Address Table Commands

bridge multicast filtering

To enable the filtering of Multicast addresses, use the bridge multicast filtering Global Configuration mode command. To disable Multicast address filtering, use the no form of this command.

Syntax

bridge multicast filtering

no bridge multicast filtering

Parameters

This command has no arguments or keywords.

Default Configuration

Multicast address filtering is disabled. All Multicast addresses are flooded to all ports.

Command Mode

Global Configuration mode

User Guidelines

When this feature is enabled, unregistered Multicast traffic (as opposed to registered) will still be flooded.

All registered Multicast addresses will be forwarded to the Multicast groups. There are two ways to manage Multicast groups: the IGMP Snooping feature and the bridge multicast forward-all command.

Example

The following example enables bridge Multicast filtering.

switchxxxxxx(config)# bridge multicast filtering

bridge multicast mode

To configure the Multicast bridging mode, use the bridge multicast mode Interface (VLAN) Configuration mode command. To return to the default configuration, use the no form of this command.

Syntax

bridge multicast mode {mac-group | ipv4-group | ipv4-src-group}

no bridge multicast mode

Parameters

  • mac-group—Specifies that Multicast bridging is based on the packet's VLAN and MAC address.

  • ipv4-group—Specifies that Multicast bridging is based on the packet's VLAN and MAC address for non-IPv4 packets, and on the packet's VLAN and IPv4 destination address for IPv4 packets.

  • ipv4-src-group—Specifies that Multicast bridging is based on the packet's VLAN and MAC address for non-IPv4 packets, and on the packet's VLAN, IPv4 destination address and IPv4 source address for IPv4 packets.

Default Configuration

The default mode is mac-group.

Command Mode

Interface (VLAN) Configuration mode

User Guidelines

Use the mac-group option when using a network management system that uses a MIB based on the Multicast MAC address. Otherwise, it is recommended to use the ipv4 mode, because there is no overlapping of IPv4 Multicast addresses in these modes.

The following table describes the actual data that is written to the Forwarding Data Base (FDB) as a function of the IGMP version that is used in the network:

FDB mode          IGMP version 2       IGMP version 3
----------------  -------------------  -----------------------------
mac-group         MAC group address    MAC group address
ipv4-group        IP group address     IP group address
ipv4-src-group    (*)                  IP source and group addresses

(*) Note that (*,G) cannot be written to the FDB if the mode is ipv4-src-group. In that case, no new FDB entry is created, but the port is added to the static (S,G) entries (if they exist) that belong to the requested group. It is recommended to set the FDB mode to ipv4-group or mac-group for IGMP version 2.

If an application on the device requests (*,G), the operating FDB mode is changed to ipv4-group.

Example

The following example configures the Multicast bridging mode as mac-group on VLAN 2.

switchxxxxxx(config)#  interface vlan 2
switchxxxxxx(config-if)#  bridge multicast mode mac-group
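
The overlap mentioned in the User Guidelines comes from the standard IPv4-to-MAC mapping (01:00:5e followed by the low 23 bits of the group address), under which 32 IPv4 groups share each Multicast MAC. The following Python sketch is an added example, not part of the original command reference; the function names and the tuple layout used for FDB keys are assumptions made for illustration. It shows that a mac-group entry such as 01:00:5e:02:02:03 covers 32 IPv4 groups, while ipv4-group keys stay distinct.

```python
import ipaddress
from collections import defaultdict

IPV4_MCAST_OUI = 0x01005E  # fixed high 24 bits of every IPv4 multicast MAC


def ipv4_group_to_mac(group):
    """Map an IPv4 multicast group to its MAC: 01:00:5e + low 23 bits."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    mac = (IPV4_MCAST_OUI << 24) | (int(addr) & 0x7FFFFF)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -8, -8))


def groups_sharing_mac(mac):
    """Return the 32 IPv4 groups that map to one 01:00:5e multicast MAC."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6 or octets[:3] != b"\x01\x00\x5e" or octets[3] & 0x80:
        raise ValueError(f"{mac} is not an IPv4 multicast MAC address")
    low23 = int.from_bytes(octets[3:], "big")
    # Five group-address bits (bits 23..27) are lost in the mapping.
    return [
        str(ipaddress.IPv4Address((0b1110 << 28) | (hi5 << 23) | low23))
        for hi5 in range(32)
    ]


def fdb_key(mode, vlan, group, source=None):
    """Illustrative FDB key per bridging mode (tuple layout is an assumption)."""
    group = str(ipaddress.IPv4Address(group))
    if mode == "mac-group":
        return (vlan, ipv4_group_to_mac(group))
    if mode == "ipv4-group":
        return (vlan, group)
    if mode == "ipv4-src-group":
        if source is None:
            return None  # (*,G) cannot be written to the FDB in this mode
        return (vlan, str(ipaddress.IPv4Address(source)), group)
    raise ValueError(f"unknown mode {mode!r}")


def overlapping_groups(mode, vlan, groups):
    """Return FDB keys shared by more than one group in the given mode."""
    buckets = defaultdict(list)
    for group in groups:
        buckets[fdb_key(mode, vlan, group)].append(group)
    return {key: members for key, members in buckets.items() if len(members) > 1}


if __name__ == "__main__":
    peers = groups_sharing_mac("01:00:5e:02:02:03")  # MAC from the page's examples
    print(len(peers), "groups share this MAC, from", peers[0], "to", peers[-1])
    print("mac-group overlaps:", len(overlapping_groups("mac-group", 8, peers)))
    print("ipv4-group overlaps:", len(overlapping_groups("ipv4-group", 8, peers)))
```

When reviewing static or forbidden entries on a VLAN that runs in mac-group mode, treat each MAC entry as applying to every group returned by groups_sharing_mac, not only to the group the entry was created for.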

bridge multicast address

To register a MAC-layer Multicast address in the bridge table and statically add or remove ports to or from the group, use the bridge multicast address Interface (VLAN) Configuration mode command. To unregister the MAC address, use the no form of this command.

Syntax

bridge multicast address {mac-multicast-address | ipv4-multicast-address} [{add | remove} {ethernet interface-list | port-channel port-channel-list}]

no bridge multicast address mac-multicast-address

Parameters

  • mac-multicast-address | ipv4-multicast-address—Specifies the group Multicast address.

  • add—(Optional) Adds ports to the group.

  • remove—(Optional) Removes ports from the group.

  • ethernet interface-list—(Optional) Specifies a list of Ethernet ports. Separate nonconsecutive Ethernet ports with a comma and no spaces. Use a hyphen to designate a range of ports.

  • port-channel port-channel-list—(Optional) Specifies a list of port channels. Separate nonconsecutive port-channels with a comma and no spaces; use a hyphen to designate a range of port channels.

Default Configuration

No Multicast addresses are defined.

If ethernet interface-list or port-channel port-channel-list is specified without specifying add or remove, the default option is add.

Command Mode

Interface (VLAN) Configuration mode

User Guidelines

To register the group in the bridge database without adding or removing ports or port channels, specify the mac-multicast-address parameter only.

Static Multicast addresses can be defined on static VLANs only. You can execute the command before the VLAN is created.

Examples

Example 1 - The following example registers the MAC address to the bridge table:

switchxxxxxx(config)#  interface vlan 8
switchxxxxxx(config-if)#  bridge multicast address 01:00:5e:02:02:03

Example 2 - The following example registers the MAC address and adds ports statically.

switchxxxxxx(config)#  interface vlan 8
switchxxxxxx(config-if)#  bridge multicast address 01:00:5e:02:02:03 add gi1/0/1-2

bridge multicast forbidden address

To forbid adding or removing a specific Multicast address to or from specific ports, use the bridge multicast forbidden address Interface (VLAN) Configuration mode command. To restore the default configuration, use the no form of this command.

Syntax

bridge multicast forbidden address {mac-multicast-address | ipv4-multicast-address} {add | remove} {ethernet interface-list | port-channel port-channel-list}

no bridge multicast forbidden address mac-multicast-address

Parameters

  • mac-multicast-address | ipv4-multicast-address—Specifies the group Multicast address.

  • add—Forbids adding ports to the group.

  • remove—Forbids removing ports from the group.

  • ethernet interface-list—Specifies a list of Ethernet ports. Separate nonconsecutive Ethernet ports with a comma and no spaces. Use a hyphen to designate a range of ports.

  • port-channel port-channel-list—Specifies a list of port channels. Separate nonconsecutive port-channels with a comma and no spaces. Use a hyphen to designate a range of port channels.

Default Configuration

No forbidden addresses are defined.

Default option is add.

Command Mode

Interface (VLAN) Configuration mode

User Guidelines

Before defining forbidden ports, the Multicast group should be registered, using bridge multicast address.

You can execute the command before the VLAN is created.

Example

The following example forbids MAC address 0100.5e02.0203 on port gi1/0/4 within VLAN 8.

switchxxxxxx(config)#  interface vlan 8
switchxxxxxx(config-if)#  bridge multicast address 0100.5e02.0203
switchxxxxxx(config-if)#  bridge multicast forbidden address 0100.5e02.0203 add gi1/0/4

bridge multicast ip-address

To register IP-layer Multicast addresses to the bridge table, and statically add or remove ports to or from the group, use the bridge multicast ip-address Interface (VLAN) Configuration mode command. To unregister the IP address, use the no form of this command.

Syntax

bridge multicast ip-address ip-multicast-address [[add | remove] {interface-list | port-channel port-channel-list}]

no bridge multicast ip-address ip-multicast-address

Parameters

  • ip-multicast-address—Specifies the group IP Multicast address.

  • add—(Optional) Adds ports to the group.

  • remove—(Optional) Removes ports from the group.

  • interface-list—(Optional) Specifies a list of Ethernet ports. Separate nonconsecutive Ethernet ports with a comma and no spaces. Use a hyphen to designate a range of ports.

  • port-channel port-channel-list—(Optional) Specifies a list of port channels. Separate nonconsecutive port-channels with a comma and no spaces. Use a hyphen to designate a range of port channels.

Default Configuration

No Multicast addresses are defined.

Default option is add.

Command Mode

Interface (VLAN) Configuration mode

User Guidelines

To register the group in the bridge database without adding or removing ports or port channels, specify the ip-multicast-address parameter only.

Static Multicast addresses can be defined on static VLANs only.

You can execute the command before the VLAN is created.

Example

The following example registers the specified IP address to the bridge table:

switchxxxxxx(config)#  interface vlan 8
switchxxxxxx(config-if)#  bridge multicast ip-address 239.2.2.2

The following example registers the IP address and adds ports statically.

switchxxxxxx(config)#  interface vlan 8
switchxxxxxx(config-if)#  bridge multicast ip-address 239.2.2.2 add gi1/0/4

bridge multicast forbidden ip-address

To forbid adding or removing a specific IP Multicast address to or from specific ports, use the bridge multicast forbidden ip-address Interface (VLAN) Configuration mode command. To restore the default configuration, use the no form of this command.

Syntax

bridge multicast forbidden ip-address {ip-multicast-address} {add | remove} {ethernet interface-list | port-channel port-channel-list}

no bridge multicast forbidden ip-address ip-multicast-address

Parameters

  • ip-multicast-address—Specifies the group IP Multicast address.

  • add—(Optional) Forbids adding ports to the group.

  • remove—(Optional) Forbids removing ports from the group.

  • ethernet interface-list—(Optional) Specifies a list of Ethernet ports. Separate nonconsecutive Ethernet ports with a comma and no spaces. Use a hyphen to designate a range of ports.

  • port-channel port-channel-list—(Optional) Specifies a list of port channels. Separate nonconsecutive port-channels with a comma and no spaces. Use a hyphen to designate a range of port channels.

Default Configuration

No forbidden addresses are defined.

Command Mode

Interface (VLAN) Configuration mode

User Guidelines

Before defining forbidden ports, the Multicast group should be registered.

You can execute the command before the VLAN is created.

Example

The following example registers IP address 239.2.2.2, and forbids the IP address on port gi1/0/4 within VLAN 8.

switchxxxxxx(config)#  interface vlan 8
switchxxxxxx(config-if)#  bridge multicast ip-address 239.2.2.2
switchxxxxxx(config-if)#  bridge multicast forbidden ip-address 239.2.2.2 add gi1/0/4

bridge multicast source group

To register a source IP address - Multicast IP address pair to the bridge table, and statically add or remove ports to or from the source-group, use the bridge multicast source group Interface (VLAN) Configuration mode command. To unregister the source-group-pair, use the no form of this command.

Syntax

bridge multicast source ip-address group ip-multicast-address [[add | remove] {ethernet interface-list | port-channel port-channel-list}]

no bridge multicast source ip-address group ip-multicast-address

Parameters

  • ip-address—Specifies the source IP address.

  • ip-multicast-address—Specifies the group IP Multicast address.

  • add—(Optional) Adds ports to the group for the specific source IP address.

  • remove—(Optional) Removes ports from the group for the specific source IP address.

  • ethernet interface-list—(Optional) Specifies a list of Ethernet ports. Separate nonconsecutive Ethernet ports with a comma and no spaces. Use a hyphen to designate a range of ports.

  • port-channel port-channel-list—(Optional) Specifies a list of port channels. Separate nonconsecutive port-channels with a comma and no spaces; use a hyphen to designate a range of port channels.

Default Configuration

No Multicast addresses are defined.

The default option is add.

Command Mode

Interface (VLAN) Configuration mode

User Guidelines

You can execute the command before the VLAN is created.

Example

The following example registers a source IP address - Multicast IP address pair to the bridge table:

switchxxxxxx(config)#  interface vlan 8
switchxxxxxx(config-if)#  bridge multicast source 13.16.1.1 group 239.2.2.2

bridge multicast forbidden source group

To forbid adding or removing a specific IP source address - Multicast address pair to or from specific ports, use the bridge multicast forbidden source group Interface (VLAN) Configuration mode command. To return to the default configuration, use the no form of this command.

Syntax

bridge multicast forbidden source ip-address group ip-multicast-address {add | remove} {ethernet interface-list | port-channel port-channel-list}

no bridge multicast forbidden source ip-address group ip-multicast-address

Parameters

  • ip-address—Specifies the source IP address.

  • ip-multicast-address—Specifies the group IP Multicast address.

  • add—(Optional) Forbids adding ports to the group for the specific source IP address.

  • remove—(Optional) Forbids removing ports from the group for the specific source IP address.

  • ethernet interface-list—(Optional) Specifies a list of Ethernet ports. Separate nonconsecutive Ethernet ports with a comma and no spaces. Use a hyphen to designate a range of ports.

  • port-channel port-channel-list—(Optional) Specifies a list of port channels. Separate nonconsecutive port-channels with a comma and no spaces; use a hyphen to designate a range of port channels.

Default Configuration

No forbidden addresses are defined.

Command Mode

Interface (VLAN) Configuration mode

User Guidelines

Before defining forbidden ports, the Multicast group should be registered.

You can execute the command before the VLAN is created.

Example

The following example registers a source IP address - Multicast IP address pair to the bridge table, and forbids adding the pair to port gi1/0/4 on VLAN 8:

switchxxxxxx(config)#  interface vlan 8
switchxxxxxx(config-if)#  bridge multicast source 13.16.1.1 group 239.2.2.2
switchxxxxxx(config-if)#  bridge multicast forbidden source 13.16.1.1 group 239.2.2.2 add gi1/0/4

bridge multicast ipv6 mode

To configure the Multicast bridging mode for IPv6 Multicast packets, use the bridge multicast ipv6 mode Interface (VLAN) Configuration mode command. To return to the default configuration, use the no form of this command.

Syntax

bridge multicast ipv6 mode {mac-group | ip-group | ip-src-group}

no bridge multicast ipv6 mode

Parameters

  • mac-group—Specifies that Multicast bridging is based on the packet's VLAN and MAC destination address.

  • ip-group—Specifies that Multicast bridging is based on the packet's VLAN and IPv6 destination address for IPv6 packets.

  • ip-src-group—Specifies that Multicast bridging is based on the packet's VLAN, IPv6 destination address and IPv6 source address for IPv6 packets.

Default Configuration

The default mode is mac-group.

Command Mode

Interface (VLAN) Configuration mode

User Guidelines

Use the mac-group mode when using a network management system that uses a MIB based on the Multicast MAC address.

The following table describes the actual data that is written to the Forwarding Data Base (FDB) as a function of the MLD version that is used in the network:

FDB mode          MLD version 1         MLD version 2
----------------  --------------------  -------------------------------
mac-group         MAC group address     MAC group address
ipv6-group        IPv6 group address    IPv6 group address
ipv6-src-group    (*)                   IPv6 source and group addresses

(*) In ip-src-group mode, a match is performed on 4 bytes of the multicast address and 4 bytes of the source address. In the group address, the last 4 bytes of the address are checked for a match. In the source address, the last 3 bytes and the 5th-from-last byte of the interface ID are examined.

(*) Note that (*,G) cannot be written to the FDB if the mode is ip-src-group. In that case, no new FDB entry is created, but the port is added to the (S,G) entries (if they exist) that belong to the requested group.

If an application on the device requests (*,G), the operating FDB mode is changed to ip-group.

You can execute the command before the VLAN is created.

Example

The following example configures the Multicast bridging mode as ip-group on VLAN 2.

switchxxxxxx(config)#  interface vlan 2
switchxxxxxx(config-if)#  bridge multicast ipv6 mode ip-group

bridge multicast ipv6 ip-address

To register an IPv6 Multicast address to the bridge table, and statically add or remove ports to or from the group, use the bridge multicast ipv6 ip-address Interface (VLAN) Configuration mode command. To unregister the IPv6 address, use the no form of this command.

Syntax

bridge multicast ipv6 ip-address ipv6-multicast-address [[add | remove] {ethernet interface-list | port-channel port-channel-list}]

no bridge multicast ipv6 ip-address ipv6-multicast-address

Parameters

  • ipv6-multicast-address—Specifies the group IPv6 multicast address.

  • add—(Optional) Adds ports to the group.

  • remove—(Optional) Removes ports from the group.

  • ethernet interface-list—(Optional) Specifies a list of Ethernet ports. Separate nonconsecutive Ethernet ports with a comma and no spaces; use a hyphen to designate a range of ports.

  • port-channel port-channel-list—(Optional) Specifies a list of port channels. Separate nonconsecutive port-channels with a comma and no spaces. Use a hyphen to designate a range of port channels.

Default Configuration

No Multicast addresses are defined.

The default option is add.

Command Mode

Interface (VLAN) Configuration mode

User Guidelines

To register the group in the bridge database without adding or removing ports or port channels, specify the ipv6-multicast-address parameter only.

Static Multicast addresses can be defined on static VLANs only. You can execute the command before the VLAN is created.

Examples

Example 1 - The following example registers the IPv6 address to the bridge table:

switchxxxxxx(config)#  interface vlan 8
switchxxxxxx(config-if)#  bridge multicast ipv6 ip-address FF00:0:0:0:4:4:4:1

Example 2 - The following example registers the IPv6 address and adds ports statically.

switchxxxxxx(config)#  interface vlan 8
switchxxxxxx(config-if)#  bridge multicast ipv6 ip-address FF00:0:0:0:4:4:4:1 add gi1/0/1-2

bridge multicast ipv6 forbidden ip-address

To forbid adding or removing a specific IPv6 Multicast address to or from specific ports, use the bridge multicast ipv6 forbidden ip-address Interface (VLAN) Configuration mode command. To restore the default configuration, use the no form of this command.

Syntax

bridge multicast ipv6 forbidden ip-address {ipv6-multicast-address} {add | remove} {ethernet interface-list | port-channel port-channel-list}

no bridge multicast ipv6 forbidden ip-address ipv6-multicast-address

Parameters

  • ipv6-multicast-address—Specifies the group IPv6 Multicast address.

  • add—(Optional) Forbids adding ports to the group.

  • remove—(Optional) Forbids removing ports from the group.

  • ethernet interface-list—(Optional) Specifies a list of Ethernet ports. Separate nonconsecutive Ethernet ports with a comma and no spaces. Use a hyphen to designate a range of ports.

  • port-channel port-channel-list—(Optional) Specifies a list of port channels. Separate nonconsecutive port-channels with a comma and no spaces. Use a hyphen to designate a range of port channels.

Default Configuration

No forbidden addresses are defined.

The default option is add.

Command Mode

Interface (VLAN) Configuration mode

User Guidelines

Before defining forbidden ports, the Multicast group should be registered.

You can execute the command before the VLAN is created.

Example

The following example registers an IPv6 Multicast address, and forbids the IPv6 address on port gi1/0/4 within VLAN 8.

switchxxxxxx(config)#  interface vlan 8
switchxxxxxx(config-if)#  bridge multicast ipv6 ip-address FF00:0:0:0:4:4:4:1
switchxxxxxx(config-if)#  bridge multicast ipv6 forbidden ip-address FF00:0:0:0:4:4:4:1 add gi1/0/4

bridge multicast ipv6 source group

To register a source IPv6 address - Multicast IPv6 address pair to the bridge table, and statically add or remove ports to or from the source-group, use the bridge multicast ipv6 source group Interface (VLAN) Configuration mode command. To unregister the source-group-pair, use the no form of this command.

Syntax

bridge multicast ipv6 source ipv6-source-address group ipv6-multicast-address [[add | remove] {ethernet interface-list | port-channel port-channel-list}]

no bridge multicast ipv6 source ipv6-source-address group ipv6-multicast-address

Parameters

  • ipv6-source-address—Specifies the source IPv6 address.

  • ipv6-multicast-address—Specifies the group IPv6 Multicast address.

  • add—(Optional) Adds ports to the group for the specific source IPv6 address.

  • remove—(Optional) Removes ports from the group for the specific source IPv6 address.

  • ethernet interface-list—(Optional) Specifies a list of Ethernet ports. Separate nonconsecutive Ethernet ports with a comma and no spaces. Use a hyphen to designate a range of ports.

  • port-channel port-channel-list—(Optional) Specifies a list of port channels. Separate nonconsecutive port-channels with a comma and no spaces. Use a hyphen to designate a range of port channels.

Default Configuration

No Multicast addresses are defined.

The default option is add.

Command Mode

Interface (VLAN) Configuration mode

Example

The following example registers a source IPv6 address - Multicast IPv6 address pair to the bridge table:

switchxxxxxx(config)#  interface vlan 8
switchxxxxxx(config-if)#  bridge multicast ipv6 source 2001:0:0:0:4:4:4:1 group FF00:0:0:0:4:4:4:1

bridge multicast ipv6 forbidden source group

To forbid adding or removing a specific IPv6 source address - Multicast address pair to or from specific ports, use the bridge multicast ipv6 forbidden source group Interface (VLAN) Configuration mode command. To return to the default configuration, use the no form of this command.

Syntax

bridge multicast ipv6 forbidden source ipv6-source-address group ipv6-multicast-address {add | remove} {ethernet interface-list | port-channel port-channel-list}

no bridge multicast ipv6 forbidden source ipv6-source-address group ipv6-multicast-address

Parameters

  • ipv6-source-address—Specifies the source IPv6 address.

  • ipv6-multicast-address—Specifies the group IPv6 Multicast address.

  • add—Forbids adding ports to the group for the specific source IPv6 address.

  • remove—Forbids removing ports from the group for the specific source IPv6 address.

  • ethernet interface-list—Specifies a list of Ethernet ports. Separate nonconsecutive Ethernet ports with a comma and no spaces. Use a hyphen to designate a range of ports.

  • port-channel port-channel-list—Specifies a list of port channels. Separate nonconsecutive port-channels with a comma and no spaces; use a hyphen to designate a range of port channels.

Default Configuration

No forbidden addresses are defined.

Command Mode

Interface (VLAN) Configuration mode

User Guidelines

Before defining forbidden ports, the Multicast group should be registered.

You can execute the command before the VLAN is created.

Example

The following example registers a source IPv6 address - Multicast IPv6 address pair to the bridge table, and forbids adding the pair to gi1/0/4 on VLAN 8:

switchxxxxxx(config)#  interface vlan 8
switchxxxxxx(config-if)#  bridge multicast ipv6 source 2001:0:0:0:4:4:4:1 group FF00:0:0:0:4:4:4:1
switchxxxxxx(config-if)#  bridge multicast ipv6 forbidden source 2001:0:0:0:4:4:4:1 group FF00:0:0:0:4:4:4:1 add gi1/0/4

bridge multicast unregistered

To configure forwarding unregistered Multicast addresses, use the bridge multicast unregistered Interface (Ethernet, Port Channel) Configuration mode command. To restore the default configuration, use the no form of this command.

Syntax

bridge multicast unregistered {forwarding | filtering}

no bridge multicast unregistered

Parameters

  • forwarding—Forwards unregistered Multicast packets.

  • filtering—Filters unregistered Multicast packets.

Default Configuration

Unregistered Multicast addresses are forwarded.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

Do not enable unregistered Multicast filtering on ports that are connected to routers, because the 224.0.0.x address range should not be filtered. Note that routers do not necessarily send IGMP reports for the 224.0.0.x range.

You can execute the command before the VLAN is created.

Example

The following example specifies that unregistered Multicast packets are filtered on gi1/0/1:

switchxxxxxx(config)#  interface gi1/0/1
switchxxxxxx(config-if)#  bridge multicast unregistered filtering

bridge multicast forward-all

To enable forwarding all multicast packets for a range of ports or port channels, use the bridge multicast forward-all Interface (VLAN) Configuration mode command. To restore the default configuration, use the no form of this command.

Syntax

bridge multicast forward-all {add | remove} {ethernet interface-list | port-channel port-channel-list}

no bridge multicast forward-all

Parameters

  • add—Forces forwarding of all Multicast packets.

  • remove—Does not force forwarding of all Multicast packets.

  • ethernet interface-list—Specifies a list of Ethernet ports. Separate nonconsecutive Ethernet ports with a comma and no spaces. Use a hyphen to designate a range of ports.

  • port-channel port-channel-list—Specifies a list of port channels. Separate nonconsecutive port-channels with a comma and no spaces. Use a hyphen to designate a range of port channels.

Default Configuration

Forwarding of all Multicast packets is disabled.

Command Mode

Interface (VLAN) Configuration mode

Example

The following example enables all Multicast packets on port gi1/0/4 to be forwarded.

switchxxxxxx(config)#  interface vlan 2
switchxxxxxx(config-if)#  bridge multicast forward-all add gi1/0/4

bridge multicast forbidden forward-all

To forbid a port to dynamically join Multicast groups, use the bridge multicast forbidden forward-all Interface (VLAN) Configuration mode command. To restore the default configuration, use the no form of this command.

Syntax

bridge multicast forbidden forward-all {add | remove} {ethernet interface-list | port-channel port-channel-list}

no bridge multicast forbidden forward-all

Parameters

  • add—Forbids forwarding of all Multicast packets.

  • remove—Does not forbid forwarding of all Multicast packets.

  • ethernet interface-list—Specifies a list of Ethernet ports. Separate nonconsecutive Ethernet ports with a comma and no spaces. Use a hyphen to designate a range of ports.

  • port-channel port-channel-list—Specifies a list of port channels. Separate nonconsecutive port-channels with a comma and no spaces; use a hyphen to designate a range of port channels.

Default Configuration

Ports are not forbidden to dynamically join Multicast groups.

The default option is add.

Command Mode

Interface (VLAN) Configuration mode

User Guidelines

Use this command to forbid a port to dynamically join (by IGMP, for example) a Multicast group.

The port can still be a Multicast router port.

Example

The following example forbids forwarding of all Multicast packets to gi1/0/1 within VLAN 2.

switchxxxxxx(config)#  interface vlan 2
switchxxxxxx(config-if)#  bridge multicast forbidden forward-all add ethernet gi1/0/1

bridge unicast unknown

To enable egress filtering of Unicast packets where the destination MAC address is unknown to the device, use the bridge unicast unknown Interface (Ethernet, Port Channel) Configuration mode command. To restore the default configuration, use the no form of this command.

Syntax

bridge unicast unknown {filtering | forwarding}

no bridge unicast unknown

Parameters

  • filtering—Filter unregistered Unicast packets.

  • forwarding—Forward unregistered Unicast packets.

Default Configuration

Forwarding.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode.

Example

The following example drops Unicast packets on gi1/0/1 when the destination is unknown.

switchxxxxxx(config)#  interface gi1/0/1
switchxxxxxx(config-if)#  bridge unicast unknown filtering

show bridge unicast unknown

To display the unknown Unicast filtering configuration, use the show bridge unicast unknown Privileged EXEC mode command.

Syntax

show bridge unicast unknown [interface-id]

Parameters

  • interface-id—(Optional) Specify an interface ID. The interface ID can be one of the following types: Ethernet port or port-channel.

Command Mode

Privileged EXEC mode

Example

Console # show bridge unicast unknown
Port      Unregistered
--------  ---------------------
gi1/0/1   Forward
gi1/0/2   Filter
gi1/0/3   Filter
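
Ports that forward unknown Unicast flood those frames, so this output is worth checking against the ports intended to filter. The following Python sketch is an added example, not part of the original command reference: it expands an interface list written in the comma-and-hyphen syntax used throughout this chapter and reports the listed ports that are not in Filter state. The function names, the idea of a "must filter" list, and the two-column layout of the sample output are assumptions.

```python
import re

# Constructed sample, modelled on the example output above.
SAMPLE_OUTPUT = """\
Console # show bridge unicast unknown
Port      Unregistered
--------  ---------------------
gi1/0/1   Forward
gi1/0/2   Filter
gi1/0/3   Filter
"""

# One list item: a port name ending in a number, optionally "-N" for a range.
ITEM_RE = re.compile(r"^(?P<prefix>.*?\D)(?P<first>\d+)(?:-(?P<last>\d+))?$")


def expand_interface_list(spec):
    """Expand e.g. 'gi1/0/1-2,gi1/0/4' into individual port names."""
    if not spec or any(ch.isspace() for ch in spec):
        raise ValueError("interface list must be non-empty and contain no spaces")
    ports = []
    for item in spec.split(","):
        match = ITEM_RE.match(item)
        if match is None:
            raise ValueError(f"cannot parse interface list item {item!r}")
        first = int(match["first"])
        last = int(match["last"]) if match["last"] else first
        if last < first:
            raise ValueError(f"descending range in {item!r}")
        ports.extend(f"{match['prefix']}{n}" for n in range(first, last + 1))
    return ports


def parse_unknown_unicast(output):
    """Return {port: 'Forward' | 'Filter'} from the show command output."""
    states = {}
    for line in output.splitlines():
        fields = line.split()
        # Header, separator and prompt lines do not end in a known state.
        if len(fields) == 2 and fields[1] in ("Forward", "Filter"):
            states[fields[0]] = fields[1]
    return states


def ports_not_filtering(output, required_spec):
    """List (port, state) for required ports that are not in Filter state.

    A port absent from the output is reported with the state 'missing'.
    """
    states = parse_unknown_unicast(output)
    return [
        (port, states.get(port, "missing"))
        for port in expand_interface_list(required_spec)
        if states.get(port) != "Filter"
    ]


if __name__ == "__main__":
    for port, state in ports_not_filtering(SAMPLE_OUTPUT, "gi1/0/1-3"):
        print(f"{port}: expected Filter, found {state}")
```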

mac address-table static

To add a MAC-layer station source address to the MAC address table, use the mac address-table static Global Configuration mode command. To delete the MAC address, use the no form of this command.

Syntax

mac address-table static mac-address vlan vlan-id interface interface-id [permanent | delete-on-reset | delete-on-timeout | secure]

no mac address-table static [mac-address] vlan vlan-id

Parameters

  • mac-address—MAC address (Range: Valid MAC address)

  • vlan-id—Specify the VLAN.

  • interface-id—Specify an interface ID. The interface ID can be one of the following types: Ethernet port or port-channel (Range: valid ethernet port, valid port-channel)

  • permanent—(Optional) The permanent static MAC address. This keyword is applied by default.

  • delete-on-reset—(Optional) The delete-on-reset static MAC address.

  • delete-on-timeout—(Optional) The delete-on-timeout static MAC address.

  • secure—(Optional) The secure MAC address. May be used only in a secure mode.

Default Configuration

No static addresses are defined. The default mode for an added address is permanent.

Command Mode

Global Configuration mode

User Guidelines

Use the command to add a static MAC address with a given time-to-live in any mode, or to add a secure MAC address in a secure mode.

Each MAC address in the MAC address table is assigned two attributes: type and time-to-live.

The following time-to-live values are supported:

  • permanent—MAC address is saved until it is removed manually.

  • delete-on-reset—MAC address is saved until the next reboot.

  • delete-on-timeout—MAC address that may be removed by the aging timer.

The following types are supported:

  • static—A MAC address manually added by the command with one of the following keywords specifying its time-to-live:

      • permanent

      • delete-on-reset

      • delete-on-timeout

    A static MAC address may be added in any port mode.

  • secure—A MAC address added manually or learned in a secure mode. Use the mac address-table static command with the secure keyword to add a secure MAC address. The MAC address cannot be relearned.

    A secure MAC address may be added only in a secure port mode.

  • dynamic—A MAC address learned by the switch in non-secure mode. The value of its time-to-live attribute is delete-on-timeout.

Examples

Example 1 - The following example adds two permanent static MAC addresses:

switchxxxxxx(config)# mac address-table static 00:3f:bd:45:5a:b1 vlan 1 interface gi1/0/1
switchxxxxxx(config)# mac address-table static 00:3f:bd:45:5a:b2 vlan 1 interface gi1/0/1 permanent

Example 2 - The following example adds a delete-on-reset static MAC address:

switchxxxxxx(config)# mac address-table static 00:3f:bd:45:5a:b2 vlan 1 interface gi1/0/1 delete-on-reset

Example 3 - The following example adds a delete-on-timeout static MAC address:

switchxxxxxx(config)# mac address-table static 00:3f:bd:45:5a:b2 vlan 1 interface gi1/0/1 delete-on-timeout

Example 4 - The following example adds a secure MAC address:

switchxxxxxx(config)# mac address-table static 00:3f:bd:45:5a:b2 vlan 1 interface  gi1/0/1 secure

clear mac address-table

To remove learned or secure entries from the forwarding database (FDB), use the clear mac address-table Privileged EXEC mode command.

Syntax

clear mac address-table dynamic interface interface-id

clear mac address-table secure interface interface-id

Parameters

  • dynamic interface interface-id—Delete all dynamic (learned) addresses on the specified interface. The interface ID can be one of the following types: Ethernet port or port-channel. If interface ID is not supplied, all dynamic addresses are deleted.

  • secure interface interface-id—Delete all the secure addresses learned on the specified interface. A secure address is a MAC address learned on a port on which port security is defined.

Default Configuration

For dynamic addresses, if interface-id is not supplied, all dynamic entries are deleted.

Command Mode

Privileged EXEC mode

Examples

Example 1 - Delete all dynamic entries from the FDB.

switchxxxxxx#  clear mac address-table dynamic

Example 2 - Delete all secure entries from the FDB learned on secure port gi1/0/1.

switchxxxxxx#  clear mac address-table secure interface gi1/0/1

mac address-table aging-time

To set the aging time of the address table, use the mac address-table aging-time Global configuration command. To restore the default, use the no form of this command.

Syntax

mac address-table aging-time seconds

no mac address-table aging-time

Parameters

seconds—Aging time, in seconds. (Range: 10-400)

Default Configuration

300

Command Mode

Global Configuration mode

Example

switchxxxxxx(config)#  mac address-table aging-time 600

port security

To enable port security learning mode on an interface, use the port security Interface (Ethernet, Port Channel) Configuration mode command. To disable port security learning mode on an interface, use the no form of this command.

Syntax

port security [forward | discard | discard-shutdown] [trap seconds]

no port security

Parameters

  • forward—(Optional) Forwards packets with unlearned source addresses, but does not learn the address.

  • discard—(Optional) Discards packets with unlearned source addresses.

  • discard-shutdown—(Optional) Discards packets with unlearned source addresses and shuts down the port.

  • trap seconds—(Optional) Sends SNMP traps and specifies the minimum time interval in seconds between consecutive traps. (Range: 1–1000000)

Default Configuration

The feature is disabled by default.

The default mode is discard.

The default number of seconds is zero, but if traps is entered, a number of seconds must also be entered.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

The command may be used only when the interface is in the regular (non-secure with unlimited MAC learning) mode.

Port Security cannot be enabled on an interface if 802.1X authentication is already active on the interface.

When the port security command enables the lock mode on a port, all dynamic addresses learned on the port are changed to permanent secure addresses.

When the port security command enables a mode other than the lock mode on a port, all dynamic addresses learned on the port are deleted.

When the no port security command cancels a secure mode on a port, all secure addresses defined on the port are changed to dynamic addresses.

In addition to setting a mode, use the port security command to set the action that the switch performs on a frame whose source MAC address cannot be learned.

Example

The following example forwards all packets to port gi1/0/1 without learning addresses of packets from unknown sources and sends traps every 100 seconds, if a packet with an unknown source address is received.

switchxxxxxx(config)# interface gi1/0/4
switchxxxxxx(config-if)# port security mode lock
switchxxxxxx(config-if)# port security forward trap 100
switchxxxxxx(config-if)# exit

port security mode

To configure the port security learning mode, use the port security mode Interface (Ethernet, Port Channel) Configuration mode command. To restore the default configuration, use the no form of this command.

Syntax

port security mode {max-addresses | lock | secure permanent | secure delete-on-reset}

no port security mode

Parameters

  • max-addresses—Non-secure mode with limited learning of dynamic MAC addresses.

  • lock—Secure mode without MAC learning.

  • secure permanent—Secure mode with limited learning of secure MAC addresses that have the permanent time-to-live. Static and secure MAC addresses may be added on the port manually by the mac address-table static command.

  • secure delete-on-reset—Secure mode with limited learning of secure MAC addresses that have the delete-on-reset time-to-live. Static and secure MAC addresses may be added on the port manually by the mac address-table static command.

Default Configuration

The default port security mode is lock.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

The default port mode is called regular. In this mode, the port allows unlimited learning of dynamic addresses.

The command may be used only when the interface is in the regular (non-secure with unlimited MAC learning) mode.

Example

The following example sets the port security mode to Lock for gi1/0/4.


switchxxxxxx(config)# interface gi1/0/4
switchxxxxxx(config-if)# port security mode lock
switchxxxxxx(config-if)# port security
switchxxxxxx(config-if)# exit

port security max

To configure the maximum number of addresses that can be learned on the port while the port is in max-addresses or secure mode, use the port security max Interface (Ethernet, Port Channel) Configuration mode command. To restore the default configuration, use the no form of this command.

Syntax

port security max max-addr

no port security max

Parameters

max-addr—Specifies the maximum number of addresses that can be learned on the port. (Range: 0–256)

Default Configuration

The default maximum number of addresses is 1.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

The command may be used only when the interface is in the regular (non-secure with unlimited MAC learning) mode.

Example

The following example sets the port to limited learning mode:

switchxxxxxx(config)# interface gi1/0/4
switchxxxxxx(config-if)# port security mode max
switchxxxxxx(config-if)# port security max 20
switchxxxxxx(config-if)# port security
switchxxxxxx(config-if)# exit

port security routed secure-address

To add a MAC-layer secure address to a routed port (a port that has an IP address defined on it), use the port security routed secure-address Interface (Ethernet, Port Channel) Configuration mode command. To delete a MAC address from a routed port, use the no form of this command.

Syntax

port security routed secure-address mac-address

no port security routed secure-address mac-address

Parameters

mac-address—Specifies the MAC address.

Default Configuration

No addresses are defined.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode. It cannot be configured for a range of interfaces (range context).

User Guidelines

This command enables adding secure MAC addresses to a routed port in port security mode. The command is available when the port is a routed port and in port security mode. The address is deleted if the port exits the security mode or is not a routed port.

Example

The following example adds the MAC-layer address 00:66:66:66:66:66 to gi1/0/1.

switchxxxxxx(config)#  interface gi1/0/1
switchxxxxxx(config-if)#  port security routed secure-address 00:66:66:66:66:66

show mac address-table

To display entries in the MAC address table, use the show mac address-table Privileged EXEC mode command.

Syntax

show mac address-table [dynamic | static | secure] [vlan vlan] [interface interface-id] [address mac-address]

Parameters

  • dynamic—(Optional) Displays only dynamic MAC address table entries.

  • static—(Optional) Displays only static MAC address table entries.

  • secure—(Optional) Displays only secure MAC address table entries.

  • vlan—(Optional) Displays entries for a specific VLAN.

  • interface interface-id—(Optional) Displays entries for a specific interface ID. The interface ID can be one of the following types: Ethernet port or port-channel.

  • address mac-address—(Optional) Displays entries for a specific MAC address.

Default Configuration

If no parameters are entered, the entire table is displayed.

Command Mode

Privileged EXEC mode

User Guidelines

Internal usage VLANs (VLANs that are automatically allocated on routed ports) are presented in the VLAN column by a port number and not by a VLAN ID.

Examples

Example 1 - Displays entire address table.

switchxxxxxx# show mac address-table
Aging time is 300 sec
VLAN     MAC Address           Port       Type
-------- --------------------- ---------- ----------
1        00:00:26:08:13:23     0          self
1        00:3f:bd:45:5a:b1     gi1/0/1    static
1        00:a1:b0:69:63:f3     gi1/0/2    dynamic
2        00:a1:b0:69:63:f3     gi1/0/3    dynamic
gi1/0/4  00:a1:b0:69:61:12     gi1/0/4    dynamic

Example 2 - Displays address table entries containing the specified MAC address.

switchxxxxxx#  show mac address-table address 00:3f:bd:45:5a:b1
Aging time is 300 sec
VLAN     MAC Address           Port       Type
-------- --------------------- ---------- ----------
1        00:3f:bd:45:5a:b1     gi1/0/4    static
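When this table is reviewed for port-security purposes, two things are worth checking: the same MAC address appearing on more than one port, and dynamic entries on a port that is supposed to be in lock mode (where, per the port security guidelines, learned addresses become secure). The following Python sketch is an added example, not part of the guide; the function names are assumptions, and the sample rows are reused from Example 1.

```python
import re
from collections import defaultdict

# Rows reused from Example 1 on this page, in its four-column layout.
SAMPLE_OUTPUT = """\
Aging time is 300 sec
VLAN     MAC Address           Port       Type
-------- --------------------- ---------- ----------
1        00:00:26:08:13:23     0          self
1        00:3f:bd:45:5a:b1     gi1/0/1    static
1        00:a1:b0:69:63:f3     gi1/0/2    dynamic
2        00:a1:b0:69:63:f3     gi1/0/3    dynamic
gi1/0/4  00:a1:b0:69:61:12     gi1/0/4    dynamic
"""

MAC_RE = re.compile(r"^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")


def parse_mac_table(text):
    """Return one dict per table row; banner, header and ruler lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        # A data row has exactly four columns with a MAC address in the second.
        if len(fields) != 4 or not MAC_RE.match(fields[1]):
            continue
        vlan, mac, port, entry_type = fields
        entries.append({
            "vlan": vlan,
            # Per the User Guidelines, an internal usage VLAN on a routed port
            # is shown as a port name instead of a numeric VLAN ID.
            "internal_vlan": not vlan.isdigit(),
            "mac": mac.lower(),
            "port": port,
            "type": entry_type.lower(),
        })
    return entries


def macs_on_multiple_ports(entries):
    """Map each MAC seen on more than one port to its sorted (vlan, port) pairs.

    A hit is something to investigate (moved host, loop, spoofed source
    address), not proof of a problem by itself.
    """
    seen = defaultdict(set)
    for entry in entries:
        if entry["type"] == "self":  # the switch's own address
            continue
        seen[entry["mac"]].add((entry["vlan"], entry["port"]))
    return {
        mac: sorted(places)
        for mac, places in seen.items()
        if len({port for _, port in places}) > 1
    }


def dynamic_on_ports(entries, ports):
    """Return sorted (port, mac) pairs for dynamic entries on the given ports.

    Pass the ports expected to be in lock mode; any result means the port is
    still learning addresses dynamically.
    """
    return sorted(
        (entry["port"], entry["mac"])
        for entry in entries
        if entry["type"] == "dynamic" and entry["port"] in ports
    )


if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_OUTPUT)
    print(macs_on_multiple_ports(table))
    print(dynamic_on_ports(table, {"gi1/0/4"}))
```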

show mac address-table count

To display the number of addresses present in the Forwarding Database, use the show mac address-table count Privileged EXEC mode command.

Syntax

show mac address-table count [vlan vlan | interface interface-id]

Parameters

  • vlan vlan—(Optional) Specifies VLAN.

  • interface interface-id—(Optional) Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or port-channel.

Command Mode

Privileged EXEC mode

User Guidelines

Use the show mac address-table count command to display the Forwarding Database capacity (total number of entries), free entries (the number of entries that can still be used) and the consumed entries breakdown by type of entry. The following entry types are displayed:

  • Used Unicast - Occupied Forwarding Database entries which are layer 2 MAC unicast addresses.

  • Used Multicast - Occupied Forwarding Database entries which are layer 2 MAC Multicast addresses.

  • IPv4 hosts - Occupied Forwarding Database entries which are IPv4 Layer 3 host entries.

  • IPv6 hosts - Occupied Forwarding Database entries which are IPv6 Layer 3 host entries.

  • Secure - The amount of the secure unicast entries.

  • Dynamic Unicast - The amount of the dynamic unicast entries.

  • Static Unicast - The amount of the static (configured by user) unicast entries.

  • Internal - The amount of the internal entries, for example the device's own MAC address.

The Secure, Dynamic Unicast, Static Unicast and Internal entry types present further breakdown of the Used Unicast entries.

The total number of consumed entries is the aggregate value of the following entry types: Used Unicast, Used Multicast, IPv4 hosts and IPv6 hosts.

If the interface parameter is used, the command displays only the following entry types: Used Unicast, Secure, Dynamic Unicast, Static Unicast and Internal.

Examples

Example 1 - The following example displays the number of entries present in forwarding table for the entire device:

switchxxxxxx#  show mac address-table count
This may take some time.
Capacity         : 16384
Free             : 16378
Used unicast     : 5
Used multicast   : 1
Used IPv4 hosts  : 1
Used IPv6 hosts  : 1 (each IPv6 host consumes 2 entires in MAC address table)
Secure           : 0
Dynamic unicast  : 2
Static unicast   : 2
Internal         : 1
console#

Example 2 - The following example displays the number of entries present in forwarding table for a specific device interface.

switchxxxxxx#  show mac address-table count interface gi1/0/1
This may take some time.
Capacity         : 16384
Free             : 16378
Used unicast     : 5
Secure           : 0
Dynamic unicast  : 2
Static unicast   : 2
Internal         : 0
console#

show bridge multicast mode

To display the Multicast bridging mode for all VLANs or for a specific VLAN, use the show bridge multicast mode Privileged EXEC mode command.

Syntax

show bridge multicast mode [vlan vlan-id]

Parameters

vlan vlan-id—(Optional) Specifies the VLAN ID.

Command Mode

Privileged EXEC mode

Example

The following example displays the Multicast bridging mode for all VLANs:

switchxxxxxx# show bridge multicast mode
VLAN    IPv4 Multicast Mode         IPv6 Multicast Mode
        Admin         Oper          Admin         Oper
-----   -----------   -----------   -----------   -----------
1       MAC-GROUP     MAC-GROUP     MAC-GROUP     MAC-GROUP
11      IPv4-GROUP    IPv4-GROUP    IPv6-GROUP    IPv6-GROUP
12      IPv4-SRC-     IPv4-SRC-     IPv6-SRC-     IPv6-SRC-
        GROUP         GROUP         GROUP         GROUP

show bridge multicast address-table

To display Multicast MAC addresses or IP Multicast address table information, use the show bridge multicast address-table Privileged EXEC mode command.

Syntax

show bridge multicast address-table [vlan vlan-id]

show bridge multicast address-table [vlan vlan-id] [address mac-multicast-address] [format {ip | mac}]

show bridge multicast address-table [vlan vlan-id] [address ipv4-multicast-address] [source ipv4-source-address]

show bridge multicast address-table [vlan vlan-id] [address ipv6-multicast-address] [source ipv6-source-address]

Parameters

  • vlan vlan-id—(Optional) Display entries for specified VLAN ID.

  • address—(Optional) Display entries for specified Multicast address. The possible values are:

    mac-multicast-address—(Optional) Specifies the MAC Multicast address.

    ipv4-multicast-address—(Optional) Specifies the IPv4 Multicast address.

    ipv6-multicast-address—(Optional) Specifies the IPv6 Multicast address.

  • format—(Optional) Applies if mac-multicast-address was selected. In this case either MAC or IP format can be displayed. Display entries for specified Multicast address format. The possible values are:

    ip—Specifies that the Multicast address is an IP address.

    mac—Specifies that the Multicast address is a MAC address.

  • source—(Optional) Specifies the source address. The possible values are:

    ipv4-address—(Optional) Specifies the source IPv4 address.

    ipv6-address—(Optional) Specifies the source IPv6 address.

Default Configuration

If the format is not specified, it defaults to mac (only if mac-multicast-address was entered).

If VLAN ID is not entered, entries for all VLANs are displayed.

If MAC or IP address is not supplied, entries for all addresses are displayed.

Command Mode

Privileged EXEC mode

User Guidelines

A MAC address can be displayed in IP format only if it is within the range 0100.5e00.0000 through 0100.5e7f.ffff.

Multicast router ports (defined statically or discovered dynamically) are members in all MAC groups.

Changing the Multicast mode can move static Multicast addresses that are written in the device FDB to a shadow configuration because of FDB hash collisions.

Example

The following example displays bridge Multicast address information.

switchxxxxxx#  show bridge multicast address-table
Multicast address table for VLANs in MAC-GROUP bridging mode:
Vlan    MAC Address         Type           Ports
---- -----------------    --------------   -----
8    01:00:5e:02:02:03     Static          1-2
Forbidden ports for Multicast addresses:
Vlan    MAC Address         Ports
---- -----------------      -----
8    01:00:5e:02:02:03      gi1/0/4

Multicast address table for VLANs in IPv4-GROUP bridging mode:

Vlan    MAC Address         Type             Ports
---- -----------------    --------------     -----
1      224.0.0.251         Dynamic           gi1/0/2
Forbidden ports for Multicast addresses:
Vlan    MAC Address         Ports
---- -----------------      -----
1      232.5.6.5
1      233.22.2.6
Multicast address table for VLANs in IPv4-SRC-GROUP bridging mode:
Vlan  Group Address  Source address  Type        Ports
---- --------------- --------------- --------    -----
1     224.2.2.251     11.2.2.3       Dynamic     gi1/0/1
Forbidden ports for Multicast addresses:
Vlan  Group Address  Source Address   Ports
---- --------------- --------------- -------
8    239.2.2.2       *               gi1/0/4
8    239.2.2.2       1.1.1.11        gi1/0/4
Multicast address table for VLANs in IPv6-GROUP bridging mode:
VLAN  IP/MAC Address   Type      Ports
---- ----------------- --------- ---------------------
8    ff02::4:4:4       Static    gi1/0/1-2, gi1/0/3, Po1
Forbidden ports for Multicast addresses:
VLAN  IP/MAC Address   Ports
---- ----------------- -----------
8    ff02::4:4:4       gi1/0/4
Multicast address table for VLANs in IPv6-SRC-GROUP bridging mode:
Vlan  Group Address  Source address  Type     Ports
---- --------------- --------------- -------- ------------------
8    ff02::4:4:4     *               Static   gi1/0/1-2,gi1/0/3,Po1
8    ff02::4:4:4     fe80::200:7ff:  Static
                     fe00:200
Forbidden ports for Multicast addresses:
Vlan  Group Address  Source address    Ports
---- --------------- ---------------   ----------
8    ff02::4:4:4     *                  gi1/0/4
8    ff02::4:4:4     fe80::200:7ff:f    gi1/0/4
                     e00:200
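The range quoted in the User Guidelines is the block of MAC addresses that IPv4 Multicast groups map to: the fixed prefix 01:00:5e followed by the low 23 bits of the group address. The following Python sketch is an added example, not part of the guide, and its function names are assumptions; it shows why addresses outside that range have no IP form and why 32 IPv4 groups share each MAC address, which is the overlap that the ipv4-group bridging mode avoids.

```python
import ipaddress
import re

# Bounds of the range quoted in the User Guidelines
# (0100.5e00.0000 through 0100.5e7f.ffff).
RANGE_LOW = 0x01005E000000
RANGE_HIGH = 0x01005E7FFFFF
LOW_23_BITS = 0x7FFFFF


def parse_mac(text):
    """Accept 0100.5e00.0000, 01:00:5e:00:00:00 or 01-00-5E-00-00-00."""
    digits = re.sub(r"[.:-]", "", text)
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return int(digits, 16)


def format_mac(value):
    """Render a 48-bit integer as colon-separated lower-case hex."""
    raw = f"{value:012x}"
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def ipv4_group_to_mac(group):
    """Map an IPv4 group to its MAC: 01:00:5e prefix plus the low 23 address bits."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 Multicast address")
    return format_mac(RANGE_LOW | (int(addr) & LOW_23_BITS))


def mac_to_ipv4_groups(mac):
    """Return every IPv4 group that maps to this MAC, or [] if it is out of range."""
    value = parse_mac(mac)
    if not RANGE_LOW <= value <= RANGE_HIGH:
        return []
    low = value & LOW_23_BITS
    base = int(ipaddress.IPv4Address("224.0.0.0"))
    # The 5 bits between the 1110 prefix and the low 23 bits are not carried
    # in the MAC address, so 2**5 = 32 groups share it.
    return [
        str(ipaddress.IPv4Address(base | (lost << 23) | low))
        for lost in range(32)
    ]


if __name__ == "__main__":
    # Two different groups, one MAC address.
    print(ipv4_group_to_mac("224.0.0.251"), ipv4_group_to_mac("239.128.0.251"))
    # The static MAC from the MAC-GROUP example is in range; list its groups.
    print(mac_to_ipv4_groups("01:00:5e:02:02:03")[:3])
```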

show bridge multicast address-table static

To display the statically-configured Multicast addresses, use the show bridge multicast address-table static Privileged EXEC mode command.

Syntax

show bridge multicast address-table static [vlan vlan-id] [all]

show bridge multicast address-table static [vlan vlan-id] [address mac-multicast-address] [mac | ip]

show bridge multicast address-table static [vlan vlan-id] [address ipv4-multicast-address] [source ipv4-source-address]

show bridge multicast address-table static [vlan vlan-id] [address ipv6-multicast-address] [source ipv6-source-address]

Parameters

  • vlan vlan-id—(Optional) Specifies the VLAN ID.

  • address—(Optional) Specifies the Multicast address. The possible values are:

    mac-multicast-address—(Optional) Specifies the MAC Multicast address.

    ipv4-multicast-address—(Optional) Specifies the IPv4 Multicast address.

    ipv6-multicast-address—(Optional) Specifies the IPv6 Multicast address.

  • source—(Optional) Specifies the source address. The possible values are:

    ipv4-address—(Optional) Specifies the source IPv4 address.

    ipv6-address—(Optional) Specifies the source IPv6 address.

Default Configuration

When all/mac/ip is not specified, all entries (MAC and IP) will be displayed.

Command Mode

Privileged EXEC mode

User Guidelines

A MAC address can be displayed in IP format only if it is within the range 0100.5e00.0000–0100.5e7f.ffff.

Example

The following example displays the statically-configured Multicast addresses.

switchxxxxxx# show bridge multicast address-table static
MAC-GROUP table
Vlan   MAC Address      Ports
----   --------------   --------
1      0100.9923.8787   gi1/0/1, gi1/0/2
Forbidden ports for multicast addresses:
Vlan   MAC Address      Ports
----   --------------   --------
IPv4-GROUP Table
Vlan   IP Address   Ports
----   ----------   --------
1      231.2.2.3    gi1/0/1, gi1/0/2
19     231.2.2.8    gi1/0/2-3
Forbidden ports for multicast addresses:
Vlan   IP Address   Ports
----   ----------   --------
1      231.2.2.3    gi1/0/4
19     231.2.2.8    gi1/0/3
IPv4-SRC-GROUP Table:
Vlan   Group Address     Source address    Ports
----   ---------------   ---------------   ------
Forbidden ports for multicast addresses:
Vlan   Group Address     Source address    Ports
----   ---------------   ---------------   ------
IPv6-GROUP Table
Vlan   IP Address         Ports
----   ----------------   ---------
191    FF12::8            gi1/0/1-4
Forbidden ports for multicast addresses:
Vlan   IP Address         Ports
----   ----------------   ---------
11     FF12::3            gi1/0/4
191    FF12::8            gi1/0/4
IPv6-SRC-GROUP Table:
Vlan   Group Address     Source address             Ports
----   ---------------   ------------------------   ------
192    FF12::8           FE80::201:C9A9:FE40:8988   gi1/0/1-4
Forbidden ports for multicast addresses:
Vlan   Group Address     Source address             Ports
----   ---------------   ------------------------   ------
192    FF12::3           FE80::201:C9A9:FE40:8988   gi1/0/4

show bridge multicast filtering

To display the Multicast filtering configuration, use the show bridge multicast filtering Privileged EXEC mode command.

Syntax

show bridge multicast filtering vlan-id

Parameters

vlan-id—Specifies the VLAN ID. (Range: Valid VLAN)

Default Configuration

None

Command Mode

Privileged EXEC mode

Example

The following example displays the Multicast configuration for VLAN 1.

switchxxxxxx# show bridge multicast filtering 1
Filtering: Enabled
VLAN: 1
Forward-All
Port      Static      Status
-----     ---------   ------
gi1/0/1   Forbidden   Filter
gi1/0/2   Forward     Forward(s)
gi1/0/3   -           Forward(d)

bridge multicast unregistered

To configure forwarding unregistered Multicast addresses, use the bridge multicast unregistered Interface (Ethernet, Port Channel) Configuration mode command. To restore the default configuration, use the no form of this command.

Syntax

bridge multicast unregistered {forwarding | filtering}

no bridge multicast unregistered

Parameters

  • forwarding—Forwards unregistered Multicast packets.

  • filtering—Filters unregistered Multicast packets.

Default Configuration

Unregistered Multicast addresses are forwarded.

Command Mode

Interface (Ethernet, Port Channel) Configuration mode

User Guidelines

Do not enable unregistered Multicast filtering on ports that are connected to routers, because the 224.0.0.x address range should not be filtered. Note that routers do not necessarily send IGMP reports for the 224.0.0.x range.

You can execute the command before the VLAN is created.

Example

The following example specifies that unregistered Multicast packets are filtered on gi1/0/1:

switchxxxxxx(config)#  interface gi1/0/1
switchxxxxxx(config-if)#  bridge multicast unregistered filtering

show ports security

To display the port-lock status, use the show ports security Privileged EXEC mode command.

Syntax

show ports security [interface-id | detailed]

Parameters

  • interface-id—(Optional) Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or port-channel.

  • detailed—(Optional) Displays information for non-present ports in addition to present ports.

Default Configuration

Display for all interfaces. If detailed is not used, only present ports are displayed.

Command Mode

Privileged EXEC mode

Example

The following example displays the port-lock status of all ports.


switchxxxxxx# show ports security
Port     Status    Learning       Action   Maximum  Trap      Frequency
-------  --------  -------------  -------  -------  --------  ---------
gi1/0/1  Enabled   Max-Addresses  Discard  3        Enabled   100
gi1/0/2  Disabled  Max-Addresses  -        28       -         -
gi1/0/3  Enabled   Lock           Discard  8        Disabled  -

The following table describes the fields shown above.

Field      Description
---------  -----------
Port       The port number.
Status     The port security status. The possible values are: Enabled or Disabled.
Action     The action taken on violation.
Maximum    The maximum number of addresses that can be associated on this port in the Max-Addresses mode.
Trap       The status of SNMP traps. The possible values are: Enable or Disable.
Frequency  The minimum time interval between consecutive traps.
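The fields described above lend themselves to a simple configuration audit. The following Python sketch is an added example, not part of the guide: it parses show ports security output, including rows whose Learning column wraps onto a continuation line, and reports ports that fail an assumed policy (port security enabled, action other than forward, SNMP traps on). The function names, the interface-name pattern and the policy are assumptions; the sample reuses the three rows of the example above.

```python
import re

# The three rows of the example above, with the Learning column wrapped
# onto a continuation line, a layout the parser also has to accept.
SAMPLE_OUTPUT = """\
Port   Status       Learning    Action    Maximum  Trap     Frequency
------- --------    ---------   ------    ---      -------  --------
gi1/0/1
       Enabled      Max-       Discard     3       Enabled  100
                    Addresses
gi1/0/2
      Disabled     Max-         -          28        -        -
                   Addresses
gi1/0/3
     Enabled       Lock      Discard      8       Disabled   -
"""

FIELDS = ("port", "status", "learning", "action", "maximum", "trap", "frequency")

# Assumption: interface names look like gi1/0/1 or Po1, the forms used on this page.
PORT_RE = re.compile(r"^[A-Za-z]+\d+(?:/\d+)*$")


def row_from_tokens(tokens):
    """Turn the tokens collected for one port into a dict keyed by FIELDS."""
    port, rest = tokens[0], tokens[1:]
    # A wrapped Learning value ("Max-" ... "Addresses") leaves its tail as a
    # seventh token at the end of the record; glue it back on.
    if len(rest) == 7 and rest[1].endswith("-"):
        rest = [rest[0], rest[1] + rest[6]] + rest[2:6]
    if len(rest) != 6:
        raise ValueError(f"unexpected row layout for {port}: {rest}")
    return dict(zip(FIELDS, [port] + rest))


def parse_ports_security(text):
    """Parse the table; a record starts at a line whose first token is a port name."""
    records, current = [], None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if PORT_RE.match(tokens[0]):
            current = [tokens[0]]
            records.append(current)
            tokens = tokens[1:]
        if current is not None:  # header and ruler lines come before any port
            current.extend(tokens)
    return [row_from_tokens(record) for record in records]


def audit(rows):
    """Return {port: [findings]} for ports that fail the assumed policy."""
    findings = {}
    for row in rows:
        issues = []
        if row["status"].lower() != "enabled":
            issues.append("port security disabled")
        else:
            if row["action"].lower() == "forward":
                issues.append("frames from unlearned sources are still forwarded")
            if row["trap"].lower() != "enabled":
                issues.append("no SNMP trap on violation")
        if issues:
            findings[row["port"]] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit(parse_ports_security(SAMPLE_OUTPUT)).items():
        print(port, "; ".join(issues))
```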

show ports security addresses

To display the current dynamic addresses in locked ports, use the show ports security addresses Privileged EXEC mode command.

Syntax

show ports security addresses [interface-id | detailed]

Parameters

  • interface-id—(Optional) Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or port-channel.

  • detailed—(Optional) Displays information for non-present ports in addition to present ports.

Default Configuration

Display for all interfaces. If detailed is not used, only present ports are displayed.

Command Mode

Privileged EXEC mode

Example

The following example displays dynamic addresses in all currently locked ports:

Port      Status     Learning   Current      Maximum
-------   --------   --------   ----------   ----------
gi1/0/1   Disabled   Lock       0            10
gi1/0/2   Disabled   Lock       0            1
gi1/0/3   Disabled   Lock       0            1
gi1/0/4   Disabled   Lock       0            1
...

bridge multicast reserved-address

To define the action on Multicast reserved-address packets, use the bridge multicast reserved-address Global Configuration mode command. To revert to default, use the no form of this command.

Syntax

bridge multicast reserved-address mac-multicast-address [ethernet-v2 ethtype | llc sap | llc-snap pid] {discard | bridge}

no bridge multicast reserved-address mac-multicast-address [ethernet-v2 ethtype | llc sap | llc-snap pid]

Parameters

  • mac-multicast-address—MAC Multicast address in the reserved MAC addresses range. (Range: 01-80-C2-00-00-00, 01-80-C2-00-00-02–01-80-C2-00-00-2F)

  • ethernet-v2 ethtype—(Optional) Specifies that the packet type is Ethernet v2 and the Ethernet type field (16 bits in hexadecimal format). (Range: 0x0600–0xFFFF)

  • llc sap—(Optional) Specifies that the packet type is LLC and the DSAP-SSAP field (16 bits in hexadecimal format). (Range: 0xFFFF)

  • llc-snap pid—(Optional) Specifies that the packet type is LLC-SNAP and the PID field (40 bits in hexadecimal format). (Range: 0x0000000000 - 0xFFFFFFFFFF)

  • discard—Specifies discarding the packets.

  • bridge—Specifies bridging (forwarding) the packets.

Default Configuration

  • If the user-supplied MAC Multicast address, ethertype and encapsulation (LLC) specifies a protocol supported on the device (called Peer), the default action (discard or bridge) is determined by the protocol.

  • If not, the default action is as follows:

    For MAC addresses in the range 01-80-C2-00-00-00, 01-80-C2-00-00-02–01-80-C2-00-00-0F, the default is discard.

    For MAC addresses in the range 00-80-C2-00-00-10–01-80-C2-00-00-2F, the default is bridge.

Command Mode

Global Configuration mode

User Guidelines

If the packet/service type (ethertype/encapsulation) is not specified, the configuration is relevant to all the packets with the configured MAC address.

Specific configurations (that contain service type) have precedence over less specific configurations (contain only MAC address).

The packets that are bridged are subject to security ACLs. The actions defined by this command have precedence over forwarding rules defined by applications/protocols (STP, LLDP etc.) supported on the device.

Example

switchxxxxxx(config)# bridge multicast reserved-address 00:3f:bd:45:5a:b1

show bridge multicast reserved-addresses

To display the Multicast reserved-address rules, use the show bridge multicast reserved-addresses Privileged EXEC mode command.

Syntax

show bridge multicast reserved-addresses

Command Mode

Privileged EXEC mode

Example

switchxxxxxx# show bridge multicast reserved-addresses
MAC Address         Frame Type    Protocol         Action
-----------------   -----------   --------------   -----------
01-80-C2-00-00-00   LLC-SNAP      00-00-0C-01-29   Bridge