Cisco 3020 - Cisco Catalyst Blade Switch Command Reference Manual

Corporate Headquarters
Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Cisco Catalyst Blade Switch 3020 for HP Command Reference
Cisco IOS Release 12.2(25)SEF June 2006
Text Part Number: OL-8916-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0601R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
Cisco Catalyst Blade Switch 3020 for HP Command Reference
© 2006 Cisco Systems, Inc. All rights reserved.
CONTENTS
Preface
Audience
Purpose
Conventions
Related Publications
Obtaining Documentation
Cisco.com
Product Documentation DVD
Ordering Documentation
Documentation Feedback
Cisco Product Security Overview
Reporting Security Problems in Cisco Products
Obtaining Technical Assistance
Cisco Technical Support & Documentation Website
Submitting a Service Request
Definitions of Service Request Severity
Obtaining Additional Publications and Information
CHAPTER 1 Using the Command-Line Interface
CLI Command Modes
User EXEC Mode
Privileged EXEC Mode
Global Configuration Mode
Interface Configuration Mode
config-vlan Mode
VLAN Configuration Mode
Line Configuration Mode
CHAPTER 2 Cisco Catalyst Blade Switch 3020 for HP Cisco IOS Commands
aaa accounting dot1x
aaa authentication dot1x
aaa authorization network
action
archive download-sw
archive tar
archive upload-sw
auto qos voip
boot boothlpr
boot config-file
boot enable-break
boot helper
boot helper-config-file
boot manual
boot private-config-file
boot system
channel-group
channel-protocol
class
class-map
clear dot1x
clear eap sessions
clear lacp
clear mac address-table
clear mac address-table move update
clear pagp
clear port-security
clear spanning-tree counters
clear spanning-tree detected-protocols
clear vmps statistics
clear vtp counters
define interface-range
delete
deny (MAC access-list configuration)
dot1x
dot1x auth-fail max-attempts
dot1x auth-fail vlan
dot1x control-direction
dot1x critical (global configuration)
dot1x critical (interface configuration)
dot1x default
dot1x guest-vlan
dot1x host-mode
dot1x initialize
dot1x mac-auth-bypass
dot1x max-reauth-req
dot1x max-req
dot1x pae
dot1x port-control
dot1x re-authenticate
dot1x reauthentication
dot1x timeout
duplex
errdisable detect cause
errdisable recovery
exception crashinfo
flowcontrol
interface port-channel
interface range
interface vlan
ip access-group
ip address
ip dhcp snooping
ip dhcp snooping information option
ip dhcp snooping information option allow-untrusted
ip dhcp snooping information option format remote-id
ip dhcp snooping limit rate
ip dhcp snooping trust
ip dhcp snooping verify
ip dhcp snooping vlan
ip dhcp snooping vlan information option format-type circuit-id string
ip igmp filter
ip igmp max-groups
ip igmp profile
ip igmp snooping
ip igmp snooping last-member-query-interval
ip igmp snooping querier
ip igmp snooping report-suppression
ip igmp snooping tcn
ip igmp snooping tcn flood
ip igmp snooping vlan immediate-leave
ip igmp snooping vlan mrouter
ip igmp snooping vlan static
ip ssh
lacp port-priority
lacp system-priority
link state group
link state track
logging event
logging file
mac access-group
mac access-list extended
mac address-table aging-time
mac address-table move update
mac address-table notification
mac address-table static
mac address-table static drop
macro apply
macro description
macro global
macro global description
macro name
match (access-map configuration)
match (class-map configuration)
mdix auto
media-type
mls qos
mls qos aggregate-policer
mls qos cos
mls qos dscp-mutation
mls qos map
mls qos queue-set output buffers
mls qos queue-set output threshold
mls qos rewrite ip dscp
mls qos srr-queue input bandwidth
mls qos srr-queue input buffers
mls qos srr-queue input cos-map
mls qos srr-queue input dscp-map
mls qos srr-queue input priority-queue
mls qos srr-queue input threshold
mls qos srr-queue output cos-map
mls qos srr-queue output dscp-map
mls qos trust
mls qos vlan-based
monitor session
mvr (global configuration)
mvr (interface configuration)
pagp learn-method
pagp port-priority
permit (MAC access-list configuration)
police
police aggregate
policy-map
port-channel load-balance
priority-queue
queue-set
radius-server dead-criteria
radius-server host
remote-span
rmon collection stats
service password-recovery
service-policy
set
setup
setup express
show access-lists
show archive status
show auto qos
show boot
show cable-diagnostics tdr
show class-map
show controllers cpu-interface
show controllers ethernet-controller
show controllers tcam
show controllers utilization
show dot1x
show dtp
show eap
show env
show errdisable detect
show errdisable flap-values
show errdisable recovery
show etherchannel
show flowcontrol
show interfaces
show interfaces counters
show inventory
show ip dhcp snooping
show ip dhcp snooping binding
show ip igmp profile
show ip igmp snooping
show ip igmp snooping groups
show ip igmp snooping mrouter
show ip igmp snooping querier
show lacp
show link state group
show mac access-group
show mac address-table
show mac address-table address
show mac address-table aging-time
show mac address-table count
show mac address-table dynamic
show mac address-table interface
show mac address-table move update
show mac address-table notification
show mac address-table static
show mac address-table vlan
show mls qos
show mls qos aggregate-policer
show mls qos input-queue
show mls qos interface
show mls qos maps
show mls qos queue-set
show mls qos vlan
show monitor
show mvr
show mvr interface
show mvr members
show pagp
show parser macro
show policy-map
show port-security
show setup express
show spanning-tree
show storm-control
show system mtu
show udld
show version
show vlan
show vlan access-map
show vlan filter
show vmps
show vtp
shutdown
shutdown vlan
snmp-server enable traps
snmp-server host
snmp trap mac-notification
spanning-tree backbonefast
spanning-tree bpdufilter
spanning-tree bpduguard
spanning-tree cost
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
spanning-tree guard
spanning-tree link-type
spanning-tree loopguard default
spanning-tree mode
spanning-tree mst configuration
spanning-tree mst cost
spanning-tree mst forward-time
spanning-tree mst hello-time
spanning-tree mst max-age
spanning-tree mst max-hops
spanning-tree mst port-priority
spanning-tree mst pre-standard
spanning-tree mst priority
spanning-tree mst root
spanning-tree port-priority
spanning-tree portfast (global configuration)
spanning-tree portfast (interface configuration)
spanning-tree transmit hold-count
spanning-tree uplinkfast
spanning-tree vlan
speed
srr-queue bandwidth limit
srr-queue bandwidth shape
srr-queue bandwidth share
storm-control
switchport access
switchport backup interface
switchport block
switchport host
switchport mode
switchport nonegotiate
switchport port-security
switchport port-security aging
switchport priority extend
switchport protected
switchport trunk
switchport voice vlan
system mtu
test cable-diagnostics tdr
traceroute mac
traceroute mac ip
trust
udld
udld port
udld reset
vlan (global configuration)
vlan (VLAN configuration)
vlan access-map
vlan database
vlan filter
vmps reconfirm (privileged EXEC)
vmps reconfirm (global configuration)
vmps retry
vmps server
vtp (global configuration)
vtp (VLAN configuration)
APPENDIX A Cisco Catalyst Switch 3020 for HP Boot Loader Commands
boot
cat
copy
delete
dir
flash_init
format
fsck
help
load_helper
memory
mkdir
more
rename
reset
rmdir
set
type
unset
version
APPENDIX B Cisco Catalyst Blade Switch 3020 for HP Debug Commands
debug auto qos
debug backup
debug dot1x
debug dtp
debug eap
debug etherchannel
debug interface
debug ip igmp filter
debug ip igmp max-groups
debug ip igmp snooping
debug lacp
debug mac-notification
debug matm
debug matm move update
debug monitor
debug mvrdbg
debug nvram
debug pagp
debug platform acl
debug platform backup interface
debug platform cpu-queues
debug platform dot1x
debug platform etherchannel
debug platform forw-tcam
debug platform ip dhcp
debug platform ip igmp snooping
debug platform led
debug platform matm
debug platform messaging application
debug platform phy
debug platform pm
debug platform port-asic
debug platform port-security
debug platform qos-acl-tcam
debug platform remote-commands
debug platform resource-manager
debug platform snmp
debug platform span
debug platform supervisor-asic
debug platform sw-bridge
debug platform tcam
debug platform udld
debug platform vlan
debug pm
debug port-security
debug qos-manager
debug spanning-tree
debug spanning-tree backbonefast
debug spanning-tree bpdu
debug spanning-tree bpdu-opt
debug spanning-tree mstp
debug spanning-tree switch
debug spanning-tree uplinkfast
debug sw-vlan
debug sw-vlan ifs
debug sw-vlan notification
debug sw-vlan vtp
debug udld
debug vqpc
APPENDIX C Cisco Catalyst Blade Switch 3020 for HP Show Platform Commands
show platform acl
show platform backup interface
show platform configuration
show platform etherchannel
show platform forward
show platform ip igmp snooping
show platform layer4op
show platform mac-address-table
show platform messaging
show platform monitor
show platform mvr table
show platform pm
show platform port-asic
show platform port-security
show platform qos
show platform resource-manager
show platform snmp counters
show platform spanning-tree
show platform stp-instance
show platform tcam
show platform vlan
INDEX
Preface
Audience
This guide is for the networking professional using the Cisco IOS command-line interface (CLI) to manage the Cisco Catalyst Blade Switch 3020 for HP, hereafter referred to as the switch. Before using this guide, you should have experience working with the Cisco IOS commands and the switch software features, and with the concepts and terminology of Ethernet and local area networking.
Purpose
This guide provides the information that you need about the Layer 2 commands that have been created or changed for use with the switch. For information about the standard Cisco IOS Release 12.2 commands, see the Cisco IOS documentation set available from the Cisco.com home page by selecting Technical Support & Documentation > Cisco IOS Software.
This guide does not provide procedures for configuring your switch. For detailed configuration procedures, see the software configuration guide for this release.
This guide does not describe system messages you might encounter. For more information, see the system message guide for this release.
For documentation updates, see the release notes for this release.
Conventions
This publication uses these conventions to convey instructions and information:
Command descriptions use these conventions:
Commands and keywords are in boldface text.
Arguments for which you supply values are in italic.
Square brackets ([ ]) mean optional elements.
Braces ({ }) group required choices, and vertical bars ( | ) separate the alternative elements.
Braces and vertical bars within square brackets ([{ | }]) mean a required choice within an optional element.
Interactive examples use these conventions:
Terminal sessions and system displays are in screen font.
Information you enter is in boldface screen font.
Nonprinting characters, such as passwords or tabs, are in angle brackets (< >).
Notes, cautions, and warnings use these conventions and symbols:
Note: Means reader take note. Notes contain helpful suggestions or references to materials not contained in this manual.
Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.
Related Publications
These documents provide complete information about the switch and are available from this Cisco.com site:
http://www.cisco.com/en/US/products/ps6748/tsd_products_support_series_home.html
Note: Before installing, configuring, or upgrading the switch, see these documents:
For initial configuration information, see the “Configuring the Switch Module” section in the getting started guide or the “Configuring the Switch with the CLI-Based Setup Program” appendix in the hardware installation guide.
For device manager requirements, see the “System Requirements” section in the release notes (not orderable but available on Cisco.com).
For upgrade information, see the “Downloading Software” section in the release notes.
You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and from the telephone numbers listed in the “Obtaining Documentation” section.
Release Notes for the Cisco Catalyst Blade Switch 3020 for HP (not orderable but available on Cisco.com)
Cisco Catalyst Blade Switch 3020 for HP System Message Guide (not orderable but available on Cisco.com)
Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide (not orderable but available on Cisco.com)
Cisco Catalyst Blade Switch 3020 for HP Command Reference (not orderable but available on Cisco.com)
Device manager online help (available on the switch)
Cisco Catalyst Blade Switch 3020 for HP Hardware Installation Guide (not orderable but available on Cisco.com)
Cisco Catalyst Blade Switch 3020 for HP Getting Started Guide (order number DOC-7817364=)
Regulatory Compliance and Safety Information for the Cisco Catalyst Blade Switch 3020 for HP (order number DOC-7817607=)
Cisco Small Form-Factor Pluggable Modules Installation Notes (order number DOC-7815160=)
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/techsupport
You can access the Cisco website at this URL:
http://www.cisco.com
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml
Product Documentation DVD
The Product Documentation DVD is a comprehensive library of technical product documentation on a portable medium. The DVD enables you to access multiple versions of installation, configuration, and command guides for Cisco hardware and software products. With the DVD, you have access to the same HTML documentation that is found on the Cisco website without being connected to the Internet. Certain products also have .PDF versions of the documentation available.
The Product Documentation DVD is available as a single unit or as a subscription. Registered Cisco.com users (Cisco direct customers) can order a Product Documentation DVD (product number DOC-DOCDVD= or DOC-DOCDVD=SUB) from Cisco Marketplace at this URL:
http://www.cisco.com/go/marketplace/
Ordering Documentation
Registered Cisco.com users may order Cisco documentation at the Product Documentation Store in the Cisco Marketplace at this URL:
http://www.cisco.com/go/marketplace/
Nonregistered Cisco.com users can order technical documentation from 8:00 a.m. to 5:00 p.m. (0800 to 1700) PDT by calling 1 866 463-3487 in the United States and Canada, or elsewhere by calling 011 408 519-5055. You can also order documentation by e-mail at tech-doc-store-mkpl@external.cisco.com or by fax at 1 408 519-5001 in the United States and Canada, or elsewhere at 011 408 519-5001.
Documentation Feedback
You can rate and provide feedback about Cisco technical documents by completing the online feedback form that appears with the technical documents on Cisco.com.
You can submit comments about Cisco documentation by using the response card (if present) behind the front cover of your document or by writing to the following address:
Cisco Systems Attn: Customer Document Ordering 170 West Tasman Drive San Jose, CA 95134-9883
We appreciate your comments.
Cisco Product Security Overview
Cisco provides a free online Security Vulnerability Policy portal at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
From this site, you will find information about how to:
Report security vulnerabilities in Cisco products.
Obtain assistance with security incidents that involve Cisco products.
Register to receive security information from Cisco.
A current list of security advisories, security notices, and security responses for Cisco products is available at this URL:
http://www.cisco.com/go/psirt
To see security advisories, security notices, and security responses as they are updated in real time, you can subscribe to the Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed. Information about how to subscribe to the PSIRT RSS feed is found at this URL:
http://www.cisco.com/en/US/products/products_psirt_rss_feed.html
Reporting Security Problems in Cisco Products
Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you have identified a vulnerability in a Cisco product, contact PSIRT:
For Emergencies only—security-alert@cisco.com
An emergency is either a condition in which a system is under active attack or a condition for which a severe and urgent security vulnerability should be reported. All other conditions are considered nonemergencies.
For Nonemergencies—psirt@cisco.com
In an emergency, you can also reach PSIRT by telephone:
1 877 228-7302
1 408 525-6532
Tip: We encourage you to use Pretty Good Privacy (PGP) or a compatible product (for example, GnuPG) to encrypt any sensitive information that you send to Cisco. PSIRT can work with information that has been encrypted with PGP versions 2.x through 9.x.
Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
The link on this page has the current PGP key ID in use.
If you do not have or use PGP, contact PSIRT at the aforementioned e-mail addresses or phone numbers before sending any sensitive material to find other means of encrypting the data.
Obtaining Technical Assistance
Cisco Technical Support provides 24-hour-a-day award-winning technical assistance. The Cisco Technical Support & Documentation website on Cisco.com features extensive online support resources. In addition, if you have a valid Cisco service contract, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not have a valid Cisco service contract, contact your reseller.
Cisco Technical Support & Documentation Website
The Cisco Technical Support & Documentation website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, at this URL:
http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support & Documentation website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do
Note: Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support & Documentation website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree view; or for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.
Submitting a Service Request
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco engineer. The TAC Service Request Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests, or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447
For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.
Severity 1 (S1)—An existing network is down, or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operations are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3)—Operational performance of the network is impaired, while most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
The Cisco Product Quick Reference Guide is a handy, compact reference tool that includes brief product overviews, key features, sample part numbers, and abbreviated technical specifications for many Cisco products that are sold through channel partners. It is updated twice a year and includes the latest Cisco offerings. To order and find out more about the Cisco Product Quick Reference Guide, go to this URL:
http://www.cisco.com/go/guide
Cisco Marketplace provides a variety of Cisco books, reference guides, documentation, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:
http://www.cisco.com/go/marketplace/
Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:
http://www.ciscopress.com
Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL:
http://www.cisco.com/packet
iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL:
http://www.cisco.com/go/iqmagazine
or view the digital edition at this URL:
http://ciscoiq.texterity.com/ciscoiq/sample/
Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/ipj
Networking products offered by Cisco Systems, as well as customer support services, can be obtained at this URL:
http://www.cisco.com/en/US/products/index.html
Networking Professionals Connection is an interactive website for networking professionals to share questions, suggestions, and information about networking products and technologies with Cisco experts and other networking professionals. Join a discussion at this URL:
http://www.cisco.com/discuss/networking
World-class networking training is available from Cisco. You can view current offerings at this URL:
http://www.cisco.com/en/US/learning/index.html
Chapter 1 Using the Command-Line Interface
The switch is supported by Cisco IOS software. This chapter describes how to use the switch command-line interface (CLI) to configure software features.
For a complete description of the commands that support these features, see Chapter 2, “Cisco Catalyst Blade Switch 3020 for HP Cisco IOS Commands.”
For information on the boot loader commands, see Appendix A, “Cisco Catalyst Switch 3020 for HP Boot Loader Commands.”
For information on the debug commands, see Appendix B, “Cisco Catalyst Blade Switch 3020 for HP Debug Commands.”
For information on the show platform commands, see Appendix C, “Cisco Catalyst Blade Switch 3020 for HP Show Platform Commands.”
For more information on Cisco IOS Release 12.2, see the Cisco IOS Release 12.2 Command Summary.
For task-oriented configuration steps, see the software configuration guide for this release.
In this document, IP refers to IP version 4 (IPv4).
CLI Command Modes
This section describes the CLI command mode structure. Command modes support specific Cisco IOS commands. For example, the interface interface-id command only works when entered in global configuration mode.
These are the main command modes for the switch:
User EXEC
Privileged EXEC
Global configuration
Interface configuration
Config-vlan
VLAN configuration
Line configuration
Table 1-1 lists the main command modes, how to access each mode, the prompt you see in that mode, and how to exit that mode. The prompts listed use the default name Switch.
Table 1-1 Command Modes Summary

Command Mode: User EXEC
Access Method: This is the first level of access. (For the switch) Change terminal settings, perform basic tasks, and list system information.
Prompt: Switch>
Exit or Access Next Mode: Enter the logout command. To enter privileged EXEC mode, enter the enable command.

Command Mode: Privileged EXEC
Access Method: From user EXEC mode, enter the enable command.
Prompt: Switch#
Exit or Access Next Mode: To exit to user EXEC mode, enter the disable command. To enter global configuration mode, enter the configure command.

Command Mode: Global configuration
Access Method: From privileged EXEC mode, enter the configure command.
Prompt: Switch(config)#
Exit or Access Next Mode: To exit to privileged EXEC mode, enter the exit or end command, or press Ctrl-Z. To enter interface configuration mode, enter the interface configuration command.

Command Mode: Interface configuration
Access Method: From global configuration mode, specify an interface by entering the interface command followed by an interface identification.
Prompt: Switch(config-if)#
Exit or Access Next Mode: To exit to privileged EXEC mode, enter the end command, or press Ctrl-Z. To exit to global configuration mode, enter the exit command.

Command Mode: Config-vlan
Access Method: In global configuration mode, enter the vlan vlan-id command.
Prompt: Switch(config-vlan)#
Exit or Access Next Mode: To exit to global configuration mode, enter the exit command. To return to privileged EXEC mode, enter the end command, or press Ctrl-Z.

Command Mode: VLAN configuration
Access Method: From privileged EXEC mode, enter the vlan database command.
Prompt: Switch(vlan)#
Exit or Access Next Mode: To exit to privileged EXEC mode, enter the exit command.

Command Mode: Line configuration
Access Method: From global configuration mode, specify a line by entering the line command.
Prompt: Switch(config-line)#
Exit or Access Next Mode: To exit to global configuration mode, enter the exit command. To return to privileged EXEC mode, enter the end command, or press Ctrl-Z.

User EXEC Mode
After you access the device, you are automatically in user EXEC command mode. The EXEC commands available at the user level are a subset of those available at the privileged level. In general, use the user EXEC commands to temporarily change terminal settings, perform basic tests, and list system information.
The supported commands can vary depending on the version of software in use. To display a comprehensive list of commands, enter a question mark (?) at the prompt.
Switch> ?
Privileged EXEC Mode
Because many of the privileged commands configure operating parameters, privileged access should be password-protected to prevent unauthorized use. The privileged command set includes those commands contained in user EXEC mode, as well as the configure privileged EXEC command through which you access the remaining command modes.
If your system administrator has set a password, you are prompted to enter it before being granted access to privileged EXEC mode. The password does not appear on the screen and is case sensitive.
The privileged EXEC mode prompt is the device name followed by the pound sign (#).
Switch#
Enter the enable command to access privileged EXEC mode:
Switch> enable
Switch#
The supported commands can vary depending on the version of software in use. To display a comprehensive list of commands, enter a question mark (?) at the prompt.
Switch# ?
To return to user EXEC mode, enter the disable privileged EXEC command.
Global Configuration Mode
Global configuration commands apply to features that affect the device as a whole. Use the configure privileged EXEC command to enter global configuration mode. The default is to enter commands from the management console.
When you enter the configure command, a message prompts you for the source of the configuration commands:
Switch# configure
Configuring from terminal, memory, or network [terminal]?
You can specify either the terminal or NVRAM as the source of configuration commands.
This example shows you how to access global configuration mode:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
The supported commands can vary depending on the version of software in use. To display a comprehensive list of commands, enter a question mark (?) at the prompt.
Switch(config)# ?
To exit global configuration command mode and to return to privileged EXEC mode, enter the end or exit command, or press Ctrl-Z.
Interface Configuration Mode
Interface configuration commands modify the operation of the interface. Interface configuration commands always follow a global configuration command, which defines the interface type.
Use the interface interface-id command to access interface configuration mode. The new prompt indicates interface configuration mode.
Switch(config-if)#
The supported commands can vary depending on the version of software in use. To display a comprehensive list of commands, enter a question mark (?) at the prompt.
Switch(config-if)# ?
To exit interface configuration mode and to return to global configuration mode, enter the exit command. To exit interface configuration mode and to return to privileged EXEC mode, enter the end command, or press Ctrl-Z.
config-vlan Mode
Use this mode to configure normal-range VLANs (VLAN IDs 1 to 1005) or, when VTP mode is transparent, to configure extended-range VLANs (VLAN IDs 1006 to 4094). When VTP mode is transparent, the VLAN and VTP configuration is saved in the running configuration file, and you can save it to the switch startup configuration file by using the copy running-config startup-config privileged EXEC command. The configurations of VLAN IDs 1 to 1005 are saved in the VLAN database if VTP is in transparent or server mode. The extended-range VLAN configurations are not saved in the VLAN database.
Enter the vlan vlan-id global configuration command to access config-vlan mode:
Switch(config)# vlan 2000
Switch(config-vlan)#
The supported keywords can vary but are similar to the commands available in VLAN configuration mode. To display a comprehensive list of commands, enter a question mark (?) at the prompt.
Switch(config-vlan)# ?
For extended-range VLANs, all characteristics except the MTU size must remain at the default setting.
To return to global configuration mode, enter exit; to return to privileged EXEC mode, enter end. All the commands except shutdown take effect when you exit config-vlan mode.
VLAN Configuration Mode
You can use the VLAN configuration commands to create or modify VLAN parameters for VLAN IDs 1 to 1005.
Enter the vlan database privileged EXEC command to access VLAN configuration mode:
Switch# vlan database
Switch(vlan)#
The supported commands can vary depending on the version of software in use. To display a comprehensive list of commands, enter a question mark (?) at the prompt.
Switch(vlan)# ?
To return to privileged EXEC mode, enter the abort VLAN configuration command to abandon the proposed database. Otherwise, enter exit to implement the proposed new VLAN database and to return to privileged EXEC mode. When you enter exit or apply, the configuration is saved in the VLAN database; configuration from VLAN configuration mode cannot be saved in the switch configuration file.
Line Configuration Mode
Line configuration commands modify the operation of a terminal line. Line configuration commands always follow a line command, which defines a line number. Use these commands to change terminal parameter settings line-by-line or for a range of lines.
Use the line vty line_number [ending_line_number] command to enter line configuration mode. The new prompt indicates line configuration mode. The following example shows how to enter line configuration mode for virtual terminal line 7:
Switch(config)# line vty 0 7
The supported commands can vary depending on the version of software in use. To display a comprehensive list of commands, enter a question mark (?) at the prompt.
Switch(config-line)# ?
To exit line configuration mode and to return to global configuration mode, use the exit command. To exit line configuration mode and to return to privileged EXEC mode, enter the end command, or press Ctrl-Z.
Chapter 2 Cisco Catalyst Blade Switch 3020 for HP Cisco IOS Commands
aaa accounting dot1x
Use the aaa accounting dot1x global configuration command to enable authentication, authorization, and accounting (AAA) accounting and to create method lists defining specific accounting methods on a per-line or per-interface basis for IEEE 802.1x sessions. Use the no form of this command to disable IEEE 802.1x accounting.
aaa accounting dot1x {name | default} start-stop {broadcast group {name | radius | tacacs+} [group {name | radius | tacacs+} ... ] | group {name | radius | tacacs+} [group {name | radius | tacacs+} ... ]}
no aaa accounting dot1x {name | default}
Syntax Description
name          Name of a server group. This is optional when you enter it after the broadcast group and group keywords.
default       Use the accounting methods that follow as the default list for accounting services.
start-stop    Send a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process. The start accounting record is sent in the background. The requested-user process begins regardless of whether or not the start accounting notice was received by the accounting server.
broadcast     Enable accounting records to be sent to multiple AAA servers and send accounting records to the first server in each group. If the first server is unavailable, the switch uses the list of backup servers to identify the first server.
group         Specify the server group to be used for accounting services. These are valid server group names:
              name—Name of a server group.
              radius—List of all RADIUS hosts.
              tacacs+—List of all TACACS+ hosts.
              The group keyword is optional when you enter it after the broadcast group and group keywords. You can enter more than one optional group keyword.
radius        (Optional) Enable RADIUS authorization.
tacacs+       (Optional) Enable TACACS+ accounting.
Defaults
AAA accounting is disabled.
Command Modes
Global configuration
Command History
Release        Modification
12.2(25)SEF    This command was introduced.
Usage Guidelines
This command requires access to a RADIUS server.
We recommend that you enter the dot1x reauthentication interface configuration command before configuring IEEE 802.1x RADIUS accounting on an interface.
Examples
This example shows how to configure IEEE 802.1x accounting:
Switch(config)# aaa new-model
Switch(config)# aaa accounting dot1x default start-stop group radius
Note: The RADIUS authentication server must be properly configured to accept and log update or watchdog packets from the AAA client.
Related Commands
Command                        Description
aaa authentication dot1x       Specifies one or more AAA methods for use on interfaces running IEEE 802.1x.
aaa new-model                  Enables the AAA access control model. For syntax information, see the Cisco IOS Security Command Reference, Release 12.2 > Authentication, Authorization, and Accounting > Authentication Commands.
dot1x reauthentication         Enables or disables periodic reauthentication.
dot1x timeout reauth-period    Sets the number of seconds between re-authentication attempts.
aaa authentication dot1x
Use the aaa authentication dot1x global configuration command to specify the authentication, authorization, and accounting (AAA) method to use on ports complying with the IEEE 802.1x authentication. Use the no form of this command to disable authentication.
aaa authentication dot1x {default} method1
no aaa authentication dot1x {default}
Syntax Description
default    Use the listed authentication method that follows this argument as the default method when a user logs in.
method1    Enter the group radius keywords to use the list of all RADIUS servers for authentication.
Note: Though other keywords are visible in the command-line help strings, only the default and group radius keywords are supported.
Defaults
No authentication is performed.
Command Modes
Global configuration
Command History
Release        Modification
12.2(25)SEF    This command was introduced.
Usage Guidelines
The method argument identifies the method that the authentication algorithm tries in the given sequence to validate the password provided by the client. The only method that is truly IEEE 802.1x-compliant is the group radius method, in which the client data is validated against a RADIUS authentication server.
If you specify group radius, you must configure the RADIUS server by entering the radius-server host global configuration command.
Use the show running-config privileged EXEC command to display the configured lists of authentication methods.
Examples
This example shows how to enable AAA and how to create an IEEE 802.1x-compliant authentication list. This authentication first tries to contact a RADIUS server. If this action returns an error, the user is not allowed access to the network.
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
You can verify your settings by entering the show running-config privileged EXEC command.
Related Commands
Command                Description
aaa new-model          Enables the AAA access control model. For syntax information, see the Cisco IOS Security Command Reference, Release 12.2 > Authentication, Authorization, and Accounting > Authentication Commands.
show running-config    Displays the current operating configuration. For syntax information, select Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 > File Management Commands > Configuration File Management Commands.
aaa authorization network
Use the aaa authorization network global configuration command to configure the switch to use user-RADIUS authorization for all network-related service requests, such as IEEE 802.1x per-user access control lists (ACLs) or VLAN assignment. Use the no form of this command to disable RADIUS user authorization.
aaa authorization network default group radius
no aaa authorization network default
Syntax Description
default group radius    Use the list of all RADIUS hosts in the server group as the default authorization list.
Defaults
Authorization is disabled.
Command Modes
Global configuration
Command History
Release        Modification
12.2(25)SEF    This command was introduced.
Usage Guidelines
Use the aaa authorization network default group radius global configuration command to allow the switch to download IEEE 802.1x authorization parameters from the RADIUS servers in the default authorization list. The authorization parameters are used by features such as per-user ACLs or VLAN assignment to get parameters from the RADIUS servers.
Use the show running-config privileged EXEC command to display the configured lists of authorization methods.
Examples
This example shows how to configure the switch for user RADIUS authorization for all network-related service requests:
Switch(config)# aaa authorization network default group radius
You can verify your settings by entering the show running-config privileged EXEC command.
Related Commands
Command                Description
show running-config    Displays the current operating configuration. For syntax information, select Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 > File Management Commands > Configuration File Management Commands.
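
The three IEEE 802.1x AAA entries above (accounting, authentication, and authorization) can be checked together against the output of show running-config. The following audit is an added example, not Cisco code and not part of the original manual. Assumptions: the function names, both sample configurations, the interface names, the RADIUS address, and the policy of requiring all three method lists are constructed for illustration.

```python
import re

# Global commands from the three AAA entries above. Treating all of them as
# required is this example's policy assumption, not a rule from the manual.
REQUIRED = {
    "aaa new-model": re.compile(r"^aaa new-model$"),
    "aaa authentication dot1x": re.compile(
        r"^aaa authentication dot1x default group radius$"),
    "aaa authorization network": re.compile(
        r"^aaa authorization network default group radius$"),
    "aaa accounting dot1x": re.compile(
        r"^aaa accounting dot1x \S+ start-stop (broadcast )?group \S+"),
}
USES_RADIUS = re.compile(r"^aaa .*\bgroup radius\b")
RADIUS_HOST = re.compile(r"^radius-server host \S+")


def parse_config(text):
    """Split a running-config into global lines and per-interface stanzas."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip().startswith("!"):
            current = None              # "!" or a blank line closes a stanza
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line[0].isspace() and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit_dot1x_aaa(text):
    """Return sorted findings; an empty list means every check passed."""
    global_lines, interfaces = parse_config(text)
    findings = []
    # Patterns are anchored at line start, so a "no aaa ..." line never
    # counts as the command being configured.
    for name, pattern in REQUIRED.items():
        if not any(pattern.match(l) for l in global_lines):
            findings.append(f"missing: {name}")
    # "group radius" needs a server defined with radius-server host.
    if any(USES_RADIUS.match(l) for l in global_lines) and \
            not any(RADIUS_HOST.match(l) for l in global_lines):
        findings.append("missing: radius-server host")
    # The manual recommends dot1x reauthentication on an interface before
    # 802.1x RADIUS accounting is configured on it.
    if any(REQUIRED["aaa accounting dot1x"].match(l) for l in global_lines):
        for ifname, lines in interfaces.items():
            runs_dot1x = any(l.startswith("dot1x ") for l in lines)
            if runs_dot1x and "dot1x reauthentication" not in lines:
                findings.append(f"{ifname}: dot1x reauthentication not set")
    return sorted(findings)


# Constructed sample: all three method lists plus a RADIUS server.
GOOD_CONFIG = """
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
interface GigabitEthernet0/1
 dot1x port-control auto
 dot1x reauthentication
!
radius-server host 192.0.2.10
"""

# Constructed sample: authorization removed with the no form (as it would
# appear in a change script), no RADIUS server, no reauthentication.
WEAK_CONFIG = """
aaa new-model
aaa authentication dot1x default group radius
no aaa authorization network default
aaa accounting dot1x default start-stop group radius
!
interface GigabitEthernet0/1
 dot1x port-control auto
!
interface GigabitEthernet0/2
 switchport mode access
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, audit_dot1x_aaa(cfg))
```
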
action
Use the action access-map configuration command to set the action for the VLAN access map entry. Use the no form of this command to return to the default setting.
action {drop | forward}
no action
Syntax Description
drop       Drop the packet when the specified conditions are matched.
forward    Forward the packet when the specified conditions are matched.
Defaults
The default action is to forward packets.
Command Modes
Access-map configuration
Command History
Release        Modification
12.2(25)SEF    This command was introduced.
Usage Guidelines
You enter access-map configuration mode by using the vlan access-map global configuration command.
If the action is drop, you should define the access map, including configuring any access control list (ACL) names in match clauses, before applying the map to a VLAN, or all packets could be dropped.
In access-map configuration mode, use the match access-map configuration command to define the match conditions for a VLAN map. Use the action command to set the action that occurs when a packet matches the conditions.
The drop and forward parameters are not used in the no form of the command.
Examples
This example shows how to identify and apply a VLAN access map vmap4 to VLANs 5 and 6 that causes the VLAN to forward an IP packet if the packet matches the conditions defined in access list al2:
Switch(config)# vlan access-map vmap4
Switch(config-access-map)# match ip address al2
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan filter vmap4 vlan-list 5-6
You can verify your settings by entering the show vlan access-map privileged EXEC command.
Related Commands
Command                            Description
access-list {deny | permit}        Configures a standard numbered ACL. For syntax information, select Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 > IP Services Commands.
ip access-list                     Creates a named access list. For syntax information, select Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 > IP Services Commands.
mac access-list extended           Creates a named MAC address access list.
match (class-map configuration)    Defines the match conditions for a VLAN map.
show vlan access-map               Displays the VLAN access maps created on the switch.
vlan access-map                    Creates a VLAN access map.
archive download-sw
Use the archive download-sw privileged EXEC command to download a new image from a TFTP server to the switch and to overwrite or keep the existing image.
archive download-sw {/force-reload | /imageonly | /leave-old-sw | /no-set-boot | /overwrite | /reload | /safe} source-url
Syntax Description
/force-reload    Unconditionally force a system reload after successfully downloading the software image.
/imageonly       Download only the software image but not the HTML files associated with the embedded device manager. The HTML files for the existing version are deleted only if the existing version is being overwritten or removed.
/leave-old-sw    Keep the old software version after a successful download.
/no-set-boot     Do not alter the setting of the BOOT environment variable to point to the new software image after it is successfully downloaded.
/overwrite       Overwrite the software image in flash memory with the downloaded one.
/reload          Reload the system after successfully downloading the image unless the configuration has been changed and not been saved.
/safe            Keep the current software image; do not delete it to make room for the new software image before the new image is downloaded. The current image is deleted after the download.
source-url       The source URL alias for a local or network file system. These options are supported:
                 The syntax for the local flash file system:
                 flash:
                 The syntax for the FTP:
                 ftp:[[//username[:password]@location]/directory]/image-name.tar
                 The syntax for an HTTP server:
                 http://[[username:password]@]{hostname | host-ip}[/directory]/image-name.tar
                 The syntax for a secure HTTP server:
                 https://[[username:password]@]{hostname | host-ip}[/directory]/image-name.tar
                 The syntax for the Remote Copy Protocol (RCP):
                 rcp:[[//username@location]/directory]/image-name.tar
                 The syntax for the TFTP:
                 tftp:[[//location]/directory]/image-name.tar
                 The image-name.tar is the software image to download and install on the switch.
Defaults
The current software image is not overwritten with the downloaded image.
Both the software image and HTML files are downloaded.
The new image is downloaded to the flash: file system.
The BOOT environment variable is changed to point to the new software image on the flash: file system.
Image names are case sensitive; the image file is provided in tar format.
Command Modes
Privileged EXEC
Command History
Release        Modification
12.2(25)SEF    This command was introduced.
Usage Guidelines
The /imageonly option removes the HTML files for the existing image if the existing image is being removed or replaced. Only the Cisco IOS image (without the HTML files) is downloaded.
Using the /safe or /leave-old-sw option can cause the new image download to fail if there is insufficient flash memory. If leaving the software in place prevents the new image from fitting in flash memory due to space constraints, an error results.
If you used the /leave-old-sw option and did not overwrite the old image when you downloaded the new one, you can remove the old image by using the delete privileged EXEC command. For more information, see the “delete” section on page 2-51.
Use the /overwrite option to overwrite the image on the flash device with the downloaded one.
If you specify the command without the /overwrite option, the download algorithm verifies that the new image is not the same as the one on the switch flash device. If the images are the same, the download does not occur. If the images are different, the old image is deleted, and the new one is downloaded.
After downloading a new image, enter the reload privileged EXEC command to begin using the new image, or specify the /reload or /force-reload option in the archive download-sw command.
Examples
This example shows how to download a new image from a TFTP server at 172.20.129.10 and overwrite the image on the switch:
Switch# archive download-sw /overwrite tftp://172.20.129.10/test-image.tar
This example shows how to download only the software image from a TFTP server at 172.20.129.10 to the switch:
Switch# archive download-sw /imageonly tftp://172.20.129.10/test-image.tar
This example shows how to keep the old software version after a successful download:
Switch# archive download-sw /leave-old-sw tftp://172.20.129.10/test-image.tar
Related Commands
Command              Description
archive tar          Creates a tar file, lists the files in a tar file, or extracts the files from a tar file.
archive upload-sw    Uploads an existing image on the switch to a server.
delete               Deletes a file or directory on the flash memory device.
archive tar
Use the archive tar privileged EXEC command to create a tar file, list files in a tar file, or extract the files from a tar file.
archive tar {/create destination-url flash:/file-url} | {/table source-url} | {/xtract source-url flash:/file-url [dir/file...]}
Syntax Description
/create destination-url flash:/file-url
    Create a new tar file on the local or network file system.
    For destination-url, specify the destination URL alias for the local or network file system and the name of the tar file to create. These options are supported:
    The syntax for the local flash filesystem:
    flash:
    The syntax for the FTP:
    ftp:[[//username[:password]@location]/directory]/tar-filename.tar
    The syntax for an HTTP server:
    http://[[username:password]@]{hostname | host-ip}[/directory]/image-name.tar
    The syntax for a secure HTTP server:
    https://[[username:password]@]{hostname | host-ip}[/directory]/image-name.tar
    The syntax for the Remote Copy Protocol (RCP) is:
    rcp:[[//username@location]/directory]/tar-filename.tar
    The syntax for the TFTP:
    tftp:[[//location]/directory]/tar-filename.tar
    The tar-filename.tar is the tar file to be created.
    For flash:/file-url, specify the location on the local flash file system from which the new tar file is created.
    An optional list of files or directories within the source directory can be specified to write to the new tar file. If none are specified, all files and directories at this level are written to the newly created tar file.
/table source-url
    Display the contents of an existing tar file to the screen.
    For source-url, specify the source URL alias for the local or network file system. These options are supported:
    The syntax for the local flash file system:
    flash:
    The syntax for the FTP:
    ftp:[[//username[:password]@location]/directory]/tar-filename.tar
    The syntax for an HTTP server:
    http://[[username:password]@]{hostname | host-ip}[/directory]/image-name.tar
    The syntax for a secure HTTP server:
    https://[[username:password]@]{hostname | host-ip}[/directory]/image-name.tar
    The syntax for the RCP:
    rcp:[[//username@location]/directory]/tar-filename.tar
    The syntax for the TFTP:
    tftp:[[//location]/directory]/tar-filename.tar
    The tar-filename.tar is the tar file to display.
/xtract source-url flash:/file-url [dir/file...]
    Extract files from a tar file to the local file system.
    For source-url, specify the source URL alias for the local file system. These options are supported:
    The syntax for the local flash file system:
    flash:
    The syntax for the FTP:
    ftp:[[//username[:password]@location]/directory]/tar-filename.tar
    The syntax for an HTTP server:
    http://[[username:password]@]{hostname | host-ip}[/directory]/image-name.tar
    The syntax for a secure HTTP server:
    https://[[username:password]@]{hostname | host-ip}[/directory]/image-name.tar
    The syntax for the RCP:
    rcp:[[//username@location]/directory]/tar-filename.tar
    The syntax for the TFTP:
    tftp:[[//location]/directory]/tar-filename.tar
    The tar-filename.tar is the tar file from which to extract.
    For flash:/file-url [dir/file...], specify the location on the local flash file system into which the tar file is extracted. Use the dir/file... option to specify an optional list of files or directories within the tar file to be extracted. If none are specified, all files and directories are extracted.
Defaults
There is no default setting.
Command Modes
Privileged EXEC
Command History
Release        Modification
12.2(25)SEF    This command was introduced.
Usage Guidelines
Filenames and directory names are case sensitive.
Image names are case sensitive.
Examples
This example shows how to create a tar file. The command writes the contents of the new-configs directory on the local flash device to a file named saved.tar on the TFTP server at 172.20.10.30:
Switch# archive tar /create tftp:172.20.10.30/saved.tar flash:/new-configs
This example shows how to display the contents of the cbs30x0-lanbasek9-tar.122-25.SEF.tar file that is in flash memory. The contents of the tar file appear on the screen:
Switch# archive tar /table flash:cbs30x0-lanbase-tar.122-25.SEF.tar
info (219 bytes)
cbs30x0-lanbasek9-mz.122-25.SEF/ (directory)
(610856 bytes)
/info (219 bytes)
info.ver (219 bytes)
This example shows how to display only the cbs30x0-lanbasek9-tar.122-25.SEF/html directory and its contents:
Switch# archive tar /table flash:cbs30x0-lanbasek9-tar.122-25.SEF.tar cbs30x0-lanbasek9-tar.122-25.SEF
cbs30x0-lanbasek9-mz.122-25.SEF/html/ (directory)
cbs30x0-lanbasek9-mz.122-25.SEF/html/const.htm (556 bytes)
cbs30x0-lanbasek9-mz.122-25.SEF/html/xhome.htm (9373 bytes)
cbs30x0-lanbasek9-mz.122-25.SEF/html/menu.css (1654 bytes)
<output truncated>
This example shows how to extract the contents of a tar file on the TFTP server at 172.20.10.30. This command extracts just the new-configs directory into the root directory on the local flash file system. The remaining files in the saved.tar file are ignored.
Switch# archive tar /xtract tftp:/172.20.10.30/saved.tar flash:/ new-configs
Related Commands
Command                Description
archive download-sw    Downloads a new image from a TFTP server to the switch.
archive upload-sw      Uploads an existing image on the switch to a server.
archive upload-sw
Use the archive upload-sw privileged EXEC command to upload an existing switch image to a server.
archive upload-sw [/version version_string] destination-url
Syntax Description
/version version_string    (Optional) Specify the specific version string of the image to be uploaded.
destination-url            The destination URL alias for a local or network file system. These options are supported:
  The syntax for the local flash file system:
    flash:
  The syntax for the FTP:
    ftp:[[//username[:password]@location]/directory]/image-name.tar
  The syntax for an HTTP server:
    http://[[username:password]@]{hostname | host-ip}[/directory]/image-name.tar
  The syntax for a secure HTTP server:
    https://[[username:password]@]{hostname | host-ip}[/directory]/image-name.tar
  The syntax for the Remote Copy Protocol (RCP):
    rcp:[[//username@location]/directory]/image-name.tar
  The syntax for the TFTP:
    tftp:[[//location]/directory]/image-name.tar
  The image-name.tar is the name of the software image to be stored on the server.
Defaults Uploads the currently running image from the flash: file system.
Command Modes Privileged EXEC
Command History
Release        Modification
12.2(25)SEF    This command was introduced.
Usage Guidelines Use the upload feature only if the HTML files associated with the embedded device manager have been installed with the existing image.
The files are uploaded in this sequence: the Cisco IOS image, the HTML files, and info. After these files are uploaded, the software creates the tar file.
Image names are case sensitive.
Examples This example shows how to upload the currently running image to a TFTP server at 172.20.140.2:
Switch# archive upload-sw tftp://172.20.140.2/test-image.tar
Related Commands
Command                Description
archive download-sw    Downloads a new image to the switch.
archive tar            Creates a tar file, lists the files in a tar file, or extracts the files from a tar file.
auto qos voip
Use the auto qos voip interface configuration command to automatically configure quality of service (QoS) for voice over IP (VoIP) within a QoS domain. Use the no form of this command to return to the default setting.
auto qos voip {cisco-phone | cisco-softphone | trust}
no auto qos voip [cisco-phone | cisco-softphone | trust]
Syntax Description
cisco-phone        Identify this port as connected to a Cisco IP Phone, and automatically configure QoS for VoIP. The QoS labels of incoming packets are trusted only when the telephone is detected.
cisco-softphone    Identify this port as connected to a device running the Cisco SoftPhone, and automatically configure QoS for VoIP.
trust              Identify this port as connected to a trusted switch or router, and automatically configure QoS for VoIP. The QoS labels of incoming packets are trusted. For nonrouted ports, the CoS value of the incoming packet is trusted.
Defaults Auto-QoS is disabled on the port.
When auto-QoS is enabled, it uses the ingress packet label to categorize traffic, to assign packet labels, and to configure the ingress and egress queues as shown in Table 2-1.
Table 2-1 Traffic Types, Packet Labels, and Queues
Traffic Type                DSCP      CoS
VoIP Data Traffic           46        5
VoIP Control Traffic        24, 26    3
Routing Protocol Traffic    48        6
STP BPDU Traffic            56        7
Real-Time Video Traffic     34        3
All Other Traffic           –         –
CoS-to-Ingress Queue Map: 2, 3, 4, 5, 6, 7 (queue 2); 0, 1 (queue 1)
CoS-to-Egress Queue Map: 5 (queue 1); 3, 6, 7 (queue 2); 4 (queue 3); 2 (queue 3); 0, 1 (queue 4)
STP = Spanning Tree Protocol. BPDU = bridge protocol data unit. DSCP = Differentiated Services Code Point. CoS = class of service.
Table 2-2 shows the generated auto-QoS configuration for the ingress queues.
Table 2-2 Auto-QoS Configuration for the Ingress Queues
Ingress Queue    Queue Number    CoS-to-Queue Map    Queue Weight (Bandwidth)    Queue (Buffer) Size
SRR shared       1               0, 1                81 percent                  67 percent
Priority         2               2, 3, 4, 5, 6, 7    19 percent                  33 percent
SRR = shaped round robin. Ingress queues support shared mode only.
Table 2-3 shows the generated auto-QoS configuration for the egress queues.
Table 2-3 Auto-QoS Configuration for the Egress Queues
Egress Queue         Queue Number    CoS-to-Queue Map    Queue Weight (Bandwidth)    Queue (Buffer) Size for Gigabit-Capable Ports    Queue (Buffer) Size for 10/100 Ethernet Ports
Priority (shaped)    1               5                   10 percent                  16 percent                                       10 percent
SRR shared           2               3, 6, 7             10 percent                  6 percent                                        10 percent
SRR shared           3               2, 4                60 percent                  17 percent                                       26 percent
SRR shared           4               0, 1                20 percent                  61 percent                                       54 percent
Command Modes Interface configuration
Command History
Release        Modification
12.2(25)SEF    This command was introduced.
Usage Guidelines Use this command to configure the QoS appropriate for VoIP traffic within the QoS domain. The QoS domain includes the switch, the interior of the network, and edge devices that can classify incoming traffic for QoS.
Auto-QoS configures the switch for VoIP with Cisco IP Phones on switch and routed ports and for VoIP with devices running the Cisco SoftPhone application. These releases support only Cisco IP SoftPhone Version 1.3(3) or later. Connected devices must use Cisco Call Manager Version 4 or later.
To take advantage of the auto-QoS defaults, you should enable auto-QoS before you configure other QoS commands. You can fine-tune the auto-QoS configuration after you enable auto-QoS.
Note The switch applies the auto-QoS-generated commands as if the commands were entered from the command-line interface (CLI). An existing user configuration can cause the application of the generated commands to fail or to be overridden by the generated commands. These actions occur without warning. If all the generated commands are successfully applied, any user-entered configuration that was not overridden remains in the running configuration. Any user-entered configuration that was overridden can be retrieved by reloading the switch without saving the current configuration to memory. If the generated commands fail to be applied, the previous running configuration is restored.
If this is the first port on which you have enabled auto-QoS, the auto-QoS-generated global configuration commands are executed followed by the interface configuration commands. If you enable auto-QoS on another port, only the auto-QoS-generated interface configuration commands for that port are executed.
When you enable the auto-QoS feature on the first port, these automatic actions occur:
QoS is globally enabled (mls qos global configuration command), and other global configuration commands are added.
When you enter the auto qos voip cisco-phone interface configuration command on a port at the edge of the network that is connected to a Cisco IP Phone, the switch enables the trusted boundary feature. The switch uses the Cisco Discovery Protocol (CDP) to detect the presence or absence of a Cisco IP Phone. When a Cisco IP Phone is detected, the ingress classification on the port is set to trust the QoS label received in the packet. When a Cisco IP Phone is absent, the ingress classification is set to not trust the QoS label in the packet. The switch configures ingress and egress queues on the port according to the settings in Table 2-2 and Table 2-3.
When you enter the auto qos voip cisco-softphone interface configuration command on a port at the edge of the network that is connected to a device running the Cisco SoftPhone, the switch uses policing to decide whether a packet is in or out of profile and to specify the action on the packet. If the packet does not have a DSCP value of 24, 26, or 46 or is out of profile, the switch changes the DSCP value to 0. The switch configures ingress and egress queues on the port according to the settings in Table 2-2 and Table 2-3.
When you enter the auto qos voip trust interface configuration command on a port connected to the interior of the network, the switch trusts the CoS value for nonrouted ports in ingress packets (the assumption is that traffic has already been classified by other edge devices). The switch configures the ingress and egress queues on the port according to the settings in Table 2-2 and Table 2-3.
You can enable auto-QoS on static, dynamic-access, voice VLAN access, and trunk ports. When enabling auto-QoS with a Cisco IP Phone on a routed port, you must assign a static IP address to the IP phone.
Note When a device running Cisco SoftPhone is connected to a switch or routed port, the switch supports only one Cisco SoftPhone application per port.
After auto-QoS is enabled, do not modify a policy map or aggregate policer that includes AutoQoS in its name. If you need to modify the policy map or aggregate policer, make a copy of it, and change the copied policy map or policer. To use the new policy map instead of the generated one, remove the generated policy map from the interface, and apply the new policy map.
To display the QoS configuration that is automatically generated when auto-QoS is enabled, enable debugging before you enable auto-QoS. Use the debug auto qos privileged EXEC command to enable auto-QoS debugging. For more information, see the debug auto qos command.
To disable auto-QoS on a port, use the no auto qos voip interface configuration command. Only the auto-QoS-generated interface configuration commands for this port are removed. If this is the last port on which auto-QoS is enabled and you enter the no auto qos voip command, auto-QoS is considered disabled even though the auto-QoS-generated global configuration commands remain (to avoid disrupting traffic on other ports affected by the global configuration). You can use the no mls qos global configuration command to disable the auto-QoS-generated global configuration commands. With QoS disabled, there is no concept of trusted or untrusted ports because the packets are not modified (the CoS, DSCP, and IP precedence values in the packet are not changed). Traffic is switched in pass-through mode (packets are switched without any rewrites and classified as best effort without any policing).
Examples This example shows how to enable auto-QoS and to trust the QoS labels received in incoming packets when the switch or router connected to the port is a trusted device:
Switch(config)# interface gigabitethernet0/21
Switch(config-if)# auto qos voip trust
You can verify your settings by entering the show auto qos interface interface-id privileged EXEC command.
Related Commands
Command                                   Description
debug auto qos                            Enables debugging of the auto-QoS feature.
mls qos cos                               Defines the default CoS value of a port or assigns the default CoS to all incoming packets on the port.
mls qos map {cos-dscp dscp1 ... dscp8 | dscp-cos dscp-list to cos}    Defines the CoS-to-DSCP map or the DSCP-to-CoS map.
mls qos queue-set output buffers          Allocates buffers to a queue-set.
mls qos srr-queue input bandwidth         Assigns shaped round robin (SRR) weights to an ingress queue.
mls qos srr-queue input buffers           Allocates the buffers between the ingress queues.
mls qos srr-queue input cos-map           Maps CoS values to an ingress queue or maps CoS values to a queue and to a threshold ID.
mls qos srr-queue input dscp-map          Maps DSCP values to an ingress queue or maps DSCP values to a queue and to a threshold ID.
mls qos srr-queue input priority-queue    Configures the ingress priority queue and guarantees bandwidth.
mls qos srr-queue output cos-map          Maps CoS values to an egress queue or maps CoS values to a queue and to a threshold ID.
mls qos srr-queue output dscp-map         Maps DSCP values to an egress queue or maps DSCP values to a queue and to a threshold ID.
mls qos trust                             Configures the port trust state.
queue-set                                 Maps a port to a queue-set.
show auto qos                             Displays auto-QoS information.
show mls qos interface                    Displays QoS information at the port level.
srr-queue bandwidth shape                 Assigns the shaped weights and enables bandwidth shaping on the four egress queues mapped to a port.
srr-queue bandwidth share                 Assigns the shared weights and enables bandwidth sharing on the four egress queues mapped to a port.
boot boothlpr
Use the boot boothlpr global configuration command to load a special Cisco IOS image, which when loaded into memory, can load a second Cisco IOS image into memory and launch it. This variable is used only for internal development and testing. Use the no form of this command to return to the default setting.
boot boothlpr filesystem:/file-url
no boot boothlpr
Syntax Description
filesystem:    Alias for a flash file system. Use flash: for the system board flash device.
/file-url      The path (directory) and name of a bootable helper image.
Defaults No helper image is loaded.
Command Modes Global configuration
Command History
Release        Modification
12.2(25)SEF    This command was introduced.
Usage Guidelines Filenames and directory names are case sensitive.
This command changes the setting of the BOOTHLPR environment variable. For more information, see Appendix A, “Cisco Catalyst Switch 3020 for HP Boot Loader Commands.”
Related Commands
Command        Description
show boot      Displays the settings of the boot environment variables.
boot config-file
Use the boot config-file global configuration command to specify the filename that Cisco IOS uses to read and write a nonvolatile copy of the system configuration. Use the no form of this command to return to the default setting.
boot config-file flash:/file-url
no boot config-file
Syntax Description
flash:/file-url    The path (directory) and name of the configuration file.
Defaults The default configuration file is flash:config.text.
Command Modes Global configuration
Command History
Release        Modification
12.2(25)SEF    This command was introduced.
Usage Guidelines Filenames and directory names are case sensitive.
This command changes the setting of the CONFIG_FILE environment variable. For more information, see Appendix A, “Cisco Catalyst Switch 3020 for HP Boot Loader Commands.”
Related Commands
Command        Description
show boot      Displays the settings of the boot environment variables.
boot enable-break
Use the boot enable-break global configuration command to enable interrupting the automatic boot process. Use the no form of this command to return to the default setting.
boot enable-break
no boot enable-break
Syntax Description This command has no arguments or keywords.
Defaults Disabled. The automatic boot process cannot be interrupted by pressing the Break key on the console.
Command Modes Global configuration
Command History
Release        Modification
12.2(25)SEF    This command was introduced.
Usage Guidelines When you enter this command, you can interrupt the automatic boot process by pressing the Break key on the console after the flash file system is initialized.
Note Despite the setting of this command, you can interrupt the automatic boot process at any time by pressing the MODE button on the switch front panel.
This command changes the setting of the ENABLE_BREAK environment variable. For more information, see Appendix A, “Cisco Catalyst Switch 3020 for HP Boot Loader Commands.”
Related Commands
Command        Description
show boot      Displays the settings of the boot environment variables.
boot helper
Use the boot helper global configuration command to dynamically load files during boot loader initialization to extend or patch the functionality of the boot loader. Use the no form of this command to return to the default.
boot helper filesystem:/file-url ...
no boot helper
Syntax Description
filesystem:    Alias for a flash file system. Use flash: for the system board flash device.
/file-url      The path (directory) and a list of loadable files to dynamically load during loader initialization. Separate each image name with a semicolon.
Defaults No helper files are loaded.
Command Modes Global configuration
Command History
Release        Modification
12.2(25)SEF    This command was introduced.
Usage Guidelines This variable is used only for internal development and testing.
Filenames and directory names are case sensitive.
This command changes the setting of the HELPER environment variable. For more information, see Appendix A, “Cisco Catalyst Switch 3020 for HP Boot Loader Commands.”
Related Commands
Command        Description
show boot      Displays the settings of the boot environment variables.
boot helper-config-file
Use the boot helper-config-file global configuration command to specify the name of the configuration file to be used by the Cisco IOS helper image. If this is not set, the file specified by the CONFIG_FILE environment variable is used by all versions of Cisco IOS that are loaded. Use the no form of this command to return to the default setting.
boot helper-config-file filesystem:/file-url
no boot helper-config-file
Syntax Description
filesystem:    Alias for a flash file system. Use flash: for the system board flash device.
/file-url      The path (directory) and helper configuration file to load.
Defaults No helper configuration file is specified.
Command Modes Global configuration
Command History
Release        Modification
12.2(25)SEF    This command was introduced.
Usage Guidelines This variable is used only for internal development and testing.
Filenames and directory names are case sensitive.
This command changes the setting of the HELPER_CONFIG_FILE environment variable. For more information, see Appendix A, “Cisco Catalyst Switch 3020 for HP Boot Loader Commands.”
Related Commands
Command        Description
show boot      Displays the settings of the boot environment variables.
boot manual
Use the boot manual global configuration command to enable manually booting the switch during the next boot cycle. Use the no form of this command to return to the default setting.
boot manual
no boot manual
Syntax Description This command has no arguments or keywords.
Defaults Manual booting is disabled.
Command Modes Global configuration
Command History
Release        Modification
12.2(25)SEF    This command was introduced.
Usage Guidelines The next time you reboot the system, the switch is in boot loader mode, which is shown by the switch: prompt. To boot the system, use the boot boot loader command, and specify the name of the bootable image.
This command changes the setting of the MANUAL_BOOT environment variable. For more information, see Appendix A, “Cisco Catalyst Switch 3020 for HP Boot Loader Commands.”
Related Commands
Command        Description
show boot      Displays the settings of the boot environment variables.
boot private-config-file
Use the boot private-config-file global configuration command to specify the filename that Cisco IOS uses to read and write a nonvolatile copy of the private configuration. Use the no form of this command to return to the default setting.
boot private-config-file filename
no boot private-config-file
Syntax Description
filename       The name of the private configuration file.
Defaults The default configuration file is private-config.
Command Modes Global configuration
Command History
Release        Modification
12.2(25)SEF    This command was introduced.
Usage Guidelines Filenames are case sensitive.
Examples This example shows how to specify the name of the private configuration file to be pconfig:
Switch(config)# boot private-config-file pconfig
Related Commands
Command        Description
show boot      Displays the settings of the boot environment variables.
boot system
Use the boot system global configuration command to specify the Cisco IOS image to load during the next boot cycle. Use the no form of this command to return to the default setting.
boot system filesystem:/file-url ...
no boot system
Syntax Description
filesystem:    Alias for a flash file system. Use flash: for the system board flash device.
/file-url      The path (directory) and name of a bootable image. Separate image names with a semicolon.
Defaults The switch attempts to automatically boot the system by using information in the BOOT environment variable. If this variable is not set, the switch attempts to load and execute the first executable image it can by performing a recursive, depth-first search throughout the flash file system. In a depth-first search of a directory, each encountered subdirectory is completely searched before continuing the search in the original directory.
Command Modes Global configuration
Command History
Release        Modification
12.2(25)SEF    This command was introduced.
Usage Guidelines Filenames and directory names are case sensitive.
If you are using the archive download-sw privileged EXEC command to maintain system images, you never need to use the boot system command. The boot system command is automatically manipulated to load the downloaded image.
This command changes the setting of the BOOT environment variable. For more information, see Appendix A, “Cisco Catalyst Switch 3020 for HP Boot Loader Commands.”
Related Commands
Command        Description
show boot      Displays the settings of the boot environment variables.
channel-group
Use the channel-group interface configuration command to assign an Ethernet port to an EtherChannel group, to enable an EtherChannel mode, or both. Use the no form of this command to remove an Ethernet port from an EtherChannel group.
channel-group channel-group-number mode {active | {auto [non-silent]} | {desirable [non-silent]} | on | passive}
no channel-group
PAgP modes:
channel-group channel-group-number mode {{auto [non-silent]} | {desirable [non-silent]}}
LACP modes:
channel-group channel-group-number mode {active | passive}
On mode:
channel-group channel-group-number mode on
Syntax Description
channel-group-number    Specify the channel group number. The range is 1 to 48.
mode                    Specify the EtherChannel mode.
active                  Unconditionally enable Link Aggregation Control Protocol (LACP). Active mode places a port into a negotiating state in which the port initiates negotiations with other ports by sending LACP packets. A channel is formed with another port group in either the active or passive mode.
auto                    Enable the Port Aggregation Protocol (PAgP) only if a PAgP device is detected. Auto mode places a port into a passive negotiating state in which the port responds to PAgP packets it receives but does not start PAgP packet negotiation. A channel is formed only with another port group in desirable mode. When auto is enabled, silent operation is the default.
desirable               Unconditionally enable PAgP. Desirable mode places a port into an active negotiating state in which the port starts negotiations with other ports by sending PAgP packets. An EtherChannel is formed with another port group that is in the desirable or auto mode. When desirable is enabled, silent operation is the default.
non-silent              (Optional) Use in PAgP mode with the auto or desirable keyword when traffic is expected from the other device.
on                      Enable on mode. In on mode, a usable EtherChannel exists only when both connected port groups are in the on mode.
passive                 Enable LACP only if an LACP device is detected. Passive mode places a port into a negotiating state in which the port responds to received LACP packets but does not initiate LACP packet negotiation. A channel is formed only with another port group in active mode.
Defaults No channel groups are assigned.
No mode is configured.
Command Modes Interface configuration
Command History
Release        Modification
12.2(25)SEF    This command was introduced.
Usage Guidelines For Layer 2 EtherChannels, you do not have to create a port-channel interface first by using the interface port-channel global configuration command before assigning a physical port to a channel group. Instead, you can use the channel-group interface configuration command. It automatically creates the port-channel interface when the channel group gets its first physical port if the logical interface is not already created. If you create the port-channel interface first, the channel-group-number can be the same as the port-channel-number, or you can use a new number. If you use a new number, the channel-group command dynamically creates a new port channel.
After you configure an EtherChannel, configuration changes that you make on the port-channel interface apply to all the physical ports assigned to the port-channel interface. Configuration changes applied to the physical port affect only the port where you apply the configuration. To change the parameters of all ports in an EtherChannel, apply configuration commands to the port-channel interface, for example, spanning-tree commands or commands to configure a Layer 2 EtherChannel as a trunk.
If you do not specify non-silent with the auto or desirable mode, silent is assumed. The silent mode is used when the switch is connected to a device that is not PAgP-capable and seldom, if ever, sends packets. An example of a silent partner is a file server or a packet analyzer that is not generating traffic. In this case, running PAgP on a physical port prevents that port from ever becoming operational. However, it allows PAgP to operate, to attach the port to a channel group, and to use the port for transmission. Both ends of the link cannot be set to silent.
In the on mode, an EtherChannel exists only when a port group in the on mode is connected to another port group in the on mode.
Caution You should use care when using the on mode. This is a manual configuration, and ports on both ends of the EtherChannel must have the same configuration. If the group is misconfigured, packet loss or spanning-tree loops can occur.
Do not configure an EtherChannel in both the PAgP and LACP modes. EtherChannel groups running PAgP and LACP can coexist on the same switch. Individual EtherChannel groups can run either PAgP or LACP, but they cannot interoperate.
If you set the protocol by using the channel-protocol interface configuration command, the setting is not overridden by the channel-group interface configuration command.
Do not configure a port that is an active or a not-yet-active member of an EtherChannel as an IEEE 802.1x port. If you try to enable IEEE 802.1x authentication on an EtherChannel port, an error message appears, and IEEE 802.1x authentication is not enabled.
Do not configure a secure port as part of an EtherChannel or an EtherChannel port as a secure port.
For a complete list of configuration guidelines, see the “Configuring EtherChannels” chapter in the software configuration guide for this release.
Examples This example shows how to configure an EtherChannel. It assigns two static-access ports in VLAN 10 to channel 5 with the PAgP mode desirable:
Switch# configure terminal
Switch(config)# interface range gigabitethernet0/21 -22
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# channel-group 5 mode desirable
Switch(config-if-range)# end
This example shows how to configure an EtherChannel. It assigns two static-access ports in VLAN 10 to channel 5 with the LACP mode active:
Switch# configure terminal
Switch(config)# interface range gigabitethernet0/21 -22
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# channel-group 5 mode active
Switch(config-if-range)# end
You can verify your settings by entering the show running-config privileged EXEC command.
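The mode descriptions and the caution about on mode reduce to a small compatibility rule that can be checked offline before a change window. The following is an added example, not part of the Cisco manual: it audits two constructed switch configurations link by link. The function names, the sample configurations and the link pairing are assumptions; the conflict checks match the literal IOS commands switchport port-security and dot1x port-control auto.

```python
import re

# Negotiation protocol implied by each channel-group mode keyword.
PROTOCOL = {"auto": "pagp", "desirable": "pagp",
            "active": "lacp", "passive": "lacp", "on": "on"}
LABEL = {"pagp": "PAgP", "lacp": "LACP"}
# desirable and active start negotiation; auto and passive only respond.
INITIATORS = {"desirable", "active"}
# Features the usage guidelines say must not be combined with channel membership.
CONFLICTS = [(r"switchport port-security$", "port security"),
             (r"dot1x port-control auto$", "IEEE 802.1x")]
IFACE_RE = re.compile(r"interface\s+(\S+)", re.I)
GROUP_RE = re.compile(r"channel-group\s+(\d+)\s+mode\s+(\S+)")


def channel_forms(local, remote):
    """Return (forms, reason) for the modes configured on the two ends of a link."""
    for mode in (local, remote):
        if mode not in PROTOCOL:
            raise ValueError(f"unknown EtherChannel mode: {mode!r}")
    pl, pr = PROTOCOL[local], PROTOCOL[remote]
    if "on" in (pl, pr):
        if pl == pr:
            return True, "static channel, no negotiation"
        return False, "on mode only forms a channel with on mode"
    if pl != pr:
        return False, "PAgP and LACP do not interoperate"
    if local in INITIATORS or remote in INITIATORS:
        return True, f"{LABEL[pl]} negotiated"
    return False, f"neither end starts {LABEL[pl]} negotiation"


def parse_members(config_text):
    """Map lower-cased interface name -> group, mode and conflicting features."""
    stanzas, current = {}, None
    for line in config_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1).lower()
            stanzas[current] = []
        elif current and line[:1].isspace():
            stanzas[current].append(line.strip().lower())
        else:
            current = None  # "!" or any other top-level line ends the stanza
    members = {}
    for iface, body in stanzas.items():
        for cmd in body:
            g = GROUP_RE.match(cmd)
            if g:
                hits = [label for pat, label in CONFLICTS
                        if any(re.match(pat, c) for c in body)]
                members[iface] = {"group": int(g.group(1)),
                                  "mode": g.group(2), "conflicts": hits}
    return members


def audit_links(cfg_a, cfg_b, links):
    """links is a list of (interface on A, interface on B); returns findings."""
    a, b = parse_members(cfg_a), parse_members(cfg_b)
    findings = []
    for ia, ib in links:
        ma, mb = a.get(ia.lower()), b.get(ib.lower())
        if ma is None and mb is None:
            continue  # plain link, not part of any EtherChannel
        if ma is None or mb is None:
            findings.append(f"{ia}<->{ib}: only one end is a channel member")
            continue
        ok, reason = channel_forms(ma["mode"], mb["mode"])
        if not ok:
            findings.append(f"{ia}<->{ib}: no channel "
                            f"({ma['mode']}/{mb['mode']}): {reason}")
        elif ma["mode"] == "on":
            findings.append(f"{ia}<->{ib}: on/on, compare both ends by hand "
                            "(misconfiguration can cause loops)")
    for name, members in (("A", a), ("B", b)):
        for iface, m in members.items():
            for feature in m["conflicts"]:
                findings.append(f"switch {name} {iface}: channel member "
                                f"also configured for {feature}")
    return findings


# Constructed sample configurations, not taken from a real device.
SWITCH_A = """
interface GigabitEthernet0/21
 switchport access vlan 10
 channel-group 5 mode desirable
!
interface GigabitEthernet0/22
 channel-group 5 mode desirable
!
interface GigabitEthernet0/23
 channel-group 6 mode passive
!
interface GigabitEthernet0/24
 switchport port-security
 channel-group 7 mode on
"""
SWITCH_B = """
interface GigabitEthernet0/1
 channel-group 1 mode auto
!
interface GigabitEthernet0/2
 channel-group 1 mode active
!
interface GigabitEthernet0/3
 channel-group 2 mode passive
!
interface GigabitEthernet0/4
 channel-group 3 mode on
"""
LINKS = [("GigabitEthernet0/21", "GigabitEthernet0/1"),
         ("GigabitEthernet0/22", "GigabitEthernet0/2"),
         ("GigabitEthernet0/23", "GigabitEthernet0/3"),
         ("GigabitEthernet0/24", "GigabitEthernet0/4")]

if __name__ == "__main__":
    for finding in audit_links(SWITCH_A, SWITCH_B, LINKS):
        print(finding)
```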
Related Commands
Command                   Description
channel-protocol          Restricts the protocol used on a port to manage channeling.
interface port-channel    Accesses or creates the port channel.
show etherchannel         Displays EtherChannel information for a channel.
show lacp                 Displays LACP channel-group information.
show pagp                 Displays PAgP channel-group information.
show running-config       Displays the current operating configuration. For syntax information, select Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 > File Management Commands > Configuration File Management Commands.
channel-protocol
Use the channel-protocol interface configuration command to restrict the protocol used on a port to manage channeling. Use the no form of this command to return to the default setting.
channel-protocol {lacp | pagp}
no channel-protocol
Syntax Description
lacp    Configure an EtherChannel with the Link Aggregation Control Protocol (LACP).
pagp    Configure an EtherChannel with the Port Aggregation Protocol (PAgP).
Defaults No protocol is assigned to the EtherChannel.
Command Modes Interface configuration
Command History
Release        Modification
12.2(25)SEF    This command was introduced.
Usage Guidelines Use the channel-protocol command only to restrict a channel to LACP or PAgP. If you set the protocol by using the channel-protocol command, the setting is not overridden by the channel-group interface configuration command.
You must use the channel-group interface configuration command to configure the EtherChannel parameters. The channel-group command also can set the mode for the EtherChannel.
You cannot enable both the PAgP and LACP modes on an EtherChannel group.
PAgP and LACP are not compatible; both ends of a channel must use the same protocol.
Examples This example shows how to specify LACP as the protocol that manages the EtherChannel:
Switch(config-if)# channel-protocol lacp
You can verify your settings by entering the show etherchannel [channel-group-number] protocol privileged EXEC command.
Related Commands
Command                       Description
channel-group                 Assigns an Ethernet port to an EtherChannel group.
show etherchannel protocol    Displays protocol information for the EtherChannel.
class
Use the class policy-map configuration command to define a traffic classification match criteria (through the police, set, and trust policy-map class configuration commands) for the specified class-map name. Use the no form of this command to delete an existing class map.
class class-map-name
no class class-map-name
Syntax Description
class-map-name Name of the class map.
Defaults No policy map class-maps are defined.
Command Modes Policy-map configuration
Command History
Release Modification
12.2(25)SEF This command was introduced.
Usage Guidelines Before using the class command, you must use the policy-map global configuration command to identify the policy map and to enter policy-map configuration mode. After specifying a policy map, you can configure a policy for new classes or modify a policy for any existing classes in that policy map. You attach the policy map to a port by using the service-policy interface configuration command.
After entering the class command, you enter policy-map class configuration mode, and these configuration commands are available:
exit: exits policy-map class configuration mode and returns to policy-map configuration mode.
no: returns a command to its default setting.
police: defines a policer or aggregate policer for the classified traffic. The policer specifies the bandwidth limitations and the action to take when the limits are exceeded. For more information, see the police and police aggregate policy-map class commands.
set: specifies a value to be assigned to the classified traffic. For more information, see the set command.
trust: defines a trust state for traffic classified with the class or the class-map command. For more information, see the trust command.
To return to policy-map configuration mode, use the exit command. To return to privileged EXEC mode, use the end command.
The class command performs the same function as the class-map global configuration command. Use the class command when a new classification, which is not shared with any other ports, is needed. Use the class-map command when the map is shared among many ports.
Examples This example shows how to create a policy map called policy1. When attached to the ingress direction, it matches all the incoming traffic defined in class1, sets the IP Differentiated Services Code Point (DSCP) to 10, and polices the traffic at an average rate of 1 Mbps and bursts at 20 KB. Traffic exceeding the profile is marked down to a DSCP value obtained from the policed-DSCP map and then sent.
Switch(config)# policy-map policy1
Switch(config-pmap)# class class1
Switch(config-pmap-c)# set dscp 10
Switch(config-pmap-c)# police 1000000 20000 exceed-action policed-dscp-transmit
Switch(config-pmap-c)# exit
You can verify your settings by entering the show policy-map privileged EXEC command.
Related Commands
Command Description
class-map Creates a class map to be used for matching packets to the class whose name you specify.
police Defines a policer for classified traffic.
policy-map Creates or modifies a policy map that can be attached to multiple ports to specify a service policy.
set Classifies IP traffic by setting a DSCP or IP-precedence value in the packet.
show policy-map Displays quality of service (QoS) policy maps.
trust Defines a trust state for the traffic classified through the class policy-map configuration command or the class-map global configuration command.
class-map
Use the class-map global configuration command to create a class map to be used for matching packets to the class name you specify and to enter class-map configuration mode. Use the no form of this command to delete an existing class map and to return to global configuration mode.
class-map [match-all | match-any] class-map-name
no class-map [match-all | match-any] class-map-name
Syntax Description
match-all (Optional) Perform a logical-AND of all matching statements under this class map. All criteria in the class map must be matched.
match-any (Optional) Perform a logical-OR of the matching statements under this class map. One or more criteria must be matched.
class-map-name Name of the class map.
Defaults No class maps are defined.
If neither the match-all nor the match-any keyword is specified, the default is match-all.
Command Modes Global configuration
Command History
Release Modification
12.2(25)SEF This command was introduced.
Usage Guidelines Use this command to specify the name of the class for which you want to create or modify class-map match criteria and to enter class-map configuration mode.
The class-map command and its subcommands are used to define packet classification, marking, and aggregate policing as part of a globally named service policy applied on a per-port basis.
After you are in quality of service (QoS) class-map configuration mode, these configuration commands are available:
description: describes the class map (up to 200 characters). The show class-map privileged EXEC command displays the description and the name of the class-map.
exit: exits from QoS class-map configuration mode.
match: configures classification criteria. For more information, see the match (class-map configuration) command.
no: removes a match statement from a class map.
rename: renames the current class map. If you rename a class map with a name that is already used, the message A class-map with this name already exists appears.
To define packet classification on a physical-port basis, only one match command per class map is supported. In this situation, the match-all and match-any keywords are equivalent.
Only one access control list (ACL) can be configured in a class map. The ACL can have multiple access control entries (ACEs).
Examples This example shows how to configure the class map called class1 with one match criterion, which is an access list called 103:
Switch(config)# access-list 103 permit ip any any dscp 10
Switch(config)# class-map class1
Switch(config-cmap)# match access-group 103
Switch(config-cmap)# exit
This example shows how to delete the class map class1:
Switch(config)# no class-map class1
You can verify your settings by entering the show class-map privileged EXEC command.
Related Commands
Command Description
class Defines a traffic classification match criteria (through the police, set, and trust policy-map class configuration commands) for the specified class-map name.
match (class-map configuration) Defines the match criteria to classify traffic.
policy-map Creates or modifies a policy map that can be attached to multiple ports to specify a service policy.
show class-map Displays QoS class maps.
clear dot1x
Use the clear dot1x privileged EXEC command to clear IEEE 802.1x information for the switch or for the specified port.
clear dot1x {all | interface interface-id}
Syntax Description
all Clear all IEEE 802.1x information for the switch.
interface interface-id Clear IEEE 802.1x information for the specified interface.
Defaults No default is defined.
Command Modes Privileged EXEC
Command History
Release Modification
12.2(25)SEE This command was introduced.
12.2(25)SEF This command was introduced.
Usage Guidelines You can clear all the information by using the clear dot1x all command, or you can clear only the information for the specified interface by using the clear dot1x interface interface-id command.
Examples This example shows how to clear all IEEE 802.1x information:
Switch# clear dot1x all
This example shows how to clear IEEE 802.1x information for the specified interface:
Switch# clear dot1x interface gigabitethernet0/21
You can verify that the information was deleted by entering the show dot1x privileged EXEC command.
Related Commands
Command Description
show dot1x Displays IEEE 802.1x statistics, administrative status, and operational status for the switch or for the specified port.
clear eap sessions
Use the clear eap sessions privileged EXEC command to clear Extensible Authentication Protocol (EAP) session information for the switch or for the specified port.
clear eap sessions [credentials name [interface interface-id] | interface interface-id | method name | transport name] [credentials name | interface interface-id | transport name] ...
Syntax Description
credentials name Clear EAP credential information for the specified profile.
interface interface-id Clear EAP information for the specified interface.
method name Clear EAP information for the specified method.
transport name Clear EAP transport information for the specified lower level.
Defaults No default is defined.
Command Modes Privileged EXEC
Command History
Release Modification
12.2(25)SEE This command was introduced.
Usage Guidelines You can clear all counters by using the clear eap sessions command, or you can clear only the specific information by using the keywords.
Examples This example shows how to clear all EAP information:
Switch# clear eap sessions
This example shows how to clear EAP-session credential information for the specified profile:
Switch# clear eap sessions credentials type1
You can verify that the information was deleted by entering the show dot1x privileged EXEC command.
Related Commands
Command Description
show eap Displays EAP registration and session information for the switch or for the specified port.
clear lacp
Use the clear lacp privileged EXEC command to clear Link Aggregation Control Protocol (LACP) channel-group counters.
clear lacp {channel-group-number counters | counters}
Syntax Description
channel-group-number (Optional) Channel group number. The range is 1 to 48.
counters Clear traffic counters.
Defaults No default is defined.
Command Modes Privileged EXEC
Command History
Release Modification
12.2(25)SEF This command was introduced.
Usage Guidelines You can clear all counters by using the clear lacp counters command, or you can clear only the counters for the specified channel group by using the clear lacp channel-group-number counters command.
Examples This example shows how to clear all channel-group information:
Switch# clear lacp counters
This example shows how to clear LACP traffic counters for group 4:
Switch# clear lacp 4 counters
You can verify that the information was deleted by entering the show lacp counters or the show lacp 4 counters privileged EXEC command.
Related Commands
Command Description
show lacp Displays LACP channel-group information.
clear mac address-table
Use the clear mac address-table privileged EXEC command to delete from the MAC address table a specific dynamic address, all dynamic addresses on a particular interface, or all dynamic addresses on a particular VLAN. This command also clears the MAC address notification global counters.
clear mac address-table {dynamic [address mac-addr | interface interface-id | vlan vlan-id] | notification}
Syntax Description
dynamic Delete all dynamic MAC addresses.
dynamic address mac-addr (Optional) Delete the specified dynamic MAC address.
dynamic interface interface-id (Optional) Delete all dynamic MAC addresses on the specified physical port or port channel.
dynamic vlan vlan-id (Optional) Delete all dynamic MAC addresses for the specified VLAN. The range is 1 to 4094.
notification Clear the notifications in the history table and reset the counters.
Defaults No default is defined.
Command Modes Privileged EXEC
Command History
Release Modification
12.2(25)SEF This command was introduced.
Examples This example shows how to remove a specific MAC address from the dynamic address table:
Switch# clear mac address-table dynamic address 0008.0070.0007
You can verify that the information was deleted by entering the show mac address-table privileged EXEC command.
Related Commands
Command Description
mac address-table notification Enables the MAC address notification feature.
show mac address-table Displays the MAC address table static and dynamic entries.
show mac address-table notification Displays the MAC address notification settings for all interfaces or the specified interface.
snmp trap mac-notification Enables the Simple Network Management Protocol (SNMP) MAC address notification trap on a specific interface.
clear mac address-table move update
Use the clear mac address-table move update privileged EXEC command to clear the mac address-table-move update-related counters.
clear mac address-table move update
Syntax Description This command has no arguments or keywords.
Defaults No default is defined.
Command Modes Privileged EXEC
Command History
Release Modification
12.2(25)SEF This command was introduced.
Examples This example shows how to clear the mac address-table move update related counters.
Switch# clear mac address-table move update
You can verify that the information was cleared by entering the show mac address-table move update privileged EXEC command.
Related Commands
Command Description
mac address-table move update {receive | transmit} Configures MAC address-table move update on the switch.
show mac address-table move update Displays the MAC address-table move update information on the switch.
clear pagp
Use the clear pagp privileged EXEC command to clear Port Aggregation Protocol (PAgP) channel-group information.
clear pagp {channel-group-number counters | counters}
Syntax Description
channel-group-number (Optional) Channel group number. The range is 1 to 48.
counters Clear traffic counters.
Defaults No default is defined.
Command Modes Privileged EXEC
Command History
Release Modification
12.2(25)SEF This command was introduced.
Usage Guidelines You can clear all counters by using the clear pagp counters command, or you can clear only the counters for the specified channel group by using the clear pagp channel-group-number counters command.
Examples This example shows how to clear all channel-group information:
Switch# clear pagp counters
This example shows how to clear PAgP traffic counters for group 10:
Switch# clear pagp 10 counters
You can verify that information was deleted by entering the show pagp privileged EXEC command.
Related Commands
Command Description
show pagp Displays PAgP channel-group information.
clear port-security
Use the clear port-security privileged EXEC command to delete from the MAC address table all secure addresses or all secure addresses of a specific type (configured, dynamic, or sticky) on the switch or on an interface.
clear port-security {all | configured | dynamic | sticky} [[address mac-addr | interface interface-id] [vlan {vlan-id | {access | voice}}]]
Syntax Description
all Delete all secure MAC addresses.
configured Delete configured secure MAC addresses.
dynamic Delete secure MAC addresses auto-learned by hardware.
sticky Delete secure MAC addresses, either auto-learned or configured.
address mac-addr (Optional) Delete the specified dynamic secure MAC address.
interface interface-id (Optional) Delete all the dynamic secure MAC addresses on the specified physical port or VLAN.
vlan (Optional) Delete the specified secure MAC address from the specified VLAN. Enter one of these options after you enter the vlan keyword:
vlan-id—On a trunk port, specify the VLAN ID of the VLAN on which this address should be cleared.
access—On an access port, clear the specified secure MAC address on the access VLAN.
voice—On an access port, clear the specified secure MAC address on the voice VLAN.
Note The voice keyword is available only if voice VLAN is configured on a port and if that port is not the access VLAN.
Defaults No default is defined.
Command Modes Privileged EXEC
Command History
Release Modification
12.2(25)SEF This command was introduced.
Examples This example shows how to clear all secure addresses from the MAC address table:
Switch# clear port-security all
This example shows how to remove a specific configured secure address from the MAC address table:
Switch# clear port-security configured address 0008.0070.0007
This example shows how to remove all the dynamic secure addresses learned on a specific interface:
Switch# clear port-security dynamic interface gigabitethernet0/21
This example shows how to remove all the dynamic secure addresses from the address table:
Switch# clear port-security dynamic
You can verify that the information was deleted by entering the show port-security privileged EXEC command.
Related Commands
Command Description
switchport port-security Enables port security on an interface.
switchport port-security mac-address mac-address Configures secure MAC addresses.
switchport port-security maximum value Configures a maximum number of secure MAC addresses on a secure interface.
show port-security Displays the port security settings defined for an interface or for the switch.
clear spanning-tree counters
Use the clear spanning-tree counters privileged EXEC command to clear the spanning-tree counters.
clear spanning-tree counters [interface interface-id]
Syntax Description
interface interface-id (Optional) Clear all spanning-tree counters on the specified interface. Valid interfaces include physical ports, VLANs, and port channels. The VLAN range is 1 to 4094. The port-channel range is 1 to 48.
Defaults No default is defined.
Command Modes Privileged EXEC
Command History
Release Modification
12.2(25)SEF This command was introduced.
Usage Guidelines If the interface-id is not specified, spanning-tree counters are cleared for all interfaces.
Examples This example shows how to clear spanning-tree counters for all interfaces:
Switch# clear spanning-tree counters
Related Commands
Command Description
show spanning-tree Displays spanning-tree state information.
clear spanning-tree detected-protocols
Use the clear spanning-tree detected-protocols privileged EXEC command to restart the protocol migration process (force the renegotiation with neighboring switches) on all interfaces or on the specified interface.
clear spanning-tree detected-protocols [interface interface-id]
Syntax Description
interface interface-id (Optional) Restart the protocol migration process on the specified interface. Valid interfaces include physical ports, VLANs, and port channels. The VLAN range is 1 to 4094. The port-channel range is 1 to 48.
Defaults No default is defined.
Command Modes Privileged EXEC
Command History
Release Modification
12.2(25)SEF This command was introduced.
Usage Guidelines A switch running the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol or the Multiple Spanning Tree Protocol (MSTP) supports a built-in protocol migration mechanism that enables it to interoperate with legacy IEEE 802.1D switches. If a rapid-PVST+ switch or an MSTP switch receives a legacy IEEE 802.1D configuration bridge protocol data unit (BPDU) with the protocol version set to 0, it sends only IEEE 802.1D BPDUs on that port. A multiple spanning-tree (MST) switch can also detect that a port is at the boundary of a region when it receives a legacy BPDU, an MST BPDU (Version 3) associated with a different region, or a rapid spanning-tree (RST) BPDU (Version 2).
However, the switch does not automatically revert to the rapid-PVST+ or the MSTP mode if it no longer receives IEEE 802.1D BPDUs because it cannot learn whether the legacy switch has been removed from the link unless the legacy switch is the designated switch. Use the clear spanning-tree detected-protocols command in this situation.
Examples This example shows how to restart the protocol migration process on a port:
Switch# clear spanning-tree detected-protocols interface gigabitethernet0/1
Related Commands
Command Description
show spanning-tree Displays spanning-tree state information.
spanning-tree link-type Overrides the default link-type setting and enables rapid spanning-tree changes to the forwarding state.
clear vmps statistics
Use the clear vmps statistics privileged EXEC command to clear the statistics maintained by the VLAN Query Protocol (VQP) client.
clear vmps statistics
Syntax Description This command has no arguments or keywords.
Defaults No default is defined.
Command Modes Privileged EXEC
Command History
Release Modification
12.2(25)SEF This command was introduced.
Examples This example shows how to clear VLAN Membership Policy Server (VMPS) statistics:
Switch# clear vmps statistics
You can verify that information was deleted by entering the show vmps statistics privileged EXEC command.
Related Commands
Command Description
show vmps Displays the VQP version, reconfirmation interval, retry count, VMPS IP addresses, and the current and primary servers.
clear vtp counters
Use the clear vtp counters privileged EXEC command to clear the VLAN Trunking Protocol (VTP) and pruning counters.
clear vtp counters
Syntax Description This command has no arguments or keywords.
Defaults No default is defined.
Command Modes Privileged EXEC
Command History
Release Modification
12.2(25)SEF This command was introduced.
Examples This example shows how to clear the VTP counters:
Switch# clear vtp counters
You can verify that information was deleted by entering the show vtp counters privileged EXEC command.
Related Commands
Command Description
show vtp Displays general information about the VTP management domain, status, and counters.
define interface-range
Use the define interface-range global configuration command to create an interface-range macro. Use the no form of this command to delete the defined macro.
define interface-range macro-name interface-range
no define interface-range macro-name interface-range
Syntax Description
macro-name Name of the interface-range macro; up to 32 characters.
interface-range Interface range; for valid values for interface ranges, see “Usage Guidelines.”
Defaults This command has no default setting.
Command Modes Global configuration
Command History
Release Modification
12.2(25)SEF This command was introduced.
Usage Guidelines The macro name is a character string of up to 32 characters.
A macro can contain up to five ranges.
All interfaces in a range must be the same type; that is, all Gigabit Ethernet ports, all EtherChannel ports, or all VLANs, but you can combine multiple interface types in a macro.
When entering the interface-range, use this format:
type {first-interface} - {last-interface}
You must add a space between the first interface number and the hyphen when entering an interface-range. For example, gigabitethernet 0/1 - 2 is a valid range; gigabitethernet 0/1-2 is not a valid range.
Valid values for type and interface:
vlan vlan-id, where the VLAN ID is 1 to 4094
VLAN interfaces must have been configured with the interface vlan command (the show running-config privileged EXEC command displays the configured VLAN interfaces). VLAN interfaces not displayed by the show running-config command cannot be used in interface-ranges.
port-channel port-channel-number, where port-channel-number is from 1 to 48
gigabitethernet module/{first port} - {last port}
For physical interfaces:
module is always 0.
the range is type 0/number - number (for example, gigabitethernet 0/1 - 2).
When you define a range, you must enter a space before the hyphen (-), for example:
gigabitethernet0/1 - 2
You can also enter multiple ranges. When you define multiple ranges, you must enter a space after the first entry before the comma (,). The space after the comma is optional, for example:
gigabitethernet0/3, gigabitethernet 0/6 - 7
gigabitethernet0/3 -4, gigabitethernet 0/6 - 7
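The format rules above can be checked before a macro is pushed to a switch. The following pre-deployment lint is an added example, not part of the Cisco reference; the function names check_range and check_macro are hypothetical, and it checks only the rules stated in these usage guidelines (it cannot confirm that a VLAN interface is actually configured).

```python
import re

# Numeric limits quoted in the usage guidelines above.
LIMITS = {"vlan": (1, 4094), "port-channel": (1, 48)}

# type, optional "module/", first number, optional "<gap>- last".
RANGE_RE = re.compile(
    r"^(?P<type>gigabitethernet|port-channel|vlan)\s*"
    r"(?:(?P<module>\d+)/)?(?P<first>\d+)"
    r"(?:(?P<gap>\s*)-\s*(?P<last>\d+))?$"
)


def check_range(entry):
    """Return the problems found in one range entry (empty list means valid)."""
    m = RANGE_RE.match(entry.strip().lower())
    if m is None:
        return ["unrecognised interface range"]
    problems = []
    kind = m["type"]
    # The guidelines require a space between the first number and the hyphen.
    if m["last"] is not None and m["gap"] == "":
        problems.append("missing space before hyphen")
    if kind == "gigabitethernet":
        # For physical interfaces the module is always 0.
        if m["module"] != "0":
            problems.append("module must be 0")
    else:
        if m["module"] is not None:
            problems.append(f"{kind} takes no module number")
        low, high = LIMITS[kind]
        for number in (m["first"], m["last"]):
            if number is not None and not low <= int(number) <= high:
                problems.append(f"{kind} number {number} outside {low} to {high}")
    return problems


def check_macro(name, ranges):
    """Validate a 'define interface-range <name> <ranges>' argument pair."""
    problems = []
    if not 1 <= len(name) <= 32:
        problems.append("macro name must be 1 to 32 characters")
    entries = [entry.strip() for entry in ranges.split(",")]
    if len(entries) > 5:
        problems.append("a macro can contain up to five ranges")
    for entry in entries:
        problems += [f"{entry}: {p}" for p in check_range(entry)]
    return problems


if __name__ == "__main__":
    # Constructed inputs: two taken from the text above, one deliberately wrong.
    for name, ranges in [
        ("macro1", "gigabitethernet0/1 - 2"),
        ("macro1", "gigabitethernet0/3 -4, gigabitethernet 0/6 - 7"),
        ("uplinks", "gigabitethernet 0/1-2, vlan 1 - 4095"),
    ]:
        print(name, ranges, "->", check_macro(name, ranges) or "ok")
```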
Examples This example shows how to create a multiple-interface macro:
Switch(config)# define interface-range macro1 gigabitethernet0/1 - 2
Related Commands
Command Description
interface range Executes a command on multiple ports at the same time.
show running-config Displays the current operating configuration, including defined macros. For syntax information, select Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 > File Management Commands > Configuration File Management Commands.
delete
Use the delete privileged EXEC command to delete a file or directory on the flash memory device.
delete [/force] [/recursive] filesystem:/file-url
Syntax Description
/force (Optional) Suppress the prompt that confirms the deletion.
/recursive (Optional) Delete the named directory and all subdirectories and the files contained in it.
filesystem: Alias for a flash file system. The syntax for the local flash file system: flash:
/file-url The path (directory) and filename to delete.
Command Modes Privileged EXEC
Command History
Release Modification
12.2(25)SEF This command was introduced.
Usage Guidelines If you use the /force keyword, you are prompted once at the beginning of the deletion process to confirm the deletion.
If you use the /recursive keyword without the /force keyword, you are prompted to confirm the deletion of every file.
The prompting behavior depends on the setting of the file prompt global configuration command. By default, the switch prompts for confirmation on destructive file operations. For more information about this command, see the Cisco IOS Command Reference for Release 12.1.
Examples This example shows how to remove the directory that contains the old software image after a successful download of a new image:
Switch# delete /force /recursive flash:/old-image
You can verify that the directory was removed by entering the dir filesystem: privileged EXEC command.
Related Commands
Command Description
archive download-sw Downloads a new image to the switch and overwrites or keeps the existing image.
deny (MAC access-list configuration)
Use the deny MAC access-list configuration command to prevent non-IP traffic from being forwarded if the conditions are matched. Use the no form of this command to remove a deny condition from the named MAC access list.
{deny | permit} {any | host src-MAC-addr | src-MAC-addr mask} {any | host dst-MAC-addr |
dst-MAC-addr mask} [type mask | aarp | amber | cos cos | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | lsap lsap mask |mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp]
no {deny | permit} {any | host src-MAC-addr | src-MAC-addr mask} {
any | host dst-MAC-addr | dst-MAC-addr mask} [type mask | aarp | amber | cos cos | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | lsap lsap mask | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp]
Syntax Description any Keyword to specify to deny any source or destination MAC address.
host src MAC-addr |
src-MAC-addr mask
Define a host MAC address and optional subnet mask. If the source address for a packet matches the defined address, non-IP traffic from that address is denied.
host dst-MAC-addr | dst-MAC-addr mask
Define a destination MAC address and optional subnet mask. If the destination address for a packet matches the defined address, non-IP traffic to that address is denied.
type mask (Optional) Use the Ethertype number of a packet with Ethernet II or
SNAP encapsulation to identify the protocol of the packet.
The type is 0 to 65535, specified in hexadecimal.
The mask is a mask of don’t care bits applied to the Ethertype before testing for a match.
aarp (Optional) Select Ethertype AppleTalk Address Resolution Protocol that
maps a data-link address to a network address.
amber (Optional) Select EtherType DEC-Amber.
cos
cos (Optional) Select a class of service (CoS) number from 0 to 7 to set
priority. Filtering on CoS can be performed only in hardware. A warning message reminds the user if the cos option is configured.
dec-spanning (Optional) Select EtherType Digital Equipment Corporation (DEC)
spanning tree.
decnet-iv (Optional) Select EtherType DECnet Phase IV protocol.
diagnostic (Optional) Select EtherType DEC-Diagnostic.
dsm (Optional) Select EtherType DEC-DSM.
etype-6000 (Optional) Select EtherType 0x6000.
etype-8042 (Optional) Select EtherType 0x8042.
lat (Optional) Select EtherType DEC-LAT.
lavc-sca (Optional) Select EtherType DEC-LAVC-SCA.
2-53
Cisco Catalyst Blade Switch 3020 for HP Command Reference
OL-8916-01
Chapter 2 Cisco Catalyst Blade Switch 3020 for HP Cisco IOS Commands
deny (MAC access-list configuration)
Note Though visible in the command-line help strings, appletalk is not supported as a matching condition.
To filter IPX traffic, you use the type mask or lsap lsap mask keywords, depending on the type of IPX encapsulation being used. Filter criteria for IPX encapsulation types as specified in Novell terminology and Cisco IOS terminology are listed in Table 2- 4 .
Defaults This command has no defaults. However; the default action for a MAC-named ACL is to deny.
Command Modes MAC-access list configuration
Command History
lsap lsap-number mask (Optional) Use the LSAP number (0 to 65535) of a packet with 802.2
encapsulation to identify the protocol of the packet.
mask is a mask of don’t care bits applied to the LSAP number before testing for a match.
mop-console (Optional) Select EtherType DEC-MOP Remote Console.
mop-dump (Optional) Select EtherType DEC-MOP Dump.
msdos (Optional) Select EtherType DEC-MSDOS.
mumps (Optional) Select EtherType DEC-MUMPS.
netbios (Optional) Select EtherType DEC- Network Basic Input/Output System
(NETBIOS).
vines-echo (Optional) Select EtherType Virtual Integrated Network Service (VINES)
Echo from Banyan Systems.
vines-ip (Optional) Select EtherType VINES IP.
xns-idp (Optional) Select EtherType Xerox Network Systems (XNS) protocol
suite (0 to 65535), an arbitrary Ethertype in decimal, hexadecimal, or octal.
Table 2-4 IPX Filtering Criteria
IPX Encapsulation Type
Cisco IOS Name   Novell Name      Filter Criterion
arpa             Ethernet II      Ethertype 0x8137
snap             Ethernet-snap    Ethertype 0x8137
sap              Ethernet 802.2   LSAP 0xE0E0
novell-ether     Ethernet 802.3   LSAP 0xFFFF
Release Modification
12.2(25)SEF This command was introduced.
Usage Guidelines You enter MAC-access list configuration mode by using the mac access-list extended global
configuration command.
If you use the host keyword, you cannot enter an address mask; if you do not use the host keyword, you must enter an address mask.
When an access control entry (ACE) is added to an access control list, an implied deny-any-any condition exists at the end of the list. That is, if there are no matches, the packets are denied. However, before the first ACE is added, the list permits all packets.
For more information about named MAC extended access lists, see the software configuration guide for this release.
Examples This example shows how to define the named MAC extended access list to deny NETBIOS traffic from
any source to MAC address 00c0.00a0.03fa. Traffic matching this list is denied.
Switch(config-ext-macl)# deny any host 00c0.00a0.03fa netbios
This example shows how to remove the deny condition from the named MAC extended access list:
Switch(config-ext-macl)# no deny any 00c0.00a0.03fa 0000.0000.0000 netbios
This example denies all packets with Ethertype 0x4321:
Switch(config-ext-macl)# deny any any 0x4321 0
You can verify your settings by entering the show access-lists privileged EXEC command.
Related Commands Command Description
mac access-list extended Creates an access list based on MAC addresses for non-IP traffic.
permit (MAC access-list configuration) Permits non-IP traffic to be forwarded if conditions are matched.
show access-lists Displays access control lists configured on a switch.
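The matching rules stated for this command (don't-care masks, the host keyword, the permit-all behavior of an empty list, and the implied deny-any-any), modeled in Python as an added example. This is not Cisco code: LSAP matching is left out, first-match ordering is assumed, and the class, function, and constant names are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# (value, don't-care mask). A set mask bit means "ignore this bit"; mask 0 is an exact match.
Rule = Optional[Tuple[int, int]]   # None stands for the "any" keyword


def mac_to_int(mac: str) -> int:
    """Convert Cisco dotted notation (00c0.00a0.03fa) to a 48-bit integer."""
    return int(mac.replace(".", ""), 16)


def host(mac: str) -> Tuple[int, int]:
    """The host keyword: an address with no don't-care bits, so no mask is entered."""
    return (mac_to_int(mac), 0)


def masked(mac: str, mask: str) -> Tuple[int, int]:
    """An address followed by an explicit address mask (required without host)."""
    return (mac_to_int(mac), mac_to_int(mask))


def wildcard_match(value: int, rule: Rule) -> bool:
    """Compare only the bits that the mask does not mark as don't-care."""
    if rule is None:
        return True
    want, dont_care = rule
    return (value & ~dont_care) == (want & ~dont_care)


@dataclass
class Ace:
    action: str             # "deny" or "permit"
    src: Rule
    dst: Rule
    ethertype: Rule = None  # None: the ACE carries no type/mask condition


def evaluate(acl: List[Ace], src: str, dst: str, ethertype: int) -> str:
    """Return the action the list applies to one non-IP frame."""
    if not acl:
        return "permit"     # before the first ACE is added, the list permits all packets
    s, d = mac_to_int(src), mac_to_int(dst)
    for ace in acl:         # assumption: the first matching ACE decides
        if (wildcard_match(s, ace.src) and wildcard_match(d, ace.dst)
                and wildcard_match(ethertype, ace.ethertype)):
            return ace.action
    return "deny"           # implied deny-any-any at the end of a non-empty list


# "deny any any 0x4321 0", the example from this command's Examples section.
DENY_ONLY = [Ace("deny", None, None, (0x4321, 0))]
# The same list followed by "permit any any" so other non-IP traffic still passes.
DENY_THEN_PERMIT = DENY_ONLY + [Ace("permit", None, None)]

# Constructed frame: IPX in Ethernet II (arpa) encapsulation, Ethertype 0x8137 per Table 2-4.
IPX_FRAME = ("0000.0c12.3456", "00c0.00a0.03fa", 0x8137)

if __name__ == "__main__":
    print("empty list:        ", evaluate([], *IPX_FRAME))
    print("deny 0x4321 only:  ", evaluate(DENY_ONLY, *IPX_FRAME))
    print("deny then permit:  ", evaluate(DENY_THEN_PERMIT, *IPX_FRAME))
```

A list that holds only deny entries blocks every frame the list is applied to, because the first ACE also activates the implied deny-any-any.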
dot1x
Use the dot1x global configuration command to globally enable IEEE 802.1x authentication. Use the no form of this command to return to the default setting.
dot1x {critical {eapol | recovery delay milliseconds} | system-auth-control}
no dot1x {credentials | critical {eapol | recovery delay} | system-auth-control}
Note Though visible in the command-line help strings, the credentials name keywords are not supported.
Syntax Description
Defaults IEEE 802.1x authentication is disabled.
Command Modes Global configuration
Command History
Usage Guidelines You must enable authentication, authorization, and accounting (AAA) and specify the authentication
method list before globally enabling IEEE 802.1x authentication. A method list describes the sequence and authentication methods to be used to authenticate a user.
Before globally enabling IEEE 802.1x authentication on a switch, remove the EtherChannel configuration from the interfaces on which IEEE 802.1x authentication and EtherChannel are configured.
If you are using a device running the Cisco Access Control Server (ACS) application for IEEE 802.1x authentication with EAP-Transparent LAN Services (TLS) and with EAP-MD5, make sure that the device is running ACS Version 3.2.1 or later.
Examples This example shows how to globally enable IEEE 802.1x authentication on a switch:
Switch(config)# dot1x system-auth-control
You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.
critical {eapol | recovery delay milliseconds} Configure the inaccessible authentication bypass parameters. For more information, see the dot1x critical (global configuration) command.
system-auth-control Enable IEEE 802.1x authentication globally on the switch.
Release Modification
12.2(25)SEF This command was introduced.
Related Commands Command Description
dot1x critical (global configuration) Configures the parameters for the inaccessible authentication bypass feature on the switch.
dot1x guest-vlan Enables and specifies an active VLAN as an IEEE 802.1x guest VLAN.
dot1x port-control Enables manual control of the authorization state of the port.
show dot1x [interface interface-id] Displays IEEE 802.1x status for the specified port.
dot1x auth-fail max-attempts
Use the dot1x auth-fail max-attempts interface configuration command to configure the maximum allowable authentication attempts before a port is moved to the restricted VLAN. To return to the default setting, use the no form of this command.
dot1x auth-fail max-attempts max-attempts
no dot1x auth-fail max-attempts
Syntax Description
Defaults The default value is 3 attempts.
Command Modes Interface configuration
Command History
Usage Guidelines If you reconfigure the maximum number of authentication attempts allowed by the VLAN, the change
takes effect after the re-authentication timer expires.
Examples This example shows how to set 2 as the maximum number of authentication attempts allowed before the
port is moved to the restricted VLAN on port 23:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet0/23
Switch(config-if)# dot1x auth-fail max-attempts 2
Switch(config-if)# end
Switch#
You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.
max-attempts Specify a maximum number of authentication attempts allowed before a port is moved to the restricted VLAN. The range is 1 to 3; the default value is 3.
Release Modification
12.2(25)SEF This command was introduced.
Related Commands Command Description
dot1x auth-fail vlan [vlan id] Enables the optional restricted VLAN feature.
dot1x max-reauth-req [count] Sets the maximum number of times that the switch restarts
the authentication process before a port changes to the unauthorized state.
show dot1x [interface interface-id] Displays IEEE 802.1x status for the specified port.
dot1x auth-fail vlan
Use the dot1x auth-fail vlan interface configuration command to enable the restricted VLAN on a port. To return to the default setting, use the no form of this command.
dot1x auth-fail vlan vlan-id
no dot1x auth-fail vlan
Syntax Description
Defaults No restricted VLAN is configured.
Command Modes Interface configuration
Command History
Usage Guidelines You can configure a restricted VLAN on ports configured as follows:
• single-host (default) mode
• auto mode for authorization
You should enable re-authentication. The ports in restricted VLANs do not receive re-authentication requests if it is disabled. To start the re-authentication process, the restricted VLAN must receive a link-down event or an Extensible Authentication Protocol (EAP) logoff event from the port. If a host is connected through a hub, the port might never receive a link-down event when that host is disconnected, and, as a result, might not detect any new hosts until the next re-authentication attempt occurs.
If the supplicant fails authentication, the port is moved to a restricted VLAN, and an EAP success message is sent to the supplicant. Because the supplicant is not notified of the actual authentication failure, there might be confusion about this restricted network access. An EAP success message is sent for these reasons:
• If the EAP success message is not sent, the supplicant tries to authenticate every 60 seconds (the default) by sending an EAP-start message.
• Some hosts (for example, devices running Windows XP) cannot implement DHCP until they receive an EAP success message.
A supplicant might cache an incorrect username and password combination after receiving an EAP success message from the authenticator and re-use that information in every re-authentication. Until the supplicant sends the correct username and password combination, the port remains in the restricted VLAN.
Internal VLANs used for Layer 3 ports cannot be configured as restricted VLANs.
You cannot configure a VLAN to be both a restricted VLAN and a voice VLAN. If you do this, a syslog message is generated.
vlan-id Specify a VLAN in the range of 1 to 4094.
Release Modification
12.2(25)SEF This command was introduced.
When a restricted VLAN port is moved to an unauthorized state, the authentication process restarts. If the supplicant fails the authentication process again, the authenticator waits in the held state. After the supplicant has correctly re-authenticated, all IEEE 802.1x ports are reinitialized and treated as normal IEEE 802.1x ports.
When you reconfigure a restricted VLAN as a different VLAN, any ports in the restricted VLAN are also moved, and the ports stay in their currently authorized state.
When you shut down or remove a restricted VLAN from the VLAN database, any ports in the restricted VLAN are immediately moved to an unauthorized state, and the authentication process restarts. The authenticator does not wait in a held state because the restricted VLAN configuration still exists. While the restricted VLAN is inactive, all authentication attempts are counted so that when the restricted VLAN becomes active, the port is immediately placed in the restricted VLAN.
The restricted VLAN is supported only in single host mode (the default port mode). For this reason, when a port is placed in a restricted VLAN, the supplicant’s MAC address is added to the MAC address table, and any other MAC address that appears on the port is treated as a security violation.
Examples This example shows how to configure a restricted VLAN on port 21:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet0/21
Switch(config-if)# dot1x auth-fail vlan 40
Switch(config-if)# end
Switch#
You can verify your configuration by entering the show dot1x [interface interface-id] privileged EXEC command.
Related Commands Command Description
dot1x auth-fail max-attempts [max-attempts] Configures the number of authentication attempts allowed before assigning a supplicant to the restricted VLAN.
show dot1x [interface interface-id] Displays IEEE 802.1x status for the specified port.
dot1x control-direction
Use the dot1x control-direction interface configuration command to enable the IEEE 802.1x authentication with the wake-on-LAN (WoL) feature and to configure the port control as unidirectional or bidirectional. Use the no form of this command to return to the default setting.
dot1x control-direction {both | in}
no dot1x control-direction
Syntax Description
Defaults The port is in bidirectional mode.
Command Modes Interface configuration
Command History
Usage Guidelines Use the both keyword or the no form of this command to return to the default setting, bidirectional
mode.
For more information about WoL, see the “Using IEEE 802.1x Authentication with Wake-on-LAN” section in the “Configuring IEEE 802.1x Port-Based Authentication” chapter in the software configuration guide.
Examples This example shows how to enable unidirectional control:
Switch(config-if)# dot1x control-direction in
This example shows how to enable bidirectional control:
Switch(config-if)# dot1x control-direction both
You can verify your settings by entering the show dot1x all privileged EXEC command.
The show dot1x all privileged EXEC command output is the same for all switches except for the port names and the state of the port. If a host is attached to the port but is not yet authenticated, a display similar to this appears:
Supplicant MAC 0002.b39a.9275
AuthSM State = CONNECTING
BendSM State = IDLE
PortStatus = UNAUTHORIZED
both Enable bidirectional control on port. The port cannot receive
packets from or send packets to the host.
in Enable unidirectional control on port. The port can send packets to
the host but cannot receive packets from the host.
Release Modification
12.2(25)SEF This command was introduced.
If you enter the dot1x control-direction in interface configuration command to enable unidirectional control, this appears in the show dot1x all command output:
ControlDirection = In
If you enter the dot1x control-direction in interface configuration command and the port cannot support this mode due to a configuration conflict, this appears in the show dot1x all command output:
ControlDirection = In (Disabled due to port settings)
Related Commands Command Description
show dot1x [all | interface interface-id] Displays control-direction port setting status for the specified interface.
dot1x critical (global configuration)
Use the dot1x critical global configuration command on a standalone switch to configure the parameters for the inaccessible authentication bypass feature, also referred to as critical authentication or the authentication, authorization, and accounting (AAA) fail policy. To return to default settings, use the no form of this command.
dot1x critical {eapol | recovery delay milliseconds}
no dot1x critical {eapol | recovery delay}
Syntax Description
Defaults The switch does not send an EAPOL-Success message to the host when the switch successfully
authenticates the critical port by putting the critical port in the critical-authentication state.
The recovery delay period is 1000 milliseconds (1 second).
Command Modes Global configuration
Command History
Usage Guidelines Use the eapol keyword to specify that the switch sends an EAPOL-Success message when the switch
puts the critical port in the critical-authentication state.
Use the recovery delay milliseconds keyword to set the recovery delay period during which the switch waits to re-initialize a critical port when a RADIUS server that was unavailable becomes available. The default recovery delay period is 1000 milliseconds. A port can be re-initialized every second.
To enable inaccessible authentication bypass on a port, use the dot1x critical interface configuration command. To configure the access VLAN to which the switch assigns a critical port, use the dot1x critical vlan vlan-id interface configuration command.
Examples This example shows how to set 200 as the recovery delay period on the switch:
Switch(config)# dot1x critical recovery delay 200
You can verify your configuration by entering the show dot1x privileged EXEC command.
eapol Specify that the switch sends an EAPOL-Success message when the
switch puts the critical port in the critical-authentication state.
recovery delay milliseconds Set the recovery delay period in milliseconds. The range is from 1
to 10000 milliseconds.
Release Modification
12.2(25)SEE This command was introduced.
12.2(25)SEF This command was introduced.
Related Commands Command Description
dot1x critical (interface configuration) Enables the inaccessible authentication bypass feature, and configures the access VLAN for the feature.
show dot1x Displays IEEE 802.1x status for the specified port.
dot1x critical (interface configuration)
Use the dot1x critical interface configuration command on a standalone switch to enable the inaccessible-authentication-bypass feature, also referred to as critical authentication or the authentication, authorization, and accounting (AAA) fail policy. You can also configure the access VLAN to which the switch assigns the critical port when the port is in the critical-authentication state. To disable the feature or return to default, use the no form of this command.
dot1x critical [recovery action reinitialize | vlan vlan-id]
no dot1x critical [recovery | vlan]
Syntax Description
Defaults The inaccessible-authentication-bypass feature is disabled.
The recovery action is not configured.
The access VLAN is not configured.
Command Modes Interface configuration
Command History
Usage Guidelines To specify the access VLAN to which the switch assigns a critical port when the port is in the
critical-authentication state, use the vlan vlan-id keywords. The specified type of VLAN must match the type of port, as follows:
• If the critical port is an access port, the VLAN must be an access VLAN.
• If the critical port is a private VLAN host port, the VLAN must be a secondary private VLAN.
• If the critical port is a routed port, you can specify a VLAN, but this is optional.
If the client is running Windows XP and the critical port to which the client is connected is in the critical-authentication state, Windows XP might report that the interface is not authenticated.
If the Windows XP client is configured for DHCP and has an IP address from the DHCP server, receiving an EAP-Success message on a critical port might not re-initiate the DHCP configuration process.
recovery action reinitialize Enable the inaccessible-authentication-bypass recovery feature, and
specify that the recovery action is to authenticate the port when an authentication server is available.
vlan vlan-id Specify the access VLAN to which the switch can assign a critical
port. The range is from 1 to 4094.
Release Modification
12.2(25)SEF This command was introduced.
You can configure the inaccessible authentication bypass feature and the restricted VLAN on an IEEE 802.1x port. If the switch tries to re-authenticate a critical port in a restricted VLAN and all the RADIUS servers are unavailable, the switch changes the port state to the critical authentication state, and it remains in the restricted VLAN.
You can configure the inaccessible bypass feature and port security on the same switch port.
Examples This example shows how to enable the inaccessible authentication bypass feature on port 21:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet0/21
Switch(config-if)# dot1x critical
Switch(config-if)# end
Switch#
You can verify your configuration by entering the show dot1x [interface interface-id] privileged EXEC command.
Related Commands Command Description
dot1x critical (global configuration) Configures the parameters for the inaccessible authentication
bypass feature on the switch.
show dot1x [interface interface-id] Displays IEEE 802.1x status for the specified port.
dot1x default
Use the dot1x default interface configuration command to reset the IEEE 802.1x parameters to their default values.
dot1x default
Syntax Description This command has no arguments or keywords.
Defaults These are the default values:
The per-port IEEE 802.1x protocol enable state is disabled (force-authorized).
The number of seconds between re-authentication attempts is 3600 seconds.
The periodic re-authentication is disabled.
The quiet period is 60 seconds.
The retransmission time is 30 seconds.
The maximum retransmission number is 2 times.
The host mode is single host.
The client timeout period is 30 seconds.
The authentication server timeout period is 30 seconds.
Command Modes Interface configuration
Command History
Release Modification
12.2(25)SEF This command was introduced.
Examples This example shows how to reset the IEEE 802.1x parameters on a port:
Switch(config-if)# dot1x default
You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.
Related Commands Command Description
show dot1x [interface interface-id] Displays IEEE 802.1x status for the specified port.
dot1x guest-vlan
Use the dot1x guest-vlan interface configuration command to specify an active VLAN as an IEEE 802.1x guest VLAN. Use the no form of this command to return to the default setting.
dot1x guest-vlan vlan-id
no dot1x guest-vlan
Syntax Description
Defaults No guest VLAN is configured.
Command Modes Interface configuration
Command History
Usage Guidelines You can configure a guest VLAN on one of these switch ports:
• A static-access port that belongs to a nonprivate VLAN.
• A private-VLAN port that belongs to a secondary private VLAN. All the hosts connected to the switch port are assigned to private VLANs, whether or not the posture validation was successful. The switch determines the primary private VLAN by using the primary- and secondary-private-VLAN associations on the switch.
For each IEEE 802.1x port on the switch, you can configure a guest VLAN to provide limited services to clients (a device or workstation connected to the switch) not running IEEE 802.1x authentication. These users might be upgrading their systems for IEEE 802.1x authentication, and some hosts, such as Windows 98 systems, might not be IEEE 802.1x-capable.
When you enable a guest VLAN on an IEEE 802.1x port, the switch assigns clients to a guest VLAN when it does not receive a response to its Extensible Authentication Protocol over LAN (EAPOL) request/identity frame or when EAPOL packets are not sent by the client.
The switch maintains the EAPOL packet history. If another EAPOL packet is detected on the interface during the lifetime of the link, the guest VLAN feature is disabled. If the port is already in the guest VLAN state, the port returns to the unauthorized state, and authentication restarts. The EAPOL history is reset upon loss of link.
Any number of non-IEEE 802.1x-capable clients are allowed access when the switch port is moved to the guest VLAN. If an IEEE 802.1x-capable client joins the same port on which the guest VLAN is configured, the port is put into the unauthorized state in the RADIUS-configured or user-configured access VLAN, and authentication is restarted.
Guest VLANs are supported on IEEE 802.1x ports in single-host or multiple-hosts mode.
vlan-id Specify an active VLAN as an IEEE 802.1x guest VLAN. The range is 1
to 4094.
Release Modification
12.2(25)SEF This command was introduced.
You can configure any active VLAN except a Remote Switched Port Analyzer (RSPAN) VLAN or a voice VLAN as an IEEE 802.1x guest VLAN. The guest VLAN feature is not supported on trunk ports; it is supported only on access ports.
After you configure a guest VLAN for an IEEE 802.1x port to which a DHCP client is connected, you might need to get a host IP address from a DHCP server. You can change the settings for restarting the IEEE 802.1x authentication process on the switch before the DHCP process on the client times out and tries to get a host IP address from the DHCP server. Decrease the settings for the IEEE 802.1x authentication process (dot1x timeout quiet-period and dot1x timeout tx-period interface configuration commands). The amount to decrease the settings depends on the connected IEEE 802.1x client type.
The switch supports MAC authentication bypass. When it is enabled on an IEEE 802.1x port, the switch can authorize clients based on the client MAC address when IEEE 802.1x authentication times out while waiting for an EAPOL message exchange. After detecting a client on an IEEE 802.1x port, the switch waits for an Ethernet packet from the client. The switch sends the authentication server a RADIUS-access/request frame with a username and password based on the MAC address. If authorization succeeds, the switch grants the client access to the network. If authorization fails, the switch assigns the port to the guest VLAN if one is specified. For more information, see the “Using IEEE 802.1x Authentication with MAC Authentication Bypass” section in the “Configuring IEEE 802.1x Port-Based Authentication” chapter of the software configuration guide.
Examples This example shows how to specify VLAN 5 as an IEEE 802.1x guest VLAN:
Switch(config-if)# dot1x guest-vlan 5
This example shows how to set 3 as the quiet time on the switch, to set 15 as the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request, and to enable VLAN 2 as an IEEE 802.1x guest VLAN when an IEEE 802.1x port is connected to a DHCP client:
Switch(config-if)# dot1x timeout quiet-period 3
Switch(config-if)# dot1x timeout tx-period 15
Switch(config-if)# dot1x guest-vlan 2
This example shows how to enable the optional guest VLAN behavior and to specify VLAN 5 as an IEEE 802.1x guest VLAN:
Switch(config)# dot1x guest-vlan supplicant
Switch(config)# interface gigabitethernet0/21
Switch(config-if)# dot1x guest-vlan 5
You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.
Related Commands Command Description
dot1x Enables the optional guest VLAN supplicant feature.
show dot1x [interface interface-id] Displays IEEE 802.1x status for the specified port.
dot1x host-mode
Use the dot1x host-mode interface configuration command to allow a single host (client) or multiple hosts on an IEEE 802.1x-authorized port that has the dot1x port-control interface configuration command set to auto. Use the no form of this command to return to the default setting.
dot1x host-mode {multi-host | single-host}
no dot1x host-mode [multi-host | single-host]
Syntax Description
multi-host Enable multiple-hosts mode on the switch.
single-host Enable single-host mode on the switch.
Defaults The default is single-host mode.
Command Modes Interface configuration
Command History
Release Modification
12.2(25)SEF This command was introduced.
Usage Guidelines Use this command to limit an IEEE 802.1x-enabled port to a single client or to attach multiple clients to an IEEE 802.1x-enabled port. In multiple-hosts mode, only one of the attached hosts needs to be successfully authorized for all hosts to be granted network access. If the port becomes unauthorized (re-authentication fails or an Extensible Authentication Protocol over LAN [EAPOL]-logoff message is received), all attached clients are denied access to the network.
Before entering this command, make sure that the dot1x port-control interface configuration command is set to auto for the specified port.
Examples This example shows how to enable IEEE 802.1x authentication globally, to enable IEEE 802.1x authentication on a port, and to enable multiple-hosts mode:
Switch(config)# dot1x system-auth-control
Switch(config)# interface gigabitethernet0/21
Switch(config-if)# dot1x port-control auto
Switch(config-if)# dot1x host-mode multi-host
You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.
Related Commands Command Description
show dot1x [interface interface-id] Displays IEEE 802.1x status for the specified port.
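The port-level constraints given in the usage guidelines for dot1x auth-fail max-attempts, dot1x auth-fail vlan, dot1x guest-vlan, and dot1x host-mode can be checked against a saved configuration; the following Python audit is an added example, not Cisco tooling. The sample configuration is constructed, the finding labels are hypothetical, and switchport mode, switchport voice vlan, and dot1x reauthentication are IOS interface commands assumed here that this section does not document.

```python
import re
from typing import Dict, List, Optional

# Constructed sample configuration, not taken from the manual.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/21
 switchport mode access
 switchport voice vlan 40
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x auth-fail vlan 40
 dot1x auth-fail max-attempts 5
!
interface GigabitEthernet0/22
 switchport mode trunk
 dot1x port-control auto
 dot1x guest-vlan 5
!
interface GigabitEthernet0/23
 switchport mode access
 dot1x port-control auto
 dot1x reauthentication
 dot1x auth-fail vlan 40
 dot1x auth-fail max-attempts 2
 dot1x guest-vlan 5
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a configuration into {interface name: [stanza lines]}."""
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        header = re.match(r"^interface\s+(\S+)", raw)
        if header:
            current = header.group(1)
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None          # "!" or a global command closes the stanza
    return interfaces


def arg(lines: List[str], command: str) -> Optional[str]:
    """Text following `command` in the stanza ("" if it takes none), or None if absent."""
    for line in lines:
        if line == command or line.startswith(command + " "):
            return line[len(command):].strip()
    return None


def in_range(value: str, low: int, high: int) -> bool:
    return value.isdigit() and low <= int(value) <= high


def audit_interface(lines: List[str]) -> List[str]:
    """Return finding labels (hypothetical names) for one interface stanza."""
    findings: List[str] = []
    restricted = arg(lines, "dot1x auth-fail vlan")
    guest = arg(lines, "dot1x guest-vlan")
    attempts = arg(lines, "dot1x auth-fail max-attempts")
    host_mode = arg(lines, "dot1x host-mode")            # absent means single-host
    auto = arg(lines, "dot1x port-control") == "auto"
    voice = arg(lines, "switchport voice vlan")          # assumed IOS command
    trunk = arg(lines, "switchport mode") == "trunk"     # assumed IOS command

    for label, vlan in (("restricted", restricted), ("guest", guest)):
        if vlan is not None:
            if not in_range(vlan, 1, 4094):              # vlan-id range is 1 to 4094
                findings.append(f"{label}-vlan-out-of-range")
            if vlan == voice:                            # neither may be the voice VLAN
                findings.append(f"{label}-vlan-equals-voice-vlan")
    if restricted is not None:
        if not auto:                                     # needs auto mode for authorization
            findings.append("restricted-vlan-needs-port-control-auto")
        if host_mode == "multi-host":                    # supported only in single-host mode
            findings.append("restricted-vlan-requires-single-host")
        if arg(lines, "dot1x reauthentication") is None: # "You should enable re-authentication"
            findings.append("restricted-vlan-without-reauthentication")
    if attempts is not None and not in_range(attempts, 1, 3):
        findings.append("max-attempts-out-of-range")     # range is 1 to 3
    if guest is not None and trunk:                      # guest VLAN: access ports only
        findings.append("guest-vlan-on-trunk-port")
    if host_mode is not None and not auto:               # set port-control auto first
        findings.append("host-mode-needs-port-control-auto")
    if host_mode == "multi-host":                        # one authorized host opens the port
        findings.append("multi-host-one-authorization-opens-port")
    return findings


def audit(config: str) -> Dict[str, List[str]]:
    return {name: audit_interface(lines) for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name, findings or "ok")
```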
dot1x initialize
Use the dot1x initialize privileged EXEC command to manually return the specified IEEE 802.1x-enabled port to an unauthorized state before initiating a new authentication session on the port.
dot1x initialize [interface interface-id]
Syntax Description
interface interface-id (Optional) Port to be initialized.
Defaults There is no default setting.
Command Modes Privileged EXEC
Command History
Release Modification
12.2(25)SEF This command was introduced.
Usage Guidelines Use this command to initialize the IEEE 802.1x state machines and to set up a fresh environment for authentication. After you enter this command, the port status becomes unauthorized.
There is no no form of this command.
Examples This example shows how to manually initialize a port:
Switch# dot1x initialize interface gigabitethernet0/22
You can verify the unauthorized port status by entering the show dot1x [interface interface-id] privileged EXEC command.
Related Commands Command Description
show dot1x [interface interface-id] Displays IEEE 802.1x status for the specified port.
dot1x mac-auth-bypass
Use the dot1x mac-auth-bypass interface configuration command to enable the MAC authentication bypass feature. Use the no form of this command to disable the MAC authentication bypass feature.
dot1x mac-auth-bypass [eap]
no dot1x mac-auth-bypass
Syntax Description
Defaults MAC authentication bypass is disabled.
Command Modes Interface configuration
Command History
Usage Guidelines Unless otherwise stated, the MAC authentication bypass usage guidelines are the same as the
IEEE 802.1x authentication guidelines.
If you disable MAC authentication bypass from a port after the port has been authenticated with its MAC address, the port state is not affected.
If the port is in the unauthorized state and the client MAC address is not in the authentication-server database, the port remains in the unauthorized state. However, if the client MAC address is added to the database, the switch can use MAC authentication bypass to re-authorize the port.
If the port is in the authorized state, the port remains in this state until re-authorization occurs.
If an EAPOL packet is detected on the interface during the lifetime of the link, the switch determines that the device connected to that interface is an IEEE 802.1x-capable supplicant and uses IEEE 802.1x authentication (not MAC authentication bypass) to authorize the interface.
Clients that were authorized with MAC authentication bypass can be re-authenticated.
For more information about how MAC authentication bypass and IEEE 802.1x authentication interact, see the “Understanding IEEE 802.1x Authentication with MAC Authentication Bypass” section and the “IEEE 802.1x Authentication Configuration Guidelines” section in the “Configuring IEEE 802.1x Port-Based Authentication” chapter of the software configuration guide.
eap (Optional) Configure the switch to use Extensible Authentication Protocol
(EAP) for authentication.
Release Modification
12.2(25)SEE This command was introduced.
12.2(25)SEF This command was introduced.