Catalyst 3560 Switch Command Reference, Cisco …...IN-1 Catalyst 3560 Switch Command Reference OL-26671-03 INDEX A aaa accounting dot1x command 2-1 aaa authentication dot1x command

OL-26671-03

I N D E X

A

aaa accounting dot1x command 2-1

aaa authentication dot1x command 2-3

aaa authorization network command 2-5, 2-22, 2-29, 2-31, 2-34, 2-36, 2-38, 2-154, 2-329, 2-331, 2-332, 2-527, B-7, B-38

AAA methods 2-3

access control entries

See ACEs

access control lists

See ACLs

access groups

IP 2-211

MAC, displaying 2-647

access list, IPv6 2-284

access map configuration mode 2-350

access mode 2-832

access ports 2-832

ACEs 2-141, 2-437

ACLs

deny 2-139

displaying 2-509

for non-IP protocols 2-336

IP 2-211

matching 2-350

on Layer 2 interfaces 2-211

permit 2-435

action command 2-6

address aliasing 2-407

aggregate-port learner 2-421

allowed VLANs 2-852

archive download-sw command 2-10

archive tar command 2-13

archive upload-sw command 2-16

arp access-list command 2-18

authentication command bounce-port ignore 2-20

authentication command disable-port ignore 2-21

authentication control-direction command 2-22

authentication event command 2-24

authentication event linksec fail action command 2-28

authentication failed VLAN

See dot1x auth-fail vlan

authentication fallback command 2-29

authentication host-mode command 2-31

authentication linksec policy command 2-33

authentication mac-move permit command 2-34

authentication open command 2-36

authentication order command 2-38

authentication periodic command 2-40

authentication port-control command 2-42

authentication priority command 2-44

authentication timer command 2-46

authentication violation command 2-48

auth-fail max-attempts

See dot1x auth-fail max-attempts

auth-fail vlan


auth open command 2-36

auth order command 2-38

authorization state of controlled port 2-174

auth timer command 2-46

autonegotiation of duplex mode 2-189

auto qos classify command 2-50

auto qos trust command 2-53

auto qos video command 2-56

auto qos voip command 2-59

IN-1Catalyst 3560 Switch Command Reference

Index

B

BackboneFast, for STP 2-763

backup interfaces

configuring 2-825

displaying 2-579

boot (boot loader) command A-2

boot auto-download-sw command 2-65

boot config-file command 2-68

boot enable-break command 2-69

boot helper command 2-70

boot helper-config file command 2-71

booting

Cisco IOS image 2-74

displaying environment variables 2-522

interrupting 2-65, 2-69

manually 2-72

boot loader

accessing A-1

booting

Cisco IOS image A-2

helper image 2-70

directories

creating A-14

displaying a list of A-7

removing A-18

displaying

available commands A-12

memory heap utilization A-13

version A-25

environment variables

described A-19

displaying settings A-19

location of A-20

setting A-19

unsetting A-23

files

copying A-5

deleting A-6

OL-26671-03

displaying a list of A-7

displaying the contents of A-4, A-15, A-22

renaming A-16

file system

formatting A-10

initializing flash A-9

running a consistency check A-11

prompt A-1

resetting the system A-17

boot manual command 2-72

boot private-config-file command 2-73

boot system command 2-74

BPDU filtering, for spanning tree 2-764, 2-798

BPDU guard, for spanning tree 2-766, 2-798

broadcast storm control 2-816

C

candidate switches

See clusters

cat (boot loader) command A-4

CDP, enabling protocol tunneling for 2-308

channel-group command 2-76

channel-protocol command 2-79

Cisco IP camera

auto-QoS configuration 2-56

Cisco SoftPhone


trusting packets sent from 2-399

Cisco Telepresence System


CISP

See Client Information Signalling Protocol

cisp

debug platform cisp command B-38

cisp enable command 2-80

class command 2-81

class-map command 2-84

class maps


Index

creating 2-84

defining the match criteria 2-352

displaying 2-528

class of service

See CoS

clear dot1x command 2-87

clear eap sessions command 2-88

clear errdisable interface 2-89

clear ip arp inspection log command 2-86

clear ip arp inspection statistics command 2-90

clear ipc command 2-93

clear ip dhcp snooping database command 2-91

clear ipv6 dhcp conflict command 2-94

clear l2protocol-tunnel counters command 2-95

clear lacp command 2-96

clear logging smartlog statistics interface command 2-97

clear mac address-table command 2-98, 2-100

clear macsec counters interface command 2-101

clear mka command 2-102

clear nmsp statistics command 2-104

clear pagp command 2-105, 2-109

clear port-security command 2-106

clear psp counter 2-108

clear psp counter command 2-108

clear spanning-tree counters command 2-110

clear spanning-tree detected-protocols command 2-111

clear vmps statistics command 2-112

clear vtp counters command 2-113

Client Information Signalling Protocol 2-80, 2-154, 2-527, B-7, B-38

cluster commander-address command 2-114

cluster discovery hop-count command 2-116

cluster enable command 2-117

cluster holdtime command 2-118

cluster member command 2-119

cluster outside-interface command 2-121

cluster run command 2-122

clusters

adding candidates 2-119


binding to HSRP group 2-123

building manually 2-119

communicating with

devices outside the cluster 2-121

members by using Telnet 2-470

debug messages, display B-8

displaying

candidate switches 2-531

debug messages B-8

member switches 2-533

status 2-529

hop-count limit for extended discovery 2-116

HSRP standby groups 2-123

redundancy 2-123

SNMP trap 2-752

cluster standby-group command 2-123

cluster timer command 2-125

command modes defined 1-1

command switch

See clusters

confidentiality-offset command 2-126

configuration files

password recovery disable considerations A-1

specifying the name 2-68, 2-73

configuring multiple interfaces 2-207

config-vlan mode

commands 2-877

entering 2-876

copy (boot loader) command A-5

CoS

assigning default value to incoming packets 2-369

assigning to Layer 2 protocol packets 2-311

overriding the incoming value 2-369

CoS-to-DSCP map 2-373

CPU ASIC statistics, displaying 2-535

crashinfo files 2-200

critical VLAN 2-26

OL-26671-03

Index

D

debug authentication B-2

debug auto qos command B-4

debug backup command B-6

debug cisp command B-7

debug cluster command B-8

debug dot1x command B-10

debug dtp command B-12

debug eap command B-13

debug etherchannel command B-14

debug ilpower command B-15

debug interface command B-16

debug ip dhcp snooping command B-17

debug ip igmp filter command B-19

debug ip igmp max-groups command B-20

debug ip igmp snooping command B-21

debug ip verify source packet command B-18

debug lacp command B-22

debug lldp packets command B-23

debug mac-notification command B-25

debug macsec command B-26

debug matm command B-27

debug matm move update command B-28

debug mka command B-29

debug monitor command B-31

debug mvrdbg command B-32

debug nmsp command B-33

debug nvram command B-34

debug pagp command B-35

debug platform acl command B-36

debug platform backup interface command B-37

debug platform cisp command B-38

debug platform configuration command B-46

debug platform cpu-queues command B-39

debug platform device-manager command B-41

debug platform dot1x command B-42

debug platform etherchannel command B-43

debug platform fallback-bridging command B-44

OL-26671-03

debug platform forw-tcam command B-45

debug platform ip arp inspection command B-47

debug platform ip dhcp command B-48

debug platform ip igmp snooping command B-49

debug platform ip multicast command B-51

debug platform ip source-guard command B-53

debug platform ip unicast command B-54

debug platform ip wccp command B-56

debug platform led command B-57

debug platform matm command B-58

debug platform messaging application command B-59

debug platform phy command B-60

debug platform pm command B-62

debug platform port-asic command B-64

debug platform port-security command B-65

debug platform qos-acl-tcam command B-66

debug platform remote-commands command B-67

debug platform resource-manager command B-68

debug platform snmp command B-69

debug platform span command B-70

debug platform supervisor-asic command B-71

debug platform sw-bridge command B-72

debug platform tcam command B-73

debug platform udld command B-75

debug platform vlan command B-76

debug pm command B-77

debug port-security command B-79

debug qos-manager command B-80

debug spanning-tree backbonefast command B-83

debug spanning-tree bpdu command B-84

debug spanning-tree bpdu-opt command B-85

debug spanning-tree command B-81

debug spanning-tree mstp command B-86

debug spanning-tree switch command B-88

debug spanning-tree uplinkfast command B-90

debug sw-vlan command B-91

debug sw-vlan ifs command B-93

debug sw-vlan notification command B-94

debug sw-vlan vtp command B-95


Index

debug udld command B-97

debug vqpc command B-99

default policy, MKA 2-359

define interface-range command 2-127

delete (boot loader) command A-6

delete command 2-129

deny (ARP access-list configuration) command 2-132

deny (IPv6) command 2-134

deny command 2-139

detect mechanism, causes 2-191

DHCP snooping

accepting untrusted packets from edge switch 2-244

enabling

on a VLAN 2-250

option 82 2-242, 2-244

trust on an interface 2-248

error recovery timer 2-197

rate limiting 2-247

DHCP snooping binding database

binding file, configuring 2-240

bindings

adding 2-238

deleting 2-238

clearing database agent statistics 2-91

database agent, configuring 2-240

renewing 2-474

dir (boot loader) command A-7

directories, deleting 2-129

domain name, VTP 2-891

dot1x auth-fail max-attempts 2-149

dot1x auth-fail vlan 2-150

dot1x command 2-147

dot1x control-direction command 2-152

dot1x credentials (global configuration) command 2-154

dot1x critical global configuration command 2-155

dot1x critical interface configuration command 2-157

dot1x default command 2-159

dot1x fallback command 2-160

dot1x guest-vlan command 2-161


dot1x host-mode command 2-164

dot1x initialize command 2-166

dot1x mac-auth-bypass command 2-167

dot1x max-reauth-req command 2-169

dot1x max-req command 2-171

dot1x multiple-hosts command 2-172

dot1x pae command 2-173

dot1x port-control command 2-174

dot1x re-authenticate command 2-176

dot1x re-authentication command 2-177

dot1x reauthentication command 2-178

dot1x supplicant controlled transient command 2-179

dot1x supplicant force-multicast command 2-181

dot1x test eapol-capable command 2-182

dot1x test timeout command 2-183

dot1x timeout command 2-184

dot1x violation-mode command 2-187

dropping packets, with ACL matches 2-6

drop threshold, Layer 2 protocol tunneling 2-308

DSCP-to-CoS map 2-373

DSCP-to-DSCP-mutation map 2-373

DTP 2-833

DTP flap

error detection for 2-191


DTP negotiation 2-837

dual-purpose uplink ports

displaying configurable options 2-582

selecting the type 2-355

duplex command 2-188

dynamic-access ports

configuring 2-821

restrictions 2-822

dynamic ARP inspection

ARP ACLs

apply to a VLAN 2-219

define 2-18

deny packets 2-132

display 2-513

OL-26671-03

Index

permit packets 2-427

clear

log buffer 2-86

statistics 2-90

display

ARP ACLs 2-513

configuration and operating state 2-594

log buffer 2-594

statistics 2-594

trust state and rate limit 2-594

enable per VLAN 2-231



log buffer

clear 2-86

configure 2-223

display 2-594

rate-limit incoming ARP packets 2-221

statistics

clear 2-90

display 2-594

trusted interface state 2-227

type of packet logged 2-232

validation checks 2-229

dynamic auto VLAN membership mode 2-832

dynamic desirable VLAN membership mode 2-832

Dynamic Host Configuration Protocol (DHCP)

See DHCP snooping

Dynamic Trunking Protocol

See DTP

E

EAP-request/identity frame

maximum number to send 2-171

response time before retransmitting 2-184

encapsulation methods 2-852

environment variables, displaying 2-522

epm access-control open 2-190

OL-26671-03

errdisable detect cause command 2-191

errdisable detect cause small-frame comand 2-194

errdisable recovery cause small-frame 2-196

errdisable recovery command 2-197

error conditions, displaying 2-570

error disable detection 2-191

error-disabled interfaces, displaying 2-579

EtherChannel

assigning Ethernet interface to channel group 2-76

creating port-channel logical interface 2-205

debug EtherChannel/PAgP, display B-14

debug platform-specific events, display B-43

displaying 2-573

enabling Layer 2 protocol tunneling for

LACP 2-309

PAgP 2-309

UDLD 2-309

interface information, displaying 2-579

LACP

clearing channel-group information 2-96


displaying 2-636

modes 2-76

port priority for hot-standby ports 2-312

restricting a protocol 2-79

system priority 2-314

load-distribution methods 2-445

PAgP

aggregate-port learner 2-421

clearing channel-group information 2-105


displaying 2-703



learn method 2-421

modes 2-76

physical-port learner 2-421

priority of interface for transmitted traffic 2-423

Ethernet controller, internal register display 2-537


Index

Ethernet statistics, collecting 2-492

exception crashinfo command 2-200

extended discovery of candidate switches 2-116

extended-range VLANs

and allowed VLAN list 2-852

and pruning-eligible list 2-852

configuring 2-876

extended system ID for STP 2-772

F

fallback profile command 2-201

fallback profiles, displaying 2-576

fan information, displaying 2-566

file name, VTP 2-891

files, deleting 2-129

flash_init (boot loader) command A-9

flexible authentication ordering 2-38

Flex Links

configuring 2-825

configuring preferred VLAN 2-827

displaying 2-579

flowcontrol command 2-203

format (boot loader) command A-10

forwarding packets, with ACL matches 2-6

fsck (boot loader) command A-11

G

global configuration mode 1-2, 1-3

H

hardware ACL statistics 2-509

help (boot loader) command A-12

hierarchical policy maps 2-443

hop-count limit for clusters 2-116

host connection, port configuration 2-831


host ports, private VLANs 2-835

Hot Standby Router Protocol

See HSRP

HSRP

binding HSRP group to cluster 2-123

standby group 2-123

I

IEEE 802.1Q trunk ports and native VLANs 2-883

IEEE 802.1Q tunnel ports

configuring 2-832

limitations 2-833

IEEE 802.1x

and switchport modes 2-833

violation error recovery 2-197

See also port-based authentication

IEEE 802.1X Port Based Authentication

enabling guest VLAN supplicant 2-149, 2-160, 2-202

IGMP filters

applying 2-254


IGMP groups, setting maximum 2-255

IGMP maximum groups, debugging B-20

IGMP profiles

creating 2-257

displaying 2-606

IGMP snooping

adding ports as a static member of a group 2-273

displaying 2-607

enabling 2-259

enabling the configurable-leave timer 2-261

enabling the Immediate-Leave feature 2-270

flooding query count 2-267

interface topology change notification behavior 2-269

querier 2-263

query solicitation 2-267

report suppression 2-265

switch topology change notification behavior 2-267

OL-26671-03

Index

images

See software images

Immediate-Leave feature, MVR 2-409

immediate-leave processing 2-270

Immediate-Leave processing, IPv6 2-304

interface configuration mode 1-2, 1-4

interface port-channel command 2-205

interface range command 2-207

interface-range macros 2-127

interfaces

assigning Ethernet interface to channel group 2-76

configuring 2-188

configuring multiple 2-207

creating port-channel logical 2-205


disabling 2-748

displaying the MAC address table 2-656

restarting 2-748

interface speed, configuring 2-808

interface vlan command 2-209

internal registers, displaying 2-537, 2-549

Internet Group Management Protocol

See IGMP

invalid GBIC



ip access-group command 2-211

ip address command 2-214

IP addresses, setting 2-214

IP address matching 2-350

ip admission command 2-216

ip admission name proxy http command 2-217

ip arp inspection filter vlan command 2-219

ip arp inspection limit command 2-221

ip arp inspection log-buffer command 2-223

ip arp inspection trust command 2-227

ip arp inspection validate command 2-229

ip arp inspection vlan command 2-231

ip arp inspection vlan logging command 2-232

OL-26671-03

ip device tracking command 2-236

ip device tracking probe command 2-234

IP DHCP snooping

See DHCP snooping

ip dhcp snooping binding command 2-238

ip dhcp snooping command 2-237

ip dhcp snooping database command 2-240

ip dhcp snooping information option allow-untrusted command 2-244

ip dhcp snooping information option command 2-242

ip dhcp snooping information option format remote-id command 2-246

ip dhcp snooping limit rate command 2-247

ip dhcp snooping trust command 2-248

ip dhcp snooping verify command 2-249

ip dhcp snooping vlan command 2-250

ip dhcp snooping vlan information option format-type circuit-id string command 2-252

ip igmp filter command 2-254

ip igmp max-groups command 2-255, 2-278, 2-280

ip igmp profile command 2-257

ip igmp snooping command 2-259

ip igmp snooping last-member-query-interval command 2-261

ip igmp snooping querier command 2-263

ip igmp snooping report-suppression command 2-265

ip igmp snooping tcn command 2-267

ip igmp snooping tcn flood command 2-269

ip igmp snooping vlan immediate-leave command 2-270

ip igmp snooping vlan mrouter command 2-271

ip igmp snooping vlan static command 2-273

IP multicast addresses 2-406

IP phones


trusting packets sent from 2-399

IP-precedence-to-DSCP map 2-373

ip source binding command 2-275

IP source guard

disabling 2-282

enabling 2-282


Index

static IP source bindings 2-275

ip ssh command 2-277

IPv6 access list, deny conditions 2-134

ipv6 access-list command 2-284

ipv6 address dhcp command 2-286

ipv6 dhcp client request vendor command 2-287

ipv6 dhcp ping packets command 2-288

ipv6 dhcp pool command 2-289

ipv6 dhcp server command 2-291

ipv6 mld snooping command 2-293

ipv6 mld snooping last-listener-query count command 2-295

ipv6 mld snooping last-listener-query-interval command 2-297

ipv6 mld snooping listener-message-suppression command 2-299

ipv6 mld snooping robustness-variable command 2-300

ipv6 mld snooping tcn command 2-302

ipv6 mld snooping vlan command 2-304

IPv6 SDM template 2-493

ipv6 traffic-filter command 2-306

ip verify source command 2-282

ip verify source smartlog command 2-283

J

jumbo frames

See MTU

L

l2protocol-tunnel command 2-308

l2protocol-tunnel cos command 2-311

LACP

See EtherChannel

lacp port-priority command 2-312

lacp system-priority command 2-314

Layer 2 mode, enabling 2-819

Layer 2 protocol-tunnel




Layer 2 protocol tunnel counters 2-95

Layer 2 protocol tunneling error recovery 2-309

Layer 2 traceroute

IP addresses 2-866

MAC addresses 2-863

Layer 3 mode, enabling 2-819

line configuration mode 1-2, 1-4

Link Aggregation Control Protocol

See EtherChannel

link flap



link-security authentication 2-28

link-security policies 2-33

link state group command 2-316

link state track command 2-318

load-distribution methods for EtherChannel 2-445

location (global configuration) command 2-319

location (interface configuration) command 2-321

logging event command 2-323

logging event power-inline-status command 2-324

logging file command 2-325

logical interface 2-205

loopback error

detection for 2-191

recovery timer 2-197

loop guard, for spanning tree 2-774, 2-778

M

mab request format attribute 1 command 2-329



mac access-group command 2-334

MAC access-groups, displaying 2-647

MAC access list configuration mode 2-336

mac access-list extended command 2-336

OL-26671-03

Index

MAC access lists 2-139

MAC addresses

disabling MAC address learning per VLAN 2-339

displaying

dynamic 2-654

notification settings 2-659

number of addresses in a VLAN 2-653

per interface 2-656

per VLAN 2-663

static 2-661

static and dynamic entries 2-648

dynamic

aging time 2-338

deleting 2-98

displaying 2-654

enabling MAC address notification 2-343

enabling MAC address-table move update 2-341

matching 2-350

static

adding and removing 2-345

displaying 2-661

dropping on an interface 2-346

MAC address notification, debugging B-25

mac address-table aging-time 2-334, 2-350

mac address-table aging-time command 2-338

mac address-table learning command 2-339

mac address-table move update command 2-341

mac address-table notification command 2-343

mac address-table static command 2-345

mac address-table static drop command 2-346

macros

interface range 2-127, 2-207

MACsec

counters 2-101, 2-544

debugging B-26

displaying 2-665

enabling 2-348

registers 2-544

macsec command 2-348

OL-26671-03

maps

QoS

defining 2-373

VLAN

creating 2-881

defining 2-350

displaying 2-739

match (access-map configuration) command 2-350

match (class-map configuration) command 2-352

maximum transmission unit

See MTU

mdix auto command 2-354

Media Access Control Security

See MACsec.

media-type (interface configuration) command 2-355

media-type rj45 (line configuration) command 2-357

member switches

See clusters

memory (boot loader) command A-13

MKA

confidentiality 2-126

debugging B-29

displaying default policy 2-667

displaying policies 2-669

displaying sessions 2-672

displaying sessions and statistics 2-678

displaying statistics 2-675

policy configuration mode 2-361

MKA, enabling 2-363

mka default policy command 2-359

mka policy global configuration command 2-361

mka policy interface configuration command 2-363

mkdir (boot loader) command A-14

MLD snooping

configuring 2-299, 2-300

configuring queries 2-295, 2-297

configuring topology change notification 2-302

displaying 2-624

enabling 2-293


Index

MLD snooping on a VLAN, enabling 2-304

mls qos aggregate-policer command 2-367

mls qos command 2-365

mls qos cos command 2-369

mls qos dscp-mutation command 2-371

mls qos map command 2-373

mls qos queue-set output buffers command 2-377

mls qos queue-set output threshold command 2-379

mls qos rewrite ip dscp command 2-381

mls qos srr-queue input bandwidth command 2-383

mls qos srr-queue input buffers command 2-385

mls qos-srr-queue input cos-map command 2-387

mls qos srr-queue input dscp-map command 2-389

mls qos srr-queue input priority-queue command 2-391

mls qos srr-queue input threshold command 2-393

mls qos-srr-queue output cos-map command 2-395

mls qos srr-queue output dscp-map command 2-397

mls qos trust command 2-399

mls qos vlan-based command 2-401

mode, MVR 2-406

Mode button, and password recovery 2-497

modes, commands 1-1

monitor session command 2-402

more (boot loader) command A-15

MSTP

displaying 2-721

interoperability 2-111

link type 2-776

MST region

aborting changes 2-781

applying changes 2-781

configuration name 2-781

configuration revision number 2-781

current or pending display 2-781

displaying 2-721

MST configuration mode 2-781

VLANs-to-instance mapping 2-781

path cost 2-783

protocol mode 2-779


restart protocol migration process 2-111

root port

loop guard 2-774

preventing from becoming designated 2-774

restricting which can be root 2-774

root guard 2-774

root switch

affects of extended system ID 2-772

hello-time 2-786, 2-794

interval between BDPU messages 2-787

interval between hello BPDU messages 2-786, 2-794

max-age 2-787

maximum hop count before discarding BPDU 2-788

port priority for selection of 2-790

primary or secondary 2-794

switch priority 2-793

state changes

blocking to forwarding state 2-800

enabling BPDU filtering 2-764, 2-798

enabling BPDU guard 2-766, 2-798

enabling Port Fast 2-798, 2-800

forward-delay time 2-785

length of listening and learning states 2-785

rapid transition to forwarding 2-776

shutting down Port Fast-enabled ports 2-798

state information display 2-720

MTU

configuring size 2-860

displaying global setting 2-728

Multicase Listener Discovery

See MLD

multicast group address, MVR 2-409

multicast groups, MVR 2-407

Multicast Listener Discovery

See MLD

multicast router learning method 2-271

multicast router ports, configuring 2-271

OL-26671-03

Index

multicast router ports, IPv6 2-304

multicast storm control 2-816

multicast VLAN, MVR 2-406

multicast VLAN registration

See MVR

Multiple Spanning Tree Protocol

See MSTP

MVR

and address aliasing 2-407

configuring 2-406

configuring interfaces 2-409


displaying 2-694

displaying interface information 2-695

members, displaying 2-697

mvr (global configuration) command 2-406

mvr (interface configuration) command 2-409

mvr vlan group command 2-410

N

native VLANs 2-852

native VLAN tagging 2-883

Network Admission Control Software Configuration Guide 2-216, 2-218

network-policy (global configuration) command 2-413

network-policy command 2-412

network-policy profile (network-policy configuration) command 2-414

nmsp attachment suppress command 2-417

nmsp command 2-416

no authentication logging verbose 2-418

no dot1x logging verbose 2-419

no mab logging verbose 2-420

nonegotiate, speed 2-808

nonegotiating DTP messaging 2-837

non-IP protocols

denying 2-139

forwarding 2-435

OL-26671-03

non-IP traffic access lists 2-336

non-IP traffic forwarding

denying 2-139

permitting 2-435

normal-range VLANs 2-876

no vlan command 2-876

O

online diagnostics

displaying

configured boot-up coverage level 2-553

current scheduled tasks 2-553

event logs 2-553

supported test suites 2-553

test ID 2-553

test results 2-553

test statistics 2-553

global configuration mode

clearing health monitoring diagnostic test schedule 2-90

clearing test-based testing schedule 2-144

setting health monitoring diagnostic testing 2-90

setting test-based testing 2-144

setting up health monitoring diagnostic test schedule 2-90

setting up test-based testing 2-144

health monitoring diagnostic tests, configuring 2-142

scheduled switchover

disabling 2-144

enabling 2-144

scheduling

enabling 2-144

removing 2-144

testing, starting 2-146

test interval, setting 2-144


Index

P

PAgP

See EtherChannel

pagp learn-method command 2-421

pagp port-priority command 2-423

password, VTP 2-892

password-recovery mechanism, enabling and disabling 2-497

permit (ARP access-list configuration) command 2-427

permit (IPv6) command 2-429

permit (MAC access-list configuration) command 2-435

per-VLAN spanning-tree plus

See STP

physical-port learner 2-421

PIM-DVMRP, as multicast router learning method 2-271

PoE

configuring the power budget 2-449

configuring the power management mode 2-446

displaying controller register values 2-547

displaying power management information 2-708

logging of status 2-324

monitoring power 2-452

policing power consumption 2-452

police aggregate command 2-440

police command 2-438

policed-DSCP map 2-373

policy-map command 2-442

policy maps

applying to an interface 2-499, 2-504

creating 2-442

hierarchical 2-443

policers

displaying 2-682

for a single class 2-438

for multiple classes 2-367, 2-440


traffic classification

defining the class 2-81


defining trust states 2-868

setting DSCP or IP precedence values 2-502

Port Aggregation Protocol

See EtherChannel

port-based authentication

AAA method list 2-3

configuring violation modes 2-187


enabling IEEE 802.1x

globally 2-147

per interface 2-174

guest VLAN 2-161

host modes 2-164

IEEE 802.1x AAA accounting methods 2-1

initialize an interface 2-166, 2-183

MAC authentication bypass 2-167

manual control of authorization state 2-174

PAE as authenticator 2-173

periodic re-authentication

enabling 2-178

time between attempts 2-184

quiet period between failed authentication exchanges 2-184

re-authenticating IEEE 802.1x-enabled ports 2-176

resetting configurable IEEE 802.1x parameters 2-159

switch-to-authentication server retransmission time 2-184

switch-to-client frame-retransmission number 2-169 to 2-171

switch-to-client retransmission time 2-184

test for IEEE 802.1x readiness 2-182

port-channel load-balance command 2-445

Port Fast, for spanning tree 2-800

port ranges, defining 2-127

ports, debugging B-77

ports, protected 2-850

port security

aging 2-844


enabling 2-839

OL-26671-03

Index

violation error recovery 2-197

port trust states for QoS 2-399

port types, MVR 2-409

power information, displaying 2-566

power inline command 2-446

power inline consumption command 2-449

power inline four-pair forced command 2-451

power inline police command 2-452

Power over Ethernet

See PoE

power rps command (user EXEC) 2-455

priority-queue command 2-457

private-vlan command 2-459

private-vlan mapping command 2-462

private VLANs

association 2-848

configuring 2-459

configuring ports 2-835

displaying 2-734

host ports 2-835

mapping

configuring 2-848

displaying 2-579

promiscuous ports 2-835

privileged EXEC mode 1-2, 1-3

promiscuous ports, private VLANs 2-835

protected ports, displaying 2-584

pruning

VLANs 2-852

VTP

displaying interface information 2-579

enabling 2-892

pruning-eligible VLAN list 2-854

psp 2-464

psp command 2-464

PVST+

See STP

OL-26671-03

Q

QoS

auto-QoS

configuring 2-59


auto-QoS trust

configuring 2-53

auto-QoS video

configuring 2-56

class maps

creating 2-84

defining the match criteria 2-352

displaying 2-528

defining the CoS value for an incoming packet 2-369

displaying configuration information 2-681

DSCP transparency 2-381

DSCP trusted ports

applying DSCP-to-DSCP-mutation map to 2-371

defining DSCP-to-DSCP-mutation map 2-373

egress queues

allocating buffers 2-377

defining the CoS output queue threshold map 2-395

defining the DSCP output queue threshold map 2-397

displaying buffer allocations 2-684

displaying CoS output queue threshold map 2-687

displaying DSCP output queue threshold map 2-687

displaying queueing strategy 2-684

displaying queue-set settings 2-690

enabling bandwidth shaping and scheduling 2-812

enabling bandwidth sharing and scheduling 2-814

limiting the maximum output on a port 2-810

mapping a port to a queue-set 2-465

mapping CoS values to a queue and threshold 2-395


Index

mapping DSCP values to a queue and threshold 2-397

setting maximum and reserved memory allocations 2-379

setting WTD thresholds 2-379

enabling 2-365

ingress queues

allocating buffers 2-385

assigning SRR scheduling weights 2-383

defining the CoS input queue threshold map 2-387

defining the DSCP input queue threshold map 2-389

displaying buffer allocations 2-684

displaying CoS input queue threshold map 2-687

displaying DSCP input queue threshold map 2-687

displaying queueing strategy 2-684

displaying settings for 2-683

enabling the priority queue 2-391

mapping CoS values to a queue and threshold 2-387

mapping DSCP values to a queue and threshold 2-389

setting WTD thresholds 2-393

maps

defining 2-373, 2-387, 2-389, 2-395, 2-397

policy maps

applying an aggregate policer 2-440

applying to an interface 2-499, 2-504

creating 2-442

defining policers 2-367, 2-438

displaying policers 2-682

hierarchical 2-443


setting DSCP or IP precedence values 2-502

traffic classifications 2-81

trust states 2-868

port trust states 2-399

queues, enabling the expedite 2-457

statistics


in-profile and out-of-profile packets 2-684

packets enqueued or dropped 2-684

sent and received CoS values 2-684

sent and received DSCP values 2-684

trusted boundary for IP phones 2-399

VLAN-based 2-401

quality of service

See QoS

querytime, MVR 2-406

queue-set command 2-465

R

radius-server dead-criteria command 2-466

radius-server host command 2-468

rapid per-VLAN spanning-tree plus

See STP

rapid PVST+

See STP

rcommand command 2-470

re-authenticating IEEE 802.1x-enabled ports 2-176

re-authentication

periodic 2-178

time between attempts 2-184

receiver ports, MVR 2-409

receiving flow-control packets 2-203

recovery mechanism

causes 2-197

display 2-89, 2-524, 2-568, 2-571

timer interval 2-198

redundancy for cluster switches 2-123

redundant power supply

See RPS

remote-span command 2-472

Remote Switched Port Analyzer

See RSPAN

rename (boot loader) command A-16

renew ip dhcp snooping database command 2-474

rep admin vlan command 2-476

OL-26671-03

Index

rep block port command 2-477

replay protection, MACsec 2-490

replay-protection window-size command 2-490

rep lsl-age-timer command 2-481

rep preempt delay command 2-482

rep preempt segment command 2-484

rep segment command 2-485

rep stcn command 2-488

reset (boot loader) command A-17

restricted VLAN


rmdir (boot loader) command A-18

rmon collection stats command 2-492

root guard, for spanning tree 2-774

routed ports

IP addresses on 2-215

number supported 2-215

RPS 2300

configuring 2-455

managing 2-455

RSPAN

configuring 2-402

filter RSPAN traffic 2-402

remote-span command 2-472

S

scheduled switchover

disabling 2-144

enabling 2-144

sdm prefer command 2-493

SDM templates

allowed resources 2-494

displaying 2-716

dual IPv4 and IPv6 2-493

secure ports, limitations 2-841

sending flow-control packets 2-203

service password-recovery command 2-497

service-policy command 2-499

OL-26671-03

set (boot loader) command A-19

set command 2-502

setup command 2-504

setup express command 2-507

show access-lists command 2-509

show archive status command 2-512

show arp access-list command 2-513

show authentication command 2-514

show auto qos command 2-518

show boot command 2-522

show cable-diagnostics tdr command 2-524

show cisp command 2-527

show class-map command 2-528

show cluster candidates command 2-531

show cluster command 2-529

show cluster members command 2-533

show controllers cpu-interface command 2-535

show controllers ethernet-controller command 2-537

show controllers ethernet phy macsec command 2-544

show controllers power inline command 2-547

show controllers tcam command 2-549

show controller utilization command 2-551

show dot1q-tunnel command 2-556

show dot1x command 2-557

show dtp 2-561

show eap command 2-563

show env command 2-566

show errdisable detect command 2-568

show errdisable flap-values command 2-570

show errdisable recovery command 2-571

show etherchannel command 2-573

show fallback profile command 2-576

show flowcontrol command 2-577

show interface rep command 2-591

show interfaces command 2-579

show interfaces counters command 2-589

show inventory command 2-593

show ip arp inspection command 2-594

show ipc command 2-618


Index

show ip dhcp snooping binding command 2-599

show ip dhcp snooping command 2-598

show ip dhcp snooping database command 2-601, 2-603

show ip igmp profile command 2-606

show ip igmp snooping command 2-607, 2-624

show ip igmp snooping groups command 2-610

show ip igmp snooping mrouter command 2-612

show ip igmp snooping querier command 2-613

show ip source binding command 2-615

show ipv6 access-list command 2-621

show ipv6 dhcp conflict command 2-623

show ipv6 route updated 2-632

show ip verify source command 2-616

show l2protocol-tunnel command 2-634

show lacp command 2-636

show link state group command 2-640

show mac access-group command 2-647

show mac address-table address command 2-650

show mac address-table aging time command 2-651

show mac address-table command 2-648

show mac address-table count command 2-653

show mac address-table dynamic command 2-654

show mac address-table interface command 2-656

show mac address-table move update command 2-658

show mac address-table notification command 2-100, 2-659, B-28

show mac address-table static command 2-661

show mac address-table vlan command 2-663

show macsec command 2-665

show mka default-policy command 2-667

show mka policy command 2-669

show mka session command 2-672

show mka statistics command 2-675

show mka summary command 2-678

show mls qos aggregate-policer command 2-682

show mls qos command 2-681

show mls qos input-queue command 2-683

show mls qos interface command 2-684

show mls qos maps command 2-687


show mls qos queue-set command 2-690

show mls qos vlan command 2-691

show monitor command 2-692

show mvr command 2-694

show mvr interface command 2-695

show mvr members command 2-697

show network-policy profile command 2-699

show nmsp command 2-700

show pagp command 2-703

show platform acl command C-2

show platform backup interface command C-3

show platform configuration command C-4

show platform etherchannel command C-5

show platform forward command C-6

show platform frontend-controller command C-8

show platform igmp snooping command C-9

show platform ip multicast command C-10

show platform ip unicast command C-11

show platform ipv6 unicast command C-15

show platform ip wccp command C-14

show platform layer4op command C-17

show platform mac-address-table command C-18

show platform messaging command C-19

show platform monitor command C-20

show platform mvr table command C-21

show platform pm command C-22

show platform port-asic command C-23

show platform port-security command C-27

show platform qos command C-28

show platform resource-manager command C-29

show platform snmp counters command C-31

show platform spanning-tree command C-32

show platform stp-instance command C-33

show platform tcam command C-34

show platform vlan command C-37

show policy-map command 2-705

show port security command 2-706

show power inline command 2-708

show psp config 2-712

OL-26671-03

Index

show psp config command 2-712

show psp statistics 2-713

show psp statistics command 2-713

show rep topology command 2-714

show sdm prefer command 2-716

show setup express command 2-719

show spanning-tree command 2-720

show storm-control command 2-726

show system mtu command 2-728

show trust command 2-868

show udld command 2-729

show version command 2-732

show vlan access-map command 2-739

show vlan command 2-734

show vlan command, fields 2-736

show vlan filter command 2-740

show vmps command 2-741

show vtp command 2-743

shutdown command 2-748

shutdown threshold, Layer 2 protocol tunneling 2-308

shutdown vlan command 2-749

small violation-rate command 2-750

SNMP host, specifying 2-757

SNMP informs, enabling the sending of 2-752

snmp-server enable traps command 2-752

snmp-server host command 2-757

snmp trap mac-notification change command 2-761

SNMP traps

enabling MAC address notification trap 2-761

enabling the MAC address notification feature 2-343

enabling the sending of 2-752

SoftPhone

See Cisco SoftPhone

software images

deleting 2-129

downloading 2-10

upgrading 2-10

uploading 2-16

software version, displaying 2-732

OL-26671-03

source ports, MVR 2-409

SPAN

configuring 2-402


filter SPAN traffic 2-402

sessions

add interfaces to 2-402

start new 2-402

spanning-tree backbonefast command 2-763

spanning-tree bpdufilter command 2-764

spanning-tree bpduguard command 2-766

spanning-tree cost command 2-768

spanning-tree etherchannel command 2-770

spanning-tree extend system-id command 2-772

spanning-tree guard command 2-774

spanning-tree link-type command 2-776

spanning-tree loopguard default command 2-778

spanning-tree mode command 2-779

spanning-tree mst configuration command 2-781

spanning-tree mst cost command 2-783

spanning-tree mst forward-time command 2-785

spanning-tree mst hello-time command 2-786

spanning-tree mst max-age command 2-787

spanning-tree mst max-hops command 2-788

spanning-tree mst port-priority command 2-790

spanning-tree mst pre-standard command 2-792

spanning-tree mst priority command 2-793

spanning-tree mst root command 2-794

spanning-tree portfast (global configuration) command 2-798

spanning-tree portfast (interface configuration) command 2-800

spanning-tree port-priority command 2-796

Spanning Tree Protocol

See STP

spanning-tree transmit hold-count command 2-802

spanning-tree uplinkfast command 2-803

spanning-tree vlan command 2-805

speed command 2-808


Index

srr-queue bandwidth limit command 2-810

srr-queue bandwidth share command 2-814

SSH, configuring version 2-277

static-access ports, configuring 2-821

statistics, Ethernet group 2-492

sticky learning, enabling 2-839

storm-control command 2-816

STP

BackboneFast 2-763

counters, clearing 2-110

debug messages, display

BackboneFast events B-83

MSTP B-86

optimized BPDUs handling B-85

spanning-tree activity B-81

switch shim B-88

transmitted and received BPDUs B-84

UplinkFast B-90

detection of indirect link failures 2-763

enabling protocol tunneling for 2-308

EtherChannel misconfiguration 2-770

extended system ID 2-772

path cost 2-768

protocol modes 2-779

root port

accelerating choice of new 2-803

loop guard 2-774

preventing from becoming designated 2-774

restricting which can be root 2-774

root guard 2-774

UplinkFast 2-803

root switch

affects of extended system ID 2-772, 2-806

hello-time 2-805

interval between BDPU messages 2-805

interval between hello BPDU messages 2-805

max-age 2-805

port priority for selection of 2-796

primary or secondary 2-805


switch priority 2-805

state changes

blocking to forwarding state 2-800

enabling BPDU filtering 2-764, 2-798

enabling BPDU guard 2-766, 2-798

enabling Port Fast 2-798, 2-800

enabling timer to recover from error state 2-197

forward-delay time 2-805

length of listening and learning states 2-805

shutting down Port Fast-enabled ports 2-798

state information display 2-720

VLAN options 2-793, 2-805

SVIs, creating 2-209

SVI status calculation 2-823

Switched Port Analyzer

See SPAN

switching characteristics

modifying 2-819

returning to interfaces 2-819

switchport access command 2-821

switchport autostate exclude command 2-823

switchport backup interface command 2-825

switchport block command 2-829

switchport command 2-819

switchport host command 2-831

switchport mode command 2-832

switchport mode private-vlan command 2-835

switchport nonegotiate command 2-837

switchport port-security aging command 2-844

switchport port-security command 2-839

switchport priority extend command 2-846

switchport private-vlan command 2-848

switchport protected command 2-850

switchports, displaying 2-579

switchport trunk command 2-852

switchport voice vlan command 2-855, 2-856

system env temperature threshold yellow command 2-858

system message logging 2-324

system message logging, save message to flash 2-325

OL-26671-03

Index

system mtu command 2-860

system resource templates 2-493

T

tar files, creating, listing, and extracting 2-13

TDR, running 2-862

Telnet, using to communicate to cluster switches 2-470

temperature information, displaying 2-566

templates, system resources 2-493

test cable-diagnostics tdr command 2-862

traceroute mac command 2-863

traceroute mac ip command 2-866

trunking, VLAN mode 2-832

trunk mode 2-832

trunk ports 2-832

trunks, to non-DTP device 2-833

trusted boundary for QoS 2-399

trusted port states for QoS 2-399

tunnel ports, Layer 2 protocol, displaying 2-634

type (boot loader) command A-22

U

UDLD

aggressive mode 2-870, 2-872


enable globally 2-870

enable per interface 2-872


message timer 2-870

normal mode 2-870, 2-872

reset a shutdown interface 2-874

status 2-729

udld command 2-870

udld port command 2-872

udld reset command 2-874

unicast storm control 2-816

OL-26671-03

UniDirectional Link Detection

See UDLD

unknown multicast traffic, preventing 2-829

unknown unicast traffic, preventing 2-829

unset (boot loader) command A-23

upgrading

software images

downloading 2-10

monitoring status of 2-512

UplinkFast, for STP 2-803

usb-inactivity-timeout (console configuration) command 2-875

user EXEC mode 1-2

V

version (boot loader) command A-25

vlan (global configuration) command 2-876

vlan access-map command 2-881

VLAN access map configuration mode 2-881

VLAN access maps

actions 2-6

displaying 2-739

VLAN-based QoS 2-401

VLAN configuration

rules 2-879

saving 2-876

VLAN configuration mode

description 1-4

summary 1-2

vlan dot1q tag native command 2-883

vlan filter command 2-884

VLAN filters, displaying 2-740

VLAN ID range 2-876

VLAN maps

applying 2-884

creating 2-881

defining 2-350

displaying 2-739


Index

VLAN Query Protocol

See VQP

VLANs

adding 2-876

configuring 2-876

debug messages, display

ISL B-94

VLAN IOS file system error tests B-93

VLAN manager activity B-91

VTP B-95

displaying configurations 2-734

enabling guest VLAN supplicant 2-149, 2-160, 2-202

extended-range 2-876

MAC addresses

displaying 2-663

number of 2-653

media types 2-879

normal-range 2-876

private 2-835

configuring 2-459

displaying 2-734

See also private VLANs

restarting 2-749

saving the configuration 2-876

shutting down 2-749

SNMP traps for VTP 2-754, 2-758

suspending 2-749

VLAN Trunking Protocol

See VTP

VMPS

configuring servers 2-889

displaying 2-741


reconfirming dynamic VLAN assignments 2-886

vmps reconfirm (global configuration) command 2-887

vmps reconfirm (privileged EXEC) command 2-886

vmps retry command 2-888

vmps server command 2-889

voice VLAN


configuring 2-855, 2-856

setting port priority 2-846

VQP

and dynamic-access ports 2-822

clearing client statistics 2-112

displaying information 2-741

per-server retry count 2-888

reconfirmation interval 2-887

reconfirming dynamic VLAN assignments 2-886

VTP

changing characteristics 2-891

clearing pruning counters 2-113

configuring

domain name 2-891

file name 2-891

mode 2-891

password 2-892

counters display fields 2-744

displaying information 2-743

enabling

pruning 2-892

tunneling for 2-308

Version 2 2-892

enabling per port 2-896

mode 2-891

pruning 2-892

saving the configuration 2-876

statistics 2-743

status 2-743

status display fields 2-746

vtp (global configuration) command 2-891

vtp interface configuration) command 2-896

vtp primary command 2-897

OL-26671-03

Preface

AudienceThis guide is for the networking professional using the Cisco IOS command-line interface (CLI) to manage the Catalyst 3560 and 3560-C switch, hereafter referred to as the switch. Before using this guide, you should have experience working with the Cisco IOS commands and the switch software features. Before using this guide, you should have experience working with the concepts and terminology of Ethernet and local area networking.

Purpose The Catalyst 3560 and 3560-C switch is supported by either the IP base image or the IP services image. The IP base image provides Layer 2+ features including access control lists (ACLs), quality of service (QoS), static routing, and the Routing Information Protocol (RIP). The IP services image provides a richer set of enterprise-class features. It includes Layer 2+ features and full Layer 3 routing (IP unicast routing, IP multicast routing, and fallback bridging). To distinguish it from the Layer 2+ static routing and RIP, the IP services image includes protocols such as the Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF) Protocol.

This guide provides the information that you need about the Layer 2 and Layer 3 commands that have been created or changed for use with the Catalyst 3560 and 3560-C switches. For information about the standard Cisco IOS Release 15.0 commands, see the Cisco IOS documentation set available on Cisco.com.

This guide does not provide procedures for configuring your switch. For detailed configuration procedures, see the software configuration guide for this release.

This guide does not describe system messages you might encounter. For more information, see the system message guide for this release.

For documentation updates, see the release notes for this release.

xxiCatalyst 3560 Switch Command Reference

OL-26671-03

Preface

ConventionsThis publication uses these conventions to convey instructions and information:

Command descriptions use these conventions:

• Commands and keywords are in boldface text.

• Arguments for which you supply values are in italic.

• Square brackets ([ ]) means optional elements.

• Braces ({}) group required choices, and vertical bars ( | ) separate the alternative elements.

• Braces and vertical bars within square brackets ([{ | }]) mean a required choice within an optional element.

Interactive examples use these conventions:

• Terminal sessions and system displays are in screen font.

• Information you enter is in boldface screen font.

• Nonprinting characters, such as passwords or tabs, are in angle brackets (< >).

Notes, cautions, and warnings use these conventions and symbols:

Note Means reader take note. Notes contain helpful suggestions or references to materials not contained in this manual.

Caution Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Filtering show Command Output The show commands have optional output modifiers to filter the command output.

• | begin—Display begins with the line that matches the expression.

• | exclude—Display excludes with the line that matches the expression.

• | include—Display includes with the line that matches the expression.

• expression—Expression in the output to use as a reference point.

Expressions are case sensitive. If you enter | exclude output, the lines that contain output are not displayed, but the lines that contain Output are displayed.

xxiiCatalyst 3560 Switch Command Reference

OL-26671-03

Preface

Related PublicationsThese documents provide complete information about the switch and are available from this Cisco.com site:http://www.cisco.com/en/US/products/hw/switches/ps5528/tsd_products_support_series_home.html

Note Before installing, configuring, or upgrading the switch, see these documents:

• For initial configuration information, see the “Using Express Setup” section in the getting started guide or the “Configuring the Switch with the CLI-Based Setup Program” appendix in the hardware installation guide.

• For device manager requirements, see the “System Requirements” section in the release notes (not orderable but available on Cisco.com).

• For Network Assistant requirements, see the Getting Started with Cisco Network Assistant (not orderable but available on Cisco.com).

• For cluster requirements, see the Release Notes for Cisco Network Assistant (not orderable but available on Cisco.com).

• For upgrade information, see the “Downloading Software” section in the release notes.

See these documents for other information about the switches:

• Release Notes for the Catalyst 3750, 3560, 3560-C, 2960, 2960-S, and 2960- C Switches

• Catalyst 3560 and 3560-C Switch Software Configuration Guide

• Catalyst 3560 and 3560-C Switch Command Reference

• Device manager online help (available on the switch)

• Catalyst 3560 Switch Hardware Installation Guide

• Catalyst 3560-C and 2960-C Switch Hardware Installation Guide

• Catalyst 3560 Switch Getting Started Guide

• Catalyst 3560-C and 2960-C Switch Getting Started Guide

• Regulatory Compliance and Safety Information for the Catalyst 3560 Switch

• Regulatory Compliance and Safety Information for the Catalyst 3560-C and 2960-C Switch

• Catalyst 3750, 3560, 2960, and 2960-S Switch System Message Guide

• Auto Smartports Configuration Guide

• Call Home Configuration Guide

• Cisco EnergyWise Configuration Guide

• Smart Install Configuration Guide

• Release Notes for Cisco Network Assistant

• Getting Started with Cisco Network Assistant

• Cisco RPS 300 Redundant Power System Hardware Installation Guide

• Cisco RPS 675 Redundant Power System Hardware Installation Guide

• Cisco Redundant Power System 2300 Hardware Installation Guide

xxiiiCatalyst 3560 Switch Command Reference

OL-26671-03

http://www.cisco.com/en/US/products/hw/switches/ps5528/tsd_products_support_series_home.html

Preface

• For more information about the Network Admission Control (NAC) features, see the Network Admission Control Software Configuration Guide.

• Information about Cisco SFP, SFP+, and GBIC modules is available from this Cisco.com site:http://www.cisco.com/en/US/products/hw/modules/ps5455/prod_installation_guides_list.html

These SFP compatibility matrix documents are available from this Cisco.com site:http://www.cisco.com/en/US/products/hw/modules/ps5455/products_device_support_tables_list.html

Obtaining Documentation and Submitting a Service RequestFor information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation:http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.

xxivCatalyst 3560 Switch Command Reference

OL-26671-03

http://www.cisco.com/en/US/products/hw/modules/ps5455/prod_installation_guides_list.htmlhttp://www.cisco.com/en/US/products/hw/modules/ps5455/products_device_support_tables_list.htmlhttp://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

OL-26671-03

C H A P T E R 1

Using the Command-Line Interface

The Catalyst 3560 and 3560-C switch is supported by Cisco IOS software. This chapter describes how to use the switch command-line interface (CLI) to configure software features.

• For a complete description of the commands that support these features, see Chapter 2, “Catalyst 3560 and 3560-C Switch Cisco IOS Commands.”

• For information on the bootloader commands, see Appendix A, “Catalyst 3560 and 3560-CSwitch Bootloader Commands.”

• For information on the debug commands, see Appendix B, “Catalyst 3560 and 3560-C Switch Debug Commands.”

• For information on the show platform commands, see Appendix C, “Catalyst 3560 and 3560- Switch Show Platform Commands.”

• For more information on Cisco IOS Release 12.2, see the Cisco IOS Release 12.2 Command Summary.

• For task-oriented configuration steps, see the software configuration guide for this release.

In this document, IP refers to IP version 4 (IPv4) unless there is a specific reference to IP version 6 (IPv6).

CLI Command ModesThis section describes the CLI command mode structure. Command modes support specific Cisco IOS commands. For example, the interface interface-id command only works when entered in global configuration mode.

These are the main command modes for the switch:

• User EXEC

• Privileged EXEC

• Global configuration

• Interface configuration

• VLAN configuration

• Line configuration

1-1Catalyst 3560 Switch Command Reference

Chapter 1 Using the Command-Line InterfaceCLI Command Modes

Table 1-1 lists the main command modes, how to access each mode, the prompt you see in that mode, and how to exit that mode. The prompts listed use the default name Switch.

User EXEC Mode After you access the device, you are automatically in user EXEC command mode. The EXEC commands available at the user level are a subset of those available at the privileged level. In general, use the user EXEC commands to temporarily change terminal settings, perform basic tests, and list system information.

The supported commands can vary depending on the version of software in use. To display a comprehensive list of commands, enter a question mark (?) at the prompt.

Switch> ?

Table 1-1 Command Modes Summary

Command Mode Access Method Prompt Exit or Access Next Mode

User EXEC This is the first level of access.

(For the switch) Change terminal settings, perform basic tasks, and list system information.

Switch> Enter the logout command.

To enter privileged EXEC mode, enter the enable command.

Privileged EXEC From user EXEC mode, enter the enable command.

Switch# To exit to user EXEC mode, enter the disable command.

To enter global configuration mode, enter the configure command.

Global configuration

From privileged EXEC mode, enter the configure command.

Switch(config)# To exit to privileged EXEC mode, enter the exit or end command, or press Ctrl-Z.

To enter interface configuration mode, enter the interface configuration command.

Interface configuration

From global configuration mode, specify an interface by entering the interface command followed by an interface identification.

Switch(config-if)# To exit to privileged EXEC mode, enter the end command, or press Ctrl-Z.

To exit to global configuration mode, enter the exit command.

VLAN configuration

In global configuration mode, enter the vlan vlan-id command.

Switch(config-vlan)# To exit to global configuration mode, enter the exit command.

To return to privileged EXEC mode, enter the end command, or press Ctrl-Z.

Line configuration From global configuration mode, specify a line by entering the line command.

Switch(config-line)# To exit to global configuration mode, enter the exit command.

To return to privileged EXEC mode, enter the end command, or press Ctrl-Z.


OL-26671-03


Privileged EXEC ModeBecause many of the privileged commands configure operating parameters, privileged access should be password-protected to prevent unauthorized use. The privileged command set includes those commands contained in user EXEC mode, as well as the configure privileged EXEC command through which you access the remaining command modes.

If your system administrator has set a password, you are prompted to enter it before being granted access to privileged EXEC mode. The password does not appear on the screen and is case sensitive.

The privileged EXEC mode prompt is the device name followed by the pound sign (#).

Switch#

Enter the enable command to access privileged EXEC mode:

Switch> enable Switch#


Switch# ?

To return to user EXEC mode, enter the disable privileged EXEC command.

Global Configuration ModeGlobal configuration commands apply to features that affect the device as a whole. Use the configure privileged EXEC command to enter global configuration mode. The default is to enter commands from the management console.

When you enter the configure command, a message prompts you for the source of the configuration commands:

Switch# configure Configuring from terminal, memory, or network [terminal]?

You can specify either the terminal or NVRAM as the source of configuration commands.

This example shows you how to access global configuration mode:

Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z.


Switch(config)# ?

To exit global configuration command mode and to return to privileged EXEC mode, enter the end or exit command, or press Ctrl-Z.


OL-26671-03


Interface Configuration ModeInterface configuration commands modify the operation of the interface. Interface configuration commands always follow a global configuration command, which defines the interface type.

Use the interface interface-id command to access interface configuration mode. The new prompt means interface configuration mode.

Switch(config-if)#


Switch(config-if)# ?

To exit interface configuration mode and to return to global configuration mode, enter the exit command. To exit interface configuration mode and to return to privileged EXEC mode, enter the end command, or press Ctrl-Z.

VLAN Configuration ModeUse this mode to configure normal-range VLANs (VLAN IDs 1 to 1005) or, when VTP mode is transparent, to configure extended-range VLANs (VLAN IDs 1006 to 4094). When VTP mode is transparent, the VLAN and VTP configuration is saved in the running configuration file, and you can save it to the switch startup configuration file by using the copy running-config startup-config privileged EXEC command. The configurations of VLAN IDs 1 to 1005 are saved in the VLAN database if VTP is in transparent or server mode. The extended-range VLAN configurations are not saved in the VLAN database.

Enter the vlan vlan-id global configuration command to access config-vlan mode:

Switch(config)# vlan 2000Switch(config-vlan)#

The supported keywords can vary but are similar to the commands available in VLAN configuration mode. To display a comprehensive list of commands, enter a question mark (?) at the prompt.

Switch(config-vlan)# ?

For extended-range VLANs, all characteristics except the MTU size must remain at the default setting.

To return to global configuration mode, enter exit; to return to privileged EXEC mode, enter end. All the commands except shutdown take effect when you exit config-vlan mode.

Line Configuration ModeLine configuration commands modify the operation of a terminal line. Line configuration commands always follow a line command, which defines a line number. Use these commands to change terminal parameter settings line-by-line or for a range of lines.

Use the line vty line_number [ending_line_number] command to enter line configuration mode. The new prompt means line configuration mode. The following example shows how to enter line configuration mode for virtual terminal line 7:

Switch(config)# line vty 0 7


OL-26671-03



Switch(config-line)# ?

To exit line configuration mode and to return to global configuration mode, use the exit command. To exit line configuration mode and to return to privileged EXEC mode, enter the end command, or press Ctrl-Z.


OL-26671-03

OL-26671-03

C H A P T E R 2

Catalyst 3560 and 3560-C Switch Cisco IOS Commands

aaa accounting dot1xUse the aaa accounting dot1x global configuration command to enable authentication, authorization, and accounting (AAA) accounting and to create method lists defining specific accounting methods on a per-line or per-interface basis for IEEE 802.1x sessions. Use the no form of this command to disable IEEE 802.1x accounting.

aaa accounting dot1x {name | default} start-stop {broadcast group {name | radius | tacacs+} [group {name | radius | tacacs+}...] | group {name | radius | tacacs+} [group {name | radius | tacacs+}...]}

no aaa accounting dot1x {name | default}

Syntax Description name Name of a server group. This is optional when you enter it after the broadcast group and group keywords.

default Use the accounting methods that follow as the default list for accounting services.

start-stop Send a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process. The start accounting record is sent in the background. The requested-user process begins regardless of whether or not the start accounting notice was received by the accounting server.

broadcast Enable accounting records to be sent to multiple AAA servers and send accounting records to the first server in each group. If the first server is unavailable, the switch uses the list of backup servers to identify the first server.

group Specify the server group to be used for accounting services. These are valid server group names:

• name—Name of a server group.

• radius—List of all RADIUS hosts.

• tacacs+—List of all TACACS+ hosts.

The group keyword is optional when you enter it after the broadcast group and group keywords. You can enter more than optional group keyword.


Chapter 2 Catalyst 3560 and 3560-C Switch Cisco IOS Commandsaaa accounting dot1x

Defaults AAA accounting is disabled.

Command Modes Global configuration

Command History

Usage Guidelines This command requires access to a RADIUS server.

We recommend that you enter the dot1x reauthentication interface configuration command before configuring IEEE 802.1x RADIUS accounting on an interface.

Examples This example shows how to configure IEEE 802.1x accounting:

Switch(config)# aaa new-modelSwitch(config)# aaa accounting dot1x default start-stop group radius

Note The RADIUS authentication server must be properly configured to accept and log update or watchdog packets from the AAA client.

Related Commands

radius (Optional) Enable RADIUS authorization.

tacacs+ (Optional) Enable TACACS+ accounting.

Release Modification

12.2(20)SE This command was introduced.

Command Description

aaa authentication dot1x

Specifies one or more AAA methods for use on interfaces running IEEE 802.1x.

aaa new-model Enables the AAA access control model.

dot1x reauthentication Enables or disables periodic reauthentication.

dot1x timeout reauth-period

Sets the number of seconds between re-authentication attempts.


OL-26671-03

Chapter 2 Catalyst 3560 and 3560-C Switch Cisco IOS Commandsaaa authentication dot1x

aaa authentication dot1xUse the aaa authentication dot1x global configuration command to specify the authentication, authorization, and accounting (AAA) method to use on ports complying with the IEEE 802.1x authentication. Use the no form of this command to disable authentication.

aaa authentication dot1x {default} method1

no aaa authentication dot1x {default}

Syntax Description

Note Though other keywords are visible in the command-line help strings, only the default and group radius keywords are supported.

Defaults No authentication is performed.


Command History

Usage Guidelines The method argument identifies the method that the authentication algorithm tries in the given sequence to validate the password provided by the client. The only method that is truly IEEE 802.1x-compliant is the group radius method, in which the client data is validated against a RADIUS authentication server.

If you specify group radius, you must configure the RADIUS server by entering the radius-server host global configuration command.

Use the show running-config privileged EXEC command to display the configured lists of authentication methods.

Examples This example shows how to enable AAA and how to create an IEEE 802.1x-compliant authentication list. This authentication first tries to contact a RADIUS server. If this action returns an error, the user is not allowed access to the network.

Switch(config)# aaa new-modelSwitch(config)# aaa authentication dot1x default group radius

You can verify your settings by entering the show running-config privileged EXEC command.

default Use the listed authentication method that follows this argument as the default method when a user logs in.

method1 Enter the group radius keywords to use the list of all RADIUS servers for authentication.


12.1(19)EA1 This command was introduced.


OL-26671-03

Chapter 2 Catalyst 3560 and 3560-C Switch Cisco IOS Commandsaaa authentication dot1x

Related Commands Command Description

aaa new-model Enables the AAA access control model.

show running-config Displays the current operating configuration.


OL-26671-03

Chapter 2 Catalyst 3560 and 3560-C Switch Cisco IOS Commandsaaa authorization network

aaa authorization network Use the aaa authorization network global configuration command to the configure the switch to use user-RADIUS authorization for all network-related service requests, such as IEEE 802.1x aaa-user access control lists (ACLs) or VLAN assignment. Use the no form of this command to disable RADIUS user authorization.

aaa authorization network default group radius

no aaa authorization network default

Syntax Description

Defaults Authorization is disabled.


Command History

Usage Guidelines Use the aaa authorization network default group radius global configuration command to allow the switch to download IEEE 802.1x authorization parameters from the RADIUS servers in the default authorization list. The authorization parameters are used by features such as per-user ACLs or VLAN assignment to get parameters from the RADIUS servers.

Use the show running-config privileged EXEC command to display the configured lists of authorization methods.

Examples This example shows how to configure the switch for user RADIUS authorization for all network-related service requests:

Switch(config)# aaa authorization network default group radius

You can verify your settings by entering the show running-config privileged EXEC command.

Related Commands

default group radius

Use the list of all RADIUS hosts in the server group as the default authorization list.



Command Description

show running-config Displays the current operating configuration.


OL-26671-03

Chapter 2 Catalyst 3560 and 3560-C Switch Cisco IOS Commandsaction

actionUse the action access-map configuration command to set the action for the VLAN access map entry. Use the no form of this command to return to the default setting.

action {drop | forward}

no action

Syntax Description

Defaults The default action is to forward packets.

Command Modes Access-map configuration

Command History

Usage Guidelines You enter access-map configuration mode by using the vlan access-map global configuration command.

If the action is drop, you should define the access map, including configuring any access control list (ACL) names in match clauses, before applying the map to a VLAN, or all packets could be dropped.

In access-map configuration mode, use the match access-map configuration command to define the match conditions for a VLAN map. Use the action command to set the action that occurs when a packet matches the conditions.

The drop and forward parameters are not used in the no form of the command.

Examples This example shows how to identify and apply a VLAN access map vmap4 to VLANs 5 and 6 that causes the VLAN to forward an IP packet if the packet matches the conditions defined in access list al2:

Switch(config)# vlan access-map vmap4Switch(config-access-map)# match ip address al2Switch(config-access-map)# action forwardSwitch(config-access-map)# exitSwitch(config)# vlan filter vmap4 vlan-list 5-6

You can verify your settings by entering the show vlan access-map privileged EXEC command.

drop Drop the packet when the specified conditions are matched.

forward Forward the packet when the specified conditions are matched.




OL-26671-03

Chapter 2 Catalyst 3560 and 3560-C Switch Cisco IOS Commandsaction

Related Commands Command Description

access-list {deny | permit} Configures a standard numbered ACL.

ip access-list Creates a named access list.

mac access-list extended Creates a named MAC address access list.

match (class-map configuration)

Defines the match conditions for a VLAN map.

show vlan access-map Displays the VLAN access maps created on the switch.

vlan access-map Creates a VLAN access map.


OL-26671-03

Chapter 2 Catalyst 3560 and 3560-C Switch Cisco IOS Commandsaccess-list

access-list To enable smart logging for a standard or extended IP access list, use the access-list command in global configuration mode with the smartlog keyword. Matches to ACL entries are logged to a NetFlow collector. To disable smart logging for the access list, use the no form of this command.

access-list access-list-number {deny | permit} source [source-wildcard] [log [word] | smartlog]

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [time-range time-range-name] [fragments] [log [word] | log-input [word] | smartlog]

Syntax Description

Defaults ACL smart logging is not enabled.


Command History

Usage Guidelines For the complete syntax description of the access-list command without the smartlog keyword, see the Cisco IOS Security Command Reference.

When an ACL is applied to an interface, packets matching the ACL are denied or permitted based on the ACL configuration. When smart logging is enabled on the switch and an ACL includes the smartlog keyword, the contents of the denied or permitted packet are sent to a Flexible NetFlow collector.

You must also enable smart logging globally by entering the logging smartlog global configuration command.

Only port ACLs (ACLs attached to Layer 2 interfaces) support smart logging. Router ACLs or VLAN ACLs do not support smart logging. Port ACLs do not support logging.

When an ACL is applied to an interface, matching packets can be either logged or smart logged, but not both.

To remove disable smart logging of an access list, enter access-list configuration mode and enter the no deny {source [source-wildcard] | host source | any} [smartlog] command or the no permit {source [source-wildcard] | host source | any} [smartlog] command.

You can verify that smart logging is enabled in an ACL by entering the show ip access list privileged EXEC command.

smartlog (Optional) Sends packet flows matching the access list to a NetFlow collector when smart logging is enabled on the switch.


12.2(58)SE The smartlog keyword was added.


OL-26671-03

Chapter 2 Catalyst 3560 and 3560-C Switch Cisco IOS Commandsaccess-list

Examples This example shows how to configure smart logging on an extended access list, ACL 101, which allows IP traffic from the host with the IP address 172.20.10.101 to any destination. When smart logging is enabled and the ACL is attached to a Layer 2 interface, copies of packets matching this criteria are sent to the NetFlow collector.

Switch(config)# acl 101 permit ip host 10.1.1.2 any smartlogSwitch(config-if)# end

Related Commands

Syntax Description

Command Modes Privileged EXEC

Command History

Command Description

logging smartlog Globally enables smart logging.

show access list

show ip access list

Displays the contents of all access lists or all IP access lists.


OL-26671-03

Chapter 2 Catalyst 3560 and 3560-C Switch Cisco IOS Commandsarchive download-sw

archive download-swUse the archive download-sw privileged EXEC command to download a new image from a TFTP server to the switch and to overwrite or keep the existing image.

archive download-sw {/allow-feature-upgrade | /directory | /force-reload | /imageonly | /leave-old-sw | /no-set-boot | /no-version-check | /overwrite | /reload | /safe} source-url

Syntax Description /allow-feature-upgrade Allow installation of an image with a different feature set (for example, upgrade from the IP base image to the IP services image).

/directory Specify a directory for the images.

/force-reload Unconditionally force a system reload after successfully downloading the software image.

/imageonly Download only the software image but not the HTML files associated with the embedded device manager. The HTML files for the existing version are deleted only if the existing version is being overwritten or removed.

/leave-old-sw Keep the old software version after a successful download.

/no-set-boot Do not alter the setting of the BOOT environment variable to point to the new software image after it is successfully downloaded.

/no-version-check Download the software image without verifying its version compatibility with the image that is running on the switch.

/overwrite Overwrite the software image in flash memory with the downloaded image.

/reload Reload the system after successfully downloading the image unless the configuration has been changed and not saved.

/safe Keep the current software image. Do not delete it to make room for the new software image before the new image is downloaded. The current image is deleted after the download.


OL-26671-03

Chapter 2 Catalyst 3560 and 3560-C Switch Cisco IOS Commandsarchive download-sw

Defaults The current software image is not overwritten with the downloaded image.

Both the software image and HTML files are downloaded.

The new image is downloaded to the flash: file system.

The BOOT environment variable is changed to point to the new software image on the flash: file system.

Image names are case sensitive; the image file is provided in tar format.

Command Modes Privileged EXEC

Command History

Usage Guidelines Use the /allow-feature-upgrade option to allow installation of an image with a different feature set, for example, upgrading from the IP base image to the IP services image.

Use the archive download-sw /directory command to specify a directory one time..

The /imageonly option removes the HTML files for the existing image if the existing image is being removed or replaced. Only the Cisco IOS image (without the

Documents

Catalyst 3560 Switch Command Reference, Cisco …...IN-1 Catalyst 3560 Switch Command Reference OL-26671-03 INDEX A aaa accounting dot1x command 2-1 aaa authentication dot1x command