DGS-6600-48T - NAS D-LINK - Free user manual and instructions

USER MANUAL DGS-6600-48T D-LINK

X CHASSIS

CLI Reference Guide

Product Model: DGS-6600 Series

Modular Layer 3 Chassis Ethernet Managed Switch

Software Release 1.00.029

DGS-6604 CLI Reference Guide

Software Release 1.00.029

Date: March 15, 2011

Copyright Statement

D-Link Corporation © 2011

All rights reserved.

Without our written permission this document may not be excerpted, reproduced, transmitted, or otherwise in all or part by any party by any means.

Preface

Version Description

This manual's command descriptions are based on the software release 1.00.029. The commands listed here are the subset of commands that are supported by the DGS-6600 series switches.

Note: Other Ethernet L2/L3 Chassis-Based Switch series Hardware using similar software may support a different subset of commands although generally the majority of the supported commands and options will be similar.

Audience

This reference manual is intended for network administrators and other IT networking professionals responsible for managing the DGS-6604 by using the D-LINK Command Line Reference (CLI). The CLI is the primary management interface to the D-LINK DGS-6604 which will be generally referred to as the “switch” within this manual. This manual is written in a way that assumes that you already have the experience and knowledge of Ethernet and modern networking principles for Local Area Networks.

Document Organization

Other Documentation

The documents below are a further source of information in regards to configuring and troubleshooting the switch. All the documents are available for download from D-Links web site www.d-link.com.

• DGS-6600 Series Quick Installation Guide
• DGS-6600 Series Hardware Installation Guide

Conventions

Notes, Notices, and Cautions

Below are examples of the 3 types of indicators used in this manual. When administering your switch using the information in this document, you should pay special attention to these indicators. Each example below provides an explanatory remark regarding each type of indicator.

NOTE: A NOTE indicates important information that helps you make better use of your device

NOTICE: A NOTICE indicates either potential damage to hardware or loss of data and tells you how to avoid the problem

CAUTION: A CAUTION indicates a potential for property damage, personal injury, or death.

Command Descriptions:

The information pertaining to each command in this reference guide is presented using a number of template fields. The fields are:

• Description - This is a short and consise statement describing the commands functionality.

- Syntax - The precise form to use when entering and issuing the command. The form conventions are described in the table shown under the section "Conventions" on page iv of this guide.

- Syntax Description - A table where each row describes the optional or required arguments, and their use, that can be issued with the command.

- Default - If the command sets a configuration value or administrative state of the switch then any default settings (i.e. without issuing the command) of the configuration is shown here.

- Command Mode - The mode in which the command can be issued. The modes are either User EXEC, Privileged EXEC, Global Configuration or a specific configuration mode. These modes are described in the section titled “Command Modes” on page v below.

- Command Usage - If necessary, a detailed description of the command and its various utilization scenarios is given here.

- Example(s) - Each command is accompanied by a practical example of the command being issued in a suitable scenario.

Command Modes

There are several command modes available in the command-line interface (CLI). The set of commands available to the user depends on both the mode the user is currently in and their privilege level. For each case, the user can see all the commands that are available in a particular command mode by entering a question mark (?) at the system prompt.

The command-line interface has four privilege levels:

- Basic User- Privilege Level 1. This user account level has the lowest priority of the user accounts and is allowed to configure the terminal control settings. The purpose of this type of user account level is for basic system checking. This user account can only show limited information that is not related to security. The most important limitation of this account is that there is no way of changing the access right level.

- Advanced User- Privilege Level 2. This user account level is very similar to a basic user except that an advanced user can enter privileged EXEC mode.

- Power User- Privilege Level 12. This user account level is used to grant system configuration rights for users who need to change or monitor system configuration, except for security related information such as user accounts and SNMP account settings, etc.

- Administrator- Privilege Level 15. This administrator user account level can monitor all system information and change any of the system configuration settings expressed in this configuration guide.

The command-line interface has a number of command modes. There are three basic command modes:

• User EXEC mode
• Privileged EXEC mode

• Global Configuration mode

All other sub-configuration modes can be accessed via global configuration mode.

When a user logs in to the Switch, the privilege level of the user determines the command mode the user will enter after initially logging in. The user will either log into user EXEC mode or privileged EXEC mode. Users with a basic user and advanced user level will log into the Switch in user EXEC mode. Users with power user and administrator level accounts will log into the Switch in privileged EXEC mode. Therefore, user EXEC mode can operate at either basic user level or advanced user level, and privileged EXEC mode can operate at either power user level or administrator level. The user can only enter global configuration mode from privileged EXEC mode. Therefore, global configuration mode can be accessed by users who have power user or administrator level user accounts. As for sub-configuration modes, a subset of those can only be accessed by users who have the highest secure administrator level privileges.

In user EXEC mode at advanced user level, the user is allowed to enter privileged EXEC mode by entering the enable password. In privileged EXEC mode, the user is allowed to exit to the user EXEC mode at advanced user level by entering the disable command. The enable password and disable commands are functions that can be used to switch between user EXEC mode and privileged EXEC mode.

The following state diagram describes the main command modes and how to enter each one:

graph TD
    A["Login"] -->|Basic User| B["User EXEC mode\nBasic user"]
    A -->|Advanced User| C["User EXEC mode\nAdvanced user"]
    A -->|Administrator| D["Privileged EXEC mode\nAdministrator"]
    B -->|Disable Power User| E["Privileged EXEC mode\nPower user"]
    C -->|Enable Administrator| F["Privileged EXEC mode\nAdministrator"]
    D -->|Disable Administrator| F
    E -->|config| G["Global configuration mode\nAdministrator/Power user"]
    F -->|config| G
    G -->|interface| H["Interface configuration mode\nAdministrator/Power user"]
    G -->|vlan| I["VLAN configuration mode\nAdministrator/Power user"]
    G -->|mgmt-if| J["Mgmt-if configuration mode\nAdministrator"]
    A -->|Power User| B
    A -->|Power User| C
    A -->|Power User| D
    B -->|Power User| E
    C -->|Power User| F
    D -->|Power User| G

Note: Not all configuration modes are listed in the above figure. For example, in global configuration mode, enter “router ospf” to enter OSPF router configuration mode

The following table briefly lists the available command modes. Only the basic command modes and some of the sub-configuration modes are enumerated. The basic command modes and basic sub-configuration modes are further described in the following chapters. Descriptions for the rest of the sub-configuration modes are not provided in this section. For more information on the additional sub-configuration modes, the user should refer to the chapters relating to these functions.

The available command modes and privilege levels are described below:

Command Mode & Privilege Level Purpose

VLAN Interface Configuration Mode For applying VLAN interface related settings.

VLAN Configuration Mode For applying settings to a VLAN.

IP Access-List Configuration Mode For specifying filtering criteria for an IP access list.

User EXEC Mode at Basic User Level

This command mode is mainly designed for checking basic system settings, allowing users to change the local terminal session settings and carry out basic network connectivity verification. One limitation of this command mode is that it cannot be used to display information related to security. The most significant limitation of this command mode is that there is no way of changing the access right level of the logged in user.

This command mode can be entered by logging in as a basic user.

User EXEC Mode at Advanced User Level

User EXEC mode at advanced user level has the same purpose as user EXEC mode at basic user level, except that user EXEC mode at advanced user level is allowed to use the enable command to enter privileged EXEC mode.

This command mode can be entered by logging in as an advanced user or by using the disable command in privileged EXEC mode.

In the following example, the user is currently logged in as an advanced user in privileged EXEC mode and uses the disable command to return to user EXEC mode at advanced user level:

DGS-6604:15#disable
DGS-6604:2> 

Privileged EXEC Mode at Power User Level

Users logged into the Switch in privileged EXEC mode at this level can change both local and global terminal settings, monitor, and perform system administration tasks like clearing configuration settings (except for security related information such as user accounts, SNMP account settings etc.)

There are two methods that a user can use to enter privileged EXEC mode at power user level. The first method is to login to the Switch with a user account that has a privilege level of 12. The other method is to use the enable privilege LEVEL command in user EXEC mode.

In the following example, the user enters privileged EXEC mode at power user level by logging in with a user account called “power-user” that has a privilege level of 12:

User Access Verification

Username: power-user
Password:
DGS-6604 Chassis-based High-Speed Switch
Command Line Interface
Firmware: 1.00.029
Copyright (c) 2010 D-Link Corporation. All rights reserved.
DGS-6604:12# 

In the following example, the user enters the enable privilege LEVEL command in user EXEC mode to enter privileged EXEC mode at Power User level:

DGS-6604:2>enable privilege 12
DGS-6604:12# 

Privileged EXEC Mode at Administrator Level

This command mode has a privilege level of 15. Users logged in with this command mode can monitor all system information and change any system configuration settings mentioned in this Configuration Guide.

There are two methods that a user can use to enter privileged EXEC mode at administrator level. The first method is to login to the Switch with a user account that has a privilege level of 15. The second method requires a user to login to the Switch in as a user with an advanced user or power user level and and use the enable privilege LEVEL command.

In this command mode, the user can return to user EXEC mode at an advanced user level by entering the disable command.

In the following example, the user is currently logged in as an administrator in privileged EXEC mode and uses the disable command to return to user EXEC mode at an advanced user level:

DGS-6604:15#disable
DGS-6604:2> 

In the following example, the user enters the enable privilege LEVEL command in privileged EXEC mode at power user level to enter privileged EXEC mode at an administrator level:

DGS-6604:12#enable privilege 15
DGS-6604:15# 

Global Configuration Mode

The primary purpose of global configuration mode is to apply global settings on the entire Switch. Global configuration mode can be accessed at both power user and administrator level. However, security related settings are not accessible at power user level. In addition to applying global settings on the entire Switch, the user can also access other sub-configuration modes.

In order to access global configuration mode, the user must be logged in as an administrator or power user and use the configure terminal command in privileged EXEC mode.

In the following example, the user is logged in as an Administrator in privileged EXEC mode and uses the configure terminal command to access global configuration mode:

DGS-6604:15#configure terminal
DGS-6604:15(config)#

The exit command is used to exit global configuration mode and return to privileged EXEC mode.

The procedures to enter the different sub-configuration modes can be found in the related chapters in this Configuration Guide. The command modes are used to configure the individual functions.

Interface Configuration Mode

Interface configuration mode is used to configure the parameters for an interface or a range of interfaces. An interface can be a physical port, VLAN, or other virtual interface. Thus, interface configuration mode is distinguished further according to the type of interface. The command prompt for each type of interface is slightly different.

VLAN Interface Configuration Mode

VLAN interface configuration mode is one of the available interface modes and is used to configure the parameters of a VLAN interface.

To access VLAN interface configuration mode, use the following command in global configuration mode:

Command Explanation

DGS-6604:15 (config) #interface vlanVLAN-ID 

Enters VLAN interface configuration mode.

Command Listing by Feature

802.1x dot1x auth-mode — 125

dot1x auth-protocol — 126

dot1x control-direction — 127

dot1x default — 128

dot1x forward-pdu — 129

dot1x guest-vlan — 130

dot1x initialize — 132

dot1x max-req — 133

dot1x pae authenticator — 134

dot1x port-control — 135

dot1x re-authenticate — 136

dot1x re-authentication — 137

dot1x system-auth-control — 138

dot1x timeout — 139

dot1x user — 140

show dot1x — 439

show dot1x user — 442

AAA aaa authentication — 1

aaa authorization — 3

aaa group server — 4

show aaa — 423

show aaa group server — 426

server — 410

Access

Control Lists

ip access-group — 162

ip access-list — 163

mac access-group — 302

mac access-list — 303

ipv6 access-group — 245

ipv6 access-list — 247

periodic — 348

permit | deny (ip access-list) — 349

permit | deny (ipv6 access list) — 352

permit | deny (mac access-list) — 354

resequence access-list — 396

show access-group — 427

show access-list — 428

show time-range — 607

time-range — 692

Access

Management

banner login — 31

command prompt — 92

configure terminal — 94

disable — 115

enable — 142

enable password — 143

end — 144

exit — 145

help — 154

ip http server — 185

ip http service-port — 186

ip telnet server — 241

ip telnet service-port — 242 ip trusted-host — 243 login — 300 logout — 301 password encryption — 347 show enable password — 443 show history — 450 show ip trusted-host — 538 show username — 610 show user-session — 611 telnet — 679 terminal length — 684 terminal timeout — 685 terminal width — 686 username — 702

Basic IPv4 arp — 27

arp timeout — 28 clear arp-cache — 63 ip address — 164 show arp — 429 show ip interface — 490

Basic IPv6 clear ipv6 neighbors — 78

default ipv6 nd prefix — 106 ipv6 enable — 258 ipv6 address — 248 ipv6 hop-limit — 259

ipv6 nd managed-config-flag — 260
ipv6 nd other-config-flag — 261
ipv6 nd prefix — 262
ipv6 nd ra-interval — 263
ipv6 nd ra-lifetime — 264
ipv6 nd reachable-time — 265
ipv6 nd retrans-timer — 266
ipv6 nd suppress-ra — 267
ipv6 neighbor — 268
show ipv6 interface — 545
show ipv6 interface brief — 546
show ipv6 neighbors — 547

Basic Switch show environment — 444

show system — 604

show unit — 609

show version — 612

BGP address-family ipv4 — 11

aggregate-address — 12

bgp asnotation dot — 42

bgp always-compare-med — 41

bgp bestpath as-path ignore — 44

bgp bestpath compare-routerid — 46

bgp default ipv4-unicast — 47

bgp default local-preference — 48

bgp deterministic-med — 49

bgp enforce-first-as — 50

bgp log-neighbor-changes — 51
bgp router-id — 52
clear ip bgp — 67
clear ip bgp peer-group — 69
ip as-path access-list — 168
ip community-list — 169
match as-path — 312
match community — 313
neighbor advertisement-interval — 324
neighbor description — 325
neighbor filter-list — 326
neighbor peer-group (create group) — 327
neighbor peer-group (add group member) — 328
neighbor remote-as — 329
neighbor route-map — 330
neighbor send-community — 331
neighbor shutdown — 332
neighbor timers — 333
neighbor update-source — 334
neighbor weight — 335
network (BGP) — 340
router bgp — 401
set as-path — 418
set community — 419
set origin — 421
set weight — 422
show ip as-path access-list — 453

DHCP Relay (IPv6)

ip dhcp relay information trusted — 182 show ip dhcp relay — 469 show ip dhcp relay information trusted-sources — 470

DHCP Server (IPv4)

ipv6 dhcp relay destination — 256 show ipv6 dhcp relay interface — 542

accept dhcp client-identifier — 5 accept dhcp relay-agent — 6 bootfile — 55 based-on client-id — 33 based-on c-vid — 34 based-on interface-ip-address — 35 based-on mac-address — 36 based-on relay-ip-address — 37 based-on s-vid — 38 based-on vendor-class — 39 based-on user-class — 40 clear ip dhcp binding — 71 clear ip dhcp conflict — 73 clear ip dhcp server statistics — 75 default-router — 111 dns-server — 118 domain-name — 119 ip address-list — 167 ip dhcp ping packets — 171 ip dhcp ping timeout — 172 ip dhcp pool — 173

gvrp advertise (Interface) — 149 gvrp advertise (VLAN) — 150 gvrp dynamic-vlan-creation — 151 gvrp forbidden — 152 gvrp timer — 153 show gvrp configuration — 447 show gvrp statistics — 449

IGMP ip igmp access-group — 187

ip igmp last-member-query-interval — 189 iip igmp query-interval — 190 ip igmp query-max-response-time — 191 ip igmp robustness-variable — 192 ip igmp version — 201 show ip igmp group — 480 show ip igmp interface — 483

IGMP

Snooping

ip igmp snooping — 193 ip igmp snooping immediate-leave — 197 ip igmp snooping (multicast router) — 195 ip igmp snooping querier — 198 ip igmp snooping static-group — 199 show ip igmp snooping — 484 show ip igmp snooping group — 486 show ip igmp snooping mrouter — 489

Interface clear counters — 64

description — 113

interface — 159

interface range — 160

show interface — 451

IP Utility ping — 356

traceroute — 693

IP Multicast ip multicast-routing — 206

ip mroute — 202

show ip mroute — 493

IPv6 Protocol Independent

ipv6 route — 279

show ipv6 protocols — 556

show ipv6 route — 560

show ipv6 route summary — 562

IPv6 Tunnel interface tunnel — 161

ipv6 nd suppress-ra — 267

tunnel destination — 699

tunnel mode — 700

tunnel source — 701

Jumbo Frame ip mtu — 204

max-rcv-frame-size — 315

mtu — 319

L2 FDB clear mac address-table — 82

mac address-table aging destination-hit — 304

mac address-table aging-time — 305

mac address-table static — 306

multicast filtering-mode — 320

show mac address-table — 566

show mac address-table aging destination-hit — 568

show mac address-table aging-time — 569

show multicast filtering-mode — 572

LACP channel-group — 58

Iacp port-priority — 292

Iacp system-priority — 293

port-channel load-balance — 370

show channel-group — 431

Management Port

default-gateway (management port) — 101

ip address (management port) — 166

ip mtu (management port) — 205

ipv6 address (management port) — 251

ipv6 default-gateway (management port) — 252

mgmt-if — 316

show mgmt-if — 570

shutdown (Management Port) — 627

Mirror monitor session — 317

show monitor session — 571

MSTP instance — 158

name — 321

revision — 397

show spanning-tree mst — 597

spanning-tree mst (cost | port-priority) — 654

spanning-tree mst (forward | max-age | max-hops) — 655

spanning-tree mst configuration — 656

spanning-tree mst hello-time — 657

spanning-tree mst priority — 658

OSPFv2 area default-cost — 13

area nssa — 15

area range — 17

area stub — 19

area virtual-link — 21

auto-cost reference-bandwidth — 29

clear ip ospf — 76

default-information originate — 102

default-metric (OSPF) — 107

host area — 155

ip ospf authentication — 207

ip ospf authentication-key — 208

ip ospf cost — 209

ip ospf dead-interval — 210

ip ospf hello-interval — 211

ip ospf message-digest-key — 212

ip ospf priority — 213

ip ospf retransmit-interval — 214

ip ospf shutdown — 215

ip ospf transmit-delay — 216

network area — 341

passive-interface — 343

redistribute (OSPF) — 388

router-id — 402

router ospf — 406

show ip ospf — 495

show ip ospf border-routers — 497

show ip ospf database — 498 show ip ospf database asbr-summary — 500 show ip ospf database external — 502 show ip ospf database network — 503 show ip ospf database nssa-external — 505 show ip ospf database router — 507 show ip ospf database summary — 510 show ip ospf host-route — 512 show ip ospf interface — 513 show ip ospf neighbor — 515 show ip ospf virtual-links — 516

OSPFv3 area default-cost (IPv6) — 14

area range (IPv6) — 18 area stub (IPv6) — 20 area virtual-link (IPv6) — 25 auto-cost reference-bandwidth (IPv6) — 30 clear ipv6 ospf process — 79 default-information originate (IPv6 OSPF) — 103 default-metric (IPv6 OSPF) — 108 ipv6 ospf cost — 269 ipv6 ospf dead-interval — 270 ipv6 ospf hello-interval — 271 ipv6 ospf priority — 272 ipv6 ospf retransmit-interval — 273 ipv6 ospf shutdown — 274 ipv6 ospf transmit delay — 275 ipv6 router ospf area — 284

passive-interface (IPv6 OSPF) — 344 redistribute (IPv6 OSPF) — 390 router-id (IPv6) — 403 router ipv6 ospf — 405 show ipv6 ospf — 548 show ipv6 ospf border-routers — 550 show ipv6 ospf database — 551 show ipv6 ospf interface — 552 show ipv6 ospf neighbor — 553 show ipv6 ospf route — 554 show ipv6 ospf virtual-links — 555 show ipv6 protocols — 556

PIM ip pim — 217

ip pim accept-register — 218 ip pim bsr-candidate — 219 ip pim dr-priority — 221 ip pim join-prune-interval — 222 ip pim prune-limit-interval — 223 ip pim query-interval — 224 ip pim register-checksum - include-data — 225 ip pim register-suppression — 226 ip pim rp-address — 227 ip pim rp-candidate — 228 ip pim state - refresh origination - interval — 230 show ip pim — 518 show ip pim bsr — 519 show ip pim interface — 520

show ip pim mroute — 522 show ip pim neighbor — 524 show ip pim rp mapping — 526 show ip pim rp-hash — 527

Power Saving power-saving — 371

show power-saving — 577

Port Security clear port-security — 83

show port-security — 575 switchport port-security — 674

Protocol distance — 116

Independent

ip route — 237 ip route multi-path — 238 maximum-paths — 314 show ip protocols — 528 show ip route — 532 show ip route summary — 536

QoS class — 60

class class-default — 60 class-map — 61 color-aware — 91 match — 308 police — 358 police aggregate — 363 police cir — 364 policy-map — 368 qos aggregate-policer — 373

QinQ (VLAN Tunnel)

qos bandwidth — 376 qos cos — 377 qos deficit-round-robin — 378 qos dscp-mutation — 381 qos map cos-color — 382 qos map dscp-color — 383 qos map dscp-cos — 384 qos map dscp-mutation — 385 qos trust — 386 service-policy — 413 set — 416 show class-map — 435 show policy-map — 573 show qos aggregate-policer — 578 show qos interface — 579 show qos map — 583

clear vlan-tunnel ctag-mapping dynamic — 86 cos remarking — 98 show vlan-tunnel — 618 show vlan-tunnel ctag-mapping — 621 vlan encapsulation — 706 vlan remarking — 708 vlan-tunnel — 710 vlan-tunnel ctag-mapping dynamic — 711 vlan-tunnel ctag-mapping static — 712 vlan-tunnel ingress checking — 713 vlan-tunnel interface-type — 714

vlan-tunnel remove-inner-tag — 715

vlan-tunnel tpid — 716

RIP accept-lifetime — 7

default-information originate (RIP) — 104

default-metric (RIP) — 109

ip rip authentication key-chain — 231

ip rip authentication mode — 233

ip rip receive version — 234

ip rip send version — 235

ip rip v2-broadcast — 236

key chain — 288

key — 286

key-string — 290

neighbor — 322

network — 339

passive interface (RIP) — 345

redistribute (RIP) — 392

router rip — 407

send-lifetime — 408

show ip key-chain — 492

show ip rip database — 530

show ip rip interface — 531

timers — 688

version — 704

RIPng clear ipv6 rip — 80

default-information originate (RIP IPv6) — 105

default-metric (RIP IPv6) — 110

ipv6 rip metric-offset — 276

ipv6 rip split-horizon — 277

ipv6 rip split-horizon poisoned — 278

ipv6 router rip — 285

neighbor (RIP IPv6) — 323

passive-interface (RIP IPv6) — 346

redistribute (RIP IPv6) — 394

router ipv6 rip — 404

show ipv6 rip database — 558

show ipv6 rip interface — 559

show ipv6 protocols — 556

timers basic — 689

RMON rmon statistics — 398

Route Map route-map — 399

show route-map — 584

SNMP

Management

show snmp-server — 589

snmp-server — 628

snmp-server contact — 631

snmp-server enable traps — 632

snmp-server enable traps snmp — 633

snmp-server location — 640

system-name — 678

SNMPv3 show snmp — 586

show snmp user — 591

snmp-server community — 629

snmp-server engineID local — 635

snmp-server group — 636

snmp-server host — 638

snmp-server user — 641

snmp-server view — 643

SSH crypto key — 100

ip ssh — 239

show ip ssh — 537

show ssh — 600

STP clear spanning-tree detected-protocols — 85

show spanning-tree — 594

spanning-tree (Global configuration) — 646

spanning-tree (timers) — 648

spanning-tree ( Interface configuration ) — 647

spanning-tree cost — 649

spanning-tree fast-forwarding — 650

spanning-tree guard root — 651

spanning-tree link-type — 652

spanning-tree mode — 653

spanning-tree port-priority — 659

spanning-tree priority — 660

spanning-tree tcnfilter — 661

spanning-tree transmit hold-count — 662

Switch Port duplex — 141

flowcontrol — 146

shutdown (interface) — 626

speed — 663

Syslog clear logging — 81

logging file — 295

logging host — 296

logging level — 298

logging on — 299

show logging — 563

System File Management

boot config — 53

boot image — 56

copy — 95

clear running-config factory-defaults — 84

show boot — 430

show running-config — 585

show startup-config — 601

Time and SNTP clock set — 87

clock summer-time — 88

clock timezone — 90

show clock — 436

show sntp — 593

sntp server — 645

Traffic

show traffic-segmentation — 608

Segmentation

traffic-segmentation forward — 696

VLAN acceptable-frame — 9

access vlan — 10

dot1v binding protocol-group — 123

dot1v protocol-group — 124

hybrid vlan VLAN-ID — 156

ingress-checking — 157

mac-base ( VLAN ) — 307

pvid VLAN-ID — 372

show dot1v — 438

show vlan — 613

subnet-base ( VLAN ) — 672

trunk allowed-vlan — 698

vlan — 705

vlan name — 707

VRRP show vrrp — 622

show vrrp brief — 625

vrrp critical-ip — 717

vrrp ip — 719

vrrp preempt — 720

vrrp priority — 722

vrrp shutdown — 724

vrrp timers advertise — 725

aaa authentication

Use this command to enable the AAA authentication function (console, telnet, ssh or http) using the method or methods specified and to create a login list to specify the application or applications used for system access.

Note: Use aaa group server to first define authentication servers before aaa authentication can be configured.

aaa authentication [ login | enable ] [ console | telnet | http | ssh ] METHOD1 [ METHOD2...]

no aaa authentication [ login | enable ] [ console | telnet | http | ssh ] METHOD1 [ METHOD2...]

Default

No aaa authentication, local user authentication is specified for console, telnet, http, etc. application.

Command Mode Global configuration at privilege level 15

Usage Guideline

Use aaa authentication to enable authentication and create a login list to specify the application or applications used for system access.

If neither login or enable are specified, both are implied. If no application is specified, all applications (console, telnet, ssh, or http) are assumed valid for sytem access.

Multiple methods for the login/enable authentication per application can be specified. The new setting will overwrite the old association.

Use no aaa authentication to disable authentication for system access or to disable the login list of applications used for system access.

To configure AAA authentication, first define a group of authentication servers (use aaa group server command). If a specified group server cannot be found, an error message is displayed. The group server defines the type of authentication to be performed and the sequence in which they will be performed.

A method list describes authentication methods used in the sequential order listed. The method defines a security protocol, if any is used, for user authentication. More than one method can be defined to provide a backup authentication procedure. If the first method cannot be used or there is no response, the next method listed is used and so on for up to 2 defined methods. The process continues until either the user is authenticated successfully, or all methods listed are exhausted.

Note that if, at any point, access is denied by an authentication method employed, the authentication process is stopped, no more methods are eligible and no other attempts to authenticate are made.

The local method for authentication uses locally configured login and enable passwords to authenticate login attempts. The login and enable passwords are local to each switch and are not mapped to the individual user names. The local method is used by default for authentication if no method is listed. If a different authentication method is listed for login or enable, the switch will not attempt local authentication.

In order to use AAA authentication, at least one local user account for login must first be created and the enable password set up.

Example

The following example sets a login method list for an authenticate login attempt from all of the applications (including console, telnet, ssh, http). The methods start from group2.

Switch(config)# aaa authentication login group group2 local Switch(config)#

Verify the settings by entering the show aaa command.

aaa authorization

Use this command to enable the authorization function. Use the no form of the command to disable AAA authorization.

aaa authorization

no aaa authorization

Syntax None

Default Disabled

Command Mode Global configuration at privilege level 15

Usage Guideline

When the AAA authorization function is enabled, the system will use configuration settings authorized by the RADIUS server in addition to the RADIUS server authentication function. Settings can include VLAN assignment, user priority assignment and bandwidth assignment.

If AAA authorization is disabled, the system only accepts the authentication function from the RADIUS server and ignore any additional configuration settings supplied by the RADIUS server.

Example This example shows how to enable the authorization:

Switch# configure terminal
Switch(config)# aaa authorization 

Verify the settings by entering the show system protocol-state command.

aaa group server

Use the aaa group server command to enter AAA group server mode and identify AAA server groups used for AAA authentication. In AAA group server mode server hosts are grouped into distinct lists and distinct methods.

To remove a group server from the configuration list, use the no aaa group server form of this command.

aaa group server GROUP-NAME

no aaa group server GROUP-NAME

Syntax Description

Default There is no aaa group server.

Command Mode Global configuration at privilege level 15

Usage Guideline

The AAA group server method is defined for AAA authentication for user login or configuration. The aaa authentication command is used to define the group server method and specify the AAA server group.

Use aaa group server command to enter AAA group server mode. If the group name specified does not exist, the switch creates the new group. Once in AAA group server mode, use the server command to define and configure servers added to the group.

Example
The following example shows the network access server configured to recognize two RADIUS host entries. The second host entry configured acts as fail-over backup to the first one. (The RADIUS host entries are tried in the order in which they are configured.)

Switch(config)#aaa group server group1
Switch(config-aaa-group-server)# server radius 172.19.10.100 key 12345678
Switch(config-aaa-group-server)# server radius 172.19.10.200 key 12345678
Switch(config-aaa-group-server)# end
Switch# 

Verify the settings by entering the show aaa group server command.

accept dhcp client-identifier

Use this command to turn on validation checking of the Client Identifier. Use the no form of the command to turn off validation checking of the Client Identifier.

accept dhcp client-identifier

no accept dhcp client-identifier

Syntax None

Default client identifier: not evaluated

Command Mode DHCP pool configuration

Usage Guideline

To validate the DHCP Client Identifier value sent by the client. If a DHCP client sends a DHCP Client Identifier option, the DHCP server validates the value to ensure it matches the hardware type and client hardware address. If the values match, the DHCP server provides service to the client. If the values do not match, the DHCP server does not respond to the client's request.

If the command is used to set the validation to not check the DHCP Client Identifier value sent by the client, then the DHCP server only checks the matching of the client's hardware type and hardware address as a host ID.

Example

The following example sets the DHCP pool1 to check the validation of the client identifier option as DHCP pool1 offers IP addresses.

switch > enable
switch# configure terminal
switch(config)# ip dhcp pool pool1
switch(config-dhcp)# accept dhcp client-identifier
switch(config-dhcp)# 

accept dhcp relay-agent

To accept relay agent information use the accept dhcp relay-agent command, use the no form of the command to reject DHCP relay agent information.

accept dhcp relay-agent [circuit-id|remote-id]

no accept dhcp relay-agent [circuit-id|remote-id]

Syntax Description

circuit-id (Optional) Agent Circuit ID Sub-option.

remote-id (Optional) Agent Remote ID Sub-option

Default DHCP relay-agent is not accepted.

Command Mode DHCP pool configuration

Usage Guideline

If either of circuit-id and remote-id is not specified, it implies that both the circuit-id and remote-id options are applied with the command. If only the circuit-id or remote-id is specified, it implies that it only accepts DHCP packets containing either only a circuit-id or a remote-id.

Examples

The following example sets DHCP pool1 to accept circuit id and remote id relay agent information.

switch > enable
switch# configure terminal
switch(config)# ip dhcp pool pool1
switch(config-dhcp)# accept dhcp relay-agent
switch(config-dhcp)# 

The following example sets DHCP pool1 to not accept remote id relay agent information.

switch > enable
switch# configure terminal
switch(config)# ip dhcp pool pool1
switch(config-dhcp)# no accept dhcp relay-agent remote-id
switch(config-dhcp)# 

accept-lifetime

The accept-lifetime command is used to set a time period when an authentication key on a key chain is accepted as the valid key.

accept-lifetime START-TIME { infinite | END-TIME | duration SECONDS }

Syntax Description

Default Infinite

Command Mode Key-chain key configuration

Usage Guideline Only Routing Information Protocol (RIP) Version 2 uses key chains.

Specify a start time value and one of the following values: infinite, end-time, or duration seconds.

Example

The following example configures a key chain named chain1. Key 1 named "forkey1string" will be accepted from 1:30 p.m. to 3:30 p.m. and be sent from 2:00 p.m. to 3:00 p.m. Key 3 named "forkey3string" will be accepted from 2:30 p.m. to 4:30 p.m. and be sent from 3:00 p.m. to 4:00 p.m.

Switch(config)# interface vlan1
Switch(config-if)# ip rip authentication key-chain chain1
Switch(config-if)# ip rip authentication mode text
Switch(config-if)# exit
Switch(config)# router rip
Switch(config-router)# network 172.19.0.0/8
Switch(config-router)# version 2
Switch(config-router)# exit
Switch(config)# key chain chain1
Switch(config-keychain)# key 1
Switch(config-keychain-key)# key-string forkey1string
Switch(config-keychain-key)# accept-lifetime 13:30:00 Jan 25 2009 duration 7200
Switch(config-keychain-key)# send-lifetime 14:00:00 Jan 25 2009 duration 3600
Switch(config-keychain-key)# exit
Switch(config-keychain)# key 3
Switch(config-keychain-key)# key-string forkey3string
Switch(config-keychain-key)# accept-lifetime 14:30:00 Jan 25 2009 duration 7200
Switch(config-keychain-key)# send-lifetime 15:00:00 Jan 25 2009 duration 3600
Switch(config-keychain-key)# exit
Switch(config-keychain)# exit 

Verify the settings by entering the show ip key-chain command.

acceptable-frame

Use the acceptable-frame interface command to set the acceptable frame type of a port for IEEE 802.1Q VLANs. The default acceptable frame type is admit-all.

acceptable-frame { tagged-only | untagged-only | admit-all }

Syntax Description

tagged-only Set acceptable frame type for tagged only of the interface.

untagged-only Set acceptable frame type for untagged only of the interface.

admit-all Set acceptable frame type for all packets of the interface.

Default admit-all

Command Mode interface configuration

Usage Guideline The valid interfaces for this command are physical ports.

The acceptable-frame interface command can be used to set the acceptable frame types for physical port interfaces. If an acceptable frame type is tagged-only, only tagged packets of incoming packets will be received by the interface and untagged packets will be dropped. If untagged-only, only untagged packets will be received and tagged packets will be dropped. If admit-all, all packets will be received.

Example This example shows how to set the acceptable frame type to tagged-only of eth3.1.

Switch(config)# interface eth3.1
Switch(config-if)# acceptable-frame tagged-only

Verify the settings by entering the show vlan interface command.

access vlan

Use the access vlan interface configuration command to specify the access VLAN for the interface. Use default interface vlan command to reset to default setting.

access vlan VLAN-ID

default access vlan

Default VLAN 1

Command Mode Interface configuration

Usage Guideline The command is valid for physical ports or port-channel interfaces. If the VLAN does not exist, the VLAN will be automatically created and a message pompt will appear. By default, the port has access VLAN 1.

The following applies to access VLANs:

• An interface can be specified with only one access VLAN. The succeeding command overwrites the previous command.
• When this command is applied, the port will change to Access mode. If the port has been configured for other modes, Access mode will overwrite the previous mode. The port's PVID is changed to the specified VLAN.

Examples This example shows how to set an interface eth3.1 to an untagged member of VLAN 1000.

Switch(config)# interface eth3.1
Switch(config-if)# access vlan 1000 

Verify the settings by entering the show vlan interface command.

address-family ipv4

Use this command to enter address family configuration mode to configure a routing session using standard IP Version 4 address prefixes. Use the no form of this command to remove the IPv4 address family configuration from the running configuration.

address-family ipv4 [unicast]

no address-family ipv4 [unicast]

Syntax Description

unicast (Optional) Specifies IP Version 4 unicast address prefixes.

Default

Unicast prefix support is enabled by default when this command is entered without any optional keywords.

Command Mode Router configuration

Usage Guideline

Routing information for address family IPv4 unicast is advertised by default for each BGP routing session configured with the neighbor remote-as command unless the no bgp default ipv4-unicast command is used before configuring the neighbor remote-as command.

For all settings configured for IPv4 unicast, the settings also appear in BGP router configuration mode. That is, for address-family associated settings, the settings defined in IPv4 unicast address family mode is equivalent to the settings defined in the router configuration mode.

To leave address family configuration mode and return to router configuration mode without removing the existing configuration, enter the exit command.

Example

This example shows how to enter address family configuration mode for the IP Version 4 address family:

Switch(config)# router bgp 65100
Switch(config-router)# address-family ipv4
Switch(config-router-af)# exit
Switch(config-router)# 

aggregate-address

Use this command to configure BGP aggregate entries. Use the no form of the command to disable this function.

aggregate-address NETWORK-NUMBER/SUBNET-LENGTH [summary-only] [as-set]

no aggregate-address NETWORK-NUMBER/SUBNET-LENGTH [summary-only] [as-set]

Syntax Description

summary-only (Optional) Filters all more-specific routes from updates.

as-set (Optional) Generates autonomous system set path information.

Default Disabled

Command Mode Router configuration

Usage Guideline

Aggregates are used to minimize the size of routing tables. Aggregation combines the characteristics of several different routes and advertises a single route. The aggregate-address command creates an aggregate entry in the BGP routing table if any more-specific BGP routes are available in the specified range. Using the summary-only parameter advertises the prefix only, suppressing the more-specific routes to all neighbors.

The as-set parameter creates an aggregate entry advertising the path for this route, consisting of all elements contained in all paths being summarized. Use the as-set parameter to reduce the size of the path information by listing the AS number only once, even if it was included in multiple paths that were aggregated. The as-set parameter is useful when aggregation of information results in an incomplete path information.

Example This example shows how to propagate network 172.0.0.0 and suppresses the more specific route 172.10.0.0:

Switch(config)# router bgp 65534
Switch(config-router)# aggregate-address 172.0.0.0/8 summary-only 

area default-cost

The cost of the default summary route sent into a not-so-stubby area (NSSA) or a stub area is defined with the area default-cost command in router configuration mode. The no area default-cost command is used to remove an assigned default route cost.

area AREA-ID default-cost COST

no area AREA-ID default-cost

Default COST: 1

Command Mode Router configuration

Usage Guideline Use this command only on an Area Border Router (ABR) attached to a stub area or NSSA. The two stub area router configuration commands are area stub and area default-cost are configured as follows: for all routers and access servers attached to the stub area, the area should be configured as a stub area using the area stub option; the area default-cost command is used only on an ABR attached to the stub area. The default-cost provides the metric for the summary default route generated by the ABR into the stub area.

Example The following example assigns a default cost of 20 to stub network 10.0.0.0

Switch# configure terminal
Switch (config)# router ospf
Switch (config-router)# area 10.0.0.0 default-cost 20 

Verify the settings by entering the show ip ospf interface command.

area default-cost (IPv6)

To set the summary-default cost of a stub area, use the area default-cost command. To disable this function, use the no form of this command.

area AREA-ID default-cost COST

no area AREA-ID default-cost

Default Disabled

Command Mode Router configuration

Usage Guideline

This command is used only on an Area Border Router (ABR) attached to a stub area. In all routers and access servers attached to the stub area, the area should be configured as a stub area using the stub option of the area command. Use the area default-cost command only on an ABR attached to the stub area. The default-cost option provides the metric for the summary default route generated by the ABR into the stub area.

Examples The following example assigns a default cost of 10 to stub area 1.

Switch > enable
Switch # configure terminal
Switch (config) # router ipv6 ospf
Switch (config-router) # area 1 stub
Switch (config-router) # area 1 default-cost 10 

area nssa

Use this command to define an area as an NSSA (not-so-stubby) area. Use the no nssa command to remove the NSSA designation.

Note: For OSPFv3 this command is not supported.

area AREA-ID nssa [no-redistribution] [default-information-originate [metric METRIC-VALUE] [metric-type TYPE-VALUE]] [no-summary]

no area AREA-ID nssa [no-redistribution] [default-information-originate] [no-summary]

Default • No NSSA area is configured.

• External routes will be redistributed to the NSSA area in type 7 unless no-redistribute is specified.
• Type 7 default route will only be advertised by default when default-information-originate is specified.
• If no-summary is specified, the summary route will not be advertised to the NSSA area.

Command Mode Router configuration

Usage Guideline

There are no external routes in an OSPF stub area, so it is not possible to redistribute from another protocol into a stub area.

An NSSA allows external routes to be advertised to the area in type 7 link state advertisement (LSA). These routes are then leaked into other areas. Although, the external routes from other areas still do not enter the NSSA.

Use the area nssa command to simplify the administration of connecting a central site using OSPF to a remote site that is using a different routing protocol. Use this command to extend OSPF to cover the remote connection by defining the area between the central router and the remote router as an NSSA.

For ASBR NSSA re-distribution, external routes will only be redistributed to the NSSA when redistribution is configured for the associated OSPF process.

The external routes from other areas within the same AS will not be injected to the NSSA.

For an ASBR, a Type 7 default route will be generated into the NSSA when it exists in the redistributed routes.

For an ABR, when this option is specified, the type-7 default route will always be generated into the NSSA.

If there are multiple default routes generated into the NSSA, the following priority will be followed: Type 3 priority > Type 7 priority.

Example This command show how to set the nssa area:

Switch# configure terminal
Switch(config)# router ospf
Switch(config-router)# area 1 nssa 

Verify the settings by entering the show ip ospf command.

area range

Use this command to summarize and consolidate routes at an area boundary. Use the no area range command to disable this function.

area AREA-ID range PREFIX/PREFIX-LENGTH [advertise | not-advertise] [cost COST]

no area AREA-ID range [PREFIX/PREFIX-LENGTH]

Default Disabled

The default is advertise.

If cost is not specified, the cost of this route is found from the cost sets of component subnets and the maximum cost of those is chosen. (based on RFC2328).

Command Mode Router configuration

Switch# configure terminal
Switch(config)# router ospf
Switch(config-router)# area 1 range 192.168.0.0/16 

Verify the settings by entering the show ip ospf command.

area range (IPv6)

To consolidate and summarize routes at an area boundary, use the area range command. To disable this function, use the no form of this command.

area AREA-ID range IPv6-PREFIX/PREFIX-LENGTH [advertise | not-advertise]

no area AREA-ID range IPv6-PREFIX / PREFIX-LENGTH

Default Disabled

Command Mode Router configuration

Switch> enable
Switch# configure terminal
Switch(config)# router ipv6 ospf
Switch(config-router)# router-id 20.0.1.10
Switch(config-router)# area 1 range 2001:0DB8:0:1::/64 

area stub

Use this command to configure an area as a stub area. Use the no area stub command to disable this function.

area AREA-ID stub [no-summary]

no area AREA-ID stub [no-summary]

Default Stub areas are not configured.

Summary link advertisements are sent into the stub area.

Command Mode Router configuraiton

Usage Guideline

When employed, this command must be configured on all routers and access servers in the stub area. Use area default-cost to specify the cost of the default internal route sent into a stub area by an Area Border Router (ABR).

Two router configuration commands, area stub and area default-cost are used for stub area router configuration. In all routers attached to the stub area, configure the area using the area stub command. Use the area default-cost command only for ABRs attached to the stub area.

To prevent advertising LSA summaries into a stub area use the no-summary option on ABRs attached to the stub area. The area is defined as a “totally stubby” area using the area stub no-summary command on the ABR.

The default summary route (Type 3) will be generated to the stub area (or NSSA area) when no-summary is specified in the command.

Example This command show how to set stub area:

Switch# configure terminal
Switch(config)# router ospf
Switch(config-router)# area 1 stub 

Verify the settings by entering the show ip ospf command.

area stub (IPv6)

To set the summary-default cost of a stub area, use the area default-cost command. To disable this function, use the no form of this command.

area AREA-ID stub [no-summary]

no area AREA-ID stub [no-summary]

Syntax Description

Default Disabled

Command Mode Router configuration

Usage Guideline

This command is used only on an ABR attached to a stub area. In all routers and access servers attached to the stub area, the area should be configured as a stub area using the area stub command. Use the area default-cost (IPv6) command on page 14 only on an ABR attached to the stub area. The area default-cost command provides the metric for the summary default route generated by the ABR into the stub area.

Use the no-summary argument with this command to define a totally stubby area. When routers in the area do not require to learn about summary LSAs from other areas, then a totally stubby area should be defined. To define a totally stubby area configure the ABR of that area using the area stub no-summary command.

Examples

In the following example, the area stub command is used to configure the router as a stub that advertises connected and summary routes.

Switch > enable
Switch # configure terminal
Switch (config) # router ipv6 ospf
Switch (config-router)# router-id 20.0.1.10
Switch (config-router)# area 1 stub 

area virtual-link

Use this command to configure a link between two backbone areas that are physically separated through other non-backbone area. Use the no area virtual-link command to remove a virtual link.

area AREA-ID virtual-link ROUTER-ID [ authentication [ message-digest ] ] [ hello-interval SECONDS ] [ dead-interval SECONDS ] [ transmit-delay SECONDS ] [ retransmit-interval SECONDS ] [ [ authentication-key PASSWORD ] | [ message-digest-key KEY-ID md5 KEY ] ]

no area AREA-ID virtual-link ROUTER-ID [dead-interval|hello-interval|tansmit-interval|retransmitinterval|authentication|authentication-key|message-digest-key KEY-ID]

Default • AREA-ID: None

• ROUTER-ID: None
• authentication: null
• hello-interval:10 seconds
  • dead-interval: 40 seconds
  • transmit-delay: 1 second
• retransmit-interval: 5 seconds
• authentication-key: None
• message-digest-key: None

Command Mode Router configuration

Usage Guideline

In OSPF, all non-backbone areas must be connected to a backbone area. If the connection to the backbone is broken, the virtual link is used to re-establish the connection. Virtual links between any two backbone-routers that have an interface to a common non-backbone area can be configured. The protocol treats these two routers joined by a virtual link as if they were connected by an un-numbered point-to-point network. To configure a virtual link, include both the transit AREA ID and the corresponding virtual link neighbor's ROUTER-ID in the virtual link neighbor.

Configure the hello-interval to be the same for all routers attached to a common network. A short hello interval results in the router detecting topological changes faster but also an increase in the routing traffic.

As with the hello interval, the value of dead-interval must be the same for all routers and access servers attached to a common network.

The retransmit-interval is the expected round-trip delay between any two routers in a network. Set the value to be greater than the expected round-trip delay to avoid needless retransmissions.

The transmit-delay is the time taken to transmit a link state update packet on the interface. Before transmission, the link state advertisements in the update packet, are incremented by this amount. Set the transmit-delay to be greater than zero. Also, take into account the transmission and propagation delays for the interface.

Before using the area virtual-link authentication command, configure a password for virtual link using the area virtual-link authentication-key command. If the area virtual-link authentication message-digest command is used, configure the message-digest key for the virtual link using area virtual-link message-digest-key command.

The password created by the area virtual-link authentication-key command is used as a "key" that is inserted directly into the OSPF header when the switch system software originates routing protocol packets over this virtual link.

Usually, one key per interface (or virtual link) is used to generate authentication information when sending packets and to authenticate incoming packets. The same key identifier on the neighbor router must have the same KEY value.

The process of changing keys is as follows. Suppose the current configuration is as follows:

area 1 virtual-link 192.168.255.1 message-digest-key 100 md5 OLD

The configuration can be changed to the following:

area 1 virtual-link 192.168.255.1 message-digest-key 101 md5 NEW

The system assumes its neighbors do not have the new key yet, so it begins a rollover process. It sends multiple copies of the same packet, each authenticated by different keys. In this example, the system sends out two copies of the same packet; the first one authenticated by key 100 and the second one authenticated by key 101

Rollover allows neighboring routers to continue communication while the network administrator is updating them with the new key. Rollover stops once the local system finds that all its neighbors know the new key. The system detects that a neighbor has the new key when it receives packets from the neighbor authenticated by the new key.

After all neighbors have been updated with the new key, the old key should be removed. In this example, the following entry is used:

no area 1 virtual-link 192.168.255.1 message-digest-key 100

Examples

This following example shows how to establish a virtual link with hello-interval and dead-interval to 5 and 10 seconds respectively.

Switch# configure terminal
Switch(config)# router ospf
Switch(config-router)# area 1 virtual-link 10.10.11.50 hello-interval 5 dead-interval 10 

Verify the settings by entering the show ip ospf virtual-links command.

This following example (on the next page) shows how to configure the following parameters for a virtual link at area 1 with the remote id as 192.168.255.1.

1. Specify "yourpass" as the key for simple password authentication.
2. Set authentication type to simple password.

Switch# configure terminal
Switch(config)# router ospf 1
Switch(config-router)# area virtual-link 192.168.255.1 authentication-key yourpass
Switch(config-router)# area 1 virtual-link 192.168.255.1 authentication 

Verify the settings by entering the show ip ospf virtual-links command.

area virtual-link (IPv6)

To define an OSPF virtual link, use the area virtual-link command with the optional parameters. To remove a virtual link, use the no form of this command.

area AREA-ID virtual-link ROUTER-ID [instance-id INSTANCE-ID] [hello-interval SECONDS] [dead-interval SECONDS] [transmit-delay SECONDS] [retransmit-interval SECONDS]

no area AREA-ID virtual-link ROUTER-ID

Default No OSPF virtual link is configured.

hello-interval SECONDS: 10 seconds

dead-interval SECONDS: 40 seconds

transmit-delay SECONDS: 1 second

retransmit-interval SECONDS: 5 seconds

Command Mode Router configuration

Usage Guideline

All areas in an OSPF autonomous system must be physically connected to the backbone area (area 0). In some cases where this physical connection is not possible, use a virtual link to connect to the backbone through a non-backbone area. As mentioned, use virtual links to connect two parts of a partitioned backbone through a non-backbone area. The area through which the virtual link is configured, is known as a transit area, and it must have the full routing information. The transit area cannot be a stub area.

In OSPF, all non-backbone areas must be connected to a backbone area. If the connection to the backbone is lost, the virtual link repairs the connection. Virtual links can be configured between any two backbone-routers that have an interface to a common non-backbone area. The protocol treats these two routers joined by a virtual link as if they were connected by an un-numbered point-to-point network. To configure a virtual link, include both the transit area ID and the corresponding virtual link neighbor's router ID in the virtual link neighbor.

Configure the hello-interval to be the same for all routers attached to a common network. A short hello interval results in the router detecting topological changes faster but also an increase in the routing traffic.

As with the hello interval, the value of dead-interval must be the same for all routers and access servers attached to a common network.

The retransmit-interval is the expected round-trip delay between any two routers in a network. Set the value to be greater than the expected round-trip delay to avoid needless retransmissions.

The transmit-delay is the time taken to transmit a link state update packet on the interface. Before transmission, the link state advertisements in the update packet, are incremented by this amount. Set the transmit-delay to be greater than zero. Also, take into account the transmission and propagation delays for the interface.

To configure a virtual link in OSPF for IPv6, a router ID must be used instead of an address. In the IPv6 version of OSPF, the virtual link takes the router ID rather than the IPv6 prefix of the remote router.

Examples

The following example establishes a virtual link with default values for all optional parameters.

Switch > enable
Switch # configure terminal
Switch (config) # router ipv6 ospf
Switch (config-router)# area 1 virtual-link 192.168.255.1 

arp

Use this command to add a static entry in the Address Resolution Protocol (ARP) cache. Use the no arp command to remove a static entry in the ARP cache.

arp IP-ADDRESS HARDWARE-ADDRESS

no arp IP-ADDRESS HARDWARE-ADDRESS

Default No entries are entered in the ARP cache.

Command Mode Global configuration

Switch(config)# arp 10.31.7.19 0800.0900.1834

Verify the settings by entering the show arp command.

arp timeout

Use the arp timeout command to set the ARP aging time for the ARP table.

arp timeout SECONDS

Syntax Description

SECONDS Number of seconds that dynamic entries will remain in the ARP table before being deleted; valid values are from 0 to 65535.

Default 14400 seconds (4 hours)

Command Mode VLAN interface configuration

Usage Guideline Only VLAN interfaces are valid for this command.

Example This example shows how to set the ARP timeout to 12000 seconds to allow entries to time out faster than the default setting:

Switch(config)# interface vlan1
Switch(config-if)# arp timeout 12000 

Verify the settings by using show ip interface command

auto-cost reference-bandwidth

Use this command to control how OSPF calculates default metrics for the interface. The no form of this command will reset the reference bandwidth to the default value.

auto-cost reference-bandwidth MBPS

no aut-cost reference-bandwidth

Syntax Description

MBPS The reference bandwidth in Mbps. The default reference bandwidth is 100 Mbps. The valid setting is 1 to 4294967.

Default Enabled

MBPS: 100

Command Mode Router configuration

Usage Guideline

By default OSPF calculates the OSPF metric for an interface by dividing the reference bandwidth by the bandwidth of interface. The default value for the reference bandwidth is 100Mbps. For example, a 100Mbps will have a metric of 1 and a 64K link will have a metric of 1562,

The auto-cost command is used to differentiate high bandwidth links. For multiple links with high bandwidth, specify a larger reference bandwidth value to differentiate costs on those links.

Before the cost is changed to the manual configuration mode, the cost must be configured in advance.

Example This following example shows how to set reference bandwidth to 50 Mbps.

Switch# configure terminal
Switch(config)# router ospf
Switch(config-router)# auto-cost reference-bandwidth 50 

Verify the settings by entering the show ip protocol ospf command.

auto-cost reference-bandwidth (IPv6)

To control the reference value IPv6 OSPF uses when calculating metrics for interfaces, use the auto-cost reference-bandwidth command. To return the reference value to its default, use the no form of this command.

auto-cost reference-bandwidth MBPS

no auto-cost reference-bandwidth

Syntax Description

Default MBPS: 100.

Command Mode Router configuration

Usage Guideline

The IPv6 OSPF metric is calculated as the Mbps value divided by the bandwidth, with Mbps equal to 100 by default, and bandwidth determined by the bandwidth command. The calculation gives Fast Ethernet a metric of 1.

Examples

The following example sets the auto-cost reference bandwidth to 1000 Mbps.

Switch > enable
Switch # configure terminal
Switch (config) # router ipv6 ospf
Switch (config-router)# auto-cost reference-bandwidth 1000 

banner login

Use banner login to enter the banner login mode in order to configure the banner login message. Use the default form of the command to set the login banner to factory default.

banner login LINE

default banner login

Syntax Description

Default Project dependent

Sample Banner Login Message:

DGS-6604 Chassis Ethernet Switch

Command Line Interface,

Firmware: Build 1.00.027

Copyright (c) 2011 D-Link Corporation, all rights reserved.

Where 2011 represents the year for release of the new firmware. It should be updated if needed by the subsequent release of the firmware.

Command Mode Global configuration

Usage Guideline

Use this command to define a customized banner to be displayed before the user is prompted for their username and password. Enter the banner login command followed by a desired display string and then execute the command by pressing ENTER to complete the modification.

When a multiple lines banner is needed, use special character sequences such as '/n' which represents a new line and '/r' which represents a carriage return. However if '/n' or '/r' is required to be displayed as part of the string in the line, then both '/n' and 'r' must be prefixed with another '/' as an escape sequence to override the special character sequence functionality, for example '/n', or '/r'.

At the end of each line is either a '/n' or '/r'. If more than 80 characters are entered without an '/n' or '/r' ending the line, then the line will be truncated and the first 80 characters are displayed.

Example This example shows how to modify the banner login message:

Switch:12(config)# banner login DGS-6604 Chassis Ethernet Switch Command Line Interface, Access for authorized users only. Please enter your username and password. Switch:12# 

based-on client-id

This command is used to specify the client identifier as a rule for IP address assignment from the DHCP address pool. Use the no form to remove the rule from DHCP address pool.

based-on client -id {hex|string} CLIENT-ID

no based-on client -id {hex|string} CLIENT-ID

Syntax Description

CLIENT-ID A sequence of bytes or a string defined on the client that is an unique identification of client.

HEXADECIMAL: The maximum length is 128 bytes.

STRING: The maximum length is up to 64 bytes.

Default None

Command Mode DHCP pool configuration

Usage Guideline

All rules take effect on the corresponding DHCP address pool and will have a logical AND operation conditions combined with other rules set by other based-on commands.

If a DHCP client sends the no DHCP Client Identifier option, the service continues to operate as it bases it on the hardware type and a client hardware address. If a DHCP client sends a DHCP Client Identifier option, the DHCP server validates the value to ensure the client identifier optional field matches the configured Client Identifier. If the values match, the DHCP server provides service to the client. If the values do not match, the DHCP server does not respond to the client's request.

Multiple based-on client-id commands create a list of client-ids for the DHCP address pool. When any request has a match in the list, the server will provide an IP address to the server based on DHCP Client Identifier option, but not the received client Hardware address.

Examples The following sets a rule used for the IP address assignment based 0x0152415320 for a Microsoft "Remote Access Server" (RAS).

switch(config)#ip dhcp pool pool1 switch(config-dhcp)#based-on client-id hex 0x0152415320

based-on c-vid

This command is used to specify the customer vlan ID (C-VID) as a rule for IP address assignment from the DHCP address pool. Use the no form of the command to remove the C-VID rule from DHCP address pool.

based-on c-vid V-ID [,|-]

no based-on c-vid V-ID [,|-]

Syntax Description

Default None

Command Mode DHCP pool configuration

Usage Guideline

This command is used to create the address binding rule for the DHCP address pool. The based-on c-vid command creates the address binding rules in an incremental way. That is, all of the C-VIDs created by based-on c-vid commands take effect on the corresponding DHCP address pool. However this command will be combined with logical AND operations with the other rules set by other based-on commands. For example if the first rule is based-on c-vid 100 and there is another based-on s-vid 200 command, then the address pool will only assign an IP address to the client with C-VID=100 and S-VID=200.

Examples

The following sets a rule used for IP address assignment based on C-VID 100 or 200 from the DHCP address pool1.

switch(config)#ip dhcp pool pool1
switch(config-dhcp)#based-on c-vid 100,200 

Then the rule is added to and now based on C-VID 100/200 and S-VID 1000.

switch(config-dhcp)#based-on s-vid 1000 

based-on interface-ip-address

This command is used to specify a rule for a DHCP address pool to respond to a request from the specified IP interface. Use the no form of the command to remove the rule from the DHCP address pool.

based-on interface-ip-address IP-ADDRESS

no based-on interface-ip-address IP-ADDRESS

Syntax Description

IP-ADDRESS Specifies the IP address of the interface.

Default None

Command Mode DHCP pool configuration

Usage Guideline

An additional rule can be set for a DHCP address pool based on interface IP address.

All of the DHCP IP address assignment rules take effect on the corresponding DHCP address pool. A based-on command will be combined using logical AND operations with the other rules set by all other based-on commands.

Examples

The following example sets a rule used for the IP address assignment (DHCP IP address pool1) based on interface 172.19.10.100.

switch(config)#ip dhcp pool pool1 switch(config-dhcp)#based-on interface-ip-address 172.19.10.100

based-on mac-address

This command is used to specify the host MAC address as a rule for IP address assignment from the DHCP address pool. Use the no form to remove the MAC address rule from the DHCP address pool.

based-on mac-address MAC-ADDRESS [,|-]

no based-on mac-address MAC-ADDRESS [,|-]

Syntax Description

MAC-ADDRESS [,|-] Specifies the MAC address list.

Default None

Command Mode DHCP pool configuration

Usage Guideline

This command is used to create the address binding rule for the DHCP address pool. based-on mac-address command creates the address binding rules in an incremental way. That is, all of the mac-addresses created by the based-on mac-address commands take effect on the corresponding DHCP address pool. However this command will be combined using logical AND operations with the other rules is set by all other based-on commands. For example if the first rule is based-on mac-address 00:80:00:11:22:00- 00:80:00:11:22:FF and there is another based-on c-vid 200 command, the address pool will only assign an IP address to the client with a MAC address in range of 00:80:11:22:xx and with its C-VID=200. Other than that, no IP address is offered from the corresponding DHCP address pool.

Examples

The following sets a rule used for IP address assignment based on MAC address 00:80:C8:11:22:xx from the DHCP address pool1.

switch(config)#ip dhcp pool pool1
switch(config-dhcp)#based-on mac-address 00:80:C8:11:22:00-00:80:C8:11:22:FF 

The following sets an additional rule used for IP address assignment based on MAC address 00:80:C8:11:33:00 and 00:80:C8:11:33:FF from the DHCP address pool1.

switch(config-dhcp)#based-on mac-address 00:80:C8:11:33:00,00:80:C8:11:33:FF 

based-on relay-ip-address

This command is used to specify a rule for the DHCP address pool's only response for BOOTP forwarder or relay. Use the no form of the command to remove the rule from a DHCP address pool.

based-on relay-ip-address IP-ADDRESS

no based-on relay-ip-address IP-ADDRESS

Syntax Description

IP-ADDRESS Specifies the IP address of BOOTP forwarder for relay.

Default None

Command Mode DHCP pool configuration

Usage Guideline

An additional rule can be set for DHCP address pool for each relay IP address.

All of the DHCP IP address assignment rules take effect to the corresponding DHCP address pool. All of the based-on commands will be combined using logical AND operations with other rules set by all the other based-on commands.

Examples The following example sets a rule used for IP address assignment (DHCP IP address pool1) based on the Relay IP address.

switch(config)#ip dhcp pool pool1
switch(config-dhcp)#based-on relay-ip-address 10.1.1.254 

based-on s-vid

This command is used to specify the service provider vlan ID (S-VID) as a rule for IP address assignment from the DHCP address pool. Use the no form of the command to remove the S-VID rule from the DHCP address pool.

based-on s-vid V-ID [,|-]

no based-on s-vid V-ID [,|-]

Syntax Description

V-ID [,|-] Specifies the V-ID list.

Default None

Command Mode DHCP pool configuration

Usage Guideline

This command is used to create the address binding rule for the DHCP address pool. The based-on s-vid command creates the address binding rules in an incremental way. That is, all of S-VID created by based-on s-vid commands take effect on the corresponding DHCP address pools. However this command will be combined using logical AND operations with the other rules set by other based-on commands. For example if the first rule is based-on s-vid 100 and there is another based-on c-vid 200 command, then the address pool will only assign an IP address to the client with C-VID=200 and S-VID=100.

Examples

The following sets a rule used for IP address assignment based on S-VID 100 or 200 from the DHCP address pool1.

switch(config)#ip dhcp pool pool1
switch(config-dhcp)#based-on s-vid 100,200 

Below the rule becomes based on S-VID 100/200 and C-VID 1000.

switch(config-dhcp)#based-on c-vid 1000 

based-on vendor-class

This command is used to create an address binding rule for the DHCP address pool based on the vendor class. Use the no form of the command to delete the related rule setting.

based-on vendor-class {hex HEXADECIMAL |string STRING}

no based-on vendor-class {hex HEXADECIMAL |string STRING}

Default None

Command Mode DHCP pool configuration

Usage Guideline

This command is used to create the address binding rule for the DHCP address pool. One vendor class is allowed in one DHCP address pool. Use the no form of the command to remove the user-class rule.

For vendor classes, e.g. DHCP-requests from Windows 98SE/ME are sent with a vendor class of MSFT 98 and from Windows 2000/XP with a vendor class of MSFT 5.0. The received VendorClass-ID string is compared with the specified string. If the received string is longer than the specified string, then the excess characters are ignored. For example, specifying MSFT will match both Win98SE/ME and 2000/XP.

This command will be combined using logical AND operations with the other rules set by all the other based-on commands. For example if the first rule is based-on vendor-class string MSFT 5.0 and there is another based-on c-vid 200 command, the address pool only assigns an IP address to the client which has C-VID=200 and its vendor class set to MSFT 5.0.

Examples The following example sets the vendor class to match both Win98SE/ME and 2000/XP.

switch(config)#ip dhcp pool pool1
switch(config-dhcp)#based-on vendor-class string MSFT 

based-on user-class

This command is used so that DHCP administrators can define specific user class identifiers to convey information about a client's software configuration or about its user's preferences. Use the no form of the command to remove the related setting rule.

based-on user-class {hex HEXADECIMAL |string STRING}

no based-on user-class {hex HEXADECIMAL | string STRING}

Default None

Command Mode DHCP pool configuration

switch(config)#ip dhcp pool pool1 switch(config-dhcp)#based-on user-class string alpha

The following sets a rule used for IP address assignment based on the user class 0x8080 from DHCP address pool1.

switch(config)#ip dhcp pool pool1 switch(config-dhcp)#based-on user-class hex 0x8080

bgp always-compare-med

Use this command to compare the Multi-Exit Discriminator (MED) for paths from neighbors in different autonomous systems. Use the no bgp always-comparemed command to disallow the comparison.

bgp always-compare-med

no bgp always-compare-med

Syntax None

Default Disabled

Command Mode Router configuration

Usage Guideline

The MED, as stated in RFC 1771, is an optional nontransitive attribute that is a four octet non-negative integer. The value of this attribute may be used by the BGP best path selection process to discriminate among multiple exit points to a neighboring autonomous system.

The MED is one of the parameters that is considered when selecting the best path among many alternative paths. The path with a lower MED is preferred over a path with a higher MED. During the best-path selection process, MED comparison is done only among paths from the same autonomous system. The bgp always-compare-med command is used to change this behavior by enforcing MED comparisons between all paths, regardless of the autonomous system from which the paths are received.

The bgp deterministic-med command on page 49 can be configured to enforce a deterministic comparison of the MED value between all paths received from within the same autonomous system.

Example This example shows how to configure the comparison of the MED from alternative paths, regardless of the autonomous system from which the paths are received:

Switch(config)# router bgp 65534
Switch(config-router)# bgp always-compare-med 

bgp asnotation dot

Use this command to change the default display and regular expression match format of BGP 4-byte AS numbers from asplain (decimal values) to dot notation. Use the no form of the command to reset the default 4-byte autonomous system number display and regular expression match format to asplain.

bgp asnotation dot

no bgp asnotation dot

Syntax None

Default

BGP AS numbers are displayed using asplain (decimal value) format in screen output, and the default format for matching 4-byte autonomous system numbers in regular expressions is asplain.

Command Mode Router configuration

Usage Guideline

BGP AS numbers that were allocated to companies were 2-byte numbers in the range from 1 to 65535 as described in RFC 4271. Due to increased demand for AS numbers, the IANA will start, in January 2009, to allocate four-byte AS numbers in the range from 65536 to 4294967295. RFC 5396 documents three methods of representing autonomous system numbers. BGP has implemented the following two methods:

• Asplain-Decimal value notation where both 2-byte and 4-byte AS numbers are represented by their decimal value. For example, 65525 is a 2-byte AS number and 65545 is a 4-byte autonomous system number.
• Asdot-Autonomous system dot notation where 2-byte AS numbers are represented by their decimal value and 4-byte AS numbers are represented by a dot notation. For example, 65525 is a 2-byte autonomous system number and 1.10 is a 4-byte AS number (this is dot notation for the 65545 decimal number).

After the command is performed, the output is converted in order to format it. For some of the information which is learned prior, for example: routes, the AS notation format follows the previous format. Therefore, the clear ip bgp command on page 67 must be used to convert to the current format.

Example

This example (on the next page) shows how to configure asnotation and shows the difference using the command show ip bgp:

Switch # show ip bgp
BGP table version is 30, local router ID is 10.10.11.50
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete 

Network Next Hop Metric LocPrf Weight Path  
*> 192.0.1.0/24 10.10.71.100 0 0 65636 i  
*> 192.0.2.0/24 10.10.71.100 0 0 65636 {80} i 

Total Entries: 2 entries, 2 routes
Switch #config terminal
Switch(config)# router bgp 1.6553465636
Switch(config-router)# bgp asnotation dot
Switch(config-router)# end
Switch # clear ip bgp *
Switch # show ip bgp
BGP table version is 30, local router ID is 10.10.11.50
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale 

Origin codes: i - IGP, e - EGP, ? - incomplete 

Network Next Hop Metric LocPrf Weight Path  
*> 192.0.1.0/24 10.10.71.100 0 0 1.101 100 i  
*> 192.0.2.0/24 10.10.71.100 0 0 1.101 100 {80} i 

Total Entries: 2 entries, 2 routes
Switch # 

bgp bestpath as-path ignore

Use this command to ignore AS path as a factor in the selection of the best path. Use the no form of the command to restore the default behavior and configure BGP to consider the AS path during route selection.

bgp bestpath as-path ignore

no bgp bestpath as-path ignore

Syntax None

Default AS path is considered in the best path selection.

Command Mode Router configuration

Usage Guideline

The following are the rules used for the best path selection process.

1. If the next hop associated with the route is unreachable, then the route is 1. If the next hop associated with the route is unreachable, then the route is dropped.
2. The next choice is the route with the largest weight is selected.
3. If weight cannot make the determination, then the largest LOCAL_PREF is used to determine the preferred route.
4. If the preferred route can still not be determined, then the route with the shortest AS_PATH list is preferred.
5. If the preferred route can still not be determined, then lowest origin type is preferred.
6. If the preferred route can still not be determined, then the lowest MED is preferred.
7. If the preferred route can still not be determined, then eBGP is preferred over iBGP paths.
8. Always prefer the path with the lowest IGP metric to the BGP next hop.
9. Check to determine if multiple paths require installation in the routing table for BGP Multipath.
10. When both paths are external, always prefer the path that was received first (the oldest one).
11. Always prefer the route that comes from the BGP router with the lowest router ID.
12. If the originator or router ID is the same for multiple paths, prefer the path with the minimum cluster list length.
13. Always prefer the path that comes from the lowest neighbor address.

Use the commands, bgp bestpath as-path ignore, bgp bestpath compare-router-id or bgp default local-preference to customize the path selection process.

Example

This example shows how to configure to ignore the AS path as the best path for autonomous system 65534:

Switch(config)# router bgp 65534 Switch(config-router)# bgp bestpath as-path ignore

bgp bestpath compare-routerid

Use this command to compare router IDs for the best-path selection process when external BGP (eBGP) paths are identical. Use the no form of the command to disable this function.

bgp bestpath compare-routerid

no bgp bestpath compare-routerid

Syntax None

Default

BGP receives routes with identical eBGP paths from eBGP peers and selects the first route received as the best path.

Command Mode Router configuration

Usage Guideline

When comparing similar routes from peers the BGP router does not consider the router ID of the routes. By default, it selects the first received route. Use this command to include the router ID in the selection process. When enabled, similar routes are compared and the route with the lowest router ID is selected. Unless manually defined, the router ID is the highest IP address on the router, with preference given to loopback addresses. Router ID can be manually set by using the bgp router-id command on page 52.

Example This example shows how to configure to compare the router-ids of identical eBGP paths for autonomous system 65534:

Switch(config)# router bgp 65534
Switch(config-router)# bgp bestpath compare-routerid 

bgp default ipv4-unicast

Use this command to enable the IP version 4 (IPv4) unicast address family for all neighbors. This affects the BGP global configuration. Use the no form of the command to disable this function.

bgp default ipv4-unicast

no bgp default ipv4-unicast

Syntax None

Default bgp default ipv4-unicast

Command Mode Router configuration

Usage Guideline

The bgp default ipv4-unicast command is used to enable the automatic exchange of IPv4 address family prefixes.

Example

This example shows how to configure BGP defaults and activate ipv4-unicast of a peer by default for autonomous system 65534:

Switch(config)# router bgp 65534
Switch(config-router)# bgp default ipv4-unicast 

bgp default local-preference

Use this command to change the default local preference value. To return the local preference value to the default setting, use the no form of this command.

bgp default local-preference NUMBER

no bgp default local-preference

Syntax Description

NUMBER Range of local preference is 0 to 4294967295. A higher number is preferred to a lower number in the comparison.

Default NUMBER: 100

Command Mode Router configuration.

Usage Guideline

The local preference attribute is a discretionary attribute that is used to apply a degree of preference to a route during the BGP best path selection process.

This attribute is exchanged only between iBGP peers and used to determine local policy. The route with the highest local preference becomes the preferred route.

Example

This example shows how to configure default value of the local preference to 200 for autonomous system 65534:

Switch(config)# router bgp 65534
Switch(config-router)# bgp default local-preference 200 

Verify the settings by entering show ip protocols bgp command.

bgp deterministic-med

Use this command to include the Multi Exit Discriminator (MED) value for comparison of the best path selection between all paths received from the same autonomous system. Use the no form of the command to prevent BGP from considering the MED attribute in path comparison.

bgp deterministic-med

no bgp deterministic-med

Syntax None

Default The default value is disabled.

Command Mode Router configuration

Usage Guideline

The bgp always-compare-med command on page 41 is used to enable the comparison of the MED value for paths from neighbors in different autonomous systems. After the bgp always-compare-med is enabled, all paths for the same prefix that are received from different neighbors in the same autonomous system, will be grouped together and sorted by the ascending MED value (received-only paths are ignored and not grouped or sorted).

The best path selection algorithm then picks the best paths using the existing rules; the comparison is first made on a per neighbor autonomous system basis and then on a global basis. The grouping and sorting of paths occurs immediately after this command is entered. For correct results, all routers in the local autonomous system must have this command enabled (or disabled).

The bgp deterministic-med command is used to enforce deterministic comparison of the MED value between all paths received from within the same autonomous system. When enabled, the result of the selection algorithm is the same regardless of the order in which the paths are received on the local router.

Example

This example shows how to configure to enable comparison of MED values for autonomous system 65534:

Switch(config)# router bgp 65534
Switch(config-router)# bgp deterministic-med 

bgp enforce-first-as

Use this command to enforce the first AS for the eBGP routes. To disable this feature, use the no form of this command.

bgp enforce-first-as

no bgp enforce-first-as

Syntax None

Default Disabled

Command Mode Router configuration.

Usage Guideline

This command specifies that any updates received from an external neighbor that do not have the neighbor's configured Autonomous System (AS), at the beginning of the AS path, in the received update must be denied. Enabling this feature adds to the security of the BGP network by not allowing traffic from unauthorized systems.

Example This example shows how to enable the security of the BGP network for autonomous system 65534. All incoming updates from eBGP peers are examined to ensure that the first AS number in the AS path is the local AS number of the transmitting peer:

Switch(config)# router bgp 65534
Switch(config-router)# bgp enforce-first-as 

bgp log-neighbor-changes

Use the bgp log-neighbor-changes command to enable logging of BGP neighbor resets. Use no bgp log-neighbor-changes to disable the logging.

bgp log-neighbor-changes

no bgp log-neighbor-changes

Syntax None

Default Disabled.

Command Mode Router configuration.

Usage Guideline

This command enables logging of both BGP resets and alternating status changes to use for troubleshooting purposes.

Unexpected neighbor resets might indicate high error rates or high packet loss in the network and should be investigated.

The neighbor status change messages are not tracked if the bgp log-neighbor-changes command is not enabled. The exception to this is for a reset reason, which is always available as output of the show ip bgp neighbors and show bgp ipv6 neighbors commands.

The logs for BGP neighbor changes will display on the console.

Example This example shows how to enable logging of BGP neighbor changes for autonomous system 65534:

Switch(config)# router bgp 65534
Switch(config-router)# bgp log-neighbor-changes 

Use the show logging buffer command to display the log for the BGP neighbor changes.

bgp router-id

Use this command to configure a fixed router ID for the Border Gateway Protocol (BGP) routing process. Use the no form of this command to remove the fixed router ID from the running configuration file.

bgp router-id IP-ADDRESS

no bgp router-id [IP-ADDRESS]

Default The router ID is set to the highest IP address on a physical interface.

Command Mode Router configuration

Address family configuration

Example This example shows how to change the router ID with 192.168.1.1

Switch(config)# router bgp 65100
Switch(config-router)# bgp router-id 192.168.1.1 

boot config

Use this command to specify the file that will be used as the configuration file for the next boot up.

boot config [check] MEDIUM: URL

no boot config

Default Default configuration file is def_usr.conf

Command Mode Global configuration

Usage Guideline

The boot config command specifies the file system and file name of the configuration file to use for initialization (startup). The configuration file must be an ASCII file located in the specified file system.

The command takes affect immediately and will be kept in NVRAM.

In the following situations the boot configuration does not update and an error message is displayed:

• A configuration file is specified where the filename argument does not exist or is not valid causing the boot configuration to not update and an error message to be displayed.
• During initialization, the factory default configuration is used when the boot config setting does not exist or when it is null (such as at a first-time start-up). If the software detects a problem with the boot config file, the device uses the factory default configuration for system boot up.
• When using the no form of this command, the boot configuration resets to the default configuration

Use the show boot command to view the contents of the boot config configuration file.

Initially, a system file is used as the factory default configuration.

The specified URL must be represented by an absolute path. It cannot be represented by a relative path.

Examples

The following example shows how to specify the file switch-config as the startup configuration file:

Switch# configure terminal
Switch(config)# boot config flash:\switch-config
Switch(config)# end

Verify the settings by entering the show boot command.

The following example shows the result of specifying the incorrectly formed file yyy-config as the startup configuration file.

Switch# configure terminal
Switch(config)# boot config flash:\yyy-config.exe
Illegal configuration file
Switch(config)# end 

bootfile

This command is used to specify the name of the default boot image for a Dynamic Host Configuration Protocol (DHCP) client. To delete the boot image name, use the no form of the command.

boofile URL

no bootfile

Syntax Description

URL Specifies the path name and file name of the file that is used as a boot image. The maximum allowed string length is 127 characters

Default None

Command Mode DHCP pool configuration

Usage Guideline

Use this command to specify the name of the default boot image for a Dynamic Host Configuration Protocol (DHCP) client. The boot image can be located in the same DHCP server or other network servers.

Examples

The following example specifies mdubootfile as the name of the boot file for DHCP pool1.

switch > enable
switch# configure terminal
switch(config)# ip dhcp pool pool1
switch(config-dhcp)# bootfile \dgs-6600\bootimage\mdubootfile.bin
switch(config-dhcp)# 

boot image

Use this command to specify the file used as the image file for the next boot.

boot image [ check ] MEDIUM: URL

Default None

Command Mode Global configuration

Usage Guideline This command is only available at privilege level 15.

The boot image command specifies the boot image file to be used for the next start up. Upon start up, the previous boot image becomes the secondary boot up image file.

There can be up to three boot image files in the list with the secondary position and tertiary position used as backup boot image files in sequence.

When this command is used to assign a file as the next-boot image file, the system will check the checksum and model to determine whether the file is a correct image file.

The specified URL must be represented by the absolute path. It cannot be represented by the relative path. Spaces are not allowed in either directory or file names of the absolute path as they will cause load failure of the boot image.

The check keyword option allows the user to check a new image file format to verify whether it is suitable to be a boot image or not. The option verifies and displays information such as the file name/content, version number, time stamp (it any), checksum, file size, etc.. The check option compares the information with that in the current boot image file.

If the storage media for the specified URL (filename) does not exist, an error message is displayed with the notification of the URL error.

Switch# configure terminal
Switch(config)#boot image flash:\images\switch_image1.had
Checking image at local flash:\images\switch_image1.had ... Done.
Update bootlist .... Done.

Success 

Verify the settings by entering the show boot command.

channel-group

Use the channel-group command to assign an interface to a channel group.

Use no channel-group to remove an interface from a channel-group.

channel-group CHANNEL-NO mode { on| active| passive }

no channel-group

Default None

Command Mode Interface configuration

- In order to be a member of the LACP channel-group, the member ports must have the same speed setting. LACP will not prevent the user configuration if these ports have difference speed setting in the same channel group. LACP protocol behavior will choose the members that have the same speed to for the link aggregation.

Example

This example shows how to configure a channel group. It assigns the eth3.4 to 3.5 to port-channel 3 with the LACP mode active.

Switch(config)# interface range eth3.4-3.5
Switch(config-if)# channel-group 3 mode active 

Verify the settings by entering the show channel-group command

class

Use this command to specify the name of the class map in order to define its traffic policy and enter into policy-map class configuration mode. Use the no form of the command to remove the policy definition for the specified class. All the traffic that does not match any defined class will be classified to default class, class-default.

class NAME

no class NAME

class class-default

Syntax Description

Default None

Command Mode Policy-map configuration

Usage Guideline

The class map needs to be created before the policy can be configured for it. A class-map without any match commands cannot be configured as a class policy.

This command enters the policy-map class configuration mode. The user can use the set command and police command to define the QoS policy for the class.

class-default is the reserved name for the default class. All the traffic that does not match any defined class will be classified to class-default.

Examples
This example shows how to define a policy map, policy1 which defines policies for class, class-dscp-red. The packet that matches DSCP 10, 12, or 14 will be set to new DSCP 10 and policed by a single rate policer.

Switch(config)# class-map class-dscp-red
Switch(config-cmap)# match ip dscp 10,12,14
Switch(config-cmap)# exit
Switch(config)# policy-map policy1
Switch(config-pmap)# class class-dscp-red
Switch(config-pmap-c)# set ip dscp 10
Switch(config-pmap-c)# police 64 128 exceed-action set-dscp-transmit 0
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit

Verify the settings by entering the show policy-map command.

class-map

To create a class map to be used for matching packets to a specified class, use the class-map command. To remove an existing class map from the switch, use the no form of this command. The class-map command enters the class-map configuration mode in which multiple issues of the match command on page 308 can be entered to configure the match criteria for this class.

class-map [ match-any] NAME

no class-map NAME

Syntax Description

Default Only the class-default exists by default.

All traffic that does not match any defined class will be classified to class-default.

Command Mode Global configuration

Usage Guideline

Use the class-map command to specify the class that will create or modify the match criteria. This command enters class-map configuration mode where match commands are entered to configure the match criteria for this class. Packets that arrive at the ingress port are checked against the match criteria for a class map to determine if the packets belong to that class.

When configuring a class map, use one or more match commands to specify multiple match criteria. For example, use the match access-list command, the match protocol command, the match vlan command, the match dscp command, the match precedence command or the match cos command.

When configuring multiple match commands for a class, use the match-any keyword to specify whether to evaluate the multiple match criteria based on using logical OR.

A maximum of 256 class maps are allowed.

The name class-default is reserved.

Example

The following example (on the next page) specifies class_home_user as the name of a class map. In this class map, a match statement specifies that the

traffic that matches the access control list acl_home_user or match ipv6 protocol will be included in class_home_user.

Switch(config)# class-map match-any class_home_user
Switch(config-cmap)# match access-list acl_home_user
Switch(config-cmap)# match protocol ipv6
Switch(config-cmap)# exit
Switch(config)# 

Verify the settings by entering the show class-map command.

clear arp-cache

To remove dynamically created entries from the Address Resolution Protocol (ARP) cache, use the clear arp-cache command in Privileged EXEC mode.

clear arp-cache [interface INTERFACE-ID | IP-ADDRESS]

Default None

Command Mode Privileged EXEC

Usage Guideline This command is used to delete dynamic entries from the ARP cache. The user can select to delete all dynamic entries, specific dynamic entries, or dynamic entries that are associated with a specific IP interface.

Example This example shows how to remove all dynamic entries from the ARP cache.

Switch#clear arp-cache

clear counters

Use the command to clear counters for a specific port interface or all port interfaces.

clear counters [INTERFACE-ID [, | - ]]

Default None

Command Mode Privileged EXEC

Usage Guideline For now, only physical port counters are provided.

Examples This example shows how to clear counters of interface eth3.10.

Switch# clear counters eth3.10
Switch# 

The following example will clear all of physical ports' statistic counters.

Switch# clear counters
Switch# 

The following example will clear eth 3.1-3.24 physical port s' statistic counters.

Switch# clear counters eth3.1-3.24
Switch# 

clear dos prevention counter

Use this command to clear the counter of all attack types.

clear dos_prevention counter

Syntax None

Default None

Command Mode Global configuration.

Usage Guideline Use to reset counters of DoS prevention to zero.

Examples This example shows how to clear counters.

Switch(config)# clear dos_prevention counter
Switch(config)# 

Below is an example of using the show dos_prevention command to display the DoS frame counts:

Switch(config)#show dos_prevention
DoS Prevention Information
Action: Drop
Mirror Dst Port: Mirror Not Enable
Frame Counts: 242 

DoS Type State 

Land Attack Enabled
Blat Attack Enabled
Smurf Attack Enabled
TCP Null Enabled
TCP Xmas Enabled
TCP SYNFIN Enabled
TCP SYN SrcPort Less Than 1024 Enabled 

clear gvrp statistics interface

Use the clear gvrp statistics command to clear the statistics of a single port, a range of ports or all gvrp ports.

clear gvrp statistics [ interface INTERFACE-ID [, | -] ]

Default None

Command Mode Privileged EXEC

Usage Guideline This command clears the GVRP counters. If the interface-ID is not specified all GVRP counters for all interfaces will be cleared.

Example This example shows how to clear the GVRP statistics on all interfaces.

Switch# clear gvrp statistics
Switch# 

clear ip bgp

To reset BGP connections using hard or soft reconfiguration, use the clear ip bgp command.

clear ip bgp { * | AUTONOMOUS-SYSTEM-NUMBER | NEIGHBOR-ADDRESS} [ soft ] [ in | out ]

Default None

Command Mode Privileged EXEC

Usage Guideline

Use of the clear ip bgp command allows a reset of the neighbor sessions with varying degrees of severity, depending on the specified keywords and arguments.

Use the * keyword to reset all neighbor sessions. The software will clear and then reset the neighbor connections. Use this form of the command in the following situations:

• Modifying the BGP timer specification
• Modifying the BGP administrative distances

Use the soft and out keywords to clear and reset only the outbound neighbor connections. Inbound neighbor sessions will not be reset. Use this form of the command in the following situations:

• Additions or modifications are made to the BGP-related access lists
• Modifying the BGP-related weights
• Modifying the BGP-related distribution lists
• Modifying the BGP-related route maps

Use the in keyword to clear only the inbound neighbor connections. Outbound neighbor sessions will not be reset. Use this form of the command in the following situations:

• Modifying the BGP-related weights
• Modifying the BGP-related distribution lists
• Modifying the BGP-related route maps

- Additions or modifications to BGP-related access lists.

If inbound routing tables are reset, all BGP routers must support route refresh capability (RFC 2918).

Example In the following example, the BGP session is reset for BGP neighbor 172.5.78.12:

Switch# clear ip bgp 172.5.78.12
Switch# 

clear ip bgp peer-group

To reset BGP connections using hard or soft reconfiguration for all the members of a BGP peer group, use the clear ip bgp peer-group command.

Without Address Family Syntax

clear ip bgp peer-group PEER-GROUP-NAME [soft] [in | out]

Default None

Command Mode Privileged EXEC

Usage Guideline

The clear ip bgp peer-group command is used to initiate a hard reset or soft reconfiguration for neighbor sessions of BGP peer groups. A hard reset tears down and rebuilds the specified peering sessions and rebuilds the BGP routing tables. A soft reconfiguration uses stored prefix information to reconfigure and activate BGP routing tables without tearing down existing peering sessions.

Soft reconfiguration uses stored update information, at the cost of additional memory for storing the updates, to allow application of a new BGP policy without disrupting the network. Soft reconfiguration can be configured for inbound or outbound sessions.

Use this command whenever any of the following changes occur:

• Modifications to BGP-related weights
• Modifications to BGP-related distribution lists
• Modifications to BGP-related route maps

- Additions or modifications to the BGP-related access lists

The route refresh capability, as defined in RFC 2918, allows the local router to reset inbound routing tables dynamically by exchanging route refresh requests to supporting peers. The route refresh capability does not store update information locally for nondisruptive policy changes. It instead relies on dynamic exchange with supporting peers. Route refresh is advertised through BGP capability negotiation. All BGP routers must support the route refresh capability.

To determine if a BGP router supports this capability, use the show ip bgp neighbors command on page 459 command. The following message is displayed in the output when the router supports the route refresh capability:

Received route refresh capability from peer

If all BGP routers support the route refresh capability, use the clear ip bgp peer-group command with the in keyword. It is not necessary to use the soft keyword, because soft reset is automatically assumed when the route refresh capability is supported.

Examples

In the following example, all members of the BGP peer group named INTERNAL are reset:

Switch# clear ip bgp peer-group INTERNAL
Switch# 

In the following example, a soft reconfiguration is initiated for the inbound session with members of the peer group INTERNAL, and the outbound session is unaffected:

Switch# clear ip bgp peer-group INTERNAL soft in Switch# 

clear ip dhcp binding

Use this command to delete an address binding from the DHCP Server database.

clear ip dhcp binding [pool NAME] [ADDRESS]

Default None

Command Mode Privileged EXEC

Usage Guideline

Use this command to delete the address of the binding. The address denotes the assigned client's IP address. If no IP address is specified, DHCP server clears all bindings.

Note the following behavior for the clear ip dhcp binding command:

• If the pool NAME option is not specified and an IP ADDRESS is specified, it is assumed that the IP address is an address in the global address space and the command will parse all the DHCP pools for the specified binding.
• If both the pool NAME option and the ADDRESS option are not specified, it is assumed that all bindings in all pools are to be deleted.
• If the pool NAME option is specified without the ADDRESS option being specified, then all the bindings in the specified pool will only be cleared.
• If the pool NAME option and an IP ADDRESS is specified, the specified binding will be deleted from the specified pool.

Examples The following example deletes the address binding 10.12.1.99 from DHCP server database:

swtich# clear ip dhcp binding 10.12.1.99
swtich# 

The following example deletes all bindings from all pools:

switch# clear ip dhcp binding 

The following example deletes address binding 10.13.2.99 from the address pool named pool2:

switch# clear ip dhcp pool pool2 binding 10.13.2.99
switch# 

Verify the settings by entering the show ip dhcp binding command.

clear ip dhcp conflict

Use this command to clear an address conflict from the DHCP server database.

clear ip dhcp conflict [pool NAME] [ADDRESS]

Syntax Description

Default None

Command Mode Privileged EXEC

Usage Guideline

Use this command to delete the address in conflict. The DHCP server detects the conflict of an IP address by using a ping session. If no IP address is specified, DHCP server clears all known IP addresses that are in conflict.

The server detects conflicts using a ping session. The client detects conflicts using gratuitous Address Resolution Protocol (ARP).

Note the following behavior for the clear ip dhcp conflict command:

• If the pool NAME option is not specified and an IP ADDRESS is specified, the system parses all the DHCP pools for the address of the specified conflict.
• If the pool NAME option is not specified and no IP ADDRESS is specified, then the system deletes all address conflicts from all DHCP pools.
• If the pool NAME option is specified but no IP ADDRESS is specified, then all conflicts in the specified pool will only be cleared.
• If both the pool NAME option and an IP ADDRESS are specified, the specified address conflict will be deleted from the specified pool.

Examples

The following example shows an address conflict of 10.12.1.99 being deleted from the DHCP server database

switch# clear ip dhcp conflict 10.12.1.99
switch# 

The following example deletes all the address conflicts from the entire DHCP server database.

switch#clear ip dhcp conflict
switch# 

The following example deletes all the address conflicts from the address pool named pool1:

switch#clear ip dhcp conflict pool pool1
switch# 

clear ip dhcp server statistics

Use this command to reset all Dynamic Host Configuration Protocol (DHCP) server counters.

clear ip dhcp server statistics

Syntax None

Default None

Command Mode Privileged EXEC

Usage Guideline

This command clears all of the DHCP statistic counters. That is all of counters will be initialized, or set to zero.

Example The following example resets all DHCP counters to zero.

switch# clear ip dhcp server statistics
switch# 

clear ip ospf

Use this command to restart the OSPF process.

clear ip ospf

Syntax None

Default None

Command Mode Privileged EXEC

Usage Guideline

This command is used to restart the OSPF routing process. The following is a situation where this command can be used:

- When a new route-ID is configured, it will not take effect until next time the switch h is booted. When the OSPF process is restarted by this command, the new router-ID will take effect immediately without having to reboot the switch.

Example This example shows how to restart all of OSPF processes

Switch>enable
Switch# clear ip ospf 

clear ipv6 dhcp client

This command is used to restart the DHCPv6 client on an interface.

clear ipv6 dhcp client INTERFACE-NAME

Default None

Command Mode Privileged EXEC

Switch > enable
Switch # clear ipv6 dhcp client vlan1
Success.
Switch # 

clear ipv6 neighbors

This command is used to clear the IPv6 neighbor information.

clear ipv6 neighbors [IFNAME]

Syntax None

Default None

Command Mode Privileged EXEC

Usage Guideline The command clear ipv6 neighbors will only clear dynamic entries.

Example This example shows how to clear instances of IPv6 neighbors:

Switch > enable
Switch # clear ipv6 neighbors vlan1
Switch # 

clear ipv6 ospf process

To restart the state of IPv6 OSPF, use the clear ipv6 ospf process command.

clear ipv6 ospf [PROCESS-ID] process

Syntax Description

PROCESS-ID (Optional) Internally used identification parameter for an IPv6 OSPF routing process. It is locally assigned and can be any positive integer. A unique value is assigned for each IPv6 OSPF routing process.

Default None

Command Mode User EXEC

Usage Guideline

When the clear ipv6 ospf process command is used, the IPv6 OSPF database is cleared and repopulated. Once the database is cleared and repopulated the SPF algorithm will be performed.

Use the PROCESS-ID option to clear only one IPv6 OSPF process. If the PROCESS-ID option is not specified, all IPv6 OSPF processes are cleared.

Example The following example restarts the SPF algorithm by clearing the IPv6 OSPF processes from the database.

Switch > enable
Switch # clear ipv6 ospf process 

clear ipv6 rip

To delete routes from the IPv6 RIP routing table, use the clear ipv6 rip command.

clear ipv6 rip

Syntax None

Default None

Command Mode Privileged EXEC

Usage Guideline All IPv6 RIP routes are deleted.

Examples The following example deletes all the IPv6 routes for the RIP process.

Switch > enable
Switch # clear ipv6 rip 

clear logging

Use this command to clear log messages from the system logging buffer.

clear logging

Syntax None

Default None

Command Mode Privileged EXEC

Usage Guideline Use this command to clear log messages from the logging buffer.

Example The following example to show how to clear log messages in buffer.

Switch# enable
Switch# clear logging
Switch# 

clear mac address-table

Use the clear mac address-table command to delete from the MAC address table:

• specific dynamic address,
• all dynamic addresses on a particular interface,
• all dynamic addresses,
  • or all dynamic addresses on a particular VLAN.

clear mac address-table { dynamic [ address MAC-ADDR | interface INTERFACE-ID | vlan VLAN-ID ] }

Default None

Command Mode Privileged EXEC

Switch# clear mac address-table dynamic address 00:08:00:70:00:07

Verify the information was deleted by entering the show mac address-table command.

clear port-security

To delete all of the secured MAC addresses, except for manually configured secured MAC addresses, from the MAC address table, use the clear port-security command.

clear port-security [{address MAC-ADDR} | {interface INTEFACE-ID}] [vlan VLAN-ID]

Default None

Command Mode Privileged EXEC

Usage Guideline

This command clears secure MAC address that are auto-learned only and not manually configured MAC addresses.

If the clear port-security command is entered without adding any keywords or arguments, the switch removes all the secure MAC addresses from the MAC address table.

If the clear port-security interface INTERFACE-ID command is entered, all the secure MAC addresses auto-learned on the specified interface are removed from the MAC address table.

Example This example shows how to remove a specific secure address from the MAC address table:

Switch# clear port-security address 0080.0070.0007
Switch# 

This example shows how to remove all the secure MAC addresses auto-learned on a specific interface:

Switch# clear port-security interface eth3.1 

clear running-config factory-defaults

Use this command to clear the system's running configuration.

clear running-config factory-defaults

Syntax None

Command Mode Privileged EXEC at level 15

Usage Guideline

The user can enter the clear running-config factory-defaults command to clear the system configuration retained in Dynamic RAM.

Before using the clear running-config factory-defaults command, save a backup of the configuration using the copy command or upload a configuration profile into the system. When the clear running-config factory-defaults command is entered, the system resets the running configuration with the factory default settings.

Since the command clears all of system configuration settings including IP parameters, any remote management applications will lose their connections. Therefore, before proceeding, a confirmation should be applied. In addition, it is suggested to reload a configuration file immediately after clearing the configuration.

The clear running-config command clears all system configuration settings including the MGMT-IP address which is set back to the factory default of 10.90.90.90/8.

Example

The following example demonstrates how to clear system running configuration.

Switch# clear running-config factory-defaults
...
Switch# 

clear spanning-tree detected-protocols

To restart the protocol migration, use the clear spanning-tree detected-protocol command.

clear spanning-tree detected-protocols [interface INTERFACE-ID]

Default None

Command Mode Privileged EXEC.

Usage Guideline

This configuration is only effective for RSTP version or MSTP mode. By issuing the command the port protocol migrating state machine will be forced to SEND_RSTP state. This action can be used to test whether all legacy bridges on a given LAN have been removed. If there is no STP Bridge on the LAN, the port will operate in the configured mode, either in RSTP or MSTP mode. Otherwise, the port will operate in STP mode.

RSTP and MST have built-in compatibility mechanisms that allow them to interact properly with other versions of IEEE spanning tree or other regions. For example, a bridge running RSTP can send 802.1D BPDUs on one of its ports when it is connected to a legacy bridge. An MST bridge can detect that a port is at the boundary of a region when it receives a legacy BPDU or an MST BPDU that is associated with a different region. These mechanisms are not always able to revert to the most efficient mode. For example, an RSTP bridge that is designated for a legacy 802.1D stays in 802.1D mode even after the legacy bridge has been removed from the link. Similarly, an MST port assumes that it is a boundary port when the bridges which it is connected to have joined the same region. To force the MST port to renegotiate with the neighbors, enter the clear spanning-tree detected-protocol command.

Entering the clear spanning-tree detected-protocol command with no arguments, applies the command to every port of the switch.

Example

This example shows how to trigger the protocol migration event for all ports:

Switch# clear spanning-tree detected-protocols

clear vlan-tunnel ctag-mapping dynamic

Use this command to clear all dynamically learned mappings between customer VLAN tags and source IPs.

clear vlan-tunnel ctag-mapping dynamic

Syntax None

Default None

Command Mode User EXEC

Usage Guideline

This command is used to clear all dynamically learned mappings between a customer VLAN tag and source IP in the switch software. When the setting of a VLAN tunnel is changed, as for example its interface-type or TPID, then the new setting could for example cause the system to send out control packets with the wrong customer VLAN tag. In this situation, use this command to clear the incorrect dynamically learned mapping entries to re-learn the correct customer VLAN tag mapping with the source IP.

Examples This example shows how to clear all dynamically learned customer VLAN tag mappings.

Switch# clear vlan-tunnel ctag-mapping dynamic
Switch# 

clock set

Use this command to manually set the system clock.

clock set HH:MM:SS DAY MONTH YEAR

Syntax Description

Default Hardware Generated - 00:00:00 01 January 1993

Command Mode Privileged EXEC at Privilege level 15

Usage Guideline

Generally, if the system is synchronized by a valid outside timing mechanism, such as SNTP, it is not necessary to set the clock manually. Use this command if no other time sources are available. Use the clock timezone command on page 90 to configure the timezone applied to the clock settings. The clock configured by this command will be applied to RTC if it is available. The configured clock will not be stored in the configuration file.

If the clock is manually set and the SNTP server is configured, the system will still try to sync the clock with the server. If time sync is successful, the SNTP server set time replaces the manually set time.

If the SNTP state changes from enabled to disabled, the system clock continues operations but no longer attempts to sync time with the server.

Example
The following example shows how to manually set the software clock to 6:00 p.m. on Aug 22, 2010:

Switch# clock set 18:00:00 22 Aug 2010
Switch# 

Verify the settings by entering the show clock privileged EXEC command.

clock summer-time

Use one of the optional keyword formats of the clock summer-time command to configure the system time to automatically set the seasonal time adjustment (daylight saving time). To disable automatic seasonal time adjustment, use the no form of this command.

clock summer-time recurring WEEK DAY MONTH HH:MM WEEK DAY MONTH HH:MM [OFFSET]

clock summer-time date DATE MONTH HH:MM DATE MONTH HH:MM [OFFSET]

no clock summer-time

Default Disabled

OFFSET: 60

Command Mode Global configuration

Usage Guideline

Use this command to automatically make seasonal time changes for the system clock.

The recurring mode is used to make time adjustment to begin and end on a specified week day, week and month. Use the date mode to make the time change begin and end on specified calendar dates. The syntax for both modes uses the first portion of the parameter to express the beginning of the time adjustment period while the ending of the period is expressed in the second portion.

Example

The following example shows how to specify that summer time starts on the first Sunday in April at 2 a.m. and ends on the last Sunday in October at 2 a.m:

Switch# configure terminal
Switch(config)# clock summer-time recurring 1 sun April 2:00 last sun October 2:00
Switch(config)# end 

Verify the settings by entering the show clock command.

clock timezone

Use the command to set the time zone for display purpose. To set the time to Coordinated Universal Time (UTC), use the no form of this command.

clock timezone {+|-} HOURS-OFFSET [MINUTES-OFFSET]

no clock timezone

Syntax Description

+|- '+' means time to be added to the UTC; '-' means time to be subtracted from the UTC.

HOURS-OFFSET Hours difference from UTC.

MINUTES-OFFSET (Optional) Minutes difference from UTC.

Default UTC

Command Mode Global configuration

Usage Guideline

The time obtained by SNTP server refers to the UTC time. The local time will be calculated based on UTC time, time zone, and the daylight saving configuration.

Example

The following example shows how to set the time zone to Pacific Standard Time (PST), which is 8 hours ahead of UTC:

Switch# configure terminal
Switch(config)# clock timezone - 8
Switch(config)# end 

Verify the settings by entering the show clock command.

color-aware

Use the color-aware command to specify the color aware mode for a class. Use the no form of the command to set the class to color blind mode.

color-aware

no color-aware

Syntax None

Default color-blind mode

Command Mode Policy-map class configuration

Usage Guideline

The color-aware command specifies that the configured policer for the traffic class will operate in color aware mode. In color aware mode, the initial color of the packet and the policer metering result determines the final color. The initial color of the packet is mapped from the incoming DSCP based on the DSCP to color map if the receiving port trusts DSCP. If the receiving port trusts CoS, then the initial color is mapped from the incoming CoS based on the CoS to color map

If the configured policer operates in color blind mode, then the policer metering result determines the final color.

Examples

The following example creates the policy map pcolor-map1 and configures the policy of running color aware mode and two rate policing for the class1 class in the policy map.

Switch(config)# policy-map pcolor-map1
Switch(config-pmap)# class class1
Switch(config-pmap-c)# color-aware
Switch(config-pmap-c)# police cir 500000 bc 10000 pir 1000000 be 10000 exceed-action set-dscp-transmit 2 violate-action drop
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit

The following example attach the pcolor-map1 policy map to eth3.1 and sets the port to trust CoS and defines the CoS to color map.

Switch(config)# interface eth3.1
Swtich (config-if)# service-policy pcolor-map1
Swtich (config-if)# qos trust cos
Swtich (config-if)# qos map cos-color 1-7 to green
Swtich (config-if)# exit 

Verify the settings by entering the show policy-map command.

command prompt

Use this command to change the device cli prompt to, for example: the product name, system name, or other user-defined strings. The command can also specify whether to display the current privilege level in the prompt.

command prompt [level | no-level] [string STRING | product-name | system-name]

Default product-name with privilege level

Command Mode Privileged EXEC

Examples This example shows how to change the prompt to use the system name.

DGS-6600:15# command prompt system-name switch:15# 

The following example shows how to set the command prompt back to default setting: (product name and privilege level).

switch:15# command prompt
DGS-6600:15# 

The following example shows how to hide the privilege information from the console prompt.

DGS-6600:15# command prompt no-level
DGS-6600# 

This example shows define alpha as the console prompt.

DGS-6600:15# command prompt level string alpha alpha:15# 

configure terminal

Use this command to enter the global configuration mode

configure terminal

Syntax None

Default None

Command Mode Privileged EXEC

Usage Guideline

Entering into the configuration mode allows configuration settings of the switch to be entered or modified i.e. performing switch configuration.

Example This example shows how to enter into the configuration mode:

Switch#configure terminal
Switch(config)#

copy

Use the copy command to copy a image, log or configuration file from a remote or local source to a local or remote destination file.

copy SOURCE-URL DESTINATION-URL

copy SOURCE-URL tftp:\ IP-ADDRESS DIRECTORY FILENAME

copy tftp:\ IP-ADDRESS \ [ DIRECTORY \ ] FILENAME DESTINATION-URL

Syntax Description

DESTINATION-URL Specifies the destination URL as the target for the copied file.

The URL has two forms. One of them is represented by keyword. For the second form, it is prefixed by media. The acceptable media are flash:\, cf1:.

Flash:\ refers to system internal on-board FLASH memory

cf1:\ represents the first opened slot compact FLASH memory.

The destination can be either local or remote. When downloading the destination is target is the local file system. When uploading the destination is on a remote server.

When running-config is specified as the DESTINATION-URL, it will write the source file contents as the running configuration.

When startup-config is specified as DESTINATION-URL, the source file contents will be saved as the next-boot configuration. It will save into the current configuration file in NVRAM and the file name will be maintained as the file name specified with boot config command.

IP-ADDRESS\ The IP address of TFTP server.

DIRECTORY\ The directory name of the source or destination file in TFTP server.

Default None

Command Mode Privileged EXEC

Level 15 for configuration copy.

Usage Guideline

The copy command (when the source/destination URL is running-config, startupconfig is only available at privilege level 15.

Use this command to download or upload the image file or the configuration file between remote TFTP server and the local file system. Also use this command to upload system log to TFTP server.

The copy SOURCE-URL DESTINATION-URL command is used to copy file from system flash to compact flash or vice versa.

To upload the running configuration or save the running-configuration to startup configuration, specify running-config as the SOURCE-URL. To save it to the startup config, specifies startup-config as the DESTINATION-URL.

Notice: If the destination is the startup-config file, the source file is directly copied to the file specified in boot config command. This means the original startup-config file is overwritten by the running configuration.

To apply a configuration file to the running configuration, specify running-config as the DESTINATION-URL.

Notice: If the source is a system-log and the destination is a file, the current system log information is saved to NVRAM with the specified name. Be aware that any copy running-config action does not imply any system log copy or saving action.

To represent a file in the remote TFTP server, the URL must be prefixed with tftp:.

If the SOURCE-URL or DESTINATION-URL is a tftp server, it uses switch port to connect the network under execution mode. Under management mode It uses the management port to connect the network.

In this chassis based switch, the runtime image also contains the operational code for the line cards. The operational code is automatically synced to the line card during the boot-up procedure.

Any file to be downloaded (or copied) to the directory to be an image file in the system's flash or downloaded (or copied) to be the startup-image will be checked and verified whether it is an image file with a correct checksum and model ID.

Any file to be downloaded (or copied) as the startup-config or the running-config will be checked and verified whether it is a configuraiton file or not (the boot config command will also check whether it is a configuraiton file or not first).

Examples

This example shows how to configure the switch (running configuration) to use a configuration (switch-config.txt) that is download from a TFTP server(10.1.1.254).

Switch# copy tftp:\10.1.1.254\config\switch-config.txt running-config
Configure using 10.1.1.254\config\switch-config.txt (y/n) [n]? y
Finished network download. (134 bytes)
Apply to system configuration... Completed.
Switch# 

This example shows how to upload (retrieve) the running configuration to a TFTP server for storage:

Switch# copy running-config tftp:\10.1.1.254\config\switch-config.txt
Upload configuration to tftp:10.1.1.254 \config\switch-config.txt, (y/n)[n]? y
Configuration has been copied successfully.
Switch# 

This example shows how to save the system running configuration into FLASH memory and use it for the next boot configuration:

Switch# copy running-config startup-config
Save system configuration (y/n) [n], y
Configuration has been copied successfully.
Switch# 

cos remarking

Use this command to remark the receiving CoS priority for a VLAN tunnel application. Use the no form of this command to set as customer CoS trusted.

cos remarking NEW-COS [C-VID [, | -]]

no cos remarking [ C-VID[, | -]]

Default No COS remarking is set. The user/inner cost is trusted at the interface.

Command Mode Interface configuration

Usage Guideline This command is used for UNI port for VLAN tunnel application.

Use the cos remarking command to remark the outer tag priority. As CoS remarking is applied for VLAN encapsulation, the new CoS value is added into the outer priority tag. As CoS remarking is applied to VLAN remarking, the new CoS value is used to remark(replace) the priority tag.

To retain the priority from the receiving packet, use no cos remarking to make the system replicate or retain the original priority tag value to/as the out-going priority tag. This is also referred as user/inner COS trusted. The COS tag replication is only applied to outer priority tag in VLAN encapsulation and the COS remarking (replacement) is applied for the VLAN remarking.

Verify the settings by entering show vlan-tunnel command.

crypto key

To generate and configure an RSA or DSA key pair, use the crypto key command.

crypto key { rsa|dsa } NBITS [ force ]

Default None

Command Mode Privileged EXEC

Usage Guideline

To support SSH login, an RSA or DSA key pair must first be generated. This command can generate either an RSA or DSA key to provide greater security when logging into the server using SSH. The NBITS value is required to specify the size of the key pair.

Example This example shows how to create an RSA key, 1024 bits:

Switch# crypto key rsa 1024
Generating RSA keys.... [OK]
Switch# 

default-gateway (management port)

Use this command to set the IP address of the default gateway. Use the no form of this command to revert to the default value.

default-gateway IP-ADDRESS

no default-gateway

Syntax Description

IP-ADDRESS IP address in four-part dotted decimal format.

Default IP-ADDRESS: 0.0.0.0.

Command Mode Management interface

Usage Guideline The management port will send out IP packets for other IP subnets through this IP address.

Example This example shows how to set 10.1.1.254 as the IP address of the default gateway.

switch#configure terminal
switch(config)#
switch(config)#mgmt-if
switch(mgmt-if)#default-gateway 10.1.1.254
switch(mgmt-if)#end 

Verify the settings by entering the show mgmt-if command

default-information originate

Use the default-information originate command to configure OSPF to generate a default external route (type 5 LSA) network 0.0.0.0. Use the no form of the command to disable the originate type 5 LSA default route.

default-information originate [always] [metric METRIC-VLAUE] [metric-type TYPE-VALUE]

no default-information originate

Default None

Command Mode Router configuration

Usage Guideline

The default-information originate command is used to configure a routing process, in order to advertise a default route (network 0.0.0.0). If always is not specified, then the default route will only be advertised when the redistribution statement is configured and the default route exists in the redistributed routes.

Example This example shows how to advertise the default route regardless whether a default route exists in the configuration or not.

Switch(config)#router ospf
Switch(config-router)# default-information originate always 

Verify the settings by entering the show ip protocols ospf command.

default-information originate (IPv6 OSPF)

Use default-information originate to configure an IPv6 OSPF to generate a default external route (type 0x4005 LSA). Use the no form of the command to disable the originate type 0x4005 LSA default route.

default-information originate [always] [metric METRIC-VALUE] [metric-type TYPE-VALUE]

no default-information originate

Default None

Command Mode Router configuration

Usage Guideline

The default-information originate command is used to configure a routing process, in order to advertise a default route (prefix ::/0). When always is not specified, the default route will only be advertised when the redistribution statement is configured and the default route exists in the redistributed routes.

Example This example shows how to advertise the default route regardless whether a default route exists in the configuration or not.

Switch > enable
Switch # configure terminal
Switch (config) # router ipv6 ospf
Switch(config-router)# default-information originate always 

default-information originate (RIP)

To generate a default route into Routing Information Protocol (RIP), use the default-information originate command. To disable this feature, use the no form of this command.

default-information originate

no default-information originate

Syntax None

Default Disabled

Command Mode Router configuration

Usage Guideline Issuing this command generates a default route into RIP. The metric will always be one.

Example The following example shows how to generate a default route into RIP:

Switch# configure terminal
Switch(config)# router rip
Switch(config-router)# default-information originate 

Verify the settings by entering the show running-config command.

default-information originate (RIP IPv6)

To originate a default IPv6 route into RIP, use the default-information originate command. To remove the default IPv6 RIP route, use the no form of this command.

default-information originate

no default-information originate

Syntax None

Default Disabled

Command Mode Router configuration

Usage Guideline

Originating a default IPv6 route into RIP also forces the advertisement of the route in router updates sent on the interface. The advertisement of the route occurs regardless of whether the route is present in the IPv6 routing table.

Example

The following example originates a default IPv6 route into RIP and advertises the default route with all other routes.

Switch > enable
Switch # configure terminal
Switch (config) # router ipv6 rip
Switch (config-router) # default-information originate 

default ipv6 nd prefix

This command is used to default the IPv6 RA prefix information.

default ipv6 nd prefix X:X::X:X/M

Syntax Description

X:X::X:X/M IPv6 network address. This argument must be in the form documented in RFC2373 where the address is specified in hexadecimal using 16-bit value between colons.
X:X::X:X: IPv6 address
M: IPv6 prefix length 

Default None

Command Mode VLAN interface configuration

Usage Guideline RA prefix entry must be created first.

Example This example shows how to default the IPv6 nd prefix instance:

Switch > enable
Switch # configure terminal
Switch (config) # interface vlan1
Switch (vlan1) # default ipv6 nd prefix 3ffe:501:ffff::/64
Switch (vlan1) # 

default-metric (OSPF)

To set default metric values for OSPF, use the default-metric command. Use the no form of the command to remove the default-metric setting.

default-metric METRIC-VALUE

no default-metric

Syntax Description

METRIC-VALUE Default metric value appropriate for the specified routing protocol.

Default METRIC-VALUE: 20

Command Mode Router configuration

Usage Guideline

The default-metric command is used in conjunction with the redistribute router command (redistribute (OSPF) command on page 388) to cause the current routing protocol to use the same metric value for all redistributed routes.

A default metric helps solve the problem of redistributing routes with incompatible metrics. Whenever metrics do not convert, using a default metric provides a reasonable substitute and enables the redistribution to proceed.

The setting precedence that determines the metric is:

metric in redistributed command > default-metric setting.

Example

The following example shows a router redistributing RIP-derived routes into the OSPF domain and all redistributed routes are advertised with an OSPF metric of 10.

Switch(config)# router ospf
Switch(config-router)# default-metric 10
Switch(config-router)# redistribute rip
Switch(config-router)# end
Switch#

default-metric (IPv6 OSPF)

To set the default metric for IPv6 OSPF, use the default-mentic command. To return the metric to its default value, use the no form of this command.

default-metric METRIC-VALUE

no default-metric [METRIC-VALUE]

Syntax Description

METRIC-VALUE Default metric value. A number from 1 to 16777214.

Default METRIC-VALUE: 20

Command Mode Router configuration

Usage Guideline

The default-metric command is used in conjunction with the redistribute router configuration command (redistribute (IPv6 OSPF) command on page 390) to cause the current routing protocol to use the same metric value for all redistributed routes. A default metric helps solve the problem of redistributing routes with an incompatible metric. Whenever metrics do not convert, using a default metric provides a reasonable substitute and enables the redistribution to proceed.

The order of the setting precedence to determine the metric is:

set metric in redistributed command > default-metric setting.

Example

The following example shows an IPv6 OSPF redistributing routes from RIP. All redistributed routes are advertised with a metric of 10.

Switch > enable
Switch # configure terminal
Switch (config) # router ipv6 ospf
Switch (config-router) # default-metric 10
Switch (config-router) # redistribute rip 

default-metric (RIP)

To set default metric values for Routing Information Protocol (RIP), use the default-metric command. To return to the default state, use the default form of the command.

default-metric METRIC-VALUE

default default-metric

Syntax Description

METRIC-VALUE Default metric value. (From 1 to 16).

Default METRIC-VALUE: 1

Command Mode Router configuration

Usage Guideline

The default-metric command is used in conjunction with the redistribute router configuration (redistribute (RIP) command on page 392) command to cause the current routing protocol to use the same metric value for all redistributed routes. A default metric helps solve the problem of redistributing routes with incompatible metrics. Whenever metrics do not convert, using a default-metric provides a reasonable substitute and enables the redistribution to proceed.

Example

The following example shows how to configure the default metric 5 to redistribute the OSPF routes. In other words, it assigns the OSPF-derived routes a RIP metric of 5. Note that the command redistribute ospf without a metric option, causes the OSPF redistribution to use the default metric.

Switch# configure terminal
Switch(config)# router rip
Switch(config-router)# default-metric 5
Switch(config-router)# redistribute ospf

Verify the settings by entering the show ip protocols rip command.

default-metric (RIP IPv6)

To set the default metric for IPv6 RIP, use the default-metric. To return the metric to its default value, use the no form of this command.

default-metric METRIC-VALUE

no default-metric [ METRIC-VALUE ]

Syntax Description

METRIC-VALUE Default metric value. A number from 1 to 16.

Default

no default METRIC-VALUE

Command Mode Router configuration

Usage Guideline

The default-metric command is used in conjunction with the redistribute router configuration command to cause the current routing protocol to use the same metric value for all redistributed routes. A default metric helps solve the problem of redistributing routes with an incompatible metric. Whenever metrics cannot convert, using a default metric provides a reasonable substitute and enables the redistribution to proceed.

Example The following example shows IPv6 RIP redistributing routes from OSPF. All redistributed routes are advertised with a metric of 10.

Switch > enable
Switch # configure terminal
Switch (config) # router ipv6 rip
Switch (config-router) # default-metric 10
Switch (config-router) # redistribute ospf 

default-router

This command specifies the default router list for a DHCP client. Use the no form of this command to remove the default router list.

default-router IP-ADDRESS

no default-router IP-ADDRESS

Syntax Description

IP-ADDRESS Specifies the IP address of the default-router to DHCP clients.

Default None

Command Mode DHCP pool configuration

Usage Guideline

The IP address of the router should be on the same subnet as the client subnet. If the number of servers is more than one, then execute this command multiple times with different server IP addresses. Routers are listed in order of preference (address1 is the most preferred router, address2 is the next most preferred router, and so on).

Exmaple

This example shows how to specify 10.1.1.1 as the IP address of default-router in DHCP address pool.

switch# configure terminal
switch(config)# ip dhcp pool pool1
switch(config-dhcp)# default-router 10.1.1.1 

delete

Use this command to delete a file.

delete FILE-SYSTEM: PATH-NAME FILE-NAME

Default None

Command Mode Privileged EXEC

Usage Guideline A firmware image or a configuration file that is specified as the boot-up file cannot be deleted.

Example This example shows how to delete the file named test from the Flash card inserted in cf1.

If the file to be deleted is used as boot up image or configuration file, then it cannot be deleted and an error message will be displayed.

Switch#delete cf1:\test.txt
Delete cf1:\test.txt, (y/n) [n]? 

description

Use this command to add a description for an interface. Use the no description to clear the interface description.

description DESCRIPTION

no description

Default None

Command Mode Interface configuration

Usage Guideline None

Example This example shows how to add a description for interface eth 3.10

Switch(config)# interface eth3.10
Switch(config-if)# description Physical Port 10 

Verify the settings by entering the show interface command.

dir

Use the dir command to display the information for a file or the list of files in the specified path name.

dir FILESYSTEM: [\PATH-NAME]

Default None

Command Mode Any EXEC or configuration mode

Usage Guideline None

Example

This example displays the list of files on the root directory of the file system on the system's cf1 flash.

Switch>dir cf1:\
log <DIR>
customer <DIR>
system <DIR>
runtime.1.00.017_DGS-6600.had 64212362 bytes
runtime.1.00.018_DGS-6600.had 73087296 bytes
Switch> 

disable

Use this command to return to the User EXEC mode from the Privileged EXEC mode.

disable

Syntax None

Default None

Command Mode Privileged EXEC

Usage Guideline

The command will go to the User EXEC level from the power user level.

Example

This example shows how to logout after executing the disable command to return to the User EXEC mode.

Switch# disable
Switch> logout 

distance

Use the command distance to define an administrative distance for a protocol (RIP, OSPF, etc) or the routes that fall in the range of the specified networks-prefix. Use the no form of the command to remove the distance configuration and then the distance will go back to the default.

distance DISTANCE [NETWORK-PREFIX/PREFIX-LENGTH]

no distance DISTANCE [NETWORK-PREFIX/PREFIX-LENGTH]

Default No static routes are established.

The table below shows the default distance of protocols:

Command Mode Router configuration

Usage Guideline

This command is only used for routing protocols (RIP, OSPF). The distance command of a static route uses the ip route command on page 237 with the distance option. The distance of local interface can not be configured.

Numerically, an administrative distance is an integer from 1 to 255. In general, the higher the value is, the lower the trust rating is. An administrative distance of 255 means that the routing information source cannot be trusted at all and should be ignored.

Use the distance command to set the administrative distance for all the routes that fall in the range of the specified networks-prefix. That is, if the route is in the range of the networks-prefix, the distance specified for the network prefix will be applied to this route.

If the distances for specific routes are not specified, the distances of the routes learned by a routing protocol follows the distance of the routing protocol.

In the current configuration, there is a difference between RIP and RIPng.

1. The specified network prefix means the interface address for RIP.
2. The specified network prefix means the specific routes for RIPng.

If the distances for specific routes are specified, the distances of the routes are set to the specified value.

If the switch is operated at multi-path disabled mode, then the route with the lowest distance will be established as the active route. If the route that is found has failed, then this route will be automatically deactivated and the route with the next lower distance will be the active route.

If the switch is operated in the multi-path enabled mode, then routes with the same distances will be active at the same time.

Note 1: BGP Protocol does not support this command.

Note 2: OSPF does not support the parameter: [NETWORK-PREFIX/PREFIX-LENGTH].

Examples

This example shows how to set rip distance as 100, and route 30.0.0.0/8 with distance 90

Switch(config)# router rip
Switch(config-router)# distance 100
Switch(config-router)# distance 90 30.0.0.0/8 

This example shows how to remove the distance configuration of RIP (set to default distance of RIP, 120) and network 30.0.0.0/8

Switch(config)# router rip
Switch(config-router)# no distance 100
Switch(config-router)# no distance 90 30.0.0.0/8 

Verify the settings by entering the show ip protocols command.

dns-server

This command configures the IP address list of DNS servers available to DHCP clients. Use the no form of this command to remove the DNS server list.

dns-server IP-ADDRESS

no dns-server [IP-ADDRESS]

Syntax Description

IP-ADDRESS Specifies the IP address of DNS server to DHCP clients.

Default None

Command Mode DHCP pool configuration

Usage Guideline

This command configures the IP address list of DNS servers available to DHCP clients under the DHCP pool configuration mode. Servers are listed in order of preference. If the number of servers is more than 1, then execute this command multiple times with different server IP addresses.

Example

This example shows how to specify 10.1.1.1 as the IP address of DNS server in DHCP address pool.

switch# configure terminal
switch(config)# ip dhcp pool pool1
switch(config-dhcp)# dns-server 10.1.1.1 

domain-name

This command configures the domain name for a DHCP client. Use the no form of this command to remove the domain name.

domain-name DOMAIN

no domain-name

Syntax Description

DOMAIN Specifies the domain name.

Default None

Command Mode DHCP pool configuration

Usage Guideline This command configures the domain name for a DHCP client.

Example

This example shows how to specify domain name as "dlink.com" in a DHCP address pool.

switch# configure terminal
switch(config)# ip dhcp pool pool1
switch(config-dhcp)# domain-name dlink.com 

dos\_prevention action

Use this command to specify the action to perform when a DoS attack occurs

dos_prevention action {mirror INTERFACE-ID | trap_log}

no dos_prevention action {mirror|trap_log|all}

Default drop

Command Mode Global configuration

Switch(config)# dos_prevention action mirror eth4.1

The following example shows how to remove all actions.

Switch(config)# no dos_prevention action all

dos\_prevention type

Use this command to enable/disable DoS prevention mechanism. The packet matching and actions are handled by hardware. For each type of attack, the device will match the specific pattern automatically.

dos_prevention type {ATTACK-TYPES}

no dos_preventioin type {ATTACK-TYPES}

Syntax Description

Default Disabled.

DoS prevention of all supported ATTACK-TYPE is disabled.

Command Mode Global configuration

Usage Guideline This command is used to enable/disable the DoS prevention mechanism for specific attack types or for all supported types.

Examples The following example shows how to enable the DoS prevention mechanism for a land_attack.

Switch# configure terminal
Switch(config)# dos_prevention type land_attack 

The following example shows how to enable the DoS prevention mechanism for all supported types.

Switch# configure terminal
Switch(config)# dos_prevention type all 

The following example shows how to disable the DoS prevention mechanism for all supported types.

Switch# configure terminal
Switch(config)# no dos_prevention type all 

dot1v binding protocol-group

Use the dot1v binding protocol-group interface configuration command to set a protocol VLAN group and bind VLAN of the port. The no form of this command can remove the port from the specific protocol VLAN group.

dot1v binding protocol-group GROUP-ID vlan VLAN-ID

no dot1v binding protocol-group [GROUP-ID]

Default The default port is not bound to any protocol VLAN group.

Command Mode Interface configuration

Usage Guideline The valid interface for this command can be either a physical port or a port-channel. Use the dot1v binding protocol-group command to bind a protocol VLAN group with a VLAN ID. As a result, the packet that matches the specified protocol group will be associated with the VLAN binding with this group. The VLAN does not need to exist for the command to succeed. If the GROUP ID is not specified when using the command no dot1v binding protocol-group, the switch will remove all the protocol group and VLAN bindings at the specified interface.

Example This example shows how to bind a protocol VLAN group 10, VLAN id 3000 of ethernet port 3.2

Switch(config)# interface eth3.2
Switch(config-if)# dot1v binding protocol-group 10 vlan 3000 

Verify the settings by entering the show dot1v interface command.

dot1v protocol-group

Use the dot1v protocol-group global configuration command to add a protocol to a protocol group. Use no command to remove the specified protocol group, or to remove a protocol VLAN from the specified group.

dot1v protocol-group GROUP-ID frame { ethernet2 | snap | llc } TYPE-VLAUE

no dot1v protocol-group GROUP-ID [ frame { ethernet2 | snap | llc } TYPE-VLAUE ]

Syntax Description

Default The default protocol VLAN table is empty.

Command Mode Global configuration

Usage Guideline

The dot1v protocol-group command adds a protocol to a protocol group.

By setting the command multiple times, multiple protocols can be added to the same group.

The no dot1v protocol-group command will delete an existing protocol VLAN group.

If a specific protocol is specified with the no command, then this specific protocol will be removed from the specified group.

Example

This example shows how to create a protocol VLAN group with id 10, and bind protocol IPv6 (frame type is ethernet2 value is 0x86dd).

Switch(config)# dot1v protocol-group 10 frame ethernet2 0x86dd

Verfiy the settings by entering the show dot1v protocol-group command.

dot1x auth-mode

Use the dot1x auth-mode command to specify the 802.1x authentication mode.

dot1x auth-mode {port-based | host-based}

Default port-based mode

Command Mode Interface configuration

Usage Guideline The maximum number of hosts allowed to connect to an 802.1X-enabled port is project-dependent.

Example The following example shows how to specify the authentication mode as host-based.

Switch(config)#interface eth4.3
Switch(config-if)# dot1x auth-mode host-based 

Verify the settings by entering the show dot1x auth-configuration command.

dot1x auth-protocol

Use this command to specify the authentication method used for 802.1x authentication.

dot1x auth-protocol {local | radius}

Syntax Description

local Specifies local accounts for authentication

radius Specifies RADIUS servers for authentication

Default radius

Command Mode Global configuration

Usage Guideline

If local is specified, a user account should be configured. Please refer to the dot1x user command on page 140 to create new user accounts.

If radius is specified, a RADIUS server should be configured for authentication. Please refer to the server command on page 410 in AAA module.

Example The following example shows how to specify the authentication method as RADIUS.

Switch# configure terminal
Switch(config)# dot1x auth-protocol radius

Verify the settings by entering the show dot1x auth-configuration command.

dot1x control-direction

Use this command to configure the direction of the traffic on a controlled port as unidirectional (in) or bidirectional (both).

dot1x control-direction { both | in }

Default both

Command Mode Interface configuration

Usage Guideline This command is only valid for physical port interface.

This command takes effect only when the global and per-port 802.1x enable command is configured.

When the port is in force-unauthorized or un-authorized state, the traffic direction is controlled based on this command.

When the port is in force-authorized or authorized state, the traffic is allowed in both directions.

Example The following example shows how to specifies the direction of the traffic through port eth4.1 as unidirectional.

Switch# configure terminal
Switch(config)# interface eth4.1
Switch(config-if)# dot1x control-direction in 

Verify the settings by entering the show dot1x auth-configuration command.

dot1x default

Using this command resets the configurable 802.1X parameters to the default values.

dot1x default

Syntax None

Default The default values are listed as following:

The authorization state on a controlled port is auto.

The direction of the traffic through a controlled port is bidirectional.

The number of maximum retransmit times which the switch will retransmit an EAP request frame to the supplicant before restarting the authentication process is 2.

The quiet-period, reauth-period, server-timeout, supp-timeout, and tx-period are 60, 3600, 30, 30, and 30 seconds, respectively.

Periodic re-authentication is disabled.

Command Mode Interface configuration

Usage Guideline This command is only valid on physical port interface.

Example

The following example shows how to reset the IEEE 802.1X parameters on port eth4.1.

Switch# configure terminal
Switch(config)# interface eth4.1
Switch(config-if)# dot1x default 

Verify the settings by entering the show dot1x auth-configuration command.

dot1x forward-pdu

Use this command to allow a 1X-disabled interface to forward 802.1X BPDU. Use the no form of this command to disable the forwarding function on a 1X-disabled interface.

dot1x forward-pdu

no dot1x forward-pdu

Syntax None

Default 802.1x BPDU is not forwarded when 802.1x is disabled.

Command Mode Interface configuration

Usage Guideline This command is only valid for physical port interface.

When the 802.1X functionality is disabled, and dot1x forward-pdu is configured for a port, the received 1x BPDU on the port will be flooded to the ports where forward-pdu is enabled and that are in the same VLAN.

Example This example shows how to enable 802.1X forward-pdu on a given interface.

Switch# configure terminal
Switch(config)# interface eth4.1
Switch(config-if)# dot1x forward-pdu

Verify the settings by entering the show dot1x auth-configuration command.

dot1x guest-vlan

Use this command to enable the 802.1X guest VLAN function and specify the guest VLAN. Use the no form of this command to disable the guest VLAN function.

dot1x guest-vlan VLAN-ID

no dot1x guest-vlan

Syntax None

Default Disabled

Command Mode Interface configuration

Usage Guideline This command is only valid for physical port interfaces.

The guest VLAN is not supported in host-based mode.

The guest VLAN is only effective when a port is configured as 1X-enabled and dot1x port-control is in auto mode.

This command only supports ports in access VLAN mode. When configuring a guest VLAN for a port in other VLAN modes, an error messages appears.

The VLAN assignment of the guest VLAN is determined by following rules:

• If the guest VLAN is enabled, and the authentication state is unauthorized, the port belongs to the guest VLAN.
• If the guest VLAN is enabled with the authentication state authorized, and if RADIUS is authorizing VLAN access then the configured port will belong to the VLAN assigned by RADIUS server, else the port belong to the VLAN configured in the VLAN module.
• If guest VLAN is disabled, and the authentication state is unauthorized, the port belongs to the VLAN configured in VLAN module.
• If guest VLAN is disabled, with the authentication state authorized, and if RADIUS is authorizing VLAN access then the configured port will belong to the VLAN assigned by RADIUS server, else the port belong to the VLAN configured in the VLAN module.
• For a port configured for guest VLAN or RADIUS assigned VLAN, if the configured VLAN is not existing on the switch, the port will belong to the VLAN configured in VLAN module.

Examples

The example, on the next page, shows how to make eth4.1 join the IEEE 802.1x guest VLAN.

Switch# configure terminal
Switch(config)# interface eth4.1
Switch(config-if)# dot1x guest-vlan 99

This example shows how to make eth4.1 leave the guest VLAN.

Switch# configure terminal
Switch(config)# interface eth4.1
Switch(config-if)# no dot1x guest-vlan

Verify the settings by entering show do1x auth-configuration and show vlan interface command.

dot1x initialize

Use this command to initialize the authentication state machine of:

- a port in port-based mode.

-or-

- an associated MAC address in host-based mode.

dot1x initialize [ interface INTERFACE-ID [ mac-address MAC-ADDRESS ] ]

Default None

Command Mode Privileged EXEC

Usage Guideline Entering dot1x initialize without any keyword will initialize all authentication states for all ports in port-based mode, or all MAC addresses associated in host-base mode.

Examples This example shows how to initialize the authentication state machine on eth4.1.

Switch# dot1x initialize interface eth4.1

This example shows how to initialize the authentication state machine associated with MAC address 00-40-10-28-19-78 on eth4.1.

Switch# dot1x initialize interface eth4.1 mac-address 00-40-10-28-19-78

dot1x max-req

Use this command to set the maximum number of times that the switch sends EAP-request/identity frames to the client before restarting the authentication process.

dot1x max-req TIMES

Syntax Description

Default TIMES: 2

Command Mode Interface configuration

Usage Guideline This command is only valid for physical port interface.

Example

This example shows how to set the maximum number of retransmit times on port eth4.1 to be 3.

Switch# configure terminal
Switch(config)# interface eth4.1
Switch(config-if)# dot1x max-req 3

Verify the settings with the show dot1x auth-configuration command.

dot1x pae authenticator

Use this command to enable 802.1X authentication on a specific port. Use the no form of this command to disable 802.1X authentication on the port.

dot1x pae authenticator

no dot1x pae

Syntax Description

authenticator Enable 802.1X authentication on a specific port.

Default Disabled

Command Mode Interface configuration

Usage Guideline This command is only valid for physical port interface.

Use the dot1x system-auth-control command on page 138 to enable global 802.1x function before enabling 802.1X authentication on a specific port.

A port can be configured as a 1x-enable port only if the port is not a member port of a port channel, or a destination port of a port mirroring session.

Examples This example shows how to configure port eth4.1 as a 1X-enabled port.

Switch# configure terminal
Switch(config)# interface eth4.1
Switch(config-if)# dot1x pae authenticator

This example shows how to disable 802.1x authentication on port eth4.1.

Switch# configure terminal
Switch(config)# interface eth4.1
Switch(config-if)# no dot1x pae

Verify the settings by entering the show dot1x auth-configuration command.

dot1x port-control

Use this command to manually control the authorization state on a specific port.

dot1x port-control { auto | force-authorized | force-unauthorized }

Default auto

Command Mode Interface configuration

Usage Guideline This command is valid only for physical port interface.

Global 802.1x authentication function should be enabled using the dot1x system-auth-control command on page 138 before enabling 802.1X authentication on a specific port.

Example This example shows how to deny all access on eth4.1.

Switch# configure terminal
Switch(config)# interface eth4.1
Switch(config-if)# dot1x port-control force-unauthorized 

Verify the settings with the show dot1x auth-configuration command.

dot1x re-authenticate

Use this command to re-authenticate a specific port or a specific MAC address.

dot1x re-authenticate [ interface INTERFACE-ID [ mac-address MAC-ADDRESS ] ]

Default None

Command Mode Privileged EXEC

Usage Guideline

Entering dot1x re-authenticate without any keyword will re-authenticate all 1x-enabled ports in the port-based mode or all MAC addresses associated with 1x-enabled port in the host-based mode.

Examples This example shows how to re-authenticate eth4.1.

Switch# dot1x re-authenticate interface eth4.1

This example shows how to re-authenticate MAC address 00-40-10-28-19-78 on eth4.1.

Switch# dot1x re-authenticate interface eth4.1 mac-address 00-40-10-28-19-78

dot1x re-authentication

Use this command to enable periodic re-authentication. Use the no form of this command to disable periodic re-authentication.

dot1x re-authentication

no dot1x re-authentication

Syntax None

Default Disabled

Command Mode Interface configuration

Usage Guideline This command is valid only for physical port interface.

The number of seconds between re-authentication attempts can be configured using the dot1x timeout command on page 139 with the reauth-period keyword.

Examples This example enables periodic re-authentication on eth4.1.

Switch# configure terminal
Switch(config)# interface eth4.1
Switch(config-if)# dot1x re-authentication 

This example shows how to disable periodic-re-authentication.

Switch# configure terminal
Switch(config)# interface eth4.1
Switch(config-if)# no dot1x re-authentication 

Verify the settings by entering the show dot1x auth-configuration command.

dot1x system-auth-control

Use dot1x system-auth-control to globally enable 802.1X authentication on a switch. Use the no form of this command to return to globally disable 802.1X function.

dot1x system-auth-control

no dot1x system-auth-control

Syntax None

Default Disabled

Command Mode Global configuration

Usage Guideline None

Examples

This example shows how to globally enable 802.1X authentication on a switch.

Switch# configure terminal
Switch(config)# dot1x system-auth-control 

This example shows how to disable 802.1x authentication globally on a switch.

Switch# configure terminal
Switch(config)# no dot1x system-auth-control 

Verify the settings by entering the show dot1x auth-configuration command.

dot1x timeout

Use this command to set timeout values for various 802.1X timers.

dot1x timeout {quiet-period SECONDS | reauth-period SECONDS | server-timeout SECONDS | supp-timeout SECONDS | tx-period SECONDS}

Default quiet-period: 60 seconds

reauth-period:3600 seconds

server-timeou: 30 seconds

supp-timeout: 30 seconds

tx-period: 30 seconds

Command Mode Interface configuration

Usage Guideline This command is only valid for physical port interface.

The reauth-period takes effect when re-authentication is configured by the dot1x re-authentication command on page 137.

Example This example sets quiet-period, reauth-period, server-timeout, supp-timeout, and tx-period on eth4.1 to be 20, 1000, 15, 15, and 10 seconds, respectively.

Switch# configure terminal
Switch(config)# interface eth4.1
Switch(config-if)# dot1x timeout quiet-period 20
Switch(config-if)# dot1x timeout reauth-period 1000
Switch(config-if)# dot1x timeout server-timeout 15
Switch(config-if)# dot1x timeout supp-timeout 15
Switch(config-if)# dot1x timeout tx-period 10 

Verify the settings by entering the show dot1x auth-configuration command.

dot1x user

Use this command to create a local account used for authentication. Use the no form of this command to delete local accounts.

dot1x user NAME password PASSWORD

no dot1x user [ NAME ]

Default No local account is created.

Command Mode Global configuration

Switch# configure terminal
Switch(config)# dot1x user yourname password yourpass
Switch(config)#

This example deletes a local account with a username as "yourname".

Switch# configure terminal
Switch(config)# no dot1x user yourname 

Verify the settings by entering the show dot1x user command.

duplex

Use this command to configure the physical port interface speed/duplex setting.

duplex { full | half | auto }

Syntax Description

full Specifies to operate in full duplex mode.

half Specifies to operate in half duplex mode.

auto Specifies that the duplex mode will be determined by auto-negotiation.

Default auto

Command Mode Interface configuration

Usage Guideline

Physical port interfaces are valid for this configuration. If the duplex mode is not supported by the hardware, an error message will be returned.

The following hardware restrictions apply:

- 1000SX/LX is always fixed to 1000 and full duplex.

- For the 1000SX/LX module, the duplex command will not take any effect.

Auto-negotiation is enabled if either for speed or duplex. If speed is set to auto, and duplex is set to full or half mode, then only the speed will be negotiated. The advertised capability will be the configured duplex mode combined with all possible speeds. If speed is to set to a fixed speed and duplex is set to auto, then only duplex mode is negotiated. The advertised capability will be both full and half duplex mode combined with the configured speeds.

Before adding ports to a Port-Channel, please verify that all settings are identical on the candidate ports; otherwise the port members of a Port-Channel with different settings will operate in an indeterminate manner.

Example

This example shows how to configure interface eth3.1 to force the settings to a speed of 100Mbits and auto-negotiate to the duplex mode.

Switch(config)# interface eth3.1
Switch(config-if)# speed 100
Switch(config-if)# duplex auto

Verify the settings by entering the show interface command.

enable

Use this command to enter a Privileged EXEC mode.

enable [privilege LEVEL]

Default LEVEL: 15

Command Mode User EXEC

Usage Guideline Use the enable command to enter the Privileged EXEC mode and use the disable command on page 115 to return to the User EXEC mode from the power user level. The command only accepts level 12 and 15. An error message will appear if other levels are specified. If the enable password is configured for a level, the user will be requested to enter the password for the specified privileged level.

Example This example shows how to enter the Privileged EXEC mode:

Switch> enable
Input privileged level 15 password:
Switch# 

enable password

Use this command to setup the enable password to enter into different privileged modes. Use the no form of the command to return the password for all levels to an empty string. When a level is specified, the password for that level is returned to an empty string.

enable password privilege LEVEL password {plain-text| encrypted} PASSWORD

no enable password [privilege LEVEL]

Default No enable password is configured.

Command Mode Global configuration at privilege level 15

Usage Guideline Only accepts level 12 and 15.

An error message will appear if other levels are specified.

The exact password for the specific level needs to be used in order to enter the specific level of the privileged EXEC mode.

Each level has only one password in order to enter that level.

Example This example shows how to create an enable password for privilege level 15 with "MyEnablePassword".

Switch(config)# enable password MyEnablePassword

Verify the settings by entering the show enable password command.

end

Use this command to end the current configuration session and go back to the Privileged EXEC mode.

end

Syntax None

Default None

Command Mode Any configuration mode

Usage Guideline Using this command will end the configuration task in any configuration mode and go back to the Privileged EXEC mode.

If the current mode in any of the EXEC mode, this command will logout the session.

Example This example shows how to end the interface configuration and go back to privileged mode.

Switch (config-if) #end
Switch# 

exit

Use this command to end the current configuration mode and go back to the to the last mode used.

exit

Syntax None

Default None

Command Mode Any

Usage Guideline

The user can exit the current configuration mode and go back to the last mode used.

When the user is in User EXEC mode, this command will logout the session.

Example

This example shows how to exit from the interface configuration mode and return to the global configuration mode.

Switch (config-if) #exit

Switch (config) #

flowcontrol

Use this command to configure the flow control capability of the port interface.

flowcontrol [ send | receive ] { on | off }

Syntax Description

send (Optional) Flow control setting on send.

receive (Optional) Flow control setting on receive.

on Turn on the flow control.

off Turn off the flow control.

Default send: off

receive: off

Command Mode Interface configuration

Usage Guideline Only physical port interfaces are valid for this configuration.

The command only assures that either the software configured or the administration state complies with the flowcontrol command.

The actual operation of the hardware may prevent the flowcontrol command to take effect. This is because flow control capability is determined by both the local port, device and its linked partner instead of just the local setting.

If auto-negotiation is disabled (i.e. the speed and duplex are both set to a non-auto setting), then the final flow-control setting will be determined by the configured flow control setting.

If auto-negotiation is enabled (i.e. the speed or duplex setting is set to auto), the final flow control setting will be based on the negotiated result between local side setting and the partner side setting. The configured flow control setting here is the local side setting.

If no option is selected for the direction, then both send and receive are applied.

Example

This example shows how to turn on the flow control send capability of interface eth3.1.

Switch# configure terminal
Switch(config)# interface eth3.1
Switch(config-if)# flowcontrol send on
Switch(config-if)# end

Verify the settings by entering the show interface command.

gvrp (Global)

Use the gvrp interface command to enable GVRP function globally, and use the no gvrp command to disable the GVRP function globally.

gvrp

no gvrp

Syntax None

Default Disabled

Command Mode Global configuration

Usage Guideline None

Example

This example shows how to enable the GVRP protocol global state.

Switch(config)# gvrp
Switch(config)# 

Verify the settings by entering the show gvrp configuration command.

gvrp (Interface)

Use the gvrp interface command to enable GVRP function for a port, and use the no gvrp command to disable the GVRP function for a port.

gvrp

no gvrp

Syntax None

Default Disabled

Command Mode Interface configuration

Usage Guideline

Use the gvrp interface configuration command to enable/disable the GVRP protocol state.

Both physical port and port-channel interfaces are valid for this command. If a physical port is member of a port-channel, then this command should return an error message to indicate it.

The GVRP function cannot be enabled when the interface is at access mode.

Example This example shows how to enable Ethernet eth3.1 GVRP protocol state.

Switch(config)# interface eth3.1
Switch(config-if)# gvrp

Verify the settings by entering the show gvrp configuration interface command.

gvrp advertise (Interface)

Use the gvrp advertise command to specify that this VLAN will be advertised out by GVRP protocol. Use no gvrp advertise to disable this function.

gvrp advertise [ VLAN-ID [, | - ] ]

no gvrp advertise [ VLAN-ID [, | - ] ]

Default Advertise

Command Mode Interface configuration

Example This example shows how to enabled advertise function of VLAN 1000 at interface Ethernet eth4.1.

Switch(config)# interface eth4.1
Switch(config-if)# gvrp advertise 1000 

Verify the settings by entering the show gvrp configuration command.

gvrp advertise (VLAN)

Use the gvrp advertise command to specify that this VLAN will be advertised out by GVRP protocol. Use no gvrp advertise to disable this function.

gvrp advertise

no gvrp advertise

Syntax None

Default Advertise is enabled

Command Mode Config-VLAN configuration

Usage Guideline

If a VLAN has been configured to be advertised under the config-VLAN mode, GVRP protocol will advertise this VLAN if it has any member ports. However the command takes effect only in the running configuration, it is not stored in NV-RAM for the next start up configuration. In the interface mode, the command is stored in NV-RAM for next startup system configuration mode.

Example

This example shows how to configure VLAN 1000 to be advertised.

Switch(config)# VLAN 1000
Switch(config-VLAN)# gvrp advertise 

Verify the settings by entering the show gvrp configuration command.

gvrp dynamic-vlan-creation

Use the gvrp dynamic-vlan-creation command to enable dynamic VLAN creation, and use the no form of the command to disable the dynamic VLAN creation function.

gvrp dynamic-vlan-creation

no gvrp dynamic-vlan-creation

Syntax None

Default Disabled

Command Mode Global configuration

Usage Guideline

When gvrp dynamic-vlan-creation is enabled, and a port learns a new VLAN membership where the VLAN does not exist, the VLAN will be created automatically. Otherwise, the newly learned VLAN will not be created.

Example This example shows how to enable dynamic VLAN creation for GVRP.

Switch(config)# gvrp
Switch(config)# gvrp dynamic-vlan-creation

Verify the settings by entering the show gvrp configuration command.

gvrp forbidden

Use the gvrp forbidden command to specify the port as a forbidden member. Use the no gvrp forbidden command to remove the port as a forbidden member.

gvrp forbidden

no gvrp forbidden

Syntax None

Default None

Command Mode Interface configuration

Usage Guideline

The physical port and port-channel interfaces are both valid for this command. If a physical port is a member of a port-channel, entering the command returns an error message. If multiple interfaces are specified, the command can be executed partially. Error messages are sent if the interfaces fail to execute this command.

When the gvrp forbidden command is configured, all VLANs will be forbidden except the default VLAN (1) of this port.

If some VLANs have already been defined as allowable VLANs for the port, then these VLAN memberships will be removed when issuing the gvrp forbidden command. These memberships will not be recovered even when the no gvrp forbidden command is applied.

Example This example shows how to set Ethernet eth3.1 as a GVRP forbidden port.

Switch(config)# interface eth3.1
Switch(config-if)# gvrp forbidden

Verify the settings by entering the show gvrp configuration interface command

gvrp timer

Use the gvrp timer command to set the GVRP timer value for a port.

gvrp timer { join | leave | leave-all } TIMER-VALUE

Syntax Description

Default join: 20

leave : 60

leave-all : 1000

Command Mode Interface configuration

Usage Guideline The value of these parameters must comply to the following rules:

1. LEAVE_TIMER >= 3 * JOIN_TIMER
2. LEAVE_ALL_TIMER > LEAVE_TIMER

Example

This example shows how to set the leave-all timer to 5 seconds using the value 500 (hundredths of a second).

Switch(config)# interface eth3.1
Switch(config-if)# gvrp timer leave-all 500 

Verify the settings by entering the show gvrp configuration interface command.

help

To display a brief description of the help system, use the help command in any command mode.

help

Syntax None

Default None

Command Mode User EXEC or any configuration mode

Usage Guideline

The help command provides a brief description of the context-sensitive help system, which functions as follows:

To list all commands available for a particular command mode, enter a question mark (?) at the system prompt.

To obtain a list of commands that begin with a particular character string, enter the abbreviated command entry immediately followed by a question mark (?). This form of help is called word help, because it lists only the keywords or arguments that begin with the abbreviation entered.

To list the keywords and arguments associated with a command, enter a question mark (?) in place of a keyword or argument on the command line. This form of help is called command syntax help, because it lists the keywords or arguments that apply based on the command, keywords, and arguments that have already been entered.

Example

In the following example, the help command is used to display a brief description of the help system:

Switch# help

The switch CLI provides advanced help feature. When you need help, anytime at the command line please press '?'.

If nothing matches, the help list will be empty and you must backup until entering a '?' shows the available options.

Two styles of help are provided:

1. Full help is available when you are ready to enter a command argument (e.g. 'show ?') and describes each possible argument.

2. Partial help is provided when an abbreviated argument is entered and you want to know what arguments match the input (e.g. 'show ve?').

host area

Use the host area command to configure a stub host entry belonging to a particular area. Use the no form of this command to remove the host area configuration.

host IP-ADDRESS area AREA-ID [ cost COST ]

no host IP-ADDRESS area AREA-ID

Default No host entry is configured.

Command Mode Router configuration

Usage Guideline Using this command, specific host routes can be advertised in the router-LSA as stub link.

Example This following example shows how to configure a stub host 172.16.10.100 at area 1.

Switch# configure terminal
Switch (config)# router ospf
Switch (config-router)# host 172.16.10.100 area 1 

Verify the settings by entering the show ip ospf host-route command.

hybrid vlan VLAN-ID

Use the hybrid VLAN command to set the VLAN characteristic. It sets the interface as a tagged member or untagged member.

hybrid vlan VLAN-ID [, | - ] { tagged | untagged }

no hybrid vlan [ VLAN-ID [, | - ] ]

Default The default hybrid-vlan is empty.

Command Mode Interface configuration

Example This example shows how to set an interface port 3.1 as a tagged member of VLAN 1000.

Switch(config)# interface eth3.1
Switch(config-if)# hybrid vlan 1000 tagged 

Verify the settings by entering the show vlan command.

ingress-checking

Use the ingress-checking to enable ingress frame checking at a port. Use the no ingress-checking to disable the ingress frame checking function.

ingress-checking

no ingress-checking

Syntax None

Default Enabled

Command Mode Interface configuration

Usage Guideline The valid interfaces for this command are physical ports.

Use the ingress-checking interface command to enable ingress checking at the switch interfaces. When ingress checking is enabled, if the port is not a member port of the VLAN associated with the incoming frames, the frames will be dropped. Use the no ingress-checking interface command to disable this function of a port.

Example

This example shows how to set ingress checking to enabled at ethernet port 4.1.

Switch(config)# interface eth4.1
Switch(config-if)# ingress-checking

Verify the settings by entering the show vlan interface command.

instance

To map a VLAN or a set of VLANs to a single Multiple Spanning Tree (MST) instance, use the instance command. To return the VLANs to the default instance (CIST), use the no form of this command.

instance INSTANCE-ID vlans VLANDID [, | .]

no instance INSTANCE-ID

Default No VLANs are mapped to any MST instance (all VLANs are mapped to the CIST instance).

Command Mode MST configuration

Usage Guideline Any unmapped VLAN is mapped to the CIST instance.

Examples This example shows how to map a range of VLANs to instance 2:

Switch(config)#spanning-tree mst configuration
Switch(config-mst)# instance 2 vlans 1-100 

This example shows how to map a VLAN to instance 5:

Switch(config)#spanning-tree mst configuration
Switch(config-mst)# instance 5 vlans 1100 

Verify the settings by entering the show spanning-tree mst configuration command.

interface

Enter the interface command to go into interface configuration mode. The command executed in this mode will be applied to the interface specified by the command.

interface INTERFACE-ID

Syntax Description

INTERFACE-ID The interface can be a physical port, port-channel, or VLAN.

Default None

Command Mode Global configuration

Usage Guideline The interface command puts the command line interface into interface configuration mode for a specified interface.

For the port-channel interface, it must be an existing channel-group.

For the VLAN interface, it must be a previously created VLAN.

Example This example shows how to enter the interface configuration mode for eth2.5:

Switch(config)# interface eth2.5
Switch(config-if)# 

interface range

Enter the interface range command to go into interface range configuration mode. The command executed in this mode will be applied to all interfaces specified by the command.

interface range INTERFACE-ID [, | - ]

Syntax Description

Default None

Command Mode Global configuration

Usage Guideline

This command puts the command line interface into configuration mode for the specified range of interfaces. The interfaces specified in a range can be different types, such as eth2.1-2.5, vlan100-200.

Example
This example shows how to enter the interface configuration mode for a range of ports from eth2.1-2.5.

Switch(config)# interface range eth2.1-2.5
Switch(config-if)# 

interface tunnel

Use the interface tunnel configuration command to add a tunnel and to enter the interface configuration mode. Use the no interface tunnel configuration command to remove a tunnel.

interface tunnel {tunnel-ID}

no interface tunnel {tunnel-ID}

Syntax Description

tunnel-ID Specifies the ID of the tunnel to be added, removed or configured. The valid tunnel ID range is 1-127.

Default None

Command Mode Global configuration

Usage Guideline None

Examples

The following example will add a tunnel of 2, and then enter into the interface configuration mode.

Switch(config)# interface tunnel 2
Switch (config-if)# 

The following example will remove IPv6 tunnel 2.

Switch(config)# no interface tunnel 2
Switch (config)# 

ip access-group

Use the ip access-group command to specify the IP access-list to be applied to an interface. Use the no form of this command to remove an IP access list.

ip access-group NAME [ in ]

no ip access-group NAME [ in ]

Default None

Command Mode Interface configuration

Switch(config)# interface eth3.2 Switch(config-if)#ip access-group Strict-Control

Verify the settings by entering the show access-group privileged EXEC command.

ip access-list

Use the command to create or modify an IP access list. This command enters the user interface into the ip access-list configuration mode. Use no command to remove an IP access-list.

ip access-list [ extended ] NAME

no ip access-list [ extended ] NAME

Default Deny all traffic (implicit).

Command Mode Global configuration

Switch(config)#ip access-list extended Strict-Control
Swtch(config-ip-ext-acl)#permit tcp any 10.20.0.0 255.255.0.0
Swtch(config-ip-ext-acl)#exit
Swtch(config)#ip access-list pim-srcfilter
Switch(config-ip-acl)#permit host 172.16.65.193 any
Switch(config-ip-acl)# 

Verfiy the settings by entering the show access-list command.

ip address

Use ip address to set a primary or secondary IP address for an interface, or acquire an IP address on an interface from DHCP. Use the no form of the command to remove the IP settings configuration from the interface.

ip address { IP-ADDRESS SUBNET-MASK[ secondary ] | dhcp }

no ip address [ IP-ADDRESS SUBNET-MASK ]

Default 0.0.0.0/32.

Command Mode VLAN Interface configuration

Usage Guideline Only VLAN interfaces are valid for this command.

An interface can have one primary IP address and multiple secondary IP addresses. IP processing can be disabled on a particular interface by removing its IP address with the no ip address command. If the software detects another host using one of its IP addresses, an error message appears on the console.

The optional secondary keyword allows assignment of multiple secondary addresses. Secondary addresses are treated like the primary address, except that the system does not generate datagrams other than a routing update packet with secondary source addresses. For example, an SNMP trap is always generated with the primary address. However, the system can respond to a packet sent to the secondary address.

For now, only VLAN interfaces can be configured by this command.

If a VLAN interface has been configured with static IP address (except 0.0.0.0) or DHCP, a Layer 3 IP interface is created.

The no ip address command will remove all of the IP settings from the interface.

Example

This example (on the next page) shows how to set 10.108.1.27 as the primary address and 192.31.7.17 and 192.31.8.17 as the secondary addresses for VLAN 100:

Switch# configure terminal
Switch(config)# interface vlan100
Switch(config-if)# ip address 10.108.1.27 255.255.255.0
Switch(config-if)# ip address 192.31.7.17 255.255.255.0 secondary
Switch(config-if)# ip address 192.31.8.17 255.255.255.0 secondary
Switch(config)# end

Verify the settings by entering the show ip interface command.

ip address (management port)

Use the command to set the IP address of the Management Port. Use the no form of this command to revert to the default IP address.

ip address IP-ADDRESS / PREFIX-LENGTH

no ip address

Syntax Description

IP-ADDRESS IP address to be configured for the Management Port.

PREFIX-LENGTH Prefix Length.

Default 10.90.90.90/8.

Command Mode Management interface configuration

Usage Guideline

This is the IP address used for management access to the system. Use no ip address command to restore the default IP address 10.90.90.90/8.

Example This example shows how to set 10.1.1.1 as the IP address of the Management Port.

Switch#configure terminal
Switch(config)#mgmt-if
Switch(mgmt-if)#ip address 10.1.1.1/8
Switch(mgmt-if)#end 

Verify the settings by entering the show mgmt-if command.

ip address-list

Use this command to specify the IP addresse range in a DHCP address pool and one of which is allowed to be bound with a DHCP client. Use the no form of this command to remove the range of IP addresses from the DHCP address pool.

ip address-list IP-ADDRESS [,|-]

no ip address-list IP-ADDRESS [,|-]

Syntax Description

Default No IP addresses exist in any DHCP pool.

Command Mode DHCP pool configuration

Usage Guideline

This command is used to define the IP address list for a DHCP pool. Reasonable IP addresses should be carefully defined for the pool. For example, use the same network ID or same subnet for the all IP addresses.

Specify a host by specifying the IP address explicitly or specify a range of IP addresses using a hyphen between the start IP address and end IP address. Both the host and the range of IP addresses can be mixed together. Verify and confirm that the IP addresses chosen are part of the same network.

Example
This example shows how to configure the IP address range for pool1 in the IP address range of 10.1.1.1\~10.1.1.255 and exclude the address 10.1.1.200 from the pool.

Switch# configure terminal
Switch(config)# ip dhcp pool pool1
Switch(config-dhcp)# ip address-list 10.1.1.1-10.1.1.255
Switch(config-dhcp)# no ip address-list 10.1.1.200
Switch(config-dhcp)# 

Verify the address pool is added with the show ip dhcp pool command.

ip as-path access-list

Use this command to define a BGP Autonomous System (AS) path access list. Use the no form of this command to disable use of the access list.

ip as-path access-list ACCESS-LIST-NAME { permit | deny } REGEXP

no ip as-path access-list ACCESS-LIST-NAME

Syntax Description

Default None

Command Mode Global configuration

Usage Guideline

The named community access list is a filter based on regular expressions. If the regular expression matches the specified string representing the AS path of the route, then the permit or deny condition applies. Use this command to define the BGP access list globally, use the neighbor filter-list command in the router configuration mode to apply a specific access list.

Multiple commands can be applied to a list name.

Example
This example shows how to define an AS path access list named "mylist" to deny access to the neighbor with AS number 65535:

Switch(config)# ip as-path access-list mylist deny ^65535$
Switch(config)# ip as-path access-list mylist permit .*

Verify the settings by entering the show ip as-path access-list command.

ip community-list

Use this command to add a community list entry. Use the no form of this command to delete the community list entry.

ip community-list COMMUNITY-LIST-NAME { permit | deny } COMMUNITY

no ip community-list COMMUNITY-LIST-NAME [ {permit | deny } COMMUNITY]

Default BGP community exchange is not enabled by default. It is enabled on a per-neighbor basis with the neighbor send-community command.

The Internet community is applied to all routes or prefixes by default, until any other community value is configured with this command or the set community command.

Command Mode Global configuration

Example This example (on the next page) shows how to configure a community list

named“mycommlist” that permit routes from network 10 in autonomous system 50000:

Switch(config)# ip community-list mycommlist permit 50000:10

Verify the settings by entering the show ip community-list command.

ip dhcp ping packets

User this command to specify the number of packets that the DHCP server will send as a part of the ping operation. Use the no form of this command to prevent the server from pinging pool addresses.

ip dhcp ping packets COUNT

no ip dhcp ping packets

Syntax Description

COUNT The number of ping packets the DHCP server will send. From 0 to 10 where 0 stops the ping checks from being sent upon address assignment.

Default Two packets.

Command Mode Global configuration

Usage Guideline

Before a DHCP server attempts to assign a pool address a to client, it tries to ping the specific pool address. If the ping packet is unanswered, the DHCP server assumes this pool address is currently available and is safe to assign to a requesting client.

Example The following is a sample of configuring the number of ping packets as 3.

switch# configure terminal
switch(config)# ip dhcp ping packets 3 

ip dhcp ping timeout

Use this command to specify how long the DHCP server will wait for the ping reply from a pool address. Use the no form of this command to restore the wait time for the ping reply back to the default value (500ms).

ip dhcp ping timeout MILLISECONDS

no ip dhcp ping timeout

Default 500 milliseconds.

Command Mode Global configuration

Usage Guideline Before the DHCP server attempts to assign a pool address to a client, it tries to ping the specific pool address. If the ping packet is unanswered, the DHCP server assumes this pool address is currently available and is safe to assign to the requesting client. This command sets the time that the DHCP server will wait for a reply from the address that it pinged.

Example The following is sample of configuring the ping timeout as 100.

switch# configure terminal
switch(config)# ip dhcp ping timeout 100 

ip dhcp pool

Use this command to configure a DHCP address pool on a DHCP Server and enter the DHCP pool configuration mode. Use the no form of this command to remove the address pool.

ip dhcp pool NAME

no ip dhcp pool NAME

Syntax Description

NAME The address pool name can either be a symbolic string or an integer. The maximum length is up to 64 characters.

Default Not configured

Command Mode Global configuration

Usage Guideline

This command changes the configuration mode to DHCP pool configuration mode, identified by the (config-dhcp)# prompt. In this mode, the administrator can configure pool parameters, for example, the IP subnet number and default router list.

Note that the DHCP pool name can play an important role if the DHCP host requests meet the IP address offering criteria of more than one DHCP pool. The pool name with the shortest name and lowest alphabet is the only pool allowed to offer the correct IP address to the host.

Example

The following example configures the address pool named "pool1".

switch# configure terminal
switch(config)# ip dhcp pool pool1 

ip dhcp relay

Use this command to enable Dynamic Host Configuration Protocol (DHCP) relay agent features on the switch. Use the no form of this command to disable DHCP relay agent features.

ip dhcp relay

no ip dhcp relay

Syntax None

Default Disabled

Command Mode Global configuration

Usage Guideline

Use this command to enable DHCP relay function. The DHCP relay function is disabled by default.

Example Enable DHCP relay function:

Switch > enable
Switch# configure terminal
Switch(config)# ip dhcp relay 

Verify the settings by entering the show ip dhcp relay command.

ip dhcp relay address

Use this command to specify the DHCP relay server IP address. Use the no form of the command to delete a DHCP server. When using the no form of the command if no IP address is specified, all DHCP servers will be deleted.

ip dhcp relay address IP-ADDRESS

no ip dhcp relay address [IP-ADDRESS]

Syntax Description

IP-ADDRESS DHCP server IP address

Default None

Command Mode VLAN Interface configuration

Usage Guideline

Use this command to specify the DHCP server IP address. The DHCP request packets received by the device will be relayed to the specified DHCP servers.

Only VLAN interfaces are valid interfaces for this command.

Multiple DHCP server addresses can be specified on the same IP interface.

The specified DHCP servers are only effective when the interface is an IP interface.

For layer 2 devices, the DHCP servers need to be specified on the system IP interface. All the DHCP request packets received by a device will be relayed to these DHCP servers.

For layer 3 devices, all the DHCP request packets received by the IP interfaces will be relayed to the DHCP servers configured on this interface. If there are no DHCP servers configured on an IP interface, then the DHCP request packets will not be relayed. DHCP request packets received by the non-IP interfaces, will be relayed to the first IP interface that has DHCP servers configured.

Example

Enable DHCP relay function and set interface VLAN 100 with DHCP server ip address 10.1.1.1, the DHCP packet received on VLAN 100 will relay to DHCP server 10.1.1.1:

Switch# configure terminal
Switch(config)# interface vlan100
Switch(config-if)# ip dhcp relay address 10.1.1.1 

Verify the settings by entering the show ip dhcp relay command.

ip dhcp relay hops

Use this command to configure the maximum number of relay hops that the DHCP packets can traverse.

ip dhcp relay hops HOP-COUNT

Default 4

Command Mode Global configuration

Usage Guideline Use this command to specify the maximum number of relay hops that the DHCP packets can traverse.

Example This example shows how to set maximum number of router hops 5:

Switch# configure terminal
Switch(config)#ip dhcp relay hops 5 

Verify the settings by entering the show ip dhcp relay command.

ip dhcp relay information check

Use this command to configure the DHCP relay agent to validate the relay agent information option in the received DHCP reply packet.

ip dhcp relay information check

no ip dhcp relay information check

Syntax None

Default Enabled

Command Mode Global configuration

Usage Guideline

When this check for the reply packet is enabled, the device will check that the option-82 field in DHCP reply packets it receives from the DHCP server is valid. If an invalid message is received, the relay agent drops it. If a valid message is received, the relay agent removes the option-82 field and forwards the packet.

If the check is disabled, a packet with an invalid option-82 field will be directly forwarded.

Example

Enabled DHCP relay agent check for the reply packet.

Switch# configure terminal
Switch(config)# ip dhcp relay information check 

Verify the settings by entering the show ip dhcp relay command.

ip dhcp relay information option

Use this command to enable the insertion of the relay agent information option (option 82). Use the no form of the command to disable this function.

ip dhcp relay information option

no ip dhcp relay information option

Syntax None

Default Disabled

Command Mode Global configuration

Usage Guideline

Use this command to enable insertion of DHCP option 82.

When the DHCP 82 option is enabled, a DHCP packet received from a client will have the option 82 field inserted before being relayed to the server. The DHCP option 82 contains 2 suboptions: circuit ID and remote ID sub-options.

If the switch is standalone then the module field, within the circuit ID suboption, is always set to zero. The following describes the format of the Circuit and Remote ID suboption formats:

Circuit ID suboption format:

4

VLAN ID - The incoming VLAN ID of DHCP client packet.

Module # - For a standalone switch, Module # is always 0; For a stackable switch, Module is Unit ID.

Port # - The receiving port number of DHCP client packet, port number starts from 1.

Remote ID suboption format:

MAC address: the switch's system MAC address.

Example This example shows how to enable insertion of the option-82 field during the relay of DHCP request packets.

Switch# configure terminal
Switch(config)# ip dhcp relay information option 

Verify the settings by entering the show ip dhcp relay command.

ip dhcp relay information policy

Use this command to configure the information re-forwarding policy for the DHCP relay agent.

ip dhcp relay information policy {drop | keep | replace}

Default replace

Command Mode Global configuration

Switch# configure terminal
Switch(config)# ip dhcp relay information policy drop 

Verify the settings by entering the show ip dhcp relay command.

ip dhcp relay information trust-all

Use this global command to direct the DHCP relay agent to accept the packets with giaddr==0 (this relay agent is the first relay of this DHCP request packet) and the relay agent information option already present in the packet. Use the no form of the command to specify to drop these DHCP request packets.

ip dhcp relay information trust-all

no ip dhcp relay information trust-all

Syntax None

Default The interface default is un-trusted.

Command Mode Global configuration

Usage Guideline

When the IP DHCP relay information is trusted, and the gateway address in the DHCP request packet is set to all zeros, but the relay agent information option is present in the packet, then the DHCP relay agent will accept the packet.

When the packet is not trusted, then it will be discarded.

This command is under global configuration; it will enable/disable all existing VLANs' DHCP Relay Agent trusted relay agent information. However, the command takes effect only in the running configuration and is not kept in NVRAM for the next boot cycle using the startup configuration.

To configure a specific interface's trust status, use the ip dhcp relay information trusted interface command.

Example

This command shows how to enable all interfaces with the DHCP relay agent set to accept the packets with giaddr==0 and the relay agent information option already present in the packet.

Switch# configure
Switch(config)# ip dhcp relay information trust-all
Swtch(config)# 

Verify the settings by entering the show ip dhcp relay information trusted-sources command

ip dhcp relay information trusted

Use this interface command to direct the DHCP relay agent to accept the packets with giaddr==0 (this relay agent is the first relay of this DHCP request packet) and relay agent information option is already present in the packet. Use the no form of the command to configure to drop these DHCP request packet.

ip dhcp relay information trusted

no ip dhcp relay information trusted

Syntax None

Default The interface default is un-trusted.

Command Mode VLAN interface configuration

Usage Guideline

When IP DHCP relay information is trusted, if the gateway address in the DHCP request packet is set to all zeros but the relay agent information option is already present in the packet, the DHCP relay agent will accept the packet.

If it is un-trusted, then the packet will be discarded.

Example

This example shows how to enabled interface vlan100's DHCP relay agent to accept the packets with giaddr==0 and relay agent information option is already present in the packet.

Switch# configure
Switch# interface vlan100
Switch(config-if)# ip dhcp relay information trusted
Swtich(config-if)# end 

Verify the settings by entering the show ip dhcp relay information trusted-sources command.

ip dvmrp

Use this command to enable DVMRP on the current interface. Use the no form to disable DVMRP on the interface.

ip dvmrp

no ip dvmrp

Syntax None

Default Disabled

Command Mode VLAN interface configuration

Usage Guideline This command is only valid for the VLAN interface.

The VLAN interface will have DVMRP protocol enabled (or disabled).

Before enabling DVMRP function on an interface, it is necessary to enable IP multicast routing with the ip multicast-routing command in global configuration mode.

Only one multicast routing protocol can be enabled on an interface, make sure no other multicast routing protocol is configured before DVMRP is enabled. If another protocol is enabled, an error message is displayed.

Example This example shows how to enable the DVMRP protocol on the interface VLAN 1.

Switch(config)# interface vlan1
Switch(config-if)# ip dvmrp

Verify the settings by the show ip dvmrp interface command.

ip dvmrp metric

Use this command to configure the metric value on the current interface.

ip dvmrp metric METRIC

Default 1

Command Mode VLAN interface configuration

Usage Guideline This command is only valid for the VLAN interface.

For each source network reported, a route metric is associated with the route being reported. The metric is the sum of the interface metrics between the router originating the report and the source network. DVMRP uses the infinite or unreachable metric which is defined to be 32. This limits the breadth across the entire DVMRP network and is necessary to place an upper boundary on the convergence time of the protocol.

By default, a metric value of 1 is associated with each DVMRP route. Use the command to modify the metric value.

Example This example shows how to change the metric value to 2 of an interface.

Switch(config)# interface vlan1
Switch(config-if)# ip dvmrp metric 2 

Verfiy the settings by the show ip dvmrp interface command.

ip http server

Use this command to enable HTTP server. Use the no form of the command to disable HTTP server function.

ip http server

no ip http server

Syntax None

Default HTTP interface is enabled.

Command Mode Global configuration

Usage Guideline This command enables HTTP server function.

Example This example will disable the http server

Switch(config)# no ip http server

Verify the settings by entering the show system protocol-state command.

ip http service-port

Use this command to specify the HTTP service port. And use the default command to return the service port to 80.

ip http service-port TCP-PORT

default ip http service-port

Syntax Description

TCP-PORT TCP port number. TCP ports are numbered between 1 and 65535. The "well-known" TCP port for the HTTP protocol is 80.

Default Port 80

Command Mode Global configuration

Usage Guideline This command configures the TCP port number for HTTP.

Example This example set HTTP TCP port number to 100

Switch(config)# ip http service-port 100

Verify the settings by entering the show system protocol-state command.

ip igmp access-group

Using the ip igmp access-group command in interface configuration restricts a subnet's hosts to join only multicast groups that are permitted by an IP basic access list. It also can be used to restrict hosts (receivers) on a subnet to membership of only the (S,G) channels that are permitted by an IP basic access list. To disable the restrictions, use the no form of this command.

ip igmp access-group IP-ACL

no ip igmp access-group

Default No access group is set.

Command Mode VLAN interface configuration

Switch#configure terminal
Switch(config)# ip access-list igmp_filter
Switch(config-ip-acl)#permit any 226.1.1.1 255.255.255.255
Switch(config-ip-acl)# exit
Switch(config)# interface vlan1000
Switch(config-if)# ip igmp access-group igmp_filter
Switch(config-if)# end 

Verfiy the settings by entering the show ip igmp interface command.

ip igmp last-member-query-interval

Use this command to configure the interval at which the router sends IGMP group-specific or group-source-specific (with IGMP Version 3) query messages. The command sets the timer value for both IGMP L3 queries and IGMP snooping.

ip igmp last-member-query-interval MILLISECONDS

Default 1000 milliseconds

Command Mode VLAN interface configuration

Usage Guideline

When an IGMP querier receives a leave packet, it will send a group specific query or group source specific query. The leave timer starts once the IGMP querier receives a leave packet from an interface. If the interface does not receive the report packet before the leave timer expires, then the interface's membership will be removed from the group or channel that is to be leaved. The value of the leave timer is the value of the last-member-query-interval * the last-member-query-count.

The IGMP last-member-query-interval will be carried within IGMP group-specific queries or group-source-specific (with IGMP Version 3) query messages.

The last-member-query-count will have the same value as the robustness-variable.

When IGMP is disabled but IGMP snooping is enabled at the interface, then the IGMP last-member-query-interval value set with this command is used for IGMP snooping. If the command “ip igmp snooping immediate-leave” on page 197 is enabled, then this timer value is ignored and the interface's group or channel membership, identified in the leave request from the host, will be immediately removed from the IGMP snooping membership table.

Example

This example shows how to configure IGMP last member query interval value. It configures IGMP last member query interval value to 2 seconds on interface VLAN 1000.

Switch#configure terminal
Switch(config)# interface vlan1000
Switch(config-if)# ip igmp last-member-query-interval 2000
Switch(config-if)# end 

Verify the settings by entering the show ip igmp interface command.

ip igmp query-interval

Use this command to configure the interval at which the router sends IGMP general-query messages periodically.

ip igmp query-interval SECONDS

Syntax Description

SECONDS Configure the frequency at which the designated router sends IGMP general-query messages.

By default, the designated router sends IGMP general-query messages every 125 seconds to keep the IGMP overhead very low on the hosts and networks.

The range is 1 to 31744.

Default 125 seconds

Command Mode VLAN interface configuration

Usage Guideline

This command is for use on the VLAN interface only. Use this Interface configuration command for modifying IGMP Group Member Query Interval on an interface.

The IGMP querier sends IGMP membership query messages at the interval specified by the ip igmp query-interval command to discover which multicast groups have members on the attached networks of the router. Hosts respond with IGMP report messages indicating that they want to receive multicast packets for specific groups (that is, indicating that the host wants to become a member of the group). IGMP query messages are addressed to the all-hosts multicast group, which has the address 224.0.0.1, and has an IP time-to-live (TTL) value of 1.

The igmp query-interval is also used for igmp snooping as IGMP is disabled but igmp snooping is enabled at the interface.

Example

This example shows how to configure the IGMP query interval to 300 seconds on interface VLAN 1000.

Switch# configure terminal
Switch(config)# interface vlan1000
Switch(config-if)# ip igmp query-interval 300
Switch(config-if)# end

Verify the settings by entering the show ip igmp interface command.

ip igmp query-max-response-time

Use this command to configure the maximum response time advertised in IGMP queries.

ip igmp query-max-response-time SECONDS

Syntax Description

SECONDS Set the maximum response time, in seconds, advertised in IGMP queries. The range is 1 to 25.

Default 10 seconds

Command Mode VLAN interface configuration

Usage Guideline

This command controls the period during which the group member can respond to an IGMP query message before the router deletes the membership.

This command applies to interfaces configured for both IGMP Layer-3 multicast protocols and IGMP Snooping (L2 mode and the interface function as a querier). The group membership interval is equal to query-interval* robustness + max response time.

Example This example shows how to configure IGMP max query response time to 10 seconds on VLAN 1000.

Switch# configure terminal
Switch(config)# interface vlan1000
Switch(config-if)# ip igmp query-max-response-time 10
Switch(config-if)# end 

Verify the settings by entering the show ip igmp interface command.

ip igmp robustness-variable

Use this command to tune for the expected packet loss on a network, i.e. the Robustness Variable of IGMP.

ip igmp robustness-variable VALUE

Syntax Description

VALUE Provides fine-tuning to allow for expected packet loss on a subnet. The value of the robustness variable is used in calculating the following IGMP message intervals:

• Group membership interval - Amount of time that must pass before a multicast router decides there are no more members of a group on a network. This interval is calculated as follows: (robustness variable * query interval) + (1 * query response interval).
• Other querier present interval - Amount of time that must pass before a multicast router decides that there is no longer another multicast router that is the querier. This interval is calculated as follows: (robustness variable * query interval) + (0.5 * query response interval).
• Last member query count - Number of group-specific queries or group-source-specific (with IGMP Version 3) query messages sent before the router assumes there are no local members of a group. The default number is the value of the robustness variable.

The robustness variable range is from 1 to 7.

Default VALUE: 2

Command Mode VLAN Interface configuration

Usage Guideline

This command is valid for the VLAN interface only. Use this command to modify the IGMP Robustness Variable on an interface.

The IGMP Robustness Variable determines the number of general queries that IGMP sends before aging out a multicast address when there is no IGMP report response. In other words, this variable is also used as "last member query count". The group membership interval is equal to query-interval* robustness + max response time.

The larger the Robustness Variable is set, the higher IGMP protocol packet loss is acceptable. IGMP can recover from robustness variable minus 1 lost IGMP packet.

Example

This example shows how to configure IGMP Robustness Variable value. It configures IGMP Robustness Variable value to 5 on interface VLAN 1000.

Switch# configure terminal
Switch(config)# interface vlan1000
Switch(config-if)# ip igmp robustness-variable 5
Switch(config-if)# end 

Verify the settings by entering the show ip igmp interface command.

ip igmp snooping

Use this command to enable IGMP Snooping function on the switch. Use the no form of this command to disable IGMP Snooping function.

ip igmp snooping

no ip igmp snooping

Syntax None

Default IGMP snooping is disabled on all VLAN interfaces

The IGMP snooping global state is disabled by default. The global function control is not stored in NVRAM.

Command Mode VLAN interface configuration or Global configuration

Usage Guideline

Under interface configuration for an interface, the corresponding VLAN must first be created.

When the user executes the command under global configuration, it will enable/disable all existing VLAN IGMP snooping function. However the command takes effect only in the running configuration and it will not be kept in NVRAM for the next start up configuration. For a VLAN interface, the command can be kept in NVRAM for the next startup system configuration mode.

To disable IGMP snooping on a VLAN interface, use the no ip igmp snooping under VLAN interface configuration mode.

Under global configuration mode, the command has a one time use limit. The command will, in that mode, enable IGMP snooping functions for all existing VLANs. Similarly, no ip igmp snooping will disable IGMP snooping function for all of the existing VLANs.

As a VLAN is deleted, the related IGMP snooping setting for the VLAN is also removed from system configuration.

Examples

This example shows how to globally enable IGMP Snooping for all existing VLANs.

Switch(config)# ip igmp snooping
Switch(config)# end
Switch# 

This example shows how to enable IGMP Snooping on VLAN1

Switch(config)# interface vlan1
Switch(config-if)# ip igmp snooping
Switch(config-if)# end
Switch#

Verfiy the settings by entering the show ip igmp snooping command.

ip igmp snooping (multicast router)

Use this command to configure the specified interface(s) as multicast router ports, or forbidden to be multicast router ports on the switch. Use the no form of this command to remove the interface(s) from multicast router ports, or forbidden multicast router ports.

ip igmp snooping { mrouter-designate | mrouter-not-allowed } interface INTERFACE-ID [, | - ]

no ip igmp snooping { mrouter-designate | mrouter-not-allowed } interface INTERFACE-ID [, | - ]

Default No IGMP snooping multicast router port is configured.

Command Mode VLAN interface configuration

Usage Guideline

The valid interface can be a physical port or a port-channel for the INTERFACE-ID parameter.

The router member port can be either dynamically learned or statically configured into an IGMP snooping entity. With dynamic learning, the IGMP snooping entity will listen to IGMP, PIM, and DVMRP packet to identify whether the partner device is a multicast router.

To add a multicast router port statically, use the ip igmp snooping mrouter-designate configuration. On the opposite side, it is also possible to use ip igmp snooping mrouter-not-allowed to configure those ports that cannot become multicast router ports even the port has received IP multicast control protocol message.

The member port of a port channel can not be enabled with the ip igmp snooping {mrouter-designate | mrouter-not-allowed} command, an error message is displayed if the designated port is ineligible.

Examples This example shows how to add a multicast router port on vlan1.

Switch# configure terminal
Switch(config)# interface vlan1
Switch(config-if)# ip igmp snooping mrouter-designate interface eth3.1
Switch(config-if)# exit
Switch(config)# 

Verfiy the settings by entering the show ip igmp snooping mrouter command.

This example displays a configuration error, eth3.1 (on vlan4) is not eligible to be designated as a multicast router interface for VLAN 5.

Switch(config)# interface vlan5
Switch(config-if)# ip igmp snooping mrouter-designate interface eth3.1
Error: eth3.1 is not vlan5 member
Switch(config-if)#exit
Switch(config)# 

This example displays an error, the system is not allowing the configuraiton because the VLAN interface is not eligible to be designated as a multicast router interface.

Switch(config)# interface vlan4
Switch(config-if)# ip igmp snooping mrouter-designate interface vlan5
% Interface type not support vlan5
Switch(config-if)# exit
Switch(config)# 

Verfiy the settings by entering the show ip igmp snooping mrouter command.

ip igmp snooping immediate-leave

Use this command to configure the IGMP Snooping immediate-leave function on VLAN interfaces. Use no ip igmp snooping immediate-leave to disable the immediate-leave function on the specified VLAN.

ip igmp snooping immediate-leave

no ip igmp snooping immediate-leave

Syntax None

Default Disabled

Command Mode VLAN Interface configuration

Usage Guideline

The ip igmp snooping immediate-leave command allows IGMP Snooping membership of an interface to be removed immediately without any further confirmation mechanism (such as time out) when the interface receives an IGMP leave message from the IGMP client.

Example

This example shows how to enable IGMP Snooping immediate-leave on VLAN 1.

Switch# configure terminal
Switch(config)# interface vlan1
Switch(config-if)#ip igmp snooping immediate-leave
Switch(config-if)# end 

Verfiy the settings by entering the show ip igmp snooping command.

ip igmp snooping querier

Use this command to enable the IGMP Snooping query function in Layer 2 networks. Use the no form of this command to disable the function of the IGMP Snooping Querier.

ip igmp snooping querier

no ip igmp snooping querier

Syntax None

Default Disabled

Command Mode VLAN Interface configuration

Usage Guideline

The system can work as the querier role when the querier for an IGMP snooping domain is enabled. If the system receives query packets from other routers, the IP address of the system and the IP address of the other routers is used to determine the final querier. The routers (network devices) with lower IP addresses become the querier.

The querier sends a general query at the interval specified by query-interval. Upon receiving the general query, the IGMP client (or host) needs to respond to the query packet in order to express that it remains in the specified group. The maximum response time instructs the client to report within the time period specified.

If the IGMP snooping entity does not receive a report from a client for a specific group after a specific time period, the port is removed from the member port list of the specific group. This specific time period is referred to as the group membership interval. The group membership interval is equal to query-interval* robustness variable + max response time.

The timeout period for a querier (other querier present interval) is query-interval * robustness variable + 1/2 max response time. The time-out period for learning of a router port is the same value as for the other querier present interval.

The query-interval value can be changed using the ip igmp query-interval command (defined in IGMP command document).

As IGMP is enabled on the specified VLAN of the switch, the IGMP snooping querier is suspended at the VLAN as if it were disabled, because of IGMP.

Example This example shows how to enable IGMP Snooping querier state on VLAN 1.

Switch> configure terminal
Switch(config)# interface vlan1
Switch(config-if)#ip igmp snooping querier
Switch(config-if)# end
Switch# 

Verfiy the settings by entering the show ip igmp snooping command.

ip igmp snooping static-group

Use this command to configure an IGMP snooping static group.

Use the no form of this command to delete an IGMP snooping static group.

ip igmp snooping static-group IP-ADDRESS [ source IP-ADDRESS] interface INTERFACE-ID [,|-]

no ip igmp snooping static-group [IP-ADDRESS [source IP-ADDRESS]

[ interface INTERFACE-ID [, | - ] ]]

Default No static-group

Command Mode VLAN interface configuration

Switch# configure terminal
Switch(config)# interface vlan1
Switch(config-if)# ip igmp snooping static-group 226.1.2.3 interface eth3.5
Switch(config-if)# exit
Switch(config)#interface vlan1
Switch(config-if)#ip igmp snooping static-group 226.1.2.6 source 10.1.2.3 interface eth3.5 

Verify the settings by entering the show ip igmp snooping group command.

ip igmp version

Use this command to change the IGMP version on the specified interface.

ip igmp version {1|2|3}

Syntax Description

Default 3

Command Mode VLAN interface configuration

Usage Guideline

If the IGMP interface version is configured to a lower version, then the higher version IGMP Report/Leave messages are ignored.

This version will apply to both IGMP and IGMP snooping operation.

Example

This example shows how to configure IGMP version. It configures the IGMP version to 3.

Switch# configure terminal
Switch(config)# interface vlan1000
Switch(config-if)# ip igmp version 3
Switch(config-if)# end

Verify the settings by entering the show ip igmp interface command.

ip mroute

Use this command to create a multicast static route (mroute).

Use the no form of this command to delete the route.

ip mroute SOURCE-NETWORK{ RPF-ADDRESS | Null } [ DISTANCE ]

no ip mroute SOURCE-NETWORK

Default DISTANCE: 0

Command Mode Global configuration

Usage Guideline This command statically configures where multicast sources are located even when the unicast routing table shows something different. If the RPF-ADDRESS is a PIM neighbor, PIM join, graft, and prune messages are sent to it.

Examples The following example configures the multicast data source within network 192.168.6.0/24 to be accessible with the neighbor router 10.1.1.1.

Switch(config)#ip mroute 192.168.6.0/24 10.1.1.1

The following example configures the multicast data source within network 192.168.7.0/24 to be accessible with the neighbor router 10.1.1.1 and with the distance value of 100.

Switch(config)#ip mroute 192.168.7.0/24 10.1.1.1 100

The following example configures the multicast data source within a network number 192.168.8.0/24 to be discarded.

Switch(config)#ip mroute 192.168.8.0/24 null

The following example removes a previously configured ip mroute entry of 192.168.8.0/24.

Switch(config)#no ip mroute 192.168.8.0/24

Verify the settings using the show running-config command.

ip mtu

Use this command to set the MTU value in TCP/IP stack. Use the default form to restore to the default ip mtu size.

ip mtu BYTES

default ip mtu

Syntax Description

BYTES Set the IP MTU value in TCP/IP stack. The range is 1280 to 9692 bytes.

Default 1500 bytes

Command Mode VLAN interface configuration

Usage Guideline

IP packets sent by the device will be fragmented based on this value.

Some routing protocols, such as OSPF, will use this value to advertise routing updates.

Examples This example shows how to set ip mtu as 6000 bytes at vlan 4.

Switch# configure terminal
Switch(config)# interface vlan4
Switch(config-if) ip mtu 6000
Switch(config-if)# end

This example shows how to restore the default ip mtu.

Switch# configure terminal
Swtich(config)# interface vlan4
Switch(config-if)# default ip mtu
Switch(config-if)# end 

Verify the settings by entering the show interface command.

ip mtu (management port)

Use this command to set the IP layer maximum transfer unit of the Management Port. Use no form command to reset to the default ip mtu.

ip mtu BYTES

no ip mtu

Syntax Description

BYTES The maximum transfer unit in bytes. The range is 1500 to 9180 bytes.

Default 1500 bytes

Command Mode Management interface configuration

Usage Guideline IP packets sent by the device will be fragmented based on this value.

Example This example shows how to set the ip mtu of the Management Port to 1600 bytes.

Switch#configure terminal
Switch(config)#mgmt-if
Switch(mgmt-if)#ip mtu 1600
Switch(mgmt-if)#end 

Verify the settings by entering the show mgmt-if command

ip multicast-routing

Use this command to enable IP multicast routing. Use the no form of this command to disable IP Multicast routing.

ip multicast-routing

no ip multicast-routing

Syntax None

Default Disabled

Command Mode Global configuration

Usage Guideline If the no ip multicast-routing command is used, the device stops routing multicast packets even when the protocols are enabled.

Example This example shows how to enable IP multicast routing.

Switch(config)# ip multicast-routing

Verify the settings by the show system protocol-state command.

ip ospf authentication

Use this command to send and receive OSPF packets with the specified authentication method. Use the no form of this command to disable the authentication.

ip ospf authentication [ message-digest ]

no ip ospf authentication

Syntax Description

message-digest (Optional) Use the message digest authentication.

Default No authentication

Command Mode Interface configuration

Usage Guideline

The authentication mode can be: no-authentication, use authentication key for authentication, or use message-digest key for authentication.

When it is specified to use the authentication key but the key is not configured, then null key will be used.

When it is specified to use the message digest but the digest key is not configured, then the null key will be used.

Example In the following example shows how to enable message authentication on interface VLAN 1.

Switch# configure terminal
Switch(config)# interface vlan1
Switch(config-if)# ip ospf message-digest-key 10 md5 yourpass
Switch(config-if)# ip ospf authentication message-digest 

Verify the settings by entering the show ip ospf interface command.

ip ospf authentication-key

Use this command to specify an OSPF authentication password for the neighboring routers. Use the no form of this command to remove an OSPF authentication password.

ip ospf authentication-key PASSWORD

no ip ospf authentication-key

Syntax Description

Default None

Command Mode Interface configuration

Usage Guideline

This command creates a password (key) that is inserted into the OSPF header when the router originates routing protocol packets. Assign a separate password to each network for different interfaces. All neighboring routers on the same network with the same password exchange OSPF routing data.

Use the ip ospf authentication command to enable authentication. Simple password authentication allows a password to be configured for each interface. Configure the routers in the same routing domain with the same password.

Example

In the following example, an authentication key test is created on interface VLAN 1 in area 0. Note that first authentication is enabled for area 0.

Switch# configure terminal
Switch(config)# interface vlan1
Switch(config-if)# ip ospf authentication-key test
Switch(config-if)# ip ospf authentication 

Verify the settings by entering the show ip ospf interface command

ip ospf cost

Use this command to explicitly specify the cost of sending a packet on an interface. Use the no form of the command to remove the assignment.

ip ospf cost COST

no ip ospf cost

Syntax Description

COST Specifies the value of the link-state metric. The range is 1 to 65535.

Default Cost is not configured

Command Mode Interface configuration

Usage Guideline

The interface cost indicates the overhead required to send packets across a certain interface. This cost is advertised as the link cost in the router link advertisement. The cost is inversely proportional to the bandwidth of an interface. The cost can be either manually assigned or be automatically determined.

By default, the cost of an interface is calculated based on the bandwidth (10E8 / bandwidth); use the ip ospf cost command to set the cost manually.

If the cost is explicitly assigned, the assigned cost will override the auto-determined cost. Otherwise, the auto-determined cost will be adopted.

Example

The following example shows sets the interface cost value to 10 on interface VLAN 1.

Switch# configure terminal
Switch(config)# interface vlan1
Switch(config-if)# ip ospf cost 10 

Verify the settings by entering the show ip ospf interface command.

ip ospf dead-interval

Use this command to set the interval during which no hello packets are received and after which a neighbor is declared dead. The no form of this command will reset the dead-interval to the default value.

ip ospf dead-interval SECONDS

no ospf dead-interval

Syntax Description

SECONDS Specifies the interval in seconds. The range is 1 to 65535.

Default 40 seconds

Command Mode Interface configuration

Usage Guideline

The dead-interval is the amount of time that the router waits to receive an OSPF hello packet from a neighbor before declaring the neighbor down.

This value is advertised in the router's hello packets. It must be the same for all routers on a specific network.

Specifying a smaller dead interval in seconds will give faster detection of a neighbor being down and improve convergence, but it may cause additional routing instability.

Example

The following example shows configuring dead-interval to 10 seconds on VLAN 1 interface.

Switch# configure terminal
Switch(config)# interface vlan1
Switch(config-if)# ip ospf dead-interval 10 

Verify the settings by entering the show ip ospf interface command.

ip ospf hello-interval

Use this command to specify the interval between hello packets. The no-form of this command will reset the hello-interval to the default value.

ip ospf hello-interval SECONDS

no ip ospf hello-interval

Syntax Description

SECONDS Specifies the interval in seconds. The range is 1 to 65535.

Default 10 seconds

Command Mode Interface configuration

Usage Guideline

The hello-interval is advertised in the hello packets. Configure the same hello-interval for all routers on a specific network. A shorter hello interval ensures faster detection of topological changes but results in more routing traffic.

When configuring the hello-interval, if the hello-interval*4<=65535, then the dead-interval will be automatically updated to hello-interval*4.

Example

The following example shows setting the hello-interval to 3 seconds on interface VLAN 1.

Switch# configure terminal
Switch(config)# interface vlan1
Switch(config-if)# ip ospf hello-interval 3 

Verify the settings by entering the show ip ospf interface command.

ip ospf message-digest-key

Use this command to register an MD5 key for OSPF MD5 authentication.

Use the no form of this command to remove an MD5 key.

ip ospf message-digest-key KEY-ID md5 KEY

no ip ospf message-digest-key KEY-ID

Syntax Description

KEY-ID Specifies a value for key identifier. The range is 1 to 255.

KEY Specifies the OSPF password. The syntax is a general string, 1-16 characters with no spaces.

Default None

Command Mode Interface configuration

Usage Guideline

Message Digest Authentication is a cryptographic authentication. A key (password) and key-id are configured on each router. The router uses an algorithm based on the OSPF packet, the key, and the KEY-ID to generate a message digest that gets appended to the packet. Use this command for uninterrupted transitions between passwords. This is helpful for administrators who want to change the OSPF password without disrupting communication. The system begins a rollover process until all the neighbors have adopted the new password. This allows neighboring routers to continue communication while the network administrator is updating them with a new password. The router will stop sending duplicate packets once it detects that all of its neighbors have adopted the new password.

Maintain only one password per interface, removing the old password whenever a new one is added. This prevents the local system from continuing to communicate with the system that is using the old password. Removing the old password also reduces overhead during rollover. All neighboring routers on the same network must have the same password value to enable exchange of OSPF routing data.

Example

The following example shows how to set a new key 10 with password yourpass on interface VLAN 1.

Switch# configure terminal
Switch(config)# interface vlan1
Switch(config-if)# ip ospf authentication message-digest
Switch(config-if)# ip ospf message-digest-key 10 md5 yourpass 

Verify the settings by entering the show ip ospf interface command.

ip ospf priority

Use this command to set the router priority to determine the designated router for the network. The no form of this command will reset the priority to the default value.

ip ospf priority PRIORITY

no ip ospf prority

Syntax Description

PRIORITY Specifies the priority of the router on the interface. The range is 0 to 255.

Default PRIORITY: 1

Command Mode Interface configuration

Usage Guideline

Set the priority to help determine the OSPF Designated Router (DR) for a network. If two routers attempt to become the DR, the router with the higher router priority becomes the DR. If the router priority is the same for two routers, the router with the higher router ID takes precedence.

Only routers with nonzero router priority values are eligible to become the designated or backup designated router. Configure router priority for multi-access networks (not point-to-point) only.

Example The following example shows setting the OSPF priority value to 3 on VLAN 1 interface.

Switch# configure terminal
Switch(config)# interface vlan1
Switch(config-if)# ip ospf priority 3 

Verfiy the settings by entering the show ip ospf interface command.

ip ospf retransmit-interval

Use this command to specify the time between link-state advertisement (LSA) retransmissions for adjacencies belonging to the interface. The no form of this command will reset the retransmit-interval to the default value.

ip ospf retransmit-interval SECONDS

no ip ospf retransmit-interval

Syntax Description

SECONDS Specifies the interval in seconds. The range is 1 to 65535.

Default 5 seconds

Command Mode Interface configuration

Usage Guideline

After sending an LSA to a neighbor, the router keeps the LSA until it receives an acknowledgement. In case the router does not receive an acknowledgement during the set time (the retransmit interval value) it retransmits the LSA. Set the retransmission interval value conservatively to avoid needless retransmission. The interval should be greater than the expected round-trip delay between two routers.

Example

The following example shows setting the ospf retransmit interval to 10 seconds on sVLAN 1 interface

Switch# configure terminal
Switch(config)# interface vlan1
Switch(config-if)# ip ospf retransmit interval 10 

Verfiy the settings by entering the show ip ospf interface command

ip ospf shutdown

To initiate a graceful shutdown of Open Shortest Path First (OSPF) protocol at interface level, use the ip ospf shutdown command in router configuration mode. To restart the OSPF protocol on an interface, use the no form of this command.

ip ospf shutdown [ IFNAME ]

no ip ospf shutdown [ IFNAME ]

Syntax Description

Default None

Command Mode Router configuration

Usage Guideline

Use the ip ospf shutdown command to place the OSPF protocol, on a specific interface, into shutdown mode.

If no interface is specified with this command, the entire protocol will shutdown in the least disruptive manner and notify its neighbors that it is not available.

Traffic that can follow another route through the network, will be directed to that alternate path.

Example
The following example shows how to initiate an OSPF protocol shutdown on the layer 3 interface (VLAN 1):

Switch(config)# router ospf
Switch(config-router)# ip ospf shutdown vlan1 

ip ospf transmit-delay

Use this command to set the estimated time it takes to transmit a link-state-update packet on the interface.

Use the no parameter with this command to return to the default value.

ip ospf transmit-delay SECONDS

no ip ospf transmit-delay

Syntax Description

SECONDS Specifies the interval in seconds. The range is 1 to 65535.

Default 1 second

Command Mode Interface configuration

Usage Guideline

The transmit delay value adds a specified time to the age field of an update. If the delay is not added, the time in which the LSA transmits over the link is not considered. This command is especially useful for low speed links. Remember to add transmission and propagation delays when setting the transmit delay value.

Example

The following example shows setting the OSPF transmit delay to 10 seconds on the VLAN 1 interface.

Switch# configure terminal
Switch(config)# interface vlan1
Switch(config-if)# ip ospf transmit delay 10 

Verify the settings by entering the show ip ospf interface command.

ip pim

Enable PIM on the interface for either sparse mode or dense mode operation. Use the no form of the command to disable the PIM function on the interface.

ip pim {sparse-mode | dense-mode}

no ip pim {sparse-mode | dense-mode}

Syntax Description

sparse-mode Enables sparse mode of operation.

dense-mode Enables dense mode of operation.

Default IP multicast routing is disabled on all interfaces.

Command Mode Interface configuration.

Usage Guideline This command is only valid for the VLAN interface.

Use this command to specify the PIM operating mode for an interface. The interface can be either operated in the sparse mode or the dense mode.

To switch the PIM operating mode please use no ip pim {sparse-mode | dense-mode} to disable PIM at first then set the new mode required. PIM needs to be disabled first since only one multicast routing protocol can be enabled on one interface. When the command ip pim dense-mode is issued, PIM dense mode will be configured on the interface. Therefore when the command ip pim sparse-mode is issued, attempting to execute sparse mode on the interface, the system will reply with an error message because PIM dense mode is already configured on that interface.

Enabling PIM on an interface also enables Internet Group Management Protocol (IGMP) operation on that interface.

Before the PIM function is enabled on an interface, enable IP multicast routing by issuing the command ip multicast-routing in global configuration mode.

Example This example shows how to enable PIM-SM protocol on a specified interface.

Switch(config)# interface vlan1
Switch(config-if)# ip pim sparse-mode 

Verify the settings by entering the show ip pim interface command.

ip pim accept-register

To configure a candidate rendezvous point (RP) router to filter PIM register messages, use the ip pim accept-register command in global configuration mode. To disable this function, use the no form of this command.

ip pim accept-register source-list ACCESS-LIST-NAME

no ip pim accept-register

Syntax Description

source-list ACCESS- Specifies the name of the basic IP access list name. LIST-NAME

Default Disabled

Command Mode Global configuration

Usage Guideline This command can be only specified once. The later applied command will override the previous setting. Use this command to prevent unauthorized sources from registering with the RP. If an unauthorized source sends a register message to the RP, the RP will immediately send back a register-stop message.

Example The following example shows how to restrict the RP from allowing sources in the Source Specific Multicast (SSM) range of addresses to register with the RP. These statements need to be configured only on the RP.

Switch# configure terminal
Switch(config)# ip access-list Summer-Movie
Switch(config-ip-acl)# deny any 232.0.0.0 255.0.0.0
Switch(config-ip-acl)# permit any any
Switch(config-ip-acl)# exit
Switch(config)# ip pim accept-register source-list Summer-Movie 

Verify the settings by the show ip pim command.

ip pim bsr-candidate

Use this command to configure the router to advertise itself as a candidate bootstrap router (BSR). Use the no form of this command to remove this router as a candidate for being a BSR.

ip pim bsr-candidate INTERFACE-ID [HASH-MASK-LENGTH] [PRIORITY]

no ip pim bsr-candidate

Default The router is not a BSR candidate.

HASH-MASK-LENGTH: 30

Priority : 64.

Command Mode Global configuration

Usage Guideline This command is valid in the SM mode

This command causes the router to send bootstrap messages to all its PIM neighbors, with the address of the designated interface as the BSR address.

The following 2 conditions will cause BSR changes:

(1) Bootstrap Timer Expires
(2) Receive Preferred BSM.

In condition (1), the router is a Candidate-BSR, it will start to originate Bootstrap messages and perform the BSR election. For condition (2), the router will store the RP-Set from the preferred BSR.

Functionality of hash-mask is defined in RFC4601 4.7.2. The hash function is used by all routers within a domain, to map a group to one of the RPs from the matching set of group-range-to-RP mappings (all of this set has the same longest mask length and the same highest priority). The algorithm takes as input the group address, and the addresses of the candidate RPs from the mappings, and gives as output, one RP address to be used.

Example

The following example shows how to configure the IP address of the router on VLAN 1 to be a candidate BSR with hash-mask length of 20 and priority of 192:

Switch(config)# ip pim bsr-candidate vlan1 20 192
Switch(config)# 

Verify the settings by using the show ip pim command.

ip pim dr-priority

Use this command to change the Designated Router Priority value inserted into the DR Priority option of the PIM Hello message. Use default command to return the setting to default.

ip pim dr-priority PRIORITY

default ip pim dr-priority

Syntax Description

PRIORITY The value of DR priority in the range of 0 to 4294967295. A larger value of this argument means a higher priority.

Default PRIORITY: 1

Command Mode VLAN interface configuration

Usage Guideline This command is only valid for the VLAN interface.

This command is only effective for the SM mode.

When a DR is a candidate for election, the following conditions apply:

• The router with the highest priority value configured on an interface will be elected as the DR. If this priority value is the same on multiple routers, then the router with the highest IP address configured on an interface will be elected as the DR.
• If a router does not advertise a priority value in its hello messages, the router is regarded as having the highest priority and will be elected as the DR. If there are multiple routers with this priority status, then the router with the highest IP address configured on an interface will be elected as the DR.

Example The following example sets the DR priority of the vlan 1 interface to 200.

Switch(config)# interface vlan1
Switch(config-if)# ip pim dr-priority 200 

Verify the settings by entering the show ip pim interface command.

ip pim join-prune-interval

Use this command to configure a Join/Prune interval value different from the default (60 seconds).

ip pim join-prune-interval SECONDS

Syntax Description

SECONDS The number of seconds that can be configured for the interval between Join/Prune messages. The range is 1 to 18000.

Default 60 seconds

Command Mode VLAN interface configuration

Usage Guideline This command is only valid for the VLAN interface.

This command is valid for SM only.

When configuring the Join/Prune interval, the user needs to consider the factors, such as configured bandwidth and expected average number of multicast route entries for the attached network or link (for example, the period would be longer for lower-speed links, or for routers in the center of the network that expect to have a larger number of entries).

For SM-mode, the router will periodically send the join message based on this interval. The hold-time in a Join/Prune message is 3.5 * join-prune-interval. The receiving router will start a timer based on this hold-time, and prune the interface if no join message is received on this interface.

Example

The following example changes the PIM Join/Prune timer to 120 seconds.

Switch(config)# interface vlan1
Switch(config-if)# ip pim join-prune-interval 120 

Verify the settings by entering the show ip pim interface command.

ip pim prune-limit-interval

Use this command to configure the time interval for the prune limit timer to limit the Pruning rate on a LAN.

ip pim prune-limit-interval SECONDS

Default 210 seconds

Command Mode VLAN interface configuration

Usage Guideline This command is only valid for the VLAN interface.

This command is valid for PIM-DM only.

This interval is used to configure prune-limit-timer which limits the Pruning rate on a LAN. It is only used when the Upstream(S,G) state machine is in the Pruned state. A Prune cannot be sent if this timer is running. This timer is normally set to default value 210 seconds.

Example The following example configures interface VLAN 1 with the PIM prune limit timer interval set to 120 seconds.

Switch(config)# interface vlan1
Switch(config-if)# ip pim prune-limit-interval 120 

Verify the settings by entering the show ip pim interface command.

ip pim query-interval

Use this command to configure the frequency of PIM hello message.

ip pim query-interval SECONDS

Syntax Description

SECONDS The number of seconds that can be configured for the interval between Hello messages. The range is 1 to 18000.

Default 30 seconds

Command Mode VLAN interface configuration

Usage Guideline This command is only valid for the VLAN interface.

This command is valid for both SM and DM.

A PIM router learns PIM neighbors via the hello message.

Routers configured for IP multicast send PIM hello messages to detect PIM routers. For SM, hello messages are also used to determine which router will be the designated router for each LAN segment.

If the router has interfaces operating in the SM mode, the designated router will send Registration messages to the rendezvous point (RP).

Example The following example changes the PIM hello interval to 45 seconds.

witch(config)# interface vlan1
Switch(config-if)# ip pim query-interval 45

Verify the settings by entering the show ip pim interface command.

ip pim register-checksum-include-data

Use this command to configure the option to calculate the Register checksum over the whole packet. Use the no form of this command to disable calculating the Register checksum over the whole packet.

ip pim register-checksum-include-data { group-list ACCESS-LIST-NAME}

no ip pim register-checksum-include-data

Syntax Description

Default Disabled

By default, the Register Checksum is calculated only over the header.

Command Mode Global configuration

Switch(config)# ip pim register-checksum-include-data

Verify the settings by using the show ip pim command.

ip pim register-suppression

Use this command to configure the register-suppression time.

ip pim register-suppression SECONDS

Syntax Description

SECONDS Register suppression time-out value in seconds. The range is 11 to 255.

Default 60 seconds

Command Mode Global configuration

Usage Guideline This command is valid for SM mode.

When a DR receives the register-stop message, it will start the suppression timer. During the suppression time a DR will stop sending Register-encapsulated data to the RP.

This timer should be configured on the designated router.

Note: the parameter Register Probe Time in RFC 4601 is fixed to 5 (not configurable). It is fixed to 5 because the value of the Register Probe Time must be less than half the value of the Register Suppression Time to prevent a possible negative value in the setting of the Register-Stop Timer. The minimal value for Register Suppression Time is 11.

Example

This example shows how to configure the register-suppression time to 30 seconds.

Switch(config)# ip pim register-suppression 30

Verify the settings by the show ip pim command.

ip pim rp-address

Use this command to statically configure the rendezvous point (RP) address for multicast groups. To remove an RP address, use the no form of this command.

ip pim rp-address IP-ADDRESS [group-list ACCESS-LIST-NAME] [override]

no ip pim rp-address IP-ADDRESS

Default None

Command Mode Global configuration

Usage Guideline This command is only valid for SM mode.

Use this command to statically define the RP address for multicast groups that are to operate in sparse mode.

A User can use a single RP for more than one group. The conditions specified by the access list determine which groups that the RP can use. A PIM router can define multiple RPs, but only one RP can be defined per multicast group.

To configure the static-RP function in the PIM SM domain, this command needs to be configured across all of the routers in the PIM domain.

Multiple RP addresses can be specified by the command. Only one access-list can be specified for an RP. The new setting overrides the old one.

Example The following example sets the PIM RP address to 10.90.90.90 for multicast group 225.2.2.2 only:

Switch(config)# ip access-list PIM-Control
Switch(config-ip-acl)# permit any host 225.2.2.2
Switch(config-ip-acl)# exit
Switch(config)# ip pim rp-address 10.90.90.90 group-list PIM-Control 

Verify the settings by using the show ip pim command.

ip pim rp-candidate

Use this command to configure the router as an RP candidate. Use the no form of this command to remove the router as a candidate RP.

ip pim rp-candidate INTERFACE-ID [ group-list ACCESS-LIST-NAME ] [interval SECONDS] [priority PRIORITY]

no ip pim rp-candidate [INTERFACE-ID]

Default The router is not an RP candidate by default.

interval: 60 seconds

priority: 192

Command Mode Global configuration

Usage Guideline This command is valid for SM mode.

Only one group access list can be specified for the command.

The command can be applied multiple times, each for a different interface.

This command causes the router to send a PIM Version 2 message advertising itself as a candidate RP to the BSR.

Use this command only in backbone routers that have good connectivity to all parts of the PIM domain. That is, a stub router that relies on an on-demand dialup link to connect to the rest of the PIM domain is not a good candidate RP.

Example The following example (on the next page) shows how to configure the router to advertise itself as a candidate RP to the BSR in its PIM domain. A basic IP access list, named PIM-Control, which specifies the group prefix (239.0.0.0/8), is

associated with the RP that has the address identified by VLAN interface 1 and with priority 3.

Switch(config)# ip access-list PIM-Control
Switch(config-ip-acl)# permit any 239.0.0.0 255.0.0.0
Switch(config-ip-acl)# exit
Switch(config)# ip pim rp-candidate vlan1 group-list PIM-Control priority 3 

Verify the settings by using the show ip pim command.

ip pim state-refresh origination-interval

Configure a PIM-DM State-Refresh origination interval different from the default value (60 seconds). The origination interval is the number of seconds between PIM-DM State Refresh control messages.

ip pim state-refresh origination-interval SECONDS

Syntax Description

SECONDS The number of seconds that can be configured for the interval between state-refresh messages. The range is 4 to 100.

Default 60 seconds

Command Mode Interface configuration

Usage Guideline This command is valid for the DM mode.

Configure this command on the first hop, PIM dense mode routers that are directly connected to sources for PIM-DM multicast groups.

The purpose of this message is to reduce overhead spent on the cycle in flooding and pruning of traffic. For each state-refresh origination interval, the first-hop router will initiate this message and send it to the down-stream hops. Thus, the down-stream routers can do an action similar to prune. On receiving this prune, the upstream will refresh the Prune timer, and thus not flood the traffic to the corresponding interfaces.

Example The following example sets the State Refresh Origination Interval to 100 seconds.

Switch(config)# interface vlan1
Switch(config-if)# ip pim state-refresh origination-interval 100

Verify the settings by entering the show ip pim interface command.

ip rip authentication key-chain

Use this command to enable authentication for RIP Version 2 packets and to specify the key that can be used on an interface. To prevent authentication, use the no form of this command.

ip rip authentication key-chain NAME-OF-KEY

no ip rip authentication key-chain

Syntax Description

NAME-OF-KEY Enables authentication and specifies the key that are valid.

Default No authentication is provided for RIP packets.

Command Mode Interface configuration

Usage Guideline

If no key is configured with the key-chain command, no authentication is performed on the interface.

This command also specifies that the interface will use the key chain for authentication.

Example

The following example configures a key chain named chain1. Key1 named "forkey1string" will be accepted from 1:30 p.m. to 3:30 p.m. and be sent from 2:00 p.m. to 3:00 p.m. Key3 named "forkey3string" will be accepted from 2:30 p.m. to 4:30 p.m. and be sent from 3:00 p.m. to 4:00 p.m.

Switch(config)# interface vlan1
Switch(config-if)# ip rip authentication key-chain chain1
Switch(config-if)# ip rip authentication mode text
Switch(config-if)# exit
Switch(config)# router rip
Switch(config-router)# network 172.19.0.0/8
Switch(config-router)# version 2
Switch(config-router)# exit
Switch(config)# key chain chain1
Switch(config-keychain)# key 1
Switch(config-keychain-key)# key-string forkey1string
Switch(config-keychain-key)# accept-lifetime 13:30:00 Jan 25 2009 duration 7200
Switch(config-keychain-key)# send-lifetime 14:00:00 Jan 25 2009 duration 3600
Switch(config-keychain-key)# exit
Switch(config-keychain)# key 3
Switch(config-keychain-key)# key-string forkey3string
Switch(config-keychain-key)# accept-lifetime 14:30:00 Jan 25 2009 duration 7200
Switch(config-keychain-key)# send-lifetime 15:00:00 Jan 25 2009 duration 3600
Switch(config-keychain-key)# exit 

Verify the settings by entering the show ip protocols rip command.

ip rip authentication mode

To configure the type of authentication used in Routing Information Protocol (RIP) Version 2 packets, use the ip rip authentication mode command in interface configuration mode. Use the no form of the command to disable the authentication function.

ip rip authentication mode { text | md5 }

no ip rip authentication mode

Syntax Description

Default Clear text authentication (text)

Command Mode Interface configuration

Switch(config)# interface vlan2
Switch(config-if)# ip rip authentication mode md5 

Verify the settings by entering the show ip rip interface command.

ip rip receive version

Use this command to specify a RIP version to receive on each interface. Use the no form of the command to let the version follow the setting specified in the router configuration mode.

ip rip receive version VERSION-ID [, | - ]

no ip rip receive version

Syntax Description

Default Global RIP version receive setting

Command Mode Interface configuration

Usage Guideline This command applies only to the interface being configured.

Examples

The following example shows how to configure interface (VLAN 1) to accept both RIP Version 1 and Version 2 packets:

Switch# configure terminal
Switch(config)# interface vlan1
Switch(config-if)# ip rip receive version 1-2
Switch(config-if)# end 

The following example shows how to configure the interface (VLAN 1) to only accept RIP Version 1 packets:

Switch# configure terminal
Switch(config)# interface vlan1
Switch(config-if)# ip rip receive version 1
Switch(config-if)# end 

Verify the settings by entering the show ip rip interface command.

ip rip send version

Use this command to specify a RIP version to send on an interface basis. Use the no form of the command to let the version following the setting specified in the router configuration mode.

ip rip send version VERSION-ID [, | - ]

no ip rip send version

Default Global RIP version transmitt setting

Command Mode Interface configuration

Usage Guideline This command applies only to the interface being configured.

Examples The following example shows how to configure the interface (VLAN 100) to send both RIP Version 1 and Version 2 packets:

Switch# configure terminal
Switch(config)# interface vlan100
Switch(config-if)# ip rip send version 1,2
Switch(config-if)# end

The following example shows how to configure the interface (VLAN 100) to send only RIP Version 2 packets:

Switch# configure terminal
Switch(config)# interface vlan100
Switch(config-if)# ip rip send version 2
Switch(config-if)# end

Verify the settings by entering the show ip rip interface command.

ip rip v2-broadcast

Use this command to allow Routing Information Protocol (RIP) Version 2 update packets to be sent as broadcast packets instead of multicast packets, Use the no form of the command to go back to multicast sending of the packet.

ip rip v2-broadcast

no ip rip v2-broadcast

Syntax None

Default Disabled

The RIPv2 update packets are to be sent as multicast packets.

Command Mode Interface configuration

Usage Guideline

Use the ip rip v2-broadcast command to broadcast RIP Version 2 broadcast updates to hosts that do not listen to multicast broadcasts. Version 2 updates (requests and responses) will be sent to the IP broadcast address (e.g. 10.70.89.255) instead of the IP multicast address 224.0.0.9.

In order to reduce unnecessary load on those hosts that are not listening to RIP Version 2 broadcasts, the system uses an IP multicast address for periodic broadcasts. The IP multicast address is 224.0.0.9.

This command applies only to the interface being configured.

Example

The following example shows how to configure the interface (VLAN 100) to broadcast Version 2 RIP packets:

Switch# configure terminal
Switch(config)# interface vlan100
Switch(config-if)# ip rip send version 2
Switch(config-if)# ip rip v2-broadcast
Switch(config-if)# end

Verify the settings by entering the show ip rip interface command.

ip route

Use ip route to add a static route entry. Use the no form of the command to remove a static route entry.

ip route {NETWORK-PREFIX NETWORK-MASK | NETWORK-PREFIX/PREFIX-LENGTH} IP-ADDRESS [distance DISTANCE]

no ip route {NETWORK-PREFIX NETWORK-MASK | NETWORK-PREFIX/PREFIX-LENGTH} [IP-ADDRESS]

Default No static routes are configured.

Command Mode Global configuration

Usage Guideline

When an administrative distance is specified, it flags a static route that can be overridden by dynamic information.

When the NETWORK -PREFIX is 0.0.0.0 and the NETWORK -MASK is 0, then the command will create a static default route.

The distances of routes are used in the following ways:

In single path mode, the route with the best distance will be the active route if multiple routes can reach the same destination. If multiple routes are equidistant, then one of them must be chosen as the active route.

For the single path mode, the route with the best distance and route type is selected as the primary, (active path) the other distances are available as backup paths. The active path is always considered the path with the best route type selected from the reachable paths with the best distance.

Examples This example shows how to add static default route entry with next-hop 10.1.1.254:

Switch(config)# ip route 0.0.0.0/0 10.1.1.254

Verify the settings by entering the show ip route command.

ip route multi-path

Use ip route multi-path to enable multiple paths for same route. Use the no form of the command to disable multiple paths.

ip route multi-path

no ip route multi-path

Syntax None Description

Default Enabled

Command Mode Global configuration

Usage Guideline If there are multiple routes with the same network-prefix co-existing, specify the route operation mode (multi-path or not) to select the routes that will be active.

For the no command, it disables the multiple path function. Only one of the multiple paths will be active.

Note: The active path may change from one path to the other under multiple paths mode, as long as the available route with a greater priority becomes reachable.

Examples This example shows how to enable multiple paths function.

Switch(config)# ip route multi-path 

This example shows how to disable multiple paths function.

Switch(config)# no ip route multi-path 

Verify the settings by entering the show ip route summary command.

ip ssh

Use this command to configure Secure Shell (SSH) control parameters or enable the SSH service on the switch. Use the no ip ssh command to disable the SSH service.

ip ssh [ timeout SECONDS | authentication-retries NUMBER | service-port TCP-PORT]

no ip ssh

Default Initial SSH service: Disabled

timeout: 120 seconds.

Maximum authentication retries: 3

service port: 22

Command Mode Global configuration

Usage Guideline

The command configures Secure Shell (SSH) server parameters on the switch.

The idle timer ("timeout" option) is refreshed when the SSH client sends the message to the server. When the idle timer expires and the SSH server does not receive any messages from the client, the session will be released.

The SSH server can be configured with extra authentication retries for setting up an SSH session. The connection will be failed when the number of authentication attempts equals the maximum number of authentication attempts (retries) allowable.

Examples This example shows how to enable the SSH service.

Switch# configure terminal
Switch(config)# ip ssh

This example shows how to set the SSH timeout to 160 seconds.

Switch# configure terminal
Switch(config)# ip ssh timeout 160

This example shows how to set the number of SSH authentication-retries to 2. The connection will be failed when the number of authentication retries reaches 2 tries without success.

Switch# configure terminal
Switch(config)# ip ssh authentication-retries 2 

This example shows how to change the service-port to 3000. The SSH client must connect using this service port number.

Switch# configure terminal
Switch(config)# ip ssh service-port 3000

Verify the settings by entering the show ip ssh command.

ip telnet server

Use this command to enable the TELNET server function. Use the no form of the command to disable the TELNET server function.

ip telnet server

no ip telnet server

Syntax None

Default Enabled

Command Mode Global configuration

Usage Guideline

Telnet is a network protocol used on the Internet or local area networks to provide a general bidirectional interactive communications facility. Using the Telnet protocol, users can control a device, through a TCP connection which transmits data in plain text.

This command is used to enable/disable the IP TELNET server function. The SSH access interface is separated controlled through SSH commands.

Example This example shows how to enable telnet server function.

Switch(config)# ip telnet server

Verify the settings by entering the show system protocol-state command.

ip telnet service-port

Use this command to specify the service port for the TELNET server. Use the default command to return the service port to 23.

ip telnet service-port TCP-PORT

default ip telnet service-port

Default TCP-PORT 23

Command Mode Global configuration

Usage Guideline This command configures the TCP port number for the TELNET server. The Telnet server listens on port number 23 for connection requests in the default configuration.

Example This example shows how to change the service port to 3000.

Switch(config)# ip telnet service-port 3000

Verify the settings by entering the show system protocol-state command.

ip trusted-host

Use this command to create the trusted host entries on the switch. Use the no ip trusted-host command to remove the trusted host entries.

ip trusted-host {IP-ADDRESS / NETWORK-ADDRESS/PREFIX-LENGTH} [snmp] [http] [telnet]]

no ip trusted-host [IP-ADDRESS | NETWORK-ADDRESS/PREFIX-LENGTH] [snmp] [http] [telnet]

Syntax Description

Default No default hosts

Command Mode Global configuration at privilege level 15.

Usage Guideline

The ip-trusted host command creates the trusted host entries with access to the management interface. When a trusted-host is not configured, then all hosts are trusted. When adding a trusted-host, if the access interface (snmp, http, or telnet) is not specified, then it applies to all interfaces.

Once a trusted-host is configured with an access interface allowed, then only the configured trusted-hosts are allowed access to the access interfaces associated with their entry. If an access interface is not specified in the trusted-host list, then all access to that access interface will be blocked.

The number of trusted hosts is project dependent.

For the no command, when the host is not specified, all hosts will be deleted for the specified access interface. If no access interface is specified, the specified host will be deleted for all access interfaces. If both the host and access interface are not specified, all trusted hosts will be deleted.

Examples

This example shows how to add a trusted host with IP address 163.10.50.126 to snmp access interface.

Switch(config)# ip trusted-host 163.10.50.126 snmp

This example shows how to remove the trusted host with IP address 163.10.50.126 for all access interfaces.

Switch(config)# no ip trusted-host 163.10.50.126

You can verify your settings by entering the show ip trusted-host command.

ipv6 access-group

Use the ipv6 access-group command to specify the IPv6 access-list to be applied to an interface. Use the no form of the command to remove an IPv6 access list.

Ipv6 access-group NAME [in]

no ipv6 access-group NAME [in]

Default None

Command Mode Interface configuration

Usage Guideline

Up to one MAC access-list, one IP access-list and one IPv6 access-list can be applied to the same interface. An error message will be displayed if the user attempts to apply the second IPv6 access list.

The IPv6 access list must be created before it can be applied to the interface. Otherwise, an error message will be displayed.

The keyword in specifies the ingress direction check.

The association of an access-group with an interface will consume the filtering entry resource of the switch controller. If the command is applied successfully, the number of remaining maximum entries will be displayed. If the rule of the access-group contains port operator, gt/lt operator, the number of remaining port operators will be displayed. If the resources are insufficient to commit the command, an error message will be displayed.

There is limitation on the number of port operator resources. The maximum number is project dependent.

If the commit, of the command, will exceed the maximum number of available port selectors, an error message will be displayed.

An access-group is applied to the interface, which will consume the filter entry resource. When the access-group is applied successfully, the number of remaining filter entry resource will be displayed. If the access-group were using a port operator (for example: gt/lt) for the rule, it will display the number of remaining port operator resource.

If the remaining resources of filter entry or port operator is insufficient, an error message will display when the access-group is applied.

Example

This example shows how to specify the IPv6 access-list ip6-control as an IPv6 access group for eth3.3

Switch(config)# interface eth3.3
Switch(config-if)#ipv6 access-group ip6-control in 

Verify the settings by entering show access-group.

ipv6 access-list

Use this command to create or modify an IPv6 access list. This command will enter into the ipv6 access-list configuration mode. Use the no form of the command to remove an IPv6 access-list.

ipv6 access-list extended NAME

no ipv6 access-list extended NAME

Default No IPv6 access list is defined.

The access list defaults to an implicit deny statement for all traffic.

Command Mode Global configuration

Switch(config)#ipv6 access-list extended ip6-control
Swtich(config-ipv6-ext-acl)#permit tcp any 2002:f03::1 ffff::
Switch(config-ipv6-ext-acl)# 

This example shows how configure an IPv6 extended access-list, named ip6-std-control.

Switch(config)#ipv6 access-list extended ip6-std-control
Swtich(config-ipv6-ext-acl)#permit tcp any fe80::101:1 ffff:ffff:ffff::
Switch(config-ipv6-ext-acl)# 

Verify the settings by entering the show access-list command.

ipv6 address

This command is used to assign the IPv6 address to an interface of the switch. The no form of this command deletes the IPv6 address assigned to the interface.

ipv6 address X:X::X:X/M

no ipv6 address [X:X::X:X/M]

Syntax Description

X:X::X:X/M IPv6 network address. This argument must be in the form documented in RFC2373 where the address is specified in hexadecimal format using a 16-bit value between colons.

X:X::X:X: IPv6 address

M: IPv6 prefix length, maximum length is 64.

Default None

Command Mode VLAN interface configuration

Usage Guideline

The VLAN interface must be created first. If IPv6 is disabled, it will be enabled after the IPv6 address is configured. When using the no ipv6 address command without other parameters, it removes all ipv6 global addresses configured on this interface.

Example This example shows how to add an IPv6 address to a VLAN interface:

Switch > enable
Switch # configure terminal
Switch (config) # interface vlan1
Switch (config-if) # ipv6 address 3ffe:501:ffff:0:a01:2ff:fe39:1/64
Switch (config-if) # 

ipv6 address

This command is used to add or delete an IPv6 address to an interface. The address is configured using an IPv6 general prefix and when set it enables IPv6 processing on the interface. To remove the address from the interface, use the no form of this command.

ipv6 address { IPV6-ADDRESS/PREFIX-LENGTH | PREFIX-NAME SUB-BITS/PREFIX-LENGTH }

no ipv6 address { IPV6-ADDRESS/ PREFIX-LENGTH | PREFIX-NAME SUB-BITS/ PREFIX-LENGTH }

Default No IPv6 addresses are assigned to the interface.

Command Mode Interface configuration

Usage Guideline

The ipv6 address command allows multiple IPv6 addresses to be configured on an interface in a variety of forms with varying options. The most common way is to specify the IPv6 address with the prefix length.

Addresses may also be defined using the general prefix mechanism, which separates the aggregated IPv6 prefix bits from the subprefix and host bits. In this case, the leading bits of the address are defined in a general prefix, which is globally configured or learned (for example, through use of DHCP-PD), and then applied using the prefix-name argument. The subprefix bits and host bits are defined using the sub-bits argument.

Examples

The following example shows how to enable IPv6 processing on the interface and configure an address based on the general prefix called my-prefix and the directly specified bits:

Switch > enable
Switch # configure terminal
Switch (config) # interface vlan2
Switch (config-if) # ipv6 address my-prefix 0:0:0:1::1/64 

Assuming the general prefix named my-prefix has the value of 3ffe:1:2::/48, then the interface would be configured with the global address: 3ffe:1:2:1::1/64. If no general prefix named my-prefix is set, then no IPv6 address will be set.

If the general prefix named my-prefix is an acquired through a DHCPv6 Client prefix delegation, then the global address would be configured after the prefix is received from the DHCPv6 Client.

The following example shows how to remove a general prefix named my-prefix on the interface:

Switch > enable
Switch # configure terminal
Switch (config) # interface vlan2
Switch (config-if) # no ipv6 address my-prefix 0:0:0:1::1/64 

The following example shows how to manually configure a global address:

Switch > enable
Switch # configure terminal
Switch (config) # interface vlan2
Switch (config-if) # ipv6 address 3ffe:22:22:22::2/64 

After the command is entered, the global address 3ffe:22:22:22::2/64 will be immediately set.

The following example shows how to manually remove a global address from the configuration:

Switch > enable
Switch # configure terminal
Switch (config) # interface vlan2
Switch (config-if) # no ipv6 address 3ffe:22:22:22::2/64 

After the command is entered, the global address 3ffe:22:22:22::2/64 will be immediately removed.

ipv6 address (management port)

Use this command to set the IPv6 address of the Management Port. Use the no form of this command to set the IPv6 address of the Management Port to the default value.

ipv6 address IPv6-ADDRESS/PREFIX-LENGTH

no ipv6 address

Syntax Description

IPv6-ADDRESS IPv6 address, X:X::X:X

PREFIX-LENGTH Prefix Length.

Default

Default IPv6 address is: ::/0.

Command Mode Management interface configuration

Usage Guideline

Users can manage the system by accessing this IPv6 address. Use the no ipv6 address command to restore the default IPv6 address

Example This example shows how to set 2000::1/64 as the IPv6 address of the Management Port.

Switch (mgmt-if) #
Switch (mgmt-if) #ipv6 address 2000::1/64 

Verify the settings by entering the show mgmt-if command

ipv6 default-gateway (management port)

Use this command to set the IPv6 address of the IPv6 default gateway that is used by the management port. Use the no form of this command to set the IPv6 default gateway to the default value.

ipv6 default-gateway IPv6-ADDRESS

no ipv6 default-gateway

Syntax Description

IPv6-ADDRESS IPv6 address, X:X::X:X

Default Empty

Command Mode Management interface configuration

Usage Guideline

The management port will send out IPv6 packets destined for other IP subnets using this IPv6 address as the gateway router.

Example This example shows how to set 2000::2 as the IPv6 address of the default gateway.

Switch(mgmt-if)#ipv6 default-gateway 2000::2
Switch(mgmt-if)# 

Verify the settings by entering the show mgmt-if command

ipv6 dhcp client information refresh minimum

To configure the minimum acceptable refresh time of the DHCPv6 client information on a specified interface. To remove the configured refresh time, use the no form of this command.

ipv6 dhcp client information refresh minimum SECONDS

no ipv6 dhcp client information refresh minimum

Syntax Description

SECONDS The refresh time, in seconds. The minimum value that can be used is 600 seconds, and the maximum value can be 65535 seconds.

Default Unlimited

Command Mode Interface configuration

Usage Guideline

The ipv6 dhcp client information refresh minimum command specifies the minimum acceptable refresh time of the DHCPv6 client information. If the server sends an information refresh time option of less than the configured minimum refresh time, the configured minimum refresh time will be used instead.

This command may be configured in several situations:

• In unstable environments where unexpected changes are likely to occur.
• For planned changes, including renumbering, an administrator can gradually decrease the time as the planned event nears.
• Limit the amount of time before new services or servers are available to the client, such as the addition of a new Simple Network Time Protocol (SNTP) server or a change of address for a Domain Name System (DNS) server.

Setting ipv6 dhcp client information refresh minimum or no ipv6 dhcp client information refresh minimum will not enable or disable the DHCPv6 client prefix delegation function.

Example The following example configures a maximum of 2 hours before the DHCPv6 client information will be refreshed:

Switch > enable
Switch # configure terminal
Switch (config) # interface vlan1
Switch (config-if) # ipv6 dhcp client information refresh minimum 7200 

ipv6 dhcp client pd

This command enables a specified IPv6 interface's DHCP client process and it enables the request for prefix delegation through the same interface. To disable requests for prefix delegation, use the no form of this command.

ipv6 dhcp client pd { PREFIX-NAME | hint IPV6-PREFIX } [ rapid-commit ]

no ipv6 dhcp client pd

Default The prefix delegation is disabled.

Command Mode Interface configuration

Usage Guideline

If DHCPv6 is not running yet, executing the ipv6 dhcp client pd command starts the DHCPv6 protocol for an IPv6 client process. Use no ipv6 dhcp client pd to disable the DHCPv6 client.

Further, the ipv6 dhcp client pd command enables request for prefix delegation on the interface where this command is configured. When prefix delegation is enabled and a prefix is successfully acquired, the prefix is stored in the IPv6 general prefix pool with an internal name defined by the IPV6-PREFIX argument. Other commands and applications (such as the ipv6 address command) can then refer to the prefixes in the general prefix pool.

The hint keyword with the IPV6-PREFIX argument enables the configuration of an IPv6 prefix. That prefix will be included in DHCHv6 solicit and request messages sent by the interface's IPv6 client DHCP. The included prefixes, in the messages, are sent as a hint for the prefix-delegating routers. Only one prefix can be configured for each delegation hint request message.

Re-configuring prefix hint will change the hint setting, and setting no ipv6 dhcp client pd will clear the prefix hint option. Care should be taken in setting the hint option as it will not enable DHCPv6 client prefix delegation function.

The rapid-commit keyword enables the use of the two-message exchange protocol for prefix delegation and other settings. If it is enabled, the client will include the rapid commit option in a solicit message.

The DHCP for IPv6 client, server, and relay functions are mutually exclusive on an interface.

Examples

The following example enables prefix delegation, where dhcp-prefix is the general prefix name configured by ipv6 address command.

Switch > enable
Switch # configure terminal
Switch (config) # interface vlan2
Switch (config-if) # ipv6 address dhcp-prefix 0:0:0:7272::72/64
Switch (config-if) # exit
Switch (config) # interface vlan1
Switch (config-if) # ipv6 dhcp client pd dhcp-prefix 

The following example configures a hint for prefix-delegation.

Switch > enable
Switch # configure terminal
Switch (config) # interface vlan1
Switch (config-if) # ipv6 dhcp client pd hint 2001:0DB8:1::/48 

The following example configures a rapid-commit delegation.

Switch > enable
Switch # configure terminal
Switch (config) # interface vlan1
Switch (config-if) # ipv6 dhcp client pd dhcp-prefix rapid-commit 

The following example configures a delegation with hint prefix and rapid-commit simultaneously.

Switch > enable
Switch # configure terminal
Switch (config) # interface vlan1
Switch (config-if) # ipv6 dhcp client pd hint 2001:0DB8:1::/48
Switch (config-if) # ipv6 dhcp client pd dhcp-prefix rapid-commit 

ipv6 dhcp relay destination

These commands are used to enable or disable the DHCP relay function.

ipv6 dhcp relay destination IPV6-ADDRESS [VLAN-INTERFACE]

no ipv6 dhcp relay destination

Syntax Description

IPV6-ADDRESS Relay destination address.

This argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons.

VLAN-INTERFACE Relay to which VLAN-interface.

Valn-interface specifies output interface for a destination. If this argument is configured, client messages are forwarded to the destination address through the link to which the output interface is connected.

Default DHCP relay: Disabled

IPV6-ADDRESS: None

VLAN-INTERFACE: NULL.

Command Mode Interface configuration

Usage Guideline

The ipv6 dhcp relay destination command specifies a destination address to which client messages are forwarded and it enables DHCP for IPv6 relay service on the interface. When relay service is enabled on an interface, a DHCP for IPv6 message received on that interface will be forwarded to all configured relay destinations. The incoming DHCP for IPv6 message may have come from a client on that interface, or it may have been relayed by another relay agent.

The relay destination can be a unicast address of a server or another relay agent, or it may be a multicast address. The following are the two types of relay destination addresses:

• A link-scoped unicast or multicast IPv6 address, for which, a user must specify an output interface
• A global or site-scoped unicast or multicast IPv6 address, for which, a user CANNOT specify the output interface. The output interface will be determined by routing table.

If no output interface is configured for a destination, the output interface is determined by routing tables. In this case, it is recommended that a unicast or multicast routing protocol be running on the router. Multiple destinations can be configured on one interface, and multiple output interfaces can be configured for one destination. When the relay agent relays messages to a multicast address, it sets the hop limit field in the IPv6 packet header to 32.

Unspecified, loopback and node-local multicast addresses are not acceptable as the relay destination. If any one of them is configured, the message "Invalid destination address" is displayed.

Note that it is not necessary to enable the relay function on an interface for it to accept and forward an incoming relay reply message from servers. By default, the relay function is disabled, and there is no relay destination on an interface. The no form of the command removes a relay destination on an interface or deletes an output interface for a destination. If all relay destinations are removed, the relay service is disabled on the interface.

DHCP for the IPv6 client, server, and relay functions is mutually exclusive on an interface. When one of these functions is already enabled and a user tries to configure a different function on the same interface, one of the following messages is displayed: "Interface is in DHCP client mode," "Interface is in DHCP server mode," or "Interface is in DHCP relay mode."

One VLAN interface only can be configured to one DHCP relay server.

Example

This example shows how to sets the relay destination server address on vlan1:

Switch > enable
Switch # configure terminal
Switch (config) # interface vlan1
Switch (config-if) # ipv6 dhcp relay destination FE80::250:A2FF:FEBF:A056 vlan2 

This example shows how to disable relay agent on vlan1

Switch > enable
Switch # configure terminal
Switch (config) # interface vlan1
Switch (config-if) # no ipv6 dhcp relay destination 

ipv6 enable

This command is used to enable and disable the IPv6 protocol on an interface of the switch. The no form of this command can disable the IPv6 protocol.

ipv6 enable

no ipv6 enable

Syntax None

Default Disabled.

Command Mode VLAN interface configuration

Usage Guideline

The interface must be created before the ipv6 enable command is executed. When the interface up, ipv6 enable will also add a link-local address to the interface and remove it when using the no form of the command. This means that when using ipv6 enable, depending whether the interface is up or down, the command will add or delete the link-local address respectively.

Example This example shows how to enable the IPv6 protocol:

Switch> enable
Switch# configure terminal
Switch(config)# interface vlan1
Switch(config-if)# ipv6 enable
Switch(config-if)# 

ipv6 hop-limit

This command is used to configure the IPv6 hop limit setting for an interface of this switch. The no form of this command resets the IPv6 hop limit to the default value.

ipv6 hop-limit <0-255>

no ipv6 hop-limit

Syntax Description

Default Hop limit: 64

Command Mode VLAN interface configuration

Usage Guideline The VLAN interface must be created first before this command can be used.

Example This example shows how to configure IPv6 hop limit setting:

Switch > enable
Switch # configure terminal
Switch (config) # interface vlan1
Switch (config-if) # ipv6 hop-limit 255
Switch (config-if) # 

ipv6 nd managed-config-flag

This command is used to turn on the IPv6 RA (router advertisement) management configure flag setting on an interface of this switch. The no form of this command turns off this flag.

ipv6 nd managed-config-flag

no ipv6 nd managed-config-flag

Syntax None

Default Off

Command Mode VLAN interface configuration

Usage Guideline The VLAN interface must be created first before this command can be used.

Example This example shows how to configure IPv6 manage config flag setting:

Switch > enable
Switch # configure terminal
Switch (config) # interface vlan1
Switch (config-if) # ipv6 nd managed-config-flag
Switch (config-if) # 

ipv6 nd other-config-flag

This command is used to turn on the IPv6 RA (router advertisement) other configure flag incidence per interface on this switch. The no form of this command turns off this flag.

ipv6 nd other-config-flag

no ipv6 nd other-config-flag

Syntax None

Default other configure flag: off

Command Mode VLAN interface configuration

Usage Guideline The VLAN interface must be created first before this command can be used.

Example This example shows how to configure IPv6 other configure flag incidence:

Switch > enable
Switch # configure terminal
Switch (config) # interface vlan1
Switch (config-if) # ipv6 nd other-config-flag
Switch (config-if) # 

ipv6 nd prefix

This command is used to add or modify IPv6 prefix information to RA (router advertisement) for an interface of this switch. If the prefix already exists, then the command modifies the parameter. The no form of the command removes it.

ipv6 nd prefix X:X::X:X/M <0-4294967295> <0-4294967295> [off-link | no-autoconfig]

no ipv6 nd prefix X:X::X:X/M

Syntax Description

X:X::X:X/M IPv6 network address. This argument must be in the form documented in RFC2373 where the address is specified in hexadecimal format using a 16-bit value between colons.

X:X::X:X: IPv6 address

M: IPv6 prefix length

<0-4294967295> Valid life time in seconds.

<0-4294967295> Preferred lifetime in seconds.

off-link Turn off on-link flag.

no-autoconfig Turn off autoconfig flag.

Default 0-4294967295: 2592000

0-4294967295: 604800

off-link: On

no-autoconfig: On

Command Mode VLAN interface configuration

Usage Guideline The VLAN interface must be created first before this command can be used.

Example This example shows how to configure IPv6 prefix information incidence:

Switch > enable
Switch # configure terminal
Switch (config) # interface vlan1
Switch (config-if) # ipv6 nd prefix 3ffe:501:ffff:100::/64 30000 20000
Switch (config-if) # 

ipv6 nd ra-interval

This command is used to configure the IPv6 RA (router advertisement) interval timer for an interface of this switch. The no form of this command sets the lifetime to the default value.

ipv6 nd ra-interval <4-1800> [<3-1350>]

no ipv6 nd ra-interval

Syntax Description

<4-1800> Maximum interval value in seconds.

<3-1350> Minimum interval value in seconds.

Must be smaller than the maximaum value * 0.75

Default <4-1800>: 600

<3-1350>: 198

Command Mode VLAN interface configuration

Usage Guideline

The VLAN interface must be created first before this command can be used. If the minimum interval value is not configured, the minimum interval value will be automatically assigned per the following rules.

1. If maximum timer >= 9 seconds, then it is configured to the maximum value * 0.33.
2. If maximum timer < 9 seconds, then it is configured to the maximum value.

Example This example shows how to configure the IPv6 RA interval timer setting:

Switch > enable
Switch # configure terminal
Switch (config) # interface vlan1
Switch (config-if) # ipv6 nd ra-interval 1500 1000
Switch (config-if) # 

ipv6 nd ra-lifetime

This command is used to configure the IPv6 RA (router advertisement) lifetime on an interface of this switch. The no form of this command sets the lifetime to the default value.

ipv6 nd ra-lifetime <0-9000>

no ipv6 nd ra-lifetime

Syntax Description

<0-9000> The IPv6 router advertisement lifetime range in seconds.

Default 1800

Command Mode VLAN interface configuration

Usage Guideline The VLAN interface must be created first before this command can be used.

Example This example shows how to configure IPv6 ra lifetime incidence:

Switch > enable
Switch # configure terminal
Switch (config) # interface vlan1
Switch (config-if) # ipv6 nd ra-lifetime 9000
Switch (config-if) # 

ipv6 nd reachable-time

This command is used to configure IPv6 RA (router advertisement) reachable time on an interface of this switch. The no form of this command sets the reachable time to the default value.

ipv6 nd reachable-time <0-3600000>

no ipv6 nd reachable-time

Syntax Description

Default 0

Command Mode VLAN interface configuration

Usage Guideline

The VLAN interface must be created first before this command can be used. When the reachable time is set to the default value or set to "0", the system will run for 30 seconds on this interface, but the RA packet will be set to "0".

Example This example shows how to configure the IPv6 reachable time setting:

Switch > enable
Switch # configure terminal
Switch (config) # interface vlan1
Switch (config-if) # ipv6 nd reachable time 3600000
Switch (config-if) # 

ipv6 nd retrans-timer

This command is used to configure IPv6 RA (router advertisement) retrans timer per interface on this switch. The no form of this command sets the retrans timer to the default value.

ipv6 nd retrans-timer <0-4294967295>

no ipv6 nd retrans-timer

Syntax Description

<0-4294967295> The IPv6 router advertisement retrans timer range in milliseconds.

Default 0

Command Mode VLAN interface configuration

Usage Guideline

The VLAN interface must be created first before this command can be used. When the reachable time is set to the default value or set to "0", the system will use 1 second for this interface, but the RA packet will be set to "0".

Example This example shows how to configure the IPv6 retrans timer setting:

Switch > enable
Switch # configure terminal
Switch (config) # interface vlan1
Switch (config-if) # ipv6 nd retrans-timer 4294967295
Switch (config-if) # 

ipv6 nd suppress-ra

This command is used to suppress IPv6 RA (router advertisement) on an interface of this switch. Use the no ipv6 nd suppress-ra configuration command to enable the sending of IPv6 router advertisements on an ISATAP tunnel interface.

ipv6 nd suppress-ra

no ipv6 nd suppress-ra

Syntax None

Default Suppress RA

(Sending of IPv6 router advertisements is disabled by default on an ISATAP tunnel interface)

Command Mode VLAN interface configuration

Usage Guideline

The VLAN interface must be created first before this command can be used.

ISATAP tunnel interfaces are valid for this command. Other types of tunnel interfaces are invalid.

Example This example shows how to suppress IPv6 RA's:

Switch > enable
Switch # configure terminal
Switch (config) # interface vlan1
Switch (config-if) # ipv6 nd suppress-ra 

ipv6 neighbor

This command is used to add a static ipv6 neighbor entry. The no form of this command deletes the IPv6 neighbor entry.

ipv6 neighbor X:X::X:X IFNAME MAC

no ipv6 neighbor X:X::X:X IFNAME

Syntax Description

X:X::X:X IPv6 address. This argument must be in the form documented by RFC2373 where the address is specified in hexadecimal using a 16-bit value between colons.

XXXX: IPv6 address

IFNAME The IP Interface name

MAC The MAC address, in XX-XX-XX-XX-XX-XX format

Default None

Command Mode Global configuration.

Usage Guideline None

Example This example shows how to configure an IPv6 neighbor entry:

Switch > enable
Switch # configure terminal
Switch (config) # ipv6 neighbor fe80::1 vlan1 00-01-80-11-22-99
Switch (config) # 

ipv6 ospf cost

To explicitly specify the cost of sending a packet on an interface, use the ipv6 ospf cost command. To reset the interface cost to the default value, use the no form of this command.

ipv6 ospf cost COST [instance-id INSTANCE-ID]

no ipv6 ospf cost [instance-id INSTANCE-ID]

Default Cost: Unconfigured

INSTANCE-ID: 0

Command Mode Interface configuration

Usage Guideline

To modify the cost from the default value, set the metric manually using the ipv6 ospf cost command. Using the bandwidth command changes the link cost as long as the ipv6 ospf cost command is not used. The link-state metric is advertised as the link cost in the router link advertisement.

Example The following example sets the interface cost value to 65.

Switch > enable
Switch # configure terminal
Switch (config)# interface vlan1
Switch (config-if)# ipv6 ospf cost 65 

ipv6 ospf dead-interval

To set the time period used, during which hello packets are not detected, before neighbors declare the router down, use the ipv6 ospf dead-interval command. To return to the default time, use the no form of this command.

ipv6 ospf dead-interval SECONDS [instance-id INSTANCE-ID]

no ipv6 ospf dead-interval [instance-id INSTANCE-ID]

Default Seconds: 40

Default INSTANCE-ID: 0

Command Mode Interface configuration

Usage Guideline The interval is advertised in router hello packets. This value must be the same for all routers and access servers on a specific network.

Example The following example sets the IPv6 OSPF dead interval to 60 seconds.

Switch > enable
Switch # configure terminal
Switch (config)# interface vlan1
Switch (config-if)# ipv6 ospf dead-interval 60 

ipv6 ospf hello-interval

To specify the interval between hello packets sent from an interface, use the ipv6 ospf hello-interval command. To return to the default time, use the no form of this command.

ipv6 ospf hello-interval SECONDS [instance-id INSTANCE-ID]

no ipv6 ospf hello-interval [instance-id INSTANCE-ID]

Default Seconds: 10

INSTANCE-ID: 0

Command Mode Interface configuration

Usage Guideline This value is advertised in the hello packets. The shorter the hello interval, the earlier topological changes will be detected, but more routing traffic will ensue. This value must be the same for all routers and access servers on a specific network.

Example The following example sets the interval between hello packest to 15 seconds.

Switch > enable
Switch # configure terminal
Switch (config)# interface vlan1
Switch (config-if)# ipv6 ospf hello-interval 15 

ipv6 ospf priority

To set the router priority, which helps determine the designated router for this network, use the ipv6 ospf priority. To return to the default value, use the no form of this command.

ipv6 ospf priority PRIORITY [instance-id INSTANCE-ID]

no ipv6 ospf priority [instance-id INSTANCE-ID]

Default Priority: 1

INSTANCE-ID: 0

Command Mode Interface configuration

Usage Guideline

Setting the priority helps determine the OSPF Designated Router (DR) for a network. If two routers attempt to become the DR, the router with the higher router priority becomes the DR. If the router priority is the same for two routers, the router with the higher router ID takes precedence.

Only routers with non-zero router priority values are eligible to become the designated or backup designated router. Configure router priority for multi-access networks (not point-to-point) only.

Example The following example sets the router priority value to 4.

Switch > enable
Switch # configure terminal
Switch (config)# interface vlan1
Switch (config-if)# ipv6 ospf priority 4 

ipv6 ospf retransmit-interval

This command specifies the time between link-state advertisement (LSA) retransmissions for adjacencies belonging to an interface.

ipv6 ospf retransmit-interval SECONDS [instance-id INSTANCE-ID]

no ipv6 ospf retransmit-interval [instance-id INSTANCE-ID]

Default Seconds: 5

INSTANCE-ID: 0

Command Mode Interface configuration

Usage Guideline

After sending an LSA to a neighbor, the router keeps the LSA until it receives an acknowledgement. In case the router does not receive an acknowledgement, during the set time (the retransmit interval value), it retransmits the LSA. Set the retransmission interval value conservatively to avoid needless retransmissions. The interval should be greater than the expected round-trip delay between two routers.

Example The following example sets the retransmit interval value to 6 seconds.

Switch > enable
Switch # configure terminal
Switch (config) # interface vlan1
Switch (config-if)# ipv6 ospf retransmit-interval 6 

ipv6 ospf shutdown

To initiate an IPv6 OSPF protocol graceful shutdown at the interface level, use the ipv6 ospf shutdown command. To restart the OSPF protocol on an interface, use the no form of this command

ipv6 ospf shutdown [IFNAME]

no ipv6 ospf shutdown [IFNAME]

Syntax Description

Default Disabled

Command Mode Router configuration

Usage Guideline

Use the ipv6 ospf shutdown command to put IPv6 OSPF under a specific interface in shutdown mode. If no interface is specified for this command in router configuration mode, it will shutdown the protocol in the least disruptive manner and notify its neighbors that it is leaving. All traffic, that has another path through the network, will be directed to that alternate path.

Note: When this command is used to shutdown IPv6 OSPF on all interfaces, then at this time the device will clear the LSDBs and leave them empty. This behavior is not the same as with the IPv4 OSPF protocol.

Example

The following example shows how to initiate an IPv6 OSPF protocol shutdown on the layer 3 interface (VLAN 1):

Switch > enable
Switch # configure terminal
Switch (config) # router ipv6 ospf
Switch (config-router)# ipv6 ospf shutdown vlan1 

ipv6 ospf transmit delay

To set the estimated time required to send a link-state update packet on the interface, use the ipv6 ospf transmit-delay command. To return to the default value, use the no form of this command.

ipv6 ospf transmit-delay SECONDS [instance-id INSTANCE-ID]

no ipv6 ospf transmit-delay [instance-id INSTANCE-ID]

Default SECONDS: 1

INSTANCE-ID: 0

Command Mode Interface configuration

Usage Guideline

Before being transmitted, Link-State Advertisements (LSAs) in the update packet must have their ages incremented by the amount specified in the seconds. The value assigned should take into account the transmission and propagation delays for the interface.

If the delay is not added before transmission over a link, the time in which LSAs propagate over the link will not be considered. This setting has more significance on very low-speed links.

Example The following example sets the transmit delay value to 3 seconds.

Switch > enable
Switch # configure terminal
Switch (config) # interface vlan1
Switch (config-if)# ipv6 ospf transmit-delay 3 

ipv6 rip metric-offset

To set the IPv6 RIP metric for an interface, use the ipv6 rip metric-offset command. To return the metric to its default value, use the no form of this command.

ipv6 rip metric-offset METRIC-VALUE

no ipv6 rip metric-offset

Default The default metric value is 1.

Command Mode Interface configuration

Usage Guideline When an IPv6 RIP route is received, the interface metric value set by the ipv6 rip metric-offset command is added before the route is inserted into the routing table. Increasing the IPv6 RIP metric value of an interface will increase the metric value of IPv6 RIP routes received over the interface.

Use the ipv6 rip metric-offset command to influence which routes are used.

The IPv6 RIP metric is in the hop count.

Example The following example configures a metric increment of 10 for the RIP routing process.

Switch > enable
Switch # configure terminal
Switch (config)# interface vlan1
Switch (config-if)# ipv6 rip metric-offset 10 

ipv6 rip split-horizon

To enable IPv6 RIP split-horizon mechanism, use the ipv6 rip split-horizon command. To disable the split horizon processing of IPv6 RIP updates, use the no form of this command.

ipv6 rip split-horizon

no ipv6 rip split-horizon

Syntax None

Default This command is disabled by default.

Command Mode Interface configuration

Usage Guideline

This command configures split horizon processing of IPv6 RIP router updates. If split horizon is configured on interfaces where the networks are learned, then the advertisement of networks sent out from those same interfaces is suppressed.

When both split horizon and poison reverse are configured, then split horizon behavior is replaced by poison reverse behavior routes. The poison reverse behavior routes are learned via RIP and are advertised out the interface over which they were learned. They are advertised with an unreachable metric.

Example

The following example configures split horizon processing for the IPv6 RIP routing process.

Switch > enable
Switch # configure terminal
Switch (config)# interface vlan1
Switch (config-if)# ipv6 rip split-horizon 

ipv6 rip split-horizon poisoned

To configure the poison reverse processing of IPv6 RIP router updates, use the ipv6 rip split-horizon poisoned command. To disable the poison reverse processing of IPv6 RIP updates, use the no form of this command.

ipv6 rip split-horizon poisoned

no ipv6 rip split-horizon

Syntax None

Default Poison reverse is configured.

Command Mode Interface configuration

Usage Guideline

This command configures poison reverse processing of IPv6 RIP router updates. When poison reverse is configured, routes learned via RIP are advertised with an unreachable metric out from the interface over which they were learned.

If both poison reverse and split horizon are configured, then simple split horizon behavior is replaced by poison reverse behavior.

Example

The following example configures poison reverse processing for the IPv6 RIP routing process.

Switch > enable
Switch # configure terminal
Switch (config)# interface vlan1
Switch (config-if)# ipv6 rip split-horizon poisoned 

ipv6 route

Use ipv6 route to add an IPv6 static route entry. Use the no form of the command to remove an IPv6 static route entry.

ipv6 route NETWORK-PREFIX / PREFIX-LENGTH {NEXT-HOP-ADDRESS | INTERFACE-TYPE INTERFACE-NUMBER NEXT-HOP-ADDRESS} [distance DISTANCE]

no ipv6 route NETWORK-PREFIX / PREFIX-LENGTH [NEXT-HOP-ADDRESS | INTERFACE-TYPE INTERFACE-NUMBER NEXT-HOP-ADDRESS]

Default No static route is configured.

Command Mode Global configuration

Usage Guideline: See the following sections.

Configuring Default Route

Configuring a default route is useful and simple for managing the IPv6 forwarding path. By giving the NETWORK-PREFIX and PREFIX-LENGTH as zero, the system will setup the default path(s) for IPv6 traffic. Using the following commands to create or delete the default route of the system.

Practical Usage

Operators may prefer to specify a default path for the managed devices. By specifying a default gateway, traffic inside the managed topology always has the proper path to follow. Usually, routers on smaller networks may need this configuration, since they have less CPU computing power or less memory to keep the entire routing table of the topology.

Examples

Imagine the topology is illustrated below. The device on the edge may not have enough power to forward all the IPv6 traffic to the world. Therefore, it needs a default route to serve the connected IPv6 nodes to communicate with nodes on Internet.

graph TD
    A["User Group"] --> B["Intranet"]
    C["User Group"] --> B
    D["User Group"] --> B
    E["User Group"] --> B
    F["User Group"] --> B
    G["User Group"] --> B
    H["Internet"] --> B
    I["Internet"] --> B
    B --> J["Cloud Node"]
    style A fill:#f9f,stroke:#333
    style C fill:#bbf,stroke:#333
    style D fill:#bfb,stroke:#333
    style E fill:#ffb,stroke:#333
    style F fill:#fbb,stroke:#333
    style G fill:#fbb,stroke:#333
    style H fill:#bbf,stroke:#333
    style I fill:#bbf,stroke:#333

This example shows how to create a default route.

Switch > enable
Switch # configure terminal
Switch (config) # ipv6 route ::/0 vlan 1 fe80::0200:00ff:fe00:a0a0 

After configuring the default route, the edge router will forward the unknown IPv6 traffic to the core router. By doing this, users connected to the edge router can connect to the world (WAN/internet).

This example shows how to delete an existing default route.

Switch > enable
Switch # configure terminal
Switch (config) # no ipv6 route ::/0 vlan 1 fe80::0200:00ff:fe00:a0a0 

Configuring a General Static Route

To establish static IPv6 routes, use the ipv6 route command in global configuration mode. To remove a previously configured static route, use the no form of this command.

Default No static routes are configured.

Practical Usage

Operators may prefer to specify the forwarding path of certain traffic. By doing this, the traffic of certain applications in the managed domain will always be forwarded to the expected destination. When the network prefixes and prefix-length are both zero, it implies the specific static route is the default route. A default route presents the final forwarding path of choice should the system not find the matched forwarding rule in routing table. By assigning the address of the next-hop only, the system will forward the IP traffic to this address if, there is no matched forwarding rule by default.

Examples

Imagine the topology as illustrated below. There is a proxy server to access the Intranet. All the users on the Intranet are required to setup this same proxy to communicate with the WEB servers outside the Intranet. However, there is a default gateway configured on the edge route. The HTTP communication from users connected to the edge router will exhaust all the bandwidth available for the Intranet. Therefore, we need a static route to save the bandwidth available for the Intranet.

graph TD
    A["Internet"] --> B["Intranet"]
    B --> C["PROXY"]
    C --> D["User Group 1"]
    C --> E["User Group 2"]
    C --> F["User Group 3"]
    B --> G["User Group 4"]
    B --> H["User Group 5"]
    style A fill:#90EE90,stroke:#333
    style B fill:#90EE90,stroke:#333
    style C fill:#FFD700,stroke:#333
    style D fill:#E6F1E6,stroke:#333
    style E fill:#E6F1E6,stroke:#333
    style F fill:#E6F1E6,stroke:#333
    style G fill:#B2C4A2,stroke:#333

This example shows how to create a static route destined for the network where proxy server resides.

Switch > enable
Switch # configure terminal
Switch (config) # ipv6 route 2001:0DB8::/32 vlan 1 fe80::0200:00ff:fe00:a0a0 

Then we can use the show command to check whether the configured static route works or not.

Switch > enable
Switch # show ipv6 route
IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
I - IS-IS, B - BGP

C 2177:0:4:141::/64 is directly connected, vlan141
S 2177:0:3:134::/64 [1/0] via 2177:0:4:906::8003

Total Entries: 2 entries, 2 routes 

This example shows how to delete an existing static route.

Switch > enable
Switch # configure terminal
Switch (config) # no ipv6 route 2001:0DB8::/32 vlan 1 fe80::0200:00ff:fe00:a0a0 

Configuring a Floating Static Route

Usually, floating static routes are static routes that are being used to back up dynamic routes learned through configured routing protocols. Normally a floating static route is configured with a higher administrative distance than the dynamic routing protocol it is backing up. As a result, the dynamic route learned through the routing protocol is always used in preference to the floating static route. If the dynamic route learned through the routing protocol is lost, the floating static route will be used in its place. That is an IPv6 floating static route can be achieved through the ipv6 route command with a greater distance number. Additionally, to extend the usability, floating static routes can also be allowed to back up static routes, since each route in a system has its own distance.

To establish floating static IPv6 routes, use the ipv6 route command in global configuration mode. To remove a previously configured floating static route, use the no form of this command.

Default No floating static routes are configured.

Practical Usage

Operators may like to specify the priorities of multiple routes destined for the same network. When multiple routes destined for the same network exist, a network device needs to decide which route should be registered into the routing table. The higher priority routes will be active, while lower priority routes will be backup. The following lists the default priority of available kinds of routes in the system.

• LOCAL INTERFACE 0

• STATIC 1

• RIP 120

• RIPNG 120
• OSPF 110
• OSPF6 110
• EBGP 20
• IBGP 200
  • ISIS 115

Examples

Assume that a routing protocol originates the same route to the same destination as an existing static route. However, an operator would like to select the calculation of the best route to choose from the routing protocols first. To do that the operator needs to change the priority of the static route, since the default priority of static routes is usually higher than dynamic routes.

This example shows how to create floating static routes. The System will ultimately choose the higher priority (with less distance value) route to be the master route toward the same destination. In this case, the route with distance 11 will be chosen as the master route toward the destination 2001:0DB8::/32.

Switch > enable
Switch # configure terminal
Switch (config) # ipv6 route 2001:0DB8::/32 vlan 1 fe80::0200:00ff:fe00:a0a0 distance 11
Switch (config) # ipv6 route 2001:0DB8::/32 vlan 2 fe80::0200:00ff:fe00:b0b0 distance 22 

This example shows how to delete the previously configured static route.

Switch > enable
Switch # configure terminal
Switch (config) # no ipv6 route 2001:0DB8::/32 vlan 1 fe80::0200:00ff:fe00:a0a0 

ipv6 router ospf area

To enable IPv6 OSPF on an interface, use the ipv6 router ospf area command. To disable IPv6 OSPF routing for interfaces defined, use the no form of this command.

ipv6 router ospf area AREA-ID [tag PROCESS-ID] [instance-id INSTANCE-ID]

no ipv6 router ospf area AREA-ID [tag PROCESS-ID] [instance-id INSTANCE-ID]

Default IPv6 OSPF is disabled.

PROCESS-ID: null

INSTANCE-ID: 0

Command Mode Interface configuration

Usage Guideline

Before enabling IPv6 OSPF on an interface using the ipv6 router ospf area command, IPv6 must be enabled on the interface, and IPv6 routing must be enabled on the switch. There is no limit to the number of ipv6 router ospf area commands that can be used on the router. At least two interfaces must be configured for IPv6 OSPF to run.

If the configuration is based on a specific process, then the no form of the command must include the process information.

Example The following example enables IPv6 OSPF on an interface.

Switch > enable
Switch # configure terminal
Switch (config)# interface vlan1
Switch (config-if)# ipv6 router ospf area 0 instance-id 2 

ipv6 router rip

To enable the IPv6 RIP routing process on an interface, use the ipv6 router rip command. To disable the IPv6 RIP routing process on an interface, use the no form of this command.

ipv6 router rip

no ipv6 router rip

Syntax None

Default Disabled

Command Mode Interface configuration

Usage Guideline

The ipv6 router rip interface configuration command is used to enable IPv6 RIP explicitly on required interfaces. In IPv4, the network network-number router configuration command is used to implicitly specify the interfaces on which to run IPv4 RIP.

Example

The following example enables the IPv6 RIP routing process on VLAN 1.

Switch > enable
Switch # configure terminal
Switch (config)# interface vlan1
Switch (config-if)# ipv6 router rip 

key

Use the key command to identify a key on a key chain used for routing protocol authentication. Use the no key command to remove the key from the key chain.

key KEY-ID

no key KEY-ID

Default There are no keys configured on the key chain.

Command Mode key-chain configuration

Usage Guideline

Only Routing Information Protocol (RIP) Version 2 uses key chains.

Using the key command will enter into the key-chain key configuration mode.

It is useful to have multiple keys on a key chain so that the software can sequence through the keys as they become invalid over a period of time. This is based on the accept-lifetime, send-lifetime and key chain key command settings.

If the last key expires, authentication will be invalid.

If there was a discrepancy in the set time of the router's keys, the first valid key will be chosen.

To remove all keys, remove the key chain with the no key chain command.

Example

The following example configures a key chain named chain1. Key1 named "forkey1string" will be accepted from 1:30 p.m. to 3:30 p.m. and be sent from 2:00 p.m. to 3:00 p.m. Key3 named "forkey3string" will be accepted from 2:30 p.m. to 4:30 p.m. and be sent from 3:00 p.m. to 4:00 p.m.

Switch(config)# interface vlan1
Switch(config-if)# ip rip authentication key-chain chain1
Switch(config-if)# ip rip authentication mode text
Switch(config-if)# exit
Switch(config)# router rip
Switch(config-router)# network 172.19.0.0/8
Switch(config-router)# version 2
Switch(config-router)# exit
Switch(config)# key chain chain1
Switch(config-keychain)# key 1
Switch(config-keychain-key)# key-string forkey1string
Switch(config-keychain-key)# accept-lifetime 13:30:00 Jan 25 2009 duration 7200
Switch(config-keychain-key)# send-lifetime 14:00:00 Jan 25 2009 duration 3600
Switch(config-keychain-key)# exit
Switch(config-keychain)# key 3
Switch(config-keychain-key)# key-string forkey3string
Switch(config-keychain-key)# accept-lifetime 14:30:00 Jan 25 2009 duration 7200
Switch(config-keychain-key)# send-lifetime 15:00:00 Jan 25 2009 duration 3600
Switch(config-keychain-key)# exit 

To verify the settings, enter the show ip key-chain command.

key chain

To manage authentication keys, define a key chain, identify the keys that belong to the key chain, and specify how long each key is valid by using the key chain command. To remove the key chain, use the no form of this command.

key chain NAME-OF-KEY

no key chain NAME-OF-KEY

Syntax Description

Default No key chains are configured.

Command Mode Global configuration

Usage Guideline

Routing Information Protocol (RIP) Version 2 uses key chains for authentication.

To enable authentication, a key chain with named keys must first be created.

It is recommended that only one key chain be configured per interface.

Example

The following example configures a key chain named chain1. Key1 named "forkey1string" will be accepted from 1:30 p.m. to 3:30 p.m. and be sent from 2:00 p.m. to 3:00 p.m. Key3 named "forkey3string" will be accepted from 2:30 p.m. to 4:30 p.m. and be sent from 3:00 p.m. to 4:00 p.m.

Switch(config)# interface vlan1
Switch(config-if)# ip rip authentication key-chain chain1
Switch(config-if)# ip rip authentication mode text
Switch(config-if)# exit
Switch(config)# router rip
Switch(config-router)# network 172.19.0.0/8
Switch(config-router)# version 2
Switch(config-router)# exit
Switch(config)# key chain chain1
Switch(config-keychain)# key 1
Switch(config-keychain-key)# key-string forkey1string
Switch(config-keychain-key)# accept-lifetime 13:30:00 Jan 25 2009 duration 7200
Switch(config-keychain-key)# send-lifetime 14:00:00 Jan 25 2009 duration 3600
Switch(config-keychain-key)# exit
Switch(config-keychain)# key 3
Switch(config-keychain-key)# key-string forkey3string
Switch(config-keychain-key)# accept-lifetime 14:30:00 Jan 25 2009 duration 7200
Switch(config-keychain-key)# send-lifetime 15:00:00 Jan 25 2009 duration 3600
Switch(config-keychain-key)# end 

To verify the settings, use the show ip key-chain command.

key-string

Use the key-string command ito specify the authentication string for a key. Use the no key-string command to remove the authentication string.

key-string TEXT

no key-string [TEXT]

Syntax Description

TEXT The required authentication string sent and received in packets using the routing protocol being authenticated. The string can consist of 1 to 16 alphanumeric characters, the first character cannot be a number.

Default No key chains are configured.

Command Mode key-chain key configuration

Usage Guideline Routing Information Protocol (RIP) Version 2 uses key chains for authentication. Each key can have only one key string.

Example

The following example configures a key chain named chain1. Key1 named forkey1string will be accepted from 1:30 p.m. to 3:30 p.m. and be sent from 2:00 p.m. to 3:00 p.m. Key3 named forkey3string will be accepted from 2:30 p.m. to 4:30 p.m. and be sent from 3:00 p.m. to 4:00 p.m.

Switch(config)# interface vlan1
Switch(config-if)# ip rip authentication key-chain chain1
Switch(config-if)# ip rip authentication mode text
Switch(config-if)# exit
Switch(config)# router rip
Switch(config-router)# network 172.19.0.0/8
Switch(config-router)# version 2
Switch(config)# key chain chain1
Switch(config-keychain)# key 1
Switch(config-keychain-key)# key-string forkey1string
Switch(config-keychain-key)# accept-lifetime 13:30:00 Jan 25 2009 duration 7200
Switch(config-keychain-key)# send-lifetime 14:00:00 Jan 25 2009 duration 3600
Switch(config-keychain-key)# exit
Switch(config-keychain)# key 3
Switch(config-keychain-key)# key-string forkey3string
Switch(config-keychain-key)# accept-lifetime 14:30:00 Jan 25 2009 duration 7200
Switch(config-keychain-key)# send-lifetime 15:00:00 Jan 25 2009 duration 3600
Switch(config-keychain-key)# end 

Verify the settings by entering the show ip key-chain command.

lapc port-priority

Use the lacp port-priority command to configure the port priority. Use the no form to configure the port priority to the default.

Iacp port-priority PRIORITY

no lacp port-priority

Syntax Description

PRIORITY Specifies the port priority. The range is 1 to 65535.

Default 32768

Command Mode Interface configuration

Usage Guideline

The lacp port-priority command is used to specify which ports can join a port channel and which ports are specified to be in backup mode. In a port priority comparison, a numerically lower value has a higher priority. If two or more ports have the same priority, the port number determines the priority.

Example

This example shows how to configure the port priority to 20000 on interface eth3.4 to eth3.5.

Switch(config)# interface range eth3.4-3.5
Switch(config-if)# lacp port-priority 20000 

Verify the settings with the show channel-group command.

lapc system-priority

Use the lacp system-priority command to configure the system priority used for LACP ports. Use the no form to configure the system priority to the default.

Iacp system-priority PRIORITY

no lacp system-priority

Syntax Description

PRIORITY Specifies the system priority. The range is 1 to 65535.

Default 32768.

Command Mode Global configuration

Usage Guideline

During Link Aggregation Control Protocol (LACP) negotiation, the system priority and port priority of the local partner are exchanged with the remote partner. If the maximum number of actual members exceeds the limitation, the switch uses port priority to determine whether the port status will be in backup mode or active mode. The LACP system priority determines which switch controls the port priority for the aggregated link. The port priorities of the other switch are ignored.

In a system priority comparison, a numerically lower value has a higher priority.

If two switches have the same system priority, the LACP system ID (MAC address) determines the priority.

The LACP system priority command applies to all LACP port channels on the switch.

Example

This example shows how to configuration the system priority to 30000.

Switch(config)# lacp system-priority 30000

Verify the settings with the show channel-group command

lease

Use this command to configure the lease duration of an IP address that is assigned from a DHCP server to a client. Use the no form of this command to restore the default value.

lease { DAYS [HOURS | MINUTES] | infinite }

no lease

Default 1 day

Command Mode DHCP pool configuration

Usage Guideline This command specified the duration of a lease. This command can only be executed under DHCP pool configuration mode, identified by the (config-dhcp)# prompt. Examples The following is a sample of configuring the lease, in address pool "pool1", to 1 day.

switch# configure terminal
switch(config)# ip dhcp pool pool1
switch(config-dhcp)# lease 1 

The following is sample of configuring the lease, in address pool "pool1", to 1 hour.

switch# configure terminal
switch(config)# ip dhcp pool pool1
switch(config-dhcp)# lease 0 1 

logging file

Use the logging file command to enable the storage of log messages to FLASH memory from the logging buffer.

logging file

Syntax None

Default None

Command Mode Global configuration

Usage Guideline Use this command to save log messages from the logging buffer to flash.

Example The example below sets log messages to be saved to flash.

Switch> enable
Switch# configure terminal
Switch(config)# logging file 

logging host

Use the logging host command to log system messages to a remote host. Remove logging hosts from the configuration with the no logging host command.

logging host IPADDRESS [ port UDP-PORT] [severity {emergency |alert |critical |error |warning |notice |informational|debugging}] [facility {local0|local1| local2| local3| local4| local5| local6| local7}]

no logging host [IP-ADDRESS]

Default IP-ADDRESS: None

UDP port: 514.

severity: informational

facility: local7

Command Mode Global configuration

Usage Guideline

The number of supporting SYSLOG servers is project dependent. When the number of configured SYSLOG servers reaches the maximum capacity, a new SYSLOG server is unable to be configured before and existing entry is deleted using the command no logging host.

The severity level limits the logging of system messages sent to Syslog servers to only those messages at and up to the specified level. For example, if the trap severity is debugging, all logs in the Syslog daemon are sent to the log server host. If the level of log trap is alert, then only alert and emergency logs are sent.

The keyword facility specifies the syslog facility in the SYSLOG messages which are sent to the server.

For the no command, if the IP address is not specified, all logging hosts will be deleted.

Example The below example shows how to create a log server with the host address

20.3.3.3 . The command configures the server to receive logs with a severity level set to critical

Switch> enable
Switch# configure terminal
Switch(config)# logging host 20.3.3.3 severity critical 

Verify the settings with the show logging host command.

logging level

Use this command to limit messages logged to the message buffer based on facility (type of messages to capture) and severity level.

logging level all SEVERITY

Default SEVERITY: 5

Command Mode Global configuration

Usage Guideline The command limits the logging of system messages to the syslog buffer to only those messages for the specified facility at and up to the specified severity level. For example, if the buffer severity is 7 (debugging) then all logs in syslog daemon will log to buffer. If buffer severity is 1 (alert), then only alert and emergency logs will be logged to buffer.

Example The below example limits logs with severity alert and emergency to be logged to buffer for all facilities.

switch> enable
switch# configure terminal
Switch(config)# logging level all 1 

Verify the settings by entering the show logging command.

logging on

Use the logging on command to start logging system messages on this switch. Use the no form of this command to stop logging.

logging on

no logging on

Syntax None

Default Logging of system messages is on.

Command Mode Global configuration

Usage Guideline To enable logging of system messages, use the logging on command in global configuration mode.

Example To set logging of system messages to on, execute the below commands.

Switch> enable
switch# configure terminal
Switch(config)# logging on 

Verify the settings with the show logging command.

login

Use this command to login to the switch with a specified username.

login

Syntax None

Default None

Command Mode User EXEC

Usage Guideline Change a login username by using this command.

When logging in using a TELNET connection, if all of the attempts fail, the connection will be returned to the logout state. For a direct console connection, the session will also be returned to the logout state.

Example

This example shows how to login with username user1.

Switch>login

User Access Verification

Username: user1
Password:

DGS-6604 Chassis-based High-Speed Switch
Command Line Interface

Firmware: 1.00.029
Copyright (c) 2011 D-Link Corporation. All rights reserved.
Switch# 

logout

Use this command to close an active terminal session by logging off the switch.

logout

Syntax None

Default None

Command Mode User EXEC

Usage Guideline

Close an active terminal session by logging off the device using the logout command.

Example This example shows how to logout from the switch.

Switch# disable
Switch> logout 

mac access-group

Use the mac access-group command to specify a MAC access list to be applied to an interface. Use the no mac access-group command to remove the access group control from the interface.

mac access-group NAME [in]

no mac access-group NAME [in]

Default If the in direction is not specified, the default will be the in direction.

Command Mode Interface configuration

Example This example shows applied MAC access-list "daily-profile" to eth3.1

Switch(config)# interface eth3.1
Switch(config-if)# mac access-group daily-profile in 

Verify the settings with the show access-group command.

mac access-list

Use the mac access-list command to create a MAC access list in the configuration. Enter this command to go into mac access-list configuration mode. Use the no form of the command to delete a MAC access list.

mac access-list extended NAME

no mac acces-list extended NAME

Syntax Description

NAME The name of the MAC access list being created. The syntax is a general string with no spaces of up to 32 characters.

Default An implicit deny statement for all addresses.

Command Mode Global configuration

Usage Guideline

To apply an access list to an interface, create the list with the mac access-list extended command. An interface can have only one MAC access list, one IP access list and one IPv6 access list applied to it. Use this command to enter the mac access-list configuration mode, then use the permit/deny command to specify the entries.

Access lists names must be unique among access lists. Access list names are case sensitive.

A configured access list is always terminated by an implicit deny statement for all addresses.

An error message will appear if the allowed number of lists is exceeded.

If both a MAC access list and an IP access-list or IPv6 access-list are applied to an interface, the packet will be processed using the MAC access list first. If the packet is not dropped by the MAC access list, the packet will be then processed by the IP access list or the IPv6 access list. This order of packet handling therefore gives higher priority to the MAC access list.

Example

This example shows how to enter the mac access-list configuration mode for "daily-profile":

Switch(config)# mac access-list extended daily-profile Switch(config-mac-ext-acl)#

Verify the access list configuration settings with the show access-list command.

mac address-table aging destination-hit

Use the MAC address-table aging destination-hit command to enable the destination MAC address triggered update function (Updates the hit bit of the MAC address entry based on the destination MAC of the forwarding packet).

Use the no form of the command to disable the triggered updated function.

mac address-table aging destination-hit

no mac address-table aging destination-hit

Syntax None

Default Disabled

Command Mode Global configuration

Usage Guideline

The source MAC address triggered update function is always enabled. When a user enables the destination MAC address triggered update function by entering the "mac address-table aging destination-hit" command, the hit bit of MAC address entries will be updated. It will be updated for either the destination MAC addresses or the source MAC addresses when the forwarding packet is matched. The destination MAC address triggered update function increases the frequency of the MAC address entries hit bit update and will reduce the traffic flooding when the aging of MAC address entries expires.

Example This example shows how to enable the destination MAC address triggered update function.

Switch:15(config)# mac address-table aging destination-hit

Verify the setting by entering the show mac address-table aging destination-hit command.

mac address-table aging-time

Use this command to set the length of time that a dynamic entry remains in the MAC address table.

mac address-table aging-time SECONDS

Syntax Description

SECONDS Aging time in seconds. The valid range is 0 or 10 to 1000000 seconds. 0 means that the aging function is disabled so entries never age out.

Default SECONDS: 300

Command Mode Global configuration

Usage Guideline Set the aging time to 0 to disable the MAC address table aging out function.

Example This example shows how to set the aging time to 200 seconds:

Switch(config)# mac address-table aging-time 200

Verify the setting by entering the show mac address-table aging-time command.

mac address-table static

Use the mac address-table static command to add a static address to the MAC address table. Use the no mac address-table static command to remove static addresses from the table.

mac address-table static MAC-ADDR vlan VLAN-ID interface INTERFACE-ID [, | - ]

no mac address-table static MAC-ADDR vlan VLAN-ID [interface INTERFACE-ID] [, | - ]

Default Not configured

Command Mode Global configuration

Usage Guideline A unicast MAC address entry can be specified with only one interface.

A multicast MAC address entry can be specified with multiple interfaces.

To delete a unicast MAC address entry, it is not necessary to specify the interface ID. When deleting a multicast MAC address entry, if the interface ID is specified, only that interface is removed. Otherwise, the entire multicast MAC entry will be removed.

An error message will appear if the entry to be removed does not exist.

Example This example shows how to add static address C2:F3:22:0A:12:F4 to the MAC address table. When a packet is received in VLAN 4, with this MAC address as its destination, the packet is forwarded to the specified interface:

Switch(config)# mac address-table static C2:F3:22:0A:12:F4 vlan 4 interface eth3.1

Verify the setting by entering the show mac address-table command.

mac-base ( VLAN )

Use the mac-base command to create a MAC-based VLAN ID assignment entry. Use the no form of this command to remove a MAC-based VLAN ID assignment entry.

mac-base MAC-ADDRESS

no mac-base MAC-ADDRESS

Syntax Description

MAC-ADDRESS Specifies the MAC address for the entry.

VLAN-ID Specifies the VLAN ID for the entry.

Default Not configured

Command Mode VLAN configuration

Usage Guideline

Use the mac-base command to create a MAC-based VLAN ID assignment entry. Any frame with a source MAC address matching the entry is classified as a member of the VLAN associated with the entry.

Example This example shows how to create a MAC-based VLAN ID entry.

Switch(config)#vlan 101
Switch(config-vlan)#mac-base 00-80-cc-00-00-11
Switch(config-vlan)#exit

Verify the settings with the show vlan command.

match

Use the match command in the class map configuration mode to configure the match criteria for a class-map. Use the no form of the command to remove the match criteria.

match {access-list ACCESS-LIST-NAME | cos COS-LIST | [ip] dscp DSCP-LIST | [ip] precedence IP-PRECEDENCE-LIST/| protocol PROTOCOL-NAME | vlan VLAN-LIST}

no match { access-list ACCESS-LIST-NAME | cos COS-LIST | [ip] dscp DSCP-LIST | [ip] precedence IP-PRECEDENCE-LIST | protocol PROTOCOL-NAME | vlan VLAN-ID-LIST}

Default Not configured

Command Mode Class-map configuration

Usage Guideline

To use the match command, the user must first enter the class-map command to specify the name of the class to establish the match criteria with. The treatment of these matched packets is defined by the user through the setting of Quality of Service (QoS) policies in the policy-map class configuration mode.

The match access-list command specifies a named ACL whose contents are used as the match criteria against which packets are checked to determine if they belong to the class. The packets that are permitted by the access list will be included in the class.

To match a packet on the basis of a Layer 2 class of service (CoS) marking, use the match cos command in class-map configuration mode. To remove a specific Layer 2 CoS marking as a match criterion, use the no form of this command.

To identify one or more differentiated service code point (DSCP), use the match dscp command in class-map configuration mode. To remove a specific DSCP

value from a class map, use the no form of this command. As an example for the match dscp command, if the user wants to match the DCSP values of 0, 1, 2, 3, 4, 5, 6, or 7 (note that only one of the IP DSCP values needs to be matched, not all of the specified DSCP values), enter the match dscp 0,1,2,3,4,5,6,7 command. This command is used by the class map to identify the specified DSCP value on a packet as a match with the traffic class configured.

To identify IP precedence values to use as the match criteria, use the match precedence command in class-map configuration mode. To remove IP precedence values from a class map, use the no form of this command. For example, to use the precedence values of 0, 1, 2, or 3 (note that only one of the precedence values needs to be matched, not all of the specified precedence values), enter the match ip precedence 0,1.2.3 command or match ip precedence 0-3 command.

To configure the match criteria for a class map on the basis of the specified protocol, use the match protocol command in class-map configuration mode. To remove protocol-based match criterion from a class map, use the no form of this command.

To match and classify traffic on the basis of the virtual local-area network (VLAN) identification number, use the match vlan command in class-map configuration mode. To remove a previously specified VLAN identification number as a match criterion, use the no form of this command

The match protocol command specifies the name of a protocol to be used as the match criteria against which packets are checked to determine if they belong to the class.

Supported Protocols:
The following table lists the reference for the supported protocols.

Examples The following example specifies a class map called class-home-user and configures the access list named acl-home-user to be used as the match criteria for that class:

Switch(config)# class-map class-home-user
Switch(config-cmap)# match access-list acl-home-user
Switch(config-cmap)# exit

In the following example, classes called voice and video-n-data are created to classify traffic based on the CoS values. QoS treatment is then given to the appropriate packets in the cos-based-treatment policy map (in this example, the QoS treatment is a single rate policer and a two rate policer for class voice and video-n-data respectively). The service policy configured in this example is attached to Ethernet interface 3.1.

Switch(config)# class-map voice
Switch(config-cmap)# match cos 7
Switch(config-cmap)# exit
Switch(config)# class-map video-n-data
Switch(config-cmap)# match cos 5
Switch(config-cmap)# exit
Switch(config)# policy-map cos-based-treatment
Switch(config-pmap)# class voice
Switch(config-pmap-c)# police 8000 1000 exceed-action drop
Switch(config-pmap-c)# exit
Switch(config-pmap)# class video-n-data
Switch(config-pmap-c)# police cir 500000 bc 10000 pir 1000000 be 10000 exceed-action drop violate-action drop
exceed-action 2 violate-action drop
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# interface eth3.1
Switch(config-if)# service-policy cos-based-treatment 

The following example specifies a class map called cos and specifies that the CoS values of 1, 2, and 3 are match criteria for the class:

Switch(config)# class-map cos
Switch(config-cmap)# match cos 1,2,3
Switch(config-cmap)# exit

Verify the settings by entering the show class-map command.

match as-path

Use this command to match a BGP autonomous system path access list. To delete an entry, use the no form of this command.

match as-path ACCESS-LIST-NAME

no match as-path ACCESS-LIST-NAME

Syntax Description

ACCESS-LIST-NAME Specifies the name of AS path access list.

Default Not configured

Command Mode Route-map configuration

Usage Guideline

The values set by the match as-path and set weight commands override global values. For example, the weights assigned with the match as-path and set weight route-map configuration commands override the weight assigned using the neighbor weight command.

A route map can have several parts. Any route that does not match at least one match clause relating to a route-map command will be ignored; that is, the route will not be advertised for outbound route maps and will not be accepted for inbound route maps. To modify only a portion of the data, a second route-map section must be configured with an explicit match statement.

match means that the AS path list exactly matches the AS path, or is a subset of the AS path list.

Example This example shows how to add a match statement to the policy routing entry with name myPolicy:

Switch(config)# route-map myPolicy permit 1
Switch(config-route-map)# match as-path PATH_ACL

Verify the settings with the show route-map command.

match community

Use the match community command to match a Border Gateway Protocol (BGP) community. Use the no match community command to remove the entry from the list and return to the default condition.

match community COMMUNITY-LIST-NAME [exact]

no match community COMMUNITY-LIST-NAME [exact]

Syntax Description

Default Not configured

Command Mode Route-map configuration

Usage Guideline

A route is not advertised for outbound route maps or accepted for inbound route maps if the route does not match at least one match clause relating to a route-map command. In order to modify only a portion of the route data it is necessary to configure a second route-map section that specifies an explicit match.

Matching based on the community list number is one of the types of match commands applicable to BGP.

This route map set command is only for BGP.

When exact is specified, the communities of the route must be exactly the same as the permitted communities specified in the community-list (by the command ip community-list).

When exact is not specified, at least one community of the route must match one of the permitted communities in the community-list, and that community does not match any deny community.

Example

In the following example, routes that match the community list ALPHA-COMMUNITY, which is 101:200, have their weights then set to 100. Any route that has community 101:200 alone (exact match) will have its weight set to 100. The route policy is named myPolicy:

Switch(config)#ip community-list ALPHA-COMMUNITY permit 101:200
Switch(config)# route-map myPolicy permit 1
Switch(config-route-map)# match community ALPHA-COMMUNITY exact
Switch(config-route-map)# set weight 100 

Verify the settings with the show route-map command

maximum-paths

To control the maximum number of parallel routes that an IP routing protocol can support, use the maximum-paths command in router configuration mode.

maximum-paths NUMBER-PATHS

Default NUMBER-PATHS: 6

Command Mode Global configuration

Usage Guideline None

Example The following example shows how to allow a maximum of 8 paths to a destination for an Open Shortest Path First (OSPF) routing process::

Router(config)# maximum-paths 8

Verify the settings by entering the show ip route summary command.

max-rcv-frame-size

Use the command to set the maximum Ethernet frame size allowed. Use the default form to restore the default max-rcv-frame-size size.

max-rcv-frame-size BYTES

default max-rcv-frame-size

Syntax Description

BYTES Set the maximum Ethernet frame size allowed. The range is 1536 to 9728 bytes.

Default BYTES: 1536 bytes

Command Mode Interface command for physical port and port channel but not for VLAN.

Usage Guideline

Oversize frames will be dropped and the check is done within the ingress ports.

Use the command to transfer large frames or jumbo frames through the switch system to optimize server-to-server performance.

When a port is removed from the port-channel member list, the max-rcv-frame-size setting for the port will be reset to the default setting.

Examples This example shows how to set max-rcv-frame-size as 6000 bytes at eth4.1

Switch# configure terminal
Switch(config)# interface eth4.1
Switch(config-if) max-rcv-frame-size 6000
Switch(config-if)# end

This example shows how to restore the default max-rcv-frame-size

Switch# configure terminal
Swtich(config)# interface eth4.1
Switch(config-if)# default max-rcv-frame-size
Switch(config-if)# end

Verify the settings by entering the show interface command.

mgmt-if

Use this command to enter into the management interface mode. Commands entered in this mode will be applied to the management port.

mgmt-if

Syntax None

Default None

Command Mode Global configuration

Usage Guideline None

Example The following example displays how to enter the management interface mode.

Switch(config)# mgmt-if
Switch(mgmt-if)# 

Verify the settings using the show mgmt-if command.

monitor session

Use monitor session to create a port mirroring session, allowing source ports as mirrored ports to be monitored through a destination port. Use the no form of this command to delete all or a specific port mirroring session, or remove either a destination port or a source port within a specific port mirroring session.

monitor session SESSION-NUMBER destination interface INTERFACE-ID

monitor session SESSION-NUMBER source interface INTERFACE-ID [, | - ] [both | rx | tx ]

no monitor session SESSION-NUMBER destination interface INTERFACE-ID

no monitor session SESSION-NUMBER source interface INTERFACE-ID [, | - ] [ both | rx | tx]

no monitor session [ SESSION-NUMBER ]

Default Not configured

Command Mode Global configuration

Usage Guideline The following applies to monitoring:

• A desination port and source port cannot be the same port.
• A port-channel can be specified as a monitor source or as a monitor destination.
• A channel-group member port cannot be specified as a monitor source port or destination port.
• For a monitor session, multiple source interfaces can be specified. However, only one destination interface can be specified. An interface cannot

be a source interface of one session and destination port of another session simultaneously.

• For a destination port, all the layer 2 settings configured for this port are all ineffective.
• IEEE 802.1x authentication on a port cannot be enabled for a destination port, but is allowed on the source port.

Entering no monitor session without specifying a session number deletes all port mirroring sessions.

Examples

This example shows how to create a port mirroring session with session number 1. It assigns a physical port (eth3.1) as a destination port and three source physical ports (eth3.2, eth3.3, and eth3.4) as mirrored ports.

Switch# configure terminal
Switch(config)# monitor session 1 destination interface eth3.1
Switch(config)# monitor session 1 source interface eth3.2-3.4
Switch(config)# end

This example shows how to remove two source ports from a created port mirroring session with session number 1.

Switch# configure terminal
Switch(config)# no monitor session 1 source interface eth3.2,eth3.4
Switch(config)# end

Verify the settings by entering the show monitor session command.

mtu

Use the command to set the MTU value. This value is used to monitor oversize IP packets. Use default form to restore to the default mtu size.

mtu BYTES

default mtu

Syntax Description

BYTES Set the monitor threshold. The settable range is 1280 to 9692 bytes.

Default BYTES: 1500 bytes

Command Mode Interface command for physical port and port channel but not for VLAN.

Usage Guideline

Oversize packets will be sent to the control module blade for further processing and the check is done in egress ports. This is especially important to support IPv6 because an IPv6 router should send out ICMP messages to source device for an MTU violation situation.

As a port is removed from the port-channel member list, the MTU setting for the port will be reset to the default setting.

One should set appropriate values to these MTUs to avoid unexpected results. In the general case, max- rcv-frame-size is larger than the ip mtu and mtu to cover L2 header size. mtu is set as the same value as ip mtu.

Examples This example shows how to set mtu as 6000 bytes at eth4.1

Switch# configure terminal
Switch(config)# interface eth4.1
Switch(config-if) mtu 6000
Switch(config-if)# end

This example shows how to restore the default mtu

Switch# configure terminal
Swtich(config)# interface eth4.1
Switch(config-if)# default mtu
Switch(config-if)# end

Verify the settings by entering the show interface command

multicast filtering-mode

Use the multicast filtering mode command to configure the method how an interface handles unknown multicast packets.

multicast filtering-mode { forward-all | forward-unregistered | filter-unregistered }

Default forward-unregistered

Command Mode Interface configuration

Usage Guideline Only VLAN interfaces support this command.

Example This example shows how to set the multicast filtering mode to filter-unregistered.

Switch(config)# interface vlan1
Switch(config-if)# multicast filtering-mode filter-unregistered 

Verify the setting by entering the show multicast filtering-mode command.

name

Use the name command to set the name of an MST region. To return to the default name, use the no form of this command.

name NAME

no name

Syntax Description

Default NAME: (The MAC Address of the Bridge)

Command Mode MST configuration

Usage Guideline

If two or more switches have the same VLAN mapping and configuration version number, the switches are considered to be in different MST regions if the region names are different. Use the name command to differentiate MST regions.

Caution: Use care when the name command is used to set the name of an MST region. A mistake can put the switch in a wrong or different region. The MST region name is a case-sensitive parameter.

Example

This example shows how to configure the MSTP configuration name to 'alpha'.

Switch(config)#spanning-tree mst configuration
Switch(config-mst)# name alpha

Verify the settings by entering the show spanning-tree mst configuration command.

neighbor

Use the neighbor command to define a neighboring router with which to exchange routing information. Use the no form to remove an entry.

neighbor IP-ADDRESS

no neighbor IP-ADDRESS

Syntax Description

Default Not configured

Command Mode Router configuration

Usage Guideline

This command allows point-to-point (non-broadcast) exchange of routing information. Additional neighbors or peers can be specified using multiple neighbor commands.

When used in combination with the passive-interface router configuration command, routing information can be exchanged between a subset of routers and access servers on a LAN.

Example

In the following example, RIP updates are sent to all interfaces except vlan1 on network 10.0.0.0/8. However, in this case a neighbor router configuration command is included. This command permits routing updates to be sent to specific neighbors. One copy of the routing update is generated per neighbor:

Switch# configure terminal
Switch(config)# router rip
Switch(config-router)# network 10.0.0.0/8
Switch(config-router)# passive-interface vlan1
Switch(config-router)# neighbor 10.50.71.50 

Verify the settings by entering the show ip protocols rip command

neighbor (RIP IPv6)

To define a neighboring router with which to exchange routing information, use the neighbor command in router configuration mode. Use the no form of the command to remove an entry.

neighbor IPv6-ADDRESS IFNAME

no neighbor IPv6-ADDRESS IFNAME

Default Not configured

Command Mode Router configuration

Switch# configure terminal
Switch(config)# router ipv6 rip
Switch(config-router)# neighbor fe80::1 vlan1 

Verify the settings by entering the show ipv6 rip database command

neighbor advertisement-interval

Use this command to set the minimum interval between each transmission of Border Gateway Protocol (BGP) routing updates. Use the no form of the command to return to the default configuration.

neighbor { IP-ADDRESS | PEER-GROUP-NAME } advertisement-interval SECONDS

default neighbor { IP-ADDRESS | PEER-GROUP-NAME } advertisement-interval

Default SECONDS: 30 seconds for external peers

SECONDS: 5 seconds for internal peers

Command Mode Address family configuration

Router configuration

Usage Guideline When a BGP peer group is specified using the PEER-GROUP-NAME argument, all the members of the peer group inherit the characteristic configured with this command.

Example The following address family configuration mode example sets the minimum time between sending BGP routing updates to 15 seconds:

Switch(config)# router bgp 65100
Switch(config-router)# address-family ipv4
Switch(config-router-af)# neighbor 10.4.4.4 advertisement-interval 15 

Verify the settings by entering the show ip bgp neighbor command.

neighbor description

Use this command to associate a text description with a neighbor. Use the no form of the command to remove the description.

neighbor { IP-ADDRESS | PEER-GROUP-NAME } description TEXT

no neighbor { IP-ADDRESS | PEER-GROUP-NAME } description

Syntax Description

Default None

Command Mode Router configuration

Usage Guideline

When a BGP peer group is specified using the PEER-GROUP-NAME argument, all the members of the peer group inherit the characteristics configured with this command.

Example

The following example shows how to configure a description for the neighbor 172.16.10.10:

Switch(config)# router bgp 65100
Switch(config-router)# neighbor 172.16.10.10 description ABC in China 

Verify the settings by entering the show ip bgp neighbor command.

neighbor filter-list

Use this command to create a BGP filter. Use the no form of the command to disable this function.

neighbor { IP-ADDRESS | PEER-GROUP-NAME } filter-list AS-PATH-LIST-NAME { in | out }

no neighbor { IP-ADDRESS | PEER-GROUP-NAME } filter-list AS-PATH-LIST-NAME { in | out }

Syntax Description

Default Disabled

Command Mode Router configuration

Usage Guideline

This command specifies an access list filter for updates based on BGP autonomous system paths. Each filter is an as-path access list based on regular expressions.

Each neighbor can only have 1 in and 1 out access list.

Example The following example shows how to configure the BGP neighbor with IP address 172.16.1.1 to not send advertisements about any path which is through or from the adjacent autonomous system 123:

Switch(config)# ip as-path access-list myacl deny _123_
Switch(config)# ip as-path access-list myacl deny ^123$
Switch(config)# ip as-path access-list myacl permit .* 
Switch(config)# router bgp 65100
Switch(config-router)# network 10.108.0.0
Switch(config-router)# neighbor 192.168.6.6 remote-as 123
Switch(config-router)# neighbor 172.16.1.1 remote-as 47
Switch(config-router)# neighbor 172.16.1.1 filter-list myacl out 

Verify the settings, in User Exec Mode, by entering the show ip protocols bgp command.

neighbor peer-group (create group)

Use this command to create a peer group. Use the no form of the command to remove a peer group.

neighbor PEER-GROUP-NAME peer-group

no neighbor PEER-GROUP-NAME peer-group

Syntax Description

PEER-GROUP-NAME Name of the BGP peer group

Default Not configured

Command Mode Router configuration

Address family configuration

Usage Guideline

Often in a BGP or multiprotocol BGP speaker, multiple neighbors are configured with the same update policies (that is, the same outbound route maps, distribution lists, filter lists, update source, and so on).

Neighbors with the same update policies can be grouped into peer groups to simplify configuration and make update calculations more efficient.

Example This example shows how to create a peer group named ALPHA-GROUP

Switch(config)# router bgp 65100
Switch(config-router)# neighbor ALPHA-GROUP peer-group 

neighbor peer-group (add group member)

Use this command to add a neighbor into a peer group. Use the no form of the command to remove a neighbor from a peer group.

neighbor IP-ADDRESS peer-group PEER-GROUP-NAME

no neighbor IP-ADDRESS peer-group PEER-GROUP-NAME

Syntax Description

IP-ADDRESS IP address of the neighbor.

PEER-GROUP-NAME Name of the BGP peer group

Default None

Command Mode Router configuration

Address family configuration

Usage Guideline

The neighbor at the specified IP address inherits all the configured options of the peer group.

Example This example shows how to add a group member 10.1.1.254 to the peer group, named ALPHA-GROUP.

Switch(config)# router bgp 65100
Switch(config-router)# neighbor ALPHA-GROUP peer-group
Switch(config-router)# neighbor 10.1.1.254 peer-group ALPHA-GROUP 

Verify the settings by entering the show ip bgp neighbor command in User EXEC mode.

neighbor remote-as

Use this command to add an entry to the Border Gateway Protocol (BGP) neighbor table. Use the no form of this command to remove an entry from the table.

neighbor { IP-ADDRESS | PEER-GROUP-NAME} remote-as AS-NUMBER

no neighbor { IP-ADDRESS | PEER-GROUP-NAME} remote-as AS-NUMBER

Syntax Description

Default Not configured

Command Mode Router configuration

Usage Guideline

Use this command to add the IP address of the neighbor, in the specified autonomous system, to the BGP neighbor table of the local router.

Specifying a neighbor with an autonomous system number, that matches the autonomous system number specified in the router bgp global configuration command, identifies the neighbor as internal to the local autonomous system. Otherwise, the neighbor will be considered as external.

When a BGP peer group is specified using the PEER-GROUP-NAME argument, all the members of the peer group inherit the characteristics configured with this command.

By default, neighbors that are defined using the neighbor remote-as command in router configuration mode exchange only unicast address prefixes.

Example
This example shows how to specify a router with the address 10.108.2.1 as a neighbor in autonomous system number 110:

Switch(config)# router bgp 65100
Switch(config-router)# network 10.108.0.0
Switch(config-router)# neighbor 10.108.2.1 remote-as 110 

Verify the settings by entering the show ip bgp neighbor command.

neighbor route-map

Use this command to apply a route map to incoming or outgoing routes. Use the no form of the command to remove the route map.

neighbor { IP-ADDRESS | PEER-GROUP-NAME } route-map MAP-NAME { out }

no neighbor { IP-ADDRESS | PEER-GROUP-NAME } route-map MAP-NAME { out }

Syntax Description

Default None

Command Mode Address family configuration

Router configuration

Usage Guideline

When issued in address family configuration mode, this command applies a route map to that particular address family only. When issued in router configuration mode, this command applies a route map to IP Version 4 unicast routes only.

If an outbound route map is specified, it is proper behavior to only advertise routes that match at least one section of the route map.

When a BGP peer group is specified using the PEER-GROUP-NAME argument, all the members of the peer group inherit the characteristic configured with this command. Specifying the command for a neighbor overrides the inbound policy that is inherited from the peer group.

Example

The following example in router configuration mode applies a route map named internal-map to a BGP outgoing route from 172.16.70.24:

Switch(config)#router bgp 5
Switch(config)#neighbor 172.16.70.24 route-map internal-map out
Switch(config)#route-map internal-map permit 10
Switch(config-route-map)#match as-path 1
Switch(config-route-map)#set origin incomplete
Swtch(config-route-map)#end
Switch(config)# 

Verify the settings by entering the show ip bgp neighbor command.

neighbor send-community

Use this command to specify that the communities attribute should be sent to a BGP neighbor, use the no form of this command to remove the entry.

neighbor { IP-ADDRESS | PEER-GROUP-NAME } send-community [both | standard | extended]

no neighbor { IP-ADDRESS | PEER-GROUP-NAME } send-community [both | standard | extended]

Syntax Description

Default None

Command Mode Address family configuration

Router configuration

Usage Guideline

When a BGP peer group is specified using the PEER-GROUP-NAME argument, then all the members of the peer group inherit the characteristics configured with this command.

Example
The following example, using the address family configuration mode, sets the send-community with the both option (standard and extended):

Switch(config)# router bgp 65100
Switch(config-router)# address-family ipv4
Switch(config-router-af)# neighbor 10.4.4.4 send-community both 

Verify the settings by entering the show ip bgp neighbor command.

neighbor shutdown

Use this command to disable a neighbor or peer group. Use the no form of this command to re-enable a neighbor or peer group.

neighbor { IP-ADDRESS | PEER-GROUP-NAME} shutdown

no neighbor { IP-ADDRESS | PEER-GROUP-NAME} shutdown

Syntax Description

Default None

Command Mode Router configuration

Usage Guideline

Use this command to terminate any active session for the specified neighbor or peer group and remove all associated routing information. In the case of a peer group, a large number of peering sessions could be suddenly terminated.

Example

The following example shows how to disable any active session for the neighbor 172.16.10.10:

Switch(config)# router bgp 65100
Switch(config-router)# neighbor 172.16.10.10 shutdown 

Verify the settings by entering the show ip bgp neighbor command.

neighbor timers

Use this command to set the timers for a specific BGP peer or peer group. Use the no form of this command to clear the timers for a specific BGP neighbor.

neighbor { IP-ADDRESS | PEER-GROUP-NAME} timers KEEP-ALIVE HOLD-TIME

no neighbor { IP-ADDRESS | PEER-GROUP-NAME} timers

Default KEEPALIVE: 60 seconds

HOLDTIME: 180 seconds

Command Mode Router configuration

Usage Guideline The timers configured for a specific neighbor, or peer group, override the timers configured for all BGP neighbors using the timers bgp command.

Example The following example shows how to configure the KEEP-ALIVE timer to 120 seconds and the HOLD-TIME timer to 360 seconds for the neighbor 172.16.10.10:

Switch(config)# router bgp 65100
Switch(config-router)# neighbor 172.16.10.10 timer 120 360 

Verify the settings by entering the show ip bgp neighbor command.

neighbor update-source

Use this command to allow internal BGP sessions to use any operational interface for TCP connections. Use the no form of this command to restore the interface assignment to the closest interface.

neighbor { IP-ADDRESS | PEER-GROUP-NAME } update-source INTERFACE-ID

no neighbor { IP-ADDRESS | PEER-GROUP-NAME } update-source INTERFACE-ID

Syntax Description

IP-ADDRESS Specifies IP address prefixes

PEER-GROUP-NAME Name of a Border Gateway Protocol (BGP) peer group

INTERFACE-ID Specifies the interface ID

Default The best local address is used.

Command Mode Router configuration

Usage Guideline Use this command in conjunction with any specified interface on the router.

Example The following example shows how to configure the internal BGP sessions to use VLAN 1 for the neighbor 172.16.10.10:

Switch(config)# router bgp 65100
Switch(config-router)# neighbor 172.16.10.10 update-source vlan1 

Verify the settings by entering the show ip bgp neighbor command.

neighbor weight

Use this command to specify the weight associated with a specific neighbor. To remove a weight assignment, use the no form of this command.

neighbor {IP-ADDRESS | PEER-GROUP-NAME} weight NUMBER

no neighbor {IP-ADDRESS | PEER-GROUP-NAME} weight

Syntax Description

Default Routes learned through another BGP peer have a default weight: 0

Routes sourced by the local router have a default weight: 32768.

Command Mode Address family configuration

Router configuration

Usage Guideline The weight specified by this command determines the weight to be associated with the routes learned from a specified neighbor.

Example The following address family configuration mode example sets the weight of the neighbor 10.4.4.4 to 10000:

Switch(config)# router bgp 65100
Switch(config-router)# address-family ipv4
Switch(config-router-af)# neighbor 10.4.4.4 weight 10000 

Verify the settings by entering the show ip bgp neighbor command.

netbios node-type

This command is used to configure the NetBIOS node's type for Microsoft Dynamic Host Configuration Protocol (DHCP) clients. Use the no form of this command to restore the configuration of the NetBIOS node's type back to default configuration (Hybrid).

netbios node-type NTYPE

no netbios node-type

Syntax Description

NTYPE Specifies the type of NetBIOS node. Valid types are listed below:

• b-node - Broadcast
• p-node - Peer-to-peer
• m-node - Mixed
  • h-node - Hybrid (recommended)

Default NTYPE: h-node

Command Mode DHCP pool configuration

Usage Guideline

This command configures the NetBIOS node's type; the recommended type is h-node (Hybrid). It determines what methods NetBios will use to register and resolve names.

• b-node - The broadcast system uses broadcasts.
• p-node - A p-node system uses only point-to-point name queries to a name server (WINS).
• m-node - An m-node system broadcasts first, and then queries the name server.
• Hybrid - A hybrid system queries the name server first, and then broadcasts.

Resolution through LMHOSTS and/or Domain Name Service (DNS), if enabled, will follow these methods.

Example The following is sample of configuring the Netbios node type as h-node.

switch# configure terminal
switch(config)# ip dhcp pool pool1
switch(config-dhcp)# netbios node-type h-node 

netbios scope-id

This command configures the NetBIOS scope id for Microsoft Dynamic Host Configuration Protocol (DHCP) clients. Use the no form of this command to remove the configuration of NetBIOS scope id.

netbios scope-id STRING

no netbios scope-id

Syntax Description

STRING A character string. The maximum length is 18 characters.

Default None

Command Mode DHCP pool configuration

Usage Guideline

The Scope ID is a character string which is appended to the NetBIOS name for all NetBIOS communications over TCP/IP. It provides a method to isolate a collection of computers that can then only communicate with each other.

Example

The following is sample of configuring the NetBIOS Scope ID as the string "alpha".

switch#configure terminal
switch(config)#ip dhcp pool pool1
switch(config-dhcp)#netbios scope-id alpha
switch(config-dhcp)# 

netbios wins-server

To configure the IP address of a WINS server for Microsoft Dynamic Host Configuration Protocol (DHCP) clients. Use the no form of this command to remove the configuration of WINS server.

netbios wins-server [IP-ADDRESS]

no netbios wins-server [IP-ADDRESS]

Syntax Description

IP-ADDRESS The IP address of the WINS server.

Default Not configured

Command Mode DHCP pool configuration

Usage Guideline

This command is used to configure a primary and secondary WINS server. The primary preference is the old WINS. The maximum number of configurable WINS servers is dependent on each project.

Examples The following example configures a primary WINS server as 10.1.1.100.

switch(config-dhcp)#netbios wins-server 10.1.1.100

The following example configures a secondary WINS server as 10.1.1.200.

switch(config-dhcp)#netbios wins-server 10.1.1.200

The following example removes the WINS server 10.1.1.100 so that 10.1.1.200 becomes the primary WINS server.

switch(config-dhcp)#no netbios wins-server 10.1.1.100

network

Use the command to specify that the network utilizes Routing Information Protocol (RIP). To remove an RIP network entry, use the no form of this command.

network NETWORK-PREFIX / MASK

no network NETWORK-PREFIX / MASK

Syntax Description

Default Not configured

Command Mode Router configuration

Usage Guideline

Use this command to specify networks to which routing updates are sent and received. If a network is not specified, the interfaces in that network will not be advertised in any RIP update.

Example

The following example shows how to define RIP as the routing protocol to be used on all interfaces connected to networks 192.168.70.0/24 and network 10.99.0.0/16

Switch# configure terminal
Switch(config)# router rip
Switch(config-router)# network 192.168.70.0/24
Swtch(config-router)# network 10.99.0.0/16
Switch(config-router)# end 

Verify the settings by entering the show ip protocols rip command.

network (BGP)

Use this command to configure the networks to be advertised by the Border Gateway Protocol (BGP) protocol. To remove an entry from the routing table, use the no form of this command.

network { NETWORK-NUMBER [/SUBNET-LENGTH] | NETWORK-NUMBER [mask NETWORK-NUMBER]} [route-map MAP-TAG]

no network { NETWORK-NUMBER [/SUBNET-LENGTH] | NETWORK-NUMBER [mask NETWORK-NUMBER]} [route-map MAP-TAG]

Syntax Description

* Note: Specification of the sub-network can be in the form of a subnet mask or a stated length. It is recommended to use the subnet mask form as xxx.xxx.xxx.xxx which is similar to Windows or Linux OS setting. However, that form will be interchangeable between for example, 10.9.18.2/8 and 10.9.18.2 255.0.0.0.

Default None

Command Mode Router configuration

Address family configuration

Usage Guideline

BGP networks are learned from connected routes, from dynamic routing and from static route sources.

Use this command to specify a network as local to this autonomous system; this will then add it to the BGP routing table. For exterior protocols, the network command controls which networks are advertised. Interior protocols use the network command to determine where to send updates.

When the synchronized state is enabled, BGP advertises a network entry if the router has the route information for the entry

Example The following example sets up network 10.108.0.0 to be included in the BGP updates for the AS number of 65100

Switch(config)# router bgp 65100 Switch(config-router)# network 10.108.0.0

network area

Use this command to enable OSPF routing with a specified Area ID. It enables this routing on interfaces with IP addresses that match the specified network address. Use the no parameter with this command to remove the configuration and disable OSPF routing on the interfaces.

network SUBNET-PREFIX/ SUBNET-MASK-LENGTH area AREA-ID

network SUBNET-PREFIX SUBNET-MASK area AREA-ID

no network SUBNET-PREFIX/ SUBNET-MASK-LENGTH area AREA-ID

no network SUBNET-PREFIX SUBNET-MASK area AREA-ID

Default None

Command Mode Router configuration

Usage Guideline OSPF routing can be enabled per IPv4 subnet basis. Each subnet can belong to one particular OSPF area. Network addresses can be defined using the prefix length or a wild card mask.

If there are conflicts, error messages will be returned.

Example The following example shows how to define OSPF area 3 for the interfaces belonging to 10.0.0.0/8:

Switch# configure terminal
Switch(config)# router ospf
Switch(config-router)# network 10.0.0.0/8 area 3 

Verify the settings with the show ip ospf command.

next-server

Configure the next server in a DHCP client's boot process. Use the no form of this command to remove the boot server list.

next-server IP-ADDRESS

no next-server

Syntax Description

Default Not configured

Command Mode DHCP pool configuration

Usage Guideline

The configured IP addresses of next-server are used as a boot server in the DHCP client's boot process. Typically, servers are Trivial File Transfer Protocol (TFTP) servers and are listed in order of preference.

Example

The following is a sample of configuring 10.1.1.1 as the IP address of next-server in the DHCP client's boot process in pool named "pool1"

switch# configure terminal
switch(config)# ip dhcp pool pool1
switch(config-dhcp)# next-server 10.1.1.1 

passive-interface

Use the passive-interface command to disable sending OSPF protocol packets on an interface. To re-enable sending and receiving routing updates, use the no form of this command.

passive-interface IFNAME

no passive-interface IFNAME

Syntax Description

IFNAME Specifies a layer 3 interface (VLAN).

Default Routing updates are sent on the interface.

Command Mode Router configuration

Usage Guideline The valid interface for this configuration is VLAN.

If an interface is passive, no adjacency can be formed on the passive interface and the OSPF protocol packets are not sent or received through the specified interface. However, the network of the passive interface will be advertised through another non-passive interface.

Example This command shows how to set interface VLAN 1 to the passive mode.

Switch# configure terminal
Switch (config)# router ospf
Switch(config-router)##passive-interface vlan1 

Verify the settings by entering the show ip ospf interface command.

passive-interface (IPv6 OSPF)

To disable sending IPv6 OSPF protocol packets on an interface, use the passive-interface command. To re-enable sending and receiving routing updates, use the no form of this command.

passive-interface IFNAME

no passive-interface IFNAME

Syntax Description

IFNAME Interface type and number i.e VLAN 1.

Default

Routing updates are sent and received on all interfaces where the routing protocol is enabled.

No interfaces are configured as passive.

Command Mode Router configuration

Usage Guideline

If the sending of routing updates is disabled on an interface, the particular address prefix will continue to be advertised to other interfaces, and updates from other routers on that interface continue to be received and processed.

IPv6 OSPF routing information is neither sent nor received through the specified router interface. The specified interface address appears as a stub network in the IPv6 OSPF domain.

Example The following example sets interface VLAN 1 to the passive mode:

Switch > enable
Switch # configure terminal
Switch (config) # router ipv6 ospf
Switch (config-router)# passive-interface vlan1 

Verify the settings by entering the show ipv6 ospf interface command.

passive interface (RIP)

To disable sending routing updates on an interface, use the passive-interface command. To re-enable sending routing updates, use the no form of this command.

passive-interface IFNAME

no passive-interface IFNAME

Syntax Description

IFNAME Specifies the Interface type and Interface number.

Default Routing updates are sent on the interface.

Command Mode Router configuration

Usage Guideline

If the sending of routing updates is disabled on an interface, the particular subnet will continue to be advertised to other interfaces. In addition, updates from other routers on that interface will continue to be received and processed.

Examples

The following example shows how to disable sending routing updates on the interface VLAN 1:

Switch# configure terminal
Switch(config)#router rip
Switch(config-router)# passive-interface vlan1
Switch(config-router)#exit
Switch(config)# 

Verify the settings by entering the show ip rip interface command.

passive-interface (RIP IPv6)

To disable sending routing updates on an interface, use the passive-interface command. To re-enable sending routing updates, use the no form of this command.

passive-interface IFNAME

no passive-interface IFNAME

Syntax Description

IFNAME Specifies the Interface type and Interface number.

Default Routing updates are sent on the interface.

Command Mode Router configuration

Usage Guideline

If the sending of routing updates is disabled on an interface, the particular subnet will continue to be advertised to other interfaces. In addition, updates from other routers on that interface will continue to be received and processed.

Example The following example shows how to disable sending routing updates on the interface VLAN 1:

Switch# configure terminal
Switch(config)#router ipv6 rip
Switch(config-router)# passive-interface vlan1
Switch(config-router)#exit 

Verify the settings by entering the show ipv6 rip interface command.

password encryption

Use the password encryption command to enable encryption of the password defined by both:

- the username command

- and -

- the enable command

before they are stored in the configuration file. Using the no command will disable the encryption.

password encryption

no password encryption

Syntax None

Default Disabled

Command Mode Global configuration at privilege level 15

Usage Guideline

The user account configuration information will be stored in the configuration file, and can be applied to the system later.

If the password encryption is enabled, the password will be in encrypted form.

When password encryption is disabled, and the user specifies the password in plain text form, the password will be in plain text form. However, if the user specifies the password in encrypted form, or if the password has been converted to encrypted form by the last enable password encryption command, the password will stay in the encrypted form. Once in the encrypted form it cannot revert to plaintext.

Example

The below example shows how to enable password encryption.

Switch(config)# password encrypt

Verify the settings by entering the show system protocol-state command.

periodic

Use the periodic command to specify the period of time to be covered in a time range profile.

periodic { daily HH:MM to HH:MM | monthly DATE HH:MM to [DATE] HH:MM | weekly WEEKLY-DAY HH:MM to [WEEKLY-DAY] HH:MM }

Default None

Command Mode Time-range configuration

Usage Guideline

Up to 6 periods can be specified in the same profile. A new period entry can partially overlap an older existing one. If a new period's starting and the ending time are identical to a previous entry, a warning message is displayed and the configuration will not be accepted.

Note: To remove an individual period entry delete the time-range and then create a new time-range to which the correct period entry can be added.

Example

This example shows how to make a time-range which includes the periods daily 09:00 to 12:00, 00:00 Saturday to 23:59 Sunday, and 19:00 of the 1st day to 17:00 of the 2nd day of every month.

Switch(config)#time-range rdtim
Switch(config-time-range)#periodic daily 9:00 to 12:00
Switch(config-time-range)#periodic weekly saturday 00:00 to sunday 23:59
Switch(config-time-range)#periodic monthly 1 19:00 to 2 17:00
Switch(config)#end 

Verify the settings by entering the show time-range command.

permit | deny (ip access-list)

Use the permit command to define the rule for packets to be access based on their IP header information. Use the no permit command to remove a permit entry. Use the deny command to add a deny entry. Use the no deny command to remove a deny entry.

{ permit | deny } tcp { any | host SRC-IP-ADDR | SRC-IP-ADDR MASK } [ OPERATOR PORT ] { any | host DST-IP-ADDR | DST-IP-ADDR MASK } [ OPERATOR PORT ] [ precedence PRECEDENCE | tos TOS | dscp DSCP ] [time-range PROFILE-NAME ] [ priority PRIORITY ]

{ permit | deny } udp { any | host SRC-IP-ADDR | SRC-IP-ADDR MASK } [ OPERATOR PORT ] { any | host DST-IP-ADDR | DST-IP-ADDR MASK } [ OPERATOR PORT ] [ precedence PRECEDENCE | tos TOS | dscp DSCP ] [ time-range PROFILE-NAME ] [ priority PRIORITY ]

{ permit | deny } [ gre | esp | eigrp | icmp | igmp | ospf | pim | vrrp | protocol-id PROTOCOL-ID ] { any | host SRC-IP-ADDR | SRC-IP-ADDR MASK } { any | host DST-IP-ADDR | DST-IP-ADDR MASK } [ precedence PRECEDENCE | tos TOS | dscp DSCP ] [ time-range PROFILE-NAME ] [ priority PRIORITY ]

no { permit | deny } tcp { any | host SRC-IP-ADDR | SRC-IP-ADDR MASK} [OPERATOR PORT] { any | host DST-IP-ADDR | DST-IP-ADDR MASK} [OPERATOR PORT] [precedence PRECEDENCE|tos TOS|dscp DSCP] [time-range]

no { permit | deny} udp { any | host SRC-IP-ADDR | SRC-IP-ADDR MASK } [ OPERATOR PORT ] { any | host DST-IP-ADDR | DST-IP-ADDR MASK } [ OPERATOR PORT ] [ precedence PRECEDENCE | tos TOS | dscp DSCP ] [ time-range ]

no { permit | deny } [ gre | esp | eigrp | icmp | igmp | ospf | pim | vrrp | protocol-id PROTOCOL-ID ] {any | host SRC-IP-ADDR | SRC-IP-ADDR MASK } { any | host DST-IP-ADDR | DST-IP-ADDR MASK } [ precedence PRECEDENCE | tos TOS | dscp DSCP ] [ time-range ]

Syntax Description

Default None

Command Mode

Usage Guideline

ip access-list configuration or ip extended access-list configuration

An interface can have only one MAC access list, one IP access list and one IPv6 access list applied to it.

The time range profile must be created before it can be specified in the statement. Otherwise an error message will be displayed.

An error message will be displayed if the maximum number defined by the system is exceeded.

All the configurable arguments (excluding time-range and priority) can be used to differentiate one from another. These arguments are called differentiated arguments. To remove an entry with the no form of this command, it is necessary to specify the entry using the same value of all differentiating arguments that have been specified (includes all optional parameters except time-range and priority).

To update the time-range or priority, specify the entry with the same value of all differentiating arguments, that have been configured, and the update value for the time-range or priority.

The priority value must be unique in the domain of an access-list. If a priority value that is already present is entered, an error message will be shown.

Example

This example shows create three entries for an ip access-list, named "Strict-Control". The three entries are: tcp packets destined to network 10.20.0.0/16, tcp packets destined to host 10.100.1.2 and all icmp packets.

Switch(config)# ip access-list extended Strict-Control
Switch(config-ip-ext-acl)# permit tcp any 10.20.0.0 255.255.0.0
Switch(config-ip-ext-acl)# permit tcp any host 10.100.1.2
Switch(config-ip-ext-acl)# permit icmp any any
Switch(config-ip-ext-acl)# exit 

Verify the settings by entering the show access-list command.

permit | deny (ipv6 access list)

Use the permit command to add an entry to the IPv6 access-list. Use the no permit command to remove a permit entry from the IPv6 access-list. Use the deny command to add a deny entry to the IPv6 access-list. Use the no deny command to remove a deny entry from the IPv6 access-list.

{ permit | deny } {tcp | udp} { any | host SRC-IPV6-ADDR | SRC-IPV6-ADDR MASK } [ OPERATOR PORT ] { any | host DST-IPV6-ADDR | DST-IPV6-ADDR MASK } [ OPERATOR PORT ] [traffic-class TRAFFIC-CLASS ] [time-range PROFILE-NAME] [ priority PRIORITY ]

{ permit | deny } [icmpv6 | ospfv3 | nextheader NEXTHEADER] { any | host SRC-IPV6-ADDR | SRC-IPV6-ADDR MASK } { any | host DST-IPV6-ADDR | DST-IPV6-ADDR MASK } [traffic-class TRAFFIC-CLASS] [time-range PROFILE-NAME ] [priority PRIORITY ]

no { permit | deny } {tcp | udp} { any | host SRC-IPV6-ADDR | SRC-IPV6-ADDR MASK } [OPERATOR PORT ] { any | host DST-IPV6-ADDR | DST-IPV6-ADDR MASK } [OPERATOR PORT ] [traffic-class TRAFFIC-CLASS ] [time-range ]

no { permit | deny} [icmpv6 | ospfv3 | nextheader NEXTHEADER] { any | host SRC-IPV6-ADDR | SRC-IPV6-ADDR MASK} { any | host DST-IPV6-ADDR | DST-IPV6-ADDR MASK} [traffic-class TRAFFIC-CLASS ] [time-range ]

Syntax Description

Default None

Command Mode IPv6 access-list extended configuration

Usage Guideline

The time range profile needs to be created before it can be specified in the statement. Otherwise an error message will be displayed.

All the configurable arguments (time-range and priority are excluded) can be used to differentiate one from another. These arguments are called differentiated arguments. To remove an entry, in the no form of this command, specify the entry with the same value of all differentiating arguments specified prior (includes all optional parameters but the time-range and priority are excluded).

Tto update the time-range or priority, specify the entry with the same value of all differentiating arguments, which are configured, and the update value for time-range or priority.

The priority value must be unique in the domain of an access-list. If a priority value entered is already present, an error message will be shown.

Example

This example shows create three entries for an ipv6 extended access-list, named "ipv6-control". The three entries are: permit tcp packets destined to network ff02::0:2/16, permit tcp packets destined to host ff02::1:2 and permit all icmp packets.

Switch(config)# ipv6 access-list extended ipv6-control
Switch(config-ipv6-ext-acl)#permit tcp any ff02::0:2 ffff::
Switch(config-ipv6-ext-acl)#permit tcp any host ff02::1:2
Switch(config-ipv6-ext-acl)#permit icmpv6 any any
Switch(config-ipv6-ext-acl)# exit 

Verify the settings by entering the show access-list command.

permit | deny (mac access-list)

Use the permit command to define the rule for packets to be based on their MAC address. Use the deny command to define the rule for packets that are to be denied. Use the no permit command to remove a permit entry, and use the no deny command to remove a deny entry.

{ permit | deny } { any | host SRC-MAC-ADDR | SRC-MAC-ADDR MASK } { any | host DST-MAC-ADDR | DST-MAC-ADDR MASK } [ ethernet-type TYPE | llc dsap DSAP ssap SSAP cntl CNTL ] [ dot1p PRIORITY-TAG ] [ VLAN VLAN-ID ] [ time-range PROFILE-NAME ] [ priority PRIORITY ]

no { permit | deny } { any | host SRC-MAC-ADDR | SRC-MAC-ADDR MASK } { any | host DST-MAC-ADDR | DST-MAC-ADDR MASK } [ ethernet-type TYPE | llc dsap DSAP ssap SSAP cntl CNTL ] [ dot1p PRIORITY-TAG ] [ VLAN VLAN-ID ] [ time-range ]

Default

If the priority is not specified, the system assigns it with a priority value 10 or greater than the largest sequence in that access list and it is placed at the end of the list.

If the priority is manually assigned, it is better to have a reserved interval for a future higher priority entry. Otherwise the system attempts to insert an entry with a higher priority.

Command Mode MAC access-list extended configuration

Usage Guideline

The time-range profile must be created before it can be specified in the statement. Otherwise, an error message will be displayed.

Multiple entries can be added to the list; use permit for one entry and use deny for the other entry.

Different permit and deny commands can match different fields available for setting.

The priority can be directly updated by specifying the command with the value for all other parameters except time-range & priority.

All the configurable arguments (time-range and priority are excluded) can be used to differentiate one from another. These arguments are called differentiating arguments. To remove an entry, using the no form of this command, specify the entry with same value of all differentiating arguments specified (includes all optional parameters but time-range and priority are excluded). The time-range option in no form of this command means to remove the time-range association from this entry.

To update the time-range or priority, specify the entry with the same value of all differentiating arguments, which are configured, and the update value for time-range or priority.

The priority value must be unique in the domain of an access-list. If r a priority value is entered that is already present, an error message will be shown.

When the time-range is not specified, the statement will be always effective.

Example

This example shows how to configure access entries in the profile daily-profile to allow two sets of source MAC addresses. Others are denied due to default implicit deny rule.

Switch(config)# mac access-list extended daily-profile
Switch(config-mac-ext-acl)# permit 00:80:33:00:00:00 ff:ff:ff:00:00:00 any
Switch(config-mac-ext-acl)#permit 00:f4:57:00:00:00 ff:ff:ff:00:00:00 any
Switch(config-mac-ext-acl)# exit
Switch(config)# 

Verify the settings by entering the show show access-list command.

ping

Use ping to diagnose basic network connectivity.

ping [OPTIONS] { IP-ADDRESS | IPV6-ADDRESS }

Syntax Description

OPTIONS (Optional) The option can be any combination of the following parameters:

-A

Adapt to return interval of packets. That is to send packets at approximately the rate at which they are received.

-c COUNT

Stop after sending count ECHO_RESPONSE packets.

-i WAIT

Wait WAIT seconds between sending each packet. Default is to wait one second between each packet. This option is incompatible with -A option and it will be ignored when it is along with -A option.

-Q TOS

Set Quality of Service on ICMP data grams.

-s PACKETSIZE

Specifies the number of data bytes to be sent. Default is 56, which translates into 64 ICMP data bytes when combined with the 8 bytes of ICMP header data. It does not include any VLAN or IEEE802.1Q tag length.

-w N

Stop ping after N seconds.

-W N

When waiting for a response, time out after N seconds. If N is not specified, the default is one second.

IP-ADDRESS IPv4 address in dot notation (a.b.c.d) of the destination host.

IPV6-ADDRESS IPv6 address of the system to discover.

Default -s: 56 bytes

-c: 5 count packets

-i: 1 second

-Q: 0 TOS

-w: 0 (Don't stop)

-W: 1 second

Command Mode

Management interface configuration or User EXEC

Usage Guideline

The ping command sends an echo request packet to an address, and then awaits a reply. Ping output can help to evaluate path-to-host reliability, delays over the path, and whether the host can be reached or is functioning.

Note : The specified "OPTIONS" can be any combination of the parameters but the parameters must be specified in the alphabetical order and the upper case is ahead of the lower case. For example, e the following sequences cannot be used with the specified parameters: "ping -c COUNT -Q TOS -A 10.90.90.90". The correct usage is: "ping -A -Q TOS -c COUNT 10.90.90.90".

Examples This example shows how to ping the host with IP address 172.50.71.123.

Switch# ping 172.50.71.123
PING 172.50.71.123 (172.50.71.123): 56(84) data bytes
64 bytes from 172.50.71.123, icmp_seq=1 ttl=128 time=0.226 ms
64 bytes from 172.50.71.123, icmp_seq=2 ttl=128 time=0.184 ms
--- 172.50.71.123 ping statistics ---
packets transmitted = 2, received = 2, packet loss = 0 (0%)
round trip times min/avg/max/mdev = 0.184/0.205/0.226/0.021 ms
Switch# 

This example shows how to ping the host with IPv6 address 2001:e10:5c00:2::101:150.

Switch# ping 2001:e10:5c00:2::101:150
PING 2001:e10:5c00:2::101:150 (2001:e10:5c00:2::101:150):56(104) data bytes
64 bytes from 2001:e10:5c00:2::101:150, icmp_seq=1 ttl=128 time=92.1 ms
64 bytes from 2001:e10:5c00:2::101:150, icmp_seq=2 ttl=128 time=0.766 ms
64 bytes from 2001:e10:5c00:2::101:150, icmp_seq=3 ttl=128 time=0.781 ms
64 bytes from 2001:e10:5c00:2::101:150, icmp_seq=4 ttl=128 time=0.774 ms
64 bytes from 2001:e10:5c00:2::101:150, icmp_seq=5 ttl=128 time=0.760 ms
--- 2001:e10:5c00:2::101:150 ping statistics ---
packets transmitted=5, received=5, packet loss=0 (0%)
round trip times min/avg/max/mdev= 0.760/19.040/92.120/36.540 ms
Switch# 

police

To configure traffic policing using single rate, use the police command in policy-map class configuration mode. To remove traffic policing from the configuration, use the no form of this command.

police BPS [BURST-NORMAL] [BURST-MAX] exceed-action ACTION [violate-action ACTION]

no police BPS [BURST-NORMAL] [BURST-MAX] exceed-action ACTION [violate-action ACTION]

Valid and default

Syntax Description

Syntax Description

ACTION Action to take on packets. Specifies one of the following keywords:

"drop-Drops the packet."

"set-dscp-transmit value-Sets the IP differentiated services code point (DSCP) value and transmits the packet with the new IP DSCP value.

"transmit-Transmits the packet. The packet is not altered."

Default None

Command Mode Policy-map class configuration

Usage Guideline

Use the police command to drop the packet or mark the packet with different quality of service (QoS) values based on conformance to the service agreement.

As a packet arrives at a port, the packet will be initialized with a color. This color will be used in control of congestion.

If the policer is operated in color blind mode, the packet is re-colored and the actions are taken based on the policer metering result.

If the policer is operated in color aware mode, the packet is re-colored and the actions are taken based on the policer metering result and the initial color of the packet.

The actions configured by the set command for the traffic class will be applied to the conforming packet. They will not be applied to the exceeding packet and the violating packets.

Note: Either one of police command and police cir command can be activated for the refereed traffic class. The latter command will overwrite the previous policer command setting within the same traffic class.

The following example show the precedence between police command and police cir commands: create a policy-map, police-map1 and have a traffic class, class-movie with single rate police (police command).

Switch(config)# policy-map police-map1
Switch(config-pmap)# class class-movie
Switch(config-pmap-c)# police 8000 1000 exceed-action drop
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# 

Later it is realized that a two rate police should be applied to class-movie traffic and a two rate police (police cir command) is added. The newer police cir command will overwrite the previous police command setting.

Switch(config)# policy-map police-map1
Switch(config-pmap)# class class-movie
Switch(config-pmap-c)# police cir 8000 pir 1000 exceed-action drop violate-action drop
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit 

Specifying Multiple Actions

The police command allows to specify actions for different policing result. When specifying multiple policing actions, contradictory actions, such as violate-action transmit and exceed-action drop, cannot be specified.

Using the Police Command with the Traffic Policing Feature

The Traffic Policing feature works with a token bucket algorithm. Two types of token bucket algorithms are available: a one-token bucket algorithm and a two-token bucket algorithm. A single-token bucket system is used when the violate-action option is not specified, and a two-token bucket system is used when the violate-action option is specified.

The following are explanations of how the token bucket algorithms work.

Token Bucket Algorithm with One Token Bucket

The one-token bucket algorithm is used when the violate-action option is not specified in the police command CLI. The conform bucket is initially set to the full size (the full size is the number of bytes specified as the normal burst size).

When a packet of a given size (for example, "B" bytes) arrives at specific time (time "T"), the following actions occur:

"Tokens are updated in the conform bucket. If the previous arrival of the packet was at T1 and the current time is T, the bucket is updated with (T - T1) worth of bits based on the token arrival rate. The token arrival rate is calculated as follows: (time between packets (which is equal to T - T1) * policer rate)/8 bytes. The policer rate here is average rate (BPS).

"If the number of bytes in the conform bucket is greater than or equal to the packet size, the packet conforms and the conform action is taken on the packet. If the packet conforms, B bytes are removed from the conform bucket and the conform action is completed for the packet."

"If the number of bytes in the conform bucket (minus the packet size to be limited) is fewer than B, the exceed action is taken.

Token Bucket Algorithm with Two Token Buckets

The two-token bucket algorithm is used when the violate-action option is specified in the police command. The conform bucket is initially full (the full size

is the number of bytes specified as the normal burst size). The exceed bucket is initially full (the full exceed bucket size is the number of bytes specified in the maximum burst size). The tokens for both the conform and exceed token buckets are updated based on the token arrival rate, or committed information rate (CIR).

When a packet of given size (for example, "B" bytes) arrives at specific time (time "T") the following actions occur:

"Tokens are updated in the conform bucket. If the previous arrival of the packet was at T1 and the current arrival of the packet is at T, the bucket is updated with T -T1 worth of bits based on the token arrival rate. The refill tokens are placed in the conform bucket. If the tokens overflow the conform bucket, the overflow tokens are placed in the exceed bucket."

The token arrival rate is calculated as follows:

(time between packets (which is equal to T-T1) * policer rate)/8 bytes. The policer rate here is average rate (BPS).

"If the number of bytes in the conform bucket is greater than or equal to B, the packet conforms and the conform action is taken on the packet. If the packet conforms, B bytes are removed from the conform bucket and the conform action is taken. The exceed bucket is unaffected in this scenario."

"If the number of bytes in the conform bucket is less than B, the excess token bucket is checked for bytes by the packet. If the number of bytes in the exceed bucket is greater than or equal to B, the exceed action is taken and B bytes are removed from the exceed token bucket. No bytes are removed from the conform bucket."

"If the number bytes in the exceed bucket is fewer than B, the packet violates the rate and the violate action is taken. The action is complete for the packet."

Example

The following example shows how to define a traffic class (using the class-map command) and associate the policy with the match criteria for the traffic class in a policy map (using the policy-map command). The service-policy command is then used to attach this service policy to the interface.

In this particular example, traffic policing is configured with an average rate at 8000 bits per second and the normal burst size at 1000 bytes for all packets ingress at eth 3.1:

Switch(config)# class-map access-match
Switch(config-cmap)# match access-list acl_rd
Switch(config-cmap)# exit
Switch(config)# policy-map police-setting
Switch(config-pmap)# class access-match
Switch(config-pmap-c)# police 8000 1000 exceed-action drop
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# interface eth3.1
Switch(config-if)# service-policy police-setting

Verify the settings by entering the show policy-map command.

police aggregate

To configure a named aggregate policer as the policy for a traffic class in a policy map, use police aggregate command in the policy map class configuration mode. To delete the name aggregate policer from class policy, use the no form of this command.

police aggregate NAME

no police aggregate NAME

Syntax Description

NAME Specifies a previously defined aggregate policer name as the aggregate policer for a traffic class. Up to 32 characters are allowed.

Default None

Command Mode Policy map class configuration

Usage Guideline

Use the qos aggregate-policer command in global configuration mode to create a named aggregate policer, and then use the police aggregate command in the policy-map class configuration mode to configure the named aggregate policer as the policy for a traffic class. A named aggregate policer cannot be referred from different policy map.

Example

This example shows how to configure a named aggregate policer parameters and apply the policer to multiple classes in a policy map: An aggregate policer with single rate policing named agg_policer1 is created. This policer is configured as the policy for traffic class class1, class2, and class3.

Switch(config)# qos aggregate-policer agg_policer1 64 128 exceed-action drop
Switch(config)# policy-map policy2
Switch(config-pmap)# class class1
Switch(config-pmap-c)# police aggregate agg_policer1
Switch(config-pmap-c)# exit
Switch(config-pmap)# class class2
Switch(config-pmap-c)# police aggregate agg_policer1
Switch(config-pmap-c)# exit
Switch(config-pmap)# class class3
Switch(config-pmap-c)# police aggregate agg_policer1
Switch(config-pmap-c)# exit

Verify the settings by entering the show policy-map command.

police cir

To configure traffic policing using two rates, the committed information rate (CIR) and the peak information rate (PIR), use the police cir command in policy-map class configuration mode. To remove two-rate traffic policing from the configuration, use the no form of this command

police cir CIR [bc CONFORM-BURST] pir PIR [be PEAK-BURST] [exceed-action ACTION [violate-action ACTION]]

no police cir CIR [bc CONFORM-BURST] pir PIR [be PEAK-BURST] [exceed-action ACTION [violate-action ACTION]]

ACTION The actions can be

drop - Packets will be dropped.

set-dscp-transmit VALUE - Sets the IP differentiated services code point (DSCP) value and transmits the packet with the new IP DSCP value.

transmit - Transmits the packet. The packet is not altered.

Default Disabled

exceed-action: drop

violate-action: equals exceed-action

Command Mode Policy map class configuration

Usage Guideline

As a packet arrives at a port, the packet will be initialized with a color. This color will be used in control of congestion.

If the policer is operated in color blind mode, the packet is re-colored and the actions are taken based on the policer metering result.

If the policer is operated in color aware mode, the packet is re-colored and the actions are taken based on the policer metering result and the initial color of the packet.

The actions configured by the set command for the traffic class will be applied to the conforming packet. They will not be applied to the exceeding packet and the violating packet.

Note: Either one of police command and police cir command can be activated for the refereed traffic class. The latter command will overwrite the previous policer command setting within the same traffic class.

The following example show the precedence between police and police cir comands: create a policy-map, police-map1 and have a traffic class class-movie with a two rate policer (police cir command).

Switch(config)# policy-map police-map1
Switch(config-pmap)# class class-movie
Switch(config-pmap-c)# police cir 8000 pir 1000 exceed-action drop violate-action drop
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit 

Later it is realized that a single rate policer should be applied to class-movie traffic and singe rate policer (police cir command) is added. The newer police command will overwrite the previous police cir command setting.

Switch(config)# policy-map police-map1
Switch(config-pmap)# class class-movie
Switch(config-pmap-c)# police 8000 1000 exceed-action drop
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit

Two-rate traffic policing uses two token buckets-Tc and Tp-for policing traffic at two independent rates. Note the following points about the two token buckets:

"The Tc token bucket is updated at the CIR value. The Tc token bucket can contain up to the confirm burst (Bc) value.

"The Tp token bucket is updated at the PIR value. The Tp token bucket can contain up to the peak burst (Be) value."

Updating Token Buckets

The following scenario illustrates how the token buckets are updated:

A packet of B bytes arrives at time t. The last packet arrived at time t1. The CIR and the PIR token buckets at time t are represented by Tc(t) and Tp(t), respectively. Using these values and in this scenario, the token buckets are updated as follows:

$$ \mathrm{Tc} (\mathrm{t}) = \min (\mathrm{CIR} ^ {*} (\mathrm{t} - \mathrm{t} 1) + \mathrm{Tc} (\mathrm{t} 1), \mathrm{Bc}) $$

$$ \mathrm{Tp} (t) = \min (\mathrm{PIR} ^ {*} (t - t 1) + \mathrm{Tp} (t 1), \mathrm{Be}) $$

Marking Traffic

The two-rate policer marks packets as either conforming, exceeding, or violating a specified rate. The following points (using a packet of B bytes) illustrate how a packet is marked:

"If B > Tp(t), the packet is marked as violating the specified rate.

"If B > Tc(t), the packet is marked as exceeding the specified rate, and the Tp(t) token bucket is updated as Tp(t) = Tp(t) - B.

Otherwise, the packet is marked as conforming to the specified rate, and both token buckets-Tc(t) and Tp(t)-are updated as follows:

$$ \mathrm{Tp} (t) = \mathrm{Tp} (t) - B $$

$$ \mathrm{Tc} (\mathrm{t}) = \mathrm{Tc} (\mathrm{t}) - \mathrm{B} $$

Example

Example In the following example, two-rate traffic policing is configured on a class called police to limit traffic to an average committed rate of 64 kbps and a peak rate of 128 kbps, and the policy map named policy1 is attached to eth3.1.

Switch(config)# class-map police
Switch(config-cmap)# match access-list 101
Switch(config-cmap)# policy-map policy1
Switch(config-pmap)# class police
Switch(config-pmap-c)# police cir 64 bc 128 pir 128 be 256 exceed-action drop violate-action drop
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# interface eth3.1
Switch(config-if)# service-policy policy1
Switch(config-if)# end
Switch# show policy-map policy1
Policy Map policy1
Class police
police tr-tcm cir 64 bc 128 pir 128 be 256
exceed-action : drop
violate-action : drop
Switch# 

Verify the settings by entering the show policy-map command.

policy-map

To enter policy-map configuration mode and create or modify a policy map that can be attached to one or more interfaces as a service policy, use the policy-map command in global configuration mode. To delete a policy map, use the no form of this command.

policy-map NAME

no policy-map NAME

Syntax Description

NAME Name of the policy map. The name can be a maximum of 32 alphanumeric characters

Default None

Command Mode Global configuration

Usage Guideline

Use the policy-map command to specify the name of the policy map to be created, or modified before policies are configured for classes whose match criteria are defined in a class map. The policy-map command enters policy-map configuration mode, in which the user can configure or modify the policy for the traffic class.

The user can configure class policies in a policy map only if the classes have match criteria defined for them. Use the class-map and match commands to configure the match criteria for a class. Because a maximum of 32 class maps is allowed, a policy map cannot contain more than 32 class policies.

A single policy map can be attached to more than one interface concurrently.

Policy maps contain traffic classes. Traffic classes contain one or more match commands that can be used to match packets (and organize them into groups) on the basis of a protocol type or application. Create as many traffic classes as needed.

Example

The following example (on the next page) creates a policy map called policy and configures two class policies in that policy map. The class policy called class1 specifies policy for traffic that matches access control list (ACL) acl_rd. The

second class is the default class, named class-default to which packets that do not satisfy the defined classes are included.

Switch(config)# class-map class1
Switch(config-cmap)# match access-list acl_rd
Switch(config-cmap)# exit
Switch(config)# policy-map policy
Switch(config-pmap)# class class1
Switch(config-pmap-c)# set ip dscp 46
Switch(config-pmap-c)# exit
Switch(config-pmap)# class class-default
Switch(config-pmap-c)# set ip dscp 00
Switch(config-pmap-c)# exit

Verify the settings by entering the show policy-map command

port-channel load-balance

Use port-channel load-balance to configure the load balance algorithm that the switch uses to distribute packets across ports in the same channel. To reset the load distribution to the default settings, use the no from of this command.

port-channel load-balance {dst-ip | dst-mac | src-dst-ip | src-dst-mac | src-ip | src-mac}

no port-channel load-balance

Syntax Description

Default src-dst-mac

Command Mode Global configuration

Usage Guideline Use this command to specify the load balance algorithm. Only one algorithm can be specified.

Example This example shows how to configure load balance algorithm for src-ip:

Switch# configure terminal
Switch(config)# port-channel load-balance src-ip
Switch(config)# end 

Verify the settings by entering the show channel-group load-balance EXEC command.

power-saving

Use the power-saving command to enable "Power Saving" function in the device. And use the no form of this command to disable "Power Saving" function.

power-saving {phy}

no power-saving {phy}

Default Disabled

Command Mode Global configuration.

Usage Guideline

The "power-saving" command can enable the "Power Saving" function on different hardware components. Currently, one component is supported: phy. Select the option "phy", it will set the PHY into "Power Saving" mode. The "no power-saving" command disables this function.

The "PHY Power Saving" function could be enabled or disabled per-system base. There are two operation modes: "low-power" mode and "normal" mode. When power saving is enabled, the chips automatically enter "low-power" mode if the signal from a copper link partner is lost. They will go to normal mode when a signal is detected.

If "PHY Power Saving" function is disabled, PHY will always be in normal mode no matter that the signal from a link partner is presented or not.

Example

The following example shows how to enable/disable "Power Saving" function.

Switch(config)#power-saving
Switch(config)#
Switch(config)show power-saving

Power-saving status
====================
phy power-saving:Enabled

Switch(config)#no power-saving
Switch(config)#show power-saving

Power-saving status
====================
phy power-saving:Disabled 

pvid VLAN-ID

Use the pvid interface configuration command to specify the native VLAN for the trunk or hybrid interface. Use default interface command to reset to default setting.

pvid VLAN-ID

default pvid

Syntax Description

Verify the settings by entering the show vlan command.

qos aggregate-policer

To define a named aggregate policer for use in policy maps, use the qos aggregate-policer command in global configuration mode. To delete a named aggregate policer, use the no form of this command. The qos aggregate-policer command is for single rate policing and the qos aggregate-policer cir command is for two rate policing.

qos aggregate-policer NAME BPS [BURST-NORMAL] [BURST-MAX] exceed-action ACTION [violate-action ACTION]

qos aggregate-policer NAME cir CIR [bc CONFORM-BURST] pir PIR [be PEAK-BURST] [exceed-action ACTION [violate-action ACTION]]

no qos aggregate-policer NAME

Syntax Description

Default Not configured

For a two rate policer, the defaults for unspecified options are as follows:

• exceed-action: drop.
  • violate-action equals exceed-action

Command Mode Global configuration

Usage Guideline

An aggregate policer can be shared by different policy map classes and on different interfaces. It cannot be shared by different policy map.

For detailed description regarding how to configure the policer, refers to the usage guideline for police and police cir command.

Note: Either one of qos aggregate-policer NAME command and qos aggregate-policer NAME cir command can be activated for the refereed traffic class. The latter command will overwrite the previous qos aggregate-policer NAME setting once the reference aggregator name are the same.

Example

In the following example, an aggregate policer named agg-policer5 with single rate two colors is configured. This named aggregator policer is applied as the service policy for the class1 and class2 traffic class in the policy2 policy map.

Switch(config)# qos aggregate-policer agg-policer5 10000 128 exceed-action drop
Switch(config)# policy-map policy2
Switch(config-pmap)# class class1
Switch(config-pmap-c)# police aggregate agg-policer5
Switch(config-pmap-c)# exit
Switch(config-pmap)# class class2
Switch(config-pmap-c)# police aggregate agg-policer5
Switch(config-pmap-c)# exit

Verify the settings by entering the show qos aggregate-policer command.

qos bandwidth

To set the received bandwidth limit values for an interface, use the bandwidth ingress command in interface configuration mode. To set the transmit bandwidth limit values on an interface use the bandwidth egress command in interface configuration mode. To disable bandwidth limit, use the no form of this command.

qos bandwidth {egress | ingress} NUMBER-KBPS

no qos bandwidth {egress | ingress}

Default Disabled

Command Mode Interface configuration

Usage Guideline Only physical ports are valid for this command.

The specified limitation should not exceed the maximum speed of the specified interface.

For ingress bandwidth limitation, the ingress will send pause frame or flow control frame when the received traffic exceeds the limitation.

Example In the following example, bandwidth limitations are configured on eth 2.5. The ingress bandwidth is limited to 128 Kbps and the egress bandwidth is limited to 256 Kbps.

Switch(config)#interface eth2.5
Switch(config-if)#qos bandwidth ingress 128
Switch(config-if)#qos bandwidth egress 256 

Verify the settings by entering the show qos interface bandwidth command.

qos cos

To configure the default class of service (CoS) value of a port, use the qos cos command in interface configuration mode.

qos cos COS-VALUE

Default COS-VALUE: 0

Command Mode Interface configuration

Usage Guideline Only physical ports are valid.

Example In the following example, default COS of eth3.1 is set to 3.

Switch(config)# interface eth3.1
switch(config-if)# qos cos 3 

Verify the settings by entering the show qos interface cos command.

qos deficit-round-robin

Use the qos command in interface configuration mode to enable the Deficit Round Robin (DRR)/Weighted Round Robin (WRR) packet scheduling mechanism. To restore the packet scheduling mechanism, use the default form of this command.

qos {deficit-round-robin [COS-QUEUE quantum WEIGHT] | weight-round-robin [COS-QUEUE weight WEIGHT]}

default qos

Default Strict priority mode and DRR mode is disabled.

quantum WEIGHT: 1

wrr-WEIGHT: 1

Command Mode Interface configuration

Usage Guideline Only physical port interfaces are valid for this command.

The port CoS queue can be either strict priority mode, deficit round robin (DRR)mode or Weight round robin (WRR) mode. The strict priority scheduler mode provides strict priority access to the egress port across the transmit priority queue from the highest priority index to the lowest. The purpose of the strict priority scheduler is to provide lower latency service to the higher CoS classes of traffic.

DRR operates by serving a mount of backlogged credits into the transmit queue in round robin order. Initially, each queue sets its credit counter to a configurable quantum value. Every time a packet from a CoS queue is sent, the size of the packet is subtracted from the corresponding credit counter. When the credit counter drops below 0, the queue is no longer serviced until its credits are replenished.

All queues are serviced until their credit counter is zero or negative and a packet is transmitted completely. As this condition happens, the credits are replenished. When the credits are replenished, as a quantum of credits are added to each CoS queue credit counter. The quantum for each CoS queue may different based on the user configuration.

To set a CoS in strict priority mode, any higher priority CoS must be in strict priority mode. For example, to set CoS 5 in strict priority mode, CoS 6 and 7 have to be in strict priority mode.

WRR operates by transmitting permitted packets into the transmit queue in round robin order. Initially, each queue sets its weight to a configurable weighting. Every time a packet from a higher priority CoS queue is sent, the number of the packet is subtracted from the corresponding weight. When the credit counter reaches zero, the queue is no longer serviced until its weight is replenished. After this repeats for each queue, the next lower priority CoS queue is serviced in turn.

All queues are serviced until their weight is zero and a packet is transmitted completely. As this condition happens, the weights are replenished. When the weights are replenished, weight is added to each CoS queue credit counter. The weight for each CoS queue may different based on the user configuration.

Examples

In the following example, deficit round robin is configured on eth 3.1. For this case, quantum for queue 0 is set to 32 Kbytes; quantum for queue 1 is set to 32 Kbytes; quantum for queue 2 is set to 64 Kbytes; quantum for queue 3 is set to 64 Kbytes; quantum for queue 4 is set to 128 Kbytes; quantum for queue 5 is set to 128 Kbytes; quantum for queue 6 is set to 32 Kbytes; and quantum for queue 7 remains as 0.

Switch(config)# interface eth3.1
Switch(config-if)# qos deficit-round-robin 0 quantum 2
Switch(config-if)# qos deficit-round-robin 1 quantum 2
Switch(config-if)# qos deficit-round-robin 2 quantum 4
Switch(config-if)# qos deficit-round-robin 3 quantum 4
Switch(config-if)# qos deficit-round-robin 4 quantum 8
Switch(config-if)# qos deficit-round-robin 5 quantum 8
Switch(config-if)# qos deficit-round-robin 6 quantum 2
Switch(config-if)# qos deficit-round-robin 7 quantum 0 

In the following example, Weight round robin is configured on eth 3.1. For this case, queue 5, 6, and 7 are set to strict priority mode; weight for queue 4 is set to 4 packets; weight for queue 2, 1, and 0 are set to 2 packets.

Switch(config)# interface eth3.1
Switch(config-if)# qos weight-round-robin 0 weight 2
Switch(config-if)# qos weight-round-robin 2 weight 2
Switch(config-if)# qos weight-round-robin 3 weight 2
Switch(config-if)# qos weight-round-robin 4 weight 4
Switch(config-if)# qos weight-round-robin 5 weight 0
Switch(config-if)# qos weight-round-robin 6 weight 0
Switch(config-if)# qos weight-round-robin 7 weight 0
Switch(config-if)# qos weight-round-robin 1 weight 2
Switch(config)# 

Verify the settings by entering the show qos interface command.

qos dscp-mutation

To attach an ingress differentiated-services-code-point (DSCP) mutation map to the interface, use the qos dscp-mutation command in interface configuration mode. To remove the ingress DSCP mutation map from the interface, use the no form of this command.