manualshive.com logo in svg

Cisco 3020 - Cisco Catalyst Blade Switch, Software Configuration Manual

The HP 3020 - Cisco Catalyst Blade Switch is an advanced networking solution designed for seamless data transfer. To help you get started with this powerful device, we offer a comprehensive "Getting Started Manual" available for free download from our website. Unlock the full potential of your switch with our user-friendly manual.

Share
Download
background image

 

8-27

Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide

OL-8915-03

Chapter 8      Configuring IEEE 802.1x Port-Based Authentication

Configuring IEEE 802.1x Authentication

a server at the same IP address. If two different host entries on the same RADIUS server are configured 
for the same service—for example, authentication—the second host entry configured acts as the 
fail-over backup to the first one. The RADIUS host entries are tried in the order that they were 
configured.

Beginning in privileged EXEC mode, follow these steps to configure the RADIUS server parameters on 
the switch. This procedure is required.

To delete the specified RADIUS server, use the 

no radius-server host

 {

hostname

 | 

ip-address

} global 

configuration command.

This example shows how to specify the server with IP address 172.20.39.46 as the RADIUS server, to 
use port 1612 as the authorization port, and to set the encryption key to 

rad123

, matching the key on the 

RADIUS server:

Switch(config)#

 radius-server host 172.l20.39.46 auth-port 6403 key rad123

You can globally configure the timeout, retransmission, and encryption key values for all RADIUS 
servers by using the 

radius-server host

 global configuration command. If you want to configure these 

options on a per-server basis, use the 

radius-server timeout

radius-server retransmit

, and the 

radius-server key

 global configuration commands. For more information, see the 

“Configuring Settings 

for All RADIUS Servers” section on page 7-29

.

You also need to configure some settings on the RADIUS server. These settings include the IP address 
of the switch and the key string to be shared by both the server and the switch. For more information, 
see the RADIUS server documentation.

Command

Purpose

Step 1

configure terminal

Enter global configuration mode.

Step 2

radius-server host

 {

hostname

 | 

ip-address

auth-port

 

port-number

 

key

 

string

Configure the RADIUS server parameters.

For 

hostname

 | 

ip-address, 

specify the hostname or IP address of the 

remote RADIUS server.

For 

auth-port

 

port-number

, specify the UDP destination port for 

authentication requests. The default is 1812. The range is 0 to 65536.

For 

key

 

string

, specify the authentication and encryption key used 

between the switch and the RADIUS daemon running on the RADIUS 
server. The key is a text string that must match the encryption key used on 
the RADIUS server.

Note

Always configure the key as the last item in the 

radius-server 

host

 command syntax because leading spaces are ignored, but 

spaces within and at the end of the key are used. If you use spaces 
in the key, do not enclose the key in quotation marks unless the 
quotation marks are part of the key. This key must match the 
encryption used on the RADIUS daemon.

If you want to use multiple RADIUS servers, re-enter this command.

Step 3

end

Return to privileged EXEC mode.

Step 4

show running-config

Verify your entries.

Step 5

copy running-config startup-config

(Optional) Save your entries in the configuration file.

Summary of Contents for 3020 - Cisco Catalyst Blade Switch

Page 1: ... Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide Cisco IOS Release 12 2 44 SE January 2008 Text Part Number OL 8915 03 ...

Page 2: ...ING OUT OF THE USE OR INABILITY TO USE THIS MANUAL EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES CCVP the Cisco logo and Welcome to the Human Network are trademarks of Cisco Systems Inc Changing the Way We Work Live Play and Learn is a service mark of Cisco Systems Inc and Access Registrar Aironet Catalyst CCDA CCDP CCIE CCIP CCNA CCNP CCSP Cisco the Cisco Cer...

Page 3: ...s 1 3 Manageability Features 1 4 Availability and Redundancy Features 1 5 VLAN Features 1 6 Security Features 1 6 QoS and CoS Features 1 8 Layer 3 Features 1 9 Monitoring Features 1 10 Default Settings After Initial Switch Configuration 1 10 Design Concepts for Using the Switch 1 13 Where to Go Next 1 16 C H A P T E R 2 Using the Command Line Interface 2 1 Understanding Command Modes 2 1 Understan...

Page 4: ...ding DHCP based Autoconfiguration and Image Update 3 4 DHCP Autoconfiguration 3 5 DHCP Auto Image Update 3 5 Limitations and Restrictions 3 5 Configuring DHCP Based Autoconfiguration 3 6 DHCP Server Configuration Guidelines 3 6 Configuring the TFTP Server 3 7 Configuring the DNS 3 7 Configuring the Relay Device 3 7 Obtaining Configuration Files 3 8 Example Configuration 3 9 Configuring the DHCP Au...

Page 5: ...D 4 4 Using Hostname DeviceID and ConfigID 4 4 Understanding Cisco IOS Agents 4 5 Initial Configuration 4 5 Incremental Partial Configuration 4 6 Synchronized Configuration 4 6 Configuring Cisco IOS Agents 4 6 Enabling Automated CNS Configuration 4 6 Enabling the CNS Event Agent 4 8 Enabling the Cisco IOS CNS Agent 4 9 Enabling an Initial Configuration 4 9 Enabling a Partial Configuration 4 13 Dis...

Page 6: ...r 5 17 Default Banner Configuration 5 17 Configuring a Message of the Day Login Banner 5 18 Configuring a Login Banner 5 19 Managing the MAC Address Table 5 19 Building the Address Table 5 20 MAC Addresses and VLANs 5 20 Default MAC Address Table Configuration 5 21 Changing the Address Aging Time 5 21 Removing Dynamic Address Entries 5 22 Configuring MAC Address Notification Traps 5 22 Adding and ...

Page 7: ... TACACS 7 10 TACACS Operation 7 12 Configuring TACACS 7 12 Default TACACS Configuration 7 13 Identifying the TACACS Server Host and Setting the Authentication Key 7 13 Configuring TACACS Login Authentication 7 14 Configuring TACACS Authorization for Privileged EXEC Access and Network Services 7 16 Starting TACACS Accounting 7 17 Displaying the TACACS Configuration 7 17 Controlling Switch Access wi...

Page 8: ... Configuration and Status 7 41 Configuring the Switch for Secure Socket Layer HTTP 7 41 Understanding Secure HTTP Servers and Clients 7 41 Certificate Authority Trustpoints 7 42 CipherSuites 7 43 Configuring Secure HTTP Servers and Clients 7 44 Default SSL Configuration 7 44 SSL Configuration Guidelines 7 44 Configuring a CA Trustpoint 7 44 Configuring the Secure HTTP Server 7 45 Configuring the S...

Page 9: ... 802 1x Authentication 8 20 Default IEEE 802 1x Authentication Configuration 8 20 IEEE 802 1x Authentication Configuration Guidelines 8 22 IEEE 802 1x Authentication 8 22 VLAN Assignment Guest VLAN Restricted VLAN and Inaccessible Authentication Bypass 8 23 MAC Authentication Bypass 8 23 Configuring 802 1x Readiness Check 8 24 Configuring Voice Aware 802 1x Security 8 25 Configuring IEEE 802 1x Au...

Page 10: ... Management Only Interface 9 7 Using Interface Configuration Mode 9 7 Procedures for Configuring Interfaces 9 8 Configuring a Range of Interfaces 9 9 Configuring and Using Interface Range Macros 9 10 Configuring Ethernet Interfaces 9 12 Default Ethernet Interface Configuration 9 12 Setting the Type of a Dual Purpose Uplink Port 9 13 Configuring Interface Speed and Duplex Mode 9 15 Speed and Duplex...

Page 11: ...VLANs 11 6 Normal Range VLAN Configuration Guidelines 11 6 VLAN Configuration Mode Options 11 7 VLAN Configuration in config vlan Mode 11 7 VLAN Configuration in VLAN Database Configuration Mode 11 7 Saving VLAN Configuration 11 7 Default Ethernet VLAN Configuration 11 8 Creating or Modifying an Ethernet VLAN 11 9 Deleting a VLAN 11 10 Assigning Static Access Ports to a VLAN 11 11 Configuring Exte...

Page 12: ...efault VMPS Client Configuration 11 29 VMPS Configuration Guidelines 11 29 Configuring the VMPS Client 11 30 Entering the IP Address of the VMPS 11 30 Configuring Dynamic Access Ports on VMPS Clients 11 30 Reconfirming VLAN Memberships 11 31 Changing the Reconfirmation Interval 11 31 Changing the Retry Count 11 32 Monitoring the VMPS 11 32 Troubleshooting Dynamic Access Port VLAN Membership 11 33 ...

Page 13: ...onfiguration 13 3 Voice VLAN Configuration Guidelines 13 3 Configuring a Port Connected to a Cisco 7960 IP Phone 13 4 Configuring Cisco IP Phone Voice Traffic 13 5 Configuring the Priority of Incoming Data Frames 13 6 Displaying Voice VLAN 13 7 C H A P T E R 14 Configuring Private VLANs 14 1 Understanding Private VLANs 14 1 IP Addressing Scheme with Private VLANs 14 3 Private VLANs across Multiple...

Page 14: ...g an IEEE 802 1Q Tunneling Port 15 6 Understanding Layer 2 Protocol Tunneling 15 7 Configuring Layer 2 Protocol Tunneling 15 10 Default Layer 2 Protocol Tunneling Configuration 15 11 Layer 2 Protocol Tunneling Configuration Guidelines 15 12 Configuring Layer 2 Protocol Tunneling 15 13 Configuring Layer 2 Tunneling for EtherChannels 15 14 Configuring the SP Edge Switch 15 14 Configuring the Custome...

Page 15: ...ty 16 16 Configuring Path Cost 16 18 Configuring the Switch Priority of a VLAN 16 19 Configuring Spanning Tree Timers 16 20 Configuring the Hello Time 16 20 Configuring the Forwarding Delay Time for a VLAN 16 21 Configuring the Maximum Aging Time for a VLAN 16 21 Configuring the Transmit Hold Count 16 22 Displaying the Spanning Tree Status 16 22 C H A P T E R 17 Configuring MSTP 17 1 Understanding...

Page 16: ...e Switch Priority 17 21 Configuring the Hello Time 17 22 Configuring the Forwarding Delay Time 17 23 Configuring the Maximum Aging Time 17 23 Configuring the Maximum Hop Count 17 24 Specifying the Link Type to Ensure Rapid Transitions 17 24 Designating the Neighbor Type 17 25 Restarting the Protocol Migration Process 17 25 Displaying the MST Configuration and Status 17 26 C H A P T E R 18 Configur...

Page 17: ...dress Table Move Update 19 4 Configuration Guidelines 19 5 Default Configuration 19 5 Configuring Flex Links 19 6 Configuring VLAN Load Balancing on Flex Links 19 7 Configuring the MAC Address Table Move Update Feature 19 9 Monitoring Flex Links and the MAC Address Table Move Update Information 19 11 C H A P T E R 20 Configuring DHCP Features and IP Source Guard 20 1 Understanding DHCP Features 20...

Page 18: ...1 Interface Trust States and Network Security 21 3 Rate Limiting of ARP Packets 21 4 Relative Priority of ARP ACLs and DHCP Snooping Entries 21 4 Logging of Dropped Packets 21 4 Configuring Dynamic ARP Inspection 21 5 Default Dynamic ARP Inspection Configuration 21 5 Dynamic ARP Inspection Configuration Guidelines 21 6 Configuring Dynamic ARP Inspection in DHCP Environments 21 7 Configuring ARP AC...

Page 19: ...g Information 22 16 Understanding Multicast VLAN Registration 22 17 Using MVR in a Multicast Television Application 22 18 Configuring MVR 22 20 Default MVR Configuration 22 20 MVR Configuration Guidelines and Limitations 22 20 Configuring MVR Global Parameters 22 21 Configuring MVR Interfaces 22 22 Displaying MVR Information 22 24 Configuring IGMP Filtering and Throttling 22 24 Default IGMP Filter...

Page 20: ... and Configuring Port Security Aging 23 17 Port Security and Private VLANs 23 19 Displaying Port Based Traffic Control Settings 23 20 C H A P T E R 24 Configuring CDP 24 1 Understanding CDP 24 1 Configuring CDP 24 2 Default CDP Configuration 24 2 Configuring the CDP Characteristics 24 2 Disabling and Enabling CDP 24 3 Disabling and Enabling CDP on an Interface 24 4 Monitoring and Maintaining CDP 2...

Page 21: ...7 3 SPAN Sessions 27 3 Monitored Traffic 27 4 Source Ports 27 5 Source VLANs 27 6 VLAN Filtering 27 6 Destination Port 27 7 RSPAN VLAN 27 8 SPAN and RSPAN Interaction with Other Features 27 8 Configuring SPAN and RSPAN 27 9 Default SPAN and RSPAN Configuration 27 9 Configuring Local SPAN 27 10 SPAN Configuration Guidelines 27 10 Creating a Local SPAN Session 27 11 Creating a Local SPAN Session and...

Page 22: ...g Message Logging 29 4 Setting the Message Display Destination Device 29 5 Synchronizing Log Messages 29 6 Enabling and Disabling Time Stamps on Log Messages 29 7 Enabling and Disabling Sequence Numbers in Log Messages 29 8 Defining the Message Severity Level 29 8 Limiting Syslog Messages Sent to the History Table and to SNMP 29 10 Enabling the Configuration Change Logger 29 10 Configuring UNIX Sy...

Page 23: ...ed ACLs 31 2 Port ACLs 31 3 Router ACLs 31 4 VLAN Maps 31 5 Handling Fragmented and Unfragmented Traffic 31 5 Configuring IPv4 ACLs 31 6 Creating Standard and Extended IPv4 ACLs 31 7 Access List Numbers 31 8 ACL Logging 31 8 Creating a Numbered Standard ACL 31 9 Creating a Numbered Extended ACL 31 10 Resequencing ACEs in an ACL 31 14 Creating Named Standard and Extended ACLs 31 14 Using Time Range...

Page 24: ...and Switched Packets 31 37 ACLs and Routed Packets 31 38 Displaying IPv4 ACL Configuration 31 38 C H A P T E R 32 Configuring QoS 32 1 Understanding QoS 32 2 Basic QoS Model 32 3 Classification 32 5 Classification Based on QoS ACLs 32 7 Classification Based on Class Maps and Policy Maps 32 7 Policing and Marking 32 8 Policing on Physical Ports 32 9 Policing on SVIs 32 10 Mapping Tables 32 12 Queue...

Page 25: ...ing DSCP Transparency Mode 32 40 Configuring the DSCP Trust State on a Port Bordering Another QoS Domain 32 40 Configuring a QoS Policy 32 42 Classifying Traffic by Using ACLs 32 43 Classifying Traffic by Using Class Maps 32 46 Classifying Policing and Marking Traffic on Physical Ports by Using Policy Maps 32 48 Classifying Policing and Marking Traffic on SVIs by Using Hierarchical Policy Maps 32 ...

Page 26: ...els 33 1 EtherChannel Overview 33 2 Port Channel Interfaces 33 3 Port Aggregation Protocol 33 4 PAgP Modes 33 4 PAgP Interaction with Other Features 33 5 Link Aggregation Control Protocol 33 5 LACP Modes 33 5 LACP Interaction with Other Features 33 6 EtherChannel On Mode 33 6 Load Balancing and Forwarding Methods 33 6 Configuring EtherChannels 33 8 Default EtherChannel Configuration 33 9 EtherChan...

Page 27: ...e of Subnet Zero 34 5 Classless Routing 34 6 Configuring Address Resolution Methods 34 7 Define a Static ARP Cache 34 8 Set ARP Encapsulation 34 9 Enable Proxy ARP 34 9 Routing Assistance When IP Routing is Disabled 34 10 Proxy ARP 34 10 Default Gateway 34 10 ICMP Router Discovery Protocol IRDP 34 11 Configuring Broadcast Packet Handling 34 12 Enabling Directed Broadcast to Physical Broadcast Tran...

Page 28: ...assive Interfaces 34 34 Controlling Advertising and Processing in Routing Updates 34 34 Filtering Sources of Routing Information 34 35 Managing Authentication Keys 34 36 Monitoring and Maintaining the IP Network 34 37 C H A P T E R 35 Configuring IPv6 Host Functions 35 1 Understanding IPv6 35 1 IPv6 Addresses 35 2 Supported IPv6 Unicast Host Features 35 3 128 Bit Wide Unicast Addresses 35 3 DNS fo...

Page 29: ...ic Multicast Group 36 8 Configuring a Multicast Router Port 36 8 Enabling MLD Immediate Leave 36 9 Configuring MLD Snooping Queries 36 10 Disabling MLD Listener Message Suppression 36 11 Displaying MLD Snooping Information 36 11 C H A P T E R 37 Configuring IPv6 ACLs 37 1 Understanding IPv6 ACLs 37 1 Supported ACL Features 37 2 IPv6 ACL Limitations 37 2 Configuring IPv6 ACLs 37 3 Default IPv6 ACL ...

Page 30: ...C H A P T E R 39 Configuring Cisco IOS IP SLAs Operations 39 1 Understanding Cisco IOS IP SLAs 39 1 Using Cisco IOS IP SLAs to Measure Network Performance 39 3 IP SLAs Responder and IP SLAs Control Protocol 39 4 Response Time Computation for IP SLAs 39 4 Configuring IP SLAs Operations 39 5 Default Configuration 39 5 Configuration Guidelines 39 5 Configuring the IP SLAs Responder 39 6 Monitoring IP...

Page 31: ... 18 Basic crashinfo Files 40 18 Extended crashinfo Files 40 19 C H A P T E R 41 Configuring Online Diagnostics 41 1 Understanding How Online Diagnostics Work 41 1 Scheduling Online Diagnostics 41 2 Configuring Health Monitoring Diagnostics 41 2 Running Online Diagnostic Tests 41 3 Starting Online Diagnostic Tests 41 3 Displaying Online Diagnostic Tests and Test Results 41 3 A P P E N D I X A Suppo...

Page 32: ... File By Using FTP B 13 Downloading a Configuration File By Using FTP B 14 Uploading a Configuration File By Using FTP B 15 Copying Configuration Files By Using RCP B 16 Preparing to Download or Upload a Configuration File By Using RCP B 17 Downloading a Configuration File By Using RCP B 17 Uploading a Configuration File By Using RCP B 18 Clearing Configuration Information B 19 Clearing the Startu...

Page 33: ...tion Command C 1 Archive Commands C 2 Unsupported Privileged EXEC Commands C 2 ARP Commands C 2 Unsupported Global Configuration Commands C 2 Unsupported Interface Configuration Commands C 2 Bootloader Commands C 2 Unsupported user EXEC Command C 2 Unsupported Global Configuration Command C 2 Debug Commands C 3 Unsupported Privileged EXEC Commands C 3 HSRP C 3 Unsupported Global Configuration Comm...

Page 34: ...ss Translation NAT Commands C 7 Unsupported Privileged EXEC Commands C 7 QoS C 7 Unsupported Global Configuration Command C 7 Unsupported Interface Configuration Commands C 7 Unsupported Policy Map Configuration Command C 7 RADIUS C 8 Unsupported Global Configuration Commands C 8 SNMP C 8 Unsupported Global Configuration Commands C 8 Spanning Tree C 8 Unsupported Global Configuration Command C 8 U...

Page 35: ...the commands that have been created or changed for use with the Cisco Catalyst Blade Switch 3020 for HP switch It does not provide detailed information about these commands For detailed information about these commands see the Cisco Catalyst Blade Switch 3020 for HP Command Reference for this release For information about the standard Cisco IOS Release 12 2 commands see the Cisco IOS documentation...

Page 36: ...rials not contained in this manual Caution Means reader be careful In this situation you might do something that could result in equipment damage or loss of data Related Publications For more information about the switch see the Cisco Catalyst Blade Switch 3020 for HP documentation on Cisco com http www cisco com en US products ps6748 tsd_products_support_series_home html Note Before installing co...

Page 37: ... Factor Pluggable Modules Installation Notes order number DOC 7815160 These compatibility matrix documents are available from this Cisco com site http www cisco com en US products hw modules ps5455 products_device_support_tables_list ht ml Cisco Gigabit Ethernet Transceiver Modules Compatibility Matrix not orderable but available on Cisco com Cisco Small Form Factor Pluggable Modules Compatibility...

Page 38: ...xxxviii Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide OL 8915 03 Preface Obtaining Documentation and Submitting a Service Request ...

Page 39: ...quality of service QoS static routing EIGRP and PIM stub routing the Hot Standby Router Protocol HSRP the Routing Information Protocol RIP IPv6 host management and IPv6 MLD snooping Some features described in this chapter are available only on the cryptographic supports encryption version of the software You must obtain authorization to use this feature and to download the cryptographic version of...

Page 40: ...ugh or crossover and to configure the connection appropriately Support for up to 1546 bytes routed frames IEEE 802 3x flow control on all ports the switch does not send pause frames EtherChannel for enhanced fault tolerance and for providing up to 8 Gb s Gigabit EtherChannel full duplex bandwidth among switches routers and servers Port Aggregation Protocol PAgP and Link Aggregation Control Protoco...

Page 41: ...nager The device manager is a GUI that is integrated in the software image You use it to configure and to monitor a single switch For information about launching the device manager see the getting started guide For more information about the device manager see the switch online help CLI The Cisco IOS software supports desktop and multilayer switching features You can access the CLI either by conne...

Page 42: ...TFTP server Address Resolution Protocol ARP for identifying a switch through its IP address and its corresponding MAC address Unicast MAC address filtering to drop packets with specific source or destination MAC addresses Cisco Discovery Protocol CDP Versions 1 and 2 for network topology discovery and mapping between the switch and other Cisco devices on the network Link Layer Discovery Protocol L...

Page 43: ...ort faults IEEE 802 1D Spanning Tree Protocol STP for redundant backbone connections and loop free networks STP has these features Up to 128 spanning tree instances supported Per VLAN spanning tree plus PVST for load balancing across VLANs Rapid PVST for load balancing across VLANs and providing rapid convergence of spanning tree instances UplinkFast and BackboneFast for fast convergence after a s...

Page 44: ...s receiving the traffic Voice VLAN for creating subnets for voice traffic from Cisco IP Phones VLAN 1 minimization for reducing the risk of spanning tree loops or storms by allowing VLAN 1 to be disabled on any individual VLAN trunk link With this feature enabled no user traffic is sent or received on the trunk The switch CPU continues to send and receive control protocol frames VLAN Flex Link Loa...

Page 45: ...dings Dynamic ARP inspection to prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN IEEE 802 1Q tunneling so that customers with users at remote sites across a service provider network can keep VLANs segregated from other customers and Layer 2 protocol tunneling to ensure that the customer s network has complete STP CDP and VTP...

Page 46: ...ctions of remote users through authentication authorization and accounting AAA services Kerberos security system to authenticate requests for network resources by using a trusted third party requires the cryptographic version of the software Secure Socket Layer SSL Version 3 0 support for the HTTP 1 1 server authentication encryption and message integrity and HTTP client authentication to allow se...

Page 47: ... port WTD as the congestion avoidance mechanism for managing the queue lengths and providing drop precedences for different traffic classifications SRR as the scheduling service for specifying the rate at which packets are dequeued to the egress interface shaping or sharing is supported on egress queues Shaped egress queues are guaranteed but limited to using a share of port bandwidth Shared egres...

Page 48: ...ic management interface to monitor physical or operational status of an SFP module Generic online diagnostics to test hardware functionality of the supervisor engine modules and switch while the switch is connected to a live network Enhanced object tracking for HSRP Default Settings After Initial Switch Configuration The switch is designed for plug and play operation requiring only that you assign...

Page 49: ...sed Authentication IEEE 802 1x is disabled For more information see Chapter 8 Configuring IEEE 802 1x Port Based Authentication Port parameters Operating mode is Layer 2 switchport For more information see Chapter 9 Configuring Interface Characteristics Interface speed and duplex mode is autonegotiate For more information see Chapter 9 Configuring Interface Characteristics Auto MDIX is enabled For...

Page 50: ...P Snooping and MVR IGMP throttling setting is deny For more information see Chapter 22 Configuring IGMP Snooping and MVR The IGMP snooping querier feature is disabled For more information see Chapter 22 Configuring IGMP Snooping and MVR MVR is disabled For more information see Chapter 22 Configuring IGMP Snooping and MVR Port based traffic Broadcast multicast and unicast storm control is disabled ...

Page 51: ...n when designing your network As your network traffic profiles evolve consider providing network services that can support applications for voice and data integration multimedia integration application prioritization and security Table 1 2 describes some network demands and how you can meet them Table 1 1 Increasing Network Performance Network Demands Suggested Design Methods Too many users on a s...

Page 52: ...th usage for multimedia applications and guaranteed bandwidth for critical applications Use IGMP snooping to efficiently forward multimedia and multicast traffic Use other QoS mechanisms such as packet classification marking scheduling and congestion avoidance to classify traffic with the appropriate priority level thereby providing maximum flexibility and support for mission critical unicast and ...

Page 53: ...the blade switches provide preferential treatment for certain data streams They segment traffic streams into different paths for processing Security features on the blade switch ensure rapid handling of packets Fault tolerance from the server racks to the core is achieved through dual homing of servers connected to the blade switches which have redundant Gigabit EtherChannels Using dual SFP module...

Page 54: ...iguration Guide OL 8915 03 Chapter 1 Overview Where to Go Next Where to Go Next Before configuring the switch review these sections for startup information Chapter 2 Using the Command Line Interface Chapter 3 Assigning the Switch IP Address and Default Gateway ...

Page 55: ...m prompt to obtain a list of commands available for each command mode When you start a session on the switch you begin in user mode often called user EXEC mode Only a limited subset of the commands are available in user EXEC mode For example most of the user EXEC commands are one time commands such as show commands which show the current configuration status and clear commands which clear counters...

Page 56: ...tered Use a password to protect access to this mode Global configuration While in privileged EXEC mode enter the configure command Switch config To exit to privileged EXEC mode enter exit or end or press Ctrl Z Use this mode to configure parameters that apply to the entire switch Config vlan While in global configuration mode enter the vlan vlan id command Switch config vlan To exit to global conf...

Page 57: ... ports For information about defining interfaces see the Using Interface Configuration Mode section on page 9 7 To configure multiple interfaces with the same parameters see the Configuring a Range of Interfaces section on page 9 9 Line configuration While in global configuration mode specify a line with the line vty or line console command Switch config line To exit to global configuration mode e...

Page 58: ...erface Use the command without the keyword no to re enable a disabled feature or to enable a feature that is disabled by default Configuration commands can also have a default form The default form of a command returns the command setting to its default Most commands are disabled by default so the default form is the same as the no form However some commands are enabled by default and have variabl...

Page 59: ...n see the Configuration Change Notification and Logging feature module at this URL http www cisco com en US products sw iosswrel ps5207 products_feature_guide09186a00801d1e81 html Note Only CLI or HTTP changes are logged Table 2 3 Common CLI Error Messages Error Message Meaning How to Get Help Ambiguous command show con You did not enter enough characters for your switch to recognize the command R...

Page 60: ...Switch terminal history size number of lines The range is from 0 to 256 Beginning in line configuration mode enter this command to configure the number of command lines the switch records for all sessions on a particular line Switch config line history size number of lines The range is from 0 to 256 Recalling Commands To recall commands from the history buffer perform one of the actions listed in ...

Page 61: ...l Editing Command Lines that Wrap page 2 9 optional Enabling and Disabling Editing Features Although enhanced editing mode is automatically enabled you can disable it re enable it or configure a specific line to have enhanced editing These procedures are optional To globally disable enhanced editing mode enter this command in line configuration mode Switch config line no editing To re enable the e...

Page 62: ...he last 10 items that you have deleted or cut If you press Esc Y more than ten times you cycle to the first buffer entry Delete entries if you make a mistake or change your mind Press the Delete or Backspace key Erase the character to the left of the cursor Press Ctrl D Delete the character at the cursor Press Ctrl K Delete all characters from the cursor to the end of the command line Press Ctrl U...

Page 63: ...5 255 0 131 108 1 20 255 255 255 0 eq Switch config 108 2 5 255 255 255 0 131 108 1 20 255 255 255 0 eq 45 After you complete the entry press Ctrl A to check the complete syntax before pressing the Return key to execute the command The dollar sign appears at the end of the line to show that the line has been scrolled to the right Switch config access list 101 permit tcp 131 108 2 5 255 255 255 0 1...

Page 64: ... described in the hardware installation guide that shipped with your switch Then to understand the boot up process and the options available for assigning IP information see Chapter 3 Assigning the Switch IP Address and Default Gateway If your switch is already configured you can access the CLI through a local console connection or through a remote Telnet session but your switch must first be conf...

Page 65: ...witch Information page 3 2 Checking and Saving the Running Configuration page 3 15 Modifying the Startup Configuration page 3 17 Scheduling a Reload of the Software Image page 3 21 Note Information in this chapter about configuring IP addresses and DHCP is specific to IP Version 4 IPv4 Understanding the Bootup Process To start your switch you need to follow the procedures in the getting started gu...

Page 66: ...information see the Disabling Password Recovery section on page 7 5 Before you can assign switch information make sure you have connected a PC or terminal to the console port and configured the PC or terminal emulation software baud rate and character format to match these of the switch console port Baud rate default is 9600 Data bits default is 8 Note If the data bits option is set to 8 set the p...

Page 67: ...nfiguration file location on the network you might also need to configure a Trivial File Transfer Protocol TFTP server and a Domain Name System DNS server The DHCP server for your switch can be on the same LAN or on a different LAN than the switch If the DHCP server is running on a different LAN you should configure a DHCP relay device between your switch and the DHCP server A relay device forward...

Page 68: ...d the client uses configuration information received from the server The amount of information the switch receives depends on how you configure the DHCP server For more information see the Configuring the TFTP Server section on page 3 7 If the configuration parameters sent to the client in the DHCPOFFER unicast message are invalid a configuration error exists the client returns a DHCPDECLINE broad...

Page 69: ...option 150 the TFTP server address and option 125 description of the file settings For procedures to configure the switch as a DHCP server see the Configuring DHCP Based Autoconfiguration section on page 3 6 and the Configuring DHCP section of the IP addressing and Services section of the Cisco IOS IP Configuration Guide Release 12 2 After you install the switch in your network the auto image upda...

Page 70: ...d to each switch by the switch hardware address If you want the switch to receive IP address information you must configure the DHCP server with these lease options IP address of the client required Subnet mask of the client required DNS server IP address optional Router IP address default gateway address to be used by the switch required If you want the switch to receive the configuration file fr...

Page 71: ...figured these files are not accessed If you specify the TFTP server name in the DHCP server lease database you must also configure the TFTP server name to IP address mapping in the DNS server database If the TFTP server to be used is on a different LAN from the switch or if it is to be accessed by the switch through the broadcast address which occurs if the DHCP server response does not contain al...

Page 72: ...se the switch obtains its configuration information in these ways The IP address and the configuration filename is reserved for the switch and provided in the DHCP reply one file read method The switch receives its IP address subnet mask TFTP server address and the configuration filename from the DHCP server The switch sends a unicast message to the TFTP server to retrieve the named configuration ...

Page 73: ...e default configuration file or the DHCP reply the switch reads the configuration file that has the same name as its hostname hostname confg or hostname cfg depending on whether network confg or cisconet cfg was read earlier from the TFTP server If the cisconet cfg file is read the filename of the host is truncated to eight characters If the switch cannot read the network confg cisconet cfg or the...

Page 74: ...ds its configuration file as follows It obtains its IP address 10 0 0 21 from the DHCP server If no configuration filename is given in the DHCP server reply Switch A reads the network confg file from the base directory of the TFTP server It adds the contents of the network confg file to its host table It reads its host table by indexing its IP address 10 0 0 21 to its hostname switcha It reads the...

Page 75: ...tethernet1 0 4 Switch config if no switchport Switch config if ip address 10 10 10 1 255 255 255 0 Switch config if end Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip dhcp poolname Create a name for the DHCP Server address pool and enter DHCP pool configuration mode Step 3 bootfile filename Specify the name of the configuration file that is used as a boot image...

Page 76: ...3 bootfile filename Specify the name of the file that is used as a boot image Step 4 network network number mask prefix length Specify the subnet network number and mask of the DHCP address pool Note The prefix length specifies the number of bits that comprise the address prefix The prefix is an alternative way of specifying the network mask of the client The prefix length must be preceded by a fo...

Page 77: ...ner config save C Caution Saving Configuration File to NVRAM May Cause You to Nolonger Automatically Download Configuration Files at Reboot C Switch config vlan 99 Switch config vlan interface vlan 99 Switch config if no shutdown Switch config if end Switch show boot BOOT path list Config file flash config text Private Config file flash private config text Enable Break no Manual Boot no HELPER pat...

Page 78: ...s see Chapter 5 Administering the Switch Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface vlan vlan id Enter interface configuration mode and enter the VLAN to which the IP information is assigned The VLAN range is 1 to 4094 The fa0 interface can be used instead of the VLAN interface Step 3 ip address ip address subnet mask Enter the IP address and subnet ...

Page 79: ...og uptime no service password encryption no aaa new model system env temperature threshold yellow 25 ip subnet zero no ip domain lookup no file verify auto spanning tree mode pvst spanning tree extend system id vlan internal allocation policy ascending vlan 2 4 20 22 100 200 999 interface FastEthernet0 ip address dhcp no ip route cache keepalive 1 interface GigabitEthernet0 1 speed 1000 spanning t...

Page 80: ...peed 1000 spanning tree portfast interface GigabitEthernet0 14 speed 1000 spanning tree portfast interface GigabitEthernet0 15 speed 1000 spanning tree portfast interface GigabitEthernet0 16 speed 1000 spanning tree portfast interface GigabitEthernet0 17 switchport access vlan 20 switchport trunk encapsulation dot1q switchport trunk native vlan 20 switchport mode access switchport backup interface...

Page 81: ...ivileged EXEC command Switch copy running config startup config Destination filename startup config Building configuration This command saves the configuration settings that you made If you fail to do this your configuration will be lost the next time you reload the system To display information stored in the NVRAM section of flash memory use the show startup config or more startup config privileg...

Page 82: ...ot up the system using information in the BOOT environment variable If the variable is not set the switch attempts to load and execute the first executable image it can by performing a recursive depth first search throughout the flash file system The Cisco IOS image is stored in a directory that has the same name as the image file excluding the bin extension In a depth first search of a directory ...

Page 83: ...g a recursive depth first search throughout the flash file system In a depth first search of a directory each encountered subdirectory is completely searched before continuing the search in the original directory However you can specify a specific image with which to boot up the switch Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 boot manual Enable the switch to...

Page 84: ... is a null string A variable that is set to a null string for example is a variable with a value Many environment variables are predefined and have default values Environment variables store two kinds of data Data that controls code which does not read the Cisco IOS configuration file For example the name of a bootloader helper file which extends or patches the functionality of the bootloader can ...

Page 85: ...g a recursive depth first search through the flash file system If the BOOT variable is set but the specified images cannot be loaded the system attempts to boot up the first bootable file that it can find in the flash file system boot system filesystem file url Specifies the Cisco IOS image to load during the next bootup cycle This command changes the setting of the BOOT environment variable MANUA...

Page 86: ... to the configured time zone on the switch To schedule reloads across several switches to occur simultaneously the time on each switch must be synchronized with NTP The reload command halts the system If the system is not set to manually boot up it reboots itself Use the reload command after you save the switch configuration information to the startup configuration copy running config startup conf...

Page 87: ...ftware Image Displaying Scheduled Reload Information To display information about a previously scheduled reload or to find out if a reload has been scheduled on the switch use the show reload privileged EXEC command It displays reload information including the time the reload is scheduled to occur and the reason for the reload if it was specified when the reload was scheduled ...

Page 88: ...3 24 Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide OL 8915 03 Chapter 3 Assigning the Switch IP Address and Default Gateway Scheduling a Reload of the Software Image ...

Page 89: ...Cisco Configuration Engine Software The Cisco Configuration Engine is network management software that acts as a configuration service for automating the deployment and management of network devices and services see Figure 4 1 Each Configuration Engine manages a group of Cisco devices switches and routers and the services that they deliver storing their configurations and delivering them as needed...

Page 90: ...Service uses the CNS Event Service to send and receive configuration change events and to send success and failure notifications The configuration server is a web server that uses configuration templates and the device specific configuration information stored in the embedded standalone mode or remote server mode directory Configuration templates are text files containing static configuration info...

Page 91: ...ique group ID device ID and event the mapping service returns a set of events on which to publish What You Should Know About the CNS IDs and Device Hostnames The Configuration Engine assumes that a unique identifier is associated with each configured switch This unique identifier can take on multiple synonyms where each synonym is unique within a particular namespace The event service uses namespa...

Page 92: ...e event gateway and does not change even when the switch hostname is reconfigured When changing the switch hostname on the switch the only way to refresh the DeviceID is to break the connection between the switch and the event gateway Enter the no cns event global configuration command followed by the cns event global configuration command When the connection is re established the switch sends its...

Page 93: ... new switch and includes the TFTP server IP address the path to the bootstrap configuration file and the default gateway IP address in a unicast reply to the DHCP relay agent The DHCP relay agent forwards the reply to the switch The switch automatically configures the assigned IP address on interface VLAN 1 the default and downloads the bootstrap configuration file from the TFTP server Upon succes...

Page 94: ...efer application of the configuration upon receipt of a write signal event The write signal event tells the switch not to save the updated configuration into its NVRAM The switch uses the updated configuration as its running configuration This ensures that the switch configuration is synchronized with other network activities before saving the configuration in NVRAM for use at the next reboot Conf...

Page 95: ...h Factory default no configuration file Distribution switch IP helper address Enable DHCP relay agent IP routing if used as default gateway DHCP server IP address assignment TFTP server IP address Path to bootstrap configuration file on the TFTP server Default gateway IP address TFTP server A bootstrap configuration file that includes the CNS configuration commands that enable the switch to commun...

Page 96: ...e hostname or the IP address of the event gateway Optional For port number enter the port number for the event gateway The default port number is 11011 Optional Enter backup to show that this is the backup gateway If omitted this is the primary gateway Optional For failover time seconds enter how long the switch waits for the primary gateway route after the route to the backup gateway is establish...

Page 97: ...uration mode and specify the name of the CNS connect template Step 3 cli config text Enter a command line for the CNS connect template Repeat this step for each command line in the template Step 4 Repeat Steps 2 to 3 to configure another CNS connect template Step 5 exit Return to global configuration mode Step 6 cns connect name retries number retry interval seconds sleep seconds timeout seconds E...

Page 98: ...he point to point subinterface number that is used to search for active DLCIs For interface interface type enter the type of interface For line line type enter the line type Step 8 template name name Specify the list of CNS connect templates in the CNS connect profile to be applied to the switch configuration You can specify more than one template Step 9 Repeat Steps 7 to 8 to specify more interfa...

Page 99: ...dress mac address enter dns reverse to retrieve the hostname and assign it as the unique ID enter ipaddress to use the IP address or enter mac address to use the MAC address as the unique ID Optional Enter event to set the ID to be the event id value used to identify the switch Optional Enter image to set the ID to be the image id value used to identify the switch Note If both the event and image ...

Page 100: ...p address syntax check Enable the Cisco IOS agent and initiate an initial configuration For hostname ip address enter the hostname or the IP address of the configuration server Optional For port number enter the port number of the configuration server The default port number is 80 Optional Enable event for configuration success failure or warning messages when the configuration is finished Optiona...

Page 101: ... a Partial Configuration Beginning in privileged EXEC mode follow these steps to enable the Cisco IOS agent and to initiate a partial configuration on the switch To disable the Cisco IOS agent use the no cns config partial ip address hostname global configuration command To cancel a partial configuration use the cns config cancel privileged EXEC command Command Purpose Step 1 configure terminal En...

Page 102: ...w cns config connections Displays the status of the CNS Cisco IOS agent connections show cns config outstanding Displays information about incremental partial CNS configurations that have started but are not yet completed show cns config stats Displays statistics about the Cisco IOS agent show cns event connections Displays the status of the CNS event agent connections show cns event stats Display...

Page 103: ...as the Network Time Protocol NTP or manual configuration methods Note For complete syntax and usage information for the commands used in this section see the Cisco IOS Configuration Fundamentals Command Reference from the Cisco com page under Documentation Cisco IOS Software 12 2 Mainline Command References These sections contain this configuration information Understanding the System Clock page 5...

Page 104: ... radio or atomic clock directly attached a stratum 2 time server receives its time through NTP from a stratum 1 time server and so on A device running NTP automatically chooses as its time source the device with the lowest stratum number with which it communicates through NTP This strategy effectively builds a self organizing tree of NTP speakers NTP avoids synchronizing to a device whose time mig...

Page 105: ...ynchronize to that device through NTP When multiple sources of time are available NTP is always considered to be more authoritative NTP time overrides the time set by any other method Several manufacturers include NTP software for their host systems and a publicly available version for systems running UNIX and its various derivatives is also available This software allows host systems to be time s...

Page 106: ...e administrator of the NTP server the information you configure in this procedure must be matched by the servers used by the switch to synchronize its time to the NTP server Beginning in privileged EXEC mode follow these steps to authenticate the associations communications between devices running NTP that provide for accurate timekeeping with other devices for security purposes Table 5 1 Default ...

Page 107: ...tch synchronizes to the other device and not the other way around Step 3 ntp authentication key number md5 value Define the authentication keys By default none are defined For number specify a key number The range is 1 to 4294967295 md5 specifies that message authentication support is provided by using the message digest algorithm 5 MD5 For value enter an arbitrary string of up to eight characters...

Page 108: ...n simply be configured to send or receive broadcast messages However the information flow is one way only Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ntp peer ip address version number key keyid source interface prefer or ntp server ip address version number key keyid source interface prefer Configure the switch system clock to synchronize a peer or to be synch...

Page 109: ...Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to send NTP broadcast packets and enter interface configuration mode Step 3 ntp broadcast version number key keyid destination address Enable the interface to send NTP broadcast packets to a peer By default this feature is disabled on all interfaces Optional For number spec...

Page 110: ...ollow these steps to control access to NTP services by using access lists Step 5 ntp broadcastdelay microseconds Optional Change the estimated round trip delay between the switch and the NTP broadcast server The default is 3000 microseconds the range is 1 to 999999 Step 6 end Return to privileged EXEC mode Step 7 show running config Verify your entries Step 8 copy running config startup config Opt...

Page 111: ... services use the no ntp access group query only serve only serve peer global configuration command This example shows how to configure the switch to allow itself to synchronize to a peer from access list 99 However the switch restricts access to allow only time requests from access list 42 Switch configure terminal Switch config ntp access group peer 99 Switch config ntp access group serve only 4...

Page 112: ...source address is to be taken The specified interface is used for the source address for all packets sent to all destinations If a source address is to be used for a specific association use the source keyword in the ntp peer or ntp server global configuration command as described in the Configuring NTP Associations section on page 5 5 Command Purpose Step 1 configure terminal Enter global configu...

Page 113: ...ynchronize you do not need to manually set the system clock These sections contain this configuration information Setting the System Clock page 5 11 Displaying the Time and Date Configuration page 5 12 Configuring the Time Zone page 5 12 Configuring Summer Time Daylight Saving Time page 5 13 Setting the System Clock If you have an outside source on the network that provides time services such as a...

Page 114: ... configure the time zone The minutes offset variable in the clock timezone global configuration command is available for those cases where a local time zone is a percentage of an hour different from UTC For example the time zone for some sections of Atlantic Canada AST is UTC 3 5 where the 3 means 3 hours and 5 means 50 percent In this case the necessary command is clock timezone AST 3 30 To set t...

Page 115: ... config clock summer time PDT recurring 1 Sunday April 2 00 last Sunday October 2 00 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 clock summer time zone recurring week day month hh mm week day month hh mm offset Configure summer time to start and end on the specified days every year Summer time is disabled by default If you specify clock summer time zone recurri...

Page 116: ... name are used as the system prompt A greater than symbol is appended The prompt is updated whenever the system name changes For complete syntax and usage information for the commands used in this section from the Cisco com page select Documentation Cisco IOS Software 12 2 Mainline Command References and see the Cisco IOS Configuration Fundamentals Command Reference and the Cisco IOS IP Command Re...

Page 117: ... naming scheme that allows a device to be identified by its location or domain Domain names are pieced together with periods as the delimiting characters For example Cisco Systems is a commercial organization that IP identifies by a com domain name so its domain name is cisco com A specific device in this domain for example the File Transfer Protocol FTP system is identified as ftp cisco com To ke...

Page 118: ...that separates an unqualified name from the domain name At bootup time no domain name is configured however if the switch configuration comes from a BOOTP or Dynamic Host Configuration Protocol DHCP server then the default domain name might be set by the BOOTP or DHCP server if the servers were configured with this information Step 3 ip name server server address1 server address2 server address6 S...

Page 119: ...Configuration To display the DNS configuration information use the show running config privileged EXEC command Creating a Banner You can configure a message of the day MOTD and a login banner The MOTD banner displays on all connected terminals at login and is useful for sending messages that affect all network users such as impending system shutdowns The login banner also displays on all connected...

Page 120: ...ample shows the banner that appears from the previous configuration Unix telnet 172 2 5 4 Trying 172 2 5 4 Connected to 172 2 5 4 Escape character is This is a secure site Only authorized users are allowed For access contact technical support User Access Verification Password Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 banner motd c message c Specify the messag...

Page 121: ...udes these types of addresses Dynamic address a source MAC address that the switch learns and then ages when it is not in use Static address a manually entered unicast address that does not age and that is not lost when the switch resets The address table lists the destination MAC address the associated VLAN ID and port number associated with the address and the type static or dynamic Note For com...

Page 122: ...tations are added or removed from the network the switch updates the address table adding new dynamic addresses and aging out those that are not in use The aging interval is globally configured However the switch maintains an address table for each VLAN and STP can accelerate the aging interval on a per VLAN basis The switch sends packets between any combination of ports based on the destination a...

Page 123: ...dresses to be prematurely removed from the table Then when the switch receives a packet for an unknown destination it floods the packet to all ports in the same VLAN as the receiving port This unnecessary flooding can impact performance Setting too long an aging time can cause the address table to be filled with unused addresses which prevents new addresses from being learned Flooding results whic...

Page 124: ...undle the notification traps and reduce network traffic The MAC notification history table stores the MAC address activity for each hardware port for which the trap is enabled MAC address notifications are generated for dynamic and secure MAC addresses events are not generated for self addresses multicast addresses or other static addresses Beginning in privileged EXEC mode follow these steps to c...

Page 125: ...g if snmp trap mac notification added You can verify the previous commands by entering the show mac address table notification interface and the show mac address table notification privileged EXEC commands Step 4 mac address table notification Enable the MAC address notification feature Step 5 mac address table notification interval value history size value Enter the trap interval time and the his...

Page 126: ...ddress in all associated VLANs Static MAC addresses configured in a private VLAN primary or secondary VLAN are not replicated in the associated VLAN For more information about private VLANs see Chapter 14 Configuring Private VLANs Beginning in privileged EXEC mode follow these steps to add a static address To remove static entries from the address table use the no mac address table static mac addr...

Page 127: ...ackets with that MAC address depending on which command was entered last The second command that you entered overrides the first command For example if you enter the mac address table static mac addr vlan vlan id interface interface id global configuration command followed by the mac address table static mac addr vlan vlan id drop command the switch drops packets with the specified MAC address as ...

Page 128: ...5 copy running config startup config Optional Save your entries in the configuration file Command Purpose Table 5 4 Commands for Displaying the MAC Address Table Command Description show ip igmp snooping groups Displays the Layer 2 multicast entries for all VLANs or the specified VLAN show mac address table address Displays MAC address table information for the specified MAC address show mac addre...

Page 129: ... ID Using an IP address ARP finds the associated MAC address When a MAC address is found the IP MAC address association is stored in an ARP cache for rapid retrieval Then the IP datagram is encapsulated in a link layer frame and sent over the network Encapsulation of IP datagrams and ARP requests and replies on IEEE 802 networks other than Ethernet is specified by the Subnetwork Access Protocol SN...

Page 130: ...5 28 Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide OL 8915 03 Chapter 5 Administering the Switch Managing the ARP Table ...

Page 131: ...o obtain maximum ACL usage To allocate ternary content addressable memory TCAM resources for different usages the switch SDM templates prioritize system resources to optimize support for certain features You can select SDM templates for IP Version 4 IPv4 to optimize these features Access The access template maximizes system resources for access control lists ACLs to accommodate a large number of A...

Page 132: ...efault template supports Layer 2 multicast routing QoS and ACLs for IPv4 and Layer 2 for IPv6 on the switch These SDM templates support IPv4 and IPv6 environments The dual IPv4 and IPv6 default template supports Layer 2 multicast routing QoS and ACLs for IPv4 and Layer 2 routing and ACLs for IPv6 on the switch The dual IPv4 and IPv6 routing template supports Layer 2 multicast routing including pol...

Page 133: ...tes Resource IPv4 and IPv6 Default IPv4 and IPv6 Routing IPv4 and IPv6 VLAN Unicast MAC addresses 2 K 1 5 K 8 K IPv4 IGMP groups and multicast routes 1 K 1K 1 K Total IPv4 unicast routes 3 K 2 75 K 0 Directly connected IPv4 hosts 2 K 1 5 K 0 Indirect IPv4 routes 1 K 1 25 K 0 IPv6 multicast groups 1 125 K 1 125 K 1 125 K Total IPv6 unicast routes 3 K 2 75 K 0 Directly connected IPv6 addresses 2 K 1...

Page 134: ...dual stack templates results in less TCAM capacity allowed for each resource so do not use if you plan to forward only IPv4 traffic Although these features are visible in the template in the CLI the switch does not support IPv4 or IPv6 policy based routing or IPv6 Qos ACLs Setting the SDM Template Beginning in privileged EXEC mode follow these steps to use the SDM template to maximize feature usag...

Page 135: ...umber of IPv4 unicast routes 8K number of directly connected IPv4 hosts 6K number of indirect IPv4 routes 2K number of IPv4 policy based routing aces 0 number of IPv4 MAC qos aces 0 75K number of IPv4 MAC security aces 1K On next reload template will be desktop vlan template To return to the default template use the no sdm prefer global configuration command This example shows how to configure a s...

Page 136: ... interfaces and 1024 VLANs number of unicast mac addresses 3K number of IPv4 IGMP groups multicast routes 1K number of IPv4 unicast routes 11K number of directly connected IPv4 hosts 3K number of indirect IPv4 routes 8K number of IPv4 policy based routing aces 0 5K number of IPv4 MAC qos aces 0 75K number of IPv4 MAC security aces 1K This is an example of output from the show sdm prefer dual ipv4 ...

Page 137: ... restrict access to users who dial from outside the network through an asynchronous port connect from outside the network through a serial port or connect through a terminal or workstation from within the local network To prevent unauthorized access into your switch you should configure one or more of these security features At a minimum you should configure passwords and privileges at each switch...

Page 138: ...this section see the Cisco IOS Security Command Reference Release 12 2 from the Cisco com page under Documentation Cisco IOS Software 12 2 Mainline Command References These sections contain this configuration information Default Password and Privilege Level Configuration page 7 2 Setting or Changing a Static Enable Password page 7 3 Protecting Enable and Enable Secret Passwords with Encryption pag...

Page 139: ... or any privilege level you specify We recommend that you use the enable secret command because it uses an improved encryption algorithm If you configure the enable secret command it takes precedence over the enable password command the two commands cannot be in effect simultaneously Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 enable password password Define a ...

Page 140: ... global configuration mode Step 2 enable password level level password encryption type encrypted password or enable secret level level password encryption type encrypted password Define a new password or change an existing password for access to privileged EXEC mode or Define a secret password which is saved using a nonreversible encryption method Optional For level the range is from 0 to 15 Level...

Page 141: ... the bootup process and sets the system back to default values Do not keep a backup copy of the configuration file on the switch If the switch is operating in VTP transparent mode we recommend that you also keep a backup copy of the VLAN database file on a secure server When the switch is returned to the default system configuration you can download the saved files to the switch by using the Xmode...

Page 142: ...re that user can access the switch If you have defined privilege levels you can also assign a specific privilege level with associated rights and privileges to each username and password pair Command Purpose Step 1 Attach a PC or workstation with emulation software to the switch console port The default data characteristics of the console port are 9600 8 1 no parity You might need to press the Ret...

Page 143: ... information Setting the Privilege Level for a Command page 7 8 Changing the Default Privilege Level for Lines page 7 9 Logging into and Exiting a Privilege Level page 7 9 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 username name privilege level password encryption type password Enter the username privilege level and password for each user For name specify the ...

Page 144: ...ommand Purpose Step 1 configure terminal Enter global configuration mode Step 2 privilege mode level level command Set the privilege level for a command For mode enter configure for global configuration mode exec for EXEC mode interface for interface configuration mode or line for line configuration mode For level the range is from 0 to 15 Level 1 is for normal user EXEC mode privileges Level 15 i...

Page 145: ...ing into and Exiting a Privilege Level Beginning in privileged EXEC mode follow these steps to log in to a specified privilege level and to exit to a specified privilege level Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 line vty line Select the virtual terminal line on which to restrict access Step 3 privilege level level Change the default privilege level for ...

Page 146: ... TACACS is a security application that provides centralized validation of users attempting to gain access to your switch TACACS services are maintained in a database on a TACACS daemon typically running on a UNIX or Windows NT workstation You should have access to and should configure a TACACS server before the configuring TACACS features on your switch TACACS provides for separate and modular aut...

Page 147: ...trol session duration or protocol support You can also enforce restrictions on what commands a user can execute with the TACACS authorization feature Accounting Collects and sends information used for billing auditing and reporting to the TACACS daemon Network managers can use the accounting facility to track user activity for a security audit or to provide information for user billing Accounting ...

Page 148: ...e an alternative method for authenticating the user CONTINUE The user is prompted for additional authentication information After authentication the user undergoes an additional authorization phase if authorization has been enabled on the switch Users must first successfully complete TACACS authentication before proceeding to TACACS authorization 3 If TACACS authorization is required the TACACS da...

Page 149: ...u can group servers to select a subset of the configured server hosts and use them for a particular service The server group is used with a global server host list and contains the list of IP addresses of the selected server hosts Beginning in privileged EXEC mode follow these steps to identify the IP host or host maintaining TACACS server and optionally set the encryption key Command Purpose Step...

Page 150: ... You can designate one or more security protocols to be used for authentication thus ensuring a backup system for authentication in case the initial method fails The software uses the first method listed to authenticate users if that method fails to respond the software selects the next authentication method in the method list This process continues until there is successful communication with a l...

Page 151: ... by using the enable password global configuration command group tacacs Uses TACACS authentication Before you can use this authentication method you must configure the TACACS server For more information see the Identifying the TACACS Server Host and Setting the Authentication Key section on page 7 13 line Use the line password for authentication Before you can use this authentication method you mu...

Page 152: ...ation command with the tacacs keyword to set parameters that restrict a user s network access to privileged EXEC mode The aaa authorization exec tacacs local command sets these authorization parameters Use TACACS for privileged EXEC access authorization if authentication was performed by using TACACS Use the local database if authentication was not performed by using TACACS Note Authorization is b...

Page 153: ...command Controlling Switch Access with RADIUS This section describes how to enable and configure the RADIUS which provides detailed accounting information and flexible administrative control over authentication and authorization processes RADIUS is facilitated through AAA and can be enabled only through AAA commands Note For complete syntax and usage information for the commands used in this secti...

Page 154: ...lidates users and to grant access to network resources Networks already using RADIUS You can add a Cisco switch containing a RADIUS client to the network This might be the first step when you make a transition to a TACACS server See Figure 7 2 on page 7 19 Network in which the user must only access a single service Using RADIUS you can control user access to a single host to a single utility such ...

Page 155: ... REJECT The user is either not authenticated and is prompted to re enter the username and password or access is denied c CHALLENGE A challenge requires additional data from the user d CHALLENGE PASSWORD A response requests the user to select a new password The ACCEPT or REJECT response is bundled with additional data that is used for privileged EXEC or network authorization Users must first succes...

Page 156: ...thod list is exhausted You should have access to and should configure a RADIUS server before configuring RADIUS features on your switch These sections contain this configuration information Default RADIUS Configuration page 7 20 Identifying the RADIUS Server Host page 7 20 required Configuring RADIUS Login Authentication page 7 23 required Defining AAA Server Groups page 7 25 optional Configuring ...

Page 157: ...RADIUS server and the switch use a shared secret text string to encrypt passwords and exchange responses To configure RADIUS to use the AAA security commands you must specify the host running the RADIUS server daemon and a secret text key string that it shares with the switch The timeout retransmission and encryption key values can be configured globally for all RADIUS servers on a per server basi...

Page 158: ...rver timeout command is used Optional For retransmit retries specify the number of times a RADIUS request is resent to a server if that server is not responding or responding slowly The range is 1 to 1000 If no retransmit value is set with the radius server host command the setting of the radius server retransmit global configuration command is used Optional For key string specify the authenticati...

Page 159: ... must be applied to a specific port before any of the defined authentication methods are performed The only exception is the default method list which by coincidence is named default The default method list is automatically applied to all ports except those that have a named method list explicitly defined A method list describes the sequence and authentication methods to be queried to authenticate...

Page 160: ... the RADIUS server For more information see the Identifying the RADIUS Server Host section on page 7 20 line Use the line password for authentication Before you can use this authentication method you must define a line password Use the password password line configuration command local Use the local username database for authentication You must enter username information in the database Use the us...

Page 161: ...under Documentation Cisco IOS Software 12 2 Mainline Command References Defining AAA Server Groups You can configure the switch to use AAA server groups to group existing server hosts for authentication You select a subset of the configured server hosts and use them for a particular service The server group is used with a global server host list which lists the IP addresses of the selected server ...

Page 162: ...transmit value is set with the radius server host command the setting of the radius server retransmit global configuration command is used Optional For key string specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server Note The key is a text string that must match the encryption key used on the RADIUS server Always configure the key ...

Page 163: ...ser Privileged Access and Network Services AAA authorization limits the services available to a user When AAA authorization is enabled the switch uses information retrieved from the user s profile which is in the local user database or on the security server to configure the user s session The user is granted access to a requested service only if the information in the user profile allows it You c...

Page 164: ...vices To disable accounting use the no aaa accounting network exec start stop method1 global configuration command Step 3 aaa authorization exec radius Configure the switch for user RADIUS authorization if the user has privileged EXEC access The exec keyword might return user profile information such as autocommand information Step 4 end Return to privileged EXEC mode Step 5 show running config Ve...

Page 165: ...l attributes The full set of features available for TACACS authorization can then be used for RADIUS For example this AV pair activates Cisco s multiple named ip address pools feature during IP authorization during PPP IPCP address assignment cisco avpair ip addr pool first Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 radius server key string Specify the shared ...

Page 166: ...ated VSAs For more information about vendor IDs and VSAs see RFC 2138 Remote Authentication Dial In User Service RADIUS Beginning in privileged EXEC mode follow these steps to configure the switch to recognize and use VSAs For a complete list of RADIUS attributes or more information about vendor specific attribute 26 see the RADIUS Attributes appendix in the Cisco IOS Security Configuration Guide ...

Page 167: ... key global configuration command This example shows how to specify a vendor proprietary RADIUS host and to use a secret key of rad124 between the switch and the server Switch config radius server host 172 20 30 15 nonstandard Switch config radius server key rad124 Displaying the RADIUS Configuration To display the RADIUS configuration use the show running config privileged EXEC command Command Pu...

Page 168: ...w iosswrel ps1835 products_command_reference_book09186a 0080087e33 html Note In the Kerberos configuration examples and in the Cisco IOS Security Command Reference Release 12 2 the trusted third party can be a switch that supports Kerberos that is configured as a network security server and that can authenticate users by using the Kerberos protocol Understanding Kerberos Kerberos is a secret key n...

Page 169: ... instance has the form user instance REALM for example smith admin EXAMPLE COM The Kerberos instance can be used to specify the authorization level for the user if authentication is successful The server of each network service might implement and enforce the authorization mappings of Kerberos instances but is not required to do so Note The Kerberos principal and instance names must be in all lowe...

Page 170: ...itch attempts to decrypt the TGT by using the password that the user entered If the decryption is successful the user is authenticated to the switch If the decryption is not successful the user repeats Step 2 either by re entering the username and password noting if Caps Lock or Num Lock is on or off or by entering a different username and password A remote user who initiates a un Kerberized Telne...

Page 171: ...35 products_configuration_guide_book09186a 0080087df1 html Configuring Kerberos So that remote users can authenticate to network services you must configure the hosts and the KDC in the Kerberos realm to communicate and mutually authenticate users and network services To do this you must identify them to each other You add entries for the hosts to the Kerberos database on the KDC and add KEYTAB fi...

Page 172: ...gin authentication to use the local username database The default keyword applies the local user database authentication to all ports Step 4 aaa authorization exec local Configure user AAA authorization check the local database and allow the user to run an EXEC shell Step 5 aaa authorization network local Configure user AAA authorization for all network related service requests Step 6 username nam...

Page 173: ...figuration_guide_chapter0918 6a00800ca7d5 html Note For complete syntax and usage information for the commands used in this section see the command reference for this release and the command reference for Cisco IOS Release 12 2 at this URL http www cisco com en US products sw iosswrel ps1835 products_command_reference_book09186a 0080087e33 html Understanding SSH SSH is a protocol that provides a s...

Page 174: ...The SSH server and the SSH client are supported only on DES 56 bit and 3DES 168 bit data encryption software The switch does not support the Advanced Encryption Standard AES symmetric encryption algorithm Configuring SSH This section has this configuration information Configuration Guidelines page 7 38 Setting Up the Switch to Run SSH page 7 39 required Configuring the SSH Server page 7 40 require...

Page 175: ...see the Configuring the Switch for Local Authentication and Authorization section on page 7 36 Beginning in privileged EXEC mode follow these steps to configure a hostname and an IP domain name and to generate an RSA key pair This procedure is required if you are configuring the switch as an SSH server To delete the RSA key pair use the crypto key zeroize rsa global configuration command After the...

Page 176: ...0 seconds This parameter applies to the SSH negotiation phase After the connection is established the switch uses the default time out values of the CLI based sessions By default up to five simultaneous encrypted SSH connections for multiple CLI based sessions over the network are available session 0 to session 4 After the execution shell starts the CLI based session time out value returns to the ...

Page 177: ...m Cisco com For more information about the crypto image see the release notes for this release These sections contain this information Understanding Secure HTTP Servers and Clients page 7 41 Configuring Secure HTTP Servers and Clients page 7 44 Displaying Secure HTTP Server and Client Status page 7 47 For configuration examples and complete syntax and usage information for the commands used in thi...

Page 178: ...nerates a notification that the certificate is self certified and the user has the opportunity to accept or reject the connection This option is useful for internal network topologies such as testing If you do not configure a CA trustpoint when you enable a secure HTTP connection either a temporary or a persistent self signed certificate for the secure HTTP server or client is automatically genera...

Page 179: ...egotiate the best encryption algorithm to use from those on the list that are supported by both For example Netscape Communicator 4 76 supports U S security with RSA Public Key Cryptography MD2 MD5 RC2 CBC RC4 DES CBC and DES EDE3 CBC For the best possible encryption you should use a client browser that supports 128 bit encryption such as Microsoft Internet Explorer Version 5 5 or later or Netscap...

Page 180: ...elf signed certificate Beginning in privileged EXEC mode follow these steps to configure a CA trustpoint Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 hostname hostname Specify the hostname of the switch required only if you have not previously configured a hostname The hostname is required for security keys and certificates Step 3 ip domain name domain name Spec...

Page 181: ... ca authentication name Authenticate the CA by getting the public key of the CA Use the same name used in Step 5 Step 12 crypto ca enroll name Obtain the certificate from the specified CA trustpoint This command requests a signed certificate for each RSA key pair Step 13 end Return to privileged EXEC mode Step 14 show crypto ca trustpoints Verify the configuration Step 15 copy running config start...

Page 182: ...certificate and to authenticate the client certificate connection Note Use of this command assumes you have already configured a CA trustpoint according to the previous procedure Step 8 ip http path path name Optional Set a base HTTP path for HTML files The path specifies the location of the HTTP server files on the local system usually located in system flash memory Step 9 ip http access class ac...

Page 183: ...p http client secure trustpoint name Optional Specify the CA trustpoint to be used if the remote HTTP server requests client authentication Using this command assumes that you have already configured a CA trustpoint by using the previous procedure The command is optional if client authentication is not needed or if a primary trustpoint has been configured Step 3 ip http client secure ciphersuite 3...

Page 184: ...cure transport the router must have an Rivest Shamir and Adelman RSA key pair Note When using SCP you cannot enter the password into the copy command You must enter the password when prompted Information About Secure Copy To configure the Secure Copy feature you should understand these concepts The behavior of SCP is similar to that of remote copy rcp which comes from the Berkeley r tools suite ex...

Page 185: ...us page 8 44 Understanding IEEE 802 1x Port Based Authentication The IEEE 802 1x standard defines a client server based access control and authentication protocol that prevents unauthorized clients from connecting to a LAN through publicly accessible ports unless they are properly authenticated The authentication server authenticates each client connected to a switch port before making available a...

Page 186: ...hentication page 8 19 Device Roles With IEEE 802 1x port based authentication the devices in the network have specific roles as shown in Figure 8 1 Figure 8 1 IEEE 802 1x Device Roles Client the device workstation that requests access to the LAN and switch services and responds to requests from the switch The workstation must be running IEEE 802 1x compliant client software such as that offered in...

Page 187: ...lated for Ethernet and sent to the client The devices that can act as intermediaries include the Catalyst 3750 E Catalyst 3560 E Catalyst 3750 Catalyst 3560 Catalyst 3550 Catalyst 2970 Catalyst 2960 Cisco Catalyst Blade Switch 3020 for HP Catalyst 2955 Catalyst 2950 Catalyst 2940 switches or a wireless access point These devices must be running software that supports the RADIUS client and IEEE 802...

Page 188: ...tribute Attribute 29 The Session Timeout RADIUS attribute Attribute 27 specifies the time after which re authentication occurs 141679 Yes No Client identity is invalid All authentication servers are down All authentication servers are down Client identity is valid The switch gets an EAPOL message and the EAPOL message exchange begins Yes No 1 1 1 1 This occurs if the switch does not detect EAPOL p...

Page 189: ...identity frame However if during bootup the client does not receive an EAP request identity frame from the switch the client can initiate authentication by sending an EAPOL start frame which prompts the switch to request the client s identity Note If IEEE 802 1x authentication is not enabled or supported on the network access device any EAPOL frames from the client are dropped If the client does n...

Page 190: ...l the port becomes authorized If authorization fails and a guest VLAN is specified the switch assigns the port to the guest VLAN If the switch detects an EAPOL packet while waiting for an Ethernet packet the switch stops the MAC authentication bypass process and stops IEEE 802 1x authentication Figure 8 4 shows the message exchange during MAC authentication bypass Figure 8 4 Message Exchange Durin...

Page 191: ... IEEE 802 1x based authentication of the client This is the default setting force unauthorized causes the port to remain in the unauthorized state ignoring all attempts by the client to authenticate The switch cannot provide authentication services to the client through the port auto enables IEEE 802 1x authentication and causes the port to begin in the unauthorized state allowing only EAPOL frame...

Page 192: ...EE 802 1x standard defines how users are authorized and authenticated for network access but does not keep track of network usage IEEE 802 1x accounting is disabled by default You can enable IEEE 802 1x accounting to monitor this activity on IEEE 802 1x enabled ports User successfully authenticates User logs off Link down occurs Re authentication successfully occurs Re authentication fails The swi...

Page 193: ...ort IEEE 802 1x functionality This feature only works if the supplicant on the client supports a query with the NOTIFY EAP notification packet The client must respond within the IEEE 802 1x timeout value For information on configuring the switch for the 802 1x readiness check see the Configuring 802 1x Readiness Check section on page 8 23 Table 8 1 Accounting AV Pairs Attribute Number AV Pair Name...

Page 194: ...hentication is enabled and all information from the RADIUS server is valid the port is placed in the specified VLAN after authentication If the multiple hosts mode is enabled on an IEEE 802 1x port all hosts are placed in the same VLAN specified by the RADIUS server as the first authenticated host Enabling port security does not impact the RADIUS server assigned VLAN behavior If IEEE 802 1x authen...

Page 195: ...e ingress direction and outacl n for the egress direction MAC ACLs are supported only in the ingress direction The switch supports VSAs only in the ingress direction It does not support port ACLs in the egress direction on Layer 2 ports For more information see Chapter 31 Configuring Network Security with ACLs Use only the extended ACL syntax style to define the per user configuration stored on th...

Page 196: ...ace configuration command followed by the no shutdown interface configuration command to restart the port If devices send EAPOL packets to the switch during the lifetime of the link the switch does not allow clients that fail authentication access to the guest VLAN Note If an EAPOL packet is detected after the interface has changed to the guest VLAN the interface reverts to an unauthorized state a...

Page 197: ...r resets Users who fail authentication remain in the restricted VLAN until the next re authentication attempt A port in the restricted VLAN tries to re authenticate at configured intervals the default is 60 seconds If re authentication fails the port remains in the restricted VLAN If re authentication is successful the port moves either to the configured VLAN or to a VLAN sent by the RADIUS server...

Page 198: ... becomes unavailable during an authentication exchange the current exchanges times out and the switch puts the critical port in the critical authentication state during the next authentication attempt When a RADIUS server that can authenticate the host is available all critical ports in the critical authentication state are automatically re authenticated Inaccessible authentication bypass interact...

Page 199: ...led the supplicant authentication affects both the PVID and the VVID A voice VLAN port becomes active when there is a link and the device MAC address appears after the first CDP message from the IP phone Cisco IP phones do not relay CDP messages from other devices As a result if several IP phones are connected in series the switch recognizes only the one directly connected to it When IEEE 802 1x a...

Page 200: ...ommand When an IEEE 802 1x client logs off the port changes to an unauthenticated state and all dynamic entries in the secure host table are cleared including the entry for the client Normal authentication then takes place If the port is administratively shut down the port becomes unauthenticated and all dynamic entries are removed from the secure host table Port security and a voice VLAN can be c...

Page 201: ...lifetime of the link the switch determines that the device connected to that interface is an IEEE 802 1x capable supplicant and uses IEEE 802 1x authentication not MAC authentication bypass to authorize the interface EAPOL history is cleared if the interface link status goes down If the switch already authorized a port by using MAC authentication bypass and detects an IEEE 802 1x supplicant the sw...

Page 202: ...f seconds between re authentication attempts as the value of the Session Timeout RADIUS attribute Attribute 27 and get an access policy against the client from the RADIUS server Set the action to be taken when the switch tries to re authenticate the client by using the Termination Action RADIUS attribute Attribute 29 If the value is the DEFAULT or is not set the session ends If the value is RADIUS...

Page 203: ... does not support IEEE 802 1x or web browser functionality This allows end hosts such as printers to automatically authenticate by using the MAC address without any additional required configuration Web authentication with automatic MAC check only works in web authentication standalone mode You cannot use this if web authentication is configured as a fallback to IEEE 802 1x authentication The MAC ...

Page 204: ...n the Port page 8 43 optional Resetting the IEEE 802 1x Authentication Configuration to the Default Values page 8 43 optional Default IEEE 802 1x Authentication Configuration Table 8 2 shows the default IEEE 802 1x authentication configuration Table 8 2 Default IEEE 802 1x Authentication Configuration Feature Default Setting Switch IEEE 802 1x enable state Disabled Per port IEEE 802 1x enable stat...

Page 205: ...entication If the VLAN to which an IEEE 802 1x port is assigned to shut down disabled or removed the port becomes unauthorized For example the port is unauthorized after the access VLAN to which a port is assigned shuts down or is removed Retransmission time 30 seconds number of seconds that the switch should wait for a response to an EAP request identity frame from the client before resending the...

Page 206: ... 802 1x authentication is disabled until the port is removed as a SPAN or RSPAN destination port You can enable IEEE 802 1x authentication on a SPAN or RSPAN source port Before globally enabling IEEE 802 1x authentication on a switch by entering the dot1x system auth control global configuration command remove the EtherChannel configuration from the interfaces on which IEEE 802 1x authentication a...

Page 207: ...s guidelines are the same as the IEEE 802 1x authentication guidelines For more information see the IEEE 802 1x Authentication section on page 8 21 If you disable MAC authentication bypass from a port after the port has been authorized with its MAC address the port state is not affected If the port is in the unauthorized state and the client MAC address is not the authentication server database th...

Page 208: ...xample a PC that is connected to an IP phone A syslog message is generated for each of the clients that respond to the readiness check within the timer period Beginning in privileged EXEC mode follow these steps to enable the IEEE 802 1x readiness check on the switch Command Purpose Step 1 dot1x test eapol capable interface interface id Enable the 802 1x readiness check on the switch Optional For ...

Page 209: ...sed on the RADIUS server configuration Step 4 The switch sends a start message to an accounting server Step 5 Re authentication is performed as necessary Step 6 The switch sends an interim accounting update to the accounting server that is based on the result of re authentication Step 7 The user disconnects from the port Command Purpose Step 1 configure terminal Enter global configuration mode Ste...

Page 210: ...S servers for authentication Note Though other keywords are visible in the command line help string only the group radius keywords are supported Step 4 dot1x system auth control Enable IEEE 802 1x authentication globally on the switch Step 5 aaa authorization network default group radius Optional Configure the switch to use user RADIUS authorization for all network related service requests such as...

Page 211: ...For more information see the Configuring Settings for All RADIUS Servers section on page 7 29 You also need to configure some settings on the RADIUS server These settings include the IP address of the switch and the key string to be shared by both the server and the switch For more information see the RADIUS server documentation Command Purpose Step 1 configure terminal Enter global configuration ...

Page 212: ... follow these steps to enable periodic re authentication of the client and to configure the number of seconds between re authentication attempts This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to which multiple hosts are indirectly attached and enter interface configuration mode Step 3 dot1x host mo...

Page 213: ...Quiet Period When the switch cannot authenticate the client the switch remains idle for a set period of time and then tries again The dot1x timeout quiet period interface configuration command controls the idle period A failed authentication of the client might occur because the client provided an invalid password You can provide a faster response time to the user by entering a number smaller than...

Page 214: ... no dot1x timeout tx period interface configuration command This example shows how to set 60 as the number of seconds that the switch waits for a response to an EAP request identity frame from the client before resending the request Switch config if dot1x timeout tx period 60 Step 3 dot1x timeout quiet period seconds Set the number of seconds that the switch remains in the quiet state following a ...

Page 215: ...tch config if dot1x max req 5 Setting the Re Authentication Number You can also change the number of times that the switch restarts the authentication process before the port changes to the unauthorized state Note You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authenticat...

Page 216: ...1646 is not responding Note You must configure the RADIUS server to perform accounting tasks such as logging start stop and interim update messages and time stamps To turn on these functions enable logging of Update Watchdog packets from this AAA client in your RADIUS server Network Configuration tab Next enable CVS RADIUS Accounting in your RADIUS server System Configuration tab Beginning in priv...

Page 217: ...est VLAN This procedure is optional To disable and remove the guest VLAN use the no dot1x guest vlan interface configuration command The port returns to the unauthorized state Step 5 end Return to privileged EXEc mode Step 6 show running config Verify your entries Step 7 copy running config startup config Optional Saves your entries in the configuration file Command Purpose Command Purpose Step 1 ...

Page 218: ...stricted VLAN This procedure is optional To disable and remove the restricted VLAN use the no dot1x auth fail vlan interface configuration command The port returns to the unauthorized state This example shows how to enable VLAN 2 as an IEEE 802 1x restricted VLAN Switch config interface gigabitethernet0 2 Switch config if dot1x auth fail vlan 2 Command Purpose Step 1 configure terminal Enter globa...

Page 219: ...al port and enable the inaccessible authentication bypass feature This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be configured and enter interface configuration mode For the supported port types see the IEEE 802 1x Authentication Configuration Guidelines section on page 8 21 Step 3 switchport mo...

Page 220: ...he default is 1645 Note You should configure the UDP port for the RADIUS accounting server and the UDP port for the RADIUS authentication server to nondefault values test username name Enable automated testing of the RADIUS server status and specify the username to be used idle time time Set the interval of time in minutes after which the switch sends test packets to the server The range is from 1...

Page 221: ...nd Step 5 dot1x critical eapol recovery delay milliseconds Optional Configure the parameters for inaccessible authentication bypass eapol Specify that the switch sends an EAPOL Success message when the switch successfully authenticates the critical port recovery delay milliseconds Set the recovery delay period during which the switch waits to re initialize a critical port when a RADIUS server that...

Page 222: ...nterface configuration mode For the supported port types see the IEEE 802 1x Authentication Configuration Guidelines section on page 8 21 Step 3 dot1x control direction both in Enable IEEE 802 1x authentication with WoL on the port and use these keywords to configure the port as bidirectional or unidirectional both Sets the port as bidirectional The port cannot receive packets from or send packets...

Page 223: ...P for authorization Optional Use the timeout activity keywords to configured the number of seconds that a connected host can be inactive before it is placed in an unauthorized state The range is 1 to 65535 You must enable port security before configuring a time out value For more information see the Configuring Port Security section on page 23 9 Step 5 end Return to privileged EXEC mode Step 6 sho...

Page 224: ...attribute Attribute 29 This command affects the behavior of the switch only if periodic re authentication is enabled Step 6 end Return to privileged EXEC mode Step 7 show dot1x interface interface id Verify your IEEE 802 1x authentication configuration Step 8 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure ter...

Page 225: ...ing request packets Step 7 radius server vsa send authentication Configure the network access server to recognize and use vendor specific attributes VSAs Step 8 ip device tracking Enable the IP device tracking table To disable the IP device tracking table use the no ip device tracking global configuration commands Step 9 end Return to privileged EXEC mode Command Purpose Command Purpose Step 1 con...

Page 226: ...Enter global configuration mode Step 2 ip admission name rule proxy http Define a web authentication rule Step 3 fallback profile fallback profile Define a fallback profile to allow an IEEE 802 1x port to authenticate a client by using web authentication Step 4 ip access group policy in Specify the default access control list to apply to network traffic before web authentication Step 5 ip admissio...

Page 227: ...x authentication on the port Switch config interface gigabitethernet0 1 Switch config if no dot1x pae authenticator Resetting the IEEE 802 1x Authentication Configuration to the Default Values Beginning in privileged EXEC mode follow these steps to reset the IEEE 802 1x authentication configuration to the default values This procedure is optional Command Purpose Step 1 configure terminal Enter glo...

Page 228: ...d To display IEEE 802 1x statistics for a specific port use the show dot1x statistics interface interface id privileged EXEC command To display the IEEE 802 1x administrative and operational status for the switch use the show dot1x all details statistics summary privileged EXEC command To display the IEEE 802 1x administrative and operational status for a specific port use the show dot1x interface...

Page 229: ...nformation for the commands used in this chapter see the switch command reference for this release and the online Cisco IOS Interface Command Reference Release 12 2 Understanding Interface Types This section describes the different types of interfaces supported by the switch with references to chapters that contain more detailed information about configuring these interface types The rest of the c...

Page 230: ...ration file by entering the copy running config startup config privileged EXEC command Add ports to a VLAN by using the switchport interface configuration commands Identify the interface For a trunk port set trunk characteristics and if desired define the VLANs to which it can belong For an access port set and define the VLAN to which it belongs For a tunnel port set and define the VLAN ID for the...

Page 231: ... and forwarding to and from the port is enabled only when the VLAN membership of the port is discovered Dynamic access ports on the switch are assigned to a VLAN by a VLAN Membership Policy Server VMPS The VMPS can be a Catalyst 6500 series switch the Cisco Catalyst Blade Switch 3020 for HP cannot be a VMPS server You can also configure an access port with an attached Cisco IP Phone to use one VLA...

Page 232: ...nique to each customer For more information about tunnel ports see Chapter 15 Configuring IEEE 802 1Q and Layer 2 Protocol Tunneling Routed Ports A routed port is a physical port that acts like a port on a router it does not have to be connected to a router A routed port is not associated with a particular VLAN as is an access port A routed port behaves like a regular router interface except that ...

Page 233: ...For more information see the Manually Assigning IP Information section on page 3 14 Note When you create an SVI it does not become active until it is associated with a physical port SVIs support routing protocols and bridging configurations For more information about configuring IP routing see Chapter 34 Configuring IP Unicast Routing EtherChannel Port Groups EtherChannel port groups treat multipl...

Page 234: ...e information about the LEDs see the hardware installation guide Ports 23x and 24x are different from the other dual purpose ports When operating in external mode these ports are single uplink 10 100 1000BASE T copper Gigabit Ethernet ports When operating in internal mode they use the 1000BASE X mode and they form a cross connection with a switch that is installed in a corresponding module bay in ...

Page 235: ...d Administrator module By default the fa0 interface is assigned an IP address through a DHCP server You can also statically configure the IP address You can see the IP address that is assigned to the fa0 interface from the Onboard Administrator GUI through which you can manage the switch through the HP Onboard Administrator module We recommend that you set up your network so that you can communica...

Page 236: ...n commands one per line End with CNTL Z Switch config Step 2 Enter the interface global configuration command Identify the interface type and the number of the connector In this example Gigabit Ethernet port 1 is selected Switch config interface gigabitethernet0 1 Switch config if Note You do not need to add a space between the interface type and interface number For example in the preceding line ...

Page 237: ...first interface number and the hyphen when using the interface range command For example the command interface range gigabitethernet0 1 4 is a valid range the command interface range gigabitethernet0 1 4 is not a valid range Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface range port range macro macro_name Specify the range of interfaces VLANs or physical ...

Page 238: ...command prompt reappears before exiting interface range configuration mode Configuring and Using Interface Range Macros You can create an interface range macro to automatically select a range of interfaces for configuration Before you can use the macro keyword in the interface range macro global configuration command string you must use the define interface range global configuration command to de...

Page 239: ...d by the show running config command cannot be used as interface ranges All interfaces defined as in a range must be the same type all Gigabit Ethernet ports all EtherChannel ports or all VLANs but you can combine multiple interface types in a macro This example shows how to define an interface range named enet_list to include ports 1 and 2 and to verify the macro configuration Switch configure te...

Page 240: ...r 3 mode you must enter the switchport interface configuration command without any parameters to put the interface into Layer 2 mode This shuts down the interface and then re enables it which might generate messages on the device to which the interface is connected When you put an interface that is in Layer 3 mode into Layer 2 mode the previous configuration information related to the affected int...

Page 241: ...Disabled Layer 2 interfaces only See the Configuring Protected Ports section on page 23 6 Port security Disabled Layer 2 interfaces only See the Default Port Security Configuration section on page 23 11 Port Fast Disabled Enabled by default on Gigabit Ethernet interfaces 0 1 to 0 16 See the Default Optional Spanning Tree Configuration section on page 18 9 Auto MDIX Enabled Note The switch might no...

Page 242: ...s both types with autonegotiation of speed and duplex the default Depending on the type of installed SFP module the switch might not be able to dynamically select it For more information see the information that follows this procedure Note Gigabit Ethernet interfaces gi0 23 and gi0 24 do not support the media type command auto select module option rj45 The switch disables the SFP module interface ...

Page 243: ...rnet 10 100 1000 Mb s ports support all speed options and all duplex options auto half and full However Gigabit Ethernet ports operating at 1000 Mb s do not support half duplex mode The 1000BASE SX SFP module ports support the nonegotiate keyword in the speed interface configuration command Duplex options are not supported You cannot configure duplex mode on SFP module ports they operate in full d...

Page 244: ...on mode Step 2 interface interface id Specify the physical interface to be configured and enter interface configuration mode Step 3 speed 10 100 1000 auto 10 100 1000 nonegotiate Enter the appropriate speed parameter for the interface Enter 10 100 or 1000 to set a specific speed for the interface The 1000 keyword is available only for 10 100 1000 Mb s ports Enter auto to enable the interface to au...

Page 245: ...he port cannot send pause frames but can operate with an attached device that is required to or can send pause frames the port can receive pause frames receive off Flow control does not operate in either direction In case of congestion no indication is given to the link partner and no pause frames are sent or received by either device Note For details on the command settings and the resulting flow...

Page 246: ...that result from auto MDIX settings and correct and incorrect cabling Beginning in privileged EXEC mode follow these steps to configure auto MDIX on an interface To disable auto MDIX use the no mdix auto interface configuration command This example shows how to enable auto MDIX on a port Switch configure terminal Switch config interface gigabitethernet0 1 Switch config if speed auto Switch config ...

Page 247: ...tch supports these types of Layer 3 interfaces SVIs You should configure SVIs for any VLANs for which you want to route traffic SVIs are created when you enter a VLAN ID following the interface vlan global configuration command To delete an SVI use the no interface vlan global configuration command You cannot delete interface VLAN 1 Note When you create an SVI it does not become active until it is...

Page 248: ...a message that this was due to insufficient hardware resources All Layer 3 interfaces require an IP address to route traffic This procedure shows how to configure an interface as a Layer 3 interface and how to assign an IP address to an interface Note If the physical port is in Layer 2 mode the default you must enter the no switchport interface configuration command to put the interface into Layer...

Page 249: ...net ports are not affected by the system mtu command 10 100 ports are not affected by the system jumbo mtu command If you do not configure the system mtu jumbo command the setting of the system mtu command applies to all Gigabit Ethernet interfaces You cannot set the MTU size for an individual interface you set it for all 10 100 or all Gigabit Ethernet interfaces on the switch When you change the ...

Page 250: ...d Maintaining the Interfaces These sections contain interface monitoring and maintenance information Monitoring Interface Status page 9 23 Clearing and Resetting Interfaces and Counters page 9 23 Shutting Down and Restarting the Interface page 9 24 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 system mtu bytes Optional Change the MTU size for all interfaces on th...

Page 251: ...perational status of switching nonrouting ports You can use this command to find out if a port is in routing or in switching mode show interfaces interface id description Display the description configured on an interface or all interfaces and the interface status show ip interface interface id Display the usability status of all interfaces configured for IP routing or the specified interface show...

Page 252: ...ng down an interface disables all functions on the specified interface and marks the interface as unavailable on all monitoring command displays This information is communicated to other network servers through all dynamic routing protocols The interface is not mentioned in any routing updates Beginning in privileged EXEC mode follow these steps to shut down an interface Use the no shutdown interf...

Page 253: ... of command line interface CLI commands that you define Smartports macros do not contain new CLI commands they are simply a group of existing CLI commands When you apply a Smartports macro on an interface the CLI commands within the macro are configured on the interface When the macro is applied to an interface the existing interface configurations are not lost The new commands are added to the in...

Page 254: ...ult Smartports Macro Configuration page 10 2 Smartports Macro Configuration Guidelines page 10 3 Creating Smartports Macros page 10 4 Applying Smartports Macros page 10 5 Applying Cisco Default Smartports Macros page 10 6 Default Smartports Macro Configuration There are no Smartports macros enabled cisco phone Use this interface configuration macro when connecting a desktop device such as a PC wit...

Page 255: ...pplied globally to a switch or to a switch interface all existing configuration on the interface is retained This is helpful when applying an incremental configuration If you modify a macro definition by adding or deleting commands the changes are not reflected on the interface where the original macro was applied You need to reapply the updated macro on the interface to apply the new or changed c...

Page 256: ... two help string keywords by using macro keywords Switch config macro name test switchport access vlan VLANID switchport port security maximum MAX macro keywords VLANID MAX Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 macro name macro name Create a macro definition and enter a macro name A macro definition can contain up to 3000 characters Enter the macro comman...

Page 257: ...ering the keyword values the commands are invalid and are not applied Step 3 macro global description text Optional Enter a description about the macro that is applied to the switch Step 4 interface interface id Optional Enter interface configuration mode and specify the interface on which to apply the macro Step 5 default interface interface id Optional Clear all configuration from the specified ...

Page 258: ... Interface Macro Description Gi0 2 desktop config This example shows how to apply the user created macro called desktop config and to replace all occurrences of VLAN 1 with VLAN 25 Switch config if macro apply desktop config vlan 25 Applying Cisco Default Smartports Macros Beginning in privileged EXEC mode follow these steps to apply a Smartports macro Command Purpose Step 1 show parser macro Disp...

Page 259: ...rity age is greater than one minute and use inactivity timer switchport port security violation restrict switchport port security aging time 2 switchport port security aging type inactivity Configure port as an edge network port spanning tree portfast spanning tree bpduguard enable Switch Switch configure terminal Switch config gigabitethernet0 4 Switch config if macro apply cisco desktop AVID 25 ...

Page 260: ...e or more of the privileged EXEC commands in Table 10 2 Table 10 2 Commands for Displaying Smartports Macros Command Purpose show parser macro Displays all configured macros show parser macro name macro name Displays a specific macro show parser macro brief Displays the configured macro names show parser macro description interface interface id Displays the macro description for all interfaces or ...

Page 261: ...network that is logically segmented by function project team or application without regard to the physical locations of the users VLANs have the same attributes as physical LANs but you can group end stations even if they are not physically located on the same LAN segment Any switch port can belong to a VLAN and unicast broadcast and multicast packets are forwarded and flooded only to end stations...

Page 262: ...terfaces section on page 9 5 and the Configuring Layer 3 Interfaces section on page 9 19 Note If you plan to configure many VLANs on the switch and to not enable routing you can use the sdm prefer vlan global configuration command to set the Switch Database Management sdm feature to the VLAN template which configures system resources to support the maximum number of unicast MAC addresses For more ...

Page 263: ...t VTP to globally propagate information set the VTP mode to transparent To participate in VTP there must be at least one trunk port on the switch connected to a trunk port of a second switch Trunk ISL or IEEE 802 1Q A trunk port is a member of all VLANs by default including extended range VLANs but membership can be limited by configuring the allowed VLAN list You can also modify the pruning eligi...

Page 264: ...VLAN A voice VLAN port is an access port attached to a Cisco IP Phone configured to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone For more information about voice VLAN ports see Chapter 13 Configuring Voice VLAN VTP is not required it has no affect on a voice VLAN Private VLAN A private VLAN port is a host or promiscuous port that belongs to a...

Page 265: ...pe Ethernet Fiber Distributed Data Interface FDDI FDDI network entity title NET TrBRF or TrCRF Token Ring Token Ring Net VLAN state active or suspended Maximum transmission unit MTU for the VLAN Security Association Identifier SAID Bridge identification number for TrBRF VLANs Ring number for FDDI and TrCRF VLANs Parent VLAN number for TrCRF VLANs Spanning Tree Protocol STP type for TrCRF VLANs VLA...

Page 266: ...ded Range VLANs section on page 11 12 Before you can create a VLAN the switch must be in VTP server mode or VTP transparent mode If the switch is a VTP server you must define a VTP domain or VTP will not function The switch does not support Token Ring or FDDI media The switch does not forward FDDI FDDI Net TrCRF or TrBRF traffic but it does propagate the VLAN configuration through VTP The switch s...

Page 267: ...d EXEC command You must use this config vlan mode when creating extended range VLANs VLAN IDs greater than 1005 See the Configuring Extended Range VLANs section on page 11 12 VLAN Configuration in VLAN Database Configuration Mode To access VLAN database configuration mode enter the vlan database privileged EXEC command Then enter the vlan command with a new VLAN ID to create a VLAN or enter an exi...

Page 268: ...tion for the first 1005 VLANs use the VLAN database information Caution If the VLAN database configuration is used at startup and the startup configuration file contains extended range VLAN configuration this information is lost when the system boots up Default Ethernet VLAN Configuration Table 11 2 shows the default configuration for Ethernet VLANs Note The switch supports Ethernet interfaces exc...

Page 269: ...terminal Switch config vlan 20 Switch config vlan name test20 Switch config vlan end Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 vlan vlan id Enter a VLAN ID and enter config vlan mode Enter a new VLAN ID to create a VLAN or enter an existing VLAN ID to modify that VLAN Note The available VLAN ID range for this command is 1 to 4094 For information about adding ...

Page 270: ...eleted only on that specific switch You cannot delete the default VLANs for the different media types Ethernet VLAN 1 and FDDI or Token Ring VLANs 1002 to 1005 Command Purpose Step 1 vlan database Enter VLAN database configuration mode Step 2 vlan vlan id name vlan name Add an Ethernet VLAN by assigning a number to it The range is 1 to 1001 You can create or modify a range of consecutive VLANs by ...

Page 271: ... a VLAN in the VLAN database Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 no vlan vlan id Remove the VLAN by entering the VLAN ID Step 3 end Return to privileged EXEC mode Step 4 show vlan brief Verify the VLAN removal Step 5 copy running config startup config Optional If the switch is in VTP transparent mode the VLAN configuration is saved in the running config...

Page 272: ...n id global configuration command to configure extended range VLANs The extended range is not supported in VLAN database configuration mode accessed by entering the vlan database privileged EXEC command Extended range VLAN configurations are not stored in the VLAN database but because VTP mode is transparent they are stored in the switch running configuration file and you can save the configuratio...

Page 273: ...P see Chapter 17 Configuring MSTP Each routed port on the switch creates an internal VLAN for its use These internal VLANs use extended range VLAN numbers and the internal VLAN ID cannot be used for an extended range VLAN If you try to create an extended range VLAN with a VLAN ID that is already allocated as an internal VLAN an error message is generated and the command is rejected Because interna...

Page 274: ...g Static Access Ports to a VLAN section on page 11 11 This example shows how to create a new extended range VLAN with all default characteristics enter config vlan mode and save the new VLAN in the switch startup configuration file Switch config vtp mode transparent Switch config vlan 2000 Switch config vlan end Switch copy running config startup config Command Purpose Step 1 configure terminal En...

Page 275: ... interface id Specify the interface ID for the routed port that is using the VLAN ID and enter interface configuration mode Step 4 shutdown Shut down the port to free the internal VLAN ID Step 5 exit Return to global configuration mode Step 6 vtp mode transparent Set the VTP mode to transparent for creating extended range VLANs Step 7 vlan vlan id Enter the new extended range VLAN ID and enter con...

Page 276: ... Trunk Port page 11 19 Configuring Trunk Ports for Load Sharing page 11 24 Trunking Overview A trunk is a point to point link between one or more Ethernet switch interfaces and another networking device such as a router or a switch Ethernet trunks carry the traffic of multiple VLANs over a single link and you can extend the VLANs across an entire network Two trunking encapsulations are available o...

Page 277: ... this you should configure interfaces connected to devices that do not support DTP to not forward DTP frames that is to turn off DTP If you do not intend to trunk across those links use the switchport mode access interface configuration command to disable trunking To enable trunking to a device that does not support DTP use the switchport mode trunk and switchport nonegotiate interface configurati...

Page 278: ...he link to a trunk link The interface becomes a trunk interface if the neighboring interface is set to trunk desirable or auto mode switchport mode trunk Puts the interface into permanent trunking mode and negotiates to convert the neighboring link into a trunk link The interface becomes a trunk interface even if the neighboring interface is not a trunk interface switchport nonegotiate Prevents th...

Page 279: ... end of the trunk is different from the native VLAN on the other end spanning tree loops might result Disabling spanning tree on the native VLAN of an IEEE 802 1Q trunk without disabling spanning tree on every VLAN in the network can potentially cause spanning tree loops We recommend that you leave spanning tree enabled on the native VLAN of an IEEE 802 1Q trunk or disable spanning tree on every V...

Page 280: ...features in these ways A trunk port cannot be a secure port A trunk port cannot be a tunnel port Trunk ports can be grouped into EtherChannel port groups but all trunks in the group must have the same configuration When a group is first created all ports follow the parameters set for the first port to be added to the group If you change the configuration of one of these parameters the switch propa...

Page 281: ...ion isl dot1q negotiate Configure the port to support ISL or IEEE 802 1Q encapsulation or to negotiate the default with the neighboring interface for encapsulation type You must configure each end of the link with the same encapsulation type Step 4 switchport mode dynamic auto desirable trunk Configure the interface as a Layer 2 trunk required only if the interface is a Layer 2 access port or tunn...

Page 282: ...o VLAN 1 regardless of the switchport trunk allowed setting The same is true for any VLAN that has been disabled on the port A trunk port can become a member of a VLAN if the VLAN is enabled if VTP knows of the VLAN and if the VLAN is in the allowed list for the port When VTP detects a newly enabled VLAN and the VLAN is in the allowed list for a trunk port the trunk port automatically becomes a me...

Page 283: ...ing can receive both tagged and untagged traffic By default the switch forwards untagged traffic in the native VLAN configured for the port The native VLAN is VLAN 1 by default Note The native VLAN can be assigned any VLAN ID Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Select the trunk port for which VLANs should be pruned and enter inter...

Page 284: ... using STP path costs each load sharing link can be connected to the same switch or to two different switches For more information about STP see Chapter 16 Configuring STP Load Sharing Using STP Port Priorities When two ports on the same switch form a loop the switch uses the STP port priority to decide which port is enabled and which port is in a blocking state You can set the priorities on a par...

Page 285: ...8 10 priority 128 Trunk 1 VLANs 8 10 priority 16 VLANs 3 6 priority 128 Command Purpose Step 1 configure terminal Enter global configuration mode on Switch A Step 2 vtp domain domain name Configure a VTP administrative domain The domain name can be 1 to 32 characters Step 3 vtp mode server Configure Switch A as the VTP server Step 4 end Return to privileged EXEC mode Step 5 show vtp status Verify ...

Page 286: ...Step 14 Repeat Steps 7 through 11 on Switch B to configure the trunk ports that connect to the trunk ports configured on Switch A Step 15 show vlan When the trunk links come up VTP passes the VTP and VLAN information to Switch B Verify that Switch B has learned the VLAN configuration Step 16 configure terminal Enter global configuration mode on Switch A Step 17 interface gigabitethernet 0 1 Define...

Page 287: ...figure the port to support ISL or IEEE 802 1Q encapsulation You must configure each end of the link with the same encapsulation type Step 4 switchport mode trunk Configure the port as a trunk port The trunk defaults to ISL trunking Step 5 exit Return to global configuration mode Step 6 Repeat Steps 2 through 5 on a second interface in Switch A Step 7 end Return to privileged EXEC mode Step 8 show ...

Page 288: ...access to the host If the VLAN in the database does not match the current VLAN on the port and active hosts exist on the port the VMPS sends an access denied or a port shutdown response depending on the secure mode of the VMPS If the switch receives an access denied response from the VMPS it continues to block traffic to and from the host MAC address The switch continues to monitor the packets dir...

Page 289: ...ort as a dynamic access port the spanning tree Port Fast feature is automatically enabled for that port The Port Fast mode accelerates the process of bringing the port into the forwarding state IEEE 802 1x ports cannot be configured as dynamic access ports If you try to enable IEEE 802 1x on a dynamic access VQP port an error message appears and IEEE 802 1x is not enabled If you try to change an I...

Page 290: ... port VLAN membership is for end stations or hubs connected to end stations Connecting dynamic access ports to other switches can cause a loss of connectivity Beginning in privileged EXEC mode follow these steps to configure a dynamic access port on a VMPS client switch Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 vmps server ipaddress primary Enter the IP addre...

Page 291: ...irmation interval To return the switch to its default setting use the no vmps reconfirm global configuration command Step 4 switchport access vlan dynamic Configure the port as eligible for dynamic VLAN membership The dynamic access port must be connected to an end station Step 5 end Return to privileged EXEC mode Step 6 show interfaces interface id switchport Verify your entries in the Operationa...

Page 292: ...the switch starts to query the secondary VMPS VMPS domain server the IP address of the configured VLAN membership policy servers The switch sends queries to the one marked current The one marked primary is the primary server VMPS Action the result of the most recent reconfirmation attempt A reconfirmation attempt can occur automatically when the reconfirmation interval expires or you can force it ...

Page 293: ...re enable a disabled dynamic access port enter the shutdown interface configuration command followed by the no shutdown interface configuration command VMPS Configuration Example Figure 11 5 shows a network with a VMPS server switch and VMPS client switches with dynamic access ports In this example these assumptions apply The VMPS server and the VMPS client are separate switches The Catalyst 6500 ...

Page 294: ...yst 6500 series Secondary VMPS Server 3 172 20 26 150 172 20 26 151 Catalyst 6500 series switch A 172 20 26 152 Switch C Ethernet segment Trunk link 172 20 26 153 172 20 26 154 172 20 26 155 172 20 26 156 172 20 26 157 172 20 26 158 172 20 26 159 Client switch I Client switch B End station 2 End station 1 TFTP server Dynamic access port Dynamic access port Switch J Switch D Switch E Switch F Switc...

Page 295: ...nfiguration changes centrally on one or more switches and have those changes automatically communicated to all the other switches in the network Without VTP you cannot send information about VLANs to other switches VTP is designed to work in an environment where updates are made on a single switch and are sent through VTP to other switches in the domain It does not work well in a situation where m...

Page 296: ...main always verify that its VTP configuration revision number is lower than the configuration revision number of the other switches in the VTP domain Switches in a VTP domain always use the VLAN configuration of the switch with the highest VTP configuration revision number If you add a switch that has a revision number higher than the revision number in the VTP domain it can erase all VLAN informa...

Page 297: ...ived over trunk links In VTP server mode VLAN configurations are saved in NVRAM VTP server is the default mode VTP client A VTP client behaves like a VTP server and transmits and receives VTP updates on its trunks but you cannot create change or delete VLANs on a VTP client VLANs are configured on another switch in the domain that is in server mode In VTP client mode VLAN configurations are not sa...

Page 298: ...witch inspects VTP messages for the domain name and version and forwards a message only if the version and domain name match Because VTP Version 2 supports only one domain it forwards VTP messages in transparent mode without inspecting the version and domain name Consistency Checks In VTP Version 2 VLAN consistency checks such as VLAN names and values are performed only when you enter new informat...

Page 299: ...twork with VTP pruning enabled The broadcast traffic from Switch A is not forwarded to Switches C E and F because traffic for the Red VLAN has been pruned on the links shown Port 5 on Switch B and Port 4 on Switch D Figure 12 2 Optimized Flooded Traffic with VTP Pruning Enabling VTP pruning on a VTP server enables pruning for the entire management domain Making VLANs pruning eligible or pruning in...

Page 300: ...nterface use the switchport trunk pruning vlan interface configuration command see the Changing the Pruning Eligible List section on page 11 23 VTP pruning operates when an interface is trunking You can set VLAN pruning eligibility whether or not VTP pruning is enabled for the VTP domain whether or not any given VLAN exists and whether or not the interface is currently trunking Configuring VTP The...

Page 301: ...n the switch startup configuration file and reboot the switch the switch configuration is selected as follows If the VTP mode is transparent in the startup configuration and the VLAN database and the VTP domain name from the VLAN database matches that in the startup configuration file the VLAN database is ignored cleared and the VTP and VLAN configurations in the startup configuration file are use...

Page 302: ...onfigure a domain password all domain switches must share the same password and you must configure the password on each switch in the management domain Switches without a password or with the wrong password reject VTP advertisements If you configure a VTP password for a domain a switch that is booted without a VTP configuration does not accept VTP advertisements until you configure it with the cor...

Page 303: ...mode When private VLANs are configured on the switch do not change the VTP mode from transparent to client or server mode Configuring a VTP Server When a switch is in VTP server mode you can change the VLAN configuration and have it propagated throughout the network Note If extended range VLANs are configured on the switch you cannot change VTP mode to server You receive an error message and the c...

Page 304: ...n name it cannot be removed you can only reassign a switch to a different domain To return the switch to a no password state use the no vtp password VLAN database configuration command Command Purpose Step 1 vlan database Enter VLAN database configuration mode Step 2 vtp server Configure the switch for VTP server mode the default Step 3 vtp domain domain name Configure a VTP administrative domain ...

Page 305: ...iguration to the default To keep the VTP configuration with VTP client mode after the switch restarts you must first configure the VTP domain name before the VTP mode Caution If all switches are operating in VTP client mode do not configure a VTP domain name If you do it is impossible to make changes to the VLAN configuration of that domain Therefore make sure you configure at least one switch as ...

Page 306: ... VTP Version 2 does forward received VTP advertisements on its trunk links Note Before you create extended range VLANs VLAN IDs 1006 to 4094 you must set VTP mode to transparent by using the vtp mode transparent global configuration command Save this configuration to the startup configuration so that the switch boots up in VTP transparent mode Otherwise you lose the extended range VLAN configurati...

Page 307: ...ame VTP domain Every switch in the VTP domain must use the same VTP version Do not enable VTP Version 2 unless every switch in the VTP domain supports Version 2 Note In TrCRF and TrBRF Token ring environments you must enable VTP Version 2 for Token Ring VLAN switching to function properly For Token Ring and Token Ring Net media VTP Version 2 must be disabled For more information on VTP version con...

Page 308: ...or the entire VTP domain Only VLANs included in the pruning eligible list can be pruned By default VLANs 2 through 1001 are pruning eligible on trunk ports Reserved VLANs and extended range VLANs cannot be pruned To change the pruning eligible VLANs see the Changing the Pruning Eligible List section on page 11 23 Adding a VTP Client Switch to a VTP Domain Before adding a VTP client to a VTP domain...

Page 309: ...main Command Purpose Step 1 show vtp status Check the VTP configuration revision number If the number is 0 add the switch to the VTP domain If the number is greater than 0 follow these steps a Write down the domain name b Write down the configuration revision number c Continue with the next steps to reset the switch configuration revision number Step 2 configure terminal Enter global configuration...

Page 310: ...me the current VTP revision and the number of VLANs You can also display statistics about the advertisements sent and received by the switch Table 12 3 shows the privileged EXEC commands for monitoring VTP activity Table 12 3 VTP Monitoring Commands Command Purpose show vtp status Display the VTP switch configuration information show vtp counters Display counters about VTP messages that have been ...

Page 311: ...r 3 IP precedence and Layer 2 class of service CoS values which are both set to 5 by default Because the sound quality of an IP phone call can deteriorate if the data is unevenly sent the switch supports quality of service QoS based on IEEE 802 1p CoS QoS uses classification and scheduling to send network traffic from the switch in a predictable manner For more information on QoS see Chapter 32 Co...

Page 312: ...agged no Layer 2 CoS priority value Note In all configurations the voice traffic carries a Layer 3 IP precedence value the default is 5 for voice traffic and 3 for voice control traffic Cisco IP Phone Data Traffic The switch can also process tagged data traffic traffic in IEEE 802 1Q or IEEE 802 1p frame types from the device attached to the access port on the Cisco IP Phone see Figure 13 1 You ca...

Page 313: ... and not on trunk ports even though the configuration is allowed The voice VLAN should be present and active on the switch for the IP phone to correctly communicate on the voice VLAN Use the show vlan privileged EXEC command to see if the VLAN is present listed in the display If the VLAN is not listed see Chapter 11 Configuring VLANs for information on how to create the voice VLAN Do not configure...

Page 314: ...is configured and to which a Cisco IP Phone is connected the phone loses connectivity to the switch for up to 30 seconds Protected port See the Configuring Protected Ports section on page 23 6 for more information A source or destination port for a SPAN or RSPAN session Secure port See the Configuring Port Security section on page 23 9 for more information Note When you enable port security on an ...

Page 315: ...figuring the port trust state you must first globally enable QoS by using the mls qos global configuration command Step 4 switchport voice detect cisco phone full duplex vlan vlan id dot1p none untagged Configure how the Cisco IP Phone carries voice traffic detect Configure the interface to detect and recognize a Cisco IP phone cisco phone When you initially implement the switchport voice detect c...

Page 316: ...ex Cisco IP Phone Switch config if switchport voice detect cisco phone full duplex full duplex full duplex keyword Switch config if end This example shows how to disable switchport voice detect on a Cisco IP Phone Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config interface gigabithernet 0 1 Switch config if no switchport voice detect cisco phone Swit...

Page 317: ...ing Voice VLAN To display voice VLAN configuration for an interface use the show interfaces interface id switchport privileged EXEC command Step 3 switchport priority extend cos value trust Set the priority of data traffic received from the Cisco IP Phone access port cos value Configure the phone to override the priority received from the PC or the attached device with the specified CoS value The ...

Page 318: ...13 8 Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide OL 8915 03 Chapter 13 Configuring Voice VLAN Displaying Voice VLAN ...

Page 319: ...service providers face when using VLANs Scalability The switch supports up to 1005 active VLANs If a service provider assigns one VLAN per customer this limits the numbers of customers the service provider can support To enable IP routing each VLAN is assigned a subnet address space or a block of addresses which can result in wasting the unused IP addresses and cause IP address management problems...

Page 320: ...iated with the primary VLAN Isolated An isolated port is a host port that belongs to an isolated secondary VLAN It has complete Layer 2 separation from other ports within the same private VLAN except for the promiscuous ports Private VLANs block all traffic to isolated ports except traffic from promiscuous ports Traffic received from an isolated port is forwarded only to promiscuous ports Communit...

Page 321: ...te outside the private VLAN You can use private VLANs to control access to end stations in these ways Configure selected interfaces connected to end stations as isolated ports to prevent any communication at Layer 2 For example if the end stations are servers this configuration prevents Layer 2 communication between the servers Configure interfaces connected to default gateways and selected end st...

Page 322: ... switches are not merged This can result in unnecessary flooding of private VLAN traffic on those switches Note When configuring private VLANs on the switch always use the default Switch Database Management SDM template to balance system resources between unicast routes and Layer 2 entries If another SDM template is configured use the sdm prefer default global configuration command to set the defa...

Page 323: ... 3 switch a switch virtual interface SVI represents the Layer 3 interface of a VLAN Layer 3 devices communicate with a private VLAN only through the primary VLAN and not through secondary VLANs Configure Layer 3 VLAN interfaces SVIs only for primary VLANs You cannot configure Layer 3 VLAN interfaces for secondary VLANs SVIs for secondary VLANs are inactive while the VLAN is configured as a seconda...

Page 324: ... section on page 14 12 Step 5 If inter VLAN routing will be used configure the primary SVI and map secondary VLANs to the primary See the Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface section on page 14 13 Step 6 Verify private VLAN configuration Default Private VLAN Configuration No private VLANs are configured Private VLAN Configuration Guidelines Guidelines for configuring pr...

Page 325: ... We recommend that you prune the private VLANs from the trunks on devices that carry no traffic in the private VLANs You can apply different quality of service QoS configurations to primary isolated and community VLANs When you configure private VLANs sticky Address Resolution Protocol ARP is enabled by default and ARP entries learned on Layer 3 private VLAN interfaces are sticky ARP entries For s...

Page 326: ...rivate VLAN ports While a port is part of the private VLAN configuration any EtherChannel configuration for it is inactive Enable Port Fast and BPDU guard on isolated and community host ports to prevent STP loops due to misconfigurations and to speed up STP convergence see Chapter 18 Configuring Optional Spanning Tree Features When enabled STP applies the BPDU guard feature to all Port Fast config...

Page 327: ...ary VLAN When the original dynamic MAC address is deleted or aged out the replicated addresses are removed from the MAC address table Configure Layer 3 VLAN interfaces SVIs only for primary VLANs Configuring and Associating VLANs in a Private VLAN Beginning in privileged EXEC mode follow these steps to configure a private VLAN Note The private vlan commands do not take effect until you exit VLAN c...

Page 328: ...itch configure terminal Switch config vlan 20 Switch config vlan private vlan primary Switch config vlan exit Switch config vlan 501 Switch config vlan private vlan isolated Switch config vlan exit Switch config vlan 502 Switch config vlan private vlan community Switch config vlan exit Switch config vlan 503 Switch config vlan private vlan community Switch config vlan exit Switch config vlan 20 Sw...

Page 329: ...an host Operational Mode private vlan host Administrative Trunking Encapsulation negotiate Operational Trunking Encapsulation native Negotiation of Trunking Off Access Mode VLAN 1 default Trunking Native Mode VLAN 1 default Administrative Native VLAN tagging enabled Voice VLAN none Administrative private vlan host association 20 VLAN0020 25 VLAN0025 Administrative private vlan mapping none Adminis...

Page 330: ...ivate VLAN promiscuous port This example shows how to configure an interface as a private VLAN promiscuous port and map it to a private VLAN The interface is a member of primary VLAN 20 and secondary VLANs 501 to 503 are mapped to it Switch configure terminal Switch config interface gigabitethernet0 2 Switch config if switchport mode private vlan promiscuous Switch config if switchport private vla...

Page 331: ...y_vlan_list to map the secondary VLANs to the primary VLAN Use the remove keyword with a secondary_vlan_list to clear the mapping between secondary VLANs and the primary VLAN This example shows how to map the interfaces of VLANs 501and 502 to primary VLAN 10 which permits routing of secondary VLAN ingress traffic from private VLANs 501 to 502 Switch configure terminal Switch config interface vlan ...

Page 332: ...an private vlan Primary Secondary Type Ports 10 501 isolated Gi0 1 Gi0 2 Gi0 3 10 502 community Gi0 1 Gi0 2 Gi0 4 10 503 non operational Table 14 1 Private VLAN Monitoring Commands Command Purpose show interfaces status Displays the status of interfaces including the VLANs to which they belongs show vlan private vlan type Display the private VLAN information for the switch show interface switchpor...

Page 333: ...age 15 10 Monitoring and Maintaining Tunneling Status page 15 18 Understanding IEEE 802 1Q Tunneling Business customers of service providers often have specific requirements for VLAN IDs and the number of VLANs to be supported The VLAN ranges required by different customers in the same service provider network might overlap and traffic of customers through the infrastructure might be mixed Assigni...

Page 334: ...psulated with another layer of an IEEE 802 1Q tag called the metro tag that contains the VLAN ID that is unique to the customer The original customer IEEE 802 1Q tag is preserved in the encapsulated packet Therefore packets entering the service provider network are double tagged with the outer metro tag containing the customer s access VLAN ID and the inner VLAN ID being that of the incoming traff...

Page 335: ...erent Each customer controls its own VLAN numbering space which is independent of the VLAN numbering space used by other customers and the VLAN numbering space used by the service provider network At the outbound tunnel port the original VLAN numbers on the customer s network are recovered It is possible to have multiple levels of tunneling and tagging but the switch supports only one level in thi...

Page 336: ...on units MTUs are explained in these next sections Native VLANs When configuring IEEE 802 1Q tunneling on an edge switch you must use IEEE 802 1Q trunk ports for sending packets into the service provider network However packets going through the core of the service provider network can be carried through IEEE 802 1Q trunks ISL trunks or nontrunking links When IEEE 802 1Q trunks are used in these c...

Page 337: ...System MTU The default system MTU for traffic on the switch is 1500 bytes You can configure Fast Ethernet ports to support frames larger than 1500 bytes by using the system mtu global configuration command You can configure Gigabit Ethernet ports to support frames larger than 1500 bytes by using the system mtu jumbo global configuration command Because the IEEE 802 1Q tunneling feature increases t...

Page 338: ...s are compatible with tunnel ports as long as the IEEE 802 1Q configuration is consistent within an EtherChannel port group Port Aggregation Protocol PAgP Link Aggregation Control Protocol LACP and UniDirectional Link Detection UDLD are supported on IEEE 802 1Q tunnel ports Dynamic Trunking Protocol DTP is not compatible with IEEE 802 1Q tunneling because you must manually configure asymmetric lin...

Page 339: ...col Tunneling Customers at different sites connected across a service provider network need to use various Layer 2 protocols to scale their topologies to include all remote sites as well as the local sites STP must run properly and every VLAN should build a proper spanning tree that includes the local site and all remote sites across the service provider network Cisco Discovery Protocol CDP must d...

Page 340: ...ntrolling protocol tunneling You implement bypass mode by enabling Layer 2 protocol tunneling on the egress trunk port When Layer 2 protocol tunneling is enabled on the trunk port the encapsulated tunnel MAC address is removed and the protocol packets have their normal MAC address Layer 2 protocol tunneling can be used independently or can enhance IEEE 802 1Q tunneling If protocol tunneling is not...

Page 341: ...f EtherChannels by emulating a point to point network topology When you enable protocol tunneling PAgP or LACP on the SP switch remote customer switches receive the PDUs and can negotiate the automatic creation of EtherChannels Customer X Site 2 VLANs 1 to 100 Customer Y Site 2 VLANs 1 to 200 Customer Y Site 1 VLANs 1 to 200 Customer X Site 1 VLANs 1 to 100 VLAN 30 Trunk ports Switch A Trunk ports...

Page 342: ...hport mode dynamic desirable The switch supports Layer 2 protocol tunneling for CDP STP and VTP For emulated point to point network topologies it also supports PAgP LACP and UDLD protocols The switch does not support Layer 2 protocol tunneling for LLDP Caution PAgP LACP and UDLD protocol tunneling is only intended to emulate a point to point topology An erroneous configuration that sends tunneled ...

Page 343: ...VLAN 100 You can also enable Layer 2 protocol tunneling on access ports on the edge switch connected to access or trunk ports on the customer switch In this case the encapsulation and decapsulation process is the same as described in the previous paragraph except that the packets are not double tagged in the service provider network The single tag is the customer specific access VLAN tag These sec...

Page 344: ...on access ports If you enable PAgP or LACP tunneling we recommend that you also enable UDLD on the interface for faster link failure detection Loopback detection is not supported on Layer 2 protocol tunneling of PAgP LACP or UDLD packets EtherChannel port groups are compatible with tunnel ports when the IEEE 802 1Q configuration is consistent within an EtherChannel port group If an encapsulated PD...

Page 345: ...es The range is 1 to 4096 The default is to have no threshold configured Note If you also set a drop threshold on this interface the shutdown threshold value must be greater than or equal to the drop threshold value Step 6 l2protocol tunnel drop threshold cdp stp vtp value Optional Configure the threshold for packets per second accepted for encapsulation The interface drops packets if the configur...

Page 346: ... config if exit Switch config l2protocol tunnel cos 7 Switch config end Switch show l2protocol COS for Encapsulated Packets 7 Port Protocol Shutdown Drop Encapsulation Decapsulation Drop Threshold Threshold Counter Counter Counter Gi 0 11 cdp 1500 1000 2288 2282 0 stp 1500 1000 116 13 0 vtp 1500 1000 3 67 0 pagp 0 0 0 lacp 0 0 0 udld 0 0 0 Configuring Layer 2 Tunneling for EtherChannels To configu...

Page 347: ...this interface the shutdown threshold value must be greater than or equal to the drop threshold value Step 6 l2protocol tunnel drop threshold point to point pagp lacp udld value Optional Configure the threshold for packets per second accepted for encapsulation The interface drops packets if the configured threshold is exceeded If no protocol option is specified the threshold applies to each of the...

Page 348: ... udld Switch config if l2protocol tunnel drop threshold point to point pagp 1000 Switch config if exit Switch config interface gigabitethernet0 2 Switch config if switchport access vlan 18 Switch config if switchport mode dot1q tunnel Switch config if l2protocol tunnel point to point pagp Switch config if l2protocol tunnel point to point udld Command Purpose Step 1 configure terminal Enter global ...

Page 349: ...rt trunk encapsulation isl Switch config if switchport mode trunk This example shows how to configure the customer switch at Site 1 Gigabit Ethernet interfaces 1 2 3 and 4 are set for IEEE 802 1Q trunking UDLD is enabled EtherChannel group 1 is enabled and the port channel is shut down and then enabled to activate the EtherChannel configuration Switch config interface gigabitethernet0 1 Switch con...

Page 350: ...clear l2protocol tunnel counters Clear the protocol counters on Layer 2 protocol tunneling ports show dot1q tunnel Display IEEE 802 1Q tunnel ports on the switch show dot1q tunnel interface interface id Verify if a specific interface is a tunnel port show l2protocol tunnel Display information about Layer 2 protocol tunneling ports show errdisable recovery Verify if the recovery timer from a Layer ...

Page 351: ... see Chapter 18 Configuring Optional Spanning Tree Features Note For complete syntax and usage information for the commands used in this chapter see the command reference for this release This chapter consists of these sections Understanding Spanning Tree Features page 16 1 Configuring Spanning Tree Features page 16 10 Displaying the Spanning Tree Status page 16 22 Understanding Spanning Tree Feat...

Page 352: ...opology Designated A forwarding port elected for every switched LAN segment Alternate A blocked port providing an alternate path to the root bridge in the spanning tree Backup A blocked port in a loopback configuration The switch that has all of its ports as the designated role or as the backup role is the root switch The switch that has at least one of its ports in the designated role is called t...

Page 353: ...ives a configuration BPDU that contains inferior information to that currently stored for that port it discards the BPDU If the switch is a designated switch for the LAN from which the inferior BPDU was received it sends that LAN a BPDU containing the up to date information stored for that port In this way inferior information is discarded and superior information is propagated on the network A BP...

Page 354: ... be elected as the root switch Configuring a higher value decreases the probability a lower value increases the probability For more information see the Configuring the Root Switch section on page 16 14 the Configuring a Secondary Root Switch section on page 16 16 and the Configuring the Switch Priority of a VLAN section on page 16 19 Spanning Tree Interface States Propagation delays can occur whe...

Page 355: ...e this process occurs 1 The interface is in the listening state while spanning tree waits for protocol information to move the interface to the blocking state 2 While spanning tree waits the forward delay timer to expire it moves the interface to the learning state and resets the forward delay timer 3 In the learning state the interface continues to block frame forwarding as the switch learns end ...

Page 356: ...face should participate in frame forwarding An interface in the listening state performs these functions Discards frames received on the interface Discards frames switched from another interface for forwarding Does not learn addresses Receives BPDUs Learning State A Layer 2 interface in the learning state prepares to participate in frame forwarding The interface enters the learning state from the ...

Page 357: ...forwarding interfaces or link types Switch A might not be the ideal root switch By increasing the priority lowering the numerical value of the ideal switch so that it becomes the root switch you force a spanning tree recalculation to form a new topology with the ideal switch as the root Figure 16 2 Spanning Tree Topology When the spanning tree topology is calculated based on default parameters the...

Page 358: ...000000 to 0x0180C2000010 to be used by different bridge protocols These addresses are static addresses that cannot be removed Regardless of the spanning tree state each switch receives but does not forward packets destined for addresses between 0x0180C2000000 and 0x0180C200000F If spanning tree is enabled the CPU on the switch receives packets destined for 0x0180C2000000 and 0x0180C2000010 If span...

Page 359: ...he rapid PVST immediately deletes dynamically learned MAC address entries on a per port basis upon receiving a topology change By contrast PVST uses a short aging time for dynamically learned MAC address entries The rapid PVST uses the same configuration as PVST except where noted and the switch needs only minimal extra configuration The benefit of rapid PVST is that you can migrate a large PVST i...

Page 360: ... instance for each VLAN allowed on the trunks When you connect a Cisco switch to a non Cisco device through an IEEE 802 1Q trunk the Cisco switch uses PVST to provide spanning tree interoperability If rapid PVST is enabled the switch uses it instead of PVST The switch combines the spanning tree instance of the IEEE 802 1Q VLAN of the trunk with the spanning tree instance of the non Cisco IEEE 802 ...

Page 361: ...ult spanning tree configuration Table 16 3 Default Spanning Tree Configuration Feature Default Setting Enable state Enabled on VLAN 1 For more information see the Supported Spanning Tree Instances section on page 16 9 Spanning tree mode PVST Rapid PVST and MSTP are disabled Switch priority 32768 Spanning tree port priority configurable on a per interface basis 128 Spanning tree port cost configura...

Page 362: ...ble spanning tree instances on your switch adding another VLAN anywhere in the VTP domain creates a VLAN that is not running spanning tree on that switch If you have the default allowed list on the trunk ports of that switch the new VLAN is carried on all trunk ports Depending on the topology of the network this could create a loop in the new VLAN that will not be broken particularly if there are ...

Page 363: ...pid PVST Step 3 interface interface id Recommended for rapid PVST mode only Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports VLANs and port channels The VLAN ID range is 1 to 4094 The port channel range is 1 to 48 Step 4 spanning tree link type point to point Recommended for rapid PVST mode only Specify that the link type for this por...

Page 364: ...tch priority from the default value 32768 to a significantly lower value When you enter this command the software checks the switch priority of the root switches for each VLAN Because of the extended system ID support the switch sets its own priority for the specified VLAN to 24576 if this value will cause this switch to become the root for the specified VLAN If any root switch for the specified V...

Page 365: ...d time and the spanning tree vlan vlan id max age global configuration commands Beginning in privileged EXEC mode follow these steps to configure a switch to become the root for the specified VLAN This procedure is optional To return to the default setting use the no spanning tree vlan vlan id root global configuration command Command Purpose Step 1 configure terminal Enter global configuration mo...

Page 366: ...orwarding state You can assign higher priority values lower numerical values to interfaces that you want selected first and lower priority values higher numerical values that you want selected last If all interfaces have the same priority value spanning tree puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces Command Purpose Step 1 configure ...

Page 367: ...configuration mode Valid interfaces include physical ports and port channel logical interfaces port channel port channel number Step 3 spanning tree port priority priority Configure the port priority for an interface For priority the range is 0 to 240 in increments of 16 the default is 128 Valid values are 0 16 32 48 64 80 96 112 128 144 160 176 192 208 224 and 240 All other values are rejected Th...

Page 368: ...terface interface id Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports and port channel logical interfaces port channel port channel number Step 3 spanning tree cost cost Configure the cost for an interface If a loop occurs spanning tree uses the path cost when selecting an interface to place into the forwarding state A lower path cost...

Page 369: ...C mode follow these steps to configure the switch priority of a VLAN This procedure is optional To return to the default setting use the no spanning tree vlan vlan id priority global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree vlan vlan id priority priority Configure the switch priority of a VLAN For vlan id you can specify a...

Page 370: ...imers Variable Description Hello timer Controls how often the switch broadcasts hello messages to other switches Forward delay timer Controls how long each of the listening and learning states last before the interface begins forwarding Maximum age timer Controls the amount of time the switch stores protocol information received on an interface Transmit hold count Controls the number of BPDUs that...

Page 371: ...istening states to the forwarding state For vlan id you can specify a single VLAN identified by VLAN ID number a range of VLANs separated by a hyphen or a series of VLANs separated by a comma The range is 1 to 4094 For seconds the range is 4 to 30 the default is 15 Step 3 end Return to privileged EXEC mode Step 4 show spanning tree vlan vlan id Verify your entries Step 5 copy running config startu...

Page 372: ...y using the clear spanning tree interface interface id privileged EXEC command For information about other keywords for the show spanning tree privileged EXEC command see the command reference for this release Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree transmit hold count value Configure the number of BPDUs that can be sent before pausing for 1 s...

Page 373: ...e MST mode the Rapid Spanning Tree Protocol RSTP which is based on IEEE 802 1w is automatically enabled The RSTP provides rapid convergence of the spanning tree through explicit handshaking that eliminates the IEEE 802 1D forwarding delay and quickly transitions root ports and designated ports to the forwarding state Both MSTP and RSTP improve the spanning tree operation and maintain backward comp...

Page 374: ...witches with the same MST configuration information A collection of interconnected switches that have the same MST configuration comprises an MST region as shown in Figure 17 1 on page 17 4 The MST configuration controls to which MST region each switch belongs The configuration includes the name of the region the revision number and the MST VLAN to instance assignment map You configure the switch ...

Page 375: ...tree algorithm running among switches that support the IEEE 802 1w IEEE 802 1s and IEEE 802 1D standards The CIST inside an MST region is the same as the CST outside a region For more information see the Operations Within an MST Region section on page 17 3 and the Operations Between MST Regions section on page 17 4 Note The implementation of the IEEE 802 1s standard changes some of the terminology...

Page 376: ...e in the CIST that encompasses the entire switched domain The root of the subtree is the CIST regional root The MST region appears as a virtual switch to adjacent STP switches and MST regions Figure 17 1 shows a network with three MST regions and a legacy IEEE 802 1D switch D The CIST regional root for region 1 A is also the CIST root The CIST regional root for region 2 B and the CIST regional roo...

Page 377: ...virtual switches and switches that do not belong to any region The CIST regional root was called the IST master in the prestandard implementation If the CIST root is in the region the CIST regional root is the CIST root Otherwise the CIST regional root is the closest switch to the CIST root in the region The CIST regional root acts as a root switch for the IST The CIST internal root path cost is t...

Page 378: ...sage is internal the CIST part is received by the CIST and each MST instance receives its respective M record The Cisco prestandard implementation treats a port that receives an external message as a boundary port This means a port cannot receive a mix of internal and external messages An MST region includes both switches and LANs A segment belongs to the region of its designated port Therefore a ...

Page 379: ...estandard switches can fail you can use an interface configuration command to identify prestandard ports A region cannot be formed between a standard and a prestandard switch but they can interoperate by using the CIST Only the capability of load balancing over different instances is lost in that particular case The CLI displays different flags depending on the port configuration when a port recei...

Page 380: ... configuration BPDU a BPDU with the protocol version set to 0 it sends only IEEE 802 1D BPDUs on that port An MSTP switch also can detect that a port is at the boundary of a region when it receives a legacy BPDU an MSTP BPDU Version 3 associated with a different region or an RSTP BPDU Version 2 However the switch does not automatically revert to the MSTP mode if it no longer receives IEEE 802 1D B...

Page 381: ...the root switch to that provided by the current root port Backup port Acts as a backup for the path provided by a designated port toward the leaves of the spanning tree A backup port can exist only when two ports are connected in a loopback by a point to point link or when a switch has two or more connections to a shared LAN segment Disabled port Has no role within the operation of the spanning tr...

Page 382: ...r numerical value than the priority of Switch B Switch A sends a proposal message a configuration BPDU with the proposal flag set to Switch B proposing itself as the designated switch After receiving the proposal message Switch B selects as its new root port the port from which the proposal message was received forces all nonedge ports to the blocking state and sends an agreement message a BPDU wi...

Page 383: ...d An individual port on the switch is synchronized if That port is in the blocking state It is an edge port a port configured to be at the edge of the network If a designated port is in the forwarding state and is not configured as an edge port it transitions to the blocking state when the RSTP forces it to synchronize with new root information In general when the RSTP forces a port to synchronize...

Page 384: ...s During Rapid Convergence Bridge Protocol Data Unit Format and Processing The RSTP BPDU format is the same as the IEEE 802 1D BPDU format except that the protocol version is set to 2 A new 1 byte Version 1 Length field is set to zero which means that no version 1 protocol information is present Table 17 3 shows the RSTP flag fields 2 Block 9 Forward 1 Proposal 4 Agreement 6 Proposal Root port Des...

Page 385: ...rt to the blocking state but does not send the agreement message The designated port continues sending BPDUs with the proposal flag set until the forward delay timer expires at which time the port transitions to the forwarding state Processing Inferior BPDU Information If a designated port receives an inferior BPDU higher switch ID higher path cost and so forth than currently stored for the port w...

Page 386: ...RSTP switch is using IEEE 802 1D BPDUs on a port and receives an RSTP BPDU after the timer has expired it restarts the timer and starts using RSTP BPDUs on that port Configuring MSTP Features These sections contain this configuration information Default MSTP Configuration page 17 14 MSTP Configuration Guidelines page 17 15 Specifying the MST Region Configuration and Enabling MSTP page 17 16 requir...

Page 387: ...n page 11 20 VTP propagation of the MST configuration is not supported However you can manually configure the MST configuration region name revision number and VLAN to instance mapping on each switch within the MST region by using the command line interface CLI or through the SNMP support For load balancing across redundant paths in the network to work all VLAN to instance mapping assignments must...

Page 388: ...ure is required Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree mst configuration Enter MST configuration mode Step 3 instance instance id vlan vlan range Map VLANs to an MST instance For instance id the range is 0 to 4094 For vlan vlan range the range is 1 to 4094 When you map VLANs to an MST instance the mapping is incremental and the VLANs specifie...

Page 389: ... and the switch MAC address is associated with each instance For a group of VLANs the switch with the lowest switch ID becomes the root switch To configure a switch to become the root use the spanning tree mst instance id root global configuration command to modify the switch priority from the default value 32768 to a significantly lower value so that the switch becomes the root switch for the spe...

Page 390: ...tting use the no spanning tree mst instance id root global configuration command Configuring a Secondary Root Switch When you configure a switch with the extended system ID support as the secondary root the switch priority is modified from the default value 32768 to 28672 The switch is then likely to become the root switch for the specified instance if the primary root switch fails This is assumin...

Page 391: ...riority value the MSTP puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree mst instance id root secondary diameter net diameter hello time seconds Configure a switch as the secondary root switch For instance id you can specify a single instance a ra...

Page 392: ...d last If all interfaces have the same cost value the MSTP puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports and port channel...

Page 393: ...anning tree mst instance id root secondary global configuration commands to modify the switch priority Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports and port channel logical interfaces The port channel range is 1 to 48 Step 3 spa...

Page 394: ... instance a range of instances separated by a hyphen or a series of instances separated by a comma The range is 0 to 4094 For priority the range is 0 to 61440 in increments of 4096 the default is 32768 The lower the number the more likely the switch will be chosen as the root switch Priority values are 0 4096 8192 12288 16384 20480 24576 28672 32768 36864 40960 45056 49152 53248 57344 and 61440 Al...

Page 395: ...forward time seconds Configure the forward time for all MST instances The forward delay is the number of seconds a port waits before changing from its spanning tree learning and listening states to the forwarding state For seconds the range is 4 to 30 the default is 15 Step 3 end Return to privileged EXEC mode Step 4 show spanning tree mst Verify your entries Step 5 copy running config startup con...

Page 396: ...d transitions to the forwarding state Beginning in privileged EXEC mode follow these steps to override the default link type setting This procedure is optional To return the port to its default setting use the no spanning tree link type interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree mst max hops hop count Specify the n...

Page 397: ...STP switch also can detect that a port is at the boundary of a region when it receives a legacy BPDU an MST BPDU Version 3 associated with a different region or an RST BPDU Version 2 However the switch does not automatically revert to the MSTP mode if it no longer receives IEEE 802 1D BPDUs because it cannot detect whether the legacy switch has been removed from the link unless the legacy switch i...

Page 398: ...er keywords for the show spanning tree privileged EXEC command see the command reference for this release Table 17 5 Commands for Displaying MST Status Command Purpose show spanning tree mst configuration Displays the MST region configuration show spanning tree mst configuration digest Displays the MD5 digest included in the current MSTCI show spanning tree mst instance id Displays MST information...

Page 399: ...ning Tree Protocol MSTP and how to map multiple VLANs to the same spanning tree instance see Chapter 17 Configuring MSTP Note For complete syntax and usage information for the commands used in this chapter see the command reference for this release This chapter consists of these sections Understanding Optional Spanning Tree Features page 18 1 Configuring Optional Spanning Tree Features page 18 9 D...

Page 400: ... a spanning tree loop You can enable this feature by using the spanning tree portfast interface configuration or the spanning tree portfast default global configuration command Figure 18 1 Port Fast Enabled Interfaces Understanding BPDU Guard The BPDU guard feature can be globally enabled on the switch or can be enabled per port but the feature operates with some differences At the global level yo...

Page 401: ...command prevents interfaces that are in a Port Fast operational state from sending or receiving BPDUs The interfaces still send a few BPDUs at link up before the switch begins to filter outbound BPDUs You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs If a BPDU is received on a Port Fast enabled interface the interface loses its P...

Page 402: ...parameter is 150 packets per second However if you enter zero station learning frames are not generated so the spanning tree topology converges more slowly after a loss of connectivity Note UplinkFast is most useful in wiring closet switches at the access or edge of the network It is not appropriate for backbone devices This feature might not be useful for other types of applications UplinkFast pr...

Page 403: ...h stores protocol information received on an interface When a switch receives an inferior BPDU from the designated port of another switch the BPDU is a signal that the other switch might have lost its path to the root and BackboneFast tries to find an alternate path to the root BackboneFast which is enabled by using the spanning tree backbonefast global configuration command starts when a root por...

Page 404: ...ply If one or more alternate paths can still connect to the root switch the switch makes all interfaces on which it received an inferior BPDU its designated ports and moves them from the blocking state if they were in the blocking state through the listening and learning states and into the forwarding state Figure 18 5 shows an example topology with no link failures Switch A the root switch connec...

Page 405: ...can use EtherChannel guard to detect an EtherChannel misconfiguration between the switch and a connected device A misconfiguration can occur if the switch interfaces are configured in an EtherChannel but the interfaces on the other device are not A misconfiguration can also occur if the channel parameters are not the same at both ends of the EtherChannel For EtherChannel configuration guidelines s...

Page 406: ...cts a new root switch The customer s switch does not become the root switch and is not in the path to the root If the switch is operating in multiple spanning tree MST mode root guard forces the interface to be a designated port If a boundary port is blocked in an internal spanning tree IST instance because of root guard the interface also is blocked in all MST instances A boundary port is an inte...

Page 407: ...nterface is blocked by loop guard in all MST instances On a boundary port loop guard blocks the interface in all MST instances Configuring Optional Spanning Tree Features These sections contain this configuration information Default Optional Spanning Tree Configuration page 18 9 Optional Spanning Tree Configuration Guidelines page 18 10 Enabling Port Fast page 18 10 optional Enabling BPDU Guard pa...

Page 408: ...utomatically enabled When you disable voice VLAN the Port Fast feature is not automatically disabled For more information see Chapter 13 Configuring Voice VLAN You can enable this feature if your switch is running PVST rapid PVST or MSTP Beginning in privileged EXEC mode follow these steps to enable Port Fast This procedure is optional Command Purpose Step 1 configure terminal Enter global configu...

Page 409: ...U guard feature provides a secure response to invalid configurations because you must manually put the port back in service Use the BPDU guard feature in a service provider network to prevent an access port from participating in the spanning tree Caution Configure Port Fast only on ports that connect to end stations otherwise an accidental topology loop could cause a data packet loop and disrupt s...

Page 410: ...use the spanning tree bpdufilter enable interface configuration command to enable BPDU filtering on any interface without also enabling the Port Fast feature This command prevents the interface from sending or receiving BPDUs Caution Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in spanning tree loops You can enable the BPDU filtering feature i...

Page 411: ... path cost is not altered The changes to the switch priority and the path cost reduce the chance that a switch will become the root switch When UplinkFast is disabled the switch priorities of all VLANs and path costs of all interfaces are set to default values if you did not modify them from their defaults To return the update packet rate to the default setting use the no spanning tree uplinkfast ...

Page 412: ...iguration command You can use the show interfaces status err disabled privileged EXEC command to show which switch ports are disabled because of an EtherChannel misconfiguration On the remote device you can enter the show etherchannel summary privileged EXEC command to verify the EtherChannel configuration After the configuration is corrected enter the shutdown and no shutdown interface configurat...

Page 413: ... Guard You can use loop guard to prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link This feature is most effective when it is configured on the entire switched network Loop guard operates only on interfaces that are considered point to point by the spanning tree Note You cannot enable both loop guard and root guard at the same ti...

Page 414: ...spanning tree privileged EXEC command see the command reference for this release Step 3 spanning tree loopguard default Enable loop guard By default loop guard is disabled Step 4 end Return to privileged EXEC mode Step 5 show running config Verify your entries Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Table 18 2 Commands for Disp...

Page 415: ...ex Links and MAC Address Table Move Update page 19 4 Monitoring Flex Links and the MAC Address Table Move Update Information page 19 11 Understanding Flex Links and the MAC Address Table Move Update This section contains this information Flex Links page 19 1 VLAN Flex Link Load Balancing and Support page 19 2 MAC Address Table Move Update page 19 3 Flex Links Flex Links are a pair of a Layer 2 int...

Page 416: ...also choose to configure a preemption mechanism specifying the preferred port for forwarding traffic For example in the example in Figure 19 1 you can configure the Flex Links pair with preemption mode In the scenario shown when port 1 comes back up and has more bandwidth than port 2 port 1 begins forwarding traffic after 60 seconds Port 2 becomes the standby port You do this by entering the inter...

Page 417: ...oves the MAC address of the PC on port 3 and relearns it on port 4 traffic can then be forwarded from the server to the PC through port 2 If the MAC address table move update feature is configured and enabled on the switches in Figure 19 3 and port 1 goes down port 2 starts forwarding traffic from the PC to the server The switch sends a MAC address table move update packet from port 2 Switch C get...

Page 418: ...MAC Address Table Move Update Example Configuring Flex Links and MAC Address Table Move Update These sections contain this information Configuration Guidelines page 19 5 Default Configuration page 19 5 Configuring Flex Links page 19 6 Configuring VLAN Load Balancing on Flex Links page 19 7 Configuring the MAC Address Table Move Update Feature page 19 9 Switch C Port 3 Port 1 Port 2 Port 4 Switch A...

Page 419: ...active link However you should configure both Flex Links with similar characteristics so that there are no loops or changes in behavior if the standby link begins to forward traffic STP is disabled on Flex Link ports A Flex Link port does not participate in STP even if the VLANs present on the port are configured for STP When STP is not enabled be sure that there are no loops in the configured top...

Page 420: ... interface id Specify the interface and enter interface configuration mode The interface can be a physical Layer 2 interface or a port channel logical interface The port channel range is 1 to 48 Step 3 switchport backup interface interface id Configure a physical Layer 2 interface or port channel as part of a Flex Link pair with the interface When one link is forwarding traffic the other interface...

Page 421: ...de follow these steps to configure VLAN load balancing on Flex Links Step 4 switchport backup interface interface id preemption mode forced bandwidth off Configure a preemption mechanism and delay for a Flex Link interface pair You can configure the preemption as Forced the active interface always preempts the backup Bandwidth the interface with the higher bandwidth always acts as the active inter...

Page 422: ...h Backup Interface Pairs Active Interface Backup Interface State GigabitEthernet0 6 GigabitEthernet0 8 Active Down Backup Up Vlans Preferred on Active Interface 1 50 Vlans Preferred on Backup Interface 60 100 120 When a Flex Link interface comes up VLANs preferred on this interface are blocked on the peer interface and moved to the forwarding state on the interface that has just come up In this ex...

Page 423: ...id Specify the interface and enter interface configuration mode The interface can be a physical Layer 2 interface or a port channel logical interface The port channel range is 1 to 48 Step 3 switchport backup interface interface id or switchport backup interface interface id mmu primary vlan vlan id Configure a physical Layer 2 interface or port channel as part of a Flex Link pair with the interfa...

Page 424: ... Off On Xmt Off On Max packets per min Rcv 40 Xmt 60 Rcv packet count 5 Rcv conforming packet count 5 Rcv invalid packet count 0 Rcv packet count this min 0 Rcv threshold exceed count 0 Rcv last sequence this min 0 Rcv last interface Po2 Rcv last src mac address 000b 462d c502 Rcv last switch ID 0403 fd6a 8700 Xmt packet count 0 Xmt packet count this min 0 Xmt threshold exceed count 0 Xmt pak buf ...

Page 425: ...f end Monitoring Flex Links and the MAC Address Table Move Update Information Table 19 1 shows the privileged EXEC commands for monitoring the Flex Links configuration and the MAC address table move update information Table 19 1 Flex Links and MAC Address Table Move Update Monitoring Commands Command Purpose show interface interface id switchport backup Displays the Flex Link backup interface conf...

Page 426: ...st Blade Switch 3020 for HP Software Configuration Guide OL 8915 03 Chapter 19 Configuring Flex Links and the MAC Address Table Move Update Feature Monitoring Flex Links and the MAC Address Table Move Update Information ...

Page 427: ...e sections Understanding DHCP Features page 20 1 Configuring DHCP Features page 20 7 Displaying DHCP Snooping Information page 20 15 Understanding IP Source Guard page 20 15 Configuring IP Source Guard page 20 16 Displaying IP Source Guard Information page 20 18 Understanding DHCP Features DHCP is widely used in LAN environments to dynamically assign host IP addresses from a centralized server whi...

Page 428: ...rmation about this database see the Displaying DHCP Snooping Information section on page 20 15 DHCP snooping acts like a firewall between untrusted hosts and DHCP servers You use DHCP snooping to differentiate between untrusted interfaces connected to the end user and trusted interfaces connected to the DHCP server or another switch Note For DHCP snooping to function properly all DHCP servers must...

Page 429: ...tch can be connected to an edge switch through an untrusted interface and you enter the ip dhcp snooping information option allow untrusted global configuration command the aggregation switch accepts packets with option 82 information from the edge switch The aggregation switch learns the bindings for hosts connected through an untrusted switch interface The DHCP security features such as dynamic ...

Page 430: ... 82 field to the DHCP server The DHCP server receives the packet If the server is option 82 capable it can use the remote ID the circuit ID or both to assign IP addresses and implement policies such as restricting the number of IP addresses that can be assigned to a single remote ID or circuit ID Then the DHCP server echoes the option 82 field in the DHCP reply The DHCP server unicasts the reply t...

Page 431: ...ormation option global configuration command Figure 20 2 Suboption Packet Formats Figure 20 3 shows the packet formats for user configured remote ID and circuit ID suboptions The switch uses these packet formats when DHCP snooping is globally enabled and when the ip dhcp snooping information option format remote id global configuration command and the ip dhcp snooping vlan information option forma...

Page 432: ...inding has an IP address an associated MAC address the lease time in hexadecimal format the interface to which the binding applies and the VLAN to which the interface belongs The database agent stores the bindings in a file at a configured location At the end of each entry is a checksum that accounts for all the bytes from the start of the file through all the bytes associated with the entry Each ...

Page 433: ...h the latest file update from entries associated with a previous file update This is an example of a binding file 2bb4c2a1 TYPE DHCP SNOOPING VERSION 1 BEGIN 192 1 168 1 3 0003 47d8 c91f 2BB6488E Fa1 0 4 21ae5fbb 192 1 168 3 3 0003 44d6 c52f 2BB648EB Fa1 0 4 1bdb223f 192 1 168 2 3 0003 47d9 c8f1 2BB648AB Fa1 0 4 584a38f0 END When the switch starts and the calculated checksum value equals the store...

Page 434: ...e switch relays DHCP packets only if the IP address of the DHCP server is configured on the SVI of the DHCP client DHCP packet forwarding address None configured Checking the relay agent information Enabled invalid messages are dropped 2 DHCP relay agent forwarding policy Replace the existing relay agent information2 DHCP snooping enabled globally Disabled DHCP snooping information option Enabled ...

Page 435: ...vices or set up the DHCP database agent If the DHCP relay agent is enabled but DHCP snooping is disabled the DHCP option 82 data insertion feature is not supported If a switch port is connected to a DHCP server configure a port as trusted by entering the ip dhcp snooping trust interface configuration command If a switch port is connected to a DHCP client configure a port as untrusted by entering t...

Page 436: ...he DHCP server and the DHCP clients are on different networks or subnets you must configure the switch with the ip helper address address interface configuration command The general rule is to configure the command on the Layer 3 interface closest to the client The address used in the ip helper address command can be a specific DHCP server IP address or it can be the network address if other DHCP ...

Page 437: ...ce range configuration mode or Configure a single physical port that is connected to the DHCP client and enter interface configuration mode Step 7 switchport mode access Define the VLAN membership mode for the port Step 8 switchport access vlan vlan id Assign the ports to the same VLAN as configured in Step 2 Step 9 end Return to privileged EXEC mode Step 10 show running config Verify your entries...

Page 438: ...ifier using a VLAN ID in the range of 1 to 4094 The default circuit ID is the port identifier in the format vlan mod port You can configure the circuit ID to be a string of 3 to 63 ASCII characters no spaces Step 9 ip dhcp snooping trust Optional Configure the interface as trusted or untrusted You can use the no keyword to configure an interface to receive messages from an untrusted client The def...

Page 439: ...CP Snooping on Private VLANs You can enable DHCP snooping on private VLANs If DHCP snooping is enabled the configuration is propagated to both a primary VLAN and its associated secondary VLANs If DHCP snooping is enabled on the primary VLAN it is also configured on the secondary VLANs If DHCP snooping is already configured on the primary VLAN and you configure DHCP snooping with different settings...

Page 440: ...t filename tftp host filename Specify the URL for the database agent or the binding file by using one of these forms flash number filename Optional Use the number parameter to specify the stack member number of the stack master The range for number is 1 to 9 ftp user password host filename http username password hostname host ip directory image name tar rcp user host filename tftp host filename St...

Page 441: ... port ACL allows only IP traffic with a source IP address in the IP source binding table and denies all other traffic The IP source binding table has bindings that are learned by DHCP snooping or are manually configured static IP source bindings An entry in this table has an IP address its associated MAC address and its associated VLAN number The switch uses the IP source binding table only when I...

Page 442: ...raffic is filtered based on the source IP and MAC addresses The switch forwards traffic only when the source IP and MAC addresses match an entry in the IP source binding table When IP source guard with source IP and MAC address filtering is enabled the switch filters IP and non IP traffic If the source MAC address of an IP or non IP packet matches a valid IP source binding the switch forwards the ...

Page 443: ...content addressable memory TCAM entries exceeds the maximum available the CPU usage increases Enabling IP Source Guard Beginning in privileged EXEC mode follow these steps to enable and configure IP source guard on an interface Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to be configured and enter interface configura...

Page 444: ...nterface gigabitethernet1 0 1 Switch config ip source binding 0100 0230 0002 vlan 11 10 0 0 4 interface gigabitethernet1 0 1 Switch config end Displaying IP Source Guard Information To display the IP source guard information use one or more of the privileged EXEC commands in Table 20 3 Step 7 show ip verify source interface interface id Display the IP source guard configuration for all interfaces ...

Page 445: ... a MAC address For example Host B wants to send information to Host A but does not have the MAC address of Host A in its ARP cache Host B generates a broadcast message for all hosts within the broadcast domain to obtain the MAC address associated with the IP address of Host A All hosts within the broadcast domain receive the ARP request and Host A responds with its MAC address However because ARP ...

Page 446: ...spection ensures that only valid ARP requests and responses are relayed The switch performs these activities Intercepts all ARP requests and responses on untrusted ports Verifies that each of these intercepted packets has a valid IP to MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination Drops invalid ARP packets Dynamic ARP inspect...

Page 447: ...er connected to Switch A only Switch A binds the IP to MAC address of Host 1 Therefore if the interface between Switch A and Switch B is untrusted the ARP packets from Host 1 are dropped by Switch B Connectivity between Host 1 and Host 2 is lost Figure 21 2 ARP Packet Validation on a VLAN Enabled for Dynamic ARP Inspection Configuring interfaces to be trusted when they are actually untrusted leave...

Page 448: ...ation information see the Limiting the Rate of Incoming ARP Packets section on page 21 10 Relative Priority of ARP ACLs and DHCP Snooping Entries Dynamic ARP inspection uses the DHCP snooping binding database for the list of valid IP to MAC address bindings ARP ACLs take precedence over entries in the DHCP snooping binding database The switch uses ACLs only if you configure them by using the ip ar...

Page 449: ... ARP Inspection Configuration Table 21 1 shows the default dynamic ARP inspection configuration Table 21 1 Default Dynamic ARP Inspection Configuration Feature Default Setting Dynamic ARP inspection Disabled on all VLANs Interface trust state All interfaces are untrusted Rate limit of incoming ARP packets The rate is 15 pps on untrusted interfaces assuming that the network is a switched network wi...

Page 450: ...hannel Consequently the trust state of the first physical port need not match the trust state of the channel Conversely when you change the trust state on the port channel the switch configures a new trust state on all the physical ports that comprise the channel The operating rate for the port channel is cumulative across all the physical ports within the channel For example if you configure the ...

Page 451: ... inspection You must perform this procedure on both switches This procedure is required Command Purpose Step 1 show cdp neighbors Verify the connection between the switches Step 2 configure terminal Enter global configuration mode Step 3 ip arp inspection vlan vlan range Enable dynamic ARP inspection on a per VLAN basis By default dynamic ARP inspection is disabled on all VLANs For vlan range spec...

Page 452: ...2 To prevent this possibility you must configure port 1 on Switch A as untrusted To permit ARP packets from Host 2 you must set up an ARP ACL and apply it to VLAN 1 If the IP address of Host 2 is not static it is impossible to apply the ACL configuration on Switch A you must separate Switch A from Switch B at Layer 3 and use a router to route packets between them Beginning in privileged EXEC mode ...

Page 453: ... defined ARP ACLs are applied to any VLAN For arp acl name specify the name of the ACL created in Step 2 For vlan range specify the VLAN that the switches and hosts are in You can specify a single VLAN identified by VLAN ID number a range of VLANs separated by a hyphen or a series of VLANs separated by a comma The range is 1 to 4094 Optional Specify static to treat implicit denies in the ARP ACL a...

Page 454: ...ror disabled recovery so that ports automatically emerge from this state after a specified timeout period Note Unless you configure a rate limit on an interface changing the trust state of the interface also changes its rate limit to the default value for that trust state After you configure the rate limit the interface retains the rate limit even when its trust state is changed If you enter the n...

Page 455: ...equests and responses on the interface The default rate is 15 pps on untrusted interfaces and unlimited on trusted interfaces The burst interval is 1 second The keywords have these meanings For rate pps specify an upper limit for the number of incoming packets processed per second The range is 0 to 2048 pps Optional For burst interval seconds specify the consecutive interval in seconds over which ...

Page 456: ...eanings For src mac check the source MAC address in the Ethernet header against the sender MAC address in the ARP body This check is performed on both ARP requests and responses When enabled packets with different MAC addresses are classified as invalid and are dropped For dst mac check the destination MAC address in the Ethernet header against the target MAC address in ARP body This check is perf...

Page 457: ...ntries in the log buffer or increase the logging rate Beginning in privileged EXEC mode follow these steps to configure the log buffer This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip arp inspection log buffer entries number logs number interval seconds Configure the dynamic ARP inspection logging buffer By default when dynamic ARP insp...

Page 458: ...LANs separated by a comma The range is 1 to 4094 For acl match matchlog log packets based on the ACE logging configuration If you specify the matchlog keyword in this command and the log keyword in the permit or deny ARP access list configuration command ARP packets permitted or denied by the ACL are logged For acl match none do not log packets that match ACLs For dhcp bindings all log all packets...

Page 459: ...rivileged EXEC commands in Table 21 4 For more information about these commands see the command reference for this release Table 21 3 Commands for Clearing or Displaying Dynamic ARP Inspection Statistics Command Description clear ip arp inspection statistics Clears dynamic ARP inspection statistics show ip arp inspection statistics vlan vlan range Displays statistics for forwarded dropped MAC vali...

Page 460: ...21 16 Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide OL 8915 03 Chapter 21 Configuring Dynamic ARP Inspection Displaying Dynamic ARP Inspection Information ...

Page 461: ...g Note For complete syntax and usage information for the commands used in this chapter see the switch command reference for this release and the IP Multicast Routing Commands section in the Cisco IOS IP Command Reference Volume 3 of 3 Multicast Release 12 2 from the Cisco com page under Documentation Cisco IOS Software 12 2 Mainline Command References This chapter consists of these sections Unders...

Page 462: ...in request The switch supports IP multicast group based bridging rather than MAC addressed based groups With multicast MAC address based groups if an IP address being configured translates aliases to a previously configured MAC address or to any reserved multicast MAC addresses in the range 224 0 0 xxx the command fails Because the switch uses IP multicast groups there are no address aliasing issu...

Page 463: ... or IGMPv1 hosts Note IGMPv3 join and leave messages are not supported on switches running IGMP filtering or MVR An IGMPv3 switch can receive messages from and forward messages to a device running the Source Specific Multicast SSM feature For more information about source specific multicast with IGMPv3 and IGMP see the following URL http www cisco com univercd cc td doc product software ios121 121...

Page 464: ...multicast group The information in the table tells the switching engine to send frames addressed to the 224 1 2 3 multicast IP address that are not IGMP packets to the router and to the host that has joined the group If another blade server for example Blade Server 4 sends an unsolicited IGMP join message for the same group Figure 22 2 the CPU receives that message and adds the port number of Blad...

Page 465: ...maintained by IGMP snooping When blade servers want to leave a multicast group they can silently leave or they can send a leave message When the switch receives a leave message from a blade server it sends a group specific query to learn if any other devices connected to that interface are interested in traffic for the specific multicast group The switch then updates the forwarding table for that ...

Page 466: ... be configured from 100 to 5000 milliseconds The timer can be set either globally or on a per VLAN basis The VLAN configuration of the leave time overrides the global configuration For configuration steps see the Configuring the IGMP Leave Timer section on page 22 11 IGMP Report Suppression Note IGMP report suppression is supported only when the multicast query has IGMPv1 and IGMPv2 reports This f...

Page 467: ...oin a Group page 22 10 Enabling IGMP Immediate Leave page 22 11 Configuring the IGMP Leave Timer page 22 11 Configuring TCN Related Commands page 22 12 Configuring the IGMP Snooping Querier page 22 14 Disabling IGMP Report Suppression page 22 16 Default IGMP Snooping Configuration Table 22 3 shows the default IGMP snooping configuration Table 22 3 Default IGMP Snooping Configuration Feature Defaul...

Page 468: ...mmand for the specified VLAN number Setting the Snooping Method Multicast capable router ports are added to the forwarding table for every Layer 2 multicast entry The switch learns of such ports through one of these methods Snooping on IGMP queries Protocol Independent Multicast PIM packets and Distance Vector Multicast Routing Protocol DVMRP packets Listening to Cisco Group Management Protocol CG...

Page 469: ... VLAN interface dynamically accesses a multicast router To return to the default learning method use the no ip igmp snooping vlan vlan id mrouter learn cgmp global configuration command This example shows how to configure IGMP snooping to use CGMP packets as the learning method Switch configure terminal Switch config ip igmp snooping vlan 1 mrouter learn cgmp Switch config end Configuring a Multic...

Page 470: ...gure terminal Enter global configuration mode Step 2 ip igmp snooping vlan vlan id mrouter interface interface id Specify the multicast router VLAN ID and the interface to the multicast router The VLAN ID range is 1 to 1001 and 1006 to 4094 The interface can be a physical interface or a port channel The port channel range is 1 to 48 Step 3 end Return to privileged EXEC mode Step 4 show ip igmp sno...

Page 471: ...lan id immediate leave global configuration command This example shows how to enable IGMP Immediate Leave on VLAN 130 Switch configure terminal Switch config ip igmp snooping vlan 130 immediate leave Switch config end Configuring the IGMP Leave Timer Follows these guidelines when configuring the IGMP leave timer You can configure the leave time globally or on a per VLAN basis Configuring the leave...

Page 472: ...e number of general queries for which multicast data traffic is flooded after a TCN event Some examples of TCN events are when the client changed its location and the receiver is on same port that was blocked but is now forwarding and when a port went down without sending a leave message If you set the TCN flood query count to 1 by using the ip igmp snooping tcn flood query count command the flood...

Page 473: ...icitation is disabled Beginning in privileged EXEC mode follow these steps to enable the switch to send the global leave message whether or not it is the spanning tree root To return to the default query solicitation use the no ip igmp snooping tcn query solicit global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip igmp snooping tcn flood ...

Page 474: ... querier If there is no global IP address specified the IGMP querier tries to use the VLAN switch virtual interface SVI IP address if one exists If there is no SVI IP address the switch uses the first available IP address configured on the switch The first IP address available appears in the output of the show ip interface privileged EXEC command The IGMP snooping querier does not generate an IGMP...

Page 475: ... IGMP snooping querier Step 3 ip igmp snooping querier address ip_address Optional Specify an IP address for the IGMP snooping querier If you do not specify an IP address the querier tries to use the global IP address configured for the IGMP querier Note The IGMP snooping querier does not generate an IGMP general query if it cannot find an IP address on the switch Step 4 ip igmp snooping querier q...

Page 476: ...st entries for a VLAN configured for IGMP snooping To display IGMP snooping information use one or more of the privileged EXEC commands in Table 22 4 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 no ip igmp snooping report suppression Disable IGMP report suppression Step 3 end Return to privileged EXEC mode Step 4 show ip igmp snooping Verify that IGMP report sup...

Page 477: ...disabled without affecting the behavior of the other feature However if IGMP show ip igmp snooping groups vlan vlan id ip_address count dynamic count user count Display multicast table information for a multicast VLAN or about a specific parameter for the VLAN vlan id The VLAN ID range is 1 to 1001 and 1006 to 4094 count Display the total number of entries for the specified command options instead...

Page 478: ...r In dynamic mode multicast data received by MVR hosts on the switch is forwarded from only those MVR data and client ports that the MVR hosts have joined either by IGMP reports or by MVR static configuration Any IGMP reports received from MVR hosts are also forwarded from all the MVR data ports in the blade server This eliminates using unnecessary bandwidth on MVR data port links which occurs whe...

Page 479: ...embership reports If no reports are received in a configured time period the receiver port is removed from multicast group membership With Immediate Leave an IGMP query is not sent from the receiver port on which the IGMP leave was received As soon as the leave message is received the receiver port is removed from multicast group membership which speeds up leave latency Enable the Immediate Leave ...

Page 480: ...ation Guidelines and Limitations page 22 20 Configuring MVR Global Parameters page 22 21 Configuring MVR Interfaces page 22 22 Default MVR Configuration Table 22 5 shows the default MVR configuration MVR Configuration Guidelines and Limitations Follow these guidelines when configuring MVR Receiver ports can only be access ports they cannot be trunk ports Receiver ports on a switch can be in differ...

Page 481: ...d Purpose Step 1 configure terminal Enter global configuration mode Step 2 mvr Enable MVR on the switch Step 3 mvr group ip address count Configure an IP multicast address on the switch or use the count parameter to configure a contiguous series of MVR group addresses the range for count is 1 to 256 the default is 1 Any multicast data sent to this address is sent to all source ports on the switch ...

Page 482: ...mvr members Verify the configuration Step 9 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mvr Enable MVR on the switch Step 3 interface interface id Specify the Layer 2 port to configure and enter interface configuration mode Step 4 mvr type source receiver Con...

Page 483: ... DOWN ENABLED Step 5 mvr vlan vlan id group ip address Optional Statically configure a port to receive multicast traffic sent to the multicast VLAN and the IP multicast address A port statically configured as a member of a group remains a member of the group until statically removed Note In compatible mode this command applies to only receiver ports In dynamic mode it applies to receiver ports and...

Page 484: ...ulticast group the IGMP report from the port is forwarded for normal processing You can also set the maximum number of IGMP groups that a Layer 2 interface can join IGMP filtering controls only group specific query and membership reports including join and leave reports It does not control general IGMP queries IGMP filtering has no relationship with the function that directs the forwarding of IP m...

Page 485: ...f IGMP Groups page 22 27 optional Configuring the IGMP Throttling Action page 22 28 optional Default IGMP Filtering and Throttling Configuration Table 22 7 shows the default IGMP filtering configuration When the maximum number of groups is in forwarding table the default IGMP throttling action is to deny the IGMP report For configuration guidelines see the Configuring the IGMP Throttling Action se...

Page 486: ...fault it would not appear in the show ip igmp profile output display Switch config ip igmp profile 4 Switch config igmp profile permit Switch config igmp profile range 229 9 9 0 Switch config igmp profile end Switch show ip igmp profile 4 IGMP Profile 4 permit range 229 9 9 0 229 9 9 0 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip igmp profile profile number A...

Page 487: ... configuration command Use the no form of this command to set the maximum back to the default which is no limit This restriction can be applied to Layer 2 ports only you cannot set a maximum number of IGMP groups on routed ports or SVIs You also can use this command on a logical EtherChannel interface but cannot use it on ports that belong to an EtherChannel port group Beginning in privileged EXEC...

Page 488: ...mum entering the ip igmp max groups action deny replace command has no effect If you configure the throttling action and set the maximum group limitation after an interface has added multicast entries to the forwarding table the forwarding table entries are either aged out or removed depending on the throttling action If you configure the throttling action as deny the entries that were previously ...

Page 489: ...l interface to be configured and enter interface configuration mode The interface can be a Layer 2 port that does not belong to an EtherChannel group or an EtherChannel interface The interface cannot be a trunk port Step 3 ip igmp max groups action deny replace When an interface receives an IGMP report and the maximum number of entries is in the forwarding table specify the action that the interfa...

Page 490: ...22 30 Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide OL 8915 03 Chapter 22 Configuring IGMP Snooping and MVR Displaying IGMP Filtering and Throttling Configuration ...

Page 491: ... Control page 23 1 Default Storm Control Configuration page 23 3 Configuring Storm Control and Threshold Levels page 23 3 Configuring Small Frame Arrival Rate page 23 5 Understanding Storm Control Storm control prevents traffic on a LAN from being disrupted by a broadcast multicast or unicast storm on one of the physical interfaces A LAN storm occurs when packets flood the LAN creating excessive t...

Page 492: ...ast traffic is reached all multicast traffic except control traffic such as bridge protocol data unit BDPU and Cisco Discovery Protocol CDP frames are blocked However the switch does not differentiate between routing updates and regular multicast data traffic so both types of traffic are blocked The graph in Figure 23 1 shows broadcast traffic patterns on an interface over a given period of time T...

Page 493: ...nter the threshold level that you want to be used for a particular type of traffic However because of hardware limitations and the way in which packets of different sizes are counted threshold percentages are approximations Depending on the sizes of the packets making up the incoming traffic the actual enforced threshold might differ from the configured level by several percentage points Note Stor...

Page 494: ...e rising threshold level for broadcast multicast or unicast traffic in bits per second up to one decimal place The port blocks traffic when the rising threshold is reached The range is 0 0 to 10000000000 0 Optional For bps low specify the falling threshold level in bits per second up to one decimal place It can be less than or equal to the rising threshold level The port forwards traffic when traf...

Page 495: ...or disabled if small frames arrive at a specified rate threshold You globally enable the small frame arrival feature on the switch and then configure the small frame threshold for packets on each interface Packets smaller than the minimum size and arriving at a specified rate the threshold are dropped since the port is error disabled If the errdisable recovery cause small frame global configuratio...

Page 496: ... not forward any traffic unicast multicast or broadcast to any other port that is also a protected port Data traffic cannot be forwarded between protected ports at Layer 2 only control traffic such as PIM packets is forwarded because these packets are processed by the CPU and forwarded in software All data traffic passing between protected ports must be forwarded through a Layer 3 device Forwardin...

Page 497: ...ports For more information about private VLANs see Chapter 14 Configuring Private VLANs Configuring a Protected Port Beginning in privileged EXEC mode follow these steps to define a port as a protected port To disable protected port use the no switchport protected interface configuration command This example shows how to configure a port as a protected port Switch configure terminal Switch config ...

Page 498: ...block multicast or unicast traffic for a port channel it is blocked on all ports in the port channel group Beginning in privileged EXEC mode follow these steps to disable the flooding of multicast and unicast packets out of an interface To return the interface to the default condition where no traffic is blocked and normal forwarding occurs on the port use the no switchport block multicast unicast...

Page 499: ...onfiguration page 23 11 Port Security Configuration Guidelines page 23 11 Enabling and Configuring Port Security page 23 13 Enabling and Configuring Port Security Aging page 23 17 Port Security and Private VLANs page 23 19 Understanding Port Security These sections contain this conceptual information Secure MAC Addresses page 23 9 Security Violations page 23 10 Secure MAC Addresses You configure t...

Page 500: ...uations occurs The maximum number of secure MAC addresses have been added to the address table and a station whose MAC address is not in the address table attempts to access the interface An address learned or configured on one secure interface is seen on another secure interface in the same VLAN You can configure the interface for one of three violation modes based on the action to be taken if a ...

Page 501: ...witched Port Analyzer SPAN Table 23 1 Security Violation Mode Actions Violation Mode Traffic is forwarded1 1 Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses Sends SNMP trap Sends syslog message Displays error message2 2 The switch returns an error message if you manually configure an address that would cause a security violation Violat...

Page 502: ...ious value the new value overwrites the previously configured value If the new value is less than the previous value and the number of configured secure addresses on the interface exceeds the new value the command is rejected The switch does not support port security aging of sticky secure MAC addresses Table 23 3 summarizes port security compatibility with other port based features Table 23 3 Por...

Page 503: ...an list access voice Optional Set the maximum number of secure MAC addresses for the interface The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system This number is set by the active Switch Database Management SDM template See Chapter 6 Configuring the Switch SDM Template This number is the total o...

Page 504: ... has not reached its maximum limit restrict When the number of secure MAC addresses reaches the limit allowed on the port packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses An SNMP trap is sent a syslog message is logged and the violation counter increments shutdown The interface is er...

Page 505: ...is configured for voice VLAN configure a maximum of two secure MAC addresses Step 9 switchport port security mac address sticky Optional Enable sticky learning on the interface Step 10 switchport port security mac address sticky mac address vlan vlan id access voice Optional Enter a sticky secure MAC address repeating the command as many times as necessary If you configure fewer secure MAC address...

Page 506: ...d dynamic or sticky on the switch or on an interface To delete a specific secure MAC address from the address table use the no switchport port security mac address mac address interface configuration command To delete all dynamic secure addresses on an interface from the address table enter the no switchport port security interface configuration command followed by the switchport port security com...

Page 507: ... mac address sticky 0000 0000 0001 vlan voice Switch config if switchport port security mac address 0000 0000 0004 vlan voice Switch config if switchport port security maximum 10 vlan access Switch config if switchport port security maximum 10 vlan voice Enabling and Configuring Port Security Aging You can use port security aging to set the aging time for all secure addresses on a port Two types o...

Page 508: ...c You can verify the previous commands by entering the show port security interface interface id privileged EXEC command Step 3 switchport port security aging static time time type absolute inactivity Enable or disable static aging for the secure port or set the aging time or type Note The switch does not support port security aging of sticky secure addresses Enter static to enable aging for stati...

Page 509: ...n a secure PVLAN port the same secure address cannot be learned on another secure PVLAN port belonging to the same primary VLAN However an address learned on unsecure PVLAN port can be learned on a secure PVLAN port belonging to same primary VLAN Secure addresses that are learned on host port get automatically replicated on associated primary VLANs and similarly secure addresses learned on promisc...

Page 510: ...tus of all switching nonrouting ports or the specified port including port blocking and port protection settings show storm control interface id broadcast multicast unicast Displays storm control suppression levels set on all interfaces or the specified interface for the specified traffic type or for broadcast traffic if no traffic type is entered show port security interface interface id Displays...

Page 511: ...ighbors of already known devices With CDP network management applications can learn the device type and the Simple Network Management Protocol SNMP agent address of neighboring devices running lower layer transparent protocols This feature enables applications to send SNMP queries to neighboring devices CDP runs on all media that support Subnetwork Access Protocol SNAP Because CDP runs over the da...

Page 512: ...mer holdtime and advertisement type Note Steps 2 through 4 are all optional and can be performed in any order Table 24 1 Default CDP Configuration Feature Default Setting CDP global state Enabled CDP interface state Enabled CDP timer packet update frequency 60 seconds CDP holdtime before discarding 180 seconds CDP Version 2 advertisements Enabled Command Purpose Step 1 configure terminal Enter glo...

Page 513: ...ged EXEC mode follow these steps to disable the CDP device discovery capability Beginning in privileged EXEC mode follow these steps to enable CDP when it has been disabled This example shows how to enable CDP if it has been disabled Switch configure terminal Switch config cdp run Switch config end Step 6 show cdp Verify your settings Step 7 copy running config startup config Optional Save your en...

Page 514: ... enable Switch config if end Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface on which you are disabling CDP and enter interface configuration mode Step 3 no cdp enable Disable CDP on the interface Step 4 end Return to privileged EXEC mode Step 5 copy running config startup config Optional Save your entries in the configu...

Page 515: ...terisk to display all CDP neighbors or you can enter the name of the neighbor about which you want information You can also limit the display to information about the protocols enabled on the specified neighbor or information about the version of software running on the device show cdp interface interface id Display information about interfaces where CDP is enabled You can limit the display to the...

Page 516: ...24 6 Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide OL 8915 03 Chapter 24 Configuring CDP Monitoring and Maintaining CDP ...

Page 517: ...anding LLDP and LLDP MED This section contains this conceptual information Understanding LLDP page 25 1 Understanding LLDP MED page 25 2 Understanding LLDP The Cisco Discovery Protocol CDP is a device discovery protocol that runs over Layer 2 the data link layer on all Cisco manufactured devices routers bridges access servers and switches CDP allows network management applications to automatically...

Page 518: ...vices such as switches It specifically provides support for voice over IP VoIP applications and provides additional TLVs for capabilities discovery network policy Power over Ethernet and inventory management LLDP MED supports these TLVs LLDP MED capabilities TLV Allows LLDP MED endpoints to determine the capabilities that the connected device supports and what capabilities the device has enabled N...

Page 519: ...h the PSAP can use to call back the emergency caller Configuring LLDP and LLDP MED This section contains this configuration information Default LLDP Configuration page 25 3 Configuring LLDP Characteristics page 25 4 Disabling and Enabling LLDP Globally page 25 5 Disabling and Enabling LLDP on an Interface page 25 5 Configuring LLDP MED TLVs page 25 6 Default LLDP Configuration Table 25 1 shows the...

Page 520: ...tch config lldp timer 30 Switch config end For additional LLDP show commands see the Monitoring and Maintaining LLDP and LLDP MED section on page 25 7 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 lldp holdtime seconds Optional Specify the amount of time a receiving device should hold the information sent by your device before discarding it The range is 0 to 6553...

Page 521: ...l supported interfaces to send and to receive LLDP information Beginning in privileged EXEC mode follow these steps to disable LLDP on an interface Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 no lldp run Disable LLDP Step 3 end Return to privileged EXEC mode Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 lldp run Enable LLDP St...

Page 522: ...nterface Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface on which you are enabling LLDP MED and enter interface configuration mode Step 3 lldp transmit LLDP packets are sent on the interface Step 4 lldp receive LLDP packets are received on the interface Step 5 end Return to privileged EXEC mode Step 6 copy running config...

Page 523: ...nfig startup config Optional Save your entries in the configuration file Command Description clear lldp counters Reset the traffic counters to zero clear lldp table Delete the LLDP table of information about neighbors show lldp Display global information such as frequency of transmissions the holdtime for packets being sent and the delay time for LLDP to initialize on an interface show lldp entry ...

Page 524: ...25 8 Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide OL 8915 03 Chapter 25 Configuring LLDP and LLDP MED Monitoring and Maintaining LLDP and LLDP MED ...

Page 525: ...ks can cause a variety of problems including spanning tree topology loops Modes of Operation UDLD supports two modes of operation normal the default and aggressive In normal mode UDLD can detect unidirectional links due to misconnected ports on fiber optic connections In aggressive mode UDLD can also detect unidirectional links due to one way traffic on fiber optic and twisted pair links and to mi...

Page 526: ...n the cable is disconnected In these cases UDLD disables the affected port In a point to point link UDLD hello packets can be considered as a heart beat whose presence guarantees the health of the link Conversely the loss of the heart beat means that the link must be shut down if it is not possible to re establish a bidirectional link If both fiber strands in a cable are working normally from a La...

Page 527: ...re aged out UDLD restarts the link up sequence to resynchronize with any potentially out of sync neighbors If you enable aggressive mode when all the neighbors of a port have aged out either in the advertisement or in the detection phase UDLD restarts the link up sequence to resynchronize with any potentially out of sync neighbor UDLD shuts down the port if after the fast train of messages the lin...

Page 528: ...f another switch When configuring the mode normal or aggressive make sure that the same mode is configured on both sides of the link Caution Loop guard works only on point to point links We recommend that each end of the link has a directly connected device that is running STP Table 26 1 Default UDLD Configuration Feature Default Setting UDLD global enable state Globally disabled UDLD per port ena...

Page 529: ...s UDLD in aggressive mode on all fiber optic ports enable Enables UDLD in normal mode on all fiber optic ports on the switch UDLD is disabled by default An individual interface configuration overrides the setting of the udld enable global configuration command For more information about aggressive and normal modes see the Modes of Operation section on page 26 1 message time message timer interval ...

Page 530: ... state and the errdisable recovery interval interval global configuration command specifies the time to recover from the UDLD error disabled state Displaying UDLD Status To display the UDLD status for the specified port or for all ports use the show udld interface id privileged EXEC command For detailed information about the fields in the command output see the command reference for this release S...

Page 531: ...ed or sent or both on source ports or source VLANs to a destination port for analysis SPAN does not affect the switching of network traffic on the source ports or VLANs You must dedicate the destination port for SPAN use Except for traffic that is required for the SPAN or RSPAN session destination ports do not receive or forward traffic Only traffic that enters or leaves source ports or traffic th...

Page 532: ...ort 5 without being physically attached to port 5 Figure 27 1 Example of Local SPAN Configuration on a Single Switch Remote SPAN RSPAN supports source ports source VLANs and destination ports on different switches enabling remote monitoring of multiple switches across your network Figure 27 2 shows source ports on Switch A and Switch B The traffic for each RSPAN session is carried over a user spec...

Page 533: ...cified by the user and form them into a stream of SPAN data which is directed to the destination port RSPAN consists of at least one RSPAN source session an RSPAN VLAN and at least one RSPAN destination session You separately configure RSPAN source sessions and RSPAN destination sessions on different network devices To configure an RSPAN source session on a device you associate a set of source por...

Page 534: ... as SPAN sources and destinations SPAN sessions do not interfere with the normal operation of the switch However an oversubscribed SPAN destination for example a 10 Mb s port monitoring a 100 Mb s port can result in dropped or lost packets When RSPAN is enabled each packet being monitored is transmitted twice once as normal traffic and once as a monitored packet Therefore monitoring a large number...

Page 535: ...cluding BPDU and Layer 2 protocol packets are monitored Therefore a local SPAN session with encapsulation replicate enabled can have a mixture of untagged ISL and IEEE 802 1Q tagged packets appear on the destination port Switch congestion can cause packets to be dropped at ingress source ports egress source ports or SPAN destination ports In general these characteristics are independent of one ano...

Page 536: ...rts and can be monitored in either or both directions On a given port only traffic on the monitored VLAN is sent to the destination port If a destination port belongs to a source VLAN it is excluded from the source list and is not monitored If ports are added to or removed from the source VLANs the traffic on the source VLAN received by those ports is added to or removed from the sources being mon...

Page 537: ...ysical port It cannot be a secure port It cannot be a source port It cannot be an EtherChannel group or a VLAN It can participate in only one SPAN session at a time a destination port in one SPAN session cannot be a destination port for a second SPAN session When it is active incoming traffic is disabled The port does not transmit any traffic except that required for the SPAN session Incoming traf...

Page 538: ...ting SPAN does not monitor routed traffic VSPAN only monitors traffic that enters or exits the switch not traffic that is routed between VLANs For example if a VLAN is being Rx monitored and the switch routes traffic from another VLAN to the monitored VLAN that traffic is not monitored and not received on the SPAN destination port STP A destination port does not participate in STP while its SPAN o...

Page 539: ...t A private VLAN port cannot be a SPAN destination port A secure port cannot be a SPAN destination port For SPAN sessions do not enable port security on ports with monitored egress when ingress forwarding is enabled on the destination port For RSPAN source sessions do not enable port security on any ports with monitored egress An IEEE 802 1x port can be a SPAN source port You can enable IEEE 802 1...

Page 540: ... outgoing packets through the SPAN destination port carry the original encapsulation headers untagged ISL or IEEE 802 1Q if the encapsulation replicate keywords are specified If the keywords are not specified the packets are sent in native form For RSPAN destination ports outgoing packets are not tagged You can configure a disabled port to be a source or destination port but the SPAN function does...

Page 541: ... range is 1 to 66 For interface id specify the source port or source VLAN to monitor For source interface id specify the source port to monitor Valid interfaces include physical interfaces and port channel logical interfaces port channel port channel number Valid port channel numbers are 1 to 48 For vlan id specify the source VLAN to monitor The range is 1 to 4094 excluding the RSPAN VLAN Note A s...

Page 542: ...t0 1 Switch config end This example shows how to disable received traffic monitoring on port 1 which was configured for bidirectional monitoring Switch config no monitor session 1 source interface gigabitethernet0 1 rx The monitoring of traffic received on port 1 is disabled but traffic sent from this port continues to be monitored Step 4 monitor session session_number destination interface interf...

Page 543: ...mber all local remote Remove any existing SPAN configuration for the session Step 3 monitor session session_number source interface interface id vlan vlan id both rx tx Specify the SPAN session and the source port monitored port Step 4 monitor session session_number destination interface interface id encapsulation replicate ingress dot1q vlan vlan id isl untagged vlan vlan id vlan vlan id Specify ...

Page 544: ...lan 6 Switch config end Specifying VLANs to Filter Beginning in privileged EXEC mode follow these steps to limit SPAN source traffic to specific VLANs Step 5 end Return to privileged EXEC mode Step 6 show monitor session session_number show running config Verify the configuration Step 7 copy running config startup config Optional Save the configuration in the configuration file Command Purpose Com...

Page 545: ...cifying VLANs to Filter page 27 22 RSPAN Configuration Guidelines Follow these guidelines when configuring RSPAN All the items in the SPAN Configuration Guidelines section on page 27 10 apply to RSPAN As RSPAN VLANs have special properties you should reserve a few VLANs across your network for use as RSPAN VLANs do not assign access ports to these VLANs Step 5 monitor session session_number destin...

Page 546: ...to prevent the unwanted flooding of RSPAN traffic across the network for VLAN IDs that are lower than 1005 These are the hardware limitations related to RSPAN An egress SPAN copy of routed unicast traffic might show an incorrect destination MAC address on both local and remote SPAN sessions The workaround for local SPAN is to use the replicate option For a remote SPAN session there is no workaroun...

Page 547: ...ose Step 1 configure terminal Enter global configuration mode Step 2 vlan vlan id Enter a VLAN ID to create a VLAN or enter the VLAN ID of an existing VLAN and enter VLAN configuration mode The range is 2 to 1001 and 1006 to 4094 The RSPAN VLAN cannot be VLAN 1 the default VLAN or VLAN IDs 1002 through 1005 reserved for Token Ring and FDDI VLANs Step 3 remote span Configure the VLAN as an RSPAN VL...

Page 548: ..._number the range is 1 to 66 Enter a source port or source VLAN for the RSPAN session For interface id specify the source port to monitor Valid interfaces include physical interfaces and port channel logical interfaces port channel port channel number Valid port channel numbers are 1 to 48 For vlan id specify the source VLAN to monitor The range is 1 to 4094 excluding the RSPAN VLAN A single sessi...

Page 549: ...network Step 3 remote span Identify the VLAN as the RSPAN VLAN Step 4 exit Return to global configuration mode Step 5 no monitor session session_number all local remote Remove any existing RSPAN configuration for the session For session_number the range is 1 to 66 Specify all to remove all RSPAN sessions local to remove all local sessions or remote to remove all remote SPAN sessions Step 6 monitor...

Page 550: ...specify the source RSPAN VLAN and the destination port and to enable incoming traffic on the destination port for a network security device such as a Cisco IDS Sensor Appliance For details about the keywords not related to incoming traffic see the Creating an RSPAN Destination Session section on page 27 19 This procedure assumes that the RSPAN VLAN has already been configured Command Purpose Step ...

Page 551: ...encapsulation For session_number enter the number defined in Step 4 In an RSPAN destination session you must use the same session number for the source RSPAN VLAN and the destination port For interface id specify the destination interface The destination interface must be a physical interface Though visible in the command line help string encapsulation replicate is not supported for RSPAN The orig...

Page 552: ...Specify all to remove all SPAN sessions local to remove all local sessions or remote to remove all remote SPAN sessions Step 3 monitor session session_number source interface interface id Specify the characteristics of the source port monitored port and SPAN session For session_number the range is 1 to 66 For interface id specify the source port to monitor The interface specified must already be c...

Page 553: ...27 Configuring SPAN and RSPAN Displaying SPAN and RSPAN Status Displaying SPAN and RSPAN Status To display the current SPAN or RSPAN configuration use the show monitor user EXEC command You can also use the show running config privileged EXEC command to display configured SPAN or RSPAN sessions ...

Page 554: ...27 24 Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide OL 8915 03 Chapter 27 Configuring SPAN and RSPAN Displaying SPAN and RSPAN Status ...

Page 555: ...n this chapter see the System Management Commands section in the Cisco IOS Configuration Fundamentals Command Reference Release 12 2 from the Cisco com page under Documentation Cisco IOS Software 12 2 Mainline Command References This chapter consists of these sections Understanding RMON page 28 1 Configuring RMON page 28 2 Displaying RMON Status page 28 6 Understanding RMON RMON is an Internet Eng...

Page 556: ...s the alarm at another value falling threshold Alarms can be used with events the alarm triggers an event which can generate a log entry or an SNMP trap Event RMON group 9 Specifies the action to take when an event is triggered by an alarm The action can be to generate a log entry or an SNMP trap Because switches supported by this software release use hardware counters for RMON data processing the...

Page 557: ...ired Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 rmon alarm number variable interval absolute delta rising threshold value event number falling threshold value event number owner string Set an alarm on a MIB object For number specify the alarm number The range is 1 to 65535 For variable specify the MIB object to monitor For interval specify the time in seconds ...

Page 558: ...t and can be triggered again Switch config rmon alarm 10 ifEntry 20 1 20 delta rising threshold 15 1 falling threshold 0 owner jjohnson The following example creates RMON event number 1 by using the rmon event command The event is defined as High ifOutErrors and generates a log entry when the event is triggered by the alarm The user jjones owns the row that is created in the event table by this co...

Page 559: ...n collection history index buckets bucket number interval seconds owner ownername Enable history collection for the specified number of buckets and time period For index identify the RMON group of statistics The range is 1 to 65535 Optional For buckets bucket number specify the maximum number of buckets desired for the RMON collection history group of statistics The range is 1 to 65535 The default...

Page 560: ...page under Documentation Cisco IOS Software 12 2 Mainline Command References Step 3 rmon collection stats index owner ownername Enable RMON statistic collection on the interface For index specify the RMON group of statistics The range is from 1 to 65535 Optional For owner ownername enter the name of the owner of the RMON group of statistics Step 4 end Return to privileged EXEC mode Step 5 show run...

Page 561: ...By default a switch sends the output from system messages and debug privileged EXEC commands to a logging process The logging process controls the distribution of logging messages to various destinations such as the logging buffer terminal lines or a UNIX syslog server depending on your configuration The process also sends messages to the console Note The syslog format is compatible with 4 3 BSD U...

Page 562: ... Device page 29 5 optional Synchronizing Log Messages page 29 6 optional Enabling and Disabling Time Stamps on Log Messages page 29 7 optional Enabling and Disabling Sequence Numbers in Log Messages page 29 8 optional Defining the Message Severity Level page 29 8 optional Limiting Syslog Messages Sent to the History Table and to SNMP page 29 10 Enabling the Configuration Change Logger page 29 10 o...

Page 563: ...a sequence number only if the service sequence numbers global configuration command is configured For more information see the Enabling and Disabling Sequence Numbers in Log Messages section on page 29 8 timestamp formats mm dd hh mm ss or hh mm ss short uptime or d h long uptime Date and time of the message or event This information appears only if the service timestamps log datetime log global c...

Page 564: ...ut The logging synchronous global configuration command also affects the display of messages to the console When this command is enabled messages appear only after you press Return For more information see the Synchronizing Log Messages section on page 29 6 To re enable message logging after it has been disabled use the logging on global configuration command Time stamps Disabled Synchronous loggi...

Page 565: ...ost to be used as the syslog server To build a list of syslog servers that receive logging messages enter this command more than once For complete syslog server configuration steps see the Configuring UNIX Syslog Servers section on page 29 12 Step 4 logging file flash filename max file size min file size severity level number type Store log messages in a file in flash memory For filename enter the...

Page 566: ...d When synchronous logging of unsolicited messages and debug command output is enabled unsolicited device output appears on the console or printed after solicited device output appears or is printed Unsolicited messages and debug command output appears on the console after the prompt for user input is returned Therefore unsolicited messages and debug command output are not interspersed with solici...

Page 567: ...n this value are printed asynchronously Low numbers mean greater severity and high numbers mean lesser severity The default is 2 Optional Specifying level all means that all messages are printed asynchronously regardless of the severity level Optional For limit number of buffers specify the number of buffers to be queued for the terminal after which new messages are dropped The range is 0 to 21474...

Page 568: ...equence numbers enabled 000019 SYS 5 CONFIG_I Configured from console by vty2 10 34 195 36 Defining the Message Severity Level You can limit messages displayed to the selected device by specifying the severity level of the message which are described in Table 29 3 Beginning in privileged EXEC mode follow these steps to define the message severity level This procedure is optional Command Purpose St...

Page 569: ...Output from the debug commands displayed at the debugging level Debug commands are typically used only by the Technical Assistance Center Interface up or down transitions and system restart messages displayed at the notifications level This message is only for information switch functionality is not affected Step 4 logging trap level Limit messages logged to the syslog servers By default syslog se...

Page 570: ...istory table to the default value use the no logging history size global configuration command Enabling the Configuration Change Logger You can enable a configuration logger to keep track of configuration changes made with the command line interface CLI When you enter the logging enable configuration change logger configuration command the log records the session the user and the command that was ...

Page 571: ...witch config archive log cfg end This is an example of output for the configuration log Switch show archive log config all idx sess user line Logged command 38 11 unknown user vty3 no aaa authorization config commands 39 12 unknown user vty3 no aaa authorization network default group radius 40 12 unknown user vty3 no aaa accounting dot1x default start stop group radius 41 13 unknown user vty3 no a...

Page 572: ... for information on the facilities The debug keyword specifies the syslog level see Table 29 3 on page 29 9 for information on the severity levels The syslog daemon sends messages at this level or at a more severe level to the file specified in the next field The file must already exist and the syslog daemon must have permission to write to it Step 2 Create the log file by entering these commands ...

Page 573: ...amentals Command Reference Release 12 2 from the Cisco com page under Documentation Cisco IOS Software 12 2 Mainline Command References Step 3 logging trap level Limit messages logged to the syslog servers Be default syslog servers receive informational messages and lower See Table 29 3 on page 29 9 for level keywords Step 4 logging facility facility type Configure the syslog facility See Table 29...

Page 574: ...29 14 Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide OL 8915 03 Chapter 29 Configuring System Message Logging Displaying the Logging Configuration ...

Page 575: ... SNMP agent and a MIB The SNMP manager can be part of a network management system NMS such as CiscoWorks The agent and MIB reside on the switch To configure SNMP on the switch you define the relationship between the manager and the agent The SNMP agent contains MIB variables whose values the SNMP manager can request or change A manager can get a value from an agent or store a value into the agent ...

Page 576: ...ot tampered with in transit Authentication determining that the message is from a valid source Encryption mixing the contents of a package to prevent it from being read by an unauthorized source Note To select encryption enter the priv keyword This keyword is available only when the cryptographic encrypted software image is installed Both SNMPv1 and SNMPv2C use a community based form of security T...

Page 577: ...ion SNMPv3 authNoPriv MD5 or SHA No Provides authentication based on the HMAC MD5 or HMAC SHA algorithms SNMPv3 authPriv requires the cryptographic software image MD5 or SHA DES Provides authentication based on the HMAC MD5 or HMAC SHA algorithms Provides DES 56 bit encryption in addition to authentication based on the CBC DES DES 56 standard Table 30 2 SNMP Operations Operation Description get re...

Page 578: ... access to authorized management stations to all objects in the MIB except the community strings but does not allow write access Read write RW Gives read and write access to authorized management stations to all objects in the MIB but does not allow access to the community strings Using SNMP to Access MIB Variables An example of an NMS is the CiscoWorksHP OpenViewnetwork management software CiscoW...

Page 579: ...s soon as it is sent an inform request is held in memory until a response is received or the request times out Traps are sent only once but an inform might be re sent or retried several times The retries increase traffic and contribute to a higher overhead on the network Therefore traps and informs require a trade off between reliability and resources If it is important that the SNMP manager recei...

Page 580: ...and the switch startup configuration has at least one snmp server global configuration command the SNMP agent is enabled An SNMP group is a table that maps SNMP users to SNMP views An SNMP user is a member of an SNMP group An SNMP host is the recipient of an SNMP trap operation An SNMP engine ID is a name for the local or remote SNMP engine Table 30 4 Default SNMP Configuration Feature Default Set...

Page 581: ...to it If a local user is not associated with a remote host the switch does not send informs for the auth authNoPriv and the priv authPriv authentication levels Changing the value of the SNMP engine ID has important side effects A user s password entered on the command line is converted to an MD5 or SHA security digest based on the password and the local engine ID The command line password is then ...

Page 582: ...one or more community strings of any length Optional For view specify the view record accessible to the community Optional Specify either read only ro if you want authorized management stations to retrieve MIB objects or specify read write rw if you want authorized management stations to retrieve and modify MIB objects By default the community string permits read only access to all objects Optiona...

Page 583: ...ew users to the SNMP group Beginning in privileged EXEC mode follow these steps to configure SNMP on the switch Step 5 show running config Verify your entries Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 snmp server engineID local engineid string remote...

Page 584: ...cket authentication noauth Enables the noAuthNoPriv security level This is the default if no keyword is specified priv Enables Data Encryption Standard DES packet encryption also called privacy Note The priv keyword is available only when the cryptographic software image is installed Optional Enter read readview with a string not to exceed 64 characters that is the name of the view in which you ca...

Page 585: ... new user for an SNMP group The username is the name of the user on the host that connects to the agent The groupname is the name of the group to which the user is associated Enter remote to specify a remote SNMP entity to which the user belongs and the hostname or IP address of that entity with the optional UDP port number The default is 162 Enter the SNMP version number v1 v2c or v3 If you enter...

Page 586: ...essages neighbor changes and rendezvous point RP mapping changes port security Generates SNMP port security traps You can also set a maximum trap rate per second The range is from 0 to 1000 the default is 0 which means that there is no rate limit Note When you configure a trap by using the notification type port security configure the port security trap first and then configure the port security t...

Page 587: ...d with the remote host created in Step 2 Note You cannot configure a remote user for an address without first configuring the engine ID for the remote host Otherwise you receive an error message and the command is not executed Step 4 snmp server group groupname v1 v2c v3 auth noauth priv read readview write writeview notify notifyview access access list Configure an SNMP group Step 5 snmp server h...

Page 588: ... to send traps or informs and specify the type of notifications to be sent For a list of notification types see Table 30 5 on page 30 11 or enter snmp server enable traps To enable multiple types of traps you must enter a separate snmp server enable traps command for each trap type Note When you configure a trap by using the notification type port security configure the port security trap first an...

Page 589: ...iguration file copies through SNMP to the servers in the access list For access list number enter an IP standard access list numbered from 1 to 99 and 1300 to 1999 Step 3 access list access list number deny permit source source wildcard Create a standard access list repeating the command as many times as necessary For access list number enter the access list number specified in Step 2 The deny key...

Page 590: ...unity string public Switch config snmp server community comaccess ro 4 Switch config snmp server enable traps snmp authentication Switch config snmp server host cisco com version 2c public This example shows how to send Entity MIB traps to the host cisco com The community string is restricted The first line enables the switch to send Entity MIB traps in addition to any traps previously enabled The...

Page 591: ...bout the fields in the displays see the Cisco IOS Configuration Fundamentals Command Reference Release 12 2 Table 30 6 Commands for Displaying SNMP Information Feature Default Setting show snmp Displays SNMP statistics show snmp engineID local remote Displays information on the local SNMP engine and all remote engines that have been configured on the device show snmp group Displays information on ...

Page 592: ...30 18 Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide OL 8915 03 Chapter 30 Configuring SNMP Displaying SNMP Status ...

Page 593: ... Named MAC Extended ACLs page 31 26 Configuring VLAN Maps page 31 28 Using VLAN Maps with Router ACLs page 31 36 Displaying IPv4 ACL Configuration page 31 38 Understanding ACLs Packet filtering can help limit network traffic and restrict network use by certain users or devices ACLs filter traffic as it passes through a router or switch and permit or deny packets crossing specified interfaces or VL...

Page 594: ... of ACLs to filter traffic Port ACLs access control traffic entering a Layer 2 interface The switch does not support port ACLs in the outbound direction You can apply only one IP access list and one MAC access list to a Layer 2 interface For more information see the Port ACLs section on page 31 3 Router ACLs access control routed traffic between VLANs and are applied to Layer 3 interfaces in a spe...

Page 595: ...h does not recognize the protocol inside the IEEE 802 1Q header This restriction applies to router ACLs port ACLs and VLAN maps For more information about IEEE 802 1Q tunneling see Chapter 15 Configuring IEEE 802 1Q Tunneling and Chapter 15 Configuring IEEE 802 1Q and Layer 2 Protocol Tunneling Port ACLs Port ACLs are ACLs that are applied to Layer 2 interfaces on a switch Port ACLs are supported ...

Page 596: ...d you apply a new IP access list or MAC access list to the interface the new ACL replaces the previously configured one Router ACLs You can apply router ACLs on switch virtual interfaces SVIs which are Layer 3 interfaces to VLANs on physical Layer 3 interfaces and on Layer 3 EtherChannel interfaces You apply router ACLs on interfaces for specific directions inbound or outbound You can apply one ro...

Page 597: ...ng MAC VLAN maps IP traffic is not access controlled by MAC VLAN maps You can enforce VLAN maps only on packets going through the switch you cannot enforce VLAN maps on traffic between hosts on a hub or on another switch connected to this switch With VLAN maps forwarding of packets is permitted or denied based on the action specified in the map Figure 31 2 shows how a VLAN map is applied to preven...

Page 598: ...he remaining fragments in the packet do not match the second ACE because they are missing Layer 4 information Instead they match the third ACE a permit Because the first fragment was denied host 10 1 1 2 cannot reassemble a complete packet so packet B is effectively denied However the later fragments that are permitted will consume bandwidth on the network and resources of host 10 1 1 2 as it trie...

Page 599: ...al collection of permit and deny conditions One by one the switch tests packets against the conditions in an access list The first match determines whether the switch accepts or rejects the packet Because the switch stops testing after the first match the order of the conditions is critical If no conditions match the switch denies the packet The software supports these types of ACLs or access list...

Page 600: ...cess list That is any packet that matches the ACL causes an informational logging message about the packet to be sent to the console The level of messages logged to the console is controlled by the logging console commands controlling the syslog messages Note Because routing is done in hardware and logging is done in software if a large number of packets match a permit or deny ACE containing a log...

Page 601: ...sk from an associated IP host address ACL specification 0 0 0 0 is assumed to be the mask Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny permit source source wildcard log Define a standard IPv4 access list by using a source address and wildcard The access list number is a decimal number from 1 to 99 or 1300 to 1999 Enter deny or...

Page 602: ...tion for finer granularity of control When you are creating ACEs in numbered extended access lists remember that after you create the ACL any additions are placed at the end of the list You cannot reorder the list or selectively add or remove ACEs from a numbered list Some protocols also have specific parameters and keywords that apply to that protocol These IP protocols are supported protocol key...

Page 603: ...ific parameters for TCP UDP ICMP and IGMP see steps 2b through 2e The source is the number of the network or host from which the packet is sent The source wildcard applies wildcard bits to the source The destination is the network or host number to which the packet is sent The destination wildcard applies wildcard bits to the destination Source source wildcard destination and destination wildcard ...

Page 604: ...n Control Protocol The parameters are the same as those described in Step 2a with these exceptions Optional Enter an operator and port to compare source if positioned after source source wildcard or destination if positioned after destination destination wildcard port Possible operators include eq equal gt greater than lt less than neq not equal and range inclusive range Operators require a port n...

Page 605: ... precedence precedence tos tos fragments log log input time range time range name dscp dscp Optional Define an extended ICMP access list and the access conditions Enter icmp for Internet Control Message Protocol The ICMP parameters are the same as those described for most IP protocols in Step 2a with the addition of the ICMP message type and code parameters These optional keywords have these meani...

Page 606: ...to configure more IPv4 access lists in a router than if you were to use numbered access lists If you identify your access list with a name rather than a number the mode and command syntax are slightly different However not all commands that use IP access lists accept a named access list Note The name you give to a standard or extended ACL can also be a number in the supported range of access list ...

Page 607: ... to privileged EXEC mode Step 5 show access lists number name Show the access list configuration Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip access list extended name Define an extended IPv4 access list using a name and enter access list configurati...

Page 608: ...nt are referenced in the named and numbered extended ACL task tables in the previous sections the Creating Standard and Extended IPv4 ACLs section on page 31 7 and the Creating Named Standard and Extended ACLs section on page 31 14 These are some of the many possible benefits of using time ranges You have more control over permitting or denying a user access to resources such as an application ide...

Page 609: ...me in an extended ACL that can implement time ranges This example shows how to create and verify extended access list 188 that denies TCP traffic from any source to any destination during the defined holiday times and permits all TCP traffic during work hours Switch config access list 188 deny tcp any any time range new_year_day_2006 Switch config access list 188 permit tcp any any time range work...

Page 610: ...d permit or deny statements and some remarks after the associated statements To include a comment for IP numbered standard or extended ACLs use the access list access list number remark remark global configuration command To remove the remark use the no form of this command In this example the server that belongs to Jones is allowed access and the workstation that belongs to Smith is not allowed a...

Page 611: ...ce and routing is not enabled on the switch the ACL only filters packets that are intended for the CPU such as SNMP Telnet or web traffic You do not have to enable routing to apply ACLs to Layer 2 interfaces When private VLANs are configured you can apply router ACLs only on the primary VLAN SVIs The ACL is applied to both primary and secondary VLAN Layer 3 traffic Note By default the router sends...

Page 612: ...he packet against the ACL If the ACL permits the packet the switch sends the packet If the ACL rejects the packet the switch discards the packet By default the input interface sends ICMP Unreachable messages whenever a packet is discarded regardless of whether the packet was discarded because of an ACL on the input interface or because of an ACL on the output interface ICMP Unreachables are normal...

Page 613: ...t must be routed are routed in software but are bridged in hardware If ACLs cause large numbers of packets to be sent to the CPU the switch performance can be negatively affected When you enter the show ip access lists privileged EXEC command the match count displayed does not account for packets that are access controlled in hardware Use the show access lists hardware counters privileged EXEC com...

Page 614: ...ard IP access list 6 10 permit 172 20 128 64 wildcard bits 0 0 0 31 Switch config interface gigabitethernet0 1 Switch config if ip access group 6 out This example uses an extended ACL to filter traffic coming from Server B into a port permitting traffic from any source address in this case Server B to only the Accounting destination addresses 172 20 128 64 to 172 20 128 95 The ACL is applied to tr...

Page 615: ...ernet and you want any host on the network to be able to form TCP connections to any host on the Internet However you do not want IP hosts to be able to form TCP connections to hosts on your network except to the mail SMTP port of a dedicated mail host SMTP uses TCP port 25 on one end of the connection and a random port number on the other end The same port numbers are used throughout the life of ...

Page 616: ...ng_group in Time Range Applied to an IP ACL This example denies HTTP traffic on IP on Monday through Friday between the hours of 8 00 a m and 6 00 p m 18 00 The example allows UDP traffic only on Saturday and Sunday from noon to 8 00 p m 20 00 Switch config time range no http Switch config periodic weekdays 8 00 to 18 00 Switch config time range udp yes Switch config periodic weekend 12 00 to 20 0...

Page 617: ...nacl permit any log Switch config std nacl exit Switch config interface gigabitethernet0 1 Switch config if ip access group stan1 in Switch config if end Switch show logging Syslog logging enabled 0 messages dropped 0 flushes 0 overruns Console logging level debugging 37 messages logged Monitor logging level debugging 0 messages logged Buffer logging level debugging 37 messages logged File logging...

Page 618: ...nclude the input interface information 00 05 47 SEC 6 IPACCESSLOGDP list inputlog permitted icmp 10 1 1 10 10 1 1 61 0 0 1 packet Creating Named MAC Extended ACLs You can filter non IPv4 traffic on a VLAN or on a Layer 2 interface by using MAC addresses and named MAC extended ACLs The procedure is similar to that of configuring other extended named ACLs Note You cannot apply named MAC extended ACL...

Page 619: ...d to the VLAN Incoming packets received on the Layer 2 port are always filtered by the port ACL Step 3 deny permit any host source MAC address source MAC address mask any host destination MAC address destination MAC address mask type mask lsap lsap mask aarp amber dec spanning decnet iv diagnostic dsm etype 6000 etype 8042 lat lavc sca mop console mop dump msdos mumps netbios vines echo vines ip x...

Page 620: ... an undefined ACL to an interface the switch acts as if the ACL has not been applied and permits all packets Remember this behavior if you use undefined ACLs for network security Configuring VLAN Maps This section describes how to configure VLAN maps which is the only way to control filtering within a VLAN VLAN maps have no direction To filter traffic in a specific direction by using a VLAN map yo...

Page 621: ...page 31 29 Creating a VLAN Map page 31 30 Applying a VLAN Map to a VLAN page 31 33 Using VLAN Maps in Your Network page 31 33 VLAN Map Configuration Guidelines Follow these guidelines when configuring VLAN maps If there is no ACL configured to deny traffic on an interface and no VLAN map is configured all traffic is permitted Each VLAN map consists of a series of entries The order of entries in an...

Page 622: ...ode follow these steps to create add to or delete a VLAN map entry Use the no vlan access map name global configuration command to delete a map Use the no vlan access map name number global configuration command to delete a single sequence entry from within the map Use the no action access map configuration command to enforce the default action which is to forward Command Purpose Step 1 configure ...

Page 623: ...2 permits UDP packets and any packets that match the ip2 ACL are forwarded In this map any IP packets that did not match any of the previous ACLs that is packets that are not TCP packets or UDP packets would get dropped Switch config ip access list extended ip2 Switch config ext nacl permit udp any any Switch config ext nacl exit Switch config vlan access map map_1 20 Switch config access map matc...

Page 624: ...ccess list extended good protocols Switch config ext macl permit any any decnet ip Switch config ext macl permit any any vines ip Switch config ext nacl exit Switch config vlan access map drop mac default 10 Switch config access map match mac address good hosts Switch config access map action forward Switch config access map exit Switch config vlan access map drop mac default 20 Switch config acce...

Page 625: ...nd a QoS classification ACL In a wiring closet configuration routing might not be enabled on the switch In this configuration the switch can still support a VLAN map and a QoS classification ACL In Figure 31 4 assume that Host X and Host Y are in different VLANs and are connected to wiring closet switches A and C Traffic from Host X to Host Y is eventually being routed by Switch B a Layer 3 switch...

Page 626: ...32 host 10 1 1 34 eq www Switch config ext nacl exit Next create VLAN access map map2 so that traffic that matches the http access list is dropped and all other IP traffic is forwarded Switch config vlan access map map2 10 Switch config access map match ip address http Switch config access map action drop Switch config access map exit Switch config ip access list extended match_all Switch config e...

Page 627: ... 1 4 and host 10 1 1 8 and permits other IP traffic The final step is to apply the map SERVER1 to VLAN 10 Step 1 Define the IP ACL that will match the correct packets Switch config ip access list extended SERVER1_ACL Switch config ext nacl permit ip 10 1 2 0 0 0 0 255 host 10 1 1 100 Switch config ext nacl permit ip host 10 1 1 4 host 10 1 1 100 Switch config ext nacl permit ip host 10 1 1 8 host ...

Page 628: ...AN Maps and Router ACL Configuration Guidelines page 31 36 Examples of Router ACLs and VLAN Maps Applied to VLANs page 31 37 VLAN Maps and Router ACL Configuration Guidelines These guidelines are for configurations where you need to have an router ACL and a VLAN map on the same VLAN These guidelines do not apply to configurations where you are mapping router ACLs and VLAN maps on different VLANs T...

Page 629: ...riority to the filtering of traffic based on IP addresses Examples of Router ACLs and VLAN Maps Applied to VLANs This section gives examples of applying router ACLs and VLAN maps to a VLAN for switched bridged routed and multicast packets Although the following illustrations show packets being forwarded to their destination each time the packet s path crosses a line indicating a VLAN map or an ACL...

Page 630: ...ou use the ip access group interface configuration command to apply ACLs to a Layer 2 or 3 interface you can display the access groups on the interface You can also display the MAC ACLs applied to a Layer 2 interface You can use the privileged EXEC commands as described in Table 31 2 to display this information Frame Routing function VLAN 10 Host A VLAN 10 Packet 101359 VLAN 20 Host B VLAN 20 VLAN...

Page 631: ...play show running config interface interface id Displays the contents of the configuration file for the switch or the specified interface including all configured MAC and IP access lists and which access groups are applied to an interface show mac access group interface interface id Displays MAC access lists applied to all Layer 2 interfaces or the specified Layer 2 interface Table 31 2 Commands f...

Page 632: ...31 40 Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide OL 8915 03 Chapter 31 Configuring Network Security with ACLs Displaying IPv4 ACL Configuration ...

Page 633: ...ings such as classification queueing and scheduling the same way on physical ports and SVIs When configuring QoS on a physical port you apply a nonhierarchical policy map When configuring QoS on an SVI you apply a nonhierarchical or a hierarchical policy map For complete syntax and usage information for the commands used in this chapter see the command reference this release This chapter consists ...

Page 634: ...ce ToS field to carry the classification class information Classification can also be carried in the Layer 2 frame These special bits in the Layer 2 frame or a Layer 3 packet are described here and shown in Figure 32 1 Prioritization bits in Layer 2 frames Layer 2 Inter Switch Link ISL frame headers have a 1 byte User field that carries an IEEE 802 1p class of service CoS value in the three least ...

Page 635: ...ong a path provide a consistent per hop behavior you can construct an end to end QoS solution Implementing QoS in your network can be a simple or complex task and depends on the QoS features offered by your internetworking devices the traffic types and patterns in your network and the granularity of control that you need over incoming and outgoing traffic Basic QoS Model To implement QoS the switc...

Page 636: ...2 8 Queueing evaluates the QoS label and the corresponding DSCP or CoS value to select into which of the two ingress queues to place a packet Queueing is enhanced with the weighted tail drop WTD algorithm a congestion avoidance mechanism If the threshold is exceeded the packet is dropped For more information see the Queueing and Scheduling Overview section on page 32 13 Scheduling services the que...

Page 637: ... of the traffic Perform the classification based on a configured Layer 2 MAC access control list ACL which can examine the MAC source address the MAC destination address and other fields If no ACL is configured the packet is assigned 0 as the DSCP and CoS values which means best effort traffic Otherwise the policy map action specifies a DSCP or CoS value to assign to the incoming frame For IP traf...

Page 638: ...uration for classification Assign DSCP identical to DSCP in packet Check if packet came with CoS label tag Use the CoS value to generate the QoS label Generate DSCP from CoS to DSCP map Use the DSCP value to generate the QoS label Yes Read next ACL Is there a match with a permit action Assign the DSCP or CoS as specified by ACL action to generate the QoS label Assign the default DSCP 0 Are there a...

Page 639: ... access list extended global configuration command For configuration information see the Configuring a QoS Policy section on page 32 42 Classification Based on Class Maps and Policy Maps A class map is a mechanism that you use to name a specific traffic flow or class and to isolate it from all other traffic The class map defines the criteria used to match against a specific traffic flow to further...

Page 640: ...t of profile and specifies the actions on the packet These actions carried out by the marker include passing through the packet without modification dropping the packet or modifying marking down the assigned DSCP of the packet and allowing the packet to pass through The configurable policed DSCP map provides the packet with a new DSCP based QoS label For information on the policed DSCP map see the...

Page 641: ...itch verifies that there is enough room in the bucket If there is not enough room the packet is marked as nonconforming and the specified policer action is taken dropped or marked down How quickly the bucket fills is a function of the bucket depth burst byte the rate at which the tokens are removed rate bps and the duration of the burst above the average rate The size of the bucket imposes an uppe...

Page 642: ...interface level of the hierarchical policy map A hierarchical policy map has two levels The first level the VLAN level specifies the actions to be taken against a traffic flow on an SVI The second level the interface level specifies the actions to be taken against the traffic on the physical ports that belong to the SVI and are specified in the interface level policy map 86835 Yes Yes No No Pass t...

Page 643: ...policy map only supports individual policers and does not support aggregate policers You can configure different interface level policy maps for each class defined in the VLAN level policy map See the Classifying Policing and Marking Traffic on SVIs by Using Hierarchical Policy Maps section on page 32 52 for an example of a hierarchical policy map Figure 32 5 shows the policing and marking process...

Page 644: ...e this map by using the mls qos map policed dscp global configuration command Before the traffic reaches the scheduling stage QoS stores the packet in an ingress and an egress queue according to the QoS label The QoS label is based on the DSCP or the CoS value in the packet and selects the queue through the DSCP input and output queue threshold maps or through the CoS input and output queue thresh...

Page 645: ...space available in the destination queue is less than the size of the frame the switch drops the frame Each queue has three threshold values The QOS label is determines which of the three threshold values is subjected to the frame Of the three thresholds two are configurable explicit and one is not implicit Figure 32 7 shows an example of WTD operating on a queue whose size is 1000 frames Three dr...

Page 646: ...andwidth and they are rate limited to that amount Shaped traffic does not use more than the allocated bandwidth even if the link is idle Shaping provides a more even flow of traffic over time and reduces the peaks and valleys of bursty traffic With shaping the absolute value of each weight is used to compute the bandwidth available for the queues In shared mode the queues share the bandwidth among...

Page 647: ...et Service the queue according to the SRR weights Send packet to the internal ring Drop packet Start Yes No Table 32 1 Ingress Queue Types Queue Type1 1 The switch uses two nonconfigurable queues for traffic that is essential for proper network operation Function Normal User traffic that is considered to be normal priority You can configure three different thresholds to differentiate among the flo...

Page 648: ...ge 32 13 Buffer and Bandwidth Allocation You define the ratio allocate the amount of space with which to divide the ingress buffers between the two queues by using the mls qos srr queue input buffers percentage1 percentage2 global configuration command The buffer allocation together with the bandwidth allocation control how much data can be buffered and sent before packets are dropped You allocate...

Page 649: ...s Each port supports four egress queues one of which queue 1 can be the egress expedite queue These queues are assigned to a queue set All traffic exiting the switch flows through one of these four queues and is subjected to a threshold based on the QoS label assigned to the packet 90565 Receive packet from the internal ring Read QoS label DSCP or CoS value Determine egress queue number and thresh...

Page 650: ...ueue set by using the mls qos queue set output qset id threshold queue id drop threshold1 drop threshold2 reserved threshold maximum threshold global configuration command Each threshold value is a percentage of the queue s allocated memory which you specify by using the mls qos queue set output qset id buffers allocation1 allocation4 global configuration command The sum of all the allocated buffe...

Page 651: ...e the SRR Shaping and Sharing section on page 32 14 The buffer allocation together with the SRR weight ratios control how much data can be buffered and sent before packets are dropped The weight ratio is the ratio of the frequency in which the SRR scheduler sends packets from each queue All four queues participate in the SRR unless the expedite queue is enabled in which case the first bandwidth we...

Page 652: ...tion in a policy map also causes the DSCP to be rewritten Configuring Auto QoS You can use the auto QoS feature to simplify the deployment of existing QoS features Auto QoS makes assumptions about the network design and as a result the switch can prioritize different traffic flows and appropriately use the ingress and egress queues instead of using the default QoS behavior The default is that QoS ...

Page 653: ...covery Protocol CDP to detect the presence or absence of a Cisco IP Phone When a Cisco IP Phone is detected the ingress classification on the port is set to Table 32 2 Traffic Types Packet Labels and Queues VoIP1 Data Traffic 1 VoIP voice over IP VoIP Control Traffic Routing Protocol Traffic STP BPDU Traffic Real Time Video Traffic All Other Traffic DSCP 46 24 26 48 56 34 CoS 5 3 6 7 4 CoS to Ingr...

Page 654: ...Boundary to Ensure Port Security section on page 32 38 When you enable auto QoS by using the auto qos voip cisco phone the auto qos voip cisco softphone or the auto qos voip trust interface configuration command the switch automatically generates a QoS configuration based on the traffic type and ingress packet label and applies the commands listed in Table 32 5 to the port Table 32 5 Generated Aut...

Page 655: ...s qos srr queue output dscp map queue 1 threshold 3 40 41 42 43 44 45 46 47 Switch config mls qos srr queue output dscp map queue 2 threshold 3 24 25 26 27 28 29 30 31 Switch config mls qos srr queue output dscp map queue 2 threshold 3 48 49 50 51 52 53 54 55 Switch config mls qos srr queue output dscp map queue 2 threshold 3 56 57 58 59 60 61 62 63 Switch config mls qos srr queue output dscp map ...

Page 656: ...s queue set output 2 threshold 4 42 72 100 242 Switch config mls qos queue set output 1 buffers 10 10 26 54 Switch config mls qos queue set output 2 buffers 16 6 17 61 Switch config if srr queue bandwidth shape 10 0 0 0 Switch config if srr queue bandwidth share 10 10 60 20 If you entered the auto qos voip trust command the switch automatically sets the ingress classification to trust the CoS valu...

Page 657: ...evice running Cisco SoftPhone is connected to a nonrouted or routed port the switch supports only one Cisco SoftPhone application per port Beginning with Cisco IOS Release 12 2 44 SE Auto Qos VoIP uses the priority queue interface configuration command for an egress interface You can also configure a policy map and trust device on the same interface for Cisco IP phones If you entered the auto qos ...

Page 658: ...face You can enable auto QoS on static dynamic access voice VLAN access and trunk ports By default the CDP is enabled on all ports For auto QoS to function properly do not disable the CDP When enabling auto QoS with a Cisco IP Phone on a routed port you must assign a static IP address to the IP phone This release supports only Cisco IP SoftPhone Version 1 3 3 or later Connected devices must use Ci...

Page 659: ...e global configuration You can use the no mls qos global configuration command to disable the auto QoS generated global configuration commands With QoS disabled there is no concept of trusted or untrusted ports because the packets are not modified the CoS DSCP and IP precedence values in the packet are not changed Traffic is switched in pass through mode packets are switched without any rewrites a...

Page 660: ...n which the VoIP traffic is prioritized over all other traffic Auto QoS is enabled on the switches in the wiring closets at the edge of the QoS domain 148957 Cisco router To Internet Trunk link Trunk link Cisco IP phones Cisco IP phones Video server 172 20 10 16 IP IP IP IP Identify this interface as connected to a trusted switch or router Identify this interface as connected to a trusted switch o...

Page 661: ...uto QoS on the port and specify that the port is connected to a Cisco IP Phone The QoS labels of incoming packets are trusted only when the Cisco IP Phone is detected Step 6 exit Return to global configuration mode Step 7 Repeat Steps 4 to 6 for as many ports as are connected to the Cisco IP Phone Step 8 interface interface id Specify the switch port identified as connected to a trusted switch or ...

Page 662: ... these commands see the command reference for this release Configuring Standard QoS Before configuring standard QoS you must have a thorough understanding of these items The types of applications used and the traffic patterns on your network Traffic characteristics and needs of your network Is the traffic bursty Do you need to reserve bandwidth for voice and video streams Bandwidth requirements an...

Page 663: ... Configuration section on page 32 31 and the Default Egress Queue Configuration section on page 32 32 Default Ingress Queue Configuration Table 32 6 shows the default ingress queue configuration when QoS is enabled Table 32 7 shows the default CoS input queue threshold map when QoS is enabled Table 32 8 shows the default DSCP input queue threshold map when QoS is enabled Table 32 6 Default Ingress...

Page 664: ... Queue 3 Queue 4 Buffer allocation 25 percent 25 percent 25 percent 25 percent WTD drop threshold 1 100 percent 200 percent 100 percent 100 percent WTD drop threshold 2 100 percent 200 percent 100 percent 100 percent Reserved threshold 50 percent 50 percent 50 percent 50 percent Maximum threshold 400 percent 400 percent 400 percent 400 percent SRR shaped weights absolute 1 1 A shaped weight of zer...

Page 665: ...P extended ACLs to enforce QoS IP fragments are sent as best effort IP fragments are denoted by fields in the IP header Only one ACL per class map and only one match class map configuration command per class map are supported The ACL can have multiple ACEs which match fields against the contents of the packet A trust statement in a policy map requires multiple TCAM entries per ACL line If an input...

Page 666: ...han one physical port supports 256 policers 255 user configurable policers plus 1 policer reserved for system internal use The maximum number of user configurable policers supported per port is 63 Policers are allocated on demand by the software and are constrained by the hardware and ASIC boundaries You cannot reserve policers per port there is no guarantee that a port will be assigned to any pol...

Page 667: ...tion command to disable VLAN based QoS on the physical port Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos Enable QoS globally QoS runs with the default settings described in the Default Standard QoS Configuration section on page 32 31 the Queueing and Scheduling on Ingress Queues section on page 32 15 and the Queueing and Scheduling on Egress Queues secti...

Page 668: ...ce page 32 38 Configuring a Trusted Boundary to Ensure Port Security page 32 38 Enabling DSCP Transparency Mode page 32 40 Configuring the DSCP Trust State on a Port Bordering Another QoS Domain page 32 40 Configuring the Trust State on Ports within the QoS Domain Packets entering a QoS domain are classified at the edge of the QoS domain When the packets are classified at the edge the switch port ...

Page 669: ...recedence Configure the port trust state By default the port is not trusted If no keyword is specified the default is dscp The keywords have these meanings cos Classifies an ingress packet by using the packet CoS value For an untagged packet the port default CoS value is used The default port CoS value is 0 dscp Classifies an ingress packet by using the packet DSCP value For a non IP packet the pa...

Page 670: ...sure that voice traffic is properly prioritized over other types of traffic in the network By using the mls qos trust cos interface configuration command you configure the switch port to which Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be configured and enter interface configuration mode Valid interfaces include physi...

Page 671: ... a high priority data queue You can use the switchport priority extend cos interface configuration command to configure the telephone through the switch CLI to override the priority of the traffic received from the PC Beginning in privileged EXEC mode follow these steps to enable trusted boundary on a port To disable the trusted boundary feature use the no mls qos trust device interface configurat...

Page 672: ...h to modify the DSCP value based on the trust setting or on an ACL by disabling DSCP transparency use the mls qos rewrite ip dscp global configuration command If you disable QoS by using the no mls qos global configuration command the CoS and DSCP values are not changed the default QoS setting If you enter the no mls qos rewrite ip dscp global configuration command to enable DSCP transparency and ...

Page 673: ... null map which maps an incoming DSCP value to the same DSCP value For dscp mutation name enter the mutation map name You can create more than one map by specifying a new name For in dscp enter up to eight DSCP values separated by spaces Then enter the to keyword For out dscp enter a single DSCP value The DSCP range is 0 to 63 Step 3 interface interface id Specify the port to be trusted and enter ...

Page 674: ...mutation gi0 21 mutation Switch config if end Configuring a QoS Policy Configuring a QoS policy typically requires classifying traffic into classes configuring policies applied to those traffic classes and attaching policies to ports For background information see the Classification section on page 32 5 and the Policing and Marking section on page 32 8 For configuration guidelines see the Standard...

Page 675: ...and Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny permit source source wildcard Create an IP standard ACL repeating the command as many times as necessary For access list number enter the access list number The range is 1 to 99 and 1300 to 1999 Use the permit keyword to permit a certain type of traffic if the conditions are matched Use...

Page 676: ...r The range is 100 to 199 and 2000 to 2699 Use the permit keyword to permit a certain type of traffic if the conditions are matched Use the deny keyword to deny a certain type of traffic if conditions are matched For protocol enter the name or number of an IP protocol Use the question mark to see a list of available protocol keywords For source enter the network or host from which the packet is be...

Page 677: ...pecify the type of traffic to permit or deny if the conditions are matched entering the command as many times as necessary For src MAC addr enter the MAC address of the host from which the packet is being sent You specify this by using the hexadecimal format H H H by using the any keyword as an abbreviation for source 0 0 0 source wildcard ffff ffff ffff or by using the host keyword for source 0 0...

Page 678: ...t number deny permit source source wildcard or access list access list number deny permit protocol source source wildcard destination destination wildcard or mac access list extended name permit deny host src MAC addr mask any host dst MAC addr dst MAC addr mask type mask Create an IP standard or extended ACL for IP traffic or a Layer 2 MAC ACL for non IP traffic repeating the command as many time...

Page 679: ...ss2 Switch config cmap match ip dscp 10 11 12 Switch config cmap end Switch This example shows how to create a class map called class3 which matches incoming traffic with IP precedence values of 5 6 and 7 Switch config class map class3 Switch config cmap match ip precedence 5 6 7 Switch config cmap end Switch Step 4 match access group acl index or name ip dscp dscp list ip precedence ip precedence...

Page 680: ...he mls qos map ip prec dscp dscp1 dscp8 global configuration command the settings only affect packets on ingress interfaces that are configured to trust the IP precedence value In a policy map if you set the packet IP precedence value to a new value by using the set ip precedence new precedence policy map class configuration command the egress DSCP value is not affected by the IP precedence to DSC...

Page 681: ...or more match criteria must be matched For class map name specify the name of the class map If neither the match all or match any keyword is specified the default is match all Note Because only one match command per class map is supported the match all and match any keywords function the same Step 3 policy map policy map name Create a policy map by entering the policy map name and enter policy map...

Page 682: ...S value for non IP packets that are untagged QoS derives the DSCP value by using the default port CoS value In either case the DSCP value is derived from the CoS to DSCP map For more information see the Configuring the CoS to DSCP Map section on page 32 60 Step 6 set dscp new dscp ip precedence new precedence Classify IP traffic by setting a new value in the packet For dscp new dscp enter a new DS...

Page 683: ...witch config pmap c police 1000000 8000 exceed action policed dscp transmit Switch config pmap c exit Switch config pmap exit Switch config interface gigabitethernet0 1 Switch config if service policy input flow1t This example shows how to create a Layer 2 MAC ACL with two permit statements and attach it to an ingress port The first permit statement allows traffic from the host with MAC address 00...

Page 684: ...cy map You can attach only one policy map per ingress port or SVI A policy map can contain multiple class statements each with different match criteria and actions A separate policy map class can exist for each type of traffic received on the SVI Beginning with Cisco IOS Release 12 2 44 SE a policy map and a port trust state can both run on a physical interface The policy map is applied before the...

Page 685: ...g a class map see the Classifying Traffic by Using Class Maps section on page 32 46 By default no class maps are defined Optional Use the match all keyword to perform a logical AND of all matching statements under this class map All match criteria in the class map must be matched Optional Use the match any keyword to perform a logical OR of all matching statements under this class map One or more ...

Page 686: ...on the same Step 7 match input interface interface id list Specify the physical ports on which the interface level class map acts You can specify up to six ports as follows A single port counts as one entry A list of ports separated by a space each port counts as an entry A range of ports separated by a hyphen counts as two entries This command can only be used in the child level policy map and mu...

Page 687: ...p transmit keywords to mark down the DSCP value by using the policed DSCP map and to send the packet For more information see the Configuring the Policed DSCP Map section on page 32 62 Step 13 exit Return to policy map configuration mode Step 14 exit Return to global configuration mode Step 15 policy map policy map name Create a VLAN level policy map by entering the policy map name and enter polic...

Page 688: ... the ingress packet and the IP precedence to DSCP map For non IP packets that are tagged QoS derives the DSCP value by using the received CoS value for non IP packets that are untagged QoS derives the DSCP value by using the default port CoS value In either case the DSCP value is derived from the CoS to DSCP map For more information see the Configuring the CoS to DSCP Map section on page 32 60 Ste...

Page 689: ... cmap match access 101 Switch config cmap exit Switch config exit Switch Switch This example shows how to attach the new map to an SVI Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config class map cm interface 1 Switch config cmap match input g3 0 1 g3 0 2 Switch config cmap exit Switch config policy map port plcmap Switch config pmap class map cm inte...

Page 690: ...e follow these steps to create an aggregate policer Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos aggregate policer aggregate policer name rate bps burst byte exceed action drop policed dscp transmit Define the policer parameters that can be applied to multiple traffic classes within the same policy map By default no aggregate policer is defined For infor...

Page 691: ...tch config cmap match access group 1 Switch config cmap exit Switch config class map ipclass2 Switch config cmap match access group 2 Switch config cmap exit Switch config policy map aggflow1 Switch config pmap class ipclass1 Step 4 policy map policy map name Create a policy map by entering the policy map name and enter policy map configuration mode For more information see the Classifying Policin...

Page 692: ... 61 optional Configuring the Policed DSCP Map page 32 62 optional unless the null settings in the map are not appropriate Configuring the DSCP to CoS Map page 32 63 optional Configuring the DSCP to DSCP Mutation Map page 32 64 optional unless the null settings in the map are not appropriate All the maps except the DSCP to DSCP mutation map are globally defined and are applied to all ports Configur...

Page 693: ...DSCP value that QoS uses internally to represent the priority of the traffic Table 32 13 shows the default IP precedence to DSCP map If these values are not appropriate for your network you need to modify them Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos map cos dscp dscp1 dscp8 Modify the CoS to DSCP map For dscp1 dscp8 enter eight DSCP values that corr...

Page 694: ...follow these steps to modify the policed DSCP map This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos map ip prec dscp dscp1 dscp8 Modify the IP precedence to DSCP map For dscp1 dscp8 enter eight DSCP values that correspond to the IP precedence values 0 to 7 Separate each DSCP value with a space The DSCP range is 0 to 63 Step 3 end Re...

Page 695: ...7 48 49 5 00 00 00 00 00 00 00 00 58 59 6 60 61 62 63 Note In this policed DSCP map the marked down DSCP values are shown in the body of the matrix The d1 column specifies the most significant digit of the original DSCP the d2 row specifies the least significant digit of the original DSCP The intersection of the d1 and d2 values provides the marked down value For example an original DSCP value of ...

Page 696: ...CoS map a DSCP value of 08 corresponds to a CoS value of 0 Configuring the DSCP to DSCP Mutation Map If two QoS domains have different DSCP definitions use the DSCP to DSCP mutation map to translate one set of DSCP values to match the definition of another domain You apply the DSCP to DSCP mutation map to the receiving port ingress mutation at the boundary of a QoS administrative domain With ingre...

Page 697: ... 00 00 00 00 00 00 10 10 1 10 10 10 10 14 15 16 17 18 19 2 20 20 20 23 24 25 26 27 28 29 3 30 30 30 30 30 35 36 37 38 39 4 40 41 42 43 44 45 46 47 48 49 5 50 51 52 53 54 55 56 57 58 59 6 60 61 62 63 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos map dscp mutation dscp mutation name in dscp to out dscp Modify the DSCP to DSCP mutation map For dscp mutation ...

Page 698: ...ht need to perform all of the tasks in the next sections You will need to make decisions about these characteristics Which packets are assigned by DSCP or CoS value to each queue What drop percentage thresholds apply to each queue and which CoS or DSCP values map to each threshold How much of the available buffer space is allocated between the queues How much of the available bandwidth is allocate...

Page 699: ...pped to queue 1 and threshold 1 CoS value 5 is mapped to queue 2 and threshold 1 For queue id the range is 1 to 2 For threshold id the range is 1 to 3 The drop threshold percentage for threshold 3 is predefined It is set to the queue full state For dscp1 dscp8 enter up to eight values and separate each value with a space The range is 0 to 63 For cos1 cos8 enter up to eight values and separate each...

Page 700: ...he default setting use the no mls qos srr queue input buffers global configuration command This example shows how to allocate 60 percent of the buffer space to ingress queue 1 and 40 percent of the buffer space to ingress queue 2 Switch config mls qos srr queue input buffers 60 40 Allocating Bandwidth Between the Ingress Queues You need to specify how much of the available bandwidth is allocated b...

Page 701: ...the mls qos srr queue input priority queue queue id bandwidth weight global configuration command Then SRR shares the remaining bandwidth with both ingress queues and services them as specified by the weights configured with the mls qos srr queue input bandwidth weight1 weight2 global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos srr...

Page 702: ...of the tasks in the next sections You will need to make decisions about these characteristics Which packets are mapped by DSCP or CoS value to each queue and threshold ID What drop percentage thresholds apply to the queue set four egress queues per port and how much reserved and maximum memory is needed for the traffic type How much of the fixed buffer space is allocated to the queue set Does the ...

Page 703: ...ueue is disabled and the SRR shaped and shared weights are configured the shaped mode overrides the shared mode for queue 1 and SRR services this queue in shaped mode If the egress expedite queue is disabled and the SRR shaped weights are not configured SRR services this queue in shared mode Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue Set You can guarantee the availab...

Page 704: ...ure the WTD thresholds guarantee the availability of buffers and configure the maximum memory allocation for the queue set four egress queues per port By default the WTD thresholds for queues 1 3 and 4 are set to 100 percent The thresholds for queue 2 are set to 200 percent The reserved thresholds for queues 1 2 3 and 4 are set to 50 percent The maximum thresholds for all queues are set to 400 per...

Page 705: ...s the maximum memory that this queue can have before packets are dropped Switch config mls qos queue set output 2 buffers 40 20 20 20 Switch config mls qos queue set output 2 threshold 2 40 60 100 200 Switch config interface gigabitethernet0 1 Switch config if queue set 2 Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID You can prioritize traffic by placing packets with particul...

Page 706: ...ueue 4 and threshold 1 DSCP values 40 47 are mapped to queue 1 and threshold 1 By default CoS values 0 and 1 are mapped to queue 2 and threshold 1 CoS values 2 and 3 are mapped to queue 3 and threshold 1 CoS values 4 6 and 7 are mapped to queue 4 and threshold 1 CoS value 5 is mapped to queue 1 and threshold 1 For queue id the range is 1 to 4 For threshold id the range is 1 to 3 The drop threshold...

Page 707: ... which is 12 5 percent Switch config interface gigabitethernet0 1 Switch config if srr queue bandwidth shape 8 0 0 0 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port of the outbound traffic and enter interface configuration mode Step 3 srr queue bandwidth shape weight1 weight2 weight3 weight4 Assign SRR weights to the egress q...

Page 708: ...ample shows how to configure the weight ratio of the SRR scheduler running on an egress port Four queues are used and the bandwidth ratio allocated for each queue in shared mode is 1 1 2 3 4 2 1 2 3 4 3 1 2 3 4 and 4 1 2 3 4 which is 10 percent 20 percent 30 percent and 40 percent for queues 1 2 3 and 4 This means that queue 4 has four times the bandwidth of queue 1 twice the bandwidth of queue 2 ...

Page 709: ...nk you can limit the bandwidth to that amount Note The egress queue default settings are suitable for most situations You should change them only when you have a thorough understanding of the egress queues and if these settings do not meet your QoS solution Beginning in privileged EXEC mode follow these steps to limit the bandwidth on an egress port This procedure is optional Command Purpose Step ...

Page 710: ...ep 4 end Return to privileged EXEC mode Step 5 show mls qos interface interface id queueing Verify your entries Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Table 32 15 Commands for Displaying Standard QoS Information Command Purpose show class map class map name Display QoS class maps which define the match criteria to classify tra...

Page 711: ...ification criteria for incoming traffic Note Do not use the show policy map interface privileged EXEC command to display classification information for incoming traffic The control plane and interface keywords are not supported and the statistics shown in the display should be ignored show running config include rewrite Display the DSCP transparency setting Table 32 15 Commands for Displaying Stan...

Page 712: ...32 80 Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide OL 8915 03 Chapter 32 Configuring QoS Displaying Standard QoS Information ...

Page 713: ...oad across the remaining links If a link fails EtherChannel redirects traffic from the failed link to the remaining links in the channel without intervention Note For complete syntax and usage information for the commands used in this chapter see the command reference for this release This chapter consists of these sections Understanding EtherChannels page 33 1 Configuring EtherChannels page 33 8 ...

Page 714: ...ontrol Protocol LACP or On Configure both ends of the EtherChannel in the same mode When you configure one end of an EtherChannel in either PAgP or LACP mode the system negotiates with the other end of the channel to determine which ports should become active In previous releases the incompatible ports were suspended Beginning with Cisco IOS Release 12 2 35 SE instead of a suspended state the loca...

Page 715: ...figuration command followed by the no switchport interface configuration command Then you manually assign an interface to the EtherChannel by using the channel group interface configuration command For both Layer 2 and Layer 3 ports the channel group command binds the physical port and the logical interface together as shown in Figure 33 2 Each EtherChannel has a port channel logical interface num...

Page 716: ... as port speed and for Layer 2 EtherChannels trunking state and VLAN numbers Ports can form an EtherChannel when they are in different PAgP modes as long as the modes are compatible For example A port in the desirable mode can form an EtherChannel with another port that is in the desirable or auto mode A port in the auto mode can form an EtherChannel with another port in the desirable mode A port ...

Page 717: ...logical link channel or aggregate port Similarly configured ports are grouped based on hardware administrative and port parameter constraints For example LACP groups the ports with the same speed duplex mode native VLAN VLAN range and trunking status and type After grouping the links into an EtherChannel LACP adds the group to the spanning tree as a single switch port LACP Modes Table 33 2 shows t...

Page 718: ...e links in a channel by reducing part of the binary pattern formed from the addresses in the frame to a numerical value that selects one of the links in the channel EtherChannel load balancing can use MAC addresses or IP addresses source or destination addresses or both source and destination addresses The selected mode applies to all EtherChannels configured on the switch You configure the load b...

Page 719: ...dresses of the incoming packet This forwarding method a combination of source IP and destination IP address based forwarding can be used if it is not clear whether source IP or destination IP address based forwarding is better suited on a particular switch In this method packets sent from the IP address A to IP address B from IP address A to IP address C and from IP address C to IP address B could...

Page 720: ...ancing page 33 15 optional Configuring the PAgP Learn Method and Priority page 33 16 optional Configuring LACP Hot Standby Ports page 33 17 optional Note Make sure that the ports are correctly configured For more information see the EtherChannel Configuration Guidelines section on page 33 9 Note After you configure an EtherChannel configuration changes applied to the port channel interface apply t...

Page 721: ...ng the shutdown interface configuration command is treated as a link failure and its traffic is transferred to one of the remaining ports in the EtherChannel When a group is first created all ports follow the parameters set for the first port to be added to the group If you change the configuration of one of these parameters you must also make the changes to all ports in the group Allowed VLAN lis...

Page 722: ... same on all the trunks Inconsistent trunk modes on EtherChannel ports can have unexpected results An EtherChannel supports the same allowed range of VLANs on all the ports in a trunking Layer 2 EtherChannel If the allowed range of VLANs is not the same the ports do not form an EtherChannel even when PAgP is set to the auto or desirable mode Ports with different spanning tree path costs can form a...

Page 723: ...rts by sending PAgP packets on Forces the port to channel without PAgP or LACP In the on mode an EtherChannel exists only when a port group in the on mode is connected to another port group in the on mode non silent Optional If your switch is connected to a partner that is PAgP capable configure the switch port for nonsilent operation when the port is in the auto or desirable mode If you do not sp...

Page 724: ...onfigure Layer 3 EtherChannels you create the port channel logical interface and then put the Ethernet ports into the port channel as described in the next two sections Creating Port Channel Logical Interfaces When configuring Layer 3 EtherChannels you should first manually create the port channel logical interface by using the interface port channel global configuration command Then you put the l...

Page 725: ...ysical port and enter interface configuration mode Valid interfaces include physical ports For a PAgP EtherChannel you can configure up to eight ports of the same type and speed for the same group For a LACP EtherChannel you can configure up to 16 Ethernet ports of the same type Up to eight ports can be active and up to eight ports can be in standby mode Step 3 no ip address Ensure that there is n...

Page 726: ...Channel exists only when a port group in the on mode is connected to another port group in the on mode non silent Optional If your switch is connected to a partner that is PAgP capable configure the switch port for nonsilent operation when the port is in the auto or desirable mode If you do not specify non silent silent is assumed The silent setting is for connections to file servers or packet ana...

Page 727: ...ethods section on page 33 6 Beginning in privileged EXEC mode follow these steps to configure EtherChannel load balancing This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 port channel load balance dst ip dst mac src dst ip src dst mac src ip src mac Configure an EtherChannel load balancing method The default is src mac Select one of these ...

Page 728: ...figure a single port within the group for all transmissions and use other ports for hot standby The unused ports in the group can be swapped into operation in just a few seconds if the selected single port loses hardware signal detection You can configure which port is always selected for packet transmission by changing its priority with the pagp port priority interface configuration command The h...

Page 729: ...Enter global configuration mode Step 2 interface interface id Specify the port for transmission and enter interface configuration mode Step 3 pagp learn method physical port Select the PAgP learning method By default aggregation port learning is selected which means the switch sends packets to the source by using any of the ports in the EtherChannel With aggregate port learning it is not important...

Page 730: ...nd the LACP port priority to affect how the software selects active and standby links For more information see the Configuring the LACP System Priority section on page 33 18 and the Configuring the LACP Port Priority section on page 33 19 Configuring the LACP System Priority You can configure the system priority for all the EtherChannels that are enabled for LACP by using the lacp system priority ...

Page 731: ...em might have more restrictive hardware limitations all the ports that cannot be actively included in the EtherChannel are put in the hot standby state and are used only if one of the channeled ports fails Beginning in privileged EXEC mode follow these steps to configure the LACP port priority This procedure is optional To return the LACP port priority to the default value use the no lacp port pri...

Page 732: ...a set of upstream ports if all of the upstream ports become unavailable trunk failover automatically puts all of the associated downstream ports in an error disabled state This causes the server primary interface to failover to the secondary interface When Layer 2 trunk failover is not enabled if the upstream interfaces lose connectivity the external switch or router goes down the cables are disco...

Page 733: ...e 19 the link states of downstream interfaces 1 3 and 5 do not change If upstream interface 20 also loses link downstream interfaces 1 3 and 5 go into a link down state Downstream interfaces 2 4 and 6 do not change states You can recover a downstream interface link down condition by removing the failed downstream port from the link state group To recover multiple downstream interfaces disable the ...

Page 734: ...up and configure the interfaces Switch configure terminal Switch config link state track 1 Switch config interface range gigabitethernet0 21 22 Switch config if link state group 1 upstream Switch config if interface gigabitethernet0 1 Switch config if link state group 1 downstream Switch config if interface gigabitethernet0 3 Switch config if link state group 1 downstream Switch config if interfac...

Page 735: ...number global configuration command Displaying Layer 2 Trunk Failover Status Use the show link state group command to display the link state group information Enter this command without keywords to display information about all link state groups Enter the group number to display information specific to the group Enter the detail keyword to display detailed information about the group This is an ex...

Page 736: ...33 24 Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide OL 8915 03 Chapter 33 Configuring EtherChannels and Layer 2 Trunk Failover Understanding Layer 2 Trunk Failover ...

Page 737: ...me 3 of 3 Multicast Release 12 2 This chapter consists of these sections Understanding IP Routing page 34 1 Steps for Configuring Routing page 34 3 Configuring IP Addressing page 34 3 Enabling IP Unicast Routing page 34 17 Configuring RIP page 34 17 Configuring Stub Routing page 34 23 Configuring Protocol Independent Features page 34 27 Monitoring and Maintaining the IP Network page 34 37 Note Whe...

Page 738: ...te packets in three different ways By using default routing By using preprogrammed static routes for the traffic By dynamically calculating routes by using a routing protocol Default routing refers to sending traffic with a destination unknown to the router to a default outlet or destination Static unicast routing forwards packets from predetermined ports through a single path into and out of a ne...

Page 739: ...h routing will occur must have IP addresses assigned to them See the Assigning IP Addresses to Network Interfaces section on page 34 5 Note A Layer 3 switch can have an IP address assigned to each routed port and SVI The number of routed ports and SVIs that you can configure is not limited by software However the interrelationship between this number and the number and volume of features being imp...

Page 740: ...et style ARP Timeout 14400 seconds 4 hours IP broadcast address 255 255 255 255 all ones IP classless routing Enabled IP default gateway Disabled IP directed broadcast Disabled all IP directed broadcasts are dropped IP domain Domain list No domain names defined Domain lookup Enabled Domain name Enabled IP forward protocol If a helper address is defined or User Datagram Protocol UDP flooding is con...

Page 741: ...the all ones subnet 131 108 255 0 and even though it is discouraged you can enable the use of subnet zero if you need the entire subnet space for your IP address Beginning in privileged EXEC mode follow these steps to enable subnet zero Use the no ip subnet zero global configuration command to restore the default and disable the use of subnet zero Command Purpose Step 1 configure terminal Enter gl...

Page 742: ...e In Figure 34 2 classless routing is enabled When the host sends a packet to 120 20 4 1 instead of discarding the packet the router forwards it to the best supernet route If you disable classless routing and a router receives packets destined for a subnet of a network with no network default route the router discards the packet Figure 34 2 IP Classless Routing In Figure 34 3 the router in network...

Page 743: ...IP address as input ARP learns the associated MAC address and then stores the IP address MAC address association in an ARP cache for rapid retrieval Then the IP datagram is encapsulated in a link layer frame and sent over the network Encapsulation of IP datagrams and ARP requests or replies on IEEE 802 networks other than Ethernet is specified by the Subnetwork Access Protocol SNAP Proxy ARP helps...

Page 744: ...e no arp ip address hardware address type global configuration command To remove all nonstatic entries from the ARP cache use the clear arp cache privileged EXEC command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 arp ip address hardware address type Globally associate an IP address with a MAC hardware address in the ARP cache and specify encapsulation type as ...

Page 745: ...n command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify the Layer 3 interface to configure Step 3 arp arpa snap Specify the ARP encapsulation method arpa Address Resolution Protocol snap Subnetwork Address Protocol Step 4 end Return to privileged EXEC mode Step 5 show interfaces interface id Ve...

Page 746: ... performs ARP requests for every IP address Proxy ARP is enabled by default To enable it after it has been disabled see the Enable Proxy ARP section on page 34 9 Proxy ARP works as long as other routers support it Default Gateway Another method for locating routes is to define a default router or default gateway All nonlocal packets are sent to this router which either routes them appropriately or...

Page 747: ...re terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify the Layer 3 interface to configure Step 3 ip irdp Enable IRDP processing on the interface Step 4 ip irdp multicast Optional Send IRDP advertisements to the multicast address 224 0 0 1 instead of IP broadcasts Note This command allows for compatibility with Sun Microsystems Solar...

Page 748: ... they are Layer 2 devices forward broadcasts to all network segments thus propagating broadcast storms The best solution to the broadcast storm problem is to use a single broadcast address scheme on a network In most modern IP implementations you can set the address to be used as the broadcast address Many implementations including the one in the switch support several addressing schemes for forwa...

Page 749: ...ify the Network Disk ND protocol which is used by older diskless Sun workstations and the network security protocol SDNS Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify the interface to configure Step 3 ip directed broadcast access list number Enable directed broadcast to physical broadcast trans...

Page 750: ...gured to generate any form of IP broadcast address Beginning in privileged EXEC mode follow these steps to set the IP broadcast address on an interface Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify the Layer 3 interface to configure Step 3 ip helper address address Enable forwarding and specify...

Page 751: ...ive TTL value of the packet must be at least two A flooded UDP datagram is given the destination address specified with the ip broadcast address interface configuration command on the output interface The destination address can be set to any address Thus the destination address might change as the datagram propagates through the network The source address is never changed The TTL value is decreme...

Page 752: ...3 end Return to privileged EXEC mode Step 4 show running config Verify your entry Step 5 copy running config startup config Optional Save your entry in the configuration file Table 34 2 Commands to Clear Caches Tables and Databases Command Purpose clear arp cache Clear the IP ARP cache and the fast switching cache clear host name Remove one or all entries from the hostname and the address cache cl...

Page 753: ...s the only routing protocol supported by the switch Using RIP the switch sends routing information updates advertisements every 30 seconds If a router does not receive an update from another router for 180 seconds or more it marks the routes served by that router as unusable If there is still no update after 240 seconds the router removes all routing table entries for the non updating router RIP u...

Page 754: ...ameters page 34 19 Configuring RIP Authentication page 34 20 Configuring Summary Addresses and Split Horizon page 34 21 Default RIP Configuration Table 34 4 shows the default RIP configuration Table 34 4 Default RIP Configuration Feature Default Setting Auto summary Enabled Default information originate Disabled Default metric Built in automatic metric translations IP RIP authentication key chain ...

Page 755: ...tworks Step 6 offset list access list number name in out offset type number Optional Apply an offset list to routing metrics to increase incoming and outgoing metrics to routes learned through RIP You can limit the offset list with an access list or an interface Step 7 timers basic update invalid holddown flush Optional Adjust routing protocol timers Valid ranges for all timers are 0 to 4294967295...

Page 756: ... of incoming RIP routing updates By default the switch validates the source IP address of incoming RIP routing updates and discards the update if the source address is not valid Under normal circumstances disabling this feature is not recommended However if you have a router that is off network and you want to receive its updates you can use this command Step 11 output delay delay Optional Add int...

Page 757: ...enabled neither autosummary nor interface IP summary addresses are advertised Beginning in privileged EXEC mode follow these steps to set an interface to advertise a summarized local IP address and to disable split horizon on the interface To disable IP summarization use the no ip summary address rip router configuration command In this example the major net is 10 0 0 0 The summary address 10 2 0 ...

Page 758: ...ng loops Split horizon blocks information about routes from being advertised by a router on any interface from which that information originated This feature can optimize communication among multiple routers especially when links are broken Note In general we do not recommend disabling split horizon unless you are certain that your application requires it to properly advertise routes Beginning in ...

Page 759: ...IM stub routing you should configure the distribution and remote routers to use IP multicast routing and configure only the switch as a PIM stub router The switch does not route transit traffic between distribution routers You also need to configure a routed uplink port on the switch The switch uplink port cannot be used with SVIs You must also configure EIGRP stub routing when configuring PIM stu...

Page 760: ...on the uplink interface of the stub router The PIM stub router does not route the transit traffic between the distribution routers Unicast EIGRP stub routing enforces this behavior You must configure unicast stub routing to assist the PIM stub router behavior For more information see the Configuring EIGRP Stub Routing section on page 34 27 Only directly connected multicast IGMP receivers and sourc...

Page 761: ...ip pim passive Switch config if exit Switch config interface GigabitEthernet0 20 Switch config if no switchport Switch config if ip address 10 1 1 1 255 255 255 0 Switch config if ip pim passive Switch config if end To verify that PIM stub is enabled for each interface use the show ip pim interface privileged EXEC command Switch show ip pim interface Address Interface Ver Nbr Query DR DR Mode Coun...

Page 762: ...ected routes and routing updates Any neighbor that receives a packet informing it of the stub status does not query the stub router for any routes and a router that has a stub peer does not query that peer The stub router depends on the distribution router to send the proper updates to all peers In Figure 34 5 switch B is configured as an EIGRP stub router Switches A and C are connected to the res...

Page 763: ...itches running the IP base image or the IP services image except that with the IP base image protocol related features are available only for RIP For a complete description of the IP routing protocol independent commands in this chapter see the IP Routing Protocol Independent Commands chapter of the Cisco IOS IP Command Reference Volume 2 of 3 Routing Protocols Release 12 2 from the Cisco com page...

Page 764: ...opology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB The FIB maintains next hop address information based on the information in the IP routing table Because the FIB contains all known routes that exist in the routing table CEF eliminates route cache maintenance is more efficient for switching traffic and is not affected by traffic patterns...

Page 765: ...ode follow these steps to change the maximum number of parallel paths installed in a routing table from the default Use the no maximum paths router configuration command to restore the default value Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip cef Enable CEF operation Step 3 interface interface id Enter interface configuration mode and specify the Layer 3 int...

Page 766: ... an interface are advertised through RIP whether or not static redistribute router configuration commands were specified for those routing protocols These static routes are advertised because static routes that point to an interface are considered in the routing table to be connected and hence lose their static nature However if you define a static route to an interface that is not one of the netw...

Page 767: ...g table to choose the optimal default network as its default route Cisco routers use administrative distance and metric information to set the default route or the gateway of last resort If dynamic default information is not being passed to the system candidates for the default route are specified with the ip default network global configuration command If this network appears in the routing table...

Page 768: ...onfigure terminal Enter global configuration mode Step 2 route map map tag permit deny sequence number Define any route maps used to control redistribution and enter route map configuration mode map tag A meaningful name for the route map The redistribute router configuration command uses this name to reference this route map Multiple route maps might share the same map tag name Optional If permit...

Page 769: ... other routing protocols if a default mode is in effect Step 8 match ip route source access list number access list name access list number access list name Match the address specified by the specified advertised access lists Step 9 set level level 1 level 2 level 1 2 Set the level for routes that are advertised into the specified area of the routing domain Step 10 end Return to privileged EXEC mo...

Page 770: ...encies by using the no passive interface router configuration command The default keyword is useful in Internet service provider and large enterprise networks where many of the distribution routers have more than 200 interfaces Controlling Advertising and Processing in Routing Updates You can use the distribute list router configuration command with access control lists to suppress routes from bei...

Page 771: ... sources of routing information Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router rip Enter router configuration mode Step 3 distribute list access list number access list name out interface name routing process autonomous system number Permit or deny routes from being advertised in routing updates depending upon the action listed in the access list Step 4 dis...

Page 772: ...must know these lifetimes Beginning in privileged EXEC mode follow these steps to manage authentication keys To remove the key chain use the no key chain name of chain global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 key chain name of chain Identify a key chain and enter key chain configuration mode Step 3 key number Identify the key num...

Page 773: ...s to Clear IP Routes or Display Route Status Command Purpose clear ip route network mask Clear one or more routes from the IP routing table show ip protocols Display the parameters and state of the active routing protocol process show ip route address mask longer prefixes protocol process id Display the current state of the routing table show ip route summary Display the current state of the routi...

Page 774: ...34 38 Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide OL 8915 03 Chapter 34 Configuring IP Unicast Routing Monitoring and Maintaining the IP Network ...

Page 775: ...on on page 35 12 For more information about SDM templates see Chapter 6 Configuring SDM Templates Note For complete syntax and usage information for the commands used in this chapter see the Cisco IOS documentation referenced in the procedures This chapter consists of these sections Understanding IPv6 section on page 35 1 Configuring IPv6 section on page 35 13 Displaying IPv6 section on page 35 18...

Page 776: ...entation on the switch These sections are included IPv6 Addresses page 35 2 Supported IPv6 Unicast Host Features page 35 3 Dual IPv4 and IPv6 SDM Templates page 35 12 IPv6 Addresses IPv6 supports three types of addresses unicast one to one multicast one to many and anycast one to nearest Multicast addresses replace the use of broadcast addresses The switch supports only IPv6 unicast addresses The ...

Page 777: ...s strict aggregation of routing prefixes and limits the number of routing table entries in the global routing table These addresses are used on links that are aggregated through organizations and eventually to the Internet service provider These addresses are defined by a global routing prefix a subnet ID and an interface ID Current global unicast address allocation uses the range of addresses tha...

Page 778: ...er node on the same local link When a destination node receives a neighbor solicitation message it replies by sending a neighbor advertisement message which has a value of 136 in the ICMP packet header Type field A value of 137 in the ICMP packet header Type field identifies an IPv6 neighbor redirect message The switch supports ICMPv6 redirect RFC 2463 for routes with mask lengths less than 64 ICM...

Page 779: ...s autoconfiguration IPv6 nodes routers and hosts begin the autoconfiguration process by generating a link local address for the interface Link local address autoconfiguration is started by Enabling IPv6 on an interface by entering the ipv6 enable interface configuration command Manually configuring the IPv6 address Autoconfiguring by entering the ipv6 address autoconfig command A link local addres...

Page 780: ... enable end switch show interface fastethernet1 0 16 FastEthernet1 0 16 is up line protocol is up connected Hardware is Fast Ethernet address is 000b 462e 9047 bia 000b 462e 9047 switch show ipv6 interface fastethernet1 0 16 FastEthernet1 0 16 is up line protocol is up IPv6 is enabled link local address is FE80 20B 46FF FE2E 9047 No global unicast address is configured Joined group address es FF02...

Page 781: ... with another address configured on the router switch2 show running config interface gigabitethernet1 0 16 Building configuration Current configuration 137 bytes interface GigabitEthernet1 0 16 no switchport no ip address no keepalive ipv6 address 1016 1 1 64 ipv6 address 1016 2 1 64 end switch2 show ipv6 interface fastethernet1 0 16 FastEthernet1 0 16 is up line protocol is up IPv6 is enabled lin...

Page 782: ...6 2 64 180 180 end switch2 show running config interface fastethernet1 0 16 Building configuration Current configuration 91 bytes interface FastEthernet1 0 16 no switchport no ip address ipv6 address autoconfig end switch2 show ipv6 interface fastethernet1 0 16 FastEthernet1 0 16 is up line protocol is up IPv6 is enabled link local address is FE80 20B 46FF FE2E 9047 Global unicast address es 1016 ...

Page 783: ...20B 46FF FE2E 9047 subnet is FEC0 1016 1 64 PRE valid lifetime 2591834 preferred lifetime 604634 Joined group address es FF02 1 FF02 2 FF02 1 FF2E 9047 MTU is 1500 bytes ICMP error messages limited to one every 100 milliseconds ICMP redirects are enabled ND DAD is enabled number of DAD attempts 1 ND reachable time is 30000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised r...

Page 784: ...ddresses Figure 35 1 Dual IPv4 and IPv6 Support on an Interface The switch uses ternary content addressable memory TCAM to store unicast routes MAC addresses access control lists ACLs and other features and provides the switch database management SDM templates to allocate memory resources depending on how the switch is used You must use the dual IPv4 and IPv6 template templates to allocate TCAM us...

Page 785: ...ts Syslog over IPv6 is responsible for transporting Cisco IOS generated system error messages to configured servers Syslog configures the connection to the logging host by using a Cisco IOS socket interface and starts a socket connection on the UDP or TCP transport by using Cisco IOS sockets Syslog supports common address data types that support both IPv4 and IPv6 transports The syslog supports so...

Page 786: ... TCAM resources for different usages the switch SDM templates prioritize system resources to optimize support for certain features You select the template that best suits the switch environment by entering the sdm prefer global configuration command For more information about SDM templates see Chapter 6 Configuring SDM Templates The dual IPv4 and IPv6 templates allow the switch to be used in dual ...

Page 787: ...lt IPv6 configuration Total IPv4 unicast routes 3 K 2 75 K 0 Directly connected IPv4 hosts 2 K 1 5 K 0 Indirect IPv4 routes 1 K 1 25 K 0 IPv6 multicast groups 1 125 K 1 125 K 1 125 K Total IPv6 unicast routes 3 K 2 75 K 0 Directly connected IPv6 addresses 2 K 1 5 K 0 Indirect IPv6 unicast routes 1 K 1 25 K 0 IPv4 policy based routing ACEs 0 0 25 K 0 IPv4 or MAC QoS ACEs total 0 75 K 0 75 K 0 75 K ...

Page 788: ... in the neighbor discovery process all nodes link local multicast group FF02 1 all routers link local multicast group FF02 2 Note Before configuring IPv6 on the switch be sure to select a dual IPv4 and IPv6 SDM template For more information about configuring IPv6 routing see the Implementing Addressing and Basic Connectivity for IPv6 chapter in the Cisco IOS IPv6 Configuration Library at this URL ...

Page 789: ...m the bucket If a series of error messages is generated error messages can be sent until the bucket is empty When the bucket is empty IPv6 ICMP error messages are not sent until a new token is placed in the bucket This method does not increase the average rate limiting time interval but it provides more flexibility than fixed time intervals ICMP rate limiting is enabled by default with a default i...

Page 790: ...tes Only the output interface is specified because the destination is assumed to be directly attached to this interface The packet destination is used as the next hop address A directly attached static route is valid only when the specified interface is IPv6 enabled and is up Recursive static routes Only the next hop is specified and the output interface is derived from the next hop A recursive st...

Page 791: ...e the prefix the network portion of the address A slash mark must precede the decimal value ipv6 address The IPv6 address of the next hop that can be used to reach the specified network The IPv6 address of the next hop need not be directly connected recursion is done to find the IPv6 address of the directly connected next hop The address must be in the form documented in RFC 2373 specified in hexa...

Page 792: ...v6 route static updated Verify your entries by displaying the contents of the IPv6 routing table interface interface id Optional Display only those static routes with the specified interface as an egress interface recursive Optional Display only recursive static routes The recursive keyword is mutually exclusive with the interface keyword but it can be used with or without the IPv6 prefix included...

Page 793: ...rotocols IPv6 Routing Protocol is connected IPv6 Routing Protocol is static IPv6 Routing Protocol is rip fer Interfaces Vlan6 GigabitEthernet0 4 GigabitEthernet0 11 GigabitEthernet0 12 Redistribution None This is an example of the output from the show ipv6 static privileged EXEC command Switch show ipv6 static IPv6 Static routes Code installed in RIB 0 via nexthop 3FFE C000 0 7 777 distance 1 This...

Page 794: ...uery 0 group report 0 group reduce 1 router solicit 0 router advert 0 redirects 0 neighbor solicit 0 neighbor advert Sent 10112 output 0 rate limited unreach 0 routing 0 admin 0 neighbor 0 address 0 port parameter 0 error 0 header 0 option 0 hopcount expired 0 reassembly timeout 0 too big 0 echo request 0 echo reply 0 group query 0 group report 0 group reduce 0 router solicit 9944 router advert 0 ...

Page 795: ...mplete syntax and usage information for the commands used in this chapter see the command reference for this release or the Cisco IOS documentation referenced in the procedures This chapter includes these sections Understanding MLD Snooping section on page 36 1 Configuring IPv6 MLD Snooping section on page 36 5 Displaying MLD Snooping Information section on page 36 11 Understanding MLD Snooping In...

Page 796: ...pport MLDv2 enhanced snooping MESS which sets up IPv6 source and destination multicast address based forwarding MLD snooping can be enabled or disabled globally or per VLAN When MLD snooping is enabled a per VLAN IPv6 multicast MAC address table is constructed in software and a per VLAN IPv6 multicast address table is constructed in software and hardware The switch then performs IPv6 multicast add...

Page 797: ... router When a group exists in the MLD snooping database the switch responds to a group specific query by sending an MLDv1 report When the group is unknown the group specific query is flooded to the ingress VLAN When a host wants to leave a multicast group it can send out an MLD Done message equivalent to IGMP Leave message When the switch receives an MLDv1 Done message if Immediate Leave is not e...

Page 798: ...d if the port on which the query arrived is not the last member port for the address MLD Done Messages and Immediate Leave When the Immediate Leave feature is enabled and a host sends an MLDv1 Done message equivalent to an IGMP leave message the port on which the Done message was received is immediately deleted from the group You enable Immediate Leave on VLANs and as with IGMP snooping you should...

Page 799: ...o configure IPv6 MLD snooping Default MLD Snooping Configuration page 36 5 MLD Snooping Configuration Guidelines page 36 6 Enabling or Disabling MLD Snooping page 36 6 Configuring a Static Multicast Group page 36 8 Configuring a Multicast Router Port page 36 8 Enabling MLD Immediate Leave page 36 9 Configuring MLD Snooping Queries page 36 10 Disabling MLD Listener Message Suppression page 36 11 De...

Page 800: ...ipv4 and ipv6 default routing vlan global configuration command Note When you select and configure SDM templates you must reload the switch for the configuration to take effect The maximum number of address entries allowed for the switch is 1000 The maximum number of multicast entries allowed on the switch is determined by the configured SDM template Enabling or Disabling MLD Snooping By default I...

Page 801: ...VLANs 1 to 1005 it is not necessary to enable IPv6 MLD snooping on the VLAN on the Catalyst switch To disable MLD snooping on a VLAN interface use the no ipv6 mld snooping vlan vlan id global configuration command for the specified VLAN number Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ipv6 mld snooping Globally enable MLD snooping on the switch Step 3 end Ret...

Page 802: ...nd PIMv6 queries you can also use the command line interface CLI to add a multicast router port to a VLAN To add a multicast router port add a static connection to a multicast router use the ipv6 mld snooping vlan mrouter global configuration command on the switch Note Static connections to multicast routers are supported only on switch ports Command Purpose Step 1 configure terminal Enter global ...

Page 803: ...Leave on a VLAN use the no ipv6 mld snooping vlan vlan id immediate leave global configuration command This example shows how to enable MLD Immediate Leave on VLAN 130 Switch configure terminal Switch config ipv6 mld snooping vlan 130 immediate leave Switch config exit Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ipv6 mld snooping vlan vlan id mrouter interface ...

Page 804: ... 1 to 7 the default is 2 The queries are sent 1 second apart Step 5 ipv6 mld snooping vlan vlan id last listener query count count Optional Set the last listener query count on a VLAN basis This value overrides the value configured globally The range is 1 to 7 the default is 0 When set to 0 the global count value is used Queries are sent 1 second apart Step 6 ipv6 mld snooping last listener query ...

Page 805: ...rwards only one MLD report per multicast router query When message suppression is disabled multiple MLD reports could be forwarded to the multicast routers Beginning in privileged EXEC mode follow these steps to disable MLD listener message suppression To re enable MLD message suppression use the ipv6 mld snooping listener message suppression global configuration command Displaying MLD Snooping In...

Page 806: ...ptional Enter vlan vlan id to display information for a single VLAN The VLAN ID range is 1 to 1001 and 1006 to 4094 show ipv6 mld snooping querier vlan vlan id Display information about the IPv6 address and incoming port for the most recently received MLD query messages in the VLAN Optional Enter vlan vlan id to display information for a single VLAN The VLAN ID range is 1 to 1001 and 1006 to 4094 ...

Page 807: ...n about IPv6 on the switch see Chapter 35 Configuring IPv6 Host Functions Note For complete syntax and usage information for the commands used in this chapter see the command reference for this release or the Cisco IOS documentation referenced in the procedures This chapter contains these sections Understanding IPv6 ACLs page 37 1 Configuring IPv6 ACLs page 37 3 Displaying IPv6 ACLs page 37 7 Unde...

Page 808: ...st addresses 128 that are in the extended universal identifier EUI 64 format The switch supports only these host addresses with no loss of information aggregatable global unicast addresses link local addresses The switch does not support matching on these keywords flowlabel routing header and undetermined transport The switch does not support reflexive ACLs the reflect keyword This release support...

Page 809: ...re no IPv6 ACLs configured or applied Interaction with Other Features Configuring IPv6 ACLs has these interactions with other features or switch characteristics If an IPv6 router ACL is configured to deny a packet the packet is dropped A copy of the packet is sent to the Internet Control Message Protocol ICMP queue to generate an ICMP unreachable message for the frame You can create both IPv4 and ...

Page 810: ... prefixes in the range of 0 to 64 and EUI based 128 prefixes for aggregatable global unicast and link local host addresses Enter any as an abbreviation for the IPv6 prefix 0 For host source ipv6 address or destination ipv6 address enter the source or destination IPv6 host address for which to set deny or permit conditions specified in hexadecimal using 16 bit values between colons Optional For ope...

Page 811: ...ocol sequence value time range name Optional Define a UDP access list and the access conditions Enter udp for the User Datagram Protocol The UDP parameters are the same as those described for TCP except that the operator port port number or name must be a UDP port number or name and the established parameter is not valid for UDP Step 3d deny permit icmp source ipv6 prefix prefix length any host so...

Page 812: ...h config ipv6 acl permit any any Applying an IPv6 ACL to an Interface This section describes how to apply IPv6 ACLs to network interfaces You can apply ACLs only to inbound management traffic on Layer 3 interfaces Beginning in privileged EXEC mode follow these steps to control access to an interface Use the no ipv6 traffic filter access list name interface configuration command to remove an access...

Page 813: ...show access lists privileged EXEC command The output shows all access lists that are configured on the switch Switch show access lists Extended IP access list hello 10 permit ip any any IPv6 access list ipv6 permit ipv6 any any sequence 10 This is an example of the output from the show ipv6 access lists privileged EXEC command The output shows only IPv6 access lists configured on the switch Switch...

Page 814: ...37 8 Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide OL 8915 03 Chapter 37 Configuring IPv6 ACLs Displaying IPv6 ACLs ...

Page 815: ...nding HSRP HSRP is Cisco s standard method of providing high network availability by providing first hop redundancy for IP hosts on an IEEE 802 LAN configured with a default gateway IP address HSRP routes IP traffic without relying on the availability of any single router It enables a set of router interfaces to work together to present the appearance of a single virtual router or default gateway ...

Page 816: ...face Internet Control Message Protocol ICMP redirect messages are disabled by default for the interface You can configure multiple Hot Standby groups among switches that are operating in Layer 3 to make more use of the redundant routers To do so specify a group number for each Hot Standby command group you configure for an interface For example you might configure an interface on switch 1 as an ac...

Page 817: ...ault active router because it has the assigned highest priority and Router B is the standby router For group 2 Router B is the default active router because it has the assigned highest priority and Router A is the standby router During normal operation the two routers share the IP traffic load When either router becomes unavailable the other router becomes active and assumes the packet transfer fu...

Page 818: ...Default HSRP Configuration page 38 5 HSRP Configuration Guidelines page 38 5 Enabling HSRP page 38 5 Configuring HSRP Priority page 38 6 Configuring MHSRP page 38 9 Configuring HSRP Authentication and Timers page 38 9 Enabling HSRP Support for ICMP Redirect Messages page 38 11 121235 Active router for group 1 Standby router for group 2 Client 1 Router A Router B 10 0 0 1 10 0 0 2 Active router for...

Page 819: ...page 33 12 All Layer 3 interfaces must have IP addresses assigned to them See the Configuring Layer 3 Interfaces section on page 9 19 Enabling HSRP The standby ip interface configuration command activates HSRP on the configured interface If an IP address is specified that address is used as the designated address for the Hot Standby group If no IP address is specified the address is learned throug...

Page 820: ... Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and enter the Layer 3 interface on which you want to enable HSRP Step 3 standby group number ip ip address secondary Create or enable the HSRP group using its number and virtual IP address Optional group number The group number on the interface for which HSRP is being enabled...

Page 821: ...ority when a tracked interface goes down When the interface comes back up the priority is incremented by the same amount When multiple tracked interfaces are down and interface priority values have been configured the configured priority decrements are cumulative If tracked interfaces that were not configured with priority values fail the default decrement is 10 and it is noncumulative When routin...

Page 822: ...ontrol as the active router Optional group number The group number to which the command applies Optional priority Enter to set or change the group priority The range is 1 to 255 the default is 100 Optional delay Set to cause the local router to postpone taking over the active role for the number of seconds shown The range is 0 to 3600 1 hour the default is 0 no delay before taking over Use the no ...

Page 823: ... if standby 1 priority 110 Switch config if standby 1 preempt Switch config if standby 2 ip 10 0 0 4 Switch config if standby 2 preempt Switch config if end Router B Configuration Switch configure terminal Switch config interface gigabitethernet0 1 Switch config if no switchport Switch config if ip address 10 0 0 2 255 255 255 0 Switch config if standby 1 ip 10 0 0 3 Switch config if standby 1 pre...

Page 824: ...ch config if no switchport Switch config if standby 1 ip Switch config if standby 1 timers 5 15 Switch config if end Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and enter the HSRP interface on which you want to set authentication Step 3 standby group number authentication string Optional authentication s...

Page 825: ...rations From privileged EXEC mode use this command to display HSRP settings show standby interface id group brief detail You can display HSRP information for the whole switch for a specific interface for an HSRP group or for an HSRP group on an interface You can also specify whether to display a concise overview of HSRP information or detailed HSRP information The default display is detail If ther...

Page 826: ...ncludes this information Understanding Enhanced Object Tracking page 38 12 Configuring Enhanced Object Tracking Features page 38 12 Monitoring Enhanced Object Tracking page 38 18 Understanding Enhanced Object Tracking Each tracked object has a unique number that is specified on the tracking command line interface CLI Client processes use this number to track a specific object The tracking process ...

Page 827: ...the tracked list Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 track object number interface interface id line protocol Optional Create a tracking list to track the line protocol state of an interface and enter tracking configuration mode The object number identifies the tracked object and can be from 1 to 500 The interface interface id is the interface being tra...

Page 828: ...sion Use the no track track number global configuration command to delete the tracked list This example configures track list 4 with a Boolean AND expression that contains two objects with one object state negated If the list is up the list detects that object 2 is down Switch config track 4 list boolean and Switch config track object 1 Switch config track object 2 not Switch config track exit Com...

Page 829: ...width connections and object 3 represents one large bandwidth connection The configured down 10 value means that once the tracked object is up it will not go down until the threshold value is equal to or lower than 10 which in this example means that all connections are down Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 track track number list threshold weight Co...

Page 830: ...1 down 10 Switch config track exit Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 track track number list threshold percentage Configure a tracked list object and enter tracking configuration mode The track number can be from 1 to 500 threshold Specify the state of the tracked list based on a threshold percentage Specify that the threshold is based on percentage S...

Page 831: ...hold to track the threshold metric The default up threshold is 254 and the default down threshold is 255 Enter reachability to track if the route is reachable Enter list to track objects grouped in a list Configure the list as described on the previous pages For boolean see the Boolean Expression section on page 38 14 For threshold weight see the Weight Threshold section on page 38 15 For threshol...

Page 832: ...iosswrel ps1839 products_feature_guide09186a00801541be html Monitoring Enhanced Object Tracking Use the privileged EXEC or User EXEC commands in Table 38 2 to display enhanced object tracking information Step 6 standby group number track object number decrement priority decrement Configure HSRP to track an object and change the hot standby priority based on the state of the object Optional group n...

Page 833: ...ng show track interface brief Display information about tracked interface objects show track ip object number brief route Display information about tracked IP route objects show track resolution Display the resolution of tracked parameters show track timers Display tracked polling interval timers Table 38 2 Commands for Displaying Tracking Information continued Command Purpose ...

Page 834: ...38 20 Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide OL 8915 03 Chapter 38 Configuring HSRP and Enhanced Object Tracking Configuring Enhanced Object Tracking ...

Page 835: ...with another device that supports full IP SLAs functionality For more information about IP SLAs see the Cisco IOS IP SLAs Configuration Guide Release 12 4T at this URL http www cisco com en US products ps6441 products_configuration_guide_book09186a0080707055 html For command syntax information see the command reference at this URL http www cisco com en US products ps6441 products_command_reference...

Page 836: ...ble it can also be used by performance monitoring applications like CiscoWorks Internetwork Performance Monitor IPM and other third party Cisco partner performance management products You can find more details about network management products that use Cisco IOS IP SLAs at this URL http www cisco com go ipsla Using IP SLAs can provide these benefits Service level agreement monitoring measurement a...

Page 837: ...As responder if required 2 Configure the required IP SLAs operation type 3 Configure any options available for the specified operation type 4 Configure threshold conditions if required 5 Schedule the operation to run then let the operation run for a period of time to gather statistics 6 Display and interpret the results of the operation using the Cisco IOS CLI or a network management system NMS sy...

Page 838: ...is not required for services that are already provided by the destination router such as Telnet or HTTP You cannot configure the IP SLAs responder on non Cisco devices and Cisco IOS IP SLAs can send operational packets only to services native to those devices Response Time Computation for IP SLAs Switches and routers can take tens of milliseconds to process incoming packets due to other high prior...

Page 839: ...iguration Guide It includes only the procedure for configuring the responder because the switch includes only responder support For details about configuring other operations see he Cisco IOS IP SLAs Configuration Guide at this URL http www cisco com en US products ps6441 products_configuration_guide_book09186a0080707055 html This section includes this information Default Configuration page 39 5 C...

Page 840: ...ing IP SLAs Operations Use the User EXEC or Privileged EXEC commands in Table 39 1 to display IP SLAs operations configuration Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip sla responder tcp connect udp echo ipaddress ip address port port number Configure the switch as an IP SLAs responder The optional keywords have these meanings tcp connect Enable the respon...

Page 841: ...e commands used in this chapter see the command reference for this release and the Cisco IOS Command Summary Release 12 2 This chapter consists of these sections Recovering from a Software Failure page 40 2 Recovering from a Lost or Forgotten Password page 40 3 Note Recovery procedures require that you have physical access to the switch Preventing Autonegotiation Mismatches page 40 7 SFP Module Se...

Page 842: ...le by using the tar tvf image_filename tar UNIX command unix tar tvf image_filename tar 2 Locate the bin file and extract it by using the tar xvf image_filename tar image_filename bin UNIX command hostname tar xvf image_filename tar image_filename bin x cbs30x0 i612 mz 122 25 SEF1 cbs30x0 i612 mz 122 25 SEF1 bin 2928176 bytes 5720 tape blocks 3 Verify that the bin file was extracted by using the l...

Page 843: ...ew software image is operating properly Step 16 Delete the flash image_filename bin file from the switch Recovering from a Lost or Forgotten Password The default configuration for the switch allows an end user with physical access to the switch to recover from a lost password by interrupting the bootup process during power on and by entering a new password These recovery procedures require that yo...

Page 844: ... If you see a message that begins with this The system has been interrupted prior to initializing the flash file system The following commands will initialize the flash file system go to the Procedure with Password Recovery Enabled section on page 40 4 and follow the steps If you see a message that begins with this The password recovery mechanism has been triggered but is currently disabled go to ...

Page 845: ... the switch prompt enter privileged EXEC mode Switch enable Step 8 Rename the configuration file to its original name Switch rename flash config text old flash config text Step 9 Copy the configuration file into memory Switch copy flash config text system running config Source filename config text Destination filename running config Press Return in response to the confirmation prompts The configur...

Page 846: ... configuration access to the boot loader prompt can still be allowed Would you like to reset the system back to the default configuration y n Caution Returning the switch to the default configuration results in the loss of all existing configurations We recommend that you contact your system administrator to verify if there are backup switch and VLAN configuration files If you enter n no the norma...

Page 847: ...kely to leave your switch virtual interface in a shutdown state You can see which interface is in this state by entering the show running config privileged EXEC command To re enable the interface enter the interface vlan vlan id global configuration command and specify the VLAN ID of the shutdown interface With the switch in interface configuration mode enter the no shutdown command Step 10 You mu...

Page 848: ...or message text refers to GBIC interfaces and modules the security messages actually refer to the SFP modules and module interfaces For more information about error messages see the system message guide for this release If you are using a non Cisco SFP module remove the SFP module from the switch and replace it with a Cisco module After inserting a Cisco SFP module use the errdisable recovery caus...

Page 849: ... reply Ping returns one of these responses Normal response The normal response hostname is alive occurs in 1 to 10 seconds depending on network traffic Destination does not respond If the host does not respond a no answer message is returned Unknown host If the host does not exist an unknown host message is returned Destination unreachable If the default gateway cannot reach the specified network ...

Page 850: ...derstanding Layer 2 Traceroute The Layer 2 traceroute feature allows the switch to identify the physical path that a packet takes from a source device to a destination device Layer 2 traceroute supports only unicast source and destination MAC addresses It finds the path by using the MAC address tables of the switches in the path When the switch detects a device in the path that does not support La...

Page 851: ...you specify source and destination MAC addresses that belong to different VLANs the Layer 2 path is not identified and an error message appears If you specify a multicast source or destination MAC address the path is not identified and an error message appears If the source or destination MAC address belongs to multiple VLANs you must specify the VLAN to which both the source and destination MAC a...

Page 852: ...intermediate switch is a multilayer switch that is routing a particular packet this switch shows up as a hop in the traceroute output The traceroute privileged EXEC command uses the Time To Live TTL field in the IP header to cause routers and servers to generate specific return messages Traceroute starts by sending a User Datagram Protocol UDP datagram to the destination host with the TTL field se...

Page 853: ... msec 4 171 9 4 5 0 msec 4 msec 0 msec 5 171 9 121 34 0 msec 4 msec 4 msec 6 171 9 15 9 120 msec 132 msec 128 msec 7 171 9 15 10 132 msec 128 msec 128 msec Switch The display shows the hop count the IP address of the router and the round trip time in milliseconds for each of the three probes that are sent To end a trace in progress enter the escape sequence Ctrl X by default Simultaneously press a...

Page 854: ...r example a shorted twisted pair can occur if one wire of the twisted pair is soldered to the other wire If one of the twisted pair wires is open TDR can find the length at which the wire is open Use TDR to diagnose and resolve cabling problems in these situations Replacing a switch Setting up a wiring closet Troubleshooting a connection between two devices when a link cannot be established or whe...

Page 855: ...f you enable a debug command and no output appears consider these possibilities The switch might not be properly configured to generate the type of traffic you want to monitor Use the show running config command to check its configuration Even if the switch is properly configured it might not generate the type of traffic you want to monitor during the particular period that debugging is enabled De...

Page 856: ...m Message Logging Using the show platform forward Command The output from the show platform forward privileged EXEC command provides some useful information about the forwarding results if a packet entering an interface is sent through the system Depending upon the parameters entered about the packet the output provides lookup table results and port maps used to calculate forwarding destinations b...

Page 857: ...m the port on which the address was learned Switch show platform forward gigabitethernet0 1 vlan 5 1 1 1 0009 43a8 0145 ip 13 1 1 1 13 2 2 2 udp 10 20 Global Port Number 24 Asic Number 5 Src Real Vlan Id 5 Mapped Vlan Id 5 Ingress Lookup Key Used Index Hit A Data InptACL 40_0D020202_0D010101 00_40000014_000A0000 01FFA 03000000 L2Local 80_00050009_43A80145 00_00000000_00000000 00086 02010197 Statio...

Page 858: ... 00_40000014_000A0000 01D28 30090001_00000000 Lookup Used Secondary Station Descriptor F0070007 DestIndex F007 RewriteIndex 0007 Egress Asic 3 switch 1 Output Packets Packet 1 Lookup Key Used Index Hit A Data OutptACL 50_10010A05_0A010505 00_40000014_000A0000 01FFE 03000000 Port Vlan SrcMac DstMac Cos Dscpv Gi0 2 0007 XXXX XXXX 0246 0009 43A8 0147 Using the crashinfo Files The crashinfo files save...

Page 859: ...he most recent basic crashinfo file that is the file with the highest sequence number at the end of its filename by entering the show tech support privileged EXEC command You also can access the file by using any command that can copy or display files such as the more or the copy privileged EXEC command Extended crashinfo Files In Cisco IOS Release 12 2 25 SEC or later the switch creates the exten...

Page 860: ...40 20 Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide OL 8915 03 Chapter 40 Troubleshooting Using the crashinfo Files ...

Page 861: ...derstanding How Online Diagnostics Work With online diagnostics you can test and verify the hardware functionality of the switch while the switch is connected to a live network The online diagnostics contain packet switching tests that check different hardware components and verify the data path and the control signals The online diagnostics detect problems in these areas Hardware components Inter...

Page 862: ... diagnostics Use the no diagnostic monitor interval test test id test id range global configuration command to change the interval to the default value or to zero Use the no diagnostic monitor syslog command to disable generation of syslog messages when a health monitoring test fails Use the diagnostic monitor threshold test test_id test_id_range failure count command to remove the failure thresho...

Page 863: ...ou can use start to begin a diagnostic test Beginning in global configuration mode use this command to start an online diagnostic test This example shows how to start a diagnostic test on a specific switch Switch diagnostic start test 1 Switch 06 27 50 DIAG 6 TEST_RUNNING Running TestPortAsicStackPortLoopback ID 1 06 27 51 DIAG 6 TEST_OK TestPortAsicStackPortLoopback ID 1 has completed successfull...

Page 864: ...gured n a 3 TestPortAsicCam B D X IR not configured n a 4 TestPortAsicRingLoopback B D X IR not configured n a 5 TestMicRingLoopback B D X IR not configured n a 6 TestPortAsicMem B D X IR not configured n a This example shows how to display the online diagnostic results for a switch Switch show diagnostic result Overall diagnostic result PASS Test results Pass F Fail U Untested 1 TestPortAsicStack...

Page 865: ...ges using the configured community string always provide information for VLAN 1 To obtain the BRIDGE MIB information for other VLANs for example VLAN x use this community string in the SNMP message configured community string x CISCO CABLE DIAG MIB CISCO CDP MIB CISCO CLUSTER MIB CISCO CONFIG COPY MIB CISCO CONFIG MAN MIB CISCO ENTITY VENDORTYPE OID MIB CISCO ENVMON MIB CISCO ERR DISABLE MIB CISCO...

Page 866: ... MIB CISCO PROCESS MIB CISCO RTTMON MIB CISCO SMI MIB CISCO STP EXTENSIONS MIB CISCO SYSLOG MIB CISCO TC MIB CISCO TCP MIB CISCO UDLDP MIB CISCO VLAN IFTABLE RELATIONSHIP MIB CISCO VLAN MEMBERSHIP MIB CISCO VTP MIB ENTITY MIB ETHERLIKE MIB IEEE8021 PAE MIB IEEE8023 LAG MIB IF MIB In and out counters for VLANs are not supported INET ADDRESS MIB OLD CISCO CHASSIS MIB OLD CISCO FLASH MIB OLD CISCO IN...

Page 867: ...sco com public sw center netmgmt cmtk mibs shtml Using FTP to Access the MIB Files You can get each MIB file by using this procedure Step 1 Make sure that your FTP client is in passive mode Note Some FTP clients do not support passive mode Step 2 Use FTP to access the server ftp cisco com Step 3 Log in with the username anonymous Step 4 Enter your e mail username when prompted for the password Ste...

Page 868: ...A 4 Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide OL 8915 03 Appendix A Supported MIBs Using FTP to Access the MIB Files ...

Page 869: ...mmand References This appendix consists of these sections Working with the Flash File System page B 1 Working with Configuration Files page B 9 Replacing and Rolling Back Configurations page B 20 Working with the Flash File System The flash file system is a single flash device on which you can store files It also provides several commands to help you manage software image and configuration files T...

Page 870: ...ory in the file system in bytes Free b Amount of free memory in the file system in bytes Type Type of file system flash The file system is for a flash memory device nvram The file system is for a NVRAM device opaque The file system is a locally generated pseudo file system for example the system or a download interface such as brimux unknown The file system is an unknown type Flags Permission for ...

Page 871: ...a configuration file with the same name Similarly before copying a flash configuration file to another location you might want to verify its filename for use in another command To display information about files on a file system use one of the privileged EXEC commands in Table B 2 Changing Directories and Displaying the Working Directory Beginning in privileged EXEC mode follow these steps to chan...

Page 872: ...d their contents cannot be recovered Copying Files To copy a file from a source to a destination use the copy source url destination url privileged EXEC command For the source and destination URLs you can use running config and startup config keyword shortcuts For example the copy running config startup config command saves the currently running configuration file to the NVRAM section of flash mem...

Page 873: ...filesystem file url privileged EXEC command Use the recursive keyword for deleting a directory and all subdirectories and the files contained in it Use the force keyword to suppress the prompting that confirms a deletion of each file in the directory You are prompted only once at the beginning of this deletion process Use the force and recursive keywords for deleting old software images that were ...

Page 874: ...s within the source directory to write to the new tar file If none are specified all files and directories at this level are written to the newly created tar file This example shows how to create a tar file This command writes the contents of the new configs directory on the local flash device to a file named saved tar on the TFTP server at 172 20 10 30 Switch archive tar create tftp 172 20 10 30 ...

Page 875: ...bytes cbs30x0 ipbase tar 122 44 SE html sorttable js 39742 bytes cbs30x0 ipbase tar 122 44 SE html setup_report htm 12461 bytes cbs30x0 ipbase tar 122 44 SE html empty htm 313 bytes This example shows how to display only the html directory and its contents Switch archive tar table flash cbs30x0 ipbase tar 122 44 SE html cbs30x0 ipbase tar 122 44 SE html directory cbs30x0 ipbase tar 122 44 SE html ...

Page 876: ...on on the local flash file system into which the tar file is extracted Use the dir file option to specify an optional list of files or directories within the tar file to be extracted If none are specified all files and directories are extracted This example shows how to extract the contents of a tar file located on the TFTP server at 172 20 10 30 This command extracts just the new configs director...

Page 877: ...ch you can change the relevant parts rather than recreating the whole file To load the same configuration commands on all the switches in your network so that all the switches have similar configurations You can copy upload configuration files from the switch to a file server by using TFTP FTP or RCP You might perform this task to back up a current configuration file to a server before changing it...

Page 878: ...erent IP address in a particular command than the existing configuration the IP address in the copied configuration is used However some commands in the existing configuration might not be replaced or negated In this case the resulting configuration file is a mixture of the existing configuration file and the copied configuration file with the copied configuration file having precedence To restore...

Page 879: ...r is properly configured On a Sun workstation make sure that the etc inetd conf file contains this line tftp dgram udp wait root usr etc in tftpd in tftpd p s tftpboot Make sure that the etc services file contains this line tftp 69 udp Note You must restart the inetd daemon after modifying the etc inetd conf and etc services files To restart the daemon either stop the inetd process and restart it ...

Page 880: ... are executed as the file is parsed line by line This example shows how to configure the software from the file tokyo confg at IP address 172 16 2 155 Switch copy tftp 172 16 2 155 tokyo confg system running config Configure using tokyo confg from 172 16 2 155 confirm y Booting tokyo confg from 172 16 2 155 OK 874 16000 bytes Uploading the Configuration File By Using TFTP To upload a configuration...

Page 881: ...commands to specify a username and password for all copies Include the username in the copy command if you want to specify only a username for that copy operation If the server has a directory structure the configuration file is written to or copied from the directory associated with the username on the server For example if the configuration file resides in the home directory of a user on the ser...

Page 882: ...commands on the switch Switch copy ftp netadmin1 mypass 172 16 101 101 host1 confg system running config Configure using host1 confg from 172 16 101 101 confirm Connected to 172 16 101 101 Loading 1112 byte file host1 confg OK Switch SYS 5 CONFIG Configured from host1 config by ftp from 172 16 101 101 Command Purpose Step 1 Verify that the FTP server is properly configured by referring to the Prep...

Page 883: ...nfiguration file by using FTP This example shows how to copy the running configuration file named switch2 confg to the netadmin1 directory on the remote host with an IP address of 172 16 101 101 Switch copy system running config ftp netadmin1 mypass 172 16 101 101 switch2 confg Write file switch2 confg on host 172 16 101 101 confirm Building configuration OK Connected to 172 16 101 101 Switch Comm...

Page 884: ...ile from one place to another you must have read permission on the source file and write permission on the destination file If the destination file does not exist RCP creates it for you The RCP requires a client to send a remote username with each RCP request to a server When you copy a configuration file from the switch to a server the Cisco IOS software sends the first valid username in this lis...

Page 885: ... through a Telnet session and you have a valid username this username is used and you do not need to set the RCP username Include the username in the copy command if you want to specify a username for only that copy operation When you upload a file to the RCP server it must be properly configured to accept the RCP write request from the user on the switch For UNIX systems you must add an entry to ...

Page 886: ...rcp nvram startup config Address of remote host 255 255 255 255 172 16 101 101 Name of configuration file rtr2 confg host2 confg Configure using host2 confg from 172 16 101 101 confirm Connected to 172 16 101 101 Loading 1112 byte file host2 confg OK OK Switch SYS 5 CONFIG_NV Non volatile store configured from host2 config by rcp from 172 16 101 101 Uploading a Configuration File By Using RCP Begi...

Page 887: ... switch with no startup configuration the switch enters the setup program so that you can reconfigure the switch with all new settings Clearing the Startup Configuration File To clear the contents of your startup configuration use the erase nvram or the erase startup config privileged EXEC command Caution You cannot restore the startup configuration file after it has been deleted Deleting a Stored...

Page 888: ... can save copies of the running configuration by using the copy running config destination url privileged EXEC command storing the replacement file either locally or remotely However this method lacks any automated file management The configuration replacement and rollback feature can automatically save copies of the running configuration to the configuration archive You use the archive config pri...

Page 889: ...ollback capability reverts to a specific configuration based on a saved configuration file If you want the configuration rollback capability you must first save the running configuration before making any configuration changes Then after entering configuration changes you can use that saved configuration file to roll back the changes by using the configure replace target url command You can specif...

Page 890: ...nd filename prefix for the files in the configuration archive Step 4 maximum number Optional Set the maximum number of archive files of the running configuration to be saved in the configuration archive number Maximum files of the running configuration file in the configuration archive Valid values are from 1 to 14 The default is 10 Note Before using this command you must first enter the path arch...

Page 891: ...hat is to replace the running configuration such as the configuration file created in Step 2 by using the archive config privileged EXEC command list Display a list of the command entries applied by the software parser during each pass of the configuration replacement operation The total number of passes also appears force Replace the running configuration file with the specified saved configurati...

Page 892: ...ase notes Image Location on the Switch The Cisco IOS image is stored as a bin file in a directory that shows the version number A subdirectory contains the files needed for web management The image is stored on the system board flash memory flash You can use the show version privileged EXEC command to see the software version that is currently running on your switch In the display check the line t...

Page 893: ...mand we recommend using the archive download sw and archive upload sw privileged EXEC commands to download and upload software image files These sections contain this configuration information Preparing to Download or Upload an Image File By Using TFTP page B 26 Downloading an Image File By Using TFTP page B 26 Uploading an Image File By Using TFTP page B 28 Table B 3 info File Description Field D...

Page 894: ...to the TFTP server by using the ping command Ensure that the image to be downloaded is in the correct directory on the TFTP server usually tftpboot on a UNIX workstation For download operations ensure that the permissions on the file are set correctly The permission on the file should be world read Before uploading the image file you might need to create an empty file on the TFTP server To create ...

Page 895: ...move it by entering the delete force recursive filesystem file url privileged EXEC command For filesystem use flash for the system board flash device For file url enter the directory name of the old image All the files in the directory and the directory are removed Caution For the download and upload algorithms to operate properly do not rename image names Step 3 archive download sw overwrite relo...

Page 896: ... image from the switch to an FTP server You download a switch image file from a server to upgrade the switch software You can overwrite the current image with the new one or keep the current image after a download You upload a switch image file to a server for backup purposes You can use this uploaded image for future downloads to the switch or another switch of the same type Note Instead of using...

Page 897: ...server If you are writing to the server the FTP server must be properly configured to accept the FTP write request from you Use the ip ftp username and ip ftp password commands to specify a username and password for all copies Include the username in the archive download sw or archive upload sw privileged EXEC command if you want to specify a username only for that operation If the server has a di...

Page 898: ... configure terminal Enter global configuration mode This step is required only if you override the default remote username or password see Steps 4 5 and 6 Step 4 ip ftp username username Optional Change the default remote username Step 5 ip ftp password password Optional Change the default password Step 6 end Return to privileged EXEC mode Step 7 archive download sw overwrite reload ftp username p...

Page 899: ... variable is updated to point to the newly installed image If you kept the old image during the download process you specified the leave old sw keyword you can remove it by entering the delete force recursive filesystem file url privileged EXEC command For filesystem use flash for the system board flash device For file url enter the directory name of the old software image All the files in the dir...

Page 900: ... properly configured by referring to the Preparing to Download or Upload a Configuration File By Using FTP section on page B 13 Step 2 Log into the switch through the console port or a Telnet session Step 3 configure terminal Enter global configuration mode This step is required only if you override the default remote username or password see Steps 4 5 and 6 Step 4 ip ftp username username Optiona...

Page 901: ... you will be copying files must support RCP The RCP copy commands rely on the rsh server or daemon on the remote system To copy files by using RCP you do not need to create a server for file distribution as you do with TFTP You only need to have access to a server that supports the remote shell rsh Most UNIX systems support rsh Because you are copying a file from one place to another you must have...

Page 902: ... archive download sw or archive upload sw privileged EXEC command if you want to specify a username only for that operation When you upload an image to the RCP to the server it must be properly configured to accept the RCP write request from the user on the switch For UNIX systems you must add an entry to the rhosts file for the remote user on the RCP server For example suppose the switch contains...

Page 903: ...ed image The reload option reloads the system after downloading the image unless the configuration has been changed and not been saved For username specify the username For the RCP copy request to execute successfully an account must be defined on the network server for the remote username For more information see the Preparing to Download or Upload an Image File By Using RCP section on page B 33 ...

Page 904: ...ment pages associated with the embedded device manager have been installed with the existing image Beginning in privileged EXEC mode follow these steps to upload an image to an RCP server Command Purpose Step 1 Verify that the RCP server is properly configured by referring to the Preparing to Download or Upload an Image File By Using RCP section on page B 33 Step 2 Log into the switch through the ...

Page 905: ...es Working with Software Images The archive upload sw privileged EXEC command builds an image file on the server by uploading these files in order info the Cisco IOS image and the web management files After these files are uploaded the upload algorithm creates the tar file format Caution For the download and upload algorithms to operate properly do not rename image names ...

Page 906: ... 38 Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide OL 8915 03 Appendix B Working with the Cisco IOS File System Configuration Files and Software Images Working with Software Images ...

Page 907: ...e feature and command mode Access Control Lists Unsupported Privileged EXEC Commands access enable host timeout minutes access template access list number name dynamic name source destination timeout minutes clear access template access list number name dynamic name source destination show access lists rate limit destination show accounting show ip accounting checkpoint output packets access viola...

Page 908: ...Commands archive config show archive config show archive log ARP Commands Unsupported Global Configuration Commands arp ip address hardware address smds arp ip address hardware address srp a arp ip address hardware address srp b Unsupported Interface Configuration Commands arp probe ip probe proxy Bootloader Commands Unsupported user EXEC Command verify Unsupported Global Configuration Command boo...

Page 909: ...cli redirection main debug platform configuration HSRP Unsupported Global Configuration Commands interface Async interface BVI interface Dialer interface Group Async interface Lex interface Multilink interface Virtual Template interface Virtual Tokenring Unsupported Interface Configuration Commands mtu standby mac refresh seconds standby use bia IGMP Snooping Commands Unsupported Global Configurat...

Page 910: ...nd transmit interface type number IP Unicast Routing Unsupported Privileged EXEC or User EXEC Commands clear ip accounting checkpoint debug ip cef stats show cef drop not cef switched show ip accounting checkpoint output packets access violations show ip prefix list regular expression Unsupported Global Configuration Commands ip accounting precedence input output ip accounting list ip address wild...

Page 911: ...erify ip unnumbered type number All ip security commands Unsupported Route Map Commands match route type set as path tag prepend as path string set automatic tag set dampening half life reuse suppress max suppress time set default interface interface id interface id set interface interface id interface id set ip default next hop ip address ip address set ip destination ip address mask set ip next ...

Page 912: ...ic show mac address table interface show mac address table multicast show mac address table notification show mac address table static show mac address table vlan show mac address table multicast Note Use the show ip igmp snooping groups privileged EXEC command to display Layer 2 multicast address table entries for a VLAN Unsupported Global Configuration Commands mac address table aging time mac a...

Page 913: ... stack mac persistent timer NetFlow Commands Unsupported Global Configuration Commands ip flow aggregation cache ip flow cache entries ip flow export Network Address Translation NAT Commands Unsupported Privileged EXEC Commands show ip nat statistics show ip nat translations QoS Unsupported Global Configuration Command priority list Unsupported Interface Configuration Commands priority group rate ...

Page 914: ...ation feature default line radius server attribute nas port radius server configure radius server extended portnames SNMP Unsupported Global Configuration Commands snmp server enable informs snmp server ifindex persist Spanning Tree Unsupported Global Configuration Command spanning tree pathcost method long short Unsupported Interface Configuration Command spanning tree stack port VLAN Unsupported...

Page 915: ... C Unsupported Commands in Cisco IOS Release 12 2 44 SE VTP Unsupported User EXEC Commands show running config vlan show vlan ifindex VTP Unsupported Privileged EXEC Command vtp password password pruning version number Note This command has been replaced by the vtp global configuration command ...

Page 916: ...C 10 Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide OL 8915 03 Appendix C Unsupported Commands in Cisco IOS Release 12 2 44 SE VTP ...

Page 917: ...33 with IEEE 802 1x 8 8 with RADIUS 7 28 with TACACS 7 11 7 17 ACEs and QoS 32 7 defined 31 2 Ethernet 31 2 IP 31 2 ACLs ACEs 31 2 any keyword 31 12 applying on routed packets 31 38 on switched packets 31 37 time ranges to 31 16 to an interface 31 19 37 6 to IPv6 interfaces 37 6 to QoS 32 7 classifying traffic for QoS 32 43 comments in 31 18 compiling 31 21 defined 31 1 31 7 examples of 31 21 32 4...

Page 918: ...4 router 31 2 37 1 router ACLs and VLAN map configuration guidelines 31 36 standard IP configuring for QoS classification 32 43 standard IPv4 creating 31 9 matching criteria 31 7 ACLs continued support for 1 7 support in hardware 31 21 time ranges 31 16 types supported 31 2 unsupported features IPv4 31 6 unsupported features IPv6 37 2 using router ACLs with VLAN maps 31 36 VLAN maps configuration ...

Page 919: ...anaging 5 27 asymmetrical links and IEEE 802 1Q tunneling 15 4 attributes RADIUS vendor proprietary 7 31 vendor specific 7 29 audience xxxv authentication HSRP 38 9 local mode with AAA 7 36 NTP associations 5 4 RADIUS key 7 21 login 7 23 TACACS defined 7 11 key 7 13 login 7 14 See also port based authentication authentication failed VLAN See restricted VLAN authentication keys and routing protocol...

Page 920: ...oping See DHCP snooping binding database blocking packets 23 8 Boolean expressions in tracked lists 38 14 booting boot loader function of 3 2 boot process 3 1 manually 3 19 specific image 3 19 boot loader accessing 3 20 described 3 2 environment variables 3 20 prompt 3 20 trap door mechanism 3 2 BPDU error disabled state 18 2 filtering 18 3 RSTP format 17 12 BPDU filtering described 18 3 disabling...

Page 921: ...warding See CEF Cisco Group Management Protocol See CGMP Cisco IOS DHCP server See DHCP Cisco IOS DHCP server Cisco IOS File System See IFS Cisco IOS IP SLAs 39 1 CiscoWorks 2000 1 3 30 4 CIST regional root See MSTP CIST root See MSTP civic location 25 2 classless routing 34 6 class maps for QoS configuring 32 46 described 32 7 displaying 32 78 class of service See CoS clearing interfaces 9 23 CLI...

Page 922: ...les archiving B 20 clearing the startup configuration B 19 creating using a text editor B 10 default name 3 18 deleting a stored configuration B 19 described B 9 downloading automatically 3 18 preparing B 11 B 13 B 17 reasons for B 9 using FTP B 14 using RCP B 17 using TFTP B 12 guidelines for creating and using B 10 guidelines for replacing and rolling back B 21 invalid combinations when copying ...

Page 923: ...re image Kerberos 7 32 SSH 7 37 SSL 7 41 D daylight saving time 5 13 debugging enabling all system diagnostics 40 15 enabling for a specific feature 40 15 redirecting error message output 40 16 using commands 40 14 default commands 2 4 default configuration 802 1x 8 20 auto QoS 32 21 banners 5 17 booting 3 18 CDP 24 2 DHCP 20 8 DHCP option 82 20 8 DHCP snooping 20 8 DHCP snooping binding database ...

Page 924: ... discovery protocol 24 1 25 1 device manager benefits 1 2 described 1 2 1 3 in band management 1 4 requirements xxxvi upgrading a switch B 23 DHCP Cisco IOS server database configuring 20 13 default configuration 20 8 described 20 6 enabling relay agent 20 10 server 20 10 DHCP based autoconfiguration client request message exchange 3 4 configuring client side 3 3 DNS 3 7 relay device 3 7 server si...

Page 925: ...ion guidelines 20 9 configuring 20 14 default configuration 20 8 deleting binding file 20 14 bindings 20 14 database agent 20 14 described 20 6 DHCP snooping binding database continued displaying 20 15 binding entries 20 15 status and statistics 20 15 enabling 20 14 entry 20 6 renewing database 20 14 resetting delay value 20 14 timeout value 20 14 DHCP snooping binding table See DHCP snooping bind...

Page 926: ...templates supporting 35 12 dual purpose uplink ports 9 6 dual purpose uplinks defined 9 6 setting the type 9 13 dynamic access ports characteristics 11 3 configuring 11 30 defined 9 3 dynamic addresses See addresses dynamic ARP inspection ARP cache poisoning 21 1 ARP requests described 21 1 ARP spoofing attack 21 1 clearing log buffer 21 15 statistics 21 15 configuration guidelines 21 6 configurin...

Page 927: ... 3 enable password 7 3 enable secret password 7 3 encryption CipherSuite 7 43 encryption for passwords 7 3 Enhanced IGRP See EIGRP enhanced object tracking commands 38 12 defined 38 12 HSRP 38 17 IP routing state 38 13 line protocol state 38 13 tracked lists 38 13 environment variables function of 3 21 equal cost routing 1 9 34 29 error disabled state BPDU 18 2 EKEY 9 3 error messages during comma...

Page 928: ...5 3 events RMON 28 3 examples conventions for xxxvi expedite queue for QoS 32 77 Express Setup 1 2 See also getting started guide extended crashinfo file 40 18 extended range VLANs configuration guidelines 11 13 configuring 11 12 creating 11 13 creating with an internal VLAN ID 11 15 defined 11 1 extended system ID MSTP 17 17 STP 16 4 16 14 extended universal identifier See EUI Extensible Authenti...

Page 929: ...ation 1 8 flowcharts QoS classification 32 6 QoS egress queueing and scheduling 32 17 QoS ingress queueing and scheduling 32 15 QoS policing and marking 32 10 flowcontrol configuring 9 17 described 9 17 forward delay time MSTP 17 23 STP 16 21 Forwarding Information Base See FIB FTP accessing MIB files A 3 configuration files downloading B 14 overview B 13 preparing the server B 13 uploading B 15 i...

Page 930: ...ring 38 11 object tracking 38 17 overview 38 1 priority 38 7 routing redundancy 1 9 support for ICMP redirect messages 38 11 timers 38 9 tracking 38 7 HTTP S Over IPv6 35 12 HTTP over SSL see HTTPS HTTPS 7 42 configuring 7 45 self signed certificate 7 42 HTTP secure server 7 42 I ICMP IPv6 35 4 redirect messages 34 10 support for 1 9 time exceeded messages 40 12 traceroute and 40 12 unreachable me...

Page 931: ...s 22 3 support for 1 2 IGMP filtering configuring 22 25 default configuration 22 25 described 22 24 monitoring 22 29 support for 1 3 IGMP groups configuring filtering 22 28 setting the maximum number 22 27 IGMP helper 1 3 IGMP Immediate Leave configuration guidelines 22 11 described 22 6 enabling 22 11 IGMP profile applying 22 27 configuration mode 22 25 configuring 22 26 IGMP snooping and address...

Page 932: ...nge macro command 9 10 interface types 9 7 Internet Control Message Protocol See ICMP Internet Protocol version 6 See IPv6 Inter Switch Link See ISL inter VLAN routing 1 9 34 2 Intrusion Detection System See IDS appliances inventory management TLV 25 6 IP ACLs for QoS classification 32 7 implicit deny 31 9 31 13 implicit masks 31 9 named 31 14 undefined 31 20 IP addresses 128 bit 35 2 classes of 3...

Page 933: ... 17 and port security 20 17 and private VLANs 20 17 and routed ports 20 16 and TCAM entries 20 17 and trunk interfaces 20 17 and VRF 20 17 IP source guard continued binding configuration automatic 20 15 manual 20 15 binding table 20 15 configuration guidelines 20 16 default configuration 20 16 described 20 15 disabling 20 18 displaying bindings 20 18 configuration 20 18 enabling 20 17 filtering so...

Page 934: ...34 14 with SVIs 34 3 See also EIGRP See also RIP IPv4 ACLs applying to interfaces 31 19 extended creating 31 10 named 31 14 standard creating 31 9 IPv4 and IPv6 differences 35 2 dual protocol stacks 35 10 IPv6 ACLs displaying 37 7 limitations 37 2 matching criteria 37 2 port 37 1 router 37 1 supported 37 2 addresses 35 2 address formats 35 2 advantages 35 2 applications 35 9 assigning address 35 1...

Page 935: ...ms 7 33 Kerberos continued TGT 7 34 tickets 7 32 key distribution center See KDC L l2protocol tunnel command 15 13 LACP Layer 2 protocol tunneling 15 9 See EtherChannel Layer 2 frames classification with CoS 32 2 Layer 2 interfaces default configuration 9 12 Layer 2 protocol tunneling configuring 15 10 configuring for EtherChannels 15 14 default configuration 15 11 defined 15 8 guidelines 15 12 La...

Page 936: ... holdtime setting 25 4 LLDP MED configuring 25 3 tlvs 25 6 monitoring and maintaining 25 7 overview 25 1 25 2 supported tlvs 25 2 LLDP Media Endpoint Discovery See LLDP MED load balancing 38 3 local SPAN 27 2 location TLV 25 2 25 6 logging messages ACL 31 8 login authentication with RADIUS 7 23 with TACACS 7 14 login banners 5 17 log messages See system message logging loop guard described 18 9 en...

Page 937: ...nfiguring CoS to DSCP 32 60 DSCP 32 60 DSCP to CoS 32 63 DSCP to DSCP mutation 32 64 IP precedence to DSCP 32 61 policed DSCP 32 62 described 32 12 marking action in policy map 32 48 action with aggregate policers 32 58 described 32 4 32 8 matching IPv6 ACLs 37 2 matching IPv4 ACLs 31 7 maximum aging time MSTP 17 23 STP 16 21 maximum hop count MSTP 17 24 maximum paths command 34 29 membership mode...

Page 938: ...n 23 20 tunneling 15 18 VLAN filters 31 39 maps 31 39 VLANs 11 16 VMPS 11 32 VTP 12 16 more 8 44 MSTP boundary ports configuration guidelines 17 15 described 17 6 BPDU filtering described 18 3 enabling 18 12 BPDU guard described 18 2 enabling 18 11 CIST described 17 3 CIST regional root 17 3 CIST root 17 5 configuration guidelines 17 15 18 10 configuring forward delay time 17 23 hello time 17 22 l...

Page 939: ...res supported 1 5 overview 17 2 Port Fast described 18 2 enabling 18 10 preventing root switch selection 18 8 MSTP continued root guard described 18 8 enabling 18 15 root switch configuring 17 17 effects of extended system ID 17 17 unexpected behavior 17 17 shutdown Port Fast enabled port 18 2 status displaying 17 26 multicast groups Immediate Leave 22 6 joining 22 3 leaving 22 5 static joins 22 1...

Page 940: ... examples increasing network performance 1 13 providing network services 1 13 server aggregation and Linux server cluster 1 15 network design performance 1 13 services 1 13 network management CDP 24 1 RMON 28 1 SNMP 30 1 network performance measuring with IP SLAs 39 3 network policy TLV 25 6 Network Time Protocol See NTP no commands 2 4 nonhierarchical policy maps configuration guidelines 32 33 co...

Page 941: ...g recovery of 7 5 encrypting 7 3 for security 1 6 overview 7 1 recovery of 40 3 passwords continued setting enable 7 3 enable secret 7 3 Telnet 7 6 with usernames 7 6 VTP domain 12 8 path cost MSTP 17 20 STP 16 18 percentage thresholds in tracked lists 38 16 performance network design 1 13 performance features 1 2 persistent self signed certificate 7 42 per VLAN spanning tree plus See PVST physica...

Page 942: ...al re authentication of a client 8 30 periodic re authentication 8 29 quiet period 8 30 RADIUS server 8 28 port based authentication continued configuring continued RADIUS server parameters on the switch 8 27 restricted VLAN 8 35 switch to client frame retransmission number 8 32 switch to client retransmission time 8 31 default configuration 8 20 described 8 1 device roles 8 2 displaying statistic...

Page 943: ... mode spanning tree 11 29 support for 1 5 port membership modes VLAN 11 3 port priority MSTP 17 19 STP 16 16 ports access 9 3 blocking 23 8 dual purpose uplink 9 6 dynamic access 11 3 IEEE 802 1Q tunnel 11 4 protected 23 6 routed 9 4 secure 23 9 static access 11 3 11 11 switch 9 2 trunks 11 3 11 16 VLAN assignments 11 11 port security aging 23 17 and private VLANs 23 19 and QoS trusted boundary 32...

Page 944: ... ports 14 2 secondary VLANs 14 2 subdomains 14 1 traffic in 14 5 privileged EXEC mode 2 2 privilege levels changing the default for lines 7 9 exiting 7 9 logging into 7 9 overview 7 2 7 7 setting a command with 7 8 promiscuous ports configuring 14 12 defined 14 2 protected ports 1 7 23 6 Protocol Independent Multicast Protocol See PIM proxy ARP configuring 34 9 definition 34 7 with IP routing disa...

Page 945: ...ansparency 32 40 DSCP trust states bordering another domain 32 40 QoS continued configuring continued egress queue characteristics 32 70 ingress queue characteristics 32 66 IP extended ACLs 32 44 IP standard ACLs 32 43 MAC ACLs 32 45 policy maps hierarchical 32 52 policy maps on physical ports 32 48 port trust states within the domain 32 36 trusted boundary 32 38 default auto configuration 32 21 d...

Page 946: ...ket modification 32 19 policers configuring 32 50 32 55 32 58 described 32 8 displaying 32 78 number of 32 34 types of 32 9 policies attaching to an interface 32 8 policing described 32 4 32 8 token bucket algorithm 32 9 QoS continued policy maps characteristics of 32 48 displaying 32 79 hierarchical 32 8 hierarchical on SVIs 32 52 nonhierarchical on physical ports 32 48 QoS label defined 32 4 que...

Page 947: ... 7 RCP configuration files downloading B 17 overview B 16 preparing the server B 17 uploading B 18 image files deleting old image B 36 downloading B 34 preparing the server B 33 uploading B 36 readiness check port based authentication configuring 8 24 described 8 9 8 24 reconfirmation interval VMPS changing 11 31 reconfirming dynamic VLAN membership 11 31 recovery procedures 40 1 redundancy EtherC...

Page 948: ...ing 34 19 default configuration 34 18 described 34 17 hop counts 34 17 split horizon 34 21 summary addresses 34 21 support for 1 9 RMON default configuration 28 3 displaying status 28 6 enabling alarms and events 28 3 groups supported 28 2 overview 28 1 statistics collecting group Ethernet 28 5 collecting group history 28 5 support for 1 10 root guard described 18 8 enabling 18 15 support for 1 5 ...

Page 949: ...nges 17 13 overview 17 8 port roles described 17 9 synchronized 17 11 proposal agreement handshake process 17 10 rapid convergence described 17 10 edge ports and Port Fast 17 10 point to point links 17 10 17 24 root ports 17 10 root port defined 17 9 See also MSTP running configuration replacing B 20 rolling back B 20 B 21 running configuration saving 3 15 S scheduled reloads 3 21 SCP and SSH 7 48...

Page 950: ...atform forward command 40 16 show running config command displaying ACLs 31 19 31 20 31 30 31 33 interface description in 9 19 shutdown command on interfaces 9 24 shutdown threshold for Layer 2 protocol packets 15 11 Simple Network Management Protocol See SNMP small frame arrival rate configuring 23 5 Smartports macros applying Cisco default macros 10 6 applying global parameter values 10 5 10 6 a...

Page 951: ...ding EtherChannel 33 7 source and destination MAC address forwarding EtherChannel 33 6 source IP address based forwarding EtherChannel 33 7 source MAC address forwarding EtherChannel 33 6 SPAN configuration guidelines 27 10 default configuration 27 9 destination ports 27 7 displaying status 27 23 interaction with other features 27 8 monitored ports 27 5 monitoring ports 27 7 overview 1 10 27 1 por...

Page 952: ...ration 3 18 static access ports assigning to VLAN 11 11 defined 9 3 11 3 static addresses See addresses static IP routing 1 9 static MAC addressing 1 7 static routes configuring for IPv6 35 16 static routes configuring 34 30 static routing 34 2 static VLAN membership 11 2 statistics 802 1x 8 45 CDP 24 5 interface 9 23 LLDP 25 7 LLDP MED 25 7 QoS ingress and egress 32 78 RMON group Ethernet 28 5 RM...

Page 953: ...cted behavior 16 14 features supported 1 5 IEEE 802 1D and bridge ID 16 4 IEEE 802 1D and multicast addresses 16 8 IEEE 802 1t and VLAN identifier 16 4 inferior BPDU 16 3 instances supported 16 9 interface state blocking to forwarding 18 2 STP continued interface states blocking 16 5 disabled 16 7 forwarding 16 5 16 6 learning 16 6 listening 16 6 overview 16 4 interoperability and compatibility am...

Page 954: ...See SPAN switched ports 9 2 switchport block multicast command 23 8 switchport block unicast command 23 8 switchport command 9 12 switchport mode dot1q tunnel command 15 6 switchport protected command 23 7 switch priority MSTP 17 21 STP 16 19 switch software features 1 1 switch virtual interface See SVI syslog See system message logging Syslog Over IPv6 35 11 system clock configuring daylight savi...

Page 955: ...ion of 7 12 overview 7 10 support for 1 8 tracking services accessed by user 7 17 tagged packets IEEE 802 1Q 15 3 Layer 2 protocol 15 8 tar files creating B 6 displaying the contents of B 6 extracting B 8 image file format B 24 TDR 1 10 Telnet accessing management interfaces 2 10 number of connections 1 4 setting a password 7 6 templates SDM 6 1 temporary self signed certificate 7 42 Terminal Acce...

Page 956: ...ed IPv6 37 2 unfragmented 31 5 traffic policing 1 9 traffic suppression 23 1 transmit hold count see STP transparent mode VTP 12 3 12 12 trap door mechanism 3 2 traps configuring MAC address notification 5 22 configuring managers 30 11 defined 30 3 enabling 5 22 30 11 notification types 30 11 overview 30 1 30 4 troubleshooting connectivity problems 40 9 40 10 40 12 detecting unidirectional links 2...

Page 957: ... 15 10 link detection mechanism 26 1 neighbor database 26 2 overview 26 1 resetting an interface 26 6 UDLD continued status displaying 26 6 support for 1 5 UDP configuring 34 14 unauthorized ports with IEEE 802 1x 8 7 unicast MAC address filtering 1 4 and adding static addresses 5 25 and broadcast MAC addresses 5 25 and CPU packets 5 25 and multicast addresses 5 25 and router MAC addresses 5 25 co...

Page 958: ...5 27 VLAN load balancing on flex links 19 2 configuration guidelines 19 5 VLAN management domain 12 2 VLAN Management Policy Server See VMPS VLAN map entries order of 31 29 VLAN maps applying 31 33 common uses for 31 33 configuration guidelines 31 29 configuring 31 28 creating 31 30 defined 31 2 denying access to a server example 31 35 denying and permitting packets 31 31 displaying 31 39 examples...

Page 959: ...pping MAC addresses to VLANs 11 28 monitoring 11 32 VMPS continued reconfirmation interval changing 11 31 reconfirming membership 11 31 retry count changing 11 32 voice aware 802 1x security port based authentication configuring 8 25 described 8 18 8 25 voice over IP 13 1 voice VLAN Cisco 7960 phone port connections 13 1 configuration guidelines 13 3 configuring IP phones for data traffic override...

Page 960: ...ing 12 16 passwords 12 8 pruning disabling 12 14 enabling 12 14 examples 12 5 overview 12 4 support for 1 6 pruning eligible list changing 11 23 server mode configuring 12 9 statistics 12 16 support for 1 6 Token Ring support 12 4 transparent mode configuring 12 12 using 12 1 version guidelines 12 8 Version 1 12 4 VTP continued Version 2 configuration guidelines 12 8 disabling 12 13 enabling 12 13...

Reviews:

No comments

Related manuals for 3020 - Cisco Catalyst Blade Switch

X-Micro WLAN 11g User Manual preview
WLAN 11g
Brand: X-Micro Pages: 74
E-TOP BR486n User Manual preview
BR486n
Brand: E-TOP Pages: 76
Tripp Lite N48M Series Installation Manual preview
N48M Series
Brand: Tripp Lite Pages: 20
Accusys ACS-76500 Owner'S Manual preview
ACS-76500
Brand: Accusys Pages: 34
Industrex M43ic Instruction Manual preview
M43ic
Brand: Industrex Pages: 51
TP-Link tl-wr845n Quick Installation Manual preview
tl-wr845n
Brand: TP-Link Pages: 2
Riverbed SteelCentral NetExpress Installation Manual preview
SteelCentral NetExpress
Brand: Riverbed Pages: 38
IDT Digital Encoder Plus User Manual preview
Digital Encoder Plus
Brand: IDT Pages: 98
RANA Systems RanaSystems 13-0010--001 User Manual preview
RanaSystems 13-0010--001
Brand: RANA Systems Pages: 328
SYNTEK STA-UI-A0035 User Manual preview
STA-UI-A0035
Brand: SYNTEK Pages: 41
AXAGO PCEU-43R Quick Installation Manual preview
PCEU-43R
Brand: AXAGO Pages: 2
Hama 00176547 Operating Instruction preview
00176547
Brand: Hama Pages: 25
Infoblox Infoblox-250 Installation Manual preview
Infoblox-250
Brand: Infoblox Pages: 16
Xtreme SNMP-1PMINI User & Installation Manual preview
SNMP-1PMINI
Brand: Xtreme Pages: 83
Vacron VDH-NK300 Hardware Manual preview
VDH-NK300
Brand: Vacron Pages: 16
Broadband Products D-Link DSL-2640U Quick Installation Manual preview
D-Link DSL-2640U
Brand: Broadband Products Pages: 12
Alcatel-Lucent 1353 Brochure preview
1353
Brand: Alcatel-Lucent Pages: 12
ZyXEL Communications P-660R-TX V3 Support Notes preview
P-660R-TX V3
Brand: ZyXEL Communications Pages: 66

Brands by name

Popular brands

Load more brands