Catalyst Supervisor Engine 32 PISA IOS Command Reference, 12.2ZY

eigrp event-log-size

To set the size of the IP-EIGRP event log, use the eigrp event-log-size command.

eigrp event-log-size size

Syntax Description

Command Default

This command has no default settings.

Command Modes

Router configuration (config-router)

Command History

Usage Guidelines

Once the configured event log size has been exceeded, the last configured (event-log-size) number of lines of log is retained.

Examples

This example shows how to set the size of the IP-EIGRP event log:

Router (config-router)# eigrp event-log-size 5000010

Router (config-router)#

Related Commands

encapsulation dot1q

To enable the IEEE 802.1Q encapsulation of traffic on a specified subinterface in the VLANs, use the encapsulation dot1q command.

encapsulation dot1q vlan-id [native]

Syntax Description

Command Default

This command has no default settings.

Command Modes

Subinterface configuration

Command History

Usage Guidelines

Always use the native keyword when the vlan-id is the ID of the 802.1Q native VLAN. Do not configure encapsulation on the native VLAN of an 802.1Q trunk without the native keyword.

To enter the subinterface configuration mode, you must enter the interface configuration mode first and then enter the interface command to specify a subinterface.

Examples

This example shows how to set encapsulation for VLAN traffic using the 802.1Q protocol for VLAN 100:

Router(config-subif)# encapsulation dot1q 100

Router(config-subif)#

Related Commands

encapsulation isl

To enable ISL, use the encapsulation isl command.

encapsulation isl vlan-identifier

Syntax Description

Command Default

This command has no default settings.

Command Modes

Subinterface configuration

Command History

Usage Guidelines

ISL is a Cisco protocol that is used for interconnecting multiple switches and routers and for defining VLAN topologies.

ISL encapsulation adds a 26-byte header to the beginning of the Ethernet frame. The header contains a 10-bit VLAN identifier that conveys VLAN membership identities between the switches.

To enter the subinterface configuration mode, you must enter the interface configuration mode first and then enter the interface command to specify a subinterface.

Examples

This example shows how to enable ISL on Fast Ethernet subinterface 2/1.20:

Router(config-subif)# encapsulation isl 400

Router(config-subif)#

Related Commands

erase

To erase a file system, use the erase command.

erase {const_nvram: | nvram: | startup-config:}

Syntax Description

Command Default

This command has no default settings.

Command Modes

EXEC

Command History

Usage Guidelines

Caution When you use the erase command to erase a file system, you cannot recover the files in the file system.

The erase nvram: command replaces the write erase command and the erase startup-config command.

You can use the erase command on both Class B and Class C flash file systems only. To reclaim space on flash file systems after deleting files using the delete command, you must use the erase command. The erase command erases all of the files in the flash file system.

Class A flash file systems cannot be erased. You can delete individual files using the delete command and then reclaim the space using the squeeze command. You can also use the format command to format the flash file system.

On Class C flash file systems, space is dynamically reclaimed when you use the delete command. You can also use either the format or erase command to reinitialize a Class C flash file system.

The erase nvram: command erases NVRAM. On Class A file system platforms, if the CONFIG_FILE variable specifies a file in flash memory, the specified file is marked "deleted."

Examples

This example shows how to erase the NVRAM and the startup configuration in the NVRAM:

Router# erase nvram:

Router# 

Related Commands

errdisable detect cause

To enable the error-disable detection, use the errdisable detect cause command. To disable the error-disable detection, use the no form of this command.

errdisable detect cause {all | dtp-flap | l2ptguard | link-flap | packet-buffer-error | pagp-flap | udld}

no errdisable detect cause {all | dtp-flap | l2ptguard | link-flap | pagp-flap | udld}

Syntax Description

Command Default

Enabled for all causes.

Command Modes

Global configuration (config)

Command History

Usage Guidelines

Note Entering the no errdisable detect cause packet-buffer-error command allows you to detect the fault that triggers a power cycle of the affected module.

A cause (bpduguard, dtp-flap, link-flap, pagp-flap, root-guard, udld) is defined as the reason why the error-disabled state occurred. When a cause is detected on an interface, the interface is placed in an error-disabled state (an operational state that is similiar to the link-down state).

You must enter the shutdown and then the no shutdown commands to recover an interface manually from the error-disable state.

Examples

This example shows how to enable the error-disable detection for the Layer 2 protocol-tunnel guard error-disable cause:

Router(config)# errdisable detect cause l2ptguard

Router(config)# 

Related Commands

errdisable recovery

To configure the recovery mechanism variables, use the errdisable recovery command. To return to the default state, use the no form of this command.

errdisable recovery cause {all | arp-inspection | bpduguard | channel-misconfig | dhcp-rate-limit | dtp-flap | gbic-invalid | l2ptguard | link-flap | pagp-flap | pesecure-violation | security-violation | udld | unicast-flood}

errdisable recovery {interval interval}

no errdisable recovery cause {all | {arp-inspection | bpduguard | channel-misconfig | dhcp-rate-limit | dtp-flap | gbic-invalid | l2ptguard | link-flap | pagp-flap | pesecure-violation | security-violation | udld | unicast-flood}

no errdisable recovery {interval interval}

Syntax Description

Command Default

The defaults are as follows:

•Disabled for all causes.

•If enabled, the interval is 300 seconds.

Command Modes

Global configuration (config) (config)

Command History

Usage Guidelines

The secure-violation option is not supported.

A cause (bpduguard, dhcp-rate-limit, dtp-flap, l2ptguard, link-flap, pagp-flap, security-violation, channel-misconfig, psecure-violation, udld, or unicast-flood) is defined as the reason why the error-disabled state occurred. When a cause is detected on an interface, the interface is placed in an error-disabled state (an operational state that is similiar to the link-down state). If you do not enable errdisable recovery for the cause, the interface stays in the error-disabled state until a shutdown and no shutdown occurs. If you enable recovery for a cause, the interface is brought out of the error-disabled state and allowed to retry operation once all the causes have timed out.

You must enter the shutdown and then the no shutdown commands to recover an interface manually from the error-disabled state.

Examples

This example shows how to enable the recovery timer for the BPDU-guard error-disable cause:

Router(config)# errdisable recovery cause bpduguard

Router(config)# 

This example shows how to set the timer to 300 seconds:

Router(config)# errdisable recovery interval 300

Router(config)# 

Related Commands

error-detection packet-buffer action

To specify the action that a module takes after packet buffer memory failures, use the error-detection packet-buffer action command. To return to the default settings, use the no form of this command.

error-detection packet-buffer action {module num} {error-disable | power-down | reset}

Syntax Description

Command Default

Error-disable port group

Command Modes

Global configuration (config) (config)

Command History

Usage Guidelines

This command is supported on the following modules only:

•WS-X6348-RJ-45

•WS-X6348-RJ-21V

•WS-X6248-RJ-45

•WS-X6248-TEL

•WS-X6148-RJ-45

•WS-X6148-RJ-21

When you specify the reset keyword, a rapid reboot (approximately 10 seconds) and not a normal reboot (approximately 45 to 50 seconds) is performed. Prior to this release, the module always went through a non-rapid reboot.

Examples

This example shows how to set the module to error disable after packet buffer memory failures:

Router(config)# error-detection packet-buffer action module 2 error-disable

Router(config)# 

This example shows how to set the module to power down after packet buffer memory failures:

Router(config)# error-detection packet-buffer action module 2 power-down

Router(config)# 

This example shows how to set the module to reset after packet buffer memory failures:

Router(config)# error-detection packet-buffer action module 2 reset

Router(config)# 

file verify auto

To verify the compressed Cisco IOS image checksum, use the file verify auto command. To turn off automatic verification after a copy operation, use the no form of this command.

file verify auto

no file verify auto

Syntax Description

This command has no arguments or keywords.

Command Default

Verification is done automatically after completion of a copy operation.

Command Modes

Global configuration (config) (config)

Command History

Usage Guidelines

Enter the copy /noverify command to override the default behavior for a single copy operation.

Examples

This example shows how to verify the compressed Cisco IOS image checksum:

Router(config)# file verify auto

Router(config)#

Related Commands

flowcontrol

To configure a port to send or receive pause frames, use the flowcontrol command.

flowcontrol {send | receive} {desired | off | on}

Syntax Description

Command Default

Flow-control defaults depend upon port speed. The defaults are as follows:

•Gigabit Ethernet ports default to off for receive and desired for send.

•Fast Ethernet ports default to off for receive and on for send.

•On the 24-port 100BASE-FX and 48-port 10/100 BASE-TX RJ-45 modules, the default is off for receive and off for send.

•10-Gigabit Ethernet ports are permanently configured to respond to pause frames, and the default for send is off.

Command Modes

Interface configuration (config-if)

Command History

Usage Guidelines

The send and desired keywords are supported on Gigabit Ethernet ports only.

Pause frames are special packets that signal a source to stop sending frames for a specific period of time because the buffers are full.

Gigabit Ethernet ports on the Catalyst 6500 series switches use flow control to inhibit the transmission of packets to the port for a period of time; other Ethernet ports use flow control to respond to flow-control requests.

If a Gigabit Ethernet port receive buffer becomes full, the port transmits a "pause" packet that tells remote ports to delay sending more packets for a specified period of time. All Ethernet ports (1000 Mbps, 100 Mbps, and 10 Mbps) can receive and act upon "pause" packets from other devices.

You can configure non-Gigabit Ethernet ports to ignore received pause frames (disable) or to react to them (enable).

When used with receive, the on and desired keywords have the same result.

All Catalyst 6500 series switch Gigabit Ethernet ports can receive and process pause frames from remote devices.

To obtain predictable results, follow these guidelines:

•Use send on only when remote ports are set to receive on or receive desired.

•Use send off only when remote ports are set to receive off or receive desired.

•Use receive on only when remote ports are set to send on or send desired.

•Use send off only when remote ports are set to receive off or receive desired.

Examples

These examples show how to configure the local port to not support any level of flow control by the remote port:

Router(config-if)# flowcontrol receive off

Router(config-if)#

Router(config-if)# flowcontrol send off

Router(config-if)#

Related Commands

format

To format a Class A or Class C flash file system, use the format command.

Class A flash file system:

format bootflash: [spare spare-number] filesystem1: [[filesystem2:][monlib-filename]]

Class C flash file system:

format filesystem1:

Caution Reserve a certain number of memory sectors as spares, so that if some sectors fail, most of the flash PC card can still be used. Otherwise, you must reformat the flash PC card when some of the sectors fail.

Syntax Description

Command Default

The defaults are as follows:

•monlib-filename is the one bundled with the system software.

•spare-number is zero (0).

Command Modes

EXEC

Command History

Usage Guidelines

Use this command to format Class A or C flash memory file systems.

The Supervisor Engine 32 PISA has these flash memory devices:

•disk0:

–One external CompactFlash Type II slot

–Supports CompactFlash Type II Flash PC cards

•sup-bootdisk:

–Supervisor Engine 32 PISA 256-MB internal CompactFlash flash memory

–From the Supervisor Engine 32 PISA ROMMON, it is bootdisk:

•bootdisk:

–PISA 256-MB internal CompactFlash flash memory

–Not accessible from the Supervisor Engine 32 PISA ROMMON

In some cases, you might need to insert a new flash PC card and load images or back up configuration files onto it. Before you can use a new flash PC card, you must format it.

Sectors in flash PC cards can fail. Reserve certain flash PC sectors as "spares" by using the optional spare argument on the format command to specify between 0 and 16 sectors as spares. If you reserve a small number of spare sectors for emergencies, you can still use most of the flash PC card. If you specify 0 spare sectors and some sectors fail, you must reformat the flash PC card, which erases all existing data.

The monlib file is the ROM monitor library. The ROM monitor uses this file to access files in the flash file system. The Cisco IOS system software contains a monlib file.

When used with HSA and you do not specify the monlib-filename argument, the system takes the ROM monitor library file from the slave image bundle. If you specify the monlib-filename argument, the system assumes that the files reside on the slave devices.

In the command syntax, filesystem1: specifies the device to format, and filesystem2: specifies the optional device containing the monlib file, used to format filesystem1:. If you omit the optional filesystem2: and monlib-filename arguments, the system formats filesystem1:, using the monlib file that is already bundled with the system software. If you omit only the optional filesystem2: argument, the system formats filesystem1:, using the monlib file from the device that you specified with the cd command. If you omit only the optional monlib-filename argument, the system formats filesystem1: using filesystem2:'s monlib file. When you specify both arguments—filesystem2: and monlib-filename—the system formats filesystem1:, using the monlib file from the specified device. You can specify filesystem1:'s own monlib file in this argument. If the system cannot find a monlib file, it terminates its formatting.

Examples

This example shows how to format a CompactFlash PC card that is inserted in slot 0:

Router# format disk0:

Running config file on this device, proceed? [confirm]y

All sectors will be erased, proceed? [confirm]y

Enter volume id (up to 31 characters): <Return>

Formatting sector 1 (erasing)

Format device disk0 completed

When the console returns to the EXEC prompt, the new CompactFlash PC card is successfully formatted and ready for use.

Related Commands

fsck

To check a flash file system for damage and to repair any problems, use the fsck command.

fsck [/automatic | disk0:]

Syntax Description

Command Default

The current file system is checked if disk0: is not specified.

Command Modes

EXEC

Command History

Usage Guidelines

This command is valid only on Class C flash file systems and on PCMCIA ATA flash disks and CompactFlash disks.

If you do not enter any arguments, the current file system is used. Use the pwd command to display the current file system.

If you enter the disk0: keyword, the fsck utility checks the selected file system for problems. If a problem is detected, a prompt is displayed asking if you want the problem fixed.

If you enter the /automatic keyword, you are prompted to confirm that you want the automatic mode. In automatic mode, problems are fixed automatically and you are not prompted to confirm.

Table 2-9 lists the checks and actions that are performed by the fsck utility.

Examples

This example shows how to run a check of the current file system:

Router# fsck

 Checking the boot sector and partition table...

 Checking FAT, Files and Directories...

 Files

 1) disk0:/FILE3 and

 2) disk0:/FILE2

 have a common cluster.

 Press 1/2 to truncate or any other character to ignore[confirm] q

 Ignoring this error and continuing with the rest of the check...

 Files

 1) disk0:/FILE5 and

 2) disk0:/FILE4

 have a common cluster.

 Press 1/2 to truncate or any other character to ignore[confirm] 1

 File disk0:/FILE5 truncated.

 Files

 1) disk0:/FILE7 and

 2) disk0:/FILE6

 have a common cluster.

.

.

.

1) disk0:/FILE15 and

 2) disk0:/FILE13

 have a common cluster.

 Press 1/2 to truncate or any other character to ignore[confirm] i

 Ignoring this error and continuing with the rest of the check...

 Reclaiming unused space...

 Created file disk0:/fsck-11 for an unused cluster chain

 Created file disk0:/fsck-20 for an unused cluster chain

 Created file disk0:/fsck-30 for an unused cluster chain

 Created file disk0:/fsck-35 for an unused cluster chain

 Created file disk0:/fsck-40 for an unused cluster chain

 Created file disk0:/fsck-46 for an unused cluster chain

 Created file disk0:/fsck-55 for an unused cluster chain

 Created file disk0:/fsck-62 for an unused cluster chain

 Created file disk0:/fsck-90 for an unused cluster chain

 Updating FAT...

 fsck of disk0: complete

Router# 

hold-queue

To limit the size of the IP output queue on an interface, use the hold-queue command. To return to the default settings, use the no form of this command.

hold-queue length {in | out}

no hold-queue {in | out}

Syntax Description

Command Default

The defaults are as follows:

•The input hold-queue limit is 75 packets.

•The default output hold-queue limit is 40 packets.

•The default is 10 packets for asynchronous interfaces.

Command Modes

Interface configuration (config-if)

Command History

Usage Guidelines

This command is not supported on the OSM.

The default limits prevent a malfunctioning interface from consuming an excessive amount of memory. There is no fixed upper limit to a queue size.

The default of ten packets allows the Cisco IOS software to queue a number of back-to-back routing updates. The default is for asynchronous interfaces only; other media types have different defaults.

The guidelines for hold queues and priority queueing are as follows:

•The hold queue stores packets that are received from the network and are waiting to be sent to the client. We recommend that the queue size does not exceed ten packets on asynchronous interfaces. For most other interfaces, the queue length should not exceed 100 packets.

•The input hold queue prevents a single interface from flooding the network server with too many input packets. Additional input packets are discarded if the interface has too many outstanding input packets in the system.

•If you use priority output queueing, you can set the length of the four output queues using the priority-list global configuration command.You cannot use the hold-queue command to set an output hold-queue length in this situation.

•For slow links, use a small output hold-queue limit to prevent storing packets at a rate that exceeds the transmission capability of the link.

•For fast links, use a large output hold-queue limit. A fast link may be busy for a short time (and require the hold queue) but can empty the output hold queue quickly when capacity returns.

•You can display the current hold-queue setting and the number of packets that are discarded because of hold-queue overflows by using the show interfaces command in EXEC mode.

Caution Increasing the hold queue can cause negative effects to network routing and response times. If you use protocols that have sequence/acknowledge packets to determine round-trip times, do not increase the output queue. Instead, we recommend that you program the Catalyst 6500 series switch to drop packets and inform the hosts to slow down transmissions to match the available bandwidth. We do not recommend that you make duplicate copies of the same packet within the network.

Examples

This example sets a small input queue on a slow serial line:

Router(config)# interface serial 0

Router(config-if)# hold-queue 30 i

Related Commands

hw-module boot

To specify the boot options for the module through the power management bus control register, use the hw-module boot command.

hw-module {module num} {boot [value] {config-register | eobc | {flash image} | rom-monitor}}

Syntax Description

Command Default

This command has no default settings.

Command Modes

Privileged EXEC (#)

Command History

Usage Guidelines

This command is supported on the CMM only.

The valid values for the boot value argument are as follows:

•0—Specifies the module's config-register value.

•1—Specifies the first image in the flash memory.

•2—Specifies the second image in the flash memory.

•3—Stays in ROM-monitor mode after the module reset.

•4—Specifies the download image through EOBC.

Examples

This example shows how to reload the module in slot 6 using the module's config-register value:

Router# hw-module slot 1/6 boot config-register

Router# 

This example shows how to reload the module in slot 3 using an image downloaded through EOBC:

Router# hw-module slot 1/3 boot eobc

Router# 

hw-module fan-tray version

To set the fan-type (high or low power) version, use the hw-module fan-tray version command.

hw-module fan-tray version [1 | 2]

Syntax Description

Command Default

This command has no default settings.

Command Modes

Privileged EXEC (#)

Command History

Usage Guidelines

Before you install a high-capacity fan tray, enter the hw-module fan-tray version 2 command to check for configuration problems, such as power-supply compatibility and power sufficiency. If there are no problems, a message is displayed to change the fan tray from version 1 to version 2. At this point, you can remove the old fan tray and quickly insert the new high-capacity fan tray.

This command is supported on the following chassis:

•WS-C6506

•WS-C6509

•WS-C6509-NEB/OSR7609

Set the version to 2 before installing higher power fan trays. Set the version to 1 before downgrading to lower power fan trays.

Command confirmation does not change the fan power consumption or cooling capacity. It updates the backplane IDPROM. The new values take effect the next time that you insert a fan.

When you execute the command, the software checks the configurations and prompts for confirmation. Any illegal configurations (such as power-supply incompatibility) result in a warning being displayed and a command failure.

Examples

This example shows how to set the fan type for lower power fan trays:

Router # hw-module fan-tray version 1

Router # 

Related Commands

hw-module oversubscription

To administratively disable the oversubscribed ports (3, 4, 7, and 8) on a module, use the hw-module oversubscription command. Use the no form of this command to enable the oversubscribed ports.

hw-module {module num} oversubscription

no hw-module {module num} oversubscription

Syntax Description

Command Default

Enabled.

Command Modes

Global configuration (config) (config)

Command History

Usage Guidelines

This command is supported on the WS-X6708-10G-3C and the WS-X6708-10G-3CXL modules only.

When you disable the oversubscribed ports, the port is put into shutdown mode. In this mode, you cannot enter the no shut command on the disabled ports. If you attempt to enter the no shut command on the disabled ports, this message appears:

The current module is operating in non-oversubscription mode. To utilise this interface, 
enable oversubscription mode for the module.

The num argument designates the module number. Valid values depend on the chassis that is used. For example, if you have a 13-slot chassis, valid values for the module number are from 1 to 13.

When you enter the show interfaces command on the disabled ports, the output displays "disabled for performance" to distinguish between the normal port shutdown and the shutdown for performance.

Examples

This example shows how to administratively disable the oversubscribed ports on a module:

Router # hw-module module 3 oversubscription

Router # 

This example shows how to administratively enable the oversubscribed ports on a module:

Router # no hw-module module 3 oversubscription

Router # 

Related Commands

hw-module reset

To reset a module by turning the power off and then on, use the hw-module reset command.

hw-module {module num} reset

Syntax Description

Command Default

This command has no default settings.

Command Modes

Privileged EXEC (#)

Command History

Usage Guidelines

The num argument designates the module number. Valid values depend on the chassis that is used. For example, if you have a 13-slot chassis, valid values for the module number are from 1 to 13.

Examples

This example shows how to reload a specific module:

Router # hw-module module 3 reset

Router # 

hw-module shutdown

To shut down the module, use the hw-module shutdown command.

hw-module {module num} shutdown

Syntax Description

Command Default

This command has no default settings.

Command Modes

Privileged EXEC (#)

Command History

Usage Guidelines

This command is supported on the SSL Services Module and the NAM.

If you enter the hw-module shutdown command to shut down the module, you will have to enter the no power enable module command and the power enable module command to restart (power down and then power up) the module.

Examples

This example shows how to shut down and restart the module:

Router# hw-module module 3 shutdown

Router# no power enable module 3

Router# power enable module 3

hw-module simulate link-up

To enable a software link on a specified module, use the hw-module simulate link-up command. For information on disabling a software link, refer to the "Usage Guidelines" section.

hw-module {module num} simulate link-up

Syntax Description

Command Default

This command has no default settings.

Command Modes

Privileged EXEC (#)

Command History

Usage Guidelines

This command is supported on Ethernet modules only.

To disable a software link on a module, you must perform one of the following procedures:

•Enter the shutdown and then the no shutdown commands on all the ports on the module.

•Enter the hw-module reset command.

When you apply this command to a module, the port LEDs on the module will glow green and simulate a link-up condition. This command can be used for testing interface configurations without cabling to the interface.

The num argument designates the module number. Valid values depend on the chassis that is used. For example, if you have a 13-slot chassis, valid values for the module number are from 1 to 13.

Examples

This example shows how to enable softlink on a module:

Router# hw-module module 3 simulate link-up

Router# 

Related Commands

instance

To map a VLAN or a set of VLANs to an MST instance, use the instance command. To return the VLANs to the default instance (CIST), use the no form of this command.

instance instance-id {vlans vlan-range}

no instance instance-id

Syntax Description

Command Default

No VLANs are mapped to any MST instance (all VLANs are mapped to the CIST instance).

Command Modes

MST configuration submode

Command History

Usage Guidelines

The vlans vlan-range is entered as a single value or a range.

The mapping is incremental, not absolute. When you enter a range of VLANs, this range is added or removed to the existing instances.

Any unmapped VLAN is mapped to the CIST instance.

You can configure up to 65 interfaces

Examples

This example shows how to map a range of VLANs to instance 2:

Router(config-mst)# instance 2 vlans 1-100

Router(config-mst)# 

This example shows how to map a VLAN to instance 5:

Router(config-mst)# instance 5 vlans 1100

Router(config-mst)# 

This example shows how to move a range of VLANs from instance 2 to the CIST instance:

Router(config-mst)# no instance 2 vlans 40-60

Router(config-mst)# 

This example shows how to move all the VLANs that are mapped to instance 2 back to the CIST instance:

Router(config-mst)# no instance 2

Router(config-mst)# 

Related Commands

interface

To select an interface to configure and enter interface configuration mode, use the interface command.

interface {type module} [.subinterface]

Syntax Description

Command Default

No interface types are configured.

Command Modes

Global configuration (config) (config)

Command History

Usage Guidelines

Table 2-11 lists the valid values for type.

By default, the Supervisor Engine 32 PISA EtherChannel (port channel interface 256, which is automatically configured with the pisa-channel command) is a 1-Gps EtherChannel.

Note The pisa-channel command is visible in the configuration file, but it is not user configurable.

You can enter the number of a port subinterface in the following format:

interface {{type module/port.subinterface}}

The Supervisor Engine 32 PISA ports are as follows:

•Supervisor Engine 32 PISA Management Ports—The console port for the Supervisor Engine 32 PISA port is an EIA/TIA-232 (RS-232) port. The Supervisor Engine 32 PISA also has two Universal Serial Bus (USB) 2.0 ports that currently are not enabled.

•Supervisor Engine 32 PISA Data Ports for the WS-S32-10GE-PISA has the following ports:

–Ports 1 and 2: XENPAK 10 Gigabit Ethernet

–Port 3: 10/100/1000 Mbps RJ-45

Note You can disable Port 3 and reallocate its port ASIC capacity to the PISA EtherChannel (see the "Configuring Full PISA EtherChannel Bandwidth" section in the Catalyst Supervisor Engine 32 PISA Cisco IOS Software Configuration Guide—Release 12.2ZY}.

•Supervisor Engine 32 PISA Data Ports for the WS-S32-GE-PISA has these ports:

–Ports 1 through 8: Small form-factor pluggable (SFP) Gigabit Ethernet

–Port 9: 10/100/1000 Mbps RJ-45 port

Note You can disable port 9 and reallocate its port ASIC capacity to the PISA EtherChannel (see the "Configuring Full PISA EtherChannel Bandwidth" section in the Catalyst Supervisor Engine 32 PISA Cisco IOS Software Configuration Guide—Release 12.2ZY).

Note After the port becomes a member of the PISA EtherChannel, only the no channel-group 256 mode on command has any effect on the port until the port is no longer a member of the PISA EtherChannel. While the port is a member of the PISA EtherChannel, all port configuration commands except the no channel-group 256 mode on command are ignored.

On a WS-S32-GE-PISA, you can allocate both ports 8 and 9 to the PISA EtherChannel.

You cannot enter any configuration under port channel interface 256.

The PISA EtherChannel MTU size is 4,096 bytes.

Examples

This example shows how to allocate the port ASIC capacity of port 3 to the PISA EtherChannel on a WS-S32-10GE-PISA that is installed in slot 5:

Router(config)# interface gigabitethernet 5/3

Router(config-if)# channel-group 256 mode on

Router(config-if)# 

This example shows how to allocate the port ASIC capacity of port 9 to the PISA EtherChannel on a WS-S32-GE-PISA that is installed in slot 5:

Router(config)# interface gigabitethernet 5/9

Router(config-if)# channel-group 256 mode on

Router(config-if)# 

This example shows how to revert to the default port ASIC capacity allocation.

Router(config)# interface gigabitethernet 5/9

Router(config-if)# no channel-group 256 mode on

Router(config-if)# 

Related Commands

interface port-channel

To create a port-channel virtual interface and enter interface configuration mode, use the interface port-channel command. To remove a virtual interface or subinterface, use the no form of this command.

interface port-channel channel-number[.subinterface]

no interface port-channel channel-number[.subinterface]

Syntax Description

Command Default

This command has no default settings.

Command Modes

Global configuration (config) (config)

Command History

Usage Guidelines

This command is not supported on the IDSM and NAM.

This command is supported on EtherChannel, Fast EtherChannel, Gigabit EtherChannel, and 10-Gigabit EtherChannel interfaces.

The channel-number argument can be from 1 to 256, with a maximum of 128 port-channel interfaces.

You can create Layer 2 port channels dynamically or by entering the interface port-channel command; you can create Layer 3 port channels by entering the interface port-channel command only. You cannot create Layer 3 port channels dynamically.

Only one port channel in a channel group is allowed.

Ports can be bundled across any module.

Caution The Layer 3 port-channel interface is the routed interface. Do not enable Layer 3 addresses on the physical Fast Ethernet interfaces.

When you use the interface port-channel command, follow these guidelines:

•If you configure ISL, you must assign the IP address to the SVI.

•If you want to use CDP, you must configure it only on the physical Fast Ethernet interface and not on the port-channel interface.

•If you do not assign a static MAC address on the port-channel interface, a MAC address is automatically assigned. If you assign a static MAC address and then later remove it, the MAC address is automatically assigned.

Examples

This example shows how to create a port-channel interface with a channel-group number of 256:

Router(config)# interface port-channel 256

Creating a switch port Po256. channel-group 256 is L2

Router(config-if)#

Note The port-channel interface counters that are shown by the show counters interface port-channel and show interface port-channel counters commands are not supported for channel groups that are using GE-WAN interfaces for QinQ link bundling. The show interface port-channel {number | number.subif} command (without the counters keyword) is supported, however.

Related Commands

interface range

To execute a command on multiple ports at the same time, use the interface range command.

interface range {port-range | {macro name}}

Syntax Description

Command Default

This command has no default settings.

Command Modes

Global or interface configuration

Command History

Usage Guidelines

The values that you entered with the interface range vlan command are applied to all existing VLAN SVIs.

Before you can use a macro, you must define a range using the define interface-range command.

All configuration changes that are made to a port range are saved to NVRAM, but port ranges that are created with the interface range command are not saved to NVRAM.

You can enter the port range in two ways:

•Specifying up to five port ranges

•Specifying a previously defined macro

You can either specify the ports or the name of a port-range macro. A port range must consist of the same port type, and the ports within a range cannot span slots.

You can define up to five port ranges on a single command with each range separated by a comma.

You can enter the range with or without white spaces. For example, you can enter the range as gigabitethernet 7/1 -7 or gigabitethernet 7/1-7.

When you enter a range of VLANs, any SVIs that do not exist within that range are created.

When entering the port-range, use this format: card-type {slot}/{first-port} - {last-port}.

Valid values for card-type are as follows:

•ethernet

•fastethernet

•gigabitethernet

•loopback

•tengigabitethernet

•tunnel

•ge-wan

•pos

•atm

•vlan vlan-id (valid values are from 1 to 4094)

•port-channel interface-number (valid values are from 1 to 256)

You cannot specify both a macro and an interface range in the same command. After creating a macro, the CLI does not allow you to enter additional ranges. If you have already entered an interface range, the CLI does not allow you to enter a macro.

In addition, you can specify a single interface in port-range.

Examples

This example shows how to execute a command on two port ranges:

Router(config)# interface range fastethernet 5/18 -20, ethernet 3/1 -24

Router(config-if-range)#

This command shows how to execute a port-range macro:

Router(config)# interface range macro macro1

Router(config-if-range)#

Related Commands

interface vlan

To create or access a dynamic SVI, use the interface vlan command. To delete an SVI, use the no form of this command.

interface vlan vlan-id

no interface vlan vlan-id

Syntax Description

Command Default

Fast EtherChannel is not specified.

Command Modes

Global configuration (config) (config)

Command History

Usage Guidelines

SVIs are created the first time that you enter the interface vlan vlan-id command for a particular VLAN. The vlan-id value corresponds to the VLAN tag that is associated with the data frames on an ISL, the 802.1Q-encapsulated trunk, or the VLAN ID that is configured for an access port. A message displays whenever you create a new VLAN interface, so that you can check if you entered the correct VLAN number.

If you delete an SVI by entering the no interface vlan vlan-id command, the associated IDB pair is forced into an administrative down state and is marked as deleted. The deleted interface will not be visible in the show interface command.

You can reinstate a deleted SVI by entering the interface vlan vlan-id command for the deleted interface. The interface comes back up, but much of the previous configuration is gone.

VLANs 1006 to 1014 are internal VLANs on the Catalyst 6500 series switch and cannot be used for creating new VLANs.

Examples

This example shows the output when you enter the interface vlan vlan-id command for a new VLAN number:

Router(config)# interface vlan 23

% Creating new VLAN interface.

Router(config)#

inter-packet gap 6502-mode

To set the IPG value, use the inter-packet gap 6502-mode command. To return to the default settings, use the no form of this command.

inter-packet gap 6502-mode

no inter-packet gap 6502-mode

Syntax Description

This command has no keywords or arguments.

Command Default

All fragments from flows that are received from an ACE with Layer 4 ports and permit action are permitted. All other fragments are dropped in the hardware. This action also applies to flows that are handled in the software regardless of this command setting.

Command Modes

Interface configuration (config-if)

Command History

Usage Guidelines

This command is supported on situations where a WS-X6704-10GE is connected to a WS-X6502-10GE only. You enter this command to change the IPG value of the WS-X6704-10GE to match the WS-X6502-10GE.

The default 6704 mode sets the IPG value to average 12. Based on packet size, the IPG between successive packets range from 9 to 15.

The 6502 mode sets the IPG value to average 16. Based on packet size, the IPG between successive packets range from 13 to 19.

Examples

This example shows how to set the IPG to 6502 mode:

Router(config-if)# inter-packet gap 6502-mode

Router(config-if)# 

This example shows how to set the IPG to the default mode:

Router(config-if)# no inter-packet gap 6502-mode

Router(config-if)# 

ip access-list hardware permit fragments

To permit all noninitial fragments in the hardware, use the ip access-list hardware permit fragments command. To return to the default settings, use the no form of this command.

ip access-list hardware permit fragments

no ip access-list hardware permit fragments

Syntax Description

This command has no keywords or arguments.

Command Default

All fragments from flows that are received from an ACE with Layer 4 ports and permit action are permitted. All other fragments are dropped in the hardware. This action also applies to flows that are handled in the software regardless of this command setting.

Command Modes

Global configuration (config) (config)

Command History

Usage Guidelines

Flow fragments that match ACEs with Layer 4 ports and permit results are permitted in the hardware, and all other fragments are dropped. An entry is added in the TCAM for each ACE with Layer 4 ports and permit action. This action could cause large ACLs to not fit in the TCAM. If this situation occurs, use the ip access-list hardware permit fragments command to permit all noninitial fragments in the hardware.

This command affects all ACLs that are currently applied to interfaces and not only newly-applied ACLs.

The initial flow fragments that match the ACEs with Layer 4 ports and permit results are permitted in the hardware. All other initial fragments are dropped in the hardware.

Examples

This example shows how to permit all noninitial fragments in the hardware:

Router(config)# ip access-list hardware permit fragments

Router(config)#

This example shows how to return to the default settings:

Router(config)# no ip access-list hardware permit fragments

Router(config)#

Related Commands

ip arp inspection filter vlan

To permit ARPs from hosts that are configured for static IP when DAI is enabled and to define an ARP access list and apply it to a VLAN, use the ip arp inspection filter vlan command. To disable this application, use the no form of this command.

ip arp inspection filter arp-acl-name {vlan vlan-range} [static]

no ip arp inspection filter arp-acl-name {vlan vlan-range} [static]

Syntax Description

Command Default

No defined ARP ACLs are applied to any VLAN.

Command Modes

Global configuration (config) (config)

Command History

Usage Guidelines

For vlan-range, you can specify the VLAN to which the switches and hosts belong. You can specify a single VLAN identified by a VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma.

When an ARP access control list is applied to a VLAN for dynamic ARP inspection, the ARP packets containing only the IP-to-Ethernet MAC bindings are compared against the ACLs. All other packet types are bridged in the incoming VLAN without validation.

This command specifies that the incoming ARP packets are compared against the ARP access control list, and the packets are permitted only if the access control list permits them.

If the access control lists deny the packets because of explicit denies, the packets are dropped. If the packets are denied because of an implicit deny, they are then matched against the list of DHCP bindings if the ACL is not applied statically.

If you do not specify the static keyword, it means that there is no explicit deny in the ACL that denies the packet, and DHCP bindings determine whether a packet is permitted or denied if the packet does not match any clauses in the ACL.

Examples

This example shows how to apply the ARP ACL static hosts to VLAN 1 for DAI:

Switch# config terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)# ip arp inspection filter static-hosts vlan 1

Router(config)# 

Related Commands

ip arp inspection limit

To limit the rate of incoming ARP requests and responses on an interface and prevent DAI from consuming all of the system's resources in the event of a DoS attack, use the ip arp inspection limit command. To return to the default settings, use the no form of this command.

ip arp inspection limit {rate pps [{burst interval seconds}]} | none

no ip arp inspection limit

Syntax Description

Command Default

The default settings are as follows:

•The rate pps is set to 15 packets per second on the untrusted interfaces, assuming that the network is a switched network with a host connecting to as many as 15 new hosts per second.

•The rate is unlimited on all the trusted interfaces.

•The burst interval seconds is set to 1 second.

Command Modes

Interface configuration (config-if)

Command History

Usage Guidelines

You should configure the trunk ports with higher rates to reflect their aggregation. When the rate of the incoming packets exceeds the user-configured rate, the interface is placed into an error-disabled state. You can use the error-disable timeout feature to remove the port from the error-disabled state. The rate applies to both the trusted and nontrusted interfaces. Configure appropriate rates on trunks to handle the packets across multiple DAI-enabled VLANs, or use the none keyword to make the rate unlimited.

The rate of the incoming ARP packets on the channel ports is equal to the sum of the incoming rate of packets from all the channel members. Configure the rate limit for the channel ports only after examining the rate of the incoming ARP packets on the channel members.

After a switch receives more than the configured rate of packets every second consecutively over a period of burst seconds, the interface is placed into an error-disabled state.

Examples

This example shows how to limit the rate of the incoming ARP requests to 25 packets per second:

Router# config terminal

Router(config)# interface fa6/3

Router(config-if)# ip arp inspection limit rate 25

Router(config-if)# 

This example shows how to limit the rate of the incoming ARP requests to 20 packets per second and to set the interface monitoring interval to 5 consecutive seconds:

Router# config terminal

Router(config)# interface fa6/1

Router(config-if)# ip arp inspection limit rate 20 burst interval 5

Router(config-if)# 

Related Commands

ip arp inspection log-buffer

To configure the parameters that are associated with the logging buffer, use the ip arp inspection log-buffer command. To disable the parameters, use the no form of this command.

ip arp inspection log-buffer {{entries number} | {logs number} {interval seconds}}

no ip arp inspection log-buffer {entries | logs}

Syntax Description

Command Default

The default settings are as follows:

•When dynamic ARP inspection is enabled, denied, or dropped, the ARP packets are logged.

•The entries number is 32.

•The logs number is 5 per second.

•The interval seconds is 1 second.

Command Modes

Global configuration (config) (config)

Command History

Usage Guidelines

A 0 value for the logs number indicates that the entries should not be logged out of this buffer.

A 0 value for the interval seconds keyword and argument indicates an immediate log.

You cannot enter a 0 for both the logs number and the interval seconds keywords and arguments.

The first dropped packet of a given flow is logged immediately. The subsequent packets for the same flow are registered but are not logged immediately. Registration for these packets occurs in a log buffer that is shared by all the VLANs. Entries from this buffer are logged on a rate-controlled basis.

Examples

This example shows how to configure the logging buffer to hold up to 45 entries:

Router# config terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)# ip arp inspection log-buffer entries 45

Router(config)# 

This example shows how to configure the logging rate for 10 logs per 3 seconds:

Router(config)# ip arp inspection log-buffer logs 10 interval 3

Router(config)# 

Related Commands

ip arp inspection trust

To set a per-port configurable trust state that determines the set of interfaces where incoming ARP packets are inspected, use the ip arp inspection trust command. To make the interfaces untrusted, use the no form of this command.

ip arp inspection trust

no ip arp inspection trust

Syntax Description

This command has no arguments or keywords.

Command Default

This command has no default settings.

Command Modes

Interface configuration (config-if)

Command History

Examples

This example shows how to configure an interface to be trusted:

Router# config terminal

Router(config)# interface fastEthernet 6/3

Router(config-if)# ip arp inspection trust 

Router(config-if)# 

Related Commands

ip arp inspection validate

To perform specific checks for an ARP inspection, use the ip arp inspection validate command. To disable ARP inspection checks, use the no form of this command.

ip arp inspection validate [src-mac] [dst-mac] [ip]

no ip arp inspection validate [src-mac] [dst-mac] [ip]

Syntax Description

Command Default

Disabled

Command Modes

Global configuration (config) (config)

Command History

Usage Guidelines

The sender IP addresses are checked in all ARP requests and responses, and target IP addresses are checked only in ARP responses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses.

The src-mac checks are issued against both ARP requests and responses. The dst-mac checks are issued for ARP responses.

Note When enabled, packets with different MAC addresses are classified as invalid and are dropped.

When enabling the checks, specify at least one of the keywords (src-mac, dst-mac, and ip) on the command line. Each command overrides the configuration of the previous command. If a command enables src and dst mac validations, and a second command enables IP validation only, the src and dst mac validations are disabled as a result of the second command.

The no form of this command disables only the specified checks. If no check options are enabled, all the checks are disabled.

Examples

This example shows how to enable the source MAC validation:

Router(config)# ip arp inspection validate src-mac 

Router(config)# 

Related Commands

ip arp inspection vlan

To enable DAI on a per-VLAN basis, use the ip arp inspection vlan command. To disable DAI, use the no form of this command.

ip arp inspection vlan vlan-range

no ip arp inspection vlan vlan-range

Syntax Description

Command Default

ARP inspection is disabled on all VLANs.

Command Modes

Global configuration (config) (config)

Command History

Usage Guidelines

For vlan-range, you can specify a single VLAN identified by a VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma.

You must specify on which VLANs to enable DAI. DAI may not function on the configured VLANs if the VLAN has not been created or is a private VLAN.

Examples

This example shows how to enable DAI on VLAN 1:

Router(config)# ip arp inspection vlan 1

Router(config)# 

Related Commands

ip arp inspection vlan logging

To control the type of packets that are logged, use the ip arp inspection vlan logging command. To disable this logging control, use the no form of this command.

ip arp inspection vlan vlan-range logging {acl-match {matchlog | none} | dhcp-bindings {permit | all | none}}

no ip arp inspection vlan vlan-range logging {acl-match | dhcp-bindings}

Syntax Description

Command Default

All denied or dropped packets are logged.

Command Modes

Global configuration (config) (config)

Command History

Usage Guidelines

By default, the matchlog keyword is not available on the ACEs. When you enter the matchlog keyword, denied packets are not logged. Packets are logged only when they match against an ACE that has the matchlog keyword.

The acl-match and dhcp-bindings keywords merge with each other. When you set an ACL match configuration, the DHCP bindings configuration is not disabled. You can use the no form of this command to reset some of the logging criteria to their defaults. If you do not specify either option, all the logging types are reset to log on when the ARP packets are denied. The two options that are available are as follows:

•acl-match—Logging on ACL matches is reset to log on deny

•dhcp-bindings—Logging on DHCP bindings is reset to log on deny

Examples

This example shows how to configure an ARP inspection on VLAN 1 to add packets to a log that matches the ACLs:

Router# config terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)# ip arp inspection vlan 1 logging acl-match matchlog 

Router(config)# 

Related Commands

ip auth-proxy max-login-attempts

To limit the number of login attempts at a firewall interface, use the ip auth-proxy max-login-attempts command. To return to the default settings, use the no form of this command.

ip auth-proxy max-login-attempts 1-maxint

no ip auth-proxy max-login-attempts

Syntax Description

Command Default

1-maxint is 5.

Command Modes

Interface configuration (config-if)

Command History

Usage Guidelines

This command is supported on the firewall interfaces only.

The maximum login attempt functionality is independent of the watch-list feature. If you do not configure a watch list (using the ip access-list hardware permit fragments command) and you configure a maximum login attempt, the existing authentication proxy behavior occurs but displays the new number for retries. If you configure a watch list, the IP address is put in the watch list, once the configured number of attempts has been reached.

Examples

This example shows how to set a limit to the number of login attempts at a firewall interface:

Router(config-if)# ip auth-proxy max-login-attempts 4

Router(config-if)#

Related Commands

ip auth-proxy watch-list

To enable and configure an authentication proxy watch list, use the ip auth-proxy watch-list command. See the "Usage Guidelines" section for the no form of this command usage.

ip auth-proxy watch-list {{add-item ip-addr} | enable | {expiry-time minutes}}

no ip auth-proxy watch-list [{add-item ip-addr} | expiry-time]

Syntax Description

Command Default

The defaults are as follows:

•minutes is 30 minutes.

•The watch-list functionality is disabled.

Command Modes

Interface configuration (config-if)

Command History

Usage Guidelines

The valid values for minutes are from 0 to the largest 32-bit positive number (0x7FFFFFFF or 2147483647 in decimal). Setting the minutes to 0 (zero) places the entries in the list permanently.

This command is supported on the firewall interfaces only.

Use the no form of this command to do the following:

•no ip auth-proxy watch-list—Disables the watch-list functionality.

•no ip auth-proxy watch-list add-item ip-addr—Removes the IP address from the watch list.

•no ip auth-proxy watch-list expiry-time—Returns to the default setting.

A watch list consists of IP addresses that have opened TCP connections to port 80 and have not sent any data. No new connections are accepted from this type of IP address (to port 80) and the packet is dropped.

An entry remains in the watch list for the time that is specified by expiry-time minutes.

When you disable a watch list, no new entries are put into the watch list, but the sessions are put in SERVICE_DENIED state. The timer deletes sessions after 2 minutes.

Examples

This example shows how to enable an authentication proxy watch list:

Router(config-if)# ip auth-proxy watch-list enable

Router(config-if)#

This example shows how to disable an authentication proxy watch list:

Router(config-if)# no ip auth-proxy watch-list

Router(config-if)#

This example shows how to add an IP address to a watch list:

Router(config-if)# ip auth-proxy watch-list add-item 12.0.0.2

Router(config-if)#

This example shows how to set the duration of time that an entry is in a watch list:

Router(config-if)# ip auth-proxy watch-list expiry-time 29

Router(config-if)#

Related Commands

ip casa

To configure the router to function as a forwarding agent, use the ip casa command. To disable the forwarding agent, use the no form of this command.

ip casa [control-address igmp-address [udp-limit]]

no ip casa

Syntax Description

Command Default

The default udp-limit value is 256.

Command Modes

Global configuration (config) (config)

Command History

Usage Guidelines

If more than the maximum udp-limit value arrives in a burst, the CASA wildcard updates from the service manager might get dropped.

The control-address value is unique for each forwarding agent.

Examples

This example shows how to specify the IP address (10.10.4.1) and IGMP address (224.0.1.2) for the forwarding agent and set the UDP queue length to 300:

Router(config)# ip-casa 10.10.4.1 224.0.1.2 300

Router(config)# 

Related Commands

ip cef load-sharing algorithm

To select a CEF load-balancing algorithm, use the ip cef load-sharing algorithm command. To return to the default universal load-balancing algorithm, use the no form of this command.

ip cef load-sharing algorithm {original | tunnel [id] | universal [id]}

no ip cef load-sharing algorithm {original | tunnel [id] | universal [id]}

Syntax Description

Command Default

The universal load-balancing is selected.

Command Modes

Global configuration (config) (config)

Command History

Usage Guidelines

The original CEF load-sharing algorithm produced distortions in load-balancing across multiple routers due to the use of the same algorithm on every router. When the load-balancing algorithm is set to universal mode, each router on the network can make a different load-balancing decision for each source-destination address pair which resolves load-balancing distortions.

Use the tunnel algorithm to share the load more fairly when only a few source-destination pairs are involved.

Examples

This example shows how to enable the CEF load-balancing algorithm for universal environments:

Router(config)# ip cef load-sharing algorithm universal 1

Router(config)#

Related Commands

ip cef table consistency-check

To enable the CEF-table consistency-checker types and parameters, use the ip cef table consistency-check command. To disable consistency checkers, use the no form of this command.

ip cef table consistency-check [type {lc-detect | scan-lc | scan-rib | scan-rp}] [count count-number] [period seconds]

ip cef table consistency-check [settle-time seconds]

no ip cef table consistency-check [type {lc-detect | scan-lc | scan-rib | scan-rp}] [count count-number] [period seconds]

no ip cef table consistency-check [settle-time seconds]

Syntax Description

Command Default

Enabled

Command Modes

Global configuration (config) (config)

Command History

Usage Guidelines

This command configures CEF-table consistency checkers and parameters for the detection mechanism types that are listed in Table 2-12.

Examples

This example shows how to enable the CEF-table consistency checkers:

Router(config)# ip cef table consistency-check

Router(config)# 

Related Commands

ip dhcp relay information option trust-all

To enable all the interfaces as trusted sources of the DHCP relay-agent information option, use the ip dhcp relay information option trust-all command. To return to the default settings, use the no form of this command.

ip dhcp relay information option trust-all

no ip dhcp relay information option trust-all

Syntax Description

This command has no arguments or keywords.

Command Default

The DHCP server does not insert relay information.

Command Modes

Global configuration (config) (config)

Command History

Usage Guidelines

This command is used by cable access router termination systems. This functionality enables a DHCP server to identify the user (cable access router) sending the request and initiate appropriate action that is based on this information.

Examples

This example shows how to specify that all interfaces on the router are trusted:

Router(config)# ip dhcp relay information option trust-all

Router(config)# 

Related Commands

ip dhcp relay information trust

To enable an interface as a trusted source of the DHCP relay-agent information, use the ip dhcp relay information trust command. To return to the default settings, use the no form of this command.

ip dhcp relay information trust

no ip dhcp relay information trust

Syntax Description

This command has no arguments or keywords.

Command Default

All interfaces on the router are untrusted.

Command Modes

Interface configuration (config-if)

Command History

Usage Guidelines

Configuring an interface as a trusted source of relay-agent information allows the interface to receive DHCP discover or request packets. DHCP discover or request packets contain the relay-agent information option.

Examples

This example shows how to specify that the interface is trusted:

Router(config)# ip dhcp relay information trust

Router(config)# 

Related Commands

ip dhcp route connected

To specify routes as connected routes, use the ip dhcp route connected command. To return to the default settings, use the no form of this command.

ip dhcp route connected

no ip dhcp route connected

Syntax Description

This command has no arguments or keywords.

Command Default

All interfaces on the router are untrusted.

Command Modes

Global configuration (config) (config)

Command History

Usage Guidelines

If you enable the ip dhcp route connected command, DHCP downloads the route database from a database agent and adds the routes as connected routes, even though they may have been added as static routes previously.

Examples

This example shows how to specify routes as connected routes:

Router(config)# ip dhcp route connected

Router(config)# 

ip dhcp snooping

To globally enable DHCP snooping, use the ip dhcp snooping command. To disable DHCP snooping, use the no form of this command.

ip dhcp snooping

no ip dhcp snooping

Syntax Description

This command has no arguments or keywords.

Command Default

Disabled

Command Modes

Global configuration (config) (config)

Command History

Usage Guidelines

Wireless clients, or mobile nodes, gain access to an untrusted wireless network only if there is a corresponding entry in the DHCP snooping database. Enable DHCP snooping globally by entering the ip dhcp snooping command, and enable DHCP snooping on the tunnel interface by entering the ip dhcp snooping packets command. After you enable DHCP snooping, the process snoops DHCP packets to and from the mobile nodes and populates the DHCP snooping database.

Examples

This example shows how to enable DHCP snooping:

Router(config) # ip dhcp snooping

Router(config) #

This example shows how to disable DHCP snooping:

Router(config) # no ip dhcp snooping

Router(config) #

Related Commands

ip dhcp snooping binding

To set up and generate a DHCP binding configuration to restore bindings across reboots, use the ip dhcp snooping binding command. To disable the binding configuration, use the no form of this command.

ip dhcp snooping binding mac-address {vlan vlan} ip-address {interface interface interface-number} {expiry seconds}

no ip dhcp snooping binding mac-address vlan vlan-# ip-address interface interface

Syntax Description

Command Default

This command has no default settings.

Command Modes

Privileged EXEC (#)

Command History

Usage Guidelines

When you add or remove a binding using this command, the binding database is marked as changed and a write is initiated.

A maximum of 512 bindings are allowed in the DHCP snooping database.

Examples

This example shows how to generate a DHCP binding configuration on interface gigabitethernet1/1 in VLAN 1 with an expiration time of 1000 seconds:

Router# ip dhcp snooping binding 0000.0c00.40af vlan 1 10.42.0.6 interface gi1/1 expiry 1000

Router#

Related Commands

ip dhcp snooping database

To configure the DHCP-snooping database, use the ip dhcp snooping database command.

ip dhcp snooping database {bootflash:url | ftp:url | rcp:url | scp:url | sup-bootflash: | tftp:url}

ip dhcp snooping database {timeout timeout | write-delay time}

Syntax Description

Command Default

This command has no default settings.

Command Modes

Global configuration (config) (config)

Command History

Usage Guidelines

You must enable DHCP snooping on the interface before entering this command. Use the ip dhcp snooping command to enable DHCP snooping.

Examples

This example shows how to specify the database URL using TFTP:

Router(config)# ip dhcp snooping database tftp://90.90.90.90/snooping-rp2

Router(config)#

This example shows how to specify the amount of time before writing DHCP snooping entries to an external server:

Router(config)# ip dhcp snooping database write-delay 15

Router(config)#

Related Commands

ip dhcp snooping information option

To enable DHCP option 82 data insertion, use the ip dhcp snooping information option command. To disable DHCP option 82 data insertion, use the no form of this command.

ip dhcp snooping information option [allow-untrusted]

no ip dhcp snooping information option

Syntax Description

Command Default

The defaults are as follows:

•ip dhcp snooping information option—Enabled

•ip dhcp snooping information option allow-untrusted—Disabled

Command Modes

Global configuration (config) (config)

Command History

Usage Guidelines

DHCP option 82 is part of RFC 3046. DHCP is an application-layer protocol that is used for the dynamic configuration of TCP/IP networks. The protocol allows for a relay agent to pass DHCP messages between the DHCP clients and DHCP servers. By using a relay agent, servers do not have to be on the same network as the clients. Option 82 (82 is the option's code) addresses the security and scalability issues. Option 82 resides in the relay agent when DHCP packets that originate from the forwarding client are sent to the server. Servers that recognize option 82 may use the information to implement the IP address or other parameter assignment policies. The DHCP server echoes the option back to the relay agent in its replies. The relay agent strips out the option from the relay agent before forwarding the reply to the client.

When you enter the ip dhcp snooping information option allow-untrusted on an aggregation switch that is connected to an edge switch through an untrusted interface, the aggregation switch accepts packets with option 82 information from the edge switch. The aggregation switch learns the bindings for hosts connected through an untrusted switch interface. You can enable the DHCP security features, such as dynamic ARP inspection or IP source guard, on the aggregation switch while the switch receives packets with option 82 information on untrusted input interfaces to which hosts are connected. You must configure the port on the edge switch that connects to the aggregation switch as a trusted interface.

Caution Do not enter the ip dhcp snooping information option allow-untrusted command on an aggregation switch that is connected to an untrusted device. If you enter this command, an untrusted device might spoof the option 82 information.

Examples

This example shows how to enable DHCP option 82 data insertion:

Router(config)# ip dhcp snooping information option

Router(config)# 

This example shows how to disable DHCP option 82 data insertion:

Router(config)# no ip dhcp snooping information option

Router(config)# 

This example shows how to enable the switch to accept incoming DHCP snooping packets with option 82 information from the edge switch:

Router(config)# ip dhcp snooping information option allow-trusted

Router(config)# 

Related Commands

ip dhcp snooping limit rate

To configure the number of the DHCP messages that an interface can receive per second, use the ip dhcp snooping limit rate command. To disable the DHCP message rate limiting, use the no form of this command.

ip dhcp snooping limit rate rate

no ip dhcp snooping limit rate

Syntax Description

Command Default

Disabled

Command Modes

Interface configuration (config-if)

Command History

Usage Guidelines

This command is supported on Layer 2 switch-port and port-channel interfaces only.

Typically, the rate limit applies to the untrusted interfaces. If you want to set up rate limiting for the trusted interfaces, note that the trusted interfaces aggregate all DHCP traffic in the switch, and you will need to adjust the rate limit of the interfaces to a higher value.

Examples

This example shows how to specify the number of DHCP messages that a switch can receive per second:

Router(config-if)# ip dhcp snooping limit rate 150

Router(config)# 

This example shows how to disable the DHCP message rate limiting:

Router(config-if)# no ip dhcp snooping limit rate

Router(config)# 

Related Commands