Cisco ME 3800X and 3600X Switch Software Configuration Guide

OL-23400-01

Chapter 19      Configuring Traffic Control

Configuring EVC MAC Security

MAC Address Security Guidelines

MAC security is disabled by default on an EFP. When MAC security is disabled on an EFP, you can 
configure MAC security functions, but they do not become operational until you enable MAC 
security. 

A secured EFP is one on which MAC security is enabled. 

A secured MAC address is one that is configured or learned. 

A secured bridge domain is one on which MAC security is enabled. 

Secured EFP learned MAC addresses are kept in both the EVC MAC security table and the system 
MAC address table. Secured addresses are aged out by the configured MAC security aging process. 

When you enable MAC security on an EFP by entering the mac security service-instance 
configuration command, the existing MAC addresses on the EFP that were dynamically learned are 
removed, and configured MAC addresses and sticky MAC address entries are added to the EVC 
MAC security table. 

When you remove an EFP from a bridge domain or move an EFP to a new bridge domain, all MAC 
addresses for the EFP are removed from the MAC address table.

A MAC locking condition occurs on a MAC move: a MAC entry already exists for an EFP in a given bridge domain, and the same MAC address is received on a different EFP in the bridge domain. If the move takes place from one secured EFP to another secured EFP, the move is not allowed and the configured violation action occurs. A move between a secured and non-secured EFP is allowed because no violation occurs.
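An added example, not from the Cisco guide: a Python audit of running-config style text that applies two of the guidelines above. It flags EFPs whose MAC security functions are configured but never enabled, and bridge domains that mix secured and non-secured EFPs, where a MAC move raises no violation. The sample configuration is constructed; `encapsulation`, `bridge-domain` and the `mac security maximum addresses` and `mac security violation` sub-commands are Cisco IOS commands that do not appear on this page, and the `!`-terminated block layout is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample configuration (not taken from the guide).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan none
 service instance 1 ethernet
  encapsulation dot1q 10
  bridge-domain 100
  mac security maximum addresses 5
  mac security
 !
 service instance 2 ethernet
  encapsulation dot1q 20
  bridge-domain 100
  mac security maximum addresses 2
  mac security violation restrict
 !
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk allowed vlan none
 service instance 3 ethernet
  encapsulation dot1q 10
  bridge-domain 100
 !
 service instance 4 ethernet
  encapsulation dot1q 30
  bridge-domain 200
  mac security
 !
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)")
EFP_RE = re.compile(r"^\s+service instance\s+(\d+)\s+ethernet")
BD_RE = re.compile(r"^\s+bridge-domain\s+(\d+)")
# Bare "mac security" enables the feature; anything after it is a function.
MACSEC_RE = re.compile(r"^\s+mac security(?:\s+(.*\S))?\s*$")


def parse_efps(config_text):
    """Parse service instances (EFPs) out of running-config style text."""
    efps, iface, efp = [], None, None
    for line in config_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface, efp = m.group(1), None
            continue
        m = EFP_RE.match(line)
        if m and iface:
            efp = {"interface": iface, "id": int(m.group(1)),
                   "bridge_domain": None, "enabled": False, "functions": []}
            efps.append(efp)
            continue
        if efp is None:
            continue
        if line.strip() == "!":          # end of the service instance block
            efp = None
            continue
        m = BD_RE.match(line)
        if m:
            efp["bridge_domain"] = int(m.group(1))
            continue
        m = MACSEC_RE.match(line)
        if m:
            if m.group(1) is None:
                efp["enabled"] = True
            else:
                efp["functions"].append(m.group(1))
    return efps


def audit(efps):
    """Return (rule, subject, detail) findings for the two guideline checks."""
    findings = []
    by_bd = defaultdict(list)
    for e in efps:
        name = f"{e['interface']} service instance {e['id']}"
        # Functions configured without the enabling command are not operational.
        if e["functions"] and not e["enabled"]:
            findings.append(("not-operational", name, tuple(e["functions"])))
        if e["bridge_domain"] is not None:
            by_bd[e["bridge_domain"]].append((name, e["enabled"]))
    for bd, members in sorted(by_bd.items()):
        secured = [n for n, on in members if on]
        unsecured = [n for n, on in members if not on]
        # A MAC move between a secured and a non-secured EFP raises no violation.
        if secured and unsecured:
            findings.append(("mixed-bridge-domain", bd, tuple(unsecured)))
    return findings


if __name__ == "__main__":
    for rule, subject, detail in audit(parse_efps(SAMPLE_CONFIG)):
        print(rule, subject, detail)
```
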

Enabling and Configuring EVC MAC Security

For detailed information about the commands, see the Cisco IOS Carrier Ethernet Command Reference 
at:

http://www.cisco.com/en/US/docs/ios/cether/command/reference/ce_book.html

Beginning in privileged EXEC mode, follow these steps to configure MAC security on an EFP:

| Step | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | interface interface-id | Specify the interface to be configured, and enter interface configuration mode. |
| Step 3 | switchport mode trunk | Configure the interface as a trunk port, required for EFP configuration. |
| Step 4 | switchport trunk allowed vlan none | Configure the interface to have no allowed VLANs. |
| Step 5 | service instance number ethernet [name] | Configure an EFP (service instance) and enter service instance configuration mode. The number is the EFP identifier, an integer from 1 to 4000. (Optional) ethernet name is the name of a previously configured Ethernet virtual connection (EVC). You do not need to use an EVC name in a service instance. |

Summary of Contents for 3845 - Security Bundle Router

Page 1: ...est Tasman Drive, San Jose, CA 95134-1706, USA. http://www.cisco.com Tel: 408 526-4000, 800 553-NETS (6387), Fax: 408 527-0883. Cisco ME 3800X and 3600X Switch Software Configuration Guide, Cisco IOS Release 12.2(52)EY, October 2010. Text Part Number: OL-23400-01 ...


Page 80: ...n be used to control how the boot loader or any other software running on the system behaves Boot loader environment variables are similar to environment variables that can be set on UNIX or DOS systems Environment variables that have values are stored in flash memory outside of the flash file system Each line in these files contains an environment variable name and an equal sign followed by the v...

Page 81: ... variable is not set the system attempts to load and execute the first executable image it can find by using a recursive depth first search through the flash file system If the BOOT variable is set but the specified images cannot be loaded the system attempts to boot the first bootable file that it can find in the flash file system boot system filesystem file url Specifies the Cisco IOS image to l...

Page 82: ...to the configured time zone on the switch To schedule reloads across several switches to occur simultaneously the time on each switch must be synchronized with NTP The reload command halts the system If the system is not set to manually boot it reboots itself Use the reload command after you save the switch configuration information to the startup configuration copy running config startup config I...

Page 83: ...re Image Displaying Scheduled Reload Information To display information about a previously scheduled reload or to find out if a reload has been scheduled on the switch use the show reload privileged EXEC command It displays reload information including the time the reload is scheduled to occur and the reason for the reload if it was specified when the reload was scheduled ...


Page 85: ...ware The Cisco Configuration Engine is network management software that acts as a configuration service for automating the deployment and management of network devices and services see Figure 4 1 Each Configuration Engine manages a group of Cisco devices switches and routers and the services that they deliver storing their configurations and delivering them as needed The Configuration Engine autom...

Page 86: ...n Service uses the CNS Event Service to send and receive configuration change events and to send success and failure notifications The configuration server is a web server that uses configuration templates and the device specific configuration information stored in the embedded standalone mode or remote server mode directory Configuration templates are text files containing static configuration in...

Page 87: ...nique group ID device ID and event the mapping service returns a set of events on which to publish What You Should Know About the CNS IDs and Device Hostnames The Configuration Engine assumes that a unique identifier is associated with each configured switch This unique identifier can take on multiple synonyms where each synonym is unique within a particular namespace The event service uses namesp...

Page 88: ...ection to the event gateway and does not change even when the switch hostname is reconfigured When changing the switch hostname on the switch the only way to refresh the DeviceID is to break the connection between the switch and the event gateway Enter the no cns event global configuration command followed by the cns event global configuration command When the connection is re established the swit...

Page 89: ...he new switch and includes the TFTP server IP address the path to the bootstrap configuration file and the default gateway IP address in a unicast reply to the DHCP relay agent The DHCP relay agent forwards the reply to the switch The switch automatically configures the assigned IP address on interface VLAN 1 the default and downloads the bootstrap configuration file from the TFTP server Upon succ...

Page 90: ...nfiguration upon receipt of a write signal event The write signal event tells the switch not to save the updated configuration into its NVRAM The switch uses the updated configuration as its running configuration This ensures that the switch configuration is synchronized with other network activities before saving the configuration in NVRAM for use at the next reboot Configuring Cisco IOS Agents T...

Page 91: ...uration Device Required Configuration Access switch Factory default no configuration file Distribution switch IP helper address Enable DHCP relay agent IP routing if used as default gateway DHCP server IP address assignment TFTP server IP address Path to bootstrap configuration file on the TFTP server Default gateway IP address TFTP server A bootstrap configuration file that includes the CNS confi...

Page 92: ...e event agent and enter the gateway parameters For hostname ip address enter either the hostname or the IP address of the event gateway Optional For port number enter the port number for the event gateway The default port number is 11011 Optional Enter backup to show that this is the backup gateway If omitted this is the primary gateway Optional For failover time seconds enter how long the switch ...

Page 93: ... configuration mode specify the name of the CNS connect profile and define the profile parameters The switch uses the CNS connect profile to connect to the Configuration Engine Enter the name of the CNS connect profile Optional For retries number enter the number of connection retries The range is 1 to 30 The default is 3 Optional For retry interval seconds enter the interval between successive co...

Page 94: ...y the Configuration Engine For interface num enter the type of interface for example ethernet group async loopback or virtual template This setting specifies from which interface the IP or MAC address should be retrieved to define the unique ID For dns reverse ipaddress mac address enter dns reverse to retrieve the hostname and assign it as the unique ID enter ipaddress to use the IP address or en...

Page 95: ... ip address syntax check Enable the Cisco IOS agent and initiate an initial configuration For hostname ip address enter the hostname or the IP address of the configuration server Optional For port number enter the port number of the configuration server The default port number is 80 Optional Enable event for configuration success failure or warning messages when the configuration is finished Optio...

Page 96: ...g a Partial Configuration Beginning in privileged EXEC mode follow these steps to enable the Cisco IOS agent and to initiate a partial configuration on the switch To disable the Cisco IOS agent use the no cns config partial ip address hostname global configuration command To cancel a partial configuration use the cns config cancel privileged EXEC command Command Purpose Step 1 configure terminal E...

Page 97: ...ing the HTTPS protocol Determine how to handle error messages generated by image agent operations Error messages can be sent to the CNS Event Bus or an HTTP or HTTPS URL Restrictions for the CNS Image Agent During automated image loading operations you must try to prevent the Cisco IOS device from losing connectivity with the file server that is providing the image Image reloading is subject to me...

Page 98: ...S Configuration You can use the privileged EXEC commands in Table 4 2 to display CNS configuration information Step 5 cns image retry number Specify the number of times to retry and download the image Step 6 cns image server ip address status ip address Download the image from the server to the switch Step 7 end Return to privileged EXEC mode Command Purpose Table 4 2 Displaying CNS Configuration ...

Page 99: ...g automatic configuration such as the Network Time Protocol NTP or manual configuration methods Note For complete syntax and usage information for the commands used in this section see the Cisco IOS Configuration Fundamentals Command Reference Release 12 2 These sections contain this configuration information Understanding the System Clock page 5 1 Understanding Network Time Protocol page 5 2 Conf...

Page 100: ...ice running NTP automatically chooses as its time source the device with the lowest stratum number with which it communicates through NTP This strategy effectively builds a self organizing tree of NTP speakers NTP avoids synchronizing to a device whose time might not be accurate by never synchronizing to a device that is not synchronized NTP also compares the time reported by several devices and d...

Page 101: ...P software for their host systems and a publicly available version for systems running UNIX and its various derivatives is also available This software allows host systems to be time synchronized as well Configuring NTP The switch does not have a hardware supported clock and cannot function as an NTP master clock to which peers synchronize themselves when an external NTP source is not available Th...

Page 102: ... 1 Default NTP Configuration Feature Default Setting NTP authentication Disabled No authentication key is specified NTP peer or server associations None configured NTP broadcast service Disabled no interface sends or receives NTP broadcast packets NTP access restrictions No access control is specified NTP packet source IP address The source address is set by the outgoing interface Command Purpose ...

Page 103: ...tp trusted key 42 Configuring NTP Associations An NTP association can be a peer association this switch can either synchronize to the other device or allow the other device to synchronize to it or it can be a server association meaning that only this switch synchronizes to the other device and not the other way around Step 4 ntp trusted key key number Specify one or more key numbers defined in Ste...

Page 104: ...imply be configured to send or receive broadcast messages However the information flow is one way only Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ntp peer ip address version number key keyid source interface prefer or ntp server ip address version number key keyid source interface prefer Configure the switch system clock to synchronize a peer or to be synchron...

Page 105: ...and Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to send NTP broadcast packets and enter interface configuration mode Step 3 ntp broadcast version number key keyid destination address Enable the interface to send NTP broadcast packets to a peer By default this feature is disabled on all interfaces Optional For number specify ...

Page 106: ...NTP services by using access lists Step 5 ntp broadcastdelay microseconds Optional Change the estimated round trip delay between the switch and the NTP broadcast server The default is 3000 microseconds the range is 1 to 999999 Step 6 end Return to privileged EXEC mode Step 7 show running config Verify your entries Step 8 copy running config startup config Optional Save your entries in the configur...

Page 107: ...vices use the no ntp access group query only serve only serve peer global configuration command This example shows how to configure the switch to allow itself to synchronize to a peer from access list 99 However the switch restricts access to allow only time requests from access list 42 Switch configure terminal Switch config ntp access group peer 99 Switch config ntp access group serve only 42 Sw...

Page 108: ...ce address is to be taken The specified interface is used for the source address for all packets sent to all destinations If a source address is to be used for a specific association use the source keyword in the ntp peer or ntp server global configuration command as described in the Configuring NTP Associations section on page 5 5 Command Purpose Step 1 configure terminal Enter global configurati...

Page 109: ... to manually set the system clock Setting the System Clock page 5 11 Displaying the Time and Date Configuration page 5 12 Configuring the Time Zone page 5 12 Configuring Summer Time Daylight Saving Time page 5 13 Setting the System Clock If you have an outside source on the network that provides time services such as an NTP server you do not need to manually set the system clock Beginning in privil...

Page 110: ...nfigure the time zone The minutes offset variable in the clock timezone global configuration command is available for those cases where a local time zone is a percentage of an hour different from UTC For example the time zone for some sections of Atlantic Canada AST is UTC 3 5 where the 3 means 3 hours and 5 means 50 percent In this case the necessary command is clock timezone AST 3 30 To set the ...

Page 111: ...fig clock summer time PDT recurring 1 Sunday April 2 00 last Sunday October 2 00 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 clock summer time zone recurring week day month hh mm week day month hh mm offset Configure summer time to start and end on the specified days every year Summer time is disabled by default If you specify clock summer time zone recurring w...

Page 112: ...tem prompt A greater than symbol is appended The prompt is updated whenever the system name changes For complete syntax and usage information for the commands used in this section see the Cisco IOS Configuration Fundamentals Command Reference Release 12 2 and the Cisco IOS IP Command Reference Volume 2 of 3 Routing Protocols Release 12 2 Default System Name and Prompt Configuration page 5 15 Confi...

Page 113: ...co Systems is a commercial organization that IP identifies by a com domain name so its domain name is cisco com A specific device in this domain for example the File Transfer Protocol FTP system is identified as ftp cisco com To keep track of domain names IP has defined the concept of a domain name server which holds a cache or database of names mapped to IP addresses To map domain names to IP add...

Page 114: ...ration Protocol DHCP server then the default domain name might be set by the BOOTP or DHCP server if the servers were configured with this information Step 3 ip name server server address1 server address2 server address6 Specify the address of one or more name servers to use for name and address resolution You can specify up to six name servers Separate each server address with a space The first s...

Page 115: ...r server address global configuration command To disable DNS on the switch use the no ip domain lookup global configuration command Displaying the DNS Configuration To display the DNS configuration information use the show running config privileged EXEC command Creating a Banner You can configure a message of the day MOTD and a login banner The MOTD banner displays on all connected terminals at lo...

Page 116: ...le shows the banner that appears from the previous configuration Unix telnet 172 2 5 4 Trying 172 2 5 4 Connected to 172 2 5 4 Escape character is This is a secure site Only authorized users are allowed For access contact technical support User Access Verification Password Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 banner motd c message c Specify the message o...

Page 117: ...ddress a source MAC address that the switch learns and then ages when it is not in use Static address a manually entered unicast address that does not age and that is not lost when the switch resets The address table lists the destination MAC address the associated VLAN ID and port number associated with the address and the type static or dynamic Note For complete syntax and usage information for ...

Page 118: ...packets between any combination of ports based on the destination address of the received packet Using the MAC address table the switch forwards the packet only to the port associated with the destination address If the destination address is on the port that sent the packet the packet is filtered and not forwarded The switch always uses the store and forward method complete packets are stored and...

Page 119: ...ress Entries To remove all dynamic entries use the clear mac address table dynamic command in privileged EXEC mode You can also remove a specific MAC address clear mac address table dynamic address mac address remove all addresses on the specified physical port or port channel clear mac address table dynamic interface interface id or remove all addresses on a specified VLAN clear mac address table...

Page 120: ...g in privileged EXEC mode follow these steps to configure the switch to send MAC address change notification traps to an NMS host Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 snmp server host host addr traps informs version 1 2c 3 community string notification type Specify the recipient of the trap message For host addr specify the name or address of the NMS Spe...

Page 121: ...tory size 100 Switch config interface gigabitethernet0 2 Switch config if snmp trap mac notification change added You can verify your settings by entering the show mac address table notification change interface and the show mac address table notification change privileged EXEC commands Step 5 mac address table notification change interval value history size value Enter the trap interval time and ...

Page 122: ...dress table notification mac move You can verify your settings by entering the show mac address table notification mac move privileged EXEC commands Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 snmp server host host addr traps informs version 1 2c 3 community string notification type Specify the recipient of the trap message For host addr specify the name or add...

Page 123: ...fy the string to send with the notification operation Though you can set this string by using the snmp server host command we recommend that you define this string by using the snmp server community command before using the snmp server host command For notification type use the mac notification keyword Step 3 snmp server enable traps mac notification threshold Enable the switch to send MAC thresho...

Page 124: ...y your settings by entering the show mac address table notification threshold privileged EXEC commands Adding and Removing Static Address Entries A static address has these characteristics It is manually entered in the address table and must be manually removed It can be a unicast or multicast address It does not age and is retained when the switch restarts You can add and remove static addresses ...

Page 125: ...ac addr vlan vlan id drop global configuration command one of these messages appears Only unicast addresses can be configured to be dropped CPU destined address cannot be configured as drop address Packets that are forwarded to the CPU are also not supported Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mac address table static mac addr vlan vlan id interface int...

Page 126: ...atic mac addr vlan vlan id global configuration command This example shows how to enable unicast MAC address filtering and to configure the switch to drop packets that have a source or destination address of c2f3 220a 12f4 When a packet is received in VLAN 4 with this MAC address as its source or destination the packet is dropped Switch config mac address table static c2f3 220a 12f4 vlan 4 drop Di...

Page 127: ...a default condition and therefore does not appear in the output from the show running config command The second command causes the configuration to appear in the show running config privileged EXEC command display This example shows how to disable MAC address learning on VLAN 200 Switch config no mac address table learning vlan 200 You can display the MAC address learning status of all VLANs or a ...

Page 128: ... Ethernet is specified by the Subnetwork Access Protocol SNAP By default standard Ethernet style ARP encapsulation represented by the arpa keyword is enabled on the IP interface ARP entries added manually to the table do not age and must be manually removed For CLI procedures see the Cisco IOS Release 12 2 documentation on Cisco com show mac address table count Displays the number of addresses pre...

Page 129: ...Each device must be able to support a system timing master which is the synchronization source A sync port is the port on which synchronization information is received All SyncE frames coming from the sync port are the source of synchronization for all other ports on the device The switch 10 Gigabit Ethernet uplink ports or BITS interface support line clock recovery sending and receiving clock inf...

Page 130: ...c multicast SSM provides a way to implement quality in synchronous networks but this feature is not supported on the ME 3800X and 3600X switches We recommend configuring the SyncE network as a Resilient Ethernet Protocol REP segment for resiliency and to avoid timing loops when there are any network failures within the segment See SyncE Timing Using REP for Loop Prevention and Resiliency section o...

Page 131: ...ention These SyncE features are achieved through correct configuration of port priorities Timing loops can occur if priority is not correctly configured Configuring REP allows the segment to automatically respond to a failure in the ring and avoid timing loops by changing the direction of the reference clock path Figure 6 1 shows how you can configure a REP segment in a SyncE network The 10 Gigabi...

Page 132: ...ock select hold off timeout global configuration command Wait to restore timeout If a failed SyncE source comes up the switch waits for a specific period of time before considering the source as available in the selection process The default time is 300 seconds Configure wait to restore timeout by entering the network clock select wait to restore global configuration command 281357 Blocked RE...

Page 133: ...ing and receiving T1 and E1 timing signals You can configure all Ethernet ports to send data referenced to the BITS recovered clock The BITS signal is used as long as it does not have these faults loss of signal out of frame alarm indication signal remote alarm indication The switch supports BITS IN and BITS OUT and recovers and sends BITS timing T1 E1 or 2 048 KHz The switch does not support T1 o...

Page 134: ... Ethernet fiber SFP Configuring the Network Clock Selection Beginning in privileged EXEC mode follow these steps to configure the SyncE network clock Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 network clock select priority BITS SYNCE port number Configure the input clock and its priority For priority the range is from 1 to 15 with 1 being the highest priority ...

Page 135: ...TS interface The Ethernet Equipment Clock EEC mode of operation is based on the area of deployment Step 4 network clock select mode nonrevert revert Optional Configure the reference switching mode to determine the action to be taken if an input clock with a higher priority than the selected reference becomes valid nonrevert The new clock does not immediately become valid but is selected only if th...

Page 136: ...code ami AMI encoding linecode b8zs B8ZS encoding Step 4 controller BITS output applique E1 2048KHz framing options linecode ami hdb3 or controller BITS output applique T1 framing d4 esf linecode ami b8zs line build out length Optional Configure the controller BITS output framing and coding options For E1 output 2048KHz Select 2048 KHz input framing Select one of these options fas_crc4 FASCRC4 fas...

Page 137: ...ou can force selection of a particular network clock or select automatic clock selection where the switch uses the selection algorithm based on the priority and the validity of the input Beginning in privileged EXEC mode use this step to set the SyncE network clock Step 7 show controller BITS Verify the configuration Step 8 copy running config startup config Optional Save your entries in the switc...

Page 138: ...nce switching mode so that if an input clock with a higher priority than the selected reference becomes valid the higher priority clock is immediately selected This is required in a ring topology Step 5 ql enabled rep segment segment id Identify a REP segment to use for the REP workaround The segment id range is from 1 to 1024 Step 6 network clock select hold off timeout value Optional Configure t...

Page 139: ...nfig if exit Switch config network clock select mode revert Switch config network clock select wait to restore timeout 300 Switch config network clock select hold off timeout 300 Switch config end Monitoring SyncE Use these privileged EXEC commands to view SyncE configuration on a switch show controller BITS Switch show controller BITS Applique type is T1 Line Coding is B8ZS Rx B8ZS Tx Framing is ...

Page 140: ...ck Mode Non Revertive EEC Option Configured Option 2 System Clock State is Automatic hold timeout infinite ESMC SSM workaround using REP not configured Measured offset freq for input BITS is 0 0ppm 3 8 ppm resolution Measured offset freq for input Te0 1 is 0 0ppm 3 8 ppm resolution Measured offset freq for input Te0 2 is 0 0ppm 3 8 ppm resolution Measured offset freq for current path T4 DPLL is 0 ...

Page 141: ...enerates a system message If you enter a descriptive name for the alarm that name is included in the system message A triggered alarm also turns on the LED display the LED is normally off meaning no alarm See the Cisco ME 3800X and ME 3600X Hardware Installation Guide for information about the LEDs The alarm trigger setting is open or closed If not set the alarm is triggered when the circuit clos...

Page 142: ...on about the alarm commands see the command reference for this release Note The switch supports the CISCO ENTITY ALARM MIB for these alarms Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 alarm contact contact number description string Optional Configure a description for the alarm contact number The contact number can be from 1 to 4 The description string can be u...

Page 143: ...t 2 description door sensor Switch config alarm contact 2 severity major Switch config alarm contact 2 trigger closed Switch config end Switch config show env alarm contact Switch show env alarm contact ALARM CONTACT 1 Status not asserted Description test_1 Severity critical Trigger open ALARM CONTACT 2 Status not asserted Description door sensor Severity major Trigger closed ALARM CONTACT 3 Statu...


Page 145: ...rom outside the network through an asynchronous port connect from outside the network through a serial port or connect through a terminal or workstation from within the local network To prevent unauthorized access into your switch you should configure one or more of these security features At a minimum you should configure passwords and privileges at each switch port These passwords are locally st...

Page 146: ...ote For complete syntax and usage information for the commands used in this section see the Cisco IOS Security Command Reference Release 12 4 Default Password and Privilege Level Configuration page 8 2 Setting or Changing a Static Enable Password page 8 3 Protecting Enable and Enable Secret Passwords with Encryption page 8 3 Disabling Password Recovery page 8 5 Setting a Telnet Password for a Term...

Page 147: ...any privilege level you specify We recommend that you use the enable secret command because it uses an improved encryption algorithm If you configure the enable secret command it takes precedence over the enable password command the two commands cannot be in effect simultaneously Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 enable password password Define a new ...

Page 148: ...bal configuration mode Step 2 enable password level level password encryption type encrypted password or enable secret level level password encryption type encrypted password Define a new password or change an existing password for access to privileged EXEC mode or Define a secret password which is saved using a nonreversible encryption method Optional For level the range is from 0 to 15 Level 1 i...

Page 149: ...e end user interrupts the boot process and sets the system back to default values Do not keep a backup copy of the configuration file on the switch We recommend that you also keep a backup copy of the VLAN database file on a secure server When the switch is returned to the default system configuration you can download the saved files to the switch by using the XMODEM protocol For more information ...

Page 150: ...that user can access the switch If you have defined privilege levels you can also assign a specific privilege level with associated rights and privileges to each username and password pair Command Purpose Step 1 Attach a PC or workstation with emulation software to the switch console port The default data characteristics of the console port are 9600 8 1 no parity You might need to press the Return...

Page 151: ...formation Setting the Privilege Level for a Command page 8 8 Changing the Default Privilege Level for Lines page 8 9 Logging into and Exiting a Privilege Level page 8 9 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 username name privilege level password encryption type password Enter the username privilege level and password for each user For name specify the use...

Page 152: ...nd Purpose Step 1 configure terminal Enter global configuration mode Step 2 privilege mode level level command Set the privilege level for a command For mode enter configure for global configuration mode exec for EXEC mode interface for interface configuration mode or line for line configuration mode For level the range is from 0 to 15 Level 1 is for normal user EXEC mode privileges Level 15 is th...

Page 153: ... into and Exiting a Privilege Level Beginning in privileged EXEC mode follow these steps to log in to a specified privilege level and to exit to a specified privilege level Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 line vty line Select the virtual terminal line on which to restrict access Step 3 privilege level level Change the default privilege level for the...

Page 154: ...on that provides centralized validation of users attempting to gain access to your switch TACACS services are maintained in a database on a TACACS daemon typically running on a UNIX or Windows NT workstation You should have access to and should configure a TACACS server before configuring TACACS features on your switch TACACS provides for separate and modular authentication authorization and a...

Page 155: ...ntrol session duration or protocol support You can also enforce restrictions on what commands a user can execute with the TACACS authorization feature Accounting Collects and sends information used for billing auditing and reporting to the TACACS daemon Network managers can use the accounting facility to track user activity for a security audit or to provide information for user billing Accounting...

Page 156: ... undergoes an additional authorization phase if authorization has been enabled on the switch Users must first successfully complete TACACS authentication before proceeding to TACACS authorization 3 If TACACS authorization is required the TACACS daemon is again contacted and it returns an ACCEPT or REJECT authorization response If an ACCEPT response is returned the response contains data in the for...

Page 157: ...n group servers to select a subset of the configured server hosts and use them for a particular service The server group is used with a global server host list and contains the list of IP addresses of the selected server hosts Beginning in privileged EXEC mode follow these steps to identify the IP host or host maintaining TACACS server and optionally set the encryption key Command Purpose Step 1 c...

Page 158: ... can designate one or more security protocols to be used for authentication thus ensuring a backup system for authentication in case the initial method fails The software uses the first method listed to authenticate users if that method fails to respond the software selects the next authentication method in the method list This process continues until there is successful communication with a liste...

Page 159: ... using the enable password global configuration command group tacacs Uses TACACS authentication Before you can use this authentication method you must configure the TACACS server For more information see the Identifying the TACACS Server Host and Setting the Authentication Key section on page 8 13 line Use the line password for authentication Before you can use this authentication method you must ...

Page 160: ...ation has been configured Beginning in privileged EXEC mode follow these steps to specify TACACS authorization for privileged EXEC access and network services To disable authorization use the no aaa authorization network exec method1 global configuration command Starting TACACS Accounting The AAA accounting feature tracks the services that users are accessing and the amount of network resources th...

Page 161: ...tion see the Cisco IOS Security Command Reference Release 12 2 These sections contain this configuration information Understanding RADIUS page 8 17 RADIUS Operation page 8 19 Configuring RADIUS page 8 19 Displaying the RADIUS Configuration page 8 30 Understanding RADIUS RADIUS is a distributed client server system that secures networks against unauthorized access RADIUS clients run on supported Ci...

Page 162: ...t step when you make a transition to a TACACS server See Figure 8 2 on page 8 18 Network in which the user must only access a single service Using RADIUS you can control user access to a single host to a single utility such as Telnet or to the network through a protocol Networks that require resource accounting You can use RADIUS accounting independently of RADIUS authentication or authorization T...

Page 163: ...how to configure your switch to support RADIUS At a minimum you must identify the host or hosts that run the RADIUS server software and define the method lists for RADIUS authentication You can optionally define method lists for RADIUS authorization and accounting A method list defines the sequence and methods to be used to authenticate to authorize or to keep accounts on a user You can use method...

Page 164: ...on a server at the same IP address If two different host entries on the same RADIUS server are configured for the same service for example accounting the second host entry configured acts as a fail over backup to the first one Using this example if the first host entry fails to provide accounting services the switch tries the second host entry configured on the same device for accounting services ...

Page 165: ...ing of the radius server timeout command is used Optional For retransmit retries specify the number of times a RADIUS request is resent to a server if that server is not responding or responding slowly The range is 1 to 1000 If no retransmit value is set with the radius server host command the setting of the radius server retransmit global configuration command is used Optional For key string spec...

Page 166: ...st be applied to a specific port before any of the defined authentication methods are performed The only exception is the default method list which by coincidence is named default The default method list is automatically applied to all ports except those that have a named method list explicitly defined A method list describes the sequence and authentication methods to be queried to authenticate a ...

Page 167: ...use this authentication method you must define an enable password by using the enable password global configuration command group radius Use RADIUS authentication Before you can use this authentication method you must configure the RADIUS server For more information see the Identifying the RADIUS Server Host section on page 8 20 line Use the line password for authentication Before you can use this...

Page 168: ...r if each entry has a unique identifier the combination of the IP address and UDP port number allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service If you configure two different host entries on the same RADIUS server for the same service for example accounting the second configured host entry acts as a fail over backup to the first one You use the se...

Page 169: ...nsmit value is set with the radius server host command the setting of the radius server retransmit global configuration command is used Optional For key string specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server Note The key is a text string that must match the encryption key used on the RADIUS server Always configure the key as ...

Page 170: ... Privileged Access and Network Services AAA authorization limits the services available to a user When AAA authorization is enabled the switch uses information retrieved from the user s profile which is in the local user database or on the security server to configure the user s session The user is granted access to a requested service only if the information in the user profile allows it You can ...

Page 171: ...es To disable accounting use the no aaa accounting network exec start stop method1 global configuration command Step 3 aaa authorization exec radius Configure the switch for user RADIUS authorization if the user has privileged EXEC access The exec keyword might return user profile information such as autocommand information Step 4 end Return to privileged EXEC mode Step 5 show running config Verif...

Page 172: ...tributes The full set of features available for TACACS authorization can then be used for RADIUS For example this AV pair activates Cisco s multiple named ip address pools feature during IP authorization during PPP IPCP address assignment cisco avpair ip addr pool first Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 radius server key string Specify the shared secr...

Page 173: ...ed EXEC mode follow these steps to configure the switch to recognize and use VSAs For a complete list of RADIUS attributes or more information about vendor specific attribute 26 see the RADIUS Attributes appendix in the Cisco IOS Security Configuration Guide Release 12 2 Configuring the Switch for Vendor Proprietary RADIUS Server Communication Although an IETF draft standard for RADIUS specifies a...

Page 174: ...e evenly across all RADIUS servers in a server group For more information see the RADIUS Server Load Balancing chapter of the Cisco IOS Security Configuration Guide Release 12 2 http www ciscosystems com en US docs ios 12_2sb feature guide sbrdldbl html Displaying the RADIUS Configuration To display the RADIUS configuration use the show running config privileged EXEC command Command Purpose Step 1...

Page 175: ...he trusted third party can be a Cisco ME switch that supports Kerberos that is configured as a network security server and that can authenticate users by using the Kerberos protocol Understanding Kerberos Kerberos is a secret key network authentication protocol which was developed at the Massachusetts Institute of Technology MIT It uses the Data Encryption Standard DES cryptographic algorithm for ...

Page 176: ...e of the form user REALM for example smith EXAMPLE COM A Kerberos principal with a Kerberos instance has the form user instance REALM for example smith admin EXAMPLE COM The Kerberos instance can be used to specify the authorization level for the user if authentication is successful The server of each network service might implement and enforce the authorization mappings of Kerberos instances but ...

Page 177: ...and password 3 The switch requests a TGT from the KDC for this user 4 The KDC sends an encrypted TGT that includes the user identity to the switch KEYTAB3 A password that a network service shares with the KDC In Kerberos 5 and later Kerberos versions the network service authenticates an encrypted service credential by using the KEYTAB to decrypt it In Kerberos versions earlier than Kerberos 5 KEYT...

Page 178: ...US docs ios 12_2 security configuration guide scfkerb html Authenticating to Network Services This section describes the third layer of security through which a remote user must pass The user with a TGT must now authenticate to the network services in a Kerberos realm For instructions about how to authenticate to a network service see the Authenticating to Network Services section in the Security ...

Page 179: ... default local Set the login authentication to use the local username database The default keyword applies the local user database authentication to all ports Step 4 aaa authorization exec local Configure user AAA authorization check the local database and allow the user to run an EXEC shell Step 5 aaa authorization network local Configure user AAA authorization for all network related service req...

Page 180: ...US docs ios security command reference sec_book html Understanding SSH SSH is a protocol that provides a secure remote connection to a device SSH provides more security for remote connections than Telnet does by providing strong encryption when a device is authenticated This software release supports SSH Version 1 SSHv1 and SSH Version 2 SSHv2 This section consists of these topics SSH Servers Inte...

Page 181: ...ation Guidelines Follow these guidelines when configuring the switch as an SSH server or SSH client An RSA key pair generated by an SSHv1 server can be used by an SSHv2 server and the reverse If you get CLI error messages after entering the crypto key generate rsa global configuration command an RSA key pair has not been generated Reconfigure the hostname and domain and then enter the crypto key ge...

Page 182: ...SSH server Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 hostname hostname Configure a hostname for your switch Step 3 ip domain name domain_name Configure a host domain for your switch Step 4 crypto key generate rsa Enable the SSH server for local and remote authentication on the switch and generate an RSA key pair We recommend that a minimum modulus size of 102...

Page 183: ...conds authentication retries number Configure the SSH control parameters Specify the time out value in seconds the default is 120 seconds The range is 0 to 120 seconds This parameter applies to the SSH negotiation phase After the connection is established the switch uses the default time out values of the CLI based sessions By default up to five simultaneous encrypted SSH connections for multiple ...

Page 184: ...n prompted Information About Secure Copy To configure the Secure Copy feature you should understand these concepts The behavior of SCP is similar to that of remote copy rcp which comes from the Berkeley r tools suite except that SCP relies on SSH for security SCP also requires that authentication authorization and accounting AAA authorization be configured so the router can determine whether the u...

Page 185: ... Note For complete syntax and usage information for the commands used in this chapter see the switch command reference for this release and the online Cisco IOS Interface Command Reference Release 12 2 Understanding Interface Types This section describes the different types of interfaces supported by the switch with references to chapters that contain more detailed information about configuring th...

Page 186: ... configuration file by entering the copy running config startup config privileged EXEC command Add ports to a VLAN by using the switchport interface configuration commands Identify the interface For a trunk port set trunk characteristics and if desired define the VLANs to which it can belong For an access port set and define the VLAN to which it belongs To isolate VLANs of different customers in a...

Page 187: ...ed state For more information about trunk ports see Chapter 10 Configuring VLANs Routed Ports A routed port is a physical port that acts like a port on a router it does not have to be connected to a router A routed port is not associated with a particular VLAN as is an access port A routed port behaves like a regular router interface except that it does not support VLAN subinterfaces Routed ports ...

Page 188: ...esource limitations are reached SVIs are created the first time that you enter the vlan interface configuration command for a VLAN interface The VLAN corresponds to the VLAN tag associated with data frames on an IEEE 802 1Q encapsulated trunk or the VLAN ID configured for an access port Configure a VLAN interface for each VLAN for which you want to route traffic and assign it an IP address For mor...

Page 189: ... cannot add an interface to a channel group if it has a service instance configured on it EFPs do not support routing EFPs do not support switchport commands Switch interfaces configured with service instances support a different range of features than interfaces that do not have service instances For more information on EVCs see Chapter 11 Configuring Ethernet Virtual Connections EVCs Connecting ...

Page 190: ...form factor pluggable SFP module Gigabit Ethernet interfaces Module number The module or slot number on the switch always 0 on the Cisco ME switch Port number The interface number on the switch The port numbers always begin at 1 starting with the leftmost port when facing the front of the switch for example gigabitethernet 0 1 If there is more than one interface type for example 10 100 1000 ports ...

Page 191: ...interface Configuring a Range of Interfaces You can use the interface range global configuration command to configure multiple interfaces with the same configuration parameters When you enter the interface range configuration mode all command parameters that you enter are attributed to all interfaces within that range until you exit this mode Beginning in privileged EXEC mode follow these steps to...

Page 192: ...ed on ports 1 and 2 to 100 Mb s Switch configure terminal Switch config interface range gigabitethernet0 1 2 Switch config if range speed 100 This example shows how to use a comma to add different interface type strings to the range to enable Fast Ethernet ports 1 to 3 and Gigabit Ethernet ports 1 and 2 to receive IEEE 802 3x flow control pause frames Switch configure terminal Switch config interf...

Page 193: ...as interface ranges All interfaces defined as in a range must be the same type all Fast Ethernet ports all Gigabit Ethernet ports all EtherChannel ports or all VLANs but you can combine multiple interface types in a macro This example shows how to define an interface range named enet_list to include ports 1 and 2 and to verify the macro configuration Switch configure terminal Switch config define ...

Page 194: ...te the interface range macro enet_list and to verify that it was deleted Switch configure terminal Switch config no define interface range enet_list Switch config end Switch show run include define Switch Using the Ethernet Management Port Understanding the Ethernet Management Port page 9 10 Supported Features on the Ethernet Management Port page 9 12 Configuring the Ethernet Management Port page ...

Page 195: ...le with Routing Protocols Enabled In Figure 9 3 if the Ethernet management port and the network ports are associated with the same routing process the routes are propagated in this manner The routes from the Ethernet management port are propagated through the network ports to the network The routes from the network ports are propagated through the Ethernet management port to the network Because ro...

Page 196: ...ature is supported If you try to configure an unsupported feature on the Ethernet Management port the feature might not work properly and the switch might fail Configuring the Ethernet Management Port To specify the Ethernet management port in the CLI enter gigabitethernet0 To disable the port use the shutdown interface configuration command To enable the port use the no shutdown interface configu...

Page 197: ... to which the interface is connected When you put an interface that is in Layer 3 mode into Layer 2 mode the previous configuration information related to the affected interface might be lost and the interface is returned to its default configuration Table 1 Boot Loader Commands Command Description arp ip_address Displays the currently cached ARP1 table when this command is entered without the ip_...

Page 198: ...abit Ethernet ports to half duplex mode if the speed is 10 or 100 Mb s Half duplex mode is not supported on Gigabit Ethernet ports operating at 1000 Mb s You cannot configure speed on SFP module ports or on 10 Gigabit Ethernet ports but you can configure speed to not negotiate nonegotiate if connected to a device that does not support autonegotiation Table 9 2 Default Ethernet Configuration Featur...

Page 199: ... is available it puts the interface in half duplex mode the default for this SFP module because the 100BASE FX SFP module does not support autonegotiation If both ends of the line support autonegotiation we highly recommend the default setting of auto negotiation If one interface supports autonegotiation and the other end does not configure duplex and speed on both interfaces do not use the auto s...

Page 200: ...100 or the 1000 keywords with the auto keyword the port autonegotiates only at the specified speeds The nonegotiate keyword is available only for 10 Gigabit Ethernet ports or for SFP module ports SFP module ports operate only at 1000 Mb s but can be configured to not negotiate if connected to a device that does not support autonegotiation Note When a Cisco1000BASE T SFP module is in the SFP module...

Page 201: ...ched device that is required to or can send pause frames the port can receive pause frames receive off IEEE 802 3x flow control does not operate in either direction In case of congestion no indication is given to the link partner and no pause frames are sent or received by either device Note For details on the command settings and the resulting IEEE 802 3x flow control resolution on local and remo...

Page 202: ...hows the link states that result from auto MDIX settings and correct and incorrect cabling Beginning in privileged EXEC mode follow these steps to configure auto MDIX on an interface To disable auto MDIX use the no mdix auto interface configuration command This example shows how to enable auto MDIX on a port Switch configure terminal Switch config interface gigabitethernet0 1 Switch config if spee...

Page 203: ...onfiguring Layer 3 Interfaces The switch supports these types of Layer 3 interfaces SVIs You should configure SVIs for any VLANs for which you want to route traffic SVIs are created when you enter a VLAN ID following the interface vlan global configuration command To delete an SVI use the no interface vlan global configuration command You cannot delete interface VLAN 1 Note When you create an SVI ...

Page 204: ...erface Note If the physical port is in Layer 2 mode the default you must enter the no switchport interface configuration command to put the interface into Layer 3 mode Entering a no switchport command disables and then re enables the interface which might generate messages on the device to which the interface is connected Furthermore when you put an interface that is in Layer 2 mode into Layer 3 m...

Page 205: ...rs page 9 23 Shutting Down and Restarting the Interface page 9 23 Monitoring Interface Status Commands entered at the privileged EXEC prompt display information about the interface including the versions of the software and the hardware the configuration and statistics about the interfaces Table 9 4 lists some of these interface monitoring commands You can display the full list of show commands by...

Page 206: ...r properties threshold table Display these physical and operational status about an SFP module interface id Optional Display configuration and status for a specified physical interface detail Optional Display calibration properties including high and low numbers and any alarm information for any Digital Optical Monitoring DoM capable transceiver if one is installed in the switch dom supported list...

Page 207: ...interface and marks the interface as unavailable on all monitoring command displays This information is communicated to other network servers through all dynamic routing protocols The interface is not mentioned in any routing updates Beginning in privileged EXEC mode follow these steps to shut down an interface Use the no shutdown interface configuration command to enable an interface To verify th...

Page 209: ...nks page 10 9 Understanding VLANs A VLAN is a switched network that is logically segmented by function project team or application without regard to the physical locations of the users VLANs have the same attributes as physical LANs but you can group end stations even if they are not physically located on the same LAN segment Any switch port can belong to a VLAN and unicast broadcast and multicast...

Page 210: ...sing this method it is known as interface based or static VLAN membership Note The switch does not support VLAN Trunking Protocol VTP Traffic between VLANs must be routed Switches can route traffic between VLANs by using switch virtual interfaces SVIs that are explicitly configured and assigned an IP address For more information see the Switch Virtual Interfaces section on page 9 4 and the Configu...

Page 211: ...1001 in the VLAN database VLAN IDs 1 and 1002 to 1005 are automatically created and cannot be removed Configurations for VLAN IDs 1 to 1005 are written to the file vlan dat VLAN database and you can display them by entering the show vlan privileged EXEC command The vlan dat file is stored in flash memory Caution You can cause inconsistency in the VLAN database if you try to manually delete the vla...

Page 212: ...es You configure a port to belong to a VLAN by assigning a membership mode that specifies the kind of traffic that the port carries and the number of VLANs to which it can belong Table 10 1 lists the membership modes and characteristics For more detailed definitions of access and trunk modes and their functions see Table 10 4 on page 10 10 When a port belongs to a VLAN the switch learns and manage...

Page 213: ...ain VLAN configuration information Default Ethernet VLAN Configuration page 10 5 VLAN Configuration Guidelines page 10 6 Creating or Modifying an Ethernet VLAN page 10 7 Assigning Static Access Ports to a VLAN page 10 8 Displaying VLANs page 10 9 For more efficient management of the MAC address table space available on the switch you can control which VLANs learn MAC addresses by disabling MAC add...

Page 214: ...p in the new VLAN that would not be broken particularly if there are several adjacent switches that all have run out of spanning tree instances You can prevent this possibility by setting allowed lists on the trunk ports of switches that have used up their allocation of spanning tree instances If the number of VLANs on the switch exceeds the number of supported spanning tree instances we recommend...

Page 215: ...nfiguration file by using the copy running config startup config privileged EXEC command Beginning in privileged EXEC mode follow these steps to create or modify an Ethernet VLAN To delete a VLAN use the no vlan vlan id global configuration command You cannot delete VLAN 1 or VLANs 1002 to 1005 Caution When you delete a VLAN any ports assigned to that VLAN become inactive They remain associated wi...

Page 216: ...e steps to assign a port to a VLAN in the VLAN database To return an interface to its default configuration use the default interface interface id interface configuration command This example shows how to configure a port as an access port in VLAN 2 Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config interface gigabitethernet0 1 Switch config if switchpo...

Page 217: ...d another networking device such as a router or a switch Ethernet trunks carry the traffic of multiple VLANs over a single link and you can extend the VLANs across an entire network The switch supports the IEEE 802 1Q industry standard trunking encapsulation You can configure a trunk on a single Ethernet interface or on an EtherChannel bundle For more information about EtherChannels see Chapter 28...

Page 218: ... spanning tree loops might result Disabling spanning tree on the native VLAN of an IEEE 802 1Q trunk without disabling spanning tree on every VLAN in the network can potentially cause spanning tree loops We recommend that you leave spanning tree enabled on the native VLAN of an IEEE 802 1Q trunk or disable spanning tree on every VLAN in the network Make sure that your network is loop free before d...

Page 219: ...EE 802 1Q trunk port To return an interface to its default configuration use the default interface interface id interface configuration command To reset all trunking characteristics of a trunking interface to the defaults use the no switchport trunk interface configuration command To disable trunking use the switchport mode access interface configuration command to configure the port as a static a...

Page 220: ...o disable VLAN 1 on any individual VLAN trunk link so that no user traffic including spanning tree advertisements is sent or received on VLAN 1 You do this by removing VLAN 1 from the allowed VLAN list To reduce the risk of spanning tree loops or storms you can disable VLAN 1 on any individual VLAN trunk port by removing VLAN 1 from the allowed list When you remove VLAN 1 from a trunk port the int...

Page 221: ... Considerations section on page 10 10 Beginning in privileged EXEC mode follow these steps to configure the native VLAN on an IEEE 802 1Q trunk Step 4 switchport trunk allowed vlan add all except remove vlan list Optional Configure the list of VLANs allowed on the trunk For explanations about using the add all except and remove keywords see the command reference for this release The vlan list para...

Page 222: ...e switch uses the STP port priority to decide which port is enabled and which port is in a blocking state You can set the priorities on a parallel STP trunk port so that the port carries all the traffic for a given VLAN The trunk port with the higher priority lower values for a VLAN is forwarding traffic for that VLAN The trunk port with the lower priority higher values for the same VLAN remains i...

Page 223: ...d Purpose Step 7 show vlan Verify that the referenced VLANs exist on Switch A If not create the VLANs by entering the VLAN IDs Step 8 configure terminal Enter global configuration mode Step 9 interface gigabitethernet 0 1 Define the interface to be configured as the Trunk 1 interface and enter interface configuration mode Step 10 switchport mode trunk Configure the port as a trunk port Step 11 spa...

Page 224: ... Trunk port 1 and enter interface configuration mode Step 3 switchport mode trunk Configure the port as a trunk port Step 4 exit Return to global configuration mode Step 5 interface gigabitethernet0 2 Define the interface to be configured as Trunk port 2 and enter interface configuration mode Step 6 switchport mode trunk Configure the port as a trunk port Step 7 end Return to privileged EXEC mode ...

Page 225: ...nk 2 with a path cost of 30 for VLANs 8 through 10 Step 17 Repeat Steps 9 through 11 on the other configured trunk interface on Switch A and set the spanning tree path cost to 30 for VLANs 8 9 and 10 Step 18 exit Return to privileged EXEC mode Step 19 show running config Verify your entries In the display verify that the path costs are set correctly for both trunk interfaces Step 20 copy running c...

Page 227: ...have its own matching criteria and rewrite operation An incoming frame is matched against EFP matching criteria on the interface learned on the matching EFP and forwarded to one or more EFPs in the bridge domain If there are no matching EFPs the frame is dropped You can use EFPs to configure VLAN translation For example if there are two EFPs egressing the same interface each EFP can have a differe...

Page 228: ...ure EFPs as members of a bridge domain up to 64 EFPs per bridge domain Rewrite VLAN translation Pop symmetric only the supported rewrite configuration implies egress pushing adding a tag pop 1 removes the outermost tag pop 2 removes the two outermost tags pop symmetric adds a tag or 2 tags for pop 2 symmetric on egress for a push operation QinQ with rewrite Ingress rewrite is not supported EVC for...

Page 229: ...unique number per interface but you can use the same number on different interfaces because service instances on different ports are not related If you have defined an EVC by entering the ethernet evc evc id global configuration command you can associate the EVC with the service instance optional There is no default behavior for a service instance You can configure a service instance only on trunk...

Page 230: ... switchport commands are available access backup block host mode and trunk When one or more service instances are configured on a Layer 2 port no switchport commands are accepted on that interface Encapsulation Encapsulation defines the matching criteria that maps a VLAN a range of VLANs class of service CoS bits Ethertype or a combination of these to a service instance You configure encapsulation ...

Page 231: ...he payload encapsulation type after VLAN encapsulation ethertype The etype string can have these values ipv4 ipv6 pppoe discovery pppoe session or pppoe all Matches any or an exact outermost VLAN or VLAN range and a payload ethertype encapsulation dot1q vlan_id cos cos_value second dot1q vlan id cos cos_value CoS value encapsulation defines match criterion after including the CoS for the S Tag and...

Page 232: ...up cannot forward data between each other but can forward data between other service instances that are in the same bridge domain but not in the same split horizon group Service instances do not have to be in a split horizon group If a service instance does not belong to a group it can send and receive from all ports within the bridge domain A service instance cannot join more than one split horiz...

Page 233: ...tion default or encapsulation any the symmetric keyword is not accepted for rewrite operations The ME 3800X and ME 3600X switches support only these rewrite commands rewrite ingress tag pop 1 symmetric rewrite ingress tag pop 2 symmetric The switch does not support rewrite commands for ingress push and translate in this release However you can use the rewrite ingress tag pop symmetric command to a...

Page 234: ... 8000 bridge domains All licenses support a maximum of 64 EFPs per bridge domain You can configure a service instance only on trunk ports with no allowed VLANs Any other configuration is not allowed To configure a service instance on an interface these commands are prerequisites Switch config interface gigabitethernet0 2 Switch config if switchport mode trunk Switch config if switchport allowed vl...

Page 235: ...instance and enter service instance configuration mode The number is the EFP identifier an integer from 1 to 4000 Optional ethernet name is the name of a previously configured EVC You do not need to use an EVC name in a service instance Step 6 encapsulation default dot1q priority tagged untagged Configure encapsulation type for the service instance default Configure to match all unmatched packets ...

Page 236: ...terfaces Gigabit Ethernet 0 1 and 0 2 can bridge between each other Switch config interface gigabitethernet0 1 Switch config if service instance 1 Ethernet Switch config if srv encapsulation dot1q 10 Switch config if srv bridge domain 10 Switch config interface gigabitethernet0 2 Switch config if service instance 1 Ethernet Switch config if srv encapsulation dot1q 10 Switch config if srv bridge do...

Page 237: ...ch config if srv bridge domain 8000 Rewrite In this example a packet that matches the encapsulation will have one tag removed popped off The symmetric keyword allows the reverse direction to have the inverse action a packet that egresses out this service instance will have the encapsulation VLAN 10 added pushed on Switch config interface gigabitethernet0 1 Switch config if service instance 1 Ether...

Page 238: ...Switch config if srv encapsulation dot1q 20 Switch config if srv rewrite ingress tag pop 1 symmetric Switch config if srv bridge domain 5000 Egress Filtering In EVC switching egress filtering is performed before the frame is sent on the egress EFP Egress filtering ensures that when a frame is sent it conforms to the matching criteria of the service instance applied on the ingress direction EFP doe...

Page 239: ...abitethernet 0 1 Switch config if switchport mode trunk Switch config if switchport trunk allowed vlan none Switch config if service instance 1 ethernet Switch config if srv encapsulation default Switch config if srv bridge domain 10 Switch config if srv exit Switch config if service instance 2 ethernet Switch config if srv encapsulation dot1q 10 Switch config if srv bridge domain 10 Example 2 Serv...

Page 240: ...vice instance 1 Ethernet Switch config if srv encapsulation dot1q 10 second dot1q 20 Switch config if srv rewrite ingress tag pop 2 symmetric Switch config if srv bridge domain 2 Switch config if srv exit Switch config if service instance 2 Ethernet Switch config if srv encapsulation dot1q 30 Switch config if srv bridge domain 2 Example 2 Service instance 1 pops two tags at ingress and service instanc...

Page 241: ...of these examples if service instance 2 was configured before service instance 1 the configuration for service instance 1 would be rejected Configuring Other Features on EFPs EFPs and EtherChannels page 11 15 EFPs and Layer 2 Protocols page 11 16 MAC Address Forwarding Learning and Aging on EFPs page 11 16 Configuring IEEE 802 1Q Tunneling and Layer 2 Protocol Tunneling using EFPs page 11 17 EFPs ...

Page 242: ...rames the bridge domain equal to the access VLAN configured in the interface is used If there is no matching entry in the Layer 2 forwarding table for the ingress frame the frame is flooded to all the ports within the bridge domain Flooding within the bridge domain occurs for unknown unicast unknown multicast and broadcast Dynamic addresses are addresses learned from the source MAC address when th...

Page 243: ...AN IDs and the number of VLANs to be supported The VLAN ranges required by different customers in the same service provider network might overlap and traffic of customers through the infrastructure might be mixed Assigning a unique range of VLAN IDs to each customer would restrict customer configurations and could easily exceed the VLAN limit 4096 of the 802 1Q specification Using the EVCs service...

Page 244: ...onfigure 802 1Q tunneling in two ways Method 1 In this example for Customer A interface Gigabit Ethernet 0 1 is the customer facing port and Gigabit Ethernet 0 2 is a trunk port facing the service provider network For Customer B Gigabit Ethernet 0 3 is the customer facing port and Gigabit Ethernet 0 4 is the trunk port facing the service provider network Customer A Switch config interface gigabite...

Page 245: ... 5000 Switch config interface gigabitethernet0 4 Switch config if service instance 2 Ethernet Switch config if srv encapsulation dot1q 40 Switch config if srv rewrite ingress tag pop 1 symmetric Switch config if srv bridge domain 5000 Method 2 QinQ is also supported when sending packets between an EFP and a switchport trunk because the switchport trunk is implicitly defined as rewrite ingress tag pop 1 sy...

Page 246: ...fig if switchport trunk allowed vlan none Switch config if switchport mode trunk Switch config if service instance 10 Ethernet Switch config if srv encapsulation dot1q 10 Switch config if srv rewrite ingress tag pop 1 symmetric Switch config if srv bridge domain 10 Egress port configuration Switch config interface gigabitethernet0 2 Switch config if switchport trunk allowed vlan none Switch config...

Page 247: ...h config if srv bridge domain 10 Egress port configuration Switch config interface gigabitethernet0 2 Switch config if switchport trunk allowed vlan none Switch config if switchport mode trunk Switch config if service instance 10 Ethernet Switch config if srv encapsulation dot1q 30 second dot1q 40 Switch config if srv rewrite ingress tag pop 2 symmetric Switch config if srv bridge domain 10 Layer ...

Page 248: ...ol tunneling to tunnel BPDUs through a service provider network without interfering with internal provider network BPDUs Note On ME 3800X and ME 3600X switches Layer 2 protocol tunneling is supported on EFPs but not on switchports In Figure 11 3 Customer X has four switches in the same VLAN which are connected through the service provider network If the network does not tunnel PDUs switches on the...

Page 249: ...c creation of EtherChannels without needing dedicated lines Figure 11 5 Layer 2 Protocol Tunneling for EtherChannels Use the l2protocol tunnel protocol service instance configuration command to enable Layer 2 protocol tunneling on a service instance Valid protocols include CDP DTP LACP LLDP PAgP STP VTP and UDLD If a protocol is not specified for a service instance the protocol frame is dropped at...

Page 250: ...ports also still apply See the EoMPLS and EVC section on page 34 35 for more information and a configuration example Bridge Domain Routing The switch supports IP routing and multicast routing for bridge domains including Layer 3 and Layer 2 VPNs using the SVI model These are the limitations You must configure SVIs for bridge domain routing The bridge domain must be in the range of 1 to 4094 to mat...

Page 251: ...Ps and switchports in the same switch is a typical configuration in the edge of the network where network facing interfaces are switchports and user network interfaces are EVC ports where various VLAN rewrites take place The user facing interfaces have EVC configuration because the incoming VLANs are only significant on the ingress interface customer VLANs which requires VLAN tagging modification ...

Page 252: ...ion dot1q 1000 Switch config if srv bridge domain 1000 When data packets are forwarded between EFPs and switchports the EFP and switchport configurations are applied to the packet This removes the ambiguity of the tagging behavior between them The following illustrations show tagging behavior between an EFP and a switchport A switchport trunk has an implicit outer VLAN pop at ingress and an implic...

Page 253: ...0 On egress at the switchport a VLAN tag equal to the bridge domain VLAN 10 is pushed and the double tagged packet VLAN 10 and 20 goes out the switchport Figure 11 8 Untagged Traffic Between a Switchport with Native or Access VLAN and an EFP with Rewrite At ingress on the switchport an untagged packet is bridged over bridge domain 10 On egress at the EFP after a rewrite a VLAN tag equal to the enc...

Page 254: ... a single tagged packet VLAN 20 is bridged over bridge domain 10 On egress at the switchport a VLAN tag corresponding to the bridge domain VLAN 10 is pushed and a double tagged packet VLAN 10 and VLAN 20 is sent out on the switchport Figure 11 11 Untagged Traffic From a Switchport with Native or Access VLAN to an EFP with No Rewrite After ingress at the switchport the untagged packet is bridged ov...

Page 255: ... mapped to a bridge domain must belong to the same MST instance or loops could occur For all EFPs that are mapped to the same MST instance you must configure backup EFPs on every redundant path to prevent loss of connectivity due to STP blocking a port When STP mode is PVST or PVRST EFP information is not passed to the protocol EVC supports only MSTP Changing STP mode from MST to PVST or PVRS...

Page 256: ...ays all the members of bridge domain n that belong to split horizon group 0 If you specify a numerical group_id this command displays all the members of the specified group id When you enter group all the command displays all members of any split horizon group show ethernet service instance detail This command displays detailed service instance information including Layer 2 protocol information Th...

Page 257: ...tistics command Switch show ethernet service instance id 1 interface gigabitEthernet 0 13 stats Service Instance 1 Interface GigabitEthernet0 13 Pkts In Bytes In Pkts Out Bytes Out 214 15408 97150 6994800 This is an example of output from the show mac address table count command Switch show mac address table count bridge domain 10 Mac Entries for BD 10 Dynamic Address Count 20 Static Address Count...

Page 259: ...command macro is a set of command line interface CLI commands that you define Command macros do not contain new CLI commands they are simply a group of existing CLI commands When you apply a command macro on an interface the CLI commands within the macro are configured on the interface When the macro is applied to an interface the existing interface configurations are not lost The new commands are...

Page 260: ...e invalid and are not applied When a macro is applied globally to a switch or to a switch interface all existing configuration on the interface is retained This is helpful when applying an incremental configuration If you modify a macro definition by adding or deleting commands the changes are not reflected on the interface where the original macro was applied You need to reapply the updated macro...

Page 261: ...a macro name A macro definition can contain up to 3000 characters Enter the macro commands with one command per line Use the character to end the macro Use the character at the beginning of a line to enter comment text within the macro Optional You can define keywords within a macro by using a help string to specify the keywords Enter macro keywords word to define the keywords that are available f...

Page 262: ... interface configuration mode and specify the interface on which to apply the macro Step 5 no shutdown Enable the port if necessary By default UNIs and enhanced network interfaces ENIs are disabled and network node interfaces NNIs are enabled Step 6 default interface interface id Optional Clear all configuration from the specified interface Step 7 macro apply trace macro name parameter value param...

Page 263: ...command snmp server enable traps linkup Applying command snmp server enable traps linkdown Applying command snmp server host Error Unknown error Applying command snmp server ip precedence 7 This example shows how to apply the user created macro called desktop config and to verify the configuration Switch config interface gigabitethernet0 2 Switch config if macro apply desktop config Switch config ...

Page 265: ... Fast root guard and so forth see Chapter 15 Configuring Optional Spanning Tree Features Note For complete syntax and usage information for the commands used in this chapter see the command reference for this release Understanding Spanning Tree Features page 13 1 Configuring Spanning Tree Features page 13 10 Displaying the Spanning Tree Status page 13 22 Understanding Spanning Tree Features STP Ov...

Page 266: ... in a loopback configuration The switch that has all of its ports as the designated role or the backup role is the root switch The switch that has at least one of its ports in the designated role is called the designated switch Spanning tree forces redundant data paths into a standby blocked state If a network segment in the spanning tree fails and a redundant path exists the spanning tree algorit...

Page 267: ...pagated on the network A BPDU exchange results in these actions One switch in the network is elected as the root switch the logical center of the spanning tree topology in a switched network For each VLAN the switch with the highest switch priority the lowest numerical priority value is elected as the root switch If all switches are configured with the default priority 32768 the switch with the lo...

Page 268: ... when protocol information passes through a switched LAN As a result topology changes can take place at different times and at different places in a switched network When an STP port transitions directly from nonparticipation in the spanning tree topology to the forwarding state it can create temporary data loops Interfaces must wait for new topology information to propagate through the switched L...

Page 269: ...n the learning state the interface continues to block frame forwarding as the switch learns end station location information for the forwarding database 4 When the forward delay timer expires spanning tree moves the interface to the forwarding state where both learning and frame forwarding are enabled Blocking State A Layer 2 interface in the blocking state does not participate in frame forwarding...

Page 270: ... listening state An interface in the learning state performs these functions Discards frames received on the interface Discards frames switched from another interface for forwarding Learns addresses Receives BPDUs Forwarding State A Layer 2 interface in the forwarding state forwards frames The interface enters the forwarding state from the learning state An interface in the forwarding state perfor...

Page 271: ...ork might not be ideal For instance connecting higher speed links to an interface that has a higher number than the root port can cause a root port change The goal is to make the fastest link the root port For example assume that one port on Switch B is a Gigabit Ethernet link and that another port on Switch B a 10 100 link is the root port Network traffic might be more efficient over the Gigabit ...

Page 272: ...ckets as unknown multicast addresses Accelerated Aging to Retain Connectivity The default for aging dynamic addresses is 5 minutes the default setting of the mac address table aging time global configuration command However a spanning tree reconfiguration can cause many station locations to change Because these stations could be unreachable for 5 minutes or more during a reconfiguration the addres...

Page 273: ... learned MAC address entries on a per port basis upon receiving a topology change By contrast PVST uses a short aging time for dynamically learned MAC address entries The rapid PVST uses the same configuration as PVST except where noted and the switch needs only minimal extra configuration The benefit of rapid PVST is that you can migrate a large PVST install base to rapid PVST without having to l...

Page 274: ...tree instance for each VLAN allowed on the trunks When you connect a Cisco switch to a non Cisco device through an IEEE 802 1Q trunk the Cisco switch uses PVST to provide spanning tree interoperability If rapid PVST is enabled the switch uses it instead of PVST The switch combines the spanning tree instance of the IEEE 802 1Q VLAN of the trunk with the spanning tree instance of the non Cisco 802 1...

Page 275: ...ing MSTP If 128 instances of spanning tree are already in use you can disable spanning tree on STP ports in one of the VLANs and then enable it on the VLAN where you want it to run Use the no spanning tree vlan vlan id global configuration command to disable spanning tree on a specific VLAN and use the spanning tree vlan vlan id global configuration command to enable spanning tree on the desired V...

Page 276: ...ensive to add another VLAN to the network Spanning tree commands control the configuration of VLAN spanning tree instances You create a spanning tree instance when you assign an STP port an NNI or ENI with STP enabled to a VLAN The spanning tree instance is removed when the last port is moved to another VLAN You can configure switch and port parameters before a spanning tree instance is created th...

Page 277: ...figuration mode Valid interfaces include physical ports VLANs and port channels The VLAN ID range is 1 to 4094 The port channel range is 1 to 26 Step 4 spanning tree link type point to point Recommended only for rapid PVST mode Specify that the link type for this port is point to point If you connect this port to a remote port through a point to point link and the local port becomes a designated p...

Page 278: ...tree vlan vlan id root global configuration command fails if the value necessary to be the root switch is less than 1 If your network consists of switches that both do and do not support the extended system ID it is unlikely that the switch with the extended system ID support will become the root switch The extended system ID increases the switch priority value every time the VLAN number is greate...

Page 279: ...oot switches Use the same network diameter and hello time values that you used when you configured the primary root switch with the spanning tree vlan vlan id root primary global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree vlan vlan id root primary diameter net diameter hello time seconds Configure a switch to become the root...

Page 280: ...ocks the other interfaces Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree vlan vlan id root secondary diameter net diameter hello time seconds Configure a switch to become the secondary root for the specified VLAN For vlan id you can specify a single VLAN identified by VLAN ID number a range of VLANs separated by a hyphen or a series of VLANs separate...

Page 281: ...LAN only ports with spanning tree enabled in the VLAN will run spanning tree If the interface is a port channel all members of the port channel must have spanning tree enabled Step 3 spanning tree port priority priority Configure the port priority for the spanning tree port For priority the range is 0 to 240 in increments of 16 the default is 128 Valid values are 0 16 32 48 64 80 96 112 128 144...

Page 282: ...r global configuration mode Step 2 interface interface id Specify an interface to configure and enter interface configuration mode Valid interfaces include physical interfaces and port channel logical interfaces port channel port channel number Step 3 spanning tree cost cost Configure the cost for an interface If a loop occurs spanning tree uses the path cost when selecting an interface to place i...

Page 283: ...de follow these steps to configure the switch priority of a VLAN This procedure is optional To return to the default setting use the no spanning tree vlan vlan id priority global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree vlan vlan id priority priority Configure the switch priority of a VLAN For vlan id you can specify a sin...

Page 284: ...n Hello timer Controls how often the switch broadcasts hello messages to other switches Forward delay timer Controls how long each of the listening and learning states last before the STP port begins forwarding Maximum age timer Controls the amount of time the switch stores protocol information received on an STP port Command Purpose Step 1 configure terminal Enter global configuration mode Step 2...

Page 285: ...istening states to the forwarding state For vlan id you can specify a single VLAN identified by VLAN ID number a range of VLANs separated by a hyphen or a series of VLANs separated by a comma The range is 1 to 4094 For seconds the range is 4 to 30 the default is 15 Step 3 end Return to privileged EXEC mode Step 4 show spanning tree vlan vlan id Verify your entries Step 5 copy running config startu...

Page 286: ...about other keywords for the show spanning tree privileged EXEC command see the command reference for this release Table 13 5 Commands for Displaying Spanning Tree Status Command Purpose show spanning tree active Displays spanning tree information only on active spanning tree interfaces show spanning tree detail Displays a detailed summary of interface information show spanning tree interface inte...

Page 287: ...twork required in a service provider environment When the switch is in the MST mode the Rapid Spanning Tree Protocol RSTP which is based on IEEE 802 1w is automatically enabled The RSTP provides rapid convergence of the spanning tree through explicit handshaking that eliminates the IEEE 802 1D forwarding delay and quickly transitions root ports and designated ports to the forwarding state Both MST...

Page 288: ...by using the spanning tree mst configuration global configuration command after which the switch enters the MST configuration mode From this mode you can map VLANs to an MST instance by using the instance MST configuration command specify the region name by using the name MST configuration command and set the revision number by using the revision MST configuration command A region can have one mem...

Page 289: ...e ID and path cost to the CST root The IST master also is the CST root if there is only one region within the network If the CST root is outside the region one of the MSTP switches at the boundary of the region is selected as the IST master When an MSTP switch initializes it sends BPDUs claiming itself as the root of the CST and the IST master with both of the path costs to the CST root and to the...

Page 290: ... instance sends and receives BPDUs and MST instances add their spanning tree information into the BPDUs to interact with neighboring switches and compute the final spanning tree topology Because of this the spanning tree parameters related to BPDU transmission for example hello time forward time max age and max hops are configured only on the CST instance but affect all MST instances Parameters re...

Page 291: ...nt to the IST instance 0 Table 14 1 compares the IEEE standard and the Cisco prestandard terminology Hop Count The IST and MST instances do not use the message age and maximum age information in the configuration BPDU to compute the spanning tree topology Instead they use the path cost to the root and a hop count mechanism similar to the IP time to live TTL mechanism By using the spanning tree mst...

Page 292: ...o share a segment with a port belonging to a different region creating the possibility of receiving both internal and external messages on a port The primary change from the Cisco prestandard implementation is that a designated port is not defined as boundary unless it is running in an STP compatible mode Note If there is a legacy STP switch on the segment messages are always considered external T...

Page 293: ...ured for prestandard BPDU transmission Figure 14 2 illustrates this scenario Assume that A is a standard switch and B a prestandard switch both configured to be in the same region A is the root switch for the CIST and thus B has a root port BX on segment X and an alternate port BY on segment Y If segment Y flaps and the port on BY becomes the alternate before sending out a single prestandard BPDU ...

Page 294: ...ot detect whether the legacy switch has been removed from the link unless the legacy switch is the designated switch Also a switch might continue to assign a boundary role to a port when the switch to which this switch is connected has joined the region To restart the protocol migration process force the renegotiation with neighboring switches use the clear spanning tree detected protocols privile...

Page 295: ...ed port role is included in the active topology A port with the alternate or backup port role is excluded from the active topology In a stable topology with consistent port roles throughout the network the RSTP ensures that every root port and designated port immediately transition to the forwarding state while all alternate and backup ports are always in the discarding state equivalent to blockin...

Page 296: ... port the port from which the proposal message was received forces all nonedge ports to the blocking state and sends an agreement message a BPDU with the agreement flag set through its new root port After receiving Switch B s agreement message Switch A also immediately transitions its designated port to the forwarding state No loops in the network are formed because Switch B blocked all of its non...

Page 297: ... port is in the forwarding state and is not configured as an edge port it transitions to the blocking state when the RSTP forces it to synchronize with new root information In general when the RSTP forces a port to synchronize with root information and the port does not satisfy any of the above conditions its port state is set to blocking After ensuring all of the ports are synchronized the switch...

Page 298: ... sets the proposal flag in the RSTP BPDU to propose itself as the designated switch on that LAN The port role in the proposal message is always set to the designated port The sending switch sets the agreement flag in the RSTP BPDU to accept the previous proposal The port role in the agreement message is always set to the root port 2 Block 9 Forward 1 Proposal 4 Agreement 6 Proposal Root port Desig...

Page 299: ...ath cost and so forth than currently stored for the port with a designated port role it immediately replies with its own information Topology Changes This section describes the differences between the RSTP and the IEEE 802 1D in handling spanning tree topology changes Detection Unlike IEEE 802 1D in which any transition between the blocking and the forwarding state causes a topology change only tr...

Page 300: ...onfiguration page 14 14 MSTP Configuration Guidelines page 14 15 Specifying the MST Region Configuration and Enabling MSTP page 14 16 required Configuring the Root Switch page 14 17 optional Configuring a Secondary Root Switch page 14 18 optional Configuring Port Priority page 14 19 optional Configuring Path Cost page 14 21 optional Configuring the Switch Priority page 14 22 optional MSTP and Ethe...

Page 301: ...vision number and VLAN to instance mapping on each switch within the MST region by using the command line interface CLI or through the SNMP support For load balancing across redundant paths in the network to work all VLAN to instance mapping assignments must match otherwise all traffic flows on a single link All MST boundary ports must be forwarding for load balancing between a PVST and an MST clo...

Page 302: ...nge the range is 1 to 4094 When you map VLANs to an MST instance the mapping is incremental and the VLANs specified in the command are added to or removed from the VLANs that were previously mapped To specify a VLAN range use a hyphen for example instance 1 vlan 1 63 maps VLANs 1 through 63 to MST instance 1 To specify a VLAN series use a comma for example instance 1 vlan 10 20 30 maps VLANs 10 20...

Page 303: ... the switch priority and the switch MAC address is associated with each instance For a group of VLANs the switch with the lowest bridge ID becomes the root switch To configure a switch to become the root use the spanning tree mst instance id root global configuration command to modify the switch priority from the default value 32768 to a significantly lower value so that the switch becomes the roo...

Page 304: ...odified from the default value 32768 to 28672 The switch is then likely to become the root switch for the specified instance if the primary root switch fails This is assuming that the other network switches use the default switch priority of 32768 and therefore are unlikely to become the root switch You can execute this command on more than one switch to configure multiple backup root switches Use...

Page 305: ...tep 1 configure terminal Enter global configuration mode Step 2 spanning tree mst instance id root secondary diameter net diameter hello time seconds Configure a switch as the secondary root switch For instance id you can specify a single instance a range of instances separated by a hyphen or a series of instances separated by a comma The range is 0 to 4094 Optional For diameter net diameter speci...

Page 306: ... a physical interface is a UNI before attempting to configure MST port priority you must enter the port type nni interface configuration command or configure the port as an ENI and enable spanning tree on the port See Changing the Spanning Tree Mode section on page 13 12 If the interface is a VLAN only ports with spanning tree enabled in the VLAN will run spanning tree If the interface is a port c...

Page 307: ...rt channel range is 1 to 48 Note If a physical interface is a UNI before attempting to configure MST port priority you must enter the port type nni interface configuration command or configure the port as an ENI and enable spanning tree on the port See Changing the Spanning Tree Mode section on page 13 12 If the interface is a VLAN only ports with spanning tree enabled in the VLAN will run spannin...

Page 308: ...y the switch priority Beginning in privileged EXEC mode follow these steps to configure the switch priority This procedure is optional To return the switch to its default setting use the no spanning tree mst instance id priority global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree mst instance id priority priority Configure the...

Page 309: ...g the hello time. Note: Exercise care when using this command. For most situations, we recommend that you use the spanning-tree mst instance-id root primary and the spanning-tree mst instance-id root secondary global configuration commands to modify the hello time. Beginning in privileged EXEC mode, follow these steps to configure the hello time for all MST instances. This procedure is optional. To return...

Page 310: ...time seconds: Configure the forward time for all MST instances. The forward delay is the number of seconds a port waits before changing from its spanning-tree learning and listening states to the forwarding state. For seconds, the range is 4 to 30; the default is 15. Step 3, end: Return to privileged EXEC mode. Step 4, show spanning-tree mst: Verify your entries. Step 5, copy running-config startup-config: Opti...

Page 311: ...g. This procedure is optional. To return the port to its default setting, use the no spanning-tree link-type interface configuration command. Command / Purpose: Step 1, configure terminal: Enter global configuration mode. Step 2, spanning-tree mst max-hops hop-count: Specify the number of hops in a region before the BPDU is discarded, and the information held for a port is aged. For hop-count, the range is 1 to ...

Page 312: ...BPDU (Version 3) associated with a different region, or an RST BPDU (Version 2). However, the switch does not automatically revert to the MSTP mode if it no longer receives 802.1D BPDUs because it cannot detect whether the legacy switch has been removed from the link unless the legacy switch is the designated switch. A switch also might continue to assign a boundary role to a port when the switch to which...

Page 313: ...keywords for the show spanning-tree privileged EXEC command, see the command reference for this release. Table 14-5 Commands for Displaying MST Status. Command / Purpose: show spanning-tree mst configuration: Displays the MST region configuration. show spanning-tree mst configuration digest: Displays the MD5 digest included in the current MSTCI. show spanning-tree mst instance-id: Displays MST information fo...

Page 315: ...n on configuring the PVST and rapid PVST, see Chapter 13, "Configuring STP." For information about the Multiple Spanning Tree Protocol (MSTP) and how to map multiple VLANs to the same spanning-tree instance, see Chapter 14, "Configuring MSTP." Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release. Understanding Optional Spanning-Tree Fea...

Page 316: ...isk creating a spanning-tree loop. You can enable this feature by using the spanning-tree portfast interface configuration or the spanning-tree portfast default global configuration command. Figure 15-1 Port Fast-Enabled Interfaces. Understanding BPDU Guard: The BPDU guard feature can be globally enabled on the switch or can be enabled per interface, but the feature operates with some differences. At th...

Page 317: ...vents the interface from sending or receiving BPDUs. Caution: Enabling BPDU filtering on an STP port is the same as disabling spanning tree on it and can result in spanning-tree loops. You can enable the BPDU filtering feature for the entire switch or for an STP port. Understanding EtherChannel Guard: You can use EtherChannel guard to detect an EtherChannel misconfiguration between the switch and a con...

Page 318: ...of the root guard feature can cause a loss of connectivity. Figure 15-2 Root Guard in a Service-Provider Network. Understanding Loop Guard: You can use loop guard to prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link. This feature is most effective when it is enabled on the entire switched network. Loop guard prevents alternate and ro...

Page 319: ...nel guard, root guard, or loop guard if your switch is running PVST, rapid PVST, or MSTP. Enabling Port Fast: An STP port with the Port Fast feature enabled is moved directly to the spanning-tree forwarding state without waiting for the standard forward-time delay. Caution: Use Port Fast only when connecting a single end station to an access or trunk port. Enabling this feature on an interface connected to...

Page 320: ...state. The BPDU guard feature provides a secure response to invalid configurations because you must manually put the interface back in service. Use the BPDU guard feature in a service-provider network to prevent an access port from participating in the spanning tree. Command / Purpose: Step 1, configure terminal: Enter global configuration mode. Step 2, interface interface-id: Specify an STP interface to con...

Page 321: ...nable BPDU filtering on Port Fast-enabled STP ports, it prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs. You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs. If a BPDU is received on a Port F...

Page 322: ...pdufilter enable interface configuration command on an STP port. Enabling EtherChannel Guard: You can enable EtherChannel guard to detect an EtherChannel misconfiguration if your switch is running PVST, rapid PVST, or MSTP. Beginning in privileged EXEC mode, follow these steps to enable EtherChannel guard. This procedure is optional. Command / Purpose: Step 1, configure terminal: Enter global configuration mod...

Page 323: ...EXEC mode, follow these steps to enable root guard on an interface. This procedure is optional. To disable root guard, use the no spanning-tree guard interface configuration command. Enabling Loop Guard: You can use loop guard to prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link. This feature is most effective when it is configured on ...

Page 324: ...he command reference for this release. Command / Purpose: Step 1, show spanning-tree active or show spanning-tree mst: Verify which interfaces are alternate or root ports. Step 2, configure terminal: Enter global configuration mode. Step 3, spanning-tree loopguard default: Enable loop guard. By default, loop guard is disabled. Step 4, end: Return to privileged EXEC mode. Step 5, show running-config: Verify your entri...

Page 325: ... these sections: Understanding REP, page 16-1; Configuring REP, page 16-6; Monitoring REP, page 16-14. Understanding REP: A REP segment is a chain of ports connected to each other and configured with a segment ID. Each segment consists of standard (nonedge) segment ports and two user-configured edge ports. A switch can have only two ports belonging to the same segment, and each segment port can have only one e...

Page 326: ...ith both edge ports located on the same switch, is a ring segment. In this configuration, there is connectivity between the edge ports through the segment. With this configuration, you can create a redundant connection between any two switches in the segment. Figure 16-2 REP Ring Segment. REP segments have these characteristics: If all ports in the segment are operational, one port (referred to as the alter...

Page 327: ...ed port within the segment, multiple port failures within the REP segment cause loss of network connectivity. You should configure REP only in networks with redundancy. Configuring REP in a network without redundancy causes loss of connectivity. Link Integrity: REP does not use an end-to-end polling mechanism between edge ports to verify link integrity. It implements local link failure detection. The REP...

Page 328: ... that do not belong to the segment treat them as data traffic. You can control flooding of these messages by configuring a dedicated administrative VLAN for the whole domain. The estimated convergence recovery time on fiber interfaces is less than 200 ms for the local segment with 200 VLANs configured. Convergence for VLAN load balancing is 300 ms or less. VLAN Load Balancing: One edge port in the REP ...

Page 329: ... VLAN load balancing begins after the configured preemption time period elapses. Note that the delay timer restarts if another port fails before the time has elapsed. Note: When VLAN load balancing is configured, it does not start working until triggered by either manual intervention or a link failure and recovery. When VLAN load balancing is triggered, the primary edge port sends a message to alert all...

Page 330: ... all VLANs. A regular segment port converted to an edge port, or an edge port converted to a regular segment port, does not always result in a topology change. If you convert an edge port into a regular segment port, VLAN load balancing is not implemented unless it has been configured. For VLAN load balancing, you must configure two edge ports in the segment. A segment port that is reconfigured as a spann...

Page 331: ...r 2 trunk ports. REP ports cannot be access ports. REP is not supported on ports configured with service instances. Be careful when configuring REP through a Telnet connection. Because REP blocks all VLANs until another REP interface sends a message to unblock the VLAN, you might lose connectivity to the switch if you enable REP in a Telnet session that accesses the switch through the REP interface. You...

Page 332: ... switch. Configuring the REP Administrative VLAN: To avoid the delay introduced by relaying messages in software for link-failure or VLAN-blocking notification during load balancing, REP floods packets at the hardware flood layer (HFL) to a regular multicast address. These messages are flooded to the whole network, not just the REP segment. You can control flooding of these messages by configuring an admi...

Page 333: ... tx 118 EPA COMMAND TLV rx 0 tx 0 EPA INFO TLV rx 4214 tx 4190 Configuring REP Interfaces: For REP operation, you need to enable it on each segment interface and to identify the segment ID. This step is required and must be done before other REP configuration. You must also configure a primary and secondary edge port on each segment. All other steps are optional. Note: You cannot configure REP on interfa...

Page 334: ...configure VLAN load balancing. Note: Although each segment can have only one primary edge port, if you configure edge ports on two different switches and enter the primary keyword on both switches, the configuration is allowed. However, REP selects only one of these ports as the segment primary edge port. You can identify the primary edge port for a segment by entering the show rep topology privileged EX...

Page 335: ...offset number 1, you would never enter an offset value of 1 to identify an alternate port. Enter preferred to select the regular segment port previously identified as the preferred alternate port for VLAN load balancing. Enter vlan vlan-list to block one VLAN or a range of VLANs. Enter vlan all to block all VLANs. Note: Enter this command only on the REP primary edge port. Step 7, rep preempt delay second...

Page 336: ...onf-if)# end This example shows how to configure the same configuration when the interface has no external REP neighbor: Switch# configure terminal Switch (conf)# interface gigabitethernet0/1 Switch (conf-if)# rep segment 1 edge no-neighbor primary Switch (conf-if)# rep stcn segment 2-5 Switch (conf-if)# rep block port 0009001818D68700 vlan all Switch (conf-if)# rep preempt delay 60 Switch (conf-if)# rep lsl-age-timer ...

Page 337: ...send REP-specific traps to notify the SNMP server of link operational status changes and port role changes. Beginning in privileged EXEC mode, follow these steps to configure REP traps. To remove the trap, enter the no snmp mib rep trap-rate global configuration command. This example configures the switch to send REP traps at a rate of 10 per second: Switch(config)# snmp mib rep trap-rate 10 Command Purpo...

Page 338: ...P. Table 16-1 REP Monitoring Commands. Command / Purpose: show interface [interface-id] rep [detail]: Displays REP configuration and status for a specified interface or for all interfaces. show rep topology [segment segment_id] [archive] [detail]: Displays REP topology information for a segment or for all segments, including the primary and secondary edge ports in the segment. ...

Page 339: ...le Move Update, page 17-1; Configuring Flex Links and MAC Address Table Move Update, page 17-7; Monitoring Flex Links and the MAC Address Table Move Update, page 17-13. Understanding Flex Links and the MAC Address Table Move Update: Flex Links, page 17-1; VLAN Flex Link Load Balancing and Support, page 17-2; Flex Link Multicast Fast Convergence, page 17-3; MAC Address Table Move Update, page 17-6. Flex Links: Fle...

Page 340: ...s not forward traffic; port 2 continues forwarding traffic. You can also choose to configure a preemption mechanism, specifying the preferred port for forwarding traffic. In Figure 17-1, for example, you can configure the Flex Link pair with preemption mode so that after port 1 comes back up in the scenario, if it has greater bandwidth than port 2, port 1 begins forwarding after 60 seconds, and port 2 beco...

Page 341: ...orts are learned as mrouter ports whenever either Flex Link port is learned as the mrouter port. Both Flex Link ports are always part of multicast groups. Though both Flex Link ports are part of the groups in normal operation mode, all traffic on the backup port is blocked. So the normal multicast data flow is not affected by the addition of the backup port as an mrouter port. When the changeover happe...

Page 342: ...t fast-convergence command. When this feature has been enabled at changeover, the switch does not generate the proxy reports on the backup port, which became the forwarding port. Configuration Examples: This configuration example shows learning the other Flex Link port as the mrouter port when Flex Link is configured on GigabitEthernet 0/11 and GigabitEthernet 0/12. The example shows the output for the ...

Page 343: ...roxy reports for the groups 228.1.5.1 and 228.1.5.2 on behalf of the host. The upstream router learns the groups and starts forwarding multicast data. This is the default behavior of Flex Link. This behavior changes when the user configures fast convergence using the switchport backup interface gigabitEthernet 0/12 multicast fast-convergence command. This example shows turning on this feature: Switch c...

Page 344: ...through a Flex Link pair. Port 1 is forwarding traffic, and port 2 is in the backup state. Traffic from the PC to the server is forwarded from port 1 to port 3. The MAC address of the PC has been learned on port 3 of switch C. Traffic from the server to the PC is forwarded from port 3 to port 1. If the MAC address table move update feature is not configured and port 1 goes down, port 2 starts forwarding ...

Page 345: ... Configuration Guidelines, page 17-8; Configuring Flex Links, page 17-8; Configuring VLAN Load Balancing on Flex Links, page 17-10; Configuring the MAC Address Table Move Update Feature, page 17-11. Default Configuration: The Flex Links are not configured, and there are no backup interfaces defined. The preemption mode is off. The preemption delay is 35 seconds. Flex Link VLAN load balancing is not configured. ...

Page 346: ...raffic. STP is disabled on Flex Link ports. If STP is configured on the switch, Flex Links do not participate in STP in all VLANs in which STP is configured. With STP not running, be sure that there are no loops in the configured topology. Follow these guidelines to configure VLAN load balancing on the Flex Links feature: For Flex Link VLAN load balancing, you must choose the preferred VLANs on the backup...

Page 347: ...nfigure terminal: Enter global configuration mode. Step 2, interface interface-id: Specify the interface, and enter interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface). The port-channel range is 1 to 26. Step 3, switchport backup interface interface-id: Configure a physical Layer 2 interface (or port channel) as part of a Flex Link pair with the ...

Page 348: ... 50, 60, and 100 to 120 are configured on the switch: Switch(config)# interface gigabitEthernet 0/6 Switch(config-if)# switchport backup interface gigabitEthernet 0/8 prefer vlan 60,100-120 When both interfaces are up, gigabitethernet port 0/8 forwards traffic for VLANs 60 and 100 to 120, and gigabitethernet port 0/6 forwards traffic for VLANs 1 to 50. Switch# show interfaces switchport backup Switch Backup ...

Page 349: ...preferred on this interface are blocked on the peer interface and moved to the forwarding state on the interface that has just come up. In this example, if interface 0/6 comes up, VLANs preferred on this interface are blocked on the peer interface 0/8 and forwarded on 0/6. Switch# show interfaces switchport backup Switch Backup Interface Pairs: Active Interface Backup Interface State GigabitEthernet0/6 ...

Page 350: ...rming packet count 5 Rcv invalid packet count 0 Rcv packet count this min 0 Rcv threshold exceed count 0 Command / Purpose: Step 1, configure terminal: Enter global configuration mode. Step 2, interface interface-id: Specify the interface, and enter interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface). The port-channel range is 1 to 48. Step 3, swi...

Page 351: ...to get and process MAC address table move update messages: Switch# configure terminal Switch (conf)# mac address-table move update receive Switch (conf)# end Monitoring Flex Links and the MAC Address Table Move Update: Table 17-1 shows the privileged EXEC command for monitoring Flex Link configuration. Command / Purpose: Step 1, configure terminal: Enter global configuration mode. Step 2, mac address-table move up...

Page 353: ...ring and Throttling Configuration, page 18-18. Note: You can either manage IP multicast group addresses through features such as IGMP snooping, or you can use static IP addresses. Understanding IGMP Snooping: Layer 2 switches can use IGMP snooping to constrain the flooding of multicast traffic by dynamically configuring Layer 2 interfaces so that multicast traffic is forwarded to only those interfaces a...

Page 354: ...tree, a port group, or a VLAN ID change occurs, the IGMP snooping-learned multicast groups from this port on the VLAN are deleted. These sections describe IGMP snooping characteristics: IGMP Versions, page 18-2; Joining a Multicast Group, page 18-3; Leaving a Multicast Group, page 18-4; Immediate Leave, page 18-5; IGMP Configurable-Leave Timer, page 18-5; IGMP Report Suppression, page 18-5. IGMP Versions: The switc...

Page 355: ...ves multicast traffic for that multicast group. See Figure 18-1. Figure 18-1 Initial IGMP Join Message. Router A sends a general query to the switch, which forwards the query to ports 2 through 5, which are all members of the same VLAN. Host 1 wants to join multicast group 224.1.2.3 and multicasts an IGMP membership report (IGMP join message) to the group. The switch CPU uses the information in the IGMP re...

Page 356: ...ing to a multicast router port with the ip igmp snooping mrouter global configuration command. Leaving a Multicast Group: The router sends periodic multicast general queries, and the switch forwards these queries through all ports in the VLAN. Interested hosts respond to the queries. If at least one host in the VLAN wishes to receive multicast traffic, the router continues forwarding the multicast traff...

Page 357: ...up-specific query to determine if hosts are still interested in a specific multicast group. The IGMP leave response time can be configured from 100 to 5000 milliseconds. The timer can be set either globally or on a per-VLAN basis. The VLAN configuration of the leave time overrides the global configuration. For configuration steps, see the "Configuring the IGMP Leave Timer" section on page 18-9. IGMP Repor...

Page 358: ...led, it is also enabled or disabled in all existing VLAN interfaces. IGMP snooping is by default enabled on all VLANs, but can be enabled and disabled on a per-VLAN basis. Global IGMP snooping overrides the VLAN IGMP snooping. If global snooping is disabled, you cannot enable VLAN snooping. If global snooping is enabled, you can enable or disable VLAN snooping. Beginning in privileged EXEC mode, follow thes...

Page 359: ...py running-config startup-config: (Optional) Save your entries in the configuration file. Command / Purpose: Step 1, configure terminal: Enter global configuration mode. Step 2, ip igmp snooping vlan vlan-id: Enable IGMP snooping on the VLAN interface. The VLAN ID range is 1 to 1001 and 1006 to 4094. Note: IGMP snooping must be globally enabled before you can enable VLAN snooping. Step 3, end: Retur...

Page 360: ... to statically configure a host on a port: Switch# configure terminal Switch(config)# ip igmp snooping vlan 105 static 224.2.4.12 interface gigabitethernet0/1 Switch(config)# end Enabling IGMP Immediate Leave: When you enable IGMP Immediate Leave, the switch immediately removes a port when it detects an IGMP Version 2 leave message on that port. You should only use the Immediate Leave feature when there is...

Page 361: ... and the amount of traffic sent through the interface. Beginning in privileged EXEC mode, follow these steps to enable the IGMP configurable-leave timer. Command / Purpose: Step 1, configure terminal: Enter global configuration mode. Step 2, ip igmp snooping vlan vlan-id immediate-leave: Enable IGMP Immediate Leave on the VLAN interface. Step 3, end: Return to privileged EXEC mode. Step 4, show ip igmp snooping v...

Page 362: ...e. If you set the TCN flood query count to 1 by using the ip igmp snooping tcn flood query count command, the flooding stops after receiving one general query. If you set the count to 7, the flooding of multicast traffic due to the TCN event lasts until 7 general queries are received. Groups are relearned based on the general queries received during the TCN event. Beginning in privileged EXEC mode, follo...

Page 363: ...ion command to control this behavior. Beginning in privileged EXEC mode, follow these steps to disable multicast flooding on an interface. To re-enable multicast flooding on an interface, use the ip igmp snooping tcn flood interface configuration command. Command / Purpose: Step 1, configure terminal: Enter global configuration mode. Step 2, ip igmp snooping tcn query solicit: Send an IGMP leave message (global...

Page 364: ...es for a VLAN configured for IGMP snooping. To display IGMP snooping information, use one or more of the privileged EXEC commands in Table 18-4. Command / Purpose: Step 1, configure terminal: Enter global configuration mode. Step 2, no ip igmp snooping report-suppression: Disable IGMP report suppression. Step 3, end: Return to privileged EXEC mode. Step 4, show ip igmp snooping: Verify that IGMP report suppression...

Page 365: ...at a Layer 2 interface can join. IGMP filtering controls only group-specific query and membership reports, including join and leave reports. It does not control general IGMP queries. IGMP filtering has no relationship with the function that directs the forwarding of IP multicast traffic. The filtering feature operates in the same manner whether IGMP or MVR is used to forward the multicast traffic. show ...

Page 366: ...onfiguring the IGMP Throttling Action, page 18-17 (optional). Default IGMP Filtering and Throttling Configuration: Table 18-5 shows the default IGMP filtering configuration. When the maximum number of groups is in forwarding table, the default IGMP throttling action is to deny the IGMP report. For configuration guidelines, see the "Configuring the IGMP Throttling Action" section on page 18-17. Configuring IGM...

Page 367: ... 9.9.0 229.9.9.0 Applying IGMP Profiles: To control access as defined in an IGMP profile, use the ip igmp filter interface configuration command to apply the profile to the appropriate interfaces. You can apply IGMP profiles only to Layer 2 access ports; you cannot apply IGMP profiles to routed ports or SVIs. You cannot apply profiles to ports that belong to an EtherChannel port group. You can apply a p...

Page 368: ... maximum number of IGMP groups in the forwarding table. Command / Purpose: Step 1, configure terminal: Enter global configuration mode. Step 2, interface interface-id: Specify the physical interface, and enter interface configuration mode. The interface must be a Layer 2 port that does not belong to an EtherChannel port group. Step 3, ip igmp filter profile number: Apply the specified IGMP profile to the interf...

Page 369: ...forwarding table, the forwarding-table entries are either aged out or removed, depending on the throttling action. If you configure the throttling action as deny, the entries that were previously in the forwarding table are not removed but are aged out. After these entries are aged out and the maximum number of entries is in the forwarding table, the switch drops the next IGMP report received on the int...

Page 370: ...interfaces on the switch or for a specified interface. You can also display the IGMP throttling configuration for all interfaces on the switch or for a specified interface. Use the privileged EXEC commands in Table 18-6 to display IGMP filtering and throttling configuration. Step 4, end: Return to privileged EXEC mode. Step 5, show running-config interface interface-id: Verify the configuration. Step 6, cop...

Page 371: ...support storm control on physical interfaces. When you configure storm control on an interface, it also affects traffic on Ethernet Flow Points (EFPs) configured on the interface. Storm control prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on one of the physical interfaces. A LAN storm occurs when packets flood the LAN, creating excessive traffic and degrading n...

Page 372: ... available bandwidth that can be used by broadcast, multicast, or unicast traffic. The graph in Figure 19-1 shows broadcast traffic patterns on an interface over a given period of time. The example can also be applied to multicast and unicast traffic. In this example, the broadcast traffic being forwarded exceeded the configured threshold between time intervals T1 and T2 and between T4 and T5. When the a...

Page 373: ...particular type of traffic. However, because of hardware limitations and the way in which packets of different sizes are counted, threshold percentages are approximations. Depending on the sizes of the packets making up the incoming traffic, the actual enforced threshold might differ from the configured level by several percentage points. Note: You can configure storm control on physical interfaces or on...

Page 374: ...hed. The range is 0.0 to 10000000000.0. (Optional) For bps-low, specify the falling threshold level in bits per second (up to one decimal place). It can be less than or equal to the rising threshold level. The port forwards traffic when traffic drops below this level. The range is 0.0 to 10000000000.0. For pps pps, specify the rising threshold level for broadcast, multicast, or unicast traffic in packets per se...

Page 375: ...el 20 Configuring Port Blocking: By default, the switch floods packets with unknown destination MAC addresses out of all ports. If unknown unicast and multicast traffic is forwarded to a protected port, there could be security issues. To prevent unknown unicast or multicast traffic from being forwarded from one port to another, you can block a port (protected or nonprotected) from flooding unknown unicast...

Page 376: ... maximum addresses service-instance command to configure an upper limit for the number of secure MAC addresses allowed on an EFP, including permitted addresses, dynamically learned addresses, and sticky addresses. If you do not configure an upper limit, the default number of secured MAC addresses is 1. If an EFP is configured as a secure EFP and the maximum number of secure MAC addresses is reached, when...

Page 377: ...ally learned, stored only in the address table, and removed when the switch restarts. Sticky secure MAC addresses: These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, when the switch restarts, the service instance does not need to dynamically reconfigure them. The sticky secure M...

Page 378: ...tely. An SNMP trap is sent, a syslog message is logged, and the violation counter increments. When a secure EFP is in the error-disabled state, you can manually re-enable it using clear ethernet service instance number interface interface-id privileged EXEC command or entering the shutdown and no shutdown service-instance configuration commands. This is the default mode. Table 19-1 shows the violation mo...

Page 379: ...urs when a MAC move occurs and a MAC entry already exists for an EFP in a given bridge domain, and the same MAC address is received on a different EFP in the bridge domain. If the move takes place from one secured EFP to another secured EFP, the move is not allowed and the configured violation action occurs. A move between a secured and non-secured EFP is allowed because no violation occurs. Enabling a...

Page 380: ...MAC security on the EFP. Step 9, mac security address {permit | deny} mac-address: (Optional) Configure the specified MAC address to be permitted or denied on the service instance. Step 10, mac security maximum addresses value: (Optional) Set the maximum number of secure MAC addresses allowed on the service instance. The range is 1 to 1000. Entering a value of 0 disables dynamic MAC address learning. The maximum n...

Page 381: ...ged EXEC command. Step 12, mac security aging static sticky time aging time inactivity: (Optional) Configure MAC security aging characteristics for the service instance. static: Specify that the configured aging time applies to permitted MAC addresses. By default, this only affects dynamically learned addresses. sticky: Specify that the aging time also applies to dynamically learned (sticky) addresses. time agi...

Page 382: ...erface interface-id mac security: Displays information about MAC security configured on the service instance. show interfaces [interface-id] switchport: Displays the administrative and operational status of all switching (nonrouting) ports or the specified port, including port blocking settings. show storm-control [interface-id] [broadcast | multicast | unicast]: Displays storm control suppression levels set on all...

Page 383: ...s to discover Cisco devices that are neighbors of already known devices. With CDP, network management applications can learn the device type and the Simple Network Management Protocol (SNMP) agent address of neighboring devices running lower-layer, transparent protocols. This feature enables applications to send SNMP queries to neighboring devices. CDP runs on all media that support Subnetwork Access Pro...

Page 384: ...ll optional and can be performed in any order. Table 20-1 Default CDP Configuration. Feature / Default Setting: CDP global state: Enabled. CDP interface state: Enabled only on NNIs; disabled on ENIs. Note: CDP is not supported on UNIs. CDP timer (packet update frequency): 60 seconds. CDP holdtime (before discarding): 180 seconds. CDP Version 2 advertisements: Enabled. Command / Purpose: Step 1, configure terminal: Enter glo...

Page 385: ...P can interrupt device connectivity. Beginning in privileged EXEC mode, follow these steps to globally disable the CDP device discovery capability. Beginning in privileged EXEC mode, follow these steps to globally enable CDP when it has been disabled. This example shows how to globally enable CDP if it has been disabled: Switch# configure terminal Switch(config)# cdp run Switch(config)# end Step 6, show cdp: V...

Page 386: ...r cdp service-instance configuration command on the service instance. See the "Configuring Ethernet Virtual Connections (EVCs)" chapter for more information on EFPs. Command / Purpose: Step 1, configure terminal: Enter global configuration mode. Step 2, interface interface-id: Specify the interface on which you are disabling CDP, and enter interface configuration mode. CDP is enabled by default. Step 3, no cdp enab...

Page 387: ...information such as frequency of transmissions and the holdtime for packets being sent show cdp entry entry name protocol version Display information about a specific neighbor You can enter an asterisk to display all CDP neighbors or you can enter the name of the neighbor about which you want information You can also limit the display to information about the protocols enabled on the specified nei...

Page 389: ...link layer on all Cisco manufactured devices routers bridges access servers and switches CDP allows network management applications to automatically discover and learn about other Cisco devices connected to the network To support non Cisco devices and to allow for interoperability between other devices the switch supports the IEEE 802 1AB Link Layer Discovery Protocol LLDP LLDP is a neighbor disco...

Page 390: ...orts and what capabilities the device has enabled Network policy TLV Allows both network connectivity devices and endpoints to advertise VLAN configurations and associated Layer 2 and Layer 3 attributes for the specific application on that port For example the switch can notify a phone of the VLAN number that it should use The phone can connect into any switch obtain its VLAN number and then start...

Page 391: ...D TLVs page 21 6 LLDP and Ethernet Flow Points EFPs page 21 7 Default LLDP Configuration Table 21 1 shows the default LLDP configuration To change the default settings use the LLDP global configuration and LLDP interface configuration commands Configuring LLDP Characteristics You can configure the frequency of LLDP updates the amount of time to hold the information before discarding it and the ini...

Page 392: ...se steps to globally disable LLDP Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 lldp holdtime seconds Optional Specify the amount of time a receiving device should hold the information sent by your device before discarding it The range is 0 to 65535 seconds the default is 120 seconds Step 3 lldp reinit Optional Specify the delay time in seconds for LLDP to initia...

Page 393: ...g and receiving LLDP packets on an interface after it has been disabled Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 lldp run Enable LLDP Step 3 end Return to privileged EXEC mode Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface on which you are disabling LLDP and enter interface config...

Page 394: ...ivileged EXEC mode follow these steps to enable a TLV on an interface Step 5 end Return to privileged EXEC mode Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Table 21 2 LLDP MED TLVs LLDP MED TLV Description inventory management LLDP MED inventory management TLV location LLDP MED location TLV network policy LLDP MED network policy TL...

Page 395: ...Switch config if srv encapsulation untagged Switch config if srv l2protocol peer lldp Switch config if srv bridge domain 10 Switch config if srv end Monitoring and Maintaining LLDP and LLDP MED To monitor and maintain LLDP and LLDP MED on your device perform one or more of these tasks beginning in privileged EXEC mode Step 3 lldp med tlv select tlv Specify the TLV to enable Step 4 end Return to pr...

Page 396: ...y information about neighbors including device type interface type and number holdtime settings capabilities and port ID You can limit the display to neighbors of a specific interface or expand the display to provide more detailed information show lldp traffic Display LLDP counters including the number of packets sent and received number of packets discarded and number of unrecognized TLVs Command...

Page 397: ... variety of problems including spanning tree topology loops Modes of Operation UDLD supports two modes of operation normal the default and aggressive In normal mode UDLD can detect unidirectional links due to misconnected ports on fiber optic connections In aggressive mode UDLD can also detect unidirectional links due to one way traffic on fiber optic and twisted pair links and to misconnected por...

Page 398: ... the loss of the heart beat means that the link must be shut down if it is not possible to re establish a bidirectional link If both fiber strands in a cable are working normally from a Layer 1 perspective UDLD in aggressive mode detects whether those fiber strands are connected correctly and whether traffic is flowing bidirectionally between the correct neighbors This check cannot be performed by...

Page 399: ...ent or in the detection phase UDLD restarts the link up sequence to resynchronize with any potentially out of sync neighbor UDLD shuts down the port if after the fast train of messages the link state is still undetermined Figure 22 1 shows an example of a unidirectional link condition Figure 22 1 UDLD Detection of a Unidirectional Link Configuring UDLD Default UDLD Configuration page 22 4 Configur...

Page 400: ...rmal or aggressive make sure that the same mode is configured on both sides of the link Caution Loop guard works only on point to point links We recommend that each end of the link has a directly connected device that is running STP Table 22 1 Default UDLD Configuration Feature Default Setting UDLD global enable state Globally disabled UDLD per port enable state for fiber optic media Disabled on a...

Page 401: ...LD in aggressive mode on all fiber optic ports enable Enables UDLD in normal mode on all fiber optic ports on the switch UDLD is disabled by default An individual interface configuration overrides the setting of the udld enable global configuration command For more information about aggressive and normal modes see the Modes of Operation section on page 22 1 message time message timer interval Conf...

Page 402: ...al configuration command specifies the time to recover from the UDLD error disabled state UDLD and Ethernet Flow Points EFPs For UDLD to peer with a neighbor on a port that has an Ethernet Virtual Connection EVC EFP service instance configured you need to enter the l2 protocol peer udld service instance configuration command on the service instance See the Configuring Ethernet Virtual Connections ...

Page 403: ...itch config if switchport trunk allowed vlan none Switch config if service instance 1 Ethernet Switch config if srv encapsulation untagged Switch config if srv l2protocol peer udld Switch config if srv bridge domain 10 Switch config if srv end Displaying UDLD Status To display the UDLD status for the specified port or for all ports use the show udld interface id privileged EXEC command For detaile...

Page 405: ...ormation Note For complete syntax and usage information for the commands used in this chapter see the System Management Commands section in the Cisco IOS Configuration Fundamentals Command Reference Release 12 2 Understanding RMON page 23 1 Configuring RMON page 23 3 Displaying RMON Status page 23 6 Understanding RMON RMON is an Internet Engineering Task Force IETF standard monitoring specificatio...

Page 406: ...ecific management information base MIB object for a specified interval triggers an alarm at a specified value rising threshold and resets the alarm at another value falling threshold Alarms can be used with events the alarm triggers an event which can generate a log entry or an SNMP trap Event RMON group 9 Specifies the action to take when an event is triggered by an alarm The action can be to gen...

Page 407: ...ounters are not supported for RMON alarms Beginning in privileged EXEC mode follow these steps to enable RMON alarms and events This procedure is required Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 rmon alarm number variable interval absolute delta rising threshold value event number falling threshold value event number owner string Set an alarm on a MIB objec...

Page 408: ...d can be triggered again Switch config rmon alarm 10 ifEntry 20 1 20 delta rising threshold 15 1 falling threshold 0 owner jjohnson The following example creates RMON event number 1 by using the rmon event command The event is defined as High ifOutErrors and generates a log entry when the event is triggered by the alarm The user jjones owns the row that is created in the event table by this comman...

Page 409: ...llection history index buckets bucket number interval seconds owner ownername Enable history collection for the specified number of buckets and time period For index identify the RMON group of statistics The range is 1 to 65535 Optional For buckets bucket number specify the maximum number of buckets desired for the RMON collection history group of statistics The range is 1 to 65535 The default is ...

Page 410: ... Reference Release 12 2 Step 3 rmon collection stats index owner ownername Enable RMON statistic collection on the interface For index specify the RMON group of statistics The range is from 1 to 65535 Optional For owner ownername enter the name of the owner of the RMON group of statistics Step 4 end Return to privileged EXEC mode Step 5 show running config Verify your entries Step 6 show rmon stat...

Page 411: ...of logging messages to various destinations such as the logging buffer terminal lines or a UNIX syslog server depending on your configuration The process also sends messages to the console Note The syslog format is compatible with 4 3 BSD UNIX When the logging process is disabled messages are sent only to the console The messages are sent as they are generated so message and debug output are inter...

Page 412: ... percent sign which follows the optional sequence number or time stamp information if configured Messages appear in this format seq no timestamp facility severity MNEMONIC description The part of the message preceding the percent sign depends on the setting of the service sequence numbers service timestamps log datetime service timestamps log datetime localtime msec show timezone or service timest...

Page 413: ...nabled by default It must be enabled to send messages to any destination other than the console When enabled log messages are sent to a logging process which logs messages to designated locations asynchronously to the processes that generated the messages severity Single digit code from 0 to 7 that is the severity of the message For a description of the severity levels see Table 24 3 on page 24 9 ...

Page 414: ... logging is enabled you can send messages to specific locations in addition to the console Beginning in privileged EXEC mode use one or more of the following commands to specify the locations that receive messages This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 no logging console Disable message logging Step 3 end Return to privileged EXE...

Page 415: ...ed Unsolicited messages and debug command output appears on the console after the prompt for user input Step 3 logging host Log messages to a UNIX syslog server host For host specify the name or IP address of the host to be used as the syslog server To build a list of syslog servers that receive logging messages enter this command more than once For complete syslog server configuration steps see t...

Page 416: ...y connection for configurations that occur through a Telnet session The range of line numbers is from 0 to 15 You can change the setting of all 16 vty lines at once by entering line vty 0 15 Or you can change the setting of the single vty line being used for your current connection For example to change the setting for vty line 2 enter line vty 2 When you enter this command the mode changes to lin...

Page 417: ...equence numbers so that you can unambiguously see a single message By default sequence numbers in log messages are not displayed Beginning in privileged EXEC mode follow these steps to enable sequence numbers in log messages This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 service timestamps log uptime or service timestamps log datetime ms...

Page 418: ...nfiguration command To disable logging to syslog servers use the no logging trap global configuration command Table 24 3 describes the level keywords It also lists the corresponding UNIX syslog definitions from the most severe level to the least severe level Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 logging console level Limit messages logged to the console B...

Page 419: ...witch history table You also can change the number of messages that are stored in the history table Messages are stored in the history table because SNMP traps are not guaranteed to reach their destination By default one message of the level warning and numerically lower levels see Table 24 3 on page 24 9 are stored in the history table even if syslog traps are not enabled Beginning in privileged ...

Page 420: ... provisioning privileged EXEC command to display the complete configuration log or the log for specified parameters The default is that configuration logging is disabled For information about the commands see the Cisco IOS Configuration Fundamentals and Network Management Command Reference Release 12 4 at this URL http www cisco com en US docs ios fundamentals configuration guide 12_4 cf_12_4_book...

Page 421: ... 0 1 43 14 temi vty4 switchport mode trunk 44 14 temi vty4 exit 45 16 temi vty5 interface FastEthernet5 0 1 46 16 temi vty5 switchport mode trunk 47 16 temi vty5 exit Configuring UNIX Syslog Servers The next sections describe how to configure the UNIX server syslog daemon and how to define the UNIX system logging facility Logging Messages to a UNIX Syslog Daemon Before you can send system log mess...

Page 422: ...ilities Beginning in privileged EXEC mode follow these steps to configure UNIX system facility message logging This procedure is optional To remove a syslog server use the no logging host global configuration command and specify the syslog server IP address To disable logging to syslog servers enter the no logging trap global configuration command Table 24 4 lists the UNIX system facilities suppor...

Page 423: ...ogging privileged EXEC command For information about the fields in this display see the Cisco IOS Configuration Fundamentals Command Reference Release 12 2 Table 24 4 Logging Facility Type Keywords Facility Type Keyword Description auth Authorization system cron Cron facility daemon System daemon kern Kernel local0 7 Locally defined messages lpr Line printer system mail Mail system news USENET new...

Page 425: ...SNMP system consists of an SNMP manager an SNMP agent and a MIB The SNMP manager can be part of a network management system NMS such as CiscoWorks The agent and MIB reside on the switch To configure SNMP on the switch you define the relationship between the manager and the agent The SNMP agent contains MIB variables whose values the SNMP manager can request or change A manager can get a value from...

Page 426: ...curity features Message integrity ensuring that a packet was not tampered with in transit Authentication determining that the message is from a valid source Encryption mixing the contents of a package to prevent it from being read by an unauthorized source Note To select encryption enter the priv keyword This keyword is available only when the cryptographic encrypted software image is installed Bo...

Page 427: ...HMAC SHA algorithms SNMPv3 authPriv requires the cryptographic software image MD5 or SHA Data Encryption Standard DES or Advanced Encryption Standard AES Provides authentication based on the HMAC MD5 or HMAC SHA algorithms Allows specifying the User based Security Model USM with these encryption algorithms DES 56 bit encryption in addition to authentication based on the CBC DES DES 56 standard 3DE...

Page 428: ...d access to authorized management stations to all objects in the MIB except the community strings but does not allow write access Read write RW Gives read and write access to authorized management stations to all objects in the MIB but does not allow access to the community strings Using SNMP to Access MIB Variables An example of an NMS is the CiscoWorks network management software CiscoWorks 2000...

Page 429: ...oon as it is sent an inform request is held in memory until a response is received or the request times out Traps are sent only once but an inform might be re sent or retried several times The retries increase traffic and contribute to a higher overhead on the network Therefore traps and informs require a trade off between reliability and resources If it is important that the SNMP manager receive ...

Page 430: ...rval After you configure the data to be collected a single virtual bulk statistics file is created with all the collected data You can specify how the file is transferred to the NMS FTP RCP or TFTP how often the file is transferred the default is 30 minutes and a secondary destination if the primary NMS is not available The transfer interval time is also the collection interval time After the coll...

Page 431: ...ion and privacy digests If you do not configure the remote engine ID first the configuration command fails When configuring SNMP informs you need to configure the SNMP engine ID for the remote agent in the SNMP database before you can send proxy requests or informs to it If a local user is not associated with a remote host the switch does not send informs for the auth authNoPriv and the priv authP...

Page 432: ...nager and the agent The community string acts like a password to permit access to the agent on the switch Optionally you can specify one or more of these characteristics associated with the string An access list of IP addresses of the SNMP managers that are permitted to use the community string to gain access to the agent A MIB view which defines the subset of all MIB objects accessible to the giv...

Page 433: ...ized management stations to retrieve MIB objects or specify read write rw if you want authorized management stations to retrieve and modify MIB objects By default the community string permits read only access to all objects Optional For access list number enter an IP standard access list numbered from 1 to 99 and 1300 to 1999 Step 3 access list access list number deny permit source source wildcard...

Page 434: ...w these steps to configure SNMP on the switch Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 snmp server engineID local engineid string remote ip address udp port port number engineid string Configure a name for either the local or remote copy of SNMP The engineid string is a 24 character ID string with the name of the copy of SNMP You need not specify the entire ...

Page 435: ...t authentication noauth Enables the noAuthNoPriv security level This is the default if no keyword is specified priv Enables Data Encryption Standard DES packet encryption also called privacy Note The priv keyword is available only when the cryptographic software image is installed Optional Enter read readview with a string not to exceed 64 characters that is the name of the view in which you can o...

Page 436: ...these additional options encrypted specifies that the password appears in encrypted format This keyword is available only when the v3 keyword is specified auth is an authentication level setting session that can be either the HMAC MD5 96 md5 or the HMAC SHA 96 sha authentication level and requires a password string auth password not to exceed 64 characters If you enter v3 and the switch is running...

Page 437: ...rap for SNMP EIGRP changes envmon Generates environmental monitor traps You can enable any or all of these environmental traps fan shutdown status supply temperature ethernet cfm Generates an SNMP Ethernet CFM trap flash Generates SNMP FLASH notifications hsrp Generates a trap for Hot Standby Router Protocol HSRP changes ipmulticast Generates a trap for IP multicast routing changes mac notificatio...

Page 438: ... port Generates a trap for notification of host UDP port number change default is port 162 vlan membership Generates a trap for SNMP VLAN membership changes vlancreate Generates SNMP VLAN created traps vlandelete Generates SNMP VLAN deleted traps Table 25 5 Switch Notification Types continued Notification Type Keyword Description Command Purpose Step 1 configure terminal Enter global configuration...

Page 439: ...5 on page 25 13 If no type is specified all notifications are sent Step 6 snmp server enable traps notification types Enable the switch to send traps or informs and specify the type of notifications to be sent For a list of notification types see Table 25 5 on page 25 13 or enter snmp server enable traps To enable multiple types of traps you must enter a separate snmp server enable traps command f...

Page 440: ... global configuration mode Step 2 process cpu threshold type total process interrupt rising percentage interval seconds falling fall percentage interval seconds Set the CPU threshold notification types and values total set the notification type to total CPU utilization process set the notification type to CPU process utilization interrupt set the notification type to CPU interrupt utilization risi...

Page 441: ...ep 5 show running config Verify your entries Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 snmp server tftp server list access list number Limit TFTP servers used for configuration file copies through SNMP to the servers in the access list For access list number enter a...

Page 442: ... enter only object names from the Interfaces MIB or the Cisco Committed Access Rate MIB For oid enter the Object ID of the MIB object to add to the list All the objects in an object list must be in the same MIB index but the objects need not belong to the same MIB table Repeat the command until all objects to be monitored are added Step 4 exit Return to global configuration mode Step 5 snmp mib bu...

Page 443: ... transfer configuration mode Step 3 buffer size bytes Optional Specify the maximum size for the bulk statistics data file in bytes The range is from 1024 to 2147483647 bytes the default is 2048 bytes Step 4 format bulkBinary bulkASCII schemaASCII Optional Specify the format of the bulk statistics data file The default is schemaASCII Step 5 schema schema name Specify the bulk statistics schema to b...

Page 444: ...e CLI to configure the Cisco Process MIB CPU threshold table Note For commands for configuring the Cisco Process MIB CPU threshold table see the Cisco IOS Commands Master List Release 12 4 at this URL http://www.cisco.com/en/US/products/ps6350/products_product_indices_list.html Beginning in privileged EXEC mode follow these steps to configure a CPU threshold table Step 10 enable Begin th...

Page 445: ...access ro 4 Switch config snmp server enable traps snmp authentication Switch config snmp server host cisco com version 2c public This example shows how to send Entity MIB traps to the host cisco com The community string is restricted The first line enables the switch to send Entity MIB traps in addition to any traps previously enabled The second line specifies the destination of these traps and o...

Page 446: ...oup v3 auth Switch config snmp server user authuser authgroup remote 192 180 1 27 v3 auth md5 mypassword Switch config snmp server user authuser authgroup v3 auth md5 mypassword Switch config snmp server host 192 180 1 27 informs version 3 auth authuser config Switch config snmp server enable traps Switch config snmp server inform retries 0 This example shows how to enable SNMP notifications to pr...

Page 447: ...re Default Setting show snmp Displays SNMP statistics show snmp engineID local remote Displays information on the local SNMP engine and all remote engines that have been configured on the device show snmp group Displays information on each SNMP group on the network show snmp mib bulk transfer Displays transfer status of files generated by the Periodic MIB Data Collection and Transfer Mechanism bul...

Page 449: ...ter ACLs page 26 35 Displaying IPv4 ACL Configuration page 26 39 Note Not all ACL parameters can be used for QoS classification See the Ingress Classification Based on QoS ACLs section on page 27 9 Understanding ACLs Packet filtering can help limit network traffic and restrict network use by certain users or devices ACLs filter traffic as it passes through a router or switch and permit or deny pac...

Page 450: ...on page 27 2 These sections contain this conceptual information Supported ACLs page 26 2 Handling Fragmented and Unfragmented Traffic page 26 5 Supported ACLs The switch supports three applications of ACLs to filter traffic Port ACLs access control traffic entering a Layer 2 interface The switch does not support port ACLs in the outbound direction You can apply only one IP access list and one MAC ...

Page 451: ...y filtered by the port ACL Outgoing routed IPv4 packets are filtered by both the VLAN map and the router ACL Other packets are filtered only by the VLAN map Port ACLs Port ACLs are ACLs that are applied to Layer 2 interfaces on a switch Port ACLs are supported only on physical interfaces and not on EtherChannel interfaces and you can apply them only in the inbound direction You cannot apply an ACL...

Page 452: ...u apply a new IP access list or MAC access list to the interface the new ACL replaces the previously configured one Router ACLs You can apply router ACLs on switch virtual interfaces SVIs which are Layer 3 interfaces to VLANs on physical Layer 3 interfaces and on Layer 3 EtherChannel interfaces You apply router ACLs on interfaces for specific directions inbound or outbound You can apply one router...

Page 453: ...filtering and are not defined by direction input or output You can configure VLAN maps to match Layer 3 addresses for IPv4 traffic All non IP protocols are access controlled through MAC addresses and Ethertype using MAC VLAN maps IP traffic is not access controlled by MAC VLAN maps You can enforce VLAN maps only on packets going through the switch you cannot enforce VLAN maps on traffic between ho...

Page 454: ...nts also match the first ACE even though they do not contain the SMTP port information because the first ACE only checks Layer 3 information when applied to fragments Packet B is from host 10 2 2 2 port 65001 going to host 10 1 1 2 on the Telnet port If this packet is fragmented the first fragment matches the second ACE a deny because all Layer 3 and Layer 4 information is present The remaining fr...

Page 455: ...andard and Extended IPv4 ACLs This section describes IP ACLs An ACL is a sequential collection of permit and deny conditions One by one the switch tests packets against the conditions in an access list The first match determines whether the switch accepts or rejects the packet Because the switch stops testing after the first match the order of the conditions is critical If no conditions match the ...

Page 456: ...IP access list That is any packet that matches the ACL causes an informational logging message about the packet to be sent to the console The level of messages logged to the console is controlled by the logging console commands controlling the syslog messages Note Because routing is done in hardware and logging is done in software if a large number of packets match a permit or deny ACE containing ...

Page 457: ...from an associated IP host address ACL specification 0 0 0 0 is assumed to be the mask Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny permit source source wildcard log Define a standard IPv4 access list by using a source address and wildcard The access list number is a decimal number from 1 to 99 or 1300 to 1999 Enter deny or pe...

Page 458: ...bered extended access lists remember that after you create the ACL any additions are placed at the end of the list You cannot reorder the list or selectively add or remove ACEs from a numbered list Some protocols also have specific parameters and keywords that apply to that protocol These IP protocols are supported protocol keywords are in parentheses in bold Authentication Header Protocol ahp Enh...

Page 459: ...ing ICMP TCP and UDP use the keyword ip Note This step includes options for most IP protocols For additional specific parameters for TCP UDP ICMP and IGMP see steps 2b through 2e The source is the number of the network or host from which the packet is sent The source wildcard applies wildcard bits to the source The destination is the network or host number to which the packet is sent The destinati...

Page 460: ...ontrol Protocol The parameters are the same as those described in Step 2a with these exceptions Optional Enter an operator and port to compare source if positioned after source source wildcard or destination if positioned after destination destination wildcard port Possible operators include eq equal gt greater than lt less than neq not equal and range inclusive range Operators require a port numb...

Page 461: ...ments log log input time range time range name dscp dscp Optional Define an extended ICMP access list and the access conditions Enter icmp for Internet Control Message Protocol The ICMP parameters are the same as those described for most IP protocols in Step 2a with the addition of the ICMP message type and code parameters These optional keywords have these meanings icmp type Enter to filter by IC...

Page 462: ...igure more IPv4 access lists in a router than if you were to use numbered access lists If you identify your access list with a name rather than a number the mode and command syntax are slightly different However not all commands that use IP access lists accept a named access list Note The name you give to a standard or extended ACL can also be a number in the supported range of access list numbers...

Page 463: ...e and source wildcard of source 0 0 0 0 any A source and source wildcard of 0 0 0 0 255 255 255 255 Step 4 end Return to privileged EXEC mode Step 5 show access lists number name Show the access list configuration Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode S...

Page 464: ...IPv4 ACLs section on page 26 7 and the Creating Named Standard and Extended ACLs section on page 26 14 These are some of the many possible benefits of using time ranges You have more control over permitting or denying a user access to resources such as an application identified by an IP address mask pair and a port number You can control logging messages ACL entries can be set to log traffic only ...

Page 465: ...eny tcp any any time range new_year_day_2006 Switch config access list 188 permit tcp any any time range workhours Switch config end Switch show access lists Extended IP access list 188 10 deny tcp any any time range new_year_day_2006 inactive 20 permit tcp any any time range workhours inactive This example uses named ACLs to permit and deny the same traffic Switch config ip access list extended d...

Page 466: ...mmand To remove the remark use the no form of this command In this example the Jones subnet is not allowed to use outbound Telnet Switch config ip access list extended telnetting Switch config ext nacl remark Do not allow Jones subnet to telnet out Switch config ext nacl deny tcp host 171 69 2 88 any eq telnet Applying an IPv4 ACL to a Terminal Line You can use numbered ACLs to control access to o...

Page 467: ...ply ACLs to Layer 2 interfaces.
Note: By default, the router sends Internet Control Message Protocol (ICMP) unreachable messages when a packet is denied by an access group. These access-group denied packets are not dropped in hardware but are bridged to the switch CPU so that it can generate the ICMP-unreachable message.
Beginning in privileged EXEC mode, follow these steps to control access to an interfa...

Page 468: ...be changed by using the ip icmp rate-limit unreachable global configuration command. When you apply an undefined ACL to an interface, the switch acts as if the ACL has not been applied to the interface and permits all packets. Remember this behavior if you use undefined ACLs for network security.
Hardware and Software Treatment of IP ACLs
ACL processing is primarily accomplished in hardware, but requir...

Page 469: ...rdware resources causes this problem. Logical operation units are needed for a TCP flag match or a test other than eq (ne, gt, lt, or range) on TCP, UDP, or SCTP port numbers. Use one of these workarounds:
- Modify the ACL configuration to use fewer resources.
- Rename the ACL with a name or number that alphanumerically precedes the ACL names or numbers.
To determine the specialized hardware resources, enter the s...

Page 470: ...Security Configuration Guide, Release 12.2 and to the Configuring IP Services section in the IP Addressing and Services chapter of the Cisco IOS IP Configuration Guide, Release 12.2.
Figure 26-3 shows a small networked office environment with routed Port 2 connected to Server A, containing benefits and other information that all employees can access, and routed Port 1 connected to Server B, containing c...

Page 471: ...network 36.0.0.0 is a Class A network whose second octet specifies a subnet; that is, its subnet mask is 255.255.0.0. The third and fourth octets of a network 36.0.0.0 address specify a particular host. Using access list 2, the switch accepts one address on subnet 48 and rejects all others on that subnet. The last line of the list shows that the switch accepts addresses on all other network 36.0.0.0 subn...

Page 472: ..._filter ACL allows all traffic from the source address 1.2.3.4.
Switch(config)# ip access-list standard Internet_filter
Switch(config-ext-nacl)# permit 1.2.3.4
Switch(config-ext-nacl)# exit
The marketing_group ACL allows any TCP Telnet traffic to the destination address and wildcard 171.69.0.0 0.0.255.255 and denies any other TCP traffic. It permits ICMP traffic, denies UDP traffic from any source to the d...

Page 473: ...d ACL, the Jones subnet is not allowed access:
Switch(config)# ip access-list standard prevention
Switch(config-std-nacl)# remark Do not allow Jones subnet through
Switch(config-std-nacl)# deny 171.69.0.0 0.0.255.255
In this example of a named ACL, the Jones subnet is not allowed to use outbound Telnet:
Switch(config)# ip access-list extended telnetting
Switch(config-ext-nacl)# remark Do not allow Jones subnet ...

Page 474: ...0.1.1.61 (0/0), 7 packets
01:26:12:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.255(0), 1 packet
01:31:33:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.255(0), 8 packets
Note that all logging entries for IP ACLs start with %SEC-6-IPACCESSLOG with minor variations in format depending on the kind of ACL and the access entry that has been matched.
This is an example of an outp...

Page 475: ...urce MAC address mask} {any | host destination MAC address | destination MAC address mask} [type mask | lsap lsap mask | aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp | 0-65535] [cos cos]
In extended MAC access-list configuration mode, specify to permit or deny any source MAC address, a source MAC address with ...

Page 476: ...iguration command. This example shows how to apply MAC access list mac1 to a port to filter packets entering the port:
Switch(config)# interface gigabitethernet0/2
Router(config-if)# mac access-group mac1 in
Note: The mac access-group interface configuration command is only valid when applied to a physical Layer 2 interface. You cannot use the command on EtherChannel port channels.
After receiving a packet...

Page 477: ...map global configuration command to create a VLAN ACL map entry.
Step 3: In access map configuration mode, optionally enter an action, forward (the default) or drop, and enter the match command to specify an IP packet or a non-IP packet (with only a known MAC address) and to match the packet against one or more ACLs (standard or extended).
Note: If the VLAN map has a match clause for a type of packet (IP or MAC...

Page 478: ...teps to create, add to, or delete a VLAN map entry.
Use the no vlan access-map name global configuration command to delete a map. Use the no vlan access-map name number global configuration command to delete a single sequence entry from within the map. Use the no action access-map configuration command to enforce the default action, which is to forward.
Command - Purpose
Step 1: configure terminal - Enter glo...

Page 479: ...a packet. ACL ip2 permits UDP packets, and any packets that match the ip2 ACL are forwarded. In this map, any IP packets that did not match any of the previous ACLs (that is, packets that are not TCP packets or UDP packets) would get dropped.
Switch(config)# ip access-list extended ip2
Switch(config-ext-nacl)# permit udp any any
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map map_1 20
Switch(config ...

Page 480: ...ch(config)# mac access-list extended good-protocols
Switch(config-ext-macl)# permit any any decnet-ip
Switch(config-ext-macl)# permit any any vines-ip
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map drop-mac-default 10
Switch(config-access-map)# match mac address good-hosts
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan access-map drop-mac-default 20
Swi...

Page 481: ...e enabled on the switch. In this configuration, the switch can still support a VLAN map and a QoS classification ACL. In Figure 26-4, assume that Host X and Host Y are in different VLANs and are connected to wiring closet switches A and C. Traffic from Host X to Host Y is eventually being routed by Switch B, a Layer 3 switch with routing enabled. Traffic from Host X to Host Y can be access-controlled at ...

Page 482: ...P traffic is forwarded.
Switch(config)# vlan access-map map2 10
Switch(config-access-map)# match ip address http
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
Switch(config)# ip access-list extended match_all
Switch(config-ext-nacl)# permit ip any any
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map map2 20
Switch(config-access-map)# match ip address match_all
Switch(config-acce...

Page 483: ...hat will drop IP packets that match SERVER1_ACL and forward IP packets that do not match the ACL.
Switch(config)# vlan access-map SERVER1_MAP
Switch(config-access-map)# match ip address SERVER1_ACL
Switch(config-access-map)# action drop
Switch(config)# vlan access-map SERVER1_MAP 20
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Step 3: Apply the VLAN map to VLAN 10.
Switch(config)# vlan...

Page 484: ...the router ACL with the VLAN map might significantly increase the number of ACEs. If you must configure a router ACL and a VLAN map on the same VLAN, use these guidelines for both router ACL and VLAN map configuration:
- You can configure only one VLAN map and one router ACL in each direction (input/output) on a VLAN interface.
- Whenever possible, try to write the ACL with all entries having a single action...

Page 485: ...e that the packet might be dropped, rather than forwarded.
ACLs and Switched Packets
Figure 26-6 shows how an ACL is applied on packets that are switched within a VLAN. Packets switched within the VLAN without being routed or forwarded are only subject to the VLAN map of the input VLAN.
Figure 26-6: Applying ACLs on Switched Packets
ACLs and Routed Packets
Figure 26-7 shows how ACLs are applied on rout...

Page 486: ...be routed to more than one output VLAN, in which case a different router output ACL and VLAN map would apply for each destination VLAN. The final result is that the packet might be permitted in some of the output VLANs and not in others. A copy of the packet is forwarded to those destinations where it is permitted. However, if the input VLAN map (VLAN 10 map in Figure 26-8) drops the packet, no destinatio...

Page 487: ...urrent IP and MAC address access lists or a specific access list (numbered or named).
show ip access-lists [number | name] - Displays the contents of all current IP access lists or a specific IP access list (numbered or named).
show ip interface interface-id - Displays detailed configuration and status of an interface. If IP is enabled on the interface and ACLs have been applied by using the ip access-group inte...

Page 489: ...iated Services Code Point (DSCP), IP precedence, or the multiprotocol label switching (MPLS) experimental (EXP) value in the inbound packet. You can classify based on Layer 2 MAC, IP-standard, or IP-extended access control lists (ACLs). Egress QoS supports the same classifications as ingress QoS, except for ACLs, and also includes classification based on QoS group or discard class. Egress QoS also includes queuein...

Page 490: ...ormation rate (CIR) and peak information rate (PIR) and set actions to perform on packets that conform to the CIR and PIR (conform-action), packets that conform to the PIR but not the CIR (exceed-action), and packets that exceed the PIR value (violate-action). See the Policing section on page 27-13. All packets that belong to a classification can be remarked. When you configure a policer, packets that meet or exc...

Page 491: ...ch statement is allowed for match-all, except for outer VLAN and inner VLAN or outer CoS and inner CoS matches for 802.1Q tunneling (QinQ) packets.
A series of match class-map configuration commands to specify criteria for classifying packets. Criteria can include matching an access group defined by an ACL or matching a specific list of COS, DSCP, IP precedence, or MPLS EXP values. If a packet matches the ...

Page 492: ...ote: If you enter the no policy-map policy-map-name global configuration command to delete a policy map that is attached to an interface or service instance, a warning message appears that lists any interfaces from which the policy map is being detached. The policy map is then detached and deleted. For example:
Warning: Detaching Policy test1 from Interface GigabitEthernet0/1
Hierarchical QoS
Hierarchic...

Page 493: ... policy. If no parent policy is configured, the parent policy represents the physical port. Configure unconditional marking by using the set command. In a physical-level policy map, class-default is the only class that you can configure.
You use the service-policy {input | output} policy-map-name interface configuration command to attach a hierarchical policy to a physical port or to an EFP.
Classification
C...

Page 494: ...nd. In class-map configuration mode, you use the match class-map configuration command to define the match criterion for the traffic. You can also create a class map that requires that all matching criteria in the class map be in the packet header by using the class-map match-all class-map-name global configuration command.
Note: The match-all keyword is supported only for outer and inner VLAN or outer...

Page 495: ...map)# exit
Classification Based on Layer 2 CoS
You use the match cos command to classify Layer 2 traffic based on the CoS value, which ranges from 0 to 7. This example shows how to create a class map to match a CoS value of 5:
Switch(config)# class-map premium
Switch(config-cmap)# match cos 5
Switch(config-cmap)# exit
Classification Based on IP Precedence
You can classify IPv4 traffic based on the packet IP ...

Page 496: ...with CS3(precedence 3) dscp (011000)
cs4 Match packets with CS4(precedence 4) dscp (100000)
cs5 Match packets with CS5(precedence 5) dscp (101000)
cs6 Match packets with CS6(precedence 6) dscp (110000)
cs7 Match packets with CS7(precedence 7) dscp (111000)
default Match packets with default dscp (000000)
ef Match packets with EF dscp (101110)
For more information on DSCP prioritization, see RFC 2597 (AF per-hop behavi...

Page 497: ...o not match ACLs that use the deny keyword.
- If a match with a permit action is encountered (first-match principle), the specified QoS-related action is taken.
- If a match with a deny action is encountered, the ACL being processed is omitted, and the next ACL is processed.
- If no match with a permit action is encountered and all the ACEs have been examined, no QoS processing occurs on the packet, and the switc...

Page 498: ...you can classify an ACL on ingress by using the set qos-group command and then use the match qos-group command in an output policy.
Switch(config)# class-map acl
Switch(config-cmap)# match access-group name acl
Switch(config-cmap)# exit
Input policy map:
Switch(config)# policy-map set-qos-group
Switch(config-pmap)# class acl
Switch(config-pmap-c)# set qos-group 5
Switch(config-cmap-c)# exit
Output policy map:
Swit...

Page 499: ...acket could be classified on input into one QoS group, but within that QoS group, a policer could mark one of three discard classes, depending on whether the packet was determined to conform to, exceed, or violate the configured specifications. On output, a class would match the QoS group, but you could configure three different drop curves, one for each of the discard classes. The discard class value range...

Page 500: ...S QoS to classify packets according to the type, input interface, and other factors by setting (marking) each packet within the MPLS experimental field without changing the IP precedence or DSCP field. You can use the IP precedence or DSCP bits to specify the QoS for an IP packet and use the MPLS experimental bits to specify the QoS for an MPLS packet. In an MPLS network, configure the MPLS experimental ...

Page 501: ...on the policer configuration. All traffic, whether it is bridged or routed, is subjected to a configured policer. As a result, packets might be dropped or might have the DSCP or CoS fields modified when they are policed and marked.
Note: Input hierarchical service policies are applied to a traffic stream before any other services act on that traffic. For example, an input hierarchical service policy applie...

Page 502: ...e information, see the Attaching a Service Policy to an Interface or EFP section on page 27-56. Policing is done only on received traffic, so you can only attach a policer to an input service policy. See the Configuring a Policy Map with 1-Rate 2-Color Policing section on page 27-34 for configuration examples. You can use the conform-action, exceed-action, and violate-action policy-map class configuratio...

Page 503: ...nterface gigabitethernet0/1
Switch(config-if)# service-policy input Example
Switch(config-if)# exit
Congestion Avoidance and Queuing
Congestion avoidance uses algorithms such as tail drop to control the number of packets entering the queuing and scheduling stage to avoid congestion and network bottlenecks. The switch uses WTD to manage the queue sizes and provide a drop precedence for traffic classific...

Page 504: ... is when you configure queue-limit for the class-default of an output policy map. The switch supports up to three unique queue-limit configurations (including the default) across all output policy maps. Within an output policy map, four or eight queues (classes) are allowed, including the class default. Each queue can have three defined thresholds. Only three unique threshold value configurations are allowe...

Page 505: ...ime to send them to one of the four or eight traffic queues. Queuing assigns a packet to a particular queue based on the packet class and is enhanced by the WTD algorithm for congestion avoidance. You can use different scheduling mechanisms to provide a guaranteed bandwidth to a particular class of traffic while also serving other traffic in a fair way. You can limit the maximum bandwidth that can be...

Page 506: ...and to limit the rate of data transmission, in bits per second, to be used for the committed information rate for a class of traffic. The switch supports separate queues for four or eight classes of traffic, including the default queue for class class-default (unclassified traffic). See the Configuring Class-Based Shaping section on page 27-47.
Port Shaping
Port shaping is applied to all traffic leaving a...

Page 507: ...s bandwidth on the port is allocated to each class in the same ratio in which the CIR rates are configured. The CIR range is from 1 Kb/s to 10 Gb/s or 1 to 100 percent. You configure the bandwidth percent command mainly in hierarchical policy maps, where a child CIR guarantee is tied to the parent CIR guarantee. The sum of all CIR commitments for a set of peer classes cannot exceed the PIR shape of th...

Page 508: ...euing might cause congestion in other queues. Priority queuing has these restrictions:
- You can associate the priority command with a single unique class for each policy map.
- You cannot configure priority and any other scheduling action (shape average or bandwidth) in the same class.
- You cannot configure priority queuing for the class-default of an output policy map.
For more information, see the Configu...

Page 509: ...actions Any one level class VLAN or physical Output Policy Maps Classification Outer VLAN Inner VLAN or both VLAN level Outer CoS Inner CoS or both MAC ACLs IP ACLs IPv4 DSCP or Precedence MPLS EXP Match any only Class level Queuing Tail drop queue limit or weighted tail drop based on outer CoS IPv4 DSCP or precedence MPLS EXP QoS group or discard class Class level 208742 Classification Policing M...

Page 510: ...you can attach a 3-level hierarchical policy to an EFP, the policy should conform to these rules: Only two of the three levels can have a scheduling action (bandwidth, priority, or shape). One of the two levels must be the class (bottom-most) level.
Output policy maps do not support matching of access groups. You can use QoS groups as an alternative by matching the appropriate access group in the input polic...

Page 511: ...e configured queueing policies for normal traffic.
Marking: By default, the CoS marking of CFM traffic (including IP SLAs using CFM probes) is not changed. QoS configuration cannot change this behavior. By default, IP traffic marking and the CoS marking of all other Layer 2 non-IP traffic is not changed. The QoS marking feature can change this behavior.
Queuing: IP SLAs traffic is queued according to its ToS...

Page 512: ...rt, a VLAN class, or an EFP service instance.
- You can configure a maximum of 1024 policy maps.
- You can apply one input policy map and one output policy map to an interface or service instance.
- The maximum number of classification criteria per class map is 64.
- The maximum number of classes per policy map is 4000.
- Policy configurations are validated as they are configured. When invalid configurations are de...

Page 513: ...cy map attached can use any classification criteria specified in the egress policy. When an input policy map is attached to a target, even if traffic does not match any classes in the input policy, it cannot be egress classified.
When configuring both MPLS VPN and QoS, you can apply most QoS functions to MPLS VPN traffic. However, for a hierarchical QoS function, you cannot apply a service policy that wou...

Page 514: ...tions on ingress. Beginning in privileged EXEC mode, follow these steps to create a class map and to define the match criterion to classify traffic:
Command - Purpose
Step 1: configure terminal - Enter global configuration mode.
Step 2: class-map [match-all | match-any] class-map-name - Create a class map, and enter class-map configuration mode. By default, no class maps are defined. For class-map-name, specify the na...

Page 515: ...ach value with a space. You can enter multiple dscp-list lines to match more than eight DSCP values. The numerical range is 0 to 63. You can also configure DSCP values in other forms: af numbers, cs numbers, default, or ef.
For ip precedence ip-precedence-list, enter a list of up to four IPv4 precedence values to match against incoming packets. Separate each value with a space. You can enter multiple ip prec...

Page 516: ...(config-cmap)# exit
This example shows how to create a class map called parent-class, which matches incoming traffic with VLAN IDs in the range from 30 to 40.
Switch(config)# class-map match-any parent-class
Switch(config-cmap)# match vlan 30-40
Switch(config-cmap)# exit
Using ACLs to Classify Traffic
You can classify IP traffic by using IP standard or IP extended ACLs. You can classify IP and non-IP traffic...

Page 517: ...ported keywords are dscp or tos. You can also specify a time range.
Command - Purpose
Step 1: configure terminal - Enter global configuration mode.
Step 2: access-list access-list-number permit source [source-wildcard] - Create an IP standard ACL, repeating the command as many times as necessary. For access-list-number, enter the access list number. The range is 1 to 99 and 1300 to 1999. Always use the permit keywo...

Page 518: ...r host sending the packet. The source wildcard applies wildcard bits to the source. The destination is the network or host number receiving the packet. The destination wildcard applies wildcard bits to the destination. You can specify source, destination, and wildcards as:
- The 32-bit quantity in dotted-decimal format.
- The keyword any for 0.0.0.0 255.255.255.255 (any host).
- The keyword host for a single host ...

Page 519: ...ing the name of the list, and enter extended MAC ACL configuration mode.
Step 3: permit any host dst MAC addr dst MAC addr mask type mask
Note: Although visible in the command-line help, the host src MAC addr mask keywords are not supported. Always use the permit keyword for ACLs used as match criteria in QoS policies.
For dst MAC addr, enter the MAC address of the host to which the packet is being sent. Y...

Page 520: ...you configure marking on one level, you can configure policing without marking (transmit, drop) on another level.
Beginning in privileged EXEC mode, follow these steps to create an input policy map that marks traffic:
Command - Purpose
Step 1: configure terminal - Enter global configuration mode.
Step 2: policy-map policy-map-name - Create a policy map by entering the policy map name, and enter policy-map configur...

Page 521: ...override (4), critical (5), internet (6), network (7).
Note: A class can have either DSCP or precedence marking. If one of these is already configured in a class and you configure the other keyword, the newer command overwrites the previous command. If the value configured for a set ip precedence class in an earlier class in a policy overlaps the value configured for a set ip dscp class in a later class, then the ...

Page 522: ...ic and the action to take for a class of traffic. The switch supports 1-rate policing with a 2-color marker or 2-rate policing with a 3-color marker. Mapped packets can be sent without modification, dropped, or marked to options specified by the set command. Note that traffic rates are configured in bits per second and burst size is entered in bytes.
Follow these guidelines when configuring policing: Hie...

Page 523: ...e range is 8000 to 16000000.
For bc burst-bytes (optional), specify the conformed burst (bc) or the number of acceptable burst bytes. The range is 8000 to 16000000.
For cir percent percent, specify the rate as a percentage of the bandwidth assigned to the class. The range is 1 to 100 percent.
For burst-ms (optional), enter the conform burst size in milliseconds. The range is 1 to 2000. The default is 250 ms.
For b...

Page 524: ...alue and send the packet. The range is 0 to 63. You also can enter a mnemonic name for a commonly used value or use the question mark (?) to see a list of available values.
set-mpls-exp-imposition-transmit new-exp: enter the new MPLS experimental value to be set at tag imposition and send the packet. The range is 0 to 7.
set-mpls-exp-topmost-transmit new-exp: enter the new MPLS experimental value for the out...

Page 525: ...rop: drop the packet.
set-cos-transmit cos_value: set the CoS value to a new value and send the packet. The range is 0 to 7.
set-discard-class-transmit discard_value: set the discard value to a new value and send the packet. The range is 0 to 7.
set-dscp-transmit dscp_value: set the IP DSCP value to a new value and send the packet. The range is 0 to 63. You also can enter a mnemonic name for a commonly used ...

Page 526: ...p1
Switch(config-pmap)# class cos-set-1
Switch(config-pmap-c)# police cir 23000 bc 10000
Switch(config-pmap-c-police)# conform-action set-dscp-transmit 48
Switch(config-pmap-c-police)# conform-action set-cos-transmit 5
Switch(config-pmap-c-police)# exceed-action drop
Switch(config-pmap-c-police)# exit
Switch(config-pmap)# exit
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# service-policy input map1...

Page 527: ... burst-ms (optional), enter the conform burst size in milliseconds. The range is 1 to 2000.
For bc burst-ms (optional), specify the conformed burst (bc) in ms. The range is 1 to 2000.
(Optional) For pir pir-bps, specify the peak information rate (PIR) for the policy. The range is 64000 to 10000000000. If you do not enter a pir pir-bps, the policer is configured as a 1-rate, 2-color policer.
For be peak-burst (optional), s...

Page 528: ...the packet.
Note: If the conform action is set to drop, the exceed and violate actions are automatically set to drop. If the exceed action is set to drop, the violate action is automatically set to drop.
set-cos-transmit cos_value: set the CoS value to a new value and send the packet. The range is 0 to 7.
set-discard-class-transmit discard_value: set the discard value to a new value and send the packet. The ...

Page 529: ...it
Switch(config)# policy-map in-policy
Switch(config-pmap)# class cos-4
Switch(config-pmap-c)# police cir 5000000 pir 8000000
Switch(config-pmap-c-police)# conform-action transmit
Switch(config-pmap-c-police)# exceed-action set-dscp-transmit 24
Switch(config-pmap-c-police)# violate-action drop
Switch(config-pmap-c-police)# end
Configuring Output Policy Maps
Configuring Output Class Maps, page 27-41
Configuring ...

Page 530: ...ve match criteria. Create a class map, and enter class-map configuration mode. By default, no class maps are defined.
(Optional) Use the match-all keyword to perform a logical-AND of all matching statements under this class map. All match criteria in the class map must be matched.
(Optional) Use the match-any keyword to perform a logical-OR of all matching statements under this class map. One or more match cr...

Page 531: ... enter multiple dscp-list lines to match more than eight DSCP values. The numerical range is 0 to 63. You can also configure DSCP values in other forms: af numbers, cs numbers, default, or ef.
For ip precedence ip-precedence-list, enter a list of up to four IPv4 precedence values to match against incoming packets. Separate each value with a space. You can enter multiple ip-precedence-list lines to match mor...

Page 532: ... by reserving the configured bandwidth for that class. Follow these guidelines:
- You can configure CBWFQ at the class level and at the VLAN level.
- The total of the minimum bandwidth guaranteed for each queue of the policy cannot exceed the total speed of the parent.
- You cannot configure bandwidth as an absolute rate or a percentage of total bandwidth when strict priority is configured for another class...

Page 533: ...ap)# exit
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# service-policy output gold_policy
Switch(config-if)# exit
Note: When you configure CIR bandwidth for a class as an absolute rate or percentage of the total bandwidth, any excess bandwidth remaining after servicing the CIR of all the classes in the policy map is divided among the classes in the same proportion as the CIR rates. If the C...

Page 534: ...ment. The other classes are configured to get percentages of the excess bandwidth if any remains after servicing the priority queue: outclass2 is configured to get 50 percent, outclass3 to get 20 percent, and the class class-default to get the remaining 30 percent.
Switch(config)# policy-map out-policy
Switch(config-pmap)# class outclass1
Switch(config-pmap-c)# priority
Switch(config-pmap-c)# exit
Switch(confi...

Page 535: ... 10 Mb/s of the available port bandwidth.
Switch(config)# policy-map out-policy
Switch(config-pmap)# class classout1
Switch(config-pmap-c)# shape average 50000000
Switch(config-pmap-c)# exit
Switch(config-pmap)# class classout2
Switch(config-pmap-c)# shape average 20000000
Switch(config-pmap-c)# exit
Command - Purpose
Step 1: configure terminal - Enter global configuration mode.
Step 2: policy-map policy-map-name - Creat...

Page 536: ...onfiguring a hierarchical policy map that shapes a port to 90 Mb/s, allocated according to the out-policy policy map configured in the previous example.
Switch(config)# policy-map out-policy-parent
Switch(config-pmap)# class class-default
Switch(config-pmap-c)# shape average 90000000
Switch(config-pmap-c)# service-policy out-policy
Switch(config-pmap-c)# exit
Command - Purpose
Step 1: configure terminal - Enter gl...

Page 537: ... delete an existing policy map or class map or to cancel strict priority queuing for the priority class or the bandwidth setting for the other classes.
Command - Purpose
Step 1: configure terminal - Enter global configuration mode.
Step 2: class-map class-map-name - Create classes for three egress queues. Enter match conditions classification for each class.
Step 3: policy-map policy-map-name - Create a policy m...

Page 538: ...Configuring Weighted Tail Drop
Weighted tail drop (WTD) adjusts the queue size associated with a traffic class in terms of time and bytes. You configure WTD by using the queue-limit policy-map class configuration command. The queue-limit command is allowed only after you have configured a scheduling action (bandwidth, shape average, or priority).
Beginning in privileged EXEC mode, follow these steps to use ...

Page 539: ...is from 0 to 7.
(Optional) Enter discard-class value to specify the drop precedence for a packet during congestion management. The range is 0 to 7.
(Optional) For dscp value, specify a DSCP value. The range is from 0 to 63.
(Optional) For exp value, specify an MPLS experimental value. The range is from 0 to 7.
(Optional) For precedence value, specify an IP precedence value. The range is from 0 to 7.
(Optional) For qos ...

Page 540: ...e only three unique qualified queue-limit thresholds. In this example, there are four unique thresholds, so the configuration is rejected.
Switch(config-pmap-c)# queue-limit 100 us
Switch(config-pmap-c)# queue-limit cos 2 200 us
Switch(config-pmap-c)# queue-limit cos 3 300 us
Switch(config-pmap-c)# queue-limit cos 4 400 us
In the next example, although there appear to be only three unique thresholds, in reality...

Page 541: ... exit
This is an example of a 2-level output policy. You can attach this policy to physical ports or to EFP service instances.
Switch(config)# policy-map interface-policy-with-phb-child
Switch(config-pmap)# class class-default
Switch(config-pmap-c)# service-policy vlan-policy
Switch(config-pmap-c)# exit
Configuring MPLS and EoMPLS QoS
Default MPLS and EoMPLS QoS Configuration, page 27-53
MPLS QoS Configurati...

Page 542: ...e experimental bits in both the virtual-connection and tunnel labels. The process includes these steps on the ingress router:
- Configure a class map to classify IP packets according to their DSCP or IP precedence classification.
- Configure a policy map to mark MPLS packets (write their classification into the MPLS experimental field).
- Attach the service policy to the input interface or service instance.
Be...

Page 543: ...ing Modes
The switch supports MPLS DiffServ tunneling modes, which allow QoS to be transparent from one edge of a network to the other edge. A tunnel starts where there is label imposition and ends where there is label disposition. The switch supports three tunnelling modes: uniform mode, short pipe mode, and pipe mode. For additional information, see MPLS DiffServ Tunneling Modes at this URL: http://www.cisco ...

Page 544: ...is being detached. The policy map is then detached and deleted. For example:
Warning: Detaching Policy test1 from Interface GigabitEthernet0/1
Beginning in privileged EXEC mode, follow these steps to attach a policy map to a port. To remove the policy map and port association, use the no service-policy {input | output} policy-map-name interface configuration command.
Beginning in privileged EXEC mode, follow t...

Page 545: ...e You must configure encapsulation type and a bridge domain for the service instance or the service policy command will be rejected Step 5 bridge domain bridge id split horizon group group id Configure the bridge domain ID The range is from 1 to 8000 Step 6 service policy input output policy map name Specify the policy map name and whether it is an input policy map or an output policy map Step 7 e...

Page 546: ...on such as policing or scheduling and the associated statistics This is an example of the output of the show policy map interface command showing statistics for an output policy map Switch show policy map interface gigabitethernet 0 2 GigabitEthernet0 2 Service policy output phb Class map phb match all 0 packets 0 bytes 5 minute offered rate 0 bps drop rate 0 bps Match cos 2 Bandwidth 1000 kbps Qu...

Page 547: ...ic from the failed link to the remaining links in the channel without intervention Note Although EtherChannels are not supported on ports configured with service instances you can configure a service instance on an EtherChannel port channel For complete syntax and usage information for the commands used in this chapter see the command reference for this release Understanding EtherChannels page 28 ...

Page 548: ...e no switchport interface configuration command For more information see the Chapter 9 Configuring Interfaces You can configure an EtherChannel in one of these modes Port Aggregation Protocol PAgP Link Aggregation Control Protocol LACP or On mode Configure both ends of the EtherChannel in the same mode When you configure one end of an EtherChannel in either PAgP or LACP mode the system negotiates ...

Page 549: ... you must use the channel group channel group number command to bind the logical interface to a physical port The channel group number can be the same as the port channel number or you can use a new number If you use a new number the channel group command dynamically creates a new port channel With Layer 3 ports you should manually create the logical interface by using the interface port channel g...

Page 550: ...Modes Table 28 1 shows the user configurable EtherChannel PAgP modes for the channel group interface configuration command on a port Switch ports exchange PAgP packets only with partner ports configured in the auto or desirable modes Ports configured in the on mode do not exchange PAgP packets Both the auto and desirable modes enable ports to negotiate with partner ports to form an EtherChannel b...

Page 551: ...Cisco switches to manage Ethernet channels between switches that conform to the standard LACP facilitates the automatic creation of EtherChannels by exchanging LACP packets between Ethernet ports By using LACP the switch learns the identity of partners capable of supporting LACP and the capabilities of each port It then dynamically groups similarly configured ports into a single logical link chann...

Page 552: ...e on mode a usable EtherChannel exists only when both ends of the link are configured in the on mode Ports that are configured in the on mode in the same channel group must have compatible port characteristics such as speed and duplex Ports that are not compatible are suspended even though they are configured in the on mode Caution You should use care when using the on mode This is a manual config...

Page 553: ...ddress use the same port in the channel With destination IP address based forwarding when packets are forwarded to an EtherChannel they are distributed across the ports in the EtherChannel based on the destination IP address of the incoming packet Therefore to provide load balancing packets from the same IP source address sent to different IP destination addresses could be sent on different ports ...

Page 554: ...n Method and Priority page 28 16 optional Configuring LACP Hot Standby Ports page 28 17 optional EtherChannels and Ethernet Flow Points EFPs page 28 19 optional Note Make sure that the ports are correctly configured For more information see the EtherChannel Configuration Guidelines section on page 28 9 Note After you configure an EtherChannel configuration changes applied to the port channel inter...

Page 555: ...rts follow the parameters set for the first port to be added to the group If you change the configuration of one of these parameters you must also make the changes to all ports in the group Allowed VLAN list Spanning tree path cost for each VLAN Spanning tree port priority for each VLAN Spanning tree Port Fast setting Do not configure a port to be a member of more than one EtherChannel group Do no...

Page 556: ...uring Ethernet Virtual Connections EVCs you can add a service instance to an EtherChannel port channel Configuring Layer 2 EtherChannels You configure Layer 2 EtherChannels by assigning ports to a channel group with the channel group interface configuration command This command automatically creates the port channel logical interface Note Although you cannot assign a port configured with an EFP se...

Page 557: ... in the on mode is connected to another port group in the on mode non silent Optional If your switch is connected to a partner that is PAgP capable configure the switch port for nonsilent operation when the port is in the auto or desirable mode If you do not specify non silent silent is assumed The silent setting is for connections to file servers or packet analyzers This setting allows PAgP to op...

Page 558: ...sections Creating Port Channel Logical Interfaces When configuring Layer 3 EtherChannels you should first manually create the port channel logical interface by using the interface port channel global configuration command Then you put the logical interface into the channel group by using the channel group interface configuration command Note To move an IP address from a physical port to an EtherCh...

Page 559: ...nterfaces Beginning in privileged EXEC mode follow these steps to assign an Ethernet port to a Layer 3 EtherChannel This procedure is required Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify a physical port and enter interface configuration mode Valid interfaces include physical ports For a PAgP EtherChannel you can configure up to ei...

Page 560: ...s only when a port group in the on mode is connected to another port group in the on mode non silent Optional If your switch is connected to a partner that is PAgP capable configure the switch port for nonsilent operation when the port is in the auto or desirable mode If you do not specify non silent silent is assumed The silent setting is for connections to file servers or packet analyzers This s...

Page 561: ...therChannel load balancing to the default configuration use the no port channel load balance global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 port channel load balance dst ip dst mac src dst ip src dst mac src ip src mac Configure an EtherChannel load balancing method The default is src mac Select one of these load distribution methods d...

Page 562: ...n just a few seconds if the selected single port loses hardware signal detection You can configure which port is always selected for packet transmission by changing its priority with the pagp port priority interface configuration command The higher the priority the more likely that the port will be selected Note The switch supports address learning only on aggregate ports even though the physical ...

Page 563: ... Port number In priority comparisons numerically lower values have higher priority The priority decides which ports should be put in standby mode when there is a hardware limitation that prevents all compatible ports from aggregating Step 3 pagp learn method physical port Select the PAgP learning method By default aggregation port learning is selected which means the switch sends packets to the so...

Page 564: ...ure the LACP system priority This procedure is optional To return the LACP system priority to the default value use the no lacp system priority global configuration command Configuring the LACP Port Priority By default all ports use the same port priority If the local system has a lower value for the system priority and the system ID than the remote system you can affect which of the hot standby l...

Page 565: ... configure Layer 2 protocol LACP peer on a service instance Switch config interface gigabitethernet0 1 Switch config if switchport mode trunk Switch config if switchport trunk allowed vlan none Switch config if service instance 1 Ethernet Switch config if srv encapsulation untagged Switch config if srv l2protocol peer lacp Switch config if srv bridge domain 10 Switch config if srv end Command Purp...

Page 566: ...led information about the fields in the displays see the command reference for this release Table 28 4 Commands for Displaying EtherChannel PAgP and LACP Status Command Description show etherchannel channel group number detail port port channel protocol summary detail load balance port port channel protocol summary Displays EtherChannel information in a brief detailed and one line summary form Als...

Page 567: ...ting page 29 1 Steps for Configuring Routing page 29 2 Configuring IP Addressing page 29 3 Enabling IPv4 Unicast Routing page 29 16 Configuring RIP page 29 17 Configuring OSPF page 29 22 Configuring EIGRP page 29 33 Configuring BGP page 29 41 Configuring ISO CLNS Routing page 29 61 Configuring BFD page 29 71 Configuring Multi VRF CE page 29 80 Configuring Protocol Independent Features page 29 93 M...

Page 568: ...through a single path into and out of a network Static routing does not automatically respond to changes in the network and therefore might result in unreachable destinations By dynamically calculating routes by using a routing protocol Steps for Configuring Routing By default IPv4 routing is disabled on the switch and you must enable it before routing can take place For detailed IP routing config...

Page 569: ...g requires that Layer 3 network interfaces are assigned IP addresses to enable the interfaces and to allow communication with the hosts on interfaces that use IP These sections describe how to configure various IP addressing features Assigning IP addresses to the interface is required the other procedures are optional Default Addressing Configuration page 29 3 Assigning IP Addresses to Network Int...

Page 570: ... helper address is defined or User Datagram Protocol UDP flooding is configured UDP forwarding is enabled on default ports Any local broadcast Disabled Turbo flood Disabled IP helper address Disabled IP host Disabled IRDP Disabled Defaults when enabled Broadcast IRDP advertisements Maximum interval between advertisements 600 seconds Minimum interval between advertisements 0 75 times max interval P...

Page 571: ... a network with no default route the router forwards the packet to the best supernet route A supernet consists of contiguous blocks of Class C address spaces used to simulate a single larger address space and is designed to relieve the pressure on the rapidly depleting Class B address space In Figure 29 2 classless routing is enabled When the host sends a packet to 120 20 4 1 instead of discarding...

Page 572: ...ess Routing To prevent the switch from forwarding packets destined for unrecognized subnets to the best supernet route possible you can disable classless routing behavior Beginning in privileged EXEC mode follow these steps to disable classless routing Host 128 20 1 0 128 20 2 0 128 20 3 0 128 20 4 1 128 0 0 0 8 128 20 4 1 IP classless 45749 128 20 0 0 Host 128 20 1 0 128 20 2 0 128 20 3 0 128 20 ...

Page 573: ...l SNAP Proxy ARP helps hosts with no routing tables learn the MAC addresses of hosts on other networks or subnets If the switch router receives an ARP request for a host that is not on the same interface as the ARP request sender and if the router has all of its routes to the host through other interfaces it generates a proxy ARP packet giving its own local data link address The host that sent the...

Page 574: ...bally associate an IP address with a MAC hardware address in the ARP cache and specify encapsulation type as one of these arpa ARP encapsulation for Ethernet interfaces snap Subnetwork Address Protocol encapsulation for Token Ring and FDDI interfaces sap HP s ARP type Step 3 arp ip address hardware address type alias Optional Specify that the switch respond to ARP requests as if it were the owner ...

Page 575: ...ommand Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify the Layer 3 interface to configure Step 3 arp arpa snap Specify the ARP encapsulation method arpa Address Resolution Protocol snap Subnetwork Address Protocol Step 4 end Return to privileged EXEC mode Step 5 show interfaces interface id Verif...

Page 576: ...P works as long as other routers support it Default Gateway Another method for locating routes is to define a default router or default gateway All nonlocal packets are sent to this router which either routes them appropriately or sends an IP Control Message Protocol ICMP redirect message back defining which local router the host should use The switch caches the redirect messages and forwards each...

Page 577: ... global configuration mode Step 2 interface interface id Enter interface configuration mode and specify the Layer 3 interface to configure Step 3 ip irdp Enable IRDP processing on the interface Step 4 ip irdp multicast Optional Send IRDP advertisements to the multicast address 224 0 0 1 instead of IP broadcasts Note This command allows for compatibility with Sun Microsystems Solaris which requires...

Page 578: ...es for forwarding broadcast messages Enabling Directed Broadcast to Physical Broadcast Translation page 29 12 Forwarding UDP Broadcast Packets and Protocols page 29 13 Establishing an IP Broadcast Address page 29 14 Flooding IP Broadcasts page 29 14 Enabling Directed Broadcast to Physical Broadcast Translation By default IP directed broadcasts are not forwarded they are dropped to make routers les...

Page 579: ...ress has been defined for an interface The description for the ip forward protocol interface configuration command in the Cisco IOS IP Command Reference Volume 1 of 3 Addressing and Services Release 12 2 lists the ports that are forwarded by default if you do not specify any UDP ports If you do not specify any UDP ports when you configure the forwarding of UDP broadcasts you are configuring the ro...

Page 580: ...ured on an interface the interface can receive broadcasts but it never forwards the broadcasts it receives and the router never uses that interface to send broadcasts received on a different interface Packets that are forwarded to a single network address using the IP helper address mechanism can be flooded Only one copy of the packet is sent on each network segment Step 4 exit Return to global co...

Page 581: ...he bridging spanning tree database to flood UDP datagrams Use the no ip forward protocol spanning tree global configuration command to disable the flooding of IP broadcasts In the switch the majority of packets are forwarded in hardware most packets do not go through the switch CPU For those packets that do go to the CPU you can speed up spanning tree based UDP flooding by a factor of about four t...

Page 582: ... the IP ARP cache and the fast switching cache clear host name Remove one or all entries from the hostname and the address cache clear ip route network mask Remove one or more routes from the IP routing table Table 29 3 Commands to Display Caches Tables and Databases Command Purpose show arp Display the entries in the ARP table show hosts Display the default domain name style of lookup service nam...

Page 583: ... information You can find detailed information about RIP in IP Routing Fundamentals published by Cisco Press Using RIP the switch sends routing information updates advertisements every 30 seconds If a router does not receive an update from another router for 180 seconds or more it marks the routes served by that router as unusable If there is still no update after 240 seconds the router removes al...

Page 584: ...ge 29 20 Default RIP Configuration Configuring Basic RIP Parameters To configure RIP you enable RIP routing for a network and optionally configure other parameters On the Cisco ME switch RIP configuration commands are ignored until you configure the network number Table 29 4 Default RIP Configuration Feature Default Setting Auto summary Enabled Default information originate Disabled Default metric...

Page 585: ...nds invalid The timer after which a route is declared invalid The default is 180 seconds holddown The time before a route is removed from the routing table The default is 180 seconds flush The amount of time for which routing updates are postponed The default is 240 seconds Step 8 version 1 2 Optional Configure the switch to receive and send only RIP Version 1 or RIP Version 2 packets By default t...

Page 586: ... the no ip rip authentication mode interface configuration command To prevent authentication use the no ip rip authentication key chain interface configuration command Configuring Split Horizon Routers connected to broadcast type IP networks and using distance vector routing protocols normally use the split horizon mechanism to reduce the possibility of routing loops Split horizon blocks informati...

Page 587: ...mmary address rip router configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify the interface to configure Step 3 ip address ip address subnet mask Configure the IP address and IP subnet Step 4 no ip split horizon Disable split horizon on the interface Step 5 end Return to privileg...

Page 588: ...ing and receiving packets This section briefly describes how to configure OSPF For a complete description of the OSPF commands see the OSPF Commands chapter of the Cisco IOS IP Command Reference Volume 2 of 3 Routing Protocols Release 12 2 Note OSPF classifies different media into broadcast nonbroadcast multiaccess NBMA or point to point networks Broadcast and nonbroadcast networks can also be co...

Page 589: ...efault cost predefined Retransmit interval 5 seconds Transmit delay 1 second Priority 1 Hello interval 10 seconds Dead interval 4 times the hello interval No authentication No password specified MD5 authentication disabled Area Authentication type 0 no authentication Default cost 1 Range Disabled Stub No stub area defined NSSA No NSSA area defined Auto cost 100 Mbps Default information originate D...

Page 590: ... OSPF routing process specify the range of IP addresses to be associated with the routing process and assign area IDs to be associated with that range Log adjacency changes Enabled Neighbor None specified Neighbor database filter Disabled All outgoing LSAs are flooded to the neighbor Network area Disabled NSF1 awareness Enabled2 Allows Layer 3 switches to continue forwarding packets from a neighbo...

Page 591: ... Purpose Step 1 configure terminal Enter global configuration mode Step 2 router ospf process id Enable OSPF routing and enter router configuration mode The process ID is an internally used identification parameter that is locally assigned and can be any positive integer Each OSPF routing process has a unique value Step 3 network address wildcard mask area area id Define an interface on which OSPF...

Page 592: ...5535 seconds The default is 4 times the hello interval Step 9 ip ospf authentication key key Optional Assign a password to be used by neighboring OSPF routers The password can be any string of keyboard entered characters up to 8 bytes in length All neighboring routers on the same network must have the same password to exchange OSPF information Step 10 ip ospf message digest key keyid md5 key Optio...

Page 593: ...igure routers that interconnect to nonbroadcast networks On point to multipoint nonbroadcast networks you then use the neighbor router configuration command to identify neighbors Assigning a cost to a neighbor is optional Configuring Network Types for OSPF Interfaces You can configure network interfaces as either broadcast or NBMA and as point to point or point to multipoint regardless of the defa...

Page 594: ...network If you do not enter another keyword the interface is point to multipoint for broadcast media point to multipoint non broadcast Specify an OSPF nonbroadcast point to multipoint network point to point Specify an OSPF point to point network Step 4 exit Return to global configuration mode Step 5 router ospf process id Optional for point to multipoint required for point to multipoint nonbroadca...

Page 595: ...rea id authentication Optional Allow password based protection against unauthorized access to the identified area The identifier can be either a decimal value or an IP address Step 4 area area id authentication message digest Optional Enable MD5 authentication on the area Step 5 area area id stub no summary Optional Define an area as a stub area The no summary keyword prevents an ABR from sending ...

Page 596: ...bor ID Default Metrics OSPF calculates the OSPF metric for an interface according to the bandwidth of the interface The metric is calculated as ref bw divided by bandwidth where ref is 10 by default and bandwidth bw is specified by the bandwidth interface configuration command For multiple links with high bandwidth you can specify a larger number to differentiate the cost on those links Administra...

Page 597: ... value metric type type value route map map name Optional Force the ASBR to generate a default route into the OSPF routing domain Parameters are all optional Step 6 ip ospf name lookup Optional Configure DNS name lookup The default is disabled Step 7 ip auto cost reference bandwidth ref bw Optional Specify an address range for which a single route will be advertised Use this command only with area...

Page 598: ...oses the highest IP address among all loopback interfaces Beginning in privileged EXEC mode follow these steps to configure a loopback interface Use the no interface loopback 0 global configuration command to disable the loopback interface Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router ospf process id Enable OSPF routing and enter router configuration mode ...

Page 599: ...reased network width With RIP the largest possible width of your network is 15 hops Because the EIGRP metric is large enough to support thousands of hops the only barrier to expanding the network is the transport layer hop counter EIGRP increments the transport control field only when an IP packet has traversed 15 routers and the next hop to the destination was learned through EIGRP Table 29 6 Sho...

Page 600: ...ckets quickly when there are unacknowledged packets pending The DUAL finite state machine handles the decision process for all route computations It tracks all routes advertised by all neighbors and uses the distance information known as a metric to select efficient loop free paths DUAL selects routes to be inserted into a routing table based on feasible successors A successor is a neighboring rou...

Page 601: ...on unit size of the route in bytes 0 or any positive integer Distance Internal distance 90 External distance 170 EIGRP log neighbor changes Disabled No adjacency changes logged IP authentication key chain No authentication provided IP authentication mode No authentication provided IP bandwidth percent 50 percent IP hello interval For low speed nonbroadcast multiaccess NBMA networks 60 seconds all ...

Page 602: ... are optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router eigrp autonomous system Enable an EIGRP routing process and enter router configuration mode The AS number identifies the routes to other EIGRP routers and is used to tag routing information Step 3 network network number Associate networks with an EIGRP routing process EIGRP sends updates to the in...

Page 603: ...ss eigrp autonomous system number address mask Optional Configure a summary aggregate address for a specified interface not usually necessary if auto summary is enabled Step 5 ip hello interval eigrp autonomous system number seconds Optional Change the hello time interval for an EIGRP routing process The range is 1 to 65535 seconds The default is 60 seconds for low speed NBMA networks and 5 second...

Page 604: ... global configuration mode Step 6 key chain name of chain Identify a key chain and enter key chain configuration mode Match the name configured in Step 4 Step 7 key number In key chain configuration mode identify the key number Step 8 key string text In key chain key configuration mode identify the key string Step 9 accept lifetime start time infinite end time duration seconds Optional Specify the...

Page 605: ...ork The switch uses EIGRP stub routing at the access layer to eliminate the need for other types of routing advertisements If you try to configure multi VRF CE and EIGRP stub routing at the same time the configuration is not allowed Any neighbor that receives a packet informing it of the stub status does not query the stub router for any routes and a router that has a stub peer does not query that...

Page 606: ...4 eigrp stub receive only connected static summary Configure a remote router as an EIGRP stub router The keywords have these meanings Enter receive only to set the router as a receive only neighbor Enter connected to advertise connected routes Enter static to advertise static routes Enter summary to advertise summary routes Step 5 end Return to privileged EXEC mode Step 6 show ip eigrp neighbor de...

Page 607: ...ates run internal BGP IBGP and routers that belong to different autonomous systems and that exchange BGP updates run external BGP EBGP Most configuration commands are the same for configuring EBGP and IBGP The difference is that the routing updates are exchanged either between autonomous systems EBGP or within an AS IBGP Figure 29 5 shows a network that is running both EBGP and IBGP Figure 29 5 EB...

Page 608: ...isions A router or switch running Cisco IOS does not select or use an IBGP route unless it has a route available to the next hop router and it has received synchronization from an IGP unless IGP synchronization is disabled When multiple routes are available BGP bases its path selection on attribute values See the Configuring BGP Decision Attributes section on page 29 48 for information about BGP a...

Page 609: ... range is 0 to 4294967295 with the higher value preferred BGP network None specified no backdoor route advertised BGP route dampening Disabled by default When enabled Half life is 15 minutes Re use is 750 10 second increments Suppress is 2000 10 second increments Max suppress time is 4 times half life 60 minutes BGP router ID The IP address of a loopback interface if one is configured or the highe...

Page 610: ... Disabled Password Disabled Peer group None defined no members assigned Prefix list None specified Remote AS add entry to neighbor BGP table No peers defined Private AS number removal Disabled Route maps None applied to a peer Send community attributes None sent to neighbors Shutdown or soft reconfiguration Not enabled Timers keepalive 60 seconds holdtime 180 seconds Update source Best local addre...

Page 611: ...he private AS numbers are from 64512 to 65535 You can configure external neighbors to remove private AS numbers from the AS path by using the neighbor remove private as router configuration command Then when an update is passed to an external neighbor if the AS path includes private AS numbers these numbers are dropped If your AS must pass traffic through it from another AS to a third AS it is imp...

Page 612: ... other end of the connection For IBGP the IP address can be the address of any of the router interfaces Step 6 neighbor ip address peer group name remove private as Optional Remove private AS numbers from the AS path in outbound routing updates Step 7 no synchronization Optional Disable synchronization between BGP and an IGP Step 8 no auto summary Optional Disable automatic network summarization B...

Page 613: ...om the network router configuration command controls only which networks are advertised This is in contrast to Interior Gateway Protocols IGPs such as EIGRP which also use the network command to specify where to send updates For detailed descriptions of BGP configuration see the IP Routing Protocols part of the Cisco IOS IP Configuration Guide Release 12 2 For details about specific commands see t...

Page 614: ...vantages and Disadvantages of Hard and Soft Resets Type of Reset Advantages Disadvantages Hard reset No memory overhead The prefixes in the BGP IP and FIB tables provided by the neighbor are lost Not recommended Outbound soft reset No configuration no storing of routing table updates Does not reset inbound routing table updates Dynamic inbound soft reset Does not clear the BGP session and cache Do...

Page 615: ...the route that was originated by BGP running on the local router 5 Prefer the route with the shortest AS path 6 Prefer the route with the lowest origin type An interior route or IGP is lower than a route learned by EGP and an EGP learned route is lower than one of unknown origin or learned in another way 7 Prefer the route with the lowest multi exit discriminator MED metric attribute if the neighb...

Page 616: ... 4294967295 The lowest value is the most desirable Step 7 bgp bestpath med missing as worst Optional Configure the switch to consider a missing MED as having a value of infinity making the path without a MED value the least desirable path Step 8 bgp always compare med Optional Configure the switch to compare MEDs for paths from neighbors in different autonomous systems By default MED comparison is...

Page 617: ... AS path community and network numbers Autonomous system path matching requires the match as path access list route map command community based matching requires the match community list route map command and network based matching requires the ip access list global configuration command Beginning in privileged EXEC mode follow these steps to apply a per neighbor route map Command Purpose Step 1 c...

Page 618: ...prefix is permitted or denied is based upon these rules An empty prefix list permits all prefixes An implicit deny is assumed if a given prefix does not match any entries in a prefix list Step 3 neighbor ip address peer group name distribute list access list number name in out Optional Filter BGP routing updates to or from neighbors as specified in an access list Note You can also use the neighbor...

Page 619: ...t sequence number command To clear the hit count table of prefix list entries use the clear ip prefix list privileged EXEC command Configuring BGP Community Filtering One way that BGP controls the distribution of routing information is based on the value of the COMMUNITIES attribute A community is a group of destinations that share some common attribute Each destination can belong to multiple communi...

Page 620: ...ps to Redistribute Routing Information section on page 29 97 By default no COMMUNITIES attribute is sent to a neighbor You can specify that the COMMUNITIES attribute be sent to the neighbor at an IP address by using the neighbor send community router configuration command Beginning in privileged EXEC mode follow these steps to create and to apply a community list Command Purpose Step 1 configure t...

Page 621: ...down router configuration command Beginning in privileged EXEC mode use these commands to configure BGP peers Step 9 show ip bgp community Verify the configuration Step 10 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router bgp autonomous system Enter BGP rout...

Page 622: ...ute map map name in out Optional Apply a route map to incoming or outgoing routes Step 17 neighbor ip address peer group name send community Optional Specify that the COMMUNITIES attribute be sent to the neighbor at this IP address Step 18 neighbor ip address peer group name timers keepalive holdtime Optional Set timers for the neighbor or peer group The keepalive interval is the time within which...

Page 623: ...p MED and local preference information is preserved You can then use a single IGP for all of the autonomous systems Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router bgp autonomous system Enter BGP router configuration mode Step 3 aggregate address address mask Create an aggregate entry in the BGP routing table The aggregate route is advertised as coming from ...

Page 624: ...ster do not communicate with IBGP speakers outside their cluster When the route reflector receives an advertised route it takes one of these actions depending on the neighbor A route from an external BGP speaker is advertised to all clients and nonclient peers A route from a nonclient peer is advertised to all clients A route from a client is advertised to all clients and nonclient peers Hence the...

Page 625: ...s peer group name route reflector client Configure the local router as a BGP route reflector and the specified neighbor as a client Step 4 bgp cluster id cluster id Optional Configure the cluster ID if the cluster has more than one route reflector Step 5 no bgp client to client reflection Optional Disable client to client route reflection By default the routes from a route reflector client are ref...

Page 626: ...tistics to make it less likely that a route will be dampened Step 9 clear ip bgp dampening Optional Clear route dampening information and unsuppress the suppressed routes Step 10 copy running config startup config Optional Save your entries in the configuration file Command Purpose Table 29 11 IP BGP Clear and Show Commands Command Purpose clear ip bgp address Reset a particular BGP connection cle...

Page 627: ...ports two levels of routing station routing within an area and area routing between areas The key difference between the ISO IGRP and IS IS NSAP addressing schemes is in the definition of area addresses Both use the system ID for Level 1 routing routing within an area However they differ in the way addresses are specified for area routing An ISO IGRP NSAP address includes three separate fields for...

Page 628: ...l 2 routing You can configure additional router instances which are automatically treated as Level 1 areas You must configure the parameters for each instance of the IS IS routing process individually For IS IS multiarea routing you can configure only one process to perform Level 2 routing although you can define up to 29 Level 1 areas for each Cisco unit If Level 2 routing is configured on any pr...

Page 629: ...ng timers Maximum interval between two consecutive occurrences 5 seconds Initial LSP generation delay 50 ms Hold time between the first and second LSP generation 5000 ms LSP maximum lifetime without a refresh 1200 seconds 20 minutes before the LSP packet is deleted LSP refresh interval Send LSP refreshes every 900 seconds 15 minutes Maximum LSP packet size 1497 bytes NSF1 Awareness Enabled2 Allow...

Page 630: ... by using the is type global configuration command Step 4 net network entity title Configure the NETs for the routing process If you are configuring multiarea IS IS specify a NET for each routing process You can specify a name for a NET and for an address Step 5 is type level 1 level 1 2 level 2 only Optional You can configure the router to act as a Level 1 station router a Level 2 area router for...

Page 631: ... config if clns router isis Switch config router exit Configuring IS IS Global Parameters You can force a default route into an IS IS routing domain by configuring a default route controlled by a route map You can also specify other filtering options configurable under a route map You can configure the router to ignore IS IS LSPs that are received with internal checksum errors or to purge corrupte...

Page 632: ...authentication password which is inserted in Level 2 area router level LSPs Step 8 summary address address mask level 1 level 1 2 level 2 Optional Create a summary of addresses for a given level Step 9 set overload bit on startup seconds wait for bgp Optional Set an overload bit a hippity bit to allow other routers to ignore the router in their shortest path first SPF calculations if the router is...

Page 633: ...and second SPF calculation in milliseconds The range is 1 to 10000 the default is 5500 Step 14 prc interval prc max wait prc initial wait prc second wait Optional Sets IS IS partial route computation PRC throttling timers prc max wait the maximum interval in seconds between two consecutive PRC calculations The range is 1 to 120 the default is 5 prc initial wait the initial PRC calculation delay in...

Page 634: ...the hello multiplier and lower the hello interval correspondingly to make the hello protocol more reliable without increasing the time required to detect a link failure Other time intervals Complete sequence number PDU CSNP interval CSNPs are sent by the designated router to maintain database synchronization Retransmission interval This is the time between retransmission of IS IS LSPs for point to...

Page 635: ...he network The range is from 0 to 65535 The default is 5 seconds Step 8 isis retransmit throttle interval milliseconds Optional Configure the IS IS LSP retransmission throttle interval which is the maximum rate number of milliseconds between packets at which IS IS LSPs will be re sent on point to point links The range is from 0 to 65535 The default is determined by the isis lsp interval command St...

Page 636: ...amically derived CLNS routing information show clns Display information about the CLNS network show clns cache Display the entries in the CLNS routing cache show clns es neighbors Display ES neighbor entries including the associated areas show clns filter expr Display filter expressions show clns filter set Display filter sets show clns interface interface id Display the CLNS specific or ES IS inf...

Page 637: ... To create a BFD session you must configure BFD on both systems BFD peers Enabling BFD at the interface and routing protocol level on BFD peers creates a BFD session BFD timers are negotiated and the BFD peers send control packets to each other at the negotiated intervals If the neighbor is not directly connected BFD neighbor registration is rejected Figure 29 6 shows a simple network with two rou...

Page 638: ...mmand When echo mode is disabled control packets are used to detect forwarding failures Control packets are exchanged at the configured slow timer rate which could result in longer failure detection time You configure this rate by entering the bfd slow timer global configuration command The range is from 1000 to 3000 ms the default rate is every 1000 ms You can enable or disable echo processing at...

Page 639: ...or port channels Although you can configure BFD interface commands on a Layer 2 port BFD sessions do not operate on the interface unless it is configured as a Layer 3 interface no switchport and assigned an IP address In HSRP BFD standby BFD is enabled globally by default and on all interfaces If you disable it on an interface you then must disable and reenable it globally for BFD sessions to be a...

Page 640: ...ces You can enable BFD support for OSPF by enabling it globally on all OSPF interfaces or by enabling it on one or more interfaces Step 5 bfd interval milliseconds min_rx milliseconds multiplier value Set BFD parameters for echo packets on the interface interval Specify the rate at which BFD echo packets are sent to BFD peers The range is from 50 to 999 milliseconds ms min_rx Specify the rate at w...

Page 641: ...ing in privileged EXEC mode follow these steps to configure OSPF BFD on an individual interface Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router ospf process id Specify an OSPF process and enter router configuration mode Step 3 bfd all interfaces Enable BFD globally on all interfaces associated with the OSPF routing process Step 4 exit Optional Return to glob...

Page 642: ...ion command on the interface Step 5 ip ospf bfd Enable BFD on the specified OSPF interface Repeat Steps 3 and 4 for all OSPF interfaces on which you want to run BFD sessions Step 6 end Return to privileged EXEC mode Step 7 show bfd neighbors detail Verify the configuration Step 8 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose...

Page 643: ... an example of configuring BFD for IS IS on a single interface Switch config router is is tag1 Switch config router exit Switch config interface gigabitethernet0 1 Switch config if isis bfd Configuring BFD for BGP When you start BFD sessions for BGP BGP must be running on all participating devices You enter the IP address of the BFD neighbor to enable BFD for BGP Beginning in privileged EXEC mode ...

Page 644: ...EF enabled the default Step 3 neighbor ip address fall over bfd Enable BFD support for fallover on the BFD neighbor Step 4 end Return to privileged EXEC mode Step 5 show bfd neighbors detail show ip bgp neighbor Verify the configuration Display information about BGP connections to neighbors Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpo...

Page 645: ...se steps to disable echo mode on a BFD device and to set the slow timer rate Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify an interface for a BFD session and enter interface configuration mode Only physical interfaces support BFD Step 3 ip address ip address subnet mask Configure the IP address and IP subnet mask for the interface S...

Page 646: ...iguration Example page 29 88 Displaying Multi VRF CE Status page 29 92 Understanding Multi VRF CE Multi VRF CE allows a service provider to support two or more VPNs where IP addresses can be overlapped among the VPNs Multi VRF CE uses input interfaces to distinguish routes for different VPNs and forms virtual packet forwarding tables by associating one or more Layer 3 interfaces with each VRF Inte...

Page 647: ...example small companies In this case multi VRF CE support is required in the Cisco ME switches Because multi VRF CE is a Layer 3 feature each interface in a VRF must be a Layer 3 interface Figure 29 8 Switches Acting as Multiple Virtual CEs When the CE switch receives a command to add a Layer 3 interface to a VRF it sets up the appropriate mapping between the VLAN ID and the policy label PL in mul...

Page 648: ... distribute VPN routing information across the provider s backbone The multi VRF CE network has three major components VPN route target communities lists of all other members of a VPN community You need to configure VPN route targets for each VPN community member Multiprotocol BGP peering of VPN community PE routers propagates VRF reachability information to all members of a VPN community You need...

Page 649: ...een systems run by different administrations BGP makes it easy to pass attributes of the routes to the CE Multi VRF CE does not affect the packet switching rate If no VRFs are configured up to 105 policies can be configured If even one VRF is configured then 41 policies can be configured If more than 41 policies are configured then VRF cannot be configured VRF and private VLANs are mutually exclus...

Page 650: ...P entries for specific VRFs These services are VRF Aware ARP Ping Simple Network Management Protocol SNMP Hot Standby Router Protocol HSRP Syslog Traceroute FTP and TFTP Note VRF Aware services are not supported for Unicast Reverse Path Forwarding uRPF Step 5 route target export import both route target ext community Create a list of import export or import and export route target communities for ...

Page 651: ...addresses are added to the correct IP routing table Beginning in privileged EXEC mode follow these steps to configure VRF aware services for HSRP For complete syntax and usage information for the commands refer to the switch command reference for this release and the Cisco IOS Switching Services Command Reference Release 12 2 Command Purpose show ip arp vrf vrf name Display the ARP table in the sp...

Page 652: ...le the VRF table is Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify the Layer 3 interface to configure Step 3 no switchport Remove the interface from Layer 2 configuration mode if it is a physical interface Step 4 ip vrf forwarding vrf name Configure VRF on the interface Step 5 ip address ip addr...

Page 653: ...thin a VRF instance you must configure an autonomous system number by entering the autonomous system autonomous system number address family configuration mode command Beginning in privileged EXEC mode follow these steps to configure OSPF in the VPN Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip ftp source interface interface type interface number Specify the s...

Page 654: ... Switch A for a Catalyst 6000 or Catalyst 6500 switch acting as a PE router Step 6 end Return to privileged EXEC mode Step 7 show ip ospf process id Verify the configuration of the OSPF network Step 8 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router bgp aut...

Page 655: ... vrf exit Configure the loopback and physical interfaces on Switch A Gigabit Ethernet port 1 is a trunk connection to the PE Fast Ethernet ports 8 and 11 connect to VPNs Switch config interface loopback1 Switch config if ip vrf forwarding v11 Switch config if ip address 8 8 1 8 255 255 255 0 Switch config if exit Switch config interface loopback2 Switch config if ip vrf forwarding v12 Switch confi...

Page 656: ...if ip vrf forwarding v12 Switch config if ip address 83 0 0 8 255 255 255 0 Switch config if exit Switch config interface vlan118 Switch config if ip vrf forwarding v12 Switch config if ip address 118 0 0 8 255 255 255 0 Switch config if exit Switch config interface vlan208 Switch config if ip vrf forwarding v11 Switch config if ip address 208 0 0 8 255 255 255 0 Switch config if exit Configure OS...

Page 657: ...on to Switch A by using these commands Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config ip routing Switch config interface fastethernet0 1 Switch config if no shutdown Switch config if switchport trunk encapsulation dot1q Switch config if switchport mode trunk Switch config if no ip address Switch config if exit Switch config interface vlan118 Switc...

Page 658: ...uter af neighbor 83 0 0 8 remote as 800 Router config router af neighbor 83 0 0 8 activate Router config router af network 3 3 2 0 mask 255 255 255 0 Router config router af exit Router config router address family ipv4 vrf vl Router config router af neighbor 38 0 0 8 remote as 800 Router config router af neighbor 38 0 0 8 activate Router config router af network 3 3 1 0 mask 255 255 255 0 Router ...

Page 659: ...ation based switching of IP packets The two main components in CEF are the distributed FIB and the distributed adjacency tables The FIB is similar to a routing table or information base and maintains a mirror image of the forwarding information in the IP routing table When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB Th...

Page 660: ...control the maximum number of parallel paths supported by an IP routing protocol in its routing table Beginning in privileged EXEC mode follow these steps to change the maximum number of parallel paths installed in a routing table from the default Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip cef Enable CEF operation Step 3 interface interface id Enter interfa...

Page 661: ...dministrative distance values Each dynamic routing protocol has a default administrative distance as listed in Table 29 16 If you want a static route to be overridden by information from a dynamic routing protocol set the administrative distance of the static route higher than that of the dynamic protocol Step 5 show ip protocols Verify the setting in the Maximum path field Step 6 copy running con...

Page 662: ...y learned or can be configured in the individual routers Most dynamic interior routing protocols include a mechanism for causing a smart router to generate dynamic default information that is then forwarded to other routers If a router has a directly connected interface to the specified default network the dynamic routing protocols running on that device generate a default route In RIP it advertis...

Page 663: ...route map configuration commands are specific to a particular protocol One or more match commands and one or more set commands follow a route map command If there are no match commands everything matches If there are no set commands nothing is done other than the match Therefore you need at least one match or set command Note A route map with no set route map configuration commands is sent to the ...

Page 664: ...cess list number access list name access list number access list name Match a standard access list by specifying the name or number It can be an integer from 1 to 199 Step 6 match metric metric value Match the specified route metric The metric value can be an EIGRP metric with a specified value from 0 to 4294967295 Step 7 match ip next hop access list number access list name access list number acc...

Page 665: ...ive the redistributed routes for EIGRP only bandwidth Metric value or IGRP bandwidth of the route in kilobits per second in the range 0 to 4294967295 delay Route delay in tens of microseconds in the range 0 to 4294967295 reliability Likelihood of successful packet transmission expressed as a number between 0 and 255 where 255 means 100 percent reliability and 0 means no reliability loading Effecti...

Page 666: ... You can filter routing protocol information by performing the tasks described in this section Note When routes are redistributed between OSPF processes no OSPF metrics are preserved Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router bgp rip ospf eigrp Enter router configuration mode Step 3 redistribute protocol process id level 1 level 1 2 level 2 metric metri...

Page 667: ...dividual interfaces where you want adjacencies by using the no passive interface router configuration command The default keyword is useful in Internet service provider and large enterprise networks where many of the distribution routers have more than 200 interfaces Controlling Advertising and Processing in Routing Updates You can use the distribute list router configuration command with access c...

Page 668: ...ting information Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router bgp rip eigrp Enter router configuration mode Step 3 distribute list access list number access list name out interface name routing process autonomous system number Permit or deny routes from being advertised in routing updates depending upon the action listed in the access list Step 4 distribu...

Page 669: ...r must know these lifetimes Beginning in privileged EXEC mode follow these steps to manage authentication keys To remove the key chain use the no key chain name of chain global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 key chain name of chain Identify a key chain and enter key chain configuration mode Step 3 key number Identify the key n...

Page 670: ...to Clear IP Routes or Display Route Status Command Purpose clear ip route network mask Clear one or more routes from the IP routing table show ip protocols Display the parameters and state of the active routing protocol process show ip route address mask longer prefixes protocol process id Display the current state of the routing table show ip route summary Display the current state of the routing...

Page 671: ... together to present the appearance of a single virtual router or default gateway to the hosts on a LAN When HSRP is configured on a network or segment it provides a virtual Media Access Control MAC address and an IP address that is shared among a group of configured routers HSRP allows two or more HSRP configured routers to use the MAC address and IP network address of a virtual router The virtua...

Page 672: ...ng in Layer 3 to make more use of the redundant routers To do so specify a group number for each Hot Standby command group you configure for an interface For example you might configure an interface on switch 1 as an active router and one on switch 2 as a standby router and also configure another interface on switch 2 as an active router with another interface on switch 1 as its standby router Fig...

Page 673: ...ally exclusive HSRPv2 Version 2 of the HSRP has these features To match the HSRP group number to the VLAN ID of a subinterface HSRPv2 can use a group number from 0 to 4095 and a MAC address from 0000 0C9F F000 to 0000 0C9F FFFF HSRPv2 uses the multicast address 224 0 0 102 to send hello packets HSRPv2 and CGMP leave processing are no longer mutually exclusive and both can be enabled at the same ti...

Page 674: ...nts are configured for Router B Together the configuration for Routers A and B establishes two HSRP groups For group 1 Router A is the default active router because it has the assigned highest priority and Router B is the standby router For group 2 Router B is the default active router because it has the assigned highest priority and Router A is the standby router During normal operation the two r...

Page 675: ...on command SVI a VLAN interface created by using the interface vlan vlan_id global configuration command and by default a Layer 3 interface Etherchannel port channel in Layer 3 mode a port channel logical interface created by using the interface port channel port channel number global configuration command and binding the Ethernet interface into the channel group For more information see the Confi...

Page 676: ... EXEC mode follow these steps to create or enable HSRP on a Layer 3 interface Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and enter the Layer 3 interface on which you want to enable HSRP Step 3 no switchport If necessary disable Layer 2 switching on the port to enable the Layer 3 interface Step 4 standby...

Page 677: ...t or both you must specify at least one keyword priority preempt or both The priority of the device can change dynamically if an interface is configured with the standby track command and another interface on the router goes down The standby track interface configuration command ties the router hot standby priority to the availability of its interfaces and is useful for tracking interfaces that ar...

Page 678: ...the shown number of seconds The range is 0 to 3600 1 hour the default is 0 no delay before taking over Use the no form of the command to restore the default values Step 4 standby group number priority priority preempt delay delay Configure the router to preempt which means that when the local router has a higher priority than the active router it assumes control as the active router Optional group...

Page 679: ... router fails and comes back up the preemption occurs and restores load balancing Router A is configured as the active router for group 1 and Router B is configured as the active router for group 2 The HSRP interface for Router A has an IP address of 10 0 0 1 with a group 1 standby priority of 110 the default is 100 The HSRP interface for Router B has an IP address of 10 0 0 2 with a group 2 stand...

Page 680: ...tandby group number authentication string interface configuration command to delete an authentication string Use the no standby group number timers hellotime holdtime interface configuration command to restore timers to their default values Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and enter the HSRP i...

Page 681: ...nostic functions such as sending and directing error packets to the host When the switch is running HSRP make sure hosts do not discover the interface or real MAC addresses of routers in the HSRP group If a host is redirected by ICMP to the real MAC address of a router and that router later fails packets from the host are lost For more information see the Cisco IOS IP Configuration Guide Release 1...

Page 682: ...Hellotime 3 holdtime 10 Next hello sent in 00 00 02 262 Hot standby IP address is 172 20 138 51 configured Active router is local Standby router is unknown expired Standby virtual mac address is 0000 0c07 ac64 Name is test ...

Page 683: ...p www cisco com en US docs ios ipsla command reference sla_book html This chapter consists of these sections Understanding Cisco IOS IP SLAs page 31 1 Configuring IP SLAs Operations page 31 6 Monitoring IP SLAs Operations page 31 12 Understanding Cisco IOS IP SLAs Cisco IOS IP SLAs sends data across the network to measure performance between multiple network locations or across multiple network pa...

Page 684: ...asurements IP service network health assessment to verify that the existing QoS is sufficient for new IP services Edge to edge network availability monitoring for proactive verification and connectivity testing of network resources for example shows the network availability of an NFS server used to store business critical data from a remote site Troubleshooting of network operation by providing co...

Page 685: ...pters in the Cisco IOS IP SLAs Configuration Guide at this URL http www cisco com en US docs ios ipsla configuration guide 12_4t sla_12_4t_book html Note The switch does not support IP SLAs Voice over IP VoIP service levels using the gatekeeper registration delay operations measurements Before configuring any IP SLAs application you can use the show ip sla application privileged EXEC command to ve...

Page 686: ...the response times would not accurately represent true network delays IP SLAs minimizes these processing delays on the source device as well as on the target device if the responder is being used to determine true round trip times IP SLAs test packets use time stamping to minimize the processing delays When the IP SLAs responder is enabled it allows the target device to take time stamps when the p...

Page 687: ...calability For more details about the IP SLAs multioperations scheduling functionality see the IP SLAs Multiple Operation Scheduling chapter of the Cisco IOS IP SLAs Configuration Guide at this URL http www cisco com en US docs ios ipsla configuration guide 12_4t sla_12_4t_book html IP SLAs Operation Threshold Monitoring To support successful service level agreement monitoring you must have mechan...

Page 688: ...sco IOS IP SLAs Command Reference Release 12 4T command reference at this URL http www cisco com en US docs ios ipsla command reference sla_book html For detailed descriptions and configuration procedures see the Cisco IOS IP SLAs Configuration Guide Release 12 4T at this URL http www cisco com en US docs ios ipsla configuration guide 12_4t sla_12_4t_book html Note that not all of the IP SLAs comm...

Page 689: ... mode follow these steps to configure the IP SLAs responder on the target device the operational target To disable the IP SLAs responder enter the no ip sla responder global configuration command This example shows how to configure the device as a responder for the UDP jitter IP SLAs operation in the next procedure Switch config ip sla responder udp echo 172 29 139 134 5000 Command Purpose Step 1 ...

Page 690: ...erage round trip time Because the paths for the sending and receiving of data can be different asymmetric you can use the per direction data to more readily identify where congestion or other problems are occurring in the network The UDP jitter operation generates synthetic simulated UDP traffic and sends a number of UDP packets each of a specified size sent a specified number of milliseconds apar...

Page 691: ...inter packet interval Enter the interval between sending packets in milliseconds The range is 1 to 6000 the default value is 20 ms Step 4 frequency seconds Optional Set the rate at which a specified IP SLAs operation repeats The range is from 1 to 604800 seconds the default is 60 seconds Step 5 exit Exit UDP jitter configuration mode and return to global configuration mode Step 6 ip sla monitor sc...

Page 692: ... Life seconds 3600 Entry Ageout seconds never Recurring Starting Everyday FALSE Status of entry SNMP RowStatus notInService Threshold milliseconds 5000 Distribution Statistics Number of statistic hours kept 2 Number of statistic distribution buckets kept 1 Statistic distribution interval milliseconds 20 Enhanced History Analyzing IP Service Levels by Using the ICMP Echo Operation The ICMP echo ope...

Page 693: ...peration repeats The range is from 1 to 604800 seconds the default is 60 seconds Step 5 exit Exit UDP jitter configuration mode and return to global configuration mode Step 6 ip sla schedule operation number life forever seconds start time hh mm ss month day day month pending now after hh mm ss ageout seconds recurring Configure the scheduling parameters for an individual IP SLAs operation operati...

Page 694: ...eters 0x0 Verify data No Vrf Name Schedule Operation frequency seconds 60 Next Scheduled Start Time Pending trigger Group Scheduled FALSE Randomly Scheduled FALSE Life seconds 3600 Entry Ageout seconds never Recurring Starting Everyday FALSE Status of entry SNMP RowStatus notInService Threshold milliseconds 5000 Distribution Statistics Number of statistic hours kept 2 Number of statistic distribut...

Page 695: ...tor configuration entry number Display IP SLAs automatic Ethernet configuration show ip sla group schedule schedule entry number Display IP SLAs group scheduling configuration and details show ip sla history entry number full tabular Display history collected for all IP SLAs operations show ip sla mpls lsp monitor collection statistics configuration ldp operational state scan queue summary entry n...


Page 697: ...2_2sr_book html For complete syntax of the commands used in this chapter see the command reference for this release and the Cisco IOS Carrier Ethernet Command Reference at this URL http www cisco com en US docs ios cether command reference ce_book html This chapter contains these sections Understanding Ethernet CFM page 32 1 Configuring Ethernet CFM page 32 6 Managing and Displaying Ethernet CFM I...

Page 698: ...nal to it but at its boundary You assign a unique maintenance level from 0 to 7 to define the hierarchical relationship between domains The larger the domain the higher the level For example as shown in Figure 32 1 a service provider domain would be larger than an operator domain and might have a maintenance level of 6 while the operator domain maintenance level is 3 or 4 As shown in Figure 32 2 d...

Page 699: ...nance domain Maintenance points drop all lower level frames and forward all higher level frames There are two types of maintenance points Maintenance end points MEPs are points at the edge of the domain that define the boundaries and confine CFM messages within these boundaries Outward facing or Down MEPs communicate through the wire side connected to the port Inward facing or Up MEPs communicate ...

Page 700: ...t traffic going to the other lower level down MEP The MEP transparently forwards all CFM frames at a higher level regardless of whether they are received from the relay or through the wire Maintenance intermediate points MIPs are internal to a domain not at the boundary and respond to CFM only when triggered by traceroute and loopback messages They forward CFM frames received from MEPs and other M...

Page 701: ...osscheck function is performed only one time and is initiated from the command line interface CLI CFM 802 1ag also supports static remote MEPs or static RMEP check Unlike the crosscheck function which is performed only once configured static RMEP checks run continuously To configure static RMEP check enter the continuity check static rmep Ethernet CFM service mode command SNMP Traps and Fault Alar...

Page 702: ...an also configure an IP SLAs automatic Ethernet operation that queries the CFM database for all MEPs in a given maintenance domain and VLAN The operation then automatically creates individual Ethernet ping or jitter operations based on the discovered MEPs For more information about IP SLAs operation with CFM see the IP SLAs for Metro Ethernet feature module at this URL http www cisco com en US doc...

Page 703: ...e VLAN MEP or MIP but it cannot be a port MEP CFM is supported on ports running STP You must configure a port MEP at a lower level than any service VLAN MEPs on an interface You cannot configure tunnel mode by using the native VLAN as the S VLAN or the C VLAN Do not configure double tagged 802 1ag CFM packets entering a trunk port Configuring the CFM Domain Beginning in privileged EXEC mode follow...

Page 704: ...umber can be from 0 to 65535 dns name Enter a DNS name string The name can be a maximum of 43 characters null Assign no domain name Step 9 service ma name ma number vpn id vpn vlan vlan id direction down port Define a customer service maintenance association MA name or number or VPN ID to be associated with the domain a VLAN ID or port MEP and enter ethernet cfm service configuration mode ma name ...

Page 705: ...wer active level none No MIP auto create Step 16 exit Return to ethernet cfm configuration mode Step 17 mip auto create lower mep only Optional Configure auto creation of MIPs for the domain lower mep only Create a MIP only if there is a MEP for the service in another domain at the next lower active level Step 18 mep archive hold time minutes Optional Set the number of minutes that data from a mis...

Page 706: ...entifier Enter a maintenance end point identifier The identifier must be unique for each VLAN The range is 1 to 4094 vlan vlan id Enter the service provider VLAN ID or IDs as a VLAN ID 1 to 4094 a range of VLAN IDs separated by a hyphen or a series of VLAN IDs separated by comma port Configure port MEP Step 24 cos value Optional Specify the class of service CoS value to be sent with the messages T...

Page 707: ... to 4094 Step 6 end Return to privileged EXEC mode Step 7 ethernet cfm mep crosscheck enable disable domain domain name vlan vlan id any port Enable or disable CFM crosscheck for one or more VLANs or a port MEP in the domain domain domain name Specify the name of the created domain vlan vlan id any Enter the service provider VLAN ID or IDs as a VLAN ID 1 to 4094 a range of VLAN IDs separated by a ...

Page 708: ... at the same level Optional direction down specify the service direction as down port Configure port MEP a down MEP that is untagged and not associated with a VLAN Step 4 continuity check Enable sending and receiving of continuity check messages Step 5 mep mpid identifier Define the static remote maintenance end point identifier The range is 1 to 4094 Step 6 continuity check static rmep Enable che...

Page 709: ...than 100 characters that identifies the MAID ma number a value from 0 to 65535 vpn id vpn enter a VPN ID as the ma name Step 4 mep mpid identifier Define the static remote maintenance end point identifier in the domain and service The range is 1 to 4094 Step 5 continuity check Enable sending and receiving of continuity check messages Step 6 continuity check interval value Optional Set the interval...

Page 710: ... for the domain domain domain name Specify the name of the created domain mpid identifier Enter a maintenance end point identifier The identifier must be unique for each VLAN The range is 1 to 4094 Step 13 end Return to privileged EXEC mode Step 14 show ethernet cfm maintenance points remote static Verify the configuration Step 15 show ethernet cfm errors configuration Enter this command after you...

Page 711: ...error and connection defects xcon Report only connection defects Step 3 ethernet cfm alarm delay value Optional Set a delay period before a CFM fault alarm is sent The range is 2500 to 10000 milliseconds ms The default is 2500 ms Step 4 ethernet cfm alarm reset value Optional Specify the time period before the CFM fault alarm is reset The range is 2500 to 10000 milliseconds ms The default is 10000...

Page 712: ...ut IP SLAs commands see the command reference at this URL http://www.cisco.com/en/US/docs/ios/ipsla/command/reference/sla_book.html This section includes these procedures Manually Configuring an IP SLAs CFM Probe or Jitter Operation page 32 16 Configuring an IP SLAs Operation with Endpoint Discovery page 32 18 Manually Configuring an IP SLAs CFM Probe or Jitter Operation Beginning in privileged EXEC...

Page 713: ...ptional Set a class of service value for the operation Step 5 frequency seconds Optional Set the rate at which the IP SLAs operation repeats The range is from 1 to 604800 seconds the default is 60 seconds Step 6 history history parameter Optional Specify parameters for gathering statistical history information for the IP SLAs operation Step 7 owner owner id Optional Configure the SNMP owner of the...

Page 714: ... default is 0 seconds Optional life Set the operation to run indefinitely forever or for a specific number of seconds The range is from 0 to 2147483647 The default is 3600 seconds 1 hour Optional recurring Set the probe to be automatically scheduled every day Optional start time Enter the time for the operation to begin collecting information To start at a specific time enter the hour minute secon...

Page 715: ...onal for jitter only Enter the interval between sending of jitter packets Optional for jitter only Enter the num frames and the number of frames to be sent Step 4 cos cos value Optional Set a class of service value for the operation Step 5 owner owner id Optional Configure the SNMP owner of the IP SLAs operation Step 6 request data size bytes Optional Specify the protocol data size for an IP SLAs ...

Page 716: ...initely forever or for a specific number of seconds The range is from 0 to 2147483647 The default is 3600 seconds 1 hour Optional recurring Set the probe to be automatically scheduled every day Optional start time Enter the time for the operation to begin collecting information To start at a specific time enter the hour minute second in 24 hour notation and day of the month Enter pending to select...

Page 717: ...C 0021 d7ef 0700 LCK Status Enabled LCK Period 60000 ms LCK Expiry Threshold 3 5 Level to transmit LCK Default Table 32 2 Displaying CFM Information Command Purpose show ethernet cfm domain brief Displays CFM domain information or brief domain information show ethernet cfm errors configuration domain id Displays CFM continuity check error conditions logged on a device since it was last reset or th...

Page 718: ...operation does not require Ethernet OAM You can implement Ethernet OAM on any full duplex point to point or emulated point to point Ethernet link for a network or part of a network specified interfaces OAM frames called OAM protocol data units OAM PDUs use the slow protocol destination MAC address 0180 c200 0002 They are intercepted by the MAC sublayer and cannot propagate beyond a single hop with...

Page 719: ...optional phase allows the local station to accept or reject the configuration of the peer OAM entity Link monitoring detects and indicates link faults under a variety of conditions and uses the event notification OAM PDU to notify the remote OAM device when it detects problems on the link Error events include when the number of symbol errors the number of frame errors the number of frame errors wi...

Page 720: ...monitor transmit crc interface configuration or template configuration commands are visible but are not supported on the switch The commands are accepted but are not applied to an interface For a remote failure indication the switch does not generate Link Fault or Critical Event OAM PDUs However if these PDUs are received from a link partner they are processed The switch supports generating and re...

Page 721: ... min rate seconds mode active passive timeout seconds You can configure these optional OAM parameters Optional Enter max rate oampdus to configure the maximum number of OAM PDUs sent per second The range is from 1 to 10 Optional Enter min rate seconds to configure the minimum transmission rate in seconds when one OAM PDU is sent per second The range is from 1 to 10 Optional Enter mode active to se...

Page 722: ...Ethernet remote loopback on the interface or set a loopback timeout period Enter supported to enable remote loopback Enter timeout seconds to set a remote loopback timeout period The range is from 1 to 10 seconds Step 4 end Return to privileged EXEC mode Step 5 ethernet oam remote loopback start stop interface interface id Turn on or turn off Ethernet OAM remote loopback on an interface Step 6 sho...

Page 723: ...es that trigger an error frame link event Enter threshold high high frames to set a high threshold in number of frames The range is 1 to 65535 The default is none Enter threshold high none to disable the high threshold if it was set This is the default Enter threshold low low frames to set a low threshold in number of frames The range is 0 to 65535 The default is 1 Enter window milliseconds to set...

Page 724: ...e in number of milliseconds The range is 100 to 9000 each value is a multiple of 100 milliseconds The default is 1000 Step 8 ethernet oam link monitor receive crc threshold high high frames none low low frames window milliseconds Note Repeat this step to configure both high and low thresholds Optional Configure thresholds for monitoring ingress frames received with cyclic redundancy code CRC error...

Page 725: ...eate a template for configuring a common set of options on multiple Ethernet OAM interfaces The template can be configured to monitor frame errors frame period errors frame second errors received CRC errors and symbol period errors and thresholds You can also set the template to put the interface in error disabled state if any high thresholds are exceeded These steps are optional and can be perfor...

Page 726: ... Enter threshold high none to disable the high threshold Enter threshold low low frames to set a low threshold in number of frames The range is 0 to 65535 The default is 1 Enter window milliseconds to set a window and period of time during which frames with CRC errors are counted The range is 10 to 1800 and represents the number of milliseconds in multiples of 100 The default is 100 Step 4 eth...

Page 727: ...for the error frame period that triggers an error frame period link event Enter threshold high high frames to set a high threshold in number of frames The range is 1 to 65535 You must enter a high threshold Enter threshold high none to disable the high threshold Enter threshold low low frames to set a low threshold in number of frames The range is 0 to 65535 The default is 1 Enter window frames to...

Page 728: ...to collect OAM status CFM runs at the provider maintenance level UPE to UPE with up MEPs at the UNI Step 8 ethernet oam link monitor high threshold action error disable interface Optional Configure the switch to put an interface in an error disabled state when a high threshold for an error is exceeded Step 9 exit Return to global configuration mode Step 10 interface interface id Define an Ethernet...

Page 729: ...MI CE configuration Default E LMI Configuration page 32 33 E LMI Configuration Guidelines page 32 33 Enabling E LMI page 32 34 Enabling Ethernet OAM page 32 36 Ethernet OAM and CFM Configuration Example page 32 36 Default E LMI Configuration Ethernet LMI is globally disabled by default When you globally enable E LMI by entering the ethernet lmi global global configuration command it is automatical...

Page 730: ...Ethernet LMI on the interface If E LMI is enabled globally it is enabled on all interfaces unless you disable it on specific interfaces If E LMI is disabled globally you can use this command to enable it on specified interfaces Step 6 ethernet lmi n391 value n393 value t391 value t392 value Configure E LMI parameters for the UNI The keywords have these meanings n391 value Set the event counter on ...

Page 731: ...t when in trunking mode Displaying E LMI You can use the privileged EXEC commands in Table 32 5 to display E LMI information Ethernet CFM and Ethernet OAM Interaction When the Ethernet OAM Protocol is running on an interface that has CFM MEPs configured Ethernet OAM informs CFM of the state of the interface Interaction is unidirectional from the Ethernet OAM to the CFM Protocol and the only inform...

Page 732: ... each endpoint You must configure CFM and Ethernet OAM between the customer edge and the provider edge switch Customer edge switch 1 CE1 configuration Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Define an interface to configure as an Ethernet OAM interface and enter interface configuration mode Step 3 ethernet oam max rate oampdus min rat...

Page 733: ...id 101 vlan 10 Switch config if ethernet uni id 2004 20 Switch config if ethernet oam remote loopback supported Switch config if ethernet oam Switch config if srv exit Customer edge switch 2 CE2 configuration Switch config t Switch config interface gigabitethernet0 1 Switch config if switchport trunk allowed vlan 10 Switch config if switchport mode trunk Switch config if ethernet oam remote loopba...

Page 734: ...Switch show ethernet cfm maintenance points remote MPID Level Mac Address Vlan PortState InGressPort Age sec Service ID 101 4 0015 633f 6900 10 UP Gi0 1 27 blue Switch PE2 Switch show ethernet cfm maintenance points remote MPID Level Mac Address Vlan PortState InGressPort Age sec Service ID 100 4 0012 00a3 3780 10 TEST Gi1 1 1 8 blue Total Remote MEPs 1 In addition if you shut down the CE1 interfa...

Page 735: ...f a group can send to a group However only the members of a group receive the message Note For complete syntax and usage information for the commands used in this chapter see the Cisco IOS IP Command Reference Volume 3 of 3 Multicast Release 12 2 Understanding Cisco's Implementation of IP Multicast Routing page 33 1 Configuring IP Multicast Routing page 33 8 Configuring Advanced PIM Features page ...

Page 736: ... join and leave multicast groups Any host regardless of whether it is a member of a group can send to a group However only the members of a group receive the message Membership in a multicast group is dynamic hosts can join and leave at any time There is no restriction on the location or number of members in a multicast group A host can be a member of more than one multicast group at a time How ac...

Page 737: ...s information to perform multicast forwarding instead of maintaining a separate multicast routing table PIM is defined in RFC 2362 Protocol Independent Multicast Sparse Mode PIM SM Protocol Specification PIM is defined in these Internet Engineering Task Force IETF Internet drafts Protocol Independent Multicast PIM Motivation and Architecture Protocol Independent Multicast PIM Dense Mode Protocol S...

Page 738: ... distribution tree leaving only branches that contain receivers When a new receiver on a previously pruned branch of the tree joins a multicast group the PIM DM device detects the new receiver and immediately sends a graft message up the distribution tree toward the source When the upstream PIM DM device receives the graft message it immediately puts the interface on which the graft was received i...

Page 739: ...RP Stub Routing section on page 29 39 The redundant PIM stub router topology is not supported The redundant topology exists when there is more than one PIM router forwarding multicast traffic to a single access domain PIM messages are blocked and the PIM assert and designated router election mechanisms are not supported on the PIM passive interfaces Only the nonredundant access router topology is ...

Page 740: ... discovery messages and the Group to RP mapping information expires it switches to a statically configured RP that was defined with the ip pim rp address global configuration command If no statically configured RP exists the router or switch changes the group to dense mode operation Multiple RPs serve different group ranges or serve as hot backups of each other Bootstrap Router PIMv2 BSR is anothe...

Page 741: ...s and shown in Figure 33 2 1 The router or multilayer switch examines the source address of the arriving multicast packet to decide whether the packet arrived on an interface that is on the reverse path back to the source 2 If the packet arrives on the interface leading back to the source the RPF check is successful and the packet is forwarded to all interfaces in the outgoing interface list which...

Page 742: ...RP Dense mode PIM uses only source trees and uses RPF as previously described Configuring IP Multicast Routing Default Multicast Routing Configuration page 33 8 Multicast Routing Configuration Guidelines page 33 9 Configuring Basic Multicast Routing page 33 10 required Configuring PIM Stub Routing page 33 12 optional Configuring Source Specific Multicast page 33 13 Configuring Source Specific Multi...

Page 743: ...e IETF We recommend that you use PIMv2 The BSR mechanism interoperates with Auto RP on Cisco routers and multilayer switches For more information see the Auto RP and BSR Configuration Guidelines section on page 33 10 When PIMv2 devices interoperate with PIMv1 devices Auto RP should have already been deployed A PIMv2 BSR that is also an Auto RP mapping agent automatically advertises the RP elected ...

Page 744: ...ng agent and the BSR For more information see the Using Auto RP and a BSR section on page 33 31 Configuring Basic Multicast Routing You must enable IP multicast routing and configure the PIM version and the PIM mode Then the software can forward multicast packets and the switch can populate its multicast routing table You can configure an interface to be in PIM dense mode sparse mode or sparse den...

Page 745: ...ng the interface vlan vlan id global configuration command These interfaces must have IP addresses assigned to them For more information see the Configuring Layer 3 Interfaces section on page 9 19 Step 4 ip pim version 1 2 Configure the PIM version on the interface By default Version 2 is enabled and is the recommended setting An interface in PIMv2 mode automatically downgrades to PIMv1 mode if th...

Page 746: ...ol is not supported in access domains The redundant PIM stub router topology is not supported Enabling PIM Stub Routing Beginning in privileged EXEC mode follow these steps to enable PIM stub routing on an interface This procedure is optional To disable PIM stub routing on an interface use the no ip pim passive interface configuration command In this example IP multicast routing is enabled Switch ...

Page 747: ... source group show ip igmp mroute verifies that the multicast stream forwards from the source to the interested clients Configuring Source Specific Multicast This section describes how to configure source specific multicast SSM For a complete description of the SSM commands in this section refer to the IP Multicast Routing Commands chapter of the Cisco IOS IP Command Reference Volume 3 of 3 Multic...

Page 748: ...e IGMP include mode membership reports which are supported only in IGMP version 3 SSM IP Address Range SSM can coexist with the ISM service by applying the SSM delivery model to a configured subset of the IP multicast group address range Cisco IOS software allows SSM configuration for the IP multicast address range of 224 0 0 0 through 239 255 255 255 When an SSM range is defined existing IP multi...

Page 749: ...ns if they use addresses within the designated SSM range Address Management Restrictions Address management is still necessary to some degree when SSM is used with Layer 2 switching mechanisms Cisco Group Management Protocol CGMP IGMP snooping or Router Port Group Management Protocol RGMP support only group specific filtering not S G channel specific filtering If different receivers in a switched ...

Page 750: ...configure SSM Monitoring SSM Use the commands in Table 33 3 to monitor SSM Configuring Source Specific Multicast Mapping The Source Specific Multicast SSM mapping feature supports SSM transition when supporting SSM on the end system is impossible or unwanted due to administrative or technical reasons You can use SSM mapping to leverage SSM for video delivery to legacy STBs that do not support IGMP...

Page 751: ...t IGMPv3 but not SSM the hosts send IGMPv3 group reports SSM mapping does not support these IGMPv3 group reports and the router does not correctly associate sources with these reports SSM Mapping Overview In a typical STB deployment each TV channel uses one separate IP multicast group and has one active server host sending the TV channel A single server can send multiple TV channels but each to a ...

Page 752: ...orms a reverse lookup into the DNS The router looks up IP address resource records and uses them as the source addresses associated with this group SSM mapping supports up to 20 sources for each group The router joins all sources configured for a group see Figure 33 3 Figure 33 3 DNS Based SSM Mapping The SSM mapping mechanism that enables the last hop router to join multiple sources for a group c...

Page 753: ...e Step 2 ip igmp ssm map enable Enable SSM mapping for groups in the configured SSM range Note By default this command enables DNS based SSM mapping Step 3 no ip igmp ssm map query dns Optional Disable DNS based SSM mapping Note Disable DNS based SSM mapping if you only want to rely on static SSM mapping By default the ip igmp ssm map global configuration command enables DNS based SSM mapping Step...

Page 754: ...e Step 1 configure terminal Enter global configuration mode Step 2 ip igmp ssm map enable Enable SSM mapping for groups in a configured SSM range Step 3 ip igmp ssm map query dns Optional Enable DNS based SSM mapping By default the ip igmp ssm map command enables DNS based SSM mapping Only the no form of this command is saved to the running configuration Note Use this command to re enable DNS base...

Page 755: ...SSM mapping or statically configured SSM mapping Step 3 ip igmp static group group address source ssm map Configure SSM mapping to statically forward a S G channel from the interface Use this command if you want to statically forward SSM traffic for certain groups Use DNS based SSM mapping to determine the source addresses of the channels Step 4 show running config Verify your entries Step 5 copy ...

Page 756: ...Ps to join a multicast group by using explicit join messages RPs are not members of the multicast group rather they serve as a meeting place for multicast sources and group members You can configure a single RP for multiple groups defined by an access list If there is no RP configured for a group the multilayer switch treats the group as dense and uses the dense mode PIM techniques Beginning in pr...

Page 757: ...IM in sparse mode or sparse dense mode and do not configure Auto RP you must manually configure an RP as described in the Manually Assigning an RP to Multicast Groups section on page 33 22 Note If routed interfaces are configured in sparse mode Auto RP can still be used if all devices are configured with a manual RP address for the Auto RP groups Step 3 access list access list number deny permit s...

Page 758: ...erify that a default RP is already configured on all PIM devices and the RP in the sparse mode network It was previously configured with the ip pim rp address global configuration command This step is not required for sparse dense mode environments The selected RP should have good connectivity and be available across the network Use this RP for the global groups for example 224 x x x and other glob...

Page 759: ...ndard access list repeating the command as many times as necessary For access list number enter the access list number specified in Step 3 The deny keyword denies access if the conditions are matched The permit keyword permits access if the conditions are matched For source enter the multicast group address range for which the RP should be used Optional For source wildcard enter the wildcard bits ...

Page 760: ...cement Messages You can add configuration commands to the mapping agents to prevent a maliciously configured router from masquerading as a candidate RP and causing problems Beginning in privileged EXEC mode follow these steps to filter incoming RP announcement messages This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip pim rp announce fil...

Page 761: ...f the announcements are for any groups in the 239 0 0 0 through 239 255 255 255 range This range is the administratively scoped address range Configuring PIMv2 BSR These sections describe how to set up BSR in your PIMv2 network Defining the PIM Domain Border page 33 28 optional Defining the IP Multicast Boundary page 33 29 optional Step 3 access list access list number deny permit source source wi...

Page 762: ...eged EXEC mode follow these steps to define the PIM domain border This procedure is optional To remove the PIM border use the no ip pim bsr border interface configuration command Figure 33 4 Constraining PIMv2 BSR Messages Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to be configured and enter interface configuration ...

Page 763: ...hould have good connectivity to other devices and be in the backbone portion of the network Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny source source wildcard Create a standard access list repeating the command as many times as necessary For access list number the range is 1 to 99 The deny keyword denies access if the conditi...

Page 764: ...Auto RP is used any device can be configured as an RP In a network that includes only Cisco PIMv2 routers and multilayer switches and with routers from other vendors any device can be used as an RP In a network of Cisco PIMv1 routers Cisco PIMv2 routers and routers from other vendors configure only Cisco PIMv2 routers and multilayer switches as RPs Command Purpose Step 1 configure terminal Enter g...

Page 765: ...itch be both the Auto RP mapping agent and the BSR Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip pim rp candidate interface id group list access list number Configure your switch to be a candidate RP For interface id specify the interface whose associated IP address is advertised as a candidate RP address Valid interfaces include physical ports port channels a...

Page 766: ... the RP that was selected for the specified group show ip pim rp group name group address mapping displays how the switch learns of the RP through the BSR or the Auto RP mechanism Troubleshooting PIMv1 and PIMv2 Interoperability Problems When debugging interoperability problems between PIMv1 and PIMv2 check these in the order shown 1 Verify RP mapping with the show ip pim rp hash privileged EXEC c...

Page 767: ...ee rooted at the source This type of distribution tree is called a shortest path tree or source tree By default the software switches to a source tree upon receiving the first data packet from a source This process describes the move from a shared tree to a source tree 1 A receiver joins a group leaf Router C sends a join message toward the RP 2 The RP puts a link to Router C in its outgoing inter...

Page 768: ...an configure when a PIM leaf router should join the shortest path tree for a specified group If a source sends at a rate greater than or equal to the specified kbps rate the multilayer switch triggers a PIM join message toward the source to construct a source tree shortest path tree If the traffic rate from the source drops below the threshold value the leaf router switches back to the shared tree...

Page 769: ...s infinity group list access list number Specify the threshold that must be reached before moving to shortest path tree spt For kbps specify the traffic rate in kilobits per second The default is 0 kbps Note Because of switch hardware limitations 0 kbps is the only valid entry even though the range is 0 to 4294967 Specify infinity if you want all sources for the specified group to use the shared t...

Page 770: ... multicast group and discover multicast reachability in a network If all the multicast capable routers and multilayer switches that you administer are members of a multicast group pinging that group causes all these devices to respond The devices respond to IGMP echo request packets addressed to a group of which they are members Another example is the multicast trace route tools provided in the so...

Page 771: ... This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to be configured and enter interface configuration mode Step 3 ip igmp join group group address Configure the switch to join a multicast group By default no group memberships are defined For group address specify the multicast IP address in dotte...

Page 772: ...ional Step 5 access list access list number deny permit source source wildcard Create a standard access list For access list number specify the access list created in Step 3 The deny keyword denies access if the conditions are matched The permit keyword permits access if the conditions are matched For source specify the multicast group that hosts on the subnet can join Optional For source wildcard...

Page 773: ...egister and PIM join messages toward the RP router Beginning in privileged EXEC mode follow these steps to modify the host query interval This procedure is optional To return to the default setting use the no ip igmp query interval interface configuration command Changing the IGMP Query Timeout for IGMPv2 If you are using IGMPv2 you can specify the period of time before the switch takes over as th...

Page 774: ...to the default setting use the no ip igmp query max response time interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to be configured and enter interface configuration mode Step 3 ip igmp querier timeout seconds Specify the IGMP query timeout The default is 60 seconds twice the query interval...

Page 775: ...oup group address interface configuration command Configuring Optional Multicast Routing Features Configuring sdr Listener Support page 33 41 optional for MBONE multimedia conference session and set up Configuring an IP Multicast Boundary page 33 43 optional to control bandwidth utilization Configuring sdr Listener Support The MBONE is the small subset of Internet routers and hosts that are interc...

Page 776: ...how long the entry remains active so that if a source stops advertising SAP information old advertisements are not needlessly kept Beginning in privileged EXEC mode follow these steps to limit how long an sdr cache entry stays active in the cache This procedure is optional To return to the default setting use the no ip sdr cache timeout global configuration command To delete the entire cache use t...

Page 777: ...lticast address range 239 0 0 0 8 on all routed interfaces at the perimeter of its network This boundary prevents any multicast traffic in the range 239 0 0 0 through 239 255 255 255 from entering or leaving the network Similarly the engineering and marketing departments have an administratively scoped boundary of 239 128 0 0 16 around the perimeter of their networks This boundary prevents multica...

Page 778: ...en the contents of the particular structure are or suspected to be invalid Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny permit source source wildcard Create a standard access list repeating the command as many times as necessary For access list number the range is 1 to 99 The deny keyword denies access if the conditions are ma...

Page 779: ...Delete the Session Directory Protocol Version 2 cache or an sdr cache entry Table 33 7 Commands for Displaying System and Network Statistics Command Purpose ping group name group address Send an ICMP Echo Request to a multicast group address show ip igmp groups group name group address type number Display the multicast groups that are directly connected to the switch and that were learned through ...

Page 780: ...ast routers packets and paths Table 33 8 Commands for Monitoring IP Multicast Routing Command Purpose mrinfo hostname address source address interface Query a multicast router or multilayer switch about which neighboring multicast devices are peering with it mstat source destination group Display IP multicast packet rate and loss information mtrace source destination group Trace the path from a so...

Page 781: ... path LSP integrity and to quickly isolate MPLS forwarding problems MPLS IP Service Level Agreements IP SLAs MPLS traffic engineering fast reroute link protection This feature provides link protection to label switched paths LSPs enabling LSP traffic that crosses a failed link to be rerouted around the failure EoMPLS is a tunneling mechanism that transports Layer 2 Ethernet frames over an MPLS net...

Page 782: ...guration_Guide_Chapter html wp1423607 Understanding MPLS Services In conventional Layer 3 forwarding as a packet travels across the network each router extracts the packet forwarding information from the Layer 3 header and uses this information as a key for a routing table lookup to determine the packet s next hop In most cases the only relevant field in the header is the destination address field...

Page 783: ... performs a lookup on the exposed label The exposed label might specify a Swap or Pop operation The switch performs up to three recursive MPLS label lookups in the ternary content addressable memory TCAM Drop packet The switch drops the packet based on lookup of the top label A label represents a forwarding equivalence class but it does not represent a particular path through the network In genera...

Page 784: ...trol the information in the routing tables A customer site VRF contains all the routes available to the site from the VPNs to which it belongs VPN routing information is stored in the IP routing table and the Cisco Express Forwarding table for each VRF A separate set of tables is maintained for each VRF which prevents information from being forwarded outside a VPN and prevents packets that are out...

Page 785: ...ies are required and you can add sites to intranets and extranets to form closed user groups Flexible addressing Customers can continue to use their present address spaces without network address translation NAT because the MPLS VPN provides a public and private view of the address A NAT is required only if two VPNs with overlapping address spaces want to communicate Straightforward migration You ...

Page 786: ...oute that carries any of those route target extended communities A B or C is imported into the VRF A PE router can learn an IP prefix from a CE device by static configuration through a BGP session or through a routing protocol such as OSPF EIGRP and Routing Information Protocol RIP with the CE device The IP prefix is a member of the IPv4 address family After it learns the IP prefix the PE router c...

Page 787: ...e 34 13 Configuring Static Route Provider Edge to Customer Edge Routing Sessions page 34 14 EIGRP Provider Edge to Customer Edge Configuration page 34 14 For an example of packet flow in an MPLS VPN see the Packet Flow in an MPLS VPN section on page 34 15 Default MPLS Configuration By default label switching of IPv4 packets along normally routed paths is globally enabled MPLS forwarding of IPv4 pa...

Page 788: ... disabled Step 3 mpls label protocol ldp Set the label protocol on the switch to LDP The default protocol is TDP Step 4 interface Loopback0 Enter interface configuration mode for a loopback interface Note The loopback must be 32 Step 5 ip address ip address Assign an IP address to the loopback interface The subnet mask value has to be a host mask 32 Step 6 mpls ldp router id loopback 0 force Speci...

Page 789: ...community Create a list of import export or import and export route target communities for the specified VRF Enter either an AS system number and an arbitrary number xxx y or an IP address and an arbitrary number A B C D y The route target ext community should be the same as the route distinguisher entered in Step 4 Optional Repeat Steps 3 to 5 to create additional VPN routing instances Step 6 imp...

Page 790: ...er passed to the other BGP routers and enter router configuration mode The AS number can be from 1 to 65535 with 64512 to 65535 designated as private autonomous numbers Step 4 no bgp default ipv4 unicast Step 5 neighbor ip address peer group name remote as as number Specify a neighbor IP address or BGP peer group that identifies it to the local autonomous system The AS number can be from 1 to 6553...

Page 791: ...ion Beginning in privileged EXEC mode follow these steps on the provider edge router to configure a provider edge to customer edge PE to CE routing session in a provider network that uses BGP Step 7 show ip bgp ipv4 neighbors vpnv4 Verify BGP configuration Display information about all BGP IPv4 prefixes Step 8 copy running config startup config Optional Save your entries in the configuration file ...

Page 792: ...table Step 6 neighbor address remote as as number Define an EBGP session between PE and CE routers Step 7 neighbor address activate Activate the advertisement of the IPv4 address family Step 8 end Return to privileged EXEC mode Step 9 show ip bgp ipv4 neighbors Verify BGP configuration Display information about all BGP IPv4 prefixes Step 10 show ip bgp vpnv4 vrf vrf name Display VPNv4 address info...

Page 793: ...ily configuration mode Note The default is off for auto summary and synchronization in the VRF address family configuration mode Step 5 network ip address Enable RIP on the PE to CE link Step 6 router bgp as number address family ipv4 unicast vrf vrf name redistribute rip Redistribute per VRF RIP routes in MBGP Step 7 router rip Enable RIP routing and enter router configuration mode Step 8 version...

Page 794: ...ork number mask network mask route map map name Redistribute the IPV4 address family in BGP Step 5 end Return to privileged EXEC mode Step 6 show ip bgp vpnv4 vrf vrf name Display VPNv4 address information from the BGP table Step 7 show ip route vrf vrf name Display the IP routing table associated with a VRF instance Step 8 copy running config startup config Optional Save your entries in the confi...

Page 795: ...igured in this step BGP must be redistributed into EIGRP for the CE site to accept the BGP routes that carry the EIGRP information A metric must also be specified for the BGP network and is configured in this step Step 7 end Return to privileged EXEC mode Step 8 show ip eigrp vrf neighbors Display neighbors discovered by EIGRP that carry VRF information Step 9 show ip eigrp vrf topology Display VR...

Page 796: ... labels adds the appropriate labels to the packet and forwards the packet out of the ES port to the next hop router P3 Step 3 The P3 router receives the packet and forwards it over the MPLS VPN network based on the packet s top label the interior gateway protocol IGP label and then removes the top label Step 4 PE3 receives the packet removes the MPLS encapsulation and forwards the packet by using ...

Page 797: ...ackup Autotunnel page 34 19 MPLS TE MPLS traffic engineering TE provides control over how traffic is routed through the network This increases the bandwidth efficiency by preventing over use of some links while other links are under used TE overrides the shortest path selected by the Interior Gateway Protocol IGP to select the most efficient path for traffic Network resources are advertised by usi...

Page 798: ...ecify addresses to exclude from the path Support for LDP over TE tunnels for Layer 3 VPN traffic by entering the mpls ip interface configuration command on the tunnel interface The switch does not support LDP over TE tunnels for Layer 2 VPN traffic Traffic forwarding to the TE tunnel using static routing TE autoroute which installs the routers announced by the tailend router and the downstream rou...

Page 799: ...n an interface encounters a link status change and RSVP hello enables the RSVP nodes to detect when a neighboring node is not reachable You can configure RSVP hello messages by entering the ip rsvp signalling hello fast reroute refresh global configuration command Note The ip rsvp signalling hello fast reroute refresh command is needed only when loss of signal cannot be detected Backup tunnels hav...

Page 800: ...itching MPLS Commands section on page C 6 of Appendix C Unsupported Commands in Cisco IOS Release 12 2 52 EY To configure MPLS traffic engineering and fast reroute the network must be running IP Cisco Express Forwarding CEF and MPLS and support at least one of these protocols OSPF or IS IS For information on all MPLS commands see the MPLS command reference at this URL http www cisco com en US docs...

Page 801: ...terface The command is not effective until loopback0 is configured with an IP address Step 4 tunnel destination A B C D Specify the destination for a tunnel Step 5 tunnel mode mpls traffic eng Set the encapsulation mode of the tunnel to MPLS traffic engineering Step 6 tunnel mpls traffic eng autoroute announce Specify that the Interior Gateway Protocol IGP should use the tunnel if the tunnel is up...

Page 802: ...erence mp_book html Step 16 exclude address A B C X Optional Exclude an address from the IP explicit path Step 17 end Return to privileged EXEC mode Step 18 show ip explicit paths Verify the configuration Step 19 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ro...

Page 803: ...next next hop of the LSP to be protected Step 5 tunnel mode mpls traffic eng Set the mode of a tunnel to MPLS for traffic engineering Step 6 tunnel mpls traffic eng path option number dynamic explicit name path name path number lockdown Configure a path option for an MPLS TE tunnel Keywords have these meanings number When multiple paths are configured lower numbered options are preferred dynamic S...

Page 804: ...ileged EXEC mode Step 5 show mpls traffic eng fast reroute database Verify that backup protection is configured A ready status means that the tunnel is ready to switch to backup an active status means that tunnel traffic is on backup Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Step 1 configure terminal Enter global configuratio...

Page 805: ...nd Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mpls traffic eng auto tunnel primary onehop Configure the switch to automatically create primary MPLS tunnels to all next hops Step 3 mpls traffic eng auto tunnel primary tunnel num min num max num Configure the range of tunnel interface numbers for primary autotunnels Optional min num Specify the minimum n...

Page 806: ...ter receives an Ethernet frame and encapsulates the packet by removing the preamble the start of frame delimiter SFD and the frame check sequence FCS The rest of the packet header is not changed Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mpls traffic eng auto tunnel backup Configure the switch to automatically create next hop NHOP and next next hop NNHOP backu...

Page 807: ... virtual connections dedicated to transporting Layer 2 traffic Other routers do not have table entries for these virtual connections This section includes additional information about these topics Interaction with Other Features page 34 27 EoMPLS Limitations page 34 30 Interaction with Other Features This section describes how EoMPLS interacts with other features It includes these sections EoMPLS and I...

Page 808: ...connects to an MPLS network through a switch functioning as a PE you configure the ingress port on the provider edge that receives the Layer 2 protocol traffic as a tunnel port The Layer 2 protocol traffic is encapsulated before it is forwarded over the MPLS network For more information about Layer 2 protocol tunneling see Chapter 11 Configuring Ethernet Virtual Connections EVCs This example shows...

Page 809: ...rnet Switch config if srv encapsulation dot1q 11 Switch config if srv bridge domain 101 Switch config if srv exit Switch config if exit Switch config interface Vlan101 Switch config if platform rewrite imposition tag push 1 symmetric Switch config if xconnect 12 12 12 12 300 encapsulation mpls Switch show running config interface gigabitEthernet 0 15 Building configuration Current configuration 18...

Page 810: ... EoMPLS supports VLAN packets that conform to the IEEE 802 1Q standard ISL encapsulation is not supported between provider edge and customer edge routers Layer 2 connection restrictions You cannot have more than one Layer 2 connection between routers if those routers are configured to transport Ethernet VLANs over the MPLS backbone Adding a second Layer 2 connection causes the spanning tree state ...

Page 811: ...must be reachable through IP by the other Use the optional mpls ldp router id global configuration command to control the selection of the LDP router ID by specifying the interface whose IP address should be used If the specified interface is up and has an IP address you can use the command without the optional force keyword When the router ID is selected that IP address is selected as the router ...

Page 812: ...encapsulation mpls Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mpls label protocol ldp Enable LDP for all interfaces By default TDP is enabled This command causes all interfaces to use LDP Step 3 interface loopback0 Enter interface configuration mode for a loopback interface Step 4 ip address ip address subnet mask Assign an IP address to the loopback interface...

Page 813: ...Vl20 Eth VLAN 20 10 1 1 2 20 UP Vl20 Eth VLAN 20 10 1 1 4 20 DOWN This example shows how to display the preferred path using the show mpls l2transport vc 2 detail command Switch show mpls l2transport vc 2 detail Local interface Gi0 24 up line protocol up Ethernet up Destination address 2 2 2 2 VC ID 2 VC status down Output interface none imposed label stack Preferred path Tunnel100 no route Defaul...

Page 814: ...tch does not support ATM interfaces Point to Point Protocol PPP or frame relay as mentioned in this document It also does not support Layer 2 Tunnel Protocol Version 3 L2TPv3 L2VPN interworking on the ME 3800X and ME 3600X switches works in either Ethernet mode VC type 5 or VLAN mode VC type 4 You specify the mode by entering the interworking ethernet vlan command in pseudowire class configuration...

Page 815: ...trictions on switching between EFPs or between EFPs and switch ports also apply This example shows how to configure a pseudowire on a VLAN interface Switch config interface GigabitEthernet0 1 Switch config if switchport access vlan 100 Switch config interface GigabitEthernet0 2 Switch config if switchport mode trunk Switch config interface GigabitEthernet0 3 Switch config if description all egress...

Page 816: ...omain 100 Note The output of the show mac address table command does not include the port name for a pseudowire from which a MAC address is learned Packet Flow in an EoMPLS Network Figure 34 5 is an example of packet flow in an EoMPLS network A customer port on PE1 is configured for a per port EoMPLS tunnel to a remote customer port on PE2 This allows the two physically separated customer switches...

Page 817: ...LS network to the remote PE2 switch PE2 removes the MPLS encapsulation and sends the packet out the port associated with the virtual connection label Customer Switch B removes the final VLAN tag and forwards the packet to the remote host B VLAN based EoMPLS packet flow is basically the same as port based EoMPLS except that the customer VLAN is used instead of an internal VLAN The PE1 switch looks ...

Page 818: ...the provider edge router switches to the backup pseudowire You can configure the primary pseudowire to resume operation after it restarts You can also configure the network with redundant pseudowires and redundant network elements routers Figure 34 7 shows a network with redundant pseudowires and redundant attachment circuits You can also optionally configure the network with redundant CE routers ...

Page 819: ...e Configuring Pseudowire Redundancy When configuring pseudowire redundancy you use the xconnect interface configuration command for each transport type Beginning in privileged EXEC mode follow these steps to configure pseudowire redundancy on a PE router Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify an interface and enter interface configuration mo...

Page 820: ...nt circuit or the IP address and VC ID of the peer router If the specified interface or peer is not available the switchover does not occur The backup pseudowire becomes active when you enter the command Beginning in privileged EXEC mode follow these steps to force a pseudowire switchover This command forces a switchover to the peer with the IP address 10 1 1 4 and VCID 33 Switch xconnect backup f...

Page 821: ...gation Access or ME 3800S Scaled Metro Aggregation Access software license H VPLS uses spoke connections usually between Layer 2 switches acting as the CE and PE devices at the service provider s point of presence POP The spoke connections can be either an IEEE 802 1Q tagged connection or an MPLS LSP Figure 34 8 shows two Metro 3800X or Metro 3600X customer located equipment CLE switches PE1 and P...

Page 822: ...S docs ios mpls configuration guide mp_ldp_te_lsp_vccv_ps6922_TSD_ Products_Configuration_Guide_Chapter html Note The switch does not support all of the commands referenced in the MPLS LSP Ping Traceroute feature module For a list of commands that are visible in the CLI help but not supported on the switch see Appendix C Unsupported Commands in Cisco IOS Release 12 2 52 EY Beginning with Cisco IOS...

Page 823: ...red and ping or traceroute actions are automatically generated for each provider edge router For more information on configuring the LSP Health Monitor go to this URL http www cisco com en US docs ios ipsla configuration guide sla_lsp_mon_autodisc html LSP Ping MPLS LSP ping uses MPLS echo request and reply packets similar to Internet Control Message Protocol ICMP echo request and reply messages t...

Page 824: ...abel signaling A switching component that causes the AToM VC payload to be treated as a control packet An LSP ping through a Layer 2 pseudowire requires that the originating router first validate the pseudowire control channel capability during the exchange of virtual circuit labels In the switch this is done by using a router alert label which sends the LSP ping or traceroute packet to the egress...

Page 825: ...echo reply to interrogate the next router It interrogates each successive router until it finds one bitmap setting that is common to all routers along the path You can manually configure tree trace by using downstream mapping Type Length Values TLVs You can also use the ECMP tree trace feature in the IP SLAs LSP Health Monitor When you enter the path discover command in auto IP SLA MPLS parameter c...

Page 826: ...s interval ms pad pattern repeat count reply dscp dscp value reply mode ipv4 router alert revision 1 2 3 size packet size sweep minimum maximum size increment source source address timeout seconds ttl time to live verbose revision tlv revision number force explicit null output interface interface id nexthop ip address dsmap hashkey none ipv4 bitmap bitmap size flags fec Configure LSP IPv4 ping The...

Page 827: ...nal sweep minimum maximum size increment Set a range of packet sizes to be sent ranging from a start size to an end size The lower boundary of the sweep range depends on the LSP type The range for the minimum and maximum is 100 to 18024 the increment range is 1 to 8993 Optional timeout seconds Specify the timeout interval for an MPLS request packet The range is from 0 to 3600 seconds The default is 2...

Page 828: ...ss range Optional exp exp bits Specify the MPLS experimental field value in the MPLS header for an echo reply The range is from 0 to 7 The default is 0 Optional reply dscp dscp value Specify a specific class of service CoS in an echo reply by providing a differentiated services code point DSCP value Optional reply mode ipv4 router alert Specify the reply mode for the echo request packet Enter ipv4...

Page 829: ... the peer vc id Specify virtual circuit identification number The range is from 1 to 4294967295 Optional destination start address end address increment Enter the destination 127 network address or address range with increment Optional exp exp bits Specify the MPLS experimental field value in the MPLS header The range is from 0 to 7 The default is 0 Optional interval ms Specify the time in millise...

Page 830: ...uling is particularly useful in cases where the LSP Health Monitor is enabled on a source PE router that has a large number of PE neighbors and therefore a large number of IP SLAs operations running at the same time This section includes these configuration procedures Configuring the IP SLAs LSP Health Monitor page 34 51 Manually Configuring IP SLAs MPLS LSP Ping or Traceroute page 34 54 For more ...

Page 831: ...auto ip sla mpls lsp monitor operation number Specify an LSP Health Monitor operation number and enter auto IP SLA MPLS configuration mode The operation number range is from 1 to 2147483647 Step 3 type echo pathEcho ipsla vrf all vrf vpn name Configure the parameters of the LSP Health Monitor by selecting the operation and entering auto IP SLAs MPLS parameters configuration mode echo Select an LSP...

Page 832: ...connection loss timeout frequency Optional Set the secondary frequency faster measurement frequency to which an IP SLAs operation should change when a reaction condition occurs The frequency range is 1 to 604800 Step 14 tag text Optional Create a user specified identifier for an IP SLAs operation Step 15 threshold milliseconds Optional Specify the rising threshold hysteresis that generates a react...

Page 833: ...o ip sla mpls lsp monitor schedule operation number schedule period seconds frequency seconds start time hh mm ss month day day month pending now after hh mm ss Schedule time parameters for the LSP Health Monitor operation number Enter the operation number schedule period seconds Enter the schedule period in seconds The range is 1 to 604800 seconds Optional frequency seconds Enter the frequency fo...

Page 834: ...peration number Enter an IP SLAs operation number and enter IP SLAs configuration mode The range is from 1 to 2147483647 Step 3 mpls lsp ping trace ipv4 destination_address destination_mask force explicit null lsp selector ip_address reply dscp reply mode ipv4 router alert source_ipaddr source_address Manually configure the IP SLAs LSP monitor and enter IP SLAs monitor LSP ping or trace configurat...

Page 835: ... pending now after hh mm ss Schedule the time parameters for MPLS LSP monitoring operation number Enter the IP SLAs operation number Optional ageout seconds Enter the number of seconds to keep the operation in memory when it is not actively collecting information The default is 0 seconds never ages out The range is 0 to 2073600 seconds Optional life Set the operation to run indefinitely forever or...

Page 836: ...d points are automatically discovered and ping or traceroute actions are automatically generated for each provider edge router This section includes these configuration procedures Manually Setting LSP Tree Trace page 34 56 Configuring ECMP IP SLAs Tree Trace page 34 57 Manually Setting LSP Tree Trace Beginning in privileged EXEC mode follow these steps to manually set LSP tree trace Command Purpos...

Page 837: ...Display the MPLS echo reply sender address of the packet and return codes Optional revision number Enter a Cisco TLV revision number 1 through 4 Optional force explicit null Add an explicit NULL label to the end of the label stack Optional output interface interface id Specify the output interface for the echo request Optional nexthop ip address Force packets to go through the specified next hop a...

Page 838: ...egative impact on the switch CPU Step 9 scan period minutes Optional Set a time period in minutes for completing tree trace discovery This is the amount of time after which the LSP discovery process can restart for an LSP Health Monitor operation Step 10 session timeout seconds Optional Set a timeout value in seconds for tree trace requests This is the amount of time the LSP discovery process for ...

Page 839: ...ging traps Optional Enable the generation of SNMP system logging messages specific to IP SLAs trap notifications Step 16 auto ip sla mpls lsp monitor schedule operation number schedule period seconds frequency seconds start time hh mm ss month day day month pending now after hh mm ss Schedule the time parameters for the LSP Health Monitor operation number Enter the IP SLAs MPLS LSP monitor operati...

Page 840: ...gured IP explicit paths show ip rsvp fast reroute detail Display specific information for RSVP categories including fast reroute show ip rsvp host Display RSVP terminal point information for receivers or senders show isis database verbose Display information about the IS IS database show isis mpls traffic eng Display information about IS IS MPLS traffic engineering show mpls forwarding table Displ...

Page 841: ...st show mpls traffic eng autoroute Display tunnels announced to the IGP including interface destination and bandwidth show mpls traffic eng fast reroute database Display the contents of the Fast Reroute FRR database show mpls traffic eng link management Display link information about MPLS traffic engineering link management show mpls traffic eng topology Display the MPLS traffic engineering global...

Page 842: ...34 62 Cisco ME 3800X and 3600X Switch Software Configuration Guide OL 23400 01 Chapter 34 Configuring MPLS MPLS VPN MPLS OAM and EoMPLS Monitoring and Maintaining MPLS and EoMPLS ...

Page 843: ...mplete syntax and usage information for the commands used in this chapter see the command reference for this release and the Cisco IOS Command Summary Release 12 2 Recovering from a Lost or Forgotten Password page 2 Note Recovery procedures require that you have physical access to the switch Preventing Autonegotiation Mismatches page 6 SFP Module Security and Identification page 7 Monitoring SFP M...

Page 844: ...ted break keys for most common operating systems and an alternative break key sequence for those terminal emulators that do not support the break keys To see that list go to http www cisco com en US products hw routers ps133 products_tech_note09186a0080174a34 shtml These sections describe how to recover a forgotten or lost switch password Procedure with Password Recovery Enabled page 3 Procedure ...

Page 845: ...bled section on page 5 and follow the steps Step 5 After recovering the password reload the switch Switch reload Proceed with reload confirm y Procedure with Password Recovery Enabled If the password recovery mechanism is enabled this message appears The system has been interrupted or encountered an error during initializion of the flash filesystem The following commands will initialize the flash ...

Page 846: ... Press Return in response to the confirmation prompts The configuration file is now reloaded and you can change the password Step 10 Enter global configuration mode Switch configure terminal Step 11 Change the password Switch config enable secret password The secret password can be from 1 to 25 alphanumeric characters can start with a number is case sensitive and allows spaces but ignores leading ...

Page 847: ...administrator to verify if there are backup switch and VLAN configuration files Note Disabling password recovery provides configuration file security by preventing unauthorized users from accessing the configuration file If you enter n no the normal boot process continues as if the break key had not been pressed you cannot access the boot loader prompt and you cannot enter a new password You see t...

Page 848: ...onfig privileged EXEC command To re enable the interface enter the interface vlan vlan id global configuration command and specify the VLAN ID of the shutdown interface With the switch in interface configuration mode enter the no shutdown command Step 10 You must now reconfigure the switch If the system administrator has the backup switch and VLAN configuration files available you should use those...

Page 849: ...terval for recovering from the error disabled state After the elapsed interval the switch brings the interface out of the error disabled state and retries the operation For more information about the errdisable recovery command see the command reference for this release If the module is identified as a Cisco SFP module but the system is unable to read vendor data information to verify its accuracy...

Page 850: ...e information see the command reference for this release Using Ping The switch supports IP ping which you can use to test connectivity to remote hosts Ping sends an echo request packet to an address and waits for a reply To ping a host in a different IP subnetwork from the switch you must have IP routing configured to route between the subnets and a static route to the destination might also be ap...

Page 851: ...ty by using the ping privileged EXEC command All switches in the physical path must be reachable from each other The maximum number of hops identified in the path is ten You can enter the traceroute mac or the traceroute mac ip privileged EXEC command on a switch that is not in the physical path from the source device to the destination device All switches in the path must be reachable from this s...

Page 852: ...f the switch is the destination of the traceroute it is displayed as the final destination in the output Intermediate switches do not show up in the output if they are only bridging the packet from one port to another within the same VLAN However if the intermediate switch is a multilayer switch that is routing a particular packet this switch shows up as a hop in the output The traceroute privileg...

Page 853: ...ute ip 171 9 15 10 Type escape sequence to abort Tracing the route to 171 69 115 10 1 172 2 52 1 0 msec 0 msec 4 msec 2 172 2 1 203 12 msec 8 msec 0 msec 3 171 9 16 6 4 msec 0 msec 0 msec 4 171 9 4 5 0 msec 4 msec 0 msec 5 171 9 121 34 0 msec 4 msec 4 msec 6 171 9 15 9 120 msec 132 msec 128 msec 7 171 9 15 10 132 msec 128 msec 128 msec Switch The display shows the hop count IP address of the route...

Page 854: ...remote device For example a shorted twisted pair can occur if one wire of the twisted pair is soldered to the other wire If one of the twisted pair wires is open TDR can find the length at which the wire is open Use TDR to diagnose and resolve cabling problems in these situations Replacing a switch Setting up a wiring closet Troubleshooting a connection between two devices when a link cannot be es...

Page 855: ...able a debug command and no output appears consider these possibilities The switch might not be properly configured to generate the type of traffic that you want to monitor Use the show running config command to check its configuration Even if the switch is properly configured it might not generate the type of traffic that you want to monitor during the particular period that debugging is enabled ...

Page 856: ... IOS image to fail crash The switch writes the crash information to the console at the time of the failure and the file is created the next time you boot the Cisco IOS image after the failure instead of while the system is failing The information in the file includes the Cisco IOS image name and version that failed a list of the processor registers and a stack trace You can provide this informatio...

Page 857: ... number Message Record of the hardware related system messages generated by a switch Temperature Temperature of a switch Uptime data Time when a switch starts the reason the switch restarts and the length of time the switch has been running since it last restarted Voltage System voltages of a switch You should manually set the system clock or configure it by using Network Time Protocol NTP When th...

Page 858: ...r logging onboard message level Enable OBFL on the switch You can specify these optional parameters Optional slot number The slot number is always 1 and is not relevant for the switch Optional message level Specify the severity level of messages to be generated and stored The range is from 1 to 7 with 1 being the most severe Step 3 end Return to privileged EXEC mode Step 4 copy logging onboard mod...

Page 859: ...No historical data to display Switch show logging onboard uptime UPTIME SUMMARY INFORMATION First customer power on 03 01 1993 00 06 06 Total uptime 0 years 20 weeks 4 days 6 hours 20 minutes Total downtime 0 years 0 weeks 0 days 0 hours 0 minutes Number of resets 90 Number of slot changes 0 Current reset reason 0x0 Current reset timestamp 03 01 1993 00 05 43 Current slot 1 Current uptime 0 years ...

Page 860: ...FORMATION Number of sensors 6 Sampling frequency 1 minutes Maximum time of storage 720 minutes Sensor ID Maximum Voltage 12 00V 0 12 567 1 25V 2 1 258 3 30V 3 3 305 2 50V 4 2 517 1 80V 5 1 825 1 50V 6 1 508 Nominal Range Sensor ID No historical data to display For more information about using the commands in Table 35 2 and for examples of OBFL data see the command reference for this release ...

Page 861: ... diagnostics you can test and verify the hardware functionality of the switch while the switch is connected to a live network The online diagnostics contain packet switching tests that monitor different hardware components and verify the data path and the control signals The online diagnostics detect problems in these areas Hardware components Interfaces Ethernet ports and so forth Solder joints T...

Page 862: ...g for a specific day and time and verify the schedule Switch config diagnostic schedule test 1 on Dec 4 2008 10 22 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 diagnostic schedule test name test id test id range all basic daily hh mm on mm dd yyyy hh mm weekly day of week hh mm Schedule on demand diagnostic tests for a specific day and time When specifying the t...

Page 863: ...ck ID 1 has completed successfully Dec 4 10 22 00 498 DIAG 6 SCHED_COMPLETE Scheduled Online Diagnostic is completed For more examples see the Examples section for the diagnostic schedule test command in the command reference for this release Running Online Diagnostic Tests After you configure online diagnostics you can manually start diagnostic tests or display the test results You can also see t...

Page 864: ...the show diagnostic content privileged EXEC command to display the test ID list See Table 36 1 test id Enter the ID number of the test Use the show diagnostic content privileged EXEC command to display the test ID list See Table 36 1 test id range Enter the range of test IDs by using integers separated by a comma and a hyphen For more information see the diagnostic start command in the command ref...

Page 865: ...mory Tests Begin POST PortASIC Memory Tests End Status Passed POST CPU MIC interface Loopback Tests Begin POST CPU MIC interface Loopback Tests End Status Passed POST PortASIC RingLoopback Tests Begin POST PortASIC RingLoopback Tests End Status Passed POST Thermal Fan Tests Begin POST Thermal Fan Tests End Status Passed POST PortASIC CAM Subsystem Tests Begin POST PortASIC CAM Subsystem Tests End ...

Page 867: ...ote The BRIDGE MIB supports the context of a single VLAN By default SNMP messages using the configured community string always provide information for VLAN 1 To obtain the BRIDGE MIB information for other VLANs for example VLAN x use this community string in the SNMP message configured community string x CISCO CDP MIB CISCO CLASS BASED QOS MIB CISCO ENTITY FRU CONTROL MIB CISCO ENTITY SENSOR MIB C...

Page 868: ...CO RFC1213 CAPABILITY my RMON MIB RMON2 MIB SNMPv2 MIB TDR MIB Note For information about MIB support for a specific Cisco product and release go to the MIB Locator tool at this URL http tools cisco com ITDIT MIBS MainServlet Using FTP to Access the MIB Files You can obtain each MIB file by using this procedure Step 1 Make sure that your FTP client is in passive mode Note Some FTP clients do not s...

Page 869: ...Step 6 Use the get MIB_filename command to obtain a copy of the MIB file ...

Page 871: ...s Command Reference Release 12 2 Working with the Flash File System page B 1 Working with Configuration Files page B 8 Working with Software Images page B 23 Working with the Flash File System The flash file system is a single flash device on which you can store files It also provides several commands to help you manage software image and configuration files The default flash file system on the sw...

Page 872: ...in the file system in bytes Free b Amount of free memory in the file system in bytes Type Type of file system flash The file system is for a flash memory device nvram The file system is for a NVRAM device opaque The file system is a locally generated pseudo file system for example the system or a download interface such as brimux unknown The file system is an unknown type Flags Permission for file...

Page 873: ...nfiguration file with the same name Similarly before copying a flash configuration file to another location you might want to verify its filename for use in another command To display information about files on a file system use one of the privileged EXEC commands in Table B 2 Changing Directories and Displaying the Working Directory Beginning in privileged EXEC mode follow these steps to change d...

Page 874: ...eir contents cannot be recovered Copying Files To copy a file from a source to a destination use the copy source url destination url privileged EXEC command For the source and destination URLs you can use running config and startup config keyword shortcuts For example the copy running config startup config command saves the currently running configuration file to the NVRAM section of flash memory ...

Page 875: ...d with configuration files see the Working with Configuration Files section on page B 8 To copy software images either by downloading a new version or by uploading the existing one use the archive download sw or the archive upload sw privileged EXEC command For more information see the Working with Software Images section on page B 23 Deleting Files When you no longer need a file on a flash memory...

Page 876: ...ssword location directory tar filename tar For the RCP the syntax is rcp username location directory tar filename tar For the TFTP the syntax is tftp location directory tar filename tar The tar filename tar is the tar file to be created For flash file url specify the location on the local flash file system from which the new tar file is created You can also specify an optional list of files or dir...

Page 877: ... file For source url specify the source URL alias for the local file system These options are supported For the local flash file system the syntax is flash For the FTP the syntax is ftp username password location directory tar filename tar For the RCP the syntax is rcp username location directory tar filename tar For the TFTP the syntax is tftp location directory tar filename tar The tar filename ...

Page 878: ...he switch You might want to perform this for one of these reasons To restore a backed up configuration file To use the configuration file for another switch For example you might add another switch to your network and want it to have a configuration similar to the original switch By copying the file to the new switch you can change the relevant parts rather than recreating the whole file To load t...

Page 879: ...if you were entering the commands at the command line The switch does not erase the existing running configuration before adding the commands If a command in the copied configuration file replaces a command in the existing configuration file the existing command is erased For example if the copied configuration file contains a different IP address in a particular command than the existing configur...

Page 880: ...h by using configuration files you create download from another switch or download from a TFTP server You can copy upload configuration files to a TFTP server for storage These sections contain this configuration information Preparing to Download or Upload a Configuration File By Using TFTP page B 10 Downloading the Configuration File By Using TFTP page B 11 Uploading the Configuration File By Usi...

Page 881: ...n File By Using TFTP section on page B 10 Step 3 Log into the switch through the console port or a Telnet session Step 4 Download the configuration file from the TFTP server to configure the switch Specify the IP address or hostname of the TFTP server and the name of the file to download Use one of these privileged EXEC commands copy tftp location directory filename system running config copy tftp...

Page 882: ...s specified The password set by the ip ftp password password global configuration command if the command is configured The switch forms a password named username switchname domain The variable username is the username associated with the current session switchname is the configured hostname and domain is the domain of the switch The username and password must be associated with an account on the F...

Page 883: ...do not need to set the FTP username Include the username in the copy command if you want to specify a username for only that copy operation When you upload a configuration file to the FTP server it must be properly configured to accept the write request from the user on the switch For more information see the documentation for your FTP server Downloading a Configuration File By Using FTP Beginning...

Page 884: ...Switch config ip ftp username netadmin1 Switch config ip ftp password mypass Switch config end Switch copy ftp nvram startup config Address of remote host 255 255 255 255 172 16 101 101 Name of configuration file rtr2 confg host2 confg Configure using host2 confg from 172 16 101 101 confirm Connected to 172 16 101 101 Loading 1112 byte file host2 confg OK OK Switch SYS 5 CONFIG_NV Non volatile sto...

Page 885: ...DP a connectionless protocol RCP uses TCP which is connection oriented To use RCP to copy files the server from or to which you will be copying files must support RCP The RCP copy commands rely on the rsh server or daemon on the remote system To copy files by using RCP you do not need to create a server for file distribution as you do with TFTP You only need to have access to a server that support...

Page 886: ...h Ensure that the switch has a route to the RCP server The switch and the server must be in the same subnetwork if you do not have a router to route traffic between subnets Check connectivity to the RCP server by using the ping command If you are accessing the switch through the console or a Telnet session and you do not have a valid username make sure that the current RCP username is the one that...

Page 887: ...tion Switch configure terminal Switch config ip rcmd remote username netadmin1 Switch config end Switch copy rcp nvram startup config Address of remote host 255 255 255 255 172 16 101 101 Name of configuration file rtr2 confg host2 confg Configure using host2 confg from 172 16 101 101 confirm Connected to 172 16 101 101 Loading 1112 byte file host2 confg OK OK Switch SYS 5 CONFIG_NV Non volatile s...

Page 888: ...f configuration file to write switch2 confg Write file switch2 confg on host 172 16 101 101 confirm OK Clearing Configuration Information You can clear the configuration information from the startup configuration If you reboot the switch with no startup configuration the switch enters the setup program so that you can reconfigure the switch with all new settings Command Purpose Step 1 Verify that ...

Page 889: ... and rollback feature replaces the running configuration with any saved Cisco IOS configuration file You can use the rollback function to roll back to a previous configuration These sections contain this information Understanding Configuration Replacement and Rollback page B 19 Configuration Replacement and Rollback Guidelines page B 20 Configuring the Configuration Archive page B 21 Performing a ...

Page 890: ...vileged EXEC command note these major differences The copy source url running config command is a merge operation and preserves all the commands from both the source file and the running configuration This command does not remove commands from the running configuration that are not present in the source file In contrast the configure replace target url command removes commands from the running con...

Page 891: ...ration archive and with the archive config command is optional but offers significant benefit for configuration rollback scenarios Before using the archive config command you must first configure the configuration archive Starting in privileged EXEC mode follow these steps to configure the configuration archive Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 archiv...

Page 892: ... command entries applied by the software parser during each pass of the configuration replacement operation The total number of passes also appears force Replace the running configuration file with the specified saved configuration file without prompting you for confirmation time seconds Specify the time in seconds within which you must enter the configure confirm command to confirm replacement of...

Page 893: ...hat you use depends on which type of server you are using The FTP and RCP transport mechanisms provide faster performance and more reliable delivery of data than TFTP These improvements are possible because FTP and RCP are built on and use the TCP IP stack which is connection oriented These sections contain this configuration information Image Location on the Switch page B 23 tar File Format of Im...

Page 894: ...rom a server to upgrade the switch software You can overwrite the current image with the new one or keep the current image after a download You upload a switch image file to a server for backup purposes this uploaded image can be used for future downloads to the same or another switch of the same type Note Instead of using the copy privileged EXEC command or the archive tar privileged EXEC command...

Page 895: ...stop the inetd process and restart it or enter a fastboot command on the SunOS 4 x or a reboot command on Solaris 2 x or SunOS 5 x For more information on the TFTP daemon see the documentation for your workstation Ensure that the switch has a route to the TFTP server The switch and the TFTP server must be in the same subnetwork if you do not have a router to route traffic between subnets Check con...

Page 896: ...on Make sure the TFTP server is properly configured see the Preparing to Download or Upload an Image File By Using TFTP section on page B 25 Step 2 Log into the switch through the console port or a Telnet session Step 3 archive download sw overwrite reload tftp location directory image name tar Download the image file from the TFTP server to the switch and overwrite the current image The overwrite...

Page 897: ...image to the switch or to another switch of the same type Beginning in privileged EXEC mode follow these steps to upload an image to a TFTP server The archive upload sw privileged EXEC command builds an image file on the server by uploading these files in order info the Cisco IOS image and the web management files After these files are uploaded the upload algorithm creates the tar file format Caut...

Page 898: ... command is configured Anonymous The switch sends the first valid password in this list The password specified in the archive download sw or archive upload sw privileged EXEC command if a password is specified The password set by the ip ftp password password global configuration command if the command is configured The switch forms a password named username switchname domain The variable username ...

Page 899: ...pecify a username for that operation only When you upload an image file to the FTP server it must be properly configured to accept the write request from the user on the switch For more information see the documentation for your FTP server Downloading an Image File By Using FTP You can download a new image file and overwrite the current image or keep the current image Beginning in privileged EXEC ...

Page 900: ...n flash memory with the downloaded image The reload option reloads the system after downloading the image unless the configuration has been changed and not been saved For username password specify the username and password these must be associated with an account on the FTP server For more information see the Preparing to Download or Upload an Image File By Using FTP section on page B 28 For locat...

Page 901: ...manager have been installed with the existing image Beginning in privileged EXEC mode follow these steps to upload an image to an FTP server Command Purpose Step 1 Verify that the FTP server is properly configured by referring to the Preparing to Download or Upload a Configuration File By Using FTP section on page B 13 Step 2 Log into the switch through the console port or a Telnet session Step 3 ...

Page 902: ...reparing to Download or Upload an Image File By Using RCP page B 32 Downloading an Image File By Using RCP page B 33 Uploading an Image File By Using RCP page B 35 Preparing to Download or Upload an Image File By Using RCP RCP provides another method of downloading and uploading image files between remote hosts and the switch Unlike TFTP which uses User Datagram Protocol UDP a connectionless proto...

Page 903: ... download You can enter the show users privileged EXEC command to view the valid username If you do not want to use this username create a new RCP username by using the ip rcmd remote username username global configuration command to be used during all archive operations The new username is stored in NVRAM If you are accessing the switch through a Telnet session and you have a valid username this ...

Page 904: ...uccessfully an account must be defined on the network server for the remote username For more information see the Preparing to Download or Upload an Image File By Using RCP section on page B 32 For location specify the IP address of the RCP server For directory image name tar specify the directory optional and the image to download Directory and image names are case sensitive Step 7 archive downlo...

Page 905: ...led image If you kept the old software during the download process you specified the leave old sw keyword you can remove it by entering the delete force recursive filesystem file url privileged EXEC command For filesystem use flash for the system board flash device For file url enter the directory name of the old software image All the files in the directory and the directory are removed Caution F...

Page 906: ... names Step 5 end Return to privileged EXEC mode Step 6 archive upload sw rcp username location directory image na me tar Upload the currently running switch image to the RCP server For username specify the username for the RCP copy request to execute an account must be defined on the network server for the remote username For more information see the Preparing to Download or Upload an Image File ...

Page 907: ...by software feature and command mode or they are listed by command mode under Other Unsupported Commands Access Control List Commands page C 2 Address Resolution Protocol ARP Commands page C 2 Hot Standby Routing Protocol HSRP Commands page C 2 IGMP Snooping Commands page C 3 IP Multicast Routing Commands page C 3 IP Unicast Routing Commands page C 4 Multiprotocol Label Switching MPLS Commands pag...

Page 908: ... Mode arp access list access list rate limit acl index precedence mask prec mask access list dynamic extended Address Resolution Protocol ARP Commands Global Configuration Mode arp ip address hardware address smds arp ip address hardware address srp a arp ip address hardware address srp b Interface Configuration Mode arp probe Hot Standby Routing Protocol HSRP Commands Global Configuration Mode in...

Page 909: ...ceived by the switch CPU Because most multicast packets are hardware switched use this command only when you know that the route will forward the packet to the CPU debug ip pim atm show ip dvmrp route commands The show ip mcache command displays entries in the cache for those packets that are sent to the switch CPU Because most multicast packets are switched in hardware without CPU involvement you...

Page 910: ...interface configuration command ip pim nbma mode IP Unicast Routing Commands Privileged EXEC or User EXEC Mode clear ip accounting checkpoint clear ip bgp address flap statistics show cef drop not cef switched show ip accounting checkpoint output packets access violations show ip bgp dampened paths show ip bgp inconsistent as show ip bgp regexp regular expression show ipv6 all Global Configuration...

Page 911: ...ode default information originate neighbor advertise map neighbor allowas in neighbor default originate neighbor description network backdoor table map Route Map Configuration Mode match route type for policy based routing PBR set automatic tag set dampening half life reuse suppress max suppress time set default interface interface id interface id set interface interface id interface id set ip def...

Page 912: ...fic eng exp show mpls traffic eng forwarding adjacency Global Configuration Mode ip rsvp signalling hello bfd graceful restart mpls traffic eng auto bw mpls traffic eng lsp Interface Configuration Mode Physical Interfaces ip rsvp bandwidth mam rdm ip rsvp signalling hello bfd dscp fast reroute graceful restart refresh reroute mpls traffic eng srlg Tunnel Interfaces tunnel mpls traffic eng auto bw ...

Page 913: ...tion mesh group Multicast Source Discovery Protocol MSDP Commands Privileged EXEC Mode show access expression show exception show pm LINE show smf interface id show subscriber policy policy number show template template name Global Configuration Mode ip msdp default peer ip address name prefix list list Because BGP MBGP is not supported use the ip msdp peer command instead of this command NetFlow ...

Page 914: ...fault line aaa nas port extended authentication command bounce port ignore authentication command disable port ignore radius server attribute nas port radius server configure radius server extended portnames Simple Network Management Protocol SNMP Commands Global Configuration Mode snmp server enable informs snmp server ifindex persist Spanning Tree Commands Global Configuration Mode spanning tree...

Page 915: ... allocation policy ascending descending VLAN Configuration Mode remote span Other Unsupported Commands Privileged EXEC and User EXEC Mode All event manager commands renew ip dhcp snooping database test cable diagnostics prbs verify Clear Commands All clear dot1x commands clear ip arp inspection All clear ip dhcp snooping commands All clear ipv6 commands Debug Commands All debug dot1x commands All ...

Page 916: ...s All show platform commands show table map Global Configuration Mode All dot1x commands All event manager commands exception crashinfo errdisable detect cause dhcp rate limit errdisable recovery cause dhcp rate limit interface tunnel All ip arp inspection commands All ip dhcp snooping commands ip source binding ip sticky arp All macro auto commands memory reserve critical service compress config ...

Page 917: ...kets 26 37 time ranges to 26 16 to an interface 26 19 to QoS 27 9 classifying traffic for QoS 27 28 comments in 26 18 compiling 26 22 defined 26 1 26 7 examples of 26 22 extended IPv4 creating 26 10 matching criteria 26 7 hardware and software handling 26 20 host keyword 26 12 27 30 IP creating 26 7 implicit deny 26 9 26 13 26 15 implicit masks 26 9 matching criteria 26 7 undefined 26 20 IPv4 appl...

Page 918: ... 5 20 removing 5 21 MAC discovering 5 30 multicast group address range 33 2 STP address management 13 8 static adding and removing 5 26 defined 5 19 address resolution 5 30 29 7 Address Resolution Protocol See ARP adjacency tables with CEF 29 93 administrative distances defined 29 102 OSPF 29 30 routing protocol defaults 29 95 administrative VLAN REP configuring 16 8 defined 16 8 advertisements CD...

Page 919: ... mismatches 35 6 autonomous system boundary routers See ASBRs autonomous systems in BGP 29 45 Auto RP described 33 6 autosensing port speed 1 2 availability features 1 5 B backup interfaces See Flex Links backup links 17 2 bandwidth QoS configuring 27 44 bandwidth command for CBWFQ 27 17 banners configuring login 5 19 message of the day login 5 18 default configuration 5 17 when displayed 5 17 Ber...

Page 920: ...bed 15 3 disabling 15 8 enabling 15 7 support for 1 5 BPDU guard described 15 2 disabling 15 7 enabling 15 6 support for 1 5 bridge domain configuring 11 6 creating 11 4 rewrite command 11 7 split horizon 11 6 symmetric rewrite 11 7 broadcast flooding 29 14 broadcast packets directed 29 12 flooded 29 12 broadcast storm control command 19 4 broadcast storms 19 1 29 12 bulk statistics defined 25 6 f...

Page 921: ...omain 32 2 maintenance point 32 3 manually configuring IP SLAs ping or jitter 32 16 measuring network performance 32 6 messages continuity check 32 5 loopback 32 5 traceroute 32 5 monitoring 32 20 32 22 on EtherChannel port channels 32 7 port MEP configuring 32 13 remote MEPs 32 5 SNMP traps 32 5 static RMEP configuring 32 11 static RMEP check 32 5 traceroute messages 32 5 types of messages 32 4 u...

Page 922: ... 6 2 CNS Configuration Engine configID deviceID hostname 4 3 configuration service 4 2 described 4 1 event service 4 3 embedded agents described 4 5 enabling automated configuration 4 6 enabling configuration agent 4 8 enabling event agent 4 7 for upgrading 4 13 command line interface See CLI command macros applying global parameter values 12 4 applying macros 12 4 applying parameter values 12 4 c...

Page 923: ...S VPN 34 7 multi VRF CE 29 82 PIM stub routing 33 12 pseudowire redundancy 34 38 QoS class maps 27 26 27 41 REP 16 7 rollback and replacement B 20 SSM 33 15 SSM mapping 33 17 VLANs 10 6 configuration replacement B 19 configuration rollback B 19 configuration settings saving 3 16 configure terminal command 9 6 configuring marking in input policy maps 27 32 congestion avoidance QoS 27 2 27 15 conges...

Page 924: ...e move update 17 7 MPLS 34 7 MPLS OAM 34 45 MPLS QoS 27 53 MPLS TE and fast reroute 34 20 MSTP 14 14 multi VRF CE 29 82 NTP 5 4 optional spanning tree configuration 15 5 OSPF 29 23 password and privilege level 8 2 PIM 33 8 QoS 27 24 RADIUS 8 20 REP 16 7 RIP 29 18 RMON 23 3 SNMP 25 7 STP 13 11 SyncE 6 6 system message logging 24 3 system name and prompt 5 15 TACACS 8 13 UDLD 22 4 VLAN Layer 2 Ether...

Page 925: ...figuration 5 17 overview 5 15 setting up 5 16 support for 1 3 DNS based SSM mapping 33 18 33 20 DoM displaying supported transceivers 9 22 domain names DNS 5 15 Domain Name System See DNS domains ISO IGRP routing 29 61 downloading configuration files preparing B 10 B 13 B 16 reasons for B 8 using FTP B 13 using RCP B 17 using TFTP B 11 image files deleting old image B 27 preparing B 25 B 28 B 32 r...

Page 926: ...guration 34 31 limitations 34 30 monitoring 34 60 packet flow 34 36 equal cost multipath tree trace See ECMP tree trace equal cost routing 1 8 29 94 error messages during command entry 2 4 EtherChannel 802 3ad described 28 5 automatic creation of 28 4 28 5 channel groups binding physical and logical interfaces 28 3 numbering of 28 3 configuration guidelines 28 9 configuring Layer 2 interfaces 28 1...

Page 927: ... configuration guidelines 32 24 default configuration 32 24 discovery 32 23 enabling 32 24 32 36 features 32 23 link monitoring 32 23 32 26 messages 32 23 protocol defined 32 22 monitoring 32 32 remote failure indications 32 23 32 29 remote loopback 32 23 32 25 templates 32 29 Ethernet OAM protocol CFM notifications 32 35 defined 32 1 Ethernet operation administration and maintenance See Ethernet ...

Page 928: ...Links configuration guidelines 17 8 configuring 17 8 17 9 configuring preferred VLAN 17 11 configuring VLAN load balancing 17 10 default configuration 17 7 description 17 1 link load balancing 17 2 monitoring 17 13 VLANs 17 2 flooded traffic blocking 19 6 flow control 1 2 9 17 forward delay time MSTP 14 23 STP 13 21 forwarding equivalence class See FEC forwarding equivalence classes 34 3 Forwardin...

Page 929: ...0 10 tracking 30 7 H VPLS defined 34 41 spoke connections 34 41 I IBGP 34 6 IBPG 29 41 ICMP redirect messages 29 10 support for 1 8 time exceeded messages 35 10 traceroute 35 10 unreachable messages 26 19 unreachables and ACLs 26 20 ICMP Echo operation configuring 31 11 IP SLAs 31 10 ICMP Router Discovery Protocol See IRDP IEEE 802 1ag 32 1 IEEE 802 1D See STP IEEE 802 1Q and trunk ports 9 3 confi...

Page 930: ...MP configurable leave timer 18 5 IGMP filtering configuring 18 14 default configuration 18 14 described 18 13 monitoring 18 18 IGMP groups configuring filtering 18 17 setting the maximum number 18 16 IGMP helper 33 5 IGMP leave timer configuring 18 9 IGMP profile applying 18 15 configuration mode 18 14 configuring 18 15 IGMP snooping and address aliasing 18 2 configuring 18 6 default configuration...

Page 931: ...0 IP addresses classes of 29 4 default configuration 29 3 discovering 5 30 for IP routing 29 3 MAC address association 29 7 monitoring 29 16 IP broadcast address 29 14 ip cef distributed command 29 93 IP directed broadcasts 29 12 ip igmp profile command 18 14 IP information assigned manually 3 15 through DHCP based autoconfiguration 3 4 default configuration 3 3 IP multicast routing addresses all ...

Page 932: ...g 33 45 RP assigning manually 33 22 configuring Auto RP 33 23 configuring PIMv2 BSR 33 27 monitoring mapping information 33 32 using Auto RP and BSR 33 31 statistics displaying system and network 33 45 See also IGMP See also PIM IP packets classification 27 5 IP precedence classification 27 7 values 27 5 IP protocols in ACLs 26 11 routing 1 8 IP routes monitoring 29 104 IP routing connecting inter...

Page 933: ... 5 configuring static routes 29 95 default addressing configuration 29 3 gateways 29 10 networks 29 96 routes 29 96 routing 29 2 directed broadcasts 29 12 disabling 29 17 enabling 29 16 EtherChannel Layer 3 interface 29 2 IGP 29 22 inter VLAN 29 1 IP addressing classes 29 4 configuring 29 3 IRDP 29 10 Layer 3 interfaces 29 2 MAC address and IP address 29 7 passive interfaces 29 101 proxy ARP 29 7 ...

Page 934: ...as trusted third party 8 31 terms 8 32 TGT 8 33 tickets 8 31 key distribution center See KDC L L2VPN interworking 34 34 L2VPN pseudowire redundancy 34 37 label binding 34 3 labels MPLS 34 2 label switching router See LSR LACP See EtherChannel Layer 2 interfaces default configuration 9 13 Layer 2 traceroute and ARP 35 9 and CDP 35 9 broadcast traffic 35 9 described 35 9 IP addresses and subnets 35 ...

Page 935: ...1 21 2 supported TLVs 21 2 LLDP Media Endpoint Discovery See LLDP MED load balancing 30 4 location TLV 21 2 21 6 logging messages ACL 26 8 login authentication with RADIUS 8 22 with TACACS 8 14 login banners 5 17 log messages See system message logging loop guard described 15 4 enabling 15 9 support for 1 5 LSP Health Monitor configuring 34 51 described 34 50 LSP multipath tree trace 34 45 LSP pin...

Page 936: ...onsole port connection 1 4 management options CLI 2 1 CNS 4 1 overview 1 3 manual preemption REP configuring 16 13 match command QoS for classification 27 3 27 7 guidelines 27 26 27 41 matching IPv4 ACLs 26 7 matching classifications QoS 27 7 maximum aging time MSTP 14 24 STP 13 21 maximum hop count MSTP 14 24 maximum paths command 29 49 29 94 membership mode VLAN port 10 4 MEPs and STP 32 4 defin...

Page 937: ...guring 34 8 default configuration 34 7 experimental field 27 11 fast link change detection 34 19 fast reroute configuration guidelines 34 20 IP SLAs ping 34 50 trace 34 50 IP SLAs LSP ping 34 44 traceroute 34 44 label 34 2 LSP Health Monitor 34 43 34 50 LSP ping 34 43 LSP traceroute 34 44 monitoring 34 60 network monitoring 34 44 QoS default configuration 27 53 experimental bits 27 12 RSVP hello m...

Page 938: ...14 17 secondary root switch 14 18 switch priority 14 22 CST defined 14 3 operations between regions 14 3 default configuration 14 14 default optional feature configuration 15 5 displaying status 14 27 enabling the mode 14 16 EtherChannel guard described 15 3 enabling 15 8 extended system ID effects on root switch 14 17 effects on secondary root switch 14 18 unexpected behavior 14 17 IEEE 802 1s im...

Page 939: ... See multi VRF CE multiprotocol label switching See MPLS multi VRF CE configuration example 29 88 configuration guidelines 29 82 configuring 29 82 default configuration 29 82 defined 29 80 displaying 29 92 monitoring 29 92 network components 29 82 packet forwarding process 29 82 support for 1 8 N named IPv4 ACLs 26 14 NameSpace Mapper See NSM native VLAN configuring 10 13 default 10 13 neighbor di...

Page 940: ...onizing 5 2 O OAM 32 33 client 32 23 features 32 23 sublayer 32 23 OAM PDUs 32 24 OAM protocol data units 32 22 OBFL configuring 35 15 described 35 15 displaying 35 16 on board failure logging See OBFL online diagnostics described 36 1 overview 36 1 running tests 36 3 Open Shortest Path First See OSPF options management 1 3 OSPF area parameters configuring 29 29 configuring 29 24 default configura...

Page 941: ... 33 4 rendezvous point RP described 33 4 RPF lookups 33 8 displaying neighbors 33 45 enabling a mode 33 11 overview 33 3 router query message interval modifying 33 35 shared tree and source tree overview 33 33 shortest path tree delaying the use of 33 34 sparse mode join messages and shared tree 33 4 overview 33 4 prune messages 33 4 RPF lookups 33 8 stub routing configuration guidelines 33 12 ena...

Page 942: ...ary links 17 2 primary pseudowire 34 38 priority HSRP 30 7 priority command for QoS scheduling 27 17 for strict priority queuing 27 20 priority queues described 27 20 for QoS scheduling 27 17 privileged EXEC mode 2 2 privilege levels changing the default for lines 8 9 exiting 8 9 logging into 8 9 overview 8 2 8 7 setting a command with 8 8 protocol dependent modules EIGRP 29 34 Protocol Independen...

Page 943: ...7 2 27 15 congestion management 27 2 27 17 default configuration 27 24 implicit deny 27 9 input policy maps 27 22 IP packet classification 27 5 marking described 27 2 match command 27 7 output policy maps described 27 22 overview 27 2 packet classification 27 2 packet marking 27 14 packet policing 27 2 parent child hierarchy 27 18 per port per VLAN hierarchical policy maps 27 11 policers 27 13 pol...

Page 944: ...es downloading B 17 overview B 15 preparing the server B 16 uploading B 18 image files deleting old image B 35 downloading B 33 preparing the server B 32 uploading B 35 redundancy EtherChannel 28 3 HSRP 30 1 pseudowire 34 37 STP backbone 13 7 path cost 10 15 port priority 10 14 redundant peer 34 39 redundant pseudowires 34 38 reference clocks 6 1 reliable transport protocol EIGRP 29 34 reloading s...

Page 945: ...5 8 overview 8 1 passwords and privilege levels 8 2 RADIUS 8 17 TACACS 8 10 reverse address resolution 29 7 Reverse Address Resolution Protocol See RARP RFC 1112 IP multicast and IGMP 18 1 1157 SNMPv1 25 2 1305 NTP 5 2 1587 NSSAs 29 22 1757 RMON 23 2 1901 SNMPv2C 25 2 1902 to 1907 SNMPv2 25 2 2236 IP multicast and IGMP 18 1 2273 2275 SNMPv3 25 2 2475 DSCP 27 8 2597 AF per hop behavior 27 8 2598 EF...

Page 946: ...logy changes 14 13 overview 14 8 port roles described 14 9 synchronized 14 11 proposal agreement handshake process 14 10 rapid convergence described 14 9 edge ports and Port Fast 14 9 point to point links 14 10 14 25 root ports 14 10 root port defined 14 9 See also MSTP running configuration replacing B 19 B 20 rolling back B 19 B 20 running configuration saving 3 16 S scheduled reloads 3 21 sched...

Page 947: ... Management Protocol See SNMP SMNP traps and CFM 32 5 SNAP 20 1 SNMP accessing MIB variables with 25 4 agent described 25 4 disabling 25 8 and IP SLAs 31 2 authentication level 25 11 community strings configuring 25 8 overview 25 4 configuration examples 25 21 default configuration 25 7 engine ID 25 7 groups 25 7 25 10 host 25 7 ifIndex values 25 5 in band management 1 4 informs and trap keyword 2...

Page 948: ...tions 33 15 CGMP limitations 33 15 components 33 13 configuration guidelines 33 15 configuring 33 13 33 16 differs from Internet standard multicast 33 14 IGMP snooping 33 15 IGMPv3 33 13 IGMPv3 Host Signalling 33 15 IP address range 33 14 monitoring 33 16 operations 33 14 PIM 33 13 state maintenance limitations 33 16 SSM mapping configuration guidelines 33 17 configuring 33 16 33 19 defined 33 16 ...

Page 949: ...witch priority 13 19 counters clearing 13 22 default configuration 13 11 default optional feature configuration 15 5 designated port defined 13 3 designated switch defined 13 3 disabling 13 13 displaying status 13 22 EtherChannel guard described 15 3 disabling 15 9 enabling 15 8 extended system ID effects on root switch 13 14 effects on the secondary root switch 13 15 overview 13 3 unexpected beha...

Page 950: ...et mask 29 4 subnet zero 29 5 summer time 5 13 SunNet Manager 1 3 supernet 29 5 SVIs and IP unicast routing 29 2 and router ACLs 26 4 connecting VLANs 9 5 defined 9 4 routing between VLANs 10 2 switch console port 1 4 switched packets ACLs on 26 37 switched ports 9 2 switchport backup interface 17 4 17 5 switchport block multicast command 19 6 switchport block unicast command 19 6 switchport comma...

Page 951: ... ISO IGRP 29 61 T TACACS accounting defined 8 11 authentication defined 8 11 authorization defined 8 11 configuring accounting 8 16 authentication key 8 13 authorization 8 16 login authentication 8 14 default configuration 8 13 displaying the configuration 8 17 identifying the server 8 13 limiting the services to the user 8 16 operation of 8 12 overview 8 10 support for 1 6 tracking services acces...

Page 952: ...ss defined 27 3 traffic marking 27 14 traffic policies elements in 27 3 traffic shaping for QoS scheduling 27 17 QoS traffic control 27 18 trap door mechanism 3 2 traps configuring MAC address notification 5 22 5 24 5 25 configuring managers 25 12 defined 25 3 enabling 5 22 5 24 5 25 25 12 notification types 25 13 overview 25 1 25 4 troubleshooting connectivity problems 35 8 35 10 detecting unidir...

Page 953: ... 19 1 unicast storm control command 19 4 unicast traffic blocking 19 6 UNI community VLAN 10 5 UniDirectional Link Detection protocol See UDLD UNI isolated VLAN 10 5 UNIX syslog servers daemon configuration 24 11 facilities supported 24 12 message logging configuration 24 12 upgrading software images See downloading upgrading with CNS 4 13 uploading configuration files preparing B 10 B 13 B 16 rea...

Page 954: ...r 1 6 wiring closet configuration example 26 34 with router ACLs 26 39 VLAN membership modes 10 4 VLANs adding 10 7 aging dynamic addresses 13 8 allowed on trunk 10 12 and spanning tree instances 10 3 10 6 configuration guidelines 10 6 configuration guidelines normal range VLANs 10 6 configuring 10 1 connecting through SVIs 9 5 default configuration 10 5 described 9 2 10 1 displaying 10 9 extended...

Page 955: ...in MPLS VPNs 34 4 tables 29 80 VRF aware services ARP 29 85 configuring 29 84 ftp 29 86 HSRP 29 85 ping 29 85 SNMP 29 85 syslog 29 86 tftp 29 86 traceroute 29 86 W weighted tail drop See WTD WTD configuring 27 50 described 27 15 support for 1 7 X xconnect command 34 39 ...
