manualshive.com logo in svg

Cisco 3750G - Catalyst Integrated Wireless LAN Controller, Configuration Manual

The Cisco 3750G - Catalyst Integrated Wireless LAN Controller is a powerful networking solution that streamlines wireless communication. To configure this device to its full potential, download our free Configuration Manual from manualshive.com. This comprehensive manual provides step-by-step instructions and is readily available for download.

Share
Download
background image

 

31-8

Catalyst 3750 Switch Software Configuration Guide

OL-8550-02

Chapter 31      Configuring SNMP

Configuring SNMP

Changing the value of the SNMP engine ID has important side effects. A user's password (entered 
on the command line) is converted to an MD5 or SHA security digest based on the password and the 
local engine ID. The command-line password is then destroyed, as required by RFC 2274. Because 
of this deletion, if the value of the engine ID changes, the security digests of SNMPv3 users become 
invalid, and you need to reconfigure SNMP users by using the 

snmp-server user

 

username

 global 

configuration command. Similar restrictions require the reconfiguration of community strings when 
the engine ID changes. 

Disabling the SNMP Agent

Beginning in privileged EXEC mode, follow these steps to disable the SNMP agent:

The

 no snmp-server

 global configuration command disables all running versions (Version 1, 

Version 2C, and Version 3) on the device. No specific Cisco IOS command exists to enable SNMP. The 
first 

snmp-server

 global configuration command that you enter enables all versions of SNMP.

Configuring Community Strings

You use the SNMP community string to define the relationship between the SNMP manager and the 
agent. The community string acts like a password to permit access to the agent on the switch. Optionally, 
you can specify one or more of these characteristics associated with the string:

An access list of IP addresses of the SNMP managers that are permitted to use the community string 
to gain access to the agent

A MIB view, which defines the subset of all MIB objects accessible to the given community 

Read and write or read-only permission for the MIB objects accessible to the community

Command

Purpose

Step 1

configure terminal

Enter global configuration mode.

Step 2

no snmp-server

Disable the SNMP agent operation.

Step 3

end

Return to privileged EXEC mode.

Step 4

show running-config

Verify your entries.

Step 5

copy running-config startup-config

(Optional) Save your entries in the configuration file.

Summary of Contents for 3750G - Catalyst Integrated Wireless LAN Controller

Page 1: ... 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 526 4100 Catalyst 3750 Switch Software Configuration Guide Cisco IOS Release 12 2 35 SE December 2006 Text Part Number OL 8550 02 ...

Page 2: ...T OF THE USE OR INABILITY TO USE THIS MANUAL EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES CCVP the Cisco Logo and the Cisco Square Bridge logo are trademarks of Cisco Systems Inc Changing the Way We Work Live Play and Learn is a service mark of Cisco Systems Inc and Access Registrar Aironet BPX Catalyst CCDA CCDP CCIE CCIP CCNA CCNP CCSP Cisco the Cisco Certi...

Page 3: ...ices xlviii Obtaining Technical Assistance xlviii Cisco Support Website xlviii Submitting a Service Request xlix Definitions of Service Request Severity xlix Obtaining Additional Publications and Information l C H A P T E R 1 Overview 1 1 Features 1 1 Ease of Deployment and Ease of Use Features 1 2 Performance Features 1 4 Management Options 1 5 Manageability Features 1 5 Availability and Redundan...

Page 4: ...ault Forms of Commands 2 4 Understanding CLI Error Messages 2 5 Using Configuration Logging 2 5 Using Command History 2 6 Changing the Command History Buffer Size 2 6 Recalling Commands 2 6 Disabling the Command History Feature 2 7 Using Editing Features 2 7 Enabling and Disabling Editing Features 2 7 Editing Commands through Keystrokes 2 7 Editing Command Lines that Wrap 2 9 Searching and Filteri...

Page 5: ...lename to Read and Write the System Configuration 3 12 Booting Manually 3 13 Booting a Specific Software Image 3 14 Controlling Environment Variables 3 15 Scheduling a Reload of the Software Image 3 16 Configuring a Scheduled Reload 3 17 Displaying Scheduled Reload Information 3 18 C H A P T E R 4 Configuring Cisco IOS CNS Agents 4 1 Understanding Cisco Configuration Engine Software 4 1 Configurat...

Page 6: ...tack 5 9 Effects of Removing a Provisioned Switch from a Switch Stack 5 9 Hardware Compatibility and SDM Mismatch Mode in Switch Stacks 5 10 Switch Stack Software Compatibility Recommendations 5 10 Stack Protocol Version Compatibility 5 10 Major Version Number Incompatibility Among Switches 5 11 Minor Version Number Incompatibility Among Switches 5 11 Understanding Auto Upgrade and Auto Advise 5 1...

Page 7: ... Switch Characteristics 6 4 Planning a Switch Cluster 6 4 Automatic Discovery of Cluster Candidates and Members 6 5 Discovery Through CDP Hops 6 5 Discovery Through Non CDP Capable and Noncluster Capable Devices 6 6 Discovery Through Different VLANs 6 7 Discovery Through Different Management VLANs 6 7 Discovery Through Routed Ports 6 8 Discovery of Newly Installed Switches 6 9 HSRP and Standby Clu...

Page 8: ...e 7 12 Configuring Summer Time Daylight Saving Time 7 13 Configuring a System Name and Prompt 7 14 Default System Name and Prompt Configuration 7 15 Configuring a System Name 7 15 Understanding DNS 7 15 Default DNS Configuration 7 16 Setting Up DNS 7 16 Displaying the DNS Configuration 7 17 Creating a Banner 7 17 Default Banner Configuration 7 17 Configuring a Message of the Day Login Banner 7 18 ...

Page 9: ...g or Changing a Static Enable Password 9 3 Protecting Enable and Enable Secret Passwords with Encryption 9 3 Disabling Password Recovery 9 5 Setting a Telnet Password for a Terminal Line 9 6 Configuring Username and Password Pairs 9 6 Configuring Multiple Privilege Levels 9 7 Setting the Privilege Level for a Command 9 8 Changing the Default Privilege Level for Lines 9 9 Logging into and Exiting a...

Page 10: ...nication 9 31 Displaying the RADIUS Configuration 9 31 Controlling Switch Access with Kerberos 9 32 Understanding Kerberos 9 32 Kerberos Operation 9 34 Authenticating to a Boundary Switch 9 34 Obtaining a TGT from a KDC 9 35 Authenticating to Network Services 9 35 Configuring Kerberos 9 35 Configuring the Switch for Local Authentication and Authorization 9 36 Configuring the Switch for Secure Shel...

Page 11: ...unting Attribute Value Pairs 10 9 Using IEEE 802 1x Authentication with VLAN Assignment 10 10 Using IEEE 802 1x Authentication with Per User ACLs 10 11 Using IEEE 802 1x Authentication with Guest VLAN 10 13 Using IEEE 802 1x Authentication with Restricted VLAN 10 14 Using IEEE 802 1x Authentication with Inaccessible Authentication Bypass 10 15 Using IEEE 802 1x Authentication with Voice VLAN Ports...

Page 12: ...Authentication Bypass Feature 10 37 Configuring IEEE 802 1x Authentication with WoL 10 39 Configuring MAC Authentication Bypass 10 40 Configuring NAC Layer 2 IEEE 802 1x Validation 10 41 Configuring Web Authentication 10 41 Disabling IEEE 802 1x Authentication on the Port 10 44 Resetting the IEEE 802 1x Authentication Configuration to the Default Values 10 45 Displaying IEEE 802 1x Statistics and ...

Page 13: ...nagement Mode on a PoE Port 11 21 Budgeting Power for Devices Connected to a PoE Port 11 23 Adding a Description for an Interface 11 24 Configuring Layer 3 Interfaces 11 25 Configuring the System MTU 11 27 Monitoring and Maintaining the Interfaces 11 28 Monitoring Interface Status 11 29 Clearing and Resetting Interfaces and Counters 11 30 Shutting Down and Restarting the Interface 11 30 C H A P T ...

Page 14: ...Range VLAN 13 14 Creating an Extended Range VLAN with an Internal VLAN ID 13 15 Displaying VLANs 13 16 Configuring VLAN Trunks 13 16 Trunking Overview 13 16 Encapsulation Types 13 18 IEEE 802 1Q Configuration Considerations 13 19 Default Layer 2 Ethernet Interface VLAN Configuration 13 19 Configuring an Ethernet Interface as a Trunk Port 13 19 Interaction with Other Features 13 20 Configuring a Tr...

Page 15: ...tanding VTP 14 1 The VTP Domain 14 2 VTP Modes 14 3 VTP Advertisements 14 3 VTP Version 2 14 4 VTP Pruning 14 4 VTP and Switch Stacks 14 6 Configuring VTP 14 6 Default VTP Configuration 14 7 VTP Configuration Options 14 7 VTP Configuration in Global Configuration Mode 14 7 VTP Configuration in VLAN Database Configuration Mode 14 8 VTP Configuration Guidelines 14 8 Domain Names 14 8 Passwords 14 8 ...

Page 16: ...h Private VLANs 16 3 Private VLANs across Multiple Switches 16 4 Private VLAN Interaction with Other Features 16 4 Private VLANs and Unicast Broadcast and Multicast Traffic 16 5 Private VLANs and SVIs 16 5 Private VLANs and Switch Stacks 16 6 Configuring Private VLANs 16 6 Tasks for Configuring Private VLANs 16 6 Default Private VLAN Configuration 16 7 Private VLAN Configuration Guidelines 16 7 Se...

Page 17: ... Configuring Layer 2 Tunneling for EtherChannels 17 14 Configuring the SP Edge Switch 17 14 Configuring the Customer Switch 17 16 Monitoring and Maintaining Tunneling Status 17 18 C H A P T E R 18 Configuring STP 18 1 Understanding Spanning Tree Features 18 1 STP Overview 18 2 Spanning Tree Topology and BPDUs 18 3 Bridge ID Switch Priority and Extended System ID 18 4 Spanning Tree Interface States...

Page 18: ...rwarding Delay Time for a VLAN 18 23 Configuring the Maximum Aging Time for a VLAN 18 23 Configuring the Transmit Hold Count 18 24 Displaying the Spanning Tree Status 18 24 C H A P T E R 19 Configuring MSTP 19 1 Understanding MSTP 19 2 Multiple Spanning Tree Regions 19 2 IST CIST and CST 19 3 Operations Within an MST Region 19 3 Operations Between MST Regions 19 4 IEEE 802 1s Terminology 19 5 Hop ...

Page 19: ... 24 Configuring the Maximum Hop Count 19 24 Specifying the Link Type to Ensure Rapid Transitions 19 24 Designating the Neighbor Type 19 25 Restarting the Protocol Migration Process 19 26 Displaying the MST Configuration and Status 19 26 C H A P T E R 20 Configuring Optional Spanning Tree Features 20 1 Understanding Optional Spanning Tree Features 20 1 Understanding Port Fast 20 2 Understanding BPD...

Page 20: ...on Guidelines 21 4 Default Configuration 21 4 Configuring Flex Links and MAC Address Table Move Update 21 5 Configuring Flex Links 21 5 Configuring the MAC Address Table Move Update Feature 21 6 Monitoring Flex Links and the MAC Address Table Move Update 21 9 C H A P T E R 22 Configuring DHCP Features and IP Source Guard 22 1 Understanding DHCP Features 22 1 DHCP Server 22 2 DHCP Relay Agent 22 2 ...

Page 21: ...rface Trust States and Network Security 23 3 Rate Limiting of ARP Packets 23 4 Relative Priority of ARP ACLs and DHCP Snooping Entries 23 4 Logging of Dropped Packets 23 5 Configuring Dynamic ARP Inspection 23 5 Default Dynamic ARP Inspection Configuration 23 5 Dynamic ARP Inspection Configuration Guidelines 23 6 Configuring Dynamic ARP Inspection in DHCP Environments 23 7 Configuring ARP ACLs for...

Page 22: ...P Snooping Information 24 16 Understanding Multicast VLAN Registration 24 18 Using MVR in a Multicast Television Application 24 19 Configuring MVR 24 20 Default MVR Configuration 24 20 MVR Configuration Guidelines and Limitations 24 21 Configuring MVR Global Parameters 24 21 Configuring MVR Interfaces 24 22 Displaying MVR Information 24 24 Configuring IGMP Filtering and Throttling 24 24 Default IG...

Page 23: ... 12 Enabling and Configuring Port Security Aging 25 15 Port Security and Switch Stacks 25 17 Displaying Port Based Traffic Control Settings 25 17 C H A P T E R 26 Configuring CDP 26 1 Understanding CDP 26 1 CDP and Switch Stacks 26 2 Configuring CDP 26 2 Default CDP Configuration 26 2 Configuring the CDP Characteristics 26 2 Disabling and Enabling CDP 26 3 Disabling and Enabling CDP on an Interfac...

Page 24: ...Guidelines 28 11 Creating a Local SPAN Session 28 12 Creating a Local SPAN Session and Configuring Incoming Traffic 28 15 Specifying VLANs to Filter 28 16 Configuring RSPAN 28 17 RSPAN Configuration Guidelines 28 18 Configuring a VLAN as an RSPAN VLAN 28 19 Creating an RSPAN Source Session 28 19 Creating an RSPAN Destination Session 28 21 Creating an RSPAN Destination Session and Configuring Incom...

Page 25: ...iguration Change Logger 30 11 Configuring UNIX Syslog Servers 30 12 Logging Messages to a UNIX Syslog Daemon 30 12 Configuring the UNIX System Logging Facility 30 13 Displaying the Logging Configuration 30 14 C H A P T E R 31 Configuring SNMP 31 1 Understanding SNMP 31 1 SNMP Versions 31 2 SNMP Manager Functions 31 3 SNMP Agent Functions 31 4 SNMP Community Strings 31 4 Using SNMP to Access MIB Va...

Page 26: ...CLs 32 15 Using Time Ranges with ACLs 32 17 Including Comments in ACLs 32 19 Applying an IPv4 ACL to a Terminal Line 32 19 Applying an IPv4 ACL to an Interface 32 20 Hardware and Software Treatment of IP ACLs 32 22 IPv4 ACL Configuration Examples 32 22 Numbered ACLs 32 24 Extended ACLs 32 24 Named ACLs 32 24 Time Range Applied to an IP ACL 32 25 Commented IP ACL Entries 32 25 ACL Logging 32 26 Cre...

Page 27: ...arking 33 8 Policing on Physical Ports 33 9 Policing on SVIs 33 10 Mapping Tables 33 12 Queueing and Scheduling Overview 33 13 Weighted Tail Drop 33 13 SRR Shaping and Sharing 33 14 Queueing and Scheduling on Ingress Queues 33 15 Queueing and Scheduling on Egress Queues 33 17 Packet Modification 33 19 Configuring Auto QoS 33 20 Generated Auto QoS Configuration 33 20 Effects of Auto QoS on the Conf...

Page 28: ...sing Hierarchical Policy Maps 33 53 Classifying Policing and Marking Traffic by Using Aggregate Policers 33 59 Configuring DSCP Maps 33 61 Configuring the CoS to DSCP Map 33 61 Configuring the IP Precedence to DSCP Map 33 62 Configuring the Policed DSCP Map 33 63 Configuring the DSCP to CoS Map 33 64 Configuring the DSCP to DSCP Mutation Map 33 65 Configuring Ingress Queue Characteristics 33 67 Ma...

Page 29: ...er 2 EtherChannels 34 13 Configuring Layer 3 EtherChannels 34 15 Creating Port Channel Logical Interfaces 34 15 Configuring the Physical Interfaces 34 16 Configuring EtherChannel Load Balancing 34 18 Configuring the PAgP Learn Method and Priority 34 19 Configuring LACP Hot Standby Ports 34 20 Configuring the LACP System Priority 34 21 Configuring the LACP Port Priority 34 22 Displaying EtherChanne...

Page 30: ...l Broadcast Translation 35 14 Forwarding UDP Broadcast Packets and Protocols 35 15 Establishing an IP Broadcast Address 35 16 Flooding IP Broadcasts 35 17 Monitoring and Maintaining IP Addressing 35 18 Enabling IP Unicast Routing 35 19 Configuring RIP 35 19 Default RIP Configuration 35 20 Configuring Basic RIP Parameters 35 21 Configuring RIP Authentication 35 22 Configuring Summary Addresses and ...

Page 31: ...unity Filtering 35 56 Configuring BGP Neighbors and Peer Groups 35 57 Configuring Aggregate Addresses 35 59 Configuring Routing Domain Confederations 35 60 Configuring BGP Route Reflectors 35 61 Configuring Route Dampening 35 62 Monitoring and Maintaining BGP 35 63 Configuring Multi VRF CE 35 64 Understanding Multi VRF CE 35 65 Default Multi VRF CE Configuration 35 67 Multi VRF CE Configuration Gu...

Page 32: ...Bit Wide Unicast Addresses 36 3 DNS for IPv6 36 4 Path MTU Discovery for IPv6 Unicast 36 4 ICMPv6 36 4 Neighbor Discovery 36 4 IPv6 Stateless Autoconfiguration and Duplicate Address Detection 36 5 IPv6 Applications 36 5 Dual IPv4 and IPv6 Protocol Stacks 36 6 Unsupported IPv6 Unicast Routing Features 36 6 Limitations 36 7 IPv6 and Switch Stacks 36 7 SDM Templates 36 8 Dual IPv4 and IPv6 SDM Templa...

Page 33: ... Snooping 37 6 Configuring a Static Multicast Group 37 8 Configuring a Multicast Router Port 37 8 Enabling MLD Immediate Leave 37 9 Configuring MLD Snooping Queries 37 10 Disabling MLD Listener Message Suppression 37 11 Displaying MLD Snooping Information 37 11 C H A P T E R 38 Configuring IPv6 ACLs 38 1 Understanding IPv6 ACLs 38 1 Supported ACL Features 38 2 IPv6 ACL Limitations 38 3 IPv6 ACLs a...

Page 34: ...ng State 39 13 Configuring a Tracked List 39 14 Configuring HSRP Object Tracking 39 17 Configuring Other Tracking Characteristics 39 18 C H A P T E R 40 Configuring IP Multicast Routing 40 1 Understanding Cisco s Implementation of IP Multicast Routing 40 2 Understanding IGMP 40 3 IGMP Version 1 40 3 IGMP Version 2 40 3 Understanding PIM 40 4 PIM Versions 40 4 PIM Modes 40 4 Auto RP 40 5 Bootstrap ...

Page 35: ...o IP Multicast Groups 40 29 Changing the IGMP Version 40 30 Modifying the IGMP Host Query Message Interval 40 31 Changing the IGMP Query Timeout for IGMPv2 40 31 Changing the Maximum Query Response Time for IGMPv2 40 32 Configuring the Switch as a Statically Connected Member 40 33 Configuring Optional Multicast Routing Features 40 33 Enabling CGMP Server Support 40 34 Configuring sdr Listener Supp...

Page 36: ... 4 Configuring a Default MSDP Peer 41 4 Caching Source Active State 41 6 Requesting Source Information from an MSDP Peer 41 8 Controlling Source Information that Your Switch Originates 41 9 Redistributing Sources 41 9 Filtering Source Active Request Messages 41 11 Controlling Source Information that Your Switch Forwards 41 12 Using a Filter 41 12 Using TTL to Limit the Multicast Data Sent in SA Me...

Page 37: ...rd 43 3 Procedure with Password Recovery Enabled 43 4 Procedure with Password Recovery Disabled 43 6 Preventing Switch Stack Problems 43 7 Recovering from a Command Switch Failure 43 8 Replacing a Failed Command Switch with a Cluster Member 43 9 Replacing a Failed Command Switch with Another Switch 43 11 Recovering from Lost Cluster Member Connectivity 43 12 Preventing Autonegotiation Mismatches 4...

Page 38: ...standing How Online Diagnostics Work 44 1 Scheduling Online Diagnostics 44 2 Configuring Health Monitoring Diagnostics 44 2 Running Online Diagnostic Tests 44 3 Starting Online Diagnostic Tests 44 3 Displaying Online Diagnostic Tests and Test Results 44 4 A P P E N D I X A Configuring the Catalyst 3750G Integrated Wireless LAN Controller Switch A 1 Understanding the Wireless LAN Controller Switch ...

Page 39: ...nd Location C 10 Creating a Configuration File By Using a Text Editor C 10 Copying Configuration Files By Using TFTP C 10 Preparing to Download or Upload a Configuration File By Using TFTP C 10 Downloading the Configuration File By Using TFTP C 11 Uploading the Configuration File By Using TFTP C 12 Copying Configuration Files By Using FTP C 12 Preparing to Download or Upload a Configuration File B...

Page 40: ...ds in Cisco IOS Release 12 2 35 SE D 1 Access Control Lists D 1 Unsupported Privileged EXEC Commands D 1 Unsupported Global Configuration Commands D 1 Unsupported Route Map Configuration Commands D 1 Archive Commands D 2 Unsupported Privileged EXEC Commands D 2 ARP Commands D 2 Unsupported Global Configuration Commands D 2 Unsupported Interface Configuration Commands D 2 Boot Loader Commands D 2 U...

Page 41: ...D 9 Miscellaneous D 9 Unsupported Privileged EXEC Commands D 9 Unsupported Global Configuration Commands D 9 MSDP D 10 Unsupported Privileged EXEC Commands D 10 Unsupported Global Configuration Commands D 10 NetFlow Commands D 10 Unsupported Global Configuration Commands D 10 Network Address Translation NAT Commands D 10 Unsupported Privileged EXEC Commands D 10 QoS D 11 Unsupported Global Configu...

Page 42: ...Contents xlii Catalyst 3750 Switch Software Configuration Guide OL 8550 02 VTP D 12 Unsupported Privileged EXEC Commands D 12 I N D E X ...

Page 43: ...Shortest Path First OSPF Protocol This guide provides procedures for using the commands that have been created or changed for use with the Catalyst 3750 switch It does not provide detailed information about these commands For detailed information about these commands see the Catalyst 3750 Switch Command Reference for this release For information about the standard Cisco IOS Release 12 2 commands s...

Page 44: ...bols Note Means reader take note Notes contain helpful suggestions or references to materials not contained in this manual Caution Means reader be careful In this situation you might do something that could result in equipment damage or loss of data Related Publications These documents provide complete information about the switch and are available from this Cisco com site http www cisco com en US...

Page 45: ...ory Compliance and Safety Information for the Catalyst 3750 Switch order number DOC 7816664 Getting Started with Cisco Network Assistant not orderable but available on Cisco com Release Notes for Cisco Network Assistant not orderable but available on Cisco com Cisco Small Form Factor Pluggable Modules Installation Notes order number DOC 7815160 Cisco CWDM GBIC and CWDM SFP Installation Note not or...

Page 46: ...ebsite at this URL http www cisco com You can access international Cisco websites at this URL http www cisco com public countries_languages shtml Product Documentation DVD The Product Documentation DVD is a library of technical product documentation on a portable medium The DVD enables you to access installation configuration and command guides for Cisco hardware and software products With the DVD...

Page 47: ...ty notices and security responses as they are updated in real time you can subscribe to the Product Security Incident Response Team Really Simple Syndication PSIRT RSS feed Information about how to subscribe to the PSIRT RSS feed is found at this URL http www cisco com en US products products_psirt_rss_feed html Reporting Security Problems in Cisco Products Cisco is committed to delivering secure ...

Page 48: ...o to this URL http tools cisco com RPF register register do Obtaining Technical Assistance Cisco Technical Support provides 24 hour a day award winning technical assistance The Cisco Support website on Cisco com features extensive online support resources In addition if you have a valid Cisco service contract Cisco Technical Assistance Center TAC engineers provide telephone support If you do not h...

Page 49: ...vice requests S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information After you describe your situation the TAC Service Request Tool provides recommended solutions If your issue is not resolved using the recommended resources your service request is assigned to a Cisco engineer The TAC Service Request Tool is located at this URL...

Page 50: ...nce tool that includes brief product overviews key features sample part numbers and abbreviated technical specifications for many Cisco products that are sold through channel partners It is updated twice a year and includes the latest Cisco channel product offerings To order and find out more about the Cisco Product Quick Reference Guide go to this URL http www cisco com go guide Cisco Marketplace...

Page 51: ...leases for Cisco products Updated monthly this online publication is organized by product category to direct you quickly to the documentation for your products You can view the latest release of What s New in Cisco Documentation at this URL http www cisco com univercd cc td doc abtunicd 136957 htm World class networking training is available from Cisco You can view current offerings at this URL ht...

Page 52: ...lii Catalyst 3750 Switch Software Configuration Guide OL 8550 02 Preface Obtaining Additional Publications and Information ...

Page 53: ...control lists ACLs quality of service QoS static routing EIGRP stub routing the Hot Standby Router Protocol HSRP and the Routing Information Protocol RIP Switches with the IP base image installed can be upgraded to IP services image formerly known as the enhanced multilayer image EMI IP services image which provides a richer set of enterprise class intelligent services It includes all IP base imag...

Page 54: ...Features page 1 7 Security Features page 1 8 includes a feature requiring the cryptographic versions of the software IP base and IP services images QoS and CoS Features page 1 9 Layer 3 Features page 1 11 includes features requiring the IP services image Power over Ethernet Features page 1 12 Monitoring Features page 1 12 Ease of Deployment and Ease of Use Features The switch ships with these feat...

Page 55: ...the network Creating a bidirectional 32 Gbps switching fabric across the switch stack where all stack members have full access to the system bandwidth Using a single IP address and configuration file to manage the entire switch stack Automatic Cisco IOS version check of new stack members with the option to automatically load images from the stack master or from a TFTP server Adding removing and re...

Page 56: ...orm control for preventing broadcast multicast and unicast storms Port blocking on forwarding unknown Layer 2 unknown unicast multicast and bridged broadcast traffic Cisco Group Management Protocol CGMP server support and Internet Group Management Protocol IGMP snooping for IGMP Versions 1 2 and 3 For CGMP devices CGMP for limiting multicast traffic to specified end stations and reducing overall n...

Page 57: ...nsive set of MIB extensions and four remote monitoring RMON groups For more information about using SNMP see Chapter 31 Configuring SNMP CNS Cisco Networking Services is network management software that acts as a configuration service for automating the deployment and management of network devices and services You can automate initial configurations and configuration updates by generating switch s...

Page 58: ...ation or switch image files requires the cryptographic versions of the software IP base and IP services images On the Catalyst 3750G Integrated Wireless LAN Controller Switch only an integrated Catalyst 3750 switch and Cisco 4400 series wireless LAN controller that supports up to 25 or 50 lightweight access points Availability and Redundancy Features These are the availability and redundancy featu...

Page 59: ...llow the failover of the server traffic to an operational link on another Cisco Ethernet switch RPS support through the Cisco RPS 300 and Cisco RPS 675 for enhancing power reliability VLAN Features These are the VLAN features Support for up to 1005 VLANs for assigning users to VLANs associated with appropriate network resources traffic patterns and bandwidth Support for VLAN IDs in the 1 to 4094 r...

Page 60: ...ction on Layer 2 interfaces VLAN ACLs VLAN maps for providing intra VLAN security by filtering traffic based on information in the MAC IP and TCP UDP headers Source and destination MAC based ACLs for filtering non IP traffic IPv6 ACLs to be applied to interfaces to filter IPv6 traffic DHCP snooping to filter untrusted DHCP messages between untrusted hosts and DHCP servers IP source guard to restri...

Page 61: ...rol Software Configuration Guide IEEE 802 1x inaccessible authentication bypass For information about configuring this feature see the Configuring the Inaccessible Authentication Bypass Feature section on page 10 37 Authentication authorization and accounting AAA down policy for a NAC Layer 2 IP validation of a host if the AAA server is not available when the posture validation occurs For informat...

Page 62: ...port level second level policy map Each second level policy map can have a different policer Aggregate policing for policing traffic flows in aggregate to restrict specific applications or traffic flows to metered predefined rates Out of Profile Out of profile markdown for packets that exceed bandwidth utilization limits Ingress queueing and scheduling Two configurable ingress queues for user traf...

Page 63: ...P Router Discovery Protocol IRDP for using router advertisement and router solicitation messages to discover the addresses of routers on directly attached subnets Protocol Independent Multicast PIM for multicast routing within the network allowing for devices in the network to receive the multicast feed requested and for switches not participating in the multicast to be pruned Includes support for...

Page 64: ...k by storing the MAC addresses that the switch has learned or removed Switched Port Analyzer SPAN and Remote SPAN RSPAN for traffic monitoring on any port or VLAN SPAN and RSPAN support of Intrusion Detection Systems IDS to monitor repel and report network security violations Four groups history statistics alarms and events of embedded RMON agents for network monitoring and traffic analysis Syslog...

Page 65: ...ormation see Chapter 5 Managing Switch Stacks Switch cluster is disabled For more information about switch clusters see Chapter 6 Clustering Switches and the Getting Started with Cisco Network Assistant available on Cisco com No passwords are defined For more information see Chapter 7 Administering the Switch System name and prompt is Switch For more information see Chapter 7 Administering the Swi...

Page 66: ... Chapter 18 Configuring STP MSTP is disabled For more information see Chapter 19 Configuring MSTP Optional spanning tree features are disabled For more information see Chapter 20 Configuring Optional Spanning Tree Features Flex Links are not configured For more information see Chapter 21 Configuring Flex Links and the MAC Address Table Move Update Feature DHCP snooping is disabled The DHCP snoopin...

Page 67: ... No EtherChannels are configured For more information see Chapter 34 Configuring EtherChannels and Link State Tracking IP unicast routing is disabled For more information see Chapter 35 Configuring IP Unicast Routing No HSRP groups are configured For more information see Chapter 39 Configuring HSRP and Enhanced Object Tracking IP multicast routing is disabled on all interfaces For more information...

Page 68: ...many users on a single network segment and a growing number of users accessing the Internet Create smaller network segments so that fewer users share the bandwidth and use VLANs and IP subnets to place the network resources in the same logical network as the users who access those resources most Use full duplex operation between the switch and its connected workstations Increased power of new PCs ...

Page 69: ...R to continuously send multicast streams in a multicast VLAN but to isolate the streams from subscriber VLANs for bandwidth and security reasons High demand on network redundancy and availability to provide always on mission critical applications Use switch stacks where all stack members are eligible stack masters in case of stack master failure All stack members have synchronized copies of the sa...

Page 70: ...BASE T connection Figure 1 1 Cost Effective Wiring Closet High performance wiring closet Figure 1 2 For high speed access to network resources you can use Catalyst 3750switches and switch stacks in the access layer to provide Gigabit Ethernet to the desktop To prevent congestion use QoS DSCP marking priorities on these switches For high speed IP forwarding at the distribution layer connect the swi...

Page 71: ...hes and network resources Figure 1 3 Redundant Gigabit Backbone Server aggregation Figure 1 4 and Linux server cluster Figure 1 5 You can use the switches and switch stacks to interconnect groups of servers centralizing physical security and administration of your network For high speed IP forwarding at the distribution layer connect the switches in the access layer to multilayer switches with rou...

Page 72: ...uplinks from the switches provides redundant uplinks to the network core Using SFP modules provides flexibility in media and distance options through fiber optic connections The various lengths of stack cable available ranging from 0 5 meter to 3 meters provide extended connections to the switch stacks across multiple server racks for multiple stack aggregation Figure 1 4 Server Aggregation 86931 ...

Page 73: ...s and configuration The switches are interconnected through Gigabit interfaces This network uses VLANs to logically segment the network into well defined broadcast groups and for security management Data and multimedia traffic are configured on the same VLAN Voice traffic from the Cisco IP Phones are configured on separate VVIDs If data multimedia and voice traffic are assigned to the same VLAN on...

Page 74: ...receive power Cisco CallManager controls call processing routing and Cisco IP Phone features and configuration Users with workstations running Cisco SoftPhone software can place receive and control calls from their PCs Using Cisco IP Phones Cisco CallManager software and Cisco SoftPhone software integrates telephony and IP networks and the IP network supports both voice and data With the multilaye...

Page 75: ... also configured on each switch stack VLAN maps provide intra VLAN security and prevent unauthorized users from accessing critical pieces of the network QoS features can limit bandwidth on a per port or per user basis The switch ports are configured as either trusted or untrusted You can configure a trusted port to trust the CoS value the DSCP value or the IP precedence If you configure the port a...

Page 76: ...00 routers Catalyst 6500 multilayer switches Cisco IP Phones with workstations Aironet wireless access points IEEE 802 3af compliant powered device such as a web cam Cisco IP Phones with workstations WAN IP IP IP IP IP IP 86930 Catalyst 3750 multilayer StackWise switch stack Catalyst 3750 multilayer StackWise switch stack Aironet wireless access points IEEE 802 3af compliant powered device such as...

Page 77: ...ntial switch or to a Catalyst 3750 aggregation switch For more information about the Catalyst Long Reach Ethernet LRE switches see the documentation sets specific to these switches for LRE information All ports on the residential Catalyst 3750 switches and Catalyst 2950 LRE switches if they are included are configured as IEEE 802 1Q trunks with protected port and STP root guard features enabled Th...

Page 78: ...ngth used for long distance transmissions is 1550 nm The CWDM SFP modules connect to CWDM optical add drop multiplexer OADM modules over distances of up to 393 701 feet 74 5 miles or 120 km The CWDM OADM modules combine or multiplex the different CWDM wavelengths allowing them to travel simultaneously on the same fiber optic cable The CWDM OADM modules on the receiving end separate or demultiplex ...

Page 79: ...ration Where to Go Next Before configuring the switch review these sections for startup information Chapter 2 Using the Command Line Interface Chapter 3 Assigning the Switch IP Address and Default Gateway 95750 Access layer Catalyst 4500 multilayer switches Eight 1 Gbps connections 8 Gbps Catalyst switches CWDM OADM modules CWDM OADM modules Aggregation layer ...

Page 80: ...1 28 Catalyst 3750 Switch Software Configuration Guide OL 8550 02 Chapter 1 Overview Where to Go Next ...

Page 81: ...rompt to obtain a list of commands available for each command mode When you start a session on the switch you begin in user mode often called user EXEC mode Only a limited subset of the commands are available in user EXEC mode For example most of the user EXEC commands are one time commands such as show commands which show the current configuration status and clear commands which clear counters or...

Page 82: ... a password to protect access to this mode Global configuration While in privileged EXEC mode enter the configure command Switch config To exit to privileged EXEC mode enter exit or end or press Ctrl Z Use this mode to configure parameters that apply to the entire switch Config vlan While in global configuration mode enter the vlan vlan id command Switch config vlan To exit to global configuration...

Page 83: ...nformation about defining interfaces see the Using Interface Configuration Mode section on page 11 10 To configure multiple interfaces with the same parameters see the Configuring a Range of Interfaces section on page 11 12 Line configuration While in global configuration mode specify a line with the line vty or line console command Switch config line To exit to global configuration mode enter exi...

Page 84: ...e the command without the keyword no to re enable a disabled feature or to enable a feature that is disabled by default Configuration commands can also have a default form The default form of a command returns the command setting to its default Most commands are disabled by default so the default form is the same as the no form However some commands are enabled by default and have variables set to...

Page 85: ...ore information see the Configuration Change Notification and Logging feature module at this URL http www cisco com univercd cc td doc product software ios123 123newft 123t 123t_4 gtconlog htm Note Only CLI or HTTP changes are logged Table 2 3 Common CLI Error Messages Error Message Meaning How to Get Help Ambiguous command show con You did not enter enough characters for your switch to recognize ...

Page 86: ...minal history size number of lines The range is from 0 to 256 Beginning in line configuration mode enter this command to configure the number of command lines the switch records for all sessions on a particular line Switch config line history size number of lines The range is from 0 to 256 Recalling Commands To recall commands from the history buffer perform one of the actions listed in Table 2 4 ...

Page 87: ... Command Lines that Wrap page 2 9 optional Enabling and Disabling Editing Features Although enhanced editing mode is automatically enabled you can disable it re enable it or configure a specific line to have enhanced editing These procedures are optional To globally disable enhanced editing mode enter this command in line configuration mode Switch config line no editing To re enable the enhanced e...

Page 88: ... items that you have deleted or cut If you press Esc Y more than ten times you cycle to the first buffer entry Delete entries if you make a mistake or change your mind Press the Delete or Backspace key Erase the character to the left of the cursor Press Ctrl D Delete the character at the cursor Press Ctrl K Delete all characters from the cursor to the end of the command line Press Ctrl U or Ctrl X...

Page 89: ...1 108 1 20 255 255 255 0 eq Switch config 108 2 5 255 255 255 0 131 108 1 20 255 255 255 0 eq 45 After you complete the entry press Ctrl A to check the complete syntax before pressing the Return key to execute the command The dollar sign appears at the end of the line to show that the line has been scrolled to the right Switch config access list 101 permit tcp 131 108 2 5 255 255 255 0 131 108 1 T...

Page 90: ...e stack master You cannot manage stack members on an individual switch basis You can connect to the stack master through the console port of one or more stack members Be careful with using multiple CLI sessions to the stack master Commands you enter in one session are not displayed in the other sessions Therefore it is possible to lose track of the session from which you entered commands Note We r...

Page 91: ...hardware installation guide Use any Telnet TCP IP or encrypted Secure Shell SSH package from a remote management station The switch must have network connectivity with the Telnet or SSH client and the switch must have an enable secret password configured For information about configuring the switch for Telnet access see the Setting a Telnet Password for a Terminal Line section on page 9 6 The swit...

Page 92: ...2 12 Catalyst 3750 Switch Software Configuration Guide OL 8550 02 Chapter 2 Using the Command Line Interface Accessing the CLI ...

Page 93: ...e sections Understanding the Boot Process page 3 1 Assigning Switch Information page 3 2 Checking and Saving the Running Configuration page 3 10 Modifying the Startup Configuration page 3 12 Scheduling a Reload of the Software Image page 3 16 Note Information in this chapter about configuring IP addresses and DHCP is specific to IP Version 4 IPv4 If you plan to enable IP Version 6 IPv6 forwarding ...

Page 94: ...estart the operating system For more information see the Recovering from a Software Failure section on page 43 2 and the Recovering from a Lost or Forgotten Password section on page 43 3 Note You can disable password recovery For more information see the Disabling Password Recovery section on page 9 5 Before you can assign switch information make sure you have connected a PC or terminal to the con...

Page 95: ...ally Assigning IP Information page 3 10 Default Switch Information Table 3 1 shows the default switch information Understanding DHCP Based Autoconfiguration DHCP provides configuration information to Internet hosts and internetworking devices This protocol consists of two components one for delivering configuration parameters from a DHCP server to a device and a mechanism for allocating network ad...

Page 96: ...ration file is present and the configuration includes the ip address dhcp interface configuration command on specific routed interfaces the DHCP client is invoked and requests the IP address information for those interfaces Figure 3 1 shows the sequence of messages that are exchanged between the DHCP client and the DHCP server Figure 3 1 DHCP Client and Server Message Exchange The client Switch A ...

Page 97: ...DHCP Server Configuration Guidelines page 3 5 Configuring the TFTP Server page 3 6 Configuring the DNS page 3 6 Configuring the Relay Device page 3 7 Obtaining Configuration Files page 3 7 Example Configuration page 3 8 If your DHCP server is a Cisco device see the Configuring DHCP section of the IP Addressing and Services section of the Cisco IOS IP Configuration Guide Release 12 2 for additional...

Page 98: ...ss 255 255 255 255 For the switch to successfully download a configuration file the TFTP server must contain one or more configuration files in its base directory The files can include these files The configuration file named in the DHCP reply the actual switch configuration file The network confg or the cisconet cfg file known as the default configuration files The router confg or the ciscortr cf...

Page 99: ...router config if ip helper address 20 0 0 4 On interface 20 0 0 1 router config if ip helper address 10 0 0 1 Note If the switch is acting as the relay device configure the interface as a routed port For more information see the Routed Ports section on page 11 4 and the Configuring Layer 3 Interfaces section on page 11 25 Figure 3 2 Relay Device Used in Autoconfiguration Obtaining Configuration Fi...

Page 100: ...obtains its hostname If the hostname is not found in the file the switch uses the hostname in the DHCP reply If the hostname is not specified in the DHCP reply the switch uses the default Switch as its hostname After obtaining its hostname from the default configuration file or the DHCP reply the switch reads the configuration file that has the same name as its hostname hostname confg or hostname ...

Page 101: ...h A through Switch D Configuration Explanation In Figure 3 3 Switch A reads its configuration file as follows It obtains its IP address 10 0 0 21 from the DHCP server If no configuration filename is given in the DHCP server reply Switch A reads the network confg file from the base directory of the TFTP server It adds the contents of the network confg file to its host table It reads its host table ...

Page 102: ...ration You can check the configuration settings that you entered or changes that you made by entering this privileged EXEC command Switch show running config Building configuration Current configuration 1363 bytes Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface vlan vlan id Enter interface configuration mode and enter the VLAN to which the IP information ...

Page 103: ...rivate RW snmp server community public RO snmp server community private es0 RW snmp server community public es0 RO snmp server chassis id 0x12 end To store the configuration or changes you have made to your startup configuration in flash memory enter this privileged EXEC command Switch copy running config startup config Destination filename startup config Building configuration This command saves ...

Page 104: ...mation see the Understanding DHCP Based Autoconfiguration section on page 3 3 Specifying the Filename to Read and Write the System Configuration By default the Cisco IOS software uses the file config text to read and write a nonvolatile copy of the system configuration However you can specify a different filename which will be loaded during the next boot cycle Table 3 3 Default Boot Configuration ...

Page 105: ...onfigure the switch to manually boot during the next boot cycle Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 boot config file flash file url Specify the configuration file to load during the next boot cycle For file url specify the path directory and the configuration filename Filenames and directory names are case sensitive Step 3 end Return to privileged EXEC ...

Page 106: ...next time you reboot the system the switch is in boot loader mode shown by the switch prompt To boot the system use the boot filesystem file url boot loader command For filesystem use flash for the system board flash device For file url specify the path directory and the name of the bootable image Filenames and directory names are case sensitive Step 5 copy running config startup config Optional S...

Page 107: ... it has a value if it is listed in the file even if the value is a null string A variable that is set to a null string for example is a variable with a value Many environment variables are predefined and have default values Environment variables store two kinds of data Data that controls code which does not read the Cisco IOS configuration file For example the name of a boot loader helper file whi...

Page 108: ...uring the next boot cycle and the stack members on which the image is loaded This command changes the setting of the BOOT environment variable MANUAL_BOOT set MANUAL_BOOT yes Decides whether the switch automatically or manually boots Valid values are 1 yes 0 and no If it is set to no or 0 the boot loader attempts to automatically boot the system If it is set to anything else you must manually boot...

Page 109: ...rdware calendar or manually The time is relative to the configured time zone on the switch To schedule reloads across several switches to occur simultaneously the time on each switch must be synchronized with NTP The reload command halts the system If the system is not set to manually boot it reboots itself Use the reload command after you save the switch configuration information to the startup c...

Page 110: ...ge Displaying Scheduled Reload Information To display information about a previously scheduled reload or to find out if a reload has been scheduled on the switch use the show reload privileged EXEC command It displays reload information including the time the reload is scheduled to occur and the reason for the reload if it was specified when the reload was scheduled ...

Page 111: ...tware that acts as a configuration service for automating the deployment and management of network devices and services see Figure 4 1 Each Configuration Engine manages a group of Cisco devices switches and routers and the services that they deliver storing their configurations and delivering them as needed The Configuration Engine automates initial configurations and configuration updates by gene...

Page 112: ...ses the CNS Event Service to send and receive configuration change events and to send success and failure notifications The configuration server is a web server that uses configuration templates and the device specific configuration information stored in the embedded standalone mode or remote server mode directory Configuration templates are text files containing static configuration information i...

Page 113: ... device ID and event the mapping service returns a set of events on which to publish What You Should Know About the CNS IDs and Device Hostnames The Cisco Configuration Engine assumes that a unique identifier is associated with each configured switch This unique identifier can take on multiple synonyms where each synonym is unique within a particular namespace The event service uses namespace cont...

Page 114: ...change even when the switch hostname is reconfigured When changing the switch hostname on the switch the only way to refresh the DeviceID is to break the connection between the switch and the event gateway Enter the no cns event global configuration command followed by the cns event global configuration command When the connection is re established the switch sends its modified hostname to the eve...

Page 115: ...ch and includes the TFTP server IP address the path to the bootstrap configuration file and the default gateway IP address in a unicast reply to the DHCP relay agent The DHCP relay agent forwards the reply to the switch The switch automatically configures the assigned IP address on interface VLAN 1 the default and downloads the bootstrap configuration file from the TFTP server Upon successful down...

Page 116: ...cation of the configuration upon receipt of a write signal event The write signal event tells the switch not to save the updated configuration into its NVRAM The switch uses the updated configuration as its running configuration This ensures that the switch configuration is synchronized with other network activities before saving the configuration in NVRAM for use at the next reboot Configuring Ci...

Page 117: ...default no configuration file Distribution switch IP helper address Enable DHCP relay agent IP routing if used as default gateway DHCP server IP address assignment TFTP server IP address Path to bootstrap configuration file on the TFTP server Default gateway IP address TFTP server A bootstrap configuration file that includes the CNS configuration commands that enable the switch to communicate with...

Page 118: ...nd enter the gateway parameters For ip address hostname enter either the IP address or the hostname of the event gateway Optional For port number enter the port number for the event gateway The default port number is 11011 Optional Enter backup to show that this is the backup gateway If omitted this is the primary gateway Optional For init retry retry count enter the number of initial retries befo...

Page 119: ...d specify the interface for connecting to the Configuration Engine Enter the interface prefix for the connecting interface You must specify the interface type but need not specify the interface number Optional For ping interval seconds enter the interval between successive ping attempts The range is 1 to 30 seconds The default is 10 seconds Optional For retries num enter the number of ping retries...

Page 120: ...ary text string for string string as the unique ID Step 8 cns config initial ip address hostname port number event no persist page page source ip address syntax check Enable the Cisco IOS agent and initiate an initial configuration For ip address hostname enter the IP address or the hostname of the configuration server Optional For port number enter the port number of the configuration server The ...

Page 121: ...steps to enable the Cisco IOS agent and to initiate a partial configuration on the switch To disable the Cisco IOS agent use the no cns config partial ip address hostname global configuration command To cancel a partial configuration use the cns config cancel privileged EXEC command Step 10 show cns config connections Verify information about the configuration agent Step 11 show running config Ver...

Page 122: ...fig connections Displays the status of the CNS Cisco IOS agent connections show cns config outstanding Displays information about incremental partial CNS configurations that have started but are not yet completed show cns config stats Displays statistics about the Cisco IOS agent show cns event connections Displays the status of the CNS event agent connections show cns event stats Displays statist...

Page 123: ...ck are stack members The stack members use the Cisco StackWise technology to behave and work together as a unified system Layer 2 and Layer 3 protocols present the entire switch stack as a single entity to the network The stack master is the single point of stack wide management From the stack master you configure System level global features that apply to all stack members Interface level feature...

Page 124: ...onnection to the console port of any stack member A network management application through the Simple Network Management Protocol SNMP Note Use SNMP to manage network features across the switch stack that are defined by supported MIBs The switch does not support MIBs to manage stacking specific features such as stack membership and election CiscoWorks network management software To manage switch s...

Page 125: ...stack master or you add powered on standalone switches or switch stacks Note Make sure the switches that you add to or remove from the switch stack are powered off After adding or removing stack members make sure that the switch stack is operating at full bandwidth 32 Gbps Press the Mode button on a stack member until the Stack mode LED is on The last two port LEDs on all switches in the stack sho...

Page 126: ...the switch that you prefer to be the stack master This ensures that the switch is re elected as stack master if a re election occurs 3 The switch that is not using the default interface level configuration 4 The switch with the higher priority switch software version These switch software versions are listed from highest to lowest priority Cryptographic IP services image software Noncryptographic ...

Page 127: ...The stack master has failed The switch stack membership is increased by adding powered on standalone switches or switch stacks In the events marked by an asterisk the current stack master might be re elected based on the listed factors When you power on or reset an entire switch stack some stack members might not participate in the stack master election Stack members that are powered on within the...

Page 128: ...luding a standalone switch retains its member number until you manually change the number or unless the number is already being used by another member in the stack If you manually change the stack member number by using the switch current stack member number renumber new stack member number global configuration command the new number goes into effect after that stack member resets or after you use...

Page 129: ...witch before it joins the switch stack You can configure in advance the stack member number the switch type and the interfaces associated with a switch that is not currently part of the stack The configuration that you create on the switch stack is called the provisioned configuration The switch that will be added to the switch stack and that receives this configuration is called the provisioned s...

Page 130: ...nfiguration to the provisioned switch and adds it to the stack The provisioned configuration is changed to reflect the new information The stack member number is not found in the provisioned configuration The switch stack applies the default configuration to the provisioned switch and adds it to the stack The provisioned configuration is changed to reflect the new information The stack member numb...

Page 131: ...es not contain a provisioned configuration for a new switch the switch joins the stack with the default interface configuration The switch stack then adds to its running configuration a switch stack member number provision type global configuration command that matches the new switch For configuration information see the Provisioning a New Member for a Switch Stack section on page 5 23 Effects of ...

Page 132: ...ck members use the information in this section and in the Hardware Compatibility and SDM Mismatch Mode in Switch Stacks section on page 5 10 All stack members must run the same Cisco IOS software version to ensure compatibility between stack members This helps ensure full compatibility in the stack protocol version among the stack members For example all stack members should have the IP services i...

Page 133: ...tware and tries to upgrade the switch in VM mode two software processes are involved automatic upgrade and automatic advise The automatic upgrade auto upgrade process includes an auto copy process and an auto extract process By default auto upgrade is enabled the boot auto copy sw global configuration command is enabled You can disable auto upgrade by using the no boot auto copy sw global configur...

Page 134: ...o advise software does not provide a recommendation The same events occur when cryptographic and noncryptographic images are running Beginning with Cisco IOS Release 12 2 35 SE you can use the archive download sw allow feature upgrade privileged EXEC command to allow installing an image with a different feature set Auto Upgrade and Auto Advise Example Messages When you add a switch that has a diff...

Page 135: ...n switch 1 Mar 11 20 36 15 038 IMAGEMGR 6 AUTO_COPY_SW c3750 i5 mz 122 0 0 313 SE directory Mar 11 20 36 15 038 IMAGEMGR 6 AUTO_COPY_SW extracting c3750 i5 mz 122 0 0 313 SE c3750 ipservices mz 122 25 SEB 4945851 bytes Mar 11 20 36 15 038 IMAGEMGR 6 AUTO_COPY_SW extracting c3750 ipservices mz 122 25 SEB info 450 bytes Mar 11 20 36 15 038 IMAGEMGR 6 AUTO_COPY_SW extracting info 104 bytes Mar 11 20 ...

Page 136: ...SW For information about using the archive download sw privileged EXEC command see the Working with Software Images section on page C 19 Note Auto advise and auto copy identify which images are running by examining the info file and by searching the directory structure on the switch stack If you download your image by using the copy tftp command instead of by using the archive download sw privileg...

Page 137: ...e interface specific configuration as the failed switch Hence you do not need to reconfigure the interface settings The replacement switch must have the same stack member number as the failed switch For information about the benefits of provisioning a switch stack see the Switch Stack Offline Configuration section on page 5 7 You back up and restore the stack configuration in the same way as you w...

Page 138: ... the stack master or to any other stack member You can still manage the stack through the same IP address even if you remove the stack master or any other stack member from the stack provided there is IP connectivity Note Stack members retain their IP addresses when you remove them from a switch stack To avoid a conflict by having two devices with the same IP address in your network change the IP ...

Page 139: ...ack member Switch Stack Configuration Scenarios Table 5 2 provides switch stack configuration scenarios Most of the scenarios assume at least two switches are connected through their StackWise ports Table 5 2 Switch Stack Configuration Scenarios Scenario Result Stack master election specifically determined by existing stack masters Connect two powered on switch stacks through the StackWise ports O...

Page 140: ...s at the same time The stack member with the cryptographic IP base image software is elected stack master Stack master election specifically determined by the MAC address Assuming that both stack members have the same priority value configuration file and software image restart both stack members at the same time The stack member with the lower MAC address is elected stack master Stack member numb...

Page 141: ...ack continues to use that MAC address Stack master failure Remove or power off the stack master Based on the factors described in the Stack Master Election and Re Election section on page 5 4 one of the remaining stack members becomes the new stack master All other stack members in the stack remain as stack members and do not reboot Add more than nine stack members 1 Through their StackWise ports ...

Page 142: ...lways enter a value If the command is entered without a value the only option prior to this release the time delay appears in the running config file with an explicit timer value of 4 minutes If you enter 0 the stack MAC address of the previous stack master is used until you enter the no stack mac persistent timer command which immediately changes the stack MAC address to that of the current stack...

Page 143: ...delay after a stack master change before the stack MAC address changes to that of the new stack master If the previous stack master rejoins the stack during this period the stack uses that MAC address as the stack MAC address Enter the command with no value to set the default delay of approximately 4 minutes We recommend that you always configure a value Enter 0 to continue using the MAC address o...

Page 144: ... optional Setting the Stack Member Priority Value Note This task is available only from the stack master Beginning in privileged EXEC mode follow these steps to assign a priority value to a stack member This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 switch current stack member number renumber new stack member number Specify the current s...

Page 145: ... resets Step 3 end Return to privileged EXEC mode Step 4 reload slot stack member number Reset the stack member and apply this configuration change Step 5 show switch stack member number Verify the stack member priority value Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 show switch Display summary information ...

Page 146: ... 12S switch with a stack member number of 2 for the switch stack The show running config command output shows the interfaces associated with the provisioned switch Switch config switch 2 provision WS C3750G 12S Switch config end Switch show running config include switch 2 interface GigabitEthernet2 0 1 interface GigabitEthernet2 0 2 interface GigabitEthernet2 0 3 output truncated ...

Page 147: ...ands are available in a CLI session to a specific stack member Displaying Switch Stack Information To display configuration changes that you save after you reset a specific stack member or the switch stack use the privileged EXEC commands listed in Table 5 4 Table 5 4 Commands for Displaying Switch Stack Information Command Description show platform stack manager all Displays all switch stack info...

Page 148: ...5 26 Catalyst 3750 Switch Software Configuration Guide OL 8550 02 Chapter 5 Managing Switch Stacks Displaying Switch Stack Information ...

Page 149: ...t also includes guidelines and limitations for clusters mixed with other cluster capable Catalyst switches but it does not provide complete descriptions of the cluster features for these other switches For complete cluster information for a specific Catalyst platform refer to the software configuration guide for that switch This chapter consists of these sections Understanding Switch Clusters page...

Page 150: ...Catalyst 2950 and Catalyst 3500 XL switches For complete information about these switches in a switch cluster environment refer to the software configuration guide for that specific switch Command switch redundancy if a cluster command switch fails One or more switches can be designated as standby cluster command switches to avoid loss of contact with cluster members A cluster standby group is a g...

Page 151: ...command switch and to other standby command switches through its management VLAN It is connected to all other cluster member switches except the cluster command and standby command switches through a common VLAN It is redundantly connected to the cluster so that connectivity to cluster member switches is maintained It is not a command or member switch of another cluster Note Standby cluster comman...

Page 152: ...ter member switches must be connected through their management VLAN to the cluster command switch and standby cluster command switches For complete information about these switches in a switch cluster environment refer to the software configuration guide for that specific switch This requirement does not apply if you have a Catalyst 2970 Catalyst 3550 Catalyst 3560 or Catalyst 3750 cluster command...

Page 153: ...iscovery Through CDP Hops page 6 5 Discovery Through Non CDP Capable and Noncluster Capable Devices page 6 6 Discovery Through Different VLANs page 6 7 Discovery Through Different Management VLANs page 6 7 Discovery Through Routed Ports page 6 8 Discovery of Newly Installed Switches page 6 9 Discovery Through CDP Hops By using CDP a cluster command switch can discover switches up to seven CDP hops...

Page 154: ...ot discover a cluster enabled device connected beyond the noncluster capable Cisco device Figure 6 2 shows that the cluster command switch discovers the switch that is connected to a third party hub However the cluster command switch does not discover the switch that is connected to a Catalyst 5000 switch Figure 6 2 Discovery Through Non CDP Capable and Noncluster Capable Devices Command device Me...

Page 155: ... must be connected to the cluster command switch through their management VLAN For information about discovery through management VLANs see the Discovery Through Different Management VLANs section on page 6 7 For more information about VLANs see Chapter 13 Configuring VLANs Note For additional considerations about VLANs in switch stacks see the Switch Clusters and Switch Stacks section on page 6 1...

Page 156: ...oncandidate device which is switch 7 Figure 6 4 Discovery Through Different Management VLANs with a Layer 3 Cluster Command Switch Discovery Through Routed Ports If the cluster command switch has a routed port RP configured it discovers only candidate and cluster member switches in the same VLAN as the routed port For more information about routed ports see the Routed Ports section on page 11 4 Th...

Page 157: ...e VLAN of the immediately upstream neighbor The new switch also configures its access port to belong to the VLAN of the immediately upstream neighbor The cluster command switch in Figure 6 6 belongs to VLANs 9 and 16 When new cluster capable switches join the cluster One cluster capable switch and its access port are assigned to VLAN 9 The other cluster capable switch and its access port are assig...

Page 158: ... the active cluster command switch AC The switch with the next highest priority is the standby cluster command switch SC The other switches in the cluster standby group are the passive cluster command switches PC If the active cluster command switch and the standby cluster command switch become disabled at the same time the passive cluster command switch with the highest priority becomes the activ...

Page 159: ...its role as the active cluster command switch and the current active cluster command switch becomes the standby cluster command switch again For more information about IP address in switch clusters see the IP Addresses section on page 6 13 Other Considerations for Cluster Standby Groups Note For additional considerations about cluster standby groups in switch stacks see the Switch Clusters and Swi...

Page 160: ...st one VLAN in common with the switch cluster Catalyst 1900 Catalyst 2820 Catalyst 2900 XL Catalyst 2950 and Catalyst 3500 XL cluster member switches must be connected to the cluster standby group through their management VLANs For more information about VLANs in switch clusters see these sections Discovery Through Different VLANs section on page 6 7 Discovery Through Different Management VLANs se...

Page 161: ...er configuration from the active cluster command switch including members that were added while it was down The active cluster command switch sends a copy of the cluster configuration to the cluster standby group IP Addresses You must assign IP information to a cluster command switch You can assign more than one IP address to the cluster command switch and you can access the cluster through any of...

Page 162: ... inherit the command switch password If you change the member switch password to be different from the command switch password and save the change the switch is not manageable by the cluster command switch until you change the member switch password to match the command switch password Rebooting the member switch does not revert the password back to the command switch password We recommend that yo...

Page 163: ... Comparison of Switch Stacks and Switch Clusters Switch Stack Switch Cluster Made up of Catalyst 3750 switches only Made up of cluster capable switches such as Catalyst 3750 Catalyst 3550 and Catalyst 2950 switches Stack members are connected through StackWise ports Cluster members are connected through LAN ports Requires one stack master and supports up to eight other stack members Requires 1 clu...

Page 164: ...tem Plus TACACS is configured on a cluster member it must be configured on all cluster members Similarly if RADIUS is configured on a cluster member it must be configured on all cluster members Further the same switch cluster cannot have some members configured with TACACS and other members configured with RADIUS For more information about TACACS see the Controlling Switch Access with TACACS secti...

Page 165: ...ember switches running standard and Enterprise Edition Software as follows If the command switch privilege level is 1 to 14 the cluster member switch is accessed at privilege level 1 If the command switch privilege level is 15 the cluster member switch is accessed at privilege level 15 Note The Catalyst 1900 and Catalyst 2820 CLI is available only on switches running Enterprise Edition Software Fo...

Page 166: ...d switch redirects traps from the cluster member switch to the management station as shown in Figure 6 8 If a cluster member switch has its own IP address and community strings the cluster member switch can send traps directly to the management station without going through the cluster command switch If a cluster member switch has its own IP address and community strings they can be used in additi...

Page 167: ...an manage the system time and date on your switch using automatic configuration such as the Network Time Protocol NTP or manual configuration methods Note For complete syntax and usage information for the commands used in this section see the Cisco IOS Configuration Fundamentals Command Reference Release 12 2 These sections contain this configuration information Understanding the System Clock page...

Page 168: ...atomic clock directly attached a stratum 2 time server receives its time through NTP from a stratum 1 time server and so on A device running NTP automatically chooses as its time source the device with the lowest stratum number with which it communicates through NTP This strategy effectively builds a self organizing tree of NTP speakers NTP avoids synchronizing to a device whose time might not be ...

Page 169: ...e to that device through NTP When multiple sources of time are available NTP is always considered to be more authoritative NTP time overrides the time set by any other method Several manufacturers include NTP software for their host systems and a publicly available version for systems running UNIX and its various derivatives is also available This software allows host systems to be time synchroniz...

Page 170: ...rator of the NTP server the information you configure in this procedure must be matched by the servers used by the switch to synchronize its time to the NTP server Beginning in privileged EXEC mode follow these steps to authenticate the associations communications between devices running NTP that provide for accurate timekeeping with other devices for security purposes Table 7 1 Default NTP Config...

Page 171: ...ronizes to the other device and not the other way around Step 3 ntp authentication key number md5 value Define the authentication keys By default none are defined For number specify a key number The range is 1 to 4294967295 md5 specifies that message authentication support is provided by using the message digest algorithm 5 MD5 For value enter an arbitrary string of up to eight characters for the ...

Page 172: ...be configured to send or receive broadcast messages However the information flow is one way only Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ntp peer ip address version number key keyid source interface prefer or ntp server ip address version number key keyid source interface prefer Configure the switch system clock to synchronize a peer or to be synchronized b...

Page 173: ...urpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to send NTP broadcast packets and enter interface configuration mode Step 3 ntp broadcast version number key keyid destination address Enable the interface to send NTP broadcast packets to a peer By default this feature is disabled on all interfaces Optional For number specify the N...

Page 174: ...ese steps to control access to NTP services by using access lists Step 5 ntp broadcastdelay microseconds Optional Change the estimated round trip delay between the switch and the NTP broadcast server The default is 3000 microseconds the range is 1 to 999999 Step 6 end Return to privileged EXEC mode Step 7 show running config Verify your entries Step 8 copy running config startup config Optional Sa...

Page 175: ...use the no ntp access group query only serve only serve peer global configuration command This example shows how to configure the switch to allow itself to synchronize to a peer from access list 99 However the switch restricts access to allow only time requests from access list 42 Switch configure terminal Switch config ntp access group peer 99 Switch config ntp access group serve only 42 Switch c...

Page 176: ...ress is to be taken The specified interface is used for the source address for all packets sent to all destinations If a source address is to be used for a specific association use the source keyword in the ntp peer or ntp server global configuration command as described in the Configuring NTP Associations section on page 7 5 Command Purpose Step 1 configure terminal Enter global configuration mod...

Page 177: ...e stack master fails and different stack member resumes the role of stack master These sections contain this configuration information Setting the System Clock page 7 11 Displaying the Time and Date Configuration page 7 12 Configuring the Time Zone page 7 12 Configuring Summer Time Daylight Saving Time page 7 13 Setting the System Clock If you have an outside source on the network that provides ti...

Page 178: ...e the time zone The minutes offset variable in the clock timezone global configuration command is available for those cases where a local time zone is a percentage of an hour different from UTC For example the time zone for some sections of Atlantic Canada AST is UTC 3 5 where the 3 means 3 hours and 5 means 50 percent In this case the necessary command is clock timezone AST 3 30 To set the time t...

Page 179: ...ock summer time PDT recurring 1 Sunday April 2 00 last Sunday October 2 00 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 clock summer time zone recurring week day month hh mm week day month hh mm offset Configure summer time to start and end on the specified days every year Summer time is disabled by default If you specify clock summer time zone recurring without...

Page 180: ...n symbol is appended The prompt is updated whenever the system name changes If you are accessing a stack member through the stack master you must use the session stack member number privileged EXEC command The stack member number range is from 1 through 9 When you use this command the stack member number is appended to the system prompt For example Switch 2 is the prompt in privileged EXEC mode fo...

Page 181: ...tabase with which you can map hostnames to IP addresses When you configure DNS on your switch you can substitute the hostname for the IP address with all IP commands such as ping telnet connect and related Telnet support operations IP defines a hierarchical naming scheme that allows a device to be identified by its location or domain Domain names are pieced together with periods as the delimiting ...

Page 182: ...ne a default domain name that the software uses to complete unqualified hostnames names without a dotted decimal domain name Do not include the initial period that separates an unqualified name from the domain name At boot time no domain name is configured however if the switch configuration comes from a BOOTP or Dynamic Host Configuration Protocol DHCP server then the default domain name might be...

Page 183: ...isplaying the DNS Configuration To display the DNS configuration information use the show running config privileged EXEC command Creating a Banner You can configure a message of the day MOTD and a login banner The MOTD banner displays on all connected terminals at login and is useful for sending messages that affect all network users such as impending system shutdowns The login banner also display...

Page 184: ...ws the banner that appears from the previous configuration Unix telnet 172 2 5 4 Trying 172 2 5 4 Connected to 172 2 5 4 Escape character is This is a secure site Only authorized users are allowed For access contact technical support User Access Verification Password Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 banner motd c message c Specify the message of the ...

Page 185: ...e types of addresses Dynamic address a source MAC address that the switch learns and then ages when it is not in use Static address a manually entered unicast address that does not age and that is not lost when the switch resets The address table lists the destination MAC address the associated VLAN ID and port number associated with the address and the type static or dynamic Note For complete syn...

Page 186: ...added or removed from the network the switch updates the address table adding new dynamic addresses and aging out those that are not in use The aging interval is globally configured on a standalone switch or on the switch stack However the switch maintains an address table for each VLAN and STP can accelerate the aging interval on a per VLAN basis The switch sends packets between any combination o...

Page 187: ... stack members When a switch joins a switch stack that switch receives the addresses for each VLAN learned on the other stack members When a stack member leaves the switch stack the remaining stack members age out or remove all addresses learned by the former stack member Default MAC Address Table Configuration Table 7 3 shows the default MAC address table configuration Changing the Address Aging ...

Page 188: ...ddress activity on the switch Whenever the switch learns or removes a MAC address an SNMP notification can be generated and sent to the NMS If you have many users coming and going from the network you can set a trap interval time to bundle the notification traps and reduce network traffic The MAC notification history table stores the MAC address activity for each hardware port for which the trap i...

Page 189: ...er host command For notification type use the mac notification keyword Step 3 snmp server enable traps mac notification Enable the switch to send MAC address traps to the NMS Step 4 mac address table notification Enable the MAC address notification feature Step 5 mac address table notification interval value history size value Enter the trap interval time and the history table size Optional For in...

Page 190: ...ng and Removing Static Address Entries A static address has these characteristics It is manually entered in the address table and must be manually removed It can be a unicast or multicast address It does not age and is retained when the switch restarts You can add and remove static addresses and define the forwarding behavior for them The forwarding behavior defines how a port that receives a pack...

Page 191: ...static mac addr vlan vlan id drop global configuration command one of these messages appears Only unicast addresses can be configured to be dropped CPU destined address cannot be configured as drop address Packets that are forwarded to the CPU are also not supported Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mac address table static mac addr vlan vlan id inter...

Page 192: ... the VLAN from which it is received Beginning in privileged EXEC mode follow these steps to configure the switch to drop a source or destination unicast static address To disable unicast MAC address filtering use the no mac address table static mac addr vlan vlan id global configuration command This example shows how to enable unicast MAC address filtering and to configure the switch to drop packe...

Page 193: ...y the Subnetwork Access Protocol SNAP By default standard Ethernet style ARP encapsulation represented by the arpa keyword is enabled on the IP interface ARP entries added manually to the table do not age and must be manually removed For CLI procedures see the Cisco IOS Release 12 2 documentation on Cisco com Table 7 4 Commands for Displaying the MAC Address Table Command Description show ip igmp ...

Page 194: ...7 28 Catalyst 3750 Switch Software Configuration Guide OL 8550 02 Chapter 7 Administering the Switch Managing the ARP Table ...

Page 195: ...o obtain maximum ACL usage To allocate ternary content addressable memory TCAM resources for different usages the switch SDM templates prioritize system resources to optimize support for certain features You can select SDM templates for IP Version 4 IPv4 to optimize these features Routing The routing template maximizes system resources for unicast routing typically required for a router or aggrega...

Page 196: ... dual stack environments supporting both IPv4 and IPv6 Using the dual stack templates results in less TCAM capacity allowed for each resource Do not use them if you plan to forward only IPv4 traffic These SDM templates support IPv4 and IPv6 environments Desktop dual IPv4 and IPv6 default template supports Layer 2 multicast routing QoS and ACLs for IPv4 and Layer 2 routing and ACLs for IPv6 on desk...

Page 197: ...ely 1000 VLANs SDM Templates and Switch Stacks All stack members use the same SDM desktop or aggregator template that is stored on the stack master When a new switch is added to a stack as with the switch configuration and VLAN database files the SDM configuration that is stored on the stack master overrides the template configured on an individual switch For more information about stacking see Ch...

Page 198: ...e to a desktop template and reload the switch the entire stack operates with the selected desktop template This could cause configuration losses if the number of TCAM entries exceeds the desktop template sizes If you change the template from a desktop template to an aggregator template and reload the switch any desktop switches that were part of the stack go into the SDM mismatch mode When this oc...

Page 199: ...nly on switches intended for Layer 2 switching with no routing When you use the VLAN template no system resources are reserved for routing entries and any routing is done through software This overloads the CPU and severely degrades routing performance Do not use the routing template if you do not have routing enabled on your switch The sdm prefer routing desktop global configuration command preve...

Page 200: ...these meanings access Maximizes system resources for ACLs default Gives balance to all functions Visible on Catalyst 3750 12S switches to use with the desktop keyword to set the switch to the default desktop template Use the no sdm prefer command to set a desktop switch to the default desktop template or to set an aggregator switch to the default aggregator template dual ipv4 and ipv6 Select a tem...

Page 201: ...nfigure a switch with the routing template the desktop routing template for a desktop switch or the aggregator routing template for a Catalyst 3750 12S Switch config sdm prefer routing Switch config end Switch reload Proceed with reload confirm This example shows how to configure the desktop routing template on a Catalyst 3750 12S switch Switch config sdm prefer routing desktop Switch config end S...

Page 202: ... show sdm prefer routing aggregate routing template The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs number of unicast mac addresses 6K number of igmp groups multicast routes 1K number of unicast routes 20K number of directly connected hosts 6K number of indirect routes 14K number of policy based routing aces 512 n...

Page 203: ... support this level of features for 8 routed interfaces and 1024 VLANs number of unicast mac addresses 2K number of IPv4 IGMP groups multicast routes 1K number of IPv4 unicast routes 3K number of directly connected IPv4 hosts 2K number of indirect IPv4 routes 1K number of IPv6 multicast groups 1K number of directly connected IPv6 addresses 2K number of indirect IPv6 unicast routes 1K number of IPv...

Page 204: ...8 10 Catalyst 3750 Switch Software Configuration Guide OL 8550 02 Chapter 8 Configuring SDM Templates Displaying the SDM Templates ...

Page 205: ...strators to have access to your switch while you restrict access to users who dial from outside the network through an asynchronous port connect from outside the network through a serial port or connect through a terminal or workstation from within the local network To prevent unauthorized access into your switch you should configure one or more of these security features At a minimum you should c...

Page 206: ... information for the commands used in this section see the Cisco IOS Security Command Reference Release 12 2 These sections contain this configuration information Default Password and Privilege Level Configuration page 9 2 Setting or Changing a Static Enable Password page 9 3 Protecting Enable and Enable Secret Passwords with Encryption page 9 3 Disabling Password Recovery page 9 5 Setting a Telne...

Page 207: ...ivilege level you specify We recommend that you use the enable secret command because it uses an improved encryption algorithm If you configure the enable secret command it takes precedence over the enable password command the two commands cannot be in effect simultaneously Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 enable password password Define a new passwo...

Page 208: ...nfiguration mode Step 2 enable password level level password encryption type encrypted password or enable secret level level password encryption type encrypted password Define a new password or change an existing password for access to privileged EXEC mode or Define a secret password which is saved using a nonreversible encryption method Optional For level the range is from 0 to 15 Level 1 is norm...

Page 209: ...rocess and sets the system back to default values Do not keep a backup copy of the configuration file on the switch If the switch is operating in VTP transparent mode we recommend that you also keep a backup copy of the VLAN database file on a secure server When the switch is returned to the default system configuration you can download the saved files to the switch by using the Xmodem protocol Fo...

Page 210: ...ser can access the switch If you have defined privilege levels you can also assign a specific privilege level with associated rights and privileges to each username and password pair Command Purpose Step 1 Attach a PC or workstation with emulation software to the switch console port The default data characteristics of the console port are 9600 8 1 no parity You might need to press the Return key s...

Page 211: ...ion Setting the Privilege Level for a Command page 9 8 Changing the Default Privilege Level for Lines page 9 9 Logging into and Exiting a Privilege Level page 9 9 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 username name privilege level password encryption type password Enter the username privilege level and password for each user For name specify the user ID a...

Page 212: ...pose Step 1 configure terminal Enter global configuration mode Step 2 privilege mode level level command Set the privilege level for a command For mode enter configure for global configuration mode exec for EXEC mode interface for interface configuration mode or line for line configuration mode For level the range is from 0 to 15 Level 1 is for normal user EXEC mode privileges Level 15 is the leve...

Page 213: ...and Exiting a Privilege Level Beginning in privileged EXEC mode follow these steps to log in to a specified privilege level and to exit to a specified privilege level Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 line vty line Select the virtual terminal line on which to restrict access Step 3 privilege level level Change the default privilege level for the line ...

Page 214: ...CACS services are maintained in a database on a TACACS daemon typically running on a UNIX or Windows NT workstation You should have access to and should configure a TACACS server before the configuring TACACS features on your switch Note We recommend a redundant connection between a switch stack and the TACACS server This is to help ensure that the TACACS server remains accessible in case one of t...

Page 215: ...session duration or protocol support You can also enforce restrictions on what commands a user can execute with the TACACS authorization feature Accounting Collects and sends information used for billing auditing and reporting to the TACACS daemon Network managers can use the accounting facility to track user activity for a security audit or to provide information for user billing Accounting recor...

Page 216: ...onnection between the daemon and the switch If an ERROR response is received the switch typically tries to use an alternative method for authenticating the user CONTINUE The user is prompted for additional authentication information After authentication the user undergoes an additional authorization phase if authorization has been enabled on the switch Users must first successfully complete TACACS...

Page 217: ...ou can configure the switch to use a single server or AAA server groups to group existing server hosts for authentication You can group servers to select a subset of the configured server hosts and use them for a particular service The server group is used with a global server host list and contains the list of IP addresses of the selected server hosts Beginning in privileged EXEC mode follow thes...

Page 218: ...more security protocols to be used for authentication thus ensuring a backup system for authentication in case the initial method fails The software uses the first method listed to authenticate users if that method fails to respond the software selects the next authentication method in the method list This process continues until there is successful communication with a listed authentication metho...

Page 219: ... the enable password global configuration command group tacacs Uses TACACS authentication Before you can use this authentication method you must configure the TACACS server For more information see the Identifying the TACACS Server Host and Setting the Authentication Key section on page 9 13 line Use the line password for authentication Before you can use this authentication method you must define...

Page 220: ...at restrict a user s network access to privileged EXEC mode The aaa authorization exec tacacs local command sets these authorization parameters Use TACACS for privileged EXEC access authorization if authentication was performed by using TACACS Use the local database if authentication was not performed by using TACACS Note Authorization is bypassed for authenticated users who log in through the CLI...

Page 221: ...ontrolling Switch Access with RADIUS This section describes how to enable and configure the RADIUS which provides detailed accounting information and flexible administrative control over authentication and authorization processes RADIUS is facilitated through AAA and can be enabled only through AAA commands Note For complete syntax and usage information for the commands used in this section see th...

Page 222: ... a smart card access control system In one case RADIUS has been used with Enigma s security cards to validates users and to grant access to network resources Networks already using RADIUS You can add a Cisco switch containing a RADIUS client to the network This might be the first step when you make a transition to a TACACS server See Figure 9 2 on page 9 19 Network in which the user must only acce...

Page 223: ...he user is either not authenticated and is prompted to re enter the username and password or access is denied c CHALLENGE A challenge requires additional data from the user d CHALLENGE PASSWORD A response requests the user to select a new password The ACCEPT or REJECT response is bundled with additional data that is used for privileged EXEC or network authorization Users must first successfully co...

Page 224: ...is exhausted You should have access to and should configure a RADIUS server before configuring RADIUS features on your switch These sections contain this configuration information Default RADIUS Configuration page 9 20 Identifying the RADIUS Server Host page 9 20 required Configuring RADIUS Login Authentication page 9 23 required Defining AAA Server Groups page 9 25 optional Configuring RADIUS Aut...

Page 225: ...rver and the switch use a shared secret text string to encrypt passwords and exchange responses To configure RADIUS to use the AAA security commands you must specify the host running the RADIUS server daemon and a secret text key string that it shares with the switch The timeout retransmission and encryption key values can be configured globally for all RADIUS servers on a per server basis or in s...

Page 226: ... the number of times a RADIUS request is resent to a server if that server is not responding or responding slowly The range is 1 to 1000 If no retransmit value is set with the radius server host command the setting of the radius server retransmit global configuration command is used Optional For key string specify the authentication and encryption key used between the switch and the RADIUS daemon ...

Page 227: ...d and the sequence in which they are performed it must be applied to a specific port before any of the defined authentication methods are performed The only exception is the default method list which by coincidence is named default The default method list is automatically applied to all ports except those that have a named method list explicitly defined A method list describes the sequence and aut...

Page 228: ...US server For more information see the Identifying the RADIUS Server Host section on page 9 20 line Use the line password for authentication Before you can use this authentication method you must define a line password Use the password password line configuration command local Use the local username database for authentication You must enter username information in the database Use the username na...

Page 229: ... Release 12 2 Defining AAA Server Groups You can configure the switch to use AAA server groups to group existing server hosts for authentication You select a subset of the configured server hosts and use them for a particular service The server group is used with a global server host list which lists the IP addresses of the selected server hosts Server groups also can include multiple host entries...

Page 230: ...value is set with the radius server host command the setting of the radius server retransmit global configuration command is used Optional For key string specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server Note The key is a text string that must match the encryption key used on the RADIUS server Always configure the key as the la...

Page 231: ...leged Access and Network Services AAA authorization limits the services available to a user When AAA authorization is enabled the switch uses information retrieved from the user s profile which is in the local user database or on the security server to configure the user s session The user is granted access to a requested service only if the information in the user profile allows it You can use th...

Page 232: ...disable accounting use the no aaa accounting network exec start stop method1 global configuration command Step 3 aaa authorization exec radius Configure the switch for user RADIUS authorization if the user has privileged EXEC access The exec keyword might return user profile information such as autocommand information Step 4 end Return to privileged EXEC mode Step 5 show running config Verify your...

Page 233: ...es The full set of features available for TACACS authorization can then be used for RADIUS For example this AV pair activates Cisco s multiple named ip address pools feature during IP authorization during PPP IPCP address assignment cisco avpair ip addr pool first Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 radius server key string Specify the shared secret tex...

Page 234: ...n unique vendor IDs options and associated VSAs For more information about vendor IDs and VSAs see RFC 2138 Remote Authentication Dial In User Service RADIUS Beginning in privileged EXEC mode follow these steps to configure the switch to recognize and use VSAs For a complete list of RADIUS attributes or more information about vendor specific attribute 26 see the RADIUS Attributes appendix in the C...

Page 235: ...l configuration command This example shows how to specify a vendor proprietary RADIUS host and to use a secret key of rad124 between the switch and the server Switch config radius server host 172 20 30 15 nonstandard Switch config radius server key rad124 Displaying the RADIUS Configuration To display the RADIUS configuration use the show running config privileged EXEC command Command Purpose Step...

Page 236: ...122cgcr fsecur_c fsecsp index htm Note In the Kerberos configuration examples and in the Cisco IOS Security Command Reference Release 12 2 the trusted third party can be a Catalyst 3750 switch that supports Kerberos that is configured as a network security server and that can authenticate users by using the Kerberos protocol Understanding Kerberos Kerberos is a secret key network authentication pr...

Page 237: ...ls have a default lifespan of eight hours Instance An authorization level label for Kerberos principals Most Kerberos principals are of the form user REALM for example smith EXAMPLE COM A Kerberos principal with a Kerberos instance has the form user instance REALM for example smith admin EXAMPLE COM The Kerberos instance can be used to specify the authorization level for the user if authentication...

Page 238: ...witch prompts the user for a username and password 3 The switch requests a TGT from the KDC for this user KEYTAB3 A password that a network service shares with the KDC In Kerberos 5 and later Kerberos versions the network service authenticates an encrypted service credential by using the KEYTAB to decrypt it In Kerberos versions earlier than Kerberos 5 KEYTAB is referred to as SRVTAB4 Principal Al...

Page 239: ... KDC section in the Security Server Protocols chapter of the Cisco IOS Security Configuration Guide Release 12 2 at this URL http www cisco com univercd cc td doc product software ios122 122cgcr fsecur_c fsecsp scfkerb ht m 1000999 Authenticating to Network Services This section describes the third layer of security through which a remote user must pass The user with a TGT must now authenticate to...

Page 240: ...22cgcr fsecur_c fsecsp scfkerb ht m 1001027 Configuring the Switch for Local Authentication and Authorization You can configure AAA to operate without a server by setting the switch to implement AAA in local mode The switch then handles authentication and authorization No accounting is available in this configuration Beginning in privileged EXEC mode follow these steps to configure the switch for ...

Page 241: ... Cisco com For more information see the release notes for this release These sections contain this information Understanding SSH page 9 38 Configuring SSH page 9 39 Displaying the SSH Configuration and Status page 9 41 Step 6 username name privilege level password encryption type password Enter the local database and establish a username based authentication system Repeat this command for each use...

Page 242: ... 38 Limitations page 9 39 Note The SSH connection to the switch stack can be lost if a stack master running the cryptographic version of the IP base image formerly known as the standard multilayer image SMI or IP services image formerly known as the enhanced multilayer image EMI software fails and is replaced by a switch that is running a noncryptographic version of the software We recommend that ...

Page 243: ...tion information Configuration Guidelines page 9 39 Setting Up the Switch to Run SSH page 9 40 required Configuring the SSH Server page 9 41 required only if you are configuring the switch as an SSH server Configuration Guidelines Follow these guidelines when configuring the switch as an SSH server or SSH client An RSA key pair generated by a SSHv1 server can be used by an SSHv2 server and the rev...

Page 244: ...ing in privileged EXEC mode follow these steps to configure a hostname and an IP domain name and to generate an RSA key pair This procedure is required if you are configuring the switch as an SSH server To delete the RSA key pair use the crypto key zeroize rsa global configuration command After the RSA key pair is deleted the SSH server is automatically disabled Command Purpose Step 1 configure te...

Page 245: ...nds authentication retries number Configure the SSH control parameters Specify the time out value in seconds the default is 120 seconds The range is 0 to 120 seconds This parameter applies to the SSH negotiation phase After the connection is established the switch uses the default time out values of the CLI based sessions By default up to five simultaneous encrypted SSH connections for multiple CL...

Page 246: ...HTTPS HTTP Server and Client with SSL 3 0 feature description for Cisco IOS Release 12 2 15 T at this URL http www cisco com univercd cc td doc product software ios122 122newft 122t 122t15 ftsslsht htm Understanding Secure HTTP Servers and Clients On a secure HTTP connection data to and from an HTTP server is encrypted before being sent over the Internet HTTP with SSL encryption provides a secure ...

Page 247: ...f you disable the secure HTTP server so that it will be there the next time you re enable a secure HTTP connection If a self signed certificate has been generated this information is included in the output of the show running config privileged EXEC command This is a partial sample output from that command displaying a self signed certificate Switch show running config Building configuration output...

Page 248: ...st defines the CipherSuites supported by the switch and ranks them from fastest to slowest in terms of router processing load speed 1 SSL_RSA_WITH_DES_CBC_SHA RSA key exchange RSA Public Key Cryptography with DES CBC for message encryption and SHA for message digest 2 SSL_RSA_WITH_RC4_128_MD5 RSA key exchange with RC4 128 bit encryption and MD5 for message digest 3 SSL_RSA_WITH_RC4_128_SHA RSA key...

Page 249: ... keys and certificates Step 4 crypto key generate rsa Optional Generate an RSA key pair RSA key pairs are required before you can obtain a certificate for the switch RSA key pairs are generated automatically You can use this command to regenerate the keys if needed Step 5 crypto ca trustpoint name Specify a local configuration name for the CA trustpoint and enter CA trustpoint configuration mode S...

Page 250: ...http secure port port number Optional Specify the port number to be used for the HTTPS server The default port number is 443 Valid options are 443 or any number in the range 1025 to 65535 Step 5 ip http secure ciphersuite 3des ede cbc sha rc4 128 md5 rc4 128 sha des cbc sha Optional Specify the CipherSuites encryption algorithms to be used for encryption over the HTTPS connection If you do not hav...

Page 251: ...lient authentication connections to the secure HTTP client fail Beginning in privileged EXEC mode follow these steps to configure a secure HTTP client Step 11 ip http timeout policy idle seconds life seconds requests value Optional Specify how long a connection to the HTTP server can remain open under the defined circumstances idle the maximum time period when no data is received or response data ...

Page 252: ...nabling SCP you must correctly configure SSH authentication and authorization on the switch Because SCP relies on SSH for its secure transport the router must have an Rivest Shamir and Adelman RSA key pair Note When using SCP you cannot enter the password into the copy command You must enter the password when prompted Step 3 ip http client secure ciphersuite 3des ede cbc sha rc4 128 md5 rc4 128 sh...

Page 253: ...res that authentication authorization and accounting AAA authorization be configured so the router can determine whether the user has the correct privilege level A user who has appropriate authorization can use SCP to copy any file in the Cisco IOS File System IFS to and from a switch by using the copy command An authorized administrator can also do this from a workstation For more information on ...

Page 254: ...9 50 Catalyst 3750 Switch Software Configuration Guide OL 8550 02 Chapter 9 Configuring Switch Based Authentication Configuring the Switch for Secure Copy Protocol ...

Page 255: ...atus page 10 46 Understanding IEEE 802 1x Port Based Authentication The IEEE 802 1x standard defines a client server based access control and authentication protocol that prevents clients from connecting to a LAN through publicly accessible ports unless they are authenticated The authentication server authenticates each client connected to a switch port before making available any services offered...

Page 256: ...on page 10 19 Using Multidomain Authentication page 10 20 Using Web Authentication page 10 21 Device Roles With IEEE 802 1x port based authentication the devices in the network have specific roles as shown in Figure 10 1 Figure 10 1 IEEE 802 1x Device Roles Client the device workstation that requests access to the LAN and switch services and responds to requests from the switch The workstation mus...

Page 257: ...r is removed leaving the EAP frame which is then encapsulated for Ethernet and sent to the client The devices that can act as intermediaries include the Catalyst 3750 E Catalyst 3560 E Catalyst 3750 Catalyst 3560 Catalyst 3550 Catalyst 2970 Catalyst 2960 Catalyst 2955 Catalyst 2950 Catalyst 2940 switches or a wireless access point These devices must be running software that supports the RADIUS cli...

Page 258: ...ation using a RADIUS server is configured the switch uses timers based on the Session Timeout RADIUS attribute Attribute 27 and the Termination Action RADIUS attribute Attribute 29 141679 Yes No Client identity is invalid All authentication servers are down All authentication servers are down Client identity is valid The switch gets an EAPOL message and the EAPOL message exchange begins Yes No 1 1...

Page 259: ...nticated The switch sends an EAP request identity frame to the client to request its identity Upon receipt of the frame the client responds with an EAP response identity frame However if during bootup the client does not receive an EAP request identity frame from the switch the client can initiate authentication by sending an EAPOL start frame which prompts the switch to request the client s ident...

Page 260: ...he MAC address of the client as its identity and includes this information in the RADIUS access request frame that is sent to the RADIUS server After the server sends the switch the RADIUS access accept frame authorization is successful the port becomes authorized If authorization fails and a guest VLAN is specified the switch assigns the port to the guest VLAN If the switch detects an EAPOL packe...

Page 261: ...on process by sending the EAPOL start frame When no response is received the client sends the request for a fixed number of times Because no response is received the client begins sending frames as if the port is in the authorized state You control the port authorization state by using the dot1x port control interface configuration command and these keywords force authorized disables IEEE 802 1x a...

Page 262: ...odic re authentication enabled remain in the authenticated state Communication with the RADIUS server is not required Ports that are already authenticated and that have periodic re authentication enabled with the dot1x re authentication global configuration command fail the authentication process when the re authentication occurs Ports return to the unauthenticated state during the re authenticati...

Page 263: ...d defines how users are authorized and authenticated for network access but does not keep track of network usage IEEE 802 1x accounting is disabled by default You can enable IEEE 802 1x accounting to monitor this activity on IEEE 802 1x enabled ports User successfully authenticates User logs off Link down occurs Re authentication successfully occurs Re authentication fails The switch does not log ...

Page 264: ...E 802 1x authentication with VLAN assignment After successful IEEE 802 1x authentication of a port the RADIUS server sends the VLAN assignment to configure the switch port The RADIUS server database maintains the username to VLAN mappings assigning the VLAN based on the username of the client connected to the switch port You can use this feature to limit network access for certain users Table 10 1...

Page 265: ...When the port is in the force authorized force unauthorized unauthorized or shutdown state it is put into the configured access VLAN If an IEEE 802 1x port is authenticated and put in the RADIUS server assigned VLAN any change to the port access VLAN configuration does not take effect The IEEE 802 1x authentication with VLAN assignment feature is not supported on trunk ports dynamic ports or with ...

Page 266: ...port ACLs in the egress direction on Layer 2 ports For more information see Chapter 32 Configuring Network Security with ACLs Use only the extended ACL syntax style to define the per user configuration stored on the RADIUS server When the definitions are passed from the RADIUS server they are created by using the extended naming convention However if you use the Filter Id attribute it can point to...

Page 267: ...ork by entering the dot1x auth fail vlan vlan id interface configuration command In Cisco IOS Release 12 2 25 SEE and later if devices send EAPOL packets to the switch during the lifetime of the link the switch no longer allows clients that fail authentication access to the guest VLAN Note If an EAPOL packet is detected after the interface has changed to the guest VLAN the interface reverts to an ...

Page 268: ...r resets Users who fail authentication remain in the restricted VLAN until the next re authentication attempt A port in the restricted VLAN tries to re authenticate at configured intervals the default is 60 seconds If re authentication fails the port remains in the restricted VLAN If re authentication is successful the port moves either to the configured VLAN or to a VLAN sent by the RADIUS server...

Page 269: ...port is already authorized and re authentication occurs the switch puts the critical port in the critical authentication state in the current VLAN which might be the one previously assigned by the RADIUS server If the RADIUS server becomes unavailable during an authentication exchange the current exchanges times out and the switch puts the critical port in the critical authentication state during ...

Page 270: ...ter sends the member the server status Using IEEE 802 1x Authentication with Voice VLAN Ports A voice VLAN port is a special access port associated with two VLAN identifiers VVID to carry voice traffic to and from the IP phone The VVID is used to configure the IP phone connected to the port PVID to carry the data traffic to and from the workstation connected to the switch through the IP phone The ...

Page 271: ...t table unless port security static aging has been enabled A security violation occurs if the client is authenticated but the port security table is full This can happen if the maximum number of secure hosts has been statically configured or if the client ages out of the secure host table If the client address is aged its place in the secure host table can be taken by another host If the security ...

Page 272: ... packets from or send packets to the host Using IEEE 802 1x Authentication with MAC Authentication Bypass You can configure the switch to authorize clients based on the client MAC address see Figure 10 2 on page 10 4 by using the MAC authentication bypass feature For example you can enable this feature on IEEE 802 1x ports connected to devices such as printers If IEEE 802 1x authentication times o...

Page 273: ...gured Restricted VLAN This feature is not supported when the client connected to an IEEE 802 lx port is authenticated with MAC authentication bypass Port security See the Using IEEE 802 1x Authentication with Port Security section on page 10 17 Voice VLAN See the Using IEEE 802 1x Authentication with Voice VLAN Ports section on page 10 16 VLAN Membership Policy Server VMPS IEEE802 1x and VMPS are ...

Page 274: ...abled switch port the voice device fails authorization To authorize a voice device the AAA server must be configured to send a Cisco Attribute Value AV pair attribute with a value of device traffic class voice Without this value the switch treats the voice device as a data device The guest VLAN and restricted VLAN features only apply to the data devices on an MDA enabled port The switch treats a v...

Page 275: ...se only web authentication You can also configure the port to first try and use IEEE 802 1x authentication and then to use web authorization if the client does not support IEEE 802 1x authentication Web authentication requires two Cisco Attribute Value AV pair attributes The first attribute priv lvl 15 must always be set to 15 This sets the privilege level of the user who is logging into the switc...

Page 276: ...thentication with WoL page 10 39 optional Configuring MAC Authentication Bypass page 10 40 optional Configuring NAC Layer 2 IEEE 802 1x Validation page 10 41 optional Configuring Web Authentication page 10 41 optional Disabling IEEE 802 1x Authentication on the Port page 10 44 optional Resetting the IEEE 802 1x Authentication Configuration to the Default Values page 10 45 optional Default IEEE 802...

Page 277: ...conds number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client Retransmission time 30 seconds number of seconds that the switch should wait for a response to an EAP request identity frame from the client before resending the request Maximum retransmission number 2 times number of times that the switch will send an EAP request identity ...

Page 278: ...n is not enabled If you try to change an IEEE 802 1x enabled port to dynamic VLAN assignment an error message appears and the VLAN configuration is not changed EtherChannel port Do not configure a port that is an active or a not yet active member of an EtherChannel as an IEEE 802 1x port If you try to enable IEEE 802 1x authentication on an EtherChannel port an error message appears and IEEE 802 1...

Page 279: ...hich the client is connected is in the critical authentication state Windows XP might report that the interface is not authenticated If the Windows XP client is configured for DHCP and has an IP address from the DHCP server receiving an EAP Success message on a critical port might not re initiate the DHCP configuration process You can configure the inaccessible authentication bypass feature and th...

Page 280: ...evious release make sure to reconfigure it by using the dot1x host mode multi host interface configuration command In Cisco IOS Release 12 2 25 SEE the implementation for IEEE 802 1x authentication changed from the previous releases When IEEE 802 1x authentication is enabled information about Port Fast is no longer added to the configuration and this information appears in the running configuratio...

Page 281: ...st is automatically applied to all ports For method1 enter the group radius keywords to use the list of all RADIUS servers for authentication Note Though other keywords are visible in the command line help string only the group radius keywords are supported Step 4 dot1x system auth control Enable IEEE 802 1x authentication globally on the switch Step 5 aaa authorization network default group radiu...

Page 282: ...e settings include the IP address of the switch and the key string to be shared by both the server and the switch For more information see the RADIUS server documentation Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 radius server host hostname ip address auth port port number key string Configure the RADIUS server parameters For hostname ip address specify the h...

Page 283: ...ice vlan 101 Switch config if end Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 radius server vsa send authentication Configure the network access server to recognize and use vendor specific attributes VSAs Step 3 interface interface id Specify the port to which multiple hosts are indirectly attached and enter interface configuration mode Step 4 dot1x host mode s...

Page 284: ...e client connected to a specific port at any time by entering the dot1x re authenticate interface interface id privileged EXEC command This step is optional If you want to enable or disable periodic re authentication see the Configuring Periodic Re Authentication section on page 10 30 This example shows how to manually re authenticate the client connected to a port Switch dot1x re authenticate int...

Page 285: ...me and then resends the frame Note You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers Beginning in privileged EXEC mode follow these steps to change the amount of time that the switch waits for client notification This procedure is optional Command Purp...

Page 286: ...on number This procedure is optional To return to the default retransmission number use the no dot1x max req interface configuration command This example shows how to set 5 as the number of times that the switch sends an EAP request identity request before restarting the authentication process Switch config if dot1x max req 5 Setting the Re Authentication Number You can also change the number of t...

Page 287: ...receive the accounting response message from the RADIUS server after a configurable number of retransmissions of an accounting request this system message appears Accounting message s for session s failed to receive Accounting Response When the stop message is not sent successfully this message appears 00 09 55 RADIUS 3 NOACCOUNTINGRESPONSE Accounting message Start for session 172 20 50 145 sam 11...

Page 288: ...t VLANs in single host or multiple hosts mode Beginning in privileged EXEC mode follow these steps to configure a guest VLAN This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be configured and enter interface configuration mode Step 3 aaa accounting dot1x default start stop group radius Enable IEEE...

Page 289: ... restricted VLAN when the authentication server does not receive a valid username and password The switch supports restricted VLANs only in single host mode Beginning in privileged EXEC mode follow these steps to configure a restricted VLAN This procedure is optional Step 5 dot1x guest vlan vlan id Specify an active VLAN as an IEEE 802 1x guest VLAN The range is 1 to 4094 You can configure any act...

Page 290: ...N as an IEEE 802 1x restricted VLAN Step 6 end Return to privileged EXEC mode Step 7 show dot1x interface interface id Optional Verify your entries Step 8 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be configured and...

Page 291: ...e the port as a critical port and enable the inaccessible authentication bypass feature This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 radius server dead criteria time time tries tries Optional Set the conditions that are used to decide when a RADIUS server is considered unavailable or dead The range for time is from 1 to 120 seconds The...

Page 292: ...0 string 7 string string global configuration command test username name Enable automated testing of the RADIUS server status and specify the username to be used idle time time Set the interval of time in minutes after which the switch sends test packets to the server The range is from 1 to 35791 minutes The default is 60 minutes 1 hour ignore acct port Disable testing on the RADIUS server account...

Page 293: ...eged EXEC mode follow these steps to enable IEEE 802 1x authentication with WoL This procedure is optional Step 7 dot1x critical recovery action reinitialize vlan vlan id Enable the inaccessible authentication bypass feature and use these keywords to configure the feature recovery action reinitialize Enable the recovery feature and specify that the recovery action is to authenticate the port when ...

Page 294: ...Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be configured and enter interface configuration mode For the supported port types see the IEEE 802 1x Authentication Configuration Guidelines section on page 10 23 Step 3 dot1x port control auto Enable IEEE ...

Page 295: ...Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be configured and enter interface configuration mode Step 3 dot1x guest vlan vlan id Specify an active VLAN as an IEEE 802 1x guest VLAN The range is 1 to 4094 You can configure any active VLAN except an internal VLAN routed port an RSPAN VLAN or a voice VLAN as an IEEE 802 1...

Page 296: ...ing Switch Based Authentication The console prompts you for a username and password on future attempts to access the switch console after entering the aaa authentication login command If you do not want to be prompted for a username and password configure a second login authentication list Switch config t Switch config aaa authentication login line console none Switch config line console 0 Switch ...

Page 297: ... access group access list in Specify the default access control list to be applied to network traffic before web authentication Step 6 ip admission rule Apply an IP admission rule to the interface Step 7 end Return to privileged EXEC mode Step 8 show running config interface interface id Verify your configuration Step 9 copy running config startup config Optional Save your entries in the configura...

Page 298: ... To configure the port as an IEEE 802 1x port access entity PAE authenticator which enables IEEE 802 1x on the port but does not allow clients connected to the port to be authorized use the dot1x pae authenticator interface configuration command Step 10 dot1x fallback fallback profile Configure the port to authenticate a client by using web authentication when no IEEE 802 1x supplicant is detected...

Page 299: ... Beginning in privileged EXEC mode follow these steps to reset the IEEE 802 1x authentication configuration to the default values This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify the port to be configured Step 3 dot1x default Reset the IEEE 802 1x parameters to the defau...

Page 300: ...play IEEE 802 1x statistics for a specific port use the show dot1x statistics interface interface id privileged EXEC command To display the IEEE 802 1x administrative and operational status for the switch use the show dot1x all details statistics summary privileged EXEC command To display the IEEE 802 1x administrative and operational status for a specific port use the show dot1x interface interfa...

Page 301: ...omplete syntax and usage information for the commands used in this chapter see the switch command reference for this release and the online Cisco IOS Interface Command Reference Release 12 2 Understanding Interface Types This section describes the different types of interfaces supported by the switch with references to chapters that contain more detailed information about configuring these interfa...

Page 302: ...n the stack build the same VLAN database To configure extended range VLANs VLAN IDs 1006 to 4094 you must use config vlan mode with VTP mode set to transparent Extended range VLANs are not added to the VLAN database When VTP mode is transparent the VTP and VLAN configuration is saved in the switch running configuration and you can save it in the switch startup configuration file by entering the co...

Page 303: ... Membership Policy Server VMPS The VMPS can be a Catalyst 6500 series switch the Catalyst 3750 switch cannot be a VMPS server You can also configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone For more information about voice VLAN ports see Chapter 15 Configuring Voice VLAN Trunk Ports A trun...

Page 304: ... to a router A routed port is not associated with a particular VLAN as is an access port A routed port behaves like a regular router interface except that it does not support VLAN subinterfaces Routed ports can be configured with a Layer 3 routing protocol A routed port is a Layer 3 interface only and does not support Layer 2 protocols such as DTP and STP Configure routed ports by putting the inte...

Page 305: ...es being configured might impact CPU performance because of hardware limitations See the Configuring Layer 3 Interfaces section on page 11 25 for information about what happens when hardware resource limitations are reached SVIs are created the first time that you enter the vlan interface configuration command for a VLAN interface The VLAN corresponds to the VLAN tag associated with data frames on...

Page 306: ... dynamically create the port channel logical interface This command binds the physical and logical ports together For more information see Chapter 34 Configuring EtherChannels and Link State Tracking 10 Gigabit Ethernet Interfaces The Catalyst 3750G 16TD switch has one 10 Gigabit Ethernet interface The switch uses a 10 Gigabit Ethernet XENPAK module to establish connections to networks The 10 Giga...

Page 307: ...ccording to the CDP message that it receives CDP is not supported on third party powered devices therefore the switch uses the IEEE classification to determine the power usage of the device IEEE 802 3af The major features of this standard are powered device discovery power administration disconnect detection and optional powered device power classification For more information see the standard Pow...

Page 308: ...includes the status in output displays Power Management Modes The switch supports these PoE modes auto The switch automatically detects if the connected device requires power If the switch discovers a powered device connected to the port and if the switch has enough power it grants power updates the power budget turns on power to the port on a first come first served basis and updates the LEDs For...

Page 309: ...However if the powered device IEEE class is greater than the maximum wattage the switch does not supply power to it If the switch learns through CDP messages that the powered device needs more than the maximum wattage the powered device is shutdown If you do not specify a wattage the switch pre allocates the maximum value The switch powers the port only if it discovers a powered device Use the sta...

Page 310: ...Chapter 42 Configuring Fallback Bridging Using Interface Configuration Mode The switch supports these interface types Physical ports switch ports and routed ports VLANs switch virtual interfaces Port channels EtherChannel interfaces You can also configure a range of interfaces see the Configuring a Range of Interfaces section on page 11 12 To configure a physical interface port specify the interfa...

Page 311: ...on the type of other interfaces on the switch If the port type changes from Fast Ethernet to Gigabit Ethernet SFP the port numbers begin again from 1 if the port type remains Gigabit Ethernet the port numbers continue consecutively To configure the first SFP module port on stack member 1 with 24 10 100 1000 ports enter this command Switch config interface gigabitethernet1 0 25 To configure the fir...

Page 312: ...re multiple interfaces with the same configuration parameters When you enter the interface range configuration mode all command parameters that you enter are attributed to all interfaces within that range until you exit this mode Beginning in privileged EXEC mode follow these steps to configure a range of interfaces with the same parameters Command Purpose Step 1 configure terminal Enter global co...

Page 313: ...e type all Fast Ethernet ports all Gigabit Ethernet ports all EtherChannel ports or all VLANs but you can enter multiple ranges in a command This example shows how to use the interface range global configuration command to set the speed on ports 1 to 4 on switch 1 to 100 Mbps Switch configure terminal Switch config interface range gigabitethernet1 0 1 4 Switch config if range speed 100 This exampl...

Page 314: ...s must have been configured with the interface vlan command The show running config privileged EXEC command displays the configured VLAN interfaces VLAN interfaces not displayed by the show running config command cannot be used as interface ranges All interfaces defined as in a range must be the same type all Fast Ethernet ports all Gigabit Ethernet ports all EtherChannel ports or all VLANs but yo...

Page 315: ...Switch config if range This example shows how to delete the interface range macro enet_list and to verify that it was deleted Switch configure terminal Switch config no define interface range enet_list Switch config end Switch show run include define Switch Configuring Ethernet Interfaces These sections contain this configuration information Default Ethernet Interface Configuration page 11 15 Conf...

Page 316: ...ined Speed Autonegotiate Not supported on the 10 Gigabit interfaces Duplex mode Autonegotiate Not supported on the 10 Gigabit interfaces Flow control Flow control is set to receive off It is always off for sent packets EtherChannel PAgP Disabled on all Ethernet ports See Chapter 34 Configuring EtherChannels and Link State Tracking Port blocking unknown multicast and unknown unicast traffic Disable...

Page 317: ...models include combinations of Fast Ethernet 10 100 Mbps ports Gigabit Ethernet 10 100 1000 Mbps ports 10 Gigabit module ports and small form factor pluggable SFP module slots supporting SFP modules These sections describe how to configure the interface speed and duplex mode Speed and Duplex Configuration Guidelines page 11 17 Setting the Interface Speed and Duplex Parameters page 11 18 Speed and ...

Page 318: ...n Setting the Interface Speed and Duplex Parameters Beginning in privileged EXEC mode follow these steps to set the speed and duplex mode for a physical interface Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the physical interface to be configured and enter interface configuration mode Step 3 speed 10 100 1000 auto 10 100 1000 none...

Page 319: ...rol Flow control enables connected Ethernet ports to control traffic rates during congestion by allowing congested nodes to pause link operation at the other end If one port experiences congestion and cannot receive any more traffic it notifies the other port by sending a pause frame to stop sending until the condition clears Upon receipt of a pause frame the sending device stops sending any data ...

Page 320: ...IX on an Interface When automatic medium dependent interface crossover auto MDIX is enabled on an interface the interface automatically detects the required cable connection type straight through or crossover and configures the connection appropriately When connecting switches without the auto MDIX feature you must use straight through cables to connect to devices such as servers workstations or r...

Page 321: ...e to give a PoE port higher priority to make it data only or to specify a maximum wattage to disallow high power powered devices on a port Table 11 3 Link Conditions and Auto MDIX Settings Local Side Auto MDIX Remote Side Auto MDIX With Correct Cabling With Incorrect Cabling On On Link up Link up On Off Link up Link up Off On Link up Link up Off Off Link up Link down Command Purpose Step 1 configu...

Page 322: ...n mode Step 2 interface interface id Specify the physical port to be configured and enter interface configuration mode Step 3 power inline auto max max wattage never static max max wattage Configure the PoE mode on the port The keywords have these meanings auto Enable powered device detection If enough power is available automatically allocate power to the PoE port after device detection This is t...

Page 323: ... example if the switch budgets 15 400 milliwatts on each PoE port you can connect only 24 Class 0 powered devices If your Class 0 device power requirement is actually 5000 milliwatts you can set the consumption wattage to 5000 milliwatts and connect up to 48 devices The total PoE output power available on a 24 port or 48 port switch is 370 000 milliwatts Caution You should carefully plan your swit...

Page 324: ...e Step 5 show power inline consumption default Display the power consumption status Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 no cdp run Optional Disable CDP Step 3 interface interface id Specify the physical port to be configured and enter interface...

Page 325: ...gning Layer 2 ports to VLANs see Chapter 13 Configuring VLANs Routed ports Routed ports are physical ports configured to be in Layer 3 mode by using the no switchport interface configuration command Layer 3 EtherChannel ports EtherChannel interfaces made up of routed ports EtherChannel port interfaces are described in Chapter 34 Configuring EtherChannels and Link State Tracking A Layer 3 switch ca...

Page 326: ...e into Layer 3 mode the previous configuration information related to the affected interface might be lost and the interface is returned to its default configuration Beginning in privileged EXEC mode follow these steps to configure a Layer 3 interface To remove an IP address from an interface use the no ip address interface configuration command This example shows how to configure a port as a rout...

Page 327: ...ze you must reset the switch before the new configuration takes effect The system mtu routing command does not require a switch reset to take effect Frames sizes that can be received by the switch CPU are limited to 1998 bytes no matter what value was entered with the system mtu or system mtu jumbo commands Although frames that are forwarded or routed are typically not received by the CPU in some ...

Page 328: ...0 Invalid input detected at marker Monitoring and Maintaining the Interfaces These sections contain interface monitoring and maintenance information Monitoring Interface Status page 11 29 Clearing and Resetting Interfaces and Counters page 11 30 Shutting Down and Restarting the Interface page 11 30 Step 3 system mtu jumbo bytes Optional Change the MTU size for all Gigabit Ethernet interfaces on th...

Page 329: ...a port is in routing or in switching mode show interfaces interface id description Display the description configured on an interface or all interfaces and the interface status show ip interface interface id Display the usability status of all interfaces configured for IP routing or the specified interface show interface interface id stats Display the input and output packets by the switching path...

Page 330: ...face and marks the interface as unavailable on all monitoring command displays This information is communicated to other network servers through all dynamic routing protocols The interface is not mentioned in any routing updates Beginning in privileged EXEC mode follow these steps to shut down an interface Use the no shutdown interface configuration command to restart the interface To verify that ...

Page 331: ... command line interface CLI commands that you define Smartports macros do not contain new CLI commands they are simply a group of existing CLI commands When you apply a Smartports macro on an interface the CLI commands within the macro are configured on the interface When the macro is applied to an interface the existing interface configurations are not lost The new commands are added to the inter...

Page 332: ...orts Macro Configuration page 12 2 Smartports Macro Configuration Guidelines page 12 3 Creating Smartports Macros page 12 4 Applying Smartports Macros page 12 5 Applying Cisco Default Smartports Macros page 12 6 Default Smartports Macro Configuration There are no Smartports macros enabled cisco phone Use this interface configuration macro when connecting a desktop device such as a PC with a Cisco ...

Page 333: ...bally to a switch or to a switch interface all existing configuration on the interface is retained This is helpful when applying an incremental configuration If you modify a macro definition by adding or deleting commands the changes are not reflected on the interface where the original macro was applied You need to reapply the updated macro on the interface to apply the new or changed commands Yo...

Page 334: ... string keywords by using macro keywords Switch config macro name test switchport access vlan VLANID switchport port security maximum MAX macro keywords VLANID MAX Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 macro name macro name Create a macro definition and enter a macro name A macro definition can contain up to 3000 characters Enter the macro commands with o...

Page 335: ...keyword values the commands are invalid and are not applied Step 3 macro global description text Optional Enter a description about the macro that is applied to the switch Step 4 interface interface id Optional Enter interface configuration mode and specify the interface on which to apply the macro Step 5 default interface interface id Optional Clear all configuration from the specified interface ...

Page 336: ...e Macro Description Gi1 0 2 desktop config This example shows how to apply the user created macro called desktop config and to replace all occurrences of VLAN 1 with VLAN 25 Switch config if macro apply desktop config vlan 25 Applying Cisco Default Smartports Macros Beginning in privileged EXEC mode follow these steps to apply a Smartports macro Command Purpose Step 1 show parser macro Display the...

Page 337: ... greater than one minute and use inactivity timer switchport port security violation restrict switchport port security aging time 2 switchport port security aging type inactivity Configure port as an edge network port spanning tree portfast spanning tree bpduguard enable Switch Switch configure terminal Switch config gigabitethernet1 0 4 Switch config if macro apply cisco desktop AVID 25 Step 7 ma...

Page 338: ...of the privileged EXEC commands in Table 12 2 Table 12 2 Commands for Displaying Smartports Macros Command Purpose show parser macro Displays all configured macros show parser macro name macro name Displays a specific macro show parser macro brief Displays the configured macro names show parser macro description interface interface id Displays the macro description for all interfaces or for a spec...

Page 339: ...AN is a switched network that is logically segmented by function project team or application without regard to the physical locations of the users VLANs have the same attributes as physical LANs but you can group end stations even if they are not physically located on the same LAN segment Any switch port can belong to a VLAN and unicast broadcast and multicast packets are forwarded and flooded onl...

Page 340: ...ction on page 11 5 and the Configuring Layer 3 Interfaces section on page 11 25 Note If you plan to configure many VLANs on the switch and to not enable routing you can use the sdm prefer vlan global configuration command to set the Switch Database Management sdm feature to the VLAN template which configures system resources to support the maximum number of unicast MAC addresses For more informati...

Page 341: ...nformation set the VTP mode to transparent To participate in VTP there must be at least one trunk port on the switch stack connected to a trunk port of a second switch or switch stack Trunk ISL or IEEE 802 1Q A trunk port is a member of all VLANs by default including extended range VLANs but membership can be limited by configuring the allowed VLAN list You can also modify the pruning eligible lis...

Page 342: ...onsistent with the stack master Voice VLAN A voice VLAN port is an access port attached to a Cisco IP Phone configured to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone For more information about voice VLAN ports see Chapter 15 Configuring Voice VLAN VTP is not required it has no affect on a voice VLAN Private VLAN A private VLAN port is a host...

Page 343: ...t Fiber Distributed Data Interface FDDI FDDI network entity title NET TrBRF or TrCRF Token Ring Token Ring Net VLAN state active or suspended Maximum transmission unit MTU for the VLAN Security Association Identifier SAID Bridge identification number for TrBRF VLANs Ring number for FDDI and TrCRF VLANs Parent VLAN number for TrCRF VLANs Spanning Tree Protocol STP type for TrCRF VLANs VLAN number t...

Page 344: ... domain or VTP will not function The switch does not support Token Ring or FDDI media The switch does not forward FDDI FDDI Net TrCRF or TrBRF traffic but it does propagate the VLAN configuration through VTP The switch supports 128 spanning tree instances If a switch has more active VLANs than supported spanning tree instances spanning tree can be enabled on 128 VLANs and is disabled on the remain...

Page 345: ... creating extended range VLANs VLAN IDs greater than 1005 See the Configuring Extended Range VLANs section on page 13 12 VLAN Configuration in VLAN Database Configuration Mode To access VLAN database configuration mode enter the vlan database privileged EXEC command Then enter the vlan command with a new VLAN ID to create a VLAN or enter an existing VLAN ID to modify the VLAN You can use the defau...

Page 346: ...he first 1005 VLANs use the VLAN database information Caution If the VLAN database configuration is used at startup and the startup configuration file contains extended range VLAN configuration this information is lost when the system boots up Default Ethernet VLAN Configuration Table 13 2 shows the default configuration for Ethernet VLANs Note The switch supports Ethernet interfaces exclusively B...

Page 347: ...Switch config vlan 20 Switch config vlan name test20 Switch config vlan end Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 vlan vlan id Enter a VLAN ID and enter config vlan mode Enter a new VLAN ID to create a VLAN or enter an existing VLAN ID to modify that VLAN Note The available VLAN ID range for this command is 1 to 4094 For information about adding VLAN IDs ...

Page 348: ...on that specific switch stack You cannot delete the default VLANs for the different media types Ethernet VLAN 1 and FDDI or Token Ring VLANs 1002 to 1005 Command Purpose Step 1 vlan database Enter VLAN database configuration mode Step 2 vlan vlan id name vlan name Add an Ethernet VLAN by assigning a number to it The range is 1 to 1001 You can create or modify a range of consecutive VLANs by enteri...

Page 349: ...that does not exist the new VLAN is created See the Creating or Modifying an Ethernet VLAN section on page 13 9 Beginning in privileged EXEC mode follow these steps to assign a port to a VLAN in the VLAN database Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 no vlan vlan id Remove the VLAN by entering the VLAN ID Step 3 end Return to privileged EXEC mode Step 4 s...

Page 350: ...mode accessed by entering the vlan database privileged EXEC command Extended range VLAN configurations are not stored in the VLAN database but because VTP mode is transparent they are stored in the switch running configuration file and you can save the configuration in the startup configuration file by using the copy running config startup config privileged EXEC command Note Although the switch su...

Page 351: ...end that you configure the IEEE 802 1s Multiple STP MSTP on your switch to map multiple VLANs to a single spanning tree instance For more information about MSTP see Chapter 19 Configuring MSTP Each routed port on the switch creates an internal VLAN for its use These internal VLANs use extended range VLAN numbers and the internal VLAN ID cannot be used for an extended range VLAN If you try to creat...

Page 352: ...VLAN with an Internal VLAN ID section on page 13 15 before creating the extended range VLAN Beginning in privileged EXEC mode follow these steps to create an extended range VLAN To delete an extended range VLAN use the no vlan vlan id global configuration command The procedure for assigning static access ports to an extended range VLAN is the same as for normal range VLANs See the Assigning Static...

Page 353: ...ed port that is using the VLAN ID Enter that port number in Step 3 Step 2 configure terminal Enter global configuration mode Step 3 interface interface id Specify the interface ID for the routed port that is using the VLAN ID and enter interface configuration mode Step 4 shutdown Shut down the port to free the internal VLAN ID Step 5 exit Return to global configuration mode Step 6 vtp mode transpa...

Page 354: ...ing an Ethernet Interface as a Trunk Port page 13 19 Configuring Trunk Ports for Load Sharing page 13 24 Trunking Overview A trunk is a point to point link between one or more Ethernet switch interfaces and another networking device such as a router or a switch Ethernet trunks carry the traffic of multiple VLANs over a single link and you can extend the VLANs across an entire network Two trunking ...

Page 355: ...ld cause misconfigurations To avoid this you should configure interfaces connected to devices that do not support DTP to not forward DTP frames that is to turn off DTP If you do not intend to trunk across those links use the switchport mode access interface configuration command to disable trunking To enable trunking to a device that does not support DTP use the switchport mode trunk and switchpor...

Page 356: ... a trunk link The interface becomes a trunk interface if the neighboring interface is set to trunk desirable or auto mode switchport mode trunk Puts the interface into permanent trunking mode and negotiates to convert the neighboring link into a trunk link The interface becomes a trunk interface even if the neighboring interface is not a trunk interface switchport nonegotiate Prevents the interfac...

Page 357: ...abling spanning tree on the native VLAN of an IEEE 802 1Q trunk without disabling spanning tree on every VLAN in the network can potentially cause spanning tree loops We recommend that you leave spanning tree enabled on the native VLAN of an IEEE 802 1Q trunk or disable spanning tree on every VLAN in the network Make sure your network is loop free before disabling spanning tree Default Layer 2 Eth...

Page 358: ...ropagates the setting you entered to all ports in the group allowed VLAN list STP port priority for each VLAN STP Port Fast setting trunk status if one port in a port group ceases to be a trunk all ports cease to be trunks We recommend that you configure no more than 24 trunk ports in PVST mode and no more than 40 trunk ports in MST mode If you try to enable IEEE 802 1x on a trunk port an error me...

Page 359: ...the default VLAN on all trunk ports in all Cisco switches and it has previously been a requirement that VLAN 1 always be enabled on every trunk link You can use the VLAN 1 minimization feature to disable VLAN 1 on any individual VLAN trunk link so that no user traffic including spanning tree advertisements is sent or received on VLAN 1 Step 4 switchport mode dynamic auto desirable trunk Configure ...

Page 360: ... the no switchport trunk allowed vlan interface configuration command This example shows how to remove VLAN 2 from the allowed VLAN list on a port Switch config interface gigabitethernet1 0 1 Switch config if switchport trunk allowed vlan remove 2 Switch config if end Changing the Pruning Eligible List The pruning eligible list applies only to trunk ports Each trunk port has its own eligibility li...

Page 361: ...Step 2 interface interface id Select the trunk port for which VLANs should be pruned and enter interface configuration mode Step 3 switchport trunk pruning vlan add except none remove vlan list vlan vlan Configure the list of VLANs allowed to be pruned from the trunk See the VTP Pruning section on page 14 4 For explanations about using the add except none and remove keywords see the command refere...

Page 362: ...ports on the same switch form a loop the switch uses the STP port priority to decide which port is enabled and which port is in a blocking state You can set the priorities on a parallel trunk port so that the port carries all the traffic for a given VLAN The trunk port with the higher priority lower values for a VLAN is forwarding traffic for that VLAN The trunk port with the lower priority higher...

Page 363: ...tch B Trunk 2 VLANs 3 6 priority 16 VLANs 8 10 priority 128 Trunk 1 VLANs 8 10 priority 16 VLANs 3 6 priority 128 Command Purpose Step 1 configure terminal Enter global configuration mode on Switch A Step 2 vtp domain domain name Configure a VTP administrative domain The domain name can be 1 to 32 characters Step 3 vtp mode server Configure Switch A as the VTP server Step 4 end Return to privilege...

Page 364: ...ond port in the switch stack Step 14 Repeat Steps 7 through 11 on Switch B to configure the trunk ports that connect to the trunk ports configured on Switch A Step 15 show vlan When the trunk links come up VTP passes the VTP and VLAN information to Switch B Verify that Switch B has learned the VLAN configuration Step 16 configure terminal Enter global configuration mode on Switch A Step 17 interfa...

Page 365: ...guration mode Step 6 Repeat Steps 2 through 5 on a second interface in the Switch A stack Step 7 end Return to privileged EXEC mode Step 8 show running config Verify your entries In the display make sure that the interfaces are configured as trunk ports Step 9 show vlan When the trunk links come up Switch A receives the VTP information from the other switches Verify that Switch A has learned the V...

Page 366: ... not the server is in open or secure mode In secure mode the server shuts down the port when an illegal host is detected In open mode the server simply denies the host access to the port If the port is currently unassigned that is it does not yet have a VLAN assignment the VMPS provides one of these responses If the host is allowed on the port the VMPS sends the client a vlan assignment response c...

Page 367: ...es down on a dynamic access port the port returns to an isolated state and does not belong to a VLAN Any hosts that come online through the port are checked again through the VQP with the VMPS before the port is assigned to a VLAN Dynamic access ports can be used for direct host connections or they can connect to a network A maximum of 20 MAC addresses are allowed per port on the switch A dynamic ...

Page 368: ...guring the VMPS Client You configure dynamic VLANs by using the VMPS server The switch can be a VMPS client it cannot be a VMPS server Entering the IP Address of the VMPS You must first enter the IP address of the server to configure the switch as a client Note If the VMPS is being defined for a cluster of switches enter the address on the command switch Beginning in privileged EXEC mode follow th...

Page 369: ...AN membership assignments that the switch has received from the VMPS Changing the Reconfirmation Interval VMPS clients periodically reconfirm the VLAN membership information received from the VMPS You can set the number of minutes after which reconfirmation occurs If you are configuring a member switch in a cluster this parameter must be equal to or greater than the reconfirmation setting on the c...

Page 370: ...e secondary VMPS VMPS domain server the IP address of the configured VLAN membership policy servers The switch sends queries to the one marked current The one marked primary is the primary server VMPS Action the result of the most recent reconfirmation attempt A reconfirmation attempt can occur automatically when the reconfirmation interval expires or you can force it by entering the vmps reconfir...

Page 371: ...s down the port to prevent the host from connecting to the network More than 20 active hosts reside on a dynamic access port To re enable a disabled dynamic access port enter the shutdown interface configuration command followed by the no shutdown interface configuration command VMPS Configuration Example Figure 13 5 shows a network with a VMPS server switch and VMPS client switches with dynamic a...

Page 372: ...eries Secondary VMPS Server 3 172 20 26 150 172 20 26 151 Catalyst 6500 series switch A 172 20 26 152 Switch C Ethernet segment Trunk link 172 20 26 153 172 20 26 154 172 20 26 155 172 20 26 156 172 20 26 157 172 20 26 158 172 20 26 159 Client switch I Client switch B End station 2 End station 1 TFTP server Dynamic access port Dynamic access port Switch J Switch D Switch E Switch F Switch G Switch...

Page 373: ...ns and security violations Before you create VLANs you must decide whether to use VTP in your network Using VTP you can make configuration changes centrally on one or more switches and have those changes automatically communicated to all the other switches in the network Without VTP you cannot send information about VLANs to other switches VTP is designed to work in an environment where updates ar...

Page 374: ...VTP server and VLAN information is not propagated over the network If the switch receives a VTP advertisement over a trunk link it inherits the management domain name and the VTP configuration revision number The switch then ignores advertisements with a different domain name or an earlier configuration revision number Caution Before adding a VTP client switch to a VTP domain always verify that it...

Page 375: ...d in NVRAM VTP server is the default mode VTP client A VTP client behaves like a VTP server and transmits and receives VTP updates on its trunks but you cannot create change or delete VLANs on a VTP client VLANs are configured on another switch in the domain that is in server mode In VTP client mode VLAN configurations are not saved in NVRAM VTP transparent VTP transparent switches do not particip...

Page 376: ...lient propagates configuration changes to its other trunks even for TLVs it is not able to parse The unrecognized TLV is saved in NVRAM when the switch is operating in VTP server mode Version Dependent Transparent Mode In VTP Version 1 a VTP transparent switch inspects VTP messages for the domain name and version and forwards a message only if the version and domain name match Because VTP Version ...

Page 377: ...e assigned to the Red VLAN If a broadcast is sent from the host connected to Switch A Switch A floods the broadcast and every switch in the network receives it even though Switches C E and F have no ports in the Red VLAN Figure 14 1 Flooding Traffic without VTP Pruning Figure 14 2 shows a switched network with VTP pruning enabled The broadcast traffic from Switch A is not forwarded to Switches C E...

Page 378: ... see the Changing the Pruning Eligible List section on page 13 22 VTP pruning operates when an interface is trunking You can set VLAN pruning eligibility whether or not VTP pruning is enabled for the VTP domain whether or not any given VLAN exists and whether or not the interface is currently trunking VTP and Switch Stacks VTP configuration is the same in all members of a switch stack When the swi...

Page 379: ... is transparent the VTP domain name and mode are also saved in the switch running configuration file and you can save it in the switch startup configuration file by entering the copy running config startup config privileged EXEC command You must use this command if you want to save VTP mode as transparent even if the switch resets When you save VTP information in the switch startup configuration f...

Page 380: ...de do not exchange VTP messages with other switches and you do not need to configure a VTP domain name for them Note If NVRAM and DRAM storage is sufficient all switches in a VTP domain should be in VTP server mode Caution Do not configure a VTP domain if all switches are operating in VTP client mode If you configure the domain it is impossible to make changes to the VLAN configuration of that dom...

Page 381: ...ion see the Configuring VLAN Trunks section on page 13 16 If you are configuring VTP on a cluster member switch to a VLAN use the rcommand privileged EXEC command to log in to the member switch For more information about the command see the command reference for this release If you are configuring extended range VLANs on the switch the switch must be in VTP transparent mode VTP does not support pr...

Page 382: ...et the password for the VTP domain The password can be 8 to 64 characters If you configure a VTP password the VTP domain does not function properly if you do not assign the same password to each switch in the domain Step 5 end Return to privileged EXEC mode Step 6 show vtp status Verify your entries in the VTP Operating Mode and the VTP Domain Name fields of the display Command Purpose Command Pur...

Page 383: ...on of that domain Therefore make sure you configure at least one switch as a VTP server Beginning in privileged EXEC mode follow these steps to configure the switch as a VTP client Use the no vtp mode global configuration command to return the switch to VTP server mode To return the switch to a no password state use the no vtp password privileged EXEC command When you configure a domain name it ca...

Page 384: ... the switch boots up in VTP transparent mode Otherwise you lose the extended range VLAN configuration if the switch resets and boots up in VTP server mode the default Beginning in privileged EXEC mode follow these steps to configure VTP transparent mode and save the VTP configuration in the switch startup configuration file To return the switch to VTP server mode use the no vtp mode global configu...

Page 385: ...sion 2 Note In TrCRF and TrBRF Token ring environments you must enable VTP Version 2 for Token Ring VLAN switching to function properly For Token Ring and Token Ring Net media VTP Version 2 must be disabled For more information on VTP version configuration guidelines see the VTP Version section on page 14 9 Beginning in privileged EXEC mode follow these steps to enable VTP Version 2 To disable VTP...

Page 386: ...ire VTP domain Only VLANs included in the pruning eligible list can be pruned By default VLANs 2 through 1001 are pruning eligible on trunk ports Reserved VLANs and extended range VLANs cannot be pruned To change the pruning eligible VLANs see the Changing the Pruning Eligible List section on page 13 22 Adding a VTP Client Switch to a VTP Domain Before adding a VTP client to a VTP domain always ve...

Page 387: ...and Purpose Step 1 show vtp status Check the VTP configuration revision number If the number is 0 add the switch to the VTP domain If the number is greater than 0 follow these steps a Write down the domain name b Write down the configuration revision number c Continue with the next steps to reset the switch configuration revision number Step 2 configure terminal Enter global configuration mode Ste...

Page 388: ...rrent VTP revision and the number of VLANs You can also display statistics about the advertisements sent and received by the switch Table 14 3 shows the privileged EXEC commands for monitoring VTP activity Table 14 3 VTP Monitoring Commands Command Purpose show vtp status Display the VTP switch configuration information show vtp counters Display counters about VTP messages that have been sent and ...

Page 389: ...ne the phone sends voice traffic with Layer 3 IP precedence and Layer 2 class of service CoS values which are both set to 5 by default Because the sound quality of an IP phone call can deteriorate if the data is unevenly sent the switch supports quality of service QoS based on IEEE 802 1p CoS QoS uses classification and scheduling to send network traffic from the switch in a predictable manner For...

Page 390: ...Layer 2 CoS priority value Note In all configurations the voice traffic carries a Layer 3 IP precedence value the default is 5 for voice traffic and 3 for voice control traffic Cisco IP Phone Data Traffic The switch can also process tagged data traffic traffic in IEEE 802 1Q or IEEE 802 1p frame types from the device attached to the access port on the Cisco IP Phone see Figure 15 1 You can configu...

Page 391: ... not on trunk ports even though the configuration is allowed The voice VLAN should be present and active on the switch for the IP phone to correctly communicate on the voice VLAN Use the show vlan privileged EXEC command to see if the VLAN is present listed in the display If the VLAN is not listed see Chapter 13 Configuring VLANs for information on how to create the voice VLAN Do not configure voi...

Page 392: ...e Configuring IEEE 802 1x Authentication section on page 10 26 for more information Note If you enable IEEE 802 1x on an access port on which a voice VLAN is configured and to which a Cisco IP Phone is connected the phone loses connectivity to the switch for up to 30 seconds Protected port See the Configuring Protected Ports section on page 25 5 for more information A source or destination port fo...

Page 393: ... vlan dot1p Switch config if end Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface connected to the phone and enter interface configuration mode Step 3 mls qos trust cos Configure the interface to classify incoming traffic packets by using the packet CoS value For untagged packets the port default CoS value is used Note Be...

Page 394: ...minal Enter configuration commands one per line End with CNTL Z Switch config interface gigabitethernet1 0 1 Switch config if switchport priority extend trust Switch config if end To return the port to its default setting use the no switchport priority extend interface configuration command Displaying Voice VLAN To display voice VLAN configuration for an interface use the show interfaces interface...

Page 395: ...es two problems that service providers face when using VLANs Scalability The switch supports up to 1005 active VLANs If a service provider assigns one VLAN per customer this limits the numbers of customers the service provider can support To enable IP routing each VLAN is assigned a subnet address space or a block of addresses which can result in wasting the unused IP addresses and cause IP addres...

Page 396: ... the primary VLAN Isolated An isolated port is a host port that belongs to an isolated secondary VLAN It has complete Layer 2 separation from other ports within the same private VLAN except for the promiscuous ports Private VLANs block all traffic to isolated ports except traffic from promiscuous ports Traffic received from an isolated port is forwarded only to promiscuous ports Community A commun...

Page 397: ...the private VLAN You can use private VLANs to control access to end stations in these ways Configure selected interfaces connected to end stations as isolated ports to prevent any communication at Layer 2 For example if the end stations are servers this configuration prevents Layer 2 communication between the servers Configure interfaces connected to default gateways and selected end stations for ...

Page 398: ...e network the Layer 2 databases in these switches are not merged This can result in unnecessary flooding of private VLAN traffic on those switches Note When configuring private VLANs on the switch always use the default Switch Database Management SDM template to balance system resources between unicast routes and Layer 2 entries If another SDM template is configured use the sdm prefer default glob...

Page 399: ...ous ports trunk ports isolated ports and community ports Multicast traffic is routed or bridged across private VLAN boundaries and within a single community VLAN Multicast traffic is not forwarded between ports in the same isolated VLAN or between ports in different secondary VLANs Private VLANs and SVIs In a Layer 3 switch a switch virtual interface SVI represents the Layer 3 interface of a VLAN ...

Page 400: ...figuring Private VLANs These sections contain this configuration information Tasks for Configuring Private VLANs page 16 6 Default Private VLAN Configuration page 16 7 Private VLAN Configuration Guidelines page 16 7 Configuring and Associating VLANs in a Private VLAN page 16 10 Configuring a Layer 2 Interface as a Private VLAN Host Port page 16 12 Configuring a Layer 2 Interface as a Private VLAN ...

Page 401: ...7 After you have configured private VLANs use the copy running config startup config privileged EXEC command to save the VTP transparent mode configuration and private VLAN configuration in the switch startup configuration file Otherwise if the switch resets it defaults to VTP server mode which does not support private VLANs VTP does not propagate private VLAN configuration You must configure priv...

Page 402: ...secondary VLANs When a frame is Layer 2 forwarded within a private VLAN the same VLAN map is applied at the ingress side and at the egress side When a frame is routed from inside a private VLAN to an external port the private VLAN map is applied at the ingress side For frames going upstream from a host port to a promiscuous port the VLAN map configured on the secondary VLAN is applied For frames g...

Page 403: ...ith private VLANs When IGMP snooping is enabled on the switch the default the switch stack supports no more than 20 private VLAN domains Do not configure a remote SPAN RSPAN VLAN as a private VLAN primary or secondary VLAN For more information about SPAN see Chapter 28 Configuring SPAN and RSPAN Do not configure private VLAN ports on interfaces configured for these other features dynamic access po...

Page 404: ... vlan id Enter VLAN configuration mode and designate or create a VLAN that will be the primary VLAN The VLAN ID range is 2 to 1001 and 1006 to 4094 Step 4 private vlan primary Designate the VLAN as the primary VLAN Step 5 exit Return to global configuration mode Step 6 vlan vlan id Optional Enter VLAN configuration mode and designate or create a VLAN that will be an isolated VLAN The VLAN ID range...

Page 405: ... to associate them in a private VLAN and to verify the configuration Switch configure terminal Switch config vlan 20 Switch config vlan private vlan primary Switch config vlan exit Switch config vlan 501 Switch config vlan private vlan isolated Switch config vlan exit Switch config vlan 502 Switch config vlan private vlan community Switch config vlan exit Switch config vlan 503 Switch config vlan ...

Page 406: ...ation of Trunking Off Access Mode VLAN 1 default Trunking Native Mode VLAN 1 default Administrative Native VLAN tagging enabled Voice VLAN none Administrative private vlan host association 20 VLAN0020 25 VLAN0025 Administrative private vlan mapping none Administrative private vlan trunk native VLAN none Administrative private vlan trunk Native VLAN tagging enabled Administrative private vlan trunk...

Page 407: ...terface as a private VLAN promiscuous port and map it to a private VLAN The interface is a member of primary VLAN 20 and secondary VLANs 501 to 503 are mapped to it Switch configure terminal Switch config interface fastethernet1 0 2 Switch config if switchport mode private vlan promiscuous Switch config if switchport private vlan mapping 20 add 501 503 Switch config if end Use the show vlan privat...

Page 408: ...t to map the secondary VLANs to the primary VLAN Use the remove keyword with a secondary_vlan_list to clear the mapping between secondary VLANs and the primary VLAN This example shows how to map the interfaces of VLANs 501and 502 to primary VLAN 10 which permits routing of secondary VLAN ingress traffic from private VLANs 501 to 502 Switch configure terminal Switch config interface vlan 10 Switch ...

Page 409: ...mary Secondary Type Ports 10 501 isolated Fa2 0 1 Gi3 0 1 Gi3 0 2 10 502 community Fa2 0 11 Gi3 0 1 Gi3 0 4 10 503 non operational Table 16 1 Private VLAN Monitoring Commands Command Purpose show interfaces status Displays the status of interfaces including the VLANs to which they belongs show vlan private vlan type Display the private VLAN information for the switch stack show interface switchpor...

Page 410: ...16 16 Catalyst 3750 Switch Software Configuration Guide OL 8550 02 Chapter 16 Configuring Private VLANs Monitoring Private VLANs ...

Page 411: ... 7 Configuring Layer 2 Protocol Tunneling page 17 10 Monitoring and Maintaining Tunneling Status page 17 18 Understanding IEEE 802 1Q Tunneling Business customers of service providers often have specific requirements for VLAN IDs and the number of VLANs to be supported The VLAN ranges required by different customers in the same service provider network might overlap and traffic of customers throug...

Page 412: ...t inside the switch and when they exit the trunk port into the service provider network they are encapsulated with another layer of an IEEE 802 1Q tag called the metro tag that contains the VLAN ID that is unique to the customer The original customer IEEE 802 1Q tag is preserved in the encapsulated packet Therefore packets entering the service provider network are double tagged with the outer metr...

Page 413: ...pace used by other customers and the VLAN numbering space used by the service provider network At the outbound tunnel port the original VLAN numbers on the customer s network are recovered It is possible to have multiple levels of tunneling and tagging but the switch supports only one level in this release If traffic coming from a customer network is not tagged native VLAN frames these packets are...

Page 414: ...TUs are explained in these next sections Native VLANs When configuring IEEE 802 1Q tunneling on an edge switch you must use IEEE 802 1Q trunk ports for sending packets into the service provider network However packets going through the core of the service provider network can be carried through IEEE 802 1Q trunks ISL trunks or nontrunking links When IEEE 802 1Q trunks are used in these core switch...

Page 415: ... The default system MTU for traffic on the switch is 1500 bytes You can configure Fast Ethernet ports to support frames larger than 1500 bytes by using the system mtu global configuration command You can configure Gigabit Ethernet ports to support frames larger than 1500 bytes by using the system mtu jumbo global configuration command Because the IEEE 802 1Q tunneling feature increases the frame s...

Page 416: ...l port groups are compatible with tunnel ports as long as the IEEE 802 1Q configuration is consistent within an EtherChannel port group Port Aggregation Protocol PAgP Link Aggregation Control Protocol LACP and UniDirectional Link Detection UDLD are supported on IEEE 802 1Q tunnel ports Dynamic Trunking Protocol DTP is not compatible with IEEE 802 1Q tunneling because you must manually configure as...

Page 417: ...otocol Tunneling Customers at different sites connected across a service provider network need to use various Layer 2 protocols to scale their topologies to include all remote sites as well as the local sites STP must run properly and every VLAN should build a proper spanning tree that includes the local site and all remote sites across the service provider network Cisco Discovery Protocol CDP mus...

Page 418: ...protocol tunneling You implement bypass mode by enabling Layer 2 protocol tunneling on the egress trunk port When Layer 2 protocol tunneling is enabled on the trunk port the encapsulated tunnel MAC address is removed and the protocol packets have their normal MAC address Layer 2 protocol tunneling can be used independently or can enhance IEEE 802 1Q tunneling If protocol tunneling is not enabled o...

Page 419: ...nnels by emulating a point to point network topology When you enable protocol tunneling PAgP or LACP on the SP switch remote customer switches receive the PDUs and can negotiate the automatic creation of EtherChannels Customer X Site 2 VLANs 1 to 100 Customer Y Site 2 VLANs 1 to 200 Customer Y Site 1 VLANs 1 to 200 Customer X Site 1 VLANs 1 to 100 VLAN 30 Trunk ports Switch A Trunk ports VLAN 30 V...

Page 420: ... default mode or switchport mode dynamic desirable The switch supports Layer 2 protocol tunneling for CDP STP and VTP For emulated point to point network topologies it also supports PAgP LACP and UDLD protocols Caution PAgP LACP and UDLD protocol tunneling is only intended to emulate a point to point topology An erroneous configuration that sends tunneled packets to many ports could lead to a netw...

Page 421: ...he customer specific access VLAN tag Layer 2 protocol tunneling configuration is distributed among all stack members Each stack member that receives an ingress packet on a local port encapsulates or decapsulates the packet and forwards it to the appropriate destination port On a single switch ingress Layer 2 protocol tunneled traffic is sent across all local ports in the same VLAN on which Layer 2...

Page 422: ... ports If you enable PAgP or LACP tunneling we recommend that you also enable UDLD on the interface for faster link failure detection Loopback detection is not supported on Layer 2 protocol tunneling of PAgP LACP or UDLD packets EtherChannel port groups are compatible with tunnel ports when the IEEE 802 1Q configuration is consistent within an EtherChannel port group If an encapsulated PDU with th...

Page 423: ...nge is 1 to 4096 The default is to have no threshold configured Note If you also set a drop threshold on this interface the shutdown threshold value must be greater than or equal to the drop threshold value Step 6 l2protocol tunnel drop threshold cdp stp vtp value Optional Configure the threshold for packets per second accepted for encapsulation The interface drops packets if the configured thresh...

Page 424: ...exit Switch config l2protocol tunnel cos 7 Switch config end Switch show l2protocol COS for Encapsulated Packets 7 Port Protocol Shutdown Drop Encapsulation Decapsulation Drop Threshold Threshold Counter Counter Counter Fa1 0 11 cdp 1500 1000 2288 2282 0 stp 1500 1000 116 13 0 vtp 1500 1000 3 67 0 pagp 0 0 0 lacp 0 0 0 udld 0 0 0 Configuring Layer 2 Tunneling for EtherChannels To configure Layer 2...

Page 425: ...rface the shutdown threshold value must be greater than or equal to the drop threshold value Step 6 l2protocol tunnel drop threshold point to point pagp lacp udld value Optional Configure the threshold for packets per second accepted for encapsulation The interface drops packets if the configured threshold is exceeded If no protocol option is specified the threshold applies to each of the tunneled...

Page 426: ...h config if l2protocol tunnel drop threshold point to point pagp 1000 Switch config if exit Switch config interface fastethernet1 0 2 Switch config if switchport access vlan 18 Switch config if switchport mode dot1q tunnel Switch config if l2protocol tunnel point to point pagp Switch config if l2protocol tunnel point to point udld Command Purpose Step 1 configure terminal Enter global configuratio...

Page 427: ...encapsulation isl Switch config if switchport mode trunk This example shows how to configure the customer switch at Site 1 Fast Ethernet interfaces 1 2 3 and 4 are set for IEEE 802 1Q trunking UDLD is enabled EtherChannel group 1 is enabled and the port channel is shut down and then enabled to activate the EtherChannel configuration Switch config interface fastethernet1 0 1 Switch config if switch...

Page 428: ...rotocol tunnel counters Clear the protocol counters on Layer 2 protocol tunneling ports show dot1q tunnel Display IEEE 802 1Q tunnel ports on the switch show dot1q tunnel interface interface id Verify if a specific interface is a tunnel port show l2protocol tunnel Display information about Layer 2 protocol tunneling ports show errdisable recovery Verify if the recovery timer from a Layer 2 protoco...

Page 429: ...ter 19 Configuring MSTP For information about other spanning tree features such as Port Fast UplinkFast root guard and so forth see Chapter 20 Configuring Optional Spanning Tree Features Note For complete syntax and usage information for the commands used in this chapter see the command reference for this release This chapter consists of these sections Understanding Spanning Tree Features page 18 ...

Page 430: ...ng port elected for every switched LAN segment Alternate A blocked port providing an alternate path to the root bridge in the spanning tree Backup A blocked port in a loopback configuration The switch that has all of its ports as the designated role or as the backup role is the root switch The switch that has at least one of its ports in the designated role is called the designated switch Spanning...

Page 431: ...LANs for which it is the designated switch If a switch receives a configuration BPDU that contains inferior information to that currently stored for that port it discards the BPDU If the switch is a designated switch for the LAN from which the inferior BPDU was received it sends that LAN a BPDU containing the up to date information stored for that port In this way inferior information is discarded...

Page 432: ...e Port States in a Switch Stack All paths that are not needed to reach the root switch from anywhere in the switched network are placed in the spanning tree blocking mode Bridge ID Switch Priority and Extended System ID The IEEE 802 1D standard requires that each switch has an unique bridge identifier bridge ID which controls the selection of the root switch Because each VLAN is considered as a di...

Page 433: ... 16 the Configuring a Secondary Root Switch section on page 18 18 and the Configuring the Switch Priority of a VLAN section on page 18 21 Spanning Tree Interface States Propagation delays can occur when protocol information passes through a switched LAN As a result topology changes can take place at different times and at different places in a switched network When an interface transitions directl...

Page 434: ...the spanning tree algorithm places a Layer 2 interface in the forwarding state this process occurs 1 The interface is in the listening state while spanning tree waits for protocol information to move the interface to the blocking state 2 While spanning tree waits the forward delay timer to expire it moves the interface to the learning state and resets the forward delay timer 3 In the learning stat...

Page 435: ... state is the first state a Layer 2 interface enters after the blocking state The interface enters this state when the spanning tree decides that the interface should participate in frame forwarding An interface in the listening state performs these functions Discards frames received on the interface Discards frames switched from another interface for forwarding Does not learn addresses Receives B...

Page 436: ...g interfaces or link types Switch A might not be the ideal root switch By increasing the priority lowering the numerical value of the ideal switch so that it becomes the root switch you force a spanning tree recalculation to form a new topology with the ideal switch as the root Figure 18 3 Spanning Tree Topology When the spanning tree topology is calculated based on default parameters the path bet...

Page 437: ...used by different bridge protocols These addresses are static addresses that cannot be removed Regardless of the spanning tree state each switch in the stack receives but does not forward packets destined for addresses between 0x0180C2000000 and 0x0180C200000F If spanning tree is enabled the CPU on each switch in the stack receives packets destined for 0x0180C2000000 and 0x0180C2000010 If spanning...

Page 438: ...tries on a per port basis upon receiving a topology change By contrast PVST uses a short aging time for dynamically learned MAC address entries The rapid PVST uses the same configuration as PVST except where noted and the switch needs only minimal extra configuration The benefit of rapid PVST is that you can migrate a large PVST install base to rapid PVST without having to learn the complexities o...

Page 439: ...tance for each VLAN allowed on the trunks When you connect a Cisco switch to a non Cisco device through an IEEE 802 1Q trunk the Cisco switch uses PVST to provide spanning tree interoperability If rapid PVST is enabled the switch uses it instead of PVST The switch combines the spanning tree instance of the IEEE 802 1Q VLAN of the trunk with the spanning tree instance of the non Cisco IEEE 802 1Q s...

Page 440: ...s within the stack and possibly outside the stack The remaining stack member with the lowest stack port ID becomes the stack root If the stack master fails or leaves the stack the stack members elect a new stack master and all stack members change their bridge IDs of the spanning trees to the new master bridge ID If the switch stack is the spanning tree root and the stack master fails or leaves th...

Page 441: ...e already in use you can disable spanning tree on one of the VLANs and then enable it on the VLAN where you want it to run Use the no spanning tree vlan vlan id global configuration command to disable spanning tree on a specific VLAN and use the spanning tree vlan vlan id global configuration command to enable spanning tree on the desired VLAN Table 18 3 Default Spanning Tree Configuration Feature...

Page 442: ...will not be broken particularly if there are several adjacent switches that have all run out of spanning tree instances You can prevent this possibility by setting up allowed lists on the trunk ports of switches that have used up their allocation of spanning tree instances Setting up allowed lists is not necessary in many cases and can make it more labor intensive to add another VLAN to the networ...

Page 443: ...d pvst to enable rapid PVST Step 3 interface interface id Recommended for rapid PVST mode only Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports VLANs and port channels The VLAN ID range is 1 to 4094 The port channel range is 1 to 48 Step 4 spanning tree link type point to point Recommended for rapid PVST mode only Specify that the lin...

Page 444: ...ity from the default value 32768 to a significantly lower value When you enter this command the software checks the switch priority of the root switches for each VLAN Because of the extended system ID support the switch sets its own priority for the specified VLAN to 24576 if this value will cause this switch to become the root for the specified VLAN If any root switch for the specified VLAN has a...

Page 445: ... the spanning tree vlan vlan id max age global configuration commands Beginning in privileged EXEC mode follow these steps to configure a switch to become the root for the specified VLAN This procedure is optional To return to the default setting use the no spanning tree vlan vlan id root global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ...

Page 446: ... state You can assign higher priority values lower numerical values to interfaces that you want selected first and lower priority values higher numerical values that you want selected last If all interfaces have the same priority value spanning tree puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces Command Purpose Step 1 configure terminal ...

Page 447: ...Step 2 interface interface id Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports and port channel logical interfaces port channel port channel number Step 3 spanning tree port priority priority Configure the port priority for an interface For priority the range is 0 to 240 in increments of 16 the default is 128 Valid values are 0 16 32 ...

Page 448: ...de Step 2 interface interface id Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports and port channel logical interfaces port channel port channel number Step 3 spanning tree cost cost Configure the cost for an interface If a loop occurs spanning tree uses the path cost when selecting an interface to place into the forwarding state A low...

Page 449: ...e spanning tree vlan vlan id root secondary global configuration commands to modify the switch priority Beginning in privileged EXEC mode follow these steps to configure the switch priority of a VLAN This procedure is optional To return to the default setting use the no spanning tree vlan vlan id priority global configuration command Command Purpose Step 1 configure terminal Enter global configura...

Page 450: ...able Description Hello timer Controls how often the switch broadcasts hello messages to other switches Forward delay timer Controls how long each of the listening and learning states last before the interface begins forwarding Maximum age timer Controls the amount of time the switch stores protocol information received on an interface Transmit hold count Controls the number of BPDUs that can be se...

Page 451: ...tates to the forwarding state For vlan id you can specify a single VLAN identified by VLAN ID number a range of VLANs separated by a hyphen or a series of VLANs separated by a comma The range is 1 to 4094 For seconds the range is 4 to 30 the default is 15 Step 3 end Return to privileged EXEC mode Step 4 show spanning tree vlan vlan id Verify your entries Step 5 copy running config startup config O...

Page 452: ...he clear spanning tree interface interface id privileged EXEC command For information about other keywords for the show spanning tree privileged EXEC command see the command reference for this release Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree transmit hold count value Configure the number of BPDUs that can be sent before pausing for 1 second For...

Page 453: ... the switch is in the MST mode the Rapid Spanning Tree Protocol RSTP which is based on IEEE 802 1w is automatically enabled The RSTP provides rapid convergence of the spanning tree through explicit handshaking that eliminates the IEEE 802 1D forwarding delay and quickly transitions root ports and designated ports to the forwarding state Both MSTP and RSTP improve the spanning tree operation and ma...

Page 454: ...ns For switches to participate in multiple spanning tree MST instances you must consistently configure the switches with the same MST configuration information A collection of interconnected switches that have the same MST configuration comprises an MST region as shown in Figure 19 1 on page 19 4 The MST configuration controls to which MST region each switch belongs The configuration includes the ...

Page 455: ...rithm running among switches that support the IEEE 802 1w IEEE 802 1s and IEEE 802 1D standards The CIST inside an MST region is the same as the CST outside a region For more information see the Operations Within an MST Region section on page 19 3 and the Operations Between MST Regions section on page 19 4 Note The implementation of the IEEE 802 1s standard changes some of the terminology associat...

Page 456: ...CIST that encompasses the entire switched domain The root of the subtree is the CIST regional root The MST region appears as a virtual switch to adjacent STP switches and MST regions Figure 19 1 shows a network with three MST regions and a legacy IEEE 802 1D switch D The CIST regional root for region 1 A is also the CIST root The CIST regional root for region 2 B and the CIST regional root for reg...

Page 457: ...itches and switches that do not belong to any region The CIST regional root was called the IST master in the prestandard implementation If the CIST root is in the region the CIST regional root is the CIST root Otherwise the CIST regional root is the closest switch to the CIST root in the region The CIST regional root acts as a root switch for the IST The CIST internal root path cost is the cost to...

Page 458: ...ternal the CIST part is received by the CIST and each MST instance receives its respective M record The Cisco prestandard implementation treats a port that receives an external message as a boundary port This means a port cannot receive a mix of internal and external messages An MST region includes both switches and LANs A segment belongs to the region of its designated port Therefore a port in a ...

Page 459: ... switches can fail you can use an interface configuration command to identify prestandard ports A region cannot be formed between a standard and a prestandard switch but they can interoperate by using the CIST Only the capability of load balancing over different instances is lost in that particular case The CLI displays different flags depending on the port configuration when a port receives prest...

Page 460: ... ID for a given spanning tree The switch ID is derived from the MAC address of the stack master If a switch that does not support MSTP is added to a switch stack that does support MSTP or the reverse the switch is put into a version mismatch state If possible the switch is automatically upgraded or downgraded to the same version of software that is running on the switch stack When a new switch joi...

Page 461: ...undary port connects to a LAN the designated switch of which is either a single spanning tree switch or a switch with a different MST configuration Understanding RSTP The RSTP takes advantage of point to point wiring and provides rapid convergence of the spanning tree Reconfiguration of the spanning tree can occur in less than 1 second in contrast to 50 seconds with the default settings in the IEE...

Page 462: ...ows Edge ports If you configure a port as an edge port on an RSTP switch by using the spanning tree portfast interface configuration command the edge port immediately transitions to the forwarding state An edge port is the same as a Port Fast enabled port and you should enable it only on ports that connect to a single end station Root ports If the RSTP selects a new root port it blocks the old roo...

Page 463: ...ng the port to the forwarding state CSRT is automatically enabled when the switch is in MST mode The switch learns the link type from the port duplex mode a full duplex port is considered to have a point to point connection a half duplex port is considered to have a shared connection You can override the default setting that is controlled by the duplex setting by using the spanning tree link type ...

Page 464: ... point to point link are in agreement about their port roles the RSTP immediately transitions the port states to forwarding The sequence of events is shown in Figure 19 5 Figure 19 5 Sequence of Events During Rapid Convergence Bridge Protocol Data Unit Format and Processing The RSTP BPDU format is the same as the IEEE 802 1D BPDU format except that the protocol version is set to 2 A new 1 byte Ver...

Page 465: ... proposal flag and starts the forward delay timer for the port The new root port requires twice the forward delay time to transition to the forwarding state If the superior information received on the port causes the port to become a backup or alternate port RSTP sets the port to the blocking state but does not send the agreement message The designated port continues sending BPDUs with the proposa...

Page 466: ...en a port is initialized the migrate delay timer is started specifies the minimum time during which RSTP BPDUs are sent and RSTP BPDUs are sent While this timer is active the switch processes all BPDUs received on that port and ignores the protocol type If the switch receives an IEEE 802 1D BPDU after the port migration delay timer has expired it assumes that it is connected to an IEEE 802 1D swit...

Page 467: ...LANs run MSTP For more information see the Spanning Tree Interoperability and Backward Compatibility section on page 18 11 For information on the recommended trunk port configuration see the Interaction with Other Features section on page 13 20 All stack members run the same version of spanning tree all PVST rapid PVST or MSTP For more information see the Spanning Tree Interoperability and Backwar...

Page 468: ...have the same VLAN to instance mapping the same configuration revision number and the same name A region can have one member or multiple members with the same MST configuration each member must be capable of processing RSTP BPDUs There is no limit to the number of MST regions in a network but each region can only support up to 65 spanning tree instances You can assign a VLAN to only one spanning t...

Page 469: ... Configuring the Root Switch The switch maintains a spanning tree instance for the group of VLANs mapped to it A switch ID consisting of the switch priority and the switch MAC address is associated with each instance For a group of VLANs the switch with the lowest switch ID becomes the root switch To configure a switch to become the root use the spanning tree mst instance id root global configurat...

Page 470: ...y time and maximum age time for a network of that diameter which can significantly reduce the convergence time You can use the hello keyword to override the automatically calculated hello time Note After configuring the switch as the root switch we recommend that you avoid manually configuring the hello time forward delay time and maximum age time through the spanning tree mst hello time spanning ...

Page 471: ...n selecting an interface to put into the forwarding state You can assign higher priority values lower numerical values to interfaces that you want selected first and lower priority values higher numerical values that you want selected last If all interfaces have the same priority value the MSTP puts the interface with the lowest interface number in the forwarding state and blocks the other interfa...

Page 472: ...irm the configuration To return the interface to its default setting use the no spanning tree mst instance id port priority interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports and port channel logical in...

Page 473: ...configuration To return the interface to its default setting use the no spanning tree mst instance id cost interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports and port channel logical interfaces The port...

Page 474: ...and Configuring the Hello Time You can configure the interval between the generation of configuration messages by the root switch by changing the hello time Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree mst instance id priority priority Configure the switch priority For instance id you can specify a single instance a range of instances separated by ...

Page 475: ...figure the hello time for all MST instances The hello time is the interval between the generation of configuration messages by the root switch These messages mean that the switch is alive For seconds the range is 1 to 10 the default is 2 Step 3 end Return to privileged EXEC mode Step 4 show spanning tree mst Verify your entries Step 5 copy running config startup config Optional Save your entries i...

Page 476: ...ement handshake to ensure a loop free topology as described in the Rapid Convergence section on page 19 10 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree mst max age seconds Configure the maximum aging time for all MST instances The maximum aging time is the number of seconds a switch waits without receiving spanning tree configuration messages befor...

Page 477: ...en if the port is in STP compatibility mode Beginning in privileged EXEC mode follow these steps to override the default link type setting This procedure is optional To return the port to its default setting use the no spanning tree mst prestandard interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify an inte...

Page 478: ...o assign a boundary role to a port when the switch to which it is connected has joined the region To restart the protocol migration process force the renegotiation with neighboring switches on the switch use the clear spanning tree detected protocols privileged EXEC command To restart the protocol migration process on a specific interface use the clear spanning tree detected protocols interface in...

Page 479: ...out the Multiple Spanning Tree Protocol MSTP and how to map multiple VLANs to the same spanning tree instance see Chapter 19 Configuring MSTP Note For complete syntax and usage information for the commands used in this chapter see the command reference for this release This chapter consists of these sections Understanding Optional Spanning Tree Features page 20 1 Configuring Optional Spanning Tree...

Page 480: ...d on interfaces connected to end stations If you enable Port Fast on an interface connecting to another switch you risk creating a spanning tree loop You can enable this feature by using the spanning tree portfast interface configuration or the spanning tree portfast default global configuration command Figure 20 1 Port Fast Enabled Interfaces Understanding BPDU Guard The BPDU guard feature can be...

Page 481: ... global configuration command This command prevents interfaces that are in a Port Fast operational state from sending or receiving BPDUs The interfaces still send a few BPDUs at link up before the switch begins to filter outbound BPDUs You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs If a BPDU is received on a Port Fast enabled ...

Page 482: ...is 150 packets per second However if you enter zero station learning frames are not generated so the spanning tree topology converges more slowly after a loss of connectivity Note UplinkFast is most useful in wiring closet switches at the access or edge of the network It is not appropriate for backbone devices This feature might not be useful for other types of applications UplinkFast provides fas...

Page 483: ...CSUF provides a fast spanning tree transition fast convergence in less than 1 second under normal network conditions across a switch stack During the fast transition an alternate redundant link on the switch stack is placed in the forwarding state without causing temporary spanning tree loops or loss of connectivity to the backbone With this feature you can have a redundant and resilient network i...

Page 484: ...ack root port on Switch 2 or Switch 3 and puts it into the forwarding state in less than 1 second Figure 20 5 Cross Stack UplinkFast Topology When certain link loss or spanning tree events occur described in Events that Cause Fast Convergence section on page 20 7 the Fast Uplink Transition Protocol uses the neighbor list to send fast transition requests to stack members The switch sending the fast...

Page 485: ...r these circumstances The stack root port link fails If two switches in the stack have alternate paths to the root only one of the switches performs the fast transition The failed link which connects the stack root to the spanning tree root recovers A network reconfiguration causes a new stack root switch to be selected A network reconfiguration causes a new port on the current stack root switch t...

Page 486: ...itch has alternate paths to the root switch it uses these alternate paths to send a root link query RLQ request The switch sends the RLQ request on all alternate paths to learn if any stack member has an alternate root to the root switch and waits for an RLQ reply from other switches in the network and in the stack When a stack member receives an RLQ reply from a nonstack member on a blocked inter...

Page 487: ...ate providing a path from Switch B to Switch A The root switch election takes approximately 30 seconds twice the Forward Delay time if the default Forward Delay time of 15 seconds is set Figure 20 7 shows how BackboneFast reconfigures the topology to account for the failure of link L1 Figure 20 7 BackboneFast Example After Indirect Link Failure If a new switch is introduced into a shared medium to...

Page 488: ... in Figure 20 9 You can avoid this situation by enabling root guard on SP switch interfaces that connect to switches in your customer s network If spanning tree calculations cause an interface in the customer network to be selected as the root port root guard then places the interface in the root inconsistent blocked state to prevent the customer s switch from becoming the root switch or being in ...

Page 489: ...nated ports and spanning tree does not send BPDUs on root or alternate ports When the switch is operating in MST mode BPDUs are not sent on nonboundary ports only if the interface is blocked by loop guard in all MST instances On a boundary port loop guard blocks the interface in all MST instances Configuring Optional Spanning Tree Features These sections contain this configuration information Defa...

Page 490: ...irectly to the spanning tree forwarding state without waiting for the standard forward time delay Caution Use Port Fast only when connecting a single end station to an access or trunk port Enabling this feature on an interface connected to a switch or hub could prevent spanning tree from detecting and disabling loops in your network which could cause broadcast storms and address learning problems ...

Page 491: ...nually put the interface back in service Use the BPDU guard feature in a service provider network to prevent an access port from participating in the spanning tree Caution Configure Port Fast only on interfaces that connect to end stations otherwise an accidental topology loop could cause a data packet loop and disrupt switch and network operation Command Purpose Step 1 configure terminal Enter gl...

Page 492: ...BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs If a BPDU is received on a Port Fast enabled interface the interface loses its Port Fast operational status and BPDU filtering is disabled Caution Configure Port Fast only on interfaces that connect to end stations otherwise an accidental topology loop could cause a data packet loop and disrupt switch and n...

Page 493: ...nkFast or the CSUF feature for rapid PVST or for the MSTP but the feature remains disabled inactive until you change the spanning tree mode to PVST Beginning in privileged EXEC mode follow these steps to enable UplinkFast and CSUF This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree portfast bpdufilter default Globally enable BPD...

Page 494: ...ast global configuration command CSUF is automatically globally enabled or disabled on nonstack port interfaces For more information see the Enabling UplinkFast for Use with Redundant Links section on page 20 15 To disable UplinkFast on the switch and all its VLANs use the no spanning tree uplinkfast global configuration command Enabling BackboneFast You can enable BackboneFast to detect indirect ...

Page 495: ...e configuration commands on the port channel interfaces that were misconfigured Enabling Root Guard Root guard enabled on an interface applies to all the VLANs to which the interface belongs Do not enable the root guard on interfaces to be used by the UplinkFast feature With UplinkFast the backup interfaces in the blocked state replace the root port in the case of a failure However if root guard i...

Page 496: ... guard use the no spanning tree loopguard default global configuration command You can override the setting of the no spanning tree loopguard default global configuration command by using the spanning tree guard loop interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify an interface to configure and enter int...

Page 497: ...panning tree privileged EXEC command see the command reference for this release Table 20 2 Commands for Displaying the Spanning Tree Status Command Purpose show spanning tree active Displays spanning tree information on active interfaces only show spanning tree detail Displays a detailed summary of interface information show spanning tree interface interface id Displays spanning tree information f...

Page 498: ...20 20 Catalyst 3750 Switch Software Configuration Guide OL 8550 02 Chapter 20 Configuring Optional Spanning Tree Features Displaying the Spanning Tree Status ...

Page 499: ...g Flex Links and the MAC Address Table Move Update page 21 1 Configuring Flex Links and MAC Address Table Move Update page 21 4 Monitoring Flex Links and the MAC Address Table Move Update page 21 9 Understanding Flex Links and the MAC Address Table Move Update This section contains this information Flex Links page 21 1 MAC Address Table Move Update page 21 2 Flex Links Flex Links are a pair of a L...

Page 500: ... configure the Flex Links pair with preemption mode In the scenario shown when port 1 comes back up and has more bandwidth than port 2 port 1 begins forwarding traffic after 60 seconds Port 2 becomes the standby port You do this by entering the interface configuration switchport backup interface preemption mode bandwidth and switchport backup interface preemption delay commands Figure 21 1 Flex Li...

Page 501: ...PC on port 4 which reduces the reconvergence time You can configure the access switch switch A to send MAC address table move update messages You can also configure the uplink switches B C and D to get and process the MAC address table move update messages When switch C gets a MAC address table move update message from switch A switch C learns the MAC address of the PC on port 4 Switch C updates t...

Page 502: ... physical interface as Flex Links with either the port channel or the physical interface as the active link A backup link does not have to be the same type Fast Ethernet Gigabit Ethernet or port channel as the active link However you should configure both Flex Links with similar characteristics so that there are no loops or changes in behavior if the standby link begins to forward traffic STP is d...

Page 503: ...dby Beginning inprivileged EXEC mode follow these steps to configure a preemption scheme for a pair of Flex Links Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface and enter interface configuration mode The interface can be a physical Layer 2 interface or a port channel logical interface The port channel range is 1 to 48 S...

Page 504: ...information Configuring a switch to send MAC address table move updates Configuring a switch to get MAC address table move updates Step 3 switchport backup interface interface id Configure a physical Layer 2 interface or port channel as part of a Flex Links pair with the interface When one link is forwarding traffic the other interface is in standby mode Step 4 switchport backup interface interfac...

Page 505: ...ace id Specify the interface and enter interface configuration mode The interface can be a physical Layer 2 interface or a port channel logical interface The port channel range is 1 to 48 Step 3 switchport backup interface interface id or switchport backup interface interface id mmu primary vlan vlan id Configure a physical Layer 2 interface or port channel as part of a Flex Link pair with the int...

Page 506: ...il cnt 0 Xmt last interface None Beginning in privileged EXEC mode follow these steps to configure a switch to get and process MAC address table move update messages To disable the MAC address table move update feature use the no mac address table move update receive configuration command To display the MAC address table move update information use the show mac address table move update privileged...

Page 507: ...nds for monitoring the Flex Links configuration and the MAC address table move update information Table 21 1 Flex Links and MAC Address Table Move Update Monitoring Commands Command Purpose show interface interface id switchport backup Displays the Flex Link backup interface configured for an interface or all the configured Flex Links and the state of each active and backup interface up or standby...

Page 508: ... 10 Catalyst 3750 Switch Software Configuration Guide OL 8550 02 Chapter 21 Configuring Flex Links and the MAC Address Table Move Update Feature Monitoring Flex Links and the MAC Address Table Move Update ...

Page 509: ...HCP Features page 22 1 Configuring DHCP Features page 22 8 Displaying DHCP Snooping Information page 22 16 Understanding IP Source Guard page 22 16 Configuring IP Source Guard page 22 17 Displaying IP Source Guard Information page 22 19 Understanding DHCP Features DHCP is widely used in LAN environments to dynamically assign host IP addresses from a centralized server which significantly reduces t...

Page 510: ...g Information section on page 22 16 DHCP snooping acts like a firewall between untrusted hosts and DHCP servers You use DHCP snooping to differentiate between untrusted interfaces connected to the end user and trusted interfaces connected to the DHCP server or another switch Note For DHCP snooping to function properly all DHCP servers must be connected to the switch through trusted interfaces An u...

Page 511: ...annot configure DHCP snooping on an aggregation switch because the DHCP snooping bindings database is not properly populated You also cannot configure IP source guard and dynamic Address Resolution Protocol ARP inspection on the switch unless you use static bindings or ARP access control lists ACLs In Cisco IOS Release 12 2 25 SEA or later when an aggregation switch can be connected to an edge swi...

Page 512: ...from which the packet is received Beginning with Cisco IOS Release 12 2 25 SEE you can configure the remote ID and circuit ID For information on configuring these suboptions see the Enabling DHCP Snooping and Option 82 section on page 22 12 If the IP address of the relay agent is configured the switch adds this IP address in the DHCP packet The switch forwards the DHCP request that includes the op...

Page 513: ...ort 3 is the Fast Ethernet x 0 1 port port 4 is the Fast Ethernet x 0 2 port and so forth where x is the stack member number Port 27 is the SFP module slot x 0 1 and so forth Figure 22 2 shows the packet formats for the remote ID suboption and the circuit ID suboption when the default suboption configuration is used For the circuit ID suboption the module number corresponds to the switch number in...

Page 514: ... on the length of the string that you configure Figure 22 3 User Configured Suboption Packet Formats Cisco IOS DHCP Server Database During the DHCP based autoconfiguration process the designated DHCP server uses the Cisco IOS DHCP server database It has IP addresses address bindings and configuration parameters such as the boot file An address binding is a mapping between an IP address and a MAC a...

Page 515: ...es When a switch learns of new bindings or when it loses bindings the switch immediately updates the entries in the database The switch also updates the entries in the binding file The frequency at which the file is updated is based on a configurable delay and the updates are batched If the file is not updated in a specified time set by the write delay and abort timeout values the update stops Thi...

Page 516: ...ng DHCP packets For more information about switch stacks see Chapter 5 Managing Switch Stacks Configuring DHCP Features These sections contain this configuration information Default DHCP Configuration page 22 8 DHCP Snooping Configuration Guidelines page 22 9 Configuring the DHCP Server page 22 10 DHCP Server and Switch Stacks page 22 10 Configuring the DHCP Relay Agent page 22 11 Specifying the P...

Page 517: ...sign or exclude or you must configure DHCP options for these devices When configuring a large number of circuit IDs on a switch consider the impact of lengthy character strings on the NVRAM or the flash memory If the circuit ID configurations combined with other data exceed the capacity of the NVRAM or the flash memory an error message appears DHCP snooping enabled globally Disabled DHCP snooping ...

Page 518: ...e we recommend that you enable and configure NTP For more information see the Configuring NTP section on page 7 3 If NTP is configured the switch writes binding changes to the binding file only when the switch system clock is synchronized with NTP Do not enter the ip dhcp snooping information option allow untrusted command on an aggregation switch to which an untrusted device is connected If you e...

Page 519: ...ination network segment Using the network address enables any DHCP server to respond to requests Beginning in privileged EXEC mode follow these steps to specify the packet forwarding address Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 service dhcp Enable the DHCP server and relay agent on your switch By default this feature is enabled Step 3 end Return to privi...

Page 520: ...tup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip dhcp snooping Enable DHCP snooping globally Step 3 ip dhcp snooping vlan vlan range Enable DHCP snooping on a VLAN or range of VLANs The range is 1 to 4094 You can enter a single VLAN ID identified by VLAN ID number a series of VLAN IDs...

Page 521: ...on for the specified interface Specify the VLAN and port identifier using a VLAN ID in the range of 1 to 4094 The default circuit ID is the port identifier in the format vlan mod port You can configure the circuit ID to be a string of 3 to 63 ASCII characters no spaces Step 9 ip dhcp snooping trust Optional Configure the interface as trusted or untrusted You can use the no keyword to configure an ...

Page 522: ...f DHCP snooping is already configured on the primary VLAN and you configure DHCP snooping with different settings on a secondary VLAN the configuration for the secondary VLAN does not take effect You must configure DHCP snooping on the primary VLAN If DHCP snooping is not configured on the primary VLAN this message appears when you are configuring DHCP snooping on the secondary VLAN such as VLAN 2...

Page 523: ...e tftp host filename Specify the URL for the database agent or the binding file by using one of these forms flash number filename Optional Use the number parameter to specify the stack member number of the stack master The range for number is 1 to 9 ftp user password host filename http username password hostname host ip directory image name tar rcp user host filename tftp host filename Step 3 ip d...

Page 524: ...ows only IP traffic with a source IP address in the IP source binding table and denies all other traffic Note The port ACL takes precedence over any router ACLs or VLAN maps that affect the same interface The IP source binding table has bindings that are learned by DHCP snooping or are manually configured static IP source bindings An entry in this table has an IP address with its associated MAC ad...

Page 525: ...ffic only when the source IP and MAC addresses match an entry in the IP source binding table When IP source guard with source IP and MAC address filtering is enabled the switch filters IP and non IP traffic If the source MAC address of an IP or non IP packet matches a valid IP source binding the switch forwards the packet The switch drops all other types of packets except DHCP packets The switch u...

Page 526: ...follow these steps to enable and configure IP source guard on an interface Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to be configured and enter interface configuration mode Step 3 ip verify source or ip verify source port security Enable IP source guard with source IP address filtering Enable IP source guard with s...

Page 527: ...ch config ip source binding 0100 0022 0010 vlan 10 10 0 0 2 interface gigabitethernet1 0 1 Switch config ip source binding 0100 0230 0002 vlan 11 10 0 0 4 interface gigabitethernet1 0 1 Switch config end Displaying IP Source Guard Information To display the IP source guard information use one or more of the privileged EXEC commands in Table 22 3 Step 8 show ip source binding ip address mac address...

Page 528: ...22 20 Catalyst 3750 Switch Software Configuration Guide OL 8550 02 Chapter 22 Configuring DHCP Features and IP Source Guard Displaying IP Source Guard Information ...

Page 529: ...on ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address For example Host B wants to send information to Host A but does not have the MAC address of Host A in its ARP cache Host B generates a broadcast message for all hosts within the broadcast domain to obtain the MAC address associated with the IP address of Host A All hosts within the broadcas...

Page 530: ...rcepts logs and discards ARP packets with invalid IP to MAC address bindings This capability protects the network from certain man in the middle attacks Dynamic ARP inspection ensures that only valid ARP requests and responses are relayed The switch performs these activities Intercepts all ARP requests and responses on untrusted ports Verifies that each of these intercepted packets has a valid IP ...

Page 531: ...ypass the security check No other validation is needed at any other place in the VLAN or in the network You configure the trust setting by using the ip arp inspection trust interface configuration command Caution Use the trust state configuration carefully Configuring interfaces as untrusted when they should be trusted can result in a loss of connectivity In Figure 23 2 assume that both Switch A a...

Page 532: ...revent a denial of service attack By default the rate for untrusted interfaces is 15 packets per second pps Trusted interfaces are not rate limited You can change this setting by using the ip arp inspection limit interface configuration command When the rate of incoming ARP packets exceeds the configured limit the switch places the port in the error disabled state The port remains in that state un...

Page 533: ...mic ARP Inspection These sections contain this configuration information Default Dynamic ARP Inspection Configuration page 23 5 Dynamic ARP Inspection Configuration Guidelines page 23 6 Configuring Dynamic ARP Inspection in DHCP Environments page 23 7 required in DHCP environments Configuring ARP ACLs for Non DHCP Environments page 23 8 required in non DHCP environments Limiting the Rate of Incomi...

Page 534: ...mic ARP inspection is supported on access ports trunk ports EtherChannel ports and private VLAN ports A physical port can join an EtherChannel port channel only when the trust state of the physical port and the channel port match Otherwise the physical port remains suspended in the port channel A port channel inherits its trust state from the first physical port that joins the channel Consequently...

Page 535: ...Dynamic ARP Inspection in DHCP Environments This procedure shows how to configure dynamic ARP inspection when two switches support this feature Host 1 is connected to Switch A and Host 2 is connected to Switch B as shown in Figure 23 2 on page 23 3 Both switches are running dynamic ARP inspection on VLAN 1 where the hosts are located A DHCP server is connected to Switch A Both hosts acquire their ...

Page 536: ... Switch A you must separate Switch A from Switch B at Layer 3 and use a router to route packets between them Step 4 interface interface id Specify the interface connected to the other switch and enter interface configuration mode Step 5 ip arp inspection trust Configure the connection between the switches as trusted By default all interfaces are untrusted The switch does not check ARP packets that...

Page 537: ...on see the Configuring the Log Buffer section on page 23 12 Step 4 exit Return to global configuration mode Step 5 ip arp inspection filter arp acl name vlan vlan range static Apply the ARP ACL to the VLAN By default no defined ARP ACLs are applied to any VLAN For arp acl name specify the name of the ACL created in Step 2 For vlan range specify the VLAN that the switches and hosts are in You can s...

Page 538: ...bled recovery so that ports automatically emerge from this state after a specified timeout period Note Unless you configure a rate limit on an interface changing the trust state of the interface also changes its rate limit to the default value for that trust state After you configure the rate limit the interface retains the rate limit even when its trust state is changed If you enter the no ip arp...

Page 539: ...ter interface configuration mode Step 3 ip arp inspection limit rate pps burst interval seconds none Limit the rate of incoming ARP requests and responses on the interface The default rate is 15 pps on untrusted interfaces and unlimited on trusted interfaces The burst interval is 1 second The keywords have these meanings For rate pps specify an upper limit for the number of incoming packets proces...

Page 540: ...l configuration mode Step 2 ip arp inspection validate src mac dst mac ip Perform a specific check on incoming ARP packets By default no checks are performed The keywords have these meanings For src mac check the source MAC address in the Ethernet header against the sender MAC address in the ARP body This check is performed on both ARP requests and responses When enabled packets with different MAC...

Page 541: ...1 configure terminal Enter global configuration mode Step 2 ip arp inspection log buffer entries number logs number interval seconds Configure the dynamic ARP inspection logging buffer By default when dynamic ARP inspection is enabled denied or dropped ARP packets are logged The number of log entries is 32 The number of system messages is limited to 5 per second The logging rate interval is 1 seco...

Page 542: ...ated by a comma The range is 1 to 4094 For acl match matchlog log packets based on the ACE logging configuration If you specify the matchlog keyword in this command and the log keyword in the permit or deny ARP access list configuration command ARP packets permitted or denied by the ACL are logged For acl match none do not log packets that match ACLs For dhcp bindings all log all packets that matc...

Page 543: ... EXEC commands in Table 23 4 For more information about these commands see the command reference for this release Table 23 3 Commands for Clearing or Displaying Dynamic ARP Inspection Statistics Command Description clear ip arp inspection statistics Clears dynamic ARP inspection statistics show ip arp inspection statistics vlan vlan range Displays statistics for forwarded dropped MAC validation fa...

Page 544: ...23 16 Catalyst 3750 Switch Software Configuration Guide OL 8550 02 Chapter 23 Configuring Dynamic ARP Inspection Displaying Dynamic ARP Inspection Information ...

Page 545: ...v4 traffic For information about MLD snooping see Chapter 37 Configuring IPv6 MLD Snooping Note For complete syntax and usage information for the commands used in this chapter see the switch command reference for this release and the IP Multicast Routing Commands section in the Cisco IOS IP Command Reference Volume 3 of 3 Multicast Release 12 2 This chapter consists of these sections Understanding...

Page 546: ...roup from which it receives an IGMP join request The switch supports IP multicast group based bridging rather than MAC addressed based groups With multicast MAC address based groups if an IP address being configured translates aliases to a previously configured MAC address or to any reserved multicast MAC addresses in the range 224 0 0 xxx the command fails Because the switch uses IP multicast gro...

Page 547: ...Pv2 or IGMPv1 hosts Note IGMPv3 join and leave messages are not supported on switches running IGMP filtering or MVR An IGMPv3 switch can receive messages from and forward messages to a device running the Source Specific Multicast SSM feature For more information about source specific multicast with IGMPv3 and IGMP see the following URL http www cisco com univercd cc td doc product software ios121 ...

Page 548: ...ion in the IGMP report to set up a forwarding table entry as shown in Table 24 1 that includes the port numbers connected to Host 1 and the router The switch hardware can distinguish IGMP information packets from other packets for the multicast group The information in the table tells the switching engine to send frames addressed to the 224 1 2 3 multicast IP address that are not IGMP packets to t...

Page 549: ... wishes to receive multicast traffic the router continues forwarding the multicast traffic to the VLAN The switch forwards multicast group traffic only to those hosts listed in the forwarding table for that IP multicast group maintained by IGMP snooping When hosts want to leave a multicast group they can silently leave or they can send a leave message When the switch receives a leave message from ...

Page 550: ... time that the switch waits after sending a group specific query to determine if hosts are still interested in a specific multicast group The IGMP leave response time can be configured from 100 to 5000 milliseconds The timer can be set either globally or on a per VLAN basis The VLAN configuration of the leave time overrides the global configuration For configuration steps see the Configuring the I...

Page 551: ...nger to converge if the stack master is removed Configuring IGMP Snooping IGMP snooping allows switches to examine IGMP packets and make forwarding decisions based on their content These sections contain this configuration information Default IGMP Snooping Configuration page 24 7 Enabling or Disabling IGMP Snooping page 24 8 Setting the Snooping Method page 24 9 Configuring a Multicast Router Port...

Page 552: ...snooping on all VLAN interfaces use the no ip igmp snooping global configuration command Beginning in privileged EXEC mode follow these steps to enable IGMP snooping on a VLAN interface IGMP snooping querier Disabled IGMP report suppression Enabled 1 TCN Topology Change Notification Table 24 3 Default IGMP Snooping Configuration continued Feature Default Setting Command Purpose Step 1 configure te...

Page 553: ... CGMP self join and CGMP proxy join packets and to no other CGMP packets To learn of multicast router ports through only PIM DVMRP packets use the ip igmp snooping vlan vlan id mrouter learn pim dvmrp global configuration command Note If you want to use CGMP as the learning method and no multicast routers in the VLAN are CGMP proxy enabled you must enter the ip cgmp router only command to dynamica...

Page 554: ...e a static connection to a multicast router To remove a multicast router port from the VLAN use the no ip igmp snooping vlan vlan id mrouter interface interface id global configuration command This example shows how to enable a static connection to a multicast router Switch configure terminal Switch config ip igmp snooping vlan 200 mrouter interface gigabitethernet1 0 2 Switch config end Command P...

Page 555: ...e on that port You should only use the Immediate Leave feature when there is a single receiver present on every port in the VLAN Note Immediate Leave is supported only on IGMP Version 2 hosts Beginning in privileged EXEC mode follow these steps to enable IGMP Immediate Leave Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip igmp snooping vlan vlan id static ip_add...

Page 556: ...e steps to enable the IGMP configurable leave timer To globally reset the IGMP leave timer to the default setting use the no ip igmp snooping last member query interval global configuration command To remove the configured IGMP leave time setting from the specified VLAN use the no ip igmp snooping vlan vlan id last member query interval global configuration command Step 4 show ip igmp snooping vla...

Page 557: ...ed on the general queries received during the TCN event Beginning in privileged EXEC mode follow these steps to configure the TCN flood query count To return to the default flooding query count use the no ip igmp snooping tcn flood query count global configuration command Recovering from Flood Mode When a topology change occurs the spanning tree root sends a special IGMP leave message also known a...

Page 558: ...nterface To re enable multicast flooding on an interface use the ip igmp snooping tcn flood interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip igmp snooping tcn query solicit Send an IGMP leave message global leave to speed the process of recovering from the flood mode caused during a TCN event By default query solicitation is disabl...

Page 559: ...led in the VLAN PIM is enabled on the SVI of the corresponding VLAN Beginning in privileged EXEC mode follow these steps to enable the IGMP snooping querier feature in a VLAN Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip igmp snooping querier Enable the IGMP snooping querier Step 3 ip igmp snooping querier address ip_address Optional Specify an IP address for ...

Page 560: ...he multicast query has IGMPv1 and IGMPv2 reports This feature is not supported when the query includes IGMPv3 reports IGMP report suppression is enabled by default When it is enabled the switch forwards only one IGMP report per multicast router query When report suppression is disabled all IGMP reports are forwarded to the multicast routers Beginning in privileged EXEC mode follow these steps to d...

Page 561: ...nt Display multicast table information for a multicast VLAN or about a specific parameter for the VLAN vlan id The VLAN ID range is 1 to 1001 and 1006 to 4094 count Display the total number of entries for the specified command options instead of the actual entries dynamic Display entries learned through IGMP snooping ip_address Display characteristics of the multicast group with the specified grou...

Page 562: ...switch forwarding table intercepts the IGMP messages and modifies the forwarding table to include or remove the subscriber as a receiver of the multicast stream even though the receivers might be in a different VLAN from the source This forwarding behavior selectively allows traffic to cross between different VLANs You can set the switch for compatible or dynamic mode of MVR operation In compatibl...

Page 563: ... an IGMP report to Switch A to join the appropriate multicast If the IGMP report matches one of the configured IP multicast group addresses the switch CPU modifies the hardware address table to include this receiver port and VLAN as a forwarding destination of the specified multicast stream when it is received from the multicast VLAN Uplink ports that send and receive multicast data to and from th...

Page 564: ...ver device is connected MVR eliminates the need to duplicate television channel multicast traffic for subscribers in each VLAN Multicast traffic for all channels is only sent around the VLAN trunk once only on the multicast VLAN The IGMP leave and join messages are in the VLAN to which the subscriber port is assigned These messages dynamically register for streams of multicast traffic in the multi...

Page 565: ...e MVR on private VLAN ports MVR is not supported when multicast routing is enabled on a switch If you enable multicast routing and a multicast routing protocol while MVR is enabled MVR is disabled and you receive a warning message If you try to enable MVR while multicast routing and a multicast routing protocol are enabled the operation to enable MVR is cancelled and you receive an error message M...

Page 566: ...nt to all source ports on the switch and all receiver ports that have elected to receive data on that multicast address Each multicast address would correspond to one television channel Step 4 mvr querytime value Optional Define the maximum time to wait for IGMP report memberships on a receiver port before removing the port from multicast group membership The value is in units of tenths of a secon...

Page 567: ... a port as a receiver port if it is a subscriber port and should only receive multicast data It does not receive data unless it becomes a member of the multicast group either statically or by using IGMP leave and join messages Receiver ports cannot belong to the multicast VLAN The default configuration is as a non MVR port If you attempt to configure a non MVR port with MVR characteristics the ope...

Page 568: ...group the IGMP report from the port is forwarded for normal processing You can also set the maximum number of IGMP groups that a Layer 2 interface can join IGMP filtering controls only group specific query and membership reports including join and leave reports It does not control general IGMP queries IGMP filtering has no relationship with the function that directs the forwarding of IP multicast ...

Page 569: ...figuring the IGMP Throttling Action page 24 28 optional Default IGMP Filtering and Throttling Configuration Table 24 7 shows the default IGMP filtering configuration When the maximum number of groups is in forwarding table the default IGMP throttling action is to deny the IGMP report For configuration guidelines see the Configuring the IGMP Throttling Action section on page 24 28 Configuring IGMP ...

Page 570: ... 9 0 229 9 9 0 Applying IGMP Profiles To control access as defined in an IGMP profile use the ip igmp filter interface configuration command to apply the profile to the appropriate interfaces You can apply IGMP profiles only to Layer 2 access ports you cannot apply IGMP profiles to routed ports or SVIs You cannot apply profiles to ports that belong to an EtherChannel port group You can apply a pro...

Page 571: ...e maximum number of IGMP groups in the forwarding table Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the physical interface and enter interface configuration mode The interface must be a Layer 2 port that does not belong to an EtherChannel port group Step 3 ip igmp filter profile number Apply the specified IGMP profile to the inter...

Page 572: ...orwarding table the forwarding table entries are either aged out or removed depending on the throttling action If you configure the throttling action as deny the entries that were previously in the forwarding table are not removed but are aged out After these entries are aged out and the maximum number of entries is in the forwarding table the switch drops the next IGMP report received on the inte...

Page 573: ...face Use the privileged EXEC commands in Table 24 8 to display IGMP filtering and throttling configuration Step 4 end Return to privileged EXEC mode Step 5 show running config interface interface id Verify the configuration Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Table 24 8 Commands for Displaying IGMP Filtering and Throttling ...

Page 574: ...24 30 Catalyst 3750 Switch Software Configuration Guide OL 8550 02 Chapter 24 Configuring IGMP Snooping and MVR Displaying IGMP Filtering and Throttling Configuration ...

Page 575: ...this conceptual and configuration information Understanding Storm Control page 25 1 Default Storm Control Configuration page 25 3 Configuring Storm Control and Threshold Levels page 25 3 Understanding Storm Control Storm control prevents traffic on a LAN from being disrupted by a broadcast multicast or unicast storm on one of the physical interfaces A LAN storm occurs when packets flood the LAN cr...

Page 576: ...as bridge protocol data unit BDPU and Cisco Discovery Protocol CDP frames are blocked However the switch does not differentiate between routing updates such as OSPF and regular multicast data traffic so both types of traffic are blocked The graph in Figure 25 1 shows broadcast traffic patterns on an interface over a given period of time The example can also be applied to multicast and unicast traf...

Page 577: ...hreshold level that you want to be used for a particular type of traffic However because of hardware limitations and the way in which packets of different sizes are counted threshold percentages are approximations Depending on the sizes of the packets making up the incoming traffic the actual enforced threshold might differ from the configured level by several percentage points Note Storm control ...

Page 578: ...threshold level for broadcast multicast or unicast traffic in bits per second up to one decimal place The port blocks traffic when the rising threshold is reached The range is 0 0 to 10000000000 0 Optional For bps low specify the falling threshold level in bits per second up to one decimal place It can be less than or equal to the rising threshold level The port forwards traffic when traffic drops...

Page 579: ...ment the use of protected ports ensures that there is no exchange of unicast broadcast or multicast traffic between these ports on the switch Protected ports have these features A protected port does not forward any traffic unicast multicast or broadcast to any other port that is also a protected port Data traffic cannot be forwarded between protected ports at Layer 2 only control traffic such as ...

Page 580: ...ore information about private VLANs see Chapter 16 Configuring Private VLANs Configuring a Protected Port Beginning in privileged EXEC mode follow these steps to define a port as a protected port To disable protected port use the no switchport protected interface configuration command This example shows how to configure a port as a protected port Switch configure terminal Switch config interface g...

Page 581: ...icast or unicast traffic for a port channel it is blocked on all ports in the port channel group Beginning in privileged EXEC mode follow these steps to disable the flooding of multicast and unicast packets out of an interface To return the interface to the default condition where no traffic is blocked and normal forwarding occurs on the port use the no switchport block multicast unicast interface...

Page 582: ...ion page 25 10 Port Security Configuration Guidelines page 25 10 Enabling and Configuring Port Security page 25 12 Enabling and Configuring Port Security Aging page 25 15 Port Security and Switch Stacks page 25 17 Understanding Port Security These sections contain this conceptual information Secure MAC Addresses page 25 8 Security Violations page 25 9 Secure MAC Addresses You configure the maximum...

Page 583: ... occurs The maximum number of secure MAC addresses have been added to the address table and a station whose MAC address is not in the address table attempts to access the interface An address learned or configured on one secure interface is seen on another secure interface in the same VLAN You can configure the interface for one of three violation modes based on the action to be taken if a violati...

Page 584: ...upported on access ports and not on trunk ports even though the configuration is allowed Table 25 1 Security Violation Mode Actions Violation Mode Traffic is forwarded1 1 Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses Sends SNMP trap Sends syslog message Displays error message2 2 The switch returns an error message if you manually con...

Page 585: ...w value is less than the previous value and the number of configured secure addresses on the interface exceeds the new value the command is rejected The switch does not support port security aging of sticky secure MAC addresses Table 25 3 summarizes port security compatibility with other port based features Table 25 3 Port Security Compatibility with Other Switch Features Type of Port or Feature o...

Page 586: ...s voice Optional Set the maximum number of secure MAC addresses for the interface The maximum number of secure MAC addresses that you can configure on a switch stack is set by the maximum number of available MAC addresses allowed in the system This number is set by the active Switch Database Management SDM template See Chapter 8 Configuring the Switch SDM Template This number is the total of avail...

Page 587: ... is logged and the violation counter increments Note When a secure port is in the error disabled state you can bring it out of this state by entering the errdisable recovery cause psecure violation global configuration command or you can manually re enable it by entering the shutdown and no shutdown interface configuration commands Step 8 switchport port security mac address mac address vlan vlan ...

Page 588: ...curity mac address mac address interface configuration command To delete all dynamic secure addresses on an interface from the address table enter the no switchport port security interface configuration command followed by the switchport port security command to re enable port security on the interface If you use the no switchport port security mac address sticky interface configuration command to...

Page 589: ...ode access Switch config if switchport voice vlan 22 Switch config if switchport port security Switch config if switchport port security maximum 20 Switch config if switchport port security violation restrict Switch config if switchport port security mac address sticky Switch config if switchport port security mac address sticky 0000 0000 0002 Switch config if switchport port security mac address ...

Page 590: ...n verify the previous commands by entering the show port security interface interface id privileged EXEC command Step 3 switchport port security aging static time time type absolute inactivity Enable or disable static aging for the secure port or set the aging time or type Note The switch does not support port security aging of sticky secure addresses Enter static to enable aging for statically co...

Page 591: ...rmation use one or more of the privileged EXEC commands in Table 25 4 Table 25 4 Commands for Displaying Traffic Control Status and Configuration Command Purpose show interfaces interface id switchport Displays the administrative and operational status of all switching nonrouting ports or the specified port including port blocking and port protection settings show storm control interface id broadc...

Page 592: ...25 18 Catalyst 3750 Switch Software Configuration Guide OL 8550 02 Chapter 25 Configuring Port Based Traffic Control Displaying Port Based Traffic Control Settings ...

Page 593: ...ork management applications can learn the device type and the Simple Network Management Protocol SNMP agent address of neighboring devices running lower layer transparent protocols This feature enables applications to send SNMP queries to neighboring devices CDP runs on all media that support Subnetwork Access Protocol SNAP Because CDP runs over the data link layer only two systems that support di...

Page 594: ...ration Table 26 1 shows the default CDP configuration Configuring the CDP Characteristics You can configure the frequency of CDP updates the amount of time to hold the information before discarding it and whether or not to send Version 2 advertisements Beginning in privileged EXEC mode follow these steps to configure the CDP timer holdtime and advertisement type Note Steps 2 through 4 are all opti...

Page 595: ...o com Beginning in privileged EXEC mode follow these steps to disable the CDP device discovery capability Beginning in privileged EXEC mode follow these steps to enable CDP when it has been disabled Step 3 cdp holdtime seconds Optional Specify the amount of time a receiving device should hold the information sent by your device before discarding it The range is 10 to 255 seconds the default is 180...

Page 596: ...fig interface gigabitethernet1 0 1 Switch config if cdp enable Switch config if end Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface on which you are disabling CDP and enter interface configuration mode Step 3 no cdp enable Disable CDP on the interface Step 4 end Return to privileged EXEC mode Step 5 copy running config s...

Page 597: ... display all CDP neighbors or you can enter the name of the neighbor about which you want information You can also limit the display to information about the protocols enabled on the specified neighbor or information about the version of software running on the device show cdp interface interface id Display information about interfaces where CDP is enabled You can limit the display to the interfac...

Page 598: ...26 6 Catalyst 3750 Switch Software Configuration Guide OL 8550 02 Chapter 26 Configuring CDP Monitoring and Maintaining CDP ...

Page 599: ...unidirectional links When UDLD detects a unidirectional link it disables the affected port and alerts you Unidirectional links can cause a variety of problems including spanning tree topology loops Modes of Operation UDLD supports two modes of operation normal the default and aggressive In normal mode UDLD can detect unidirectional links due to misconnected ports on fiber optic connections In aggr...

Page 600: ...ne of the ports is down while the other is up One of the fiber strands in the cable is disconnected In these cases UDLD disables the affected port In a point to point link UDLD hello packets can be considered as a heart beat whose presence guarantees the health of the link Conversely the loss of the heart beat means that the link must be shut down if it is not possible to re establish a bidirectio...

Page 601: ...rt is disabled If UDLD in normal mode is in the advertisement or in the detection phase and all the neighbor cache entries are aged out UDLD restarts the link up sequence to resynchronize with any potentially out of sync neighbors If you enable aggressive mode when all the neighbors of a port have aged out either in the advertisement or in the detection phase UDLD restarts the link up sequence to ...

Page 602: ...on Guidelines These are the UDLD configuration guidelines UDLD is not supported on ATM ports A UDLD capable port cannot detect a unidirectional link if it is connected to a UDLD incapable port of another switch When configuring the mode normal or aggressive make sure that the same mode is configured on both sides of the link Table 27 1 Default UDLD Configuration Feature Default Setting UDLD global...

Page 603: ...ll fiber optic ports enable Enables UDLD in normal mode on all fiber optic ports on the switch UDLD is disabled by default An individual interface configuration overrides the setting of the udld enable global configuration command For more information about aggressive and normal modes see the Modes of Operation section on page 27 1 message time message timer interval Configures the period of time ...

Page 604: ...ables the timer to automatically recover from the UDLD error disabled state and the errdisable recovery interval interval global configuration command specifies the time to recover from the UDLD error disabled state Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be enabled for UDLD and enter interface configuration mode S...

Page 605: ...uring UDLD Displaying UDLD Status Displaying UDLD Status To display the UDLD status for the specified port or for all ports use the show udld interface id privileged EXEC command For detailed information about the fields in the command output see the command reference for this release ...

Page 606: ...27 8 Catalyst 3750 Switch Software Configuration Guide OL 8550 02 Chapter 27 Configuring UDLD Displaying UDLD Status ...

Page 607: ...vice SPAN copies or mirrors traffic received or sent or both on source ports or source VLANs to a destination port for analysis SPAN does not affect the switching of network traffic on the source ports or VLANs You must dedicate the destination port for SPAN use Except for traffic that is required for the SPAN or RSPAN session destination ports do not receive or forward traffic Only traffic that e...

Page 608: ...ts are in the same switch or switch stack Local SPAN copies traffic from one or more source ports in any VLAN or from one or more VLANs to a destination port for analysis For example in Figure 28 1 all traffic on port 5 the source port is mirrored to port 10 the destination port A network analyzer on port 10receives all network traffic from port 5 without being physically attached to port 5 Figure...

Page 609: ... VLAN that is dedicated for that RSPAN session in all participating switches The RSPAN traffic from the source ports or VLANs is copied into the RSPAN VLAN and forwarded over trunk ports carrying the RSPAN VLAN to a destination session monitoring the RSPAN VLAN Each RSPAN source switch must have either ports or VLANs as RSPAN sources The destination is always a physical port as shown on Switch C i...

Page 610: ... the user and form them into a stream of SPAN data which is directed to the destination port RSPAN consists of at least one RSPAN source session an RSPAN VLAN and at least one RSPAN destination session You separately configure RSPAN source sessions and RSPAN destination sessions on different network devices To configure an RSPAN source session on a device you associate a set of source ports or sou...

Page 611: ...ed as SPAN sources and destinations SPAN sessions do not interfere with the normal operation of the switch However an oversubscribed SPAN destination for example a 10 Mbps port monitoring a 100 Mbps port can result in dropped or lost packets When RSPAN is enabled each packet being monitored is transmitted twice once as normal traffic and once as a monitored packet Therefore monitoring a large numb...

Page 612: ...DU and Layer 2 protocol packets are monitored Therefore a local SPAN session with encapsulation replicate enabled can have a mixture of untagged ISL and IEEE 802 1Q tagged packets appear on the destination port Switch congestion can cause packets to be dropped at ingress source ports egress source ports or SPAN destination ports In general these characteristics are independent of one another For e...

Page 613: ...s and can be monitored in either or both directions On a given port only traffic on the monitored VLAN is sent to the destination port If a destination port belongs to a source VLAN it is excluded from the source list and is not monitored If ports are added to or removed from the source VLANs the traffic on the source VLAN received by those ports is added to or removed from the sources being monit...

Page 614: ...sical port It cannot be a secure port It cannot be a source port It cannot be an EtherChannel group or a VLAN It can participate in only one SPAN session at a time a destination port in one SPAN session cannot be a destination port for a second SPAN session When it is active incoming traffic is disabled The port does not transmit any traffic except that required for the SPAN session Incoming traff...

Page 615: ... does not monitor routed traffic VSPAN only monitors traffic that enters or exits the switch not traffic that is routed between VLANs For example if a VLAN is being Rx monitored and the switch routes traffic from another VLAN to the monitored VLAN that traffic is not monitored and not received on the SPAN destination port STP A destination port does not participate in STP while its SPAN or RSPAN s...

Page 616: ...port For SPAN sessions do not enable port security on ports with monitored egress when ingress forwarding is enabled on the destination port For RSPAN source sessions do not enable port security on any ports with monitored egress An IEEE 802 1x port can be a SPAN source port You can enable IEEE 802 1x on a port that is a SPAN destination port however IEEE 802 1x is disabled until the port is remov...

Page 617: ...ion The destination port cannot be a source port a source port cannot be a destination port You cannot have two SPAN sessions using the same destination port When you configure a switch port as a SPAN destination port it is no longer a normal switch port only monitored traffic passes through the SPAN destination port Entering SPAN configuration commands does not remove previously configured SPAN p...

Page 618: ...karound for local SPAN is to use the replicate option On Catalyst 3750 24PS 3750 48PS 3750 24TS 3750 48TS 3750G 12S 3750G 24T 3750G 24TS and 3750G 16TD switches egress SPAN routed packets both unicast and multicast show the incorrect source MAC address For local SPAN packets with native encapsulation on the destination port the packet shows the MAC address of VLAN 1 This problem does not appear wi...

Page 619: ...irection the SPAN monitors both sent and received traffic both Monitor both received and sent traffic This is the default rx Monitor received traffic tx Monitor sent traffic Note You can use the monitor session session_number source command multiple times to configure multiple source ports Step 4 monitor session session_number destination interface interface id encapsulation replicate Specify the ...

Page 620: ...gigabitethernet1 0 2 encapsulation replicate Switch config end This example shows how to remove port 1 as a SPAN source for SPAN session 1 Switch config no monitor session 1 source interface gigabitethernet1 0 1 Switch config end This example shows how to disable received traffic monitoring on port 1 which was configured for bidirectional monitoring Switch config no monitor session 1 source interf...

Page 621: ...y the SPAN session the destination port the packet encapsulation and the ingress VLAN and encapsulation For session_number specify the session number entered in Step 3 For interface id specify the destination port The destination interface must be a physical port it cannot be an EtherChannel and it cannot be a VLAN Optional Specify a series or range of interfaces Enter a space before and after the...

Page 622: ...x Switch config monitor session 2 destination interface gigabitethernet1 0 2 encapsulation replicate ingress dot1q vlan 6 Switch config end Specifying VLANs to Filter Beginning in privileged EXEC mode follow these steps to limit SPAN source traffic to specific VLANs Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 no monitor session session_number all local remote R...

Page 623: ...Session page 28 19 Creating an RSPAN Destination Session page 28 21 Creating an RSPAN Destination Session and Configuring Incoming Traffic page 28 22 Specifying VLANs to Filter page 28 24 Step 5 monitor session session_number destination interface interface id encapsulation replicate Specify the SPAN session and the destination port monitoring port For session_number specify the session number ent...

Page 624: ...tion of an RSPAN source session on the switch You can configure any VLAN as an RSPAN VLAN as long as these conditions are met The same RSPAN VLAN is used for an RSPAN session in all the switches All participating switches support RSPAN We recommend that you configure an RSPAN VLAN before you configure an RSPAN source or a destination session If you enable VTP and VTP pruning RSPAN traffic is prune...

Page 625: ...mand This example shows how to create RSPAN VLAN 901 Switch config vlan 901 Switch config vlan remote span Switch config vlan end Creating an RSPAN Source Session Beginning in privileged EXEC mode follow these steps to start an RSPAN source session and to specify the monitored source and the destination RSPAN VLAN Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 vla...

Page 626: ... the range is 1 to 66 Enter a source port or source VLAN for the RSPAN session For interface id specify the source port to monitor Valid interfaces include physical interfaces and port channel logical interfaces port channel port channel number Valid port channel numbers are 1 to 48 For vlan id specify the source VLAN to monitor The range is 1 to 4094 excluding the RSPAN VLAN A single session can ...

Page 627: ...e VTP network Step 3 remote span Identify the VLAN as the RSPAN VLAN Step 4 exit Return to global configuration mode Step 5 no monitor session session_number all local remote Remove any existing RSPAN configuration for the session For session_number the range is 1 to 66 Specify all to remove all RSPAN sessions local to remove all local sessions or remote to remove all remote SPAN sessions Step 6 m...

Page 628: ...the source RSPAN VLAN and the destination port and to enable incoming traffic on the destination port for a network security device such as a Cisco IDS Sensor Appliance For details about the keywords not related to incoming traffic see the Creating an RSPAN Destination Session section on page 28 21 This procedure assumes that the RSPAN VLAN has already been configured Command Purpose Step 1 config...

Page 629: ...tion For session_number enter the number defined in Step 4 In an RSPAN destination session you must use the same session number for the source RSPAN VLAN and the destination port For interface id specify the destination interface The destination interface must be a physical interface Though visible in the command line help string encapsulation replicate is not supported for RSPAN The original VLAN...

Page 630: ...all to remove all SPAN sessions local to remove all local sessions or remote to remove all remote SPAN sessions Step 3 monitor session session_number source interface interface id Specify the characteristics of the source port monitored port and SPAN session For session_number the range is 1 to 66 For interface id specify the source port to monitor The interface specified must already be configure...

Page 631: ...uring SPAN and RSPAN Displaying SPAN and RSPAN Status Displaying SPAN and RSPAN Status To display the current SPAN or RSPAN configuration use the show monitor user EXEC command You can also use the show running config privileged EXEC command to display configured SPAN or RSPAN sessions ...

Page 632: ...28 26 Catalyst 3750 Switch Software Configuration Guide OL 8550 02 Chapter 28 Configuring SPAN and RSPAN Displaying SPAN and RSPAN Status ...

Page 633: ...e tuning information Note For complete syntax and usage information for the commands used in this chapter see the System Management Commands section in the Cisco IOS Configuration Fundamentals Command Reference Release 12 2 This chapter consists of these sections Understanding RMON page 29 1 Configuring RMON page 29 2 Displaying RMON Status page 29 6 Understanding RMON RMON is an Internet Engineer...

Page 634: ...esets the alarm at another value falling threshold Alarms can be used with events the alarm triggers an event which can generate a log entry or an SNMP trap Event RMON group 9 Specifies the action to take when an event is triggered by an alarm The action can be to generate a log entry or an SNMP trap Because switches supported by this software release use hardware counters for RMON data processing...

Page 635: ...and Purpose Step 1 configure terminal Enter global configuration mode Step 2 rmon alarm number variable interval absolute delta rising threshold value event number falling threshold value event number owner string Set an alarm on a MIB object For number specify the alarm number The range is 1 to 65535 For variable specify the MIB object to monitor For interval specify the time in seconds the alarm...

Page 636: ...be triggered again Switch config rmon alarm 10 ifEntry 20 1 20 delta rising threshold 15 1 falling threshold 0 owner jjohnson The following example creates RMON event number 1 by using the rmon event command The event is defined as High ifOutErrors and generates a log entry when the event is triggered by the alarm The user jjones owns the row that is created in the event table by this command This...

Page 637: ...on history index buckets bucket number interval seconds owner ownername Enable history collection for the specified number of buckets and time period For index identify the RMON group of statistics The range is 1 to 65535 Optional For buckets bucket number specify the maximum number of buckets desired for the RMON collection history group of statistics The range is 1 to 65535 The default is 50 buc...

Page 638: ...erence Release 12 2 Step 3 rmon collection stats index owner ownername Enable RMON statistic collection on the interface For index specify the RMON group of statistics The range is from 1 to 65535 Optional For owner ownername enter the name of the owner of the RMON group of statistics Step 4 end Return to privileged EXEC mode Step 5 show running config Verify your entries Step 6 show rmon statisti...

Page 639: ...tname n where n is a switch number from 1 to 9 and redirects the output to the logging process on the stack master Though the stack master is a stack member it does not append its hostname to system messages The logging process controls the distribution of logging messages to various destinations such as the logging buffer terminal lines or a UNIX syslog server depending on your configuration The ...

Page 640: ...g Configuration page 30 4 Disabling Message Logging page 30 4 optional Setting the Message Display Destination Device page 30 5 optional Synchronizing Log Messages page 30 6 optional Enabling and Disabling Time Stamps on Log Messages page 30 8 optional Enabling and Disabling Sequence Numbers in Log Messages page 30 8 optional Defining the Message Severity Level page 30 9 optional Limiting Syslog M...

Page 641: ... Line protocol on Interface Vlan1 changed state to down Switch 2 00 00 48 LINEPROTO 5 UPDOWN Line protocol on Interface GigabitEthernet2 0 1 changed state to down 2 Switch 2 Table 30 1 System Log Message Elements Element Description seq no Stamps log messages with a sequence number only if the service sequence numbers global configuration command is configured For more information see the Enabling...

Page 642: ...led messages appear on the console as soon as they are produced often appearing in the middle of command output Table 30 2 Default System Message Logging Configuration Feature Default Setting System message logging to the console Enabled Console severity Debugging and numerically lower levels see Table 30 3 on page 30 10 Logging file configuration No filename specified Logging buffer size 4096 byt...

Page 643: ...e buffer size too large because the switch could run out of memory for other tasks Use the show memory privileged EXEC command to view the free processor memory on the switch However this value is the maximum available and the buffer size should not be set to this amount Step 3 logging host Log messages to a UNIX syslog server host For host specify the name or IP address of the host to be used as ...

Page 644: ...C command output with solicited device output and prompts for a specific console port line or virtual terminal line You can identify the types of messages to be output asynchronously based on the level of severity You can also configure the maximum number of buffers for storing asynchronous messages for the terminal after which messages are dropped When synchronous logging of unsolicited messages ...

Page 645: ...ou can change the setting of all 16 vty lines at once by entering line vty 0 15 Or you can change the setting of the single vty line being used for your current connection For example to change the setting for vty line 2 enter line vty 2 When you enter this command the mode changes to line configuration Step 3 logging synchronous level severity level all limit number of buffers Enable synchronous ...

Page 646: ...e log message can have the same time stamp you can display messages with sequence numbers so that you can unambiguously see a single message By default sequence numbers in log messages are not displayed Beginning in privileged EXEC mode follow these steps to enable sequence numbers in log messages This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode ...

Page 647: ...ion command To disable logging to syslog servers use the no logging trap global configuration command Step 4 show running config Verify your entries Step 5 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 logging console level Limit messages logged to the console ...

Page 648: ...layed at the informational level This message is only for information switch functionality is not affected Limiting Syslog Messages Sent to the History Table and to SNMP If you enabled syslog message traps to be sent to an SNMP network management station by using the snmp server enable trap global configuration command you can change the level of messages sent and stored in the switch history tabl...

Page 649: ...owed by the logging enable command to disable and reenable logging Use the show archive log config all number end number user username session number number end number statistics provisioning privileged EXEC command to display the complete configuration log or the log for specified parameters The default is that configuration logging is disabled For information about the commands see the Cisco IOS...

Page 650: ...43 14 temi vty4 switchport mode trunk 44 14 temi vty4 exit 45 16 temi vty5 interface FastEthernet5 0 1 46 16 temi vty5 switchport mode trunk 47 16 temi vty5 exit Configuring UNIX Syslog Servers The next sections describe how to configure the UNIX server syslog daemon and how to define the UNIX system logging facility Logging Messages to a UNIX Syslog Daemon Before you can send system log messages ...

Page 651: ...6 var log cisco log Step 3 Make sure the syslog daemon reads the new changes kill HUP cat etc syslog pid For more information see the man syslog conf and man syslogd commands on your UNIX system Configuring the UNIX System Logging Facility When sending system log messages to an external device you can cause the switch to identify its messages as originating from any of the UNIX syslog facilities B...

Page 652: ...ies consult the operator s manual for your UNIX operating system Displaying the Logging Configuration To display the logging configuration and the contents of the log buffer use the show logging privileged EXEC command For information about the fields in this display see the Cisco IOS Configuration Fundamentals Command Reference Release 12 2 Table 30 4 Logging Facility Type Keywords Facility Type ...

Page 653: ...between the manager and the agent The SNMP agent contains MIB variables whose values the SNMP manager can request or change A manager can get a value from an agent or store a value into the agent The agent gathers data from the MIB the repository for information about device parameters and network data The agent can also respond to a manager s requests to get or set data An agent can send unsolici...

Page 654: ...rity features Message integrity ensuring that a packet was not tampered with in transit Authentication determining that the message is from a valid source Encryption mixing the contents of a package to prevent it from being read by an unauthorized source Note To select encryption enter the priv keyword This keyword is available only when the cryptographic encrypted software image is installed Both...

Page 655: ...3 authNoPriv MD5 or SHA No Provides authentication based on the HMAC MD5 or HMAC SHA algorithms SNMPv3 authPriv requires the cryptographic software image MD5 or SHA DES Provides authentication based on the HMAC MD5 or HMAC SHA algorithms Provides DES 56 bit encryption in addition to authentication based on the CBC DES DES 56 standard Table 31 2 SNMP Operations Operation Description get request Ret...

Page 656: ...mmunity string definitions on the switch A community string can have one of these attributes Read only RO Gives read access to authorized management stations to all objects in the MIB except the community strings but does not allow write access Read write RW Gives read and write access to authorized management stations to all objects in the MIB but does not allow access to the community strings Wh...

Page 657: ...ms Note SNMPv1 does not support informs Traps are unreliable because the receiver does not send an acknowledgment when it receives a trap and the sender cannot determine if the trap was received When an SNMP manager receives an inform request it acknowledges the message with an SNMP response protocol data unit PDU If the sender does not receive a response the inform request can be sent again Becau...

Page 658: ...x value to an interface Note The switch might not use sequential values within a range Configuring SNMP These sections contain this configuration information Default SNMP Configuration page 31 7 SNMP Configuration Guidelines page 31 7 Disabling the SNMP Agent page 31 8 Configuring Community Strings page 31 8 Configuring SNMP Groups and Users page 31 10 Configuring SNMP Notifications page 31 12 Set...

Page 659: ... number for the remote SNMP agent of the device where the user resides Before you configure remote users for a particular agent configure the SNMP engine ID using the snmp server engineID global configuration with the remote option The remote agent s SNMP engine ID and user password are used to compute the authentication and privacy digests If you do not configure the remote engine ID first the co...

Page 660: ...on 2C and Version 3 on the device No specific Cisco IOS command exists to enable SNMP The first snmp server global configuration command that you enter enables all versions of SNMP Configuring Community Strings You use the SNMP community string to define the relationship between the SNMP manager and the agent The community string acts like a password to permit access to the agent on the switch Opt...

Page 661: ...authorized management stations to retrieve and modify MIB objects By default the community string permits read only access to all objects Optional For access list number enter an IP standard access list numbered from 1 to 99 and 1300 to 1999 Step 3 access list access list number deny permit source source wildcard Optional If you specified an IP standard access list number in Step 2 then create the...

Page 662: ... follow these steps to configure SNMP on the switch Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 snmp server engineID local engineid string remote ip address udp port port number engineid string Configure a name for either the local or remote copy of SNMP The engineid string is a 24 character ID string with the name of the copy of SNMP You need not specify the e...

Page 663: ...entication noauth Enables the noAuthNoPriv security level This is the default if no keyword is specified priv Enables Data Encryption Standard DES packet encryption also called privacy Note The priv keyword is available only when the cryptographic software image is installed Optional Enter read readview with a string not to exceed 64 characters that is the name of the view in which you can only vi...

Page 664: ...MP group The username is the name of the user on the host that connects to the agent The groupname is the name of the group to which the user is associated Enter remote to specify a remote SNMP entity to which the user belongs and the hostname or IP address of that entity with the optional UDP port number The default is 162 Enter the SNMP version number v1 v2c or v3 If you enter v3 you have these ...

Page 665: ...rap for Open Shortest Path First OSPF changes You can enable any or all of these traps Cisco specific errors link state advertisement rate limit retransmit and state changes pim Generates a trap for Protocol Independent Multicast PIM changes You can enable any or all of these traps invalid PIM messages neighbor changes and rendezvous point RP mapping changes port security Generates SNMP port secur...

Page 666: ...p 2 Note You cannot configure a remote user for an address without first configuring the engine ID for the remote host Otherwise you receive an error message and the command is not executed Step 4 snmp server group groupname v1 v2c v3 auth noauth priv read readview write writeview notify notifyview access access list Configure an SNMP group Step 5 snmp server host host addr informs traps version 1...

Page 667: ...cify the type of notifications to be sent For a list of notification types see Table 31 5 on page 31 12 or enter snmp server enable traps To enable multiple types of traps you must enter a separate snmp server enable traps command for each trap type Step 7 snmp server trap source interface id Optional Specify the source interface which provides the IP address for the trap message This command also...

Page 668: ...ch config snmp server host 192 180 1 111 version 1 public Switch config snmp server host 192 180 1 33 public Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 snmp server tftp server list access list number Limit TFTP servers used for configuration file copies through SNMP to the servers in the access list For access list number enter an IP standard access list numbe...

Page 669: ...o send auth authNoPriv authentication level informs when the user enters global configuration mode Switch config snmp server engineID remote 192 180 1 27 00000063000100a1c0b4011b Switch config snmp server group authgroup v3 auth Switch config snmp server user authuser authgroup remote 192 180 1 27 v3 auth md5 mypassword Switch config snmp server user authuser authgroup v3 auth md5 mypassword Switc...

Page 670: ...31 18 Catalyst 3750 Switch Software Configuration Guide OL 8550 02 Chapter 31 Configuring SNMP Displaying SNMP Status ...

Page 671: ...ed MAC Extended ACLs page 32 27 Configuring VLAN Maps page 32 29 Using VLAN Maps with Router ACLs page 32 36 Displaying IPv4 ACL Configuration page 32 40 Understanding ACLs Packet filtering can help limit network traffic and restrict network use by certain users or devices ACLs filter traffic as it passes through a router or switch and permit or deny packets crossing specified interfaces or VLANs ...

Page 672: ...cations of ACLs to filter traffic Port ACLs access control traffic entering a Layer 2 interface The switch does not support port ACLs in the outbound direction You can apply only one IP access list and one MAC access list to a Layer 2 interface For more information see the Port ACLs section on page 32 3 Router ACLs access control routed traffic between VLANs and are applied to Layer 3 interfaces i...

Page 673: ...witch does not recognize the protocol inside the IEEE 802 1Q header This restriction applies to router ACLs port ACLs and VLAN maps For more information about IEEE 802 1Q tunneling see Chapter 17 Configuring IEEE 802 1Q Tunneling and Chapter 17 Configuring Layer 2 Protocol Tunneling Port ACLs Port ACLs are ACLs that are applied to Layer 2 interfaces on a switch Port ACLs are supported only on phys...

Page 674: ...ace and you apply a new IP access list or MAC access list to the interface the new ACL replaces the previously configured one Router ACLs You can apply router ACLs on switch virtual interfaces SVIs which are Layer 3 interfaces to VLANs on physical Layer 3 interfaces and on Layer 3 EtherChannel interfaces You apply router ACLs on interfaces for specific directions inbound or outbound You can apply ...

Page 675: ... VLAN maps IP traffic is not access controlled by MAC VLAN maps You can enforce VLAN maps only on packets going through the switch you cannot enforce VLAN maps on traffic between hosts on a hub or on another switch connected to this switch With VLAN maps forwarding of packets is permitted or denied based on the action specified in the map Figure 32 2 shows how a VLAN map is applied to prevent a sp...

Page 676: ...aining fragments in the packet do not match the second ACE because they are missing Layer 4 information Instead they match the third ACE a permit Because the first fragment was denied host 10 1 1 2 cannot reassemble a complete packet so packet B is effectively denied However the later fragments that are permitted will consume bandwidth on the network and resources of host 10 1 1 2 as it tries to r...

Page 677: ...switch does not support these Cisco IOS router ACL related features Non IP protocol ACLs see Table 32 1 on page 32 8 or bridge group ACLs IP accounting Inbound and outbound rate limiting except with QoS ACLs Reflexive ACLs or dynamic ACLs except for some specialized dynamic ACLs used by the switch clustering feature ACL logging for port ACLs and VLAN maps These are the steps to use IP ACLs on the ...

Page 678: ...19 Access List Numbers The number you use to denote your ACL shows the type of access list that you are creating Table 32 1 lists the access list number and corresponding access list type and shows whether or not they are supported in the switch The switch supports IPv4 standard and extended access lists numbers 1 to 199 and 1300 to 2699 Table 32 1 Access List Numbers Access List Number Type Suppo...

Page 679: ...the ACL causes an informational logging message about the packet to be sent to the console The level of messages logged to the console is controlled by the logging console commands controlling the syslog messages Note Because routing is done in hardware and logging is done in software if a large number of packets match a permit or deny ACE containing a log keyword the software might not be able to...

Page 680: ...d IP access list 2 10 deny 171 69 198 102 20 permit any Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny permit source source wildcard log Define a standard IPv4 access list by using a source address and wildcard The access list number is a decimal number from 1 to 99 or 1300 to 1999 Enter deny or permit to specify whether to deny...

Page 681: ...e list You cannot reorder the list or selectively add or remove ACEs from a numbered list Some protocols also have specific parameters and keywords that apply to that protocol These IP protocols are supported protocol keywords are in parentheses in bold Authentication Header Protocol ahp Enhanced Interior Gateway Routing Protocol eigrp Encapsulation Security Payload esp generic routing encapsulati...

Page 682: ...eters for TCP UDP ICMP and IGMP see steps 2b through 2e The source is the number of the network or host from which the packet is sent The source wildcard applies wildcard bits to the source The destination is the network or host number to which the packet is sent The destination wildcard applies wildcard bits to the destination Source source wildcard destination and destination wildcard can be spe...

Page 683: ... Protocol The parameters are the same as those described in Step 2a with these exceptions Optional Enter an operator and port to compare source if positioned after source source wildcard or destination if positioned after destination destination wildcard port Possible operators include eq equal gt greater than lt less than neq not equal and range inclusive range Operators require a port number ran...

Page 684: ...ce precedence tos tos fragments log log input time range time range name dscp dscp Optional Define an extended ICMP access list and the access conditions Enter icmp for Internet Control Message Protocol The ICMP parameters are the same as those described for most IP protocols in Step 2a with the addition of the ICMP message type and code parameters These optional keywords have these meanings icmp ...

Page 685: ...amed ACLs to configure more IPv4 access lists in a router than if you were to use numbered access lists If you identify your access list with a name rather than a number the mode and command syntax are slightly different However not all commands that use IP access lists accept a named access list Note The name you give to a standard or extended ACL can also be a number in the supported range of ac...

Page 686: ...leged EXEC mode Step 5 show access lists number name Show the access list configuration Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip access list extended name Define an extended IPv4 access list using a name and enter access list configuration mode T...

Page 687: ...erenced in the named and numbered extended ACL task tables in the previous sections the Creating Standard and Extended IPv4 ACLs section on page 32 7 and the Creating Named Standard and Extended ACLs section on page 32 15 These are some of the many possible benefits of using time ranges You have more control over permitting or denying a user access to resources such as an application identified by...

Page 688: ...xtended ACL that can implement time ranges This example shows how to create and verify extended access list 188 that denies TCP traffic from any source to any destination during the defined holiday times and permits all TCP traffic during work hours Switch config access list 188 deny tcp any any time range new_year_day_2006 Switch config access list 188 permit tcp any any time range workhours Swit...

Page 689: ... deny statements and some remarks after the associated statements To include a comment for IP numbered standard or extended ACLs use the access list access list number remark remark global configuration command To remove the remark use the no form of this command In this example the workstation that belongs to Jones is allowed access and the workstation that belongs to Smith is not allowed access ...

Page 690: ... or web traffic You do not have to enable routing to apply ACLs to Layer 2 interfaces When private VLANs are configured you can apply router ACLs only on the primary VLAN SVIs The ACL is applied to both primary and secondary VLAN Layer 3 traffic Note By default the router sends Internet Control Message Protocol ICMP unreachable messages when a packet is denied by an access group These access group...

Page 691: ...t against the ACL If the ACL permits the packet the switch sends the packet If the ACL rejects the packet the switch discards the packet By default the input interface sends ICMP Unreachable messages whenever a packet is discarded regardless of whether the packet was discarded because of an ACL on the input interface or because of an ACL on the output interface ICMP Unreachables are normally limit...

Page 692: ...ed are routed in software but are bridged in hardware If ACLs cause large numbers of packets to be sent to the CPU the switch performance can be negatively affected When you enter the show ip access lists privileged EXEC command the match count displayed does not account for packets that are access controlled in hardware Use the show access lists hardware counters privileged EXEC command to obtain...

Page 693: ...ss list 6 10 permit 172 20 128 64 wildcard bits 0 0 0 31 Switch config interface gigabitethernet1 0 1 Switch config if ip access group 6 out This example uses an extended ACL to filter traffic coming from Server B into a port permitting traffic from any source address in this case Server B to only the Accounting destination addresses 172 20 128 64 to 172 20 128 95 The ACL is applied to traffic goi...

Page 694: ... you want any host on the network to be able to form TCP connections to any host on the Internet However you do not want IP hosts to be able to form TCP connections to hosts on your network except to the mail SMTP port of a dedicated mail host SMTP uses TCP port 25 on one end of the connection and a random port number on the other end The same port numbers are used throughout the life of the conne...

Page 695: ... IP ACL This example denies HTTP traffic on IP on Monday through Friday between the hours of 8 00 a m and 6 00 p m 18 00 The example allows UDP traffic only on Saturday and Sunday from noon to 8 00 p m 20 00 Switch config time range no http Switch config periodic weekdays 8 00 to 18 00 Switch config time range udp yes Switch config periodic weekend 12 00 to 20 00 Switch config ip access list exten...

Page 696: ...g ip access list standard stan1 Switch config std nacl deny 10 1 1 0 0 0 0 255 log Switch config std nacl permit any log Switch config std nacl exit Switch config interface gigabitethernet1 0 1 Switch config if ip access group stan1 in Switch config if end Switch show logging Syslog logging enabled 0 messages dropped 0 flushes 0 overruns Console logging level debugging 37 messages logged Monitor l...

Page 697: ... a400 10 1 1 61 0 0 1 packet A log message for the same sort of packet using the log keyword does not include the input interface information 00 05 47 SEC 6 IPACCESSLOGDP list inputlog permitted icmp 10 1 1 10 10 1 1 61 0 0 1 packet Creating Named MAC Extended ACLs You can filter non IPv4 traffic on a VLAN or on a Layer 2 interface by using MAC addresses and named MAC extended ACLs The procedure i...

Page 698: ...ters only IP packets and the MAC access list filters non IP packets Step 3 deny permit any host source MAC address source MAC address mask any host destination MAC address destination MAC address mask type mask lsap lsap mask aarp amber dec spanning decnet iv diagnostic dsm etype 6000 etype 8042 lat lavc sca mop console mop dump msdos mumps netbios vines echo vines ip xns idp 0 65535 cos cos In ex...

Page 699: ...ckets Remember this behavior if you use undefined ACLs for network security Configuring VLAN Maps This section describes how to configure VLAN maps which is the only way to control filtering within a VLAN VLAN maps have no direction To filter traffic in a specific direction by using a VLAN map you need to include an ACL with specific source or destination addresses If there is a match clause for t...

Page 700: ...1 Applying a VLAN Map to a VLAN page 32 34 Using VLAN Maps in Your Network page 32 34 VLAN Map Configuration Guidelines Follow these guidelines when configuring VLAN maps If there is no ACL configured to deny traffic on an interface and no VLAN map is configured all traffic is permitted Each VLAN map consists of a series of entries The order of entries in an VLAN map is important A packet that com...

Page 701: ...mand to delete a single sequence entry from within the map Use the no action access map configuration command to enforce the default action which is to forward VLAN maps do not use the specific permit or deny keywords To deny a packet by using VLAN maps create an ACL that would match the packet and set the action to drop A permit in the ACL counts as a match A deny in the ACL means no match Comman...

Page 702: ...dropped Switch config ip access list extended ip2 Switch config ext nacl permit udp any any Switch config ext nacl exit Switch config vlan access map map_1 20 Switch config access map match ip address ip2 Switch config access map action forward Example 2 In this example the VLAN map has a default action of drop for IP packets and a default action of forward for MAC packets Used with standard ACL 1...

Page 703: ...g ext macl permit any any vines ip Switch config ext nacl exit Switch config vlan access map drop mac default 10 Switch config access map match mac address good hosts Switch config access map action forward Switch config access map exit Switch config vlan access map drop mac default 20 Switch config access map match mac address good protocols Switch config access map action forward Example 4 In th...

Page 704: ...ion routing might not be enabled on the switch In this configuration the switch can still support a VLAN map and a QoS classification ACL In Figure 32 4 assume that Host X and Host Y are in different VLANs and are connected to wiring closet switches A and C Traffic from Host X to Host Y is eventually being routed by Switch B a Layer 3 switch with routing enabled Traffic from Host X to Host Y can b...

Page 705: ...fic is forwarded Switch config vlan access map map2 10 Switch config access map match ip address http Switch config access map action drop Switch config access map exit Switch config ip access list extended match_all Switch config ext nacl permit ip any any Switch config ext nacl exit Switch config vlan access map map2 20 Switch config access map match ip address match_all Switch config access map...

Page 706: ...AN map using this ACL that will drop IP packets that match SERVER1_ACL and forward IP packets that do not match the ACL Switch config vlan access map SERVER1_MAP Switch config access map match ip address SERVER1_ACL Switch config access map action drop Switch config vlan access map SERVER1_MAP 20 Switch config access map action forward Switch config access map exit Step 3 Apply the VLAN map to VLA...

Page 707: ...and a VLAN map when they are configured on the same VLAN Merging the router ACL with the VLAN map might significantly increase the number of ACEs If you must configure a router ACL and a VLAN map on the same VLAN use these guidelines for both router ACL and VLAN map configuration You can configure only one VLAN map and one router ACL in each direction input output on a VLAN interface Whenever poss...

Page 708: ... the packet might be dropped rather than forwarded ACLs and Switched Packets Figure 32 6 shows how an ACL is applied on packets that are switched within a VLAN Packets switched within the VLAN without being routed or forwarded by fallback bridging are only subject to the VLAN map of the input VLAN Figure 32 6 Applying ACLs on Switched Packets ACLs and Bridged Packets Figure 32 7 shows how an ACL i...

Page 709: ...d on routed packets For routed packets the ACLs are applied in this order 1 VLAN map for input VLAN 2 Input router ACL 3 Output router ACL 4 VLAN map for output VLAN Figure 32 8 Applying ACLs on Routed Packets Frame Fallback bridge VLAN 10 Host A VLAN 10 Packet 101358 VLAN 20 Host B VLAN 20 VLAN 10 map VLAN 20 map Frame Routing function VLAN 10 Host A VLAN 10 Packet 101359 VLAN 20 Host B VLAN 20 V...

Page 710: ...cket no destination receives a copy of the packet Figure 32 9 Applying ACLs on Multicast Packets Displaying IPv4 ACL Configuration You can display the ACLs that are configured on the switch and you can display the ACLs that have been applied to interfaces and VLANs When you use the ip access group interface configuration command to apply ACLs to a Layer 2 or 3 interface you can display the access ...

Page 711: ... running config interface interface id Displays the contents of the configuration file for the switch or the specified interface including all configured MAC and IP access lists and which access groups are applied to an interface show mac access group interface interface id Displays MAC access lists applied to all Layer 2 interfaces or the specified Layer 2 interface Table 32 2 Commands for Displa...

Page 712: ...32 42 Catalyst 3750 Switch Software Configuration Guide OL 8550 02 Chapter 32 Configuring Network Security with ACLs Displaying IPv4 ACL Configuration ...

Page 713: ...S settings such as classification queueing and scheduling the same way on physical ports and SVIs When configuring QoS on a physical port you apply a nonhierarchical policy map When configuring QoS on an SVI you apply a nonhierarchical or a hierarchical policy map In the Catalyst 3750 Metro switch documentation nonhierarchical policy maps are referred to as nonhierarchical single level policy maps...

Page 714: ...eld to carry the classification class information Classification can also be carried in the Layer 2 frame These special bits in the Layer 2 frame or a Layer 3 packet are described here and shown in Figure 33 1 Prioritization bits in Layer 2 frames Layer 2 Inter Switch Link ISL frame headers have a 1 byte User field that carries an IEEE 802 1p class of service CoS value in the three least significa...

Page 715: ... provide a consistent per hop behavior you can construct an end to end QoS solution Implementing QoS in your network can be a simple or complex task and depends on the QoS features offered by your internetworking devices the traffic types and patterns in your network and the granularity of control that you need over incoming and outgoing traffic Basic QoS Model To implement QoS the switch must dis...

Page 716: ...ng evaluates the QoS label and the corresponding DSCP or CoS value to select into which of the two ingress queues to place a packet Queueing is enhanced with the weighted tail drop WTD algorithm a congestion avoidance mechanism If the threshold is exceeded the packet is dropped For more information see the Queueing and Scheduling Overview section on page 33 13 Scheduling services the queues based ...

Page 717: ...raffic Perform the classification based on a configured Layer 2 MAC access control list ACL which can examine the MAC source address the MAC destination address and other fields If no ACL is configured the packet is assigned 0 as the DSCP and CoS values which means best effort traffic Otherwise the policy map action specifies a DSCP or CoS value to assign to the incoming frame For IP traffic you h...

Page 718: ...or classification Assign DSCP identical to DSCP in packet Check if packet came with CoS label tag Use the CoS value to generate the QoS label Generate DSCP from CoS to DSCP map Use the DSCP value to generate the QoS label Yes Read next ACL Is there a match with a permit action Assign the DSCP or CoS as specified by ACL action to generate the QoS label Assign the default DSCP 0 Are there any more Q...

Page 719: ...st extended global configuration command For configuration information see the Configuring a QoS Policy section on page 33 43 Classification Based on Class Maps and Policy Maps A class map is a mechanism that you use to name a specific traffic flow or class and to isolate it from all other traffic The class map defines the criteria used to match against a specific traffic flow to further classify ...

Page 720: ...ugh the packet without modification dropping the packet or modifying marking down the assigned DSCP of the packet and allowing the packet to pass through The configurable policed DSCP map provides the packet with a new DSCP based QoS label For information on the policed DSCP map see the Mapping Tables section on page 33 12 Marked down packets use the same queues as the original QoS label to preven...

Page 721: ... time a token is added to the bucket the switch verifies that there is enough room in the bucket If there is not enough room the packet is marked as nonconforming and the specified policer action is taken dropped or marked down How quickly the bucket fills is a function of the bucket depth burst byte the rate at which the tokens are removed rate bps and the duration of the burst above the average ...

Page 722: ...level of the hierarchical policy map A hierarchical policy map has two levels The first level the VLAN level specifies the actions to be taken against a traffic flow on an SVI The second level the interface level specifies the actions to be taken against the traffic on the physical ports that belong to the SVI and are specified in the interface level policy map 86835 Yes Yes No No Pass through Dro...

Page 723: ...vidual policers and does not support aggregate policers Beginning with Cisco IOS Release 12 2 25 SED you can configure different interface level policy maps for each class defined in the VLAN level policy map See the Classifying Policing and Marking Traffic on SVIs by Using Hierarchical Policy Maps section on page 33 53 for an example of a hierarchical policy map Figure 33 5 shows the policing and...

Page 724: ...called the policed DSCP map You configure this map by using the mls qos map policed dscp global configuration command Before the traffic reaches the scheduling stage QoS stores the packet in an ingress and an egress queue according to the QoS label The QoS label is based on the DSCP or the CoS value in the packet and selects the queue through the DSCP input and output queue threshold maps or throu...

Page 725: ...l to subject it to different thresholds If the threshold is exceeded for that QoS label the space available in the destination queue is less than the size of the frame the switch drops the frame Figure 33 7 shows an example of WTD operating on a queue whose size is 1000 frames Three drop percentages are configured 40 percent 400 frames 60 percent 600 frames and 100 percent 1000 frames These percen...

Page 726: ...e guaranteed a percentage of the bandwidth and they are rate limited to that amount Shaped traffic does not use more than the allocated bandwidth even if the link is idle Shaping provides a more even flow of traffic over time and reduces the peaks and valleys of bursty traffic With shaping the absolute value of each weight is used to compute the bandwidth available for the queues In shared mode th...

Page 727: ...ueue according to the SRR weights Send packet to the stack ring Drop packet Start Yes No Table 33 1 Ingress Queue Types Queue Type1 1 The switch uses two nonconfigurable queues for traffic that is essential for proper network and stack operation Function Normal User traffic that is considered to be normal priority You can configure three different thresholds to differentiate among the flows You ca...

Page 728: ...with which to divide the ingress buffers between the two queues by using the mls qos srr queue input buffers percentage1 percentage2 global configuration command The buffer allocation together with the bandwidth allocation control how much data can be buffered and sent before packets are dropped You allocate bandwidth as a percentage by using the mls qos srr queue input bandwidth weight1 weight2 g...

Page 729: ...ort supports four egress queues one of which queue 1 can be the egress expedite queue These queues are assigned to a queue set All traffic exiting the switch flows through one of these four queues and is subjected to a threshold based on the QoS label assigned to the packet 86694 Receive packet from the stack ring Read QoS label DSCP or CoS value Determine egress queue number and threshold based o...

Page 730: ...tage of the queue s allocated memory which you specify by using the mls qos queue set output qset id buffers allocation1 allocation4 global configuration command The sum of all the allocated buffers represents the reserved pool and the remaining buffers are part of the common pool Through buffer allocation you can ensure that high priority traffic is buffered For example if the buffer space is 400...

Page 731: ...are dropped The weight ratio is the ratio of the frequency in which the SRR scheduler sends packets from each queue All four queues participate in the SRR unless the expedite queue is enabled in which case the first bandwidth weight is ignored and is not used in the ratio calculation The expedite queue is a priority queue and it is serviced until empty before the other queues are serviced You enab...

Page 732: ...QoS You can use the auto QoS feature to simplify the deployment of existing QoS features Auto QoS makes assumptions about the network design and as a result the switch can prioritize different traffic flows and appropriately use the ingress and egress queues instead of using the default QoS behavior The default is that QoS is disabled The switch then offers best effort service to each packet regar...

Page 733: ...ived in the packet When a Cisco IP Phone is absent the ingress classification is set to not trust the QoS label in the packet The switch configures ingress and egress queues on the port according to the settings in Table 33 3 and Table 33 4 Table 33 2 Traffic Types Packet Labels and Queues VoIP1 Data Traffic 1 VoIP voice over IP VoIP Control Traffic Routing Protocol Traffic STP BPDU Traffic Real T...

Page 734: ... softphone or the auto qos voip trust interface configuration command the switch automatically generates a QoS configuration based on the traffic type and ingress packet label and applies the commands listed in Table 33 5 to the port Table 33 5 Generated Auto QoS Configuration Description Automatically Generated Command The switch automatically enables standard QoS and configures the CoS to DSCP m...

Page 735: ... queue output dscp map queue 1 threshold 3 40 41 42 43 44 45 46 47 Switch config mls qos srr queue output dscp map queue 2 threshold 3 24 25 26 27 28 29 30 31 Switch config mls qos srr queue output dscp map queue 2 threshold 3 48 49 50 51 52 53 54 55 Switch config mls qos srr queue output dscp map queue 2 threshold 3 56 57 58 59 60 61 62 63 Switch config mls qos srr queue output dscp map queue 3 t...

Page 736: ...et output 2 threshold 4 42 72 100 242 Switch config mls qos queue set output 1 buffers 10 10 26 54 Switch config mls qos queue set output 2 buffers 16 6 17 61 Switch config if srr queue bandwidth shape 10 0 0 0 Switch config if srr queue bandwidth share 10 10 60 20 If you entered the auto qos voip trust command the switch automatically sets the ingress classification to trust the CoS value receive...

Page 737: ...gures the switch for VoIP with Cisco IP Phones on nonrouted and routed ports Auto QoS also configures the switch for VoIP with devices running the Cisco SoftPhone application Note When a device running Cisco SoftPhone is connected to a nonrouted or routed port the switch supports only one Cisco SoftPhone application per port If you entered the auto qos voip cisco softphone command the switch autom...

Page 738: ...st use Cisco Call Manager Version 4 or later Upgrading from a Previous Software Release In Cisco IOS Release 12 2 20 SE the implementation for auto QoS changed from the previous release The generated auto QoS configuration was changed support for the Cisco SoftPhone feature was added and support for Cisco IP Phones on routed ports was added If auto QoS is configured on the switch your switch is ru...

Page 739: ...s through mode packets are switched without any rewrites and classified as best effort without any policing This example shows how to enable auto QoS and to trust the QoS labels received in incoming packets when the switch or router connected to a port is a trusted device Switch config interface gigabitethernet2 0 1 Switch config if auto qos voip trust Step 3 auto qos voip cisco phone cisco softph...

Page 740: ...Network Figure 33 11 shows a network in which the VoIP traffic is prioritized over all other traffic Auto QoS is enabled on the switches in the wiring closets at the edge of the QoS domain 101234 Cisco router To Internet Trunk link Trunk link Cisco IP phones End stations Cisco IP phones Video server 172 20 10 16 IP IP IP IP Identify this interface as connected to a trusted switch or router Identif...

Page 741: ...n the port and specify that the port is connected to a Cisco IP Phone The QoS labels of incoming packets are trusted only when the Cisco IP Phone is detected Step 6 exit Return to global configuration mode Step 7 Repeat Steps 4 to 6 for as many ports as are connected to the Cisco IP Phone Step 8 interface interface id Specify the switch port identified as connected to a trusted switch or router an...

Page 742: ...mmands see the command reference for this release Configuring Standard QoS Before configuring standard QoS you must have a thorough understanding of these items The types of applications used and the traffic patterns on your network Traffic characteristics and needs of your network Is the traffic bursty Do you need to reserve bandwidth for voice and video streams Bandwidth requirements and speed o...

Page 743: ...tion section on page 33 31 and the Default Egress Queue Configuration section on page 33 32 Default Ingress Queue Configuration Table 33 6 shows the default ingress queue configuration when QoS is enabled Table 33 7 shows the default CoS input queue threshold map when QoS is enabled Table 33 8 shows the default DSCP input queue threshold map when QoS is enabled Table 33 6 Default Ingress Queue Con...

Page 744: ...ueue 4 Buffer allocation 25 percent 25 percent 25 percent 25 percent WTD drop threshold 1 100 percent 200 percent 100 percent 100 percent WTD drop threshold 2 100 percent 200 percent 100 percent 100 percent Reserved threshold 50 percent 50 percent 50 percent 50 percent Maximum threshold 400 percent 400 percent 400 percent 400 percent SRR shaped weights absolute 1 1 A shaped weight of zero means th...

Page 745: ... ACLs to enforce QoS IP fragments are sent as best effort IP fragments are denoted by fields in the IP header Only one ACL per class map and only one match class map configuration command per class map are supported The ACL can have multiple ACEs which match fields against the contents of the packet A trust statement in a policy map requires multiple TCAM entries per ACL line If an input service p...

Page 746: ...s The port ASIC device which controls more than one physical port supports 256 policers 255 user configurable policers plus 1 policer reserved for system internal use The maximum number of user configurable policers supported per port is 63 For example you could configure 32 policers on a Gigabit Ethernet port and 8 policers on a Fast Ethernet port or you could configure 64 policers on a Gigabit E...

Page 747: ...S Globally By default QoS is disabled on the switch Beginning in privileged EXEC mode follow these steps to enable QoS This procedure is required To disable QoS use the no mls qos global configuration command Enabling VLAN Based QoS on Physical Ports By default VLAN based QoS is disabled on all physical switch ports The switch applies QoS including class maps and policy maps only on a physical por...

Page 748: ...38 Configuring a Trusted Boundary to Ensure Port Security page 33 39 Enabling DSCP Transparency Mode page 33 40 Configuring the DSCP Trust State on a Port Bordering Another QoS Domain page 33 41 Configuring the Trust State on Ports within the QoS Domain Packets entering a QoS domain are classified at the edge of the QoS domain When the packets are classified at the edge the switch port within the ...

Page 749: ...follow these steps to configure the port to trust the classification of the traffic that it receives 101236 Trunk Trusted interface Traffic classification performed here Trusted boundary IP P1 P3 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be trusted and enter interface configuration mode Valid interfaces include physi...

Page 750: ...e keywords have these meanings cos Classifies an ingress packet by using the packet CoS value For an untagged packet the port default CoS value is used The default port CoS value is 0 dscp Classifies an ingress packet by using the packet DSCP value For a non IP packet the packet CoS value is used if the packet is tagged for an untagged packet the default port CoS is used Internally the switch maps...

Page 751: ... the trusted setting you also can use the trusted boundary feature to prevent misuse of a high priority queue if a user bypasses the telephone and connects the PC directly to the switch Without trusted boundary the CoS labels generated by the PC are trusted by the switch because of the trusted CoS setting By contrast trusted boundary uses CDP to detect the presence of a Cisco IP Phone such as the ...

Page 752: ...In Cisco IOS Release 12 2 25 SE or later the switch supports the DSCP transparency feature It affects only the DSCP field of a packet at egress By default DSCP transparency is disabled The switch modifies the DSCP field in an incoming packet and the DSCP field in the outgoing packet is based on the quality of service QoS configuration including the port trust setting policing and marking and the D...

Page 753: ...tion command the CoS and DSCP values are not changed the default QoS setting If you enter the no mls qos rewrite ip dscp global configuration command to enable DSCP transparency and then enter the mls qos trust cos dscp interface configuration command DSCP transparency is still enabled Configuring the DSCP Trust State on a Port Bordering Another QoS Domain If you are administering two separate QoS...

Page 754: ... which maps an incoming DSCP value to the same DSCP value For dscp mutation name enter the mutation map name You can create more than one map by specifying a new name For in dscp enter up to eight DSCP values separated by spaces Then enter the to keyword For out dscp enter a single DSCP value The DSCP range is 0 to 63 Step 3 interface interface id Specify the port to be trusted and enter interface...

Page 755: ... gi1 0 2 mutation Switch config if end Configuring a QoS Policy Configuring a QoS policy typically requires classifying traffic into classes configuring policies applied to those traffic classes and attaching policies to ports For background information see the Classification section on page 33 5 and the Policing and Marking section on page 33 8 For configuration guidelines see the Standard QoS Co...

Page 756: ...e Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny permit source source wildcard Create an IP standard ACL repeating the command as many times as necessary For access list number enter the access list number The range is 1 to 99 and 1300 to 1999 Use the permit keyword to permit a certain type of traffic if the conditions are matched Use the deny ...

Page 757: ...ge is 100 to 199 and 2000 to 2699 Use the permit keyword to permit a certain type of traffic if the conditions are matched Use the deny keyword to deny a certain type of traffic if conditions are matched For protocol enter the name or number of an IP protocol Use the question mark to see a list of available protocol keywords For source enter the network or host from which the packet is being sent ...

Page 758: ... type of traffic to permit or deny if the conditions are matched entering the command as many times as necessary For src MAC addr enter the MAC address of the host from which the packet is being sent You specify this by using the hexadecimal format H H H by using the any keyword as an abbreviation for source 0 0 0 source wildcard ffff ffff ffff or by using the host keyword for source 0 0 0 For mas...

Page 759: ...deny permit source source wildcard or access list access list number deny permit protocol source source wildcard destination destination wildcard or mac access list extended name permit deny host src MAC addr mask any host dst MAC addr dst MAC addr mask type mask Create an IP standard or extended ACL for IP traffic or a Layer 2 MAC ACL for non IP traffic repeating the command as many times as nece...

Page 760: ... config cmap match ip dscp 10 11 12 Switch config cmap end Switch This example shows how to create a class map called class3 which matches incoming traffic with IP precedence values of 5 6 and 7 Switch config class map class3 Switch config cmap match ip precedence 5 6 7 Switch config cmap end Switch Step 4 match access group acl index or name ip dscp dscp list ip precedence ip precedence list Defi...

Page 761: ...cp dscp1 dscp8 global configuration command the settings only affect packets on ingress interfaces that are configured to trust the IP precedence value In a policy map if you set the packet IP precedence value to a new value by using the set ip precedence new precedence policy map class configuration command the egress DSCP value is not affected by the IP precedence to DSCP map If you want the egr...

Page 762: ...atch criteria must be matched For class map name specify the name of the class map If neither the match all or match any keyword is specified the default is match all Note Because only one match command per class map is supported the match all and match any keywords function the same Step 3 policy map policy map name Create a policy map by entering the policy map name and enter policy map configur...

Page 763: ...r non IP packets that are untagged QoS derives the DSCP value by using the default port CoS value In either case the DSCP value is derived from the CoS to DSCP map For more information see the Configuring the CoS to DSCP Map section on page 33 61 Step 6 set dscp new dscp ip precedence new precedence Classify IP traffic by setting a new value in the packet For dscp new dscp enter a new DSCP value t...

Page 764: ...g pmap c police 1000000 8000 exceed action policed dscp transmit Switch config pmap c exit Switch config pmap exit Switch config interface gigabitethernet2 0 1 Switch config if service policy input flow1t This example shows how to create a Layer 2 MAC ACL with two permit statements and attach it to an ingress port The first permit statement allows traffic from the host with MAC address 0001 0000 0...

Page 765: ...re configuring a hierarchical policy map you must enable VLAN based QoS on the physical ports that are to be specified at the interface level of the policy map You can attach only one policy map per ingress port or SVI A policy map can contain multiple class statements each with different match criteria and actions A separate policy map class can exist for each type of traffic received on the SVI ...

Page 766: ...ack master When a stack member is added the stack master re enables and reconfigures these features on all applicable ports on the stack member When you merge switch stacks the new stack master re enables and reconfigures these features on the switches in the new stack When the switch stack divides into two or more switch stacks the stack master in each switch stack re enables and reconfigures the...

Page 767: ...erform a logical AND of all matching statements under this class map All match criteria in the class map must be matched Optional Use the match any keyword to perform a logical OR of all matching statements under this class map One or more match criteria must be matched For class map name specify the name of the class map If neither the match all or match any keyword is specified the default is ma...

Page 768: ...tional Specify the action to take when the rates are exceeded Use the exceed action drop keywords to drop the packet Use the exceed action policed dscp transmit keywords to mark down the DSCP value by using the policed DSCP map and to send the packet For more information see the Configuring the Policed DSCP Map section on page 33 63 Step 13 exit Return to policy map configuration mode Step 14 exit...

Page 769: ...precedence to DSCP map For non IP packets that are tagged QoS derives the DSCP value by using the received CoS value for non IP packets that are untagged QoS derives the DSCP value by using the default port CoS value In either case the DSCP value is derived from the CoS to DSCP map For more information see the Configuring the CoS to DSCP Map section on page 33 61 Step 18 set dscp new dscp ip prece...

Page 770: ...ch access 101 Switch config cmap exit Switch config exit Switch Switch This example shows how to attach the new map to an SVI Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config class map cm interface 1 Switch config cmap match input g3 0 1 g3 0 2 Switch config cmap exit Switch config policy map port plcmap Switch config pmap class map cm interface 1 S...

Page 771: ...ysical ports Note The 10 Gigabit interfaces do not support policing by using an aggregate policer Beginning in privileged EXEC mode follow these steps to create an aggregate policer Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos aggregate policer aggregate policer name rate bps burst byte exceed action drop policed dscp transmit Define the policer paramete...

Page 772: ...ch config cmap exit Switch config class map ipclass2 Step 3 class map match all match any class map name Create a class map to classify traffic as necessary For more information see the Classifying Traffic by Using Class Maps section on page 33 47 Step 4 policy map policy map name Create a policy map by entering the policy map name and enter policy map configuration mode For more information see t...

Page 773: ...information Configuring the CoS to DSCP Map page 33 61 optional Configuring the IP Precedence to DSCP Map page 33 62 optional Configuring the Policed DSCP Map page 33 63 optional unless the null settings in the map are not appropriate Configuring the DSCP to CoS Map page 33 64 optional Configuring the DSCP to DSCP Mutation Map page 33 65 optional unless the null settings in the map are not appropr...

Page 774: ...P precedence values in incoming packets to a DSCP value that QoS uses internally to represent the priority of the traffic Table 33 13 shows the default IP precedence to DSCP map If these values are not appropriate for your network you need to modify them Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos map cos dscp dscp1 dscp8 Modify the CoS to DSCP map For ...

Page 775: ...se steps to modify the policed DSCP map This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos map ip prec dscp dscp1 dscp8 Modify the IP precedence to DSCP map For dscp1 dscp8 enter eight DSCP values that correspond to the IP precedence values 0 to 7 Separate each DSCP value with a space The DSCP range is 0 to 63 Step 3 end Return to pr...

Page 776: ...00 00 00 00 00 00 00 00 58 59 6 60 61 62 63 Note In this policed DSCP map the marked down DSCP values are shown in the body of the matrix The d1 column specifies the most significant digit of the original DSCP the d2 row specifies the least significant digit of the original DSCP The intersection of the d1 and d2 values provides the marked down value For example an original DSCP value of 53 corresp...

Page 777: ... DSCP value of 08 corresponds to a CoS value of 0 Configuring the DSCP to DSCP Mutation Map If two QoS domains have different DSCP definitions use the DSCP to DSCP mutation map to translate one set of DSCP values to match the definition of another domain You apply the DSCP to DSCP mutation map to the receiving port ingress mutation at the boundary of a QoS administrative domain With ingress mutati...

Page 778: ... 00 00 00 10 10 1 10 10 10 10 14 15 16 17 18 19 2 20 20 20 23 24 25 26 27 28 29 3 30 30 30 30 30 35 36 37 38 39 4 40 41 42 43 44 45 46 47 48 49 5 50 51 52 53 54 55 56 57 58 59 6 60 61 62 63 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos map dscp mutation dscp mutation name in dscp to out dscp Modify the DSCP to DSCP mutation map For dscp mutation name ente...

Page 779: ... perform all of the tasks in the next sections You will need to make decisions about these characteristics Which packets are assigned by DSCP or CoS value to each queue What drop percentage thresholds apply to each queue and which CoS or DSCP values map to each threshold How much of the available buffer space is allocated between the queues How much of the available bandwidth is allocated between ...

Page 780: ...eue 1 and threshold 1 CoS value 5 is mapped to queue 2 and threshold 1 For queue id the range is 1 to 2 For threshold id the range is 1 to 3 The drop threshold percentage for threshold 3 is predefined It is set to the queue full state For dscp1 dscp8 enter up to eight values and separate each value with a space The range is 0 to 63 For cos1 cos8 enter up to eight values and separate each value wit...

Page 781: ...t setting use the no mls qos srr queue input buffers global configuration command This example shows how to allocate 60 percent of the buffer space to ingress queue 1 and 40 percent of the buffer space to ingress queue 2 Switch config mls qos srr queue input buffers 60 40 Allocating Bandwidth Between the Ingress Queues You need to specify how much of the available bandwidth is allocated between th...

Page 782: ...os srr queue input priority queue queue id bandwidth weight global configuration command Then SRR shares the remaining bandwidth with both ingress queues and services them as specified by the weights configured with the mls qos srr queue input bandwidth weight1 weight2 global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos srr queue in...

Page 783: ...s in the next sections You will need to make decisions about these characteristics Which packets are mapped by DSCP or CoS value to each queue and threshold ID What drop percentage thresholds apply to the queue set four egress queues per port and how much reserved and maximum memory is needed for the traffic type How much of the fixed buffer space is allocated to the queue set Does the bandwidth o...

Page 784: ...led and the SRR shaped and shared weights are configured the shaped mode overrides the shared mode for queue 1 and SRR services this queue in shaped mode If the egress expedite queue is disabled and the SRR shaped weights are not configured SRR services this queue in shared mode Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue Set You can guarantee the availability of buff...

Page 785: ...WTD thresholds guarantee the availability of buffers and configure the maximum memory allocation for the queue set four egress queues per port By default the WTD thresholds for queues 1 3 and 4 are set to 100 percent The thresholds for queue 2 are set to 200 percent The reserved thresholds for queues 1 2 3 and 4 are set to 50 percent The maximum thresholds for all queues are set to 400 percent For...

Page 786: ...mum memory that this queue can have before packets are dropped Switch config mls qos queue set output 2 buffers 40 20 20 20 Switch config mls qos queue set output 2 threshold 2 40 60 100 200 Switch config interface gigabitethernet1 0 1 Switch config if queue set 2 Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID You can prioritize traffic by placing packets with particular DSCPs...

Page 787: ... threshold 1 DSCP values 40 47 are mapped to queue 1 and threshold 1 By default CoS values 0 and 1 are mapped to queue 2 and threshold 1 CoS values 2 and 3 are mapped to queue 3 and threshold 1 CoS values 4 6 and 7 are mapped to queue 4 and threshold 1 CoS value 5 is mapped to queue 1 and threshold 1 For queue id the range is 1 to 4 For threshold id the range is 1 to 3 The drop threshold percentag...

Page 788: ...nfiguration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port of the outbound traffic and enter interface configuration mode Step 3 srr queue bandwidth shape weight1 weight2 weight3 weight4 Assign SRR weights to the egress queues By default weight1 is set to 25 weight2 weight3 and weight4 are set to 0 and these queues a...

Page 789: ...ed to a port This procedure is optional To return to the default setting use the no srr queue bandwidth share interface configuration command This example shows how to configure the weight ratio of the SRR scheduler running on an egress port Four queues are used and the bandwidth ratio allocated for each queue in shared mode is 1 1 2 3 4 2 1 2 3 4 3 1 2 3 4 and 4 1 2 3 4 which is 10 percent 20 per...

Page 790: ...ce Note You cannot configure SSR shaped weights on the 10 Gigabit interfaces You can limit the bandwidth on an egress port For example if a customer pays only for a small percentage of a high speed link you can limit the bandwidth to that amount Note The egress queue default settings are suitable for most situations You should change them only when you have a thorough understanding of the egress q...

Page 791: ...configuration mode Step 3 srr queue bandwidth limit weight1 Specify the percentage of the port speed to which the port should be limited The range is 10 to 90 By default the port is not rate limited and is set to 100 percent Step 4 end Return to privileged EXEC mode Step 5 show mls qos interface interface id queueing Verify your entries Step 6 copy running config startup config Optional Save your ...

Page 792: ...ame class class map name Display QoS policy maps which define classification criteria for incoming traffic Note Do not use the show policy map interface privileged EXEC command to display classification information for incoming traffic The control plane and interface keywords are not supported and the statistics shown in the display should be ignored show running config include rewrite Display the...

Page 793: ...n the channel without intervention This chapter also describes how to configure link state tracking Unless otherwise noted the term switch refers to a standalone switch and to a switch stack Note For complete syntax and usage information for the commands used in this chapter see the command reference for this release This chapter consists of these sections Understanding EtherChannels page 34 1 Con...

Page 794: ...ration command For more information see the Chapter 11 Configuring Interface Characteristics You can configure an EtherChannel in one of these modes Port Aggregation Protocol PAgP Link Aggregation Control Protocol LACP or On Configure both ends of the EtherChannel in the same mode When you configure one end of an EtherChannel in either PAgP or LACP mode the system negotiates with the other end of ...

Page 795: ...hin an EtherChannel fails traffic previously carried over that failed link moves to the remaining links within the EtherChannel If traps are enabled on the switch a trap is sent for a failure that identifies the switch the EtherChannel and the failed link Inbound broadcast and multicast packets on one link in an EtherChannel are blocked from returning on any other link of the EtherChannel Figure 3...

Page 796: ... the same as the port channel number or you can use a new number If you use a new number the channel group command dynamically creates a new port channel With Layer 3 ports you should manually create the logical interface by using the interface port channel global configuration command followed by the no switchport interface configuration command Then you manually assign an interface to the EtherC...

Page 797: ...co switches and on those switches licensed by vendors to support PAgP PAgP facilitates the automatic creation of EtherChannels by exchanging PAgP packets between Ethernet ports You can use PAgP only in single switch EtherChannel configurations PAgP cannot be enabled on cross stack EtherChannels For more information see the EtherChannel Configuration Guidelines section on page 34 12 By using PAgP t...

Page 798: ... of a silent partner is a file server or a packet analyzer that is not generating traffic In this case running PAgP on a physical port connected to a silent partner prevents that switch port from ever becoming operational However the silent setting allows PAgP to operate to attach the port to a channel group and to use the port for transmission PAgP Interaction with Other Features The Dynamic Trun...

Page 799: ...le switch port LACP Modes Table 34 2 shows the user configurable EtherChannel LACP modes for the channel group interface configuration command Both the active and passive LACP modes enable ports to negotiate with partner ports to an EtherChannel based on criteria such as port speed and for Layer 2 EtherChannels trunking state and VLAN numbers Ports can form an EtherChannel when they are in differe...

Page 800: ... by reducing part of the binary pattern formed from the addresses in the frame to a numerical value that selects one of the links in the channel EtherChannel load balancing can use MAC addresses or IP addresses source or destination addresses or both source and destination addresses The selected mode applies to all EtherChannels configured on the switch You configure the load balancing and forward...

Page 801: ...s of the incoming packet This forwarding method a combination of source IP and destination IP address based forwarding can be used if it is not clear whether source IP or destination IP address based forwarding is better suited on a particular switch In this method packets sent from the IP address A to IP address B from IP address A to IP address C and from IP address C to IP address B could all u...

Page 802: ...ly Any PAgP or LACP configuration on a winning switch stack is not affected but the PAgP or LACP configuration on the losing switch stack is lost after the stack reboots With PAgP if the stack master fails or leaves the stack a new stack master is elected A spanning tree reconvergence is not triggered unless there is a change in the EtherChannel bandwidth The new stack master synchronizes the conf...

Page 803: ...on on page 34 12 Note After you configure an EtherChannel configuration changes applied to the port channel interface apply to all the physical ports assigned to the port channel interface and configuration changes applied to the physical port affect only the port where you apply the configuration Default EtherChannel Configuration Table 34 3 shows the default EtherChannel configuration Table 34 3...

Page 804: ...VLAN Spanning tree Port Fast setting Do not configure a port to be a member of more than one EtherChannel group Do not configure an EtherChannel in both the PAgP and LACP modes EtherChannel groups running PAgP and LACP can coexist on the same switch or on different switches in the stack Individual EtherChannel groups can run either PAgP or LACP but they cannot interoperate Do not configure a Switc...

Page 805: ...ons loops and forwarding misbehaviors can occur Configuring Layer 2 EtherChannels You configure Layer 2 EtherChannels by assigning ports to a channel group with the channel group interface configuration command This command automatically creates the port channel logical interface If you enabled PAgP on a port in the auto or desirable mode you must reconfigure it for either the on mode or the LACP ...

Page 806: ...rces the port to channel without PAgP or LACP In the on mode an EtherChannel exists only when a port group in the on mode is connected to another port group in the on mode non silent Optional If your switch is connected to a partner that is PAgP capable configure the switch port for nonsilent operation when the port is in the auto or desirable mode If you do not specify non silent silent is assume...

Page 807: ...uses LACP passive mode and assigns two ports on stack member 2 and one port on stack member 3 as static access ports in VLAN 10 to channel 5 Switch configure terminal Switch config interface range gigabitethernet2 0 4 5 Switch config if range switchport mode access Switch config if range switchport access vlan 10 Switch config if range channel group 5 mode active Switch config if range exit Switch...

Page 808: ...interface and enter interface configuration mode For port channel number the range is 1 to 48 Step 3 no switchport Put the interface into Layer 3 mode Step 4 ip address ip address mask Assign an IP address and subnet mask to the EtherChannel Step 5 end Return to privileged EXEC mode Step 6 show etherchannel channel group number detail Verify your entries Step 7 copy running config startup config O...

Page 809: ...n the switch stack on Forces the port to channel without PAgP or LACP In the on mode an EtherChannel exists only when a port group in the on mode is connected to another port group in the on mode non silent Optional If your switch is connected to a partner that is PAgP capable configure the switch port for nonsilent operation when the port is in the auto or desirable mode If you do not specify non...

Page 810: ...t Switch config if channel group 7 mode active Switch config if exit Configuring EtherChannel Load Balancing This section describes how to configure EtherChannel load balancing by using source based or destination based forwarding methods For more information see the Load Balancing and Forwarding Methods section on page 34 8 Beginning in privileged EXEC mode follow these steps to configure EtherCh...

Page 811: ...le port within the group for all transmissions and use other ports for hot standby The unused ports in the group can be swapped into operation in just a few seconds if the selected single port loses hardware signal detection You can configure which port is always selected for packet transmission by changing its priority with the pagp port priority interface configuration command The higher the pri...

Page 812: ...l configuration mode Step 2 interface interface id Specify the port for transmission and enter interface configuration mode Step 3 pagp learn method physical port Select the PAgP learning method By default aggregation port learning is selected which means the switch sends packets to the source by using any of the ports in the EtherChannel With aggregate port learning it is not important on which p...

Page 813: ... port priority to affect how the software selects active and standby links For more information see the Configuring the LACP System Priority section on page 34 21 and the Configuring the LACP Port Priority section on page 34 22 Configuring the LACP System Priority You can configure the system priority for all the EtherChannels that are enabled for LACP by using the lacp system priority global conf...

Page 814: ...ve more restrictive hardware limitations all the ports that cannot be actively included in the EtherChannel are put in the hot standby state and are used only if one of the channeled ports fails Beginning in privileged EXEC mode follow these steps to configure the LACP port priority This procedure is optional To return the LACP port priority to the default value use the no lacp port priority inter...

Page 815: ...ports connected to distribution switches and network devices are referred to as upstream ports Switch A provides primary links to server 1 and server 2 through link state group 1 Port 1 is connected to server 1 and port 2 is connected to server 2 Port 3 and port 4 on switch A also provide secondary links through link state group 2 Port 5 and port 6 are connected to distribution switch 1 through li...

Page 816: ... These interfaces can be bundled together and each downstream interface can be associated with a single group consisting of multiple upstream interfaces referred to as a link state group In a link state group the link states of the downstream interfaces are dependent on the link states of the upstream interfaces If all of the upstream interfaces in a link state group are in the link down state the...

Page 817: ... Link State Tracking Configuration Guidelines page 34 26 Configuring Link State Tracking page 34 26 Displaying Link State Tracking Status page 34 27 141680 Network Layer 3 link Server 1 Server 2 Server 3 Server 4 Distribution switch 1 Distribution switch 2 Switch A Switch B Port 1 Port 5 Port 4 Port 3 Port 2 Port 2 Port 3 Port 4 Port 8 Port 7 Port 6 Port 5 Port 1 Port 6 Port 7 Port 8 Link state gr...

Page 818: ...f link state group 1 upstream Switch config if interface gigabitethernet1 0 1 Switch config if link state group 1 downstream Switch config if interface gigabitethernet1 0 3 Switch config if link state group 1 downstream Switch config if interface gigabitethernet1 0 5 Switch config if link state group 1 downstream Switch config if end Command Purpose Step 1 configure terminal Enter global configura...

Page 819: ...up This is an example of output from the show link state group 1 command Switch show link state group 1 Link State Group 1 Status Enabled Down This is an example of output from the show link state group detail command Switch show link state group detail Up Interface up Dwn Interface Down Dis Interface disabled Link State Group 1 Status Enabled Down Upstream Interfaces Gi1 0 15 Dwn Gi1 0 16 Dwn Dow...

Page 820: ...34 28 Catalyst 3750 Switch Software Configuration Guide OL 8550 02 Chapter 34 Configuring EtherChannels and Link State Tracking Configuring Link State Tracking ...

Page 821: ...ble IP Version 6 IPv6 unicast routing and configure interfaces to forward IPv6 traffic in addition to IPv4 traffic For information about configuring IPv6 on the switch see Chapter 36 Configuring IPv6 Unicast Routing For more detailed IP unicast configuration information see the Cisco IOS IP Configuration Guide Release 12 2 For complete syntax and usage information for the commands used in this cha...

Page 822: ...routing You configure one or more routers to route traffic to the appropriate destination VLAN Figure 35 1 shows a basic routing topology Switch A is in VLAN 10 and Switch B is in VLAN 20 The router has an interface in each VLAN Figure 35 1 Routing Topology Example When Host A in VLAN 10 needs to communicate with Host B in VLAN 10 it sends a packet addressed to that host Switch A forwards the pack...

Page 823: ...or protocols Distance vector protocols supported by the switch are Routing Information Protocol RIP which uses a single distance metric cost to determine the best path and Border Gateway Protocol BGP which adds a path vector mechanism The switch also supports the Open Shortest Path First OSPF link state protocol and Enhanced IGRP EIGRP which adds some link state routing features to traditional Int...

Page 824: ...ing with Cisco IOS Release 12 2 35 SE the switch stack supports NSF capable routing for OSPF and EIGRP For more information see the OSPF NSF Capability section on page 35 27 and the EIGRP NSF Capability section on page 35 38 At election the new stack master performs these functions It starts generating receiving and processing routing updates It builds routing tables generates the CEF database and...

Page 825: ...ee the Assigning IP Addresses to Network Interfaces section on page 35 7 Note A Layer 3 switch can have an IP address assigned to each routed port and SVI The number of routed ports and SVIs that you can configure is not limited by software However the interrelationship between this number and the number and volume of features being implemented might have an impact on CPU utilization because of ha...

Page 826: ...ARP Timeout 14400 seconds 4 hours IP broadcast address 255 255 255 255 all ones IP classless routing Enabled IP default gateway Disabled IP directed broadcast Disabled all IP directed broadcasts are dropped IP domain Domain list No domain names defined Domain lookup Enabled Domain name Enabled IP forward protocol If a helper address is defined or User Datagram Protocol UDP flooding is configured U...

Page 827: ...nes subnet 131 108 255 0 and even though it is discouraged you can enable the use of subnet zero if you need the entire subnet space for your IP address Beginning in privileged EXEC mode follow these steps to enable subnet zero Use the no ip subnet zero global configuration command to restore the default and disable the use of subnet zero Command Purpose Step 1 configure terminal Enter global conf...

Page 828: ...e 35 2 classless routing is enabled When the host sends a packet to 120 20 4 1 instead of discarding the packet the router forwards it to the best supernet route If you disable classless routing and a router receives packets destined for a subnet of a network with no network default route the router discards the packet Figure 35 2 IP Classless Routing In Figure 35 3 the router in network 128 20 0 ...

Page 829: ...ution The switch can use these forms of address resolution Address Resolution Protocol ARP is used to associate IP address with MAC addresses Taking an IP address as input ARP learns the associated MAC address and then stores the IP address MAC address association in an ARP cache for rapid retrieval Then the IP datagram is encapsulated in a link layer frame and sent over the network Encapsulation ...

Page 830: ... in privileged EXEC mode follow these steps to provide static mapping between IP addresses and MAC addresses Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 arp ip address hardware address type Globally associate an IP address with a MAC hardware address in the ARP cache and specify encapsulation type as one of these arpa ARP encapsulation for Ethernet interfaces s...

Page 831: ...been disabled To disable proxy ARP on the interface use the no ip proxy arp interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify the Layer 3 interface to configure Step 3 arp arpa snap Specify the ARP encapsulation method arpa Address Resolution Protocol snap Subnetwork...

Page 832: ...s as long as other routers support it Default Gateway Another method for locating routes is to define a default router or default gateway All nonlocal packets are sent to this router which either routes them appropriately or sends an IP Control Message Protocol ICMP redirect message back defining which local router the host should use The switch caches the redirect messages and forwards each packe...

Page 833: ...l configuration mode Step 2 interface interface id Enter interface configuration mode and specify the Layer 3 interface to configure Step 3 ip irdp Enable IRDP processing on the interface Step 4 ip irdp multicast Optional Send IRDP advertisements to the multicast address 224 0 0 1 instead of IP broadcasts Note This command allows for compatibility with Sun Microsystems Solaris which requires IRDP ...

Page 834: ...et the address to be used as the broadcast address Many implementations including the one in the switch support several addressing schemes for forwarding broadcast messages Perform the tasks in these sections to enable these schemes Enabling Directed Broadcast to Physical Broadcast Translation page 35 14 Forwarding UDP Broadcast Packets and Protocols page 35 15 Establishing an IP Broadcast Address...

Page 835: ...defined for an interface The description for the ip forward protocol interface configuration command in the Cisco IOS IP Command Reference Volume 1 of 3 Addressing and Services Release 12 2 lists the ports that are forwarded by default if you do not specify any UDP ports If you do not specify any UDP ports when you configure the forwarding of UDP broadcasts you are configuring the router to act as...

Page 836: ...tep 2 interface interface id Enter interface configuration mode and specify the Layer 3 interface to configure Step 3 ip helper address address Enable forwarding and specify the destination address for forwarding UDP broadcast packets including BOOTP Step 4 exit Return to global configuration mode Step 5 ip forward protocol udp port nd sdns Specify which protocols the router forwards when forwardi...

Page 837: ...ied with the ip broadcast address interface configuration command on the output interface The destination address can be set to any address Thus the destination address might change as the datagram propagates through the network The source address is never changed The TTL value is decremented When a flooded UDP datagram is sent out an interface and the destination address possibly changed the data...

Page 838: ...config Verify your entry Step 5 copy running config startup config Optional Save your entry in the configuration file Table 35 2 Commands to Clear Caches Tables and Databases Command Purpose clear arp cache Clear the IP ARP cache and the fast switching cache clear host name Remove one or all entries from the hostname and the address cache clear ip route network mask Remove one or more routes from ...

Page 839: ...The Routing Information Protocol RIP is an interior gateway protocol IGP created for use in small homogeneous networks It is a distance vector routing protocol that uses broadcast User Datagram Protocol UDP data packets to exchange routing information The protocol is documented in RFC 1058 You can find detailed information about RIP in IP Routing Fundamentals published by Cisco Press Note RIP is t...

Page 840: ...ertises the default network if a default was learned by RIP or if the router has a gateway of last resort and RIP is configured with a default metric RIP sends updates to the interfaces in specified networks If an interface s network is not specified it is not advertised in any RIP update These sections contain this configuration information Default RIP Configuration page 35 20 Configuring Basic R...

Page 841: ...ting process You can specify multiple network commands RIP routing updates are sent and received through interfaces only on these networks Step 5 neighbor ip address Optional Define a neighboring router with which to exchange routing information This step allows routing updates from RIP normally a broadcast protocol to reach nonbroadcast networks Step 6 offset list access list number name in out o...

Page 842: ...ou can also use the interface commands ip rip send receive version 1 2 1 2 to control what versions are used for sending and receiving on interfaces Step 9 no auto summary Optional Disable automatic summarization By default the switch summarizes subprefixes when crossing classful network boundaries Disable summarization RIP Version 2 only to advertise subnet and host routing information to classfu...

Page 843: ... If split horizon is enabled neither autosummary nor interface IP summary addresses are advertised Beginning in privileged EXEC mode follow these steps to set an interface to advertise a summarized local IP address and to disable split horizon on the interface Step 3 ip rip authentication key chain name of chain Enable RIP authentication Step 4 ip rip authentication mode text md5 Configure the int...

Page 844: ...2 2 2 peer group mygroup Switch config router end Configuring Split Horizon Routers connected to broadcast type IP networks and using distance vector routing protocols normally use the split horizon mechanism to reduce the possibility of routing loops Split horizon blocks information about routes from being advertised by a router on any interface from which that information originated This feature...

Page 845: ...d into another IP routing protocol At the intradomain level this means that OSPF can import routes learned through EIGRP and RIP OSPF routes can also be exported into RIP Plain text and MD5 authentication among neighboring routers within an area is supported Configurable routing interface parameters include interface output cost retransmission interval interface transmit delay router priority rout...

Page 846: ...ed the default metric setting is 10 and the external route type default is Type 2 Default metric Built in automatic metric translation as appropriate for each routing protocol Distance OSPF dist1 all routes within an area 110 dist2 all routes from one area to another 110 and dist3 routes from other routing domains 110 OSPF database filter Disabled All outgoing link state advertisements LSAs are fl...

Page 847: ... IOS Release 12 2 35 SE the IP services image supports OSPF NSF capable routing for IPv4 for better convergence and lower traffic loss following a stack master change When a stack master change occurs in an OSPF NSF capable stack the new stack master must do two things to resynchronize its link state database with its OSFP neighbors Release the available OSPF neighbors on the network without reset...

Page 848: ...s enabled For more information about NSF see the Cisco Nonstop Forwarding Feature Overview at this URL http www cisco com en US products sw iosswrel ps1829 products_feature_guide09186a00800ab7fc html Note NSF is not supported on interfaces configured for Hot Standby Router Protocol HSRP Configuring Basic OSPF Parameters Enabling OSPF requires that you create an OSPF routing process specify the ran...

Page 849: ...of seconds between link state advertisement transmissions The range is 1 to 65535 seconds The default is 5 seconds Step 5 ip ospf transmit delay seconds Optional Set the estimated number of seconds to wait before sending a link state update packet The range is 1 to 65535 seconds The default is 1 second Step 6 ip ospf priority number Optional Set priority to help find the OSPF designated router for...

Page 850: ... area router configuration commands are all optional Beginning in privileged EXEC mode follow these steps to configure area parameters Step 11 ip ospf database filter all out Optional Block flooding of OSPF LSA packets to the interface By default OSPF floods new LSAs over all interfaces in the same area except the interface on which the LSA arrives Step 12 end Return to privileged EXEC mode Step 1...

Page 851: ...nomous system boundary router ASBR You can force the ASBR to generate a default route into the OSPF routing domain Domain Name Server DNS names for use in all OSPF show privileged EXEC command displays makes it easier to identify a router than displaying it by router ID or neighbor ID Step 5 area area id stub no summary Optional Define an area as a stub area The no summary keyword prevents an ABR ...

Page 852: ...the hold time between two SPF calculations Log neighbor changes You can configure the router to send a syslog message when an OSPF neighbor state changes providing a high level view of changes in the router Beginning in privileged EXEC mode follow these steps to configure these OSPF parameters Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router ospf process id E...

Page 853: ...outing information out its interfaces If a loopback interface is configured with an IP address OSPF uses this IP address as Step 10 timers throttle spf spf delay spf holdtime spf wait Optional Configure route calculation timers spf delay Delay between receiving a change to SPF calculation The range is from 1 to 600000 miliseconds spf holdtime Delay between first and second SPF calculation The rang...

Page 854: ...k interface and enter interface configuration mode Step 3 ip address address mask Assign an IP address to this interface Step 4 end Return to privileged EXEC mode Step 5 show ip interface Verify your entries Step 6 copy running config startup config Optional Save your entries in the configuration file Table 35 6 Show IP OSPF Statistics Commands Command Purpose show ip ospf process id Display gener...

Page 855: ...overy and recovery is the process that routers use to dynamically learn of other routers on their directly attached networks Routers must also discover when their neighbors become unreachable or inoperative Neighbor discovery and recovery is achieved with low overhead by periodically sending small hello packets As long as hello packets are received the Cisco IOS software can learn that a neighbor ...

Page 856: ...is configuration information Default EIGRP Configuration page 35 36 Configuring Basic EIGRP Parameters page 35 39 Configuring EIGRP Interfaces page 35 40 Configuring EIGRP Route Authentication page 35 40 EIGRP Stub Routing page 35 41 Monitoring and Maintaining EIGRP page 35 42 Note To enable EIGRP the stack master must be running the IP services image Default EIGRP Configuration Table 35 7 shows t...

Page 857: ...ntication provided IP bandwidth percent 50 percent IP hello interval For low speed nonbroadcast multiaccess NBMA networks 60 seconds all other networks 5 seconds IP hold time For low speed NBMA networks 180 seconds all other networks 15 seconds IP split horizon Enabled IP summary address No summary aggregate addresses are predefined Metric weights tos 0 k1 and k3 1 k2 k4 and k5 0 Network None spec...

Page 858: ...quire neighbors and rebuild the topology and routing tables without interrupting the traffic directed toward the switch stack EIGRP peer routers maintain the routes learned from the new stack master and continue forwarding traffic through the NSF restart process To prevent an adjacency reset by the neighbors the new stack master uses a new Restart RS bit in the EIGRP packet header to show the rest...

Page 859: ...nal Enable logging of EIGRP neighbor changes to monitor routing system stability Step 6 metric weights tos k1 k2 k3 k4 k5 Optional Adjust the EIGRP metric Although the defaults have been carefully set to provide excellent operation in most networks you can adjust them Caution Setting metrics is complex and is not recommended without guidance from an experienced network designer Step 7 offset list ...

Page 860: ... 50 percent Step 4 ip summary address eigrp autonomous system number address mask Optional Configure a summary aggregate address for a specified interface not usually necessary if auto summary is enabled Step 5 ip hello interval eigrp autonomous system number seconds Optional Change the hello time interval for an EIGRP routing process The range is 1 to 65535 seconds The default is 60 seconds for l...

Page 861: ...nfiguration mode Step 6 key chain name of chain Identify a key chain and enter key chain configuration mode Match the name configured in Step 4 Step 7 key number In key chain configuration mode identify the key number Step 8 key string text In key chain key configuration mode identify the key string Step 9 accept lifetime start time infinite end time duration seconds Optional Specify the time peri...

Page 862: ...stub router Switches A and C are connected to the rest of the WAN Switch B advertises connected static redistribution and summary routes to switch A and C Switch B does not advertise any routes learned from switch A and the reverse Figure 35 4 EIGRP Stub Router Configuration For more information about EIGRP stub routing see Configuring EIGRP Stub Routing part of the Cisco IOS IP Configuration Guid...

Page 863: ...ch see Appendix D Unsupported Commands in Cisco IOS Release 12 2 35 SE Routers that belong to the same autonomous system AS and that exchange BGP updates run internal BGP IBGP and routers that belong to different autonomous systems and that exchange BGP updates run external BGP EBGP Most configuration commands are the same for configuring EBGP and IBGP The difference is that the routing updates ar...

Page 864: ...sponse to errors or special conditions In BGP each route consists of a network number a list of autonomous systems that information has passed through the autonomous system path and a list of other path attributes The primary function of a BGP system is to exchange network reachability information including information about the list of AS paths with other BGP systems This information can be used ...

Page 865: ...s list None defined Auto summary Enabled Best path The router considers as path in choosing a route and does not compare similar routes from external BGP peers Compare router ID Disabled BGP community list Number None defined When you permit a value for the community number the list defaults to an implicit deny for everything else that has not been permitted Format Cisco default format 32 bit numb...

Page 866: ...or Advertisement interval 30 seconds for external peers 5 seconds for internal peers Change logging Enabled Conditional advertisement Disabled Default originate No default route is sent to the neighbor Description None Distribute list None defined External BGP multihop Only directly connected neighbors are allowed Filter list None used Maximum number of prefixes received No limit Next hop router a...

Page 867: ...stems whose routes are not advertised to external neighbors The private AS numbers are from 64512 to 65535 You can configure external neighbors to remove private AS numbers from the AS path by using the neighbor remove private as router configuration command Then when an update is passed to an external neighbor if the AS path includes private AS numbers these numbers are dropped If your AS will be...

Page 868: ... remote as number Add an entry to the BGP neighbor table specifying that the neighbor identified by the IP address belongs to the specified AS For EBGP neighbors are usually directly connected and the IP address is the address of the interface at the other end of the connection For IBGP the IP address can be the address of any of the router interfaces Step 6 neighbor ip address peer group name rem...

Page 869: ...nfig router neighbor 175 220 212 1 remote as 200 Switch config router neighbor 192 208 10 1 remote as 300 Router D Switch config router bgp 300 Switch config router neighbor 192 208 10 2 remote as 200 To verify that BGP peers are running use the show ip bgp neighbors privileged EXEC command This is the output of this command on Router A Switch show ip bgp neighbors BGP neighbor is 129 213 1 1 remo...

Page 870: ...ersion or timer or make a similar configuration change you must reset the BGP sessions so that the configuration changes take effect There are two types of reset hard reset and soft reset Cisco IOS Releases 12 1 and later support a soft reset without any prior configuration To use a soft reset without preconfiguration both BGP peers must support the soft route refresh capability which is advertise...

Page 871: ...he IP address of the next hop that is going to be used to reach a destination For EBGP this is usually the IP address of the neighbor specified by the neighbor remote as router configuration command You can disable next hop processing by using route maps or the neighbor next hop self router configuration command 2 Prefer the path with the largest weight a Cisco proprietary parameter The weight att...

Page 872: ...re all true insert the route for this path into the IP routing table Both the best route and this route are external Both the best route and this route are from the same neighboring autonomous system maximum paths is enabled 11 If multipath is not enabled prefer the route with the lowest IP address value for the BGP router ID The router ID is usually the highest IP address on the router or the loo...

Page 873: ...e the switch to consider the MED in choosing a path from among those advertised by different subautonomous systems within a confederation Step 10 bgp deterministic med Optional Configure the switch to consider the MED variable when choosing among routes advertised by different peers in the same AS Step 11 bgp default local preference value Optional Change the default local preference value The ran...

Page 874: ...g requires the ip access list global configuration command Beginning in privileged EXEC mode follow these steps to apply a per neighbor route map Step 3 set ip next hop ip address ip address peer address Optional Set a route map to disable next hop processing In an inbound route map set the next hop of matching routes to be the neighbor peering address overriding third party next hops In an outbou...

Page 875: ...g access lists When there is a match the route is used Whether a prefix is permitted or denied is based upon these rules An empty prefix list permits all prefixes An implicit deny is assumed if a given prefix does not match any entries in a prefix list When multiple entries of a prefix list match a given prefix the sequence number of a prefix list entry identifies the entry with the lowest sequenc...

Page 876: ...tors can define to which communities a destination belongs By default all destinations belong to the general Internet community The community is identified by the COMMUNITIES attribute an optional transitive global attribute in the numerical range from 1 to 4294967200 These are some predefined well known communities internet Advertise this route to the Internet community All routers belong to it n...

Page 877: ... lists filter lists update source and so on Neighbors with the same update policies can be grouped into peer groups to simplify configuration and to make updating more efficient When you have configured many peers we recommend this approach Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip community list community list number permit deny community number Create a ...

Page 878: ...as number Specify a BGP neighbor If a peer group is not configured with a remote as number use this command to create peer groups containing EBGP neighbors The range is 1 to 65535 Step 6 neighbor ip address peer group name description text Optional Associate a description with a neighbor Step 7 neighbor ip address peer group name default originate route map map name Optional Allow a BGP speaker th...

Page 879: ...onal Specify that the COMMUNITIES attribute be sent to the neighbor at this IP address Step 18 neighbor ip address peer group name timers keepalive holdtime Optional Set timers for the neighbor or peer group The keepalive interval is the time within which keepalive messages are sent to peers The range is 1 to 4294967295 seconds the default is 60 The holdtime is the interval after which a peer is d...

Page 880: ...onfigure terminal Enter global configuration mode Step 2 router bgp autonomous system Enter BGP router configuration mode Step 3 aggregate address address mask Create an aggregate entry in the BGP routing table The aggregate route is advertised as coming from the AS and the atomic aggregate attribute is set to indicate that information might be missing Step 4 aggregate address address mask as set ...

Page 881: ...lector receives an advertised route it takes one of these actions depending on the neighbor A route from an external BGP speaker is advertised to all clients and nonclient peers A route from a nonclient peer is advertised to all clients A route from a client is advertised to all clients and nonclient peers Hence the clients need not be fully meshed Usually a cluster of clients have a single route ...

Page 882: ...p address peer group name route reflector client Configure the local router as a BGP route reflector and the specified neighbor as a client Step 4 bgp cluster id cluster id Optional Configure the cluster ID if the cluster has more than one route reflector Step 5 no bgp client to client reflection Optional Disable client to client route reflection By default the routes from a route reflector client...

Page 883: ...s to make it less likely that a route will be dampened Step 9 clear ip bgp dampening Optional Clear route dampening information and unsuppress the suppressed routes Step 10 copy running config startup config Optional Save your entries in the configuration file Command Purpose Table 35 11 IP BGP Clear and Show Commands Command Purpose clear ip bgp address Reset a particular BGP connection clear ip ...

Page 884: ...erlapping IP addresses On a switch running the IP base image configuring multi VRF CE and EIGRP stub routing at the same time is not allowed Note The switch does not use Multiprotocol Label Switching MPLS to support VPNs For information about MPLS VRF refer to the Cisco IOS Switching Services Configuration Guide Release 12 2 These sections contain this information Understanding Multi VRF CE page 3...

Page 885: ...to which it is directly attached eliminating the need for the PE to maintain all of the service provider VPN routes Each PE router maintains a VRF for each of its directly connected sites Multiple interfaces on a PE router can be associated with a single VRF if all of these sites participate in the same VPN Each VPN is mapped to a specified VRF After learning local VPN routes from CEs a PE router ...

Page 886: ...e routing table based on the input policy label number When a route is found the switch forwards the packet to the PE When the ingress PE receives a packet from the CE it performs a VRF lookup When a route is found the router adds a corresponding MPLS label to the packet and sends it to the MPLS network When an egress PE receives a packet from the network it strips the label and uses the label to ...

Page 887: ...e PE router there is no difference between using multi VRF CE or using multiple CEs In Figure 35 6 multiple virtual Layer 3 interfaces are connected to the multi VRF CE device The switch supports configuring VRF by using physical ports VLAN SVIs or a combination of both The SVIs can be connected through an access port or a trunk port A customer can use multiple VLANs as long as they do not overlap...

Page 888: ...ease 12 2 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip routing Enable IP routing Step 3 ip vrf vrf name Name the VRF and enter VRF configuration mode Step 4 rd route distinguisher Create a VRF table by specifying a route distinguisher Enter either an AS number and an arbitrary number xxx y or an IP address and arbitrary number A B C D y Step 5 route target ex...

Page 889: ...rf vrf name Enable OSPF routing specify a VPN forwarding table and enter router configuration mode Step 3 log adjacency changes Optional Log changes in the adjacency state This is the default state Step 4 redistribute bgp autonomous system number subnets Set the switch to redistribute information from the BGP network to the OSPF network Step 5 network network number area area id Define a network a...

Page 890: ...mple also includes commands for configuring traffic to Switch A for a Catalyst 6000 or Catalyst 6500 switch acting as a PE router Figure 35 7 Multi VRF CE Configuration Example Step 6 address family ipv4 vrf vrf name Define BGP parameters for PE to CE routing sessions and enter VRF address family mode Step 7 neighbor address remote as as number Define a BGP session between PE and CE routers Step 8...

Page 891: ...Switch config if ip vrf forwarding v12 Switch config if ip address 8 8 2 8 255 255 255 0 Switch config if exit Switch config interface gigabitethernet1 0 5 Switch config if switchport trunk encapsulation dot1q Switch config if switchport mode trunk Switch config if no ip address Switch config if exit Switch config interface fastethernet1 0 8 Switch config if switchport access vlan 208 Switch confi...

Page 892: ...1 Switch config router redistribute bgp 800 subnets Switch config router network 208 0 0 0 0 0 0 255 area 0 Switch config router exit Switch config router ospf 2 vrf vl2 Switch config router redistribute bgp 800 subnets Switch config router network 118 0 0 0 0 0 0 255 area 0 Switch config router exit Configure BGP for CE to PE routing Switch config router bgp 800 Switch config router address famil...

Page 893: ...h F belongs to VPN 2 Configure the connection to Switch A by using these commands Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config ip routing Switch config interface fastethernet1 0 1 Switch config if switchport trunk encapsulation dot1q Switch config if switchport mode trunk Switch config if no ip address Switch config if exit Switch config interfa...

Page 894: ...er af neighbor 83 0 0 8 remote as 800 Router config router af neighbor 83 0 0 8 activate Router config router af network 3 3 2 0 mask 255 255 255 0 Router config router af exit Router config router address family ipv4 vrf vl Router config router af neighbor 38 0 0 8 remote as 800 Router config router af neighbor 38 0 0 8 activate Router config router af network 3 3 1 0 mask 255 255 255 0 Router co...

Page 895: ...quently invalidated because of routing changes which can cause traffic to be process switched using the routing table instead of fast switched using the route cache CEF and dCEF use the Forwarding Information Base FIB lookup table to perform destination based switching of IP packets The two main components in dCEF are the distributed FIB and the distributed adjacency tables The FIB is similar to a...

Page 896: ...ilable bandwidth Equal cost routes are supported across switches in a stack Even though the router automatically learns about and configures equal cost routes you can control the maximum number of parallel paths supported by an IP routing protocol in its routing table Although the switch software allows a maximum of 32 equal cost routes the switch hardware will never use more than 16 paths per rou...

Page 897: ...ic route to be overridden by information from a dynamic routing protocol set the administrative distance of the static route higher than that of the dynamic protocol Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router bgp rip ospf eigrp Enter router configuration mode Step 3 maximum paths maximum Set the maximum number of parallel paths for the protocol routing ...

Page 898: ...plete routing capability you can use some routers as smart routers and give the remaining routers default routes to the smart router Smart routers have routing table information for the entire internetwork These default routes can be dynamically learned or can be configured in the individual routers Most dynamic interior routing protocols include a mechanism for causing a smart router to generate ...

Page 899: ...tocols You can also conditionally control the redistribution of routes between routing domains by defining enhanced packet filters or route maps between the two domains The match and set route map configuration commands define the condition portion of a route map The match command specifies that a criterion must be matched the set command specifies an action to be taken if the routing update meets...

Page 900: ...ist number access list name access list number access list name Match a standard access list by specifying the name or number It can be an integer from 1 to 199 Step 6 match metric metric value Match the specified route metric The metric value can be an EIGRP metric with a specified value from 0 to 4294967295 Step 7 match ip next hop access list number access list name access list number access li...

Page 901: ... metric bandwidth delay reliability loading mtu Set the metric value to give the redistributed routes for EIGRP only bandwidth Metric value or IGRP bandwidth of the route in kilobits per second in the range 0 to 4294967295 delay Route delay in tens of microseconds in the range 0 to 4294967295 reliability Likelihood of successful packet transmission expressed as a number between 0 and 255 where 255...

Page 902: ...particular end system Application Protocol You can use PBR to provide equal access and source sensitive routing routing based on interactive versus batch traffic or routing based on dedicated links For example you could transfer stock records to a corporate office on a high bandwidth high cost link for a short time while transmitting routine application data such as e mail over a low bandwidth low...

Page 903: ...ls about PBR commands and keywords see the Cisco IOS IP Command Reference Volume 2 of 3 Routing Protocols Release 12 2 For a list of PBR commands that are visible but not supported by the switch see Appendix D Unsupported Commands in Cisco IOS Release 12 2 35 SE PBR configuration is applied to the whole stack and all switches use the stack master configuration Note This software release does not s...

Page 904: ...d PBR DSCP route maps on the same switch When you configure PBR with QoS DSCP you can set QoS to be enabled by entering the mls qos global configuration command or disabled by entering the no mls qos command When QoS is enabled to ensure that the DSCP value of the traffic is unchanged you should configure DSCP trust state on the port where traffic enters the switch by entering the mls qos trust ds...

Page 905: ...ne or more standard or extended access lists Note Do not enter an ACL with a deny ACE or an ACL that permits a packet destined for a local address If you do not specify a match command the route map applies to all packets Step 4 set ip next hop ip address ip address Specify the action to take on the packets that match the criteria Set next hop to which to route the packet the next hop must be adja...

Page 906: ...or received through the specified router interface In networks with many interfaces to avoid having to manually set them as passive you can set all interfaces to be passive by default by using the passive interface default router configuration command and manually setting interfaces where adjacencies are desired Beginning in privileged EXEC mode follow these steps to configure passive interfaces S...

Page 907: ...es not apply to OSPF Beginning in privileged EXEC mode follow these steps to control the advertising or processing of routing updates Use the no distribute list in router configuration command to change or cancel a filter To cancel suppression of network advertisements in updates use the no distribute list out router configuration command Filtering Sources of Routing Information Because some routi...

Page 908: ...hain configuration command which is stored locally The combination of the key identifier and the interface associated with the message uniquely identifies the authentication algorithm and Message Digest 5 MD5 authentication key in use You can configure multiple keys with life times Only one authentication packet is sent regardless of how many valid keys exist The software examines the key numbers ...

Page 909: ...hh mm ss Month date year or hh mm ss date Month year The default is forever with the default start time and the earliest acceptable date as January 1 1993 The default end time and duration is infinite Step 6 send lifetime start time infinite end time duration seconds Optional Specify the time period during which the key can be sent The start time and end time syntax can be either hh mm ss Month da...

Page 910: ... IP Unicast Routing Monitoring and Maintaining the IP Network show ip cache Display the routing table used to switch IP traffic show route map map name Display all route maps configured or only the one specified Table 35 15 Commands to Clear IP Routes or Display Route Status Command Purpose ...

Page 911: ...enable IPv6 routing you must also configure a switch database management SDM template to a dual IPv4 and IPv6 template See the SDM Templates section on page 36 8 Unless otherwise noted the term switch refers to a standalone switch and to a switch stack Note For complete syntax and usage information for the commands used in this chapter see the Cisco IOS documentation referenced in the procedures T...

Page 912: ... These sections are included IPv6 Addresses page 36 2 Supported IPv6 Unicast Routing Features page 36 3 Unsupported IPv6 Unicast Routing Features page 36 6 Limitations page 36 7 IPv6 and Switch Stacks page 36 7 SDM Templates page 36 8 IPv6 Addresses IPv6 supports three types of addresses unicast one to one multicast one to many and anycast one to nearest Multicast addresses replace the use of broa...

Page 913: ... up to 16 equal cost routes and can forward IPv4 and IPv6 frames simultaneously at line rate 128 Bit Wide Unicast Addresses The switch supports aggregatable global unicast addresses and link local unicast addresses RFC 2373 It does not support site local unicast addresses Aggregatable global unicast addresses are IPv6 addresses from the aggregatable global unicast prefix The address structure enab...

Page 914: ...n unreachable messages to report errors during processing and other diagnostic functions In IPv6 ICMP packets are also used in the neighbor discovery protocol and path MTU discovery A value of 58 in the Next Header field of the basic IPv6 packet header identifies an IPv6 ICMP packet Neighbor Discovery The switch supports Neighbor Discovery Protocol NDP for IPv6 RFC 2461 a protocol running on top o...

Page 915: ...global IPv6 addresses without the need for manual configuration or the help of a server such as a DHCP server With IPv6 a router on the link uses router advertisement messages to advertise global prefixes and its ability to act as a default router for the link A node on the link can automatically configure global IPv6 addresses by appending its interface identifier 64 bits to the prefixes 64 bits ...

Page 916: ...Dual IPv4 and IPv6 Support on an Interface The switch uses ternary content addressable memory TCAM to store unicast routes MAC addresses access control lists ACLs and other features and provides the switch database management SDM templates to allocate memory resources depending on how the switch is used You must use the dual IPv4 and IPv6 template templates to allocate TCAM usage to both IPv4and I...

Page 917: ...d are not forwarded as corrupted packets The switch routes IPv6 to IPv4 and IPv4 to IPv6 packets in hardware but the switch cannot be an IPv6 to IPv4 or IPv4 to IPv6 tunnel endpoint Bridged IPv6 packets with hop by hop extension headers are forwarded in software In IPv4 these packets are routed in software but bridged in hardware In addition to the normal SPAN and RSPAN limitations defined in the ...

Page 918: ...ting protocols generates routing tables distributes CEFv6 routing tables to stack members that use dCEFv6 runs IPv6 host functionality and IPv6 applications Stack member must be running the advanced IP services image receives CEFv6 routing tables from the stack master programs the routes into hardware Note IPv6 packets are routed in hardware across the stack provided the packet does not have excep...

Page 919: ...dual IPv4 and IPv6 default template supports Layer 2 multicast routing QoS and ACLs for IPv4 and Layer 2 routing and ACLs for IPv6 on desktop switches all Catalyst 3750 switches except Catalyst 3750 12S Desktop dual IPv4 and IPv6 routing template supports Layer 2 multicast routing including policy based routing QoS and ACLs for IPv4 and Layer 2 routing and ACLs for IPv6 on desktop switches all Cat...

Page 920: ...36 20 Table 36 1 Approximate Feature Resources Allowed by Dual IPv4 IPv6 Templates Resource Desktop Default Desktop Routing Desktop VLAN Aggregator Default Aggregator Routing Aggregator VLAN Unicast MAC addresses 2 K 1536 8 K 2 K 2K 8 K IPv4 IGMP groups and multicast routes 1 K 1K 1 K 2 K 2K 0 Total IPv4 unicast routes 3 K 2816 0 3 K 8K 0 Directly connected IPv4 hosts 2 K 1536 0 2 K 2K 0 Indirect ...

Page 921: ...6 for the interface The configured interface automatically joins these required multicast groups for that link solicited node multicast group FF02 0 0 0 0 1 ff00 104 for each unicast address assigned to the interface this address is used in the neighbor discovery process all nodes link local multicast group FF02 1 all routers link local multicast group FF02 2 Note Before configuring IPv6 on the sw...

Page 922: ...nterface to configure The interface can be a physical interface a switch virtual interface SVI or a Layer 3 EtherChannel Step 7 no switchport Remove the interface from Layer 2 configuration mode if it is a physical interface Step 8 ipv6 address ipv6 prefix prefix length eui 64 or ipv6 address ipv6 address link local or ipv6 enable Specify a global IPv6 address with an extended universal identifier...

Page 923: ...astEthernet1 0 11 is up line protocol is up IPv6 is enabled link local address is FE80 20B 46FF FE2F D940 Global unicast address es 2001 0DB8 c18 1 20B 46FF FE2F D940 subnet is 2001 0DB8 c18 1 64 EUI Joined group address es FF02 1 FF02 2 FF02 1 FF2F D940 MTU is 1500 bytes ICMP error messages limited to one every 100 milliseconds ICMP redirects are enabled ND DAD is enabled number of DAD attempts 1...

Page 924: ...g if end Step 3 ipv6 unicast routing Enable forwarding of IPv6 data packets on the switch Step 4 interface interface id Enter interface configuration mode and specify the Layer 3 interface to configure Step 5 no switchport Remove the interface from Layer 2 configuration mode if it is a physical interface Step 6 ip address ip address mask secondary Specify a primary or secondary IPv4 address for th...

Page 925: ...ration command This example shows how to configure an IPv6 ICMP error message interval of 50 milliseconds and a bucket size of 20 tokens Switch config ipv6 icmp error interval 50 20 Configuring CEF and dCEF for IPv6 Cisco Express Forwarding CEF is a Layer 3 IP switching technology used to optimize network performance CEF implements an advanced IP look up and forwarding algorithm to deliver maximum...

Page 926: ...packet destination is used as the next hop address A directly attached static route is valid only when the specified interface is IPv6 enabled and is up Recursive static routes Only the next hop is specified and the output interface is derived from the next hop A recursive static route is valid only when the specified next hop results in a valid IPv6 output interface the route does not self recur ...

Page 927: ...d recursion is done to find the IPv6 address of the directly connected next hop The address must be in the form documented in RFC 2373 specified in hexadecimal using 16 bit values between colons interface id Specify direct static routes from point to point and broadcast interfaces With point to point interfaces there is no need to specify the IPv6 address of the next hop With broadcast interfaces ...

Page 928: ...two different neighbors but with different costs it stores only the lowest cost route in the local RIB The RIB also stores any expired routes that the RIP process is advertising to its neighbors that are running RIP If the same route is learned from a different routing protocol with a better administrative distance than IPv6 RIP the RIP route is not added to the IPv6 RIB but the route still exists...

Page 929: ...process Step 3 maximum paths number paths Optional Define the maximum number of equal cost routes that IPv6 RIP can support The range is from 1 to 64 and the default is four paths Step 4 exit Return to global configuration mode Step 5 interface interface id Enter interface configuration mode and specify the Layer 3 interface to configure Step 6 ipv6 rip name enable Enable the specified IPv6 RIP ro...

Page 930: ...interfaces are indirectly enabled by using router configuration mode In IPv6 you can configure many address prefixes on an interface All address prefixes configured on an interface are included by default you cannot select a subset of address prefixes to import Unlike OSPF Version 2 multiple instances of IPv6 can run on a link OSPF Version 2 uses the 32 bit IPv4 address configured on the interface...

Page 931: ...Set the address range status to advertise and generate a Type 3 summary link state advertisement LSA not advertise Optional Set the address range status to DoNotAdvertise The Type 3 summary LSA is suppressed and component networks remain hidden from other networks cost cost Optional Metric or cost for this summary route which is used during OSPF SPF calculation to determine the shortest paths to t...

Page 932: ...p address es FF02 1 FF02 2 FF02 1 FF2F D940 MTU is 1500 bytes ICMP error messages limited to one every 100 milliseconds ICMP redirects are enabled ND DAD is enabled number of DAD attempts 1 ND reachable time is 30000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised retransmit interval is 0 milliseconds ND router advertisements are sent every 200 seconds ND router advertise...

Page 933: ...oopback10 3FFE C000 16A 1 20B 46FF FE2F D900 128 receive output truncated This is an example of the output from the show ipv6 protocols privileged EXEC command Switch show ipv6 protocols IPv6 Routing Protocol is connected IPv6 Routing Protocol is static IPv6 Routing Protocol is rip fer Interfaces Vlan6 FastEthernet2 0 4 FastEthernet2 0 11 FastEthernet1 0 12 Redistribution None This is an example o...

Page 934: ...ext 1 ON2 OSPF NSSA ext 2 S 0 1 0 via 3FFE C000 0 7 777 C 3FFE C000 0 1 64 0 0 via Vlan1 L 3FFE C000 0 1 20B 46FF FE2F D940 128 0 0 via Vlan1 C 3FFE C000 0 7 64 0 0 via Vlan7 L 3FFE C000 0 7 20B 46FF FE2F D97F 128 0 0 via Vlan7 C 3FFE C000 111 1 64 0 0 via FastEthernet1 0 11 L 3FFE C000 111 1 20B 46FF FE2F D945 128 0 0 C 3FFE C000 168 1 64 0 0 via FastEthernet2 0 4 L 3FFE C000 168 1 20B 46FF FE2F ...

Page 935: ...oup report 0 group reduce 1 router solicit 0 router advert 0 redirects 0 neighbor solicit 0 neighbor advert Sent 10112 output 0 rate limited unreach 0 routing 0 admin 0 neighbor 0 address 0 port parameter 0 error 0 header 0 option 0 hopcount expired 0 reassembly timeout 0 too big 0 echo request 0 echo reply 0 group query 0 group report 0 group reduce 0 router solicit 9944 router advert 0 redirects...

Page 936: ...36 26 Catalyst 3750 Switch Software Configuration Guide OL 8550 02 Chapter 36 Configuring IPv6 Unicast Routing Displaying IPv6 ...

Page 937: ...r 36 Configuring IPv6 Unicast Routing Note For complete syntax and usage information for the commands used in this chapter see the command reference for this release or the Cisco IOS documentation referenced in the procedures This chapter includes these sections Understanding MLD Snooping section on page 37 1 Configuring IPv6 MLD Snooping section on page 37 5 Displaying MLD Snooping Information se...

Page 938: ... MESS which sets up IPv6 source and destination multicast address based forwarding MLD snooping can be enabled or disabled globally or per VLAN When MLD snooping is enabled a per VLAN IPv6 multicast MAC address table is constructed in software and a per VLAN IPv6 multicast address table is constructed in software and hardware The switch then performs IPv6 multicast address based bridging in hardwa...

Page 939: ...st 6500 switch When a group exists in the MLD snooping database the switch responds to a group specific query by sending an MLDv1 report When the group is unknown the group specific query is flooded to the ingress VLAN When a host wants to leave a multicast group it can send out an MLD Done message equivalent to IGMP Leave message When the switch receives an MLDv1 Done message if Immediate Leave i...

Page 940: ...ort on which the query arrived is not the last member port for the address MLD Done Messages and Immediate Leave When the Immediate Leave feature is enabled and a host sends an MLDv1 Done message equivalent to an IGMP leave message the port on which the Done message was received is immediately deleted from the group You enable Immediate Leave on VLANs and as with IGMP snooping you should only use ...

Page 941: ... response time only one received report for a group is forwarded to the multicast routers regardless of which switch the report arrives on The election of a new stack master does not affect the learning or bridging of IPv6 multicast data bridging of IPv6 multicast data does not stop during a stack master re election When a new switch is added to the stack it synchronizes the learned IPv6 multicast...

Page 942: ...rmined by the configured SDM template The maximum number of address entries allowed for the switch stack is 1000 Enabling or Disabling MLD Snooping By default IPv6 MLD snooping is globally disabled on the switch and enabled on all VLANs When MLD snooping is globally disabled it is also disabled on all VLANs When you globally enable MLD snooping the VLAN configuration overrides the global configura...

Page 943: ...st 3750 or Catalyst 3560 switch to receive queries on the VLAN For normal range VLANs 1 to 1005 it is not necessary to enable IPv6 MLD snooping on the VLAN on the Catalyst 6500 switch To disable MLD snooping on a VLAN interface use the no ipv6 mld snooping vlan vlan id global configuration command for the specified VLAN number Command Purpose Step 1 configure terminal Enter global configuration mo...

Page 944: ... queries you can also use the command line interface CLI to add a multicast router port to a VLAN To add a multicast router port add a static connection to a multicast router use the ipv6 mld snooping vlan mrouter global configuration command on the switch Note Static connections to multicast routers are supported only on switch ports Command Purpose Step 1 configure terminal Enter global configur...

Page 945: ... a VLAN use the no ipv6 mld snooping vlan vlan id immediate leave global configuration command This example shows how to enable MLD Immediate Leave on VLAN 130 Switch configure terminal Switch config ipv6 mld snooping vlan 130 immediate leave Switch config exit Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ipv6 mld snooping vlan vlan id mrouter interface interfac...

Page 946: ...e default is 2 The queries are sent 1 second apart Step 5 ipv6 mld snooping vlan vlan id last listener query count count Optional Set the last listener query count on a VLAN basis This value overrides the value configured globally The range is 1 to 7 the default is 0 When set to 0 the global count value is used Queries are sent 1 second apart Step 6 ipv6 mld snooping last listener query interval i...

Page 947: ...y one MLD report per multicast router query When message suppression is disabled multiple MLD reports could be forwarded to the multicast routers Beginning in privileged EXEC mode follow these steps to disable MLD listener message suppression To re enable MLD message suppression use the ipv6 mld snooping listener message suppression global configuration command Displaying MLD Snooping Information ...

Page 948: ...nter vlan vlan id to display information for a single VLAN The VLAN ID range is 1 to 1001 and 1006 to 4094 show ipv6 mld snooping querier vlan vlan id Display information about the IPv6 address and incoming port for the most recently received MLD query messages in the VLAN Optional Enter vlan vlan id to display information for a single VLAN The VLAN ID range is 1 to 1001 and 1006 to 4094 show ipv6...

Page 949: ...by entering the sdm prefer dual ipv4 and ipv6 default vlan desktop global configuration command For related information see these chapters For more information about SDM templates see Chapter 8 Configuring SDM Templates For information about IPv6 on the switch seeChapter 36 Configuring IPv6 Unicast Routing For information about ACLs on the switch see Chapter 32 Configuring Network Security with AC...

Page 950: ...uted IP packets received on other ports are filtered by the router ACL Other packets are not filtered When an output router ACL and input port ACL exist in an SVI packets received on the ports to which a port ACL is applied are filtered by the port ACL Outgoing routed IPv6 packets are filtered by the router ACL Other packets are not filtered Note If any port ACL IPv4 IPv6 or MAC is applied to an i...

Page 951: ...Beginning with Cisco IOS Release 12 2 35 SE switches running the IP services or IP base image support input router ACLs for IPv6 management traffic When configuring an ACL there is no restriction on keywords entered in the ACL regardless of whether or not they are supported on the platform When you apply the ACL to an interface that requires hardware forwarding physical ports or SVIs the switch ch...

Page 952: ...ther Features Configuring IPv6 ACLs has these interactions with other features or switch characteristics If an IPv6 router ACL is configured to deny a packet the packet is not routed A copy of the packet is sent to the Internet Control Message Protocol ICMP queue to generate an ICMP unreachable message for the frame If a bridged frame is to be dropped due to a port ACL the frame is not bridged You...

Page 953: ... in the range of 0 to 64 and EUI based 128 prefixes for aggregatable global unicast and link local host addresses Enter any as an abbreviation for the IPv6 prefix 0 For host source ipv6 address or destination ipv6 address enter the source or destination IPv6 host address for which to set deny or permit conditions specified in hexadecimal using 16 bit values between colons Optional For operator spe...

Page 954: ...ence value time range name Optional Define a UDP access list and the access conditions Enter udp for the User Datagram Protocol The UDP parameters are the same as those described for TCP except that the operator port port number or name must be a UDP port number or name and the established parameter is not valid for UDP Step 3d deny permit icmp source ipv6 prefix prefix length any host source ipv6...

Page 955: ...or to inbound traffic on Layer 2 interfaces If the switch stack is running the IP services or IP base image you can apply ACLs only to inbound management traffic on Layer 3 interfaces Beginning in privileged EXEC mode follow these steps to control access to an interface Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Identify a Layer 2 interf...

Page 956: ... show access lists privileged EXEC command The output shows all access lists that are configured on the switch stack Switch show access lists Extended IP access list hello 10 permit ip any any IPv6 access list ipv6 permit ipv6 any any sequence 10 This is an example of the output from the show ipv6 access lists privileged EXEC command The output shows only IPv6 access lists configured on the switch...

Page 957: ...e 1 of 3 Addressing and Services Release 12 2 This chapter consists of these sections Understanding HSRP page 39 1 Configuring HSRP page 39 4 Displaying HSRP Configurations page 39 11 Configuring Enhanced Object Tracking page 39 12 Understanding HSRP HSRP is Cisco s standard method of providing high network availability by providing first hop redundancy for IP hosts on an IEEE 802 LAN configured w...

Page 958: ...andby routers When HSRP is configured on an interface Internet Control Message Protocol ICMP redirect messages are disabled by default for the interface You can configure multiple Hot Standby groups among Catalyst 3750 switches and switch stacks that are operating in Layer 3 to make more use of the redundant routers To do so specify a group number for each Hot Standby command group you configure f...

Page 959: ...efault active router because it has the assigned highest priority and Router B is the standby router For group 2 Router B is the default active router because it has the assigned highest priority and Router A is the standby router During normal operation the two routers share the IP traffic load When either router becomes unavailable the other router becomes active and assumes the packet transfer ...

Page 960: ...tandby router might become active after the stack master fails Configuring HSRP These sections contain this configuration information Default HSRP Configuration page 39 5 HSRP Configuration Guidelines page 39 5 Enabling HSRP page 39 5 Configuring HSRP Priority page 39 6 Configuring MHSRP page 39 9 Configuring HSRP Authentication and Timers page 39 9 Enabling HSRP Support for ICMP Redirect Messages...

Page 961: ... All Layer 3 interfaces must have IP addresses assigned to them See the Configuring Layer 3 Interfaces section on page 11 25 Enabling HSRP The standby ip interface configuration command activates HSRP on the configured interface If an IP address is specified that address is used as the designated address for the Hot Standby group If no IP address is specified the address is learned through the sta...

Page 962: ...onfigure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and enter the Layer 3 interface on which you want to enable HSRP Step 3 standby group number ip ip address secondary Create or enable the HSRP group using its number and virtual IP address Optional group number The group number on the interface for which HSRP is being enabled The rang...

Page 963: ... a tracked interface goes down When the interface comes back up the priority is incremented by the same amount When multiple tracked interfaces are down and interface priority values have been configured the configured priority decrements are cumulative If tracked interfaces that were not configured with priority values fail the default decrement is 10 and it is noncumulative When routing is first...

Page 964: ... the active router Optional group number The group number to which the command applies Optional priority Enter to set or change the group priority The range is 1 to 255 the default is 100 Optional delay Set to cause the local router to postpone taking over the active role for the number of seconds shown The range is 0 to 3600 1 hour the default is 0 no delay before taking over Use the no form of t...

Page 965: ...y 1 priority 110 Switch config if standby 1 preempt Switch config if standby 2 ip 10 0 0 4 Switch config if standby 2 preempt Switch config if end Router B Configuration Switch configure terminal Switch config interface gigabitethernet1 0 1 Switch config if no switchport Switch config if ip address 10 0 0 2 255 255 255 0 Switch config if standby 1 ip 10 0 0 3 Switch config if standby 1 preempt Swi...

Page 966: ...g if no switchport Switch config if standby 1 ip Switch config if standby 1 timers 5 15 Switch config if end Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and enter the HSRP interface on which you want to set authentication Step 3 standby group number authentication string Optional authentication string En...

Page 967: ...ting in an HSRP standby routing and clustering is enabled you can use the same standby group for command switch redundancy and HSRP redundancy Use the cluster standby group HSRP group name routing redundancy global configuration command to enable the same HSRP standby group to be used for command switch and routing redundancy If you create a cluster with the same HSRP standby group name without en...

Page 968: ...ion to the interface line protocol state A client process such as HSRP can register an interest in tracking objects and request notification when the tracked object changes state Several clients can track the same object and can take different actions when the object changes state This feature increases the availability and speed of recovery of a router system and decreases outages and outage dura...

Page 969: ... protocol Optional Create a tracking list to track the line protocol state of an interface and enter tracking configuration mode The object number identifies the tracked object and can be from 1 to 500 The interface interface id is the interface being tracked Step 3 delay up seconds down seconds up seconds down seconds Optional Specify a period of time in seconds to delay communicating state chang...

Page 970: ... weight of all objects against a threshold weight for each object When you measure the tracked list by a percentage threshold you assign a percentage threshold to all objects in the tracked list The state of each object is determined by comparing the assigned percentages of each object to the list Boolean Expression Configuring a tracked list with a Boolean expression enables calculation by using ...

Page 971: ...mode Step 6 show track object number Verify that the specified objects are being tracked Step 7 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 track track number list threshold weight Configure a tracked list object and enter tracking configuration mode The trac...

Page 972: ...aring the assigned percentage of each object to the list You cannot use the Boolean NOT operator in a percentage threshold list Beginning in privileged EXEC mode follow these steps to configure a tracked list of objects by using a percentage threshold Use the no track track number global configuration command to delete the tracked list Command Purpose Step 1 configure terminal Enter global configu...

Page 973: ...t percentage Optional Create a tracking list to track the configured state and enter tracking configuration mode Note Although visible in the command line help the rtr keyword is not supported The object number range is from 1 to 500 Enter interface interface id to select an interface to track Enter line protocol to track the interface line protocol state Enter ip routing to track the interface IP...

Page 974: ...virtual IP address Optional group number The group number on the interface for which HSRP is being enabled The range is 0 to 255 the default is 0 If there is only one HSRP group you do not need to enter a group number Optional on all but one interface ip address The virtual IP address of the hot standby router interface You must enter the virtual IP address for at least one of the interfaces it ca...

Page 975: ...ver only the members of a group receive the message To use this feature the stack master must be running the IP services image formerly known as the enhanced multilayer image EMI Unless otherwise noted the term switch refers to a standalone switch and to a switch stack Note For complete syntax and usage information for the commands used in this chapter see the Cisco IOS IP Command Reference Volume...

Page 976: ...and multilayer switches connected to Layer 2 Catalyst switches to perform tasks similar to those performed by IGMP Figure 40 1 shows where these protocols operate within the IP multicast environment Figure 40 1 IP Multicast Routing Protocols According to IPv4 multicast standards the MAC destination multicast address begins with 0100 5e and is appended by the last 23 bits of the IP address On the C...

Page 977: ...ich are class D addresses The high order bits of a Class D address are 1110 Therefore host group addresses can be in the range 224 0 0 0 through 239 255 255 255 Multicast addresses in the range 224 0 0 0 to 224 0 0 255 are reserved for use by routing protocols and other network control traffic The address 224 0 0 0 is guaranteed not to be assigned to any group IGMP packets are sent using these IP ...

Page 978: ...ery and distribution mechanism that enables routers and multilayer switches to dynamically learn the group to RP mappings Sparse mode and dense mode are properties of a group as opposed to an interface We strongly recommend sparse dense mode as opposed to either sparse mode or dense mode only PIM join and prune messages have more flexible encoding for multiple address families A more flexible hell...

Page 979: ...e eliminates the need to manually configure the RP information in every router and multilayer switch in the network For Auto RP to work you configure a Cisco router or multilayer switch as the mapping agent It uses IP multicast to learn which routers or switches in the network are possible candidate RPs to receive candidate RP announcements Candidate RPs periodically send multicast RP announce mes...

Page 980: ... Path Check With unicast routing routers and multilayer switches forward traffic through the network along a single path from the source to the destination host whose IP address appears in the destination address field of the IP packet Each router and switch along the way makes a unicast forwarding decision using the destination IP address in the packet by looking up the destination address in the...

Page 981: ...ees and use RPF as previously described Understanding DVMRP DVMRP is implemented in the equipment of many vendors and is based on the public domain mrouted program This protocol has been deployed in the MBONE and in other intradomain multicast networks Cisco routers and multilayer switches run PIM and can forward multicast packets to and receive from a DVMRP neighbor It is also possible to propaga...

Page 982: ...es multicast members reside instead of flooding multicast traffic to all switch interfaces IGMP snooping is another method to constrain the flooding of multicast packets For more information see Chapter 24 Configuring IGMP Snooping and MVR CGMP is necessary because the Layer 2 switch cannot distinguish between IP multicast data packets and IGMP report messages which are both at the MAC level and a...

Page 983: ...PIMv2 devices to interoperate with Cisco PIM v1 devices Monitoring the RP Mapping Information page 40 24 optional Troubleshooting PIMv1 and PIMv2 Interoperability Problems page 40 24 optional Default Multicast Routing Configuration Table 40 2 shows the default multicast routing configuration Multicast Routing Configuration Guidelines To avoid misconfiguring multicast routing on your switch review ...

Page 984: ...lect multiple RPs Dense mode groups in a mixed PIMv1 and PIMv2 region need no special configuration they automatically interoperate Sparse mode groups in a mixed PIMv1 and PIMv2 region are possible because the Auto RP feature in PIMv1 interoperates with the PIMv2 RP feature Although all PIMv2 devices can also use PIMv1 we recommend that the RPs be upgraded to PIMv2 To ease the transition to PIMv2 ...

Page 985: ...rom downstream devices or when there is a directly connected member on the interface When forwarding from a LAN sparse mode operation occurs if there is an RP known for the group If so the packets are encapsulated and sent toward the RP When no RP is known the packet is flooded in a dense mode fashion If the multicast traffic from a specific source is sufficient the receiver s first hop router mig...

Page 986: ... ip pim version 1 2 Configure the PIM version on the interface By default Version 2 is enabled and is the recommended setting An interface in PIMv2 mode automatically downgrades to PIMv1 mode if that interface has a PIMv1 neighbor The interface returns to Version 2 mode after all Version 1 neighbors are shut down or upgraded For more information see the PIMv1 and PIMv2 Interoperability section on ...

Page 987: ...fined by an access list If there is no RP configured for a group the multilayer switch treats the group as dense and uses the dense mode PIM techniques Beginning in privileged EXEC mode follow these steps to manually configure the address of the RP This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip pim rp address ip address access list nu...

Page 988: ...nse mode and do not configure Auto RP you must manually configure an RP as described in the Manually Assigning an RP to Multicast Groups section on page 40 13 Note If routed interfaces are configured in sparse mode Auto RP can still be used if all devices are configured with a manual RP address for the Auto RP groups These sections describe how to configure Auto RP Step 3 access list access list n...

Page 989: ...eady configured on all PIM devices and the RP in the sparse mode network It was previously configured with the ip pim rp address global configuration command This step is not required for spare dense mode environments The selected RP should have good connectivity and be available across the network Use this RP for the global groups for example 224 x x x and other global groups Do not reconfigure t...

Page 990: ... access list repeating the command as many times as necessary For access list number enter the access list number specified in Step 3 The deny keyword denies access if the conditions are matched The permit keyword permits access if the conditions are matched For source enter the multicast group address range for which the RP should be used Optional For source wildcard enter the wildcard bits in do...

Page 991: ... Messages You can add configuration commands to the mapping agents to prevent a maliciously configured router from masquerading as a candidate RP and causing problems Beginning in privileged EXEC mode follow these steps to filter incoming RP announcement messages This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip pim rp announce filter rp...

Page 992: ...e mapping agent does not accept candidate RP announcements from 172 16 5 1 or 172 16 2 1 if the announcements are for any groups in the 239 0 0 0 through 239 255 255 255 range This range is the administratively scoped address range Step 3 access list access list number deny permit source source wildcard Create a standard access list repeating the command as many times as necessary For access list ...

Page 993: ...he domain borders could adversely affect the normal BSR election mechanism and elect a single BSR across all bordering domains and co mingle candidate RP advertisements resulting in the election of RPs in the wrong domain Beginning in privileged EXEC mode follow these steps to define the PIM domain border This procedure is optional To remove the PIM border use the no ip pim bsr border interface co...

Page 994: ...mmand Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny source source wildcard Create a standard access list repeating the command as many times as necessary For access list number the range is 1 to 99 The deny keyword denies access if the conditions are matched For source enter multicast addresses 224 0 1 39 and 224 0 1 40 which carry Aut...

Page 995: ...e gigabitethernet1 0 2 Switch config if ip address 172 21 24 18 255 255 255 0 Switch config if ip pim sparse dense mode Switch config if ip pim bsr candidate gigabitethernet1 0 2 30 10 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip pim bsr candidate interface id hash mask length priority Configure your switch to be a candidate BSR For interface id enter the int...

Page 996: ... command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip pim rp candidate interface id group list access list number Configure your switch to be a candidate RP For interface id specify the interface whose associated IP address is advertised as a candidate RP address Valid interfaces include physical ports port channels and VLANs Optional For group list access li...

Page 997: ... as the RP mapping agents for Auto RP For more information see the Configuring Auto RP section on page 40 14 and the Configuring Candidate BSRs section on page 40 21 For group prefixes advertised through Auto RP the PIMv2 BSR mechanism should not advertise a subrange of these group prefixes served by a different set of RPs In a mixed PIMv1 and PIMv2 domain have backup RPs serve the same group pref...

Page 998: ... pim rp hash privileged EXEC command making sure that all systems agree on the same RP for the same group 2 Verify interoperability between different versions of DRs and RPs Make sure the RPs are interacting with the DRs properly by responding with register stops and forwarding decapsulated data packets from registers Configuring Advanced PIM Features These sections describe the optional advanced ...

Page 999: ...At this point data might arrive twice at Router C once encapsulated and once natively 5 When data arrives natively unencapsulated at the RP it sends a register stop message to Router A 6 By default reception of the first data packet prompts Router C to send a join message toward the source 7 When Router C receives data on S G it sends a prune message for the source up the shared tree 8 The RP dele...

Page 1000: ...ps Beginning in privileged EXEC mode follow these steps to configure a traffic rate threshold that must be reached before multicast routing is switched from the source tree to the shortest path tree This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny permit source source wildcard Create a standard access li...

Page 1001: ...e needs to be forwarded down the shared tree In this case the DR is the device with the highest IP address Beginning in privileged EXEC mode follow these steps to modify the router query message interval This procedure is optional To return to the default setting use the no ip pim query interval seconds interface configuration command Step 4 end Return to privileged EXEC mode Step 5 show running c...

Page 1002: ...igure the switch as a member of a multicast group and discover multicast reachability in a network If all the multicast capable routers and multilayer switches that you administer are members of a multicast group pinging that group causes all these devices to respond The devices respond to ICMP echo request packets addressed to a group of which they are members Another example is the multicast tra...

Page 1003: ...ese steps to filter multicast groups allowed on an interface This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to be configured and enter interface configuration mode Step 3 ip igmp join group group address Configure the switch to join a multicast group By default no group memberships are defined...

Page 1004: ... Step 5 access list access list number deny permit source source wildcard Create a standard access list For access list number specify the access list created in Step 3 The deny keyword denies access if the conditions are matched The permit keyword permits access if the conditions are matched For source specify the multicast group that hosts on the subnet can join Optional For source wildcard ente...

Page 1005: ...r and PIM join messages toward the RP router Beginning in privileged EXEC mode follow these steps to modify the host query interval This procedure is optional To return to the default setting use the no ip igmp query interval interface configuration command Changing the IGMP Query Timeout for IGMPv2 If you are using IGMPv2 you can specify the period of time before the switch takes over as the quer...

Page 1006: ... default setting use the no ip igmp query max response time interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to be configured and enter interface configuration mode Step 3 ip igmp querier timeout seconds Specify the IGMP query timeout The default is 60 seconds twice the query interval The r...

Page 1007: ...ning in privileged EXEC mode follow these steps to configure the switch itself to be a statically connected member of a group and enable fast switching This procedure is optional To remove the switch as a member of the group use the no ip igmp static group group address interface configuration command Configuring Optional Multicast Routing Features These sections describe how to configure optional...

Page 1008: ...2 interface interface id Specify the interface that is connected to the Layer 2 Catalyst switch and enter interface configuration mode Step 3 ip cgmp proxy Enable CGMP on the interface By default CGMP is disabled on all interfaces Enabling CGMP triggers a CGMP join message Enable CGMP only on Layer 3 interfaces connected to Layer 2 Catalyst switches Optional When you enter the proxy keyword the CG...

Page 1009: ...t contact person and other information about the advertised multimedia session The information in the SAP packet is displayed in the SDR Session Announcement window Enabling sdr Listener Support By default the switch does not listen to session directory advertisements Beginning in privileged EXEC mode follow these steps to enable the switch to join the default session directory group 224 2 127 254...

Page 1010: ...er TTL thresholds are not supported by the switch You should use multicast boundaries instead of TTL thresholds to limit the forwarding of multicast traffic outside of a domain or a subdomain Figure 40 5 shows that Company XYZ has an administratively scoped boundary set for the multicast address range 239 0 0 0 8 on all routed interfaces at the perimeter of its network This boundary prevents any m...

Page 1011: ... XYZ Engineering Marketing 239 128 0 0 16 239 0 0 0 8 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny permit source source wildcard Create a standard access list repeating the command as many times as necessary For access list number the range is 1 to 99 The deny keyword denies access if the conditions are matched The permit keyw...

Page 1012: ...VMRP multicast routers on attached networks by listening to DVMR probe messages When a DVMRP neighbor has been discovered the PIM device periodically sends DVMRP report messages advertising the unicast sources reachable in the PIM domain By default directly connected subnets and networks are advertised The device forwards multicast packets that have been forwarded by DVMRP routers and in turn forw...

Page 1013: ...et is being sent Optional For source wildcard enter the wildcard bits in dotted decimal notation to be applied to the source Place ones in the bit positions that you want to ignore Recall that the access list is always terminated by an implicit deny statement for everything Step 3 interface interface id Specify the interface connected to the MBONE and enabled for multicast routing and enter interf...

Page 1014: ...5 255 Switch config access list 1 deny 0 0 0 0 255 255 255 255 Switch config access list 2 permit 0 0 0 0 255 255 255 255 Configuring a DVMRP Tunnel The software supports DVMRP tunnels to the MBONE You can configure a DVMRP tunnel on a router or multilayer switch if the other end is running DVMRP The software then sends and receives multicast packets through the tunnel This strategy enables a PIM ...

Page 1015: ...tion ip address Specify the destination address of the tunnel interface Enter the IP address of the mrouted router Step 6 tunnel mode dvmrp Configure the encapsulation mode for the tunnel to DVMRP Step 7 ip address address mask or ip unnumbered type number Assign an IP address to the interface or Configure the interface as unnumbered Step 8 ip pim dense mode sparse mode Configure the PIM mode on t...

Page 1016: ...face gigabitethernet1 0 1 Switch config if ip address 172 16 2 1 255 255 255 0 Switch config if ip pim dense mode Switch config exit Switch config access list 1 permit 198 92 37 0 0 0 0 255 Advertising Network 0 0 0 0 to DVMRP Neighbors If your switch is a neighbor of an mrouted Version 3 6 device you can configure the software to advertise network 0 0 0 0 the default route to the DVMRP neighbor T...

Page 1017: ...69 214 18 171 69 214 19 mm1 45c cisco com 1 0 pim 171 69 214 18 171 69 214 17 mm1 45a cisco com 1 0 pim Configuring Advanced DVMRP Interoperability Features Cisco routers and multilayer switches run PIM to forward multicast packets to receivers and receive multicast packets from senders It is also possible to propagate DVMRP routes into and through a PIM cloud PIM uses this information however Cis...

Page 1018: ...d multilayer switches However if there is a DVMRP capable multicast router the Cisco device can do PIM DVMRP multicast routing Beginning in privileged EXEC mode follow these steps to enable DVMRP unicast routing This procedure is optional To disable this feature use the no ip dvmrp unicast routing interface configuration command Rejecting a DVMRP Nonpruning Neighbor By default Cisco devices accept...

Page 1019: ... switch which is a neighbor to the leaf nonpruning DVMRP machine with the ip dvmrp reject non pruners interface configuration command on the interface connected to the nonpruning machine as shown in Figure 40 7 In this case when the switch receives DVMRP probe or report message without the prune capable flag set the switch logs a syslog message and discards the message 101244 Router A Router B Lay...

Page 1020: ...s optional To disable this function use the no ip dvmrp reject non pruners interface configuration command 101245 Router A Router B RP Multicast traffic gets to receiver not to leaf DVMRP device Source router or RP Leaf nonpruning DVMRP device Configure the ip dvmrp reject non pruners command on this interface Receiver Layer 3 switch Command Purpose Step 1 configure terminal Enter global configura...

Page 1021: ...ode follow these steps to change the DVMRP route limit This procedure is optional To configure no route limit use the no ip dvmrp route limit global configuration command Changing the DVMRP Route Threshold By default 10 000 DVMRP routes can be received per interface within a 1 minute interval When that rate is exceeded a syslog message is issued warning that there might be a route surge occurring ...

Page 1022: ...RP tunnel shares the same IP address as Fast Ethernet port 1 and falls into the same Class B network as the two directly connected subnets classful summarization of these routes was not performed As a result the DVMRP router is able to poison reverse only these two routes to the directly connected subnets and is able to only RPF properly for multicast traffic sent by sources on these two Ethernet ...

Page 1023: ... 0 24 m 40 176 32 10 0 24 m 1 176 32 15 0 24 m 1 DVMRP router Cisco router Tunnel Fast Ethernet 1 0 1 176 32 10 0 24 Fast Ethernet 1 0 2 176 32 15 0 24 DVMRP Report 86514 DVMRP Route Table Unicast Routing Table 10 000 Routes interface tunnel 0 ip unnumbered fastethernet1 0 1 interface fastethernet1 0 1 ip addr 176 32 10 1 255 255 255 0 ip pim dense mode interface fastethernet1 0 2 ip addr 176 32 1...

Page 1024: ...d Adding a Metric Offset to the DVMRP Route By default the switch increments by one the metric hop count of a DVMRP route advertised in incoming DVMRP reports You can change the metric if you want to favor or not favor a certain route For example a route is learned by multilayer switch A and the same route is learned by multilayer switch B with a higher metric If you want to use the path through s...

Page 1025: ...ent Change the metric added to DVMRP routes advertised in incoming reports The keywords have these meanings Optional in Specifies that the increment value is added to incoming DVMRP reports and is reported in mrinfo replies Optional out Specifies that the increment value is added to outgoing DVMRP reports for routes from the DVMRP routing table If neither in nor out is specified in is the default ...

Page 1026: ... cache entry Table 40 4 Commands for Clearing Caches Tables and Databases continued Command Purpose Table 40 5 Commands for Displaying System and Network Statistics Command Purpose ping group name group address Send an ICMP Echo Request to a multicast group address show ip dvmrp route ip address Display the entries in the DVMRP routing table show ip igmp groups group name group address type number...

Page 1027: ...tatic mroutes show ip sdr group session name detail Display the Session Directory Protocol Version 2 cache Table 40 5 Commands for Displaying System and Network Statistics continued Command Purpose Table 40 6 Commands for Monitoring IP Multicast Routing Command Purpose mrinfo hostname address source address interface Query a multicast router or multilayer switch about which neighboring multicast d...

Page 1028: ...40 54 Catalyst 3750 Switch Software Configuration Guide OL 8550 02 Chapter 40 Configuring IP Multicast Routing Monitoring and Maintaining IP Multicast Routing ...

Page 1029: ...e For complete syntax and usage information for the commands used in this chapter see the Cisco IOS IP Command Reference Volume 3 of 3 Multicast Release 12 2 This chapter consists of these sections Understanding MSDP page 41 1 Configuring MSDP page 41 4 Monitoring and Maintaining MSDP page 41 19 Understanding MSDP MSDP allows multicast sources for a group to be known to all rendezvous points RPs i...

Page 1030: ...SDP peers The SA message identifies the source the group the source is sending to and the address of the RP or the originator ID the IP address of the interface used as the RP address if configured Each MSDP peer receives and forwards the SA message away from the originating RP to achieve peer reverse path flooding RPF The MSDP device examines the BGP or MBGP routing table to discover which peer i...

Page 1031: ... never need to leave your domain PIM sparse mode domains can rely only on their own RPs decreasing reliance on RPs in another domain This increases security because you can prevent your sources from being known outside your domain Domains with only receivers can receive data without globally advertising group membership Global source multicast routing table state is not required saving memory MSDP...

Page 1032: ...eer Configure a default MSDP peer when the switch is not BGP or MBGP peering with an MSDP peer If a single MSDP peer is configured the switch always accepts all SA messages from that peer Figure 41 2 shows a network in which default MSDP peers might be used In Figure 41 2 a customer who owns Switch B is connected to the Internet through two Internet service providers ISPs one owning Router A and t...

Page 1033: ... For ip address name enter the IP address or Domain Name System DNS server name of the MSDP default peer Optional For prefix list list enter the list name that specifies the peer to be the default peer only for the listed prefixes You can have multiple active default peers when you have a prefix list associated with each When you enter multiple ip msdp default peer commands with the prefix list ke...

Page 1034: ... a SA message is received by the local RP that member needs to wait until the next SA message to hear about the source This delay is known as join latency If you want to sacrifice some memory in exchange for reducing the latency of the source information you can configure the switch to cache SA messages Step 3 ip prefix list name description string seq number permit deny network length Optional Cr...

Page 1035: ... For list access list number the range is 100 to 199 Step 3 access list access list number deny permit protocol source source wildcard destination destination wildcard Create an IP extended access list repeating the command as many times as necessary For access list number the range is 100 to 199 Enter the same number created in Step 2 The deny keyword denies access if the conditions are matched T...

Page 1036: ...es memory Beginning in privileged EXEC mode follow these steps to configure the switch to send SA request messages to the MSDP peer when a new member joins a group and wants to receive multicast traffic This procedure is optional To return to the default setting use the no ip msdp sa request ip address name global configuration command This example shows how to configure the switch to send SA requ...

Page 1037: ...re is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip msdp redistribute list access list name asn aspath access list number route map map Configure which S G entries from the multicast routing table are advertised in SA messages By default only sources within the local domain are advertised Optional For list access list name enter the name or number of ...

Page 1038: ... the conditions are matched The permit keyword permits access if the conditions are matched For protocol enter ip as the protocol name For source enter the number of the network or host from which the packet is being sent For source wildcard enter the wildcard bits in dotted decimal notation to be applied to the source Place ones in the bit positions that you want to ignore For destination enter t...

Page 1039: ...t 171 69 2 2 list 1 Switch config access list 1 permit 192 4 22 0 0 0 0 255 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip msdp filter sa request ip address name or ip msdp filter sa request ip address name list access list number Filter all SA request messages from the specified MSDP peer or Filter SA request messages from the specified MSDP peer for groups th...

Page 1040: ...eged EXEC mode follow these steps to apply a filter This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip msdp sa filter out ip address name or ip msdp sa filter out ip address name list access list number or ip msdp sa filter out ip address name route map map tag Filter all SA messages to the specified MSDP peer or To the specified peer pas...

Page 1041: ...sary For access list number enter the number specified in Step 2 The deny keyword denies access if the conditions are matched The permit keyword permits access if the conditions are matched For protocol enter ip as the protocol name For source enter the number of the network or host from which the packet is being sent For source wildcard enter the wildcard bits in dotted decimal notation to be app...

Page 1042: ...ges that its MSDP RPF peers send to it However you can control the source information that you receive from MSDP peers by filtering incoming SA messages In other words you can configure the switch to not accept them You can perform one of these actions Filter all incoming SA messages from an MSDP peer Specify an IP extended access list to pass certain source group pairs Filter based on match crite...

Page 1043: ... messages that meet the match criteria in the route map map tag If all match criteria are true a permit from the route map passes routes through the filter A deny will filter routes Step 3 access list access list number deny permit protocol source source wildcard destination destination wildcard Optional Create an IP extended access list repeating the command as many times as necessary For access ...

Page 1044: ...ss name global configuration command Shutting Down an MSDP Peer If you want to configure many MSDP commands for the same peer and you do not want the peer to become active you can shut down the peer configure it and later bring it up When a peer is shut down the TCP connection is terminated and is not restarted You can also shut down an MSDP session without losing configuration information for the...

Page 1045: ... procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip msdp shutdown peer name peer address Administratively shut down the specified MSDP peer without losing configuration information For peer name peer address enter the IP address or name of the MSDP peer to shut down Step 3 end Return to privileged EXEC mode Step 4 show running config Verify yo...

Page 1046: ...ces to be known to the outside world Because this switch is not an RP it would not have an RP address to use in an SA message Therefore this command provides the RP address by specifying the address of the interface Beginning in privileged EXEC mode follow these steps to allow an MSDP speaker that originates an SA message to use the IP address on the interface as the RP address in the SA message T...

Page 1047: ...em The ip msdp cache sa state command must be configured for this command to produce any output show ip msdp peer peer address name Displays detailed information about an MSDP peer show ip msdp sa cache group address source address group name source name autonomous system number Displays S G state learned from MSDP peers show ip msdp summary Displays MSDP peer status and SA message counts Table 41...

Page 1048: ...41 20 Catalyst 3750 Switch Software Configuration Guide OL 8550 02 Chapter 41 Configuring MSDP Monitoring and Maintaining MSDP ...

Page 1049: ...information for the commands used in this chapter see the Cisco IOS Bridging and IBM Networking Command Reference Volume 1 of 2 Release 12 2 This chapter consists of these sections Understanding Fallback Bridging page 42 1 Configuring Fallback Bridging page 42 3 Monitoring and Maintaining Fallback Bridging page 42 11 Understanding Fallback Bridging These sections describe how fallback bridging wor...

Page 1050: ...a VLAN bridge spanning tree instance when a bridge group is created The switch runs the bridge group and treats the SVIs and routed ports in the bridge group as its spanning tree ports These are the reasons for placing network interfaces into a bridge group To bridge all nonrouted traffic among the network interfaces making up the bridge group If the packet destination address is in the bridge tab...

Page 1051: ...s image fails and if the newly elected stack master is running the IP base image formerly known as the standard multilayer image SMI the switch stack loses its fallback bridging capability If stacks merge or if a switch is added to the stack any new VLANs that are part of a bridge group and become active are included in the VLAN bridge STP When a stack member fails the addresses learned from this ...

Page 1052: ...p To configure fallback bridging for a set of SVIs or routed ports these interfaces must be assigned to bridge groups All interfaces in the same group belong to the same bridge domain Each SVI or routed port can be assigned to only one bridge group Note The protected port feature is not compatible with fallback bridging When fallback bridging is enabled it is possible for packets to be forwarded f...

Page 1053: ... vlan exit Switch config interface vlan2 Switch config if bridge group 10 Switch config if exit Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 bridge bridge group protocol vlan bridge Assign a bridge group number and specify the VLAN bridge spanning tree protocol to run in the bridge group The ibm and dec keywords are not supported For bridge group specify the bri...

Page 1054: ...eferences and Recommended Reading appendix in the Cisco IOS Configuration Fundamentals Command Reference Changing the VLAN Bridge Spanning Tree Priority You can globally configure the VLAN bridge spanning tree priority of a switch when it ties with another switch for the position as the root switch You also can configure the likelihood that the switch will be selected as the root switch Beginning ...

Page 1055: ...ed with it By convention the path cost is 1000 data rate of the attached LAN in Mbps Beginning in privileged EXEC mode follow these steps to assign a path cost This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to set the priority and enter interface configuration mode Step 3 bridge group bridge g...

Page 1056: ...idual configuration might be Adjusting the Interval between Hello BPDUs Beginning in privileged EXEC mode follow these step to adjust the interval between hello BPDUs This procedure is optional Step 3 bridge group bridge group path cost cost Assign the path cost of a port For bridge group specify the bridge group number The range is 1 to 255 For cost enter a number from 0 to 65535 The higher the v...

Page 1057: ... to change the forward delay interval to 10 seconds in bridge group 10 Switch config bridge 10 forward time 10 Changing the Maximum Idle Interval If a switch does not receive BPDUs from the root switch within a specified interval it recomputes the spanning tree topology Beginning in privileged EXEC mode follow these steps to change the maximum idle interval maximum aging time This procedure is opt...

Page 1058: ... configuration command This example shows how to disable spanning tree on a port in bridge group 10 Switch config interface gigabitethernet2 0 1 Switch config if bridge group 10 spanning disabled Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 bridge bridge group max age seconds Specify the interval that the switch waits to hear BPDUs from the root switch For bridg...

Page 1059: ...mber number global configuration command Enter the show bridge bridge group interface id mac address verbose privileged EXEC command at the stack member prompt For information about the fields in these displays see the Cisco IOS Bridging and IBM Networking Command Reference Volume 1 of 2 Release 12 2 Table 42 2 Commands for Monitoring and Maintaining Fallback Bridging Command Purpose clear bridge ...

Page 1060: ...42 12 Catalyst 3750 Switch Software Configuration Guide OL 8550 02 Chapter 42 Configuring Fallback Bridging Monitoring and Maintaining Fallback Bridging ...

Page 1061: ...d in this chapter see the command reference for this release and the Cisco IOS Command Summary Release 12 2 This chapter consists of these sections Recovering from a Software Failure page 43 2 Recovering from a Lost or Forgotten Password page 43 3 Preventing Switch Stack Problems page 43 7 Recovering from a Command Switch Failure page 43 8 Recovering from Lost Cluster Member Connectivity page 43 1...

Page 1062: ...program to navigate to and extract the bin file If you are using UNIX follow these steps 1 Display the contents of the tar file by using the tar tvf image_filename tar UNIX command switch tar tvf image_filename tar 2 Locate the bin file and extract it by using the tar xvf image_filename tar image_filename bin UNIX command switch tar xvf image_filename tar image_filename bin x c3750 ipservices mz 1...

Page 1063: ... The default configuration for the switch allows an end user with physical access to the switch to recover from a lost password by interrupting the boot process during power on and by entering a new password These recovery procedures require that you have physical access to the switch Note On these switches a system administrator can disable some of the functionality of this feature by allowing an...

Page 1064: ...w the steps If you see a message that begins with this The password recovery mechanism has been triggered but is currently disabled go to the Procedure with Password Recovery Disabled section on page 43 6 and follow the steps Step 5 After recovering the password reload the standalone switch or the stack master Switch reload slot stack master member number Proceed with reload confirm y Step 6 Power...

Page 1065: ... Before continuing to Step 9 power on any connected stack members and wait until they have completely initialized Failure to follow this step can result in a lost configuration depending on how your switch is set up Step 9 Copy the configuration file into memory Switch copy flash config text system running config Source filename config text Destination filename running config Press Return in respo...

Page 1066: ...iguration access to the boot loader prompt can still be allowed Would you like to reset the system back to the default configuration y n Caution Returning the switch to the default configuration results in the loss of all existing configurations We recommend that you contact your system administrator to verify if there are backup switch and VLAN configuration files If you enter n no the normal boo...

Page 1067: ...y have completely initialized Step 9 Write the running configuration to the startup configuration file Switch copy running config startup config The new password is now in the startup configuration Note This procedure is likely to leave your switch virtual interface in a shutdown state You can see which interface is in this state by entering the show running config privileged EXEC command To re en...

Page 1068: ...tch functions with the exact same configuration as the replaced switch This is also assuming the new switch is using the same member number as the replaced switch Removing powered on stack members causes the switch stack to divide partition into two or more switch stacks each with the same configuration If you want the switch stacks to remain separate change the IP address or addresses of the newl...

Page 1069: ...ch with a Cluster Member To replace a failed command switch with a command capable member in the same cluster follow these steps Step 1 Disconnect the command switch from the member switches and physically remove it from the cluster Step 2 Insert the member switch in place of the failed command switch and duplicate its connections to the cluster members Step 3 Start a CLI session on the new comman...

Page 1070: ...rn to start the setup program Step 11 Respond to the questions in the setup program When prompted for the hostname recall that on a command switch the hostname is limited to 28 characters on a member switch to 31 characters Do not use n where n is a number as the last characters in a hostname for any switch When prompted for the Telnet virtual terminal password recall that it can be from 1 to 25 a...

Page 1071: ...u may enter a question mark for help Use ctrl c to abort configuration dialog at any prompt Default settings are in square brackets Basic management setup configures only enough connectivity for management of the system extended setup will ask you to configure each interface on the system Would you like to enter basic management setup yes no Step 6 Enter Y at the first prompt The prompts in the se...

Page 1072: ...Catalyst 2900 XL Catalyst 2820 and Catalyst 1900 member switches must connect to the command switch through a port that belongs to the same management VLAN A member switch Catalyst 3750 Catalyst 3560 Catalyst 3550 Catalyst 2970 Catalyst 2960 Catalyst 2950 Catalyst 3500 XL Catalyst 2900 XL Catalyst 2820 and Catalyst 1900 switch connected to the command switch through a secured port can lose connect...

Page 1073: ...mmand a false link up can occur placing the port into an error disabled state To take the port out of the error disabled state enter the shutdown and the no shutdown interface configuration commands You should not connect a Cisco powered device to a port that has been configured with the power inline never command SFP Module Security and Identification Cisco small form factor pluggable SFP modules...

Page 1074: ...rence for this release Monitoring Temperature The Catalyst 3750G 48TS 3750G 48PS 3750G 24TS 1U and 3750G 24PS switches monitor the temperature conditions The switch also uses the temperature information to control the fans Use the show env temperature status privileged EXEC command to display the temperature value state and thresholds The temperature value is the temperature in the switch not the ...

Page 1075: ...inning in privileged EXEC mode use this command to ping another device on the network from the switch Note Though other protocol keywords are available with the ping command they are not supported in this release This example shows how to ping an IP host Switch ping 172 20 52 3 Type escape sequence to abort Sending 5 100 byte ICMP Echoes to 172 20 52 3 timeout is 2 seconds Success rate is 100 perc...

Page 1076: ...Guidelines These are the Layer 2 traceroute usage guidelines Cisco Discovery Protocol CDP must be enabled on all the devices in the network For Layer 2 traceroute to function properly do not disable CDP For a list of switches that support Layer 2 traceroute see the Usage Guidelines section on page 43 16 If any devices in the physical path are transparent to CDP the switch cannot identify the path ...

Page 1077: ...supported in Token Ring VLANs Displaying the Physical Path You can display physical path that a packet takes from a source device to a destination device by using one of these privileged EXEC commands tracetroute mac interface interface id source mac address interface interface id destination mac address vlan vlan id detail tracetroute mac ip source ip address source hostname destination ip addres...

Page 1078: ...sets the UDP destination port number in the datagram to a very large value that the destination host is unlikely to be using When a host receives a datagram destined to itself containing a destination port number that is unused locally it sends an ICMP port unreachable error to the source Because all errors except port unreachable errors come from intermediate hops the receipt of a port unreachabl...

Page 1079: ...module ports TDR can detect these cabling problems Open broken or cut twisted pair wires The wires are not connected to the wires from the remote device Shorted twisted pair wires The wires are touching each other or the wires from the remote device For example a shorted twisted pair can occur if one wire of the twisted pair is soldered to the other wire If one of the twisted pair wires is open TD...

Page 1080: ...ases the likelihood that increased debug command processing overhead will affect system use Note For complete syntax and usage information for specific debug commands see the command reference for this release Enabling Debugging on a Specific Feature When you enable debugging it is enabled only on the stack master To enable debugging on a stack member you must start a session from the stack master...

Page 1081: ...ccidentally left any debug commands enabled Redirecting Debug and Error Message Output By default the network server sends the output from debug commands and system error messages to the console If you use this default you can use a virtual terminal connection to monitor debug output instead of connecting to the console port Possible destinations include the console virtual terminals internal buff...

Page 1082: ... output from the show platform forward command on port 1 in VLAN 5 when the packet entering that port is addressed to unknown MAC addresses The packet should be flooded to all other ports in VLAN 5 Switch show platform forward gigabitethernet1 0 1 vlan 5 1 1 1 2 2 2 ip 13 1 1 1 13 2 2 2 udp 10 20 Global Port Number 24 Asic Number 5 Src Real Vlan Id 5 Mapped Vlan Id 5 Ingress Lookup Key Used Index ...

Page 1083: ...se there is no default route set the packet should be dropped Switch show platform forward gigabitethernet1 0 1 vlan 5 1 1 1 03 e319 ee44 ip 13 1 1 1 13 2 2 2 udp 10 20 Global Port Number 24 Asic Number 5 Src Real Vlan Id 5 Mapped Vlan Id 5 Ingress Lookup Key Used Index Hit A Data InptACL 40_0D020202_0D010101 00_41000014_000A0000 01FFA 03000000 L3Local 00_00000000_00000000 90_00001400_0D020202 010...

Page 1084: ... crashinfo_n where n is a sequence number Each new crashinfo file that is created uses a sequence number that is larger than any previously existing sequence number so the file with the largest sequence number describes the most recent failure Version numbers are used instead of a timestamp because the switches do not include a real time clock You cannot change the name of the file that the system...

Page 1085: ...shinfo Files Extended crashinfo files are kept in this directory on the flash file system flash crashinfo_ext The filenames are crashinfo_ext_n where n is a sequence number You can configure the switch to not create the extended creashinfo file by using the no exception crashinfo global configuration command ...

Page 1086: ...43 26 Catalyst 3750 Switch Software Configuration Guide OL 8550 02 Chapter 43 Troubleshooting Using the crashinfo Files ...

Page 1087: ...44 3 Understanding How Online Diagnostics Work With online diagnostics you can test and verify the hardware functionality of the switch while the switch is connected to a live network The online diagnostics contain packet switching tests that check different hardware components and verify the data path and the control signals The online diagnostics detect problems in these areas Hardware component...

Page 1088: ...nds to configure health monitoring diagnostics Use the no diagnostic monitor interval switch num test test id test id range all global configuration command to change the interval to the default value or to zero Use the no diagnostic monitor syslog command to disable generation of syslog messages when a health monitoring test fails Use the diagnostic monitor threshold switch num test test_id test_...

Page 1089: ...nline diagnostic test This example shows how to start a diagnostic test on a specific switch Switch diagnostic start switch 1 test 1 Switch 06 27 50 DIAG 6 TEST_RUNNING Switch 1 Running TestPortAsicStackPortLoopback ID 1 switch 1 06 27 51 DIAG 6 TEST_OK Switch 1 TestPortAsicStackPortLoopback ID 1 has completed successfully switch 1 Switch This example shows how to start diagnostics test 2 on a swi...

Page 1090: ...r test to reload after completion of the test list Switch 6 Running test s 2 will partition stack Switch 6 Running test s 2 may disrupt normal system operation Do you want to continue no Displaying Online Diagnostic Tests and Test Results You can display the online diagnostic tests that are configured for specific switches and check the results of the tests using the show commands To display the d...

Page 1091: ...for a switch Switch show diagnostic result switch 1 Switch 1 SerialNo Overall diagnostic result PASS Test results Pass F Fail U Untested 1 TestPortAsicStackPortLoopback 2 TestPortAsicLoopback 3 TestPortAsicCam 4 TestPortAsicRingLoopback 5 TestMicRingLoopback 6 TestPortAsicMem This example shows how to display the online diagnostic test status Switch show diagnostic status BU Bootup Diagnostics HM ...

Page 1092: ...44 6 Catalyst 3750 Switch Software Configuration Guide OL 8550 02 Chapter 44 Configuring Online Diagnostics Displaying Online Diagnostic Tests and Test Results ...

Page 1093: ...e Release Notes for Cisco Wireless LAN Controllers and Lightweight Access Point Release 4 0 x 0 For controller software upgrade procedure see the Cisco Wireless LAN Controller Configuration Guide Release 4 0 If the switch and controller software are not compatible you need to upgrade or downgrade the software so that they are compatible When the Wireless LAN Control Protocol WCP version in the Cat...

Page 1094: ...e connected internally through two Gigabit Ethernet links These links are automatically configured to direct the switch wireless traffic toward the controller requiring minimal configuration by the user The Wireless LAN Controller Switch and Switch Stacks The wireless LAN controller switch can coexist with other Catalyst 3750 switches in a switch stack However for controller functionality all swit...

Page 1095: ...y the switch the controller configuration is not automatically saved Password recovery functions separately on the switch and on the controller You can trigger the password recovery procedure on the switch by pressing the switch Mode button See Chapter 43 Troubleshooting for information about the switch password recovery procedure Password recovery on the controller can be performed by selecting c...

Page 1096: ... any Catalyst 3750 switch standalone or in a switch stack This section describes only the configuration specific to the wireless LAN controller switch and includes these sections Internal Port Configuration page A 4 Reconfiguring the Internal Ports page A 5 Accessing the Controller page A 6 Internal Port Configuration As explained in the Internal Ports section on page A 3 the internal ports connec...

Page 1097: ...h has automatically configured use the show etherchannel summary privileged EXEC command This output shows that the internal ports on switch 1 in the stack belong to port channel 40 You should not use this port channel for any other ports in the stack Switch show etherchannel summary Flags D down P in port channel I stand alone s suspended H Hot standby LACP only R Layer3 S Layer2 U in use f faile...

Page 1098: ...without PAgP or LACP Note No other ports in the switch stack should be members of this channel group Step 4 exit Return to privileged EXEC mode Step 5 interface interface id Specify the other internal port and enter interface configuration mode Step 6 channel group channel group number mode on Assign the port to the same channel group used in Step 3 Step 7 exit Return to privileged EXEC mode Step ...

Page 1099: ... Status of the Controller operational Service VLAN 4095 Service Port Mac Address 000b 8540 3783 Service IP Address 127 0 1 2 Management IP Address 22 2 2 2 Management VLAN 7 Software Version 3 3 0 3 Keepalive Version controller switch 1 1 Keepalives Missed 0 Controller accepts http https 0 1 Controller s Status Line up Watchdog resets of Controller 0 Controller resets total 0 Unacknowledged contro...

Page 1100: ...A 8 Catalyst 3750 Switch Software Configuration Guide OL 8550 02 Appendix A Configuring the Catalyst 3750G Integrated Wireless LAN Controller Switch Displaying Internal Wireless Controller Information ...

Page 1101: ...ation for VLAN 1 To obtain the BRIDGE MIB information for other VLANs for example VLAN x use this community string in the SNMP message configured community string x CISCO CDP MIB CISCO CLUSTER MIB CISCO CONFIG COPY MIB CISCO CONFIG MAN MIB CISCO ENTITY FRU CONTROL MIB CISCO ENTITY VENDORTYPE OID MIB CISCO ENVMON MIB CISCO FLASH MIB Flash memory on all switches is modeled as removable flash memory ...

Page 1102: ...t for some objects only stack master information is supported ENTITY MIB is a better alternative CISCO STACKMAKER MIB CISCO STACKWISE MIB CISCO STP EXTENSIONS MIB CISCO SYSLOG MIB CISCO TC MIB CISCO TCP MIB CISCO UDLDP MIB CISCO VLAN IFTABLE RELATIONSHIP MIB CISCO VLAN MEMBERSHIP MIB CISCO VTP MIB ENTITY MIB ETHERLIKE MIB IEEE8021 PAE MIB IEEE8023 LAG MIB IF MIB In and out counters for VLANs are n...

Page 1103: ... cisco com pub mibs supportlists cat3750 cat3750 supportlist html You can access other information about MIBs and Cisco products on the Cisco web site http www cisco com public sw center netmgmt cmtk mibs shtml Using FTP to Access the MIB Files You can get each MIB file by using this procedure Step 1 Make sure that your FTP client is in passive mode Note Some FTP clients do not support passive mod...

Page 1104: ...B 4 Catalyst 3750 Switch Software Configuration Guide OL 8550 02 Appendix B Supported MIBs Using FTP to Access the MIB Files ...

Page 1105: ...with Software Images page C 19 Working with the Flash File System The flash file system is a single flash device on which you can store files It also provides several commands to help you manage software image and configuration files The default flash file system on the switch is named flash As viewed from the stack master or any stack member flash refers to the local flash device which is the dev...

Page 1106: ...le In this example the stack master is stack member 3 therefore flash3 is aliased to flash The file system on stack member 5 is displayed as flash5 on the stack master Switch show file systems File Systems Size b Free b Type Flags Prefixes 15998976 5135872 flash rw flash flash3 opaque rw bs opaque rw vb 524288 520138 nvram rw nvram network rw tftp opaque rw null opaque rw system opaque ro xmodem o...

Page 1107: ...ory you might want to verify that the file system does not already contain a configuration file with the same name Similarly before copying a flash configuration file to another location you might want to verify its filename for use in another command To display information about files on a file system use one of the privileged EXEC commands in Table C 2 Flags Permission for file system ro read on...

Page 1108: ...sw command but are no longer needed show file information file url Display information about a specific file show file descriptors Display a list of open file descriptors File descriptors are the internal representations of open files You can use this command to see if another user has a file open Table C 2 Commands for Displaying Information About Files continued Command Description Command Purpo...

Page 1109: ...ly you cannot copy these combinations From a running configuration to a running configuration From a startup configuration to a startup configuration From a device to the same device for example the copy flash flash command is invalid For specific examples of using the copy command with configuration files see the Working with Configuration Files section on page C 8 To copy software images either ...

Page 1110: ...m an existing stack member to the incompatible switch That switch automatically reloads and joins the stack as a fully functioning member Creating a tar File To create a tar file and write files into it use this privileged EXEC command archive tar create destination url flash file url For destination url specify the destination URL alias for the local or network file system and the name of the tar...

Page 1111: ...tch archive tar table flash c3750 ipservices mz 122 25 SEB tar info 219 bytes c3750 ipservices mz 122 25 SEB directory c3750 ipservices mz 122 25 SEB html directory c3750 ipservices mz 122 25 SEB html foo html 0 bytes c3750 ipservices mz 122 25 SEB c3750 ipservices mz 122 25 SEB bin 610856 bytes c3750 ipservices mz 122 25 SEB info 219 bytes This example shows how to display only the html directory...

Page 1112: ...erA hampton savedconfig Saved configuration on server version 11 3 service timestamps log datetime localtime service linenumber service udp small servers service pt vty logging output truncated Working with Configuration Files This section describes how to create load and maintain configuration files Note For information about configuration files in switch stacks see the Switch Stack Configuration...

Page 1113: ...ches that have the same hardware configuration Use these guidelines when creating a configuration file We recommend that you connect through the console port for the initial configuration of the switch If you are accessing the switch through a network connection instead of through a direct connection to the console port keep in mind that some configuration changes such as changing the switch IP ad...

Page 1114: ... File By Using FTP section on page C 13 or the Downloading a Configuration File By Using RCP section on page C 17 Step 2 Open the configuration file in a text editor such as vi or emacs on UNIX or Notepad on a PC Step 3 Extract the portion of the configuration file with the desired commands and save it in a new file Step 4 Copy the configuration file to the appropriate server location For example ...

Page 1115: ...name of the file you will use when uploading it to the server During upload operations if you are overwriting an existing file including an empty file if you had to create one on the server ensure that the permissions on the file are set correctly Permissions on the file should be world write Downloading the Configuration File By Using TFTP To configure the switch by using a configuration file dow...

Page 1116: ...ion Files By Using FTP You can copy configuration files to or from an FTP server The FTP protocol requires a client to send a remote username and password on each FTP request to a server When you copy a configuration file from the switch to a server by using FTP the Cisco IOS software sends the first valid username in this list The username specified in the copy command if a username is specified ...

Page 1117: ... username is the one that you want to use for the FTP download You can enter the show users privileged EXEC command to view the valid username If you do not want to use this username create a new FTP username by using the ip ftp username username global configuration command during all copy operations The new username is stored in NVRAM If you are accessing the switch through a Telnet session and ...

Page 1118: ...ame netadmin1 Switch config ip ftp password mypass Switch config end Switch copy ftp nvram startup config Address of remote host 255 255 255 255 172 16 101 101 Name of configuration file rtr2 confg host2 confg Configure using host2 confg from 172 16 101 101 confirm Connected to 172 16 101 101 Loading 1112 byte file host2 confg OK OK Switch SYS 5 CONFIG_NV Non volatile store configured from host2 c...

Page 1119: ...e TFTP which uses User Datagram Protocol UDP a connectionless protocol RCP uses TCP which is connection oriented To use RCP to copy files the server from or to which you will be copying files must support RCP The RCP copy commands rely on the rsh server or daemon on the remote system To copy files by using RCP you do not need to create a server for file distribution as you do with TFTP You only ne...

Page 1120: ...ion File By Using RCP Before you begin downloading or uploading a configuration file by using RCP do these tasks Ensure that the workstation acting as the RCP server supports the remote shell rsh Ensure that the switch has a route to the RCP server The switch and the server must be in the same subnetwork if you do not have a router to route traffic between subnets Check connectivity to the RCP ser...

Page 1121: ...witch configure terminal Switch config ip rcmd remote username netadmin1 Switch config end Switch copy rcp nvram startup config Address of remote host 255 255 255 255 172 16 101 101 Name of configuration file rtr2 confg host2 confg Configure using host2 confg from 172 16 101 101 confirm Connected to 172 16 101 101 Loading 1112 byte file host2 confg OK OK Switch SYS 5 CONFIG_NV Non volatile store c...

Page 1122: ...iguration file to write switch2 confg Write file switch2 confg on host 172 16 101 101 confirm OK Clearing Configuration Information You can clear the configuration information from the startup configuration If you reboot the switch with no startup configuration the switch enters the setup program so that you can reconfigure the switch with all new settings Command Purpose Step 1 Verify that the RC...

Page 1123: ...witch stacks the archive download sw and archive upload sw privileged EXEC commands can only be used through the stack master Software images downloaded to the stack master are automatically downloaded to the rest of the stack members To upgrade a switch in the stack that has an incompatible software image use the archive copy sw privileged EXEC command to copy the software image from an existing ...

Page 1124: ... web management The image is stored on the system board flash memory flash You can use the show version privileged EXEC command to see the software version that is currently running on your switch In the display check the line that begins with System image file is It shows the directory name in flash memory where the image is stored You can also use the dir filesystem privileged EXEC command to se...

Page 1125: ...ands to download and upload software image files For switch stacks the archive download sw and archive upload sw privileged EXEC commands can only be used through the stack master Software images downloaded to the stack master are automatically downloaded to the rest of the stack members To upgrade a switch with an incompatible software image use the archive copy sw privileged EXEC command to copy...

Page 1126: ...e SunOS 4 x or a reboot command on Solaris 2 x or SunOS 5 x For more information on the TFTP daemon see the documentation for your workstation Ensure that the switch has a route to the TFTP server The switch and the TFTP server must be in the same subnetwork if you do not have a router to route traffic between subnets Check connectivity to the TFTP server by using the ping command Ensure that the ...

Page 1127: ... is properly configured see the Preparing to Download or Upload an Image File By Using TFTP section on page C 22 Step 2 Log into the switch through the console port or a Telnet session Step 3 archive download sw allow feature upgrade overwrite reload tftp location directory image name tar Download the image file from the TFTP server to the switch and overwrite the current image The allow feature u...

Page 1128: ...existing image Beginning in privileged EXEC mode follow these steps to upload an image to a TFTP server The archive upload sw privileged EXEC command builds an image file on the server by uploading these files in order info the Cisco IOS image and the web management files After these files are uploaded the upload algorithm creates the tar file format Caution For the download and upload algorithms ...

Page 1129: ... send a remote username and password on each FTP request to a server When you copy an image file from the switch to a server by using FTP the Cisco IOS software sends the first valid username in this list The username specified in the archive download sw or archive upload sw privileged EXEC command if a username is specified The username set by the ip ftp username username global configuration com...

Page 1130: ... username is used and you do not need to set the FTP username Include the username in the archive download sw or archive upload sw privileged EXEC command if you want to specify a username for that operation only When you upload an image file to the FTP server it must be properly configured to accept the write request from the user on the switch For more information see the documentation for your ...

Page 1131: ...option reloads the system after downloading the image unless the configuration has been changed and not been saved For username password specify the username and password these must be associated with an account on the FTP server For more information see the Preparing to Download or Upload an Image File By Using FTP section on page C 25 For location specify the IP address of the FTP server For dir...

Page 1132: ... software image All the files in the directory and the directory are removed Caution For the download and upload algorithms to operate properly do not rename image names Uploading an Image File By Using FTP You can upload an image from the switch to an FTP server You can later download this image to the same switch or to another switch of the same type Use the upload feature only if the web manage...

Page 1133: ...tacks the archive download sw and archive upload sw privileged EXEC commands can only be used through the stack master Software images downloaded to the stack master are automatically downloaded to the rest of the stack members To upgrade a switch with an incompatible software image use the archive copy sw privileged EXEC command to copy the software image from an existing stack member to the inco...

Page 1134: ...tch hostname For the RCP copy request to execute successfully an account must be defined on the network server for the remote username If the server has a directory structure the image file is written to or copied from the directory associated with the remote username on the server For example if the image file resides in the home directory of a user on the server specify that user s name as the r...

Page 1135: ...tion mode This step is required only if you override the default remote username see Steps 4 and 5 Step 4 ip rcmd remote username username Optional Specify the remote username Step 5 end Return to privileged EXEC mode Step 6 archive download sw allow feature upgrade overwrite reload rcp username location directory image na me tar Download the image file from the RCP server to the switch and overwr...

Page 1136: ...ete force recursive filesystem file url privileged EXEC command For filesystem use flash for the system board flash device For file url enter the directory name of the old software image All the files in the directory and the directory are removed Caution For the download and upload algorithms to operate properly do not rename image names Uploading an Image File By Using RCP You can upload an imag...

Page 1137: ...t has incompatible software That switch automatically reloads and joins the stack as a fully functioning member Command Purpose Step 1 Verify that the RCP server is properly configured by referring to the Preparing to Download or Upload an Image File By Using RCP section on page C 30 Step 2 Log into the switch through the console port or a Telnet session Step 3 configure terminal Enter global conf...

Page 1138: ...reload source stack member number Copy the running image file from a stack member and then unconditionally reload the updated stack member Note At least one stack member must be running the image that is to be copied to the switch that is running the incompatible software For destination system destination stack member number specify the number of the stack member the destination to which to copy ...

Page 1139: ...tware feature and command mode Access Control Lists Unsupported Privileged EXEC Commands access enable host timeout minutes access template access list number name dynamic name source destination timeout minutes clear access template access list number name dynamic name source destination show access lists rate limit destination show accounting show ip accounting checkpoint output packets access v...

Page 1140: ...ip address hardware address srp a arp ip address hardware address srp b Unsupported Interface Configuration Commands arp probe ip probe proxy Boot Loader Commands Unsupported Global Configuration Commands boot buffersize FallBack Bridging Unsupported Privileged EXEC Commands clear bridge bridge group multicast router ports groups counts group address interface unit counts clear vlan statistics sho...

Page 1141: ...e bridge group mac address table limit number bridge bridge group multicast source bridge bridge group protocol dec bridge bridge group route protocol bridge bridge group subscriber policy policy subscriber policy policy no default packet permit deny Unsupported Interface Configuration Commands bridge group bridge group cbus bridging bridge group bridge group circuit group circuit number bridge gr...

Page 1142: ...p bridge group subscriber loop control bridge group bridge group subscriber trunk bridge bridge group lat service filtering frame relay map bridge dlci broadcast interface bvi bridge group x25 map bridge x 121 address broadcast options keywords HSRP Unsupported Global Configuration Commands interface Async interface BVI interface Dialer interface Group Async interface Lex interface Multilink inter...

Page 1143: ...display packets that are hardware switched The debug ip mpacket detail access list number group name or address command affects only packets received by the switch CPU Because most multicast packets are hardware switched use this command only when you know that the route will forward the packet to the CPU debug ip pim atm show frame relay ip rtp header compression interface type number The show ip...

Page 1144: ...ress multicast address extended access list number ip multicast rate limit in out video whiteboard group list access list source list access list kbps ip multicast ttl threshold ttl value instead use the ip multicast boundary access list number interface configuration command ip multicast use functional ip pim minimum vc rate pps ip pim multipoint signalling ip pim nbma mode ip pim vc count number...

Page 1145: ...nting transits count ip cef accounting per prefix non recursive ip cef traffic statistics load interval seconds update rate seconds ip flow aggregation ip flow cache ip flow export ip gratuitous arps ip local ip prefix list ip reflexive list router egp router isis router iso igrp router mobile router odr router static Unsupported Interface Configuration Commands ip accounting ip load sharing per p...

Page 1146: ... automatic tag set dampening half life reuse suppress max suppress time set default interface interface id interface id set interface interface id interface id set ip default next hop ip address ip address set ip destination ip address mask set ip next hop verify availability set ip precedence value set ip qos group set metric type internal set origin set metric type internal set tag tag value MAC...

Page 1147: ...Use the show ip igmp snooping groups privileged EXEC command to display Layer 2 multicast address table entries for a VLAN Unsupported Global Configuration Commands mac address table aging time mac address table notification mac address table static Miscellaneous Unsupported Privileged EXEC Commands file verify auto show cable diagnostics prbs test cable diagnostics prbs Unsupported Global Configu...

Page 1148: ... policy policy number show template template name Unsupported Global Configuration Commands ip msdp default peer ip address name prefix list list Because BGP MBGP is not supported use the ip msdp peer command instead of this command NetFlow Commands Unsupported Global Configuration Commands ip flow aggregation cache ip flow cache entries ip flow export Network Address Translation NAT Commands Unsu...

Page 1149: ...Unsupported Policy Map Configuration Commands class class default where class default is the class map name RADIUS Unsupported Global Configuration Commands aaa nas port extended radius server attribute nas port radius server configure radius server extended portnames SNMP Unsupported Global Configuration Commands snmp server enable informs snmp server ifindex persist Spanning Tree Unsupported Glo...

Page 1150: ...n Command spanning tree stack port VLAN Unsupported Global Configuration Commands vlan internal allocation policy ascending descending Unsupported User EXEC Commands show running config vlan show vlan ifindex VTP Unsupported Privileged EXEC Commands vtp password password pruning version number Note This command has been replaced by the vtp global configuration command ...

Page 1151: ...sponse VMPS 13 28 access groups applying IPv4 ACLs to interfaces 32 21 Layer 2 32 21 Layer 3 32 21 accessing clusters switch 6 13 command switches 6 11 accessing continued member switches 6 13 switch clusters 6 13 accessing stack members 5 25 access lists See ACLs access ports and Layer 2 protocol tunneling 17 11 defined 11 3 in switch clusters 6 9 access template 8 1 accounting with 802 1x 10 33 ...

Page 1152: ...displaying 38 8 interactions with other features 38 4 limitations 38 3 matching criteria 38 3 named 38 3 precedence of 38 2 supported 38 2 unsupported features 38 3 ACLs continued Layer 4 information in 32 37 logging messages 32 9 MAC extended 32 27 33 46 matching 32 7 32 21 38 3 monitoring 32 40 38 8 named IPv6 38 3 named IPv4 32 15 names 38 4 number per QoS class map 33 33 port 32 2 38 1 precede...

Page 1153: ... 14 3 aggregatable global unicast addresses 36 3 aggregate addresses BGP 35 59 aggregated ports See EtherChannel aggregate policers 33 59 aggregate policing 1 10 aggregator template 5 10 8 1 aging accelerating 18 9 aging time accelerated for MSTP 19 23 for STP 18 9 18 23 MAC address table 7 21 maximum for MSTP 19 24 for STP 18 23 18 24 alarms RMON 29 3 allowed VLAN list 13 21 area border routers S...

Page 1154: ...rs 6 5 See also CDP automatic extraction auto extract in switch stacks 5 11 automatic QoS See QoS automatic recovery clusters 6 10 See also HSRP automatic upgrades auto upgrade in switch stacks 5 11 auto MDIX configuring 11 21 described 11 20 autonegotiation duplex mode 1 4 interface configuration guidelines 11 18 mismatches 43 12 autonomous system boundary routers See ASBRs autonomous systems in ...

Page 1155: ...database 22 7 IP source guard 22 16 binding table DHCP snooping See DHCP snooping binding database blocking packets 25 7 Boolean expressions in tracked lists 39 14 booting boot loader function of 3 2 boot process 3 2 manually 3 13 specific image 3 14 boot loader accessing 3 15 described 3 2 environment variables 3 15 prompt 3 15 trap door mechanism 3 2 bootstrap router BSR described 40 5 Border Ga...

Page 1156: ... device 26 3 to 26 4 enabling and disabling on an interface 26 4 on a switch 26 3 Layer 2 protocol tunneling 17 8 monitoring 26 5 overview 26 1 power negotiation extensions 11 7 support for 1 5 CDP continued switch stack considerations 26 2 transmission timer and holdtime setting 26 2 updates 26 2 CEF defined 35 75 distributed 35 75 enabling 35 76 IPv6 36 15 CGMP as IGMP snooping learning method 2...

Page 1157: ...6 16 no and default forms of commands 2 4 client mode VTP 14 3 client processes tracking 39 12 clock See system clock cluster requirements xlv clusters switch accessing 6 13 automatic discovery 6 5 automatic recovery 6 10 benefits 1 2 compatibility 6 4 described 6 1 LRE profile considerations 6 16 managing through CLI 6 16 through SNMP 6 17 planning 6 4 planning considerations automatic discovery ...

Page 1158: ... requirements 6 3 standby SC 6 10 command switch continued See also candidate switch cluster standby group member switch and standby command switch community list BGP 35 57 community ports 16 2 community strings configuring 6 14 31 8 for cluster switches 31 4 in clusters 6 14 overview 31 4 SNMP 6 14 community VLANs 16 2 16 3 compatibility feature 25 11 compatibility software See stacks switch conf...

Page 1159: ...corrupted software recovery steps with Xmodem 43 2 CoS in Layer 2 frames 33 2 override priority 15 6 trust priority 15 6 CoS input queue threshold map for QoS 33 16 CoS output queue threshold map for QoS 33 19 CoS to DSCP map for QoS 33 61 counters clearing interface 11 30 crashinfo file 43 24 critical authentication IEEE 802 1x 10 37 cross stack EtherChannel configuration guidelines 34 13 configu...

Page 1160: ...C address table move update 21 4 MSDP 41 4 MSTP 19 15 multi VRF CE 35 67 MVR 24 20 NTP 7 4 optional spanning tree configuration 20 12 default configuration continued OSPF 35 26 password and privilege level 9 2 PIM 40 9 private VLANs 16 7 RADIUS 9 20 RIP 35 20 RMON 29 3 RSPAN 28 11 SDM template 8 5 SNMP 31 7 SPAN 28 11 SSL 9 44 standard QoS 33 31 STP 18 13 switch stacks 5 19 system message logging ...

Page 1161: ...1 support for 1 5 DHCP binding database See DHCP snooping binding database DHCP binding table See DHCP snooping binding database DHCP option 82 circuit ID suboption 22 5 configuration guidelines 22 9 default configuration 22 8 displaying 22 16 forwarding address specifying 22 11 helper address 22 11 overview 22 3 packet format suboption circuit ID 22 5 remote ID 22 5 remote ID suboption 22 5 DHCP ...

Page 1162: ...nfiguration 3 6 default configuration 7 16 displaying the configuration 7 17 in IPv6 36 4 overview 7 15 setting up 7 16 support for 1 5 documentation related xliv document conventions xliv domain names DNS 7 15 VTP 14 8 Domain Name System See DNS dot1q tunnel switchport mode 13 18 double tagged packets IEEE 802 1Q tunneling 17 2 Layer 2 protocol tunneling 17 10 downloading configuration files prep...

Page 1163: ...g unicast route advertisements 40 38 routing table 40 8 source distribution tree building 40 8 support for 1 11 tunnels configuring 40 40 displaying neighbor information 40 43 dynamic access ports characteristics 13 3 configuring 13 31 defined 11 3 dynamic addresses See addresses dynamic ARP inspection ARP cache poisoning 23 1 ARP requests described 23 1 ARP spoofing attack 23 1 clearing log buffe...

Page 1164: ... configuration 35 36 definition 35 35 interface parameters configuring 35 40 monitoring 35 42 stub routing 35 41 support for 1 11 elections See stack master enable password 9 3 enable secret password 9 3 encryption CipherSuite 9 44 encryption for passwords 9 3 Enhanced IGRP See EIGRP enhanced object tracking commands 39 12 defined 39 12 HSRP 39 17 IP routing state 39 13 line protocol state 39 13 t...

Page 1165: ...herChannel guard described 20 10 disabling 20 17 enabling 20 17 Ethernet VLANs adding 13 9 defaults and ranges 13 8 modifying 13 9 EUI 36 3 events RMON 29 3 examples conventions for xliv network configuration 1 15 expedite queue for QoS 33 78 Express Setup 1 2 See also getting started guide extended crashinfo file 43 24 extended range VLANs configuration guidelines 13 13 configuring 13 12 creating...

Page 1166: ...7 1 files basic crashinfo description 43 24 location 43 24 copying C 5 crashinfo description 43 24 deleting C 5 displaying the contents of C 8 files continued extended crashinfo description 43 24 location 43 25 tar creating C 6 displaying the contents of C 7 extracting C 7 image file format C 20 file system displaying available file systems C 2 displaying file information C 3 local file system nam...

Page 1167: ...ce xliii purpose of xliii guide mode 1 3 GUIs See device manager and Network Assistant H hardware limitations and Layer 3 interfaces 11 25 hello time MSTP 19 22 STP 18 22 help for the command line 2 3 hierarchical policy maps 33 8 configuration guidelines 33 33 configuring 33 53 described 33 11 history changing the buffer size 2 6 described 2 6 disabling 2 7 recalling commands 2 6 history table le...

Page 1168: ... Discovery Protocol See IRDP ICMPv6 36 4 IDS appliances and ingress RSPAN 28 22 and ingress SPAN 28 15 IEEE 802 1D See STP IEEE 802 1p 15 1 IEEE 802 1Q and trunk ports 11 3 configuration limitations 13 19 encapsulation 13 16 native VLAN for untagged traffic 13 23 tunneling compatibility with other features 17 6 defaults 17 4 described 17 1 tunnel ports with other features 17 6 IEEE 802 1s See MSTP...

Page 1169: ...eout value 40 31 IGMP filtering configuring 24 25 default configuration 24 25 described 24 24 monitoring 24 29 support for 1 4 IGMP groups configuring filtering 24 28 setting the maximum number 24 27 IGMP Immediate Leave configuration guidelines 24 12 described 24 6 enabling 24 11 IGMP profile applying 24 26 configuration mode 24 25 configuring 24 26 IGMP snooping and address aliasing 24 2 and sta...

Page 1170: ...ing 11 10 range of 11 12 restarting 11 30 shutting down 11 30 speed and duplex configuring 11 18 status 11 28 supported 11 10 types of 11 1 interfaces range macro command 11 13 interface types 11 10 Interior Gateway Protocol See IGP internal BGP See IBGP internal neighbors BGP 35 47 Internet Control Message Protocol See ICMP Internet Group Management Protocol See IGMP Internet Protocol version 6 S...

Page 1171: ...0 20 defining the PIM domain border 40 19 overview 40 5 using with Auto RP 40 23 Cisco implementation 40 2 configuring basic multicast routing 40 11 IP multicast boundary 40 36 default configuration 40 9 IP multicast routing continued enabling multicast forwarding 40 11 PIM mode 40 12 group to RP mappings Auto RP 40 5 BSR 40 5 MBONE deleting sdr cache entries 40 52 described 40 35 displaying sdr c...

Page 1172: ...7 and VRF 22 18 binding configuration automatic 22 16 manual 22 16 binding table 22 16 configuration guidelines 22 17 default configuration 22 17 described 22 16 IP source guard continued disabling 22 19 displaying bindings 22 19 configuration 22 19 enabling 22 18 filtering source IP address 22 17 source IP and MAC address 22 17 source IP address filtering 22 17 source IP and MAC address filtering...

Page 1173: ...v4 ACLs applying to interfaces 32 20 extended creating 32 11 named 32 15 standard creating 32 10 IPv4 and IPv6 configuring on an interface 36 13 differences 36 2 dual protocol stacks 36 6 IPv6 ACLs displaying 38 8 limitations 38 3 matching criteria 38 3 port 38 1 precedence 38 2 router 38 1 supported 38 2 addresses 36 2 address formats 36 2 advantages 36 2 and switch stacks 36 7 applications 36 5 ...

Page 1174: ...d 9 32 KDC 9 32 operation 9 34 realm 9 33 server 9 33 support for 1 9 Kerberos continued switch as trusted third party 9 32 terms 9 33 TGT 9 34 tickets 9 32 key distribution center See KDC L l2protocol tunnel command 17 13 LACP Layer 2 protocol tunneling 17 9 See EtherChannel Layer 2 frames classification with CoS 33 2 Layer 2 interfaces default configuration 11 15 Layer 2 protocol tunneling confi...

Page 1175: ... 3 local SPAN 28 2 logging messages ACL 32 9 login authentication with RADIUS 9 23 with TACACS 9 14 login banners 7 17 log messages See system message logging Long Reach Ethernet LRE technology 1 17 1 25 loop guard described 20 11 enabling 20 18 support for 1 7 LRE profiles considerations in switch clusters 6 16 M MAB aging timer described 1 8 MAB inactivity timer default setting 10 23 range 10 26...

Page 1176: ...3 64 DSCP to DSCP mutation 33 65 IP precedence to DSCP 33 62 policed DSCP 33 63 described 33 12 marking action in policy map 33 49 action with aggregate policers 33 59 described 33 4 33 8 matching IPv6 ACLs 38 3 matching IPv4 ACLs 32 7 maximum aging time MSTP 19 24 STP 18 23 maximum hop count MSTP 19 24 maximum paths command 35 51 35 76 MDA configuration guidelines 10 20 to 10 21 described 1 8 10 ...

Page 1177: ...4 24 network traffic for analysis with probe 28 2 OSPF 35 34 port blocking 25 17 protection 25 17 monitoring continued private VLANs 16 15 RP mapping information 40 24 SFP status 11 29 43 14 source active messages 41 19 speed and duplex mode 11 19 traffic flowing among switches 29 1 traffic suppression 25 17 tunneling 17 18 VLAN filters 32 41 maps 32 41 VLANs 13 16 VMPS 13 32 VTP 14 16 more 10 44 ...

Page 1178: ...me 19 22 link type for rapid convergence 19 24 maximum aging time 19 24 maximum hop count 19 24 MST region 19 16 MSTP continued configuring neighbor type 19 25 path cost 19 21 port priority 19 19 root switch 19 17 secondary root switch 19 19 switch priority 19 22 CST defined 19 3 operations between regions 19 4 default configuration 19 15 default optional feature configuration 20 12 displaying sta...

Page 1179: ...aces monitoring 24 17 37 12 multicast router ports adding 24 10 37 8 Multicast Source Discovery Protocol See MSDP multicast storm 25 1 multicast storm control command 25 4 multicast television application 24 19 multicast VLAN 24 18 Multicast VLAN Registration See MVR multidomain authentication See MDA Multiple HSRP See MHSRP multiple VPN routing forwarding in customer edge devices See multi VRF CE...

Page 1180: ... 16 requirements xliv upgrading a switch C 19 wizards 1 3 network configuration examples cost effective wiring closet 1 17 high performance wiring closet 1 18 increasing network performance 1 16 network configuration examples continued large network 1 23 long distance high bandwidth transport 1 26 multidwelling network 1 25 providing network services 1 17 redundant Gigabit backbone 1 19 server agg...

Page 1181: ...rst See OSPF optimizing system resources 8 1 options management 1 5 OSPF area parameters configuring 35 30 configuring 35 28 Open Shortest Path First continued default configuration metrics 35 32 route 35 31 settings 35 26 described 35 25 for IPv6 36 20 interface parameters configuring 35 29 LSA group pacing 35 33 monitoring 35 34 router IDs 35 33 route summarization 35 31 support for 1 11 virtual...

Page 1182: ...rse mode join messages and shared tree 40 5 overview 40 5 prune messages 40 5 RPF lookups 40 7 support for 1 11 PIM continued versions interoperability 40 10 troubleshooting interoperability problems 40 24 v2 improvements 40 4 PIM DVMRP as snooping method 24 9 ping character output description 43 15 executing 43 15 overview 43 14 PoE auto mode 11 8 CDP with power consumption described 11 7 CDP wit...

Page 1183: ... 34 host mode 10 29 inaccessible authentication bypass 10 37 port based authentication continued configuring manual re authentication of a client 10 30 periodic re authentication 10 30 quiet period 10 31 RADIUS server 10 28 RADIUS server parameters on the switch 10 27 restricted VLAN 10 35 switch to client frame retransmission number 10 32 switch to client retransmission time 10 31 default configu...

Page 1184: ...cking 1 4 25 7 port channel See EtherChannel Port Fast described 20 2 enabling 20 12 mode spanning tree 13 29 support for 1 7 port membership modes VLAN 13 3 port priority MSTP 19 19 STP 18 18 ports 10 Gigabit Ethernet module 11 6 access 11 3 blocking 25 7 dynamic access 13 3 IEEE 802 1Q tunnel 13 4 protected 25 5 routed 11 4 secure 25 8 static access 13 3 13 11 switch 11 2 trunks 13 3 13 16 VLAN ...

Page 1185: ... 4 isolated 16 2 promiscuous 16 2 primary VLANs 16 1 16 3 promiscuous ports 16 2 secondary VLANs 16 2 subdomains 16 1 traffic in 16 5 privileged EXEC mode 2 2 privilege levels changing the default for lines 9 9 command switch 6 17 exiting 9 9 logging into 9 9 mapping on member switches 6 17 overview 9 2 9 7 setting a command with 9 8 promiscuous ports configuring 16 13 defined 16 2 protected ports...

Page 1186: ...rust IP precedence described 33 5 class maps configuring 33 47 displaying 33 79 QoS continued configuration guidelines auto QoS 33 25 standard QoS 33 33 configuring aggregate policers 33 59 auto QoS 33 20 default port CoS value 33 38 DSCP maps 33 61 DSCP transparency 33 40 DSCP trust states bordering another domain 33 41 egress queue characteristics 33 71 ingress queue characteristics 33 67 IP ext...

Page 1187: ...to DSCP 33 61 displaying 33 79 DSCP to CoS 33 64 DSCP to DSCP mutation 33 65 IP precedence to DSCP 33 62 policed DSCP 33 63 types of 33 12 marked down actions 33 51 33 56 marking described 33 4 33 8 overview 33 2 packet modification 33 19 QoS continued policers configuring 33 51 33 56 33 59 described 33 8 displaying 33 79 number of 33 34 types of 33 9 policies attaching to an interface 33 8 polici...

Page 1188: ...See rapid PVST rapid PVST described 18 10 IEEE 802 1Q trunking interoperability 18 11 instances supported 18 10 Rapid Spanning Tree Protocol See RSTP RARP 35 9 rcommand command 6 16 RCP configuration files downloading C 17 overview C 15 preparing the server C 16 uploading C 18 image files deleting old image C 32 downloading C 31 preparing the server C 30 uploading C 32 reconfirmation interval VMPS...

Page 1189: ...1305 NTP 7 2 1587 NSSAs 35 25 1757 RMON 29 2 1771 BGP 35 43 1901 SNMPv2C 31 2 1902 to 1907 SNMPv2 31 2 2236 IP multicast and IGMP 24 2 2273 2275 SNMPv3 31 2 RIP advertisements 35 20 authentication 35 22 configuring 35 21 default configuration 35 20 described 35 20 for IPv6 36 18 hop counts 35 20 split horizon 35 23 summary addresses 35 23 support for 1 11 RMON default configuration 29 3 displaying...

Page 1190: ...features 28 9 monitored ports 28 6 monitoring ports 28 8 overview 1 12 28 1 received traffic 28 5 session limits 28 11 RSPAN 28 3 continued sessions creating 28 19 defined 28 4 limiting source traffic to specific VLANs 28 24 specifying monitored ports 28 19 with ingress traffic enabled 28 22 source ports 28 6 transmitted traffic 28 6 VLAN based 28 7 RSTP active topology 19 10 BPDU format 19 12 pro...

Page 1191: ...rvice provider networks and customer VLANs 17 2 and IEEE 802 1Q tunneling 17 1 Layer 2 protocols across 17 8 Layer 2 protocol tunneling for EtherChannels 17 9 set request operation 31 5 setup program failed command switch replacement 43 11 replacing failed command switch 43 9 severity levels defining in system messages 30 9 SFPs monitoring status of 11 29 43 14 numbering of 11 11 security and iden...

Page 1192: ...aps 31 5 disabling 31 15 enabling 31 15 limiting access by TFTP servers 31 16 limiting system log messages to NMS 30 10 SNMP continued manager functions 1 5 31 3 managing clusters with 6 17 MIBs location of B 3 supported B 1 notifications 31 5 overview 31 1 31 4 security levels 31 3 status displaying 31 17 system contact and location 31 15 trap manager configuring 31 14 traps described 31 3 31 5 d...

Page 1193: ...ning tree and native VLANs 13 19 Spanning Tree Protocol See STP SPAN traffic 28 5 split horizon RIP 35 23 SRR configuring shaped weights on egress queues 33 76 shared weights on egress queues 33 77 shared weights on ingress queues 33 69 SRR continued described 33 14 shaped mode 33 14 shared mode 33 14 support for 1 10 SSH configuring 9 39 cryptographic software image 9 37 described 1 6 9 38 encryp...

Page 1194: ...auto advise 5 12 stacks switch continued auto copy 5 11 auto extract 5 11 auto upgrade 5 11 benefits 1 2 bridge ID 5 6 CDP considerations 26 2 compatibility software 5 10 configuration file 5 14 configuration scenarios 5 17 copying an image file from one member to another C 33 default configuration 5 19 description of 5 1 displaying information of 5 25 enabling persistent MAC address timer 5 19 ha...

Page 1195: ...andby command switch configuring considerations 6 11 defined 6 2 priority 6 10 requirements 6 3 virtual IP address 6 11 See also cluster standby group and HSRP standby group cluster See cluster standby group and HSRP standby ip command 39 5 standby links 21 2 standby router 39 1 standby timers HSRP 39 9 startup configuration booting manually 3 13 specific image 3 14 clearing C 19 configuration fil...

Page 1196: ...efault configuration 18 13 STP continued default optional feature configuration 20 12 designated port defined 18 4 designated switch defined 18 4 detecting indirect link failures 20 8 disabling 18 16 displaying status 18 24 EtherChannel guard described 20 10 disabling 20 17 enabling 20 17 extended system ID effects on root switch 18 16 effects on the secondary root switch 18 18 overview 18 4 unexp...

Page 1197: ...st described 20 3 enabling 20 15 VLAN bridge 18 11 stratum NTP 7 2 stub areas OSPF 35 30 stub routing EIGRP 35 41 subdomains private VLAN 16 1 subnet mask 35 7 subnet zero 35 7 success response VMPS 13 28 summer time 7 13 SunNet Manager 1 5 supernet 35 8 SVIs and IP unicast routing 35 5 and router ACLs 32 4 connecting VLANs 11 9 defined 11 5 routing between VLANs 13 2 switch clustering technology ...

Page 1198: ... system MTU and IEEE 802 1Q tunneling 17 5 system name default configuration 7 15 default setting 7 15 manual configuration 7 15 See also DNS system prompt default setting 7 14 7 15 system resources optimizing 8 1 T TACACS accounting defined 9 11 authentication defined 9 11 authorization defined 9 11 configuring accounting 9 17 authentication key 9 13 authorization 9 16 login authentication 9 14 d...

Page 1199: ...a port 43 17 unicast traffic 43 16 usage guidelines 43 16 traceroute command 43 18 See also IP traceroute tracked lists configuring 39 14 types 39 14 tracked objects by Boolean expression 39 14 by threshold percentage 39 16 by threshold weight 39 15 tracking interface line protocol state 39 13 tracking IP routing state 39 13 tracking objects 39 12 tracking process 39 12 traffic blocking flooded 25...

Page 1200: ... 1 10 within a QoS domain 33 36 trustpoints CA 9 42 tunneling defined 17 1 IEEE 802 1Q 17 1 Layer 2 protocol 17 8 tunnel ports defined 13 4 described 11 4 17 1 IEEE 802 1Q configuring 17 6 incompatibilities with other features 17 6 twisted pair Ethernet detecting unidirectional links 27 1 type of service See ToS U UDLD configuration guidelines 27 4 default configuration 27 4 disabling globally 27 ...

Page 1201: ...EXEC mode 2 2 username based authentication 9 6 V version dependent transparent mode 14 4 version mismatch VM mode automatic upgrades with auto upgrade 5 11 described 5 11 displaying 5 11 manual upgrades with auto advise 5 12 upgrades with auto extract 5 11 virtual IP address cluster standby group 6 11 command switch 6 11 Virtual Private Network See VPN virtual router 39 1 39 2 vlan dat file 13 5 ...

Page 1202: ...ode 13 9 creating in VLAN configuration mode 13 10 customer numbering in service provider networks 17 3 default configuration 13 8 deleting 13 10 described 11 2 13 1 displaying 13 16 extended range 13 1 13 12 VLANs continued features 1 7 illustrated 13 2 internal 13 13 in the switch stack 13 6 limiting source traffic with RSPAN 28 24 limiting source traffic with SPAN 28 16 modifying 13 9 multicast...

Page 1203: ...table See VRF VQP 1 7 13 28 VRF defining 35 66 tables 35 64 VTP adding a client to a domain 14 14 advertisements 13 19 14 3 and extended range VLANs 14 2 and normal range VLANs 14 2 client mode configuring 14 11 VTP continued configuration global configuration mode 14 7 guidelines 14 8 privileged EXEC mode 14 7 requirements 14 9 saving 14 7 VLAN configuration mode 14 8 configuration mode options 1...

Page 1204: ...n 1 14 4 Version 2 configuration guidelines 14 9 disabling 14 13 enabling 14 13 overview 14 4 W web authentication configuring 10 41 to 10 44 described 1 8 10 21 fallback for IEEE 802 1x 10 43 weighted tail drop See WTD weight thresholds in tracked lists 39 15 wireless LAN controlle A 1 wireless LAN controller A 3 wizards 1 3 WTD described 33 13 setting thresholds egress queue sets 33 72 ingress q...

Reviews:

No comments

Related manuals for 3750G - Catalyst Integrated Wireless LAN Controller

D-Link NetDefend DFL-260E Reference Manual preview
NetDefend DFL-260E
Brand: D-Link Pages: 328
D-Link ShareCenter Pulse DNS-320 Quick Install Manual preview
ShareCenter Pulse DNS-320
Brand: D-Link Pages: 2
D-Link DFL-210 - NetDefend - Security Appliance Firewall Registration Manual preview
DFL-210 - NetDefend - Security Appliance
Brand: D-Link Pages: 19
D-Link DFL-M510 Faq preview
DFL-M510
Brand: D-Link Pages: 22
D-Link DFE-680TX Quick Install Manual preview
DFE-680TX
Brand: D-Link Pages: 4
Dahua N300 Quick Start Manual preview
N300
Brand: Dahua Pages: 12
D-Link NetDefend DFL-1600 Quick Manual preview
NetDefend DFL-1600
Brand: D-Link Pages: 23
DBM ACE9600 Operating Manual preview
ACE9600
Brand: DBM Pages: 50
ICP DAS USA ET-7000 series Quick Start Manual preview
ET-7000 series
Brand: ICP DAS USA Pages: 14
ICP DAS USA I-2533 User Manual preview
I-2533
Brand: ICP DAS USA Pages: 25
ICP DAS USA ET-2200 Series Manual preview
ET-2200 Series
Brand: ICP DAS USA Pages: 15
ICP DAS USA PCIe-S112 Quick Start Manual preview
PCIe-S112
Brand: ICP DAS USA Pages: 8
ICP ZT-2550 Quick Start Manual preview
ZT-2550
Brand: ICP Pages: 14
Ubiquiti NanoBeam M5 Setup preview
NanoBeam M5
Brand: Ubiquiti Pages: 3
Analog Devices ADAU1961 Manual preview
ADAU1961
Brand: Analog Devices Pages: 76
Aztech DSL1000EW(L) Speci?Cations preview
DSL1000EW(L)
Brand: Aztech Pages: 2
Teac HD-35NAS User Manual preview
HD-35NAS
Brand: Teac Pages: 20
Maple Systems cMT-FHDX Series Installation Instruction preview
cMT-FHDX Series
Brand: Maple Systems Pages: 2

Brands by name

Popular brands

Load more brands