CCNP SWITCH Exam Command Reference

Chris Bryant, CCIE #12933

www.thebryantadvantage.com

Command Reference
Overview
VLANs
VTP
Basic Spanning Tree
Advanced Spanning Tree
Basic Switch Operations
Multicasting
Quality of Service
Multilayer Switching & Router Redundancy
Switch Security & Tunneling
Voice VLANs

VLANs
show interface trunk shows port trunk modes, encapsulation, whether the
interface is actually trunking, and the native vlan for each interface.
SW1#show interface trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/11      desirable    802.1q         trunking      1
Fa0/12      desirable    802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/11      1-999,1001-4094
Fa0/12      1-999,1001-4094

Port        Vlans allowed and active in management domain
Fa0/11      1,12
Fa0/12      1,12

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/11      1,12
Fa0/12      12

show vlan is the full command to see information regarding all VLANs on
the switch, including some reserved ones you probably aren't using.

show vlan brief gives you the information you need to troubleshoot any
VLAN-related issue, but limits the information shown on the reserved
VLANs.

switchport nonegotiate turns DTP frames off, but the port must be hardcoded for trunking to do so.
SW2(config)#int fast 0/8
SW2(config-if)#switchport nonegotiate
Command rejected: Conflict between 'nonegotiate' and 'dynamic' status.
SW2(config-if)#switchport mode ?
access Set trunking mode to ACCESS unconditionally
dynamic Set trunking mode to dynamically negotiate access or trunk mode
trunk Set trunking mode to TRUNK unconditionally
SW2(config-if)#switchport mode trunk
SW2(config-if)#switchport nonegotiate

switchport mode access and switchport access vlan x work together to
place a port into a VLAN. The first command prevents the port from
becoming a trunk port, and the second command is a static VLAN
assignment.
SW1(config)#int fast 0/1
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 12

switchport trunk allowed vlan is used to disallow or allow VLANs from
sending traffic across the trunk, as shown with the below IOS Help
readout.
SW1(config-if)#switchport trunk allowed vlan ?
  WORD    VLAN IDs of the allowed VLANs when this port is in trunking mode
  add     add VLANs to the current list
  all     all VLANs
  except  all VLANs except the following
  none    no VLANs
  remove  remove VLANs from the current list

SW1(config)#interface fast 0/11
SW1(config-if)#switchport trunk allowed vlan except 1000
SW1(config-if)#interface fast 0/12
SW1(config-if)#switchport trunk allowed vlan except 1000

switchport trunk encapsulation is used to define whether ISL or dot1q will
be used on the trunk.
Rack1SW1(config-if)#switchport trunk encapsulation ?
  dot1q      Interface uses only 802.1q trunking encapsulation when trunking
  isl        Interface uses only ISL trunking encapsulation when trunking
  negotiate  Device will negotiate trunking encapsulation with peer on interface

switchport trunk native vlan x is used to change the native VLAN of the
trunk. This should be agreed upon by both endpoints. Be prepared to
see an error message while you're changing this, as shown below.
SW1(config-if)#switchport trunk native vlan 12
1d21h: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer
vlan id 1 on FastEthernet0/11 VLAN12.
1d21h: %SPANTREE-2-BLOCK_PVID_PEER: Blocking FastEthernet0/11 on
VLAN0001. Inconsistent peer vlan.
1d21h: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking FastEthernet0/11 on
VLAN0012. Inconsistent local vlan.
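As an added example that is not part of the original reference, the following Python audit parses the show interface trunk output quoted above and flags the trunk weaknesses the commands in this section address: a trunk negotiated by DTP (desirable/auto) instead of being hardcoded with switchport nonegotiate, a native VLAN left at 1, and an allowed-VLAN list that is effectively every VLAN. The sample output is a constructed copy of the page's own readout, and the 4000-VLAN "effectively all" threshold is an assumption.

```python
from typing import Dict, List, Set

# Constructed sample: the "show interface trunk" readout quoted in this section.
SHOW_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/11      desirable    802.1q         trunking      1
Fa0/12      desirable    802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/11      1-999,1001-4094
Fa0/12      1-999,1001-4094

Port        Vlans allowed and active in management domain
Fa0/11      1,12
Fa0/12      1,12

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/11      1,12
Fa0/12      12
"""

# Assumed heuristic: an allowed list this large is "all VLANs" for audit purposes.
ALL_VLANS_THRESHOLD = 4000


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '1-999,1001-4094' into a set of IDs."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_show_trunk(text: str) -> Dict[str, dict]:
    """Return per-port mode, encapsulation, status, native VLAN and allowed set.

    Each table in the readout starts with a 'Port' header line; the header
    text tells us which columns the following rows carry.
    """
    trunks: Dict[str, dict] = {}
    section = ""
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port"):
            section = line
            continue
        fields = line.split()
        port = fields[0]
        if "Native vlan" in section:
            trunks[port] = {"mode": fields[1], "encap": fields[2],
                            "status": fields[3], "native": int(fields[4])}
        elif "allowed on trunk" in section:
            trunks[port]["allowed"] = expand_vlan_list(fields[1])
    return trunks


def audit_trunk(port: str, info: dict) -> List[str]:
    """Findings for one trunk port, phrased as the fix this section documents."""
    findings = []
    if info["mode"] in ("desirable", "auto"):
        findings.append(f"{port}: trunk negotiated by DTP ({info['mode']}); "
                        "use switchport mode trunk + switchport nonegotiate")
    if info["native"] == 1:
        findings.append(f"{port}: native VLAN is 1; set switchport trunk native vlan to an unused VLAN")
    if len(info["allowed"]) >= ALL_VLANS_THRESHOLD:
        findings.append(f"{port}: {len(info['allowed'])} VLANs allowed; prune with switchport trunk allowed vlan")
    return findings


def audit_trunks(text: str) -> List[str]:
    """Audit every trunk in a show interface trunk readout."""
    return [f for port, info in parse_show_trunk(text).items() for f in audit_trunk(port, info)]
```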

VTP
show vtp counters displays the number of the different VTP advertisements
sent and received by the switch.

show vtp status displays just about anything you need to know about your
VTP domain, including domain name and revision number.

vtp domain is used to define the VTP domain.

vtp mode is used to define the switch as a VTP Server, Client, or as
running in Transparent mode.

To configure VTP in secure mode, set a password on all devices in the
VTP domain with vtp password. Verify with show vtp password.

Enable VTP pruning with vtp pruning, and check the VTP version with vtp
version.

Basic Spanning Tree


show spanning-tree interface x will display the STP settings for an
individual port.
SW2#show spanning-tree vlan 1
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/11           Root FWD 19        128.11   P2p
Fa0/12           Altn BLK 19        128.12   P2p

show spanning-tree vlan x shows the STP setting for the entire VLAN.
SW1#show spanning-tree vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000f.90e1.c240
             This bridge is the root
             Hello Time   5 sec  Max Age 30 sec  Forward Delay 20 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000f.90e1.c240
             Hello Time   5 sec  Max Age 30 sec  Forward Delay 20 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/11           Desg FWD 19        128.11   P2p
Fa0/12           Desg FWD 19        128.12   P2p

spanning-tree vlan x can be used to make a non-root switch the root bridge with
either the root primary or priority options.
SW2(config)#spanning-tree vlan 20 root primary
SW2(config)#spanning-tree vlan 30 root primary
SW2(config)#spanning-tree vlan 30 root ?
  primary    Configure this switch as primary root for this spanning tree
  secondary  Configure switch as secondary root
SW2(config)#spanning-tree vlan 10 priority ?
  <0-61440>  bridge priority in increments of 4096

spanning-tree vlan x is also used to change the STP timers, but this must
be done on the root bridge to be effective.
SW1(config)#spanning-tree vlan 1 hello-time 5
SW1(config)#spanning-tree vlan 1 max-age 30
SW1(config)#spanning-tree vlan 1 forward-time 20

Advanced Spanning Tree


Portfast can be enabled at the interface level with spanning-tree portfast,
or globally with spanning-tree portfast default.
SW1(config)#int fast 0/5
SW1(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
%Portfast has been configured on FastEthernet0/5 but will only
have effect when the interface is in a non-trunking mode.
SW1(config-if)#
SW2(config)#spanning portfast default
%Warning: this command enables portfast by default on all interfaces. You
should now disable portfast explicitly on switched ports leading to hubs,
switches and bridges as they may create temporary bridging loops.

Below, you'll see how to enable the STP features Uplinkfast,
Backbonefast, Root Guard, BPDU Guard, Loop Guard, and UDLD.
Several important options are also shown. You must know these
commands and exactly what they do.


SW2(config)#spanning-tree uplinkfast

SW2(config)#spanning-tree backbonefast

SW3(config)#int fast 0/3
SW3(config-if)#spanning-tree guard root

SW1(config)#int fast 0/5
SW1(config-if)#spanning-tree bpduguard
% Incomplete command.
SW1(config-if)#spanning-tree bpduguard ?
  disable  Disable BPDU guard for this interface
  enable   Enable BPDU guard for this interface
SW1(config-if)#spanning-tree bpduguard enable

SW2(config)#udld ?
  aggressive  Enable UDLD protocol in aggressive mode on fiber ports except where locally configured
  enable      Enable UDLD protocol on fiber ports except where locally configured
  message     Set UDLD message parameters
SW2(config)#udld enable

SW2(config-if)#int fast 0/5
SW2(config-if)#spanning-tree guard loop

To enable Multiple Spanning Tree:
SW2(config)# spanning-tree mode mst

The name and revision number must now be set in MST configuration mode:
SW2(config)# spanning-tree mst configuration
SW2(config-mst)# name REGION1
SW2(config-mst)# revision 1

To map VLANs to a particular MST instance:
SW2(config-mst)# instance 1 vlan 10,13,14-20

Basic Switch Operation


show mac-address-table displays the CAM table contents. This command
has about 10 options -- the dynamic option is very helpful.
SW2#show mac-address-table dynamic
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    000e.d7f5.a04b    DYNAMIC     Fa0/11
Total Mac Addresses for this criterion: 1

Create an SVI on an L3 switch:
SWITCH_2(config)#interface vlan 1
SWITCH_2(config-if)#ip address 20.1.1.1 255.255.255.0

Configure the switch's VTY lines to accept Secure Shell connections:
line vty 0 15
transport input ssh

Use the interface-range command to configure a number of interfaces
with one command. Use speed and duplex to adjust those settings for an
interface, and use description to, well, describe what the ports are doing!
SW2(config)#interface range fast 0/1 - 11
SW2(config-if-range)#speed 10
SW2(config-if-range)#duplex half

SW2(config)#interface range fast 0/11 - 12
SW2(config-if-range)#description ports trunking with SW1

SW2(config)#errdisable recovery cause all
SW2(config)#errdisable recovery interval ?
  <30-86400>  timer-interval(sec)
SW2(config)#errdisable recovery interval 300

SW1(config-if)#channel-group 1 mode ?
  active     Enable LACP unconditionally
  auto       Enable PAgP only if a PAgP device is detected
  desirable  Enable PAgP unconditionally
  on         Enable Etherchannel only
  passive    Enable LACP only if a LACP device is detected

Multicasting
Enable multicasting with ip multicast-routing. Statically configure the RP
location with ip pim rp-address. Enable Sparse Mode on the interfaces
with ip pim sparse. Verify with show ip pim neighbor.
R1(config)#ip multicast-routing
R1(config)#ip pim rp-address 172.12.123.1
R1(config)#int s0
R1(config-if)#ip pim sparse
R2(config)#ip multicast-routing
R2(config)#ip pim rp-address 172.12.123.1
R2(config)#int s0
R2(config-if)#ip pim sparse
R3(config)#ip multicast-routing
R3(config)#ip pim rp-address 172.12.123.1
R3(config)#int s0
R3(config-if)#ip pim sparse
R1#show ip pim neighbor
PIM Neighbor Table
Neighbor Address  Interface  Uptime    Expires   Ver  Mode
172.12.123.3      Serial0    00:11:08  00:01:37  v2   (DR)
172.12.123.2      Serial0    00:11:37  00:01:38  v2

How to limit the multicast groups a router can serve as the RP for:
R1(config)#access-list 14 permit 224.0.1.40
R1(config)#ip pim rp-address 172.12.123.1 ?
  <1-99>       Access-list reference for group
  <1300-1999>  Access-list reference for group (expanded range)
  WORD         IP Named Standard Access list
  override     Overrides Auto RP messages
  <cr>
R1(config)#ip pim rp-address 172.12.123.1 14

Configure routers as PIM RPs with send-rp-announce, and as PIM
Mapping Agents with send-rp-discovery.
R3(config)#ip pim send-rp-announce serial0 scope 5
R1(config)#ip pim send-rp-discovery serial 0 scope 5

Bootstrapping Commands:
To configure R1 as a C-BSR (the command takes the interface whose
address will be advertised as the BSR address):
R1(config)# ip pim bsr-candidate serial0

To configure R2 and R3 as C-RPs:
R2(config)# ip pim rp-candidate serial0

IGMP and CGMP:
Verify IGMP snooping with show ip igmp snooping.
SW1#show ip igmp snooping
Global IGMP Snooping configuration:
-----------------------------------
IGMP snooping              : Enabled
IGMPv3 snooping (minimal)  : Enabled
Report suppression         : Enabled
TCN solicit query          : Disabled
TCN flood query count      : 2

Vlan 1:
--------
IGMP snooping                   : Enabled
Immediate leave                 : Disabled
Multicast router learning mode  : pim-dvmrp
Source only learning age timer  : 10
CGMP interoperability mode      : IGMP_ONLY

Enable CGMP on a router and switch as shown below. The router interface
must be PIM-enabled first.
R1(config)#int e0
R1(config-if)#ip cgmp
WARNING: CGMP requires PIM enabled on interface
R1(config-if)#ip pim sparse
R1(config-if)#ip cgmp
SW1(config)#int fast 0/5
SW1(config-if)#ip cgmp

Quality Of Service
To enable QoS:
SW2(config)#mls qos

To configure an interface to trust the incoming CoS:
MLS(config-if)# mls qos trust cos

To change your mind and take the trust off:
SW2(config-if)# no mls qos trust

To create COS-DSCP and IP PREC-DSCP maps:
SW2(config)# mls qos map cos-dscp
SW2(config)#mls qos map ip-prec-dscp

A mutation map is created as follows:
SW2(config)#mls qos map dscp-mutation

Note that the

The mutation map needs to be applied to the proper interface:
SW2(config-if)#mls qos dscp-mutation MAP_NAME

To create a QoS policy, write an ACL to identify the traffic and use a
class-map to refer to the ACL:
SW1(config)#access-list 105 permit tcp any any eq 80
SW1(config)#class-map WEBTRAFFIC
SW1(config-cmap)#match access-group 105

QoS policies are configured with the policy-map command, and each
clause of the policy will contain an action to be taken to traffic matching
that clause.
SW1(config)#policy-map LIMIT_WEBTRAFFIC_BANDWIDTH
SW1(config-pmap)#class WEBTRAFFIC
SW1(config-pmap-c)#police 5000000 exceed-action drop
SW1(config-pmap-c)#exit

Finally, apply the policy to an interface in the inbound direction with the
service-policy command.
SW1(config-if)# service-policy input LIMIT_WEBTRAFFIC_BANDWIDTH

Multilayer Switching

To create a Switched Virtual Interface:
MLS(config)#interface vlan 10
MLS(config-if)#ip address 10.1.1.1 255.255.255.0

To configure a multilayer switch port as a routed port:
MLS(config)#interface fast 0/1
MLS(config-if)# no switchport
MLS(config-if)# ip address 172.1.1.1 255.255.255.0

To configure a multilayer switch port as a switching port:
MLS(config)# interface fast 0/1
MLS(config-if)# switchport

To configure basic HSRP:
R2(config)#interface ethernet0
R2(config-if)#standby 5 ip 172.12.23.10
R3(config)#interface ethernet0
R3(config-if)#standby 5 ip 172.12.23.10
R2#show standby
Ethernet0 - Group 5
Local state is Standby, priority 100
Hellotime 3 sec, holdtime 10 sec
Next hello sent in 0.776
Virtual IP address is 172.12.23.10 configured
Active router is 172.12.23.3, priority 100 expires in 9.568
Standby router is local
1 state changes, last state change 00:00:22

To change HSRP timers:
R3(config-if)#standby 5 timers 4 12

To change HSRP priority and allow a router to take over from an online
Active router:
R2(config-if)#standby 5 priority 150 preempt

To change the HSRP virtual router MAC address:
R2(config-if)#standby 5 mac-address 0000.1111.2222

To configure HSRP interface tracking:
R2(config-if)#standby 1 track serial0

To configure GLBP:
MLS(config-if)# glbp 5 ip 172.1.1.10

To change the interface priority, use the glbp priority command. To allow
the local router to preempt the current AVG, use the glbp preempt
command.
MLS(config-if)# glbp 5 priority 150
MLS(config-if)# glbp 5 preempt

To configure members of the server farm "ServFarm":
MLS(config)# ip slb serverfarm ServFarm
MLS(config-slb-sfarm)# real 210.1.1.11
MLS(config-slb-real)# inservice

To create the SLB virtual server:
MLS(config)# ip slb vserver VIRTUAL_SERVER
MLS(config-slb-vserver)# serverfarm ServFarm
MLS(config-slb-vserver)# virtual 210.1.1.14
MLS(config-slb-vserver)# inservice

To allow only specified hosts to connect to the virtual server:
MLS(config-slb-vserver)# client 210.1.1.0 0.0.0.255

Switch Security / Tunnel Commands

To enable AAA and specify a RADIUS or TACACS server:
SW2(config)#aaa new-model
SW2(config)#radius-server host ?
  Hostname or A.B.C.D  IP address of RADIUS server
SW2(config)#tacacs-server ?
  host  Specify a TACACS server

To define a default method list for AAA authentication:
SW2(config)#aaa authentication login default local group radius

To configure port security (the port must be an access port first, so the
command is rejected until the mode is set and then re-entered):
SW2(config)#int fast 0/5
SW2(config-if)#switchport port-security
Command rejected: Fa0/5 is not an access port.
SW2(config-if)#switchport mode access
SW2(config-if)#switchport access vlan 10
SW2(config-if)#switchport port-security

To specify secure MAC addresses:
SW2(config-if)#switchport port-security mac-address ?
  H.H.H  48 bit mac address

To set the port security mode:
SW2(config-if)#switchport port-security violation ?
  protect   Security violation protect mode
  restrict  Security violation restrict mode
  shutdown  Security violation shutdown mode

To enable Dot1x on the switch:
SW2(config)#dot1x ?
  system-auth-control  Enable or Disable SysAuthControl
SW2(config)#dot1x system-auth-control

Dot1x must be configured globally, but every switch port that's going to
run dot1x authentication must be configured as well.
SW2(config-if)#dot1x port-control ?
  auto                PortState will be set to AUTO
  force-authorized    PortState set to Authorized
  force-unauthorized  PortState will be set to UnAuthorized
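As an added example that is not part of the original reference, the following Python check walks a running-config excerpt and verifies that each interface carries the protections this section documents: access ports need switchport port-security, dot1x port-control auto, and BPDU guard wherever portfast is on; trunks need switchport nonegotiate and a non-default native VLAN; anything left in dynamic mode is flagged. The configuration text is constructed for the example, and the policy it is checked against is an assumption.

```python
from typing import Dict, List

# Constructed running-config excerpt (not from the page), built from the commands
# this reference covers. Fa0/5 is fully hardened, Fa0/6 is a bare access port,
# Fa0/11 is a trunk without nonegotiate, Fa0/12 still negotiates via DTP.
RUNNING_CONFIG = """\
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address 0000.1111.2222
 dot1x port-control auto
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/6
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/11
 switchport mode trunk
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 12
!
interface FastEthernet0/12
 switchport mode dynamic desirable
!
"""


def parse_interfaces(cfg: str) -> Dict[str, List[str]]:
    """Map each interface name to its indented configuration lines."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # "!" or any other top-level line ends the block
    return blocks


def audit_interface(name: str, lines: List[str]) -> List[str]:
    """Findings for one interface, phrased as the command that would fix it."""
    findings = []
    # IOS defaults to dynamic (DTP) when no switchport mode line is present.
    mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), "dynamic")
    if mode == "access":
        if "switchport port-security" not in lines:
            findings.append(f"{name}: access port without switchport port-security")
        if "dot1x port-control auto" not in lines:
            findings.append(f"{name}: access port without dot1x port-control auto")
        if "spanning-tree portfast" in lines and "spanning-tree bpduguard enable" not in lines:
            findings.append(f"{name}: portfast without spanning-tree bpduguard enable")
    elif mode == "trunk":
        if "switchport nonegotiate" not in lines:
            findings.append(f"{name}: trunk still sends DTP; add switchport nonegotiate")
        if not any(l.startswith("switchport trunk native vlan ") for l in lines):
            findings.append(f"{name}: trunk uses default native VLAN 1")
    else:
        findings.append(f"{name}: mode {mode} leaves DTP negotiation on; hardcode access or trunk")
    return findings


def audit_config(cfg: str) -> List[str]:
    """Audit every interface block in a running-config."""
    return [f for n, ls in parse_interfaces(cfg).items() for f in audit_interface(n, ls)]
```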

To configure and verify a local SPAN session:
SW2(config)#monitor session 1 source interface fast 0/1 - 5
SW2(config)#monitor session 1 destination interface fast 0/10
SW2#show monitor
Session 1
---------
Type              : Local Session
Source Ports      :
    Both          : Fa0/1-2
Destination Ports : Fa0/10
Encapsulation     : Native
Ingress           : Disabled

To configure a remote SPAN session, first create the VLAN that will carry
the mirrored traffic:
SW2(config)#vlan 30
SW2(config-vlan)#remote-span

Configure the source ports and destination as shown on the source
switch:
SW2(config)#monitor session 1 source interface fast 0/1 - 5
SW2(config)#monitor session 1 desti remote vlan 30 reflector-port fast 0/12

Configure the source VLAN and destination port on the destination switch:
SW1(config)#monitor session 1 source remote vlan 30
SW1(config)#monitor session 1 destination interface fast 0/10

To create a VLAN ACL, first write an ACL specifying the traffic to be
affected.
SW2(config)#ip access-list extended NO_123_CONTACT
SW2(config-ext-nacl)#permit ip 171.10.10.0 0.0.0.3 172.10.10.0 0.0.0.255

Follow that with the VLAN access-map:
SW2(config)# vlan access-map NO_123 10
SW2(config-access-map)# match ip address NO_123_CONTACT
SW2(config-access-map)# action drop
SW2(config-access-map)# vlan access-map NO_123 20
SW2(config-access-map)# action forward

Finally, we've got to apply the VACL. We're not applying it to a specific
interface - instead, apply the VACL in global configuration mode.
SW2(config)# vlan filter NO_123 vlan-list 100

For dot1q tunneling, the following configuration would be needed on the
service provider switch ports that will receive traffic from the customer
(vlan dot1q tag native is a global command, not an interface command):
MLS_1(config)#int fast 0/12
MLS_1(config-if)#switchport access vlan 100
MLS_1(config-if)#switchport mode dot1qtunnel
MLS_1(config-if)#exit
MLS_1(config)#vlan dot1q tag native

By default, CDP, STP, and VTP will not be sent through the dot1q tunnel.
To send those frames to the remote network, create an L2 protocol
tunnel. This command has quite a few options, so I've shown as many as
possible below.
MLS_1(config-if)#l2protocol-tunnel ?
  cdp                 Cisco Discovery Protocol
  drop-threshold      Set drop threshold for protocol packets
  point-to-point      point-to-point L2 Protocol
  shutdown-threshold  Set shutdown threshold for protocol packets
  stp                 Spanning Tree Protocol
  vtp                 Vlan Trunking Protocol
  <cr>
MLS_1(config-if)#l2protocol-tunnel drop-threshold ?
  <1-4096>        Packets/sec rate beyond which protocol packets will be dropped
  cdp             Cisco Discovery Protocol
  point-to-point  point-to-point L2 Protocol
  stp             Spanning Tree Protocol
  vtp             Vlan Trunking Protocol
MLS_1(config-if)#l2protocol-tunnel drop-threshold cdp ?
  <1-4096>  Packets/sec rate beyond which protocol packets will be dropped
MLS_1(config-if)#l2protocol-tunnel drop-threshold cdp 2000 ?
  <cr>
MLS_1(config-if)#l2protocol-tunnel drop-threshold cdp 2000
MLS_1(config-if)#l2protocol-tunnel shutdown-threshold ?
  <1-4096>        Packets/sec rate beyond which interface is put to err-disable
  cdp             Cisco Discovery Protocol
  point-to-point  point-to-point L2 Protocol
  stp             Spanning Tree Protocol
  vtp             Vlan Trunking Protocol
MLS_1(config-if)#l2protocol-tunnel shutdown-threshold vtp ?
  <1-4096>  Packets/sec rate beyond which interface is put to err-disable
MLS_1(config-if)#l2protocol-tunnel shutdown-threshold vtp 4096

Creating a private VLAN:
MLS(config-vlan)#private-vlan community
Private VLANs can only be configured when VTP is in transparent mode
MLS(config-vlan)#exit
MLS(config)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.
MLS(config)#vlan 20
MLS(config-vlan)#private-vlan community
MLS(config-vlan)#private-vlan association ?
  WORD    VLAN IDs of the private VLANs to be configured
  add     Add a VLAN to private VLAN list
  remove  Remove a VLAN from private VLAN list
MLS(config-vlan)#private-vlan association 30

The ports will now be placed into the private VLAN: set the port to
private-VLAN host mode, then bind it to the primary and secondary VLAN pair.
MLS(config-if)# switchport mode private-vlan host
MLS(config-if)# switchport private-vlan host-association 20 30

Voice VLANs

The basic Voice VLAN configuration is as follows:
MLS(config)# mls qos
(globally enables QoS on the switch)
MLS(config)# interface fast 0/5
(port leading to IP phone)
MLS(config-if)# mls qos trust cos
(trust incoming CoS values)
MLS(config-if)# switchport voice vlan {x | dot1p | none | untagged}

To configure the phone to accept the CoS values coming from the PC:
MLS(config)# interface fast 0/5
(port leading to IP phone)
MLS(config-if)# switchport priority extend trust

To configure the phone not to trust the incoming CoS value:
MLS(config)# interface fast 0/5
(port leading to IP phone)
MLS(config-if)# switchport priority extend cos 0

To configure the switch to trust incoming CoS values if they're sent by a
Cisco IP phone:
MLS(config-if)# mls qos trust cos
MLS(config-if)# mls qos trust device cisco-phone

Copyright 2010 The Bryant Advantage. All Rights Reserved.