Commands Used to Monitor and Manipulate the CAM Table
Display all MAC addresses learned on a specific interface
Switch# show mac address-table dynamic interface type number
Display the current CAM table size
Switch# show mac address-table count
Enter a static CAM table entry
Switch(config)# mac address-table static mac-address vlan vlan-id { drop | interface type number}
Clear a CAM entry
Switch# clear mac address-table dynamic [ address mac-address | interface type number | vlan vlan-id ]
Display TCAM utilization
Switch# show platform tcam utilization
Display the current memory template
Switch# show sdm prefer
Configure a preferred memory template
Switch(config)# sdm prefer template
Switch Port Configuration Commands
Select a port.
Switch(config)# interface type member/module/number
Select multiple ports.
Switch(config)# interface range type member/module/number[, type member/module/number …]
or
Switch(config)# interface range type member/module/first-number - last-number
Define an interface macro.
Switch(config)# define interface-range macro-name type member/module/number[, type member/module/number…] [ type member/module/first-number - last-number] […]
Switch(config)# interface range macro macro-name
Identify port.
Switch(config-if)# description description-string
Set port speed.
Switch(config-if)# speed {10 | 100 | 1000 | auto}
Set port mode.
Switch(config-if)# duplex {auto | full | half}
Detect port error conditions.
Switch(config)# errdisable detect cause [ all | cause-name ]
Automatically recover from errdisable.
Switch(config)# errdisable recovery cause [ all | cause-name ]
Switch(config)# errdisable recovery interval seconds
Manually recover from errdisable.
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
Display ports in errdisable state
Switch# show interface status err-disabled
Neighbor Discovery Commands
Display CDP neighbor information.
Switch# show cdp neighbors [ type member/module/number] [detail]
Control CDP operation globally.
Switch(config)# [no] cdp run
Control CDP operation on an interface.
Switch(config-if)# [ no] cdp enable
Display LLDP neighbor information.
Switch# show lldp neighbors [ type member/module/number ] [ detail ]
Control LLDP operation globally.
Switch(config)# [ no] lldp run
Control LLDP operation on an interface.
Switch(config-if)# [ no ] lldp { receive | transmit }
Power over Ethernet Commands
Set PoE behavior.
Switch(config-if)# power inline { auto | static} [max milliwatts]
Disable PoE on a switch port
Switch(config-if)# power inline never
Display PoE status.
Switch# show power inline [ type member/mod/num] [detail]
VLAN and Trunking Configuration Commands
Create VLAN.
Switch(config)# vlan vlan-num
Switch(config-vlan)# name vlan-name
Assign port to VLAN.
Switch(config)# interface type member/module/number
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan vlan-num
Configure trunk.
Switch(config)# interface type member/module/number
Switch(config-if)# switchport trunk encapsulation {isl | dot1q | negotiate }
Switch(config-if)# switchport trunk native vlan vlan-id
Switch(config-if)# switchport trunk allowed vlan { vlan-list | all | {add | except | remove} vlan-list }
Switch(config-if)# switchport mode {trunk | dynamic {desirable | auto }}
Define the trunking on a port to a Cisco IP phone.
Switch(config-if)# switchport voice vlan { vlan-id | dot1p | untagged | none }
VLAN and Trunking Troubleshooting
Verify VLAN configuration.
Switch# show vlan id vlan-id
Switch# show vlan [ brief ]
Verify active trunk parameters.
Switch# show interface type member/module/number trunk
Compare trunk configuration and active parameters.
Switch# show interface type member/module/number switchport
Verify DTP operation.
Switch# show dtp [ interface type member/module/number ]
VTP Configuration Commands
Define the VTP domain.
Switch(config)# vtp domain domain-name
Set the VTP mode.
Switch(config)# vtp mode { server | client | transparent | off }
Define an optional VTP password.
Switch(config)# vtp password password [ hidden | secret ]
Configure VTP version.
Switch(config)# vtp version { 1 | 2 | 3 }
Enable VTP pruning.
Switch(config)# vtp pruning
Select VLANs eligible for pruning on a trunk interface.
Switch(config)# interface type member/module/number
Switch(config-if)# switchport trunk pruning vlan { add | except | none | remove } vlan-list
STP Configuration Commands
Enable STP.
Switch(config)# spanning-tree vlan vlan-id
Set bridge priority.
Switch(config)# spanning-tree vlan vlan-id priority bridge-priority
Set root bridge (macro).
Switch(config)# spanning-tree vlan vlan-id root { primary | secondary } [ diameter diameter ]
Set port cost.
Switch(config-if)# spanning-tree [ vlan vlan-id ] cost cost
Set port priority.
Switch(config-if)# spanning-tree [ vlan vlan-id ] port-priority port-priority
Set STP timers.
Switch(config)# spanning-tree [ vlan vlan-id ] hello-time seconds
Switch(config)# spanning-tree [ vlan vlan-id ] forward-time seconds
Switch(config)# spanning-tree [ vlan vlan-id ] max-age seconds
Set PortFast on an interface.
Switch(config-if)# spanning-tree portfast
Set UplinkFast on a switch.
Switch(config)# spanning-tree uplinkfast [ max-update-rate pkts-per-second ]
Set BackboneFast on a switch.
Switch(config)# spanning-tree backbonefast
STP Protection Configuration Commands
Enable Root Guard.
Switch(config-if)# spanning-tree guard root
Enable BPDU Guard.
Switch(config)# spanning-tree portfast bpduguard default
Switch(config-if)# spanning-tree bpduguard enable
Enable Loop Guard.
Switch(config)# spanning-tree loopguard default
Switch(config-if)# spanning-tree guard loop
Enable UDLD.
Switch(config)# udld {enable | aggressive | message time seconds}
Switch(config-if)# udld {enable | aggressive | disable}
Enable BPDU filtering.
Switch(config)# spanning-tree bpdufilter default
Switch(config-if)# spanning-tree bpdufilter enable
STP Protection Activity Commands
Look for ports that have been put in an inconsistent state.
Switch# show spanning-tree inconsistentports
Display the global BPDU Guard, BPDU filter, and Loop Guard states.
Switch# show spanning-tree summary
Show UDLD status.
Switch# show udld [ type mod/num ]
Reenable all ports that UDLD has errdisabled.
Switch# udld reset
RSTP Configuration
Define an edge port.
Switch(config-if)# spanning-tree portfast
Override a port type.
Switch(config-if)# spanning-tree link-type point-to-point
MST Region Configuration Commands
Enable MST on a switch.
Switch(config)# spanning-tree mode mst
Enter MST configuration mode.
Switch(config)# spanning-tree mst configuration
Name the MST region.
Switch(config-mst)# name name
Set the configuration revision number.
Switch(config-mst)# revision version
EtherChannel Configuration Commands
Select a load-balancing method for the switch.
Switch(config)# port-channel load-balance method
Use a PAgP mode on an interface.
Switch(config-if)# channel-protocol pagp
Switch(config-if)# channel-group number mode { on | {{ auto | desirable } [ non-silent ]}}
Assign the LACP system priority.
Switch(config)# lacp system-priority priority
Use an LACP mode on an interface.
Switch(config-if)# channel-protocol lacp
Switch(config-if)# channel-group number mode { on | passive | active }
Switch(config-if)# lacp port-priority priority
Configure EtherChannel Guard.
Switch(config)# [ no ] spanning-tree etherchannel guard misconfig
Inter-VLAN Routing Configuration Commands
Put a port into Layer 2 mode.
Switch(config-if)# switchport
Put a port into Layer 3 mode.
Switch(config-if)# no switchport
Define an SVI.
Switch(config)# interface vlan vlan-id
Multilayer Switching Verification Commands
Show a Layer 2 port status.
Switch# show interface type member/module/number switchport
Show a Layer 3 port status.
Switch# show interface type member/module/number
Show an SVI status.
Switch# show interface vlan vlan-id
View the FIB contents.
Switch# show ip cef
View FIB information for an interface.
Switch# show ip cef [ type member/module/number | vlan vlan-id ] [ detail ]
View FIB information for an IP prefix.
Switch# show ip cef [ prefix-ip prefix-mask ] [ longer-prefixes ] [ detail ]
View FIB adjacency information.
Switch# show adjacency [ type member/module/number | vlan vlan-id ] [ summary | detail ]
View counters for packets not switched by CEF.
Switch# show cef not-cef-switched
DHCP Commands Related to IPv4
Exclude addresses from a DHCP server scope.
Switch(config)# ip dhcp excluded-address start-ip end-ip
Define a DHCP server scope.
Switch(config)# ip dhcp pool pool-name
Identify the IP subnet for the server scope.
Switch(dhcp-config)# network ip-address subnet-mask
Identify the default router used in the server scope.
Switch(dhcp-config)# default-router ip-address [ ip-address2 ] [ ip-address3 ] …
Define the DHCP server lease time.
Switch(dhcp-config)# lease { infinite | { days [ hours [ minutes ]]}}
Define a DHCP option.
Switch(dhcp-config)# option option-num value
Configure a manual DHCP binding.
Switch(config)# ip dhcp pool pool-name
Switch(dhcp-config)# host ip-address mask
Switch(dhcp-config)# client-identifier identifier
Switch(dhcp-config)# exit
Enable DHCP relay on a Layer 3 interface.
Switch(config-if)# ip helper-address ip-address
Display current DHCP bindings.
Switch# show ip dhcp binding
Manually clear a DHCP binding.
Switch# clear ip dhcp binding { * | ip-address }
DHCP Commands Related to IPv6
Define an IPv6 address prefix on a Layer 3 interface.
Switch(config)# interface type member/module/number
Switch(config-if)# ipv6 address ipv6-prefix
Define a DHCPv6 pool.
Switch(config)# ipv6 dhcp pool pool-name
Switch(config-dhcpv6)# address prefix ipv6-prefix
Switch(config-dhcpv6)# dns-server dns-address
Switch(config-dhcpv6)# domain-name name
Bind a DHCPv6 pool to a Layer 3 interface.
Switch(config)# interface type member/module/number
Switch(config-if)# ipv6 address ipv6-address
Switch(config-if)# ipv6 dhcp server pool-name
Enable DHCPv6 Lite options.
Switch(config-if)# ipv6 nd other-config-flag
Enable DHCPv6 relay on a Layer 3 interface.
Switch(config-if)# ipv6 dhcp relay destination ipv6-address
Manually clear a DHCPv6 binding.
Switch# clear ipv6 dhcp binding { * | ipv6-address }
Display a summary of DHCPv6 pool activity.
Switch# show ipv6 dhcp pool
Display current DHCPv6 bindings.
Switch# show ipv6 dhcp binding [ ipv6-address ]
Switch Logging Configuration Commands
Log to the console port.
Switch(config)# logging console severity
Log to a buffer.
Switch(config)# logging buffered severity
Switch(config)# logging buffered size
Display the logging buffer.
Switch# show logging
Log to a syslog server.
Switch(config)# logging host
Switch(config)# logging trap severity
Time Clock Configuration Commands
Display the clock.
Switch# show clock [detail]
Set the local time zone.
Switch(config)# clock timezone name offset-hours [ offset-minutes ]
Switch(config)# clock summer-time name date start-month date year hh:mm end-month day year hh:mm [ offset-minutes ]
Synchronize with an NTP server.
Switch(config)# ntp server ip-address [ prefer ] [ version { 3 | 4 }]
Verify NTP synchronization.
Switch# show ntp status
Switch# show ntp associations
Use NTP authentication.
Switch(config)# ntp authentication-key key-number md5 key-string
Switch(config)# ntp authenticate
Switch(config)# ntp trusted-key key-number
Switch(config)# ntp server ip-address key key-number
Limit NTP access.
Switch(config)# access-list acl-num permit ip-address mask
Switch(config)# ntp access-group {serve-only | serve | peer | query-only } acl-num
Add time stamps to logging messages.
Switch(config)# service timestamps log datetime [ localtime ] [ show-timezone ] [ msec ] [ year ]
SNMP Configuration Commands
Define SNMPv1 or SNMPv2C access.
Switch(config)# snmp-server community community-string [ ro | rw ] [ access-list-number ]
Define an SNMPv1 trap receiver.
Switch(config)# snmp-server host host-address community-string [ trap-type ]
Define an SNMPv2C trap or inform receiver.
Switch(config)# snmp-server host host-address [ informs ] version 2c community-string
Define an SNMPv3 view.
Switch(config)# snmp-server view view-name oid-tree
Define an SNMPv3 user group.
Switch(config)# snmp-server group group-name v3 { noauth | auth | priv } [ read read-view ] [ write write-view ] [ notify notify-view ] [ access access-list ]
Define an SNMPv3 user.
Switch(config)# snmp-server user user-name group-name v3 auth { md5 | sha } auth-password priv { des | 3des | aes { 128 | 192 | 256 }} priv-password [ access-list ]
Define an SNMPv3 trap or inform receiver.
Switch(config)# snmp-server host host-address [ informs ] version 3 { noauth | auth | priv } user-name [ trap-type ]
IP SLA Configuration and Monitoring Commands
Enable IP SLA responder.
Switch(config)# ip sla responder
Authenticate IP SLA operations.
Switch(config)# key chain chain-name
Switch(config-keychain)# key key-number
Switch(config-keychain-key)# key-string string
Switch(config-keychain-key)# exit
Switch(config-keychain)# exit
Switch(config)# ip sla key-chain chain-name
Define a new IP SLA operation.
Switch(config)# ip sla operation-number
Define an ICMP echo test.
Switch(config-ip-sla)# icmp-echo destination-ip-addr [ source-ip-addr ]
Define a UDP jitter test.
Switch(config-ip-sla)# udp-jitter destination-ip-addr dest-udp-port [ source-ip source-ip-addr ] [ source-port source-udp-port ] [ num-packets number-of-packets ] [ interval packet-interval ]
Define UDP jitter codec.
Switch(config-ip-sla)# udp-jitter destination-ip-addr dest-udp-port codec { g711alaw| g711ulaw| g729a}
Set the test frequency.
Switch(config-ip-sla)# frequency seconds
Set the test schedule.
Switch(config)# ip sla schedule operation-number [ life { forever | seconds}] [ start-time { hh:mm[:ss] [ month day| day month] | pending| now| after hh:mm:ss}] [ ageout seconds] [ recurring]
Display the IP SLA test configuration.
Switch# show ip sla configuration [ operation-number]
Display the results of an IP SLA test operation.
Switch# show ip sla statistics [operation-number] [aggregated] [detail]
Configure a local SPAN session source.
Switch(config)# monitor session session-number source { interface type member/mod/num | vlan vlan-id }[ rx | tx | both ]
Configure a local SPAN session destination.
Switch(config)# monitor session session-number destination interface type member/mod/num [ encapsulation replicate ]
Enable ingress traffic from the destination interface.
… ingress { dot1q vlan vlan-id | isl | untagged vlan vlan-id }
Filter VLANs from a trunk link as a SPAN source.
Switch(config)# monitor session session-number filter vlan vlan-range
Create an RSPAN VLAN.
Switch(config)# vlan vlan-id
Switch(config-vlan)# remote-span
Configure an RSPAN session on the source switch.
Switch(config)# monitor session session-number source { interface type member/mod/num | vlan vlan-id }[ rx | tx | both ]
Switch(config)# monitor session session-number destination remote vlan rspan-vlan-id
Configure an RSPAN session on the destination switch.
Switch(config)# monitor session session-number source remote vlan rspan-vlan-id
Switch(config)# monitor session session-number destination interface type member/mod/num [ encapsulation replicate]
Display active SPAN sessions.
Switch# show monitor [ session { session-number | all | local | range range-list | remote }] [ detail ]
Delete SPAN sessions.
Switch(config)# no monitor session {{ session | range session-range } | local | all }
Supervisor Redundancy Configuration Commands
Enable supervisor redundancy.
Switch(config)# redundancy
Set the supervisor redundancy mode.
Switch(config-red)# mode { rpr | rpr-plus | sso }
Display supervisor redundancy states.
Switch# show redundancy states
Enable supervisor redundancy synchronization.
Switch(config-red)# main-cpu
Switch(config-r-mc)# auto-sync { startup-config | config-register | bootvar }
HSRP Configuration Commands
Set the HSRP priority.
Switch(config-if)# standby group priority priority
Set the HSRP timers.
Switch(config-if)# standby group timers hello holdtime
Allow router preemption.
Switch(config-if)# standby group preempt [ delay seconds ]
Use group authentication.
Switch(config-if)# standby group authentication string
Adjust priority by tracking an interface.
Switch(config-if)# standby group track type member/module/number decrement-value
Assign the virtual router address.
Switch(config-if)# standby group ip ip-address [ secondary ]
VRRP Configuration Commands
Assign a VRRP router priority (default 100).
Switch(config-if)# vrrp group priority level
Alter the advertisement timer (default 1 second).
Switch(config-if)# vrrp group timers advertise [ msec ] interval
Learn the advertisement interval from the master router.
Switch(config-if)# vrrp group timers learn
Disable preempting (default is to preempt).
Switch(config-if)# no vrrp group preempt
Change the preempt delay (default 0 seconds).
Switch(config-if)# vrrp group preempt [ delay seconds ]
Use authentication for advertisements.
Switch(config-if)# vrrp group authentication string
Assign a virtual IP address.
Switch(config-if)# vrrp group ip ip-address [ secondary ]
GLBP Configuration Commands
Assign a GLBP priority.
Switch(config-if)# glbp group priority level
Allow GLBP preemption.
Switch(config-if)# glbp group preempt [ delay minimum seconds ]
Define an object to be tracked.
Switch(config)# track object-number interface type member/module/number { line-protocol | ip routing }
Define the weighting thresholds.
Switch(config-if)# glbp group weighting maximum [ lower lower ] [ upper upper ]
Track an object.
Switch(config-if)# glbp group weighting track object-number [ decrement value ]
Choose the load-balancing method.
Switch(config-if)# glbp group load-balancing [ round-robin | weighted | host-dependent ]
Assign a virtual router address.
Switch(config-if)# glbp group ip [ ip-address [ secondary ]]
Port Security Configuration Commands
Enable port security on an interface.
Switch(config-if)# switchport port-security
Set the maximum number of learned addresses.
Switch(config-if)# switchport port-security maximum max-addr
Define a static MAC address.
Switch(config-if)# switchport port-security mac-address mac-addr
Define an action to take.
Switch(config-if)# switchport port-security violation {shutdown | restrict | protect}
Display port security status.
Switch# show port-security [ interface type member/module/number ]
Port-Based Authentication Configuration Commands
Define a method list for 802.1X.
Switch(config)# aaa authentication dot1x default group radius
Globally enable 802.1X.
Switch(config)# dot1x system-auth-control
Define the 802.1X behavior on a port.
Switch(config-if)# dot1x port-control { force-authorized | force-unauthorized | auto }
Support more than one host on a port.
Switch(config-if)# dot1x host-mode multi-host
Display 802.1X interface status.
Switch# show dot1x [ all ] [ interface type member/module/number ]
Storm Control Configuration Commands
Enable a Storm Control threshold on an interface.
Switch(config-if)# storm-control { broadcast | multicast | unicast } level { level [ level-low ] | bps bps [ bps-low ] | pps pps [ pps-low ]}
Define an action for Storm Control. (By default, frames are dropped if this command is not present.)
Switch(config-if)# storm-control action { shutdown | trap }
Display Storm Control status.
Switch# show storm-control [ interface-id ] [ broadcast | multicast | unicast ]
VLAN ACL Configuration Commands
Define a VACL.
Switch(config)# vlan access-map map-name [ sequence-number ]
Define a matching condition.
Switch(config-access-map)# match {{ ip address { acl-number | acl-name }} | { mac address acl-name }}
Define an action.
Switch(config-access-map)# action { drop | forward [ capture ] | redirect type mod/num }
Apply the VACL to VLANs.
Switch(config)# vlan filter map-name vlan-list vlan-list
Private VLAN Configuration Commands
Define a secondary VLAN.
Switch(config)# vlan vlan-id
Switch(config-vlan)# private-vlan { isolated | community }
Define a primary VLAN; associate it with secondary VLANs.
Switch(config)# vlan vlan-id
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association { secondary-vlan-list | add secondary-vlan-list | remove secondary-vlan-list }
Associate ports with private VLANs.
Switch(config-if)# switchport mode private-vlan { host | promiscuous }
Associate nonpromiscuous ports with private VLANs.
Switch(config-if)# switchport private-vlan host-association primary-vlan-id secondary-vlan-id
Associate promiscuous ports with private VLANs.
Switch(config-if)# switchport private-vlan mapping { primary-vlan-id } { secondary-vlan-list } | { add secondary-vlan-list } | { remove secondary-vlan-list }
Associate secondary VLANs with a primary VLAN Layer 3 SVI.
Switch(config-if)# private-vlan mapping { secondary-vlan-list | add secondary-vlan-list | remove secondary-vlan-list }
DHCP Snooping Configuration Commands
Globally enable DHCP snooping.
Switch(config)# ip dhcp snooping
Define a trusted interface.
Switch(config-if)# ip dhcp snooping trust
Limit the interface DHCP packet rate.
Switch(config-if)# ip dhcp snooping limit rate rate
Display DHCP snooping status.
Switch# show ip dhcp snooping [ binding ]
IP Source Guard Configuration Commands
Define a static IP source binding entry.
Switch(config)# ip source binding mac-address vlan vlan-id ip-address interface type member/module/number
Enable IP source guard on an interface.
Switch(config-if)# ip verify source [ port-security ]
Display IP source guard status.
Switch# show ip verify source [ interface type member/module/number ]
Display IP source binding database.
Switch# show ip source binding [ ip-address ] [ mac-address ] [ dhcp-snooping | static ] [ interface type member/module/number ] [ vlan vlan-id ]
Dynamic ARP Inspection Configuration Commands
Enable DAI on a VLAN.
Switch(config)# ip arp inspection vlan vlan-range
Define a trusted interface.
Switch(config-if)# ip arp inspection trust
Define a static ARP inspection binding.
Switch(config)# arp access-list acl-name
Switch(config-arp-nacl)# permit ip host sender-ip mac host sender-mac [ log ]
Apply static ARP inspection bindings.
Switch(config)# ip arp inspection filter arp-acl-name vlan vlan-range [ static ]
Validate addresses within ARP replies.
Switch(config)# ip arp inspection validate {[ src-mac ] [ dst-mac ] [ ip ]}
Display DAI status.
Switch# show ip arp inspection
AAA Configuration Commands
Enable AAA on a switch.
Switch(config)# aaa new-model
Use local authentication.
Switch(config)# username username password password
Define individual authentication servers.
Switch(config)# radius-server host { hostname | ip-address } [ key string ]
Switch(config)# tacacs-server host { hostname | ip-address } [ key string ]
Define a group of authentication servers.
Switch(config)# aaa group server { radius | tacacs+ } group-name
Switch(config-sg)# server ip-address
Define a list of authentication methods to try.
Switch(config)# aaa authentication login { default | list-name } method1 [ method2 … ]
Apply an authentication method list to a line.
Switch(config-line)# login authentication { default | list-name }
Define a list of authorization methods to try.
Switch(config)# aaa authorization { commands | config-commands | configuration | exec | network | reverse-access } { default | list-name } method1 [ method2 … ]
Apply an authorization method list to a line.
Switch(config-line)# authorization { commands level | exec | reverse-access } { default | list-name }
Define a list of accounting methods to try.
Switch(config)# aaa accounting { system | exec | commands level } { default | list-name } { start-stop | stop-only | wait-start | none } method1 [ method2 … ]
Apply an accounting method list to a line.
Switch(config-line)# accounting { commands level | connection | exec } { default | list-name }
Configuring NSF (by Routing Protocol)
BGP
Switch(config)# router bgp as-number
Switch(config-router)# bgp graceful-restart
EIGRP
Switch(config)# router eigrp as-number
Switch(config-router)# nsf
OSPF
Switch(config)# router ospf process-id
Switch(config-router)# nsf
IS-IS
Switch(config)# router isis [ tag ]
Switch(config-router)# nsf [ cisco | ietf ]
Switch(config-router)# nsf interval [ minutes ]
Switch(config-router)# nsf t3 { manual [ seconds ] | adjacency }
Switch(config-router)# nsf interface wait seconds