manualshive.com logo in svg

Cisco 3560 - Rfcatalyst - Poe Si, Software Configuration Manual

The Cisco 3560 - Rfcatalyst - Poe Si is a cutting-edge networking product that offers seamless connectivity and power efficiency. Running on advanced software, it ensures optimal performance for your network. To maximize its potential, download the free Software Configuration Manual from manualshive.com and unlock its limitless possibilities today.

Share
Download
background image

 

27-6

Catalyst 3560 Switch Software Configuration Guide

78-16156-01

Chapter 27      Configuring Network Security with ACLs

Configuring IP ACLs

Because the first fragment was denied, host 10.1.1.2 cannot reassemble a complete packet, so packet 
B is effectively denied. However, the later fragments that are permitted will consume bandwidth on 
the network and resources of host 10.1.1.2 as it tries to reassemble the packet.

Fragmented packet C is from host 10.2.2.2, port 65001, going to host 10.1.1.3, port ftp. If this packet 
is fragmented, the first fragment matches the fourth ACE (a deny). All other fragments also match 
the fourth ACE because that ACE does not check any Layer 4 information and because Layer 3 
information in all fragments shows that they are being sent to host 10.1.1.3, and the earlier permit 
ACEs were checking different hosts.

Configuring IP ACLs

Configuring IP ACLs on the switch is the same as configuring IP ACLs on other Cisco switches and 
routers. The process is briefly described here. For more detailed information on configuring ACLs, refer 
to the “Configuring IP Services” chapter in the Cisco IP and IP Routing Configuration Guide for IOS 
Release 12.1. For detailed information about the commands, refer to Cisco IOS IP and IP Routing 
Command Reference for IOS Release 12.1. 

The switch does not support these Cisco IOS router ACL-related features:

Non-IP protocol ACLs (see 

Table 27-1 on page 27-7

) or bridge-group ACLs

IP accounting

Inbound and outbound rate limiting (except with QoS ACLs)

Reflexive ACLs or dynamic ACLs (except for some specialized dynamic ACLs used by the switch 
clustering feature)

ACL logging for port ACLs and VLAN maps

These are the steps to use IP ACLs on the switch:

Step 1

Create an ACL by specifying an access list number or name and access conditions.

Step 2

Apply the ACL to interfaces or terminal lines. You can also apply standard and extended IP ACLs to 
VLAN maps.

This section includes the following information:

Creating Standard and Extended IP ACLs, page 27-7

Applying an IP ACL to a Terminal Line, page 27-18

Applying an IP ACL to an Interface, page 27-19

Hardware and Software Treatment of IP ACLs, page 27-21

IP ACL Configuration Examples, page 27-21

Summary of Contents for 3560 - Rfcatalyst - Poe Si

Page 1: ...Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 526 4100 Catalyst 3560 Switch Software Configuration Guide Cisco IOS Release 12 1 19 EA1 January 2004 Customer Order Number DOC 7816156 Text Part Number 78 16156 01 ...

Page 2: ...UENTIAL OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES CCIP CCSP the Cisco Arrow logo the Cisco Powered Network mark Cisco Unity Follow Me Browsing FormShare and StackWise are trademarks of Cisco Systems Inc Changing t...

Page 3: ...ublications and Information xxxviii C H A P T E R 1 Overview 1 1 Features 1 1 Default Settings After Initial Switch Configuration 1 9 Network Configuration Examples 1 11 Design Concepts for Using the Switch 1 11 Small to Medium Sized Network Using Catalyst 3560 Switches 1 13 Large Network Using Catalyst 3560 Switches 1 14 Long Distance High Bandwidth Transport Configuration 1 16 Where to Go Next 1...

Page 4: ... or through Telnet 2 9 Accessing the CLI from a Browser 2 9 C H A P T E R 3 Getting Started with CMS 3 1 Understanding CMS 3 1 Front Panel View 3 2 Topology View 3 2 CMS Menu Bar Toolbar and Feature Bar 3 2 Online Help 3 5 Configuration Modes 3 5 Guide Mode 3 5 Expert Mode 3 6 Wizards 3 6 Privilege Levels 3 7 Access to Older Switches In a Cluster 3 7 Configuring CMS 3 8 CMS Requirements 3 8 Minimu...

Page 5: ...iguring the DHCP Server 4 5 Configuring the TFTP Server 4 5 Configuring the DNS 4 6 Configuring the Relay Device 4 6 Obtaining Configuration Files 4 7 Example Configuration 4 8 Manually Assigning IP Information 4 9 Checking and Saving the Running Configuration 4 10 Modifying the Startup Configuration 4 11 Default Boot Configuration 4 12 Automatically Downloading a Configuration File 4 12 Specifyin...

Page 6: ...7 Discovery Through Routed Ports 5 8 Discovery of Newly Installed Switches 5 9 HSRP and Standby Cluster Command Switches 5 10 Virtual IP Addresses 5 11 Other Considerations for Cluster Standby Groups 5 11 Automatic Recovery of Cluster Configuration 5 12 IP Addresses 5 13 Host Names 5 13 Passwords 5 14 SNMP Community Strings 5 14 TACACS and RADIUS 5 14 Access Modes in CMS 5 15 LRE Profiles 5 15 Ava...

Page 7: ...laying the Time and Date Configuration 6 12 Configuring the Time Zone 6 12 Configuring Summer Time Daylight Saving Time 6 13 Configuring a System Name and Prompt 6 15 Default System Name and Prompt Configuration 6 15 Configuring a System Name 6 15 Configuring a System Prompt 6 16 Understanding DNS 6 16 Default DNS Configuration 6 17 Setting Up DNS 6 17 Displaying the DNS Configuration 6 18 Creatin...

Page 8: ... Level Configuration 8 2 Setting or Changing a Static Enable Password 8 3 Protecting Enable and Enable Secret Passwords with Encryption 8 4 Disabling Password Recovery 8 5 Setting a Telnet Password for a Terminal Line 8 6 Configuring Username and Password Pairs 8 7 Configuring Multiple Privilege Levels 8 8 Setting the Privilege Level for a Command 8 8 Changing the Default Privilege Level for Lines...

Page 9: ...ing Switch Access with Kerberos 8 32 Understanding Kerberos 8 32 Kerberos Operation 8 34 Authenticating to a Boundary Switch 8 35 Obtaining a TGT from a KDC 8 35 Authenticating to Network Services 8 35 Configuring Kerberos 8 36 Configuring the Switch for Local Authentication and Authorization 8 36 Configuring the Switch for Secure Shell 8 37 Understanding SSH 8 38 SSH Servers Integrated Clients an...

Page 10: ...nsmission Number 9 16 Configuring the Host Mode 9 17 Configuring a Guest VLAN 9 18 Resetting the 802 1X Configuration to the Default Values 9 18 Displaying 802 1X Statistics and Status 9 19 C H A P T E R 10 Configuring Interface Characteristics 10 1 Understanding Interface Types 10 1 Port Based VLANs 10 2 Switch Ports 10 2 Access Ports 10 2 Trunk Ports 10 3 Routed Ports 10 3 Switch Virtual Interfa...

Page 11: ...ing SmartPort Macros 11 1 Configuring Smart Port Macros 11 2 Default SmartPort Macro Configuration 11 2 SmartPort Macro Configuration Guidelines 11 2 Creating and Applying SmartPort Macros 11 3 Displaying SmartPort Macros 11 4 C H A P T E R 12 Configuring VLANs 12 1 Understanding VLANs 12 1 Supported VLANs 12 3 VLAN Port Membership Modes 12 3 Configuring Normal Range VLANs 12 4 Token Ring VLANs 12...

Page 12: ... Trunk Port 12 20 Defining the Allowed VLANs on a Trunk 12 21 Changing the Pruning Eligible List 12 22 Configuring the Native VLAN for Untagged Traffic 12 23 Configuring Trunk Ports for Load Sharing 12 24 Load Sharing Using STP Port Priorities 12 24 Load Sharing Using STP Path Cost 12 26 Configuring VMPS 12 27 Understanding VMPS 12 27 Dynamic Access Port VLAN Membership 12 28 Default VMPS Client C...

Page 13: ...ersion 13 9 Configuration Requirements 13 9 Configuring a VTP Server 13 9 Configuring a VTP Client 13 11 Disabling VTP VTP Transparent Mode 13 12 Enabling VTP Version 2 13 13 Enabling VTP Pruning 13 13 Adding a VTP Client Switch to a VTP Domain 13 14 Monitoring VTP 13 15 C H A P T E R 14 Configuring Voice VLAN 14 1 Understanding Voice VLAN 14 1 Cisco IP Phone Voice Traffic 14 2 Cisco IP Phone Data...

Page 14: ...ning Tree Modes and Protocols 15 9 Supported Spanning Tree Instances 15 9 Spanning Tree Interoperability and Backward Compatibility 15 10 STP and IEEE 802 1Q Trunks 15 10 VLAN Bridge Spanning Tree 15 11 Configuring Spanning Tree Features 15 11 Default Spanning Tree Configuration 15 11 Spanning Tree Configuration Guidelines 15 12 Changing the Spanning Tree Mode 15 13 Disabling Spanning Tree 15 14 C...

Page 15: ...eatures 16 11 Default MSTP Configuration 16 12 MSTP Configuration Guidelines 16 12 Specifying the MST Region Configuration and Enabling MSTP 16 13 Configuring the Root Switch 16 14 Configuring a Secondary Root Switch 16 16 Configuring Port Priority 16 17 Configuring Path Cost 16 18 Configuring the Switch Priority 16 19 Configuring the Hello Time 16 19 Configuring the Forwarding Delay Time 16 20 Co...

Page 16: ...g Tree Status 17 15 C H A P T E R 18 Configuring DHCP Features 18 1 Understanding DHCP Features 18 1 DHCP Snooping 18 1 Option 82 Data Insertion 18 2 Configuring DHCP Features 18 3 Default DHCP Configuration 18 3 DHCP Snooping Configuration Guidelines 18 3 Enabling DHCP Snooping and Option 82 18 4 Displaying DHCP Information 18 5 Displaying a Binding Table 18 5 Displaying the DHCP Snooping Configu...

Page 17: ...ering and Throttling Configuration 19 21 Configuring IGMP Profiles 19 22 Applying IGMP Profiles 19 23 Setting the Maximum Number of IGMP Groups 19 24 Configuring the IGMP Throttling Action 19 24 Displaying IGMP Filtering and Throttling Configuration 19 26 C H A P T E R 20 Configuring Port Based Traffic Control 20 1 Configuring Storm Control 20 1 Understanding Storm Control 20 2 Default Storm Contr...

Page 18: ...DP on an Interface 21 4 Monitoring and Maintaining CDP 21 5 C H A P T E R 22 Configuring UDLD 22 1 Understanding UDLD 22 1 Modes of Operation 22 1 Methods to Detect Unidirectional Links 22 2 Configuring UDLD 22 4 Default UDLD Configuration 22 4 Configuration Guidelines 22 4 Enabling UDLD Globally 22 5 Enabling UDLD on an Interface 22 6 Resetting an Interface Disabled by UDLD 22 6 Displaying UDLD S...

Page 19: ...gress Traffic 23 20 Specifying VLANs to Filter 23 22 Displaying SPAN and RSPAN Status 23 23 C H A P T E R 24 Configuring RMON 24 1 Understanding RMON 24 1 Configuring RMON 24 2 Default RMON Configuration 24 3 Configuring RMON Alarms and Events 24 3 Collecting Group History Statistics on an Interface 24 5 Collecting Group Ethernet Statistics on an Interface 24 6 Displaying RMON Status 24 6 C H A P ...

Page 20: ...ect Values 26 6 Configuring SNMP 26 6 Default SNMP Configuration 26 7 SNMP Configuration Guidelines 26 7 Disabling the SNMP Agent 26 8 Configuring Community Strings 26 8 Configuring SNMP Groups and Users 26 9 Configuring SNMP Notifications 26 11 Setting the Agent Contact and Location Information 26 14 Limiting TFTP Servers Used Through SNMP 26 15 SNMP Examples 26 15 Displaying SNMP Status 26 16 C ...

Page 21: ...28 Configuring VLAN Maps 27 29 VLAN Map Configuration Guidelines 27 29 Creating a VLAN Map 27 30 Examples of ACLs and VLAN Maps 27 31 Applying a VLAN Map to a VLAN 27 33 Using VLAN Maps in Your Network 27 33 Wiring Closet Configuration 27 33 Denying Access to a Server on Another VLAN 27 35 Using VLAN Maps with Router ACLs 27 36 Guidelines 27 36 Examples of Router ACLs and VLAN Maps Applied to VLAN...

Page 22: ... 28 Default Mapping Table Configuration 28 28 Standard QoS Configuration Guidelines 28 29 Enabling QoS Globally 28 30 Configuring Classification Using Port Trust States 28 30 Configuring the Trust State on Ports within the QoS Domain 28 31 Configuring the CoS Value for an Interface 28 33 Configuring a Trusted Boundary to Ensure Port Security 28 34 Configuring the DSCP Trust State on a Port Borderi...

Page 23: ...ss Interface 28 63 Displaying Standard QoS Information 28 64 C H A P T E R 29 Configuring EtherChannels 29 1 Understanding EtherChannels 29 1 EtherChannel Overview 29 2 Port Channel Interfaces 29 3 Port Aggregation Protocol 29 4 PAgP Modes 29 4 PAgP Interaction with Other Features 29 5 Link Aggregation Control Protocol 29 5 LACP Modes 29 6 LACP Interaction with Other Features 29 6 Load Balancing a...

Page 24: ...Broadcast Packet Handling 30 13 Enabling Directed Broadcast to Physical Broadcast Translation 30 13 Forwarding UDP Broadcast Packets and Protocols 30 14 Establishing an IP Broadcast Address 30 15 Flooding IP Broadcasts 30 16 Monitoring and Maintaining IP Addressing 30 17 Enabling IP Unicast Routing 30 18 Configuring RIP 30 19 Default RIP Configuration 30 19 Configuring Basic RIP Parameters 30 20 C...

Page 25: ... BGP Filtering with Route Maps 30 52 Configuring BGP Filtering by Neighbor 30 53 Configuring Prefix Lists for BGP Filtering 30 54 Configuring BGP Community Filtering 30 55 Configuring BGP Neighbors and Peer Groups 30 57 Configuring Aggregate Addresses 30 59 Configuring Routing Domain Confederations 30 59 Configuring BGP Route Reflectors 30 60 Configuring Route Dampening 30 61 Monitoring and Mainta...

Page 26: ...ority 31 6 Configuring HSRP Authentication and Timers 31 8 Configuring HSRP Groups and Clustering 31 9 Displaying HSRP Configurations 31 10 C H A P T E R 32 Configuring IP Multicast Routing 32 1 Understanding Cisco s Implementation of IP Multicast Routing 32 2 Understanding IGMP 32 2 IGMP Version 1 32 3 IGMP Version 2 32 3 Understanding PIM 32 3 PIM Versions 32 4 PIM Modes 32 4 Auto RP 32 5 Bootst...

Page 27: ...Query Message Interval 32 29 Changing the IGMP Query Timeout for IGMPv2 32 30 Changing the Maximum Query Response Time for IGMPv2 32 30 Configuring the Switch as a Statically Connected Member 32 31 Configuring Optional Multicast Routing Features 32 31 Enabling CGMP Server Support 32 32 Configuring sdr Listener Support 32 33 Enabling sdr Listener Support 32 33 Limiting How Long an sdr Cache Entry E...

Page 28: ... Sources 33 9 Filtering Source Active Request Messages 33 11 Controlling Source Information that Your Switch Forwards 33 12 Using a Filter 33 12 Using TTL to Limit the Multicast Data Sent in SA Messages 33 14 Controlling Source Information that Your Switch Receives 33 14 Configuring an MSDP Mesh Group 33 16 Shutting Down an MSDP Peer 33 16 Including a Bordering PIM Dense Mode Region in MSDP 33 17 ...

Page 29: ...ing a Failed Command Switch with Another Switch 35 10 Recovering from Lost Cluster Member Connectivity 35 11 Preventing Autonegotiation Mismatches 35 12 Troubleshooting Power over Ethernet Switch Ports 35 12 SFP Module Security and Identification 35 12 Using Ping 35 13 Understanding Ping 35 13 Executing Ping 35 13 Using Layer 2 Traceroute 35 14 Understanding Layer 2 Traceroute 35 14 Usage Guidelin...

Page 30: ...nfiguration Files B 8 Guidelines for Creating and Using Configuration Files B 9 Configuration File Types and Location B 9 Creating a Configuration File By Using a Text Editor B 10 Copying Configuration Files By Using TFTP B 10 Preparing to Download or Upload a Configuration File By Using TFTP B 10 Downloading the Configuration File By Using TFTP B 11 Uploading the Configuration File By Using TFTP ...

Page 31: ...n Image File By Using RCP B 31 Uploading an Image File By Using RCP B 33 A P P E N D I X C Unsupported Commands in Cisco IOS Release 12 1 19 EA1 C 1 Access Control Lists C 1 Unsupported Privileged EXEC Commands C 1 Unsupported Global Configuration Commands C 1 ARP Commands C 2 Unsupported Global Configuration Commands C 2 Unsupported Interface Configuration Commands C 2 Unsupported Debug Commands ...

Page 32: ...Commands C 8 MSDP C 9 Unsupported Privileged EXEC Commands C 9 Unsupported Global Configuration Commands C 9 Network Address Translation NAT Commands C 9 Unsupported User EXEC Commands C 9 Unsupported Global Configuration Commands C 9 Unsupported Interface Configuration Commands C 9 RADIUS C 10 Unsupported Global Configuration Commands C 10 SNMP C 10 Unsupported Global Configuration Commands C 10 ...

Page 33: ...ing the commands that have been created or changed for use with the Catalyst 3560 switch It does not provide detailed information about these commands For detailed information about these commands refer to the Catalyst 3560 Switch Command Reference for this release For information about the standard Cisco IOS Release 12 1 commands refer to the Cisco IOS documentation set available from the Cisco c...

Page 34: ...thin an optional element Interactive examples use these conventions Terminal sessions and system displays are in screen font Information you enter is in boldface screen font Nonprinting characters such as passwords or tabs are in angle brackets Notes cautions and timesavers use these conventions and symbols Note Means reader take note Notes contain helpful suggestions or references to materials no...

Page 35: ...n section on page xxxvi Release Notes for the Catalyst 3560 Switch not orderable but available on Cisco com Catalyst 3560 Switch Software Configuration Guide order number DOC 7816156 Catalyst 3560 Switch Command Reference order number DOC 7816155 Catalyst 3560 Switch System Message Guide order number DOC 7816154 Cluster Management Suite CMS online help available only from the switch CMS software C...

Page 36: ...cumentation in these ways Registered Cisco com users Cisco direct customers can order Cisco product documentation from the Networking Products MarketPlace http www cisco com en US partner ordering index shtml Nonregistered Cisco com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters California USA at 408 526 7208 or elsewhere in Nor...

Page 37: ...y degraded or if you do not have Internet access contact Cisco TAC by telephone Cisco TAC engineers are assigned immediately to P1 and P2 cases to help keep your business operations running smoothly To open a case by telephone use one of the following numbers Asia Pacific 61 2 8446 7411 Australia 1 800 805 227 EMEA 32 2 704 55 55 USA 1 800 553 2447 For a complete listing of Cisco TAC contacts go t...

Page 38: ... technology breakthroughs and Cisco products and solutions to help industry professionals get the most from their networking investment Included are networking deployment and troubleshooting tips configuration examples customer case studies tutorials and training certification information and links to numerous in depth online resources You can access Packet magazine at this URL http www cisco com ...

Page 39: ...led can be upgraded to the EMI Enhanced multilayer image EMI which provides a richer set of enterprise class intelligent services It includes all SMI features plus full Layer 3 routing IP unicast routing IP multicast routing and fallback bridging To distinguish it from the Layer 2 static routing and RIP the EMI includes protocols such as the Enhanced Interior Gateway Routing Protocol EIGRP and the...

Page 40: ...etwork Cluster Management Suite CMS graphical user interface GUI for Simplifying and minimizing switch and switch cluster management through a supported web browser from anywhere in your intranet Accomplishing multiple configuration tasks from a single CMS window without needing to remember command line interface CLI commands to accomplish specific tasks Interactive guide mode that guides you in c...

Page 41: ... providing up to 8 Gbps Gigabit EtherChannel or 800 Mbps Fast EtherChannel full duplex of bandwidth between switches routers and servers Port Aggregation Protocol PAgP and Link Aggregation Control Protocol LACP for automatic creation of EtherChannel links Forwarding of Layer 2 and Layer 3 packets at Gigabit line rate Per port storm control for preventing broadcast multicast and unicast storms Port...

Page 42: ...tion such as IP address default gateway host name and Domain Name System DNS and Trivial File Transfer Protocol TFTP server names DHCP relay for forwarding User Datagram Protocol UDP broadcasts including IP address requests from DHCP clients DHCP server for automatic assignment of IP addresses and other DHCP options to IP hosts Directed unicast requests to a DNS server for identifying a switch thr...

Page 43: ...IEEE 802 1S Multiple Spanning Tree Protocol MSTP for grouping VLANs into a spanning tree instance and for providing multiple forwarding paths for data traffic and load balancing and IEEE 802 1W Rapid Spanning Tree Protocol RSTP for rapid convergence of the spanning tree by immediately transitioning root and designated ports to the forwarding state Optional spanning tree features available in PVST ...

Page 44: ... MAC addressing for ensuring security Protected port option for restricting the forwarding of traffic to designated ports on the same switch Port security option for limiting and identifying MAC addresses of the stations allowed to access the port Port security aging to set the aging time for secure addresses on a port BPDU guard for shutting down a Port Fast configured port when an invalid config...

Page 45: ... the presence of a Cisco IP phone trusting the CoS value received and ensuring port security Policing Traffic policing policies on the switch port for managing how much of the port bandwidth should be allocated to a specific traffic flow Aggregate policing for policing traffic flows in aggregate to restrict specific applications or traffic flows to metered predefined rates Out of Profile Out of pr...

Page 46: ...ly attached subnets Protocol Independent Multicast PIM for multicast routing within the network allowing for devices in the network to receive the multicast feed requested and for switches not participating in the multicast to be pruned Includes support for PIM sparse mode PIM SM PIM dense mode PIM DM and PIM sparse dense mode requires the EMI Multicast Source Discovery Protocol MSDP for connectin...

Page 47: ... for plug and play operation requiring only that you assign basic IP information to the switch and connect it to the other devices in your network If you have specific network needs you can change the interface specific and system wide settings If you do not configure the switch at all the switch operates with the default settings listed in Table 1 1 This table lists the key software features thei...

Page 48: ...ing STP MSTP Disabled Chapter 16 Configuring MSTP Optional spanning tree features Disabled Chapter 17 Configuring Optional Spanning Tree Features DHCP snooping DHCP snooping Disabled Chapter 18 Configuring DHCP Features DHCP snooping information option Enabled IGMP snooping IGMP snooping Enabled Chapter 19 Configuring IGMP Snooping and MVR IGMP filters None applied IGMP throttling Deny MVR Disable...

Page 49: ... your network users compete for network bandwidth it takes longer to send and receive data When you configure your network consider the bandwidth required by your network users and the relative priority of the network applications they use Table 1 2 describes what can cause network performance to degrade and how you can configure your network to increase the bandwidth available to your network use...

Page 50: ...d routers to which the network users require equal access directly to the high speed switch ports so that they have their own high speed segment Use the EtherChannel feature between the switch and its connected servers and routers Table 1 3 Providing Network Services Network Demands Suggested Design Methods Efficient bandwidth usage for multimedia applications and guaranteed bandwidth for critical...

Page 51: ...t unauthorized users from accessing critical pieces of the network In addition to inter VLAN routing the multilayer switches provide QoS mechanisms such as DSCP priorities to prioritize the different types of network traffic and to deliver high priority traffic in a predictable manner If congestion occurs QoS drops low priority traffic to allow delivery of high priority traffic For pre standard an...

Page 52: ...n the wiring closets and two backbone switches such as the Catalyst 6500 switches to aggregate up to ten wiring closets In the wiring closet each switch has IGMP snooping enabled to efficiently forward multimedia and multicast traffic QoS ACLs that either drop or mark nonconforming traffic based on bandwidth limits are also configured on each switch VLAN maps provide intra VLAN security and preven...

Page 53: ... mission critical traffic Figure 1 2 Catalyst 3560 Switches in Wiring Closets in a Backbone Configuration Cisco 7x00 routers Catalyst 6500 multilayer switches Cisco IP Phones with workstations WAN IP IP IP Aironet wireless access points IEEE 802 3af compliant powered device such as a web cam Cisco IP Phones with workstations IP IP IP 101389 Aironet wireless access points IEEE 802 3af compliant pow...

Page 54: ...es of up to 393 701 feet 74 5 miles or 120 km The CWDM OADM modules combine or multiplex the different CWDM wavelengths allowing them to travel simultaneously on the same fiber optic cable The CWDM OADM modules on the receiving end separate or demultiplex the different wavelengths For more information about the CWDM SFP modules and CWDM OADM modules refer to the Cisco CWDM GBIC and CWDM SFP Instal...

Page 55: ...you begin in user mode often called user EXEC mode Only a limited subset of the commands are available in user EXEC mode For example most of the user EXEC commands are one time commands such as show commands which show the current configuration status and clear commands which clear counters or interfaces The user EXEC commands are not saved when the switch reboots To have access to all commands yo...

Page 56: ...mode to configure VLAN parameters When VTP mode is transparent you can create extended range VLANs VLAN IDs greater than 1005 and save configurations in the switch startup configuration file VLAN configuration While in privileged EXEC mode enter the vlan database command Switch vlan To exit to privileged EXEC mode enter exit Use this mode to configure VLAN parameters for VLANs 1 to 1005 in the VLA...

Page 57: ...uration privileged EXEC command in an abbreviated form Switch show conf Table 2 2 Help Summary Command Purpose help Obtain a brief description of the help system in any command mode abbreviated command entry Obtain a list of commands that begin with a particular character string For example Switch di dir disable disconnect abbreviated command entry Tab Complete a partial command name For example S...

Page 58: ...g Command History The software provides a history or record of commands that you have entered The command history feature is particularly useful for recalling long or complex commands or entries including access lists You can customize this feature to suit your needs as described in these sections Changing the Command History Buffer Size page 2 5 optional Recalling Commands page 2 5 optional Disab...

Page 59: ... Disabling the Command History Feature The command history feature is automatically enabled You can disable it for the current terminal session or for the command line These procedures are optional To disable the feature during the current terminal session enter the terminal no history privileged EXEC command To disable command history for the line enter the no history line configuration command T...

Page 60: ... terminal editing To reconfigure a specific line to have enhanced editing mode enter this command in line configuration mode Switch config line editing Editing Commands through Keystrokes Table 2 5 shows the keystrokes that you need to edit command lines These keystrokes are optional Table 2 5 Editing Commands through Keystrokes Capability Keystroke1 Purpose Move around the command line to make ch...

Page 61: ...wercase words or capitalize a set of letters Press Esc C Capitalize at the cursor Press Esc L Change the word at the cursor to lowercase Press Esc U Capitalize letters from the cursor to the end of the word Designate a particular keystroke as an executable command perhaps as a shortcut Press Ctrl V or Esc Q Scroll down a line or screen on displays that are longer than the terminal screen can displ...

Page 62: ...entry press Ctrl A to check the complete syntax before pressing the Return key to execute the command The dollar sign appears at the end of the line to show that the line has been scrolled to the right Switch config access list 101 permit tcp 131 108 2 5 255 255 255 0 131 108 1 The software assumes you have a terminal screen that is 80 columns wide If you have a width other than that use the termi...

Page 63: ...k connectivity with the Telnet or SSH client and the switch must have an enable secret password configured For information about configuring the switch for Telnet access see the Setting a Telnet Password for a Terminal Line section on page 8 6 The switch supports up to 16 simultaneous Telnet sessions Changes made by one Telnet user are reflected in all other Telnet sessions For information about c...

Page 64: ...mory cache until you exit the browser session A password is not required to redisplay these pages including the Cisco Systems Access page You can access the CLI by clicking Web Console HTML access to the command line interface from a cached copy of the Cisco Systems Access page To prevent unauthorized access to the CLI or to the Cluster Management Suite CMS exit your browser to end the browser ses...

Page 65: ...be command switches or member switches refer to the release notes for this switch Understanding CMS CMS provides these features for managing switch clusters and individual switches from web browsers such as Netscape Communicator or Microsoft Internet Explorer Front panel and topology views of your network as shown in Figure 3 7 on page 3 14 and Figure 3 8 on page 3 15 that can be displayed at the ...

Page 66: ...launched from a command switch For more information see the Displaying CMS section on page 3 11 CMS Menu Bar Toolbar and Feature Bar The configuration and monitoring options for configuring switches and switch clusters are available from the menu bar the toolbar and the feature bar The menu bar shown in Figure 3 1 provides these options for managing a single switch and switch clusters CMS Choose p...

Page 67: ...t available in read only mode Save the configuration of the cluster or a switch to Flash memory Software Upgrade2 Upgrade the software for the cluster or a switch Port Settings1 Display and configure port parameters on a switch VLAN1 Display VLAN membership assign ports to VLANs and change the administration mode Inventory Display the device type the software version the IP address and other infor...

Page 68: ...click CMS Feature Bar and select Standard Mode To hide the feature bar click CMS Feature Bar and select Autohide Mode Figure 3 2 shows the features available in a sample cluster Figure 3 2 Feature Bar and Search Window Note Only features supported by the devices in your cluster are displayed in the feature bar You can search for features that are available for your cluster by clicking Search and e...

Page 69: ...ge the CMS interaction mode to either expert or guide mode Expert mode displays a configuration window in which you configure the feature options Guide mode takes you through each feature option and provides information about the parameter Wizards are also available for some configuration options These are similar to guide mode configuration windows except that fewer options are available Guide Mo...

Page 70: ...opup menu If you change the interaction mode after selecting a configuration option the mode change does not take effect until you select another configuration option Wizards Similar to guide mode wizards provide a step by step approach for completing a specific configuration task Unlike guide mode a wizard does not prompt you to provide information for all of the feature options Instead it prompt...

Page 71: ... denied access to CMS If you do have privilege level 15 you are granted read write access Therefore you do not need to include the privilege level if it is 15 Entering zero denies access to CMS For more information about privilege levels see the Preventing Unauthorized Access to Your Switch section on page 8 1 and the Configuring Multiple Privilege Levels section on page 8 8 Access to Older Switch...

Page 72: ...figuration Only section on page 3 10 Configuring an Authentication Method Nondefault Configuration Only section on page 3 10 Note The software requirements are automatically verified by the CMS Startup Report when you launch CMS For more information see the Launching CMS section on page 3 11 Minimum Hardware Configuration The minimum PC requirement is a Pentium processor running at 233 MHz with 64...

Page 73: ...in is not registered with the new browser Note Do not install the CMS plug in on Solaris Solaris For Solaris Java plug in 1 4 1 is required to run CMS You can download the Java plug in and installation instructions from this URL http www cisco com pcgi bin tablebuild pl java On Solaris platforms follow the instructions in the README_FIRST txt file to install the Java plug in You need to close and ...

Page 74: ...Manager Cluster management options are not available on these switches This is the earliest version of CMS Refer to the documentation specific to the switch and its Cisco IOS release for descriptions of the CMS version HTTP Access to CMS CMS uses the HTTP protocol the default is port 80 and the default method of authentication the enable password to communicate with the switch through any of its E...

Page 75: ...ter the switch IP address in the browser and press Return Step 2 Enter your username and password when prompted If no username is configured on your switch the default enter only the enable password if an enable password is configured in the password field The switch home page appears as shown in Figure 3 4 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip http au...

Page 76: ...unches CMS Tools Accesses diagnostic and monitoring tools such as Telnet Extended Ping and the show interfaces privileged EXEC command Help Resources Provides links to the Cisco website technical documentation and the Cisco Technical Assistance Center TAC Step 3 Click Cluster Management Suite to launch the CMS interface The CMS Startup Report runs and verifies that your PC or workstation can corre...

Page 77: ...the links and follow the instructions to configure your PC or workstation Note If you are running Windows and need to both upgrade your web browser and install the CMS plug in you must upgrade your browser first If you install the CMS plug in and then upgrade your browser the plug in is not registered with the new browser Note If your PC or workstation is correctly configured for CMS you do not se...

Page 78: ...bar as shown in Figure 3 6 Figure 3 6 Toolbar The Front Panel view displays the front panel image of the command switch and other selected switches as shown in Figure 3 7 and you can select more switches to be displayed You can choose and configure the switches that appear in Front Panel view You can drag the switches that appear and re arrange them You can right click on a switch port to configur...

Page 79: ...anager for a specific switch in the cluster you launch a separate CMS session The Device Manager interface can vary among the Catalyst switch platforms Topology View When CMS is launched from a command switch the Topology view appears by default This view is available only when CMS is launched from a command switch When you click the topology button on the tool bar the Topology view displays the c...

Page 80: ...er the cluster is collapsed and represented by a single icon The view shows how the cluster is connected to other clusters candidate switches and devices that are not eligible to join the cluster such as routers access points IP phones and so on Note The Topology view displays only the switch cluster and network neighborhood of the specific command or member switch that you access To display a dif...

Page 81: ...fying the Startup Configuration page 4 11 Scheduling a Reload of the Software Image page 4 16 Understanding the Boot Process To start your switch you need to follow the procedures in the hardware installation guide about installing and powering on the switch and setting up the initial configuration IP address subnet mask default gateway secret and Telnet passwords and so forth of the switch The no...

Page 82: ...abling Password Recovery section on page 8 5 Before you can assign switch information make sure you have connected a PC or terminal to the console port and configured the PC or terminal emulation software baud rate and character format to match these of the switch console port Baud rate default is 9600 Data bits default is 8 Note If the data bits option is set to 8 set the parity option to none St...

Page 83: ...d at startup with IP address information and a configuration file With DHCP based autoconfiguration no DHCP client side configuration is needed on your switch However you need to configure the DHCP server or the DHCP server feature on your switch for various lease options associated with IP addresses If you are using DHCP to relay the configuration file location on the network you might also need ...

Page 84: ...er The amount of information the switch receives depends on how you configure the DHCP server For more information see the Configuring the DHCP Server section on page 4 5 If the configuration parameters sent to the client in the DHCPOFFER unicast message are invalid a configuration error exists the client returns a DHCPDECLINE broadcast message to the DHCP server The DHCP server sends the client a...

Page 85: ...ettings of the DHCP server the switch can receive IP address information the configuration file or both If you do not configure the DHCP server or the DHCP server feature running on your switch with the lease options described earlier it replies to client requests with only those parameters that are configured If the IP address and subnet mask are not in the reply the switch is not configured If t...

Page 86: ...section on page 4 6 The preferred solution is to configure the DHCP server or the DHCP server feature running on your switch with all the required information Configuring the DNS The DHCP server or the DHCP server feature running on your switch uses the DNS server to resolve the TFTP server name to an IP address You must configure the TFTP server name to IP address map on the DNS server The TFTP s...

Page 87: ...ess is not provided in the DHCP reply one file read method The switch receives its IP address subnet mask and the configuration filename from the DHCP server or the DHCP server feature running on your switch The switch sends a broadcast message to a TFTP server to retrieve the named configuration file from the base directory of the server and upon receipt completes its boot up process Only the IP ...

Page 88: ...to an IP address Example Configuration Figure 4 3 shows a sample network for retrieving IP information by using DHCP based autoconfiguration Figure 4 3 DHCP Based Autoconfiguration Network Example Table 4 2 shows the configuration of the reserved leases on the DHCP server or the DHCP server feature running on your switch Switch A 00e0 9f1e 2001 Cisco router 101401 Switch B 00e0 9f1e 2002 Switch C ...

Page 89: ...Explanation In Figure 4 3 Switch A reads its configuration file as follows It obtains its IP address 10 0 0 21 from the DHCP server If no configuration filename is given in the DHCP server reply Switch A reads the network confg file from the base directory of the TFTP server It adds the contents of the network confg file to its host table It reads its host table by indexing its IP address 10 0 0 2...

Page 90: ... bytes version 12 1 no service pad service timestamps debug uptime service timestamps log uptime no service password encryption hostname Switch A enable secret 5 1 ej9 DMUvAUnZOAmvmgqBEzIxE0 output truncated interface gigabitethernet0 1 no switchport ip address 172 20 137 50 255 255 255 0 interface gigabitethernet0 2 mvr type source output truncated interface VLAN1 Step 5 ip default gateway ip add...

Page 91: ...e If you fail to do this your configuration will be lost the next time you reload the system To display information stored in the NVRAM section of Flash memory use the show startup config or more startup config privileged EXEC command For more information about alternative locations from which to copy the configuration file see Appendix B Working with the Cisco IOS File System Configuration Files ...

Page 92: ...switch attempts to automatically boot the system using information in the BOOT environment variable If the variable is not set the switch attempts to load and execute the first executable image it can by performing a recursive depth first search throughout the Flash file system The Cisco IOS image is stored in a directory that has the same name as the image file excluding the bin extension In a de...

Page 93: ...e steps to configure the switch to boot a specific image during the next boot cycle Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 boot manual Enable the switch to manually boot during the next boot cycle Step 3 end Return to privileged EXEC mode Step 4 show boot Verify your entries The boot manual global command changes the setting of the MANUAL_BOOT environment ...

Page 94: ...s listed in the file even if the value is a null string A variable that is set to a null string for example is a variable with a value Many environment variables are predefined and have default values Environment variables store two kinds of data Data that controls code which does not read the Cisco IOS configuration file For example the name of a boot loader helper file which extends or patches t...

Page 95: ... automatically boot the system If it is set to anything else you must manually boot the switch from the boot loader mode boot manual Enables manually booting the switch during the next boot cycle and changes the setting of the MANUAL_BOOT environment variable The next time you reboot the system the switch is in boot loader mode To boot the system use the boot loader boot flash filesystem file url ...

Page 96: ...day if the specified time is later than the current time or on the next day if the specified time is earlier than the current time Specifying 00 00 schedules the reload for midnight Note Use the at keyword only if the switch system clock has been set through Network Time Protocol NTP the hardware calendar or manually The time is relative to the configured time zone on the switch To schedule reload...

Page 97: ...un 20 1996 in 344 hours and 53 minutes Proceed with reload confirm To cancel a previously scheduled reload use the reload cancel privileged EXEC command Displaying Scheduled Reload Information To display information about a previously scheduled reload or to find out if a reload has been scheduled on the switch use the show reload privileged EXEC command It displays reload information including the...

Page 98: ...4 18 Catalyst 3560 Switch Software Configuration Guide 78 16156 01 Chapter 4 Assigning the Switch IP Address and Default Gateway Scheduling a Reload of the Software Image ...

Page 99: ...his chapter consists of these sections Understanding Switch Clusters page 5 2 Planning a Switch Cluster page 5 4 Creating a Switch Cluster page 5 16 Note Configuring switch clusters is more easily done from the Cluster Management Suite CMS web based interface than through the command line interface CLI Therefore information in this chapter focuses on using CMS to create a cluster See Chapter 3 Get...

Page 100: ...er network Cluster members are connected to the cluster command switch according to the connectivity guidelines described in the Automatic Discovery of Cluster Candidates and Members section on page 5 5 This section includes management VLAN considerations for the Catalyst 1900 Catalyst 2820 Catalyst 2900 XL Catalyst 2950 and Catalyst 3500 XL switches For complete information about these switches i...

Page 101: ...ust be the cluster command switch Standby Cluster Command Switch Characteristics A standby cluster command switch must meet these requirements It is running Cisco IOS Release 12 1 19 EA1 or later It has an IP address It has CDP version 2 enabled It is connected to the command switch and to other standby command switches through its management VLAN It is connected to all other cluster member switch...

Page 102: ...their management VLAN to the cluster command switch and standby cluster command switches For complete information about these switches in a switch cluster environment refer to the software configuration guide for that specific switch This requirement does not apply if you have a Catalyst 2970 Catalyst 3550 Catalyst 3560 or Catalyst 3750 cluster command switch Candidate and cluster member switches ...

Page 103: ...s page 5 7 Discovery Through Different Management VLANs page 5 7 Discovery Through Routed Ports page 5 8 Discovery of Newly Installed Switches page 5 9 Discovery Through CDP Hops By using CDP a cluster command switch can discover switches up to seven CDP hops away the default is three hops from the edge of the cluster The edge of the cluster is where the last cluster member switches are connected ...

Page 104: ...ot discover a cluster enabled device connected beyond the noncluster capable Cisco device Figure 5 2 shows that the cluster command switch discovers the switch that is connected to a third party hub However the cluster command switch does not discover the switch that is connected to a Catalyst 5000 switch Figure 5 2 Discovery Through Non CDP Capable and Noncluster Capable Devices Command switch Me...

Page 105: ... must be connected to the cluster command switch through their management VLAN For information about discovery through management VLANs the Discovery Through Different Management VLANs section on page 5 7 For more information about VLANs see Chapter 12 Configuring VLANs Figure 5 3 Discovery Through Different VLANs Discovery Through Different Management VLANs Catalyst 2970 Catalyst 3550 Catalyst 35...

Page 106: ...nt Management VLANs with a Layer 3 Cluster Command Switch Discovery Through Routed Ports If the cluster command switch has a routed port RP configured it discovers only candidate and cluster member switches in the same VLAN as the routed port For more information about routed ports see the Routed Ports section on page 10 3 The Layer 3 cluster command switch in Figure 5 5 can discover the switches ...

Page 107: ...he VLAN of the immediately upstream neighbor The new switch also configures its access port to belong to the VLAN of the immediately upstream neighbor The cluster command switch in Figure 5 6 belongs to VLANs 9 and 16 When new cluster capable switches join the cluster One cluster capable switch and its access port are assigned to VLAN 9 The other cluster capable switch and its access port are assi...

Page 108: ...by group The switches in the cluster standby group are ranked according to HSRP priorities The switch with the highest priority in the group is the active cluster command switch AC The switch with the next highest priority is the standby cluster command switch SC The other switches in the cluster standby group are the passive cluster command switches PC If the active cluster command switch and the...

Page 109: ...switches as the cluster command switch For example if the cluster command switch is a Catalyst 3560 switch the standby cluster command switches must also be Catalyst 3560 switches Refer to the switch configuration guide of other cluster capable switches for their requirements on standby cluster command switches If your switch cluster has a Catalyst 3560 switch it should be the cluster command swit...

Page 110: ...hes If the active cluster command switch and standby cluster command switch become disabled at the same time the passive cluster command switch with the highest priority becomes the active cluster command switch However because it was a passive standby cluster command switch the previous cluster command switch did not forward cluster configuration information to it The active cluster command switc...

Page 111: ...tch leaves the cluster and it does not have its own IP address you then must assign IP information to it to manage it as a standalone switch Note Changing the cluster command switch IP address ends your CMS session on the switch Restart your CMS session by entering the new IP address in the browser Location field Netscape Communicator or Address field Internet Explorer as described in the release ...

Page 112: ...d read write RW community strings with esN appended to the community strings command switch readonly community string esN where N is the member switch number command switch readwrite community string esN where N is the member switch number If the cluster command switch has multiple read only or read write community strings only the first read only and read write strings are propagated to the clust...

Page 113: ...le devices and cannot be configured from CMS For more information about CMS access modes see the Access to Older Switches In a Cluster section on page 3 7 LRE Profiles A configuration conflict occurs if a switch cluster has Long Reach Ethernet LRE switches that use both private and public profiles If one LRE switch in a cluster is assigned a public profile all LRE switches in that cluster must hav...

Page 114: ...e requirements described in the Cluster Command Switch Characteristics section on page 5 3 the Planning a Switch Cluster section on page 5 4 and the release notes Note If your switch cluster has a Catalyst 3560 switch it should be the cluster command switch unless the cluster has a Catalyst 3750 switch or switch stack If the switch cluster has a Catalyst 3750 switch or switch stack that switch or ...

Page 115: ...r member switches are green To add more than one candidate switch press Ctrl and left click the candidates that you want to add Instead of using CMS to add members to the cluster you can use the cluster member global configuration command from the cluster command switch Use the password option in this command if the candidate switch has a password You can select 1 or more switches as long as the t...

Page 116: ...exists for the switch leave this field blank Select a switch and click Add Press Ctrl and left click to select more than one switch 93334 3750G 24T stack12 stack10 stack1 4 stack1 6 stack1 5 stack1 2 stack1 1 3750G 24T stack1 3 Thin line means a connection to a candidate switch Right click a candidate switch to display the pop up menu and select Add to Cluster to add the switch to the cluster 9333...

Page 117: ...switch host names in the Standby Command Group list to show their eligibility or status in the cluster standby group AC Active cluster command switch SC Standby cluster command switch PC Member of the cluster standby group but not the standby cluster command switch HC Candidate switch that can be added to the cluster standby group CC Cluster command switch when HSRP is disabled You must enter a vi...

Page 118: ...d colors see the Topology View section on page 3 2 Step 4 Select Reports Inventory to display an inventory of the switches in the cluster Figure 5 12 The summary includes information such as switch model numbers serial numbers software versions IP information and location You can also display port and switch statistics from Reports Port Statistics and Port Port Settings Runtime Status Instead of u...

Page 119: ...number to start a Telnet session through a console or Telnet connection and to access the cluster member switch CLI The command mode changes and the Cisco IOS commands operate as usual Enter the exit privileged EXEC command on the cluster member switch to return to the command switch CLI This example shows how to log into member switch 3 from the command switch CLI switch rcommand 3 If you do not ...

Page 120: ... you can enable it as described in the Configuring SNMP section on page 26 6 On Catalyst 1900 and Catalyst 2820 switches SNMP is enabled by default When you create a cluster the cluster command switch manages the exchange of messages between cluster member switches and an SNMP application The cluster software on the cluster command switch appends the cluster member switch number esN where N is the...

Page 121: ...figuration Guide 78 16156 01 Chapter 5 Clustering Switches Using SNMP to Manage Switch Clusters Figure 5 13 SNMP Management for a Cluster Trap T r a p T r a p Command switch Trap 1 Trap 2 Trap 3 Member 1 Member 2 Member 3 33020 SNMP Manager ...

Page 122: ...5 24 Catalyst 3560 Switch Software Configuration Guide 78 16156 01 Chapter 5 Clustering Switches Using SNMP to Manage Switch Clusters ...

Page 123: ...21 Managing the ARP Table page 6 28 Managing the System Time and Date You can manage the system time and date on your switch using automatic configuration such as the Network Time Protocol NTP or manual configuration methods Note For complete syntax and usage information for the commands used in this section refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12 1 This ...

Page 124: ...one packet per minute is necessary to synchronize two devices to within a millisecond of one another NTP uses the concept of a stratum to describe how many NTP hops away a device is from an authoritative time source A stratum 1 time server has a radio or atomic clock directly attached a stratum 2 time server receives its time through NTP from a stratum 1 time server and so on A device running NTP ...

Page 125: ...ches Switch B and Switch F Figure 6 1 Typical NTP Network Configuration If the network is isolated from the Internet Cisco s implementation of NTP allows a device to act as though it is synchronized through NTP when in fact it has determined the time by using other means Other devices then synchronize to that device through NTP When multiple sources of time are available NTP is always considered t...

Page 126: ...entication page 6 5 Configuring NTP Associations page 6 6 Configuring NTP Broadcast Service page 6 7 Configuring NTP Access Restrictions page 6 8 Configuring the Source IP Address for NTP Packets page 6 10 Displaying the NTP Configuration page 6 11 Default NTP Configuration Table 6 1 shows the default NTP configuration NTP is enabled on all interfaces by default All interfaces receive NTP packets ...

Page 127: ...ation key 42 md5 aNiceKey Switch config ntp trusted key 42 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ntp authenticate Enable the NTP authentication feature which is disabled by default Step 3 ntp authentication key number md5 value Define the authentication keys By default none are defined For number specify a key number The range is 1 to 4294967295 md5 speci...

Page 128: ... configuration mode Step 2 ntp peer ip address version number key keyid source interface prefer or ntp server ip address version number key keyid source interface prefer Configure the switch system clock to synchronize a peer or to be synchronized by a peer peer association or Configure the switch system clock to be synchronized by a time server server association No peer or server associations ar...

Page 129: ...EC mode follow these steps to configure the switch to send NTP broadcast packets to peers so that they can synchronize their clock to the switch To disable the interface from sending NTP broadcast packets use the no ntp broadcast interface configuration command This example shows how to configure a port to send NTP version 2 packets Switch config interface gigabitethernet0 1 Switch config if ntp b...

Page 130: ... two levels as described in these sections Creating an Access Group and Assigning a Basic IP Access List page 6 9 Disabling NTP Services on a Specific Interface page 6 10 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to receive NTP broadcast packets and enter interface configuration mode Step 3 ntp broadcast client Ena...

Page 131: ...ted Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ntp access group query only serve only serve peer access list number Create an access group and apply a basic IP access list The keywords have these meanings query only Allows only NTP control queries serve only Allows only time requests serve Allows time requests and NTP control queries but does not allow the swi...

Page 132: ...h which the NTP packet is sent Use the ntp source global configuration command when you want to use a particular source IP address for all NTP packets The address is taken from the specified interface This command is useful if the address on an interface cannot be used as the destination for reply packets Beginning in privileged EXEC mode follow these steps to configure a specific interface from w...

Page 133: ...e manual configuration only as a last resort If you have an outside source to which the switch can synchronize you do not need to manually set the system clock This section contains this configuration information Setting the System Clock page 6 11 Displaying the Time and Date Configuration page 6 12 Configuring the Time Zone page 6 12 Configuring Summer Time Daylight Saving Time page 6 13 Setting ...

Page 134: ...e the time zone The minutes offset variable in the clock timezone global configuration command is available for those cases where a local time zone is a percentage of an hour different from UTC For example the time zone for some sections of Atlantic Canada AST is UTC 3 5 where the 3 means 3 hours and 5 means 50 percent In this case the necessary command is clock timezone AST 3 30 To set the time t...

Page 135: ...lock summer time PDT recurring 1 Sunday April 2 00 last Sunday October 2 00 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 clock summer time zone recurring week day month hh mm week day month hh mm offset Configure summer time to start and end on the specified days every year Summer time is disabled by default If you specify clock summer time zone recurring withou...

Page 136: ...6 2001 at 02 00 Switch config clock summer time pdt date 12 October 2000 2 00 26 April 2001 2 00 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 clock summer time zone date month date year hh mm month date year hh mm offset or clock summer time zone date date month year hh mm date month year hh mm offset Configure summer time to start on the first date and end on t...

Page 137: ...ge 6 15 Configuring a System Name page 6 15 Configuring a System Prompt page 6 16 Understanding DNS page 6 16 Default System Name and Prompt Configuration The default switch system name and prompt is Switch Configuring a System Name Beginning in privileged EXEC mode follow these steps to manually configure a system name When you set the system name it is also used as the system prompt You can over...

Page 138: ...c device in this domain for example the File Transfer Protocol FTP system is identified as ftp cisco com To keep track of domain names IP has defined the concept of a domain name server which holds a cache or database of names mapped to IP addresses To map domain names to IP addresses you must first identify the host names specify the name server that is present on your network and enable the DNS ...

Page 139: ...namic Host Configuration Protocol DHCP server then the default domain name might be set by the BOOTP or DHCP server if the servers were configured with this information Step 3 ip name server server address1 server address2 server address6 Specify the address of one or more name servers to use for name and address resolution You can specify up to six name servers Separate each server address with a...

Page 140: ... command To disable DNS on the switch use the no ip domain lookup global configuration command Displaying the DNS Configuration To display the DNS configuration information use the show running config privileged EXEC command Creating a Banner You can configure a message of the day MOTD and a login banner The MOTD banner displays on all connected terminals at login and is useful for sending message...

Page 141: ...ws the banner that appears from the previous configuration Unix telnet 172 2 5 4 Trying 172 2 5 4 Connected to 172 2 5 4 Escape character is This is a secure site Only authorized users are allowed For access contact technical support User Access Verification Password Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 banner motd c message c Specify the message of the ...

Page 142: ... delimiter Switch config banner login Access for authorized users only Please enter your username and password Switch config Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 banner login c message c Specify the login message For c enter the delimiting character of your choice for example a pound sign and press the Return key The delimiting character signifies the be...

Page 143: ...nfiguring MAC Address Notification Traps page 6 23 Adding and Removing Static Address Entries page 6 25 Configuring Unicast MAC Address Filtering page 6 26 Displaying Address Table Entries page 6 28 Building the Address Table With multiple MAC addresses supported on all ports you can connect any port on the switch to individual workstations repeaters switches routers or other network devices The s...

Page 144: ...ress table configuration Changing the Address Aging Time Dynamic addresses are source MAC addresses that the switch learns and then ages when they are not in use You can change the aging time setting for all VLANs or for a specified VLAN Setting too short an aging time can cause addresses to be prematurely removed from the table Then when the switch receives a packet for an unknown destination it ...

Page 145: ...ty on the switch Whenever the switch learns or removes a MAC address an SNMP notification can be generated and sent to the NMS If you have many users coming and going from the network you can set a trap interval time to bundle the notification traps and reduce network traffic The MAC notification history table stores the MAC address activity for each hardware port for which the trap is enabled MAC...

Page 146: ...ver host command For notification type use the mac notification keyword Step 3 snmp server enable traps mac notification Enable the switch to send MAC address traps to the NMS Step 4 mac address table notification Enable the MAC address notification feature Step 5 mac address table notification interval value history size value Enter the trap interval time and the history table size Optional For i...

Page 147: ... Switch config if snmp trap mac notification added You can verify the previous commands by entering the show mac address table notification interface and the show mac address table notification privileged EXEC commands Adding and Removing Static Address Entries A static address has these characteristics It is manually entered in the address table and must be manually removed It can be a unicast ad...

Page 148: ...MAC addresses are not supported If you specify one of these addresses when entering the mac address table static mac addr vlan vlan id drop global configuration command one of these messages appears Only unicast addresses can be configured to be dropped CPU destined address cannot be configured as drop address Packets that are forwarded to the CPU are also not supported Command Purpose Step 1 conf...

Page 149: ...d the VLAN from which it is received Beginning in privileged EXEC mode follow these steps to configure the switch to drop a source or destination unicast static address To disable unicast MAC address filtering use the no mac address table static mac addr vlan vlan id global configuration command This example shows how to enable unicast MAC address filtering and to configure the switch to drop pack...

Page 150: ...fied by the Subnetwork Access Protocol SNAP By default standard Ethernet style ARP encapsulation represented by the arpa keyword is enabled on the IP interface ARP entries added manually to the table do not age and must be manually removed For CLI procedures refer to the Cisco IOS Release 12 1 documentation on Cisco com Table 6 4 Commands for Displaying the MAC Address Table Command Description sh...

Page 151: ...d in the network You can select a template to provide maximum system usage for some functions or to use the default template to balance resources The templates prioritize system resources to optimize support for these types of features Routing The routing template maximizes system resources for unicast routing typically required for a router or aggregator in the center of a network VLANs The VLAN ...

Page 152: ...lt SDM Template The default template is the default desktop template SDM Template Configuration Guidelines You must reload the switch for the configuration to take effect Use the sdm prefer vlan global configuration command only on switches intended for Layer 2 switching with no routing When you use the VLAN template no system resources are reserved for routing entries and any routing is done thro...

Page 153: ...ANs number of unicast mac addresses 3K number of igmp groups multicast routes 1K number of unicast routes 11K number of directly connected hosts 3K number of indirect routes 8K number of qos aces 512 number of security aces 1K On next reload template will be desktop vlan template To return to the default template use the no sdm prefer global configuration command This example shows how to configur...

Page 154: ...eatures for 8 routed interfaces and 1024 VLANs number of unicast mac addresses 6K number of igmp groups multicast routes 1K number of unicast routes 8K number of directly connected hosts 6K number of indirect routes 2K number of policy based routing aces 0 number of qos aces 512 number of security aces 1K This is an example of output from the show sdm prefer routing command entered on a switch Swi...

Page 155: ...to your switch you should configure one or more of these security features At a minimum you should configure passwords and privileges at each switch port These passwords are locally stored on the switch When users attempt to access the switch through a port or line they must enter the password specified for the port or line before they can access the switch For more information see the Protecting ...

Page 156: ...ation information Default Password and Privilege Level Configuration page 8 2 Setting or Changing a Static Enable Password page 8 3 Protecting Enable and Enable Secret Passwords with Encryption page 8 4 Disabling Password Recovery page 8 5 Setting a Telnet Password for a Terminal Line page 8 6 Configuring Username and Password Pairs page 8 7 Configuring Multiple Privilege Levels page 8 8 Default P...

Page 157: ...password Define a new password or change an existing password for access to privileged EXEC mode By default no password is defined For password specify a string from 1 to 25 alphanumeric characters The string cannot start with a number is case sensitive and allows spaces but ignores leading spaces It can contain the question mark character if you precede the question mark with the key combination ...

Page 158: ...ted password or enable secret level level password encryption type encrypted password Define a new password or change an existing password for access to privileged EXEC mode or Define a secret password which is saved using a nonreversible encryption method Optional For level the range is from 0 to 15 Level 1 is normal user EXEC mode privileges The default level is 15 privileged EXEC mode privilege...

Page 159: ... password The password recovery disable feature protects access to the switch password by disabling part of this functionality When this feature is enabled the end user can interrupt the boot process only by agreeing to set the system back to the default configuration With password recovery disabled you can still interrupt the boot process and change the password but the configuration file config ...

Page 160: ...ration command This example shows how to set the Telnet password to let45me67in89 Switch config line vty 10 Switch config line password let45me67in89 Command Purpose Step 1 Attach a PC or workstation with emulation software to the switch console port The default data characteristics of the console port are 9600 8 1 no parity You might need to press the Return key several times to see the command l...

Page 161: ...ode Step 2 username name privilege level password encryption type password Enter the username privilege level and password for each user For name specify the user ID as one word Spaces and quotation marks are not allowed Optional For level specify the privilege level the user has after gaining access The range is 0 to 15 Level 15 gives privileged EXEC mode access Level 1 gives user EXEC mode acces...

Page 162: ...llow these steps to set the privilege level for a command mode Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 privilege mode level level command Set the privilege level for a command For mode enter configure for global configuration mode exec for EXEC mode interface for interface configuration mode or line for line configuration mode For level the range is from 0 ...

Page 163: ...de the privilege level you set using the privilege level line configuration command by logging in to the line and enabling a different privilege level They can lower the privilege level by using the disable command If users know the password to a higher privilege level they can use that password to enable the higher privilege level You might specify a high level or privilege level for your console...

Page 164: ... security application that provides centralized validation of users attempting to gain access to your switch TACACS services are maintained in a database on a TACACS daemon typically running on a UNIX or Windows NT workstation You should have access to and should configure a TACACS server before the configuring TACACS features on your switch TACACS provides for separate and modular authentication ...

Page 165: ...ession duration or protocol support You can also enforce restrictions on what commands a user can execute with the TACACS authorization feature Accounting Collects and sends information used for billing auditing and reporting to the TACACS daemon Network managers can use the accounting facility to track user activity for a security audit or to provide information for user billing Accounting record...

Page 166: ... is configured to require authorization authorization begins at this time REJECT The user is not authenticated The user can be denied access or is prompted to retry the login sequence depending on the TACACS daemon ERROR An error occurred at some time during authentication with the daemon or in the network connection between the daemon and the switch If an ERROR response is received the switch typ...

Page 167: ...xhausted This section contains this configuration information Default TACACS Configuration page 8 13 Identifying the TACACS Server Host and Setting the Authentication Key page 8 13 Configuring TACACS Login Authentication page 8 14 Configuring TACACS Authorization for Privileged EXEC Access and Network Services page 8 16 Starting TACACS Accounting page 8 17 Default TACACS Configuration TACACS and A...

Page 168: ...or authentication thus ensuring a backup system for authentication in case the initial method fails The software uses the first method listed to Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 tacacs server host hostname port integer timeout integer key string Identify the IP host or hosts maintaining a TACACS server Enter this command multiple times to create a li...

Page 169: ...character string to name the list you are creating For method1 specify the actual method the authentication algorithm tries The additional methods of authentication are used only if the previous method returns an error not if it fails Select one of these methods enable Use the enable password for authentication Before you can use this authentication method you must define an enable password by usi...

Page 170: ...thorization parameters Use TACACS for privileged EXEC access authorization if authentication was performed by using TACACS Use the local database if authentication was not performed by using TACACS Note Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured Beginning in privileged EXEC mode follow these steps to specify TACACS authori...

Page 171: ...unting for each Cisco IOS privilege level and for network services To disable accounting use the no aaa accounting network exec start stop method1 global configuration command Displaying the TACACS Configuration To display TACACS server statistics use the show tacacs privileged EXEC command Step 5 show running config Verify your entries Step 6 copy running config startup config Optional Save your ...

Page 172: ...nments that require access security Networks with multiple vendor access servers each supporting RADIUS For example access servers from several vendors use a single RADIUS server based security database In an IP based network with multiple vendors access servers dial in users are authenticated through a RADIUS server that has been customized to work with the Kerberos security system Turnkey networ...

Page 173: ...server these events occur 1 The user is prompted to enter a username and password 2 The username and encrypted password are sent over the network to the RADIUS server 3 The user receives one of these responses from the RADIUS server a ACCEPT The user is authenticated b REJECT The user is either not authenticated and is prompted to re enter the username and password or access is denied c CHALLENGE ...

Page 174: ...d in the list This process continues until there is successful communication with a listed method or the method list is exhausted You should have access to and should configure a RADIUS server before configuring RADIUS features on your switch This section contains this configuration information Default RADIUS Configuration page 8 20 Identifying the RADIUS Server Host page 8 21 required Configuring...

Page 175: ... services The RADIUS host entries are tried in the order that they are configured A RADIUS server and the switch use a shared secret text string to encrypt passwords and exchange responses To configure RADIUS to use the AAA security commands you must specify the host running the RADIUS server daemon and a secret text key string that it shares with the switch The timeout retransmission and encrypti...

Page 176: ...y the number of times a RADIUS request is resent to a server if that server is not responding or responding slowly The range is 1 to 1000 If no retransmit value is set with the radius server host command the setting of the radius server retransmit global configuration command is used Optional For key string specify the authentication and encryption key used between the switch and the RADIUS daemon...

Page 177: ...hods and then apply that list to various ports The method list defines the types of authentication to be performed and the sequence in which they are performed it must be applied to a specific port before any of the defined authentication methods are performed The only exception is the default method list which by coincidence is named default The default method list is automatically applied to all...

Page 178: ...ror not if it fails Select one of these methods enable Use the enable password for authentication Before you can use this authentication method you must define an enable password by using the enable password global configuration command group radius Use RADIUS authentication Before you can use this authentication method you must configure the RADIUS server For more information see the Identifying ...

Page 179: ...each entry has a unique identifier the combination of the IP address and UDP port number allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service If you configure two different host entries on the same RADIUS server for the same service for example accounting the second configured host entry acts as a fail over backup to the first one You use the server ...

Page 180: ... value is set with the radius server host command the setting of the radius server retransmit global configuration command is used Optional For key string specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server Note The key is a text string that must match the encryption key used on the RADIUS server Always configure the key as the l...

Page 181: ... server radius group2 Switch config sg radius server 172 20 0 1 auth port 2000 acct port 2001 Switch config sg radius exit Configuring RADIUS Authorization for User Privileged Access and Network Services AAA authorization limits the services available to a user When AAA authorization is enabled the switch uses information retrieved from the user s profile which is in the local user database or on ...

Page 182: ...o aaa accounting network exec start stop method1 global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 aaa authorization network radius Configure the switch for user RADIUS authorization for all network related service requests Step 3 aaa authorization exec radius Configure the switch for user RADIUS authorization if the user has privileged E...

Page 183: ...co TACACS specification and sep is for mandatory attributes and is for optional attributes The full set of features available for TACACS authorization can then be used for RADIUS Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 radius server key string Specify the shared secret text string used between the switch and all RADIUS servers Note The key is a text string ...

Page 184: ...vpair ip outacl 2 deny ip 10 10 10 10 0 0 255 255 any Other vendors have their own unique vendor IDs options and associated VSAs For more information about vendor IDs and VSAs refer to RFC 2138 Remote Authentication Dial In User Service RADIUS Beginning in privileged EXEC mode follow these steps to configure the switch to recognize and use VSAs For a complete list of RADIUS attributes or more info...

Page 185: ...l configuration command This example shows how to specify a vendor proprietary RADIUS host and to use a secret key of rad124 between the switch and the server Switch config radius server host 172 20 30 15 nonstandard Switch config radius server key rad124 Displaying the RADIUS Configuration To display the RADIUS configuration use the show running config privileged EXEC command Command Purpose Step...

Page 186: ...os121 121cgcr secur_r srprt2 srdkerb htm Note In the Kerberos configuration examples and in the Cisco IOS Security Command Reference Release 12 1 the trusted third party can be a Catalyst 3560 switch that supports Kerberos that is configured as a network security server and that can authenticate users by using the Kerberos protocol Understanding Kerberos Kerberos is a secret key network authentica...

Page 187: ...als have a default lifespan of eight hours Instance An authorization level label for Kerberos principals Most Kerberos principals are of the form user REALM for example smith EXAMPLE COM A Kerberos principal with a Kerberos instance has the form user instance REALM for example smith admin EXAMPLE COM The Kerberos instance can be used to specify the authorization level for the user if authenticatio...

Page 188: ...eros versions the network service authenticates an encrypted service credential by using the KEYTAB to decrypt it In Kerberos versions earlier than Kerberos 5 KEYTAB is referred to as SRVTAB4 Principal Also known as a Kerberos identity this is who you are or what a service is according to the Kerberos server Note The Kerberos principal name must be in all lowercase characters Service credential A ...

Page 189: ...icate directly to the KDC before getting access to the network services The user must authenticate to the KDC because the TGT that the KDC issues is stored on the switch and cannot be used for additional authentication until the user logs on to the switch Obtaining a TGT from a KDC This section describes the second layer of security through which a remote user must pass The user must now authentic...

Page 190: ...system follow these steps Configure the KDC by using Kerberos commands Configure the switch to use the Kerberos protocol For instructions refer to the Kerberos Configuration Task List section in the Security Server Protocols chapter of the Cisco IOS Security Configuration Guide Release 12 1 at this URL http www cisco com univercd cc td doc product software ios121 121cgcr secur_c scprt2 scdkerb htm...

Page 191: ...e ios122 122cgcr fsecur_c fothersf scfssh htm Note For complete syntax and usage information for the commands used in this section refer to the command reference for this release and the command reference for Cisco IOS Release 12 2 at this URL http www cisco com univercd cc td doc product software ios122 122cgcr index htm Step 6 username name privilege level password encryption type password Enter...

Page 192: ...ks with the SSH server supported in this release and with non Cisco SSH servers The switch supports an SSHv1 or an SSHv2 server The switch supports an SSHv1 client SSH supports the Data Encryption Standard DES encryption algorithm the Triple DES 3DES encryption algorithm and password based user authentication SSH also supports these user authentication methods TACACS for more information see the C...

Page 193: ...ar If it does you must configure an IP domain name by using the ip domain name global configuration command When configuring the local authentication and authorization authentication method make sure that AAA is disabled on the console Setting Up the Switch to Run SSH Follow these steps to set up your switch to run SSH 1 Download the cryptographic software image from Cisco com This step is require...

Page 194: ...d Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip ssh version 1 2 Optional Configure the switch to run SSH version 1 or SSH version 2 1 Configure the switch to run SSH version 1 2 Configure the switch to run SSH version 2 If you do not enter this command or do not specify a keyword the SSH server selects the latest SSH version supported by the SSH client For example if ...

Page 195: ...mands section in the Other Security Features chapter of the Cisco IOS Security Command Reference Cisco IOS Release 12 2 at this URL http www cisco com univercd cc td doc product software ios122 122cgcr fsecur_r fothercr srfssh htm Step 5 show ip ssh or show ssh Show the version and configuration information for your SSH server Show the status of the SSH server connections on the switch Step 6 copy...

Page 196: ...8 42 Catalyst 3560 Switch Software Configuration Guide 78 16156 01 Chapter 8 Configuring Switch Based Authentication Configuring the Switch for Secure Shell ...

Page 197: ... access control and authentication protocol that restricts unauthorized clients from connecting to a LAN through publicly accessible ports The authentication server authenticates each client connected to a switch port before making available any services offered by the switch or the LAN Until the client is authenticated 802 1X access control allows only Extensible Authentication Protocol over LAN ...

Page 198: ... Secure Access Control Server version 3 0 or later RADIUS operates in a client server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients Switch edge switch or wireless access point controls the physical access to the network based on the authentication status of the client The switch acts as an intermediary proxy between the clien...

Page 199: ... from the client are dropped If the client does not receive an EAP request identity frame after three attempts to start authentication the client sends frames as if the port is in the authorized state A port in the authorized state effectively means that the client has been successfully authenticated For more information see the Ports in Authorized and Unauthorized States section on page 9 4 When ...

Page 200: ...ives normal traffic without 802 1X based authentication of the client This is the default setting force unauthorized causes the port to remain in the unauthorized state ignoring all attempts by the client to authenticate The switch cannot provide authentication services to the client through the port auto enables 802 1X authentication and causes the port to begin in the unauthorized state allowing...

Page 201: ...u also must configure port security on the port by using the switchport port security interface configuration command When you enable port security and 802 1X on a port 802 1X authenticates the port and port security manages network access for all MAC addresses including that of the client You can then limit the number or group of clients that can access the network through an 802 1X port These ar...

Page 202: ...ch through the IP phone The PVID is the native VLAN of the port Each port that you configure for a voice VLAN is associated with a PVID and a VVID This configuration allows voice traffic and data traffic to be separated onto different VLANs The IP phone uses the VVID for its voice traffic regardless of the authorized or unauthorized state of the port This allows the phone to work independently of ...

Page 203: ...n a port the port is placed in RADIUS server assigned VLAN If 802 1X is disabled on the port it is returned to the configured access VLAN When the port is in the force authorized force unauthorized unauthorized or shutdown state it is put into the configured access VLAN If an 802 1X port is authenticated and put in the RADIUS server assigned VLAN any change to the port access VLAN configuration do...

Page 204: ...urs The switch does not save RADIUS specified ACLs in the running configuration When the port is unauthorized the switch removes the ACL from the port You can configure router ACLs and input port ACLs on the same Catalyst 3560 switch However a port ACL takes precedence over a router ACL If you apply input port ACL to an interface that belongs to a VLAN the port ACL takes precedence over an input r...

Page 205: ...face configuration from the RADIUS server Enable 802 1X Configure the user profile and VSAs on the RADIUS server Configure the 802 1X port for single host mode Configuring 802 1X Authentication These sections describe how to configure 802 1X port based authentication on your switch Default 802 1X Configuration page 9 10 802 1X Configuration Guidelines page 9 11 Configuring 802 1X Authentication pa...

Page 206: ... seconds number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client Retransmission time 30 seconds number of seconds that the switch should wait for a response to an EAP request identity frame from the client before resending the request Maximum retransmission number 2 times number of times that the switch will send an EAP request identi...

Page 207: ...yzer SPAN and Remote SPAN RSPAN destination ports You can enable 802 1X on a port that is a SPAN or RSPAN destination port However 802 1X is disabled until the port is removed as a SPAN or RSPAN destination port You can enable 802 1X on a SPAN or RSPAN source port You can configure any VLAN except an RSPAN VLAN or a voice VLAN as an 802 1X guest VLAN The guest VLAN feature is not supported on trun...

Page 208: ...2 1X authentication method list To create a default list that is used when a named list is not specified in the authentication command use the default keyword followed by the methods that are to be used in default situations The default method list is automatically applied to all ports Enter at least one of these keywords group radius Use the list of all RADIUS servers for authentication none Use ...

Page 209: ... and encryption key values for all RADIUS servers by using the radius server host global configuration command If you want to configure these options on a per server basis use the radius server timeout radius server retransmit and the radius server key global configuration commands For more information see the Configuring Settings for All RADIUS Servers section on page 8 29 Command Purpose Step 1 ...

Page 210: ...ber of seconds between re authentication attempts to 4000 Switch config if dot1x reauthentication Switch config if dot1x timeout reauth period 4000 Manually Re Authenticating a Client Connected to a Port You can manually re authenticate the client connected to a specific port at any time by entering the dot1x re authenticate interface interface id privileged EXEC command This step is optional If y...

Page 211: ... then resends the frame Note You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers Beginning in privileged EXEC mode follow these steps to change the amount of time that the switch waits for client notification This procedure is optional Command Purpose St...

Page 212: ... privileged EXEC mode follow these steps to set the switch to client frame retransmission number This procedure is optional To return to the default retransmission number use the no dot1x max req interface configuration command This example shows how to set 5 as the number of times that the switch sends an EAP request identity request before restarting the authentication process Switch config if d...

Page 213: ...work access for all MAC addresses including that of the client Beginning in privileged EXEC mode follow these steps to allow multiple hosts clients on an 802 1X authorized port that has the dot1x port control interface configuration command set to auto This procedure is optional To disable multiple hosts on the port use the no dot1x host mode multi host interface configuration command This example...

Page 214: ...set the 802 1X configuration to the default values This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be configured and enter interface configuration mode For the supported port types see the 802 1X Configuration Guidelines section on page 9 11 Step 3 dot1x guest vlan vlan id Specify an active VLAN ...

Page 215: ...d To display 802 1X statistics for a specific port use the show dot1x statistics interface interface id privileged EXEC command To display the 802 1X administrative and operational status for the switch use the show dot1x all privileged EXEC command To display the 802 1X administrative and operational status for a specific port use the show dot1x interface interface id privileged EXEC command For ...

Page 216: ...9 20 Catalyst 3560 Switch Software Configuration Guide 78 16156 01 Chapter 9 Configuring 802 1X Port Based Authentication Displaying 802 1X Statistics and Status ...

Page 217: ...te For complete syntax and usage information for the commands used in this chapter refer to the switch command reference for this release and the online Cisco IOS Interface Command Reference for Release 12 1 Understanding Interface Types This section describes the different types of interfaces supported by the switch with references to chapters that contain more detailed information about configur...

Page 218: ...the VTP and VLAN configuration is saved in the switch running configuration and you can save it in the switch startup configuration file by entering the copy running config startup config privileged EXEC command Add ports to a VLAN by using the switchport interface configuration commands Identify the interface For a trunk port set trunk characteristics and if desired define the VLANs to which it c...

Page 219: ...raffic is sent with a VLAN tag Although by default a trunk port is a member of every VLAN known to the VTP you can limit VLAN membership by configuring an allowed list of VLANs for each trunk port The list of allowed VLANs does not affect any other port but the associated trunk port By default all possible VLANs VLAN ID 1 to 4094 are in the allowed list A trunk port can only become a member of a V...

Page 220: ...SVI is created for the default VLAN VLAN 1 to permit remote switch administration Additional SVIs must be explicitly configured SVIs provide IP host connectivity only to the system in Layer 3 mode you can configure routing across SVIs Although the switch supports a total or 1005 VLANs and SVIs the interrelationship between the number of SVIs and routed ports and the number of other features being ...

Page 221: ...the EtherChannel For Layer 3 interfaces you manually create the logical interface by using the interface port channel global configuration command Then you manually assign an interface to the EtherChannel by using the channel group interface configuration command For Layer 2 interfaces use the channel group interface configuration command to dynamically create the port channel logical interface Th...

Page 222: ...ceived from these ports is routed For more information see Chapter 30 Configuring IP Unicast Routing Chapter 32 Configuring IP Multicast Routing and Chapter 33 Configuring MSDP Fallback bridging forwards traffic that the switch does not route or traffic belonging to a nonroutable protocol such as DECnet Fallback bridging connects multiple VLANs into one bridge domain by bridging between two or mor...

Page 223: ...ter the configure terminal command at the privileged EXEC prompt Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config Step 2 Enter the interface global configuration command Identify the interface type and the number of the connector In this example Gigabit Ethernet port 1 is selected Switch config interface gigabitethernet0 1 Switch config if Note You ...

Page 224: ...astgigabitethernet 0 1 4 is a valid range the command interface range fastgigabitethernet 0 1 4 is not a valid range The interface range command only works with VLAN interfaces that have been configured with the interface vlan command The show running config privileged EXEC command displays the configured VLAN interfaces VLAN interfaces not displayed by the show running config command cannot be us...

Page 225: ...me commands might not be executed on all interfaces in the range Wait until the command prompt reappears before exiting interface range configuration mode Configuring and Using Interface Range Macros You can create an interface range macro to automatically select a range of interfaces for configuration Before you can use the macro keyword in the interface range macro global configuration command s...

Page 226: ...and displays the configured VLAN interfaces VLAN interfaces not displayed by the show running config command cannot be used as interface ranges All interfaces defined as in a range must be the same type all Fast Ethernet ports all Gigabit Ethernet ports all EtherChannel ports or all VLANs but you can combine multiple interface types in a macro This example shows how to define an interface range na...

Page 227: ...in Layer 3 mode you must enter the switchport interface configuration command without any parameters to put the interface into Layer 2 mode This shuts down the interface and then re enables it which might generate messages on the device to which the interface is connected Furthermore when you use this command to put the interface into Layer 2 mode you are deleting any Layer 3 characteristics confi...

Page 228: ...peed to not negotiate nonegotiate if connected to a device that does not support autonegotiation However when a 1000BASE T SFP module is in the SFP module port you can configure speed as 10 100 or 1000 Mbps or auto and you can configure duplex mode to auto or full These sections describe how to configure the interface speed and duplex mode Configuration Guidelines page 10 13 Setting the Interface ...

Page 229: ...te in full duplex mode However when a 1000BASE T SFP module is inserted in an SFP module port you can configure the duplex mode to full or auto and half duplex mode is supported with the auto configuration You cannot configure speed on SFP module ports except to nonegotiate However when a 1000BASE T SFP module is in the SFP module port the speed can be configured to 10 100 1000 or auto but not non...

Page 230: ... 3560 ports are capable of receiving but not sending pause frames You use the flowcontrol interface configuration command to set the interface s ability to receive pause frames to on off or desired The default state is off Step 3 speed 10 100 1000 auto nonegotiate Enter the appropriate speed parameter for the interface Enter 10 or 100 to set a specific speed for the interface The 1000 keyword is a...

Page 231: ...atic medium dependent interface crossover Auto MDIX is enabled on an interface the interface automatically detects the required cable connection type straight through or crossover and configures the connection appropriately When connecting switches without the Auto MDIX feature you must use straight through cables to connect to devices such as servers workstations or routers and crossover cables t...

Page 232: ...a maximum switch power output of 370 W A powered device can receive redundant power when it is connected to a PoE switch port and to an AC power source If a device being powered by the switch is then connected to wall power the switch might continue to power the device The switch continues to report that it is still powering the device whether the device is being powered by the switch or receiving...

Page 233: ... to a switch power is turned on to all devices If there is not enough available PoE or if a device is disconnected and reconnected while other devices are waiting for power which devices are granted or denied power cannot be predetermined After power is applied to an interface the switch uses Cisco Discovery Protocol CDP to determine the power requirement of the connected Cisco PoE standard and pr...

Page 234: ...C mode follow these steps to add a description for an interface Use the no description interface configuration command to delete the description This example shows how to add a description on a port and how to verify the description Switch config terminal Enter configuration commands one per line End with CNTL Z Switch config interface gigabitethernet0 2 Switch config if description Connects to Ma...

Page 235: ...y to create a new routed port the switch generates a message that there are not enough resources to convert the interface to a routed port and the interface remains as a switchport If you try to create an extended range VLAN an error message is generated and the extended range VLAN is rejected If the switch is notified by VLAN Trunking Protocol VTP of a new VLAN it sends a message that there are n...

Page 236: ...d by the system jumbo mtu command You cannot set the MTU size for an individual interface you set it for all 10 100 or all Gigabit Ethernet interfaces on the switch When you change the MTU size you must reset the switch before the new configuration takes effect The size of frames that can be received by the switch CPU is limited to 1500 bytes no matter what value was entered with the system mtu or...

Page 237: ... 1800 Switch config exit Switch reload This example shows the response when you try to set Gigabit Ethernet interfaces to an out of range number Switch config system mtu jumbo 2500 Invalid input detected at marker Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 system mtu bytes Optional Change the MTU size for all interfaces on the switch that are operating at 10 o...

Page 238: ...aces Command Purpose show interfaces interface id Display the status and configuration of all interfaces or a specific interface show interfaces interface id status err disabled Display interface status or a list of interfaces in an error disabled state show interfaces interface id switchport Display administrative and operational status of switching nonrouting ports You can use this command to fi...

Page 239: ...rks the interface as unavailable on all monitoring command displays This information is communicated to other network servers through all dynamic routing protocols The interface is not mentioned in any routing updates Beginning in privileged EXEC mode follow these steps to shut down an interface Use the no shutdown interface configuration command to restart the interface To verify that an interfac...

Page 240: ...10 24 Catalyst 3560 Switch Software Configuration Guide 78 16156 01 Chapter 10 Configuring Interface Characteristics Monitoring and Maintaining the Interfaces ...

Page 241: ...Port Macros SmartPort macros provide a convenient way to save and share common configurations You can use SmartPort macros to enable features and settings based on the location of a switch in the network and for mass configuration deployments across the network Each SmartPort macro is a set of CLI commands that you define SmartPort macros do not contain new CLI commands they are simply a group of ...

Page 242: ...erface types The macro will fail the syntax check or the configuration check and the switch will return an error message if it is applied to an interface that does not accept the configuration When a macro is applied to an interface all existing configuration on the interface is retained This is helpful when applying an incremental configuration to an interface If you modify a macro definition by ...

Page 243: ...cters Enter the macro commands with one command per line Use the character to end the macro Use the character at the beginning of a line to enter comment text within the macro We recommend that you do not use the exit or end commands in a macro This could cause any commands following exit or end to execute in a different command mode For best results all commands in a macro should be interface con...

Page 244: ...onfig if end Switch show parser macro name desktop config Macro name desktop config Macro type customizable macro description desktop config Put the switch in access mode switchport mode access Allow port to move to forwarding state quickly spanning tree portfast BPDUs should not be sent into the network spanning tree bpduguard enable Restrict the port to one address that of desktop switchport por...

Page 245: ...etwork that is logically segmented by function project team or application without regard to the physical locations of the users VLANs have the same attributes as physical LANs but you can group end stations even if they are not physically located on the same LAN segment Any switch port can belong to a VLAN and unicast broadcast and multicast packets are forwarded and flooded only to end stations ...

Page 246: ...ute traffic between VLANs by using switch virtual interfaces SVIs An SVI must be explicitly configured and assigned an IP address to route traffic between VLANs For more information see the Switch Virtual Interfaces section on page 10 4 and the Configuring Layer 3 Interfaces section on page 10 19 Note If you plan to configure many VLANs on the switch and to not enable routing you can use the sdm p...

Page 247: ...ure a port to belong to a VLAN by assigning a membership mode that determines the kind of traffic the port carries and the number of VLANs to which it can belong Table 12 1 lists the membership modes and membership and VTP characteristics Table 12 1 Port Membership Modes Membership Mode VLAN Membership Characteristics VTP Characteristics Static access A static access port can belong to one VLAN an...

Page 248: ... in the command reference for this release To change the VTP configuration see Chapter 13 Configuring VTP You use the interface configuration mode to define the port membership mode and to add and remove ports from VLANs The results of these commands are written to the running configuration file and you can display the file by entering the show running config privileged EXEC command Dynamic access...

Page 249: ...arameters For complete information on the commands and parameters that control VLAN configuration refer to the command reference for this release This section includes information about these topics about normal range VLANs Token Ring VLANs page 12 5 Normal Range VLAN Configuration Guidelines page 12 6 VLAN Configuration Mode Options page 12 6 Saving VLAN Configuration page 12 7 Default Ethernet V...

Page 250: ...h has more active VLANs than supported spanning tree instances spanning tree can be enabled on 128 VLANs and is disabled on the remaining VLANs If you have already used all available spanning tree instances on a switch adding another VLAN anywhere in the VTP domain creates a VLAN on that switch that is not running spanning tree If you have the default allowed list on the trunk ports of that switch...

Page 251: ...ly or exit for the configuration to take effect When you enter the exit command it applies all commands and updates the VLAN database VTP messages are sent to other switches in the VTP domain and the privileged EXEC mode prompt appears Saving VLAN Configuration The configurations of VLAN IDs 1 to 1005 are always saved in the VLAN database vlan dat file If VTP mode is transparent they are also save...

Page 252: ...dded to the VLAN database assign a number and name to the VLAN Note When the switch is in VTP transparent mode you can assign VLAN IDs greater than 1006 but they are not added to the VLAN database See the Configuring Extended Range VLANs section on page 12 12 For the list of default parameters that are assigned when you add a VLAN see the Configuring Normal Range VLANs section on page 12 4 Table 1...

Page 253: ... a new VLAN ID to create a VLAN or enter an existing VLAN ID to modify a VLAN Note The available VLAN ID range for this command is 1 to 4094 For information about adding VLAN IDs greater than 1005 extended range VLANs see the Configuring Extended Range VLANs section on page 12 12 Step 3 name vlan name Optional Enter a name for the VLAN If no name is entered for the VLAN the default is to append th...

Page 254: ...any ports assigned to that VLAN become inactive They remain associated with the VLAN and thus inactive until you assign them to a new VLAN Command Purpose Step 1 vlan database Enter VLAN database configuration mode Step 2 vlan vlan id name vlan name Add an Ethernet VLAN by assigning a number to it The range is 1 to 1001 You can create or modify a range of consecutive VLANs by entering vlan first v...

Page 255: ...a VLAN in the VLAN database Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 no vlan vlan id Remove the VLAN by entering the VLAN ID Step 3 end Return to privileged EXEC mode Step 4 show vlan brief Verify the VLAN removal Step 5 copy running config startup config Optional If the switch is in VTP transparent mode the VLAN configuration is saved in the running configu...

Page 256: ...an id global configuration command to configure extended range VLANs The extended range is not supported in VLAN database configuration mode accessed by entering the vlan database privileged EXEC command Extended range VLAN configurations are not stored in the VLAN database but because VTP mode is transparent they are stored in the switch running configuration file and you can save the configurati...

Page 257: ...er of VLANs on the switch exceeds the maximum number of spanning tree instances we recommend that you configure the IEEE 802 1S Multiple STP MSTP on your switch to map multiple VLANs to a single STP instance For more information about MSTP see Chapter 16 Configuring MSTP Each routed port on the switch creates an internal VLAN for its use These internal VLANs use extended range VLAN numbers and the...

Page 258: ...N with an Internal VLAN ID section on page 12 15 before creating the extended range VLAN Beginning in privileged EXEC mode follow these steps to create an extended range VLAN To delete an extended range VLAN use the no vlan vlan id global configuration command The procedure for assigning static access ports to an extended range VLAN is the same as for normal range VLANs See the Assigning Static Ac...

Page 259: ...n internal VLAN the display shows the routed port that is using the VLAN ID Enter that port number in Step 3 Step 2 configure terminal Enter global configuration mode Step 3 interface interface id Enter the interface ID for the routed port that is using the VLAN ID Step 4 shutdown Shut down the port to free the internal VLAN ID Step 5 exit Return to global configuration mode Step 6 vtp mode transp...

Page 260: ...nk Port page 12 19 Configuring Trunk Ports for Load Sharing page 12 24 Trunking Overview A trunk is a point to point link between one or more Ethernet switch interfaces and another networking device such as a router or a switch Ethernet trunks carry the traffic of multiple VLANs over a single link and you can extend the VLANs across an entire network Two trunking encapsulations are available on al...

Page 261: ...g To enable trunking to a device that does not support DTP use the switchport mode trunk and switchport nonegotiate interface configuration commands to cause the interface to become a trunk but to not generate DTP frames Use the switchport trunk encapsulation isl or switchport trunk encapsulation dot1q interface to select the encapsulation type on the trunk port You can also specify on DTP interfa...

Page 262: ...isco switches separated by a cloud of non Cisco 802 1Q switches The non Cisco 802 1Q cloud separating the Cisco switches is treated as a single trunk link between the switches switchport mode dynamic desirable Makes the interface actively attempt to convert the link to a trunk link The interface becomes a trunk interface if the neighboring interface is set to trunk desirable or auto mode switchpor...

Page 263: ...second switch Otherwise the switch cannot receive any VTP advertisements This section includes these procedures for configuring an Ethernet interface as a trunk port on the switch Interaction with Other Features page 12 20 Defining the Allowed VLANs on a Trunk page 12 21 Changing the Pruning Eligible List page 12 22 Configuring the Native VLAN for Untagged Traffic page 12 23 Note By default an int...

Page 264: ...s and 802 1X is not enabled If you try to change the mode of an 802 1X enabled port to dynamic the port mode is not changed Configuring a Trunk Port Beginning in privileged EXEC mode follow these steps to configure a port as an ISL or 802 1Q trunk port Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter the interface configuration mode and ...

Page 265: ...individual VLAN trunk link so that no user traffic including spanning tree advertisements is sent or received on VLAN 1 To reduce the risk of spanning tree loops or storms you can disable VLAN 1 on any individual VLAN trunk port by removing VLAN 1 from the allowed list When you remove VLAN 1 from a trunk port the interface continues to sent and receive management traffic for example Cisco Discover...

Page 266: ...al Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and the port to be configured Step 3 switchport mode trunk Configure the interface as a VLAN trunk port Step 4 switchport trunk allowed vlan add all except remove vlan list Optional Configure the list of VLANs allowed on the trunk For explanations about using the add all except and remove keywords r...

Page 267: ...fer to the command reference for this release Separate nonconsecutive VLAN IDs with a comma and no spaces use a hyphen to designate a range of IDs Valid IDs are from 2 to 1001 Extended range VLANs VLAN IDs 1006 to 4094 cannot be pruned VLANs that are pruning ineligible receive flooded traffic The default list of VLANs allowed to be pruned contains VLANs 2 to 1001 Step 4 end Return to privileged EX...

Page 268: ...e same switch form a loop the STP port priority setting determines which port is enabled and which port is in a blocking state You can set the priorities on a parallel trunk port so that the port carries all the traffic for a given VLAN The trunk port with the higher priority lower values for a VLAN is forwarding traffic for that VLAN The trunk port with the lower priority higher values for the sa...

Page 269: ... same encapsulation type Step 10 switchport mode trunk Configure the port as a trunk port Step 11 end Return to privileged EXEC mode Step 12 show interfaces gigabitethernet 0 1 switchport Verify the VLAN configuration Step 13 Repeat Steps 7 through 11 on Switch A for a second interface in the switch Step 14 Repeat Steps 7 through 11 on Switch B to configure the trunk ports that connect to the trun...

Page 270: ...hown in Figure 12 4 90573 Switch A Switch B Trunk port 1 VLANs 2 4 path cost 30 VLANs 8 10 path cost 19 Trunk port 2 VLANs 8 10 path cost 30 VLANs 2 4 path cost 19 Command Purpose Step 1 configure terminal Enter global configuration mode on Switch A Step 2 interface gigabitethernet0 1 Enter interface configuration mode and define the interface to be configured as a trunk Step 3 switchport trunk en...

Page 271: ...2 33 VMPS Configuration Example section on page 12 33 Understanding VMPS Each time the client switch receives the MAC address of a new host it sends a VQP query to the VMPS When the VMPS receives this query it searches its database for a MAC address to VLAN mapping The server response is based on this mapping and whether or not the server is in open or secure mode In secure mode the server shuts d...

Page 272: ...one VLAN with an ID from 1 to 4094 When the link comes up the switch does not forward traffic to or from this port until the VMPS provides the VLAN assignment The VMPS receives the source MAC address from the first packet of a new host connected to the dynamic access port and attempts to match the MAC address to a VLAN in the VMPS database If there is a match the VMPS sends the VLAN number for tha...

Page 273: ...not be dynamic access ports but you can enter the switchport access vlan dynamic interface configuration command for a trunk port In this case the switch retains the setting and applies it if the port is later configured as an access port You must turn off trunking on the port before the dynamic access setting takes effect Dynamic access ports cannot be monitor ports Secure ports cannot be dynamic...

Page 274: ...r switches can cause a loss of connectivity Beginning in privileged EXEC mode follow these steps to configure a dynamic access port on a VMPS client switch Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 vmps server ipaddress primary Enter the IP address of the switch acting as the primary VMPS server Step 3 vmps server ipaddress Optional Enter the IP address of th...

Page 275: ...econfirmation setting on the command switch You must also first use the rcommand privileged EXEC command to log into the member switch Beginning in privileged EXEC mode follow these steps to change the reconfirmation interval To return the switch to its default setting use the no vmps reconfirm global configuration command Step 6 show interfaces interface id switchport Verify your entries in the O...

Page 276: ...ts to query the secondary VMPS VMPS domain server the IP address of the configured VLAN membership policy servers The switch sends queries to the one marked current The one marked primary is the primary server VMPS Action the result of the most recent reconfirmation attempt A reconfirmation attempt can occur automatically when the reconfirmation interval expired or you can force it by entering the...

Page 277: ... a disabled dynamic access port enter the shutdown interface configuration command followed by the no shutdown interface configuration command VMPS Configuration Example Figure 12 5 shows a network with a VMPS server switch and VMPS client switches with dynamic access ports In this example these assumptions apply The VMPS server and the VMPS client are separate switches The Catalyst 6500 series Sw...

Page 278: ...series Secondary VMPS Server 3 172 20 26 150 172 20 26 151 Catalyst 6500 series switch A 172 20 26 152 Switch C Ethernet segment Trunk link 172 20 26 153 172 20 26 154 172 20 26 155 172 20 26 156 172 20 26 157 172 20 26 158 172 20 26 159 Client switch I Client switch B End station 2 End station 1 TFTP server Dynamic access port Dynamic access port Switch J Switch D Switch E Switch F Switch G Switc...

Page 279: ...figuration changes centrally on one or more switches and have those changes automatically communicated to all the other switches in the network Without VTP you cannot send information about VLANs to other switches VTP is designed to work in an environment where updates are made on a single switch and are sent through VTP to other switches in the domain It does not work well in a situation where mu...

Page 280: ...ion number Caution Before adding a VTP client switch to a VTP domain always verify that its VTP configuration revision number is lower than the configuration revision number of the other switches in the VTP domain Switches in a VTP domain always use the VLAN configuration of the switch with the highest VTP configuration revision number If you add a switch that has a revision number higher than the...

Page 281: ...figurations to other switches in the same VTP domain and synchronize their VLAN configurations with other switches based on advertisements received over trunk links In VTP server mode VLAN configurations are saved in nonvolatile RAM NVRAM VTP server is the default mode VTP client A VTP client behaves like a VTP server and transmits and receives VTP updates on its trunks but you cannot create chang...

Page 282: ...d domain name Consistency Checks In VTP version 2 VLAN consistency checks such as VLAN names and values are performed only when you enter new information through the CLI the Cluster Management Software CMS or SNMP Consistency checks are not performed when new information is obtained from a VTP message or when information is read from NVRAM If the MD5 digest on a received VTP message is correct its...

Page 283: ...n Making VLANs pruning eligible or pruning ineligible affects pruning eligibility for those VLANs on that trunk only not on all switches in the VTP domain See the Enabling VTP Pruning section on page 13 13 VTP pruning takes effect several seconds after you enable it VTP pruning does not prune traffic from VLANs that are pruning ineligible VLAN 1 and VLANs 1002 to 1005 are always pruning ineligible...

Page 284: ...pruning eligibility whether or not VTP pruning is enabled for the VTP domain whether or not any given VLAN exists and whether or not the interface is currently trunking Configuring VTP This section includes guidelines and procedures for configuring VTP These sections are included Default VTP Configuration page 13 6 VTP Configuration Options page 13 7 VTP Configuration Guidelines page 13 8 Configur...

Page 285: ...witch startup configuration file and reboot the switch the switch configuration is determined as follows If the VTP mode is transparent in the startup configuration and the VLAN database and the VTP domain name from the VLAN database matches that in the startup configuration file the VLAN database is ignored cleared and the VTP and VLAN configurations in the startup configuration file are used The...

Page 286: ...igure at least one switch in the VTP domain for VTP server mode Passwords You can configure a password for the VTP domain but it is not required If you do configure a domain password all domain switches must share the same password and you must configure the password on each switch in the management domain Switches without a password or with the wrong password reject VTP advertisements If you conf...

Page 287: ...n send and receive VTP advertisements to and from other switches in the domain For more information see the Configuring VLAN Trunks section on page 12 16 If you are configuring VTP on a cluster member switch to a VLAN use the rcommand privileged EXEC command to log into the member switch For more information about the command refer to the command reference for this release If you are configuring e...

Page 288: ...password for the VTP domain The password can be from 8 to 64 characters If you configure a VTP password the VTP domain does not function properly if you do not assign the same password to each switch in the domain Step 5 end Return to privileged EXEC mode Step 6 show vtp status Verify your entries in the VTP Operating Mode and the VTP Domain Name fields of the display Command Purpose Command Purpo...

Page 289: ... that domain Therefore make sure you configure at least one switch as a VTP server Beginning in privileged EXEC mode follow these steps to configure the switch as a VTP client Use the no vtp mode global configuration command to return the switch to VTP server mode To return the switch to a no password state use the no vtp password privileged EXEC command When you configure a domain name it cannot ...

Page 290: ...so that the switch boots up in VTP transparent mode Otherwise you lose the extended range VLAN configuration if the switch resets and boots up in VTP server mode the default Beginning in privileged EXEC mode follow these steps to configure VTP transparent mode and save the VTP configuration in the switch startup configuration file To return the switch to VTP server mode use the no vtp mode global ...

Page 291: ...nction properly For Token Ring and Token Ring Net media VTP version 2 must be disabled For more information on VTP version configuration guidelines see the VTP Version section on page 13 9 Beginning in privileged EXEC mode follow these steps to enable VTP version 2 To disable VTP version 2 use the no vtp version global configuration command Note You can also enable VTP version 2 by using the vlan ...

Page 292: ...VTP client to a VTP domain always verify that its VTP configuration revision number is lower than the configuration revision number of the other switches in the VTP domain Switches in a VTP domain always use the VLAN configuration of the switch with the highest VTP configuration revision number If you add a switch that has a revision number higher than the revision number in the VTP domain it can ...

Page 293: ... can also display statistics about the advertisements sent and received by the switch Table 13 3 shows the privileged EXEC commands for monitoring VTP activity Step 3 vtp domain domain name Change the domain name from the original one displayed in Step 1 to a new name Step 4 end The VLAN information on the switch is updated and the configuration revision number is reset to 0 You return to privileg...

Page 294: ...13 16 Catalyst 3560 Switch Software Configuration Guide 78 16156 01 Chapter 13 Configuring VTP Monitoring VTP ...

Page 295: ...Layer 2 class of service CoS values which are both set to 5 by default Because the sound quality of an IP phone call can deteriorate if the data is unevenly sent the switch supports quality of service QoS based on IEEE 802 1P CoS QoS uses classification and scheduling to send network traffic from the switch in a predictable manner For more information on QoS see Chapter 28 Configuring QoS The Cisc...

Page 296: ...alue the default is 5 for voice traffic and 3 for voice control traffic Cisco IP Phone Data Traffic The switch can also process tagged data traffic traffic in 802 1Q or 802 1P frame types from the device attached to the access port on the Cisco IP Phone see Figure 14 1 You can configure Layer 2 access ports on the switch to send CDP packets that instruct the attached Cisco IP Phone to configure th...

Page 297: ...af compliant powered devices if they are not being powered by an AC power source For information about PoE interfaces see the Configuring Power over Ethernet on an Interface section on page 10 16 Before you enable voice VLAN we recommend that you enable QoS on the switch by entering the mls qos global configuration command and configure the port trust state to trust by entering the mls qos trust c...

Page 298: ... learned on the voice VLAN and might also be learned on the access VLAN Connecting a PC to the IP phone requires additional MAC addresses Configuring a Port Connected to a Cisco 7960 IP Phone Because a Cisco 7960 IP Phone also supports a connection to a PC or other device a port connecting the switch to a Cisco IP Phone can carry mixed traffic You can configure a port to determine how the IP phone...

Page 299: ... of frames arriving on the IP phone port from connected devices Step 3 mls qos trust cos Configure the interface to classify ingress traffic packets by using the packet CoS value For untagged packets the port default CoS value is used Note Before configuring the port trust state you must first globally enable QoS by using the mls qos global configuration command Step 4 switchport voice vlan vlan i...

Page 300: ...ice VLAN configuration for an interface use the show interfaces interface id switchport privileged EXEC command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify the interface connected to the IP phone Step 3 switchport priority extend cos value trust Set the priority of data traffic received from ...

Page 301: ...er 17 Configuring Optional Spanning Tree Features Note For complete syntax and usage information for the commands used in this chapter refer to the command reference for this release This chapter consists of these sections Understanding Spanning Tree Features page 15 1 Configuring Spanning Tree Features page 15 11 Displaying the Spanning Tree Status page 15 22 Understanding Spanning Tree Features ...

Page 302: ...by assigning a role to each port based on the role of the port in the active topology Root A forwarding port elected for the spanning tree topology Designated A forwarding port elected for every switched LAN segment Alternate A blocked port providing an alternate path to the root port in the spanning tree Backup A blocked port in a loopback configuration Switches that have ports with these assigne...

Page 303: ...nfiguration BPDU that contains inferior information to that currently stored for that port it discards the BPDU If the switch is a designated switch for the LAN from which the inferior BPDU was received it sends that LAN a BPDU containing the up to date information stored for that port In this way inferior information is discarded and superior information is propagated on the network A BPDU exchan...

Page 304: ...l be elected as the root switch Configuring a higher value decreases the probability a lower value increases the probability For more information see the Configuring the Root Switch section on page 15 14 the Configuring a Secondary Root Switch section on page 15 16 and the Configuring the Switch Priority of a VLAN section on page 15 19 Spanning Tree Interface States Propagation delays can occur wh...

Page 305: ...ing tree stabilizes each interface at the forwarding or blocking state When the spanning tree algorithm places a Layer 2 interface in the forwarding state this process occurs 1 The interface is in the listening state while spanning tree waits for protocol information to transition the interface to the blocking state 2 While spanning tree waits the forward delay timer to expire it moves the interfa...

Page 306: ...state is the first state a Layer 2 interface enters after the blocking state The interface enters this state when the spanning tree determines that the interface should participate in frame forwarding An interface in the listening state performs these functions Discards frames received on the interface Discards frames switched from another interface for forwarding Does not learn addresses Receives...

Page 307: ...g interfaces or link types Switch A might not be the ideal root switch By increasing the priority lowering the numerical value of the ideal switch so that it becomes the root switch you force a spanning tree recalculation to form a new topology with the ideal switch as the root Figure 15 2 Spanning Tree Topology When the spanning tree topology is calculated based on default parameters the path bet...

Page 308: ...0010 to be used by different bridge protocols These addresses are static addresses that cannot be removed Regardless of the spanning tree state each switch receives but does not forward packets destined for addresses between 0x0180C2000000 and 0x0180C200000F If spanning tree is enabled the CPU on the switch receives packets destined for 0x0180C2000000 and 0x0180C2000010 If spanning tree is disable...

Page 309: ...ergence the rapid PVST immediately deletes dynamically learned MAC address entries on a per port basis upon receiving a topology change By contrast PVST uses a short aging time for dynamically learned MAC address entries The rapid PVST uses the same configuration as PVST except where noted and the switch needs only minimal extra configuration The benefit of rapid PVST is that you can migrate a lar...

Page 310: ...d on the trunks However in a network of Cisco switches connected through 802 1Q trunks the switches maintain one spanning tree instance for each VLAN allowed on the trunks When you connect a Cisco switch to a non Cisco device through an 802 1Q trunk the Cisco switch uses PVST to provide spanning tree interoperability If rapid PVST is enabled the switch uses it instead of PVST The switch combines t...

Page 311: ...ormation see Chapter 34 Configuring Fallback Bridging Configuring Spanning Tree Features These sections describe how to configure spanning tree features Default Spanning Tree Configuration page 15 11 Spanning Tree Configuration Guidelines page 15 12 Changing the Spanning Tree Mode page 15 13 required Disabling Spanning Tree page 15 14 optional Configuring the Root Switch page 15 14 optional Config...

Page 312: ...ssary to run spanning tree on all switches in the VLAN However if you are running spanning tree only on a minimal set of switches an incautious change to the network that introduces another loop into the VLAN can result in a broadcast storm Note If you have already used all available spanning tree instances on your switch adding another VLAN anywhere in the VTP domain creates a VLAN that is not ru...

Page 313: ...e a mode that is different from the default mode this procedure is required Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree mode pvst mst rapid pvst Configure a spanning tree mode Select pvst to enable PVST the default setting Select mst to enable MSTP and RSTP For more configuration steps see Chapter 16 Configuring MSTP Select rapid pvst to enable ra...

Page 314: ...r each active VLAN configured on it A bridge ID consisting of the switch priority and the switch MAC address is associated with each instance For each VLAN the switch with the lowest bridge ID becomes the root switch for that VLAN To configure a switch to become the root for the specified VLAN use the spanning tree vlan vlan id root global configuration command to modify the switch priority from t...

Page 315: ...twork diameter the switch automatically sets an optimal hello time forward delay time and maximum age time for a network of that diameter which can significantly reduce the convergence time You can use the hello keyword to override the automatically calculated hello time Note After configuring the switch as the root switch we recommend that you avoid manually configuring the hello time forward del...

Page 316: ...e default setting use the no spanning tree vlan vlan id root global configuration command Step 4 show spanning tree detail Verify your entries Step 5 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree vlan vlan id root secondary diameter net diameter h...

Page 317: ...n mode Step 2 interface interface id Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports and port channel logical interfaces port channel port channel number Step 3 spanning tree port priority priority Configure the port priority for an interface For priority the range is 0 to 240 in increments of 16 the default is 128 Valid values are 0...

Page 318: ...de Step 2 interface interface id Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports and port channel logical interfaces port channel port channel number Step 3 spanning tree cost cost Configure the cost for an interface If a loop occurs spanning tree uses the path cost when selecting an interface to place into the forwarding state A low...

Page 319: ...vlan vlan id root secondary global configuration commands to modify the switch priority Beginning in privileged EXEC mode follow these steps to configure the switch priority of a VLAN This procedure is optional To return to the default setting use the no spanning tree vlan vlan id priority global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2...

Page 320: ...ion command Table 15 4 Spanning Tree Timers Variable Description Hello timer Controls how often the switch broadcasts hello messages to other switches Forward delay timer Controls how long each of the listening and learning states last before the interface begins forwarding Maximum age timer Controls the amount of time the switch stores protocol information received on an interface Command Purpose...

Page 321: ...states to the forwarding state For vlan id you can specify a single VLAN identified by VLAN ID number a range of VLANs separated by a hyphen or a series of VLANs separated by a comma The range is 1 to 4094 For seconds the range is 4 to 30 the default is 15 Step 3 end Return to privileged EXEC mode Step 4 show spanning tree vlan vlan id Verify your entries Step 5 copy running config startup config ...

Page 322: ...ation about other keywords for the show spanning tree privileged EXEC command refer to the command reference for this release Table 15 5 Commands for Displaying Spanning Tree Status Command Purpose show spanning tree active Displays spanning tree information on active interfaces only show spanning tree detail Displays a detailed summary of interface information show spanning tree interface interfa...

Page 323: ...TP which is based on IEEE 802 1W is automatically enabled The RSTP provides rapid convergence of the spanning tree through explicit handshaking that eliminates the IEEE 802 1D forwarding delay and quickly transitions root ports and designated ports to the forwarding state Both MSTP and RSTP improve the spanning tree operation and maintain backward compatibility with equipment that is based on the ...

Page 324: ...e the switches with the same MST configuration information A collection of interconnected switches that have the same MST configuration comprises an MST region as shown in Figure 16 1 on page 16 4 The MST configuration controls to which MST region each switch belongs The configuration includes the name of the region the revision number and the MST VLAN to instance assignment map You configure the ...

Page 325: ...ched domain The CIST is formed as a result of the spanning tree algorithm running between switches that support the 802 1W 802 1S and 802 1D protocols The CIST inside an MST region is the same as the CST outside a region For more information see the Operations Within an MST Region section on page 16 3 and the Operations Between MST Regions section on page 16 4 Operations Within an MST Region The I...

Page 326: ...btrees within the CST The RSTP runs in all regions Figure 16 1 MST Regions IST Masters and the CST Root Figure 16 1 does not show additional MST instances for each region Note that the topology of MST instances can be different from that of the IST for the same region Only the CST instance sends and receives BPDUs and MST instances add their spanning tree information into the BPDUs to interact wit...

Page 327: ...figuration At the boundary the roles of the MST ports do not matter and their state is forced to be the same as the IST port state MST ports at the boundary are in the forwarding state only when the IST port is forwarding An IST port at the boundary can have any port role except a backup port role On a shared boundary link the MST ports wait in the blocking state for the forward delay time to expi...

Page 328: ... and the Active Topology page 16 6 Rapid Convergence page 16 7 Synchronization of Port Roles page 16 8 Bridge Protocol Data Unit Format and Processing page 16 9 For configuration information see the Configuring MSTP Features section on page 16 11 Port Roles and the Active Topology The RSTP provides rapid convergence of the spanning tree by assigning port roles and by learning the active topology T...

Page 329: ... root port and immediately transitions the new root port to the forwarding state Point to point links If you connect a port to another port through a point to point link and the local port becomes a designated port it negotiates a rapid transition with the other port by using the proposal agreement handshake to ensure a loop free topology As shown in Figure 16 2 Switch A is connected to Switch B t...

Page 330: ... port the RSTP forces all other ports to synchronize with the new root information The switch is synchronized with superior root information received on the root port if all other ports are synchronized An individual port on the switch is synchronized if That port is in the blocking state It is an edge port a port configured to be at the edge of the network If a designated port is in the forwardin...

Page 331: ...the proposal flag in the RSTP BPDU to propose itself as the designated switch on that LAN The port role in the proposal message is always set to the designated port The sending switch sets the agreement flag in the RSTP BPDU to accept the previous proposal The port role in the agreement message is always set to the root port 2 Block 9 Forward 1 Proposal 4 Agreement 6 Proposal Root port Designated ...

Page 332: ...xpires at which time the port transitions to the forwarding state Processing Inferior BPDU Information If a designated port receives an inferior BPDU higher bridge ID higher path cost and so forth than currently stored for the port with a designated port role it immediately replies with its own information Topology Changes This section describes the differences between the RSTP and the 802 1D in h...

Page 333: ...ion delay timer has expired it assumes that it is connected to an 802 1D switch and starts using only 802 1D BPDUs However if the RSTP switch is using 802 1D BPDUs on a port and receives an RSTP BPDU after the timer has expired it restarts the timer and starts using RSTP BPDUs on that port Configuring MSTP Features These sections describe how to configure basic MSTP features Default MSTP Configura...

Page 334: ...Ns run PVST all VLANs run rapid PVST or all VLANs run MSTP For more information see the Spanning Tree Interoperability and Backward Compatibility section on page 15 10 For information on the recommended trunk port configuration see the Interaction with Other Features section on page 12 20 VTP propagation of the MST configuration is not supported However you can manually configure the MST configura...

Page 335: ... of processing RSTP BPDUs There is no limit to the number of MST regions in a network but each region can support up to 16 spanning tree instances You can assign a VLAN to only one spanning tree instance at a time Beginning in privileged EXEC mode follow these steps to specify the MST region configuration and enable MSTP This procedure is required Command Purpose Step 1 configure terminal Enter gl...

Page 336: ... Configuring the Root Switch The switch maintains a spanning tree instance for the group of VLANs mapped to it A bridge ID consisting of the switch priority and the switch MAC address is associated with each instance For a group of VLANs the switch with the lowest bridge ID becomes the root switch To configure a switch to become the root use the spanning tree mst instance id root global configurat...

Page 337: ...e You can use the hello keyword to override the automatically calculated hello time Note After configuring the switch as the root switch we recommend that you avoid manually configuring the hello time forward delay time and maximum age time through the spanning tree mst hello time spanning tree mst forward time and the spanning tree mst max age global configuration commands Beginning in privileged...

Page 338: ...rn the switch to its default setting use the no spanning tree mst instance id root global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree mst instance id root secondary diameter net diameter hello time seconds Configure a switch as the secondary root switch For instance id you can specify a single instance a range of instances se...

Page 339: ...firm the configuration To return the interface to its default setting use the no spanning tree mst instance id port priority interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports and port channel logical i...

Page 340: ...e configuration To return the interface to its default setting use the no spanning tree mst instance id cost interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports and port channel logical interfaces The po...

Page 341: ...ing the hello time Note Exercise care when using this command For most situations we recommend that you use the spanning tree mst instance id root primary and the spanning tree mst instance id root secondary global configuration commands to modify the hello time Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree mst instance id priority priority Configur...

Page 342: ...nfigure the hello time for all MST instances The hello time is the interval between the generation of configuration messages by the root switch These messages mean that the switch is alive For seconds the range is 1 to 10 the default is 2 Step 3 end Return to privileged EXEC mode Step 4 show spanning tree mst Verify your entries Step 5 copy running config startup config Optional Save your entries ...

Page 343: ...de Step 2 spanning tree mst max age seconds Configure the maximum aging time for all MST instances The maximum aging time is the number of seconds a switch waits without receiving spanning tree configuration messages before attempting a reconfiguration For seconds the range is 6 to 40 the default is 20 Step 3 end Return to privileged EXEC mode Step 4 show spanning tree mst Verify your entries Step...

Page 344: ... protocol version set to 0 it sends only 802 1D BPDUs on that port An MSTP switch also can detect that a port is at the boundary of a region when it receives a legacy BPDU an MST BPDU version 3 associated with a different region or an RST BPDU version 2 However the switch does not automatically revert to the MSTP mode if it no longer receives 802 1D BPDUs because it cannot detect whether the legac...

Page 345: ...n Table 16 4 For information about other keywords for the show spanning tree privileged EXEC command refer to the command reference for this release Table 16 4 Commands for Displaying MST Status Command Purpose show spanning tree mst configuration Displays the MST region configuration show spanning tree mst instance id Displays MST information for the specified instance show spanning tree mst inte...

Page 346: ...16 24 Catalyst 3560 Switch Software Configuration Guide 78 16156 01 Chapter 16 Configuring MSTP Displaying the MST Configuration and Status ...

Page 347: ...ple Spanning Tree Protocol MSTP and how to map multiple VLANs to the same spanning tree instance see Chapter 16 Configuring MSTP Note For complete syntax and usage information for the commands used in this chapter refer to the command reference for this release This chapter consists of these sections Understanding Optional Spanning Tree Features page 17 1 Configuring Optional Spanning Tree Feature...

Page 348: ...tation or server should not receive bridge protocol data units BPDUs An interface with Port Fast enabled goes through the normal cycle of spanning tree status changes when the switch is restarted Note Because the purpose of Port Fast is to minimize the time interfaces must wait for spanning tree to converge it is effective only when used on interfaces connected to end stations If you enable Port F...

Page 349: ...n access port from participating in the spanning tree If your switch is running PVST rapid PVST or MSTP you can enable the BPDU guard feature for the entire switch or for an interface Understanding BPDU Filtering The BPDU filtering feature can be globally enabled on the switch or can be enabled per interface but the feature operates with some differences At the global level you can enable BPDU fil...

Page 350: ...ng rapid PVST or MSTP because these protocols use fast convergence and take precedence over UplinkFast When the spanning tree reconfigures the new root port other interfaces flood the network with multicast packets one for each address that was learned on the interface You can limit these bursts of multicast traffic by reducing the max update rate parameter the default for this parameter is 150 pa...

Page 351: ...e core of the backbone BackboneFast is a complementary technology to the UplinkFast feature which responds to failures on links directly connected to access switches BackboneFast optimizes the maximum age timer which controls the amount of time the switch stores protocol information received on an interface When a switch receives an inferior BPDU from the designated port of another switch the BPDU...

Page 352: ...or BPDU If all the alternate paths to the root switch indicate that the switch has lost connectivity to the root switch the switch expires the maximum aging time on the interface that received the RLQ reply If one or more alternate paths can still connect to the root switch the switch makes all interfaces on which it received an inferior BPDU its designated ports and moves them from the blocking s...

Page 353: ...pology Understanding Root Guard The Layer 2 network of a service provider SP can include many connections to switches that are not owned by the SP In such a topology the spanning tree can reconfigure itself and select a customer switch as the root switch as shown in Figure 17 8 You can avoid this situation by enabling root guard on SP switch interfaces that connect to switches in your customer s n...

Page 354: ...enable this feature by using the spanning tree guard root interface configuration command Caution Misuse of the root guard feature can cause a loss of connectivity Figure 17 8 Root Guard in a Service Provider Network Understanding Loop Guard You can use loop guard to prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link This feature...

Page 355: ...onal Enabling BPDU Guard page 17 11 optional Enabling BPDU Filtering page 17 12 optional Enabling UplinkFast for Use with Redundant Links page 17 13 optional Enabling BackboneFast page 17 13 optional Enabling Root Guard page 17 14 optional Enabling Loop Guard page 17 15 optional Default Optional Spanning Tree Configuration Table 17 1 shows the default optional spanning tree configuration Optional ...

Page 356: ... MSTP Beginning in privileged EXEC mode follow these steps to enable Port Fast This procedure is optional Note You can use the spanning tree portfast default global configuration command to globally enable the Port Fast feature on all nontrunking ports To disable the Port Fast feature use the spanning tree portfast disable interface configuration command Command Purpose Step 1 configure terminal E...

Page 357: ...network operation You also can use the spanning tree bpduguard enable interface configuration command to enable BPDU guard on any interface without also enabling the Port Fast feature When the interface receives a BPDU it is put in the error disabled state You can enable the BPDU guard feature if your switch is running PVST rapid PVST or MSTP Beginning in privileged EXEC mode follow these steps to...

Page 358: ...ture This command prevents the interface from sending or receiving BPDUs Caution Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in spanning tree loops You can enable the BPDU filtering feature if your switch is running PVST rapid PVST or MSTP Beginning in privileged EXEC mode follow these steps to globally enable the BPDU filtering feature This ...

Page 359: ...tered The changes to the switch priority and the path cost reduce the chance that a switch will become the root switch When UplinkFast is disabled the switch priorities of all VLANs and path costs of all interfaces are set to default values if you did not modify them from their defaults To return the update packet rate to the default setting use the no spanning tree uplinkfast max update rate glob...

Page 360: ... reaching the forwarding state Note You cannot enable both root guard and loop guard at the same time You can enable this feature if your switch is running PVST rapid PVST or MSTP Beginning in privileged EXEC mode follow these steps to enable root guard on an interface This procedure is optional To disable root guard use the no spanning tree guard interface configuration command Command Purpose St...

Page 361: ...face configuration command Displaying the Spanning Tree Status To display the spanning tree status use one or more of the privileged EXEC commands in Table 17 2 Command Purpose Step 1 show spanning tree active or show spanning tree mst Verify which interfaces are alternate or root ports Step 2 configure terminal Enter global configuration mode Step 3 spanning tree loopguard default Enable loop gua...

Page 362: ...ing Tree Features Displaying the Spanning Tree Status You can clear spanning tree counters by using the clear spanning tree interface interface id privileged EXEC command For information about other keywords for the show spanning tree privileged EXEC command refer to the command reference for this release ...

Page 363: ...to be permanently assigned to hosts only those hosts that are connected to the network consume IP addresses DHCP Snooping DHCP snooping is a DHCP security feature that provides network security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding table An untrusted message is a message that is received from outside the network or firewall that can cause traf...

Page 364: ...ing information option 82 on the switch this sequence of events occurs The host DHCP client generates a DHCP request and broadcasts it on the network When the switch receives the DHCP request it adds the option 82 information in the packet The option 82 information contains the switch MAC address the remote ID suboption and the port identifier vlan mod port from which the packet is received the ci...

Page 365: ...rmation check global configuration command ip dhcp relay information policy global configuration command ip dhcp relay information trust all global configuration command ip dhcp relay information trusted interface configuration command Before configuring the DHCP information option on your switch make sure to configure the device that is acting as the DHCP server For example you must specify the I...

Page 366: ... of VLANs You can specify a single VLAN identified by VLAN ID number or start and end VLAN IDs to specify a range of VLANs The range is 1 to 4094 Step 4 ip dhcp snooping information option Enable the switch to insert and remove DHCP relay information option 82 field in forwarded DHCP request messages to the DHCP server The default is enabled Step 5 interface interface id Enter interface configurat...

Page 367: ...ooping binding MacAddress IpAddress Lease sec Type VLAN Interface 00 30 94 C2 EF 35 41 0 0 51 286 dynamic 41 gigabitethernet0 1 00 D0 B7 1B 35 DE 41 0 0 52 237 dynamic 41 gigabitethernet0 1 00 00 00 00 00 01 40 0 0 46 286 dynamic 40 gigabitethernet0 2 00 00 00 00 00 03 42 0 0 33 286 dynamic 42 gigabitethernet0 2 00 00 00 00 00 02 41 0 0 53 286 dynamic 41 gigabitethernet0 2 Table 18 2 describes the...

Page 368: ... example shows how to display the DHCP snooping configuration for a switch Switch show ip dhcp snooping Switch DHCP snooping is enabled DHCP snooping is configured on following VLANs 40 42 Insertion of option 82 is enabled Interface Trusted Rate limit pps gigabitethernet0 1 yes unlimited gigabitethernet0 2 no 5000 gigabitethernet0 3 yes unlimited gigabitethernet0 4 yes unlimited ...

Page 369: ... for the commands used in this chapter refer to the switch command reference for this release and the Cisco IOS Release Network Protocols Command Reference Part 1 for Release 12 1 This chapter consists of these sections Understanding IGMP Snooping page 19 2 Configuring IGMP Snooping page 19 6 Displaying IGMP Snooping Information page 19 12 Understanding Multicast VLAN Registration page 19 13 Confi...

Page 370: ...ch creates one entry per VLAN in the IGMP snooping IP multicast forwarding table for each group from which it receives an IGMP join request The Catalyst 3560 switch supports IP multicast group based bridging rather than MAC addressed based groups With multicast MAC address based groups if an IP address being configured translates aliases to a previously configured MAC address or to any reserved mu...

Page 371: ...messages are not supported on switches running IGMP filtering or MVR An IGMPv3 switch can receive messages from and forward messages to a device running the Source Specific Multicast SSM feature For more information refer to the Configuring IP Multicast Layer 3 Switching chapter in the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS Release 12 1 12c EW at this URL http...

Page 372: ...on packets from other packets for the multicast group The information in the table tells the switching engine to send frames addressed to the 224 1 2 3 multicast IP address that are not IGMP packets to the router and to the host that has joined the group If another host for example Host 4 sends an unsolicited IGMP join message for the same group Figure 19 2 the CPU receives that message and adds t...

Page 373: ...up maintained by IGMP snooping When hosts want to leave a multicast group they can silently leave or they can send a leave message When the switch receives a leave message from a host it sends out a MAC based general query to determine if any other devices connected to that interface are interested in traffic for the specific multicast group The switch then updates the forwarding table for that MA...

Page 374: ...ression to forward only one IGMP report per multicast router query to multicast devices When IGMP router suppression is enabled the default the switch sends the first IGMP report from all hosts for a group to all the multicast routers The switch does not send the remaining IGMP reports for the group to the multicast routers This feature prevents duplicate reports from being sent to the multicast d...

Page 375: ...ration command Beginning in privileged EXEC mode follow these steps to enable IGMP snooping on a VLAN interface Table 19 3 Default IGMP Snooping Configuration Feature Default Setting IGMP snooping Enabled globally and per VLAN Multicast routers None configured Multicast router learning snooping method PIM DVMRP IGMP snooping Immediate Leave Disabled Static groups None configured IGMP report suppre...

Page 376: ...mp global configuration command When this command is entered the router listens to only CGMP self join and CGMP proxy join packets and no other CGMP packets To learn of multicast router ports through only PIM DVMRP packets use the ip igmp snooping vlan vlan id mrouter learn pim dvmrp global configuration command Note If you want to use CGMP as the learning method and no multicast routers in the VL...

Page 377: ...rt To add a multicast router port add a static connection to a multicast router use the ip igmp snooping vlan mrouter global configuration command on the switch Note Static connections to multicast routers are supported only on switch ports Beginning in privileged EXEC mode follow these steps to enable a static connection to a multicast router To remove a multicast router port from the VLAN use th...

Page 378: ...nd verify the configuration Switch configure terminal Switch config ip igmp snooping vlan 1 static 224 1 2 3 interface gigabitethernet0 1 Switch config end Switch show ip igmp snooping multicast Vlan Group Address Type Ports 1 224 1 2 3 USER Gi0 1 Enabling IGMP Immediate Leave Processing When you enable IGMP Immediate Leave processing the switch immediately removes a port when it detects an IGMP v...

Page 379: ... report per multicast router query When report suppression is disabled all IGMP reports are forwarded to the multicast routers Beginning in privileged EXEC mode follow these steps to disable IGMP report suppression To re enable IGMP report suppression use the ip igmp snooping report suppression global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode S...

Page 380: ...ed command options instead of the actual entries dynamic Display entries learned through IGMP snooping group ip_address Display characteristics of the multicast group with the specified group IP address user Display only the user configured multicast entries show ip igmp snooping multicast vlan vlan id count dynamic count group ip_address group ip_address user count group ip_address Display multic...

Page 381: ...ticast groups configured under MVR Join and leave messages from all other multicast groups are managed by IGMP snooping The switch CPU identifies the MVR IP multicast streams and their associated IP multicast group in the switch forwarding table intercepts the IGMP messages and modifies the forwarding table to include or remove the subscriber as a receiver of the multicast stream even though the r...

Page 382: ... an IGMP report to Switch A to join the appropriate multicast If the IGMP report matches one of the configured IP multicast group addresses the switch CPU modifies the hardware address table to include this receiver port and VLAN as a forwarding destination of the specified multicast stream when it is received from the multicast VLAN Uplink ports that send and receive multicast data to and from th...

Page 383: ...essage is received the receiver port is removed from multicast group membership which speeds up leave latency Enable the Immediate Leave feature only on receiver ports to which a single receiver device is connected MVR eliminates the need to duplicate television channel multicast traffic for subscribers in each VLAN Multicast traffic for all channels is only sent around the VLAN trunk once only on...

Page 384: ... addresses are allowed on the switch However if the switch is interoperating with Catalyst 3550 or Catalyst 3500 XL switches you should not configure IP addresses that alias between themselves or with the reserved IP multicast addresses in the range 224 0 0 xxx MVR is not supported when multicast routing is enabled on a switch If you enable multicast routing and a multicast routing protocol while ...

Page 385: ...o all source ports on the switch and all receiver ports that have elected to receive data on that multicast address Each multicast address would correspond to one television channel Step 4 mvr querytime value Optional Define the maximum time to wait for IGMP report memberships on a receiver port before removing the port from multicast group membership The value is in units of tenths of a second Th...

Page 386: ...f the Layer 2 port to configure Step 4 mvr type source receiver Configure an MVR port as one of these source Configure uplink ports that receive and send multicast data as source ports Subscribers cannot be directly connected to source ports All source ports on a switch belong to the single multicast VLAN receiver Configure a port as a receiver port if it is a subscriber port and should only recei...

Page 387: ...interface gigabitethernet0 2 Switch config if mvr type receiver Switch config if mvr vlan 22 group 228 1 23 4 Switch config if mvr immediate Switch config end Switch show mvr interface Port Type Status Immediate Leave Gi0 2 RECEIVER ACTIVE DOWN ENABLED Step 6 mvr immediate Optional Enable the Immediate Leave feature of MVR on the port Note This command applies to only receiver ports and should onl...

Page 388: ...ort from the port is forwarded for normal processing IGMP filtering controls only group specific query and membership reports including join and leave reports It does not control general IGMP queries IGMP filtering has no relationship with the function that directs the forwarding of IP multicast traffic The filtering feature operates in the same manner whether CGMP or MVR is used to forward the mu...

Page 389: ...s are not supported on switches running IGMP filtering These sections describe how to configure IGMP filtering and throttling Default IGMP Filtering and Throttling Configuration page 19 21 Configuring IGMP Profiles page 19 22 optional Applying IGMP Profiles page 19 23 optional Setting the Maximum Number of IGMP Groups page 19 24 optional Configuring the IGMP Throttling Action page 19 24 optional D...

Page 390: ...eny access to the range of IP addresses Beginning in privileged EXEC mode follow these steps to create an IGMP profile To delete a profile use the no ip igmp profile profile number global configuration command To delete an IP multicast address or range of IP multicast addresses use the no range ip multicast address IGMP profile configuration command Command Purpose Step 1 configure terminal Enter ...

Page 391: ...rts that belong to an EtherChannel port group You can apply a profile to multiple interfaces but each interface can only have one profile applied to it Beginning in privileged EXEC mode follow these steps to apply an IGMP profile to a switch port To remove a profile from an interface use the no ip igmp filter profile number interface configuration command This example shows how to apply IGMP profi...

Page 392: ...P groups that a Layer 2 interface can join you can configure an interface to remove a randomly selected multicast entry in the forwarding table and to add the next IGMP group to it by using the ip igmp max groups action replace interface configuration command Use the no form of this command to return to the default which is to drop the IGMP join report Follow these guidelines when configuring the ...

Page 393: ...nfigure the throttling action when the maximum number of entries is in the forwarding table To return to the default action of dropping the report use the no ip igmp max groups action interface configuration command This example shows how to configure a port to remove a randomly selected multicast entry in the forwarding table and to add an IGMP group to the forwarding table when the maximum numbe...

Page 394: ...all interfaces on the switch or for a specified interface Use the privileged EXEC commands in Table 19 8 to display IGMP filtering and throttling configuration Table 19 8 Commands for Displaying IGMP Filtering and Throttling Configuration Command Purpose show ip igmp profile profile number Displays the specified IGMP profile or all the IGMP profiles defined on the switch show running config interf...

Page 395: ...er refer to the command reference for this release This chapter consists of these sections Configuring Storm Control page 20 1 Configuring Protected Ports page 20 5 Configuring Port Blocking page 20 6 Configuring Port Security page 20 7 Displaying Port Based Traffic Control Settings page 20 15 Configuring Storm Control These sections include storm control configuration information and procedures U...

Page 396: ...itors packets passing from an interface to the switching bus and determines if the packet is unicast multicast or broadcast The switch monitors the number of broadcast multicast or unicast packets received within a 200 millisecond time interval and when a threshold for one type of traffic is reached that type of traffic is dropped This threshold is specified as a percentage of total available band...

Page 397: ...on an interface and enter the percentage of total available bandwidth that you want to be used by a particular type of traffic entering 100 percent allows all traffic However because of hardware limitations and the way in which packets of different sizes are counted threshold percentages are approximations Depending on the sizes of the packets making up the incoming traffic the actual enforced thr...

Page 398: ...level level level Specify the multicast traffic suppression level for an interface as a percentage of total bandwidth The level can be from 1 to 100 the optional fraction of a level can be from 0 to 99 A threshold value of 100 percent means that no limit is placed on broadcast traffic A value of 0 0 means that all multicast traffic on that port is blocked Step 5 storm control unicast level level l...

Page 399: ...usual Default Protected Port Configuration The default is to have no protected ports defined Protected Port Configuration Guidelines You can configure protected ports on a physical interface for example Gigabit Ethernet port 1 or an EtherChannel group for example port channel 5 When you enable protected ports for a port channel it is enabled for all ports in the port channel group Configuring a Pr...

Page 400: ...orts Blocking Flooded Traffic on an Interface Note The interface can be a physical interface or an EtherChannel group When you block multicast or unicast traffic for a port channel it is blocked on all ports in the port channel group Beginning in privileged EXEC mode follow these steps to disable the flooding of multicast and unicast packets out of an interface To return the interface to the defau...

Page 401: ... to one and assign a single secure MAC address the workstation attached to that port is assured the full bandwidth of the port If a port is configured as a secure port and the maximum number of secure MAC addresses is reached when the MAC address of a station attempting to access the port is different from any of the identified secure MAC addresses a security violation occurs Also if a station wit...

Page 402: ...y secure MAC addresses and to add them to the running configuration by enabling sticky learning To enable sticky learning enter the switchport port security mac address sticky interface configuration command When you enter this command the interface converts all the dynamic secure MAC addresses including those that were dynamically learned before sticky learning was enabled to sticky secure MAC ad...

Page 403: ...ckets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses In this mode you are notified that a security violation has occurred An SNMP trap is sent a syslog message is logged and the violation counter increments shutdown a port security violation causes the inter...

Page 404: ... the voice VLAN and might also be learned on the access VLAN Connecting a PC to the IP phone requires additional MAC addresses If any type of port security is enabled on the access VLAN dynamic port security is automatically enabled on the voice VLAN You cannot configure port security on a per VLAN basis When a voice VLAN is configured on a secure port that is also configured as a sticky secure po...

Page 405: ...the interface Step 5 switchport port security maximum value vlan vlan list Optional Set the maximum number of secure MAC addresses for the interface The maximum number of secure MAC addresses that you can configure on a switch is determined by the maximum number of available MAC addresses allowed in the system This number is determined by the active Switch Database Management SDM template See Chap...

Page 406: ... Note When a secure port is in the error disabled state you can bring it out of this state by entering the errdisable recovery cause psecure violation global configuration command or you can manually re enable it by entering the shutdown and no shutdown interface configuration commands Step 7 switchport port security mac address mac address vlan vlan id Optional Enter a secure MAC address for the ...

Page 407: ... delete all dynamic secure addresses on an interface from the address table enter the no switchport port security interface configuration command followed by the switchport port security command to re enable port security on the interface If you use the no switchport port security mac address sticky interface configuration command to convert sticky secure MAC addresses to dynamic secure MAC addres...

Page 408: ...c interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode for the port on which you want to enable port security aging Step 3 switchport port security aging static time time type absolute inactivity Enable or disable static aging for the secure port or set the aging time or type Note ...

Page 409: ...ort Displays the administrative and operational status of all switching nonrouting ports or the specified port including port blocking and port protection settings show storm control interface id broadcast multicast unicast Displays storm control suppression levels set on all interfaces or the specified interface for the specified traffic type or for broadcast traffic if no traffic type is entered...

Page 410: ...20 16 Catalyst 3560 Switch Software Configuration Guide 78 16156 01 Chapter 20 Configuring Port Based Traffic Control Displaying Port Based Traffic Control Settings ...

Page 411: ...e Network Management Protocol SNMP agent address of neighboring devices running lower layer transparent protocols This feature enables applications to send SNMP queries to neighboring devices CDP runs on all media that support Subnetwork Access Protocol SNAP Because CDP runs over the data link layer only two systems that support different network layer protocols can learn about each other Each CDP...

Page 412: ...dtime and advertisement type Note Steps 2 through 4 are all optional and can be performed in any order Table 21 1 Default CDP Configuration Feature Default Setting CDP global state Enabled CDP interface state Enabled CDP timer packet update frequency 60 seconds CDP holdtime before discarding 180 seconds CDP version 2 advertisements Enabled Command Purpose Step 1 configure terminal Enter global con...

Page 413: ...onitoring and Maintaining CDP section on page 21 5 Disabling and Enabling CDP CDP is enabled by default Note Switch clusters and other Cisco devices such as Cisco IP Phones regularly exchange CDP messages Disabling CDP can interrupt cluster discovery and device connectivity For more information see Chapter 5 Clustering Switches Beginning in privileged EXEC mode follow these steps to disable the CD...

Page 414: ...1 Switch config if cdp enable Switch config if end Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 cdp run Enable CDP after disabling it Step 3 end Return to privileged EXEC mode Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and enter the interface on which you are disablin...

Page 415: ...how cdp entry entry name protocol version Display information about a specific neighbor You can enter an asterisk to display all CDP neighbors or you can enter the name of the neighbor about which you want information You can also limit the display to information about the protocols enabled on the specified neighbor or information about the version of software running on the device show cdp interf...

Page 416: ...21 6 Catalyst 3560 Switch Software Configuration Guide 78 16156 01 Chapter 21 Configuring CDP Monitoring and Maintaining CDP ...

Page 417: ...nal link it administratively shuts down the affected port and alerts you Unidirectional links can cause a variety of problems including spanning tree topology loops Modes of Operation UDLD supports two modes of operation normal the default and aggressive In normal mode UDLD can detect unidirectional links due to misconnected ports on fiber optic connections In aggressive mode UDLD can also detect ...

Page 418: ...of the ports is down while the other is up One of the fiber strands in the cable is disconnected In these cases UDLD shuts down the affected port In a point to point link UDLD hello packets can be considered as a heart beat whose presence guarantees the health of the link Conversely the loss of the heart beat means that the link must be shut down if it is not possible to re establish a bidirection...

Page 419: ...rt is shut down If UDLD in normal mode is in the advertisement or in the detection phase and all the neighbor cache entries are aged out UDLD restarts the link up sequence to resynchronize with any potentially out of sync neighbors If you enable aggressive mode when all the neighbors of a port have aged out either in the advertisement or in the detection phase UDLD restarts the link up sequence to...

Page 420: ...nfiguration Configuration Guidelines These are the UDLD configuration guidelines UDLD is not supported on ATM ports A UDLD capable port also cannot detect a unidirectional link if it is connected to a UDLD incapable port of another switch When configuring the mode normal or aggressive make sure that the same mode is configured on both sides of the link Table 22 1 Default UDLD Configuration Feature...

Page 421: ... UDLD in aggressive mode on all fiber optic ports enable Enables UDLD in normal mode on all fiber optic ports on the switch UDLD is disabled by default An individual interface configuration overrides the setting of the udld enable global configuration command For more information about aggressive and normal modes see the Modes of Operation section on page 22 1 message time message timer interval C...

Page 422: ...uration command enables the timer to automatically recover from the UDLD error disabled state and the errdisable recovery interval interval global configuration command specifies the time to recover from the UDLD error disabled state Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be enabled for UDLD and enter interface co...

Page 423: ...ing UDLD Displaying UDLD Status Displaying UDLD Status To display the UDLD status for the specified port or for all ports use the show udld interface id privileged EXEC command For detailed information about the fields in the command output refer to the command reference for this release ...

Page 424: ...22 8 Catalyst 3560 Switch Software Configuration Guide 78 16156 01 Chapter 22 Configuring UDLD Displaying UDLD Status ...

Page 425: ...ed or sent or both on source ports or source VLANs to a destination port for analysis SPAN does not affect the switching of network traffic on the source ports or VLANs You must dedicate the destination port for SPAN use Except for traffic that is required for the SPAN or RSPAN session destination ports do not receive or forward traffic Only traffic that enters or leaves source ports or traffic th...

Page 426: ...etwork traffic from port 5 without being physically attached to port 5 Figure 23 1 Example of Local SPAN Configuration on a Single Switch Remote SPAN RSPAN supports source ports source VLANs and destination ports on different switches enabling remote monitoring of multiple switches across your network Figure 23 2 shows source ports on Switch A and Switch B The traffic for each RSPAN session is car...

Page 427: ... the user and form them into a stream of SPAN data which is directed to the destination port RSPAN consists of at least one RSPAN source session an RSPAN VLAN and at least one RSPAN destination session You separately configure RSPAN source sessions and RSPAN destination sessions on different network devices To configure an RSPAN source session on a device you associate a set of source ports or sou...

Page 428: ...ations SPAN sessions do not interfere with the normal operation of the switch However an oversubscribed SPAN destination for example a 10 Mbps port monitoring a 100 Mbps port can result in dropped or lost packets When RSPAN is enabled each packet being monitored is transmitted twice once as normal traffic and once as a monitored packet Therefore monitoring a large number of ports or VLANs could po...

Page 429: ...ncapsulation replicate enabled can have a mixture of untagged 802 1Q and ISL tagged packets appear on the destination port Switch congestion can cause packets to be dropped at ingress source ports egress source ports or SPAN destination ports In general these characteristics are independent of one another For example A packet might be forwarded normally but dropped from monitoring due to an oversu...

Page 430: ...red VLAN is sent to the destination port If a destination port belongs to a source VLAN it is excluded from the source list and is not monitored If ports are added to or removed from the source VLANs the traffic on the source VLAN received by those ports is added to or removed from the sources being monitored You cannot use filter VLANs in the same session with VLAN sources You can monitor only Et...

Page 431: ...al port It cannot be a secure port It cannot be a source port It cannot be an EtherChannel group or a VLAN It can participate in only one SPAN session at a time a destination port in one SPAN session cannot be a destination port for a second SPAN session When it is active incoming traffic is disabled The port does not transmit any traffic except that required for the SPAN session Incoming traffic ...

Page 432: ...or example if a VLAN is being Rx monitored and the switch routes traffic from another VLAN to the monitored VLAN that traffic is not monitored and not received on the SPAN destination port Spanning Tree Protocol STP A destination port does not participate in STP while its SPAN or RSPAN session is active The destination port can participate in STP after the SPAN or RSPAN session is disabled On a so...

Page 433: ...t For SPAN sessions do not enable port security on ports with monitored egress when ingress forwarding is enabled on the destination port For RSPAN source sessions do not enable port security on any ports with monitored egress An 802 1X port can be a SPAN source port You can enable 802 1X on a port that is a SPAN destination port however 802 1X is disabled until the port is removed as a SPAN desti...

Page 434: ...ions using the same destination port When you configure a switch port as a SPAN destination port it is no longer a normal switch port only monitored traffic passes through the SPAN destination port Entering SPAN configuration commands does not remove previously configured SPAN parameters You must enter the no monitor session session_number all local remote global configuration command to delete co...

Page 435: ... from 1 to 66 For interface id specify the source port or source VLAN to monitor For source interface id specify the source port to monitor Valid interfaces include physical interfaces and port channel logical interfaces port channel port channel number Valid port channel numbers are 1 to 12 For vlan id specify the source VLAN to monitor The range is 1 to 4094 excluding the RSPAN VLAN Note A singl...

Page 436: ...g no monitor session 1 source interface gigabitethernet0 1 Switch config end This example shows how to disable received traffic monitoring on port 1 which was configured for bidirectional monitoring Switch config no monitor session 1 source interface gigabitethernet0 1 rx Step 4 monitor session session_number destination interface interface id encapsulation replicate Specify the SPAN session and t...

Page 437: ...nation interface gigabitethernet0 2 Switch config monitor session 2 source vlan 10 Switch config end Creating a Local SPAN Session and Configuring Ingress Traffic Beginning in privileged EXEC mode follow these steps to create a SPAN session to specify the source ports or VLANs and the destination ports and to enable ingress traffic on the destination port for a network security device such as a Ci...

Page 438: ...session session_number destination interface interface id encapsulation replicate ingress dot1q vlan vlan id isl untagged vlan vlan id vlan vlan id Specify the SPAN session the destination port the packet encapsulation and the ingress VLAN and encapsulation For session_number specify the session number entered in step 3 For interface id specify the destination port The destination interface must b...

Page 439: ...ter vlan vlan id Limit the SPAN source traffic to specific VLANs For session_number enter the session number specified in Step 3 For vlan id the range is 1 to 4094 Optional Use a comma to specify a series of VLANs or use a hyphen to specify a range of VLANs Enter a space before and after the comma enter a space before and after the hyphen Step 5 monitor session session_number destination interface...

Page 440: ... RSPAN As RSPAN VLANs have special properties you should reserve a few VLANs across your network for use as RSPAN VLANs do not assign access ports to these VLANs You can apply an output access control list ACL to RSPAN traffic to selectively filter or monitor specific packets Specify these ACLs on the RSPAN VLAN in the RSPAN source switches For RSPAN configuration you can distribute the source por...

Page 441: ... switches and any intermediate switches Use VTP pruning to get an efficient flow of RSPAN traffic or manually delete the RSPAN VLAN from all trunks that do not need to carry the RSPAN traffic Beginning in privileged EXEC mode follow these steps to create an RSPAN VLAN To remove the remote SPAN characteristic from a VLAN and convert it back to a normal VLAN use the no remote span VLAN configuration...

Page 442: ...o monitor Valid interfaces include physical interfaces and port channel logical interfaces port channel port channel number Valid port channel numbers are 1 to 12 For vlan id specify the source VLAN to monitor The range is 1 to 4094 excluding the RSPAN VLAN Note A single session can include multiple sources ports or VLANs defined in a series of commands but you cannot combine source ports and sour...

Page 443: ...at is not the switch on which the source session was configured Beginning in privileged EXEC mode follow these steps to define the RSPAN VLAN on that switch to create an RSPAN destination session and to specify the source RSPAN VLAN and the destination port Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 vlan vlan id Enter the VLAN ID of the RSPAN VLAN created from...

Page 444: ...r Appliance Note Refer to the Creating an RSPAN Destination Session section on page 23 19 for details about the keywords not related to ingress traffic This procedure assumes the RSPAN VLAN has already been configured Step 7 monitor session session_number destination interface interface id Specify the RSPAN session and the destination interface For session_number enter the number defined in Step 6...

Page 445: ...fy the SPAN session the destination port the packet encapsulation and the ingress VLAN and encapsulation For session_number enter the number defined in Step 4 Note In an RSPAN destination session you must use the same session number for the source RSPAN VLAN and the destination port For interface id specify the destination interface The destination interface must be a physical interface Note Thoug...

Page 446: ...ll to remove all SPAN sessions local to remove all local sessions or remote to remove all remote SPAN sessions Step 3 monitor session session_number source interface interface id Specify the characteristics of the source port monitored port and SPAN session For session_number the range is from 1 to 66 For interface id specify the source port to monitor The interface specified must already be confi...

Page 447: ...uring SPAN and RSPAN Displaying SPAN and RSPAN Status Displaying SPAN and RSPAN Status To display the current SPAN or RSPAN configuration use the show monitor user EXEC command You can also use the show running config privileged EXEC command to display configured SPAN or RSPAN sessions ...

Page 448: ...23 24 Catalyst 3560 Switch Software Configuration Guide 78 16156 01 Chapter 23 Configuring SPAN and RSPAN Displaying SPAN and RSPAN Status ...

Page 449: ...r complete syntax and usage information for the commands used in this chapter refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12 1 This chapter consists of these sections Understanding RMON page 24 1 Configuring RMON page 24 2 Displaying RMON Status page 24 6 Understanding RMON RMON is an Internet Engineering Task Force IETF standard monitoring specification that al...

Page 450: ...ts the alarm at another value falling threshold Alarms can be used with events the alarm triggers an event which can generate a log entry or an SNMP trap Event RMON group 9 Specifies the action to take when an event is triggered by an alarm The action can be to generate a log entry or an SNMP trap Because switches supported by this software release use hardware counters for RMON data processing th...

Page 451: ...re is required Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 rmon alarm number variable interval absolute delta rising threshold value event number falling threshold value event number owner string Set an alarm on a MIB object For number specify the alarm number The range is 1 to 65535 For variable specify the MIB object to monitor For interval specify the time i...

Page 452: ...an be triggered again Switch config rmon alarm 10 ifEntry 20 1 20 delta rising threshold 15 1 falling threshold 0 owner jjohnson The following example creates RMON event number 1 by using the rmon event command The event is defined as High ifOutErrors and generates a log entry when the event is triggered by the alarm The user jjones owns the row that is created in the event table by this command T...

Page 453: ...llection history index buckets bucket number interval seconds owner ownername Enable history collection for the specified number of buckets and time period For index identify the RMON group of statistics The range is 1 to 65535 Optional For buckets bucket number specify the maximum number of buckets desired for the RMON collection history group of statistics The range is 1 to 65535 The default is ...

Page 454: ... 12 1 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface on which to collect statistics and enter interface configuration mode Step 3 rmon collection stats index owner ownername Enable RMON statistic collection on the interface For index specify the RMON group of statistics The range is from 1 to 65535 Optional For owner ow...

Page 455: ...figuration The process also sends messages to the console Note The syslog format is compatible with 4 3 BSD UNIX When the logging process is disabled messages are sent only to the console The messages are sent as they are generated so message and debug output are interspersed with prompts or output from other commands Messages appear on the console after the process that generated them has finishe...

Page 456: ...ty severity MNEMONIC description The part of the message preceding the percent sign depends on the setting of the service sequence numbers service timestamps log datetime service timestamps log datetime localtime msec show timezone or service timestamps log uptime global configuration command Table 25 1 describes the elements of syslog messages Table 25 1 System Log Message Elements Element Descri...

Page 457: ... SYS 5 CONFIG_I Configured from console by vty2 10 34 195 36 Default System Message Logging Configuration Table 25 2 shows the default system message logging configuration MNEMONIC Text string that uniquely describes the message description Text string containing detailed information about the event being reported Table 25 1 System Log Message Elements continued Element Description Table 25 2 Defa...

Page 458: ...message logging after it has been disabled use the logging on global configuration command Setting the Message Display Destination Device If message logging is enabled you can send messages to specific locations in addition to the console Beginning in privileged EXEC mode use one or more of the following commands to specify the locations that receive messages This procedure is optional Command Pur...

Page 459: ...essages for the terminal after which messages are dropped Step 3 logging host Log messages to a UNIX syslog server host For host specify the name or IP address of the host to be used as the syslog server To build a list of syslog servers that receive logging messages enter this command more than once For complete syslog server configuration steps see the Configuring UNIX Syslog Servers section on ...

Page 460: ...ugh the switch console port Use the line vty line number command to specify which vty lines are to have synchronous logging enabled You use a vty connection for configurations that occur through a Telnet session The range of line numbers is from 0 to 15 You can change the setting of all 16 vty lines at once by entering line vty 0 15 Or you can change the setting of the single vty line being used f...

Page 461: ...numbers so that you can unambiguously refer to a single message By default sequence numbers in log messages are not displayed Beginning in privileged EXEC mode follow these steps to enable sequence numbers in log messages This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 service timestamps log uptime or service timestamps log datetime msec ...

Page 462: ...ation command To disable logging to syslog servers use the no logging trap global configuration command Table 25 3 describes the level keywords It also lists the corresponding UNIX syslog definitions from the most severe level to the least severe level Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 logging console level Limit messages logged to the console By defa...

Page 463: ... Table and to SNMP If you enabled syslog message traps to be sent to an SNMP network management station by using the snmp server enable trap global configuration command you can change the level of messages sent and stored in the switch history table You also can change the number of messages that are stored in the history table Messages are stored in the history table because SNMP traps are not g...

Page 464: ... daemon on a UNIX server This procedure is optional Log in as root and perform these steps Note Some recent versions of UNIX syslog daemons no longer accept by default syslog packets from the network If this is the case with your system use the UNIX man syslogd command to decide what options must be added to or removed from the syslog command line to enable logging of remote syslog messages Comman...

Page 465: ...em log messages to an external device you can cause the switch to identify its messages as originating from any of the UNIX syslog facilities Beginning in privileged EXEC mode follow these steps to configure UNIX system facility message logging This procedure is optional To remove a syslog server use the no logging host global configuration command and specify the syslog server IP address To disab...

Page 466: ...ay the logging configuration and the contents of the log buffer use the show logging privileged EXEC command For information about the fields in this display refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12 1 Table 25 4 Logging Facility Type Keywords Facility Type Keyword Description auth Authorization system cron Cron facility daemon System daemon kern Kernel loc...

Page 467: ... SNMP agent and a management information base MIB The SNMP manager can be part of a network management system NMS such as CiscoWorks The agent and MIB reside on the switch To configure SNMP on the switch you define the relationship between the manager and the agent The SNMP agent contains MIB variables whose values the SNMP manager can request or change A manager can get a value from an agent or s...

Page 468: ... security features Message integrity ensuring that a packet was not tampered with in transit Authentication determining that the message is from a valid source Encryption mixing the contents of a package to prevent it from being read by an unauthorized source Note To select encryption enter the priv keyword This keyword is available only when the crypto encrypted software image is installed Both S...

Page 469: ...on SNMPv3 authNoPriv MD5 or SHA No Provides authentication based on the HMAC MD5 or HMAC SHA algorithms SNMPv3 authPriv requires the cryptographic software image MD5 or SHA DES Provides authentication based on the HMAC MD5 or HMAC SHA algorithms Provides DES 56 bit encryption in addition to authentication based on the CBC DES DES 56 standard Table 26 2 SNMP Operations Operation Description get req...

Page 470: ...icate access to MIB objects and function as embedded passwords In order for the NMS to access the switch the community string definitions on the NMS must match at least one of the three community string definitions on the switch A community string can have one of these attributes Read only RO Gives read access to authorized management stations to all objects in the MIB except the community strings...

Page 471: ...re is an option in the command to select either traps or informs the keyword traps refers to either traps or informs or both Use the snmp server host command to specify whether to send SNMP notifications as traps or informs Note SNMPv1 does not support informs Traps are unreliable because the receiver does not send an acknowledgment when it receives a trap and the sender cannot determine if the tr...

Page 472: ...Note The switch might not use sequential values within a range Configuring SNMP This section describes how to configure SNMP on your switch It contains this configuration information Default SNMP Configuration page 26 7 SNMP Configuration Guidelines page 26 7 Disabling the SNMP Agent page 26 8 Configuring Community Strings page 26 8 Configuring SNMP Groups and Users page 26 9 Configuring SNMP Noti...

Page 473: ...emote agent s SNMP engine ID and user password are used to compute the authentication and privacy digests If you do not configure the remote engine ID first the configuration command fails When configuring SNMP informs you need to configure the SNMP engine ID for the remote agent in the SNMP database before you can send proxy requests or informs to it Changing the value of the SNMP engine ID has i...

Page 474: ...or the MIB objects accessible to the community Beginning in privileged EXEC mode follow these steps to configure a community string on the switch Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 no snmp server Disable the SNMP agent operation Step 3 end Return to privileged EXEC mode Step 4 show running config Verify your entries Step 5 copy running config startup c...

Page 475: ... you can add new users to the SNMP group Step 3 access list access list number deny permit source source wildcard Optional If you specified an IP standard access list number in Step 2 then create the list repeating the command as many times as necessary For access list number enter the access list number specified in Step 2 The deny keyword denies access if the conditions are matched The permit ke...

Page 476: ...ccess access list Configure a new SNMP group on the remote device For groupname specify the name of the group Specify a security model v1 is the least secure of the possible security models v2c is the second least secure model It allows transmission of informs and integers twice the normal width v3 the most secure requires you to select an authentication level auth Enables the Message Digest 5 MD5...

Page 477: ...keyword is not supported Step 4 snmp server user username groupname remote host udp port port v1 v2c v3 auth md5 sha auth password encrypted access access list Configure a new user to an SNMP group The username is the name of the user on the host that connects to the agent The groupname is the name of the group to which the user is associated Optional Enter remote to specify a remote SNMP entity t...

Page 478: ... SNMP entity changes envmon Generates environmental monitor traps You can enable any or all of these environmental traps fan shutdown supply temperature flash Generates SNMP FLASH notifications hsrp Generates a trap for Hot Standby Router Protocol HSRP changes mac notification Generates a trap for MAC address notifications port security Generates SNMP port security traps You can also set a maximum...

Page 479: ...o the host Optional Specify the SNMP version 1 2c or 3 SNMPv1 does not support informs Optional For version 3 select authentication level auth noauth or priv Note The priv keyword is available only when the crypto software image is installed For community string enter the password like community string sent with the notification operation Optional For udp port port enter the remote device UDP port...

Page 480: ... no snmp server enable traps notification types global configuration command Setting the Agent Contact and Location Information Beginning in privileged EXEC mode follow these steps to set the system contact and location of the SNMP agent so that these descriptions can be accessed through the configuration file Step 9 end Return to privileged EXEC mode Step 10 show running config Verify your entrie...

Page 481: ...tch config snmp server host 192 180 1 111 version 1 public Switch config snmp server host 192 180 1 33 public Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 snmp server tftp server list access list number Limit TFTP servers used for configuration file copies through SNMP to the servers in the access list For access list number enter an IP standard access list numb...

Page 482: ...g the community string public Switch config snmp server enable traps Switch config snmp server host myhost cisco com public Displaying SNMP Status To display SNMP input and output statistics including the number of illegal community string entries errors and requested variables use the show snmp privileged EXEC command You can also use the other privileged EXEC commands in Table 26 6 to display SN...

Page 483: ...nderstanding ACLs Packet filtering can help limit network traffic and restrict network use by certain users or devices ACLs can filter traffic as it passes through a router or switch and permit or deny packets crossing specified interfaces or VLANs An ACL is a sequential collection of permit and deny conditions that apply to packets When a packet is received on an interface the switch compares the...

Page 484: ... control traffic entering a Layer 2 interface The switch does not support port ACLs in the outbound direction You can apply only one IP access list and one MAC access list to a Layer 2 interface Router ACLs access control routed traffic between VLANs and are applied to Layer 3 interfaces in a specific direction inbound or outbound VLAN ACLs or VLAN maps access control all packets bridged and route...

Page 485: ...terfaces in the inbound direction These access lists are supported on Layer 2 interfaces Standard IP access lists using source addresses Extended IP access lists using source and destination addresses and optional protocol type information MAC extended access lists using source and destination MAC addresses and optional protocol type information The switch examines ACLs associated with all inbound...

Page 486: ...rotocol type information for matching operations As with port ACLs the switch examines ACLs associated with features configured on a given interface However router ACLs are supported in both directions As packets enter the switch on an interface ACLs associated with all inbound features configured on that interface are examined After packets are routed and before they are forwarded to the next hop...

Page 487: ...ckets Switch config access list 102 permit tcp any host 10 1 1 1 eq smtp Switch config access list 102 deny tcp any host 10 1 1 2 eq telnet Switch config access list 102 permit tcp any host 10 1 1 2 Switch config access list 102 deny tcp any any Note In the first and second ACEs in the examples the eq keyword after the destination address means to test for the TCP destination port well known numbe...

Page 488: ...here For more detailed information on configuring ACLs refer to the Configuring IP Services chapter in the Cisco IP and IP Routing Configuration Guide for IOS Release 12 1 For detailed information about the commands refer to Cisco IOS IP and IP Routing Command Reference for IOS Release 12 1 The switch does not support these Cisco IOS router ACL related features Non IP protocol ACLs see Table 27 1 ...

Page 489: ...cess List Numbers page 27 7 Creating a Numbered Standard ACL page 27 8 Creating a Numbered Extended ACL page 27 10 Creating Named Standard and Extended ACLs page 27 14 Using Time Ranges with ACLs page 27 16 Including Comments in ACLs page 27 18 Access List Numbers The number you use to denote your ACL shows the type of access list that you are creating Table 27 1 lists the access list number and c...

Page 490: ... 2 access list access list number deny permit source source wildcard log Define a standard IP access list by using a source address and wildcard The access list number is a decimal number from 1 to 99 or 1300 to 1999 Enter deny or permit to specify whether to deny or permit access if conditions are matched The source is the source address of the network or host from which the packet is being sent ...

Page 491: ...d output and in the configuration file the ACEs do not necessarily appear in the order in which they were entered The switch software can provide logging messages about packets permitted or denied by a standard IP access list That is any packet that matches the ACL causes an informational logging message about the packet to be sent to the console The level of messages logged to the console is cont...

Page 492: ... Header Protocol ahp Enhanced Interior Gateway Routing Protocol eigrp Encapsulation Security Payload esp generic routing encapsulation gre Internet Control Message Protocol icmp Internet Group Management Protocol igmp Interior Gateway Routing Protocol igrp any Interior Protocol ip IP in IP tunneling ipinip KA9Q NOS compatible IP over IP tunneling nos Open Shortest Path First routing ospf Payload C...

Page 493: ...ters for TCP UDP ICMP and IGMP see steps 2b through 2e The source is the number of the network or host from which the packet is sent The source wildcard applies wildcard bits to the source The destination is the network or host number to which the packet is sent The destination wildcard applies wildcard bits to the destination Source source wildcard destination and destination wildcard can be spec...

Page 494: ...ontrol Protocol The parameters are the same as those described in Step 2a with these exceptions Optional Enter an operator and port to compare source if positioned after source source wildcard or destination if positioned after destination destination wildcard port Possible operators include eq equal gt greater than lt less than neq not equal and range inclusive range Operators require a port numb...

Page 495: ...tos fragments log log input time range time range name dscp dscp Optional Define an extended ICMP access list and the access conditions Enter icmp for Internet Control Message Protocol The ICMP parameters are the same as those described for most IP protocols in Step 2a with the addition of the ICMP message type and code parameters These optional keywords have these meanings icmp type Enter to filt...

Page 496: ... before configuring named ACLs Not all commands that accept a numbered ACL accept a named ACL ACLs for packet filters and route filters on interfaces can use a name VLAN maps also accept a name A standard ACL and an extended ACL cannot have the same name Numbered ACLs are also available as described in the Creating Standard and Extended IP ACLs section on page 27 7 You can use standard and extende...

Page 497: ...ght use named ACLs instead of numbered ACLs After creating a named ACL you can apply it to interfaces see the Applying an IP ACL to an Interface section on page 27 19 or VLANs see the Configuring VLAN Maps section on page 27 29 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip access list extended name Define an extended IP access list using a name and enter acces...

Page 498: ... the combined configuration loaded into the TCAM For this reason you should be careful not to have several access lists configured to take affect in close succession within a small number of minutes of each other Note The time range relies on the switch system clock therefore you need a reliable clock source We recommend that you use Network Time Protocol NTP to synchronize the switch clock For mo...

Page 499: ...ime range enter the time range name in an extended ACL that can implement time ranges This example shows how to create and verify extended access list 188 that denies TCP traffic from any source to any destination during the defined holiday times and permits all TCP traffic during work hours Switch config access list 188 deny tcp any any time range new_year_day_2003 Switch config access list 188 d...

Page 500: ...ones is allowed access and the workstation belonging to Smith is not allowed access Switch config access list 1 remark Permit only Jones workstation through Switch config access list 1 permit 171 69 2 88 Switch config access list 1 remark Do not allow Smith workstation through Switch config access list 1 deny 171 69 3 13 For an entry in a named IP ACL use the remark access list configuration comma...

Page 501: ...witch the ACL only filters packets that are intended for the CPU such as SNMP Telnet or web traffic You do not have to enable routing to apply ACLs to Layer 2 interfaces Note By default the router sends Internet Control Message Protocol ICMP unreachable messages when a packet is denied by an access group These access group denied packets are not dropped in hardware but are bridged to the switch CP...

Page 502: ...against the ACL If the ACL permits the packet the switch sends the packet If the ACL rejects the packet the switch discards the packet By default the input interface sends ICMP Unreachable messages whenever a packet is discarded regardless of whether the packet was discarded because of an ACL on the input interface or because of an ACL on the output interface ICMP Unreachables are normally limited...

Page 503: ...LAN that must be routed are routed in software but are bridged in hardware If ACLs cause large numbers of packets to be sent to the CPU the switch performance can be negatively affected When you enter the show ip access lists privileged EXEC command the match count displayed does not account for packets that are access controlled in hardware Use the show access lists hardware counters privileged E...

Page 504: ...access list 6 permit 172 20 128 64 wildcard bits 0 0 0 31 Switch config interface gigabitethernet0 1 Switch config if ip access group 6 out This example uses an extended ACL to filter traffic coming from Server B into a port permitting traffic from any source address in this case Server B to only the Accounting destination addresses 172 20 128 64 to 172 20 128 95 The ACL is applied to traffic goin...

Page 505: ...bitethernet0 1 Switch config if ip access group 102 in For another example of using an extended ACL suppose that you have a network connected to the Internet and you want any host on the network to be able to form TCP connections to any host on the Internet However you do not want IP hosts to be able to form TCP connections to hosts on your network except to the mail SMTP port of a dedicated mail ...

Page 506: ...xt nacl permit icmp any any Switch config ext nacl deny udp any 171 69 0 0 0 0 255 255 lt 1024 Switch config ext nacl deny ip any any log Switch config ext nacl exit The Internet_filter ACL is applied to outgoing traffic and the marketing_group ACL is applied to incoming traffic on a Layer 3 port Switch config interface gigabitethernet0 2 Switch config if no switchport Switch config if ip address ...

Page 507: ...tch config ip access list extended telnetting Switch config ext nacl remark Do not allow Jones subnet to telnet out Switch config ext nacl deny tcp 171 69 0 0 0 0 255 255 any eq telnet ACL Logging Two variations of logging are supported on router ACLs The log keyword sends an informational logging message to the console about the packet that matches the entry the log input keyword includes the inp...

Page 508: ... logging entries for IP ACLs start with SEC 6 IPACCESSLOG with minor variations in format depending on the kind of ACL and the access entry that has been matched This is an example of an output message when the log input keyword is entered 00 04 21 SEC 6 IPACCESSLOGDP list inputlog permitted icmp 10 1 1 10 Vlan1 0001 42ef a400 10 1 1 61 0 0 1 packet A log message for the same sort of packet using ...

Page 509: ...type mask lsap lsap mask aarp amber dec spanning decnet iv diagnostic dsm etype 6000 etype 8042 lat lavc sca mop console mop dump msdos mumps netbios vines echo vines ip xns idp 0 65535 cos cos In extended MAC access list configuration mode specify to permit or deny any source MAC address a source MAC address with a mask or a specific host source MAC address and any destination MAC address destina...

Page 510: ... configuration command This example shows how to apply MAC access list mac1 to a port to filter packets entering the port Switch config interface gigabitethernet0 2 Router config if mac access group mac1 in Note The mac access group interface configuration command is only valid when applied to a physical Layer 2 interface You cannot use the command on EtherChannel port channels After receiving a p...

Page 511: ... command to create a VLAN ACL map entry Step 3 In access map configuration mode optionally enter an action forward the default or drop and enter the match command to specify an IP packet or a non IP packet with only a known MAC address and to match the packet against one or more ACLs standard or extended Note If the VLAN map has a match clause for the type of packet IP or MAC and the packet does n...

Page 512: ...obal configuration command to delete a map Use the no vlan access map name number global configuration command to delete a single sequence entry from within the map Use the no action access map configuration command to enforce the default action which is to forward Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 vlan access map name number Create a VLAN map and giv...

Page 513: ...et ACL ip2 permits UDP packets and any packets that match the ip2 ACL are forwarded In this map any IP packets that did not match any of the previous ACLs that is packets that are not TCP packets or UDP packets would get dropped Switch config ip access list extended ip2 Switch config ext nacl permit udp any any Switch config ext nacl exit Switch config vlan access map map_1 20 Switch config access...

Page 514: ...nfig mac access list extended good protocols Switch config ext macl permit any any decnet ip Switch config ext macl permit any any vines ip Switch config ext nacl exit Switch config vlan access map drop mac default 10 Switch config access map match mac address good hosts Switch config access map action forward Switch config access map exit Switch config vlan access map drop mac default 20 Switch c...

Page 515: ...t configuration routing might not be enabled on the switch In this configuration the switch can still support a VLAN map and a QoS classification ACL In Figure 27 4 assume that Host X and Host Y are in different VLANs and are connected to wiring closet switches A and C Traffic from Host X to Host Y is eventually being routed by Switch B a Layer 3 switch with routing enabled Traffic from Host X to ...

Page 516: ...0 1 1 34 eq www Switch config ext nacl exit Next create VLAN access map map2 so that traffic that matches the http access list is dropped and all other IP traffic is forwarded Switch config vlan access map map2 10 Switch config access map match ip address http Switch config access map action drop Switch config access map exit Switch config ip access list extended match_all Switch config ext nacl p...

Page 517: ...ER1 to VLAN 10 Step 1 Define the IP ACL that will match the correct packets Switch config ip access list extended SERVER1_ACL Switch config ext nacl permit ip 10 1 2 0 0 0 0 255 host 10 1 1 100 Switch config ext nacl permit ip host 10 1 1 4 host 10 1 1 100 Switch config ext nacl permit ip host 10 1 1 8 host 10 1 1 100 Switch config ext nacl exit Step 2 Define a VLAN map using this ACL that will dr...

Page 518: ...ap entry This section includes this information about using VLAN maps with router ACLs Guidelines page 27 36 Examples of Router ACLs and VLAN Maps Applied to VLANs page 27 37 Guidelines These guidelines are for configurations where you need to have an router ACL and a VLAN map on the same VLAN These guidelines do not apply to configurations where you are mapping router ACLs and VLAN maps on differ...

Page 519: ...ayer 4 ACEs at the end of the list This gives priority to the filtering of traffic based on IP addresses Examples of Router ACLs and VLAN Maps Applied to VLANs This section gives examples of applying router ACLs and VLAN maps to a VLAN for switched bridged routed and multicast packets Although the following illustrations show packets being forwarded to their destination each time the packet s path...

Page 520: ...ayer 2 ACLs are applied to the input VLAN Only non IP non ARP packets can be fallback bridged Figure 27 7 Applying ACLs on Bridged Packets ACLs and Routed Packets Figure 27 8 shows how ACLs are applied on routed packets For routed packets the ACLs are applied in this order 1 VLAN map for input VLAN 2 Input router ACL 3 Output router ACL 4 VLAN map for output VLAN Frame Fallback bridge VLAN 10 Host...

Page 521: ...uted to more than one output VLAN in which case a different router output ACL and VLAN map would apply for each destination VLAN The final result is that the packet might be permitted in some of the output VLANs and not in others A copy of the packet is forwarded to those destinations where it is permitted However if the input VLAN map VLAN 10 map in Figure 27 9 drops the packet no destination rec...

Page 522: ... and MAC address access lists or a specific access list numbered or named show ip access lists number name Display the contents of all current IP access lists or a specific IP access list numbered or named show ip interface interface id Display detailed configuration and status of an interface If IP is enabled on the interface and ACLs have been applied by using the ip access group interface confi...

Page 523: ...ge 28 18 Displaying Auto QoS Information page 28 26 Configuring Standard QoS page 28 26 Displaying Standard QoS Information page 28 64 Understanding QoS Typically networks operate on a best effort delivery basis which means that all traffic has equal priority and an equal chance of being delivered in a timely manner When congestion occurs all traffic has an equal chance of being dropped When you c...

Page 524: ...ports configured as Layer 2 802 1Q trunks all traffic is in 802 1Q frames except for traffic in the native VLAN Other frame types cannot carry Layer 2 CoS values Layer 2 CoS values range from 0 for low priority to 7 for high priority Prioritization bits in Layer 3 packets Layer 3 IP packets can carry either an IP precedence value or a Differentiated Services Code Point DSCP value QoS supports the ...

Page 525: ...itch also needs to ensure that traffic sent from it meets a specific traffic profile shape Figure 28 2 shows the basic QoS model Actions at the ingress port include classifying traffic policing marking queueing and scheduling Classification is the process of generating a distinct path for a packet by associating it with a QoS label The switch maps the CoS or DSCP in the packet to a QoS label to di...

Page 526: ...ification occurs only on a physical port basis No support exists for classifying packets at the VLAN or the switch virtual interface level During classification the switch performs a lookup and assigns a QoS label to the packet The QoS label identifies all QoS actions to be performed on the packet and from which queue the packet is sent The QoS label is based on the DSCP or the CoS value in the pa...

Page 527: ...P value in the incoming packet configure the port to trust DSCP and assign the same DSCP value to the packet The IETF defines the six most significant bits of the 1 byte TOS field as the DSCP The priority represented by a particular DSCP value is configurable DSCP values range from 0 to 63 For ports that are on the boundary between two QoS administrative domains you can modify the DSCP to another ...

Page 528: ...et Check if packet came with CoS label tag Use the CoS value to generate the QoS label Generate DSCP from CoS to DSCP map Use the DSCP value to generate the QoS label Yes Read next ACL Is there a match with a permit action Assign the DSCP or CoS as specified by ACL action to generate the QoS label Assign the default DSCP 0 Are there any more QoS ACLs configured for this interface Check if packet c...

Page 529: ...t IP ACLs to classify IP traffic by using the access list global configuration command you implement Layer 2 MAC ACLs to classify non IP traffic by using the mac access list extended global configuration command For configuration information see the Configuring a QoS Policy section on page 28 36 Classification Based on Class Maps and Policy Maps A class map is a mechanism that you use to name a sp...

Page 530: ...t of profile and specifies the actions on the packet These actions carried out by the marker include passing through the packet without modification dropping the packet or modifying marking down the assigned DSCP of the packet and allowing the packet to pass through The configurable policed DSCP map provides the packet with a new DSCP based QoS label For information on the policed DSCP map see the...

Page 531: ...ions are taken against the frames in that burst You configure the bucket depth the maximum burst that is tolerated before the bucket overflows by using the burst byte option of the police policy map class configuration command or the mls qos aggregate policer global configuration command You configure how fast the average rate that the tokens are removed from the bucket by using the rate bps optio...

Page 532: ...called the policed DSCP map You configure this map by using the mls qos map policed dscp global configuration command Before the traffic reaches the scheduling stage QoS stores the packet in an ingress and an egress queue according to the QoS label The QoS label is based on the DSCP or the CoS value in the packet and selects the queue through the DSCP input and output queue threshold maps or throu...

Page 533: ...el to subject it to different thresholds If the threshold is exceeded for that QoS label the space available in the destination queue is less than the size of the frame the switch drops the frame Figure 28 6 shows an example of WTD operating on a queue whose size is 1000 frames Three drop percentages are configured 40 percent 400 frames 60 percent 600 frames and 100 percent 1000 frames These perce...

Page 534: ...are guaranteed a percentage of the bandwidth and they are rate limited to that amount Shaped traffic does not use more than the allocated bandwidth even if the link is idle Shaping provides a more even flow of traffic over time and reduces the peaks and valleys of bursty traffic With shaping the absolute value of each weight is used to compute the bandwidth available for the queues In shared mode ...

Page 535: ...e the queue according to the SRR weights Send packet to the internal ring Drop packet Start Yes No Table 28 1 Ingress Queue Types Queue Type1 1 The switch uses two nonconfigurable queues for traffic that is essential for proper network operation Function Normal User traffic that is considered to be normal priority You can configure three different thresholds to differentiate among the flows You ca...

Page 536: ...ith which to divide the ingress buffers between the two queues by using the mls qos srr queue input buffers percentage1 percentage2 global configuration command The buffer allocation together with the bandwidth allocation control how much data can be buffered and sent before packets are dropped You allocate bandwidth as a percentage by using the mls qos srr queue input bandwidth weight1 weight2 gl...

Page 537: ...rt supports four egress queues one of which queue 1 can be the egress expedite queue These queues are assigned to a queue set All traffic exiting the switch flows through one of these four queues and is subjected to a threshold based on the QoS label assigned to the packet 90565 Receive packet from the internal ring Read QoS label DSCP or CoS value Determine egress queue number and threshold based...

Page 538: ...tage of the queue s allocated memory which you specify by using the mls qos queue set output qset id buffers allocation1 allocation4 global configuration command The sum of all the allocated buffers represents the reserved pool and the remaining buffers are part of the common pool Through buffer allocation you can ensure that high priority traffic is buffered For example if the buffer space is 400...

Page 539: ...nored and is not used in the ratio calculation The expedite queue is a priority queue and it is serviced until empty before the other queues are serviced You enable the expedite queue by using the priority queue out interface configuration command You can combine the commands described in this section to prioritize traffic by placing packets with particular DSCPs or CoSs into certain queues by all...

Page 540: ...est effort service to each packet regardless of the packet contents or size and sends it from a single queue When you enable auto QoS it automatically classifies traffic based on the traffic type and ingress packet label The switch uses the resulting classification to choose the appropriate egress queue You use auto QoS commands to identify ports connected to Cisco IP Phones and to identify ports ...

Page 541: ...o IP Phone is absent the ingress classification is set to not trust the QoS label in the packet The switch configures ingress and egress queues on the port according to the settings in Table 28 3 and Table 28 4 Assigned DSCP 46 26 48 56 0 Assigned CoS 5 3 6 7 0 CoS to Ingress Queue Map 2 3 4 5 6 7 queue 2 0 1 queue 1 CoS to Egress Queue Map 5 queue 1 3 6 7 queue 2 2 4 queue 3 0 1 queue 4 Table 28 ...

Page 542: ...scription Automatically Generated Command The switch automatically enables standard QoS and configures the CoS to DSCP map maps CoS values in incoming packets to a DSCP value Switch config mls qos Switch config mls qos map cos dscp 0 8 16 26 32 46 48 56 The switch automatically maps CoS values to an ingress queue and to a threshold ID Switch config no mls qos srr queue input cos map Switch config ...

Page 543: ...map queue 2 threshold 3 24 25 26 27 28 29 30 31 Switch config mls qos srr queue output dscp map queue 2 threshold 3 48 49 50 51 52 53 54 55 Switch config mls qos srr queue output dscp map queue 2 threshold 3 56 57 58 59 60 61 62 63 Switch config mls qos srr queue output dscp map queue 3 threshold 3 16 17 18 19 20 21 22 23 Switch config mls qos srr queue output dscp map queue 3 threshold 3 32 33 34...

Page 544: ...switch only for VoIP with Cisco IP Phones To take advantage of the auto QoS defaults you should enable auto QoS before you configure other QoS commands If necessary you can fine tune the QoS configuration but we recommend that you do so only after the auto QoS configuration is completed For more information see the Effects of Auto QoS on the Configuration section on page 28 22 You can enable auto ...

Page 545: ...cket are not changed Traffic is switched in pass through mode packets are switched without any rewrites and classified as best effort without any policing This example shows how to enable auto QoS and to trust the QoS labels received in incoming packets when the switch or router connected to a port is a trusted device Switch config interface gigabitethernet0 1 Switch config if auto qos voip trust ...

Page 546: ...n which the VoIP traffic is prioritized over all other traffic Auto QoS is enabled on the switches in the wiring closets at the edge of the QoS domain 101234 Cisco router To Internet Trunk link Trunk link Cisco IP phones End stations Cisco IP phones Video server 172 20 10 16 IP IP IP IP Identify this interface as connected to a trusted switch or router Identify this interface as connected to a tru...

Page 547: ...isco IP Phone The QoS labels of incoming packets are trusted only when the Cisco IP Phone is detected Step 6 exit Return to global configuration mode Step 7 Repeat Steps 4 to 6 for as many ports as are connected to the Cisco IP Phone Step 8 auto qos voip cisco phone Enable auto QoS on the port and specify that the port is connected to a Cisco IP Phone Step 9 exit Return to global configuration mod...

Page 548: ...information about these commands refer to the command reference for this release Configuring Standard QoS Before configuring standard QoS you must have a thorough understanding of these items The types of applications used and the traffic patterns on your network Traffic characteristics and needs of your network Is the traffic bursty Do you need to reserve bandwidth for voice and video streams Ban...

Page 549: ...ation section on page 28 27 and the Default Egress Queue Configuration section on page 28 28 Default Ingress Queue Configuration Table 28 6 shows the default ingress queue configuration when QoS is enabled Table 28 7 shows the default CoS input queue threshold map when QoS is enabled Table 28 8 shows the default DSCP input queue threshold map when QoS is enabled Table 28 6 Default Ingress Queue Co...

Page 550: ...incoming DSCP value to the same DSCP value The default policed DSCP map is a null map which maps an incoming DSCP value to the same DSCP value no markdown Table 28 9 Default Egress Queue Configuration Feature Queue 1 Queue 2 Queue 3 Queue 4 Buffer Allocation 25 percent 25 percent 25 percent 25 percent WTD Drop Threshold 1 100 percent 50 percent 100 percent 100 percent WTD Drop Threshold 2 100 perc...

Page 551: ...ample you could configure 32 policers on a Gigabit Ethernet port and 8 policers on a Fast Ethernet port or you could configure 64 policers on a Gigabit Ethernet port and 5 policers on a Fast Ethernet port Policers are allocated on demand by the software and are constrained by the hardware and ASIC boundaries You cannot reserve policers per port there is no guarantee that a port will be assigned to...

Page 552: ...ion on page 28 36 Configuring the Trust State on Ports within the QoS Domain page 28 31 Configuring the CoS Value for an Interface page 28 33 Configuring a Trusted Boundary to Ensure Port Security page 28 34 Configuring the DSCP Trust State on a Port Bordering Another QoS Domain page 28 35 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos Enable QoS globally ...

Page 553: ...edge of the QoS domain When the packets are classified at the edge the switch port within the QoS domain can be configured to one of the trusted states because there is no need to classify the packets at every switch within the QoS domain Figure 28 11 shows a sample network topology Figure 28 11 Port Trusted States within the QoS Domain 101236 Trunk Trusted interface Traffic classification perform...

Page 554: ... Configure the port trust state By default the port is not trusted If no keyword is specified the default is dscp The keywords have these meanings cos Classifies an ingress packet by using the packet CoS value For an untagged packet the port default CoS value is used The default port CoS value is 0 dscp Classifies an ingress packet by using the packet DSCP value For a non IP packet the packet CoS ...

Page 555: ...ort For default cos specify a default CoS value to be assigned to a port If the packet is untagged the default CoS value becomes the packet CoS value The CoS range is 0 to 7 The default is 0 Use the override keyword to override the previously configured trust state of the incoming packet and to apply the default port CoS value to the port on all incoming packets By default CoS override is disabled...

Page 556: ...o IP Phone 7910 7935 7940 and 7960 on a switch port If the telephone is not detected the trusted boundary feature disables the trusted setting on the switch port and prevents misuse of a high priority queue Note that the trusted boundary feature is not effective if the PC and Cisco IP Phone are connected to a hub that is connected to the switch In some situations you can prevent a PC connected to ...

Page 557: ...o DSCP mutation map To ensure a consistent mapping strategy across both QoS domains you must perform this procedure on the ports in both domains 101235 QoS Domain 1 QoS Domain 2 Set interface to the DSCP trusted state Configure the DSCP to DSCP mutation map IP traffic Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos map dscp mutation dscp mutation name in ds...

Page 558: ... traffic classes and attaching policies to ports For background information see the Classification section on page 28 4 and the Policing and Marking section on page 28 8 For configuration guidelines see the Standard QoS Configuration Guidelines section on page 28 29 These sections describe how to classify police and mark traffic Depending on your network configuration you must perform one or more ...

Page 559: ...se Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny permit source source wildcard Create an IP standard ACL repeating the command as many times as necessary For access list number enter the access list number The range is 1 to 99 and 1300 to 1999 Use the permit keyword to permit a certain type of traffic if the conditions are matched Use the deny...

Page 560: ...ge is 100 to 199 and 2000 to 2699 Use the permit keyword to permit a certain type of traffic if the conditions are matched Use the deny keyword to deny a certain type of traffic if conditions are matched For protocol enter the name or number of an IP protocol Use the question mark to see a list of available protocol keywords For source enter the network or host from which the packet is being sent ...

Page 561: ... the type of traffic to permit or deny if the conditions are matched entering the command as many times as necessary For src MAC addr enter the MAC address of the host from which the packet is being sent You specify this by using the hexadecimal format H H H by using the any keyword as an abbreviation for source 0 0 0 source wildcard 255 255 255 or by using the host keyword for source 0 0 0 For ma...

Page 562: ...ber deny permit protocol source source wildcard destination destination wildcard or mac access list extended name permit deny host src MAC addr mask any host dst MAC addr dst MAC addr mask type mask Create an IP standard or extended ACL for IP traffic or a Layer 2 MAC ACL for non IP traffic repeating the command as many times as necessary For more information see the Classifying Traffic by Using A...

Page 563: ... cmap end Switch This example shows how to create a class map called class3 which matches incoming traffic with IP precedence values of 5 6 and 7 Switch config class map class3 Switch config cmap match ip precedence 5 6 7 Switch config cmap end Switch Step 4 match access group acl index or name ip dscp dscp list ip precedence ip precedence list Define the match criterion to classify traffic By def...

Page 564: ...all match any class map name Create a class map and enter class map configuration mode By default no class maps are defined Optional Use the match all keyword to perform a logical AND of all matching statements under this class map All match criteria in the class map must be matched Optional Use the match any keyword to perform a logical OR of all matching statements under this class map One or mo...

Page 565: ...or non IP packets that are untagged QoS derives the DSCP value by using the default port CoS value In either case the DSCP value is derived from the CoS to DSCP map For more information see the Configuring the CoS to DSCP Map section on page 28 47 Step 6 set ip dscp new dscp ip precedence new precedence Classify IP traffic by setting a new value in the packet For ip dscp new dscp enter a new DSCP ...

Page 566: ...onfig pmap c police 48000 8000 exceed action policed dscp transmit Switch config pmap c exit Switch config pmap exit Switch config interface gigabitethernet0 1 Switch config if service policy input flow1t This example shows how to create a Layer 2 MAC ACL with two permit statements and attach it to an ingress port The first permit statement allows traffic from the host with MAC address 0001 0000 0...

Page 567: ...ate bps burst byte exceed action drop policed dscp transmit Define the policer parameters that can be applied to multiple traffic classes within the same policy map By default no aggregate policer is defined For information on the number of policers supported see the Standard QoS Configuration Guidelines section on page 28 29 For aggregate policer name specify the name of the aggregate policer For...

Page 568: ...ig cmap match access group 1 Switch config cmap exit Switch config class map ipclass2 Switch config cmap match access group 2 Switch config cmap exit Switch config policy map aggflow1 Switch config pmap class ipclass1 Switch config pmap c trust dscp Switch config pmap c police aggregate transmit1 Switch config pmap c exit Switch config pmap class ipclass2 Switch config pmap c set ip dscp 56 Switch...

Page 569: ... You use the CoS to DSCP map to map CoS values in incoming packets to a DSCP value that QoS uses internally to represent the priority of the traffic Table 28 12 shows the default CoS to DSCP map If these values are not appropriate for your network you need to modify them Beginning in privileged EXEC mode follow these steps to modify the CoS to DSCP map This procedure is optional To return to the d...

Page 570: ... procedure is optional To return to the default map use the no mls qos ip prec dscp global configuration command This example shows how to modify and display the IP precedence to DSCP map Switch config mls qos map ip prec dscp 10 15 20 25 30 35 40 45 Switch config end Switch show mls qos maps ip prec dscp IpPrecedence dscp map ipprec 0 1 2 3 4 5 6 7 dscp 10 15 20 25 30 35 40 45 Table 28 13 Default...

Page 571: ...16 17 18 19 2 20 21 22 23 24 25 26 27 28 29 3 30 31 32 33 34 35 36 37 38 39 4 40 41 42 43 44 45 46 47 48 49 5 00 00 00 00 00 00 00 00 58 59 6 60 61 62 63 Note In this policed DSCP map the marked down DSCP values are shown in the body of the matrix The d1 column specifies the most significant digit of the original DSCP the d2 row specifies the least significant digit of the original DSCP The inters...

Page 572: ...3 3 03 03 00 04 04 04 04 04 04 04 4 00 05 05 05 05 05 05 05 00 06 5 00 06 06 06 06 06 07 07 07 07 6 07 07 07 07 Note In the above DSCP to CoS map the CoS values are shown in the body of the matrix The d1 column specifies the most significant digit of the DSCP the d2 row specifies the least significant digit of the DSCP The intersection of the d1 and d2 values provides the CoS value For example in ...

Page 573: ...map use the no mls qos dscp mutation dscp mutation name global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos map dscp mutation dscp mutation name in dscp to out dscp Modify the DSCP to DSCP mutation map For dscp mutation name enter the mutation map name You can create more than one map by specifying a new name For in dscp enter up to...

Page 574: ...values are shown in the body of the matrix The d1 column specifies the most significant digit of the original DSCP the d2 row specifies the least significant digit of the original DSCP The intersection of the d1 and d2 values provides the mutated value For example a DSCP value of 12 corresponds to a mutated value of 10 Configuring Ingress Queue Characteristics Depending on the complexity of your n...

Page 575: ...ueue 1 and threshold 1 CoS value 5 is mapped to queue 2 and threshold 1 For queue id the range is 1 to 2 For threshold id the range is 1 to 3 The drop threshold percentage for threshold 3 is predefined It is set to the queue full state For dscp1 dscp8 enter up to eight values and separate each value with a space The range is 0 to 63 For cos1 cos8 enter up to eight values and separate each value wi...

Page 576: ...uch data can be buffered before packets are dropped Beginning in privileged EXEC mode follow these steps to allocate the buffers between the ingress queues This procedure is optional To return to the default setting use the no mls qos srr queue input buffers global configuration command This example shows how to allocate 60 percent of the buffer space to ingress queue 1 and 40 percent of the buffe...

Page 577: ...ue input priority queue 2 bandwidth 0 Switch config mls qos srr queue input bandwidth 25 75 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos srr queue input bandwidth weight1 weight2 Assign shared round robin weights to the ingress queues The default setting for weight1 and weight2 is 4 1 2 of the bandwidth is equally shared between the two queues For weight...

Page 578: ...r example mls qos srr queue input priority queue queue id bandwidth 0 This example shows how to assign the ingress bandwidths to the queues Queue 1 is the priority queue with 10 percent of the bandwidth allocated to it The bandwidth ratios allocated to queues 1 and 2 is 4 4 4 SRR services queue 1 the priority queue first for its configured 10 percent bandwidth Then SRR equally shares the remaining...

Page 579: ...onal Limiting the Bandwidth on an Egress Interface page 28 63 optional Configuration Guidelines Follow these guidelines when the expedite queue is enabled or the egress queues are serviced based on their SRR weights If the egress expedite queue is enabled it overrides the SRR shaped and shared weights for queue 1 If the egress expedite queue is disabled and the SRR shaped and shared weights are co...

Page 580: ...e the maximum memory allocation for the queue set four egress queues per port By default the WTD thresholds for queues 1 3 and 4 are set to 100 percent The thresholds for queue 2 are set to 50 percent The reserved thresholds for queues 1 3 and 4 are set to 50 percent The reserved threshold for queue 2 is set to 100 percent The maximum thresholds for all queues are set to 400 percent For qset id en...

Page 581: ...nfig mls qos queue set output 2 buffers 40 20 20 20 Switch config mls qos queue set output 2 threshold 2 40 60 100 200 Switch config interface gigabitethernet0 1 Switch config if queue set 2 Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID You can prioritize traffic by placing packets with particular DSCPs or costs of service into certain queues and adjusting the queue threshold...

Page 582: ...to an egress queue and to a threshold ID By default DSCP values 0 15 are mapped to queue 2 and threshold 1 DSCP values 16 31 are mapped to queue 3 and threshold 1 DSCP values 32 39 and 48 63 are mapped to queue 4 and threshold 1 DSCP values 40 47 are mapped to queue 1 and threshold 1 By default CoS values 0 and 1 are mapped to queue 2 and threshold 1 CoS values 2 and 3 are mapped to queue 3 and th...

Page 583: ...nterface interface id Specify the port of the outbound traffic and enter interface configuration mode Step 3 srr queue bandwidth shape weight1 weight2 weight3 weight4 Assign SRR weights to the egress queues By default weight1 is set to 25 weight2 weight3 and weight4 are set to 0 and these queues are in shared mode For weight1 weight2 weight3 weight4 enter the weights to control the percentage of t...

Page 584: ...ws how to configure the weight ratio of the SRR scheduler running on an egress port Four queues are used and the bandwidth ratio allocated for each queue in shared mode is 1 1 2 3 4 2 1 2 3 4 3 1 2 3 4 and 4 1 2 3 4 which is 10 percent 20 percent 30 percent and 40 percent for queues 1 2 3 and 4 This means that queue 4 has four times the bandwidth of queue 1 twice the bandwidth of queue 2 and one a...

Page 585: ... Egress Interface You can limit the bandwidth on an egress port For example if a customer pays only for a small percentage of a high speed link you can limit the bandwidth to that amount Note The egress queue default settings are suitable for most situations You should change them only when you have a thorough understanding of the egress queues and if these settings do not meet your QoS solution C...

Page 586: ...onfiguration mode Step 3 srr queue bandwidth limit weight1 Specify the percentage of the port speed to which the port should be limited The range is 10 to 90 By default the port is not rate limited and is set to 100 percent Step 4 end Return to privileged EXEC mode Step 5 show mls qos interface interface id queueing Verify your entries Step 6 copy running config startup config Optional Save your e...

Page 587: ...cy map name class class map name Display QoS policy maps which define classification criteria for incoming traffic Note Do not use the show policy map interface privileged EXEC command to display classification information for incoming traffic The interface keyword is not supported and the statistics shown in the display should be ignored Table 28 15 Commands for Displaying Standard QoS Informatio...

Page 588: ...28 66 Catalyst 3560 Switch Software Configuration Guide 78 16156 01 Chapter 28 Configuring QoS Displaying Standard QoS Information ...

Page 589: ...y redistributing the load across the remaining links If a link fails EtherChannel redirects traffic from the failed link to the remaining links in the channel without intervention Note For complete syntax and usage information for the commands used in this chapter refer to the command reference for this release This chapter consists of these sections Understanding EtherChannels page 29 1 Configuri...

Page 590: ...nels is limited to 12 For more information see the EtherChannel Configuration Guidelines section on page 29 9 The EtherChannel Layer 3 ports are made up of routed ports Routed ports are physical ports configured to be in Layer 3 mode by using the no switchport interface configuration command For more information see the Chapter 10 Configuring Interface Characteristics If a link within an EtherChan...

Page 591: ...lowed by the no switchport interface configuration command Then you manually assign an interface to the EtherChannel by using the channel group interface configuration command For both Layer 2 and Layer 3 ports the channel group command binds the physical port and the logical interface together as shown in Figure 29 2 Each EtherChannel has a port channel logical interface numbered from 1 to 12 Thi...

Page 592: ... criteria such as port speed and for Layer 2 EtherChannels trunking state and VLAN numbers Ports can form an EtherChannel when they are in different PAgP modes as long as the modes are compatible For example A port in the desirable mode can form an EtherChannel with another port that is in the desirable or auto mode A port in the auto mode can form an EtherChannel with another port in the desirabl...

Page 593: ...PAgP protocol data units PDUs on the lowest numbered VLAN In Layer 2 EtherChannels the first port in the channel that comes up provides its MAC address to the EtherChannel If this port is removed from the bundle one of the remaining ports in the bundle provides its MAC address to the EtherChannel PAgP sends and receives PAgP PDUs only from ports that are up and have PAgP enabled for the auto or de...

Page 594: ...e bundle one of the remaining ports in the bundle provides its MAC address to the EtherChannel LACP sends and receives LACP PDUs only from ports that are up and have LACP enabled for the active or passive mode Load Balancing and Forwarding Methods EtherChannel balances the traffic load across the links in a channel by reducing part of the binary pattern formed from the addresses in the frame to a ...

Page 595: ...orwarding when packets are forwarded to an EtherChannel they are distributed across the ports in the EtherChannel based on the destination IP address of the incoming packet Therefore to provide load balancing packets from the same IP source address sent to different IP destination addresses could be sent on different ports in the channel But packets sent from different source IP addresses to the s...

Page 596: ...erChannel Load Balancing page 29 15 optional Configuring the PAgP Learn Method and Priority page 29 16 optional Configuring LACP Hot Standby Ports page 29 17 optional Note Make sure that the ports are correctly configured For more information see the EtherChannel Configuration Guidelines section on page 29 9 Note After you configure an EtherChannel configuration changes applied to the port channel...

Page 597: ...terface configuration command is treated as a link failure and its traffic is transferred to one of the remaining ports in the EtherChannel When a group is first created all ports follow the parameters set for the first port to be added to the group If you change the configuration of one of these parameters you must also make the changes to all ports in the group Allowed VLAN list Spanning tree pa...

Page 598: ... the auto or desirable mode Ports with different spanning tree path costs can form an EtherChannel if they are otherwise compatibly configured Setting different spanning tree path costs does not by itself make ports incompatible for the formation of an EtherChannel For Layer 3 EtherChannels assign the Layer 3 address to the port channel logical interface not to the physical ports in the channel Co...

Page 599: ...he on mode is connected to another port group in the on mode non silent Optional If your switch is connected to a partner that is PAgP capable configure the switch port for nonsilent operation when the port is in the auto or desirable mode If you do not specify non silent silent is assumed The silent setting is for connections to file servers or packet analyzers This setting allows PAgP to operate...

Page 600: ...ce and then put the Ethernet ports into the port channel as described in the next two sections Creating Port Channel Logical Interfaces When configuring Layer 3 EtherChannels you should first manually create the port channel logical interface by using the interface port channel global configuration command Then you put the logical interface into the channel group by using the channel group interfa...

Page 601: ...required Step 7 copy running config startup config Optional Save your entries in the configuration file Step 8 Assign an Ethernet port to the Layer 3 EtherChannel For more information see the Configuring the Physical Interfaces section on page 29 13 Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify a physical port and en...

Page 602: ...y when a port group in the on mode is connected to another port group in the on mode non silent Optional If your switch is connected to a partner that is PAgP capable configure the switch port for nonsilent operation when the port is in the auto or desirable mode If you do not specify non silent silent is assumed The silent setting is for connections to file servers or packet analyzers This settin...

Page 603: ...hannel load balancing to the default configuration use the no port channel load balance global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 port channel load balance dst ip dst mac src dst ip src dst mac src ip src mac Configure an EtherChannel load balancing method The default is src mac Select one of these load distribution methods dst ip...

Page 604: ... can be swapped into operation in just a few seconds if the selected single port loses hardware signal detection You can configure which port is always selected for packet transmission by changing its priority with the pagp port priority interface configuration command The higher the priority the more likely that the port will be selected Note The Catalyst 3560 switch supports address learning onl...

Page 605: ...dress LACP port priority Port number Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port for transmission and enter interface configuration mode Step 3 pagp learn method physical port Select the PAgP learning method By default aggregation port learning is selected which means the switch sends packets to the source by using any of...

Page 606: ...ty You can configure the system priority for all of the EtherChannels that are enabled for LACP by using the lacp system priority global configuration command You cannot configure a system priority for each LACP configured channel By changing this value from the default you can affect how the software selects active and standby links You can use the show etherchannel summary privileged EXEC comman...

Page 607: ... restrictive hardware limitations all the ports that cannot be actively included in the EtherChannel are put in the hot standby state and are used only if one of the channeled ports fails Beginning in privileged EXEC mode follow these steps to configure the LACP port priority This procedure is optional To return the LACP port priority to the default value use the no lacp port priority interface co...

Page 608: ...rmation about the fields in the displays refer to the command reference for this release Table 29 4 Commands for Displaying EtherChannel PAgP and LACP Status Command Description show etherchannel channel group number detail port port channel protocol summary detail load balance port port channel protocol summary Displays EtherChannel information in a brief detailed and one line summary form Also d...

Page 609: ... refer to the Cisco IOS IP and IP Routing Command Reference for Release 12 1 This chapter consists of these sections Understanding IP Routing page 30 2 Steps for Configuring Routing page 30 3 Configuring IP Addressing page 30 4 Enabling IP Unicast Routing page 30 18 Configuring RIP page 30 19 Configuring IGRP page 30 23 Configuring OSPF page 30 28 Configuring EIGRP page 30 37 Configuring BGP page ...

Page 610: ...ket directly to Host B without sending it to the router When Host A sends a packet to Host C in VLAN 20 Switch A forwards the packet to the router which receives the traffic on the VLAN 10 interface The router checks the routing table determines the correct outgoing interface and forwards the packet on the VLAN 20 interface to Switch B Switch B receives the packet and forwards it to Host C Types o...

Page 611: ...ols are determined by the software running on the switch If the switch is running the SMI only default routing static routing and RIP are supported All other routing protocols require the EMI Steps for Configuring Routing By default IP routing is disabled on the switch and you must enable it before routing can take place For detailed IP routing configuration information refer to the Cisco IOS IP a...

Page 612: ...o configure various IP addressing features Assigning IP addresses to the interface is required the other procedures are optional Default Addressing Configuration page 30 4 Assigning IP Addresses to Network Interfaces page 30 5 Configuring Address Resolution Methods page 30 8 Routing Assistance When IP Routing is Disabled page 30 11 Configuring Broadcast Packet Handling page 30 13 Monitoring and Ma...

Page 613: ...f a helper address is defined or User Datagram Protocol UDP flooding is configured UDP forwarding is enabled on default ports Any local broadcast Disabled Spanning Tree Protocol STP Disabled Turbo flood Disabled IP helper address Disabled IP host Disabled IRDP Disabled Defaults when enabled Broadcast IRDP advertisements Maximum interval between advertisements 600 seconds Minimum interval between a...

Page 614: ...twork with no default route the router forwards the packet to the best supernet route A supernet consists of contiguous blocks of Class C address spaces used to simulate a single larger address space and is designed to relieve the pressure on the rapidly depleting Class B address space In Figure 30 2 classless routing is enabled When the host sends a packet to 120 20 4 1 instead of discarding the ...

Page 615: ...uting To prevent the switch from forwarding packets destined for unrecognized subnets to the best supernet route possible you can disable classless routing behavior Beginning in privileged EXEC mode follow these steps to disable classless routing Host 128 20 1 0 128 20 2 0 128 20 3 0 128 20 4 1 128 0 0 0 8 128 20 4 1 IP classless 45749 128 20 0 0 Host 128 20 1 0 128 20 2 0 128 20 3 0 128 20 4 1 12...

Page 616: ...ess MAC address association in an ARP cache for rapid retrieval Then the IP datagram is encapsulated in a link layer frame and sent over the network Encapsulation of IP datagrams and ARP requests or replies on IEEE 802 networks other than Ethernet is specified by the Subnetwork Access Protocol SNAP Proxy ARP helps hosts with no routing tables determine the MAC addresses of hosts on other networks ...

Page 617: ...nstatic entries from the ARP cache use the clear arp cache privileged EXEC command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 arp ip address hardware address type Globally associate an IP address with a MAC hardware address in the ARP cache and specify encapsulation type as one of these arpa ARP encapsulation for Ethernet interfaces snap Subnetwork Address Pro...

Page 618: ...and Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify the Layer 3 interface to configure Step 3 arp arpa snap Specify the ARP encapsulation method arpa Address Resolution Protocol snap Subnetwork Address Protocol Step 4 end Return to privileged EXEC mode Step 5 show interfaces interface id Verify A...

Page 619: ...s ARP requests for every IP address Proxy ARP is enabled by default To enable it after it has been disabled see the Enable Proxy ARP section on page 30 10 Proxy ARP works as long as other routers support it Default Gateway Another method for locating routes is to define a default router or default gateway All nonlocal packets are sent to this router which either routes them appropriately or sends ...

Page 620: ...ep 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify the Layer 3 interface to configure Step 3 ip irdp Enable IRDP processing on the interface Step 4 ip irdp multicast Optional Send IRDP advertisements to the multicast address 224 0 0 1 instead of IP broadcasts Note This command allows for compatibility with Sun Micros...

Page 621: ...dges including intelligent bridges because they are Layer 2 devices forward broadcasts to all network segments thus propagating broadcast storms The best solution to the broadcast storm problem is to use a single broadcast address scheme on a network In most modern IP implementations you can set the address to be used as the broadcast address Many implementations including the one in the Catalyst ...

Page 622: ...col which is used by older diskless Sun workstations and the network security protocol SDNS By default both UDP and ND forwarding are enabled if a helper address has been defined for an interface The description for the ip forward protocol interface configuration command in the Cisco IOS IP and IP Routing Command Reference for Release 12 1 lists the ports that are forwarded by default if you do no...

Page 623: ...ddress interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify the Layer 3 interface to configure Step 3 ip helper address address Enable forwarding and specify the destination address for forwarding UDP broadcast packets including BOOTP Step 4 exit Return to global config...

Page 624: ...m is given the destination address specified with the ip broadcast address interface configuration command on the output interface The destination address can be set to any address Thus the destination address might change as the datagram propagates through the network The source address is never changed The TTL value is decremented When a flooded UDP datagram is sent out an interface and the dest...

Page 625: ...rn to privileged EXEC mode Step 4 show running config Verify your entry Step 5 copy running config startup config Optional Save your entry in the configuration file Table 30 2 Commands to Clear Caches Tables and Databases Command Purpose clear arp cache Clear the IP ARP cache and the fast switching cache clear host name Remove one or all entries from the host name and the address cache clear ip ro...

Page 626: ...uting protocols as described in these sections Configuring RIP page 30 19 Configuring IGRP page 30 23 Configuring OSPF page 30 28 Configuring EIGRP page 30 37 Configuring BGP page 30 43 You can also configure nonprotocol specific features Configuring Protocol Independent Features page 30 63 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip routing Enable IP routin...

Page 627: ...e 0 to 15 makes RIP unsuitable for large networks If the router has a default network path RIP advertises a route that links the router to the pseudonetwork 0 0 0 0 The 0 0 0 0 network does not exist it is treated by RIP as a network to implement the default routing feature The switch advertises the default network if a default was learned by RIP or if the router has a gateway of last resort and R...

Page 628: ...etwork number Associate a network with a RIP routing process You can specify multiple network commands RIP routing updates are sent and received through interfaces only on these networks Step 5 neighbor ip address Optional Define a neighboring router with which to exchange routing information This step allows routing updates from RIP normally a broadcast protocol to reach nonbroadcast networks Ste...

Page 629: ...You can also use the interface commands ip rip send receive version 1 2 1 2 to control what versions are used for sending and receiving on interfaces Step 9 no auto summary Optional Disable automatic summarization By default the switch summarizes subprefixes when crossing classful network boundaries Disable summarization RIP version 2 only to advertise subnet and host routing information to classf...

Page 630: ... If split horizon is enabled neither autosummary nor interface IP summary addresses are advertised Beginning in privileged EXEC mode follow these steps to set an interface to advertise a summarized local IP address and to disable split horizon on the interface Step 3 ip rip authentication key chain name of chain Enable RIP authentication Step 4 ip rip authentication mode text md5 Configure the int...

Page 631: ...ter end Configuring IGRP Interior Gateway Routing Protocol IGRP is a dynamic distance vector routing proprietary Cisco protocol for routing in an autonomous system AS that contains large arbitrarily complex networks with diverse bandwidth and delay characteristics IGRP uses a combination of user configurable metrics including internetwork delay bandwidth reliability and load IGRP also advertises t...

Page 632: ...gure IGRP It includes this information Default IGRP Configuration page 30 24 Understanding Load Balancing and Traffic Distribution Control page 30 25 Configuring Basic IGRP Parameters page 30 26 Configuring Split Horizon page 30 27 Note To enable IGRP the switch must be running the EMI Default IGRP Configuration Table 30 5 shows the default IGRP configuration Router System Subnet A Subnet B Interi...

Page 633: ...ynamics of the network remain stable These general rules apply to IGRP unequal cost load balancing IGRP accepts up to four paths for a given destination network The local best metric must be greater than the metric learned from the next router that is the next hop router must be closer have a smaller metric value to the destination than the local best metric The alternative path metric must be wit...

Page 634: ...o routing metrics to increase incoming and outgoing metrics to routes learned through IGRP You can limit the offset list with an access list or an interface Step 5 neighbor ip address Optional Define a neighboring router with which to exchange routing information This step allows routing updates from RIP normally a broadcast protocol to reach nonbroadcast network Step 6 metric weights tos k1 k2 k3...

Page 635: ...s to disable holddown to increase the network s ability to quickly respond to topology changes this command provides this function Use the metric holddown command if other routers or access servers within the IGRP autonomous system are not configured with the no metric holddown command If all routers are not configured the same way you increase the possibility of routing loops Step 9 metric maximu...

Page 636: ...st when sending and receiving packets The Cisco implementation supports RFC 1253 OSPF management information base MIB The Cisco implementation conforms to the OSPF Version 2 specifications with these key features Definition of stub areas is supported Routes learned through any IP routing protocol can be redistributed into another IP routing protocol At the intradomain level this means that OSPF ca...

Page 637: ...ing OSPF Area Parameters page 30 32 Configuring Other OSPF Parameters page 30 33 Changing LSA Group Pacing page 30 35 Configuring a Loopback Interface page 30 35 Monitoring OSPF page 30 36 Note To enable OSPF the switch must be running the EMI Default OSPF Configuration Table 30 6 shows the default OSPF configuration Table 30 6 Default OSPF Configuration Feature Default Setting Interface parameter...

Page 638: ...e lookup Disabled Log adjacency changes Enabled Neighbor None specified Neighbor database filter Disabled All outgoing LSAs are flooded to the neighbor Network area Disabled Router ID No OSPF routing process defined Summary address Disabled Timers LSA group pacing 240 seconds Timers shortest path first spf spf delay 5 seconds spf holdtime 10 seconds Virtual link No area ID or router ID defined Hel...

Page 639: ...efine one or more multiple interfaces to be associated with a specific OSPF area The area ID can be a decimal value or an IP address Step 4 end Return to privileged EXEC mode Step 5 show ip protocols Verify your entries Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration ...

Page 640: ...ollow these steps to configure area parameters Step 8 ip ospf dead interval seconds Optional Set the number of seconds after the last device hello packet was seen before its neighbors declare the OSPF router to be down The value must be the same for all nodes on a network The range is 1 to 65535 seconds The default is 4 times the hello interval Step 9 ip ospf authentication key key Optional Assign...

Page 641: ...ection against unauthorized access to the identified area The identifier can be either a decimal value or an IP address Step 4 area area id authentication message digest Optional Enable MD5 authentication on the area Step 5 area area id stub no summary Optional Define an area as a stub area The no summary keyword prevents an ABR from sending summary link advertisements into the stub area Step 6 ar...

Page 642: ...h the hello packet for the receiving interface Route calculation timers You can configure the delay time between when OSPF receives a topology change and when it starts the shortest path first SPF calculation and the hold time between two SPF calculations Log neighbor changes You can configure the router to send a syslog message when an OSPF neighbor state changes providing a high level view of ch...

Page 643: ...terface is configured with an IP address OSPF uses this IP address as its router ID even if other interfaces have higher IP addresses Because loopback interfaces never fail this provides greater stability OSPF automatically prefers a loopback interface over other interfaces and it chooses the highest IP address among all loopback interfaces Step 10 timers spf spf delay spf holdtime Optional Config...

Page 644: ...o privileged EXEC mode Step 5 show ip interface Verify your entries Step 6 copy running config startup config Optional Save your entries in the configuration file Table 30 7 Show IP OSPF Statistics Commands Command Purpose show ip ospf process id Display general information about OSPF routing processes show ip ospf process id database router link state id show ip ospf process id database router se...

Page 645: ...tion EIGRP scales to large networks Enhanced IGRP has these four basic components Neighbor discovery and recovery is the process that routers use to dynamically learn of other routers on their directly attached networks Routers must also discover when their neighbors become unreachable or inoperative Neighbor discovery and recovery is achieved with low overhead by periodically sending small hello ...

Page 646: ...d by other IP routing protocols This section briefly describes how to configure EIGRP It includes this information Default EIGRP Configuration page 30 38 Configuring Basic EIGRP Parameters page 30 39 Configuring EIGRP Interfaces page 30 40 Configuring EIGRP Route Authentication page 30 41 Monitoring and Maintaining EIGRP page 30 42 Note To enable EIGRP the switch must be running the EMI Default EI...

Page 647: ...tance 90 External distance 170 EIGRP log neighbor changes Disabled No adjacency changes logged IP authentication key chain No authentication provided IP authentication mode No authentication provided IP bandwidth percent 50 percent IP hello interval For low speed nonbroadcast multiaccess NBMA networks 60 seconds all other networks 5 seconds IP hold time For low speed NBMA networks 180 seconds all ...

Page 648: ...rom an experienced network designer Step 6 offset list access list number name in out offset type number Optional Apply an offset list to routing metrics to increase incoming and outgoing metrics to routes learned through EIGRP You can limit the offset list with an access list or an interface Step 7 no auto summary Optional Disable automatic summarization of subnet routes into network level routes...

Page 649: ...the hold time without consulting Cisco technical support Step 7 no ip split horizon eigrp autonomous system number Optional Disable split horizon to allow route information to be advertised by a router out any interface from which that information originated Step 8 end Return to privileged EXEC mode Step 9 show ip eigrp interface Display which interfaces EIGRP is active on and information about EI...

Page 650: ...inite Step 10 send lifetime start time infinite end time duration seconds Optional Specify the time period during which the key can be sent The start time and end time syntax can be either hh mm ss Month date year or hh mm ss date Month year The default is forever with the default start time and the earliest acceptable date as January 1 1993 The default end time and duration is infinite Step 11 en...

Page 651: ...ge BGP updates run internal BGP IBGP and routers that belong to different autonomous systems and that exchange BGP updates run external BGP EBGP Most configuration commands are the same for configuring EBGP and IBGP The difference is that the routing updates are exchanged either between autonomous systems EBGP or within an AS IBGP Figure 30 5 shows a network that is running both EBGP and IBGP Figu...

Page 652: ...ng loops and to enforce AS level policy decisions A router or switch running Cisco IOS does not select or use an IBGP route unless it has a route available to the next hop router and it has received synchronization from an IGP unless IGP synchronization is disabled When multiple routes are available BGP bases its path selection on attribute values See the Configuring BGP Decision Attributes sectio...

Page 653: ...sco default format 32 bit number BGP confederation identifier peers Identifier None configured Peers None identified BGP Fast external fallover Enabled BGP local preference 100 The range is 0 to 4294967295 with the higher value preferred BGP network None specified no backdoor route advertised BGP route dampening Disabled by default When enabled Half life is 15 minutes Re use is 750 10 second incre...

Page 654: ...irectly connected neighbors are allowed Filter list None used Maximum number of prefixes received No limit Next hop router as next hop for BGP neighbor Disabled Password Disabled Peer group None defined no members assigned Prefix list None specified Remote AS add entry to neighbor BGP table No peers defined Private AS number removal Disabled Route maps None applied to a peer Send community attribu...

Page 655: ...propagated information across the AS so that BGP is synchronized with the IGP Synchronization is enabled by default If your AS does not pass traffic from one AS to another AS or if all routers in your autonomous systems are running BGP you can disable synchronization which allows your network to carry fewer routes in the IGP and allows BGP to converge more quickly Note To enable BGP the switch mus...

Page 656: ...192 208 10 1 remote as 300 Router D Switch config router bgp 300 Switch config router neighbor 192 208 10 2 remote as 200 To verify that BGP peers are running use the show ip bgp neighbors privileged EXEC command This is the output of this command on Router A Switch show ip bgp neighbors BGP neighbor is 129 213 1 1 remote AS 200 external link BGP version 4 remote router ID 175 220 212 1 BGP state ...

Page 657: ... change you must reset the BGP sessions so that the configuration changes take effect There are two types of reset hard reset and soft reset Cisco IOS software releases 12 1 and later support a soft reset without any prior configuration To use a soft reset without preconfiguration both BGP peers must support the soft route refresh capability which is advertised in the OPEN message sent when the pe...

Page 658: ... the IP address of the next hop that is going to be used to reach a destination For EBGP this is usually the IP address of the neighbor specified by the neighbor remote as router configuration command You can disable next hop processing by using route maps or the neighbor next hop self router configuration command 2 Prefer the path with the largest weight a Cisco proprietary parameter The weight a...

Page 659: ...re all true insert the route for this path into the IP routing table Both the best route and this route are external Both the best route and this route are from the same neighboring autonomous system maximum paths is enabled 11 If multipath is not enabled prefer the route with the lowest IP address value for the BGP router ID The router ID is usually the highest IP address on the router or the loo...

Page 660: ...aths in the same AS Step 9 bgp bestpath med confed Optional Configure the switch to consider the MED in choosing a path from among those advertised by different subautonomous systems within a confederation Step 10 bgp deterministic med Optional Configure the switch to consider the MED variable when choosing among routes advertised by different peers in the same AS Step 11 bgp default local prefere...

Page 661: ...ng requires the ip access list global configuration command Beginning in privileged EXEC mode follow these steps to apply a per neighbor route map Step 3 set ip next hop ip address ip address peer address Optional Set a route map to disable next hop processing In an inbound route map set the next hop of matching routes to be the neighbor peering address overriding third party next hops In an outbo...

Page 662: ...ss lists When there is a match the route is used Whether a prefix is permitted or denied is based upon these rules An empty prefix list permits all prefixes An implicit deny is assumed if a given prefix does not match any entries in a prefix list When multiple entries of a prefix list match a given prefix the sequence number of a prefix list entry identifies the entry with the lowest sequence numb...

Page 663: ...ators can define to which communities a destination belongs By default all destinations belong to the general Internet community The community is identified by the COMMUNITIES attribute an optional transitive global attribute in the numerical range from 1 to 4294967200 These are some predefined well known communities internet Advertise this route to the Internet community All routers belong to it ...

Page 664: ... to create and to apply a community list Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip community list community list number permit deny community number Create a community list and assign it a number The community list number is an integer from 1 to 99 that identifies one or more permit or deny groups of communities The community number is the number configure...

Page 665: ...ode use these commands to configure BGP peers Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router bgp autonomous system Enter BGP router configuration mode Step 3 neighbor peer group name peer group Create a BGP peer group Step 4 neighbor ip address peer group peer group name Make a BGP neighbor a member of the peer group Step 5 neighbor ip address peer group na...

Page 666: ...al Specify that the COMMUNITIES attribute be sent to the neighbor at this IP address Step 18 neighbor ip address peer group name timers keepalive holdtime Optional Set timers for the neighbor or peer group The keepalive interval is the time within which keepalive messages are sent to peers The range is 1 to 4294967295 seconds the default is 60 The holdtime is the interval after which a peer is dec...

Page 667: ...and local preference information is preserved You can then use a single IGP for all of the autonomous systems Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router bgp autonomous system Enter BGP router configuration mode Step 3 aggregate address address mask Create an aggregate entry in the BGP routing table The aggregate route is advertised as coming from the AS...

Page 668: ...do not communicate with IBGP speakers outside their cluster When the route reflector receives an advertised route it takes one of these actions depending on the neighbor A route from an external BGP speaker is advertised to all clients and nonclient peers A route from a nonclient peer is advertised to all clients A route from a client is advertised to all clients and nonclient peers Hence the clie...

Page 669: ...ip address peer group name route reflector client Configure the local router as a BGP route reflector and the specified neighbor as a client Step 4 bgp cluster id cluster id Optional Configure the cluster ID if the cluster has more than one route reflector Step 5 no bgp client to client reflection Optional Disable client to client route reflection By default the routes from a route reflector clien...

Page 670: ... to make it less likely that a route will be dampened Step 9 clear ip bgp dampening Optional Clear route dampening information and unsuppress the suppressed routes Step 10 copy running config startup config Optional Save your entries in the configuration file Command Purpose Table 30 12 IP BGP Clear and Show Commands Command Purpose clear ip bgp address Reset a particular BGP connection clear ip b...

Page 671: ...30 71 Filtering Routing Information page 30 74 Managing Authentication Keys page 30 76 Configuring Cisco Express Forwarding Cisco Express Forwarding CEF is a Layer 3 IP switching technology used to optimize network performance CEF implements an advanced IP look up and forwarding algorithm to deliver maximum Layer 3 switching performance CEF is less CPU intensive than fast switching route caching a...

Page 672: ...ble CEF on interfaces Beginning in privileged EXEC mode follow these steps to enable CEF globally and on an interface in case if for some reason it has been disabled Configuring the Number of Equal Cost Routing Paths When a router has two or more routes to the same network with the same metrics these routes can be thought of as having an equal cost The term parallel path is another way to refer to...

Page 673: ...by assigning administrative distance values Each dynamic routing protocol has a default administrative distance as listed in Table 30 13 If you want a static route to be overridden by information from a dynamic routing protocol set the administrative distance of the static route higher than that of the dynamic protocol Command Purpose Step 1 configure terminal Enter global configuration mode Step ...

Page 674: ...router might not be able to determine the routes to all other networks To provide complete routing capability you can use some routers as smart routers and give the remaining routers default routes to the smart router Smart routers have routing table information for the entire internetwork These default routes can be dynamically learned or can be configured in the individual routers Most dynamic i...

Page 675: ...ise static routes by using IGRP Redistributing information from one routing protocol to another applies to all supported IP based routing protocols You can also conditionally control the redistribution of routes between routing domains by defining enhanced packet filters or route maps between the two domains The match and set route map configuration commands define the condition portion of a route...

Page 676: ... as path path list number Match a BGP AS path access list Step 4 match community list community list number exact Match a BGP community list Step 5 match ip address access list number access list name access list number access list name Match a standard access list by specifying the name or number It can be an integer from 1 to 199 Step 6 match metric metric value Match the specified route metric ...

Page 677: ... Step 18 set metric bandwidth delay reliability loading mtu Set the metric value to give the redistributed routes for IGRP or EIGRP only bandwidth Metric value or IGRP bandwidth of the route in kilobits per second in the range 0 to 4294967295 delay Route delay in tens of microseconds in the range 0 to 4294967295 reliability Likelihood of successful packet transmission expressed as a number between...

Page 678: ...cted It does not change the metrics of routes derived from IGRP updates from other autonomous systems Any protocol can redistribute other routing protocols if a default mode is in effect Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router bgp rip ospf igrp eigrp Enter router configuration mode Step 3 redistribute protocol process id level 1 level 1 2 level 2 met...

Page 679: ...d routed to the appropriate next hop If packets do not match any route map statements all set clauses are applied If a statement is marked as deny packets meeting the match criteria are sent through normal forwarding channels and destination based routing is performed If a statement is marked as permit and the packets do not match any route map statements the packets are sent through the normal fo...

Page 680: ...n on the SDM templates see Chapter 7 Configuring SDM Templates The number of TCAM entries used by PBR depends on the route map itself the ACLs used and the order of the ACLs and route map entries Policy based routing based on packet length IP precedence and TOS set interface set default next hop or set default interface are not supported Policy maps with no valid set actions or with set action set...

Page 681: ...o not specify a match command the route map applies to all packets Step 4 set ip next hop ip address ip address Specify the action to take on the packets that match the criteria Set next hop to which to route the packet the next hop must be adjacent Step 5 exit Return to global configuration mode Step 6 interface interface id Enter interface configuration mode and specify the interface to configur...

Page 682: ...OSPF domain OSPF routing information is neither sent nor received through the specified router interface In networks with many interfaces to avoid having to manually set them as passive you can set all interfaces to be passive by default by using the passive interface default router configuration command and manually setting interfaces where adjacencies are desired Beginning in privileged EXEC mod...

Page 683: ... updates Use the no distribute list in router configuration command to change or cancel a filter To cancel suppression of network advertisements in updates use the no distribute list out router configuration command Filtering Sources of Routing Information Because some routing information might be more accurate than others you can use filtering to prioritize information coming from different sourc...

Page 684: ...nt regardless of how many valid keys exist The software examines the key numbers in order from lowest to highest and uses the first valid key it encounters The lifetimes allow for overlap during key changes Note that the router must know these lifetimes Beginning in privileged EXEC mode follow these steps to manage authentication keys Command Purpose Step 1 configure terminal Enter global configur...

Page 685: ...Step 6 send lifetime start time infinite end time duration seconds Optional Specify the time period during which the key can be sent The start time and end time syntax can be either hh mm ss Month date year or hh mm ss date Month year The default is forever with the default start time and the earliest acceptable date as January 1 1993 The default end time and duration is infinite Step 7 end Return...

Page 686: ...30 78 Catalyst 3560 Switch Software Configuration Guide 78 16156 01 Chapter 30 Configuring IP Unicast Routing Monitoring and Maintaining the IP Network ...

Page 687: ...method of providing high network availability by providing first hop redundancy for IP hosts on an IEEE 802 LAN configured with a default gateway IP address HSRP routes IP traffic without relying on the availability of any single router It enables a set of router interfaces to work together to present the appearance of a single virtual router or default gateway to the hosts on a LAN When HSRP is c...

Page 688: ...Protocol ICMP redirect messages are disabled by default for the interface You can configure multiple Hot Standby groups among Catalyst 3560 switches that are operating in Layer 3 to make more use of the redundant routers To do so specify a group number for each Hot Standby command group you configure for an interface For example you might configure an interface on switch 1 as an active router and ...

Page 689: ...SRP configuration information Default HSRP Configuration page 31 4 HSRP Configuration Guidelines page 31 4 Enabling HSRP page 31 5 Configuring HSRP Group Attributes page 31 6 Configuring HSRP Groups and Clustering page 31 9 Host B 172 20 130 5 172 20 128 32 Host A 172 20 128 55 172 20 128 1 172 20 128 3 172 20 128 2 Virtual router Active router Standby router Router A Router B 101361 Host C ...

Page 690: ...ration command and by default a Layer 3 interface Etherchannel port channel in Layer 3 mode a port channel logical interface created by using the interface port channel port channel number global configuration command and binding the Ethernet interface into the channel group For more information see the Configuring Layer 3 EtherChannels section on page 29 12 All Layer 3 interfaces must have IP add...

Page 691: ...red to enable HSRP Switch configure terminal Switch config interface gigabitethernet0 1 Switch config if no switchport Switch config if standby 1 ip Switch config if end Switch show standby Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and enter the Layer 3 interface on which you want to enable HSRP Step 3...

Page 692: ...ack command and another interface on the router goes down The standby track interface configuration command ties the router hot standby priority to the availability of its interfaces and is useful for tracking interfaces that are not configured for HSRP When a tracked interface fails the hot standby priority on the device on which tracking has been configured decreases by 10 If an interface is not...

Page 693: ... router to preempt which means that when the local router has a higher priority than the active router it assumes control as the active router Optional group number The group number to which the command applies Optional priority Enter to set or change the group priority The range is 1 to 255 the default is 100 Optional delay Set to cause the local router to postpone taking over the active role for...

Page 694: ...ring is sent unencrypted in all HSRP messages You must configure the same authentication string on all routers and access servers on a cable to ensure interoperation Authentication mismatch prevents a device from learning the designated Hot Standby IP address and timer values from other routers configured with HSRP Routers or access servers on which standby timer values are not configured can lear...

Page 695: ...itch Configuring HSRP Groups and Clustering When a device is participating in an HSRP standby routing and clustering is enabled you can use the same standby group for command switch redundancy and HSRP redundancy Use the cluster standby group HSRP group name routing redundancy global configuration command to enable the same HSRP standby group to be used for command switch and routing redundancy If...

Page 696: ...roup on an interface You can also specify whether to display a concise overview of HSRP information or detailed HSRP information The default display is detail If there are a large number of HSRP groups using the show standby command without qualifiers can result in an unwieldy display This is a an example of output from the show standby privileged EXEC command displaying HSRP information for two s...

Page 697: ...cast group Any host regardless of whether it is a member of a group can sent to a group However only the members of a group receive the message To use this feature the switch must be running the enhanced multilayer image EMI Note For complete syntax and usage information for the commands used in this chapter refer to the Cisco IOS IP and IP Routing Command Reference for Release 12 1 This chapter c...

Page 698: ... 32 1 shows where these protocols operate within the IP multicast environment Figure 32 1 IP Multicast Routing Protocols Understanding IGMP To participate in IP multicasting multicast hosts routers and multilayer switches must have the IGMP operating This protocol defines the querier and host roles A querier is a network device that sends query messages to discover which network devices are member...

Page 699: ... address rather than to the all routers address IGMP Version 1 IGMP Version 1 IGMPv1 primarily uses a query response model that enables the multicast router and multilayer switch to find which multicast groups are active have one or more hosts interested in a multicast group on the local subnet IGMPv1 has other processes that enable a host to join and leave a multicast group For more information r...

Page 700: ...receives a multicast packet and has no directly connected members or PIM neighbors present a prune message is sent back to the source to stop unwanted multicast traffic Subsequent multicast packets are not flooded to this router or switch on this pruned branch because branches without receivers are pruned from the distribution tree leaving only branches that contain receivers When a new receiver o...

Page 701: ... RPs serve different group ranges or serve as hot backups of each other Bootstrap Router PIMv2 BSR is another method to distribute group to RP mapping information to all PIM routers and multilayer switches in the network It eliminates the need to manually configure RP information in every router and switch in the network However instead of using IP multicast to distribute group to RP mapping infor...

Page 702: ...ed on an interface that is on the reverse path back to the source 2 If the packet arrives on the interface leading back to the source the RPF check is successful and the packet is forwarded to all interfaces in the outgoing interface list which might not be all interfaces on the router 3 If the RPF check fails the packet is discarded Some multicast routing protocols such as DVMRP maintain a separa...

Page 703: ...However it supports dynamic discovery of DVMRP routers and can interoperate with them over traditional media such as Ethernet and FDDI or over DVMRP specific tunnels DVMRP neighbors build a route table by periodically exchanging source network routing information in route report messages The routing information stored in the DVMRP routing table is separate from the unicast routing table and is use...

Page 704: ...eroperability Problems page 32 22 optional Default Multicast Routing Configuration Table 32 2 shows the default multicast routing configuration Multicast Routing Configuration Guidelines To avoid misconfiguring multicast routing on your switch review the information in these sections PIMv1 and PIMv2 Interoperability page 32 8 Auto RP and BSR Configuration Guidelines page 32 9 PIMv1 and PIMv2 Inter...

Page 705: ...tes with the PIMv2 RP feature Although all PIMv2 devices can also use PIMv1 we recommend that the RPs be upgraded to PIMv2 To ease the transition to PIMv2 we have these recommendations Use Auto RP throughout the region Configure sparse dense mode throughout the region If Auto RP is not already configured in the PIMv1 regions configure Auto RP For more information see the Configuring Auto RP sectio...

Page 706: ...ent the receiver s first hop router might send join messages toward the source to build a source based distribution tree By default multicast routing is disabled and there is no default mode setting This procedure is required Beginning in privileged EXEC mode follow these steps to enable IP multicasting to configure a PIM version and to configure a PIM mode This procedure is required Command Purpo...

Page 707: ...configure an RP If the RP for a group is learned through a dynamic mechanism such as Auto RP or BSR you need not perform this task for that RP Senders of multicast traffic announce their existence through register messages received from the source s first hop router designated router and forwarded to the RP Receivers of multicast packets use RPs to join a multicast group by using explicit join mes...

Page 708: ...s list conditions specify for which groups the device is an RP For ip address enter the unicast address of the RP in dotted decimal notation Optional For access list number enter an IP standard access list number from 1 to 99 If no access list is configured the RP is used for all groups Optional The override keyword means that if there is a conflict between the RP configured with this command and ...

Page 709: ...on on page 32 11 Note If routed interfaces are configured in sparse mode Auto RP can still be used if all devices are configured with a manual RP address for the Auto RP groups These sections describe how to configure Auto RP Setting up Auto RP in a New Internetwork page 32 13 optional Adding Auto RP to an Existing Sparse Mode Cloud page 32 13 optional Preventing Join Messages to False RPs page 32...

Page 710: ...pe and number that identifies the RP address Valid interfaces include physical ports port channels and VLANs For scope ttl specify the time to live value in hops Enter a hop count that is high enough so that the RP announce messages reach all mapping agents in the network There is no default setting The range is 1 to 255 For group list access list number enter an IP standard access list number fro...

Page 711: ... ip pim accept rp auto rp global configuration command This procedure is optional If all interfaces are in sparse mode use a default configured RP to support the two well known groups 224 0 1 39 and 224 0 1 40 Auto RP uses these two well known groups to collect and distribute RP mapping information When this is the case and the ip pim accept rp auto rp command is configured another ip pim accept r...

Page 712: ...able If this variable is omitted the filter applies to all multicast groups If more than one mapping agent is used the filters must be consistent across all mapping agents to ensure that no conflicts occur in the Group to RP mapping information Step 3 access list access list number deny permit source source wildcard Create a standard access list repeating the command as many times as necessary For...

Page 713: ...ing the IP Multicast Boundary page 32 18 optional Configuring Candidate BSRs page 32 19 optional Configuring Candidate RPs page 32 20 optional For overview information see the Bootstrap Router section on page 32 5 Defining the PIM Domain Border As IP multicast becomes more widespread the chance of one PIMv2 domain bordering another PIMv2 domain is increasing Because these two domains probably do n...

Page 714: ...mmand Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny source source wildcard Create a standard access list repeating the command as many times as necessary For access list number the range is 1 to 99 The deny keyword denies access if the conditions are matched For source enter multicast addresses 224 0 1 39 and 224 0 1 40 which carry Aut...

Page 715: ...d has a priority of 10 Switch config interface gigabitethernet0 2 Switch config if ip address 172 21 24 18 255 255 255 0 Switch config if ip pim sparse dense mode Switch config if ip pim bsr candidate gigabitethernet0 2 30 10 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip pim bsr candidate interface id hash mask length priority Configure your switch to be a can...

Page 716: ... command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip pim rp candidate interface id group list access list number Configure your switch to be a candidate RP For interface id specify the interface whose associated IP address is advertised as a candidate RP address Valid interfaces include physical ports port channels and VLANs Optional For group list access li...

Page 717: ...as the RP mapping agents for Auto RP For more information see the Configuring Auto RP section on page 32 13 and the Configuring Candidate BSRs section on page 32 19 For group prefixes advertised through Auto RP the PIMv2 BSR mechanism should not advertise a subrange of these group prefixes served by a different set of RPs In a mixed PIMv1 and PIMv2 domain have backup RPs serve the same group prefi...

Page 718: ...p pim rp hash privileged EXEC command making sure that all systems agree on the same RP for the same group 2 Verify interoperability between different versions of DRs and RPs Make sure the RPs are interacting with the DRs properly by responding with register stops and forwarding decapsulated data packets from registers Configuring Advanced PIM Features These sections describe the optional advanced...

Page 719: ...At this point data might arrive twice at Router C once encapsulated and once natively 5 When data arrives natively unencapsulated at the RP it sends a register stop message to Router A 6 By default reception of the first data packet prompts Router C to send a join message toward the source 7 When Router C receives data on S G it sends a prune message for the source up the shared tree 8 The RP dele...

Page 720: ...Beginning in privileged EXEC mode follow these steps to configure a traffic rate threshold that must be reached before multicast routing is switched from the source tree to the shortest path tree This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny permit source source wildcard Create a standard access list ...

Page 721: ...e needs to be forwarded down the shared tree In this case the DR is the device with the highest IP address Beginning in privileged EXEC mode follow these steps to modify the router query message interval This procedure is optional To return to the default setting use the no ip pim query interval seconds interface configuration command Step 4 end Return to privileged EXEC mode Step 5 show running c...

Page 722: ...n configure the switch as a member of a multicast group and discover multicast reachability in a network If all the multicast capable routers and multilayer switches that you administer are members of a multicast group pinging that group causes all these devices to respond The devices respond to ICMP echo request packets addressed to a group of which they are members Another example is the multica...

Page 723: ...ese steps to filter multicast groups allowed on an interface This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to be configured and enter interface configuration mode Step 3 ip igmp join group group address Configure the switch to join a multicast group By default no group memberships are defined...

Page 724: ... Step 5 access list access list number deny permit source source wildcard Create a standard access list For access list number specify the access list created in Step 3 The deny keyword denies access if the conditions are matched The permit keyword permits access if the conditions are matched For source specify the multicast group that hosts on the subnet can join Optional For source wildcard ente...

Page 725: ...tocol that runs on the LAN The designated router is responsible for sending IGMP host query messages to all hosts on the LAN In sparse mode the designated router also sends PIM register and PIM join messages toward the RP router Beginning in privileged EXEC mode follow these steps to modify the host query interval This procedure is optional To return to the default setting use the no ip igmp query...

Page 726: ...tly connected group members on a LAN Decreasing the value enables the switch to prune groups faster Beginning in privileged EXEC mode follow these steps to change the maximum query response time This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to be configured and enter interface configuration m...

Page 727: ... flag in the multicast route entry Beginning in privileged EXEC mode follow these steps to configure the switch itself to be a statically connected member of a group and enable fast switching This procedure is optional To remove the switch as a member of the group use the no ip igmp static group group address interface configuration command Configuring Optional Multicast Routing Features This sect...

Page 728: ...interface interface id Specify the interface that is connected to the Layer 2 Catalyst switch and enter interface configuration mode Step 3 ip cgmp proxy Enable CGMP on the interface By default CGMP is disabled on all interfaces Enabling CGMP triggers a CGMP join message Enable CGMP only on Layer 3 interfaces connected to Layer 2 Catalyst switches Optional When you enter the proxy keyword the CGMP...

Page 729: ...icast packets from SAP clients which announce their conference sessions These SAP packets contain a session description the time the session is active its IP multicast group addresses media format contact person and other information about the advertised multimedia session The information in the SAP packet is displayed in the SDR Session Announcement window Enabling sdr Listener Support By default...

Page 730: ...t enter or exit this interface thereby providing a firewall for multicast traffic in this address range Note Multicast boundaries and TTL thresholds control the scoping of multicast domains however TTL thresholds are not supported by the switch You should use multicast boundaries instead of TTL thresholds to limit the forwarding of multicast traffic outside of a domain or a subdomain Figure 32 5 s...

Page 731: ...y XYZ Engineering Marketing 239 128 0 0 16 239 0 0 0 8 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny permit source source wildcard Create a standard access list repeating the command as many times as necessary For access list number the range is 1 to 99 The deny keyword denies access if the conditions are matched The permit key...

Page 732: ...devices dynamically discover DVMRP multicast routers on attached networks by listening to DVMR probe messages When a DVMRP neighbor has been discovered the PIM device periodically sends DVMRP report messages advertising the unicast sources reachable in the PIM domain By default directly connected subnets and networks are advertised The device forwards multicast packets that have been forwarded by ...

Page 733: ...et is being sent Optional For source wildcard enter the wildcard bits in dotted decimal notation to be applied to the source Place ones in the bit positions that you want to ignore Recall that the access list is always terminated by an implicit deny statement for everything Step 3 interface interface id Specify the interface connected to the MBONE and enabled for multicast routing and enter interf...

Page 734: ...5 255 Switch config access list 1 deny 0 0 0 0 255 255 255 255 Switch config access list 2 permit 0 0 0 0 255 255 255 255 Configuring a DVMRP Tunnel The software supports DVMRP tunnels to the MBONE You can configure a DVMRP tunnel on a router or multilayer switch if the other end is running DVMRP The software then sends and receives multicast packets through the tunnel This strategy enables a PIM ...

Page 735: ...tion ip address Specify the destination address of the tunnel interface Enter the IP address of the mrouted router Step 6 tunnel mode dvmrp Configure the encapsulation mode for the tunnel to DVMRP Step 7 ip address address mask or ip unnumbered type number Assign an IP address to the interface or Configure the interface as unnumbered Step 8 ip pim dense mode sparse mode Configure the PIM mode on t...

Page 736: ...face gigabitethernet0 1 Switch config if ip address 172 16 2 1 255 255 255 0 Switch config if ip pim dense mode Switch config exit Switch config access list 1 permit 198 92 37 0 0 0 0 255 Advertising Network 0 0 0 0 to DVMRP Neighbors If your switch is a neighbor of an mrouted version 3 6 device you can configure the software to advertise network 0 0 0 0 the default route to the DVMRP neighbor The...

Page 737: ... 0 1 0 pim querier down leaf 171 69 214 203 0 0 0 0 1 0 pim querier down leaf 171 69 214 18 171 69 214 20 mm1 45e cisco com 1 0 pim 171 69 214 18 171 69 214 19 mm1 45c cisco com 1 0 pim 171 69 214 18 171 69 214 17 mm1 45a cisco com 1 0 pim Configuring Advanced DVMRP Interoperability Features Cisco routers and multilayer switches run PIM to forward multicast packets to receivers and receive multica...

Page 738: ...VMRP unicast routing can run on all interfaces For DVMRP tunnels it uses DVMRP multicast routing This feature does not enable DVMRP multicast routing among Cisco routers and multilayer switches However if there is a DVMRP capable multicast router the Cisco device can do PIM DVMRP multicast routing Beginning in privileged EXEC mode follow these steps to enable DVMRP unicast routing This procedure i...

Page 739: ...e switch which is a neighbor to the leaf nonpruning DVMRP machine with the ip dvmrp reject non pruners interface configuration command on the interface connected to the nonpruning machine as shown in Figure 32 7 In this case when the switch receives DVMRP probe or report message without the prune capable flag set the switch logs a syslog message and discards the message 101244 Router A Router B La...

Page 740: ...s optional To disable this function use the no ip dvmrp reject non pruners interface configuration command 101245 Router A Router B RP Multicast traffic gets to receiver not to leaf DVMRP device Source router or RP Leaf nonpruning DVMRP device Configure the ip dvmrp reject non pruners command on this interface Receiver Layer 3 switch Command Purpose Step 1 configure terminal Enter global configura...

Page 741: ...ode follow these steps to change the DVMRP route limit This procedure is optional To configure no route limit use the no ip dvmrp route limit global configuration command Changing the DVMRP Route Threshold By default 10 000 DVMRP routes can be received per interface within a 1 minute interval When that rate is exceeded a syslog message is issued warning that there might be a route surge occurring ...

Page 742: ...MRP tunnel shares the same IP address as Fast Ethernet port 1 and falls into the same Class B network as the two directly connected subnets classful summarization of these routes was not performed As a result the DVMRP router is able to poison reverse only these two routes to the directly connected subnets and is able to only RPF properly for multicast traffic sent by sources on these two Ethernet...

Page 743: ...3 3 0 24 m 40 176 32 10 0 24 m 1 176 32 15 0 24 m 1 DVMRP router Cisco router Tunnel Fast Ethernet 0 1 176 32 10 0 24 Fast Ethernet 0 2 176 32 15 0 24 DVMRP Report 45156 DVMRP Route Table Unicast Routing Table 10 000 Routes interface tunnel 0 ip unnumbered fa0 1 interface fastethernet 0 1 ip addr 176 32 10 1 255 255 255 0 ip pim dense mode interface fastethernet 0 2 ip addr 176 32 15 1 255 255 255...

Page 744: ...le DVMRP autosummarization This procedure is optional To re enable auto summarization use the ip dvmrp auto summary interface configuration command Adding a Metric Offset to the DVMRP Route By default the switch increments by one the metric hop count of a DVMRP route advertised in incoming DVMRP reports You can change the metric if you want to favor or not favor a certain route For example a route...

Page 745: ...figured and enter interface configuration mode Step 3 ip dvmrp metric offset in out increment Change the metric added to DVMRP routes advertised in incoming reports The keywords have these meanings Optional in Specifies that the increment value is added to incoming DVMRP reports and is reported in mrinfo replies Optional out Specifies that the increment value is added to outgoing DVMRP reports for...

Page 746: ...le 32 5 to display various routing statistics Table 32 4 Commands for Clearing Caches Tables and Databases Command Purpose clear ip cgmp Clear all group entries the Catalyst switches have cached clear ip dvmrp route route Delete routes from the DVMRP routing table clear ip igmp group group name group address interface Delete entries from the IGMP cache clear ip mroute group source Delete entries f...

Page 747: ...switch show ip pim rp group name group address Display the RP routers associated with a sparse mode multicast group show ip rpf source address name Display how the switch is doing Reverse Path Forwarding that is from the unicast routing table DVMRP routing table or static mroutes show ip sdr group session name detail Display the Session Directory Protocol Version 2 cache Table 32 5 Commands for Di...

Page 748: ...32 52 Catalyst 3560 Switch Software Configuration Guide 78 16156 01 Chapter 32 Configuring IP Multicast Routing Monitoring and Maintaining IP Multicast Routing ...

Page 749: ... this chapter refer to the Cisco IOS IP and IP Routing Command Reference for Release 12 1 This chapter consists of these sections Understanding MSDP page 33 1 Configuring MSDP page 33 4 Monitoring and Maintaining MSDP page 33 19 Understanding MSDP MSDP allows multicast sources for a group to be known to all rendezvous points RPs in different domains Each PIM SM domain uses its own RPs and does not...

Page 750: ...SDP peers The SA message identifies the source the group the source is sending to and the address of the RP or the originator ID the IP address of the interface used as the RP address if configured Each MSDP peer receives and forwards the SA message away from the originating RP to achieve peer reverse path flooding RPF The MSDP device examines the BGP or MBGP routing table to discover which peer i...

Page 751: ... never need to leave your domain PIM sparse mode domains can rely only on their own RPs decreasing reliance on RPs in another domain This increases security because you can prevent your sources from being known outside your domain Domains with only receivers can receive data without globally advertising group membership Global source multicast routing table state is not required saving memory MSDP...

Page 752: ...Configure a default MSDP peer when the switch is not BGP or MBGP peering with an MSDP peer If a single MSDP peer is configured the switch always accepts all SA messages from that peer Figure 33 2 shows a network in which default MSDP peers might be used In Figure 33 2 a customer who owns Switch B is connected to the Internet through two Internet service providers ISPs one owning Router A and the o...

Page 753: ... For ip address name enter the IP address or Domain Name System DNS server name of the MSDP default peer Optional For prefix list list enter the list name that specifies the peer to be the default peer only for the listed prefixes You can have multiple active default peers when you have a prefix list associated with each When you enter multiple ip msdp default peer commands with the prefix list ke...

Page 754: ... a SA message is received by the local RP that member needs to wait until the next SA message to hear about the source This delay is known as join latency If you want to sacrifice some memory in exchange for reducing the latency of the source information you can configure the switch to cache SA messages Step 3 ip prefix list name description string seq number permit deny network length Optional Cr...

Page 755: ... For list access list number the range is 100 to 199 Step 3 access list access list number deny permit protocol source source wildcard destination destination wildcard Create an IP extended access list repeating the command as many times as necessary For access list number the range is 100 to 199 Enter the same number created in Step 2 The deny keyword denies access if the conditions are matched T...

Page 756: ...ces memory Beginning in privileged EXEC mode follow these steps to configure the switch to send SA request messages to the MSDP peer when a new member joins a group and wants to receive multicast traffic This procedure is optional To return to the default setting use the no ip msdp sa request ip address name global configuration command This example shows how to configure the switch to send SA req...

Page 757: ...ure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip msdp redistribute list access list name asn aspath access list number route map map Configure which S G entries from the multicast routing table are advertised in SA messages By default only sources within the local domain are advertised Optional For list access list name enter the name or number of...

Page 758: ...f the conditions are matched The permit keyword permits access if the conditions are matched For protocol enter ip as the protocol name For source enter the number of the network or host from which the packet is being sent For source wildcard enter the wildcard bits in dotted decimal notation to be applied to the source Place ones in the bit positions that you want to ignore For destination enter ...

Page 759: ...t 171 69 2 2 list 1 Switch config access list 1 permit 192 4 22 0 0 0 0 255 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip msdp filter sa request ip address name or ip msdp filter sa request ip address name list access list number Filter all SA request messages from the specified MSDP peer or Filter SA request messages from the specified MSDP peer for groups th...

Page 760: ...eged EXEC mode follow these steps to apply a filter This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip msdp sa filter out ip address name or ip msdp sa filter out ip address name list access list number or ip msdp sa filter out ip address name route map map tag Filter all SA messages to the specified MSDP peer or To the specified peer pas...

Page 761: ...sary For access list number enter the number specified in Step 2 The deny keyword denies access if the conditions are matched The permit keyword permits access if the conditions are matched For protocol enter ip as the protocol name For source enter the number of the network or host from which the packet is being sent For source wildcard enter the wildcard bits in dotted decimal notation to be app...

Page 762: ...ages that its MSDP RPF peers send to it However you can control the source information that you receive from MSDP peers by filtering incoming SA messages In other words you can configure the switch to not accept them You can perform one of these actions Filter all incoming SA messages from an MSDP peer Specify an IP extended access list to pass certain source group pairs Filter based on match crit...

Page 763: ...messages that meet the match criteria in the route map map tag If all match criteria are true a permit from the route map passes routes through the filter A deny will filter routes Step 3 access list access list number deny permit protocol source source wildcard destination destination wildcard Optional Create an IP extended access list repeating the command as many times as necessary For access l...

Page 764: ...ss name global configuration command Shutting Down an MSDP Peer If you want to configure many MSDP commands for the same peer and you do not want the peer to become active you can shut down the peer configure it and later bring it up When a peer is shut down the TCP connection is terminated and is not restarted You can also shut down an MSDP session without losing configuration information for the...

Page 765: ... procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip msdp shutdown peer name peer address Administratively shut down the specified MSDP peer without losing configuration information For peer name peer address enter the IP address or name of the MSDP peer to shut down Step 3 end Return to privileged EXEC mode Step 4 show running config Verify yo...

Page 766: ...rces to be known to the outside world Because this switch is not an RP it would not have an RP address to use in an SA message Therefore this command provides the RP address by specifying the address of the interface Beginning in privileged EXEC mode follow these steps to allow an MSDP speaker that originates an SA message to use the IP address on the interface as the RP address in the SA message ...

Page 767: ...tem The ip msdp cache sa state command must be configured for this command to produce any output show ip msdp peer peer address name Displays detailed information about an MSDP peer show ip msdp sa cache group address source address group name source name autonomous system number Displays S G state learned from MSDP peers show ip msdp summary Displays MSDP peer status and SA message counts Table 3...

Page 768: ...33 20 Catalyst 3560 Switch Software Configuration Guide 78 16156 01 Chapter 33 Configuring MSDP Monitoring and Maintaining MSDP ...

Page 769: ...ave any VLANs associated with them can be configured grouped together to form a bridge group Recall that an SVI represents a VLAN of switch ports as one interface to the routing or bridging function in the system You associate only one SVI with a VLAN and you configure an SVI for a VLAN only when you want to route between VLANs to fallback bridge nonroutable protocols between VLANs or to provide I...

Page 770: ...parate spanning tree instance A bridge group establishes a spanning tree instance based on the BPDUs it receives on only its member interfaces If the bridge STP BPDU is received on a port whose VLAN does not belong to a bridge group the BPDU is flooded on all the forwarding ports of the VLAN Figure 34 1 shows a fallback bridging network example The switch has two ports configured as SVIs with diff...

Page 771: ...roups All interfaces in the same group belong to the same bridge domain Each SVI or routed port can be assigned to only one bridge group Note The protected port feature is not compatible with fallback bridging When fallback bridging is enabled it is possible for packets to be forwarded from one protected port on a switch to another protected port on the same switch if the ports are in different VL...

Page 772: ...bridge bridge group protocol vlan bridge Assign a bridge group number and specify the VLAN bridge spanning tree protocol to run in the bridge group The ibm and dec keywords are not supported For bridge group specify the bridge group number The range is 1 to 255 You can create up to 32 bridge groups Frames are bridged only among interfaces in the same group Step 3 interface interface id Specify the...

Page 773: ...t suitable You configure parameters affecting the entire spanning tree by using variations of the bridge global configuration command You configure interface specific parameters by using variations of the bridge group interface configuration command You can adjust spanning tree parameters by performing any of the tasks in these sections Changing the VLAN Bridge Spanning Tree Priority page 34 6 opt...

Page 774: ...the lowest interface value is elected Beginning in privileged EXEC mode follow these steps to change the interface priority This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 bridge bridge group priority number Change the VLAN bridge spanning tree priority of the switch For bridge group specify the bridge group number The range is 1 to 255 F...

Page 775: ...e the path cost to 20 on a port in bridge group 10 Switch config interface gigabitethernet0 1 Switch config if bridge group 10 path cost 20 Step 5 show running config Verify your entry Step 6 copy running config startup config Optional Save your entry in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Sp...

Page 776: ...l between Hello BPDUs Beginning in privileged EXEC mode follow these step to adjust the interval between hello BPDUs This procedure is optional To return to the default setting use the no bridge bridge group hello time global configuration command This example shows how to change the hello interval to 5 seconds in bridge group 10 Switch config bridge 10 hello time 5 Command Purpose Step 1 configur...

Page 777: ...nal To return to the default setting use the no bridge bridge group max age global configuration command This example shows how to change the maximum idle interval to 30 seconds in bridge group 10 Switch config bridge 10 max age 30 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 bridge bridge group forward time seconds Specify the forward delay interval For bridge ...

Page 778: ... group 10 spanning disabled Monitoring and Maintaining Fallback Bridging To monitor and maintain the network use one or more of the privileged EXEC commands in Table 34 2 For information about the fields in these displays refer to the Cisco IOS Bridging and IBM Networking Command Reference for Release 12 1 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface i...

Page 779: ...eference for this release and the Cisco IOS Command Summary for Release 12 1 This chapter consists of these sections Recovering from Corrupted Software By Using the XMODEM Protocol page 35 2 Recovering from a Lost or Forgotten Password page 35 4 Recovering from a Command Switch Failure page 35 8 Recovering from Lost Cluster Member Connectivity page 35 11 Note Recovery procedures require that you h...

Page 780: ...s of the tar file by using the tar tvf image_filename tar UNIX command switch tar tvf image_filename tar drwxr xr x 9658 25 0 Nov 21 13 20 2003 c3560 i5 mz 121 19 EA1 drwxr xr x 9658 25 0 Nov 18 18 31 2003 c3560 i5 mz 121 19 EA1 html rw r r 9658 25 4005 Nov 18 15 56 2003 c3560 i5 mz 121 19 EA1 html homepage htm rw r r 9658 25 1392 Nov 18 15 56 2003 c3560 i5 mz 121 19 EA1 html not_supported html rw...

Page 781: ...t the software appear along with instructions The system has been interrupted prior to initializing the flash file system The following commands will initialize the flash file system and finish loading the operating system software flash_init load_helper boot Step 7 Initialize the Flash file system switch flash_init Step 8 If you had set the console port speed to anything other than 9600 it has be...

Page 782: ...ry by using the service password recovery global configuration command Follow the steps in this procedure if you have forgotten or lost the switch password Step 1 Connect a terminal or PC with terminal emulation software to the switch console port Step 2 Set the line speed on the emulation software to 9600 baud Step 3 Power off the switch Step 4 Press the Mode button and at the same time reconnect...

Page 783: ...speed to match that of the switch console port Step 3 Load any helper files switch load_helper Step 4 Display the contents of Flash memory switch dir flash The switch file system appears Directory of flash 13 drwx 192 Mar 01 1993 22 30 48 c3560 i5 mz 121 19 EA1 11 rwx 5825 Mar 01 1993 22 31 59 config text 18 rwx 720 Mar 01 1993 02 21 30 vlan dat 16128000 bytes total 10003456 bytes free Step 5 Rena...

Page 784: ...s likely to leave your switch virtual interface in a shutdown state You can see which interface is in this state by entering the show running config privileged EXEC command To re enable the interface enter the interface vlan vlan id global configuration command and specify the VLAN ID of the shutdown interface With the switch in interface configuration mode enter the no shutdown command Step 14 Re...

Page 785: ...ation y n Y Step 2 Load any helper files Switch load_helper Step 3 Display the contents of Flash memory switch dir flash The switch file system appears Directory of flash 13 drwx 192 Mar 01 1993 22 30 48 c3560 i5 mz 121 19 EA1 16128000 bytes total 10003456 bytes free Step 4 Boot the system Switch boot You are prompted to start the setup program To continue with password recovery enter N at the pro...

Page 786: ... switch and your command switch loses power or fails in some other way management contact with the member switches is lost and you must install a new command switch However connectivity between switches that are still connected is not affected and the member switches forward packets as usual You can manage the members as standalone switches through the console port or if they have IP addresses thr...

Page 787: ...onfiguration Dialog Continue with configuration dialog yes no y At any point you may enter a question mark for help Use ctrl c to abort configuration dialog at any prompt Default settings are in square brackets Basic management setup configures only enough connectivity for management of the system extended setup will ask you to configure each interface on the system Would you like to enter basic m...

Page 788: ...with a switch that is command capable but not part of the cluster follow these steps Step 1 Insert the new switch in place of the failed command switch and duplicate its connections to the cluster members Step 2 Start a CLI session on the new command switch You can access the CLI by using the console port or if an IP address has been assigned to the switch by using Telnet For details about using t...

Page 789: ... underscores Step 11 When the initial configuration displays verify that the addresses are correct Step 12 If the displayed information is correct enter Y and press Return If this information is not correct enter N press Return and begin again at Step 9 Step 13 Start your browser and enter the IP address of the new command switch Step 14 From the Cluster menu select Add to Cluster to display a lis...

Page 790: ...switch port and is being powered by an AC power source loses power from the AC power source the device might enter an error disabled state To recover from an error disabled state enter the shut interface configuration command and then enter the noshut interface command Use these commands described in the command reference for this release to monitor PoE port status show controllers power inline pr...

Page 791: ...ing which you can use to test connectivity to remote hosts Ping sends an echo request packet to an address and waits for a reply Ping returns one of these responses Normal response The normal response hostname is alive occurs in 1 to 10 seconds depending on network traffic Destination does not respond If the host does not respond a no answer message is returned Unknown host If the host does not ex...

Page 792: ...35 16 Understanding Layer 2 Traceroute The Layer 2 traceroute feature allows the switch to identify the physical path that a packet takes from a source device to a destination device Layer 2 traceroute supports only unicast source and destination MAC addresses It determines the path by using the MAC address tables of the switches in the path When the switch detects a device in the path that does n...

Page 793: ...cify source and destination MAC addresses that belong to different VLANs the Layer 2 path is not identified and an error message appears If you specify a multicast source or destination MAC address the path is not identified and an error message appears If the source or destination MAC address belongs to multiple VLANs you must specify the VLAN to which both the source and destination MAC addresse...

Page 794: ...te switch is a multilayer switch that is routing a particular packet this switch shows up as a hop in the traceroute output The traceroute privileged EXEC command uses the Time To Live TTL field in the IP header to cause routers and servers to generate specific return messages Traceroute starts by sending a User Datagram Protocol UDP datagram to the destination host with the TTL field set to 1 If ...

Page 795: ...msec 5 171 9 121 34 0 msec 4 msec 4 msec 6 171 9 15 9 120 msec 132 msec 128 msec 7 171 9 15 10 132 msec 128 msec 128 msec Switch The display shows the hop count IP address of the router and the round trip time in milliseconds for each of the three probes that are sent To terminate a trace in progress enter the escape sequence Ctrl X by default You enter the default by simultaneously pressing and r...

Page 796: ...nabling Debugging on a Specific Feature All debug commands are entered in privileged EXEC mode and most debug commands take no arguments For example beginning in privileged EXEC mode enter this command to enable the debugging for Switched Port Analyzer SPAN Switch debug span session The switch continues to generate output until you enter the no form of the command If you enable a debug command and...

Page 797: ...erver The syslog format is compatible with 4 3 Berkeley Standard Distribution BSD UNIX and its derivatives Note Be aware that the debugging destination you use affects system overhead Logging messages to the console produces very high overhead whereas logging messages to a virtual terminal produces less overhead Logging messages to a syslog server produces even less and logging to an internal buff...

Page 798: ...000 Port Vlan SrcMac DstMac Cos Dscpv Gi0 1 0005 0001 0001 0001 0002 0002 0002 Packet 2 Lookup Key Used Index Hit A Data OutptACL 50_0D020202_0D010101 00_40000014_000A0000 01FFE 03000000 Port Vlan SrcMac DstMac Cos Dscpv Gi0 2 0005 0001 0001 0001 0002 0002 0002 output truncated Packet 10 Lookup Key Used Index Hit A Data OutptACL 50_0D020202_0D010101 00_40000014_000A0000 01FFE 03000000 Packet dropp...

Page 799: ...010101 00_40000014_000A0000 034E0 000C001D_00000000 Lookup Used Secondary Station Descriptor 02260000 DestIndex 0226 RewriteIndex 0000 This is an example of the output when the packet coming in on Gigabit Ethernet port 1 in VLAN 5 has a destination MAC address set to the router MAC address in VLAN 5 and the destination IP address set to an IP address that is in the IP routing table It should be fo...

Page 800: ...crashinfo_n where n is a sequence number Each new crashinfo file that is created uses a sequence number that is larger than any previously existing sequence number so the file with the largest sequence number describes the most recent failure Version numbers are used instead of a timestamp because the switches do not include a real time clock You cannot change the name of the file that the system ...

Page 801: ...messages using the configured community string always provide information for VLAN 1 To obtain the BRIDGE MIB information for other VLANs for example VLAN x use this community string in the SNMP message configured community string x CISCO CDP MIB CISCO CLUSTER MIB CISCO CONFIG COPY MIB CISCO CONFIG MAN MIB CISCO ENTITY FRU CONTROL MIB CISCO ENVMON MIB CISCO FLASH MIB Flash memory on all switches i...

Page 802: ...IFTABLE RELATIONSHIP MIB CISCO VLAN MEMBERSHIP MIB CISCO VTP MIB ENTITY MIB ETHERLIKE_MIB IEEE8023 LACP MIB IF MIB In and out counters for VLANs are not supported IGMP MIB IPMROUTE MIB OLD CISCO CHASSIS MIB OLD CISCO FLASH MIB OLD CISCO INTERFACES MIB OLD CISCO IP MIB OLD CISCO SYS MIB OLD CISCO TCP MIB OLD CISCO TS MIB PIM MIB RFC1213 MIB Functionality is as per the agent capabilities specified i...

Page 803: ...ist html You can access other information about MIBs and Cisco products on the Cisco web site http www cisco com public sw center netmgmt cmtk mibs shtml Using FTP to Access the MIB Files You can obtain each MIB file by using this procedure Step 1 Use FTP to access the server ftp cisco com Step 2 Log in with the username anonymous Step 3 Enter your e mail username when prompted for the password St...

Page 804: ...A 4 Catalyst 3560 Switch Software Configuration Guide 78 16156 01 Appendix A Supported MIBs Using FTP to Access the MIB Files ...

Page 805: ...ists of these sections Working with the Flash File System page B 1 Working with Configuration Files page B 8 Working with Software Images page B 20 Working with the Flash File System The Flash file system is a single Flash device on which you can store files It also provides several commands to help you manage software image and configuration files The default Flash file system on the switch is na...

Page 806: ...ree b Amount of free memory in the file system in bytes Type Type of file system flash The file system is for a Flash memory device nvram The file system is for a nonvolatile RAM NVRAM device opaque The file system is a locally generated pseudo file system for example the system or a download interface such as brimux unknown The file system is an unknown type Flags Permission for file system ro re...

Page 807: ...ration file with the same name Similarly before copying a Flash configuration file to another location you might want to verify its filename for use in another command To display information about files on a file system use one of the privileged EXEC commands in Table B 2 Changing Directories and Displaying the Working Directory Beginning in privileged EXEC mode follow these steps to change direct...

Page 808: ...om a source to a destination use the copy source url destination url privileged EXEC command For the source and destination URLs you can use running config and startup config keyword shortcuts For example the copy running config startup config command saves the currently running configuration file to the NVRAM section of Flash memory to be used as the configuration during system initialization You...

Page 809: ...mmand Use the recursive keyword for deleting a directory and all subdirectories and the files contained in it Use the force keyword to suppress the prompting that confirms a deletion of each file in the directory You are prompted only once at the beginning of this deletion process Use the force and recursive keywords for deleting old software images that were installed by using the archive downloa...

Page 810: ...the source directory to write to the new tar file If none are specified all files and directories at this level are written to the newly created tar file This example shows how to create a tar file This command writes the contents of the new configs directory on the local Flash device to a file named saved tar on the TFTP server at 172 20 10 30 Switch archive tar create tftp 172 20 10 30 saved tar...

Page 811: ...file url dir file For source url specify the source URL alias for the local file system These options are supported For the local Flash file system the syntax is flash For the File Transfer Protocol FTP the syntax is ftp username password location directory tar filename tar For the Remote Copy Protocol RCP the syntax is rcp username location directory tar filename tar For the Trivial File Transfer...

Page 812: ...estore a backed up configuration file To use the configuration file for another switch For example you might add another switch to your network and want it to have a configuration similar to the original switch By copying the file to the new switch you can change the relevant parts rather than recreating the whole file To load the same configuration commands on all the switches in your network so ...

Page 813: ... the existing running configuration before adding the commands If a command in the copied configuration file replaces a command in the existing configuration file the existing command is erased For example if the copied configuration file contains a different IP address in a particular command than the existing configuration the IP address in the copied configuration is used However some commands ...

Page 814: ... by using configuration files you create download from another switch or download from a TFTP server You can copy upload configuration files to a TFTP server for storage This section includes this information Preparing to Download or Upload a Configuration File By Using TFTP page B 10 Downloading the Configuration File By Using TFTP page B 11 Uploading the Configuration File By Using TFTP page B 1...

Page 815: ...y on the workstation Step 2 Verify that the TFTP server is properly configured by referring to the Preparing to Download or Upload a Configuration File By Using TFTP section on page B 10 Step 3 Log into the switch through the console port or a Telnet session Step 4 Download the configuration file from the TFTP server to configure the switch Specify the IP address or host name of the TFTP server an...

Page 816: ...mmand if a username is specified The username set by the ip ftp username username global configuration command if the command is configured Anonymous The switch sends the first valid password in this list The password specified in the copy command if a password is specified The password set by the ip ftp password password global configuration command if the command is configured The switch forms a...

Page 817: ...ate a new FTP username by using the ip ftp username username global configuration command during all copy operations The new username is stored in NVRAM If you are accessing the switch through a Telnet session and you have a valid username this username is used and you do not need to set the FTP username Include the username in the copy command if you want to specify a username for only that copy ...

Page 818: ...tion file host2 confg from the netadmin1 directory on the remote server with an IP address of 172 16 101 101 to the switch startup configuration Switch configure terminal Switch config ip ftp username netadmin1 Switch config ip ftp password mypass Switch config end Switch copy ftp nvram startup config Address of remote host 255 255 255 255 172 16 101 101 Name of configuration file rtr2 confg host2...

Page 819: ...config ip ftp password mypass Switch config end Switch copy nvram startup config ftp Remote host 172 16 101 101 Name of configuration file to write switch2 confg Write file switch2 confg on host 172 16 101 101 confirm OK Command Purpose Step 1 Verify that the FTP server is properly configured by referring to the Preparing to Download or Upload a Configuration File By Using FTP section on page B 13...

Page 820: ...elnet username as the remote username The switch host name For a successful RCP copy request you must define an account on the network server for the remote username If the server has a directory structure the configuration file is written to or copied from the directory associated with the remote username on the server For example if the configuration file is in the home directory of a user on th...

Page 821: ...netadmin1 directory on the remote server with an IP address of 172 16 101 101 and load and run those commands on the switch Switch copy rcp netadmin1 172 16 101 101 host1 confg system running config Configure using host1 confg from 172 16 101 101 confirm Connected to 172 16 101 101 Loading 1112 byte file host1 confg OK Switch SYS 5 CONFIG Configured from host1 config by rcp from 172 16 101 101 Com...

Page 822: ... to upload a configuration file by using RCP This example shows how to copy the running configuration file named switch2 confg to the netadmin1 directory on the remote host with an IP address of 172 16 101 101 Switch copy system running config rcp netadmin1 172 16 101 101 switch2 confg Write file switch confg on host 172 16 101 101 confirm Building configuration OK Connected to 172 16 101 101 Swit...

Page 823: ...onfiguration the switch enters the setup program so that you can reconfigure the switch with all new settings Clearing the Startup Configuration File To clear the contents of your startup configuration use the erase nvram or the erase startup config privileged EXEC command Caution You cannot restore the startup configuration file after it has been deleted Deleting a Stored Configuration File To de...

Page 824: ...t mechanisms provide faster performance and more reliable delivery of data than TFTP These improvements are possible because FTP and RCP are built on and use the Transmission Control Protocol Internet Protocol TCP IP stack which is connection oriented This section includes this information Image Location on the Switch page B 20 tar File Format of Images on a Server or Cisco com page B 21 Copying I...

Page 825: ...e_file_size 3973632 total_image_file_size 5929472 image_feature LAYER_3 MIN_DRAM_MEG 64 image_family C3560 stacking_number 1 0 board_ids 0x00000008 info_end Note Disregard the stacking_number field It does not apply to the switch Table B 3 info File Description Field Description version_suffix Specifies the Cisco IOS image version string suffix version_directory Specifies the directory where the C...

Page 826: ...FTP page B 24 Preparing to Download or Upload an Image File By Using TFTP Before you begin downloading or uploading an image file by using TFTP do these tasks Ensure that the workstation acting as the TFTP server is properly configured On a Sun workstation make sure that the etc inetd conf file contains this line tftp dgram udp wait root usr etc in tftpd in tftpd p s tftpboot Make sure that the et...

Page 827: ...s the new image and then reloads the software Command Purpose Step 1 Copy the image to the appropriate TFTP directory on the workstation Make sure the TFTP server is properly configured see the Preparing to Download or Upload an Image File By Using TFTP section on page B 22 Step 2 Log into the switch through the console port or a Telnet session Step 3 archive download sw overwrite reload tftp loca...

Page 828: ...gorithms to operate properly do not rename image names Uploading an Image File By Using TFTP You can upload an image from the switch to a TFTP server You can later download this image to the switch or to another switch of the same type The upload feature should be used only if the HTML pages associated with the CMS have been installed with the existing image Beginning in privileged EXEC mode follo...

Page 829: ...rotocol requires a client to send a remote username and password on each FTP request to a server When you copy an image file from the switch to a server by using FTP the Cisco IOS software sends the first valid username in this list The username specified in the archive download sw or archive upload sw privileged EXEC command if a username is specified The username set by the ip ftp username usern...

Page 830: ...rations The new username is stored in NVRAM If you are accessing the switch through a Telnet session and you have a valid username this username is used and you do not need to set the FTP username Include the username in the archive download sw or archive upload sw privileged EXEC command if you want to specify a username for that operation only When you upload an image file to the FTP server it m...

Page 831: ...sh memory with the downloaded image The reload option reloads the system after downloading the image unless the configuration has been changed and not been saved For username password specify the username and password these must be associated with an account on the FTP server For more information see the Preparing to Download or Upload an Image File By Using FTP section on page B 25 For location s...

Page 832: ...en installed with the existing image Beginning in privileged EXEC mode follow these steps to upload an image to an FTP server Command Purpose Step 1 Verify that the FTP server is properly configured by referring to the Preparing to Download or Upload a Configuration File By Using FTP section on page B 13 Step 2 Log into the switch through the console port or a Telnet session Step 3 configure termi...

Page 833: ...ve tar privileged EXEC command we recommend using the archive download sw and archive upload sw privileged EXEC commands to download and upload software image files This section includes this information Preparing to Download or Upload an Image File By Using RCP page B 29 Downloading an Image File By Using RCP page B 31 Uploading an Image File By Using RCP page B 33 Preparing to Download or Upload...

Page 834: ...er supports the remote shell rsh Ensure that the switch has a route to the RCP server The switch and the server must be in the same subnetwork if you do not have a router to route traffic between subnets Check connectivity to the RCP server by using the ping command If you are accessing the switch through the console or a Telnet session and you do not have a valid username make sure that the curre...

Page 835: ... the default remote username see Steps 4 and 5 Step 4 ip rcmd remote username username Optional Specify the remote username Step 5 end Return to privileged EXEC mode Step 6 archive download sw overwrite reload rcp username location directory image na me tar Download the image file from the RCP server to the switch and overwrite the current image The overwrite option overwrites the software image i...

Page 836: ...to point to the newly installed image If you kept the old software during the download process you specified the leave old sw keyword you can remove it by entering the delete force recursive filesystem file url privileged EXEC command For filesystem use flash for the system board Flash device For file url enter the directory name of the old software image All the files in the directory and the dir...

Page 837: ...hat the RCP server is properly configured by referring to the Preparing to Download or Upload an Image File By Using RCP section on page B 29 Step 2 Log into the switch through the console port or a Telnet session Step 3 configure terminal Enter global configuration mode This step is required only if you override the default remote username see Steps 4 and 5 Step 4 ip rcmd remote username username...

Page 838: ...B 34 Catalyst 3560 Switch Software Configuration Guide 78 16156 01 Appendix B Working with the Cisco IOS File System Configuration Files and Software Images Working with Software Images ...

Page 839: ...not tested or because of Catalyst 3560 hardware limitations This is not a complete list The unsupported commands are listed by software feature and command mode Access Control Lists Unsupported Privileged EXEC Commands access enable host timeout minutes access template access list number name dynamic name source destination timeout minutes clear access template access list number name dynamic name...

Page 840: ...Privileged EXEC Commands clear bridge bridge group multicast router ports groups counts group address interface unit counts clear vlan statistics show bridge bridge group circuit group circuit group src mac address dst mac address show bridge bridge group multicast router ports groups group address show bridge vlan show interfaces crb show interfaces ethernet fastethernet interface slot port irb s...

Page 841: ...ridge group bridge group input lat service deny group list bridge group bridge group input lat service permit group list bridge group bridge group input lsap list access list number bridge group bridge group input pattern list access list number bridge group bridge group input type list access list number bridge group bridge group lat compression bridge group bridge group output address list acces...

Page 842: ...Virtual Template interface Virtual Tokenring Unsupported Interface Configuration Commands mtu standby mac refresh seconds standby use bia IGMP Snooping Commands Unsupported Global Configuration Commands ip igmp snooping source only learning ip igmp snooping tcn Interface Commands Unsupported Privileged EXEC Commands show interfaces interface id vlan vlan id crb fair queue irb mac accounting preced...

Page 843: ... group name or address command affects only packets received by the switch CPU Because most multicast packets are hardware switched use this command only when you know that the route will forward the packet to the CPU debug ip pim atm show frame relay ip rtp header compression interface type number The show ip mcache command displays entries in the cache for those packets that are sent to the swit...

Page 844: ...oard group list access list source list access list kbps ip multicast ttl threshold ttl value instead use the ip multicast boundary access list number interface configuration command ip multicast use functional ip pim minimum vc rate pps ip pim multipoint signalling ip pim nbma mode ip pim vc count number ip rtp compression connections number ip rtp header compression passive IP Unicast Routing Un...

Page 845: ...count ip cef accounting per prefix non recursive ip cef traffic statistics load interval seconds update rate seconds ip flow aggregation ip flow cache ip flow export ip gratuitous arps ip local ip prefix list ip reflexive list router egp router isis router iso igrp router mobile router odr router static Unsupported Interface Configuration Commands ip accounting ip load sharing per packet ip mtu by...

Page 846: ...scription network backdoor table map Unsupported VPN Configuration Commands All Unsupported Route Map Commands match route type set as path tag prepend as path string set automatic tag set dampening half life reuse suppress max suppress time set default interface interface id interface id set interface interface id interface id set ip default next hop ip address ip address set ip destination ip ad...

Page 847: ... template name Unsupported Global Configuration Commands ip msdp default peer ip address name prefix list list Because BGP MBGP is not supported use the ip msdp peer command instead of this command Network Address Translation NAT Commands Unsupported User EXEC Commands clear ip nat translation show ip nat statistics show ip nat translations Unsupported Global Configuration Commands ip nat inside d...

Page 848: ...ius server extended portnames SNMP Unsupported Global Configuration Commands snmp server enable informs snmp server enable traps flash insertion snmp server enable traps flash removal snmp server ifindex persist Spanning Tree Unsupported Global Configuration Commands spanning tree etherchannel guard misconfig spanning tree pathcost method long short Unsupported Interface Configuration Commands spa...

Page 849: ...index show vlan private vlan VTP Unsupported Privileged EXEC Commands vtp password password pruning version number private vlan Note This command has been replaced by the vtp global configuration command Miscellaneous Unsupported Global Configuration Commands errdisable detect cause dhcp rate limit errdisable recovery cause dhcp rate limit errdisable recovery cause unicast flood service compress c...

Page 850: ...C 12 Catalyst 3560 Switch Software Configuration Guide 78 16156 01 Appendix C Unsupported Commands in Cisco IOS Release 12 1 19 EA1 Miscellaneous ...

Page 851: ... 29 AC command switch 5 10 5 19 access class command 27 19 access control entries See ACEs access denied response VMPS 12 28 access groups applying ACLs to interfaces 27 20 IP 27 20 Layer 2 27 20 Layer 3 27 20 accessing clusters switch 5 13 command switches 5 11 member switches 5 13 switch clusters 5 13 access lists See ACLs access ports defined 10 2 in switch clusters 5 9 accounting with RADIUS 8...

Page 852: ... limiting actions 27 37 logging messages 27 9 log keyword 27 15 MAC extended 27 26 28 39 matching 27 7 27 20 monitoring 27 40 named 27 14 number per QoS class map 28 29 numbers 27 7 ACLs continued port 27 2 precedence of 27 2 QoS 28 7 28 37 router 27 2 standard IP configuring for QoS classification 28 37 creating 27 8 matching criteria 27 7 supported features 27 21 support for 1 6 time ranges 27 1...

Page 853: ...ration 30 9 table address resolution 6 28 managing 6 28 ASBRs 30 29 AS path filters BGP 30 53 attributes RADIUS vendor proprietary 8 31 vendor specific 8 29 audience xxxiii authentication EIGRP 30 41 HSRP 31 8 local mode with AAA 8 36 NTP associations 6 5 RADIUS key 8 21 login 8 23 See also port based authentication TACACS defined 8 11 key 8 13 login 8 14 authentication keys and routing protocols ...

Page 854: ...utes configuring 30 59 CIDR 30 59 clear commands 30 62 community filtering 30 55 configuring neighbors 30 57 BGP continued default configuration 30 45 described 30 44 enabling 30 47 monitoring 30 62 multipath support 30 50 neighbors types of 30 47 path selection 30 50 peers configuring 30 57 prefix filtering 30 54 resetting sessions 30 49 route dampening 30 61 route maps 30 52 route reflectors 30 ...

Page 855: ...and switch cluster standby group and member switch caution described xxxiv CC command switch 5 19 CDP and trusted boundary 28 34 automatic discovery in switch clusters 5 5 configuring 21 2 default configuration 21 2 described 21 1 disabling for routing device 21 3 21 4 enabling and disabling on an interface 21 4 on a switch 21 3 monitoring 21 5 overview 21 1 support for 1 4 transmission timer and ...

Page 856: ...xv clusters switch accessing 5 13 adding member switches 5 17 automatic discovery 5 5 automatic recovery 5 10 clusters switch continued benefits 1 2 command switch configuration 5 16 compatibility 5 4 creating 5 16 creating a cluster standby group 5 19 described 5 1 LRE profile considerations 5 15 managing through CLI 5 21 through SNMP 5 22 planning 5 4 planning considerations automatic discovery ...

Page 857: ...m lost member connectivity 35 11 redundant 5 10 5 19 command switch continued replacing with another switch 35 10 with cluster member 35 8 requirements 5 3 standby SC 5 10 5 19 See also candidate switch cluster standby group member switch and standby command switch community list BGP 30 56 community strings configuring 5 14 26 8 for cluster switches 26 4 in clusters 5 14 overview 26 4 SNMP 5 14 co...

Page 858: ...publication xxxiv text xxxiv corrupted software recovery steps with XMODEM 35 2 CoS in Layer 2 frames 28 2 override priority 14 5 trust priority 14 5 CoS input queue threshold map for QoS 28 14 CoS output queue threshold map for QoS 28 17 CoS to DSCP map for QoS 28 47 counters clearing interface 10 23 crashinfo file 35 22 cryptographic software image Kerberos 8 32 SSH 8 37 CWDM 1 16 CWDM SFPs 1 16...

Page 859: ...n MAC address forwarding EtherChannel 29 7 detecting indirect link failures STP 17 6 device discovery protocol 21 1 Device Manager 3 15 See also Switch Manager DHCP based autoconfiguration client request message exchange 4 4 configuring client side 4 3 DNS 4 6 relay device 4 6 server side 4 5 TFTP server 4 5 example 4 8 lease options for IP address information 4 5 for receiving the configuration f...

Page 860: ...inued using FTP B 26 using RCP B 31 using TFTP B 23 DSCP 1 7 28 2 DSCP input queue threshold map for QoS 28 14 DSCP output queue threshold map for QoS 28 17 DSCP to CoS map for QoS 28 50 DSCP to DSCP mutation map for QoS 28 51 DTP 1 6 12 17 DUAL finite state machine EIGRP 30 37 duplex mode configuring 10 12 DVMRP autosummarization configuring a summary address 32 46 disabling 32 48 connecting PIM ...

Page 861: ...See DTP E EBGP 30 43 editing features enabling and disabling 2 6 keystrokes used 2 6 wrapped lines 2 8 EIGRP and IGRP 30 39 authentication 30 41 components 30 37 configuring 30 39 default configuration 30 38 definition 30 37 interface parameters configuring 30 40 monitoring 30 42 support for 1 8 enable password 8 4 enable secret password 8 4 encryption for passwords 8 4 Enhanced IGRP See EIGRP env...

Page 862: ...s adding 12 8 defaults and ranges 12 8 modifying 12 8 events RMON 24 3 examples conventions for xxxiv network configuration 1 11 expedite queue for QoS configuring 28 63 expert mode 3 6 Express Setup 1 9 3 12 See also hardware installation guide extended range VLANs configuration guidelines 12 13 configuring 12 12 creating 12 13 12 14 defined 12 1 extended system ID MSTP 16 14 STP 15 4 15 14 Exten...

Page 863: ... system names B 4 setting the default B 3 filtering in a VLAN 27 29 non IP traffic 27 26 show and more command output 2 8 filtering show and more command output 2 8 filters IP See ACLs IP Flash device number of B 1 Flash updates IGRP 30 25 flooded traffic blocking 20 6 flow based packet classification 1 7 flowcharts QoS classification 28 6 QoS egress queueing and scheduling 28 15 QoS ingress queue...

Page 864: ...dundancy 1 1 1 5 configuring 31 3 default configuration 31 4 definition 31 1 guidelines 31 4 monitoring 31 10 overview 31 1 priority 31 6 HSRP continued routing redundancy 1 8 timers 31 8 tracking 31 6 See also clusters cluster standby group and standby command switch I IBPG 30 43 ICMP redirect messages 30 11 support for 1 8 time exceeded messages 35 16 traceroute and 35 16 unreachable messages 27...

Page 865: ...onfiguring 19 22 IGMP snooping and address aliasing 19 2 configuring 19 6 default configuration 19 7 definition 19 2 enabling and disabling 19 7 IGMP snooping continued global configuration 19 7 Immediate Leave 19 6 method 19 8 monitoring 19 12 support for 1 3 VLAN configuration 19 7 IGMP throttling configuring 19 24 default configuration 19 21 described 19 21 displaying action 19 26 IGP 30 28 IGR...

Page 866: ...roup Management Protocol See IGMP Inter Switch Link See ISL inter VLAN routing 1 8 30 2 Intrusion Detection System See IDS inventory cluster 5 20 IOS File System See IFS ip access group command 27 20 IP ACLs applying to an interface 27 19 extended creating 27 10 for QoS classification 28 7 implicit deny 27 9 27 13 27 15 implicit masks 27 9 logging 27 15 named 27 14 standard creating 27 8 undefined...

Page 867: ...32 34 default configuration 32 8 enabling multicast forwarding 32 10 PIM mode 32 11 group to RP mappings Auto RP 32 5 BSR 32 5 IP multicast routing continued MBONE deleting sdr cache entries 32 50 described 32 33 displaying sdr cache 32 51 enabling sdr listener support 32 33 limiting DVMRP routes advertised 32 45 limiting sdr cache entry lifetime 32 34 SAP packets for conference session announceme...

Page 868: ...ing configuration 30 4 gateways 30 11 networks 30 66 routes 30 66 routing 30 2 directed broadcasts 30 13 dynamic routing 30 3 enabling 30 18 EtherChannel Layer 3 interface 30 3 IGP 30 28 inter VLAN 30 2 IP unicast routing continued IP addressing classes 30 5 configuring 30 4 IRDP 30 12 Layer 3 interfaces 30 3 MAC address and IP address 30 8 passive interfaces 30 74 protocols distance vector 30 3 d...

Page 869: ...35 15 and CDP 35 15 described 35 14 IP addresses and subnets 35 15 MAC addresses and VLANs 35 15 multicast traffic 35 15 multiple devices on a port 35 15 unicast traffic 35 14 usage guidelines 35 15 Layer 2 trunks 12 17 Layer 3 features 1 8 Layer 3 interfaces assigning IP addresses to 30 5 changing from Layer 2 mode 30 5 types of 30 3 Layer 3 packets classification methods 28 2 leave processing IG...

Page 870: ...g for QoS 28 39 creating 27 26 defined 27 26 for QoS classification 28 5 macros See SmartPort macros manageability features 1 4 management access in band browser session 1 4 CLI session 1 4 SNMP 1 5 out of band console port connection 1 5 management options benefits clustering 1 3 CMS 1 2 CLI 2 1 overview 1 4 management VLAN considerations in switch clusters 5 7 discovery through different managem...

Page 871: ...EIGRP 30 42 fallback bridging 34 10 features 1 9 HSRP 31 10 IGMP filters 19 26 snooping 19 12 interfaces 10 22 monitoring continued IP address tables 30 17 multicast routing 32 49 routes 30 77 MSDP peers 33 19 multicast router interfaces 19 12 MVR 19 20 network traffic for analysis with probe 23 2 OSPF 30 36 port blocking 20 15 protection 20 15 RP mapping information 32 22 source active messages 3...

Page 872: ...3 enabling 17 11 CIST described 16 3 configuration guidelines 16 12 17 9 MSTP continued configuring forward delay time 16 20 hello time 16 19 link type for rapid convergence 16 22 maximum aging time 16 21 maximum hop count 16 21 MST region 16 13 path cost 16 18 port priority 16 17 root switch 16 14 secondary root switch 16 16 switch priority 16 19 CST defined 16 3 operations between regions 16 4 d...

Page 873: ...lticast router ports adding 19 9 Multicast Source Discovery Protocol See MSDP multicast storm control command 20 4 multicast storms 20 2 Multicast VLAN Registration See MVR Multiple Spanning Tree Protocol See MSTP MVR and address aliasing 19 16 configuring interfaces 19 18 default configuration 19 16 described 19 13 modes 19 17 monitoring 19 20 setting global parameters 19 17 support for 1 3 N nam...

Page 874: ...g 6 2 O Open Shortest Path First See OSPF optimizing system resources 7 1 options management 1 4 OSPF area parameters configuring 30 32 configuring 30 30 default configuration OSPF continued metrics 30 34 route 30 34 settings 30 29 described 30 28 interface parameters configuring 30 31 LSA group pacing 30 35 monitoring 30 36 router IDs 30 35 route summarization 30 33 support for 1 8 virtual links ...

Page 875: ...of 32 24 sparse mode join messages and shared tree 32 4 overview 32 4 prune messages 32 5 RPF lookups 32 7 support for 1 8 versions interoperability 32 8 troubleshooting interoperability problems 32 22 v2 improvements 32 4 PIM DVMRP as snooping method 19 8 ping character output description 35 14 executing 35 13 overview 35 13 PoE configuring 10 16 support for 1 8 troubleshooting 35 12 poison rever...

Page 876: ...ration guidelines 9 8 described 9 8 initiation and message exchange 9 3 method lists 9 11 multiple hosts mode described 9 17 per user ACLs AAA authorization 9 11 configuration tasks 9 9 described 9 8 RADIUS server attributes 9 8 port based authentication continued ports authorization state and dot1x port control command 9 4 authorized and unauthorized 9 4 voice VLAN 9 6 port security and voice VLA...

Page 877: ...vate VLAN edge ports See protected ports privileged EXEC mode 2 2 privilege levels changing the default for lines 8 9 command switch 5 22 privilege levels continued exiting 8 10 in CMS 3 7 logging into 8 10 mapping on member switches 5 22 overview 8 2 8 8 setting a command with 8 8 protected ports 1 6 20 5 protocol dependent modules EIGRP 30 38 Protocol Independent Multicast Protocol See PIM proxy...

Page 878: ...8 57 ingress queue characteristics 28 52 IP extended ACLs 28 38 IP standard ACLs 28 37 QoS continued MAC ACLs 28 39 policy maps 28 42 port trust states within the domain 28 31 trusted boundary 28 34 default auto configuration 28 18 default standard configuration 28 27 displaying statistics 28 64 egress queues allocating buffer space 28 57 buffer allocation scheme described 28 16 configuring shaped...

Page 879: ...ing 28 42 displaying 28 65 QoS label defined 28 3 queues configuring egress characteristics 28 57 configuring ingress characteristics 28 52 high priority expedite 28 17 28 63 location of 28 11 QoS continued SRR described 28 12 WTD described 28 11 rewrites 28 17 support for 1 7 trust states bordering another domain 28 35 described 28 5 trusted device 28 34 within the domain 28 31 quality of service...

Page 880: ... redundant clusters See cluster standby group redundant links and UplinkFast 17 13 reliable transport protocol EIGRP 30 37 reloading software 4 16 Remote Authentication Dial In User Service See RADIUS Remote Copy Protocol See RCP Remote Network Monitoring See RMON Remote SPAN See RSPAN report suppression IGMP described 19 6 disabling 19 11 requirements cluster See release notes xxxv CMS See switch...

Page 881: ...6 14 STP 15 14 route calculation timers OSPF 30 34 route dampening BGP 30 61 routed packets ACLs on 27 38 routed ports configuring 30 3 defined 10 3 in switch clusters 5 8 IP addresses on 10 19 30 3 route map command 30 73 route maps BGP 30 52 policy based routing 30 71 router ACLs defined 27 2 types of 27 4 route reflectors BGP 30 60 router ID OSPF 30 35 route selection BGP 30 50 route summarizat...

Page 882: ...oint links 16 7 16 22 root ports 16 7 root port defined 16 6 See also MSTP running configuration saving 4 10 S SC standby command switch 5 10 5 19 scheduled reloads 4 16 SDM described 7 1 templates configuring 7 3 number of 7 1 SDM template configuring 7 2 secure MAC addresses deleting 20 13 maximum number of 20 8 types of 20 8 secure ports configuring 20 7 secure remote connections 8 38 Secure Sh...

Page 883: ...ne ID 26 7 groups 26 7 26 9 host 26 7 ifIndex values 26 6 in band management 1 5 in clusters 5 14 informs and trap keyword 26 11 SNMP continued described 26 5 differences from traps 26 5 enabling 26 14 limiting access by TFTP servers 26 15 limiting system log messages to NMS 25 9 manager functions 1 4 26 3 managing clusters with 5 22 MIBs location of A 3 supported A 1 notifications 26 5 overview 2...

Page 884: ...PAN traffic 23 4 speed configuring on interfaces 10 12 split horizon IGRP 30 27 RIP 30 22 SRR configuring shaped weights on egress queues 28 60 shared weights on egress queues 28 62 shared weights on ingress queues 28 55 SRR continued described 28 12 shaped mode 28 12 shared mode 28 12 support for 1 7 SSH configuring 8 39 cryptographic software image 8 37 described 1 4 8 38 encryption methods 8 38...

Page 885: ...BPDU message exchange 15 3 configuration guidelines 15 12 17 9 STP continued configuring forward delay time 15 21 hello time 15 20 maximum aging time 15 21 path cost 15 18 port priority 15 17 root switch 15 14 secondary root switch 15 16 spanning tree mode 15 13 switch priority 15 19 counters clearing 15 22 default configuration 15 11 default optional feature configuration 17 9 designated port def...

Page 886: ...imers described 15 20 UplinkFast described 17 4 enabling 17 13 VLAN bridge 15 11 stratum NTP 6 2 stub areas OSPF 30 32 subnet mask 30 5 subnet zero 30 6 success response VMPS 12 28 summer time 6 13 SunNet Manager 1 4 supernet 30 6 SVIs and IP unicast routing 30 3 and router ACLs 27 4 connecting VLANs 10 5 defined 10 4 routing between VLANs 12 2 switch clustering technology 5 1 See also clusters sw...

Page 887: ...ult configuration 6 15 default setting 6 15 manual configuration 6 15 See also DNS system prompt default setting 6 15 manual configuration 6 16 system resources optimizing 7 1 system routes IGRP 30 23 T TACACS accounting defined 8 11 authentication defined 8 11 authorization defined 8 11 configuring accounting 8 17 authentication key 8 13 authorization 8 16 login authentication 8 14 default config...

Page 888: ...king flooded 20 6 fragmented 27 5 unfragmented 27 5 traffic policing 1 7 traffic suppression 20 2 transparent mode VTP 13 3 13 12 trap door mechanism 4 2 traps configuring MAC address notification 6 23 configuring managers 26 11 defined 26 3 enabling 6 23 26 11 notification types 26 11 overview 26 1 26 5 troubleshooting connectivity problems 35 13 35 14 35 16 detecting unidirectional links 22 1 de...

Page 889: ...ost load balancing IGRP 30 25 unicast MAC address filtering 1 4 and adding static addresses 6 27 and broadcast MAC addresses 6 26 and CPU packets 6 26 unicast MAC address filtering continued and multicast addresses 6 26 and router MAC addresses 6 26 configuration guidelines 6 26 described 6 26 unicast storm control command 20 4 unicast storms 20 2 unicast traffic blocking 20 6 UniDirectional Link ...

Page 890: ...ment domain 13 2 VLAN Management Policy Server See VMPS VLAN map entries order of 27 29 VLAN maps applying 27 33 common uses for 27 33 configuration example 27 34 configuration guidelines 27 29 configuring 27 29 creating 27 30 defined 27 2 denying access example 27 35 denying and permitting packets 27 31 displaying 27 40 examples 27 35 support for 1 6 with router ACLs 27 40 VLAN membership confirm...

Page 891: ...n interval changing 12 31 reconfirming membership 12 31 retry count changing 12 32 voice over IP 14 1 voice VLAN Cisco 7960 phone port connections 14 1 configuration guidelines 7 2 14 3 configuring IP phones for data traffic override CoS of incoming frame 14 5 trust CoS priority of incoming frame 14 5 configuring ports for voice traffic in 802 1P priority tagged frames 14 5 802 1Q frames 14 4 conn...

Page 892: ...examples 13 5 overview 13 4 support for 1 6 pruning eligible list changing 12 22 server mode configuring 13 9 statistics 13 15 support for 1 6 Token Ring support 13 4 transparent mode configuring 13 12 using 13 1 version guidelines 13 9 version 1 13 4 version 2 configuration guidelines 13 9 disabling 13 13 enabling 13 13 overview 13 4 W weighted tail drop See WTD wizards 1 2 3 6 WTD described 28 1...

Reviews:

No comments

Related manuals for 3560 - Rfcatalyst - Poe Si

Magnetrol T20 Series Instruction Manual And Replacement Parts List preview
T20 Series
Brand: Magnetrol Pages: 12
Magnetrol T20 Series Installation And Operating Manual preview
T20 Series
Brand: Magnetrol Pages: 24
Movie Vision VCS-3 Installation And User Manual preview
VCS-3
Brand: Movie Vision Pages: 2
SMC Networks SMC8724-10BT Technical Specifications preview
SMC8724-10BT
Brand: SMC Networks Pages: 2
Omega Engineering PSW32 SERIES User Manual preview
PSW32 SERIES
Brand: Omega Engineering Pages: 8
Sangamo RPTS Q550 Installation & User'S Instructions preview
RPTS Q550
Brand: Sangamo Pages: 2
Eaton Edison Cooper Power Series Installation And Operation Instructions Manual preview
Edison Cooper Power Series
Brand: Eaton Pages: 12
Aquatlantis tecatlantis EASY LED CONTROL 2 PLUS User Manual preview
tecatlantis EASY LED CONTROL 2 PLUS
Brand: Aquatlantis Pages: 4
Bridgetek PANL PH44 Quick Start Manual preview
PANL PH44
Brand: Bridgetek Pages: 2
TeleAdapt MediaHub Mini TA-3350 Installation Manual preview
MediaHub Mini TA-3350
Brand: TeleAdapt Pages: 23
LINK-MI LM-MX42-AUDIO User Manual preview
LM-MX42-AUDIO
Brand: LINK-MI Pages: 12
W Box Technologies 0E-8P65W4POE Manual preview
0E-8P65W4POE
Brand: W Box Technologies Pages: 10
Omnitron Systems Technology iConverter GX/X User Manual preview
iConverter GX/X
Brand: Omnitron Systems Technology Pages: 2
Boca BOCAHUB-16 Plus BEN220 Installation Manual preview
BOCAHUB-16 Plus BEN220
Brand: Boca Pages: 56
ATEN VM7814 Quick Start Manual preview
VM7814
Brand: ATEN Pages: 2
Lantech IGS-3208MGSFP User Manual preview
IGS-3208MGSFP
Brand: Lantech Pages: 27
Key Digital Champion KD-4X4XC Setup Manual preview
Champion KD-4X4XC
Brand: Key Digital Pages: 8
3Com 3C17205-US - Corp SUPERSTACK 3 SWITCH 4400... Implementation Manual preview
3C17205-US - Corp SUPERSTACK 3 SWITCH 4400...
Brand: 3Com Pages: 153

Brands by name

Popular brands

Load more brands