|
|
Use the set enablepass command to change the password for the privileged level of the CLI.
set enablepass
This command has no arguments or keywords.
The default configuration has no enable password configured.
Switch command.
Privileged.
Passwords are case sensitive and may be 0 to 30 characters in length, including spaces.
The command prompts you for the old password. If the password you enter is valid, you are prompted to enter a new password and to verify the new password.
This example shows how to establish a new password:
Console> (enable) set enablepass
Enter old password: <old_password>
Enter new password: <new_password>
Retype new password: <new_password>
Password changed.
Console> (enable)
Use the set errdisable-timeout command to configure a timeout for ports in errdisable state, after which the ports are reenabled automatically.
set errdisable-timeout {enable | disable} {reason}
set errdisable-timeout interval interval
enable | Keyword to enable errdisable timeout. |
disable | Keyword to disable errdisable timeout. |
reason | Reason for the port being in the errdisable state; valid values are bpdu-guard, channel-misconfig, duplex-mismatch, udld, other, and all. |
interval interval | Timeout interval; valid values are 30 to 86400 seconds (30 seconds to 24 hours). |
The default is disable; the default interval is 300 seconds.
Switch command.
Privileged.
These events can set a port to errdisable state:
Ports in the errdisable state for a reason other than a channel misconfiguration, duplex mismatch, BPDU port guard, or UDLD are reported with an errdisable cause of Other. If you specify other, the errdisable timeout applies to ports disabled for any of those remaining causes.
This example shows how to enable errdisable timeout for BPDU guard causes:
Console> (enable) set errdisable-timeout enable bpdu-guard
Successfully enabled errdisable-timeout for bpdu-guard.
Console> (enable)
This example shows how to set the errdisable timeout interval to 450 seconds:
Console> (enable) set errdisable-timeout interval 450
Successfully set errdisable timeout to 450 seconds.
Console> (enable)
Use the set errordetection command set to enable or disable various error detections.
set errordetection {inband | memory | portcounters} {enable | disable}
enable | Keyword to enable the specified error detection. |
disable | Keyword to disable the specified error detection. |
inband | Keyword to specify inband error detection. |
memory | Keyword to specify memory error detection. |
portcounters | Keyword to specify port counter error detection. |
The default is that port counter error detection is enabled and memory and inband error detection are disabled.
Switch command.
Privileged.
The inband keyword is not supported.
This example shows how to enable memory error detection.
Console> (enable) set errordetection memory enable Memory error detection enabled. Console> (enable)
Use the set feature mdg command to enable or disable the multiple default gateway feature.
set feature mdg {enable | disable}
enable | Keyword to enable the multiple default gateway. |
disable | Keyword to disable the multiple default gateway. |
This command has no default setting.
Switch command.
Privileged.
If you enable the multiple default gateway feature, the Catalyst 6000 family switch pings the default gateways every 10 seconds to verify the gateways are still available.
This example shows how to enable the multiple default gateway feature:
Console> (enable) set feature mdg enable Multiple Default Gateway feature enabled. Console> (enable)
This example shows how to disable the multiple default gateway feature:
Console> (enable) set feature mdg disable Multiple Default Gateway feature disabled. Console> (enable)
Use the set garp timer command to adjust the values of the join, leave, and leaveall timers.
set garp timer {timer_type} {timer_value}
timer_type | Type of timer; valid values are join, leave, and leaveall. |
timer_value | Timer values in milliseconds. |
The defaults are 200 ms for the join timer, 600 ms for the leave timer, and 10000 ms for the leaveall timer.
Switch command.
Privileged.
You must maintain the following relationship for the various timer values:
Caution: Set the same GARP application (for example, GMRP and GVRP) timer values on all Layer 2-connected devices. If the GARP timers are set differently on the Layer 2-connected devices, GARP applications will not operate successfully.
This example shows how to set the join timer value to 100 ms for all the ports on all the VLANs:
Console> (enable) set garp timer join 100 GMRP/GARP Join timer value is set to 100 milliseconds. Console> (enable)
This example shows how to set the leave timer value to 300 ms for all the ports on all the VLANs:
Console> (enable) set garp timer leave 300 GMRP/GARP Leave timer value is set to 300 milliseconds. Console> (enable)
This example shows how to set the leaveall timer value to 20000 ms for all the ports on all the VLANs:
Console> (enable) set garp timer leaveall 20000 GMRP/GARP LeaveAll timer value is set to 20000 milliseconds. Console> (enable)
set gmrp timer
set gvrp timer
show gmrp timer
Use the set gmrp command to enable or disable GMRP on this switch in all VLANs on all ports.
set gmrp {enable | disable}
enable | Keyword to enable GMRP on the switch. |
disable | Keyword to disable GMRP on the switch. |
The default is GMRP is disabled.
Switch command.
Privileged.
You cannot enable GMRP if IGMP snooping is already enabled.
This example shows how to enable GMRP on the switch:
Console> (enable) set gmrp enable GMRP is enabled. Console> (enable)
This example shows how to disable GMRP on the switch:
Console> (enable) set gmrp disable GMRP is disabled. Console> (enable)
This example shows the display if you try to enable GMRP on the switch with IGMP enabled:
Console> (enable) set gmrp enable Disable IGMP to enable GMRP snooping feature. Console> (enable)
Use the set gmrp fwdall command to enable or disable the Forward All feature on a specified port or module and port list.
set gmrp fwdall {enable | disable} mod/ports..
enable | Keyword to enable GMRP Forward All on a specified port. |
disable | Keyword to disable GMRP Forward All on a specified port. |
mod/ports.. | Module number and port number list. |
The default is the Forward All feature is disabled for all ports.
Switch command.
Privileged.
Forward All indicates that a port is interested in receiving all the traffic for all the multicast groups.
If the port is trunking, then this feature is applied to all the VLANs on that port.
This example shows how to enable GMRP Forward All on module 5, port 5:
Console> (enable) set gmrp fwdall enable 5/5 GMRP Forward All groups option enabled on port(s) 5/5. Console> (enable)
This example shows how to disable the GMRP Forward All on module 3, port 2:
Console> (enable) set gmrp fwdall disable 3/2
GMRP Forward All groups option disabled on port(s) 3/2.
Console> (enable)
Use the set gmrp registration command to specify the GMRP registration type.
set gmrp registration {normal | fixed | forbidden} mod/ports..
normal | Keyword to specify dynamic GMRP multicast registration and deregistration on the port. |
fixed | Keyword to specify the multicast groups currently registered on the switch are applied to the port, but any subsequent registrations or deregistrations do not affect the port. Any registered multicast groups on the port are not deregistered based on the GARP timers. |
forbidden | Keyword to specify that all GMRP multicasts are deregistered and prevent any further GMRP multicast registration on the port. |
mod/ports.. | Module number and port number list. |
The default is administrative control is normal.
Switch command.
Privileged.
You must return the port to normal registration mode to deregister multicast groups on the port.
GMRP supports a total of 3072 multicast addresses for the whole switch.
This example shows how to set the registration type to fixed on module 3, port 3:
Console> (enable) set gmrp registration fixed 3/3 GMRP Registration is set to Fixed for port(s) 3/3. Console> (enable)
This example shows how to set the registration type to forbidden on module 1, port 1:
Console> (enable) set gmrp registration forbidden 1/1 GMRP Registration is set to Forbidden for port(s) 1/1. Console> (enable)
Use the set gmrp timer command to adjust the values of the join, leave, and leaveall timers.
set gmrp timer {timer_type} {timer_value}
timer_type | Type of timer; valid values are join, leave, and leaveall. |
timer_value | Timer values in milliseconds. |
The default is the join timer is 200 ms; the leave timer is 600 ms; and the leaveall timer is 10000 ms.
Switch command.
Privileged.
You must maintain the following relationship for the various timer values:
Caution: Set the same GARP application (for example, GMRP and GVRP) timer values on all Layer 2-connected devices. If the GARP timers are set differently on the Layer 2-connected devices, GARP applications will not operate successfully.
This example shows how to set the join timer value to 100 ms for all the ports on all the VLANs:
Console> (enable) set gmrp timer join 100 GARP Join timer value is set to 100 milliseconds. Console> (enable)
This example shows how to set the leave timer value to 300 ms for all the ports on all the VLANs:
Console> (enable) set gmrp timer leave 300 GARP Leave timer value is set to 300 milliseconds. Console> (enable)
This example shows how to set the leaveall timer value to 20000 ms for all the ports on all the VLANs:
Console> (enable) set gmrp timer leaveall 20000 GARP LeaveAll timer value is set to 20000 milliseconds. Console> (enable)
show gmrp timer
set gvrp timer
set garp timer
Use the set gvrp command to enable or disable GVRP globally in the switch or on a per-port basis.
set gvrp {enable | disable} [mod/port]
enable | Keyword to enable GVRP on the switch. |
disable | Keyword to disable GVRP on the switch. |
mod/port | (Optional) Number of the module and port. |
The default is GVRP is globally set to disabled.
Switch command.
Privileged.
When you enable VTP pruning, VTP pruning runs on all the GVRP-disabled trunks.
To run GVRP on a trunk, you need to enable GVRP both globally on the switch and individually on the trunk.
This example shows how to enable GVRP globally on the switch:
Console> (enable) set gvrp enable GVRP enabled. Console> (enable)
This example shows how to disable GVRP:
Console> (enable) set gvrp disable GVRP disabled. Console> (enable)
This example shows how to enable GVRP on module 2, port 1:
Console> (enable) set gvrp enable 2/1 GVRP enabled on port 2/1. Console> (enable)
show gmrp timer
show gvrp configuration
set gvrp timer
set garp timer
Use the set gvrp applicant command to specify whether or not a VLAN is declared out of blocking ports.
set gvrp applicant {normal | active} {mod/port...}
normal | Keyword to disallow the declaration of any VLAN out of blocking ports. |
active | Keyword to enforce the declaration of all active VLANs out of blocking ports. |
mod/port... | Module number and port number list. |
The default is GVRP applicant set to normal.
Switch command.
Privileged.
To run GVRP on a trunk, you need to enable GVRP both globally on the switch and individually on the trunk.
On a port connected to a device that does not support the per-VLAN mode of STP, the port state may continuously cycle from blocking to listening to learning and back to blocking. To prevent this, enter the set gvrp applicant active mod/port... command on the port so that GVRP VLAN declarations are sent while the port is in the STP blocking state.
This example shows how to enforce the declaration of all active VLANs out of specified blocking ports:
Console> (enable) set gvrp applicant active 4/2-3,4/9-10,4/12-24 Applicant was set to active on port(s) 4/2-3,4/9-10,4/12-24. Console> (enable)
This example shows how to disallow the declaration of any VLAN out of specified blocking ports:
Console> (enable) set gvrp applicant normal 4/2-3,4/9-10,4/12-24 Applicant was set to normal on port(s) 4/2-3,4/9-10,4/12-24. Console> (enable)
Use the set gvrp dynamic-vlan-creation command to enable or disable dynamic VLAN creation.
set gvrp dynamic-vlan-creation {enable | disable}
enable | Keyword to enable dynamic VLAN creation. |
disable | Keyword to disable dynamic VLAN creation. |
The default is dynamic VLAN creation is disabled.
Switch command.
Privileged.
You can enable dynamic VLAN creation only when VTP is in transparent mode and no ISL trunks exist in the switch.
This feature is not allowed when there are 802.1q trunks that are not configured with GVRP.
This example shows how to enable dynamic VLAN creation:
Console> (enable) set gvrp dynamic-vlan-creation enable Dynamic VLAN creation enabled. Console> (enable)
This example shows what happens if you try to enable dynamic VLAN creation and VTP is not in transparent mode:
Console> (enable) set gvrp dynamic-vlan-creation enable VTP has to be in TRANSPARENT mode to enable this feature. Console> (enable)
This example shows how to disable dynamic VLAN creation:
Console> (enable) set gvrp dynamic-vlan-creation disable Dynamic VLAN creation disabled. Console> (enable)
set vtp
show gvrp configuration
Use the set gvrp registration command to set the administrative control of an outbound port and apply to all VLANs on the trunk. GVRP registration commands are entered on a per-port basis.
set gvrp registration {normal | fixed | forbidden} mod/ports..
normal | Keyword to allow dynamic registering and deregistering each VLAN (except VLAN 1) on the port. |
fixed | Keyword to support manual VLAN creation and registration, prevent VLAN deregistration, and register all VLANs known to other ports. |
forbidden | Keyword to specify that all the VLANs (except VLAN 1) are statically deregistered from the port. |
mod/ports.. | Module number and port number list. |
The default is administrative control is normal.
Switch command.
Privileged.
When you set VLAN registration on a port, you are telling the switch that the VLAN is of interest to the user(s) connected to that port, so the VLAN's broadcast and multicast traffic may be sent to the port.
For static VLAN configuration, you should set the mod/ports.. control to fixed or forbidden if the mod/ports.. will not receive or process any GVRP message.
For each dynamically configured VLAN on a port, you should set the mod/ports.. control to normal (default), except for VLAN 1; GVRP registration mode for VLAN 1 is always fixed and is not configurable. VLAN 1 is always carried by 802.1Q trunks on which GVRP is enabled.
When GVRP is running, you can create a VLAN through a GVRP trunk port only if you enter the set gvrp dynamic-vlan-creation enable and the set gvrp registration normal commands.
This example shows how to set the administrative control to normal on module 3, port 7:
Console> (enable) set gvrp registration normal 3/7 Registrar Administrative Control set to normal on port 3/7. Console> (enable)
This example shows how to set the administrative control to fixed on module 5, port 10:
Console> (enable) set gvrp registration fixed 5/10 Registrar Administrative Control set to fixed on Port 5/10. Console> (enable)
This example shows how to set the administrative control to forbidden on module 5, port 2:
Console> (enable) set gvrp registration forbidden 5/2 Registrar Administrative Control set to forbidden on port 5/2. Console> (enable)
Use the set gvrp timer command to adjust the values of the join, leave, and leaveall timers.
set gvrp timer {timer_type} {timer_value}
timer_type | Type of timer; valid values are join, leave, and leaveall. |
timer_value | Timer values in milliseconds. |
The default is the join timer is 200 ms; the leave timer is 600 ms; and the leaveall timer is 10000 ms.
Switch command.
Privileged.
You must maintain the following relationship for the various timer values:
Caution: Set the same GARP application (for example, GMRP and GVRP) timer values on all Layer 2-connected devices. If the GARP timers are set differently on the Layer 2-connected devices, GARP applications will not operate successfully.
This example shows how to set the join timer value to 100 ms for all the ports on all the VLANs:
Console> (enable) set gvrp timer join 100 GVRP/GARP Join timer value is set to 100 milliseconds. Console> (enable)
This example shows how to set the leave timer value to 300 ms for all the ports on all the VLANs:
Console> (enable) set gvrp timer leave 300 GVRP/GARP Leave timer value is set to 300 milliseconds. Console> (enable)
This example shows how to set the leaveall timer value to 20000 ms for all the ports on all the VLANs:
Console> (enable) set gvrp timer leaveall 20000 GVRP/GARP LeaveAll timer value is set to 20000 milliseconds. Console> (enable)
set garp timer
show gvrp configuration
Use the set igmp command to enable or disable IGMP snooping on the switch.
set igmp {enable | disable}
enable | Keyword to enable IGMP snooping on the switch. |
disable | Keyword to disable IGMP snooping on the switch. |
The default is IGMP snooping is disabled.
Switch command.
Privileged.
IGMP can be enabled only if you disable GMRP.
You must enable IGMP snooping to use the RGMP feature.
This example shows how to enable IGMP snooping on the switch:
Console> (enable) set igmp enable IGMP Snooping is enabled. Console> (enable)
This example shows how to disable IGMP snooping on the switch:
Console> (enable) set igmp disable IGMP Snooping is disabled. Console> (enable)
This example shows the display if you try to enable IGMP snooping on the switch with GMRP enabled:
Console> (enable) set igmp enable
Disable GMRP to enable IGMP snooping feature.
Console> (enable)
clear igmp statistics
show igmp statistics
show rgmp group
show rgmp statistics
clear rgmp statistics
Use the set igmp fastleave command to enable or disable IGMP fastleave processing.
set igmp fastleave {enable | disable}
enable | Keyword to enable IGMP fastleave processing. |
disable | Keyword to disable IGMP fastleave processing. |
The default is disabled.
Switch command.
Privileged.
This example shows how to enable IGMP fastleave processing:
Console> (enable) set igmp fastleave enable
IGMP fastleave set to enable.
Warning: Can cause disconnectivity if there are more than one host joining the same group per access port.
Console> (enable)
This example shows how to disable IGMP fastleave processing:
Console> (enable) set igmp fastleave disable
IGMP fastleave set to disable.
Console> (enable)
clear igmp statistics
set igmp
show igmp statistics
Use the set interface commands to configure the in-band and SLIP interfaces on the switch.
set interface {sc0 | sl0} {up | down}
set interface sc0 [vlan] [ip_addr[/netmask] [broadcast]]
set interface sl0 slip_addr dest_addr
set interface sc0 dhcp {renew | release | requestnew}
sc0 | Keyword to specify the in-band interface. |
sl0 | Keyword to specify the SLIP interface. |
up | Keyword to bring the interface into operation. |
down | Keyword to bring the interface out of operation. |
vlan | (Optional) Number of the VLAN to be assigned to the interface. |
ip_addr | (Optional) IP address. |
/netmask | (Optional) Subnet mask. |
broadcast | (Optional) Broadcast address. |
slip_addr | IP address of the console port. |
dest_addr | IP address of the host to which the console port will be connected. |
dhcp | Keyword to perform DHCP operations on the sc0 interface. |
renew | Keyword used to renew the lease on a DHCP-learned IP address. |
release | Keyword used to release a DHCP-learned IP address back to the DHCP IP address pool. |
requestnew | Keyword used to request a new lease on a DHCP-learned IP address. |
The default configuration is the in-band interface (sc0) in VLAN 1 with the IP address, subnet mask, and broadcast address set to 0.0.0.0. The default configuration for the SLIP interface (sl0) is that the IP address and broadcast address are set to 0.0.0.0.
Switch command.
Privileged.
Two configurable network interfaces are on a Catalyst 6000 family switch: in-band (sc0) and SLIP (sl0). Configuring the sc0 interface with an IP address and subnet mask allows you to access the switch CLI via Telnet from a remote host. You should assign the sc0 interface to an active VLAN configured on the switch (the default is VLAN 1). Make sure the IP address you assign is in the same subnet as other stations in that VLAN.
Configuring the sl0 interface with an IP address and destination address allows you to make a point-to-point connection to a host through the console port. Use the slip attach command to activate SLIP on the console port (you will not be able to access the CLI via a terminal connected to the console port until you use the slip detach command to deactivate SLIP on the console port).
When you specify the netmask, it indicates the number of bits allocated to subnetting in the hostid portion of the given Class A, B, or C address. For example, if you enter 172.22.20.7 as the sc0 address, this Class B address has 16 hostid bits, any number of which can be allocated to the subnet field. If you do not enter a netmask, the natural (classful) netmask is assumed.
The set interface sc0 dhcp command is valid only when the address was learned from a DHCP server, and it is available in privileged mode only.
This example shows how to use set interface sc0 and set interface sl0 from the console port. It also shows how to bring down interface sc0 using a terminal connected to the console port:
Console> (enable) set interface sc0 192.20.11.44/255.255.255.0
Interface sc0 IP address and netmask set.
Console> (enable) set interface sl0 192.200.10.45 192.200.10.103
Interface sl0 SLIP and destination address set.
Console> (enable) set interface sc0 down
Interface sc0 administratively down.
Console> (enable)
This example shows how to set the IP address for sc0 through a Telnet session. Note that the default netmask for that IP address class is used (for example, a Class C address uses 255.255.255.0, and a Class B uses 255.255.0.0):
Console> (enable) set interface sc0 192.200.11.40
This command may disconnect active telnet sessions.
Do you want to continue (y/n) [n]? y
Interface sc0 IP address set.
This example shows how to take the interface out of operation through a Telnet session:
Console> (enable) set interface sc0 down
This command will inactivate telnet sessions.
Do you want to continue (y/n) [n]? y
Interface sc0 administratively down.
This example shows how to assign the sc0 interface to a particular VLAN:
Console> (enable) set interface sc0 5 Interface sc0 vlan set. Console> (enable)
This example shows what happens when you assign the sc0 interface to a nonactive VLAN:
Console> (enable) set interface sc0 200 Vlan is not active, user needs to set vlan 200 active Interface sc0 vlan set. Console> (enable)
This example shows how to release a DHCP-learned IP address back to the DHCP IP address pool:
Console> (enable) set interface sc0 dhcp release
Releasing IP address...Done
Console> (enable)
This example shows how to renew a lease on a DHCP-learned IP address:
Console> (enable) set interface sc0 dhcp renew
Renewing IP address...Done
Console> (enable)
This example shows how to request a new lease on a DHCP-learned IP address:
Console> (enable) set interface sc0 dhcp requestnew
Requesting new IP address...Done
Console> (enable)
Use the set ip alias command to add aliases of IP addresses.
set ip alias name ip_addr
name | Name of the alias being defined. |
ip_addr | IP address of the alias being defined. |
The default configuration is one IP alias (0.0.0.0) configured as the default.
Switch command.
Privileged.
This example shows how to define an IP alias of mercury for IP address 192.122.174.234:
Console> (enable) set ip alias mercury 192.122.174.234 IP alias added. Console> (enable)
Use the set ip dns command to enable or disable DNS.
set ip dns {enable | disable}
enable | Keyword to enable DNS. |
disable | Keyword to disable DNS. |
The default is DNS is disabled.
Switch command.
Privileged.
This example shows how to enable DNS:
Console> (enable) set ip dns enable DNS is enabled. Console> (enable)
This example shows how to disable DNS:
Console> (enable) set ip dns disable DNS is disabled. Console> (enable)
Use the set ip dns domain command to set the default DNS domain name.
set ip dns domain name
name | Default DNS domain name. |
This command has no default setting.
Switch command.
Privileged.
If you specify a domain name on the command line, the system attempts to resolve the host name as entered. If the system cannot resolve the host name as entered, it appends the default DNS domain name as defined with the set ip dns domain command. If you specify a domain name with a trailing dot, the program considers this an absolute domain name.
This example shows how to set the default DNS domain name:
Console> (enable) set ip dns domain yow.com Default DNS domain name set to yow.com. Console> (enable)
clear ip dns domain
show ip dns
Use the set ip dns server command to set the IP address of a DNS server.
set ip dns server ip_addr [primary]
ip_addr | IP address of the DNS server. |
primary | (Optional) Keyword to configure a DNS server as the primary server. |
This command has no default setting.
Switch command.
Privileged.
You can configure up to three DNS name servers as backup. You can also configure any DNS server as the primary server. The primary server is queried first. If the primary server fails, the backup servers are queried.
If DNS is disabled, you must use the IP address with all commands that require explicit IP addresses or manually define an alias for that address. The alias has priority over DNS.
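The resolution order described above for aliases, the default DNS domain, and the primary and backup server table, as an added Python model. This is illustrative code written for this page, not CatOS or Cisco code; the alias table, default domain, server addresses and DNS answers are constructed, and nothing is sent on the network. The three-entry limit, primary-first query order, trailing-dot handling and alias-over-DNS precedence follow the text.

```python
# Added example (not CatOS code): a model of how the switch's own name
# resolution is described for set ip alias, set ip dns, set ip dns domain
# and set ip dns server. All data below is constructed for the example.
import ipaddress
from typing import Callable, Dict, List, Optional

MAX_DNS_SERVERS = 3       # a fourth entry gets "DNS server table is full"
Resolver = Callable[[str, str], Optional[str]]   # (server, qname) -> address


class DnsServerTable:
    """Ordered server list: index 0 is the primary and is queried first."""

    def __init__(self) -> None:
        self.servers: List[str] = []

    def add(self, addr: str, primary: bool = False) -> bool:
        if len(self.servers) >= MAX_DNS_SERVERS:
            return False                       # table is full, not added
        if primary or not self.servers:
            self.servers.insert(0, addr)       # a new primary displaces the old one
        else:
            self.servers.append(addr)          # backup server
        return True

    def primary(self) -> Optional[str]:
        return self.servers[0] if self.servers else None


def dns_candidates(name: str, default_domain: Optional[str]) -> List[str]:
    """Lookup order: a trailing dot marks an absolute name; otherwise the
    name is tried as entered, then with the default domain appended."""
    if name.endswith("."):
        return [name]
    candidates = [name + "."]
    if default_domain:
        candidates.append(f"{name}.{default_domain.rstrip('.')}.")
    return candidates


def query_with_failover(table: DnsServerTable, qname: str, ask: Resolver) -> Optional[str]:
    """Query the primary first; if it fails or has no answer, try the backups."""
    for server in table.servers:
        try:
            answer = ask(server, qname)
        except OSError:
            answer = None                      # unreachable server: next one
        if answer is not None:
            return answer
    return None


def resolve(name: str, aliases: Dict[str, str], table: DnsServerTable,
            default_domain: Optional[str], ask: Resolver,
            dns_enabled: bool = True) -> Optional[str]:
    """Alias table has priority over DNS; a literal address needs neither.
    With DNS disabled only aliases and literal addresses resolve."""
    if name in aliases:
        return aliases[name]
    try:
        return str(ipaddress.IPv4Address(name))
    except ipaddress.AddressValueError:
        pass
    if not dns_enabled:
        return None
    for candidate in dns_candidates(name, default_domain):
        answer = query_with_failover(table, candidate, ask)
        if answer is not None:
            return answer
    return None


# --- constructed demo data (not from any real network) ---------------------
ALIASES = {"mercury": "192.122.174.234"}          # set ip alias mercury ...
DEFAULT_DOMAIN = "yow.com"                        # set ip dns domain yow.com
FAKE_ZONE = {"batboy.yow.com.": "192.168.10.7", "ns.example.net.": "192.0.2.53"}
DEAD_SERVERS = {"171.69.2.143"}                   # pretend this server is down


def fake_ask(server: str, qname: str) -> Optional[str]:
    if server in DEAD_SERVERS:
        raise OSError("timeout")
    return FAKE_ZONE.get(qname)


def build_table() -> DnsServerTable:
    table = DnsServerTable()
    table.add("198.92.30.32")                   # first entry is primary by default
    table.add("171.69.2.132", primary=True)
    table.add("171.69.2.143", primary=True)     # becomes primary; .132 is now a backup
    return table


def demo() -> Dict[str, Optional[str]]:
    table = build_table()
    table.add("161.44.128.70")                  # fourth entry: table full, rejected
    args = (ALIASES, table, DEFAULT_DOMAIN, fake_ask)
    return {
        "primary": table.primary(),
        "count": str(len(table.servers)),
        "mercury": resolve("mercury", *args),            # alias wins
        "batboy": resolve("batboy", *args),              # default domain appended
        "absolute": resolve("ns.example.net.", *args),   # trailing dot: as entered
        "literal": resolve("10.1.2.3", *args),
        "no_dns": resolve("batboy", *args, dns_enabled=False),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:10} {value}")
```

In the demo the dead primary is skipped on every query, so the unqualified name batboy costs two failed attempts and two backup queries before batboy.yow.com. resolves; the alias mercury never touches DNS at all.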
These examples show how to set the IP address of a DNS server:
Console> (enable) set ip dns server 198.92.30.32
198.92.30.32 added to DNS server table as primary server.
Console> (enable) set ip dns server 171.69.2.132 primary
171.69.2.132 added to DNS server table as primary server.
Console> (enable) set ip dns server 171.69.2.143 primary
171.69.2.143 added to DNS server table as primary server.
Console> (enable)
This example shows what happens if you enter more than three DNS name servers as backup:
Console> (enable) set ip dns server 161.44.128.70
DNS server table is full. 161.44.128.70 not added to DNS server table.
Console> (enable)
clear ip dns server
show ip dns
Use the set ip fragmentation command to enable or disable the fragmentation of IP packets bridged between FDDI and Ethernet networks. Note that FDDI and Ethernet networks have different MTUs.
set ip fragmentation {enable | disable}
enable | Keyword to permit fragmentation for IP packets bridged between FDDI and Ethernet networks. |
disable | Keyword to disable fragmentation for IP packets bridged between FDDI and Ethernet networks. |
The default value is IP fragmentation enabled.
Switch command.
Privileged.
If IP fragmentation is disabled, packets are dropped.
This example shows how to disable IP fragmentation:
Console> (enable) set ip fragmentation disable Bridge IP fragmentation disabled. Console> (enable)
Use the set ip permit command to enable or disable the IP permit list and to specify IP addresses to be added to the IP permit list. You can also use this command to enable or disable the IP permit restriction for the web interface for HTTP users.
set ip permit {enable | disable} [telnet | snmp | all]
set ip permit ip_addr [mask] [telnet | snmp | all]
enable | Keyword to enable the IP permit list. |
disable | Keyword to disable the IP permit list. |
telnet | (Optional) Keyword to apply the command to the Telnet IP permit list only. |
snmp | (Optional) Keyword to apply the command to the SNMP IP permit list only. |
all | (Optional) Keyword to apply the command to both the Telnet and SNMP IP permit lists. |
ip_addr | IP address to be added to the IP permit list. An IP alias or host name that can be resolved through DNS can also be used. |
mask | (Optional) Subnet mask of the specified IP address. |
The default is IP permit list is disabled.
Switch command.
Privileged.
The same functionality of the IP permit list can be achieved by using VACLs. VACLs are handled by hardware (PFC) and the processing is considerably faster. For VACL configuration information, refer to the Catalyst 6000 Family Multilayer Switch Feature Card and Policy Feature Card Configuration Guide.
You can configure up to ten entries in the permit list. If the IP permit list is enabled, but the permit list has no entries configured, a caution displays on the screen.
Make sure you enter the entire disable keyword when entering the set ip permit disable command. If you abbreviate the keyword, the abbreviation is interpreted as a host name to add to the IP permit list.
If you do not specify the snmp, telnet, or all keyword, the IP address is added to both the SNMP and Telnet permit lists.
You enter the mask in dotted decimal format, for example, 255.255.0.0.
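An added Python model of the permit-list behaviour described in the guidelines above: the ten-entry limit, an optional dotted mask, telnet/snmp/all scoping, and the pitfall that an abbreviated disable keyword is parsed as a host name rather than as a keyword. This is example code written for this page, not CatOS or Cisco code. The alias table, entries and source addresses are constructed; because the example runs offline, a host name resolves only through the constructed alias table, not through DNS.

```python
# Added example (not CatOS code): a model of the IP permit list configured
# by set ip permit. Entries, aliases and source addresses are constructed.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Sequence

MAX_ENTRIES = 10
SERVICES = ("telnet", "snmp")


@dataclass
class PermitEntry:
    network: ipaddress.IPv4Network
    services: FrozenSet[str]


@dataclass
class PermitList:
    enabled: bool = False
    entries: List[PermitEntry] = field(default_factory=list)
    aliases: Dict[str, str] = field(default_factory=dict)   # set ip alias table

    def add(self, target: str, mask: Optional[str], services: Sequence[str]) -> bool:
        """Add a host (no mask) or subnet entry to the selected permit lists."""
        if len(self.entries) >= MAX_ENTRIES:
            return False
        try:
            ip = ipaddress.IPv4Address(self.aliases.get(target, target))
        except ipaddress.AddressValueError:
            return False              # neither an address nor a known alias
        try:
            net = ipaddress.IPv4Network((ip, mask or "255.255.255.255"), strict=False)
        except ipaddress.NetmaskValueError:
            return False              # e.g. a mask without contiguous 1s
        self.entries.append(PermitEntry(net, frozenset(services)))
        return True

    def permits(self, source: str, service: str) -> bool:
        """A disabled list restricts nothing; an enabled list allows only matches."""
        if not self.enabled:
            return True
        src = ipaddress.IPv4Address(source)
        return any(src in e.network and service in e.services for e in self.entries)

    def caution(self) -> Optional[str]:
        """The on-screen caution case: enabled, but nothing has been permitted yet."""
        if self.enabled and not self.entries:
            return "IP permit list is enabled but has no entries"
        return None


def apply_command(pl: PermitList, args: List[str]) -> str:
    """Mimic 'set ip permit' argument handling: only the full keywords enable
    and disable toggle the list; any other first token is an address or name."""
    if not args:
        return "Usage: set ip permit {enable | disable} | ip_addr [mask] [telnet | snmp | all]"
    if args[0] in ("enable", "disable"):
        pl.enabled = args[0] == "enable"
        return f"IP permit list {args[0]}d."
    target, rest = args[0], list(args[1:])
    mask = None
    if rest and rest[0] not in ("telnet", "snmp", "all"):
        mask, rest = rest[0], rest[1:]
    scope = rest[0] if rest else "all"
    services = SERVICES if scope == "all" else (scope,)
    if not pl.add(target, mask, services):
        return f"{target} not added to IP permit list."
    return f"{target} added to {'IP' if scope == 'all' else scope} permit list."


def demo() -> Dict[str, object]:
    """Constructed walk-through; returns the results so they can be checked."""
    pl = PermitList(aliases={"batboy": "172.20.52.40"})   # constructed alias
    apply_command(pl, ["enable"])
    apply_command(pl, ["172.16.0.0", "255.255.0.0", "telnet"])
    apply_command(pl, ["172.20.52.32", "255.255.255.224", "snmp"])
    apply_command(pl, ["batboy"])                  # alias, both lists
    dis_msg = apply_command(pl, ["dis"])           # abbreviated 'disable' pitfall
    return {
        "still_enabled": pl.enabled,               # the list was NOT disabled
        "dis_msg": dis_msg,
        "telnet_172_16": pl.permits("172.16.9.9", "telnet"),
        "snmp_172_16": pl.permits("172.16.9.9", "snmp"),
        "snmp_in_block": pl.permits("172.20.52.60", "snmp"),    # inside /27
        "snmp_past_block": pl.permits("172.20.52.64", "snmp"),  # just outside
        "alias_telnet": pl.permits("172.20.52.40", "telnet"),
        "entries": len(pl.entries),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} {value}")
```

The point of the dis token in the demo is the one the guideline makes: with a real switch, the misspelt keyword would be handed to DNS as a host name and, if it happened to resolve, an unintended address would be permitted while the list stayed enabled.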
This example shows how to add an IP address to the IP permit list:
Console> (enable) set ip permit 192.168.255.255 192.168.255.255 added to IP permit list. Console> (enable)
This example shows how to add an IP address using an IP alias or host name to both the SNMP and Telnet permit lists:
Console> (enable) set ip permit batboy batboy added to IP permit list. Console> (enable)
This example shows how to add a subnet mask of the IP address to both the SNMP and Telnet permit lists:
Console> (enable) set ip permit 192.168.255.255 255.255.192.0 192.168.255.255 with mask 255.255.192.0 added to IP permit list. Console> (enable)
This example shows how to add an IP address to the Telnet IP permit list:
Console> (enable) set ip permit 172.16.0.0 255.255.0.0 telnet 172.16.0.0 with mask 255.255.0.0 added to telnet permit list. Console> (enable)
This example shows how to add an IP address to the SNMP IP permit list:
Console> (enable) set ip permit 172.20.52.32 255.255.255.224 snmp 172.20.52.32 with mask 255.255.255.224 added to snmp permit list. Console> (enable)
This example shows how to add an IP address to the all IP permit lists:
Console> (enable) set ip permit 172.20.52.3 all 172.20.52.3 added to IP permit list. Console> (enable)
This example shows how to enable the IP permit list:
Console> (enable) set ip permit enable IP permit list enabled. Console> (enable)
This example shows how to disable the IP permit list:
Console> (enable) set ip permit disable IP permit list disabled. Console> (enable)
clear ip permit
set ip permit
show ip permit
Use the set ip redirect command to enable or disable ICMP redirect messages on the Catalyst 6000 family switches.
set ip redirect {enable | disable}
enable | Keyword to permit ICMP redirect messages to be returned to the source host. |
disable | Keyword to prevent ICMP redirect messages from being returned to the source host. |
The default configuration is ICMP redirect is enabled.
Switch command.
Privileged.
This example shows how to deactivate ICMP redirect messages:
Console> (enable) set ip redirect disable ICMP redirect messages disabled. Console> (enable)
Use the set ip route command to add IP addresses or aliases to the IP routing table.
set ip route {destination}[/netmask] {gateway} [metric] [primary]
destination | IP address, IP alias of the network, or specific host to be added. Use default as the destination to set the new entry as the default route. |
/netmask | (Optional) Number of bits in netmask or dot format (for example, 172.20.22.7/24 or 172.20.22.7/255.255.255.0). |
gateway | IP address or IP alias of the router. |
metric | (Optional) Value used to indicate the number of hops between the switch and the gateway. |
primary | (Optional) Keyword used with the Multiple Default IP Gateways feature to specify the default IP gateway with the highest priority. |
The default configuration routes the local network through the sc0 interface with metric 0 as soon as sc0 is configured.
Switch command.
Privileged.
You can configure up to three default gateways. The primary is the highest priority. If you do not designate a primary gateway, priority is based on the order of input. If you enter two primary definitions, the second definition becomes the primary and the first definition is now the secondary default IP gateway.
You can only specify the primary keyword for a default route.
When you enter the destination or gateway, enter it in dot notation, for example, a.b.c.d.
The netmask specifies the number of bits allocated to subnetting in the host-ID portion of the given Class A, B, or C address. For example, if you enter 172.22.20.7 as the sc0 interface address, this Class B address has 16 host-ID bits, any number of which can be allocated to the netmask. If you do not enter a netmask, the natural (classful) netmask is assumed.
Enter the netmask either as a number of bits or in dot format, for example, destination/24 or destination/255.255.255.0. A netmask entered in dot format must consist of contiguous 1s.
These examples show how to add three default routes to the IP routing table, checking after each addition with the show ip route command:
Console> (enable) set ip route default 192.122.173.42 1 primary
Route added.
Console> (enable) show ip route
Fragmentation   Redirect   Unreachable
-------------   --------   -----------
enabled         enabled    enabled

Destination      Gateway          Flags   Use         Interface
---------------  ---------------  ------  ----------  ---------
default          192.122.173.42   UG      59444       sc0
192.22.74.0      192.22.74.223    U       5           sc0
Console> (enable) set ip route default 192.122.173.43 1
Route added.
Console> (enable) show ip route
Fragmentation   Redirect   Unreachable
-------------   --------   -----------
enabled         enabled    enabled

Destination      Gateway          Flags   Use         Interface
---------------  ---------------  ------  ----------  ---------
default          192.122.173.43   UG      59444       sc0
default          192.122.173.42   UG      59444       sc0
192.22.74.0      192.22.74.223    U       5           sc0
Console> (enable) set ip route default 192.122.173.44 1
Route added.
Console> (enable) show ip route
Fragmentation   Redirect   Unreachable
-------------   --------   -----------
enabled         enabled    enabled

Destination      Gateway          Flags   Use         Interface
---------------  ---------------  ------  ----------  ---------
default          192.122.173.44   UG      59444       sc0
default          192.122.173.43   UG      59444       sc0
default          192.122.173.42   UG      59444       sc0
192.22.74.0      192.22.74.223    U       5           sc0
Console> (enable)
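The following is an added example written for this page in Python; it is not CatOS code or Cisco's implementation. It models the argument rules stated in the usage guidelines above: a destination given as default, a.b.c.d, a.b.c.d/bits or a.b.c.d/dotted-mask, the natural (classful) mask when none is supplied, the contiguous-1s requirement for dotted masks, the restriction of primary to the default route, the three-gateway limit, and the priority order that the primary keyword and order of input produce. The addresses used are constructed sample input, and the show ip route display order in the example above is not part of the model.

```python
# Added example (Python, not CatOS code): a model of the argument rules for
# set ip route described in the usage guidelines. Addresses are constructed
# sample input; the priority ordering follows the text, not the display
# order of show ip route.
import ipaddress

MAX_DEFAULT_GATEWAYS = 3      # "You can configure up to three default gateways."


def natural_prefix(addr: str) -> int:
    """Classful ('natural') mask length for a dotted IPv4 address."""
    first_octet = int(addr.split(".")[0])
    if first_octet < 128:
        return 8              # Class A
    if first_octet < 192:
        return 16             # Class B
    if first_octet < 224:
        return 24             # Class C
    raise ValueError(f"{addr}: class D/E address has no natural netmask")


def mask_to_prefix(mask: str) -> int:
    """Dotted netmask -> prefix length; the 1 bits must be contiguous."""
    bits = int(ipaddress.IPv4Address(mask))
    ones = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"{mask}: netmask must have contiguous 1s")
    return ones


def valid_dotted_mask(mask: str) -> bool:
    """True if the dotted mask is well formed and contiguous."""
    try:
        mask_to_prefix(mask)
        return True
    except ValueError:        # ipaddress.AddressValueError is a ValueError
        return False


def parse_destination(spec: str):
    """'default' | a.b.c.d | a.b.c.d/bits | a.b.c.d/dotted -> (network, prefix)."""
    if spec == "default":
        return "default", 0
    addr, _, mask = spec.partition("/")
    ipaddress.IPv4Address(addr)            # rejects anything that is not a.b.c.d
    if not mask:
        prefix = natural_prefix(addr)      # no netmask given: natural mask assumed
    elif mask.isdigit():
        prefix = int(mask)
        if prefix > 32:
            raise ValueError(f"{spec}: prefix length must be 0-32")
    else:
        prefix = mask_to_prefix(mask)
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address), prefix


class RouteTable:
    """Static routes plus default gateways held in priority order (index 0 = primary)."""

    def __init__(self):
        self.defaults = []      # default gateways, highest priority first
        self.routes = {}        # (network, prefix) -> gateway

    def set_ip_route(self, destination, gateway, metric=0, primary=False):
        # metric is accepted for parity with the command but not used by this model
        ipaddress.IPv4Address(gateway)
        network, prefix = parse_destination(destination)
        if network != "default":
            if primary:
                raise ValueError("primary is only valid for a default route")
            self.routes[(network, prefix)] = gateway
            return
        if gateway in self.defaults:          # re-entering a gateway re-ranks it
            self.defaults.remove(gateway)
        if len(self.defaults) >= MAX_DEFAULT_GATEWAYS:
            raise ValueError("only three default gateways can be configured")
        if primary:
            # a new primary outranks an earlier one, which drops to secondary
            self.defaults.insert(0, gateway)
        else:
            # without primary, priority follows the order of input
            self.defaults.append(gateway)

    def default_gateway(self):
        return self.defaults[0] if self.defaults else None
```

Feeding the three commands from the example above into RouteTable leaves 192.122.173.42 as the primary gateway; entering two gateways with primary makes the second one primary and demotes the first, as the guidelines state.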
Use the set ip unreachable command to enable or disable ICMP unreachable messages on the Catalyst 6000 family switch.
set ip unreachable {enable | disable}
enable | Keyword to allow IP unreachable messages to be returned to the source host. |
disable | Keyword to prevent IP unreachable messages from being returned to the source host. |
By default, ICMP unreachable messages are enabled.
Switch command.
Privileged.
When you enable ICMP unreachable messages, the switch returns an ICMP unreachable message to the source host whenever it receives an IP datagram that it cannot deliver. When you disable ICMP unreachable messages, the switch does not notify the source host when it receives an IP datagram that it cannot deliver.
For example, suppose a switch has ICMP unreachable messages enabled and IP fragmentation disabled. If an FDDI frame is received and must be transmitted on an Ethernet port, the switch cannot fragment the packet; it drops the packet and returns an ICMP unreachable message to the source host.
This example shows how to disable ICMP unreachable messages:
Console> (enable) set ip unreachable disable
ICMP Unreachable message disabled.
Console> (enable)
Use the set kerberos clients mandatory command to make Kerberos authentication mandatory for authenticating to services on the network.
set kerberos clients mandatory
This command has no arguments or keywords.
By default, Kerberos clients are not set to mandatory.
Switch command.
Privileged.
As an added layer of security, you can optionally configure the switch so that after users authenticate to it, they can authenticate to other services on the network only with Kerberos clients. If you do not make Kerberos authentication mandatory and Kerberos authentication fails, the application attempts to authenticate users using the default method of authentication for that network service. For example, Telnet prompts for a password.
This example shows how to make Kerberos authentication mandatory:
Console> (enable) set kerberos clients mandatory
Kerberos clients set to mandatory
Console> (enable)
set kerberos credentials forward
clear kerberos clients mandatory
show kerberos
Use the set kerberos credentials forward command to configure clients to forward users' credentials as they connect to other hosts in the Kerberos realm.
set kerberos credentials forward
This command has no arguments or keywords.
By default, credentials forwarding is disabled.
Switch command.
Privileged.
A user authenticated to a Kerberized switch has a ticket granting ticket (TGT) and can use it to authenticate to a host on the network. However, if forwarding is not enabled and a user tries to list credentials after authenticating to a host, the output will show no Kerberos credentials present.
You can optionally configure the switch to forward user TGTs as they authenticate from the switch to Kerberized remote hosts on the network by using Kerberized Telnet.
This example shows how to enable Kerberos credentials forwarding:
Console> (enable) set kerberos credentials forward
Kerberos credentials forwarding enabled
Console> (enable)
set kerberos credentials forward
set kerberos clients mandatory
show kerberos creds
Use the set kerberos local-realm command to configure a switch to authenticate users defined in the Kerberos database.
set kerberos local-realm kerberos_realm
kerberos_realm | IP address or name (in uppercase characters) of the Kerberos realm. |
The default is a null string (no local realm configured).
Switch command.
Privileged.
To authenticate a user defined in the Kerberos database, you must configure the switch to know the host name or IP address of the host running the KDC and the name of the Kerberos realm.
This example shows how to set a default Kerberos local realm for the switch:
Console> (enable) set kerberos local-realm CISCO.COM
Kerberos local realm for this switch set to CISCO.COM.
Console> (enable)
set kerberos realm
clear kerberos realm
show kerberos
Use the set kerberos realm command to map the name of a Kerberos realm to a DNS domain name or a host name.
set kerberos realm {dns_domain | host} kerberos_realm
dns_domain | DNS domain name to map to Kerberos realm. |
host | IP address or name to map to Kerberos host realm. |
kerberos_realm | IP address or name of Kerberos realm. |
This command has no default setting.
Switch command.
Privileged.
You can map the name of the Kerberos realm to a DNS domain name or a host name by entering the set kerberos realm command. The information entered with this command is stored in a table with one entry for each Kerberos realm. The maximum number of entries in the table is 100.
This example shows how to map the Kerberos realm to a domain name:
Console> (enable) set kerberos realm CISCO CISCO.COM
Kerberos DnsDomain-Realm entry set to CISCO - CISCO.COM
Console> (enable)
set kerberos local-realm
clear kerberos realm
show kerberos
Use the set kerberos server command to specify which KDC to use on the switch.
set kerberos server kerberos_realm {hostname | ip_address} [port_number]
kerberos_realm | Name of the Kerberos realm the KDC serves. |
hostname | Name of host running the KDC. |
ip_address | IP address of host running the KDC. |
port_number | (Optional) Number of the port. |
This command has no default setting.
Switch command.
Privileged.
You can specify to the switch which KDC to use in a Kerberos realm. Optionally, you can also specify the port number which the KDC is monitoring. The Kerberos server information you enter is maintained in a table with one entry for each Kerberos realm. The maximum number of entries in the table is 100.
This example shows how to specify the Kerberos server:
Console> (enable) set kerberos server CISCO.COM 187.0.2.1 750
Kerberos Realm-Server-Port entry set to:CISCO.COM - 187.0.2.1 - 750
Console> (enable)
set kerberos server
clear kerberos server
show kerberos
Use the set kerberos srvtab entry command to enter the SRVTAB file directly into the switch from the command line.
set kerberos srvtab entry kerberos_principal principal_type timestamp key_version_number key_type key_length encrypted_keytab
kerberos_principal | Service on the switch. |
principal_type | Version of the Kerberos SRVTAB. |
timestamp | Number representing the date and time the SRVTAB entry was created. |
key_version_number | Version of the encrypted key format. |
key_type | Type of encryption used. |
key_length | Length, in bytes, of the encryption key. |
encrypted_keytab | Secret key the switch shares with the KDC. This key is encrypted with the private DES key when you copy the configuration to a file or enter the show config command. |
This command has no default setting.
Switch command.
Privileged.
When you enter the SRVTAB directly into the switch, create an entry for each Kerberos principal (service) on the switch. The entries are maintained in the SRVTAB table. The maximum size of the table is 20 entries.
This example shows how to enter a SRVTAB file directly into the switch:
Console> (enable) set kerberos srvtab entry host/niners.cisco.com@CISCO.COM 0 932423923 1 1 8 03;;5>00>50;0=0=0
Kerberos SRVTAB entry set to
Principal:host/niners.cisco.com@CISCO.COM
Principal Type:0
Timestamp:932423923
Key version number:1
Key type:1
Key length:8
Encrypted key tab:03;;5>00>50;0=0=0
Console> (enable)
set kerberos srvtab entry
clear kerberos clients mandatory
show kerberos
Use the set kerberos srvtab remote command to provide the switch with a copy of the SRVTAB file from the KDC that contains the secret key.
set kerberos srvtab remote {hostname | ip_address} filename
hostname | Name of host running the KDC. |
ip_address | IP address of host running the KDC |
filename | Name of the SRVTAB file. |
This command has no default setting.
Switch command.
Privileged.
To make it possible for remote users to authenticate to the switch using Kerberos credentials, the switch must share a secret key with the KDC. To do this, you must give the switch a copy of the file that is stored in the KDC, which contains the secret key. These files are called SRVTAB files.
The most secure way to copy SRVTAB files to the hosts in your Kerberos realm is to put them on physical media and copy them onto each host manually. The switch has no removable media drive, so its SRVTAB file must be transferred over the network with TFTP. TFTP provides no authentication or encryption, so the secret key crosses the wire in cleartext: perform the transfer on an isolated management network and remove the file from the TFTP server afterward.
This example shows how to remotely copy SRVTAB files to the switch from the KDC:
Console> (enable) set kerberos srvtab remote 187.20.32.10 /users/jdoe/krb5/ninerskeytab
Console> (enable)
set kerberos srvtab entry
clear kerberos creds
show kerberos
Use the set key config-key command to define a private DES key.
set key config-key string
string | DES key; no longer than eight bytes. |
This command has no default setting.
Switch command.
Privileged.
You can define a private DES key for the switch and use it to encrypt the secret key that the switch shares with the KDC. When the DES key is set, the secret key is not displayed in cleartext by the show kerberos command. The key must be eight characters or less (a DES key is eight bytes). This protects the shared secret only against casual disclosure in displayed or saved configuration output: anyone who obtains both the configuration and the config key can recover it, and DES itself is weak by current standards, so configuration backups still need to be protected.
This example shows how to define a DES key:
Console> (enable) set key config-key abcd Kerberos config key set to abcd Console> (enable)
clear key config-key
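The following is an added example written for this page in Python; it is not CatOS code or Cisco's implementation. It parses the seven positional fields of the set kerberos srvtab entry argument line shown above, checks them for consistency, and applies the length rule of set key config-key. The mapping of key_type values 1 to 3 to single-DES with an 8-byte key is an assumption taken from the standard Kerberos encryption-type numbers, not from this page, and the switch's encoding of the encrypted keytab field is not decoded. The command line parsed is the page's own example; the second, inconsistent entry is constructed.

```python
# Added example (Python, not CatOS code): parser and consistency checks for
# the 'set kerberos srvtab entry' argument line, plus the eight-byte rule of
# 'set key config-key'. KEY_TYPES is an assumption from the standard Kerberos
# enctype numbers (1-3 are single DES, 8-byte keys); the encrypted keytab
# field is kept opaque.
from dataclasses import dataclass
from datetime import datetime, timezone

KEY_TYPES = {1: ("des-cbc-crc", 8), 2: ("des-cbc-md4", 8), 3: ("des-cbc-md5", 8)}
CONFIG_KEY_MAX_BYTES = 8          # set key config-key: no longer than eight bytes
COMMAND = "set kerberos srvtab entry"


@dataclass
class SrvtabEntry:
    principal: str
    principal_type: int
    timestamp: int
    key_version_number: int
    key_type: int
    key_length: int
    encrypted_keytab: str

    @property
    def realm(self) -> str:
        return self.principal.rsplit("@", 1)[1]

    @property
    def created(self) -> datetime:
        return datetime.fromtimestamp(self.timestamp, tz=timezone.utc)


def parse_srvtab_entry(line: str) -> SrvtabEntry:
    """Split the seven positional fields; accepts the line with or without the command."""
    line = line.strip()
    if line.startswith(COMMAND):
        line = line[len(COMMAND):]
    fields = line.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}")
    principal, ptype, ts, kvno, ktype, klen, keytab = fields
    if "@" not in principal:
        raise ValueError("principal must be service/host@REALM")
    entry = SrvtabEntry(principal, int(ptype), int(ts), int(kvno),
                        int(ktype), int(klen), keytab)
    if not entry.realm.isupper():           # realm names are entered in uppercase
        raise ValueError(f"realm {entry.realm!r} must be uppercase")
    return entry


def check_entry(entry: SrvtabEntry, now: datetime = None) -> list:
    """Return the inconsistencies found; an empty list means the entry looks sane."""
    now = now or datetime.now(tz=timezone.utc)
    problems = []
    name, expected = KEY_TYPES.get(entry.key_type, ("unknown", None))
    if expected is None:
        problems.append(f"key_type {entry.key_type} is not a recognised encryption type")
    elif entry.key_length != expected:
        problems.append(f"{name} keys are {expected} bytes, entry claims {entry.key_length}")
    if entry.created > now:
        problems.append("timestamp lies in the future")
    return problems


def valid_config_key(key: str) -> bool:
    """set key config-key accepts a key of one to eight bytes."""
    return 0 < len(key.encode("utf-8")) <= CONFIG_KEY_MAX_BYTES
```

Running the page's example line through parse_srvtab_entry yields realm CISCO.COM, a DES key of 8 bytes and a creation time in July 1999 (the timestamp is seconds since the Unix epoch), and check_entry reports nothing; changing key_length to 16 for key_type 1 produces one finding.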
Use the set lda commands to configure the ASLB information on the Catalyst 6000 family switch.
set lda {enable | disable}
set lda vip server_virtual_ip destination_tcp_port
set lda mac ld ld_mac_address
set lda mac router mac_address...
set lda router router_vlan ld_mod/port [backup_ld_mod/port]
set lda server server_vlan ld_mod/port [backup_ld_mod/port]
set lda udpage udpagetime
enable | disable | Keyword to enable or disable the ASLB feature. |
vip server_virtual_ip destination_tcp_port | Keyword and variables to specify the virtual IP address of the server and the number of the destination TCP port that will be accelerated by the switch (up to 1024). |
mac ld ld_mac_address | Keyword and variables to specify the LD MAC address. |
mac router mac_address... | Keyword and variable to specify the router MAC address. |
router router_vlan | Keyword and variable to specify the router VLAN. |
ld_mod/port | Module and port number of the port connected to the LD on the VLAN. |
backup_ld_mod/port | (Optional) Module and port number of the port connected to the backup LD. |
server server_vlan | Keyword and variable to specify the server VLAN. |
udpage udpagetime | Keyword and variable to specify the UDP aging time for Local Director Acceleration. |
The default is the ASLB is disabled.
Switch command.
Privileged.
You can enter a zero (0) as a wildcard (don't care) digit for the destination_tcp_port.
To cancel a previously entered VIP, use the clear lda vip command.
To cancel a previously entered MAC LD or router, use the clear lda mac command.
You need to enter the set lda commands to provide all the necessary information before using the commit lda command to program the setup into hardware.
The information you enter through the set lda commands is saved to NVRAM immediately, but you must enter the commit lda command for the settings to take effect.
When you disable the ASLB feature, you can enter the set lda commands, but the commit lda command will fail.
When you enter the set lda mac router command, you can enter up to 32 MAC addresses.
Enter zero (0) to disable the udpage option. The udpagetime value is specified in milliseconds; valid values are 0 to 2024000 ms.
This example shows how to enable the ASLB feature:
Console> (enable) set lda enable
Successfully enabled Local Director Acceleration.
Console> (enable)
This example shows how to disable the ASLB feature:
Console> (enable) set lda disable
Disabling Local Director Acceleration.....
Successfully disabled Local Director Acceleration.
Console> (enable)
This example shows how to specify the virtual IP address:
Console> (enable) set lda vip 10.0.0.8 8
Successfully set server virtual ip and port information.
Use commit lda command to save settings to hardware.
Console> (enable)
This example shows how to specify the MAC address for the local director:
Console> (enable) set lda mac ld 1-2-3-4-5-6
Successfully set mac address.
Use commit lda command to save settings to hardware.
Console> (enable)
This example shows how to specify multiple router MAC addresses:
Console> (enable) set lda mac router 1-2-3-4-5-6 3-4-56-67-4-5
Successfully set mac address.
Use commit lda command to save settings to hardware.
Console> (enable)
This example shows how to specify the router VLAN:
Console> (enable) set lda router 110 4/26
Successfully set router vlan and ld port.
Use commit lda command to save settings to hardware.
Console> (enable)
This example shows how to specify the udpage aging time:
Console> (enable) set lda udpage 20
Successfully set LDA UDP aging time to 20ms.
Console> (enable)
This example shows how to specify the server VLAN:
Console> (enable) set lda server 105 4/40
Successfully set server vlan and LD port.
Use commit lda command to save settings to hardware.
Console> (enable)
Use the set length command to configure the number of lines in the terminal display screen.
set length number [default]
number | Number of lines to display on the screen (0 to 512). |
default | (Optional) Keyword to set the number of lines in the terminal display screen for the current administration session and all other sessions. This keyword is only available in privileged mode. |
The default value is 24 lines upon starting a session. When the value is changed in a session, it applies only to that session. When you use the clear config command, the number of lines in the terminal display screen is reset to the factory default of 100.
Switch command.
Privileged.
Output from a single command that overflows a single display screen is followed by the --More-- prompt. At the --More-- prompt, you can press Ctrl-C, q, or Q to interrupt the output and return to the prompt, press the Spacebar to display an additional screen of output, or press Return to display one more line of output.
Setting the screen length to 0 turns off the scrolling feature and causes the entire output to display at once. Unless the default keyword is used, a change to the terminal length value applies only to the current session.
This example shows how to set the screen length to 60 lines:
Console> (enable) set length 60
Screen length for this session set to 60.
Console> (enable)
This example shows how to set the default screen length to 40 lines:
Console> (enable) set length 40 default
Screen length set to 40.
Console> (enable)
Use the set logging console command to enable and disable the sending of system logging messages to the console.
set logging console {enable | disable}
enable | Keyword to enable system message logging to the console. |
disable | Keyword to disable system message logging to the console. |
By default, system message logging to the console is enabled.
Switch command.
Privileged.
This example shows how to enable system message logging to the console:
Console> (enable) set logging console enable
System logging messages will be sent to the console.
Console> (enable)
This example shows how to disable system message logging to the console:
Console> (enable) set logging console disable
System logging messages will not be sent to the console.
set logging level
set logging session
show logging
show logging buffer
Use the set logging history command to set the size of the syslog history table.
set logging history syslog_history_table_size
syslog_history_table_size | Size of the syslog history table; valid values are from 0 to 500. |
This command has no default setting.
Switch command.
Privileged.
This example shows how to set the size of the syslog history table to 400:
Console> (enable) set logging history 400
System logging history table size set to <400>.
Console> (enable)
Use the set logging level command to set the facility and severity level used when logging system messages.
set logging level facility severity [default]
facility | Value that specifies the type of system messages to capture; facility types are listed in Table 2-6. |
severity | Value that specifies the severity level of system messages to capture. Severity level definitions are listed in Table 2-7. |
default | (Optional) Keyword to cause the specified logging level to apply to all sessions. If default is not used, the specified logging level applies only to the current session. |
Table 2-6 Facility Types
| Facility Name | Definition |
|---|---|
| all | All facilities |
| acl | ACL facility |
| cdp | Cisco Discovery Protocol |
| dtp | Dynamic Trunking Protocol |
| drip | DRIP facility |
| earl | Enhanced Address Recognition Logic |
| fddi | FDDI facility |
| gvrp | GARP VLAN Registration Protocol |
| ip | Internet Protocol |
| kernel | Kernel |
| ld | ASLB facility |
| mcast | Multicast |
| mgmt | Management |
| mls | Multilayer Switching |
| pagp | Port Aggregation Protocol |
| protfilt | Protocol Filter |
| pruning | VTP pruning |
| privatevlan | Private VLAN facility |
| radius | Remote Authentication Dial-In User Service |
| security | Security |
| snmp | Simple Network Management Protocol |
| spantree | Spanning Tree Protocol |
| sys | System |
| tac | Terminal Access Controller |
| tcp | Transmission Control Protocol |
| telnet | Telnet (terminal emulation protocol) |
| tftp | Trivial File Transfer Protocol |
| udld | UniDirectional Link Detection |
| vtp | VLAN Trunking Protocol |
Table 2-7 Severity Levels
| Severity Level | Description |
|---|---|
| 0---emergencies | System unusable |
| 1---alerts | Immediate action required |
| 2---critical | Critical condition |
| 3---errors | Error conditions |
| 4---warnings | Warning conditions |
| 5---notifications | Normal but significant condition |
| 6---informational | Informational messages |
| 7---debugging | Debugging messages |
By default, the facility is set to all and the severity level is set to 0.
Switch command.
Privileged.
You can also set the logging level by using the set logging server command.
This example shows how to set the default facility and severity level for system message logging:
Console> (enable) set logging level snmp 2 default
System logging facility <snmp> set to severity 2(critical).
Console> (enable)
show logging
show logging buffer
clear logging buffer
clear logging server
set logging server
set logging session
Use the set logging server commands to enable and disable system message logging to configured syslog servers and to add a syslog server to the system logging server table.
set logging server {enable | disable}
set logging server ip_addr
set logging server severity severity
set logging server facility facility
enable | Keyword to enable system message logging to configured syslog servers. |
disable | Keyword to disable system message logging to configured syslog servers. |
ip_addr | IP address of the syslog server to be added to the configuration. An IP alias or a host name that can be resolved through DNS can also be used. |
severity severity | Keyword and variable to globally set the maximum syslog severity for all message types sent to the servers. Severity level definitions are listed in Table 2-7. |
facility facility | Keyword and variable to specify the syslog facility under which messages are sent to the servers. Server facility types are listed in Table 2-8. |
Table 2-8 Server Facility Types
| Server Facility | Description |
|---|---|
| local0 | Server facility local 0 |
| local1 | Server facility local 1 |
| local2 | Server facility local 2 |
| local3 | Server facility local 3 |
| local4 | Server facility local 4 |
| local5 | Server facility local 5 |
| local6 | Server facility local 6 |
| local7 | Server facility local 7 |
| syslog | Syslog facility |
The default is no syslog servers are configured to receive system messages.
Switch command.
Privileged.
You can also set the logging level by using the set logging level command. If you do not enter the facility or server keywords, the parameter is applied to all levels.
This example shows how to enable system message logging to the server:
Console> (enable) set logging server enable
System logging messages will be sent to the configured syslog servers.
Console> (enable)
This example shows how to disable system message logging to the server:
Console> (enable) set logging server disable
System logging messages will not be sent to the configured syslog servers.
Console> (enable)
This example shows how to add a server to the system logging server table using its IP address:
Console> (enable) set logging server 171.69.192.205
171.69.192.205 added to the System logging server table.
Console> (enable)
This example shows how to globally set the syslog maximum severity control for all message types:
Console> (enable) set logging server severity 4
System logging server severity set to 4(warnings).
Console> (enable)
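The following is an added example written for this page in Python; it is not CatOS code or Cisco's implementation. It models how the two severity controls described for set logging level (a per-facility threshold, with all as the fallback) and set logging server severity (a global maximum for the servers) combine to decide which messages reach the configured syslog servers, and it computes the syslog PRI value for the server facilities in Table 2-8. The message layout %FACILITY-SEVERITY-MNEMONIC:text and the local0 to local7 = 16 to 23 facility codes are assumptions taken from common syslog practice (RFC 3164), not from this page; the sample messages, mnemonics, server address and configuration values are all constructed.

```python
# Added example (Python, not CatOS code): severity filtering as described for
# set logging level / set logging server, run over constructed sample
# messages. The %FAC-SEV-MNEMONIC:text layout and the local0..local7 = 16..23
# facility codes are assumptions (RFC 3164 practice), not taken from the page.
import re

SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]
SERVER_FACILITIES = {f"local{i}": 16 + i for i in range(8)}
SERVER_FACILITIES["syslog"] = 5

_MSG = re.compile(r"%(?P<facility>[A-Z]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):(?P<text>.*)")

# Constructed sample messages; mnemonics and addresses are made up for the example.
SAMPLE_LINES = [
    "2000 Jul 24 08:59:23 %SYS-5-MOD_OK:Module 3 is online",
    "2000 Jul 24 09:00:01 %SNMP-2-AUTHFAIL:Authentication failure from 10.1.1.5",
    "2000 Jul 24 09:00:02 %SNMP-3-BADVERSION:Unsupported SNMP version",
    "2000 Jul 24 09:00:03 %SECURITY-4-LOGINFAIL:Failed login from 10.1.1.9",
    "noise that is not a system message",
]


def parse_message(line: str):
    """Return (facility, severity, mnemonic, text), or None if the line does not match."""
    m = _MSG.search(line)
    if not m:
        return None
    return m["facility"].lower(), int(m["severity"]), m["mnemonic"], m["text"].strip()


def pri(server_facility: str, severity: int) -> int:
    """syslog PRI = facility code * 8 + severity (0 = most severe)."""
    if not 0 <= severity <= 7:
        raise ValueError("severity must be 0-7")
    return SERVER_FACILITIES[server_facility] * 8 + severity


class LoggingConfig:
    """Holds the parts of the logging configuration that decide server delivery.
    Initial values here are constructed, not the switch's defaults."""

    def __init__(self):
        self.level = {"all": 7}            # set logging level facility severity
        self.server_severity = 7           # set logging server severity
        self.server_facility = "local7"    # set logging server facility
        self.servers = []                  # set logging server ip_addr

    def set_logging_level(self, facility: str, severity: int):
        if facility == "all":              # 'all' resets every per-facility level
            self.level = {"all": severity}
        else:
            self.level[facility] = severity

    def set_logging_server(self, ip_addr: str):
        self.servers.append(ip_addr)

    def set_logging_server_severity(self, severity: int):
        self.server_severity = severity

    def threshold(self, facility: str) -> int:
        return self.level.get(facility, self.level["all"])

    def forwarded(self, line: str) -> bool:
        """Would this message reach the syslog servers? Lower number = more severe."""
        parsed = parse_message(line)
        if parsed is None or not self.servers:
            return False
        facility, severity, _, _ = parsed
        return severity <= self.threshold(facility) and severity <= self.server_severity

    def to_syslog(self, line: str) -> str:
        """Prefix the message with the PRI a server would see for the configured facility."""
        _, severity, _, _ = parse_message(line)
        return f"<{pri(self.server_facility, severity)}>{line}"


def forwarded_lines(lines, cfg: LoggingConfig):
    return [line for line in lines if cfg.forwarded(line)]


def demo():
    """Apply 'set logging level all 5', 'set logging level snmp 2' and
    'set logging server severity 4' to the sample lines."""
    cfg = LoggingConfig()
    cfg.set_logging_server("171.69.192.205")
    cfg.set_logging_level("all", 5)
    cfg.set_logging_level("snmp", 2)
    cfg.set_logging_server_severity(4)
    return forwarded_lines(SAMPLE_LINES, cfg)
```

With that configuration only the SNMP-2 and SECURITY-4 messages are forwarded: the SYS-5 notification passes its facility threshold but exceeds the server maximum of 4, and SNMP-3 exceeds the snmp-specific level of 2. Setting a global server severity tighter than a per-facility level is therefore a silent way to lose messages you thought you had enabled, so check both when a server stops receiving a facility.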
clear logging server
show logging
set logging server
Posted: Mon Jul 24 08:59:23 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.