Table Of Contents
Catalyst 3550 Switch Cisco IOS Commands
access-list hardware program nonblocking
clear l2protocol-tunnel counters
clear spanning-tree detected-protocols
ip dhcp snooping information option
ip dhcp snooping information option format snmp-ifindex
ip igmp snooping report-suppression
ip igmp snooping source-only-learning age-timer
ip vrf (interface configuration)
mac address-table notification
match (access-map configuration)
match (class-map configuration)
Catalyst 3550 Switch Cisco IOS Commands
aaa accounting dot1x
Use the aaa accounting dot1x global configuration command to enable authentication, authorization, and accounting (AAA) accounting and to create method lists defining specific accounting methods on a per-line or per-interface basis for 802.1x sessions. Use the no form of this command to disable 802.1x accounting.
aaa accounting dot1x {name | default} start-stop {broadcast group {name | radius | tacacs+} [group {name | radius | tacacs+} ... ] | group {name | radius | tacacs+} [group {name | radius | tacacs+} ...]}
no aaa accounting dot1x {name | default}
Syntax Description
Defaults
AAA accounting is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
This command requires access to a RADIUS server.
Note
We recommend that you enter the dot1x reauthentication interface configuration command before configuring 802.1x RADIUS accounting on an interface.
Examples
This example shows how to configure 802.1x accounting:
Switch(config)# aaa accounting dot1xSwitch(config)#
Note
Related Commands
Command
Description
Specifies one or more AAA methods for use on interfaces running 802.1x.
Sets the number of seconds between re-authentication attempts.
aaa authentication dot1x
Use the aaa authentication dot1x global configuration command to specify one or more authentication, authorization, and accounting (AAA) methods for use on interfaces running IEEE 802.1x. Use the no form of this command to disable authentication.
aaa authentication dot1x {default} method1 [method2...]
no aaa authentication dot1x {default}
Syntax Description
Defaults
No authentication is performed.
Command Modes
Global configuration
Command History
Usage Guidelines
The method argument identifies the list of methods that the authentication algorithm tries in the given sequence to validate the password provided by the client. The only method that is truly 802.1x-compliant is the group radius method, in which the client data is validated against a RADIUS authentication server. The remaining methods enable AAA to authenticate the client by using locally configured data. For example, the local and local-case methods use the username and password that are saved in the Cisco IOS configuration file. The enable and line methods use the enable and line passwords for authentication.
If you specify group radius, you must configure the RADIUS server by entering the radius-server host global configuration command.
If you are not using a RADIUS server, you can use the local or local-case methods, which access the local username database to perform authentication. By specifying the enable or line methods, you can supply the clients with a password to provide access to the switch.
Use the show running-config privileged EXEC command to display the configured lists of authentication methods.
Examples
This example shows how to enable AAA and how to create an authentication list for 802.1x. This authentication first tries to contact a RADIUS server. If this action returns an error, the user is allowed access with no authentication.
Switch(config)# aaa new-modelSwitch(config)# aaa authentication dot1x default group radius noneYou can verify your settings by entering the show running-config privileged EXEC command.
Related Commands
access-list hardware program nonblocking
Use the access-list hardware program nonblocking global configuration command to cause the system to continue to forward frames even while a new security access-control list (ACL) configuration is being programmed into the hardware. Use the no form of this command to return to the default behavior, where traffic is blocked on affected interfaces when changes are made to the security ACL configuration while the hardware is updated with the new configuration.
access-list hardware program nonblocking
no access-list hardware program nonblocking
Syntax Description
This command has no arguments or keywords.
Defaults
Traffic is blocked on affected interfaces while a new ACL configuration is loaded into hardware.
Command Modes
Global configuration
Command History
Usage Guidelines
By default, when changes are made to the configuration of security ACLs, the system completely blocks traffic on the affected ports or VLANs while it is updating the hardware to the new configuration. This includes any changes that affect the ternary content addressable memory (TCAM), including applying an ACL to an interface or making changes to VLAN maps or ACLs that are used for security features. This prevents the possibility of forwarding frames that should have been dropped because a partially loaded configuration permitted a frame that the complete configuration would have blocked.
You can use the access-list hardware program nonblocking command to set the system to continue to forward frames while a new security ACL configuration is being programmed into the hardware. Enabling this setting might cause less disruption to traffic that should be allowed while the hardware is being updated, but might also temporarily allow some traffic that would be denied when the new configuration is completely loaded.
Examples
This example shows how to set the system to continue forwarding frames while a new security ACL configuration is being programmed into hardware:
Switch (config)# access-list hardware program nonblockingYou can verify your setting by entering the show running-config | include access-list hardware privileged EXEC command.
Related Commands
access-list {deny | permit}
Configures a standard numbered ACL. For syntax information, refer to the Cisco IOS IP and IP Routing Command Reference for IOS Release 12.1 > IP Addressing and Services > IP Services Commands.
action (access map configuration)
Defines or modifies the action for the VLAN access map entry.
ip access-group
Applies an IP access list to a Layer 2 or Layer 3 interface.
ip access-list
Configures a named access list. For syntax information, refer to the Cisco IOS IP and IP Routing Command Reference for IOS Release 12.1 > IP Addressing and Services > IP Services Commands.
Applies a MAC access list to a Layer 2 interface.
Defines the match conditions for a VLAN map.
show running-config | include access-list hardware
Displays the current operating configuration. For syntax information, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1 > Cisco IOS File Management Commands > Configuration File Commands.
Creates a VLAN access map or enters access-map configuration mode.
Applies a VLAN map to one or more VLANs.
action
Use the action access map configuration command to set the action for the VLAN access map entry. Use the no form of this command to return to the default setting.
action {drop | forward}
no action
Syntax Description
drop
Drop the packet when the specified conditions are matched.
forward
Forward the packet when the specified conditions are matched.
Defaults
The default action is to forward packets.
Command Modes
Access-map configuration
Command History
Usage Guidelines
You enter access-map configuration mode by using the vlan access-map global configuration command.
If the action is drop, you should define the access map, including configuring any access control list (ACL) names in match clauses, before applying the map to a VLAN, or all packets could be dropped.
In access map configuration mode, use the match access map configuration command to define the match conditions for a VLAN map. Use the action command to set the action that occurs when a packet matches the conditions.
The drop and forward parameters are not used in the no form of the command.
Examples
This example shows how to identify and apply a VLAN access map vmap4 to VLANs 5 and 6 that causes the VLAN to forward an IP packet if the packet matches the conditions defined in access list al2:
Switch(config)# vlan access-map vmap4Switch(config-access-map)# match ip address al2Switch(config-access-map)# action forwardSwitch(config-access-map)# exitSwitch(config)# vlan filter vmap4 vlan-list 5-6You can verify your settings by entering the show vlan access-map privileged EXEC command.
Related Commands
archive download-sw
Use the archive download-sw privileged EXEC command to download a new image to the switch and overwrite or keep the existing image.
archive download-sw {/force-reload | /imageonly | /leave-old-sw | /no-set-boot | /overwrite | /reload | /safe} source-url
Syntax Description
Defaults
The current software image is not overwritten with the downloaded image.
Both the software image and HTML files are downloaded.
The new image is downloaded to the flash: file system.
The BOOT environment variable is changed to point to the new software image on the flash: file system.
Image names are case sensitive; the image file is provided in tar format.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use the /overwrite option to overwrite the image on the flash device with the downloaded one.
If the flash device has sufficient space to hold two images and you want to overwrite one of these images with the same version, you must specify the /overwrite option.
If you specify the command without the /overwrite option, the download algorithm verifies that the new image is not the same as the one on the switch flash device. If the images are the same, the download does not occur. If the images are different, the old image is deleted, and the new one is downloaded.
The /imageonly option removes the HTML files for the existing image if the existing image is being removed or replaced. Only the Cisco IOS image (without the HTML files) is downloaded.
Using the /safe or /leave-old-sw option can cause the new image download to fail if there is insufficient flash space.
If you used the /leave-old-sw option and did not overwrite the old image when you downloaded the new one, you can remove the old image by using the delete privileged EXEC command. For more information, see the "delete" section.
If you leave the existing software in place before downloading the new image, an error results if the existing software will prevent the new image from fitting onto flash memory.
After downloading a new image, enter the reload privileged EXEC command to begin using the new image, or specify the /reload or /force-reload option in the archive download-sw command.
Examples
This example shows how to download a new image from a TFTP server at 172.20.129.10 and overwrite the image on the switch:
Switch# archive download-sw /overwrite tftp://172.20.129.10/test-image.tarThis example shows how to download only the software image from a TFTP server at 172.20.129.10 to the switch:
Switch# archive download-sw /image-only tftp://172.20.129.10/test-image.tarThis example shows how to keep the old software version after a successful download:
Switch# archive download-sw /leave-old-sw tftp://172.20.129.10/test-image.tarRelated Commands
archive tar
Use the archive tar privileged EXEC command to create a tar file, list files in a tar file, or extract the files from a tar file.
archive tar {/create destination-url flash:/file-url} | {/table source-url} | {/xtract source-url flash:/file-url [dir/file...]}
Syntax Description
Defaults
None
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Filenames and directory names are case sensitive.
Image names are case sensitive.
Examples
This example shows how to create a tar file. The command writes the contents of the new-configs directory on the local flash device to a file named saved.tar on the TFTP server at 172.20.10.30:
Switch# archive tar /create tftp:172.20.10.30/saved.tar flash:/new-configsThis example shows how to display the contents of the c3550-tv0-m.tar file that is in flash memory. The contents of the tar file appear on the screen:
Switch# archive tar /table flash:c3550-tv0-m.tarinfo (219 bytes)c3550-tv0-mz-121/ (directory)c3550-tv0-mz-121/html/ (directory)c3550-tv0-mz-121/html/foo.html (0 bytes)c3550-tv0-mz-121/vegas-tv0-mz-121.bin (610856 bytes)c3550-tv0-mz-121/info (219 bytes)info.ver (219 bytes)This example shows how to display only the c3550-tv0-mz-121/html directory and its contents:
Switch# archive tar /table flash:c3550-tv0-m.tar c3550-tv0-mz-121/htmlc3550-tv0-mz-121/html/ (directory)c3550-tv0-mz-121/html/foo.html (0 bytes)This example shows how to extract the contents of a tar file on the TFTP server at 172.20.10.30. This command extracts just the new-configs directory into the root directory on the local flash file system. The remaining files in the saved.tar file are ignored.
Switch# archive tar /xtract tftp:/172.20.10.30/saved.tar flash:/ new-configsRelated Commands
Downloads a new image to the switch.
Uploads an existing image on the switch to a server.
archive upload-sw
Use the archive upload-sw privileged EXEC command to upload an existing switch image to a server.
archive upload-sw [/version version_string] destination-url
Syntax Description
Defaults
Uploads the currently running image from the flash: file system.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The upload feature is available only if the HTML files associated with the Cluster Management Suite (CMS) have been installed with the existing image.
The files are uploaded in this sequence: info, the Cisco IOS image, the HTML files, and info.ver. After these files are uploaded, the software creates the tar file.
Image names are case sensitive.
Examples
This example shows how to upload the currently running image to a TFTP server at 172.20.140.2:
Switch# archive upload-sw tftp://172.20.140.2/test-image.tarRelated Commands
Downloads a new image to the switch.
Creates a tar file, lists the files in a tar file, or extracts the files from a tar file.
auto qos voip
Use the auto qos voip interface configuration command to automatically configure quality of service (auto-QoS) for voice over IP (VoIP) within a QoS domain. Use the no form of this command to change the auto-QoS configuration settings to the standard QoS defaults.
auto qos voip {cisco-phone | cisco-softphone | trust}
no auto qos voip
Syntax Description
Defaults
Auto-QoS is disabled on all interfaces.
When auto-QoS is enabled, it uses the ingress packet label to categorize traffic and class of service (CoS) packet labels and to configure the egress queues as summarized in Table 2-1.
Table 2-1 Traffic Types, Packet Labels, and Egress Queues
DSCP3
46
24, 26
48
56
34
—
—
CoS
5
3
6
7
4
CoS-to-Queue Map
5
3, 6, 7
4
2
0, 1
Egress Queue
Expedite (queue 4)
70% WRR4 (queue 3)
20% WRR (queue 2)
20% WRR (queue 2)
10% WRR (queue 1)
1 STP = Spanning Tree Protocol
2 BPDU = bridge protocol data unit
3 DSCP = Differentiated Services Code Point
4 WRR = weighted round robin
Table 2-2 lists the auto-QoS configuration for the egress queues.
Command Modes
Interface configuration
Command History
12.1(12c)EA1
This command was introduced.
12.1(20)EA2
The cisco-softphone keyword was added, and the generated auto-QoS configuration changed.
Usage Guidelines
Use this command to configure the QoS appropriate for VoIP traffic within the QoS domain. The QoS domain includes the switch, the interior of the network, and the edge devices that can classify incoming traffic for QoS.
In releases earlier than Cisco IOS Release 12.2(20)EA2, auto-QoS configures the switch only for VoIP with Cisco IP Phones on switch ports.
In Cisco IOS Release 12.2(20)EA2 or later, auto-QoS configures the switch for VoIP with Cisco IP Phones on switch and routed ports and for VoIP with devices running the Cisco SoftPhone application. These releases support only Cisco IP SoftPhone Version 1.3(3) or later. Connected devices must use Cisco Call Manager Version 4 or later.
To take advantage of the auto-QoS defaults, you should enable auto-QoS before you configure other QoS commands. You can fine-tune the auto-QoS configuration after you enable auto-QoS.
Note
If this is the first port on which you have enabled auto-QoS, the auto-QoS-generated global configuration commands are executed followed by the interface configuration commands. If you enable auto-QoS on another port, only the auto-QoS-generated interface configuration commands for that port are executed.
When you enable the auto-QoS feature on the first interface, these automatic actions occur:
•
•
•
•
You can enable auto-QoS on static, dynamic-access, voice VLAN access, and trunk ports. When enabling auto-QoS with a Cisco IP Phone on a routed port, you must assign a static IP address to the IP phone.
Note
After auto-QoS is enabled, do not modify a policy map or aggregate policer that includes AutoQoS in its name. If you need to modify the policy map or aggregate policer, make a copy of it, and change the copied policy map or policer. To use the new policy map instead of the generated one, remove the generated policy from the interface, and apply the new policy map.
To display the QoS configuration that is automatically generated when auto-QoS is enabled, enable debugging before you enable auto-QoS. Use the debug auto qos privileged EXEC command to enable auto-QoS debugging.
To disable auto-QoS on an interface, use the no auto qos voip interface configuration command. When you enter this command, the switch enables standard QoS and changes the auto-QoS settings to the standard-QoS default settings for that interface.
To disable auto-QoS on the switch, use the no mls qos global configuration command. When you enter this command, the switch disables QoS on all interfaces and enables pass-through mode.
Examples
This example shows how to enable auto-QoS and to trust the QoS labels received in incoming packets when the switch or router connected to an interface is a trusted device:
Switch(config)# interface gigabitethernet0/1Switch(config-if)# auto qos voip trustThis example shows how to enable auto-QoS and to trust the QoS labels received in incoming packets when the device connected to an interface is detected as a Cisco IP Phone:
Switch(config)# interface fastethernet0/1Switch(config-if)# auto qos voip cisco-phoneThis example shows how to display the QoS configuration that is automatically generated when auto-QoS is enabled:
Switch# debug auto qosAutoQoS debugging is onSwitch# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)# interface fastethernet0/1Switch(config-if)# auto qos voip trustSwitch(config-if)#4d22h:mls qos map cos-dscp 0 8 16 26 32 46 48 564d22h:mls qos min-reserve 5 1704d22h:mls qos min-reserve 6 854d22h:mls qos min-reserve 7 514d22h:mls qos min-reserve 8 344d22h:mls qos4d22h:interface FastEthernet0/14d22h: mls qos trust cos4d22h: wrr-queue bandwidth 10 20 70 14d22h: wrr-queue min-reserve 1 54d22h: wrr-queue min-reserve 2 64d22h: wrr-queue min-reserve 3 74d22h: wrr-queue min-reserve 4 84d22h: no wrr-queue cos-map4d22h: wrr-queue cos-map 1 0 14d22h: wrr-queue cos-map 2 2 44d22h: wrr-queue cos-map 3 3 6 74d22h: wrr-queue cos-map 4 54d22h: priority-queue outSwitchconfig-if)# interface gigabitethernet0/1Switch(config-if)# auto qos voip cisco-phoneSwitch(config-if)#4d22h:interface GigabitEthernet0/14d22h: mls qos trust device cisco-phone4d22h: mls qos trust cos4d22h: wrr-queue bandwidth 10 20 70 14d22h: wrr-queue queue-limit 50 25 15 104d22h: no wrr-queue cos-map4d22h: wrr-queue cos-map 1 0 14d22h: wrr-queue cos-map 2 2 44d22h: wrr-queue cos-map 3 3 6 74d22h: wrr-queue cos-map 4 54d22h: priority-queue outSwitch(config-if)#You can verify your settings by entering the show auto qos interface interface-id privileged EXEC command.
Related Commands
Enables debugging of the auto-QoS feature.
mls qos map {cos-dscp dscp1 ... dscp8 | dscp-cos dscp-list to cos}
Defines the CoS-to-DSCP map or the DSCP-to-CoS map.
Configures the port trust state.
Displays auto-QoS information.
Displays global QoS configuration information.
Displays QoS information at the interface level.
Displays QoS mapping information.
boot boothlpr
Use the boot boothlpr global configuration command to load a special Cisco IOS image, which when loaded into memory, can load a second Cisco IOS image into memory and launch it. This variable is used only for internal development and testing. Use the no form of this command to return to the default setting.
boot boothlpr filesystem:/file-url
no boot boothlpr
Syntax Description
filesystem:
Alias for a flash file system. Use flash: for the system board flash device.
/file-url
The path (directory) and name of a bootable helper image.
Defaults
No helper image is loaded.
Command Modes
Global configuration
Command History
Usage Guidelines
Filenames and directory names are case sensitive.
This command changes the setting of the BOOTHLPR environment variable. For more information, see "Catalyst 3550 Switch Boot Loader Commands."
Related Commands
boot buffersize
Use the boot buffersize global configuration command to specify the size of the file system-simulated NVRAM in flash memory. The buffer holds a copy of the configuration file in memory. Use the no form of this command to return to the default setting.
boot buffersize size
no boot buffersize
Syntax Description
Defaults
The default is 32 KB.
Command Modes
Global configuration
Command History
Usage Guidelines
The configuration file cannot be larger than the buffer size allocation.
You must reload the switch by using the reload privileged EXEC command for this command to take effect.
This command changes the setting of the CONFIG_BUFSIZE environment variable. For more information, see "Catalyst 3550 Switch Boot Loader Commands."
Related Commands
boot config-file
Use the boot config-file global configuration command to specify the filename that Cisco IOS uses to read and write a nonvolatile copy of the system configuration. Use the no form of this command to return to the default setting.
boot config-file flash:/file-url
no boot config-file
Syntax Description
Defaults
The default configuration file is flash:config.text.
Command Modes
Global configuration
Command History
Usage Guidelines
Filenames and directory names are case sensitive.
This command changes the setting of the CONFIG_FILE environment variable. For more information, see "Catalyst 3550 Switch Boot Loader Commands."
Related Commands
boot enable-break
Use the boot enable-break global configuration command to enable interrupting the automatic boot process. Use the no form of this command to return to the default setting.
boot enable-break
no boot enable-break
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled. The automatic boot process cannot be interrupted by pressing the Break key on the console.
Command Modes
Global configuration
Command History
Usage Guidelines
When you enter this command, you can interrupt the automatic boot process by pressing the Break key on the console after the flash file system is initialized.
Note
This command changes the setting of the ENABLE_BREAK environment variable. For more information, see "Catalyst 3550 Switch Boot Loader Commands."
Related Commands
boot helper
Use the boot helper global configuration command to dynamically load files during boot loader initialization to extend or patch the functionality of the boot loader. Use the no form of this command to return to the default setting.
boot helper filesystem:/file-url ...
no boot helper
Syntax Description
Defaults
No helper files are loaded.
Command Modes
Global configuration
Command History
Usage Guidelines
Filenames and directory names are case sensitive.
This command changes the setting of the HELPER environment variable. For more information, see "Catalyst 3550 Switch Boot Loader Commands."
Related Commands
boot helper-config-file
Use the boot helper-config-file global configuration command to specify the name of the configuration file to be used by the Cisco IOS helper image. If this is not set, the file specified by the CONFIG_FILE environment variable is used by all versions of Cisco IOS that are loaded. This variable is used only for internal development and testing. Use the no form of this c
