Dell™ PowerConnect™ 5400 Systems
CLI Reference Guide
www.dell.com | support.dell.com
Notes, Cautions, and Warnings
NOTE: A NOTE indicates important information that helps you make better use of your computer.
CAUTION: A CAUTION indicates potential damage to hardware or loss of data if instructions are not followed.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
____________________
Information in this document is subject to change without notice.
© 2008 Dell Inc. All rights reserved.
Reproduction of these materials in any manner whatsoever without the written permission of Dell Inc. is strictly forbidden.
Trademarks used in this text: Dell, the DELL logo, and PowerConnect are trademarks of Dell Inc.
Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products.
Dell Inc. disclaims any proprietary interest in trademarks and trade names other than its own.
December 2008 Rev. A01
Contents
1 Using the CLI
CLI Command Modes
Introduction
User EXEC Mode
Privileged EXEC Mode
Global Configuration Mode
Interface Configuration Mode and Specific Configuration Modes
Starting the CLI
Editing Features
Setup Wizard
Terminal Command Buffer
Negating the Effect of Commands
Command Completion
Keyboard Shortcuts
CLI Command Conventions

2 Command Groups
Introduction
Command Groups
ACL Commands
AAA Commands
Address Table Commands
Clock Commands
Configuration and Image Files Commands
DHCP Snooping Commands
Ethernet Configuration Commands
GVRP Commands
IGMP Snooping Commands
IP Addressing Commands
IPv6 Addressing Commands
iSCSI Commands
LACP Commands
Line Commands
LLDP Commands
Login Banner Commands
Management ACL Commands
PHY Diagnostics Commands
Port Channel Commands
Port Monitor Commands
QoS Commands
RADIUS Commands
RMON Commands
SNMP Commands
Spanning Tree Commands
SSH Commands
Syslog Commands
System Management Commands
TACACS Commands
TIC Commands
Tunnel Commands
User Interface Commands
VLAN Commands
Voice VLAN Commands
Web Server Commands
802.1x Commands
802.1x Advanced Commands

3 Command Modes
GC (Global Configuration) Mode
IC (Interface Configuration) Mode
LC (Line Configuration) Mode
MA (Management Access-level) Mode
PE (Privileged User EXEC) Mode
SP (SSH Public Key) Mode
UE (User EXEC) Mode
VC (VLAN Configuration) Mode

4 ACL Commands
ip access-list
mac access-list
permit (ip)
deny (IP)
permit (MAC)
deny (MAC)
service-acl
show access-lists
show interfaces access-lists

5 AAA Commands
aaa authentication login
aaa authentication enable
login authentication
enable authentication
ip http authentication
ip https authentication
show authentication methods
password
enable password
username
show users accounts

6 Address Table Commands
bridge address
bridge multicast filtering
bridge multicast address
bridge multicast forbidden address
bridge multicast unregistered
bridge multicast forward-all
bridge multicast forbidden forward-all
bridge aging-time
clear bridge
port security
port security mode
port security max
port security routed secure-address
show bridge address-table
show bridge address-table static
show bridge address-table count
show bridge multicast address-table
show bridge multicast filtering
show ports security
show ports security addresses

7 Login Banner
banner exec
banner login
banner motd
exec-banner
login-banner
motd-banner
show banner

8 Clock
clock set
clock source
clock timezone
clock summer-time
sntp authentication-key
sntp authenticate
sntp trusted-key
sntp client poll timer
sntp broadcast client enable
sntp anycast client enable
sntp client enable
sntp client enable (interface)
sntp unicast client enable
sntp unicast client poll
sntp server
show clock
show sntp configuration
show sntp status

9 Configuration and Image Files
dir
more
rename
delete startup-config
copy
delete
boot system
show running-config
show startup-config
show bootvar

10 Ethernet Configuration Commands
interface ethernet
interface range ethernet
shutdown
description
speed
duplex
negotiation
flowcontrol
system flowcontrol
mdix
back-pressure
port jumbo-frame
clear counters
set interface active
show interfaces configuration
show interfaces status
show interfaces advertise
show interfaces description
show interfaces counters
show ports jumbo-frame
port storm-control include-multicast
port storm-control broadcast enable
port storm-control broadcast rate
show ports storm-control
show system flowcontrol

11 DHCP Snooping
ip dhcp snooping
ip dhcp snooping vlan
ip dhcp snooping trust
ip dhcp snooping information option allowed-untrusted
ip dhcp snooping verify
ip dhcp snooping database
ip dhcp snooping database update-freq
ip dhcp snooping binding
clear ip dhcp snooping database
show ip dhcp snooping
show ip dhcp snooping binding

12 GVRP Commands
gvrp enable (global)
gvrp enable (interface)
garp timer
gvrp vlan-creation-forbid
gvrp registration-forbid
clear gvrp statistics
show gvrp configuration
show gvrp statistics

13 IGMP Snooping Commands
ip igmp snooping (Global)
ip igmp snooping (Interface)
ip igmp snooping mrouter
ip igmp snooping host-time-out
ip igmp snooping mrouter-time-out
ip igmp snooping leave-time-out
ip igmp snooping querier enable
ip igmp snooping querier address
show ip igmp snooping mrouter
show ip igmp snooping interface
show ip igmp snooping groups

14 IP Addressing Commands
clear host dhcp
ip address
ip address dhcp
ip default-gateway
show ip interface
arp
arp timeout
clear arp-cache
show arp
ip domain-lookup
ip domain-name
ip name-server
ip host
clear host
show hosts

15 IPv6 Addressing
ipv6 enable
ipv6 address autoconfig
ipv6 icmp error-interval
show ipv6 icmp error-interval
ipv6 address
ipv6 address link-local
ipv6 unreachables
ipv6 default-gateway
ipv6 mld join-group
ipv6 mld version
show ipv6 interface
show ipv6 route
ipv6 nd dad attempts
ipv6 host
ipv6 neighbor
ipv6 set mtu
show ipv6 neighbors
clear ipv6 neighbors

16 iSCSI Commands
iscsi enable
iscsi target port
iscsi cos
iscsi aging time
iscsi max connections
show iscsi
show iscsi sessions

17 LACP Commands
lacp system-priority
lacp port-priority
lacp timeout
show lacp ethernet
show lacp port-channel

18 Line Commands
line
speed
autobaud
show line
terminal history
terminal history size
exec-timeout

19 LLDP Commands
lldp enable (global)
lldp enable (interface)
lldp timer
lldp hold-multiplier
lldp reinit-delay
lldp tx-delay
lldp optional-tlv
lldp management-address
lldp med enable
lldp med network-policy (global)
lldp med network-policy (interface)
lldp med location
clear lldp rx
show lldp configuration
show lldp local
show lldp neighbors
show lldp med configuration

20 Management ACL
management access-list
permit (management)
deny (management)
management access-class
show management access-list
show management access-class

21 PHY Diagnostics Commands
test copper-port tdr
show copper-ports tdr
show copper-ports cable-length
show fiber-ports optical-transceiver

22 Port Channel Commands
interface port-channel
interface range port-channel
channel-group
port-channel load-balance
show interfaces port-channel

23 Port Monitor Commands
port monitor
show ports monitor

24 QoS Commands
qos
show qos
wrr-queue cos-map
wrr-queue bandwidth
priority-queue out num-of-queues
traffic-shape
rate-limit (Ethernet)
show qos interface
qos map dscp-queue
qos trust (Global)
qos trust (Interface)
qos cos
show qos map

25 Radius Commands
radius-server host
radius-server key
radius-server retransmit
radius-server source-ip
radius-server source-ipv6
radius-server timeout
radius-server deadtime
show radius-servers

26 RMON Commands
show rmon statistics
rmon collection history
show rmon collection history
show rmon history
rmon alarm
show rmon alarm-table
show rmon alarm
rmon event
show rmon events
show rmon log
rmon table-size

27 SNMP Commands
snmp-server community
snmp-server view
snmp-server filter
snmp-server contact
snmp-server location
snmp-server enable traps
snmp-server trap authentication
snmp-server host
snmp-server set
snmp-server group
snmp-server user
snmp-server v3-host
snmp-server engineID local
show snmp engineid
show snmp
show snmp views
show snmp groups
show snmp filters
show snmp users

28 Spanning-Tree Commands
spanning-tree
spanning-tree mode
spanning-tree forward-time
spanning-tree hello-time
spanning-tree max-age
spanning-tree priority
spanning-tree disable
spanning-tree cost
spanning-tree port-priority
spanning-tree portfast
spanning-tree link-type
spanning-tree mst priority
spanning-tree mst max-hops
spanning-tree mst port-priority
spanning-tree mst cost
spanning-tree mst configuration
instance (mst)
name (mst)
revision (mst)
show (mst)
exit (mst)
abort (mst)
spanning-tree pathcost method
spanning-tree bpdu
clear spanning-tree detected-protocols
show spanning-tree
Spanning-tree guard root
29 SSH Commands
ip ssh port
ip ssh server
crypto key generate dsa
crypto key generate rsa
ip ssh pubkey-auth
crypto key pubkey-chain ssh
user-key
key-string
show ip ssh
show crypto key mypubkey
show crypto key pubkey-chain ssh
30 Syslog Commands
logging on
logging
logging console
logging buffered
logging buffered size
clear logging
logging file
clear logging file
aaa logging
file-system logging
management logging
show logging
show logging file
show syslog-servers
31 System Management
ping
traceroute
telnet
resume
reload
hostname
service cpu-utilization
show cpu utilization
show users
show sessions
show system
set system
show system mode
show version
asset-tag
show system id
32 TACACS Commands
tacacs-server host
tacacs-server key
tacacs-server timeout
tacacs-server source-ip
show tacacs
33 TIC Commands
passwords min-length
password-aging
passwords aging
passwords history
passwords history hold-time
passwords lockout
aaa login-history file
set username active
set line active
set enable-password active
show passwords configuration
show users login-history
34 Tunnel
interface tunnel
tunnel mode ipv6ip
tunnel isatap router
tunnel source
tunnel isatap query-interval
tunnel isatap solicitation-interval
tunnel isatap robustness
show ipv6 tunnel
35 User Interface
enable
disable
login
configure
exit(configuration)
exit(EXEC)
end
help
history
terminal datadump
history size
debug-mode
show history
show privilege
do
36 VLAN Commands
vlan database
vlan
interface vlan
interface range vlan
name
switchport access vlan
switchport trunk allowed vlan
switchport trunk native vlan
switchport general allowed vlan
switchport general pvid
switchport general ingress-filtering disable
switchport general acceptable-frame-type tagged-only
switchport forbidden vlan
switchport mode
switchport customer vlan
map protocol protocols-group
switchport general map protocols-group vlan
switchport protected
ip internal-usage-vlan
show vlan
show vlan internal usage
show vlan protocols-groups
show interfaces switchport
37 Voice VLAN
voice vlan id
voice vlan oui-table
voice vlan cos
voice vlan aging-timeout
voice vlan enable
voice vlan secure
show voice vlan
38 Web Server
ip http server
ip http port
ip http exec-timeout
ip https server
ip https port
ip https exec-timeout
crypto certificate generate
crypto certificate request
crypto certificate import
ip https certificate
crypto certificate import pkcs12
show crypto certificate mycertificate
show ip http
show ip https
39 802.1x Commands
aaa authentication dot1x
dot1x system-auth-control
dot1x port-control
dot1x re-authentication
dot1x timeout re-authperiod
dot1x re-authenticate
dot1x timeout quiet-period
dot1x timeout tx-period
dot1x max-req
dot1x timeout supp-timeout
dot1x timeout server-timeout
dot1x send-async-request-id
show dot1x
show dot1x users
show dot1x statistics
ADVANCED FEATURES
dot1x auth-not-req
dot1x multiple-hosts
dot1x single-host-violation
dot1x guest-vlan
dot1x guest-vlan enable
dot1x mac-authentication
dot1x traps mac-authentication failure
dot1x radius-attributes vlan
show dot1x advanced
Using the CLI
This chapter describes how to start using the CLI and describes implemented command editing
features to assist in using the CLI.
CLI Command Modes
Introduction
To assist in configuring devices, the CLI (Command Line Interface) is divided into different command
modes. Each command mode has its own set of specific commands. Entering a question mark "?" at the
system prompt (console prompt) displays a list of commands available for that particular command mode.
From each mode a specific command is used to navigate from one command mode to another.
The standard order to access the modes is as follows: User EXEC mode, Privileged EXEC mode,
Global Configuration mode, and Interface Configuration mode. The following figure illustrates the
command mode access path.
When starting a session, the initial mode is the User EXEC mode. Only a limited subset of commands
are available in User EXEC Mode. This level is reserved for tasks that do not change the configuration.
To enter the next level, the Privileged EXEC mode, a password is required.
The Privileged EXEC mode gives access to commands that are restricted in User EXEC mode and provides
access to the device Configuration mode.
The Global Configuration mode manages the device configuration on a global level.
The Interface Configuration mode configures specific interfaces in the device.
User EXEC Mode
After logging into the device, the user is automatically in User EXEC command mode unless the user is
defined as a privileged user. In general, the User EXEC commands allow the user to perform basic tests,
and list system information.
The user-level prompt consists of the device "host name" followed by the angle bracket (>).
console>
The default host name is "Console" unless it has been changed using the hostname command in the
Global Configuration mode.
Privileged EXEC Mode
Privileged access is password protected to prevent unauthorized use because many of the privileged
commands set operating system parameters. The password is not displayed on the screen and is case
sensitive.
Privileged users enter directly into the Privileged EXEC mode. To enter the Privileged EXEC mode from
the User EXEC mode, perform the following steps:
1 At the prompt enter the command enable and press <Enter>. A password prompt is displayed.
2 Enter the password and press <Enter>. The password is displayed as "*". The Privileged EXEC mode
prompt is displayed. The Privileged EXEC mode prompt consists of the device "host name" followed
by "#".
console#
To return from Privileged EXEC mode to User EXEC mode, type the disable command at the command
prompt.
The following example illustrates how to access Privileged EXEC mode and return to the User EXEC
mode:
console>enable
Enter Password: ******
console#
console#disable
console>
The exit command is used to return from any mode to the previous mode except when returning to User
EXEC mode from the Privileged EXEC mode. For example, the exit command is used to return from
the Interface Configuration mode to the Global Configuration mode.
Global Configuration Mode
Global Configuration mode commands apply to features that affect the system as a whole, rather than
just a specific interface. The Privileged EXEC mode command configure is used to enter the Global
Configuration mode.
To enter the Global Configuration mode perform the following steps:
1 At the Privileged EXEC mode prompt enter the command configure and press <Enter>. The Global
Configuration mode prompt is displayed. The Global Configuration mode prompt consists of the
device "host name" followed by the word "(config)" and "#".
console(config)#
2 Use one of the following commands to return from the Global Configuration mode to the Privileged
EXEC mode:
• exit
• end
• Ctrl+Z
The following example illustrates how to access Global Configuration mode and return to the Privileged
EXEC mode:
console#
console#configure
console(config)#exit
console#
Interface Configuration Mode and Specific Configuration Modes
Interface Configuration mode commands are used to modify specific interface operations. The following are
the Interface Configuration modes:
• Line Interface — Contains commands to configure the management connections. These include
commands such as line speed, timeout settings, etc. The Global Configuration mode command line is
used to enter the Line Configuration command mode.
• VLAN Database — Contains commands to create a VLAN as a whole. The Global Configuration
mode command vlan database is used to enter the VLAN Database Interface Configuration mode.
• Management Access List — Contains commands to define management access-lists. The Global
Configuration mode command management access-list is used to enter the Management Access List
Configuration mode.
• Ethernet — Contains commands to manage port configuration. The Global Configuration mode
command interface ethernet is used to enter the Interface Configuration mode to configure an
Ethernet type interface.
• Port Channel — Contains commands to configure port-channels, for example, assigning ports to a
VLAN or port-channel. Most of these commands are the same as the commands in the Ethernet
interface mode, and are used to manage the member ports as a single entity. The Global Configuration
mode command interface port-channel is used to enter the Port Channel Interface Configuration
mode.
• SSH Public Key-chain — Contains commands to manually specify other device SSH public keys. The
Global Configuration mode command crypto key pubkey-chain ssh is used to enter the SSH Public
Key-chain Configuration mode.
• Interface — Contains commands that configure the interface. The Global Configuration mode
command interface ethernet is used to enter the Interface Configuration mode.
• QoS — Contains commands related to service definitions. The Global Configuration mode
command qos config-services is used to enter the QoS services configuration mode.
Starting the CLI
The switch can be managed over a direct connection to the switch console port, or via a Telnet
connection. The switch is managed by entering command keywords and parameters at the prompt.
Using the switch command-line interface (CLI) is very similar to entering commands on a UNIX system.
If access is via a Telnet connection, ensure the device has an IP address defined, corresponding
management access is granted, and the workstation used to access the device is connected to the device
prior to using CLI commands.
NOTE: The following steps are for use on the console line only.
To start using the CLI, perform the following steps:
1 Start the device and wait until the startup procedure is complete.
The User EXEC mode is entered, and the prompt "Console>" is displayed.
2 Configure the device and enter the necessary commands to complete the required tasks.
3 When finished, exit the session with the quit or exit command.
When a different user is required to log onto the system, in the Privileged EXEC mode command mode
the login command is entered. This effectively logs off the current user and logs on the new user.
Editing Features
Entering Commands
A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments
specify configuration parameters. For example, in the command "show interfaces status ethernet g5",
show, interfaces and status are keywords, ethernet is an argument that specifies the interface type, and g5
specifies the port.
To enter commands that require parameters, enter the required parameters after the command keyword.
For example, to set a password for the administrator, enter:
Console(config)# username admin password smith
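The prompt endings described under CLI Command Modes, together with the password command shown above, are enough to audit a captured console session offline. The following Python script is an added example, not part of the Dell guide: it tracks the mode from each prompt, redacts passwords typed on the command line, and flags mode changes that the documented enable, disable, configure, exit and end commands do not explain. The transcript is constructed, and the "(config-if)#" sub-mode prompt, the host name "core1" and the flag names are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Prompt endings documented on this page: ">" User EXEC, "#" Privileged EXEC,
# "(config)#" Global Configuration. Treating any other "(config-...)#" prompt
# as a configuration sub-mode is an assumption of this example.
PROMPT_RE = re.compile(
    r"^(?P<host>[A-Za-z0-9_.-]+)(?:\((?P<ctx>config[^)]*)\))?(?P<end>[>#])(?P<cmd>.*)$"
)
# The page's own example puts the secret on the command line:
# "username admin password smith". Redact whatever follows "password".
SECRET_RE = re.compile(r"\b(password)\s+\S+", re.IGNORECASE)

# Mode changes the page documents, keyed by (old mode, new mode). The value is
# the set of commands that explain the change; None accepts any command.
ALLOWED = {
    ("user", "privileged"): {"enable"},
    ("privileged", "user"): {"disable"},
    ("privileged", "global-config"): {"configure"},
    ("global-config", "privileged"): {"exit", "end"},
    ("global-config", "sub-config"): None,  # mode-entry commands vary
    ("sub-config", "global-config"): {"exit"},
    ("sub-config", "privileged"): {"end"},
}
NAVIGATION = {"exit", "end"}


@dataclass
class Event:
    lineno: int
    mode: str
    command: str  # secrets already redacted
    flags: list = field(default_factory=list)


def mode_of(ctx, end):
    """Map the parts of a prompt to a mode name, or None if it is not a prompt."""
    if end == ">":
        return "user" if ctx is None else None
    if ctx is None:
        return "privileged"
    return "global-config" if ctx == "config" else "sub-config"


def audit(transcript, hostname="console"):
    """Return one Event per prompt line of a captured session."""
    events, prev_mode, last_cmd = [], None, ""
    for lineno, line in enumerate(transcript.splitlines(), 1):
        m = PROMPT_RE.match(line.strip())
        # Requiring the known host name keeps command output from being
        # mistaken for a prompt.
        if not m or m["host"].lower() != hostname.lower():
            continue
        mode = mode_of(m["ctx"], m["end"])
        if mode is None:
            continue
        cmd, n_secrets = SECRET_RE.subn(r"\1 <redacted>", m["cmd"].strip())
        ev = Event(lineno, mode, cmd)
        if prev_mode is not None and mode != prev_mode:
            allowed = ALLOWED.get((prev_mode, mode), set())
            verb = last_cmd.split()[0].lower() if last_cmd else ""
            if allowed is not None and verb not in allowed:
                ev.flags.append("unexplained-mode-change")
        if n_secrets:
            ev.flags.append("plaintext-secret")
        is_config = mode in ("global-config", "sub-config")
        if cmd and is_config and cmd.split()[0].lower() not in NAVIGATION:
            ev.flags.append("config-change")
        events.append(ev)
        prev_mode, last_cmd = mode, cmd
    return events


# Constructed transcript. The last line shows a configuration prompt with no
# preceding enable/configure, as happens when a log is spliced or truncated.
SAMPLE = """\
console>enable
Enter Password: ******
console#
console#configure
console(config)#username admin password smith
console(config)#interface ethernet g5
console(config-if)#exit
console(config)#exit
console#disable
console>
console(config)#hostname core1
"""

if __name__ == "__main__":
    for e in audit(SAMPLE):
        print(f"{e.lineno:>3} {e.mode:<14} {e.command:<36} {','.join(e.flags)}")
```

Run against real captures, the redacted command text is what should be stored or forwarded; the flags are a triage aid for review, not proof of tampering.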
When working with the CLI, the command options are not displayed. The command is not selected
from a menu but is manually entered. To see what commands are available in each mode or within an
Interface Configuration, the CLI does provide a method of displaying the available commands, the
command syntax requirements and in some instances parameters required to complete the command.
The standard command to request help is ?.
There are two instances where the help information can be displayed:
• Keyword lookup — The character ? is entered in place of a command. A list of all valid commands and
corresponding help messages are displayed.
• Partial keyword lookup — A command is incomplete and the character ? is entered in place of a
parameter. The matched parameters for this command are displayed.
To assist in using the CLI, there is an assortment of editing features. The following features are
described:
• Terminal Command Buffer
• Command Completion
• Keyboard Shortcuts
Setup Wizard
The CLI supports a Setup Wizard. This is an easy-to-use user interface which quickly guides the user in
setting up basic device information, so that the device can be easily managed from a Web Based
Interface. Refer to the Getting Started Guide and User Guide for more information on the Setup
Wizard.
Terminal Command Buffer
Every time a command is entered in the CLI, it is recorded on an internally managed Command History
buffer. Commands stored in the buffer are maintained on a First In First Out (FIFO) basis. These
commands can be recalled, reviewed, modified, and reissued. This buffer is not preserved across device
resets.
Keyword               Description
Up-arrow key, Ctrl+P  Recalls commands in the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands.
Down-arrow key        Returns to more recent commands in the history buffer after recalling commands with the up-arrow key. Repeating the key sequence will recall successively more recent commands.
By default, the history buffer system is enabled, but it can be disabled at any time. For information about
the command syntax to enable or disable the history buffer, see history.
There is a standard default number of commands that are stored in the buffer. The standard number of
10 commands can be increased to 256. By configuring 0, the effect is the same as disabling the history
buffer system. For information about the command syntax for configuring the command history buffer,
see history size.
To display the history buffer, see show history.
Negating the Effect of Commands
For many configuration commands, the prefix keyword "no" can be entered to cancel the effect of a
command or reset the configuration to the default value. This guide describes the negation effect for all
applicable commands.
Command Completion
If the command entered is incomplete, invalid, or has missing or invalid parameters, then the
appropriate error message is displayed. This assists in entering the correct command. By pressing the
<Tab> button, an incomplete command is entered. If the characters already entered are not enough for
the system to identify a single matching command, press "?" to display the available commands matching
the characters already entered.
Incorrect or incomplete commands are automatically re-entered next to the cursor. If a parameter must
be added, the parameter can be added to the basic command already displayed next to the cursor. The
following example indicates that the command interface ethernet requires a missing parameter.
(config)#interface ethernet
%missing mandatory parameter
(config)#interface ethernet
Keyboard Shortcuts
The CLI has a range of keyboard shortcuts to assist in editing the CLI commands. The following table
describes the CLI shortcuts.
Keyboard Key    Description
Up-arrow key    Recalls commands from the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands.
Down-arrow key  Returns the most recent commands from the history buffer after recalling commands with the up-arrow key. Repeating the key sequence will recall successively more recent commands.
Ctrl+A          Moves the cursor to the beginning of the command line.
Ctrl+E          Moves the cursor to the end of the command line.
Ctrl+Z / End    Returns to the Privileged EXEC mode from any mode.
Backspace key   Moves the cursor back one space.
CLI Command Conventions
When entering commands there are certain command entry standards that apply to all commands.
The following table describes the command conventions.
Convention      Description
[ ]             In a command line, square brackets indicate an optional entry.
{ }             In a command line, curly brackets indicate a selection of compulsory parameters separated by the | character. One option must be selected. For example: flowcontrol {auto|on|off} means that for the flowcontrol command either auto, on or off must be selected.
Italic font     Indicates a parameter.
<Enter>         Any individual key on the keyboard. For example click <Enter>.
Ctrl+F4         Any combination keys pressed simultaneously on the keyboard.
Screen Display  Indicates system messages and prompts appearing on the console.
all             When a parameter is required to define a range of ports or parameters and all is an option, the default for the command is all when no parameters are defined. For example, the command interface range port-channel has the option of either entering a range of channels, or selecting all. When the command is entered without a parameter, it automatically defaults to all.
Command Groups
Introduction
The Command Language Interface (CLI) is a network management application operated through
an ASCII terminal without the use of a Graphic User Interface (GUI) driven software application.
By directly entering commands, you have greater configuration flexibility. The CLI is a basic
command-line interpreter similar to the UNIX C shell.
A device can be configured and maintained by entering commands from the CLI, which is based
solely on textual input and output with commands being entered from a terminal keyboard and the
output displayed as text via a terminal monitor. The CLI can be accessed from a VT100 terminal
connected to the console port of the device or through a Telnet connection from a remote host.
The first time you use the CLI from the console a Setup Wizard is invoked. The Setup Wizard
guides you in setting up a minimum configuration, so that the device can be managed from the Web
Based Interface. Refer to the Getting Started Guide and User Guide for more information on the
Setup Wizard.
This guide describes how the Command Line Interface (CLI) is structured, describes the command
syntax, and describes the command functionality.
This guide also provides information for configuring the Dell™ PowerConnect™ switch, details the
procedures and provides configuration examples. Basic installation configuration is described in the
User’s Guide and must be completed before using this document.
Command Groups
The system commands can be broken down into the functional groups shown below.
Command Group                           Description
ACL Commands                            Configures and displays ACL configuration and information.
AAA Commands                            Configures connection security including authorization and passwords.
Address Table Commands                  Configures bridging address tables.
Configuration and Image Files Commands  Manages the device Configuration files.
Clock Commands                          Configures clock commands on the device.
DHCP Snooping Commands                  Configures DHCP snooping and displays DHCP configuration and DHCP information.
Ethernet Configuration                  Configures all port configuration options for example ports, storm control, port speed and auto-negotiation.
GVRP Commands                           Configures and displays GVRP configuration and information.
IGMP Snooping Commands                  Configures IGMP snooping and displays IGMP configuration and IGMP information.
IP Addressing Commands                  Configures and manages IP addresses on the device.
IPv6 Addressing Commands                Configures and manages IPv6 addresses on the device.
iSCSI Commands                          Configures and manages Internet Small Computer Interface System Information (iSCSI).
LACP Commands                           Configures and displays LACP information.
Line Commands                           Configures the console and remote Telnet connection.
Login Banner Commands                   Configures customizable login banners on the device.
Management ACL Commands                 Configures and displays management access-list information.
PHY Diagnostics Commands                Diagnoses and displays the interface status.
Port Channel Commands                   Configures and displays Port channel information.
Port Monitor Commands                   Monitors activity on specific target ports.
QoS Commands                            Configures and displays QoS information.
RADIUS Commands                         Configures and displays RADIUS information.
RMON Commands                           Displays RMON statistics.
SNMP Commands                           Configures SNMP communities, traps and displays SNMP information.
Spanning Tree Commands                  Configures and reports on Spanning Tree protocol.
SSH Commands                            Configures SSH authentication.
Syslog Commands                         Manages and displays syslog messages.
System Management Commands              Configures the device clock, name and authorized users.
TACACS Commands                         Configures TACACS commands.
TIC Commands                            Configures password access and control.
Tunnel Commands                         Configures tunnel routing configurations.
User Interface Commands                 Describes user commands used for entering CLI commands.
VLAN Commands                           Configures VLANs and displays VLAN information.
Voice VLAN Commands                     Configures Voice VLANs and displays Voice VLAN information.
Web Server Commands                     Configures Web based access to the device.
802.1x Commands                         Configures commands related to 802.1x security protocol.
ACL Commands

| Command Group | Description | Access Mode |
| --- | --- | --- |
| ip access-list | Defines an IPv4 Access List and places the device in IPv4 Access List Configuration mode. | Global Configuration |
| mac access-list | Enables the MAC-Access List Configuration mode and creates Layer 2 ACLs. | Global Configuration |
| permit (ip) | Permits traffic if the conditions defined in the permit statement match. | IP-Access List Configuration |
| deny (IP) | Denies traffic if the conditions defined in the deny statement match. | IP-Access List Configuration |
| permit (MAC) | Defines permit conditions of an MAC ACL. | MAC-Access List Configuration |
| deny (MAC) | Denies traffic if the conditions defined in the deny statement match. | MAC-Access List Configuration |
| service-acl | Applies an ACL to the input interface. | Interface Configuration (Ethernet, port-channel) |
| show access-lists | Displays access control lists (ACLs) defined on the device. | Privileged EXEC |
| show interfaces access-lists | Displays access lists applied on interfaces. | Privileged EXEC |

AAA Commands

| Command Group | Description | Access Mode |
| --- | --- | --- |
| aaa authentication login | Defines login authentication. | Global Configuration |
| aaa authentication enable | Defines authentication method lists for accessing higher privilege levels. | Global Configuration |
| enable authentication | Specifies the authentication method list when accessing a higher privilege level from a remote telnet or console. | Line Configuration |
| ip http authentication | Specifies authentication methods for http. | Global Configuration |
| ip https authentication | Specifies authentication methods for https. | Global Configuration |
| show authentication methods | Displays information about the authentication methods. | Privileged User EXEC |
| password | Specifies a password on a line. | Line Configuration |
| enable password | Sets a local password to control access to normal and privilege levels. | Global Configuration |
| username | Establishes a username-based authentication system. | Global Configuration |
| show users accounts | Displays information about the local user database. | Privileged User EXEC |

Address Table Commands

| Command Group | Description | Access Mode |
| --- | --- | --- |
| bridge address | Adds a static MAC-layer station source address to the bridge table. | VLAN Configuration |
| bridge multicast filtering | Enables filtering of Multicast addresses. | Global Configuration |
| bridge multicast address | Registers MAC-layer Multicast addresses to the bridge table, and adds static ports to the group. | VLAN Configuration |
| bridge multicast forbidden address | Forbids adding a specific Multicast address to specific ports. | VLAN Configuration |
| bridge multicast unregistered | Configures the forwarding state of unregistered multicast addresses. | Interface Configuration |
| bridge multicast forward-all | Enables forwarding of all Multicast frames on a port. | VLAN Configuration |
| bridge multicast forbidden forward-all | Enables forbidding forwarding of all Multicast frames to a port. | VLAN Configuration |
| bridge aging-time | Sets the address table aging time. | Global Configuration |
| clear bridge | Removes any learned entries from the forwarding database. | Privileged User EXEC |
| port security | Disables new address learning on an interface. | Interface Configuration |
| port security routed secure-address | Adds MAC-layer secure addresses to a routed port. | Interface Configuration |
| show bridge address-table | Displays dynamically created entries in the bridge-forwarding database. | Privileged User EXEC |
| show bridge address-table static | Displays statically created entries in the bridge-forwarding database. | Privileged User EXEC |
| show bridge address-table count | Displays the number of addresses present in all or at a specific VLAN. | Privileged User EXEC |
| show bridge multicast address-table | Displays statically created entries in the bridge-forwarding database. | Privileged User EXEC |
| show bridge multicast filtering | Displays the Multicast filtering configuration. | Privileged User EXEC |
| show ports security | Displays the port-lock status. | Privileged User EXEC |
| show ports security addresses | Displays the current dynamic addresses in locked ports. | Privileged User EXEC |

Clock Commands

| Command Group | Description | Access Mode |
| --- | --- | --- |
| clock set | Manually sets the system clock. | Privileged User EXEC |
| clock source | Configures an external time source for the system clock. | Privileged User EXEC |
| clock timezone | Sets the time zone for display purposes. | Global Configuration |
| clock summer-time | Configures the system to automatically switch to summer time (daylight saving time). | Global Configuration |
| sntp authentication-key | Defines an authentication key for Simple Network Time Protocol (SNTP). | Global Configuration |
| sntp authenticate | Grants authentication for received Network Time Protocol (NTP) traffic from servers. | Global Configuration |
| sntp trusted-key | Authenticates the identity of a system to which SNTP will synchronize. | Global Configuration |
| sntp client poll timer | Sets the polling time for the SNTP client. | Global Configuration |
| sntp broadcast client enable | Enables the SNTP Broadcast clients. | Global Configuration |
| sntp anycast client enable | Enables Anycast clients. | Global Configuration |
| sntp client enable (interface) | Enables the SNTP client on an interface. | Interface Configuration |
| sntp unicast client enable | Enables the device to use the SNTP to request and accept NTP traffic from servers. | Global Configuration |
| sntp unicast client poll | Enables polling for the SNTP predefined Unicast clients. | Global Configuration |
| sntp server | Specifies SNTP UDP port of the SNTP server. | Global Configuration |
| show clock | Displays the time and date from the system clock. | User EXEC |
| show sntp configuration | Shows the configuration of the SNTP. | Privileged User EXEC |
| show sntp status | Shows the status of the SNTP. | Privileged User EXEC |

Configuration and Image Files Commands

| Command Group | Description | Access Mode |
| --- | --- | --- |
| dir | Displays list of files on a flash file system. | Privileged User EXEC |
| more | Displays a file. | Privileged EXEC |
| rename | Renames a file. | Privileged User EXEC |
| delete startup-config | Deletes the startup-config file. | Privileged User EXEC |
| copy | Copies files from a source to a destination. | Privileged User EXEC |
| delete | Deletes a file from a Flash memory device. | Privileged User EXEC |
| boot system | Specifies the system image that the device loads at startup. | Privileged User EXEC |
| show running-config | Displays the contents of the currently running configuration file. | Privileged User EXEC |
| show startup-config | Displays the startup configuration file contents. | Privileged User EXEC |
| show bootvar | Displays the active system image file that the device loads at startup. | Privileged EXEC |

DHCP Snooping Commands

| Command Group | Description | Access Mode |
| --- | --- | --- |
| ip dhcp snooping | Globally enables Dynamic Host Configuration Protocol (DHCP) snooping. | Global Configuration |
| ip dhcp snooping vlan | Enables DHCP snooping on a VLAN. | Global Configuration |
| ip dhcp snooping trust | Configures a port as trusted for DHCP snooping purposes. | Interface Configuration (Ethernet, port-channel) |
| ip dhcp snooping information option allowed-untrusted | Configures a switch to accept DHCP packets with option-82 information from an untrusted port. | Global Configuration |
| ip dhcp snooping verify | Configures the switch to verify that on an untrusted port the source MAC address in a DHCP packet matches the client hardware address. | Global Configuration |
| ip dhcp snooping database | Configures the DHCP snooping binding file. | Global Configuration |
| ip dhcp snooping database update-freq | Configures the update frequency of the DHCP snooping binding file. | Global Configuration |
| ip dhcp snooping binding | Configures the DHCP snooping binding database and adds binding entries to the database. | Privileged EXEC |
| clear ip dhcp snooping database | Clears the DHCP binding database. | Privileged EXEC |
| show ip dhcp snooping | Displays the DHCP snooping configuration. | EXEC |
| show ip dhcp snooping binding | Displays the DHCP snooping binding database and configuration information for all interfaces on a switch. | EXEC |

Ethernet Configuration Commands

| Command Group | Description | Access Mode |
| --- | --- | --- |
| interface ethernet | Enters the Interface Configuration mode to configure an Ethernet type interface. | Global Configuration |
| interface range ethernet | Enters the Interface Configuration mode to configure multiple Ethernet type interfaces. | Global Configuration |
| shutdown | Disables interfaces. | Interface Configuration |
| description | Adds a description to an interface. | Interface Configuration |
| speed | Configures the speed of a given Ethernet interface when not using auto-negotiation. | Interface Configuration |
| duplex | Configures the full/half duplex operation of a given Ethernet interface when not using auto-negotiation. | Interface Configuration |
| negotiation | Enables auto-negotiation operation for the speed and duplex parameters of a given interface. | Interface Configuration |
| flowcontrol | Configures the Flow Control on a given interface. | Interface Configuration |
| system flowcontrol | Enables flow control on cascade ports. | Interface Configuration |
| mdix | Enables automatic crossover on a given interface. | Interface Configuration |
| back-pressure | Enables Back Pressure on a given interface. | Interface Configuration |
| port jumbo-frame | Enables jumbo frames for the device. | Global Configuration |
| clear counters | Clears statistics on an interface. | User EXEC |
| set interface active | Reactivates an interface that was suspended by the system. | Privileged User EXEC |
| show interfaces configuration | Displays the configuration for all configured interfaces. | User EXEC |
| show interfaces status | Displays the status for all configured interfaces. | User EXEC |
| show interfaces description | Displays the description for all configured interfaces. | User EXEC |
| show interfaces counters | Displays traffic seen by the physical interface. | User EXEC |
| show ports jumbo-frame | Displays the jumbo frames configuration. | User EXEC |
| port storm-control include-multicast | Enables the device to count Multicast packets. | Global Configuration |
| port storm-control broadcast enable | Enables Broadcast storm control. | Interface Configuration |
| port storm-control broadcast rate | Configures the maximum Broadcast rate. | Interface Configuration |
| show ports storm-control | Displays the storm control configuration. | Privileged User EXEC |
| show system flowcontrol | Displays the flow control state on cascade ports. | Privileged User EXEC |

GVRP Commands

| Command Group | Description | Mode |
| --- | --- | --- |
| gvrp enable (global) | Enables GVRP globally. | Global Configuration |
| gvrp enable (interface) | Enables GVRP on an interface. | Interface Configuration |
| garp timer | Adjusts the GARP application join, leave, and leaveall GARP timer values. | Interface Configuration |
| gvrp vlan-creation-forbid | Enables or disables dynamic VLAN creation. | Interface Configuration |
| gvrp registration-forbid | De-registers all VLANs, and prevents dynamic VLAN registration on the port. | Interface Configuration |
| clear gvrp statistics | Clears all the GVRP statistics information. | Privileged User EXEC |
| show gvrp configuration | Displays GVRP configuration information. | User EXEC |
| show gvrp statistics | Displays GVRP statistics. | User EXEC |

IGMP Snooping Commands

| Command Group | Description | Access Mode |
| --- | --- | --- |
| ip igmp snooping (Global) | Enables Internet Group Management Protocol (IGMP) snooping. | Global Configuration |
| ip igmp snooping (Interface) | Enables Internet Group Management Protocol (IGMP) snooping on a specific VLAN. | VLAN Configuration |
| ip igmp snooping mrouter | Enables automatic learning of Multicast router ports in the context of a specific VLAN. | VLAN Configuration |
| ip igmp snooping host-time-out | Configures the host-time-out. | VLAN Configuration |
| ip igmp snooping mrouter-time-out | Configures the mrouter-time-out. | VLAN Configuration |
| ip igmp snooping leave-time-out | Configures the leave-time-out. | VLAN Configuration |
| show ip igmp snooping mrouter | Displays information on dynamically learned Multicast router interfaces. | User EXEC |
| show ip igmp snooping interface | Displays IGMP snooping configuration. | User EXEC |
| show ip igmp snooping groups | Displays Multicast groups learned by IGMP snooping. | User EXEC |

IP Addressing Commands

| Command Group | Description | Access Mode |
| --- | --- | --- |
| clear host dhcp | Sets an IP address on the device. | Interface Configuration |
| ip address | Sets an IP address. | Interface Configuration |
| ip address dhcp | Acquires an IP address on an interface from the DHCP server. | Interface Configuration |
| ip default-gateway | Defines a default gateway (router). | Global Configuration |
| show ip interface | Displays the usability status of interfaces configured for IP. | User EXEC |
| arp | Adds a permanent entry in the ARP cache. | Global Configuration |
| arp timeout | Configures how long an entry remains in the ARP cache. | Global Configuration |
| clear arp-cache | Deletes all dynamic entries from the ARP cache. | Privileged User EXEC |
| show arp | Displays entries in the ARP table. | Privileged User EXEC |
| ip domain-lookup | Enables the IP Domain Naming System (DNS)-based host name-to-address translation. | Global Configuration |
| ip domain-name | Defines a default domain name, that the software uses to complete unqualified host names. | Global Configuration |
| ip name-server | Sets the available name servers. | Global Configuration |
| ip host | Defines static host name-to-address mapping in the host cache. | Global Configuration |
| clear host | Deletes entries from the host name-to-address cache. | Privileged User EXEC |
| show hosts | Displays the default domain name, a list of name server hosts, the static and cached list of host names and addresses. | User EXEC |

IPv6 Addressing Commands

| Command Group | Description | Access Mode |
| --- | --- | --- |
| ipv6 enable | Enables IPv6 processing on an interface. | Interface Configuration |
| ipv6 address autoconfig | Enables automatic configuration of IPv6 addresses using stateless autoconfiguration on an interface. | Interface Configuration |
| ipv6 icmp error-interval | Configures the rate limit interval and bucket size parameters for IPv6 ICMP error messages. | Global Configuration |
| show ipv6 icmp error-interval | Displays the IPv6 ICMP error interval setting. | Privileged EXEC |
| ipv6 address | Configures an IPv6 address for an interface. | Interface Configuration |
| ipv6 address link-local | Configures an IPv6 link-local address for an interface. | Interface Configuration |
| ipv6 unreachables | Enables the generation of Internet Control Message Protocol for IPv6 (ICMPv6) unreachable messages for any packets arriving on a specified interface. | Interface Configuration |
| ipv6 default-gateway | Defines an IPv6 default gateway. | Global Configuration |
| ipv6 mld join-group | Configures Multicast Listener Discovery (MLD) reporting for a specified group. | Interface Configuration |
| ipv6 mld version | Changes the Multicast Listener Discovery Protocol (MLD) version. | Interface Configuration |
| show ipv6 interface | Displays the usability status of interfaces configured for IPv6. | Privileged EXEC |
| show ipv6 route | Displays the current state of the IPv6 routing table. | Privileged EXEC |
| ipv6 nd dad attempts | Configures the number of consecutive neighbor solicitation messages that are sent on an interface while duplicate address detection is performed on the unicast IPv6 addresses of the interface. | Interface Configuration |
| ipv6 host | Defines a static host name-to-address mapping in the host name cache. | Global Configuration |
| ipv6 neighbor | Configures a static entry in the IPv6 neighbor discovery cache. | Global Configuration |
| ipv6 set mtu | Sets the MTU size of IPv6 packets sent on an interface. | Privileged EXEC |
| show ipv6 neighbors | Displays IPv6 neighbor discovery cache information. | Privileged EXEC |
| clear ipv6 neighbors | Deletes all entries in the IPv6 neighbor discovery cache, except static entries. | Privileged EXEC |

iSCSI Commands

| Command Group | Description | Access Mode |
| --- | --- | --- |
| iscsi enable | Globally enables iSCSI awareness. | Global Configuration |
| iscsi target port | Configures iSCSI port(s), target address and name. | Global Configuration |
| iscsi cos | Sets the quality of service profile applied to iSCSI flows. | Global Configuration |
| iscsi aging time | Sets aging time for iSCSI sessions. | Global Configuration |
| iscsi max connections | Sets the maximum number of iSCSI connections that can be supported. | Global Configuration |
| show iscsi | Displays the iSCSI settings. | Privileged User EXEC |
| show iscsi sessions | Display the iSCSI sessions. | Privileged EXEC |

LACP Commands

| Command Group | Description | Access Mode |
| --- | --- | --- |
| lacp system-priority | Configures the system LACP priority. | Global Configuration |
| lacp port-priority | Configures the priority value for physical ports. | Interface Configuration |
| lacp timeout | Assigns an administrative LACP timeout. | Interface Configuration |
| show lacp ethernet | Displays LACP information for Ethernet ports. | User EXEC |
| show lacp port-channel | Displays LACP information for a port-channel. | User EXEC |

Line Commands

| Command Group | Description | Access Mode |
| --- | --- | --- |
| line | Identifies a specific line for configuration and enters the Line Configuration command mode. | Global Configuration |
| speed | Sets the line baud rate. | Line Configuration |
| autobaud | Sets the line for automatic baud rate detection. | Line Configuration |
| exec-timeout | Configures the interval that the system waits until user input is detected. | Line Configuration |
| show line | Displays line parameters. | User EXEC |
| terminal history | Enables the command history function for the current terminal session. | User EXEC |
| terminal history size | Configures the command history buffer size for the current terminal session. | User EXEC |

LLDP Commands

| Command Group | Description | Access Mode |
| --- | --- | --- |
| lldp enable (global) | Enables Link Layer Discovery Protocol. | Interface Configuration (Ethernet) |
| lldp enable (interface) | Enables Link Layer Discovery Protocol (LLDP) on an interface. | Interface Configuration (Ethernet) |
| lldp timer | Specifies how often the software sends LLDP updates. | Global Configuration |
| lldp hold-multiplier | Specifies the amount of time the receiving device should hold a Link Layer Discovery Protocol packet before discarding it. | Global Configuration |
| lldp reinit-delay | Specifies the minimum time an LLDP port will wait before reinitializing LLDP transmission. | Global Configuration |
| lldp tx-delay | Specifies the delay between successive LLDP frame transmissions initiated by value/status changes in the LLDP local systems MIB. | Global Configuration |
| lldp optional-tlv | Specifies which optional TLVs from the basic set should be transmitted. | Interface Configuration (Ethernet) |
| lldp management-address | Specifies the management address to be advertised from an interface. | Interface Configuration (Ethernet) |
| lldp med enable | Enables LLDP Media Endpoint Discovery (MED) on an interface. | Interface Configuration (Ethernet) |
| lldp med network-policy (global) | Defines LLDP MED network policy. | Global Configuration |
| lldp med network-policy (interface) | Attaches a LLDP MED network policy to a port. | Interface Configuration (Ethernet) |
| lldp med location | Configures location information for the LLDP MED for an interface. | Interface Configuration (Ethernet) |
| clear lldp rx | Restarts the LLDP RX state machine and clears the neighbors table. | Privileged EXEC |
| show lldp configuration | Displays the LLDP configuration. | Privileged EXEC |
| show lldp local | Displays the LLDP information that is advertised from a specific port. | Privileged EXEC |
| show lldp neighbors | Displays information about neighboring devices discovered using LLDP. | Privileged EXEC |
| show lldp med configuration | Displays the LLDP MED configuration. | Privileged EXEC |

Login Banner Commands

| Command Group | Description | Access Mode |
| --- | --- | --- |
| banner exec | Specifies and enables a message to be displayed when an EXEC process is created. | Global Configuration |
| banner login | Enables a message to be displayed before the username and password login prompts. | Global Configuration |
| banner motd | Specifies and enables a message-of-the-day banner. | Global Configuration |
| exec-banner | Enables the display of exec banners. | Line Configuration |
| login-banner | Enables the display of login banners. | Line Configuration |
| motd-banner | Enables the display of message-of-the-day banners. | Line Configuration |
| show banner | Displays the banners configuration. | Privileged EXEC |

Management ACL Commands

| Command Group | Description | Access Mode |
| --- | --- | --- |
| management access-list | Defines a management access-list, and enters the access-list for configuration. | Global Configuration |
| permit (management) | Defines a permit rule. | Management Access-level |
| deny (management) | Defines a deny rule. | Management Access-level |
| management access-class | Defines which management access-list is used. | Global Configuration |
| show management access-list | Displays management access-lists. | Privileged User EXEC |
| show management access-class | Displays the active management access-list. | Privileged User EXEC |

PHY Diagnostics Commands

| Command Group | Description | Access Mode |
| --- | --- | --- |
| test copper-port tdr | Diagnoses with TDR (Time Domain Reflectometry) technology the quality and characteristics of a copper cable attached to a port. | Privileged User EXEC |
| show copper-ports tdr | Displays the last TDR (Time Domain Reflectometry) tests on specified ports. | Privileged User EXEC |
| show copper-ports cable-length | Displays the estimated copper cable length attached to a port. | Privileged User EXEC |
| show fiber-ports optical-transceiver | Displays the optical transceiver diagnostics. | Privileged User EXEC |

Port Channel Commands

| Command Group | Description | Access Mode |
| --- | --- | --- |
| interface port-channel | Enters the Interface Configuration mode of a specific port-channel. | Global Configuration |
| interface range port-channel | Enters the Interface Configuration mode to configure multiple port-channels. | Global Configuration |
| channel-group | Associates a port with a port-channel. | Interface Configuration |
| port-channel load-balance | Configures the load balancing policy of the port channeling. | User EXEC |
| show interfaces port-channel | Displays port-channel information. | User EXEC |

Port Monitor Commands

| Command Group | Description | Access Mode |
| --- | --- | --- |
| port monitor | Starts a port monitoring session. | Interface Configuration |
| show ports monitor | Displays the port monitoring status. | User EXEC |

QoS Commands

| Command Group | Description | Access Mode |
| --- | --- | --- |
| qos | Enables quality of service (QoS) on the device and enters QoS basic or advance mode. | Global Configuration |
| show qos | Displays the QoS status. | User EXEC |
| wrr-queue cos-map | Maps assigned CoS values to select one of the egress queues. | Global Configuration |
| wrr-queue bandwidth | Assigns Weighted Round Robin (WRR) weights to egress queues. | Interface Configuration |
| priority-queue out num-of-queues | Enables the egress queues to be expedite queues. | Global Configuration |
| traffic-shape | Sets the shaper on an egress port. | Interface Configuration (Ethernet, Port-Channel) |
| rate-limit (Ethernet) | Limits the rate of the incoming traffic. | Interface Configuration |
| show qos interface | Displays interface QoS data. | User EXEC |
| qos map dscp-queue | Modifies the DSCP to CoS map. | Global Configuration |
| qos trust (Global) | Configures the system to basic mode and the "trust" state. | Global Configuration |
| qos trust (Interface) | Enables each port trust state. | Interface Configuration |
| qos cos | Configures the default port CoS value. | Interface Configuration |
| show qos map | Displays all the maps for QoS. | User EXEC |

RADIUS Commands

| Command Group | Description | Access Mode |
| --- | --- | --- |
| radius-server host | Specifies a RADIUS server host. | Global Configuration |
| radius-server key | Sets the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon. | Global Configuration |
| radius-server retransmit | Specifies the number of times the software searches the list of RADIUS server hosts. | Global Configuration |
| radius-server source-ip | Specifies the source IP address used for communication with RADIUS servers. | Global Configuration |
| radius-server source-ipv6 | Specifies the source IPv6 address used for the IPv6 communication with RADIUS servers. | Global Configuration |
| radius-server timeout | Sets the interval for which a router waits for a server host to reply. | Global Configuration |
| radius-server deadtime | Improves RADIUS response times when servers are unavailable. | Global Configuration |
| show radius-servers | Displays the RADIUS server settings. | Privileged User EXEC |

RMON Commands

| Command Group | Description | Mode |
| --- | --- | --- |
| show rmon statistics | Displays RMON Ethernet Statistics. | User EXEC |
| rmon collection history | Enables a Remote Monitoring (RMON) MIB history statistics group on an interface. | Interface Configuration (Ethernet, port-channel) |
| show rmon collection history | Displays the requested history group configuration. | User EXEC |
| show rmon history | Displays RMON Ethernet Statistics history. | User EXEC |
| rmon alarm | Configures alarm conditions. | Global Configuration |
| show rmon alarm-table | Displays the alarms summary table. | User EXEC |
| show rmon alarm | Displays alarm configurations. | User EXEC |
| rmon event | Configures a RMON event. | Global Configuration |
| show rmon events | Displays the RMON event table. | User EXEC |
| show rmon log | Displays the RMON logging table. | User EXEC |
| rmon table-size | Configures the maximum RMON tables sizes. | Global Configuration |

SNMP Commands

| Command Group | Description | Access Mode |
| --- | --- | --- |
| snmp-server community | the community access string to permit access to SNMP protocol. | Global Configuration |
| snmp-server view | Creates or updates a view entry. | Global Configuration |
| snmp-server contact | Sets up a system contact. | Global Configuration |
| snmp-server location | Sets up the information on where the device is located. | Global Configuration |
| snmp-server enable traps | Enables the switch to send SNMP traps or SNMP notifications. | Global Configuration |
| snmp-server trap authentication | Enables the switch to send Simple Network Management Protocol traps when authentication failed. | Global Configuration |
| snmp-server host | Specifies the recipient of Simple Network Management Protocol notification operation. | Global Configuration |
| snmp-server set | Sets SNMP MIB value by the CLI. | Global Configuration |
| snmp-server group | Configures a new Simple Network Management Protocol (SNMP) group, or a table that maps SNMP users to SNMP views. | Global Configuration |
| snmp-server user | Configures a new SNMP Version 3 user. | Global Configuration |
| snmp-server v3-host | Specifies the recipient of Simple Network Management Protocol Version 3 notifications. | Global Configuration |
| snmp-server engineID local | Specifies the Simple Network Management Protocol (SNMP) engineID on the local device. | Global Configuration |
| show snmp engineid | Displays the ID of the local Simple Network Management Protocol (SNMP) engine. | Privileged User EXEC |
| show snmp | Displays the SNMP status. | Privileged User EXEC |
| show snmp views | Displays the configuration of views. | Privileged EXEC |
| show snmp groups | Displays the configuration of groups. | Privileged EXEC |
| show snmp filters | Displays the configuration of filters. | Privileged EXEC |
| show snmp users | Displays the configuration of groups. | Privileged EXEC |

Spanning Tree Commands

| Command Group | Description | Access Mode |
| --- | --- | --- |
| spanning-tree | Enables spanning tree functionality. | Global Configuration |
| spanning-tree mode | Configures the spanning tree protocol. | Global Configuration |
| spanning-tree forward-time | Configures the spanning tree bridge forward time. | Global Configuration |
| spanning-tree hello-time | Configures the spanning tree bridge Hello Time. | Global Configuration |
| spanning-tree max-age | Configures the spanning tree bridge maximum age. | Global Configuration |
| spanning-tree priority | Configures the spanning tree priority. | Global Configuration |
| spanning-tree disable | Disables spanning tree on a specific port. | Interface Configuration |
| spanning-tree cost | Configures the spanning tree path cost for a port. | Interface Configuration |
| spanning-tree port-priority | Configures port priority. | Interface Configuration |
| spanning-tree portfast | Enables PortFast mode. | Interface Configuration |
| spanning-tree link-type | Overrides the default link-type setting. | Interface Configuration (Ethernet, port-channel) |
| spanning-tree mst priority | Configures the device priority for the specified spanning-tree instance. | Global Configuration |
| spanning-tree mst max-hops | Configures the number of hops in an MST region before the BPDU is discarded and the port information is aged out. | Global Configuration |
| spanning-tree mst priority | Configures port priority for the specified MST instance. | Interface Configuration |
| spanning-tree mst cost | Configures the path cost for multiple spanning tree (MST) calculations. | Interface Configuration |
| spanning-tree mst configuration | Enables configuring an MST region by entering the Multiple Spanning Tree (MST) mode. | Global Configuration |
| instance (mst) | Maps VLANS to an MST instance. | MST Configuration mode |
| name (mst) | Defines the configuration name. | MST Configuration mode |
| revision (mst) | Defines the configuration revision number. | MST Configuration mode |
| show (mst) | Displays the current or pending MST region configuration. | MST Configuration mode |
| exit (mst) | Exits the MST Configuration mode and applies all configuration changes. | MST Configuration mode |
| abort (mst) | Exits the MST Configuration mode without applying the configuration changes. | MST Configuration mode |
| spanning-tree pathcost method | Sets the default path cost method. | Global Configuration |
| spanning-tree bpdu | Defines BPDU handling when spanning-tree is disabled on an interface. | Global Configuration |
| clear spanning-tree detected-protocols | Restarts the protocol migration process (force the renegotiation with neighboring switches) on all interfaces or on the specified interface. | Privileged EXEC mode |
| show spanning-tree | Displays spanning-tree configuration. | Privileged EXEC mode |
| Spanning-tree guard root | Configures the switch to convert STP/RSTP packets to MSTP instances. | Global Configuration |
| Spanning-tree guard root | Enables root guard on all the spanning tree instances on that interface. | Interface Configuration |

SSH Commands

| Command Group | Description | Access Mode |
| --- | --- | --- |
| ip ssh port | Specifies the port to be used by the SSH server. | Global Configuration |
| ip ssh server | Enables the device to be configured from a SSH server. | Global Configuration |
| crypto key generate dsa | Generates DSA key pairs. | Global Configuration |
| crypto key generate rsa | Generates RSA key pairs. | Global Configuration |
| ip ssh pubkey-auth | Enables public key authentication for incoming SSH sessions. | Global Configuration |
| crypto key pubkey-chain ssh | Enters SSH Public Key-chain Configuration mode. | Global Configuration |
| user-key | Specifies which SSH public key is manually configured and enters the SSH public key-string configuration command. | SSH Public Key |
| key-string | Manually specifies a SSH public key. | SSH Public Key |
| show ip ssh | Displays the SSH server configuration. | Privileged User EXEC |
| show crypto key mypubkey | Displays the SSH public keys stored on the device. | Privileged User EXEC |
| show crypto key pubkey-chain ssh | Displays SSH public keys stored on the device. | Privileged User EXEC |

Syslog Commands

| Command Group | Description | Access Mode |
| --- | --- | --- |
| logging on | Controls error messages logging. | Global Configuration |
| logging | Logs messages to a syslog server. | Global Configuration |
| logging console | Limits messages logged to the console based on severity. | Global Configuration |
| logging buffered | Limits syslog messages displayed from an internal buffer based on severity. | Global Configuration |
| logging buffered size | Changes the number of syslog messages stored in the internal buffer. | Global Configuration |
| clear logging | Clears messages from the internal logging buffer. | Privileged User EXEC |
| logging file | Limits syslog messages sent to the logging file based on severity. | Global Configuration |
| clear logging file | Clears messages from the logging file. | Privileged User EXEC |
| aaa logging | Controls logging of AAA events. | Global Configuration |
| file-system logging | Controls logging file system events. | Global Configuration |
| management logging | Controls logging of management access lists events. | Global Configuration |
| show logging | Displays the state of logging and the syslog messages stored in the internal buffer. | Privileged User EXEC |
| show logging file | Displays the state of logging and the syslog messages stored in the logging file. | Privileged User EXEC |
| show syslog-servers | Displays the syslog servers settings. | Privileged User EXEC |

System Management Commands
Command Group Description Access Mode
ping Sends ICMP echo request packets to another node on the network. User EXEC
traceroute Discovers the routes that packets will actually take when traveling to their destination. User EXEC
telnet Logs in to a host that supports Telnet. User EXEC
resume Switches to another open Telnet session. User EXEC
reload Reloads the operating system. Privileged User EXEC
hostname Specifies or modifies the device host name. Global Configuration
service cpu-utilization Allows the software to measure CPU utilization. Global Configuration
show cpu utilization Displays information about the active users. User EXEC
show users Lists the open Telnet sessions. User EXEC
show sessions Lists the open Telnet sessions. User EXEC
show system Displays system information. User EXEC
set system Activates/deactivates specified features. Privileged EXEC
show system mode Displays information on features control. User EXEC
show version Displays the system version information. User EXEC
asset-tag Specifies the device asset-tag. Global Configuration
show system id Displays the service ID information. User EXEC
TACACS Commands
Command Group Description Mode
tacacs-server host Specifies a TACACS+ host. Global Configuration
tacacs-server key Sets the authentication encryption key used for all TACACS+ communications between the device and the TACACS+ daemon. Global Configuration
tacacs-server source-ip Specifies the source IP address that will be used for the communication with TACACS servers. Global Configuration
show tacacs Displays configuration and statistics for a TACACS+ server. Privileged User EXEC
TIC Commands
Command Group Description Access Mode
passwords min-length Configures the minimal length required for passwords in the local database. Global Configuration
passwords aging Configures the aging time of line passwords. Line Configuration
passwords aging Configures the aging time of username passwords and enables passwords. Global Configuration
passwords history Configures the number of password changes that are required before a password in the local database can be reused. Global Configuration
passwords history hold-time Configures the duration of time a password is relevant for tracking passwords history. Global Configuration
passwords lockout Enables lockout of a user account after a series of authentication failures. Global Configuration
aaa login-history file Enables writing to login history file. Global Configuration
set username active Reactivates a previously locked out user account. Privileged EXEC
set line active Reactivates a previously locked out line. Privileged EXEC
set enable-password active Reactivates a previously locked out password. Privileged EXEC
show passwords configuration Displays information about the passwords management configuration. Privileged EXEC
show users login-history Displays information about the login history of users. Privileged EXEC
Tunnel Commands
Command Group Description Access Mode
interface tunnel Enters tunnel interface configuration mode. Global Configuration
tunnel mode ipv6ip Configures an IPv6 transition mechanism global support mode. Interface Tunnel Configuration
tunnel isatap router Configures a global string that represents a specific automatic tunnel router domain name. Interface Tunnel Configuration
tunnel source Sets the local (source) tunnel interface IPv4 address. Interface Tunnel Configuration
tunnel isatap query-interval Configures the interval between DNS Queries (before the IP address of the ISATAP router is known) for the automatic tunnel router domain name. Global Configuration
tunnel isatap solicitation-interval Configures the interval between ISATAP router solicitations messages (when there is no active ISATAP router). Global Configuration
tunnel isatap robustness Configures the number of DNS Query/Router Solicitation refresh messages that the device sends. Global Configuration
show ipv6 tunnel Displays information on the ISATAP tunnel. Privileged EXEC
User Interface Commands
Command Group Description Access Mode
enable Enters the privileged EXEC mode. All
disable Returns to User EXEC mode. All
login Changes a login username. All
configure Enables the Global Configuration mode. All
exit(configuration) Exits any configuration mode to the next highest mode in the CLI mode hierarchy. All
exit(EXEC) Closes an active terminal session by logging off the device. All
end Ends the current configuration session and returns to the previous command mode. All
help Displays a brief description of the help system. All
history Enables the command history function. All
terminal datadump Enables dumping of all the output from the show command without 'prompting'. All
history size Changes the command history buffer size for a particular line. All
debug-mode Switches the mode to debug submode. Privileged EXEC
show history Lists the commands entered in the current session. All
show privilege Displays the current privilege level. All
do Executes a Global Configuration mode or any configuration All
VLAN Commands
Command Group Description Access Mode
vlan database Enters the VLAN Database Configuration mode. Global Configuration
vlan Creates a VLAN. VLAN Configuration
interface vlan Enters the Interface Configuration (VLAN) mode. Global Configuration
interface range vlan Enters the Interface Configuration mode to configure multiple VLANs. Global Configuration
name Configures a name to a VLAN. Interface Configuration
switchport access vlan Configures the VLAN membership mode of a port. Interface Configuration
switchport access vlan Configures the VLAN ID when the interface is in access mode. Interface Configuration
switchport trunk allowed vlan Adds or removes VLANs from a port in general mode. Interface Configuration
switchport trunk native vlan Defines the port as a member of the specified VLAN, and the VLAN ID is the "port default VLAN ID (PVID)". Interface Configuration
switchport general allowed vlan Adds or removes VLANs from a general port. Interface Configuration
switchport general pvid Configures the PVID when the interface is in general mode. Interface Configuration
switchport general ingress-filtering disable Disables port ingress filtering. Interface Configuration
switchport general acceptable-frame-type tagged-only Discards untagged frames at ingress. Interface Configuration
switchport forbidden vlan Forbids adding specific VLANs to a port. Interface Configuration
map protocol protocols-group Adds a special protocol to a named group of protocols, which may be used for protocol-based VLAN assignment. VLAN Configuration
switchport general map protocols-group vlan Sets a protocol-based classification rule. Interface Configuration
ip internal-usage-vlan Reserves a VLAN as the internal usage VLAN of an interface. Interface Configuration
show vlan Displays VLAN information. Privileged User EXEC
show vlan internal usage Displays a list of VLANs being used internally by the switch. Privileged User EXEC
show vlan protocols-groups Displays protocols-groups information. Privileged User EXEC
show interfaces switchport Displays switchport configuration. Privileged User EXEC
Voice VLAN Commands
Command Group Description Access Mode
voice vlan id Enters the VLAN Configuration mode. Global Configuration
voice vlan oui-table Configure the Voice OUI table. Global Configuration
voice vlan cos Sets the Voice VLAN Class Of Service. Global Configuration
voice vlan aging-timeout Sets the Voice VLAN aging timeout. Global Configuration
voice vlan enable Enables automatic Voice VLAN configuration for a port. Interface Configuration (Ethernet, port-channel)
voice vlan secure Configures the secure mode for the Voice VLAN. Interface Configuration (Ethernet, port-channel)
show voice vlan Displays the Voice VLAN status. EXEC
Web Server Commands
Command Group Description Access Mode
ip http server Enables the device to be configured from a browser. Global Configuration
ip http port Specifies the TCP port for use by a web browser to configure the device. Global Configuration
ip https exec-timeout Sets the interval the system waits for user input before automatically logging off. Global Configuration
ip https server Enables the device to be configured from a secured browser. Global Configuration
ip https port Configures a TCP port for use by a secure web browser to configure the device. Global Configuration
ip https exec-timeout Sets the interval the system waits for user input before automatically logging off. Global Configuration
crypto certificate generate Generates a HTTPS certificate. Global Configuration
crypto certificate import Imports a certificate signed by Certification Authority for HTTPS. Global Configuration
ip https certificate Configures the active certificate for HTTPS. Global Configuration
ip https port Configures a TCP port for use by a secure web browser to configure the device. Global Configuration
ip http exec-timeout Sets the interval the system waits for user input before automatically logging off. Global Configuration
ip https server Enables the device to be configured from a secured browser. Global Configuration
crypto certificate request Generates and displays certificate requests for HTTPS. Privileged EXEC
crypto certificate import Imports a certificate signed by Certification Authority for HTTPS. Global Configuration
ip https certificate Configures the active certificate for HTTPS. Global Configuration
crypto certificate import pkcs12 Exports the certificate and the RSA keys within a PKCS12 file. Privileged User EXEC
crypto certificate import pkcs12 Imports the certificate and the RSA keys within a PKCS12 file. Privileged User EXEC
show crypto certificate mycertificate Displays the SSL certificates of the device. Privileged User EXEC
show ip http Displays the HTTP server configuration. Privileged User EXEC
show ip https Displays the HTTPS server configuration. Privileged User EXEC
802.1x Commands
Command Description Access Mode
aaa authentication dot1x Specifies one or more authentication, authorization, and accounting (AAA) methods for use on interfaces running IEEE 802.1X. Global Configuration
dot1x system-auth-control Enables 802.1x globally. Global Configuration
dot1x port-control Enables manual control of the authorization state of the port. Interface Configuration
dot1x re-authentication Enables periodic re-authentication of the client. Interface Configuration
dot1x timeout re-authperiod Sets the number of seconds between re-authentication attempts. Interface Configuration
dot1x re-authenticate Manually initiates a re-authentication of all 802.1X-enabled ports or the specified 802.1X-enabled port. Privileged User EXEC
dot1x timeout quiet-period Sets the number of seconds that the switch remains in the quiet state following a failed authentication exchange. Interface Configuration
dot1x timeout tx-period Sets the number of seconds that the switch waits for a response to an Extensible Authentication Protocol (EAP) request/identity frame, from the client, before resending the request. Interface Configuration
dot1x max-req Sets the maximum number of times that the switch sends an EAP-request/identity frame to the client, before restarting the authentication process. Interface Configuration
dot1x timeout supp-timeout Sets the time for the retransmission of an Extensible Authentication Protocol (EAP)-request frame to the client. Interface Configuration
dot1x timeout server-timeout Sets the time for the retransmission of packets to the authentication server. Interface Configuration
show dot1x Allows multiple hosts on an 802.1X-authorized port, that has the dot1x port-control interface configuration command set to auto. Interface Configuration
show dot1x users Displays 802.1X statistics for the specified interface. Privileged User EXEC
show dot1x statistics Displays 802.1X statistics for the specified interface. Privileged User EXEC
802.1x Advanced Commands
dot1x auth-not-req Enables unauthorized users access to that VLAN. VLAN Configuration
dot1x multiple-hosts Allows multiple hosts (clients) on an 802.1X-authorized port with the dot1x port-control Interface Configuration mode command set to auto. Interface Configuration (Ethernet)
dot1x single-host-violation Configures the action to be taken when a station of which the MAC address is not the supplicant MAC address attempts to access the interface. Interface Configuration (Ethernet)
dot1x guest-vlan Defines a Guest VLAN. Use the no form of this command to return to default. Interface Configuration (VLAN)
dot1x guest-vlan enable Enables unauthorized users on the interface access to the Guest VLAN. Interface Configuration (Ethernet)
dot1x mac-authentication Enables authentication based on the station’s MAC address. Interface Configuration
dot1x traps mac-authentication failure Enables sending traps when a MAC address was failed in authentication of the 802.1X MAC authentication access control. Global Configuration
dot1x radius-attributes vlan Enables user-based VLAN assignment. Interface Configuration
show dot1x advanced Displays 802.1X advanced features for the switch or for the specified interface. Privileged EXEC
Command Modes
GC (Global Configuration) Mode
Command Description
aaa authentication enable Defines authentication method lists for accessing higher privilege
levels.
aaa authentication login Defines login authentication.
aaa authentication dot1x Specifies one or more authentication, authorization, and accounting
(AAA) methods for use on interfaces running IEEE 802.1X.
arp Adds a permanent entry in the ARP cache.
arp timeout Configures how long an entry remains in the ARP cache
asset-tag Specifies the device asset-tag.
banner exec Specifies and enables a message to be displayed when an EXEC process
is created.
banner login Enables a message to be displayed before the username and password
login prompts.
banner motd Specifies and enables a message-of-the-day banner.
bridge aging-time Sets the address table aging time.
bridge multicast filtering Enables filtering of Multicast addresses.
clock source Configures an external time source for the system clock.
bridge multicast unregistered Configures the forwarding state of unregistered multicast addresses.
clock timezone Sets the time zone for display purposes
clock summer-time Configures the system to automatically switch to summer time
(daylight saving time).
crypto certificate generate Generates a HTTPS certificate.
crypto certificate import Imports a certificate signed by Certification Authority for HTTPS.
crypto key generate dsa Generates DSA key pairs.
crypto key generate rsa Generates RSA key pairs.
crypto key pubkey-chain ssh Enters SSH Public Key-chain configuration mode.
dot1x system-auth-control Enables 802.1x globally.
enable password Sets a local password to control access to normal and privilege levels.
end Ends the current configuration session and returns to the previous
command mode.
gvrp enable (global) Enables GVRP globally.
hostname Specifies or modifies the device host name.
interface ethernet Enters the Interface Configuration mode to configure an Ethernet type
interface.
show interfaces port-channel Enters the Interface Configuration mode of a specific port-channel.
interface ethernet Enters the Interface Configuration mode to configure multiple
ethernet type interfaces.
interface range port-channel Enters the Interface Configuration mode to configure multiple port-
channels.
interface range vlan Enters the Interface Configuration mode to configure multiple VLANs.
interface tunnel Enters tunnel interface configuration mode.
interface vlan Enters the Interface Configuration (VLAN) mode.
ip default-gateway Defines a default gateway.
ip domain-lookup Enables the IP Domain Naming System (DNS)-based host name-to-
address translation.
ip domain-name Defines a default domain name, that the software uses to complete
unqualified host names.
ip host Defines static host name-to-address mapping in the host cache.
ip http authentication Specifies authentication methods for http.
ip http port Specifies the TCP port for use by a web browser to configure the device.
ip https server Enables the device to be configured from a browser.
ip https authentication Specifies authentication methods for https.
ip https certificate Configures the active certificate for HTTPS. Use the no form of this command to return to default.
ip https server Enables the device to be configured from a secured browser.
ip https port Configures a TCP port for use by a secure web browser to configure the device.
ip igmp snooping (Global) Enables Internet Group Management Protocol (IGMP) snooping.
ip name-server Sets the available name servers.
ip ssh port Specifies the port to be used by the SSH server.
ip ssh pubkey-auth Enables public key authentication for incoming SSH sessions.
ip ssh server Enables the device to be configured from a SSH server.
ipv6 default-gateway Defines an IPv6 default gateway.
ipv6 host Defines a static host name-to-address mapping in the host name cache.
ipv6 icmp error-interval Configures the rate limit interval and bucket size parameters for IPv6
ICMP error messages.
ipv6 neighbor Configures a static entry in the IPv6 neighbor discovery cache.
lacp system-priority Configures the system LACP priority.
line Identifies a specific line for configuration and enters the Line
Configuration command mode.
logging Logs messages to a syslog server.
logging buffered Limits syslog messages displayed from an internal buffer based on
severity.
logging buffered size Changes the number of syslog messages stored in the internal buffer.
logging console Limits messages logged to the console based on severity.
logging file Limits syslog messages sent to the logging file based on severity.
logging on Controls error messages logging.
login authentication Specifies the login authentication method list for a remote telnet or console.
management access-class Defines which management Access-List is used.
management access-list Defines a management Access-List, and enters the Access-List for configuration.
port jumbo-frame Enables jumbo frames for the device.
port storm-control include-multicast Enables the device to count Multicast packets.
priority-queue out num-of-queues Enables the egress queues to be expedite queues.
qos Enables quality of service (QoS) on the device and enters QoS basic or advance mode.
qos map dscp-queue Modifies the DSCP to CoS map.
qos trust (Global) Configure the system to "trust" state.
radius-server deadtime Improves RADIUS response times when servers are unavailable.
radius-server host Specifies a RADIUS server host.
radius-server key Sets the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon.
radius-server retransmit Specifies the number of times the software searches the list of RADIUS
server hosts.
radius-server source-ip Specifies the source IP address used for communication with RADIUS
servers.
radius-server source-ipv6 Specifies the source IPv6 address used for the IPv6 communication
with RADIUS servers.
radius-server timeout Sets the interval for which a router waits for a server host to reply.
rmon alarm Configures alarm conditions.
rmon event Configures a RMON event.
rmon table-size Configures the maximum RMON tables sizes.
snmp-server community Sets up the community access string to permit access to SNMP
protocol.
snmp-server contact Sets up a system contact.
snmp-server enable traps Enables the switch to send SNMP traps or SNMP notifications.
snmp-server host Specifies the recipient of Simple Network Management Protocol
notification operation.
snmp-server location Sets up the information on where the device is located.
snmp-server set Sets SNMP MIB value by the CLI.
snmp-server trap authentication Enables the switch to send Simple Network Management Protocol traps
when authentication failed.
sntp authenticate Grants authentication for received Network Time Protocol (NTP)
traffic from servers.
sntp authentication-key Defines an authentication key for Simple Network Time Protocol
(SNTP).
spanning-tree Enables spanning tree functionality.
spanning-tree bpdu Defines BPDU handling when spanning tree is disabled on an interface
spanning-tree forward-time Configures the spanning tree bridge forward time.
spanning-tree hello-time Configures the spanning tree bridge Hello Time.
spanning-tree max-age Configures the spanning tree bridge maximum age.
spanning-tree mode Configures the spanning tree protocol.
spanning-tree pathcost method Sets the default pathcost method.
spanning-tree priority Configures the spanning tree priority.
tacacs-server key Sets the authentication encryption key used for all TACACS+
communications between the device and the TACACS+ daemon.
tacacs-server source-ip Specifies the source IP address that will be used for the communication
with TACACS servers.
tacacs-server timeout Sets the timeout value.
tacacs-server host Specifies a TACACS+ host.
tunnel isatap query-interval Configures the interval between DNS Queries (before the IP address of
the ISATAP router is known) for the automatic tunnel router domain
name.
tunnel isatap robustness Configures the number of DNS Query/Router Solicitation refresh
messages that the device sends.
tunnel isatap solicitation-interval Configures the interval between ISATAP router solicitations messages (when there is no active ISATAP router).
username Establishes a username-based authentication system.
vlan database Enters the VLAN Database Configuration mode.
wrr-queue cos-map Maps assigned CoS values to select one of the egress queues.
IC (Interface Configuration) Mode
Command Description
back-pressure Enables Back Pressure on a given interface.
channel-group Associates a port with a Port-channel.
clear host dhcp Sets an IP address on the device.
description Adds a description to an interface.
dot1x auth-not-req Enables unauthorized users access to that VLAN
dot1x guest-vlan Defines a Guest VLAN.
dot1x guest-vlan enable Enables unauthorized users on the interface an access to the Guest VLAN.
dot1x mac-authentication Enables authentication based on the station’s MAC address.
dot1x radius-attributes vlan Enables user-based VLAN assignment.
dot1x traps mac-authentication failure Enables sending traps when a MAC address was failed in authentication of the 802.1X MAC authentication access control.
dot1x max-req Sets the maximum number of times that the switch sends an EAP-request/identity frame to the client, before restarting the authentication process.
dot1x port-control Enables manual control of the authorization state of the port.
dot1x re-authentication Enables periodic re-authentication of the client.
dot1x single-host-violation Configures the action to be taken, when a station whose MAC address is not
the supplicant MAC address, attempts to access the interface.
dot1x timeout quiet-period Sets the number of seconds that the switch remains in the quiet state
following a failed authentication exchange.
dot1x timeout re-authperiod Sets the number of seconds between re-authentication attempts.
dot1x timeout server-timeout Sets the time for the retransmission of packets to the authentication server
dot1x timeout supp-timeout Sets the time for the retransmission of an EAP-request frame to the client.
dot1x timeout tx-period Sets the number of seconds that the switch waits for a response to an
Extensible Authentication Protocol (EAP) - request/identity frame, from the
client, before resending the request.
duplex Configures the full/half duplex operation of a given ethernet interface when
not using auto-negotiation.
flowcontrol Configures the Flow Control on a given interface.
garp timer Adjusts the GARP application join, leave, and leaveall GARP timer values.
gvrp enable (interface) Enables GVRP on an interface.
gvrp registration-forbid De-registers all VLANs, and prevents dynamic VLAN registration on the port.
gvrp vlan-creation-forbid Enables or disables dynamic VLAN creation.
ip address Sets an IP address
ip address dhcp Acquires an IP address on an interface from the DHCP server.
ip internal-usage-vlan Reserves a VLAN as the internal usage VLAN of an interface.
ipv6 address Configures an IPv6 address for an interface.
ipv6 address autoconfig Enables automatic configuration of IPv6 addresses using stateless
autoconfiguration on an interface.
ipv6 address link-local Configures an IPv6 link-local address for an interface.
ipv6 mld join-group Configures Multicast Listener Discovery (MLD) reporting for a specified
group.
ipv6 mld version Changes the Multicast Listener Discovery Protocol (MLD) version.
ipv6 nd dad attempts Configures the number of consecutive neighbor solicitation messages that
are sent on an interface while duplicate address detection is performed on the
unicast IPv6 addresses of the interface.
ipv6 enable Enables IPv6 processing on an interface.
ipv6 unreachables Enables the generation of Internet Control Message Protocol for IPv6
(ICMPv6) unreachable messages for any packets arriving on a specified
interface.
lacp port-priority Configures the priority value for physical ports.
lacp timeout Assigns an administrative LACP timeout.
mdix Enables automatic crossover on a given interface.
name Configures a name to a VLAN.
negotiation Enables auto-negotiation operation for the speed and duplex parameters of a
given interface.
port monitor Starts a port monitoring session.
port security Disables new address learning on an interface.
port security routed secure-address Adds MAC-layer secure addresses to a routed port.
port storm-control broadcast enable Enables Broadcast storm control.
port storm-control broadcast rate Configures the maximum Broadcast rate.
qos cos Configures the default port CoS value.
qos trust (Interface) Enables each port trust state while the system is in basic mode.
rmon collection history Enables a Remote Monitoring (RMON) MIB history statistics group on an interface.
shutdown Disables interfaces.
sntp client enable (interface) Enables the Simple Network Time Protocol (SNTP) client on an interface.
spanning-tree cost Configures the spanning tree path cost for a port.
spanning-tree disable Disables spanning tree on a specific port.
spanning-tree link-type Overrides the default link-type setting.
spanning-tree portfast Enables PortFast mode.
spanning-tree port-priority Configures port priority.
speed Configures the speed of a given ethernet interface when not using auto-negotiation.
system flowcontrol Enables flow control on cascade ports.
tunnel isatap router Configures a global string that represents a specific automatic tunnel router domain name.
tunnel mode ipv6ip Configures an IPv6 transition mechanism global support mode.
tunnel source Sets the local (source) tunnel interface IPv4 address.
qos map dscp-queue Defines the wrr-queue mechanism on an egress queue.
wrr-queue bandwidth Assigns Weighted Round Robin (WRR) weights to egress queues.
LC (Line Configuration) Mode
Command Description
enable authentication Specifies the authentication method list when accessing a higher privilege level
from a remote telnet or console.
exec-banner Enables the display of exec banners.
exec-timeout Configures the interval that the system waits until user input is detected.
history Enables the command history function.
history size Changes the command history buffer size for a particular line.
login-banner Enables the display of login banners.
motd-banner Enables the display of message-of-the-day banners.
password Specifies a password on a line.
autobaud Sets the line for automatic baud rate detection.
speed Sets the line baud rate.
MA (Management Access-level) Mode
Command Description
deny (management) Defines a deny rule.
permit (management) Defines a permit rule.
PE (Privileged User EXEC) Mode
Command Description
boot system Specifies the system image that the device loads at startup.
clear arp-cache Deletes all dynamic entries from the ARP cache.
clear bridge Removes any learned entries from the forwarding database.
clear gvrp statistics Clears all the GVRP statistics information.
clear host Deletes entries from the host name-to-address cache
clear host dhcp Deletes entries from the host name-to-address mapping received from Dynamic
Host Configuration Protocol (DHCP).
clear ipv6 neighbors Deletes all entries in the IPv6 neighbor discovery cache, except static entries.
clear logging Clears messages from the internal logging buffer.
clear logging file Clears messages from the logging file
clear spanning-tree detected-protocols Restarts the protocol migration process on all interfaces or on the specified interface.
clock set Manually sets the system clock.
configure Enters the global configuration mode.
copy Copies files from a source to a destination.
crypto certificate request Generates and displays certificate requests for HTTPS.
dot1x re-authenticate Manually initiates a re-authentication of all 802.1X-enabled ports or the specified 802.1X-enabled port.
ipv6 set mtu Sets the MTU size of IPv6 packets sent on an interface.
login Returns to User EXEC mode.
reload Reloads the operating system.
set interface active Reactivates an interface that was suspended by the system.
set system Activates/deactivates specified features.
show arp Displays entries in the ARP table.
show authentication methods Displays information about the authentication methods.
show banner Displays the banners configuration.
show bootvar Displays the active system image file that the device loads at startup.
show bridge address-table Displays dynamically created entries in the bridge-forwarding database.
show bridge address-table count Displays the number of addresses present in all VLANs or at specific VLAN.
show bridge multicast address-table Displays Multicast MAC address table information.
show bridge multicast filtering Displays the Multicast filtering configuration.
show copper-ports cable-length Displays the estimated copper cable length attached to a port.
show copper-ports tdr Displays the last TDR (Time Domain Reflectometry) tests on specified ports.
show crypto key mypubkey Displays the SSH public keys stored on the device.
show crypto key pubkey-chain ssh Displays SSH public keys stored on the device.
show crypto certificate mycertificate Displays the SSL certificates of the device.
show dot1x Displays allowed multiple hosts on an 802.1X-authorized port, that has the dot1x port-control Interface Configuration command set to auto.
show dot1x advanced Displays 802.1X enhanced features for the switch or for the specified interface.
show dot1x users Displays 802.1X statistics for a specified interface.
show fiber-ports optical-transceiver Displays the optical transceiver diagnostics.
show ip ssh Displays the SSH server configuration.
show ipv6 icmp error-interval Displays the IPv6 ICMP error interval setting.
show ipv6 interface Displays the usability status of interfaces configured for IPv6.
show ipv6 neighbors Displays IPv6 neighbor discovery cache information.
show ipv6 route Displays the current state of the IPv6 routing table.
show ipv6 tunnel Displays information on the ISATAP tunnel.
show lacp port-channel Displays LACP information for a port-channel.
show logging Displays the state of logging and the syslog messages stored in the internal buffer.
show logging file Displays the state of logging and the syslog messages stored in the logging file.
show management access-class Displays the active management Access-List.
show management access-list Displays management access-lists.
show ports security Displays the port-lock status.
show ports storm-control Displays the storm control configuration.
show radius-servers Displays the RADIUS server settings.
show running-config Displays the contents of the currently running configuration file.
show snmp Displays the SNMP status.
show spanning-tree Displays spanning tree configuration.
show startup-config Displays the startup configuration file contents.
show syslog-servers Displays the syslog servers settings.
show system flowcontrol Displays the flow control state on cascade ports.
show tacacs Displays configuration and statistics for a TACACS+ server.
show users accounts Displays information about the local user database.
test copper-port tdr Diagnoses with TDR (Time Domain Reflectometry) technology the quality and characteristics of a copper cable attached to a port.
SP (SSH Public Key) Mode
Command Description
key-string Manually specifies an SSH public key.
user-key Specifies which SSH public key is manually configured and enters the SSH public key-string configuration command.
UE (User EXEC) Mode
Command Description
clear counters Clears statistics on an interface.
enable Enters the privileged EXEC mode.
exit(EXEC) Closes an active terminal session by logging off the device.
login Changes a login username.
ping Sends ICMP echo request packets to another node on the network.
show clock Displays the time and date from the system clock.
show gvrp configuration Displays GVRP configuration information.
clear gvrp statistics Displays GVRP statistics.
show history Lists the commands entered in the current session.
show hosts Displays the default domain name, a list of name server hosts, the static and the cached list of host names and addresses.
show interfaces configuration Displays the configuration for all configured interfaces.
show interfaces counters Displays traffic seen by the physical interface.
show interfaces description Displays the description for all configured interfaces.
port-channel load-balance Displays Port-channel information.
show interfaces status Displays the status for all configured interfaces.
show ip igmp snooping groups Displays Multicast groups learned by IGMP snooping.
show ip igmp snooping interface Displays IGMP snooping configuration.
show ip igmp snooping mrouter Displays information on dynamically learned Multicast router interfaces.
show ip interface Displays the usability status of interfaces configured for IP.
show lacp ethernet Displays LACP information for Ethernet ports.
show line Displays line parameters.
show ports jumbo-frame Displays the jumbo frames configuration.
show ports monitor Displays the port monitoring status.
show privilege Displays the current privilege level.
show qos Displays the QoS status.
show qos interface Assigns CoS values to select one of the egress queues.
show qos map Displays all the maps for QoS.
show rmon alarm Displays alarm configurations.
show rmon alarm-table Displays the alarms summary table.
show rmon collection history Displays the requested history group configuration.
show rmon events Displays the RMON event table.
show rmon history Displays RMON Ethernet Statistics history.
show rmon log Displays the RMON logging table.
show rmon statistics Displays RMON Ethernet Statistics.
show system Displays system information.
show system id Displays the service id information.
show system mode Displays information on features control
service cpu-utilization Displays information about the active users.
show version Displays the system version information.
VC (VLAN Configuration) Mode
Command Description
bridge address Adds a static MAC-layer station source address to the bridge table.
bridge multicast address Registers MAC-layer Multicast addresses to the bridge table, and adds static ports to the group.
bridge multicast forbidden address Forbids adding a specific Multicast address to specific ports.
bridge multicast forbidden forward-all Enables forbidding forwarding of all Multicast frames to a port.
bridge multicast forward-all Enables forwarding of all Multicast frames on a port.
ip igmp snooping (Interface) Enables Internet Group Management Protocol (IGMP) snooping on a specific VLAN.
ip igmp snooping leave-time-out Configures the host-time-out.
show ip igmp snooping mrouter Enables automatic learning of Multicast router ports in the context of a specific VLAN.
ip igmp snooping mrouter-time-out Configures the mrouter-time-out.
vlan Creates a VLAN.
ACL Commands
ip access-list
The ip access-list Global Configuration mode command defines an IPv4 Access List and places the
device in IPv4 Access List Configuration mode. Use the no form of this command to remove the
Access List.
Syntax
• ip access-list access-list-name
• no ip access-list access-list-name
• access-list-name — Specifies the name of the IPv4 Access-List.
Default Configuration
No IPv4 Access List is defined.
Command Mode
Global Configuration mode.
User Guidelines
• IPv4 ACLs are defined by a unique name. An IPv4 ACL and MAC ACL cannot share the same name.
Example
The following example shows how to define an IPv4 Access List called dell-access-1 and to place the
device in IPv4 Access List Configuration mode.
Console(config)# ip access-list dell-access-1
Console(config-ip-al)#
mac access-list
The mac access-list Global Configuration mode command enables the MAC-Access List
Configuration mode and creates Layer 2 ACLs. Use the no form of this command to delete an ACL.
Syntax
• mac access-list name
• no mac access-list name
• access-list-name — Name of the MAC Access List.
Default Configuration
No MAC Access List is defined.
Command Mode
Global Configuration mode.
User Guidelines
• MAC ACLs are defined by a unique name. An IPv4 ACL, IPv6 ACL and MAC ACL cannot share the same name.
Example
The following example shows how to create a MAC ACL.
Console(config)# mac access-list macl-acl1
Console(config-mac-al)#
permit (ip)
The permit IP-Access List Configuration mode command permits traffic if the conditions defined in the
permit statement match.
Syntax
• permit {any | protocol} {any | {source source-wildcard}} {any | {destination destination-wildcard}} [dscp number | ip-precedence number]
• permit-icmp {any | {source source-wildcard}} {any | {destination destination-wildcard}} {any | icmp-type} {any | icmp-code} [dscp number | ip-precedence number]
• permit-igmp {any | {source source-wildcard}} {any | {destination destination-wildcard}} {any | igmp-type} [dscp number | ip-precedence number]
• permit-tcp {any | {source source-wildcard}} {any | source-port} {any | {destination destination-wildcard}} {any | destination-port} [dscp number | ip-precedence number] [flags list-of-flags] [src-port-wildcard source-port-wildcard] [dst-port-wildcard source-port-wildcard]
• permit-udp {any | {source source-wildcard}} {any | source-port} {any | {destination destination-wildcard}} {any | destination-port} [dscp number | ip-precedence number] [src-port-wildcard source-port-wildcard] [dst-port-wildcard source-port-wildcard]
• source — Specifies the source IP address of the packet.
• source-wildcard — Specifies wildcard bits to be applied to the source IP address by placing 1s in bit positions to be ignored.
• destination — Specifies the destination IP address of the packet.
• destination-wildcard — Specifies wildcard bits to be applied to the destination IP address by placing 1s in bit positions to be ignored.
• protocol — Specifies the name or the number of an IP protocol. Available protocol names: icmp, igmp, ip, tcp, egp, igp, udp, hmp, rdp, idpr, idrp, rsvp, gre, esp, ah, eigrp, ospf, ipip, pim, l2tp, isis. (Range: 0 - 255)
• dscp number — Specifies the DSCP value.
• ip-precedence number — Specifies the IP precedence value.
• icmp-type — Specifies an ICMP message type for filtering ICMP packets. Enter a number or one of the following values: echo-reply, destination-unreachable, source-quench, redirect, alternate-host-address, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem, timestamp, timestamp-reply, information-request, information-reply, address-mask-request, address-mask-reply, traceroute, datagram-conversion-error, mobile-host-redirect, mobile-registration-request, mobile-registration-reply, domain-name-request, domain-name-reply, skip, photuris. (Range: 0 - 255)
• icmp-code — Specifies an ICMP message code for filtering ICMP packets. (Range: 0 - 255)
• igmp-type — Specifies IGMP packets filtered by IGMP message type. Enter a number or one of the following values: host-query, host-report, dvmrp, pim, cisco-trace, host-report-v2, host-leave-v2, host-report-v3. (Range: 0 - 255)
• destination-port — Specifies the UDP/TCP destination port. (Range: 0 - 65535)
• destination-port-wildcard — Specifies wildcard bits to be applied to the destination port by placing 1s in bit positions to be ignored.
• source-port — Specifies the UDP/TCP source port. (Range: 0 - 65535)
• source-port-wildcard — Specifies wildcard bits to be applied to the source port by placing 1s in bit positions to be ignored.
• flags list-of-flags — Specifies the list of TCP flags. If a flag is set, it is prefixed by "+". If a flag is not set, it is prefixed by "-". Available options are +urg, +ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst, -syn and -fin. The flags are concatenated into one string. For example: +fin-ack.
• byte — Specifies the user-defined bytes.
Default Configuration
No IPv4 ACL is defined.
Command Mode
IP-Access List Configuration mode.
User Guidelines
• Use the ip access-list Global Configuration mode command to enable the IP-Access List Configuration mode.
• Before an Access Control Element (ACE) is added to an ACL, all packets are permitted. After an ACE is added, an implied deny-any-any condition exists at the end of the list and those packets that do not match the conditions defined in the permit statement are denied.
Example
The following example shows how to define a permit statement for an IP ACL.
Console(config)# ip access-list ip-acl1
Console(config-ip-al)# permit rsvp 192.1.1.1 0.0.0.0 any dscp 56
deny (IP)
The deny IP-Access List Configuration mode command denies traffic if the conditions defined in the
deny statement match.
Syntax
• deny [disable-port] {any | protocol} {any | {source source-wildcard}} {any | {destination destination-wildcard}} [dscp number | ip-precedence number]
• deny-icmp [disable-port] {any | {source source-wildcard}} {any | {destination destination-wildcard}} {any | icmp-type} {any | icmp-code} [dscp number | ip-precedence number]
• deny-igmp [disable-port] {any | {source source-wildcard}} {any | {destination destination-wildcard}} {any | igmp-type} [dscp number | ip-precedence number]
• deny-tcp [disable-port] {any | {source source-wildcard}} {any | source-port} {any | {destination destination-wildcard}} {any | destination-port} [dscp number | ip-precedence number] [flags list-of-flags] [src-port-wildcard source-port-wildcard] [dst-port-wildcard source-port-wildcard]
• deny-udp [disable-port] {any | {source source-wildcard}} {any | source-port} {any | {destination destination-wildcard}} {any | destination-port} [dscp number | ip-precedence number] [src-port-wildcard source-port-wildcard] [dst-port-wildcard source-port-wildcard]
• disable-port — Specifies that the Ethernet interface is disabled if the condition is matched.
• source — Specifies the Source IP address of the packet.
• source-wildcard — Specifies wildcard bits to be applied to the source IP address by placing 1s in bit positions to be ignored.
• destination — Specifies the destination IP address of the packet.
• destination-wildcard — Specifies wildcard bits to be applied to the destination IP address by placing 1s in bit positions to be ignored.
• protocol — Specifies the name or the number of an IP protocol. Available protocol names: icmp, igmp, ip, tcp, egp, igp, udp, hmp, rdp, idpr, idrp, rsvp, gre, esp, ah, eigrp, ospf, ipip, pim, l2tp, isis. (Range: 0 - 255).
• dscp number — Specifies the DSCP value.
• ip-precedence number — Specifies the IP precedence value.
• icmp-type — Specifies an ICMP message type for filtering ICMP packets. Enter a number or one of the following values: echo-reply, destination-unreachable, source-quench, redirect, alternate-host-address, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem, timestamp, timestamp-reply, information-request, information-reply, address-mask-request, address-mask-reply, traceroute, datagram-conversion-error, mobile-host-redirect, mobile-registration-request, mobile-registration-reply, domain-name-request, domain-name-reply, skip, photuris.
• icmp-code — Specifies an ICMP message code for filtering ICMP packets. (Range: 0 - 255)
• igmp-type — Specifies IGMP packets filtered by IGMP message type. Enter a number or one of the following values: host-query, host-report, dvmrp, pim, cisco-trace, host-report-v2, host-leave-v2, host-report-v3. (Range: 0 - 255)
• destination-port — Specifies the UDP/TCP destination port. (Range: 0 - 65535)
• destination-port-wildcard — Specifies wildcard bits to be applied to the destination port by placing 1s in bit positions to be ignored.
• source-port — Specifies the UDP/TCP source port. (Range: 0 - 65535)
• source-port-wildcard — Specifies wildcard bits to be applied to the source port by placing 1s in bit positions to be ignored.
• flags list-of-flags — Specifies the list of TCP flags. If a flag should be set it is prefixed by "+". If a flag is not set, it is prefixed by "-". Available options are +urg, +ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst, -syn and -fin. The flags are concatenated to a one string. For example: +fin-ack.
Default Configuration
No IPv4 Access List is defined.
Command Mode
IP-Access List Configuration mode.
User Guidelines
• Use the ip access-list Global Configuration mode command to enable the IP-Access List Configuration mode.
• Before an Access Control Element (ACE) is added to an ACL, all packets are permitted. After an ACE is added, an implied deny-any-any condition exists at the end of the list and those packets that do not match the defined conditions are denied.
Example
The following example shows how to define a deny statement for an IP ACL.
Console(config)# ip access-list ip-acl1
Console(config-ip-al)# deny rsvp 192.1.1.1 0.0.0.255 any
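The following Python model is an added illustration, not part of the Dell documentation or the device firmware. It shows how the wildcard bits and the implied deny-any-any described for permit (ip) and deny (IP) combine; the function names are hypothetical, top-down first-match evaluation is an assumption, and only the basic permit/deny form is parsed (trailing options such as dscp are ignored).

```python
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Compare addr with base, ignoring every bit position set to 1 in wildcard."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (
        int(ipaddress.IPv4Address(base)) & care
    )


def addresses_covered(wildcard):
    """Number of addresses one address/wildcard pair matches (2 ** ignored bits)."""
    return 2 ** bin(int(ipaddress.IPv4Address(wildcard))).count("1")


def parse_ace(line):
    """Parse: permit|deny protocol {any | addr wildcard} {any | addr wildcard}.

    Simplified model: anything after the destination (e.g. 'dscp 56') is ignored.
    """
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny"):
        raise ValueError("unsupported ACE: " + line)
    action, proto, i, fields = tok[0], tok[1], 2, []
    for _ in range(2):  # source first, then destination
        if i >= len(tok):
            raise ValueError("missing address field: " + line)
        if tok[i] == "any":
            fields.append("any")
            i += 1
        else:
            if i + 1 >= len(tok):
                raise ValueError("address without wildcard: " + line)
            ipaddress.IPv4Address(tok[i])      # validate address
            ipaddress.IPv4Address(tok[i + 1])  # validate wildcard
            fields.append((tok[i], tok[i + 1]))
            i += 2
    return action, proto, fields[0], fields[1]


def _field_match(spec, addr):
    return spec == "any" or wildcard_match(addr, spec[0], spec[1])


def evaluate(aces, protocol, src, dst):
    """Return 'permit' or 'deny' for one packet.

    Assumption: ACEs are checked top-down and the first match decides.
    """
    if not aces:
        return "permit"  # no ACE yet: all packets are permitted
    for action, proto, s, d in aces:
        if proto in ("any", protocol) and _field_match(s, src) and _field_match(d, dst):
            return action
    return "deny"  # implied deny-any-any at the end of the list


# ACE lines taken from the two examples above.
PERMIT_ACL = [parse_ace("permit rsvp 192.1.1.1 0.0.0.0 any dscp 56")]
DENY_ONLY_ACL = [parse_ace("deny rsvp 192.1.1.1 0.0.0.255 any")]

if __name__ == "__main__":
    # Constructed sample packets: (protocol, source, destination)
    for pkt in [("rsvp", "192.1.1.1", "10.0.0.9"), ("tcp", "10.0.0.1", "10.0.0.2")]:
        print(pkt, "permit-acl:", evaluate(PERMIT_ACL, *pkt),
              "deny-only-acl:", evaluate(DENY_ONLY_ACL, *pkt))
```

An ACL that contains only deny ACEs blocks every packet in this model, because the implied deny-any-any catches whatever the explicit ACE does not.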
permit (MAC)
The permit MAC-Access List Configuration mode command defines permit conditions of a MAC ACL.
Syntax
• permit {any | {host source source-wildcard} any | {destination destination-wildcard}} [vlan vlan-id] [cos cos cos-wildcard] [ethtype eth-type] [inner-vlan vlan-id]
• source — Specifies the source MAC address of the packet.
• source-wildcard — Specifies wildcard bits to be applied to the source MAC address by placing 1s in bit positions to be ignored.
• any — Specify a MAC address and mask. For example, to set 00:00:00:00:10:XX use the Mac address 00:00:00:00:10:00 and mask 00:00:00:00:00:FF.
• destination — Specifies the MAC address of the host to which the packet is being sent.
• destination-wildcard — Specifies wildcard bits to be applied to the destination MAC address by placing 1s in bit positions to be ignored.
• vlan-id — Specifies the ID of the packet vlan. (Range: 1 - 4094)
• cos — Specifies the Class of Service (CoS) for the packet. (Range: 0 - 7)
• cos-wildcard — Specifies wildcard bits to be applied to the CoS.
• eth-type — Specifies the Ethernet type of the packet in hexadecimal format. (Range: 0 - 05dd-ffff)
• inner-vlan vlan-id — Specifies the inner vlan id of a double tagged packet.
Default Configuration
No MAC ACL is defined.
Command Mode
MAC-Access List Configuration mode.
User Guidelines
• Before an Access Control Element (ACE) is added to an ACL, all packets are permitted. After an ACE is added, an implied deny-any-any condition exists at the end of the list and those packets that do not match the conditions defined in the permit statement are denied.
• If the VLAN ID is specified, the policy map cannot be connected to the VLAN interface.
Example
The following example shows how to create a MAC ACL with permit rules.
Console(config)# mac access-list macl-acl1
Console(config-mac-al)# permit 6:6:6:6:6:6 0:0:0:0:0:0 any vlan 6
deny (MAC)
The deny MAC-Access List Configuration mode command denies traffic if the conditions defined in the
deny statement match.
Syntax
• deny [disable-port] {any | {source source-wildcard} {any | {destination destination-wildcard}} [vlan vlan-id] [cos cos cos-wildcard] [ethtype eth-type] [inner-vlan vlan-id]
• disable-port — Indicates that the port is disabled if the condition is matched.
• source — Specifies the MAC address of the host from which the packet was sent.
• source-wildcard — Specifies wildcard bits to the source MAC address by placing 1s in bit positions to be ignored.
• any — Specify a MAC address and mask. For example, to set 00:00:00:00:10:XX use the Mac address 00:00:00:00:10:00 and mask 00:00:00:00:00:FF.
• destination — Specifies the MAC address of the host to which the packet is being sent.
• destination-wildcard — Specifies wildcard bits to the destination MAC address by placing 1s in bit positions to be ignored.
• vlan-id — Specifies the vlan id of the packet. (Range: 1 - 4094)
• cos — Specifies the packet’s Class of Service (CoS). (Range: 0 - 7)
• cos-wildcard — Specifies wildcard bits to be applied to the CoS.
• eth-type — Specifies the packet’s Ethernet type in hexadecimal format. (Range: 0 - 05dd-ffff)
• inner-vlan vlan id — Specifies the inner vlan id of a double tagged packet.
Default Configuration
No MAC Access List is defined.
Command Mode
MAC-Access List Configuration mode.
User Guidelines
• The MAC ACL Global Configuration command allows access to the IP-Access List Configuration mode.
• Before an Access Control Element (ACE) is added to an ACL, all packets are permitted. After an ACE is added, an implied deny-any-any condition exists at the end of the list and those packets that do not match the conditions defined in the permit statement are denied.
Example
The following example shows how to create a MAC ACL with deny rules on a device.
Console(config)# mac access-list macl1
Console (config-mac-acl)# deny 6:6:6:6:6:6 0:0:0:0:0:0 any
service-acl
The service-acl Interface Configuration (Ethernet, port-channel) mode command applies an ACL to the
input interface. Use the no form of this command to detach an ACL from an input interface.
Syntax
• service-acl {input acl-name | acl-name}
• no service-acl {input}
• input — Applies the specified ACL to the input interface.
Default Configuration
This command has no default configuration.
Command Mode
Interface Configuration (Ethernet, port-channel) mode.
User Guidelines
There are no user guidelines for this command.
Example
The following example binds (services) an ACL to VLAN 2.
Console(config)# interface eth g1
Console(config-if)# service-acl input macl1
show access-lists
The show access-lists Privileged EXEC mode command displays access control lists (ACLs) defined on
the device.
Syntax
• show access-lists [name]
• name — The name of the ACL.
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode.
User Guidelines
There are no user guidelines for this command.
Example
The following example displays access lists defined on a device.
Console# show access-lists
IP access list ACL1
permit 234 172.30.40.1 0.0.0.0 any
permit 234 172.30.8.8 0.0.0.0 any
show interfaces access-lists
The show interfaces access-lists Privileged EXEC mode command displays access lists applied on
interfaces.
Syntax
• show interfaces access-lists [ethernet interface | port-channel port-channel-number]
• interface — Specifies the Valid Ethernet port.
• port-channel-number — Specifies the port-channel index.
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode.
User Guidelines
There are no user guidelines for this command.
Example
The following example displays ACLs applied to the interfaces of a device.
Console# show interfaces access-lists
Interface  Input ACL
---------  ---------  ---------
g1         ACL1       ACL2
g2         ACL3       ACL4
AAA Commands
aaa authentication login
The aaa authentication login Global Configuration mode command defines login authentication.
Use the no form of this command to return to the default configuration.
Syntax
• aaa authentication login {default | list-name} method1 [method2 ...]
• no aaa authentication login {default | list-name}
• default — Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in.
• list-name — Character string used to name the list of authentication methods activated when a user logs in.
• method1 [method2 ...] — Specify at least one from the following table:
Keyword Source or destination
enable Uses the enable password for authentication.
line Uses the line password for authentication.
local Uses the local username database for authentication.
none Uses no authentication.
radius Uses the list of all RADIUS servers for authentication.
tacacs Uses the list of all TACACS servers for authentication.
Default Configuration
The local user database is checked. This has the same effect as the command aaa authentication login list-name local.
NOTE: On the console, login succeeds without any authentication check if the authentication method is not defined.
Command Mode
Global Configuration mode.
User Guidelines
• The default and optional list names created with the aaa authentication login command are used with the login authentication command.
• Create a list by entering the aaa authentication login list-name method command for a particular protocol, where list-name is any character string used to name this list. The method argument identifies the list of methods that the authentication algorithm tries, in the given sequence.
• The additional methods of authentication are used only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line.
Example
The following example configures authentication login.
Console (config)# aaa authentication login default radius local enable none
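The following Python model is an added illustration, not part of the Dell documentation or the device firmware. It walks a method list the way the User Guidelines describe (the next method is tried only when the previous one returns an error, not when it fails) and flags what a trailing none means for access control; the backends, credentials and function names are hypothetical stand-ins.

```python
from enum import Enum


class Outcome(Enum):
    ACCEPT = "accept"  # the method checked the credentials and accepted them
    REJECT = "reject"  # the method checked the credentials and refused them ("fails")
    ERROR = "error"    # the method could not answer (e.g. server unreachable)


def make_backend(credentials, available=True):
    """Hypothetical stand-in for one method (radius, tacacs, local, enable, line)."""
    def check(user, password):
        if not available:
            return Outcome.ERROR
        return Outcome.ACCEPT if credentials.get(user) == password else Outcome.REJECT
    return check


def authenticate(method_list, backends, user, password):
    """Walk the list in order; fall through to the next method only on ERROR."""
    trace = []
    for method in method_list:
        if method == "none":
            trace.append((method, Outcome.ACCEPT))  # no credential check at all
            return True, trace
        outcome = backends[method](user, password)
        trace.append((method, outcome))
        if outcome is not Outcome.ERROR:
            return outcome is Outcome.ACCEPT, trace
    return False, trace  # every method returned an error and no 'none' follows


def audit(method_list):
    """Review notes for a method list as it would appear in a configuration."""
    findings = []
    if "none" in method_list:
        pos = method_list.index("none")
        if pos == 0:
            findings.append("'none' is first: no authentication is performed")
        else:
            findings.append(
                "'none' follows %s: access is granted without credentials "
                "whenever all of them return an error" % ", ".join(method_list[:pos])
            )
        if pos < len(method_list) - 1:
            findings.append("methods after 'none' are never tried")
    return findings


# Method list from the example above.
PAGE_LIST = ["radius", "local", "enable", "none"]

if __name__ == "__main__":
    # Constructed scenario: every real method is unavailable.
    down = {m: make_backend({}, available=False) for m in ("radius", "local", "enable")}
    print(authenticate(PAGE_LIST, down, "anyone", "anything"))
    print(audit(PAGE_LIST))
```

In the constructed outage scenario the list from the example accepts any credentials, while the same list without none refuses the login.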
aaa authentication enable
The aaa authentication enable Global Configuration mode command defines authentication method
lists for accessing higher privilege levels. Use the no form of this command to return to the default
configuration.
Syntax
• aaa authentication enable {default | list-name} method1 [method2 ...]
• no aaa authentication enable default
• default — Uses the listed authentication methods that follow this argument as the default list of methods, when using higher privilege levels.
• list-name — Character string used to name the list of authentication methods activated, when using access higher privilege levels.
• method1 [method2 ...] — Specify at least one from the following table:
Keyword Source or destination
enable Uses the enable password for authentication.
line Uses the line password for authentication.
none Uses no authentication.
radius Uses the list of all RADIUS servers for authentication. Uses username "$enabx$." where x is the privilege level.
tacacs Uses the list of all TACACS+ servers for authentication. Uses username "$enabx$." where x is the privilege level.
Default Configuration
If the default list is not set, only the enable password is checked. This has the same effect as the command aaa authentication enable default enable.
On the console, the enable password is used if it exists. If no password is set, the process still succeeds. This has the same effect as using the command aaa authentication enable default enable none.
Command Mode
Global Configuration mode.
User Guidelines
• The default and optional list names created with the aaa authentication enable command are used with the enable authentication command.
• Create a list by entering the aaa authentication enable list-name method command where list-name is any character string used to name this list. The method argument identifies the list of methods that the authentication algorithm tries, in the given sequence.
• The additional methods of authentication are used only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line.
• All aaa authentication enable default requests sent by the device to a RADIUS or TACACS server include the username "$enab15$".
Example
The following example sets authentication when accessing higher privilege levels.
Console (config)# aaa authentication enable default enable
login authentication
The login authentication Line Configuration mode command specifies the login authentication
method list for a remote telnet, SSH or console. Use the no form of this command to return to the
default specified by the authentication login command.
Syntax
• login authentication {default | list-name}
• no login authentication
• default — Uses the default list created with the authentication login command.
• list-name — Uses the indicated list created with the authentication login command.
Default Configuration
Uses the default set with the command authentication login.
Command Mode
Line Configuration mode.
User Guidelines
• Changing login authentication from default to another value may disconnect the telnet session.
Example
The following example specifies the default authentication method for a console.
Console (config)# line console
Console (config-line)# login authentication default
enable authentication
The enable authentication Line Configuration mode command specifies the authentication method list
when accessing a higher privilege level from a remote telnet, SSH or console. Use the no form of this
command to return to the default specified by the enable authentication command.
Syntax
• enable authentication {default | list-name}
• no enable authentication
• default — Uses the default list created with the authentication enable command.
• list-name — Uses the indicated list created with the authentication enable command.
Default Configuration
Uses the default set with the command authentication enable.
Command Mode
Line Configuration mode.
User Guidelines
• There are no user guidelines for this command.
Example
The following example specifies the default authentication method when accessing a higher privilege
level from a console.
Console (config)# line console
Console (config-line)# enable authentication default
ip http authentication
The ip http authentication Global Configuration mode command specifies authentication methods for
http. Use the no form of this command to return to the default.
Syntax
• ip http authentication method1 [method2 ...]
• no ip http authentication
• method1 [method2 ...] — Specify at least one from the following table:
Keyword Source or destination
local Uses the local username database for authentication.
none Uses no authentication.
radius Uses the list of all RADIUS servers for authentication.
tacacs Uses the list of all TACACS servers for authentication.
Default Configuration
The local user database is checked. This has the same effect as the command ip http authentication local.
Command Mode
Global Configuration mode.
User Guidelines
• The additional methods of authentication are used only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line.
Example
The following example configures the http authentication.
Console (config)# ip http authentication radius local
Console (config)# ip http authentication tacacs local
ip https authentication
The ip https authentication Global Configuration mode command specifies authentication methods for
https servers. Use the no form of this command to return to the default.
Syntax
• ip https authentication method1 [method2 ...]
• no ip https authentication
• method1 [method2 ...] — Specify at least one from the following table:
Keyword Source or destination
local Uses the local username database for authentication.
none Uses no authentication.
radius Uses the list of all RADIUS servers for authentication.
tacacs Uses the list of all TACACS servers for authentication.
Default Configuration
The local user database is checked. This has the same effect as the command ip https authentication local.
Command Mode
Global Configuration mode.
User Guidelines
• The additional methods of authentication are used only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line.
Example
The following example configures https authentication.
Console (config)# ip https authentication radius local
Console (config)# ip https authentication tacacs local
show authentication methods
The show authentication methods Privileged EXEC mode command displays information about the
authentication methods.
Syntax
• show authentication methods
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode.
User Guidelines
• There are no user guidelines for this command.
Example
The following example displays the authentication configuration.
Console# show authentication methods
Login Authentication Method Lists
---------------------------------
Console_Default: None
Network_Default: Local
Enable Authentication Method Lists
----------------------------------
Console_Default: Enable None
Network_Default: Enable
Line            Login Method List  Enable Method List
--------------  -----------------  ------------------
Console         Default            Default
Telnet          Default            Default
SSH             Default            Default
http : Tacacs Local
https : Tacacs Local
dot1x :
password
The password Line Configuration mode command specifies a password on a line. Use the no form of this
command to remove the password.
Syntax
• password password [encrypted]
• no password
• password — Password for this level, from 1 to 159 characters in length.
• encrypted — Encrypted password to be entered, copied from another device configuration.
Default Configuration
No password is required.
Command Mode
Line Configuration mode.
User Guidelines
• There are no user guidelines for this command.
Example
The following example specifies a password ’secret’ on a line.
Console (config-line)# password secret
enable password
The enable password Global Configuration mode command sets a local password to control access to
normal and privilege levels. Use the no form of this command to remove the password requirement.
Syntax
• enable password [level level] password [encrypted]
• no enable password [level level]
• password — Password for this level, from 1 to 159 characters in length.
• level level — Level for which the password applies. If not specified the level is 15. (Range: 1 - 15)
• encrypted — Encrypted password entered, copied from another device configuration.
Default Configuration
This command has no default configuration.
Command Mode
Global Configuration mode.
User Guidelines
• There are no user guidelines for this command.
Example
The following example sets a local level 15 password "secret" to control access to user and privilege levels.
Console (config)# enable password level 15 secret
username
The username Global Configuration mode command establishes a username-based authentication
system. Use the no form of this command to remove a user name.
Syntax
• username name [password password] [level level] [encrypted]
• no username name
• name — The name of the user. (Range: 1 - 20 characters)
• password — The authentication password for the user. (Range: 8 - 64 characters)
• level — The user level. (Range: 1 - 15)
• encrypted — Encrypted password entered, copied from another device configuration.
Default Configuration
No user is defined.
Command Mode
Global Configuration mode.
User Guidelines
• No password is required.
Example
The following example configures user "bob" with the password "lee" and user level 15 to the system.
Console (config)# username bob password lee level 15
show users accounts
The show users accounts Privileged EXEC mode command displays information about the local user
database.
Syntax
• show users accounts
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode.
User Guidelines
• There are no user guidelines for this command.
Example
The following example displays the local users configured with access to the system.
Console# show users accounts
Username   Privilege   Password Aging   Password Expiry Date   Lockout
--------   ---------   --------------   --------------------   -------
Bob        15          --               --                     --
Robert     15          --               --                     --
Address Table Commands
bridge address
The bridge address VLAN Interface Configuration mode command adds a static MAC-layer station
source address to the bridge table. To delete the MAC address, use the no form of the bridge address
command (using the no form of the command without specifying a MAC address deletes all static
MAC addresses belonging to this VLAN).
Syntax
• bridge address mac-address {ethernet interface | port-channel port-channel-number} [permanent | delete-on-reset | delete-on-timeout | secure]
• no bridge address [mac-address]
• mac-address — A valid MAC address in the format of xx:xx:xx:xx:xx:xx.
• interface — A valid Ethernet port.
• port-channel-number — A valid port-channel number.
• permanent — The address can only be deleted by the no bridge address command.
• delete-on-reset — The address is deleted after reset.
• delete-on-timeout — The address is deleted after "age out" time has expired.
• secure — The address is deleted after the port changes mode to unlock learning (no port security command). This parameter is only available when the port is in learning locked mode.
Default Configuration
No static addresses are defined. The default mode for an added address is permanent.
Command Mode
Interface Configuration (VLAN) mode.
User Guidelines
• There are no user guidelines for this command.
Example
The following example adds a permanent static MAC-layer station source address 3aa2.64b3.a245 on
port g8 to the bridge table.
Console (config)# interface vlan 2
Console (config-vlan)# bridge address 3a:a2:64:b3:a2:45 ethernet g8 permanent
bridge multicast filtering
The bridge multicast filtering Global Configuration mode command enables filtering of Multicast
addresses. To disable filtering of Multicast addresses, use the no form of the bridge multicast filtering
command.
Syntax
• bridge multicast filtering
• no bridge multicast filtering
Default Configuration
Disabled. All Multicast addresses are flooded to all ports.
Command Mode
Global Configuration mode.
User Guidelines
• If devices exist on the VLAN, do not change the unregistered Multicast addresses state to drop on the devices ports.
• If Multicast routers exist on the VLAN and IGMP-snooping is not enabled, the bridge multicast forward-all command should be used to enable forwarding all Multicast packets to the Multicast routers.
Example
In this example, bridge Multicast filtering is enabled.
Console (config)# bridge multicast filtering
bridge multicast address
The bridge multicast address Interface Configuration mode command registers MAC-layer Multicast
addresses to the bridge table, and adds static ports to the group. To unregister the MAC address, use the
no form of the bridge multicast address command.
Syntax
• bridge multicast address {mac-multicast-address | ip-multicast-address}
• bridge multicast address {mac-multicast-address | ip-multicast-address} [add | remove] {ethernet interface-list | port-channel port-channel-number-list}
• no bridge multicast address {mac-multicast-address | ip-multicast-address}
• add — Adds ports to the group. If no option is specified, this is the default option.
• remove — Removes ports from the group.
• mac-multicast-address — MAC Multicast address in the format of xx:xx:xx:xx:xx:xx.
• ip-multicast-address — IP Multicast address.
• interface-list — Separate nonconsecutive Ethernet ports with a comma and no spaces; a hyphen is used to designate a range of ports.
• port-channel-number-list — Separate nonconsecutive port-channels with a comma and no spaces; a hyphen is used to designate a range of ports.
Default Configuration
No Multicast addresses are defined.
Command Mode
Interface Configuration (VLAN) mode.
User Guidelines
• If the command is executed without add or remove, the command only registers the group in the bridge database.
• Static Multicast addresses can only be defined on static VLANs.
Examples
The following example registers the MAC address.
Console (config)# interface vlan 8
Console (config-if)# bridge multicast address 01:00:5e:02:02:03
The following example registers the MAC address and adds ports statically.
Console (config)# interface vlan 8
Console (config-if)# bridge multicast address 01:00:5e:02:02:03 add ethernet g1-9
bridge multicast forbidden address
The bridge multicast forbidden address Interface Configuration mode command forbids adding a
specific Multicast address to specific ports. Use the no form of this command to return to default.
Syntax
• bridge multicast forbidden address {mac-multicast-address | ip-multicast-address} {add | remove} {ethernet interface-list | port-channel port-channel-number-list}
• no bridge multicast forbidden address {mac-multicast-address | ip-multicast-address}
• add — Adds ports to the group.
• remove — Removes ports from the group.
• mac-multicast-address — MAC Multicast address in the format of xx:xx:xx:xx:xx:xx.
• ip-multicast-address — IP Multicast address is in the format xxx.xxx.xxx.xxx.
• interface-list — Separate non consecutive valid Ethernet ports with a comma and no spaces; a hyphen is used to designate a range of ports.
• port-channel-number-list — Separate non consecutive valid port-channels with a comma and no spaces; a hyphen is used to designate a range of port-channels.
Default Configuration
No forbidden addresses are defined.
Command Modes
Interface Configuration (VLAN) mode.
User Guidelines
• Before defining forbidden ports, the Multicast group should be registered.
Examples
In this example the MAC address 01:00:5e:02:02:03 is forbidden on port g9 within VLAN 8.
Console (config)# interface vlan 8
Console (config-if)# bridge multicast address 01:00:5e:02:02:03
Console (config-if)# bridge multicast forbidden address 01:00:5e:02:02:03 add ethernet g9
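The rules stated for bridge multicast address and bridge multicast forbidden address (register the group before forbidding ports, MAC groups in xx:xx:xx:xx:xx:xx form, interface lists with commas, hyphens and no spaces) can be checked on a planned command sequence before it is typed into the switch. The following pre-flight check is an added example, not part of the Dell guide; lint and expand_ports are hypothetical names, ports are assumed to be named g<number> as in the guide's examples, and only the MAC form of the group address is validated.

```python
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")
PORTS_RE = re.compile(r"^g\d+(-\d+)?(,g\d+(-\d+)?)*$")  # g1-9,g12: no spaces

def expand_ports(spec):
    """Expand 'g1-3,g9' to ['g1', 'g2', 'g3', 'g9']; raise ValueError on bad syntax."""
    if not PORTS_RE.match(spec):
        raise ValueError(f"bad interface-list: {spec!r}")
    ports = []
    for part in spec.split(","):
        lo, _, hi = part[1:].partition("-")
        lo, hi = int(lo), int(hi or lo)
        if hi < lo:
            raise ValueError(f"reversed range: {part!r}")
        ports += [f"g{n}" for n in range(lo, hi + 1)]
    return ports

def lint(commands):
    """Return [(line_no, message)] for a planned sequence of configuration commands."""
    problems, vlan, registered = [], None, set()
    for no, cmd in enumerate(commands, 1):
        words = cmd.split()
        if words[:2] == ["interface", "vlan"]:
            vlan = words[2]
        if words[:2] != ["bridge", "multicast"] or "address" not in words[2:4]:
            continue
        forbidden = words[2] == "forbidden"
        args = words[words.index("address") + 1:]
        group = args[0].lower() if args else ""  # dotted = IP form, not checked
        # A MAC multicast address has the low bit of its first octet set.
        if "." not in group and not (MAC_RE.match(group) and int(group[:2], 16) & 1):
            problems.append((no, f"{group!r} is not a MAC multicast address"))
        if not forbidden:
            registered.add((vlan, group))
        elif (vlan, group) not in registered:
            problems.append((no, f"{group} is forbidden before it is registered in VLAN {vlan}"))
        if "ethernet" in args:
            try:
                expand_ports(" ".join(args[args.index("ethernet") + 1:]))
            except ValueError as err:
                problems.append((no, str(err)))
    return problems

PLAN = [  # constructed sequence, not from the guide; entries 2 and 3 are faulty
    "interface vlan 8",
    "bridge multicast forbidden address 01:00:5e:02:02:03 add ethernet g9",
    "bridge multicast address 01:00:5e:02:02:03 add ethernet g1, g3",
    "bridge multicast forbidden address 01:00:5e:02:02:03 add ethernet g9",
]
```

lint(PLAN) flags entry 2 (forbidden before registration) and entry 3 (a space inside the interface list); entry 4 passes because the group is registered by then.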
bridge multicast unregistered
The bridge multicast unregistered Interface Configuration mode command configures the forwarding
state of unregistered multicast addresses. Use the no form of this command to return to default.
Syntax
• bridge multicast unregistered {forwarding | filtering}
• no bridge multicast unregistered
• forwarding — Forward unregistered multicast packets.
• filtering — Filter unregistered multicast packets. See usage guidelines for the case where the port is a router port.
Default Configuration
Forwarding
Command Modes
Interface configuration (Ethernet, Port-Channel) mode
User Guidelines
• Unregistered multicast filtering should not be enabled on ports that are connected to routers, because
the 224.0.0.x address range should not be filtered. Routers would not necessarily send IGMP reports
for the 224.0.0.x range.
Examples
This example configures the forwarding state of unregistered multicast addresses to allow forwarding.
Console (config)# bridge multicast unregistered forwarding
bridge multicast forward-all
The bridge multicast forward-all Interface Configuration mode command enables forwarding of all
Multicast packets on a port. To restore the default, use the no form of the bridge multicast forward-all
command.
Syntax
• bridge multicast forward-all {add | remove} {ethernet interface-list | port-channel port-channel-number-list}
• no bridge multicast forward-all
• add — Adds ports to the group.
• remove — Removes ports from the group.
• interface-list — Separate non consecutive valid Ethernet ports with a comma and no spaces; a hyphen is used to designate a range of ports.
• port-channel-number-list — Separate non consecutive valid port-channels with a comma and no spaces; a hyphen is used to designate a range of port-channels.
Default Configuration
Disable forward-all on the specified interface.
Command Mode
Interface Configuration (VLAN) mode.
User Guidelines
There are no user guidelines for this command.
Example
In this example all Multicast packets on port g8 are forwarded.
Console (config)# interface vlan 2
Console (config-if)# bridge multicast forward-all add ethernet g8
bridge multicast forbidden forward-all
The bridge multicast forbidden forward-all Interface Configuration mode command forbids a port to be
a forward-all-Multicast port. To restore the default, use the no form of the bridge multicast forward-all
command.