Cisco 220 Series Smart Switches CLI Reference Guide

Cisco 220 Series Smart Plus Switches Command

Line Interface Reference Guide Release 1.0.0.x

CLI GUIDE

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks,

go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner

does not imply a partnership relationship between Cisco and any other company. (1110R)

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 1

Contents

Chapter 1: Introduction 22

Overview 22

User (Privilege) Levels 23

CLI Command Modes 24

User EXEC Mode 24

Privileged EXEC Mode 25

Global Configuration Mode 25

Global Configuration Submodes 26

Accessing the CLI 27

Using HyperTerminal over the Console Interface 28

Using Telnet over an Ethernet Interface 30

CLI Command Conventions 30

Editing Features 31

Entering Commands 31

Terminal Command Buffer 32

Negating the Effect of Commands 32

Command Completion 33

Keyboard Shortcuts 33

Copying and Pasting Text 33

Interface Naming Conventions 34

Interface ID 34

Interface Range 35

Interface List 35

Chapter 2: 802.1X Commands 36

dot1x guest-vlan enable 36

dot1x guest-vlan enable (Interface) 37

dot1x max-req 38

dot1x port-control 39

dot1x reauthentication 40

dot1x system-auth-control 41

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 2

Contents

dot1x timeout quiet-period 41

dot1x timeout reauth-period 42

dot1x timeout supp-timeout 43

show dot1x 44

show dot1x authenticated-hosts 45

show dot1x guest-vlan 46

show dot1x interfaces 48

Chapter 3: AAA Commands 50

aaa authentication enable 50

aaa authentication login 52

enable authentication 53

enable password 54

ip http authentication 56

passwords aging 58

passwords complexity <attributes> 59

passwords complexity enable 60

show aaa authentication lists 62

show line lists 62

show passwords configuration 63

show username 64

username 65

Chapter 4: ACL Commands 67

deny (MAC) 67

deny (IP) 68

deny (IPv6) 71

ip access-group in 73

ip access-list extended 74

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 3

Contents

ipv6 access-group in 75

ipv6 access-list 75

mac access-group in 77

mac access-list extended 77

no sequence 78

permit (IP) 79

permit (IPv6) 81

permit (MAC) 84

show access-lists 85

show access-lists 86

show access-lists utilization 86

Chapter 5: Address Table Commands 88

bridge multicast reserved-address 88

clear mac address-table 89

mac address-table aging-time 90

mac address-table static 90

show bridge multicast reserved-address 93

show mac address-table 94

show mac address-table aging-time 95

show port-security 96

switchport port-security 97

switchport port-security mode maximum 98

Chapter 6: Bonjour Commands 101

bonjour enable 101

show bonjour 102

Chapter 7: CDP Commands 103

cdp advertise-v2 103

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 4

Contents

cdp appliance-vlan enable 104

cdp device-id format 105

cdp enable 105

cdp holdtime 106

cdp log mismatch duplex 107

cdp log mismatch native 108

cdp log mismatch voip 109

cdp mandatory-tlvs validation 110

cdp pdu 110

cdp run 111

cdp timer 112

clear cdp counter 113

clear cdp table 114

show cdp 114

show cdp entry 115

show cdp interfaces 116

show cdp neighbor 116

show cdp tlv 118

show cdp traffic global 118

show cdp traffic (Interface) 120

Chapter 8: Clock Commands 124

clock set 124

clock source 125

clock summer-time 125

clock timezone 127

show clock 128

show sntp configuration 129

sntp server 129

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 5

Contents

Chapter 9: Configuration and Image File Commands 131

boot host auto-config 131

boot system 132

copy 133

delete backup-config 135

delete startup-config 136

dir 136

ip dhcp tftp-server file 137

ip dhcp tftp-server ip address 138

management vlan ipv6 dhcp client information refresh 139

management vlan ipv6 dhcp client stateless 140

renew dhcp force-autoconfig 141

show backup-config 142

show boot 144

show bootvar 145

show ip dhcp tftp-server 146

show running-config 147

show startup-config 150

write 152

Chapter 10: EEE Commands 154

eee enable (Interface) 154

Chapter 11: Ethernet Configuration Commands 155

clear counters 155

clear etherlike statistics 156

default interface 156

description 157

duplex 158

errdisable recovery 158

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 6

Contents

flowcontrol 160

interface 161

interface range 162

jumbo-frame 162

show errdisable recovery 163

show interface status 164

show storm-control 165

shutdown 167

speed 168

storm-control action 169

storm-control broadcast 170

storm-control broadcast level 171

storm-control enable 172

storm-control ifg 173

storm-control unit 173

storm-control unknown-multicast 174

storm-control unknown-multicast level 175

storm-control unknown-unicast 176

storm-control unknown-unicast level 176

Chapter 12: GVRP Commands 178

clear gvrp statistics 178

gvrp enable (Global) 179

gvrp enable (Interface) 179

gvrp registration-mode 180

gvrp vlan-creation-forbid 181

show gvrp 182

show gvrp configuration 182

show gvrp error-statictics 184

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 7

Contents

show gvrp statistics 185

Chapter 13: IGMP Snooping Commands 196

clear ip igmp snooping groups 196

clear ip igmp snooping statistics 196

ip igmp filter 197

ip igmp max-groups 198

ip igmp profile 199

ip igmp snooping 200

ip igmp snooping version 201

ip igmp snooping report-suppression 201

ip igmp snooping unknown-multicast action 202

ip igmp snooping vlan 203

ip igmp snooping vlan immediate-leave 204

ip igmp snooping vlan forbidden mrouter 205

ip igmp snooping vlan forbidden forward-all 206

ip igmp snooping vlan last-member-query-count 207

ip igmp snooping vlan last-member-query-interval 207

ip igmp snooping vlan mrouter 208

ip igmp snooping vlan querier 209

ip igmp snooping vlan querier version 210

ip igmp snooping vlan query-interval 211

ip igmp snooping vlan response-time 212

ip igmp snooping vlan robustness-variable 212

ip igmp snooping vlan static 213

ip igmp snooping vlan mrouter 214

ip igmp snooping vlan forward-all 215

profile range 216

show ip igmp filter 217

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 8

Contents

show ip igmp max-group 218

show ip igmp max-group action 219

show ip igmp profile 219

show ip igmp snooping 220

show ip igmp snooping forward-all 221

show ip igmp snooping groups 222

show ip igmp snooping mrouter 223

show ip igmp snooping querier 224

show ip igmp snooping vlan 224

Chapter 14: IP Addressing Commands 226

clear arp-cache 226

ip default-gateway 226

ip domain lookup 227

ip domain name 228

ip host 229

ip name-server 230

management vlan ip-address 231

management vlan ip dhcp client 232

show arp 233

show hosts 233

show ip 234

show ip dhcp 235

Chapter 15: IP ARP Inspection Commands 236

clear ip arp inspection statistics vlan 236

ip arp inspection 236

ip arp inspection limit rate 237

ip arp inspection trust 239

ip arp inspection validate 240

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 9

Contents

ip arp inspection vlan 241

show ip arp inspection 242

show ip arp inspection interfaces 243

show ip arp inspection statistics 244

Chapter 16: IP DHCP Snooping Commands 246

clear ip dhcp snooping binding 246

clear ip dhcp snooping binding interface 246

clear ip dhcp snooping binding vlan 247

clear ip dhcp snooping database statistics 248

clear ip dhcp snooping interfaces statistics 248

ip dhcp snooping 249

ip dhcp snooping database 249

ip dhcp snooping information option 251

ip dhcp snooping information option allow-untrusted 252

ip dhcp snooping limit rate 253

ip dhcp snooping trust 254

ip dhcp snooping verify mac-address 255

ip dhcp snooping vlan 256

ip dhcp snooping vlan information option circuit-id 257

renew ip dhcp snooping database 258

show ip dhcp snooping 259

show ip dhcp snooping binding 259

show ip dhcp snooping database 260

show ip dhcp snooping information option format remote-id 261

show ip dhcp snooping interfaces 261

show ip dhcp snooping interfaces statistics 262

Chapter 17: IP Source Guard Commands 264

ip source binding 264

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 10

Contents

ip source binding max-entry 265

ip verify source 266

show ip source binding 267

show ip verify source interfaces 268

Chapter 18: IPv6 Addressing Commands 270

ipv6 default-gateway 270

management vlan ipv6-address 271

management vlan ipv6-address-autoconfig 272

management vlan ipv6-address-dhcp 273

show ipv6 274

show ipv6 dhcp 274

Chapter 19: IPv6 MLD Snooping Commands 276

clear ipv6 mld snooping groups 276

clear ipv6 mld snooping statistics 276

ipv6 mld filter 277

ipv6 mld max-groups 278

ipv6 mld profile 279

ipv6 mld snooping 280

ipv6 mld snooping report-suppression 281

ipv6 mld snooping vlan 281

ipv6 mld snooping vlan immediate-leave 282

ipv6 mld snooping vlan forbidden mrouter 283

ipv6 mld snooping vlan forbidden forward-all 284

ipv6 mld snooping vlan last-member-query-count 285

ipv6 mld snooping vlan last-member-query-interval 286

ipv6 mld snooping vlan mrouter learn pim-dvmrp 287

ipv6 mld snooping vlan query-interval 288

ipv6 mld snooping vlan response-time 289

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 11

Contents

ipv6 mld snooping vlan robustness-variable 290

ipv6 mld snooping vlan static interface 291

ipv6 mld snooping vlan mrouter 292

ipv6 mld snooping vlan forward-all 293

profile range 294

show ipv6 mld filter 295

show ipv6 mld max-group 296

show ipv6 mld max-group action 297

show ipv6 mld profile 297

show ipv6 mld snooping 298

show ipv6 mld snooping forward-all 299

show ipv6 mld snooping groups 300

show ipv6 mld snooping mrouter 301

show ipv6 mld snooping vlan 302

Chapter 20: LACP Commands 303

lacp port-priority 303

lacp system-priority 304

lacp timeout 304

show lacp 305

Chapter 21: Line Commands 311

clear line 311

exec-timeout 311

line 312

password-thresh 313

show line 314

silent-time 315

speed 315

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 12

Contents

Chapter 22: LLDP Commands 317

clear lldp statistics 317

lldp holdtime-multiplier 317

lldp lldpdu 319

lldp med 320

lldp med fast-start-repeat-count 321

lldp med location 321

lldp med network-policy voice auto 322

lldp med network-policy (Global) 323

lldp med network-policy (Interface) 325

lldp med tlv-select 326

lldp receive 327

lldp reinit 328

lldp run 328

lldp tlv-select 802.1 329

lldp tlv-select TLV 330

lldp transmit 331

lldp tx-delay 332

lldp timer 332

show lldp 333

show lldp interfaces 337

show lldp interfaces tlvs-overloading 338

show lldp local-device 339

show lldp med 340

show lldp neighbor 341

show lldp statistics 343

Chapter 23: Management ACL Commands 345

deny (Management) 345

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 13

Contents

management access-class 346

management access-list 347

no sequence (Management) 348

permit (Management) 349

show management access-class 350

show management access-list 351

Chapter 24: PHY Diagnostics Commands 352

show cable-diagnostics cable-length 352

show fiber-ports optical-transceiver 355

Chapter 25: Power over Ethernet (PoE) Commands 357

power inline 357

power inline legacy enable 358

power inline limit 358

power inline limit-mode 359

power inline priority 360

power inline traps enable 361

power inline usage-threshold 361

show env all 362

show power inline 363

show power inline consumption 367

Chapter 26: Port Channel Commands 368

channel-group 368

port-channel load-balance 369

show etherchannel summary 370

Chapter 27: Port Monitor Commands 371

monitor session destination interface 371

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 14

Contents

monitor session destination remote-span 372

monitor session source interfaces 373

monitor session source remote-span 374

no monitor session 375

remote-span 376

show monitor 377

show vlan remote-span 378

Chapter 28: QoS Commands 379

class 379

class-map 380

match 381

police 382

police aggregate 383

policy-map 384

priority-queue out num-of-queues 386

qos 387

qos advanced-mode trust 388

qos aggregate-policer 389

qos cos 391

qos map cos-queue 391

qos map dscp-queue 392

qos map precedence-queue 393

qos map queue-cos 394

qos map queue-dscp 395

qos map queue-precedence 395

qos remark 396

qos trust (Global) 397

qos trust (Interface) 398

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 15

Contents

service-policy 399

set 400

show class-map 401

show policy-map 401

show policy-map interface 402

show qos 403

show qos aggregate-policer 404

show qos interfaces 404

show qos map 405

show qos queueing 407

show rate-limit vlan 407

traffic-shape 408

trust-shape (Interface) 409

traffic-shape queue 410

trust 410

rate-limit (Interface) 412

rate-limit (VLAN) 413

wrr-queue bandwidth 414

Chapter 29: RADIUS Commands 416

radius-server default-param 416

radius-server host 417

show radius-server 419

show radius-server default-param 420

Chapter 30: RMON Commands 422

clear rmon statistics 422

rmon alarm 422

rmon event 425

rmon history 426

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 16

Contents

show rmon alarm 427

show rmon event 429

show rmon event log 430

show rmon history 431

show rmon statistics interfaces 432

Chapter 31: Security DoS Commands 436

security-suite dos (Global) 436

security-suite dos (Interface) 438

security-suite dos ip gratuitous-arps 439

show security-suite dos 439

show security-suite dos interfaces 440

Chapter 32: SNMP Commands 442

show snmp-server 442

show snmp-server community 443

show snmp-server engineid 444

show snmp-server group 445

show snmp-server host 446

show snmp-server trap 447

show snmp-server view 448

show snmp-server user 449

snmp-server 451

snmp-server community 451

snmp-server contact 453

snmp-server engineid 454

snmp-server engineid remote 454

snmp-server group 455

snmp-server host 456

snmp-server location 458

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 17

Contents

snmp-server trap 459

snmp-server user 459

snmp-server view 461

Chapter 33: STP Commands 463

clear spanning-tree detected-protocols 463

instance (MST) 464

name (MST) 465

revision (MST) 465

show spanning-tree 466

show spanning-tree interfaces 467

show spanning-tree mst 468

show spanning-tree mst configuration 469

show spanning-tree mst interfaces 470

spanning-tree 471

spanning-tree bpdu (Global) 471

spanning-tree bpdu-filter (Interface) 472

spanning-tree bpdu-guard (Interface) 473

spanning-tree cost (Interface) 474

spanning-tree forward-time 475

spanning-tree hello-time 475

spanning-tree link-type (Interface) 476

spanning-tree mst port-priority 477

spanning-tree max-hops 478

spanning-tree max-age 479

spanning-tree mode 480

spanning-tree mst configuration 480

spanning-tree mst cost 481

spanning-tree mst priority 482

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 18

Contents

spanning-tree pathcost method 483

spanning-tree portfast 484

spanning-tree port-priority 485

spanning-tree priority 485

spanning-tree tx-hold-count 486

Chapter 34: SYN Protection Commands 488

security-suite syn protection mode 488

security-suite syn protection recovery 489

security-suite syn protection threshold 489

show security-suite syn protection 490

Chapter 35: Syslog Commands 492

clear logging 492

logging host 492

logging on 494

logging severity 495

show logging 496

Chapter 36: System Management Commands 499

hostname 499

ping 499

reload 501

show cpu input rate 501

show cpu utilization 502

show memory statistics 503

show services tcp-udp 504

show system languages 505

show tech-support 506

show username 509

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 19

Contents

show users 510

show version 511

traceroute 512

Chapter 37: TACACS+ Commands 514

show tacacs default-config 514

show tacacs 515

tacacs-server default-param 516

tacacs-server host 517

Chapter 38: Telnet and SSH Commands 519

crypto certificate generate 519

crypto key generate 520

ip ssh server 521

ip telnet server 522

Chapter 39: User Interface Commands 524

banner exec 524

banner login 525

configure 527

do 527

disable 528

end 529

enable 529

exit (Configuration) 530

exit (EXEC) 531

history 531

show banner 532

show history 533

show privilege 534

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 20

Contents

terminal length 535

Chapter 40: Voice VLAN Commands 537

show voice vlan 537

voice vlan enable 539

voice vlan aging-timeout 539

voice vlan cos 540

voice vlan cos mode 541

voice vlan dscp 542

voice vlan mode 542

voice vlan oui-table 543

voice vlan state 545

voice vlan id 546

voice vlan vpt 546

Chapter 41: VLAN Commands 548

name (vlan) 548

management-vlan 549

show interfaces protected-ports 549

show interfaces switchport 550

show management-vlan 552

show vlan 553

show vlan default-vlan 554

switchport access vlan 554

switchport default-vlan tagged 555

switchport dot1q-tunnel vlan 557

switchport forbidden default-vlan 558

switchport forbidden vlan 559

switchport general acceptable-frame-type 559

switchport general allowed vlan 560

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 21

Contents

switchport general ingress-filtering disable 562

switchport general pvid 562

switchport mode 564

switchport mode trunk uplink 565

switchport protected 566

switchport trunk allowed vlan 567

switchport trunk native vlan 568

switchport vlan tpid 569

vlan 569

vlan default-vlan 570

Chapter 42: Web Server Commands 572

ip http secure-server 572

ip http server 573

ip http timeout-policy 573

show ip http 574

show ip https 575

show services tcp-udp 576

Appendix A: Where to Go From Here 579

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 22

Introduction

The command-line interface (CLI) provides a text-based method for managing and

monitoring the switch. You can access the command-line interface using a

physical serial connection or a remote logical connection with Telnet.

This chapter describes how to use the command-line interface and contains the

following topics:

• Overview

• User (Privilege) Levels

• CLI Command Modes

• Accessing the CLI

• CLI Command Conventions

• Editing Features

• Interface Naming Conventions

Overview

The command-line interface is divided into various modes. Each mode has a group

of commands available in it. These modes are described in the CLI Command

Modes section.

Users are assigned privilege levels. Each privilege level can access the CLI modes

permitted to that level. User privilege levels are described in the User (Privilege)

Levels section.

Introduction

User (Privilege) Levels

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 23

User (Privilege) Levels

Users may be created with one of the following user levels:

• Level 1—Users with this level can only run the User EXEC mode commands.

Users at this level cannot access the web-based interface.

• Level 15—Users with this level can run all commands. Only users at this

level can access the web-based interface.

A system administrator (user with level 15) can create passwords that allow a

lower-level user to temporarily become a higher-level user. For example, the user

may go from level 1 to 15.

Users with a lower level can raise their level by entering the enable command and

the password for level 15. The higher level holds only for the current session.

The disable command returns the user to a lower level.

To create a user and assign a user level, use the username command. Only users

with privilege level 15 can create users at this level.

Example 1—The following example creates the password for level 15 (by the

administrator):

switchxxxxxx# configure

switchxxxxxx(config)# enable privilege 15 password level15@abc

Example 2—The following example creates a user with privilege level 1:

switchxxxxxx# configure

switchxxxxxx(config)# username john privilege 1 secret John1234

Example 3—The following example switches between level 1 to level 15. The user

must know the password for level 15.

switchxxxxxx# exit

switchxxxxxx> enable 15

Password: ****** (this is the password for level 15)

switchxxxxxx#

Introduction

CLI Command Modes

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 24

NOTE If the authentication of passwords is performed on the RADIUS or TACACS+

servers, the passwords assigned to user level 15 must be configured on the

external server and associated with the $enab15$ username. See the AAA

Commands chapter for details.

CLI Command Modes

The command-line interface is divided into four command modes. These are the

command modes in the order in which they are accessed:

• User EXEC Mode

• Privileged EXEC Mode

• Global Configuration Mode

• Global Configuration Submodes

Each command mode has its own unique console prompt and set of CLI

commands. Entering a question mark at the console prompt displays a list of

available commands for the current mode and for the level of the user. Specific

commands are used to switch from one mode to another.

Users are assigned privilege levels that determine the modes and commands

available to them. User levels are described in the User (Privilege) Levels section.

User EXEC Mode

Users with level 1 initially log into the User EXEC mode. The User EXEC mode is

used for tasks that do not change the configuration, such as performing basic tests

and listing system information.

The user-level prompt consists of the switch hostname followed by a >. The

default hostname is switchxxxxxx where xxxxxx is the last six digits of the

switch’s MAC address, as shown here:

switchxxxxxx>

The default hostname can be changed by using the hostname Global

Configuration mode command.

Introduction

CLI Command Modes

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 25

Privileged EXEC Mode

A user with level 15 automatically logs into the Privileged EXEC mode.

The user-level prompt consists of the switch hostname followed by a #. The

default hostname is switchxxxxxx where xxxxxx is the last six digits of the

switch’s MAC address, as shown here:

switchxxxxxx#

Users with level 1 can enter the Privileged EXEC mode by entering the enable

command, and when prompted, the password for level 15.

To return from the Privileged EXEC mode to the User EXEC mode, use the disable

command.

Global Configuration Mode

The Global Configuration mode is used to run the commands that configure the

features at the system level, as opposed to the interface level.

Only users with command level 15 can access this mode.

To access the Global Configuration mode from the Privileged EXEC mode, enter

the configure command at the Privileged EXEC mode prompt and press Enter. The

Global Configuration mode prompt, consisting of the switch hostname followed by

(config)#, is displayed:

switchxxxxxx(config)#

Use any of the following commands to return from the Global Configuration mode

to the Privileged EXEC mode:

• exit

• end

• Ctrl+Z

The following example shows how to access the Global Configuration mode and

return to the Privileged EXEC mode:

switchxxxxxx#

switchxxxxxx# configure

switchxxxxxx(config)# exit

switchxxxxxx#

Introduction

CLI Command Modes

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 26

Global Configuration Submodes

Various submodes may be entered from the Global Configuration mode. These

submodes enable performing commands on a group of interfaces or lines,

defining conditions required to allow traffic based on IPv4, IPv6, and MAC

addresses, or defining the settings for management ACL, IGMP profiles, and MLD

profiles.

For instance, to perform several operations on a specific interface, you can enter

the Interface Configuration mode for that interface.

The following example enters the Interface Configuration mode for fa1-5 and then

sets their speeds:

switchxxxxxx#

switchxxxxxx# configure

switchxxxxxx(config)# interface range gi1-5

switchxxxxxx(config-if-range)# speed 1000

switchxxxxxx(config-if-range)# exit

switchxxxxxx(config)#

The exit command returns to the Global Configuration mode.

The following submodes are available:

• Interface—Contains commands that configure a specific interface (port or

port channel) or a range of interfaces. The interface Global Configuration

mode command is used to enter the Interface Configuration mode.

• Port Channel—Contains commands used to configure port channels; for

example, assigning ports to a port channel. Most of these commands are

the same as the commands in the Ethernet Interface Configuration mode,

and are used to manage the member ports as a single entity. The interface

Port-Channel Global Configuration mode command is used to enter the Port

Channel Interface Configuration mode.

• IP Access-List—Configures conditions required to allow traffic based on IP

addresses. The ip access-list Global Configuration mode command is used

to enter the IP Access-List Configuration mode.

• IPv6 Access-List—Configures conditions required to allow traffic based on

IPv6 addresses. The ipv6 access-list Global Configuration mode command

is used to enter the IPv6 Access-List Configuration mode.

• Line Interface—Contains commands used to configure the management

connections for the console, Telnet, and SSH. These commands configure

Introduction

Accessing the CLI

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 27

connection operations such as line timeout settings. The line Global

Configuration command is used to enter the Line Configuration mode.

• MAC Access-List—Configures conditions required to allow traffic based on

MAC addresses. The mac access-list Global Configuration mode command

is used to enter the MAC Access-List Configuration mode.

• Management Access-List—Contains commands used to define

management access-lists. The management access-list Global

Configuration mode command is used to enter the Management Access-

List Configuration mode.

• IGMP Profile—Contains commands used to define the settings of IGMP

profiles. The ip igmp profile Global Configuration mode command is used to

enter the IGMP Profile Configuration mode.

• MLD Profile—Contains commands used to define the settings of MLD

profiles. The ipv6 mld profile Global Configuration mode command is used

to enter the MLD Profile Configuration mode.

To return from any Interface Configuration mode to the Global Configuration mode,

use the exit command.

Accessing the CLI

The command-line interface can be accessed from a terminal or computer by

performing one of the following tasks:

• Running a terminal application, such as HyperTerminal, on a computer that is

directly connected to the switch’s console port.

• Running a Telnet session from a command prompt on a computer with a

network connection to the switch.

• Using SSH.

NOTE Telnet and SSH are disabled by default on the switch.

If the access is through a Telnet connection, ensure that the following conditions

are met before using CLI commands:

• The switch has a defined IP address.

• Corresponding management access is granted.

Introduction

Accessing the CLI

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 28

• An IP path is available so that the computer and the switch can reach each

other.

Using HyperTerminal over the Console Interface

The switch’s serial console port provides a direct connection to a computer’s

serial port using a standard DB-9 null modem or crossover cable. Once the

computer and the switch are connected, run a terminal application to access the

command-line interface.

To access the command-line interface using the HyperTerminal application,

perform the following steps:

STEP 1 Click the Start button.

STEP 2 Select All Programs > Accessories > Communications > HyperTerminal.

STEP 3 Enter a name for this connection. Select an icon for the application, then click OK.

STEP 4 Select a port (such as COM1) to communicate with the switch.

STEP 5 Set the serial port settings, then click OK.

• Bits per second = 9600

• Data bits = 8

• Parity = None

• Stop bits = 1

• Flow control = None

STEP 6 When the command-line interface appears, enter cisco at the Username prompt

and press Enter.

STEP 7 Enter cisco at the Password prompt and press Enter.

Introduction

Accessing the CLI

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 29

If this is the first time that you have logged on with the default username and

password, or the switch has been rebooted to factory defaults, you are asked to

change your password. The following message appears:

Please change your password from the default settings. Please change the

password for better protection of your network. Do you want to change the

password (Y/N) [Y]?

STEP 8 Enter Y, and set a new administrator password.

Password complexity is enabled on the switch by default. Passwords must

conform to the following default settings:

• Have a minimum length of eight characters.

• Contain characters from at least three character classes (uppercase letters,

lowercase letters, numbers, and special characters available on a standard

keyboard).

• Are different from the current password.

• Contain no character that is repeated more than three times consecutively.

STEP 9 Press Enter.

The switchxxxxxx# prompt is displayed. You can now enter the commands to

manage the switch. For detailed information about the commands, refer to the

appropriate chapters of this reference guide.

Introduction

CLI Command Conventions

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 30

Using Telnet over an Ethernet Interface

Telnet provides a method of connecting to the command-line interface over an IP

network.

To establish a Telnet session from the command prompt, perform the following

steps:

STEP 1 Click Start, then select All Programs > Accessories > Command Prompt to open a

command prompt.

STEP 2 At the prompt, enter telnet <IP address of switch>, then press Enter.

The command-line interface is displayed.

CLI Command Conventions

There are certain command entry standards that apply to all commands. The

following table describes the command conventions:

[ ] In a command line, square brackets indicate an

optional entry.

Introduction

Editing Features

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 31

Editing Features

Entering Commands

A CLI command is a series of keywords and arguments. Keywords identify a

command, and arguments specify configuration parameters. For example, in the

command show interfaces status

gi1

, show, interfaces, and status are keywords, gi

is an argument that specifies the interface type, and 1 specifies the port.

To enter the commands that require parameters, enter the required parameters

after the command keyword. For example, to set a password for the administrator,

enter:

switchxxxxxx(config)# username admin secret Nn148279

When working with the CLI, the command options are not displayed. The standard

command to request help is ?.

There are two instances where help information can be displayed:

• Keyword lookup—The character ? is entered in place of a command. A list

of all valid commands and corresponding help messages are displayed.

{ } In a command line, curly brackets indicate a selection

of compulsory parameters separated with the |

character. One option must be selected. For example,

flowcontrol {auto | on | off} means that for the

flowcontrol command, either auto, on, or off must be

selected.

parameter Italic text indicates a parameter.

bold Command names and keywords are shown in bold.

italics

Variables and arguments are shown in

italics

press key Names of keys to be pressed are shown in bold.

Ctrl+F4 Keys separated by the + character are to be pressed

simultaneously on the keyboard.

Screen Display

Fixed-width font indicates CLI prompts, CLI commands

entered by the user, and system messages displayed

on the console.

Introduction

Editing Features

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 32

• Partial keyword lookup—If a command is incomplete and the character ? is

entered in place of a parameter, the matched keyword or parameters for

this command are displayed.

Terminal Command Buf fer

Every time a command is entered in the CLI, it is recorded on an internally

managed command history buffer. Commands stored in the buffer are maintained

on a First In First Out (FIFO) basis. These commands can be recalled, reviewed,

modified, and reissued. This buffer is not preserved across device resets.

By default, the history buffer system is enabled, but it can be disabled at any time.

For more information on enabling or disabling the history buffer, refer to the history

command.

There is a standard default number of commands that are stored in the buffer. The

standard number of 10 commands can be increased to 256. For more information

on configuring the command history buffer, refer to the history command.

To display the history buffer, refer to the show history command.

Negating the Effect of Commands

For many configuration commands, the prefix keyword no can be entered to

cancel the effect of a command or reset the configuration to the default value. This

reference guide provides a description of the negation effect for each CLI

command.

Up-Arrow key

Ctrl+P

Recalls commands in the history buffer, beginning with

the most recent command. Repeat the key sequence

to recall successively older commands.

Down-Arrow key Returns to more recent commands in the history buffer

after recalling commands with the up-arrow key.

Repeating the key sequence will recall successively

more recent commands.

Introduction

Editing Features

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 33

Command Completion

If the command entered is incomplete, invalid, or has missing or invalid

parameters, then the appropriate error message is displayed. This assists in

entering the correct command. By pressing Ta b after an incomplete command is

entered, the system will attempt to identify and complete the command. If the

characters already entered are not enough for the system to identify a single

matching command, press ? to display the available commands matching the

characters already entered.

Keyboard Shortcuts

The CLI has a range of keyboard shortcuts to assist in editing the CLI commands.

The following table describes the CLI shortcuts:

Copying and Pasting Text

Up to 1000 lines of text (or commands) can be copied and pasted into the device.

NOTE It is the user’s responsibility to ensure that the text copied into the device consists

of legal commands only.

Up-arrow Recalls commands from the history buffer, beginning

with the most recent command. Repeat the key

sequence to recall successively older commands.

Down-arrow Returns the most recent commands from the history

buffer after recalling commands with the up-arrow key.

Repeating the key sequence will recall successively

more recent commands.

Ctrl+A Moves the cursor to the beginning of the command

line.

Ctrl+E Moves the cursor to the end of the command line.

Ctrl+Z / End Returns back to the Privileged EXEC mode from any

configuration mode.

Backspace Deletes one character left to the cursor position.

Introduction

Interface Naming Conventions

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 34

When copying and pasting commands from a configuration file, make sure that the

following conditions exist:

• A device Configuration mode has been accessed.

• The commands contain no encrypted data, such as encrypted passwords

or keys. Encrypted data cannot be copied and pasted into the device

except for encrypted passwords where the keyword encrypted is used

before the encrypted data.

Interface Naming Conventions

Interface ID

Within the command-line interface, the interfaces are denoted by concatenating

the following elements:

• Type of interface—The following types of interfaces are found on the

various types of devices:

- Fast Ethernet (10/100 bits)—This can be written as FastEthernet or fa.

- Gigabit Ethernet ports (10/100/1000 bits)—This can be written either

GigabitEthernet or gi.

- LAG (Port Channel)—This can be written as either Port-Channel or po.

• Interface Number—Port, LAG, tunnel, or VLAN ID.

The syntax for this is:

{<port-type>[ ]<port-number>}|{Port-Channel|po}[ ]<port-channel-number>

Sample of these various options are shown in the example below:

switchxxxxxx# configure

switchxxxxxx(config)# interface gi1

switchxxxxxx(config)# interface fa1

switchxxxxxx(config)# interface Port-Channel 1

switchxxxxxx(config-if)#

Introduction

Interface Naming Conventions

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 35

Interface Range

Interfaces may be described on an individual basis or within a range. The interface

range command has the following syntax:

<interface-range> ::=

{<port-type>[ ][<first-port-number>[ - <last-port-number]}|

{Port-Channel|po}[ ]<first-port-channel-number>[ - <last-port-channel-

number>]

A sample of this command is shown in the example below:

switchxxxxxx# configure

switchxxxxxx(config)# interface range gi1-5

switchxxxxxx(config-if-range)#

Interface List

A combination of interface types can be specified in the interface range command

in the following format:

<range-list> ::= <interface-range> | <range-list>,< interface-range>

NOTE Range lists can contain either ports or port channels. The space after the comma is

optional. When a range list is defined, a space after the first entry and before the

comma (,) must be entered.

A sample of this command is shown in this example:

switchxxxxxx# configure

switchxxxxxx(config)# interface range gi1,gi4-5

switchxxxxxx(config-if-range)#

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 36

802.1X Commands

dot1x guest-vlan enable

To enable the guest VLAN feature on the switch and specify a VLAN as the guest

VLAN, use the dot1x guest-vlan enable Global Configuration mode command.

To disable the guest VLAN feature on the switch, use the no form of this command.

Syntax

dot1x guest-vlan

vlan-id

enable

no dot1x guest-vlan enable

Parameters

•

vlan-id

—Identifier of the VLAN set as the guest VLAN.

Default Configuration

Guest VLAN is disabled on the switch.

Command Mode

Global Configuration mode

User Guidelines

Use the dot1x guest-vlan enable Interface Configuration mode command to

enable unauthorized users on an interface to access the guest VLAN.

If the guest VLAN is defined and enabled, the interface automatically joins the

guest VLAN when the interface is unauthorized and leaves it when the interface

becomes authorized. To be able to join or leave the guest VLAN, the interface

should not be a static member of the guest VLAN.

Example

The following example sets VLAN 2 as the guest VLAN:

802.1X Commands

dot1x guest-vlan enable (Interface)

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 37

switchxxxxxx(config)# dot1x guest-vlan 2 enable

dot1x guest-vlan enable (Interface)

To enable unauthorized users on the interface accessing the guest VLAN, use the

dot1x guest-vlan enable Interface Configuration (Ethernet) mode command.

To disable unauthorized users on the interface accessing the guest VLAN, use the

no form of this command.

Syntax

dot1x guest-vlan enable

no dot1x guest-vlan enable

Parameters

N/A

Default Configuration

Unauthorized users cannot access the guest VLAN by default.

Command Mode

Interface Configuration (Ethernet) mode

User Guidelines

The switch can have only one guest VLAN. The guest VLAN is defined in the dot1x

guest-vlan enable

Global Configuration mode command.

Example

The following example enables unauthorized users on gi15 to access the guest

VLAN:

switchxxxxxx(config)# interface gi15

switchxxxxxx(config-if)# dot1x guest-vlan enable

802.1X Commands

dot1x max-req

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 38

dot1x max-req

To set the maximum number of times that the switch sends an Extensible

Authentication Protocol (EAP) request or identity frame (assuming that no

response is received) to the client before restarting the authentication process,

use the dot1x max-req Interface Configuration mode command.

To revert to its default setting, use the no form of this command.

Syntax

dot1x max-req

count

no dot1x max-req

Parameters

•

count

—The maximum number of times that the switch sends an EAP

request or identity frame before restarting the authentication process.

(Range: 1 to 10)

Default Configuration

The default maximum number of attempts is 2.

Command Mode

Interface Configuration (Ethernet) mode

User Guidelines

The default value of this command should be changed only to adjust to unusual

circumstances, such as unreliable links or specific behavioral problems with

certain clients and authentication servers.

Example

The following example sets the maximum number of EAP requests to 6:

switchxxxxxx(config)# interface gi15

switchxxxxxx(config-if)# dot1x max-req 6

802.1X Commands

dot1x port-control

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 39

dot1x port-control

To enable manual control of the port authorization state, use the dot1x port-control

Interface Configuration (Ethernet) mode command.

To disable manual control of the port authorization state, use the no form of this

command.

Syntax

dot1x port-control

{auto | force-authorized | force-unauthorized}

no dot1x port-control

Parameters

• auto—Enables 802.1X authentication on the interface and causes it to

transition to the authorized or unauthorized state, based on the 802.1X

authentication exchange between the switch and the client.

• force-authorized—Disables 802.1X authentication on the interface and

causes the interface to transition to the authorized state without any

authentication exchange required. The interface resends and receives

normal traffic without 802.1X-based client authentication.

• force-unauthorized—Denies all access through this interface by forcing it to

transition to the unauthorized state and ignoring all attempts by the client to

authenticate. The switch cannot provide authentication services to the

client through this interface.

Default Configuration

The interface is in the force-authorized state.

Command Mode

Interface Configuration (Ethernet) mode

User Guidelines

In order to proceed to the forwarding state immediately after successful

authentication, we recommend that you disable STP or enable the STP PortFast

mode on 802.1X edge ports (ports in auto state that are connected to end

stations).

802.1X Commands

dot1x reauthentication

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 40

Example

The following example enables 802.1X authentication in auto mode on gi15:

switchxxxxxx(config)# interface gi15

switchxxxxxx(config-if)# dot1x port-control auto

dot1x reauthentication

To enable periodic reauthentication of the client, use the dot1x reauthentication

Interface Configuration (Ethernet) mode command.

To disable periodic reauthentication of the client, use the no form of this command.

Syntax

dot1x reauthentication

no dot1x reauthentication

Parameters

N/A

Default Configuration

Periodic reauthentication is disabled.

Command Mode

Interface Configuration (Ethernet) mode

Example

switchxxxxxx(config)# interface gi15

switchxxxxxx(config-if)# dot1x reauthentication

802.1X Commands

dot1x system-auth-control

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 41

dot1x system-auth-control

To enable 802.1X globally on the switch, use the dot1x system-auth-control Global

Configuration mode command.

To disable 802.1X globally on the switch, use the no form of this command.

Syntax

dot1x system-auth-control

no dot1x system-auth-control

Parameters

N/A

Default Configuration

802.1X is disabled.

Command Mode

Global Configuration mode

Example

switchxxxxxx(config)# dot1x system-auth-control

dot1x timeout quiet-period

To set the time interval that the switch remains in a quiet state following a failed

authentication exchange (for example, the client provided an invalid password),

use the dot1x timeout quiet-period Interface Configuration (Ethernet) mode

command.

To revert to its default setting, use the no form of this command.

Syntax

dot1x timeout quiet-period

seconds

no dot1x timeout quiet-period

802.1X Commands

dot1x timeout reauth-period

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 42

Parameters

•

seconds

—The time interval in seconds that the switch remains in a quiet

state following a failed authentication exchange with the client. (Range: 0 to

65535 seconds)

Default Configuration

The default quiet period is 60 seconds.

Command Mode

Interface Configuration (Ethernet) mode

User Guidelines

During the quiet period, the switch does not accept or initiate the authentication

requests.

The default value of this command should only be changed to adjust to unusual

circumstances, such as unreliable links or specific behavioral problems with

certain clients and authentication servers.

To provide faster response time to the user, a smaller number than the default

value should be entered.

Example

The following example sets the time interval to 10 seconds:

switchxxxxxx(config)# interface gi15

switchxxxxxx(config-if)# dot1x timeout quiet-period 10

dot1x timeout reauth-period

To set the number of seconds between reauthentication attempts, use the dot1x

timeout reauth-period Interface Configuration (Ethernet) mode command.

To revert to its default setting, use the no form of this command.

Syntax

dot1x timeout reauth-period

seconds

no dot1x timeout reauth-period

802.1X Commands

dot1x timeout supp-timeout

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 43

Parameters

•

seconds

—Number of seconds between reauthentication attempts. (Range:

30 to 65535)

Default Configuration

3600 seconds

Command Mode

Interface Configuration (Ethernet) mode

Example

switchxxxxxx(config)# interface gi15

switchxxxxxx(config-if)# dot1x timeout reauth-period 5000

dot1x timeout supp-timeout

To set the time interval during which the switch waits for a response to an

Extensible Authentication Protocol (EAP) request frame from the client before

resending the request, use the dot1x timeout supp-timeout Interface Configuration

(Ethernet) mode command.

To revert to its default setting, use the no form of this command.

Syntax

dot1x timeout supp-timeout

seconds

no dot1x timeout supp-timeout

Parameters

•

seconds

—The time interval in seconds during which the switch waits for a

response to an EAP request frame from the client before resending the

request. (Range: 1 to 65535 seconds)

Default Configuration

The default timeout period is 30 seconds.

802.1X Commands

show dot1x

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 44

Command Mode

Interface Configuration (Ethernet) mode

User Guidelines

The default value of this command should be changed only to adjust to unusual

circumstances, such as unreliable links or specific behavioral problems with

certain clients and authentication servers.

Example

The following example sets the time interval to 3600 seconds:

switchxxxxxx(config)# interface gi15

switchxxxxxx(config-if)# dot1x timeout supp-timeout 3600

show dot1x

To show the 802.1X status, use the show dot1x Privileged EXEC mode command.

Syntax

show dot1x

Parameters

N/A

Default Configuration

N/A

Command Mode

Privileged EXEC mode

Example

switchxxxxxx# show dot1x

802.1x protocol is: Enabled

802.1x protocol version: 2

802.1X Commands

show dot1x authenticated-hosts

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 45

The following table describes the significant fields shown in the example:

show dot1x authenticated-hosts

To show information for all dot1x authenticated hosts, use the show dot1x

authenticated-hosts Privileged EXEC mode command.

Syntax

show dot1x authenticated-hosts

Parameters

N/A

Default Configuration

N/A

Command Mode

Privileged EXEC mode

Examples

switchxxxxxx# show dot1x authenticated-hosts

User Name | Port | Session Time | Authentication Method | MAC

Address

------------+-------+-------------------+-----------------------+-----------

The following table describes the significant fields shown in the example:

Field Description

802.1x protocol is

Port-based 802.1X authentication is enabled or

disabled on the switch.

802.1x protocol

version

Version of the 802.1X protocol.

Field Description

User Name Supplicant name that was authenticated on the port.

802.1X Commands

show dot1x guest-vlan

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 46

show dot1x guest-vlan

To show the 802.1X guest VLAN information for all interfaces, use the show dot1x

guest-vlan Privileged EXEC mode command.

Syntax

show dot1x guest-vlan

Parameters

N/A

Default Configuration

N/A

Command Mode

Privileged EXEC mode

Example

switchxxxxxx# show dot1x guest-vlan

Guest VLAN ID: none (disabled)

Port | Guest VLAN | In Guest VLAN

--------+------------+---------------

gi1 | Enabled | No

gi2 | Disabled | ---

gi3 | Disabled | ---

gi4 | Disabled | ---

gi5 | Disabled | ---

gi6 | Disabled | ---

gi7 | Disabled | ---

Port Port number.

Session Time Amount of time that the supplicant was logged on the

port.

Authentication

Method

Method used to authenticate the last session.

MAC Address Supplicant MAC address.

Field Description

802.1X Commands

show dot1x guest-vlan

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 47

gi8 | Disabled | ---

gi9 | Disabled | ---

gi10 | Disabled | ---

gi11 | Disabled | ---

gi12 | Disabled | ---

gi13 | Disabled | ---

gi14 | Disabled | ---

gi15 | Enabled | No

gi16 | Disabled | ---

gi17 | Disabled | ---

gi18 | Disabled | ---

gi19 | Disabled | ---

gi20 | Disabled | ---

gi21 | Disabled | ---

gi22 | Disabled | ---

gi23 | Disabled | ---

gi24 | Disabled | ---

gi25 | Disabled | ---

gi26 | Disabled | ---

gi27 | Disabled | ---

gi28 | Disabled | ---

gi29 | Disabled | ---

gi30 | Disabled | ---

gi31 | Disabled | ---

gi32 | Disabled | ---

gi33 | Disabled | ---

gi34 | Disabled | ---

gi35 | Disabled | ---

gi36 | Disabled | ---

gi37 | Disabled | ---

gi38 | Disabled | ---

gi39 | Disabled | ---

gi40 | Disabled | ---

gi41 | Disabled | ---

gi42 | Disabled | ---

gi43 | Disabled | ---

gi44 | Disabled | ---

gi45 | Disabled | ---

gi46 | Disabled | ---

gi47 | Disabled | ---

gi48 | Disabled | ---

gi49 | Disabled | ---

gi50 | Disabled | ---

gi51 | Disabled | ---

gi52 | Disabled | ---

The following table describes the significant fields shown in the example:

Field Description

Guest VLAN ID Identifier of the VLAN as the guest VLAN.

Port Port number.

802.1X Commands

show dot1x interfaces

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 48

show dot1x interfaces

To show 802.1X configuration on specific interfaces, use the show dot1x

interfaces Privileged EXEC mode command.

Syntax

show dot1x interfaces {

interface-id

}

Parameters

•

interface-id

—An interface ID or a list of interfaces.

Default Configuration

N/A

Command Mode

Privileged EXEC mode

Example

switchxxxxxx# show dot1x interfaces gi11

Port | Mode | Current State | Reauth Control | Reauth P

eriod

--------+--------------------+----------------------+-----------------+-----

---------

gi11 | Authentication | Initialize | Enabled |

5000

Quiet Period: 60 Second

Supplicant timeout: 30 Second

Max req: 2

Session Time (HH:MM:SS): 0: 0: 0: 0

Guest VLAN Shows whether 802.1X authentication is enabled or

disabled on the port.

In Guest VLAN Shows whether the unauthorized port is in or not in the

guest VLAN.

Field Description

802.1X Commands

show dot1x interfaces

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 49

The following table describes the significant fields shown in the example:

Field Description

Port

Port number.

Mode

802.1X port-based authentication mode.

Current State

Current port authorization state.

Reauth Control

Shows that reauthentication is enabled or disabled on

the port.

Reauth Period Number of seconds after which the selected port is

reauthenticated.

Quiet Period Number of seconds that the switch remains in the quiet

state following a failed authentication exchange.

Supplicant timeout Number of seconds that lapses before EAP requests

are resent to the supplicant.

Max req Maximum number of EAP requests that can be sent.

Session Time

(HH:MM:SS)

Amount of time that the supplicant was logged on the

port.

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 50

AAA Commands

This chapter describes the Authentication, Authorization, and Accounting (AAA)

commands.

aaa authentication enable

To set one or more authentication methods for accessing higher privilege levels,

use the aaa authentication enable Global Configuration mode command.

To restore the default authentication method, use the no form of this command.

Syntax

aaa authentication enable {default |

LISTNAME

}

method1

[

method2

...]

no aaa authentication enable {default |

LISTNAME

}

Parameters

• default—Uses the default authentication method list when accessing higher

privilege levels.

•

LISTNAME

—Name of the authentication method list activated when users

access higher privilege levels. (Length: 1 to 32 characters)

•

method1

[

method2

...]—A list of methods that the authentication algorithm

tries, in the given sequence.

Default Configuration

The enable password command defines the default authentication login method.

This command functions the same as the aaa authentication enable default enable

command.

On a console, the enable password is used if a password exists. If no password is

set, the authentication still succeeds. This command functions the same as

entering the aaa authentication enable default enable none command.

AAA Commands

aaa authentication enable

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 51

Command Mode

Global Configuration mode

User Guidelines

A user who logs on with a lower privilege level must pass these authentication

methods to access a higher level.

The additional authentication methods are used only if the previous method

returns an error, not if it fails. Specify none as the final method in the command line

to ensure that the authentication succeeds, even if all methods return an error.

Select one or more methods from the following list:

Create a list by entering the aaa authentication enable

LISTNAME

command

where

LISTNAME

is any character string used to name this list. The method

argument identifies the list of methods that the authentication algorithm tries in the

given sequence.

All aaa authentication enable default requests sent by the switch to a RADIUS or a

TACACS+ server include the username $enabx$., where x is the requested

privilege level.

The no aaa authentication enable

LISTNAME

command deletes the list name if it

has not been referenced.

Example

The following example sets the enable password for authentication for accessing

higher privilege levels:

switchxxxxxx(config)# aaa authentication enable enable-list radius none

switchxxxxxx(config)# line console

switchxxxxxx(config-line)# enable authentication enable-list

Keyword Description

enable Uses the enable password for authentication.

none Uses no authentication.

radius Uses a list of RADIUS servers for authentication.

tacacs+ Uses a list of TACACS servers for authentication.

AAA Commands

aaa authentication login

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 52

aaa authentication login

To set one or more authentication methods to be applied during login, use the aaa

authentication login Global Configuration mode command.

To restore the default authentication method, use the no form of this command.

Syntax

aaa authentication login {default |

LISTNAME

}

method1 [method2...]

no aaa authentication login {default |

LISTNAME

}

Parameters

• default—Uses the default authentication method list when a user logs in

(this list is unnamed).

•

LISTNAME

—Name of the authentication method list activated when a user

logs in. (Length: 1 to 32 characters)

•

method1 [method2...]

—A list of methods that the authentication algorithm

tries (in the given sequence).

Default Configuration

If no authentication method is specified, the default is to use the locally-defined

users and passwords. It is the same as entering the aaa authentication login local

command.

NOTE If no authentication method is defined, the console users can log in without any

authentication verification.

Command Mode

Global Configuration mode

User Guidelines

A list of authentication methods may be assigned a list name, and this list name

can be used in the aaa authentication enable command.

Create a list of authentication methods by entering this command with the

LISTNAME

parameter where

LISTNAME

is any character string. The method

argument identifies the list of methods that the authentication algorithm tries in the

given sequence.

AAA Commands

enable authentication

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 53

Each additional authentication method is used only if the previous method returns

an error, not if it fails. To ensure that the authentication succeeds even if all

methods return an error, specify none as the final method in the command line.

Select one or more methods from the following list:

The default and list names created with this command are used with the aaa

authentication enable command.

The no aaa authentication login

LISTNAME

command deletes a list name only if it

has not been referenced by another command.

Example

The following example sets the authentication login method for console sessions:

switchxxxxxx(config)# aaa authentication login authen-list radius local none

switchxxxxxx(config)# line console

switchxxxxxx(config-line)# login authentication authen-list

enable authentication

To specify the authentication method for accessing a higher privilege level from a

remote Telnet or console, use the enable authentication Line Configuration mode

command.

To restore the default authentication method, use the no form of this command.

Syntax

enable authentication

LISTNAME

Keyword Description

enable Uses the enable password for authentication.

local Uses the locally defined usernames for authentication.

none Uses no authentication.

radius Uses a list of RADIUS servers for authentication.

tacacs+ Uses a list of TACACS+ servers for authentication.

AAA Commands

enable password

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 54

no enable authentication

Parameters

•

LISTNAME

—Name of a specific authentication method list created with the

aaa authentication enable command.

Command Mode

Line Configuration mode

Examples

Example 1—The following example uses the default authentication method when

accessing a higher privilege level from a console:

switchxxxxxx(config)# line console

switchxxxxxx(config-line)# enable authentication default

Example 2—The following example sets a list of authentication methods for

accessing higher privilege levels:

switchxxxxxx(config)# aaa authentication enable enable-list radius none

switchxxxxxx(config)# line console

switchxxxxxx(config-line)# enable authentication enable-list

enable password

To set a local password to control access to normal and privilege levels, use the

enable password Global Configuration mode command.

To restore the default password, use the no form of this command.

Syntax

enable password [level

privilege-level

]

unencrypted-password

enable secret [level

privilege-level

] encrypted

encrypted-password

no enable [password | secret] [level

privilege-level

]

AAA Commands

enable password

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 55

Parameters

• level

privilege-level

—(Optional) Specifies the level for which the password

applies. If not specified, the level is 15. (Range: 1 to 15)

•

unencrypted-password

—Password for this level. (Range: 0 to 80

characters)

•

encrypted-password

—The encrypted password. Use this keyword to

enter a password that is already encrypted, such as a password that you

copied from the configuration file of another device.

Default Configuration

The default level is 15.

The passwords are encrypted by default.

Command Mode

Global Configuration mode

User Guidelines

When the administrator configures a new enable password, this password is

encrypted automatically and saved to the configuration file. No matter how the

password was entered, it appears in the configuration file with the keyword

encrypted and the encrypted value.

If the administrator wants to manually copy a password that was configured on

one switch (switch B) to another switch (switch A), the administrator must add

encrypted in front of this encrypted password when entering the enable

command in switch A. In this way, the two switches will have the same password.

The passwords are encrypted by default. You only are required to use the

encrypted keyword when you are actually entering an encrypted keyword.

Example

The following command sets an unencrypted password for level 15 (it will be

encrypted in the configuration file):

switchxxxxxx(config)# enable password level 15 let-me-in

switchxxxxxx(config)# enable secret level l

4b529f21c93d4706090285b0c10172eb073ffebc4

AAA Commands

ip http authentication

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 56

ip http authentication

To specify one or more AAA methods for HTTP and HTTPS login authentications,

use the ip http authentication Global Configuration mode command.

Syntax

ip http authentication aaa login-authentication [http | https] {default |

LISTNAME

}

no ip http authentication aaa login-authentication [http | https]

Parameters

• http—(Optional) Binds a login authentication list to user access with the

HTTP protocol.

• https—(Optional) Binds a login authentication list to user access with the

HTTPS protocol.

• default—Uses the default login authentication method list.

•

LISTNAME

—Name of the login authentication method list.

Default Configuration

The default login authentication list is used for HTTP and HTTPS sessions by

default.

Command Mode

Global Configuration mode

Example

The following example creates two login authentication method lists and binds

them to HTTP and HTTPS separately:

switchxxxxxx(config)# ip http authentication aaa login-authentication http

test1

switchxxxxxx(config)# ip http authentication aaa login-authentication https

test2

AAA Commands

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 57

To specify the login authentication method list for a remote Telnet or console

session, use the login authentication Line Configuration mode command.

To restore the default authentication method, use the no form of this command.

Syntax

LISTNAME

}

no login authentication

Parameters

• default—Uses the default login authentication list.

•

LISTNAME

—Name of a specific authentication list created with the aaa

authentication login command.

Default Configuration

The default login authentication list is used used for each line.

Command Mode

Line Configuration mode

Examples

Example 1—The following example specifies the default login authentication

method for a console session:

switchxxxxxx(config)# line console

switchxxxxxx(config-line)# login authentication default

Example 2—The following example sets an authentication login method list for the

console:

switchxxxxxx (config)# aaa authentication login authen-list radius local none

switchxxxxxx (config)# line console

switchxxxxxx (config-line)# login authentication authen-list

AAA Commands

passwords aging

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 58

passwords aging

To enforce the password aging, use the passwords aging Global Configuration

mode command.

To revert to its default setting, use the no form of this command.

Syntax

passwords aging

days

no passwords aging

Parameters

•

days

—The number of days before a password change is forced. The value

of zero means disabling aging. (Range: 0 to 365)

Default Configuration

The number of days is 180.

Command Mode

Global Configuration mode

User Guidelines

Aging is relevant only to local users with the privilege level 15.

To disable the password aging, use passwords aging 0. Using no passwords

aging restores the aging time to its default setting.

Example

The following example configures the aging time to 24 days:

switchxxxxxx(config)# passwords aging 24

AAA Commands

passwords complexity <attributes>

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 59

passwords complexity <attributes>

To configure the minimum password requirements when the password complexity

is enabled, use the passwords complexity <attributes> Global Configuration

mode commands.

To revert to its default setting, use the no form of these commands.

Syntax

passwords complexity

min-length

number

no passwords complexity min-length

passwords complexity min-classes

number

no passwords complexity min-classes

passwords complexity not-current

no passwords complexity not-current

passwords complexity no-repeat

number

no password complexity

no-repeat

passwords complexity not-username

no passwords complexity not-username

Parameters

• min-length

number

—Specifies the minimum length of the password.

(Range: 0 to 64 characters)

• min-classes

number

—Specifies the minimum character classes

(uppercase letters, lowercase letters, numbers, and special characters

available on a standard keyboard). (Range: 0 to 4)

• not-current—Specifies that the new password cannot be same as the

current password.

• no-repeat

number

—Specifies the maximum number of characters that can

be repeated consecutively. Zero specifies that there is no limit on repeated

characters. (Range: 0 to 16)

• not-username—Specifies that the new password cannot be same as the

current username.

AAA Commands

passwords complexity enable

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 60

Default Configuration

The minimum length is 8.

The number of classes is 3.

The default for no-repeat is 3.

All other controls are enabled by default.

Command Mode

Global Configuration mode

Example

The following example changes the minimum required password length to 10

characters:

switchxxxxxx(config)# passwords complexity min-length 10

passwords complexity enable

To enforce the minimum password complexity, use the passwords complexity

enable Global Configuration mode command.

To disable enforcing the password complexity, use the no form of this command.

Syntax

passwords complexity enable

no passwords complexity enable

Parameters

N/A

Default Configuration

Password complexity is enabled on the switch.

Command Mode

Global Configuration mode

AAA Commands

passwords complexity enable

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 61

User Guidelines

The password complexity is enabled by default. The user is required to enter a

password that:

• Has a minimum length of 8 characters.

• Contains characters from at least 3 character classes (uppercase letters,

lowercase letters, numbers, and special characters available on a standard

keyboard).

• Is different from the current password.

• Contains no character that is repeated more than 3 times consecutively.

You can control these attributes of the password complexity with specific

commands described in this section.

If you have previously configured other complexity settings, then those settings

are used. This command does not eliminate the other settings. It works only as a

toggle.

Example

The following example enables enforcing the password complexity on the switch

and shows the current password complexity settings:

switchxxxxxx(config)# passwords complexity enable

switchxxxxxx(config)# exit

switchxxxxxx# show passwords configuration

Passwords aging is enabled with aging time 180 days.

Passwords complexity is enabled with the following attributes:

Minimal length: 3 characters

Minimal classes: 3

New password must be different than the current: Enabled

Maximum consecutive same characters: 3

New password must be different than the user name: Enabled

AAA Commands

show aaa authentication lists

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 62

show aaa authentication lists

To show information for the AAA authentication lists, use the show aaa

authentication lists Privileged EXEC command.

Syntax

show aaa authentication {login | enable} lists

Parameters

• login—Displays information for the AAA authentication login lists.

• enable—Displays information for the AAA authentication enable lists.

Command Mode

Privileged EXEC mode

Example

The following examples show information for all existing login and enable

authentication lists:

switchxxxxxx# show aaa authentication login lists

-----------------+-------------------------------

default | local

switchxxxxxx# show aaa authentication enable lists

Enable List Name | Authentication Method List

-----------------+-------------------------------

default | enable

show line lists

To show all AAA method lists for different line types, use the show line lists

Privileged EXEC mode command.

Syntax

show line lists

AAA Commands

show passwords configuration

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 63

Parameters

N/A

Default Configuration

N/A

Command Mode

Privileged EXEC mode

Example

The following example displays all AAA method lists for different line types:

switchxxxxxxx# show line lists

Line Type | AAA Type | List Name

-------------+-----------------+-----------------

console | login | default

| enable | default

telnet | login | default

| enable | default

ssh | login | default

| enable | default

http | login | default

https | login | default

show passwords configuration

To show the password management configuration, use the show passwords

configuration Privileged EXEC mode command.

Syntax

show passwords configuration

Parameters

N/A

Default Configuration

N/A

AAA Commands

show username

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 64

Command Mode

Privileged EXEC mode

Example

switchxxxxxx# show passwords configuration

Passwords aging is enabled with aging time 180 days.

Passwords complexity is enabled with the following attributes:

Minimal length: 3 characters

Minimal classes: 3

New password must be different than the current: Enabled

Maximum consecutive same characters: 3

New password must be different than the user name: Enabled

show username

To show all user accounts in local database, use the show username Privileged

EXEC mode command.

Syntax

show username

Parameters

None

Default Configuration

None

Command Mode

Privileged EXEC mode

Example

The following example shows information for all user accounts defined on the

switch:

switchxxxxxx# show username

Priv | Type | User Name | Password

-------+--------+--------------------------------+--------------------------

AAA Commands

username

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 65

15 | secret | cisco |

ZmZmNzVhZTAzYjAyODkzZjlkM2JjZGIyMGYyMzY0NDM=

username

To add a new user or edit an existing user, use the username Global Configuration

mode command.

To delete a username, use the no form of this command.

Syntax

username

USERNAME

[privilege

{1 | 15 | admin | user}] {nopassword | secret

{Encrypted

encrypted-password

unencrypted-password

}}

no username

USERNAME

Parameters

•

USERNAME

—Name of the user. (Range: 0 to 32 characters)

• privilege 1 —(Optional) Specifies the privilege level to 1.

• privilege 15

—(Optional) Specifies the privilege level to 15.

• privilege admin

—(Optional) Specifies the privilege level to 15.

• privilege user

—(Optional) Specifies the privilege level to 1.

• nopassword—No password is required for this user to log in.

• secret Encrypted

encrypted-password

—Specifies an encrypted

password for the user. Use this keyword to enter a password that is already

encrypted, such as a password that you copied from another the

configuration file of another device.

• secret

unencrypted-password

—Specifies a password that will be

automatically encrypted. (Range: 0 to 80 characters)

Default Configuration

The privilege level of the default user cisco is 15. The default password of this

user is cisco.

Command Mode

Global Configuration mode

AAA Commands

username

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 66

Examples

Example 1—The following example adds a user tom (level 15) with no password:

switchxxxxxx(config)# username tom privilege 15 nopassword

Example 2—The following example sets a password for user jerry (level 15) that

has already been encrypted. It will be copied to the configuration file just as it is

entered. To use it, the user must know its unencrypted form.

switchxxxxxx(config)# username jerry privilege 15 secret encrypted

4b529f21c93d4706090285b0c10172eb073ffebc4

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 67

ACL Commands

deny (MAC)

To set deny conditions (conditions are also known as access control entries

[ACEs]) for a MAC-based ACL, use the deny MAC Access-List Configuration mode

command.

To remove a MAC-based ACE, use the no sequence command.

Syntax

deny {any |

source source-wildcard

} {any |

destination destination-wildcard

} [vlan

vlan-id

] [cos

cos cos-wildcard

] [ethtype

value

] [disable-port]

no sequence

value

Parameters

• any—Any source or destination MAC address of the packet.

•

source

—Source MAC address of the packet.

•

source-wildcard

—Wildcard bits to be applied to the source MAC address.

•

destination

—Destination MAC address of the packet.

•

destination-wildcard

—Wildcard bits to be applied to the destination MAC

address.

• vlan

vlan-id

—(Optional) Specifies the VLAN ID of the packet. (Range: 1 to

4094)

• cos

cos

—(Optional) Specifies the CoS value of the packet. (Range: 0 to 7)

•

cos-wildcard

—(Optional) Wildcard bits to be applied to the CoS value.

• ethtype

value

—(Optional) Specifies the Ethernet type in hexadecimal

format of the packet.

ACL Commands

deny (IP)

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 68

• disable-port—(Optional) Disables the Ethernet interface if the condition is

matched.

Default Configuration

No MAC-based ACE is defined.

Command Mode

MAC Access-List Configuration mode

User Guidelines

After an ACE is added to an ACL, an implicit deny any any condition exists at the

end of the list. That is, if there are no matches, the packets are denied. However,

before the first ACE is added, the list permits all packets.

Example

switchxxxxxx(config)# mac access-list extended server1

switchxxxxxx(config-mac-acl)# deny 00:00:00:00:00:01 00:00:00:00:00:ff any

deny (IP)

To set deny conditions for an IPv4-based ACL, use the deny IP Access-List

Configuration mode command.

To remove an IPv4-based ACE, use the no sequence command.

Syntax

[sequence

value

] deny

protocol

{any |

source source-wildcard

} {any |

destination

destination-wildcard

} [dscp

number

precedence

number

] [disable-port]

[sequence

value

] deny

icmp

{any |

source source-wildcard

} {any |

destination

destination-wildcard

} [any |

icmp-type

] [any |

icmp-code

] [dscp

number

precedence

number

] [disable-port]

[sequence

value

] deny

tcp

{any

| {

source source-wildcard

} {any

source-port

port-

range

} }{any |

destination destination-wildcard

} {any |

destination-port

port-range

}

[dscp

number

| precedence

number

] [match-all

list-of-flags

] [disable-port]

ACL Commands

deny (IP)

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 69

[sequence

value

] deny

udp

{any |

source source-wildcard

} {any |

source-port

port-

range

} {any |

destination destination-wildcard

} {any |

destination-port

port-range

}

[dscp

number

| precedence

number

] [disable-port]

no sequence

value

Parameters

• sequence

value

—(Optional) Specifies the sequence number of the IPv4-

based ACL. The acceptable range is from 1 to 2147483547. If not specified,

the switch provides a number starting from 1 in ascending order.

•

protocol

—The name or the number of an IP protocol. Available protocol

names are icmp, ip, tcp, egp, igp, udp, hmp, rdp, idpr, ipv6, ipv6:rout,

ipv6:frag, idrp, rsvp, gre, esp, ah, ipv6:icmp, eigrp, ospf, ipinip, pim, l2tp, and

isis. To match any protocol, use the ip keyword. (Range: 0 to 255)

•

source

—Source IP address of the packet.

•

source-wildcard

—Wildcard bits to be applied to the source IP address.

•

source-port/port range

—UDP or TCP source port. Predefined port names

are defined in the

destination-port/port-range

parameter. (Range: 0 to

65535)

•

destination

—Destination IP address of the packet.

•

destination-wildcard

—Wildcard bits to be applied to the destination IP

address.

•

destination-port/port range

—UDP or TCP destination port. You can enter a

range of ports by using hyphen, such as 20 - 21. For TCP enter a number or

one of the following values: bgp (179), chargen (19), daytime (13), discard (9),

domain (53), drip (3949), echo (7), finger (79), ftp (21), ftp-data (20), gopher

(70), hostname (42), irc (194), klogin (543), kshell (544), lpd (515), nntp (119),

pop2 (109), pop3 (110), smtp (25), sunrpc (1110, syslog (514), tacacs-ds

(49), talk (517), telnet (23), time (35), uucp (117), whois (43), www (80). For

UDP enter a number or one of the following values: biff (512), bootpc (68),

bootps (67), discard (9), dnsix (90), domain (53), echo (7), mobile-ip (434),

nameserver (42), netbios-dgm (138), netbios-ns (135), non500-isakmp

(4500), ntp (123), rip (520), snmp 161), snmptrap (162), sunrpc (111), syslog

(514), tacacs-ds (49), talk (517), tftp (69), time (35), who (513), or xdmcp

(177). (Range: 0 to 65535)

• dscp

number

—(Optional) Specifies the DSCP value.

• precedence

number

—(Optional) Specifies the IP precedence value.

ACL Commands

deny (IP)

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 70

• disable-port—(Optional) The Ethernet interface is disabled if the condition

is matched.

•

icmp-type

—(Optional) The ICMP message type for filtering ICMP packets.

Enter a number or one of these values: echo-reply, destination-unreachable,

source-quench, redirect, alternate-host-address, echo-request, router-

advertisement, router-solicitation, time-exceeded, parameter-problem,

timestamp, timestamp-reply, information-request, information-reply,

address-mask-request, address-mask-reply, traceroute, datagram-

conversion-error, mobile-host-redirect, mobile-registration-request, mobile-

registration-reply, domain-name-request, domain-name-reply, skip, or

photuris. (Range: 0 to 255)

•

icmp-code

—(Optional) ICMP message code for filtering ICMP packets.

(Range: 0 to 255)

• match-all

list-of-flags

—(Optional) Specifies a list of TCP flags that should

occur. If a flag should be set, it is prefixed by “+”. If a flag should be unset, it

is prefixed by “-”. Available options are +urg, +ack, +psh, +rst, +syn, +fin, -

urg, -ack, -psh, -rst, -syn, and -fin. The flags are concatenated to one string,

such as +fin-ack.

Default Configuration

No IPv4-based ACE is defined.

Command Mode

IP Access-List Configuration mode

User Guidelines

After an ACE is added to an ACL, an implicit deny any any condition exists at the

end of the list. That is, if there are no matches, the packets are denied. However,

before the first ACE is added, the list permits all packets.

The number of TCP or UDP ranges that can be defined in ACLs is limited. You can

define up to #ASIC-specific ranges for TCP and up to #ASIC-specific ranges for

UDP.

If a range of ports is used for a source port in ACE, it is not counted again if it is

also used for a source port in another ACE.

If a range of ports is used for a destination port in ACE, it is not counted again if it is

also used for a destination port in another ACE.

If a range of ports is used for a source port, it is counted again if it is also used for a

destination port.

ACL Commands

deny (IPv6)

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 71

Example

switchxxxxxx(config)# ip access-list extended server

switchxxxxxx(config-ip-acl)# deny ip 172.212.0.0/0.0.255.255 any

deny (IPv6)

To set deny conditions for an IPv6-based ACL, use the deny IPv6 Access-List

Configuration mode command.

To remove an IPv6-based ACE, use the no sequence command.

Syntax

[sequence

value

] deny

protocol

{any |

source-prefix/length

} {any |

destination-

prefix/length

} [dscp

number

precedence

number

] [disable-port]

[sequence

value

] deny

icmp

{any |

source-prefix

{any |

source-prefix/length

} {any |

destination- prefix/length

} {any |

icmp-type

} {any |

icmp-code

} [dscp

number

precedence

number

] [disable-port]

[sequence

value

] deny

tcp

{any |

source-prefix/length

} {any |

source-port/port-

range

} {any |

destination- prefix/length

} {any|

destination-port/port-range

} [dscp

number

| precedence

number

] [match-all

list-of-flags

] [disable-port]

[sequence

value

] deny

udp

{any |

source-prefix/length

} {any |

source-port/port-

range

} {any

destination- prefix/length

} {any |

destination-port/port-range

} [dscp

number

| precedence

number

] [match-all

list-of-flags

] [disable-port]

no sequence

value

Parameters

• sequence

value

—(Optional) Specifies the sequence number of the IPv6-

based ACL. The acceptable range is from 1 to 2147483547. If not specified,

the switch provides a number starting from 1 in ascending order.

•

protocol

—The name or the number of an IP protocol. Available protocol

names are icmp (58), tcp (6), and udp (17). To match any protocol, use the

ipv6 keyword. (Range: 0 to 255)

•

source-prefix/length

—The source IPv6 network or class of networks about

which to set permit conditions. This argument must be in the format

ACL Commands

deny (IPv6)

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 72

documented in RFC 3513 where the address is specified in hexadecimal

using 16-bit values between colons.

•

source-port/port-range

—The UDP or TCP source port. Predefined port

names are defined in the

destination-port/port-range

parameter. (Range: 0

to 65535)

•

destination-prefix/length

—The destination IPv6 network or class of

networks about which to set permit conditions. This argument must be in

the format documented in RFC 3513 where the address is specified in

hexadecimal using 16-bit values between colons.

•

destination-port/port-range

—The UDP or TCP destination port. You can

enter a range of ports by using a hyphen, such as 20 - 21. For TCP enter a

number or one of these values: bgp (179), chargen (19), daytime (13),

discard (9), domain (53), drip (3949), echo (7), finger (79), ftp (21), ftp-data

20), gopher (70), hostname (42), irc (194), klogin (543), kshell (544), lpd (515),

nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (1110, syslog (514),

tacacs-ds (49), talk (517), telnet (23), time (37), uucp (117), whois (43), www

(80). For UDP enter a number or one of the following values: biff (512),

bootpc (68), bootps (67), discard (9), dnsix (90), domain (53), echo (7),

mobile-ip (434), nameserver (42), netbios-dgm (138), netbios-ns (137),

non500-isakmp (4500), ntp (123), rip (520), snmp (161), snmptrap (162),

sunrpc (111), syslog (514), tacacs (49), talk (517), tftp (69), time (37), who

(513), or xdmcp (177). (Range: 0 to 65535)

• dscp

number

—(Optional) Specifies the DSCP value. (Range: 0 to 63)

• precedence

number

—(Optional) Specifies the IP precedence value.

• disable-port—(Optional) Disables the Ethernet interface if the condition is

matched.

•

icmp-type

—(Optional) The ICMP message type for filtering ICMP packets.

Enter a number or one of these values: destination-unreachable (1), packet-

too-big (2), time-exceeded (3), parameter-problem (4), echo-request (128),

echo-reply (129), mld-query (130), mld-report (131), mldv2-report (143),

mld-done (132), router-solicitation (133), router-advertisement (134), nd-ns

(135), or nd-na (135). (Range: 0 to 255)

•

icmp-code

—(Optional) The ICMP message code for filtering ICMP packets.

(Range: 0 to 255)

• match-all

list-of-flags

—(Optional) Specifies a list of TCP flags that should

occur. If a flag should be set, it is prefixed by “+”. If a flag should be unset, it

is prefixed by “-”. Available options are +urg, +ack, +psh, +rst, +syn, +fin, -

ACL Commands

ip access-group in

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 73

urg, -ack, -psh, -rst, -syn, and -fin. The flags are concatenated to one string,

such as +fin-ack.

Default Configuration

No IPv6-based ACE is defined.

Command Mode

IPv6 Access-List Configuration mode

User Guidelines

The number of TCP/UDP ranges that can be defined in ACLs is limited. You can

define up to #ASIC-specific ranges for TCP and up to #ASIC-specific ranges for

UDP.

If a range of ports is used for a source port in ACE, it is not counted again if it is

also used for a source port in another ACE.

If a range of ports is used for a destination port in ACE, it is not counted again if it is

also used for a destination port in another ACE.

If a range of ports is used for a source port, it is counted again if it is also used for a

destination port.

Example

switchxxxxxx(config)# ipv6 access-list server

switchxxxxxx(config-ipv6-acl)# deny tcp 3001::2/64 any any 80

ip access-group in

To bind an IPv4-based ACL to an interface, use the ip access-group in Interface

Configuration mode command.

To remove all IPv4-based ACLs from an interface, use the no form of this

command.

Syntax

ip access-group

acl-name

no ip access-group in

ACL Commands

ip access-list extended

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 74

Parameters

•

acl-name

—Name of the IPv4-based ACL. (Range: 1 to 32 characters)

Default Configuration

No IPv4-based ACL is applied to the interface.

Command Mode

Interface Configuration (Ethernet) mode

Example

switchxxxxxx(config)# interface gi11

switchxxxxxx(config-if)# ip access-group v4acl1 in

ip access-list extended

To name an IPv4-based ACL and to enter the IPv4 Access-List Configuration

mode, use the ip access-list extended Global Configuration mode command.

To remove an IPv4-based ACL, use the no form of this command.

Syntax

ip access-list extended

acl-name

no ip access-list extended

acl-name

Parameters

•

acl-name

—Name of the IPv4-based ACL. (Range: 1 to 32 characters)

Default Configuration

No IPv4-based ACL is configured.

Command Mode

Global Configuration mode

User Guidelines

The IPv4-based ACEs for this IPv4-based ACL are defined in the permit (IP) and

deny (IP) commands.

ACL Commands

ipv6 access-group in

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 75

An IPv4-based ACL is defined by a unique name. IPv4-based ACL, IPv6-based

ACL, MAC-based ACL, or policy map cannot have the same name.

Example

switchxxxxxx(config)# ip access-list extended server

switchxxxxxx(config-ip-acl)#

ipv6 access-group in

To bind an IPv6-based ACL to an interface, use the ipv6 access-group in Interface

Configuration mode command.

To remove all IPv6-based ACLs from an interface, use the no form of this

command.

Syntax

ipv6 access-group

acl-name

no ipv6 access-group in

Parameters

•

acl-name

—Name of the IPv6-based ACL. (Range: 1 to 32 characters)

Default Configuration

No IPv6-based ACL is applied to the interface.

Command Mode

Interface Configuration (Ethernet) mode

Example

switchxxxxxx(config)# interface gi11

switchxxxxxx(config-if)# ipv6 access-group v6acl1 in

ACL Commands

ipv6 access-list

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 76

ipv6 access-list

To define an IPv6-based ACL and to enter the IPv6 Access-List Configuration

mode, use the ipv6 access-list Global Configuration mode command.

To remove an IPv6-based ACL, use the no form of this command.

Syntax

ipv6 access-list

acl-name

no ipv6 access-list

acl-name

Parameters

•

acl-name

—Name of the IPv6-based ACL. (Range: 1 to 32 characters)

Default Configuration

No IPv6-based ACL is defined.

Command Mode

Global Configuration mode

User Guidelines

The IPv6-based ACEs for this IPv6-based ACL are defined in the permit (IPv6) and

deny (IPv6) commands.

An IPv6-based ACL is defined by a unique name. IPv4-based ACL, IPv6-based

ACL, MAC-based ACL, or policy map cannot have the same name.

Each IPv6-based ACL has implicit permit icmp any any nd-ns any, permit icmp any

any nd-na any, and deny ipv6 any any statements as its last match conditions. (The

former two match conditions allow for ICMPv6 neighbor discovery.)

The IPv6 neighbor discovery process uses the IPv6 network layer service,

therefore, by default, IPv6-based ACLs implicitly allow IPv6 neighbor discovery

packets to be sent and received on an interface. In IPv4, the Address Resolution

Protocol (ARP), which is equivalent to the IPv6 neighbor discovery process, uses a

separate data link layer protocol; therefore, by default, IPv4-based ACLs implicitly

allow ARP packets to be sent and received on an interface.

Example

switchxxxxxx(config)# ipv6 access-list test

ACL Commands

mac access-group in

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 77

switchxxxxxx(config-ipv6-acl)#

mac access-group in

To bind a MAC-based ACL to an interface, use the mac access-group in Interface

Configuration mode command.

To remove all MAC-based ACLs from an interface, use the no form of this

command.

Syntax

mac access-group

acl-name

no mac access-group in

Parameters

•

acl-name

—Name of the MAC-based ACL. (Range: 1 to 32 characters)

Default Configuration

No MAC-based ACL is applied to the interface.

Command Mode

Interface Configuration (Ethernet) mode

Example

witchxxxxxx(config)# interface gi11

witchxxxxxx(config-if)# mac access-group macac11 in

mac access-list extended

To define a Layer 2 ACL based on source MAC address filtering and to enter the

MAC Access-List Configuration mode, use the mac access-list extended Global

Configuration mode command.

To remove a MAC-based ACL, use the no form of this command.

ACL Commands

no sequence

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 78

Syntax

mac access-list extended

acl-nam

no mac access-list extended

acl-name

Parameters

•

acl-name

—Name of the MAC-based ACL. (Range: 1 to 32 characters)

Default Configuration

No MAC-based ACL is defined.

Command Mode

Global Configuration mode

User Guidelines

The MAC-based ACEs for this MAC-based ACL are defined in the permit (MAC)

and deny (MAC) commands.

A MAC-based ACL is defined by a unique name. IPv4-based ACL, IPv6-based

ACL, MAC-based ACL, or policy map cannot have the same name.

Example

switchxxxxxx(config)# mac access-list extended server1

switchxxxxxx(config-mac-acl)# permit 00:00:00:00:00:01 00:00:00:00:00:ff any

no sequence

To remove a permit or deny ACE for an IPv4-based ACL, an IPv6-based ACL, or a

MAC-based ACL, use the no sequence command in the IP Access-List

Configuration mode, in the IPv6 Access-List Configuration mode, or in the MAC

Access-List Configuration mode.

Syntax

no sequence

value

ACL Commands

permit (IP)

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 79

Parameters

•

value

—Sequence name of the ACL. The acceptable range is from 1 to

2147483547.

Command Mode

IP Access-List Configuration mode, IPv6 Access-List Configuration mode, and

MAC Access-List Configuration mode

Example

switchxxxxxx(config)# mac access-list extended macac11

switchxxxxxx(config-mac-acl)# show access-list

MAC access list macac11

....sequence 1 permit any any

switchxxxxxx(config-mac-acl)# no sequence 1

permit (IP)

To set permit conditions for an IPv4-based ACL, use the permit IP Access-List

Configuration mode command.

To remove an IPv4-based ACE, use the no sequence command.

Syntax

[sequence

value

] permit

protocol

{any |

source source-wildcard

} {any

destination

destination-wildcard

} [dscp

number

| precedence

number

]

[sequence

value

] permit

icmp

{any

source source-wildcard

} {any |

destination

destination-wildcard

} [any

icmp-type

] [any

icmp-code

] [dscp

number

precedence

number

]

[sequence

value

] permit

tcp

{any |

source source-wildcard

} {any |

source-port/

port-range

} {any |

destination destination-wildcard

} {any |

destination-port

port-

range

} [dscp

number

| precedence

number

] [match-all

list-of-flags

]

[sequence

value

] permit

udp

{any

source source-wildcard

} {any |

source-port/

port-range

} {any

destination destination-wildcard

} {any |

destination-port

port-

range

} [dscp

number

| precedence

number

]

no sequence

value

ACL Commands

permit (IP)

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 80

Parameters

• sequence

value

—(Optional) Specifies the sequence number for the IPv4-

based ACL. The acceptable range is from 1 to 2147483547. If not specified,

the switch provides a number starting from 1 in ascending order.

•

protocol

—The name or the number of an IP protocol. Available protocol

names are icmp, ip, tcp, egp, igp, udp, hmp, rdp, idpr, ipv6, ipv6:rout,

ipv6:frag, idrp, rsvp, gre, esp, ah, ipv6:icmp, eigrp, ospf, ipinip, pim, l2tp, and

isis. To match any protocol, use the IP keyword. (Range: 0 to 255)

•

source

—Source IP address of the packet.

•

source-wildcard

—Wildcard bits to be applied to the source IP address.

•

source-port/port-range

—(Optional) The UDP or TCP source port.

Predefined port names are defined in the

destination-port/port-range

parameter. (Range: 0 to 65535)

•

destination

—Destination IP address of the packet.

•

destination-wildcard

—Wildcard bits to be applied to the destination IP

address.

•

destination-port/port-range

—(Optional) The UDP or TCP destination port.

You can enter a range of ports by using hyphen such as 20 - 21. For TCP

enter a number or one of these values: bgp (179), chargen (19), daytime (13),

discard (9), domain (53), drip (3949), echo (7), finger (79), ftp (21), ftp-data

(20), gopher (70), hostname (42), irc (194), klogin (543), kshell (544), lpd

(515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (1110, syslog

(514), tacacs-ds (49), talk (517), telnet (23), time (35), uucp (117), whois (43),

www (80). For UDP enter a number or one of the following values: biff (512),

bootpc (68), bootps (67), discard (9), dnsix (90), domain (53), echo (7),

mobile-ip (434), nameserver (42), netbios-dgm (138), netbios-ns (135),

on500-isakmp (4500), ntp (123), rip (520), snmp (161), snmptrap (162),

sunrpc (111), syslog (514), tacacs-ds (49), talk (517), tftp (69), time (35), who

(513), or xdmcp (177). (Range: 0 to 65535)

• dscp

number

—(Optional) Specifies the DSCP value.

• precedence

number

—(Optional) Specifies the IP precedence value.

•

icmp-type

—(Optional) The ICMP message type for filtering ICMP packets.

Enter a number or one of these values: echo-reply, destination-unreachable,

source-quench, redirect, alternate-host-address, echo-request, router-

advertisement, router-solicitation, time-exceeded, parameter-problem,

timestamp, timestamp-reply, information-request, information-reply,

ACL Commands

permit (IP)

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 81

address-mask-request, address-mask-reply, traceroute, datagram-

conversion-error, mobile-host-redirect, mobile-registration-request, mobile-

registration-reply, domain-name-request, domain-name-reply, skip, or

photuris. (Range: 0 to 255)

•

icmp-code

—(Optional) The ICMP message code for filtering ICMP packets.

(Range: 0 to 255)

• match-all

list-of-flags

—(Optional) Specifies a list of TCP flags that should

occur. If a flag should be set, it is prefixed by “+”. If a flag should be unset, it

is prefixed by “-”. Available options are +urg, +ack, +psh, +rst, +syn, +fin, -

urg, -ack, -psh, -rst, -syn, and -fin. The flags are concatenated to one string,

such as +fin-ack.

Default Configuration

No IPv4-based ACE is defined.

Command Mode

IP Access-List Configuration mode

User Guidelines

After an ACE is added to an ACL, an implicit deny any any condition exists at the

end of the list. That is, if there are no matches, the packets are denied. However,

before the first ACE is added, the list permits all packets up to #ASIC-specific

ranges for TCP and up to #ASIC-specific ranges for UDP.

If a range of ports is used for a source port in an ACE, it is not counted again if it is

also used for a source port in another ACE.

If a range of ports is used for a destination port in an ACE, it is not counted again if

it is also used for a destination port in another ACE.

If a range of ports is used for a source port, it is counted again if it is also used for a

destination port.

Example

switchxxxxxx(config)# ip access-list extended server

switchxxxxxx(config-ip-acl)# permit ip 176.212.0.0 0.0.255.255 any

ACL Commands

permit (IPv6)

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 82

permit (IPv6)

To set permit conditions for an IPv6-based ACL, use the permit command in the

IPv6 Access-List Configuration mode.

To remove an IPv6-based ACE, use the no sequence command.

Syntax

[sequence

value

] permit

protocol

{any |

source-prefix/length

} {any |

destination-

prefix/length

} [dscp

number

| precedence

number

]

[sequence

value

] permit

icmp

{any | {

source-prefix/length

} {any |

destination-

prefix/length

} {any |

icmp-type

} {any |

icmp-code

} [dscp

number

precedence

number

]

[sequence

value

] permit

tcp

{any |

source-prefix/length

} {any |

source-port/port-

range

} {any |

destination- prefix/length

} {any |

destination-port

port-range

} [dscp

number

| precedence

number

] [match-all

list-of-flags

]

[sequence

value

] permit

udp

{any |

source-prefix/length

} {any |

source-port/port-

range

} {any |

destination- prefix/length

} {any |

destination-port/port-range

} [dscp

numbe

precedence

number

]

no sequence

value

Parameters

• sequence

value

—(Optional) The sequence number for the IPv6-based ACL.

The acceptable range is from 1 to 2147483547. If not specified, the switch

provides a number starting from 1 in ascending order.

•

protocol

—The name or the number of an IP protocol. Available protocol

names are icmp (58), tcp (6), and udp (17). To match any protocol, use the

ipv6 keyword. (Range: 0 to 255)

•

source-prefix/length

—The source IPv6 network or class of networks about

which to set permit conditions. This argument must be in the form

documented in RFC 3513 where the address is specified in hexadecimal

using 16-bit values between colons.

•

source-port/port-range

—The UDP or TCP source port. Predefined port

names are defined in the

destination-port/port-range

parameter. (Range: 0

to 65535)

•

destination-prefix/length

—The destination IPv6 network or class of

networks about which to set permit conditions. This argument must be in

ACL Commands

permit (IPv6)

Cisco 220 Series Smart Plus Switches Command Line Interface Reference Guide Release 1.0.0.x 83

the form documented in RFC 3513 where the address is specified in