CISCO Catalyst 3550CR

8/16/2019 CISCO Catalyst 3550CR

1/784

Corporate Headquarters

Cisco Systems, Inc.170 West Tasman DriveSan J ose, CA 95134-1706USAhttp://www.cisco.com

Tel: 408 526-4000800 553-NETS (6387)

Fax: 408 526-4100

Catalyst 3550 Multilayer Switch

Command Reference

Cisco IOS Release 12.2(25)SEE

February 2006

Text Part Number: OL-8566-01

http://www.cisco.com/http://www.cisco.com/


2/784

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL

STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT

WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT

SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNA BLE TO LOCATE THE SOFTWARE LICENSEOR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (U CB) as part of UCB’s public

domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH

ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT

LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF

DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY IND IRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,

WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO

OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAG ES.

CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn,

and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco

Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capit al, the Cisco Systems logo, Cisco U nity, Enterprise/Solver, EtherChannel,

EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard,LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet , PIX, Post-Routing, Pre-Routing, ProConnect,

RateMUX, ScriptShare, SlideCast, SMARTnet, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Syste ms, Inc. and/or

its affiliates in the United States and certain other countries.

All other trademarks mentioned in thi s document or Website are the property of t heir respective owners. The use of the word partner d oes not imply a partnership relationship

between Cisco and any other company. (0601R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the

document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

Catalyst 3550 Multilayer Switch Command Reference

Copyright © 2006 Cisco Systems, Inc. All rights reserved.


3/784

iii

Catalyst 3550 Multilayer Switch CommandReference

OL-8566-01

C O N T E N T S

Preface xvii

Audience xvii

Purpose xvii

Conventions xviii

Related Publications xviii

Obtaining Documentation xix

Cisco.com xix

Product Documentation DVD xx

Ordering Documentation xx

Documentation Feedback xx

Cisco Product Security Overview xx

Reporting Security Problems in Cisco Products xxi

Obtaining Technical Assistance xxi

Cisco Technical Support & Documentation Website xxii

Submitting a Service Request xxii

Definitions of Service Request Severity xxiii

Obtaining Additional Publications and Information xxiii

CHAPTER 1 Using the Command-Line Interface 1-1

Type of Memory 1-1

Platforms 1-1

CLI Command Modes 1-1

User EXEC Mode 1-3

Privileged EXEC Mode 1-3

Global Configuration Mode 1-3

Interface Configuration Mode 1-4

config-vlan Mode 1-4VLAN Configuration Mode 1-5

Line Configuration Mode 1-5

CHAPTER 2 Catalyst 3550 Switch Cisco IOS Commands 2-1

aaa accounting dot1x 2-1

aaa authentication dot1x 2-3


4/784

Contents

iv


OL-8566-01

aaa authorization network 2-5

access-list hardware program nonblocking 2-6

action 2-8

archive download-sw 2-10archive tar 2-13

archive upload-sw 2-16

arp access-list 2-18

auto qos voip 2-20

boot boothlpr 2-24

boot buffersize 2-25

boot config-file 2-26

boot enable-break 2-27

boot helper 2-28

boot helper-config-file 2-29

boot manual 2-30

boot private-config-file 2-31

boot system 2-32

channel-group 2-33

channel-protocol 2-37

class 2-39

class-map 2-41clear ip arp inspection log 2-43

clear ip arp inspection statistics 2-44

clear l2protocol-tunnel counters 2-45

clear lacp 2-46

clear mac address-table 2-47

clear pagp 2-49

clear port-security 2-50

clear spanning-tree counters 2-52

clear spanning-tree detected-protocols 2-53

clear vmps statistics 2-54

clear vtp counters 2-55

cluster commander-address 2-56

cluster discovery hop-count 2-58

cluster enable 2-59


5/784

Contents

v


OL-8566-01

cluster holdtime 2-60

cluster member 2-61

cluster outside-interface 2-63

cluster run 2-64cluster standby-group 2-65

cluster timer 2-67

define interface-range 2-68

delete 2-70

deny 2-71

deny (ARP access-list configuration) 2-74

dot1x 2-76

dot1x auth-fail max-attempts 2-78

dot1x auth-fail vlan 2-80

dot1x control-direction 2-82

dot1x critical (global configuration) 2-84

dot1x critical (interface configuration) 2-86

dot1x default 2-88

dot1x guest-vlan 2-89

dot1x host-mode 2-91

dot1x initialize 2-92

dot1x mac-auth-bypass 2-93dot1x max-reauth-req 2-95

dot1x max-req 2-96

dot1x multiple-hosts 2-97

dot1x pae 2-98

dot1x port-control 2-99

dot1x re-authenticate 2-101

dot1x re-authentication 2-102

dot1x reauthentication 2-103

dot1x timeout 2-104

duplex 2-107

errdisable detect cause 2-109

errdisable recovery 2-111

flowcontrol 2-113

interface port-channel 2-117


6/784

Contents

vi


OL-8566-01

interface range 2-119

interface vlan 2-121

ip access-group 2-123

ip address 2-125ip arp inspection filter vlan 2-127

ip arp inspection limit 2-129

ip arp inspection log-buffer 2-131

ip arp inspection trust 2-133

ip arp inspection validate 2-135

ip arp inspection vlan 2-137

ip arp inspection vlan logging 2-139

ip dhcp snooping 2-141

ip dhcp snooping binding 2-143

ip dhcp snooping database 2-145

ip dhcp snooping information option 2-148

ip dhcp snooping information option allow-untrusted 2-150

ip dhcp snooping information option format remote-id 2-152

ip dhcp snooping information option format snmp-ifindex 2-153

ip dhcp snooping limit rate 2-154

ip dhcp snooping trust 2-155

ip dhcp snooping verify 2-156ip dhcp snooping vlan 2-157

ip dhcp snooping vlan information option format-type circuit-id string 2-158

ip igmp filter 2-160

ip igmp max-groups 2-162

ip igmp profile 2-164

ip igmp snooping 2-166

ip igmp snooping last-member-query-interval 2-168

ip igmp snooping querier 2-170

ip igmp snooping report-suppression 2-172

ip igmp snooping source-only-learning age-timer 2-174

ip igmp snooping tcn 2-176

ip igmp snooping tcn flood 2-178

ip igmp snooping vlan immediate-leave 2-179

ip igmp snooping vlan mrouter 2-180


7/784

Contents

vii


OL-8566-01

ip igmp snooping vlan static 2-182

ip source binding 2-184

ip ssh 2-186

ip verify source 2-188ip vrf (global configuration) 2-189

ip vrf (interface configuration) 2-192

l2protocol-tunnel 2-194

l2protocol-tunnel cos 2-197

lacp port-priority 2-198

lacp system-priority 2-200

logging file 2-202

mac access-group 2-204

mac access-list extended 2-206

mac address-table aging-time 2-208

mac address-table notification 2-209

mac address-table static 2-211

mac address-table static drop 2-212

macro apply 2-214

macro description 2-217

macro global 2-218

macro global description 2-221macro name 2-222

match (access-map configuration) 2-224

match (class-map configuration) 2-226

mls aclmerge delay 2-229

mls qos 2-231

mls qos aggregate-policer 2-234

mls qos cos 2-236

mls qos cos policy-map 2-238

mls qos dscp-mutation 2-240

mls qos map 2-242

mls qos min-reserve 2-246

mls qos monitor 2-247

mls qos trust 2-249

monitor session 2-252


8/784

Contents

viii


OL-8566-01

mvr (global configuration) 2-256

mvr (interface configuration) 2-259

pagp learn-method 2-262

pagp port-priority 2-264permit 2-266

permit (ARP access-list configuration) 2-269

police 2-271

police aggregate 2-273

policy-map 2-275

port-channel load-balance 2-278

power inline 2-280

priority-queue 2-282

rcommand 2-283

remote-span 2-285

rmon collection stats 2-286

sdm prefer 2-287

service password-recovery 2-290

service-policy 2-293

set 2-295

setup 2-297

setup express 2-300show access-lists 2-302

show archive status 2-304

show auto qos 2-305

show boot 2-308

show class-map 2-310

show cluster 2-311

show cluster candidates 2-313

show cluster members 2-315

show controllers cpu-interface 2-317

show controllers ethernet-controller 2-319

show controllers switch 2-324

show controllers tcam 2-325

show controllers utilization 2-327

show dot1q-tunnel 2-329


9/784

Contents

ix


OL-8566-01

show dot1x 2-330

show env 2-334

show errdisable detect 2-335

show errdisable flap-values 2-337show errdisable recovery 2-339

show etherchannel 2-341

show flowcontrol 2-344

show fm 2-346

show fm interface 2-349

show fm vlan 2-351

show forward 2-352

show interfaces 2-357

show interfaces counters 2-366

show inventory 2-368

show arp access-list 2-369

show ip arp inspection 2-370

show ip dhcp snooping 2-373

show ip dhcp snooping binding 2-374

show ip dhcp snooping database 2-376

show ip igmp profile 2-378

show ip igmp snooping 2-379show ip igmp snooping groups 2-382

show ip igmp snooping mrouter 2-384

show ip igmp snooping querier 2-386

show ip source binding 2-388

show ip verify source 2-389

show l2protocol-tunnel 2-391

show l2tcam 2-394

show l3tcam 2-396

show lacp 2-398

show mac access-group 2-400

show mac address-table 2-402

show mac address-table address 2-404

show mac address-table aging-time 2-406

show mac address-table count 2-408


10/784

Contents

x


OL-8566-01

show mac address-table dynamic 2-410

show mac address-table interface 2-412

show mac address-table multicast 2-414

show mac address-table notification 2-417show mac address-table static 2-419

show mac address-table vlan 2-421

show mls qos 2-423

show mls qos aggregate-policer 2-424

show mls qos interface 2-425

show mls qos maps 2-429

show monitor 2-432

show mvr 2-434

show mvr interface 2-436

show mvr members 2-438

show pagp 2-440

show parser macro 2-442

show policy-map 2-445

show port-security 2-447

show power inline 2-450

show running-config vlan 2-452

show sdm prefer 2-454show setup express 2-456

show spanning-tree 2-457

show storm-control 2-464

show system mtu 2-466

show tcam 2-467

show tcam pbr 2-470

show tcam qos 2-472

show udld 2-474

show version 2-477

show vlan 2-479

show vlan access-map 2-483

show vlan filter 2-484

show vmps 2-485

show vtp 2-487


11/784

Contents

xi


OL-8566-01

shutdown 2-491

shutdown vlan 2-492

snmp-server enable traps 2-493

snmp-server host 2-497snmp-server ip 2-501

snmp trap mac-notification 2-503

spanning-tree backbonefast 2-505

spanning-tree bpdufilter 2-506

spanning-tree bpduguard 2-508

spanning-tree cost 2-510

spanning-tree etherchannel guard misconfig 2-512

spanning-tree extend system-id 2-514

spanning-tree guard 2-516

spanning-tree link-type 2-518

spanning-tree loopguard default 2-519

spanning-tree mode 2-521

spanning-tree mst configuration 2-523

spanning-tree mst cost 2-525

spanning-tree mst forward-time 2-527

spanning-tree mst hello-time 2-528

spanning-tree mst max-age 2-529spanning-tree mst max-hops 2-530

spanning-tree mst port-priority 2-531

spanning-tree mst pre-standard 2-533

spanning-tree mst priority 2-534

spanning-tree mst root 2-535

spanning-tree port-priority 2-537

spanning-tree portfast (global configuration) 2-539

spanning-tree portfast (interface configuration) 2-541

spanning-tree stack-port 2-543

spanning-tree transmit hold-count 2-545

spanning-tree uplinkfast 2-546

spanning-tree vlan 2-548

speed 2-551

storm-control 2-553


12/784

Contents

xii


OL-8566-01

switchcore 2-556

switchport 2-558

switchport access 2-560

switchport backup interface 2-562switchport block 2-565

switchport broadcast 2-566

switchport host 2-567

switchport mode 2-569

switchport multicast 2-572

switchport nonegotiate 2-573

switchport port-security 2-575

switchport port-security aging 2-580

switchport priority extend 2-582

switchport protected 2-584

switchport trunk 2-586

switchport unicast 2-590

switchport voice vlan 2-591

system mtu 2-593

traceroute mac 2-595

traceroute mac ip 2-598

trust 2-600udld 2-602

udld port 2-604

udld reset 2-606

vlan (global configuration) 2-607

vlan (VLAN configuration) 2-613

vlan access-map 2-619

vlan database 2-621

vlan dot1q tag native 2-625

vlan filter 2-627

vmps reconfirm (privileged EXEC) 2-629

vmps reconfirm (global configuration) 2-630

vmps retry 2-631

vmps server 2-632

vtp (global configuration) 2-634


13/784

Contents

xiii


OL-8566-01

vtp (privileged EXEC) 2-638

vtp (VLAN configuration) 2-640

wrr-queue bandwidth 2-644

wrr-queue cos-map 2-646wrr-queue dscp-map 2-648

wrr-queue min-reserve 2-650

wrr-queue queue-limit 2-651

wrr-queue random-detect max-threshold 2-653

wrr-queue threshold 2-655

APPENDIX A Catalyst 3550 Switch Boot Loader Commands A-1

boot A-2

cat A-3

copy A-4

delete A-5

dir A-6

flash_init A-8

format A-9

fsck A-10

help A-11

load_helper A-12

memory A-13

mkdir A-15

more A-16

rename A-17

reset A-18

rmdir A-19

set A-20

type A-23

unset A-24

version A-26

APPENDIX B Catalyst 3550 Switch Debug Commands B-1

debug acltcam B-2

debug auto qos B-3

debug backup B-5


14/784

Contents

xiv


OL-8566-01

debug cluster B-6

debug cpu-interface B-8

debug dot1x B-9

debug eap B-11debug etherchannel B-12

debug ethernet-controller ram-access B-13

debug fallback-bridging B-14

debug gigastack B-15

debug ilpower controller B-16

debug ilpower event B-17

debug ip dhcp snooping B-18

debug ip igmp filter B-19

debug ip igmp max-groups B-20

debug ip verify source packet B-21

debug l3multicast B-22

debug l3tcam B-23

debug l3unicast B-24

debug mac-manager B-25

debug mac-notification B-26

debug met B-27

debug mvrdbg B-28debug pagp B-29

debug pbr B-30

debug platform ip arp inspection B-31

debug pm B-32

debug port-security B-34

debug span-session B-35

debug spanning-tree B-36

debug spanning-tree backbonefast B-38

debug spanning-tree bpdu B-39

debug spanning-tree bpdu-opt B-40

debug spanning-tree mstp B-41

debug spanning-tree switch B-43

debug spanning-tree uplinkfast B-45

debug sw-vlan B-46


15/784

Contents

xv


OL-8566-01

debug sw-vlan ifs B-48

debug sw-vlan notification B-49

debug sw-vlan vtp B-51

debug udld B-53

INDEX


16/784

Contents

xvi


OL-8566-01


17/784

xvii


OL-8566-01

Preface

AudienceThis guide is for the networking professional using the Cisco IOS command-line interface (CLI) to

manage the Catalyst 3550 switch, hereafter referred to as the switch or the multilayer switch. Before

using this guide, you should have experience working with the Cisco IOS and the switch softwarefeatures. Before using this guide, you should have experience working with the Cisco IOS and be

familiar with the concepts and terminology of Ethernet and local area networking.

PurposeThe Catalyst 3550 switch is supported by either the IP base image (formerly known as the standard

multilayer image [SMI]) or the IP services image (formerly known as the enhanced multilayer image

[EMI]). The IP services image provides a richer set of enterprise-class features, including

hardware-based IP unicast and multicast routing, inter-VLAN routing, routed access control lists

(ACLs), and the Hot Standby Router Protocol (HSRP). All Catalyst 3550 Gigabit Ethernet switches are

shipped with the IP services image pre-installed. Catalyst 3550 Fast Ethernet switches are shipped witheither the IP base image or the IP services image pre-installed. After initial deployment, you can order

the upgrade kit to upgrade Catalyst 3550 Fast Ethernet switches from the IP base image to the IP services

image.

This guide provides the information you need about the Layer 2 and Layer 3 commands that have been

created or changed for use with the Catalyst 3550 family of switches. For information about the standard

Cisco IOS Release 12.2 commands, see the Cisco IOS documentation set available from the Cisco.com home

page by selecting Service and Support > Technical Documents. On the Cisco Product Documentation home

page, select Release 12.2 from the Cisco IOS Software drop-down list.

This guide does not provide procedures for configuring your switch. For detailed configuration

procedures, see the Catalyst 3550 Multilayer Switch Software Configuration Guide for this release.

This guide does not describe system messages you might encounter. For more information, see the

Catalyst 3550 Multilayer Switch System Message Guide for this release.

For documentation updates, see the release notes for this release.


18/784

xviii


OL-8566-01

Preface

Conventions

ConventionsThis publication uses these conventions to convey instructions and information:

Command descriptions use these conventions:

Commands and keywords are in boldface text.• Arguments for which you supply values are in italic.

• Square brackets ([ ]) means optional elements.

• Braces ({ }) group required choices, and vertical bars ( | ) separate the alternative elements.

• Braces and vertical bars within square brackets ([{ | }]) mean a required choice within an optional

element.

Interactive examples use these conventions:

• Terminal sessions and system displays are in screen font.

• Information you enter is in boldface screen font.

• Nonprinting characters, such as passwords or tabs, are in angle brackets (< >).

Notes, cautions, and warnings use these conventions and symbols:

Note Means reader take note. Notes contain helpful suggestions or references to materials not contained in

this manual.

Caution Means reader be careful. In this situation, you might do something that could result in equipment

damage or loss of data.

Timesaver Means the following will help you solve a problem. The tips information might not be troubleshooting

or even an action, but could be useful information.

Related PublicationsThese documents provide complete information about the switch and are available from this Cisco.com

site:

http://www.cisco.com/en/US/products/hw/switches/ps646/tsd_products_support_series_home.html

You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com site and

from the telephone numbers listed in the “Obtaining Documentation” section on page xix.• Release Notes for the Catalyst 3550 Multilayer Switch (not orderable but available on Cisco.com)

Note Switch requirements and procedures for initial configurations and software upgrades tend to change and

therefore appear only in the release notes. Before installing, configuring, or upgrading the switch, see

the release notes on Cisco.com for the latest information.

http://www.cisco.com/en/US/products/hw/switches/ps646/tsd_products_support_series_home.htmlhttp://www.cisco.com/en/US/products/hw/switches/ps646/tsd_products_support_series_home.html


19/784

xix


OL-8566-01

Preface

Obtaining Documentation

• Catalyst 3550 Multilayer Switch Software Configuration Guide (not orderable but available on

Cisco.com)

• Catalyst 3550 Multilayer Switch Command Reference (not orderable but available on Cisco.com)

• Catalyst 3750, 3560, 3550, 2970, and 2960 Switch System Message Guide (not orderable but

available on Cisco.com)

• Device manager online help (available on the switch)

• Catalyst 3550 Multilayer Switch Hardware Installation Guide (not orderable but available on

Cisco.com)

• Catalyst 3550 Multilayer Switch Getting Started Guide (order number DOC-7816575=)

• Regulatory Compliance and Safety Information for the Catalyst 3550 Multilayer (order number

DOC-7816655=)

• Getting Started with Cisco Network Assistant (not orderable but available on Cisco.com)

• 1000BASE-T Gigabit Interface Converter Installation Note (not orderable but is available on

Cisco.com)

• Catalyst GigaStack Gigabit Interface Converter Hardware Installation Guide

(order number DOC-786460=)

• Cisco Small Form-Factor Pluggable Modules Installation Notes (order number DOC-7815160=)

• Cisco CWDM GBIC and CWDM SFP Installation Note (not orderable but available on Cisco.com)

• For information about the Network Admission Control (NAC) features, see the Network Admission

Control Software Configuration Guide (not orderable but available on Cisco.com)

Obtaining DocumentationCisco documentation and additional literature are available on Cisco.com. Cisco also provides several

ways to obtain technical assistance and other technical resources. These sections explain how to obtain

technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation at this URL:

http://www.cisco.com/techsupport

You can access the Cisco website at this URL:

http://www.cisco.com

You can access international Cisco websites at this URL:

http://www.cisco.com/public/countries_languages.shtml

http://www.cisco.com/techsupporthttp://www.cisco.com/http://www.cisco.com/public/countries_languages.shtmlhttp://www.cisco.com/public/countries_languages.shtmlhttp://www.cisco.com/http://www.cisco.com/techsupport


20/784

xx


OL-8566-01

Preface

Documentation Feedback

Product Documentation DVD

The Product Documentation DVD is a comprehensive library of technical product documentation on a

portable medium. The DVD enables you to access multiple versions of installation, configuration, and

command guides for Cisco hardware and software products. With the DVD, you have access to the same

HTML documentation that is found on the Cisco website without being connected to the Internet.Certain products also have .PDF versions of the documentation available.

The Product Documentation DVD is available as a single unit or as a subscription. Registered Cisco.com

users (Cisco direct customers) can order a Product Documentation DVD (product number

DOC-DOCDVD= or DOC-DOCDVD=SUB) from Cisco Marketplace at this URL:

http://www.cisco.com/go/marketplace/

Ordering Documentation

Registered Cisco.com users may order Cisco documentation at the Product Documentation Store in the

Cisco Marketplace at this URL:


Nonregistered Cisco.com users can order technical documentation from 8:00 a.m. to 5:00 p.m.

(0800 to 1700) PDT by calling 1 866 463-3487 in the United States and Canada, or elsewhere by

calling 011 408 519-5055. You can also order documentation by e-mail at

[email protected] or by fax at 1 408 519-5001 in the United States and Canada,

or elsewhere at 011 408 519-5001.

Documentation Feedback You can rate and provide feedback about Cisco technical documents by completing the online feedback

form that appears with the technical documents on Cisco.com.

You can submit comments about Cisco documentation by using the response card (i f present) behind the

front cover of your document or by writing to the following address:

Cisco Systems

Attn: Customer Document Ordering

170 West Tasman Drive

San Jose, CA 95134-9883

We appreciate your comments.

Cisco Product Security OverviewCisco provides a free online Security Vulnerability Policy portal at this URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

From this site, you will find information about how to:

• Report security vulnerabilities in Cisco products.

• Obtain assistance with security incidents that involve Cisco products.

• Register to receive security information from Cisco.

http://www.cisco.com/go/marketplace/http://www.cisco.com/go/marketplace/mailto:[email protected]://www.cisco.com/public/countries_languages.shtmlhttp://www.cisco.com/en/US/products/products_security_vulnerability_policy.htmlhttp://www.cisco.com/en/US/products/products_security_vulnerability_policy.htmlmailto:[email protected]://www.cisco.com/go/marketplace/http://www.cisco.com/go/marketplace/http://www.cisco.com/public/countries_languages.shtml


21/784

xxi


OL-8566-01

Preface

Obtaining Technical Assistance

A current list of security advisories, security notices, and security responses for Cisco products is

available at this URL:

http://www.cisco.com/go/psirt

To see security advisories, security notices, and security responses as they are updated in real time, you

can subscribe to the Product Security Incident Response Team Really Simple Syndication (PSIRT RSS)

feed. Information about how to subscribe to the PSIRT RSS feed is found at this URL:

http://www.cisco.com/en/US/products/products_psirt_rss_feed.html

Reporting Security Problems in Cisco Products

Cisco is committed to delivering secure products. We test our products internally before we release

them, and we strive to correct all vulnerabilities quickly. If you think that you have identified a

vulnerability in a Cisco product, contact PSIRT:

• For Emergencies only—[email protected]

An emergency is either a condition in which a system is under active attack or a condition for which

a severe and urgent security vulnerability should be reported. All other conditions are considerednonemergencies.

• For Nonemergencies—[email protected]

In an emergency, you can also reach PSIRT by telephone:

• 1 877 228-7302

• 1 408 525-6532

Tip We encourage you to use Pretty Good Privacy (PGP) or a compatible product (for example, GnuPG) to

encrypt any sensitive information that you send to Cisco. PSIRT can work with information that has been

encrypted with PGP versions 2. x through 9. x.

Never use a revoked or an expired encryption key. The correct public key to use in your correspondence

with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page

at this URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

The link on this page has the current PGP key ID in use.

If you do not have or use PGP, contact PSIRT at the aforementioned e-mail addresses or phone numbers

before sending any sensitive material to find other means of encrypting the data.

Obtaining Technical AssistanceCisco Technical Support provides 24-hour-a-day award-winning technical assistance. The Cisco

Technical Support & Documentation website on Cisco.com features extensive online support resources.

In addition, if you have a valid Cisco service contract, Cisco Technical Assistance Center (TAC)

engineers provide telephone support. If you do not have a valid Cisco service contract, contact your

reseller.

http://www.cisco.com/go/psirthttp://www.cisco.com/en/US/products/products_psirt_rss_feed.htmlmailto:[email protected]:[email protected]://www.cisco.com/en/US/products/products_security_vulnerability_policy.htmlhttp://www.cisco.com/en/US/products/products_security_vulnerability_policy.htmlmailto:[email protected]:[email protected]://www.cisco.com/en/US/products/products_psirt_rss_feed.htmlhttp://www.cisco.com/go/psirt


22/784

xxii


OL-8566-01

Preface

Obtaining Technical Assistance

Cisco Technical Support & Documentation Website

The Cisco Technical Support & Documentation website provides online documents and tools for

troubleshooting and resolving technical issues with Cisco products and technologies. The website is

available 24 hours a day, at this URL:

http://www.cisco.com/techsupport

Access to all tools on the Cisco Technical Support & Documentation website requires a Cisco.com user

ID and password. If you have a valid service contract but do not have a user ID or password, you can

register at this URL:

http://tools.cisco.com/RPF/register/register.do

Note Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting

a web or phone request for service. You can access the CPI tool from the Cisco Technical Support &

Documentation website by clicking the Tools & Resources link under Documentation & Tools. Choose

Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the CiscoProduct Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by

product ID or model name; by tree view; or for certain products, by copying and pasting show commandoutput. Search results show an illustration of your product with the serial number label location

highlighted. Locate the serial number label on your product and record the information before placing a

service call.

Submitting a Service Request

Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3

and S4 service requests are those in which your network is minimally impaired or for which you require

product information.) After you describe your situation, the TAC Service Request Tool provides

recommended solutions. If your issue is not resolved using the recommended resources, your service

request is assigned to a Cisco engineer. The TAC Service Request Tool is located at this URL:

http://www.cisco.com/techsupport/servicerequest

For S1 or S2 service requests, or if you do not have Internet access, contact the Cisco TAC by telephone.

(S1 or S2 service requests are those in which your production network is down or severely degraded.)

Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business

operations running smoothly.

To open a service request by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)

EMEA: +32 2 704 55 55

USA: 1 800 553-2447

For a complete list of Cisco TAC contacts, go to this URL:

http://www.cisco.com/techsupport/contacts

http://www.cisco.com/techsupporthttp://tools.cisco.com/RPF/register/register.dohttp://www.cisco.com/techsupport/servicerequesthttp://www.cisco.com/techsupport/contactshttp://www.cisco.com/techsupport/contactshttp://www.cisco.com/techsupport/servicerequesthttp://tools.cisco.com/RPF/register/register.dohttp://www.cisco.com/techsupport


23/784

xxiii


OL-8566-01

Preface

Obtaining Additional Publications and Information

Definitions of Service Request Severity

To ensure that all service requests are reported in a standard format, Cisco has established severity

definitions.

Severity 1 (S1)—An existing network is down, or there is a critical impact to your business operations.

You and Cisco will commit all necessary resources around the clock to resolve the situation.

Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your

business operations are negatively affected by inadequate performance of Cisco products. You and Cisco

will commit full-time resources during normal business hours to resolve the situation.

Severity 3 (S3)—Operational performance of the network is impaired, while most business operations

remain functional. You and Cisco will commit resources during normal business hours to restore service

to satisfactory levels.

Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or

configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and InformationInformation about Cisco products, technologies, and network solutions is available from various online

and printed sources.

• The Cisco Product Quick Reference Guide is a handy, compact reference tool that includes brief

product overviews, key features, sample part numbers, and abbreviated technical specifications for

many Cisco products that are sold through channel partners. It is updated twice a year and includes

the latest Cisco offerings. To order and find out more about the Cisco Product Quick Reference

Guide, go to this URL:

http://www.cisco.com/go/guide

• Cisco Marketplace provides a variety of Cisco books, reference guides, documentation, and logo

merchandise. Visit Cisco Marketplace, the company store, at this URL:


• Cisco Press publishes a wide range of general networking, training and certification titles. Both new

and experienced users will benefit from these publications. For current Cisco Press titles and other

information, go to Cisco Press at this URL:

http://www.ciscopress.com

• Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and

networking investments. Each quarter, Packet delivers coverage of the latest industry trends,

technology breakthroughs, and Cisco products and solutions, as well as network deployment and

troubleshooting tips, configuration examples, customer case studies, certification and training

information, and links to scores of in-depth online resources. You can access Packet magazine at

this URL:

http://www.cisco.com/packet

http://www.cisco.com/go/guidehttp://www.cisco.com/go/marketplace/http://www.ciscopress.com/http://www.cisco.com/packethttp://www.cisco.com/packethttp://www.ciscopress.com/http://www.cisco.com/go/marketplace/http://www.cisco.com/go/guidehttp://www.cisco.com/techsupport/contacts


24/784


25/784

C H A P T E R

1-1


OL-8566-01

1

Using the Command-Line Interface

The Catalyst 3550 multilayer switches are supported by Cisco IOS software. This chapter describes how

to use the switch command-line interface (CLI) to configure software features.

For a complete description of the commands that support these features, see Chapter 2, “Catalyst 3550

Switch Cisco IOS Commands.” For information on the boot loader commands, see Appendix A,

“Catalyst 3550 Switch Boot Loader Commands.” For information on the debug commands, see theAppendix B, “Catalyst 3550 Switch Debug Commands.” For more information on Cisco IOS

Release 12.2, see the Cisco IOS Release 12.2 Command Summary.

For task-oriented configuration steps, see the software configuration guide for this release. For

information on accessing the CLI through the switch console port or through a Telnet session, see the

hardware installation guide or the getting started guide.

In this document, IP refers to IP version 4 (IPv4). Layer 3 IP version 6 (IPv6) packets are treated as

non-IP packets.

Type of MemoryThe switch flash memory stores the Cisco IOS software image, the startup configuration file, and helper

files.

PlatformsThis IOS release runs on a variety of switches and modules. For a complete list, see the release notes for

this switch.

CLI Command ModesThis section describes the CLI command mode structure. Command modes support specific Cisco IOS

commands. For example, the interface interface-id command only works when entered in global

configuration mode.

These are the main command modes for the switch:

• User EXEC

• Privileged EXEC


26/784

1-2


OL-8566-01

Chapter1 Using the Command-Line Interface

CLI Command Modes

• Global configuration

• Interface configuration

• Config-vlan

• VLAN configuration

• Line configuration

Table 1-1 lists the main command modes, how to access each mode, the prompt you see in that mode,

and how to exit that mode. The prompts listed use the default name Switch.

Table1-1 Command Modes Summary

Command Mode Access Method Prompt Exit or Access Next Mode

User EXEC This is the first level of access.

(For the switch) Change terminal

settings, perform basic tasks, and

list system information.

Switch> Enter the logout command.

To enter privileged EXEC mode, enter

the enable command.

Privileged EXEC From user EXEC mode, enter theenable command.

Switch# To exit to user EXEC mode, enter thedisable command.

To enter global configuration mode,

enter the configure command.

Global

configuration

From privileged EXEC mode,

enter the configure command.

Switch(config)# To exit to privileged EXEC mode,

enter the exit or end command, orpress Ctrl-Z.

To enter interface configuration mode,

enter the interface configurationcommand.

Interface

configuration

From global configuration mode,

specify an interface by enteringthe interface command.

Switch(config-if)# To exit to privileged EXEC mode,

enter the end command, or pressCtrl-Z.

To exit to global configuration mode,

enter the exit command.

Config-vlan In global configuration mode,

enter the vlan vlan-id command.

Switch(config-vlan)# To exit to global configuration mode,


To return to privileged EXEC mode,

enter the end command, or press

Ctrl-Z.

VLAN

configuration

From privileged EXEC mode,

enter the vlan database command.

Switch(vlan)# To exit to privileged EXEC mode,


Line configuration From global configuration mode,

specify a line by entering the line

command.

Switch(config-line)# To exit to global configuration mode,


To return to privileged EXEC mode,

enter the end command, or press

Ctrl-Z.


27/784

1-3


OL-8566-01


CLI Command Modes

User EXEC Mode

After you access the device, you are automatically in user EXEC command mode. The EXEC commands

available at the user level are a subset of those available at the privileged level. In general, use the user

EXEC commands to temporarily change terminal settings, perform basic tests, and list system

information.The supported commands can vary depending on the version of software in use. To view a

comprehensive list of commands, enter a question mark (?) at the prompt.

Switch> ?

Privileged EXEC Mode

Because many of the privileged commands configure operating parameters, privileged access should be

password-protected to prevent unauthorized use. The privileged command set includes those commands

contained in user EXEC mode, as well as the configure privileged EXEC command through which youaccess the remaining command modes.

If your system administrator has set a password, you are prompted to enter it before being granted access

to privileged EXEC mode. The password does not appear on the screen and is case sensitive.

The privileged EXEC mode prompt is the device name followed by the pound sign (#).

Switch#

Enter the enable command to access privileged EXEC mode:

Switch> enable

Switch#

The supported commands can vary depending on the version of software in use. To view a

comprehensive list of commands, enter a question mark (?) at the prompt.

Switch# ?

To return to user EXEC mode, enter the disable privileged EXEC command.

Global Configuration Mode

Global configuration commands apply to features that affect the device as a whole. Use the configure

privileged EXEC command to enter global configuration mode. The default is to enter commands from

the management console.

When you enter the configure command, a message prompts you for the source of the configuration

commands:

Switch# configureConfiguring from terminal, memory, or network [terminal]?

You can specify either the terminal or NVRAM as the source of configuration commands.

This example shows you how to access global configuration mode:

Switch# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.


28/784

1-4


OL-8566-01


CLI Command Modes


comprehensive list of commands, enter a question mark (?) at the prompt:

Switch(config)# ?

To exit global configuration command mode and to return to privileged EXEC mode, enter the end or

exit command, or press Ctrl-Z.

Interface Configuration Mode

Interface configuration commands modify the operation of the interface. Interface configuration

commands always follow a global configuration command, which defines the interface type.

Use the interface interface-id command to access interface configuration mode. The new prompt means

interface configuration mode.

Switch(config-if)#



Switch(config-if)# ?

To exit interface configuration mode and to return to global configuration mode, enter the exit command.To exit interface configuration mode and to return to privileged EXEC mode, enter the end command,

or press Ctrl-Z.

config-vlan Mode

Use this mode to configure normal-range VLANs (VLAN IDs 1 to 1005) or, when VTP mode is

transparent, to configure extended-range VLANs (VLAN IDs 1006 to 4094). When VTP mode is

transparent, the VLAN and VTP configuration is saved in the running configuration file, and you can

save it to the switch startup configuration file by using the copy running-config startup-config privileged EXEC command. The configurations of VLAN IDs 1 to 1005 are saved in the VLAN database

if VTP is in transparent or server mode. The extended-range VLAN configurations are not saved in the

VLAN database.

Enter the vlan vlan-id global configuration command to access config-vlan mode:

Switch(config)# vlan 2000

Switch(config-vlan)#

The supported keywords can vary but are similar to the commands available in VLAN configuration

mode. To view a comprehensive list of commands, enter a question mark (?) at the prompt:

Switch(config-vlan)# ?

For extended-range VLANs, all characteristics except the MTU size must remain at the default setting.To return to global configuration mode, enter exit; to return to privileged EXEC mode, enter end. All

the commands except shutdown take effect when you exit config-vlan mode.


29/784

1-5


OL-8566-01


CLI Command Modes

VLAN Configuration Mode

You can use the VLAN configuration commands to create or modify VLAN parameters for VLAN IDs

1 to 1005.

Enter the vlan database privileged EXEC command to access VLAN configuration mode:

Switch# vlan database

Switch(vlan)#



Switch(vlan)# ?

To return to privileged EXEC mode, enter the abort VLAN configuration command to abandon theproposed database. Otherwise, enter exit to implement the proposed new VLAN database and to return

to privileged EXEC mode. When you enter exit or apply, the configuration is saved in the VLAN

database; configuration from VLAN configuration mode cannot be saved in the switch configuration file

Line Configuration Mode

Line configuration commands modify the operation of a terminal line. Line configuration commands

always follow a line command, which defines a line number. Use these commands to change terminal

parameter settings line-by-line or for a range of lines.

Use the line vty line_number [ending_line_number ] command to enter line configuration mode. Thenew prompt means line configuration mode. The following example shows how to enter line

configuration mode for virtual terminal line 7:

Switch(config)# line vty 0 7



Switch(config-line)# ?

To exit line configuration mode and to return to global configuration mode, use the exit command. Toexit line configuration mode and to return to privileged EXEC mode, enter the end command, or press

Ctrl-Z.


30/784

1-6


OL-8566-01


CLI Command Modes


31/784

C H A P T E R

2-1


OL-8566-01

2

Catalyst 3550 Switch Cisco IOS Commands

aaa accounting dot1xUse the aaa accounting dot1x global configuration command to enable authentication, authorization,

and accounting (AAA) accounting and to create method lists defining specific accounting methods on a

per-line or per-interface basis for IEEE 802.1x sessions. Use the no form of this command to disable IEEE802.1x accounting.

aaa accounting dot1x {name | default} start-stop {broadcast group {name | radius | tacacs+}

[group {name | radius | tacacs+} ... ] | group {name | radius | tacacs+} [group {name | radius| tacacs+} ...]}

no aaa accounting dot1x {name | default}

Syntax Description name Name of a server group. This is optional when you enter it after thebroadcast group and group keywords.

default Use the accounting methods that follow as the default list for accountingservices.

start-stop Send a start accounting notice at the beginning of a process and a stopaccounting notice at the end of a process. The start accounting record is sent

in the background. The requested-user process begins regardless of whether

or not the start accounting notice was received by the accounting server.

broadcast Enable accounting records to be sent to multiple AAA servers and sendaccounting records to the first server in each group. If the first server is

unavailable, the switch uses the list of backup servers to identify the first

server.

group Specify the server group to be used for accounting services. These are valid

server group names:

• name—Name of a server group.

• radius—List of all RADIUS hosts.

• tacacs+ —List of a ll TACACS+ hosts .

The group keyword is optional when you enter it after the broadcast group and group keywords. You can enter more than optional group keyword.

radius (Optional) Enable RADIUS authorization.

tacacs+ (Optional) Enable TACACS+ accounting.


32/784

2-2


OL-8566-01

Chapter2 Catalyst 3550 Switch Cisco IOS Commands

aaa accounting dot1x

Defaults AAA accounting is disabled.

Command Modes Global configuration

Command History

Usage Guidelines This command requires access to a RADIUS server.

Note We recommend that you enter the dot1x reauthentication interface configuration command before

configuring IEEE 802.1x RADIUS accounting on an interface.

Examples This example shows how to configure IEEE 802.1x accounting:

Switch(config)# aaa accounting dot1x default start-stop group radiusSwitch(config)#

Note The RADIUS authentication server must be properly configured to accept and log update or watchdog

packets from the AAA client.

Related Commands

Release Modification

12.2(20)SE This command was introduced.

Command Description

aaa authentication dot1x Specifies one or more AAA methods for use on interfaces running IEEE

802.1x authentication.

dot1x re-authentication Enables or disables periodic reauthentication.

dot1x timeout

reauth-period

Sets the number of seconds between re-authentication attempts.


33/784

2-3


OL-8566-01


aaa authentication dot1x

aaa authentication dot1xUse the aaa authentication dot1x global configuration command to specify the authentication,

authorization, and accounting (AAA) method to use on ports complying with IEEE 802.1x

authentication. Use the no form of this command to disable authentication.

aaa authentication dot1x {default} method1

no aaa authentication dot1x {default}

Syntax Description

Note Though other commands are visible in the command-line help strings, only the default and groupradius keywords are supported.

Defaults No authentication is performed.


Command History

Usage Guidelines The method argument identifies the method that the authentication algorithm tries in the given sequenceto validate the password provided by the client. The only method that is truly IEEE 802.1x-compliant is

the group radius method, in which the client data is validated against a RADIUS authentication server

If you specify group radius, you must configure the RADIUS server by entering the radius-server hostglobal configuration command.

Use the show running-config privileged EXEC command to display the configured lists ofauthentication methods.

default Use the listed authentication method that follows this argument as the default

method when a user logs in.

method1 Enter the group radius keywords to use the list of all RADIUS servers for

authentication.

Release Modification12.1(8)EA1 This command was introduced.


34/784

2-4


OL-8566-01


aaa authentication dot1x

Examples This example shows how to enable AAA and how to create an IEEE 802.1x-compliant authenticationlist. This authentication first tries to contact a RADIUS server. If this action returns an error, the user is

not allowed access to the network.

Switch(config)# aaa new-modelSwitch(config)# aaa authentication dot1x default group radius

You can verify your settings by entering the show running-config privileged EXEC command.

Related Commands Command Description

aaa new-model Enables the AAA access control model. For syntax information, select Cisco

IOS Release 12.2 Configuration Guides and Command References > CiscoIOS Security Command Reference, Release 12.2 > Authentication,

Authorization, and Accounting > Authentication Commands.

show running-config Displays the current operating configuration. For syntax information, select

Cisco IOS Release 12.2 Configuration Guides and Command References >Cisco IOS Configuration Fundamentals Command Reference, Release 12.2

> File Management Commands > Configuration File ManagementCommands.


35/784

2-5


OL-8566-01


aaa authorization network

aaa authorization networkUse the aaa authorization network global configuration command to the configure the switch to use

user-RADIUS authorization for all network-related service requests, such as IEEE 802.1x per-user

access control lists (ACLs) or VLAN assignment. Use the no form of this command to disable the switch

for RADIUS user authorization.

aaa authorization network default group radius

no aaa authorization network default

Syntax Description

Defaults Authorization is disabled.


Command History

Usage Guidelines Use the aaa authorization network default group radius global configuration command to allow theswitch to download IEEE 802.1x authorization parameters from the RADIUS servers in the default

authorization list. The authorization parameters are used by features such as per-user ACLs or VLAN

assignment to get parameters from the RADIUS servers.

Use the show running-config privileged EXEC command to display the configured lists of

authorization methods.

Examples This example shows how to configure the switch for user RADIUS authorization for all network-relatedservice requests:

Switch(config)# aaa authorization network default group radius

You can verify your settings by entering the show running-config privileged EXEC command.

Related Commands

default group

radius

Use the list of all RADIUS hosts in the server group as the default authorization

list.


12.2(25)SEE This command was introduced.

Command Description

show running-config Displays the current operating configuration. For syntax information, select

Cisco IOS Configuration Fundamentals Command Reference, Release12.2 > File Management Commands > Configuration File Management

Commands.


36/784


37/784

2-7


OL-8566-01


access-list hardware programnonblocking


access-list {deny | permit} Configures a standard numbered ACL. For syntax information, select

Cisco IOS Release 12.2 Configuration Guides and Command

References > Cisco IOS IP Command Reference, Volume 1 of 3:Addressing and Services, Release 12.2 > IP Services Commands.

action (access mapconfiguration)

Defines or modifies the action for the VLAN access map entry.

ip access-group Applies an IP access list to a Layer 2 or Layer 3 interface.

ip access-list Configures a named access list. For syntax information, select Cisco

IOS Release 12.2 Configuration Guides and Command References >Cisco IOS IP Command Reference, Volume 1 of 3: Addressing

and Services, Release 12.2 > IP Services Commands.

mac access-group Applies a MAC access list to a Layer 2 interface.

match (access-map

configuration)

Defines the match conditions for a VLAN map.

show running-config | include

access-list hardware

Displays the current operating configuration. For syntax information,

select Cisco IOS Release 12.2 Configuration Guides and CommandReferences > Cisco IOS Configuration Fundamentals Command

Reference, Release 12.2 > File Management Commands >Configuration File Management Commands.

vlan access-map Creates a VLAN access map or enters access-map configuration

mode.

vlan filter Applies a VLAN map to one or more VLANs.


38/784

2-8


OL-8566-01


action

actionUse the action access map configuration command to set the action for the VLAN access map entry. Use

the no form of this command to return to the default setting.

action {drop | forward}

no action

Syntax Description

Defaults The default action is to forward packets.

Command Modes Access-map configuration

Command History

Usage Guidelines You enter access-map configuration mode by using the vlan access-map global configuration command.

If the action is drop, you should define the access map, including configuring any access control list

(ACL) names in match clauses, before applying the map to a VLAN, or all packets could be dropped.

In access map configuration mode, use the match access map configuration command to define the

match conditions for a VLAN map. Use the action command to set the action that occurs when a packet

matches the conditions.

The drop and forward parameters are not used in the no form of the command.

Examples This example shows how to identify and apply a VLAN access map vmap4 to VLANs 5 and 6 that causesthe VLAN to forward an IP packet if the packet matches the conditions defined in access list al2:

Switch(config)# vlan access-map vmap4Switch(config-access-map)# match ip address al2Switch(config-access-map)# action forward

Switch(config-access-map)# exit

Switch(config)# vlan filter vmap4 vlan-list 5-6

You can verify your settings by entering the show vlan access-map privileged EXEC command.

drop Drop the packet when the specified conditions are matched.

forward Forward the packet when the specified conditions are matched.


12.1(4)EA1 This command was introduced.


39/784

2-9


OL-8566-01


action


access-list {deny | permit} Configures a standard numbered ACL. For syntax information, select

Cisco IOS Release 12.2 Configuration Guides and Command

References > Cisco IOS IP Command Reference, Volume 1 of 3:Addressing and Services, Release 12.2 > IP Services Commands.

ip access-list Creates a named access list. For syntax information, select Cisco IOSRelease 12.2 Configuration Guides and Command References >

Cisco IOS IP Command Reference, Volume 1 of 3: Addressing

and Services, Release 12.2 > IP Services Commands.

mac access-list extended Creates a named MAC address access list.

match (access-map

configuration)

Defines the match conditions for a VLAN map.

show vlan access-map Displays the VLAN access maps created on the switch.

vlan access-map Creates a VLAN access map.


40/784

2-10


OL-8566-01


archive download-sw

archive download-swUse the archive download-sw privileged EXEC command to download a new image from a TFTP server

to the switch and overwrite or keep the existing image.

archive download-sw { /force-reload | /imageonly | /leave-old-sw | /no-set-boot | /overwrite | /reload | /safe} source-url

Syntax Description /force-reload Unconditionally force a system reload after successfully downloading thesoftware image.

/imageonly Download only the software image but not the HTML files associated with the

device manager. The HTML files for the existing version are deleted only if the

existing version is being overwritten or removed.

/leave-old-sw Keep the old software version after a successful download.

/no-set-boot Do not alter the setting of the BOOT environment variable to point to the new

software image after it is successfully downloaded.

/overwrite Overwrite the software image in flash with the downloaded one.

/reload Reload the system after successfully downloading the image unless the

configuration has been changed and not been saved.

/safe Keep the current software image; do not delete it to make room for the new

software image before the new image is downloaded. The current image is

deleted after the download.

source-url The source URL alias for a local or network file system. These options are

supported:

• The syntax for the local flash file system:

flash:

• The syntax for the FTP:

ftp:[[ // username[: password ]@location]/ directory] / image-name.tar

• The syntax for an HTTP server:

http:// [[username: password ]@]{hostname |

host-ip}[/ directory] / image-name.tar

• The syntax for a secure HTTP server:

https:// [[username: password ]@]{hostname |

host-ip}[/ directory] / image-name.tar

• The syntax for the Remote Copy Protocol (RCP):

rcp:[[ // username@location]/ directory] / image-name.tar

• The syntax for the TFTP:

tftp:[[ // location]/ directory] / image-name.tar

The image-name.tar is the software image to download and install on theswitch.


41/784


42/784

2-12


OL-8566-01


archive download-sw


archive tar Creates a tar file, lists the files in a tar file, or extracts the files from a tar file.

archive upload-sw Uploads an existing image on the switch to a server.

delete Deletes a file or directory on the flash memory device.


43/784


44/784


45/784

2-15


OL-8566-01


archive tar

Examples This example shows how to create a tar file. The command writes the contents of the new-configs directory on the local flash device to a file named saved.tar on the TFTP server at 172.20.10.30:

Switch# archive tar /create tftp:172.20.10.30/saved.tar flash:/new-configs

This example shows how to display the contents of the c3550-ipservices-tar.122-25.tar file that is in

flash memory. The contents of the tar file appear on the screen:Switch# archive tar /table flash:c3550-ipservices-tar.122-25.tarinfo (219 bytes)

c3550-ipservices-mz.122-25.SEB/ (directory)

c3550-ipservices-mz.122-25/html/ (directory)c3550-ipservices-mz.122-25/c3550-mz.122-25.SEB.bin (6074880 bytes)

c3550-ipservices-mz.122-25/info (219 bytes)info.ver (219 bytes)

This example shows how to display only the c3550-ipservices-mz.122-25.SEB/html directory and its

contents:

Switch# archive tar /table flash:c3550-ipservices-tar.122-25.SEB.tarc3550-ipservices-mz.122-25.SEB/html

c3550-ipservices-mz.122-25.SEB/html/ (directory)

c3550-ipservices-mz.122-25SEB/html/const.htm (556 bytes)c3550-ipservices-mz.122-25SEB/html/xhome.htm (9373 bytes)c3550-ipservices-mz.122-25SEB/html/menu.css (1654 bytes)

This example shows how to extract the contents of a tar file on the TFTP server at 172.20.10.30. This

command extracts just the new-configs directory into the root directory on the local flash file system.

The remaining files in the saved.tar file are ignored.

Switch# archive tar /xtract tftp:/172.20.10.30/saved.tar flash:/ new-configs


archive download-sw Downloads a new image to the switch.

archive upload-sw Uploads an existing image on the switch to a server.


46/784

2-16


OL-8566-01


archive upload-sw

archive upload-swUse the archive upload-sw privileged EXEC command to upload an existing switch image to a server.

archive upload-sw [ /version version_string] destination-url

Syntax Description

Defaults Uploads the currently running image from the flash: file system.

Command Modes Privileged EXEC

Command History

Usage Guidelines The upload feature is available only if the HTML files associated with the device manager have beeninstalled with the existing image.

The files are uploaded in this sequence: info, the Cisco IOS image, the HTML files, and info.ver. After

these files are uploaded, the software creates the tar file.

Image names are case sensitive.

Examples This example shows how to upload the currently running image to a TFTP server at 172.20.140.2:

Switch# archive upload-sw tftp://172.20.140.2/test-image.tar

/version version_string (Optional) Specify the specify version string of the image to be uploaded.

destination-url The destination URL alias for a local or network file system. These options

are supported:

• The syntax for the local flash file system:

flash:

• The syntax for the FTP:

ftp:[[ // username[: password ]@location]/ directory] / image-name.tar

• The syntax for the Remote Copy Protocol (RCP):

rcp:[[ // username@location]/ directory] / image-name.tar

• The syntax for the TFTP:

tftp:[[ // location]/ directory] / image-name.tar

The image-name.tar is the name of the software image to be stored on theserver.


12.1(4)EA1 This command was introduced.


47/784

2-17


OL-8566-01


archive upload-sw


archive download-sw Downloads a new image to the switch.

archive tar Creates a tar file, lists the files in a tar file, or extracts the files from a tar file.


48/784

2-18


OL-8566-01


arp access-list

arp access-listUse the arp access-list global configuration command to define an Address Resolution Protocol (ARP)

access control list (ACL) or to add clauses to the end of a previously defined list. Use the no form of thiscommand to delete the specified ARP access list.

arp access-list acl-name

no arp access-list acl-name

This command is available only if your switch is running the IP services image, formerly known as the

enhanced multilayer image (EMI).

Syntax Description

Defaults No ARP access lists are defined.


Command History

Usage Guidelines After entering the arp access-list command, you enter ARP access-list configuration mode, and these

configuration commands are available:

• default: returns a command to its default setting.

• deny: specifies packets to reject. For more information, see the “deny (ARP access-list

configuration)” section on page 2-74.

• exit: exits ARP access-list configuration mode.

• no: negates a command or returns to default settings.

• permit: specifies packets to forward. For more information, see the “permit (ARP access-list

configuration)” section on page 2-269.

Use the permit and deny access-list configuration commands to forward and to drop ARP packets basedon the specified matching criteria.

When the ARP ACL is defined, you can apply it to a VLAN by using the ip arp inspection filter vlan global configuration command. ARP packets containing only IP-to-MAC address bindings are compared

to the ACL. All other types of packets are bridged in the ingress VLAN without validation. If the ACL

permits a packet, the switch forwards it. If the ACL denies a packet because of an explicit deny

statement, the switch drops the packet. If the ACL denies a packet because of an implicit deny statement,

the switch compares the packet to the list of DHCP bindings (unless the ACL is static, which means that

packets are not compared to the bindings).

acl-name Name of the ACL.


12.2(25)SEA This command was introduced.


49/784

2-19


OL-8566-01


arp access-list

Examples This example shows how to define an ARP access list and to permit both ARP requests and ARPresponses from a host with an IP address of 1.1.1.1 and a MAC address of 0000.0000.abcd:

Switch(config)# arp access-list static-hosts

Switch(config-arp-nacl)# permit ip host 1.1.1.1 mac host 00001.0000.abcdSwitch(config-arp-nacl)# end

You can verify your settings by entering the show arp access-list privileged EXEC command.


deny (ARP access-list

configuration)

Denies an ARP packet based on matches compared against the DHCP

bindings.

ip arp inspection filter

vlan

Permits ARP requests and responses from a host configured with a static IP

address.

permit (ARP

access-listconfiguration)

Permits an ARP packet based on matches compared against the DHCP

bindings.

show arp access-list Displays detailed information about ARP access lists.


50/784

2-20


OL-8566-01


auto qos voip

auto qos voipUse the auto qos voip interface configuration command to automatically configure quality of service

(auto-QoS) for voice over IP (VoIP) within a QoS domain. Use the no form of this command to changethe auto-QoS configuration settings to the standard QoS defaults.

auto qos voip {cisco-phone | cisco-softphone | trust}

no auto qos voip

Syntax Description

Defaults Auto-QoS is disabled on all interfaces.

When auto-QoS is enabled, i t uses the ingress packet label to categorize traffic and class of service (CoS)

packet labels and to configure the egress queues as summarized in Table 2-1.

cisco-phone Identify this interface as connected to a Cisco IP Phone, and automatically configure

QoS for VoIP. The QoS labels of incoming packets are trusted only when the

telephone is detected.

cisco-softphone Identify this port as connected to a device running the Cisco SoftPhone, andautomatically configure QoS for VoIP.

trust Identify this interface as connected to a trusted switch or router, and automatically

configure QoS for VoIP. The QoS labels of incoming packets are trusted.

Table2-1 Traffic Types, Packet Labels, and Egress Queues

VoIP DataTraffic

VoIP ControlTraffic

Routing ProtocolTraffic

STP1 BPDU2 Traffic

1. STP = Spanning Tree Protocol

2. BPDU = bridge protocol data unit

Real-TimeVideo Traffic All Other Traffic

DSCP

3

3. DSCP = Differentiated Services Code Point

46 24, 26 48 56 34 ——CoS 5 3 6 7 4

CoS-to-Queue

Map

5 3, 6, 7 4 2 0, 1

Egress Queue Expedite

(queue 4)

70% WRR4 (queue 3)

4. WRR = weighted round robin

20% WRR

(queue 2)

20% WRR

(queue 2)

10% WRR

(queue 1)


51/784

2-21


OL-8566-01


auto qos voip

Table 2-2 lists the auto-QoS configuration for the egress queues.

Command Modes Interface configuration

Command History

Usage Guidelines Use this command to configure the QoS appropriate for VoIP traffic within the QoS domain. The QoSdomain includes the switch, the interior of the network, and the edge devices that can classify incoming

traffic for QoS.

In releases earlier than Cisco IOS Release 12.1(20)EA2, auto-QoS configures the switch only for VoIP

with Cisco IP Phones on switch ports.

In Cisco IOS Release 12.1(20)EA2 or later, auto-QoS configures the switch for VoIP with Cisco IP

Phones on switch and routed ports and for VoIP with devices running the Cisco SoftPhone application.

These releases support only Cisco IP SoftPhone Version 1.3(3) or later. Connected devices must use

Cisco Call Manager Version 4 or later.

To take advantage of the auto-QoS defaults, you should enable auto-QoS before you configure other QoS

commands. You can fine-tune the auto-QoS configuration after you enable auto-QoS.

Note The switch applies the auto-QoS-generated commands as if the commands were entered from the

command-line interface (CLI). An existing user configuration can cause the application of the generated

commands to fail or to be overridden by the generated commands. These actions occur without warning.

If all the generated commands are successfully applied, any user-entered configuration that was not

overridden remains in the running configuration. Any user-entered configuration that was overriddencan be retrieved by reloading the switch without saving the current configuration to memory. If the

generated commands fail to be applied, the previous running configuration is restored.

If this is the first port on which you have enabled auto-QoS, the auto-QoS-generated global

configuration commands are executed followed by the interface configuration commands. If you enable

auto-QoS on another port, only the auto-QoS-generated interface configuration commands for that port

are executed.

Table2-2 Auto-QoS Configuration for the Egress Queues

Egress Queue

Queue

Number

CoS-to-Queue

Map

Queue

Weight

Queue Size forGigabit-Capable

Ports

Queue Size (inpackets) for 10/100

Ethernet Ports

Expedite 4 5 – 10 percent 34 (10 percent)

70% WRR 3 3, 6, 7 70 percent 15 percent 51 (15 percent)

20% WRR 2 2, 4 20 percent 25 percent 82 (25 percent)

10% WRR 1 0, 1 10 percent 50 percent 170 (50 percent)


12.1(12c)EA1 This command was introduced.

12.1(20)EA2 The cisco-softphone keyword was added, and the generated auto-QoSconfiguration changed.


52/784

2-22


OL-8566-01


auto qos voip

When you enable the auto-QoS feature on the first interface, these automatic actions occur:

• QoS is globally enabled (mls qos global configuration command).

• When you enter the auto qos voip cisco-phone interface configuration command on a port at the

edge of the network that is connected to a Cisco IP Phone, the switch enables the trusted boundary

feature. The switch uses the Cisco Discovery Protocol (CDP) to detect the presence or absence of a

Cisco IP Phone. When a Cisco IP Phone is detected, the ingress classification on the interface is setto trust the QoS label received in the packet. When a Cisco IP Phone is absent, the ingress

classification is set to not trust the QoS label in the packet. The egress queues on the interface are

also reconfigured (see Table 2-2).

• When you enter the auto qos voip cisco-softphone interface configuration command on a port at

the edge of the network that is connected to a device running the Cisco SoftPhone, the switch uses

policing to decide whether a packet is in or out of profile and to specify the action on the packet. If

the packet does not have a DSCP value of 24, 26, or 46 or is out of profile, the switch changes the

DSCP value to 0. The egress queues on the interface are also reconfigured (see Table 2-2).

• When you enter the auto qos voip trust interface configuration command on a port connected tothe interior of the network, the ingress classification on the interface is set to trust the QoS label

received in the packet, and the egress queues on the interface are reconfigured (see Table 2-2).

You can enable auto-QoS on static, dynamic-access, voice VLAN access, and trunk ports. When

enabling auto-QoS with a Cisco IP Phone on a routed port, you must assign a static IP address to the IP

phone.

Note When a device running Cisco SoftPhone is connected to a switch or routed port, the switch supports only

one Cisco SoftPhone application per port.

After auto-QoS is enabled, do not modify a policy map or aggregate policer that includes AutoQoS in its

name. If you need to modify the policy map or aggregate policer, make a copy of it, and change the

copied policy map or policer. To use the new policy map instead of the generated one, remove the

generated policy from the interface, and apply the new policy map.

To display the QoS configuration that is automatically generated when auto-QoS is enabled, enable

debugging before you enable auto-QoS. Use the debug auto qos privileged EXEC command to enableauto-QoS debugging.

To disable auto-QoS on an interface, use the no auto qos voip interface configuration command. Whenyou enter this command, the switch enables standard QoS and changes the auto-QoS settings to the

standard-QoS default settings for that interface.

To disable auto-QoS on the switch, use the no mls qos global configuration command. When you enter

this command, the switch disables QoS on all interfaces and enables pass-through mode.

Examples This example shows how to enable auto-QoS and to trust the QoS labels received in incoming packets

when the switch or router connected to an interface is a trusted device:

Switch(config)# interface gigabitethernet0/1

Switch(config-if)# auto qos voip trust

This example shows how to enable auto-QoS and to trust the QoS labels received in incoming packets

when the device connected to an interface is detected as a Cisco IP Phone:

Switch(config)# interface fastethernet0/1Switch(config-if)# auto qos voip cisco-phone


53/784

2-23


OL-8566-01


auto qos voip

This example shows how to display the QoS configuration that is automatically generated when

auto-QoS is enabled:

Switch# debug auto qos AutoQoS debugging is on

Switch# configure terminalEnter configuration commands, one per line. End with CNTL/Z.

Switch(config)# interface fastethernet0/1Switch(config-if)# auto qos voip trust

Switch(config-if)#4d22h:mls qos map cos-dscp 0 8 16 26 32 46 48 56

4d22h:mls qos min-reserve 5 1704d22h:mls qos min-reserve 6 85

4d22h:mls qos min-reserve 7 51

4d22h:mls qos min-reserve 8 34

4d22h:mls qos4d22h:interface FastEthernet0/1

4d22h: mls qos trust cos4d22h: wrr-queue bandwidth 10 20 70 1

4d22h: wrr-queue min-reserve 1 5



4d22h: wrr-queue min-reserve 4 84d22h: no wrr-queue cos-map

4d22h: wrr-queue cos-map 1 0 14d22h: wrr-queue cos-map 2 2 4

4d22h: wrr-queue cos-map 3 3 6 74d22h: wrr-queue cos-map 4 5

4d22h: priority-queue out

Switchconfig-if)# interface gigabitethernet0/1

Switch(config-if)# auto qos voip cisco-phoneSwitch(config-if)#

4d22h:interface GigabitEthernet0/14d22h: mls qos trust device cisco-phone

4d22h: mls qos trust cos

4d22h: wrr-queue bandwidth 10 20 70 1

4d22h: wrr-queue queue-limit 50 25 15 104d22h: no wrr-queue cos-map

4d22h: wrr-queue cos-map 1 0 14d22h: wrr-queue cos-map 2 2 4

4d22h: wrr-queue cos-map 3 3 6 7

4d22h: wrr-queue cos-map 4 5

4d22h: priority-queue outSwitch(config-if)#

You can verify your settings by entering the show auto qos interface interface-id privileged EXEC

command.


debug auto qos Enables debugging of the auto-QoS feature.

mls qos map {cos-dscp dscp1 ... dscp8 | dscp-cos dscp-list to cos}

Defines the CoS-to-DSCP map or the DSCP-to-CoS map.

mls qos trust Configures the port trust state.

show auto qos Displays auto-QoS information.

show mls qos Displays global QoS configuration information.

show mls qos interface Displays QoS information at the interface level.

show mls qos maps Displays QoS mapping information.


54/784


55/784

2-25

Catalyst 355