Cisco 550X Series Stackable Managed Switches Reference guide

CLI GUIDE
Cisco Sx550X Product line - Ph. 2.5.7 Command Line Interface Reference Guide, v1.0
Table of Contents
1. Introduction
2. 802.1X Commands
aaa authentication dot1x
authentication open
clear dot1x statistics
data
description
dot1x auth-not-req
dot1x authentication
dot1x credentials
dot1x eap-max-retrans
dot1x guest-vlan
dot1x guest-vlan enable
dot1x guest-vlan timeout
dot1x host-mode
dot1x mac-auth
dot1x mac-auth password
dot1x max-hosts
dot1x max-login-attempts
dot1x max-req
dot1x page customization
dot1x port-control
dot1x radius-attributes vlan
dot1x re-authenticate
dot1x reauthentication
dot1x supplicant
dot1x supplicant traps authentication failure
dot1x supplicant traps authentication success
dot1x system-auth-control
dot1x timeout eap-timeout
dot1x timeout quiet-period
dot1x timeout reauth-period
dot1x timeout server-timeout
dot1x timeout silence-period
dot1x timeout supp-timeout
dot1x timeout supplicant-held-period
dot1x timeout tx-period
dot1x traps authentication failure
dot1x traps authentication quiet
dot1x traps authentication success
dot1x unlock client
dot1x violation-mode
password
show dot1x
show dot1x credentials
show dot1x locked clients
show dot1x statistics
show dot1x users
username (dot1x credentials)
3. ACL Commands
ip access-list (IP extended)
permit ( IP )
deny ( IP )
ipv6 access-list (IPv6 extended)
permit ( IPv6 )
deny ( IPv6 )
mac access-list
permit ( MAC )
deny (MAC)
service-acl input
service-acl output
time-range
absolute
periodic
show time-range
show access-lists
show interfaces access-lists
clear access-lists counters
show interfaces access-lists trapped packets
ip access-list (IP standard)
ipv6 access-list (IP standard)
4. Address Table Commands
bridge multicast filtering
bridge multicast mode
bridge multicast address
bridge multicast forbidden address
bridge multicast ip-address
bridge multicast forbidden ip-address
bridge multicast source group
bridge multicast forbidden source group
bridge multicast ipv6 mode
bridge multicast ipv6 ip-address
bridge multicast ipv6 forbidden ip-address
bridge multicast ipv6 source group
bridge multicast ipv6 forbidden source group
bridge multicast unregistered
bridge multicast forward-all
bridge multicast forbidden forward-all
bridge unicast unknown
show bridge unicast unknown
mac address-table static
clear mac address-table
mac address-table aging-time
port security
port security mode
port security max
port security routed secure-address
show mac address-table
show mac address-table count
show bridge multicast mode
show bridge multicast address-table
show bridge multicast address-table static
show bridge multicast filtering
show bridge multicast unregistered
show ports security
show ports security addresses
bridge multicast reserved-address
show bridge multicast reserved-addresses
5. Authentication, Authorization and Accounting (AAA) Commands
aaa authentication login
aaa authentication enable
login authentication
enable authentication
ip http authentication
show authentication methods
password
enable password
service password-recovery
username
show users accounts
aaa accounting login start-stop
aaa accounting dot1x
show accounting
passwords complexity
passwords aging
show passwords configuration
6. Auto-Update and Auto-Configuration
boot host auto-config
boot host auto-update
show boot
ip dhcp tftp-server ip address
ip dhcp tftp-server file
ip dhcp tftp-server image file
show ip dhcp tftp-server
7. Bonjour Commands
bonjour enable
bonjour interface range
show bonjour
8. CA Certificate Commands
ca-certificate install
ca-certificate revoke
show ca-certificate
show ca-certificate revocation
9. CDP Commands
cdp advertise-v2
cdp appliance-tlv enable
cdp device-id format
cdp enable
cdp holdtime
cdp log mismatch duplex
cdp log mismatch native
cdp log mismatch voip
cdp mandatory-tlvs validation
cdp pdu
cdp run
cdp source-interface
cdp timer
clear cdp counters
clear cdp table
show cdp
show cdp entry
show cdp interface
show cdp neighbors
show cdp tlv
show cdp traffic
10. Clock Commands
absolute
clock dhcp timezone
clock set
clock source
clock summer-time
clock timezone
periodic
sntp anycast client enable
sntp authenticate
sntp authentication-key
sntp broadcast client enable
sntp client enable
sntp client enable (interface)
sntp server
sntp source-interface
sntp source-interface-ipv6
sntp trusted-key
sntp unicast client enable
sntp unicast client poll
show clock
show sntp configuration
show sntp status
show time-range
time-range
11. Denial of Service (DoS) Commands
security-suite deny fragmented
security-suite deny icmp
security-suite deny martian-addresses
security-suite deny syn
security-suite deny syn-fin
security-suite dos protect
security-suite dos syn-attack
security-suite enable
security-suite syn protection mode
security-suite syn protection recovery
security-suite syn protection threshold
show security-suite configuration
show security-suite syn protection
12
305
305
306
307
309
309
311
316
320
326
DHCP Server Commands................................................................................................ 330
address (DHCP Host) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
address (DHCP Network) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
auto-default-router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
bootfile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
clear ip dhcp binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
client-name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6
289
290
291
293
294
295
296
298
300
301
302
303
304
DHCP Relay Commands................................................................................................. 305
ip dhcp relay enable (Global) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip dhcp relay enable (Interface) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip dhcp relay address (Global) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip dhcp relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip dhcp information option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip dhcp information option numeric-token-format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip dhcp information option circuit-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip dhcp information option remote-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip dhcp information option tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip dhcp information option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
default-router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
dns-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
domain-name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip dhcp excluded-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip dhcp pool host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip dhcp pool network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip dhcp server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
lease . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
netbios-name-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
netbios-node-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
next-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
next-server-name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip dhcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip dhcp allocated . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip dhcp binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip dhcp declined . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip dhcp excluded-addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip dhcp expired . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip dhcp pool host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip dhcp pool network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip dhcp pre-allocated . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip dhcp server statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
time-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
14
DHCP Snooping Commands........................................................................................... 361
ip dhcp snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip dhcp snooping vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip dhcp snooping trust . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip dhcp snooping information option allowed-untrusted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip dhcp snooping verify . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip dhcp snooping database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip dhcp snooping binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
clear ip dhcp snooping database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip dhcp snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip dhcp snooping binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip source-guard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip source-guard binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip source-guard tcam retries-freq . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip source-guard tcam locate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip source-guard configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip source-guard status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip source-guard inactive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip source-guard statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip arp inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip arp inspection vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip arp inspection trust . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip arp inspection validate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip arp inspection list create . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip mac . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip arp inspection list assign . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip arp inspection logging interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip arp inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip arp inspection list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip arp inspection statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
clear ip arp inspection statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
15
DHCPv6 Commands ....................................................................................................... 387
clear ipv6 dhcp client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 address dhcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 dhcp client information refresh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 dhcp client information refresh minimum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 dhcp duid-en . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 dhcp relay destination (Global) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 dhcp relay destination (Interface) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ipv6 dhcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ipv6 dhcp interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Ethernet Configuration Commands................................................................................. 425
interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
interface range . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
shutdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
operation time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
speed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
duplex . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
negotiation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
flowcontrol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
EEE Commands .............................................................................................................. 416
eee enable (global) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
eee enable (interface) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
eee lldp enable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show eee . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
DNS Client Commands ................................................................................................... 406
clear host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip domain lookup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip domain name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip domain polling-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip domain retry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip domain timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip name-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
mdix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
back-pressure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
port jumbo-frame . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ports negotiation tuning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
link-flap prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
clear counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
set interface active . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
errdisable recovery cause . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
errdisable recovery interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
errdisable recovery reset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show interfaces configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show interfaces status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show interfaces advertise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show interfaces description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show interfaces counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ports jumbo-frame . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show link-flap prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show errdisable recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show errdisable interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
clear switchport monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show switchport monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
19
Green Ethernet................................................................................................................. 461
green-ethernet energy-detect (global) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
green-ethernet energy-detect (interface) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
green-ethernet short-reach (global) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
green-ethernet short-reach (interface) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
green-ethernet power-meter reset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show green-ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
20
File System Commands .................................................................................................. 467
File Specification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
System Flash Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Flash File System on Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
boot config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
boot localization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
boot system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
cd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
copy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
dir . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
mkdir . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
more . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
pwd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
reload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
rename . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
rmdir . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
service mirror-configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show bootvar / show version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show mirror-configuration service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show reload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show running-config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show startup-config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
write . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
21
Cisco Business Dashboard Probe Commands............................................................... 504
cbd probe enable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
cbd address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
cbd organization name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
cbd network name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
cbd key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
cbd connection enable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
cbd reset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
clear cbd probe database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show cbd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
IGMP Proxy Commands ................................................................................................. 534
ip igmp-proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip igmp-proxy downstream protected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip igmp-proxy downstream protected interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip igmp-proxy ssm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip igmp-proxy interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
IGMP Commands............................................................................................................ 522
clear ip igmp counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip igmp last-member-query-count . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip igmp last-member-query-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip igmp query-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip igmp query-max-response-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip igmp robustness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip igmp version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip igmp counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip igmp groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip igmp groups summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip igmp interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
GARP VLAN Registration Protocol (GVRP) Commands ............................................. 514
clear gvrp statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
gvrp enable (Global) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
gvrp enable (Interface) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
gvrp registration-forbid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
gvrp vlan-creation-forbid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show gvrp configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show gvrp error-statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show gvrp statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
25
IGMP Snooping Commands ........................................................................................... 541
ip igmp snooping (Global) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip igmp snooping vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip igmp snooping vlan mrouter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip igmp snooping vlan mrouter interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip igmp snooping vlan forbidden mrouter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip igmp snooping vlan static . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip igmp snooping vlan multicast-tv . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip igmp snooping map cpe vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip igmp snooping querier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip igmp snooping vlan querier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip igmp snooping vlan querier address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip igmp snooping vlan querier election . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip igmp snooping vlan querier version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip igmp snooping vlan immediate-leave . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip igmp snooping cpe vlans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip igmp snooping groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip igmp snooping interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip igmp snooping mrouter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip igmp snooping multicast-tv . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
26
IP Addressing Commands ............................................................................................... 558
ip address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip address dhcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
renew dhcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip default-gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
arp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
arp timeout (Global) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip arp proxy disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip proxy-arp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
clear arp-cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show arp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show arp configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
interface ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip helper-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip helper-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip dhcp client interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
27
IP Routing Protocol-Independent Commands ................................................................ 575
accept-lifetime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
directed-broadcast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip policy route-map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip redirects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
key-string . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
key (key chain) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
key chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
send-lifetime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip route summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show key chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
28
IP SLA Commands.......................................................................................................... 602
clear ip sla counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
delay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
frequency (IP SLA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
icmp-echo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip sla . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip sla schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
request-data-size (IP SLA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip sla operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
timeout (IP SLA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
track ip sla . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
29
IP System Management Commands ............................................................................... 619
ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ssh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
traceroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
30
IPv4 IPM Router Commands .......................................................................................... 631
ip multicast-routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip multicast ttl-threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip mroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
31
IPv6 Commands .............................................................................................................. 638
clear ipv6 neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 address anycast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 address autoconfig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 address eui-64 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 address link-local . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 default-gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 enable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 hop-limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 icmp error-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 link-local default zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 nd advertisement-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 nd dad attempts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 nd hop-limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 nd managed-config-flag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 nd ns-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 nd other-config-flag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 nd prefix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 nd ra interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 nd ra lifetime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 nd ra suppress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 nd reachable-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 nd router-preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 neighbor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 policy route-map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 redirects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 unicast-routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 unreachables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ipv6 interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ipv6 link-local default zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ipv6 nd prefix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ipv6 neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ipv6 route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ipv6 route summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ipv6 static . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
32
IPv6 First Hop Security................................................................................................... 695
address-config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
address-prefix-validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
clear ipv6 first hop security counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
clear ipv6 first hop security error counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
clear ipv6 neighbor binding prefix table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
clear ipv6 neighbor binding table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
device-role (IPv6 DHCP Guard) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
device-role (Neighbor Binding) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
device-role (ND Inspection Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
device-role (RA Guard Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
drop-unsecure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
hop-limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 dhcp guard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 dhcp guard attach-policy (port mode) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 dhcp guard attach-policy (VLAN mode) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 dhcp guard policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 dhcp guard preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 first hop security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 first hop security attach-policy (port mode) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 first hop security attach-policy (VLAN mode) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 first hop security logging packet drop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 first hop security policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 nd inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 nd inspection attach-policy (port mode) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 nd inspection attach-policy (VLAN mode) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 nd inspection drop-unsecure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 nd inspection policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 nd inspection sec-level minimum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 nd inspection validate source-mac . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 nd raguard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 nd raguard attach-policy (port mode) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 nd raguard attach-policy (VLAN mode) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 nd raguard hop-limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 nd raguard managed-config-flag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 nd raguard other-config-flag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 nd raguard policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 nd raguard router-preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 neighbor binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 neighbor binding address-config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 neighbor binding address-prefix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 neighbor binding address-prefix-validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 neighbor binding attach-policy (port mode) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 neighbor binding attach-policy (VLAN mode) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 neighbor binding lifetime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 neighbor binding logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 neighbor binding max-entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 neighbor binding policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 neighbor binding static . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 source guard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 source guard attach-policy (port mode) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 source guard policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
logging binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
logging packet drop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
managed-config-flag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
match ra address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
match ra prefixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
match reply . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
match server address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
max-entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
other-config-flag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
router-preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
sec-level minimum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ipv6 dhcp guard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ipv6 dhcp guard policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ipv6 first hop security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ipv6 first hop security active policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ipv6 first hop security attached policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ipv6 first hop security counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ipv6 first hop security error counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ipv6 first hop security policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ipv6 nd inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ipv6 nd inspection policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ipv6 nd raguard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ipv6 nd raguard policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ipv6 neighbor binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ipv6 neighbor binding policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ipv6 neighbor binding prefix table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ipv6 neighbor binding table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ipv6 source guard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ipv6 source guard policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
trusted-port (IPv6 Source Guard) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
validate source-mac . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
33
IPv6 IPM Router Commands .......................................................................................... 805
ipv6 multicast-routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 multicast hop-threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ipv6 mroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ipv6 multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
34
IPv6 Prefix List Commands ............................................................................................ 812
clear ipv6 prefix-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 812
ipv6 prefix-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 813
show ipv6 prefix-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 817
35
iSCSI QoS Commands .................................................................................................... 820
iscsi enable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
iscsi flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
iscsi qos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show iscsi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
36
IPv6 Tunnel Commands ................................................................................................. 826
interface tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
tunnel destination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
tunnel isatap solicitation-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
tunnel isatap robustness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
tunnel isatap router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
tunnel mode ipv6ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
tunnel source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ipv6 tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
37
Line Commands .............................................................................................................. 839
autobaud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
exec-timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
speed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
38
Link Aggregation Control Protocol (LACP) Commands ............................................... 844
lacp port-priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
lacp system-priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
lacp timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show lacp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show lacp port-channel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
39
Link Layer Discovery Protocol (LLDP) Commands ...................................................... 850
clear lldp statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
clear lldp table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
lldp chassis-id
lldp hold-multiplier
lldp lldpdu
lldp management-address
lldp med
lldp med notifications topology-change
lldp med fast-start repeat-count
lldp med location
lldp med network-policy (global)
lldp med network-policy (interface)
lldp med network-policy voice auto
lldp notifications
lldp notifications interval
lldp optional-tlv
lldp optional-tlv 802.1
lldp run
lldp receive
lldp reinit
lldp timer
lldp transmit
lldp tx-delay
show lldp configuration
show lldp local
show lldp local tlvs-overloading
show lldp med configuration
show lldp neighbors
show lldp statistics
40
Loopback Detection Commands
loopback-detection enable (Global)
loopback-detection enable (Interface)
loopback-detection interval
show loopback-detection
41
Macro Commands
macro name
macro
macro description
macro global
macro global description
show parser macro
42
Management ACL Commands
deny (Management)
permit (Management)
management access-list
management access-class
show management access-list
show management access-class
43
MLD Proxy Commands
ipv6 mld-proxy
ipv6 mld-proxy downstream protected
ipv6 mld-proxy downstream protected interface
ipv6 mld-proxy ssm
show ipv6 mld-proxy interface
45
MLD Commands
clear ipv6 mld counters
ipv6 mld last-member-query-count
ipv6 mld last-member-query-interval
ipv6 mld query-interval
ipv6 mld query-max-response-time
ipv6 mld robustness
ipv6 mld version
show ipv6 mld counters
show ipv6 mld groups
show ipv6 mld groups summary
show ipv6 mld interface
44
MLD Snooping Commands
ipv6 mld snooping (Global)
ipv6 mld snooping vlan
ipv6 mld snooping querier
ipv6 mld snooping vlan querier
ipv6 mld snooping vlan querier election
ipv6 mld snooping vlan querier version
ipv6 mld snooping vlan mrouter
ipv6 mld snooping vlan mrouter interface
ipv6 mld snooping vlan forbidden mrouter
ipv6 mld snooping vlan static
ipv6 mld snooping vlan immediate-leave
show ipv6 mld snooping groups
show ipv6 mld snooping interface
show ipv6 mld snooping mrouter
46
Network Management Protocol (SNMP) Commands
snmp-server community
snmp-server community-group
snmp-server server
snmp-server source-interface
snmp-server source-interface-ipv6
snmp-server view
snmp-server group
show snmp views
show snmp groups
snmp-server user
show snmp users
snmp-server filter
show snmp filters
snmp-server host
snmp-server engineID local
snmp-server engineID remote
show snmp engineID
snmp-server enable traps
snmp-server trap authentication
snmp-server contact
snmp-server location
snmp-server set
snmp trap link-status
show snmp
47
PHY Diagnostics Commands
test cable-diagnostics tdr
show cable-diagnostics tdr
show cable-diagnostics cable-length
show fiber-ports optical-transceiver
48
Power over Ethernet (PoE) Commands
power inline
power inline inrush test disable
power inline legacy support disable
power inline class-error-detection
PnP Agent Commands
pnp device
pnp discovery timeout
pnp enable
pnp reconnect interval
pnp resume
pnp transport
pnp watchdog timeout
show pnp
49
power inline powered-device
power inline priority
power inline usage-threshold
power inline traps enable
power inline limit
power inline limit-mode
power inline four-pair forced
show power inline
show power inline savings
clear power inline counters
clear power inline monitor consumption
show power inline monitor consumption
50
Port Channel Commands
channel-group
port-channel load-balance
show interfaces port-channel
51
Quality of Service (QoS) Commands
qos
qos advanced-mode trust
show qos
class-map
show class-map
match
policy-map
class
show policy-map
trust
set
redirect
mirror
police
service-policy
qos aggregate-policer
show qos aggregate-policer
police aggregate
wrr-queue cos-map
wrr-queue bandwidth
priority-queue out num-of-queues
traffic-shape
traffic-shape queue
qos wrr-queue wrtd
show qos wrr-queue wrtd
show qos interface
qos map policed-dscp
qos map dscp-queue
qos trust (Global)
qos trust (Interface)
qos cos
qos dscp-mutation
qos map dscp-mutation
show qos map
clear qos statistics
qos statistics policer
qos statistics aggregate-policer
clear queue statistics
show queue statistics
show qos statistics
52
RADIUS Commands
radius-server host
radius-server key
radius-server retransmit
radius-server host source-interface
radius-server host source-interface-ipv6
radius-server timeout
radius-server deadtime
show radius-servers
show radius-servers key
53
Radius Server Commands
allowed-time-range
clear radius server accounting
clear radius server rejected users
clear radius server statistics
clear radius server unknown nas
privilege-level
radius server accounting-port
radius server authentication-port
radius server enable
radius server group
radius server nas secret
radius server traps accounting
radius server traps authentication failure
radius server traps authentication success
radius server user
show radius server accounting
show radius server configuration
show radius server group
show radius server rejected users
show radius server nas secret
show radius server statistics
show radius server unknown nas
show radius server user
vlan
54
Rate Limit and Storm Control Commands
clear storm-control counters
rate-limit (Ethernet)
rate-limit vlan
storm-control
show rate-limit interface
show rate-limit vlan
show storm-control interface
55
Remote Network Monitoring (RMON) Commands
rmon alarm
show rmon alarm-table
show rmon alarm
rmon event
show rmon events
show rmon log
rmon table-size
show rmon statistics
rmon collection stats
show rmon collection stats
show rmon history
56
RIP Commands ............................................................................................................. 1125
clear rip statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
default-information originate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
default-metric . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip rip authentication key-chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip rip authentication mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip rip authentication-key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip rip default-information originate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip rip distribute-list in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip rip distribute-list out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip rip offset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip rip passive-interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip rip shutdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
passive-interface (RIP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
redistribute (RIP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
router rip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip rip database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip rip peers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip rip statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
shutdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
57
Router Resources Commands ....................................................................................... 1149
system resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
set router hardware-routing active . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show router hardware-routing status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show system resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
58
Route Map Commands................................................................................................. 1156
match ip address (Policy Routing) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
match ipv6 address (Policy Routing) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
route-map (Policy Routing) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
set ip next-hop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
set ipv6 next-hop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show route-map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
59
sFlow Commands .......................................................................................................... 1202
sflow receiver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
sflow flow-sampling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
sflow counters-sampling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
clear sflow statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show sflow configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show sflow statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
sflow receiver source-interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Smartport Commands.................................................................................................... 1183
macro auto (Global) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
macro auto built-in parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
macro auto persistent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
macro auto processing cdp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
macro auto processing lldp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
macro auto processing type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
macro auto resume . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
macro auto smartport (Interface) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
macro auto smartport type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
macro auto trunk refresh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
macro auto user smartport macro . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show macro auto ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show macro auto processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show macro auto smart-macros . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
smartport storm-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
61
RSA and Certificate Commands ................................................................................... 1165
crypto key generate dsa . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
crypto key generate rsa . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
crypto key import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show crypto key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
crypto certificate generate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
crypto certificate request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
crypto certificate import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show crypto certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
60
sflow receiver source-interface-ipv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1208
62
Spanning-Tree Commands ............................................................................................ 1209
spanning-tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree forward-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree hello-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree max-age . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree cost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree port-priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree portfast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree link-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree pathcost method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree bpdu (Global) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree bpdu (Interface) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree guard root . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree bpduguard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
clear spanning-tree counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
clear spanning-tree detected-protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree mst priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree mst max-hops . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree mst port-priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree mst cost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree mst configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
instance (MST) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
name (MST) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
revision (MST) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show (MST) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
exit (MST) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
abort (MST) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show spanning-tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show spanning-tree bpdu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree loopback-guard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree vlan forward-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree vlan hello-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree vlan max-age . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree vlan priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree vlan cost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree vlan port-priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
63
SPAN and RSPAN Commands..................................................................................... 1259
monitor session destination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
monitor session source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
remote-span . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show monitor session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show vlan remote-span . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1270
64
SSH Client Commands.................................................................................................. 1271
ip ssh-client authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip ssh-client change server password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip ssh-client key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip ssh-client password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip ssh-client server authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip ssh-client server fingerprint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip ssh-client source-interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 ssh-client source-interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip ssh-client username . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip ssh-client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip ssh-client server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
65
SSD Commands ............................................................................................................ 1288
ssd config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
passphrase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ssd rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show SSD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ssd session read . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ssd session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ssd file passphrase control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ssd file integrity control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
66
SYSLOG Commands .................................................................................................... 1308
aaa logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
clear logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
clear logging file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
file-system logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
logging buffered . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
logging console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
logging file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
logging host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
logging on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
logging source-interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
logging source-interface-ipv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
logging aggregation on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
logging aggregation aging-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Stack Commands........................................................................................................... 1299
set stack mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
set stack unit-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
stack unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
stack configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show stack configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show stack links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
67
logging origin-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
logging cbd module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
logging cbd level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show logging file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show syslog-servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
68
System Management Commands .................................................................................. 1326
disable ports leds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
hostname . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
reload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
resume . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
service cpu-utilization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show cpld version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show cpu input rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show cpu utilization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show reload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show system languages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show system tcam utilization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show services tcp-udp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show tech-support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show system fans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show system sensors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show system power-supply . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show system id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ports leds configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show hardware version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show hardware components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
system light . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
system recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
69
TACACS+ Commands.................................................................................................. 1361
tacacs-server host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
tacacs-server host source-interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
tacacs-server host source-interface-ipv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
tacacs-server key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
tacacs-server timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show tacacs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show tacacs key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
70
Telnet, Secure Shell (SSH) and Secure Login (Slogin) Commands ............................. 1368
ip telnet server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1368
ip ssh server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1369
ip ssh port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip ssh password-auth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip ssh pubkey-auth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
crypto key pubkey-chain ssh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
user-key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
key-string . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip ssh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show crypto key pubkey-chain ssh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
71
UDLD Commands......................................................................................................... 1379
show udld . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
udld . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
udld message time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
udld port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
72
Virtual Local Area Network (VLAN) Commands........................................................ 1409
vlan database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
interface vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
interface range vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport protected-port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
26
1379
1383
1384
1385
User Interface Commands ............................................................................................. 1387
banner exec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
banner login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
configure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
do . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
enable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
end . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
exit (Configuration) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
exit (EXEC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
exec-banner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
history size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
login-banner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
terminal datadump . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
terminal history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
terminal history size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
terminal prompt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
terminal width . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show banner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show privilege . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
73
1369
1370
1371
1372
1373
1374
1376
1377
1409
1410
1411
1412
1412
1413
1414
Cisco Sx550X Product line - Ph. 2.5.7 Command Line Interface Reference Guide, v1.0
show interfaces protected-ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport access vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport trunk allowed vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport trunk native vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport general allowed vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport general pvid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport general ingress-filtering disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport general acceptable-frame-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport general forbidden vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport customer vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ethtype . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport nni ethtype . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport vlan-mapping tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport vlan-mapping tunnel l2protocol vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport vlan-mapping tunnel l2protocol cos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport vlan-mapping tunnel l2protocol cos interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport vlan-mapping tunnel l2protocol drop-threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport vlan-mapping tunnel l2protocol forward . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport vlan-mapping one-to-one . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
map protocol protocols-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport general map protocols-group vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show vlan protocols-groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
map mac macs-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport general map macs-group vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show vlan macs-groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
map subnet subnets-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport general map subnets-group vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show vlan subnets-groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show interfaces switchport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
private-vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
private-vlan association . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport private-vlan mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport private-vlan host-association . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show vlan private-vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport access multicast-tv vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport customer multicast-tv vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show vlan multicast-tv . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
vlan prohibit-internal-usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show vlan internal usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
74
1415
1416
1417
1420
1421
1423
1424
1425
1426
1427
1427
1428
1429
1430
1432
1434
1435
1436
1437
1438
1440
1442
1443
1444
1445
1446
1448
1448
1449
1450
1451
1453
1454
1455
1456
1458
1459
1460
1461
1462
1463
Voice VLAN Commands .............................................................................................. 1465
show voice vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show voice vlan local . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
voice vlan state . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
voice vlan refresh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Cisco Sx550X Product line - Ph. 2.5.7 Command Line Interface Reference Guide, v1.0
1465
1469
1471
1473
27
voice vlan id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
voice vlan vpt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
voice vlan dscp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
voice vlan oui-table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
voice vlan cos mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
voice vlan cos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
voice vlan aging-timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
voice vlan enable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
75
VRRP Commands ......................................................................................................... 1483
clear vrrp counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show vrrp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show vrrp counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
vrrp accept mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
vrrp description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
vrrp ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
vrrp preempt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
vrrp priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
vrrp shutdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
vrrp source-ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
vrrp timers advertise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
vrrp track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
vrrp version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
76
1483
1484
1488
1489
1490
1491
1492
1493
1494
1495
1495
1496
1498
Web Server Commands................................................................................................. 1500
ip https certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip http port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip http server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip http secure-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip http timeout-policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip http . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip https . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
28
1475
1476
1477
1478
1479
1480
1481
1481
1500
1501
1501
1502
1503
1504
1504
Cisco Sx550X Product line - Ph. 2.5.7 Command Line Interface Reference Guide, v1.0
1
Introduction
This section describes how to use the Command Line Interface (CLI). It contains the following
topics:
• Product Notes
• Overview
• User (Privilege) Levels
• CLI Command Modes
• Interfaces for Debug Access
• Accessing the CLI
• CLI Command Conventions
• Editing Features
• Interface Naming Conventions
• IPv6z Address Conventions
• Loopback Interface
• Remote IP Address and OutOfBand Port
• PHY Diagnostics
• CLI Output Modifiers
Product Notes
This CLI guide provides CLI commands and guidelines for both the SG550XG product line
and the Sx550X product line. Except for a few CLI commands, which are noted below,
the CLI commands in this document apply to both product lines. The notes and differences
in CLI command support between these product lines are as follows:
• Port types—
  - The SG550XG/SX550X type SKUs support ports with the TengigabitEthernet (XG) speed.
  - The SF550X type SKUs support Fastethernet (FE) network ports with 4 XG uplink ports.
  - The SG550X type SKUs support Gigabitethernet (GE) network ports with 4 XG uplink ports.
  CLI examples in this document use the XG port type, but these commands can also be
  applied to FE or GE port types, unless there is a difference in feature implementation
  between port types.
• Speed and negotiation settings—Each port type supports the negotiation and speed
  settings relevant to the port type. For example, a GE or FE interface does not support
  speed or negotiation of 10G.
• OOB interface—The SG550XG and SX550X support an OOB interface, while the
  SG550X and SF550X do not. Therefore, OOB as a configurable interface is relevant
  only to the SG550XG or SX550X devices.
• Power Over Ethernet—PoE is supported on some of the SG550X and SF550X devices
  and not on the SG550XG or SX550X. Therefore, PoE commands are relevant only to
  the SG550X and SF550X devices.
• Stacking—On the SG550XG and SX550X, any interface can be defined as a stacking
  interface and up to 8 interfaces are supported. On the SG550X and SF550X, only the 4
  XG uplink interfaces can be defined as stacking interfaces, with up to 4 interfaces.
• Short reach and energy detect—Short reach is always enabled on XG ports (all SKUs);
  energy detect is always enabled on the XG ports on the SG550XG/SX550X devices;
  on FE or GE ports (SG550X or SF550X devices) these features can be
  enabled/disabled (default is disabled).
• MAC address aging time—The maximum value for SG550XG and SX550X is 630
  seconds, while the maximum value for SG550X and SF550X (and hybrid mode) is 400
  seconds. The default value is the same for both product lines: 300 seconds.
Overview
The CLI is divided into various command modes. Each mode includes a group of commands.
These modes are described in CLI Command Modes.
Users are assigned privilege levels. Each user privilege level can access specific CLI modes.
User levels are described in the section below.
User (Privilege) Levels
Users can be created with one of the following user levels:
• Level 1—Users with this level can only run User EXEC mode commands. Users at this
  level cannot access the web GUI or commands in the Privileged EXEC mode.
• Level 7—Users with this level can run commands in the User EXEC mode and a
  subset of commands in the Privileged EXEC mode. Users at this level cannot access
  the web GUI.
• Level 15—Users with this level can run all commands. Only users at this level can
  access the web GUI.
A system administrator (user with level 15) can create passwords that allow a lower level user
to temporarily become a higher level user. For example, the user may go from level 1 to level
7, level 1 to 15, or level 7 to level 15.
The passwords for each level are set (by an administrator) using the following command:
enable password [level privilege-level]{password|encrypted encrypted-password}
Using these passwords, you can raise your user level by entering the enable command and the
password for level 7 or 15. You can go from level 1 to level 7 or directly to level 15. The
higher level holds only for the current session.
The disable command returns the user to a lower level.
To create a user and assign it a user level, use the username command. Only users with
command level 15 can create users at this level.
Example 1—Create passwords for level 7 and 15 (by the administrator):
switchxxxxxx# configure
switchxxxxxx(config)# enable password level 7 level7@aBc
switchxxxxxx(config)# enable password level 15 level15@aBc
switchxxxxxx(config)#
Create a user with user level 1:
switchxxxxxx# configure
switchxxxxxx(config)# username john password John1234 privilege 1
switchxxxxxx(config)#
Example 2—Switch from Level 1 to Level 15. The user must know the password:
switchxxxxxx#
switchxxxxxx# enable
Enter Password: ****** (this is the password for level 15 - level15@aBc)
switchxxxxxx#
NOTE If authentication of passwords is performed on RADIUS or TACACS+ servers, the passwords
assigned to user level 7 and user level 15 must be configured on the external server and
associated with the $enable7$ and $enable15$ user names, respectively. See the
Authentication, Authorization and Accounting (AAA) Commands chapter for details.
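The level model described in this section can be checked against a configuration script before it is applied to a switch. The Python below is an added example, not part of the Cisco guide: it parses the username and enable password command forms shown above and reports which levels each account can reach. The sample configuration is constructed, and the defaults used when privilege or level is omitted are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, written with the command forms shown on this page.
# "<hash>" is a placeholder; none of this is output from a real switch.
SAMPLE_CONFIG = """\
enable password level 7 level7@aBc
enable password level 15 encrypted <hash>
username cisco password cisco privilege 15
username john password John1234 privilege 1
username ops password encrypted <hash> privilege 7
"""

# What each level may do, as stated in the User (Privilege) Levels and
# Global Configuration Mode sections of this chapter.
CAPABILITIES = {
    1: {"User EXEC"},
    7: {"User EXEC", "Privileged EXEC (subset)", "Global Configuration"},
    15: {"User EXEC", "Privileged EXEC", "Global Configuration", "web GUI"},
}

USER_RE = re.compile(
    r"^username\s+(?P<name>\S+)\s+password\s+(?P<enc>encrypted\s+)?\S+"
    r"(?:\s+privilege\s+(?P<level>\d+))?\s*$")
ENABLE_RE = re.compile(
    r"^enable\s+password\s+(?:level\s+(?P<level>\d+)\s+)?"
    r"(?P<enc>encrypted\s+)?\S+\s*$")


@dataclass
class Config:
    users: dict = field(default_factory=dict)   # name -> (level, encrypted form?)
    enable: dict = field(default_factory=dict)  # level -> encrypted form?


def parse_config(text):
    """Collect username and enable password lines; ignore everything else."""
    cfg = Config()
    for raw in text.splitlines():
        line = raw.strip()
        m = USER_RE.match(line)
        if m:
            # Assumption: a user created without "privilege" gets level 1.
            level = int(m["level"]) if m["level"] else 1
            cfg.users[m["name"]] = (level, bool(m["enc"]))
            continue
        m = ENABLE_RE.match(line)
        if m:
            # Assumption: "enable password" without "level" applies to level 15.
            level = int(m["level"]) if m["level"] else 15
            cfg.enable[level] = bool(m["enc"])
    return cfg


def reachable_levels(cfg, name):
    """Login level plus every higher level that has an enable password.
    A raised level holds only for the current CLI session."""
    base, _ = cfg.users[name]
    return sorted({base} | {lvl for lvl in cfg.enable if lvl > base})


def audit(cfg):
    """Return (code, subject) findings for review."""
    findings = []
    if "cisco" in cfg.users:  # default user name given in this chapter
        findings.append(("default-account", "cisco"))
    for name, (level, encrypted) in sorted(cfg.users.items()):
        if not encrypted:  # password written without the encrypted keyword
            findings.append(("cleartext-user-password", name))
        if level == 15:
            findings.append(("web-gui-and-all-commands", name))
        elif 15 in reachable_levels(cfg, name):
            findings.append(("can-enable-to-15", name))
    for level, encrypted in sorted(cfg.enable.items()):
        if not encrypted:
            findings.append(("cleartext-enable-password", str(level)))
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for name in sorted(cfg.users):
        levels = reachable_levels(cfg, name)
        caps = sorted(CAPABILITIES.get(max(levels), set()))
        print(f"{name}: login level {cfg.users[name][0]}, "
              f"reachable {levels}, CLI access at most: {caps}")
    for code, subject in audit(cfg):
        print(f"[{code}] {subject}")
```

Web GUI access follows the login level only, so an account flagged can-enable-to-15 gains full CLI access for a session but not the web GUI.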
CLI Command Modes
The CLI is divided into four command modes. The command modes are (in the order in which
they are accessed):
• User EXEC mode
• Privileged EXEC mode
• Global Configuration mode
• Interface Configuration mode
• Interfaces for debug access
Each command mode has its own unique console prompt and set of CLI commands. Entering
a question mark at the console prompt displays a list of available commands for the current
mode and for the level of the user. Specific commands are used to switch from one mode to
another.
Users are assigned privilege levels that determine the modes and commands available to them.
User levels are described in User (Privilege) Levels.
User EXEC Mode
Users with level 1 initially log into User EXEC mode. User EXEC mode is used for tasks that
do not change the configuration, such as performing basic tests and listing system information.
The user-level prompt consists of the switch host name followed by a #. The default host name
is switchxxxxxx, where xxxxxx is the last six digits of the device’s MAC address, as shown
below:
switchxxxxxx#
The default host name can be changed via the hostname command in Global Configuration
mode.
Privileged EXEC Mode
A user with level 7 or 15 automatically logs into Privileged EXEC mode.
Users with level 1 can enter Privileged EXEC mode by entering the enable command and, when
prompted, the password for level 15.
To return from the Privileged EXEC mode to the User EXEC mode, use the disable command.
Global Configuration Mode
The Global Configuration mode is used to run commands that configure features at the system
level, as opposed to the interface level.
Only users with command level of 7 or 15 can access this mode.
To access Global Configuration mode from Privileged EXEC mode, enter the configure
command at the Privileged EXEC mode prompt and press Enter. The Global Configuration
mode prompt, consisting of the device host name followed by (config)#, is displayed:
switchxxxxxx(config)#
Use any of the following commands to return from Global Configuration mode to the
Privileged EXEC mode:
• exit
• end
• Ctrl+Z
The following example shows how to access Global Configuration mode and return to
Privileged EXEC mode:
switchxxxxxx#
switchxxxxxx# configure
switchxxxxxx(config)# exit
switchxxxxxx#
Interface or Line Configuration Modes
Various submodes may be entered from Global Configuration mode. These submodes make it
possible to run commands on a group of interfaces or lines.
For instance, to perform several operations on a specific port or range of ports, you can enter
the Interface Configuration mode for that interface.
The following example enters Interface Configuration mode for vlan1 and then sets the
speed. The exit command returns to Global Configuration mode.
switchxxxxxx#
switchxxxxxx# configure
switchxxxxxx(config)# interface range vlan1
switchxxxxxx(config-if)#speed 10
switchxxxxxx(config-if)#exit
switchxxxxxx(config)#
The following is a sample of some of the available submodes:
• Interface—Contains commands that configure a specific interface (port, VLAN, port
  channel, or tunnel) or range of interfaces. The interface Global Configuration mode
  command is used to enter the Interface Configuration mode.
• Line Interface—Contains commands used to configure the management connections
  for the console, Telnet and SSH. These include commands such as line timeout settings,
  etc. The line Global Configuration command is used to enter the Line Configuration
  command mode.
• VLAN Database—Contains commands used to configure a VLAN as a whole. The
  vlan database Global Configuration mode command is used to enter the VLAN
  Database Interface Configuration mode.
• Management Access List—Contains commands used to define management
  access-lists. The management access-list Global Configuration mode command is
  used to enter the Management Access List Configuration mode.
• MAC Access-List, IPv6 Access List, IP Access List—Configures conditions required
  to allow traffic based on MAC addresses, IPv6 addresses and IPv4 addresses, respectively.
  The mac access-list, ipv6 access-list and ip access-list Global Configuration mode
  commands are used to enter these configuration modes.
To return from any Interface Configuration mode to the Global Configuration mode, use the
exit command.
Interfaces for Debug Access
In addition to the standard CLI interface modes detailed above, the device supports additional
interfaces for device debug access. These interfaces are intended to be used by Cisco Support
Team personnel, in cases where it is required to debug the device’s behavior. These interfaces are
password protected. The passwords are held by the Cisco support team.
The device supports the following debug interfaces:
• U-BOOT access during boot sequence (access is possible only via serial console
  terminal)
• Linux Kernel access during boot sequence (access is possible only via serial console
  terminal)
• Run time debug modes - allows Cisco Support Team personnel to view device settings,
  and to apply protocol and layer 1 debug commands and settings (access is possible via
  serial, telnet or SSH console terminal)
Accessing the CLI
The CLI can be accessed from a terminal or computer by performing one of the following
tasks:
• Running a terminal application, such as HyperTerminal, on a computer’s com port that
  is directly connected to the switch’s console port.
• Running a Telnet session from a command prompt on a computer with a network
  connection to the switch.
• Using SSH from an SSH client application running on a computer with a
  network connection to the switch.
NOTE Telnet and SSH are disabled by default on the switch.
If access is via a Telnet or SSH connection, ensure that the following conditions are met before
using CLI commands:
• The switch has a defined IP address.
• Corresponding management access is enabled.
• There is an IP path such that the computer and the switch can reach each other.
Using HyperTerminal over the Console Interface
The switch’s management interface is an RJ45 port. It provides a direct connection to a
computer’s serial port using a standard DB-9 null-modem or crossover cable. After the
computer and switch are connected, run a terminal application to access the CLI.
The terminal emulator must be configured to databits=8 and parity=none.
Press Enter twice, so that the device sets the serial port speed to match the PC's serial port
speed.
When the CLI appears, enter cisco at the User Name prompt and then enter cisco at the
Password prompt.
NOTE If this is the first time that you have logged on with the default username and password, the
device displays a prompt to change the username and password. The new password must
comply with the password complexity rules.
The switchxxxxxx# prompt is displayed. You can now enter CLI commands to manage
the switch. For detailed information on CLI commands, refer to the appropriate chapter(s) of
this reference guide.
Using Telnet over an Ethernet Interface
Telnet provides a method of connecting to the CLI over an IP network.
To establish a telnet session from the command prompt, perform the following steps:
STEP 1 Click Start, then select All Programs > Accessories > Command Prompt to open a
command prompt.
Figure 1 Start > All Programs > Accessories > Command Prompt
STEP 2 At the prompt, enter telnet <IP address of switch>, then press Enter.
Figure 2 Command Prompt
STEP 3 The CLI is displayed.
STEP 4 When the CLI appears, enter the defined username at the User Name prompt and then enter
the defined password at the Password prompt.
The switchxxxxxx# prompt is displayed. You can now enter CLI commands to manage
the switch. For detailed information on CLI commands, refer to the appropriate chapter(s) of
this reference guide.
CLI Command Conventions
When entering commands there are certain command entry standards that apply to all
commands. The following table describes the command conventions.
Convention             Description
[ ]                    In a command line, square brackets indicate an optional entry.
{ }                    In a command line, curly brackets indicate a selection of compulsory parameters separated by the | character. One option must be selected. For example, flowcontrol {auto|on|off} means that for the flowcontrol command, either auto, on, or off must be selected.
"" (inverted commas)   When the input string contains space and/or reserved words (i.e. VLAN), put the string in inverted commas.
parameter              Italic text indicates a parameter.
press key              Names of keys to be pressed are shown in bold.
Ctrl+F4                Keys separated by the + character are to be pressed simultaneously on the keyboard.
Screen Display         Fixed-width font indicates CLI prompts, CLI commands entered by the user, and system messages displayed on the console.
all                    When a parameter is required to define a range of ports or parameters and all is an option, the default for the command is all when no parameters are defined. For example, the command interface range port-channel has the option of either entering a range of channels, or selecting all. When the command is entered without a parameter, it automatically defaults to all.
text                   When free text can be entered as a parameter for a command (for example in command: snmp-server contact) if the text consists of multiple words separated by blanks, the entire string must appear in double quotes. For example: snmp-server contact "QA on floor 8"
Editing Features
Entering Commands
A CLI command is a series of keywords and arguments. Keywords identify a command, and
arguments specify configuration parameters. For example, in the command show interfaces
status Gigabitethernet 1, show, interfaces and status are keywords, Gigabitethernet is an
argument that specifies the interface type, and 1 specifies the port.
To enter commands that require parameters, enter the required parameters after the command
keyword. For example, to set a password for the administrator, enter:
switchxxxxxx(config)# username admin password aLansmith1
When working with the CLI, the command options are not displayed. The standard command
to request help is ?.
There are two instances where help information can be displayed:
• Keyword lookup—The character ? is entered in place of a command. A list of all valid
commands and corresponding help messages is displayed.
• Partial keyword lookup—If a command is incomplete and/or the character ? is entered
in place of a parameter, the matched keyword or parameters for this command are
displayed.
To assist in using the CLI, there is an assortment of editing features. The following features are
described:
• Terminal Command Buffer
• Command Completion
• Interface Naming Conventions
• Keyboard Shortcuts
Terminal Command Buffer
Every time a command is entered in the CLI, it is recorded on an internally managed
Command History buffer. Commands stored in the buffer are maintained on a First In First
Out (FIFO) basis. These commands can be recalled, reviewed, modified, and reissued. This
buffer is not preserved across device resets.
Keyword - Description
Up-Arrow key, Ctrl+P - Recalls commands in the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands.
Down-Arrow key - Returns to more recent commands in the history buffer after recalling commands with the up-arrow key. Repeating the key sequence will recall successively more recent commands.
By default, the history buffer system is enabled, but it can be disabled at any time. For more
information on enabling or disabling the history buffer, refer to the history command.
There is a standard default number of commands that are stored in the buffer. The standard
number of 10 commands can be increased to 216. By configuring 0, the effect is the same as
disabling the history buffer system. For more information on configuring the command history
buffer, refer to the history size command.
To display the history buffer, refer to the show history command.
Negating the Effect of Commands
For many configuration commands, the prefix keyword no can be entered to cancel the effect
of a command or reset the configuration to the default value. This Reference Guide provides a
description of the negation effect for each CLI command.
Command Completion
If the command entered is incomplete, invalid or has missing or invalid parameters, then the
appropriate error message is displayed. This assists in entering the correct command. By
pressing Tab after an incomplete command is entered, the system will attempt to identify and
complete the command. If the characters already entered are not enough for the system to
identify a single matching command, press ? to display the available commands matching the
characters already entered.
Keyboard Shortcuts
The CLI has a range of keyboard shortcuts to assist in editing the CLI commands. The
following table describes the CLI shortcuts.
Keyboard Key - Description
Up-arrow - Recalls commands from the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands.
Down-arrow - Returns the most recent commands from the history buffer after recalling commands with the up arrow key. Repeating the key sequence will recall successively more recent commands.
Ctrl+A - Moves the cursor to the beginning of the command line.
Ctrl+E - Moves the cursor to the end of the command line.
Ctrl+Z / End - Returns back to the Privileged EXEC mode from any configuration mode.
Backspace - Deletes one character to the left of the cursor position.
Copying and Pasting Text
Up to 1000 lines of text (or commands) can be copied and pasted into the device.
NOTE It is the user’s responsibility to ensure that the text copied into the device consists of legal
commands only.
When copying and pasting commands from a configuration file, make sure that the following
conditions exist:
• A device Configuration mode has been accessed.
• The commands contain no encrypted data, like encrypted passwords or keys. Encrypted data
cannot be copied and pasted into the device except for encrypted passwords where the
keyword encrypted is used before the encrypted data (for instance in the enable password
command).
Interface Naming Conventions
Interfaces on the device can be one of the following types:
• Fast Ethernet (10/100 kbits) ports—This can be written as FastEthernet, fa or fe.
• Gigabit Ethernet (10/100/1000 kbits) ports—These can be written as either
GigabitEthernet or gi or GE.
• Ten Gigabit Ethernet (10,000 kbits) ports—This can be written as either
TenGigabitEthernet or te or XG.
• LAG (Port Channel)—Written as either Port-Channel or po.
• VLAN—Written as VLAN
• Tunnel—Written as tunnel or tu
• OOB—Written as OutOfBand or oob
Within the CLI, interfaces are denoted by concatenating the following elements:
• Type of Interface—As described above
• Unit Number—Unit in stack.
• Slot Number—The slot number is always 0.
• Interface Number—Port, LAG, tunnel or VLAN numbers
The syntax for interface names in stacking mode is:
{<port-type>[ ][<unit-number>/]<slot-number>/<port-number>} | {port-channel | po | }[ ]<port-channel-number> |
{tunnel | tu}[ ]<tunnel-number> | vlan[ ]<vlan-id>
Samples of these various options are shown in the example below:
switchxxxxxx(config)#interface GigabitEthernet 1
switchxxxxxx(config)#interface GE 1
switchxxxxxx(config)#interface FastEthernet
switchxxxxxx(config)#interface fe1
switchxxxxxx(config)#interface te1/0/1
switchxxxxxx(config)#interface po1
switchxxxxxx(config)# interface vlan 1
NOTE See Loopback Interface for a description of the loopback interface.
Interface Range
Interfaces may be described on an individual basis or within a range. The interface range
command has the following syntax:
<interface-range> ::=
{<port-type>[ ][<unit-number>/]<slot-number>/<first-port-number>[ - <last-port-number>]} |
port-channel[ ]<first-port-channel-number>[ - <last-port-channel-number>] |
tunnel[ ]<first-tunnel-number>[ - <last-tunnel-number>] |
vlan[ ]<first-vlan-id>[ - <last-vlan-id>]
A sample of this command is shown in the example below:
switchxxxxxx#configure
switchxxxxxx(config-if)#interface range gi1-5g
switchxxxxxx(config-if)#interface range te1/0/1-5
List of Multiple Interface Types
A combination of interface types can be specified in the interface range command in the
following format:
<range-list> ::= <interface-range> | <range-list>, <interface-range>
Up to five ranges can be included.
NOTE Range lists can contain either ports and port-channels or VLANs. Combinations of
port/port-channels and VLANs are not allowed.
The space after the comma is optional.
When a range list is defined, a space after the first entry and before the comma (,) must be
entered.
A sample of this command is shown in the example below:
switchxxxxxx#configure
switchxxxxxx(config)#interface range gi1-5, vlan 1-2
switchxxxxxx(config)#interface range te1/0/1-5, vlan 1-2
IPv6z Address Conventions
The following describes how to write an IPv6z address, which is a link-local IPv6 address.
The format is: <ipv6-link-local-address>%<egress-interface>
where:
egress-interface (also known as zone) = vlan<vlan-id> | po<number> | tunnel<number> |
port<number> | 0
If the egress interface is not specified, the default interface is selected. Specifying egress
interface = 0 is equal to not defining an egress interface.
The following combinations are possible:
• ipv6_address%egress-interface—Refers to the IPv6 address on the interface
specified.
• ipv6_address%0—Refers to the IPv6 address on the single interface on which an
IPv6 address is defined.
• ipv6_address—Refers to the IPv6 address on the single interface on which an IPv6
address is defined.
Loopback Interface
When an IP application on a router wants to communicate with a remote IP application, it must
select the local IP address to be used as its IP address. It can use any IP address defined on the
router, but if this link goes down, the communication is aborted, even though there might well
be another IP route between these IP applications.
The loopback interface is a virtual interface whose operational state is always up. If the IP
address that is configured on this virtual interface is used as the local address when
communicating with remote IP applications, the communication will not be aborted even if the
actual route to the remote application was changed.
The name of the loopback interface is loopback1.
A loopback interface does not support bridging; it cannot be a member of any VLAN, and no
layer 2 protocol can be enabled on it.
Layer 3 Specification
IP Interface
IPv4 and IPv6 addresses can be assigned to a loopback interface.
The IPv6 link-local interface identifier is 1.
Routing Protocols
A routing protocol running on the switch supports the advertising of the IP prefixes defined on
the loopback interfaces via the routing protocol redistribution mechanism.
Configuration Examples
Static Routing
The following example shows you how to configure IP on a switch with static routing:
Switch# configure terminal
Switch(config)# interface vlan 1
Switch(config-if)# ip address 10.10.10.2 /24
Switch(config-if)# ipv6 address 2001:DB8:2222:7270::2312/64
Switch(config-if)# exit
Switch(config)# interface vlan 2
Switch(config-if)# ip address 10.11.11.2 /24
Switch(config-if)# ipv6 address 2001:DB8:3333:7271::2312/64
Switch(config-if)# exit
Switch(config)# interface loopback 1
Switch(config-if)# ip address 172.25.13.2 /32
Switch(config-if)# ipv6 address 2001:DB8:2222:7272::72/128
Switch(config-if)# exit
Switch(config)# ip route 0.0.0.0/0 10.10.11.1
Switch(config)# ip route 10.11.0.0 /16 10.11.11.1
Switch(config)# ipv6 route 0::/0 2001:DB8:2222:7270::1
Switch(config)# ipv6 route 2001:DB8:3333::/48 2001:DB8:3333:7271::1
The neighbor router 10.10.11.1 should be configured with the following static route: ip route
172.25.13.2 /32 10.10.10.2.
The neighbor router 10.11.11.1 should be configured with the following static route: ip route
172.25.13.2 /32 10.11.11.2.
The neighbor router 2001:DB8:2222:7270::1 connected to VLAN 1 should be configured with
the following static route:
ipv6 route 2001:DB8:2222:7272::72/128 2001:DB8:2222:7270::2312
The neighbor router 2001:DB8:3333:7271::1 connected to VLAN 1 should be configured with
the static route defined immediately below.
ipv6 route 2001:DB8:2222:7272::72/128 2001:DB8:3333:7271::2312
Routes with RIP Configuration
The following example describes how to configure IP on a switch, which includes the
loopback interface and with RIP running:
Switch# configure terminal
Switch(config)# interface vlan 1
Switch(config-if)# ip address 10.10.10.2 /24
Switch(config-if)# exit
Switch(config)# interface vlan 2
Switch(config-if)# ip address 10.11.11.2 /24
Switch(config-if)# exit
Switch(config)# interface loopback 1
Switch(config-if)# ip address 172.25.13.2 /32
Switch(config-if)# exit
Switch(config)# router rip
Switch(config-rip)# network 10.10.10.2
Switch(config-rip)# network 10.11.10.2
Switch(config-rip)# network 172.25.13.2
Switch(config-rip)# exit
Switch(config)# interface ip 172.25.13.2
Switch(config-ip)# ip rip passive-interface
Switch(config-ip)# exit
The other routers do not need static routes for 172.25.13.2/32, because the route is advertised
by RIP.
Remote IP Address and OutOfBand Port
The switch supports an IP stack on the OutOfBand (OOB) port. This IP stack is separate from
the IP stack running on the ASIC ports, and it requires specific route table configuration.
If the switch supports more than one IP interface, when you specify a remote IP address or a
DNS name, you must also specify the IP stack that is being referred to.
PHY Diagnostics
The following exceptions exist:
• Copper Ports—PHY diagnostics are only supported on copper ports.
• 10G ports—TDR test is supported when the operational port speed is 10G. Cable
length resolution is 20 meters.
CLI Output Modifiers
To all show and more commands (except show technical support) an output modifier may be
added as follows:
<show/more command> | <output-modifier> <regular-expression-pattern>
The output modifiers are:
• begin: Starts output from the first line that has a sequence of characters matching the
given regular expression pattern.
• include: Includes only lines that have a sequence of characters matching the given
regular expression pattern.
• exclude: Excludes all lines that have a sequence of characters matching the given
regular expression pattern.
• count: Counts all lines that have a sequence of characters matching the given regular
expression pattern and displays the result (no other output is displayed).
NOTE Only 1 output modifier can be used in each command. The remainder of the text typed in is part
of the regular expression pattern.
A regular expression is a pattern (a phrase, number, or more complex pattern). The CLI String
Search feature matches regular expressions to the show or more command output. Regular
expressions are case-sensitive and allow for complex matching requirements.
A regular expression can be a single-character pattern or a multiple-character pattern. That is,
a regular expression can be a single character that matches the same single character in the
command output or multiple characters that match the same multiple characters in the
command output. The pattern in the command output is referred to as a string. This section
describes creating both single-character patterns and multiple-character patterns. It also
discusses creating more complex regular expressions, using multipliers, alternation,
anchoring, and parentheses.
Single-Character Patterns
The simplest regular expression is a single character that matches the same single character in
the command output. You can use any letter (A-Z, a-z) or digit (0-9) as a single-character
pattern. You can also use other keyboard characters (such as ! or ~) as single-character
patterns, but certain keyboard characters have special meaning when used in regular
expressions. The following table lists the keyboard characters that have special meanings.
Character - Meaning
. - Matches any single character, including white space.
* - Matches 0 or more sequences of the pattern.
+ - Matches 1 or more sequences of the pattern.
? - Matches 0 or 1 occurrences of the pattern.
^ - Matches the beginning of the string.
$ - Matches the end of the string.
To use these special characters as single-character patterns, remove the special meaning by
preceding each character with a backslash (\).
The following examples are single-character patterns matching a dollar sign, an underscore,
and a plus sign, respectively.
\$ \_ \+
You can specify a range of single-character patterns to match against command output. For
example, you can create a regular expression that matches a string containing one of the
following letters: a, e, i, o, or u. Only one of these characters must exist in the string for pattern
matching to succeed. To specify a range of single-character patterns, enclose the
single-character patterns in square brackets ([ ]). For example, [aeiou] matches any one of the
five vowels of the lowercase alphabet, while [abcdABCD] matches any one of the first four
letters of the lower- or uppercase alphabet.
You can simplify ranges by entering only the endpoints of the range separated by a dash (-).
Simplify the previous range as follows:
[a-dA-D]
To add a dash as a single-character pattern in your range, include another dash and precede it
with a backslash:
[a-dA-D\-]
You can also include a right square bracket (]) as a single-character pattern in your range, as
shown here:
[a-dA-D\-\]]
The previous example matches any one of the first four letters of the lower- or uppercase
alphabet, a dash, or a right square bracket.
You can reverse the matching of the range by including a caret (^) at the start of the range. The
following example matches any letter except the ones listed:
[^a-dqsv]
The following example matches anything except a right square bracket (]) or the letter d:
[^\]d]
Multiple-Character Patterns
When creating regular expressions, you can also specify a pattern containing multiple
characters. You create multiple-character regular expressions by joining letters, digits, or
keyboard characters that do not have special meaning. For example, a4% is a
multiple-character regular expression.
With multiple-character patterns, order is important. The regular expression a4% matches the
character a followed by a 4 followed by a % sign. If the string does not have a4%, in that
order, pattern matching fails. The multiple-character regular expression a. uses the special
meaning of the period character to match the letter a followed by any single character. With
this example, the strings ab, a!, or a2 are all valid matches for the regular expression.
You can remove the special meaning of the period character by inserting a backslash before it.
For example, when the expression a\. is used in the command syntax, only the string a. will be
matched.
You can create a multiple-character regular expression containing all letters, all digits, all
keyboard characters, or a combination of letters, digits, and other keyboard characters. For
example, telebit 3107 v32bis is a valid regular expression.
Multipliers
You can create more complex regular expressions that instruct the system to match multiple
occurrences of a specified regular expression. To do so, use some special characters with your
single-character and multiple-character patterns. Table 1 lists the special characters that
specify multiples of a regular expression.
Table 1: Special Characters Used as Multipliers
Character - Description
* - Matches 0 or more single-character or multiple-character patterns.
+ - Matches 1 or more single-character or multiple-character patterns.
? - Matches 0 or 1 occurrences of a single-character or multiple-character pattern.
The following example matches any number of occurrences of the letter a, including none:
a*
The following pattern requires that at least one letter a be in the string to be matched:
a+
The following pattern matches the string bb or bab:
ba?b
The following string matches any number of asterisks (*):
\**
To use multipliers with multiple-character patterns, enclose the pattern in parentheses. In the
following example, the pattern matches any number of the multiple-character string ab:
(ab)*
The following pattern matches one or more instances of alphanumeric pairs, but not none (that
is, an empty string is not a match):
([A-Za-z][0-9])+
The order for matches using multipliers (*, +, or ?) is to put the longest construct first. Nested
constructs are matched from outside to inside. Concatenated constructs are matched beginning
at the left side of the construct. Thus, the regular expression above matches A9b3, but not
9Ab3 because the letters are specified before the numbers.
Alternation
Alternation allows you to specify alternative patterns to match against a string. You separate
the alternative patterns with a vertical bar (|). Only one of the alternatives can match the string.
For example, the regular expression codex|telebit either matches the string codex or the string
telebit, but not both codex and telebit.
Anchoring
You can instruct the system to match a regular expression pattern against the beginning or the
end of the string. You anchor these regular expressions to a portion of the string using the
special characters shown in Table 2.
Table 2: Special Characters Used for Anchoring
Character - Description
^ - Matches the beginning of the string.
$ - Matches the end of the string.
For example, the regular expression ^con matches any string that starts with con, and sole$
matches any string that ends with sole.
In addition to indicating the beginning of a string, the ^ symbol can be used to indicate the
logical function not when used in a bracketed range. For example, the expression [^abcd]
indicates a range that matches any single letter, as long as it is not the letters a, b, c, or d.
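The output modifiers described above can be reproduced offline against saved show output. The following is an added example, not part of the Cisco guide: the function names and the sample output are constructed, and Python's re module is assumed to stand in for the switch's regular expression engine. It also shows the consequence of the one-modifier rule: a second bar becomes alternation inside the pattern rather than a second filter.

```python
import re

MODIFIERS = ("begin", "include", "exclude", "count")

# Constructed sample of "show running-config" output (not from a real device).
SAMPLE_OUTPUT = """\
aaa authentication dot1x default radius none
interface vlan 2
 dot1x guest-vlan
interface te1/0/1
 dot1x authentication 802.1x mac
 authentication open
interface te1/0/2
 dot1x guest-vlan enable
"""


def split_command(command_line):
    """Split '<show/more command> | <output-modifier> <pattern>'.

    Only the FIRST bar separates the command from the modifier. Everything
    after the modifier keyword belongs to the pattern, including any later
    bar, which the regular expression then reads as alternation.
    """
    if "|" not in command_line:
        return command_line.strip(), None, None
    base, rest = command_line.split("|", 1)
    modifier, _, pattern = rest.lstrip().partition(" ")
    if modifier not in MODIFIERS:
        raise ValueError(f"unknown output modifier: {modifier!r}")
    if not pattern:
        raise ValueError("an output modifier needs a regular expression pattern")
    return base.strip(), modifier, pattern


def apply_modifier(lines, modifier, pattern):
    """Filter output lines the way the four modifiers are described."""
    # Assumption: Python's re approximates the switch's regex dialect.
    # re.search looks for the pattern anywhere in the line, case-sensitively.
    regex = re.compile(pattern)
    hits = [bool(regex.search(line)) for line in lines]
    if modifier == "include":
        return [line for line, hit in zip(lines, hits) if hit]
    if modifier == "exclude":
        return [line for line, hit in zip(lines, hits) if not hit]
    if modifier == "count":
        return [str(sum(hits))]  # the count is the only output
    if modifier == "begin":
        return lines[hits.index(True):] if any(hits) else []
    raise ValueError(f"unknown output modifier: {modifier!r}")


def run(command_line, output_text=SAMPLE_OUTPUT):
    """Apply the modifier in command_line to previously captured output."""
    _, modifier, pattern = split_command(command_line)
    lines = output_text.splitlines()
    if modifier is None:
        return lines
    return apply_modifier(lines, modifier, pattern)


if __name__ == "__main__":
    for command in (
        "show running-config | include ^interface",
        "show running-config | count dot1x",
        "show running-config | begin te1/0/2",
        # The second bar is part of the pattern, so nothing is excluded here.
        "show running-config | include dot1x | exclude guest",
    ):
        print(command)
        for line in run(command):
            print("   ", line)
```

When filtering a configuration for review, run one modifier per command and check the result, since a chained filter silently widens the match instead of narrowing it.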
2 802.1X Commands
2.1 aaa authentication dot1x
To specify which servers are used for authentication when 802.1X authentication is enabled,
use the aaa authentication dot1x command in Global Configuration mode. To restore the
default configuration, use the no form of this command.
Syntax
aaa authentication dot1x default {radius | none | {radius none}}
no aaa authentication dot1x default
Parameters
• radius - Uses the list of all RADIUS servers for authentication
• none - Uses no authentication
Default Configuration
RADIUS server.
Command Mode
Global Configuration mode
User Guidelines
You can select either authentication by a RADIUS server, no authentication (none), or both
methods.
If you require that authentication succeeds even if no RADIUS server response was received,
specify none as the final method in the command line.
Example
The following example sets the 802.1X authentication mode to RADIUS server
authentication. Even if no response was received, authentication succeeds.
switchxxxxxx(config)# aaa authentication dot1x default radius none
2.2 authentication open
To enable open access (monitoring mode) on this port, use the authentication open command
in Interface Configuration mode. To disable open access on this port, use the no form of this
command.
Syntax
authentication open
no authentication open
Parameters
This command has no arguments or keywords.
Default Configuration
Disabled.
Command Mode
Interface (Ethernet, OOB) Configuration mode
User Guidelines
Open Access or Monitoring mode allows clients or devices to gain network access before
authentication is performed. In this mode, the switch treats failure replies received from a
RADIUS server as success.
Example
The following example enables open mode on interface te1/0/1:
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# authentication open
2.3 clear dot1x statistics
To clear 802.1X statistics, use the clear dot1x statistics command in Privileged EXEC mode.
Syntax
clear dot1x statistics [interface-id]
Parameters
• interface-id—Specify an Ethernet port ID.
Default Configuration
Statistics on all ports are cleared.
Command Mode
Privileged EXEC mode
User Guidelines
This command clears all the counters displayed in the show dot1x and show dot1x statistics
commands.
Example
switchxxxxxx# clear dot1x statistics
2.4 data
To specify web-based page customizing, the data command is used in Web-Based Page
Customization Configuration mode.
Syntax
data value
Parameters
• value—String of hexadecimal digit characters up to 320 characters.
Default Configuration
No user customization.
Command Mode
Web-Based Page Customization Configuration mode
User Guidelines
The command should not be entered or edited manually (unless using copy-paste). It is a part
of the configuration file produced by the switch.
A user can only customize the web-based authentication pages by using the WEB interface.
Examples
Example 1—The following example shows a partial web-based page customization
configuration:
switchxxxxxx(config)# dot1x page customization
switchxxxxxx(config-web-page)# data 1feabcde
switchxxxxxx(config-web-page)# data 17645874
switchxxxxxx(config-web-page)# exit
Example 2—The following example shows how Web-Based Page customization is displayed when running the
show running-config command:
switchxxxxxx# show running-config
.
.
.
dot1x page customization
data ********
exit
.
.
.
2.5 description
To specify a description for an 802.1X credential structure, use the description command in
Dot1x credentials configuration mode. To remove the description, use the no form of this
command.
Syntax
description text
no description
Parameters
• text—Text description. The description can be up to 80 characters.
Default Configuration
A description is not specified.
Command Mode
Dot1x credentials configuration mode
User Guidelines
An 802.1X credential structure is necessary when configuring the switch as a supplicant
(client). This credentials structure must contain a username and password and may contain a
description.
Example
The following example configures an 802.1X credential structure:
switchxxxxxx(config)# dot1x credentials site-A
switchxxxxxx(config-dot1x-cred)# username inner-switch
switchxxxxxx(config-dot1x-cred)# password 6f3c576n8
switchxxxxxx(config-dot1x-cred)# description This credentials profile should be used to connected to site-A
2.6 dot1x auth-not-req
To enable unauthorized devices access to a VLAN, use the dot1x auth-not-req command in
Interface (VLAN) Configuration mode. To disable access to a VLAN, use the no form of this
command.
Syntax
dot1x auth-not-req
no dot1x auth-not-req
Parameters
N/A
Default Configuration
Access is enabled.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
The guest VLAN cannot be configured as an unauthorized VLAN.
Example
The following example enables unauthorized devices access to VLAN 5.
switchxxxxxx(config)# interface vlan 5
switchxxxxxx(config-if)# dot1x auth-not-req
2.7 dot1x authentication
To enable authentication methods on a port, use the dot1x authentication command in
Interface Configuration mode. To restore the default configuration, use the no form of this
command.
Syntax
dot1x authentication [802.1x] [mac] [web]
no dot1x authentication
Parameters
• 802.1x—Enables authentication based on 802.1X (802.1X-based authentication).
• mac—Enables authentication based on the station's MAC address (MAC-Based
authentication).
• web—Enables WEB-Based authentication.
Default Configuration
802.1X-Based authentication is enabled.
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
Static MAC addresses cannot be authorized by the MAC-based method.
It is not recommended to change a dynamic MAC address to a static one or delete it if the
MAC address was authorized by the MAC-based authentication:
a. If a dynamic MAC address authenticated by MAC-based authentication is changed to a
static one, it will not be manually re-authenticated.
b. Removing a dynamic MAC address authenticated by the MAC-based authentication
causes its re-authentication.
In accordance with the 802.1x standard, the 802.1x protocol runs on each Ethernet port
associated with the port channel by the channel-group command. The authorized and
unauthorized states are applied to the ports associated with a port channel rather than to the
port channel itself. Only authorized Ethernet ports can be active in a port channel.
802.1x enabled on a port associated with a port channel has the following limitations:
• Only the 802.1X-based authentication is supported.
• Only the multi-host (legacy 802.1x mode) mode is supported.
Example
The following example enables authentication based on 802.1x and the station’s MAC address
on port te1/0/1:
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# dot1x authentication 802.1x mac
2.8 dot1x credentials
To define the name of an 802.1X credential structure and enter the Dot1x credentials
configuration mode, use the dot1x credentials command in Global Configuration mode. To
remove the credential structure, use the no form of this command.
Syntax
dot1x credentials name
no dot1x credentials name
Parameters
• name—The credential structure name up to 32 characters.
Default Configuration
A credentials structure is not specified.
Command Mode
Global Configuration mode
User Guidelines
Use the dot1x credentials command to start configuring a credential structure. The
credential structure contains the supplicant (client) parameters and is used when the
802.1X supplicant is enabled on an interface. To enable the 802.1X supplicant on an interface,
use the dot1x supplicant command.
The following CLI commands can be configured in Dot1x credentials configuration mode:
• description
• password
• username (dot1x credentials)
Each of these commands can be configured several times; each new configuration overrides
the previous one.
The credential configuration takes effect only after exiting the credential context.
Changing the configuration of a credential that is in use causes the supplicant to log off and log on again.
The switch supports up to 24 credentials.
Use the no dot1x credentials command to delete a credential. A credential that is in use cannot be
deleted.
Example
The following example configures an 802.1X credential structure:
switchxxxxxx(config)# dot1x credentials site-A
switchxxxxxx(config-dot1x-cred)# username inner-switch
switchxxxxxx(config-dot1x-cred)# password agrcx5642
switchxxxxxx(config-dot1x-cred)# description This credentials profile should be used to connected to site-A
2.9 dot1x eap-max-retrans
To set the maximum number of EAP retransmissions, use the dot1x eap-max-retrans command
in Interface Configuration mode. To restore the default configuration, use the no form of this
command.
Syntax
dot1x eap-max-retrans count
no dot1x eap-max-retrans
Parameters
• count—Specifies the maximum number of times that the EAP Server (EAP
Authenticator) retransmits an EAP request when no response from an EAP client (EAP
Peer) was received. (Range: 1–10).
Default Configuration
The default maximum number of attempts is 2.
Command Mode
Interface (Ethernet, OOB) Configuration mode
User Guidelines
The default value of this command should be changed only to adjust to unusual circumstances,
such as unreliable links or specific behavioral problems with certain clients and authentication
servers.
The parameter is used by the 802.1x Supplicant.
Example
The following example sets the maximum number of EAP retransmissions to 6:
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# dot1x eap-max-retrans 6
2.10 dot1x guest-vlan
To define a guest VLAN, use the dot1x guest-vlan mode command in Interface (VLAN)
Configuration mode. To restore the default configuration, use the no form of this command.
Syntax
dot1x guest-vlan
no dot1x guest-vlan
Parameters
N/A
Default Configuration
No VLAN is defined as a guest VLAN.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
Use the dot1x guest-vlan enable command to enable unauthorized users on an interface to
access the guest VLAN.
A device can have only one global guest VLAN.
The guest VLAN must be a static VLAN and it cannot be removed.
An unauthorized VLAN cannot be configured as guest VLAN.
Example
The following example defines VLAN 2 as a guest VLAN.
switchxxxxxx(config)# interface vlan 2
switchxxxxxx(config-if)# dot1x guest-vlan
2.11 dot1x guest-vlan enable
To enable unauthorized users on the access interface to access the guest VLAN, use the dot1x
guest-vlan enable command in Interface Configuration mode. To disable access, use the no
form of this command.
Syntax
dot1x guest-vlan enable
no dot1x guest-vlan enable
Parameters
N/A
Default Configuration
The default configuration is disabled.
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
The guest VLAN and the WEB-Based authentication cannot be configured on a port at the
same time.
This command cannot be configured if the monitoring VLAN is enabled on the interface.
If the port does not belong to the guest VLAN, it is added to the guest VLAN as an egress
untagged port.
If the authentication mode is single-host or multi-host, the value of PVID is set to the guest
VLAN_ID.
If the authentication mode is multi-sessions mode, the PVID is not changed and all untagged
traffic and tagged traffic not belonging to the unauthenticated VLANs from unauthorized hosts
are mapped to the guest VLAN.
If 802.1X is disabled, the port static configuration is reset.
See the User Guidelines of the dot1x host-mode command for more information.
Example
The following example enables unauthorized users on te1/0/1 to access the guest VLAN.
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# dot1x guest-vlan enable
2.12 dot1x guest-vlan timeout
To set the time delay between enabling 802.1X (or port up) and adding a port to the guest
VLAN, use the dot1x guest-vlan timeout command in Global Configuration mode. To restore
the default configuration, use the no form of this command.
Syntax
dot1x guest-vlan timeout timeout
no dot1x guest-vlan timeout
Parameters
• timeout—Specifies the time delay in seconds between enabling 802.1X (or port up)
and adding the port to the guest VLAN. (Range: 30–180).
Default Configuration
The guest VLAN is applied immediately.
Command Mode
Global Configuration mode
User Guidelines
This command is relevant if the guest VLAN is enabled on the port. Configuring the timeout
adds a delay from enabling 802.1X (or port up) to the time the device adds the port to the guest
VLAN.
Example
The following example sets the delay between enabling 802.1X and adding a port to a guest
VLAN to 60 seconds.
switchxxxxxx(config)# dot1x guest-vlan timeout 60
2.13 dot1x host-mode
To allow a single host (client) or multiple hosts on an IEEE 802.1X-authorized port, use the
dot1x host-mode command in Interface Configuration mode. To restore the default
configuration, use the no form of this command.
Syntax
dot1x host-mode {multi-host | single-host | multi-sessions}
Parameters
• multi-host—Enable multiple-hosts mode.
• single-host—Enable single-host mode.
• multi-sessions—Enable multiple-sessions mode.
Default Configuration
Default mode is multi-host.
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
Single-Host Mode
The single-host mode manages the authentication status of the port: the port is authorized if
there is an authorized host. In this mode, only a single host can be authorized on the port.
When a port is unauthorized and the guest VLAN is enabled, untagged traffic is remapped to
the guest VLAN. Tagged traffic is dropped unless the VLAN tag is the guest VLAN or the
unauthenticated VLANs. If guest VLAN is not enabled on the port, only tagged traffic
belonging to the unauthenticated VLANs is bridged.
When a port is authorized, untagged and tagged traffic from the authorized host is bridged
based on the static VLAN membership configured at the port. Traffic from other hosts is
dropped.
A user can specify that untagged traffic from the authorized host will be remapped to a VLAN
that is assigned by a RADIUS server during the authentication process. In this case, tagged
traffic is dropped unless the VLAN tag is the RADIUS-assigned VLAN or the unauthenticated
VLANs. See the dot1x radius-attributes vlan command to enable RADIUS VLAN
assignment at a port.
The switch removes from FDB all MAC addresses learned on a port when its authentication
status is changed from authorized to unauthorized.
Multi-Host Mode
The multi-host mode manages the authentication status of the port: the port is authorized after
at least one host is authorized.
When a port is unauthorized and the guest VLAN is enabled, untagged traffic is remapped to
the guest VLAN. Tagged traffic is dropped unless the VLAN tag is the guest VLAN or the
unauthenticated VLANs. If guest VLAN is not enabled on the port, only tagged traffic
belonging to the unauthenticated VLANs is bridged.
When a port is authorized, untagged and tagged traffic from all hosts connected to the port is
bridged based on the static VLAN membership configured at the port.
A user can specify that untagged traffic from the authorized port will be remapped to a VLAN
that is assigned by a RADIUS server during the authentication process. In this case, tagged
traffic is dropped unless the VLAN tag is the RADIUS assigned VLAN or the unauthenticated
VLANs. See the dot1x radius-attributes vlan command to enable RADIUS VLAN
assignment at a port.
The switch removes from FDB all MAC addresses learned on a port when its authentication
status is changed from authorized to unauthorized.
Multi-Sessions Mode
Unlike the single-host and multi-host modes (port-based modes), the multi-sessions mode
manages the authentication status for each host connected to the port (session-based mode). If
the multi-sessions mode is configured on a port, the port does not have any authentication status.
Any number of hosts can be authorized on the port. The dot1x max-hosts command can limit
the maximum number of authorized hosts allowed on the port.
Each authorized client requires a TCAM rule. If there is no available space in the TCAM, the
authentication is rejected.
When using the dot1x host-mode command to change the port mode to single-host or
multi-host when authentication is enabled, the port state is set to unauthorized.
If the dot1x host-mode command changes the port mode to multi-sessions when
authentication is enabled, the state of all attached hosts is set to unauthorized.
To change the port mode to single-host or multi-host, set the port (dot1x port-control) to
force-unauthorized, change the port mode to single-host or multi-host, and set the port to
authorization auto.
Multi-sessions mode cannot be configured on the same interface together with Policy Based
VLANs configured by the following commands:
- switchport general map protocol-group vlans
- switchport general map macs-group vlans
Tagged traffic belonging to the unauthenticated VLANs is always bridged, regardless of whether a host
is authorized or not.
When the guest VLAN is enabled, untagged and tagged traffic from unauthorized hosts not
belonging to the unauthenticated VLANs is bridged via the guest VLAN.
Traffic from an authorized host is bridged in accordance with the port static configuration. A
user can specify that untagged and tagged traffic from the authorized host not belonging to the
unauthenticated VLANs will be remapped to a VLAN that is assigned by a RADIUS server
during the authentication process. See the dot1x radius-attributes vlan command to enable
RADIUS VLAN assignment at a port.
The switch does not remove from FDB the host MAC address learned on the port when its
authentication status is changed from authorized to unauthorized. The MAC address will be
removed after the aging timeout expires.
In accordance with the 802.1x standard, the 802.1x protocol runs on each Ethernet port
associated to the port channel by the channel-group command. The “authorized” and
“unauthorized” states are applied to the ports associated with a port channel rather than to the port
channel itself. Only authorized Ethernet ports can be active in a port channel.
802.1x enabled on a port associated with a port channel has the following limitations:
• Only the 802.1X-based authentication is supported.
• Only the multi-host (legacy 802.1x mode) mode is supported.
Example
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# dot1x host-mode multi-host
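The per-frame rules in the User Guidelines above, written as one decision function so the three host modes can be compared side by side. This is an added illustration, not Cisco code or switch output: the Port fields, the function names and the returned action names are hypothetical. The drop result for an unauthorized host in multi-sessions mode without a guest VLAN is an assumption, since the guidelines describe no other path for that traffic.

```python
from dataclasses import dataclass
from typing import Optional

PORT_BASED = ("single-host", "multi-host")


@dataclass(frozen=True)
class Port:
    """Constructed model of one 802.1X port; field names are hypothetical."""
    host_mode: str                          # single-host | multi-host | multi-sessions
    guest_vlan: Optional[int] = None        # set when the guest VLAN is enabled on the port
    unauth_vlans: frozenset = frozenset()   # the "unauthenticated VLANs"
    radius_vlan: Optional[int] = None       # VLAN assigned by RADIUS, if any
    authorized: frozenset = frozenset()     # MACs of hosts that authenticated


def classify(port, src_mac, tag=None):
    """Return (action, vlan) for one ingress frame; tag=None means untagged."""
    if port.host_mode not in PORT_BASED + ("multi-sessions",):
        raise ValueError(f"unknown host mode: {port.host_mode}")
    if port.host_mode == "single-host" and len(port.authorized) > 1:
        raise ValueError("single-host mode authorizes only one host")

    in_unauth_vlan = tag is not None and tag in port.unauth_vlans
    host_ok = src_mac in port.authorized

    if port.host_mode == "multi-sessions":
        # Session-based: the decision depends on the sending host, not the port.
        if in_unauth_vlan:
            return ("bridge", tag)          # always bridged, authorized or not
        if host_ok:
            if port.radius_vlan is not None:
                return ("radius", port.radius_vlan)
            return ("static", None)         # port static configuration applies
        if port.guest_vlan is not None:
            return ("guest", port.guest_vlan)
        return ("drop", None)               # assumption: no other path is described

    # Port-based modes: the port as a whole is authorized or unauthorized.
    if not port.authorized:
        if tag is None:
            if port.guest_vlan is not None:
                return ("guest", port.guest_vlan)
            return ("drop", None)           # only tagged unauthenticated-VLAN traffic passes
        if in_unauth_vlan or (port.guest_vlan is not None and tag == port.guest_vlan):
            return ("bridge", tag)
        return ("drop", None)

    if port.host_mode == "single-host" and not host_ok:
        return ("drop", None)               # "Traffic from other hosts is dropped."
    if port.radius_vlan is None:
        return ("static", None)             # bridged per static VLAN membership
    if tag is None:
        return ("radius", port.radius_vlan)
    if in_unauth_vlan or tag == port.radius_vlan:
        return ("bridge", tag)
    return ("drop", None)


def second_host_after_first_login():
    """Untagged frame from host B after host A authenticated, per host mode.

    MAC labels "A" and "B" are constructed sample values.
    """
    return {
        mode: classify(Port(mode, authorized=frozenset({"A"})), "B")
        for mode in PORT_BASED + ("multi-sessions",)
    }


if __name__ == "__main__":
    for mode, result in second_host_after_first_login().items():
        print(f"{mode:15s} -> {result}")
```

The comparison shows the difference that matters when choosing a mode: in multi-host mode a second, never-authenticated host is bridged once any host on the port has authenticated, while single-host and multi-sessions do not bridge it.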
2.14 dot1x mac-auth
To specify the type (EAP or Radius) and the MAC-based username format that MAC-Based
authentication will use, use the dot1x mac-auth command in Global Configuration mode. To
reset the default configuration, use the no form of the command.
Syntax
dot1x mac-auth {eap | radius} [username groupsize {1|2|4|12} separator {- | : |.}
[lowercase | uppercase]]
no dot1x mac-auth
Parameters
• eap—Specifies that the EAP MD5-Challenge authentication is used.
• radius—Specifies that only Radius (without EAP) authentication with the
Service-Type attribute equal to Call-Check(10) is used.
• username—Specifies the format of the username. If the keyword is not configured, the
format without a separator and in lower case is applied:
username groupsize 12 separator - lowercase
• groupsize—Specifies the number of ASCII characters between delimiters.
• separator—Specifies the delimiter.
• lowercase—Specifies that the username is coded in lower case. This argument is
applied if the case argument is not configured.
• uppercase—Specifies that the username is coded in upper case.
Default Configuration
EAP MD5-Challenge Authentication
Command Mode
Global Configuration mode
User Guidelines
The switch supports the following two types of MAC-Based authentication with the host
MAC address as user name and password defined by the dot1x mac-auth password
command:
• EAP MD5-Challenge authentication.
• Pure Radius authentication with the Service-Type attribute equal to Call-Check(10)
and with username and password in the ASCII format.
Use the eap keyword to specify the EAP MD5-Challenge authentication type.
Use the radius keyword to specify the pure Radius authentication type. The pure Radius
authentication uses the following Radius attributes:
• User-Name: Host MAC address
• Password
• Service-Type: Call-Check(10)
• Frame-MTU
• Called-Station-Id: MAC address of the switch
• Calling-Station-Id: MAC address of the host
• Message-Authentication
• NAS-Port-Type: Ethernet(15)
• NAS-Port: ifIndex of the port where the host is connected to
• NAS-Port-Id: full CLI name of the port where the host is connected to (for example:
GigabitEthernet2/0/2)
• NAS-IP-Address: IP address of the switch
Use the username keyword to specify the format of the Username attributes. The following
table gives examples of the Username coding for MAC address 08002b8619de:
Table 3: Examples of Username coding
Size  Separator  Username
1     -          0-8-0-0-2-b-8-6-1-9-d-e
2     :          08:00:2b:86:19:de
4     .          0800.2b86.19de
12    N/A        08002b8619de
Changing the username format or the authentication type (EAP or Radius) causes
reauthentication.
Examples
Example 1. The following example specifies that MAC-Based authentication will use the pure
Radius authentication and specifies the attributes to use in username based on the station’s
MAC address:
switchxxxxxx(config)# dot1x mac-auth radius username groupsize 2 separator : uppercase
Example 2. The following example specifies that MAC-Based authentication will use the EAP
MD5-Challenge authentication. The username format will be set to the format without a separator,
in lower case:
switchxxxxxx(config)# dot1x mac-auth eap
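To provision RADIUS user entries that match what the switch sends, the username coding configured by dot1x mac-auth has to be reproduced on the server side. The following added example (not from the Cisco guide; the function names are hypothetical) parses a dot1x mac-auth line and builds the User-Name string for a MAC address, reproducing the rows of Table 3.

```python
import re

VALID_GROUPSIZES = (1, 2, 4, 12)
VALID_SEPARATORS = ("-", ":", ".")
VALID_CASES = ("lowercase", "uppercase")

# Grammar taken from the Syntax section of dot1x mac-auth.
_CMD = re.compile(
    r"^dot1x mac-auth (?P<type>eap|radius)"
    r"(?: username groupsize (?P<size>1|2|4|12) separator (?P<sep>[-:.])"
    r"(?: (?P<case>lowercase|uppercase))?)?$"
)


def parse_mac_auth(line):
    """Parse one 'dot1x mac-auth' line, with or without a CLI prompt in front."""
    command = " ".join(line.split("#", 1)[-1].split())
    match = _CMD.match(command)
    if match is None:
        raise ValueError(f"not a dot1x mac-auth command: {line!r}")
    # Without the username keyword the guide's default applies:
    # username groupsize 12 separator - lowercase
    return {
        "type": match["type"],
        "groupsize": int(match["size"]) if match["size"] else 12,
        "separator": match["sep"] or "-",
        "case": match["case"] or "lowercase",
    }


def _hex_digits(mac):
    """Accept common MAC notations and return 12 lower-case hex digits."""
    digits = re.sub(r"[-:.\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def mac_auth_username(mac, groupsize=12, separator="-", case="lowercase"):
    """Build the User-Name for `mac` under the given username coding."""
    if groupsize not in VALID_GROUPSIZES:
        raise ValueError(f"groupsize must be one of {VALID_GROUPSIZES}")
    if separator not in VALID_SEPARATORS:
        raise ValueError(f"separator must be one of {VALID_SEPARATORS}")
    if case not in VALID_CASES:
        raise ValueError(f"case must be one of {VALID_CASES}")
    digits = _hex_digits(mac)
    # With groupsize 12 there is a single group, so no separator appears.
    groups = [digits[i:i + groupsize] for i in range(0, 12, groupsize)]
    name = separator.join(groups)
    return name.upper() if case == "uppercase" else name


def usernames_for(config_line, macs):
    """Map each MAC to the User-Name expected under the configured format."""
    fmt = parse_mac_auth(config_line)
    return {
        mac: mac_auth_username(mac, fmt["groupsize"], fmt["separator"], fmt["case"])
        for mac in macs
    }


if __name__ == "__main__":
    # The command from Example 1 and the MAC address used in Table 3.
    line = "switchxxxxxx(config)# dot1x mac-auth radius username groupsize 2 separator : uppercase"
    print(usernames_for(line, ["08002b8619de"]))
```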
2.15 dot1x mac-auth password
To specify a global password for MAC-Based authentication, use the dot1x mac-auth
password command in Global Configuration mode. To remove the password, use the no form
of this command.
Syntax
encrypted dot1x mac-auth password encrypted-password
dot1x mac-auth password password
no dot1x mac-auth password
Parameters
• encrypted-password—The password in encrypted format.
• password—The password up to 32 characters.
Default Configuration
Username.
Command Mode
Global Configuration mode
User Guidelines
Use this command to specify a password that will be used for MAC-Based authentication
instead of the host MAC address.
Changing the password or its format causes reauthentication.
Example
The following example configures a global password for MAC-Based authentication:
switchxxxxxx(config)# dot1x mac-auth password 87b$#9hv5*
2.16 dot1x max-hosts
To configure the maximum number of authorized hosts allowed on the interface, use the dot1x
max-hosts command in Interface Configuration mode. To restore the default configuration,
use the no form of this command.
Syntax
dot1x max-hosts count
no dot1x max-hosts
Parameters
• count—Specifies the maximum number of authorized hosts allowed on the interface.
May be any positive 32-bit number.
Default Configuration
No limitation.
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
By default, the number of authorized hosts allowed on an interface is not limited. To limit the
number of authorized hosts allowed on an interface, use the dot1x max-hosts command.
This command is relevant only for multi-sessions mode.
Example
The following example limits the maximum number of authorized hosts on Ethernet port
te1/0/1 to 6:
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# dot1x max-hosts 6
2.17 dot1x max-login-attempts
To set the maximum number of allowed login attempts, use the dot1x max-login-attempts
command in Interface Configuration mode. To restore the default configuration, use the no
form of this command.
Syntax
dot1x max-login-attempts count
no dot1x max-login-attempts
Parameters
• count—Specifies the maximum number of allowed login attempts. A value of 0 means
an infinite number of attempts. The valid range is 3-10.
Default Configuration
Unlimited.
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
By default, the switch does not limit the number of failed login attempts. To specify the
number of allowed failed login attempts, use this command. After this number of failed login
attempts, the switch does not allow the host to be authenticated for a period defined by the
dot1x timeout quiet-period command.
The command is applied only to the Web-based authentication.
Example
The following example sets the maximum number of allowed login attempts to 5:
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# dot1x max-login-attempts 5
2.18 dot1x max-req
To set the maximum number of times that the device sends an Extensible Authentication
Protocol (EAP) request/identity frame (assuming that no response is received) to the client
before restarting the authentication process, use the dot1x max-req command in Interface
Configuration mode. To restore the default configuration, use the no form of this command.
Syntax
dot1x max-req count
no dot1x max-req
Parameters
• count—Specifies the maximum number of times that the device sends an EAP
request/identity frame before restarting the authentication process. (Range: 1–10).
Default Configuration
The default maximum number of attempts is 2.
Command Mode
Interface (Ethernet, OOB) Configuration mode
User Guidelines
The default value of this command should be changed only to adjust to unusual circumstances,
such as unreliable links or specific behavioral problems with certain clients and authentication
servers.
Example
The following example sets the maximum number of times that the device sends an EAP
request/identity frame to 6.
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# dot1x max-req 6
2.19 dot1x page customization
To enter Web-Based Page Customization Configuration mode, use the dot1x page
customization command in Global Configuration mode.
Syntax
dot1x page customization
Parameters
N/A
Default Configuration
No user customization.
Command Mode
Global Configuration mode
User Guidelines
The command should not be entered or edited manually (except when using copy-paste). It is
part of the configuration file produced by the switch.
A user must customize the web-based authentication pages by using the browser interface.
Example
The following example shows part of a web-based page customization configuration:
switchxxxxxx(config)# dot1x page customization
switchxxxxxx(config-web-page)# data 1feabcde
switchxxxxxx(config-web-page)# data 17645874
switchxxxxxx(config-web-page)# exit
2.20 dot1x port-control
To enable manual control of the port authorization state, use the dot1x port-control command
in Interface Configuration mode. To restore the default configuration, use the no form of this
command.
Syntax
dot1x port-control {auto | force-authorized | force-unauthorized} [time-range
time-range-name]
no dot1x port-control
Parameters
• auto—Enables 802.1X authentication on the port and causes it to transition to the
authorized or unauthorized state, based on the 802.1X authentication exchange
between the device and the client.
• force-authorized—Disables 802.1X authentication on the interface and causes the
port to transition to the authorized state without any authentication exchange required.
The port sends and receives traffic without 802.1X-based client authentication.
• force-unauthorized—Denies all access through this port by forcing it to transition to
the unauthorized state and ignoring all attempts by the client to authenticate. The
device cannot provide authentication services to the client through this port.
• time-range time-range-name—Specifies a time range. When the Time Range is not in
effect, the port state is Unauthorized. (Range: 1-32 characters).
Default Configuration
The port is in the force-authorized state.
Command Mode
Interface (Ethernet, OOB) Configuration mode
User Guidelines
802.1X authentication cannot be enabled on an interface if the port security feature is
already enabled on the same interface.
The switch removes all MAC addresses learned on a port when its authorization control is
changed from force-authorized to another state.
Note. It is recommended to disable spanning tree or to enable spanning-tree PortFast mode on
802.1X edge ports in auto state that are connected to end stations, in order to proceed to the
forwarding state immediately after successful authentication.
Example
The following example sets 802.1X authentication on te1/0/1 to auto mode.
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# dot1x port-control auto
2.21 dot1x radius-attributes vlan
To enable RADIUS-based VLAN assignment, use the dot1x radius-attributes vlan
command in Interface Configuration mode. To disable RADIUS-based VLAN assignment, use
the no form of this command.
Syntax
dot1x radius-attributes vlan [reject | static]
no dot1x radius-attributes vlan
Parameters
• reject—If the RADIUS server authorized the supplicant, but did not provide a
supplicant VLAN, the supplicant is rejected. If the parameter is omitted, this option is
applied by default.
• static—If the RADIUS server authorized the supplicant, but did not provide a
supplicant VLAN, the supplicant is accepted.
Default Configuration
reject
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
If RADIUS provides invalid VLAN information, the authentication is rejected.
If a RADIUS server assigns a client with a non-existing VLAN, the switch creates the VLAN.
The VLAN is removed when it is no longer being used.
If RADIUS provides valid VLAN information and the port does not belong to the VLAN
received from RADIUS, it is added to the VLAN as an egress untagged port. When the last
authorized client assigned to the VLAN becomes unauthorized or 802.1x is disabled on the
port, the port is excluded from the VLAN.
If the authentication mode is single-host or multi-host, the value of PVID is set to the
VLAN_ID.
If an authorized port in the single-host or multi-host mode changes its status to unauthorized,
the port static configuration is reset.
If the authentication mode is multi-sessions mode, the PVID is not changed and all untagged
traffic and tagged traffic not belonging to the unauthenticated VLANs are mapped to the
VLAN using TCAM.
If the last authorized host assigned to a VLAN received from RADIUS connected to a port in
the multi-sessions mode changes its status to unauthorized, the port is removed from the
VLAN if it is not in the static configuration.
See the User Guidelines of the dot1x host-mode command for more information.
If 802.1X is disabled, the port static configuration is reset.
If the reject keyword is configured and the RADIUS server authorizes the host but the
RADIUS accept message does not assign a VLAN to the supplicant, authentication is rejected.
If the static keyword is configured and the RADIUS server authorizes the host then even
though the RADIUS accept message does not assign a VLAN to the supplicant, authentication
is accepted and the traffic from the host is bridged in accordance with port static configuration.
If this command is used when there are authorized ports/hosts, it takes effect at subsequent
authentications. To manually re-authenticate, use the dot1x re-authenticate command.
The command cannot be configured on a port associated to a port channel by the
channel-group command.
The command cannot be configured on the OOB port.
The command cannot be configured on a port together with:
• WEB-Based authentication
• Q-in-Q
Examples
Example 1. This example enables user-based VLAN assignment. If the RADIUS server
authorized the supplicant, but did not provide a supplicant VLAN, the supplicant is rejected.
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# dot1x radius-attributes vlan
switchxxxxxx(config-if)# exit
Example 2. This example enables user-based VLAN assignment. If the RADIUS server
authorized the supplicant but did not provide a supplicant VLAN, the supplicant is accepted
and the static VLAN configuration is used.
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# dot1x radius-attributes vlan static
switchxxxxxx(config-if)# exit
2.22 dot1x re-authenticate
To manually initiate re-authentication of all 802.1X-enabled ports or the specified
802.1X-enabled port, use the dot1x re-authenticate command in Privileged EXEC mode.
Syntax
dot1x re-authenticate [interface-id]
Parameters
• interface-id—Specifies an Ethernet port or OOB port.
Default Configuration
If no port is specified, the command is applied to all ports.
Command Mode
Privileged EXEC mode
Example
The following command manually initiates re-authentication of 802.1X-enabled te1/0/1:
switchxxxxxx# dot1x re-authenticate te1/0/1
2.23 dot1x reauthentication
To enable periodic re-authentication of the client, use the dot1x reauthentication command in
Interface Configuration mode. To restore the default configuration, use the no form of this
command.
Syntax
dot1x reauthentication
no dot1x reauthentication
Parameters
N/A
Default Configuration
Periodic re-authentication is disabled.
Command Mode
Interface (Ethernet, OOB) Configuration mode
Example
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# dot1x reauthentication
2.24 dot1x supplicant
To enable the dot1x supplicant role for a given interface, use the dot1x supplicant command
in Interface Configuration mode. To restore the default configuration, use the no form of this
command.
Syntax
dot1x supplicant name
no dot1x supplicant
Parameters
• name—The name of the credential structure applied on the interface.
Default Configuration
The supplicant role is disabled.
Command Mode
Interface (Ethernet, OOB) Configuration mode
User Guidelines
Use the dot1x supplicant command to enable the dot1x supplicant on a given interface. When
the supplicant is enabled on an interface, the interface becomes unauthorized. When the
802.1X authentication succeeds, the interface state is changed to authorized.
If the name argument specifies an undefined or not fully defined (password or username is not
configured) 802.1X credential structure, the command is rejected.
Authenticator and Supplicant cannot be enabled together on the same interface.
The command cannot be configured more than once on the same port. To replace the configured
credential, use the no form of the command before configuring a new credential.
Unlike an unauthorized authenticator interface, an unauthorized supplicant interface does not
limit any traffic passed through.
In accordance with the 802.1x standard, the 802.1x protocol runs on each Ethernet port
associated to the port channel by the channel-group command. The authorized and
unauthorized states are applied to the ports associated with a port channel rather than to the port
channel itself.
The following events start the 802.1X supplicant authentication on a port:
• The dot1x supplicant command enables the supplicant on the port in the UP status.
• The status of the port is changed to UP and the supplicant is enabled on the port.
• The EAP Identifier Request message is received on the port and the supplicant is
enabled on the port.
If the supplicant does not receive a response from the Radius server (SUCCESS or FAIL) in
the time period specified by the dot1x guest-vlan command, it restarts authentication up to the
number of times specified by the dot1x eap-max-retrans command. After the maximum number of attempts,
the supplicant stops authentication and waits for the EAP Identity Request from the
Authenticator that will restart authentication.
If the supplicant receives the FAIL response from the Radius server, it waits for the time period
specified by the dot1x timeout supplicant-held-period command before restarting
authentication.
The supplicant will repeat authentication in the time specified by the dot1x timeout
supplicant-held-period command.
Example
The following example configures an 802.1X supplicant on port te1/0/1:
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# dot1x supplicant upstream-port
2.25 dot1x supplicant traps authentication failure
To enable sending traps when an 802.1X supplicant authentication fails, use the dot1x
supplicant traps authentication failure command in Global Configuration mode. To restore
the default configuration, use the no form of this command.
Syntax
dot1x supplicant traps authentication failure
no dot1x supplicant traps authentication failure
Parameters
N/A
Default Configuration
Traps are disabled.
Command Mode
Global Configuration mode
User Guidelines
A rate limit is applied to the traps: not more than one trap of this type can be sent in 10 seconds.
Example
The following example enables sending traps when an 802.1X supplicant authentication fails:
switchxxxxxx(config)# dot1x supplicant traps authentication failure
2.26 dot1x supplicant traps authentication success
To enable sending traps when an 802.1X supplicant authentication succeeds, use the dot1x
supplicant traps authentication success command in Global Configuration mode. To restore
the default configuration, use the no form of this command.
Syntax
dot1x supplicant traps authentication success
no dot1x supplicant traps authentication success
Parameters
N/A
Default Configuration
Traps are disabled.
Command Mode
Global Configuration mode
User Guidelines
A rate limit is applied to the traps: not more than one trap of this type can be sent in 10 seconds.
Example
The following example enables sending traps when an 802.1X supplicant authentication
succeeds:
switchxxxxxx(config)# dot1x supplicant traps authentication success
2.27 dot1x system-auth-control
To enable 802.1X globally, use the dot1x system-auth-control command in Global
Configuration mode. To restore the default configuration, use the no form of this command.
Syntax
dot1x system-auth-control
no dot1x system-auth-control
Parameters
N/A
Default Configuration
Disabled.
Command Mode
Global Configuration mode
Example
The following example enables 802.1X globally.
switchxxxxxx(config)# dot1x system-auth-control
2.28 dot1x timeout eap-timeout
To set the EAP timeout, use the dot1x timeout eap-timeout command in Interface
Configuration mode. To restore the default configuration, use the no form of this command.
Syntax
dot1x timeout eap-timeout seconds
no dot1x timeout eap-timeout
Parameters
• seconds—Specifies the time interval in seconds during which the EAP Server (EAP
Authenticator) waits for a response from the EAP client (EAP Peer) before the request
retransmission. (Range: 1–65535 seconds).
Default Configuration
The default timeout period is 30 seconds.
Command Mode
Interface (Ethernet, OOB) Configuration mode
User Guidelines
The default value of this command should be changed only to adjust to unusual circumstances,
such as unreliable links or specific behavioral problems with certain clients and authentication
servers.
The parameter is used by the 802.1x Supplicant.
Example
The following example sets the EAP timeout to 45 seconds.
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# dot1x timeout eap-timeout 45
2.29 dot1x timeout quiet-period
To set the time interval that the device remains in a quiet state following a failed authentication
exchange, use the dot1x timeout quiet-period command in Interface Configuration mode. To
restore the default configuration, use the no form of this command.
Syntax
dot1x timeout quiet-period seconds
no dot1x timeout quiet-period
Parameters
• seconds—Specifies the time interval in seconds that the device remains in a quiet state
following a failed authentication exchange with a client. (Range: 10–65535 seconds).
Default Configuration
The default quiet period is 60 seconds.
Command Mode
Interface (Ethernet, OOB) Configuration mode
User Guidelines
During the quiet period, the device does not accept or initiate authentication requests.
The default value of this command should only be changed to adjust to unusual circumstances,
such as unreliable links or specific behavioral problems with certain clients and authentication
servers.
To provide faster response time to the user, a smaller number than the default value should be
entered.
For 802.1x and MAC-based authentication, the number of failed logins is 1.
For WEB-based authentication, the quiet period is applied after a number of failed attempts.
This number is configured by the dot1x max-login-attempts command.
For 802.1x-based and MAC-based authentication methods, the quiet period is applied after
each failed attempt.
Example
The following example sets the time interval that the device remains in the quiet state
following a failed authentication exchange to 120 seconds.
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# dot1x timeout quiet-period 120
2.30 dot1x timeout reauth-period
To set the number of seconds between re-authentication attempts, use the dot1x timeout
reauth-period command in Interface Configuration mode. To restore the default
configuration, use the no form of this command.
Syntax
dot1x timeout reauth-period seconds
no dot1x timeout reauth-period
Parameters
• reauth-period seconds—Number of seconds between re-authentication attempts.
(Range: 300-4294967295).
Default Configuration
3600
Command Mode
Interface (Ethernet, OOB) Configuration mode
User Guidelines
The command is only applied to the 802.1x authentication method.
Example
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# dot1x timeout reauth-period 5000
2.31 dot1x timeout server-timeout
To set the time interval during which the device waits for a response from the authentication
server, use the dot1x timeout server-timeout command in Interface Configuration mode. To
restore the default configuration, use the no form of this command.
Syntax
dot1x timeout server-timeout seconds
no dot1x timeout server-timeout
Parameters
• server-timeout seconds—Specifies the time interval in seconds during which the
device waits for a response from the authentication server. (Range: 1–65535 seconds).
Default Configuration
The default timeout period is 30 seconds.
Command Mode
Interface (Ethernet, OOB) Configuration mode
User Guidelines
The actual timeout period can be determined by comparing the value specified by this
command to the result of multiplying the number of retries specified by the radius-server
retransmit command by the timeout period specified by the radius-server retransmit
command, and selecting the lower of the two values.
Example
The following example sets the time interval between retransmission of packets to the
authentication server to 3600 seconds.
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# dot1x timeout server-timeout 3600
2.32 dot1x timeout silence-period
To set the authentication silence time, use the dot1x timeout silence-period command in
Interface Configuration mode. To restore the default configuration, use the no form of this
command.
Syntax
dot1x timeout silence-period seconds
no dot1x timeout silence-period
Parameters
• seconds—Specifies the silence interval in seconds. The valid range is 60 - 65535.
Default Configuration
The silence period is not limited.
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
The silence time is the number of seconds an authorized client may go without sending
traffic. If an authorized client does not send traffic during the silence period specified by
the command, the state of the client is changed to unauthorized.
The command is only applied to WEB-based authentication.
Example
The following example sets the authentication silence time to 100 seconds:
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# dot1x timeout silence-period 100
2.33 dot1x timeout supp-timeout
To set the time interval during which the device waits for a response to an Extensible
Authentication Protocol (EAP) request frame from the client before resending the request, use
the dot1x timeout supp-timeout command in Interface Configuration mode. To restore the
default configuration, use the no form of this command.
Syntax
dot1x timeout supp-timeout seconds
no dot1x timeout supp-timeout
Parameters
• supp-timeout seconds—Specifies the time interval in seconds during which the device
waits for a response to an EAP request frame from the client before resending the
request. (Range: 1–65535 seconds).
Default Configuration
The default timeout period is 30 seconds.
Command Mode
Interface (Ethernet, OOB) Configuration mode
User Guidelines
The default value of this command should be changed only to adjust to unusual circumstances,
such as unreliable links or specific behavioral problems with certain clients and authentication
servers.
The command is only applied to the 802.1x authentication method.
Example
The following example sets the time interval during which the device waits for a response to
an EAP request frame from the client before resending the request to 3600 seconds.
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# dot1x timeout supp-timeout 3600
2.34 dot1x timeout supplicant-held-period
To set the time period during which the supplicant waits before restarting authentication after
receiving the FAIL response from the Radius server, use the dot1x timeout
supplicant-held-period command in Interface Configuration mode. To restore the default
configuration, use the no form of this command.
Syntax
dot1x timeout supplicant-held-period seconds
no dot1x timeout supplicant-held-period
Parameters
• seconds—Specifies the time period during which the supplicant waits before restarting
authentication after receiving the FAIL response from the Radius server.
(Range: 1–65535 seconds).
Default Configuration
The default timeout period is 60 seconds.
Command Mode
Interface (Ethernet, OOB) Configuration mode
User Guidelines
The default value of this command should be changed only to adjust to unusual circumstances,
such as unreliable links or specific behavioral problems with certain clients and authentication
servers.
Example
The following example sets the time period during which the supplicant waits before restarting
authentication after receiving the FAIL response from the Radius server to 70 seconds.
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# dot1x timeout supplicant-held-period 70
2.35 dot1x timeout tx-period
To set the time interval during which the device waits for a response to an Extensible
Authentication Protocol (EAP) request/identity frame from the client before resending the
request, use the dot1x timeout tx-period command in Interface Configuration mode. To
restore the default configuration, use the no form of this command.
Syntax
dot1x timeout tx-period seconds
no dot1x timeout tx-period
Parameters
• seconds—Specifies the time interval in seconds during which the device waits for a
response to an EAP-request/identity frame from the client before resending the request.
(Range: 30–65535 seconds).
Default Configuration
The default timeout period is 30 seconds.
Command Mode
Interface (Ethernet, OOB) Configuration mode
User Guidelines
The default value of this command should be changed only to adjust to unusual circumstances,
such as unreliable links or specific behavioral problems with certain clients and authentication
servers.
The command is only applied to the 802.1x authentication method.
Example
The following command sets the time interval during which the device waits for a response to
an EAP request/identity frame to 60 seconds.
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# dot1x timeout tx-period 60
2.36 dot1x traps authentication failure
To enable sending traps when an 802.1X authentication method fails, use the dot1x traps
authentication failure command in Global Configuration mode. To restore the default
configuration, use the no form of this command.
Syntax
dot1x traps authentication failure {[802.1x] [mac] [web]}
no dot1x traps authentication failure
Parameters
• 802.1x—Enables traps for 802.1X-based authentication.
• mac—Enables traps for MAC-based authentication.
• web—Enables traps for WEB-based authentication.
Default Configuration
All traps are disabled.
Command Mode
Global Configuration mode
User Guidelines
Any combination of the keywords is allowed. At least one keyword must be configured.
A rate limit is applied to the traps: not more than one trap of this type can be sent in 10 seconds.
Example
The following example enables sending traps when a MAC address fails to be authorized by the
802.1X MAC-authentication access control.
switchxxxxxx(config)# dot1x traps authentication failure mac
2.37 dot1x traps authentication quiet
To enable sending traps when a host state is set to the quiet state after failing the maximum
number of sequential login attempts, use the dot1x traps authentication quiet command in Global
Configuration mode. To disable the traps, use the no form of this command.
Syntax
dot1x traps authentication quiet
no dot1x traps authentication quiet
Parameters
N/A
Default Configuration
Quiet traps are disabled.
Command Mode
Global Configuration mode
User Guidelines
The traps are sent after the client is set to the quiet state, which happens after the maximum
number of sequential login attempts.
A rate limit is applied to the traps: not more than one trap of this type can be sent in 10 seconds.
Example
The following example enables sending traps when a host is set in the quiet state:
switchxxxxxx(config)# dot1x traps authentication quiet
2.38 dot1x traps authentication success
To enable sending traps when a host is successfully authorized by an 802.1X authentication
method, use the dot1x traps authentication success command in Global Configuration mode.
To disable the traps, use the no form of this command.
Syntax
dot1x traps authentication success {[802.1x] [mac] [web]}
no dot1x traps authentication success
Parameters
• 802.1x—Enables traps for 802.1X-based authentication.
• mac—Enables traps for MAC-based authentication.
• web—Enables traps for WEB-based authentication.
Default Configuration
Success traps are disabled.
Command Mode
Global Configuration mode
User Guidelines
Any combination of the keywords is allowed. At least one keyword must be configured.
A rate limit is applied to the traps: not more than one trap of this type can be sent in 10 seconds.
Example
The following example enables sending traps when a MAC address is successfully authorized by
the 802.1X MAC-authentication access control.
switchxxxxxx(config)# dot1x traps authentication success mac
2.39 dot1x unlock client
To unlock a locked (in the quiet period) client, use the dot1x unlock client command in
Privileged EXEC mode.
Syntax
dot1x unlock client interface-id mac-address
Parameters
• interface-id—ID of the interface to which the client is connected.
• mac-address—Client MAC address.
Default Configuration
The client is locked until the silence interval is over.
Command Mode
Privileged EXEC mode
User Guidelines
Use this command to unlock a client that was locked after the maximum allowed number of
failed authentication attempts and to end the quiet period. If the client is not in the quiet
period, the command has no effect.
Example
switchxxxxxx# dot1x unlock client te1/0/1 00:01:12:af:00:56
2.40 dot1x violation-mode
To configure the action to be taken when an unauthorized host on an authorized port in
single-host mode attempts to access the interface, use the dot1x violation-mode command in
Interface Configuration mode. To restore the default configuration, use the no form of this
command.
Syntax
dot1x violation-mode {restrict | protect | shutdown} [traps seconds]
no dot1x violation-mode
Parameters
• restrict—Generates a trap when a station, whose MAC address is not the supplicant
MAC address, attempts to access the interface. The minimum time between the traps is
1 second. Those frames are forwarded but their source addresses are not learned.
• protect—Discards frames with source addresses that are not the supplicant address.
• shutdown—Discards frames with source addresses that are not the supplicant address
and shuts down the port.
• traps seconds—Sends SNMP traps, and specifies the minimum time between
consecutive traps. If seconds = 0, traps are disabled. If the parameter is not specified, it
defaults to 1 second for the restrict mode and 0 for the other modes.
Default Configuration
Protect
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
The command is relevant only for single-host mode.
BPDU messages whose MAC addresses are not the supplicant MAC address are not
discarded in Protect mode.
BPDU messages whose MAC addresses are not the supplicant MAC address cause a shutdown
in Shutdown mode.
Example
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# dot1x violation-mode protect
2.41 password
To specify a password for an 802.1X credential structure, use the password command in
Dot1x credentials configuration mode. To remove the password, use the no form of this
command.
Syntax
encrypted password encrypted-password
password password
no password
Parameters
• encrypted-password—The password in encrypted format.
• password—The password, up to 64 characters.
Default Configuration
A password is not specified.
Command Mode
Dot1x credentials configuration mode
User Guidelines
An 802.1X credential structure is necessary when configuring a supplicant (client). This
credentials structure must contain a username and password and might contain a description.
Example
The following example configures an 802.1X credential structure:
switchxxxxxx(config)# dot1x credentials site-A
switchxxxxxx(config-dot1x-cred)# username inner-switch
switchxxxxxx(config-dot1x-cred)# password 87b$#9hv5*
switchxxxxxx(config-dot1x-cred)# description This credentials profile should be used to connect to site-A.
2.42 show dot1x
To display the 802.1X interfaces or specified interface status, use the show dot1x command in
Privileged EXEC mode.
Syntax
show dot1x [interface interface-id | detailed]
Parameters
• interface-id—Specifies an Ethernet port or OOB port.
• detailed—Displays information for non-present ports in addition to present ports.
Default Configuration
Display for all ports. If detailed is not used, only present ports are displayed.
If a MAC-Based password is configured using the dot1x mac-auth password command, its
MD5 checksum is displayed, else the Username word is displayed.
Command Mode
Privileged EXEC mode
Example
The following example displays authentication information for all interfaces on which 802.1x
is enabled:
switchxxxxxx# show dot1x
Authentication is enabled
Authenticator Global Configuration:
Authenticating Servers: Radius, None
MAC-Based Authentication:
Type: Radius
Username Groupsize: 2
Username Separator: Username case: Lowercase
Password: MD5 checksum 1238af77aaca17568f12988601fcabed
Unathenticated VLANs: 100, 1000, 1021
Guest VLAN: VLAN 11, timeout 30 sec
Authentication failure traps are enabled for 802.1x+mac
Authentication success traps are enabled for 802.1x
Authentication quiet traps are enabled for 802.1x
Supplicant Global Configuration:
Supplicant Authentication failure traps are enabled
Supplicant Authentication success traps are enabled
te1/0/1
Authenticator is enabled
Supplicant is disabled
Authenticator Configuration:
Host mode: multi-sessions
Authentication methods: 802.1x+mac
Port Adminstrated status: auto
Guest VLAN: enabled
VLAN Radius Attribute: enabled, static
Open access: disabled
Time range name: work_hours (Active now)
Server-timeout: 30 sec
Maximum Hosts: unlimited
Maximum Login Attempts: 3
Reauthentication is enabled
Reauthentication period: 3600 sec
Silence period: 1800 sec
Quiet Period: 60 sec
Interfaces 802.1X-Based Parameters
EAP Timeout: 30 sec
EAP Max-Retrans: 2
Tx period: 30 sec
Supplicant timeout: 30 sec
max-req: 2
Authentication success: 9
Authentication fails: 1
Number of Authorized Hosts: 10
Supplicant Configuration:
retry-max: 2
EAP time period: 15 sec
Supplicant Held Period: 30 sec
te1/0/2
Authenticator is enabled
Supplicant is disabled
Authenticator Configuration:
Host mode: single-host
Authentication methods: 802.1x+mac
Port Adminstrated status: auto
Port Operational status: authorized
Guest VLAN: disabled
VLAN Radius Attribute: enabled
Open access: enabled
Time range name: work_hours (Active now)
Server-timeout: 30 sec
Aplied Authenticating Server: Radius
Applied Authentication method: 802.1x
Session Time (HH:MM:SS): 00:25:22
MAC Address: 00:08:78:32:98:66
Username: Bob
Violation:
Mode: restrict
Trap: enabled
Trap Min Interval: 20 sec
Violations were detected: 9
Reauthentication is enabled
Reauthentication period: 3600 sec
Silence period: 1800 sec
Quiet Period: 60 sec
Interfaces 802.1X-Based Parameters
EAP Timeout: 30 sec
EAP Max-Retrans: 2
Tx period: 30 sec
Supplicant timeout: 30 sec
max-req: 2
Authentication success: 2
Authentication fails: 0
te1/0/3
Authenticator is enabled
Supplicant is disabled
Authenticator Configuration:
Host mode: multi-host
Authentication methods: 802.1x+mac
Port Adminstrated status: auto
Port Operational status: authorized
Guest VLAN: disabled
VLAN Radius Attribute: disabled
Time range name: work_hours (Active now)
Open access: disabled
Server-timeout: 30 sec
Aplied Authenticating Server: Radius
Applied Authentication method: 802.1x
Session Time (HH:MM:SS): 00:25:22
MAC Address: 00:08:78:32:98:66
Username: Bob
Violation:
Mode: restrict
Trap: enabled
Trap Min Interval: 20 sec
Violations were detected: 0
Reauthentication is enabled
Reauthentication period: 3600 sec
Silence period: 1800 sec
Quiet Period: 60 sec
Interfaces 802.1X-Based Parameters
EAP Timeout: 30 sec
EAP Max-Retrans: 2
Tx period: 30 sec
Supplicant timeout: 30 sec
max-req: 2
Authentication success: 20
Authentication fails: 0
Supplicant Configuration:
retry-max: 2
EAP time period: 15 sec
Supplicant Held Period: 30 sec
te1/0/4
Authenticator is disabled
Supplicant is enabled
Authenticator Configuration:
Host mode: multi-host
Authentication methods: 802.1x+mac
Port Adminstrated status: force-auto
Guest VLAN: disabled
VLAN Radius Attribute: disabled
Time range name: work_hours (Active now)
Open access: disabled
Server-timeout: 30 sec
Aplied Authenticating Server: Radius
Applied Authentication method: 802.1x
Session Time (HH:MM:SS): 00:25:22
MAC Address: 00:08:78:32:98:66
Username: Bob
Violation:
Mode: restrict
Trap: enabled
Trap Min Interval: 20 sec
Violations were detected: 0
Reauthentication is enabled
Reauthentication period: 3600 sec
Silence period: 1800 sec
Quiet Period: 60 sec
Interfaces 802.1X-Based Parameters
EAP Timeout: 30 sec
EAP Max-Retrans: 2
Tx period: 30 sec
Supplicant timeout: 30 sec
max-req: 2
Authentication success: 0
Authentication fails: 0
Supplicant Configuration:
retry-max: 2
EAP time period: 15 sec
Supplicant Held Period: 30 sec
Credentials Name: Basic-User
Supplicant Operational status: authorized
The following describes the significant fields shown in the display:
• Port—The port interface-id.
• Host mode—The port authentication configured mode. Possible values: single-host,
multi-host, multi-sessions.
  • single-host
  • multi-host
  • multi-sessions
• Authentication methods—Authentication methods configured on port. Possible values are
combinations of the following methods:
  • 802.1x
  • mac
  • wba
• Port Administrated status—The port administration (configured) mode. Possible values: force-auth,
force-unauth, auto.
• Port Operational status—The port operational (actual) mode. Possible values: authorized or unauthorized.
• Username—Username representing the supplicant identity. This field shows the username if the port control is
auto. If the port is Authorized, it displays the username of the current user. If the port is Unauthorized, it displays
the last user authorized successfully.
• Quiet period—Number of seconds that the device remains in the quiet state following a failed authentication
exchange (for example, the client provided an invalid password).
• Silence period—Number of seconds after which, if an authorized client has not sent traffic, the state of the
client is changed to unauthorized.
• EAP timeout—Time interval in seconds during which the EAP Server (EAP Authenticator) waits for a response
from the EAP client (EAP Peer) before the request retransmission.
• EAP Max Retrans—Maximum number of times that the EAP Server (EAP Authenticator) retransmits an EAP
request when no response from an EAP client (EAP Peer) was received.
• Tx period—Number of seconds that the device waits for a response to an Extensible Authentication Protocol
(EAP) request/identity frame from the client before resending the request.
• Max req—Maximum number of times that the device sends an EAP request frame (assuming that no response
is received) to the client before restarting the authentication process.
• Server timeout—Number of seconds that the device waits for a response from the authentication server before
resending the request.
• Session Time—Amount of time (HH:MM:SS) that the user is logged in.
• MAC address—Supplicant MAC address.
• Authentication success—Number of times the state machine received a Success message from the
Authentication Server.
• Authentication fails—Number of times the state machine received a Failure message from the Authentication
Server.
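An added example (not part of the Cisco guide): a small Python audit that parses show dot1x output in the layout shown above and flags per-port settings worth reviewing. The sample text is constructed, and the finding codes and the port-name pattern are assumptions of this example.

```python
import re

# Constructed sample in the layout of the `show dot1x` example above, trimmed
# to the fields the audit reads. "Adminstrated" is spelled as in that output.
SAMPLE = """\
Authentication is enabled
te1/0/1
Authenticator is enabled
Host mode: multi-sessions
Port Adminstrated status: auto
Open access: disabled
Authentication success: 9
Authentication fails: 1
te1/0/2
Authenticator is enabled
Host mode: single-host
Port Adminstrated status: auto
Open access: enabled
Violation:
Mode: restrict
Violations were detected: 9
Authentication fails: 0
te1/0/3
Authenticator is enabled
Host mode: multi-host
Port Adminstrated status: force-auth
Open access: disabled
Authentication fails: 0
"""

# Assumption: port names look like te1/0/1 (letters, then slash-separated numbers).
IFACE_RE = re.compile(r"^[A-Za-z]+\d+(?:/\d+)*$")
FIELD_RE = re.compile(r"^([^:]+):\s*(.*)$")


def parse_show_dot1x(text):
    """Return (global_lines, {port: {lowercased field name: lowercased value}})."""
    global_lines, ports, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if IFACE_RE.match(line):
            current = ports.setdefault(line, {})
        elif current is None:
            global_lines.append(line)  # everything before the first port block
        elif line.lower().startswith("authenticator is "):
            current["authenticator"] = line.split()[-1].lower()
        else:
            m = FIELD_RE.match(line)
            if m:
                key = m.group(1).strip().lower()
                key = key.replace("adminstrated", "administrated")
                current.setdefault(key, m.group(2).strip().lower())
    return global_lines, ports


def _count(fields, key):
    """Read a numeric counter field; missing or non-numeric values count as 0."""
    value = fields.get(key, "")
    return int(value) if value.isdigit() else 0


def audit(text):
    """Return a list of (scope, code, detail) findings for review."""
    global_lines, ports = parse_show_dot1x(text)
    findings = []
    if "Authentication is enabled" not in global_lines:
        findings.append(("global", "GLOBAL_DISABLED",
                         "802.1X is not enabled globally (dot1x system-auth-control)"))
    for port, f in ports.items():
        if f.get("authenticator") != "enabled":
            continue  # only authenticator ports are audited here
        if f.get("port administrated status") == "force-auth":
            findings.append((port, "FORCE_AUTH",
                             "port is authorized without an authentication exchange"))
        if f.get("open access") == "enabled":
            findings.append((port, "OPEN_ACCESS",
                             "open access is enabled; confirm this is intended"))
        if f.get("host mode") == "multi-host":
            findings.append((port, "MULTI_HOST",
                             "hosts behind the authenticated client are not authenticated individually"))
        n = _count(f, "violations were detected")
        if n:
            findings.append((port, "VIOLATIONS", f"{n} violations recorded on the port"))
        n = _count(f, "authentication fails")
        if n:
            findings.append((port, "AUTH_FAILS",
                             f"{n} Failure messages from the authentication server"))
    return findings


if __name__ == "__main__":
    for scope, code, detail in audit(SAMPLE):
        print(f"{scope:8} {code:16} {detail}")
```

Feed it the captured text of show dot1x from each switch; ports that report nothing are running with port control auto, open access disabled and no recorded failures or violations.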
2.43 show dot1x credentials
To display 802.1X credentials, use the show dot1x credentials command in Privileged
EXEC mode.
Syntax
show dot1x credentials
Parameters
N/A
Command Mode
Privileged EXEC mode
Examples
The following example displays dot1x credentials:
switchxxxxxx# show dot1x credentials
downstream-interface
description: should be used for downstream ports
username: downstream
password’s MD5: 1238af77aaca17568f12988601fcabed
upstream-interface
description: should be used for connection to ISP
username: up2isp
password’s MD5: 1238bbff75431230965394466ac76549
2.44 show dot1x locked clients
To display all clients who are locked and in the quiet period, use the show dot1x locked
clients command in Privileged EXEC mode.
Syntax
show dot1x locked clients
Parameters
N/A
Command Mode
Privileged EXEC mode
User Guidelines
Use the show dot1x locked clients command to display all locked (in the quiet period) clients.
Examples
The following example displays locked clients:
Example 1
switchxxxxxx# show dot1x locked clients
Port    MAC Address    Remaining Time
------- -------------- --------------
te1/0/1 0008.3b79.8787 20
te1/0/1 0008.3b89.3128 40
te1/0/2 0008.3b89.3129 10
2.45 show dot1x statistics
To display 802.1X statistics for the specified port, use the show dot1x statistics command in
Privileged EXEC mode.
Syntax
show dot1x statistics interface interface-id
Parameters
• interface-id—Specifies an Ethernet port or OOB port.
Default Configuration
N/A
Command Mode
Privileged EXEC mode
Example
The following example displays 802.1X statistics for te1/0/1.
switchxxxxxx# show dot1x statistics interface te1/0/1
EapolEapFramesRx: 10
EapolStartFramesRx: 0
EapolLogoffFramesRx: 1
EapolAnnouncementFramesRx: 0
EapolAnnouncementReqFramesRx: 0
EapolInvalidFramesRx: 0
EapolEapLengthErrorFramesRx: 0
EapolMkNoCknFramesRx: 0
EapolMkInvalidFramesRx: 0
EapolLastRxFrameVersion: 3
EapolLastRxFrameSource: 00:08:78:32:98:78
EapolSuppEapFramesTx: 0
EapolStartFramesTx: 1
EapolLogoffFramesTx: 0
EapolAnnouncementFramesTx: 0
EapolAnnouncementReqFramesTx: 0
EapolAuthEapFramesTx: 9
EapolMkaFramesTx: 0
The following table describes the significant fields shown in the display:
Field                         Description
EapolInvalidFramesRx          The number of invalid EAPOL frames of any type that have been received by this PAE.
EapolEapLengthErrorFramesRx   The number of EAPOL frames in which the Packet Body Length does not match a Packet Body that is contained within the octets of the received EAPOL MPDU in this PAE.
EapolAnnouncementFramesRx     The number of EAPOL-Announcement frames that have been received by this PAE.
EapolAnnouncementReqFramesRx  The number of EAPOL-Announcement-Req frames that have been received by this PAE.
EapolStartFramesRx            The number of EAPOL-Start frames that have been received by this PAE.
EapolEapFramesRx              The number of EAPOL-EAP frames that have been received by this PAE.
EapolLogoffFramesRx           The number of EAPOL-Logoff frames that have been received by this PAE.
EapolMkNoCknFramesRx          The number of MKPDUs received with MKA not enabled or CKN not recognized in this PAE.
EapolMkInvalidFramesRx        The number of MKPDUs failing in message authentication on receipt process in this PAE.
EapolLastRxFrameVersion       The version of last received EAPOL frame by this PAE.
EapolLastRxFrameSource        The source MAC address of last received EAPOL frame by this PAE.
EapolSuppEapFramesTx          The number of EAPOL-EAP frames that have been transmitted by the supplicant of this PAE.
EapolLogoffFramesTx           The number of EAPOL-Logoff frames that have been transmitted by this PAE.
EapolAnnouncementFramesTx     The number of EAPOL-Announcement frames that have been transmitted by this PAE.
EapolAnnouncementReqFramesTx  The number of EAPOL-Announcement-Req frames that have been transmitted by this PAE.
EapolStartFramesTx            The number of EAPOL-Start frames that have been transmitted by this PAE.
EapolAuthEapFramesTx          The number of EAPOL-EAP frames that have been transmitted by the authenticator of this PAE.
EapolMkaFramesTx              The number of EAPOL-MKA frames with no CKN information that have been transmitted by this PAE.
2.46 show dot1x users
To display active 802.1X authorized users for the device, use the show dot1x users command in
Privileged EXEC mode.
Syntax
show dot1x users [username username]
Parameters
• username username—Specifies the supplicant username (Length: 1–160 characters).
Default Configuration
Display all users.
Command Mode
Privileged EXEC mode
Examples
Example 1. The following command displays all 802.1x users:
switchxxxxxx# show dot1x users
Port             Username          MAC Address          Auth       Auth      Session    VLAN
                                                        Method     Server    Time
---------------- ----------------- -------------------- ---------- --------- ---------- -------
te1/0/1          Bob               0008.3b71.1111       802.1x     Remote    09:01:00   1020
te1/0/2          00083b798787      0008.3b79.8787       MAC        Remote    00:11:12
te1/0/2          John              0008.3baa.0022       WBA        Remote    00:27:16
Example 2. The following example displays the 802.1X user with supplicant username Bob:
switchxxxxxx# show dot1x users username Bob
Port             Username        MAC Address          Auth       Auth      Session    VLAN
                                                      Method     Server    Time
---------------- --------------- -------------------- ---------- --------- ---------- -------
te1/0/1          Bob             0008.3b71.1111       802.1x     Remote    09:01:00   1020
2.47 username (dot1x credentials)
To specify a username for an 802.1X credential structure, use the username command in
Dot1x credentials configuration mode. To remove the username, use the no form of this
command.
Syntax
username username
no username
Parameters
• username—The user name, up to 32 characters.
Default Configuration
A username is not specified.
Command Mode
Dot1x credentials configuration mode
User Guidelines
An 802.1X credential structure is necessary when configuring a supplicant (client). This
credentials structure may contain a username, password, and description.
Example
The following example configures an 802.1X credential structure:
switchxxxxxx(config)# dot1x credentials site-A
switchxxxxxx(config-dot1x-cred)# username inner-switch
switchxxxxxx(config-dot1x-cred)# password 87%$#bgd98^
switchxxxxxx(config-dot1x-cred)# description This credentials profile should be used to connect to site-A
3 ACL Commands
3.1 ip access-list (IP extended)
Use the ip access-list extended Global Configuration mode command to name an IPv4 access
list (ACL) and to place the device in IPv4 Access List Configuration mode. All commands
after this command refer to this ACL. The rules (ACEs) for this ACL are defined in the permit
( IP ) and deny ( IP ) commands. The service-acl input command is used to attach this ACL to
an interface.
Use the no form of this command to remove the access list.
Syntax
ip access-list extended acl-name
no ip access-list extended acl-name
Parameters
• acl-name—Name of the IPv4 access list. (Range 1-32 characters)
Default Configuration
No IPv4 access list is defined.
Command Mode
Global Configuration mode
User Guidelines
An IPv4 ACL is defined by a unique name. IPv4 ACL, IPv6 ACL, MAC ACL or policy maps
cannot have the same name.
Example
switchxxxxxx(config)# ip access-list extended server
switchxxxxxx(config-ip-al)#
3.2
permit ( IP )
Use the permit IP Access-list Configuration mode command to set permit conditions for an
IPv4 access list (ACL). Permit conditions are also known as access control entries (ACEs).
Use the no form of the command to remove the access control entry.
Syntax
permit protocol {any | source source-wildcard} {any | destination destination-wildcard}
[ace-priority priority] [dscp number | precedence number] [time-range time-range-name]
[log-input]
permit icmp {any | source source-wildcard} {any | destination destination-wildcard} [any |
icmp-type] [any | icmp-code]] [ace-priority priority] [dscp number | precedence number]
[time-range time-range-name] [log-input]
permit igmp {any | source source-wildcard} {any | destination
destination-wildcard}[igmp-type] [ace-priority priority] [dscp number | precedence number]
[time-range time-range-name] [log-input]
permit tcp {any | source source-wildcard} {any|source-port/port-range}{any | destination
destination-wildcard} {any|destination-port/port-range} [ace-priority priority] [dscp
number | precedence number] [match-all list-of-flags] [time-range time-range-name]
[log-input]
permit udp {any | source source-wildcard} {any|source-port/port-range} {any | destination
destination-wildcard} {any|destination-port/port-range} [ace-priority priority] [dscp
number | precedence number] [time-range time-range-name] [log-input]
no permit protocol {any | source source-wildcard} {any | destination destination-wildcard}
[dscp number | precedence number] [time-range time-range-name] [log-input]
no permit icmp {any | source source-wildcard} {any | destination destination-wildcard}
[any | icmp-type] [any | icmp-code]] [dscp number | precedence number] [time-range
time-range-name] [log-input]
no permit igmp {any | source source-wildcard} {any | destination
destination-wildcard}[igmp-type] [dscp number | precedence number] [time-range
time-range-name] [log-input]
no permit tcp {any | source source-wildcard} {any|source-port/port-range}{any |
destination destination-wildcard} {any|destination-port/port-range} [dscp number |
precedence number] [match-all list-of-flags] [time-range time-range-name] [log-input]
no permit udp {any | source source-wildcard} {any|source-port/port-range} {any |
destination destination-wildcard} {any|destination-port/port-range} [dscp number |
precedence number] [time-range time-range-name] [log-input]
Parameters
•
protocol—The name or the number of an IP protocol. Available protocol names are:
icmp, igmp, ip, tcp, egp, igp, udp, hmp, rdp, idpr, ipv6, ipv6:rout, ipv6:frag, idrp, rsvp,
gre, esp, ah, ipv6:icmp, eigrp, ospf, ipinip, pim, l2tp, isis. To match any protocol, use
the ip keyword. (Range: 0–255)
•
source—Source IP address of the packet.
•
source-wildcard—Wildcard bits to be applied to the source IP address. Use ones in the
bit position that you want to be ignored.
•
destination—Destination IP address of the packet.
•
destination-wildcard—Wildcard bits to be applied to the destination IP address. Use
ones in the bit position that you want to be ignored.
•
priority - Specifies the priority of the access control entry (ACE) in the access control
list (ACL). The value 1 represents the highest priority and 2147483647 represents the
lowest priority. (Range: 1–2147483647)
•
dscp number—Specifies the DSCP value.
•
precedence number—Specifies the IP precedence value.
•
icmp-type—Specifies an ICMP message type for filtering ICMP packets. Enter a
number or one of the following values: echo-reply, destination-unreachable,
source-quench, redirect, alternate-host-address, echo-request, router-advertisement,
router-solicitation, time-exceeded, parameter-problem, timestamp, timestamp-reply,
information-request, information-reply, address-mask-request, address-mask-reply,
traceroute, datagram-conversion-error, mobile-host-redirect,
mobile-registration-request, mobile-registration-reply, domain-name-request,
domain-name-reply, skip, photuris. (Range: 0–255)
•
icmp-code—Specifies an ICMP message code for filtering ICMP packets. (Range: 0–
255)
•
igmp-type—IGMP packets can be filtered by IGMP message type. Enter a number or
one of the following values: host-query, host-report, dvmrp, pim, cisco-trace,
host-report-v2, host-leave-v2, host-report-v3. (Range: 0–255)
•
destination-port—Specifies the UDP/TCP destination port. You can enter a range of
ports by using a hyphen, for example 20 - 21. For TCP enter a number or one of the following
values: bgp (179), chargen (19), daytime (13), discard (9), domain (53), drip (3949),
echo (7), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (42), irc (194),
klogin (543), kshell (544), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25),
sunrpc (111), syslog (514), tacacs-ds (49), talk (517), telnet (23), time (37), uucp
(117), whois (43), www (80). For UDP enter a number or one of the following values:
biff (512), bootpc (68), bootps (67), discard (9), dnsix (90), domain (53), echo (7),
mobile-ip (434), nameserver (42), netbios-dgm (138), netbios-ns (137), non500-isakmp
(4500), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514),
tacacs-ds (49), talk (517), tftp (69), time (37), who (513), xdmcp (177). (Range: 0–65535)
•
source-port—Specifies the UDP/TCP source port. Predefined port names are defined
in the destination-port parameter. (Range: 0–65535)
•
match-all list-of-flags—List of TCP flags that should occur. If a flag should be set, it is
prefixed by “+”. If a flag should be unset, it is prefixed by “-”. Available options are
+urg, +ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst, -syn and -fin. The flags are
concatenated into one string. For example: +fin-ack.
•
time-range-name—Name of the time range that applies to this permit statement.
(Range: 1–32)
•
log-input—Specifies sending an informational SYSLOG message about the packet
that matches the entry. Because forwarding/dropping is done in hardware and logging
is done in software, if a large number of packets match an ACE containing a log-input
keyword, the software might not be able to match the hardware processing rate, and
not all packets will be logged.
Default Configuration
No IPv4 access list is defined.
Command Mode
IP Access-list Configuration mode
User Guidelines
If a range of ports is used for the source port in an ACE, it is not counted again if it is also
used for the source port in another ACE. If a range of ports is used for the destination port in
an ACE, it is not counted again if it is also used for the destination port in another ACE.
If a range of ports is used for the source port, it is counted again if it is also used for the
destination port.
If ace-priority is omitted, the system sets the rule's priority to the current highest priority ACE
(in the current ACL) + 20. The ace-priority must be unique per ACL. If the user enters a priority
that already exists, the command is rejected.
Example
switchxxxxxx(config)# ip access-list extended server
switchxxxxxx(config-ip-al)# permit ip 176.212.0.0 0.0.255.255 any
3.3
deny ( IP )
Use the deny IP Access-list Configuration mode command to set deny conditions for IPv4
access list. Deny conditions are also known as access control entries (ACEs). Use the no form
of the command to remove the access control entry.
Syntax
deny protocol {any | source source-wildcard} {any | destination destination-wildcard}
[ace-priority priority] [dscp number | precedence number] [time-range time-range-name]
[disable-port|log-input ]
deny icmp {any | source source-wildcard} {any | destination destination-wildcard} [any |
icmp-type] [any | icmp-code]][ace-priority priority] [dscp number | precedence
number][time-range time-range-name] [disable-port |log-input ]
deny igmp {any | source source-wildcard} {any | destination
destination-wildcard}[igmp-type][ace-priority priority] [dscp number | precedence
number][time-range time-range-name] [disable-port |log-input ]
deny tcp {any | source source-wildcard} {any|source-port/port-range}{any | destination
destination-wildcard} {any|destination-port/port-range} [ace-priority priority] [dscp
number | precedence number][match-all list-of-flags][time-range time-range-name]
[disable-port |log-input ]
deny udp {any | source source-wildcard} {any|source-port/port-range} {any | destination
destination-wildcard} {any|destination-port/port-range} [ace-priority priority] [dscp
number | precedence number][time-range time-range-name] [disable-port |log-input ]
no deny protocol {any | source source-wildcard} {any | destination destination-wildcard}
[dscp number | precedence number][time-range time-range-name] [disable-port |log-input
]
no deny icmp {any | source source-wildcard} {any | destination destination-wildcard} [any |
icmp-type] [any | icmp-code]] [dscp number | precedence number][time-range
time-range-name] [disable-port |log-input ]
no deny igmp {any | source source-wildcard} {any | destination
destination-wildcard}[igmp-type] [dscp number | precedence number][time-range
time-range-name] [disable-port |log-input ]
no deny tcp {any | source source-wildcard} {any|source-port/port-range}{any | destination
destination-wildcard} {any|destination-port/port-range} [dscp number | precedence
number][match-all list-of-flags] [time-range time-range-name] [disable-port |log-input ]
no deny udp {any | source source-wildcard} {any|source-port/port-range} {any |
destination destination-wildcard} {any|destination-port/port-range} [dscp number |
precedence number][time-range time-range-name] [disable-port |log-input ]
Parameters
•
protocol—The name or the number of an IP protocol. Available protocol names: icmp,
igmp, ip, tcp, egp, igp, udp, hmp, rdp, idpr, ipv6, ipv6:rout, ipv6:frag, idrp, rsvp, gre,
esp, ah, ipv6:icmp, eigrp, ospf, ipinip, pim, l2tp, isis. To match any protocol, use the ip
keyword. (Range: 0–255)
•
source—Source IP address of the packet.
•
source-wildcard—Wildcard bits to be applied to the source IP address. Use 1s in the
bit position that you want to be ignored.
•
destination—Destination IP address of the packet.
•
destination-wildcard—Wildcard bits to be applied to the destination IP address. Use 1s
in the bit position that you want to be ignored.
•
priority - Specifies the priority of the access control entry (ACE) in the access control
list (ACL). The value 1 represents the highest priority and 2147483647 represents the
lowest priority. (Range: 1–2147483647)
•
dscp number—Specifies the DSCP value.
•
precedence number—Specifies the IP precedence value.
•
icmp-type—Specifies an ICMP message type for filtering ICMP packets. Enter a
number or one of the following values: echo-reply, destination-unreachable,
source-quench, redirect, alternate-host-address, echo-request, router-advertisement,
router-solicitation, time-exceeded, parameter-problem, timestamp, timestamp-reply,
information-request, information-reply, address-mask-request, address-mask-reply,
traceroute, datagram-conversion-error, mobile-host-redirect,
mobile-registration-request, mobile-registration-reply, domain-name-request,
domain-name-reply, skip, photuris. (Range: 0–255)
•
icmp-code—Specifies an ICMP message code for filtering ICMP packets. (Range: 0–
255)
•
igmp-type—IGMP packets can be filtered by IGMP message type. Enter a number or
one of the following values: host-query, host-report, dvmrp, pim, cisco-trace,
host-report-v2, host-leave-v2, host-report-v3. (Range: 0–255)
•
destination-port—Specifies the UDP/TCP destination port. You can enter a range of
ports by using a hyphen, for example 20 - 21. For TCP enter a number or one of the following
values: bgp (179), chargen (19), daytime (13), discard (9), domain (53), drip (3949),
echo (7), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (42), irc (194),
klogin (543), kshell (544), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25),
sunrpc (111), syslog (514), tacacs-ds (49), talk (517), telnet (23), time (37), uucp
(117), whois (43), www (80). For UDP enter a number or one of the following values:
biff (512), bootpc (68), bootps (67), discard (9), dnsix (90), domain (53), echo (7),
mobile-ip (434), nameserver (42), netbios-dgm (138), netbios-ns (137),
non500-isakmp (4500), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111),
syslog (514), tacacs-ds (49), talk (517), tftp (69), time (37), who (513), xdmcp (177).
(Range: 0–65535)
•
source-port—Specifies the UDP/TCP source port. Predefined port names are defined
in the destination-port parameter. (Range: 0–65535)
•
match-all list-of-flags—List of TCP flags that should occur. If a flag should be set, it is
prefixed by “+”. If a flag should be unset, it is prefixed by “-”. Available options are
+urg, +ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst, -syn and -fin. The flags are
concatenated into one string. For example: +fin-ack.
•
time-range-name—Name of the time range that applies to this permit statement.
(Range: 1–32)
•
disable-port—The Ethernet interface is disabled if the condition is matched.
•
log-input—Specifies sending an informational syslog message about the packet that
matches the entry. Because forwarding/dropping is done in hardware and logging is
done in software, if a large number of packets match an ACE containing a log-input
keyword, the software might not be able to match the hardware processing rate, and
not all packets will be logged.
Default Configuration
No IPv4 access list is defined.
Command Mode
IP Access-list Configuration mode
User Guidelines
The number of TCP/UDP ranges that can be defined in ACLs is limited. If a range of ports is
used for the source port in an ACE, it is not counted again if it is also used for the source port
in another ACE. If a range of ports is used for the destination port in an ACE, it is not counted
again if it is also used for the destination port in another ACE.
If a range of ports is used for the source port, it is counted again if it is also used for the
destination port.
If ace-priority is omitted, the system sets the rule's priority to the current highest priority ACE
(in the current ACL) + 20. The ace-priority must be unique per ACL. If the user enters a priority
that already exists, the command is rejected.
Example
switchxxxxxx(config)# ip access-list extended server
switchxxxxxx(config-ip-al)# deny ip 176.212.0.0 0.0.255.255 any
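The wildcard, match-all and ace-priority rules from the permit ( IP ) and deny ( IP ) sections, as an added Python model (not Cisco code and not part of the guide), using the 176.212.0.0 rule with a 0.0.255.255 wildcard. It assumes ACEs are checked in ascending ace-priority number with the first match deciding, and that an omitted ace-priority becomes the largest number in use plus 20; the Ipv4Acl class, its methods and the priority-10 deny rule are constructed for illustration.

```python
"""IPv4 ACE wildcard matching and ace-priority bookkeeping (added example)."""
import ipaddress

TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
                 "psh": 0x08, "ack": 0x10, "urg": 0x20}
MAX_PRIORITY = 2147483647  # upper bound of the ace-priority range


def wildcard_match(addr, base, wildcard):
    """True when addr equals base in every bit whose wildcard bit is 0."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF  # 1-bits in the wildcard are ignored
    return (a & care) == (b & care)


def parse_flags(spec):
    """Turn a match-all string such as '+syn-ack' into (must_set, must_clear)."""
    must_set = must_clear = 0
    for i in range(0, len(spec), 4):  # every token is a sign plus a 3-letter name
        sign, name = spec[i], spec[i + 1:i + 4]
        if sign not in ("+", "-") or name not in TCP_FLAG_BITS:
            raise ValueError(f"bad flag list: {spec!r}")
        if sign == "+":
            must_set |= TCP_FLAG_BITS[name]
        else:
            must_clear |= TCP_FLAG_BITS[name]
    return must_set, must_clear


class Ipv4Acl:
    """Hypothetical in-memory model of one IPv4 ACL."""

    def __init__(self, name):
        self.name = name
        self.aces = {}  # ace-priority -> (action, proto, src, dst, flags)

    def add(self, action, proto, src, dst, priority=None, match_all=None):
        """src/dst are 'any' or (address, wildcard). Returns the priority used."""
        if priority is None:
            # Assumption: "current highest priority ACE + 20" is the largest
            # priority number in use plus 20, and 20 for the first ACE.
            priority = max(self.aces, default=0) + 20
        if not 1 <= priority <= MAX_PRIORITY:
            raise ValueError("ace-priority out of range")
        if priority in self.aces:
            raise ValueError(f"ace-priority {priority} already exists")
        flags = parse_flags(match_all) if match_all else (0, 0)
        self.aces[priority] = (action, proto, src, dst, flags)
        return priority

    def evaluate(self, proto, src_ip, dst_ip, tcp_flags=0):
        """Return (action, priority) of the first matching ACE, else (None, None)."""
        for priority in sorted(self.aces):  # 1 is the highest priority
            action, ace_proto, src, dst, (need, forbid) = self.aces[priority]
            if ace_proto != "ip" and ace_proto != proto:
                continue
            if src != "any" and not wildcard_match(src_ip, *src):
                continue
            if dst != "any" and not wildcard_match(dst_ip, *dst):
                continue
            if proto == "tcp" and ((tcp_flags & need) != need or tcp_flags & forbid):
                continue
            return action, priority
        return None, None  # no explicit ACE matched


def build_server_acl():
    """The 'server' ACL plus one constructed ACE placed ahead of it."""
    acl = Ipv4Acl("server")
    # permit ip 176.212.0.0 0.0.255.255 any   (no ace-priority given -> 20)
    acl.add("permit", "ip", ("176.212.0.0", "0.0.255.255"), "any")
    # Constructed: deny tcp any any any any ace-priority 10 match-all +syn-ack
    acl.add("deny", "tcp", "any", "any", priority=10, match_all="+syn-ack")
    return acl


if __name__ == "__main__":
    acl = build_server_acl()
    print(acl.evaluate("tcp", "176.212.5.9", "10.0.0.1", tcp_flags=0x02))
    print(acl.evaluate("tcp", "176.212.5.9", "10.0.0.1", tcp_flags=0x12))
    # A wildcard is not a netmask: 0.0.255.0 ignores only the third octet.
    print(wildcard_match("176.212.77.0", "176.212.0.0", "0.0.255.0"))
```

The priority-10 ACE is evaluated before the earlier-entered permit, which is why an explicit ace-priority matters when inserting a rule into an existing list.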
3.4
ipv6 access-list (IPv6 extended)
Use the ipv6 access-list Global Configuration mode command to define an IPv6 access list
(ACL) and to place the device in Ipv6 Access-list Configuration mode. All commands after
this command refer to this ACL. The rules (ACEs) for this ACL are defined in the permit (
IPv6 ) and deny ( IPv6 ) commands. The service-acl input command is used to attach this ACL
to an interface.
Use the no form of this command to remove the access list.
Syntax
ipv6 access-list [acl-name]
no ipv6 access-list [acl-name]
Parameters
acl-name—Name of the IPv6 access list. Range 1-32 characters.
Default Configuration
No IPv6 access list is defined.
Command Mode
Global Configuration mode
User Guidelines
An IPv6 ACL is defined by a unique name. IPv4 ACL, IPv6 ACL, MAC ACL or policy maps
cannot have the same name.
Every IPv6 ACL has an implicit permit icmp any any nd-ns any, permit icmp any any
nd-na any, and deny ipv6 any any statements as its last match conditions. (The former two
match conditions allow for ICMPv6 neighbor discovery.)
The IPv6 neighbor discovery process uses the IPv6 network layer service; therefore, by
default, IPv6 ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received
on an interface. In IPv4, the Address Resolution Protocol (ARP), which is equivalent to the
IPv6 neighbor discovery process, uses a separate data link layer protocol; therefore, by default,
IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.
Example
switchxxxxxx(config)# ipv6 access-list acl1
switchxxxxxx(config-ip-al)# permit tcp 2001:0DB8:0300:0201::/64 any any 80
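How the implicit tail plays out for the acl1 example, as an added Python sketch (not from the guide and not Cisco's implementation). It assumes explicit ACEs are checked before the implicit ones and that the first match decides; the tuple layout, the sample packets and the ACL1_WITH_DENY_ALL variant are constructed for illustration.

```python
"""IPv6 ACL evaluation with the implicit tail described above (added example)."""
import ipaddress

ND_NS, ND_NA = 135, 136  # ICMPv6 types the guide lists for nd-ns and nd-na

# ACE layout (constructed): (action, protocol, source, destination,
#                            icmp_type, dest_port); None means "any"
IMPLICIT_TAIL = [
    ("permit", "icmp", "any", "any", ND_NS, None),
    ("permit", "icmp", "any", "any", ND_NA, None),
    ("deny", "ipv6", "any", "any", None, None),
]


def in_prefix(addr, prefix):
    """True when addr falls inside prefix/length, or prefix is 'any'."""
    if prefix == "any":
        return True
    net = ipaddress.IPv6Network(prefix, strict=False)
    return ipaddress.IPv6Address(addr) in net


def ace_matches(ace, pkt):
    _, proto, src, dst, icmp_type, dport = ace
    if proto != "ipv6" and proto != pkt["proto"]:  # ipv6 keyword = any protocol
        return False
    if not (in_prefix(pkt["src"], src) and in_prefix(pkt["dst"], dst)):
        return False
    if icmp_type is not None and pkt.get("icmp_type") != icmp_type:
        return False
    if dport is not None and pkt.get("dport") != dport:
        return False
    return True


def evaluate(explicit_aces, pkt):
    """Return (action, origin); origin is 'explicit' or 'implicit'."""
    for origin, aces in (("explicit", explicit_aces), ("implicit", IMPLICIT_TAIL)):
        for ace in aces:
            if ace_matches(ace, pkt):
                return ace[0], origin
    raise AssertionError("unreachable: the tail ends in deny ipv6 any any")


# permit tcp 2001:0DB8:0300:0201::/64 any any 80
ACL1 = [("permit", "tcp", "2001:0DB8:0300:0201::/64", "any", None, 80)]
# Constructed variant: an administrator appends an explicit deny-all.
ACL1_WITH_DENY_ALL = ACL1 + [("deny", "ipv6", "any", "any", None, None)]

# Constructed sample packets.
WEB = {"proto": "tcp", "src": "2001:db8:300:201::10",
       "dst": "2001:db8:ffff::80", "dport": 80}
NS = {"proto": "icmp", "src": "fe80::1",
      "dst": "ff02::1:ff00:80", "icmp_type": ND_NS}
DNS = {"proto": "udp", "src": "2001:db8:300:201::10",
       "dst": "2001:db8:ffff::53", "dport": 53}

if __name__ == "__main__":
    for name, pkt in (("web", WEB), ("nd-ns", NS), ("dns", DNS)):
        print(name, evaluate(ACL1, pkt))
    print("nd-ns with explicit deny-all:", evaluate(ACL1_WITH_DENY_ALL, NS))
```

In the last case the explicit deny ipv6 any any matches before the implicit nd-ns permit is reached, so under these assumptions an ACL that ends in an explicit deny-all needs its own nd-ns and nd-na permits ahead of it if neighbor discovery must keep working on the interface.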
3.5
permit ( IPv6 )
Use the permit command in Ipv6 Access-list Configuration mode to set permit conditions
(ACEs) for IPv6 ACLs. Use the no form of the command to remove the access control entry.
Syntax
permit protocol {any |{source-prefix/length}{any | destination-prefix/length} [ace-priority
priority][dscp number | precedence number] [time-range time-range-name] [log-input]
[flow-label flow-label-value]
permit icmp {any | {source-prefix/length}{any | destination-prefix/length} {any|icmp-type}
{any|icmp-code} [ace-priority priority][dscp number | precedence number] [time-range
time-range-name] [log-input] [flow-label flow-label-value]
permit tcp {any | {source-prefix/length} {any | source-port}}{any |
destination-prefix/length} {any | destination-port} [ace-priority priority][dscp number |
precedence number] [match-all list-of-flags] [time-range time-range-name] [log-input]
[flow-label flow-label-value]
permit udp {any | {source-prefix/length}} {any | source-port}}{any |
destination-prefix/length} {any | destination-port} [ace-priority priority][dscp number |
precedence number][time-range time-range-name] [log-input] [flow-label flow-label-value]
no permit protocol {any |{source-prefix/length}{any | destination-prefix/length} [dscp
number | precedence number] [time-range time-range-name] [log-input] [flow-label
flow-label-value]
no permit icmp {any | {source-prefix/length}{any | destination-prefix/length}
{any|icmp-type} {any|icmp-code} [dscp number | precedence number] [time-range
time-range-name] [log-input] [flow-label flow-label-value]
no permit tcp {any | {source-prefix/length} {any | source-port}}{any |
destination-prefix/length} {any| destination-port} [dscp number | precedence number]
[match-all list-of-flags] [time-range time-range-name] [log-input] [flow-label flow-label-value]
no permit udp {any | {source-prefix/length}} {any | source-port}}{any |
destination-prefix/length} {any| destination-port} [dscp number | precedence number]
[time-range time-range-name] [log-input] [flow-label flow-label-value]
Parameters
•
protocol—The name or the number of an IP protocol. Available protocol names are:
icmp (58), tcp (6) and udp (17). To match any protocol, use the ipv6 keyword. (Range:
0–255)
•
source-prefix/length—The source IPv6 network or class of networks about which to
set permit conditions. This argument must be in the form documented in RFC 3513
where the address is specified in hexadecimal using 16-bit values between colons.
•
destination-prefix/length—The destination IPv6 network or class of networks about
which to set permit conditions. This argument must be in the form documented in RFC
3513 where the address is specified in hexadecimal using 16-bit values between
colons.
•
priority - Specifies the priority of the access control entry (ACE) in the access control
list (ACL). The value 1 represents the highest priority and 2147483647 represents the
lowest priority. (Range: 1–2147483647)
•
dscp number—Specifies the DSCP value. (Range: 0–63)
•
precedence number—Specifies the IP precedence value.
•
icmp-type—Specifies an ICMP message type for filtering ICMP packets. Enter a
number or one of the following values: destination-unreachable (1), packet-too-big (2),
time-exceeded (3), parameter-problem (4), echo-request (128), echo-reply (129),
mld-query (130), mld-report (131), mldv2-report (143), mld-done (132),
router-solicitation (133), router-advertisement (134), nd-ns (135), nd-na (136). (Range:
0–255)
•
icmp-code—Specifies an ICMP message code for filtering ICMP packets. (Range: 0–
255)
•
destination-port—Specifies the UDP/TCP destination port. For TCP enter a number or
one of the following values: bgp (179), chargen (19), daytime (13), discard (9), domain
(53), drip (3949), echo (7), finger (79), ftp (21), ftp-data (20), gopher (70), hostname
(42), irc (194), klogin (543), kshell (544), lpd (515), nntp (119), pop2 (109), pop3
(110), smtp (25), sunrpc (111), syslog (514), tacacs-ds (49), talk (517), telnet (23),
time (37), uucp (117), whois (43), www (80). For UDP enter a number or one of the
following values: biff (512), bootpc (68), bootps (67), discard (9), dnsix (90), domain
(53), echo (7), mobile-ip (434), nameserver (42), netbios-dgm (138), netbios-ns (137),
non500-isakmp (4500), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111),
syslog (514), tacacs (49), talk (517), tftp (69), time (37), who (513), xdmcp (177).
(Range: 0–65535)
•
source-port—Specifies the UDP/TCP source port. Predefined port names are defined
in the destination-port parameter. (Range: 0–65535)
•
match-all list-of-flags—List of TCP flags that should occur. If a flag should be set, it is
prefixed by “+”. If a flag should be unset, it is prefixed by “-”. Available options are
+urg, +ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst, -syn and -fin. The flags are
concatenated into one string. For example: +fin-ack.
•
time-range-name—Name of the time range that applies to this permit statement.
(Range: 1–32)
•
log-input—Specifies sending an informational SYSLOG message about the packet
that matches the entry. Because forwarding/dropping is done in hardware and logging
is done in software, if a large number of packets match an ACE containing a log-input
keyword, the software might not be able to match the hardware processing rate, and
not all packets will be logged.
•
flow-label flow-label-value—Specifies the IPv6 Flow Label value. The value must be
in the range 0–1048575.
Default Configuration
No IPv6 access list is defined.
Command Mode
Ipv6 Access-list Configuration mode
User Guidelines
If ace-priority is omitted, the system sets the rule's priority to the current highest priority ACE
(in the current ACL) + 20. The ace-priority must be unique per ACL. If the user enters a priority
that already exists, the command is rejected.
Flow label and port range cannot be configured together.
Flow label cannot be configured into an output ACL.
Examples
Example 1. This example defines an ACL by the name of server and enters a rule (ACE) for
tcp packets.
switchxxxxxx(config)# ipv6 access-list server
switchxxxxxx(config-ipv6-al)# permit tcp 3001::2/64 any any 80
Example 2. This example defines an ACL with the flow-label keyword:
switchxxxxxx(config)# ipv6 access-list server
switchxxxxxx(config-ipv6-al)# permit ipv6 any any flow-label 5
3.6
deny ( IPv6 )
Use the deny command in Ipv6 Access-list Configuration mode to set deny conditions (ACEs)
for IPv6 ACLs. Use the no form of the command to remove the access control entry.
Syntax
deny protocol {any | {source-prefix/length}{any | destination-prefix/length} [ace-priority
priority][dscp number | precedence number] [time-range time-range-name] [disable-port
|log-input] [flow-label flow-label-value]
deny icmp {any | {source-prefix/length}{any | destination-prefix/length} {any|icmp-type}
{any|icmp-code} [ace-priority priority][dscp number | precedence number] [time-range
time-range-name] [disable-port |log-input] [flow-label flow-label-value]
deny tcp {any | {source-prefix/length} {any | source-port}}{any | destination-prefix/length}
{any| destination-port} [ace-priority priority][dscp number | precedence number]
[match-all list-of-flags] [time-range time-range-name] [disable-port |log-input] [flow-label
flow-label-value]
deny udp {any | {source-prefix/length}} {any | source-port}}{any |
destination-prefix/length} {any| destination-port} [ace-priority priority][dscp number |
precedence number] [time-range time-range-name] [disable-port |log-input] [flow-label
flow-label-value]
no deny protocol {any | {source-prefix/length}{any | destination-prefix/length} [dscp number
| precedence number] [time-range time-range-name] [disable-port |log-input] [flow-label
flow-label-value]
no deny icmp {any | {source-prefix/length}{any | destination-prefix/length} {any|icmp-type}
{any|icmp-code} [dscp number | precedence number] [time-range time-range-name]
[disable-port |log-input] [flow-label flow-label-value]
no deny tcp {any | {source-prefix/length} {any | source-port}}{any |
destination-prefix/length} {any| destination-port} [dscp number | precedence number]
[match-all list-of-flags] [time-range time-range-name] [disable-port |log-input] [flow-label
flow-label-value]
no deny udp {any | {source-prefix/length}} {any | source-port}}{any |
destination-prefix/length} {any| destination-port} [dscp number | precedence number]
[time-range time-range-name] [disable-port |log-input] [flow-label flow-label-value]
Parameters
•
protocol—The name or the number of an IP protocol. Available protocol names are:
icmp (58), tcp (6) and udp (17). To match any protocol, use the ipv6 keyword. (Range:
0–255)
•
source-prefix/length—The source IPv6 network or class of networks about which to
set permit conditions. This argument must be in the format documented in RFC 3513
where the address is specified in hexadecimal using 16-bit values between colons.
•
destination-prefix/length—The destination IPv6 network or class of networks about
which to set permit conditions. This argument must be in the format documented in
RFC 3513 where the address is specified in hexadecimal using 16-bit values between
colons.
•
priority - Specifies the priority of the access control entry (ACE) in the access control
list (ACL). The value 1 represents the highest priority and 2147483647 represents the
lowest priority. (Range: 1–2147483647)
•
dscp number—Specifies the DSCP value. (Range: 0–63)
•
precedence number—Specifies the IP precedence value.
•
icmp-type—Specifies an ICMP message type for filtering ICMP packets. Enter a
number or one of the following values: destination-unreachable (1), packet-too-big (2),
time-exceeded (3), parameter-problem (4), echo-request (128), echo-reply (129),
mld-query (130), mld-report (131), mldv2-report (143), mld-done (132),
router-solicitation (133), router-advertisement (134), nd-ns (135), nd-na (136). (Range:
0–255)
•
icmp-code—Specifies an ICMP message code for filtering ICMP packets. (Range: 0–
255)
•
destination-port—Specifies the UDP/TCP destination port. For TCP enter a number or
one of the following values: bgp (179), chargen (19), daytime (13), discard (9), domain
(53), drip (3949), echo (7), finger (79), ftp (21), ftp-data (20), gopher (70), hostname
(42), irc (194), klogin (543), kshell (544), lpd (515), nntp (119), pop2 (109), pop3
(110), smtp (25), sunrpc (111), syslog (514), tacacs-ds (49), talk (517), telnet (23),
time (37), uucp (117), whois (43), www (80). For UDP enter a number or one of the
following values: biff (512), bootpc (68), bootps (67), discard (9), dnsix (90), domain
(53), echo (7), mobile-ip (434), nameserver (42), netbios-dgm (138), netbios-ns (137),
non500-isakmp (4500), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111),
syslog (514), tacacs (49), talk (517), tftp (69), time (37), who (513), xdmcp (177).
(Range: 0–65535)
•
source-port—Specifies the UDP/TCP source port. Predefined port names are defined
in the destination-port parameter. (Range: 0–65535)
•
match-all list-of-flags—List of TCP flags that should occur. If a flag should be set, it is
prefixed by “+”. If a flag should be unset, it is prefixed by “-”. Available options are
+urg, +ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst, -syn and -fin. The flags are
concatenated into one string. For example: +fin-ack.
•
time-range-name—Name of the time range that applies to this permit statement.
(Range: 1–32)
•
disable-port—The Ethernet interface is disabled if the condition is matched.
•
log-input—Specifies sending an informational syslog message about the packet that
matches the entry. Because forwarding/dropping is done in hardware and logging is
done in software, if a large number of packets match an ACE containing a log-input
keyword, the software might not be able to match the hardware processing rate, and
not all packets will be logged.
•
flow-label flow-label-value—Specifies the IPv6 Flow Label value. The value must be
in the range 0–1048575.
Default Configuration
No IPv6 access list is defined.
Command Mode
Ipv6 Access-list Configuration mode
User Guidelines
If ace-priority is omitted, the system sets the rule's priority to the current highest priority ACE
(in the current ACL) + 20. The ace-priority must be unique per ACL. If the user enters a priority
that already exists, the command is rejected.
Flow label and port range cannot be configured together.
Flow label cannot be configured into an output ACL.
Example
switchxxxxxx(config)# ipv6 access-list server
switchxxxxxx(config-ipv6-al)# deny tcp 3001::2/64 any any 80
3.7
mac access-list
Use the mac access-list Global Configuration mode command to define a Layer 2 access list
(ACL) based on source MAC address filtering and to place the device in MAC Access-list
Configuration mode. All commands after this command refer to this ACL. The rules (ACEs)
for this ACL are defined in the permit ( MAC ) and deny (MAC) commands. The service-acl
input command is used to attach this ACL to an interface.
Use the no form of this command to remove the access list.
Syntax
mac access-list extended acl-name
no mac access-list extended acl-name
Parameters
acl-name—Specifies the name of the MAC ACL (Range: 1–32 characters).
Default Configuration
No MAC access list is defined.
Command Mode
Global Configuration mode
User Guidelines
A MAC ACL is defined by a unique name. IPv4 ACL, IPv6 ACL, MAC ACL or policy maps
cannot have the same name.
If ace-priority is omitted, the system sets the rule's priority to the current highest priority ACE
(in the current ACL) + 20. The ace-priority must be unique per ACL. If the user enters a priority
that already exists, the command is rejected.
Example
switchxxxxxx(config)# mac access-list extended server1
switchxxxxxx(config-mac-al)# permit 00:00:00:00:00:01 00:00:00:00:00:ff any
3.8
permit ( MAC )
Use the permit command in MAC Access-list Configuration mode to set permit conditions
(ACEs) for a MAC ACL. Use the no form of the command to remove the access control entry.
Syntax
permit {any | source source-wildcard} {any | destination destination-wildcard}
[ace-priority priority][eth-type 0 | aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm
| etype-6000] [vlan vlan-id] [cos cos cos-wildcard] [time-range time-range-name]
[log-input]
no permit {any | source source-wildcard} {any | destination destination-wildcard} [eth-type
0 | aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000] [vlan vlan-id]
[cos cos cos-wildcard] [time-range time-range-name]
[log-input]
Parameters
•
source—Source MAC address of the packet.
•
source-wildcard—Wildcard bits to be applied to the source MAC address. Use 1s in
the bit position that you want to be ignored.
•
destination—Destination MAC address of the packet.
•
destination-wildcard—Wildcard bits to be applied to the destination MAC address.
Use 1s in the bit position that you want to be ignored.
•
priority - Specifies the priority of the access control entry (ACE) in the access control
list (ACL). The value 1 represents the highest priority and 2147483647 represents the
lowest priority. (Range: 1-2147483647)
•
eth-type—The Ethernet type in hexadecimal format of the packet.
•
vlan-id—The VLAN ID of the packet. (Range: 1–4094)
•
cos—The Class of Service of the packet. (Range: 0–7)
•
cos-wildcard—Wildcard bits to be applied to the CoS.
•
time-range-name—Name of the time range that applies to this permit statement.
(Range: 1–32)
•
log-input—Specifies sending an informational SYSLOG message about the packet
that matches the entry. Because forwarding/dropping is done in hardware and logging
is done in software, if a large number of packets match an ACE containing a log-input
keyword, the software might not be able to match the hardware processing rate, and
not all packets will be logged.
User Guidelines
A MAC ACL is defined by a unique name. IPv4 ACLs, IPv6 ACLs, MAC ACLs and policy maps
cannot have the same name.
If ace-priority is omitted, the system sets the rule's priority to the current highest priority ACE
(in the current ACL) + 20. The ACE priority must be unique per ACL. If the user enters a
priority that already exists, the command is rejected.
Default Configuration
No MAC access list is defined.
Command Mode
MAC Access-list Configuration mode
Example
switchxxxxxx(config)# mac access-list extended server1
switchxxxxxx(config-mac-al)# permit 00:00:00:00:00:01 00:00:00:00:00:ff any
3.9
deny (MAC)
Use the deny command in MAC Access-list Configuration mode to set deny conditions
(ACEs) for a MAC ACL. Use the no form of the command to remove the access control entry.
Syntax
deny {any | source source-wildcard} {any | destination destination-wildcard} [ace-priority
priority][{eth-type 0}| aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm |
etype-6000] [vlan vlan-id] [cos cos cos-wildcard] [time-range time-range-name]
[disable-port |log-input ]
no deny {any | source source-wildcard} {any | destination destination-wildcard} [{eth-type
0}| aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000] [vlan vlan-id]
[cos cos cos-wildcard] [time-range time-range-name] [disable-port |log-input ]
Parameters
•
source—Source MAC address of the packet.
•
source-wildcard—Wildcard bits to be applied to the source MAC address. Use ones in
the bit position that you want to be ignored.
•
destination—Destination MAC address of the packet.
•
destination-wildcard—Wildcard bits to be applied to the destination MAC address.
Use 1s in the bit position that you want to be ignored.
•
priority - Specifies the priority of the access control entry (ACE) in the access control
list (ACL). The value 1 represents the highest priority and 2147483647 represents the
lowest priority. (Range: 1-2147483647)
•
eth-type—The Ethernet type in hexadecimal format of the packet.
•
vlan-id—The VLAN ID of the packet. (Range: 1–4094).
•
cos—The Class of Service of the packet. (Range: 0–7).
•
cos-wildcard—Wildcard bits to be applied to the CoS.
•
time-range-name—Name of the time range that applies to this permit statement.
(Range: 1–32)
•
disable-port—The Ethernet interface is disabled if the condition is matched.
•
log-input—Specifies sending an informational syslog message about the packet that
matches the entry. Because forwarding/dropping is done in hardware and logging is
done in software, if a large number of packets match an ACE containing a log-input
keyword, the software might not be able to match the hardware processing rate, and
not all packets will be logged.
Default Configuration
No MAC access list is defined.
Command Mode
MAC Access-list Configuration mode
User Guidelines
A MAC ACL is defined by a unique name. IPv4 ACLs, IPv6 ACLs, MAC ACLs and policy maps
cannot have the same name.
If ace-priority is omitted, the system sets the rule's priority to the current highest priority ACE
(in the current ACL) + 20. The ACE priority must be unique per ACL. If the user enters a
priority that already exists, the command is rejected.
Example
switchxxxxxx(config)# mac access-list extended server1
switchxxxxxx(config-mac-al)# deny 00:00:00:00:00:01 00:00:00:00:00:ff any
3.10
service-acl input
Use the service-acl input command in Interface Configuration mode to bind one or more access lists
(ACLs) to an interface.
Use the no form of this command to remove all ACLs from the interface.
Syntax
service-acl input acl-name1 [acl-name2] [default-action {deny-any | permit-any}]
no service-acl input
Parameters
•
acl-name—Specifies an ACL to apply to the interface. See the user guidelines. (Range:
1–32 characters).
•
deny-any—Deny all packets (that were ingress at the port) that do not meet the rules in
this ACL.
•
permit-any—Forward all packets (that were ingress at the port) that do not meet the
rules in this ACL.
Default Configuration
No ACL is assigned. Default action for ACL is deny-any.
Command Mode
Interface Configuration mode (Ethernet, Port-Channel, VLAN)
User Guidelines
The following rules govern when ACLs can be bound or unbound from an interface:
•
IPv4 ACLs and IPv6 ACLs can be bound together to an interface.
•
A MAC ACL cannot be bound on an interface which already has an IPv4 ACL or IPv6
ACL bound to it.
•
Two ACLs of the same type cannot be bound to a port.
•
An ACL cannot be bound to a port that is already bound to an ACL, without first
removing the current ACL. Both ACLs must be mentioned at the same time in this
command.
•
MAC ACLs that include a VLAN as match criteria cannot be bound to a VLAN.
•
ACLs with time-based configuration on one of its ACEs cannot be bound to a VLAN.
•
ACLs with the action Shutdown cannot be bound to a VLAN.
•
When the user binds an ACL to an interface, TCAM resources are consumed: one
TCAM rule for each MAC or IP ACE and two TCAM rules for each IPv6 ACE. TCAM
consumption is always an even number, so for an odd number of rules the
consumption is increased by 1.
•
An ACL cannot be bound as input if it has been bound as output.
Example
switchxxxxxx(config)# mac access-list extended server-acl
switchxxxxxx(config-mac-al)# permit 00:00:00:00:00:01 00:00:00:00:00:ff any
switchxxxxxx(config-mac-al)# exit
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# service-acl input server-acl default-action deny-any
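The wildcard, priority and default-action rules above can be checked offline before an ACL is bound. The following Python model is an added example, not Cisco code. It assumes ACEs are evaluated in ascending priority number with the first match deciding, and that "current highest priority ACE + 20" means the largest existing priority number plus 20, with 20 for the first ACE; the class and function names are hypothetical.

```python
MASK48 = (1 << 48) - 1


def mac_to_int(mac):
    """Parse 'aa:bb:cc:dd:ee:ff' into a 48-bit integer."""
    digits = mac.replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def field_matches(value, spec):
    """spec is 'any' or an (address, wildcard) pair; wildcard 1-bits are ignored."""
    if spec == "any":
        return True
    address, wildcard = (mac_to_int(part) for part in spec)
    care = ~wildcard & MASK48
    return (mac_to_int(value) & care) == (address & care)


def addresses_covered(wildcard):
    """Number of distinct MAC addresses that one address/wildcard pair matches."""
    return 1 << bin(mac_to_int(wildcard)).count("1")


class MacAcl:
    """Hypothetical model of a MAC ACL: priority -> (action, source, destination)."""

    def __init__(self, name):
        self.name = name
        self.aces = {}

    def add(self, action, source, destination, priority=None):
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action: {action!r}")
        if priority is None:
            # Assumption: largest existing priority number + 20 (20 if empty).
            priority = max(self.aces, default=0) + 20
        if not 1 <= priority <= 2147483647:
            raise ValueError("priority out of range 1-2147483647")
        if priority in self.aces:
            # The guide states that a duplicate priority is rejected.
            raise ValueError(f"priority {priority} already exists in {self.name}")
        self.aces[priority] = (action, source, destination)
        return priority

    def evaluate(self, src, dst, default_action="deny-any"):
        """Return (action, matching priority); priority is None for the default."""
        for priority in sorted(self.aces):  # assumption: 1 is checked first
            action, source, destination = self.aces[priority]
            if field_matches(src, source) and field_matches(dst, destination):
                return action, priority
        return ("deny" if default_action == "deny-any" else "permit"), None


def audit_example():
    """Evaluate constructed frames against the ACL from the example above."""
    acl = MacAcl("server-acl")
    acl.add("permit", ("00:00:00:00:00:01", "00:00:00:00:00:ff"), "any")
    frames = [  # constructed (source, destination) pairs
        ("00:00:00:00:00:01", "01:00:5e:02:02:03"),
        ("00:00:00:00:00:c8", "01:00:5e:02:02:03"),
        ("00:00:00:00:01:01", "01:00:5e:02:02:03"),
    ]
    return [acl.evaluate(src, dst) for src, dst in frames]


if __name__ == "__main__":
    print(addresses_covered("00:00:00:00:00:ff"))
    for result in audit_example():
        print(result)
```

With the wildcard 00:00:00:00:00:ff the permit entry covers 256 source addresses rather than a single host, which is the kind of over-broad match this check makes visible.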
3.11
service-acl output
Use the service-acl output command in Interface Configuration mode to control access to an
interface on the egress (transmit path).
Use the no form of this command to remove the access control.
Syntax
service-acl output acl-name1 [acl-name2] [default-action {deny-any | permit-any}]
no service-acl output
Parameters
•
acl-name—Specifies an ACL to apply to the interface. See the user guidelines. (Range:
1–32 characters).
•
deny-any—Deny all packets (on the output of port) that do not meet the rules in this
ACL.
•
permit-any—Forward all packets (on the output of port) that do not meet the rules in
this ACL.
Default
No ACL is assigned. Default action is deny-any.
Command Mode
Interface Configuration mode (Ethernet, Port-Channel).
User Guidelines
The rule action log-input is not supported. Trying to use it will result in an error.
The deny rule action disable-port is not supported. Trying to use it will result in an error.
IPv4 and IPv6 ACLs can be bound together on an interface.
A MAC ACL cannot be bound on an interface together with an IPv4 ACL or IPv6 ACL.
Two ACLs of the same type cannot be added to a port.
An ACL cannot be added to a port that is already bound to an ACL, without first removing
the current ACL and binding the two ACLs together.
An ACL cannot be bound as output if it has been bound as input.
Example
This example binds an egress ACL to a port:
switchxxxxxx(config)# mac access-list extended server
switchxxxxxx(config-mac-al)# permit 00:00:00:00:00:01 00:00:00:00:00:ff any
switchxxxxxx(config-mac-al)# exit
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# service-acl output server
3.12
time-range
Use the time-range Global Configuration mode command to define time ranges for different
functions. In addition, this command enters the Time-range Configuration mode. All
commands after this one refer to the time-range being defined.
This command sets a time-range name. Use the absolute and periodic commands to actually
configure the time-range.
Use the no form of this command to remove the time range from the device.
Syntax
time-range time-range-name
no time-range time-range-name
Parameters
time-range-name—Specifies the name for the time range. (Range: 1–32 characters)
Default Configuration
No time range is defined.
Command Mode
Global Configuration mode
User Guidelines
After adding the name of a time range with this command, use the absolute and periodic
commands to actually configure the time-range. Multiple periodic commands are allowed in a
time range. Only one absolute command is allowed.
If a time-range command has both absolute and periodic values specified, then the periodic
items are evaluated only after the absolute start time is reached, and are not evaluated again
after the absolute end time is reached.
All time specifications are interpreted as local time.
To ensure that the time range entries take effect at the desired times, the software clock should
be set by the user or by SNTP. If the software clock is not set by the user or by SNTP, the time
range ACEs are not activated.
The user cannot delete a time-range that is bound to any features.
When a time range is defined, it can be used in the following commands:
•
dot1x port-control
•
power inline
•
operation time
•
permit (IP)
•
deny (IP)
•
permit (IPv6)
•
deny (IPv6)
•
permit (MAC)
•
deny (MAC)
Example
switchxxxxxx(config)# time-range http-allowed
switchxxxxxx(config-time-range)# periodic mon 12:00 to wed 12:00
3.13
absolute
Use the absolute Time-range Configuration mode command to specify an absolute time when
a time range is in effect. Use the no form of this command to remove the time limitation.
Syntax
absolute start hh:mm day month year
no absolute start
absolute end hh:mm day month year
no absolute end
Parameters
•
start—Absolute time and date that the permit or deny statement of the associated
function goes into effect. If no start time and date are specified, the function is in
effect immediately.
•
end—Absolute time and date that the permit or deny statement of the associated
function is no longer in effect. If no end time and date are specified, the function is in
effect indefinitely.
•
hh:mm—Time in hours (military format) and minutes (Range: 0–23, mm: 0–59)
•
day—Day (by date) in the month. (Range: 1–31)
•
month—Month (first three letters by name). (Range: Jan...Dec)
•
year—Year (no abbreviation) (Range: 2000–2097)
Default Configuration
There is no absolute time when the time range is in effect.
Command Mode
Time-range Configuration mode
Example
switchxxxxxx(config)# time-range http-allowed
switchxxxxxx(config-time-range)# absolute start 12:00 1 jan 2005
switchxxxxxx(config-time-range)# absolute end 12:00 31 dec 2005
3.14
periodic
Use the periodic Time-range Configuration mode command to specify a recurring (weekly)
time range for functions that support the time-range feature. Use the no form of this command
to remove the time limitation.
Syntax
periodic day-of-the-week hh:mm to day-of-the-week hh:mm
no periodic day-of-the-week hh:mm to day-of-the-week hh:mm
periodic list hh:mm to hh:mm day-of-the-week1 [day-of-the-week2… day-of-the-week7]
no periodic list hh:mm to hh:mm day-of-the-week1 [day-of-the-week2… day-of-the-week7]
periodic list hh:mm to hh:mm all
no periodic list hh:mm to hh:mm all
Parameters
•
day-of-the-week—The starting day that the associated time range is in effect. The
second occurrence is the ending day the associated statement is in effect. The second
occurrence can be the following week (see description in the User Guidelines).
Possible values are: mon, tue, wed, thu, fri, sat, and sun.
•
hh:mm—The first occurrence of this argument is the starting hours:minutes (military
format) that the associated time range is in effect. The second occurrence is the ending
hours:minutes (military format) the associated statement is in effect. The second
occurrence can be at the following day (see description in the User Guidelines).
(Range: 0–23, mm: 0–59)
•
list day-of-the-week1—Specifies a list of days that the time range is in effect.
Default Configuration
There is no periodic time when the time range is in effect.
Command Mode
Time-range Configuration mode
User Guidelines
The second occurrence of the day can be at the following week, e.g. Thursday–Monday means
that the time range is effective on Thursday, Friday, Saturday, Sunday, and Monday.
The second occurrence of the time can be on the following day, e.g. “22:00–2:00”.
Example
switchxxxxxx(config)# time-range http-allowed
switchxxxxxx(config-time-range)# periodic mon 12:00 to wed 12:00
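How the absolute window, the periodic entries, the week and day wrap-around and the unset-clock rule combine can be modelled as follows. This Python sketch is an added example, not Cisco code. It assumes start times are inclusive and end times exclusive, and all class and method names are hypothetical.

```python
from datetime import datetime

DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]  # datetime.weekday() order


def minutes(hhmm):
    """Convert 'hh:mm' to minutes since midnight."""
    hours, mins = hhmm.split(":")
    return int(hours) * 60 + int(mins)


class TimeRange:
    def __init__(self, name):
        self.name = name
        self.start = None   # absolute start (datetime) or None
        self.end = None     # absolute end (datetime) or None
        self.spans = []     # periodic day hh:mm to day hh:mm, as minutes of week
        self.lists = []     # periodic list hh:mm to hh:mm days

    def absolute(self, start=None, end=None):
        self.start, self.end = start, end

    def periodic(self, day1, hhmm1, day2, hhmm2):
        self.spans.append((DAYS.index(day1) * 1440 + minutes(hhmm1),
                           DAYS.index(day2) * 1440 + minutes(hhmm2)))

    def periodic_list(self, hhmm1, hhmm2, days):
        self.lists.append((minutes(hhmm1), minutes(hhmm2),
                           {DAYS.index(day) for day in days}))

    def is_active(self, now, clock_set=True):
        """now is local time; clock_set=False models a clock never set."""
        if not clock_set:
            return False  # guide: time range ACEs are not activated
        if self.start and now < self.start:
            return False  # periodic items are not evaluated before the start
        if self.end and now >= self.end:
            return False  # nor after the absolute end
        if not self.spans and not self.lists:
            return True   # only an absolute window is configured
        day = now.weekday()
        minute = now.hour * 60 + now.minute
        week_minute = day * 1440 + minute
        for begin, finish in self.spans:
            if begin <= finish:
                if begin <= week_minute < finish:
                    return True
            elif week_minute >= begin or week_minute < finish:
                return True   # second day falls in the following week
        for begin, finish, days in self.lists:
            if begin <= finish:
                if day in days and begin <= minute < finish:
                    return True
            elif (day in days and minute >= begin) or \
                    ((day - 1) % 7 in days and minute < finish):
                return True   # end time falls on the following day
        return False


def http_allowed():
    """The http-allowed range from this section's examples."""
    time_range = TimeRange("http-allowed")
    time_range.absolute(start=datetime(2005, 1, 1, 12, 0),
                        end=datetime(2005, 12, 31, 12, 0))
    time_range.periodic("mon", "12:00", "wed", "12:00")
    return time_range


if __name__ == "__main__":
    for moment in (datetime(2005, 6, 14, 9, 0),   # constructed: a Tuesday
                   datetime(2005, 6, 16, 9, 0),   # constructed: a Thursday
                   datetime(2006, 1, 3, 9, 0)):   # constructed: after the end
        print(moment, http_allowed().is_active(moment))
```

Because an ACE tied to a time range is not activated while the clock is unset, the same check applies to deny entries as well as permit entries.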
3.15
show time-range
Use the show time-range User EXEC mode command to display the time range
configuration.
Syntax
show time-range time-range-name
Parameters
time-range-name—Specifies the name of an existing time range.
Command Mode
User EXEC mode
Example
switchxxxxxx> show time-range
http-allowed
-------------
absolute start 12:00 1 Jan 2005 end 12:00 31 Dec 2005
periodic Monday 12:00 to Wednesday 12:00
3.16
show access-lists
Use the show access-lists Privileged EXEC mode command to display access control lists
(ACLs) configured on the switch.
Syntax
show access-lists [name]
show access-lists time-range-active [name]
Parameters
•
name—Specifies the name of the ACL. (Range: 1-160 characters).
•
time-range-active—Shows only the Access Control Entries (ACEs) whose time-range
is currently active (including those that are not associated with time-range).
Command Mode
Privileged EXEC mode
Example
switchxxxxxx# show access-lists
Standard IP access list 1
Extended IP access list ACL2
permit 234 172.30.19.1 0.0.0.255 any priority 20 time-range weekdays
permit 234 172.30.23.8 0.0.0.255 any priority 40 time-range weekdays
switchxxxxxx# show access-lists time-range-active
Extended IP access list ACL1
permit 234 172.30.40.1 0.0.0.0 any priority 20
permit 234 172.30.8.8 0.0.0.0 any priority 40
Extended IP access list ACL2
permit 234 172.30.19.1 0.0.0.255 any priority 20 time-range weekdays
switchxxxxxx# show access-lists ACL1
Extended IP access list ACL1
permit 234 172.30.40.1 0.0.0.0 any priority 20
permit 234 172.30.8.8 0.0.0.0 any priority 40
3.17
show interfaces access-lists
Use the show interfaces access-lists Privileged EXEC mode command to display access lists
(ACLs) applied on interfaces.
Syntax
show interfaces access-lists [interface-id]
Parameters
interface-id—Specifies an interface ID. The interface ID can be one of the following types:
Ethernet port, port-channel or VLAN.
Command Mode
Privileged EXEC mode
Example
Interface    ACLs
---------    -----------------------
te1/0/2      Ingress: server1
             Egress : ip
3.18
clear access-lists counters
Use the clear access-lists counters Privileged EXEC mode command to clear access-lists
(ACLs) counters.
Syntax
clear access-lists counters [interface-id]
Parameters
interface-id—Specifies an interface ID. The interface ID can be one of the following types:
Ethernet port or port-channel.
Command Mode
Privileged EXEC mode
Example
switchxxxxxx# clear access-lists counters te1/0/1
3.19
show interfaces access-lists trapped packets
Use the show interfaces access-lists trapped packets Privileged EXEC mode command to
display access list (ACL) trapped packets.
Syntax
show interfaces access-lists trapped packets [interface-id | port-channel-number | VLAN]
Parameters
•
interface-id—Specifies an interface ID. The interface ID is an Ethernet port or
port-channel.
•
port-channel—Specifies a port-channel.
•
VLAN—Specifies a VLAN.
Command Mode
Privileged EXEC mode
User Guidelines
This command shows whether packets were trapped from ACE hits with logging enabled on an
interface.
Examples
Example 1:
switchxxxxxx# show interfaces access-lists trapped packets
Ports/LAGs: te1/0/1-te1/0/3, ch1-ch3, ch4
VLANs: VLAN1, VLAN12-VLAN15
Packets were trapped globally due to lack of resources
Example 2:
switchxxxxxx# show interfaces access-lists trapped packets te1/0/1
Packets were trapped on interface te1/0/1
3.20
ip access-list (IP standard)
Use the ip access-list Global Configuration mode command to define an IP standard list. The
no form of the command removes the list.
Syntax
ip access-list access-list-name {deny|permit} {src-addr[/src-len] | any}
no ip access-list access-list-name
Parameters
•
access-list-name—The name of the Standard IP access list. The name may contain a
maximum of 32 characters.
•
deny/permit—Denies/permits access if the conditions are matched.
•
src-addr[/src-len] | any—IP prefix defined as an IP address and length, or any. The
any value matches all IP addresses. If src-len is not defined, a value of 32 is
applied. The value of src-len must be in the range 1-32.
Default Configuration
No access list is defined.
Command Mode
Global Configuration mode
User Guidelines
Use the ip access-list command to configure IP address filtering. Access lists are configured
with permit or deny keywords to either permit or deny an IP address based on a matching
condition. An implicit deny is applied to any address that does not match any access-list entry.
An access-list entry consists of an IP address and a bit mask. The bit mask is a number from 1
to 32.
Evaluation of an IP address by an access list starts with the first entry of the list and continues
down the list until a match is found. When the IP address match is found, the permit or deny
statement is applied to that address and the remainder of the list is not evaluated.
Use the no ip access-list command to delete the access list.
The IPv4 standard access list is used to filter received and sent IPv4 routing information.
Examples
Example 1 - The following example of a standard access list allows only the three specified
networks. Any IP address that does not match the access list statements will be rejected.
switchxxxxxx(config)# ip access-list 1 permit 192.168.34.0/24
switchxxxxxx(config)# ip access-list 1 permit 10.88.0.0/16
switchxxxxxx(config)# ip access-list 1 permit 10.0.0.0/8
Note: all other access is implicitly denied.
Example 2 - The following example of a standard access list allows access for IP addresses in
the range from 10.29.2.64 to 10.29.2.127. All IP addresses not in this range will be rejected.
switchxxxxxx(config)# ip access-list apo permit 10.29.2.64/26
Note: all other access is implicitly denied.
Example 3 - To specify a large number of individual addresses more easily, you can omit the
mask length if it is 32. Thus, the following two configuration commands are identical in effect:
switchxxxxxx(config)# ip access-list 2aa permit 10.48.0.3
switchxxxxxx(config)# ip access-list 2aa permit 10.48.0.3/32
3.21
ipv6 access-list (IP standard)
The ipv6 access-list Global Configuration mode command defines an IPv6 standard list. The
no form of the command removes the list.
Syntax
ipv6 access-list access-list-name {deny|permit} {src-addr[/src-len] | any}
no ipv6 access-list access-list-name
Parameters
•
access-list-name—The name of the Standard IPv6 access list. The name may contain a
maximum of 32 characters.
•
deny—Denies access if the conditions are matched.
•
permit—Permits access if the conditions are matched.
•
src-addr[/src-len] | any—IPv6 prefix defined as an IPv6 address and length, or any.
The any value matches all IPv6 addresses. If src-len is not defined, a value of 128
is applied. The value of src-len must be in the range 1-128.
Default Configuration
No access list is defined.
Command Mode
Global Configuration mode
User Guidelines
Use the ipv6 access-list command to configure IPv6 address filtering. Access lists are
configured with permit or deny keywords to either permit or deny an IPv6 address based on a
matching condition. An implicit deny is applied to any address that does not match any access-list
entry.
An access-list entry consists of an IP address and a bit mask. The bit mask is a number from 1
to 128.
Evaluation of an IPv6 address by an access list starts with the first entry of the list and
continues down the list until a match is found. When the IPv6 address match is found, the
permit or deny statement is applied to that address and the remainder of the list is not
evaluated.
Use the no ipv6 access-list command to delete the access list.
The IPv6 standard access list is used to filter received and sent IPv6 routing information.
Example
The following example of an access list allows only the one specified prefix. Any IPv6
address that does not match the access list statements will be rejected.
switchxxxxxx(config)# ipv6 access-list 1 permit 3001::2/64
Note: all other access is implicitly denied.
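The first-match and implicit-deny behaviour described for the IPv4 and IPv6 standard access lists can be audited with a short script that also flags entries an earlier entry makes unreachable. This Python code is an added example, not Cisco code. It assumes entries are evaluated in the order they were entered; the function names and the one constructed deny line are hypothetical.

```python
import ipaddress

# Commands collected from the separate examples in these two sections,
# plus one constructed line (marked) to show a shadowed entry.
SAMPLE_CONFIG = [
    "ip access-list 1 permit 192.168.34.0/24",
    "ip access-list 1 permit 10.88.0.0/16",
    "ip access-list 1 permit 10.0.0.0/8",
    "ip access-list 1 deny 10.88.5.0/24",   # constructed, not from the guide
    "ip access-list apo permit 10.29.2.64/26",
    "ip access-list 2aa permit 10.48.0.3",
    "ip access-list 2aa permit 10.48.0.3/32",
    "ipv6 access-list 1 permit 3001::2/64",
]


def parse_entry(line):
    """Parse '{ip|ipv6} access-list NAME {permit|deny} {PREFIX|any}'."""
    words = line.split()
    if (len(words) != 5 or words[0] not in ("ip", "ipv6")
            or words[1] != "access-list" or words[3] not in ("permit", "deny")):
        raise ValueError(f"not a standard access-list entry: {line!r}")
    version = 4 if words[0] == "ip" else 6
    if words[4] == "any":
        network = ipaddress.ip_network("0.0.0.0/0" if version == 4 else "::/0")
    else:
        # A missing length defaults to 32 (IPv4) or 128 (IPv6), as in the guide.
        network = ipaddress.ip_network(words[4], strict=False)
    if network.version != version:
        raise ValueError(f"address family mismatch: {line!r}")
    return (words[0], words[2]), words[3], network


def build(lines):
    """Group entries by (family keyword, list name), keeping entry order."""
    acls = {}
    for line in lines:
        key, action, network = parse_entry(line)
        acls.setdefault(key, []).append((action, network))
    return acls


def evaluate(entries, address):
    """First matching entry decides; no match means the implicit deny."""
    addr = ipaddress.ip_address(address)
    for index, (action, network) in enumerate(entries):
        if addr.version == network.version and addr in network:
            return action, index
    return "deny", None


def shadowed(entries):
    """Entries fully covered by an earlier entry, so they can never match.

    Returns (entry index, covering index, actions_differ) tuples.
    """
    hits = []
    for i, (action, network) in enumerate(entries):
        for j in range(i):
            earlier_action, earlier = entries[j]
            if network.subnet_of(earlier):
                hits.append((i, j, action != earlier_action))
                break
    return hits


if __name__ == "__main__":
    for key, entries in build(SAMPLE_CONFIG).items():
        print(key, shadowed(entries))
```

A shadowed entry whose action differs from the covering entry, such as the constructed deny here, is the case to review first: the list does not do what the later line says.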
4
Address Table Commands
4.1
bridge multicast filtering
To enable the filtering of Multicast addresses, use the bridge multicast filtering Global
Configuration mode command. To disable Multicast address filtering, use the no form of this
command.
Syntax
bridge multicast filtering
no bridge multicast filtering
Parameters
This command has no arguments or keywords.
Default Configuration
Multicast address filtering is disabled. All Multicast addresses are flooded to all ports.
Command Mode
Global Configuration mode
User Guidelines
When this feature is enabled, unregistered Multicast traffic (as opposed to registered) will still
be flooded.
All registered Multicast addresses will be forwarded to the Multicast groups. There are two
ways to manage Multicast groups, one is the IGMP Snooping feature, and the other is the
bridge multicast forward-all command.
Example
The following example enables bridge Multicast filtering.
switchxxxxxx(config)# bridge multicast filtering
4.2
bridge multicast mode
To configure the Multicast bridging mode, use the bridge multicast mode Interface (VLAN)
Configuration mode command. To return to the default configuration, use the no form of this
command.
Syntax
bridge multicast mode {mac-group | ipv4-group | ipv4-src-group}
no bridge multicast mode
Parameters
•
mac-group—Specifies that Multicast bridging is based on the packet's VLAN and
MAC address.
•
ipv4-group—Specifies that Multicast bridging is based on the packet's VLAN and
MAC address for non-IPv4 packets, and on the packet's VLAN and IPv4 destination
address for IPv4 packets.
•
ipv4-src-group—Specifies that Multicast bridging is based on the packet's VLAN and
MAC address for non-IPv4 packets, and on the packet's VLAN, IPv4 destination
address and IPv4 source address for IPv4 packets.
Default Configuration
The default mode is mac-group.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
Use the mac-group option when using a network management system that uses a MIB based
on the Multicast MAC address. Otherwise, it is recommended to use the ipv4 mode, because
there is no overlapping of IPv4 Multicast addresses in these modes.
For each Forwarding Data Base (FDB) mode, use different CLI commands to configure static
entries in the FDB, as described in the following table:
FDB Mode          CLI Commands
mac-group         bridge multicast address          bridge multicast forbidden address
ipv4-group        bridge multicast ip-address       bridge multicast forbidden ip-address
ipv4-src-group    bridge multicast source group     bridge multicast forbidden source group
The following table describes the actual data that is written to the Forwarding Data Base
(FDB) as a function of the IGMP version that is used in the network:
FDB mode          IGMP version 2       IGMP version 3
mac-group         MAC group address    MAC group address
ipv4-group        IP group address     IP group address
ipv4-src-group    (*)                  IP source and group addresses
(*) Note that (*,G) cannot be written to the FDB if the mode is ipv4-src-group. In that case,
no new FDB entry is created, but the port is added to the static (S,G) entries (if they exist) that
belong to the requested group. It is recommended to set the FDB mode to ipv4-group or
mac-group for IGMP version 2.
If an application on the device requests (*,G), the operating FDB mode is changed to
ipv4-group.
Example
The following example configures the Multicast bridging mode as mac-group on VLAN 2.
switchxxxxxx(config)# interface vlan 2
switchxxxxxx(config-if)# bridge multicast mode mac-group
4.3
bridge multicast address
To register a MAC-layer Multicast address in the bridge table and statically add or remove
ports to or from the group, use the bridge multicast address Interface (VLAN) Configuration
mode command. To unregister the MAC address, use the no form of this command.
Syntax
bridge multicast address {mac-multicast-address | ipv4-multicast-address} [{add | remove}
{ethernet interface-list | port-channel port-channel-list}]
no bridge multicast address mac-multicast-address
Parameters
•
mac-multicast-address | ipv4-multicast-address—Specifies the group Multicast
address.
•
add—(Optional) Adds ports to the group.
•
remove—(Optional) Removes ports from the group.
•
ethernet interface-list—(Optional) Specifies a list of Ethernet ports. Separate
nonconsecutive Ethernet ports with a comma and no spaces. Use a hyphen to designate
a range of ports.
•
port-channel port-channel-list—(Optional) Specifies a list of port channels. Separate
nonconsecutive port-channels with a comma and no spaces; use a hyphen to designate
a range of port channels.
Default Configuration
No Multicast addresses are defined.
If ethernet interface-list or port-channel port-channel-list is specified without specifying
add or remove, the default option is add.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
To register the group in the bridge database without adding or removing ports or port channels,
specify the mac-multicast-address parameter only.
Static Multicast addresses can be defined on static VLANs only.
You can execute the command before the VLAN is created.
Examples
Example 1 - The following example registers the MAC address to the bridge table:
switchxxxxxx(config)# interface vlan 8
switchxxxxxx(config-if)# bridge multicast address 01:00:5e:02:02:03
Example 2 - The following example registers the MAC address and adds ports statically.
switchxxxxxx(config)# interface vlan 8
switchxxxxxx(config-if)# bridge multicast address 01:00:5e:02:02:03 add te1/0/1-2
4.4
bridge multicast forbidden address
To forbid adding or removing a specific Multicast address to or from specific ports, use the
bridge multicast forbidden address Interface (VLAN) Configuration mode command. To
restore the default configuration, use the no form of this command.
Syntax
bridge multicast forbidden address {mac-multicast-address | ipv4-multicast-address} {add
| remove} {ethernet interface-list | port-channel port-channel-list}
no bridge multicast forbidden address mac-multicast-address
Parameters
•
mac-multicast-address | ipv4-multicast-address—Specifies the group Multicast
address.
•
add—Forbids adding ports to the group.
•
remove—Forbids removing ports from the group.
•
ethernet interface-list—Specifies a list of Ethernet ports. Separate nonconsecutive
Ethernet ports with a comma and no spaces. Use a hyphen to designate a range of
ports.
•
port-channel port-channel-list—Specifies a list of port channels. Separate
nonconsecutive port-channels with a comma and no spaces. Use a hyphen to designate
a range of port channels.
Default Configuration
No forbidden addresses are defined.
Default option is add.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
Before defining forbidden ports, the Multicast group should be registered, using bridge
multicast address.
You can execute the command before the VLAN is created.
Example
The following example forbids MAC address 0100.5e02.0203 on port te1/0/4 within VLAN 8.
switchxxxxxx(config)# interface vlan 8
switchxxxxxx(config-if)# bridge multicast address 0100.5e02.0203
switchxxxxxx(config-if)# bridge multicast forbidden address 0100.5e02.0203 add te1/0/4
4.5
bridge multicast ip-address
To register IP-layer Multicast addresses to the bridge table, and statically add or remove ports
to or from the group, use the bridge multicast ip-address Interface (VLAN) Configuration
mode command. To unregister the IP address, use the no form of this command.
Syntax
bridge multicast ip-address ip-multicast-address [[add | remove] {interface-list |
port-channel port-channel-list}]
no bridge multicast ip-address ip-multicast-address
Parameters
•
ip-multicast-address—Specifies the group IP Multicast address.
•
add—(Optional) Adds ports to the group.
•
remove—(Optional) Removes ports from the group.
•
interface-list—(Optional) Specifies a list of Ethernet ports. Separate nonconsecutive
Ethernet ports with a comma and no spaces. Use a hyphen to designate a range of
ports.
•
port-channel port-channel-list—(Optional) Specifies a list of port channels. Separate
nonconsecutive port-channels with a comma and no spaces. Use a hyphen to designate
a range of port channels.
Default Configuration
No Multicast addresses are defined.
Default option is add.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
To register the group in the bridge database without adding or removing ports or port channels,
specify the ip-multicast-address parameter only.
Static Multicast addresses can be defined on static VLANs only.
You can execute the command before the VLAN is created.
Example
The following example registers the specified IP address to the bridge table:
switchxxxxxx(config)# interface vlan 8
switchxxxxxx(config-if)# bridge multicast ip-address 239.2.2.2
The following example registers the IP address and adds ports statically.
switchxxxxxx(config)# interface vlan 8
switchxxxxxx(config-if)# bridge multicast ip-address 239.2.2.2 add te1/0/4
4.6
bridge multicast forbidden ip-address
To forbid adding or removing a specific IP Multicast address to or from specific ports, use the
bridge multicast forbidden ip-address Interface (VLAN) Configuration mode command. To
restore the default configuration, use the no form of this command.
Syntax
bridge multicast forbidden ip-address {ip-multicast-address} {add | remove} {ethernet
interface-list | port-channel port-channel-list}
no bridge multicast forbidden ip-address ip-multicast-address
Parameters
• ip-multicast-address—Specifies the group IP Multicast address.
• add—(Optional) Forbids adding ports to the group.
• remove—(Optional) Forbids removing ports from the group.
• ethernet interface-list—(Optional) Specifies a list of Ethernet ports. Separate
  nonconsecutive Ethernet ports with a comma and no spaces. Use a hyphen to designate
  a range of ports.
• port-channel port-channel-list—(Optional) Specifies a list of port channels. Separate
  nonconsecutive port-channels with a comma and no spaces. Use a hyphen to designate
  a range of port channels.
Default Configuration
No forbidden addresses are defined.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
Before defining forbidden ports, the Multicast group should be registered.
You can execute the command before the VLAN is created.
Example
The following example registers IP address 239.2.2.2, and forbids the IP address on port
te1/0/4 within VLAN 8.
switchxxxxxx(config)# interface vlan 8
switchxxxxxx(config-if)# bridge multicast ip-address 239.2.2.2
switchxxxxxx(config-if)# bridge multicast forbidden ip-address 239.2.2.2 add te1/0/4
4.7
bridge multicast source group
To register a source IP address - Multicast IP address pair to the bridge table, and statically add
or remove ports to or from the source-group, use the bridge multicast source group Interface
(VLAN) Configuration mode command. To unregister the source-group-pair, use the no form
of this command.
Syntax
bridge multicast source ip-address group ip-multicast-address [[add | remove] {ethernet
interface-list | port-channel port-channel-list}]
no bridge multicast source ip-address group ip-multicast-address
Parameters
• ip-address—Specifies the source IP address.
• ip-multicast-address—Specifies the group IP Multicast address.
• add—(Optional) Adds ports to the group for the specific source IP address.
• remove—(Optional) Removes ports from the group for the specific source IP address.
• ethernet interface-list—(Optional) Specifies a list of Ethernet ports. Separate
  nonconsecutive Ethernet ports with a comma and no spaces. Use a hyphen to designate
  a range of ports.
• port-channel port-channel-list—(Optional) Specifies a list of port channels. Separate
  nonconsecutive port-channels with a comma and no spaces; use a hyphen to designate
  a range of port channels.
Default Configuration
No Multicast addresses are defined.
The default option is add.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
You can execute the command before the VLAN is created.
Example
The following example registers a source IP address - Multicast IP address pair to the bridge
table:
switchxxxxxx(config)# interface vlan 8
switchxxxxxx(config-if)# bridge multicast source 13.16.1.1 group 239.2.2.2
4.8
bridge multicast forbidden source group
To forbid adding or removing a specific IP source address - Multicast address pair to or from
specific ports, use the bridge multicast forbidden source group Interface (VLAN)
Configuration mode command. To return to the default configuration, use the no form of this
command.
Syntax
bridge multicast forbidden source ip-address group ip-multicast-address {add | remove}
{ethernet interface-list | port-channel port-channel-list}
no bridge multicast forbidden source ip-address group ip-multicast-address
Parameters
• ip-address—Specifies the source IP address.
• ip-multicast-address—Specifies the group IP Multicast address.
• add—(Optional) Forbids adding ports to the group for the specific source IP address.
• remove—(Optional) Forbids removing ports from the group for the specific source IP
  address.
• ethernet interface-list—(Optional) Specifies a list of Ethernet ports. Separate
  nonconsecutive Ethernet ports with a comma and no spaces. Use a hyphen to designate
  a range of ports.
• port-channel port-channel-list—(Optional) Specifies a list of port channels. Separate
  nonconsecutive port-channels with a comma and no spaces; use a hyphen to designate
  a range of port channels.
Default Configuration
No forbidden addresses are defined.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
Before defining forbidden ports, the Multicast group should be registered.
You can execute the command before the VLAN is created.
Example
The following example registers a source IP address - Multicast IP address pair to the bridge
table, and forbids adding the pair to port te1/0/4 on VLAN 8:
switchxxxxxx(config)# interface vlan 8
switchxxxxxx(config-if)# bridge multicast source 13.16.1.1 group 239.2.2.2
switchxxxxxx(config-if)# bridge multicast forbidden source 13.16.1.1 group 239.2.2.2 add te1/0/4
4.9
bridge multicast ipv6 mode
To configure the Multicast bridging mode for IPv6 Multicast packets, use the bridge
multicast ipv6 mode Interface (VLAN) Configuration mode command. To return to the
default configuration, use the no form of this command.
Syntax
bridge multicast ipv6 mode {mac-group | ip-group | ip-src-group}
no bridge multicast ipv6 mode
Parameters
• mac-group—Specifies that Multicast bridging is based on the packet's VLAN and
  MAC destination address.
• ip-group—Specifies that Multicast bridging is based on the packet's VLAN and IPv6
  destination address for IPv6 packets.
• ip-src-group—Specifies that Multicast bridging is based on the packet's VLAN, IPv6
  destination address and IPv6 source address for IPv6 packets.
Default Configuration
The default mode is mac-group.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
Use the mac-group mode when using a network management system that uses a MIB based
on the Multicast MAC address.
For each Forwarding Data Base (FDB) mode, use different CLI commands to configure static
entries for IPv6 Multicast addresses in the FDB, as described in the following table:
FDB Mode         CLI Commands
---------------  ---------------------------------------------
mac-group        bridge multicast address
                 bridge multicast forbidden address
ipv6-group       bridge multicast ipv6 ip-address
                 bridge multicast ipv6 forbidden ip-address
ipv6-src-group   bridge multicast ipv6 source group
                 bridge multicast ipv6 forbidden source group
The following table describes the actual data that is written to the Forwarding Data Base
(FDB) as a function of the MLD version that is used in the network:
FDB mode         MLD version 1         MLD version 2
---------------  --------------------  -------------------------------
mac-group        MAC group address     MAC group address
ipv6-group       IPv6 group address    IPv6 group address
ipv6-src-group   (*)                   IPv6 source and group addresses
(*) In ip-src-group mode a match is performed on 4 bytes of the multicast address and 4 bytes
of the source address. In the group address the last 4 bytes of the address are checked for
match. In the source address the last 3 bytes and 5th from last bytes of the interface ID are
examined.
(*) Note that (*,G) cannot be written to the FDB if the mode is ip-src-group. In that case, no
new FDB entry is created, but the port is added to the (S,G) entries (if they exist) that belong to
the requested group.
If an application on the device requests (*,G), the operating FDB mode is changed to
ip-group.
You can execute the command before the VLAN is created.
Example
The following example configures the Multicast bridging mode as an ip-group on VLAN 2.
switchxxxxxx(config)# interface vlan 2
switchxxxxxx(config-if)# bridge multicast ipv6 mode ip-group
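The (*) note in the User Guidelines above says that ip-src-group mode compares only 4 bytes of the group address and 4 bytes of the source address. The following Python script is an added example, not part of the Cisco guide; it derives that 8-byte key and reports which planned (S,G) pairs would be indistinguishable to such a match. It assumes that "5th from last" means the byte at offset -5 of the source address, and all addresses are constructed.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Pair = Tuple[str, str]  # (source, group), both as IPv6 text


def match_key(source: str, group: str) -> bytes:
    """Return the 8 bytes the note says are compared in ip-src-group mode."""
    s = ipaddress.IPv6Address(source)
    g = ipaddress.IPv6Address(group)
    if not g.is_multicast:
        raise ValueError(f"{group} is not an IPv6 multicast address")
    if s.is_multicast:
        raise ValueError(f"{source} cannot be used as a source address")
    sb, gb = s.packed, g.packed
    # Group: last 4 bytes. Source: 5th-from-last byte plus the last 3 bytes
    # (assumed reading of the note; the 4th-from-last byte is not compared).
    return gb[-4:] + sb[-5:-4] + sb[-3:]


def find_aliases(pairs: Iterable[Pair]) -> Dict[bytes, List[Pair]]:
    """Group pairs by match key; keep only keys shared by 2+ distinct pairs."""
    buckets: Dict[bytes, List[Pair]] = defaultdict(list)
    for pair in pairs:
        key = match_key(*pair)
        if pair not in buckets[key]:
            buckets[key].append(pair)
    return {k: v for k, v in buckets.items() if len(v) > 1}


# Constructed (S,G) pairs using the 2001:db8::/32 documentation prefix.
PLANNED = [
    ("2001:db8:0:1:0:11:2233:4455", "ff3e::4:1"),
    # Different subnet, interface ID and group, but same compared bytes:
    ("2001:db8:0:2:aaaa:bb11:9933:4455", "ff3e::9:4:1"),
    # Last source byte differs, so this pair gets its own key:
    ("2001:db8:0:1:0:11:2233:4456", "ff3e::4:1"),
]

if __name__ == "__main__":
    for key, members in find_aliases(PLANNED).items():
        print(key.hex(), "->", members)
```
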
4.10
bridge multicast ipv6 ip-address
To register an IPv6 Multicast address to the bridge table, and statically add or remove ports to
or from the group, use the bridge multicast ipv6 ip-address Interface (VLAN) Configuration
mode command. To unregister the IPv6 address, use the no form of this command.
Syntax
bridge multicast ipv6 ip-address ipv6-multicast-address [[add | remove] {ethernet
interface-list | port-channel port-channel-list}]
no bridge multicast ipv6 ip-address ipv6-multicast-address
Parameters
• ipv6-multicast-address—Specifies the group IPv6 multicast address.
• add—(Optional) Adds ports to the group.
• remove—(Optional) Removes ports from the group.
• ethernet interface-list—(Optional) Specifies a list of Ethernet ports. Separate
  nonconsecutive Ethernet ports with a comma and no spaces; use a hyphen to designate
  a range of ports.
• port-channel port-channel-list—(Optional) Specifies a list of port channels. Separate
  nonconsecutive port-channels with a comma and no spaces. Use a hyphen to designate
  a range of port channels.
Default Configuration
No Multicast addresses are defined.
The default option is add.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
To register the group in the bridge database without adding or removing ports or port channels,
specify the ipv6-multicast-address parameter only.
Static Multicast addresses can be defined on static VLANs only.
You can execute the command before the VLAN is created.
Examples
Example 1 - The following example registers the IPv6 address to the bridge table:
switchxxxxxx(config)# interface vlan 8
switchxxxxxx(config-if)# bridge multicast ipv6 ip-address FF00:0:0:0:4:4:4:1
Example 2 - The following example registers the IPv6 address and adds ports statically.
switchxxxxxx(config)# interface vlan 8
switchxxxxxx(config-if)# bridge multicast ipv6 ip-address FF00:0:0:0:4:4:4:1 add te1/0/1-2
4.11
bridge multicast ipv6 forbidden ip-address
To forbid adding or removing a specific IPv6 Multicast address to or from specific ports, use
the bridge multicast ipv6 forbidden ip-address Interface (VLAN) Configuration mode
command. To restore the default configuration, use the no form of this command.
Syntax
bridge multicast ipv6 forbidden ip-address {ipv6-multicast-address} {add | remove}
{ethernet interface-list | port-channel port-channel-list}
no bridge multicast ipv6 forbidden ip-address ipv6-multicast-address
Parameters
• ipv6-multicast-address—Specifies the group IPv6 Multicast address.
• add—(Optional) Forbids adding ports to the group.
• remove—(Optional) Forbids removing ports from the group.
• ethernet interface-list—(Optional) Specifies a list of Ethernet ports. Separate
  nonconsecutive Ethernet ports with a comma and no spaces. Use a hyphen to designate
  a range of ports.
• port-channel port-channel-list—(Optional) Specifies a list of port channels. Separate
  nonconsecutive port-channels with a comma and no spaces. Use a hyphen to designate
  a range of port channels.
Default Configuration
No forbidden addresses are defined.
The default option is add.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
Before defining forbidden ports, the Multicast group should be registered.
You can execute the command before the VLAN is created.
Example
The following example registers an IPv6 Multicast address, and forbids the IPv6 address on
port te1/0/4 within VLAN 8.
switchxxxxxx(config)# interface vlan 8
switchxxxxxx(config-if)# bridge multicast ipv6 ip-address FF00:0:0:0:4:4:4:1
switchxxxxxx(config-if)# bridge multicast ipv6 forbidden ip-address FF00:0:0:0:4:4:4:1 add te1/0/4
4.12
bridge multicast ipv6 source group
To register a source IPv6 address - Multicast IPv6 address pair to the bridge table, and
statically add or remove ports to or from the source-group, use the bridge multicast ipv6
source group Interface (VLAN) Configuration mode command. To unregister the
source-group-pair, use the no form of this command.
Syntax
bridge multicast ipv6 source ipv6-source-address group ipv6-multicast-address [[add |
remove] {ethernet interface-list | port-channel port-channel-list}]
no bridge multicast ipv6 source ipv6-source-address group ipv6-multicast-address
Parameters
• ipv6-source-address—Specifies the source IPv6 address.
• ipv6-multicast-address—Specifies the group IPv6 Multicast address.
• add—(Optional) Adds ports to the group for the specific source IPv6 address.
• remove—(Optional) Removes ports from the group for the specific source IPv6
  address.
• ethernet interface-list—(Optional) Specifies a list of Ethernet ports. Separate
  nonconsecutive Ethernet ports with a comma and no spaces. Use a hyphen to designate
  a range of ports.
• port-channel port-channel-list—(Optional) Specifies a list of port channels. Separate
  nonconsecutive port-channels with a comma and no spaces. Use a hyphen to designate
  a range of port channels.
Default Configuration
No Multicast addresses are defined.
The default option is add.
Command Mode
Interface (VLAN) Configuration mode
Example
The following example registers a source IPv6 address - Multicast IPv6 address pair to the
bridge table:
switchxxxxxx(config)# interface vlan 8
switchxxxxxx(config-if)# bridge multicast ipv6 source 2001:0:0:0:4:4:4:1 group FF00:0:0:0:4:4:4:1
4.13
bridge multicast ipv6 forbidden source group
To forbid adding or removing a specific IPv6 source address - Multicast address pair to or
from specific ports, use the bridge multicast ipv6 forbidden source group Interface (VLAN)
Configuration mode command. To return to the default configuration, use the no form of this
command.
Syntax
bridge multicast ipv6 forbidden source ipv6-source-address group ipv6-multicast-address
{add | remove} {ethernet interface-list | port-channel port-channel-list}
no bridge multicast ipv6 forbidden source ipv6-source-address group ipv6-multicast-address
Parameters
• ipv6-source-address—Specifies the source IPv6 address.
• ipv6-multicast-address—Specifies the group IPv6 Multicast address.
• add—Forbids adding ports to the group for the specific source IPv6 address.
• remove—Forbids removing ports from the group for the specific source IPv6 address.
• ethernet interface-list—Specifies a list of Ethernet ports. Separate nonconsecutive
  Ethernet ports with a comma and no spaces. Use a hyphen to designate a range of
  ports.
• port-channel port-channel-list—Specifies a list of port channels. Separate
  nonconsecutive port-channels with a comma and no spaces; use a hyphen to designate
  a range of port channels.
Default Configuration
No forbidden addresses are defined.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
Before defining forbidden ports, the Multicast group should be registered.
You can execute the command before the VLAN is created.
Example
The following example registers a source IPv6 address - Multicast IPv6 address pair to the
bridge table, and forbids adding the pair to te1/0/4 on VLAN 8:
switchxxxxxx(config)# interface vlan 8
switchxxxxxx(config-if)# bridge multicast ipv6 source 2001:0:0:0:4:4:4:1 group FF00:0:0:0:4:4:4:1
switchxxxxxx(config-if)# bridge multicast ipv6 forbidden source 2001:0:0:0:4:4:4:1 group FF00:0:0:0:4:4:4:1 add te1/0/4
4.14
bridge multicast unregistered
To configure forwarding unregistered Multicast addresses, use the bridge multicast
unregistered Interface (Ethernet, Port Channel) Configuration mode command. To restore the
default configuration, use the no form of this command.
Syntax
bridge multicast unregistered {forwarding | filtering}
no bridge multicast unregistered
Parameters
• forwarding—Forwards unregistered Multicast packets.
• filtering—Filters unregistered Multicast packets.
Default Configuration
Unregistered Multicast addresses are forwarded.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
Do not enable unregistered Multicast filtering on ports that are connected to routers, because
the 224.0.0.x address range should not be filtered. Note that routers do not necessarily send
IGMP reports for the 224.0.0.x range.
You can execute the command before the VLAN is created.
Example
The following example specifies that unregistered Multicast packets are filtered on te1/0/1:
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# bridge multicast unregistered filtering
4.15
bridge multicast forward-all
To enable forwarding all multicast packets for a range of ports or port channels, use the bridge
multicast forward-all Interface (VLAN) Configuration mode command. To restore the
default configuration, use the no form of this command.
Syntax
bridge multicast forward-all {add | remove} {ethernet interface-list | port-channel
port-channel-list}
no bridge multicast forward-all
Parameters
• add—Forces forwarding of all Multicast packets.
• remove—Does not force forwarding of all Multicast packets.
• ethernet interface-list—Specifies a list of Ethernet ports. Separate nonconsecutive
  Ethernet ports with a comma and no spaces. Use a hyphen to designate a range of
  ports.
• port-channel port-channel-list—Specifies a list of port channels. Separate
  nonconsecutive port-channels with a comma and no spaces. Use a hyphen to designate
  a range of port channels.
Default Configuration
Forwarding of all Multicast packets is disabled.
Command Mode
Interface (VLAN) Configuration mode
Example
The following example enables all Multicast packets on port te1/0/4 to be forwarded.
switchxxxxxx(config)# interface vlan 2
switchxxxxxx(config-if)# bridge multicast forward-all add te1/0/4
4.16
bridge multicast forbidden forward-all
To forbid a port to dynamically join Multicast groups, use the bridge multicast forbidden
forward-all Interface (VLAN) Configuration mode command. To restore the default
configuration, use the no form of this command.
Syntax
bridge multicast forbidden forward-all {add | remove} {ethernet interface-list |
port-channel port-channel-list}
no bridge multicast forbidden forward-all
Parameters
• add—Forbids forwarding of all Multicast packets.
• remove—Does not forbid forwarding of all Multicast packets.
• ethernet interface-list—Specifies a list of Ethernet ports. Separate nonconsecutive
  Ethernet ports with a comma and no spaces. Use a hyphen to designate a range of
  ports.
• port-channel port-channel-list—Specifies a list of port channels. Separate
  nonconsecutive port-channels with a comma and no spaces; use a hyphen to designate
  a range of port channels.
Default Configuration
Ports are not forbidden to dynamically join Multicast groups.
The default option is add.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
Use this command to forbid a port to dynamically join (by IGMP, for example) a Multicast
group.
The port can still be a Multicast router port.
Example
The following example forbids forwarding of all Multicast packets to te1/0/1 within VLAN 2.
switchxxxxxx(config)# interface vlan 2
switchxxxxxx(config-if)# bridge multicast forbidden forward-all add ethernet te1/0/1
4.17
bridge unicast unknown
To enable egress filtering of Unicast packets where the destination MAC address is unknown
to the device, use the bridge unicast unknown Interface (Ethernet, Port Channel)
Configuration mode command. To restore the default configuration, use the no form of this
command.
Syntax
bridge unicast unknown {filtering | forwarding}
no bridge unicast unknown
Parameters
• filtering—Filter unregistered Unicast packets.
• forwarding—Forward unregistered Unicast packets.
Default Configuration
Forwarding.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode.
Example
The following example drops Unicast packets on te1/0/1 when the destination is unknown.
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# bridge unicast unknown filtering
4.18
show bridge unicast unknown
To display the unknown Unicast filtering configuration, use the show bridge unicast
unknown Privileged EXEC mode command.
Syntax
show bridge unicast unknown [interface-id]
Parameters
interface-id—(Optional) Specify an interface ID. The interface ID can be one of the following
types: Ethernet port or port-channel
Command Mode
Privileged EXEC mode
Example
Console # show bridge unicast unknown
Port      Unregistered
--------  ---------------------
te1/0/1   Forward
te1/0/2   Filter
te1/0/3   Filter
4.19
mac address-table static
To add a MAC-layer station source address to the MAC address table, use the mac
address-table static Global Configuration mode command. To delete the MAC address, use
the no form of this command.
Syntax
mac address-table static mac-address vlan vlan-id interface interface-id [permanent |
delete-on-reset | delete-on-timeout | secure]
no mac address-table static [mac-address] vlan vlan-id
Parameters
• mac-address—MAC address (Range: Valid MAC address)
• vlan-id—Specify the VLAN
• interface-id—Specify an interface ID. The interface ID can be one of the following
  types: Ethernet port or port-channel (Range: valid ethernet port, valid port-channel)
• permanent—(Optional) The permanent static MAC address. The keyword is applied
  by default.
• delete-on-reset—(Optional) The delete-on-reset static MAC address.
• delete-on-timeout—(Optional) The delete-on-timeout static MAC address.
• secure—(Optional) The secure MAC address. May be used only in a secure mode.
Default Configuration
No static addresses are defined. The default mode for an added address is permanent.
Command Mode
Global Configuration mode
User Guidelines
Use the command to add a static MAC address with given time-to-live in any mode or to add a
secure MAC address in a secure mode.
Each MAC address in the MAC address table is assigned two attributes: type and time-to-live.
The following time-to-live values are supported:
• permanent—MAC address is saved until it is removed manually.
• delete-on-reset—MAC address is saved until the next reboot.
• delete-on-timeout—MAC address that may be removed by the aging timer.
The following types are supported:
• static—A MAC address manually added by the command with the following keywords
  specifying its time-to-live:
  - permanent
  - delete-on-reset
  - delete-on-timeout
  A static MAC address may be added in any port mode.
• secure—A MAC address added manually or learned in a secure mode. Use the mac
  address-table static command with the secure keyword to add a secure MAC address.
  The MAC address cannot be relearned.
  A secure MAC address may be added only in a secure port mode.
• dynamic—A MAC address learned by the switch in non-secure mode. The value of its
  time-to-live attribute is delete-on-timeout.
Examples
Example 1 - The following example adds two permanent static MAC addresses:
switchxxxxxx(config)# mac address-table static 00:3f:bd:45:5a:b1 vlan 1 interface te1/0/1
switchxxxxxx(config)# mac address-table static 00:3f:bd:45:5a:b2 vlan 1 interface te1/0/1 permanent
Example 2 - The following example adds a delete-on-reset static MAC address:
switchxxxxxx(config)# mac address-table static 00:3f:bd:45:5a:b2 vlan 1 interface te1/0/1 delete-on-reset
Example 3 - The following example adds a delete-on-timeout static MAC address:
switchxxxxxx(config)# mac address-table static 00:3f:bd:45:5a:b2 vlan 1 interface te1/0/1 delete-on-timeout
Example 4 - The following example adds a secure MAC address:
switchxxxxxx(config)# mac address-table static 00:3f:bd:45:5a:b2 vlan 1 interface te1/0/1 secure
4.20
clear mac address-table
To remove learned or secure entries from the forwarding database (FDB), use the clear mac
address-table Privileged EXEC mode command.
Syntax
clear mac address-table dynamic interface interface-id
clear mac address-table secure interface interface-id
Parameters
• dynamic interface interface-id—Delete all dynamic (learned) addresses on the
  specified interface. The interface ID can be one of the following types: Ethernet port or
  port-channel. If interface ID is not supplied, all dynamic addresses are deleted.
• secure interface interface-id—Delete all the secure addresses learned on the specific
  interface. A secure address is a MAC address learned on ports on which port security
  is defined.
Default Configuration
For dynamic addresses, if interface-id is not supplied, all dynamic entries are deleted.
Command Mode
Privileged EXEC mode
Examples
Example 1 - Delete all dynamic entries from the FDB.
switchxxxxxx# clear mac address-table dynamic
Example 2 - Delete all secure entries from the FDB learned on secure port te1/0/1.
switchxxxxxx# clear mac address-table secure interface te1/0/1
4.21
mac address-table aging-time
To set the aging time of the address table, use the mac address-table aging-time Global
configuration command. To restore the default, use the no form of this command.
Syntax
mac address-table aging-time seconds
no mac address-table aging-time
Parameters
seconds—Time is number of seconds. (Range:10-630)
Default Configuration
300
Command Mode
Global Configuration mode
Example
switchxxxxxx(config)# mac address-table aging-time 600
4.22
port security
To enable port security learning mode on an interface, use the port security Interface
(Ethernet, Port Channel) Configuration mode command. To disable port security learning
mode on an interface, use the no form of this command.
Syntax
port security [forward | discard | discard-shutdown] [trap seconds]
no port security
Parameters
• forward—(Optional) Forwards packets with unlearned source addresses, but does not
  learn the address.
• discard—(Optional) Discards packets with unlearned source addresses.
• discard-shutdown—(Optional) Discards packets with unlearned source addresses and
  shuts down the port.
• trap seconds—(Optional) Sends SNMP traps and specifies the minimum time interval
  in seconds between consecutive traps. (Range: 1–1000000)
Default Configuration
The feature is disabled by default.
The default mode is discard.
The default number of seconds is zero, but if traps is entered, a number of seconds must also
be entered.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
The command may be used only when the interface is in the regular (non-secure with unlimited
MAC learning) mode.
Port Security cannot be enabled on an interface if 802.1X authentication is already active on
the interface.
See the mac address-table static command for information about MAC address attributes (type
and time-to-live) definitions.
When the port security command enables the lock mode on a port, all dynamic addresses
learned on the port are changed to permanent secure addresses.
When the port security command enables a mode on a port other than the lock mode, all
dynamic addresses learned on the port are deleted.
When the no port security command cancels a secure mode on a port, all secure addresses
defined on the port are changed to dynamic addresses.
In addition to setting a mode, use the port security command to set the action that the switch
performs on a frame whose source MAC address cannot be learned.
Example
The following example forwards all packets to port te1/0/1 without learning addresses of
packets from unknown sources and sends traps every 100 seconds, if a packet with an
unknown source address is received.
switchxxxxxx(config)# interface te1/0/4
switchxxxxxx(config-if)# port security mode lock
switchxxxxxx(config-if)# port security forward trap 100
switchxxxxxx(config-if)# exit
4.23
port security mode
To configure the port security learning mode, use the port security mode Interface (Ethernet,
Port Channel) Configuration mode command. To restore the default configuration, use the no
form of this command.
Syntax
port security mode {max-addresses | lock | secure permanent | secure delete-on-reset}
no port security mode
Parameters
• max-addresses—Non-secure mode with limited learning of dynamic MAC addresses.
  The static MAC addresses may be added on the port manually by the mac
  address-table static command.
• lock—Secure mode without MAC learning. The static and secure MAC addresses
  may be added on the port manually by the mac address-table static command.
• secure permanent—Secure mode with limited learning of permanent secure MAC
  addresses with the permanent time-to-live. The static and secure MAC addresses may
  be added on the port manually by the mac address-table static command.
• secure delete-on-reset—Secure mode with limited learning of secure MAC addresses
  with the delete-on-reset time-to-live. The static and secure MAC addresses may be
  added on the port manually by the mac address-table static command.
Default Configuration
The default port security mode is lock.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
The default port mode is called regular. In this mode, the port allows unlimited learning of
dynamic addresses.
The static MAC addresses may be added on the port manually by the mac address-table static
command.
The command may be used only when the interface is in the regular (non-secure with unlimited
MAC learning) mode.
Use the port security mode command to change the default mode before the port security
command.
Example
The following example sets the port security mode to Lock for te1/0/4.
switchxxxxxx(config)# interface te1/0/4
switchxxxxxx(config-if)# port security mode lock
switchxxxxxx(config-if)# port security
switchxxxxxx(config-if)# exit
4.24
port security max
To configure the maximum number of addresses that can be learned on the port while the port
is in port, max-addresses or secure mode, use the port security max Interface (Ethernet, Port
Channel) Configuration mode command. To restore the default configuration, use the no form
of this command.
Syntax
port security max max-addr
no port security max
Parameters
max-addr—Specifies the maximum number of addresses that can be learned on the port.
(Range: 0–256)
Default Configuration
The default maximum number of addresses is 1.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
The command may be used only when the interface is in the regular (non-secure with unlimited
MAC learning) mode.
Use this command to change the default value before the port security command.
Example
The following example sets the port to limited learning mode:
switchxxxxxx(config)# interface te1/0/4
switchxxxxxx(config-if)# port security mode max
switchxxxxxx(config-if)# port security max 20
switchxxxxxx(config-if)# port security
switchxxxxxx(config-if)# exit
4.25 port security routed secure-address
To add a MAC-layer secure address to a routed port (a port that has an IP address defined on it),
use the port security routed secure-address Interface (Ethernet, Port Channel) Configuration
mode command. To delete a MAC address from a routed port, use the no form of this
command.
Syntax
port security routed secure-address mac-address
no port security routed secure-address mac-address
Parameters
mac-address—Specifies the MAC address.
Default Configuration
No addresses are defined.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode. It cannot be configured for a range of
interfaces (range context).
User Guidelines
This command enables adding secure MAC addresses to a routed port in port security mode.
The command is available when the port is a routed port and in port security mode. The
address is deleted if the port exits the security mode or is not a routed port.
Example
The following example adds the MAC-layer address 00:66:66:66:66:66 to te1/0/1.
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# port security routed secure-address 00:66:66:66:66:66
4.26 show mac address-table
To display entries in the MAC address table, use the show mac address-table Privileged
EXEC mode command.
Syntax
show mac address-table [dynamic | static | secure] [vlan vlan] [interface interface-id]
[address mac-address]
Parameters
• dynamic—(Optional) Displays only dynamic MAC address table entries.
• static—(Optional) Displays only static MAC address table entries.
• secure—(Optional) Displays only secure MAC address table entries.
• vlan—(Optional) Displays entries for a specific VLAN.
• interface interface-id—(Optional) Displays entries for a specific interface ID. The
interface ID can be one of the following types: Ethernet port or port-channel.
• address mac-address—(Optional) Displays entries for a specific MAC address.
Default Configuration
If no parameters are entered, the entire table is displayed.
Command Mode
Privileged EXEC mode
User Guidelines
Internal usage VLANs (VLANs that are automatically allocated on routed ports) are presented
in the VLAN column by a port number and not by a VLAN ID.
Examples
Example 1 - Displays entire address table.
switchxxxxxx# show mac address-table
Aging time is 300 sec
VLAN      MAC Address            Port        Type
--------  ---------------------  ----------  ----------
1         00:00:26:08:13:23      0           self
1         00:3f:bd:45:5a:b1      te1/0/1     static
1         00:a1:b0:69:63:f3      te1/0/2     dynamic
2         00:a1:b0:69:63:f3      te1/0/3     dynamic
te1/0/4   00:a1:b0:69:61:12      te1/0/4     dynamic
Example 2 - Displays address table entries containing the specified MAC address.
switchxxxxxx# show mac address-table address 00:3f:bd:45:5a:b1
Aging time is 300 sec
VLAN      MAC Address            Port        Type
--------  ---------------------  ----------  ----------
1         00:3f:bd:45:5a:b1      te1/0/4     static
4.27 show mac address-table count
To display the number of addresses present in the Forwarding Database, use the show mac
address-table count Privileged EXEC mode command.
Syntax
show mac address-table count [vlan vlan | interface interface-id]
Parameters
• vlan vlan—(Optional) Specifies VLAN.
• interface interface-id—(Optional) Specifies an interface ID. The interface ID can
be one of the following types: Ethernet port or port-channel.
Command Mode
Privileged EXEC mode
User Guidelines
Use the show mac address-table count command to display the Forwarding Database
capacity (total number of entries), free entries (the number of entries that can still be used) and
the consumed entries broken down by type of entry. The following entry types are displayed:
• Used Unicast - Occupied Forwarding Database entries which are layer 2 MAC unicast
addresses.
• Used Multicast - Occupied Forwarding Database entries which are layer 2 MAC
Multicast addresses.
• IPv4 hosts - Occupied Forwarding Database entries which are IPv4 Layer 3 host
entries.
• IPv6 hosts - Occupied Forwarding Database entries which are IPv6 Layer 3 host
entries.
• Secure - The number of secure unicast entries.
• Dynamic Unicast - The number of dynamic unicast entries.
• Static Unicast - The number of static (configured by user) unicast entries.
• Internal - The number of internal entries, for example the device's own MAC address.
The Secure, Dynamic Unicast, Static Unicast and Internal entry types are a further
breakdown of the Used Unicast entries.
The total number of consumed entries is the aggregate value of the following entry types:
Used Unicast; Used Multicast; IPv4 hosts; IPv6 hosts.
If the interface parameter is used, the command displays only the following entry types:
Used Unicast, Secure, Dynamic Unicast, Static Unicast and Internal.
Examples
Example 1 - The following example displays the number of entries present in forwarding
table for the entire device:
switchxxxxxx# show mac address-table count
This may take some time.
Capacity        : 16384
Free            : 16378
Used unicast    : 5
Used multicast  : 1
Used IPv4 hosts : 1
Used IPv6 hosts : 1 (each IPv6 host consumes 2 entires in MAC address table)
Secure          : 0
Dynamic unicast : 2
Static unicast  : 2
Internal        : 1
console#
Example 2 - The following example displays the number of entries present in forwarding
table for a specific device interface.
switchxxxxxx# show mac address-table count interface te1/0/1
This may take some time.
Capacity        : 16384
Free            : 16378
Used unicast    : 5
Secure          : 0
Dynamic unicast : 2
Static unicast  : 2
Internal        : 0
console#
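One way to turn these counters into a monitoring check, as an added example that is not part of the Cisco guide: it parses the count output, verifies the unicast breakdown described under User Guidelines, and reports a table that is close to full and dominated by dynamically learned entries. The function names, both thresholds and the NEARLY_FULL sample are assumptions of this example; BASELINE is the Example 1 output shown above.

```python
import re

# Example 1 output as shown on this page (device-wide count), copied verbatim.
BASELINE = """\
Capacity        : 16384
Free            : 16378
Used unicast    : 5
Used multicast  : 1
Used IPv4 hosts : 1
Used IPv6 hosts : 1 (each IPv6 host consumes 2 entires in MAC address table)
Secure          : 0
Dynamic unicast : 2
Static unicast  : 2
Internal        : 1
"""

# Constructed sample: same layout, values invented to show a nearly full table.
NEARLY_FULL = """\
Capacity        : 16384
Free            : 1200
Used unicast    : 15180
Used multicast  : 1
Used IPv4 hosts : 1
Used IPv6 hosts : 1
Secure          : 0
Dynamic unicast : 15177
Static unicast  : 2
Internal        : 1
"""

# "Name : number", ignoring anything after the number (such as the IPv6 note).
FIELD_RE = re.compile(r"^\s*([A-Za-z0-9 ]+?)\s*:\s*(\d+)")
UNICAST_PARTS = ("secure", "dynamic unicast", "static unicast", "internal")


def parse_fdb_count(text):
    """Return {lower-cased field name: int}; prompts and banner lines are skipped."""
    fields = {}
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if match:
            name = " ".join(match.group(1).lower().split())
            fields[name] = int(match.group(2))
    return fields


def check_fdb(fields, max_utilization=0.80, max_dynamic_share=0.90):
    """Return a list of findings. Both thresholds are assumptions of this example."""
    findings = []
    capacity, free = fields["capacity"], fields["free"]
    utilization = (capacity - free) / capacity
    unicast = fields.get("used unicast", 0)

    # The guide states these four types are a further breakdown of Used Unicast.
    parts = sum(fields.get(name, 0) for name in UNICAST_PARTS)
    if parts != unicast:
        findings.append(f"unicast breakdown {parts} != used unicast {unicast}")

    if utilization >= max_utilization:
        findings.append(f"table {utilization:.0%} full ({free} entries free)")
        dynamic = fields.get("dynamic unicast", 0)
        if unicast and dynamic / unicast >= max_dynamic_share:
            findings.append(
                f"{dynamic} of {unicast} unicast entries are dynamically learned")
    return findings


if __name__ == "__main__":
    for label, text in (("baseline", BASELINE), ("nearly full", NEARLY_FULL)):
        print(label, check_fdb(parse_fdb_count(text)) or "ok")
```

Ports left in regular mode learn an unlimited number of dynamic addresses, so a finding of the second kind is a prompt to review which interfaces lack a port security max limit.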
4.28 show bridge multicast mode
To display the Multicast bridging mode for all VLANs or for a specific VLAN, use the show
bridge multicast mode Privileged EXEC mode command.
Syntax
show bridge multicast mode [vlan vlan-id]
Parameters
vlan vlan-id—(Optional) Specifies the VLAN ID.
Command Mode
Privileged EXEC mode
Example
The following example displays the Multicast bridging mode for all VLANs.
switchxxxxxx# show bridge multicast mode
VLAN   IPv4 Multicast Mode             IPv6 Multicast Mode
       Admin           Oper            Admin           Oper
-----  --------------  --------------  --------------  --------------
1      MAC-GROUP       MAC-GROUP       MAC-GROUP       MAC-GROUP
11     IPv4-GROUP      IPv4-GROUP      IPv6-GROUP      IPv6-GROUP
12     IPv4-SRC-GROUP  IPv4-SRC-GROUP  IPv6-SRC-GROUP  IPv6-SRC-GROUP
4.29 show bridge multicast address-table
To display Multicast MAC addresses or IP Multicast address table information, use the show
bridge multicast address-table Privileged EXEC mode command.
Syntax
show bridge multicast address-table [vlan vlan-id]
show bridge multicast address-table [vlan vlan-id] [address mac-multicast-address]
[format {ip | mac}]
show bridge multicast address-table [vlan vlan-id] [address ipv4-multicast-address]
[source ipv4-source-address]
show bridge multicast address-table [vlan vlan-id] [address ipv6-multicast-address]
[source ipv6-source-address]
Parameters
• vlan vlan-id—(Optional) Display entries for specified VLAN ID.
• address—(Optional) Display entries for specified Multicast address. The possible
values are:
  - mac-multicast-address—(Optional) Specifies the MAC Multicast address.
  - ipv4-multicast-address—(Optional) Specifies the IPv4 Multicast address.
  - ipv6-multicast-address—(Optional) Specifies the IPv6 Multicast address.
• format—(Optional) Applies if mac-multicast-address was selected. In this case either
MAC or IP format can be displayed. Display entries for specified Multicast address
format. The possible values are:
  - ip—Specifies that the Multicast address is an IP address.
  - mac—Specifies that the Multicast address is a MAC address.
• source—(Optional) Specifies the source address. The possible values are:
  - ipv4-address—(Optional) Specifies the source IPv4 address.
  - ipv6-address—(Optional) Specifies the source IPv6 address.
Default Configuration
If the format is not specified, it defaults to mac (only if mac-multicast-address was entered).
If VLAN ID is not entered, entries for all VLANs are displayed.
If MAC or IP address is not supplied, entries for all addresses are displayed.
Command Mode
Privileged EXEC mode
User Guidelines
A MAC address can be displayed in IP format only if it is within the range 0100.5e00.0000
through 0100.5e7f.ffff.
Multicast router ports (defined statically or discovered dynamically) are members in all MAC
groups.
Ports that were defined via the bridge multicast forbidden forward-all command are displayed
in all forbidden MAC entries.
Changing the Multicast mode can move static Multicast addresses that are written in the
device FDB to a shadow configuration because of FDB hash collisions.
Example
The following example displays bridge Multicast address information.
switchxxxxxx# show bridge multicast address-table
Multicast address table for VLANs in MAC-GROUP bridging mode:
Vlan  MAC Address        Type     Ports
----  -----------------  -------  -------
8     01:00:5e:02:02:03  Static   1-2
Forbidden ports for Multicast addresses:
Vlan  MAC Address        Ports
----  -----------------  -------
8     01:00:5e:02:02:03  te1/0/4
Multicast address table for VLANs in IPv4-GROUP bridging mode:
Vlan  MAC Address        Type     Ports
----  -----------------  -------  -------
1     224.0.0.251        Dynamic  te1/0/2
Forbidden ports for Multicast addresses:
Vlan  MAC Address        Ports
----  -----------------  -------
1     232.5.6.5
1     233.22.2.6
Multicast address table for VLANs in IPv4-SRC-GROUP bridging mode:
Vlan  Group Address    Source address   Type      Ports
----  ---------------  ---------------  --------  -------
1     224.2.2.251      11.2.2.3         Dynamic   te1/0/1
Forbidden ports for Multicast addresses:
Vlan  Group Address    Source Address   Ports
----  ---------------  ---------------  -------
8     239.2.2.2        *                te1/0/4
8     239.2.2.2        1.1.1.11         te1/0/4
Multicast address table for VLANs in IPv6-GROUP bridging mode:
VLAN  IP/MAC Address     Type       Ports
----  -----------------  ---------  -----------------------
8     ff02::4:4:4        Static     te1/0/1-2, te1/0/3, Po1
Forbidden ports for Multicast addresses:
VLAN  IP/MAC Address     Ports
----  -----------------  -----------
8     ff02::4:4:4        te1/0/4
Multicast address table for VLANs in IPv6-SRC-GROUP bridging mode:
Vlan  Group Address    Source address          Type      Ports
----  ---------------  ----------------------  --------  ---------------------
8     ff02::4:4:4      *                       Static
8     ff02::4:4:4      fe80::200:7ff:fe00:200  Static    te1/0/1-2,te1/0/3,Po1
Forbidden ports for Multicast addresses:
Vlan  Group Address    Source address          Ports
----  ---------------  ----------------------  ----------
8     ff02::4:4:4      *                       te1/0/4
8     ff02::4:4:4      fe80::200:7ff:fe00:200  te1/0/4
4.30 show bridge multicast address-table static
To display the statically-configured Multicast addresses, use the show bridge multicast
address-table static Privileged EXEC mode command.
Syntax
show bridge multicast address-table static [vlan vlan-id] [all]
show bridge multicast address-table static [vlan vlan-id] [address mac-multicast-address]
[mac| ip]
show bridge multicast address-table static [vlan vlan-id] [address ipv4-multicast-address]
[source ipv4-source-address]
show bridge multicast address-table static [vlan vlan-id] [address ipv6-multicast-address]
[source ipv6-source-address]
Parameters
• vlan vlan-id—(Optional) Specifies the VLAN ID.
• address—(Optional) Specifies the Multicast address. The possible values are:
  - mac-multicast-address—(Optional) Specifies the MAC Multicast address.
  - ipv4-multicast-address—(Optional) Specifies the IPv4 Multicast address.
  - ipv6-multicast-address—(Optional) Specifies the IPv6 Multicast address.
• source—(Optional) Specifies the source address. The possible values are:
  - ipv4-address—(Optional) Specifies the source IPv4 address.
  - ipv6-address—(Optional) Specifies the source IPv6 address.
Default Configuration
When all/mac/ip is not specified, all entries (MAC and IP) will be displayed.
Command Mode
Privileged EXEC mode
User Guidelines
A MAC address can be displayed in IP format only if it is within the range 0100.5e00.0000–0100.5e7f.ffff.
Example
The following example displays the statically-configured Multicast addresses.
switchxxxxxx# show bridge multicast address-table static
MAC-GROUP table
Vlan  MAC Address     Ports
----  --------------  --------
1     0100.9923.8787  te1/0/1, te1/0/2
Forbidden ports for multicast addresses:
Vlan  MAC Address     Ports
----  --------------  --------
IPv4-GROUP Table
Vlan  IP Address  Ports
----  ----------  --------
1     231.2.2.3   te1/0/1, te1/0/2
19    231.2.2.8   te1/0/2-3
Forbidden ports for multicast addresses:
Vlan  IP Address  Ports
----  ----------  --------
1     231.2.2.3   te1/0/4
19    231.2.2.8   te1/0/3
IPv4-SRC-GROUP Table:
Vlan  Group Address    Source address   Ports
----  ---------------  ---------------  ------
Forbidden ports for multicast addresses:
Vlan  Group Address    Source address   Ports
----  ---------------  ---------------  ------
IPv6-GROUP Table
Vlan  IP Address        Ports
----  ----------------  ---------
191   FF12::8           te1/0/1-4
Forbidden ports for multicast addresses:
Vlan  IP Address        Ports
----  ----------------  ---------
11    FF12::3           te1/0/4
191   FF12::8           te1/0/4
IPv6-SRC-GROUP Table:
Vlan  Group Address    Source address            Ports
----  ---------------  ------------------------  ---------
192   FF12::8          FE80::201:C9A9:FE40:8988  te1/0/1-4
Forbidden ports for multicast addresses:
Vlan  Group Address    Source address            Ports
----  ---------------  ------------------------  ---------
192   FF12::3          FE80::201:C9A9:FE40:8988  te1/0/4
4.31 show bridge multicast filtering
To display the Multicast filtering configuration, use the show bridge multicast filtering
Privileged EXEC mode command.
Syntax
show bridge multicast filtering vlan-id
Parameters
vlan-id—Specifies the VLAN ID. (Range: Valid VLAN)
Default Configuration
None
Command Mode
Privileged EXEC mode
Example
The following example displays the Multicast configuration for VLAN 1.
switchxxxxxx# show bridge multicast filtering 1
Filtering: Enabled
VLAN: 1
Forward-All
Port     Static     Status
-------  ---------  ----------
te1/0/1  Forbidden  Filter
te1/0/2  Forward    Forward(s)
te1/0/3  -          Forward(d)
4.32 show bridge multicast unregistered
To display the unregistered Multicast filtering configuration, use the show bridge multicast
unregistered Privileged EXEC mode command.
Syntax
show bridge multicast unregistered [interface-id]
Parameters
interface-id—(Optional) Specifies an interface ID. The interface ID can be one of the
following types: Ethernet port or Port-channel.
Default Configuration
Display for all interfaces.
Command Mode
Privileged EXEC mode
Example
The following example displays the unregistered Multicast configuration.
switchxxxxxx# show bridge multicast unregistered
Port     Unregistered
-------  -------------
te1/0/1  Forward
te1/0/2  Filter
te1/0/3  Filter
4.33 show ports security
To display the port-lock status, use the show ports security Privileged EXEC mode
command.
Syntax
show ports security [interface-id | detailed]
Parameters
• interface-id—(Optional) Specifies an interface ID. The interface ID can be one of the
following types: Ethernet port or port-channel.
• detailed—(Optional) Displays information for non-present ports in addition to present
ports.
Default Configuration
Display for all interfaces. If detailed is not used, only present ports are displayed.
Command Mode
Privileged EXEC mode
Example
The following example displays the port-lock status of all ports.
switchxxxxxx# show ports security
Port     Status    Learning       Action   Maximum  Trap      Frequency
-------  --------  -------------  -------  -------  --------  ---------
te1/0/1  Enabled   Max-Addresses  Discard  3        Enabled   100
te1/0/2  Disabled  Max-Addresses  -        28       -         -
te1/0/3  Enabled   Lock           Discard  8        Disabled  -
The following table describes the fields shown above.
Field      Description
Port       The port number.
Status     The port security status. The possible values are: Enabled or Disabled.
Action     The action taken on violation.
Maximum    The maximum number of addresses that can be associated on this port in the
           Max-Addresses mode.
Trap       The status of SNMP traps. The possible values are: Enable or Disable.
Frequency  The minimum time interval between consecutive traps.
4.34 show ports security addresses
To display the current dynamic addresses in locked ports, use the show ports security
addresses Privileged EXEC mode command.
Syntax
show ports security addresses [interface-id | detailed]
Parameters
• interface-id—(Optional) Specifies an interface ID. The interface ID can be one of the
following types: Ethernet port or port-channel.
• detailed—(Optional) Displays information for non-present ports in addition to present
ports.
Default Configuration
Display for all interfaces. If detailed is not used, only present ports are displayed.
Command Mode
Privileged EXEC mode
Example
The following example displays dynamic addresses in all currently locked ports:
Port     Status    Learning  Current     Maximum
-------  --------  --------  ----------  ----------
te1/0/1  Disabled  Lock      0           10
te1/0/2  Disabled  Lock      0           1
te1/0/3  Disabled  Lock      0           1
te1/0/4  Disabled  Lock      0           1
...
4.35 bridge multicast reserved-address
To define the action on Multicast reserved-address packets, use the bridge multicast
reserved-address Global Configuration mode command. To revert to default, use the no form
of this command.
Syntax
bridge multicast reserved-address mac-multicast-address [ethernet-v2 ethtype | llc sap |
llc-snap pid] {discard | bridge}
no bridge multicast reserved-address mac-multicast-address [ethernet-v2 ethtype | llc sap |
llc-snap pid]
Parameters
• mac-multicast-address—MAC Multicast address in the reserved MAC addresses
range. (Range: 01-80-C2-00-00-00, 01-80-C2-00-00-02–01-80-C2-00-00-2F)
• ethernet-v2 ethtype—(Optional) Specifies that the packet type is Ethernet v2 and the
Ethernet type field (16 bits in hexadecimal format). (Range: 0x0600–0xFFFF)
• llc sap—(Optional) Specifies that the packet type is LLC and the DSAP-SSAP field
(16 bits in hexadecimal format). (Range: 0xFFFF)
• llc-snap pid—(Optional) Specifies that the packet type is LLC-SNAP and the PID
field (40 bits in hexadecimal format). (Range: 0x0000000000 - 0xFFFFFFFFFF)
• discard—Specifies discarding the packets.
• bridge—Specifies bridging (forwarding) the packets.
Default Configuration
• If the user-supplied MAC Multicast address, ethertype and encapsulation (LLC)
specify a protocol supported on the device (called Peer), the default action (discard or
bridge) is determined by the protocol.
• If not, the default action is as follows:
  - For MAC addresses in the range 01-80-C2-00-00-00, 01-80-C2-00-00-02–01-80-C2-00-00-0F,
    the default is discard.
  - For MAC addresses in the range 00-80-C2-00-00-10–01-80-C2-00-00-2F, the
    default is bridge.
Command Mode
Global Configuration mode
User Guidelines
If the packet/service type (ethertype/encapsulation) is not specified, the configuration is
relevant to all the packets with the configured MAC address.
Specific configurations (that contain service type) have precedence over less specific
configurations (contain only MAC address).
The packets that are bridged are subject to security ACLs.
The actions defined by this command have precedence over forwarding rules defined by
applications/protocols (STP, LLDP etc.) supported on the device.
Example
switchxxxxxx(config)# bridge multicast reserved-address 00:3f:bd:45:5a:b1
4.36 show bridge multicast reserved-addresses
To display the Multicast reserved-address rules, use the show bridge multicast
reserved-addresses Privileged EXEC mode command.
Syntax
show bridge multicast reserved-addresses
Command Mode
Privileged EXEC mode
Example
switchxxxxxx# show bridge multicast reserved-addresses
MAC Address         Frame Type   Protocol        Action
------------------  -----------  --------------  ------------
01-80-C2-00-00-00   LLC-SNAP     00-00-0C-01-29  Bridge
5 Authentication, Authorization and Accounting (AAA) Commands
5.1 aaa authentication login
Use the aaa authentication login Global Configuration mode command to set one or more
authentication methods to be applied during login. Use the no form of this command to restore
the default authentication method.
Syntax
aaa authentication login [authorization] {default | list-name} method1 [method2...]
no aaa authentication login {default | list-name}
Parameters
• authorization—Specifies that authentication and authorization are applied to the
given list. If the keyword is not configured, then only authentication is applied to the
given list.
• default—Uses the authentication methods that follow this argument as the default
method list when a user logs in (this list is unnamed).
• list-name—Specifies a name of a list of authentication methods activated when a user
logs in. (Length: 1–12 characters)
• method1 [method2...]—Specifies a list of methods that the authentication algorithm
tries (in the given sequence). Each additional authentication method is used only if the
previous method returns an error, not if it fails. To ensure that the authentication
succeeds even if all methods return an error, specify none as the final method in the
command line. Select one or more methods from the following list:
Keyword  Description
enable   Uses the enable password for authentication.
line     Uses the line password for authentication.
local    Uses the locally-defined usernames for authentication.
none     Uses no authentication.
radius   Uses the list of all RADIUS servers for authentication.
tacacs   Uses the list of all TACACS+ servers for authentication.
Default Configuration
If no methods are specified, the default is the locally-defined users and passwords. This is the
same as entering the command aaa authentication login local.
Command Mode
Global Configuration mode
User Guidelines
Create a list of authentication methods by entering this command with the list-name parameter
where list-name is any character string. The method arguments identify the list of methods
that the authentication algorithm tries, in the given sequence.
The default and list names created with this command are used with the login authentication
command.
Note. If authorization is enabled for login and the switch receives user level 15 from a
TACACS+ server, the enable command is not required; if it receives level 1, the enable
command is required.
The no aaa authentication login list-name command deletes a list-name only if it has not
been referenced by another command.
Example
The following example sets the authentication login methods for the console.
switchxxxxxx(config)# aaa authentication login authen-list radius local none
switchxxxxxx(config)# line console
switchxxxxxx(config-line)# login authentication authen-list
5.2 aaa authentication enable
The aaa authentication enable Global Configuration mode command sets one or more
authentication methods for accessing higher privilege levels. To restore the default
authentication method, use the no form of this command.
Syntax
aaa authentication enable [authorization] {default | list-name} method [method2...]
no aaa authentication enable {default | list-name}
Parameters
• authorization—Specifies that authentication and authorization are applied to the
given list. If the keyword is not configured, then only authentication is applied to the
given list.
• default—Uses the listed authentication methods that follow this argument as the
default method list, when accessing higher privilege levels.
• list-name—Specifies a name for the list of authentication methods activated when a
user accesses higher privilege levels. (Length: 1–12 characters)
• method [method2...]—Specifies a list of methods that the authentication algorithm
tries, in the given sequence. The additional authentication methods are used only if the
previous method returns an error, not if it fails. Specify none as the final method in the
command line to ensure that the authentication succeeds, even if all methods return an
error. Select one or more methods from the following list:
Keyword  Description
enable   Uses the enable password for authentication.
line     Uses the line password for authentication.
none     Uses no authentication.
radius   Uses the list of all RADIUS servers for authentication.
tacacs   Uses the list of all TACACS+ servers for authentication.
Default Configuration
No Authentication lists exist by default.
Command Mode
Global Configuration mode
User Guidelines
Create a list by entering the aaa authentication enable list-name method1 [method2...]
command where list-name is any character string used to name this list. The method argument
identifies the list of methods that the authentication algorithm tries, in the given sequence.
The default and list names created by this command are used with the enable authentication
command.
All aaa authentication enable requests sent by the device to a RADIUS server include the
username $enabx$, where x is the requested privilege level.
All aaa authentication enable requests sent by the device to a TACACS+ server include the
username that is entered for login authentication.
The additional methods of authentication are used only if the previous method returns an error,
not if it fails. Specify none as the final method in the command line to ensure that the
authentication succeeds even if all methods return an error.
no aaa authentication enable list-name deletes list-name if it has not been referenced.
Example
The following example sets the enable password for authentication for accessing higher
privilege levels.
switchxxxxxx(config)# aaa authentication enable enable-list radius none
switchxxxxxx(config)# line console
switchxxxxxx(config-line)# enable authentication enable-list
5.3 login authentication
The login authentication Line Configuration mode command specifies the login
authentication method list for a remote Telnet or console session. Use the no form of this
command to restore the default authentication method.
Syntax
login authentication {default | list-name}
no login authentication
Parameters
• default—Uses the default list created with the aaa authentication login command.
• list-name—Uses the specified list created with the aaa authentication login
command.
Default Configuration
default
Command Mode
Line Configuration Mode
Examples
Example 1 - The following example specifies the login authentication method as the default
method for a console session.
switchxxxxxx(config)# line console
switchxxxxxx(config-line)# login authentication default
Example 2 - The following example sets the authentication login methods for the console as a
list of methods.
switchxxxxxx(config)# aaa authentication login authen-list radius local none
switchxxxxxx(config)# line console
switchxxxxxx(config-line)# login authentication authen-list
5.4 enable authentication
The enable authentication Line Configuration mode command specifies the authentication
method for accessing a higher privilege level from a remote Telnet or console. Use the no form
of this command to restore the default authentication method.
Syntax
enable authentication {default | list-name}
no enable authentication
Parameters
• default—Uses the default list created with the aaa authentication enable command.
• list-name—Uses the specified list created with the aaa authentication enable
command.
Default Configuration
default.
Command Mode
Line Configuration Mode
Examples
Example 1 - The following example specifies the authentication method as the default method
when accessing a higher privilege level from a console.
switchxxxxxx(config)# line console
switchxxxxxx(config-line)# enable authentication default
Example 2 - The following example sets a list of authentication methods for accessing higher
privilege levels.
switchxxxxxx(config)# aaa authentication enable enable-list radius none
switchxxxxxx(config)# line console
switchxxxxxx(config-line)# enable authentication enable-list
5.5 ip http authentication
The ip http authentication Global Configuration mode command specifies authentication
methods for HTTP server access. Use the no form of this command to restore the default
authentication method.
Syntax
ip http authentication aaa login-authentication [login-authorization] method1 [method2...]
no ip http authentication aaa login-authentication
Parameters
• login-authorization—Specifies that authentication and authorization are applied. If
the keyword is not configured, then only authentication is applied.
• method [method2...]—Specifies a list of methods that the authentication algorithm
tries, in the given sequence. The additional authentication methods are used only if the
previous method returns an error, not if it fails. Specify none as the final method in the
command line to ensure that the authentication succeeds, even if all methods return an
error. Select one or more methods from the following list:
Keyword  Description
local    Uses the local username database for authentication.
none     Uses no authentication.
radius   Uses the list of all RADIUS servers for authentication.
tacacs   Uses the list of all TACACS+ servers for authentication.
Default Configuration
The local user database is the default authentication login method. This is the same as entering
the ip http authentication local command.
Command Mode
Global Configuration mode
User Guidelines
The command is relevant for HTTP and HTTPS server users.
Example
The following example specifies the HTTP access authentication methods.
switchxxxxxx(config)# ip http authentication aaa login-authentication radius local none
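The error-versus-failure rule and the effect of a trailing none, modelled as an added example (not Cisco code): evaluate() walks a method list the way the parameter description states, and audit() flags method lists in configuration text that contain none. The function names and the sample configuration are assumptions made for illustration; only the two command forms shown on this page are parsed.

```python
from enum import Enum


class Result(Enum):
    ACCEPT = "accept"   # the method verified the credentials
    REJECT = "reject"   # the method answered and refused them ("fails")
    ERROR = "error"     # the method could not answer, e.g. server unreachable


def evaluate(methods, outcomes):
    """Walk a method list in order; only an ERROR moves on to the next method.

    Returns (granted, deciding_method). Methods missing from `outcomes`
    are treated as ERROR.
    """
    for method in methods:
        if method == "none":
            return True, "none"          # "Uses no authentication"
        result = outcomes.get(method, Result.ERROR)
        if result is Result.ACCEPT:
            return True, method
        if result is Result.REJECT:
            return False, method         # a failure is final, no fallback
    return False, None                   # every method returned an error


def parse_method_list(line):
    """Return (scope, methods) for the two command forms shown on this page."""
    tokens = line.split()
    if tokens[:3] == ["aaa", "authentication", "enable"] and len(tokens) > 4:
        return f"enable list {tokens[3]}", tokens[4:]
    if tokens[:5] == ["ip", "http", "authentication", "aaa", "login-authentication"]:
        methods = tokens[5:]
        if methods[:1] == ["login-authorization"]:
            methods = methods[1:]
        return "http/https", methods
    return None


def audit(config_text):
    """List (scope, methods_before_none) for every method list containing none.

    An empty methods_before_none means the scope has no authentication at all;
    otherwise access is granted unauthenticated whenever all listed methods
    return an error.
    """
    findings = []
    for line in config_text.splitlines():
        parsed = parse_method_list(line)
        if parsed is None:
            continue
        scope, methods = parsed
        if "none" in methods:
            findings.append((scope, methods[:methods.index("none")]))
    return findings


# Constructed sample built from the commands used in this chapter's examples.
SAMPLE_CONFIG = """\
aaa authentication enable enable-list radius none
aaa authentication enable default radius enable
ip http authentication aaa login-authentication radius local none
"""

if __name__ == "__main__":
    chain = ["radius", "local", "none"]
    print(evaluate(chain, {"radius": Result.REJECT}))
    print(evaluate(chain, {"radius": Result.ERROR, "local": Result.ERROR}))
    for scope, before in audit(SAMPLE_CONFIG):
        print(scope, "-> open if these all return an error:", before)
```

A list that should fail closed simply omits none: with radius local, an outage of both methods denies the login instead of admitting it.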
5.6
show authentication methods
The show authentication methods Privileged EXEC mode command displays information
about the authentication methods.
Syntax
show authentication methods
Parameters
N/A
Default Configuration
N/A
Command Mode
Privileged EXEC mode
Example
The following example displays the authentication configuration:
switchxxxxxx# show authentication methods
Login Authentication Method Lists
---------------------------------
Default: Radius, Local, Line
Consl_Login(with authorization): Line, None
Enable Authentication Method Lists
----------------------------------
Default: Radius, Enable
Consl_Enable(with authorization): Enable, None
Line            Login Method List  Enable Method List
--------------  -----------------  ------------------
Console         Consl_Login        Consl_Enable
Telnet          Default            Default
SSH             Default            Default
HTTP, HHTPS: Radius, local
Dot1x: Radius
5.7
password
Use the password Line Configuration mode command to specify a password on a line (also
known as an access method, such as a console or Telnet). Use the no form of this command to
return to the default password.
Syntax
password {unencrypted-password [method hash-method] | encrypted-password encrypted}
no password
Parameters
• unencrypted-password—The authentication password for the user. (Range: 1–64)
• [method hash-method] — (optional) specifies the method used for encrypting the clear-text password. Supported values:
  - sha512 - PBKDF2 encryption with HMAC using the SHA512 as the underlying Hashing Algorithm. This is the default method if the method parameter is not specified.
• encrypted encrypted-password—Specifies that the password is encrypted and hashed using a salt. Use this keyword to enter a password that is already encrypted (for instance, a password that was copied from the configuration file of another device). The encrypted-password is specified in the format of $<type>$<salt>$<encrypted-password>, where:
  - <type> - is an integer value that indicates the type of hash algorithm used to generate the hash
  - <salt> - The base64 encoding of the 96 bits used for salt (length – 16 bytes)
  - <encrypted-password> - The base64 encoding of the encrypted hash output (length - 86 bytes)
Default Configuration
No password is defined.
Command Mode
Line Configuration Mode
User Guidelines
The unencrypted-password must comply with the password complexity requirements.
Example
The following example specifies the password ‘secreT123!’ on the console line.
switchxxxxxx(config)# line console
switchxxxxxx(config-line)# password secreT123!
5.8
enable password
Use the enable password Global Configuration mode command to set a local password to
control access to normal and privilege levels. Use the no form of this command to return to the
default password.
Syntax
enable password [level privilege-level] {[method hash-method] unencrypted-password |
encrypted encrypted-password}
no enable password [level privilege-level]
Parameters
• level privilege-level—Level for which the password applies. If not specified, the level is 15. (Range: 1–15)
• [method hash-method] — (optional) specifies the method used for encrypting the clear-text password. Supported values:
  - sha512 - PBKDF2 encryption with HMAC using the SHA512 as the underlying Hashing Algorithm. This is the default method if the method parameter is not specified.
• unencrypted-password—Password for this level. (Range: 0–159 chars)
• encrypted encrypted-password—Specifies that the password is encrypted and hashed using a salt. Use this keyword to enter a password that is already encrypted (for instance, a password that was copied from the configuration file of another device). The encrypted-password is specified in the format of $<type>$<salt>$<encrypted-password>, where:
  - <type> - is an integer value that indicates the type of hash algorithm used to generate the hash
  - <salt> - The base64 encoding of the 96 bits used for salt (length – 16 bytes)
  - <encrypted-password> - The base64 encoding of the encrypted hash output (length - 86 bytes)
Default Configuration
Default for level is 15.
Command Mode
Global Configuration mode
User Guidelines
The unencrypted-password must comply with the password complexity requirements.
When the administrator configures a new enable password, this password is encrypted automatically and saved to the configuration file. No matter how the password was entered, it appears in the configuration file with the keyword encrypted and the encrypted value. The administrator is required to use the encrypted keyword only when actually entering an encrypted password.
If the administrator wants to manually copy a password that was configured on one switch (for
instance, switch B) to another switch (for instance, switch A), the administrator must add
encrypted in front of this encrypted password when entering the enable command in switch
A. In this way, the two switches will have the same password.
Examples
Example 1 - The command sets a password that has already been encrypted. It will be copied to the configuration file just as it is entered. To log in to the device using this password, the user must know its unencrypted form.
switchxxxxxx(config)# enable password encrypted
$15$TqKC13RgV/QJb2Ma$4JmeD7wgRGH2iwGKMM+g4M53uQxpOMlhkUN56UMAEUuMqhw0bsRH27zakc7
2hLxt/YhEknPA6LX7fTgqwZn6Vw==
Example 2 - The command sets an unencrypted password for level 1 (it will be encrypted in
the configuration file).
switchxxxxxx(config)# enable password level 1 let-me-In
5.9
service password-recovery
Use the service password-recovery Global Configuration mode command to enable the
password-recovery mechanism. This mechanism allows an end user, with physical access to
the console port of the device, to enter the boot menu and trigger the password recovery
process. Use the no service password-recovery command to disable the password-recovery
mechanism. When the password-recovery mechanism is disabled, accessing the boot menu is
still allowed and the user can trigger the password recovery process. The difference is, that in
this case, all the configuration files and all the user files are removed. The following log
message is generated to the terminal: “All the configuration and user files were removed”.
Syntax
service password-recovery
no service password-recovery
Parameters
N/A
Default Configuration
The service password recovery is enabled by default.
Command Mode
Global Configuration mode
User Guidelines
• If password recovery is enabled, the user can access the boot menu and trigger the password recovery in the boot menu. All configuration files and user files are kept.
• If password recovery is disabled, the user can access the boot menu and trigger the password recovery in the boot menu. The configuration files and user files are removed.
• If a device is configured to protect its sensitive data with a user-defined passphrase for SSD (Secure Sensitive Data), then the user cannot trigger the password recovery from the boot menu even if password recovery is enabled.
Example
The following command disables password recovery:
switchxxxxxx(config)# no service password-recovery
Note that choosing to use Password recovery option in the Boot Menu during
the boot process will remove the configuration files and the user files.
Would you like to continue ? Y/N.
5.10
username
Use the username Global Configuration mode command to create or edit a username based
user authentication account. Use the no form to remove a user account.
Syntax
username name {[method hash-method] password {unencrypted-password | {encrypted
encrypted-password}} | {privilege privilege-level {[method hash-method]
unencrypted-password | {encrypted encrypted-password}}}}
no username name
Parameters
• name—The name of the user. (Range: 1–20 characters)
• [method hash-method] — (optional) specifies the method used for encrypting the clear-text password. Supported values:
  - sha512 - PBKDF2 encryption with HMAC using the SHA512 as the underlying Hashing Algorithm. This is the default method if the method parameter is not specified.
• password—Specifies the password for this username.
• unencrypted-password—The authentication password for the user. (Range: 1–64)
• encrypted encrypted-password—Specifies that the password is encrypted and hashed using a salt. Use this keyword to enter a password that is already encrypted (for instance, a password that was copied from the configuration file of another device). The encrypted-password is specified in the format of $<type>$<salt>$<encrypted-password>, where:
  - <type> - is an integer value that indicates the type of hash algorithm used to generate the hash
  - <salt> - The base64 encoding of the 96 bits used for salt (length – 16 bytes)
  - <encrypted-password> - The base64 encoding of the encrypted hash output (length - 86 bytes)
• privilege privilege-level—User account privilege level. If not specified the level is 1. (Range: 1–15).
Default Configuration
No user is defined.
Command Mode
Global Configuration mode
Usage Guidelines
The unencrypted-password must comply with the password complexity requirements.
The last level 15 user cannot be removed and cannot be a remote user.
Examples
Example 1 - Sets an unencrypted password for user tom (level 15). It will be encrypted in the
configuration file.
switchxxxxxx(config)# username tom password 1234Ab$5678
Example 2 - Sets a password for user jerry (level 15) that has already been encrypted. It will
be copied to the configuration file just as it is entered. To use it, the user must know its
unencrypted form.
switchxxxxxx(config)# username jerry privilege 15 encrypted
$15$TqKC13RgV/QJb2Ma$4JmeD7wgRGH2iwGKMM+g4M53uQxpOMlhkUN56UMAEUuMqhw0bsRH27zakc7
2hLxt/YhEknPA6LX7fTgqwZn6Vw==
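The $<type>$<salt>$<encrypted-password> layout described for the password, enable password and username commands can be checked mechanically before a copied value is pasted into another device. The following is an added example, not Cisco code: it validates the three fields and classifies credential lines in a configuration snippet. It reads the stated lengths as 16 and 86 base64 characters (which matches the sample value on this page), the function names and the sample lines are assumptions, and it does not verify any password because the page does not give the PBKDF2 parameters.

```python
import base64
import binascii
import re
from dataclasses import dataclass

SALT_B64_CHARS = 16   # 96-bit salt = 12 bytes = 16 base64 characters
HASH_B64_CHARS = 86   # base64 characters of the hash, '=' padding excluded

_FORMAT = re.compile(r"^\$(\d+)\$([A-Za-z0-9+/]+)\$([A-Za-z0-9+/]+)={0,2}$")

# The value used in this page's own examples (wrapped there over two lines).
PAGE_SAMPLE = (
    "$15$TqKC13RgV/QJb2Ma$4JmeD7wgRGH2iwGKMM+g4M53uQxpOMlhkUN56UMAEUuMqhw0bsRH27zakc7"
    "2hLxt/YhEknPA6LX7fTgqwZn6Vw=="
)


@dataclass(frozen=True)
class EncryptedPassword:
    hash_type: int
    salt: bytes
    digest: bytes


def parse_encrypted_password(value):
    """Split and validate one $<type>$<salt>$<encrypted-password> string."""
    compact = "".join(value.split())      # tolerate a value wrapped over lines
    match = _FORMAT.match(compact)
    if match is None:
        raise ValueError("not in $<type>$<salt>$<encrypted-password> form")
    hash_type, salt_b64, digest_b64 = match.groups()
    if len(salt_b64) != SALT_B64_CHARS:
        raise ValueError(f"salt has {len(salt_b64)} characters, expected {SALT_B64_CHARS}")
    if len(digest_b64) != HASH_B64_CHARS:
        raise ValueError(f"hash has {len(digest_b64)} characters, expected {HASH_B64_CHARS}")
    try:
        salt = base64.b64decode(salt_b64, validate=True)
        digest = base64.b64decode(digest_b64 + "==", validate=True)
    except binascii.Error as exc:
        raise ValueError(f"invalid base64: {exc}") from exc
    return EncryptedPassword(int(hash_type), salt, digest)


def classify_line(line):
    """Return (command, status) for a credential-bearing line, else None."""
    tokens = line.split()
    if len(tokens) >= 3 and tokens[0] == "username":
        command, rest = "username " + tokens[1], tokens[2:]
    elif tokens[:2] == ["enable", "password"] and len(tokens) > 2:
        command, rest = "enable password", tokens[2:]
    elif tokens[:1] == ["password"] and len(tokens) > 1:
        command, rest = "line password", tokens[1:]
    else:
        return None
    if "encrypted" not in rest:
        return command, "cleartext"       # password typed in unencrypted form
    value = next((t for t in rest if t.startswith("$")), "")
    try:
        parse_encrypted_password(value)
    except ValueError:
        return command, "encrypted-malformed"
    return command, "encrypted-ok"


def audit_config(text):
    """Return (line_number, command, status) for every credential line."""
    report = []
    for number, line in enumerate(text.splitlines(), start=1):
        verdict = classify_line(line)
        if verdict is not None:
            report.append((number, *verdict))
    return report


# Constructed snippet; the commands and passwords are the ones this page uses.
SAMPLE_CONFIG = "\n".join([
    "hostname lab-switch",
    "username jerry privilege 15 encrypted " + PAGE_SAMPLE,
    "username tom password 1234Ab$5678",
    "enable password level 1 let-me-In",
    "enable password encrypted $15$TqKC13Rg$4JmeD7wg",   # truncated on purpose
    "line console",
    " password secreT123!",
])

if __name__ == "__main__":
    for entry in audit_config(SAMPLE_CONFIG):
        print(entry)
```

Lines reported as cleartext are the ones worth removing from provisioning scripts and change tickets, since the device itself only ever stores the encrypted form.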
5.11
show users accounts
The show users accounts Privileged EXEC mode command displays information about the
users local database.
Syntax
show users accounts
Parameters
N/A
Default Configuration
N/A
Command Mode
Privileged EXEC mode
Example
The following example displays information about the users local database:
switchxxxxxx# show users accounts
                       Password
Username   Privilege   Expiry date
--------   ---------   -----------
Bob        15          Jan 18 2005
Robert     15          Jan 19 2005
Smith      15
The following table describes the significant fields shown in the display:
Field                 Description
Username              The user name.
Privilege             The user’s privilege level.
Password Expiry date  The user's password expiration date.
5.12
aaa accounting login start-stop
Use the aaa accounting login start-stop command in Global Configuration mode to enable
accounting of device management sessions. Use the no form of this command to disable
accounting.
Syntax
aaa accounting login start-stop group {radius | tacacs+}
no aaa accounting login start-stop
Parameters
• group radius—Uses a RADIUS server for accounting.
• group tacacs+—Uses a TACACS+ server for accounting.
Default Configuration
Disabled
Command Mode
Global Configuration mode
User Guidelines
This command enables the recording of device management sessions (Telnet, serial and WEB
but not SNMP).
It records only users that were identified with a username (e.g. a user that was logged in with a
line password is not recorded).
If accounting is activated, the device sends “start”/“stop” messages to a RADIUS server when a user logs in / logs out respectively.
The device uses the configured priorities of the available RADIUS/TACACS+ servers in order
to select the RADIUS/TACACS+ server.
The following table describes the supported RADIUS accounting attributes values, and in
which messages they are sent by the switch.
Name                       Start Message  Stop Message  Description
User-Name (1)              Yes            Yes           User’s identity.
NAS-IP-Address (4)         Yes            Yes           The switch IP address that is used for the session with the RADIUS server.
Class (25)                 Yes            Yes           Arbitrary value is included in all accounting packets for a specific session.
Called-Station-ID (30)     Yes            Yes           The switch IP address that is used for the management session.
Calling-Station-ID (31)    Yes            Yes           The user IP address.
Acct-Session-ID (44)       Yes            Yes           A unique accounting identifier.
Acct-Authentic (45)        Yes            Yes           Indicates how the supplicant was authenticated.
Acct-Session-Time (46)     No             Yes           Indicates how long the user was logged in.
Acct-Terminate-Cause (49)  No             Yes           Reports why the session was terminated.
The following table describes the supported TACACS+ accounting arguments and in which
messages they are sent by the switch.
Name          Description                                        Start Message  Stop Message
task_id       A unique accounting session identifier.            Yes            Yes
user          username that is entered for login authentication  Yes            Yes
rem-addr      IP address of the user                             Yes            Yes
elapsed-time  Indicates how long the user was logged in.         No             Yes
reason        Reports why the session was terminated.            No             Yes
Example
switchxxxxxx(config)# aaa accounting login start-stop group radius
5.13
aaa accounting dot1x
To enable accounting of 802.1x sessions, use the aaa accounting dot1x Global Configuration
mode command. Use the no form of this command to disable accounting.
Syntax
aaa accounting dot1x start-stop group radius
no aaa accounting dot1x start-stop group radius
Parameters
N/A
Default Configuration
Disabled
Command Mode
Global Configuration mode
User Guidelines
This command enables the recording of 802.1x sessions.
If accounting is activated, the device sends start/stop messages to a RADIUS server when a
user logs in / logs out to the network, respectively.
The device uses the configured priorities of the available RADIUS servers in order to select
the RADIUS server.
If a new supplicant replaces an old supplicant (even if the port state remains authorized), the
software sends a stop message for the old supplicant and a start message for the new
supplicant.
In multiple sessions mode (dot1x multiple-hosts authentication), the software sends start/stop
messages for each authenticated supplicant.
In multiple hosts mode (dot1x multiple-hosts), the software sends start/stop messages only for
the supplicant that has been authenticated.
The software does not send start/stop messages if the port is force-authorized.
The software does not send start/stop messages for hosts that are sending traffic on the guest
VLAN or on the unauthenticated VLANs.
The following table describes the supported Radius accounting Attributes Values and when
they are sent by the switch.
Name                       Start  Stop  Description
User-Name (1)              Yes    Yes   Supplicant’s identity.
NAS-IP-Address (4)         Yes    Yes   The switch IP address that is used for the session with the RADIUS server.
NAS-Port (5)               Yes    Yes   The switch port from where the supplicant has logged in.
Class (25)                 Yes    Yes   The arbitrary value that is included in all accounting packets for a specific session.
Called-Station-ID (30)     Yes    Yes   The switch MAC address.
Calling-Station-ID (31)    Yes    Yes   The supplicant MAC address.
Acct-Session-ID (44)       Yes    Yes   A unique accounting identifier.
Acct-Authentic (45)        Yes    Yes   Indicates how the supplicant was authenticated.
Acct-Session-Time (46)     No     Yes   Indicates how long the supplicant was logged in.
Acct-Terminate-Cause (49)  No     Yes   Reports why the session was terminated.
Nas-Port-Type (61)         Yes    Yes   Indicates the supplicant physical port type.
Example
switchxxxxxx(config)# aaa accounting dot1x start-stop group radius
5.14
show accounting
The show accounting EXEC mode command displays information as to which type of
accounting is enabled on the switch.
Syntax
show accounting
Parameters
N/A
Default Configuration
N/A
Command Mode
User EXEC mode
Example
The following example displays information about the accounting status.
switchxxxxxx# show accounting
Login: Radius
802.1x: Disabled
5.15
passwords complexity
Use the passwords complexity Global Configuration mode commands to control the
minimum requirements from a password when password complexity is enabled. Use the no
form of these commands to return to default.
Syntax
passwords complexity {min-length number} | {min-classes number} | {no-repeat number}
no passwords complexity min-length | min-classes | no-repeat
Parameters
• min-length number—Sets the minimal length of the password. (Range: 8–64)
• min-classes number—Sets the minimal character classes (uppercase letters, lowercase letters, numbers, and special characters available on a standard keyboard). (Range: 1–4)
• no-repeat number—Specifies the maximum number of characters in the new password that can be repeated consecutively. (Range: 1–16)
Default Configuration
The minimal length is 8.
The number of classes is 3.
The default for no-repeat is 3.
In addition to the above settings, the new password cannot be the same as the current password, cannot repeat or reverse the user name or any variant reached by changing the case of the characters, and cannot repeat or reverse the manufacturer’s name or any variant reached by changing the case of the characters.
Command Mode
Global Configuration mode
Example
The following example configures the minimal required password length to 10 characters.
switchxxxxxx(config)# passwords complexity min-length 10
5.16
passwords aging
Use the passwords aging Global Configuration mode command to enforce password aging.
Use the no form of this command to return to default.
Syntax
passwords aging days
no passwords aging
Parameters
• days—Specifies the number of days before a password change is forced. You can use 0 to disable aging. (Range: 0–365).
Default Configuration
180
Command Mode
Global Configuration mode
User Guidelines
Aging is relevant only to users of the local database with privilege level 15 and to the enable password of privilege level 15.
To disable password aging, use passwords aging 0.
Using no passwords aging sets the aging time to the default.
Example
The following example configures the aging time to be 24 days.
switchxxxxxx(config)# passwords aging 24
5.17
show passwords configuration
The show passwords configuration Privileged EXEC mode command displays information
about the password management configuration.
Syntax
show passwords configuration
Parameters
N/A
Default Configuration
N/A
Command Mode
Privileged EXEC mode
Example
switchxxxxxx# show passwords configuration
Passwords aging is enabled with aging time 180 days.
Passwords complexity is enabled with the following attributes:
Minimal length: 3 characters
Minimal classes: 3
New password must be different than the current: Enabled
Maximum consecutive same characters: 3
New password must be different than the user name: Enabled
New password must be different than the manufacturer name: Enabled
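The rules set by passwords complexity and reported by show passwords configuration can be applied to candidate passwords before they are pushed to a device. The following is an added example, not Cisco code: it loads the policy from the command output shown above and checks a password against it. The names are hypothetical, the manufacturer name is passed in by the caller because the page does not state it, and two readings are assumptions: a run longer than the no-repeat value is rejected, and the user-name and manufacturer rules are treated as a case-insensitive match against the name or its reverse.

```python
import re
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    min_length: int = 8     # documented default
    min_classes: int = 3    # documented default
    no_repeat: int = 3      # documented default
    aging_days: int = 180   # documented default


_FIELDS = {
    "min_length": r"Minimal length:\s*(\d+)",
    "min_classes": r"Minimal classes:\s*(\d+)",
    "no_repeat": r"Maximum consecutive same characters:\s*(\d+)",
    "aging_days": r"aging time\s+(\d+)\s+days",
}

# Output of show passwords configuration as printed in the example above.
SHOW_OUTPUT = """\
Passwords aging is enabled with aging time 180 days.
Passwords complexity is enabled with the following attributes:
Minimal length: 3 characters
Minimal classes: 3
New password must be different than the current: Enabled
Maximum consecutive same characters: 3
New password must be different than the user name: Enabled
New password must be different than the manufacturer name: Enabled
"""


def policy_from_show_output(text):
    """Build a policy from the command output; absent fields keep defaults."""
    policy = PasswordPolicy()
    for field, pattern in _FIELDS.items():
        match = re.search(pattern, text)
        if match:
            setattr(policy, field, int(match.group(1)))
    return policy


def count_classes(password):
    """Count the character classes used: upper, lower, digit, special."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return len(classes)


def longest_run(password):
    """Length of the longest run of one character repeated consecutively."""
    best = run = 0
    previous = None
    for ch in password:
        run = run + 1 if ch == previous else 1
        best = max(best, run)
        previous = ch
    return best


def _matches_name(password, name):
    # Assumed reading: equal to the name or its reverse, ignoring case.
    folded = password.casefold()
    return bool(name) and folded in (name.casefold(), name[::-1].casefold())


def check_password(password, policy, username, manufacturer, current=None):
    """Return the list of violated rules (empty when the password passes)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("min-length")
    if count_classes(password) < policy.min_classes:
        problems.append("min-classes")
    if longest_run(password) > policy.no_repeat:
        problems.append("no-repeat")
    if current is not None and password == current:
        problems.append("same-as-current")
    if _matches_name(password, username):
        problems.append("username")
    if _matches_name(password, manufacturer):
        problems.append("manufacturer")
    return problems


if __name__ == "__main__":
    policy = policy_from_show_output(SHOW_OUTPUT)
    print(policy)
    print(check_password("aaaa1234Ab", policy, "tom", "cisco"))
```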
6
Auto-Update and Auto-Configuration
6.1
boot host auto-config
Use the boot host auto-config Global Configuration mode command to enable auto
configuration via DHCP. Use the no form of this command to disable DHCP auto
configuration.
Syntax
boot host auto-config [tftp | scp | auto [extension]]
no boot host auto-config
Parameters
• tftp—Only the TFTP protocol is used by auto-configuration.
• scp—Only the SCP protocol is used by auto-configuration.
• auto—(Default) Auto-configuration uses the TFTP or SCP protocol depending on the configuration file's extension. If this option is selected, the extension parameter may be specified or, if not, the default extension is used.
• extension—The SCP file extension. When no value is specified, 'scp' is used. (Range: 1-16 characters)
Default Configuration
Enabled by default with the auto option.
Command Mode
Global Configuration mode
User Guidelines
The TFTP or SCP protocol is used to download/upload a configuration file.
Examples
Example 1. The following example specifies the auto mode and specifies "scon" as the SCP
extension:
switchxxxxxx(config)# boot host auto-config auto scon
Example 2. The following example specifies the auto mode and does not provide an SCP
extension.
In this case "scp" is used.
switchxxxxxx(config)# boot host auto-config auto
Example 3. The following example specifies that only the SCP protocol will be used:
switchxxxxxx(config)# boot host auto-config scp
6.2
boot host auto-update
Use the boot host auto-update Global Configuration mode command to enable the support of
auto update via DHCP. Use the no form of this command to disable DHCP auto configuration.
Syntax
boot host auto-update [tftp | scp | auto [extension]]
no boot host auto-update
Parameters
• tftp—Only the TFTP protocol is used by auto-update.
• scp—Only the SCP protocol is used by auto-update.
• auto (Default)—Auto-update uses the TFTP or SCP protocol depending on the Indirect image file's extension. If this option is selected, the extension parameter may be specified or, if not, the default extension is used.
• extension—The SCP file extension. When no value is specified, 'scp' is used. (Range: 1-16 characters)
Default Configuration
Enabled by default with the auto option.
Command Mode
Global Configuration mode
User Guidelines
The TFTP or SCP protocol is used to download/upload an image file.
Examples
Example 1—The following example specifies the auto mode and specifies "scon" as the SCP
extension:
switchxxxxxx(config)# boot host auto-update auto scon
Example 2—The following example specifies the auto mode and does not provide an SCP
extension. In this case "scp" is used.
switchxxxxxx(config)# boot host auto-update auto
Example 3—The following example specifies that only the SCP protocol will be used:
switchxxxxxx(config)# boot host auto-update scp
6.3
show boot
Use the show boot Privileged EXEC mode command to show the status of the IP DHCP Auto Config process.
Syntax
show boot
Parameters
N/A
Default Configuration
N/A
Command Mode
Privileged EXEC mode
Examples
switchxxxxxx# show boot
Auto Config
-----------
Config Download via DHCP: enabled
Download Protocol: auto
SCP protocol will be used for files with extension: scp
Configuration file auto-save: enabled
Auto Config State: Finished successfully
Server IP address: 1.2.20.2
Configuration filename: /config/configfile1.cfg
Auto Update
-----------
Image Download via DHCP: enabled
switchxxxxxx# show boot
Auto Config
-----------
Config Download via DHCP: enabled
Download Protocol: scp
Configuration file auto-save: enabled
Auto Config State: Opening <hostname>-config file
Auto Update
-----------
Image Download via DHCP: enabled
switchxxxxxx# show boot
Auto Config
-----------
Config Download via DHCP: enabled
Download Protocol: scp
Configuration file auto-save: enabled
Auto Config State: Downloading configuration file
Auto Update
-----------
Image Download via DHCP: enabled
switchxxxxxx# show boot
Auto Config
-----------
Config Download via DHCP: enabled
Download Protocol: tftp
Configuration file auto-save: enabled
Auto Config State: Searching device hostname in indirect file
Auto Update
-----------
Image Download via DHCP: enabled
switchxxxxxx# show boot
Auto Config
-----------
Config Download via DHCP: enabled
Download Protocol: tftp
Configuration file auto-save: enabled
Auto Update
-----------
Image Download via DHCP: enabled
Auto Update State: Downloaded indirect image file
Indirect Image filename: /image/indirectimage.txt
6.4
ip dhcp tftp-server ip address
Use the ip dhcp tftp-server ip address Global Configuration mode command to set the backup server’s IP address. This address serves as the default address used by a switch when it has not been received from the DHCP server. Use the no form of the command to return to default.
Syntax
ip dhcp tftp-server ip address ip-addr
no ip dhcp tftp-server ip address
Parameters
• ip-addr—IPv4 Address, or IPv6 Address or DNS name of TFTP or SCP server.
Default Configuration
No IP address
Command Mode
Global Configuration mode
User Guidelines
The backup server can be a TFTP server or a SCP server.
Examples
Example 1. The example specifies the IPv4 address of TFTP server:
switchxxxxxx(config)# ip dhcp tftp-server ip address 10.5.234.232
Example 2. The example specifies the IPv6 address of TFTP server:
switchxxxxxx(config)# ip dhcp tftp-server ip address 3000:1::12
Example 3. The example specifies the DNS name of TFTP server:
switchxxxxxx(config)# ip dhcp tftp-server ip address tftp-server.company.com
6.5
ip dhcp tftp-server file
Use the ip dhcp tftp-server file Global Configuration mode command to set the full file name
of the configuration file to be downloaded from the backup server when it has not been
received from the DHCP server. Use the no form of this command to remove the name.
Syntax
ip dhcp tftp-server file file-path
no ip dhcp tftp-server file
Parameters
• file-path—Full file path and name of the configuration file on the server.
Default Configuration
No file name
Command Mode
Global Configuration mode
User Guidelines
The backup server can be a TFTP server or an SCP server.
Examples
switchxxxxxx(config)# ip dhcp tftp-server file conf/conf-file
6.6
ip dhcp tftp-server image file
Use the ip dhcp tftp-server image file Global Configuration mode command to set the
indirect file name of the image file to be downloaded from the backup server when it has not
been received from the DHCP server. Use the no form of this command to remove the file
name.
Syntax
ip dhcp tftp-server image file file-path
no ip dhcp tftp-server image file
Parameters
• file-path—Full indirect file path and name of the configuration file on the server.
Default Configuration
No file name
Command Mode
Global Configuration mode
User Guidelines
The backup server can be a TFTP server or a SCP server.
Examples
switchxxxxxx(config)# ip dhcp tftp-server image file imag/imag-file
6.7
show ip dhcp tftp-server
Use the show ip dhcp tftp-server EXEC mode command to display information about the
backup server.
Syntax
show ip dhcp tftp-server
Parameters
N/A
Default Configuration
N/A
Command Mode
User EXEC mode
User Guidelines
The backup server can be a TFTP server or a SCP server.
Example
show ip dhcp tftp-server
server address
  active   1.1.1.1 from sname
  manual   2.2.2.2
file path on server
  active   conf/conf-file from option 67
  manual   conf/conf-file1
7
Bonjour Commands
7.1
bonjour enable
To enable Bonjour globally, use the bonjour enable command in Global Configuration mode. To disable Bonjour globally, use the no form of the command.
Syntax
bonjour enable
no bonjour enable
Default Configuration
Enable
Command Mode
Global Configuration mode
Examples
switchxxxxxx(config)# bonjour enable
7.2
bonjour interface range
To add L2 interfaces to the Bonjour L2 interface list, use the bonjour interface range command in Global Configuration mode. To remove L2 interfaces from this list, use the no form of the command.
Syntax
bonjour interface range interface-list
no bonjour interface range [interface-list]
Parameters
• interface-list—Specifies a list of interfaces. Only interfaces supporting L2 Multicast forwarding can be specified. The interfaces must be of the following types: OOB, Ethernet port, Port-channel, and VLAN.
Default Configuration
The list includes the Default VLAN and OOB.
Command Mode
Global Configuration mode
User Guidelines
The Bonjour L2 interface list specifies a set of interfaces on which Bonjour is enabled.
Use the bonjour interface range interface-list command to add the specified interfaces to the Bonjour L2 interface list.
Use the no bonjour interface range interface-list command to remove the specified interfaces from the Bonjour L2 interface list.
Use the no bonjour interface range command to clear the Bonjour L2 interface list.
Examples
switchxxxxxx(config)# bonjour interface range VLAN 100-103
7.3
show bonjour
To display Bonjour information, use the show bonjour command in Privileged EXEC mode.
Syntax
show bonjour [interface-id]
Parameters
• interface-id—Specifies an interface.
Command Mode
Privileged EXEC mode
Examples
The example displays Bonjour status.
switchxxxxxx# show bonjour
Bonjour global status: enabled
Bonjour L2 interfaces list: vlans 1
Service    Admin Status    Oper Status
-------    ------------    --------------
csco-sb    enabled         enabled
http       enabled         enabled
https      enabled         disabled
ssh        enabled         disabled
telnet     enabled         disabled
8
CA Certificate Commands
8.1
ca-certificate install
To manually install a CA certificate, use the ca-certificate install command in Global
Configuration mode. To remove a static CA certificate, use the no form of this command.
Syntax
ca-certificate install name name [owner owner]
no ca-certificate install {name name | owner owner}
Parameters
• name—Specifies the certificate name. The range is from 1 to 160 characters.
• owner—Specifies the owner of the certificate. This is a string of 0 to 32 characters. If
an owner is not specified, the default owner is "Static".
When adding a certificate, the certificate itself should follow the command on the command
line.
Default Configuration
There are no installed certificates.
Command Mode
Global Configuration mode
User Guidelines
Use the ca-certificate install name command to install a CA certificate.
Following the command, the user will be prompted to enter the certificate in the command
line.
The user will need to enter or paste the certificate. Entering a period on a separate line
indicates that the certificate input is complete.
The entered certificate must use the PEM format.
A certificate will not be valid if the system clock was not set by user or synchronized with
SNTP.
Up to 256 certificates can be installed.
When using the no form of the command to remove certificates, a specific certificate can be
removed by name. Alternatively, the owner keyword can be used to remove all static
certificates belonging to a specific owner.
Examples
Example 1. The following example installs a CA certificate from the command line:
switchxxxxxx(config)# ca-certificate install root1
Please paste the input now, add a period (.) on a separate line after the
input,and press Enter.
-----BEGIN CERTIFICATE-----
MIIBkzCB/QIBADBUMQswCQYDVQQGEwIgIDEKMAgGA1UECBMBIDEKMAgGA1UEBxMB
IDEVMBMGA1UEAxMMMTAuNS4yMzQuMjA5MQowCAYDVQQKEwEgMQowCAYDVQQLEwEg
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDK+beogIcke73sBSL7tC2DMZrY
OOg9XM1AxfOiqLlQJHd4xP+BHGZWwfkjKjUDBpZn52LxdDu1KrpB/h0+TZP0Fv38
7mIDqtnoF1NLsWxkVKRM5LPka0L/ha1pYxp7EWAt5iDBzSw5sO4lv0bSN7oaGjFA
6t4SW2rrnDy8JbwjWQIDAQABoAAwDQYJKoZIhvcNAQEEBQADgYEAuqYQiNJst6hI
XFDxe7I8Od3Uyt3Dmf7KE/AmUV0Pif2yUluy/RuxRwKhDp/lGrK12tzLQz+s5Ox7
Klft/IcjzbBYXLvih45ASWG3TRv2WVKyWs89rPPXu5hKxggEeTvWqpuS+gXrIqjW
WVZd0n1fXhMacoflgnnEmweIzmrqXBs=
-----END CERTIFICATE-----
.
switchxxxxxx(config)#
8.2
ca-certificate revoke
To add a certificate to the revocation list, use the ca-certificate revoke command in Global
Configuration mode. To remove a certificate from the revocation list, use the no form of this
command.
Syntax
ca-certificate revoke issuer issuer serial-number serial-number
no ca-certificate revoke issuer issuer serial-number serial-number
Parameters
• issuer—The issuer string as it appears in the revoked certificate - including all
parameters (Range: 1-160 characters).
• serial-number—The serial number of the revoked certificate. This is a string in
hexadecimal format (Range: 1-16 pairs of characters).
Default Configuration
There are no revoked certificates.
Command Mode
Global Configuration mode
User Guidelines
Use the ca-certificate revoke command to add a certificate to the revocation list.
When entering the issuer information, the full issuer string should be entered as it appears in
the certificate. If the string contains spaces, it must be contained in quotation marks.
Adding a certificate to this list will change the status of this certificate to "revoked" if it is
installed. If the certificate is not installed, it will receive the revoked status if it is installed at a
later date.
Up to 512 certificates can be added to the revocation list.
Examples
Example 1. The following example adds a CA certificate to the revocation list:
switchxxxxxx(config)# ca-certificate revoke issuer "C=US, O=GlobalSign nv-sa,
CN=GlobalSign Organization Validation" serial-number 10ad0044a8418ad5005e45b6
switchxxxxxx(config)#
8.3
show ca-certificate
To display the CA certificates installed on the device and their status, use the show
ca-certificate command in Privileged EXEC mode.
Syntax
show ca-certificate [name name][type type][owner owner-name][detailed]
Parameters
• name name - Specifies the certificate name. (Range: 1-160 characters).
• type type—Specifies the certificate type. The possible values are static, dynamic or
signer.
• owner owner-name—Specifies the name of the certificate owner - this is the
application that installed a dynamic certificate. (Range: 1-32 characters).
• detailed - This optional parameter shows detailed information of the displayed
certificates. If this parameter is not used, only limited information will be displayed for
each certificate.
Command Mode
Privileged EXEC mode
User Guidelines
Use the show ca-certificate command to display all installed CA certificates.
Use the optional name, type and owner parameters to display the information of a subset of
certificates.
Example
Example 1. The following example displays brief information for all static CA certificates.
switchxxxxxx# show ca-certificate type static
Name           Type    Owner     Valid From   Valid To     Status
-------------  ------  --------  -----------  -----------  ----------
local.cert     static  rnd       03-Aug-2019  03-Aug-2020  Valid
app1.cert1     static  app1      16-Jan-2021  16-Jul-2023  Premature
app1.cert2     static  app1      15-Mar-2017  14-Mar-2018  Expired
trusted-cert1  static  app2      27-Jun-2019  26-Jun-2024  Valid
certif3        static  app3      08-Feb-2018  08-Feb-2020  Revoked
Example 2. The following example displays detailed information for all CA certificates:
switchxxxxxx# show ca-certificate detailed
>C-CountryName, ST-StateOrProvinceName, L-Locality, O-Organization,
>OU-OrganizationalUnit, CN-CommonName
cert1
Type: Signer
Owner: N/A
Version: 3 (0x2)
Serial Number: 10:ad:00:44:a8:41:8a:d5:00:5e:45:b6
Issuer: C=US, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation
Status: Valid
Validity
Not Before: Nov 21 08:00:00 2015 GMT
Not After : Nov 22 07:59:59 2020 GMT
Subject: C=US, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation
Public Key Type: ECDSA_P256
Public Key Length: 2048 bits
Signature Algorithm: sha256RSA
certA
Type: Static
Owner: Static
Parent: cert1
Version: 3 (0x2)
Serial Number: 10:e6:fc:62:b7:41:8a:d5:00:5e:45:b6
Issuer: C=US, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation
Status: Not Valid (expired)
Validity
Not Before: Nov 21 08:00:00 2016 GMT
Not After : Nov 22 07:59:59 2017 GMT
Subject: C=US, ST=California, L=San Francisco, O=AKB Foundation, Inc.,
CN=*.wikipedia.org
Finger print: DC72343 DC88A988 127897BC BB789788
Public Key Type: ECDSA_P256
Public Key Length: 2048 bits
Signature Algorithm: sha256RSA
certB
Type: Dynamic
Owner: PnP
Parent: cert1
Version: 3 (0x2)
Serial Number: 88:cc:55:ae:a8:41:8a:d5:00:5e:45:b6
Issuer: C=US, O=Google Trust Services, CN=GTS CA 101
Status: Not Valid (revoked)
Validity
Not Before: Sep 21 08:00:00 2019 GMT
Not After : Sep 22 07:59:59 2020 GMT
Subject: C=US, S=California, L=Mountain View O=Google LLC, CN=*.google.com
Finger print: DC789788 DC88A988 127897BC BB789788
Public Key Type: ECDSA_P256
Public Key Length: 2048 bits
Signature Algorithm: sha256RSA
8.4
show ca-certificate revocation
To display the CA certificate revocation list, use the show ca-certificate revocation command
in Privileged EXEC mode.
Syntax
show ca-certificate revocation
Command Mode
Privileged EXEC mode
User Guidelines
Use the show ca-certificate revocation command to display the CA certificate revocation list.
Example
Example. The following displays the revocation list:
switchxxxxxx# show ca-certificate revocation
>C-CountryName, ST-StateOrProvinceName, L-Locality, O-Organization,
>OU-OrganizationalUnit, CN-CommonName
Issuer: C=US, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation
Serial Number: 10:ad:00:44:a8:41:8a:d5:00:5e:45:b6
--------------------------------------------------------------------------
Issuer: C=US, O=Google Trust Services, CN=GTS CA 101
Serial Number: 00:9e:44:1b:49:08:8d:75:bb:02:00:00:00:00:40:a5:b4
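The following Python script is an added example, not part of the Cisco guide. It parses output shaped like the show ca-certificate detailed and show ca-certificate revocation examples above, flags certificates whose status disagrees with the revocation list or that are installed but not valid, and builds the matching ca-certificate revoke line with the parameter ranges from section 8.2. The sample output, certificate names and function names are constructed, and the field layout is assumed to match the examples in this chapter.

```python
import re
from datetime import datetime, timezone

FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*(.*)$")
DATE_FMT = "%b %d %H:%M:%S %Y GMT"  # e.g. "Nov 22 07:59:59 2020 GMT"

# Constructed sample output (names, issuers and dates are made up).
SAMPLE_DETAILED = """\
switchxxxxxx# show ca-certificate detailed
rootA
Type: Signer
Serial Number: 10:ad:00:44:a8:41:8a:d5:00:5e:45:b6
Issuer: C=US, O=Example Root, CN=Example Root CA
Status: Valid
Validity
Not After : Nov 22 07:59:59 2020 GMT
Subject: C=US, O=Example Root, CN=Example Root CA
leafB
Type: Static
Parent: rootA
Serial Number: 10:e6:fc:62:b7:41:8a:d5:00:5e:45:b6
Issuer: C=US, O=Example Root, CN=Example Root CA
Status: Not Valid (expired)
Validity
Not After : Nov 22 07:59:59 2017 GMT
Subject: C=US, ST=California, L=San Francisco, O=Example Org, Inc.,
CN=*.example.org
"""
SAMPLE_REVOCATION = """\
Issuer: C=US, O=Example Root, CN=Example Root CA
Serial Number: 10:ad:00:44:a8:41:8a:d5:00:5e:45:b6
"""

def serial_to_cli(serial):
    """'10:ad:00' as displayed -> '10ad00' as `ca-certificate revoke` expects."""
    hexstr = serial.replace(":", "").strip().lower()
    if not re.fullmatch(r"(?:[0-9a-f]{2}){1,16}", hexstr):
        raise ValueError(f"serial number must be 1-16 hex pairs: {serial!r}")
    return hexstr

def revoke_command(issuer, serial):
    """Build the revoke line, enforcing the ranges from the Parameters list."""
    issuer = issuer.strip()
    if not 1 <= len(issuer) <= 160:
        raise ValueError("issuer must be 1-160 characters")
    if '"' in issuer:
        raise ValueError("issuer contains a quote; the guide gives no escaping rule")
    quoted = f'"{issuer}"' if " " in issuer else issuer  # spaces require quotes
    return f"ca-certificate revoke issuer {quoted} serial-number {serial_to_cli(serial)}"

def parse_detailed(text):
    """Parse `show ca-certificate detailed` output into one dict per certificate."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith(">") and "# show " not in ln]
    certs, cur, last_key = [], None, None
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        m = FIELD.match(line)
        if m is None and nxt.startswith("Type:"):   # certificate name line
            cur, last_key = {"Name": line}, None
            certs.append(cur)
        elif cur is None or line == "Validity":
            continue
        elif m:
            last_key = m.group(1).strip()
            cur[last_key] = m.group(2).strip()
        elif last_key:                               # wrapped value, e.g. a long Subject
            cur[last_key] += " " + line
    return certs

def parse_revocation(text):
    """Return {(issuer, serial-hex)} from `show ca-certificate revocation` output."""
    revoked, issuer = set(), None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Issuer:"):
            issuer = line.split(":", 1)[1].strip()
        elif line.startswith("Serial Number:") and issuer is not None:
            serial = line.split(":", 1)[1].replace(":", "").strip().lower()
            revoked.add((issuer, serial))
            issuer = None
    return revoked

def audit(certs, revoked, now):
    """Return (name, finding) pairs; `now` is a timezone-aware datetime."""
    findings = []
    for c in certs:
        key = (c.get("Issuer", ""), c.get("Serial Number", "").replace(":", "").lower())
        status = c.get("Status", "")
        not_after = datetime.strptime(c["Not After"], DATE_FMT).replace(tzinfo=timezone.utc)
        if key in revoked and "revoked" not in status.lower():
            findings.append((c["Name"], "on revocation list but status is " + status))
        if not_after < now and status.lower().startswith("valid"):
            findings.append((c["Name"], "past Not After but status is Valid"))
        if status.lower().startswith("not valid"):
            findings.append((c["Name"], "installed but " + status))
    return findings
```

The revocation parser only normalises serial numbers and does not range-check them, because the revocation example above lists a 17-pair serial while the revoke command accepts at most 16 pairs.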
9
CDP Commands
9.1
cdp advertise-v2
To specify version 2 of transmitted CDP packets, use the cdp advertise-v2 command in
Global Configuration mode. To specify version 1, use the no form of this command.
Syntax
cdp advertise-v2
no cdp advertise-v2
Parameters
N/A
Default Configuration
Version 2.
Command Mode
Global Configuration mode
Example
switchxxxxxx(config)# cdp run
switchxxxxxx(config)# cdp advertise-v2
9.2
cdp appliance-tlv enable
To enable sending of the Appliance TLV, use the cdp appliance-tlv enable command in
Global Configuration mode. To disable the sending of the Appliance TLV, use the no form of
this command.
Syntax
cdp appliance-tlv enable
no cdp appliance-tlv enable
Parameters
N/A
Default Configuration
Enabled
Command Mode
Global Configuration mode
User Guidelines
This MIB specifies the Voice Vlan ID (VVID) to which this port belongs:
• 0—The CDP packets transmitting through this port contain Appliance VLAN-ID TLV
with value of 0. VoIP and related packets are expected to be sent and received with
VLAN-ID=0 and an 802.1p priority.
• 1..4094—The CDP packets transmitting through this port contain Appliance
VLAN-ID TLV with N. VoIP and related packets are expected to be sent and received
with VLAN-ID=N and an 802.1p priority.
• 4095—The CDP packets transmitting through this port contain Appliance VLAN-ID
TLV with value of 4095. VoIP and related packets are expected to be sent and received
untagged without an 802.1p priority.
• 4096—The CDP packets transmitting through this port do not include Appliance
VLAN-ID TLV; or, if the VVID is not supported on the port, this MIB object will not
be configurable and will return 4096.
Example
switchxxxxxx(config)# cdp appliance-tlv enable
9.3
cdp device-id format
To specify the format of the Device-ID TLV, use the cdp device-id format command in
Global Configuration mode. To return to default, use the no form of this command.
Syntax
cdp device-id format {mac | serial-number | hostname}
no cdp device-id format
Parameters
• mac—Specifies that the Device-ID TLV contains the device’s MAC address.
• serial-number—Specifies that Device-ID TLV contains the device’s hardware serial
number.
• hostname—Specifies that Device-ID TLV contains the device’s hostname.
Default Configuration
MAC address is selected by default.
Command Mode
Global Configuration mode
Example
switchxxxxxx(config)# cdp device-id format serial-number
9.4
cdp enable
To enable CDP on an interface, use the cdp enable command in Interface (Ethernet)
Configuration mode. To disable CDP on an interface, use the no form of the CLI command.
Syntax
cdp enable
Parameters
N/A
Default Configuration
Enabled
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
For CDP to be enabled on an interface, it must first be enabled globally using cdp
advertise-v2.
Example
switchxxxxxx(config)# cdp run
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# cdp enable
9.5
cdp holdtime
To specify the value of the Time-to-Live field in sent CDP messages, use the cdp holdtime
command in Global Configuration mode. To return to default, use the no form of this
command.
Syntax
cdp holdtime seconds
no cdp holdtime
Parameters
seconds—Value of the Time-to-Live field in seconds. The value should be greater than the
value of the Transmission Timer.
Parameters range
seconds—10 - 255.
Default Configuration
180 seconds.
Command Mode
Global Configuration mode
Example
switchxxxxxx(config)# cdp holdtime 100
9.6
cdp log mismatch duplex
To validate that the duplex status of a port received in a CDP packet matches the
port's actual configuration, and to generate SYSLOG duplex mismatch messages if they do
not match, use the cdp log mismatch duplex command in Global Configuration mode and
Interface (Ethernet) Configuration mode. To disable the generation of the SYSLOG messages,
use the no form of the CLI command.
Syntax
cdp log mismatch duplex
no cdp log mismatch duplex
Parameters
N/A
Default Configuration
The switch reports duplex mismatches from all ports.
Command Mode
Global Configuration mode
Interface (Ethernet) Configuration mode
Example
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# cdp log mismatch duplex
9.7
cdp log mismatch native
To validate that the native VLAN received in a CDP packet matches the actual native
VLAN of the port, and to generate SYSLOG VLAN native mismatch messages if they do
not match, use the cdp log mismatch native command in Global Configuration mode and
Interface (Ethernet) Configuration mode. To disable the generation of the SYSLOG
messages, use the no form of the CLI command.
Syntax
cdp log mismatch native
no cdp log mismatch native
Parameters
N/A
Default Configuration
The switch reports native VLAN mismatches from all ports.
Command Mode
Global Configuration mode
Interface (Ethernet) Configuration mode
Example
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# cdp log mismatch native
9.8
cdp log mismatch voip
To validate that the VoIP status of the port received in a CDP packet matches its
actual configuration, and to generate SYSLOG voip mismatch messages if they do not
match, use the cdp log mismatch voip command in Global Configuration mode and
Interface (Ethernet) Configuration mode. To disable the generation of the SYSLOG
messages, use the no form of the CLI command.
Syntax
cdp log mismatch voip
no cdp log mismatch voip
Parameters
N/A
Default Configuration
The switch reports VoIP mismatches from all ports.
Command Mode
Global Configuration mode
Interface (Ethernet) Configuration mode
Example
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# cdp log mismatch voip
9.9
cdp mandatory-tlvs validation
To validate that all mandatory (according to the CDP protocol) TLVs are present in received
CDP frames, use the cdp mandatory-tlvs validation command in Global Configuration
mode. To disable the validation, use the no form of this command.
Syntax
cdp mandatory-tlvs validation
no cdp mandatory-tlvs validation
Parameters
N/A
Default Configuration
Enabled.
Command Mode
Global Configuration mode
User Guidelines
Use this command to delete CDP packets that do not include all the mandatory TLVs.
Example
This example turns off mandatory TLV validation:
switchxxxxxx(config)# no cdp mandatory-tlvs validation
9.10
cdp pdu
To specify CDP packets handling when CDP is globally disabled, use the cdp pdu command
in Global Configuration mode. To return to default, use the no form of this command.
Syntax
cdp pdu [filtering | bridging | flooding]
no cdp pdu
Parameters
• filtering—Specify that when CDP is globally disabled, CDP packets are filtered
(deleted).
• bridging—Specify that when CDP is globally disabled, CDP packets are bridged as
regular data packets (forwarded based on VLAN).
• flooding—Specify that when CDP is globally disabled, CDP packets are flooded to all
the ports in the product that are in STP forwarding state, ignoring the VLAN filtering
rules.
Default Configuration
bridging
Command Mode
Global Configuration mode
User Guidelines
When CDP is globally enabled, CDP packets are filtered (discarded) on CDP-disabled ports.
In the flooding mode, VLAN filtering rules are not applied, but STP rules are applied. In case
of MSTP, the CDP packets are classified to instance 0.
Example
switchxxxxxx(config)# cdp run
switchxxxxxx(config)# cdp pdu flooding
9.11
cdp run
To enable CDP globally, use the cdp run command in Global Configuration mode. To disable
CDP globally, use the no form of this command.
Syntax
cdp run
no cdp run
Parameters
N/A
Default Configuration
Enabled.
Command Mode
Global Configuration mode
User Guidelines
CDP is a link layer protocol for directly-connected CDP/LLDP-capable devices to advertise
themselves and their capabilities. In deployments where the CDP/LLDP capable devices are
not directly connected and are separated with CDP/LLDP incapable devices, the CDP/LLDP
capable devices may be able to receive the advertisement from other device(s) only if the
CDP/LLDP incapable devices flood the CDP/LLDP packets they receive. If the CDP/LLDP
incapable devices perform VLAN-aware flooding, then CDP/LLDP capable devices can hear
each other only if they are in the same VLAN. It should be noted that a CDP/LLDP capable
device may receive advertisement from more than one device if the CDP/LLDP incapable
devices flood the CDP/LLDP packets.
To learn and advertise CDP information, it must be globally enabled (it is so by default) and
also enabled on interfaces (also by default).
Example
switchxxxxxx(config)# cdp run
9.12
cdp source-interface
To specify the CDP source port used for source IP address selection, use the cdp
source-interface command in Global Configuration mode. To delete the source interface, use
the no form of this command.
Syntax
cdp source-interface interface-id
no cdp source-interface
Parameters
interface-id—Source port used for Source IP address selection.
Default Configuration
No CDP source interface is specified.
Command Mode
Global Configuration mode
User Guidelines
Use the cdp source-interface command to specify an interface whose minimal IP address will
be advertised in the TLV instead of the minimal IP address of the outgoing interface.
Example
switchxxxxxx(config)# cdp source-interface te1/0/1
9.13
cdp timer
To specify how often CDP packets are transmitted, use the cdp timer command in Global
Configuration mode. To return to default, use the no form of this command.
Syntax
cdp timer seconds
no cdp timer
Parameters
seconds—Value of the Transmission Timer in seconds. Range: 5-254 seconds.
Default Configuration
60 seconds.
Command Mode
Global Configuration mode
Example
switchxxxxxx(config)# cdp timer 100
9.14
clear cdp counters
To reset the CDP traffic counters to 0, use the clear cdp counters command in Privileged
EXEC mode.
Syntax
clear cdp counters [global | interface-id]
Parameters
• global—Clear only the global counters.
• interface-id—Specifies the interface identifier of the counters that should be cleared.
Command Mode
Privileged EXEC mode
User Guidelines
Use the command clear cdp counters without parameters to clear all the counters.
Use the clear cdp counters global command to clear only the global counters.
Use the clear cdp counters interface-id command to clear the counters of the given interface.
Example
Example 1. The example clears all the CDP counters:
switchxxxxxx# clear cdp counters
Example 2. The example clears the CDP global counters.
switchxxxxxx# clear cdp counters global
Example 3. The example clears the CDP counters of Ethernet port te1/0/1:
switchxxxxxx# clear cdp counters interface te1/0/1
9.15
clear cdp table
To delete the CDP Cache tables, use the clear cdp table command in Privileged EXEC mode.
Syntax
clear cdp table
Parameters
N/A
Command Mode
Privileged EXEC mode
Example
The example deletes all entries from the CDP Cache tables:
switchxxxxxx# clear cdp table
9.16
show cdp
To display the interval between advertisements, the number of seconds the advertisements are
valid and the version of the advertisements, use the show cdp command in Privileged EXEC
mode.
Syntax
show cdp
Parameters
N/A
Command Mode
Privileged EXEC mode
Example
switchxxxxxx# show cdp
Global CDP information:
cdp is globally enabled
cdp log duplex mismatch is globally enabled
cdp log voice VLAN mismatch is globally enabled
cdp log native VLAN mismatch is globally disabled
Mandatory TLVs are
Device-ID TLV (0x0001)
Address TLV (0x0002)
Port-ID TLV (0x0003)
Capabilities TLV (0x0004)
Version TLV (0x0005)
Platform TLV (0x0006)
Sending CDPv2 advertisements is enabled
Sending Appliance TLV is enabled
Device ID format is Serial Number
Sending CDP packets every 60 seconds
Sending a holdtime value of 180 seconds
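The mandatory TLV codes in the output above are what cdp mandatory-tlvs validation (section 9.9) looks for in received frames. The Python parser below is an added example, not Cisco's implementation: it walks a CDP PDU and applies the same presence check. The 4-byte header and type/length/value layout follow the commonly documented CDP format, rejecting malformed TLVs in both modes is an assumption of this example, and the sample frame and function names are constructed.

```python
import struct

# Mandatory TLV type codes, as listed in the `show cdp` output on this page.
MANDATORY_TLVS = {0x0001: "Device-ID", 0x0002: "Address", 0x0003: "Port-ID",
                  0x0004: "Capabilities", 0x0005: "Version", 0x0006: "Platform"}


class CdpParseError(ValueError):
    """Raised when the PDU cannot be walked safely."""


def parse_cdp(pdu):
    """Split a CDP PDU (the bytes after the LLC/SNAP header) into header and TLVs."""
    if len(pdu) < 4:
        raise CdpParseError("shorter than the 4-byte CDP header")
    version, ttl, checksum = struct.unpack_from("!BBH", pdu, 0)
    tlvs, offset = {}, 4
    while offset < len(pdu):
        if len(pdu) - offset < 4:
            raise CdpParseError(f"truncated TLV header at offset {offset}")
        tlv_type, tlv_len = struct.unpack_from("!HH", pdu, offset)
        # The length field counts the 4-byte type/length header itself, so a
        # value below 4 would stall the walk; reject it instead of looping.
        if tlv_len < 4:
            raise CdpParseError(f"TLV 0x{tlv_type:04x} has length {tlv_len} < 4")
        if offset + tlv_len > len(pdu):
            raise CdpParseError(f"TLV 0x{tlv_type:04x} overruns the PDU")
        tlvs.setdefault(tlv_type, []).append(pdu[offset + 4:offset + tlv_len])
        offset += tlv_len
    return {"version": version, "ttl": ttl, "checksum": checksum, "tlvs": tlvs}


def missing_mandatory(parsed):
    """Names of mandatory TLVs absent from a parsed PDU, in type-code order."""
    return [name for code, name in sorted(MANDATORY_TLVS.items())
            if code not in parsed["tlvs"]]


def accept_frame(pdu, validation=True):
    """Return (accepted, reason); validation=False models `no cdp mandatory-tlvs validation`."""
    try:
        parsed = parse_cdp(pdu)
    except CdpParseError as exc:
        return False, f"malformed: {exc}"
    missing = missing_mandatory(parsed)
    if validation and missing:
        return False, "missing mandatory TLVs: " + ", ".join(missing)
    return True, "accepted"


def _tlv(tlv_type, value):
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def build_sample(skip=()):
    """Constructed CDPv2 PDU with TTL 180; the checksum is left at 0 and not verified."""
    fields = [
        (0x0001, b"device.cisco.com"),
        # One address: protocol type 1, protocol length 1, 0xCC (IP), 4-byte address.
        (0x0002, struct.pack("!IBBBH4B", 1, 1, 1, 0xCC, 4, 192, 168, 68, 18)),
        (0x0003, b"Ethernet0"),
        (0x0004, struct.pack("!I", 0x01)),          # Router capability bit
        (0x0005, b"constructed version string"),
        (0x0006, b"cisco 4500"),
    ]
    body = b"".join(_tlv(code, value) for code, value in fields if code not in skip)
    return struct.pack("!BBH", 2, 180, 0) + body


if __name__ == "__main__":
    print(accept_frame(build_sample()))
    print(accept_frame(build_sample(skip={0x0006})))
    print(accept_frame(build_sample(skip={0x0006}), validation=False))
    print(accept_frame(build_sample() + struct.pack("!HH", 0x0007, 0)))
```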
9.17
show cdp entry
To display information about specific neighbors, use the show cdp entry command in
Privileged EXEC mode.
Syntax
show cdp entry {* | device-name} [protocol | version]
Parameters
• *—Specifies all neighbors
• device-name—Specifies the name of the neighbor.
• protocol—Limits the display to information about the protocols enabled on neighbors.
• version—Limits the display to information about the version of software running on
the neighbors.
Default Configuration
Version
Command Mode
Privileged EXEC mode
Example
switchxxxxxx# show cdp entry device.cisco.com
Device ID: device.cisco.com
Advertisement version: 2
Entry address(es):
IP address: 192.168.68.18
CLNS address: 490001.1111.1111.1111.00
DECnet address: 10.1
Platform: cisco 4500,
Interface: te1/0/1,
Capabilities: Router
Port ID (outgoing port): Ethernet0
Holdtime: 125 sec
Version:
Cisco Internetwork Operating System Software
IOS (tm) 4500 Software (C4500-J-M), Version 11.1(10.4), MAINTENANCE INTERIM
SOFTWARE
Copyright (c) 1986-1997 by cisco Systems, Inc.
Compiled Mon 07-Apr-97 19:51 by dschwart
switchxxxxxx# show cdp entry device.cisco.com protocol
Protocol information for device.cisco.com:
IP address: 192.168.68.18
CLNS address: 490001.1111.1111.1111.00
DECnet address: 10.1
switchxxxxxx# show cdp entry device.cisco.com version
Version information for device.cisco.com:
Cisco Internetwork Operating System Software
IOS (tm) 4500 Software (C4500-J-M), Version 11.1(10.4), MAINTENANCE INTERIM
SOFTWARE
Copyright (c) 1986-1997 by cisco Systems, Inc.
Compiled Mon 07-Apr-97 19:51 by dschwart
9.18
show cdp interface
To display information about ports on which CDP is enabled, use the show cdp interface
command in Privileged EXEC mode.
Syntax
show cdp interface interface-id
Parameters
interface-id—Port ID.
Command Mode
Privileged EXEC mode
Example
switchxxxxxx# show cdp interface te1/0/1
CDP is globally enabled
CDP log duplex mismatch
Globally is enabled
Per interface is enabled
CDP log voice VLAN mismatch
Globally is enabled
Per interface is enabled
CDP log native VLAN mismatch
Globally is disabled
Per interface is enabled
te1/0/1 is Down, CDP is enabled
Sending CDP packets every 60 seconds
Holdtime is 180 seconds
9.19
show cdp neighbors
To display information about neighbors kept in the main or secondary cache, use the show cdp
neighbors command in Privileged EXEC mode.
Syntax
show cdp neighbors [interface-id] [detail | secondary]
Parameters
• interface-id—Displays the neighbors attached to this port.
• detail—Displays detailed information about a neighbor (or neighbors) from the main
cache including network address, enabled protocols, hold time, and software version.
• secondary—Displays information about neighbors from the secondary cache.
Default Configuration
If an interface ID is not specified, the command displays information for the neighbors of all
ports.
If detail or secondary are not specified, the default is secondary.
Command Mode
Privileged EXEC mode
Example
switchxxxxxx# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - VoIP Phone
M - Remotely-Managed Device, C - CAST Phone Port,
W - Two-Port MAC Relay
Device ID          Local       Adv  Time To Capability Platform     Port ID
                   Interface   Ver. Live
------------------ ----------- ---- ------- ---------- ------------ -----------
PTK-SW-A-86.company
gi48
2
147
S I
ESW-520-8P
gi48
2
153
S I M
ESW-520-8P
g1
ESW-540-8P
g9
Company
fa2/1
l.com
Company
gi3/39
XX-10R-E
ESW-540-8P
gi48
2
146
S I M
003106131611
gi48
2
143
S I
001828100211
gi48
2
173
S I
XX-23R-E
Company
fa2/2
XX-23R-E
c47d4fed9302
gi48
2
137
S I
Company
fa2/5
XX-23R-E
switchxxxxxx# show cdp neighbors detail
------------------------
Device ID: lab-7206
Advertisement version: 2
Entry address(es):
IP address: 172.19.169.83
Platform: company x5660,
Interface: Ethernet0,
Capabilities: Router
Port ID (outgoing port): te1/0/0
Time To Live : 123 sec
Version :
Company Network Operating System Software
NOS (tm) x5660 Software (D5660-I-N), Version 18.1(10.4), MAINTENANCE INTERIM
SOFTWARE
Copyright (c) 1986-1997 by company Systems, Inc.
Compiled Mon 07-Apr-97 19:51 by xxdeeert
Duplex: half
------------------------
Device ID: lab-as5300-1
Entry address(es):
IP address: 172.19.169.87
Platform: company TD6780,
Capabilities: Router
Device ID: SEP000427D400ED
Advertisement version: 2
Entry address(es):
IP address: 1.6.1.81
Platform: Company IP Phone x8810,
Interface: te1/0/1,
Capabilities: Host
Port ID (outgoing port): Port 1
Time To Live: 150 sec
Version :
P00303020204
Duplex: full
sysName: a-switch
Power drawn: 6.300 Watts
switchxxxxxx# show cdp neighbors secondary
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater,
P - VoIP Phone,M - Remotely-Managed Device,
C - CAST Phone Port, W - Two-Port MAC Relay
Local Interface te1/0/1, MAC Address: 00:00:01:23:86:9c
TimeToLive: 157
Capabilities: R S
VLAN-ID: 10
Platform: 206VXRYC
Local Interface te1/0/1, MAC Address: 00:00:01:53:86:9c
TimeToLive: 163
Capabilities: R S
VLAN-ID: 10
Platform: ABCD-VSD
Power Available TLV: Request-ID is 1
Power management-ID is 1;
Available-Power is 15.4;
Management-Power-Level is 0xFFFFFFFF
Local Interface te1/0/2, MAC Address: 00:00:01:2b:86:9c
TimeToLive: 140
Capabilities: R S
VLAN-ID: 1210
Platform: QACSZ
4-wire Power-via-MDI (UPOE) TLV:
4-pair PoE Supported: Yes
Spare pair Detection/Classification required: Yes
PD Spare Pair Desired State: Disabled
PSE Spare Pair Operational State: Disabled
Request-ID is 1 Power management-ID is 1;
Available-Power is 15.4;
Management-Power-Level is 0xFFFFFFFF
Local Interface te1/0/2, MAC Address: 00:00:01:2c:86:9c
TimeToLive: 132
Capabilities: T
VLAN-ID: 1005
Platform: CAT-3000
Field Definitions:
• Advertisement version—The version of CDP being used for CDP advertisements.
• Capabilities—The device type of the neighbor. This device can be a router, a bridge, a
transparent bridge, a source-routing bridge, a switch, a host, an IGMP device, or a
repeater.
• COS for Untrusted Ports—The COS value with which all packets received on an
untrusted port should be marked by a simple switching device which cannot itself
classify individual packets.
• Device ID—The name of the neighbor device and either the MAC address or the serial
number of this device.
• Duplex—The duplex state of connection between the current device and the neighbor
device.
• Entry address(es)—A list of network addresses of neighbor devices.
• Extended Trust—The Extended Trust.
• External Port-ID—Identifies the physical connector port on which the CDP packet is
transmitted. It is used in devices, such as those with optical ports, in which signals
from multiple hardware interfaces are multiplexed through a single physical port. It
contains the name of the external physical port through which the multiplexed signal is
transmitted.
• Interface—The protocol and port number of the port on the current device.
• IP Network Prefix—It is used by On Demand Routing (ODR). When transmitted by a
hub router, it is a default route (an IP address). When transmitted by a stub router, it is
a list of network prefixes of stub networks to which the sending stub router can
forward IP packets.
• Management Address—When present, it contains a list of all the addresses at which
the device will accept SNMP messages, including those it will only accept when
received on interface(s) other than the one over which the CDP packet is being sent.
• MTU—The MTU of the interface via which the CDP packet is sent.
• Native VLAN—The ID number of the VLAN on the neighbor device.
Cisco Sx550X Product line - Ph. 2.5.7 Command Line Interface Reference Guide, v1.0
9
CDP Commands
•
Physical Location—A character string indicating the physical location of a connector
which is on, or physically connected to, the interface over which the CDP packet
containing this TLV is sent.
•
Platform—The product name and number of the neighbor device. In the case of the
Secondary Cache only the 8 last characters of the value are printed.
•
Power Available—Every switch interface transmits information in the Power
Available TLV, which permits a device which needs power to negotiate and select an
appropriate power setting. The Power Available TLV includes four fields.
•
Power Consumption—The maximum amount of power, in milliwatts, expected to be
obtained and consumed from the interface over which the CDP packet is sent.
•
Power Drawn—The maximum requested power.
Note: For IP Phones the value shown is the maximum requested power (6.3 Watts).
This value can be different than the actual power supplied by the routing device
(generally 5 watts; shown using the show power command).
•
Protocol-Hello—Specifies that a particular protocol has asked CDP to piggyback
its "hello" messages within transmitted CDP packets.
•
Remote Port_ID—Identifies the port the CDP packet is sent on.
•
sysName—An ASCII string containing the same value as the sending device's
sysName MIB object.
•
sysObjectID—The OBJECT-IDENTIFIER value of the sending device's sysObjectID
MIB object.
•
Time To Live—The remaining amount of time, in seconds, the current device will
hold the CDP advertisement from a transmitting router before discarding it.
•
Version—The software version running on the neighbor device.
•
Voice VLAN-ID—The Voice VLAN-ID.
•
VTP Management Domain—A string that is the name of the collective group of
VLANs associated with the neighbor device.
9.20 show cdp tlv
To display information about TLVs sent by CDP on all ports or on a specific port, use the
show cdp tlv command in Privileged EXEC mode.
Syntax
show cdp tlv [interface-id]
Parameters
interface-id—Port ID.
Default Configuration
TLVs for all ports.
Command Mode
Privileged EXEC mode
User Guidelines
You can use the show cdp tlv command to verify the TLVs configured to be sent in CDP
packets. The show cdp tlv command displays information for a single port if specified or for
all ports if not specified. Information for a port is displayed only if CDP is actually running on
the port, i.e. CDP is enabled globally and on the port, and the port is up.
Examples:
Example 1 - In this example, CDP is disabled and no information is displayed.
switchxxxxxx# show cdp tlv
cdp globally is disabled
Example 2 - In this example, CDP is globally enabled but disabled on the port and no
information is displayed.
switchxxxxxx# show cdp tlv te1/0/2
cdp globally is enabled
Capability Codes: R - Router,T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater,
P - VoIP Phone,M - Remotely-Managed Device,
C - CAST Phone Port, W - Two-Port MAC Relay
Interface TLV: te1/0/2
CDP is disabled on te1/0/2
Example 3 - In this example, CDP is globally enabled and enabled on the port, but the port is
down and no information is displayed.
switchxxxxxx# show cdp tlv interface te1/0/2
cdp globally is enabled
Capability Codes: R - Router,T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater,
P - VoIP Phone,M - Remotely-Managed Device,
C - CAST Phone Port, W - Two-Port MAC Relay
Interface TLV: te1/0/3
CDP is enabled on te1/0/3
Ethernet te1/0/3 is down
Example 4 - In this example, CDP is globally enabled and no port is specified, so
information is displayed for all ports on which CDP is enabled and that are up.
switchxxxxxx# show cdp tlv interface
cdp globally is enabled
Capability Codes: R - Router,T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater,
P - VoIP Phone,M - Remotely-Managed Device,
C - CAST Phone Port, W - Two-Port MAC Relay
Interface TLV: te1/0/1
CDP is enabled
Ethernet te1/0/1 is up,
Device ID TLV: type is MAC address; Value is 00:11:22:22:33:33:44:44
Address TLV: IPv4: 1.2.2.2 IPv6:
Port_ID TLV: te1/0/1
Capabilities: S, I
Version TLV: 1 and 2
Platform TLV: VSD Ardd
Native VLAN TLV: 1
Full/Half Duplex TLV: full-duplex
Appliance VLAN_ID TLV: Appliance-ID is 1; VLAN-ID is 100
COS for Untrusted Ports TLV: 1
sysName: a-switch
4-wire Power-via-MDI (UPOE) TLV:
4-pair PoE Supported: No
Power Available TLV: Request-ID is 1 Power management-ID is 1;
Available-Power is 15.4;
Management-Power-Level is 0xFFFFFFFF
Interface TLV: te1/0/2
CDP is disabled on te1/0/2
Interface TLV: te1/0/3
CDP is enabled on te1/0/3
Ethernet te1/0/3 is down
Example 5 - In this example, CDP is globally enabled and enabled on the PSE PoE port,
which is up and information is displayed.
switchxxxxxx# show cdp tlv interface te1/0/1
cdp globally is enabled
Capability Codes: R - Router,T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater,
P - VoIP Phone,M - Remotely-Managed Device,
C - CAST Phone Port, W - Two-Port MAC Relay
Interface TLV: te1/0/1
CDP is enabled
Ethernet te1/0/1 is up,
Device ID TLV: type is MAC address; Value is 00:11:22:22:33:33:44:44
Address TLV: IPv4: 1.2.2.2 IPv6:
Port_ID TLV: te1/0/1
Capabilities: S, I
Version TLV: 1 and 2
Platform TLV: VSD Ardd
Native VLAN TLV: 1
Full/Half Duplex TLV: full-duplex
Appliance VLAN_ID TLV: Appliance-ID is 1; VLAN-ID is 100
COS for Untrusted Ports TLV: 1
sysName: a-switch
Power Available TLV: Request-ID is 1 Power management-ID is 1;
Available-Power is 15.4;
Management-Power-Level is 0xFFFFFFFF
4-wire Power-via-MDI (UPOE) TLV:
4-pair PoE Supported: Yes
Spare pair Detection/Classification required: Yes
PD Spare Pair Desired State: Disabled
PSE Spare Pair Operational State: Disabled
Request-ID is 1 Power management-ID is 1;
Available-Power is 15.4;
Management-Power-Level is 0xFFFFFFFF
9.21 show cdp traffic
To display the CDP counters, including the number of packets sent and received and checksum
errors, use the show cdp traffic command in Privileged EXEC mode.
Syntax
show cdp traffic [global | interface-id]
Parameters
•
global—Display only the global counters
•
interface-id—Port for which counters should be displayed.
Command Mode
Privileged EXEC mode
User Guidelines
Use the command show cdp traffic without parameters to display all the counters.
Use the show cdp traffic global to display only the global counters.
Use the show cdp traffic interface-id command to display the counters of the given port.
Example
switchxxxxxx# show cdp traffic
CDP Global counters:
Total packets output: 81684, Input: 81790
Hdr syntax: 0, Chksum error: 0, Invalid packet: 0
No memory in main cache: 0, in secondary cache: 0
CDP version 1 advertisements output: 100, Input 0
CDP version 2 advertisements output: 81784, Input 0
te1/0/1
Total packets output: 81684, Input: 81790
Hdr syntax: 0, Chksum error: 0, Invalid packet: 0
No memory in main cache: 0, in secondary cache: 0
CDP version 1 advertisements output: 100, Input 0
CDP version 2 advertisements output: 81784, Input 0
te1/0/2
Total packets output: 81684, Input: 81790
Hdr syntax: 0, Chksum error: 0, Invalid packet: 0
No memory in main cache: 0, in secondary cache: 0
CDP version 1 advertisements output: 100, Input 0
CDP version 2 advertisements output: 81784, Input 0
Field Definition:
•
Total packets output—The number of CDP advertisements sent by the local device.
Note that this value is the sum of the CDP Version 1 advertisements output and CDP
Version 2 advertisements output fields.
•
Input—The number of CDP advertisements received by the local device. Note that
this value is the sum of the CDP Version 1 advertisements input and CDP Version 2
advertisements input fields.
•
Hdr syntax—The number of CDP advertisements with bad headers, received by the
local device.
•
Chksum error—The number of times the checksum (verifying) operation failed on
incoming CDP advertisements.
•
No memory—The number of times the local device did not have enough memory to
store the CDP advertisements in the advertisement cache table when the device was
attempting to assemble advertisement packets for transmission and parse them when
receiving them.
•
Invalid—The number of invalid CDP advertisements received.
•
CDP version 1 advertisements output—The number of CDP Version 1 advertisements
sent by the local device.
•
CDP version 1 advertisements Input—The number of CDP Version 1
advertisements received by the local device.
•
CDP version 2 advertisements output—The number of CDP Version 2
advertisements sent by the local device.
•
CDP version 2 advertisements Input—The number of CDP Version 2
advertisements received by the local device.
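An added example, not part of the Cisco guide: a Python parser for show cdp traffic output that reports non-zero error counters per scope and checks the relationship stated in the field definitions (each total equals the sum of its version 1 and version 2 counters). The sample output and its counter values are constructed, and the one-group-per-line layout and the counter names used in the code are assumptions of this example.

```python
import re

# Constructed sample in the layout of the guide's "show cdp traffic" example
# (all counter values are invented for this illustration).
SAMPLE = """\
CDP Global counters:
Total packets output: 300, Input: 250
Hdr syntax: 0, Chksum error: 4, Invalid packet: 1
No memory in main cache: 0, in secondary cache: 2
CDP version 1 advertisements output: 100, Input 50
CDP version 2 advertisements output: 200, Input 190
te1/0/1
Total packets output: 150, Input: 120
Hdr syntax: 0, Chksum error: 0, Invalid packet: 0
No memory in main cache: 0, in secondary cache: 0
CDP version 1 advertisements output: 50, Input 20
CDP version 2 advertisements output: 100, Input 100
te1/0/2
Total packets output: 150, Input: 130
Hdr syntax: 0, Chksum error: 4, Invalid packet: 1
No memory in main cache: 0, in secondary cache: 2
CDP version 1 advertisements output: 50, Input 30
CDP version 2 advertisements output: 100, Input 90
"""

# Counter names on the left are this example's own; patterns follow the printed labels.
COUNTERS = {
    "total_out": r"Total packets output:\s*(\d+)",
    "total_in": r"Total packets output:\s*\d+,\s*Input:?\s*(\d+)",
    "hdr_syntax": r"Hdr syntax:\s*(\d+)",
    "chksum_error": r"Chksum error:\s*(\d+)",
    "invalid": r"Invalid packet:\s*(\d+)",
    "nomem_main": r"No memory in main cache:\s*(\d+)",
    "nomem_secondary": r"in secondary cache:\s*(\d+)",
    "v1_out": r"version 1 advertisements output:\s*(\d+)",
    "v1_in": r"version 1 advertisements output:\s*\d+,\s*Input:?\s*(\d+)",
    "v2_out": r"version 2 advertisements output:\s*(\d+)",
    "v2_in": r"version 2 advertisements output:\s*\d+,\s*Input:?\s*(\d+)",
}
ERROR_COUNTERS = ("hdr_syntax", "chksum_error", "invalid", "nomem_main", "nomem_secondary")


def parse_cdp_traffic(text):
    """Return {scope: {counter: int}}, where scope is 'global' or an interface ID."""
    blocks, scope = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "CDP Global counters:":
            scope = "global"
            blocks[scope] = []
        elif re.fullmatch(r"[A-Za-z]+[\d/]+", line):  # interface header such as te1/0/1
            scope = line
            blocks[scope] = []
        elif scope is not None:
            blocks[scope].append(line)
    parsed = {}
    for scope, lines in blocks.items():
        joined = " ".join(lines)
        values = {}
        for name, pattern in COUNTERS.items():
            match = re.search(pattern, joined)
            if match:
                values[name] = int(match.group(1))
        parsed[scope] = values
    return parsed


def review(parsed):
    """Return {scope: [finding, ...]} for every scope that needs attention."""
    report = {}
    for scope, c in parsed.items():
        findings = [f"{name}={c[name]}" for name in ERROR_COUNTERS if c.get(name, 0) > 0]
        # Field definitions: each total is the sum of the version 1 and version 2 counters.
        for total, v1, v2 in (("total_out", "v1_out", "v2_out"),
                              ("total_in", "v1_in", "v2_in")):
            if all(k in c for k in (total, v1, v2)) and c[total] != c[v1] + c[v2]:
                findings.append(f"{total}={c[total]} != {v1}+{v2}={c[v1] + c[v2]}")
        if findings:
            report[scope] = findings
    return report


if __name__ == "__main__":
    for scope, findings in review(parse_cdp_traffic(SAMPLE)).items():
        print(scope, "->", "; ".join(findings))
```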
10
Clock Commands
10.1 absolute
To specify an absolute time when a time range is in effect, use the absolute command in
Time-range Configuration mode. To restore the default configuration, use the no form of this
command.
Syntax
absolute start hh:mm day month year
no absolute start
absolute end hh:mm day month year
no absolute end
Parameters
•
start—Absolute time and date that the permit or deny statement of the associated
function goes into effect. If no start time and date are specified, the function is in
effect immediately.
•
end—Absolute time and date that the permit or deny statement of the associated
function is no longer in effect. If no end time and date are specified, the function is in
effect indefinitely.
•
hh:mm—Time in hours (military format) and minutes (Range: hh: 0–23, mm: 0–59)
•
day—Day (by date) in the month. (Range: 1–31)
•
month—Month (first three letters by name). (Range: Jan...Dec)
•
year—Year (no abbreviation) (Range: 2000–2097)
Default Configuration
There is no absolute time when the time range is in effect.
Command Mode
Time-range Configuration mode
Example
switchxxxxxx(config)# time-range http-allowed
switchxxxxxx(config-time-range)# absolute start 12:00 1 jan 2005
switchxxxxxx(config-time-range)# absolute end 12:00 31 dec 2005
10.2 clock dhcp timezone
To specify that the timezone and the Summer Time (Daylight Saving Time) of the system can
be taken from the DHCP Timezone option, use the clock dhcp timezone command in Global
Configuration mode. To restore the default configuration, use the no form of this command.
Syntax
clock dhcp timezone
no clock dhcp timezone
Parameters
N/A
Default Configuration
Disabled
Command Mode
Global Configuration mode
User Guidelines
The TimeZone taken from the DHCP server has precedence over the static TimeZone.
The Summer Time taken from the DHCP server has precedence over static SummerTime.
The TimeZone and SummerTime remain effective after the IP address lease time has expired.
The TimeZone and SummerTime that are taken from the DHCP server are cleared after reboot.
The no form of the command clears the dynamic Time Zone and Summer Time received from the
DHCP server.
In case of multiple DHCP-enabled interfaces, the following precedence is applied:
- information received from DHCPv6 precedes information received from DHCPv4
- information received from DHCP client running on lower interface precedes information
received from DHCP client running on higher interface
Disabling the DHCP client from which the DHCP-TimeZone option was taken clears the
dynamic Time Zone and Summer Time configuration.
Example
switchxxxxxx(config)# clock dhcp timezone
10.3 clock set
To set the system clock manually, use the clock set command in Privileged EXEC mode.
Syntax
clock set hh:mm:ss {[day month] | [month day]} year
Parameters
•
hh:mm:ss—Specifies the current time in hours (military format), minutes, and
seconds. (Range: hh: 0-23, mm: 0-59, ss: 0-59)
•
day—Specifies the current day of the month. (Range: 1-31)
•
month—Specifies the current month using the first three letters of the month name.
(Range: Jan–Dec)
•
year—Specifies the current year. (Range: 2000–2037)
Default Configuration
The time of the image creation.
Command Mode
Privileged EXEC mode
User Guidelines
After boot the system clock is set to the time of the image creation.
Example
The following example sets the system time to 13:32:00 on March 7th, 2005.
switchxxxxxx# clock set 13:32:00 7 Mar 2005
10.4 clock source
To configure an external time source for the system clock, use the clock source command in
Global Configuration mode. To disable the external time source, use the no form of this
command.
Syntax
clock source {sntp | browser}
no clock source {sntp | browser}
Parameters
•
sntp—(Optional) Specifies that an SNTP server is the external clock source.
•
browser—(Optional) Specifies that if the system clock is not already set (either
manually or by SNTP) and a user logs in to the device using a web browser (either via
HTTP or HTTPS), the system clock will be set according to the browser’s time
information.
Default Configuration
SNTP
Command Mode
Global Configuration mode
User Guidelines
After boot the system clock is set to the time of the image creation.
If no parameter is specified, SNTP will be configured as the time source.
If the command is executed twice, each time with a different clock source, both sources will be
operational; SNTP has higher priority than time from the browser.
Example
The following example configures an SNTP server as an external time source for the system
clock.
switchxxxxxx(config)# clock source sntp
switchxxxxxx(config)# clock source browser
switchxxxxxx(config)# exit
switchxxxxxx# show clock
*10:46:48 UTC May 28 2013
Time source is sntp
Time from Browser is enabled
10.5 clock summer-time
To configure the system to automatically switch to summer time (Daylight Saving Time), use
the clock summer-time command in Global Configuration mode. To restore the default
configuration, use the no form of this command.
Syntax
clock summer-time zone recurring {usa | eu | {week day month hh:mm week day month hh:mm}} [offset]
clock summer-time zone date day month year hh:mm date month year hh:mm [offset]
clock summer-time zone date month day year hh:mm month day year hh:mm [offset]
no clock summer-time
Parameters
•
zone—The acronym of the time zone. (Range: 1- 4 characters). Only letters can be
included in the acronym.
•
recurring—Indicates that summer time starts and ends on the corresponding specified
days every year.
•
date—Indicates that summer time starts on the first date listed in the command and
ends on the second date in the command.
•
usa—The summer time rules are the United States rules.
•
eu—The summer time rules are the European Union rules.
•
week—Week of the month. Can be 1–5, first to last.
•
day—Day of the week (first three characters by name, such as Sun).
•
date—Date of the month. (Range: 1–31)
•
month—Month (first three characters by name, such as Feb).
•
year—year (no abbreviation). (Range: 2000–2097)
•
hh:mm—Time (military format) in hours and minutes. (Range: hh: 0-23, mm: 0-59)
•
offset—(Optional) Number of minutes to add during summer time (default is 60).
(Range: 1440)
Default Configuration
Summer time is disabled.
Command Mode
Global Configuration mode
User Guidelines
In both the date and recurring forms of the command, the first part of the command specifies
when summer time begins, and the second part specifies when it ends. All times are relative to
the local time zone. The start time is relative to standard time. The end time is relative to
summer time. If the starting month is chronologically after the ending month, the system
assumes that you are in the southern hemisphere.
USA rules for Daylight Saving Time:
•
From 2007:
-
Start: Second Sunday in March
-
End: First Sunday in November
-
Time: 2 AM local time
•
Before 2007:
-
Start: First Sunday in April
-
End: Last Sunday in October
-
Time: 2 AM local time
EU rules for Daylight Saving Time:
•
Start: Last Sunday in March
•
End: Last Sunday in October
•
Time: 1.00 am (01:00) Greenwich Mean Time (GMT)
Example
switchxxxxxx(config)# clock summer-time abc date apr 1 2010 09:00 aug 2 2010 09:00
10.6 clock timezone
To set the time zone for display purposes, use the clock timezone command in Global
Configuration mode. To restore the default configuration, use the no form of this command.
Syntax
clock timezone zone hours-offset [minutes-offset]
no clock timezone
Parameters
•
zone—The acronym of the time zone. (Range: 1- 4 characters). Only letters can be
included in the acronym.
•
hours-offset—Hours difference from UTC. (Range: (-12)–(+13))
•
minutes-offset—(Optional) Minutes difference from UTC. (Range: 0–59)
Default Configuration
Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT), which is the same:
•
Offsets are 0.
•
Acronym is empty.
Command Mode
Global Configuration mode
User Guidelines
The system internally keeps time in UTC, so this command is used only for display purposes
and when the time is manually set.
Example
switchxxxxxx(config)# clock timezone abc +2 minutes 32
10.7 periodic
To specify a recurring (weekly) time range for functions that support the time-range feature,
use the periodic command in Time-range Configuration mode. To restore the default
configuration, use the no form of this command.
Syntax
periodic day-of-the-week hh:mm to day-of-the-week hh:mm
no periodic day-of-the-week hh:mm to day-of-the-week hh:mm
periodic list hh:mm to hh:mm day-of-the-week1 [day-of-the-week2… day-of-the-week7]
no periodic list hh:mm to hh:mm day-of-the-week1 [day-of-the-week2… day-of-the-week7]
periodic list hh:mm to hh:mm all
no periodic list hh:mm to hh:mm all
Parameters
•
day-of-the-week—The starting day that the associated time range is in effect. The
second occurrence is the ending day the associated statement is in effect. The second
occurrence can be the following week (see description in the User Guidelines).
Possible values are: mon, tue, wed, thu, fri, sat, and sun.
•
hh:mm—The first occurrence of this argument is the starting hours:minutes (military
format) that the associated time range is in effect. The second occurrence is the ending
hours:minutes (military format) the associated statement is in effect. The second
occurrence can be at the following day (see description in the User Guidelines).
(Range: hh: 0–23, mm: 0–59)
•
list day-of-the-week1—Specifies a list of days that the time range is in effect.
Default Configuration
There is no periodic time when the time range is in effect.
Command Mode
Time-range Configuration mode
User Guidelines
The second occurrence of the day can be at the following week, e.g. Thursday–Monday means
that the time range is effective on Thursday, Friday, Saturday, Sunday, and Monday.
The second occurrence of the time can be on the following day, e.g. “22:00–2:00”.
Example
switchxxxxxx(config)# time-range http-allowed
switchxxxxxx(config-time-range)# periodic mon 12:00 to wed 12:00
10.8 sntp anycast client enable
To enable the SNTP Anycast client, use the sntp anycast client enable command in Global
Configuration mode. To restore the default configuration, use the no form of this command.
Syntax
sntp anycast client enable [both | ipv4 | ipv6]
Parameters
•
both—(Optional) Specifies the IPv4 and IPv6 SNTP Anycast clients are enabled. If
the parameter is not defined it is the default value.
•
ipv4—(Optional) Specifies the IPv4 SNTP Anycast clients are enabled.
•
ipv6—(Optional) Specifies the IPv6 SNTP Anycast clients are enabled.
Default Configuration
The SNTP anycast client is disabled.
Command Mode
Global Configuration mode
User Guidelines
Use this command to enable the SNTP Anycast client.
Example
The following example enables SNTP Anycast clients.
switchxxxxxx(config)# sntp anycast client enable
10.9 sntp authenticate
To enable authentication for received SNTP traffic from servers, use the sntp authenticate
command in Global Configuration mode. To restore the default configuration, use the no form
of this command.
Syntax
sntp authenticate
no sntp authenticate
Parameters
N/A
Default Configuration
Authentication is disabled.
Command Mode
Global Configuration mode
Examples
The following example enables authentication for received SNTP traffic and sets the key and
encryption key.
switchxxxxxx(config)# sntp authenticate
switchxxxxxx(config)# sntp authentication-key 8 md5 ClkKey
switchxxxxxx(config)# sntp trusted-key 8
10.10 sntp authentication-key
To define an authentication key for Simple Network Time Protocol (SNTP), use the sntp
authentication-key command in Global Configuration mode. To restore the default
configuration, use the no form of this command.
Syntax
sntp authentication-key key-number md5 key-value
encrypted sntp authentication-key key-number md5 encrypted-key-value
no sntp authentication-key key-number
Parameters
•
key-number—Specifies the key number. (Range: 1–4294967295)
•
key-value—Specifies the key value. (Length: 1–8 characters)
•
encrypted-key-value—Specifies the key value in encrypted format.
Default Configuration
No authentication key is defined.
Command Mode
Global Configuration mode
Examples
The following example defines the authentication key for SNTP.
switchxxxxxx(config)# sntp authentication-key 8 md5 ClkKey
switchxxxxxx(config)# sntp authentication-key 8 md5 ClkKey
switchxxxxxx(config)# sntp trusted-key 8
switchxxxxxx(config)# sntp authenticate
10.11 sntp broadcast client enable
To enable SNTP Broadcast clients, use the sntp broadcast client enable command in Global
Configuration mode. To restore the default configuration, use the no form of this command.
Syntax
sntp broadcast client enable [both | ipv4 | ipv6]
no sntp broadcast client enable
Parameters
•
both—(Optional) Specifies the IPv4 and IPv6 SNTP Broadcast clients are enabled. If
the parameter is not defined it is the default value.
•
ipv4—(Optional) Specifies the IPv4 SNTP Broadcast clients are enabled.
•
ipv6—(Optional) Specifies the IPv6 SNTP Broadcast clients are enabled.
Default Configuration
The SNTP Broadcast client is disabled.
Command Mode
Global Configuration mode
User Guidelines
Use the sntp broadcast client enable Interface Configuration mode command to enable the
SNTP Broadcast client on a specific interface.
After entering this command, you must enter the clock source command with the sntp
keyword for the command to be run. If this command is not run, the switch will not
synchronize with Broadcast servers.
Example
The following example enables SNTP Broadcast clients.
switchxxxxxx(config)# sntp broadcast client enable
10.12 sntp client enable
To enable the SNTP Broadcast and Anycast client, use the sntp client enable command in
Global Configuration mode. To restore the default configuration, use the no form of this
command.
Syntax
sntp client enable interface-id
no sntp client enable interface-id
Parameters
•
interface-id—Specifies an interface ID, which can be one of the following types:
Ethernet port, Port-channel or VLAN.
Default Configuration
The SNTP client is disabled.
Command Mode
Global Configuration mode
User Guidelines
Use the sntp client enable command to enable SNTP Broadcast and Anycast clients.
Example
The following example enables the SNTP Broadcast and Anycast clients on VLAN 100:
switchxxxxxx(config)# sntp client enable vlan 100
10.13 sntp client enable (interface)
To enable the SNTP Broadcast and Anycast client on an interface, use the sntp client enable
command in Interface Configuration mode. To restore the default configuration, use the no
form of this command.
Syntax
sntp client enable
no sntp client enable
Parameters
N/A
Default Configuration
The SNTP client is disabled on an interface.
Command Mode
Interface Configuration mode
User Guidelines
This command enables the SNTP Broadcast and Anycast client on an interface. Use the no
form of this command to disable the SNTP client.
Example
The following example enables the SNTP broadcast and anycast client on an interface.
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# sntp client enable
switchxxxxxx(config-if)# exit
10.14 sntp server
To configure the device to use the SNTP to request and accept Network Time Protocol (NTP)
traffic from a specified server (meaning to accept system time from an SNTP server), use the
sntp server command in Global Configuration mode. To remove a server from the list of
SNTP servers, use the no form of this command.
Syntax
sntp server {default | {{ip-address | hostname} [poll] [key keyid]}}
no sntp server [ip-address | hostname]
Parameters
•
default—Default defined SNTP servers.
•
ip-address—Specifies the server IP address. This can be an IPv4, IPv6 or IPv6z
address.
•
hostname—Specifies the server hostname. Only translation to IPv4 addresses is
supported. (Length: 1–158 characters. Maximum label length for each part of the
hostname: 63 characters)
•
poll—(Optional) Enables polling.
•
key keyid—(Optional) Specifies the Authentication key to use when sending packets
to this peer. (Range:1–4294967295)
Default Configuration
The following servers with polling and without authentication are defined:
•
time-a.timefreq.bldrdoc.gov
•
time-b.timefreq.bldrdoc.gov
•
time-c.timefreq.bldrdoc.gov
•
pool.ntp.org
•
time-pnp.cisco.com
Command Mode
Global Configuration mode
User Guidelines
Use the sntp server {ip-address | hostname} [poll] [key keyid] command to define a SNTP
server. The switch supports up to 8 SNTP servers.
Use the sntp server default command to return to the default configuration.
Use the no sntp server ip-address | hostname command to remove one SNTP server.
Use the no sntp server to remove all SNTP servers.
Example
The following example configures the device to accept SNTP traffic from the server on
192.1.1.1 with polling.
switchxxxxxx(config)# sntp server 192.1.1.1 poll
10.15 sntp source-interface
To specify the source interface whose IPv4 address will be used as the source IPv4 address for
communication with IPv4 SNTP servers, use the sntp source-interface command in Global
Configuration mode. To restore the default configuration, use the no form of this command.
Syntax
sntp source-interface interface-id
no sntp source-interface
Parameters
•
interface-id—Specifies the source interface.
Default Configuration
The source IPv4 address is the IPv4 address defined on the outgoing interface and belonging
to next hop IPv4 subnet.
Command Mode
Global Configuration mode
User Guidelines
If the source interface is the outgoing interface, the interface IP address belonging to next hop
IPv4 subnet is applied.
If the source interface is not the outgoing interface, the minimal IPv4 address defined on the
interface is applied.
If there is no available IPv4 source address, a SYSLOG message is issued when attempting to
communicate with an IPv4 SNTP server.
OOB cannot be defined as a source interface.
Example
The following example configures the VLAN 10 as the source interface.
switchxxxxxx(config)# sntp source-interface vlan 10
10.16 sntp source-interface-ipv6
To specify the source interface whose IPv6 address will be used as the source IPv6 address for
communication with IPv6 SNTP servers, use the sntp source-interface-ipv6 command in
Global Configuration mode. To restore the default configuration, use the no form of this
command.
Syntax
sntp source-interface-ipv6 interface-id
no sntp source-interface-ipv6
Parameters
•
interface-id—Specifies the source interface.
Default Configuration
The IPv6 source address is the IPv6 address defined on the outgoing interface and selected in
accordance with RFC 6724.
Command Mode
Global Configuration mode
User Guidelines
The outgoing interface is selected based on the SNTP server's IP address. If the source
interface is the outgoing interface, the IPv6 address defined on the interface and selected in
accordance with RFC 6724 is applied.
If the source interface is not the outgoing interface, the minimal IPv6 address defined on the
interface and with the scope of the destination IPv6 address is applied.
If there is no available IPv6 source address, a SYSLOG message is issued when attempting to
communicate with an IPv6 SNTP server.
Example
The following example configures the VLAN 10 as the source interface.
switchxxxxxx(config)# sntp source-interface-ipv6 vlan 10
10.17 sntp trusted-key
To define the trusted key, use the sntp trusted-key command in Global Configuration mode.
To restore the default configuration, use the no form of this command.
Syntax
sntp trusted-key key-number
no sntp trusted-key key-number
Parameters
•
key-number—Specifies the key number of the authentication key to be trusted. (Range:
1–4294967295).
Default Configuration
No keys are trusted.
Command Mode
Global Configuration mode
User Guidelines
The trusted key is used for authentication of all servers not having personal keys assigned by
the sntp server command.
Examples
The following example authenticates key 8.
switchxxxxxx(config)# sntp trusted-key 8
switchxxxxxx(config)# sntp authentication-key 8 md5 ClkKey
switchxxxxxx(config)# sntp trusted-key 8
switchxxxxxx(config)# sntp authenticate
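An added example, not part of the Cisco guide: a Python audit of a saved configuration for the SNTP authentication commands described in sections 10.9, 10.10, 10.14 and 10.17, run against a weak and a corrected configuration. Both configurations are constructed, "<encrypted-key-value>" is a placeholder, and the finding codes and function name are this example's own.

```python
import re

# Constructed configurations for illustration only.
WEAK_CONFIG = """\
sntp authentication-key 8 md5 ClkKey
sntp server 192.1.1.1 poll
sntp server 192.1.1.2 poll key 9
"""

HARDENED_CONFIG = """\
sntp authenticate
encrypted sntp authentication-key 8 md5 <encrypted-key-value>
sntp trusted-key 8
sntp server 192.1.1.1 poll key 8
sntp server 192.1.1.2 poll
"""

# Patterns follow the Syntax lines of the guide.
KEY_RE = re.compile(r"(?:encrypted )?sntp authentication-key (\d+) md5 \S+")
TRUSTED_RE = re.compile(r"sntp trusted-key (\d+)")
SERVER_RE = re.compile(r"sntp server (\S+)(?: poll)?(?: key (\d+))?")


def audit_sntp(config_text):
    """Return a list of findings about the SNTP authentication settings."""
    authenticate = False
    defined, trusted, servers = set(), set(), []
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        if line == "sntp authenticate":
            authenticate = True
        elif m := KEY_RE.fullmatch(line):
            defined.add(int(m.group(1)))
        elif m := TRUSTED_RE.fullmatch(line):
            trusted.add(int(m.group(1)))
        elif m := SERVER_RE.fullmatch(line):
            servers.append((m.group(1), int(m.group(2)) if m.group(2) else None))

    findings = []
    if not authenticate:
        # Default Configuration of sntp authenticate: authentication is disabled.
        findings.append("AUTH_DISABLED: 'sntp authenticate' is absent, so received "
                        "SNTP traffic is not authenticated")
    for key in sorted(trusted - defined):
        findings.append(f"TRUSTED_KEY_UNDEFINED: trusted-key {key} has no "
                        "'sntp authentication-key' definition")
    for host, key in servers:
        if key is not None and key not in defined:
            findings.append(f"SERVER_KEY_UNDEFINED: server {host} references key "
                            f"{key}, which is not defined")
        elif key is None and not (trusted & defined):
            # The trusted key covers servers without a personal key (section 10.17).
            findings.append(f"SERVER_NO_KEY: server {host} has no personal key and "
                            "no defined trusted key covers it")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for finding in audit_sntp(cfg) or ["no findings"]:
            print("  " + finding)
```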
10.18 sntp unicast client enable
To enable the device to use Simple Network Time Protocol (SNTP) Unicast clients, use the
sntp unicast client enable command in Global Configuration mode. To disable the SNTP
Unicast clients, use the no form of this command.
Syntax
sntp unicast client enable
no sntp unicast client enable
Parameters
N/A
Default Configuration
The SNTP unicast clients are enabled.
Command Mode
Global Configuration mode
User Guidelines
Use the sntp server Global Configuration mode command to define SNTP servers.
Example
The following example enables the device to use SNTP Unicast clients.
switchxxxxxx(config)# sntp unicast client enable
10.19 sntp unicast client poll
To enable polling for the SNTP Unicast clients, use the sntp unicast client poll command in
Global Configuration mode. To disable the polling, use the no form of this command.
Syntax
sntp unicast client poll
no sntp unicast client poll
Parameters
N/A
Default Configuration
Polling is enabled.
Command Mode
Global Configuration mode
User Guidelines
The polling interval is 1024 seconds.
Example
The following example enables polling for SNTP unicast clients.
switchxxxxxx(config)# sntp unicast client poll
10.20 show clock
To display the time and date from the system clock, use the show clock command in User
EXEC mode.
Syntax
show clock [detail]
Parameters
•
detail—(Optional) Displays the time zone and summer time configuration.
Command Mode
User EXEC mode
User Guidelines
The default output of the command shows the current system date and time, information on the
operational source of the system time and general clock related configurations.
The detailed output of the command shows additional information about time-zone and
daylight savings configuration.
The possible values for operational system time source are:
• User - If the system clock was last set manually by a user.
• SNTP - If the system clock was last set by SNTP. In this case, the time since the last
synchronization with the SNTP server is also displayed.
• None - If the clock hasn’t been set by any method since the last reboot.
Examples
Example 1 - The following example displays general system time and date information.
switchxxxxxx# show clock
15:29:03 PDT(UTC-7) Jun 17 2019
Operational Time Source: SNTP (last synchronized 2 days, 18 hours, 29 minutes
and 3 seconds ago)
Time from SNTP is enabled
Time from Browser is disabled
Example 2 - The following example displays the system time and date along with the time
zone and daylight saving configuration.
switchxxxxxx# show clock detail
15:22:55 SUN Apr 23 2019
Operational Time Source: User
Time from SNTP is disabled
Time from Browser is enabled
Time zone (DHCPv4 on VLAN1):
Acronym is RAIN
Offset is UTC+2
Time zone (Static):
Offset is UTC+0
Summertime (DHCPv4 on VLAN1):
Acronym is SUN
Recurring every year.
Begins at first Sunday of Apr at 02:00.
Ends at first Tuesday of Sep at 02:00.
Offset is 60 minutes.
Summertime (Static):
Acronym is GMT
Recurring every year.
Begins at first Sunday of Mar at 10:00.
Ends at first Sunday of Sep at 10:00.
Offset is 60 minutes.
DHCP timezone: Enabled
10.21 show sntp configuration
To display the SNTP configuration on the device, use the show sntp configuration command
in Privileged EXEC mode.
Syntax
show sntp configuration
Parameters
N/A
Default Configuration
N/A
Command Mode
Privileged EXEC mode
Examples
The following example displays the device’s current SNTP configuration.
switchxxxxxx# show sntp configuration
SNTP port : 123
Polling interval: 1024 seconds
MD5 Authentication Keys
----------------------------------
2    John123
3    Alice456
----------------------------------
Authentication is not required for synchronization.
No trusted keys
Unicast Clients: enabled
Unicast Clients Polling: enabled
Server: 1.1.1.121
Polling: disabled
Encryption Key: disabled
Server: 3001:1:1::1
Polling: enabled
Encryption Key: disabled
Server: dns_server1.comapany.com
Polling: enabled
Encryption Key: disabled
Server: dns_server2.comapany.com
Polling: enabled
Encryption Key: disabled
Broadcast Clients: enabled for IPv4 and IPv6
Anycast Clients: disabled
No Broadcast Interfaces
Source IPv4 interface: vlan 1
Source IPv6 interface: vlan 10
10.22 show sntp status
To display the SNTP servers status, use the show sntp status command in Privileged EXEC
mode.
Syntax
show sntp status
Parameters
N/A
Default Configuration
N/A
Command Mode
Privileged EXEC mode
Example
The following example displays the SNTP servers status:
switchxxxxxx# show sntp status
Clock is synchronized, stratum 4, reference is 176.1.1.8, unicast
Reference time is afe2525e.70597b34 (00:10:22.438 PDT Jul 5 1993)
Unicast servers:
Server: 176.1.1.8
Source: DHCPv4 on VLAN 1
Status: Up
Last response: 19:58:22.289 PDT Feb 19 2015
Last request: 19:58:21.555 PDT Feb 19 2015
Stratum Level: 1
Offset: 7.33mSec
Delay: 117.79mSec
Server: dns_server.comapany.com
Source: static
Status: Unknown
Last response: 12:17.17.987 PDT Feb 19 2015
Last request: 12:58:21.555 PDT Feb 19 2015
Stratum Level: 1
Offset: 8.98mSec
Delay: 189.19mSec
Server: 3001:1:1::1
Source: DHCPv6 on VLAN 2
Status: Unknown
Last response:
Last request:
Offset: mSec
Delay: mSec
Server: dns1.company.com
Source: DHCPv6 on VLAN 20
Status: Unknown
Last response:
Last request:
Offset: mSec
Delay: mSec
Anycast servers:
Server: 176.1.11.8
Interface: VLAN 112
Status: Up
Last response: 9:53:21.789 PDT Feb 19 2005
Last request: 9:53:21.689 PDT Feb 19 2005
Stratum Level: 10
Offset: 9.98mSec
Delay: 289.19mSec
Broadcast servers:
Server: 3001:1::12
Interface: VLAN 101
Last response: 9:53:21.789 PDT Feb 19 2005
Last request: 9:53:21.689 PDT Feb 19 2005
Stratum Level: 255
10.23 show time-range
To display the time range configuration, use the show time-range command in User EXEC
mode.
Syntax
show time-range time-range-name
Parameters
• time-range-name—Specifies the name of an existing time range.
Command Mode
User EXEC mode
Example
switchxxxxxx# show time-range
http-allowed
-------------
absolute start 12:00 1 Jan 2005 end 12:00 31 Dec 2005
periodic Monday 12:00 to Wednesday 12:00
10.24 time-range
To define time ranges and enter Time-range Configuration mode, use the time-range
command in Global Configuration mode. To restore the default configuration, use the no form
of this command.
Syntax
time-range time-range-name
no time-range time-range-name
Parameters
• time-range-name—Specifies the name for the time range. (Range: 1–32 characters).
Default Configuration
No time range is defined
Command Mode
Global Configuration mode
User Guidelines
After entering Time-range Configuration mode with this command, use the absolute and
periodic commands to actually configure the time-range. Multiple periodic commands are
allowed in a time range. Only one absolute command is allowed.
If a time-range command has both absolute and periodic values specified, then the periodic
items are evaluated only after the absolute start time is reached, and are not evaluated again
after the absolute end time is reached.
All time specifications are interpreted as local time.
To ensure that the time range entries take effect at the desired times, the software clock should
be set by the user or by SNTP. If the software clock is not set by the user or by SNTP, the time
range is not activated.
Example
switchxxxxxx(config)# time-range http-allowed
switchxxxxxx(config-time-range)# periodic mon 12:00 to wed 12:00
11
Denial of Service (DoS) Commands
11.1 security-suite deny fragmented
To discard IP fragmented packets from a specific interface, use the security-suite deny
fragmented Interface (Ethernet, Port Channel) Configuration mode command.
To permit IP fragmented packets, use the no form of this command.
Syntax
security-suite deny fragmented {[add {ip-address | any} {mask | /prefix-length}] | [remove
{ip-address | any} {mask | /prefix-length}]}
no security-suite deny fragmented
Parameters
• add ip-address | any—Specifies the destination IP address. Use any to specify all IP
addresses.
• mask—Specifies the network mask of the IP address.
• prefix-length—Specifies the number of bits that comprise the IP address prefix. The
prefix length must be preceded by a forward slash (/).
Default Configuration
Fragmented packets are allowed from all interfaces.
If mask is unspecified, the default is 255.255.255.255.
If prefix-length is unspecified, the default is 32.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
For this command to work, the security suite must be enabled both globally and for interfaces
(see security-suite enable). Use show security-suite configuration to check the current state.
Example
The following example attempts to discard IP fragmented packets from an interface.
switchxxxxxx(config)# security-suite enable global-rules-only
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# security-suite deny fragmented add any /32
To perform this command, DoS Prevention must be enabled in the per-interface mode.
11.2 security-suite deny icmp
To discard ICMP echo requests from a specific interface (to prevent attackers from knowing
that the device is on the network), use the security-suite deny icmp Interface (Ethernet, Port
Channel) Configuration mode command.
To permit echo requests, use the no form of this command.
Syntax
security-suite deny icmp {[add {ip-address | any} {mask | /prefix-length}] | [remove
{ip-address | any} {mask | /prefix-length}]}
no security-suite deny icmp
Parameters
• ip-address | any—Specifies the destination IP address. Use any to specify all IP
addresses.
• mask—Specifies the network mask of the IP address.
• prefix-length—Specifies the number of bits that comprise the IP address prefix. The
prefix length must be preceded by a forward slash (/).
Default Configuration
Echo requests are allowed from all interfaces.
If mask is not specified, it defaults to 255.255.255.255.
If prefix-length is not specified, it defaults to 32.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
For this command to work, the security suite must be enabled both globally and for interfaces
(see security-suite enable). Use show security-suite configuration to check the current state.
This command discards ICMP packets with "ICMP type= Echo request" that ingress the
specified interface.
Example
The following example attempts to discard echo requests from an interface.
switchxxxxxx(config)# security-suite enable global-rules-only
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# security-suite deny icmp add any /32
To perform this command, DoS Prevention must be enabled in the per-interface mode.
11.3 security-suite deny martian-addresses
To deny packets containing system-reserved IP addresses or user-defined IP addresses, use the
security-suite deny martian-addresses Global Configuration mode command.
To restore the default, use the no form of this command.
Syntax
security-suite deny martian-addresses {add {ip-address {mask | /prefix-length}} | remove
{ip-address {mask | /prefix-length}}} (Add/remove user-specified IP addresses)
security-suite deny martian-addresses reserved {add | remove} (Add/remove
system-reserved IP addresses, see tables below)
no security-suite deny martian-addresses (This command removes addresses reserved by
security-suite deny martian-addresses {add {ip-address {mask | /prefix-length}} | remove
{ip-address {mask | /prefix-length}}}, and removes all entries added by the user. The user can
remove a specific entry by using the remove ip-address {mask | /prefix-length} parameter.)
There is no no form of the security-suite deny martian-addresses reserved {add | remove}
command. Use instead the security-suite deny martian-addresses reserved remove
command to remove protection (and free up hardware resources).
Parameters
• reserved add/remove—Add or remove the table of reserved addresses below.
• ip-address—Adds/discards packets with the specified IP source or destination
address.
• mask—Specifies the network mask of the IP address.
• prefix-length—Specifies the number of bits that comprise the IP address prefix. The
prefix length must be preceded by a forward slash (/).
• reserved—Discards packets with the source or destination IP address in the block of
the reserved (Martian) IP addresses. See the User Guidelines for a list of reserved
addresses.
Default Configuration
Martian addresses are allowed.
Command Mode
Global Configuration mode
User Guidelines
For this command to work, the security suite must be enabled globally (see security-suite
enable). Use show security-suite configuration to check the current state.
security-suite deny martian-addresses reserved adds or removes the addresses in the
following table:
Address Block                     Present Use
--------------------------------  ----------------------------------------------------
0.0.0.0/8 (except when            Addresses in this block refer to source hosts on
0.0.0.0/32 is the source          "this" network.
address)
127.0.0.0/8                       This block is assigned for use as the Internet host
                                  loopback address.
192.0.2.0/24                      This block is assigned as "TEST-NET" for use in
                                  documentation and example code.
224.0.0.0/4 as source             This block, formerly known as the Class D address
                                  space, is allocated for use in IPv4 multicast address
                                  assignments.
240.0.0.0/4 (except when          This block, formerly known as the Class E address
255.255.255.255/32 is the         space, is reserved.
destination address)
Note that if the reserved addresses are included, individual reserved addresses cannot be
removed.
Example
The following example discards all packets with a source or destination address in the block of
the reserved IP addresses.
switchxxxxxx(config)# security-suite deny martian-addresses reserved add
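The reserved table above, written out as a dry-run check that can be run over existing flow records before the filter is enabled. This is an added example, not Cisco code: the function names and the sample flows are constructed, and it assumes the "as source" and "except when" qualifiers in the table apply to the named address field only.

```python
import ipaddress

# Reserved blocks from the table above:
# (block, address fields it is matched against, exempted address, field of the exemption)
RESERVED = [
    ("0.0.0.0/8",    ("src", "dst"), "0.0.0.0",         "src"),
    ("127.0.0.0/8",  ("src", "dst"), None,              None),
    ("192.0.2.0/24", ("src", "dst"), None,              None),
    ("224.0.0.0/4",  ("src",),       None,              None),
    ("240.0.0.0/4",  ("src", "dst"), "255.255.255.255", "dst"),
]


def martian_reason(src, dst, configured=()):
    """Return why a packet would match the martian filter, or None if it would pass."""
    fields = (("src", ipaddress.ip_address(src)), ("dst", ipaddress.ip_address(dst)))
    for block, roles, exempt, exempt_role in RESERVED:
        net = ipaddress.ip_network(block)
        for role, addr in fields:
            if role not in roles or addr not in net:
                continue
            if exempt and role == exempt_role and addr == ipaddress.ip_address(exempt):
                continue  # carve-out from the table (DHCP client source, limited broadcast)
            return f"{role} {addr} in reserved block {block}"
    # User-configured entries match on either the source or the destination address.
    for block in configured:
        net = ipaddress.ip_network(block)
        for role, addr in fields:
            if addr in net:
                return f"{role} {addr} in configured block {block}"
    return None


def dry_run(flows, configured=()):
    """Map each (src, dst) flow that would be discarded to the reason."""
    hits = {}
    for src, dst in flows:
        reason = martian_reason(src, dst, configured)
        if reason:
            hits[(src, dst)] = reason
    return hits


# Constructed flow records (source, destination) for illustration.
SAMPLE_FLOWS = [
    ("0.0.0.0", "255.255.255.255"),   # DHCP discover: both carve-outs apply
    ("10.1.1.5", "224.0.0.251"),      # multicast as destination: not in the table
    ("224.0.0.251", "10.1.1.5"),      # multicast as source: reserved
    ("127.0.0.1", "10.1.1.5"),        # loopback source
    ("10.1.1.5", "192.0.2.10"),       # TEST-NET destination
    ("172.16.4.2", "172.16.9.9"),     # ordinary traffic
]

if __name__ == "__main__":
    for flow, reason in dry_run(SAMPLE_FLOWS, configured=("10.0.0.0/8",)).items():
        print(flow, "->", reason)
```

Passing the user-defined entries as `configured` shows how much legitimate traffic an entry such as 10.0.0.0/8 would discard, since it matches on either address field.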
11.4 security-suite deny syn
To block the creation of TCP connections from a specific interface, use the security-suite
deny syn Interface (Ethernet, Port Channel) Configuration mode command. This is a complete
block of these connections.
To permit creation of TCP connections, use the no form of this command.
Syntax
security-suite deny syn {[add {tcp-port | any} {ip-address | any} {mask | /prefix-length}] |
[remove {tcp-port | any} {ip-address | any} {mask | /prefix-length}]}
no security-suite deny syn
Parameters
• ip-address | any—Specifies the destination IP address. Use any to specify all IP
addresses.
• mask—Specifies the network mask of the destination IP address.
• prefix-length—Specifies the number of bits that comprise the destination IP address
prefix. The prefix length must be preceded by a forward slash (/).
• tcp-port | any—Specifies the destination TCP port. The possible values are: http,
ftp-control, ftp-data, ssh, telnet, smtp, or port number. Use any to specify all ports.
Default Configuration
Creation of TCP connections is allowed from all interfaces.
If the mask is not specified, it defaults to 255.255.255.255.
If the prefix-length is not specified, it defaults to 32.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
For this command to work, the security suite must be enabled both globally and for interfaces
(see security-suite enable). Use show security-suite configuration to check the current state.
The blocking of TCP connection creation from an interface is done by discarding ingress TCP
packets with "SYN=1", "ACK=0" and "FIN=0" for the specified destination IP addresses and
destination TCP ports.
Example
The following example attempts to block the creation of TCP connections from an interface. It
fails because security suite is enabled globally and not per interface.
switchxxxxxx(config)# security-suite enable global-rules-only
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# security-suite deny syn add any /32 any
To perform this command, DoS Prevention must be enabled in the per-interface mode.
11.5 security-suite deny syn-fin
To drop all ingressing TCP packets in which both SYN and FIN are set, use the security-suite
deny syn-fin Global Configuration mode command.
To permit TCP packets in which both SYN and FIN are set, use the no form of this command.
Syntax
security-suite deny syn-fin
no security-suite deny syn-fin
Parameters
This command has no arguments or keywords.
Default Configuration
The feature is enabled by default.
Command Mode
Global Configuration mode
Example
The following example blocks TCP packets in which both SYN and FIN flags are set.
switchxxxxxx(config)# security-suite deny syn-fin
11.6 security-suite dos protect
To protect the system from specific well-known Denial of Service (DoS) attacks, use the
security-suite dos protect Global Configuration mode command. There are three types of
attacks against which protection can be supplied (see parameters below).
To disable DoS protection, use the no form of this command.
Syntax
security-suite dos protect {add attack | remove attack}
no security-suite dos protect
Parameters
add/remove attack—Specifies the attack type to add/remove. To add an attack is to provide
protection against it; to remove the attack is to remove protection.
The possible attack types are:
• stacheldraht—Discards TCP packets with source TCP port 16660.
• invasor-trojan—Discards TCP packets with destination TCP port 2140 and source
TCP port 1024.
• back-orifice-trojan—Discards UDP packets with destination UDP port 31337 and
source UDP port 1024.
Default Configuration
No protection is configured.
Command Mode
Global Configuration mode
User Guidelines
For this command to work, the security suite must be enabled globally (see security-suite
enable). Use show security-suite configuration to check the current state.
Example
The following example protects the system from the Invasor Trojan DOS attack.
switchxxxxxx(config)# security-suite dos protect add invasor-trojan
11.7 security-suite dos syn-attack
To rate limit Denial of Service (DoS) SYN attacks, use the security-suite dos syn-attack
Interface Configuration mode command. This provides partial blocking of SYN packets (up to
the rate that the user specifies).
To disable rate limiting, use the no form of this command.
Syntax
security-suite dos syn-attack syn-rate {any | ip-address} {mask | prefix-length}
no security-suite dos syn-attack {any | ip-address} {mask | prefix-length}
Parameters
• syn-rate—Specifies the maximum number of connections per second. (Range: 199–1000)
• any | ip-address—Specifies the destination IP address. Use any to specify all IP
addresses.
• mask—Specifies the network mask of the destination IP address.
• prefix-length—Specifies the number of bits that comprise the destination IP address
prefix. The prefix length must be preceded by a forward slash (/).
Default Configuration
No rate limit is configured.
If ip-address is unspecified, the default is 255.255.255.255
If prefix-length is unspecified, the default is 32.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
For this command to work, the security suite must be enabled both globally and for interfaces
(see security-suite enable). Use show security-suite configuration to check the current state.
This command rate limits ingress TCP packets with "SYN=1", "ACK=0" and "FIN=0" for the
specified destination IP addresses.
SYN attack rate limiting is implemented after the security suite rules are applied to the
packets. The ACL and QoS rules are not applied to those packets.
Since the hardware rate limiting counts bytes, it is assumed that the size of “SYN” packets is
short.
Example
The following example attempts to rate limit DoS SYN attacks on a port. It fails because
security suite is enabled globally and not per interface.
switchxxxxxx(config)# security-suite enable global-rules-only
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# security-suite dos syn-attack 199 any /10
To perform this command, DoS Prevention must be enabled in the per-interface mode.
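The packet-level match conditions described in sections 11.1 to 11.7 (fragments, ICMP echo request, SYN=1/ACK=0/FIN=0, SYN+FIN, and the three dos protect port signatures), applied to raw IPv4 bytes. This is an added example for checking captures against the rules, not Cisco code: the function names and test packets are constructed, and it ignores the per-rule destination address and port filters, which on the device narrow the match further (dos syn-attack rate limits rather than discards).

```python
import struct

FIN, SYN, ACK = 0x01, 0x02, 0x10          # TCP flag bits
ICMP, TCP, UDP = 1, 6, 17                 # IPv4 protocol numbers


def matched_conditions(packet: bytes) -> list:
    """Return the security-suite commands whose packet-level condition this packet meets."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    frag = struct.unpack("!H", packet[6:8])[0]
    more_fragments, offset = bool(frag & 0x2000), frag & 0x1FFF
    hits = []
    if more_fragments or offset:
        hits.append("deny fragmented")
    if offset:
        return hits            # later fragments carry no transport header to inspect
    proto, l4 = packet[9], packet[ihl:]
    if proto == ICMP and l4[:1] == b"\x08":          # ICMP type 8 = echo request
        hits.append("deny icmp")
    elif proto == TCP and len(l4) >= 14:
        sport, dport = struct.unpack("!HH", l4[:4])
        flags = l4[13]
        if flags & SYN and flags & FIN:
            hits.append("deny syn-fin")
        if flags & SYN and not flags & (ACK | FIN):  # SYN=1, ACK=0, FIN=0
            hits.append("deny syn / dos syn-attack")
        if sport == 16660:
            hits.append("dos protect stacheldraht")
        if dport == 2140 and sport == 1024:
            hits.append("dos protect invasor-trojan")
    elif proto == UDP and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
        if dport == 31337 and sport == 1024:
            hits.append("dos protect back-orifice-trojan")
    return hits


# --- constructed packet builders for the demonstration (checksums left at zero) ---
def ipv4(proto, payload, frag=0):
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, frag, 64,
                         proto, 0, bytes([198, 51, 100, 7]), bytes([203, 0, 113, 9]))
    return header + payload


def tcp(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)


def udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)


def icmp(icmp_type):
    return struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)


if __name__ == "__main__":
    samples = {
        "plain SYN": ipv4(TCP, tcp(40000, 80, SYN)),
        "SYN+ACK": ipv4(TCP, tcp(80, 40000, SYN | ACK)),
        "SYN+FIN": ipv4(TCP, tcp(40000, 80, SYN | FIN)),
        "echo request": ipv4(ICMP, icmp(8)),
        "first fragment, SYN": ipv4(TCP, tcp(40000, 80, SYN), frag=0x2000),
    }
    for name, pkt in samples.items():
        print(f"{name}: {matched_conditions(pkt)}")
```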
11.8 security-suite enable
To enable the security suite feature and setting, use the security-suite enable Global
Configuration mode command. The security suite feature supports protection against various
types of attacks. To restore the default configuration, use the no form of this command.
Syntax
security-suite enable [global-rules-only | interface-rules-only]
no security-suite enable
Parameters
• global-rules-only—(Optional) Specifies that the device supports only global level
(and not interface level) security suite commands. This setting saves space in the
Ternary Content Addressable Memory (TCAM). If this keyword is not used,
security-suite commands can be used both globally and per-interface.
• interface-rules-only—(Optional) Specifies that the device supports only interface
level security suite commands (see details in the User Guidelines below). This mode cannot
be enabled if an ACL is applied to any interface on the device.
• (none) - If no keyword is used, security-suite commands can be used both globally and
per-interface. This mode cannot be enabled if an ACL is applied to any interface on the
device.
Default Configuration
The security suite feature is disabled.
If neither global-rules-only nor interface-rules-only is specified, the default is to enable
security-suite globally and per interface.
Command Mode
Global Configuration mode
User Guidelines
Use this command to enable the ability to define security suite settings, and to determine the
type of settings that can be enabled (only global level rules, only interface level rules or both
types). When security-suite is enabled, the following commands can be used, depending on the
mode set by user:
• Global level rules:
  - security-suite deny martian-addresses
  - security-suite dos protect
• Interface level rules:
  - security-suite deny fragmented
  - security-suite deny icmp
  - security-suite deny syn
  - security-suite dos syn-attack
When this command is used, hardware resources are reserved. The number of resources
reserved depends on the mode specified in command (global-rules-only, interface-rules-only
or no mode (meaning both types)). Resources are released when the no security-suite enable
command is entered.
MAC ACLs must be removed before the security-suite is enabled. The rules can be re-entered
after the security-suite is enabled.
If ACLs or policy maps are assigned on interfaces, per interface security-suite rules cannot be
enabled.
Examples
Example 1—The following example enables the security suite feature and specifies that
security suite commands are global commands only. When an attempt is made to configure
security-suite on a port, it fails.
switchxxxxxx(config)# security-suite enable global-rules-only
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# security-suite dos syn-attack 199 any /10
To perform this command, DoS Prevention must be enabled in the per-interface mode.
Example 2—The following example enables the security suite feature globally and on
interfaces. The security-suite command succeeds on the port.
switchxxxxxx(config)# security-suite enable
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# security-suite dos syn-attack 199 any /10
switchxxxxxx(config-if)#
11.9 security-suite syn protection mode
To set the TCP SYN protection mode, use the security-suite syn protection mode Global
Configuration mode command.
To set the TCP SYN protection mode to default, use the no form of this command.
Syntax
security-suite syn protection mode {disabled | report | block}
no security-suite syn protection mode
Parameters
• disabled—Feature is disabled
• report—Feature reports about TCP SYN traffic per port (including rate-limited
SYSLOG message when an attack is identified)
#Editor: In devices with no TCAM, the below block option is not supported
• block—TCP SYN traffic from attacking ports destined to the local system is blocked,
and a rate-limited SYSLOG message (one per minute) is generated
Default Configuration
The default mode is block.
Command Mode
Global Configuration mode
User Guidelines
On ports in which an ACL is defined (user-defined ACL etc.), this feature cannot block TCP
SYN packets. In case the protection mode is block but SYN Traffic cannot be blocked, a
relevant SYSLOG message will be created, e.g.: “port te1/0/1 is under TCP SYN attack. TCP
SYN traffic cannot be blocked on this port since the port is bound to an ACL.”
Examples
Example 1: The following example sets the TCP SYN protection feature to report TCP SYN
attack on ports in case an attack is identified from these ports.
switchxxxxxx(config)# security-suite syn protection mode report
…
01-Jan-2012 05:29:46: A TCP SYN Attack was identified on port te1/0/1
Example 2: The following example sets the TCP SYN protection feature to block TCP SYN
attack on ports in case an attack is identified from these ports.
switchxxxxxx(config)# security-suite syn protection mode block
…
01-Jan-2012 05:29:46: A TCP SYN Attack was identified on port te1/0/1. TCP SYN
traffic destined to the local system is automatically blocked for 100
seconds.
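The three SYSLOG messages quoted in this section (attack reported, attack blocked, and attack that cannot be blocked because the port is bound to an ACL) can be triaged per port as follows. This is an added example, not Cisco code: the log lines are constructed from the message texts above, and it assumes each message arrives on one line with the timestamp prefix shown in the examples.

```python
import re
from datetime import datetime

PORT = r"(?P<port>[A-Za-z]+\d+(?:/\d+)*)"
STAMP = re.compile(r"^(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}):")
IDENTIFIED = re.compile(r"A TCP SYN Attack was identified on port " + PORT)
BLOCKED = re.compile(r"automatically blocked for (\d+) seconds")
ACL_BOUND = re.compile(r"port " + PORT + r" is under TCP SYN attack\. "
                       r"TCP SYN traffic cannot be blocked")
# Higher value = less mitigation in place on the port.
SEVERITY = {"blocked": 0, "reported": 1, "not-blockable-acl": 2}


def triage(lines):
    """Summarise SYN protection messages per port: worst state, count, first/last time."""
    ports = {}
    for line in lines:
        block_secs = None
        hit = ACL_BOUND.search(line)
        if hit:
            state = "not-blockable-acl"
        else:
            hit = IDENTIFIED.search(line)
            if not hit:
                continue                      # unrelated message
            blocked = BLOCKED.search(line)
            state = "blocked" if blocked else "reported"
            block_secs = int(blocked.group(1)) if blocked else None
        stamp = STAMP.match(line)
        when = datetime.strptime(stamp.group(1), "%d-%b-%Y %H:%M:%S") if stamp else None
        rec = ports.setdefault(hit["port"], {"state": state, "events": 0, "first": when,
                                            "last": when, "block_seconds": None})
        rec["events"] += 1
        if SEVERITY[state] > SEVERITY[rec["state"]]:
            rec["state"] = state
        if block_secs is not None:
            rec["block_seconds"] = block_secs
        if when is not None:
            rec["first"] = when if rec["first"] is None else min(rec["first"], when)
            rec["last"] = when if rec["last"] is None else max(rec["last"], when)
    return ports


def needs_attention(ports):
    """Ports where SYN traffic was detected but not blocked, least mitigated first."""
    open_ports = [p for p, r in ports.items() if r["state"] != "blocked"]
    return sorted(open_ports, key=lambda p: (-SEVERITY[ports[p]["state"]], p))


# Constructed log lines built from the message texts quoted in this section.
SAMPLE_LOG = [
    "01-Jan-2012 05:29:46: A TCP SYN Attack was identified on port te1/0/1. TCP SYN "
    "traffic destined to the local system is automatically blocked for 100 seconds.",
    "01-Jan-2012 05:30:02: port te1/0/2 is under TCP SYN attack. TCP SYN traffic "
    "cannot be blocked on this port since the port is bound to an ACL.",
    "01-Jan-2012 05:30:40: unrelated message (constructed)",
    "01-Jan-2012 05:31:30: A TCP SYN Attack was identified on port te1/0/1. TCP SYN "
    "traffic destined to the local system is automatically blocked for 100 seconds.",
    "01-Jan-2012 05:33:00: A TCP SYN Attack was identified on port te1/0/3",
]

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for port in needs_attention(summary):
        print(port, summary[port]["state"], summary[port]["events"])
```

Because the block-mode message is rate limited to one per minute, the event count per port is a floor on attack duration, not a packet count.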
11.10 security-suite syn protection recovery
To set the time period for the SYN Protection feature to block an attacked interface, use the
security-suite syn protection recovery Global Configuration mode command.
To set the time period to its default value, use the no form of this command.
Syntax
security-suite syn protection recovery timeout
no security-suite syn protection recovery
Parameters
timeout—Defines the timeout (in seconds) by which an interface from which SYN packets are blocked
gets unblocked. Note that if a SYN attack is still active on this interface it might become blocked again.
(Range: 10-600)
Default Configuration
The default timeout is 60 seconds.
Command Mode
Global Configuration mode
User Guidelines
If the timeout is modified, the new value will be used only on interfaces which are not
currently under attack.
Example
The following example sets the TCP SYN period to 100 seconds.
switchxxxxxx(config)# security-suite syn protection recovery 100
11.11 security-suite syn protection threshold
To set the threshold for the SYN protection feature, use the security-suite syn protection
threshold Global Configuration mode command.
To set the threshold to its default value, use the no form of this command.
Syntax
security-suite syn protection threshold syn-packet-rate
no security-suite syn protection threshold
Parameters
syn-packet-rate—defines the rate (number of packets per second) from each specific port that triggers
identification of TCP SYN attack. (Range: 20-200)
Default Configuration
The default threshold is 80 pps (packets per second).
Command Mode
Global Configuration mode
Example
The following example sets the TCP SYN protection threshold to 40 pps.
switchxxxxxx(config)# security-suite syn protection threshold 40
11.12 show security-suite configuration
To display the security-suite configuration, use the show security-suite configuration
User EXEC mode command.
Syntax
show security-suite configuration
Command Mode
User EXEC mode
Example
The following example displays the security-suite configuration.
switchxxxxxx# show security-suite configuration
Security suite is enabled (Per interface rules are enabled).
Denial Of Service Protect: stacheldraht, invasor-trojan,
back-office-trojan.
Denial Of Service SYN-FIN Attack is enabled
Denial Of Service SYN Attack
Interface           IP Address        SYN Rate (pps)
-----------------   --------------    --------------
te1/0/1             176.16.23.0\24    100
Martian addresses filtering
Reserved addresses: enabled.
Configured addresses: 10.0.0.0/8, 192.168.0.0/16
SYN filtering
Interface           IP Address        TCP port
----------------    --------------    --------------
te1/0/2             176.16.23.0\24    FTP
ICMP filtering
Interface           IP Address
---------------     --------------
te1/0/2             176.16.23.0\24
Fragmented packets filtering
Interface           IP Address
--------------      --------------
te1/0/2             176.16.23.0\24
11.13 show security-suite syn protection
To display the SYN Protection feature configuration and the operational status per interface-id, including
the time of the last attack per interface, use the show security-suite syn protection User EXEC mode
command.
Syntax
show security-suite syn protection [interface-id]
Parameters
interface-id—(Optional) Specifies an interface-ID. The interface-ID can be one of the following types:
Ethernet port or Port-Channel.
Command Mode
User EXEC mode
User Guidelines
Use the Interface-ID to display information on a specific interface.
Example
The following example displays the TCP SYN protection feature configuration and current status on all
interfaces. In this example, port te1/0/2 is attacked but since there is a user-ACL on this port, it cannot
become blocked so its status is Reported and not Blocked and Reported.
switchxxxxxx# show security-suite syn protection
Protection Mode: Block
Threshold: 40 Packets Per Second
Period: 100 Seconds
Interface Name   Current Status   Last Attack
te1/0/1          Attacked         19:58:22.289 PDT Feb 19 2012 Blocked and Reported
te1/0/2          Attacked         19:58:22.289 PDT Feb 19 2012 Reported
te1/0/3          Attacked         19:58:22.289 PDT Feb 19 2012 Blocked and Reported
12
DHCP Relay Commands
12.1 ip dhcp relay enable (Global)
Use the ip dhcp relay enable Global Configuration mode command to enable the DHCP relay
feature on the device. Use the no form of this command to disable the DHCP relay feature.
Syntax
ip dhcp relay enable
no ip dhcp relay enable
Parameters
N/A
Default Configuration
DHCP relay feature is disabled.
Command Mode
Global Configuration mode
Example
The following example enables the DHCP relay feature on the device.
switchxxxxxx(config)# ip dhcp relay enable
12.2 ip dhcp relay enable (Interface)
Use the ip dhcp relay enable Interface Configuration mode command to enable the DHCP
relay feature on an interface. Use the no form of this command to disable the DHCP relay
agent feature on an interface.
Syntax
ip dhcp relay enable
no ip dhcp relay enable
Parameters
N/A
Default Configuration
Disabled
Command Mode
Interface Configuration mode
User Guidelines
The operational status of DHCP Relay on an interface is active if one of the following
conditions exists:
• DHCP Relay is globally enabled, and there is an IP address defined on the interface.
Or
• DHCP Relay is globally enabled, there is no IP address defined on the interface, the
interface is a VLAN, and option 82 is enabled.
Example
The following example enables DHCP Relay on VLAN 21.
switchxxxxxx(config)# interface vlan 21
switchxxxxxx(config-if)# ip dhcp relay enable
12.3 ip dhcp relay address (Global)
Use the ip dhcp relay address Global Configuration mode command to define the DHCP
servers available for the DHCP relay. Use the no form of this command to remove the server
from the list.
Syntax
ip dhcp relay address ip-address
no ip dhcp relay address [ip-address]
Parameters
• ip-address—Specifies the DHCP server IP address. Up to 8 servers can be defined.
Default Configuration
No server is defined.
Command Mode
Global Configuration mode
User Guidelines
Use the ip dhcp relay address command to define a global DHCP Server IP address. To
define several DHCP Servers, enter the command once for each server.
To remove a DHCP Server, use the no form of the command with the ip-address argument.
The no form of the command without the ip-address argument deletes all globally defined
DHCP servers.
Example
The following example defines the DHCP server on the device.
switchxxxxxx(config)# ip dhcp relay address 176.16.1.1
12.4 show ip dhcp relay
Use the show ip dhcp relay EXEC mode command to display the DHCP relay information.
Syntax
show ip dhcp relay
Command Mode
User EXEC mode
Examples
Example 1: Option 82 is disabled:
switchxxxxxx# show ip dhcp relay
DHCP relay is globally disabled
Option 82 is disabled
Maximum number of supported VLANs without IP Address: 0
Number of DHCP Relays enabled on VLANs without IP Address: 4
DHCP relay is enabled on Ports: te1/0/1,po1-2
Active:
Inactive: te1/0/1, po1-4
DHCP relay is enabled on VLANs: 1, 2, 4, 5
Active:
Inactive: 1, 2, 4, 5
Global Servers: 1.1.1.1 , 2.2.2.2
Example 2: Option 82 is enabled:
switchxxxxxx# show ip dhcp relay
DHCP relay is globally enabled
Option 82 is enabled
Maximum number of supported VLANs without IP Address is 4
Number of DHCP Relays enabled on VLANs without IP Address: 2
DHCP relay is enabled on Ports: te1/0/1,po1-2
Active: te1/0/1
Inactive: po1-2
DHCP relay is enabled on VLANs: 1, 2, 4, 5
Active: 1, 2, 4, 5
Inactive:
Global Servers: 1.1.1.1 , 2.2.2.2
12.5 ip dhcp information option
Use the ip dhcp information option Global Configuration mode command to enable DHCP
option-82 data insertion. Use the no form of this command to disable DHCP option-82 data
insertion.
Syntax
ip dhcp information option
no ip dhcp information option
Parameters
N/A
Default Configuration
DHCP option-82 data insertion is disabled.
Command Mode
Global Configuration mode
User Guidelines
DHCP option 82 is enabled only if DHCP snooping or DHCP relay is enabled.
Example
switchxxxxxx(config)# ip dhcp information option
12.6 ip dhcp information option numeric-token-format
Use the ip dhcp information option numeric-token-format Global Configuration mode
command to define the format of numeric tokens included in the Circuit-ID and Remote-ID
sub-options payload template. Use the no form of this command to return to default format.
Syntax
ip dhcp information option numeric-token-format {hex|ascii}
no ip dhcp information option numeric-token-format
Parameters
• hex - Hexadecimal (numeric value) format is used in the packet for numeric tokens included in the Circuit-ID and Remote-ID payload template.
• ascii - ASCII format is used in the packet for numeric tokens included in the Circuit-ID and Remote-ID payload template. If this option is selected, each individual digit in a numeric token is represented by its value in the ASCII table.
Default Configuration
The default format used is the hexadecimal/numeric format
Command Mode
Global Configuration mode
User Guidelines
Use this command to configure the format of the numeric tokens included in the Circuit-ID or Remote-ID sub-option payload templates (commands ip dhcp information option circuit-id and ip dhcp information option remote-id).
The following are the numeric tokens affected by this command:
• $int-ifindex$
• $int-portid$
• $switch-moduleid$
• $vlan-id$
Example
Example 1: The following example configures the device to use the ASCII format for insertion of
numeric-tokens:
switchxxxxxx(config)# ip dhcp information option numeric-token-format ascii
12.7 ip dhcp information option circuit-id
Use the ip dhcp information option circuit-id Global Configuration mode command to
configure the template of DHCP option 82 Circuit-ID sub-option payload. Use the no form of
this command to return to default template.
Syntax
ip dhcp information option circuit-id text
no ip dhcp information option circuit-id
Parameters
• text - Concatenation of free text and one or more tokens in the format of $tokenname$ (length 1-160).
Default Configuration
The default Circuit-ID payload template is $vlan-id$$switch-moduleid$$int-portid$
Command Mode
Global Configuration mode
User Guidelines
Use this command to configure the template of the option 82 Circuit-ID sub-option payload inserted by the device. The payload section of the Circuit-ID sub-option includes all bytes of the sub-option except its first 4 bytes, whose values are set by the device as follows:
• Circuit-ID sub-option type (value = 1)
• Sub-option total length (not including the 1st byte and the total length byte)
• Circuit-ID type (value = 1). Note: if the default sub-option template is used, the value of this field equals 0
• Sub-option payload length
The text field is a concatenation of free text and one or more tokens in the format of $tokenname$. Tokens must be entered in the exact format specified (see table below) or they will not be recognized as tokens.
The text can begin or end with free text or a token. Tokens can be concatenated sequentially or separated by free text. If the free text includes a space character, the text parameter must be placed between quotation marks (e.g. "text1 text2").
The Circuit-ID payload template must include at least 1 token related to an interface parameter (a token beginning with $int-xxx$). In addition, if the string does not include a VLAN related token, the user will be asked to confirm the setting.
The total length of the text field in the command cannot exceed 160 bytes. The byte count includes all bytes of the text parameter, including all free text and tokens as written in the text field.
The combined length of the Circuit-ID payload and the Remote-ID payload cannot exceed 247 bytes. The payload byte count takes into account the count of free-text chars (1 byte each) and a predefined length reserved for each token (see the table below).
The following table details the supported tokens, the device parameter they represent, and the reserved and actual byte count for each token:
| Token Name | Description | Reserved Length | Actual Length |
|---|---|---|---|
| $int-ifindex$ | Source interface ifIndex value | 4 bytes | Hex format - 2 bytes; ASCII format - 4 bytes |
| $int-portid$ | Source interface sequential number on the specific module (in stack). For LAG source interfaces - it is the LAG ID | 2 bytes | Hex format - 1 byte; ASCII format - 2 bytes |
| $int-name$ | The full name of the source interface, as used in CLI commands | 32 bytes | The actual number of bytes needed for ASCII representation of the interface full name |
| $int-abrvname$ | The abbreviated name of the source interface, as used in CLI commands | 8 bytes | The actual number of bytes needed for ASCII representation of the interface full name |
| $int-desc-16$ | The description configured by user on source interface. If description is more than 16 bytes - only the 1st 16 bytes are used. If a description is not configured, the abbreviated interface name is used | 16 bytes | The actual number of bytes needed for ASCII representation of the interface description (max 16 bytes) |
| $int-desc-32$ | The description configured by user on source interface. If description is more than 32 bytes - only the 1st 32 bytes are used. If a description is not configured, the abbreviated interface name is used | 32 bytes | The actual number of bytes needed for ASCII representation of the interface description (max 32 bytes) |
| $int-desc-64$ | The description configured by user on source interface. If a description is not configured, the abbreviated interface name is used | 64 bytes | The actual number of bytes needed for ASCII representation of the interface description |
| $int-mac$ | MAC address of the source interface (Hex value with no delimiter) | 6 bytes | 6 bytes |
| $switch-mac$ | MAC address of the switch relaying/forwarding DHCP packet (Hex value with no delimiter) | 6 bytes | 6 bytes |
| $switch-hostname-16$ | The hostname of the switch relaying/forwarding DHCP packet. If the hostname is more than 16 bytes - only the 1st 16 bytes are used | 16 bytes | The actual number of bytes needed for ASCII representation of the hostname (max 16 bytes) |
| $switch-hostname-32$ | The hostname of the switch relaying/forwarding DHCP packet. If the hostname is more than 32 bytes - only the 1st 32 bytes are used | 32 bytes | The actual number of bytes needed for ASCII representation of the hostname (max 32 bytes) |
| $switch-hostname-58$ | The hostname of the switch relaying/forwarding DHCP packet. | 58 bytes | The actual number of bytes needed for ASCII representation of the hostname |
| $switch-moduleid$ | The unit ID of the source interface upon which the DHCP client request was received | 2 bytes | Hex format - 1 byte; ASCII format - 2 bytes |
| $vlan-id$ | The Source VLAN ID (1-4094) | 4 bytes | Hex format - 2 bytes; ASCII format - 4 bytes |
| $vlan-name-16$ | The VLAN name assigned by user to the VLAN. If the name is more than 16 bytes only the 1st 16 bytes are used. If a name is not configured for the VLAN, the value is taken from the relevant VLAN ifDescr MIB field | 16 bytes | The actual number of bytes needed for ASCII representation of the VLAN name (max 16) |
| $vlan-name-32$ | The VLAN name assigned by user to the VLAN. If a name is not configured for the VLAN, the value is taken from the relevant VLAN ifDescr MIB field | 32 bytes | The actual number of bytes needed for ASCII representation of the VLAN name (max 32) |
Notes:
• Source Interface or VLAN in the table refers to the interface or VLAN on which the DHCP client packet (to which the option 82 is added) was received.
• Reserved (Byte) Length - The maximum length the token may “consume” in the packet. This value is used for calculation of the 247 byte limit (for all sub options payload combined). The reserved length does not change if numeric tokens are filled in as Hexadecimal or ASCII values (see command ip dhcp information option numeric-token-format).
• Actual (Byte) Length - The actual number of bytes the token will “consume” in the packet itself. The actual byte length may change (for relevant tokens) if the token is filled in as hexadecimal or ASCII values (see command ip dhcp information option numeric-token-format).
Example
Example 1: The following example configures the Circuit-ID payload template to a concatenation of free text and tokens representing interface name and VLAN name (up to 16 chars):
switchxxxxxx(config)# ip dhcp information option circuit-id aaa$int-name$bbb$vlan-name-16$ccc
Example 2: The following example attempts to configure a Circuit-ID payload template whose text parameter does not include a token related to an interface:
switchxxxxxx(config)# ip dhcp information option circuit-id aaa
Illegal Circuit-ID payload: Cicuit-ID must include at least 1 interface related Token
Example 3: The following example configures the Circuit-ID payload template to use a concatenation of free text and tokens, where the template does not include a token related to a VLAN:
switchxxxxxx(config)# ip dhcp information option circuit-id aaa$int-name$bbb
Circuit-ID payload does not include a token reflecting DHCP client source VLAN. Continue? y/n[n] y
Example 4: The following example configures the Circuit-ID payload template to use a concatenation of free text and tokens, resulting in combined Circuit-ID and Remote-ID reserved payloads that exceed 247 bytes:
switchxxxxxx(config)# ip dhcp information option circuit-id aaa$vlan-name-32$bbb$int-desc-64$ccc$switch-hostname-58$ddd
Illegal Circuit-ID payload: Circuit-ID and Remote-ID payload reserved byte count exceeds 247 bytes
12.8 ip dhcp information option remote-id
Use the ip dhcp information option remote-id Global Configuration mode command to
configure the template of DHCP option 82 Remote-ID sub-option payload. Use the no form of
this command to return to default template.
Syntax
ip dhcp information option remote-id text
no ip dhcp information option remote-id
Parameters
• text - Concatenation of free text and one or more tokens in the format of $tokenname$ (length 1-160).
Default Configuration
The default Remote-ID payload template is $switch-mac$
Command Mode
Global Configuration mode
User Guidelines
Use this command to configure the template of the option 82 Remote-ID sub-option payload inserted by the device. The payload section of the Remote-ID sub-option includes all bytes of the sub-option except its first 4 bytes, whose values are set by the device as follows:
• Remote-ID sub-option type (value = 2)
• Sub-option total length (not including the 1st byte and the total length byte)
• Remote-ID type (value = 1). Note: if the default sub-option template is used, the value of this field equals 0
• Sub-option payload length
The text field is a concatenation of free text and one or more tokens in the format of $tokenname$. Tokens must be entered in the exact format specified (see table below) or they will not be recognized as tokens.
The text can begin or end with free text or a token. Tokens can be concatenated sequentially or separated by free text. If the free text includes a space character, the text parameter must be placed between quotation marks (e.g. "text1 text2").
The Remote-ID payload template may include 1 token, multiple tokens or no tokens at all.
The total length of the text field in the command cannot exceed 160 bytes. The byte count includes all bytes of the text parameter, including all free text and tokens as written in the text field.
The combined length of the Circuit-ID payload and the Remote-ID payload cannot exceed 247 bytes. The payload byte count takes into account the count of free-text chars (1 byte each) and a predefined length reserved for each token (see the table below).
The following table details the supported tokens, the device parameter they represent, and the reserved and actual byte count for each token:
| Token Name | Description | Reserved Length | Actual Length |
|---|---|---|---|
| $int-ifindex$ | Source interface ifIndex value | 4 bytes | Hex format - 2 bytes; ASCII format - 4 bytes |
| $int-portid$ | Source interface sequential number on the specific module (in stack). For LAG source interfaces - it is the LAG ID | 2 bytes | Hex format - 1 byte; ASCII format - 2 bytes |
| $int-name$ | The full name of the source interface, as used in CLI commands | 32 bytes | The actual number of bytes needed for ASCII representation of the interface full name |
| $int-abrvname$ | The abbreviated name of the source interface, as used in CLI commands | 8 bytes | The actual number of bytes needed for ASCII representation of the interface full name |
| $int-desc-16$ | The description configured by user on source interface. If description is more than 16 bytes - only the 1st 16 bytes are used. If a description is not configured, the abbreviated interface name is used | 16 bytes | The actual number of bytes needed for ASCII representation of the interface description (max 16 bytes) |
| $int-desc-32$ | The description configured by user on source interface. If description is more than 32 bytes - only the 1st 32 bytes are used. If a description is not configured, the abbreviated interface name is used | 32 bytes | The actual number of bytes needed for ASCII representation of the interface description (max 32 bytes) |
| $int-desc-64$ | The description configured by user on source interface. If a description is not configured, the abbreviated interface name is used | 64 bytes | The actual number of bytes needed for ASCII representation of the interface description |
| $int-mac$ | MAC address of the source interface (Hex value with no delimiter) | 6 bytes | 6 bytes |
| $switch-mac$ | MAC address of the switch relaying/forwarding DHCP packet (Hex value with no delimiter) | 6 bytes | 6 bytes |
| $switch-hostname-16$ | The hostname of the switch relaying/forwarding DHCP packet. If the hostname is more than 16 bytes - only the 1st 16 bytes are used | 16 bytes | The actual number of bytes needed for ASCII representation of the hostname (max 16 bytes) |
| $switch-hostname-32$ | The hostname of the switch relaying/forwarding DHCP packet. If the hostname is more than 32 bytes - only the 1st 32 bytes are used | 32 bytes | The actual number of bytes needed for ASCII representation of the hostname (max 32 bytes) |
| $switch-hostname-58$ | The hostname of the switch relaying/forwarding DHCP packet. | 58 bytes | The actual number of bytes needed for ASCII representation of the hostname |
| $switch-moduleid$ | The unit ID of the source interface upon which the DHCP client request was received | 2 bytes | Hex format - 1 byte; ASCII format - 2 bytes |
| $vlan-id$ | The Source VLAN ID (1-4094) | 4 bytes | Hex format - 2 bytes; ASCII format - 4 bytes |
| $vlan-name-16$ | The VLAN name assigned by user to the VLAN. If the name is more than 16 bytes only the 1st 16 bytes are used. If a name is not configured for the VLAN, the value is taken from the relevant VLAN ifDescr MIB field | 16 bytes | The actual number of bytes needed for ASCII representation of the VLAN name (max 16) |
| $vlan-name-32$ | The VLAN name assigned by user to the VLAN. If a name is not configured for the VLAN, the value is taken from the relevant VLAN ifDescr MIB field | 32 bytes | The actual number of bytes needed for ASCII representation of the VLAN name (max 32) |
Notes:
• Source Interface or VLAN in the table refers to the interface or VLAN on which the DHCP client packet (to which the option 82 is added) was received.
• Reserved (Byte) Length - The maximum length the token may “consume” in the packet. This value is used for calculation of the 247 byte limit (for all sub options payload combined). The reserved length does not change if numeric tokens are filled in as Hexadecimal or ASCII values (see command ip dhcp information option numeric-token-format).
• Actual (Byte) Length - The actual number of bytes the token will “consume” in the packet itself. The actual byte length may change (for relevant tokens) if the token is filled in as hexadecimal or ASCII values (see command ip dhcp information option numeric-token-format).
Example
Example 1: The following example configures the device to use a Remote-ID which is a concatenation of free text and the full device hostname:
switchxxxxxx(config)# ip dhcp information option remote-id aaa$switch-hostname-58$bbb
12.9 show ip dhcp information option tokens
Use the show ip dhcp information option tokens User EXEC mode command to display
tokens which can be used when configuring the payloads of Circuit-ID and Remote-ID sub
options (DHCP option 82):
Syntax
show ip dhcp information option tokens [brief]
Parameters
• brief - Displays the name of the tokens without token information (useful for copying the name of a token when using commands ip dhcp information option circuit-id or ip dhcp information option remote-id).
Default Configuration
Full token information is displayed
Command Mode
User EXEC mode
User Guidelines
Use this command to display the tokens that can be used as part of the text parameter in
commands ip dhcp information option circuit-id or ip dhcp information option remote-id.
The tokens represent various system info, which the user can include in either of the
sub-options’ payloads. This allows automatic update of value based on current system
information and also based on relevant interfaces.
The tokens have meaningful and pre-determined names based on the information they
represent. A $ symbol is placed before and after the Token name ($token-name$).
Tokens can be divided, in general, into 3 groups: Tokens which represent interface level
information (format of $int-xxx$); Tokens which represent switch level information (format of
$switch-xxx$), and tokens which represent VLAN related information (format of $vlan-xxx$).
Example
Example 1: The following example displays all supported tokens and all the information related to
each token:
switchxxxxxx# show ip dhcp information option tokens
Interface level Tokens - relates to the interface upon which the DHCP client
packet was received:
Token Name: $int-ifindex$
Token value: ifIndex of the interface
Token format: Hex (default) or ASCII
Token reserved length: 4 bytes.
Token actual payload length: 2(HEX)/4(ASCII) bytes.
Token Name: $int-portid$
Token value: interface number relative to the specific unit (standalone or
stacking unit)
Token format: Hex (default) or ASCII
Token reserved length: 2 bytes
Token actual payload length: 1(HEX)/2(ASCII) bytes
Token Name: $int-name$
Token value: The interface full name based as used in CLI
Token format: ASCII
Token reserved length: 32 bytes
Token actual payload length: Actual number of bytes (ASCII) inserted to
sub-option
Token Name: $int-abrvname$
Token value: The interface abbreviated name as used in CLI
Token format: ASCII
Token reserved length: 8 bytes
Token actual payload length: Actual number of bytes (ASCII) inserted to
sub-option
Token Name: $int-desc-16$
Token value: (up to) The first 16 bytes of the description user configured
for the interface
Token format: ASCII
Token reserved length: 16 bytes
Token actual payload length: Actual number of bytes (ASCII) inserted to
sub-option
Token Name: $int-desc-32$
Token value: (up to) The first 32 bytes of the description user configured
for the interface
Token format: ASCII
Token reserved length: 32 bytes
Token actual payload length: Actual number of bytes (ASCII) inserted to
sub-option
Token Name: $int-desc-64$
Token value: The full description user configured for the interface (even if
more than 32 bytes)
Token format: ASCII
Token reserved length: 64 bytes
Token actual payload length: Actual number of bytes (ASCII) inserted to
sub-option
Token Name: $int-mac$
Token value: The MAC address of the physical interface
Token format: HEX
Token reserved length: 6 bytes
Token actual payload length:6 bytes
Device level Tokens - relates to switch level information:
Token Name: $switch-mac$
Token value: Device base MAC address
Token format: HEX
Token reserved length: 6 bytes
Token actual payload length:6 bytes
Token Name: $switch-hostname-16$
Token value: (Up to) The first 16 bytes of the hostname of the device
Token format: ASCII
Token reserved length: 16 bytes
Token actual payload length: Actual number of bytes (ASCII) inserted to
sub-option
Token Name: $switch-hostname-32$
Token value: (Up to) The first 32 bytes of the hostname of the device
Token format: ASCII
Token reserved length: 32 bytes
Token actual payload length: Actual number of bytes (ASCII) inserted to
sub-option
Token Name: $switch-hostname-58$
Token value: Device full hostname (even if more than 32 bytes)
Token format: ASCII
Token reserved length: 58 bytes
Token actual payload length: Actual number of bytes (ASCII) inserted to
sub-option
Token Name: $switch-moduleid$
Token value: The unit ID of the unit within the stack
Token format: Hex (default) or ASCII
Token reserved length: 2 bytes
Token actual payload length: 1(HEX)/2(ASCII) bytes
VLAN level Tokens - relates to the VLAN upon which the DHCP client packet was
received:
Token Name: $vlan-id$
Token value: VLAN ID (1-4094)
Token format: Hex (default) or ASCII
Token reserved length: 4 bytes
Token actual payload length: 2(HEX)/4(ASCII) bytes
Token Name: $vlan-name-16$
Token value: (Up to) The first 16 bytes of the VLAN name
Token format: ASCII
Token reserved length: 16 bytes
Token actual payload length: Actual number of bytes (ASCII) inserted to
sub-option
Token Name: $vlan-name-32$
Token value: The full VLAN name (even if more than 16 bytes)
Token format: ASCII
Token reserved length: 32 bytes
Token actual payload length: Actual number of bytes (ASCII) inserted to
sub-option
Example 2: The following example displays only the names of the supported Tokens:
switchxxxxxx# show ip dhcp information option tokens brief
Interface level Tokens:
$int-ifindex$
$int-portid$
$int-name$
$int-abrvname$
$int-desc-16$
$int-desc-32$
$int-desc-64$
$int-mac$
Device level Tokens:
$switch-mac$
$switch-hostname-16$
$switch-hostname-32$
$switch-hostname-58$
$switch-moduleid$
VLAN level Tokens:
$vlan-id$
$vlan-name-16$
$vlan-name-32$
12.10 show ip dhcp information option
The show ip dhcp information option User EXEC mode command displays the DHCP
Option 82 and sub option configuration.
Syntax
show ip dhcp information option [{interface interface-id} {vlan vlan}]
Parameters
• interface interface-id - Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or Port-channel. Use this parameter together with the vlan parameter to display the actual option 82 payload for a DHCP client message received on the specified interface and VLAN.
• vlan vlan - Specifies a VLAN ID. Use this parameter together with the interface parameter to display the actual option 82 payload for a DHCP client message received on the specified interface and VLAN.
Default Configuration
If no parameter is entered the general settings of option 82 will be displayed.
Command Mode
User EXEC mode
Example
Example 1: The following example displays global information for DHCP option 82, including
sub options, when user did not change the settings of Option 82 sub-options.
switchxxxxxx# show ip dhcp information option
Relay agent Information option is Enabled
Numeric Token format: hex
Circuit-id payload template: (default)
Remote-id payload template: (default)
Total sub Options reserved payload: 14/247 bytes
Example 2: The following example displays global information for DHCP option 82, including
sub options, where user modified both Circuit-ID and Remote-ID sub-options.
switchxxxxxx# show ip dhcp information option
Relay agent Information option is Enabled
Numeric Token format: hex
Circuit-id payload template: aaa$int-name$bbb$vlan-name$ccc
Remote-id payload template: aaa$switch-hostname-58$bbb
Total sub Options reserved payload: 143/247 bytes
Example 3: The following example displays specific interface and VLAN information for DHCP
option 82, where user modified both Circuit-ID and Remote-ID sub-options.
switchxxxxxx# show ip dhcp information option interface te1/0/1 vlan 2
Relay agent Information option is Enabled
Numeric Token format: hex
Circuit-id payload template: aaa$int-name$bbb$vlan-name$ccc
Remote-id payload template: aaa$switch-hostname-58$bbb
Total sub Options reserved payload: 143/247 bytes
Interface te1/0/1 vlan 2:
Circuit-id header content: 0131012f
Circuit-id payload content: 61616154656e6769676162697445746865726e657431
2f302f3162626241502d564c414e636363
Circuit-id Total Length: 43
Remote-id header content: 0211010f
Remote-id payload content: 616161466c6f6f7234537769746368626262
Remote-id Total Length: 22
Example 4: The following example displays specific interface and VLAN information for DHCP
option 82, including sub options, when user modified only the Circuit-ID sub-option.
switchxxxxxx# show ip dhcp information option interface te1/0/10 vlan 13
Relay agent Information option is Enabled
Numeric Token format: hex
Circuit-id payload template: $int-portid$aaa$vlan-id$zzz
Remote-id payload template: (default)
Total sub Options reserved payload: 18/247 bytes
Interface te1/0/10 vlan 13:
Circuit-id header content: 010b012f
Circuit-id payload content: 0a616161000d7a7a7a
Circuit-id Total Length: 13
Remote-id header content: 02080006
Remote-id payload content: 000000112233
Remote-id Total Length: 10
Example 5: The following example displays specific interface and VLAN information for DHCP
option 82, when user set Numeric Token format to ASCII and configured Circuit-ID sub-option.
switchxxxxxx# show ip dhcp information option interface te1/0/10 vlan 13
Relay agent Information option is Enabled
Numeric Token format: ascii
Circuit-id payload template: $int-portid$aaa$vlan-id$zzz
Remote-id payload template: (default)
Total sub Options reserved payload: 18/247 bytes
Interface te1/0/10 vlan 13:
Circuit-id header content: 010e012f
Circuit-id payload content: 3130616161303031337a7a7a
Circuit-id Total Length: 16
Remote-id header content: 0211000f
Remote-id payload content: 000000112233
Remote-id Total Length: 10
Example 6: In the following example, the requested display is for specific interface and VLAN information for DHCP option 82, where $vlan-name-32$ is one of the tokens, but the specific VLAN was not created on the device.
switchxxxxxx# show ip dhcp information option interface te1/0/1 vlan 2
Relay agent Information option is Enabled
Numeric Token format: hex
Circuit-id payload template: aaa$int-name$bbb$vlan-name-32$ccc
Remote-id payload template: aaa$switch-hostname-58$bbb
Total sub Options reserved payload: 137/247 bytes
Interface te1/0/1 vlan 2:
Error - Cannot calculate Circuit-ID info - sub-option contains VLAN related Token
which does not exist on device.
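The reserved-length accounting and the sub-option layout described in this chapter, worked through in Python as an added example (not part of the Cisco guide and not device code). It reproduces the payload bytes shown above for interface te1/0/10 vlan 13; zero-padding of ASCII numeric tokens and cutting every string token to its reserved length are assumptions drawn from those examples and the token table.

```python
import re

# Reserved length in bytes per token, copied from the token table on this page.
RESERVED = {
    "int-ifindex": 4, "int-portid": 2, "int-name": 32, "int-abrvname": 8,
    "int-desc-16": 16, "int-desc-32": 32, "int-desc-64": 64, "int-mac": 6,
    "switch-mac": 6, "switch-hostname-16": 16, "switch-hostname-32": 32,
    "switch-hostname-58": 58, "switch-moduleid": 2, "vlan-id": 4,
    "vlan-name-16": 16, "vlan-name-32": 32,
}
# Numeric tokens: (bytes used in hex format, digits used in ASCII format).
NUMERIC = {"int-ifindex": (2, 4), "int-portid": (1, 2),
           "switch-moduleid": (1, 2), "vlan-id": (2, 4)}
MAC_TOKENS = {"int-mac", "switch-mac"}
DEFAULT_CIRCUIT = "$vlan-id$$switch-moduleid$$int-portid$"
DEFAULT_REMOTE = "$switch-mac$"
# Only exact token names are recognised; anything else is treated as free text.
TOKEN_RE = re.compile(r"\$(" + "|".join(map(re.escape, RESERVED)) + r")\$")


def split_template(text):
    """Split a template into ('text', str) and ('token', name) parts, in order."""
    parts, pos = [], 0
    for m in TOKEN_RE.finditer(text):
        if m.start() > pos:
            parts.append(("text", text[pos:m.start()]))
        parts.append(("token", m.group(1)))
        pos = m.end()
    if pos < len(text):
        parts.append(("text", text[pos:]))
    return parts


def reserved_length(text):
    """Bytes counted against the 247-byte limit: 1 per free-text char plus each token's reserve."""
    return sum(RESERVED[v] if kind == "token" else len(v.encode("ascii"))
               for kind, v in split_template(text))


def validate(circuit, remote):
    """Return (errors, confirmations) for a Circuit-ID / Remote-ID template pair."""
    errors, confirm = [], []
    for name, text in (("Circuit-ID", circuit), ("Remote-ID", remote)):
        if not 1 <= len(text) <= 160:
            errors.append(f"{name} text must be 1-160 bytes")
    tokens = [v for kind, v in split_template(circuit) if kind == "token"]
    if not any(t.startswith("int-") for t in tokens):
        errors.append("Circuit-ID must include at least 1 interface related token")
    if not any(t.startswith("vlan-") for t in tokens):
        confirm.append("Circuit-ID has no token reflecting the client source VLAN")
    total = reserved_length(circuit) + reserved_length(remote)
    if total > 247:
        errors.append(f"reserved byte count {total} exceeds 247 bytes")
    return errors, confirm


def render(text, values, numeric_format="hex"):
    """Fill a template with per-packet values and return the payload bytes."""
    out = bytearray()
    for kind, v in split_template(text):
        if kind == "text":
            out += v.encode("ascii")
        elif v in NUMERIC:
            hex_bytes, ascii_digits = NUMERIC[v]
            if numeric_format == "hex":
                out += int(values[v]).to_bytes(hex_bytes, "big")
            else:  # ascii: one byte per decimal digit, zero-padded (assumed from Example 5)
                out += str(int(values[v])).zfill(ascii_digits).encode("ascii")
        elif v in MAC_TOKENS:
            out += bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", values[v]))
        else:  # string tokens, cut to the reserved length (assumed for all of them)
            out += values[v].encode("ascii")[:RESERVED[v]]
    return bytes(out)


def sub_option(sub_type, text, values, default_text, numeric_format="hex"):
    """Build one sub-option: the 4 header bytes described on this page, then the payload."""
    payload = render(text, values, numeric_format)
    id_type = 0 if text == default_text else 1  # 0 when the default template is in use
    return bytes([sub_type, len(payload) + 2, id_type, len(payload)]) + payload


if __name__ == "__main__":
    # Constructed values matching the page's "interface te1/0/10 vlan 13" examples.
    vals = {"int-portid": 10, "vlan-id": 13, "switch-mac": "00:00:00:11:22:33"}
    tmpl = "$int-portid$aaa$vlan-id$zzz"
    print(validate(tmpl, DEFAULT_REMOTE))
    print(sub_option(1, tmpl, vals, DEFAULT_CIRCUIT).hex())
    print(sub_option(1, tmpl, vals, DEFAULT_CIRCUIT, "ascii").hex())
    print(sub_option(2, DEFAULT_REMOTE, vals, DEFAULT_REMOTE).hex())
```

The fourth header byte here follows the field description (sub-option payload length); a DHCP server or log parser that keys address policy on Circuit-ID should check both length bytes against the received data before trusting the payload.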
13
DHCP Server Commands
13.1 address (DHCP Host)
To manually bind an IP address to a DHCP client, use the address command in DHCP Pool
Host Configuration mode. To remove the IP address binding to the client, use the no form of
this command.
Syntax
address ip-address {mask | prefix-length} {client-identifier unique-identifier |
hardware-address mac-address}
no address
Parameters
• address—Specifies the client IP address.
• mask—Specifies the client network mask.
• prefix-length—Specifies the number of bits that comprise the address prefix. The prefix is an alternative way of specifying the client network mask. The prefix length must be preceded by a forward slash (/).
• unique-identifier—Specifies the distinct client identification in dotted hexadecimal notation. Each byte in a hexadecimal character string is two hexadecimal digits. Bytes are separated by a period or colon. For example, 01b7.0813.8811.66.
• mac-address—Specifies the client MAC address.
Default Configuration
No addresses are bound.
Command Mode
DHCP Pool Host Configuration mode
User Guidelines
To classify the DHCP client, the DHCP server uses either the client identifier passed in
Option 61, if the client-identifier keyword is configured, or the client MAC address, if the
hardware-address keyword is configured.
Example
The following example manually binds an IP address to a DHCP client.
switchxxxxxx(config)# ip dhcp pool host aaaa
switchxxxxxx(config-dhcp)# address 10.12.1.99 255.255.255.0 client-identifier 01b7.0813.8811.66
switchxxxxxx(config-dhcp)# exit
switchxxxxxx(config)# ip dhcp pool host bbbb
switchxxxxxx(config-dhcp)# address 10.12.1.88 255.255.255.0 hardware-address 00:01:b7:08:13:88
switchxxxxxx(config-dhcp)# exit
switchxxxxxx(config)#
13.2 address (DHCP Network)
To configure the subnet number and mask for a DHCP address pool on a DHCP server, use the
address command in DHCP Pool Network Configuration mode. To remove the subnet
number and mask, use the no form of this command.
Syntax
address {network-number | low low-address high high-address} {mask | prefix-length}
no address
Parameters
• network-number—Specifies the IP address of the DHCP address pool.
• mask—Specifies the pool network mask.
• prefix-length—Specifies the number of bits that comprise the address prefix. The
prefix is an alternative way of specifying the client network mask. The prefix length
must be preceded by a forward slash (/).
• low low-address—Specifies the first IP address to use in the address range.
• high high-address—Specifies the last IP address to use in the address range.
Default Configuration
DHCP address pools are not configured.
If the low address is not specified, it defaults to the first IP address in the network.
If the high address is not specified, it defaults to the last IP address in the network.
Command Mode
DHCP Pool Network Configuration mode
Example
The following example configures the subnet number and mask for a DHCP address pool on a
DHCP server.
switchxxxxxx(config-dhcp)# address 10.12.1.0 255.255.255.0
13.3 auto-default-router
To enable auto default router, use the auto-default-router command in DHCP Pool Network
Configuration mode or in DHCP Pool Host Configuration mode. To disable auto default
router, use the no form of this command.
Syntax
auto-default-router
no auto-default-router
Parameters
N/A
Command Mode
DHCP Pool Network Configuration mode
DHCP Pool Host Configuration mode
Default Configuration
Enabled.
User Guidelines
If the feature is enabled, the DHCP server returns an IP address defined on the input interface
as a default router when a default router is not configured, in the following case:
• Default router is not configurable.
• DHCP client is directly connected.
• IP Routing is enabled.
• Default router was required by the client.
Example
The following example disables sending of the auto default router.
switchxxxxxx(config-dhcp)# no auto-default-router
13.4 bootfile
To specify the default boot image file name for a DHCP client, use the bootfile command in
DHCP Pool Network Configuration mode or in DHCP Pool Host Configuration mode. To
delete the boot image file name, use the no form of this command.
Syntax
bootfile filename
no bootfile
Parameters
• filename—Specifies the file name used as a boot image. (Length: 1–128 characters).
Command Mode
DHCP Pool Network Configuration mode
DHCP Pool Host Configuration mode
Example
The following example specifies boot_image_file as the default boot image file name for a
DHCP client.
switchxxxxxx(config-dhcp)# bootfile boot_image_file
13.5 clear ip dhcp binding
To delete the dynamic address binding from the DHCP server database, use the clear ip dhcp
binding command in Privileged EXEC mode.
Syntax
clear ip dhcp binding {address | *}
Parameters
• address—Specifies the binding address to delete from the DHCP database.
• *—Clears all dynamic bindings.
Command Mode
Privileged EXEC mode
User Guidelines
Typically, the address supplied denotes the client IP address. If the asterisk (*) character is
specified as the address parameter, DHCP clears all dynamic bindings.
Use the no ip dhcp pool Global Configuration mode command to delete a manual binding.
Example
The following example deletes the address binding 10.12.1.99 from a DHCP server database:
switchxxxxxx# clear ip dhcp binding 10.12.1.99
13.6 client-name
To define the name of a DHCP client, use the client-name command in DHCP Pool Host
Configuration mode. To remove the client name, use the no form of this command.
Syntax
client-name name
no client-name
Parameters
• name—Specifies the client name, using standard ASCII characters. The client name
should not include the domain name. For example, the name Mars should not be
specified as mars.yahoo.com. (Length: 1–32 characters).
Command Mode
DHCP Pool Host Configuration mode
Default Configuration
No client name is defined.
Example
The following example defines the string client1 as the client name.
switchxxxxxx(config-dhcp)# client-name client1
13.7 default-router
To configure the default router list for a DHCP client, use the default-router command in
DHCP Pool Network Configuration mode or in DHCP Pool Host Configuration mode. To
remove the default router list, use the no form of this command.
Syntax
default-router ip-address [ip-address2 ... ip-address8]
no default-router
Parameters
• ip-address [ip-address2 ... ip-address8]—Specifies the IP addresses of default routers.
Up to eight addresses can be specified in one command line.
Command Mode
DHCP Pool Network Configuration mode
DHCP Pool Host Configuration mode
Default Configuration
No default router is defined.
User Guidelines
The router IP address should be on the same subnet as the client subnet.
If the auto-default-router command is configured, the DHCP server returns an IP address
defined on the input interface as a default router when a default router is not configured, in the
following case:
• Default router is not configurable.
• DHCP client is directly connected.
• IP Routing is enabled.
• Default router was required by the client.
Example
The following example specifies 10.12.1.99 as the default router IP address.
switchxxxxxx(config-dhcp)# default-router 10.12.1.99
13.8 dns-server
To configure the Domain Name System (DNS) IP server list available to a DHCP client, use
the dns-server command in DHCP Pool Network Configuration mode or in DHCP Pool Host
Configuration mode. To remove the DNS server list, use the no form of this command.
Syntax
dns-server ip-address [ip-address2 ... ip-address8]
no dns-server
Parameters
• ip-address [ip-address2 ... ip-address8]—Specifies the IP addresses of DNS servers.
Up to eight addresses can be specified in one command line.
Command Mode
DHCP Pool Network Configuration mode
DHCP Pool Host Configuration mode
Default Configuration
No DNS server is defined.
User Guidelines
If DNS IP servers are not configured for a DHCP client, the client cannot correlate host names
to IP addresses.
Example
The following example specifies 10.12.1.99 as the client domain name server IP address.
switchxxxxxx(config-dhcp)# dns-server 10.12.1.99
13.9 domain-name
To specify the domain name for a DHCP client, use the domain-name command in DHCP
Pool Network Configuration mode or in DHCP Pool Host Configuration mode. To remove the
domain name, use the no form of this command.
Syntax
domain-name domain
no domain-name
Parameters
• domain—Specifies the DHCP client domain name string. (Length: 1–32 characters).
Command Mode
DHCP Pool Network Configuration mode
DHCP Pool Host Configuration mode
Default Configuration
No domain name is defined.
Example
The following example specifies yahoo.com as the DHCP client domain name string.
switchxxxxxx(config-dhcp)# domain-name yahoo.com
13.10 ip dhcp excluded-address
To specify IP addresses that a DHCP server must not assign to DHCP clients, use the ip dhcp
excluded-address command in Global Configuration mode. To remove the excluded IP
addresses, use the no form of this command.
Syntax
ip dhcp excluded-address low-address [high-address]
no ip dhcp excluded-address low-address [high-address]
Parameters
• low-address—Specifies the excluded IP address, or first IP address in an excluded
address range.
• high-address—(Optional) Specifies the last IP address in the excluded address range.
Default Configuration
All IP pool addresses are assignable.
Command Mode
Global Configuration mode
User Guidelines
The DHCP server assumes that all pool addresses can be assigned to clients. Use this
command to exclude a single IP address or a range of IP addresses.
Example
The following example configures an excluded IP address range from 172.16.1.100 through
172.16.1.199.
switchxxxxxx(config)# ip dhcp excluded-address 172.16.1.100 172.16.1.199
13.11 ip dhcp pool host
To configure a DHCP static address on a DHCP server and enter the DHCP Pool Host
Configuration mode, use the ip dhcp pool host command in Global Configuration mode. To
remove the address pool, use the no form of this command.
Syntax
ip dhcp pool host name
no ip dhcp pool host name
Parameters
• name—Specifies the DHCP address pool name. It can be either a symbolic string (such
as Engineering) or an integer (such as 8). (Length: 1–32 characters).
Default Configuration
DHCP hosts are not configured.
Command Mode
Global Configuration mode
User Guidelines
During execution of this command, the configuration mode changes to the DHCP Pool
Configuration mode. In this mode, the administrator can configure host parameters, such as
the IP subnet number and default router list.
Example
The following example configures station as the DHCP address pool:
switchxxxxxx(config)# ip dhcp pool host station
switchxxxxxx(config-dhcp)#
13.12 ip dhcp pool network
To configure a DHCP address pool on a DHCP Server and enter DHCP Pool Network
Configuration mode, use the ip dhcp pool network command in Global Configuration mode.
To remove the address pool, use the no form of this command.
Syntax
ip dhcp pool network name
no ip dhcp pool network name
Parameters
• name—Specifies the DHCP address pool name. It can be either a symbolic string (such
as ‘engineering’) or an integer (such as 8). (Length: 1–32 characters).
Default Configuration
DHCP address pools are not configured.
Command Mode
Global Configuration mode
User Guidelines
During execution of this command, the configuration mode changes to DHCP Pool Network
Configuration mode. In this mode, the administrator can configure pool parameters, such as
the IP subnet number and default router list.
Example
The following example configures Pool1 as the DHCP address pool.
switchxxxxxx(config)# ip dhcp pool network Pool1
switchxxxxxx(config-dhcp)#
13.13 ip dhcp server
To enable the DHCP server features on the device, use the ip dhcp server command in Global
Configuration mode. To disable the DHCP server, use the no form of this command.
Syntax
ip dhcp server
no ip dhcp server
Default Configuration
The DHCP server is disabled.
Command Mode
Global Configuration mode
Example
The following example enables the DHCP server on the device:
switchxxxxxx(config)# ip dhcp server
13.14 lease
To configure the time duration of the lease for an IP address that is assigned from a DHCP
server to a DHCP client, use the lease command in DHCP Pool Network Configuration mode.
To restore the default value, use the no form of this command.
Syntax
lease days [hours [minutes]] | infinite
no lease
Parameters
• days—Specifies the number of days in the lease.
• hours—(Optional) Specifies the number of hours in the lease. A days value must be
supplied before configuring an hours value.
• minutes—(Optional) Specifies the number of minutes in the lease. A days value and an
hours value must be supplied before configuring a minutes value.
• infinite—Specifies that the duration of the lease is unlimited.
Default Configuration
The default lease duration is 1 day.
Command Mode
DHCP Pool Network Configuration mode
Examples
The following example shows a 1-day lease.
switchxxxxxx(config-dhcp)# lease 1
The following example shows a one-hour lease.
switchxxxxxx(config-dhcp)# lease 0 1
The following example shows a one-minute lease.
switchxxxxxx(config-dhcp)# lease 0 0 1
The following example shows an infinite (unlimited) lease.
switchxxxxxx(config-dhcp)# lease infinite
13.15 netbios-name-server
To configure the NetBIOS Windows Internet Naming Service (WINS) server list that is
available to Microsoft DHCP clients, use the netbios-name-server command in DHCP Pool
Network Configuration mode or in DHCP Pool Host Configuration mode. To remove the
NetBIOS name server list, use the no form of this command.
Syntax
netbios-name-server ip-address [ip-address2 ... ip-address8]
no netbios-name-server
Parameters
• ip-address [ip-address2 ... ip-address8]—Specifies the IP addresses of NetBIOS
WINS name servers. Up to eight addresses can be specified in one command line.
Command Mode
DHCP Pool Network Configuration mode
DHCP Pool Host Configuration mode
Default Configuration
No NetBIOS name server is defined.
Example
The following example specifies the IP address of a NetBIOS name server available to the
DHCP client.
switchxxxxxx(config-dhcp)# netbios-name-server 10.12.1.90
13.16 netbios-node-type
To configure the NetBIOS node type for Microsoft DHCP clients, use the netbios-node-type
command in DHCP Pool Network Configuration mode or in DHCP Pool Host Configuration
mode. To return to default, use the no form of this command.
Syntax
netbios-node-type {b-node | p-node | m-node | h-node}
no netbios-node-type
Parameters
• b-node—Specifies the Broadcast NetBIOS node type.
• p-node—Specifies the Peer-to-peer NetBIOS node type.
• m-node—Specifies the Mixed NetBIOS node type.
• h-node—Specifies the Hybrid NetBIOS node type.
Command Mode
DHCP Pool Network Configuration mode
DHCP Pool Host Configuration mode
Default Configuration
h-node (Hybrid NetBIOS node type).
Example
The following example specifies the client's NetBIOS type as mixed.
switchxxxxxx(config-dhcp)# netbios-node-type m-node
13.17 next-server
To configure the next server (siaddr) in the boot process of a DHCP client, use the next-server
command in DHCP Pool Network Configuration mode or in DHCP Pool Host Configuration
mode. To remove the next server, use the no form of this command.
Syntax
next-server ip-address
no next-server
Parameters
• ip-address—Specifies the IP address of the next server in the boot process.
Default Configuration
If the next-server command is not used to configure a boot server list, the DHCP server uses
inbound interface helper addresses as boot servers.
Command Mode
DHCP Pool Network Configuration mode
DHCP Pool Host Configuration mode
User Guidelines
The client will connect, using the SCP/TFTP protocol, to this server in order to download the
configuration file.
Example
The following example specifies 10.12.1.99 as the IP address of the next server:
switchxxxxxx(config-dhcp)# next-server 10.12.1.99
13.18 next-server-name
To configure the next server name (sname) in the boot process of a DHCP client, use the
next-server-name command in DHCP Pool Network Configuration mode or in DHCP Pool
Host Configuration mode. To remove the boot server name, use the no form of this command.
Syntax
next-server-name name
no next-server-name
Parameters
• name—Specifies the name of the next server in the boot process. (Length: 1–64
characters).
Command Mode
DHCP Pool Network Configuration mode
DHCP Pool Host Configuration mode
Default Configuration
No next server name is defined.
User Guidelines
The client will connect, using the SCP/TFTP protocol, to this server in order to download the
configuration file.
Example
The following example specifies www.bootserver.com as the name of the next server in the
boot process of a DHCP client.
switchxxxxxx(config-dhcp)# next-server-name www.bootserver.com
13.19 option
To configure the DHCP server options, use the option command in DHCP Pool Network
Configuration mode or in DHCP Pool Host Configuration mode. To remove the options, use
the no form of this command.
Syntax
option code {boolean {false | true} | integer value | ascii string | hex {string | none} | ip
{address} | ip-list {ip-address1 [ip-address2 …]}} [description text]
no option code
Parameters
• code—Specifies the DHCP option code. The supported values are defined in the User
Guidelines.
• boolean {false | true}—Specifies a boolean value. The values are coded by integer
values of one octet: 0 = false and 1 = true.
• integer value—Specifies an integer value. The option size depends on the option code.
• ascii string—Specifies a network virtual terminal (NVT) ASCII character string.
ASCII character strings that contain white spaces must be delimited by quotation
marks. The ASCII value is truncated to the first 160 characters entered.
• ip address—Specifies an IP address.
• ip-list {ip-address1 [ip-address2 ...]}—Specifies up to 8 IP addresses.
• hex string—Specifies dotted hexadecimal data. The hexadecimal value is truncated to
the first 320 characters entered. Each byte in hexadecimal character strings is two
hexadecimal digits. Each byte can be separated by a period, colon, or white space.
• hex none—Specifies the zero-length hexadecimal string.
• description text—User description
Command Mode
DHCP Pool Network Configuration mode
DHCP Pool Host Configuration mode
User Guidelines
The option command enables defining any option that cannot be defined by other special CLI
commands. A new definition of an option overrides the previous definition of this option.
The boolean keyword may be configured for the following options: 19, 20, 27, 29-31, 34, 36,
and 39.
The integer keyword may be configured for the following options: 2, 13, 22-26, 35, 37-38,
132-134, and 211. The switch checks the value range and builds the value field of the size in
accordance with the option definition.
The ascii keyword may be configured for the following options: 14, 17-18, 40, 64, 130, 209,
and 210.
The ip keyword may be configured for the following options: 16, 28, 32, 128-129, 131, 135,
and 136.
The ip-list keyword may be configured for the following options: 5, 7-11, 33, 41, 42, 45, 48,
49, 65, 68-76, and 150.
The hex keyword may be configured for any option in the range 1-254 except for the
following: 1, 3-4, 6, 12, 15, 44, 46, 50-51, 53-54, 56, 66-67, 82, and 255. The switch does not
validate the syntax of an option defined by this format.
Examples
Example 1. The following example configures DHCP option 19, which specifies whether the
client should configure its IP layer for packet forwarding:
switchxxxxxx(config-dhcp)# option 19 boolean true description "IP Forwarding Enable/Disable Option"
Example 2. The following example configures DHCP option 2, which specifies the offset of
the client in seconds from Coordinated Universal Time (UTC):
switchxxxxxx(config-dhcp)# option 2 integer 3600
Example 3. The following example configures DHCP option 72, which specifies the World
Wide Web servers for DHCP clients. World Wide Web servers 172.16.3.252 and 172.16.3.253
are configured in the following example:
switchxxxxxx(config-dhcp)# option 72 ip-list 172.16.3.252 172.16.3.253
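A pre-deployment check for option lines, built from the keyword and code lists in the User Guidelines above. This is an added example, not Cisco code: lint_option, lint_config and the sample lines are hypothetical names and constructed input. The warning about using hex where a checked keyword exists is an assumed review policy, and the 320-character limit is assumed to count separators.

```python
import ipaddress
import re
import shlex


def _codes(spec):
    """Expand a list such as '19, 20, 29-31' into a set of integers."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


# Option codes accepted by each keyword, transcribed from the User Guidelines.
TYPED = {
    "boolean": _codes("19, 20, 27, 29-31, 34, 36, 39"),
    "integer": _codes("2, 13, 22-26, 35, 37-38, 132-134, 211"),
    "ascii": _codes("14, 17-18, 40, 64, 130, 209, 210"),
    "ip": _codes("16, 28, 32, 128-129, 131, 135, 136"),
    "ip-list": _codes("5, 7-11, 33, 41, 42, 45, 48, 49, 65, 68-76, 150"),
}
HEX_EXCLUDED = _codes("1, 3-4, 6, 12, 15, 44, 46, 50-51, 53-54, 56, 66-67, 82, 255")
HEX_ALLOWED = set(range(1, 255)) - HEX_EXCLUDED


def _is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def lint_option(line):
    """Return the findings for one 'option ...' line; an empty list means clean."""
    try:
        tokens = shlex.split(line)  # honours quotation marks around strings
    except ValueError as exc:
        return [f"unparseable line: {exc}"]
    if len(tokens) < 3 or tokens[0] != "option" or not tokens[1].isdigit():
        return ["not an 'option code keyword value' line"]
    if "description" in tokens[4:]:  # drop the optional trailing description
        tokens = tokens[: tokens.index("description", 4)]
    code, keyword, values = int(tokens[1]), tokens[2], tokens[3:]
    allowed = HEX_ALLOWED if keyword == "hex" else TYPED.get(keyword)
    if allowed is None:
        return [f"unknown keyword '{keyword}'"]
    found = [] if code in allowed else [f"option {code} cannot be configured with '{keyword}'"]
    if not values:
        return found + ["missing value"]
    if keyword == "boolean" and values not in (["true"], ["false"]):
        found.append("boolean must be true or false")
    elif keyword == "integer" and not (len(values) == 1 and re.fullmatch(r"-?\d+", values[0])):
        found.append("integer must be a single whole number")
    elif keyword == "ascii":
        if len(values) > 1:
            found.append("string with white space must be in quotation marks")
        elif len(values[0]) > 160:
            found.append("string is truncated to the first 160 characters")
    elif keyword == "ip" and not (len(values) == 1 and _is_ipv4(values[0])):
        found.append("ip must be a single IPv4 address")
    elif keyword == "ip-list":
        if len(values) > 8:
            found.append("ip-list accepts at most 8 addresses")
        found += [f"'{v}' is not an IPv4 address" for v in values if not _is_ipv4(v)]
    elif keyword == "hex":
        entered = " ".join(values)
        digits = re.sub(r"[.:\s]", "", entered)  # period, colon or white space
        if entered != "none" and (len(digits) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", digits)):
            found.append("hex must be whole bytes of two hex digits each")
        if len(entered) > 320:  # assumption: separators count toward the limit
            found.append("hex is truncated to the first 320 characters")
        typed = sorted(k for k, codes in TYPED.items() if code in codes)
        if typed:  # assumed review policy: the switch does not syntax-check hex
            found.append(f"option {code} has a checked '{typed[0]}' form; prefer it to hex")
    return found


def lint_config(text):
    """Lint every 'option' line of a pool configuration; return {line: findings}."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip().startswith("option ")]
    return {ln: found for ln in lines if (found := lint_option(ln))}


# Constructed sample: the first three lines are the examples from this section.
SAMPLE = """\
option 19 boolean true description "IP Forwarding Enable/Disable Option"
option 2 integer 3600
option 72 ip-list 172.16.3.252 172.16.3.253
option 19 integer 1
option 82 hex 0102
option 43 hex 01.02:0a ff
option 19 hex 01
"""

if __name__ == "__main__":
    print(lint_config(SAMPLE))
```

Because the switch does not validate options entered with the hex keyword, a check of this kind is the only place a malformed hex payload is caught before clients receive it.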
13.20 show ip dhcp
To display the DHCP configuration, use the show ip dhcp command in User EXEC mode.
Syntax
show ip dhcp
Command Mode
User EXEC mode
Example
The following example displays the DHCP configuration.
switchxxxxxx# show ip dhcp
DHCP server is enabled.
13.21 show ip dhcp allocated
To display the allocated address or all the allocated addresses on the DHCP server, use the
show ip dhcp allocated command in User EXEC mode.
Syntax
show ip dhcp allocated [ip-address]
Parameters
• ip-address—(Optional) Specifies the IP address.
Command Mode
User EXEC mode
Example
The following example displays the output of various forms of this command:
switchxxxxxx# show ip dhcp allocated
DHCP server enabled
The number of allocated entries is 3
IP address    Hardware address  Lease expiration      Type
----------    ----------------  --------------------  ---------
172.16.1.11   00a0.9802.32de    Feb 01 1998 12:00 AM  Dynamic
172.16.3.253  02c7.f800.0422    Infinite              Automatic
172.16.3.254  02c7.f800.0422    Infinite              Static
switchxxxxxx# show ip dhcp allocated 172.16.1.11
DHCP server enabled
The number of allocated entries is 2
IP address    Hardware address  Lease expiration      Type
----------    ----------------  --------------------  --------
172.16.1.11   00a0.9802.32de    Feb 01 1998 12:00 AM  Dynamic
switchxxxxxx# show ip dhcp allocated 172.16.3.254
DHCP server enabled
The number of allocated entries is 2
IP address    Hardware address  Lease expiration      Type
----------    ----------------  --------------------  -------
172.16.3.254  02c7.f800.0422    Infinite              Static
The following table describes the significant fields shown in the display.
Field             Description
IP address        The host IP address as recorded on the DHCP Server.
Hardware address  The MAC address or client identifier of the host as recorded on the DHCP Server.
Lease expiration  The lease expiration date of the host IP address.
Type              The manner in which the IP address was assigned to the host.
13.22 show ip dhcp binding
To display the specific address binding or all the address bindings on the DHCP server, use the
show ip dhcp binding command in User EXEC mode.
Syntax
show ip dhcp binding [ip-address]
Parameters
• ip-address—(Optional) Specifies the IP address.
Command Mode
User EXEC mode
Examples
The following examples display the DHCP server binding address parameters.
switchxxxxxx# show ip dhcp binding
DHCP server enabled
The number of used (all types) entries is 6
The number of pre-allocated entries is 1
The number of allocated entries is 1
The number of expired entries is 1
The number of declined entries is 2
The number of static entries is 1
The number of dynamic entries is 2
The number of automatic entries is 1
IP address  Client Identifier  Lease Expiration      Type     State
----------  -----------------  --------------------  -------  -------------
1.16.1.11   00a0.9802.32de     Feb 01 1998 12:00AM   dynamic  allocated
1.16.3.23   02c7.f801.0422                           dynamic  expired
1.16.3.24   02c7.f802.0422                           dynamic  declined
1.16.3.25   02c7.f803.0422                           dynamic  pre-allocated
1.16.3.26   02c7.f804.0422                           dynamic  declined
switchxxxxxx# show ip dhcp binding 1.16.1.11
DHCP server enabled
IP address  Client Identifier  Lease Expiration      Type     State
----------  -----------------  --------------------  -------  ---------
1.16.1.11   00a0.9802.32de     Feb 01 1998 12:00 AM  dynamic  allocated
switchxxxxxx# show ip dhcp binding 1.16.3.24
IP address  Client Identifier  Lease Expiration      Type     State
----------  -----------------  --------------------  -------  ---------
1.16.3.24   02c7.f802.0422                           dynamic  declined
The following table describes the significant fields shown in the display.
Field              Description
IP address         The host IP address as recorded on the DHCP Server.
Client Identifier  The MAC address or client identifier of the host as recorded on the DHCP Server.
Lease expiration   The lease expiration date of the host IP address.
Type               The manner in which the IP address was assigned to the host.
State              The IP Address state.
13.23 show ip dhcp declined
To display the specific declined address or all of the declined addresses on the DHCP server,
use the show ip dhcp declined command in User EXEC mode.
Syntax
show ip dhcp declined [ip-address]
Parameters
• ip-address—(Optional) Specifies the IP address.
Command Mode
User EXEC mode
Example
The following example displays the output of various forms of this command:
switchxxxxxx# show ip dhcp declined
DHCP server enabled
The number of declined entries is 2
IP address    Hardware address
172.16.1.11   00a0.9802.32de
172.16.3.254  02c7.f800.0422
switchxxxxxx# show ip dhcp declined 172.16.1.11
DHCP server enabled
The number of declined entries is 2
IP address    Hardware address
172.16.1.11   00a0.9802.32de
13.24 show ip dhcp excluded-addresses
To display the excluded addresses, use the show ip dhcp excluded-addresses command in
User EXEC mode.
Syntax
show ip dhcp excluded-addresses
Command Mode
User EXEC mode
Example
The following example displays excluded addresses.
switchxxxxxx# show ip dhcp excluded-addresses
The number of excluded addresses ranges is 2
Excluded addresses:
10.1.1.212- 10.1.1.219, 10.1.2.212- 10.1.2.219
13.25 show ip dhcp expired
To display the specific expired address or all of the expired addresses on the DHCP server, use
the show ip dhcp expired command in User EXEC mode.
Syntax
show ip dhcp expired [ip-address]
Parameters
• ip-address—(Optional) Specifies the IP address.
Command Mode
User EXEC mode
Example
switchxxxxxx# show ip dhcp expired
DHCP server enabled
The number of expired entries is 1
IP address    Hardware address
172.16.1.11   00a0.9802.32de
172.16.3.254  02c7.f800.0422
switchxxxxxx# show ip dhcp expired 172.16.1.11
DHCP server enabled
The number of expired entries is 1
IP address    Hardware address
172.16.1.13   00a0.9802.32de
13.26 show ip dhcp pool host
To display the DHCP pool host configuration, use the show ip dhcp pool host command in
User EXEC mode.
Syntax
show ip dhcp pool host [address | name]
Parameters
• address—(Optional) Specifies the client IP address.
• name—(Optional) Specifies the DHCP pool name. (Length: 1-32 characters)
Command Mode
User EXEC mode
Examples
Example 1. The following example displays the configuration of all DHCP host pools:
switchxxxxxx# show ip dhcp pool host
The number of host pools is 1
Name        IP Address   Hardware Address  Client Identifier
----------  ----------   ----------------  -----------------
station     172.16.1.11                    01b7.0813.8811.66
Example 2. The following example displays the DHCP pool host configuration of the pool
named station:
switchxxxxxx# show ip dhcp pool host station
Name        IP Address   Hardware Address  Client Identifier
----------  ----------   ----------------  -----------------
station     172.16.1.11                    01b7.0813.8811.66
Mask: 255.255.0.0
Auto Default router: enabled
Default router: 172.16.1.1
Client name: client1
DNS server: 10.12.1.99
Domain name: yahoo.com
NetBIOS name server: 10.12.1.90
NetBIOS node type: h-node
Next server: 10.12.1.99
Next-server-name: 10.12.1.100
Bootfile: Bootfile
Time server 10.12.1.99
Options:
Code  Type     Len  Value                Description
---   -------  ---  ----------------     --------------------------------
2     integer  4    3600
14    ascii    16   qq/aaaa/bbb.txt
19    boolean  1    false                "IP Forwarding Enable/Disable Option"
21    ip       4    134.14.14.1
31    ip-list  8    1.1.1.1, 12.23.45.2
47    hex      5    02af00aa00
13.27 show ip dhcp pool network
To display the DHCP network configuration, use the show ip dhcp pool network command in
User EXEC mode.
Syntax
show ip dhcp pool network [name]
Parameters
• name—(Optional) Specifies the DHCP pool name. (Length: 1-32 characters).
Command Mode
User EXEC mode
Examples
Example 1—The following example displays configuration of all DHCP network pools:
switchxxxxxx# show ip dhcp pool network
The number of network pools is 2
Name       Address range         mask           Lease
---------  --------------------  -------------  ---------
marketing  10.1.1.17-10.1.1.178  255.255.255.0  0d:12h:0m
finance    10.1.2.8-10.1.2.178   255.255.255.0  0d:12h:0m
Example 2—The following example displays configuration of the DHCP network pool
marketing:
switchxxxxxx# show ip dhcp pool network marketing
Name       Address range         mask           Lease
---------  --------------------  -------------  ---------
marketing  10.1.1.17-10.1.1.178  255.255.255.0  0d:12h:0m
Statistics:
All-range   Available  Free   Pre-allocated  Allocated  Expired    Declined
----------  ---------  -----  -------------  ---------  ---------  --------
162         150        68     50             20         3          9
Auto Default router: enabled
Default router: 10.1.1.1
DNS server: 10.12.1.99
Domain name: yahoo.com
NetBIOS name server: 10.12.1.90
NetBIOS node type: h-node
Next server: 10.12.1.99
Next-server-name: 10.12.1.100
Bootfile: Bootfile
Time server 10.12.1.99
Options:
Code  Type     Len  Value                 Description
---   -------  ---  --------------------  --------------------------------
2     integer  4    3600
14    ascii    16   qq/aaaa/bbb.txt
19    boolean  1    false                 "IP Forwarding Enable/Disable Option"
21    ip       4    134.14.14.1
31    ip-list  8    1.1.1.1, 12.23.45.2
47    hex      5    02af00aa00
13.28 show ip dhcp pre-allocated
To display the specific pre-allocated address or all the pre-allocated addresses on the DHCP
server, use the show ip dhcp pre-allocated command in User EXEC mode.
Syntax
show ip dhcp pre-allocated [ip-address]
Parameters
• ip-address—(Optional) Specifies the IP address.
Command Mode
User EXEC mode
Examples
switchxxxxxx# show ip dhcp pre-allocated
DHCP server enabled
The number of pre-allocated entries is 1
IP address    Hardware address
172.16.1.11   00a0.9802.32de
172.16.3.254  02c7.f800.0422
switchxxxxxx# show ip dhcp pre-allocated 172.16.1.11
DHCP server enabled
The number of pre-allocated entries is 1
IP address    Hardware address
172.16.1.15   00a0.9802.32de
13.29 show ip dhcp server statistics
To display DHCP server statistics, use the show ip dhcp server statistics command in User
EXEC mode.
Syntax
show ip dhcp server statistics
Command Mode
User EXEC mode
Example
The following example displays DHCP server statistics.
switchxxxxxx# show ip dhcp server statistics
DHCP server enabled
The number of network pools is 7
The number of excluded pools is 2
The number of used (all types) entries is 7
The number of pre-allocated entries is 1
The number of allocated entries is 3
The number of expired entries is 1
The number of declined entries is 2
The number of static entries is 1
The number of dynamic entries is 2
The number of automatic entries is 1
13.30 time-server
To specify the time servers list for a DHCP client, use the time-server command in DHCP
Pool Network Configuration mode or in DHCP Pool Host Configuration mode. To remove the
time servers list, use the no form of this command.
Syntax
time-server ip-address [ip-address2 ... ip-address8]
no time-server
Parameters
• ip-address [ip-address2 ... ip-address8]—Specifies the IP addresses of Time servers.
Up to eight addresses can be specified in one command line.
Command Mode
DHCP Pool Network Configuration mode
DHCP Pool Host Configuration mode
Default Configuration
No time server is defined.
User Guidelines
The time server’s IP address should be on the same subnet as the client subnet.
Example
The following example specifies 10.12.1.99 as the time server IP address.
switchxxxxxx(config-dhcp)# time-server 10.12.1.99
14 DHCP Snooping Commands
14.1 ip dhcp snooping
Use the ip dhcp snooping Global Configuration mode command to enable Dynamic Host
Configuration Protocol (DHCP) Snooping globally. Use the no form of this command to
restore the default configuration.
Syntax
ip dhcp snooping
no ip dhcp snooping
Parameters
N/A
Default Configuration
DHCP snooping is disabled.
Command Mode
Global Configuration mode
User Guidelines
For any DHCP Snooping configuration to take effect, DHCP Snooping must be enabled
globally. DHCP Snooping is not active on a VLAN until it is enabled on that VLAN
by using the ip dhcp snooping vlan Global Configuration mode command.
Example
The following example enables DHCP Snooping on the device.
switchxxxxxx(config)# ip dhcp snooping
14.2 ip dhcp snooping vlan
Use the ip dhcp snooping vlan Global Configuration mode command to enable DHCP
Snooping on a VLAN. Use the no form of this command to disable DHCP Snooping on a
VLAN.
Syntax
ip dhcp snooping vlan vlan-id
no ip dhcp snooping vlan vlan-id
Parameters
• vlan-id—Specifies the VLAN ID.
Default Configuration
DHCP Snooping on a VLAN is disabled.
Command Mode
Global Configuration mode
User Guidelines
DHCP Snooping must be enabled globally before enabling DHCP Snooping on a VLAN.
Example
The following example enables DHCP Snooping on VLAN 21.
switchxxxxxx(config)# ip dhcp snooping vlan 21
14.3 ip dhcp snooping trust
Use the ip dhcp snooping trust Interface Configuration (Ethernet, Port-channel) mode
command to configure a port as trusted for DHCP snooping purposes. Use the no form of this
command to restore the default configuration.
Syntax
ip dhcp snooping trust
no ip dhcp snooping trust
Parameters
N/A
Default Configuration
The interface is untrusted.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
Configure as trusted the ports that are connected to a DHCP server or to other switches or
routers. Configure the ports that are connected to DHCP clients as untrusted.
Example
The following example configures te1/0/4 as trusted for DHCP Snooping.
switchxxxxxx(config)# interface te1/0/4
switchxxxxxx(config-if)# ip dhcp snooping trust
14.4 ip dhcp snooping information option allowed-untrusted
Use the ip dhcp snooping information option allowed-untrusted Global Configuration
mode command to allow a device to accept DHCP packets with option-82 information from an
untrusted port. Use the no form of this command to drop these packets from an untrusted port.
Syntax
ip dhcp snooping information option allowed-untrusted
no ip dhcp snooping information option allowed-untrusted
Parameters
N/A
Default Configuration
DHCP packets with option-82 information from an untrusted port are discarded.
Command Mode
Global Configuration mode
Example
The following example allows a device to accept DHCP packets with option-82 information
from an untrusted port.
switchxxxxxx(config)# ip dhcp snooping information option allowed-untrusted
14.5 ip dhcp snooping verify
Use the ip dhcp snooping verify Global Configuration mode command to configure a device
to verify that the source MAC address in a DHCP packet received on an untrusted port
matches the client hardware address. Use the no form of this command to disable MAC
address verification in a DHCP packet received on an untrusted port.
Syntax
ip dhcp snooping verify
no ip dhcp snooping verify
Default Configuration
The switch verifies that the source MAC address in a DHCP packet received on an untrusted
port matches the client hardware address in the packet.
Command Mode
Global Configuration mode
Example
The following example configures a device to verify that the source MAC address in a DHCP
packet received on an untrusted port matches the client hardware address.
switchxxxxxx(config)# ip dhcp snooping verify
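The two untrusted-port checks described in 14.4 and 14.5, modelled in Python as an added example (it is not Cisco's code). It takes the Ethernet source MAC and the DHCP UDP payload of a received packet; the function names and sample packets are constructed for illustration.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options field
OPT_PAD, OPT_RELAY_AGENT_INFO, OPT_END = 0, 82, 255


def build_dhcp(chaddr: bytes, options: bytes) -> bytes:
    """Build a client BOOTREQUEST UDP payload (constructed test input)."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, len(chaddr), 0,                      # op, htype=Ethernet, hlen, hops
        0x12345678, 0, 0,                          # xid, secs, flags
        bytes(4), bytes(4), bytes(4), bytes(4),    # ciaddr, yiaddr, siaddr, giaddr
        chaddr, b"", b"")                          # chaddr (padded to 16), sname, file
    return fixed + MAGIC_COOKIE + options


def option_codes(payload: bytes) -> list:
    """Return the option codes in order; raise ValueError if the payload is malformed."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    codes, i = [], 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:                        # single-byte option, no length
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        codes.append(code)
        i += 2 + payload[i + 1]                    # skip code, length and value
    return codes


def check_untrusted(eth_src: bytes, payload: bytes,
                    verify: bool = True, allow_opt82: bool = False):
    """Decide ('forward' | 'drop', reason) for a DHCP packet from an untrusted port.

    Defaults mirror the documented defaults: MAC verification on,
    option-82 packets from untrusted ports discarded.
    """
    try:
        codes = option_codes(payload)
    except ValueError as exc:
        return "drop", str(exc)
    hlen = payload[2]
    if hlen > 16:
        return "drop", "invalid hardware address length"
    chaddr = payload[28:28 + hlen]                 # client hardware address field
    if verify and chaddr != eth_src:
        return "drop", "source MAC does not match client hardware address"
    if OPT_RELAY_AGENT_INFO in codes and not allow_opt82:
        return "drop", "option 82 on untrusted port"
    return "forward", ""


# Constructed samples: a DISCOVER, and the same with a relay agent option added.
CLIENT = bytes.fromhex("0060704c73ff")
OTHER = bytes.fromhex("0060704c7bc1")
DISCOVER = b"\x35\x01\x01\xff"
DISCOVER_OPT82 = b"\x35\x01\x01\x52\x06\x01\x04\x00\x15\x01\x04\xff"

if __name__ == "__main__":
    for src, opts in ((CLIENT, DISCOVER), (OTHER, DISCOVER), (CLIENT, DISCOVER_OPT82)):
        print(src.hex(), check_untrusted(src, build_dhcp(CLIENT, opts)))
```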
14.6 ip dhcp snooping database
Use the ip dhcp snooping database Global Configuration mode command to enable the
DHCP Snooping binding database file. Use the no form of this command to delete the DHCP
Snooping binding database file.
Syntax
ip dhcp snooping database
no ip dhcp snooping database
Parameters
N/A
Default Configuration
The DHCP Snooping binding database file is not defined.
Command Mode
Global Configuration mode
User Guidelines
The DHCP Snooping binding database file resides on Flash.
To ensure that the lease time in the database is accurate, the Simple Network Time Protocol
(SNTP) must be enabled and configured.
The device writes binding changes to the binding database file only if the device system clock
is synchronized with SNTP.
Example
The following example enables the DHCP Snooping binding database file.
switchxxxxxx(config)# ip dhcp snooping database
14.7 ip dhcp snooping binding
Use the ip dhcp snooping binding Privileged EXEC mode command to configure the DHCP
Snooping binding database and add dynamic binding entries to the database. Use the no form
of this command to delete entries from the binding database.
Syntax
ip dhcp snooping binding mac-address vlan-id ip-address interface-id expiry {seconds | infinite}
no ip dhcp snooping binding mac-address vlan-id
Parameters
• mac-address—Specifies a MAC address.
• vlan-id—Specifies a VLAN number.
• ip-address—Specifies an IP address.
• interface-id—Specifies an interface ID. The interface ID can be one of the following
types: Ethernet port or Port-channel.
• expiry
  - seconds—Specifies the time interval, in seconds, after which the binding entry is
    no longer valid. (Range: 10–4294967294).
  - infinite—Specifies infinite lease time.
Default Configuration
No static binding exists.
Command Mode
Privileged EXEC mode
User Guidelines
Use the ip dhcp snooping binding command to manually add a dynamic entry to the DHCP
database.
After entering this command, an entry is added to the DHCP Snooping database. If the DHCP
Snooping binding file exists, the entry is also added to that file.
The entry is not added to the configuration files. It is displayed in the
show commands as a “DHCP Snooping” entry.
An entry added by this command can override an existing dynamic entry.
An entry added by this command cannot override an existing static entry added by the ip
source-guard binding command.
Use the no ip dhcp snooping binding command to manually delete a dynamic entry from the
DHCP database.
Dynamic temporary entries for which the IP address is 0.0.0.0 cannot be deleted.
Example
The following example adds a binding entry to the DHCP Snooping binding database.
switchxxxxxx# ip dhcp snooping binding 0060.704C.73FF 23 176.10.1.1 te1/0/4 expiry 900
14.8 clear ip dhcp snooping database
Use the clear ip dhcp snooping database Privileged EXEC mode command to clear the
DHCP Snooping binding database.
Syntax
clear ip dhcp snooping database
Parameters
N/A
Command Mode
Privileged EXEC mode
Example
The following example clears the DHCP Snooping binding database.
switchxxxxxx# clear ip dhcp snooping database
14.9 show ip dhcp snooping
Use the show ip dhcp snooping EXEC mode command to display the DHCP snooping
configuration for all interfaces or for a specific interface.
Syntax
show ip dhcp snooping [interface-id]
Parameters
• interface-id—Specifies an interface ID. The interface ID can be one of the following
types: Ethernet port or Port-channel.
Command Mode
User EXEC mode
Example
The following example displays the DHCP snooping configuration.
switchxxxxxx# show ip dhcp snooping
DHCP snooping is Enabled
DHCP snooping is configured on following VLANs: 21
DHCP snooping database is Enabled
Relay agent Information option 82 is Enabled
Option 82 on untrusted port is allowed
Verification of hwaddr field is Enabled
DHCP snooping file update frequency is configured to: 6666 seconds
Interface  Trusted
---------  -------
te1/0/1    Yes
te1/0/2    Yes
14.10 show ip dhcp snooping binding
Use the show ip dhcp snooping binding User EXEC mode command to display the DHCP
Snooping binding database and configuration information for all interfaces or for a specific
interface.
Syntax
show ip dhcp snooping binding [mac-address mac-address] [ip-address ip-address] [vlan vlan-id] [interface-id]
Parameters
• mac-address mac-address—Specifies a MAC address.
• ip-address ip-address—Specifies an IP address.
• vlan vlan-id—Specifies a VLAN ID.
• interface-id—Specifies an interface ID. The interface ID can be one of the following
types: Ethernet port or Port-channel.
Command Mode
User EXEC mode
Example
The following example displays the DHCP snooping binding database and configuration
information for all interfaces on a device.
switchxxxxxx# show ip dhcp snooping binding
Update frequency: 1200
Total number of binding: 2
Mac Address     IP Address  Lease (sec)  Type      VLAN  Interface
--------------  ----------  -----------  --------  ----  ---------
0060.704C.73FF  10.1.8.1    7983         snooping  3     te1/0/1
0060.704C.7BC1  10.1.8.2    92332        snooping  3     te1/0/2
14.11 ip source-guard
Use the ip source-guard command in Configuration mode to enable IP Source Guard
globally on a device, or in Interface Configuration (Ethernet, Port-channel) mode
to enable IP Source Guard on an interface.
Use the no form of this command to disable IP Source Guard on the device or on an interface.
Syntax
ip source-guard
no ip source-guard
Parameters
N/A
Default Configuration
IP Source Guard is disabled.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
IP Source Guard must be enabled globally before enabling IP Source Guard on an interface.
IP Source Guard is active only on DHCP snooping untrusted interfaces, and only if DHCP
snooping is enabled on at least one of the interface's VLANs.
Example
The following example enables IP Source Guard on te1/0/4.
switchxxxxxx(config)# interface te1/0/4
switchxxxxxx(config-if)# ip source-guard
14.12 ip source-guard binding
Use the ip source-guard binding Global Configuration mode command to configure the static
IP source bindings on the device. Use the no form of this command to delete the static
bindings.
Syntax
ip source-guard binding mac-address vlan-id ip-address interface-id
no ip source-guard binding mac-address vlan-id
Parameters
• mac-address—Specifies a MAC address.
• vlan-id—Specifies a VLAN number.
• ip-address—Specifies an IP address.
• interface-id—Specifies an interface ID. The interface ID can be one of the following
types: Ethernet port or Port-channel.
Default Configuration
No static binding exists.
Command Mode
Global Configuration mode
User Guidelines
Use the ip source-guard binding command to add a static entry to the DHCP database.
An entry added by this command can override an existing entry.
Use the no ip source-guard binding command to delete an entry from the DHCP database.
Example
The following example configures the static IP source bindings.
switchxxxxxx(config)# ip source-guard binding 0060.704C.73FF 23 176.10.1.1 te1/0/4
14.13 ip source-guard tcam retries-freq
Use the ip source-guard tcam retries-freq Global Configuration mode command to set the
frequency of retries for TCAM resources for inactive IP Source Guard addresses. Use the no
form of this command to restore the default configuration.
Syntax
ip source-guard tcam retries-freq {seconds | never}
no ip source-guard tcam retries-freq
Parameters
• seconds—Specifies the retries frequency in seconds. (Range: 10–600)
• never—Disables automatic searching for TCAM resources.
Default Configuration
The default retries frequency is 60 seconds.
Command Mode
Global Configuration mode
User Guidelines
Since the IP Source Guard uses the Ternary Content Addressable Memory (TCAM) resources,
there may be situations when IP Source Guard addresses are inactive because of a lack of
TCAM resources.
By default, once every minute the software conducts a search for available space in the TCAM
for the inactive IP Source Guard addresses. Use this command to change the search frequency
or to disable automatic retries for TCAM space.
The ip source-guard tcam locate command manually retries locating TCAM resources for
the inactive IP Source Guard addresses.
The show ip source-guard inactive EXEC mode command displays the inactive IP Source
Guard addresses.
Example
The following example sets the frequency of retries for TCAM resources to 2 minutes.
switchxxxxxx(config)# ip source-guard tcam retries-freq 120
14.14 ip source-guard tcam locate
Use the ip source-guard tcam locate Privileged EXEC mode command to manually retry to
locate TCAM resources for inactive IP Source Guard addresses.
Syntax
ip source-guard tcam locate
Parameters
N/A
Command Mode
Privileged EXEC mode
User Guidelines
Since the IP Source Guard uses the Ternary Content Addressable Memory (TCAM) resources,
there may be situations when IP Source Guard addresses are inactive because of a lack of
TCAM resources.
By default, once every 60 seconds the software conducts a search for available space in the
TCAM for the inactive IP Source Guard addresses.
Execute the ip source-guard tcam retries-freq command with the never keyword to disable
automatic retries for TCAM space, and then execute this command to manually retry locating
TCAM resources for the inactive IP Source Guard addresses.
The show ip source-guard inactive EXEC mode command displays the inactive IP source
guard addresses.
Example
The following example manually retries to locate TCAM resources.
switchxxxxxx# ip source-guard tcam locate
14.15 show ip source-guard configuration
Use the show ip source-guard configuration EXEC mode command to display the IP source
guard configuration for all interfaces or for a specific interface.
Syntax
show ip source-guard configuration [interface-id]
Parameters
• interface-id—Specifies an interface ID. The interface ID can be one of the following
types: Ethernet port or Port-channel.
Command Mode
User EXEC mode
Example
The following example displays the IP Source Guard configuration.
switchxxxxxx# show ip source-guard configuration
IP source guard is globally enabled.
Interface  State
---------  -------
te1/0/1    Enabled
te1/0/2    Enabled
te1/0/3    Enabled
te1/0/4    Enabled
14.16 show ip source-guard status
Use the show ip source-guard status EXEC mode command to display the IP Source Guard
status.
Syntax
show ip source-guard status [mac-address mac-address] [ip-address ip-address] [vlan vlan-id] [interface-id]
Parameters
• mac-address mac-address—Specifies a MAC address.
• ip-address ip-address—Specifies an IP address.
• vlan vlan-id—Specifies a VLAN ID.
• interface-id—Specifies an interface ID. The interface ID can be one of the following
types: Ethernet port or Port-channel.
Command Mode
User EXEC mode
Example
The following examples display the IP Source Guard status.
switchxxxxxx# show ip source-guard status
IP source guard is globally enabled.
Interface  Filter  Status    IP Address  MAC Address     VLAN  Type
---------  ------  --------  ----------  --------------  ----  ------
te1/0/1    IP      Active    10.1.8.1    0060.704C.73FF  3     DHCP
te1/0/2    IP      Active    10.1.8.2    0060.704C.7BC1  3     Static
te1/0/3    IP      Active    Deny all    0060.704C.7BC3  4     DHCP
te1/0/4    IP      Inactive
14.17 show ip source-guard inactive
Use the show ip source-guard inactive EXEC mode command to display the IP Source
Guard inactive addresses.
Syntax
show ip source-guard inactive
Parameters
N/A
Command Mode
User EXEC mode
User Guidelines
Since the IP Source Guard uses the Ternary Content Addressable Memory (TCAM) resources,
there may be situations when IP Source Guard addresses are inactive because of a lack of
TCAM resources.
By default, once every minute the software conducts a search for available space in the TCAM
for the inactive IP Source Guard addresses.
Use the ip source-guard tcam retries-freq command to change the retry frequency or to
disable automatic retries for TCAM space.
Use the ip source-guard tcam locate command to manually retry locating TCAM resources
for the inactive IP Source Guard addresses.
This command displays the inactive IP source guard addresses.
Example
The following example displays the IP source guard inactive addresses.
switchxxxxxx# show ip source-guard inactive
TCAM resources search frequency: 60 seconds
Interface  Filter  IP Address  MAC Address     VLAN  Type  Reason
---------  ------  ----------  --------------  ----  ----  ----------------
te1/0/2    IP      10.1.8.32   0060.704C.83FF  3     DHCP  Resource Problem
te1/0/3    IP                                              Trust port
te1/0/4    IP
14.18 show ip source-guard statistics
Use the show ip source-guard statistics EXEC mode command to display the Source Guard
dynamic information (permitted stations).
Syntax
show ip source-guard statistics [vlan vlan-id]
Parameters
• vlan-id—Display the statistics on this VLAN.
Command Mode
User EXEC mode
Example
switchxxxxxx# show ip source-guard statistics
VLAN  Statically Permitted Stations  DHCP Snooping Permitted Stations
----  -----------------------------  --------------------------------
2     2                              3
14.19 ip arp inspection
Use the ip arp inspection Global Configuration mode command to enable Address
Resolution Protocol (ARP) inspection globally. Use the no form of this command to disable ARP
inspection.
Syntax
ip arp inspection
no ip arp inspection
Parameters
N/A
Default Configuration
ARP inspection is disabled.
Command Mode
Global Configuration mode
User Guidelines
Note that if a port is configured as an untrusted port, then it should also be configured as an
untrusted port for DHCP Snooping, or the IP-address-MAC-address binding for this port
should be configured statically. Otherwise, hosts that are attached to this port cannot respond
to ARPs.
Example
The following example enables ARP inspection on the device.
switchxxxxxx(config)# ip arp inspection
14.20 ip arp inspection vlan
Use the ip arp inspection vlan Global Configuration mode command to enable ARP
inspection on a VLAN, based on the DHCP Snooping database. Use the no form of this
command to disable ARP inspection on a VLAN.
Syntax
ip arp inspection vlan vlan-id
no ip arp inspection vlan vlan-id
Parameters
• vlan-id—Specifies the VLAN ID.
Default Configuration
DHCP Snooping based ARP inspection on a VLAN is disabled.
Command Mode
Global Configuration mode
User Guidelines
This command enables ARP inspection on a VLAN based on the DHCP snooping database.
Use the ip arp inspection list assign command to enable static ARP inspection.
Example
The following example enables DHCP Snooping based ARP inspection on VLAN 23.
switchxxxxxx(config)# ip arp inspection vlan 23
14.21 ip arp inspection trust
Use the ip arp inspection trust Interface Configuration (Ethernet, Port-channel) mode
command to configure an interface trust state that determines if incoming Address Resolution
Protocol (ARP) packets are inspected. Use the no form of this command to restore the default
configuration.
Syntax
ip arp inspection trust
no ip arp inspection trust
Parameters
N/A
Default Configuration
The interface is untrusted.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
The device does not check ARP packets that are received on the trusted interface; it only
forwards the packets.
For untrusted interfaces, the device intercepts all ARP requests and responses. It verifies that
the intercepted packets have valid IP-to-MAC address bindings before updating the local
cache and before forwarding the packet to the appropriate destination. The device drops
invalid packets and logs them in the log buffer according to the logging configuration
specified with the ip arp inspection logging interval command.
Example
The following example configures te1/0/3 as a trusted interface.
switchxxxxxx(config)# interface te1/0/3
switchxxxxxx(config-if)# ip arp inspection trust
14.22 ip arp inspection validate
Use the ip arp inspection validate Global Configuration mode command to perform specific
checks for dynamic Address Resolution Protocol (ARP) inspection. Use the no form of this
command to restore the default configuration.
Syntax
ip arp inspection validate
no ip arp inspection validate
Parameters
N/A
Default Configuration
ARP inspection validation is disabled.
Command Mode
Global Configuration mode
User Guidelines
The following checks are performed:
• Source MAC address: Compares the source MAC address in the Ethernet header
against the sender MAC address in the ARP body. This check is performed on both
ARP requests and responses.
• Destination MAC address: Compares the destination MAC address in the Ethernet
header against the target MAC address in the ARP body. This check is performed for
ARP responses.
• IP addresses: Compares the ARP body for invalid and unexpected IP addresses.
Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses.
Example
The following example executes ARP inspection validation.
switchxxxxxx(config)# ip arp inspection validate
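The three validation checks listed above, combined with the trust state and IP-to-MAC binding lookup from 14.21, modelled in Python as an added example (it is not the switch's implementation). The binding table, function names and sample frames are constructed; applying the target-IP check only to responses is an assumption.

```python
import ipaddress
import struct

# Constructed IP-to-MAC bindings (assumption), standing in for the DHCP Snooping
# binding database or a static ARP binding list assigned to the VLAN.
BINDINGS = {"10.1.8.1": "0060.704c.73ff",
            "10.1.8.2": "0060.704c.7bc1",
            "10.1.8.3": "0060.704c.7bc3"}


def mac_bytes(dotted: str) -> bytes:
    """Convert 'xxxx.xxxx.xxxx' notation to 6 raw bytes."""
    return bytes.fromhex(dotted.replace(".", ""))


def mac_text(raw: bytes) -> str:
    """Convert 6 raw bytes to lower-case 'xxxx.xxxx.xxxx' notation."""
    h = raw.hex()
    return ".".join(h[i:i + 4] for i in (0, 4, 8))


def build_frame(eth_dst, eth_src, oper, sha, spa, tha, tpa) -> bytes:
    """Build an untagged Ethernet II frame carrying an IPv4 ARP packet (test input)."""
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(eth_src), 0x0806)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      mac_bytes(sha), ipaddress.IPv4Address(spa).packed,
                      mac_bytes(tha), ipaddress.IPv4Address(tpa).packed)
    return eth + arp


def parse_frame(frame: bytes) -> dict:
    """Parse the Ethernet header and ARP body; raise ValueError on anything else."""
    if len(frame) < 42:
        raise ValueError("frame shorter than Ethernet header + ARP body")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper not in (1, 2):
        raise ValueError("not an IPv4-over-Ethernet ARP request or response")
    return {"eth_dst": eth_dst, "eth_src": eth_src, "oper": oper,
            "sha": sha, "spa": ipaddress.IPv4Address(spa),
            "tha": tha, "tpa": ipaddress.IPv4Address(tpa)}


def bad_ip(addr: ipaddress.IPv4Address) -> bool:
    """True for 0.0.0.0, 255.255.255.255 and any IP multicast address."""
    return addr.is_unspecified or addr.is_multicast or int(addr) == 0xFFFFFFFF


def inspect(frame: bytes, trusted: bool, validate: bool = True):
    """Return ('forward' | 'drop', [reasons]) for one received ARP frame."""
    if trusted:
        return "forward", []            # trusted interface: forwarded unchecked
    try:
        p = parse_frame(frame)
    except ValueError:
        return "drop", ["malformed"]
    reasons = []
    if validate:
        # Source MAC: Ethernet source vs ARP sender MAC (requests and responses).
        if p["eth_src"] != p["sha"]:
            reasons.append("src-mac")
        # Destination MAC: Ethernet destination vs ARP target MAC (responses only).
        if p["oper"] == 2 and p["eth_dst"] != p["tha"]:
            reasons.append("dst-mac")
        # Assumption: sender IP checked always, target IP only in responses.
        checked = [p["spa"]] + ([p["tpa"]] if p["oper"] == 2 else [])
        if any(bad_ip(a) for a in checked):
            reasons.append("ip")
    # Binding check: the sender IP must map to the sender MAC.
    if BINDINGS.get(str(p["spa"])) != mac_text(p["sha"]):
        reasons.append("binding")
    return ("drop" if reasons else "forward"), reasons


if __name__ == "__main__":
    A, B, C = "0060.704C.73FF", "0060.704C.7BC1", "0060.704C.7BC3"
    # Constructed sample: host B answers for an address bound to host A.
    mismatch = build_frame(C, B, 2, B, "10.1.8.1", C, "10.1.8.3")
    print(inspect(mismatch, trusted=False))   # dropped: binding mismatch
    print(inspect(mismatch, trusted=True))    # forwarded: trusted port is not checked
```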
14.23 ip arp inspection list create
Use the ip arp inspection list create Global Configuration mode command to create a static
ARP binding list and enter the ARP list configuration mode. Use the no form of this
command to delete the list.
Syntax
ip arp inspection list create name
no ip arp inspection list create name
Parameters
• name—Specifies the static ARP binding list name. (Length: 1–32 characters).
Default Configuration
No static ARP binding list exists.
Command Mode
Global Configuration mode
User Guidelines
Use the ip arp inspection list assign command to assign the list to a VLAN.
Example
The following example creates the static ARP binding list ‘servers’ and enters the ARP list
configuration mode.
switchxxxxxx(config)# ip arp inspection list create servers
14.24 ip mac
Use the ip mac ARP-list Configuration mode command to create a static ARP binding. Use
the no form of this command to delete a static ARP binding.
Syntax
ip ip-address mac mac-address
no ip ip-address mac mac-address
Parameters
• ip-address—Specifies the IP address to be entered to the list.
• mac-address—Specifies the MAC address associated with the IP address.
Default Configuration
No static ARP binding is defined.
Command Mode
ARP-list Configuration mode
Example
The following example creates a static ARP binding.
switchxxxxxx(config)# ip arp inspection list create servers
switchxxxxxx(config-arp-list)# ip 172.16.1.1 mac 0060.704C.7321
switchxxxxxx(config-arp-list)# ip 172.16.1.2 mac 0060.704C.7322
14.25 ip arp inspection list assign
Use the ip arp inspection list assign Global Configuration mode command to assign a static
ARP binding list to a VLAN. Use the no form of this command to delete the assignment.
Syntax
ip arp inspection list assign vlan-id name
no ip arp inspection list assign vlan-id
Parameters
• vlan-id—Specifies the VLAN ID.
• name—Specifies the static ARP binding list name.
Default Configuration
No static ARP binding list assignment exists.
Command Mode
Global Configuration mode
Example
The following example assigns the static ARP binding list ‘servers’ to VLAN 37.
switchxxxxxx(config)# ip arp inspection list assign 37 servers
14.26 ip arp inspection logging interval
Use the ip arp inspection logging interval Global Configuration mode command to set the
minimum time interval between successive ARP SYSLOG messages. Use the no form of this
command to restore the default configuration.
Syntax
ip arp inspection logging interval {seconds | infinite}
no ip arp inspection logging interval
Parameters
• seconds—Specifies the minimum time interval between successive ARP SYSLOG
messages. A 0 value means that a system message is immediately generated. (Range:
0–86400)
• infinite—Specifies that SYSLOG messages are not generated.
Default Configuration
The default minimum ARP SYSLOG message logging time interval is 5 seconds.
Command Mode
Global Configuration mode
Example
The following example sets the minimum ARP SYSLOG message logging time interval to 60
seconds.
switchxxxxxx(config)# ip arp inspection logging interval 60
14.27 show ip arp inspection
Use the show ip arp inspection EXEC mode command to display the ARP inspection
configuration for all interfaces or for a specific interface.
Syntax
show ip arp inspection [interface-id]
Parameters
• interface-id—Specifies an interface ID. The interface ID can be one of the following
types: Ethernet port or Port-channel.
Command Mode
User EXEC mode
Example
The following example displays the ARP inspection configuration.
switchxxxxxx# show ip arp inspection
IP ARP inspection is Enabled
IP ARP inspection is configured on following VLANs: 1
Verification of packet header is Enabled
IP ARP inspection logging interval is: 222 seconds
Interface    Trusted
-----------  -----------
te1/0/1      Yes
te1/0/2      Yes
14.28 show ip arp inspection list
Use the show ip arp inspection list Privileged EXEC mode command to display the static
ARP binding list.
Syntax
show ip arp inspection list
Parameters
N/A
Command Mode
Privileged EXEC mode
Example
The following example displays the static ARP binding list.
switchxxxxxx# show ip arp inspection list
List name: servers
Assigned to VLANs: 1,2
IP           ARP
-----------  --------------
172.16.1.1   0060.704C.7322
172.16.1.2   0060.704C.7322
14.29 show ip arp inspection statistics
Use the show ip arp inspection statistics EXEC command to display statistics for the
following types of packets that have been processed by this feature: Forwarded, Dropped,
IP/MAC Validation Failure.
Syntax
show ip arp inspection statistics [vlan vlan-id]
Parameters
•
vlan-id—Specifies VLAN ID.
Command Mode
User EXEC mode
User Guidelines
To clear ARP Inspection counters, use the clear ip arp inspection statistics command.
Counter values are kept when the ARP Inspection feature is disabled.
Example
switchxxxxxx# show ip arp inspection statistics
Vlan  Forwarded Packets  Dropped Packets  IP/MAC Failures
----  -----------------  ---------------  ---------------
2     1500               100              80
14.30 clear ip arp inspection statistics
Use the clear ip arp inspection statistics Privileged EXEC mode command to clear
ARP Inspection statistics globally.
Syntax
clear ip arp inspection statistics [vlan vlan-id]
Parameters
• vlan-id—Specifies VLAN ID.
Command Mode
Privileged EXEC mode
Example
switchxxxxxx# clear ip arp inspection statistics
15 DHCPv6 Commands
15.1 clear ipv6 dhcp client
To restart DHCP for an IPv6 client on an interface, use the clear ipv6 dhcp client command in
Privileged EXEC mode.
Syntax
clear ipv6 dhcp client interface-id
Parameters
• interface-id—Interface identifier.
Default Configuration
N/A
Command Mode
Privileged EXEC mode
User Guidelines
This command restarts DHCP for an IPv6 client on a specified interface after first releasing
and unconfiguring previously-acquired prefixes and other configuration options (for example,
Domain Name System [DNS] servers).
Example
The following example restarts the DHCP for IPv6 client on VLAN 100:
switchxxxxxx# clear ipv6 dhcp client vlan 100
15.2 ipv6 address dhcp
To enable DHCP for an IPv6 client process and acquire an IPv6 address on an interface, use
the ipv6 address dhcp command in Interface Configuration mode. To remove the address
from the interface, use the no form of this command.
Syntax
ipv6 address dhcp [rapid-commit]
no ipv6 address dhcp
Parameters
• rapid-commit—Allows the two-message exchange method for address assignment.
Default Configuration
No IPv6 addresses are acquired from the DHCPv6 server.
Command Mode
Interface (VLAN) Configuration mode
Interface (Ethernet, Port Channel, OOB) Configuration mode
User Guidelines
This command enables IPv6 on an interface (if it is not enabled) and starts the DHCP for IPv6
client process, if this process is not yet running and if an IPv6 interface is enabled on the
interface. This command allows an interface to dynamically learn its IPv6 address by using
DHCPv6 and enables the DHCPv6 Stateless service.
The rapid-commit keyword enables the use of the two-message exchange for address
allocation and other configuration. If it is enabled, the client includes the rapid-commit option
in a solicit message.
This command allows an interface to dynamically learn its IPv6 address by using DHCPv6.
The DHCPv6 stateless service allows configuration to be received from a DHCP server, passed
in the following options:
• Option 7: OPTION_PREFERENCE - The preference value for the server in this message
• Option 12: OPTION_UNICAST - The IP address to which the client should send
messages delivered using unicast
• Option 23: OPTION_DNS_SERVERS - List of DNS Servers IPv6 Addresses
• Option 24: OPTION_DOMAIN_LIST - Domain Search List
• Option 31: OPTION_SNTP_SERVERS - List of SNTP Servers IPv6 Addresses
• Option 32: OPTION_INFORMATION_REFRESH_TIME - Information Refresh Time Option
• Option 41: OPTION_NEW_POSIX_TIMEZONE - New Timezone Posix String
• Option 59: OPT_BOOTFILE_URL - Configuration Server URL
• Option 60: OPT_BOOTFILE_PARAM, the first parameter - Configuration File Path Name
The DHCPv6 client uses the following IAID format based on the interface-id on which it is
running:
• Octet 1, bits 7-4: These bits are reserved and must be 0
• Octet 1, bits 3-0: These bits contain the interface type:
  - 0—VLAN
  - 1—Ethernet port
  - 2—Port channel
  - 3—Tunnel
• Octets 2-4: The octets contain a value depending on the interface type in the network
format:
  - VLAN
    Octet 2: Reserved, must be 0
    Octets 3-4: VLAN ID (1-4095)
  - Ethernet port
    Octet 2, bits 7-4: Slot number
    Octet 2, bits 3-0: Port Type:
      0—Ethernet
      1—Fast Ethernet
      2—Giga Ethernet
      3—2.5Giga Ethernet
      4—5Giga Ethernet
      5—10Giga Ethernet
      6—12Giga Ethernet
      7—13.6Giga Ethernet
      8—16Giga Ethernet
      9—20Giga Ethernet
      10—40Giga Ethernet
      11—100Giga Ethernet
    Octet 3: Unit number
    Octet 4: Port number
  - Port channel
    Octets 2-3: Reserved, must be 0
    Octet 4: Port channel number
  - Tunnel
    Octets 2-3: Reserved, must be 0
    Octet 4: Tunnel number
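The IAID layout described above, as an added Python example (not code from this guide or from Cisco) that encodes an interface into the 4-octet IAID and decodes an IAID seen in DHCPv6 server logs back to the interface it names, rejecting values that set reserved bits. The function names are hypothetical; only the bit layout comes from the guide.

```python
# Added example: encoder/decoder for the 4-octet IAID layout in this section.
# All names here are hypothetical; the bit positions are the ones listed above.

IF_VLAN, IF_ETHERNET, IF_PORT_CHANNEL, IF_TUNNEL = 0, 1, 2, 3
NUMBERED = {IF_PORT_CHANNEL: "Port channel", IF_TUNNEL: "Tunnel"}

# Port type codes carried in octet 2, bits 3-0, for Ethernet ports.
PORT_TYPES = {
    0: "Ethernet", 1: "Fast Ethernet", 2: "Giga Ethernet",
    3: "2.5Giga Ethernet", 4: "5Giga Ethernet", 5: "10Giga Ethernet",
    6: "12Giga Ethernet", 7: "13.6Giga Ethernet", 8: "16Giga Ethernet",
    9: "20Giga Ethernet", 10: "40Giga Ethernet", 11: "100Giga Ethernet",
}


def encode_vlan(vlan_id):
    """VLAN: octet 2 is reserved (0), octets 3-4 carry the VLAN ID."""
    if not 1 <= vlan_id <= 4095:
        raise ValueError("VLAN ID must be 1-4095")
    return bytes([IF_VLAN, 0, vlan_id >> 8, vlan_id & 0xFF])


def encode_ethernet(slot, port_type, unit, port):
    """Ethernet port: slot and port type share octet 2, then unit, then port."""
    if not 0 <= slot <= 0x0F:
        raise ValueError("slot number must fit in 4 bits")
    if port_type not in PORT_TYPES:
        raise ValueError("unknown port type code")
    if not (0 <= unit <= 0xFF and 0 <= port <= 0xFF):
        raise ValueError("unit and port numbers must each fit in one octet")
    return bytes([IF_ETHERNET, (slot << 4) | port_type, unit, port])


def encode_numbered(if_type, number):
    """Port channel or tunnel: octets 2-3 reserved, octet 4 is the number."""
    if if_type not in NUMBERED:
        raise ValueError("interface type must be port channel or tunnel")
    if not 0 <= number <= 0xFF:
        raise ValueError("number must fit in one octet")
    return bytes([if_type, 0, 0, number])


def decode_iaid(iaid):
    """Decode 4 IAID octets; raise ValueError if the layout rules are broken."""
    if len(iaid) != 4:
        raise ValueError("IAID is exactly 4 octets")
    o1, o2, o3, o4 = iaid
    if o1 >> 4:
        raise ValueError("octet 1, bits 7-4 are reserved and must be 0")
    if_type = o1 & 0x0F
    if if_type == IF_VLAN:
        vlan_id = (o3 << 8) | o4
        if o2 != 0 or not 1 <= vlan_id <= 4095:
            raise ValueError("VLAN IAID needs octet 2 = 0 and VLAN ID 1-4095")
        return {"type": "VLAN", "vlan_id": vlan_id}
    if if_type == IF_ETHERNET:
        code = o2 & 0x0F
        if code not in PORT_TYPES:
            raise ValueError("unknown port type code %d" % code)
        return {"type": "Ethernet port", "slot": o2 >> 4,
                "port_type": PORT_TYPES[code], "unit": o3, "port": o4}
    if if_type in NUMBERED:
        if o2 or o3:
            raise ValueError("octets 2-3 are reserved and must be 0")
        return {"type": NUMBERED[if_type], "number": o4}
    raise ValueError("unknown interface type %d" % if_type)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real device.
    for sample in (encode_vlan(100), encode_ethernet(1, 2, 1, 5),
                   encode_numbered(IF_PORT_CHANNEL, 3)):
        print(sample.hex(), decode_iaid(sample))
```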
When IPv6 Forwarding is enabled, only stateless information is required from a DHCPv6
server.
When IPv6 forwarding is changed from disabled to enabled, IPv6 addresses assigned by a
DHCPv6 server are removed.
When IPv6 forwarding is changed from enabled to disabled, receiving IPv6 addresses from a
DHCPv6 server is resumed.
The DHCPv6 client, server, and relay functions are mutually exclusive on an interface.
Example
The following example enables IPv6 on VLAN 100 and acquires an IPv6 address:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ipv6 address dhcp
switchxxxxxx(config-if)# exit
15.3 ipv6 dhcp client information refresh
To configure the IPv6 client information refresh time on a specified interface, for use when
the DHCPv6 server reply does not include the Information Refresh Time, use the ipv6 dhcp
client information refresh command in Interface Configuration mode. To return to the
default value of the refresh time, use the no form of this command.
Syntax
ipv6 dhcp client information refresh seconds | infinite
no ipv6 dhcp client information refresh
Parameters
• seconds—The refresh time, in seconds. The value cannot be less than the minimal
acceptable refresh time configured by the ipv6 dhcp client information refresh
command. The maximum value that can be used is 4,294,967,294 seconds
(0xFFFFFFFE).
• infinite—Infinite refresh time.
Default Configuration
The default is 86,400 seconds (24 hours).
Command Mode
Interface Configuration mode
User Guidelines
The ipv6 dhcp client information refresh command specifies the information refresh time. If
the server does not send an information refresh time option, the value configured by the
command is used.
Use the infinite keyword to prevent refresh if the server does not send an information refresh
time option.
Example
The following example configures an upper limit of 2 days:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ipv6 dhcp client information refresh 172800
switchxxxxxx(config-if)# exit
15.4 ipv6 dhcp client information refresh minimum
To configure the minimum acceptable refresh time on the specified interface, use the ipv6
dhcp client information refresh minimum command in Interface Configuration mode. To
remove the configured refresh time, use the no form of this command.
Syntax
ipv6 dhcp client information refresh minimum seconds | infinite
no ipv6 dhcp client information refresh minimum
Parameters
• seconds—The refresh time, in seconds. The minimum value that can be used is 600
seconds. The maximum value that can be used is 4,294,967,294 seconds
(0xFFFFFFFE).
• infinite—Infinite refresh time.
Default Configuration
The default is 86,400 seconds (24 hours).
Command Mode
Interface Configuration mode
User Guidelines
The ipv6 dhcp client information refresh minimum command specifies the minimum
acceptable information refresh time. If the server sends an information refresh time option of
less than the configured minimum refresh time, the configured minimum refresh time will be
used instead.
This command may be configured in the following situations:
• In unstable environments where unexpected changes are likely to occur.
• For planned changes, including renumbering. An administrator can gradually decrease the
time as the planned event nears.
• Limit the amount of time before new services or servers are available to the client, such as
the addition of a new Simple Network Time Protocol (SNTP) server or a change of address
of a Domain Name System (DNS) server.
If you configure the infinite keyword, the client never refreshes the information.
Example
The following example configures an upper limit of 2 days:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ipv6 dhcp client information refresh 172800
switchxxxxxx(config-if)# exit
15.5 ipv6 dhcp duid-en
To set the Vendor Based on Enterprise Number DHCPv6 Unique Identifier (DUID-EN)
format, use the ipv6 dhcp duid-en command in Global Configuration mode.
To return to the default value, use the no form of this command.
Syntax
ipv6 dhcp duid-en enterprise-number identifier
no ipv6 dhcp duid-en
Parameters
• enterprise-number—The vendor’s registered Private Enterprise number as maintained
by IANA.
• identifier—The vendor-defined non-empty hex string (up to 64 hex characters). If the
number of characters is not even, a ’0’ is added at the right. Each 2 hex characters can
be separated by a period or colon.
Default Configuration
DUID Based on Link-layer Address (DUID-LL) is used. The base MAC Address is used as a
Link-layer Address.
Command Mode
Global Configuration mode
User Guidelines
By default, the DHCPv6 uses the DUID Based on Link-layer Address (see RFC3315) with the
Base MAC Address as a Link-layer Address.
Use this command to change the DUID format to the Vendor Based on Enterprise Number.
Examples
Example 1. The following sets the DUID-EN format:
switchxxxxxx(config)# ipv6 dhcp duid-en 9 0CC084D303000912
Example 2. The following sets the DUID-EN format using colons as delimiter:
switchxxxxxx(config)# ipv6 dhcp duid-en 9 0C:C0:84:D3:03:00:09:12
15.6 ipv6 dhcp relay destination (Global)
To specify a globally-defined relay destination address to which client messages are
forwarded, use the ipv6 dhcp relay destination command in Global Configuration mode. To
remove a relay destination address, use the no form of this command.
Syntax
ipv6 dhcp relay destination {ipv6-address [interface-id]} | interface-id
no ipv6 dhcp relay destination [{ipv6-address [interface-id]} | interface-id]
Parameters
• ipv6-address [interface-id]—Relay destination IPv6 address in the form documented
in RFC 4291 where the address is specified in hexadecimal using 16-bit values
between colons. There are the following types of relay destination address:
  - Link-local Unicast address. A user must specify the interface-id argument for this
    kind of address.
  - Global Unicast IPv6 address. If the interface-id argument is omitted then the
    Routing table is used.
• interface-id—Interface identifier that specifies the output interface for a destination. If
this argument is configured, client messages are forwarded to the well-known
link-local Multicast address All_DHCP_Relay_Agents_and_Servers (FF02::1:2)
through the link to which the output interface is connected.
Default Configuration
There is no globally-defined relay destination.
Command Mode
Global Configuration mode
User Guidelines
The ipv6 dhcp relay destination command specifies a destination address to which client
messages are forwarded. The address is used by all DHCPv6 relays running on the switch. Up
to 100 addresses can be defined.
When a relay service is running on an interface, a DHCP for IPv6 message received on that
interface will be forwarded to all relay destinations configured per interface and
globally.
Multiple destinations can be configured on one interface, and multiple output interfaces can be
configured for one destination.
Unspecified, loopback, and Multicast addresses are not acceptable as the relay destination.
Use the no form of the command with the ipv6-address and interface-id arguments to remove
only the given globally-defined address with the given output interface.
Use the no form of the command with the ipv6-address argument to remove only the given
globally-defined address for all output interfaces.
The no form of the command without the arguments removes all the globally-defined
addresses.
Examples
Example 1. The following example sets the relay unicast link-local destination address per
VLAN 200:
switchxxxxxx(config)# ipv6 dhcp relay destination FE80::1:2 vlan 200
Example 2. The following example configures client messages to be forwarded to VLAN 200:
switchxxxxxx(config)# ipv6 dhcp relay destination vlan 200
Example 3. The following example sets the unicast global relay destination address:
switchxxxxxx(config)# ipv6 dhcp relay destination 3002::1:2
15.7 ipv6 dhcp relay destination (Interface)
To specify a destination address to which client messages are forwarded and to enable DHCP
for IPv6 relay service on the interface, use the ipv6 dhcp relay destination command in
Interface Configuration mode. To remove a relay destination on the interface or to delete an
output interface for a destination, use the no form of this command.
Syntax
ipv6 dhcp relay destination [{ipv6-address [interface-id]} | interface-id]
no ipv6 dhcp relay destination [{ipv6-address [interface-id]} | interface-id]
Parameters
• ipv6-address [interface-id]—Relay destination IPv6 address in the form documented
in RFC 4291 where the address is specified in hexadecimal using 16-bit values
between colons. There are the following types of relay destination address:
  - Link-local Unicast address. A user must specify the interface-id argument for this
    kind of address.
  - Global Unicast IPv6 address. If the interface-id argument is omitted then the
    Routing table is used.
• interface-id—Interface identifier that specifies the output interface for a destination. If
this argument is configured, client messages are forwarded to the well-known
link-local Multicast address All_DHCP_Relay_Agents_and_Servers (FF02::1:2)
through the link to which the output interface is connected.
Default Configuration
The relay function is disabled, and there is no relay destination on an interface.
Command Mode
Interface Configuration mode
User Guidelines
This command specifies a destination address to which client messages are forwarded, and it
enables DHCP for IPv6 relay service on the interface. Up to 10 addresses can be defined per
one interface and up to 100 addresses can be defined per switch.
DHCPv6 Relay inserts the Interface-id option if an IPv6 global address is not defined on the
interface on which the relay is running. The Interface-id field of the option is the interface
name (a value of the ifName field of the ifTable) on which the relay is running.
When relay service is running on an interface, a DHCP for IPv6 message received on that
interface will be forwarded to all relay destinations configured per interface and
globally.
The incoming DHCP for IPv6 message may have come from a client on that interface, or it
may have been relayed by another relay agent.
The relay destination can be a Unicast address of a server or another relay agent, or it may be a
Multicast address. There are two types of relay destination addresses:
• A link-local Unicast or Multicast IPv6 address, for which a user must specify an output
interface.
• A global Unicast IPv6 address. A user can optionally specify an output interface for this
kind of address.
If no output interface is configured for a destination, the output interface is determined by
routing tables. In this case, it is recommended that a Unicast or Multicast routing protocol be
running on the router.
Multiple destinations can be configured on one interface, and multiple output interfaces can be
configured for one destination. When the relay agent relays messages to a Multicast address, it
sets the hop limit field in the IPv6 packet header to 32.
Unspecified, loopback, and node-local Multicast addresses are not acceptable as the relay
destination.
Note that it is not necessary to enable the relay function on an interface for it to accept and
forward an incoming relay reply message from servers. By default, the relay function is
disabled, and there is no relay destination on an interface.
Use the no form of the command with arguments to remove a specific address.
Use the no form of the command without arguments to remove all the defined addresses and to
disable the relay on the interface.
Examples
Example 1. The following example sets the relay Unicast link-local destination address per
VLAN 200 and enables the DHCPv6 Relay on VLAN 100 if it was not enabled:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ipv6 dhcp relay destination FE80::1:2 vlan 200
switchxxxxxx(config-if)# exit
Example 2. The following example sets the relay well known Multicast link-local destination
address per VLAN 200 and enables the DHCPv6 Relay on VLAN 100 if it was not enabled:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ipv6 dhcp relay destination vlan 200
switchxxxxxx(config-if)# exit
Example 3. The following example sets the Unicast global relay destination address and
enables the DHCPv6 Relay on VLAN 100 if it was not enabled:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ipv6 dhcp relay destination 3002::1:2
switchxxxxxx(config-if)# exit
Example 4. The following example enables DHCPv6 relay on VLAN 100:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ipv6 dhcp relay destination
switchxxxxxx(config-if)# exit
Example 5. The following example disables DHCPv6 relay on VLAN 100:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# no ipv6 dhcp relay destination
switchxxxxxx(config-if)# exit
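The address rules stated for the global and interface forms of ipv6 dhcp relay destination, as an added Python example (not part of this guide) that audits a configuration snippet and reports relay destinations the guidelines describe as unacceptable or incomplete. The function names and the sample configuration are constructed for illustration, and the audit assumes that an "interface ..." line enters interface mode and "exit" leaves it, as in the examples above.

```python
# Added example: audit "ipv6 dhcp relay destination" lines against the
# address rules in sections 15.6 and 15.7. Names are hypothetical.
import ipaddress

COMMAND = "ipv6 dhcp relay destination"


def check_relay_destination(line, mode="global"):
    """Return a list of problems for one command; mode is 'global' or 'interface'."""
    text = line.split("#", 1)[-1].strip()        # drop a CLI prompt if present
    if not text.lower().startswith(COMMAND):
        raise ValueError("not a relay destination command: %r" % line)
    args = text[len(COMMAND):].split()

    address, interface = None, None
    if args and ":" in args[0]:                  # first token is meant as an address
        try:
            address = ipaddress.IPv6Address(args[0])
        except ipaddress.AddressValueError:
            return ["malformed IPv6 address: " + args[0]]
        interface = " ".join(args[1:]) or None
    elif args:
        interface = " ".join(args)               # output interface only (FF02::1:2)

    if address is None:
        # The interface form without arguments only enables the relay.
        if interface is None and mode == "global":
            return ["global form needs an address or an output interface"]
        return []

    problems = []
    if address.is_unspecified or address.is_loopback:
        problems.append("unspecified and loopback addresses are not acceptable")
    elif address.is_multicast:
        scope = address.packed[1] & 0x0F         # RFC 4291 multicast scope field
        if mode == "global":
            problems.append("multicast address is not acceptable in the global form")
        elif scope == 1:
            problems.append("node-local multicast address is not acceptable")
        elif scope == 2 and interface is None:
            problems.append("link-local multicast address needs an output interface")
    elif address.is_link_local and interface is None:
        problems.append("link-local unicast address needs an output interface")
    return problems


def audit(config_text):
    """Return (command, problems) pairs for every flagged line in a snippet."""
    findings, mode = [], "global"
    for raw in config_text.splitlines():
        text = raw.split("#", 1)[-1].strip()
        lowered = text.lower()
        if lowered.startswith("interface "):
            mode = "interface"
        elif lowered == "exit":
            mode = "global"
        elif lowered.startswith(COMMAND):
            problems = check_relay_destination(text, mode)
            if problems:
                findings.append((text, problems))
    return findings


# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
ipv6 dhcp relay destination FE80::1:2 vlan 200
ipv6 dhcp relay destination FE80::1:2
ipv6 dhcp relay destination FF02::1:2 vlan 200
interface vlan 100
ipv6 dhcp relay destination FF02::1:2 vlan 200
ipv6 dhcp relay destination FF01::1 vlan 200
ipv6 dhcp relay destination
exit
ipv6 dhcp relay destination ::1
"""

if __name__ == "__main__":
    for command, problems in audit(SAMPLE):
        print(command, "->", "; ".join(problems))
```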
15.8 show ipv6 dhcp
To display the Dynamic DHCP unique identifier (DUID) on a specified device, use the show
ipv6 dhcp command in User EXEC mode. This information is relevant for DHCPv6 clients
and DHCPv6 relays.
Syntax
show ipv6 dhcp
Parameters
N/A
Command Mode
User EXEC mode
User Guidelines
This command uses the DUID, which is based on the link-layer address for both client and
server identifiers. The device uses the MAC address from the lowest-numbered interface to
form the DUID.
Examples
Example 1. The following is sample output from this command when the switch’s DUID
format is vendor based on enterprise number:
switchxxxxxx# show ipv6 dhcp
The switch’s DHCPv6 unique identifier(DUID)is 0002000000090CC084D303000912
Format: 2
Enterprise Number: 9
Identifier: 0CC084D303000912
Example 2. The following is sample output from this command when the switch’s DUID
format is vendor-based on link-layer address:
switchxxxxxx# show ipv6 dhcp
The switch’s DHCPv6 unique identifier(DUID)is 000300010024012607AA
Format: 3
Hardware type: 1
MAC Address: 0024.0126.07AA
Example 3. The following is sample output from this command when the switch’s DUID
format is vendor-based on link-layer address and DHCPv6 Relay is supported:
switchxxxxxx# show ipv6 dhcp
The switch’s DHCPv6 unique identifier(DUID)is 000300010024012607AA
Format: 3
Hardware type: 1
MAC Address: 0024.0126.07AA
Relay Destinations:
2001:001:250:A2FF:FEBF:A056
2001:1001:250:A2FF:FEBF:A056
2001:1011:250:A2FF:FEBF:A056 via VLAN 100
FE80::250:A2FF:FEBF:A056 via VLAN 100
FE80::250:A2FF:FEBF:A056 via VLAN 200
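The DUID values in the show ipv6 dhcp output above and the identifier rules of the ipv6 dhcp duid-en command, as an added Python example (not code from this guide) that builds a DUID-EN from the command arguments and parses a DUID seen on the wire or in server logs, so that an observed identity can be compared with the configured one. The function names are hypothetical; the byte layout is the one visible in the sample output (2-octet format, then a 4-octet enterprise number or a 2-octet hardware type).

```python
# Added example: build and parse the two DUID formats shown in this section.
# Names are hypothetical; sample values are the ones printed in the guide.
import re
import struct

DUID_EN, DUID_LL = 2, 3       # the "Format" values in the show ipv6 dhcp output


def normalize_identifier(text):
    """Apply the duid-en identifier rules: optional '.'/':' after each 2 hex
    characters, 1 to 64 hex characters, '0' added at the right if odd."""
    groups = re.split(r"[.:]", text)
    if len(groups) > 1 and (any(len(g) != 2 for g in groups[:-1])
                            or len(groups[-1]) not in (1, 2)):
        raise ValueError("a separator may only follow each 2 hex characters")
    hex_str = "".join(groups).upper()
    if not re.fullmatch(r"[0-9A-F]{1,64}", hex_str):
        raise ValueError("identifier must be 1 to 64 hex characters")
    if len(hex_str) % 2:
        hex_str += "0"
    return hex_str


def build_duid_en(enterprise_number, identifier):
    """Return the DUID-EN octets for the given command arguments."""
    if not 0 <= enterprise_number <= 0xFFFFFFFF:
        raise ValueError("enterprise number must fit in 4 octets")
    body = bytes.fromhex(normalize_identifier(identifier))
    return struct.pack("!HI", DUID_EN, enterprise_number) + body


def parse_duid(hex_text):
    """Decode a DUID hex string into the fields the show command prints."""
    raw = bytes.fromhex(hex_text)                # ValueError on non-hex input
    if len(raw) < 2:
        raise ValueError("DUID is too short")
    (duid_format,) = struct.unpack("!H", raw[:2])
    if duid_format == DUID_EN:
        if len(raw) < 7:
            raise ValueError("DUID-EN needs an enterprise number and identifier")
        (number,) = struct.unpack("!I", raw[2:6])
        return {"format": DUID_EN, "enterprise_number": number,
                "identifier": raw[6:].hex().upper()}
    if duid_format == DUID_LL:
        if len(raw) < 5:
            raise ValueError("DUID-LL needs a hardware type and an address")
        (hw_type,) = struct.unpack("!H", raw[2:4])
        addr = raw[4:].hex().upper()
        dotted = ".".join(addr[i:i + 4] for i in range(0, len(addr), 4))
        return {"format": DUID_LL, "hardware_type": hw_type,
                "link_layer_address": dotted}
    raise ValueError("DUID format %d is not described in this guide" % duid_format)


def duid_matches_config(observed_hex, enterprise_number, identifier):
    """True if an observed DUID equals the one the duid-en command would set."""
    return bytes.fromhex(observed_hex) == build_duid_en(enterprise_number, identifier)


if __name__ == "__main__":
    print(build_duid_en(9, "0C:C0:84:D3:03:00:09:12").hex().upper())
    print(parse_duid("0002000000090CC084D303000912"))
    print(parse_duid("000300010024012607AA"))
```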
15.9 show ipv6 dhcp interface
To display DHCP for IPv6 interface information, use the show ipv6 dhcp interface command
in User EXEC mode.
Syntax
show ipv6 dhcp interface [interface-id]
Parameters
• interface-id—Interface identifier.
Command Mode
User EXEC mode
User Guidelines
If no interfaces are specified in the command, all interfaces on which DHCP for IPv6 (client or
server) is enabled are displayed. If an interface is specified in the command, only information
about the specified interface is displayed.
Note. This new output format is supported starting with the SW version supporting
stateful configuration.
Example
The following is sample output from this command when DHCPv6 client is enabled:
switchxxxxxx# show ipv6 dhcp interface
VLAN 100 is in client mode
Configuration:
Statefull Service is enabled (rapid-commit)
Auto-Configuration is enabled
Information Refresh Time: 86400 seconds
Information Refresh Minimum Time: 600 seconds
State:
DHCP Operational mode is enabled
Statefull Service is available
DHCP server:
Address: FE80::204:FCFF:FEA1:7439
DUID: 000300010002FCA17400
Preference: 20
IPv6 Address Information:
IA NA: IA ID 0x00040001, T1 120, T2 192
IPv6 Address: 30e0::12:45:11
preferred lifetime: 300, valid lifetime: 54333
expires at Nov 08 2002 09:11 (54331 seconds)
renew for address will be sent in 54301 seconds
IPv6 Address: 3012::13:af:25
preferred lifetime: 280, valid lifetime: 51111
expires at Nov 08 2002 08:17 (51109 seconds)
renew for address will be sent in 5101 seconds
Stateless Information:
Information Refresh Time:
86400 seconds
expires at Nov 08 2002 08:17 (51109 seconds)
DNS Servers: 1001::1, 2001::10
DNS Domain Search List: company.com beta.org
SNTP Servers: 2004::1
POSIX Timezone string: EST5EDT4,M3.2.0/02:00,M11.1.0/02:00
Configuration Server: config.company.com
Configuration Path Name: qqq/config/aaa_config.dat
Indirect Image Path Name: qqq/config/aaa_image_name.txt
VLAN 105 is in client mode
Configuration:
Statefull Service is enabled
Auto-Configuration is disabled
Information Refresh Time: 86400 seconds
Information Refresh Minimum Time: 600 seconds
State:
DHCP Operational mode is enabled
Statefull Service is not available (IPv6 routing is enabled)
DHCP server:
Address: FE80::204:FCFF:FEA1:7439
DUID: 000300010002FCA17400
Preference: 20
Stateless Information:
Information Refresh Time:
86400 seconds
expires at Nov 08 2002 08:17 (51109 seconds)
DNS Servers: 1001::1, 2001::10
DNS Domain Search List: company.com beta.org
SNTP Servers: 2004::1
POSIX Timezone string: EST5EDT4,M3.2.0/02:00,M11.1.0/02:00
Configuration Server: config.company.com
Configuration Path Name: qqq/config/aaa_config.dat
Indirect Image Path Name: qqq/config/aaa_image_name.txt
VLAN 107 is in client mode
Configuration:
Statefull Service is enabled
Auto-Configuration is enabled
Information Refresh Time: 86400 seconds
Information Refresh Minimum Time: 600 seconds
State:
DHCP Operational mode is enabled
Statefull Service is not available (IPv6 routing is enabled)
DHCP server:
Address: FE80::204:FCFF:FEA1:7439
DUID: 000300010002FCA17400
Preference: 20
Stateless Information:
Information Refresh Time:
86400 seconds
expires at Nov 08 2002 08:17 (51109 seconds)
DNS Servers: 1001::1, 2001::10
DNS Domain Search List: company.com beta.org
SNTP Servers: 2004::1
POSIX Timezone string: EST5EDT4,M3.2.0/02:00,M11.1.0/02:00
Configuration Server: config.company.com
Configuration Path Name: qqq/config/aaa_config.dat
Indirect Image Path Name: qqq/config/aaa_image_name.txt
VLAN 110 is in client mode
Configuration:
Statefull Service is enabled
Auto-Configuration is disabled
Information Refresh Time: 86400 seconds
Information Refresh Minimum Time: 600 seconds
State:
DHCP Operational mode is disabled (IPv6 is not enabled)
VLAN 1000 is in client mode
Configuration:
Statefull Service is enabled
Auto-Configuration is enabled
Information Refresh Time: 86400 seconds
Information Refresh Minimum Time: 600 seconds
State:
DHCP Operational mode is disabled (Interface status is DOWN)
DHCP server:
Address: FE80::204:FCFF:FEA1:7439
DUID: 000300010002FCA17400
Preference: 20
Stateless Information:
Information Refresh Time:
86400 seconds
expires at Nov 08 2002 08:17 (51109 seconds)
DNS Servers: 1001::1, 2001::10
DNS Domain Search List: company.com beta.org
SNTP Servers: 2004::1
POSIX Timezone string: EST5EDT4,M3.2.0/02:00,M11.1.0/02:00
Configuration Server: config.company.com
Configuration Path Name: qqq/config/aaa_config.dat
Indirect Image Path Name: qqq/config/aaa_image_name.txt
VLAN 1010 is in relay mode
DHCP Operational mode is enabled
Relay source interface: VLAN 101
Relay destinations:
2001:001:250:A2FF:FEBF:A056
FE80::250:A2FF:FEBF:A056 via FastEthernet 1/0/10
16 DNS Client Commands
16.1 clear host
Use the clear host command in privileged EXEC mode to delete dynamic
hostname-to-address mapping entries from the DNS client name-to-address cache.
Syntax
clear host {hostname | *}
Parameters
• hostname—Name of the host for which hostname-to-address mappings are to be
deleted from the DNS client name-to-address cache.
• *—Specifies that all the dynamic hostname-to-address mappings are to be deleted
from the DNS client name-to-address cache.
Default Configuration
No hostname-to-address mapping entries are deleted from the DNS client name-to-address
cache.
Command Mode
Privileged EXEC mode
User Guidelines
To remove the dynamic entry that provides mapping information for a single hostname, use
the hostname argument. To remove all the dynamic entries, use the * keyword.
To define static hostname-to-address mappings in the DNS hostname cache, use the ip host
command.
To delete static hostname-to-address mappings in the DNS hostname cache, use the no ip
host command.
Example
The following example deletes all dynamic entries from the DNS client name-to-address
cache.
switchxxxxxx# clear host *
16.2 ip domain lookup
Use the ip domain lookup command in Global Configuration mode to enable the IP Domain
Naming System (DNS)-based host name-to-address translation.
To disable the DNS, use the no form of this command.
Syntax
ip domain lookup
no ip domain lookup
Parameters
N/A
Default Configuration
Enabled.
Command Mode
Global Configuration mode
Example
The following example enables DNS-based host name-to-address translation.
switchxxxxxx(config)# ip domain lookup
16.3 ip domain name
Use the ip domain name command in Global Configuration mode to define a default domain
name that the switch uses to complete unqualified hostnames (names without a dotted-decimal
domain name).
To delete the static defined default domain name, use the no form of this command.
Syntax
ip domain name name
no ip domain name
Parameters
name—Default domain name used to complete unqualified host names. Do not include the
initial period that separates an unqualified name from the domain name. Length: 1–158
characters. Maximum label length of each domain level is 63 characters.
Default Configuration
No default domain name is defined.
Command Mode
Global Configuration mode
User Guidelines
Any IP hostname that does not contain a domain name (that is, any name without a dot) will
have the dot and the default domain name appended to it before being added to the host table.
Domain names and host names are restricted to the ASCII letters A through Z
(case-insensitive), the digits 0 through 9, the underscore and the hyphen. A period (.) is used to
separate labels.
The maximum size of each domain level is 63 characters. The maximum name size is 158
bytes.
Example
The following example defines the default domain name as ‘www.website.com’.
switchxxxxxx(config)# ip domain name website.com
16.4 ip domain polling-interval
Use the ip domain polling-interval command in Global Configuration mode to specify the
polling interval.
Use the no form of this command to return to the default behavior.
Syntax
ip domain polling-interval seconds
no ip domain polling-interval
Parameters
seconds—Polling interval in seconds. The range is from (2*(R+1)*T) to 3600.
Default Configuration
The default value is 2 * (R+1) * T, where
• R is a value configured by the ip domain retry command.
• T is a value configured by the ip domain timeout command.
Command Mode
Global Configuration mode
User Guidelines
Some applications communicate with the given IP address continuously. DNS clients for such
applications, which have not received resolution of the IP address or have not detected a DNS
server using a fixed number of retransmissions, return an error to the application and continue
to send DNS Request messages for the IP address using the polling interval.
Example
The following example shows how to configure the polling interval of 100 seconds:
switchxxxxxx(config)# ip domain polling-interval 100
16.5 ip domain retry
Use the ip domain retry command in Global Configuration mode to specify the number of
times the device will send Domain Name System (DNS) queries when there is no reply.
To return to the default behavior, use the no form of this command.
Syntax
ip domain retry number
no ip domain retry
Parameters
number—Number of times to retry sending a DNS query to the DNS server. The range is from
0 to 16.
Default Configuration
The default value is 1.
Command Mode
Global Configuration mode
User Guidelines
The number argument specifies how many times the DNS query will be sent to a DNS server
until the switch decides that the DNS server does not exist.
Example
The following example shows how to configure the switch to send out 10 DNS queries before
giving up:
switchxxxxxx(config)# ip domain retry 10
16.6 ip domain timeout
Use the ip domain timeout command in Global Configuration mode to specify the amount of
time to wait for a response to a DNS query.
To return to the default behavior, use the no form of this command.
Syntax
ip domain timeout seconds
no ip domain timeout
Parameters
seconds—Time, in seconds, to wait for a response to a DNS query. The range is from 1 to 60.
Default Configuration
The default value is 2 seconds.
Command Mode
Global Configuration mode
User Guidelines
Use the command to change the default time out value. Use the no form of this command to
return to the default time out value.
Example
The following example shows how to configure the switch to wait 50 seconds for a response to
a DNS query:
switchxxxxxx(config)# ip domain timeout 50
16.7 ip host
Use the ip host Global Configuration mode command to define the static host
name-to-address mapping in the DNS host name cache.
Use the no form of this command to remove the static host name-to-address mapping.
Syntax
ip host hostname address1 [address2...address8]
no ip host name [address1...address8]
Parameters
• hostname—Name of the host. (Length: 1–158 characters. Maximum label length of
each domain level is 63 characters).
• address1—Associated host IP address (IPv4 or IPv6, if IPv6 stack is supported).
• address2...address8—Up to seven additional associated IP addresses, delimited by a
single space (IPv4 or IPv6, if IPv6 stack is supported).
Default Configuration
No host is defined.
Command Mode
Global Configuration mode
User Guidelines
Host names are restricted to the ASCII letters A through Z (case-insensitive), the digits 0
through 9, the underscore and the hyphen. A period (.) is used to separate labels.
An IP application will receive the IP addresses in the following order:
1. IPv6 addresses in the order specified by the command.
2. IPv4 addresses in the order specified by the command.
Use the no form of the command with the address1...address8 argument to delete the
specified addresses. The entry is deleted if all its addresses are deleted.
Example
The following example defines a static host name-to-address mapping in the host cache.
switchxxxxxx(config)# ip host accounting.website.com 176.10.23.1
16.8 ip name-server
Use the ip name-server command in Global Configuration mode to specify the address of one
or more name servers to use for name and address resolution.
Use the no form of this command to remove the static specified addresses.
Syntax
ip name-server server-address1 [server-address2...server-address8]
no ip name-server [server-address1...server-address8]
Parameters
• server-address1—IPv4 or IPv6 addresses of a single name server.
• server-address2...server-address8—IPv4 or IPv6 addresses of additional name servers.
Default Configuration
No name server IP addresses are defined.
Command Mode
Global Configuration mode
User Guidelines
The preference of the servers is determined by the order in which they were entered.
Each ip name-server command replaces the configuration defined by the previous one (if one
existed).
Example
The following example shows how to specify IPv4 hosts 172.16.1.111, 172.16.1.2, and IPv6
host 2001:0DB8::3 as the name servers:
switchxxxxxx(config)# ip name-server 172.16.1.111 172.16.1.2 2001:0DB8::3
16.9 show hosts
Use the show hosts command in privileged EXEC mode to display the default domain name,
the style of name lookup service, a list of name server hosts, and the cached list of hostnames
and addresses.
Syntax
show hosts [all | hostname]
Parameters
• all—The specified host name cache information is to be displayed for all configured
DNS views. This is the default.
• hostname—The specified host name cache information displayed is to be limited to
entries for a particular host name.
Command Mode
Privileged EXEC mode
Default Configuration
Default is all.
User Guidelines
This command displays the default domain name, a list of name server hosts, and the cached
list of host names and addresses.
Example
The following is sample output with no parameters specified:
switchxxxxxx# show hosts
Name/address lookup is enabled
Domain Timeout: 3 seconds
Domain Retry: 4 times
Domain Polling Interval: 10 seconds
Default Domain Table
Source   Interface  Preference  Domain
static                          website.com
dhcpv6   vlan 100   1           qqtca.com
dhcpv6   vlan 100   2           company.com
dhcpv6   vlan 1100  1           pptca.com
Name Server Table
Source   Interface  Preference  IP Address
static              1           192.0.2.204
static              2           192.0.2.205
static              3           192.0.2.105
DHCPv6   vlan 100   1           2002:0:22AC::11:231A:0BB4
DHCPv4   vlan 1     1           192.1.122.20
DHCPv4   vlan 1     2           154.1.122.20
Casche Table
Flags: (static/dynamic, OK/Ne/??)
OK - Okay, Ne - Negative Cache, ?? - No Response
Host Flag Address;Age...in preference order
example1.company.com (dynamic, OK) 2002:0:130F::0A0:1504:0BB4;1 112.0.2.10
176.16.8.8;123 124 173.0.2.30;39
example2.company.com (dynamic, ??)
example3.company.com (static, OK) 120.0.2.27
example4.company.com (dynamic, OK) 24 173.0.2.30;15
example5.company.com (dynamic, Ne); 12
17 EEE Commands
17.1 eee enable (global)
To enable the EEE mode globally, use the eee enable Global Configuration command. To
disable the mode, use the no format of the command.
Syntax
eee enable
no eee enable
Parameters
This command has no arguments or keywords.
Default Configuration
Enabled
Command Mode
Global Configuration mode
User Guidelines
In order for EEE to work, the device at the other end of the link must also support EEE and
have it enabled. In addition, for EEE to work properly, auto-negotiation must be enabled;
however, if the port speed is negotiated as 1Giga, EEE always works regardless of whether the
auto-negotiation status is enabled or disabled.
If auto-negotiation is not enabled on the port and its speed is less than 1 Giga, the EEE
operational status is disabled.
Example
switchxxxxxx(config)# eee enable
17.2 eee enable (interface)
To enable the EEE mode on an Ethernet port, use the eee enable Interface Configuration
command. To disable the mode, use the no format of the command.
Syntax
eee enable
no eee enable
Parameters
This command has no arguments or keywords.
Default Configuration
EEE is enabled.
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
If auto-negotiation is not enabled on the port and its speed is 1 Giga, the EEE operational
status is disabled.
Example
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# eee enable
17.3 eee lldp enable
To enable EEE support by LLDP on an Ethernet port, use the eee lldp enable Interface
Configuration command. To disable the support, use the no format of the command.
Syntax
eee lldp enable
no eee lldp enable
Parameters
This command has no arguments or keywords.
Default Configuration
Enabled
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
Enabling EEE LLDP advertisement enables devices to choose and change system wake-up
times in order to get the optimal energy saving mode.
Example
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# eee lldp enable
17.4 show eee
Use the show eee EXEC command to display EEE information.
Syntax
show eee [interface-id]
Parameters
interface-id—(Optional) Specify an Ethernet port.
Defaults
None
Command Mode
Privileged EXEC mode
User Guidelines
If the port is a 10G port, but the link speed is 1G, the EEE Remote status cannot be resolved
(and displayed).
Examples
Example 1 - The following displays brief Information about all ports.
switchxxxxxx# show eee
EEE globally enabled
EEE Administrate status is enabled on ports: te1/0/1-2, te1/0/4
EEE Operational status is enabled on ports: te1/0/1-2, te1/0/4
EEE LLDP Administrate status is enabled on ports: te1/0/1-3
EEE LLDP Operational status is enabled on ports: te1/0/1-2
Example 2 - The following is the information displayed when a port is in the Not Present
state; no information is displayed if the port supports EEE.
switchxxxxxx# show eee te1/0/1
Port Status: notPresent
EEE Administrate status: enabled
EEE LLDP Administrate status: enabled
Example 3 - The following is the information displayed when the port is in status DOWN.
switchxxxxxx# show eee te1/0/1
Port Status: DOWN
EEE capabilities:
Speed 10M: EEE not supported
Speed 100M: EEE supported
Speed 1G: EEE supported
Speed 10G: EEE not supported
EEE Administrate status: enabled
EEE LLDP Administrate status: enabled
Example 4 - The following is the information displayed when the port is in status UP and does
not support EEE.
switchxxxxxx# show eee te1/0/2
Port Status: UP
EEE capabilities:
Speed 10M: EEE not supported
Speed 100M: EEE supported
Speed 1G: EEE supported
Speed 10G: EEE not supported
Current port speed: 1000Mbps
EEE Administrate status: enabled
EEE LLDP Administrate status: enabled
Example 5 - The following is the information displayed when the neighbor does not support
EEE.
switchxxxxxx# show eee te1/0/4
Port Status: UP
EEE capabilities:
Speed 10M: EEE not supported
Speed 100M: EEE supported
Speed 1G: EEE supported
Speed 10G: EEE not supported
Current port speed: 1000Mbps
EEE Remote status: disabled
EEE Administrate status: enabled
EEE Operational status: disabled (neighbor does not support)
EEE LLDP Administrate status: enabled
EEE LLDP Operational status: disabled
Example 6 - The following is the information displayed when EEE is disabled on the port.
switchxxxxxx# show eee te1/0/1
Port Status: UP
EEE capabilities:
Speed 10M: EEE not supported
Speed 100M: EEE supported
Speed 1G: EEE supported
Speed 10G: EEE not supported
Current port speed: 1000Mbps
EEE Administrate status: disabled
EEE Operational status: disabled
EEE LLDP Administrate status: enabled
EEE LLDP Operational status: disabled
Example 7 - The following is the information displayed when EEE is running on the port, and
EEE LLDP is disabled.
switchxxxxxx# show eee te1/0/2
Port Status: UP
EEE capabilities:
Speed 10M: EEE not supported
Speed 100M: EEE supported
Speed 1G: EEE supported
Speed 10G: EEE not supported
Current port speed: 1000Mbps
EEE Remote status: enabled
EEE Administrate status: enabled
EEE Operational status: enabled
EEE LLDP Administrate status: disabled
EEE LLDP Operational status: disabled
Resolved Tx Timer: 10usec
Local Tx Timer: 10 usec
Resolved Timer: 25 usec
Local Rx Timer: 20 usec
Example 8 - The following is the information displayed when EEE and EEE LLDP are
running on the port.
switchxxxxxx# show eee te1/0/3
Port Status: UP
EEE capabilities:
Speed 10M: EEE not supported
Speed 100M: EEE supported
Speed 1G: EEE supported
Speed 10G: EEE not supported
Current port speed: 1000Mbps
EEE Remote status: enabled
EEE Administrate status: enabled
EEE Operational status: enabled
EEE LLDP Administrate status: enabled
EEE LLDP Operational status: enabled
Resolved Tx Timer: 10usec
Local Tx Timer: 10 usec
Remote Rx Timer: 5 usec
Resolved Timer: 25 usec
Local Rx Timer: 20 usec
Remote Tx Timer: 25 usec
Example 9 - The following is the information displayed when EEE is running on the port,
EEE LLDP is enabled but not synchronized with the remote link partner.
switchxxxxxx# show eee te1/0/4
Port Status: up
EEE capabilities:
Speed 10M: EEE not supported
Speed 100M: EEE supported
Speed 1G: EEE supported
Speed 10G: EEE not supported
Current port speed: 1000Mbps
EEE Remote status: enabled
EEE Administrate status: enabled
EEE Operational status: enabled
EEE LLDP Administrate status: enabled
EEE LLDP Operational status: disabled
Resolved Tx Timer: 64
Local Tx Timer: 64
Resolved Rx Timer: 16
Local Rx Timer: 16
Example 10 - The following is the information displayed when EEE and EEE LLDP are
running on the port.
switchxxxxxx# show eee te1/0/3
Port Status: UP
EEE capabilities:
Speed 10M: EEE not supported
Speed 100M: EEE supported
Speed 1G: EEE supported
Speed 10G: EEE not supported
Current port speed: 1000Mbps
EEE Remote status: enabled
EEE Administrate status: enabled
EEE Operational status: enabled
EEE LLDP Administrate status: enabled
EEE LLDP Operational status: enabled
Resolved Tx Timer: 10usec
Local Tx Timer: 10 usec
Remote Rx Timer: 5 usec
Resolved Timer: 25 usec
Local Rx Timer: 20 usec
Remote Tx Timer: 25 usec
18 Ethernet Configuration Commands
18.1 interface
To enter Interface configuration mode in order to configure an interface, use the interface
Global Configuration mode command.
Syntax
interface interface-id
Parameters
interface-id—Specifies an interface ID. The interface ID can be one of the following types:
Ethernet port, port-channel, VLAN, range, OOB, IP interface or tunnel.
Default Configuration
None
Command Mode
Global Configuration mode
Examples
Example 1—For Ethernet ports:
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)#
Example 2—For port channels (LAGs):
switchxxxxxx(config)# interface po1
switchxxxxxx(config-if)#
18.2 interface range
To execute a command on multiple ports at the same time, use the interface range command.
Syntax
interface range interface-id-list
Parameters
interface-id-list—Specifies a list of interface IDs. The interface ID can be one of the following
types: Ethernet port, VLAN, or port-channel.
Default Configuration
None
Command Mode
Interface (Ethernet, Port Channel, VLAN) Configuration mode
User Guidelines
Commands under the interface range context are executed independently on each interface in
the range. If the command returns an error on one of the interfaces, it does not stop the
execution of the command on other interfaces.
Example
switchxxxxxx(config)# interface range te1/0/1-4
switchxxxxxx(config-if-range)#
18.3 shutdown
To disable an interface, use the shutdown Interface Configuration mode command. To restart
a disabled interface, use the no form of this command.
Syntax
shutdown
no shutdown
Parameters
This command has no arguments or keywords.
Default Configuration
The interface is enabled.
Command Mode
Interface Configuration mode
User Guidelines
The shutdown command sets the value of ifAdminStatus (see RFC 2863) to DOWN. When
ifAdminStatus is changed to DOWN, ifOperStatus is also changed to DOWN.
The DOWN state of ifOperStatus means that the interface does not transmit/receive messages
from/to higher levels. For example, if you shut down a VLAN, on which an IP interface is
configured, bridging into the VLAN continues, but the switch cannot transmit and receive IP
traffic on the VLAN.
Notes:
• If the switch shuts down an Ethernet port, it also shuts down the port MAC
sublayer.
• If the switch shuts down a port channel, it also shuts down all ports of the port
channel.
Examples
Example 1—The following example disables te1/0/4 operations.
switchxxxxxx(config)# interface te1/0/4
switchxxxxxx(config-if)# shutdown
switchxxxxxx(config-if)#
Example 2—The following example restarts the disabled Ethernet port.
switchxxxxxx(config)# interface te1/0/4
switchxxxxxx(config-if)# no shutdown
switchxxxxxx(config-if)#
Example 3—The following example shuts down vlan 100.
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# shutdown
switchxxxxxx(config-if)#
Example 4—The following example shuts down tunnel 1.
switchxxxxxx(config)# interface tunnel 1
switchxxxxxx(config-if)# shutdown
switchxxxxxx(config-if)#
Example 5—The following example shuts down Port Channel 3.
switchxxxxxx(config)# interface po3
switchxxxxxx(config-if)# shutdown
switchxxxxxx(config-if)#
18.4 operation time
To control the time that the port is up, use the operation time Interface (Ethernet, Port
Channel) Configuration mode command. To cancel the time range for the port operation time,
use the no form of this command.
Syntax
operation time time-range-name
no operation time
Parameters
• time-range-name—Specifies a time range during which the port operates (in up state). When the
Time Range is not in effect, the port is shut down. (Range: 1–32 characters)
Default Configuration
There is no time range configured on the port authorized state.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
It is recommended to disable spanning tree or to enable spanning-tree PortFast mode on
802.1x edge ports (ports in auto state that are connected to end stations), in order to proceed to
the forwarding state immediately after successful authentication.
Example
The operation time command influences the port only if the port status is up. This command defines
the time frame during which the port stays up and the time at which the port is shut down.
While the port is shut down for other reasons, this command has no effect.
The following example activates an operation time range (named "morning") on port te1/0/1.
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# operation time morning
18.5 description
To add a description to an interface, use the description Interface (Ethernet, Port Channel)
Configuration mode command. To remove the description, use the no form of this command.
Syntax
description string
no description
Parameters
string—Specifies a comment or a description of the port to assist the user. (Length: 1–64
characters).
Default Configuration
The interface does not have a description.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
Example
The following example adds the description ‘SW#3’ to te1/0/4.
switchxxxxxx(config)# interface te1/0/4
switchxxxxxx(config-if)# description SW#3
18.6 speed
To configure the speed of a given Ethernet interface when not using auto-negotiation, use the
speed Interface (Ethernet, Port Channel) Configuration mode command. To restore the default
configuration, use the no form of this command.
Syntax
speed {10 | 100 | 1000 | 10000}
no speed
Parameters
• 10—Forces 10 Mbps operation
• 100—Forces 100 Mbps operation
• 1000—Forces 1000 Mbps operation
• 10000—Forces 10000 Mbps operation
Default Configuration
The port operates at its maximum speed capability.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
The no speed command in a port-channel context returns each port in the port-channel to its
maximum capability.
Example
The following example configures the speed of te1/0/4 to 100 Mbps operation.
switchxxxxxx(config)# interface te1/0/4
switchxxxxxx(config-if)# speed 100
18.7 duplex
To configure the full/half duplex operation of a given Ethernet interface when not using
auto-negotiation, use the duplex Interface (Ethernet, Port Channel) Configuration mode
command. To restore the default configuration, use the no form of this command.
Syntax
duplex {half | full}
no duplex
Parameters
• half—Forces half-duplex operation.
• full—Forces full-duplex operation.
Default Configuration
The interface operates in full duplex mode.
Command Mode
Interface (Ethernet) Configuration mode
Example
The following example configures te1/0/1 to operate in full duplex mode.
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# duplex full
18.8 negotiation
To enable auto-negotiation operation for the speed and duplex parameters and
primary-secondary mode of a given interface, use the negotiation Interface (Ethernet, Port Channel)
Configuration mode command. To disable auto-negotiation, use the no form of this command.
Syntax
negotiation [capability [capability2... capability5]] [preferred {primary | secondary}]
no negotiation
Parameters
• Capability—(Optional) Specifies the capabilities to advertise. (Possible values: 10h,
10f, 100h, 100f, 1000f, 10000f).
  - 10h—Advertise 10 half-duplex
  - 10f—Advertise 10 full-duplex
  - 100h—Advertise 100 half-duplex
  - 100f—Advertise 100 full-duplex
  - 1000f—Advertise 1000 full-duplex
  - 10000f—Advertise 10000 full-duplex
• Preferred—(Optional) Specifies the primary-secondary preference:
  - primary—Advertise primary preference
  - secondary—Advertise secondary preference
Default Configuration
If capability is unspecified, it defaults to the list of all the capabilities of the port, and the
preference defaults to secondary mode.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
Example
The following example enables auto-negotiation on te1/0/1.
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# negotiation
18.9 flowcontrol
To configure the Flow Control on a given interface, use the flowcontrol Interface (Ethernet,
Port Channel) Configuration mode command. To disable Flow Control, use the no form of this
command.
Syntax
flowcontrol {auto | on | off}
no flowcontrol
Parameters
• auto—Specifies auto-negotiation of Flow Control.
• on—Enables Flow Control.
• off—Disables Flow Control.
Default Configuration
Flow control is set to Disabled.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
Use the negotiation command to enable flow control auto.
Example
The following example enables Flow Control on port te1/0/1.
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# flowcontrol on
18.10 mdix
To enable cable crossover on a given interface, use the mdix Interface (Ethernet)
Configuration mode command. To disable cable crossover, use the no form of this command.
Syntax
mdix {on | auto}
no mdix
Parameters
• on—Enables manual MDIX.
• auto—Enables automatic MDI/MDIX.
Default Configuration
The default setting is Auto.
Command Mode
Interface (Ethernet) Configuration mode
Example
The following example enables automatic crossover on port te1/0/1.
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# mdix auto
18.11 back-pressure
To enable back pressure on a specific interface, use the back-pressure Interface (Ethernet)
Configuration mode command. To disable back pressure, use the no form of this command.
Syntax
back-pressure
no back-pressure
Parameters
This command has no arguments or keywords.
Default Configuration
Back pressure is disabled.
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
Back-pressure cannot be enabled when EEE is enabled.
Example
The following example enables back pressure on port te1/0/1.
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# back-pressure
18.12 port jumbo-frame
To enable jumbo frames on the device, use the port jumbo-frame Global Configuration mode
command. To disable jumbo frames, use the no form of this command.
Syntax
port jumbo-frame
no port jumbo-frame
Parameters
This command has no arguments or keywords.
Default Configuration
Jumbo frames are disabled on the device.
Command Mode
Global Configuration mode
User Guidelines
This command takes effect only after resetting the device.
Example
The following example enables jumbo frames on the device.
switchxxxxxx(config)# port jumbo-frame
18.13 ports negotiation tuning
To tune link negotiation on device interfaces, use the ports negotiation tuning Global
Configuration mode command. To disable this setting, use the no form of this command.
Syntax
ports negotiation tuning
no ports negotiation tuning
Parameters
This command has no arguments or keywords.
Default Configuration
Negotiation tuning is disabled on device interfaces.
Command Mode
Global Configuration mode
User Guidelines
Use this command to tune interface link negotiation on the device. The default value of this
command should be changed only to adjust to unusual circumstances that affect link
negotiation or stability.
This command takes effect only after resetting the device. Make sure to save the configuration to
the device startup configuration before reloading.
Example
The following example enables negotiation tuning on the device.
switchxxxxxx(config)# ports negotiation tuning
This setting will take effect only after copying running configuration to startup
configuration and resetting the device
18.14 link-flap prevention
To enable setting a physical interface to err-disable state due to excessive link flapping, use the
link-flap prevention Global Configuration mode command. Use the no form of this
command to restore the default configuration.
Syntax
link-flap prevention {enable | disable}
no link-flap prevention
Parameters
enable—Enables Link-flap Prevention.
disable—Disables Link-flap Prevention.
Default Configuration
Link-flap prevention is enabled on the device.
Command Mode
Global Configuration mode
User Guidelines
This command shuts down an Ethernet (physical) interface if the interface experiences, for a
duration of 10 seconds, 3 link flaps (link status changes) within each second.
You can use the following commands to reset an interface shut down by link-flap prevention:
• The errdisable recovery reset command with the link-flapping parameter to recover all
interfaces in this state due to link-flap prevention, or the interface interface-id parameter to reset a
given interface.
• The errdisable recovery cause command with the link-flapping parameter to automatically recover from
the link-flap prevention error-disabled state.
• The command sequence of "shutdown" and then "no shutdown" on the required interface.
Example
The following example enables link-flap prevention on the device.
switchxxxxxx(config)# link-flap prevention enable
18.15 clear counters
To clear counters on all or on a specific interface, use the clear counters Privileged EXEC
mode command.
Syntax
clear counters [interface-id]
Parameters
interface-id—(Optional) Specifies an interface ID. The interface ID can be one of the
following types: Ethernet port or port-channel.
Default Configuration
All counters are cleared.
Command Mode
Privileged EXEC mode
Example
The following example clears the statistics counters for te1/0/1.
switchxxxxxx# clear counters te1/0/1
18.16 set interface active
To reactivate an interface that was shut down, use the set interface active Privileged EXEC
mode command.
Syntax
set interface active interface-id
Parameters
interface-id— Specifies an interface ID. The interface ID can be one of the following types:
Ethernet port or port-channel.
Command Mode
Privileged EXEC mode
User Guidelines
This command is used to activate interfaces that were configured to be active, but were shut
down by the system.
Example
The following example reactivates te1/0/1.
switchxxxxxx# set interface active te1/0/1
18.17 errdisable recovery cause
To enable automatic re-activation of an interface after an Err-Disable shutdown, use the
errdisable recovery cause Global Configuration mode command. To disable automatic
re-activation, use the no form of this command.
Syntax
errdisable recovery cause {all | port-security | dot1x-src-address | acl-deny |
stp-bpdu-guard | stp-loopback-guard | loopback-detection | udld | storm-control |
link-flap }
no errdisable recovery cause {all | port-security | dot1x-src-address | acl-deny |
stp-bpdu-guard | stp-loopback-guard | loopback-detection | udld | storm-control |
link-flap }
Parameters
• all—Enables the error recovery mechanism for all reasons described below.
• port-security—Enables the error recovery mechanism for the port security
Err-Disable state.
• dot1x-src-address—Enables the error recovery mechanism for the 802.1x Err-Disable
state.
• acl-deny—Enables the error recovery mechanism for the ACL Deny Err-Disable state.
• stp-bpdu-guard—Enables the error recovery mechanism for the STP BPDU Guard
Err-Disable state.
• stp-loopback-guard—Enables the error recovery mechanism for the STP Loopback
Guard Err-Disable state.
• loopback-detection—Enables the error recovery mechanism for the Loopback
Detection Err-Disable state.
• udld—Enables the error recovery mechanism for the UDLD Shutdown state.
• storm-control—Enables the error recovery mechanism for the Storm Control
Shutdown state.
• link-flap—Enables the error recovery mechanism for the link-flap prevention
Err-Disable state.
Default Configuration
Automatic re-activation is disabled, except for the link-flap reason, where automatic re-activation is
enabled by default.
Command Mode
Global Configuration mode
Example
The following example enables automatic re-activation of an interface after all states.
switchxxxxxx(config)# errdisable recovery cause all
18.18 errdisable recovery interval
To set the error recovery timeout interval, use the errdisable recovery interval Global
Configuration mode command. To return to the default configuration, use the no form of this
command.
Syntax
errdisable recovery interval seconds
no errdisable recovery interval
Parameters
seconds—Specifies the error recovery timeout interval in seconds. (Range: 30–86400)
Default Configuration
The default error recovery timeout interval is 300 seconds.
Command Mode
Global Configuration mode
Example
The following example sets the error recovery timeout interval to 10 minutes.
switchxxxxxx(config)# errdisable recovery interval 600
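The defaults and ranges in sections 18.14, 18.17 and 18.18 combine into an effective recovery policy that is easy to misread from a list of commands. The following Python is an added example, not part of the Cisco guide: it replays a sequence of these commands and reports which Err-Disable causes will clear on their own and after how long. The function name, the grouping in SECURITY_CAUSES, the assumption that later commands override earlier ones, and the sample configuration are all choices made for this example.

```python
import re

# Causes accepted by "errdisable recovery cause" in the syntax above.
CAUSES = ("port-security", "dot1x-src-address", "acl-deny", "stp-bpdu-guard",
          "stp-loopback-guard", "loopback-detection", "udld", "storm-control",
          "link-flap")
# Assumption of this example: causes a reviewer treats as security enforcement.
SECURITY_CAUSES = frozenset(
    {"port-security", "dot1x-src-address", "acl-deny", "stp-bpdu-guard"})
DEFAULT_INTERVAL = 300                  # documented default, in seconds
MIN_INTERVAL, MAX_INTERVAL = 30, 86400  # documented range

PROMPT_RE = re.compile(r"^\S+\(config\)# ?")
CAUSE_RE = re.compile(r"^(no )?errdisable recovery cause (\S+)$")
INTERVAL_RE = re.compile(r"^(no )?errdisable recovery interval(?: (\S+))?$")
FLAP_RE = re.compile(r"^(no )?link-flap prevention(?: (enable|disable))?$")


def effective_recovery(config_text):
    """Replay Global Configuration commands and return the resulting policy."""
    enabled = {"link-flap"}   # default: only link-flap recovers automatically
    interval = DEFAULT_INTERVAL
    flap_prevention = True    # default: link-flap prevention is enabled
    errors = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        # Normalise whitespace and drop a leading "(config)#" prompt if present.
        line = PROMPT_RE.sub("", " ".join(raw.split()))
        m = CAUSE_RE.match(line)
        if m:
            negate, cause = bool(m.group(1)), m.group(2)
            if cause == "all":
                enabled = set() if negate else set(CAUSES)
            elif cause in CAUSES:
                if negate:
                    enabled.discard(cause)
                else:
                    enabled.add(cause)
            else:
                errors.append(f"line {lineno}: unknown cause {cause!r}")
            continue
        m = INTERVAL_RE.match(line)
        if m:
            value = m.group(2) or ""
            if m.group(1):    # the "no" form returns to the default
                interval = DEFAULT_INTERVAL
            elif value.isdigit() and MIN_INTERVAL <= int(value) <= MAX_INTERVAL:
                interval = int(value)
            else:
                errors.append(f"line {lineno}: interval {value!r} is outside "
                              f"{MIN_INTERVAL}-{MAX_INTERVAL}")
            continue
        m = FLAP_RE.match(line)
        if m:
            if m.group(1):    # the "no" form restores the default (enabled)
                flap_prevention = True
            elif m.group(2):
                flap_prevention = m.group(2) == "enable"
            else:
                errors.append(f"line {lineno}: link-flap prevention needs "
                              "enable or disable")
    return {
        "interval": interval,
        "auto_recovered": sorted(enabled),
        "security_auto_recovered": sorted(enabled & SECURITY_CAUSES),
        "link_flap_prevention": flap_prevention,
        "errors": errors,
    }


# Constructed sample input for this example (not taken from a real device).
SAMPLE_CONFIG = """\
switchxxxxxx(config)# errdisable recovery cause all
switchxxxxxx(config)# no errdisable recovery cause udld
switchxxxxxx(config)# errdisable recovery interval 20
switchxxxxxx(config)# errdisable recovery interval 600
switchxxxxxx(config)# link-flap prevention disable
"""

if __name__ == "__main__":
    policy = effective_recovery(SAMPLE_CONFIG)
    for key, value in policy.items():
        print(f"{key}: {value}")
```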
18.19 errdisable recovery reset
To reactivate one or more interfaces that were shut down by a given application, use the
errdisable recovery reset Privileged EXEC mode command. A single interface, multiple
interfaces or all interfaces can be specified.
Syntax
errdisable recovery reset {all | port-security | dot1x-src-address | acl-deny |
stp-bpdu-guard | stp-loopback-guard | loopback-detection | udld | storm-control |
link-flap | interface interface-id}
Parameters
• all—Reactivate all interfaces regardless of their state.
• port-security—Reactivate all interfaces in the Port Security Err-Disable state.
• dot1x-src-address—Reactivate all interfaces in the 802.1x Err-Disable state.
• acl-deny—Reactivate all interfaces in the ACL Deny Err-Disable state.
• stp-bpdu-guard—Reactivate all interfaces in the STP BPDU Guard Err-Disable state.
• stp-loopback-guard—Reactivate all interfaces in the STP Loopback Guard
Err-Disable state.
• loopback-detection—Reactivate all interfaces in the Loopback Detection Err-Disable
state.
• udld—Reactivate all interfaces in the UDLD Shutdown state.
• storm-control—Reactivate all interfaces in the Storm Control Shutdown state.
• link-flap—Reactivate all interfaces in the link-flap prevention Err-Disable state.
• interface interface-id—Reactivate interfaces that were configured to be active, but
were shut down by the system.
Default Configuration
None.
Command Mode
Privileged EXEC mode
Examples
Example 1—The following example reactivates interface te1/0/1:
switchxxxxxx# errdisable recovery reset interface te1/0/1
Example 2—The following example reactivates all interfaces regardless of their state:
switchxxxxxx# errdisable recovery reset all
Example 3—The following example enables all interfaces in the port security Err-Disable
state:
switchxxxxxx# errdisable recovery reset port-security
18.20 show interfaces configuration
To display the configuration for all configured interfaces or for a specific interface, use the
show interfaces configuration Privileged EXEC mode command.
Syntax
show interfaces configuration [interface-id | detailed]
Parameters
• interface-id—(Optional) Specifies an interface ID. The interface ID can be one of the
following types: Ethernet port or port-channel.
• detailed—(Optional) Displays information for non-present ports in addition to present
ports.
Default Configuration
Display all interfaces. If detailed is not used, only present ports are displayed.
Command Mode
Privileged EXEC mode
Example
The following example displays the configuration of all configured interfaces:
switchxxxxxx# show interfaces configuration
                                              Flow     Admin  Back      Mdix
Port     Type        Duplex  Speed  Neg       control  State  Pressure  Mode
-------  ----------  ------  -----  --------  -------  -----  --------  ----
te1/0/1  10G-Copper  Full    10000  Disabled  Off      Up     Disabled  Off
te1/0/2  10G-Copper  Full    10000  Disabled  Off      Up     Disabled  Off

                               Flow     Admin
PO      Type    Speed  Neg       Control  State
------  ------  -----  --------  -------  -----
Po1                    Disabled  Off      Up
18.21 show interfaces status
To display the status of all interfaces or of a specific interface, use the show interfaces status
Privileged EXEC mode command.
Syntax
show interfaces status [interface-id | detailed]
Parameters
• interface-id—(Optional) Specifies an interface ID. The interface ID can be one of the
following types: Ethernet port or port-channel.
• detailed—(Optional) Displays information for non-present ports in addition to present
ports.
Command Mode
Privileged EXEC mode
Default Configuration
Display for all interfaces. If detailed is not used, only present ports are displayed.
Example
The following example displays the status of all configured interfaces.
switchxxxxxx# show interfaces status
                                               Flow  Link   Back      Mdix
Port      Type        Duplex  Speed  Neg       ctrl  State  Pressure  Mode
--------  ----------  ------  -----  --------  ----  -----  --------  ----
te1/0/1   10G-Copper  Full    10000  Disabled  Off   Up     Disabled  Off
te1/0/2   10G-Copper  --      --     --        --    Down   --        --

                                        Flow     Link
PO     Type    Duplex  Speed  Neg       control  State
-----  ------  ------  -----  --------  -------  -----
Po1    1G      Full    10000  Disabled  Off      Up
*: The interface was suspended by the system.
18.22 show interfaces advertise
To display auto-negotiation advertisement information for all configured interfaces or for a
specific interface, use the show interfaces advertise Privileged EXEC mode command.
Syntax
show interfaces advertise [interface-id | detailed]
Parameters
• interface-id—(Optional) Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or port-channel.
• detailed—(Optional) Displays information for non-present ports in addition to present ports.
Default Configuration
Display for all interfaces. If detailed is not used, only present ports are displayed.
Command Mode
Privileged EXEC mode
Examples
The following examples display auto-negotiation information.
switchxxxxxx# show interfaces advertise
Port      Type        Neg     Prefered   Operational Link Advertisement
-------   ----------  ------  ---------  ------------------------------
te1/0/1   10G-Copper  Enable  primary    10000f, 1000f
te1/0/2   10G-Copper  Enable  secondary  10000f

switchxxxxxx# show interfaces advertise te1/0/1
Port:te1/0/1
Type: 10G-Copper
Link state: Up
Auto Negotiation: enabled
Preference: primary
                                  10h  10f  100h  100f  1G     10G
                                  ---  ---  ----  ----  -----  -----
Admin Local link Advertisement    yes  yes  yes   yes   yes    yes
Oper Local link Advertisement     yes  yes  yes   yes   yes    yes
Remote Local link Advertisement   no   no   yes   yes   yes    yes
Priority Resolution               -    -    -     -     -      yes

switchxxxxxx# show interfaces advertise te1/0/1
Port: te1/0/1
Type: 10G-Copper
Link state: Up
Auto negotiation: disabled.
18.23 show interfaces description
To display the description for all configured interfaces or for a specific interface, use the show
interfaces description Privileged EXEC mode command.
Syntax
show interfaces description [interface-id | detailed]
Parameters
• interface-id—(Optional) Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or port-channel.
• detailed—(Optional) Displays information for non-present ports in addition to present ports.
Default Configuration
Display description for all interfaces. If detailed is not used, only present ports are displayed.
Command Mode
Privileged EXEC mode
Example
The following example displays the description of all configured interfaces.
switchxxxxxx# show interfaces description
Port     Descriptions
------   ---------------------------------------------
te1/0/1  Port that should be used for management only
te1/0/2
te1/0/3
te1/0/4

PO    Description
----  -----------
Po1   Output
18.24 show interfaces counters
To display traffic seen by all the physical interfaces or by a specific interface, use the show
interfaces counters Privileged EXEC mode command.
Syntax
show interfaces counters [interface-id | detailed]
Parameters
• interface-id—(Optional) Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or port-channel.
• detailed—(Optional) Displays information for non-present ports in addition to present ports.
Default Configuration
Display counters for all interfaces. If detailed is not used, only present ports are displayed.
Command Mode
Privileged EXEC mode
Example
The following example displays traffic seen by all the physical interfaces.
switchxxxxxx# show interfaces counters te1/0/1
Port       InUcastPkts  InMcastPkts  InBcastPkts  InOctets
---------- ------------ ------------ ------------ -----------
te1/0/1    0            0            0            0
Port       OutUcastPkts OutMcastPkts OutBcastPkts OutOctets
---------- ------------ ------------ ------------ -----------
te1/0/1    0            1            35           7051
FCS Errors: 0
Single Collision Frames: 0
Multiple Collision Frames: 0
SQE Test Errors: 0
Deferred Transmissions: 0
Late Collisions: 0
Excessive Collisions: 0
Carrier Sense Errors: 0
Oversize Packets: 0
Internal MAC Rx Errors: 0
Symbol Errors: 0
Received Pause Frames: 0
Transmitted Pause Frames: 0
The following table describes the fields shown in the display.
Field                       Description
InOctets                    Number of received octets.
InUcastPkts                 Number of received Unicast packets.
InMcastPkts                 Number of received Unicast packets.
InBcastPkts                 Number of received broadcast packets.
OutOctets                   Number of transmitted octets.
OutUcastPkts                Number of transmitted Unicast packets.
OutMcastPkts                Number of transmitted Unicast packets.
OutBcastPkts                Number of transmitted Broadcast packets.
FCS Errors                  Number of frames received that are an integral number of octets in length but do not pass the FCS check.
Single Collision Frames     Number of frames that are involved in a single collision, and are subsequently transmitted successfully.
Multiple Collision Frames   Number of frames that are involved in more than one collision and are subsequently transmitted successfully.
SQE Test Errors             Number of times that the SQE TEST ERROR is received. The SQE TEST ERROR is set in accordance with the rules for verification of the SQE detection mechanism in the PLS Carrier Sense Function as described in IEEE Std. 802.3, 2000 Edition, section 7.2.4.6.
Deferred Transmissions      Number of frames for which the first transmission attempt is delayed because the medium is busy.
Late Collisions             Number of times that a collision is detected later than one slotTime into the transmission of a packet.
Excessive Collisions        Number of frames for which transmission fails due to excessive collisions.
Oversize Packets            Number of frames received that exceed the maximum permitted frame size.
Internal MAC Rx Errors      Number of frames for which reception fails due to an internal MAC sublayer receive error.
Received Pause Frames       Number of MAC Control frames received with an opcode indicating the PAUSE operation.
Transmitted Pause Frames    Number of MAC Control frames transmitted on this interface with an opcode indicating the PAUSE operation.
18.25 show ports jumbo-frame
To display whether jumbo frames are enabled on the device, use the show ports jumbo-frame
Privileged EXEC mode command.
Syntax
show ports jumbo-frame
Parameters
This command has no arguments or keywords.
Default Configuration
None
Command Mode
Privileged EXEC mode
Example
The following example displays whether jumbo frames are enabled on the device.
switchxxxxxx# show ports jumbo-frame
Jumbo frames are disabled
Jumbo frames will be enabled after reset
18.26 show link-flap prevention
To display whether link-flap prevention is enabled on the device, use the show link-flap
prevention Privileged EXEC mode command.
Syntax
show link-flap prevention
Parameters
This command has no arguments or keywords.
Default Configuration
None
Command Mode
Privileged EXEC mode
Example
The following example displays whether link-flap prevention is enabled on the device.
switchxxxxxx# show link-flap prevention
link-flap prevention is currently enabled on device
18.27 show errdisable recovery
To display the Err-Disable configuration of the device, use the show errdisable recovery
Privileged EXEC mode command.
Syntax
show errdisable recovery
Parameters
This command has no arguments or keywords.
Default Configuration
None
Command Mode
Privileged EXEC mode
Example
The following example displays the Err-Disable configuration.
switchxxxxxx# show errdisable recovery
Timer interval: 300 Seconds
Reason                  Automatic Recovery
----------------------  ------------------
port-security           Disable
dot1x-src-address       Disable
acl-deny                Enable
stp-bpdu-guard          Disable
stp-loopback-guard      Disable
loop-detection          Disable
udld                    Disable
storm control           Disable
link-flap               Disable
18.28 show errdisable interfaces
To display the Err-Disable state of all interfaces or of a specific interface, use the show
errdisable interfaces Privileged EXEC mode command.
Syntax
show errdisable interfaces [interface-id]
Parameters
• interface-id—(Optional) Port or port-channel number.
Default Configuration
Display for all interfaces.
Command Mode
Privileged EXEC mode
Example
The following example displays the Err-Disable state of te1/0/1.
switchxxxxxx# show errdisable interfaces
Interface     Reason              Time to recovery
                                  (sec)
------------  ------------------  -------------
te1/0/1       port-security       250
te1/0/5       acl-deny            NA
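The correlation an operator would otherwise do by eye across show errdisable recovery and show errdisable interfaces, as an added Python example that is not part of the Cisco guide. The sample outputs are constructed in the layout shown above, and the set of reasons treated as security-relevant, the function names and the action labels are assumptions of this example.

```python
import re

# Assumption: which Err-Disable reasons count as security-relevant is this example's choice.
SECURITY_REASONS = {"port-security", "dot1x-src-address", "acl-deny", "stp-bpdu-guard"}

# Constructed sample output, in the layout the guide shows for both commands.
RECOVERY_OUTPUT = """\
switchxxxxxx# show errdisable recovery
Timer interval: 300 Seconds
Reason                  Automatic Recovery
----------------------  ------------------
port-security           Enable
dot1x-src-address       Disable
acl-deny                Disable
stp-bpdu-guard          Disable
storm control           Disable
link-flap               Enable
"""

INTERFACES_OUTPUT = """\
switchxxxxxx# show errdisable interfaces
Interface     Reason              Time to recovery
                                  (sec)
------------  ------------------  -------------
te1/0/1       port-security       250
te1/0/5       acl-deny            NA
te1/0/7       link-flap           120
"""


def parse_recovery(text):
    """Return (timer_seconds, {reason: automatic_recovery_enabled})."""
    timer, auto = None, {}
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.fullmatch(r"Timer interval:\s*(\d+)\s*Seconds", line)
        if m:
            timer = int(m.group(1))
            continue
        # A reason may contain a space ("storm control"), so anchor on the last column.
        m = re.fullmatch(r"(\S.*?)\s+(Enable|Disable)", line)
        if m:
            auto[m.group(1)] = m.group(2) == "Enable"
    return timer, auto


def parse_interfaces(text):
    """Return [(port, reason, seconds_or_None)]; prompt, header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = re.fullmatch(r"\s*(\S+)\s+(\S.*?)\s+(\d+|NA)\s*", line)
        if m:
            secs = None if m.group(3) == "NA" else int(m.group(3))
            rows.append((m.group(1), m.group(2), secs))
    return rows


def triage(recovery_text, interfaces_text):
    """Join both outputs and rank suspended ports for review."""
    timer, auto = parse_recovery(recovery_text)
    report = []
    for port, reason, secs in parse_interfaces(interfaces_text):
        security = reason in SECURITY_REASONS
        if security and secs is not None:
            action = "review before auto-recovery"
        elif security:
            action = "review, no countdown shown"
        else:
            action = "routine"
        report.append({"port": port, "reason": reason, "security": security,
                       "auto_recovery": auto.get(reason), "seconds_left": secs,
                       "action": action})
    # Security suspensions first; those with a running countdown come before the rest.
    report.sort(key=lambda r: (not r["security"], r["seconds_left"] is None,
                               r["seconds_left"] or 0))
    return timer, report
```

A port suspended for a security reason with a countdown running is the one to look at first, because the evidence of what tripped it is easiest to collect while the port is still down.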
18.29 clear switchport monitor
To clear monitored statistics on all or on a specific interface or interface list, use the clear
switchport monitor Privileged EXEC mode command.
Syntax
clear switchport monitor [interface-id-list]
Parameters
interface-id-list—(Optional) Specifies a list of interface IDs. The interface ID can be one of
the following types: Ethernet port or port-channel.
Default Configuration
All monitored statistics are cleared.
Command Mode
Privileged EXEC mode
Example
The following example clears the monitored statistics for te1/0/1.
switchxxxxxx# clear switchport monitor te1/0/1
18.30 show switchport monitor
To display the monitored statistics gathered by a specific interface, use the show switchport
monitor Privileged EXEC mode command.
Syntax
show switchport monitor interface-id {seconds | minutes | hours} [utilization | tx | rx | frames]
show switchport monitor interface-id {days | weeks}
show switchport monitor utilization [interface-id]
Parameters
• interface-id—(Optional) Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or port-channel.
• seconds—last 20 samples, sampled every 15 seconds.
• minutes—last 60 samples, sampled every 60 seconds (every round minute according to system time).
• hours—last 24 samples, sampled every 60 minutes (every round hour according to system time).
• days—last 7 samples, sampled every 24 hours (midnight to midnight according to system time).
• weeks—last 12 samples, sampled every 7 days (midnight Saturday to midnight Saturday according to system time).
• utilization—shows the utilization calculated per time frame.
• rx—shows received counters statistics.
• tx—shows sent counters statistics.
• frames—shows received counters statistics collected per packet size.
Default Configuration
Display monitored statistics for an interface, or for all interfaces in the case of the show switchport
monitor utilization command.
Command Mode
Privileged EXEC mode
User Guidelines
The show switchport monitor utilization command shows a per-interface utilization summary
of the most recent sample in each time frame (i.e. last minute, last hour, last day and last week).
The show switchport monitor interface-id command shows the monitored statistics samples
collected per time frame and per counter type.
Examples
Example 1—The following example displays monitored statistics utilization seen by interface
te1/0/1.
switchxxxxxx# show switchport monitor utilization te1/0/1
Interface  Minutes Rx/TX  Hours Rx/TX  Days Rx/TX   Weeks Rx/TX
           utilization    utilization  utilization  utilization
---------  -------------  -----------  -----------  -----------
te1/0/1    95%            80%          60%          20%
Example 2—The following example displays monitored Tx statistics gathered in minutes
time frame seen by interface te1/0/1.
switchxxxxxx# show switchport monitor te1/0/1 minutes tx
Time         Unicast frames  Broadcast frames  Multicast frames  Good
             Sent            Sent              Sent              Octet
                                                                 Sent
-----------  --------------  ----------------  ----------------  -----
04:22:00(~)  95%             80%               60%               20%
04:23:00     80%             70%               60%               50%
(~) Not all samples are available.
The following table describes the fields shown in the display.
Field                            Description
Time                             Time stamp of the current sample in system real time clock. For seconds, minutes and hours format is: hh:mm:ss. For days and weeks format is: <day of week> dd/mm/yy.
Good Octets Received             Number of received octets.
Good Unicast frames Received     Number of received Unicast packets.
Good Multicast frames Received   Number of received Unicast packets.
Good Broadcast frames Received   Number of received broadcast packets.
Good Octets Sent                 Number of transmitted octets.
Good Unicast frames Sent         Number of transmitted Unicast packets.
Good Multicast frames Sent       Number of transmitted Unicast packets.
Good Broadcast frames Sent       Number of transmitted Broadcast packets.
Frames of 64 bytes               Number of received packets size of 64 bytes.
Frames of 65-127 bytes           Number of received packets size of 65-127 bytes.
Frames of 128-255 bytes          Number of received packets size of 128-255 bytes.
Frames of 256-511 bytes          Number of received packets size of 256-511 bytes.
Frames of 512-1023 bytes         Number of received packets size of 512-1023 bytes.
Frames of 1024-1518 bytes        Number of received packets size of 1024-1518 bytes.
Rx Error Frames Received         Number of frames received that are an integral number of octets in length but do not pass the FCS check.
Rx Utilization                   Utilization in percentage for Received frames on the interface.
Tx Utilization                   Utilization in percentage for Sent frames on the interface.
Rx/Tx Utilization                An average of the Rx Utilization and the Tx Utilization in percentage on the interface.
19 Green Ethernet
19.1 green-ethernet energy-detect (global)
To enable Green-Ethernet Energy-Detect mode globally, use the green-ethernet
energy-detect Global Configuration mode command. To disable this feature, use the no form
of this command.
Syntax
green-ethernet energy-detect
no green-ethernet energy-detect
Parameters
This command has no arguments or keywords.
Default Configuration
Disabled.
Command Mode
Global Configuration mode
Example
switchxxxxxx(config)# green-ethernet energy-detect
19.2 green-ethernet energy-detect (interface)
Use the green-ethernet energy-detect Interface configuration mode command to enable
Green Ethernet-Energy-Detect mode on a port. Use the no form of this command to disable it
on a port.
Syntax
green-ethernet energy-detect
no green-ethernet energy-detect
Parameters
This command has no arguments or keywords.
Default Configuration
Disabled.
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
Energy-Detect only works on copper ports. When a port is enabled for auto selection,
copper/fiber Energy-Detect cannot work.
It takes the PHY ~5 seconds to fall into sleep mode when the link is lost after normal
operation.
Example
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# green-ethernet energy-detect
19.3 green-ethernet short-reach (global)
Use the green-ethernet short-reach Global Configuration mode command to enable
Green-Ethernet Short-Reach mode globally. Use the no form of this command to disable it.
Syntax
green-ethernet short-reach
no green-ethernet short-reach
Parameters
This command has no arguments or keywords.
Default Configuration
Disabled.
Command Mode
Global Configuration mode
Example
switchxxxxxx(config)# green-ethernet short-reach
19.4 green-ethernet short-reach (interface)
Use the green-ethernet short-reach Interface Configuration mode command to enable
green-ethernet short-reach mode on a port. Use the no form of this command to disable it on a
port.
Syntax
green-ethernet short-reach
no green-ethernet short-reach
Parameters
This command has no arguments or keywords.
Default Configuration
Disabled.
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
The VCT length check can be performed only on a copper port operating at a speed of 1000
Mbps. If the media is not copper or the link speed is not 1000 Mbps, Short-Reach mode is not
applied.
When the interface is set to enhanced mode, after the VCT length check has completed and set
the power to low, an active monitoring for errors is done continuously. In the case of errors
crossing a certain threshold, the PHY will be reverted to long reach.
Note that EEE cannot be enabled if the Short-Reach mode is enabled.
Example
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# green-ethernet short-reach
19.5 green-ethernet power-meter reset
Use the green-ethernet power-meter reset Privileged EXEC mode command to reset the
power save meter.
Syntax
green-ethernet power-meter reset
Parameters
This command has no arguments or keywords.
Default Configuration
None
Command Mode
Privileged EXEC mode
Example
switchxxxxxx# green-ethernet power-meter reset
19.6 show green-ethernet
To display green-ethernet configuration and information, use the show green-ethernet
Privileged EXEC mode command.
Syntax
show green-ethernet [interface-id | detailed ]
Parameters
• interface-id—(Optional) Specifies an Ethernet port
• detailed—(Optional) Displays information for non-present ports in addition to present ports.
Default Configuration
Display for all ports. If detailed is not used, only present ports are displayed.
Command Mode
Privileged EXEC mode
User Guidelines
The power savings displayed is relevant to the power saved by:
• Port LEDs
• Energy detect
• Short reach
The EEE power saving is dynamic by nature since it is based on port utilization and is
therefore not taken into consideration.
The following describes the reasons for non-operation displayed by this command.
If there are several reasons, then only the highest priority reason is displayed.
Energy-Detect Non-Operational Reasons
Priority  Reason  Description
1         NP      Port is not present
2         LT      Link Type is not supported (fiber, auto media select)
3         LU      Port Link is up – NA
Short-Reach Non-Operational Reasons
Priority  Reason  Description
1         NP      Port is not present
2         LT      Link Type is not supported (fiber)
3         LS      Link Speed Is not Supported (10mbps,100mbps)
4         LL      Link Length received from VCT test exceeds threshold
6         LD      Port Link is Down – NA
Example
switchxxxxxx# show green-ethernet
Energy-Detect mode: Enabled
Short-Reach mode: Disabled
Disable Port LEDs mode: Enabled
Power Savings: 24% (1.08W out of maximum 4.33W)
Cumulative Energy Saved: 33 [Watt*Hour]
* Estimated Annual Power saving: 300 [Watt*Hour]
* Annual estimate is based on the saving during the previous week
NA – information for previous week is not available
Short-Reach cable length threshold: 50m
Port     Energy-Detect       Short-Reach               VCT Cable
         Admin Oper Reason   Admin Force Oper Reason   Length
----     ----- ---- -------  ----- ----- ---- -------  ------
te1/0/1  on    on            off   off   off
te1/0/2  on    off  LU       on    off   on            < 50
te1/0/3  on    off  LU       off   off   off
20 File System Commands
20.1 File Specification
The files may be located on:
• Network: TFTP servers and/or SCP servers - Network files
• Active FLASH - Flash files
• Mass-storage connected to a USB port of the Active unit - USB files. Only one mass-storage is supported.
Note. Although the switch internally supports the File System on FLASH of all stack units, the
File System CLI commands allow access only to flash files on the Active unit. Any file
synchronization needed between the Active unit and the other units is performed by the switch
automatically.
Uniform Resource Locators (URLs) are used to specify the location of a file or a directory.
The URL has the following syntax:
<url> ::= tftp://<location>/<file-path> |
          scp://[<username>:<password>@]<location>/<file-path> |
          usb://<file-path> |
          flash://<file-path> |
          <current-directory>[/<file-path>] |
          <higher-directory>[/<file-path>] |
          <file-path>
<username> ::= string up to 70 characters
<password> ::= string up to 70 characters
<location> ::= <ipv4-address> | <ipv6-address> | <dns-name>
<current-directory> ::= [{usb | flash}:][.]
<higher-directory> ::= [{usb | flash}:]..
<file-path> ::= [<directories-path>/]<filename>
<directories-path> ::= <directory-name> | <directories-path>/<directory-name>
The maximum number of directories in <directories-path> is 16.
<directory-name> ::= string up to 63 characters
<filename> ::= string up to 63 characters
Filenames and directory names consist only of characters from the portable filename character
set. The set includes the following characters:
• ABCDEFGHIJKLMNOPQRSTUVWXYZ
• abcdefghijklmnopqrstuvwxyz
• <space>
• 0123456789._-
The last three characters are the <period>, <underscore>, and <hyphen> characters,
respectively. If a URL includes spaces, it must be enclosed in " characters.
For example:
"flash://aaa it/alpha/file 125"
The maximum length of a URL is 160 characters.
The following File systems are supported on USB:
• FAT32—Full support.
• NTFS—Partial support: read only.
The switch supports the following predefined URL aliases:
• active-image—The predefined URL alias specifies the Active Image file. This file has the following permissions:
  - readable
  - executable
• inactive-image—The predefined URL alias specifies the Inactive Image file. This file has the following permissions:
  - readable
  - executable
• running-config—The predefined URL alias specifies the Running Configuration File.
• startup-config—The predefined URL alias specifies the Startup Configuration File. This file has the following permissions:
  - readable
• localization—The predefined URL alias specifies the Secondary Language Dictionary files. These files have the following permissions:
  - readable
• logging—The predefined URL alias specifies the Syslog file. This file has the following permissions:
  - readable
• mirror-config—The predefined URL alias specifies the Mirror Configuration file. This file has the following permissions:
  - readable
Example
Example 1. The following example specifies a file on TFTP server using an IPv4 address:
tftp://1.1.1.1/aaa/dat/file.txt
Example 2. The following example specifies a file on TFTP server using an IPv6 address:
tftp://3000:1:2::11/aaa/dat/file.txt
Example 3. The following example specifies a file on TFTP server using a DNS name:
tftp://files.export.com/aaa/dat/file.txt
Example 4. The following example specifies a file on FLASH:
flash://aaa/dat/file.txt
Example 5. The following example specifies files using the current directory:
./dat/file.txt
dat/file.txt
Example 6. The following example specifies a file using the higher directory:
../dat/file.txt
Example 7. The following example specifies a file on mass-storage device connected to the
USB port:
usb://aaa/dat/file.txt
Example 8. The following example specifies files on mass-storage device connected to the
USB port using the current directory:
usb:aaa/dat/file.txt
usb:./aaa/dat/file.txt
Example 9. The following example specifies a file on mass-storage device connected to the
USB port using the higher directory:
usb:../aaa/dat/file.txt
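A validator for the URL grammar and limits given in this section, as an added Python example that is not part of the Cisco guide; it is meant for checking file URLs in automation before they are placed in a CLI command, and it reports when an scp:// URL carries a cleartext password. The function and class names, the RFC 1123-style reading of <dns-name>, the refusal of "." and ".." inside <file-path>, and the scp URL in SAMPLES are assumptions of this example.

```python
import ipaddress
import re
from dataclasses import dataclass

MAX_URL_LEN = 160    # maximal URL length stated in this section
MAX_CRED_LEN = 70    # <username> and <password>
MAX_NAME_LEN = 63    # <directory-name> and <filename>
MAX_DIRS = 16        # directories in <directories-path>
NAME_RE = re.compile(r"[A-Za-z0-9 ._-]+")   # portable filename character set
# Assumption: the guide does not define <dns-name>; RFC 1123-style labels are used.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
DNS_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*")
# Four of the guide's own examples, plus one constructed scp URL (last entry).
SAMPLES = ["tftp://1.1.1.1/aaa/dat/file.txt", "tftp://3000:1:2::11/aaa/dat/file.txt",
           "flash://aaa/dat/file.txt", "usb:../aaa/dat/file.txt",
           "scp://backup:example-pw@192.0.2.10/cfg/startup.txt"]

class UrlError(ValueError):
    """The string does not fit the <url> grammar or its length limits."""

@dataclass(frozen=True)
class FileUrl:
    kind: str                   # tftp | scp | usb | flash | relative
    location: str = ""          # network forms only
    username: str = ""
    has_password: bool = False  # a cleartext SCP password is embedded
    device: str = ""            # usb/flash prefix of a relative form
    up: bool = False            # <higher-directory> form
    dirs: tuple = ()
    filename: str = ""

def _check_location(loc):
    try:
        ipaddress.ip_address(loc)           # <ipv4-address> | <ipv6-address>
    except ValueError:
        if len(loc) > 253 or not DNS_RE.fullmatch(loc):
            raise UrlError(f"bad <location>: {loc!r}") from None

def _split_path(path, allow_empty=False):
    if not path:
        if allow_empty:
            return (), ""
        raise UrlError("missing <file-path>")
    parts = path.split("/")
    for name in parts:
        if not NAME_RE.fullmatch(name):
            raise UrlError(f"name outside portable character set: {name!r}")
        if name in (".", ".."):   # this example's stricter choice, not a rule from the guide
            raise UrlError("dot segment inside <file-path>")
        if len(name) > MAX_NAME_LEN:
            raise UrlError(f"name longer than {MAX_NAME_LEN} characters")
    if len(parts) - 1 > MAX_DIRS:
        raise UrlError(f"more than {MAX_DIRS} directories")
    return tuple(parts[:-1]), parts[-1]

def parse_url(url):
    if len(url) > MAX_URL_LEN:
        raise UrlError(f"URL longer than {MAX_URL_LEN} characters")
    m = re.match(r"(tftp|scp|usb|flash)://", url)
    if m and m.group(1) in ("usb", "flash"):
        dirs, name = _split_path(url[m.end():])
        return FileUrl(m.group(1), dirs=dirs, filename=name)
    if m:
        kind = m.group(1)
        authority, _, path = url[m.end():].partition("/")
        user, has_pw = "", False
        if "@" in authority:
            if kind != "scp":
                raise UrlError("credentials are only defined for scp://")
            cred, _, authority = authority.rpartition("@")
            user, colon, password = cred.partition(":")
            if not (colon and user and password):
                raise UrlError("expected <username>:<password>@")
            if max(len(user), len(password)) > MAX_CRED_LEN:
                raise UrlError(f"credential longer than {MAX_CRED_LEN} characters")
            has_pw = True
        _check_location(authority)
        dirs, name = _split_path(path)
        return FileUrl(kind, authority, user, has_pw, dirs=dirs, filename=name)
    # Relative forms: [{usb | flash}:], then "." or "..", then an optional <file-path>.
    m = re.match(r"(usb|flash):", url)
    device, rest = (m.group(1), url[m.end():]) if m else ("", url)
    up = rest == ".." or rest.startswith("../")
    if up:
        rest = rest[3:]
    elif rest == "." or rest.startswith("./"):
        rest = rest[2:]
    dirs, name = _split_path(rest, allow_empty=True)
    return FileUrl("relative", device=device, up=up, dirs=dirs, filename=name)

def audit(urls):
    """Map each URL to 'ok', 'ok, embeds SCP password' or 'rejected: <why>'."""
    out = {}
    for u in urls:
        try:
            out[u] = "ok, embeds SCP password" if parse_url(u).has_password else "ok"
        except UrlError as exc:
            out[u] = f"rejected: {exc}"
    return out
```

Because the grammar places the SCP password inside the URL itself, any script, ticket or log that records the full command line also records the credential; the audit result makes those URLs easy to find.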
20.2 System Flash Files
The system files used by the switch are in the flash://system/ directory. A user cannot add,
delete, or rename the system files and directories, and cannot create new directories under
the system directory.
The system files are divided into the following groups:
• Inner System files. The files are created by the switch itself. For example the Syslog file.
• Files installed/Uninstalled by user. This group includes the following files:
  - Active and Inactive Images
  - Startup Configuration
  - Secondary Language Dictionary
The following boot commands install/uninstall these files:
• boot config
• boot localization
• boot system
Additionally, the following commands from previous versions can be used too:
• copy (copy running-config startup-config)
• write
Note. Reset to Factory Default removes all files from the FLASH except the following files:
• active-image
• inactive-image
• mirror-config
• localization
The flash://system/ directory contains the following directories:
• flash://system/images/—The directory contains the Active and Inactive Image files.
• flash://system/configuration/—The directory contains the Startup and Mirror Configuration files.
• flash://system/localization/—The directory contains the Secondary Language Dictionary files.
• flash://system/syslog/—The directory contains the Syslog file.
• flash://system/applications/—The directory contains inner system files managed by the switch applications.
20.3 Flash File System on Stack
The CLI commands provide access only to files located on the Active unit FLASH. The switch
automatically synchronizes files between the Active unit and Member units:
• The Standby unit’s Flash File system is fully synchronized with the Active unit’s Flash File System.
• For the File system of non-Standby Member units, only the following files are synchronized:
  - Active Image file
  - Inactive Image file
  - Secondary Language Dictionary files
  All other files and directories are deleted.
20.4 boot config
To install a file as Startup Configuration after reload, use the boot config command in
Privileged EXEC mode. To uninstall the Startup configuration file, use the no form of this
command.
Syntax
boot config startup-config-url
boot config running-config
boot config mirror-config
no boot config
Parameters
• startup-config-url—The URL of a file. The predefined URLs cannot be configured.
Default Configuration
N/A
Command Mode
Privileged EXEC mode
User Guidelines
Use the boot config startup-config-url command to install Startup Configuration from the
startup-config-url file. The file must be a text file containing CLI commands. The command
performs the following actions:
• Copies the file into the system directory flash://system/configuration/
• Converts the file format from the text format into the inner binary format.
• Installs the converted file as Startup Configuration. The previous Startup Configuration file is deleted.
• Installs Startup Configuration on Standby unit.
Use the boot config running-config command to install Startup Configuration from Running
Configuration.
Use the boot config mirror-config command to install Startup Configuration from the Mirror
Configuration file.
Use the no boot config command to uninstall Startup Configuration. The uninstalled file is
deleted.
Example
Example 1. The following example installs Startup Configuration from a TFTP server:
switchxxxxxx# boot config tftp://1.1.1./confiration-files/config-v1.9.dat
Example 2. The following example installs Startup Configuration from FLASH:
switchxxxxxx# boot config flash://confiration-files/config-v1.9.dat
Example 3. The following example unsets the current Startup Configuration:
switchxxxxxx# no boot config
Example 4. The following example installs Startup Configuration from the Running
Configuration file:
switchxxxxxx# boot config running-config
Example 5. The following example installs Startup Configuration from the Mirror
Configuration file:
switchxxxxxx# boot config mirror-config
20.5 boot localization
To install a file as the Secondary Language Dictionary file, use the boot localization
command in Privileged EXEC mode. To remove all the installed language files, use the no
form of this command.
Syntax
boot localization dictionary-url
no boot localization
Parameters
• dictionary-url—The URL of a file. The predefined URLs cannot be configured.
Default Configuration
Default language.
Command Mode
Privileged EXEC mode
User Guidelines
Use the boot localization dictionary-url command to install a Secondary Language Dictionary
from the dictionary-url file. The command performs the following actions:
• Copies the file into the system directory flash://system/localization/
• Validates the installed file format and whether the file language is supported by the device. If the file does not have the correct format, or if the file language is not supported by the device, the file is not copied and the command will finish with an error.
• Replaces the relevant language file on the device with the installed file. Updating a language file does not change the active secondary language used by a web GUI user.
• Installs the relevant Secondary Language Dictionary file on all the other stack units.
Use the no boot localization command to uninstall the Secondary Language Dictionary. The
uninstalled files are deleted.
Example
Example 1. The following example installs the Secondary Language Dictionary file from a
TFTP server:
switchxxxxxx# boot localization tftp://196.1.1.1/web-dictionaries/germany-dictionary.lang
Example 2. The following example installs the Secondary Language Dictionary file from
FLASH:
switchxxxxxx# boot localization flash://web-dictionaries/germany-dictionary.lang
20.6 boot system
To install the system (active) image that the switch loads at startup, use the boot system
command in Privileged EXEC mode.
Syntax
boot system image-url
boot system inactive-image
Parameters
• image-url—The URL of a file. The predefined URLs cannot be configured.
Default Configuration
No default.
Command Mode
Privileged EXEC mode
User Guidelines
Use the boot system image-url command to install a new active image from the image-url file.
The command performs the following actions:
• Copies the file into the system directory flash://system/image/
• Validates its format. If the file does not have the correct image format, the file is deleted and the command finishes with an error.
• Installs the copied file as the active image that will be loaded at startup. The previous active image file is saved as the inactive image. The previous inactive image is deleted.
• Installs the new active image in all stack units.
Use the boot system inactive-image command to set the inactive image as the active one and the
active image as the inactive one.
The command installs the inactive image as active in all stack units.
Use the show bootvar / show version command to display information about the active and
inactive images.
Example
Example 1. The following example sets a new active image from a TFTP server:
switchxxxxxx# boot system tftp://145.21.2.3/image/image-v1-1.ros
Example 2. The following example sets a new active image from FLASH:
switchxxxxxx# boot system flash://images/image-v1-1.ros
Example 3. The following example sets the inactive image:
switchxxxxxx# boot system inactive-image
20.7 cd
To change the current directory or file system, use the cd command in User EXEC mode.
Syntax
cd url
Parameters
• url—Specifies a directory on FLASH or on USB.
Default Configuration
The flash root directory (flash://)
Command Mode
User EXEC mode
User Guidelines
When a terminal session is started the current directory of the session is set to flash://. Use the
cd command to change the current directory.
Example
Example 1. The following example sets a new current directory on FLASH:
switchxxxxxx> pwd
flash://
switchxxxxxx> cd date/aaa
switchxxxxxx> pwd
flash://date/aaa
Example 2. The following example sets a new current directory on USB:
switchxxxxxx> pwd
flash://
switchxxxxxx> cd usb://
switchxxxxxx> pwd
usb://
20.8 copy
To copy any file from a source to a destination, use the copy command in Privileged EXEC
mode.
Syntax
copy src-url dst-url
copy {running-config | startup-config} dst-url [exclude | include-encrypted | include-plaintext]
copy src-url running-config
copy running-config startup-config
copy tech-support cbd usb://<file-path>
Parameters
• src-url—The location URL of the source file to be copied. The predefined URL aliases can be configured.
• dst-url—The URL of the destination file or the directory to be copied. The predefined URL aliases cannot be configured.
• exclude—The file being copied does not include sensitive data.
• include-encrypted—The file includes sensitive data in its encrypted form. This secure option is applied by default, if no secure option is configured.
• include-plaintext—The file includes sensitive data in its plaintext form.
• tech-support cbd—Indicates that the source is the Cisco Business Dashboard (CBD) tech support information. If this source is selected, the destination can only be USB. If the specified filename does not include the ".zip" suffix, this suffix is added automatically to the copied filename (full path length up to 160 characters).
Command Mode
Privileged EXEC mode
User Guidelines
The following guidelines are relevant:
• You cannot copy one network file to another network file.
• Localization is not supported as a predefined src-url or dst-url.
• Use the copy src-url dst-url command to copy any file. If the dst-url argument specifies an existing flash file, the command fails if that file does not have writable permission. If the dst-url argument specifies a directory, the file is copied into the directory with the same name. No file format validation or conversion is performed. If both the src-url and dst-url arguments specify flash files, the dst-url file will have the permissions of the src-url file. If the src-url argument specifies a non-flash file and the dst-url argument specifies a flash file, the dst-url file will have the following permissions:
- readable
- writable
• Use the copy src-url running-config command to add a file to the Running Configuration file.
• The copy running-config startup-config command has exactly the same functionality as the boot config command with the running-config keyword.
Example
Example 1. The following example copies file file1 from the TFTP server 172.16.101.101 to
the flash://aaa/file1 file:
switchxxxxxx# copy tftp://172.16.101.101/file1 flash://aaa/file1
Example 2. The following example saves the Startup configuration file in the
tftp://172.16.101.101/config.txt file:
switchxxxxxx# copy startup-config tftp://172.16.101.101/config.txt include-encrypted
Example 3. The following example copies the Running Configuration file to the Startup
configuration:
switchxxxxxx# copy running-config startup-config
Example 4. The following example copies the Syslog file to a TFTP server:
switchxxxxxx# copy logging tftp://1.1.1.1/syslog.txt
Example 5. The following example copies a file from the mass-storage device connected to
the USB port to Flash:
switchxxxxxx# copy usb://aaa/file1.txt flash://dir1/file2
20.9 delete
To delete a local file, use the delete command in Privileged EXEC mode.
Syntax
delete url
delete startup-config
Delete SNA Storage file-name
Parameters
• url—Specifies the local URL of the local file to be deleted. The predefined and network URLs cannot be configured.
• file-name—Specifies the name of the SNA user file to delete.
Command Mode
Privileged EXEC mode
User Guidelines
The delete url command cannot delete a network file.
Use the delete startup-config command to delete the Startup Configuration file.
Use the Delete SNA Storage file-name command to delete the SNA Settings saved for a specific
user (as specified in the file-name parameter).
Example
Example 1. The following example deletes the file called ‘backup/config’ from FLASH:
switchxxxxxx# cd flash://backup/
switchxxxxxx# delete aaa.ttt
Delete flash://backup/aaa.ttt? [Y/N]Y
Example 2. The following example deletes the file called ‘aaa/config’ from the mass-storage
device connected to the USB port:
switchxxxxxx# delete usb://aaa/config
Delete usb://aaa/config? [Y/N]Y
20.10 dir
To display a list of files on a file system, use the dir command in User EXEC mode.
Syntax
dir [url]
Parameters
• url—Specifies the local URL of the directory to be displayed. The predefined and network URLs cannot be configured. If the argument is omitted, the current directory is used.
Command Mode
User EXEC mode
User Guidelines
The command cannot be applied to a network directory.
Use the dir command without the argument to display the current directory.
Examples
The following example displays the flash://mng/ directory:
switchxxxxxx> dir flash://mng/
Permissions
d-directory
r-readable
w-writable
x-executable
134560K of 520000K are free
Directory of flash://mng/
Permission  File Size  Last Modified          File Name
----------  ---------  --------------------   ------------------
drw-        4720148    Dec 12 2010 17:49:36   bin
-r--        60         Dec 12 2011 17:49:36   config-list
-r--        160        Feb 12 2011 17:49:36   image-list
-r-x        6520148    Nov 29 2010 7:12:30    image1
-rw-        2014       Nov 20 2010 9:12:30    data
20.11 mkdir
To create a new directory, use the mkdir command in Privileged EXEC mode.
Syntax
mkdir url
Parameters
• url—Specifies the URL of the created directory. The predefined and network URLs cannot be configured.
Command Mode
Privileged EXEC mode
User Guidelines
The mkdir command cannot be applied to a network directory.
The mkdir command cannot create a directory in the flash://system/ directory.
All directories defined in the url argument except the created one must exist.
Example
Example 1. The following example creates a directory on FLASH:
switchxxxxxx# mkdir flash://date/aaa/
Example 2. The following example creates a directory on the mass-storage device connected
to the USB port:
switchxxxxxx# mkdir usb://newdir/
20.12 more
To display the contents of a file, use the more command in User EXEC mode.
Syntax
more url
Parameters
• url—Specifies the local URL or predefined file name of the file to display.
Command Mode
User EXEC mode
User Guidelines
The command cannot be applied to a network file.
The more running-config command displays the same output as the show running-config
command regardless of the specified format.
The more startup-config command displays the same output as the show startup-config
command regardless of the specified format.
The more active-image and more inactive-image commands display only the version
number of the image regardless of the specified format.
Example
The following example displays the running configuration file contents:
switchxxxxxx> more running-config
no spanning-tree
interface range gi1/1//11-48
speed 1000
exit
no lldp run
line console
exec-timeout 0
20.13 pwd
To show the current directory, use the pwd command in User EXEC mode.
Syntax
pwd [usb: | flash:]
Parameters
• usb:—Display the current directory on the USB driver.
• flash:—Display the current directory on the FLASH driver.
Command Mode
User EXEC mode
User Guidelines
Use the pwd usb: | flash: command to show the current directory on the specified driver.
Use the pwd command to show the current directory set by the recent cd command.
Example
The following example uses the cd command to change the current directory and then uses the
pwd command to display that current directory:
switchxxxxxx> pwd
flash://
switchxxxxxx> cd date/aaa
switchxxxxxx> pwd
flash://date/aaa
20.14 reload
To reload the operating system, use the reload command in Privileged EXEC mode.
Syntax
reload [in [hhh:mm | mmm] | at hh:mm [day month] | cancel]
reload cancel
Parameters
• in hhh:mm | mmm—Schedules a reload of the image to take effect in the specified minutes or hours and minutes. The reload must take place within approximately 24 days.
• at hh:mm—Schedules a reload of the image to take place at the specified time (using a 24-hour clock). If you specify the month and day, the reload is scheduled to take place at the specified time and date. If you do not specify the month and day, the reload takes place at the specified time on the current day (if the specified time is later than the current time) or on the next day (if the specified time is earlier than the current time). Specifying 00:00 schedules the reload for midnight. The reload must take place within 24 hours.
• day—Number of the day in the range from 1 to 31.
• month—Month of the year. (Range: Jan–Dec)
• cancel—Cancels a scheduled reload.
Command Mode
Privileged EXEC mode
User Guidelines
Use the reload command to reload the switch.
Use the reload {in hhh:mm | mmm | at hh:mm [day month]} command to
schedule a switch reload.
The at keyword can be configured only if the system clock has been set on the switch.
When you specify the reload time using the at keyword, if you specify the month and day, the
reload takes place at the specified time and date. If you do not specify the month and day, the
reload takes place at the specified time on the current day (if the specified time is later than the
current time), or on the next day (if the specified time is earlier than the current time).
Specifying 00:00 schedules the reload for midnight. The reload must take place within 24
days.
Use the reload cancel command to cancel the scheduled reload.
To display information about a scheduled reload, use the show reload command.
Example
Example 1. The following example reloads the switch:
switchxxxxxx# reload
This command will reset the whole system and disconnect your current session.
Do you want to continue? (Y/N) [Y]
Example 2. The following example reloads the image in 10 minutes:
switchxxxxxx# reload in 10
This command will reset the whole system and disconnect your current session.
Reload is scheduled for 11:57:08 UTC Fri Apr 21 2012 (in 10 minutes). Do you
want to continue? (Y/N) [Y]
Example 3. The following example reloads the image at 12:10 24 Aug:
switchxxxxxx# reload at 12:10 24 Aug
This command will reset the whole system and disconnect your current session.
Reload is scheduled for 12:10:00 UTC Sun Aug 24 2014 (in 1 hours and 12
minutes). Do you want to continue ? (Y/N)[N]
Example 4. The following example reloads the image at 13:00:
switchxxxxxx# reload at 13:00 soft
This command will reset the whole system and disconnect your current session.
Reload is scheduled for 13:00:00 UTC Fri Apr 21 2012 (in 1 hour and 3
minutes). Do you want to continue? (Y/N) [Y]
Example 5. The following example cancels a reload.
switchxxxxxx# reload cancel
Reload cancelled.
20.15 rename
To rename a local file or directory, use the rename command in Privileged EXEC mode.
Syntax
rename url new-url
Parameters
• url—Specifies the URL of the file or directory to be renamed. The predefined and network URLs cannot be configured.
• new-url—Specifies the new URL of the renamed file or directory. The predefined and network URLs cannot be configured.
Command Mode
Privileged EXEC mode
User Guidelines
The url and new-url arguments must specify the same driver.
The command cannot rename a network file or network directory.
The command cannot rename a file or directory into the flash://system directory.
Examples
Example 1. The following example renames the flash://bin/text1.txt file to
flash://archive/text1sav.txt:
switchxxxxxx# cd flash://archive
switchxxxxxx# rename flash://bin/text1.txt ./text1sav.txt
Example 2. The following example renames the flash://a/b directory to the flash://e/g/h
directory:
switchxxxxxx# pwd
flash://a/b/c/d
switchxxxxxx> dir flash://a
Permissions
• d-directory
• r-readable
• w-writable
• x-executable
134560K of 520000K are free
Directory of flash://a
File Name  Permission  File Size  Last Modified
---------  ----------  ---------  --------------------
b          drw-        472148     Dec 13 2010 15:49:36
switchxxxxxx> dir flash://e/g/h
Permissions
• d-directory
• r-readable
• w-writable
• x-executable
134560K of 520000K are free
Directory of flash://e/g/h
File Name  Permission  File Size  Last Modified
---------  ----------  ---------  --------------------
switchxxxxxx# rename flash://a/b flash://e/g/h
switchxxxxxx# pwd
flash://e/g/h/c/d
switchxxxxxx> dir flash://a
Permissions
• d-directory
• r-readable
• w-writable
• x-executable
134560K of 520000K are free
Directory of flash://mng/
File Name  Permission  File Size  Last Modified
---------  ----------  ---------  --------------------
switchxxxxxx> dir flash://e/g/h
Permissions
• d-directory
• r-readable
• w-writable
• x-executable
134560K of 520000K are free
Directory of flash://e/g/h
File Name  Permission  File Size  Last Modified
---------  ----------  ---------  --------------------
c          drw-        720148     Dec 12 2010 17:49:36
20.16 rmdir
To remove a local directory, use the rmdir command in Privileged EXEC mode.
Syntax
rmdir url
Parameters
• url—Specifies the URL of the file or directory to be deleted. The predefined and network URLs cannot be configured.
Command Mode
Privileged EXEC mode
User Guidelines
Only an empty directory can be deleted.
The command cannot remove a network directory.
The command cannot remove a directory in the flash://system directory.
Example
Example 1. The following example removes the directory called ‘backup/config/’ from
FLASH:
switchxxxxxx# rmdir flash://backup/config/
Remove flash://backup/config? [Y/N]Y
Example 2. The following example removes the directory called ‘aaa/config’ from the
mass-storage device connected to the USB port:
switchxxxxxx# rmdir usb://aaa/config/
Remove directory usb://aaa/config? [Y/N]Y
20.17 service mirror-configuration
Use the service mirror-configuration Global Configuration mode command to enable the
mirror-configuration service. Use no service mirror-configuration command to disable the
service.
Syntax
service mirror-configuration
no service mirror-configuration
Parameters
This command has no arguments or keywords.
Default Configuration
The default configuration is mirror-configuration service enabled.
Command Mode
Global Configuration mode
User Guidelines
The mirror-configuration service automatically keeps a copy of the last known stable
configuration (startup configuration that has not been modified for 24H).
When this service is disabled, the mirror-configuration file is deleted.
Examples
Example 1 - The following example disables the mirror-configuration service:
switchxxxxxx(config)# no service mirror-configuration
This operation will delete the mirror-config file if exists. Do you want to continue? (Y/N) [N]
Example 2 - The following example enables the mirror-configuration service:
switchxxxxxx(config)# service mirror-configuration
Service is enabled.
20.18 show bootvar / show version
To display the active system image file that was loaded by the device at startup, and to display
the system image file that will be loaded after rebooting the switch, use the show bootvar or
show version command in User EXEC mode.
Syntax
show bootvar
show version
Parameters
This command has no arguments or keywords.
Command Mode
User EXEC mode
User Guidelines
The show bootvar and show version commands have the same functionality.
Example
Example 1. The following example gives an example of the command output after reload:
switchxxxxxx# show bootvar
Active-image: flash://system/images/image_v12-03.ros
Version: 12.03
MD5 Digest: 23FA000012857D8855AABC7577AB5562
Date: 04-Jul-2014
Time: 15:03:07
Inactive-image: flash://system/images/image_v12-01.ros
Version: 12.01
MD5 Digest: 3FA000012857D8855AABC7577AB8999
Date: 04-Feb-2001
Time: 11:13:17
Example 2. This example continues the previous one, after applying the boot system
tftp://1.1.1.1/image_v14-01.ros command:
switchxxxxxx# show bootvar
Active-image: flash://system/images/image_v12-03.ros
Version: 12.03
MD5 Digest: 63FA000012857D8855AABEA7451265456
Date: 04-Jul-2014
Time: 15:03:07
Inactive after reboot
Inactive-image: flash://system/images/image_v14-01.ros
Version: 14.01
MD5 Digest: 23FA000012857D8855AABC7577AB5562
Date: 24-Jul-2014
Time: 23:11:17
Active after reboot
Example 3. This example continues the previous one, after a system reload:
switchxxxxxx# show bootvar
Active-image: flash://system/images/image_v14-01.ros
Version: 14.01
MD5 Digest: 23FA000012857D8855AABC7577AB5562
Date: 24-Jul-2014
Time: 23:11:17
Inactive-image: flash://system/images/image_v12-03.ros
Version: 12.03
MD5 Digest: 63FA000012857D8855AABEA7451265456
Date: 04-Jul-2014
Time: 15:03:07
Example 4. This example continues the previous one, after applying the boot system
inactive-image command:
switchxxxxxx# show bootvar
Active-image: flash://system/images/image_v14-01.ros
Version: 14.01
MD5 Digest: 23FA000012857D8855AABC7577AB5562
Date: 24-Jul-2014
Time: 23:11:17
Inactive after reboot
Inactive-image: flash://system/images/image_v12-03.ros
Version: 12.03
MD5 Digest: 63FA000012857D8855AABEA7451265456
Date: 04-Jul-2014
Time: 15:03:07
Active after reboot
Example 5. This example continues the previous one, after a system reload:
switchxxxxxx# show bootvar
Active-image: flash://system/images/image_v12-03.ros
Version: 12.03
MD5 Digest: 63FA000012857D8855AABEA7451265456
Date: 04-Jul-2014
Time: 15:03:07
Inactive-image: flash://system/images/_image_v12-03.ros
Version: 12.03
MD5 Digest: 63FA000012857D8855AABEA7451265456
Date: 04-Jul-2014
Time: 15:03:07
Example 7. The following example gives an example of the command output after applying
the boot system command two times:
switchxxxxxx# show bootvar
Active-image: flash://system/images/image_v12-03.ros
Version: 12.03
MD5 Digest: 63FA000012857D8855AABEA7451265456
Date: 04-Jul-2014
Time: 15:03:07
Inactive-image: flash://system/images/image_v12-01.ros
Version: 12.01
MD5 Digest: 3FA000012857D8855AABC7577AB8999
Date: 04-Feb-2001
Time: 11:13:17
switchxxxxxx# boot system tftp://1.1.1.1/image_v14-01.ros
switchxxxxxx# show bootvar
Active-image: flash://system/images/image_v12-03.ros
Version: 12.03
MD5 Digest: 63FA000012857D8855AABEA7451265456
Date: 04-Jul-2014
Time: 15:03:07
Inactive after reboot
Inactive-image: flash://system/images/image_v14-01.ros
Version: 14.01
MD5 Digest: 23FA000012857D8855AABC7577AB5562
Date: 24-Jul-2014
Time: 23:11:17
Active after reboot
switchxxxxxx# boot system tftp://1.1.1.1/image_v14-04.ros
switchxxxxxx# show bootvar
Active-image: flash://system/images/image_v12-03.ros
Version: 12.03
MD5 Digest: 63FA000012857D8855AABEA7451265456
Date: 04-Jul-2014
Time: 15:03:07
Inactive after reboot
Inactive-image: flash://system/images/image_v14-04.ros
Version: 14.01
MD5 Digest: 23FA000012857D8855AABC7577AB5562
Date: 24-Jul-2014
Time: 23:11:17
Active after reboot
Example 8. The following example gives an example of the command output after applying
the boot system tftp://1.1.1.1/image_v14-01.ros command and the boot system
inactive-image command:
switchxxxxxx# show bootvar
Active-image: flash://system/images/image_v12-03.ros
Version: 12.03
MD5 Digest: 63FA000012857D8855AABEA7451265456
Date: 04-Jul-2014
Time: 15:03:07
Inactive-image: flash://system/images/image_v12-01.ros
Version: 12.01
MD5 Digest: 3FA000012857D8855AABC7577AB8999
Date: 04-Feb-2001
Time: 11:13:17
switchxxxxxx# boot system tftp://1.1.1.1/image_v14-01.ros
switchxxxxxx# show bootvar
Active-image: flash://system/images/image_v12-03.ros
Version: 12.03
MD5 Digest: 63FA000012857D8855AABEA7451265456
Date: 04-Jul-2014
Time: 15:03:07
Inactive after reboot
Inactive-image: flash://system/images/image_v14-01.ros
Version: 14.01
MD5 Digest: 23FA000012857D8855AABC7577AB5562
Date: 24-Jul-2014
Time: 23:11:17
Active after reboot
switchxxxxxx# boot system inactive-image
switchxxxxxx# show bootvar
Active-image: flash://system/images/image_v12-03.ros
Version: 12.03
MD5 Digest: 63FA000012857D8855AABEA7451265456
Date: 04-Jul-2014
Time: 15:03:07
Inactive-image: flash://system/images/image_v14-01.ros
Version: 14.01
MD5 Digest: 23FA000012857D8855AABC7577AB5562
Date: 24-Jul-2014
Time: 23:11:17
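The show bootvar output above carries everything needed to check which image a switch will load next and whether its digest matches the release you meant to install. The following Python sketch is an added example, not part of the Cisco guide: it parses that output and reports malformed digests, unapproved versions, digest mismatches and an image staged to become active at the next reboot. The function names and the APPROVED table are assumptions made for illustration; the sample text reuses Example 2 above, whose placeholder digest for the active image is 33 characters long and is therefore reported as malformed.

```python
import re

HEADER = re.compile(r"^(Active|Inactive)-image:\s*(\S+)$")
FIELD = re.compile(r"^(Version|MD5 Digest|Date|Time):\s*(.+)$")
MARKER = re.compile(r"^(Active|Inactive) after reboot$")
MD5_HEX = re.compile(r"^[0-9a-f]{32}$")

# Sample input: the text of Example 2 above (documentation placeholder values).
SAMPLE_BOOTVAR = """\
switchxxxxxx# show bootvar
Active-image: flash://system/images/image_v12-03.ros
Version: 12.03
MD5 Digest: 63FA000012857D8855AABEA7451265456
Date: 04-Jul-2014
Time: 15:03:07
Inactive after reboot
Inactive-image: flash://system/images/image_v14-01.ros
Version: 14.01
MD5 Digest: 23FA000012857D8855AABC7577AB5562
Date: 24-Jul-2014
Time: 23:11:17
Active after reboot
"""

# Hypothetical allow-list: version -> digest copied from a trusted release
# source. The value here is the placeholder from the example, not a real one.
APPROVED = {"14.01": "23fa000012857d8855aabc7577ab5562"}


def parse_bootvar(text):
    """Return {'active': {...}, 'inactive': {...}} from show bootvar output."""
    images, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = {"path": m.group(2), "after_reboot": None}
            images[m.group(1).lower()] = current
            continue
        if current is None:
            continue  # prompt or banner before the first image block
        m = FIELD.match(line)
        if m:
            key = m.group(1).lower().replace(" digest", "")  # 'md5 digest' -> 'md5'
            current[key] = m.group(2).strip()
            continue
        m = MARKER.match(line)
        if m:
            current["after_reboot"] = m.group(1).lower()
    return images


def next_boot_slot(images):
    """Slot ('active' or 'inactive') whose image loads at the next startup."""
    for slot, img in images.items():
        if img["after_reboot"] == "active":
            return slot
    return "active"


def audit_bootvar(text, approved):
    """Return a list of (slot, finding, detail) tuples.

    The digest is MD5 and is reported by the device itself, so a match is a
    consistency check against the intended release, not proof of integrity.
    """
    images = parse_bootvar(text)
    findings = []
    for slot in ("active", "inactive"):
        img = images.get(slot)
        if img is None:
            findings.append((slot, "missing", "slot not present in output"))
            continue
        digest = img.get("md5", "").lower()
        version = img.get("version", "")
        if not MD5_HEX.match(digest):
            findings.append((slot, "malformed-digest", digest))
        elif version not in approved:
            findings.append((slot, "unapproved-version", version))
        elif approved[version].lower() != digest:
            findings.append((slot, "digest-mismatch", digest))
    boot = next_boot_slot(images)
    if boot != "active":
        # An image has been staged and will replace the running one on reload.
        findings.append((boot, "pending-swap", images[boot]["path"]))
    return findings


if __name__ == "__main__":
    for finding in audit_bootvar(SAMPLE_BOOTVAR, APPROVED):
        print(finding)
```

Run it against output collected from each stack before and after a change window; a pending-swap finding outside a planned upgrade is worth tracing back to the boot system command that staged it.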
20.19 show mirror-configuration service
To display the mirror-configuration service status, use the show mirror-configuration service
command in User EXEC mode.
Syntax
show mirror-configuration service
Command Mode
User EXEC mode
Example
The following example displays the status of the mirror-configuration service:
switchxxxxxx# show mirror-configuration service
Mirror-configuration service is enabled
20.20 show reload
To display the reload status on the switch, use the show reload command in User EXEC
mode.
Syntax
show reload
Parameters
This command has no arguments or keywords.
Command Mode
User EXEC mode
User Guidelines
You can use the show reload command to display a pending image reload. To cancel the
reload, use the reload command with the cancel keyword.
Example
Example 1. The following example displays information when a scheduled reload has been
configured:
switchxxxxxx> show reload
Image reload scheduled for 00:00:00 UTC Sat April 20 (in 3 hours and 12 minutes)
Example 2. The following example displays information when a scheduled reload has not been
configured:
switchxxxxxx> show reload
No scheduled reload
20.21 show running-config
To display the contents of the currently running configuration file, use the
show running-config command in Privileged EXEC mode.
Syntax
show running-config [interface interface-id-list | detailed | brief]
Parameters
• interface interface-id-list—Specifies a list of interface IDs. The interface IDs can be one of the following types: Ethernet port, port-channel or VLAN.
• detailed—Displays configuration with SSL and SSH keys and certificates.
• brief—Displays configuration without SSL and SSH keys and certificates.
Default Configuration
All interfaces are displayed. If the detailed or brief keyword is not specified, the brief
keyword is applied.
Command Mode
Privileged EXEC mode
Example
The following example displays the running configuration file contents.
switchxxxxxx# show running-config
config-file-header
AA307-02
v1.2.5.76 / R750_NIK_1_2_584_002
CLI v1.0
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
unit-type unit 1 network te uplink none
unit-type unit 2 network te uplink none
unit-type unit 3 network te uplink none
unit-type unit 4 network te uplink none
unit-type unit 5 network te uplink none
unit-type unit 6 network te uplink none
unit-type unit 7 network te uplink none
unit-type unit 8 network te uplink none
unit-type-control-end
!
no spanning-tree
interface range te1/0/1-4
speed 1000
exit
no lldp run
interface vlan 1
ip address 1.1.1.1 255.0.0.0
exit
line console
exec-timeout 0
exit
switchxxxxxx#
20.22 show startup-config
To display the Startup Configuration file contents, use the show startup-config command in
Privileged EXEC mode.
Syntax
show startup-config [interface interface-id-list]
Parameters
• interface interface-id-list—Specifies a list of interface IDs. The interface IDs can be one of the following types: Ethernet port, port-channel or VLAN.
Command Mode
Privileged EXEC mode
Example
The following example displays the startup configuration file contents.
switchxxxxxx# show startup-config
config-file-header
AA307-02
v1.2.5.76 / R750_NIK_1_2_584_002
CLI v1.0
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
no spanning-tree
interface range te1/0/1-4
speed 1000
exit
no lldp run
interface vlan 1
ip address 1.1.1.1 255.0.0.0
exit
line console
exec-timeout 0
exit
switchxxxxxx#
20.23 write
To save the running configuration to the startup configuration file, use the write command in
Privileged EXEC mode.
Syntax
write
write memory
Parameters
This command has no arguments or keywords.
Command Mode
Privileged EXEC mode
User Guidelines
Use the write command or the write memory command to save the Running Configuration
file into the Startup Configuration file.
Examples
The following example shows how to overwrite the startup-config file with the running-config
file with the write command.
switchxxxxxx# write
Overwrite file [startup-config] ?[Yes/press any key for no]....15-Sep-2010 11:27:48 %COPY-I-FILECPY: Files Copy - source URL running-config destination URL flash://startup-config
15-Sep-2010 11:27:50 %COPY-N-TRAP: The copy operation was completed successfully
Copy succeeded
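The %COPY-I-FILECPY message in the output above names the source and destination of a copy, which makes it a usable signal for spotting configuration leaving or entering the device through the copy command (section 20.8). The following Python sketch is an added example, not part of the Cisco guide: it assumes that copies to network and USB destinations are logged in the same message format, and the function names, rule names and sample log lines are constructed for illustration.

```python
import re

FILECPY = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}) "
    r"%COPY-I-FILECPY: Files Copy - source URL (?P<src>\S+) "
    r"destination URL (?P<dst>\S+)\s*$"
)

CONFIG_NAMES = {"running-config", "startup-config"}

# Constructed sample: the first two lines follow the write example above,
# the rest are invented in the same format (192.0.2.0/24 is a documentation range).
SAMPLE_LOG = [
    "15-Sep-2010 11:27:48 %COPY-I-FILECPY: Files Copy - source URL running-config destination URL flash://startup-config",
    "15-Sep-2010 11:27:50 %COPY-N-TRAP: The copy operation was completed successfully",
    "16-Sep-2010 02:14:09 %COPY-I-FILECPY: Files Copy - source URL startup-config destination URL tftp://192.0.2.50/config.txt",
    "16-Sep-2010 02:20:31 %COPY-I-FILECPY: Files Copy - source URL tftp://192.0.2.50/patch.txt destination URL running-config",
    "16-Sep-2010 03:01:00 %COPY-I-FILECPY: Files Copy - source URL flash://startup-config destination URL usb://backup/cfg.txt",
    "16-Sep-2010 03:05:12 %COPY-I-FILECPY: Files Copy - source URL logging destination URL tftp://192.0.2.50/syslog.txt",
]


def classify(url):
    """Return 'config', 'local', 'usb' or 'network' for a copy endpoint."""
    if "://" not in url:
        # Bare keyword such as running-config, startup-config or logging.
        return "config" if url in CONFIG_NAMES else "local"
    scheme, rest = url.split("://", 1)
    scheme = scheme.lower()
    if scheme == "flash":
        return "config" if rest in CONFIG_NAMES else "local"
    if scheme == "usb":
        return "usb"
    return "network"  # tftp and any other non-local scheme


def detect_config_transfers(lines):
    """Flag copies that move configuration off the device or merge it in."""
    findings = []
    for line in lines:
        m = FILECPY.match(line.strip())
        if not m:
            continue
        src_kind = classify(m["src"])
        dst_kind = classify(m["dst"])
        if src_kind == "config" and dst_kind == "network":
            rule = "config-export-network"
        elif src_kind == "config" and dst_kind == "usb":
            rule = "config-export-usb"
        elif src_kind in ("network", "usb") and dst_kind == "config":
            rule = "config-import"
        else:
            continue  # e.g. running-config -> startup-config (a plain write)
        findings.append(
            {"time": m["ts"], "rule": rule, "src": m["src"], "dst": m["dst"]}
        )
    return findings


if __name__ == "__main__":
    for f in detect_config_transfers(SAMPLE_LOG):
        print(f["time"], f["rule"], f["src"], "->", f["dst"])
```

The log line does not record whether exclude, include-encrypted or include-plaintext was used, so an export finding should be followed up by checking what the copied file actually contains.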
21 Cisco Business Dashboard Probe Commands
21.1 cbd probe enable
To enable the Cisco Business Dashboard Probe operation on device, use the cbd probe enable
command in Global Configuration mode. To disable the Cisco Business Dashboard Probe
operation, use the no form of this command.
Syntax
cbd probe enable
no cbd probe enable
Parameters
N/A
Default Configuration
Cisco Business Dashboard Probe is disabled.
Command Mode
Global Configuration mode
User Guidelines
Use the command to enable the Cisco Business Dashboard Probe on the device.
Example
The following example enables the Cisco Business Dashboard Probe on the device:
switchxxxxxx(config)# cbd probe enable
This operation may take a few seconds....
21.2 cbd address
To configure the details of the Cisco Business Dashboard, use the cbd address command in
Global Configuration mode. To remove the details of the Cisco Business Dashboard, use the
no form of this command.
Syntax
cbd address {ip-address | hostname} [port port]
no cbd address
Parameters
• address ip-address—Specifies the Cisco Business Dashboard IP address. This can be an IPv4 address.
• address hostname—Specifies the Cisco Business Dashboard as a hostname (Range: 1–158 characters. Maximum label size of each part of the host name: 63).
• port—Specifies the TCP port used to connect to Cisco Business Dashboard. (Range: 1-65535)
Default Configuration
No address is configured. CBD port default is 443.
Command Mode
Global Configuration mode
User Guidelines
Use the cbd address command to configure the Cisco Business Dashboard IP address and the
TCP port to use to connect to the Cisco Business Dashboard. The cbd connection enable
configuration must be removed prior to making changes to this parameter.
Examples
Example 1: The following example configures the IPv4 address of the Cisco Business
Dashboard to 1.1.1.1 and sets the TCP port to 8443.
switchxxxxxx(config)# cbd address 1.1.1.1 port 8443
Example 2: In the following example configuration of the Cisco Business Dashboard IPv4
address fails because connection to Dashboard is enabled.
switchxxxxxx(config)# cbd address 1.1.1.1
Command failed!
Please disable connection to Cisco Business Dashboard before configuring this
command, using command "no cbd connection enable". Only after configuring all
Dashboard settings (Dashboard address, Key parameters, Organization and Network
name) re-enable connection (command "cbd connection enable") to allow Probe
connection to Cisco Business Dashboard
21.3
cbd organization name
To configure the organization name of the Cisco Business Dashboard, use the cbd
organization name command in Global Configuration mode. To remove Cisco Business
Dashboard organization name configuration, use the no form of this command.
Syntax
cbd organization name organization-name
no cbd organization name
Parameters
organization name organization-name—Specifies the Organization name of the Cisco
Business Dashboard Probe running on the device. Parameter can be specified as an
alphanumeric string, including symbols and white-spaces (Range: 1–64).
Default Configuration
CBD Organization Name is not defined.
Command Mode
Global Configuration mode
User Guidelines
Use the cbd organization name command to configure the Cisco Business Dashboard
organization name. The cbd connection enable configuration must be removed prior to
making changes to this parameter.
Example
The following example configures the organization name of the Cisco Business Dashboard:
switchxxxxxx(config)# cbd organization name "my organization"
21.4
cbd network name
To configure the network name of the Cisco Business Dashboard, use the cbd network name
command in Global Configuration mode. To remove Cisco Business Dashboard network name
configuration, use the no form of this command.
Syntax
cbd network name network-name
no cbd network name
Parameters
network name network-name—Specifies the site name of the Cisco Business Dashboard
Probe running on the device. Network Name can be specified as an alphanumeric string,
including symbols and white-spaces (Range: 1–64).
Default Configuration
CBD Network Name is not defined.
Command Mode
Global Configuration mode
User Guidelines
Use the cbd network name command to configure the Cisco Business Dashboard network
name. The cbd connection enable configuration must be removed prior to making changes to
this parameter.
Example
The following example configures the network name of the Cisco Business Dashboard.
switchxxxxxx(config)# cbd network name "my network"
21.5
cbd key
To configure the key ID and secret of the Cisco Business Dashboard, use the cbd key
command in Global Configuration mode. To remove Cisco Business Dashboard key ID and
secret configuration, use the no form of this command.
Syntax
cbd key id id-string secret secret-string
encrypted cbd key id id-string secret encrypted-secret-string
no cbd key
Parameters
• id id-string—Specifies the key ID to use for initial authentication between the Cisco
Business Dashboard Probe running on the device and the Cisco Business Dashboard
(A string of 24 hexadecimal digits).
• secret secret-string— Specifies the secret to use for authentication, can be specified as
an alphanumeric string without white-spaces. The key can be up to 160 characters.
• secret encrypted-secret-string — Same as the secret-string parameter, but the secret is
in encrypted form.
Default Configuration
CBD key ID and secret are not defined.
Command Mode
Global Configuration mode
User Guidelines
Use the cbd key command to configure the Cisco Business Dashboard key ID and secret. The
cbd connection enable configuration must be removed prior to making changes to this
parameter.
Example
The following example configures the key ID and secret of the Cisco Business Dashboard
used for initial authentication:
switchxxxxxx(config)# cbd key id 5cecde9f21bb450005fb790b secret secretExample123
21.6
cbd connection enable
To configure the probe to connect with Cisco Business Dashboard, use the cbd connection
enable command in Global Configuration mode. To disable probe connection to the Cisco
Business Dashboard, use the no form of this command.
Syntax
cbd connection enable
no cbd connection enable
Default Configuration
Probe is not enabled for connection to Cisco Business Dashboard.
Command Mode
Global Configuration mode
User Guidelines
Use the cbd connection enable command to enable the probe to connect to the Cisco Business
Dashboard. The configuration of this command will trigger the Cisco Business Dashboard
Probe to connect to the Cisco Business Dashboard if the CBD Probe is enabled.
The cbd organization name, cbd network name, cbd address and cbd key settings must be
configured for the cbd connection enable command to succeed. Use the no cbd connection
enable command to disconnect the Probe from the Cisco Business Dashboard and to allow the
user to change the Cisco Business Dashboard settings mentioned above.
Examples
Example 1: The following example enables the probe to connect to the Cisco Business
Dashboard:
switchxxxxxx(config)# cbd connection enable
Example 2: In the following example the command fails because some of the Dashboard
settings needed for connection were not configured:
switchxxxxxx(config)# cbd connection enable
Command failed. Please make sure all of the following dashboard parameters are
configured: dashboard address, organization name, network name and key;
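The ordering rules in sections 21.2 through 21.6 can be checked before anything is typed on the switch. The following Python sketch is an added example, not Cisco code: it validates each value against the ranges documented above and renders the commands in the order the guidelines require. The function names and the layout of the settings dictionary are assumptions of this example.

```python
import ipaddress
import re

KEY_ID_RE = re.compile(r"[0-9a-fA-F]{24}")  # "A string of 24 hexadecimal digits"


def check_address(addr):
    """Problems with a 'cbd address' target: an IPv4 address or a hostname."""
    if not addr:
        return ["dashboard address is not configured"]
    try:
        ipaddress.IPv4Address(addr)
        return []
    except ValueError:
        pass
    if re.fullmatch(r"[0-9.]+", addr):
        return [f"{addr!r} is not a valid IPv4 address"]
    problems = []
    if len(addr) > 158:
        problems.append("hostname longer than 158 characters")
    # The guide documents the 63-character label limit; rejecting empty
    # labels (for example "a..b") is an assumption of this example.
    if any(not 1 <= len(label) <= 63 for label in addr.split(".")):
        problems.append("each hostname label must be 1-63 characters")
    return problems


def check_settings(s):
    """Return every problem found in a settings dict (keys are this example's own)."""
    problems = check_address(s.get("address", ""))
    port = s.get("port", 443)  # documented default port
    if not 1 <= port <= 65535:
        problems.append(f"port {port} outside 1-65535")
    for field in ("organization", "network"):
        if not 1 <= len(s.get(field, "")) <= 64:
            problems.append(f"{field} name must be 1-64 characters")
    if not KEY_ID_RE.fullmatch(s.get("key_id", "")):
        problems.append("key id must be 24 hexadecimal digits")
    secret = s.get("secret", "")
    if not 1 <= len(secret) <= 160 or any(c.isspace() for c in secret):
        problems.append("secret must be 1-160 characters without white-space")
    return problems


def render_commands(s, connection_enabled):
    """Return the Global Configuration commands in the order the guide requires."""
    problems = check_settings(s)
    if problems:
        raise ValueError("; ".join(problems))
    cmds = []
    if connection_enabled:
        # While the connection is enabled, every setting below is rejected
        # with "Command failed!", so the connection is disabled first.
        cmds.append("no cbd connection enable")
    address = f"cbd address {s['address']}"
    if s.get("port", 443) != 443:
        address += f" port {s['port']}"
    cmds += [
        address,
        f'cbd organization name "{s["organization"]}"',
        f'cbd network name "{s["network"]}"',
        # The secret is plaintext on this line: treat the rendered output as a credential.
        f"cbd key id {s['key_id']} secret {s['secret']}",
        "cbd connection enable",  # succeeds only once all four settings exist
    ]
    return cmds


# Constructed sample, built from the values used in this chapter's examples.
SAMPLE = {
    "address": "1.1.1.1",
    "port": 8443,
    "organization": "my organization",
    "network": "my network",
    "key_id": "5cecde9f21bb450005fb790b",
    "secret": "secretExample123",
}

if __name__ == "__main__":
    print("\n".join(render_commands(SAMPLE, connection_enabled=True)))
```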
21.7
cbd reset
To reset the Cisco Business Dashboard Probe connection to the Cisco Business Dashboard, use
the cbd reset command in Privileged EXEC mode.
Syntax
cbd reset
Command Mode
Privileged EXEC mode
User Guidelines
Use the cbd reset command to reset the connection to the Cisco Business Dashboard.
Applying the command disconnects the current connection with the Dashboard, flushes the CBD
probe cached data and then attempts to reconnect to the Cisco Business Dashboard.
The command is executed only if the Probe Agent is enabled (command cbd probe
enable) and connection to Cisco Business Dashboard is also enabled (command cbd
connection enable).
Examples
Example 1: The following example executes an attempt to reconnect using the configured key
ID and secret:
switchxxxxxx# cbd reset
Example 2: In the following example the reset command fails because Probe connection to
Network Cisco Business Dashboard is not enabled:
switchxxxxxx# cbd reset
Operation failed because Probe connection to Cisco Business Dashboard is not
enabled.
Please enable conntection to Cisco Business Dashboard using command "cbd
connection enable".
Example 3: In the following example the reset command fails because Probe agent is not
enabled on device:
switchxxxxxx# cbd reset
Operation failed because Probe is not enabled
Please enable Probe using command "cbd probe enable".
21.8
clear cbd probe database
To clear the Cisco Business Dashboard Probe database, use the clear cbd probe database
command in Privileged EXEC mode.
Syntax
clear cbd probe database
Command Mode
Privileged EXEC mode
User Guidelines
Use the clear cbd probe database command to clear the Cisco Business Dashboard Probe
database. The command is executed only if the Cisco Business Dashboard Probe Agent is
disabled (see the cbd probe enable command).
Examples
Example 1: The following example clears the Cisco Business Dashboard Probe Database:
switchxxxxxx# clear cbd probe database
Example 2: In the following example, the clear command fails because the Cisco Business
Dashboard Probe is enabled on the switch:
switchxxxxxx# clear cbd probe database
Operation failed because Cisco Business Dashboard Probe is enabled on the switch.
Please disable Probe on switch using command "no cbd probe enable".
21.9
show cbd
To display information about Cisco Business Dashboard Probe Configuration and status, use
the show cbd command in Privileged EXEC mode.
Syntax
show cbd
Parameters
N/A
Default Configuration
N/A
Command Mode
Privileged EXEC mode
User Guidelines
Use the show cbd command to display information about the Cisco Business Dashboard
Probe running on the device.
Example
The following example shows the output from the show cbd command:
switchxxxxxx# show cbd
Network Probe is enabled
Operational status: Active
Probe version: 1.1.2.20181019
Dashboard address: 1.1.1.1
Dashboard port: 443
Key ID: MyKey
Key Secret (encrypted): 8nPzy2hzuba9pG3iiC/q0451RynUn7kq94L9WORFrRM=
Organization name: ABC Company
Network name: my network
Dashboard status: connected
The following table describes the different Cisco Business Dashboard Probe settings and
behavior and the relevant Administrative and Operational state display.
Cisco Business Dashboard Probe Setting and Status                               Administrative State indication   Operational State indication
Cisco Business Dashboard Probe Disabled                                         Disabled                          Inactive
Cisco Business Dashboard Probe Enabled and active                               Enabled                           Active
Cisco Business Dashboard Probe Enabled but is not active (indicates a failure)  Enabled                           Fault
22
GARP VLAN Registration Protocol (GVRP) Commands
22.1
clear gvrp statistics
To clear GVRP statistical information for all interfaces or for a specific interface, use the clear
gvrp statistics Privileged EXEC mode command.
Syntax
clear gvrp statistics [interface-id]
Parameters
Interface-id—(Optional) Specifies an interface ID. The interface ID can be one of the
following types: Ethernet port or Port-channel.
Default Configuration
All GVRP statistics are cleared.
Command Mode
Privileged EXEC mode
Example
The following example clears all GVRP statistical information on te1/0/4.
switchxxxxxx# clear gvrp statistics te1/0/4
22.2
gvrp enable (Global)
To enable the Generic Attribute Registration Protocol (GARP) VLAN Registration Protocol
(GVRP) globally, use the gvrp enable Global Configuration mode command. To disable
GVRP on the device, use the no form of this command.
Syntax
gvrp enable
no gvrp enable
Parameters
This command has no arguments or keywords.
Default Configuration
GVRP is globally disabled.
Command Mode
Global Configuration mode
Example
The following example enables GVRP globally on the device.
switchxxxxxx(config)# gvrp enable
22.3
gvrp enable (Interface)
To enable GVRP on an interface, use the gvrp enable Interface (Ethernet, Port Channel)
Configuration mode command. To disable GVRP on an interface, use the no form of this
command.
Syntax
gvrp enable
no gvrp enable
Parameters
This command has no arguments or keywords.
Default Configuration
GVRP is disabled on all interfaces.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
An access port does not dynamically join a VLAN because it is always a member of a single
VLAN only. Membership in an untagged VLAN is propagated in the same way as in a tagged
VLAN. That is, the PVID must be manually defined as the untagged VLAN ID.
Example
The following example enables GVRP on te1/0/4.
switchxxxxxx(config)# interface te1/0/4
switchxxxxxx(config-if)# gvrp enable
22.4
gvrp registration-forbid
To deregister all dynamic VLANs on a port and prevent VLAN creation or registration on the
port, use the gvrp registration-forbid Interface Configuration mode command. To allow
dynamic registration of VLANs on a port, use the no form of this command.
Syntax
gvrp registration-forbid
no gvrp registration-forbid
Parameters
This command has no arguments or keywords.
Default Configuration
Dynamic registration of VLANs on the port is allowed.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
Example
The following example forbids dynamic registration of VLANs on te1/0/2.
switchxxxxxx(config-if)# interface te1/0/2
switchxxxxxx(config-if)# gvrp registration-forbid
22.5
gvrp vlan-creation-forbid
To disable dynamic VLAN creation or modification, use the gvrp vlan-creation-forbid
Interface Configuration mode command. To enable dynamic VLAN creation or modification,
use the no form of this command.
Syntax
gvrp vlan-creation-forbid
no gvrp vlan-creation-forbid
Parameters
This command has no arguments or keywords.
Default Configuration
Enabled.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
Example
The following example disables dynamic VLAN creation on te1/0/3.
switchxxxxxx(config-if)# interface te1/0/3
switchxxxxxx(config-if)# gvrp vlan-creation-forbid
22.6
show gvrp configuration
To display GVRP configuration information, including timer values, whether GVRP and
dynamic VLAN creation are enabled, and which ports are running GVRP, use the show gvrp
configuration EXEC mode command.
Syntax
show gvrp configuration [interface-id | detailed]
Parameters
• interface-id—(Optional) Specifies an interface ID. The interface ID can be one of the
following types: Ethernet port or port-channel.
• detailed—(Optional) Displays information for non-present ports in addition to present
ports.
Default Configuration
All GVRP statistics are displayed for all interfaces. If detailed is not used, only present ports
are displayed.
Command Mode
User EXEC mode
Example
The following example displays GVRP configuration.
switchxxxxxx# show gvrp configuration
GVRP Feature is currently Enabled on the device.
Maximum VLANs: 4094
Port(s)  GVRP-Status  Regist-    Dynamic        Timers(ms)
                      ration     VLAN Creation  Join  Leave  Leave All
-------  -----------  ---------  -------------  ----  -----  ---------
te1/0/1  Enabled      Forbidden  Disabled       600   200    10000
te1/0/2  Enabled      Normal     Enabled        1200  400    20000
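The per-port columns in this output are enough to audit which ports still accept dynamic VLAN registration. The following Python sketch is an added example, not part of the Cisco guide: it parses show gvrp configuration output and lists, for each GVRP-enabled port that is not on an allow-list, the gvrp registration-forbid and gvrp vlan-creation-forbid commands from sections 22.4 and 22.5. The allow-list of ports that legitimately need GVRP and the function names are assumptions of this example.

```python
# Sample input: the two-port table from the example above, with the column
# spacing reconstructed for this example.
SAMPLE_OUTPUT = """\
GVRP Feature is currently Enabled on the device.
Maximum VLANs: 4094
Port(s)  GVRP-Status  Regist-    Dynamic        Timers(ms)
                      ration     VLAN Creation  Join  Leave  Leave All
-------  -----------  ---------  -------------  ----  -----  ---------
te1/0/1  Enabled      Forbidden  Disabled       600   200    10000
te1/0/2  Enabled      Normal     Enabled        1200  400    20000
"""


def parse_gvrp_configuration(output):
    """Return one dict per port row; banner, header and rule lines are skipped."""
    rows = []
    for line in output.splitlines():
        fields = line.split()
        # A port row has exactly seven fields and ends with three numeric timers.
        if len(fields) != 7 or not all(f.isdigit() for f in fields[4:]):
            continue
        rows.append({
            "port": fields[0],
            "gvrp": fields[1],
            "registration": fields[2],
            "vlan_creation": fields[3],
            "timers_ms": tuple(int(f) for f in fields[4:]),
        })
    return rows


def audit_gvrp(output, allowed_ports=()):
    """Map each port that still accepts dynamic VLAN state to remediation commands.

    allowed_ports holds the ports where GVRP is intentionally left open,
    for example links to other GVRP-aware switches (an assumption of this example).
    """
    findings = {}
    for row in parse_gvrp_configuration(output):
        if row["gvrp"] != "Enabled" or row["port"] in allowed_ports:
            continue
        commands = []
        if row["registration"] != "Forbidden":
            commands.append("gvrp registration-forbid")
        if row["vlan_creation"] == "Enabled":
            commands.append("gvrp vlan-creation-forbid")
        if commands:
            findings[row["port"]] = [f"interface {row['port']}"] + commands
    return findings


if __name__ == "__main__":
    for port, commands in audit_gvrp(SAMPLE_OUTPUT).items():
        print(port, "->", "; ".join(commands))
```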
22.7
show gvrp error-statistics
Use the show gvrp error-statistics EXEC mode command to display GVRP error statistics
for all interfaces or for a specific interface.
Syntax
show gvrp error-statistics [interface-id]
Parameters
interface-id—(Optional) Specifies an interface ID. The interface ID can be one of the
following types: Ethernet port or Port-channel.
Default Configuration
All GVRP error statistics are displayed.
Command Mode
User EXEC mode
Example
The following example displays GVRP error statistics.
switchxxxxxx# show gvrp error-statistics
GVRP Error Statistics:
----------------------
Legend:
INVPROT : Invalid Protocol Id
INVATYP : Invalid Attribute Type
INVAVAL : Invalid Attribute Value
INVALEN : Invalid Attribute Length
INVEVENT: Invalid Event
Port     INVPROT INVATYP INVAVAL INVALEN INVEVENT
-------- ------- ------- ------- ------- --------
te1/0/1  0       0       0       0       0
te1/0/2  0       0       0       0       0
te1/0/3  0       0       0       0       0
te1/0/4  0       0       0       0       0
22.8
show gvrp statistics
To display GVRP statistics for all interfaces or for a specific interface, use the show gvrp
statistics EXEC mode command.
Syntax
show gvrp statistics [interface-id]
Parameters
interface-id—(Optional) Specifies an interface ID. The interface ID can be one of the
following types: Ethernet port or Port-channel.
Default Configuration
All GVRP statistics are displayed.
Command Mode
User EXEC mode
Example
The following example displays GVRP statistical information.
switchxxxxxx# show gvrp statistics
GVRP statistics:
----------------
Legend:
rJE : Join Empty Received    rJIn: Join In Received
rEmp: Empty Received         rLIn: Leave In Received
rLE : Leave Empty Received   rLA : Leave All Received
sJE : Join Empty Sent        sJIn: Join In Sent
sEmp: Empty Sent             sLIn: Leave In Sent
sLE : Leave Empty Sent       sLA : Leave All Sent
Port     rJE  rJIn rEmp rLIn rLE  rLA  sJE  sJIn sEmp sLIn sLE  sLA
-------  ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ----
te1/0/1  0    0    0    0    0    0    0    0    0    0    0    0
te1/0/2  0    0    0    0    0    0    0    0    0    0    0    0
te1/0/3  0    0    0    0    0    0    0    0    0    0    0    0
te1/0/4  0    0    0    0    0    0    0    0    0    0    0    0
23
IGMP Commands
23.1
clear ip igmp counters
To clear the Internet Group Management Protocol (IGMP) interface counters, use the clear ip
igmp counters command in Privileged EXEC mode.
Syntax
clear ip igmp counters [interface-id]
Parameters
• interface-id—(Optional) Interface Identifier
Command Mode
Privileged EXEC mode
User Guidelines
Use the clear ip igmp counters command to clear the IGMP counters, which keep track of the
number of joins and leaves received. If you omit the optional interface-id argument, the clear
ip igmp counters command clears the counters on all interfaces.
Example
The following example clears the counters for VLAN 100:
switchxxxxxx# clear ip igmp counters vlan 100
23.2
ip igmp last-member-query-count
To configure the Internet Group Management Protocol (IGMP) last member query counter,
use the ip igmp last-member-query-count command in Interface Configuration mode. To
restore the default value, use the no form of this command.
Syntax
ip igmp last-member-query-count count
no ip igmp last-member-query-count
Parameters
count—The number of times that group- or group-source-specific queries are sent upon
receipt of a message indicating a leave. (Range: 1–7)
Default Configuration
The value of the IGMP Robustness variable.
Command Mode
Interface Configuration mode
User Guidelines
Use the ip igmp robustness command to change the IGMP last member query counter.
Example
The following example changes the value of the IGMP last member query counter to 3:
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ip igmp last-member-query-count 3
switchxxxxxx(config-if)# exit
23.3
ip igmp last-member-query-interval
To configure the Internet Group Management Protocol (IGMP) last member query interval,
use the ip igmp last-member-query-interval command in Interface Configuration mode. To
restore the default IGMP query interval, use the no form of this command.
Syntax
ip igmp last-member-query-interval milliseconds
no ip igmp last-member-query-interval
Parameters
• milliseconds—Interval, in milliseconds, at which IGMP group-specific host query
messages are sent on the interface. (Range: 100–25500).
Default Configuration
The default IGMP last member query interval is 1000 milliseconds.
Command Mode
Interface Configuration mode
User Guidelines
Use the ip igmp last-member-query-interval command to configure the IGMP last member
query interval on an interface.
Example
The following example shows how to increase the IGMP last member query interval to
1500 milliseconds:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ip igmp last-member-query-interval 1500
switchxxxxxx(config-if)# exit
23.4
ip igmp query-interval
To configure the frequency at which the IGMP querier sends Internet Group Management
Protocol (IGMP) host-query messages from an interface, use the ip igmp query-interval
command in Interface Configuration mode. To restore the default IGMP query interval, use the
no form of this command.
Syntax
ip igmp query-interval seconds
no ip igmp query-interval
Parameters
• seconds—Frequency, in seconds, at which the switch sends IGMP query messages
from the interface. The range is from 30 to 18000.
Default Configuration
The default IGMP query interval is 125 seconds.
Command Mode
Interface Configuration mode
User Guidelines
Use the ip igmp query-interval command to configure the frequency at which the IGMP
querier sends IGMP host-query messages from an interface. The IGMP querier sends
query-host messages to discover which multicast groups have members on the attached
networks of the router.
The query interval must be bigger than the maximum query response time.
Example
The following example shows how to increase the frequency at which the IGMP querier sends
IGMP host-query messages to 180 seconds:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ip igmp query-interval 180
switchxxxxxx(config-if)# exit
23.5
ip igmp query-max-response-time
To configure the maximum response time advertised in Internet Group Management Protocol
(IGMP) queries, use the ip igmp query-max-response-time command in Interface
Configuration mode. To restore the default value, use the no form of this command.
Syntax
ip igmp query-max-response-time seconds
no ip igmp query-max-response-time
Parameters
• seconds—Maximum response time, in seconds, advertised in IGMP queries. (Range:
5–20)
Default Configuration
10 seconds.
Command Mode
Interface Configuration mode
User Guidelines
This command controls the period during which the responder can respond to an IGMP query
message before the router deletes the group.
This command controls how much time the hosts have to answer an IGMP query message
before the router deletes their group. Configuring a value of fewer than 10 seconds enables the
router to prune groups faster.
The maximum query response time must be less than the query interval.
Note. If the hosts do not respond fast enough, they might be pruned inadvertently. Therefore,
the hosts must know to respond faster than 10 seconds (or the value you configure).
Example
The following example configures a maximum response time of 8 seconds:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ip igmp query-max-response-time 8
switchxxxxxx(config-if)# exit
23.6
ip igmp robustness
To configure the Internet Group Management Protocol (IGMP) robustness variable, use the ip
igmp robustness command in Interface Configuration mode. To restore the default value, use
the no form of this command.
Syntax
ip igmp robustness count
no ip igmp robustness
Parameters
• count—The number of expected packet losses on a link. (Range: 1–7).
Default Configuration
The default value is 2.
Command Mode
Interface Configuration mode
User Guidelines
Use the ip igmp robustness command to change the IGMP robustness variable.
Example
The following example changes the value of the IGMP robustness variable to 3:
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ip igmp robustness 3
switchxxxxxx(config-if)# exit
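The timer commands in sections 23.2 through 23.6 interact: the last member query count defaults to the robustness value, and the query interval must be bigger than the maximum query response time. The following Python sketch is an added example, not Cisco code: it lints a configuration snippet against the documented ranges and reports two derived timers, the Group Membership Interval and the Last Member Query Time as RFC 3376 defines them, which this guide does not state. The sample configuration and the function names are constructed for this example.

```python
import re

# keyword -> (min, max, default), as documented in sections 23.2 to 23.6.
RANGES = {
    "last-member-query-count": (1, 7, None),        # default: the robustness value
    "last-member-query-interval": (100, 25500, 1000),  # milliseconds
    "query-interval": (30, 18000, 125),             # seconds
    "query-max-response-time": (5, 20, 10),         # seconds
    "robustness": (1, 7, 2),
}

# Constructed sample: vlan 100 uses values from this chapter's examples,
# vlan 200 carries a deliberately out-of-range query interval.
SAMPLE_CONFIG = """\
interface vlan 100
 ip igmp query-interval 180
 ip igmp query-max-response-time 8
 ip igmp robustness 3
exit
interface vlan 200
 ip igmp query-interval 20
 ip igmp query-max-response-time 20
 ip igmp last-member-query-interval 1500
exit
"""


def parse_config(text):
    """Return {interface: {keyword: value}} for the timer commands in RANGES."""
    config, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = re.fullmatch(r"interface\s+(.+)", line)
        if match:
            current = match.group(1)
            config.setdefault(current, {})
            continue
        if line == "exit":
            current = None
            continue
        match = re.fullmatch(r"ip igmp (\S+) (\d+)", line)
        if match and current is not None and match.group(1) in RANGES:
            config[current][match.group(1)] = int(match.group(2))
    return config


def effective(settings):
    """Fill in documented defaults for everything the interface does not set."""
    eff = {key: settings.get(key, default) for key, (_, _, default) in RANGES.items()}
    if eff["last-member-query-count"] is None:
        eff["last-member-query-count"] = eff["robustness"]
    return eff


def lint(text):
    """Return {interface: {"problems": [...], derived timers}}."""
    report = {}
    for ifname, settings in parse_config(text).items():
        problems = []
        for key, value in settings.items():
            low, high, _ = RANGES[key]
            if not low <= value <= high:
                problems.append(f"{key} {value} outside {low}-{high}")
        eff = effective(settings)
        # With both values inside their documented ranges (30-18000 s and
        # 5-20 s) this always holds; it is checked anyway for bad input.
        if eff["query-interval"] <= eff["query-max-response-time"]:
            problems.append("query-interval must be bigger than query-max-response-time")
        report[ifname] = {
            "problems": problems,
            # RFC 3376: robustness * query interval + query response interval
            "membership_interval_s": eff["robustness"] * eff["query-interval"]
            + eff["query-max-response-time"],
            # RFC 3376: last member query interval * last member query count
            "last_member_query_time_ms": eff["last-member-query-count"]
            * eff["last-member-query-interval"],
        }
    return report


if __name__ == "__main__":
    for ifname, result in lint(SAMPLE_CONFIG).items():
        print(ifname, result)
```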
23.7
ip igmp version
To configure which version of Internet Group Management Protocol (IGMP) the router uses,
use the ip igmp version command in Interface Configuration mode. To restore the default
value, use the no form of this command.
Syntax
ip igmp version {1 | 2 | 3}
no ip igmp version
Parameters
• 1—IGMP Version 1.
• 2—IGMP Version 2.
• 3—IGMP Version 3.
Default Configuration
3
Command Mode
Interface Configuration mode
User Guidelines
Use the command to change the default version of IGMP.
Example
The following example configures the router to use IGMP Version 2:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ip igmp version 2
switchxxxxxx(config-if)# exit
23.8
show ip igmp counters
To display the Internet Group Management Protocol (IGMP) traffic counters, use the show ip
igmp counters command in User EXEC mode.
Syntax
show ip igmp counters [interface-id]
Parameters
• interface-id—(Optional) Interface Identifier.
Command Mode
User EXEC mode
User Guidelines
Use the show ip igmp counters command to check if the expected number of IGMP protocol
messages have been received and sent.
If you omit the optional interface-id argument, the show ip igmp counters command displays
counters of all interfaces.
Example
The following example displays the IGMP protocol messages received and sent:
switchxxxxxx# show ip igmp counters vlan 100
VLAN 100
Elapsed time since counters cleared:00:00:21
Failed received Joins: 0
Total IGMPv1 received messages: 0
Total IGMPv2 received messages: 10
Total IGMPv3 received messages: 0
Total invalid received messages: 0
General Sent Queries: 0
Specific Sent Queries: 0
23.9
show ip igmp groups
To display the multicast groups that are directly connected to the router and that were learned
through Internet Group Management Protocol (IGMP), use the show ip igmp groups
command in User EXEC mode.
Syntax
show ip igmp groups [group-name | group-address | interface-id] [detail]
Parameters
• group-name | group-address—(Optional) IP address or name of the multicast group.
• interface-id—(Optional) Interface identifier.
• detail—(Optional) Displays detailed information about individual sources.
Command Mode
User EXEC mode
User Guidelines
Use the show ip igmp groups [detail] command to display all directly connected groups.
Use the show ip igmp groups [group-name | group-address] [detail] command to display one
given directly connected group.
Use the show ip igmp groups interface-id [detail] command to display all groups directly
connected to the given interface.
Examples
Example 1. The following is sample output from the show ip igmp groups command. It
shows all of the groups joined by VLAN 100:
switchxxxxxx# show ip igmp groups vlan 100
IGMP Connected Group Membership
Expires: never - switch itself has joined the group
Group Address   Interface   Expires
224.1.1.1       VLAN 100    00:01:30
224.10.12.79    VLAN 100    never
225.1.1.1       VLAN 100    00:00:27
Example 2. The following is sample output from the show ip igmp groups command using
the detail keyword:
switchxxxxxx# show ip igmp groups detail
Expires: zero value - INCLUDE state; non-zero value - EXCLUDE state
Interface: VLAN 100
Group: 225.1.1.1
Router mode: INCLUDE
Last reporter: 10.0.119.133
Group Timer Expires: 00:20:11
Group source list:
Source Address   Expires
20.1.1.1         00:04:08
120.1.1.1        00:02:01
Group: 226.1.1.2
Router mode: EXCLUDE
Last reporter: 100.1.12.130
Group Timer Expiry: 00:22:12
Exclude Mode Expiry (Filter) Timer: 00:10:11
Group source list:
Source Address   Expires
2.2.2.1          00:04:08
192.168.1.1      00:04:08
12.1.1.10        00:00:00
40.3.4.2         00:00:00
23.10 show ip igmp groups summary
To display the number of (*, G) and (S, G) membership reports present in the Internet Group
Management Protocol (IGMP) cache, use the show ip igmp groups summary command in
User EXEC mode.
Syntax
show ip igmp groups summary
Parameters
This command has no arguments or keywords.
Command Mode
User EXEC mode
User Guidelines
The show ip igmp groups summary command displays the number of directly connected
multicast groups.
Example
The following is sample output from the show ip igmp groups summary command:
switchxxxxxx# show ip igmp groups summary
IGMP Route Summary
No. of (*,G) routes = 5
No. of (S,G) routes = 0
Field Descriptions:
No. of (*,G) routes = 5—Displays the number of groups present in the IGMP cache.
No. of (S,G) routes = 0—Displays the number of include and exclude mode sources present in the IGMP
cache.
23.11 show ip igmp interface
To display multicast-related information about an interface, use the show ip igmp interface
command in User EXEC mode.
Syntax
show ip igmp interface [interface-id]
Parameters
• interface-id—(Optional) Interface identifier.
Command Mode
User EXEC mode
User Guidelines
If you omit the optional interface-id argument, the show ip igmp interface command displays
information about all interfaces.
Example
The following is sample output from the show ip igmp interface command for Ethernet
interface 2/1/1:
switchxxxxxx# show ip igmp interface vlan 100
VLAN 100 is up
Administrative IGMP Querier IP address is 1.1.1.1
Operational IGMP Querier IP address is 1.1.1.1
Current IGMP version is 3
Administrative IGMP robustness variable is 2 seconds
Operational IGMP robustness variable is 2 seconds
Administrative IGMP query interval is 125 seconds
Operational IGMP query interval is 125 seconds
Administrative IGMP max query response time is 10 seconds
Operational IGMP max query response time is 10 seconds
Administrative Last member query response interval is 1000 milliseconds
Operational Last member query response interval is 1000 milliseconds
24
IGMP Proxy Commands
24.1
ip igmp-proxy
To add downstream interfaces to an IGMP proxy tree, use the ip igmp-proxy command in
Interface Configuration mode. To remove downstream interfaces from an IGMP proxy tree,
use the no form of this command.
Syntax
ip igmp-proxy upstream-interface-id
no ip igmp-proxy
Parameters
• upstream-interface-id—Upstream Interface identifier.
Default Configuration
The protocol is disabled on the interface.
Command Mode
Interface Configuration mode
User Guidelines
Use the ip igmp-proxy command to add downstream interfaces to an IGMP proxy tree. If the
proxy tree does not exist, it is created.
Use the no form of the command to remove the downstream interface. When the last
downstream interface is removed from the proxy tree, the proxy tree is deleted too.
Examples
Example 1. The following example adds a downstream interface to an IGMP Proxy process
with vlan 200 as its Upstream interface:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ip igmp-proxy vlan 200
switchxxxxxx(config-if)# exit
Example 2. The following example adds a range of downstream interfaces to an IGMP Proxy
process with vlan 200 as its Upstream interface:
switchxxxxxx(config)# interface range vlan 100-105
switchxxxxxx(config-if)# ip igmp-proxy vlan 200
switchxxxxxx(config-if)# exit
24.2
ip igmp-proxy downstream protected
To disable forwarding of IP Multicast traffic from downstream interfaces, use the ip
igmp-proxy downstream protected command in Global Configuration mode. To allow
forwarding from downstream interfaces, use the no form of this command.
Syntax
ip igmp-proxy downstream protected
no ip igmp-proxy downstream protected
Parameters
This command has no arguments or keywords.
Default Configuration
Forwarding from downstream interfaces is allowed.
Command Mode
Global Configuration mode
User Guidelines
Use the ip igmp-proxy downstream protected command to block forwarding from
downstream interfaces.
Example
The following example prohibits forwarding from downstream interfaces:
switchxxxxxx(config)# ip igmp-proxy downstream protected
24.3
ip igmp-proxy downstream protected interface
To disable or enable forwarding of IP Multicast traffic from a given downstream interface, use
the ip igmp-proxy downstream protected interface command in Interface Configuration
mode. To return to default, use the no form of this command.
Syntax
ip igmp-proxy downstream protected interface {enabled | disabled}
no ip igmp-proxy downstream protected interface
Parameters
•
enabled—Downstream interface protection on the interface is enabled. IPv4 Multicast
traffic arriving on the interface will not be forwarded.
•
disabled—Downstream interface protection on the interface is disabled. IPv4
Multicast traffic arriving on the interface will be forwarded.
Default Configuration
Global downstream protection configuration (see the ip igmp-proxy downstream protected
command)
Command Mode
Interface Configuration mode
User Guidelines
Use the ip igmp-proxy downstream protected interface disabled command to block
forwarding from the given downstream interface.
Use the ip igmp-proxy downstream protected interface enabled command to allow
forwarding from the given downstream interface.
The command can be configured only for a downstream interface. When a downstream
interface is removed from the IGMP Proxy tree the configuration is removed too.
Example
The following example prohibits forwarding from downstream interface vlan 100:
switchxxxxxx(config)# interface vlan100
switchxxxxxx(config-if)# ip igmp-proxy downstream protected interface enabled
switchxxxxxx(config-if)# exit
24.4
ip igmp-proxy ssm
To define the Source Specific Multicast (SSM) range of IP Multicast addresses, use the ip
igmp-proxy ssm command in Global Configuration mode. To disable the SSM range, use the
no form of this command.
Syntax
ip igmp-proxy ssm {default | range access-list}
no ip igmp-proxy ssm
Parameters
•
default—Defines the SSM range access list to 232.0.0.0/8 (see rfc4607).
•
range access-list—Specifies the standard IP access list name defining the SSM range.
Default Configuration
The command is disabled.
Command Mode
Global Configuration mode
User Guidelines
A new ip igmp-proxy ssm command overrides the previous ip igmp-proxy ssm command.
Use the no ip igmp-proxy ssm command to remove all defined ranges.
Example
The following example shows how to configure SSM service for the default IP address range
and the IP address ranges defined by access list list1:
switchxxxxxx(config)# ip access-list list1 permit 224.2.151.0/24
switchxxxxxx(config)# ip access-list list1 deny 224.2.152.141
switchxxxxxx(config)# ip access-list list1 permit 224.2.152.0/24
switchxxxxxx(config)# ip igmp-proxy ssm range list1
24.5
show ip igmp-proxy interface
To display information about interfaces configured for IGMP Proxy, use the show ip
igmp-proxy interface command in User EXEC mode or Privileged EXEC mode.
Syntax
show ip igmp-proxy interface [interface-id]
Parameters
•
interface-id—(Optional) Display IGMP Proxy information about the interface.
Command Mode
User EXEC mode
Privileged EXEC mode
User Guidelines
The show ip igmp-proxy interface command is used to display all interfaces where the IGMP
Proxy is enabled or to display the IGMP Proxy configuration for a given interface.
Examples
Example 1. The following example displays IGMP Proxy status on all interfaces where the
IGMP Proxy is enabled:
switchxxxxxx# show ip igmp-proxy interface
* - the switch is the Querier on the interface
IP Forwarding is enabled
IP Multicast Routing is enabled
IGMP Proxy is enabled
Global Downdtream interfaces protection is disabled
SSM Access List Name:list1
Interface   Type        Interface Protection
vlan 100    upstream
*vlan 102   downstream  enabled
*vlan 110   downstream  default
vlan 113    downstream  disabled
Example 2. The following is sample output from the show ip igmp-proxy interface
command for given upstream interface:
switchxxxxxx# show ip igmp-proxy interface vlan 100
* - the switch is the Querier on the interface
IP Forwarding is enabled
IP Multicast Routing is enabled
IGMP Proxy is enabled
Global Downdtream interfaces protection is disabled
SSM Access List Name:
IP Multicast Tarffic Discarding from Downdtream interfaces is disabled
vlan 100 is a Upstream interface
Downstream interfaces:
*vlan 102, *vlan 110, vlan 113
Example 3. The following is sample output from the show ip igmp-proxy interface
command for given downstream interface:
switchxxxxxx# show ip igmp-proxy interface vlan 102
IP Forwarding is enabled
IP Multicast Routing is enabled
IGMP Proxy is enabled
Global Downdtream interfaces protection is disabled
vlan 102 is a Downstream interface
The switch is the Querier on vlan 102
Downsteam Interface protection is enabled
SSM Access List Name: default
Upstream interface: vlan 100
Example 4. The following is sample output from the show ip igmp-proxy interface
command for an interface on which IGMP Proxy is disabled:
switchxxxxxx# show ip igmp-proxy interface vlan 1
IP Forwarding is enabled
IP Multicast Routing is enabled
IGMP Proxy is disabled
25
IGMP Snooping Commands
25.0
25.1
ip igmp snooping (Global)
To enable Internet Group Management Protocol (IGMP) snooping, use the ip igmp snooping
command in Global Configuration mode. To return to the default, use the no form of this
command.
Syntax
ip igmp snooping
no ip igmp snooping
Default Configuration
Disabled.
Command Mode
Global Configuration mode
Example
The following example enables IGMP snooping.
switchxxxxxx(config)# ip igmp snooping
25.2
ip igmp snooping vlan
To enable IGMP snooping on a specific VLAN, use the ip igmp snooping vlan command in
Global Configuration mode. To return to the default, use the no form of this command.
Syntax
ip igmp snooping vlan vlan-id
no ip igmp snooping vlan vlan-id
Parameters
•
vlan-id—Specifies the VLAN.
Default Configuration
Disabled
Command Mode
Global Configuration mode
User Guidelines
IGMP snooping can be enabled only on static VLANs.
IGMPv1, IGMPv2, and IGMPv3 Snooping are supported.
To activate IGMP snooping, bridge multicast filtering must be enabled by the bridge
multicast filtering command.
The user guidelines of the bridge multicast mode command describe the configuration that
is written into the FDB as a function of the FDB mode and the IGMP version that is used in the
network.
Example
switchxxxxxx(config)# ip igmp snooping vlan 2
25.3
ip igmp snooping vlan mrouter
To enable automatic learning of Multicast router ports on a VLAN, use the ip igmp snooping
vlan mrouter command in Global Configuration mode. To remove the configuration, use the
no form of this command.
Syntax
ip igmp snooping vlan vlan-id mrouter learn pim-dvmrp
no ip igmp snooping vlan vlan-id mrouter learn pim-dvmrp
Parameters
•
vlan-id—Specifies the VLAN.
Default Configuration
Learning pim-dvmrp is enabled.
Command Mode
Global Configuration mode
User Guidelines
Multicast router ports are learned according to:
•
Queries received on the port
•
PIM/PIMv2 received on the port
•
DVMRP received on the port
•
MRDISC received on the port
•
MOSPF received on the port
You can execute the command before the VLAN is created.
Example
switchxxxxxx(config)# ip igmp snooping vlan 1 mrouter learn pim-dvmrp
25.4
ip igmp snooping vlan mrouter interface
To define a port that is connected to a Multicast router port, use the ip igmp snooping
vlan mrouter interface command in Global Configuration mode. To return to the default, use
the no form of this command.
Syntax
ip igmp snooping vlan vlan-id mrouter interface interface-list
no ip igmp snooping vlan vlan-id mrouter interface interface-list
Parameters
•
vlan-id—Specifies the VLAN.
•
interface-list—Specifies the list of interfaces. The interfaces can be one of the
following types: Ethernet port or Port-channel.
Default Configuration
No ports defined
Command Mode
Global Configuration mode
User Guidelines
A port that is defined as a Multicast router port receives all IGMP packets (reports and
queries) as well as all Multicast data.
You can execute the command before the VLAN is created.
Example
switchxxxxxx(config)# ip igmp snooping vlan 1 mrouter interface te1/0/1
25.5
ip igmp snooping vlan forbidden mrouter
To forbid a port from being defined as a Multicast router port by static configuration or by
automatic learning, use the ip igmp snooping vlan forbidden mrouter command in Global
Configuration mode. To return to the default, use the no form of this command.
Syntax
ip igmp snooping vlan vlan-id forbidden mrouter interface interface-list
no ip igmp snooping vlan vlan-id forbidden mrouter interface interface-list
Parameters
•
vlan-id—Specifies the VLAN.
•
interface-list—Specifies a list of interfaces. The interfaces can be of one of the
following types: Ethernet port or Port-channel.
Default Configuration
No ports defined.
Command Mode
Global Configuration mode
User Guidelines
A port that is a forbidden mrouter port cannot be a Multicast router port (i.e. cannot be learned
dynamically or assigned statically).
You can execute the command before the VLAN is created.
Example
switchxxxxxx(config)# ip igmp snooping vlan 1 forbidden mrouter interface te1/0/1
25.6
ip igmp snooping vlan static
To register an IP-layer Multicast address to the bridge table, and to add static ports to the group
defined by this address, use the ip igmp snooping vlan static command in Global
Configuration mode. To return to the default, use the no form of this command.
Syntax
ip igmp snooping vlan vlan-id static ip-address [interface interface-list]
no ip igmp snooping vlan vlan-id static ip-address [interface interface-list]
Parameters
•
vlan-id—Specifies the VLAN.
•
ip-address—Specifies the IP Multicast address.
•
interface interface-list—(Optional) Specifies a list of interfaces. The interfaces can be
of one of the following types: Ethernet port or Port-channel.
Default Configuration
No Multicast addresses are defined.
Command Mode
Global Configuration mode
User Guidelines
Static Multicast addresses can only be defined on static VLANs.
You can execute the command before the VLAN is created.
You can register an entry without specifying an interface.
Using the no command without a port-list removes the entry.
Example
switchxxxxxx(config)# ip igmp snooping vlan 1 static 239.2.2.2 interface te1/0/1
25.7
ip igmp snooping vlan multicast-tv
To define the Multicast IP addresses that are associated with a Multicast TV VLAN, use the ip
igmp snooping vlan multicast-tv command in Global Configuration mode. To return to the
default, use the no form of this command.
Syntax
ip igmp snooping vlan vlan-id multicast-tv first-ip-multicast-address
[last-ip-multicast-address | {count number}]
no ip igmp snooping vlan vlan-id multicast-tv first-ip-multicast-address
[last-ip-multicast-address | {count number}]
Parameters
•
vlan-id—Specifies the VLAN
•
first-ip-multicast-address—The first Multicast IP address of the range
•
last-ip-multicast-address—The last Multicast IP address of the range
•
count number—(Optional) Configures multiple contiguous Multicast IP addresses. If
not specified, the default is 1.
Default Configuration
No Multicast IP address is associated.
Command Mode
Global Configuration mode
User Guidelines
Use this command to define the Multicast transmissions on a Multicast-TV VLAN. The
configuration is only relevant for an Access port that is a member in the configured VLAN as
a Multicast-TV VLAN.
If an IGMP message is received on such an Access port, it is associated with the Multicast-TV
VLAN only if it is for one of the Multicast IP addresses that are associated with the
Multicast-TV VLAN.
Up to 256 VLANs can be configured.
Example
switchxxxxxx(config)# ip igmp snooping vlan 1 multicast-tv 239.2.2.2 count 3
25.8
ip igmp snooping map cpe vlan
To map CPE VLANs to Multicast-TV VLANs, use the ip igmp snooping map cpe vlan
command in Global Configuration mode. To return to the default, use the no form of this
command.
Syntax
ip igmp snooping map cpe vlan cpe-vlan-id multicast-tv vlan vlan-id
no ip igmp snooping map cpe vlan vlan-id
Parameters
•
cpe-vlan-id—Specifies the CPE VLAN ID.
•
vlan-id—Specifies the Multicast-TV VLAN ID.
Default Configuration
No mapping exists.
Command Mode
Global Configuration mode
User Guidelines
Use this command to associate the CPE VLAN with a Multicast-TV VLAN.
If an IGMP message is received on a customer port tagged with a CPE VLAN, and there is
mapping from that CPE VLAN to a Multicast-TV VLAN, the IGMP message is associated
with the Multicast-TV VLAN.
Example
The following example maps CPE VLAN 2 to Multicast-TV VLAN 31.
switchxxxxxx(config)# ip igmp snooping map cpe vlan 2 multicast-tv vlan 31
25.9
ip igmp snooping querier
To enable globally the IGMP Snooping querier, use the ip igmp snooping querier command
in Global Configuration mode. To disable the IGMP Snooping querier globally, use the no
form of this command.
Syntax
ip igmp snooping querier
no ip igmp snooping querier
Parameters
N/A
Default Configuration
Enabled
Command Mode
Global Configuration mode
User Guidelines
To run the IGMP Snooping querier on a VLAN, you have to enable it globally and on the VLAN.
Example
The following example disables the IGMP Snooping querier globally:
switchxxxxxx(config)# no ip igmp snooping querier
25.10 ip igmp snooping vlan querier
To enable the IGMP Snooping querier on a specific VLAN, use the ip igmp snooping vlan
querier command in Global Configuration mode. To disable the IGMP Snooping querier on
the VLAN interface, use the no form of this command.
Syntax
ip igmp snooping vlan vlan-id querier
no ip igmp snooping vlan vlan-id querier
Parameters
•
vlan-id—Specifies the VLAN.
Default Configuration
Disabled
Command Mode
Global Configuration mode
User Guidelines
The IGMP Snooping querier can be enabled on a VLAN only if IGMP Snooping is enabled for
that VLAN.
Example
The following example enables the IGMP Snooping querier on VLAN 1:
switchxxxxxx(config)# ip igmp snooping vlan 1 querier
25.11 ip igmp snooping vlan querier address
To define the source IP address that the IGMP snooping querier uses, use the ip igmp
snooping vlan querier address command in Global Configuration mode. To return to the
default, use the no form of this command.
Syntax
ip igmp snooping vlan vlan-id querier address ip-address
no ip igmp snooping vlan vlan-id querier address
Parameters
•
vlan-id—Specifies the VLAN.
•
ip-address—Source IP address.
Default Configuration
If an IP address is configured for the VLAN, it is used as the source address of the IGMP
snooping querier. If there are multiple IP addresses, the minimum IP address defined on the
VLAN is used.
Command Mode
Global Configuration mode
User Guidelines
If an IP address is not configured by this command, and no IP address is configured for the
querier’s VLAN, the querier is disabled.
Example
switchxxxxxx(config)# ip igmp snooping vlan 1 querier address 10.5.234.205
25.12 ip igmp snooping vlan querier election
To enable IGMP Querier election mechanism of an IGMP Snooping querier on a specific
VLAN, use the ip igmp snooping vlan querier election command in Global Configuration
mode. To disable Querier election mechanism, use the no form of this command.
Syntax
ip igmp snooping vlan vlan-id querier election
no ip igmp snooping vlan vlan-id querier election
Parameters
•
vlan-id—Specifies the VLAN.
Default Configuration
Enabled
Command Mode
Global Configuration mode
User Guidelines
Use the no form of the ip igmp snooping vlan querier election command to disable IGMP
Querier election mechanism on a VLAN.
If the IGMP Querier election mechanism is enabled, the IGMP Snooping querier supports the
standard IGMP Querier election mechanism specified in RFC2236 and RFC3376.
If the IGMP Querier election mechanism is disabled, the IGMP Snooping Querier delays sending
General Query messages for 60 seconds from the time it was enabled. If the switch does not
receive an IGMP query from another Querier during this time, it starts sending General Query
messages. Once the switch acts as a Querier, it stops sending General Query messages if it
detects another Querier on the VLAN. In this case, the switch resumes sending General
Query messages if it does not hear another Querier for the Query Passive interval, which equals
<Robustness>*<Query Interval> + 0.5*<Query Response Interval>.
See the ip igmp robustness, ip igmp query-interval, and ip igmp
query-max-response-time commands for configurations of these parameters.
It is recommended to disable the IGMP Querier election mechanism if there is an IP Multicast
router on the VLAN.
Example
The following example disables IGMP Snooping Querier election on VLAN 1:
switchxxxxxx(config)# no ip igmp snooping vlan 1 querier election
25.13 ip igmp snooping vlan querier version
To configure the IGMP version of an IGMP Snooping querier on a specific VLAN, use the ip
igmp snooping vlan querier version command in Global Configuration mode. To return to
the default, use the no form of this command.
Syntax
ip igmp snooping vlan vlan-id querier version {2 | 3}
no ip igmp snooping vlan vlan-id querier version
Parameters
•
vlan-id—Specifies the VLAN.
•
querier version 2—Specifies that the IGMP version would be IGMPv2.
•
querier version 3—Specifies that the IGMP version would be IGMPv3.
Default Configuration
IGMPv2.
Command Mode
Global Configuration mode
Example
The following example sets the IGMP Snooping Querier version on VLAN 1 to 3:
switchxxxxxx(config)# ip igmp snooping vlan 1 querier version 3
25.14 ip igmp snooping vlan immediate-leave
To enable the IGMP Snooping Immediate-Leave processing on a VLAN, use the ip igmp
snooping vlan immediate-leave command in Global Configuration mode. To return to the
default, use the no form of this command.
Syntax
ip igmp snooping vlan vlan-id immediate-leave
no ip igmp snooping vlan vlan-id immediate-leave
Parameters
•
vlan-id—Specifies the VLAN ID value. (Range: 1–4094).
Default Configuration
Disabled
Command Mode
Global Configuration mode
User Guidelines
You can execute the command before the VLAN is created.
Example
The following example enables IGMP snooping immediate-leave feature on VLAN 1.
switchxxxxxx(config)# ip igmp snooping vlan 1 immediate-leave
25.15 show ip igmp snooping cpe vlans
To display the CPE VLAN to Multicast TV VLAN mappings, use the show ip igmp snooping
cpe vlans command in User EXEC mode.
Syntax
show ip igmp snooping cpe vlans [vlan vlan-id]
Parameters
•
vlan vlan-id —(Optional) Specifies the CPE VLAN ID.
Command Mode
User EXEC mode
Example
The following example displays the CPE VLAN to Multicast TV VLAN mappings.
switchxxxxxx# show ip igmp snooping cpe vlans
CPE VLAN  Multicast-TV VLAN
--------  ------------------
2         1118
3         1119
25.16 show ip igmp snooping groups
To display the Multicast groups learned by the IGMP snooping, use the show ip igmp
snooping groups command in User EXEC mode.
Syntax
show ip igmp snooping groups [vlan vlan-id] [address ip-multicast-address] [source
ip-address]
Parameters
•
vlan vlan-id—(Optional) Specifies the VLAN ID.
•
address ip-multicast-address—(Optional) Specifies the IP multicast address.
•
source ip-address—(Optional) Specifies the IP source address.
Command Mode
User EXEC mode
User Guidelines
To see all Multicast groups learned by IGMP snooping, use the show ip igmp snooping
groups command without parameters.
Use the show ip igmp snooping groups command with parameters to see a needed subset of
all Multicast groups learned by IGMP snooping.
To see the full Multicast address table (including static addresses), use the show bridge
multicast address-table command.
Example
The following example shows sample output:
switchxxxxxx# show ip igmp snooping groups vlan 1
switchxxxxxx# show ip igmp snooping groups
Vlan  Group Address    Source Address  Include Ports  Exclude Ports  Comp-Mode
----  ---------------  --------------  -------------  -------------  ---------
1     239.255.255.250  *               te1/0/1                       v2
25.17 show ip igmp snooping interface
To display the IGMP snooping configuration for a specific VLAN, use the show ip igmp
snooping interface command in User EXEC mode.
Syntax
show ip igmp snooping interface vlan-id
Parameters
•
vlan-id—Specifies the VLAN ID.
Command Mode
User EXEC mode
Example
The following example displays the IGMP snooping configuration for VLAN 1000:
switchxxxxxx# show ip igmp snooping interface 1000
IGMP Snooping is globally enabled
IGMP Snooping Querier is globally enabled
VLAN 1000
IGMP Snooping is enabled
IGMP snooping last immediate leave: enable
Automatic learning of Multicast router ports is enabled
IGMP Snooping Querier is enabled
IGMP Snooping Querier operation state: is not running
IGMP Snooping Querier version: 2
IGMP Snooping Querier election is enabled
IGMP Snooping Querier address: 194.12.10.166
IGMP snooping robustness: admin 2 oper 2
IGMP snooping query interval: admin 125 sec oper 125 sec
IGMP snooping query maximum response: admin 10 sec oper 10 sec
IGMP snooping last member query counter: admin 2 oper 2
IGMP snooping last member query interval: admin 1000 msec oper 500 msec
IGMP Snooping interface active Querier address: 194.12.100.100 (remote)
Groups that are in IGMP version 1 compatibility mode:
231.2.2.3, 231.2.2.3
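The following Python script is an added example, not part of the Cisco guide. It parses the show ip igmp snooping interface output above, flags the lines an operator would review (a querier that is enabled but not running, an active querier that is remote, admin/oper mismatches) and computes the Query Passive interval described under ip igmp snooping vlan querier election. The function names, the expected_querier parameter and the mapping of "query maximum response" to <Query Response Interval> are assumptions.

```python
import re

# Sample input: the VLAN 1000 output from the guide's example
# (page headers removed, the wrapped robustness line joined).
SAMPLE = """\
IGMP Snooping is globally enabled
IGMP Snooping Querier is globally enabled
VLAN 1000
IGMP Snooping is enabled
IGMP snooping last immediate leave: enable
Automatic learning of Multicast router ports is enabled
IGMP Snooping Querier is enabled
IGMP Snooping Querier operation state: is not running
IGMP Snooping Querier version: 2
IGMP Snooping Querier election is enabled
IGMP Snooping Querier address: 194.12.10.166
IGMP snooping robustness: admin 2 oper 2
IGMP snooping query interval: admin 125 sec oper 125 sec
IGMP snooping query maximum response: admin 10 sec oper 10 sec
IGMP snooping last member query counter: admin 2 oper 2
IGMP snooping last member query interval: admin 1000 msec oper 500 msec
IGMP Snooping interface active Querier address: 194.12.100.100 (remote)
"""

# Single-value fields; each regex captures the value that follows the label.
FIELDS = {
    "querier_global": r"^IGMP Snooping Querier is globally (\w+)$",
    "querier_vlan": r"^IGMP Snooping Querier is (enabled|disabled)$",
    "querier_state": r"^IGMP Snooping Querier operation state: (.+)$",
    "election": r"^IGMP Snooping Querier election is (\w+)$",
    "querier_address": r"^IGMP Snooping Querier address: (\S+)$",
    "active_querier": r"^IGMP Snooping interface active Querier address: (\S+)",
    "active_querier_where": r"active Querier address: \S+ \((\w+)\)",
}

# Timer lines: "IGMP snooping <name>: admin N [unit] oper N [unit]".
ADMIN_OPER = re.compile(
    r"^IGMP snooping (?P<name>[\w ]+?): admin (?P<admin>\d+)"
    r"(?: (?P<unit>\w+))? oper (?P<oper>\d+)", re.IGNORECASE)


def parse_snooping_interface(text):
    """Return the single-value fields plus a 'timers' dict of admin/oper pairs."""
    info = {"timers": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = ADMIN_OPER.match(line)
        if m:
            info["timers"][m["name"].lower()] = {
                "admin": int(m["admin"]), "oper": int(m["oper"]), "unit": m["unit"]}
            continue
        for key, pattern in FIELDS.items():
            m = re.search(pattern, line)
            if m:
                info[key] = m.group(1)
    return info


def query_passive_interval(timers):
    """<Robustness>*<Query Interval> + 0.5*<Query Response Interval>, in seconds.

    Uses the operational values; treating 'query maximum response' as the
    Query Response Interval is an assumption based on the guide's pointer to
    ip igmp query-max-response-time.
    """
    return (timers["robustness"]["oper"] * timers["query interval"]["oper"]
            + 0.5 * timers["query maximum response"]["oper"])


def audit(info, expected_querier=None):
    """List review items; expected_querier is the querier address the operator expects."""
    findings = []
    for name, t in info["timers"].items():
        if t["admin"] != t["oper"]:
            findings.append(f"{name}: admin {t['admin']} differs from oper {t['oper']}")
    if info.get("querier_vlan") == "enabled" and "not running" in info.get("querier_state", ""):
        findings.append("querier is enabled on the VLAN but is not running")
    if info.get("active_querier_where") == "remote":
        active = info.get("active_querier")
        if expected_querier is None or active != expected_querier:
            findings.append(f"active querier {active} is remote and not an expected address")
    return findings


if __name__ == "__main__":
    parsed = parse_snooping_interface(SAMPLE)
    print("Query Passive interval:", query_passive_interval(parsed["timers"]), "sec")
    for item in audit(parsed):
        print("REVIEW:", item)
```

Pass the address of the intended querier as expected_querier to suppress the remote-querier item when the active querier is the one you planned for.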
25.18 show ip igmp snooping mrouter
To display information on dynamically learned Multicast router interfaces for all VLANs or
for a specific VLAN, use the show ip igmp snooping mrouter command in User EXEC
mode.
Syntax
show ip igmp snooping mrouter [interface vlan-id]
Parameters
•
interface vlan-id—(Optional) Specifies the VLAN ID.
Command Mode
User EXEC mode
Example
The following example displays information on dynamically learned Multicast router
interfaces for VLAN 1000:
switchxxxxxx# show ip igmp snooping mrouter interface 1000
VLAN  Dynamic  Static   Forbidden
----  -------  -------  ---------
1000  te1/0/1  te1/0/2  te1/0/3-4
25.19 show ip igmp snooping multicast-tv
To display the IP addresses associated with Multicast TV VLANs, use the show ip igmp
snooping multicast-tv command in User EXEC mode.
Syntax
show ip igmp snooping multicast-tv [vlan vlan-id]
Parameters
•
vlan vlan-id—(Optional) Specifies the VLAN ID.
Command Mode
User EXEC mode
Example
The following example displays the IP addresses associated with all Multicast TV VLANs.
switchxxxxxx# show ip igmp snooping multicast-tv
VLAN  First IP Address  Last IP Address
----  ----------------  ---------------
1000  238.2.5.5         238.2.5.5
1000  239.255.0.0       239.255.1.1
1010  232.0.0.0         239.0.0.255
1010  239.0.1.2         239.255.4.5
26
IP Addressing Commands
26.0
IP addresses and Layer 2 Interfaces
IP addresses can be configured on the following Layer 2 interfaces:
•
Ethernet port
•
Port channel
•
VLAN
•
Loopback port
•
OOB port
Lists of Commands
26.1
ip address
Use the ip address Interface Configuration (Ethernet, VLAN, Port-channel) mode command
to define an IP address for an interface. Use the no form of this command to remove an IP
address definition.
Syntax
OOB port:
ip address ip-address {mask | /prefix-length} [default-gateway-ip-address]
no ip address
In-Band interfaces:
ip address ip-address {mask | /prefix-length}
no ip address [ip-address]
Parameters
•
ip-address—Specifies the IP address.
•
mask—Specifies the network mask of the IP address.
•
prefix-length—Specifies the number of bits that comprise the IP address prefix. The
prefix length must be preceded by a forward slash (/). (Range: 8–30)
•
default-gateway-ip-address—Specifies the default gateway IP address. The route is
assigned a metric of 4 for an In-Band interface and 2 for OOB.
Default Configuration
No IP address is defined for interfaces.
Command Mode
Interface Configuration mode
User Guidelines
Use the ip address command to define a static IP address on an interface.
In-Band interfaces
Multiple IP addresses are supported. A newly defined IP address is added on the interface.
Defining a static IP address on an interface stops a DHCP client running on the interface and
removes the IP address assigned by the DHCP client.
If a configured IP address overlaps another configured one, a warning message is displayed. To
change an existing IP address, delete the existing one and add the new one.
OOB port
One IP address is supported. A new IP address defined on the OOB port overrides the
previously defined IP address on the OOB port.
Defining a static IP address on the OOB port stops a DHCP client running on the OOB port
and deletes an IP address assigned by the DHCP client.
While no IP address is assigned either by DHCP client or manually, the default IP address
192.168.1.254 is assigned on the OOB port.
Examples
Example 1. The following example configures VLAN 1 with IP address 131.108.1.27 and
subnet mask 255.255.255.0.
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ip address 131.108.1.27 255.255.255.0
Example 2. The following example configures 3 overlapped IP addresses.
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ip address 1.1.1.1 255.0.0.0
switchxxxxxx(config)# exit
switchxxxxxx(config)# interface vlan 2
switchxxxxxx(config-if)# ip address 1.2.1.1 255.255.0.0
switchxxxxxx(config)# This IP address overlaps IP address 1.1.1.1/8 on vlan1, are you sure? [Y/N]Y
switchxxxxxx(config)# exit
switchxxxxxx(config)# interface vlan 3
switchxxxxxx(config-if)# ip address 1.3.1.1 255.255.0.0
switchxxxxxx(config)# This IP address overlaps IP address 1.1.1.1/8 on vlan1, are you sure? [Y/N]Y
switchxxxxxx(config)# exit
Example 3. The following example configures IP address on OOB:
switchxxxxxx(config)# interface oob
switchxxxxxx(config-if)# ip address 131.108.1.27 255.255.255.0 131.108.1.100
26.2
ip address dhcp
Use the ip address dhcp Interface Configuration (Ethernet, VLAN, Port-channel) mode
command to acquire an IP address for an Ethernet interface from the Dynamic Host
Configuration Protocol (DHCP) server. Use the no form of this command to release an
acquired IP address.
Syntax
ip address dhcp
no ip address dhcp
Parameters
N/A
Command Mode
Interface Configuration mode
User Guidelines
Use the ip address dhcp command to enable DHCP client on the interface.
The ip address dhcp command removes all the manually configured addresses on the
interface.
The default route (Default Gateway) received in DHCP Router option (Option 3) is assigned a
metric of 8 for an In-Band interface and 6 for OOB.
Use the no form of the command to disable DHCP client on the interface.
Example
The following example acquires an IP address for VLAN 100 from DHCP.
switchxxxxxx(config)# interface vlan100
switchxxxxxx(config-if)# ip address dhcp
26.3
renew dhcp
Use the renew dhcp Privileged EXEC mode command to renew an IP address that was
acquired from a DHCP server for a specific interface.
Syntax
renew dhcp interface-id [force-autoconfig]
Parameters
•
interface-id—Specifies an interface.
•
force-autoconfig - If the DHCP server holds a DHCP option 67 record for the
assigned IP address, the record overwrites the existing device configuration.
Command Mode
Privileged EXEC mode
User Guidelines
Use the renew dhcp command to renew a DHCP address on an interface.
This command does not enable DHCP client on an interface and if DHCP client is not enabled
on the interface, the command returns an error message.
Example
The following example renews an IP address on VLAN 19 that was acquired from a DHCP
server:
switchxxxxxx# renew dhcp vlan 19
26.4
ip default-gateway
The ip default-gateway Global Configuration mode command defines a default gateway
(device). Use the no form of this command to restore the default configuration.
Syntax
ip default-gateway ip-address
no ip default-gateway [ip-address]
Parameters
•
ip-address—Specifies the default gateway IP address.
Command Mode
Global Configuration mode
Default Configuration
No default gateway is defined.
User Guidelines
Use the ip default-gateway command to define a default gateway (default route).
The ip default-gateway command adds the default route with a metric of 4 for the gateway
connected on an In-Band interface and 2 for the gateway connected on OOB.
Use the no ip default-gateway ip-address command to delete one default gateway.
Use the no ip default-gateway command to delete all default gateways.
Example
The following example defines default gateway 192.168.1.1.
switchxxxxxx(config)# ip default-gateway 192.168.1.1
26.5
show ip interface
Use the show ip interface EXEC mode command to display the usability status of configured
IP interfaces.
Syntax
show ip interface [interface-id]
Parameters
•
interface-id—Specifies an interface ID on which IP addresses are defined.
Default Configuration
All IP addresses.
Command Mode
User EXEC mode
Examples
Example 1 - The following example displays all configured IP addresses and their types:
switchxxxxxx# show ip interface
IP Address       I/F     I/F Status  Type    Directed   Redirect  Status
                         admin/oper          Broadcast
---------------  ------  ----------  ------  ---------  --------  ------
10.5.230.232/24  vlan 1  UP/UP       Static  disable    Enabled   Valid
10.5.234.202/24  vlan 4  UP/DOWN     Static  disable    Disabled  Valid
10.5.240.200/24  oob     UP/UP       Static                       Valid
Example 2 - The following example displays the IP addresses configured on the given L2
interfaces and their types:
switchxxxxxx# show ip interface vlan 1
IP Address       I/F     I/F Status  Type    Directed   Redirect  Status
                         admin/oper          Broadcast
---------------  ------  ----------  ------  ---------  --------  ------
10.5.230.232/24  vlan 1  UP/UP       Static  disable    Enabled   Valid
26.6
arp
Use the arp Global Configuration mode command to add a permanent entry to the Address
Resolution Protocol (ARP) cache. Use the no form of this command to remove an entry from
the ARP cache.
Syntax
arp ip-address mac-address [interface-id]
no arp ip-address
Parameters
•
ip-address—IP address or IP alias to map to the specified MAC address.
•
mac-address—MAC address to map to the specified IP address or IP alias.
•
interface-id—Address pair is added for specified interface.
Command Mode
Global Configuration mode
Default Configuration
No permanent entry is defined.
If no interface ID is entered, address pair is relevant to all interfaces.
User Guidelines
The software uses ARP cache entries to translate 32-bit IP addresses into 48-bit hardware
(MAC) addresses. Because most hosts support dynamic address resolution, static ARP cache
entries generally do not need to be specified.
Example
The following example adds IP address 198.133.219.232 and MAC address 00:00:0c:40:0f:bc
to the ARP table.
switchxxxxxx(config)# arp 198.133.219.232 00:00:0c:40:0f:bc vlan100
26.7
arp timeout (Global)
Use the arp timeout Global Configuration mode command to set the time interval during
which an entry remains in the ARP cache. Use the no form of this command to restore the
default configuration.
Syntax
arp timeout seconds
no arp timeout
Parameters
•
seconds—Specifies the time interval (in seconds) during which an entry remains in the
ARP cache. (Range: 1–40000000).
Default Configuration
The default ARP timeout is 60000 seconds, if IP Routing is enabled, and 300 seconds if IP
Routing is disabled.
Command Mode
Global Configuration mode
Example
The following example configures the ARP timeout to 12000 seconds.
switchxxxxxx(config)# arp timeout 12000
26.8
ip arp proxy disable
Use the ip arp proxy disable Global Configuration mode command to globally disable proxy
Address Resolution Protocol (ARP). Use the no form of this command to re-enable proxy ARP.
Syntax
ip arp proxy disable
no ip arp proxy disable
Parameters
N/A
Default
Disabled by default.
Command Mode
Global Configuration mode
User Guidelines
This command overrides any proxy ARP interface configuration.
The command is supported only when IP Routing is enabled.
Example
The following example globally disables ARP proxy.
switchxxxxxx(config)# ip arp proxy disable
26.9
ip proxy-arp
Use the ip proxy-arp Interface Configuration mode command to enable an ARP proxy on
specific interfaces. Use the no form of this command to disable it.
Syntax
ip proxy-arp
no ip proxy-arp
Default Configuration
ARP Proxy is enabled.
Command Mode
Interface Configuration mode
User Guidelines
This configuration can be applied only if at least one IP address is defined on a specific
interface.
The command is supported only when IP Routing is enabled.
Example
The following example enables ARP proxy when the switch is in router mode.
switchxxxxxx(config-if)# ip proxy-arp
26.10 clear arp-cache
Use the clear arp-cache Privileged EXEC mode command to delete all dynamic entries from
the ARP cache.
Syntax
clear arp-cache
Command Mode
Privileged EXEC mode
Example
The following example deletes all dynamic entries from the ARP cache.
switchxxxxxx# clear arp-cache
26.11 show arp
Use the show arp Privileged EXEC mode command to display entries in the ARP table.
Syntax
show arp [ip-address ip-address] [mac-address mac-address] [interface-id]
Parameters
•
ip-address ip-address—Specifies the IP address.
•
mac-address mac-address—Specifies the MAC address.
•
interface-id—Specifies an interface ID.
Command Mode
Privileged EXEC mode
User Guidelines
Since the associated interface of a MAC address can be aged out from the FDB table, the
Interface field can be empty.
If an ARP entry is associated with an IP interface that is defined on a port or port-channel, the
VLAN field is empty.
Example
The following example displays entries in the ARP table.
switchxxxxxx# show arp
ARP timeout: 80000 Seconds
VLAN     Interface        IP Address  HW Address         Status
-------  ---------------  ----------  -----------------  -------
VLAN 1   te1/0/1          10.7.1.102  00:10:B5:04:DB:4B  Dynamic
VLAN 1   te1/0/2          10.7.1.135  00:50:22:00:2A:A4  Static
VLAN 2   te1/0/1          11.7.1.135  00:12:22:00:2A:A4  Dynamic
         te1/0/2          12.10.1.13  00:11:55:04:DB:4B  Dynamic
26.12 show arp configuration
Use the show arp configuration privileged EXEC command to display the global and
interface configuration of the ARP protocol.
Syntax
show arp configuration
Parameters
This command has no arguments or keywords.
Command Mode
Privileged EXEC mode
Example
switchxxxxxx# show arp configuration
Global configuration:
ARP Proxy: enabled
ARP timeout: 80000 Seconds
Interface configuration:
VLAN 1:
ARP Proxy: disabled
ARP timeout:60000 Seconds
VLAN 10:
ARP Proxy: enabled
ARP timeout:70000 Seconds
VLAN 20:
ARP Proxy: enabled
ARP timeout:80000 Second (Global)
26.13 interface ip
Use the interface ip Global Configuration mode command to enter the IP Interface
Configuration mode.
Syntax
interface ip ip-address
Parameters
•
ip-address—Specifies one of the IP addresses of the device.
Command Mode
Global Configuration mode
Example
The following example enters the IP interface configuration mode.
switchxxxxxx(config)# interface ip 192.168.1.1
switchxxxxxx(config-ip)#
26.14 ip helper-address
Use the ip helper-address Global Configuration mode command to enable the forwarding of
UDP Broadcast packets received on an interface to a specific (helper) address. Use the no
form of this command to disable the forwarding of broadcast packets to a specific (helper)
address.
Syntax
ip helper-address {ip-interface | all} address [udp-port-list]
no ip helper-address {ip-interface | all} address
Parameters
•
ip-interface—Specifies the IP interface.
•
all—Specifies all IP interfaces.
•
address—Specifies the destination broadcast or host address to which to forward UDP
broadcast packets. A value of 0.0.0.0 specifies that UDP broadcast packets are not
forwarded to any host.
•
udp-port-list—Specifies the destination UDP port number to which to forward
Broadcast packets (Range: 1–59999). This can be a list of port numbers separated by
spaces.
Default Configuration
Forwarding of UDP Broadcast packets received on an interface to a specific (helper) address is
disabled.
If udp-port-list is not specified, packets for the default services are forwarded to the helper
address.
Command Mode
Global Configuration mode
User Guidelines
This command forwards specific UDP Broadcast packets from one interface to another, by
specifying a UDP port number to which UDP broadcast packets with that destination port
number are forwarded. By default, if no UDP port number is specified, the device forwards
UDP broadcast packets for the following six services:
•
IEN-116 Name Service (port 42)
•
DNS (port 53)
•
NetBIOS Name Server (port 137)
•
NetBIOS Datagram Server (port 138)
•
TACACS Server (port 49)
•
Time Service (port 37)
Many helper addresses may be defined. However, the total number of address-port pairs is
limited to 128 for the device.
The setting of a helper address for a specific interface has precedence over the setting of a
helper address for all the interfaces.
Forwarding of BOOTP/DHCP (ports 67, 68) cannot be enabled with this command. Use the
DHCP relay commands to relay BOOTP/DHCP packets.
The ip-interface argument cannot be the OOB port.
Example
The following example enables the forwarding of UDP Broadcast packets received on all
interfaces to destination IP address 172.16.9.9, for destination UDP ports 49, 53, 1 and 2.
switchxxxxxx(config)# ip helper-address all 172.16.9.9 49 53 1 2
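The forwarding rules in the User Guidelines above (default services, port range, the BOOTP/DHCP exclusion, the 128-pair limit and interface-over-all precedence) can be checked offline before a change is pushed. The following Python is an added example, not code from the guide or from Cisco; the function names are hypothetical, and it assumes that precedence is resolved per UDP port and that the limit counts distinct address-port pairs.

```python
"""Resolve `ip helper-address` commands into per-interface forwarding decisions."""
import ipaddress

DEFAULT_PORTS = (37, 42, 49, 53, 137, 138)  # the six default services on the page
BOOTP_PORTS = {67, 68}                      # need the DHCP relay commands instead
MAX_PAIRS = 128                             # device-wide limit on address-port pairs


def parse_helper(line):
    """Return (scope, helper_address, ports); raise ValueError on an invalid command."""
    tokens = line.split()
    if tokens[:2] != ["ip", "helper-address"] or len(tokens) < 4:
        raise ValueError(f"not an ip helper-address command: {line!r}")
    scope = tokens[2] if tokens[2] == "all" else str(ipaddress.IPv4Address(tokens[2]))
    helper = str(ipaddress.IPv4Address(tokens[3]))
    ports = tuple(int(p) for p in tokens[4:]) or DEFAULT_PORTS
    for port in ports:
        if not 1 <= port <= 59999:
            raise ValueError(f"UDP port {port} is outside the range 1-59999")
        if port in BOOTP_PORTS:
            raise ValueError(f"UDP port {port}: BOOTP/DHCP is not forwarded by this command")
    return scope, helper, ports


def build_table(lines):
    """Return {scope: {port: {helper, ...}}} and enforce the 128-pair limit."""
    table, pairs = {}, set()
    for line in lines:
        scope, helper, ports = parse_helper(line)
        for port in ports:
            table.setdefault(scope, {}).setdefault(port, set()).add(helper)
            pairs.add((helper, port))   # assumption: the limit counts distinct pairs
    if len(pairs) > MAX_PAIRS:
        raise ValueError(f"{len(pairs)} address-port pairs exceed the limit of {MAX_PAIRS}")
    return table


def destinations(table, interface, port):
    """Hosts that receive a UDP broadcast for `port` that arrived on `interface`."""
    for scope in (interface, "all"):    # an interface-specific setting beats `all`
        helpers = table.get(scope, {}).get(port)
        if helpers:
            return sorted(helpers - {"0.0.0.0"})   # 0.0.0.0 = forward to no host
    return []


def forwarded_ports(table, interface):
    """Every UDP port for which broadcasts from `interface` leave the subnet."""
    ports = set(table.get(interface, {})) | set(table.get("all", {}))
    return sorted(p for p in ports if destinations(table, interface, p))


# Constructed sample: the page's example plus two interface-specific lines.
SAMPLE = [
    "ip helper-address all 172.16.9.9 49 53 1 2",
    "ip helper-address 192.168.1.1 172.16.8.8",
    "ip helper-address 192.168.2.1 0.0.0.0 53",
]
TABLE = build_table(SAMPLE)
```

forwarded_ports() gives the list to review per interface: a helper line with no port list forwards NetBIOS (137, 138) and TACACS (49) broadcasts as well as DNS.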
26.15 show ip helper-address
Use the show ip helper-address Privileged EXEC mode command to display the IP helper
addresses configuration on the system.
Syntax
show ip helper-address
Parameters
This command has no arguments or keywords.
Command Mode
Privileged EXEC mode
User Guidelines
Example
The following example displays the IP helper addresses configuration on the system:
switchxxxxxx# show ip helper-address
Interface     Helper Address  UDP Ports
------------  --------------  ------------------------
192.168.1.1   172.16.8.8      37, 42, 49, 53, 137, 138
192.168.2.1   172.16.9.9      37, 49
26.16 show ip dhcp client interface
Use the show ip dhcp client interface command in User EXEC or Privileged EXEC mode to
display DHCP client interface information.
Syntax
show ip dhcp client interface [interface-id]
Parameters
•
interface-id—Interface identifier.
Command Mode
User EXEC mode
User Guidelines
If no interfaces are specified, all interfaces on which DHCP client is enabled are displayed. If
an interface is specified, only information about the specified interface is displayed.
Example
The following is sample output of the show ip dhcp client interface command:
switchxxxxxx# show ip dhcp client interface
VLAN 100 is in client mode
Address: 170.10.100.100 Mask: 255.255.255.0 T1 120, T2 192
Default Gateway: 170.10.100.1
DNS Servers: 115.1.1.1, 87.12.34.20
DNS Domain Search List: company.com
Host Name: switch_floor7
Configuration Server Addresses: 192.1.1.1 202.1.1.1
Configuration Path Name: qqq/config/aaa_config.dat
Image Path Name: qqq/image/aaa_image.ros
POSIX Timezone string: EST5EDT4,M3.2.0/02:00,M11.1.0/02:00
VLAN 1200 is in client mode
Address: 180.10.100.100 Mask: 255.255.255.0 T1 120, T2 192
Default Gateway: 180.10.100.1
DNS Servers: 115.1.1.1, 87.12.34.20
DNS Domain Search List: company.com
Host Name: switch_floor7
Configuration Server Addresses: configuration.company.com
Configuration Path Name: qqq/config/aaa_config.dat
Image Path Name: qqq/image/aaa_image.ros
POSIX Timezone string: EST5EDT4,M3.2.0/02:00,M11.1.0/02:00
Option 43: 5A1N;K4;B3;IFE80::2E0:81FF:FE2D:3799;J6088
27
IP Routing Protocol-Independent Commands
27.1
accept-lifetime
To set the time period during which the authentication key on a key chain is received as valid,
use the accept-lifetime command in key chain key configuration mode. To revert to the default
value, use the no form of this command.
Syntax
accept-lifetime start-time {infinite | end-time | duration seconds}
no accept-lifetime
Parameters
•
start-time—Beginning time that the key specified by the key command is valid to be
received. The syntax can be either of the following:
hh:mm:ss Month date year
hh:mm:ss date Month year
hh—hours (0-23)
mm—minutes (0-59)
ss—seconds (0-59)
Month—first three letters of the month
date—date (1-31)
year—year (four digits)
The default start time and the earliest acceptable date is January 1, 2000.
•
infinite—Key is valid to be received from the start-time value on.
•
end-time—Key is valid to be received from the start-time value until the end-time
value. The syntax is the same as that for the start-time value. The end-time value must
be after the start-time value. The default end time is an infinite time period.
•
duration seconds—Length of time (in seconds) that the key is valid to be received.
The range is from 1 to 2147483646.
Default Configuration
The default time period during which the authentication key is valid for authenticating
incoming packets is set to Forever.
The definition of Forever is: the starting time is January 1, 2000, and the ending time is
infinite.
Command Mode
Key Chain Key Configuration mode
User Guidelines
The switch checks Time-of-Date against the value of the start-time argument regardless of
whether Time-of-Date has been set by management or by SNTP, because the default value of
Time-of-Date is always a past time.
If the value of the start-time argument passes validation and the end-time argument is
configured with the value infinite, the key is considered current even if Time-of-Date has
not been set by management or by SNTP.
If Time-of-Date is not set by management or by SNTP and the end-time argument is
configured with a value other than infinite, or the duration parameter is configured, the
key is considered expired.
If Time-of-Date is set by management or by SNTP, the switch checks Time-of-Date against the
value of the end-time argument or of the duration parameter.
If the last key expires, authentication ends with an error.
Example
The following example configures a key chain called keychain1. The key named string1 will
be accepted from 1:30 p.m. to 3:30 p.m. and be sent from 2:00 p.m. to 3:00 p.m. The key
named string2 will be accepted from 2:30 p.m. to 4:30 p.m. and be sent from 3:00 p.m. to 4:00
p.m. The overlap allows for migration of keys or discrepancies in the set time of the router.
There is a 30-minute leeway on each side to handle time differences:
switchxxxxxx(config)# router rip
switchxxxxxx(config-rip)# network 172.19.1.1
switchxxxxxx(config-rip)# exit
switchxxxxxx(config)# interface ip 172.19.1.1
switchxxxxxx(config-ip)# ip rip authentication mode md5
switchxxxxxx(config-ip)# ip rip authentication key-chain keychain1
switchxxxxxx(config-ip)# exit
switchxxxxxx(config)# key chain keychain1
switchxxxxxx(config-keychain)# key 1
switchxxxxxx(config-keychain-key)# key-string string1
switchxxxxxx(config-keychain-key)# accept-lifetime 13:30:00 Jan 25 2011 duration 7200
switchxxxxxx(config-keychain-key)# send-lifetime 14:00:00 Jan 25 2011 duration 3600
switchxxxxxx(config-keychain-key)# exit
switchxxxxxx(config-keychain)# key 2
switchxxxxxx(config-keychain-key)# key-string string2
switchxxxxxx(config-keychain-key)# accept-lifetime 14:30:00 Jan 25 2011 duration 7200
switchxxxxxx(config-keychain-key)# send-lifetime 15:00:00 Jan 25 2011 duration 3600
switchxxxxxx(config-keychain-key)# exit
27.2
directed-broadcast
Use the directed-broadcast IP Interface Configuration mode command to enable the
translation of a directed broadcast to physical broadcasts. Use the no form of this command to
disable this function.
Syntax
directed-broadcast
no directed-broadcast
Default Configuration
Translation of a directed broadcast to physical broadcasts is disabled. All IP directed
broadcasts are dropped.
Command Mode
IP Configuration mode
Example
The following example enables the translation of a directed broadcast to physical broadcasts.
switchxxxxxx(config)# interface ip 192.168.1.1
switchxxxxxx(config-ip)# directed-broadcast
27.3
ip policy route-map
To enable policy routing on an interface and identify a route map, use the ip policy route-map
command in Interface Configuration mode. To disable policy routing, use the no form of this
command.
Syntax
ip policy route-map map-tag
no ip policy route-map
Parameters
•
map-tag—Name of the route map to use for policy routing. The name must match a
map-tag value specified by a route-map (Policy Routing) command.
Default Configuration
No policy routing occurs on the interface.
Command Mode
Interface Configuration mode
User Guidelines
Use the ip policy route-map command to enable policy routing on an interface. Policy
routing actually takes place only if an IP address is defined on the interface.
IP packets that match the conditions of the route map named map-tag are routed according
to the action of the matched ACL:
•
permit—The route specified by the set command (policy routing).
•
deny—The route specified by the IP Forwarding table (regular routing).
IP packets that do not match are forwarded using the obvious shortest path.
IP policy routing on a Layer 2 interface is performed only when an IP interface is defined, its
status is UP, and the next hop is reachable. If IP policy routing is not applied, the
matched IP packets are forwarded using the obvious shortest path.
Note. As with regular IP routing, policy-based IP routing routes only MAC "to me" IP
frames, that is, frames addressed to the device's own MAC address.
IP policy routing cannot be configured on an interface together with the following features:
•
VLAN ACL
•
VRRP routers are enabled with more than 7 different VRRP Router Identifiers
Example
The following example shows how to configure policy routing:
switchxxxxxx(config)# ip access-list extended pr-acl1
switchxxxxxx(config-ip-al)# permit tcp any any 156.12.5.0 0.0.0.255 any
switchxxxxxx(config-ip-al)# exit
switchxxxxxx(config)# ip access-list extended pr-acl2
switchxxxxxx(config-ip-al)# permit tcp any any 156.122.5.0 0.0.0.255 any
switchxxxxxx(config-ip-al)# exit
switchxxxxxx(config)# route-map pbr 10
switchxxxxxx(config-route-map)# match ip address access-list pr-acl1
switchxxxxxx(config-route-map)# set ip next-hop 56.1.1.1
switchxxxxxx(config-route-map)# exit
switchxxxxxx(config)# route-map pbr 20
switchxxxxxx(config-route-map)# match ip address access-list pr-acl2
switchxxxxxx(config-route-map)# set ip next-hop 50.1.1.1
switchxxxxxx(config-route-map)# exit
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ip policy route-map pbr
switchxxxxxx(config-if)# exit
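The decision described in the User Guidelines above, evaluated for single packets against the page's pr-acl1/pr-acl2 configuration. This is an added Python example, not code from the guide or from Cisco; the function names are hypothetical, and it assumes that a matching deny ACE ends route-map evaluation, that only `any` ports appear in the ACEs, and that the caller supplies which next hops are currently reachable.

```python
"""Evaluate the page's policy-routing example for individual packets."""
from ipaddress import IPv4Address

ANY = (0, 0xFFFFFFFF)  # 'any': every bit is a wildcard bit


def _take_addr(tokens):
    """Consume 'any' or 'address wildcard' from the front of the token list."""
    first = tokens.pop(0)
    if first == "any":
        return ANY
    return int(IPv4Address(first)), int(IPv4Address(tokens.pop(0)))


def parse_ace(line):
    """Parse 'permit|deny protocol source source-port destination destination-port'."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    src = _take_addr(tokens)
    src_port = tokens.pop(0)
    dst = _take_addr(tokens)
    if src_port != "any" or tokens != ["any"]:
        raise ValueError("only 'any' ports are modelled in this example")
    return {"action": action, "proto": proto, "src": src, "dst": dst}


def parse_config(text):
    """Return (acls, route_map); route_map is the list of entries in sequence order."""
    acls, entries, acl, entry = {}, {}, None, None
    for raw in text.splitlines():
        cmd = raw.split("# ", 1)[-1].strip()  # drop the CLI prompt if present
        words = cmd.split()
        if cmd.startswith("ip access-list extended "):
            acl, entry = acls.setdefault(words[3], []), None
        elif cmd.startswith("route-map "):
            entry, acl = entries.setdefault(int(words[2]), {}), None
        elif acl is not None and words and words[0] in ("permit", "deny"):
            acl.append(parse_ace(cmd))
        elif entry is not None and cmd.startswith("match ip address access-list "):
            entry["acl"] = words[4]
        elif entry is not None and cmd.startswith("set ip next-hop "):
            entry["next_hop"] = words[3]
        elif cmd == "exit":
            acl = entry = None
    return acls, [entries[seq] for seq in sorted(entries)]


def _matches(addr, spec):
    """Wildcard-mask match: bits set in the wildcard are ignored."""
    net, wild = spec
    return ((int(IPv4Address(addr)) ^ net) & ~wild & 0xFFFFFFFF) == 0


def acl_action(acl, proto, src, dst):
    """The first matching ACE decides; None means the packet matched no ACE."""
    for ace in acl:
        if (ace["proto"] in (proto, "ip") and _matches(src, ace["src"])
                and _matches(dst, ace["dst"])):
            return ace["action"]
    return None


def route(acls, route_map, proto, src, dst, iface_up=True, reachable=()):
    """Return ('policy', next_hop) or ('regular', reason) for one packet."""
    if not iface_up:
        return "regular", "IP interface not defined or not UP"
    for entry in route_map:
        action = acl_action(acls[entry["acl"]], proto, src, dst)
        if action == "permit":
            if entry["next_hop"] in reachable:
                return "policy", entry["next_hop"]
            return "regular", f"next hop {entry['next_hop']} unreachable"
        if action == "deny":
            return "regular", "denied by ACL"
    return "regular", "no route-map entry matched"


# The ACL and route-map lines of the page's example.
PAGE_CONFIG = """
switchxxxxxx(config)# ip access-list extended pr-acl1
switchxxxxxx(config-ip-al)# permit tcp any any 156.12.5.0 0.0.0.255 any
switchxxxxxx(config-ip-al)# exit
switchxxxxxx(config)# ip access-list extended pr-acl2
switchxxxxxx(config-ip-al)# permit tcp any any 156.122.5.0 0.0.0.255 any
switchxxxxxx(config-ip-al)# exit
switchxxxxxx(config)# route-map pbr 10
switchxxxxxx(config-route-map)# match ip address access-list pr-acl1
switchxxxxxx(config-route-map)# set ip next-hop 56.1.1.1
switchxxxxxx(config-route-map)# exit
switchxxxxxx(config)# route-map pbr 20
switchxxxxxx(config-route-map)# match ip address access-list pr-acl2
switchxxxxxx(config-route-map)# set ip next-hop 50.1.1.1
"""
ACLS, ROUTE_MAP = parse_config(PAGE_CONFIG)
```

The unreachable-next-hop branch is the one to monitor when policy routing steers traffic through an inspection device: matched packets fall back to regular routing instead of being dropped.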
27.4
ip redirects
Use the ip redirects command in IP Interface Configuration mode to enable the sending of
ICMP redirect messages to re-send a packet through the same interface on which the packet
was received. To disable the sending of redirect messages, use the no form of this command.
Syntax
ip redirects
no ip redirects
Parameters
N/A.
Default Configuration
The sending of ICMP redirect messages is enabled.
Command Mode
IP Configuration mode
Example
The following example disables the sending of ICMP redirect messages on IP interface 1.1.1.1
and re-enables the messages on IP interface 2.2.2.2:
switchxxxxxx(config)# interface ip 1.1.1.1
switchxxxxxx(config-ip)# no ip redirects
switchxxxxxx(config-ip)# exit
switchxxxxxx(config)# interface ip 2.2.2.2
switchxxxxxx(config-ip)# ip redirects
switchxxxxxx(config-ip)# exit
27.5
ip route
To establish static routes, use the ip route command in global configuration mode. To remove
static routes, use the no form of this command.
Syntax
ip route prefix {mask | /prefix-length} {{ip-address [metric value] [track object]} |
reject-route}
no ip route prefix {mask | /prefix-length} [ip-address]
Parameters
•
prefix—IP route prefix for the destination.
•
mask—Prefix mask for the destination.
•
/prefix-length—Prefix mask for the destination. Specifies the number of bits that
comprise the IP address prefix. The prefix length must be preceded by a forward slash
(/). (Range: 0–32)
•
ip-address—IP address of the next hop that can be used to reach that network.
•
metric value—Metric of the route. The default metric is 4 for the Next Hop on an
In-Band interface and 2 for the Next Hop on OOB. Range: 1–255.
•
reject-route—Stops routing to the destination network.
•
track object—Associates a track object with this route. Valid values for the object
argument range from 1 to 64.
Default Configuration
No static routes are established.
Command Mode
Global Configuration mode
User Guidelines
The track object keyword and argument combination specifies that the static route can be
active (used for forwarding) only if the state of the configured track object is up.
Use the no ip route command without the ip-address parameter to remove all static routes to
the given subnet.
Use the no ip route command with the ip-address parameter to remove only one static route to
the given subnet via the given next hop.
Examples
Example 1—The following example shows how to route packets for network 172.31.0.0 to a
router at 172.31.6.6 using mask:
switchxxxxxx(config)# ip route 172.31.0.0 255.255.0.0 172.31.6.6 metric 2
Example 2—The following example shows how to route packets for network 172.31.0.0 to a
router at 172.31.6.6 using prefix length:
switchxxxxxx(config)# ip route 172.31.0.0 /16 172.31.6.6 metric 2
Example 3—The following example shows how to reject packets for network 194.1.1.0:
switchxxxxxx(config)# ip route 194.1.1.0 255.255.255.0 reject-route
Example 4—The following example shows how to remove all static routes to network
194.1.1.0/24:
switchxxxxxx(config)# no ip route 194.1.1.0 /24
Example 5—The following example shows how to remove one static route to network
194.1.1.0/24 via 1.1.1.1:
switchxxxxxx(config)# no ip route 194.1.1.0 /24 1.1.1.1
27.6
ip routing
To enable IP routing, use the ip routing command in global configuration mode. To disable IP
routing, use the no form of this command.
Syntax
ip routing
no ip routing
Parameters
This command has no arguments or keywords.
Default Configuration
IP routing is enabled.
Command Mode
Global Configuration mode
User Guidelines
Use the command to enable IP Routing.
The switch supports one IPv4 stack on in-band interfaces and the OOB port.
The IP stack is always running on the OOB port as an IP host regardless of whether IP routing is
enabled.
The switch blocks routing between in-band interfaces and the OOB interface.
In the case when there are two best routes - one via an in-band and one via the OOB port, the
switch will use the route via the OOB port.
DHCP Relay and IP Helper cannot be enabled on the OOB port.
Routing protocols cannot be enabled on the OOB port.
The IP subnet defined on the OOB port is not redistributed to routing protocols running on
in-band interfaces.
Example
The following example enables IP routing:
switchxxxxxx(config)# ip routing
27.7
key-string
To specify the authentication string for a key, use the key-string command in key chain key
configuration mode. To remove the authentication string, use the no form of this command.
Syntax
key-string text
no key-string
Parameters
•
text—Specifies the authentication string. The string can contain from 1 to 16
characters.
Default Configuration
No key exists.
Command Mode
Key Chain Key Configuration mode
User Guidelines
Example
The following example configures a key chain named chain1. The key named key1 will be
accepted from 1:30 p.m. to 3:30 p.m. and be sent from 2:00 p.m. to 3:00 p.m. The key named
key2 will be accepted from 2:30 p.m. to 4:30 p.m. and be sent from 3:00 p.m. to 4:00 p.m. The
overlap allows for migration of keys or a discrepancy in the set time of the router. There is a
30-minute leeway on each side to handle time differences:
switchxxxxxx(config)# key chain chain1
switchxxxxxx(config-keychain)# key 1
switchxxxxxx(config-keychain-key)# key-string key1
switchxxxxxx(config-keychain-key)# accept-lifetime 13:30:00 Jan 25 2011 duration 7200
switchxxxxxx(config-keychain-key)# send-lifetime 14:00:00 Jan 25 2011 duration 3600
switchxxxxxx(config-keychain-key)# exit
switchxxxxxx(config-keychain)# key 2
switchxxxxxx(config-keychain-key)# key-string key2
switchxxxxxx(config-keychain-key)# accept-lifetime 14:30:00 Jan 25 2011 duration 7200
switchxxxxxx(config-keychain-key)# send-lifetime 15:00:00 Jan 25 2011 duration 3600
switchxxxxxx(config-keychain-key)# exit
switchxxxxxx(config-keychain)# exit
switchxxxxxx(config)# router rip
switchxxxxxx(config-rip)# network 172.19.1.1
switchxxxxxx(config-rip)# version 2
switchxxxxxx(config-rip)# exit
switchxxxxxx(config)# interface ip 172.19.1.1
switchxxxxxx(config-ip)# ip rip authentication key-chain chain1
switchxxxxxx(config-ip)# ip rip authentication mode md5
switchxxxxxx(config-ip)# exit
27.8
key (key chain)
To identify an authentication key on a key chain, use the key command in key-chain
configuration mode. To remove the key from the key chain, use the no form of this command.
Syntax
key key-id
no key key-id
Parameters
•
key-id—Identification number of an authentication key on a key chain. The range of
keys is from 1 to 255. The key identification numbers need not be consecutive. The
scope of a key identification number is the key chain where the key is defined.
Default Configuration
No key exists on the key chain.
Command Mode
Key-Chain Configuration mode
User Guidelines
It is useful to have multiple keys on a key chain so that the software can sequence through the
keys as they become invalid after time, based on the accept-lifetime and send-lifetime key
chain key command settings.
Each key has its own key identifier, which is stored locally. The combination of the key
identifier and the interface associated with the message uniquely identifies the authentication
algorithm and authentication key in use. Only one authentication packet is sent, regardless of
the number of valid keys. The software starts looking at the lowest key identifier number and
uses the first valid key.
If the last key expires, authentication ends with an error.
To remove all keys, remove the key chain by using the no key chain command.
Example
The following example configures a key chain named chain1. The key named key1 will be
accepted from 1:30 p.m. to 3:30 p.m. and be sent from 2:00 p.m. to 3:00 p.m. The key named
key2 will be accepted from 2:30 p.m. to 4:30 p.m. and be sent from 3:00 p.m. to 4:00 p.m. The
overlap allows for migration of keys or a discrepancy in the set time of the router. There is a
30-minute leeway on each side to handle time differences:
switchxxxxxx(config)# key chain chain1
switchxxxxxx(config-keychain)# key 1
switchxxxxxx(config-keychain-key)# key-string key1
switchxxxxxx(config-keychain-key)# accept-lifetime 13:30:00 Jan 25 2011 duration 7200
switchxxxxxx(config-keychain-key)# send-lifetime 14:00:00 Jan 25 2011 duration 3600
switchxxxxxx(config-keychain-key)# exit
switchxxxxxx(config-keychain)# key 2
switchxxxxxx(config-keychain-key)# key-string key2
switchxxxxxx(config-keychain-key)# accept-lifetime 14:30:00 Jan 25 2011 duration 7200
switchxxxxxx(config-keychain-key)# send-lifetime 15:00:00 Jan 25 2011 duration 3600
switchxxxxxx(config-keychain-key)# exit
switchxxxxxx(config-keychain)# exit
switchxxxxxx(config)# router rip
switchxxxxxx(config-rip)# network 172.19.1.1
switchxxxxxx(config-rip)# exit
switchxxxxxx(config)# interface ip 172.19.1.1
switchxxxxxx(config-ip)# ip rip authentication mode md5
switchxxxxxx(config-ip)# ip rip authentication key-chain chain1
switchxxxxxx(config-ip)# exit
27.9
key chain
To enable authentication for routing protocols, identify a group of authentication keys by using
the key chain command in global configuration mode. To remove the key chain, use the no
form of this command.
Syntax
key chain name-of-chain
no key chain name-of-chain
Parameters
•
name-of-chain—Name of a key chain. The chain-name may have from 1 to 32
characters. A key chain must have at least one key and can have up to 256 keys.
Default Configuration
No key chain exists.
Command Mode
Global Configuration mode
User Guidelines
You must configure a key chain with keys to enable authentication.
Although you can identify multiple key chains, we recommend using one key chain per
interface per routing protocol. Upon specifying the key chain command, you enter key-chain
configuration mode.
Example
The following example configures a key chain named chain1. The key named key1 will be
accepted from 1:30 p.m. to 3:30 p.m. and be sent from 2:00 p.m. to 3:00 p.m. The key named
key2 will be accepted from 2:30 p.m. to 4:30 p.m. and be sent from 3:00 p.m. to 4:00 p.m. The
overlap allows for migration of keys or a discrepancy in the set time of the router. There is a
30-minute leeway on each side to handle time differences:
switchxxxxxx(config)# key chain chain1
switchxxxxxx(config-keychain)# key 1
switchxxxxxx(config-keychain-key)# key-string key1
switchxxxxxx(config-keychain-key)# accept-lifetime 13:30:00 Jan 25 2011 duration 7200
switchxxxxxx(config-keychain-key)# send-lifetime 14:00:00 Jan 25 2011 duration 3600
switchxxxxxx(config-keychain-key)# exit
switchxxxxxx(config-keychain)# key 2
switchxxxxxx(config-keychain-key)# key-string key2
switchxxxxxx(config-keychain-key)# accept-lifetime 14:30:00 Jan 25 2011 duration 7200
switchxxxxxx(config-keychain-key)# send-lifetime 15:00:00 Jan 25 2011 duration 3600
switchxxxxxx(config-keychain-key)# exit
switchxxxxxx(config-keychain)# exit
switchxxxxxx(config)# router rip
switchxxxxxx(config-rip)# network 172.19.1.1
switchxxxxxx(config-rip)# exit
switchxxxxxx(config)# interface ip 172.19.1.1
switchxxxxxx(config-ip)# ip rip authentication mode md5
switchxxxxxx(config-ip)# ip rip authentication key-chain chain1
switchxxxxxx(config-ip)# exit
27.10 send-lifetime
To set the time period during which an authentication key on a key chain is valid to be sent,
use the send-lifetime command in Key Chain Key configuration mode. To revert to the default
value, use the no form of this command.
Syntax
send-lifetime start-time {infinite | end-time | duration seconds}
no send-lifetime
Parameters
• start-time—Beginning time that the key specified by the key command is valid to be received. The syntax can be either of the following:
hh:mm:ss Month date year
hh:mm:ss date Month year
hh—hours (0-23)
mm—minutes (0-59)
ss—seconds (0-59)
Month—first three letters of the month
date—date (1-31)
year—year (four digits)
The default start time and the earliest acceptable date is January 1, 2000.
• infinite—Key is valid to be received from the start-time value on.
• end-time—Key is valid to be received from the start-time value until the end-time value. The syntax is the same as that for the start-time value. The end-time value must be after the start-time value. The default end time is an infinite time period.
• duration seconds—Length of time (in seconds) that the key is valid to be received. The range is from 1 to 2147483646.
Default Configuration
The default time period during which the authentication key is valid for authenticating
incoming packets is set to forever.
Forever (the starting time is January 1, 2000, and the ending time is infinite)
Command Mode
Key Chain Key Configuration mode
User Guidelines
Specify a start-time value and one of the following values: infinite, end-time, or duration seconds.
A key is considered expired if Time-of-Date is not set by management or by SNTP.
If the last key expires, authentication finishes with an error.
Example
The following example configures a key chain called chain1. The key named key1 will be
accepted from 1:30 p.m. to 3:30 p.m. and be sent from 2:00 p.m. to 3:00 p.m. The key named
key2 will be accepted from 2:30 p.m. to 4:30 p.m. and be sent from 3:00 p.m. to 4:00 p.m. The
overlap allows for migration of keys or discrepancies in the set time of the router. There is a
30-minute leeway on each side to handle time differences:
switchxxxxxx(config)# router rip
switchxxxxxx(config-rip)# network 172.19.1.1
switchxxxxxx(config-rip)# exit
switchxxxxxx(config)# interface ip 172.19.1.1
switchxxxxxx(config-ip)# ip rip authentication mode md5
switchxxxxxx(config-ip)# ip rip authentication key-chain chain1
switchxxxxxx(config-ip)# exit
switchxxxxxx(config)# key chain chain1
switchxxxxxx(config-keychain)# key 1
switchxxxxxx(config-keychain-key)# key-string key1
switchxxxxxx(config-keychain-key)# accept-lifetime 13:30:00 Jan 25 1996 duration 7200
switchxxxxxx(config-keychain-key)# send-lifetime 14:00:00 Jan 25 1996 duration 3600
switchxxxxxx(config-keychain-key)# exit
switchxxxxxx(config-keychain)# key 2
switchxxxxxx(config-keychain-key)# key-string key2
switchxxxxxx(config-keychain-key)# accept-lifetime 14:30:00 Jan 25 1996 duration 7200
switchxxxxxx(config-keychain-key)# send-lifetime 15:00:00 Jan 25 1996 duration 3600
switchxxxxxx(config-keychain-key)# exit
switchxxxxxx(config-keychain)# exit
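The rollover schedule from the key chain examples above, checked in code. This is an added Python example, not part of the Cisco guide or the switch software; the function names, the half-open send interval, and the gap check between consecutive send windows are assumptions made here.

```python
from datetime import datetime, timedelta

EARLIEST = datetime(2000, 1, 1)   # "earliest acceptable date" stated in the guide
FOREVER = datetime.max            # stands in for the "infinite" end time
ALWAYS = (EARLIEST, FOREVER)      # default lifetime when none is configured
LEEWAY = timedelta(minutes=30)    # leeway used in the guide's example

# The guide's 2011 example with wrapped lines rejoined; prompts kept on purpose.
SAMPLE = """\
switchxxxxxx(config)# key chain chain1
switchxxxxxx(config-keychain)# key 1
switchxxxxxx(config-keychain-key)# key-string key1
switchxxxxxx(config-keychain-key)# accept-lifetime 13:30:00 Jan 25 2011 duration 7200
switchxxxxxx(config-keychain-key)# send-lifetime 14:00:00 Jan 25 2011 duration 3600
switchxxxxxx(config-keychain-key)# exit
switchxxxxxx(config-keychain)# key 2
switchxxxxxx(config-keychain-key)# key-string key2
switchxxxxxx(config-keychain-key)# accept-lifetime 14:30:00 Jan 25 2011 duration 7200
switchxxxxxx(config-keychain-key)# send-lifetime 15:00:00 Jan 25 2011 duration 3600
"""


def _parse_time(tok):
    """Accept 'hh:mm:ss Month date year' or 'hh:mm:ss date Month year'."""
    clock, a, b, year = tok
    month, day = (b, a) if a.isdigit() else (a, b)
    return datetime.strptime(f"{clock} {month[:3]} {day} {year}", "%H:%M:%S %b %d %Y")


def parse_lifetime(args):
    """Tokens after accept-lifetime/send-lifetime -> (start, end)."""
    start, rest = _parse_time(args[:4]), args[4:]
    if not rest or rest[0] == "infinite":
        return start, FOREVER
    if rest[0] == "duration":
        return start, start + timedelta(seconds=int(rest[1]))
    return start, _parse_time(rest[:4])


def parse_keychain(config):
    """Return {key_id: {'accept': (start, end), 'send': (start, end)}}."""
    keys, current = {}, None
    for line in config.splitlines():
        cmd = line.split("#", 1)[-1].split()      # drop the CLI prompt if present
        if len(cmd) == 2 and cmd[0] == "key" and cmd[1].isdigit():
            current = keys.setdefault(int(cmd[1]), {})
        elif cmd and cmd[0] in ("accept-lifetime", "send-lifetime") and current is not None:
            current[cmd[0].split("-")[0]] = parse_lifetime(cmd[1:])
    return keys


def audit(keys, leeway=LEEWAY):
    """Return findings for a rollover schedule; an empty list means it is clean."""
    findings = []
    ordered = sorted(keys.items(), key=lambda kv: kv[1].get("send", ALWAYS)[0])
    for kid, k in ordered:
        (a0, a1), (s0, s1) = k.get("accept", ALWAYS), k.get("send", ALWAYS)
        if a0 < EARLIEST or s0 < EARLIEST:
            findings.append(f"key {kid}: start time before Jan 1 2000")
        lead_ok = a0 == EARLIEST or s0 - a0 >= leeway
        tail_ok = a1 == FOREVER or a1 - s1 >= leeway
        if not (lead_ok and tail_ok):
            findings.append(f"key {kid}: accept window lacks {leeway} leeway around send window")
    # A gap between consecutive send windows leaves no key valid to send.
    for (id1, k1), (id2, k2) in zip(ordered, ordered[1:]):
        gap = k2.get("send", ALWAYS)[0] - k1.get("send", ALWAYS)[1]
        if gap > timedelta(0):
            findings.append(f"keys {id1}->{id2}: no key valid to send for {gap}")
    return findings


def sendable(keys, now):
    """Key ids valid to send at `now`; none when the clock is not set (now=None)."""
    if now is None:        # guide: a key is considered expired without time of day
        return []
    return [kid for kid, k in sorted(keys.items())
            if k.get("send", ALWAYS)[0] <= now < k.get("send", ALWAYS)[1]]


if __name__ == "__main__":
    chain = parse_keychain(SAMPLE)
    print(audit(chain) or "schedule is clean")
    print(audit(parse_keychain(SAMPLE.replace("2011", "1996"))))
```

Run against the 1996 variant of the example, the audit reports both keys as starting before the earliest acceptable date given in the Parameters section.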
27.11 show ip protocols
To display the parameters and current state of the active IP routing protocol processes, use the
show ip protocols command in user EXEC or privileged EXEC mode.
Syntax
show ip protocols [summary]
Parameters
• summary—Displays the configured routing protocol process names.
Command Mode
User EXEC mode
Privileged EXEC mode
User Guidelines
The information displayed by the show ip protocols command is useful in debugging routing
operations.
Examples
Example 1. The following is sample output from the show ip protocols command, showing
active routing protocols:
switchxxxxxx# show ip protocols
IP Routing Protocol is "rip"
Interfaces    IP Addresses
VLAN 1        12.1.1.1
VLAN 1        150.23.12.2
VLAN 11       1.1.1.1
Example 2. The following is sample output from the show ip protocols command with the
summary keyword:
switchxxxxxx# show ip protocols summary
IP Routing Protocol is "rip"
27.12 show ip route
To display the current state of the routing table, use the show ip route command in user EXEC
or privileged EXEC mode.
Syntax
show ip route [address ip-address {mask [longer-prefixes]}] [protocol | static | rejected | icmp | connected]
Parameters
• address ip-address—IP address about which routing information should be displayed.
• mask—The value of the subnet mask.
• longer-prefixes—Specifies that only routes matching the IP address and mask pair should be displayed.
• protocol—The name of the origin of the protocol to be displayed. Use one of the following arguments:
  - rip—Displays routes added by RIP
• connected—Displays connected routes.
• icmp—Displays routes added by ICMP Direct.
• rejected—Displays rejected routes.
• static—Displays static routes.
Command Mode
User EXEC mode
Privileged EXEC mode
User Guidelines
Use this command without parameters to display the whole IPv6 Routing table.
Use this command with parameters to specify required routes.
Examples
Example 1. The following is sample output from the show ip route command when IP
Routing is not enabled:
switchxxxxxx# show ip route
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: disabled
Codes: > - best, C - connected, S - static, I - ICMP
IP Routing Table - 5 entries
Code   IP Route         Distance/ Next Hop        Last Time Outgoing  Interface Track  Track
                        Metric    IP Address      Updated   Interface Status    Object Status
------ ---------------- --------- --------------- --------- --------- --------- ------ ------
S>     10.10.0.0/16     1/2       10.119.254.244  00:02:22  vlan2     UP        10     UP
S      10.10.0.0/16     1/1       10.120.254.244  00:10:42  vlan3     UP        10     DOWN
S>     10.16.2.0/24     1/1       10.119.254.244  00:02:22  vlan2     UP
C>     10.119.0.0/16    0/1       0.0.0.0                   vlan2
C>     10.120.0.0/16    0/1       0.0.0.0                   vlan3
Example 2. The following is sample output from the show ip route command when IP
Routing is enabled:
switchxxxxxx# show ip route
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: enabled
Directed Broadcast Forwarding: disabled
Codes: > - best, C - connected, S - static
R - RIP
Policy Routing
VLAN 1
Route Map: BPR1
Status: Active
ACL Name: ACLTCPHTTP
Next Hop: 1.1.1.1
Next Hop Status: Active
ACL Name: ACLTCPTELNET
Next Hop: 2.2.2.2
Next Hop Status: Not Active (Unreachable)
ACL Name: ACL_AA
Next Hop: 3.3.3.3
Next Hop Status: Not Active (Not direct)
VLAN 100
Route Map: BPR_10
Status: Not Active (No IP interface on VLAN 100)
ACL Name: ACLTCPHTTP
Next Hop: 1.1.1.20
Next Hop Status: Active
VLAN 110
Route Map: BPR_20
Status: Not Active (VLAN 110 status is DOWN)
ACL Name: ACLTCPHTTP
Next Hop: 1.1.1.20
Next Hop Status: Active
VLAN 200
Route Map: BPR_A0
Status: Active
ACL Name: ACLTCPHTTP
Next Hop: 1.1.1.20
Next Hop Status: Active
IP Routing Table - 5 entries
Code   IP Route         Distance/ Next Hop        Last Time Outgoing  Interface Track  Track
                        Metric    IP Address      Updated   Interface Status    Object Status
------ ---------------- --------- --------------- --------- --------- --------- ------ ------
R>     10.7.10.0/24     120/5     10.119.254.244  00:02:22  vlan2
S>     10.175.0.0/16    1/1       10.119.254.240  00:02:22  vlan2     UP        10     UP
S>     10.180.0.0/16    1/1       10.119.254.240  00:02:42  vlan3     UP        10     UP
C>     10.119.0.0/16    0/1       0.0.0.0                   vlan2
C>     10.120.0.0/16    0/1       0.0.0.0                   vlan3
Example 3. In the following example, the logical AND operation is performed on the address
10.16.0.0 and the mask 255.255.0.0, resulting in 10.16.0.0. On each destination in the routing
table the logical AND operation is also performed with the mask and the result is compared
with 10.16.0.0. Any destinations that fall into that range are displayed in the output:
switchxxxxxx# show ip route 10.16.0.0 255.255.0.0 longer-prefix
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: enabled
Directed Broadcast Forwarding: disabled
Codes: > - best, C - connected, S - static
R - RIP
Policy Routing
VLAN 1
Route Map: BPR1
Status: Active
ACL Name: ACLTCPHTTP
Next Hop: 1.1.1.1
Next Hop Status: Active
ACL Name: ACLTCPTELNET
Next Hop: 2.2.2.2
Next Hop Status: Not Active (Unreachable)
ACL Name: ACL_AA
Next Hop: 3.3.3.3
Next Hop Status: Not Active (Not direct)
VLAN 100
Route Map: BPR_10
Status: Not Active (No IP interface on VLAN 100)
ACL Name: ACLTCPHTTP
Next Hop: 1.1.1.20
Next Hop Status: Active
VLAN 110
Route Map: BPR_20
Status: Not Active (VLAN 110 status is DOWN)
ACL Name: ACLTCPHTTP
Next Hop: 1.1.1.20
Next Hop Status: Active
VLAN 200
Route Map: BPR_A0
Status: Active
ACL Name: ACLTCPHTTP
Next Hop: 1.1.1.20
Next Hop Status: Active
IP Routing Table - 6 entries
Code   IP Route         Distance/ Next Hop        Last Time Outgoing  Interface Track  Track
                        Metric    IP Address      Updated   Interface Status    Object Status
------ ---------------- --------- --------------- --------- --------- --------- ------ ------
S>     10.16.2.0/24     1/1       10.119.254.244  00:02:22  vlan2     UP
S>     10.16.2.64/26    1/1       100.1.14.244    00:02:22  vlan1     UP
S>     10.16.2.128/26   1/1       110.9.2.2       00:02:22  vlan3     UP
S>     10.16.208.0/24   1/1       120.120.5.44    00:02:22  vlan2     UP
S>     10.16.223.0/24   1/1       20.1.2.24       00:02:22  vlan5     UP
S>     10.16.236.0/24   1/1       30.19.54.240    00:02:23  vlan6     UP
C>     10.119.0.0/16    0/1       0.0.0.0                   vlan2
C>     10.120.0.0/16    0/1       0.0.0.0                   vlan3
C>     20.1.0.0/16      0/1       0.0.0.0                   vlan5
C>     30.19.0.0/16     0/1       0.0.0.0                   vlan2
C>     100.1.0.0/16     0/1       0.0.0.0                   vlan1
C>     110.9.0.0/16     0/1       0.0.0.0                   vlan3
C>     120.120.0.0/16   0/1       0.0.0.0                   vlan2
Example 4. The following is sample output from the show ip route command when IP
Routing is enabled and hardware forwarding is not active:
switchxxxxxx# show ip route
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: enabled (hardware forwarding is not active)
Directed Broadcast Forwarding: disabled
Codes: > - best, C - connected, S - static
R - RIP
Policy Routing
VLAN 1
Route Map: BPR1
Status: Active
ACL Name: ACLTCPHTTP
Next Hop: 1.1.1.1
Next Hop Status: Active
ACL Name: ACLTCPTELNET
Next Hop: 2.2.2.2
Next Hop Status: Not Active (Unreachable)
ACL Name: ACL_AA
Next Hop: 3.3.3.3
Next Hop Status: Not Active (Not direct)
VLAN 100
Route Map: BPR_10
Status: Not Active (No IP interface on VLAN 100)
ACL Name: ACLTCPHTTP
Next Hop: 1.1.1.20
Next Hop Status: Active
VLAN 110
Route Map: BPR_20
Status: Not Active (VLAN 110 status is DOWN)
ACL Name: ACLTCPHTTP
Next Hop: 1.1.1.20
Next Hop Status: Active
VLAN 200
Route Map: BPR_A0
Status: Active
ACL Name: ACLTCPHTTP
Next Hop: 1.1.1.20
Next Hop Status: Active
IP Routing Table - 5 entries
Code   IP Route         Distance/ Next Hop        Last Time Outgoing  Interface Track  Track
                        Metric    IP Address      Updated   Interface Status    Object Status
------ ---------------- --------- --------------- --------- --------- --------- ------ ------
R>     10.7.10.0/24     120/5     10.119.254.244  00:02:22  vlan2
S>     10.175.0.0/16    1/1       10.119.254.240  00:02:22  vlan2     UP        10     UP
S>     10.180.0.0/16    1/1       10.119.254.240  00:02:42  vlan3     UP        10     UP
C>     10.119.0.0/16    0/1       0.0.0.0                   vlan2
C>     10.120.0.0/16    0/1       0.0.0.0                   vlan3
27.13 show ip route summary
Use the show ip route summary command in User EXEC or Privileged EXEC mode to
display the current contents of the IP routing table in summary format.
Syntax
show ip route summary
Parameters
N/A.
Command Mode
User EXEC mode
Privileged EXEC mode
User Guidelines
Example
The following is sample output from the show ip route summary command:
switchxxxxxx# show ip route summary
IP Routing Table Summary - 90 entries
35 connected, 25 static, 12 RIP
Number of prefixes:
/16: 16, /18: 10, /22: 15, /24: 15, /28: 2, /30: 12
27.14 show key chain
To display authentication key information, use the show key chain command in Privileged
EXEC mode.
Syntax
show key chain [name-of-chain]
Parameters
• name-of-chain—Name of the key chain to display, as named in the key chain command.
Default Configuration
Information about all key chains is displayed.
Command Mode
Privileged EXEC mode
User Guidelines
Examples
Example 1. The following is sample output from the show key chain command when the
current time of date is defined:
switchxxxxxx# show key chain
Current Time of Date is Feb 8 2011
Accept lifetime is configured to ignore
Key-chain trees:
key 1 -- text "chestnut"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
key 2 -- text "birch"
accept lifetime (00:00:00 Dec 5 2010) - (23:59:59 Dec 5 2010)
send lifetime (06:00:00 Dec 5 2010) - (18:00:00 Dec 5 2016)[valid now]
Example 2. The following is sample output from the show key chain command when the
current time of date is not defined:
switchxxxxxx# show key chain
Current Time of Date is not defined
Accept lifetime is ignored
Key-chain trees:
key 1 -- text "chestnut"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
key 2 -- text "birch"
accept lifetime (00:00:00 Dec 5 2010) - (23:59:59 Dec 5 2010)
send lifetime (06:00:00 Dec 5 2010) - (18:00:00 Dec 5 2016)
28 IP SLA Commands
28.1 clear ip sla counters
To clear the IP Service Level Agreements (SLAs) counters, use the clear ip sla counters
command in Privileged EXEC mode.
Syntax
clear ip sla counters [operation]
Parameters
• operation—This operation’s number is used to identify the IP SLA operation whose counters you want to clear. The range is from 1 to 64.
Command Mode
Privileged EXEC mode
User Guidelines
Use the clear ip sla counters operation command to clear the IP SLAs counters of the specified IP SLAs operation.
Use the clear ip sla counters command to clear the IP SLAs counters of all IP SLAs operations.
Example
The following example clears the IP SLAs counters:
switchxxxxxx# clear ip sla counters
28.2 delay
To configure a period of time in seconds to delay state changes of a tracking object, use the
delay command in TRACK Configuration mode.
Syntax
delay {up seconds down seconds} | up seconds | down seconds
no delay [up] [down]
Parameters
• up seconds—(Optional) Specifies a period of time in seconds to delay state changes from DOWN to UP. Range 1-180.
• down seconds—(Optional) Specifies a period of time in seconds to delay state changes from UP to DOWN. Range 1-180.
Default Configuration
No delay.
Command Mode
TRACK Configuration mode
User Guidelines
Use the delay command to define a delay interval for tracking object state UP and/or DOWN.
The delay interval is normally configured as a multiple of frequency.
If the delay command was not used to configure a delay interval for state X, then when the
associated IP SLAs operation changes the state of the tracking object to X from Y, the X state
is immediately passed to the associated applications.
If the delay command was used to configure a delay period for state X, then when the
associated IP SLAs operation changes the state of the tracking object to X from Y, the tracking
object performs the following actions:
• The state of the tracking object is not changed and the tracking object starts the delay timer for interval T.
• If the original state (Y) is received again while the timer is running, the timer is stopped and the state remains Y.
• If the delay timer expires, the state of the tracking object is changed to X and the X state is passed to the associated applications.
Note. The new delay value configured by this command affects the current delay interval.
Use the no delay up down or no delay command to delete delay for all changes.
Use the no delay down command to delete delay for changes from UP to DOWN.
Use the no delay up command to delete delay for changes from DOWN to UP.
Example
The following example shows how to configure the tracking process to track the state of IP
SLAs operation 2. State changes from UP to DOWN are delayed by 150 seconds:
switchxxxxxx(config)# track 1 ip sla 2 state
switchxxxxxx(config-track)# delay down 150
switchxxxxxx(config-track)# exit
switchxxxxxx(config)#
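The delay behaviour described above as a small state machine, fed with a constructed series of IP SLA return codes. This is an added Python example, not Cisco code; the class and function names are hypothetical, and timer expiry is evaluated when each operation result arrives.

```python
class TrackObject:
    """Tracking object with the delay behaviour described for the delay command."""

    def __init__(self, delay_up=0, delay_down=0):
        for d in (delay_up, delay_down):
            if not 0 <= d <= 180:                  # guide: range 1-180, 0 = no delay here
                raise ValueError("delay must be 0 (none) or 1-180 seconds")
        self.state = "UP"                          # state after object creation
        self.delay = {"UP": delay_up, "DOWN": delay_down}
        self.pending = None                        # (target state, deadline) while timer runs
        self.transitions = []                      # (time, state) passed to applications

    def _commit(self, when, state):
        self.state, self.pending = state, None
        self.transitions.append((when, state))

    def expire(self, now):
        """Apply the pending change if its delay timer has run out by `now`."""
        if self.pending and now >= self.pending[1]:
            self._commit(self.pending[1], self.pending[0])

    def report(self, now, return_code):
        """Feed one IP SLA operation result (OK or Error) seen at `now` seconds."""
        self.expire(now)
        target = "UP" if return_code.upper() == "OK" else "DOWN"
        if target == self.state:
            self.pending = None                    # original state seen again: stop timer
        elif self.delay[target] == 0:
            self._commit(now, target)              # no delay configured for this state
        elif self.pending is None:
            self.pending = (target, now + self.delay[target])


def simulate(return_codes, frequency, delay_up=0, delay_down=0):
    """Run one result every `frequency` seconds; return the state changes passed on."""
    track = TrackObject(delay_up, delay_down)
    for i, code in enumerate(return_codes):
        track.report(i * frequency, code)
    return track.transitions


# Constructed sample: a short flap (two errors), then a real outage, then recovery.
CODES = ["OK", "Error", "Error", "OK", "Error", "Error", "Error", "Error", "OK"]

if __name__ == "__main__":
    print("no delay      :", simulate(CODES, frequency=50))
    print("delay down 150:", simulate(CODES, frequency=50, delay_down=150))
```

With delay down 150 and a 50-second frequency, the two-error flap never reaches the associated applications, and the real outage is passed on 150 seconds after its first failed operation.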
28.3 frequency (IP SLA)
To set the rate at which a specified IP Service Level Agreements (SLAs) operation repeats, use
the frequency command in the appropriate submode of IP SLA configuration. To restore the
default configuration, use the no form of the command.
Syntax
frequency seconds
no frequency
Parameters
• seconds—Number of seconds between the IP SLAs operations. The range is from 10 seconds to 500 seconds.
Default Configuration
10 seconds
Command Mode
IP SLA ICMP ECHO Configuration mode
User Guidelines
A single IP SLAs operation will repeat at a given frequency for the lifetime of the operation.
The following configuration guideline is required:
frequency > timeout
Note. The new frequency value configured by this command affects the current frequency
interval.
Example
This example shows how to set the frequency of an IP SLA operation:
switchxxxxxx(config)# ip sla 10
switchxxxxxx(config-ip-sla)# icmp-echo 172.16.1.175
switchxxxxxx(config-ip-sla-icmp-echo)# frequency 90
switchxxxxxx(config-ip-sla-icmp-echo)# exit
switchxxxxxx(config-ip-sla)# exit
switchxxxxxx(config)# ip sla schedule 10 life forever start-time now
28.4 icmp-echo
To configure an IP Service Level Agreements (SLAs) Internet Control Message Protocol
(ICMP) Echo operation, use the icmp-echo command in IP SLA Configuration mode.
Syntax
icmp-echo {ip-address | hostname} [{source-ip ip-address}] [nexthop-ip ip-address]
Parameters
• ip-address | hostname—Destination IP address or hostname.
• nexthop-ip ip-address—(Optional) IP address of the next hop.
• source-ip ip-address—(Optional) Specifies the source IP address. When a source IP address is not specified, the IP SLAs ICMP Echo operation chooses the IP address nearest to the destination.
Default Configuration
No IP SLAs operation type is configured for the operation being configured.
Command Mode
IP SLA Configuration mode
User Guidelines
The default request packet data size of ICMP Echo requests is 28 bytes. Use the
request-data-size (IP SLA) command to modify this value. This data size is the payload
portion of the ICMP packet, which makes a 64-byte IP packet.
Each IP SLAs ICMP Echo operation sends one ICMP Echo request.
The frequency (IP SLA) command specifies the interval between two consecutive IP SLAs
ICMP Echo operations.
The timeout (IP SLA) command specifies the maximum wait time for the ICMP Echo Reply
message or an ICMP Error message.
After an operation has finished, the operation return code is set.
An operation is finished by one of the following events:
• ICMP Echo reply has been received - the return code is set to ok.
• ICMP Error reply has been received - the return code is set to error.
• No ICMP reply has been received - the return code is set to error.
• Configured Source IP address or Source interface is not accessible - the return code is set to error.
Note. If an operation parameter is changed by configuration, the change takes effect only at
the next operation start.
Examples
Example 1. In the following example, IP SLAs operation 10 is created and configured as an
echo operation using the ICMP protocol and the destination IPv4 address 172.16.1.175:
switchxxxxxx(config)# ip sla 10
switchxxxxxx(config-ip-sla)# icmp-echo 172.16.1.175
switchxxxxxx(config-ip-sla-icmp-echo)# exit
switchxxxxxx(config-ip-sla)# exit
switchxxxxxx(config)# ip sla schedule 10 life forever start-time now
Example 2. In the following example, IP SLAs operation 10 is created and configured as an
echo operation using the ICMP protocol and the destination IPv4 address 172.16.1.175 and
next hop 12.1.1.1:
switchxxxxxx(config)# ip sla 10
switchxxxxxx(config-ip-sla)# icmp-echo 172.16.1.175 nexthop-ip 12.1.1.1
switchxxxxxx(config-ip-sla-icmp-echo)# exit
switchxxxxxx(config-ip-sla)# exit
switchxxxxxx(config)# ip sla schedule 10 life forever start-time now
28.5 ip sla
To begin configuring an IP Service Level Agreements (SLAs) operation and enter IP SLA
configuration mode, use the ip sla command in Global Configuration mode. To restore the
default configuration, use the no form of the command.
Syntax
ip sla operation
no ip sla operation
Parameters
• operation—Operation number used for the identification of the IP SLAs operation you want to configure. The range is from 1 to 64.
Default Configuration
No IP SLAs operation is configured.
Command Mode
Global Configuration mode
User Guidelines
The ip sla command is used to begin configuration for an IP SLAs operation. Use this
command to specify an identification number for the operation you are about to configure.
After you enter this command, the switch will enter the IP SLAs configuration mode.
Note. An IP SLAs operation is not created if an IP SLAs operation type (for example, ICMP
Echo) has not been configured.
After you configure an operation, you must schedule the operation. For information on
scheduling an operation, refer to the ip sla schedule command.
You cannot configure a new IP SLAs operation with the number of an existing IP SLAs
operation. You must first delete the existing IP SLAs operation (using the no ip sla command)
and then configure the new operation.
To display the current configuration settings of the operation, use the show ip sla operation
command.
Example
The following example starts to configure operation 4:
switchxxxxxx(config)# ip sla 4
switchxxxxxx(config-ip-sla)#
28.6 ip sla schedule
To configure the scheduling parameters for a single IP Service Level Agreements (SLAs)
operation, use the ip sla schedule command in Global Configuration mode. To restore the
default configuration, use the no form of the command.
Syntax
ip sla schedule operation life forever start-time now
no ip sla schedule operation
Parameters
• operation—Number of the IP SLAs operation to schedule. The range is from 1 to 64.
• life forever—Schedules the IP SLAs operation to run indefinitely.
• start-time now—Indicates that the operation schedule should start immediately.
Default Configuration
The operation is placed in the pending state (that is, the operation is enabled but not actively
collecting information).
Command Mode
Global Configuration mode
User Guidelines
After you have scheduled the operation with the ip sla schedule command, you can change the
parameters of the operation. The new parameter values are applied only in the next
operation execution.
Note 1. An IP SLAs operation in the pending state passes the OK return code.
Note 2. The no form does not stop the currently executed operation.
Example
In the following example, operation 3 is scheduled to run indefinitely and started immediately:
switchxxxxxx(config)# ip sla schedule 3 life forever start-time now
28.7 request-data-size (IP SLA)
To set the protocol data size in the payload of an IP Service Level Agreements (SLAs)
operation's request packet, use the request-data-size command in the appropriate submode of
IP SLA configuration mode. To restore the default configuration, use the no form of the
command.
Syntax
request-data-size bytes
no request-data-size
Parameters
• bytes—Size of payload of the request packet of the operation, in bytes. Range is from 28 to 1472.
Default Configuration
The default request packet data size for an ICMP Echo operation is 28 bytes. This data size is
the payload portion of the ICMP packet, which makes a 64-byte IP packet.
Command Mode
IP SLA ICMP ECHO Configuration mode
User Guidelines
Use the request-data-size command to set the payload size in the messages used by the IP
SLAs operation.
Example
The following example shows how to set the request packet size to 40 bytes for an IP SLAs
ICMP echo operation:
switchxxxxxx(config)# ip sla 10
switchxxxxxx(config-ip-sla)# icmp-echo 172.16.1.175
switchxxxxxx(config-ip-sla-icmp-echo)# request-data-size 40
switchxxxxxx(config-ip-sla-icmp-echo)# exit
switchxxxxxx(config-ip-sla)# exit
switchxxxxxx(config)# ip sla schedule 10 life forever start-time now
28.8 show ip sla operation
To display information about all IP Service Level Agreements (SLAs) operations or a
specified operation, use the show ip sla operation command in User EXEC mode.
Syntax
show ip sla operation [operation]
Parameters
• operation—Number of the IP SLAs operation for which the details will be displayed. The range is from 1 to 64.
Default Configuration
This command has no default settings.
Command Mode
User EXEC mode
User Guidelines
Use the show ip sla operation operation command to display information about the given IP
SLAs operation.
Use the show ip sla operation command to display information about all IP SLAs
operations.
Example
The following example shows output from the show ip sla operation command:
switchxxxxxx> show ip sla operation
IP SLA Operational Number: 1
Type of operation: ICMP Echo
Target address: 149.101.22.10
Source Address: 125.0.0.1
Request size (ICMP data portion): 28
Operation frequency: 10 seconds (default)
Operation timeout: 2000 milliseconds (default)
Operation state: scheduled
Operation return code: OK
Operation Success counter: 100
Operation Failure counter: 12
ICMP Echo Request counter: 112
ICMP Echo Reply counter: 100
ICMP Error counter: 5
IP SLA Operational Number: 2
Type of operation: ICMP Echo
Target address: 1.1.1.1
Source address: 1.100.100.100 (default)
Request size (ICMP data portion): 28
Operation frequency: 50 seconds
Operation timeout: 1000 milliseconds
Operation state: scheduled
Operation return code: OK
Operation Success counter: 80
Operation Failure counter: 0
ICMP Echo Request counter: 80
ICMP Echo Reply counter: 80
ICMP Error counter: 0
IP SLA Operational Number: 3
Type of operation: ICMP Echo
Target address: 1.1.1.1
Source address: 1.100.100.100 (default)
Request size (ICMP data portion): 28
Operation frequency: 10 seconds (default)
Operation timeout: 2000 milliseconds (default)
Operation state: scheduled
Operation return code: Error
Operation Success counter: 50
Operation Failure counter: 30
ICMP Echo Request counter: 80
ICMP Echo Reply counter: 50
ICMP Error counter: 5
IP SLA Operational Number: 4
Type of operation: ICMP Echo
Target address: 149.101.22.10
Nexthop address: 14.11.122.1
Source Address: 14.11.122.102 (default)
Request size (ICMP data portion): 28
Operation frequency: 10 seconds (default)
Operation timeout: 2000 milliseconds (default)
Operation state: scheduled
Operation return code: OK
Operation Success counter: 50
Operation Failure counter: 8
ICMP Echo Request counter: 58
ICMP Echo Reply counter: 45
ICMP Error counter: 10
IP SLA Operational Number: 5
Type of operation: ICMP Network Echo
Target address: 149.101.22.10/24
Nexthop address: 14.11.122.1
Source Address: 14.11.122.102 (default)
Request size (ICMP data portion): 28
Operation frequency: 10 seconds (default)
Operation timeout: 2000 milliseconds (default)
Operation state: pended
Operation return code: Error
Operation Success counter: 0
Operation Failure counter: 10
ICMP Echo Request counter: 10
ICMP Echo Reply counter: 0
ICMP Error counter: 2
28.9 show track
To display information about all tracking objects or a specified tracking object, use the show
track command in User EXEC mode.
Syntax
show track [object]
Parameters
• object—Number of the tracking object for which the details will be displayed. The range is from 1 to 64.
Default Configuration
This command has no default settings.
Command Mode
User EXEC mode
User Guidelines
Use the show track object command to display information about the given IP SLAs object.
Use the show track command to display information about all IP SLAs objects.
Example
The following example shows information about all tracking objects:
switchxxxxxx> show track
Object  Object  Operation  Operation  Up Delay  Down Delay  Delay Interval
Number  State   Number     Type                             Remainder
------  ------  ---------  ---------  --------  ----------  --------------
61      UP      10         ICMP Echo
62      UP      10         ICMP Echo
63      UP      11         ICMP Echo
64      DOWN    11         ICMP Echo
[Up Delay, Down Delay and Delay Interval Remainder values, in extracted order with row alignment lost: 150, 120, 10, 120, 150, 2]
28.10 timeout (IP SLA)
To set the amount of time an IP Service Level Agreements (SLAs) operation waits for a
response to its request packet, use the timeout command in the appropriate submode of IP
SLA configuration mode. To restore the default configuration, use the no form of the
command.
Syntax
timeout milliseconds
no timeout
Parameters
• milliseconds—Length of time the operation waits to receive a response from its request packet, in milliseconds (ms). The range is from 50 milliseconds to 5000 milliseconds.
Default Configuration
The default is 2000 milliseconds.
Command Mode
IP SLA ICMP ECHO Configuration mode
User Guidelines
Use the timeout (IP SLA) command to set how long the operation waits to receive a response
from its request packet, and use the frequency (IP SLA) command to set the rate at which the
IP SLAs operation restarts.
It is recommended that the value of the milliseconds argument be based on the sum of both the
maximum round-trip time (RTT) value for the packets and the processing time of the IP SLAs
operation.
The following configuration guideline is required:
frequency > timeout
Note. The new timeout value configured by this command affects the current timeout
interval.
Example
In the following example, the timeout value for IP SLAs operation 10 is set to 2500 ms:
switchxxxxxx(config)# ip sla 10
switchxxxxxx(config-ip-sla)# icmp-echo 172.16.1.175
switchxxxxxx(config-ip-sla-icmp-echo)# timeout 2500
switchxxxxxx(config-ip-sla-icmp-echo)# exit
switchxxxxxx(config-ip-sla)# exit
switchxxxxxx(config)# ip sla schedule 10 life forever start-time now
28.11 track ip sla
To track the state of an IP Service Level Agreements (SLAs) operation and to enter tracking
configuration mode, use the track ip sla command in Global Configuration mode. To restore
the default configuration, use the no form of the command.
Syntax
track object ip sla operation state
no track object ip sla
Parameters
• object—Object number representing the tracking object. The range is from 1 to 64.
• operation—Number of the IP SLAs operation you are tracking. The range is from 1 to 64.
• state—Tracks the operation state.
Default Configuration
IP SLAs tracking is disabled.
Command Mode
Global Configuration mode
User Guidelines
Use this command to enable a tracking object. A tracking object that is already enabled
cannot be enabled again.
Each tracking object maintains an operation state. This state has one of the following values:
UP or DOWN. After object creation the state is set to UP. The following table specifies the
conversion of the IP SLAs operation to the object state:
Table 4: Object Operation State
Operation Return Code | Track Operation State
OK | UP
ERROR | DOWN
If the delay command has not configured a delay interval for state X then when the associated
IP SLAs operation changes the state of the tracking object to X from Y, the X state is
immediately passed to the associated applications.
See the delay command for the actions performed by the switch when the associated IP SLAs
operation changes the state of the tracking object to X from Y and the delay command has
configured a delay period for state X.
Note 1. If the IP SLAs operation specified by the argument is not configured or is pending,
then its state is OK.
Note 2. An application can be bound to a non-existing tracking object and the application will
receive the UP state.
Example
The following example shows how to configure the tracking process to track the state of IP
SLAs operation 2. State changes from UP to DOWN are delayed by 150 seconds:
switchxxxxxx(config)# track 1 ip sla 2 state
switchxxxxxx(config-track)# delay down 150
switchxxxxxx(config-track)# exit
switchxxxxxx(config)#
29 IP System Management Commands
29.1 ping
Use the ping EXEC mode command to send ICMP echo request packets to another node on
the network.
Syntax
ping [ip] {ipv4-address | hostname} [size packet_size] [count packet_count] [timeout
time_out] [source source-address]
ping ipv6 {ipv6-address | hostname} [size packet_size] [count packet_count] [timeout
time_out] [source source-address]
Parameters
• ip—Use IPv4 to check the network connectivity.
• ipv6—Use IPv6 to check the network connectivity.
• ipv4-address—IPv4 address to ping.
• ipv6-address—Unicast or Multicast IPv6 address to ping. When the IPv6 address is a
Link Local address (IPv6Z address), the outgoing interface name must be specified.
• hostname—Hostname to ping (Length: 1-158 characters. Maximum label size for each
part of the host name: 58.)
• size packet_size—Number of bytes in the packet not including the VLAN tag. The
default is 64 bytes. (IPv4: 64–1518, IPv6: 68–1518)
• count packet_count—Number of packets to send, from 1 to 65535 packets. The
default is 4 packets. If 0 is entered, it pings until stopped (0–65535).
• timeout time_out—Timeout in milliseconds to wait for each reply, from 50 to 65535
milliseconds. The default is 2000 milliseconds (50–65535).
• source source-address—Source address (Unicast IPv4 address or global Unicast IPv6
address).
Default Usage
N/A
Command Mode
Privileged EXEC mode
User Guidelines
Press Esc to stop pinging. Following are sample results of the ping command:
• Destination does not respond—If the host does not respond, a “no answer from host”
message appears within 10 seconds.
• Destination unreachable—The gateway for this destination indicates that the
destination is unreachable.
• Network or host unreachable—The switch found no corresponding entry in the route
table.
When using the ping ipv6 command to check network connectivity of a directly attached host
using its link local address, the egress interface may be specified in the IPv6Z format. If the
egress interface is not specified, the default interface is selected.
When using the ping ipv6 command with a Multicast address, the information displayed is
taken from all received echo responses.
When the source keyword is configured and the source address is not an address of the switch,
the command is halted with an error message and pings are not sent.
Examples
Example 1 - Ping an IP address.
switchxxxxxx> ping ip 10.1.1.1
Pinging 10.1.1.1 with 64 bytes of data:
64 bytes from 10.1.1.1: icmp_seq=0. time=11 ms
64 bytes from 10.1.1.1: icmp_seq=1. time=8 ms
64 bytes from 10.1.1.1: icmp_seq=2. time=8 ms
64 bytes from 10.1.1.1: icmp_seq=3. time=7 ms
----10.1.1.1 PING Statistics----
4 packets transmitted, 4 packets received, 0% packet loss
round-trip (ms) min/avg/max = 7/8/11
Example 2 - Ping a site.
switchxxxxxx> ping ip yahoo.com
Pinging yahoo.com [66.218.71.198] with 64 bytes of data:
64 bytes from 66.218.71.198: icmp_seq=0. time=11 ms
64 bytes from 66.218.71.198: icmp_seq=1. time=8 ms
64 bytes from 66.218.71.198: icmp_seq=2. time=8 ms
64 bytes from 66.218.71.198: icmp_seq=3. time=7 ms
----10.1.1.1 PING Statistics----
4 packets transmitted, 4 packets received, 0% packet loss
round-trip (ms) min/avg/max = 7/8/11
Example 3 - Ping an IPv6 address.
switchxxxxxx> ping ipv6 3003::11
Pinging 3003::11 with 64 bytes of data:
64 bytes from 3003::11: icmp_seq=1. time=0 ms
64 bytes from 3003::11: icmp_seq=2. time=50 ms
64 bytes from 3003::11: icmp_seq=3. time=0 ms
64 bytes from 3003::11: icmp_seq=4. time=0 ms
----3003::11 PING Statistics----
4 packets transmitted, 4 packets received, 0% packet loss
round-trip (ms) min/avg/max = 0/12/50
switchxxxxxx> ping ipv6 FF02::1
Pinging FF02::1 with 64 bytes of data:
64 bytes from FF02::1: icmp_seq=1. time=0 ms
64 bytes from FF02::1: icmp_seq=1. time=70 ms
64 bytes from FF02::1: icmp_seq=2. time=0 ms
64 bytes from FF02::1: icmp_seq=1. time=1050 ms
64 bytes from FF02::1: icmp_seq=2. time=70 ms
64 bytes from FF02::1: icmp_seq=2. time=1050 ms
64 bytes from FF02::1: icmp_seq=3. time=0 ms
64 bytes from FF02::1: icmp_seq=3. time=70 ms
64 bytes from FF02::1: icmp_seq=4. time=0 ms
64 bytes from FF02::1: icmp_seq=3. time=1050 ms
64 bytes from FF02::1: icmp_seq=4. time=70 ms
64 bytes from FF02::1: icmp_seq=4. time=1050 ms
---- FF02::1 PING Statistics----
4 packets transmitted, 12 packets received
29.2 ssh
To start an encrypted session with a remote networking device, use the ssh command in user
EXEC or privileged EXEC mode.
Syntax
ssh {ip-address | hostname} [port] [keyword...]
Parameters
• ip-address—Specifies the destination host IP address (IPv4 or IPv6).
• hostname—Hostname of the destination host (Length: 1-158 characters. Maximum label
size for each part of the host name: 58.)
• port—Specifies the decimal TCP port number. The default port is the SSH port (22).
• keyword—Specifies one or more of the keywords listed in the Keywords table in the User
Guidelines.
Keywords Table
Options | Description
/password password | Specifies the password to use when logging in on the remote networking device running the SSH server. If the keyword is not specified, the password configured by the ip ssh-client password command is used. If this keyword is specified, the /user keyword must be specified too.
/source-interface interface-id | Specifies the source interface whose minimal IPv4/IPv6 address is used as the source IPv4/IPv6 address. If the keyword is not specified, the source IPv4/IPv6 address configured by the ip ssh-client source-interface command is used.
/user user-name | Specifies the user name to use when logging in on the remote networking device running the SSH server. If the keyword is not specified, the user name configured by the ip ssh-client username command is used. If this keyword is specified, the /password keyword must be specified too.
Default Configuration
The default port is the SSH port (22) on the host.
Command Mode
Privileged EXEC mode
User Guidelines
The ssh command enables the switch to make a secure, encrypted connection to another
switch running an SSH server. This connection provides functionality that is similar to that of
a Telnet connection except that the connection is encrypted. With authentication and
encryption, the SSH client allows for a secure communication over an insecure network.
Only one SSH terminal connection can be active at the same time.
Examples
Example 1. The following example sets a secure session between the local device and the
edge device HQedge. The user name and password configured by the ip ssh-client username
and ip ssh-client password commands are used.
switchxxxxxx> ssh HQedge
Example 2. The following example sets a secure session between the local device and the
edge device 1.1.1.1. The user name is HQhost and the password is a password configured by
the ip ssh-client password command.
switchxxxxxx> ssh 1.1.1.1 /user HQhost
Example 3. The following example sets a secure session between the local device and the
edge device HQedge. The user name is HQhost and the password is ar3245ddd.
switchxxxxxx> ssh HQedge /user HQhost /password ar3245ddd
Example 4. The following example sets a loopback interface as a source interface:
switchxxxxxx> ssh HQedge /source-interface loopback1
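Example 3 places the password on the command line, so it ends up in any captured session or command log. The following added example (not part of the Cisco guide) parses ssh commands using the syntax and Keywords table above, reports the ones that carry an inline /password, and redacts the value before the log is stored. The sample session reuses the four commands shown above; the function names are chosen for this example.

```python
import re

# Keywords from the Keywords table; each one takes a single argument.
SSH_KEYWORDS = ("/password", "/user", "/source-interface")

# Optional CLI prompt ending in '>' or '#', then the ssh command itself.
SSH_CMD_RE = re.compile(r"^(?P<prompt>.*?[>#]\s*)?ssh\s+(?P<args>\S.*)$")


def parse_ssh_command(line):
    """Parse 'ssh {ip-address | hostname} [port] [keyword...]'.

    Returns a dict with host, port and options, or None when the line
    is not an ssh command.
    """
    m = SSH_CMD_RE.match(line.strip())
    if not m:
        return None
    tokens = m.group("args").split()
    parsed = {"host": tokens[0], "port": 22, "options": {}}
    i = 1
    # The optional port is a bare decimal number right after the host.
    if i < len(tokens) and tokens[i].isdigit():
        parsed["port"] = int(tokens[i])
        i += 1
    while i < len(tokens):
        if tokens[i] in SSH_KEYWORDS and i + 1 < len(tokens):
            parsed["options"][tokens[i]] = tokens[i + 1]
            i += 2
        else:
            i += 1  # unknown or incomplete keyword: skip it
    return parsed


def redact(line):
    """Replace the argument of /password with a fixed marker."""
    return re.sub(r"(/password\s+)\S+", r"\1<redacted>", line)


def audit_session(lines):
    """Return (findings, cleaned_lines) for a captured CLI session.

    findings holds (line number, host, user) for every ssh command that
    carried an inline password; cleaned_lines is safe to store.
    """
    findings, cleaned = [], []
    for number, line in enumerate(lines, start=1):
        cmd = parse_ssh_command(line)
        if cmd and "/password" in cmd["options"]:
            findings.append((number, cmd["host"], cmd["options"].get("/user")))
            line = redact(line)
        cleaned.append(line)
    return findings, cleaned


# The four example commands from this section, used as a sample session.
SAMPLE_SESSION = [
    "switchxxxxxx> ssh HQedge",
    "switchxxxxxx> ssh 1.1.1.1 /user HQhost",
    "switchxxxxxx> ssh HQedge /user HQhost /password ar3245ddd",
    "switchxxxxxx> ssh HQedge /source-interface loopback1",
]

if __name__ == "__main__":
    found, safe = audit_session(SAMPLE_SESSION)
    for number, host, user in found:
        print(f"line {number}: inline password for user {user} on {host}")
    print("\n".join(safe))
```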
29.3 telnet
The telnet EXEC mode command logs on to a host that supports Telnet.
Syntax
telnet {ip-address | hostname} [port] [keyword...]
Parameters
• ip-address—Specifies the destination host IP address (IPv4 or IPv6).
• hostname—Hostname of the destination host (Length: 1-158 characters. Maximum label
size for each part of the host name: 58.)
• port—Specifies the decimal TCP port number or one of the keywords listed in the
Ports table in the User Guidelines.
• keyword—Specifies one or more of the keywords listed in the Keywords table in the User
Guidelines.
Default Configuration
The default port is the Telnet port (23) on the host.
Command Mode
Privileged EXEC mode
User Guidelines
Telnet software supports special Telnet commands in the form of Telnet sequences that map
generic terminal control functions to operating system-specific functions. To enter a Telnet
sequence, press the escape sequence keys (Ctrl-shift-6) followed by a Telnet command
character.
Special Telnet Sequences
Telnet Sequence | Purpose
Ctrl-shift-6-b | Break
Ctrl-shift-6-c | Interrupt Process (IP)
Ctrl-shift-6-h | Erase Character (EC)
Ctrl-shift-6-o | Abort Output (AO)
Ctrl-shift-6-t | Are You There? (AYT)
Ctrl-shift-6-u | Erase Line (EL)
At any time during an active Telnet session, available Telnet commands can be listed by
pressing the ?/help keys at the system prompt.
A sample of this list follows.
switchxxxxxx> ?/help
[Special telnet escape help]
^^ B sends telnet BREAK
^^ C sends telnet IP
^^ H sends telnet EC
^^ O sends telnet AO
^^ T sends telnet AYT
^^ U sends telnet EL
?/help suspends the session (return to system command prompt)
Several concurrent Telnet sessions can be opened, enabling switching between the sessions. To
open a subsequent session, the current connection has to be suspended by pressing the escape
sequence keys (Ctrl-shift-6) and x to return to the system command prompt. Then open a new
connection with the telnet EXEC mode command.
This command lists concurrent Telnet connections to remote hosts that were opened by the
current Telnet session to the local device. It does not list Telnet connections to remote hosts
that were opened by other Telnet sessions.
Keywords Table
Options | Description
/echo | Enables local echo.
/quiet | Prevents onscreen display of all messages from the software.
/source-interface | Specifies the source interface.
/stream | Turns on stream processing, which enables a raw TCP stream with no Telnet control sequences. A stream connection does not process Telnet options and can be appropriate for connections to ports running UNIX-to-UNIX Copy Program (UUCP) and other non-Telnet protocols.
Ctrl-shift-6 x | Returns to the System Command Prompt.
Ports Table
Keyword | Description | Port Number
BGP | Border Gateway Protocol | 179
chargen | Character generator | 19
cmd | Remote commands | 514
daytime | Daytime | 13
discard | Discard | 9
domain | Domain Name Service | 53
echo | Echo | 7
exec | Exec | 512
finger | Finger | 79
ftp | File Transfer Protocol | 21
ftp-data | FTP data connections | 20
gopher | Gopher | 70
hostname | NIC hostname server | 101
ident | Ident Protocol | 113
irc | Internet Relay Chat | 194
klogin | Kerberos login | 543
kshell | Kerberos shell | 544
login | Login | 513
lpd | Printer service | 515
nntp | Network News Transport Protocol | 119
pim-auto-rp | PIM Auto-RP | 496
pop2 | Post Office Protocol v2 | 109
pop3 | Post Office Protocol v3 | 110
smtp | Simple Mail Transport Protocol | 25
sunrpc | Sun Remote Procedure Call | 111
syslog | Syslog | 514
tacacs | TAC Access Control System | 49
talk | Talk | 517
telnet | Telnet | 23
time | Time | 37
uucp | Unix-to-Unix Copy Program | 540
whois | Nickname | 43
www | World Wide Web | 80
Example
The following example displays logging in to IP address 176.213.10.50 via Telnet.
switchxxxxxx> telnet 176.213.10.50
29.4 traceroute
To display the routes that packets will take when traveling to their destination, use the
traceroute EXEC mode command.
Syntax
traceroute ip {ipv4-address | hostname} [size packet_size] [ttl max-ttl] [count packet_count]
[timeout time_out] [source ip-address]
traceroute ipv6 {ipv6-address | hostname} [size packet_size] [ttl max-ttl] [count
packet_count] [timeout time_out] [source ip-address]
Parameters
• ip—Use IPv4 to discover the route.
• ipv6—Use IPv6 to discover the route.
• ipv4-address—IPv4 address of the destination host.
• ipv6-address—IPv6 address of the destination host.
• hostname—Hostname of the destination host (Length: 1-158 characters. Maximum label
size for each part of the host name: 58.)
• size packet_size—Number of bytes in the packet not including the VLAN tag. The
default is 64 bytes. (IPv4: 64-1518, IPv6: 68-1518)
• ttl max-ttl—The largest TTL value that can be used. The default is 30. The traceroute
command terminates when the destination is reached or when this value is reached.
(Range: 1–255)
• count packet_count—The number of probes to be sent at each TTL level. The default
count is 3. (Range: 1–10)
• timeout time_out—The number of seconds to wait for a response to a probe packet.
The default is 3 seconds. (Range: 1–60)
• source ip-address—One of the interface addresses of the device to use as a source
address for the probes. The device selects the optimal source address by default.
(Range: Valid IP address)
Default Usage
N/A
Command Mode
Privileged EXEC mode
User Guidelines
The traceroute command works by taking advantage of the error messages generated by
routers when a datagram exceeds its time-to-live (TTL) value.
The traceroute command starts by sending probe datagrams with a TTL value of one. This
causes the first router to discard the probe datagram and send back an error message. The
traceroute command sends several probes at each TTL level and displays the round-trip time
for each.
The traceroute command sends out one probe at a time. Each outgoing packet can result in
one or two error messages. A "time exceeded" error message indicates that an intermediate
router has seen and discarded the probe. A "destination unreachable" error message indicates
that the destination node has received the probe and discarded it because it could not deliver
the packet. If the timer goes off before a response comes in, the traceroute command prints an
asterisk (*).
The traceroute command terminates when the destination responds, when the maximum TTL
is exceeded, or when the user interrupts the trace with Esc.
The traceroute ipv6 command is not relevant to IPv6 link local addresses.
Example
switchxxxxxx> traceroute ip umaxp1.physics.lsa.umich.edu
Type Esc to abort.
Tracing the route to umaxp1.physics.lsa.umich.edu (141.211.101.64)
1 i2-gateway.stanford.edu (192.68.191.83) 0 msec 0 msec 0 msec
2 STAN.POS.calren2.NET (171.64.1.213) 0 msec 0 msec 0 msec
3 SUNV--STAN.POS.calren2.net (198.32.249.73) 1 msec 1 msec 1 msec
4 Abilene--QSV.POS.calren2.net (198.32.249.162) 1 msec 1 msec 1 msec
5 kscyng-snvang.abilene.ucaid.edu (198.32.8.103) 33 msec 35 msec 35 msec
6 iplsng-kscyng.abilene.ucaid.edu (198.32.8.80) 47 msec 45 msec 45 msec
7 so-0-2-0x1.aa1.mich.net (192.122.183.9) 56 msec 53 msec 54 msec
8 atm1-0x24.michnet8.mich.net (198.108.23.82) 56 msec 56 msec 57 msec
9 * * *
10 A-ARB3-LSA-NG.c-SEB.umnet.umich.edu (141.211.5.22) 58 msec 58 msec 58 msec
11 umaxp1.physics.lsa.umich.edu (141.211.101.64) 62 msec 63 msec 63 msec
Trace completed
The following table describes the significant fields shown in the display:
Field | Description
1 | Indicates the sequence number of the router in the path to the host.
i2-gateway.stanford.edu | Host name of this router.
192.68.191.83 | IP address of this router.
1 msec 1 msec 1 msec | Round-trip time for each of the probes that are sent.
The following are characters that can appear in the traceroute command output:
Field | Description
* | The probe timed out.
? | Unknown packet type.
A | Administratively unreachable. Usually, this output indicates that an access list is blocking traffic.
F | Fragmentation required and DF is set.
H | Host unreachable.
N | Network unreachable.
P | Protocol unreachable.
Q | Source quench.
R | Fragment reassembly time exceeded.
S | Source route failed.
U | Port unreachable.
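The character table above can be applied mechanically to captured traceroute output. The following added example (not part of the Cisco guide) parses hop lines and reports every hop where a probe timed out or returned one of the listed codes, which is a quick way to locate the hop where an access list starts dropping traffic. The capture is constructed, and the example assumes that a code character appears in place of a probe's round-trip time; confirm that layout against output from the device.

```python
import re

# Annotation characters from the table above.
CODES = {
    "*": "probe timed out",
    "?": "unknown packet type",
    "A": "administratively unreachable (usually an access list)",
    "F": "fragmentation required and DF is set",
    "H": "host unreachable",
    "N": "network unreachable",
    "P": "protocol unreachable",
    "Q": "source quench",
    "R": "fragment reassembly time exceeded",
    "S": "source route failed",
    "U": "port unreachable",
}

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S.*)$")             # "<hop> <rest>"
HOST_RE = re.compile(r"^(\S+)\s*\(([^)]+)\)\s*(.*)$")   # "name (address) <probes>"
CONT_RE = re.compile(r"^\s*\d+\s*msec\b")               # wrapped probe results


def parse_probes(text):
    """Split probe results into round-trip times (msec) and code characters."""
    rtts, codes = [], []
    for tok in text.split():
        m = re.fullmatch(r"(\d+)(?:msec)?", tok)
        if m:
            rtts.append(int(m.group(1)))
        elif tok in CODES:
            codes.append(tok)
    return rtts, codes


def parse_traceroute(text):
    """Return one dict per hop: hop, host, ip, rtts, codes."""
    hops = []
    for line in text.splitlines():
        # A line that starts with "<n> msec" continues the previous hop.
        if hops and CONT_RE.match(line):
            rtts, codes = parse_probes(line)
            hops[-1]["rtts"] += rtts
            hops[-1]["codes"] += codes
            continue
        m = HOP_RE.match(line)
        if not m:
            continue  # banner lines such as "Type Esc to abort."
        rest = m.group(2)
        host = ip = None
        h = HOST_RE.match(rest)
        if h:
            host, ip, rest = h.group(1), h.group(2), h.group(3)
        rtts, codes = parse_probes(rest)
        hops.append({"hop": int(m.group(1)), "host": host, "ip": ip,
                     "rtts": rtts, "codes": codes})
    return hops


def flag_hops(hops):
    """Return (hop, code, meaning) for each distinct code seen at a hop."""
    findings = []
    for h in hops:
        for code in sorted(set(h["codes"])):
            findings.append((h["hop"], code, CODES[code]))
    return findings


# Constructed capture using documentation addresses; hop 1 is line-wrapped.
SAMPLE = """\
Type Esc to abort.
Tracing the route to 192.0.2.50
 1 gw.example.net (198.51.100.1)
0 msec 0 msec 0 msec
 2 core.example.net (198.51.100.9) 1 msec * 1 msec
 3 * * *
 4 edge.example.net (203.0.113.7) A A A
"""

if __name__ == "__main__":
    for hop, code, meaning in flag_hops(parse_traceroute(SAMPLE)):
        print(f"hop {hop}: {code} = {meaning}")
```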
30 IPv4 IPM Router Commands
30.1 ip multicast-routing
To enable IPv4 Multicast routing on all IP-enabled interfaces of the router and to enable
Multicast forwarding, use the ip multicast-routing command in global configuration mode.
To stop Multicast routing and forwarding, use the no form of this command.
Syntax
ip multicast-routing igmp-proxy
no ip multicast-routing
Parameters
• igmp-proxy—Enable Multicast routing using IGMP Proxy.
Default Configuration
Multicast routing is not enabled.
Command Mode
Global Configuration mode
User Guidelines
Use the ip multicast-routing command with a parameter to specify the needed IP Multicast
Routing Protocol.
To forward IPv4 Multicast packets on an interface, IPv4 Multicast forwarding must be enabled
globally and an IPMv4 Routing protocol must be enabled on the interface.
Example
The following example enables IP Multicast routing using IGMP Proxy:
switchxxxxxx(config)# ip multicast-routing igmp-proxy
30.2 ip multicast ttl-threshold
To configure the time-to-live (TTL) threshold of packets being forwarded out an interface, use
the ip multicast ttl-threshold command in Interface Configuration mode. To return to the
default TTL threshold, use the no form of this command.
Syntax
ip multicast ttl-threshold ttl-value
no ip multicast ttl-threshold
Parameters
• ttl-value—Time-to-live value, in hops. It can be a value from 0 to 256.
Default Configuration
The default TTL value is 0.
Command Mode
Interface Configuration mode
User Guidelines
Multicast packets with a TTL value less than the threshold will not be forwarded on the
interface.
The default value of 0 means all Multicast packets are forwarded on the interface.
A value of 256 means that no Multicast packets are forwarded on the interface.
You should configure the TTL threshold only on border routers. Conversely, routers on which
you configure a TTL threshold value automatically become border routers.
Example
The following example sets the TTL threshold on a border router to 200:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ip multicast ttl-threshold 200
switchxxxxxx(config-if)# exit
30.3 show ip mroute
To display the contents of the Multicast routing (mroute) table, use the show ip mroute
command in user EXEC or privileged EXEC mode.
Syntax
show ip mroute [group-address [source-address]] [summary]
Parameters
• group-address—Destination Multicast IP address.
• source-address—Source IP address.
• summary—Filters the output to display a one-line, abbreviated summary of each entry
in the mroute table.
Command Mode
User EXEC mode
Privileged EXEC mode
User Guidelines
Use the show ip mroute command to display information about Mroute entries in the mroute
table. The switch populates the Multicast routing table by creating (S, G) entries from (*, G)
entries. The asterisk (*) refers to all source addresses, the “S” refers to a single source address,
and the “G” is the destination Multicast group address. In creating (S, G) entries, the switch
uses the best path to that destination group found in the Unicast routing table (that is, through
Reverse Path Forwarding [RPF]).
Examples
Description of Significant fields in the examples below
Timers:Uptime/Expires—“Uptime” indicates per interface how long (in hours, minutes, and
seconds) the entry has been in the IP Multicast routing table. “Expires” indicates per interface
how long (in hours, minutes, and seconds) until the entry will be removed from the IP
Multicast routing table.
(*, 224.0.255.1) and (192.168.37.100/32, 224.0.255.1)—Entry in the IP Multicast routing
table. The entry consists of the IP address of the source router followed by the IP address of
the Multicast group. An asterisk (*) in place of the source router indicates all sources.
Entries in the first format are referred to as (*, G) or “star comma G” entries. Entries in the
second format are referred to as (S, G) or “S comma G” entries. (*, G) entries are used to build
(S, G) entries.
Incoming interface: —Expected interface for a Multicast packet from the source. If the
packet is not received on this interface, it is discarded.
Outgoing Interface List (OIF):—Interfaces through which packets will be forwarded.
Example 1. The following is sample output from the show ip mroute command with the
summary keyword:
switchxxxxxx# show ip mroute summary
Timers: Uptime/Expires
IP Multicast Routing Table
(172.16.160.67/32, 224.2.127.254), 00:02:46/00:00:12, OIF count:2
(172.16.244.217/32, 224.2.127.254), 00:02:15/00:00:40, OIF count:
(172.16.8.33/32, 224.2.127.254), 00:00:25/00:02:32, OIF count:2
(172.16.2.62/32, 224.2.127.254), 00:00:51/00:02:03, OIF count:2
(172.16.8.3/32, 224.2.127.254), 00:00:26/00:02:33, OIF count:2
(172.16.60.189/32, 224.2.127.254), 00:03:47/00:00:46, OIF count:2
Example 2. The following is sample output from the show ip mroute command:
switchxxxxxx# show ip mroute
Timers: Uptime/Expires
IP Multicast Routing Table
(*, 224.0.255.3), 5:29:15/00:03:01
Incoming interface: vlan2
Outgoing interface list:
vlan100, 5:29:15/0:02:57
(192.168.46.0/24, 224.0.255.3), 05:29:15/00:02:59
Incoming interface: vlan2
Outgoing interface list:
vlan5, 05:29:15/00:02:57
30.4 show ip multicast
To display general information about IP Multicast configuration, use the show ip multicast
command in user EXEC or privileged EXEC mode.
Syntax
show ip multicast [interface interface-id]
Parameters
• interface—Displays IP Multicast-related information about an interface configured
for IP Multicast.
• interface-id—Interface identifier for which to display IP Multicast information.
Command Mode
User EXEC mode
Privileged EXEC mode
User Guidelines
Use the show ip multicast command without the interface keyword to display general
information about the state of IP Multicast on the router.
Use the show ip multicast command with the interface keyword to display the IP Multicast
information about the specified interface.
Examples
Example 1. The following is sample output from the show ip multicast command without the
interface keyword when no IP Multicast Routing protocol is enabled:
switchxxxxxx# show ip multicast
IP Unicast Forwarding: enabled
IP Multicast Protocol: No
Example 2. The following is sample output from the show ip multicast command without the
interface keyword when IGMP Proxy is enabled:
switchxxxxxx# show ip multicast
IP Unicast Forwarding: enabled
IP Multicast Protocol: IGMP Proxy
Example 3. The following is sample output from the show ip multicast command about the
given interface. IGMP Proxy is enabled on the interface and the interface is an IGMP Proxy
Upstream interface:
switchxxxxxx# show ip multicast interface vlan 200
IP Unicast Forwarding: enabled
IP Multicast Protocol: IGMP Proxy
vlan 200
TTL-threshold: 0
IGMP Protocol: IGMPv3
IGMP Proxy: Upstream
Example 4. The following is sample output from the show ip multicast command about the
given interface. IGMP Proxy is enabled on the interface and the interface is an IGMP Proxy
Downlink interface:
switchxxxxxx# show ip multicast interface vlan 100
IP Unicast Forwarding: enabled
IP Multicast Protocol: IGMP Proxy
vlan 200
TTL-threshold: 0
IGMP Protocol: IGMPv3
IGMP Proxy: DownStream (Upstream: vlan 200)
Example 5. The following is sample output from the show ip multicast command about the
given interface. IGMP Proxy is disabled on the interface:
switchxxxxxx# show ip multicast interface vlan 100
IP Unicast Forwarding: enabled
IP Multicast Protocol: IGMP Proxy
vlan 200
IP Status: enabled
hop-threshold: 100
IGMP Protocol: IGMPv3
IGMP Proxy: disabled
31 IPv6 Commands
31.1 clear ipv6 neighbors
Use the clear ipv6 neighbors command in privileged EXEC mode to delete all entries in the
IPv6 neighbor discovery cache, except static entries.
Syntax
clear ipv6 neighbors
Parameters
N/A
Command Mode
Privileged EXEC mode
User Guidelines
Example
The following example deletes all entries, except static entries, in the neighbor discovery
cache:
switchxxxxxx# clear ipv6 neighbors
31.2 ipv6 address
Use the ipv6 address command in Interface Configuration mode to configure a global unicast
IPv6 address based on an IPv6 general prefix and enable IPv6 processing on an interface. To
remove the address from the interface, use the no form of this command.
Syntax
ipv6 address ipv6-address/prefix-length
no ipv6 address [ipv6-address/prefix-length]
Parameters
• ipv6-address—Specifies the global unicast IPv6 address assigned to the interface. This
argument must be in the form documented in RFC4293 where the address is specified
in hexadecimal using 16-bit values between colons.
• prefix-length—The length of the IPv6 prefix. A decimal value that indicates how many
of the high-order contiguous bits of the address comprise the prefix (the network
portion of the address). A slash mark must precede the decimal value.
Default Configuration
No IP address is defined for the interface.
Command Mode
Interface Configuration mode
User Guidelines
The ipv6 address command cannot be applied to define an IPv6 address on an ISATAP
interface.
Using the no ipv6 address command without arguments removes all manually-configured
IPv6 addresses from an interface, including manually-configured link local addresses.
Example
The following example defines the IPv6 global address 2001:DB8:2222:7272::72 on vlan 100:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ipv6 address 2001:DB8:2222:7272::72/64
switchxxxxxx(config-if)# exit
31.3 ipv6 address anycast
Use the ipv6 address anycast command in Interface Configuration mode to configure a global
unicast IPv6 Anycast address and enable IPv6 processing on an interface. To remove the
address from the interface, use the no form of this command.
Syntax
ipv6 address ipv6-prefix/prefix-length anycast
no ipv6 address [ipv6-prefix/prefix-length]
Parameters
• ipv6-address—Specifies the global unicast IPv6 address assigned to the interface. This
argument must be in the form documented in RFC4293 where the address is specified
in hexadecimal using 16-bit values between colons.
• prefix-length—The length of the IPv6 prefix. A decimal value that indicates how many
of the high-order contiguous bits of the address comprise the prefix (the network
portion of the address). A slash mark must precede the decimal value.
Default Configuration
No IP address is defined for the interface.
Command Mode
Interface Configuration mode
User Guidelines
An Anycast address is an address that is assigned to a set of interfaces that typically belong to
different nodes. A packet sent to an Anycast address is delivered to the closest interface—as
defined by the routing protocols in use—identified by the Anycast address. Anycast addresses
are syntactically indistinguishable from Unicast addresses because Anycast addresses are
allocated from the Unicast address space. Nodes to which the Anycast address is assigned
must be explicitly configured to recognize that the address is an Anycast address.
Anycast addresses can be used only by a router, not a host, and Anycast addresses must not be
used as the source address of an IPv6 packet.
The subnet router Anycast address has a prefix concatenated by a series of zeros (the interface
ID). The subnet router Anycast address can be used to reach a router on the link that is
identified by the prefix in the subnet router Anycast address.
The ipv6 address anycast command cannot be applied to define an IPv6 address on an
ISATAP interface.
Using the no form of the ipv6 address command without arguments removes all
manually-configured IPv6 addresses from an interface, including link local
manually-configured addresses.
Example
The following example enables IPv6 processing on the interface, assigns the prefix
2001:0DB8:1:1::/64 to the interface, and configures the IPv6 Anycast address
2001:0DB8:1:1:FFFF:FFFF:FFFF:FFFE:
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ipv6 address 2001:0DB8:1:1:FFFF:FFFF:FFFF:FFFE/64 anycast
switchxxxxxx(config-if)# exit
31.4 ipv6 address autoconfig
Use the ipv6 address autoconfig command in Interface Configuration mode to enable
automatic configuration of IPv6 addresses using stateless auto configuration on an interface
and enable IPv6 processing on the interface. Addresses are configured depending on the
prefixes received in Router Advertisement messages. To disable automatic configuration of
IPv6 addresses and to remove the automatically configured address from the interface, use the
no form of this command.
Syntax
ipv6 address autoconfig
no ipv6 address autoconfig
Parameters
N/A.
Default Configuration
Stateless Auto configuration is enabled.
Command Mode
Interface Configuration mode
User Guidelines
This command enables IPv6 on an interface (if it was disabled) and causes the switch to
perform IPv6 stateless address auto-configuration to discover prefixes on the link and then to
add the eui-64 based addresses to the interface.
Stateless auto configuration is applied only when IPv6 Forwarding is disabled.
When IPv6 forwarding is changed from disabled to enabled and stateless auto configuration is
enabled, the switch stops stateless auto configuration and removes all stateless auto configured
IPv6 addresses from all interfaces.
When IPv6 forwarding is changed from enabled to disabled and stateless auto configuration is
enabled, the switch resumes stateless auto configuration.
Additionally, the ipv6 address autoconfig command enables the DHCPv6 Stateless client on the
interface to receive DHCP stateless information. This information is received from a
DHCPv6 server regardless of whether IPv6 Forwarding is enabled.
Example
The following example assigns the IPv6 address automatically:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ipv6 address autoconfig
switchxxxxxx(config-if)# exit
31.5 ipv6 address eui-64
Use the ipv6 address eui-64 command in Interface Configuration mode to configure a global
unicast IPv6 address for an interface and enable IPv6 processing on the interface using an
EUI-64 interface ID in the low order 64 bits of the address. To remove the address from the
interface, use the no form of this command.
Syntax
ipv6 address ipv6-prefix/prefix-length eui-64
no ipv6 address [ipv6-prefix/prefix-length eui-64]
Parameters
•
ipv6-prefix—Specifies the global unicast IPv6 address assigned to the interface. This
argument must be in the form documented in RFC4293 where the address is specified
in hexadecimal using 16-bit values between colons.
•
prefix-length—The length of the IPv6 prefix. A decimal value that indicates how many
of the high-order contiguous bits of the address comprise the prefix (the network
portion of the address). A slash mark must precede the decimal value.
Default Configuration
No IP address is defined for the interface.
Command Mode
Interface Configuration mode
User Guidelines
If the value specified for the prefix-length argument is greater than 64 bits, the prefix bits have
precedence over the interface ID.
The IPv6 address is built from ipv6-prefix and the EUI-64 Interface ID as follows:
•
The first prefix-length bits are taken from ipv6-prefix.
•
If prefix-length < 64 then
-
The following (64-prefix-length) bits are filled by 0s.
-
The last 64 bits are taken from the EUI-64 Interface ID.
•
If prefix-length equals 64 then the following 64 bits are taken from the EUI-64
Interface ID.
•
If prefix-length > 64 then the following (128-prefix-length) bits are taken from the last
(64-(prefix-length -64)) bits of the EUI-64 Interface ID.
If the switch detects another host using one of its IPv6 addresses, it adds the IPv6 address and
displays an error message on the console.
Using the no form of the ipv6 address command without arguments removes all
manually-configured IPv6 addresses from an interface, including link local
manually-configured addresses.
Example
The following example enables IPv6 processing on VLAN 1, configures IPv6 global address
2001:0DB8:0:1::/64 and specifies an EUI-64 interface ID in the low order 64 bits of the
address:
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ipv6 address 2001:0DB8:0:1::/64 eui-64
switchxxxxxx(config-if)# exit
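The three prefix-length cases in the User Guidelines for ipv6 address eui-64, worked through in Python. This is an added example, not code from the Cisco guide or the switch firmware. It assumes the interface ID is the modified EUI-64 of RFC 4291 derived from a 48-bit MAC, and the MAC used in the test values is a constructed sample; the function names are hypothetical.

```python
import ipaddress
from typing import Optional


def eui64_from_mac(mac: str) -> int:
    """Modified EUI-64 interface ID (RFC 4291, Appendix A) from a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert FF:FE between the two MAC halves.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")


def build_eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine ipv6-prefix/prefix-length with the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    plen = net.prefixlen
    # The first prefix-length bits come from ipv6-prefix; the rest are zeroed.
    prefix_bits = int(net.network_address)
    iid = eui64_from_mac(mac)
    if plen <= 64:
        # < 64: (64 - prefix-length) zero bits, then the whole interface ID.
        # = 64: the whole interface ID follows the prefix directly.
        host_bits = iid
    else:
        # > 64: the prefix wins; only the last (128 - prefix-length) bits
        # of the interface ID are used.
        host_bits = iid & ((1 << (128 - plen)) - 1)
    return ipaddress.IPv6Address(prefix_bits | host_bits)


def mac_from_address(address: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 based address, or None if not EUI-64.

    Shows why EUI-64 addressing exposes the hardware address to every peer.
    """
    iid = int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)
    raw = iid.to_bytes(8, "big")
    if raw[3:5] != b"\xff\xfe":
        return None
    mac = bytes([raw[0] ^ 0x02]) + raw[1:3] + raw[5:]
    return ":".join(f"{octet:02x}" for octet in mac)


if __name__ == "__main__":
    sample_mac = "00:60:3e:11:67:70"  # constructed sample MAC
    for pfx in ("2001:0DB8:0:1::/64", "2001:0DB8::/48", "2001:0DB8:0:1:AAAA::/80"):
        print(pfx, "->", build_eui64_address(pfx, sample_mac))
```

With a prefix longer than 64 bits the leading bits of the interface ID are overwritten, so two interfaces whose MACs differ only in those bits would produce the same address.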
31.6 ipv6 address link-local
Use the ipv6 address link-local command in Interface Configuration mode to configure an
IPv6 link local address for an interface and enable IPv6 processing on the interface. To remove
the manually configured link local address from the interface, use the no form of this
command.
Syntax
ipv6 address ipv6-prefix link-local
no ipv6 address [link-local]
Parameters
•
ipv6-address—Specifies the IPv6 network assigned to the interface. This argument
must be in the form documented in RFC4293 where the address is specified in
hexadecimal using 16-bit values between colons.
Default Configuration
The default Link-local address is defined.
Command Mode
Interface Configuration mode
User Guidelines
The switch automatically generates a link local address for an interface when IPv6 processing
is enabled on the interface, typically when an IPv6 address is configured on the interface. To
manually specify a link local address to be used by an interface, use the ipv6 address
link-local command.
The ipv6 address link-local command cannot be applied to define an IPv6 address on an
ISATAP interface.
Using the no form of the ipv6 address command without arguments removes all
manually-configured IPv6 addresses from an interface, including link local
manually-configured addresses.
Example
The following example enables IPv6 processing on VLAN 1 and configures
FE80::260:3EFF:FE11:6770 as the link local address for VLAN 1:
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ipv6 address FE80::260:3EFF:FE11:6770 link-local
switchxxxxxx(config-if)# exit
31.7 ipv6 default-gateway
Use the ipv6 default-gateway Global Configuration mode command to define an IPv6 default
gateway. To remove the IPv6 default gateway, use the no form of this command.
Syntax
ipv6 default-gateway {ipv6-address [outgoing-interface-id]} | interface-id
no ipv6 default-gateway [{ipv6-address [outgoing-interface-id]} | interface-id]
Parameters
•
ipv6-address—Specifies the IPv6 address of an IPv6 router that can be used to reach a
network.
•
outgoing-interface-id—Outgoing Interface identifier.
•
interface-id—Specifies the Interface Identifier of the outgoing interface that can be
used to reach a network. This argument can be applied only to point-to-point interfaces
(manual IPv6 over IPv4 tunnels).
Default Configuration
No default gateway is defined.
Command Mode
Global Configuration mode
User Guidelines
The command is an alias of the ipv6 route command with the predefined (default) route:
ipv6 route ::/0 ipv6-address | interface-id
See the definition of the ipv6 route command for details.
Examples
Example 1. The following example defines a default gateway with a global IPv6 address:
switchxxxxxx(config)# ipv6 default-gateway 5::5
Example 2. The following example defines a default gateway with a link-local IPv6 address:
switchxxxxxx(config)# ipv6 default-gateway FE80::260:3EFF:FE11:6770%vlan1
Example 3. The following example defines a default gateway on manual tunnel 1:
switchxxxxxx(config)# ipv6 default-gateway tunnel1
31.8 ipv6 enable
Use the ipv6 enable command in Interface Configuration mode to enable IPv6 processing on
an interface.
To disable IPv6 processing on an interface that has not been configured with an explicit IPv6
address, use the no form of this command.
Syntax
ipv6 enable
no ipv6 enable
Parameters
N/A.
Default Configuration
IPv6 interface is disabled.
Command Mode
Interface Configuration mode
User Guidelines
This command automatically configures an IPv6 link-local Unicast address on the interface
while also enabling the interface for IPv6 processing. The no ipv6 enable command does not
disable IPv6 processing on an interface that is configured with an explicit IPv6 address.
Example
The following example enables VLAN 1 for the IPv6 addressing mode.
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ipv6 enable
switchxxxxxx(config-if)# exit
31.9 ipv6 hop-limit
Use the ipv6 hop-limit command in Global Configuration mode to configure the maximum
number of hops used in all IPv6 packets that are originated by the router.
To return the hop limit to its default value, use the no form of this command.
Syntax
ipv6 hop-limit value
no ipv6 hop-limit
Parameters
•
value—Maximum number of hops. The acceptable range is from 1 to 255.
Default Configuration
The default is 64 hops.
Command Mode
Global Configuration mode
Example
The following example configures a maximum number of 15 hops for all IPv6 packets that are
originated from the router:
switchxxxxxx(config)# ipv6 hop-limit 15
31.10 ipv6 icmp error-interval
Use the ipv6 icmp error-interval command in Global Configuration mode to configure the
interval and bucket size for IPv6 ICMP error messages. To return the interval to its default
setting, use the no form of this command.
Syntax
ipv6 icmp error-interval milliseconds [bucketsize]
no ipv6 icmp error-interval
Parameters
•
milliseconds—Time interval between tokens being placed in the bucket. Each token
represents a single ICMP error message. The acceptable range is from 0 to
2147483647. A value of 0 disables ICMP rate limiting.
•
bucketsize—Maximum number of tokens stored in the bucket. The acceptable range is
from 1 to 200.
Default Configuration
The default interval is 100ms and the default bucketsize is 10 i.e. 100 ICMP error messages
per second.
Command Mode
Global Configuration mode
User Guidelines
Use this command to limit the rate at which IPv6 ICMP error messages are sent. A token
bucket algorithm is used with one token representing one IPv6 ICMP error message. Tokens
are placed in the virtual bucket at a specified interval until the maximum number of tokens
allowed in the bucket is reached.
The milliseconds argument specifies the time interval between tokens arriving in the bucket.
The optional bucketsize argument is used to define the maximum number of tokens allowed in
the bucket. Tokens are removed from the bucket when IPv6 ICMP error messages are sent,
which means that if the bucketsize is set to 20, a rapid succession of 20 IPv6 ICMP error
messages can be sent. When the bucket is empty of tokens, IPv6 ICMP error messages are not
sent until a new token is placed in the bucket.
Average Packets Per Second = (1000 / milliseconds) * bucketsize.
To disable ICMP rate limiting, set the milliseconds argument to zero.
Example
The following example shows an interval of 50 milliseconds and a bucket size of 20 tokens
being configured for IPv6 ICMP error messages:
switchxxxxxx(config)# ipv6 icmp error-interval 50 20
31.11 ipv6 link-local default zone
Use the ipv6 link-local default zone command to configure an interface to egress a link local
packet without a specified interface or with the default zone 0.
Use the no form of this command to return the default link local interface to the default value.
Syntax
ipv6 link-local default zone interface-id
no ipv6 link-local default zone
Parameters
•
interface-id—Specifies the interface that is used as the egress interface for packets sent
without a specified IPv6Z interface identifier or with the default 0 identifier.
Default
By default, link local default zone is disabled.
Command Mode
Global Configuration mode
Example
The following example defines VLAN 1 as a default zone:
switchxxxxxx(config)# ipv6 link-local default zone vlan1
31.12 ipv6 nd advertisement-interval
Use the ipv6 nd advertisement-interval command in Interface Configuration mode to configure the
advertisement interval option in router advertisements (RAs).
To reset the interval to the default value, use the no form of this command.
Syntax
ipv6 nd advertisement-interval
no ipv6 nd advertisement-interval
Parameters
N/A.
Default Configuration
Advertisement interval option is not sent.
Command Mode
Interface Configuration mode
User Guidelines
Use the ipv6 nd advertisement-interval command to indicate to a visiting mobile node the
interval at which that node may expect to receive RAs. The node may use this information in
its movement detection algorithm.
Example
The following example enables the advertisement interval option to be sent in RAs:
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ipv6 nd advertisement-interval
switchxxxxxx(config-if)# exit
31.13 ipv6 nd dad attempts
Use the ipv6 nd dad attempts command in Interface Configuration mode to configure the
number of consecutive neighbor solicitation messages that are sent on an interface while
duplicate address detection is performed on the Unicast IPv6 addresses of the interface.
To return the number of messages to the default value, use the no form of this command.
Syntax
ipv6 nd dad attempts value
no ipv6 nd dad attempts
Parameters
•
value—The number of neighbor solicitation messages. The acceptable range is from 0
to 600. Configuring a value of 0 disables duplicate address detection processing on the
specified interface; a value of 1 configures a single transmission without follow-up
transmissions.
Default Configuration
1
Command Mode
Interface Configuration mode
User Guidelines
Duplicate address detection verifies the uniqueness of new Unicast IPv6 addresses before the
addresses are assigned to interfaces (the new addresses remain in a tentative state while
duplicate address detection is performed). Duplicate address detection uses neighbor
solicitation messages to verify the uniqueness of Unicast IPv6 addresses.
The DupAddrDetectTransmits node configuration variable (as specified in RFC 4862, IPv6
Stateless Address Autoconfiguration) is used to automatically determine the number of
consecutive neighbor solicitation messages that are sent on an interface, while duplicate
address detection is performed on a tentative Unicast IPv6 address.
The interval between duplicate address detection neighbor solicitation messages (the
duplicate address detection timeout interval) is specified by the neighbor discovery-related
variable RetransTimer (as specified in RFC 4861, Neighbor Discovery for IPv6), which is
used to determine the time between retransmissions of neighbor solicitation messages to a
neighbor when resolving the address or when probing the reachability of a neighbor. This is
the same management variable used to specify the interval for neighbor solicitation messages
during address resolution and neighbor unreachability detection. Use the ipv6 nd ns-interval
command to configure the interval between neighbor solicitation messages that are sent during
duplicate address detection.
Duplicate address detection is suspended on interfaces that are administratively down. While
an interface is administratively down, the Unicast IPv6 addresses assigned to the interface are
set to a pending state. Duplicate address detection is automatically restarted on an interface
when the interface returns to being administratively up.
An interface returning to administratively up restarts duplicate address detection for all of the
Unicast IPv6 addresses on the interface. While duplicate address detection is performed on the
link-local address of an interface, the state for the other IPv6 addresses is still set to
TENTATIVE. When duplicate address detection is completed on the link-local address,
duplicate address detection is performed on the remaining IPv6 addresses.
When duplicate address detection identifies a duplicate address, the state of the address is set
to DUPLICATE and the address is not used. If the duplicate address is the link-local address of
the interface, the processing of IPv6 packets is disabled on the interface and an error SYSLOG
message is issued.
If the duplicate address is a global address of the interface, the address is not used and an error
SYSLOG message is issued.
All configuration commands associated with the duplicate address remain as configured while
the state of the address is set to DUPLICATE.
If the link-local address for an interface changes, duplicate address detection is performed on
the new link-local address and all of the other IPv6 addresses associated with the interface are
regenerated (duplicate address detection is performed only on the new link-local address).
Note. Because DAD is not supported on NBMA interfaces, the command is allowed on an IPv6
tunnel interface of the ISATAP type but has no effect. The configuration is
saved and takes effect when the interface type is changed to another type on which DAD is
supported (for example, to the IPv6 manual tunnel).
Example
The following example configures five consecutive neighbor solicitation messages to be sent
on VLAN 1 while duplicate address detection is being performed on the tentative Unicast IPv6
address of the interface. The example also disables duplicate address detection processing on
VLAN 2.
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ipv6 nd dad attempts 5
switchxxxxxx(config-if)# exit
switchxxxxxx(config)# interface vlan 2
switchxxxxxx(config-if)# ipv6 nd dad attempts 0
switchxxxxxx(config-if)# exit
31.14 ipv6 nd hop-limit
Use the ipv6 nd hop-limit command in Interface Configuration mode to configure the
maximum number of hops used in router advertisements.
To return the hop limit to its default value, use the no form of this command.
Syntax
ipv6 nd hop-limit value
no ipv6 nd hop-limit
Parameters
•
value—Maximum number of hops. The acceptable range is from 1 to 255.
Default Configuration
The default value is defined by the ipv6 hop-limit command, or is set to 64 hops, if the
command was not configured.
Command Mode
Interface Configuration mode
User Guidelines
Use this command if you want to change the default value. The default value is defined by the
ipv6 hop-limit command.
Example
The following example configures a maximum number of 15 hops for router advertisements
on VLAN 2:
switchxxxxxx(config)# interface vlan 2
switchxxxxxx(config-if)# ipv6 nd hop-limit 15
switchxxxxxx(config-if)# exit
31.15 ipv6 nd managed-config-flag
Use the ipv6 nd managed-config-flag command in Interface Configuration mode to set the
“managed address configuration flag” in IPv6 router advertisements.
To clear the flag from IPv6 router advertisements, use the no form of this command.
Syntax
ipv6 nd managed-config-flag
no ipv6 nd managed-config-flag
Parameters
N/A.
Default Configuration
The “managed address configuration flag” is not set in IPv6 router advertisements.
Command Mode
Interface Configuration mode
User Guidelines
Setting the Managed Address Configuration flag in IPv6 router advertisements indicates to
attached hosts whether they should use stateful autoconfiguration to obtain addresses. If this
flag is set, the attached hosts should use stateful autoconfiguration to obtain addresses, and if it
is not set, the attached hosts should not use stateful autoconfiguration to obtain addresses.
Hosts may use stateful and stateless address autoconfiguration simultaneously.
Example
The following example configures the Managed Address Configuration flag in IPv6 router
advertisements on VLAN 1:
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ipv6 nd managed-config-flag
switchxxxxxx(config-if)# exit
31.16 ipv6 nd ns-interval
Use the ipv6 nd ns-interval command in Interface Configuration mode to configure the
interval between IPv6 neighbor solicitation retransmissions on an interface.
To restore the default interval, use the no form of this command.
Syntax
ipv6 nd ns-interval milliseconds
no ipv6 nd ns-interval
Parameters
•
milliseconds—Interval between IPv6 neighbor solicit transmissions. The acceptable
range is from 1000 to 3600000 milliseconds.
Default Configuration
0 seconds (unspecified) is advertised in router advertisements and the value 1000 milliseconds
is used for the neighbor discovery activity of the router itself.
Command Mode
Interface Configuration mode
User Guidelines
This value will be included in all IPv6 router advertisements sent out this interface. Very short
intervals are not recommended in normal IPv6 operation. When a non-default value is
configured, the configured time is both advertised and used by the router itself.
Example
The following example configures an IPv6 neighbor solicit transmission interval of 9000
milliseconds for VLAN 1:
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ipv6 nd ns-interval 9000
switchxxxxxx(config-if)# exit
31.17 ipv6 nd other-config-flag
Use the ipv6 nd other-config-flag command in Interface Configuration mode to set the Other
Stateful configuration flag in IPv6 router advertisements.
To clear the flag from IPv6 router advertisements, use the no form of this command.
Syntax
ipv6 nd other-config-flag
no ipv6 nd other-config-flag
Parameters
N/A.
Default Configuration
The Other Stateful configuration flag is not set in IPv6 router advertisements.
Command Mode
Interface Configuration mode
User Guidelines
The setting of the Other Stateful configuration flag in IPv6 router advertisements indicates to
attached hosts how they can obtain autoconfiguration information other than addresses. If the
flag is set, the attached hosts should use stateful autoconfiguration to obtain the other
(nonaddress) information.
Note. If the Managed Address Configuration flag is set using the ipv6 nd
managed-config-flag command, then an attached host can use stateful autoconfiguration to
obtain the other (nonaddress) information regardless of the setting of the Other Stateful
configuration flag.
Example
The following example configures the Other Stateful configuration flag in IPv6 router
advertisements on VLAN 1:
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ipv6 nd other-config-flag
switchxxxxxx(config-if)# exit
31.18 ipv6 nd prefix
Use the ipv6 nd prefix command in Interface Configuration mode to configure which IPv6
prefixes are included in IPv6 Neighbor Discovery (ND) router advertisements.
To remove the prefixes, use the no form of this command.
Syntax
ipv6 nd prefix {ipv6-prefix/prefix-length | default} [no-advertise | {[valid-lifetime
preferred-lifetime] [no-autoconfig] [off-link | no-onlink]}]
no ipv6 nd prefix [ipv6-prefix/prefix-length | default]
Parameters
•
ipv6-prefix—IPv6 network number to include in router advertisements. This argument
must be in the form documented in RFC4293, where the address is specified in
hexadecimal using 16-bit values between colons.
•
/prefix-length—Length of the IPv6 prefix. A decimal value that indicates how many of
the high-order contiguous bits of the address comprise the prefix (the network portion
of the address). A slash mark must precede the decimal value.
•
default—Default values used for automatic advertised prefixes configured as
addresses on the interface using the ipv6 address command.
•
no-advertise—Prefix is not advertised.
•
valid-lifetime—Remaining length of time, in seconds, that this prefix will continue to
be valid, i.e., time until invalidation. A value of 4,294,967,295 represents infinity. The
address generated from an invalidated prefix should not appear as the destination or
source address of a packet.
•
preferred-lifetime—Remaining length of time, in seconds, that this prefix will continue
to be preferred, i.e., time until deprecation. A value of 4,294,967,295 represents
infinity. The address generated from a deprecated prefix should no longer be used as a
source address in new communications, but packets received on such an interface are
processed as expected. The preferred-lifetime must not be larger than the valid-lifetime.
•
no-autoconfig—Indicates to hosts on the local link that the specified prefix cannot be
used for IPv6 autoconfiguration. The prefix will be advertised with the A-bit clear.
•
off-link—Configures the specified prefix as off-link. The prefix will be advertised
with the L-bit clear. The prefix will not be inserted into the routing table as a connected
prefix. If the prefix is already present in the routing table as a connected prefix (for
example, because the prefix was also configured using the ipv6 address command),
then it will be removed.
•
no-onlink—Configures the specified prefix as not on-link. The prefix will be
advertised with the L-bit clear.
Default Configuration
All prefixes configured on interfaces that originate IPv6 router advertisements are advertised
with a valid lifetime of 2,592,000 seconds (30 days) and a preferred lifetime of 604,800
seconds (7 days).
Note that by default:
•
All prefixes are inserted in the routing table as connected prefixes.
•
All prefixes are advertised as on-link (for example, the L-bit is set in the
advertisement)
•
All prefixes are advertised as an auto-configuration prefix (for example, the A-bit is set
in the advertisement)
Command Mode
Interface Configuration mode
User Guidelines
This command enables control over the individual parameters per prefix, including whether
the prefix should be advertised.
Use the ipv6 nd prefix ipv6-prefix/prefix-length command to add the prefix to the Prefix table.
Use the no ipv6 nd prefix ipv6-prefix/prefix-length command to remove the prefix from the
Prefix table.
Use the no ipv6 nd prefix command without the ipv6-prefix/prefix-length argument to remove
all prefixes from the Prefix Table.
Note. The no ipv6 nd prefix command does not return the default values to the original
default values.
The switch supports the following advertisement algorithm:
•
Advertise all prefixes that are configured as addresses on the interface using the
parameters defined by the ipv6 nd prefix default command (or the default value if the
command has not been configured), except prefixes that are placed in the Prefix table
(changed (configured) by the ipv6 nd prefix command).
•
Advertise all prefixes configured by the ipv6 nd prefix command without the
no-advertise keyword.
Default Keyword
The default keyword can be used to set default values for automatic advertised prefixes
configured as addresses on the interface using the ipv6 address command.
Note. These default values are not used as the default values in the ipv6 nd prefix command.
Use the no ipv6 nd prefix default command to return the default values to the original default
values.
On-Link
When on-link is “on” (by default), the specified prefix is assigned to the link. Nodes sending
traffic to such addresses that contain the specified prefix consider the destination to be locally
reachable on the link. An on-link prefix is inserted into the routing table as a Connected prefix.
Auto-configuration
When auto-configuration is on (by default), it indicates to hosts on the local link that the
specified prefix can be used for IPv6 auto-configuration.
The configuration options affect the L-bit and A-bit settings associated with the prefix in the
IPv6 ND Router Advertisement, and presence of the prefix in the routing table, as follows:
•
Default
L=1 A=1, In the Routing Table
•
no-onlink
L=0 A=1, In the Routing Table
•
no-autoconfig
L=1 A=0, In the Routing Table
•
no-onlink no-autoconfig
L=0 A=0, In the Routing Table
•
off-link
L=0 A=1, Not in the Routing Table
•
off-link no-autoconfig
L=0 A=0, Not in the Routing Table
Examples
Example 1. The following example includes the IPv6 prefix 2001:0DB8::/35 in router
advertisements sent out VLAN 1 with a valid lifetime of 1000 seconds and a preferred lifetime
of 900 seconds. The prefix is inserted in the Routing table:
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ipv6 nd prefix 2001:0DB8::/35 1000 900
switchxxxxxx(config-if)# exit
Example 2. The following example advertises the prefix with the L-bit clear:
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ipv6 address 2001::1/64
switchxxxxxx(config-if)# ipv6 nd prefix 2001::/64 3600 3600 no-onlink
switchxxxxxx(config-if)# exit
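To confirm what an interface actually advertises, a captured Router Advertisement can be decoded and compared with the L-bit/A-bit list above. The following Python parser is an added example, not part of the Cisco guide; it follows the RA and Prefix Information option layouts of RFC 4861, the sample bytes are constructed from the two ipv6 nd prefix examples above, and the function names are hypothetical.

```python
import ipaddress
import struct

# (L-bit, A-bit) on the wire -> keyword(s) from the option list above.
# off-link and no-onlink both clear the L-bit, so an RA alone cannot tell
# them apart; they differ only in the switch's own routing table.
CLI_KEYWORDS = {
    (True, True): "default",
    (False, True): "no-onlink or off-link",
    (True, False): "no-autoconfig",
    (False, False): "no-onlink or off-link, plus no-autoconfig",
}


def prefix_option(prefix, plen, on_link, autoconf, valid, preferred) -> bytes:
    """Encode a Prefix Information option (type 3, length 4 x 8 octets)."""
    flags = (0x80 if on_link else 0) | (0x40 if autoconf else 0)
    return struct.pack("!BBBBIII16s", 3, 4, plen, flags, valid, preferred, 0,
                       ipaddress.IPv6Address(prefix).packed)


# Constructed sample RA body: hop limit 64, O flag set, router lifetime 1800,
# then the prefixes of Example 1 and Example 2. The checksum is left at 0 and
# is not verified here (it needs the IPv6 pseudo-header).
SAMPLE_RA = (
    struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x40, 1800, 0, 0)
    + prefix_option("2001:db8::", 35, True, True, 1000, 900)
    + prefix_option("2001::", 64, False, True, 3600, 3600)
)


def parse_ra(icmp: bytes) -> dict:
    """Decode an ICMPv6 Router Advertisement and its prefix options."""
    if len(icmp) < 16:
        raise ValueError("truncated Router Advertisement")
    msg_type, code, _cksum, hop_limit, flags, lifetime, _reach, retrans = \
        struct.unpack("!BBHBBHII", icmp[:16])
    if msg_type != 134 or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {
        "hop_limit": hop_limit,          # ipv6 nd hop-limit
        "managed": bool(flags & 0x80),   # ipv6 nd managed-config-flag
        "other": bool(flags & 0x40),     # ipv6 nd other-config-flag
        "router_lifetime": lifetime,     # ipv6 nd ra lifetime
        "retrans_timer_ms": retrans,     # ipv6 nd ns-interval
        "prefixes": [],
        "findings": [],
    }
    offset = 16
    while offset < len(icmp):
        if offset + 2 > len(icmp):
            raise ValueError("truncated option header")
        opt_type, opt_len = icmp[offset], icmp[offset + 1] * 8
        if opt_len == 0 or offset + opt_len > len(icmp):
            raise ValueError("bad option length")
        if opt_type == 3:
            if opt_len != 32:
                raise ValueError("bad Prefix Information length")
            _, _, plen, pflags, valid, preferred, _, raw = struct.unpack(
                "!BBBBIII16s", icmp[offset:offset + 32])
            on_link, autoconf = bool(pflags & 0x80), bool(pflags & 0x40)
            name = f"{ipaddress.IPv6Address(raw)}/{plen}"
            ra["prefixes"].append({
                "prefix": name, "on_link": on_link, "autoconfig": autoconf,
                "valid": valid, "preferred": preferred,
                "cli": CLI_KEYWORDS[(on_link, autoconf)],
            })
            if preferred > valid:
                ra["findings"].append(
                    f"{name}: preferred-lifetime exceeds valid-lifetime")
        offset += opt_len  # unknown option types are skipped
    return ra


if __name__ == "__main__":
    for entry in parse_ra(SAMPLE_RA)["prefixes"]:
        print(entry)
```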
31.19 ipv6 nd ra interval
Use the ipv6 nd ra interval command in Interface Configuration mode to configure the
interval between IPv6 router advertisement (RA) transmissions on an interface.
To restore the default interval, use the no form of this command.
Syntax
ipv6 nd ra interval maximum-secs [minimum-secs]
no ipv6 nd ra interval
Parameters
•
maximum-secs—Maximum interval between IPv6 RA transmissions in seconds. The
range is from 4 to 1800.
•
minimum-secs—Minimum interval between IPv6 RA transmissions in seconds. The
range is from 3 to 1350.
Default Configuration
maximum-secs is 600 seconds.
minimum-secs is 0.33*maximum-secs if that value is >= 3 seconds, and 3 seconds if that value
is < 3 seconds.
Command Mode
Interface Configuration mode
User Guidelines
The interval between transmissions should be less than or equal to the IPv6 router
advertisement lifetime if you configure the router as a default router by using this command. To
prevent synchronization with other IPv6 nodes, the actual interval used is randomly selected
from a value between the minimum and maximum values.
The minimum RA interval may never be more than 75% of the maximum RA interval and
never less than 3 seconds.
Examples
Example 1. The following example configures an IPv6 router advertisement interval of 201
seconds for VLAN 1:
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ipv6 nd ra interval 201
switchxxxxxx(config-if)# exit
Example 2. The following example shows a maximum RA interval of 200 seconds and a
minimum RA interval of 50 seconds:
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ipv6 nd ra interval 200 50
switchxxxxxx(config-if)# exit
31.20 ipv6 nd ra lifetime
Use the ipv6 nd ra lifetime command in Interface Configuration mode to configure the
Router Lifetime value in IPv6 router advertisements on an interface.
To restore the default lifetime, use the no form of this command.
Syntax
ipv6 nd ra lifetime seconds
no ipv6 nd ra lifetime
Parameters
•
seconds—Remaining length of time, in seconds, that this router will continue to be
useful as a default router (Router Lifetime value). A value of zero indicates that it is no
longer useful as a default router. The acceptable range is 0 or from <Maximum RA
Interval> to 9000 seconds.
Default Configuration
The default lifetime value is 3*<Maximum RA Interval> seconds.
Command Mode
Interface Configuration mode
User Guidelines
The Router Lifetime value is included in all IPv6 router advertisements sent out the interface.
The value indicates the usefulness of the router as a default router on this interface. Setting the
value to 0 indicates that the router should not be considered a default router on this interface.
The Router Lifetime value can be set to a non-zero value to indicate that it should be
considered a default router on this interface. The non-zero value for the Router Lifetime value
should not be less than the router advertisement interval.
Example
The following example configures an IPv6 router advertisement lifetime of 1801 seconds for
VLAN 1:
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ipv6 nd ra lifetime 1801
switchxxxxxx(config-if)# exit
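The ranges and defaults in 31.19 and 31.20 interact (the Router Lifetime floor and default both depend on the maximum RA interval), so an offline check of saved configuration text is useful. The following Python sketch is an added example, not Cisco code; the sample configuration is constructed, and rounding the default minimum down is an assumption (the guide only shows 600 giving 198).

```python
import re

MAX_RANGE = (4, 1800)       # maximum-secs range (31.19)
MIN_RANGE = (3, 1350)       # minimum-secs range (31.19)
DEFAULT_MAX = 600           # default maximum-secs (31.19)
LIFETIME_CEILING = 9000     # upper bound of the Router Lifetime (31.20)
PROMPT = re.compile(r"^\S+#\s*")   # strips a leading "switchxxxxxx(config-if)# "

# Constructed sample configuration, with and without CLI prompts.
SAMPLE = """\
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ipv6 nd ra interval 200 50
switchxxxxxx(config-if)# ipv6 nd ra lifetime 1801
switchxxxxxx(config-if)# exit
interface vlan 2
 ipv6 nd ra interval 200 180
exit
interface vlan 3
 ipv6 nd ra interval 900
 ipv6 nd ra lifetime 600
exit
interface vlan 4
 ipv6 nd ra lifetime 300
 no ipv6 nd ra lifetime
exit
interface vlan 5
 ipv6 nd ra lifetime 0
exit
"""


def default_min(max_secs):
    """Default minimum-secs: 0.33*maximum-secs, or 3 when that is below 3.
    Rounding down is an assumption; the guide only shows 600 -> 198."""
    return max(3, max_secs * 33 // 100)


def parse(config_text):
    """Return {interface: {"max", "min", "lifetime"}}; None means not configured."""
    settings, current = {}, None
    for raw in config_text.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        negate = bool(words) and words[0] == "no"
        if negate:
            words = words[1:]
        if not words:
            continue
        if words[0] == "interface":
            current = "".join(words[1:]).lower()          # "vlan 1" -> "vlan1"
            settings.setdefault(current, {"max": None, "min": None, "lifetime": None})
        elif words[0] == "exit":
            current = None
        elif current and words[:4] == ["ipv6", "nd", "ra", "interval"]:
            values = [] if negate else [int(w) for w in words[4:6]]
            settings[current]["max"] = values[0] if values else None
            settings[current]["min"] = values[1] if len(values) > 1 else None
        elif current and words[:4] == ["ipv6", "nd", "ra", "lifetime"]:
            values = [] if negate else [int(w) for w in words[4:5]]
            settings[current]["lifetime"] = values[0] if values else None
    return settings


def effective(s):
    """Fill in the documented defaults for anything left unconfigured."""
    max_secs = DEFAULT_MAX if s["max"] is None else s["max"]
    min_secs = default_min(max_secs) if s["min"] is None else s["min"]
    lifetime = 3 * max_secs if s["lifetime"] is None else s["lifetime"]
    return max_secs, min_secs, lifetime


def audit(config_text):
    """Return (interface, message) pairs for values that break the documented rules."""
    findings = []
    for iface, s in sorted(parse(config_text).items()):
        max_secs, min_secs, lifetime = effective(s)
        if not MAX_RANGE[0] <= max_secs <= MAX_RANGE[1]:
            findings.append((iface, f"maximum-secs {max_secs} is outside 4-1800"))
        if s["min"] is not None:
            if not MIN_RANGE[0] <= min_secs <= MIN_RANGE[1]:
                findings.append((iface, f"minimum-secs {min_secs} is outside 3-1350"))
            if 4 * min_secs > 3 * max_secs:
                findings.append((iface, f"minimum-secs {min_secs} is more than 75% "
                                        f"of maximum-secs {max_secs}"))
        if lifetime != 0 and not max_secs <= lifetime <= LIFETIME_CEILING:
            findings.append((iface, f"lifetime {lifetime} is neither 0 nor within "
                                    f"{max_secs}-{LIFETIME_CEILING}"))
    return findings


if __name__ == "__main__":
    for iface, message in audit(SAMPLE):
        print(f"{iface}: {message}")
```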
31.21 ipv6 nd ra suppress
Use the ipv6 nd ra suppress command in Interface Configuration mode to suppress IPv6
router advertisement transmissions on an interface. To re-enable the sending of IPv6 router
advertisement transmissions on an interface, use the no form of this command.
Syntax
ipv6 nd ra suppress
no ipv6 nd ra suppress
Parameters
N/A.
Default Configuration
LAN interface - IPv6 router advertisements are automatically sent.
Point-to-Point interface - IPv6 router advertisements are suppressed.
NBMA interface - IPv6 router advertisements are suppressed.
Command Mode
Interface Configuration mode
User Guidelines
Use the no ipv6 nd ra suppress command to enable the sending of IPv6 router advertisement
transmissions on a Point-to-Point interface (for example, manual tunnel).
NBMA interface - IPv6 router advertisements are suppressed.
Use the no ipv6 nd ra suppress command to enable the sending of IPv6 router advertisement
transmissions on a NBMA interface (for example, ISATAP tunnel).
Examples
Example 1. The following example suppresses IPv6 router advertisements on vlan 1:
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ipv6 nd ra suppress
switchxxxxxx(config-if)# exit
Example 2. The following example enables the sending of IPv6 router advertisements on
tunnel 1:
switchxxxxxx(config)# interface tunnel 1
switchxxxxxx(config-if)# no ipv6 nd ra suppress
switchxxxxxx(config-if)# exit
31.22 ipv6 nd reachable-time
Use the ipv6 nd reachable-time command in Interface Configuration mode to configure the
amount of time that a remote IPv6 node is considered reachable after some reachability
confirmation event has occurred.
To restore the default time, use the no form of this command.
Syntax
ipv6 nd reachable-time milliseconds
no ipv6 nd reachable-time
Parameters
•
milliseconds—Amount of time that a remote IPv6 node is considered reachable (in
milliseconds). The acceptable range is from 0 to 3600000 milliseconds.
Default Configuration
0 milliseconds (unspecified) is advertised in router advertisements and the value 30000 (30
seconds) is used for the neighbor discovery activity of the router itself.
Command Mode
Interface Configuration mode
User Guidelines
The configured time enables the router to detect unavailable neighbors. Shorter configured
times enable the router to detect unavailable neighbors more quickly; however, shorter times
consume more IPv6 network bandwidth and processing resources in all IPv6 network devices.
Very short configured times are not recommended in normal IPv6 operation.
The configured time is included in all router advertisements sent out of an interface so that
nodes on the same link use the same time value. A value of 0 indicates that the
configured time is unspecified by this router.
Example
The following example configures an IPv6 reachable time of 1,700,000 milliseconds for
VLAN 1:
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ipv6 nd reachable-time 1700000
switchxxxxxx(config-if)# exit
31.23 ipv6 nd router-preference
Use the ipv6 nd router-preference command in Interface Configuration mode to configure a
default router preference (DRP) for the router on a specific interface.
To return to the default DRP, use the no form of this command.
Syntax
ipv6 nd router-preference {high | medium | low}
no ipv6 nd router-preference
Parameters
•
high—Preference for the router specified on an interface is high.
•
medium—Preference for the router specified on an interface is medium.
•
low—Preference for the router specified on an interface is low.
Default Configuration
Router advertisements (RAs) are sent with the medium preference.
Command Mode
Interface Configuration mode
User Guidelines
RA messages are sent with the DRP configured by this command. If no DRP is configured,
RAs are sent with a medium preference.
A DRP is useful when, for example, two routers on a link may provide equivalent, but not
equal-cost, routing, and policy may dictate that hosts should prefer one of the routers.
Example
The following example configures a DRP of high for the router on VLAN 1:
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ipv6 nd router-preference high
switchxxxxxx(config-if)# exit
31.24 ipv6 neighbor
Use the ipv6 neighbor command in Global Configuration mode to configure a static entry in
the IPv6 neighbor discovery cache. To remove a static IPv6 entry from the IPv6 neighbor
discovery cache, use the no form of this command.
Syntax
ipv6 neighbor ipv6-address interface-id mac-address
no ipv6 neighbor [[ipv6-address] interface-id]
Parameters
•
ipv6-address—Specified IPv6 address. This argument must be in the form documented
in RFC4293 where the address is specified in hexadecimal using 16-bit values between
colons.
•
interface-id—Specified interface identifier.
•
mac-address—Interface MAC address.
Default Configuration
Static entries are not configured in the IPv6 neighbor discovery cache.
Command Mode
Global Configuration mode
User Guidelines
This command is similar to the arp command.
Use the ipv6 neighbor command to add a static entry in the IPv6 neighbor discovery cache.
If the specified IPv6 address is a global IPv6 address, it must belong to one of the static on-link
prefixes defined on the interface. When a static on-link prefix is deleted, all static entries in the
IPv6 neighbor discovery cache corresponding to the prefix are deleted too.
If an entry for the specified IPv6 address already exists in the neighbor discovery cache,
learned through the IPv6 neighbor discovery process, the entry is automatically converted to a
static entry.
Static entries in the IPv6 neighbor discovery cache are not modified by the neighbor discovery
process.
Use the no ipv6 neighbor ipv6-address interface-id command to remove the given static
entry on the given interface. The command does not remove the entry from the cache if it is a
dynamic entry learned from the IPv6 neighbor discovery process.
Use the no ipv6 neighbor interface-id command to delete all static entries on the given
interface.
Use the no ipv6 neighbor command to remove all static entries on all interfaces.
Use the show ipv6 neighbors command to view static entries in the IPv6 neighbor discovery
cache. A static entry in the IPv6 neighbor discovery cache can have one of the following
states:
•
INCMP (Incomplete)—The interface for this entry is down.
•
REACH (Reachable)—The interface for this entry is up.
Note. Reachability detection is not applied to static entries in the IPv6 neighbor discovery
cache; therefore, the descriptions for the INCMP and REACH states are different for dynamic
and static cache entries.
Examples
Example 1. The following example configures a static entry in the IPv6 neighbor discovery
cache for a neighbor with the IPv6 address 2001:0DB8::45A and link-layer address
0002.7D1A.9472 on VLAN 1:
switchxxxxxx(config)# ipv6 neighbor 2001:0DB8::45A vlan1 0002.7D1A.9472
Example 2. The following example deletes the static entry in the IPv6 neighbor discovery
cache for a neighbor with the IPv6 address 2001:0DB8::45A and link-layer address
0002.7D1A.9472 on VLAN 1:
switchxxxxxx(config)# no ipv6 neighbor 2001:0DB8::45A vlan1
Example 3. The following example deletes all static entries in the IPv6 neighbor discovery
cache on VLAN 1:
switchxxxxxx(config)# no ipv6 neighbor vlan1
Example 4. The following example deletes all static entries in the IPv6 neighbor discovery
cache on all interfaces:
switchxxxxxx(config)# no ipv6 neighbor
31.25 ipv6 policy route-map
To enable policy routing on an interface and identify a route map, use the ipv6 policy
route-map command in Interface Configuration mode. To disable policy routing, use the no
form of this command.
Syntax
ipv6 policy route-map map-tag
no ipv6 policy route-map
Parameters
•
map-tag—Name of the route map to use for policy routing. The name must match a
map-tag value specified by a route-map (Policy Routing) command.
Default Configuration
No policy routing occurs on the interface.
Command Mode
Interface Configuration mode
User Guidelines
Use the ipv6 policy route-map command to enable IPv6 policy routing on an interface. Policy
routing actually takes place only if IPv6 is enabled on the interface.
IPv6 packets that match the conditions of the route map with the map-tag name take a route
that depends on the action of the matched ACL:
•
permit—The route specified by the set command (policy routing).
•
deny—The route specified by the IPv6 Forwarding table (regular routing).
IPv6 packets that do not match are forwarded using the obvious shortest path.
IPv6 policy routing on a Layer 2 interface is performed only when an IPv6 interface is defined, its
status is UP, and the next hop is reachable. If IPv6 policy routing is not applied, the
matched IPv6 packets are forwarded using the obvious shortest path.
Note. As with regular IPv6 routing, policy-based IPv6 routing routes only MAC "to me" IPv6
frames.
IPv6 policy routing cannot be configured on an interface together with the following features:
•
IPv6 First Hop Security
•
VLAN ACL
•
VLAN Rate Limit
Example
The following example shows how to configure policy routing:
switchxxxxxx(config)# ipv6 access-list pr-acl1
switchxxxxxx(config-ip-al)# permit tcp any any 3002:08FA/32 any
switchxxxxxx(config-ip-al)# exit
switchxxxxxx(config)# ipv6 access-list pr-acl2
switchxxxxxx(config-ip-al)# permit tcp any any 3002:0800/32 any
switchxxxxxx(config-ip-al)# exit
switchxxxxxx(config)# route-map pbr 10
switchxxxxxx(config-route-map)# match ipv6 address access-list pr-acl1
switchxxxxxx(config-route-map)# set ipv6 next-hop 3012:12af::1
switchxxxxxx(config-route-map)# exit
switchxxxxxx(config)# route-map pbr 20
switchxxxxxx(config-route-map)# match ipv6 address access-list pr-acl2
switchxxxxxx(config-route-map)# set ipv6 next-hop 3012:1223::1
switchxxxxxx(config-route-map)# exit
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ipv6 policy route-map pbr
switchxxxxxx(config-if)# exit
31.26 ipv6 redirects
Use the ipv6 redirects command in Interface Configuration mode to enable the sending of
ICMP IPv6 redirect messages to re-send a packet through the same interface on which the
packet was received.
To disable the sending of redirect messages, use the no form of this command.
Syntax
ipv6 redirects
no ipv6 redirects
Parameters
N/A.
Default Configuration
The sending of ICMP IPv6 redirect messages is enabled.
Command Mode
Interface Configuration mode
Example
The following example disables the sending of ICMP IPv6 redirect messages on VLAN 100
and re-enables the messages on VLAN 2:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# no ipv6 redirects
switchxxxxxx(config-if)# exit
switchxxxxxx(config)# interface vlan 2
switchxxxxxx(config-if)# ipv6 redirects
switchxxxxxx(config-if)# exit
31.27 ipv6 route
Use the ipv6 route command in Global Configuration mode to establish static IPv6 routes.
To remove a previously configured static route, use the no form of this command.
Syntax
ipv6 route ipv6-prefix/prefix-length {{next-ipv6-address [outgoing-interface-id]} |
interface-id} [metric]
no ipv6 route ipv6-prefix/prefix-length [{next-ipv6-address [outgoing-interface-id]} |
interface-id]
Parameters
•
ipv6-prefix—IPv6 network that is the destination of the static route. Can also be a host
name when static host routes are configured.
•
/prefix-length—Length of the IPv6 prefix. A decimal value that indicates how many of
the high-order contiguous bits of the address comprise the prefix (the network portion
of the address). A slash mark must precede the decimal value.
•
next-ipv6-address—IPv6 address of the next hop that can be used to reach the specified
network.
-
If the next-ipv6-address argument is a link local address it must be defined in the
zone format: <IPv6 Zone Format> ::= IPv6-Link-Local-Address%Interface-ID
-
The interface-id argument must be coded without spaces.
•
outgoing-interface-id—Outgoing Interface identifier.
•
interface-id—Outgoing Interface identifier. This argument can be applied only to
point-to-point interfaces (manual IPv6 over IPv4 tunnels).
•
metric—Static route metric. Acceptable values are from 1 to 65535. The default value
is 1.
Default Configuration
Static entries are not configured in the IPv6 neighbor discovery cache.
Command Mode
Global Configuration mode
User Guidelines
Use the ipv6 route ipv6-prefix/prefix-length interface-id [metric] command to define a static
route, if the outgoing interface is a manual tunnel.
If the next-ipv6-address argument is a global IPv6 address that belongs to an on-link prefix
you can omit the outgoing-interface-id argument and in this case the L2 interface on which
this on-link prefix is defined will be used as the outgoing interface. If the outgoing-interface-id
argument is configured it overrides this switch decision.
If the next-ipv6-address argument is a global IPv6 address that does not belong to any on-link
prefix you must configure the outgoing-interface-id argument.
If the next-ipv6-address argument is a link-local IPv6 address and the outgoing-interface-id
argument is omitted the zone of the next-ipv6-address argument will be used as the outgoing
interface. If the outgoing-interface-id argument is configured it overrides this zone.
Examples
Example 1. The following example defines a static route with a global next hop:
switchxxxxxx(config)# ipv6 route 2001::/64 5::5 10
Example 2. The following example defines a static route with a link-local next hop:
switchxxxxxx(config)# ipv6 route 2001:DB8:2222::/48 FE80::260:3EFF:FE11:6770%vlan1 12
Example 3. The following example defines a static route on manual tunnel 1:
switchxxxxxx(config)# ipv6 route 2001:DB8:2222::/48 tunnel1
Example 4. The following example defines a static route with the outgoing interface:
switchxxxxxx(config)# ipv6 route 2001::/64 5::5 vlan10 10
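The outgoing-interface rules in the User Guidelines above can be checked before a route is entered. The following Python sketch is an added example, not Cisco code: it resolves the outgoing interface for one ipv6 route command from a constructed inventory of on-link prefixes and point-to-point interfaces (the names ONLINK, P2P, resolve_route and route_error are hypothetical), and rejects commands that break a documented rule.

```python
import ipaddress

# Constructed inventory (assumption): on-link prefixes per interface-id and
# the point-to-point interfaces (manual tunnels) of a hypothetical switch.
ONLINK = {"vlan1": ["5::/64"], "vlan10": ["2001:db8:10::/64"]}
P2P = ("tunnel1",)


def resolve_route(command, onlink_prefixes, p2p_interfaces=()):
    """Return (prefix, next_hop, outgoing_interface, metric) or raise ValueError."""
    words = command.split()
    if len(words) < 4 or words[:2] != ["ipv6", "route"]:
        raise ValueError("expected: ipv6 route prefix/len {next-hop [iface] | iface} [metric]")
    prefix = ipaddress.IPv6Network(words[2], strict=False)
    rest = words[3:]
    metric = 1                                    # documented default
    if rest[-1].isdigit():                        # a trailing number is the metric
        metric = int(rest.pop())
        if not 1 <= metric <= 65535:
            raise ValueError("metric must be from 1 to 65535")
    if not 1 <= len(rest) <= 2:
        raise ValueError("too many or too few arguments before the metric")

    p2p = {name.lower() for name in p2p_interfaces}
    known = {name.lower() for name in onlink_prefixes} | p2p
    address, _, zone = rest[0].partition("%")
    zone = zone.lower()
    try:
        next_hop = ipaddress.IPv6Address(address)
    except ValueError:
        next_hop = None

    if next_hop is None:                          # interface-only form
        iface = rest[0].lower()
        if len(rest) != 1 or iface not in p2p:
            raise ValueError(f"{rest[0]!r} is neither an IPv6 address nor a "
                             "point-to-point interface")
        return prefix, None, iface, metric

    explicit = rest[1].lower() if len(rest) == 2 else None
    for iface in (explicit, zone):
        if iface and iface not in known:
            raise ValueError(f"unknown interface-id {iface!r} (it must be coded without spaces)")

    if next_hop.is_link_local:
        if not zone:
            raise ValueError("link-local next hop must use the zone format address%interface-id")
        return prefix, next_hop, explicit or zone, metric   # explicit overrides the zone
    if zone:
        # Assumption: the guide documents the zone format only for link-local next hops.
        raise ValueError("zone given for a next hop that is not link-local")

    if explicit:
        return prefix, next_hop, explicit, metric           # overrides the switch decision
    for iface, prefixes in onlink_prefixes.items():
        if any(next_hop in ipaddress.IPv6Network(p) for p in prefixes):
            return prefix, next_hop, iface.lower(), metric
    raise ValueError("global next hop is on no on-link prefix: outgoing-interface-id is required")


def route_error(command, onlink_prefixes, p2p_interfaces=()):
    """Return None when the command resolves, otherwise the reason it was rejected."""
    try:
        resolve_route(command, onlink_prefixes, p2p_interfaces)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for cmd in ("ipv6 route 2001::/64 5::5 10",
                "ipv6 route 2001::/64 6::6 10",
                "ipv6 route 2001::/64 5::5 vlan 10"):
        print(cmd, "->", route_error(cmd, ONLINK, P2P) or resolve_route(cmd, ONLINK, P2P)[2])
```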
31.28 ipv6 unicast-routing
Use the ipv6 unicast-routing command in Global Configuration mode to enable the
forwarding of IPv6 Unicast datagrams.
To disable the forwarding of IPv6 Unicast datagrams, use the no form of this command.
Syntax
ipv6 unicast-routing
no ipv6 unicast-routing
Parameters
N/A.
Default Configuration
IPv6 Unicast routing is disabled.
Command Mode
Global Configuration mode
Example
The following example enables the forwarding of IPv6 Unicast datagrams:
switchxxxxxx(config)# ipv6 unicast-routing
31.29 ipv6 unreachables
Use the ipv6 unreachables command in Interface Configuration mode to enable the
generation of Internet Control Message Protocol for IPv6 (ICMPv6) unreachable messages for
any packets arriving on a specified interface.
To prevent the generation of unreachable messages, use the no form of this command.
Syntax
ipv6 unreachables
no ipv6 unreachables
Parameters
N/A.
Default Configuration
The sending of ICMP IPv6 unreachable messages is enabled.
Command Mode
Interface Configuration mode
User Guidelines
If the switch receives a Unicast packet destined for itself that uses a protocol it does not
recognize, it sends an ICMPv6 unreachable message to the source.
If the switch receives a datagram that it cannot deliver to its ultimate destination because it
knows of no route to the destination address, it replies to the originator of that datagram with
an ICMP host unreachable message.
Example
The following example disables the generation of ICMPv6 unreachable messages, as
appropriate, on an interface:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# no ipv6 unreachables
switchxxxxxx(config-if)# exit
31.30 show ipv6 interface
Use the show ipv6 interface command in user EXEC or privileged EXEC mode to display the
usability status of interfaces configured for IPv6.
Syntax
show ipv6 interface [brief] | [[interface-id] [prefix]]
Parameters
•
brief—Displays a brief summary of IPv6 status and configuration for each interface
where IPv6 is defined.
•
interface-id—Interface identifier about which to display information.
•
prefix—Prefix generated from a local IPv6 prefix pool.
Default Configuration
Option brief - all IPv6 interfaces are displayed.
Command Mode
User EXEC mode
Privileged EXEC mode
User Guidelines
Use this command to validate the IPv6 status of an interface and its configured addresses. This
command also displays the parameters that IPv6 uses for operation on this interface and any
configured features.
If the interface’s hardware is usable, the interface is marked up.
If you specify an optional interface identifier, the command displays information only about
that specific interface. For a specific interface, you can enter the prefix keyword to see the
IPv6 neighbor discovery (ND) prefixes that are configured on the interface.
The keyword is supported only if IPv6 unicast routing is enabled.
Examples
Example 1. The show ipv6 interface command displays information about the specified
interface:
switchxxxxxx# show ipv6 interface vlan 1
VLAN 1 is up/up
IPv6 is enabled, link-local address is FE80::0DB8:12AB:FA01
IPv6 Forwarding is enabled
Global unicast address(es):
Ipv6 Global Address        Type
2000:0DB8::2/64 (ANY)      Manual
2000:0DB8::2/64            Manual
2000:1DB8::2011/64         Manual
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF11:6770
MTU is 1500 bytes
ICMP error messages limited interval is 100ms; Bucket size is 10 tokens
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router maximum advertisement interval is 600 seconds
ND router minimum advertisement interval is 198 seconds (DEFAULT)
ND router advertisements live for 1800 seconds
ND advertised default router preference is Medium
Stateless autoconfiguration is enabled.
Stateless autoconfiguration is not available (IPv6 Forwarding is enabled).
MLD Version is 2
Field Descriptions:
•
vlan 1 is up/up—Indicates the interface status: administrative/operational.
•
IPv6 is enabled, stalled, disabled (stalled and disabled are not shown in sample
output)—Indicates that IPv6 is enabled, stalled, or disabled on the interface. If IPv6 is
enabled, the interface is marked Enabled. If duplicate address detection processing
identified the link-local address of the interface as being a duplicate address, the
processing of IPv6 packets is disabled on the interface and the interface is marked
Stalled. If IPv6 is not enabled, the interface is marked Disabled.
•
link-local address—Displays the link-local address assigned to the interface.
•
Global unicast address(es):—Displays the global Unicast addresses assigned to the
interface. The type is manual or autoconfig.
•
Joined group address(es):—Indicates the Multicast groups to which this interface
belongs.
•
MTU is 1500 bytes—Maximum transmission unit of the interface.
•
ICMP error messages—Specifies the minimum interval (in milliseconds) between
error messages sent on this interface.
•
ICMP redirects—State of ICMP IPv6 redirect messages on the interface (the sending
of the messages is enabled or disabled).
•
ND DAD—The state of duplicate address detection on the interface (enabled or
disabled).
•
number of DAD attempts:—Number of consecutive neighbor solicitation messages
that are sent on the interface while duplicate address detection is performed.
•
ND reachable time—Displays the neighbor discovery reachable time (in
milliseconds) assigned to this interface.
•
ND advertised reachable time—Displays the neighbor discovery reachable time (in
milliseconds) advertised on this interface.
•
ND advertised retransmit interval—Displays the neighbor discovery retransmit
interval (in milliseconds) advertised on this interface.
•
ND router advertisements—Specifies the interval (in seconds) for neighbor
discovery router advertisements sent on this interface and the amount of time before
the advertisements expire.
•
ND advertised default router preference is Medium—DRP for the router on a
specific interface.
•
MLD Version—Version of MLD
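To compare these fields across many interfaces, the output can be parsed into records and checked against a baseline. The following Python sketch is an added example, not Cisco code: the sample text is constructed in the layout of Example 1, the concatenation of two interface blocks is an assumption, and the BASELINE values are a hypothetical site policy.

```python
import re

# Constructed sample in the layout of Example 1 (not captured from a device).
SAMPLE = """\
VLAN 1 is up/up
IPv6 is enabled, link-local address is FE80::0DB8:12AB:FA01
IPv6 Forwarding is enabled
Global unicast address(es):
Ipv6 Global Address        Type
2000:0DB8::2/64 (ANY)      Manual
2000:1DB8::2011/64         Manual
Joined group address(es):
FF02::1
FF02::2
MTU is 1500 bytes
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND router maximum advertisement interval is 600 seconds
ND router advertisements live for 1800 seconds
ND advertised default router preference is Medium
MLD Version is 2
VLAN 2 is up/up
IPv6 is stalled, link-local address is FE80::0DB8:12AB:FA01
Global unicast address(es):
Joined group address(es):
FF02::1
ICMP redirects are disabled
ND DAD is enabled, number of DAD attempts: 1
ND router advertisements live for 1800 seconds
MLD Version is 2
"""

# Hypothetical site policy to compare against.
BASELINE = {"ipv6_state": "enabled", "icmp_redirects": "disabled"}

HEADER = re.compile(r"^(?P<name>\S.*?) is (?P<admin>up|down)/(?P<oper>up|down)$")
ADDRESS = re.compile(r"^(?P<addr>[0-9A-Fa-f:]+/\d+)(?:\s+\((?P<flag>\w+)\))?\s+(?P<type>\w+)$")
FIELDS = [  # (key, pattern, converter) for the single-line fields described above
    ("ipv6_state", r"^IPv6 is (enabled|stalled|disabled)", str),
    ("link_local", r"link-local address is (\S+)", str),
    ("icmp_redirects", r"^ICMP redirects are (enabled|disabled)", str),
    ("dad", r"^ND DAD is (enabled|disabled)", str),
    ("dad_attempts", r"number of DAD attempts: (\d+)", int),
    ("reachable_ms", r"^ND reachable time is (\d+) milliseconds", int),
    ("ra_max_secs", r"^ND router maximum advertisement interval is (\d+) seconds", int),
    ("ra_lifetime_secs", r"^ND router advertisements live for (\d+) seconds", int),
    ("router_preference", r"^ND advertised default router preference is (\w+)", str),
    ("mld_version", r"^MLD Version is (\d+)", int),
]


def parse_show_ipv6_interface(text):
    """Return {interface name: {field: value}} for each "<name> is up/up" block."""
    interfaces, current, in_addresses = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            current = {"admin": header["admin"], "oper": header["oper"],
                       "global_addresses": []}
            interfaces[header["name"].lower()] = current
            in_addresses = False
            continue
        if current is None:
            continue
        if line.startswith("Global unicast address"):
            in_addresses = True
            continue
        if line.startswith("Joined group address"):
            in_addresses = False
            continue
        address = ADDRESS.match(line) if in_addresses else None
        if address:
            current["global_addresses"].append((address["addr"], address["type"]))
            continue
        for key, pattern, convert in FIELDS:
            found = re.search(pattern, line)
            if found:
                current[key] = convert(found.group(1))
    return interfaces


def deviations(interfaces, baseline):
    """Return (interface, field, expected, actual) for each field that differs."""
    return [(name, key, expected, fields.get(key))
            for name, fields in sorted(interfaces.items())
            for key, expected in baseline.items()
            if fields.get(key) != expected]


if __name__ == "__main__":
    for finding in deviations(parse_show_ipv6_interface(SAMPLE), BASELINE):
        print(finding)
```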
Example 2. The show ipv6 interface command displays information about the specified
manual IPv6 tunnel:
switchxxxxxx# show ipv6 interface tunnel 2
Tunnel 2 is up/up
IPv6 is enabled, link-local address is FE80::0DB8:12AB:FA01
IPv6 Forwarding is enabled
Global unicast address(es):
Ipv6 Global Address        Type
2000:0DB8::2/64 (ANY)      Manual
2000:0DB8::2/64            Manual
2000:1DB8::2011/64         Manual
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF11:6770
MTU is 1500 bytes
ICMP error messages limited interval is 100ms; Bucket size is 10 tokens
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
ND advertised default router preference is Medium
Hosts use stateless autoconfig for addresses.
Stateless autoconfiguration is disabled.
MLD Version is 2
Tunnel mode is manual
Tunnel Local IPv4 address : 10.10.10.1(auto)
Tunnel Remote Ipv4 address : 10.1.1.1
Field Descriptions:
•
vlan 1 is up/up—Indicates the interface status: administrative/operational.
•
IPv6 is enabled, stalled, disabled (stalled and disabled are not shown in sample
output)—Indicates that IPv6 is enabled, stalled, or disabled on the interface. If IPv6 is
enabled, the interface is marked “enabled.” If duplicate address detection processing
identified the link-local address of the interface as being a duplicate address, the
processing of IPv6 packets is disabled on the interface and the interface is marked
“stalled.” If IPv6 is not enabled, the interface is marked “disabled.”
•
link-local address—Displays the link-local address assigned to the interface.
•
Global Unicast address(es):—Displays the global Unicast addresses assigned to the
interface. The type is manual or autoconfig.
•
Joined group address(es):—Indicates the Multicast groups to which this interface
belongs.
•
MTU is 1500 bytes—Maximum transmission unit of the interface.
•
ICMP error messages—Specifies the minimum interval (in milliseconds) between
error messages sent on this interface.
•
ICMP redirects—The state of Internet Control Message Protocol (ICMP) IPv6
redirect messages on the interface (the sending of the messages is enabled or disabled).
•
ND DAD—The state of duplicate address detection on the interface (enabled or
disabled).
•
number of DAD attempts:—Number of consecutive neighbor solicitation messages
that are sent on the interface while duplicate address detection is performed.
•
ND reachable time—Displays the neighbor discovery reachable time (in
milliseconds) assigned to this interface.
•
ND advertised reachable time—Displays the neighbor discovery reachable time (in
milliseconds) advertised on this interface.
•
ND advertised retransmit interval—Displays the neighbor discovery retransmit
interval (in milliseconds) advertised on this interface.
•
ND router advertisements—Specifies the interval (in seconds) for neighbor
discovery router advertisements sent on this interface and the amount of time before
the advertisements expire.
•
ND advertised default router preference is Medium—The DRP for the router on a
specific interface.
•
MLD Version—The version of MLD
•
Tunnel mode—Specifies the tunnel mode: manual
•
Tunnel Local IPv4 address—Specifies the tunnel local IPv4 address and has one of
the following formats:
-
ipv4-address
-
ipv4-address (auto)
-
ipv4-address (interface-id)
•
Tunnel Remote Ipv4 address—Specifies the tunnel remote IPv4 address
Example 3. The show ipv6 interface command displays information about the specified
ISATAP tunnel:
switchxxxxxx# show ipv6 interface tunnel 1
Tunnel 1 is up/up
IPv6 is enabled, link-local address is FE80::0DB8:12AB:FA01
ICMP redirects are disabled
Global unicast address(es):
Ipv6 Global Address        Type
2000:0DB8::2/64 (ANY)      Manual
2000:0DB8::2/64            Manual
2000:1DB8::2011/64         Manual
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF11:6770
MTU is 1500 bytes
ICMP error messages limited interval is 100ms; Bucket size is 10 tokens
ICMP redirects are enabled
ND DAD is disabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
ND advertised default router preference is Medium
Stateless autoconfiguration is disabled.
MLD Version is 2
Tunnel mode is ISATAP
Tunnel Local IPv4 address : 10.10.10.1(VLAN 1)
ISATAP Router DNS name is isatap
Field Descriptions:
•
ND DAD—The state of duplicate address detection on the interface (enabled or
disabled). Note. The state of duplicate address detection on an IPv6 tunnel interface of
ISATAP type always is displayed as disabled regardless of a value of the number of
DAD attempts parameter because DAD is not supported on NBMA interfaces. The
switch will enable DAD automatically when the user changes the type of the tunnel to
manual if the parameter value is bigger than 0.
•
number of DAD attempts:—Number of consecutive neighbor solicitation messages
that are sent on the interface while duplicate address detection is performed.
•
vlan 1 is up/up—Indicates the interface status: administrative/operational.
•
IPv6 is enabled, stalled, disabled (stalled and disabled are not shown in sample
output)—Indicates that IPv6 is enabled, stalled, or disabled on the interface. If IPv6 is
enabled, the interface is marked “enabled.” If duplicate address detection processing
identified the link-local address of the interface as being a duplicate address, the
processing of IPv6 packets is disabled on the interface and the interface is marked
“stalled.” If IPv6 is not enabled, the interface is marked “disabled.”
•
link-local address—Displays the link-local address assigned to the interface.
•
Global Unicast address(es):—Displays the global Unicast addresses assigned to the
interface. The type is manual or autoconfig.
•
Joined group address(es):—Indicates the Multicast groups to which this interface
belongs.
•
MTU is 1500 bytes—Maximum transmission unit of the interface.
•
ICMP error messages—Specifies the minimum interval (in milliseconds) between
error messages sent on this interface.
•
ICMP redirects—The state of Internet Control Message Protocol (ICMP) IPv6
redirect messages on the interface (the sending of the messages is enabled or disabled).
•
number of DAD attempts:—Number of consecutive neighbor solicitation messages
that are sent on the interface while duplicate address detection is performed.
•
ND reachable time—Displays the neighbor discovery reachable time (in
milliseconds) assigned to this interface.
•
ND advertised reachable time—Displays the neighbor discovery reachable time (in
milliseconds) advertised on this interface.
•
ND advertised retransmit interval—Displays the neighbor discovery retransmit
interval (in milliseconds) advertised on this interface.
•
ND router advertisements—Specifies the interval (in seconds) for neighbor
discovery router advertisements sent on this interface and the amount of time before
the advertisements expire.
•
ND advertised default router preference is Medium—The DRP for the router on a
specific interface.
•
MLD Version—The version of MLD
•
Tunnel mode—Specifies the tunnel mode: isatap
•
Tunnel Local IPv4 address—Specifies the tunnel local IPv4 address and has one of
the following formats:
-
ipv4-address
-
ipv4-address (auto)
-
ipv4-address (interface-id)
•
Tunnel Remote Ipv4 address—Specifies the tunnel remote IPv4 address
•
ISATAP Router DNS name is—The DNS name of the ISATAP Router
Example 4. The following command with the brief keyword displays information about all
interfaces that IPv6 is defined on:
switchxxxxxx# show ipv6 interface brief
Interface  Interface  IPv6     Link Local            MLD      Number of
           State      State    IPv6 Address          Version  Global Addresses
---------  ---------  -------  --------------------  -------  ----------------
vlan 1     up/up      enabled  FE80::0DB8:12AB:FA01  1        1
vlan 2     up/up      stalled  FE80::0DB8:12AB:FA01  1        1
vlan 3     up/down    enabled  FE80::0DB8:12AB:FA01  1        3
vlan 4     down/down  enabled  FE80::0DB8:12AB:FA01  2        2
vlan 5     up/up      enabled  FE80::0DB8:12AB:FA01  1        1
vlan 100   up/up      enabled  FE80::0DB8:12AB:FA01  1        1
vlan 1000  up/up      stalled  FE80::0DB8:12AB:FA01  1        1
Example 5. This sample output shows the characteristics of VLAN 1 that has generated a
prefix from a local IPv6 prefix pool:
switchxxxxxx# configure terminal
switchxxxxxx(config)# interface vlan1
switchxxxxxx(config-if)# ipv6 address 2001:0DB8:1::1/64
switchxxxxxx(config-if)# ipv6 address 2001:0DB8:2::1/64
switchxxxxxx(config-if)# ipv6 address 2001:0DB8:3::1/64
switchxxxxxx(config-if)# ipv6 nd prefix 2001:0DB8:1::/64 no-advertise
switchxxxxxx(config-if)# ipv6 nd prefix 2001:0DB8:3::/64 2912000 564900 off-link
switchxxxxxx(config-if)# ipv6 nd prefix 2001:0DB8:4::/64
switchxxxxxx(config-if)# ipv6 nd prefix 2001:0DB8:5::/64 2912000 564900 off-link
switchxxxxxx(config-if)# exit
switchxxxxxx(config)# exit
switchxxxxxx# show ipv6 interface vlan 1 prefix
IPv6 Prefix Advertisements VLAN 1
Codes: A - Address, P - Prefix is advertised, R is in Routing Table
Code   Prefix             Flags   Valid Lifetime   Preferred Lifetime
----   ----------------   -----   --------------   ------------------
       default            LA      2592000          604800
AR     2001:0DB8:1::/64   LA      infinite         infinite
APR    2001:0DB8:2::/64   LA      infinite         infinite
AP     2001:0DB8:3::/64   A       infinite         infinite
PR     2001:0DB8:4::/64   LA      2592000          604800
P      2001:0DB8:5::/64   A       2912000          564900
31.31 show ipv6 link-local default zone
Use the show ipv6 link-local default zone command in user EXEC or privileged EXEC mode
to display the IPv6 link local default zone.
Syntax
show ipv6 link-local default zone
Command Mode
User EXEC mode
Privileged EXEC mode
Examples
Example 1. The following example displays the default zone when it is defined:
switchxxxxxx# show ipv6 link-local default zone
Link Local Default Zone is VLAN 1
Example 2. The following example displays the default zone when it is not defined:
switchxxxxxx# show ipv6 link-local default zone
Link Local Default Zone is not defined
31.32 show ipv6 nd prefix
Use the show ipv6 nd prefix command in user EXEC or privileged EXEC mode to display
IPv6 prefixes included in IPv6 Neighbor Discovery (ND) router advertisements.
Syntax
show ipv6 nd prefix [interface-id]
Parameters
• interface-id—Specified interface identifier on which prefixes are advertised.
Default Configuration
No prefixes are displayed.
Command Mode
User EXEC mode
Privileged EXEC mode
User Guidelines
Use the show ipv6 nd prefix command with the interface-id argument to display prefixes
advertised on a single interface.
Example
The following example displays IPv6 prefixes:
switchxxxxxx# show ipv6 nd prefix vlan 100
vlan 100
default
valid-lifetime 2,592,000 secs
preferred-lifetime 604,800 secs
on-link
auto-config
prefix 2001::1/64
valid-lifetime 3,600 secs
preferred-lifetime 2,700 secs
prefix 2001:2:12/64
no advertise
prefix 2002::1/64
valid-lifetime 3,600 secs
preferred-lifetime 2,700 secs
on-link
prefix 2011::1/64
valid-lifetime 3,600 secs
preferred-lifetime 2,700 secs
off-link
auto-config
31.33 show ipv6 neighbors
Use the show ipv6 neighbors command in User EXEC or Privileged EXEC mode to display
IPv6 neighbor discovery (ND) cache information.
Syntax
show ipv6 neighbors [interface-id | ipv6-address | ipv6-hostname]
Parameters
• interface-id—Specifies the identifier of the interface from which IPv6 neighbor
information is to be displayed.
• ipv6-address—Specifies the IPv6 address of the neighbor. This argument must be in
the form documented in RFC4293 where the address is specified in hexadecimal using
16-bit values between colons.
• ipv6-hostname—Specifies the IPv6 host name of the remote networking device.
Default Configuration
All IPv6 ND cache entries are listed.
Command Mode
User EXEC mode
Privileged EXEC mode
User Guidelines
When the interface-id argument is not specified, cache information for all IPv6 neighbors is
displayed. Specifying the interface-id argument displays only cache information about the
specified interface.
Examples
Example 1. The following is sample output from the show ipv6 neighbors command when
entered with an interface-id:
switchxxxxxx# show ipv6 neighbors vlan 1
IPv6 Address               Age   Link-layer Addr   State   Interface   Router
2000:0:0:4::2              0     0003.a0d6.141e    REACH   VLAN1       Yes
3001:1::45a                -     0002.7d1a.9472    REACH   VLAN1       -
FE80::203:A0FF:FED6:141E   0     0003.a0d6.141e    REACH   VLAN1       No
Example 2. The following is sample output from the show ipv6 neighbors command when
entered with an IPv6 address:
switchxxxxxx# show ipv6 neighbors 2000:0:0:4::2
IPv6 Address    Age   Link-layer Addr   State   Interface   Router
2000:0:0:4::2   0     0003.a0d6.141e    REACH   VLAN1       Yes
Field Descriptions:
• Total number of entries—Number of entries (peers) in the cache.
• IPv6 Address—IPv6 address of neighbor or interface.
• Age—Time (in minutes) since the address was confirmed to be reachable. A hyphen
(-) indicates a static entry.
• Link-layer Addr—MAC address. If the address is unknown, a hyphen (-) is
displayed.
• Interface—Interface which the neighbor is connected to.
• Router—Specifies if the neighbor is a Router. A hyphen (-) is displayed for static
entries.
31.34 show ipv6 route
Use the show ipv6 route command in user EXEC or privileged EXEC mode to display the
current contents of the IPv6 routing table.
Syntax
show ipv6 route [ipv6-address | ipv6-prefix/prefix-length | protocol | interface interface-id]
Parameters
• ipv6-address—Displays routing information for a specific IPv6 address. This argument
must be in the form documented in RFC4293 where the address is specified in
hexadecimal using 16-bit values between colons.
• ipv6-prefix—Displays routing information for a specific IPv6 network. This argument
must be in the form documented in RFC4293 where the address is specified in
hexadecimal using 16-bit values between colons.
• /prefix-length—The length of the IPv6 prefix. A decimal value that indicates how
many of the high-order contiguous bits of the address comprise the prefix (the network
portion of the address). A slash mark must precede the decimal value.
• protocol—Displays routes for the specified routing protocol using any of these
keywords: bgp, isis, ospf, or rip; or displays routes for the specified type of route
using any of these keywords: connected, static, nd, or icmp.
• interface interface-id—Identifier of an interface.
Default Configuration
All IPv6 routing information for all active routing tables is displayed.
Command Mode
User EXEC mode
Privileged EXEC mode
User Guidelines
This command provides output similar to the show ip route command, except that the
information is IPv6-specific.
When the ipv6-address or ipv6-prefix/prefix-length argument is specified, a longest match
lookup is performed from the routing table and only route information for that address or
network is displayed. When the icmp, nd, connected, local, or static keywords are specified,
only that type of route is displayed. When the interface-id argument is specified, only the
specified interface-specific routes are displayed.
Examples
Example 1. The following is sample output from the show ipv6 route command when IPv6
Routing is not enabled and the command is entered without an IPv6 address or prefix
specified:
switchxxxxxx# show ipv6 route
Codes: > - Best
S - Static, C - Connected(from ipv6 address), I - ICMP Redirect, ND Router Advertisment
[d/m]: d - route’s distance, m - route’s metric
IPv6 Forwarding is disabled
IPv6 Routing Table - 4 entries
S> ::/0 [1/1]
   via:: fe80::77 VLAN 1
ND> ::/0 [3/2]
   via:: fe80::200:cff:fe4a:dfa8 VLAN 1 Lifetime 1784 sec
C> 3002:1:1:1:1/64 [0/0]
   via:: VLAN 1
ND> 3004:1:1:1:1/64 [0/0]
   via:: VLAN 100 Lifetime 1784 sec
Example 2. The following is sample output from the show ipv6 route command when IPv6
Routing is enabled and the command is entered without an IPv6 address or prefix specified:
switchxxxxxx# show ipv6 route
Codes: > - Best
S - Static, C - Connected(from ipv6 address),
L - Local(on-link prefixes defined by the ipv6 nd prefix command with on-link
keyword,
[d/m]: d - route’s distance, m - route’s metric
IPv6 Forwarding is enabled (hardware forwarding is not active)
IPv6 Policy Routing
VLAN 1
  Route Map: BPR1
  Status: Active
    ACL Name: ACLTCPHTTP
    Next Hop: fe80::77
    Next Hop Status: Active
    ACL Name: ACLTCPTELNET
    Next Hop: 4001::27
    Next Hop Status: Not Active (Unreachable)
    ACL Name: ACL_AA
    Next Hop: 301a:23:24
    Next Hop Status: Not Active (Not direct)
VLAN 100
  Route Map: BPR_10
  Status: Not Active (No IP interface on VLAN 100)
    ACL Name: ACLTCPHTTP
    Next Hop: 4214::10
    Next Hop Status: Active
VLAN 110
  Route Map: BPR_20
  Status: Not Active (VLAN 110 status is DOWN)
    ACL Name: ACLTCPHTTP
    Next Hop: 3004:1241::73
    Next Hop Status: Active
VLAN 200
  Route Map: BPR_A0
  Status: Active
    ACL Name: ACLTCPHTTP
    Next Hop: 3004:1241::73
    Next Hop Status: Active
IPv6 Routing Table - 3 entries
S> 3000::/64 [1/1]
   via:: FE80::A8BB:CCFF:FE02:8B00 VLAN 100
C> 4001::/64 [0/0]
   via:: VLAN 100
L> 4002::/64 [0/0]
   via:: VLAN 100 Lifetime 9000 sec
31.35 show ipv6 route summary
Use the show ipv6 route summary command in User EXEC or Privileged EXEC mode to
display the current contents of the IPv6 routing table in summary format.
Syntax
show ipv6 route summary
Parameters
N/A.
Command Mode
User EXEC mode
Privileged EXEC mode
Example
The following is sample output from the show ipv6 route summary command:
switchxxxxxx# show ipv6 route summary
IPv6 Routing Table Summary - 97 entries
37 local, 35 connected, 25 static
Number of prefixes:
/16: 1, /28: 10, /32: 5, /35: 25, /40: 1, /64: 9
/96: 5, /112: 1, /127: 4, /128: 36
31.36 show ipv6 static
Use the show ipv6 static command in user EXEC or privileged EXEC mode to display the
current static routes of the IPv6 routing table.
Syntax
show ipv6 static [ipv6-address | ipv6-prefix/prefix-length] [interface interface-id][detail]
Parameters
• ipv6-address—Provides routing information for a specific IPv6 address. This argument
must be in the form documented in RFC4293 where the address is specified in
hexadecimal using 16-bit values between colons.
• ipv6-prefix—Provides routing information for a specific IPv6 network. This argument
must be in the form documented in RFC4293 where the address is specified in
hexadecimal using 16-bit values between colons.
• /prefix-length—Length of the IPv6 prefix. A decimal value that indicates how many of
the high-order contiguous bits of the address comprise the prefix (the network portion
of the address). A slash mark must precede the decimal value.
• interface interface-id—Identifier of an interface.
• detail—Specifies, for invalid routes, the reason why the route is not valid.
Default Configuration
All IPv6 static routing information for all active routing tables is displayed.
Command Mode
User EXEC mode
Privileged EXEC mode
User Guidelines
When the ipv6-address or ipv6-prefix/prefix-length argument is specified, a longest match
lookup is performed from the routing table and only route information for that address or
network is displayed. Only the information matching the criteria specified in the command
syntax is displayed. For example, when the interface-id argument is specified, only the
specified interface-specific routes are displayed.
When the detail keyword is specified, the reason why the route is not valid is displayed for
invalid direct or fully specified routes.
Examples
Example 1. The following is sample output from the show ipv6 static command without
specified options:
switchxxxxxx# show ipv6 static
IPv6 Static routes
Code: * - installed in Forwarding Information Base (FIB)
IPv6 Static routes distance is 1
* 3000::/16, via outgoing interface tunnel1, metric 1
5000::/16, via outgoing interface tunnel2, metric 1
* 5555::/16, via outgoing interface VLAN100 nexthop 4000::1 metric 1
5555::/16, via outgoing interface VLAN10 nexthop 9999::1 vlan100 metric 1
* 5555::/16, via outgoing interface VLAN100 nexthop 4001:AF00::1, metric 1
* 6000::/16, via outgoing interface VLAN1 nexthop 2007::1 metric 1
Example 2. The following is sample output from the show ipv6 static command when entered
with the IPv6 prefix 2001:200::/35:
switchxxxxxx# show ipv6 static 2001:200::/35
IPv6 Static routes
Code: * - installed in Forwarding Information Base (FIB)
IPv6 Static routes distance is 1
* 2001:200::/35, via outgoing interface VLAN100 nexthop 4000::1, metric 1
2001:200::/35, via outgoing interface VLAN10 nexthop 9999::1, metric 1
Example 3. The following is sample output from the show ipv6 static command when entered
with the interface VLAN 1:
switchxxxxxx# show ipv6 static interface vlan 1
IPv6 Static routes
Code: * - installed in Forwarding Information Base (FIB)
IPv6 Static routes distance is 1
* 5000::/16, via outgoing interface VLAN1 nexthop 4000::1, metric 1
Example 4. The following is sample output from the show ipv6 static command with the
detail keyword:
switchxxxxxx# show ipv6 static detail
IPv6 Static routes
Code: * - installed in Forwarding Information Base (FIB)
IPv6 Static routes distance is 1
* 3000::/16, via outgoing interface tunnel1, metric 1
5000::/16, via outgoing interface tunnel2, metric 1
5000::/16, via outgoing interface VLAN2 nexthop 2003::1, metric 1
Interface is down
* 5555::/16, via outgoing interface VLAN100 nexthop 4000::1, metric 1
5555::/16, via outgoing interface VLAN10 nexthop 9999::1, metric 1
Route does not fully resolve
* 5555::/16, via outgoing interface VLAN12 nexthop 4001:AF00::1, metric 1
* 6000::/16, via outgoing interface VLAN102 nexthop 2007::1, metric 1
32 IPv6 First Hop Security
32.0 Policies
Policies contain the rules of verification that will be performed on input packets. They can be
attached to VLANs and/or ports (Ethernet port or port channel).
The final set of rules that is applied to an input packet on a port is built in the following way:
1. The rules configured in policies attached to the port on the VLAN on which the packet
arrived are added to the set.
2. The rules configured in the policy attached to the VLAN are added to the set if they have not been
added at the port level.
3. The global rules are added to the set if they have not been added at the VLAN or port level.
Rules defined at the port level override the rules set at the VLAN level. Rules defined at the
VLAN level override the globally-configured rules. The globally-configured rules override the
system defaults.
You can only attach 1 policy (for a specific sub-feature) to a VLAN.
You can attach multiple policies (for a specific sub-feature) to a port if they specify different
VLANs.
A sub-feature policy does not take effect until:
• IPv6 First Hop Security is enabled on the VLAN
• The sub-feature is enabled on the VLAN
• The policy is attached to the VLAN or port
Default Policies
Empty default policies exist for each sub-feature and are by default attached to all VLANs and
ports. The default policies are named "vlan_default" and "port_default".
Rules can be added to these default policies. You do not have to manually attach default
policies to ports. They are attached by default.
When a user-defined policy is attached to a port, the default policy for that port is detached. If
the user-defined policy is detached from the port, the default policy is reattached.
Default policies can never be deleted. You can only delete the user-added configuration.
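The rule-set construction and default-policy behavior described above can be checked with a small model. This is an added example, not code from the guide or the switch firmware; the class and function names, the sample policies and the hop-limit entries in SYSTEM_DEFAULTS are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed system defaults for one sub-feature (RA Guard). "host" is the
# VLAN-level default role given in the guide; the hop-limit values are
# constructed placeholders.
SYSTEM_DEFAULTS = {
    "device-role": "host",
    "hop-limit minimum": "disable",
    "hop-limit maximum": "disable",
}


@dataclass
class Policy:
    name: str
    rules: dict = field(default_factory=dict)  # rule name -> configured value


@dataclass
class Switch:
    fhs_vlans: set = field(default_factory=set)      # FHS enabled on VLAN
    feature_vlans: set = field(default_factory=set)  # sub-feature enabled on VLAN
    global_rules: dict = field(default_factory=dict)
    vlan_policy: dict = field(default_factory=dict)  # vlan -> user-defined Policy
    port_policy: dict = field(default_factory=dict)  # (port, vlan) -> Policy
    vlan_default: Policy = field(default_factory=lambda: Policy("vlan_default"))
    port_default: Policy = field(default_factory=lambda: Policy("port_default"))

    def attach_vlan(self, vlan, policy):
        # Only one policy per sub-feature may be attached to a VLAN.
        if vlan in self.vlan_policy:
            raise ValueError(f"VLAN {vlan} already has a policy attached")
        self.vlan_policy[vlan] = policy

    def attach_port(self, port, vlan, policy):
        # Several policies may sit on one port only if they name different VLANs.
        if (port, vlan) in self.port_policy:
            raise ValueError(f"{port} already has a policy for VLAN {vlan}")
        self.port_policy[(port, vlan)] = policy

    def detach_port(self, port, vlan):
        self.port_policy.pop((port, vlan), None)

    def _port_level(self, port, vlan):
        # A user-defined policy on the port detaches port_default for that port.
        user = {v: p for (prt, v), p in self.port_policy.items() if prt == port}
        if not user:
            return self.port_default  # nothing user-defined: default is attached
        return user.get(vlan)         # None: no port-level rules for this VLAN

    def effective_rules(self, port, vlan):
        """Return {rule: (value, source)}, or None if the sub-feature is inactive."""
        if vlan not in self.fhs_vlans or vlan not in self.feature_vlans:
            return None
        layers = []
        port_pol = self._port_level(port, vlan)
        if port_pol is not None:
            layers.append((f"port:{port_pol.name}", port_pol.rules))
        # Assumption: a user-defined VLAN policy replaces vlan_default.
        vlan_pol = self.vlan_policy.get(vlan, self.vlan_default)
        layers.append((f"vlan:{vlan_pol.name}", vlan_pol.rules))
        layers.append(("global", self.global_rules))
        layers.append(("system default", SYSTEM_DEFAULTS))
        effective = {}
        for source, rules in layers:  # most specific layer first
            for rule, value in rules.items():
                effective.setdefault(rule, (value, source))
        return effective


def demo_switch():
    """Constructed configuration used to exercise the model."""
    sw = Switch(fhs_vlans={10, 20}, feature_vlans={10, 20},
                global_rules={"hop-limit minimum": 3})
    sw.port_default.rules["hop-limit maximum"] = 64  # rule added to a default policy
    sw.attach_vlan(10, Policy("vlan10-ra", {"hop-limit minimum": 5,
                                            "hop-limit maximum": 100}))
    sw.attach_port("te1/0/1", 10, Policy("uplink", {"device-role": "router"}))
    return sw


if __name__ == "__main__":
    sw = demo_switch()
    for port, vlan in [("te1/0/1", 10), ("te1/0/2", 10), ("te1/0/1", 20)]:
        print(port, vlan, sw.effective_rules(port, vlan))
```

Each value is returned with the layer it came from, which makes it easy to audit a port where a rule added to port_default stops applying once a user-defined policy is attached.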
Lists of Commands
32.1 address-config
To specify allowed configuration methods of global IPv6 addresses within an IPv6 Neighbor
Binding policy, use the address-config command in Neighbor Binding Policy Configuration
mode. To return to the default, use the no form of this command.
Syntax
address-config [stateless | any] [dhcp]
no address-config
Parameters
• stateless—Only auto configuration for global IPv6 bound from NDP messages is
allowed.
• any—All configuration methods for global IPv6 bound from NDP messages (stateless
and manual) are allowed. If no keyword is defined the any keyword is applied.
• dhcp—Bound from DHCPv6 is allowed.
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached to the
VLAN.
Policy attached to VLAN: global configuration.
Command Mode
Neighbor Binding Policy Configuration mode.
User Guidelines
If this command is part of a policy attached to a VLAN, it is applied to all the ports in the
VLAN. If it is defined in a policy attached to a port in the VLAN, this value overrides the
value in the policy attached to the VLAN.
If no keyword is defined the address-config any command is applied.
Example
The following example shows how to change the global configuration to allow only DHCP
address configuration method:
switchxxxxxx(config)# ipv6 neighbor binding policy policy1
switchxxxxxx(config-nbr-binding)# address-config dhcp
switchxxxxxx(config-nbr-binding)# exit
32.2 address-prefix-validation
To define the bound address prefix validation within an IPv6 Neighbor Binding policy, use the
address-prefix-validation command in Neighbor Binding Policy Configuration mode. To
return to the default, use the no form of this command.
Syntax
address-prefix-validation [enable | disable]
no address-prefix-validation
Parameters
• enable—Enables bound address prefix validation. If no keyword is configured, this
keyword is applied by default.
• disable—Disables bound address prefix validation.
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached to the
VLAN.
Policy attached to VLAN: global configured value.
Command Mode
Neighbor Binding Policy Configuration mode.
User Guidelines
When a policy containing this command is attached to a VLAN, it overrides the global
configuration and is applied to all ports of the VLAN. When this command is used in a policy
attached to a port, it overrides the global and the VLAN configurations.
Example
The following example shows how to define policy1 that changes the global bound address
verification in Neighbor Binding:
switchxxxxxx(config)# ipv6 neighbor binding policy policy1
switchxxxxxx(config-nbr-binding)# address-prefix-validation enable
switchxxxxxx(config-nbr-binding)# exit
32.3 clear ipv6 first hop security counters
To clear IPv6 First Hop Security port counters, use the clear ipv6 first hop security counters
command in privileged EXEC mode.
Syntax
clear ipv6 first hop security counters [interface interface-id]
Parameters
• interface interface-id—Clear IPv6 First Hop Security counters for the specified
Ethernet port or port channel.
Command Mode
Privileged EXEC mode
User Guidelines
This command clears port counters about packets handled by IPv6 First Hop Security.
Use the interface keyword to clear all counters for the specific port.
Use the command without keyword to clear all counters.
Example
The following example clears IPv6 First Hop Security counters on port te1/0/1:
switchxxxxxx# clear ipv6 first hop security counters interface te1/0/1
32.4 clear ipv6 first hop security error counters
To clear IPv6 First Hop Security global error counters, use the clear ipv6 first hop security
error counters command in privileged EXEC mode.
Syntax
clear ipv6 first hop security error counters
Parameters
N/A
Command Mode
Privileged EXEC mode
User Guidelines
This command clears global error counters.
Example
The following example clears IPv6 First Hop Security error counters:
switchxxxxxx# clear ipv6 first hop security error counters
32.5 clear ipv6 neighbor binding prefix table
To remove dynamic entries from the Neighbor Prefix table, use the clear ipv6 neighbor
binding prefix table command in Privileged EXEC mode.
Syntax
clear ipv6 neighbor binding prefix table [vlan vlan-id] [prefix-address/prefix-length]
Parameters
• vlan-id—Clear the dynamic prefixes that match the specified VLAN.
• prefix-address/prefix-length—Clear the specific dynamic prefix.
Command Mode
Privileged EXEC mode
User Guidelines
This command deletes the dynamic entries of the Neighbor Prefix table.
Use the clear ipv6 neighbor binding prefix table vlan vlan-id prefix-address/prefix-length
command to delete one specific entry.
Use the clear ipv6 neighbor binding prefix table vlan vlan-id command to delete the
dynamic entries that match the specified VLAN.
Use the clear ipv6 neighbor binding prefix table command to delete all dynamic entries.
Examples
Example 1. The following example clears all dynamic entries:
switchxxxxxx# clear ipv6 neighbor binding prefix table
Example 2. The following example clears all dynamic prefixes that match VLAN 100:
switchxxxxxx# clear ipv6 neighbor binding prefix table vlan 100
Example 3. The following example clears one specific prefix:
switchxxxxxx# clear ipv6 neighbor binding prefix table vlan 100 2002:11aa:0000:0001::/64
32.6 clear ipv6 neighbor binding table
To remove dynamic entries from the Neighbor Binding table, use the clear ipv6 neighbor
binding table command in Privileged EXEC mode.
Syntax
clear ipv6 neighbor binding table [vlan vlan-id] [interface interface-id] [ipv6 ipv6-address]
[mac mac-address] [ndp | dhcp]
Parameters
• vlan vlan-id—Clear the dynamic entries that match the specified VLAN.
• interface interface-id—Clear the dynamic entries that match the specified port
(Ethernet port or port channel).
• ipv6 ipv6-address—Clear the dynamic entries that match the specified IPv6 address.
• mac mac-address—Clear the dynamic entries that match the specified MAC address.
• ndp—Clear the dynamic entries that are bound from NDP messages.
• dhcp—Clear the dynamic entries that are bound from DHCPv6 messages.
Command Mode
Privileged EXEC mode
User Guidelines
This command deletes the dynamic entries of the Neighbor Binding table.
The dynamic entries to be deleted can be specified by the vlan-id argument, the interface-id
argument, IPv6 address, MAC address, or by type of message from which they were bound.
If neither the ndp keyword nor the dhcp keyword is defined, the entries are removed regardless
of their origin.
If no keywords or arguments are entered, all dynamic entries are deleted.
All keyword and argument combinations are allowed.
Example
The following example clears all dynamic entries that exist on VLAN 100 & port te1/0/1:
switchxxxxxx# clear ipv6 neighbor binding table vlan 100 interface te1/0/1
32.7 device-role (IPv6 DHCP Guard)
To specify the role of the device attached to the port within an IPv6 DHCP Guard policy, use
the device-role command in IPv6 DHCPv6 Guard Policy Configuration mode. To return to the
default, use the no form of this command.
Syntax
device-role {client | server}
no device-role
Parameters
• client—Sets the role of the device to DHCPv6 client.
• server—Sets the role of the device to DHCPv6 server.
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached to the
VLAN.
Policy attached to VLAN: client.
Command Mode
DHCP Guard Policy Configuration mode
User Guidelines
If this command is part of a policy attached to a VLAN, it is applied to all the ports in the
VLAN. If it is defined in a policy attached to a port in the VLAN, this value overrides the
value in the policy attached to the VLAN.
IPv6 DHCP Guard discards the following DHCPv6 messages sent by DHCPv6 servers/relays
and received on ports configured as client:
• ADVERTISE
• REPLY
• RECONFIGURE
• RELAY-REPL
• LEASEQUERY-REPLY
Example
The following example defines an IPv6 DHCP Guard policy named policy 1 and configures
the port role as the server:
switchxxxxxx(config)# ipv6 dhcp guard policy policy1
switchxxxxxx(config-dhcp-guard)# device-role server
switchxxxxxx(config-dhcp-guard)# exit
32.8 device-role (Neighbor Binding)
To specify the role of the device attached to the port within an IPv6 Neighbor Binding policy,
use the device-role command within IPv6 Neighbor Binding Policy Configuration mode. To
return to the default, use the no form of this command.
Syntax
device-role {perimeter | internal}
no device-role
Parameters
• perimeter—Specifies that the port is connected to devices not supporting IPv6 First
Hop Security.
• internal—Specifies that the port is connected to devices supporting IPv6 First Hop
Security.
Default Configuration
Policy attached to port or port channel: Value configured in the policy attached to the VLAN.
Policy attached to VLAN: Perimeter.
Command Mode
Neighbor Binding Policy Configuration mode.
User Guidelines
If this command is part of a policy attached to a VLAN, it is applied to all the ports in the
VLAN. If it is defined in a policy attached to a port in the VLAN, this value overrides the
value in the policy attached to the VLAN.
NB Integrity supports the perimetrical model (see RFC 6620).
This model specifies two types of ports:
• Perimeter Port—Specifies ports connected to devices not supporting NB Integrity.
NB Integrity establishes binding for neighbors connected to these ports. Source Guard
does not function on these ports.
• Internal Port—The second type specifies ports connected to devices supporting IPv6
First Hop Security. NB Integrity does not establish binding for neighbors connected to
these ports, but it does propagate the bindings established on perimeter ports.
A dynamic IPv6 address bound to a port is deleted when its role is changed from perimetrical
to internal. A static IPv6 address is kept.
Example
The following example defines a Neighbor Binding policy named policy 1 and configures the
port role as an internal port:
switchxxxxxx(config)# ipv6 neighbor binding policy policy1
switchxxxxxx(config-nbr-binding)# device-role internal
switchxxxxxx(config-nbr-binding)# exit
32.9 device-role (ND Inspection Policy)
To specify the role of the device attached to the port within an IPv6 ND Inspection policy, use
the device-role command in ND Inspection Policy Configuration mode. To disable this
function, use the no form of this command.
Syntax
device-role {host | router}
no device-role
Parameters
• host—Sets the role of the device to host.
• router—Sets the role of the device to router.
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached to the
VLAN.
Policy attached to VLAN: host.
Command Mode
ND inspection Policy Configuration mode
User Guidelines
If this command is part of a policy attached to a VLAN, it is applied to all the ports in the
VLAN. If it is defined in a policy attached to a port in the VLAN, this value overrides the
value in the policy attached to the VLAN.
ND Inspection performs egress filtering of NDP messages depending on a port role. The
following table specifies the filtering rules.
Message         Host     Router
RA              Permit   Permit
RS              Deny     Permit
CPA             Permit   Permit
CPS             Deny     Permit
ICMP Redirect   Permit   Permit
Example
The following example defines an ND Inspection policy named policy 1 and configures the
port role as router:
switchxxxxxx(config)# ipv6 nd inspection policy policy1
switchxxxxxx(config-nd-inspection)# device-role router
switchxxxxxx(config-nd-inspection)# exit
32.10 device-role (RA Guard Policy)
To specify the role of the device attached to the port within an IPv6 RA Guard policy, use the
device-role command in RA Guard Policy Configuration mode. To return to the default, use
the no form of this command.
Syntax
device-role {host | router}
no device-role
Parameters
• host—Sets the role of the device to host.
• router—Sets the role of the device to router.
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached to the
VLAN.
Policy attached to VLAN: host.
Command Mode
RA Guard Policy Configuration mode
User Guidelines
If this command is part of a policy attached to a VLAN, it is applied to all the ports in the
VLAN. If it is defined in a policy attached to a port in the VLAN, this value overrides the
value in the policy attached to the VLAN.
RA Guard discards input RA, CPA, and ICMPv6 Redirect messages received on ports
configured as host.
Example
The following example defines an RA Guard policy named policy 1 and configures the port
role as router:
switchxxxxxx(config)# ipv6 nd raguard policy policy1
switchxxxxxx(config-ra-guard)# device-role router
switchxxxxxx(config-ra-guard)# exit
32.11 drop-unsecure
To enable dropping messages with no or invalid options or an invalid signature within an IPv6
ND Inspection policy, use the drop-unsecure command in ND Inspection Policy Configuration
mode. To return to the default, use the no form of this command.
Syntax
drop-unsecure [enable | disable]
no drop-unsecure
Parameters
• enable—Enables dropping messages with no or invalid options or an invalid
signature. If no keyword is configured this keyword is applied by default.
• disable—Disables dropping messages with no or invalid options or an invalid
signature.
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached to the
VLAN.
Policy attached to VLAN: global configuration.
Command Mode
ND inspection Policy Configuration mode
User Guidelines
If this command is part of a policy attached to a VLAN, it is applied to all the ports in the
VLAN. If it is defined in a policy attached to a port in the VLAN, this value overrides the
value in the policy attached to the VLAN.
Example
The following example defines an ND Inspection policy named policy1, places the switch in
ND Inspection Policy Configuration mode, and enables the switch to drop messages with no or
invalid options or an invalid signature:
switchxxxxxx(config)# ipv6 nd inspection policy policy1
switchxxxxxx(config-nd-inspection)# drop-unsecure
switchxxxxxx(config-nd-inspection)# exit
32.12 hop-limit
To enable the verification of the advertised Cur Hop Limit value in RA messages within an
IPv6 RA Guard policy, use the hop-limit command in RA Guard Policy Configuration mode.
To return to the default, use the no form of this command.
Syntax
hop-limit {[maximum {value | disable}] [minimum {value | disable}]}
no hop-limit [maximum] [minimum]
Parameters
• maximum value—Verifies that the hop-count limit is less than or equal to the value
  argument. Range 1-255. The value of the high boundary must be equal to or greater
  than the value of the low boundary.
• maximum disable—Disables verification of the high boundary of the hop-count limit.
• minimum value—Verifies that the hop-count limit is greater than or equal to the value
  argument. Range 1-255.
• minimum disable—Disables verification of the lower boundary of the hop-count
  limit.
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached to the
VLAN.
Policy attached to VLAN: global configuration.
Command Mode
RA Guard Policy Configuration mode
User Guidelines
If this command is part of a policy attached to a VLAN, it is applied to all the ports in the
VLAN. If it is defined in a policy attached to a port in the VLAN, this value overrides the
value in the policy attached to the VLAN.
Use the disable keyword to disable verification regardless of the global or VLAN
configuration.
Examples
Example 1—The following example defines an RA Guard policy named policy1, places the
switch in RA Guard Policy Configuration mode, and defines a minimum Cur Hop Limit value
of 5:
switchxxxxxx(config)# ipv6 nd raguard policy policy1
switchxxxxxx(config-ra-guard)# hop-limit minimum 5
switchxxxxxx(config-ra-guard)# exit
Example 2—The following example defines an RA Guard policy named policy1, places the
switch in RA Guard Policy Configuration mode, and disables validation of the Cur Hop Limit
high boundary:
switchxxxxxx(config)# ipv6 nd raguard policy policy1
switchxxxxxx(config-ra-guard)# hop-limit maximum disable
switchxxxxxx(config-ra-guard)# exit
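The following Python sketch is an added example, not code from Cisco or from this guide: it models how the hop-limit bounds resolve across the port policy, the VLAN policy and the global configuration as described in the User Guidelines, then checks the Cur Hop Limit byte of a raw RA against the result. The function names, the dict layout, the constructed sample RA and the rule that a boundary configured at no level is not verified are assumptions.

```python
import struct

DISABLE = "disable"  # models the CLI keyword; None models "not configured"

def effective(port, vlan, global_):
    """First configured level wins: port policy, VLAN policy, then global."""
    for level in (port, vlan, global_):
        if level is not None:
            return None if level == DISABLE else level
    return None  # assumption: nothing configured anywhere means no check

def resolve_bounds(port=None, vlan=None, global_=None):
    """Return (minimum, maximum); None means that boundary is not verified."""
    port, vlan, global_ = (lvl or {} for lvl in (port, vlan, global_))
    lo = effective(port.get("minimum"), vlan.get("minimum"), global_.get("minimum"))
    hi = effective(port.get("maximum"), vlan.get("maximum"), global_.get("maximum"))
    for value in (lo, hi):
        if value is not None and not 1 <= value <= 255:
            raise ValueError("hop-limit value outside range 1-255")
    if lo is not None and hi is not None and hi < lo:
        raise ValueError("maximum must be equal to or greater than minimum")
    return lo, hi

def cur_hop_limit(icmpv6):
    """Extract Cur Hop Limit from a raw ICMPv6 Router Advertisement (RFC 4861)."""
    if len(icmpv6) < 16:
        raise ValueError("truncated Router Advertisement")
    msg_type, _code, _checksum, hop = struct.unpack_from("!BBHB", icmpv6)
    if msg_type != 134:
        raise ValueError("not a Router Advertisement")
    return hop

def ra_passes(icmpv6, bounds):
    """True if the RA's Cur Hop Limit satisfies every enabled boundary."""
    lo, hi = bounds
    hop = cur_hop_limit(icmpv6)
    return (lo is None or hop >= lo) and (hi is None or hop <= hi)

def make_ra(hop):
    # Constructed sample: 16-byte RA header, zero checksum, no options
    return struct.pack("!BBHBBHII", 134, 0, 0, hop, 0, 1800, 0, 0)

if __name__ == "__main__":
    # VLAN policy sets both bounds; the port policy disables only the maximum
    bounds = resolve_bounds(port={"maximum": DISABLE},
                            vlan={"minimum": 5, "maximum": 64})
    for hop in (1, 64, 255):
        print(hop, "forward" if ra_passes(make_ra(hop), bounds) else "drop")
```
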
32.13 ipv6 dhcp guard
To enable the DHCPv6 guard feature on a VLAN, use the ipv6 dhcp guard command in
VLAN Configuration mode. To return to the default, use the no form of this command.
Syntax
ipv6 dhcp guard
no ipv6 dhcp guard
Parameters
N/A
Default Configuration
DHCPv6 Guard on a VLAN is disabled.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
DHCPv6 Guard blocks messages sent by DHCPv6 servers/relays to clients received on ports
that are not configured as a DHCPv6 server. Client messages or messages sent by relay agents
from clients to servers are not