), time-exceeded (3), parameter-problem (4), echo-request (128), echo-reply (129), mld-query (130), mld-report (131), mldv2-report (143), mld-done (132), router-solicitation (133), router-advertisement (134), nd-ns (135), or nd-na (135). (Range: 0 to 255)
icmp-code—(Optional) The ICMP message code for filtering ICMP packets. (Range: 0 to 255)
match-all list-of-flags—(Optional) Specifies a list of TCP flags that should occur. If a flag should be set, it is prefixed by “+”. If a flag should be unset, it is prefixed by “-”. Available options are +urg, +ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst, -syn, and -fin. The flags are concatenated to one string, such as +fin-ack.
Default Configuration
No IPv6-based ACE is defined.
Command Mode
IPv6 Access-List Configuration mode
User Guidelines
The number of TCP/UDP ranges that can be defined in ACLs is limited. You can define up to #ASIC-specific ranges for TCP and up to #ASIC-specific ranges for UDP.
If a range of ports is used for a source port in an ACE, it is not counted again if it is also used for a source port in another ACE.
If a range of ports is used for a destination port in an ACE, it is not counted again if it is also used for a destination port in another ACE.
If a range of ports is used for a source port, it is counted again if it is also used for a destination port.
Example
switchxxxxxx(config)# ipv6 access-list server
switchxxxxxx(config-ipv6-acl)# deny tcp 3001::2/64 any any 80
ip access-group in
To bind an IPv4-based ACL to an interface, use the ip access-group in Interface Configuration mode command.
To remove all IPv4-based ACLs from an interface, use the no form of this command.
Syntax
ip access-group acl-name in
no ip access-group in
Parameters
acl-name—Name of the IPv4-based ACL. (Range: 1 to 32 characters)
Default Configuration
No IPv4-based ACL is applied to the interface.
Command Mode
Interface Configuration (Ethernet) mode
Example
switchxxxxxx(config)# interface gi11
switchxxxxxx(config-if)# ip access-group v4acl1 in
ip access-list extended
To name an IPv4-based ACL and to enter the IPv4 Access-List Configuration mode, use the ip access-list extended Global Configuration mode command.
To remove an IPv4-based ACL, use the no form of this command.
Syntax
ip access-list extended acl-name
no ip access-list extended acl-name
Parameters
acl-name—Name of the IPv4-based ACL. (Range: 1 to 32 characters)
Default Configuration
No IPv4-based ACL is configured.
Command Mode
Global Configuration mode
User Guidelines
The IPv4-based ACEs for this IPv4-based ACL are defined in the permit (IP) and deny (IP) commands.
An IPv4-based ACL is defined by a unique name. An IPv4-based ACL, IPv6-based ACL, MAC-based ACL, or policy map cannot have the same name.
Example
switchxxxxxx(config)# ip access-list extended server
switchxxxxxx(config-ip-acl)#
ipv6 access-group in
To bind an IPv6-based ACL to an interface, use the ipv6 access-group in Interface Configuration mode command.
To remove all IPv6-based ACLs from an interface, use the no form of this command.
Syntax
ipv6 access-group acl-name in
no ipv6 access-group in
Parameters
acl-name—Name of the IPv6-based ACL. (Range: 1 to 32 characters)
Default Configuration
No IPv6-based ACL is applied to the interface.
Command Mode
Interface Configuration (Ethernet) mode
Example
switchxxxxxx(config)# interface gi11
switchxxxxxx(config-if)# ipv6 access-group v6acl1 in
ipv6 access-list
To define an IPv6-based ACL and to enter the IPv6 Access-List Configuration mode, use the ipv6 access-list Global Configuration mode command.
To remove an IPv6-based ACL, use the no form of this command.
Syntax
ipv6 access-list acl-name
no ipv6 access-list acl-name
Parameters
acl-name—Name of the IPv6-based ACL. (Range: 1 to 32 characters)
Default Configuration
No IPv6-based ACL is defined.
Command Mode
Global Configuration mode
User Guidelines
The IPv6-based ACEs for this IPv6-based ACL are defined in the permit (IPv6) and deny (IPv6) commands.
An IPv6-based ACL is defined by a unique name. An IPv4-based ACL, IPv6-based ACL, MAC-based ACL, or policy map cannot have the same name.
Each IPv6-based ACL has implicit permit icmp any any nd-ns any, permit icmp any any nd-na any, and deny ipv6 any any statements as its last match conditions. (The former two match conditions allow for ICMPv6 neighbor discovery.)
The IPv6 neighbor discovery process uses the IPv6 network layer service; therefore, by default, IPv6-based ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface. In IPv4, the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery process, uses a separate data link layer protocol; therefore, by default, IPv4-based ACLs implicitly allow ARP packets to be sent and received on an interface.
Example
switchxxxxxx(config)# ipv6 access-list test
switchxxxxxx(config-ipv6-acl)#
mac access-group in
To bind a MAC-based ACL to an interface, use the mac access-group in Interface Configuration mode command.
To remove all MAC-based ACLs from an interface, use the no form of this command.
Syntax
mac access-group acl-name in
no mac access-group in
Parameters
acl-name—Name of the MAC-based ACL. (Range: 1 to 32 characters)
Default Configuration
No MAC-based ACL is applied to the interface.
Command Mode
Interface Configuration (Ethernet) mode
Example
switchxxxxxx(config)# interface gi11
switchxxxxxx(config-if)# mac access-group macac11 in
mac access-list extended
To define a Layer 2 ACL based on source MAC address filtering and to enter the MAC Access-List Configuration mode, use the mac access-list extended Global Configuration mode command.
To remove a MAC-based ACL, use the no form of this command.
Syntax
mac access-list extended acl-name
no mac access-list extended acl-name
Parameters
acl-name—Name of the MAC-based ACL. (Range: 1 to 32 characters)
Default Configuration
No MAC-based ACL is defined.
Command Mode
Global Configuration mode
User Guidelines
The MAC-based ACEs for this MAC-based ACL are defined in the permit (MAC) and deny (MAC) commands.
A MAC-based ACL is defined by a unique name. An IPv4-based ACL, IPv6-based ACL, MAC-based ACL, or policy map cannot have the same name.
Example
switchxxxxxx(config)# mac access-list extended server1
switchxxxxxx(config-mac-acl)# permit 00:00:00:00:00:01 00:00:00:00:00:ff any
no sequence
To remove a permit or deny ACE for an IPv4-based ACL, an IPv6-based ACL, or a MAC-based ACL, use the no sequence command in the IP Access-List Configuration mode, in the IPv6 Access-List Configuration mode, or in the MAC Access-List Configuration mode.
Syntax
no sequence value
Parameters
value—Sequence number of the ACE to remove. The acceptable range is from 1 to 2147483547.
Command Mode
IP Access-List Configuration mode, IPv6 Access-List Configuration mode, and MAC Access-List Configuration mode
Example
switchxxxxxx(config)# mac access-list extended macac11
switchxxxxxx(config-mac-acl)# show access-list
MAC access list macac11
....sequence 1 permit any any
switchxxxxxx(config-mac-acl)# no sequence 1
permit (IP)
To set permit conditions for an IPv4-based ACL, use the permit IP Access-List Configuration mode command.
To remove an IPv4-based ACE, use the no sequence command.
Syntax
value
[sequence
] permit
destination-wildcard
value
[sequence
] permit
destination-wildcard
precedence
[sequence
port-range range
} [dscp
number
value
} {any |
number
] permit
destination destination-wildcard
protocol
} [dscp
} [any | ]
| precedence
number
icmp
{any |
icmp-type
tcp
{any |
{any |
source source-wildcard
| precedence
number
source source-wildcard
] [any |
icmp-code
] [dscp
source source-wildcard
} {any |
number
] [match-all
list-of-flags
} {any |
]
} {any |
number
} {any |
destination
destination
|
source-port/
destination-port/port-
]
[sequence
port-range range
} [dscp
no sequence
Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 79
value
] permit
} {any |
number
value
udp
{any |
source source-wildcard
destination destination-wildcard
| precedence
number
]
} {any |
} {any |
source-port/
destination-port/port-
ACL Commands
permit (IP)
Parameters
sequence
based ACL. The acceptable range is from 1 to 2147483547. If not specified, the switch provides a number starting from 1 in ascending order.
protocol
sequence value—(Optional) Specifies the sequence number for the IPv4-based ACL.
protocol—The name or the number of an IP protocol. Available protocol names are icmp, ip, tcp, egp, igp, udp, hmp, rdp, idpr, ipv6, ipv6:rout, ipv6:frag, idrp, rsvp, gre, esp, ah, ipv6:icmp, eigrp, ospf, ipinip, pim, l2tp, and isis. To match any protocol, use the ip keyword. (Range: 0 to 255)
source—Source IP address of the packet.
source-wildcard—Wildcard bits to be applied to the source IP address.
source-port/port-range—(Optional) The UDP or TCP source port. Predefined port names are defined in the destination-port/port-range parameter. (Range: 0 to 65535)
destination—Destination IP address of the packet.
destination-wildcard—Wildcard bits to be applied to the destination IP address.
destination-port/port-range—(Optional) The UDP or TCP destination port. You can enter a range of ports by using a hyphen, such as 20 - 21. For TCP enter a number or one of these values: bgp (179), chargen (19), daytime (13), discard (9), domain (53), drip (3949), echo (7), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (42), irc (194), klogin (543), kshell (544), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), syslog (514), tacacs-ds (49), talk (517), telnet (23), time (35), uucp (117), whois (43), www (80). For UDP enter a number or one of the following values: biff (512), bootpc (68), bootps (67), discard (9), dnsix (90), domain (53), echo (7), mobile-ip (434), nameserver (42), netbios-dgm (138), netbios-ns (135), non500-isakmp (4500), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (49), talk (517), tftp (69), time (35), who (513), or xdmcp (177). (Range: 0 to 65535)
dscp number—(Optional) Specifies the DSCP value.
precedence number—(Optional) Specifies the IP precedence value.
icmp-type—(Optional) The ICMP message type for filtering ICMP packets. Enter a number or one of these values: echo-reply, destination-unreachable, source-quench, redirect, alternate-host-address, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem, timestamp, timestamp-reply, information-request, information-reply, address-mask-request, address-mask-reply, traceroute, datagram-conversion-error, mobile-host-redirect, mobile-registration-request, mobile-registration-reply, domain-name-request, domain-name-reply, skip, or photuris. (Range: 0 to 255)
icmp-code—(Optional) The ICMP message code for filtering ICMP packets. (Range: 0 to 255)
match-all list-of-flags—(Optional) Specifies a list of TCP flags that should occur. If a flag should be set, it is prefixed by “+”. If a flag should be unset, it is prefixed by “-”. Available options are +urg, +ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst, -syn, and -fin. The flags are concatenated to one string, such as +fin-ack.
Default Configuration
No IPv4-based ACE is defined.
Command Mode
IP Access-List Configuration mode
User Guidelines
After an ACE is added to an ACL, an implicit deny any any condition exists at the end of the list. That is, if there are no matches, the packets are denied. However, before the first ACE is added, the list permits all packets.
The number of TCP/UDP ranges that can be defined in ACLs is limited. You can define up to #ASIC-specific ranges for TCP and up to #ASIC-specific ranges for UDP.
If a range of ports is used for a source port in an ACE, it is not counted again if it is also used for a source port in another ACE.
If a range of ports is used for a destination port in an ACE, it is not counted again if it is also used for a destination port in another ACE.
If a range of ports is used for a source port, it is counted again if it is also used for a destination port.
Example
switchxxxxxx(config)# ip access-list extended server
switchxxxxxx(config-ip-acl)# permit ip 176.212.0.0 0.0.255.255 any
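The matching rules the parameters and User Guidelines describe (wildcard bits, first match in sequence order, an implicit deny any any once the list has an ACE, permit-all while it has none) can be checked offline against a candidate ACL before it is applied. The following Python model is an added example, not Cisco code: the Ace record and its field names, the evaluate() function and the sample ACL are constructed here; sequence 1 of the sample is the page's own example ACE.

```python
"""
Evaluate an IPv4-based ACL the way the permit (IP) parameters and User
Guidelines describe it: ACEs are tried in sequence order, wildcard bits mark
the address bits that are "don't care", the first match decides, and a
non-empty list ends with the implicit deny any any. This is an added
illustration, not Cisco code; the Ace record, its field names and the
sample ACL are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Ace:
    sequence: int
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip" matches any protocol; otherwise "tcp", "udp", "icmp", ...
    source: str                     # dotted address, or "any"
    source_wildcard: str = "0.0.0.0"
    destination: str = "any"
    destination_wildcard: str = "0.0.0.0"
    dst_port: Optional[Tuple[int, int]] = None   # inclusive (low, high); None means any port


def wildcard_match(addr: str, pattern: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    if pattern == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    p = int(ipaddress.IPv4Address(pattern))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (p & care)


def ace_matches(ace: Ace, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    """True when every field of the ACE accepts the packet."""
    if ace.protocol != "ip" and ace.protocol != proto:
        return False
    if not wildcard_match(src, ace.source, ace.source_wildcard):
        return False
    if not wildcard_match(dst, ace.destination, ace.destination_wildcard):
        return False
    if ace.dst_port is not None:
        if dport is None or not (ace.dst_port[0] <= dport <= ace.dst_port[1]):
            return False
    return True


def evaluate(acl, proto: str, src: str, dst: str, dport: Optional[int] = None):
    """Return (action, sequence number of the matching ACE or None).

    An ACL with no ACEs permits everything (the list permits all packets
    before the first ACE is added); once it has ACEs, a packet that matches
    none of them hits the implicit deny any any."""
    if not acl:
        return ("permit", None)
    for ace in sorted(acl, key=lambda a: a.sequence):
        if ace_matches(ace, proto, src, dst, dport):
            return (ace.action, ace.sequence)
    return ("deny", None)


# Constructed sample ACL. Sequence 1 is the page's example ACE
# (permit ip 176.212.0.0 0.0.255.255 any); sequence 2 is added to show a
# TCP destination-port range (20 - 21) towards a single host.
SERVER_ACL = [
    Ace(1, "permit", "ip", "176.212.0.0", "0.0.255.255"),
    Ace(2, "permit", "tcp", "any", "255.255.255.255", "10.0.0.5", "0.0.0.0", (20, 21)),
]


if __name__ == "__main__":
    for pkt in [("udp", "176.212.7.9", "10.1.1.1", 53),
                ("tcp", "192.0.2.1", "10.0.0.5", 21),
                ("tcp", "192.0.2.1", "10.0.0.5", 22)]:
        print(pkt, "->", evaluate(SERVER_ACL, *pkt))
```

The third sample packet (TCP to port 22) matches neither ACE and is denied by the implicit rule, which is the case most often missed when an ACL is written with only permit statements.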
permit (IPv6)
To set permit conditions for an IPv6-based ACL, use the permit command in the IPv6 Access-List Configuration mode.
To remove an IPv6-based ACE, use the no sequence command.
Syntax
[sequence value] permit protocol {any | {source-prefix/length}} {any | {destination-prefix/length}} [dscp number | precedence number]
[sequence value] permit icmp {any | {source-prefix/length}} {any | {destination-prefix/length}} {any | icmp-type} {any | icmp-code} [dscp number | precedence number]
[sequence value] permit tcp {any | {source-prefix/length}} {any | source-port/port-range} {any | {destination-prefix/length}} {any | destination-port/port-range} [dscp number | precedence number] [match-all list-of-flags]
[sequence value] permit udp {any | {source-prefix/length}} {any | source-port/port-range} {any | {destination-prefix/length}} {any | destination-port/port-range} [dscp number | precedence number]
no sequence value
Parameters
sequence value—(Optional) The sequence number for the IPv6-based ACL. The acceptable range is from 1 to 2147483547. If not specified, the switch provides a number starting from 1 in ascending order.
protocol—The name or the number of an IP protocol. Available protocol names are icmp (58), tcp (6), and udp (17). To match any protocol, use the ipv6 keyword. (Range: 0 to 255)
source-prefix/length—The source IPv6 network or class of networks about which to set permit conditions. This argument must be in the form documented in RFC 3513 where the address is specified in hexadecimal using 16-bit values between colons.
source-port/port-range—The UDP or TCP source port. Predefined port names are defined in the destination-port/port-range parameter. (Range: 0 to 65535)
destination-prefix/length—The destination IPv6 network or class of networks about which to set permit conditions. This argument must be in the form documented in RFC 3513 where the address is specified in hexadecimal using 16-bit values between colons.
destination-port/port-range—The UDP or TCP destination port. You can enter a range of ports by using a hyphen, such as 20 - 21. For TCP enter a number or one of these values: bgp (179), chargen (19), daytime (13), discard (9), domain (53), drip (3949), echo (7), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (42), irc (194), klogin (543), kshell (544), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), syslog (514), tacacs-ds (49), talk (517), telnet (23), time (35), uucp (117), whois (43), www (80). For UDP enter a number or one of the following values: biff (512), bootpc (68), bootps (67), discard (9), dnsix (90), domain (53), echo (7), mobile-ip (434), nameserver (42), netbios-dgm (138), netbios-ns (135), non500-isakmp (4500), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs (49), talk (517), tftp (69), time (35), who (513), or xdmcp (177). (Range: 0 to 65535)
dscp number—(Optional) Specifies the DSCP value. (Range: 0 to 63)
precedence number—(Optional) Specifies the IP precedence value.
icmp-type—(Optional) The ICMP message type for filtering ICMP packets. Enter a number or one of these values: destination-unreachable (1), packet-too-big (2), time-exceeded (3), parameter-problem (4), echo-request (128), echo-reply (129), mld-query (130), mld-report (131), mldv2-report (143), mld-done (132), router-solicitation (133), router-advertisement (134), nd-ns (135), or nd-na (135). (Range: 0 to 255)
icmp-code—(Optional) The ICMP message code for filtering ICMP packets. (Range: 0 to 255)
match-all list-of-flags—(Optional) Specifies a list of TCP flags that should occur. If a flag should be set, it is prefixed by “+”. If a flag should be unset, it is prefixed by “-”. Available options are +urg, +ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst, -syn, and -fin. The flags are concatenated to one string, such as +fin-ack.
Default Configuration
No IPv6-based ACE is defined.
Command Mode
IPv6 Access-List Configuration mode
User Guidelines
The number of TCP/UDP ranges that can be defined in ACLs is limited. You can define up to #ASIC-specific ranges for TCP and up to #ASIC-specific ranges for UDP.
If a range of ports is used for a source port in an ACE, it is not counted again if it is also used for a source port in another ACE.
If a range of ports is used for a destination port in an ACE, it is not counted again if it is also used for a destination port in another ACE.
If a range of ports is used for a source port, it is counted again if it is also used for a destination port.
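The three counting rules above (and the identical rules under permit (IP)) decide how many of the limited TCP and UDP range entries an ACL will consume. The following Python helper is an added example, not Cisco code: it parses port specifications in the form the destination-port/port-range parameter accepts (a number, one of the listed names, or a hyphenated range) and applies the reuse rules. The limit values passed to check_limits() are placeholders, because the page states the limits only as "#ASIC-specific"; the name tables contain a subset of the keywords listed on the page.

```python
"""
Count the TCP and UDP port ranges an ACL consumes, applying the rules in the
permit (IP) and permit (IPv6) User Guidelines: a range reused as a source port
(or reused as a destination port) in another ACE is not counted again, but a
range used once as a source port and once as a destination port counts twice.
Added example, not Cisco code; the limits are placeholders ("#ASIC-specific"
on the page), and the keyword tables are a subset of the page's lists.
"""
import re

# Port keywords from the page's destination-port/port-range parameter (subset).
TCP_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53,
             "www": 80, "pop3": 110, "bgp": 179}
UDP_NAMES = {"bootps": 67, "bootpc": 68, "tftp": 69, "ntp": 123, "snmp": 161,
             "snmptrap": 162, "syslog": 514}


def _spec_regex(names):
    # Longest names first so that "ftp-data" is not split at its own hyphen.
    tok = "|".join(sorted(map(re.escape, names), key=len, reverse=True)) + r"|\d+"
    return re.compile(rf"^({tok})(?:\s*-\s*({tok}))?$")


_RX = {"tcp": _spec_regex(TCP_NAMES), "udp": _spec_regex(UDP_NAMES)}
_NAMES = {"tcp": TCP_NAMES, "udp": UDP_NAMES}


def parse_port_spec(spec, proto):
    """'any' -> None; '80', 'www' or '20 - 21' -> inclusive (low, high)."""
    names, rx = _NAMES[proto], _RX[proto]
    spec = spec.strip().lower()
    if spec == "any":
        return None
    m = rx.match(spec)
    if not m:
        raise ValueError(f"unrecognised port specification: {spec!r}")

    def value(tok):
        return names[tok] if tok in names else int(tok)

    lo = value(m.group(1))
    hi = lo if m.group(2) is None else value(m.group(2))
    if not (0 <= lo <= hi <= 65535):
        raise ValueError(f"port out of range: {spec!r}")
    return (lo, hi)


def count_port_ranges(aces):
    """
    aces: iterable of (protocol, source_port_spec, destination_port_spec).
    Returns {'tcp': n, 'udp': n}, the number of distinct range entries consumed.
    A single port (low == high) is not a range and consumes no range entry.
    """
    seen = set()
    for proto, sport, dport in aces:
        if proto not in ("tcp", "udp"):
            continue                            # ip/icmp ACEs carry no ports
        for role, spec in (("src", sport), ("dst", dport)):
            rng = parse_port_spec(spec, proto)
            if rng is not None and rng[0] != rng[1]:
                seen.add((proto, role, rng))    # the set implements the reuse rules
    return {"tcp": sum(1 for p, _, _ in seen if p == "tcp"),
            "udp": sum(1 for p, _, _ in seen if p == "udp")}


def check_limits(counts, tcp_limit, udp_limit):
    """Return the protocols whose range count exceeds the given (placeholder) limit."""
    return [p for p, lim in (("tcp", tcp_limit), ("udp", udp_limit)) if counts[p] > lim]


# Constructed sample. The first ACE mirrors the page's IPv6 example
# (permit tcp ... any any 80): a single port, so no range entry.
SAMPLE_ACES = [
    ("tcp", "any", "80"),
    ("tcp", "any", "20 - 21"),
    ("tcp", "any", "ftp-data - ftp"),   # same destination range as above: not counted again
    ("tcp", "20 - 21", "any"),          # same range as a source port: counted again
    ("udp", "any", "bootps - bootpc"),
    ("udp", "any", "67 - 68"),          # duplicate UDP destination range
    ("icmp", "any", "any"),
]

if __name__ == "__main__":
    print(count_port_ranges(SAMPLE_ACES))   # {'tcp': 2, 'udp': 1}
```

Run against the sample, the six TCP/UDP ACEs consume two TCP range entries and one UDP range entry: the repeated destination ranges collapse, while the 20 - 21 range used as a source port is charged separately.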
Example
This example defines an IPv6-based ACL named server and enters an IPv6-based ACE for TCP packets:
switchxxxxxx(config)# ipv6 access-list server
switchxxxxxx(config-ipv6-acl)# permit tcp 3001::2/64 any any 80
permit (MAC)
To set permit conditions for a MAC-based ACL, use the permit command in the MAC Access-List Configuration mode.
To remove a MAC-based ACE, use the no sequence command.
Syntax
[sequence value] permit {any | source source-wildcard} {any | destination destination-wildcard} [any | vlan vlan-id] [cos cos cos-wildcard] [ethtype value]
no sequence value
Parameters
sequence value—(Optional) Specifies the sequence number for the MAC-based ACL. The acceptable range is from 1 to 2147483547. If not specified, the switch provides a number starting from 1 in ascending order.
source—Source MAC address of the packet.
source-wildcard—Wildcard bits to be applied to the source MAC address.
destination—Destination MAC address of the packet.
destination-wildcard—Wildcard bits to be applied to the destination MAC address.
vlan vlan-id—(Optional) Specifies the VLAN ID of the packet. (Range: 1 to 4094)
cos cos—(Optional) The CoS value of the packet. (Range: 0 to 7)
cos-wildcard—(Optional) Wildcard bits to be applied to the CoS.
ethtype value—(Optional) Specifies the Ethernet type in hexadecimal format of the packet. (Range: 1501 to 65535)
Default Configuration
No MAC-based ACE is defined.
Command Mode
MAC Access-List Configuration mode
User Guidelines
After an ACE is added to an ACL, an implicit deny any any condition exists at the end of the list. That is, if there are no matches, the packets are denied. However, before the first ACE is added, the list permits all packets.
Example
switchxxxxxx(config)# mac access-list extended server1
switchxxxxxx(config-mac-acl)# permit 00:00:00:00:00:01 00:00:00:00:00:ff any
show access-lists
To display the ACLs for a specific class defined on the switch, use the show access-lists Privileged EXEC mode command.
Syntax
show {ip | ipv6 | mac} access-lists [acl-name]
Parameters
ip | ipv6 | mac—Specifies the ACL type.
acl-name—(Optional) Name of the ACL. (Range: 1 to 32 characters)
Command Mode
Privileged EXEC mode
Example
switchxxxxxx# show ip access-lists
show access-lists
To display all ACLs configured on the switch, use the show access-lists Privileged EXEC mode command.
Syntax
show access-lists
Parameters
N/A
Command Mode
Privileged EXEC mode
Example
switchxxxxxx# show access-lists
MAC access list macacl1 sequence 1 permit any any cos 7 5
IPv6 access list v6acl1 sequence 1 permit ipv6 abcd::/64 aacc::/64
show access-lists utilization
To display the utilization of the access-list group, use the show access-lists utilization Privileged EXEC mode command.
Syntax
show access-lists utilization
Parameters
N/A
Command Mode
Privileged EXEC mode
Example
switchxxxxxx# show access-lists utilization
Max TCAM entries: 1408
In used: 0
Address Table Commands
bridge multicast reserved-address
To define the action on multicast reserved-address packets, use the bridge multicast reserved-address Global Configuration mode command.
Syntax
bridge multicast reserved-address mac-multicast-address {discard | bridge | peer}
Parameters
mac-multicast-address—Multicast MAC address to be reserved.
discard—Discards the packets.
bridge—Forwards the packets.
peer—Processes the packets based on its protocols or applications.
Default Configuration
If the MAC address is not used by any protocol, the default action is bridge.
Command Mode
Global Configuration mode
User Guidelines
Configurations that contain a service type have precedence over less specific configurations that contain only a MAC address.
The action defined by this command has precedence over the forwarding rules defined by the applications or protocols (such as STP and LLDP) supported on the switch.
The packets that are bridged are subject to security ACLs.
Example
switchxxxxxx(config)# bridge multicast reserved-address 00:3f:bd:45:5a:b1 discard
clear mac address-table
To clear the learned entries from the forwarding database (FDB), use the clear mac address-table Privileged EXEC mode command.
Syntax
clear mac address-table dynamic [interfaces interface-id | vlan vlan-id]
Parameters
interfaces interface-id—(Optional) Deletes all dynamic (learned) addresses on specific interfaces. The interface can be one of these types: Ethernet port or port channel.
vlan vlan-id—(Optional) Deletes all secure addresses learned on a VLAN.
Default Configuration
If no interface or VLAN is specified, all entries in the dynamic MAC address table will be cleared.
Command Mode
Privileged EXEC mode
Example
switchxxxxxx# clear mac address-table dynamic interfaces gi11
mac address-table aging-time
To set the aging time of the MAC address table, use the mac address-table aging-time Global Configuration mode command.
Syntax
mac address-table aging-time seconds
Parameters
seconds—The time in seconds that an entry remains in the MAC address table. (Range: 10 to 1000000 seconds, 0 indicates no aging)
Default Configuration
The default aging time is 300 seconds.
Command Mode
Global Configuration mode
Example
switchxxxxxx(config)# mac address-table aging-time 600
mac address-table static
To add a MAC-layer station source address to the MAC address table, use the mac address-table static Global Configuration mode command.
To delete a MAC address from the MAC address table, use the no form of this command.
Syntax
mac address-table static mac-address vlan vlan-id interfaces interface-id [delete-on-reboot | delete-on-timeout | permanent | secure]
mac address-table static mac-address vlan vlan-id drop
no mac address-table static mac-address vlan vlan-id
Parameters
mac-address—MAC address of the interface.
vlan vlan-id—VLAN ID for the interface.
interfaces interface-id—Specifies an interface ID or a list of interface IDs. The interface can be one of these types: Ethernet port or port channel.
delete-on-reboot—(Optional) Specifies that the static MAC address is never aged out of the table and will be deleted after the switch reboots.
delete-on-timeout—(Optional) Deletes the MAC address when aging occurs.
permanent—(Optional) Specifies that the static MAC address is never aged out of the table and, if it is saved to the Startup Configuration, is retained after rebooting. This keyword is applied by default.
secure—(Optional) Specifies that the MAC address is secure when the interface is in classic locked mode.
drop—Drops the packets with the specified source or destination unicast MAC address.
Default Configuration
No static addresses are defined. The default mode for an added address is permanent.
Command Mode
Global Configuration mode
User Guidelines
Use the command to add a static MAC address with the given time-to-live in any mode, or to add a secure MAC address in a secure mode.
Each MAC address in the MAC address table is assigned two attributes: type and time-to-live.
The following time-to-live values are supported:
delete-on-reboot—A MAC address is saved until the next reboot.
delete-on-timeout—A MAC address that may be removed by the aging timer.
permanent—A MAC address is saved until it is removed manually.
The following types are supported:
static—A MAC address manually added by the command with one of the following keywords specifying its time-to-live:
- permanent
- delete-on-reboot
- delete-on-timeout
A static MAC address may be added in any port mode.
secure—A MAC address added manually or learned in a secure mode. Use the mac address-table static command with the secure keyword to add a secure MAC address. The MAC address cannot be relearned. A secure MAC address may be added only in a secure port mode.
dynamic—A MAC address learned by the switch in nonsecure mode. The value of its time-to-live attribute is delete-on-timeout.
Examples
Example 1—The following example adds two permanent static MAC addresses:
switchxxxxxx(config)# mac address-table static 00:3f:bd:45:5a:b1 vlan 1 interfaces gi1
switchxxxxxx(config)# mac address-table static 00:3f:bd:45:5a:b2 vlan 1 interfaces gi1 permanent
Example 2—The following example adds a delete-on-reboot static MAC address:
switchxxxxxx(config)# mac address-table static 00:3f:bd:45:5a:b2 vlan 1 interfaces gi1 delete-on-reboot
Example 3—The following example adds a delete-on-timeout static MAC address:
switchxxxxxx(config)# mac address-table static 00:3f:bd:45:5a:b2 vlan 1 interfaces gi1 delete-on-timeout
Example 4—The following example adds a secure MAC address:
switchxxxxxx(config)# mac address-table static 00:3f:bd:45:5a:b2 vlan 1 interfaces gi1 secure
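The User Guidelines give every table entry a type and a time-to-live, and the four examples above each pick one combination. The following Python model is an added illustration, not switch firmware: it builds a table with the entries from Examples 1 to 4 (using distinct MAC addresses so that they coexist) plus one learned address, and shows which entries survive an aging timeout, a reboot, and an attempt to relearn a locked address on another port. Assumptions beyond the page are the event functions themselves, the saved_to_startup flag, that learning does not overwrite a static entry, and that a secure entry is treated as never aged (the page states only that it cannot be relearned).

```python
"""
Model of the two attributes the User Guidelines assign to every MAC address
table entry (type and time-to-live) and of what each combination does when
the aging timer fires, when the switch reboots, and when a frame tries to
relearn an address. Added illustration, not switch firmware. Assumptions
beyond the page: the event functions, the saved_to_startup flag, that
learning does not overwrite a static entry, and that a secure entry is
never aged (the page says only that it cannot be relearned).
"""
from dataclasses import dataclass

TTL_VALUES = ("delete-on-reboot", "delete-on-timeout", "permanent")


@dataclass(frozen=True)
class FdbEntry:
    mac: str
    vlan: int
    port: str
    kind: str   # "static", "secure" or "dynamic"
    ttl: str    # one of TTL_VALUES


def add_static(table, mac, vlan, port, ttl="permanent"):
    """mac address-table static ... [delete-on-reboot | delete-on-timeout | permanent]; default permanent."""
    if ttl not in TTL_VALUES:
        raise ValueError(f"unknown time-to-live {ttl!r}")
    table[(vlan, mac)] = FdbEntry(mac, vlan, port, "static", ttl)


def add_secure(table, mac, vlan, port, port_is_secure):
    """mac address-table static ... secure: allowed only in a secure (locked) port mode."""
    if not port_is_secure:
        raise ValueError("a secure MAC address may be added only in a secure port mode")
    # Assumption: secure entries are never aged, so "permanent" stands in for their time-to-live.
    table[(vlan, mac)] = FdbEntry(mac, vlan, port, "secure", "permanent")


def learn(table, mac, vlan, port):
    """A frame with this source MAC arrived on port (nonsecure learning).

    A secure entry cannot be relearned (page) and a static entry is not
    overwritten either (assumption), so the attempt is refused and the
    existing entry keeps its port: a spoofed source address cannot move a
    locked host to another port."""
    current = table.get((vlan, mac))
    if current is not None and current.kind in ("secure", "static"):
        return False
    table[(vlan, mac)] = FdbEntry(mac, vlan, port, "dynamic", "delete-on-timeout")
    return True


def aging_timer_fires(table):
    """Only delete-on-timeout entries age out: every dynamic entry, and static entries added with that keyword."""
    return {k: e for k, e in table.items() if e.ttl != "delete-on-timeout"}


def reboot(table, saved_to_startup):
    """delete-on-reboot entries are deleted; permanent entries survive only if the
    configuration was saved to the Startup Configuration; learned entries are never
    part of the configuration. Treating delete-on-timeout static entries as not
    surviving is an assumption (the page describes survival only for permanent)."""
    survivors = {}
    for k, e in table.items():
        if e.kind == "dynamic" or e.ttl != "permanent":
            continue
        if saved_to_startup:
            survivors[k] = e
    return survivors


def build_sample_table():
    """Constructed table mirroring the page's Examples 1 to 4 plus one learned address."""
    t = {}
    add_static(t, "00:3f:bd:45:5a:b1", 1, "gi1")                        # Example 1, default permanent
    add_static(t, "00:3f:bd:45:5a:b2", 1, "gi1", "delete-on-reboot")    # Example 2
    add_static(t, "00:3f:bd:45:5a:b3", 1, "gi1", "delete-on-timeout")   # Example 3
    add_secure(t, "00:3f:bd:45:5a:b4", 1, "gi1", port_is_secure=True)   # Example 4
    learn(t, "00:10:60:db:6e:fe", 1, "fa1")                             # dynamic entry
    return t


if __name__ == "__main__":
    t = build_sample_table()
    print("relearn of secure address accepted:", learn(t, "00:3f:bd:45:5a:b4", 1, "fa2"))
    print("after aging:", sorted(e.mac for e in aging_timer_fires(t).values()))
    print("after reboot (config saved):", sorted(e.mac for e in reboot(t, True).values()))
```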
show bridge multicast reserved-address
To show information for all reserved MAC addresses, use the show bridge multicast reserved-address Privileged EXEC mode command.
Syntax
show bridge multicast reserved-address
Command Mode
Privileged EXEC mode
Example
switchxxxxxx# show bridge multicast reserved-address
Reserved mac-address | action
---------------------+---------
01:80:C2:00:00:02 | peer
01:80:C2:00:00:03 | bridge
01:80:C2:00:00:04 | bridge
01:80:C2:00:00:05 | bridge
01:80:C2:00:00:06 | bridge
01:80:C2:00:00:07 | bridge
01:80:C2:00:00:08 | bridge
01:80:C2:00:00:09 | bridge
01:80:C2:00:00:0A | bridge
01:80:C2:00:00:0B | bridge
01:80:C2:00:00:0C | bridge
01:80:C2:00:00:0D | bridge
01:80:C2:00:00:0E | bridge
01:80:C2:00:00:0F | bridge
01:80:C2:00:00:10 | bridge
01:80:C2:00:00:11 | bridge
01:80:C2:00:00:12 | bridge
01:80:C2:00:00:13 | bridge
01:80:C2:00:00:14 | bridge
01:80:C2:00:00:15 | bridge
01:80:C2:00:00:16 | bridge
01:80:C2:00:00:17 | bridge
01:80:C2:00:00:18 | bridge
01:80:C2:00:00:19 | bridge
01:80:C2:00:00:1A | bridge
01:80:C2:00:00:1B | bridge
01:80:C2:00:00:1C | bridge
01:80:C2:00:00:1D | bridge
01:80:C2:00:00:1E | bridge
01:80:C2:00:00:1F | bridge
01:80:C2:00:00:20 | bridge
01:80:C2:00:00:21 | bridge
01:80:C2:00:00:22 | bridge
01:80:C2:00:00:23 | bridge
01:80:C2:00:00:24 | bridge
01:80:C2:00:00:25 | bridge
01:80:C2:00:00:26 | bridge
01:80:C2:00:00:27 | bridge
01:80:C2:00:00:28 | bridge
01:80:C2:00:00:29 | bridge
01:80:C2:00:00:2A | bridge
01:80:C2:00:00:2B | bridge
01:80:C2:00:00:2C | bridge
01:80:C2:00:00:2D | bridge
01:80:C2:00:00:2E | bridge
show mac address-table
To show the entries in the MAC address table, use the show mac address-table Privileged EXEC mode command.
Syntax
show mac address-table [dynamic | static] [interfaces interface-id] [vlan vlan]
show mac address-table [mac-address] [vlan vlan]
Parameters
dynamic—(Optional) Displays only dynamic MAC addresses.
static—(Optional) Displays only static MAC addresses.
interfaces interface-id—(Optional) Displays the entries for a specific interface. The interface can be one of these types: Ethernet port or port channel.
vlan vlan—(Optional) Displays the entries for a specific VLAN.
mac-address—(Optional) Entries for a specific MAC address.
Default Configuration
If no parameters are entered, the entire table is displayed.
Command Mode
Privileged EXEC mode
User Guidelines
Internal usage VLANs that are automatically allocated on the routed ports are presented in the VLAN column by a port number and not by a VLAN ID.
Examples
Example 1—Displays the entire MAC address table:
switchxxxxxx# show mac address-table
VID | MAC Address | Type | Ports
-----+-------------------+--------------+----------------
1 | 00:03:6D:00:01:20 | Management | CPU
1 | 00:10:60:DB:6E:FE | Dynamic | fa1
1 | 10:8C:CF:CD:0C:05 | Dynamic | fa1
Total number of entries: 3
Example 2—Displays the address entries containing the specified MAC address:
switchxxxxxx# show mac address-table 00:3f:bd:45:5a:b1 vlan 1
Aging time is 300 sec
VLAN MAC Address Port Type
-------- ------------------ ------------ ----------
1 00:3f:bd:45:5a:b1 static fa9
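The table printed in Example 1 is what an operator captures when checking which hosts sit behind which port. The following Python parser is an added example, not Cisco code: it reads that pipe-delimited format into records, verifies the row count against the switch's own "Total number of entries" line so a truncated capture is noticed, and runs two checks a defender wants from a snapshot, namely ports holding an unexpected number of dynamic addresses and a MAC address present behind more than one port. SAMPLE_OUTPUT is constructed in the page's output format and the threshold is a parameter.

```python
"""
Parser for the pipe-delimited table that show mac address-table prints,
with two checks over the result: ports that hold many dynamic addresses,
and a MAC address that appears behind more than one port. Added example,
not Cisco code; SAMPLE_OUTPUT is constructed in the page's output format.
"""
import re
from collections import Counter, defaultdict

SAMPLE_OUTPUT = """\
switchxxxxxx# show mac address-table
VID | MAC Address | Type | Ports
-----+-------------------+--------------+----------------
 1 | 00:03:6D:00:01:20 | Management | CPU
 1 | 00:10:60:DB:6E:FE | Dynamic | fa1
 1 | 10:8C:CF:CD:0C:05 | Dynamic | fa1
 1 | 00:3F:BD:45:5A:B1 | Static | fa9
 1 | 00:11:22:33:44:01 | Dynamic | fa3
 1 | 00:11:22:33:44:02 | Dynamic | fa3
 1 | 00:11:22:33:44:03 | Dynamic | fa3
 1 | 00:11:22:33:44:04 | Dynamic | fa3
 20 | 10:8C:CF:CD:0C:05 | Dynamic | fa7
Total number of entries: 9
"""

_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")
_TOTAL_RE = re.compile(r"^Total number of entries:\s*(\d+)$")


def parse_mac_table(text):
    """Return a list of {'vlan', 'mac', 'type', 'port'} dicts.

    Header and separator rows are skipped by shape (a data row has four
    columns and a MAC address in the second). If the switch's own entry
    count is present it is checked against the parsed rows, so a truncated
    capture is reported instead of silently analysed."""
    entries, reported_total = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = _TOTAL_RE.match(line)
        if m:
            reported_total = int(m.group(1))
            continue
        if "|" not in line or line.startswith("-"):
            continue
        cols = [c.strip() for c in line.split("|")]
        if len(cols) != 4 or not _MAC_RE.match(cols[1]):
            continue
        entries.append({"vlan": int(cols[0]), "mac": cols[1].upper(),
                        "type": cols[2], "port": cols[3]})
    if reported_total is not None and reported_total != len(entries):
        raise ValueError(f"parsed {len(entries)} rows but the switch reported {reported_total}")
    return entries


def dynamic_count_per_port(entries):
    """Number of dynamically learned addresses behind each port."""
    return Counter(e["port"] for e in entries if e["type"].lower() == "dynamic")


def ports_over_threshold(entries, limit):
    """Ports with more dynamic addresses than expected for what is attached to them."""
    return sorted(p for p, n in dynamic_count_per_port(entries).items() if n > limit)


def macs_on_multiple_ports(entries):
    """MAC addresses present behind more than one port (the table holds one entry per VLAN, so this spans VLANs)."""
    ports = defaultdict(set)
    for e in entries:
        ports[e["mac"]].add(e["port"])
    return {mac: sorted(p) for mac, p in ports.items() if len(p) > 1}


if __name__ == "__main__":
    rows = parse_mac_table(SAMPLE_OUTPUT)
    print("ports over threshold:", ports_over_threshold(rows, 3))
    print("MACs on several ports:", macs_on_multiple_ports(rows))
```

On the constructed sample, fa3 is reported (four dynamic addresses against a threshold of three) and 10:8C:CF:CD:0C:05 is listed behind both fa1 and fa7; either finding is a cue to compare with the switchport port-security settings of the port concerned.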
show mac address-table aging-time
To show the MAC address aging time, use the show mac address-table aging-time Privileged EXEC mode command.
Syntax
show mac address-table aging-time
Parameters
N/A
Default Configuration
N/A
Command Mode
Privileged EXEC mode
Example
switchxxxxxx# show mac address-table aging-time
Mac Address Table aging time: 300
show port-security
To show the port security status, use the show port-security Privileged EXEC mode command.
Syntax
show port-security interfaces interface-id
Parameters
interfaces interface-id—Specifies an Ethernet interface ID or a list of Ethernet interface IDs.
Default Configuration
N/A
Command Mode
Privileged EXEC mode
Example
switchxxxxxx# show port-security interfaces fa1-10
Port | Mode | Security | CurrentAddr | Action | Trap Freq
---------+---------+---------------+-------------+-------------------+----------
fa1 | Classic | Disabled | 3 | Discard |
fa2 | Classic | Disabled | 0 | Discard |
fa3 | Classic | Disabled | 0 | Discard |
fa4 | Classic | Disabled | 0 | Discard |
fa5 | Classic | Disabled | 0 | Discard |
fa6 | Classic | Disabled | 0 | Discard |
fa7 | Classic | Disabled | 0 | Discard |
fa8 | Classic | Disabled | 0 | Discard |
fa9 | Classic | Disabled | 0 | Discard |
fa10 | Classic | Disabled | 0 | Discard |
The following table describes the significant fields shown in the example:
Field Description
Port The port number.
Mode The learning mode: classic or dynamic.
Security The port security status. The possible values are Enabled or Disabled.
CurrentAddr The number of addresses currently learned.
Action The action taken on violation.
Trap Freq The minimum time interval between consecutive traps.
switchport port-security
To enable the port security on an interface, use the switchport port-security Interface Configuration mode command.
To disable the port security on an interface, use the no form of this command.
Syntax
switchport port-security
no switchport port-security
Parameters
N/A
Default Configuration
The port security is disabled by default.
Command Mode
Interface Configuration mode
Example
switchxxxxxx(config)# interface gi1
switchxxxxxx(config-if)# switchport port-security
switchport port-security mode maximum
To set the port security learning mode and the maximum number of MAC addresses that can be learned on an interface, use the switchport port-security mode maximum Interface Configuration mode command.
To revert to the default settings, use the no form of this command.
Syntax
switchport port-security mode {classic | dynamic} maximum max-addr action {discard | {discard-snmp-log trap-freq seconds} | {discard-snmp-log-shutdown trap-freq seconds} | forward}
no switchport port-security maximum
Parameters
classic—Classic lock. All learned MAC addresses on the port are locked, and the switch learns up to the maximum number of addresses allowed on the port. The learned addresses are not subject to aging or re-learning.