System Switch Processor Commands

Table 2-1: Command Summary

Commands		Description
User EXEC mode
	show ntp associations	Displays the status of NTP associations.
	show ntp status	Displays the status of NTP.
	show spanning-tree	Displays Spanning Tree Protocol (STP) information.
	show udld	Displays UniDirectional Link Detection (UDLD) status information for all or the specified port.
	show vlan	Displays information about a virtual LAN (VLAN).
	show version	Displays the firmware version for the switch.
	show vtp counters show vtp status	Displays general information about the VLAN Trunk Protocol (VTP) management domain, status, and counters.
Privileged EXEC mode
	clear cgmp	Deletes the multicast addresses and router ports maintained by Cisco Group Management Protocol (CGMP).
	clear ip address	Deletes the IP address without disabling the IP processing. This command should not be invoked through the CLI, because it is configured through the Cisco ICS 7700 System Manager and might conflict with its configurations.
	clear mac-address-table	Deletes all addresses in the MAC address table.
	clear vmps statistics	Clears the statistics maintained by the VLAN Query Protocol (VQP) client.
	clear vtp counters	Clears the VLAN Trunk Protocol (VTP) counters.
	delete	Deletes a file from the file system.
	show cgmp	Displays the current state of the CGMP-learned multicast groups and routers.
	show file systems	Displays information about local and remote file systems.
	show interface	Displays the administrative and operational status of a switching port.
	show mac-address-table	Displays the MAC address table.
	show port block	Displays the blocking of unicast and multicast filtering for the port.
	show port group	Displays the ports that are assigned to groups.
	show port led	Displays the switch port LED colors.
	show port monitor	Displays the ports that have port monitoring enabled.
	show port network	Displays the network ports on the switch.
	show port protected	Displays the ports that are port protected mode.
	show port security	Displays the ports that have port security enabled.
	show port storm-control	Displays the setting of broadcast storm control.
	show rps	Displays the status of the Cisco Redundant Power System (RPS). The show rps command does not apply to the SSP.
	show tacacs	Displays various Terminal Access Controller Access Control System Plus (TACACS+) server statistics.
	show vmps	Displays the VQP version, reconfirmation interval, retry count, server IP addresses, and current and primary servers.
	show vmps statistics	Displays the VQP client-side statistics.
	udld reset	Resets any port that has been shut down by UDLD.
	vlan database	Enters VLAN database mode.
	vmps reconfirm	Sends VQP queries to reconfirm all dynamic VLAN assignments with the VLAN Membership Policy Server (VMPS).
Global configuration mode
	cgmp	Enables CGMP and other CGMP options.
	enable last-resort	Specifies what happens if the Terminal Access Controller Access Control System (TACACS) and Extended TACACS servers used by the enable command do not respond.
	enable use-tacacs	Enables the use of TACACS to determine whether a user can access the privileged command level.
	interface	Selects an interface to configure. Creates a new management VLAN interface.
	mac-address-table aging-time	Sets the length of time that a dynamic entry remains in the address table.
	mac-address-table dynamic	Adds a dynamic address entry to the address table.
	mac-address-table secure	Adds a secure address entry to the address table.
	mac-address-table static	Adds a static address entry to the address table.
	ntp access-group	Controls access to the system Network Time Protocol (NTP) services.
	ntp authenticate	Enables NTP authentication.
	ntp authentication-key	Defines an authentication key for NTP.
	ntp broadcastdelay	Sets the estimated round-trip delay between the Cisco IOS software and an NTP broadcast server.
	ntp clock-period	Determines the clock error.
	ntp max-associations	Sets the maximum number of NTP associations that are allowed on a server.
	ntp peer	Configures the router system clock to synchronize a peer or to be synchronized by a peer.
	ntp server	Allows the router system clock to be synchronized by a time server.
	ntp source	Uses a particular source address in NTP packets.
	ntp trusted-key	Authenticates the identity of a system to which NTP will synchronize.
	shutdown vlan	Shuts down local traffic on the specified VLAN.
	snmp-server enable traps vlan-membership	Enables SNMP notification for VMPS changes. This command should not be invoked through the CLI, because it is configured through the Cisco ICS 7700 System Manager and might conflict with its configurations.
	snmp-server enable traps vtp	Enables SNMP notification for VTP changes. This command should not be invoked through the CLI, because it is configured through the Cisco ICS 7700 System Manager and might conflict with its configurations.
	snmp-server host	Specifies the host that receives SNMP traps. This command should not be invoked through the CLI, because it is configured through the Cisco ICS 7700 System Manager and might conflict with its configurations.
	spanning-tree	Enables an instance of STP.
	spanning-tree forward-time	Specifies the forward delay interval for the switch.
	spanning-tree hello-time	Specifies the interval between hello Bridge Protocol Data Units (BPDUs).
	spanning-tree max-age	Changes the interval the switch waits to receive BPDUs from the root switch.
	spanning-tree priority	Configures the bridge priority for the specified spanning-tree instance.
	spanning-tree protocol	Defines the type of STP.
	spanning-tree uplinkfast	Accelerates the choice of a new root port when a link or switch fails or when STP reconfigures itself.
	tacacs-server attempts	Controls the number of login attempts that can be made on a line set up for TACACS, Extended TACACS, or TACACS+ verification.
	tacacs-server directed-request	Sends only a username to a specified server when a direct request is issued in association with TACACS, Extended TACACS, and TACACS+.
	tacacs-server dns-alias-lookup	Enables IP Domain Name System alias lookup for TACACS+.
	tacacs-server extended	Enables an extended TACACS mode.
	tacacs-server host	Specifies a TACACS, Extended TACACS, or TACACS+ host.
	tacacs-server key	Sets the authentication encryption key used for all TACACS+ communications between the access server and the TACACS+ daemon.
	tacacs-server last-resort	Causes the network access server to request the privileged password as verification for TACACS or Extended TACACS or to allow successful login without further input from the user.
	tacacs-server login-timeout	Specifies the maximum number of seconds to wait for a TACACs login.
	tacacs-server optional-passwords	Specifies that the first TACACS request to a TACACS or Extended TACACS server be made without password verification.
	tacacs-server retransmit	Specifies the number of times the Cisco IOS software searches the list of TACACS or Extended TACACS server hosts before giving up.
	tacacs-server timeout	Sets the interval that the server waits for a TACACS, Extended TACACS, or TACACS+ server to reply.
	udld enable	Enables UDLD on all switch ports.
	vmps reconfirm	Changes the reconfirmation interval for the VQP client.
	vmps retry	Configures the per-server retry count for the VQP client.
	vmps server	Configures the primary VMPS and up to three secondary servers.
	vtp file	Modify the VTP configuration storage filename.
VLAN database mode
	abort	Abandons the proposed new VLAN database and returns to privileged EXEC mode.
	apply	Implements the proposed new VLAN database, propagates it throughout the administrative domain, and remains in VLAN database mode.
	exit	Implements the proposed new VLAN database, propagates it throughout the administrative domain, and returns to privileged EXEC mode.
	reset	Abandons the proposed new VLAN database and remains in VLAN database mode.
	show changes	Displays the differences between the currently implemented VLAN database on the switch and the proposed new VLAN database.
	show current	Displays the currently implemented VLAN database on the switch or a single selected VLAN from it.
	show proposed	Displays the proposed new VLAN database or a single selected VLAN from it.
	vlan	Configures a VLAN by its VLAN ID.
	vtp	Configures the VTP mode.
	vtp domain	Configures the VTP administrative domain.
	vtp password	Configures the VTP password.
	vtp pruning	Enables pruning in the VTP administrative domain.
	vtp v2-mode	Enables VTP version 2 mode in the administrative domain.
Interface configuration mode
	duplex	Specifies the duplex mode of operation for a port.
	management	Shuts down the current management VLAN interface.
	ntp broadcast client	Allows the system to receive NTP broadcast packets on a port.
	ntp broadcast destination	Configures an NTP server or peer to restrict broadcast of NTP frames to the IP address of a designated client or a peer.
	ntp broadcast key	Configures an NTP server or peer to broadcast NTP frames with the authentication key embedded into the NTP packet.
	ntp broadcast version	Specifies a port to send NTP broadcast packets.
	ntp disable	Prevents a port from receiving NTP packets.
	ip address	Sets a primary or secondary IP address of a VLAN interface. This command should not be invoked through the CLI, because it is configured through the Cisco ICS 7700 System Manager and might conflict with its configurations.
	port block	Prevents the flooding of unknown destination MAC addresses and multicast addresses on this port.
	port group	Places a port into a port aggregation group.
	port monitor	Implements port monitoring on this port.
	port network	Enables a port as the network port for a VLAN.
	port protected	Isolates unicast, multicast, and broadcast traffic at Layer 2 from other protected ports on the same switch.
	port security	Enables port security on a port.
	port storm-control	Disables broadcast, multicast, or unicast traffic if too many packets are seen on this port.
	shutdown	Disables a port.
	spanning-tree cost	Sets a different path cost.
	spanning-tree portfast	Enables the Port Fast option on the switch.
	spanning-tree port-priority	Configures the STP priority of a port.
	spanning-tree rootguard	Enables the root guard feature for all the VLANs associated with the specified port. Controls which ports are allowed to be STP root ports.
	speed	Specifies the speed of a port.
	switchport access	Configures a port as an access or dynamic VLAN port.
	switchport mode	Configures the VLAN membership mode of a port.
	switchport multi	Configures a port to be a multi-VLAN port.
	switchport priority	Configures a port priority for untagged (native Ethernet) frames to provide quality of service (QoS). Also sets the priority of frames received by the appliance connected to the specified port.
	switchport trunk allowed vlan	Controls which VLANs can receive and transmit traffic on the trunk.
	switchport trunk encapsulation	Sets the encapsulation format on the trunk.
	switchport trunk native	Sets the native VLAN for untagged traffic when in IEEE 802.1Q trunking mode.
	switchport trunk pruning	Sets the list of VLANs enabled for VTP pruning when the port is in trunking mode.
	switchport voice vlan	Sets the voice VLAN on the port.
	udld	Enables or disables UDLD on a port.
Line configuration mode
	login authentication	Applies the authentication list to a line or set of lines.
	login local	Changes a login username.
	login tacacs	Configures your switch to use TACACS user authentication.

For task-oriented configuration steps, see the software configuration documentation that came with the system.

Syntax Description

This command has no arguments or keywords.

Defaults

No default is defined.

Command Modes

VLAN database

Command History

Release	Modification
11.2(8)SA4	This command was first introduced.

Usage Guidelines

If you have added, deleted, or modified VLAN parameters in VLAN database mode but you do not want to keep the changes, the abort command causes all the changes to be abandoned. The VLAN configuration that was running before you entered VLAN database mode continues to be used.

Examples

The following example shows how to abandon the proposed new VLAN database and exit to the privileged EXEC mode:

Switch(vlan)# abort

Switch#
 

You can verify that no VLAN database changes occurred by entering the show vlan brief command in privileged EXEC mode.

Related Commands

Command	Description
apply	Implements the proposed new VLAN database, increments the database configuration revision number, propagates it throughout the administrative domain, and remains in VLAN database mode.
exit	Implements the proposed new VLAN database, increments the database configuration number, propagates it throughout the administrative domain, and returns to privileged EXEC mode.
reset	Abandons the proposed VLAN database and remains in VLAN database mode. Resets the proposed database to the currently implemented VLAN database on the switch.
show vlan	Displays the parameters for all configured VLANs in the administrative domain.
shutdown vlan	Shuts down (suspends) local traffic on the specified VLAN.
vlan database	Enters VLAN database mode from the command-line interface (CLI).

Syntax Description

This command has no arguments or keywords.

Defaults

No default is defined.

Command Modes

VLAN database

Command History

Release	Modification
11.2(8)SA4	This command was first introduced.

Usage Guidelines

The apply command implements the configuration changes you made after you entered VLAN database mode and uses them for the running configuration. This command keeps you in VLAN database mode.

You cannot use this command when the switch is in the VLAN Trunk Protocol (VTP) client mode.

Examples

The following example shows how to implement the proposed new VLAN database and recognize it as the current database:

Switch(vlan)# apply

 

You can verify that VLAN database changes occurred by entering the show vlan command in privileged EXEC mode.

Related Commands

Command	Description
apply	Implements the proposed new VLAN database, increments the database configuration revision number, propagates it throughout the administrative domain, and remains in VLAN database mode.
exit	Implements the proposed new VLAN database, increments the database configuration number, propagates it throughout the administrative domain, and returns to privileged EXEC mode.
reset	Abandons the proposed VLAN database and remains in VLAN database mode. Resets the proposed database to the currently implemented VLAN database on the switch.
show vlan	Displays the parameters for all configured VLANs in the administrative domain.
shutdown vlan	Shuts down (suspends) local traffic on the specified VLAN.
vlan database	Enters VLAN database mode from the command-line interface (CLI).

Syntax Description

leave-processing	Enable Fast Leave processing on the switch.
holdtime time	Number of seconds a router connection is retained before the switch ceases to exchange messages with it. You can enter a number from 10 to 6000 (seconds).
reserved	Allow reserved addresses from 0100.5E00.0000 to 0100.5E00.00FF to join as group destination addresses.

Defaults

CGMP is enabled.

Fast Leave is disabled.

The hold time is 300 seconds.

Reserved addresses are allowed as group destination addresses.

Command Modes

Global configuration

Command History

Release	Modification
11.2(8)SA3	This command was first introduced.
12.0(5)XP	The reserved keyword was added.

Usage Guidelines

CGMP must be enabled before the Fast Leave option can be enabled.

Examples

The following example shows how to disable CGMP:

Switch(config)# no cgmp

 

The following example shows how to disable the Fast Leave option:

Switch(config)# no cgmp leave-processing

 

The following example shows how to set 400 seconds as the length of time the switch waits before ceasing to exchange messages with a router:

Switch(config)# cgmp holdtime 400

 

The following example shows how to remove the amount of time the switch waits before ceasing to exchange messages with a router:

Switch(config)# no cgmp holdtime

 

The following example shows how to exclude reserved addresses from the group destination address for compatibility with Catalyst 5000 series switches.

Switch(config)# no cgmp reserved

 

You can verify the previous commands by entering the show cgmp command in privileged EXEC mode.

Related Commands

Command	Description
clear cgmp	Deletes information that was learned by the switch using the CGMP.
show cgmp	Displays the current state of the CGMP-learned multicast groups and routers.

Syntax Description

vlan vlan-id	(Optional) VLAN for which the CGMP groups or routers are to be deleted. Valid IDs are from 1 to 1001; do not enter leading zeroes.
group address	Delete all known multicast groups and their destination ports. Limited to a VLAN if the vlan keyword is entered. Limited to a specific group if the address parameter (MAC address of the group or router) is entered.
router address	(Optional) Delete all routers, their ports, and expiration times. Limited to a given VLAN if the vlan keyword is entered. Limited to a specific router if the address parameter is entered.

Command Modes

Privileged EXEC

Command History

Release	Modification
11.2(8)SA3	This command was first introduced.

Usage Guidelines

Using clear cgmp with no arguments deletes all groups and routers in all VLANs.

Examples

The following example shows how to delete all groups and routers on VLAN 2:

Switch# clear cgmp vlan 2

 

The following example shows how to delete all groups on all VLANs:

Switch# clear cgmp group

 

The following example shows how to delete a router address on VLAN 2:

Switch# clear cgmp vlan 2 router 0012.1234.1234

 

You can verify the previous commands by entering the show cgmp command in privileged EXEC mode.

Related Commands

Command	Description
cgmp	Enables CGMP and the Fast Leave option and sets the router port aging time.
show cgmp	Displays the current state of the CGMP-learned multicast groups and routers.

Caution Cisco strongly recommends that you do not configure the internal SSP ports (Fast Ethernet 0/3 to 0/8) through the CLI. The SSP internal ports are configured by the Cisco ICS 7750 cards attached to them. Any configuration changes made to the internal ports are not saved and are deleted when the Cisco ICS 7750 reboots.

Syntax Description

static	(Optional) Delete only static addresses.
dynamic	(Optional) Delete only dynamic addresses.
secure	(Optional) Delete only secure addresses.
address hw-addr	(Optional) Delete the address hw-addr of type static, dynamic, and secure as specified.
interface interface	(Optional) Delete an address on the interface interface of type static, dynamic, or secure as specified.
vlan vlan-id	(Optional) Delete all the MAC addresses for vlan-id. Valid IDs are from 1 to 1005; do not enter leading zeroes.

Command Modes

Privileged EXEC

Command History

Release	Modification
11.2(8)SA	This command was first introduced.
11.2(8)SA3	The vlan keyword was added.
11.2(8)SA5	The atm keyword was added.

Usage Guidelines

This command deletes entries from the global MAC address table. Specific subsets can be deleted by using the optional keywords and values. If more than one optional keyword is used, all of the conditions in the argument must be true for that entry to be deleted.

Examples

The following example shows how to delete static addresses on port fa0/2:

Switch# clear mac-address-table static interface fa0/2

 

The following example shows how to delete all secure addresses in VLAN 3:

Switch# clear mac-address-table secure vlan 3

 

The following example shows how to delete address 0099.7766.5544 from all ports in all VLANs. If the address exists in multiple VLANs or multiple ports, all the instances are deleted.

Switch# clear mac-address-table address 0099.7766.5544

 

The following example shows how to delete address 0099.7766.5544 only in VLAN 2:

Switch# clear mac-address-table address 0099.7766.5544 vlan 2

 

You can verify the previous commands by entering the show mac-address-table command in privileged EXEC mode.

Related Commands

Command	Description
show mac-address-table	Displays the MAC address table.

Switch# clear vmps statistics

 

You can verify the previous command by entering the show vmps statistics command in privileged EXEC mode.

Related Commands

Command	Description
show vmps statistics	Displays the VLAN Query Protocol (VQP) version, reconfirmation interval, retry count, VMPS IP addresses, and the current and primary servers.

Syntax Description

This command has no arguments or keywords.

Defaults

No default is defined.

Command Modes

Privileged EXEC

Command History

Release	Modification
11.2(8)SA4	This command was first introduced.

Examples

The following example shows how to clear the VTP counters:

Switch# clear vtp counters

 

You can verify the previous command by entering the show vtp counters command in privileged EXEC mode.

Related Commands

Command	Description
show vtp counters	Displays general information about the VTP management domain, status, and counters.

Syntax Description

device:	Device containing the file to be deleted. Valid devices include the switch Flash memory.
filename	Name of file.

Command Modes

Privileged EXEC

Command History

Release	Modification
11.2(8)SA6	This command was first introduced.

Usage Guidelines

A colon (:) follows the device variable. Do not enter spaces after the colon.

Examples

The following example shows how to delete a file from the switch Flash memory:

Switch# delete flash:filename

Related Commands

Command	Description
copy tftp	Downloads a file from a TFTP server to a device.

Syntax Description

password	Provide access to enable mode with entry of the privileged command level password. A password must contain from 1 to 25 uppercase and lowercase alphanumeric characters.
succeed	Provide access to enable mode without further question.

Defaults

Authentication is disabled.

Command Modes

Global configuration

Command History

Release	Modification
11.2(8)SA6	This command was first introduced.

Usage Guidelines

This secondary authentication is used only if the first attempt fails.

Note   This command is not used with Terminal Access Controller Access Control System Plus (TACACS+), a Cisco proprietary protocol that instead uses the authentication, authorization, and accounting (AAA) suite of commands.

Examples

In the following example, if the TACACS servers do not respond to the enable command, you can enable access by entering the privileged-level password:

Switch(config)# enable last-resort <password>
 

You can verify the previous command by entering the show running-config command in privileged EXEC mode.

Related Commands

Command	Description
enable	Accesses privileged EXEC mode.
show running-config	Displays the running configuration on the switch.

Tips If you use the enable use-tacacs command, you must also use the tacacs-server authenticate enable command, or you will be locked out of the privileged command level.

Syntax Description

This command has no arguments or keywords.

Defaults

TACACS verification is disabled.

Command Modes

Global configuration

Command History

Release	Modification
11.2(8)SA6	This command was first introduced.

Usage Guidelines

When you add this command to the configuration file, the enable privilege EXEC command prompts for a new username and password. This pair is then passed to the TACACS server for authentication. If you are using Extended TACACS, it also sends any existing UNIX user identification code to the server.

Note   This command initializes TACACS. Use the tacacs server-extended command to initialize Extended TACACS or use the aaa new-model command to initialize authentication, authorization, and accounting (AAA) and Terminal Access Controller Access Control System Plus (TACACS+).

Examples

The following example sets TACACS verification on the privileged EXEC login sequence:

Switch(config)# enable use-tacacs

Switch(config)# tacacs-server authenticate enable

 

You can verify the previous commands by entering the show running-config command in privileged EXEC mode.

Related Commands

Command	Description
show running-config	Displays the running configuration on the switch.
tacacs-server authenticate enable	Indicates whether users can perform an attempted action under TACACS and extended TACACS.

Syntax Description

This command has no arguments or keywords.

Defaults

No default is defined.

Command Modes

VLAN database

Command History

Release	Modification
11.2(8)SA4	This command was first introduced.

Usage Guidelines

The exit command implements all the configuration changes you made since you entered VLAN database mode and uses them for the running configuration. This command returns you to privileged EXEC mode.

Examples

The following example shows how to implement the proposed new VLAN database and exit to privileged EXEC mode:

Switch(vlan)# exit

Switch#
 

You can verify the previous command by entering the show vlan brief command in privileged EXEC mode.

Related Commands

Command	Description
abort	Abandons the proposed new VLAN database, exits VLAN database mode, and returns to privileged EXEC mode.
apply	Implements the proposed new VLAN database, increments the database configuration revision number, propagates it throughout the administrative domain, and remains in VLAN database mode.
reset	Abandons the proposed VLAN database and remains in VLAN database mode. Resets the proposed database to the currently implemented VLAN database on the switch.
show vlan	Displays the parameters for all configured VLANs in the administrative domain.
shutdown vlan	Shuts down (suspends) local traffic on the specified VLAN.
vlan database	Enters VLAN database mode from the command-line interface (CLI).

Caution Cisco strongly recommends that you do not configure the internal SSP ports (Fast Ethernet 0/3 to 0/8) through the CLI. The SSP internal ports are configured by the Cisco ICS 7750 cards attached to them. Any configuration changes made to the internal ports are not saved and are deleted when the Cisco ICS 7750 reboots.

Syntax Description

type	Type of interface to be configured such as Fast Ethernet.
slot	Slot number 0.
port	Port number 0 or 1.
vlan number	VLAN number from 1 to 1001 to be used as the management VLAN. Do not enter leading zeroes.

Defaults

The default management VLAN interface is VLAN 1.

Command Modes

Global configuration

Command History

Release	Modification
11.2(8)SA	This command was first introduced.
11.2(8)SA3	The vlan keyword was added.

Usage Guidelines

When creating a management VLAN interface, a space between vlan and number is accepted.

Only one management VLAN interface can be active.

You cannot delete the management VLAN 1 interface.

Before bringing up a new management VLAN interface with the no shutdown command, you must issue the shutdown command to disable the old one.

You can use the management command to shut down the active management VLAN interface and to enable the newly created management VLAN interface.

You can configure the management VLAN interface on static-access, multi-VLAN, dynamic-access, and trunk ports.

Examples

The following example shows how to enable the switch to act on port 0/1:

Switch(config)# interface 0/1
Switch(config-if)#
 

The following example shows how to change the management VLAN from VLAN 1 to VLAN 3. This series of commands should only be executed from the console. If these commands are executed through a Telnet session, the shutdown command disconnects the session, and there is no way to use IP to access the system.

Switch# configure terminal

Switch(config)# interface vlan 3

Switch(config-subif)# ip address 172.20.128.176 255.255.255.0

Switch(config-subif)# exit

Switch(config-if)# exit

Switch(config)# interface vlan 1

Switch(config-subif)# shutdown

Switch(config-subif)# exit

Switch(config-if)# exit

Switch(config)# interface vlan 3

Switch(config-subif)# no shutdown

Switch(config-subif)# exit

Switch(config-if)# exit

 

The following example shows how to change the management VLAN from VLAN 1 to VLAN 3 through a Telnet session. In this situation, the management command shuts down VLAN 1 and brings up
VLAN 3. The Telnet session must be re-established through the new management VLAN.

Switch# configure terminal

Switch(config)# interface vlan 3

Switch(config-subif)# ip address 172.20.128.176 255.255.255.0

Switch(config-subif)# management

 

The following example shows how to copy the IP address and network mask information from the current management VLAN to VLAN 3 and make VLAN 3 the new management VLAN:

Switch# configure terminal

Switch(config)# interface vlan 3

Switch(config-subif)# management

 

You can verify the previous commands by entering the show interface and show interface vlan number command in privilege EXEC mode.

Related Commands

Command	Description
management	Shuts down the current management VLAN interface and enables the new management VLAN interface.
show interface	Displays the administrative and operational status of a switching (nonrouting) port.
shutdown	Disables a port and shuts down the management VLAN.

Caution This command should not be invoked through the CLI, because it is configured through the Cisco ICS 7700 System Manager and might conflict with its configurations.

Syntax Description

local	(Optional) Select local password checking. Authentication is based on the username specified with the username global configuration command.
tacacs	(Optional) Select the Terminal Access Controller Access Control System (TACACS)-style user ID and password-checking mechanism.

Defaults

No password is assigned, and you cannot access the switch through Telnet. Virtual terminals require a password. If you do not set a password for a virtual terminal, it responds to attempted connections by displaying an error message and closing the connection.

Command Modes

Line configuration

Command History

Release	Modification
11.2(8)SA6	This command was first introduced.

Usage Guidelines

If you specify the login command without the local or tacacs option, authentication is based on the password specified with the line configuration password command.

Note   This command cannot be used with authentication, authorization, and accounting (AAA) and TACACS+. Use the login authentication command instead.

Examples

The following example shows how to set the password letmein on virtual terminal line 4:

Switch(config-line)# line vty 4

Switch(config-line)# password letmein

Switch(config-line)# login

 

The following example shows how to enable the TACACS-style user ID and password-checking mechanism:

Switch(config-line)# line 0

Switch(config-line)# password <mypassword> 
Switch(config-line)# login tacacs

 

You can verify the previous commands by entering the show running-config command in privileged EXEC mode.

Related Commands

Command	Description
enable password	Sets a local password to control access to various privilege levels.
password	Specifies a password on a line.
show running-config	Displays the running configuration on the switch.
username	Establishes a username-based authentication system.

Caution This command should not be invoked through the CLI, because it is configured through the Cisco ICS 7700 System Manager and might conflict with its configurations.

Syntax Description

default	Use the default list created with the AAA authentication login command.
list-name	Use the indicated list created with the AAA authentication login command.

Defaults

Login authentication is disabled.

Command Modes

Line configuration

Command History

Release	Modification
11.2(8)SA6	This command was first introduced.

Usage Guidelines

To create a default list that is used if no list is specified in the login authentication command, use the default keyword followed by the methods you want used in default situations. The default method list is automatically applied to all interfaces.

Examples

The following example shows how to specify TACACS+ as the default method for user authentication during login:

Switch(config)# aaa new-model

Switch(config)# aaa authentication login default tacacs

Switch(config)# line vty 0 4

Switch(config-line)# login authentication default tacacs

 

You can verify the previous commands by entering the show running-config command in privileged EXEC mode.

Related Commands

Command	Description
enable password	Sets a local password to control access to various privilege levels.
password	Specifies a password on a line.
show running-config	Displays the running configuration on the switch.
username	Establishes a username-based authentication system.

Note   Option atm slot/port of this command is not supported on the SSP.

Caution Cisco strongly recommends that you do not configure the internal SSP ports (Fast Ethernet 0/3 to 0/8) through the CLI. The SSP internal ports are configured by the Cisco ICS 7750 cards attached to them. Any configuration changes made to the internal ports are not saved and are deleted when the Cisco ICS 7750 reboots.

Syntax Description

hw-addr	MAC address added to or removed from the table.
interface	Port to which packets destined for hw-addr are forwarded.
vlan vlan-id	(Optional) The interface and vlan parameters together specify a destination to which packets destined for hw-addr are forwarded. The vlan keyword is optional if the port is a static-access or dynamic-access VLAN port. In this case, the VLAN assigned to the port is assumed to be that of the port associated with the MAC address. Note   When this command is executed on a dynamic-access port, queries to the VLAN Membership Policy Server (VMPS) do not occur. The VMPS cannot verify that the address is allowed or determine to which VLAN the port should be assigned. This command should only be used for testing purposes. The vlan keyword is required for multi-VLAN and trunk ports. This keyword is required on trunk ports to specify to which VLAN the dynamic address is assigned. The vlan-id is the ID of the VLAN to which packets destined for hw-addr are forwarded. Valid IDs are 1 to 1005; do not enter leading zeroes.

Command Modes

Global configuration

Command History

Release	Modification
11.2(8)SA	This command was first introduced.
11.2(8)SA3	The vlan keyword was added.
11.2(8)SA5	The atm keyword was added.

Usage Guidelines

If the variable vlan-id is omitted and the no form of the command is used, the MAC address is removed from all VLANs.

Examples

The following example shows how to add a MAC address on port fa0/1 to VLAN 4:

Switch(config)# mac-address-table dynamic 00c0.00a0.03fa fa0/1 vlan 4

 

You can verify the previous command by entering the show mac-address-table command in privileged EXEC mode.

Related Commands

Command	Description
clear mac-address-table	Deletes entries from the MAC address table.
mac-address-table aging-time	Sets the length of time that a dynamic entry remains in the MAC address table after the entry is used or updated.
mac-address-table static	Adds static addresses to the MAC address table.
show mac-address-table	Displays the MAC address table.

Note   Option atm slot/port of this command is not supported on the SSP.

Caution Cisco strongly recommends that you do not configure the internal SSP ports (Fast Ethernet 0/3 to 0/8) through the CLI. The SSP internal ports are configured by the Cisco ICS 7750 cards attached to them. Any configuration changes made to the internal ports are not saved and are deleted when the Cisco ICS 7750 reboots.

Syntax Description

hw-addr	MAC address that is added to the table.
interface	Port to which packets destined for hw-addr are forwarded.
vlan vlan-id	(Optional) The interface and vlan parameters together specify a destination to which packets destined for hw-addr are forwarded. The vlan keyword is optional if the port is a static-access VLAN port. In this case, the VLAN assigned to the port is assumed to be that of the port associated with the MAC address. This keyword is required for multi-VLAN and trunk ports. The vlan-id is the ID of the VLAN to which secure entries are added. Valid IDs are 1 to 1005; do not enter leading zeroes.

Command Modes

Global configuration

Command History

Release	Modification
11.2(8)SA	This command was first introduced.
11.2(8)SA3	The vlan keyword was added.
11.2(8)SA5	The atm keyword was added.

Usage Guidelines

Secure addresses can be assigned only to one port at a time. Therefore, if a secure address table entry for the specified MAC address and VLAN already exists on another port, it is removed from that port and assigned to the specified one.

Dynamic-access ports cannot be configured with secure addresses.

Examples

The following example shows how to add a secure MAC address to VLAN 6 of port fa0/1:

Switch(config)# mac-address-table secure 00c0.00a0.03fa fa0/1 vlan 6

 

You can verify the previous command by entering the show mac-address-table command in privileged EXEC mode.

Related Commands

Command	Description
clear mac-address-table	Deletes entries from the MAC address table.
mac-address-table aging-time	Sets the length of time that a dynamic entry remains in the MAC address table after the entry is used or updated.
mac-address-table dynamic	Adds dynamic addresses to the MAC address table.
mac-address-table static	Adds static addresses to the MAC address table.
show mac-address-table	Displays the MAC address table.

Caution Cisco strongly recommends that you do not configure the internal SSP ports (Fast Ethernet 0/3 to 0/8) through the CLI. The SSP internal ports are configured by the Cisco ICS 7750 cards attached to them. Any configuration changes made to the internal ports are not saved and are deleted when the Cisco ICS 7750 reboots.

Syntax Description

hw-addr	MAC address to add to the address table.
in-port	Input port from which packets received with a destination address of hw-addr are forwarded to the list of ports in the out-port-list. The in-port must belong to the same VLAN as all the ports in the out-port-list.
out-port-list	List of ports to which packets received on ports in in-port are forwarded. All ports in the list must belong to the same VLAN.
vlan vlan-id	(Optional) The interface and vlan parameters together specify a destination to which packets destined for the specified MAC address are forwarded. The vlan keyword is optional if all the ports specified by in-port and out-port-list are static-access VLAN ports. The VLAN assigned to the ports is assumed. This keyword is required for multi-VLAN and trunk ports. Dynamic-access ports cannot be included in static addresses as either the source (in-port) or destination (out-port). The vlan keyword is required on trunk ports to specify to which VLAN the static address is assigned. The vlan-id is the ID of the VLAN to which static address entries are forwarded. Valid IDs are 1 to 1005; do not enter leading zeroes.

Command Modes

Global configuration

Command History

Release	Modification
11.2(8)SA	This command was first introduced.
11.2(8)SA3	The vlan keyword was added.
11.2(8)SA5	The atm keyword was added.

Usage Guidelines

When a packet is received on the input port, it is forwarded to the VLAN of each port you specify for the out-port-list. Different input ports can have different output-port lists for each static address. Adding a static address already defined as one modifies the port map (vlan and out-port-list) for the input port specified.

If the variable vlan-id is omitted and the no form of the command is used, the MAC address is removed from all VLANs.

Traffic from a static address is only accepted from a port defined in the in-port variable.

Dynamic-access ports cannot be configured as the source or destination port in a static address entry.

Examples

The following example shows how to add a static address with port 1 as an input port and ports 2 and 8 of VLAN 4 as output ports:

Switch(config)# mac-address-table static c2f3.220a.12f4 fa0/1 fa0/2 fa0/8 vlan 4

 

You can verify the previous command by entering the show mac-address-table command in privileged EXEC mode.

Related Commands

Command	Description
clear mac-address-table	Deletes entries from the MAC address table.
mac-address-table aging-time	Sets the length of time that a dynamic entry remains in the MAC address table after the entry is used or updated.
mac-address-table dynamic	Adds dynamic addresses to the MAC address table.
mac-address-table secure	Adds secure addresses to the MAC address table.
show mac-address-table	Displays the MAC address table.

Syntax Description

This command has no arguments or keywords.

Defaults

No default is defined.

Command Modes

Interface configuration

Command History

Release	Modification
12.0(5)XP	This command was first introduced.

Usage Guidelines

No default management or no management command exists to return the management VLAN to its default state.

The management command is not written to the configuration file, and it is not displayed in the output of the show running-config command.

Before entering the management command, make sure the following conditions exist:

• You must be able to move your network management station to a switch port assigned to the same VLAN as the new management VLAN. (Depending on your network topology, you might not need to move your network management station: for example, you have ISL routing configured on a router between two VLANs.)

• Connectivity through the network must exist from the network management station to all switches involved in the management VLAN change.

• The switch must already have a port assigned to the same VLAN as the management VLAN.

Use the management command to change the management VLAN on a single switch.

Examples

The following example shows how to shut down the current management VLAN interface and start VLAN 2 as the management VLAN:

Switch# configure terminal

Switch(config)# interface vlan 2

Switch(config-subif)# ip address 172.20.128.176 255.255.255.0

Switch(config-subif)# management

Switch(config-subif)# exit

Switch(config)#
 

The following example shows how to copy the IP address and network mask from the current management VLAN to VLAN 2 and make VLAN 2 the management VLAN:

Switch# configure terminal

Switch(config)# interface vlan 2

Switch(config-subif)# management

Switch(config-subif)# exit

Switch(config)#
 

You can verify the previous command by entering the show interface vlan number command in privileged EXEC mode.

Related Commands

Command	Description
interface vlan	Configures an interface type, creates a switch virtual interface to be used as the management VLAN interface, and enters interface configuration mode.
show interface vlan number	Displays the administrative and operational status of a switching (nonrouting) port.

Syntax Description

query-only	Enable only NTP control queries. See RFC 1305 (NTP version 3).
serve-only	Enable only time requests.
serve	Enable time requests and NTP control queries, but does not enable the system to synchronize to the remote system.
peer	Enable time requests and NTP control queries; enable the system to synchronize to the remote system.
access-list-number	Number (1 to 99) of a standard IP access list.

Defaults

NTP is disabled.

Command Modes

Global configuration

Command History

Release	Modification
11.2(8)SA6	This command was first introduced.

Usage Guidelines

The access group options are scanned in the following order from least restrictive to most restrictive:

1. peer

2. serve

3. serve-only

4. query-only

Access is granted for the first match that is found. If no access groups are specified, all access is granted to all sources. If any access groups are specified, only the specified access is granted. This facility provides minimal security for the time services of the system. If tighter security is desired, use the NTP authentication facility.

Examples

The following example shows how to configure the system to be synchronized by a peer from access list 99.

However, the system restricts access to allow only time requests from access list 42:

Switch(config)# ntp access-group peer 99

Switch(config)# ntp access-group serve-only 42

 

You can verify the previous commands by entering the show running-config command in privileged EXEC mode.

Related Commands

Command	Description
access-list	Differentiates one packet from another so that different treatment can be applied.
show running-config	Displays the running configuration on the switch.

Syntax Description

This command has no keywords or arguments.

Defaults

NTP authentication is disabled.

Command Modes

Global configuration

Command History

Release	Modification
11.2(8)SA6	This command was first introduced.

Usage Guidelines

Use this command if you want authentication. If this command is specified, the system will not synchronize to a system unless it carries one of the authentication keys specified in the ntp trusted-key command.

Examples

The following example shows how to enable NTP authentication:

Switch(config)# ntp authenticate

 

You can verify the previous command by entering the show running-config command in privileged EXEC mode.

Related Commands

Command	Description
ntp authentication-key	Defines an authentication key for NTP.
ntp trusted-key	Authenticates the identity of a system to which NTP will synchronize.
show running-config	Displays the running configuration on the switch.

Syntax Description

number	Key number (1 to 4294967295).
md5	Use MD5 authentication.
value	Key value (an arbitrary string of up to eight characters, with the exception of control or escape characters).

Defaults

No authentication key is defined.

Command Modes

Global configuration

Command History

Release	Modification
11.2(8)SA6	This command was first introduced.

Usage Guidelines

Use this command to define authentication keys for use with other NTP commands for greater security.

Examples

The following example shows how to set authentication key 10 to aNiceKey:

Switch(config)# ntp authentication-key 10 md5 aNiceKey

 

You can verify the previous command by entering the show running-config command in privileged EXEC mode.

Note   When this command is written to nonvolatile RAM (NVRAM), the key is encrypted so that it is not displayed when the configuration is viewed.

Related Commands

Command	Description
ntp authentication	Enables NTP authentication.
ntp peer	Configures the switch system clock to synchronize a peer or to be synchronized by a peer.
ntp server	Allows the switch system clock to be synchronized by a time server.
ntp trusted-key	Authenticates the identity of a system to which NTP will synchronize.
show running-config	Displays the running configuration on the switch.

Syntax Description

This command has no arguments or keywords.

Defaults

Broadcast client mode is disabled.

Command Modes

Interface configuration

Command History

Release	Modification
11.2(8)SA6	This command was first introduced.

Usage Guidelines

Use this command to allow the system to listen to broadcast packets on an interface-by-interface basis. You must configure this command on the management VLAN interface. By default, the management VLAN is VLAN 1, but you can configure a different VLAN as the management VLAN.

Examples

The following example shows how to synchronize the router to NTP packets that are broadcast on interface VLAN1:

Switch(config-if)# interface vlan1

Switch(config-if)# ntp broadcast client

 

You can verify the previous commands by entering the show running-config command in privileged EXEC mode.

Related Commands

Command	Description
ntp broadcastdelay	Sets the estimated round-trip delay between the IOS software and an NTP broadcast server.
show running-config	Displays the running configuration on the switch.

Syntax Description

number

The NTP authentication key that is embedded in the NTP packet. The range is from 0 to 4294967295.

Defaults

No NTP broadcast key is defined.

Command Modes

Interface configuration

Command History

Release	Modification
11.2(8)SA6	This command was first introduced.

Usage Guidelines

You must configure this command on the management VLAN interface. By default, the management VLAN is VLAN 1, but you can configure a different VLAN as the management VLAN.

Related Commands

Command	Description
ntp broadcast client	Allows the system to receive NTP broadcast packets on an interface.
ntp broadcastdelay	Sets the estimated round-trip delay between the IOS software and an NTP broadcast server.

Syntax Description

number

Number from 1 to 3.

Defaults

Version 3 is the default.

Command Modes

Interface configuration

Command History

Release	Modification
11.2(8)SA6	This command was first introduced.

Usage Guidelines

If you are using version 2 and the NTP synchronization does not occur, use NTP version 2.

You must configure this command on the management VLAN interface. By default, the management VLAN is VLAN 1, but you can configure a different VLAN as the management VLAN.

Examples

The following example shows how to configure interface VLAN 1 to send NTP version 2 packets:

Switch(config-if)# interface vlan1

Switch(config-if)# ntp broadcast version 2

 

You can verify the previous commands by entering the show running-config command in privileged EXEC mode.

Related Commands

Command	Description
ntp broadcast client	Allows the system to receive NTP broadcast packets on an interface.
ntp broadcastdelay	Sets the estimated round-trip delay between the IOS software and an NTP broadcast server.
show running-config	Displays the running configuration on the switch.

As the NTP compensates for the error in the system clock, it keeps track of the correction factor for this error. The system automatically saves this value into the system configuration using the ntp clock-period global configuration command. The system uses the no form of this command to revert to the default.

Syntax Description

value

Amount to add to the system clock for each clock hardware tick (in units of 2 to 32 seconds).

Command Modes

Global configuration

Command History

Release	Modification
11.2(8)SA6	This command was first introduced.

Usage Guidelines

If a write memory command is entered to save the configuration to nonvolatile RAM (NVRAM), this command is automatically added to the configuration. It is a good idea to perform this task after NTP has been running for a week or so; NTP synchronizes more quickly if the system is restarted.

Syntax Description

number

(Optional) Specify the number of NTP associations. The range is from 0 to 4294967295.

Command Modes

Global configuration

Command History

Release	Modification
11.2(8)SA6	This command was first introduced.

Usage Guidelines

This command provides a simple method to control the number of peers that can use the switch to synchronize to it through NTP.

After you enable a switch as an NTP server, use this command to set the maximum number of associations that are allowed on a server.

Examples

The following example shows how to set the maximum number of NTP associations to 44:

Switch(config)# ntp max-associations 44

 

You can verify the previous command by entering the show running-config command in privileged EXEC mode.

Related Commands

Command	Description
show running-config	Displays the running configuration on the switch.

Syntax Description

ip-address	IP address of the peer providing, or being provided, the clock synchronization.
version number	(Optional) Define the Network Time Protocol (NTP) version number as version 1, 2, or 3.
key keyid	(Optional) Define the authentication key, which is used when sending packets to this peer. The range is from 0 to 4294967295.
source interface	(Optional) Authentication key to use when sending packets to this peer. Also includes the name of the interface from which to pick the IP source address.
prefer	(Optional) Make this peer the preferred peer that provides synchronization.

Defaults

No IP address is defined.

NTP version 3 is the default.

No NTP authentication key is defined.

No source interface is defined.

Command Modes

Global configuration

Command History

Release	Modification
11.2(8)SA6	This command was first introduced.

Usage Guidelines

Using the prefer keyword reduces switching between peers.

If you are using the default NTP version of 3 and NTP synchronization does not occur, try using NTP version 2. Many NTP servers on the Internet run version 2.

Examples

The following example shows how to configure the router to allow its system clock to be synchronized with the clock of the peer (or vice versa) at IP address 131.108.22.33 using NTP version 2. The source IP address will be the address of Ethernet 0.

Switch(config)# ntp peer 131.108.22.33 version 2 source Ethernet 0

 

You can verify the previous command by entering the show running-config command in privileged EXEC mode.

Related Commands

Command	Description
ntp authentication-key	Defines an authentication key for NTP.
ntp server	Allows the switch system clock to be synchronized by a time server.
ntp source	Uses a particular source address in NTP packets.
show running-config	Displays the running configuration on the switch.

Syntax Description

ip-address	IP address of the time server providing the clock synchronization.
version number	(Optional) Define the Network Time Protocol (NTP) version number (1 to 3).
key keyid	(Optional) Define the authentication key. Authentication key to use when sending packets to this peer. The range is from 0 to 4294967295.
source interface	(Optional) Identify the interface from which to pick the IP source address.
prefer	(Optional) Make this server the preferred server that provides synchronization.

Defaults

No IP address is defined.

NTP version 3 is the default.

No NTP authentication key is defined.

No source interface is defined.

Command Modes

Global configuration

Command History

Release	Modification
11.2(8)SA6	This command was first introduced.

Usage Guidelines

Use this command if you want to allow this machine to synchronize with the specified server. The server will not synchronize to this machine.

Using the prefer keyword reduces switching between servers.

If you are using the default NTP version of 3 and NTP synchronization does not occur, try using NTP version 2. Many NTP servers on the Internet run version 2.

Examples

The following example shows how to configure the router to allow its system clock to be synchronized with the clock of the peer at IP address 128.108.22.44 using NTP version 2:

Switch(config)# ntp server 128.108.22.44 version 2

 

You can verify the previous command by entering the show running-config command in privileged EXEC mode.

Related Commands

Command	Description
ntp authentication-key	Defines an authentication key for NTP.
ntp server	Allows the switch system clock to be synchronized by a time server.
ntp source	Uses a particular source address in NTP packets.
show running-config	Displays the running configuration on the switch.

Syntax Description

interface

Any valid system interface name.

Defaults

No source address is defined.

Command Modes

Global configuration

Command History

Release	Modification
11.2(8)SA6	This command was first introduced.

Usage Guidelines

Use this command when you want to use a particular source IP address for all NTP packets. The address is taken from the specified interface. This command is useful if the address on an interface cannot be used as the destination for reply packets. If the source keyword is present on an ntp server or ntp peer command, that value overrides the global value.

Examples

The following example shows how to configure the router to use the IP address of VLAN1 as the source address of all outgoing NTP packets:

Switch(config)# ntp source vlan1

You can verify the previous command by entering the show running-config command in privileged EXEC mode.

Related Commands

Command	Description
ntp peer	Configures the switch system clock to synchronize a peer or to be synchronized by a peer.
ntp server	Allows the switch system clock to be synchronized by a time server.
show running-config	Displays the running configuration on the switch.

Syntax Description

key-number

Authentication key to be used for time authentication. The range is from 1 to 4294967295.

Defaults

No key number is defined.

Command Modes

Global configuration

Command History

Release	Modification
11.2(8)SA6	This command was first introduced.

Usage Guidelines

If authentication is enabled, use this command to define one or more key numbers that a peer NTP system must provide in its NTP packets in order for this system to synchronize to it. The key numbers must correspond with the keys defined by the ntp authentication-key command. Because the other system must know the correct authentication key, this provides protection against accidentally synchronizing the system with another system that is incompatible.

Examples

The following example shows how to configure the system to synchronize only to systems providing authentication key 42 in its NTP packets:

Switch(config)# ntp authenticate

Switch(config)# ntp authentication-key 42 md5 aNiceKey

Switch(config)# ntp trusted-key 42

You can verify the previous commands by entering the show running-config command in privileged EXEC mode.

Related Commands

Command	Description
ntp authenticate	Enables NTP authentication.
ntp authentication-key	Defines an authentication key for NTP.
show running-config	Displays the running configuration on the switch.

Syntax Description c

unicast	Packets with unknown unicast addresses are not forwarded to this port
multicast	Packets with unknown multicast addresses are not forwarded to this port.

Defaults

Flood unknown unicast and multicast packets to all ports.

Command Modes

Interface configuration

Command History

Release	Modification
11.2(8)SA	This command was first introduced.

Usage Guidelines

The port block command cannot be entered for a network port.

If a trunk port is not a network port, the unicast keyword applies. The multicast keyword is supported on trunk ports. Both port block features affect all the VLANs associated with the trunk port.

Examples

The following example shows how to block the forwarding of multicast and unicast packets to a port:

Switch(config-if)# port block unicast

Switch(config-if)# port block multicast

 

You can verify the previous commands by entering the show port block command in privileged EXEC mode.

Related Commands

Command	Description
show port block	Displays the blocking of unicast or multicast flooding to a port.

Caution Cisco strongly recommends that you do not configure the internal SSP ports (Fast Ethernet 0/3 to 0/8) through the CLI. The SSP internal ports are configured by the Cisco ICS 7750 cards attached to them. Any configuration changes made to the internal ports are not saved and are deleted when the Cisco ICS 7750 reboots.

Syntax Description

group-number	Port group number to which the port belongs. The range is from 1 to 12.
distribution {source | destination}	(Optional) Forwarding method for the port group. source—Set the port to forward traffic to a port group based on the packet source address. This is the default forwarding method destination—Set the port to forward traffic to a port group based on the packet destination address.

Defaults

Port does not belong to a port group.

The default forwarding method is source.

Command Modes

Interface configuration

Command History

Release	Modification
11.2(8)SA3	This command was first introduced.

Usage Guidelines

The following restrictions apply to these ports:

• No port group member can be configured for Switched Port Analyzer (SPAN) port monitoring.

• No port group member can be enabled for port security.

• You can create up to 12 port groups of all source-based, all destination-based, or a combination of source-based and destination-based port groups. A source-based port group can have up to eight ports in its group. A destination-based port group can contain an unlimited number of ports in its group. You cannot mix source-based and destination-based ports in the same group.

• Port group members must belong to the same set of VLANs and must be all static-access, all multi-VLAN, or all trunk ports.

• Dynamic-access ports cannot be grouped with any other port, not even with other dynamic-access ports.

When a group is first formed, the switch automatically sets the following parameters to be the same on all ports:

• VLAN membership of ports in the group

• VLAN mode (static, multi, trunk) of ports in the group

• Encapsulation method of the trunk

• Native VLAN configuration if the trunk uses IEEE 802.1Q

• Allowed VLAN list configuration of the trunk port

• Spanning Tree Protocol (STP) Port Fast option

• STP port priority

• STP path cost

• Network port configuration for source-based port group

• Protected port

Configuration of the first port added to the group is used when setting the above parameters for other ports in the group. After a group is formed, changing any parameter in the above list changes the parameter on all other ports.

Use the distribution keyword to customize the port group to your particular environment. The forwarding method you choose depends on how your network is configured. However, source-based forwarding works best for most network configurations.

Examples

The following example shows how to add a port to a port group using the default source-based forwarding:

Switch(config-if)# port group 1

 

The following example shows how to add a port to a group using destination-based forwarding:

Switch(config-if)# port group 2 distribution destination

 

You can verify the previous commands by entering the show port group command in privileged EXEC mode.

Related Commands

Command	Description
show port group	Displays the ports that belong to a port group.

Caution Cisco strongly recommends that you do not configure the internal SSP ports (Fast Ethernet 0/3 to 0/8) through the CLI. The SSP internal ports are configured by the Cisco ICS 7750 cards attached to them. Any configuration changes made to the internal ports are not saved and are deleted when the Cisco ICS 7750 reboots.

Syntax Description

interface	(Optional) SSP port number for the SPAN to be enabled. The interface specified is the port to be monitored.
vlan vlan-id	(Optional) ID of the VLAN to be monitored. Valid IDs are from 1 to 1000; do not enter leading zeroes. A monitor port must be a member of the same VLAN as the port monitored.

Defaults

Port does not monitor any other ports.

Command Modes

Interface configuration

Command History

Release	Modification
11.2(8)SA	This command was first introduced.
11.2(8)SA3	The vlan keyword was added.

Usage Guidelines

Enabling port monitoring without specifying a port causes all other ports in the same VLAN to be monitored.

Entering the port monitor vlan 1 command causes monitoring of all traffic to and from the IP address configured on VLAN 1.

The following restrictions apply for ports that have port-monitoring capability:

• A monitor port cannot be in a Fast EtherChannel port group.

• A monitor port cannot be enabled for port security.

• A monitor port cannot be a multi-VLAN port.

• A monitor port must be a member of the same VLAN as the port monitored. VLAN membership changes are not allowed on monitor ports and ports being monitored.

• A monitor port cannot be a dynamic-access port or a trunk port. However, a static-access port can monitor a VLAN on a trunk, a multi-VLAN, or a dynamic-access port. The VLAN monitored is the one associated with the static-access port.

• Port monitoring does not work if both the monitor and monitored ports are protected ports.

Examples

The following example shows how to enable port monitoring on port fa0/2:

Switch(config-if)# port monitor fa0/2

 

You can verify the previous command by entering the show port monitor command in privileged EXEC mode.

Related Commands

Command	Description
show port monitor	Displays the ports for which SPAN port monitoring is enabled.

Caution Cisco strongly recommends that you do not configure the internal SSP ports (Fast Ethernet 0/3 to 0/8) through the CLI. The SSP internal ports are configured by the Cisco ICS 7750 cards attached to them. Any configuration changes made to the internal ports are not saved and are deleted when the Cisco ICS 7750 reboots.

Syntax Description

This command has no arguments or keywords.

Defaults

No network port is defined.

Command Modes

Interface configuration

Command History

Release	Modification
11.2(8)SA4	This command was first introduced.

Usage Guidelines

The following restrictions apply to network ports:

• A network port can be a static-access port, a multi-VLAN port, a port group, or a trunk port. Both the multi-VLAN port and the trunk port become the network port for all the VLANs associated with that port.

• A network port cannot be a secure, a monitor, a protected, or a dynamic-access port. You can assign a dynamic-access port to a VLAN in which another port is the network port.

• Each VLAN can have one network port.

• A network port cannot be in a destination-based port group.

• A network port cannot be a protected port.

Examples

The following example shows how to set a port as a network port:

Switch(config-if)# port network

 

You can verify the previous command by entering the show port network command in privileged EXEC mode.

Related Commands

Command	Description
show port network	Displays the network port defined for the switch or VLAN.

Caution Cisco strongly recommends that you do not configure the internal SSP ports (Fast Ethernet 0/3 to 0/8) through the CLI. The SSP internal ports are configured by the Cisco ICS 7750 cards attached to them. Any configuration changes made to the internal ports are not saved and are deleted when the Cisco ICS 7750 reboots.

Syntax Description

This command has no keywords or arguments.

Defaults

No protected port is defined.

A protected port does not forward any unicast, multicast, or broadcast traffic to any other protected port.

A protected port continues to forward unicast, multicast, and broadcast traffic to unprotected ports and vice versa.

Command Modes

Interface configuration

Command History

Release	Modification
12.0(5)XU	This command was first introduced.

Usage Guidelines

The port protection feature is local to the switch; communication between protected ports on the same switch is possible only through a Layer 3 device. To prevent communication between protected ports on different switches, you must configure the protected ports for unique VLANs on each switch and configure a trunk link between the switches.

A protected port cannot be a network port.

Port monitoring does not work if both the monitor and monitored ports are protected ports.

A protected port is different from a secure port.

Examples

The following example shows how to enable a protected port on interface fa0/2:

Switch(config)# interface fa0/2

Switch(config-if)# port protected

 

You can verify the previous command by entering the show port protected command in privileged EXEC mode.

Related Commands

Command	Description
show port protected	Displays the ports that are in port-protected mode.

Caution Cisco strongly recommends that you do not configure the internal SSP ports (Fast Ethernet 0/3 to 0/8) through the CLI. The SSP internal ports are configured by the Cisco ICS 7750 cards attached to them. Any configuration changes made to the internal ports are not saved and are deleted when the Cisco ICS 7750 reboots.

Syntax Description

action {shutdown | trap}	(Optional) Action to take when an address violation occurs on this port. shutdown—Disable the port when a security violation occurs. trap—Generate a Simple Management Network Protocol (SNMP) trap when a security violation occurs.
max-mac-count addresses	(Optional) The maximum number of secure addresses that this port can support. The range is from 1 to 132.

Defaults

Port security is disabled.

When enabled, the default action is to generate an SNMP trap.

Command Modes

Interface configuration

Command History

Release	Modification
11.2(8)SA	This command was first introduced.

Usage Guidelines

If you specify trap, use the snmp-server host command to configure the SNMP trap host to receive traps.

The following restrictions apply to secure ports:

• A secure port cannot belong to a Fast EtherChannel port group.

• A secure port cannot have Switched Port Analyzer (SPAN) port monitoring enabled on it.

• A secure port cannot be a multi-VLAN port.

• A secure port cannot be a network port.

• A secure port cannot be a dynamic-access port or a trunk port.

Examples

The following example shows how to enable port security and what action the port takes in case of an address violation (shutdown).

Switch(config-if)# port security action shutdown

 

The following example shows how to set the maximum number of addresses that the port can learn to 8.

Switch(config-if)# port security max-mac-count 8

 

You can verify the previous commands by entering the show port security command in privileged EXEC mode.

Related Commands

Command	Description
show port security	Displays the port security settings defined for the port.

Caution Cisco strongly recommends that you do not configure the internal SSP ports (Fast Ethernet 0/3 to 0/8) through the CLI. The SSP internal ports are configured by the Cisco ICS 7750 cards attached to them. Any configuration changes made to the internal ports are not saved and are deleted when the Cisco ICS 7750 reboots.

Syntax Description

{broadcast | multicast | unicast}	Determine the type of packet-storm suppression. broadcast—Enable broadcast storm control on the port. multicast—Enable multicast storm control on the port. unicast—Enable unicast storm control on the port.
{action {filter | shutdown}	(Optional) Determines the type of action to perform. filter—Filter traffic during a storm. shutdown—Disable the port during a storm.
threshold {rising rising-number falling falling-number}	Defines the rising and falling thresholds rising rising-number—Block the flooding of storm packets when the value specified for rising-number is reached. The rising-number is 0 to 4294967295 packets per second. falling falling-number—Restart the normal transmission of broadcast packets when the value specified for falling-number is reached. The falling-number is 0 to 4294967295 packets per second.
trap	(Optional) Generate an Simple Management Network Protocol (SNMP) trap when the traffic on the port crosses the rising or falling threshold. Traps are generated only for broadcast traffic and not for unicast or multicast traffic.

Defaults

Broadcast, multicast, and unicast storm control are disabled.

The rising thresholds are 500 broadcast packets per second, 2500 multicast packets per second, and 5000 unicast packets per second.

The falling thresholds are 250 broadcast packets per second, 1200 multicast packets per second, and 2500 unicast packets per second.

Command Modes

Interface configuration

Command History

Release	Modification
11.2(8)SA	This command was first introduced.
12.0(5)XU	The multicast, unicast, action, and shutdown keywords were added.

Usage Guidelines

Do not set the rising and falling thresholds to the same value. The rising threshold must be higher than the falling threshold.

Examples

The following example shows how to enable broadcast storm control on a port. In this example, transmission is inhibited when the number of broadcast packets arriving on the port reaches 1000 and is restarted when the number drops to 200.

Switch(config-if)# port storm-control broadcast threshold rising 1000 falling 200

 

You can verify the previous command by entering the show port storm-control command in privileged EXEC mode.

Related Commands

Command	Description
show port storm-control	Displays the packet-storm control information.

Syntax Description

This command has no arguments or keywords.

Defaults

No default is defined.

Command Modes

VLAN database

Command History

Release	Modification
11.2(8)SA4	This command was first introduced.

Examples

The following example shows how to abandon the proposed VLAN database and reset to the current VLAN database:

Switch(vlan)# reset

Switch(vlan)#
 

You can verify the previous command by entering the show changes and show proposed commands in VLAN database mode.

Related Commands

Command	Description
abort	Abandons the proposed new VLAN database, exits VLAN database mode, and returns to privileged EXEC mode.
apply	Implements the proposed new VLAN database, increments the database configuration revision number, propagates it throughout the administrative domain, and remains in VLAN database mode.
exit	Implements the proposed new VLAN database, increments the database configuration number, propagates it throughout the administrative domain, and returns to privileged EXEC mode.
show changes	Displays the differences between the VLAN database currently on the switch and the proposed VLAN database.
show proposed	Displays the proposed VLAN database or a selected VLAN from it.
shutdown vlan	Shuts down (suspends) local traffic on the specified VLAN.
vlan database	Enters VLAN database mode from the command-line interface (CLI).

Syntax Description

state	(Optional) Display whether CGMP is enabled or not, whether Fast Leave is enabled or not, and the router port timeout value.
holdtime	(Optional) Display the router port timeout value in seconds.
vlan vlan-id	(Optional) Limit the display to the specified VLAN. Valid IDs are from 1 to 1001; do not enter leading zeroes.
group address	(Optional) Display all known multicast groups and the destination ports. Limited to given VLAN if vlan keyword is entered; limited to a specific group if the address variable is entered. The address is the MAC address of the group.
router address	(Optional) Display all routers, their ports, and expiration times. Limited to given VLAN if the vlan keyword entered; limited to a specific router if the address variable is entered. The address is the MAC address of the router.

Command Modes

Privileged EXEC

Command History

Release	Modification
11.2(8)SA3	This command was first introduced.

Usage Guidelines

This command displays CGMP information about known routers and groups, as well as whether CGMP is enabled, whether Fast Leave is enabled, and the current value of the router timeout. If show cgmp is entered with no arguments, all information is displayed.

Examples

The following is sample output from the show cgmp command.

Switch# show cgmp

 
CGMP is running.
CGMP Fast Leave is not running.
CGMP Allow reserved address to join GDA.
Default router timeout is 300 sec.
 
 
vLAN     IGMP MAC Address   Interfaces
------  -----------------   -----------
    1    0100.5e01.0203      Fa0/8
    1    0100.5e00.0128      Fa0/8
 
 
vLAN     IGMP Router        Expire   Interface
------  -----------------  --------  ----------
    1    0060.5cf3.d1b3     197 sec   Fa0/8 

Related Commands

Command	Description
cgmp	Enables CGMP. Also enables and disables the Fast Leave parameter and sets the router port aging time.
clear cgmp	Deletes information that was learned by the switch using CGMP.

Syntax Description

vlan-id

(Optional) ID of the VLAN in the current or proposed database. If this variable is omitted, all the differences between the two VLAN databases are displayed, including the pruning state and Version 2 mode. Valid IDs are from 1 to 1005; do not enter leading zeroes.

Command Modes

VLAN database

Command History

Release	Modification
11.2(8)SA4	This command was first introduced.

Examples

The following is sample output from the show changes command. It displays the differences between the current and proposed databases.

Switch(vlan)# show changes

 
DELETED:
  VLAN ISL Id: 4
    Name: VLAN0004
    Media Type: Ethernet
    VLAN 802.10 Id: 100004
    State: Operational
    MTU: 1500
 
DELETED:
  VLAN ISL Id: 6
    Name: VLAN0006
    Media Type: Ethernet
    VLAN 802.10 Id: 100006
    State: Operational
    MTU: 1500
 
MODIFIED:
  VLAN ISL Id: 7
    Current State: Operational
    Modified State: Suspended 
 

The following is sample output from the show changes 7 command. It displays the differences between VLAN 7 in the current database and the proposed database.

Switch(vlan)# show changes 7

 
MODIFIED:
  VLAN ISL Id: 7
    Current State: Operational
    Modified State: Suspended 

Related Commands

Command	Description
show current	Displays the current VLAN database on the switch or a selected VLAN from it.
show proposed	Displays the proposed VLAN database or a selected VLAN from it.

Syntax Description

vlan-id

(Optional) ID of the VLAN in the current database. If this variable is omitted, the entire VLAN database displays, included the pruning state and Version 2 mode. Valid IDs are from 1 to 1005; do not enter leading zeroes.

Command Modes

VLAN database

Command History

Release	Modification
11.2(8)SA4	This command was first introduced.

Examples

The following is sample output from the show current command. It displays the current VLAN database.

Switch(vlan)# show current

 
VLAN ISL Id: 1
    Name: default
    Media Type: Ethernet
    VLAN 802.10 Id: 100001
    State: Operational
    MTU: 1500
    Translational Bridged VLAN: 1002
    Translational Bridged VLAN: 1003
 
  VLAN ISL Id: 2
    Name: VLAN0002
    Media Type: Ethernet
    VLAN 802.10 Id: 100002
    State: Operational
    MTU: 1500
 
  VLAN ISL Id: 3
    Name: VLAN0003
    Media Type: Ethernet
    VLAN 802.10 Id: 100003
    State: Operational
    MTU: 4000 
 
VLAN ISL Id: 4
    Name: VLAN0004
    Media Type: Ethernet
    VLAN 802.10 Id: 100004
    State: Operational
    MTU: 1500
 
  VLAN ISL Id: 5
    Name: VLAN0005
    Media Type: Ethernet
    VLAN 802.10 Id: 100005
    State: Operational
    MTU: 1500
 
  VLAN ISL Id: 6
    Name: VLAN0006
    Media Type: Ethernet
    VLAN 802.10 Id: 100006
    State: Operational
    MTU: 1500 
 

The following is sample output from the show current 2 command. It displays only VLAN 2 of the current database.

Switch(vlan)# show current 2

 
VLAN ISL Id: 2
    Name: VLAN0002
    Media Type: Ethernet
    VLAN 802.10 Id: 100002
    State: Operational
    MTU: 1500
 

Related Commands

Command	Description
show changes	Displays the differences between the VLAN database currently on the switch and the proposed VLAN database.
show proposed	Displays the proposed VLAN database or a selected VLAN from it.

Syntax Description

The command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release	Modification
11.2(8)SA5	This command was first introduced.

Examples

The following is sample output from the show file systems command:

Switch# show file systems

File Systems:
 
     Size(b)     Free(b)      Type  Flags  Prefixes
*    3612672     1234432     flash     rw   flash:
     3612672     1234432   unknown     rw   zflash:
           -           -    opaque     ro   bs:
       32768       30917     nvram     rw   nvram:
           -           -   network     rw   tftp:
           -           -    opaque     rw   null:
           -           -    opaque     rw   system:
           -           -   network     rw   rcp:
 

Caution Cisco strongly recommends that you do not configure the internal SSP ports (Fast Ethernet 0/3 to 0/8) through the CLI. The SSP internal ports are configured by the Cisco ICS 7750 cards attached to them. Any configuration changes made to the internal ports are not saved and are deleted when the Cisco ICS 7750 reboots.

Syntax Description

interface-id	ID of the port number.
vlan number	VLAN number of the management VLAN. Valid IDs are from 1 to 1000. Do not enter leading zeroes.
flow-control	Displays flowcontrol information for the specified port.
pruning	(Optional) Display pruning information for the trunk port.
switchport	(Optional) Display the administrative and operational status of a switching (nonrouting) port. allowed-vlan—Display the VLAN IDs that receive and transmit all types of traffic on the trunk port. By default, all VLAN IDs are included. prune-elig—Display the VLAN ID whose flood traffic can be pruned. By default, all VLANs, except VLAN 1 and 1002 through 1005, are pruning-eligible on the trunk. native-vlan—Display the native VLAN ID for untagged traffic when the port is in 802.1Q trunking mode.

Command Modes

Privileged EXEC

Command History

Release	Modification
11.2(8)SA4	This command was first introduced.
11.2(8)SA5	The native-vlan keyword was added.
12.0(5)XP	The vlan number keyword was added.
12.0(5)XU	The pruning keyword was added.

Examples

The following is sample output from the show interface fa0/1 flow-control command:

Switch# show interface fa0/1 flow-control

Any,Input only 
 

The display shows two values separated by a comma. The first value is the value you configured by using the flowcontrol command (or the default value if you did not configure it). The first value displayed can be one of the following settings:

• None—Flow control is not enabled.

• Asymmetric—Only the transmit or receive flow control is enabled.

• Symmetric—Both the transmit and receive flow control are enabled.

• Any—Any type of flow control is supported.

The second value in the display represents the flow control value that is autonegotiated with the link partner and can be one of the following settings:

• None—Flow control with the link partner did not occur.

• Output only—The interface can only transmit pause frames but not receive any.

• Input only—The interface can only receive pause frames but not transmit any.

• Output and Input—The interface can transmit and receive pause frames.

The following is sample output from the show interface fa0/2 pruning command when pruning is enabled in the VTP domain:

Switch# show interface fa0/2 pruning

Port    Vlans pruned for lack of request by neighbor
Fa0/2 3,4
 
Port    Vlans traffic requested of neighbor
Fa0/2 1-3

Related Commands

Command	Description
switchport access	Configures a port as a static-access or dynamic-access port.
switchport mode	Configures the VLAN membership mode of a port.
switchport multi	Configures a list of VLANs to which the port is associated.
switchport priority default	Provides a default port priority for the incoming untagged frames.
switchport trunk pruning	Configures the VLAN pruning-eligible list for ports in trunking mode.
switchport voice vlan	Configures the voice VLAN on the port.

Note   Option atm slot/port of this command is not supported on the SSP.

Caution Cisco strongly recommends that you do not configure the internal SSP ports (Fast Ethernet 0/3 to 0/8) through the CLI. The SSP internal ports are configured by the Cisco ICS 7750 cards attached to them. Any configuration changes made to the internal ports are not saved and are deleted when the Cisco ICS 7750 reboots.

Syntax Description

static	(Optional) Display only the static addresses.
dynamic	(Optional) Display only the dynamic addresses.
secure	(Optional) Display only the secure addresses.
self	(Optional) Display only addresses added by the switch itself.
aging-time	(Optional) Display aging-time for dynamic addresses for all VLANs.
count	(Optional) Display a count for different kinds of MAC addresses.
address hw-addr	(Optional) Display information for a specific address.
interface interface	(Optional) Display addresses for a specific port.
vlan vlan-id	(Optional) Display addresses for a specific VLAN. Valid IDs are from 1 to 1005; do not enter leading zeroes.

Command Modes

Privileged EXEC

Command History

Release	Modification
11.2(8)SA	This command was first introduced.
11.2(8)SA3	The self, aging-time, count, and vlan vlan-id keywords were added.
11.2(8)SA5	The atm slot/port keywords were added.

Usage Guidelines

This command displays the MAC address table for the switch. Specific views can be defined by using the optional keywords and values. If more than one optional keyword is used, then all of the conditions must be true in order for that entry to be displayed.

Examples

The following is sample output from the show mac-address-table command:

Switch# show mac-address-table

 
Dynamic Addresses Count:               9
Secure Addresses (User-defined) Count: 0
Static Addresses (User-defined) Count: 0
System Self Addresses Count:           41
Total MAC addresses:                   50
Non-static Address Table:
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
0010.0de0.e289       Dynamic          1  FastEthernet0/1
0010.7b00.1540       Dynamic          2  FastEthernet0/5
0010.7b00.1545       Dynamic          2  FastEthernet0/5
0060.5cf4.0076       Dynamic          1  FastEthernet0/1
0060.5cf4.0077       Dynamic          1  FastEthernet0/1
0060.5cf4.1315       Dynamic          1  FastEthernet0/1
0060.70cb.f301       Dynamic          1  FastEthernet0/1
00e0.1e42.9978       Dynamic          1  FastEthernet0/1
00e0.1e9f.3900       Dynamic          1  FastEthernet0/1 

Related Commands

Command	Description
clear mac-address-table	Deletes entries from the MAC address table.

Syntax Description

detail

(Optional) Show detailed information about each NTP association.