Table of Contents

2 2

set rcp username

Use the set rcp username command to specify your username for rcp file transfers.

Syntax Description

username

Username up to 14 characters long.

Defaults

There are no default settings for this command.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

The username must be different from "root" and not a null string. The only case where you cannot configure the rcp username is for the VMPS database where you will use an rcp VMPS username.

Console> (enable) set rcp username jdoe
Console> (enable) 

set rgmp

Use the set rgmp command to enable or disable the RGMP feature on the switch.

Syntax Description

enable	Keyword to enable RGMP on the switch.
disable	Keyword to disable RGMP on the switch.

Defaults

The default is RGMP is disabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

RGMP is a global command. You cannot enable or disable RGMP on a per-VLAN basis.

The RGMP feature is operational only if IGMP snooping is enabled on the switch (see the set igmp command).

Examples

This example shows how to enable RGMP on the switch:

Console> (enable) set rgmp enable
RGMP is enabled.
Console> (enable)
 

This example shows how to disable RGMP on the switch:

Console> (enable) set rgmp disable
RGMP is disabled.
Console> (enable)

Related Commands

show rgmp group
show rgmp statistics
clear rgmp statistics
set igmp

set rspan

Use the set rspan command set to create remote SPAN sessions.

Syntax Description

disable source	Keywords to disable remote SPAN source information.
rspan_vlan	(Optional) Remote SPAN VLAN.
all	(Optional) Keyword to disable all remote SPAN source or destination sessions.
disable destination	Keywords to disable remote SPAN destination information.
mod/port	(Optional) Remote SPAN destination port.
src_mod/src_ports...	Monitored ports (remote SPAN source).
vlans...	Monitored VLANs (remote SPAN source).
sc0	Keyword to specify the inband port is a valid source.
rx	(Optional) Keyword to specify that information received at the source (ingress SPAN) is monitored.
tx	(Optional) Keyword to specify that information transmitted from the source (egress SPAN) is monitored.
both	(Optional) Keyword to specify that information both transmitted from the source (ingress SPAN) and received (egress SPAN) at the source are monitored.
multicast enable	(Optional) Keywords to enable monitoring multicast traffic (egress traffic only).
multicast disable	(Optional) Keywords to disable monitoring multicast traffic (egress traffic only).
filter vlans	(Optional) Keywords to monitor traffic on selected VLANs on source trunk ports.
create	(Optional) Keyword to create a new remote SPAN session instead of overwriting the previous SPAN session.
inpkts enable	(Optional) Keywords to allow the remote SPAN destination port to receive normal ingress traffic (from the network to the bus) while forwarding the remote SPAN traffic.
inpkts disable	(Optional) Keywords to disable the receiving of normal inbound traffic on the remote SPAN destination port.
learning enable	(Optional) Keywords to enable learning for the remote SPAN destination port.
learning disable	(Optional) Keywords to disable learning for the remote SPAN destination port.

Defaults

The defaults are as follows:

• Remote SPAN is disabled.

• No VLAN filtering.

• Monitoring multicast traffic is enabled.

• Learning is enabled.

• inpkts is disabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

This command is not supported by the NAM.

The rspan_vlan variable is optional in the set rspan disable source command and required in the set rspan source and set rspan destination command set.

After you enable SPAN, system defaults are used if no parameters were ever set. If you changed parameters, these are stored in NVRAM, and the new parameters are used.

Use a network analyzer to monitor ports.

Use the inpkts keyword with the enable option to allow the remote SPAN destination port to receive normal incoming traffic in addition to the traffic mirrored from the remote SPAN source. Use the disable option to prevent the remote SPAN destination port from receiving normal incoming traffic.

You can specify an MSM port as the remote SPAN source port. However, you cannot specify an MSM port as the remote SPAN destination port.

When you enable the inpkts option, a warning message notifies you that the destination port does not join STP and may cause loops if this option is enabled.

If you do not specify the keyword create and you have only one session, the session will be overwritten. If a matching rspan_vlan or destination port exists, the particular session will be overwritten (with or without specifying create). If you specify the keyword create and there is no matching rspan_vlan or destination port, the session will be created.

Each switch can source only one remote SPAN session (ingress, egress, or both). When you configure a remote ingress or bidirectional SPAN session in a source switch, the limit for local ingress or bidirectional SPAN session is reduced to one. There are no limits on the number of remote SPAN sessions carried across the network within the remote SPAN session limits.

You can configure any VLAN as a remote SPAN VLAN as long as these conditions are met:

• The same remote SPAN VLAN is used for a remote SPAN session in the switches.

• All the participating switches have appropriate hardware and software.

• No unwanted access port is configured in the remote SPAN VLAN.

Examples

This example shows how to disable all enabled source sessions:

Console> (enable) set rspan disable source all
This command will disable all remote span source session(s).
Do you want to continue (y/n) [n]? y
Disabled monitoring of all source(s) on the switch for remote span.
Console> (enable) 
 

This example shows how to disable one source session to a specific VLAN:

Console> (enable) set rspan disable source 903
Disabled monitoring of all source(s) on the switch for rspan_vlan 903.
Console> (enable) 
 

This example shows how to disable all enabled destination sessions:

Console> (enable) set rspan disable destination all
This command will disable all remote span destination session(s).
Do you want to continue (y/n) [n]? y
Disabled monitoring of remote span traffic on ports 9/1,9/2,9/3,9/4,9/5,9/6.
Console> (enable) 
 

This example shows how to disable one destination session to a specific port:

Console> (enable) set rspan disable destination 4/1
Disabled monitoring of remote span traffic on port 4/1.
Console> (enable) 

Related Commands

show rspan

set security acl capture-ports

Use the set security acl capture-ports command to set the ports (specified with the capture option in the set security acl ip, set security acl ipx, and set security acl mac commands) to show traffic captured on these ports.

Syntax Description

mod/ports...

Module and port number.

Defaults

This command has no default setting.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

Configurations you make by entering this command are saved in NVRAM. This command does not require that you enter the commit command.

The module and port specified in this command are added to the current ports configuration list.

This command works with Ethernet ports only; you cannot set ATM ports.

The ACL capture will not work unless the capture port is in the spanning tree forwarding state for the VLAN.

Examples

This example shows how to set a port to capture traffic:

Console> (enable) set security acl capture 3/1
Successfully set 3/1 to capture ACL traffic.
Console> (enable) 
 

This example shows how to set multiple ports to capture traffic:

Console> (enable) set security acl capture 1/1-10
Successfully set the following ports to capture ACL traffic: 1/1-2.
Console> (enable) 

Related Commands

clear security acl capture-ports
show security acl capture-ports

set security acl ip

Use the set security acl ip command set to create a new entry in a standard IP VACL and append the new entry at the end of VACL.

Syntax Description

acl_name	Unique name that identifies the lists to which the entry belongs.
permit	Keyword to allow traffic from the source IP address.
deny	Keyword to block traffic from the source IP address.
src_ip_spec	Source IP address and the source mask. See the "Usage Guidelines" section for the format.
before editbuffer_index	(Optional) Keyword and variable to insert the new ACE in front of another ACE.
modify editbuffer_index	(Optional) Keyword and variable to replace an ACE with the new ACE.
redirect	Keyword to specify to which switched ports the packet is redirected.
mod_num/port_num	Number of the module and port.
protocol	Keyword or number of an IP protocol; valid numbers are from 0 to 255 representing an IP protocol number. See the "Usage Guidelines" section for the list of valid keywords.
dest_ip_spec	Destination IP address and the destination mask. See the "Usage Guidelines" section for the format.
precedence precedence	(Optional) Keyword and variable to specify the precedence level; valid values are from 0 to 7 or by name. See the "Usage Guidelines" section for a list of valid names.
tos tos	(Optional) Keyword and variable to specify the type of service level; valid values are from 0 to 15 or by name. See the "Usage Guidelines" section for a list of valid names.
capture	(Optional) Keyword to specify packets are switched normally and captured; permit must also be enabled.
ip | 0	(Optional) Keyword or number to match any Internet Protocol packets.
icmp | 1	(Optional) Keyword or number to match ICMP packets.
icmp-type	(Optional) ICMP message type name or a number; valid values are from 0 to 255. See the "Usage Guidelines" section for a list of valid names.
icmp-code	(Optional) ICMP message code name or a number; valid values are from 0 to 255. See the "Usage Guidelines" section for a list of valid names.
icmp-message	(Optional) ICMP message type name or ICMP message type and code name. See the "Usage Guidelines" section for a list of valid names.
igmp | 2	(Optional) Keyword or number to match IGMP packets.
igmp-type	(Optional) IGMP message type or message name; valid message type numbers are from 0 to 15. See the "Usage Guidelines" section for a list of valid names and corresponding numbers.
tcp | 6	(Optional) Keyword or number to match TCP packets.
operator	(Optional) Operands; valid values include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).
port	(Optional) Number or name of a TCP or UDP port; valid port numbers are from 0 to 65535. See the "Usage Guidelines" section for a list of valid names.
established	(Optional) Keyword to specify an established connection; used only for TCP protocol.
udp | 17	(Optional) Keyword or number to match UDP packets.

Defaults

There are no default ACLs and no default ACL-VLAN mappings.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

Configurations you make by entering this command are saved to NVRAM and hardware only after you enter the commit command. Enter ACEs in batches and then enter the commit command to save them in NVRAM and in the hardware.

If you use the redirect keyword, the destination must be 255.255.255.255.

If you use the capture keyword, the ports that capture the traffic and transmit out are specified by entering the set security acl capture-ports command.

When you enter the ACL name, follow these naming conventions:

• Maximum of 32 characters long and may include a-z, A-Z, 0-9, the dash character (-), the underscore character (_), and the period character (.)

• Must start with an alpha character and must be unique across all ACLs of all types

• Case sensitive

• Cannot be a number

• Must not be a keyword; keywords to avoid are all, default-action, map, help, and editbuffer

When you specify the source IP address and the source mask, use the form source_ip_address source_mask and follow these guidelines:

• The source_mask is required; 0 indicates a care bit, 1 indicates a don't-care bit.

• Use a 32-bit quantity in four-part dotted-decimal format.

• Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

• Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

When you enter a destination IP address and the destination mask, use the form destination_ip_address destination_mask. The destination mask is required.

• Use a 32-bit quantity in a four-part dotted-decimal format.

• Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

• Use host/source as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

Valid names for precedence are critical, flash, flash-override, immediate, internet, network, priority, and routine.

Valid names for tos are max-reliability, max-throughput, min-delay, min-monetary-cost, and normal.

Valid protocol keywords include icmp (1), igmp (2), ip (0), ipinip (4), tcp (6), udp (17), igrp (9), eigrp (88), gre (47), nos (94), ospf (89), ahp (51), esp (50), pcp (108), and pim (103). The IP number is displayed in parentheses. Use the keyword ip to match any Internet Protocol.

ICMP packets that are matched by ICMP message type can also be matched by the ICMP message code.

Valid names for icmp_type and icmp_code are administratively-prohibited, alternate-address, conversion-error, dod-host-prohibited, dod-net-prohibited, echo, echo-reply, general-parameter-problem, host-isolated, host-precedence-unreachable, host-redirect, host-tos-redirect, host-tos-unreachable, host-unknown, host-unreachable, information-reply, information-request, mask-reply, mask-request, mobile-redirect, net-redirect, net-tos-redirect, net-tos-unreachable, net-unreachable, network-unknown, no-room-for-option, option-missing, packet-too-big, parameter-problem, port-unreachable, precedence-unreachable, protocol-unreachable, reassembly-timeout, redirect, router-advertisement, router-solicitation, source-quench, source-route-failed, time-exceeded, timestamp-reply, timestamp-request, traceroute, ttl-exceeded, and unreachable.

Valid names and corresponding numbers for igmp_message are dvmrp (3), host-query (1), host-report (2), pim (4), and trace (5).

If the operator is positioned after the source and source-wildcard, it must match the source port. If the operator is positioned after the destination and destination-wildcard, it must match the destination port. The range operator requires two port numbers. All other operators require one port number.

TCP port names can be used only when filtering TCP. Valid names for TCP ports are bgp, chargen, daytime, discard, domain, echo, finger, ftp, ftp-data, gopher, hostname, irc, klogin, kshell, lpd, nntp, pop2, pop3, smtp, sunrpc, syslog, tacacs-ds, talk, telnet, time, uucp, whois, and www.

UDP port names can be used only when filtering UDP. Valid names for UDP ports are biff, bootpc, bootps, discard, dns, dnsix, echo, mobile-ip, nameserver, netbios-dgm, netbios-ns, ntp, rip, snmp, snmptrap, sunrpc, syslog, tacacs-ds, talk, tftp, time, who, and xdmcp.

The number listed with the protocol type is the layer protocol number (for example, udp | 17).

If no layer protocol number is entered, you can enter the following syntax:

If a Layer 4 protocol is specified, you can enter the following syntax:

For IP, you can enter the following syntax:

For ICMP, you can enter the following syntax:

For IGMP, you can use the following syntax:

For TCP, you can use the following syntax:

For UDP, you can use the following syntax:

Examples

These examples show different ways to use the set security acl ip commands to configure IP security ACL:

Console> (enable) set security acl ip IPACL1 deny 1.2.3.4 0.0.0.0
IPACL1 editbuffer modified.  Use `commit' command to apply changes.
Console> (enable) 
 
Console> (enable) set security acl ip IPACL1 deny host 171.3.8.2 before 2 
IPACL1 editbuffer modified. Use `commit' command to apply changes.
Console> (enable)
 
Console> (enable) set security acl ip IPACL1 permit any any
IPACL1 editbuffer modified. Use `commit' command to apply changes.
Console> (enable) 
 
Console> (enable) set security acl ip IPACL1 redirect 3/1 ip 3.7.1.2 0.0.0.255 host 255.255.255.255 precedence 1 tos min-delay
IPACL1 editbuffer modified. Use `commit' command to apply changes.
Console> (enable) 
 
Console> (enable) set security acl ip IPACL1 permit ip host 60.1.1.1 host 60.1.1.98 capture 
IPACL1 editbuffer modified. Use 'commit' command to apply changes.

Related Commands

clear security acl
clear security acl capture-ports
clear security acl map
commit
show security acl
show security acl capture-ports
set security acl map
set security acl capture-ports

set security acl ipx

Use the set security acl ipx command to create a new entry in a standard IPX VACL and to append the new entry at the end of the VACL.

Syntax Description

acl_name	Unique name that identifies the list to which the entry belongs.
permit	Keyword to allow traffic from the specified source IPX address.
deny	Keyword to block traffic from the specified source IPX address.
redirect	Keyword to redirect traffic from the specified source IPX address.
mod_num/port_num	Number of the module and port.
protocol	Keyword or number of an IPX protocol; valid values are from 0 to 255 representing an IPX protocol number. See the "Usage Guidelines" section for a list of valid keywords amd corresponding numbers.
src_net	Number of the network from which the packet is being sent. See the "Usage Guidelines" section for format guidelines.
dest_net.	(Optional) Number of the network from which the packet is being sent.
.dest_node	(Optional) Node on destination-network to which the packet is being sent.
dest_net_mask.	(Optional) Mask to be applied to the destination network. See the "Usage Guidelines" section for format guidelines.
dest_node_mask	(Optional) Mask to be applied to the destination-node. See the "Usage Guidelines" section for format guidelines.
capture	(Optional) Keyword to specify packets are switched normally and captured.
before editbuffer_index	(Optional) Keyword and variable to insert the new ACE in front of another ACE.
modify editbuffer_index	(Optional) Keyword and variable to replace an ACE with the new ACE.

Defaults

There are no default ACLs and no default ACL-VLAN mappings.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

Configurations you make by entering this command are saved to NVRAM and hardware only after you enter the commit command. Enter ACEs in batches and then enter the commit command to save all of them in NVRAM and in the hardware.

If you use the capture keyword, the ports that capture the traffic and transmit out are specified by entering the set security acl capture-ports command.

When you enter the ACL name, follow these naming conventions:

• Maximum of 32 characters long and may include a-z, A-Z, 0-9, the dash character (-), the underscore character (_), and the period character (.)

• Must start with an alpha character and must be unique across all ACLs of all types

• Case sensitive

• Cannot be a number

• Must not be a keyword; keywords to avoid are all, default-action, map, help, and editbuffer

Valid protocol keywords include ncp (17), netbios (20), rip (1), sap (4), and spx (5).

The src_net and dest_net variables are eight-digit hexadecimal numbers that uniquely identify network cable segments. When you specify the src_net or dest_net, use the following guidelines:

• It can be a number in the range 0 to FFFFFFFF. A network number of -1 or any matches all networks.

• You do not need to specify leading zeros in the network number. For example, for the network number 000000AA, you can enter AA.

The .dest_node is a 48-bit value represented by a dotted triplet of 4-digit hexadecimal numbers (xxxx.xxxx.xxxx).

The dest_net_mask is an eight-digit hexadecimal mask. Place ones in the bit positions you want to mask. The mask must be immediately followed by a period, which must in turn be immediately followed by the destination-node-mask. You can enter this value only when dest_node is specified.

The dest_node_mask is a 48-bit value represented as a dotted triplet of 4-digit hexadecimal numbers (xxxx.xxxx.xxxx). Place ones in the bit positions you want to mask. You can enter this value only when dest_node is specified.

The dest_net_mask is an eight-digit hexadecimal number that uniquely identifies the network cable segment. It can be a number in the range 0 to FFFFFFFF. A network number of -1 or any matches all networks. You do not need to specify leading zeros in the network number. For example, for the network number 000000AA, you can enter AA. Following are dest_net_mask examples:

• 123A

• 123A.1.2.3

• 123A.1.2.3 ffff.ffff.ffff

• 1.2.3.4 ffff.ffff.ffff.ffff

Use the show security acl command to display the list.

Examples

This example shows how to block traffic from a specified source IP address:

Console> (enable) set security acl ipx IPXACL1 deny 1.a
IPXACL1 editbuffer modified. Use `commit' command to apply changes.
Console> (enable)

Related Commands

clear security acl
clear security acl capture-ports
clear security acl map
commit
show security acl
show security acl capture-ports
set security acl map
set security acl capture-ports

set security acl mac

Use the set security acl mac command to create a new entry in a non-IP or non-IPX protocol VACL and to append the new entry at the end of the VACL.

Syntax Description

acl_name	Unique name that identifies the list to which the entry belongs.
permit	Keyword to allow traffic from the specified source MAC address.
deny	Keyword to block traffic from the specified source MAC address.
src_mac_addr_spec	Source MAC address and mask in the form source_mac_address source_mac_address_mask.
dest_mac_addr_spec	Destination MAC address and mask.
ether-type	(Optional) Number or name that matches the ethertype for Ethernet-encapsulated packets; valid values are 0x0600, 0x0601, 0x0BAD, 0x0BAF, 0x6000-0x6009, 0x8038-0x8042, 0x809b, and 0x80f3. See the "Usage Guidelines" section for a list of valid names.
capture	(Optional) Keyword to specify packets are switched normally and captured.
before editbuffer_index	(Optional) Keyword and variable to insert the new ACE in front of another ACE.
modify editbuffer_index	(Optional) Keyword and variable to replace an ACE with the new ACE.

Defaults

There are no default ACLs and no default ACL-VLAN mappings.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

Configurations you make by entering this command are saved to NVRAM and hardware only after you enter the commit command. Enter ACEs in batches and then enter the commit command to save all of them in NVRAM and in the hardware.

If you use the capture keyword, the ports that capture the traffic and transmit out are specified by entering the set security acl capture-ports command.

When you enter the ACL name, follow these naming conventions:

• Maximum of 32 characters long and may include a-z, A-Z, 0-9, the dash character (-), the underscore character (_), and the period character (.)

• Must start with an alpha character and must be unique across all ACLs of all types

• Case sensitive

• Cannot be a number

• Must not be a keyword; keywords to avoid are all, default-action, map, help, and editbuffer

The src_mac_addr_spec is a 48-bit source MAC address and mask and entered in the form of source_mac_address source_mac_address_mask (for example, 08-11-22-33-44-55 ff-ff-ff-ff-ff-ff). Place ones in the bit positions you want to mask. When you specify the src_mac_addr_spec, follow these guidelines:

• The source_mask is required; 0 indicates a care bit, 1 indicates a don't care bit.

• Use a 32-bit quantity in four-part dotted-decimal format.

• Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

• Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

The dest_mac_spec is a 48-bit destination MAC address and mask and entered in the form of dest_mac_address dest_mac_address_mask (for example, 08-00-00-00-02-00/ff-ff-ff-00-00-00). Place ones in the bit positions you want to mask. The destination mask is mandatory. When you specify the dest_mac_spec, use the following guidelines:

• Use a 48-bit quantity in 6-part dotted-hexadecimal format for source address and mask.

• Use the keyword any as an abbreviation for a source and source-wildcard of 0-0-0-0-0-0-0 ff-ff-ff-ff-ff-ff.

• Use host source as an abbreviation for a destination and destination-wildcard of destination 0-0-0-0-0-0.

Valid names for Ethertypes (and corresponding numbers) are Ethertalk (0x809B), AARP (0x8053), dec-mop-dump (0x6001), dec-mop-remote-console (0x6002), dec-phase-iv (0x6003), dec-lat (0x6004), dec-diagnostic-protocol (0x6005), dec-lavc-sca (0x6007), dec-amber (0x6008), dec-mumps (0x6009), dec-lanbridge (0x8038), dec-dsm (0x8039), dec-netbios (0x8040), dec-msdos (0x8041), banyan-vines-echo (0x0baf), xerox-ns-idp (0x0600), and xerox-address-translation (0x0601).

Use the show security acl command to display the list.

Examples

This example shows how to block traffic to an IP address:

Console> (enable) set security acl mac MACACL1 deny 01-02-02-03-04-05
MACACL1 editbuffer modified. User `commit' command to apply changes.
Console> (enable)

Related Commands

clear security acl
clear security acl capture-ports
clear security acl map
commit
show security acl
show security acl capture-ports
set security acl map
set security acl capture-ports

set security acl map

Use the set security acl map command to map an existing VACL to a VLAN.

Syntax Description

acl_name	Unique name that identifies the list to which the entry belongs.
vlan	Number of the VLAN to be mapped to the VACL.

Defaults

There are no default ACLs and no default ACL-VLAN mappings.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

Configurations you make by entering this command are saved in NVRAM. This command does not require that you enter the commit command. Each VLAN can be mapped to only one ACL of each type (IP, IPX, and MAC). An ACL can be mapped to a VLAN only after you have committed the ACL.

When you enter the ACL name, follow these naming conventions:

• Maximum of 32 characters long and may include a-z, A-Z, 0-9, the dash character (-), the underscore character (_), and the period character (.)

• Must start with an alpha character and must be unique across all ACLs of all types

• Case sensitive

• Cannot be a number

• Must not be a keyword; keywords to avoid are all, default-action, map, help, and editbuffer

---

Caution Use the copy command to save the ACL configuration to Flash memory.

---

Examples

This example shows how to map an existing VACL to a VLAN:

Console> (enable) set security acl map IPACL1 1
ACL IPACL1 mapped to vlan 1
Console> (enable)
 

This example shows the output if you try to map an ACL that has not been committed:

Console> (enable) set security acl map IPACL1 1
Commit ACL IPACL1 before mapping.
Console> (enable)
 

This example shows the output if you try to map an ACL that is already mapped to a VLAN for the ACL type (IP, IPX, or MAC):

Console> (enable) set security acl map IPACL2 1
Mapping for this type already exists for this VLAN.
Console> (enable)

Related Commands

clear security acl
clear security acl map
commit
show security acl

set snmp access

Use the set snmp access command set to define the access rights of an SNMP group with a specific security model in different security levels.

Syntax Description

-hex	(Optional) Keyword to display the groupname, readview, writeview, and notifyview in a hexadecimal format.
groupname	Name of the SNMP group.
security-model v1 | v2c	Keywords to specify security-model v1 or v2c.
read readview	(Optional) Keyword and variable to specify the name of the view that allows you to see the MIB objects.
write writeview	(Optional) Keyword and variable to specify the name of the view that allows you to configure the contents of the agent.
notify notifyview	(Optional) Keyword and variable to specify the name of the view that allows you to send a trap about MIB objects.
v3	Keyword to specify security model v3.
noauthentication	Keyword to specify security model is not set to use authentication protocol.
authentication	Keyword to specify the type of authentication protocol.
privacy	Keyword to specify that the messages sent on behalf of the user are protected from disclosure.
volatile	(Optional) Keyword to specify that the storage type is defined as temporary memory and the content is deleted if the device is turned off.
nonvolatile	(Optional) Keyword to specify that the storage type is defined as persistent memory and the content remains after the device is turned off and on again.

Defaults

The defaults are as follows:

• storage type is nonvolatile.

• read readview is Internet OID space.

• write writeview is NULL OID.

• notify notifyview is NULL OID.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

If you use special characters for groupname, readview, writeview, and notifyview (nonprintable delimiters for these parameters), you must use a hexadecimal keyword, which is one or two hexadecimal digits separated by a colon (:); for example, 00:ab:34.

readview is assumed to be every object belonging to the Internet (1.3.6.1) OID space; you can use the read option to override this state.

For writeview, you must also configure write access.

For notifyview, if a view is specified, any notifications in that view are sent to all users associated with the group (an SNMP server host configuration must exist for the user).

Examples

This example shows how to set the SNMP access rights for a group:

Console> (enable) set snmp access cisco-group security-model v3 authentication
SNMP access group was set to cisco-group version v3 level authentication, readview internet, nonvolatile.
Console> (enable) 

Related Commands

clear snmp access
show snmp access

set snmp community

Use the set snmp community command to set SNMP communities and associated access types.

Syntax Description

read-only	Keyword to assign read-only access to the specified SNMP community.
read-write	Keyword to assign read-write access to the specified SNMP community.
read-write-all	Keyword to assign read-write access to the specified SNMP community.
community_string	(Optional) Name of the SNMP community.

Defaults

The default is the following communities and access types are defined:

• public—read-only

• private—read-write

• secret—read-write-all

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

This command is not supported by the NAM.

There are three configurable SNMP communities, one for each access type. If you do not specify the community string, the community string configured for that access type is cleared.

To support the access types, you also need to configure four MIB tables: vacmContextTable, vacmSecurityToGroupTable, vacmAccessTable, and vacmViewTreeFamilyTable. Use the clear config snmp command to reset these tables to the default values.

Examples

This example shows how to set read-write access to the SNMP community called yappledapple:

Console> (enable) set snmp community read-write yappledapple
SNMP read-write community string set to yappledapple.
Console> (enable)
 

This example shows how to clear the community string defined for read-only access:

Console> (enable) set snmp community read-only
SNMP read-only community string cleared.
Console> (enable)

Related Commands

clear config
show snmp

set snmp extendedrmon netflow

Console> (enable) set snmp extendedrmon netflow enable 2
Snmp extended RMON netflow enabled
Console> (enable) 
 

Console> (enable) set snmp extendedrmon netflow disable 2
Snmp extended RMON netflow disabled
Console> (enable) 
 

Console> (enable) set snmp extendedrmon enable 4 
NAM card is not installed.
Console> (enable) 

set snmp rmon
show snmp

set snmp group

Use the set snmp group command to establish the relationship between an SNMP group and a user with a specific security model.

Syntax Description

-hex	(Optional) Keyword to display the groupname and username in a hexadecimal format.
groupname	Name of the SNMP group that defines an access control; the maximum length is 32 bytes.
user	Keyword to specify the SNMP group user name.
username	Name of the SNMP user that belongs to the SNMP group; the maximum length is 32 bytes.
security-model v1 | v2c | v3	Keywords to specify security-model v1, v2c, or v3.
volatile	(Optional) Keyword to specify that the storage type is defined as temporary memory and the content is deleted if the device is turned off.
nonvolatile	(Optional) Keyword to specify that the storage type is defined as persistent memory and the content remains after the device is turned off and on again.

Defaults

This command has no default settings.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

If you use special characters for groupname or username (nonprintable delimiters for these parameters), you must use a hexadecimal keyword, which is one or two hexadecimal digits separated by a colon (:); for example, 00:ab:34.

Examples

This example shows how to set the SNMP group:

Console> (enable) set snmp group cisco-group user joe security-model v3
SNMP group was set to cisco-group user joe and version v3,nonvolatile.
Console> (enable)

Related Commands

clear snmp group
show snmp group

set snmp notify

Use the set snmp notify command to set the notifyname entry in the snmpNotifyTable and the notifytag entry in the snmpTargetAddrTable.

Syntax Description

-hex	(Optional) Keyword to display the notifyname and notifytag in a hexadecimal format.
notifyname	Identifier to index the snmpNotifyTable.
tag	Keyword to specify the tag name in the taglist.
notifytag	Name of entries in the snmpTargetAddrTable.
trap	(Optional) Keyword to specify all messages that contain snmpv2-Trap PDUs.
inform	(Optional) Keyword to specify all messages that contain InfoRequest PDUs.
volatile	(Optional) Keyword to specify that the storage type is defined as temporary memory and the content is deleted if the device is turned off.
nonvolatile	(Optional) Keyword to specify that the storage type is defined as persistent memory and the content remains after the device is turned off and on again.

Defaults

The defaults are as follows:

• storage type is volatile.

• notify type is trap.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

If you use special characters for the notifyname and notifytag (nonprintable delimiters for these parameters), you must use a hexadecimal keyword, which is one or two hexadecimal digits separated by a colon (:); for example, 00:ab:34.

Examples

This example shows how to set the SNMP notify for a specific notifyname:

Console> (enable) set snmp notify hello tag world inform
SNMP notify name was set to hello with tag world notifyType inform, and storageType nonvolatile.
Console> (enable)

Related Commands

clear snmp notify
show snmp notify

set snmp rmon

Use the set snmp rmon command to enable or disable SNMP RMON support.

Syntax Description

enable	Keyword to activate SNMP RMON support.
disable	Keyword to deactivate SNMP RMON support.

Defaults

The default is RMON support is disabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

This command is not supported by the NAM.

Console> (enable) set snmp rmon enable
SNMP RMON support enabled.
Console> (enable)
 

Console> (enable) set snmp rmon disable
SNMP RMON support disabled.
Console> (enable)

show port counters

set snmp targetaddr

Use the set snmp targetaddr command to configure the SNMP target address entries in the snmpTargetAddressTable.

Syntax Description

-hex	(Optional) Keyword to display addrname, paramsname, tagvalue, and tag in a hexadecimal format.
addrname	Unique identifier to index the snmpTargetAddrTable; the maximum length is 32 bytes.
param	Keyword to specify an entry in the snmpTargetParamsTable that provides parameters to be used when generating a message to the target; the maximum length is 32 bytes.
paramsname	Entry in the snmpTargetParamsTable; the maximum length is 32 bytes.
ipaddr	IP address of the target.
udpport port	(Optional) Keyword and variable to specify which UDP port of the target host to use.
timeout value	(Optional) Keyword and variable to specify the number of timeouts.
retries value	(Optional) Keyword and variable to specify the number of retries.
volatile	(Optional) Keyword to specify that the storage type is defined as temporary memory and the content is deleted if the device is turned off.
nonvolatile	(Optional) Keyword to specify that the storage type is defined as persistent memory and the content remains after the device is turned off and on again.
taglist tag	(Optional) Keyword and variable to specify a tag name in the taglist.
tag tagvalue	(Optional) Keyword and variable to specify the tag name.

Defaults

The defaults are as follows:

• storage type is nonvolatile.

• udpport is 162.

• timeout is 1500.

• retries is 3.

• taglist is NULL.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

If you use special characters for the addrname, paramsname, tag, and tagvalue (nonprintable delimiters for these parameters), you must use a hexadecimal keyword, which is one or two hexadecimal digits separated by a colon (:); for example, 00:ab:34.

The maximum tagvalue and taglist length is 255 bytes.

Examples

This example shows how to set the target address in the snmpTargetAddressTable:

Console> (enable) set snmp targetaddr foo param bar 10.1.2.4 udp 160 timeout 10 retries 3 taglist tag1 tag2 tag3
SNMP targetaddr name was set to foo with param bar ipAddr 10.1.2.4, udpport 160, timeout 10, retries 3, storageType nonvolatile with taglist tag1 tag2 tag3.
Console> (enable)

Related Commands

clear snmp targetaddr
show snmp targetaddr

set snmp targetparams

Use the set snmp targetparams command set to configure the SNMP parameters used in the snmpTargetParamsTable when generating a message to a target.

Syntax Description

-hex	(Optional) Keyword to display the paramsname and username in a hexadecimal format.
paramsname	Name of the parameter in the snmpTargetParamsTable; the maximum length is 32 bytes.
user	Keyword to specify the SNMP group username.
username	Name of the SNMP user that belongs to the SNMP group; the maximum length is 32 bytes.
security-model v1 | v2c	Keywords to specify security-model v1 or v2c.
message-processing v1 | v2c | v3	Keywords to specify the version number used by the message processing model.
security-model v3	Keyword to specify security-model v3.
message-processing v3	Keywords to specify v3 is used by the message-processing model.
noauthentication	Keyword to specify security model is not set to use authentication protocol.
authentication	Keyword to specify the type of authentication protocol.
privacy	Keyword to specify the messages sent on behalf of the user are protected from disclosure.
volatile	(Optional) Keyword to specify that the storage type is defined as temporary memory and the content is deleted if the device is turned off.
nonvolatile	(Optional) Keyword to specify that the storage type is defined as persistent memory and the content remains after the device is turned off and on again.

Defaults

The default storage type is volatile.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

If you use special characters for the paramsname and username (nonprintable delimiters for these parameters), you must use a hexadecimal keyword, which is one or two hexadecimal digits separated by a colon (:); for example, 00:ab:34.

Examples

This example shows how to set target parameters in the snmpTargetParamsTable:

Console> (enable) set snmp targetparams bar user joe security-model v3 message-processing v3 authentication
SNMP target params was set to bar v3 authentication, message-processing v3, user joe nonvolatile.
Console> (enable)

Related Commands

clear snmp targetparams
show snmp targetparams

set snmp trap

Use the set snmp trap command set to enable or disable the different SNMP traps on the system or to add an entry into the SNMP authentication trap receiver table.

Usage Guidelines

This command is not supported by the NAM.

Use the show snmp command to verify the appropriate traps were configured.

To use this command, you must configure all notification tables: snmpTargetAddrTable, snmpTargetParamsTable, and snmpNotifyTable.

Use the all option to enable or disable all ports.

Use the set port trap command to enable or disable a single port or a range of ports.

Examples

This example shows how to enable SNMP chassis traps:

Console> (enable) set snmp trap enable chassis
SNMP chassis alarm traps enabled.
Console> (enable) 
 

This example shows how to enable all traps:

Console> (enable) set snmp trap enable
All SNMP traps enabled.
Console> (enable) 
 

This example shows how to disable SNMP chassis traps:

Console> (enable) set snmp trap disable chassis
SNMP chassis alarm traps disabled.
Console> (enable) 
 

This example shows how to add an entry in the SNMP trap receiver table:

Console> (enable) set snmp trap 192.122.173.42 public
SNMP trap receiver added.
Console> (enable) 

Related Commands

show snmp
test snmp trap
clear snmp trap
set port trap

set snmp user

Use the set snmp user command to configure a new SNMP user.

Syntax Description

-hex	(Optional) Keyword to display username in a hexadecimal format.
username	Name of the SNMP user.
remote engineid	Keyword and variable to specify the remote SNMP engine ID.
authentication	(Optional) Keyword to specify the authentication protocol.
md5	Keyword to specify HMAC-MD5-96 authentication protocol.
sha	Keyword to specify HMAC-SHA-96 authentication protocol.
authpassword	Password for authentication.
privacy privpassword	(Optional) Keyword and variable to enable the host to encrypt the contents of the message sent to or from the agent; the maximum length is 32 bytes.
volatile	(Optional) Keyword to specify that the storage type is defined as temporary memory and the content is deleted if the device is turned off.
nonvolatile	(Optional) Keyword to specify that the storage type is defined as persistent memory and the content remains after the device is turned off and on again.

Defaults

The default storage type is volatile. If you do not specify authentication, the security level default will be noauthentication. If you do not specify privacy, the default will be no privacy.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

If you use special characters for username (nonprintable delimiters for this parameter), you must use a hexadecimal keyword, which is one or two hexadecimal digits separated by a colon (:); for example, 00:ab:34.

authpassword and privpassword must be hexadecimal characters without delimiters in between.

Examples

This example shows how to set a specific username:

Console> (enable) set snmp user joe
Snmp user was set to joe authProt no-auth  privProt no-priv with engineid 00:00.
Console> (enable)
 

This example shows how to set a specific username, authentication, and authpassword:

Console> (enable) set snmp user John authentication md5 arizona2
Snmp user was set to John authProt md5 authPasswd arizona2. privProt no-priv wi.
Console> (enable)

Related Commands

clear snmp user
show snmp user

set snmp view

Use the set snmp view command to configure the SNMP MIB view.

Syntax Description

-hex	(Optional) Keyword to display the viewname in a hexadecimal format.
viewname	Name of a MIB view.
subtree	MIB subtree.
mask	(Optional) Keyword to specify that the bit mask is used with the subtree. A bit mask can be all ones, all zeros, or any combination; the maximum length is 3 bytes.
included | excluded	(Optional) Keywords to specify that the MIB subtree is included or excluded.
volatile	(Optional) Keyword to specify that the storage type is defined as temporary memory and the content is deleted if the device is turned off.
nonvolatile	(Optional) Keyword to specify that the storage type is defined as persistent memory and the content remains after the device is turned off and on again.

Defaults

The defaults are as follows:

• storage type is volatile.

• bit mask is NULL.

• MIB subtree is included.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

If you use special characters for viewname (nonprintable delimiters for this parameter), you must use a hexadecimal keyword, which is one or two hexadecimal digits separated by a colon (:); for example, 00:ab:34.

A MIB subtree with a mask defines a view subtree. The MIB subtree can be in OID format or a text name mapped to a valid OID.

Examples

This example shows how to assign a subtree to the view public:

Console> (enable) set snmp view public 1.3.6.1 included
Snmp view name was set to public with subtree 1.3.6.1 included, nonvolatile.
Control> (enable)
 

This example shows the response when the subtree is incorrect:

Console> (enable) set snmp view stats statistics excluded
Statistics is not a valid subtree OID
Control> (enable)

Related Commands

clear snmp view
show snmp view

set span

Use the set span command set to configure and display SPAN.

Syntax Description

disable	Keyword to disable SPAN.
dest_mod	(Optional) Monitoring module (SPAN destination).
dest_port	(Optional) Monitoring port (SPAN destination).
all	(Optional) Keyword to disable all SPAN sessions.
src_mod	Monitored module (SPAN source).
src_ports	Monitored ports (SPAN source).
src_vlans	Monitored VLANs (SPAN source).
sc0	Keyword to specify the inband port is a valid source.
rx	(Optional) Keyword to specify that information received at the source (ingress SPAN) is monitored.
tx	(Optional) Keyword to specify that information transmitted from the source (egress SPAN) is monitored.
both	(Optional) Keyword to specify that information both transmitted from the source (ingress SPAN) and received (egress SPAN) at the source are monitored.
inpkts enable	(Optional) Keywords to enable the receiving of normal inbound traffic on the SPAN destination port.
inpkts disable	(Optional) Keywords to disable the receiving of normal inbound traffic on the SPAN destination port.
learning enable	(Optional) Keywords to enable learning for the SPAN destination port.
learning disable	(Optional) Keywords to disable learning for the SPAN destination port.
multicast enable	(Optional) Keywords to enable monitoring multicast traffic (egress traffic only).
multicast disable	(Optional) Keywords to disable monitoring multicast traffic (egress traffic only).
filter vlans	(Optional) Keyword and variable to monitor traffic on selected VLANs on source trunk ports.
create	(Optional) Keyword to create a SPAN port.

Defaults

The default is SPAN is disabled, no VLAN filtering is enabled, multicast is enabled, input packets are disabled, and learning is enabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

After you enable SPAN, system defaults are used if no parameters were ever set. If you changed parameters, the old parameters are stored in NVRAM, and the new parameters are used.

Use a network analyzer to monitor ports.

If you specify multiple SPAN source ports, the ports can belong to different VLANs.

A maximum of two rx or both SPAN sessions and four tx SPAN sessions can exist simultaneously. If you use a remote SPAN station, the maximum number of rx or both SPAN sessions is one.

Use the inpkts keyword with the enable option to allow the SPAN destination port to receive normal incoming traffic in addition to the traffic mirrored from the SPAN source. Use the disable option to prevent the SPAN destination port from receiving normal incoming traffic.

You can specify an MSM port as the SPAN source port. However, you cannot specify an MSM port as the SPAN destination port.

When you enable the inpkts option, a warning message notifies you that the destination port does not join STP and may cause loops if this option is enabled.

When you configure multiple SPAN sessions, the destination module number/port number must be known to index the particular SPAN session.

If you do not specify the keyword create and you have only one session, the session will be overwritten. If a matching destination port exists, the particular session will be overwritten (with or without specifying create). If you specify the keyword create and there is no matching destination port, the session will be created.

Examples

This example shows how to configure SPAN so that both transmit and receive traffic from port 1/1 (the SPAN source) is mirrored on port 2/1 (the SPAN destination):

Console> (enable) set span 1/1 2/1
Enabled monitoring of Port 1/1 transmit/receive traffic by Port 2/1
Console> (enable)
 

This example shows how to set VLAN 522 as the SPAN source and port 2/1 as the SPAN destination:

Console> (enable) set span 522 2/1
Enabled monitoring of VLAN 522 transmit/receive traffic by Port 2/1
Console> (enable) 
 

This example shows how to set VLAN 522 as the SPAN source and port 3/12 as the SPAN destination. Only transmit traffic is monitored. Normal incoming packets on the SPAN destination port are allowed.

Console> (enable) set span 522 2/12 tx inpkts enable
SPAN destination port incoming packets enabled.
Enabled monitoring of VLAN 522 transmit traffic by Port 2/12
Console> (enable) 
 

This example shows how to set port 3/2 as the SPAN source and port 2/2 as the SPAN destination:

Console> (enable) set span 3/2 2/2 tx create
Enabled monitoring of port 3/2 transmit traffic by Port 2/1
Console> (enable)
 

This example shows what happens if you try to enter the set span disable command (without the destination module number/port number defined) and multiple SPAN sessions are defined:

Console> (enable) set span disable
Multiple active span sessions. Please specify span destination to disable.
Console> (enable) 

Related Commands

clear config
show span

set spantree backbonefast

Use the set spantree backbonefast command to enable or disable the spanning tree Backbone Fast Convergence feature.

Syntax Description

enable	Keyword to enable Backbone Fast Convergence.
disable	Keyword to disable Backbone Fast Convergence.

Defaults

The default is Backbone Fast Convergence is disabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

This command is not supported by the NAM.

For Backbone Fast Convergence to work, you must enable it on all switches in the network.

Examples

This example shows how to enable Backbone Fast Convergence:

Console> (enable) set spantree backbonefast enable
Backbonefast enabled for all VLANs.
Console> (enable) 

Related Commands

show spantree

set spantree disable

Use the set spantree disable command to disable the spanning tree algorithm for all VLANs or a specific VLAN.

Syntax Description

vlan	(Optional) Number of the VLAN.
all	(Optional) Keyword to specify all VLANs.

Defaults

The default is spanning tree is enabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

This command is not supported by the NAM.

Examples

This example shows how to disable the spanning tree algorithm for VLAN 1:

Console> (enable) set spantree disable 1
VLAN 1 bridge spanning tree disabled.
Console> (enable) 

Related Commands

set spantree enable
show spantree

set spantree enable

Use the set spantree enable command to enable the spanning tree algorithm for all VLANs or a specific VLAN.

Syntax Description

vlan	(Optional) Number of the VLAN.
all	(Optional) Keyword to specify all VLANs.

Defaults

The default is spanning tree is enabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

This command is not supported by the NAM.

Examples

This example shows how to activate the spanning tree algorithm for VLAN 1:

Console> (enable) set spantree enable 1
VLAN 1 bridge spanning tree enabled.
Console> (enable) 

Related Commands

set spantree disable
show spantree

set spantree fwddelay

Use the set spantree fwddelay command to set the bridge forward delay for a VLAN.

Syntax Description

delay	Number of seconds for the bridge forward delay; valid values are from 4 to 30 seconds.
vlan	(Optional) Number of the VLAN.

Defaults

The default is the bridge forward delay is set to 15 seconds for all VLANs.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

If you do not specify a VLAN number, VLAN 1 is assumed.

Usage Guidelines

This command is not supported by the NAM.

Examples

This example shows how to set the bridge forward delay for VLAN 100 to 16 seconds:

Console> (enable) set spantree fwddelay 16 100
Spantree 100 forward delay set to 16 seconds.
Console> (enable)

Related Commands

show spantree

set spantree hello

Use the set spantree hello command to set the bridge hello time for a VLAN.

Syntax Description

interval	Number of seconds the system waits before sending a bridge hello message (a multicast message indicating that the system is active); valid values are from 1 to 10 seconds.
vlan	(Optional) Number of the VLAN.

Defaults

The default is the bridge hello time is set to 2 seconds for all VLANs.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

If you do not specify a VLAN number, VLAN 1 is assumed.

Usage Guidelines

This command is not supported by the NAM.

Examples

This example shows how to set the spantree hello time for VLAN 100 to 3 seconds:

Console> (enable) set spantree hello 3 100
Spantree 100 hello time set to 3 seconds.
Console> (enable)

Related Commands

show spantree

set spantree maxage

Use the set spantree maxage command to set the bridge maximum aging time for a VLAN.

Syntax Description

agingtime	Maximum number of seconds that the system retains the information received from other bridges through Spanning Tree Protocol; valid values are from 6 to 40 seconds.
vlan	(Optional) Number of the VLAN.

Defaults

The default configuration is 20 seconds for all VLANs.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

If you do not specify a VLAN number, VLAN 1 is assumed.

Usage Guidelines

This command is not supported by the NAM.

Examples

This example shows how to set the maximum aging time for VLAN 1000 to 25 seconds:

Console> (enable) set spantree maxage 25 1000
Spantree 1000 max aging time set to 25 seconds.
Console> (enable)

Related Commands

show spantree

set spantree portcost

Use the set spantree portcost command to set the path cost for a port.

Console> (enable) set spantree portcost 2/12 19
Spantree port 2/12 path cost set to 19.
Console> (enable) 

show spantree

set spantree portfast

Use the set spantree portfast command to allow a port that is connected to a single workstation or PC to start faster when it is connected.

Syntax Description

mod/port	Number of the module and the port on the module.
enable	Keyword to enable the spanning tree port fast-start feature on the port.
disable	Keyword to disable the spanning tree port fast-start feature on the port.

Defaults

The default is the port fast-start feature is disabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

This command is not supported by the NAM.

When a port configured with the spantree portfast enable command is connected, the port immediately enters the spanning tree forwarding state rather than going through the normal spanning tree states such as listening and learning. Use this command on ports that are connected to a single workstation or PC only; do not use it on ports that are connected to networking devices such as hubs, routers, switches, bridges, or concentrators.

Examples

This example shows how to enable the spanning tree port fast-start feature on port 2 on module 1:

Console> (enable) set spantree portfast 1/2 enable
 
Warning: Spantree port fast start should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc. to a fast start port can cause temporary spanning tree loops. Use with caution.
 
Spantree port 1/2 fast start enabled.
Console> (enable)

Related Commands

show spantree

set spantree portfast bpdu-guard

Use the set spantree portfast bpdu-guard command to enable or disable BPDU guard on the switch.

Syntax Description

enable	Keyword to enable the spanning tree PortFast BPDU guard.
disable	Keyword to disable the spanning tree PortFast BPDU guard.

Defaults

The default is PortFast BPDU guard is disabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

This command is not supported by the NAM.

When you enable PortFast BPDU guard, a nontrunking PortFast-enabled port is moved into an errdisable state when a BPDU is received on that port. When you disable a PortFast BPDU guard, a PortFast enabled nontrunking port will stay up when it receives BPDUs, which may cause spanning tree loops.

Examples

This example shows how to enable the spanning tree PortFast BPDU guard:

Console> (enable) set spantree portfast bpdu-guard enable
Spantree portfast bpdu-guard enabled on this switch.
Console> (enable) 
 

This example shows how to disable the spanning tree PortFast BPDU guard:

Console> (enable) set spantree portfast bpdu-guard disable
Spantree portfast bpdu-guard disabled on this switch.
Console> (enable) 

Related Commands

show spantree summary

set spantree portpri

Use the set spantree portpri command to set the bridge priority for a spanning tree port or TrCRF.

Syntax Description

mod/port	Number of the module and the port on the module.
trcrf	Keyword to specify the number of the TrCRF for which you are setting the bridge priority.
priority	(Optional) Number that represents the cost of a link in a spanning tree bridge; valid values are from 0 to 63, with 0 indicating high priority and 63, low priority.
trcrf_priority	(Optional) Number that represents the cost of the TrCRF; valid values are from 0 to 7, with 0 indicating high priority and 7, low priority.

Defaults

The default is all ports with bridge priority are set to 32.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

This command is not supported by the NAM.

Examples

This example shows how to set the priority of port 1 on module 4 to 63:

Console> (enable) set spantree portpri 4/1 63
Bridge port 4/1 priority set to 63.
Console> (enable)

Related Commands

show spantree

set spantree portstate

Use the set spantree portstate command to set the state of a TrCRF manually.

Syntax Description

trcrf	Number of the TrCRF for which you are manually setting the state.
block | forward | auto	Keywords to set the TrCRF to a blocked state (block), forwarding state (forward), or to have the Spanning Tree Protocol determine the correct state automatically (auto).
trbrf	(Optional) Number of the parent TrBRF.

Defaults

There is no default configuration for this command.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

This command is not supported by the NAM.

Use this command only to set the port state when the TrCRF is in SRT mode and the TrBRF is running the IBM Spanning Tree Protocol, or the TrCRF is in SRB mode and the TrBRF is running the IEEE Spanning Tree Protocol.

When you enable Spanning Tree Protocol, every switch in the network goes through the blocking state and the transitory states of listening and learning at power up. If properly configured, the ports then stabilize to the forwarding or blocking state. However, with TrBRFs and TrCRFs, there are two exceptions to this rule that require you to set the state of the logical ports of a TrBRF manually:

• The TrBRF is running the IBM Spanning Tree Protocol, and the TrCRF is in SRT mode.

• The TrBRF is running the IEEE Spanning Tree Protocol, and the TrCRF is in SRB mode.

If either condition exists, use the set spantree portstate command to set the state of a TrCRF manually to blocked or forwarding mode or set the Spanning Tree Protocol to determine the correct state automatically.

Examples

This example shows the manual setting of TrCRF 900 to a forwarding state:

Console> (enable) set spantree portstate 900 forward
reserve_nvram : requested by block = 0
reserve_nvram : granted to block = 0
release_nvram : releasing block = 0
Console> (enable)

Related Commands

show spantree

set spantree portvlancost

Use the set spantree portvlancost command to assign a lower path cost to a set of VLANs on a port.

Syntax Description

mod/port	Number of the module and the port on the module.
cost cost	(Optional) Keyword to indicate the path cost. The portvlancost applies only to trunk ports.
vlan_list	(Optional) If you do not list a VLAN explicitly, the VLANs listed in prior invocations of this command are affected. If no cost is listed explicitly, and previous cost values are specified in prior invocations, then the portvlancost is set to 1 less than the current port cost for a port. However, this may not assure load balancing in all cases.

Defaults

The default is portvlancost is 3.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

This command is not supported by the NAM.

The value specified is used as the path cost of the port for the specified set of VLANs. The rest of the VLANs have a path cost equal to the port path cost, set via the set spantree portcost command (if not set, the value is the default path cost of the port).

Examples

These examples show various ways to use the set spantree portvlancost command:

Console> (enable) set spantree portvlancost 2/10 cost 25 1-20
Cannot set portvlancost to a higher value than the port cost, 10, for port 2/10.
Console> (enable)
 
Console> (enable) set spantree portvlancost 2/10 1-20
Port 2/10 VLANs 1-20 have a path cost of 9.
Console> (enable)
 
Console> (enable) set spantree portvlancost 2/10 cost 4 1-20
Port 2/10 VLANs 1-20 have path cost 4.
Port 2/10 VLANs 21-1000 have path cost 10.
Console> (enable)
 
Console> (enable) set spantree portvlancost 2/10 cost 6 21
Port 2/10 VLANs 1-21 have path cost 6.
Port 2/10 VLANs 22-1000 have path cost 10.
Console> (enable) 
 

These examples show how to use the set spantree portvlancost command without explicitly specifying cost:

Console> (enable) set spantree portvlancost 1/2
Port 1/2 VLANs 1-1005 have path cost 3100.
Console> (enable)
 
Console> (enable) set spantree portvlancost 1/2 21
Port 1/2 VLANs 1-20,22-1005 have path cost 3100.
Port 1/2 VLANs 21 have path cost 3099.
Console> (enable) 

Related Commands

show spantree

set spantree portvlanpri

Use the set spantree portvlanpri command to set the port priority for a subset of VLANs in the trunk port.

Syntax Description

mod/port	Number of the module and the port on the module.
priority	Number that represents the cost of a link in a spanning tree bridge. The priority level is from 0 to 63, with 0 indicating high priority and 63 indicating low priority.
vlans	(Optional) VLANs that use the specified priority level.

Defaults

The default is the port VLAN priority is set to 0, with no VLANs specified.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

This command is not supported by the NAM.

Use this command to add VLANs to a specified port priority level. Subsequent calls to this command do not replace VLANs that are already set at a specified port priority level.

This feature is not supported for the MSM.

The set spantree portvlanpri command applies only to trunk ports. If you enter this command, you see this message:

Port xx is not a trunk-capable port

Examples

This example shows how to set the port priority for module 1, port 2, on VLANs 21 to 40:

Console> (enable) set spantree portvlanpri 1/2 16 21-40
Port 1/2 vlans 3,6-20,41-1000 using portpri 32
Port 1/2 vlans 1-2,4-5,21-40 using portpri 16
Console> (enable)

Related Commands

clear spantree portvlancost
show spantree

set spantree priority

Use the set spantree priority command to set the bridge priority for a VLAN.

Syntax Description

bridge_priority	Number representing the priority of the bridge. The priority level is from 0 to 65535, with 0 indicating high priority and 65535, low priority.
vlan	(Optional) Number of the VLAN. If you do not specify a VLAN number, VLAN 1 is used.

Defaults

The default is the bridge priority is set to 32768.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

This command is not supported by the NAM.

This feature is not supported for the MSM.

Examples

This example shows how to set the bridge priority of VLAN 1 to 4096:

Console> (enable) set spantree priority 4096
VLAN 1 bridge priority set to 4096.
Console> (enable)

Related Commands

show spantree

set spantree root

Use the set spantree root command to set the primary or secondary root for specific VLANs or for all VLANs of the switch.

Syntax Description

secondary	(Optional) Keyword to designate this switch as a secondary root, should the primary root fail.
vlan_list	(Optional) Number of the VLAN.
dia network_diameter	(Optional) Keyword to specify the maximum number of bridges between any two points of attachment of end stations; valid values are from 1 through 7.
hello hello_time	(Optional) Keyword to specify in seconds, the duration between the generation of configuration messages by the root switch.

Defaults

If you do not specify the secondary keyword, the default is to make the switch the primary root.

The default value of the network diameter is 7.

If you do not specify the hello_time, the current value of hello_time from the NVRAM is used.

Usage Guidelines

If you do not specify a VLAN number, VLAN 1 is assumed.

This command is not supported by the NAM.

This command is run on backbone or distribution switches.

You can run the secondary root many times to create backup switches in case of a root failure.

The secondary command reduces the bridge priority value to 16384.

This command increases path costs to a value greater than 3000.

Command Types

Switch command.

Command Modes

Privileged.

Examples

This example shows how to use the set spantree root command:

Console> (enable) set spantree root 1-10 dia 4
VLANs 1-10 bridge priority set to 8192
VLANs 1-10 bridge max aging time set to 14 seconds.
VLANs 1-10 bridge hello time set to 2 seconds.
VLANs 1-10 bridge forward delay set to 9 seconds.
Switch is now the root switch for active VLANs 1-6.
Console> (enable) 
 

These examples show that setting the bridge priority to 8192 was not sufficient to make this switch the root. So, the priority was further reduced to 7192 (100 less than the current root switch) to make this switch the root switch. However, reducing it to this value did not make it the root switch for active VLANs 16 and 17.

Console> (enable) set spantree root 11-20.
VLANs 11-20 bridge priority set to 7192
VLANs 11-10 bridge max aging time set to 20 seconds.
VLANs 1-10 bridge hello time set to 2 seconds.
VLANs 1-10 bridge forward delay set to 13 seconds.
Switch is now the root switch for active VLANs 11-15,18-20.
Switch could not become root switch for active VLAN 16-17.
Console> (enable) 
 
Console> (enable) set spantree root secondary 22,24 dia 5 hello 1
VLANs 22,24 bridge priority set to 16384.
VLANs 22,24 bridge max aging time set to 10 seconds.
VLANs 22,24 bridge hello time set to 1 second.
VLANs 22,24 bridge forward delay set to 7 seconds.
Console> (enable) 

Related Commands

show spantree

set spantree uplinkfast

Use the set spantree uplinkfast command to enable fast switchover to alternate ports when the root port fails. This command applies to a switch, not to a WAN.

Syntax Description

enable	Keyword to enable fast switchover.
disable	Keyword to disable fast switchover.
rate	(Optional) Keyword to specify the number of multicast packets transmitted per 100 ms when an alternate port is chosen after the root port goes down.
station_update_rate	(Optional) Number of multicast packets transmitted per 100 ms when an alternate port is chosen after the root port goes down.
all-protocols	(Optional) Keyword to specify whether or not to generate multicast packets for all protocols (IP, IPX, AppleTalk, and Layer 2 packets).
off	(Optional) Keyword to turn off the all-protocols feature.
on	(Optional) Keyword to turn on the all-protocols feature.

Defaults

The default station_update_rate is 15 packets per 100 ms.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

This command is not supported by the NAM.

The set spantree uplinkfast enable command has the following results:

• Changes the bridge priority to 49152 for all VLANs (allowed VLANs).

• Increases the path cost and portvlancost of all ports to a value greater than 3000.

• On detecting the failure of a root port, an instant cutover occurs to an alternate port selected by Spanning Tree Protocol.

If you run set spantree uplinkfast enable on a switch that has this feature already enabled, only the station update rate is updated. The rest of the parameters are not modified.

If you run set spantree uplinkfast disable on a switch, the UplinkFast feature is disabled but the switch priority and port cost values are not reset to the factory-set defaults. To reset the values to the factory-set defaults, enter the clear spantree uplinkfast command.

The default station_update_rate value is 15 packets per 100 ms, which is equivalent to a 1 percent load on a 10-Mbps Ethernet. If you specify this value as 0, the generation of these packets is turned off.

You do not have to turn on the all-protocols feature on Catalyst 6000 family switches that have both the UplinkFast and protocol filtering features enabled. Use the all-protocols feature only on Catalyst 6000 family switches that have UplinkFast enabled but do not have protocol filtering; upstream switches in the network use protocol filtering. You must enter the all-protocols option to inform the UplinkFast task whether or not to generate multicast packets for all protocols.

Examples

This example shows how to enable spantree UplinkFast and specify the number of multicast packets transmitted to 40 packets per 100 ms:

Console> (enable) set spantree uplinkfast enable rate 40
VLANs 1-1000 bridge priority set to 49152.
The port cost and portvlancost of all ports increased to above 3000.
Station update rate set to 40 packets/100ms.
uplinkfast turned on for bridge.
Console> (enable) 
 

This example shows how to disable spantree UplinkFast:

Console> (enable) set spantree uplinkfast disable
Uplinkfast disabled for switch. 
Use clear spantree uplinkfast to return stp parameters to default.
Console> (enable) clear spantree uplink
This command will cause all portcosts, portvlancosts, and the 
bridge priority on all vlans to be set to default.
Do you want to continue (y/n) [n]? y
VLANs 1-1005 bridge priority set to 32768.
The port cost of all bridge ports set to default value.
The portvlancost of all bridge ports set to default value.
uplinkfast disabled for bridge.
Console> (enable) 
 

This example shows how to turn on the all-protocols feature:

Console> (enable) set spantree uplinkfast enable all-protocols on
uplinkfast update packets enabled for all protocols.
uplinkfast already enabled for bridge.
Console> (enable)
 

This example shows how to turn off the all-protocols feature:

Console> (enable) set spantree uplinkfast enable all-protocols off
uplinkfast all-protocols field set to off.
uplinkfast already enabled for bridge.
Console> (enable)

Related Commands

show spantree

Posted: Wed Aug 23 13:32:34 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.