The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
Use the aaa accounting dot1x global configuration command to enable authentication, authorization, and accounting (AAA) accounting and to create method lists defining specific accounting methods on a per-line or per-interface basis for IEEE 802.1x sessions. Use the no form of this command to disable IEEE 802.1x accounting.
aaa accounting dot1x { name | default} start-stop {broadcast group { name | radius | tacacs+ } [group { name | radius | tacacs+ }... ] | group { name | radius | tacacs+ } [ group { name | radius | tacacs+ } ... ]}
no aaa accounting dot1x { name | default }
This command requires access to a RADIUS server.
Note We recommend that you enter the dot1x reauthentication interface configuration command before configuring IEEE 802.1x RADIUS accounting on an interface.
This example shows how to configure IEEE 802.1x accounting:
Note The RADIUS authentication server must be properly configured to accept and log update or watchdog packets from the AAA client.
Specifies one or more AAA methods for use on interfaces running IEEE 802.1x. |
|
Enables the AAA access control model. For syntax information, see the Cisco IOS Security Command Reference, Release 12.2> Authentication, Authorization, and Accounting > Authentication Commands . |
|
dot1x timeout reauth period |
Sets the number of seconds between re-authentication attempts. |
Use the aaa authentication dot1x global configuration command to specify the authentication, authorization, and accounting (AAA) method to use on ports complying with IEEE 802.1x. Use the no form of this command to disable authentication.
aaa authentication dot1x { default } method1
no aaa authentication dot1x { default }
Use the listed authentication method that follows this argument as the default method when a user logs in. |
|
Enter the group radius keywords to use the list of all RADIUS servers for authentication. |
Note Though other keywords are visible in the command-line help strings, only the default and group radius keywords are supported.
The method argument identifies the method that the authentication algorithm tries in the given sequence to validate the password provided by the client. The only method that is truly IEEE 802.1x-compliant is the group radius method, in which the client data is validated against a RADIUS authentication server.
If you specify group radius , you must configure the RADIUS server by entering the radius-server host global configuration command.
Use the show running-config privileged EXEC command to display the configured lists of authentication methods.
This example shows how to enable AAA and how to create an IEEE 802.1x-compliant authentication list. This authentication first tries to contact a RADIUS server. If this action returns an error, the user is not allowed access to the network.
You can verify your settings by entering the show running-config privileged EXEC command.
Enables the AAA access control model. For syntax information, see the Cisco IOS Security Command Reference, Release 12.2 > Authentication, Authorization, and Accounting > Authentication Commands . |
|
Displays the operating configuration. For syntax information, use this link to the Cisco IOS Release 12.2 Command Reference listing page:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/prod_command_reference_list.html
|
Use the action access-map configuration command to set the action for the VLAN access map entry. Use the no form of this command to set the action to the default value, which is to forward.
You enter access-map configuration mode by using the vlan access-map global configuration command.
If the action is drop, you should define the access map, including configuring any access control list (ACL) names in match clauses, before applying the map to a VLAN, or all packets could be dropped.
In access-map configuration mode, use the match access-map configuration command to define the match conditions for a VLAN map. Use the action command to set the action that occurs when a packet matches the conditions.
The drop and forward parameters are not used in the no form of the command.
This example shows how to identify and apply a VLAN access map vmap4 to VLANs 5 and 6 that causes the VLAN to forward an IP packet if the packet matches the conditions defined in access list al2 :
You can verify your settings by entering the show vlan access-map privileged EXEC command.
Use the alarm-contact global configuration command to configure triggers and severity levels for external alarms. Use the no form of this command to remove the configuration.
alarm-contact { contact-number { description string | severity { critical | major | minor } | trigger { closed | open }} | all { severity { critical | major | minor } | trigger { closed | open }}
no alarm-contact { contact-number { description | severity | trigger } | all { severity | trigger }
The no alarm-contact contact-number description sets the description to an empty string.
The no alarm-contact { contact-number | all } severity sets the alarm-contact severity to minor.
The no alarm-contact { contact-number | all } trigger sets the external alarm-contact trigger to closed.
This example shows how to configure alarm contact number 1 to report a critical alarm when the contact is open.
You can verify your settings by entering the show env alarm-contact or the show running-config privileged EXEC command.
This example shows how to configure clear alarm contact number 1 and the show command outputs.
show env alarm-contact |
Use the archive download-sw privileged EXEC command to download a new image from a TFTP server to the switch and to overwrite or keep the existing image.
archive download-sw { /force-reload | /imageonly | /leave-old-sw | /no-set-boot | /no-version-check | /overwrite | /reload | /safe } source-url
The current software image is not overwritten with the downloaded image.
Both the software image and HTML files are downloaded.
The new image is downloaded to the flash: file system.
The BOOT environment variable is changed to point to the new software image on the flash: file system.
Image names are case sensitive; the image file is provided in tar format.
Compatibility of the version on the image to be downloaded is checked.
The /imageonly option removes the HTML files for the existing image if the existing image is being removed or replaced. Only the Cisco IOS image (without the HTML files) is downloaded.
Using the /safe or /leave-old-sw option can cause the new image download to fail if there is insufficient flash memory. If leaving the software in place prevents the new image from fitting in flash memory due to space constraints, an error results.
If you used the /leave-old-sw option and did not overwrite the old image when you downloaded the new one, you can remove the old image by using the delete privileged EXEC command. For more information, see the “delete” section.
Note Use the /no-version-check option with care. This option allows an image to be downloaded without first confirming that it is not incompatible with the switch.
Use the /overwrite option to overwrite the image on the flash device with the downloaded one.
If you specify the command without the /overwrite option, the download algorithm verifies that the new image is not the same as the one on the switch flash device. If the images are the same, the download does not occur. If the images are different, the old image is deleted, and the new one is downloaded.
After downloading a new image, enter the reload privileged EXEC command to begin using the new image, or specify the /reload or /force-reload option in the archive download-sw command.
This example shows how to download a new image from a TFTP server at 172.20.129.10 and overwrite the image on the switch:
This example shows how to download only the software image from a TFTP server at 172.20.129.10 to the switch:
This example shows how to keep the old software version after a successful download:
Use the archive tar privileged EXEC command to create a tar file, list files in a tar file, or extract the files from a tar file.
archive tar { /create destination-url flash:/ file-url } | { /table source-url } | { /xtract source-url flash:/ file-url [ dir / file... ]}
This example shows how to create a tar file. The command writes the contents of the new-configs directory on the local flash device to a file named saved.tar on the TFTP server at 172.20.10.30:
This example shows how to display the contents of the file that is in flash memory. The contents of the tar file appear on the screen:
This example shows how to display only the html directory and its contents:
This example shows how to extract the contents of a tar file on the TFTP server at 172.20.10.30. This command extracts just the new-configs directory into the root directory on the local flash file system. The remaining files in the saved.tar file are ignored.
Use the archive upload-sw privileged EXEC command to upload an existing switch image to a server.
archive upload-sw [ /version version_string ] destination-url
Use the upload feature only if the HTML files associated with the embedded device manager have been installed with the existing image.
The files are uploaded in this sequence: the Cisco IOS image, the HTML files, and info. After these files are uploaded, the software creates the tar file.
This example shows how to upload the currently running image to a TFTP server at 172.20.140.2:
Use the arp access-list global configuration command to define an Address Resolution Protocol (ARP) access control list (ACL) or to add clauses to the end of a previously defined list. Use the no form of this command to delete the specified ARP access list.
After entering the arp access-list command, you enter ARP access-list configuration mode, and these configuration commands are available:
Use the permit and deny access-list configuration commands to forward and to drop ARP packets based on the specified matching criteria.
When the ARP ACL is defined, you can apply it to a VLAN by using the ip arp inspection filter vlan global configuration command. ARP packets containing only IP-to-MAC address bindings are compared to the ACL. All other types of packets are bridged in the ingress VLAN without validation. If the ACL permits a packet, the switch forwards it. If the ACL denies a packet because of an explicit deny statement, the switch drops the packet. If the ACL denies a packet because of an implicit deny statement, the switch compares the packet to the list of DHCP bindings (unless the ACL is static , which means that packets are not compared to the bindings).
This example shows how to define an ARP access list and to permit both ARP requests and ARP responses from a host with an IP address of 1.1.1.1 and a MAC address of 0000.0000.abcd:
You can verify your settings by entering the show arp access-list privileged EXEC command.
Use the bandwidth policy-map class configuration command to configure class-based weighted fair queuing (CBWFQ) by setting the output bandwidth for a policy-map class. Use the no form of this command to remove the bandwidth setting for the class.
bandwidth { rate | percent value | remaining percent value }
no bandwidth [ rate | percent value | remaining percent value ]
Policy-map class configuration
You use the bandwidth policy-map class command to control output traffic. The bandwidth command specifies the bandwidth for traffic in that class. CBWFQ derives the weight for packets belonging to the class from the bandwidth allocated to the class and uses the weight to ensure that the queue for that class is serviced fairly. Bandwidth settings are not supported in input policy maps.
When you configure bandwidth for a class of traffic as an absolute rate (kbps) or a percentage of bandwidth ( percent value) , it represents the minimum bandwidth guarantee or committed information rate (CIR) for that traffic class. This means that the traffic class gets at least the bandwidth specified in the command, but is not limited to that bandwidth. Any excess bandwidth on the port is allocated to each class in the same ratio as the configured CIR rates.
When you enter the bandwidth remaining percent command, hard bandwidths are not guaranteed, and only relative bandwidths are assured. Class bandwidths are always proportional to the specified bandwidth percentages configured for the port.
When you configure bandwidth in an output policy, you must specify the same units in each bandwidth configuration; that is, all absolute values (rates) or percentages.
The total rate of the minimum bandwidth guarantees for each queue of the policy cannot exceed the total speed for the interface. If the percent keyword is used, the sum of the class bandwidth percentages cannot exceed 100 percent.
Using the queue-limit command to modify the default queue limit is especially important on higher-speed interfaces so that they meet the minimum bandwidth guarantees required by the interface.
You cannot use the bandwidth policy-map class configuration command to configure CBWFQ and the shape average command to configure class-based shaping for the same class in a policy map.
You cannot configure bandwidth in a class that includes priority queuing (configured with the priority policy-map class configuration command).
This example shows how to set the precedence of output queues by setting bandwidth in kilobits per second. The classes outclass1 , outclass2 , and outclass3 get a minimum of 50000, 20000, and 10000 kbps. The class class-default at a minimum gets the remaining bandwidth.
This example shows how to set the precedence of output queues by allocating percentages of the total available bandwidth to each traffic class.The classes outclass1 , outclass2 , and outclass3 get a minimum of 50, 20, and 10 percent. The class class-default at a minimum gets 20 percent.
This example shows how to set outclass1 as a priority queue, with outclass2 , and outclass3 getting 50 and 20 percent, respectively, of the bandwidth remaining after the priority queue is serviced. The class class-default gets the remaining 30 percent with no guarantees.
You can verify your settings by entering the show policy-map privileged EXEC command.
Use the boot buffersize global configuration command to configure the NVRAM size. Use the no form of this command to return to the default.
The default NVRAM buffer size is 512 KB. In some cases, the configuration file might be too large to save to NVRAM. You can configure the size of the NVRAM buffer to support larger configuration files.
After you configure the NVRAM buffer size, reload the switch.
Use the boot config-file global configuration command to specify the filename that Cisco IOS uses to read and write a nonvolatile copy of the system configuration. Use the no form of this command to return to the default setting.
Filenames and directory names are case sensitive.
This command changes the setting of the CONFIG_FILE environment variable. For more information, see Appendix A, “Cisco ME 3400E Ethernet Access Switch Boot Loader Commands.”
Use the boot enable-break global configuration command to enable interrupting the automatic boot process. Use the no form of this command to return to the default setting.
When you enter this command, you can interrupt the automatic boot process by pressing the break key on the console after the flash file system is initialized. The break key is different for each operating system:
This command changes the setting of the ENABLE_BREAK environment variable. For more information, see Appendix A, “Cisco ME 3400E Ethernet Access Switch Boot Loader Commands.”
Use the boot helper global configuration command to dynamically load files during boot loader initialization to extend or patch the functionality of the boot loader. Use the no form of this command to return to the default.
This variable is used only for internal development and testing.
Filenames and directory names are case sensitive.
This command changes the setting of the HELPER environment variable. For more information, see Appendix A, “Cisco ME 3400E Ethernet Access Switch Boot Loader Commands.”
Use the boot helper-config-file global configuration command to specify the name of the configuration file to be used by the Cisco IOS helper image. If this is not set, the file specified by the CONFIG_FILE environment variable is used by all versions of Cisco IOS that are loaded. Use the no form of this command to return to the default setting.
This variable is used only for internal development and testing.
Filenames and directory names are case sensitive.
This command changes the setting of the HELPER_CONFIG_FILE environment variable. For more information, see Appendix A, “Cisco ME 3400E Ethernet Access Switch Boot Loader Commands.”
Use the boot manual global configuration command to enable manually booting the switch during the next boot cycle. Use the no form of this command to return to the default setting.
The next time you reboot the system, the switch is in boot loader mode, which is shown by the switch: prompt. To boot the system, use the boot boot loader command, and specify the name of the bootable image.
This command changes the setting of the MANUAL_BOOT environment variable. For more information, see Appendix A, “Cisco ME 3400E Ethernet Access Switch Boot Loader Commands.”
Use the boot private-config-file global configuration command to specify the filename that Cisco IOS uses to read and write a nonvolatile copy of the private configuration. Use the no form of this command to return to the default setting.
This example shows how to specify the name of the private configuration file to be pconfig :
Use the boot system global configuration command to specify the Cisco IOS image to load during the next boot cycle. Use the no form of this command to return to the default setting.
boot system filesystem:/file-url ...
The switch attempts to automatically boot the system by using information in the BOOT environment variable. If this variable is not set, the switch attempts to load and execute the first executable image it can by performing a recursive, depth-first search throughout the flash file system. In a depth-first search of a directory, each encountered subdirectory is completely searched before continuing the search in the original directory.
Filenames and directory names are case sensitive.
If you are using the archive download-sw privileged EXEC command to maintain system images, you never need to use the boot system command. The boot system command is automatically manipulated to load the downloaded image.
This command changes the setting of the BOOT environment variable. For more information, see Appendix A, “Cisco ME 3400E Ethernet Access Switch Boot Loader Commands.”
Use the channel-group interface configuration command to assign an Ethernet port to an EtherChannel group. Use the no form of this command to remove an Ethernet port from an EtherChannel group.
channel-group channel -group-number mode { active | { auto [ non-silent ] | desirable [ non-silent ] | on } | passive }
PAgP modes:
channel-group
channel
-group-number
mode
{
auto
[
non-silent
] | {
desirable
[
non-silent
]}
LACP modes:
channel-group
channel
-group-number
mode {active | passive}
On mode:
channel-group
channel
-group-number
mode on
Note Link Aggregation Control Protocol (LACP.) and Port Aggregation Protocol (PAgP) are available only on network node interfaces (NNIs) or enhanced network interfaces (ENIs). The active, auto, desirable, and passive keywords are not visible on user network interfaces (UNIs).
For Layer 2 EtherChannels, you do not have to create a port-channel interface first by using the interface port-channel global configuration command before assigning a physical port to a channel group. Instead, you can use the channel-group interface configuration command. It automatically creates the port-channel interface when the channel group gets its first physical port if the logical interface is not already created. If you create the port-channel interface first, the channel-group-number can be the same as the port - channel-number, or you can use a new number. If you use a new number, the channel-group command dynamically creates a new port channel.
If the port is a UNI or an ENI, you must use the no shutdown interface configuration command to enable it before using the channel-group command. UNIs and ENIs are disabled by default. NNIs are enabled by default.
You do not have to disable the IP address that is assigned to a physical port that is part of a channel group, but we strongly recommend that you do so.
You create Layer 3 port channels by using the interface port-channel command followed by the no switchport interface configuration command. You should manually configure the port-channel logical interface before putting the interface into the channel group.
After you configure an EtherChannel, configuration changes that you make on the port-channel interface apply to all the physical ports assigned to the port-channel interface. Configuration changes applied to the physical port affect only the port where you apply the configuration. To change the parameters of all ports in an EtherChannel, apply configuration commands to the port-channel interface, for example, spanning-tree commands or commands to configure a Layer 2 EtherChannel as a trunk.
If you do not specify non-silent with the auto or desirable mode, silent is assumed. The silent mode is used when the switch is connected to a device that is not PAgP-capable and seldom, if ever, sends packets. A example of a silent partner is a file server or a packet analyzer that is not generating traffic. In this case, running PAgP on a physical port prevents that port from ever becoming operational. However, it allows PAgP to operate, to attach the port to a channel group, and to use the port for transmission. Both ends of the link cannot be set to silent.
In the on mode, an EtherChannel exists only when a port group in the on mode is connected to another port group in the on mode.
Do not configure an EtherChannel in both the PAgP and LACP modes. EtherChannel groups running PAgP and LACP can coexist on the same switch. Individual EtherChannel groups can run either PAgP or LACP, but they cannot interoperate.
Note PAgP and LACP are available only on NNIs and ENIs.
If you set the protocol by using the channel-protocol interface configuration command, the setting is not overridden by the channel-group interface configuration command.
Do not configure a port that is an active or a not-yet-active member of an EtherChannel as an IEEE 802.1x port. If you try to enable IEEE 802.1x on an EtherChannel port, an error message appears, and IEEE 802.1x is not enabled.
Do not configure a secure port as part of an EtherChannel or an EtherChannel port as a secure port.
For a complete list of configuration guidelines, see the “Configuring EtherChannels” chapter in the software configuration guide for this release.
This example shows how to configure an EtherChannel. It assigns two static-access ports in VLAN 10 to channel 5 with the PAgP mode desirable :
This example shows how to configure an EtherChannel. It assigns two static-access ports in VLAN 10 to channel 5 with the LACP mode active :
You can verify your settings by entering the show running-config privileged EXEC command.
Displays the operating configuration. For syntax information, use this link to the Cisco IOS Release 12.2 Command Reference listing page:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/prod_command_reference_list.html
|
Use the channel-protocol interface configuration command to restrict the protocol used on a port to manage channeling. Use the no form of this command to return to the default setting.
Use the channel-protocol command only to restrict a channel to LACP or PAgP. If you set the protocol by using the channel-protocol command, the setting is not overridden by the channel-group interface configuration command.
Note PAgP and LACP are available only on network node interfaces (NNIs) and enhanced network interfaces (ENIs).
If the port is a user network interface (UNI) or an ENI, you must use the no shutdown interface configuration command to enable it before using the channel-protocol command. UNIs and ENIs are disabled by default. NNIs are enabled by default.
You must use the channel-group interface configuration command to configure the EtherChannel parameters. The channel-group command also can set the mode for the EtherChannel.
You cannot enable both the PAgP and LACP modes on an EtherChannel group.
PAgP and LACP are not compatible; both ends of a channel must use the same protocol.
This example shows how to specify LACP as the protocol that manages the EtherChannel:
You can verify your settings by entering the show etherchannel [ channel-group-number ] protocol privileged EXEC command.
show etherchannel protocol |
Use the class policy-map configuration command to specify the name of the class whose policy you want to create or to change or to specify the system default class before you configure a policy and to enter policy-map class configuration mode. Use the no form of this command to remove the class from a policy map.
class { class-map-name| class-default }
Before using the class class-map-name command in policy-map configuration mode, you must create the class by using the class-map class-map-name global configuration command. The class class-default is the class to which traffic is directed if that traffic does not match any of the match criteria in the configured class maps.
Use the policy-map global configuration command to identify the policy map and to enter policy-map configuration mode. After specifying a policy map, you can configure a policy for new classes or modify a policy for any existing classes in that policy map.
An input policy map can have a maximum of 64 classes, plus class-default .
You attach the policy map to a port by using the service-policy interface configuration command.
After entering the class command, you enter policy-map class configuration mode, and these configuration commands are available:
To return to policy-map configuration mode, use the exit command. To return to privileged EXEC mode, use the end command.
This example shows how to create a policy map called policy1, define a class class1 , and enter policy-map class configuration mode to set a criterion for the class.
You can verify your settings by entering the show policy-map privileged EXEC command.
Creates a class map to be used for matching packets to the class whose name you specify. |
|
Creates or modifies a policy map that can be attached to multiple ports to specify a service policy. |
|
show policy-map interface [ interface-id ] |
Displays policy maps configured on the specified interface or on all interfaces. |
Use the class-map global configuration command to create a class map to be used for matching packets to a specified criteria and to enter class-map configuration mode. Use the no form of this command to delete an existing class map.
class-map [ match-all | match-any ] class-map-name
Use this command to specify the name of the class for which you want to create or to modify class-map match criteria and to enter class-map configuration mode.
The switch supports a maximum of 1024 unique class maps.
You use the class-map command and class-map configuration mode to define packet classification as part of a globally named service policy applied on a per-port basis. When you configure a class map, you can use one or more match commands to specify match criteria. Packets arriving at either the input or output interface (determined by how you configure the service-policy interface configuration command) are checked against the class-map match criteria to determine if the packet belongs to that class.
A match-all class map means that the packet must match all entries and can have no other match statements.
After you are in class-map configuration mode, these configuration commands are available:
This example shows how to configure the class map called class1. By default, the class map is match-all and therefore can contain no other match criteria.
This example shows how to configure a match-any class map with one match criterion, which is an access list called 103. This class map (matching an ACL) is supported only in an input policy map.
This example shows how to delete the class map cla ss1:
You can verify your settings by entering the show class-map privileged EXEC command.
Use the clear ip arp inspection log privileged EXEC command to clear the dynamic Address Resolution Protocol (ARP) inspection log buffer.
This example shows how to clear the contents of the log buffer:
You can verify that the log was cleared by entering the show ip arp inspection log privileged command.
Use the clear ip arp inspection statistics privileged EXEC command to clear the dynamic Address Resolution Protocol (ARP) inspection statistics.
This example shows how to clear the statistics for VLAN 1:
You can verify that the statistics were deleted by entering the show ip arp inspection statistics vlan 1 privileged EXEC command.
show ip arp inspection statistics |
Displays statistics for forwarded, dropped, MAC validation failure, and IP validation failure packets for all VLANs or the specified VLAN. |
Use the clear ip dhcp snooping privileged EXEC command to clear the DHCP binding database agent statistics or the DHCP snooping statistics counters.
clear ip dhcp snooping { binding {* | ip-address | interface interface-id | vlan vlan-id } | database statistics | statistics }
When you enter the clear ip dhcp snooping database statistics command, the switch does not update the entries in the binding database and in the binding file before clearing the statistics.
This example shows how to clear the DHCP snooping binding database agent statistics:
You can verify that the statistics were cleared by entering the show ip dhcp snooping database privileged EXEC command.
This example shows how to clear the DHCP snooping statistics counters:
You can verify that the statistics were cleared by entering the show ip dhcp snooping statistics user EXEC command.
Use the clear ipc privileged EXEC command to clear Interprocess Communications Protocol (IPC) statistics.
You can clear all statistics by using the clear ipc statistics command, or you can clear only the queue statistics by using the clear ipc queue-statistics command.
This example shows how to clear all statistics:
This example shows how to clear only the queue statistics:
You can verify that the statistics were deleted by entering the show ipc rpc or the show ipc session privileged EXEC command.
show ipc { rpc | session } |
Use the clear ipv6 dhcp conflict privileged EXEC command to clear an address conflict from the Dynamic Host Configuration Protocol for IPv6 (DHCPv6) server database.
clear ipv6 dhcp conflict {* | IPv6-address}
Note This command is available only if the switch is running the metro IP access image and you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 { default | routing | vlan } global configuration command, and reload the switch.
When you configure the DHCPv6 server to detect conflicts, it uses ping. The client uses neighbor discovery to detect clients and reports to the server through a DECLINE message. If an address conflict is detected, the address is removed from the pool and is not assigned until the administrator removes the address from the conflict list.
If you use the asterisk (*) character as the address parameter, DHCP clears all conflicts.
Use the clear l2protocol-tunnel counters privileged EXEC command to clear the protocol counters in protocol tunnel ports.
clear l2protocol-tunnel counters [ interface-id ]
This command is supported only when the switch is running the metro IP access or metro access image.
Use this command to clear protocol tunnel counters on the switch or on the specified interface.
Use the clear lacp privileged EXEC command to clear Link Aggregation Control Protocol (LACP) channel-group counters.
clear lacp { channel-group-number counters | counters }
Note LACP is available only on network node interfaces (NNIs) and enhanced network interfaces (ENIs).
You can clear all counters by using the clear lacp counters command, or you can clear only the counters for the specified channel group by using the clear lacp channel-group-number counters command.
This example shows how to clear all channel-group information:
This example shows how to clear LACP traffic counters for group 4:
You can verify that the information was deleted by entering the show lacp counters or the show lacp 4 counters privileged EXEC command.
Use the clear logging onboard privileged EXEC command to clear all the on-board failure logging (OBFL) data except for the uptime and CLI-command information stored in the flash memory.
We recommend that you keep OBFL enabled and do not clear the data stored in the flash memory.
These examples show how to clear all the OBFL information except for the uptime and CLI-command information:
You can verify that the information was cleared by entering the show logging onboard onboard privileged EXEC command.
Use the clear mac address-table privileged EXEC command to delete from the MAC address table a specific dynamic address, all dynamic addresses on a particular interface, or all dynamic addresses on a particular VLAN. This command also clears the MAC address notification global counters.
clear mac address-table { dynamic [ address mac-addr | interface interface-id | vlan vlan-id ] | notification }
This example shows how to remove a specific MAC address from the dynamic address table:
You can verify that the information was deleted by entering the show mac address-table privileged EXEC command.
Use the clear mac address-table move update privileged EXEC command to clear the mac address-table-move update-related counters.
clear mac address-table move update
This command is supported only when the switch is running the metro IP access or metro access image.
This example shows how to clear the mac address-table move update related counters.
You can verify that the information was cleared by entering the show mac address-table move update privileged EXEC command.
Use the clear pagp privileged EXEC command to clear Port Aggregation Protocol (PAgP) channel-group information.
clear pagp { channel-group-number counters | counters }
Note PAgP is available only on network node interfaces (NNIs) enhanced network interfaces (ENIs).
You can clear all counters by using the clear pagp counters command, or you can clear only the counters for the specified channel group by using the clear pagp channel-group-number counters command.
This example shows how to clear all channel-group information:
This example shows how to clear PAgP traffic counters for group 10:
You can verify that information was deleted by entering the show pagp privileged EXEC command.
Use the clear policer cpu uni-eni counters privileged EXEC command to clear control-plane policer statistics. The control-plane policer drops or rate-limits control packets from user network interfaces (UNIs) and enhanced network interfaces (ENIs) to protect the CPU from overload.
clear policer cpu uni-eni counters { classification | drop }
You can use this command to clear statistics maintained per feature or statistics about dropped frames.
You can enter the show platform policer cpu classification or show policer cpu uni drop command to view feature statistics or dropped frames before and after you use the clear command.
show platform policer cpu classification |
|
Use the clear port-security privileged EXEC command to delete from the MAC address table all secure addresses or all secure addresses of a specific type (configured, dynamic, or sticky) on the switch or on an interface.
clear port-security { all | configured | dynamic | sticky } [[ address mac-addr | interface interface-id ] [ vlan { vlan-id | {access | voice}}]]
This example shows how to clear all secure addresses from the MAC address table:
This example shows how to remove a specific configured secure address from the MAC address table:
This example shows how to remove all the dynamic secure addresses learned on a specific interface:
This example shows how to remove all the dynamic secure addresses from the address table:
You can verify that the information was deleted by entering the show port-security privileged EXEC command.
switchport port-security mac-address mac-address |
|
switchport port-security maximum value |
Configures a maximum number of secure MAC addresses on a secure interface. |
Displays the port security settings defined for an interface or for the switch. |
Use the clear rep counters privileged EXEC command to clear Resilient Ethernet Protocol (REP) counters for the specified interface or all interfaces.
You can clear all REP counters by using the clear rep counters command, or you can clear only the counters for the interface by using the clear rep counters interface interface-id command.
When you enter the clear rep counters command, only the counters visible in the output of the show interface rep detail command are cleared. SNMP visible counters are not cleared as they are read-only.
This example shows how to clear all REP counters for all REP interfaces:
You can verify that REP information was deleted by entering the show interfaces rep detail privileged EXEC command.
show interfaces rep detail |
Use the clear spanning-tree counters privileged EXEC command to clear the spanning-tree counters.
clear spanning-tree counters [ interface interface-id ]
If the interface-id is not specified, spanning-tree counters are cleared for all STP ports.
Use the clear spanning-tree detected-protocols privileged EXEC command to restart the protocol migration process (force the renegotiation with neighboring switches) on all spanning-tree interfaces or on the specified interface.
clear spanning-tree detected-protocols [ interface interface-id ]
A switch running the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol or the Multiple Spanning Tree Protocol (MSTP) supports a built-in protocol migration mechanism that enables it to interoperate with legacy IEEE 802.1D switches. If a rapid-PVST+ switch or an MSTP switch receives a legacy IEEE 802.1D configuration bridge protocol data unit (BPDU) with the protocol version set to 0, it sends only IEEE 802.1D BPDUs on that port. A multiple spanning-tree (MST) switch can also detect that a port is at the boundary of a region when it receives a legacy BPDU, an MST BPDU (Version 3) associated with a different region, or a rapid spanning-tree (RST) BPDU (Version 2).
However, the switch does not automatically revert to the rapid-PVST+ or the MSTP mode if it no longer receives IEEE 802.1D BPDUs. It cannot learn whether the legacy switch has been removed from the link unless the legacy switch is the designated switch. Use the clear spanning-tree detected-protocols command in this situation.
Use the clear vmps statistics privileged EXEC command to clear the statistics maintained by the VLAN Query Protocol (VQP) client.
This example shows how to clear VLAN Membership Policy Server (VMPS) statistics:
You can verify that information was deleted by entering the show vmps statistics privileged EXEC command.
Use the conform-action policy-map class police configuration command to set multiple actions for a policy-map class for packets that conform to the committed information rate (CIR) or peak information rate (PIR) by having a rate less than the conform burst. Use the no form of this command to cancel the action or to return to the default action.
conform-action { drop | set-cos-transmit { new-cos-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-dscp-transmit { new-dscp-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-prec-transmit { new-precedence-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-qos-transmit qos-group-value | transmit ]}
no conform-action { drop | set-cos-transmit { new-cos-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-dscp-transmit { new-dscp-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-prec-transmit { new-precedence-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-qos-transmit qos-group-value | transmit ]}
Policy-map class police configuration
You configure conform actions for packets when the packet rate is less than the configured conform burst.
If the conform action is set to drop , the exceed and violate actions are automatically set to drop .
You can configure conform-action marking by using enhanced packet marking to modify a QoS marking based on any incoming QoS marking and table maps. The switch also supports simultaneously marking multiple QoS parameters for the same class and configuring conform-action, exceed-action, and violate-action marking.
Access policy-map class police configuration mode by entering the police policy-map class command. See the police policy-map class configuration command for more information.
Use this command to set one or more conform actions for a traffic class.
This example shows how configure multiple conform actions in a policy map that sets a committed information rate of 23000 bits per second (bps) and a conform burst rate of 10000 bps. The policy map includes multiple conform actions (for DSCP and for Layer 2 CoS) and an exceed action.
You can verify your settings by entering the show policy-map privileged EXEC command.
Use the copy logging onboard module privileged EXEC command to copy on-board failure logging (OBFL) data to the local network or a specific file system.
copy logging onboard module [ slot-number ] destination
For information about OBFL, see the hw-module module logging onboard global configuration command.
This example shows how to copy the OBFL data messages to the obfl_file file on the flash file system:
Use the cpu traffic qos cos command in global configuration mode to configure quality of service (QoS) marking based on class of service (CoS) for control plane traffic. To return to the default value, use the no form of this command.
cpu traffic qos cos { cos_value | cos [table-map table-map-name ] | dscp [table-map table-map-name ] | precedence [table-map table-map-name ]}
no cpu traffic qos cos { cos_value | cos [table-map table-map-name ] | dscp [table-map table-map-name ] | precedence [table-map table-map-name ]}
Configure any desired table-maps before configuring marking or queuing of CPU traffic.
This feature must be configured globally for a switch; it cannot be configured per-port or per-protocol.
Enter each cpu traffic qos marking action on a separate line.
The cpu traffic qos cos global configuration command configures CoS marking for CPU-generated traffic by using either a specific CoS value or a table map, but not both. A new configuration overwrites the existing configuration.
When the cpu traffic qos cos global configuration command is configured with table maps, you can configure two map from values at a time—CoS and either DSCP or precedence.
If the cpu traffic qos cos global configuration command is configured with only a map from value of IP-DSCP or IP-precedence:
If the cpu traffic qos cos global configuration command is configured with a map from value of CoS:
If the cpu traffic qos cos global configuration command is configured with a map from value of DSCP or precedence and CoS:
This example shows how to mark the CoS of CPU-generated IP traffic (including IP-SLA and TWAMP) based on the DSCP value in the packet and to configure egress queuing based on the CoS value.
The sample configuration has these results:
Use the cpu traffic qos dscp command in global configuration mode to configure quality of service (QoS) marking based on a differentiated services code point (DSCP) value for control plane traffic. To return to the default value, use the no form of this command.
cpu traffic qos dscp { dscp_value | cos [table-map table-map-name ] | dscp [table-map table-map-name ] | precedence [table-map table-map-name ]}
no cpu traffic qos dscp { dscp_value | cos [table-map table-map-name ] | dscp [table-map table-map-name ] | precedence [table-map table-map-name ]}
This feature must be configured globally for a switch; it cannot be configured per-port or per-protocol.
Enter each cpu traffic qos marking action on a separate line.
The cpu traffic qos dscp global configuration command configures IP-DSCP marking for CPU-generated IP traffic by using either a specific DSCP value or a table map, but not both. A new configuration overwrites the existing configuration.
The cpu traffic qos dscp and cpu traffic qos precedence global configuration commands are mutually exclusive. A new configuration overwrites the existing configuration.
When the cpu traffic qos dscp global configuration command is configured with table maps, you can configure only one map from value at a time—DSCP, precedence, or CoS. A new configuration overwrites the existing configuration. Packets marked by this command can be classified and queued by an output policy map based on the marked DSCP or precedence value.
You cannot configure a map from value of both DSCP and precedence. A new configuration overwrites the existing configuration.
This example shows how to configure egress queuing based on the DSCP value of CPU-generated IP packets.
The sample configuration has these results:
The example has these results:
Use the cpu traffic qos precedence command in global configuration mode to configure quality of service (QoS) marking for control plane traffic. To return to the default value, use the no form of this command.
cpu traffic qos precedence { precedence_value | cos [ table-map table-map-name ] | dscp [ table-map table-map-name ] | precedence [ table-map table-map-name ]}
no cpu traffic qos precedence { precedence_value | cos [ table-map table-map-name ] | dscp [ table-map table-map-name ] | precedence [ table-map table-map-name ]}
This feature must be configured globally for a switch; it cannot be configured per-port or per-protocol.
Enter each cpu traffic qos marking action on a separate line.
The cpu traffic qos dscp and cpu traffic qos precedence global configuration commands are mutually exclusive. A new configuration overwrites the existing configuration.
When the cpu traffic qos precedence global configuration command is configured with table maps, you can configure only one map from value at a time—DSCP, precedence, or CoS. A new configuration overwrites the existing configuration. Packets marked by this command can be classified and queued by an output policy map based on the marked precedence or DSCP value.
You cannot configure a map from value of both DSCP and precedence. A new configuration overwrites the existing configuration.
The following example shows how to mark the precedence based on the DSCP value in the packet and configure egress queuing based on the precedence value.
The example has these results:
Use the cpu traffic qos qos-group command in global configuration mode to map all CPU-generated traffic to a single class in the output policy-maps without changing the class of service (CoS), IP differentiated services code point (DSCP), or IP-precedence packet markings. To return to the default settings, use the no form of this command.
This feature must be configured globally for a switch; it cannot be configured per-port or per-protocol.
Enter each cpu traffic qos marking action on a separate line.
The cpu traffic qos qos-group global configuration command can be used to configure QoS group marking for CPU-generated traffic only for a specific QoS group. The table-map option is not available.
The following example shows how to mark all the CPU-generated traffic with a QoS-group and configure egress queuing based on that QoS-group.
Use the define interface-range global configuration command to create an interface-range macro. Use the no form of this command to delete the defined macro.
define interface-range macro-name interface-range
The macro name is a 32-character maximum character string.
A macro can contain up to five ranges.
All interfaces in a range must be the same type; that is, all Fast Ethernet ports, all Gigabit Ethernet ports, all EtherChannel ports, or all VLANs, but you can combine multiple interface types in a macro.
When entering the interface-range , use this format:
Valid values for type and interface :
VLAN interfaces must have been configured with the interface vlan command (the show running-config privileged EXEC command displays the configured VLAN interfaces). VLAN interfaces not displayed by the show running-config command cannot be used in interface-ranges.
When you define a range, you must enter a space before the hyphen (-), for example:
You can also enter multiple ranges. When you define multiple ranges, you must enter a space after the first entry before the comma (,). The space after the comma is optional, for example:
Displays the operating configuration. For syntax information, use this link to the Cisco IOS Release 12.2 Command Reference listing page:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/prod_command_reference_list.html
|
Use the delete privileged EXEC command to delete a file or directory on the flash memory device.
If you use the /force keyword, you are prompted once at the beginning of the deletion process to confirm the deletion.
If you use the /recursive keyword without the /force keyword, you are prompted to confirm the deletion of every file.
The prompting behavior depends on the setting of the file prompt global configuration command. By default, the switch prompts for confirmation on destructive file operations. For more information about this command, see the Cisco IOS Command Reference for Release 12.1 .
This example shows how to remove the directory that contains the old software image after a successful download of a new image:
You can verify that the directory was removed by entering the dir filesystem : privileged EXEC command.
Use the deny Address Resolution Protocol (ARP) access-list configuration command to deny an ARP packet based on matches against the DHCP bindings. Use the no form of this command to remove the specified access control entry (ACE) from the access list.
deny {[ request ] ip { any | host sender-ip | sender-ip sender-ip-mask } mac { any | host sender-mac | sender-mac sender-mac-mask } | response ip { any | host sender-ip | sender-ip sender-ip-mask } [{ any | host target-ip | target-ip target-ip-mask }] mac { any | host sender-mac | sender-mac sender-mac-mask } [{ any | host target-mac | target-mac target-mac-mask }]} [ log ]
no deny {[ request ] ip { any | host sender-ip | sender-ip sender-ip-mask } mac { any | host sender-mac | sender-mac sender-mac-mask } | response ip { any | host sender-ip | sender-ip sender-ip-mask } [{ any | host target-ip | target-ip target-ip-mask }] mac { any | host sender-mac | sender-mac sender-mac-mask } [{ any | host target-mac | target-mac target-mac-mask }]} [ log ]
This example shows how to define an ARP access list and to deny both ARP requests and ARP responses from a host with an IP address of 1.1.1.1 and a MAC address of 0000.0000.abcd:
You can verify your settings by entering the show arp access-list privileged EXEC command.
Use the deny command in IPv6 access list configuration mode to set deny conditions for an IPv6 access list. Use the no form of this command to remove the deny conditions.
deny { protocol } { source-ipv6-prefix / prefix-length | any | host source-ipv6-address } [ operator [ port-number ]] { destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address } [ operator [ port-number ]] [ dscp value ] [ fragments ] [ log ] [ log-input ] [ routing ] [ sequence value ] [ time-range name ]
no deny { protocol } { source-ipv6-prefix / prefix-length | any | host source-ipv6-address } [ operator [ port-number ]] { destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address } [ operator [ port-number ]] [ dscp value ] [ fragments ] [ log ] [ log-input ] [ routing ] [ sequence value ] [ time-range name ]
Internet Control Message Protocol
deny icmp { source-ipv6-prefix / prefix-length | any | host source-ipv6-address } [ operator [ port-number ]] { destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address } [ operator [ port-number ]] [ icmp-type [ icmp-code ] | icmp-message ] [ dscp value ] [ log ] [ log-input ] [ routing ] [ sequence value ] [ time-range name ]
deny tcp { source-ipv6-prefix / prefix-length | any | host source-ipv6-address } [ operator [ port-number ]] { destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address } [ operator [ port-number ]] [ ack ] [ dscp value ] [ established ] [ fin ] [ log ] [ log-input ] [ neq { port | protocol }] [ psh ] [ range { port | protocol }] [ rst ] [ routing ] [ sequence value ] [ syn ] [ time-range name ] [ urg ]
deny udp { source-ipv6-prefix / prefix-length | any | host source-ipv6-address } [ operator [ port-number ]] { destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address } [ operator [ port-number ]] [ dscp value ] [ log ] [ log-input ] [ neq { port | protocol }] [ range { port | protocol }] [ routing ] [ sequence value ] [ time-range name ]
Note This command is available only if the switch is running the metro IP access image and you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
Note Although visible in the command-line help strings, the flow-label, routing, and undetermined-transport keywords are not supported.
IPv6 access list configuration
The deny (IPv6 access-list configuration mode) command is similar to the deny (IPv4 access-list configuration mode) command, but it is IPv6-specific.
Use the deny (IPv6) command after the ipv6 access-list command to enter IPv6 access list configuration mode and to define the conditions under which a packet passes the access list.
Specifying IPv6 for the protocol argument matches the IPv6 header of the packet.
By default, the first statement in an access list is number 10, and the subsequent statements are numbered in increments of 10.
You can add permit , deny , or remark statements to an existing access list without re-entering the entire list. To add a new statement somewhere other than at the end of the list, create a new statement with an appropriate entry number between two existing entry numbers to show where it belongs.
Note Every IPv6 ACL has implicit permit icmp any any nd-na, permit icmp any any nd-ns, and deny ipv6 any any statements as its last match conditions. The two permit conditions allow ICMPv6 neighbor discovery. To disallow ICMPv6 neighbor discovery and to deny icmp any any nd-na or icmp any any nd-ns, there must be an explicit deny entry in the ACL. For the three implicit statements to take effect, an IPv6 ACL must contain at least one entry.
The IPv6 neighbor discovery process uses the IPv6 network layer service. Therefore, by default, IPv6 ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface. In IPv4, the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery process, uses a separate data-link layer protocol. Therefore, by default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.
Both the source-ipv6-prefix / prefix-length and destination-ipv6-prefix / prefix-length arguments are used for traffic filtering. (The source prefix filters traffic based upon its source; the destination prefix filters traffic based upon its destination.)
The switch supports IPv6 address matching for a full range of prefix lengths.
The fragments keyword is an option only if the protocol is ipv6 and the operator [ port-number ] arguments are not specified.
This is a list of ICMP message names:
This example configures the IPv6 access list named CISCO and applies the access list to outbound traffic on a Layer 3 interface. The first deny entry prevents all packets that have a destination TCP port number greater than 5000 from leaving the interface. The second deny entry prevents all packets that have a source UDP port number less than 5000 from leaving the interface. The second deny also logs all matches to the console. The first permit entry permits all ICMP packets to leave the interface. The second permit entry permits all other traffic to leave the interface. The second permit entry is necessary because an implicit deny-all condition is at the end of each IPv6 access list.
Use the deny MAC access-list configuration command to prevent non-IP traffic from being forwarded if the conditions are matched. Use the no form of this command to remove a deny condition from the named MAC access list.
{ deny | permit } { any | host src-MAC-addr | src-MAC-addr mask } { any | host dst-MAC-addr | dst-MAC-addr mask } [ type mask | aarp | amber | cos cos | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | lsap lsap mask |mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp ]
no { deny | permit } { any | host src-MAC-addr | src-MAC-addr mask } { any | host dst-MAC-addr | dst-MAC-addr mask } [ type mask | aarp | amber | cos cos | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | lsap lsap mask | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp ]
Note Though visible in the command-line help strings, appletalk is not supported as a matching condition.
To filter IPX traffic, you use the type mask or lsap lsap mask keywords, depending on the type of IPX encapsulation being used. Filter criteria for IPX encapsulation types as specified in Novell terminology and Cisco IOS terminology are listed in Table 2-1 .
You enter MAC-access list configuration mode by using the mac access-list extended global configuration command.
If you use the host keyword, you cannot enter an address mask; if you do not use the host keyword, you must enter an address mask.
When an access control entry (ACE) is added to an access control list, an implied deny - any - any condition exists at the end of the list. That is, if there are no matches, the packets are denied. However, before the first ACE is added, the list permits all packets.
Note For more information about named MAC extended access lists, see the software configuration guide for this release.
This example shows how to define the named MAC extended access list to deny NETBIOS traffic from any source to MAC address 00c0.00a0.03fa. Traffic matching this list is denied.
This example shows how to remove the deny condition from the named MAC extended access list:
This example denies all packets with Ethertype 0x4321:
You can verify your settings by entering the show access-lists privileged EXEC command.
Use the diagnostic monitor global configuration command to configure health-monitoring diagnostic testing. Use the no form of this command to disable testing and to return to the default settings.
diagnostic monitor interval test { name | test-id | test-id-range | all } hh:mm:ss milliseconds day
diagnostic monitor test { name | test-id | test-id-range | all }
diagnostic monitor threshold test { name | test-id | test-id-range | all } failure count count
no diagnostic monitor interval test { name | test-id | test-id-range | all }
no diagnostic monitor test { name | test-id | test-id-range | all }
no diagnostic monitor threshold test { name | test-id | test-id-range | all } failure coun t count
Specify the test name. To display the test names in the test-ID list, enter the show diagnostic content privileged EXEC command. |
|
Specify the ID number of the test. The range is from 1 to 6. To display the test numbers in the test-ID list, enter the show diagnostic content privileged EXEC command. |
|
Specify more than one test with the range of test ID numbers. Enter the range as integers separated by a comma and a hyphen (for example, 1,3-6 specifies test IDs 1, 3, 4, 5, and 6). To display the test numbers in the test-ID list, enter the show diagnostic content privileged EXEC command. |
|
Configure the monitoring interval in hours, minutes, and seconds. |
|
Configure the monitoring interval (test time) in milliseconds (ms). The range is from 0 to 999 ms. |
|
Configure the monitoring interval in the number of days between tests. The range is from 0 to 20 days. |
|
Enable the generation of a syslog message when a health-monitoring test fails. |
|
Set the failure threshold count. The range for count is from 0 to 99. |
Use the diagnostic schedule test global configuration command to configure the diagnostic test schedule. Use the no form of this command to remove the schedule.
diagnostic schedule test { name | test-id | test-id-range | all | basic | non-disruptive } { daily hh : mm | on mm dd yyyy hh : mm | weekly day-of-week hh : mm }
no diagnostic schedule test { name | test-id | test-id-range | all | basic | non-disruptive } { daily hh : mm | on mm dd yyyy hh : mm | weekly day-of-week hh : mm }
Specify the name of the test. To display the test names in the test-ID list, enter the show diagnostic content privileged EXEC command. |
|
Specify the ID number of the test. The range is from 1 to 6. To display the test numbers in the test-ID list, enter the show diagnostic content privileged EXEC command. |
|
Specify more than one test with the range of test ID numbers. Enter the range as integers separated by a comma and a hyphen (for example, 1,3-6 specifies test IDs 1, 3, 4, 5, and 6). To display the test numbers in the test-ID list, enter the show diagnostic content privileged EXEC command. |
|
Specify the daily scheduling of the diagnostic tests. hh : mm— Enter the time as a 2-digit number (for a 24-hour clock) for hours:minutes; the colon ( : ) is required, such as 12:30. |
|
Specify the scheduling of the diagnostic tests on a specific day and time. |
|
Specify the weekly scheduling of the diagnostic tests. day-of-week— Spell out the day of the week, such as Monday, Tuesday, and so on, with upper-case or lower-case characters. |
This example how to schedule diagnostic testing for a specific day and time:
This example shows how to schedule diagnostic testing to occur weekly at a specific time:
Use the diagnostic start test privileged EXEC command to run an online diagnostic test.
diagnostic start test { name | test-id | test-id-range | all | basic | non-disruptive }
Specify the name of the test. To display the test names in the test-ID list, enter the show diagnostic content privileged EXEC command. |
|
Specify the ID number of the test. The range is from 1 to 6. To display the test numbers in the test-ID list, enter the show diagnostic content privileged EXEC command. |
|
Specify more than one test with the range of test ID numbers. Enter the range as integers separated by a comma and a hyphen (for example, 1,3-6 specifies test IDs 1, 3, 4, 5, and 6). To display the test numbers in the test-ID list, enter the show diagnostic content privileged EXEC command. |
|
After you start the tests by using the diagnostic start command, you cannot stop the testing process.
The switch supports these tests:
To identify a test name, use the show diagnostic content privileged EXEC command to display the test ID list. To specify test 3 by using the test name, enter the diagnostic start switch number test TestPortAsicCam privileged EXEC command.
To specify more than one test, use the test-id-range parameter, and enter integers separated by a comma and a hyphen. For example, to specify tests 2, 3, and 4, enter the diagnostic start test 2-4 comman d. To specify tests 1, 3, 4, 5, and 6, enter the diagnostic start test 1,3-6 comman d.
This example shows how to start diagnostic test 1:
This example shows how to start diagnostic test 2. Running this test disrupts the normal system operation and then reloads the switch.
Use the dot1x default interface configuration command to reset the configurable IEEE 802.1x parameters to their default values.
This example shows how to reset the configurable IEEE 802.1x parameters on a port:
You can verify your settings by entering the show dot1x [ interface interface-id ] privileged EXEC command.
show dot1x [ interface interface-id ] |
Use the dot1x host-mode interface configuration command to allow a single host (client) or multiple hosts on an IEEE 802.1x-authorized port that has the dot1x port-control interface configuration command set to auto . Use the no form of this command to return to the default setting.
dot1x host-mode { multi-host | single-host }
no dot1x host-mode [ multi-host | single-host ]
Note Although visible in the command-line interface help, the multi-domain keyword is not supported.
Use this command to limit an IEEE 802.1x-enabled port to a single client or to attach multiple clients to an IEEE 802.1x-enabled port. In multiple-hosts mode, only one of the attached hosts must be successfully authorized for all hosts to be granted network access. If the port becomes unauthorized (re-authentication fails or an Extensible Authentication Protocol over LAN [EAPOL]-logoff message is received), all attached clients are denied access to the network.
Before entering this command, make sure that the dot1x port-control interface configuration command is set to auto for the specified port.
The dot1x host-mode multi-domain interface configuration command is not supported on the switch. Configuring this command on an interface causes the interface to go into the error-disabled state.
This example shows how to enable IEEE 802.1x globally, to enable IEEE 802.1x on a port, and to enable multiple-hosts mode:
You can verify your settings by entering the show dot1x [ interface interface-id ] privileged EXEC command.
show dot1x [ interface interface-id ] |
Use the dot1x initialize privileged EXEC command to manually return the specified IEEE 802.1x-enabled port to an unauthorized state before initiating a new authentication session on the port.
Use this command to initialize the IEEE 802.1x state machines and to set up a fresh environment for authentication. After you enter this command, the port status becomes unauthorized.
This example shows how to manually initialize a port:
You can verify the unauthorized port status by entering the show dot1x [ interface interface-id ] privileged EXEC command.
show dot1x [ interface interface-id ] |
Use the dot1x max-reauth-req interface configuration command to set the maximum number of times that the switch restarts the authentication process before a port transitions to the unauthorized state. Use the no form of this command to return to the default setting.
You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.
This example shows how to set 4 as the number of times that the switch restarts the authentication process before the port transitions to the unauthorized state:
You can verify your settings by entering the show dot1x [ interface interface-id ] privileged EXEC command.
Sets the maximum number of times that the switch forwards an EAP frame (assuming that no response is received) to the authentication server before restarting the authentication process. |
|
dot1x timeout tx-period |
Sets the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request. |
show dot1x [ interface interface-id ] |
Use the dot1x max-req interface configuration command to set the maximum number of times that the switch sends an Extensible Authentication Protocol (EAP) frame from the authentication server (assuming that no response is received) to the client before restarting the authentication process. Use the no form of this command to return to the default setting.
You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.
This example shows how to set 5 as the number of times that the switch sends an EAP frame from the authentication server before restarting the authentication process:
You can verify your settings by entering the show dot1x [ interface interface-id ] privileged EXEC command.
dot1x timeout tx-period |
Sets the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request. |
show dot1x [ interface interface-id ] |
Use the dot1x port-control interface configuration command to enable manual control of the authorization state of the port. Use the no form of this command to return to the default setting.
dot1x port-control { auto | force-authorized | force-unauthorized }
You must globally enable IEEE 802.1x on the switch by using the dot1x system-auth-control global configuration command before enabling IEEE 802.1x on a specific port.
The IEEE 802.1x protocol is supported on Layer 2 static-access ports and Layer 3 routed ports.
You can use the auto keyword only if the port is not configured as one of these:
To globally disable IEEE 802.1x on the switch, use the no dot1x system-auth-control global configuration command. To disable IEEE 802.1x on a specific port, use the no dot1x port-control interface configuration command.
This example shows how to enable IEEE 802.1x on a port:
You can verify your settings by entering the show dot1x [ interface interface-id ] privileged EXEC command.
show dot1x [ interface interface-id ] |
Use the dot1x re-authenticate privileged EXEC command to manually initiate a re-authentication of the specified IEEE 802.1x-enabled port.
Use the dot1x reauthentication interface configuration command to enable periodic re-authentication of the client. Use the no form of this command to return to the default setting.
You configure the amount of time between periodic re-authentication attempts by using the dot1x timeout reauth-period interface configuration command.
This example shows how to disable periodic re-authentication of the client:
This example shows how to enable periodic re-authentication and to set the number of seconds between re-authentication attempts to 4000 seconds:
You can verify your settings by entering the show dot1x [ interface interface-id ] privileged EXEC command.
dot1x timeout reauth-period |
Sets the number of seconds between re-authentication attempts. |
show dot1x [ interface interface-id ] |
Use the dot1x supplicant force-multicast global configuration command to force a supplicant switch to send only multicast Extensible Authentication Protocol over LAN (EAPOL) packets whenever it receives multicast or unicast EAPOL packets. Use the no form of this command to return to the default setting.
Enable this command on the supplicant switch for Network Edge Access Topology (NEAT) to work in all host modes.
This example shows how force a supplicant switch to send multicast EAPOL packets to authenticator switch:
Use the dot1x system-auth-control global configuration command to globally enable IEEE 802.1x. Use the no form of this command to return to the default setting.
You must enable authentication, authorization, and accounting (AAA) and specify the authentication method list before globally enabling IEEE 802.1x. A method list describes the sequence and authentication methods to be queried to authenticate a user.
Before globally enabling IEEE 802.1x on a switch, remove the EtherChannel configuration from the interfaces on which IEEE 802.1x and EtherChannel are configured.
This example shows how to globally enable IEEE 802.1x on a switch:
You can verify your settings by entering the show dot1x [ interface interface-id ] privileged EXEC command.
Enables manual control of the authorization state of the port. |
|
show dot1x [ interface interface-id ] |
Use the dot1x test eapol-capable privileged EXEC command to monitor IEEE 802.1x activity on all the switch ports and to display information about the devices that are connected to the ports that support IEEE 802.1x.
Use this command to test the IEEE 802.1x capability of the devices connected to all ports or to specific ports on a switch.
This example shows how to enable the IEEE 802.1x readiness check on a switch to query a port. It also shows the response received from the queried port verifying that the device connected to it is IEEE 802.1x-capable:
dot1x test timeout timeout |
Configures the timeout used to wait for EAPOL response to an IEEE 802.1x readiness query. |
Use the dot1x test timeout global configuration command to configure the timeout used to wait for EAPOL response from a port being queried for IEEE 802.1x readiness.
This example shows how to configure the switch to wait 27 seconds for an EAPOL response:
You can verify the timeout configuration status by entering the show run privileged EXEC command.
dot1x test eapol-capable [ interface interface-id ] |
Checks for IEEE 802.1x readiness on devices connected to all or to specified IEEE 802.1x-capable ports. |
Use the dot1x timeout interface configuration command to set IEEE 802.1x timers. Use the no form of this command to return to the default setting.
dot1x timeout { quiet-period seconds | reauth-period seconds | server-timeout seconds | supp-timeout seconds | tx-period seconds }
no dot1x timeout { quiet-period | reauth-period | server-timeout | supp-timeout | tx-period }
You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.
The dot1x timeout reauth-period interface configuration command affects the behavior of the switch only if you have enabled periodic re-authentication by using the dot1x reauthentication interface configuration command.
During the quiet period, the switch does not accept or initiate any authentication requests. If you want to provide a faster response time to the user, enter a number smaller than the default.
This example shows how to enable periodic re-authentication and to set 4000 as the number of seconds between re-authentication attempts:
This example shows how to set 30 seconds as the quiet time on the switch:
This example shows how to set 45 seconds as the switch-to-authentication server retransmission time:
This example shows how to set 45 seconds as the switch-to-client retransmission time for the EAP request frame:
This example shows how to set 60 as the number of seconds to wait for a response to an EAP-request/identity frame from the client before re-transmitting the request:
You can verify your settings by entering the show dot1x privileged EXEC command.
Use the dot1x violation-mode interface configuration command to configure the violation modes that occur when a new device connects to a port or when a new device connects to a port after the maximum number of devices are connected to that port.
This example shows how to configure an IEEE 802.1x-enabled port as error disabled and to shut down when a new device connects to the port:
This example shows how to configure an IEEE 802.1x-enabled port to generate a system error message and change the port to restricted mode when a new device connects to the port:
This example shows how to configure an IEEE 802.1x-enabled port to ignore a new connected device when it is connected to the port:
You can verify your settings by entering the show dot1x [ interface interface-id ] privileged EXEC command.
show dot1x [ interface interface-id ] |
Use the duplex interface configuration command to specify the duplex mode of operation for a port. Use the no form of this command to return the port to its default value.
This command is only available when a 1000BASE-T SFP module or a 100BASE-FX MMF SFP module is in the SFP module slot. All other SFP modules operate only in full-duplex mode.
When a 1000BASE-T SFP module is in the SFP module slot, you can configure duplex mode to auto or full .
When a 100BASE-FX MMF SFP module is in the SFP module slot, you can configure duplex mode to half or full . Although the auto keyword is available, it puts the interface in half-duplex mode (the default) because the 100BASE-FX MMF SFP module does not support autonegotiation.
Certain ports can be configured to be either full duplex or half duplex. Applicability of this command depends on the device to which the switch is attached.
For Fast Ethernet ports, setting the port to auto has the same effect as specifying half if the attached device does not autonegotiate the duplex parameter.
For Gigabit Ethernet ports, setting the port to auto has the same effect as specifying full if the attached device does not autonegotiate the duplex parameter.
Note Half-duplex mode is supported on Gigabit Ethernet interfaces if duplex mode is auto and the connected device is operating at half duplex. However, you cannot configure these interfaces to operate in half-duplex mode.
If both ends of the line support autonegotiation, we highly recommend using the default autonegotiation settings. If one interface supports autonegotiation and the other end does not, configure duplex and speed on both interfaces; do use the auto setting on the supported side.
If the speed is set to auto , the switch negotiates with the device at the other end of the link for the speed setting and then forces the speed setting to the negotiated value. The duplex setting remains as configured on each end of the link, which could result in a duplex setting mismatch.
You can configure the duplex setting when the speed is set to auto .
Note For guidelines on setting the switch speed and duplex parameters, see the software configuration guide for this release.
This example shows how to configure an interface for full duplex operation:
You can verify your setting by entering the show interfaces privileged EXEC command.
Use the errdisable detect cause global configuration command to enable error-disabled detection for a specific cause or all causes. Use the no form of this command to disable the error-disabled detection feature.
errdisable detect cause { all | arp-inspection | dhcp-rate-limit | gbic-invalid | l2ptguard | link-flap | loopback | pagp-flap | small-frame }
no errdisable detect cause { all | arp-inspection | dhcp-rate-limit | gbic-invalid | l2ptguard | link-flap | pagp-flap | small-frame }
Note Although visible in the command line interface, small-frame keyword is not needed on the switch because the existing broadcast storm disable feature correctly handles small frames.
A cause ( all , dhcp-rate-limit , and so forth) is the reason why the error-disabled state occurred. When a cause is detected on an interface, the interface is placed in an error-disabled state, an operational state that is similar to a link-down state.
When a port is error-disabled, it is effectively shut down, and no traffic is sent or received on the port. For the BPDU guard and port-security features, you can configure the switch to shut down just the offending VLAN on the port when a violation occurs, instead of shutting down the entire port.
If you set a recovery mechanism for the cause by entering the errdisable recovery global configuration command for the cause, the interface is brought out of the error-disabled state and allowed to retry the operation when all causes have timed out. If you do not set a recovery mechanism, you must enter the shutdown and then the no shutdown commands to manually recover an interface from the error-disabled state.
This example shows how to enable error-disabled detection for the link-flap error-disabled cause:
You can verify your setting by entering the show errdisable detect privileged EXEC command.
show interfaces status err-disabled |
Displays interface status or a list of interfaces in the error-disabled state. |
Use the errdisable recovery global configuration command to configure the recover mechanism variables. Use the no form of this command to return to the default setting.
errdisable recovery { cause { all | arp-inspection | bpduguard | channel-misconfig | dhcp-rate-limit | gbic-invalid | l2ptguard | link-flap | loopback | pagp-flap | psecure-violation | security-violation | small-frame | udld | unicast-flood | vmps } | { interval interval }
no errdisable recovery { cause { all | arp-inspection | bpduguard | channel-misconfig | dhcp-rate-limit | gbic-invalid | l2ptguard | link-flap | loopback | pagp-flap | psecure-violation | security-violation | small-frame | udld | unicast-flood | vmps } | { interval interval }
Note Although visible in the command-line help strings, the storm-control and unicast-flood keywords are not supported. The small-frame keyword is not used because the broadcast-storm disable feature processes small frames
A cause ( all , bpduguard and so forth) is defined as the reason that the error-disabled state occurred. When a cause is detected on an interface, the interface is placed in error-disabled state, an operational state similar to link-down state. If you do not enable errdisable recovery for the cause, the interface stays in error-disabled state until you enter a shutdown and no shutdown interface configuration command. If you enable the recovery for a cause, the interface is brought out of the error-disabled state and allowed to retry the operation again when all the causes have timed out.
Otherwise, you must enter the shutdown then no shutdown commands to manually recover an interface from the error-disabled state
This example shows how to enable the recovery timer for the BPDU guard error-disabled cause:
This example shows how to set the timer to 500 seconds:
You can verify your settings by entering the show errdisable recovery privileged EXEC command.
show interfaces status err-disabled |
Displays interface status or a list of interfaces in error-disabled state. |
To configure an IEEE 802.1ad port, use the ethernet dot1ad interface configuration command. To disable an 802.1ad port, use the no form of the command.
ethernet dot1ad { nni | uni { c-port | s-port | c-port isolate | s-port isolate }}
The 802.1ad UNI port commands are typically used on the provider-edge switch ports interfacing with a customer device. For S-bridge UNI ports, you configure the customer device switch port as a trunk port and the S-bridge UNI on the interfacing PE device as an access port. The 802.1ad S-bridge UNI port provides an all-to-one bundling function for the set of customer C-VLANs in the provider network.
The 802.1ad C-bridge UNI ports provide selective bundling as well as all-to-one bundling capabilities for customer VLANs.
You should configure an 802.1ad NNI on all the interconnecting trunk links in the 802.1ad provider cloud to achieve end-to-end Layer 2 protocol tunneling.
You cannot configure a port as an isolated C-UNI or S-UNI port if the port is already configured as an 802.1ad port type. However, you can use the ethernet dot1ad interface command to change an isolated dot1ad port to a nonisolated S-UNI or C-UNI port.
An S-UNI or isolated S-UNI port must be an access port. A C-UNI or isolated C-UNI port can be an access port or a trunk port.
Use the ethernet evc global configuration command to define an Ethernet virtual connection (EVC) and to enter EVC configuration mode. Use the no form of this command to delete the EVC.
After you enter the ethernet evc evc-id command, the switch enters EVC configuration mode, and these configuration commands are available:
service instance id ethernet evc-id |
Configures an Ethernet service instance and attaches an EVC to it. |
Use the ethernet lmi global configuration command to configure enable Ethernet Local Management Interface (E-LMI) and to configure the switch as a provider-edge (PE) or customer-edge (CE) device. Use the no form of this command to disable E-LMI globally or to disable E-LMI CE.
Use ethernet lmi global command to enable E-LMI globally. Use ethernet lmi ce command to enable the switch as E-LMI CE device.
Ethernet LMI is disabled by default on an interface and must be explicitly enabled by entering the ethernet lmi interface interface configuration command. The ethernet lmi global command enables Ethernet LMI in PE mode on all interfaces for an entire device. The benefit of this command is that you can enable Ethernet LMI on all interfaces with one command instead of enabling Ethernet LMI separately on each interface. To enable the interface in CE mode, you must also enter the ethernet lmi ce global configuration command.
To disable Ethernet LMI on a specific interface after you have entered the ethernet lmi global command, enter the no ethernet lmi interface interface configuration command.
The sequence in which you enter the ethernet lmi interface interface configuration and ethernet lmi global global configuration commands is important. The latest command entered overrides the prior command entered.
Note For information about the ethernet lmi interface configuration command, see the Cisco IOS Carrier Ethernet Command Reference at this URL:
http://www.cisco.com/en/US/docs/ios/cether/command/reference/ce_book.html
To enable the switch as an Ethernet LMI CE device, you must enter both the ethernet lmi global and ethernet lmi ce commands. By default Ethernet LMI is disabled, and, when enabled the switch is in provider-edge mode unless you also enter the ethernet lmi ce command.
When the switch is configured as an Ethernet LMI CE device, these interface configuration commands and keywords are visible, but not supported:
Use the ethernet lmi ce-vlan map Ethernet service configuration command to configure Ethernet Local Management Interface (E-LMI) parameters. Use the no form of this command to remove the configuration.
ethernet lmi ce-vlan map { vlan-id | any | default | untagged}
no ethernet lmi ce-vlan map { vlan-id | any | default | untagged}
Ethernet service configuration
Use this command to configure an E-LMI customer VLAN-to-EVC map for a particular user-network interface (UNI).
On an ME-3400E interface configured for VLAN mapping, use the customer VLAN ID (C-VLAN) value when entering the ethernet lmi ce-vlan map vlan-id service instance configuration mode command. Do not use the service-provider VLAN ID (S-VLAN).
E-LMI mapping parameters are related to the bundling characteristics set by entering the ethernet uni { bundle [ all-to-one ] | multiplex } interface configuration command.
This example shows how to configure an E-LMI customer VLAN-to-EVC map to map EVC test to customer VLAN 101 in service instance 333 on the interface:
service instance id ethernet |
Defines an Ethernet service instance and enters Ethernet service configuration mode. |
Displays information about configured Ethernet service instances. |
Use the ethernet loopback facility interface configuration command to configure per-port loopbacks for testing connectivity across multiple switches. Use the ethernet loopback terminal interface configuration command to test quality of service (QoS). Use the no form of this command to remove the configuration.
ethernet loopback facility [ vlan vlan-list ] [ mac-address { swap | copy }] [ timeout { seconds | none }] supported
ethernet loopback terminal [ mac-address { swap | copy }] [ timeout { seconds | none }] supported
You can configure Ethernet loopback only on physical ports, not on VLANs or port channels.
A facility loopback puts the port into a state where the link is up, but the line protocol is down for regular traffic. The switch loops back all received traffic.
When you configure VLAN loopback by entering the vlan vlan-list keywords, the other VLANs on the port continue to be switched normally, allowing non-disruptive loopback testing.
The loopback ends after a port event, such as a port shutdown or a change from a switchport to a routed port.
For a terminal loopback, the software sees the port as up, but the link is down, and no packets are sent. Any configuration changes on the port immediately affect the traffic being looped back.
You can configure one loopback per port, and a maximum of two loopbacks per switch. You can configure only on terminal loopback per switch. Therefore, a switch could have one facility loopback and one terminal loopback or two facility loopbacks.
Ethernet loopback interactions with other features:
After you have configured Ethernet loopback, you enter the ethernet loopback start interface-id privileged EXEC command to begin the loopback. To stop loopback, enter the ethernet loopback stop { interface-id | all } command.
This example shows how to configure an Ethernet loopback to swap the MAC source and destination addresses, to time out after 30 seconds, to start the loopback process, and to verify the configuration. You must confirm the action before configuring.
This example shows how to remove Ethernet loopback facility configuration on two interfaces and to configure Ethernet terminal loopback on an interface.
Use the ethernet loopback privileged EXEC command to start or stop an Ethernet loopback function on an interface.
ethernet loopback { start interface-id | stop { interface-id | all }}
Before starting or stopping an Ethernet loopback operation, you must configure it on an interface by entering the ethernet loopback interface configuration command. When you start loopback, you see a warning message.
You can configure Ethernet loopback and enter the ethernet loopback start or ethernet loopback stop command only for physical ports, not for VLANs or port channels.
You cannot start VLAN loopback on nontrunk interfaces. You cannot start terminal loopback on routed interfaces.
You can configure only one loopback per port and a maximum of two loopbacks per switch. You can configure only one terminal loopback per switch.
This example shows how to start a facility port loopback process, to verify it, and then to stop it:
This example shows how to start a VLAN non-intrusive loopback process:
Use the ethernet oam remote-failure interface configuration or configuration template command to configure Ethernet operations, maintenance, and administration (EOM) remote failure indication. Use the no form of this command to remove the configuration.
ethernet oam remote-failure { critical-event | dying-gasp | link-fault } action error-disable-interface
no ethernet oam remote-failure { critical-event | dying-gasp | link-fault } action
Ethernet service configuration
You can apply this command to an Ethernet OAM template and to an interface. The interface configuration takes precedence over template configuration. To enter OAM template configuration mode, use the template template-name global configuration command.
The Cisco ME switch does not generate Link Fault or Critical Event OAM PDUs. However, if these PDUs are received from a link partner, they are processed. The switch supports generating and receiving Dying Gasp OAM PDUs when Ethernet OAM is disabled, the interface is shut down, the interface enters the error-disabled state, or the switch is reloading. The switch can also generate and receive Dying Gasp PDUs based on loss of power. The PDU includes a reason code to indicate why it was sent.
You can configure an error-disable action to occur if the remote link goes down, if the remote device is disabled, or if the remote device disables Ethernet OAM on the interface.
For complete command and configuration information for the Ethernet OAM protocol, see the
Cisco IOS Carrier Ethernet Configuration Guide
at:
http://www.cisco.com/en/US/docs/ios/cether/configuration/guide/12_2sr/ce_12_2sr_book.html
For information about other CFM and Ethernet OAM commands, see the
Cisco IOS Carrier Ethernet Command Reference
at:
http://www.cisco.com/en/US/docs/ios/cether/command/reference/ce_book.html
Use the ethernet uni interface configuration command to set UNI bundling attributes. Use the no form of this command to return to the default bundling configuration.
ethernet uni { bundle [ all-to-one ] | multiplex }
no ethernet uni { bundle | multiplex }
The UNI attributes determine the functionality that the interface has regarding bundling VLANs, multiplexing EVCs, and the combination of these.
If you want both bundling and multiplexing services for a UNI, you do not need to configure bundling or multiplexing. If you want only bundling, or only multiplexing, you need to configure it appropriately.
When you configure, change, or remove a UNI service type, the EVC and CE-VLAN ID configurations are checked to ensure that the configurations and the UNI service types match. If the configurations do not match, the command is rejected.
If you intend to use the ethernet lmi ce-vlan map any service configuration command, you must first configure all-to-one bundling on the interface. See the ethernet lmi ce-vlan map section for more information.
This example shows how to configure bundling without multiplexing:
To verify UNI service type, enter the show ethernet service interface detail privileged EXEC command.
Use the ethernet uni interface configuration command to create an Ethernet user-network interface (UNI) ID. Use the no form of this command to remove the UNI ID.
When you configure a UNI ID on a port, that ID is used as the default name for all maintenance end points (MEPs) configured on the port.
You must enter the ethernet uni id name command on all ports that are directly connected to customer-edge (CE) devices. If the specified ID is not unique on the device, an error message appears.
Use the exceed-action policy-map class police configuration command to set multiple actions for a policy-map class for packets with a rate between the committed information rate (CIR) or peak information rate (PIR) conform rate and the conform rate plus the exceed burst. Use the no form of this command to cancel the action or to return to the default action.
exceed-action { drop | set-cos-transmit { new-cos-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-dscp-transmit { new-dscp-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-prec-transmit { new-precedence-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-qos-transmit qos-group-value | transmit ]}
no exceed-action { drop | set-cos-transmit { new-cos-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-dscp-transmit { new-dscp-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-prec-transmit { new-precedence-value | [ cos | dscp | precedence ] [ table table-map name ]} | set-qos-transmit qos-group-value | transmit ]}
Policy-map class police configuration
You configure exceed actions for packets when the packet rate is between the configured conform rate and the conform rate plus the exceed burst.
If the conform action is set to drop , the exceed and violate actions are automatically set to drop . If the exceed action is set to drop , the violate action is automatically set to drop .
You can configure exceed-action to send the packet unmodified, mark using explicit values, and use all combinations of enhanced packet marking. Enhanced packet marking provides the ability to modify a QoS marking based on any incoming QoS marking and table maps. The switch also supports the ability to mark multiple QoS parameters for the same class and to simultaneously configure conform-action, exceed-action, and violate-action marking.
Access policy-map class police configuration mode by entering the police policy-map class command. See the police command for more information.
You can use this command to set one or more exceed actions for a traffic class.
This example shows how configure multiple actions in a policy map that sets an information rate of 23000 bits per second (b/s) and a burst rate of 10000 bps:
You can verify your settings by entering the show policy-map privileged EXEC command.
Use the flowcontrol interface configuration command to set the receive flow-control state for an interface. When flow control send is operable and on for a device and it detects any congestion at its end, it notifies the link partner or the remote device of the congestion by sending a pause frame. When flow control receive is on for a device and it receives a pause frame, it stops sending any data packets. This prevents any loss of data packets during the congestion period.
Use the receive off keywords to disable flow control.
flowcontrol receive { desired | off | on }
Note The Cisco ME switch can only receive pause frames.
The switch does not support sending flow-control pause frames. If the port is a user network interface (UNI) or enhanced network interface (ENI), you must use the no shutdown interface configuration command to enable it before using the flowcontrol command. UNIs and ENIs are disabled by default. Network node interfaces (NNIs) are enabled by default.
Note that the on and desired keywords have the same result.
When you use the flowcontrol command to set a port to control traffic rates during congestion, you are setting flow control on a port to one of these conditions:
Table 2-2 shows the flow control results on local and remote ports for a combination of settings. The table assumes that receive desired has the same results as using the receive on keywords.
This example shows how to configure the local port to not support flow control by the remote port:
You can verify your settings by entering the show interfaces privileged EXEC command.
Use the hw-module module logging onboard global configuration command to enable on-board failure logging (OBFL). Use the no form of this command to disable this feature.
hw-module module [ slot-number ] logging onboard [ message level level ]
no hw-module module [ slot-number ] logging onboard [ message level ]
We recommend that you keep OBFL enabled and do not clear the data stored in the flash memory.
To ensure that the time stamps in the OBFL data logs are accurate, manually set the system clock, or configure it by using Network Time Protocol (NTP).
If you do not enter the message level level parameter, all the hardware-related messages generated by the switch are stored in the flash memory.
The optional slot number is always 1. Entering the hw-module module [ slot-number ] logging onboard [ message level level ] command has the same result as entering the hw-module module logging onboard [ message level level ] command.
This example shows how to enable OBFL on a switch stack and to specify that all the hardware-related messages are stored in the flash memory:
This example shows how to enable OBFL on a switch and to specify that only severity 1 hardware-related messages are stored in the flash memory:
You can verify your settings by entering the show logging onboard privileged EXEC command.
Use the interface port-channel global configuration command to access or create the port-channel logical interface. Use the no form of this command to remove the port-channel.
For Layer 2 EtherChannels, you do not have to create a port-channel interface first before assigning a physical port to a channel group. Instead, you can use the channel-group interface configuration command. It automatically creates the port-channel interface when the channel group gets its first physical port. If you create the port-channel interface first, the channel-group-number can be the same as the port - channel-number, or you can use a new number. If you use a new number, the channel-group command dynamically creates a new port channel.
You create Layer 3 port channels by using the interface port-channel command followed by the no switchport interface configuration command. You should manually configure the port-channel logical interface before putting the interface into the channel group.
Only one port channel in a channel group is allowed.
Follow these guidelines when you use the interface port-channel command:
Note CDP is available only on network node interfaces (NNIs) and enhanced network interfaces (ENIs).
For a complete list of configuration guidelines, see the “Configuring EtherChannels” chapter in the software configuration guide for this release.
This example shows how to create a port-channel interface with a port channel number of 5:
You can verify your setting by entering the show running-config privileged EXEC or show etherchannel channel-group-number detail privileged EXEC command.
Displays the operating configuration. For syntax information, use this link to the Cisco IOS Release 12.2 Command Reference listing page:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/prod_command_reference_list.html
|
Use the interface range global configuration command to enter interface range configuration mode and to execute a command on multiple ports at the same time. Use the no form of this command to remove an interface range.
interface range { port-range | macro name }
When you enter interface range configuration mode, all interface parameters you enter are attributed to all interfaces within the range.
For VLANs, you can use the interface range command only on existing VLAN switch virtual interfaces (SVIs). To display VLAN SVIs, enter the show running-config privileged EXEC command. VLANs not displayed cannot be used in the interface range command. The commands entered under interface range command are applied to all existing VLAN SVIs in the range.
All configuration changes made to an interface range are saved to NVRAM, but the interface range itself is not saved to NVRAM.
You can enter the interface range in two ways:
All interfaces in a range must be the same type; that is, all Fast Ethernet ports, all Gigabit Ethernet ports, all EtherChannel ports, or all VLANs. However, you can define up to five interface ranges with a single command, with each range separated by a comma.
Valid values for port-range type and interface :
– the range is type 0/number - number (for example, gigabitethernet0/1 - 2)
Note When you use the interface range command with port channels, the first and last port channel number in the range must be active port channels.
When you define a range, you must enter a space between the first entry and the hyphen (-):
When you define multiple ranges, you must still enter a space after the first entry and before the comma (,):
You cannot specify both a macro and an interface range in the same command.
A single interface can also be specified in port-range (this would make the command similar to the interface interface-id global configuration command).
Note For more information about configuring interface ranges, see the software configuration guide for this release.
This example shows how to use the interface range command to enter interface range configuration mode to apply commands to two ports:
This example shows how to use a port-range macro macro1 for the same function. The advantage is that you can reuse macro1 until you delete it.
Displays the operating configuration. For syntax information, use this link to the Cisco IOS Release 12.2 Command Reference listing page:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/prod_command_reference_list.html
|
Use the interface vlan global configuration command to create or access a switch virtual interface (SVI) and to enter interface configuration mode. Use the no form of this command to delete an SVI.
SVIs are created the first time that you enter the interface vlan vlan-id command for a particular vlan . The vlan-id corresponds to the VLAN-tag associated with data frames on an IEEE 802.1Q encapsulated trunk or the VLAN ID configured for an access port.
Note When you create an SVI, it does not become active until it is associated with a physical port.
If you delete an SVI by entering the no interface vlan vlan -id command, the deleted interface is no longer visible in the output from the show interfaces privileged EXEC command.
Note You cannot delete the VLAN 1 interface.
You can reinstate a deleted SVI by entering the interface vlan vlan-id command for the deleted interface. The interface comes back up, but much of the previous configuration will be gone.
The interrelationship between the number of SVIs configured on a switch and the number of other features being configured might have an impact on CPU utilization due to hardware limitations. You can use the sdm prefer global configuration command to reallocate system hardware resources based on templates and feature tables. For more information, see the sdm prefer command.
This example shows how to create VLAN ID 23 and enter interface configuration mode:
You can verify your setting by entering the show interfaces and show interfaces vlan vlan-id privileged EXEC commands.
show interfaces vlan vlan-id |
Displays the administrative and operational status of all interfaces or the specified VLAN. |
Use the ip access-group interface configuration command to control access to a Layer 2 or Layer 3 interface. Use the no form of this command to remove all access groups or the specified access group from the interface. If the switch is running the metro IP access image, you can also control access to Layer 3 interfaces.
ip access-group { access-list-number | name } { in | out }
no ip access-group [ access-list-number | name ] { in | out }
You can apply named or numbered standard or extended IP access lists to an interface. To define an access list by name, use the ip access-list global configuration command. To define a numbered access list, use the access list global configuration command. You can used numbered standard access lists ranging from 1 to 99 and 1300 to 1999 or extended access lists ranging from 100 to 199 and 2000 to 2699.
The switch must be running the metro IP access image for Layer 3 support.
You can use this command to apply an access list to a Layer 2 interface (port ACL) or Layer 3 interface. However, note these limitations for port ACLs:
You can use router ACLs, input port ACLs, and VLAN maps on the same switch. However, a port ACL always takes precedence. When both an input port ACL and a VLAN map are applied, incoming packets received on ports with the port ACL applied are filtered by the port ACL. Other packets are filtered by the VLAN map.
You can apply IP ACLs to both outbound or inbound Layer 3 interfaces.
A Layer 3 interface can have one IP ACL applied in each direction.
You can configure only one VLAN map and one router ACL in each direction (input/output) on a VLAN interface.
For standard inbound access lists, after the switch receives a packet, it checks the source address of the packet against the access list. IP extended access lists can optionally check other fields in the packet, such as the destination IP address, protocol type, or port numbers. If the access list permits the packet, the switch continues to process the packet. If the access list denies the packet, the switch discards the packet. If the access list has been applied to a Layer 3 interface, discarding a packet (by default) causes the generation of an Internet Control Message Protocol (ICMP) Host Unreachable message. ICMP Host Unreachable messages are not generated for packets discarded on a Layer 2 interface.
For standard outbound access lists, after receiving a packet and sending it to a controlled interface, the switch checks the packet against the access list. If the access list permits the packet, the switch sends the packet. If the access list denies the packet, the switch discards the packet and, by default, generates an ICMP Host Unreachable message.
If the specified access list does not exist, all packets are passed.
This example shows how to apply IP access list 101 to inbound packets on a port:
You can verify your settings by entering the show ip interface, show access-lists, or show ip access-lists privileged EXEC command.
Use the ip address interface configuration command to set an IP address for the Layer 2 switch or to set an IP address for each switch virtual interface (SVI) or routed port on the Layer 3 switch. Use the no form of this command to remove an IP address or to disable IP processing.
ip address ip-address subnet-mask [ secondary ]
no ip address [ ip-address subnet-mask ] [ secondary ]
Note You can configure routed ports and SVIs only when the switch is running the metro IP access image.
If you remove the switch IP address through a Telnet session, your connection to the switch will be lost.
Hosts can find subnet masks using the Internet Control Message Protocol (ICMP) Mask Request message. Routers respond to this request with an ICMP Mask Reply message.
You can disable IP processing on a particular interface by removing its IP address with the no ip address command. If the switch detects another host using one of its IP addresses, it will send an error message to the console.
You can use the optional keyword secondary to specify an unlimited number of secondary addresses. Secondary addresses are treated like primary addresses, except the system never generates datagrams other than routing updates with secondary source addresses. IP broadcasts and ARP requests are handled properly, as are interface routes in the IP routing table.
Note If any router on a network segment uses a secondary address, all other devices on that same segment must also use a secondary address from the same network or subnet. Inconsistent use of secondary addresses on a network segment can very quickly cause routing loops.
When you are routing Open Shortest Path First (OSPF), ensure that all secondary addresses of an interface fall into the same OSPF area as the primary addresses.
If your switch receives its IP address from a Bootstrap Protocol (BOOTP) or a DHCP server and you remove the switch IP address by using the no ip address command, IP processing is disabled, and the BOOTP or the DHCP server cannot reassign the address.
A Layer 3 switch can have an IP address assigned to each routed port and SVI. The number of routed ports and SVIs that you can configure is not limited by software; however, the interrelationship between this number and the number of other features being configured might have an impact on CPU utilization due to hardware limitations. You can use the sdm prefer global configuration command to reallocate system hardware resources based on templates and feature tables. For more information, see the sdm prefer command.
This example shows how to configure the IP address for the Layer 2 switch on a subnetted network:
This example shows how to configure the IP address for a Layer 3 port on the switch:
You can verify your settings by entering the show running-config privileged EXEC command.
Displays the operating configuration. For syntax information, use this link to the Cisco IOS Release 12.2 Command Reference listing page:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/prod_command_reference_list.html
|
Use the ip arp inspection filter vlan global configuration command to permit or deny Address Resolution Protocol (ARP) requests and responses from a host configured with a static IP address when dynamic ARP inspection is enabled. Use the no form of this command to return to the default settings.
ip arp inspection filter arp-acl-name vlan vlan-range [ static ]
no ip arp inspection filter arp-acl-name vlan vlan-range [ static ]
When an ARP ACL is applied to a VLAN for dynamic ARP inspection, only the ARP packets with IP-to-MAC address bindings are compared against the ACL. If the ACL permits a packet, the switch forwards it. All other packet types are bridged in the ingress VLAN without validation.
If the switch denies a packet because of an explicit deny statement in the ACL, the packet is dropped. If the switch denies a packet because of an implicit deny statement, the packet is then compared against the list of DHCP bindings (unless the ACL is static , which means that packets are not compared against the bindings).
Use the arp access-list acl-name global configuration command to define the ARP ACL or to add clauses to the end of a predefined list.
This example shows how to apply the ARP ACL static-hosts to VLAN 1 for dynamic ARP inspection:
You can verify your settings by entering the show ip arp inspection vlan 1 privileged EXEC command.
Denies an ARP packet based on matches against the DHCP bindings. |
|
Permits an ARP packet based on matches against the DHCP bindings. |
|
show ip arp inspection vlan vlan-range |
Displays the configuration and the operating state of dynamic ARP inspection for the specified VLAN. |
Use the ip arp inspection limit interface configuration command to limit the rate of incoming Address Resolution Protocol (ARP) requests and responses on an interface. It prevents dynamic ARP inspection from using all of the switch resources if a denial-of-service attack occurs. Use the no form of this command to return to the default settings.
ip arp inspection limit { rate pps [ burst interval seconds ] | none }
The rate applies to both trusted and untrusted interfaces. Configure appropriate rates on trunks to process packets across multiple dynamic ARP inspection-enabled VLANs, or use the none keyword to make the rate unlimited.
After a switch receives more than the configured rate of packets every second consecutively over a number of burst seconds, the interface is placed into an error-disabled state.
Unless you explicitly configure a rate limit on an interface, changing the trust state of the interface also changes its rate limit to the default value for that trust state. After you configure the rate limit, the interface retains the rate limit even when its trust state is changed. If you enter the no ip arp inspection limit interface configuration command, the interface reverts to its default rate limit.
You should configure trunk ports with higher rates to reflect their aggregation. When the rate of incoming packets exceeds the user-configured rate, the switch places the interface into an error-disabled state. The error-disable recovery feature automatically removes the port from the error-disabled state according to the recovery setting.
The rate of incoming ARP packets on EtherChannel ports equals the sum of the incoming rate of ARP packets from all the channel members. Configure the rate limit for EtherChannel ports only after examining the rate of incoming ARP packets on all the channel members.
This example shows how to limit the rate of incoming ARP requests on a port to 25 pps and to set the interface monitoring interval to 5 consecutive seconds:
You can verify your settings by entering the show ip arp inspection interfaces interface-id privileged EXEC command.
show ip arp inspection interfaces |
Displays the trust state and the rate limit of ARP packets for the specified interface or all interfaces. |
Use the ip arp inspection log-buffer global configuration command to configure the dynamic Address Resolution Protocol (ARP) inspection logging buffer. Use the no form of this command to return to the default settings.
ip arp inspection log-buffer { entries number | logs number interval seconds }
no ip arp inspection log-buffer { entries | logs }
A value of 0 is not allowed for both the logs and the interval keywords.
The logs and interval settings interact. If the logs number X is greater than interval seconds Y, X divided by Y (X/Y) system messages are sent every second. Otherwise, one system message is sent every Y divided by X (Y/X) seconds. For example, if the logs number is 20 and the interval seconds is 4, the switch generates system messages for five entries every second while there are entries in the log buffer.
A log buffer entry can represent more than one packet. For example, if an interface receives many packets on the same VLAN with the same ARP parameters, the switch combines the packets as one entry in the log buffer and generates a system message as a single entry.
If the log buffer overflows, it means that a log event does not fit into the log buffer, and the output display for the show ip arp inspection log privileged EXEC command is affected. A -- in the output display appears in place of all data except the packet count and the time. No other statistics are provided for the entry. If you see this entry in the display, increase the number of entries in the log buffer, or increase the logging rate.
This example shows how to configure the logging buffer to hold up to 45 entries:
This example shows how to configure the logging rate to 20 log entries per 4 seconds. With this configuration, the switch generates system messages for five entries every second while there are entries in the log buffer.
You can verify your settings by entering the show ip arp inspection log privileged EXEC command.
Use the ip arp inspection trust interface configuration command to configure an interface trust state that determines which incoming Address Resolution Protocol (ARP) packets are inspected. Use the no form of this command to return to the default setting.
The switch does not check ARP packets that it receives on the trusted interface; it simply forwards the packets.
For untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination. The switch drops invalid packets and logs them in the log buffer according to the logging configuration specified with the ip arp inspection vlan logging global configuration command.
This example shows how to configure a port to be trusted:
You can verify your setting by entering the show ip arp inspection interfaces interface-id privileged EXEC command.
show ip arp inspection interfaces |
Displays the trust state and the rate limit of ARP packets for the specified interface or all interfaces. |
Displays the configuration and contents of the dynamic ARP inspection log buffer. |
Use the ip arp inspection validate global configuration command to perform specific checks for dynamic Address Resolution Protocol (ARP) inspection. Use the no form of this command to return to the default settings.
ip arp inspection validate {[ src-mac ] [ dst-mac ] [ ip [allow zeros] ]}
no ip arp inspection validate [ src-mac ] [ dst-mac ] [ ip [allow zeros] ]
You must specify at least one of the keywords. Each command overrides the configuration of the previous command; that is, if a command enables src-mac and dst-mac validations, and a second command enables IP validation only, the src-mac and dst-mac validations are disabled as a result of the second command.
The allow-zeros keyword interacts with ARP access control lists (ACLs) in this way:
The no form of the command disables only the specified checks. If none of the options are enabled, all checks are disabled.
This example show how to enable source MAC validation:
You can verify your setting by entering the show ip arp inspection vlan vlan-range privileged EXEC command.
show ip arp inspection vlan vlan-range |
Displays the configuration and the operating state of dynamic ARP inspection for the specified VLAN. |
Use the ip arp inspection vlan global configuration command to enable dynamic Address Resolution Protocol (ARP) inspection on a per-VLAN basis. Use the no form of this command to return to the default setting.
ip arp inspection vlan vlan-range
You must specify the VLANs on which to enable dynamic ARP inspection.
Dynamic ARP inspection is supported on access ports, trunk ports, EtherChannel ports, or private VLAN ports.
This example shows how to enable dynamic ARP inspection on VLAN 1:
You can verify your setting by entering the show ip arp inspection vlan vlan-range privileged EXEC command.
show ip arp inspection vlan vlan-range |
Displays the configuration and the operating state of dynamic ARP inspection for the specified VLAN. |
Use the ip arp inspection vlan logging global configuration command to control the type of packets that are logged per VLAN. Use the no form of this command to disable this logging control.
ip arp inspection vlan vlan-range logging { acl-match { matchlog | none } | dhcp-bindings { all | none | permit } | arp-probe }
no ip arp inspection vlan vlan-range logging { acl-match | dhcp-bindings | arp-probe }
The term logged means that the entry is placed into the log buffer and that a system message is generated.
The acl-match and dhcp-bindings keywords merge with each other; that is, when you configure an ACL match, the DHCP bindings configuration is not disabled. Use the no form of the command to reset the logging criteria to their defaults. If neither option is specified, all types of logging are reset to log when ARP packets are denied. These are the options:
If neither the acl-match or the dhcp-bindings keywords are specified, all denied packets are logged.
The implicit deny at the end of an ACL does not include the log keyword. This means that when you use the static keyword in the ip arp inspection filter vlan global configuration command, the ACL overrides the DHCP bindings. Some denied packets might not be logged unless you explicitly specify the deny ip any mac any log ACE at the end of the ARP ACL.
This example shows how to configure ARP inspection on VLAN 1 to log packets that match the permit commands in the ACL:
You can verify your settings by entering the show ip arp inspection vlan vlan-range privileged EXEC command.
Displays the configuration and contents of the dynamic ARP inspection log buffer. |
|
show ip arp inspection vlan vlan-range |
Displays the configuration and the operating state of dynamic ARP inspection for the specified VLAN. |
Use the ip dhcp snooping global configuration command to globally enable DHCP snooping. Use the no form of this command to return to the default setting.
For any DHCP snooping configuration to take effect, you must globally enable DHCP snooping.
DHCP snooping is not active until you enable snooping on a VLAN by using the ip dhcp snooping vlan vlan-id global configuration command.
This example shows how to enable DHCP snooping:
You can verify your settings by entering the show ip dhcp snooping privileged EXEC command.
Use the ip dhcp snooping binding privileged EXEC command to configure the DHCP snooping binding database and to add binding entries to the database. Use the no form of this command to delete entries from the binding database.
ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface-id expiry seconds
no ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface-id
Use this command when you are testing or debugging the switch.
In the DHCP snooping binding database, each database entry, also referred to a binding , has an IP address, an associated MAC address, the lease time (in hexadecimal format), the interface to which the binding applies, and the VLAN to which the interface belongs. The database can have up to 8192 bindings.
Use the show ip dhcp snooping binding privileged EXEC command to display only the dynamically configured bindings. Use the show ip source binding privileged EXEC command to display the dynamically and statically configured bindings.
This example shows how to generate a DHCP binding configuration with an expiration time of 1000 seconds on a port in VLAN 1:
You can verify your settings by entering the show ip dhcp snooping binding or the show ip dhcp source binding privileged EXEC command.
Use the ip dhcp snooping database global configuration command to configure the DHCP snooping binding database agent. Use the no form of this command to disable the agent, to reset the timeout value, or to reset the write-delay value.
ip dhcp snooping database {{ flash:/ filename | ftp:// user:password@host/filename | http: //[[username:password]@]{hostname | host-ip}[/directory]/image-name .tar | rcp:// user@host/filename | tftp:// host/filename } | timeout seconds | write-delay seconds }
no ip dhcp snooping database [ timeout | write-delay ]
The DHCP snooping binding database can have up to 8192 bindings.
To ensure that the lease time in the database is accurate, we recommend that Network Time Protocol (NTP) is enabled and configured for these features:
If NTP is configured, the switch writes binding changes to the binding file only when the switch system clock is synchronized with NTP.
Because both NVRAM and the flash memory have limited storage capacity, we recommend that you store a binding file on a TFTP server. You must create an empty file at the configured URL on network-based URLs (such as TFTP and FTP) before the switch can write bindings to the binding file at that URL for the first time.
Use the no ip dhcp snooping database command to disable the agent.
Use the no ip dhcp snooping database timeout command to reset the timeout value.
Use the no ip dhcp snooping database write-delay command to reset the write-delay value.
This example shows how to store a binding file at an IP address of 10.1.1.1 that is in a directory called directory . A file named file must be present on the TFTP server.
You can verify your settings by entering the show ip dhcp snooping database privileged EXEC command.
Use the ip dhcp snooping information option global configuration command to enable DHCP option-82 data insertion. Use the no form of this command to disable DHCP option-82 data insertion.
You must globally enable DHCP snooping by using the ip dhcp snooping global configuration command for any DHCP snooping configuration to take effect.
When the option-82 feature is enabled and a switch receives a DHCP request from a host, it adds the option-82 information in the packet. The option-82 information contains the switch MAC address (the remote ID suboption) and the port identifier, vlan-mod-port , from which the packet is received (circuit ID suboption). The switch forwards the DHCP request that includes the option-82 field to the DHCP server.
When the DHCP server receives the packet, it can use the remote ID, the circuit ID, or both to assign IP addresses and implement policies, such as restricting the number of IP addresses that can be assigned to a single remote ID or a circuit ID. Then the DHCP server echoes the option-82 field in the DHCP reply.
The DHCP server unicasts the reply to the switch if the request was relayed to the server by the switch. When the client and server are on the same subnet, the server broadcasts the reply. The switch inspects the remote ID and possibly the circuit ID fields to verify that it originally inserted the option-82 data. The switch removes the option-82 field and forwards the packet to the switch port that connects to the DHCP host that sent the DHCP request.
This example shows how to enable DHCP option-82 data insertion:
You can verify your settings by entering the show ip dhcp snooping privileged EXEC command.
Use the ip dhcp snooping information option allowed-untrusted global configuration command on an aggregation switch to configure it to accept DHCP packets with option-82 information that are received on untrusted ports that might be connected to an edge switch. Use the no form of this command to configure the switch to drop these packets from the edge switch.
You might want an edge switch to which a host is connected to insert DHCP option-82 information at the edge of your network. You might also want to enable DHCP security features, such as DHCP snooping, IP source guard, or dynamic Address Resolution Protocol (ARP) inspection, on an aggregation switch. However, if DHCP snooping is enabled on the aggregation switch, the switch drops packets with option-82 information that are received on an untrusted port and does not learn DHCP snooping bindings for connected devices on a trusted interface.
If the edge switch to which a host is connected inserts option-82 information and you want to use DHCP snooping on an aggregation switch, enter the ip dhcp snooping information option allowed-untrusted command on the aggregation switch. The aggregation switch can learn the bindings for a host even though the aggregation switch receives DHCP snooping packets on an untrusted port. You can also enable DHCP security features on the aggregation switch. The port on the edge switch to which the aggregation switch is connected must be configured as a trusted port.
Note Do not enter the ip dhcp snooping information option allowed-untrusted command on an aggregation switch to which an untrusted device is connected. If you enter this command, an untrusted device might spoof the option-82 information.
This example shows how to configure an access switch to not check the option-82 information in untrusted packets from an edge switch and to accept the packets:
You can verify your settings by entering the show ip dhcp snooping privileged EXEC command.
Use the ip dhcp snooping information option format remote-id global configuration command to configure the option-82 remote-ID suboption. Use the no form of this command to configure the default remote-ID suboption.
ip dhcp snooping information option format remote-id [string ASCII-string | hostname]
You must globally enable DHCP snooping by using the ip dhcp snooping global configuration command for any DHCP snooping configuration to take effect.
When the option-82 feature is enabled, the default remote-ID suboption is the switch MAC address. This command allows you to configure either the switch hostname or a string of up to 63 ASCII characters (but no spaces) to be the remote ID.
Note If the hostname exceeds 63 characters, it is truncated to 63 characters in the remote-ID configuration.
This example shows how to configure the option-82 remote-ID suboption:
You can verify your settings by entering the show ip dhcp snooping user EXEC command.
Use the ip dhcp snooping limit rate interface configuration command to configure the number of DHCP messages an interface can receive per second. Use the no form of this command to return to the default setting.
ip dhcp snooping limit rate rate
Normally, the rate limit applies to untrusted interfaces. If you want to configure rate limiting for trusted interfaces, keep in mind that trusted interfaces might aggregate DHCP traffic on multiple VLANs (some of which might not be snooped) in the switch, and you will need to adjust the interface rate limits to a higher value.
If the rate limit is exceeded, the interface is error-disabled. If you enabled error recovery by entering the errdisable recovery dhcp-rate-limit global configuration command, the interface retries the operation again when all the causes have timed out. If the error-recovery mechanism is not enabled, the interface stays in the error-disabled state until you enter the shutdown and no shutdown interface configuration commands.
This example shows how to set a message rate limit of 150 messages per second on an interface:
You can verify your settings by entering the show ip dhcp snooping privileged EXEC command.
Use the ip dhcp snooping trust interface configuration command to configure a port as trusted for DHCP snooping purposes. Use the no form of this command to return to the default setting.
Configure as trusted ports those that are connected to a DHCP server or to other switches or routers. Configure as untrusted ports those that are connected to DHCP clients.
This example shows how to enable DHCP snooping trust on a port:
You can verify your settings by entering the show ip dhcp snooping privileged EXEC command.
Use the ip dhcp snooping verify mac-address global configuration command to configure the switch to verify on an untrusted port that the source MAC address in a DHCP packet matches the client hardware address. Use the no form of this command to configure the switch to not verify the MAC addresses.
In a service-provider network, when a switch receives a packet from a DHCP client on an untrusted port, it automatically verifies that the source MAC address and the DHCP client hardware address match. If the addresses match, the switch forwards the packet. If the addresses do not match, the switch drops the packet.
This example shows how to disable the MAC address verification:
You can verify your settings by entering the show ip dhcp snooping privileged EXEC command.
Use the ip dhcp snooping vlan global configuration command to enable DHCP snooping on a VLAN. Use the no form of this command to disable DHCP snooping on a VLAN.
ip dhcp snooping vlan vlan-range
no ip dhcp snooping vlan vlan-range
You must first globally enable DHCP snooping before enabling DHCP snooping on a VLAN.
This example shows how to enable DHCP snooping on VLAN 10:
You can verify your settings by entering the show ip dhcp snooping privileged EXEC command.
Use the ip dhcp snooping vlan information option format-type circuit-id string interface configuration command to configure the option-82 circuit-ID suboption. Use the no form of this command to configure the default circuit-ID suboption.
ip dhcp snooping vlan vlan information option format-type circuit-id [override] string ASCII-string
no ip dhcp snooping vlan vlan information option format-type circuit-id [override] string
You must globally enable DHCP snooping by using the ip dhcp snooping global configuration command for any DHCP snooping configuration to take effect.
When the option-82 feature is enabled, the default circuit-ID suboption is the switch VLAN and the port identifier, in the format vlan-mod-port . This command allows you to configure a string of ASCII characters to be the circuit ID. When you want to override the vlan-mod-port format type and instead use the circuit-ID to define subscriber information, use the override keyword.
Note When configuring a large number of circuit IDs on a switch, consider the impact of lengthy character strings on the NVRAM or flash memory. If the circuit-ID configurations, combined with other data, exceed the capacity of the NVRAM or the flash memory, an error message appears.
This example shows how to configure the option-82 circuit-ID suboption:
This example shows how to configure the option-82 circuit-ID override suboption:
You can verify your settings by entering the show ip dhcp snooping user EXEC command.
Note The show ip dhcp snooping user EXEC command only displays the global command output, including a remote-ID configuration. It does not display any per-interface, per-VLAN string that you have configured for the circuit ID.
Use the ip igmp filter interface configuration command to control whether or not all hosts on a Layer 2 interface can join one or more IP multicast groups by applying an Internet Group Management Protocol (IGMP) profile to the interface. Use the no form of this command to remove the specified profile from the interface.
You can apply IGMP filters only to Layer 2 physical interfaces.
You cannot apply IGMP filters to routed ports, switch virtual interfaces (SVIs), or ports that belong to an EtherChannel group.
An IGMP profile can be applied to one or more switch port interfaces, but one port can have only one profile applied to it.
This example shows how to apply IGMP profile 22 to a port.
You can verify your setting by using the show running-config privileged EXEC command and by specifying an interface.
Use the ip igmp max-groups interface configuration command to set the maximum number of Internet Group Management Protocol (IGMP) groups that a Layer 2 interface can join or to configure the IGMP throttling action when the maximum number of entries is in the forwarding table. Use the no form of this command to set the maximum back to the default, which is to have no maximum limit, or to return to the default throttling action, which is to drop the report.
ip igmp max-groups { number | action { deny | replace }}
no ip igmp max-groups { number | action }
You can use this command only on Layer 2 physical interfaces and on logical EtherChannel interfaces.
You cannot set IGMP maximum groups for routed ports, switch virtual interfaces (SVIs), or ports that belong to an EtherChannel group.
Follow these guidelines when configuring the IGMP throttling action:
This example shows how to limit to 25 the number of IGMP groups that a port can join.
This example shows how to configure the switch to replace the existing group with the new group for which the IGMP report was received when the maximum number of entries is in the forwarding table:
You can verify your setting by using the show running-config privileged EXEC command and by specifying an interface.
Use the ip igmp profile global configuration command to create an Internet Group Management Protocol (IGMP) profile and enter IGMP profile configuration mode. From this mode, you can specify the configuration of the IGMP profile to be used for filtering IGMP membership reports from a switchport. Use the no form of this command to delete the IGMP profile.
ip igmp profile profile number
When you are in IGMP profile configuration mode, you can create the profile by using these commands:
When entering a range, enter the low IP multicast address, a space, and the high IP multicast address.
You can apply an IGMP profile to one or more Layer 2 interfaces, but each interface can have only one profile applied to it.
This example shows how to configure IGMP profile 40 that permits the specified range of IP multicast addresses.
You can verify your settings by using the show ip igmp profile privileged EXEC command.
Use the ip igmp snooping global configuration command to globally enable Internet Group Management Protocol (IGMP) snooping on the switch or to enable it on a per-VLAN basis. Use the no form of this command to return to the default setting.
ip igmp snooping [ vlan vlan-id ]
When IGMP snooping is enabled globally, it is enabled in all the existing VLAN interfaces. When IGMP snooping is disabled globally, it is disabled on all the existing VLAN interfaces.
VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in IGMP snooping.
This example shows how to globally enable IGMP snooping:
This example shows how to enable IGMP snooping on VLAN 1:
You can verify your settings by entering the show ip igmp snooping privileged EXEC command.
Use the ip igmp snooping last-member-query-interval global configuration command to enable the Internet Group Management Protocol (IGMP) configurable-leave timer globally or on a per-VLAN basis. Use the no form of this command to return to the default setting.
ip igmp snooping [vlan vlan-id ] last-member-query-interval time
no ip igmp snooping [vlan vlan-id ] last-member-query-interval
When IGMP snooping is globally enabled, IGMP snooping is enabled on all the existing VLAN interfaces. When IGMP snooping is globally disabled, IGMP snooping is disabled on all the existing VLAN interfaces.
VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in IGMP snooping.
Configuring the leave timer on a VLAN overrides the global setting.
The IGMP configurable leave time is only supported on devices running IGMP Version 2.
This example shows how to globally enable the IGMP leave timer for 2000 milliseconds:
This example shows how to configure the IGMP leave timer for 3000 milliseconds on VLAN 1:
You can verify your settings by entering the show ip igmp snooping privileged EXEC command.
Use the ip igmp snooping querier global configuration command to globally enable the Internet Group Management Protocol (IGMP) querier function in Layer 2 networks. Use the command with keywords to enable and configure the IGMP querier feature on a VLAN interface. Use the no form of this command to return to the default settings.
ip igmp snooping querier [ vlan vlan-id ] [ address ip-address | max-response-time response-time | query-interval interval-count | tcn query [ count count | interval interval ] | timer expiry | version version ]
no ip igmp snooping querier [ vlan vlan-id ] [ address | max-response-time | query-interval | tcn query { count count | interval interval } | timer expiry | version ]
Use this command to enable IGMP snooping to detect the IGMP version and IP address of a device that sends IGMP query messages, which is also called a querier .
By default, the IGMP snooping querier is configured to detect devices that use IGMP Version 2 (IGMPv2) but does not detect clients that are using IGMP Version 1 (IGMPv1). You can manually configure the max-response-time value when devices use IGMPv2. You cannot configure the max-response-time when devices use IGMPv1. (The value cannot be configured and is set to zero).
Non-RFC compliant devices running IGMPv1 might reject IGMP general query messages that have a non-zero value as the max-response-time value. If you want the devices to accept the IGMP general query messages, configure the IGMP snooping querier to run IGMPv1.
VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in IGMP snooping.
This example shows how to globally enable the IGMP snooping querier feature:
This example shows how to set the IGMP snooping querier maximum response time to 25 seconds:
This example shows how to set the IGMP snooping querier interval time to 60 seconds:
This example shows how to set the IGMP snooping querier TCN query count to 25:
This example shows how to set the IGMP snooping querier timeout to 60 seconds:
This example shows how to set the IGMP snooping querier feature to version 2:
You can verify your settings by entering the show ip igmp snooping privileged EXEC command.
Use the ip igmp snooping report-suppression global configuration command to enable Internet Group Management Protocol (IGMP) report suppression. Use the no form of this command to disable IGMP report suppression and to forward all IGMP reports to multicast routers.
IGMP report suppression is supported only when the multicast query has IGMPv1 and IGMPv2 reports. This feature is not supported when the query includes IGMPv3 reports.
The switch uses IGMP report suppression to forward only one IGMP report per multicast router query to multicast devices. When IGMP router suppression is enabled (the default), the switch sends the first IGMP report from all hosts for a group to all the multicast routers. The switch does not send the remaining IGMP reports for the group to the multicast routers. This feature prevents duplicate reports from being sent to the multicast devices.
If the multicast router query includes requests only for IGMPv1 and IGMPv2 reports, the switch forwards only the first IGMPv1 or IGMPv2 report from all hosts for a group to all the multicast routers. If the multicast router query also includes requests for IGMPv3 reports, the switch forwards all IGMPv1, IGMPv2, and IGMPv3 reports for a group to the multicast devices.
If you disable IGMP report suppression by entering the no ip igmp snooping report-suppression command, all IGMP reports are forwarded to all the multicast routers.
This example shows how to disable report suppression:
You can verify your settings by entering the show ip igmp snooping privileged EXEC command.
Use the ip igmp snooping tcn global configuration command to configure the Internet Group Management Protocol (IGMP) Topology Change Notification (TCN) behavior. Use the no form of this command to return to the default settings.
ip igmp snooping tcn { flood query count count | query solicit }
no ip igmp snooping tcn { flood query count | query solicit }
You can prevent the loss of the multicast traffic that might occur because of a topology change by using this command. If you set the TCN flood query count to 1 by using the ip igmp snooping tcn flood query count command, the flooding stops after receiving one general query. If you set the count to 7, the flooding of multicast traffic due to the TCN event lasts until seven general queries are received. Groups are relearned based on the general queries received during the TCN event.
This example shows how to specify 7 as the number of IGMP general queries for which the multicast traffic is flooded:
You can verify your settings by entering the show ip igmp snooping privileged EXEC command.
Use the ip igmp snooping tcn flood interface configuration command to specify multicast flooding as the Internet Group Management Protocol (IGMP) snooping spanning-tree Topology Change Notification (TCN) behavior. Use the no form of this command to disable the multicast flooding.
When the switch receives a TCN, multicast traffic is flooded to all the ports until two general queries are received. If the switch has many ports with attached hosts that are subscribed to different multicast groups, this flooding behavior might not be desirable because the flooded traffic might exceed the capacity of the link and cause packet loss.
You can change the flooding query count by using the ip igmp snooping tcn flood query count count global configuration command.
This example shows how to disable the multicast flooding on an interface:
You can verify your settings by entering the show ip igmp snooping privileged EXEC command.
Use the ip igmp snooping vlan vlan-id immediate-leave global configuration command to enable Internet Group Management Protocol (IGMP) snooping immediate-leave processing on a per-VLAN basis. Use the no form of this command to return to the default setting.
ip igmp snooping vlan vlan-id immediate-leave
VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in IGMP snooping.
You should only configure the Immediate Leave feature when there is a maximum of one receiver on every port in the VLAN. The configuration is saved in NVRAM.
The Immediate Leave feature is supported only with IGMP Version 2 hosts.
This example shows how to enable IGMP immediate-leave processing on VLAN 1:
You can verify your settings by entering the show ip igmp snooping privileged EXEC command.
Use the ip igmp snooping vlan vlan-id mrouter global configuration command to add a multicast router port or to configure the multicast learning method. Use the no form of this command to return to the default settings.
ip igmp snooping vlan vlan-id mrouter { interface interface-id | learn pim-dvmrp }
no ip igmp snooping vlan vlan-id mrouter { interface interface-id | learn pim-dvmrp }
VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in IGMP snooping.
This example shows how to configure a port as a multicast router port:
You can verify your settings by entering the show ip igmp snooping privileged EXEC command.
Use the ip igmp snooping vlan vlan-id static global configuration command to enable Internet Group Management Protocol (IGMP) snooping and to statically add a Layer 2 port as a member of a multicast group. Use the no form of this command to remove ports specified as members of a static multicast group.
ip igmp snooping vlan vlan-id static ip-address interface interface-id
no ip igmp snooping vlan vlan-id static ip-address interface interface-id
VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in IGMP snooping.
This example shows how to statically configure a port as a multicast router port:
You can verify your settings by entering the show ip igmp snooping privileged EXEC command.
Use the ip sla responder twamp global configuration command to configure the switch as a Two-Way Active Measurement Protocol (TWAMP) responder. Use the no form of this command to disable the IP SLA TWAMP responder.
ip sla responder twamp [ timeout seconds ]
After entering the ip sla responder twamp command, you enter IP SLA TWAMP reflector configuration mode, and these configuration commands are available:
For the TWAMP server and reflector to function, you must also configure a TWAMP control device, which serves as the client and session sender. These functions are not configured on a Cisco device.
Enables the Cisco IOS IP Service Level Agreements (SLAs) responder for general IP SLAs operations. |
|
Configures the switch as a Two-Way Active Measurement Protocol (TWAMP) server. |
|
(Optional) Display the IP SLAs standards configured on the switch. |
|
show ip sla twamp connection {detail | requests} |
(Optional) Displays the current Cisco IOS IP Service Level Agreements (SLAs) Two-Way Active Measurement Protocol (TWAMP) connections |
Use the ip sla server twamp global configuration command to configure the switch as a Two-Way Active Measurement Protocol (TWAMP) server. Use the no form of this command to disable the IP SLA TWAMP server.
After entering the ip sla server twamp command, you enter IP SLA TWAMP server configuration mode, and these configuration commands are available:
For the TWAMP server and reflector to function, you must also configure a TWAMP control device, which serves as the client and session sender. These functions are not configured on a Cisco device.
Enables the Cisco IOS IP Service Level Agreements (SLAs) responder for general IP SLAs operations. |
|
Configures the switch as a Two-Way Active Measurement Protocol (TWAMP) responder. |
|
(Optional) Displays the IP SLAs standards configured on the switch. |
|
show ip sla twamp connection {detail | requests} |
(Optional) Displays the current Cisco IOS IP Service Level Agreements (SLAs) Two-Way Active Measurement Protocol (TWAMP) connections. |
Use the ip source binding global configuration command to configure static IP source bindings on the switch. Use the no form of this command to delete static bindings.
ip source binding mac-address vlan vlan-id ip-address interface interface-id
no source binding mac-address vlan vlan-id ip-address interface interface-id
A static IP source binding entry has an IP address, its associated MAC address, and its associated VLAN number. The entry is based on the MAC address and the VLAN number. If you modify an entry by changing only the IP address, the switch updates the entry instead creating a new one.
This example shows how to add a static IP source binding:
This example shows how to add a static binding and then modify the IP address for it:
You can verify your settings by entering the show ip source binding privileged EXEC command.
Use the ip ssh global configuration command to configure the switch to run Secure Shell (SSH) Version 1 or SSH Version 2. Use the no form of this command to return to the default setting.
This command is available only when your switch is running the cryptographic (encrypted) software image.
If you do not enter this command or if you do not specify a keyword, the SSH server selects the latest SSH version supported by the SSH client. For example, if the SSH client supports SSHv1 and SSHv2, the SSH server selects SSHv2.
The switch supports an SSHv1 or an SSHv2 server. It also supports an SSHv1 client. For more information about the SSH server and the SSH client, see the software configuration guide for this release.
A Rivest, Shamir, and Adelman (RSA) key pair generated by an SSHv1 server can be used by an SSHv2 server and the reverse.
This example shows how to configure the switch to run SSH Version 2:
You can verify your settings by entering the show ip ssh or show ssh privileged EXEC command.
Use the ip sticky-arp global configuration command to enable sticky Address Resolution Protocol (ARP) on a switch virtual interface (SVI) that belongs to a private VLAN. Use the no form of this command to disable sticky ARP.
Sticky ARP entries are those learned on private-VLAN SVIs. These entries do not age out.
The ip sticky-arp global configuration command is supported only on SVIs belonging to private VLANs.
If you enter the ip sticky-arp interface configuration command, it does not take effect.
If you enter the no ip sticky-arp interface configuration command, you do not disable sticky ARP on an interface.
Note We recommend that you use the show arp privileged EXEC command to display and verify private-VLAN interface ARP entries.
Use the ip sticky-arp interface configuration command to enable sticky Address Resolution Protocol (ARP) on a switch virtual interface (SVI) or a Layer 3 interface. Use the no form of this command to disable sticky ARP.
Sticky ARP entries are those learned on SVIs and Layer 3 interfaces. These entries do not age out.
The ip sticky-arp interface configuration command is only supported on
On a Layer 3 interface or on an SVI belonging to a normal VLAN
If you enter the ip sticky-arp interface configuration command, it does not take effect.
If you enter the no ip sticky-arp interface configuration command, you do not disable sticky ARP on an interface.
Note We recommend that you use the show arp privileged EXEC command to display and verify private-VLAN interface ARP entries.
To enable sticky ARP on a normal SVI:
To disable sticky ARP on a Layer 3 interface or an SVI:
You can verify your settings by using the show arp privileged EXEC command.
Use the ip verify source interface configuration command to enable IP source guard on an interface. Use the no form of this command to disable IP source guard.
ip verify source { vlan dhcp-snooping | tracking } [ port-security ]
no ip verify source { vlan dhcp-snooping | tracking } [ port-security ]
To enable IP source guard with source IP address filtering, use the ip verify source interface configuration command.
To enable IP source guard with source IP and MAC address filtering, use the ip verify source port-security interface configuration command.
To enable IP source guard with source IP and MAC address filtering, you must enable port security on the interface.
This example shows how to enable IP source guard with source IP address filtering:
This example shows how to enable IP source guard on VLANs 10 through 20 on a per-port basis:
This example shows how to enable IP port security with IP-MAC filters on a Layer 2 access port:
Verify your settings by entering the show ip verify source privileged EXEC command.
Use the ipv6 access-list global configuration command to define an IPv6 access list and to place the switch in IPv6 access list configuration mode. To remove the access list, use the no form of this command.
ipv6 access-list access-list-name
no ipv6 access-list access-list-name
Note This command is available only if the switch is running the metro IP access image and you have configured a dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 { default | routing | vlan ) global configuration command, and reload the switch.
The ipv6 access-list command is similar to the ip access-list command, but it is IPv6-specific.
IPv6 ACLs are defined by a unique name (IPv6 does not support numbered ACLs). An IPv4 ACL and an IPv6 ACL cannot share the same name.
See the deny (IPv6 access-list configuration) and permit (IPv6 access-list configuration) commands for more information on filtering IPv6 traffic based on IPv6 option headers and optional, upper-layer protocol-type information. See the “Examples” section for an example of a translated IPv6 ACL configuration.
Every IPv6 ACL has implicit permit icmp any any nd-na , permit icmp any any nd-ns , and deny ipv6 any any statements as its last match conditions. The two permit conditions allow ICMPv6 neighbor discovery. To disallow ICMPv6 neighbor discovery and to deny icmp any any nd-na or icmp any any nd-ns , there must be an explicit deny entry in the ACL. For the implicit deny ipv6 any any statement to take effect, an IPv6 ACL must contain at least one entry.
The IPv6 neighbor discovery process uses the IPv6 network layer service; therefore, by default, IPv6 ACLs implicitly allow IPv6 neighbor discovery pack