manualshive.com logo in svg

Cisco Catalyst 2960 Series, Configuration Manual

The Cisco Catalyst 2960 Series is a powerful network switch series designed for efficient and reliable connectivity. Enhance your network management skills with the comprehensive Command Reference Manual, available for free download from manualshive.com, providing detailed instructions and guidance for optimal performance and seamless integration.

Share
Download
background image

You can control logging messages. ACL entries can be set to log traffic only at certain times of the day.
Therefore, you can simply deny access without needing to analyze many logs generated during peak
hours.

Time-based access lists trigger CPU activity because the new configuration of the access list must be merged
with other features and the combined configuration loaded into the hardware memory. For this reason, you
should be careful not to have several access lists configured to take affect in close succession (within a small
number of minutes of each other.)

The time range relies on the switch system clock; therefore, you need a reliable clock source. We
recommend that you use Network Time Protocol (NTP) to synchronize the switch clock.

Note

IPv4 ACL Interface Considerations

When you apply the

ip access-group

interface configuration command to a Layer 3 interface (an SVI, a Layer

3 EtherChannel, or a routed port), the interface must have been configured with an IP address. Layer 3 access
groups filter packets that are routed or are received by Layer 3 processes on the CPU. They do not affect
packets bridged within a VLAN.

For inbound ACLs, after receiving a packet, the switch checks the packet against the ACL. If the ACL permits
the packet, the switch continues to process the packet. If the ACL rejects the packet, the switch discards the
packet.

For outbound ACLs, after receiving and routing a packet to a controlled interface, the switch checks the packet
against the ACL. If the ACL permits the packet, the switch sends the packet. If the ACL rejects the packet,
the switch discards the packet.

By default, the input interface sends ICMP Unreachable messages whenever a packet is discarded, regardless
of whether the packet was discarded because of an ACL on the input interface or because of an ACL on the
output interface. ICMP Unreachables are normally limited to no more than one every one-half second per
input interface, but this can be changed by using the

ip icmp rate-limit unreachable

global configuration

command.

When you apply an undefined ACL to an interface, the switch acts as if the ACL has not been applied to the
interface and permits all packets. Remember this behavior if you use undefined ACLs for network security.

Apply an Access Control List to an Interface

With some protocols, you can apply up to two access lists to an interface: one inbound access list and one
outbound access list. With other protocols, you apply only one access list that checks both inbound and
outbound packets.

If the access list is inbound, when a device receives a packet, Cisco software checks the access list

s criteria

statements for a match. If the packet is permitted, the software continues to process the packet. If the packet
is denied, the software discards the packet.

If the access list is outbound, after receiving and routing a packet to the outbound interface, Cisco software
checks the access list

s criteria statements for a match. If the packet is permitted, the software transmits the

packet. If the packet is denied, the software discards the packet.

Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)    

1181

Information About Configuring IPv4 Access Control Lists

Summary of Contents for Catalyst 2960 Series

Page 1: ...lease15 2 4 E Catalyst 2960 X Switches First Published 2015 09 21 Last Modified 2016 06 30 Americas Headquarters Cisco Systems Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 ...

Page 2: ... IMPLIED INCLUDING WITHOUT LIMITATION THOSE OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING USAGE OR TRADE PRACTICE IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT SPECIAL CONSEQUENTIAL OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE T...

Page 3: ... Help System 4 How to Use the CLI to Configure Features 6 Configuring the Command History 6 Changing the Command History Buffer Size 6 Recalling Commands 6 Disabling the Command History Feature 7 Enabling and Disabling Editing Features 7 Editing Commands Through Keystrokes 8 Editing Command Lines That Wrap 9 Searching and Filtering Output of show and more Commands 10 Accessing the CLI on a Switch ...

Page 4: ...Interface Configuration 21 Interface Speed and Duplex Mode 22 Speed and Duplex Configuration Guidelines 23 IEEE 802 3x Flow Control 23 How to Configure Interface Characteristics 24 Configuring Interfaces 24 Adding a Description for an Interface 25 Configuring a Range of Interfaces 26 Configuring and Using Interface Range Macros 28 Configuring Ethernet Interfaces 29 Setting the Interface Speed and ...

Page 5: ... MDIX 45 Information about Configuring Auto MDIX 45 Auto MDIX on an Interface 45 How to Configure Auto MDIX 46 Configuring Auto MDIX on an Interface 46 Example for Configuring Auto MDIX 47 Additional References 48 Feature History and Information for Auto MDIX 48 C H A P T E R 4 Configuring Ethernet Management Port 51 Finding Feature Information 51 Prerequisites for Ethernet Management Ports 51 Inf...

Page 6: ...Service 70 Enabling Wired Location Service on the Switch 72 Configuration Examples for LLDP LLDP MED and Wired Location Service 74 Configuring Network Policy TLV Examples 74 Monitoring and Maintaining LLDP LLDP MED and Wired Location Service 74 Additional References for LLDP LLDP MED and Wired Location Service 75 Feature Information for LLDP LLDP MED and Wired Location Service 76 C H A P T E R 6 C...

Page 7: ...89 Power Consumption Values 90 How to Configure PoE 91 Configuring a Power Management Mode on a PoE Port 91 Fast POE 92 Configuring Fast POE 93 Budgeting Power for Devices Connected to a PoE Port 94 Budgeting Power to All PoE ports 95 Budgeting Power to a Specific PoE Port 96 Configuring Power Policing 97 Monitoring Power Status 100 Configuration Examples for Configuring PoE 100 Budgeting Power Ex...

Page 8: ... Multicast VLAN Registration 115 Finding Feature Information 115 Prerequisites for Configuring IGMP Snooping and MVR 115 Prerequisites for IGMP Snooping 115 Prerequisites for MVR 116 Restrictions for Configuring IGMP Snooping and MVR 116 Restrictions for IGMP Snooping 116 Restrictions for MVR 117 Information About IGMP Snooping and MVR 118 IGMP Snooping 118 IGMP Versions 119 Joining a Multicast Gr...

Page 9: ...the Multicast Flooding Time After a TCN Event 138 Recovering from Flood Mode 139 Disabling Multicast Flooding During a TCN Event 141 Configuring the IGMP Snooping Querier 142 Disabling IGMP Report Suppression 145 Configuring MVR Global Parameters 146 Configuring MVR Interfaces 149 Configuring IGMP Profiles 151 Applying IGMP Profiles 154 Setting the Maximum Number of IGMP Groups 155 Configuring the...

Page 10: ...I I I IPv6 167 C H A P T E R 1 2 Configuring MLD Snooping 169 Finding Feature Information 169 Information About Configuring IPv6 MLD Snooping 169 Understanding MLD Snooping 170 MLD Messages 170 MLD Queries 171 Multicast Client Aging Robustness 171 Multicast Router Discovery 171 MLD Reports 172 MLD Done Messages and Immediate Leave 172 Topology Change Notification Processing 172 MLD Snooping in Swi...

Page 11: ...Features 186 128 Bit Wide Unicast Addresses 187 DNS for IPv6 187 ICMPv6 187 Neighbor Discovery 187 IPv6 Stateless Autoconfiguration and Duplicate Address Detection 187 IPv6 Applications 188 Dual IPv4 and IPv6 Protocol Stacks 188 SNMP and Syslog Over IPv6 189 HTTP S Over IPv6 189 IPv6 and Switch Stacks 189 Default IPv6 Configuration 190 Configuring IPv6 Addressing and Enabling IPv6 Routing 190 Conf...

Page 12: ...xample Creating IPv6 ACL 207 Example Applying IPv6 ACLs 207 Example Displaying IPv6 ACLs 207 P A R T I V Layer 2 209 C H A P T E R 1 5 Configuring Spanning Tree Protocol 211 Finding Feature Information 211 Restrictions for STP 211 Information About Spanning Tree Protocol 212 Spanning Tree Protocol 212 Spanning Tree Topology and BPDUs 213 Bridge ID Device Priority and Extended System ID 214 Port Pr...

Page 13: ...ot Switch 227 Configuring a Secondary Root Device 229 Configuring Port Priority 230 Configuring Path Cost 231 Configuring the Device Priority of a VLAN 233 Configuring the Hello Time 234 Configuring the Forwarding Delay Time for a VLAN 235 Configuring the Maximum Aging Time for a VLAN 236 Configuring the Transmit Hold Count 237 Monitoring Spanning Tree Status 238 Feature Information for STP 239 C ...

Page 14: ...Processing 255 Processing Superior BPDU Information 256 Processing Inferior BPDU Information 256 Topology Changes 256 Protocol Migration Process 257 Default MSTP Configuration 257 About MST to PVST Interoperability PVST Simulation 258 About Detecting Unidirectional Link Failure 259 How to Configure MSTP Features 261 Specifying the MST Region Configuration and Enabling MSTP 261 Configuring the Root...

Page 15: ...ion 287 Restriction for Optional Spanning Tree Features 287 Information About Optional Spanning Tree Features 288 PortFast 288 BPDU Guard 288 BPDU Filtering 289 UplinkFast 290 Cross Stack UplinkFast 291 How Cross Stack UplinkFast Works 292 Events That Cause Fast Convergence 294 BackboneFast 294 EtherChannel Guard 297 Root Guard 297 Loop Guard 298 STP PortFast Port Types 298 Bridge Assurance 299 Ho...

Page 16: ...ation for Optional Spanning Tree Features 322 C H A P T E R 1 8 Configuring EtherChannels 323 Finding Feature Information 323 Restrictions for EtherChannels 323 Information About EtherChannels 324 EtherChannel Overview 324 EtherChannel Modes 325 EtherChannel on Switches 326 EtherChannel Link Failover 327 Channel Groups and Port Channel Interfaces 327 Port Aggregation Protocol 328 PAgP Modes 329 Si...

Page 17: ...ing LACP Hot Standby Ports 349 Configuring the LACP System Priority 350 Configuring the LACP Port Priority 351 Configuring the LACP Port Channel Min Links Feature 352 Configuring LACP Fast Rate Timer 353 Configuring Auto LAG Globally 355 Configuring Auto LAG on a Port Interface 356 Configuring Persistence with Auto LAG 357 Monitoring EtherChannel PAgP and LACP Status 358 Configuration Examples for...

Page 18: ...pport 375 Multicast Fast Convergence with Flex Links Failover 376 Learning the Other Flex Links Port as the mrouter Port 376 Generating IGMP Reports 376 Leaking IGMP Reports 377 MAC Address Table Move Update 377 Flex Links VLAN Load Balancing Configuration Guidelines 379 MAC Address Table Move Update Configuration Guidelines 379 Default Flex Links and MAC Address Table Move Update Configuration 37...

Page 19: ...ssive Mode 397 Methods to Detect Unidirectional Links 397 Neighbor Database Maintenance 397 Event Driven Detection and Echoing 398 UDLD Reset Options 398 Default UDLD Configuration 398 How to Configure UDLD 399 Enabling UDLD Globally 399 Enabling UDLD on an Interface 400 Monitoring and Maintaining UDLD 401 Additional References for UDLD 402 Feature Information for UDLD 403 P A R T V Network Manage...

Page 20: ...uration for Cisco IOS CNS Agent 418 Refreshing DeviceIDs 423 Enabling a Partial Configuration for Cisco IOS CNS Agent 425 Monitoring CNS Configurations 427 Additional References 428 Feature History and Information for the Configuration Engine 429 C H A P T E R 2 3 Configuring the Cisco Discovery Protocol 431 Finding Feature Information 431 Information About CDP 431 CDP Overview 431 CDP and Stacks ...

Page 21: ...nfiguration Guidelines 451 How to Configure SNMP 452 Disabling the SNMP Agent 452 Configuring Community Strings 454 Configuring SNMP Groups and Users 456 Configuring SNMP Notifications 459 Setting the Agent Contact and Location Information 464 Limiting TFTP Servers Used Through SNMP 465 Monitoring SNMP Status 467 SNMP Examples 468 Additional References 469 Feature History and Information for Simpl...

Page 22: ...sion 484 Creating a Local SPAN Session and Configuring Incoming Traffic 486 Specifying VLANs to Filter 489 Configuring a VLAN as an RSPAN VLAN 491 Creating an RSPAN Source Session 492 Specifying VLANs to Filter 494 Creating an RSPAN Destination Session 496 Creating an RSPAN Destination Session and Configuring Incoming Traffic 499 Monitoring SPAN and RSPAN Operations 501 SPAN and RSPAN Configuratio...

Page 23: ...ow Lite and Stacking 520 Default Settings 520 How to Configure NetFlow Lite 520 Creating a Flow Record 520 Creating a Flow Exporter 523 Creating a Flow Monitor 525 Creating a Sampler 527 Applying a Flow to an Interface 529 Configuring a Bridged NetFlow on a VLAN 531 Configuring Layer 2 NetFlow 532 Monitoring Flexible NetFlow 533 Configuration Examples for NetFlow Lite 534 Example Configuring a Flo...

Page 24: ...546 Classification Flowchart 548 Access Control Lists 548 Classification Based on Class Maps and Policy Maps 549 Policing and Marking Overview 550 Physical Port Policing 550 Mapping Tables Overview 552 Queueing and Scheduling Overview 554 Weighted Tail Drop 554 SRR Shaping and Sharing 555 Queueing and Scheduling on Ingress Queues 556 Configurable Ingress Queue Types 557 WTD Thresholds 558 Buffer a...

Page 25: ...g DSCP Transparency Mode 580 DSCP Transparency Mode 581 Configuring the DSCP Trust State on a Port Bordering Another QoS Domain 582 Configuring a QoS Policy 584 Classifying Traffic by Using ACLs 584 Creating an IP Standard ACL for IPv4 Traffic 584 Creating an IP Extended ACL for IPv4 Traffic 586 Creating an IPv6 ACL for IPv6 Traffic 588 Creating a Layer 2 MAC ACL for Non IP Traffic 590 Classifying...

Page 26: ...edite Queue 627 Limiting the Bandwidth on an Egress Interface 629 Monitoring Standard QoS 630 Configuration Examples for QoS 631 Example Configuring Port to the DSCP Trusted State and Modifying the DSCP to DSCP Mutation Map 631 Examples Classifying Traffic by Using ACLs 631 Examples Classifying Traffic by Using Class Maps 632 Examples Classifying Policing and Marking Traffic on Physical Ports Usin...

Page 27: ...n Running Configuration 650 How to Configure Auto QoS 651 Configuring Auto QoS 651 Enabling Auto QoS 651 Enabling Auto Qos Compact 653 Troubleshooting Auto QoS 654 Monitoring Auto QoS 655 Configuration Examples for Auto Qos 655 Examples Global Auto QoS Configuration 655 Examples Auto QoS Generated Configuration for VoIP Devices 658 Examples Auto QoS Generated Configuration for VoIP Devices 661 Exa...

Page 28: ...Snooping Policy to a Layer 2 EtherChannel Interface 684 How to Configure the IPv6 Binding Table Content 685 How to Configure an IPv6 Neighbor Discovery Inspection Policy 687 How to Attach an IPv6 Neighbor Discovery Inspection Policy to an Interface 689 How to Attach an IPv6 Neighbor Discovery Inspection Policy to a Layer 2 EtherChannel Interface 690 How to Attach an IPv6 Neighbor Discovery Multica...

Page 29: ... a Layer 2 EtherChannel Interface 712 Examples How to attach an IPv6 Prefix Guard Policy to a Layer 2 EtherChannel Interface 712 Additional References 712 P A R T I X Security 715 C H A P T E R 3 1 Managing Switch Stacks 717 Finding Feature Information 717 Prerequisites for Switch Stacks 717 Restrictions for Switch Stacks 718 Information About Switch Stacks 718 Switch Stack Overview 718 Supported ...

Page 30: ...n IP Address 733 Connectivity to the Switch Stack Through Console Ports or Ethernet Management Ports 733 How to Configure a Switch Stack 733 Enabling the Persistent MAC Address Feature 733 Assigning a Stack Member Number 735 Setting the Stack Member Priority Value 736 Setting the Stack Port Speed to 10 Gbps 738 Provisioning a New Member for a Switch Stack 739 Removing Provisioned Switch Informatio...

Page 31: ...tch Access with Passwords and Privilege Levels 758 Setting or Changing a Static Enable Password 758 Protecting Enable and Enable Secret Passwords with Encryption 760 Disabling Password Recovery 762 Setting a Telnet Password for a Terminal Line 764 Configuring Username and Password Pairs 765 Setting the Privilege Level for a Command 767 Changing the Default Privilege Level for Lines 769 Logging int...

Page 32: ...ion 883 TACACS Accounting 883 Default TACACS Configuration 883 Per VRF for TACACS Servers 883 How to Configure TACACS 883 Identifying the TACACS Server Host and Setting the Authentication Key 883 Configuring TACACS Login Authentication 885 Configuring TACACS Authorization for Privileged EXEC Access and Network Services 888 Starting TACACS Accounting 889 Establishing a Session with a Router if the ...

Page 33: ...nting 906 Vendor Specific RADIUS Attributes 906 RADIUS Disconnect Cause Attribute Values 918 RADIUS Progress Codes 923 Vendor Proprietary RADIUS Server Communication 924 Enhanced Test Command 924 How to Configure RADIUS 924 Identifying the RADIUS Server Host 924 Configuring Settings for All RADIUS Servers 926 Configuring RADIUS Login Authentication 928 Defining AAA Server Groups 930 Configuring RA...

Page 34: ...s for RADIUS Server Load Balancing 946 Information About RADIUS Server Load Balancing 946 RADIUS Server Load Balancing Overview 946 Transaction Load Balancing Across RADIUS Server Groups 946 RADIUS Server Status and Automated Testing 947 How to Configure RADIUS Server Load Balancing 948 Enabling Load Balancing for a Named RADIUS Server Group 948 Enabling Load Balancing for a Global RADIUS Server G...

Page 35: ...ation Requests 963 RFC 5176 Compliance 963 Preconditions 965 CoA Request Response Code 965 Session Identification 965 Session Identification 966 CoA ACK Response Code 966 CoA NAK Response Code 966 Session Reauthentication 967 Session Reauthentication in a Switch Stack 967 Session Termination 967 CoA Activate Service Command 968 CoA Deactivate Service Command 969 CoA Request Disable Host Port 969 C...

Page 36: ...ring the KDC Using Kerberos Commands 985 Adding Users to the KDC Database 985 Creating and Extracting a SRVTAB on the KDC 986 Configuring the Device to Use the Kerberos Protocol 987 Defining a Kerberos Realm 987 Copying SRVTAB Files 989 Specifying Kerberos Authentication 989 Enabling Credentials Forwarding 989 Opening a Telnet Session to a Device 990 Establishing an Encrypted Kerberized Telnet Ses...

Page 37: ...Resource Accounting 1013 AAA Resource Failure Stop Accounting 1013 AAA Resource Accounting for Start Stop Records 1014 VRRS Accounting 1015 VRRS Accounting Plug in 1015 AAA Accounting Enhancements 1016 AAA Broadcast Accounting 1016 AAA Session MIB 1016 Accounting Attribute Value Pairs 1017 How to Configure Accounting 1018 Configuring AAA Accounting Using Named Method Lists 1018 Configuring RADIUS ...

Page 38: ...guring Accounting 1031 Feature Information for Configuring Accounting 1032 C H A P T E R 4 1 Configuring Local Authentication and Authorization 1035 Finding Feature Information 1035 How to Configure Local Authentication and Authorization 1035 Configuring the Switch for Local Authentication and Authorization 1035 Monitoring Local Authentication and Authorization 1038 Additional References 1038 Feat...

Page 39: ...Password Change Policy 1055 User Reauthentication Policy 1055 Support for Framed noninteractive Session 1055 How to Configure Password Strength and Management for Common Criteria 1055 Configuring the Password Security Policy 1055 Verifying the Common Criteria Policy 1057 Configuration Examples for Password Strength and Management for Common Criteria 1059 Example Password Strength and Management fo...

Page 40: ...ersions 1071 RSA Authentication Support 1071 SSL Configuration Guidelines 1071 Secure Copy Protocol Overview 1072 Secure Copy Protocol 1072 How Secure Copy Works 1072 Reverse Telnet 1072 Reverse SSH 1073 How to Configure Secure Shell 1073 Setting Up the Switch to Run SSH 1073 Configuring the SSH Server 1075 Invoking an SSH Client 1077 Troubleshooting Tips 1077 Configuring Reverse SSH for Console A...

Page 41: ...rver to Perform RSA Based User Authentication 1096 Configuring the Cisco IOS SSH Client to Perform RSA Based Server Authentication 1098 Starting an Encrypted Session with a Remote Device 1100 Enabling Secure Copy Protocol on the SSH Server 1101 Verifying the Status of the Secure Shell Connection 1103 Verifying the Secure Shell Status 1104 Monitoring and Maintaining Secure Shell Version 2 1105 Conf...

Page 42: ... Verifying the Server and User Authentication Using Digital Certificates 1122 Configuration Examples for X 509v3 Certificates for SSH Authentication 1123 Example Configuring Digital Certificates for Server Authentication 1123 Example Configuring Digital Certificate for User Authentication 1123 Additional References for X 509v3 Certificates for SSH Authentication 1124 Feature Information for X 509v...

Page 43: ...ting IPsec with Multiple Root CAs 1144 How CA Certificates Are Used by IPsec Devices 1144 Registration Authorities 1145 How to Configure Certification Authority 1145 Managing NVRAM Memory Usage 1145 Configuring the Device Host Name and IP Domain Name 1146 Generating an RSA Key Pair 1147 Declaring a Certification Authority 1148 Configuring a Root CA Trusted Root 1150 Authenticating the CA 1151 Requ...

Page 44: ...67 Supported ACLs 1167 ACL Precedence 1168 Port ACLs 1168 Router ACLs 1169 Access Control Entries 1170 ACEs and Fragmented and Unfragmented Traffic 1170 ACEs and Fragmented and Unfragmented Traffic Examples 1170 C H A P T E R 5 1 Configuring IPv4 Access Control Lists 1173 Finding Feature Information 1173 Prerequisites for Configuring IPv4 Access Control Lists 1174 Restrictions for Configuring IPv4...

Page 45: ...ith Noncontiguous Ports 1191 Consolidating Access List Entries with Noncontiguous Ports into One Access List Entry 1193 Sequencing Access List Entries and Revising the Access List 1195 Configuring Commented IP ACL Entries 1199 Configuring Time Ranges for ACLs 1200 Applying an IPv4 ACL to a Terminal Line 1202 Applying an IPv4 ACL to an Interface 1203 Monitoring IPv4 ACLs 1204 Configuration Examples...

Page 46: ...CLs 1220 Interactions with Other Features and Switches 1220 Default Configuration for IPv6 ACLs 1221 Supported ACL Features 1221 IPv6 Port Based Access Control List Support 1221 ACLs and Traffic Forwarding 1221 How to Configure IPv6 ACLs 1222 Configuring IPv6 ACLs 1222 Attaching an IPv6 ACL to an Interface 1225 Monitoring IPv6 ACLs 1227 Configuring PACL Mode and Applying IPv6 PACL on an Interface ...

Page 47: ...g Packets That Contain TCP Flags 1242 Additional References for ACL Support for Filtering IP Options 1243 Feature Information for Creating an IP Access List to Filter 1244 C H A P T E R 5 4 VLAN Access Control Lists 1245 Finding Feature Information 1245 Information About VLAN Access Control Lists 1246 VLAN Maps 1246 VLAN Map Configuration Guidelines 1246 VLAN Maps with Router ACLs 1247 VLAN Maps a...

Page 48: ...mple ACLs and Routed Packets 1263 Example ACLs and Multicast Packets 1264 C H A P T E R 5 5 Configuring DHCP 1265 Finding Feature Information 1265 Information About DHCP 1265 DHCP Server 1265 DHCP Relay Agent 1265 DHCP Snooping 1266 Option 82 Data Insertion 1267 Cisco IOS DHCP Server Database 1270 DHCP Snooping Binding Database 1270 DHCP Snooping and Switch Stacks 1272 How to Configure DHCP Featur...

Page 49: ...P Source Guard Configuration Guidelines 1293 How to Configure IP Source Guard 1294 Enabling IP Source Guard 1294 Configuring IP Source Guard for Static Hosts on a Layer 2 Access Port 1295 Monitoring IP Source Guard 1297 Additional References 1298 C H A P T E R 5 7 Configuring Dynamic ARP Inspection 1299 Finding Feature Information 1299 Restrictions for Dynamic ARP Inspection 1299 Understanding Dyn...

Page 50: ...thentication and Switch Stacks 1327 802 1x Host Mode 1328 802 1x Multiple Authentication Mode 1328 Multi auth Per User VLAN assignment 1329 Limitation in Multi auth Per User VLAN assignment 1330 MAC Move 1331 MAC Replace 1331 802 1x Accounting 1332 802 1x Accounting Attribute Value Pairs 1332 802 1x Readiness Check 1333 Switch to RADIUS Server Communication 1333 802 1x Authentication with VLAN Ass...

Page 51: ...hentication 1348 Limiting Login for Users 1349 802 1x Supplicant and Authenticator Switches with Network Edge Access Topology NEAT 1349 Voice Aware 802 1x Security 1351 Common Session ID 1351 How to Configure 802 1x Port Based Authentication 1352 Default 802 1x Authentication Configuration 1352 802 1x Authentication Configuration Guidelines 1353 802 1x Authentication 1353 VLAN Assignment Guest VLA...

Page 52: ...uring 802 1x User Distribution 1390 Example of Configuring VLAN Groups 1391 Configuring NAC Layer 2 802 1x Validation 1392 Configuring Limiting Login for Users 1394 Configuring an Authenticator Switch with NEAT 1395 Configuring a Supplicant Switch with NEAT 1397 Configuring 802 1x Authentication with Downloadable ACLs and Redirect URLs 1400 Configuring Downloadable ACLs 1400 Configuring a Download...

Page 53: ...r Features 1428 802 1x Authentication 1428 AAA Accounting with Authentication Proxy 1429 ACLs 1429 Context Based Access Control 1429 EtherChannel 1429 Gateway IP 1429 LAN Port IP 1429 Port Security 1430 Default Web Based Authentication Configuration 1430 Web Based Authentication Configuration Guidelines and Restrictions 1430 How to Configure Web Based Authentication 1432 Configuring the Authentica...

Page 54: ...51 Additional References for Web Based Authentication 1451 Feature Information for Web Based Authentication 1452 C H A P T E R 6 0 Auto Identity 1453 Auto Identity 1453 Finding Feature Information 1453 Information About Auto Identity 1453 Auto Identity Overview 1453 Auto Identity Global Template 1454 Auto Identity Interface Templates 1455 Auto Identity Built in Policies 1455 Auto Identity Class Ma...

Page 55: ...otected Port Configuration 1473 Protected Ports Guidelines 1473 How to Configure Protected Ports 1474 Configuring a Protected Port 1474 Monitoring Protected Ports 1475 Where to Go Next 1475 Additional References 1476 Feature Information 1476 Finding Feature Information 1477 Information About Port Blocking 1477 Port Blocking 1477 How to Configure Port Blocking 1477 Blocking Flooded Traffic on an In...

Page 56: ...is Measured 1494 Traffic Patterns 1495 How to Configure Storm Control 1495 Configuring Storm Control and Threshold Levels 1495 Configuring Small Frame Arrival Rate 1498 Finding Feature Information 1500 Information About Protected Ports 1500 Protected Ports 1500 Default Protected Port Configuration 1501 Protected Ports Guidelines 1501 How to Configure Protected Ports 1501 Configuring a Protected Po...

Page 57: ...n 1512 Additional References 1513 C H A P T E R 6 2 Configuring FIPS 1515 Information About FIPS and Common Criteria 1515 C H A P T E R 6 3 Configuring Control Plane Policing 1517 Finding Feature Information 1517 Restrictions for Control Plane Policing 1517 Control Plane Policing 1517 Configuring Control Plane Policing 1518 Examples Configuring CoPP 1520 P A R T X System Management 1521 C H A P T ...

Page 58: ...he Time Zone 1532 Configuring Summer Time Daylight Saving Time 1533 1535 Configuring a System Name 1537 Setting Up DNS 1538 Configuring a Message of the Day Login Banner 1540 Configuring a Login Banner 1541 Managing the MAC Address Table 1542 Changing the Address Aging Time 1542 Configuring MAC Address Change Notification Traps 1543 Configuring MAC Address Move Notification Traps 1546 Configuring ...

Page 59: ...d Autoconfiguration Overview 1561 DHCP Client Request Process 1561 DHCP based Autoconfiguration and Image Update 1562 Restrictions for DHCP based Autoconfiguration 1562 DHCP Autoconfiguration 1563 DHCP Auto Image Update 1563 DHCP Server Configuration Guidelines 1563 Purpose of the TFTP Server 1564 Purpose of the DNS Server 1565 How to Obtain Configuration Files 1565 How to Control Environment Vari...

Page 60: ... Feature History and Information For Performing Switch Setup Configuration 1587 C H A P T E R 6 6 Configuring SDM Templates 1589 Finding Feature Information 1589 Information About Configuring SDM Templates 1589 Restrictions for SDM Templates 1589 SDM Templates 1590 Default and LAN Base Templates 1590 SDM Templates and Switch Stacks 1592 How to Configure SDM Templates 1592 Setting the SDM Template ...

Page 61: ... Additional References for System Message Logs 1610 Feature History and Information For System Message Logs 1611 C H A P T E R 6 8 Configuring Online Diagnostics 1613 Information About Configuring Online Diagnostics 1613 Online Diagnostics 1613 How to Configure Online Diagnostics 1614 Starting Online Diagnostic Tests 1614 Configuring Online Diagnostics 1614 Scheduling Online Diagnostics 1614 Confi...

Page 62: ...lization 1631 How to Troubleshoot the Software Configuration 1632 Recovering from a Software Failure 1632 Recovering from a Lost or Forgotten Password 1633 Procedure with Password Recovery Enabled 1635 Procedure with Password Recovery Disabled 1636 Recovering from a Command Switch Failure 1638 Replacing a Failed Command Switch with a Cluster Member 1639 Replacing a Failed Command Switch with Anoth...

Page 63: ...nd Information for Troubleshooting Software Configuration 1656 P A R T X I Embedded Event Manager 1657 C H A P T E R 7 0 Embedded Event Manager Overview 1659 Finding Feature Information 1659 Information About Embedded Event Manager 1659 Embedded Event Manager 1659 Embedded Event Manager 1 0 1661 Embedded Event Manager 2 0 1661 Embedded Event Manager 2 1 1661 Embedded Event Manager 2 1 Software Mod...

Page 64: ...Variables 1697 Alphabetical Order of EEM Action Labels 1697 Troubleshooting Tips 1700 Registering and Defining an EEM Tcl Script 1701 Unregistering Embedded Event Manager Policies 1702 Suspending All Embedded Event Manager Policy Execution 1704 Displaying Embedded Event Manager History Data 1706 Displaying Embedded Event Manager Registered Policies 1707 Configuring Event SNMP Notification 1708 Con...

Page 65: ...f Conditional Blocks 1733 Specifying if else Conditional Blocks 1734 Specifying foreach Iterating Statements 1736 Using Regular Expressions 1738 Incrementing the Values of Variables 1739 Configuring Event SNMP Object 1740 Disabling AAA Authorization 1742 Configuring Description of an Embedded Event Manager Applet 1743 Configuration Examples for Writing Embedded Event Manager Policies Using Tcl 174...

Page 66: ...4 EEM Policies 1764 EEM Policy Tcl Command Extension Categories 1765 General Flow of EEM Event Detection and Recovery 1766 Safe Tcl 1767 Bytecode Support for EEM 2 4 1769 Registration Substitution 1769 Cisco File Naming Convention for EEM 1770 How to Write Embedded Event Manager Policies Using Tcl 1771 Registering and Defining an EEM Tcl Script 1771 Displaying EEM Registered Policies 1773 Unregist...

Page 67: ...Writing EEM 4 0 Policies Using the Cisco IOS CLI 1824 C H A P T E R 7 3 Signed Tcl Scripts 1825 Finding Feature Information 1825 Prerequisites for Signed Tcl Scripts 1826 Restrictions for Signed Tcl Scripts 1826 Information About Signed Tcl Scripts 1826 Cisco PKI 1826 RSA Key Pair 1827 Certificate and Trustpoint 1827 How to Configure Signed Tcl Scripts 1827 Generating a Key Pair 1827 Generating a ...

Page 68: ... E R 7 4 EEM CLI Library Command Extensions 1849 cli_close 1850 cli_exec 1850 cli_get_ttyname 1851 cli_open 1851 cli_read 1852 cli_read_drain 1853 cli_read_line 1853 cli_read_pattern 1854 cli_run 1854 cli_run_interactive 1855 cli_write 1856 C H A P T E R 7 5 EEM Context Library Command Extensions 1861 context_retrieve 1861 context_save 1864 C H A P T E R 7 6 EEM Event Registration Tcl Command Exte...

Page 69: ...p_notification 1938 event_register_snmp_object 1941 event_register_syslog 1944 event_register_timer 1948 event_register_timer_subscriber 1953 event_register_track 1956 event_register_wdsysmon 1958 C H A P T E R 7 7 EEM Event Tcl Command Extensions 1977 event_completion 1977 event_completion_with_wait 1978 event_publish 1979 event_wait 1982 C H A P T E R 7 8 EEM Library Debug Command Extensions 198...

Page 70: ...s_reqinfo_proc_all 2003 sys_reqinfo_routername 2004 sys_reqinfo_snmp 2004 sys_reqinfo_syslog_freq 2005 sys_reqinfo_syslog_history 2006 C H A P T E R 8 2 EEM Utility Tcl Command Extensions 2009 appl_read 2010 appl_reqinfo 2011 appl_setinfo 2011 counter_modify 2012 description 2013 fts_get_stamp 2014 register_counter 2014 register_timer 2016 timer_arm 2017 timer_cancel 2019 unregister_counter 2020 P...

Page 71: ...es and Software Images 2035 C H A P T E R 8 4 Working with the Cisco IOS File System Configuration Files and Software Images 2037 Working with the Flash File System 2037 Information About the Flash File System 2037 Displaying Available File Systems 2038 Setting the Default File System 2040 Displaying Information About Files on a File System 2040 Changing Directories and Displaying the Working Dire...

Page 72: ... a Configuration File By Using RCP 2058 Clearing Configuration Information 2059 Clearing the Startup Configuration File 2059 Deleting a Stored Configuration File 2059 Replacing and Rolling Back Configurations 2059 Information on Configuration Replacement and Rollback 2059 Configuration Archive 2059 Configuration Replace 2060 Configuration Rollback 2060 Configuration Guidelines 2061 Configuring the...

Page 73: ...rerequisites for VTP 2083 Restrictions for VTP 2084 Information About VTP 2084 VTP 2084 VTP Domain 2085 VTP Modes 2086 VTP Advertisements 2087 VTP Version 2 2087 VTP Version 3 2088 VTP Pruning 2089 VTP and Switch Stacks 2089 VTP Configuration Guidelines 2090 VTP Configuration Requirements 2090 VTP Settings 2090 Domain Names for Configuring VTP 2090 Passwords for the VTP Domain 2091 VTP Version 209...

Page 74: ...equisites for VLANs 2109 Restrictions for VLANs 2110 Information About VLANs 2110 Logical Networks 2110 Supported VLANs 2111 VLAN Port Membership Modes 2111 VLAN Configuration Files 2112 Normal Range VLAN Configuration Guidelines 2113 Extended Range VLAN Configuration Guidelines 2114 Default VLAN Configurations 2115 Default Ethernet VLAN Configuration 2115 Default VLAN Configuration 2116 How to Co...

Page 75: ... 2132 Network Load Sharing Using STP Path Cost 2132 Feature Interactions 2132 Default Layer 2 Ethernet Interface VLAN Configuration 2133 How to Configure VLAN Trunks 2133 Configuring an Ethernet Interface as a Trunk Port 2134 Configuring a Trunk Port 2134 Defining the Allowed VLANs on a Trunk 2136 Changing the Pruning Eligible List 2138 Configuring the Native VLAN for Untagged Traffic 2139 Configu...

Page 76: ...val 2158 Changing the Retry Count 2160 Troubleshooting Dynamic Access Port VLAN Membership 2161 Monitoring the VMPS 2161 Configuration Example for VMPS 2162 Example VMPS Configuration 2162 Where to Go Next 2163 Additional References 2164 Feature History and Information for VMPS 2165 C H A P T E R 8 9 Configuring Voice VLANs 2167 Finding Feature Information 2167 Prerequisites for Voice VLANs 2167 R...

Page 77: ...le Configuring the Priority of Incoming Data Frames 2175 Where to Go Next 2175 Additional References 2176 Feature History and Information for Voice VLAN 2177 A P P E N D I X A Important Notice 2179 Disclaimer 2179 Statement 361 VoIP and Emergency Calling Services do not Function if Power Fails 2179 Statement 1071 Warning Definition 2181 Consolidated Platform Configuration Guide Cisco IOS Release 1...

Page 78: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches lxxviii Contents ...

Page 79: ... are not case sensitive or Ctrl Commands and keywords and user entered text appear in bold font bold font Document titles new or emphasized terms and arguments for which you supply values are in italic font Italic font Terminal sessions and information the system displays appear in courier font Courier font Bold Courier font indicates text that the user must enter Bold Courier font Elements in squ...

Page 80: ...brackets Default responses to system prompts are in square brackets An exclamation point or a pound sign at the beginning of a line of code indicates a comment line Reader Alert Conventions This document may use the following conventions for reader alerts Means reader take note Notes contain helpful suggestions or references to material not covered in the manual Note Means the following informatio...

Page 81: ...cuments located at http www cisco com go designzone Obtaining Documentation and Submitting a Service Request For information on obtaining documentation submitting a service request and gathering additional information see the monthly What s New in Cisco Product Documentation which also lists all new and revised Cisco technical documentation at http www cisco com c en us td docs general whatsnew wh...

Page 82: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches lxxxii Preface Obtaining Documentation and Submitting a Service Request ...

Page 83: ...mmands which show the current configuration status and clear commands which clear counters or interfaces The user EXEC commands are not saved when the switch reboots To have access to all commands you must enter privileged EXEC mode Normally you must enter a password to enter privileged EXEC mode From this mode you can enter any privileged EXEC command or enter global configuration mode Using the ...

Page 84: ...d EXEC mode enter the configure command Global configuration Use this mode to configure VLAN parameters When VTP mode is transparent you can create extended range VLANs VLAN IDs greater than 1005 and save configurations in the switch startup configuration file To exit to global configuration mode enter the exit command To return to privileged EXEC mode press Ctrl Z or enter end Switch config vlan ...

Page 85: ...ds Almost every configuration command also has a no form In general use the no form to disable a feature or function or reverse the action of a command For example the no shutdown interface configuration command reverses the shutdown of an interface Use the command without the keyword no to reenable a disabled feature or to enable a feature that is disabled by default Configuration commands can al...

Page 86: ...nd appear You entered the command incorrectly The caret marks the point of the error Invalid input detected at marker Configuration Logging You can log and view changes to the switch configuration You can use the Configuration Change Logging and Notification feature to track changes on a per session and per user basis The logger tracks each configuration command that is applied the user who entere...

Page 87: ...ompletes a partial command name abbreviated command entry Tab Example Switch sh conf tab Switch show configuration Step 3 Lists all commands available for a particular command mode Example Switch Step 4 Lists the associated keywords for a command command Example Switch show Step 5 Lists the associated arguments for a keyword command keyword Example Switch config cdp holdtime 10 255 Length of time ...

Page 88: ...y size number of lines DETAILED STEPS Purpose Command or Action Changes the number of command lines that the switch records during the current terminal session in privileged EXEC mode You can configure the size from 0 to 256 terminal history size number of lines Example Switch terminal history size 200 Step 1 Recalling Commands To recall commands from the history buffer perform one of the actions ...

Page 89: ...istory global configuration command and the history line configuration command Disabling the Command History Feature The command history feature is automatically enabled You can disable it for the current terminal session or for the command line This procedure is optional SUMMARY STEPS 1 terminal no history DETAILED STEPS Purpose Command or Action Disables the feature during the current terminal s...

Page 90: ... Commands Description Editing Commands Moves the cursor back one character Ctrl B or use the left arrow key Moves the cursor forward one character Ctrl F or use the right arrow key Moves the cursor to the beginning of the command line Ctrl A Moves the cursor to the end of the command line Ctrl E Moves the cursor back one word Esc B Moves the cursor forward one word Esc F Transposes the character t...

Page 91: ...y Scrolls down one screen Space bar Redisplays the current command line if the switch suddenly sends a message to your screen Ctrl L or Ctrl R Editing Command Lines That Wrap You can use a wraparound feature for commands that extend beyond a single line on the screen When the cursor reaches the right margin the command line shifts ten spaces to the left You cannot see the first ten characters of t...

Page 92: ...ss list 101 permit tcp 10 15 22 25 255 255 255 0 10 15 2 The dollar sign appears at the end of the line to show that the line has been scrolled to the right Execute the commands Return key Step 3 The software assumes that you have a terminal screen that is 80 columns wide If you have a different width use the terminal width privileged EXEC command to set the width of your terminal Use line wrappin...

Page 93: ...de the stack member number in the CLI command interface notation To debug the standby switch use the session standby ios privileged EXEC command from the active switch to access the IOS console of the standby switch To debug a specific stack member use the session switch stack member number privileged EXEC command from the active switch to access the diagnostic shell of the stack member For more i...

Page 94: ...l SSH package from a remote management station The switch must have network connectivity with the Telnet or SSH client and the switch must have an enable secret password configured The switch supports up to 16 simultaneous Telnet sessions Changes made by one Telnet user are reflected in all other Telnet sessions The switch supports up to five simultaneous secure SSH sessions After you connect thro...

Page 95: ...iguring Auto MDIX page 45 Configuring Ethernet Management Port page 51 Configuring LLDP LLDP MED and Wired Location Service page 57 Configuring System MTU page 77 Configuring Boot Fast page 81 Configuring PoE page 85 Configuring 2 event Classification page 103 Configuring EEE page 107 ...

Page 96: ......

Page 97: ...d software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cis...

Page 98: ... configuration commands Identify the interface For a trunk port set trunk characteristics and if desired define the VLANs to which it can belong For an access port set and define the VLAN to which it belongs Switch Ports Switch ports are Layer 2 only interfaces associated with a physical port Switch ports belong to one or more VLANs A switch port can be an access port or a trunk port You can confi...

Page 99: ...new enabled VLAN that is not in the allowed list for a trunk port the port does not become a member of the VLAN and no traffic for the VLAN is forwarded to or from the port Switch Virtual Interfaces A switch virtual interface SVI represents a VLAN of switch ports as one interface to the routing or bridging function in the system You can associate only one SVI with a VLAN You configure an SVI for a...

Page 100: ... the traffic load across the links in the channel If a link within the EtherChannel fails traffic previously carried over the failed link changes to the remaining links You can group multiple trunk ports into one logical trunk port or multiple access ports into one logical access port Most protocols operate over either single ports or aggregated switch ports and do not recognize the physical ports...

Page 101: ...bootloader did not change to the USB console the first log from Switch 1 shows the RJ 45 console A short time later the console changes and the USB console log appears Switch 2 and Switch 3 have connected RJ 45 console cables switch stack 1 Mar 1 00 01 00 171 USB_CONSOLE 6 MEDIA_RJ45 Console media type is RJ45 Mar 1 00 01 00 431 USB_CONSOLE 6 MEDIA_USB Console media type is USB switch stack 2 Mar ...

Page 102: ...he switch and then to Host B Figure 1 Connecting VLANs with the Switch With a standard Layer 2 switch ports in different VLANs have to exchange information through a router Interface Configuration Mode The switch supports these interface types Physical ports switch ports and routed ports VLANs switch virtual interfaces Port channels EtherChannel interfaces You can also configure a range of interfa...

Page 103: ...ou can also use the show privileged EXEC commands to display information about a specific interface or all the interfaces on the switch The remainder of this chapter primarily provides physical interface configuration procedures These are examples of how to identify interfaces on a stacking capable switch To configure 10 100 1000 port 4 on a standalone switch enter this command Switch config inter...

Page 104: ...owered device is connected to the switch through a crossover cable This is regardless of whether auto MIDX is enabled on the switch port Note Auto MDIX Enabled auto Power over Ethernet PoE Disabled on SFP module ports enabled on all other ports Keepalive messages Interface Speed and Duplex Mode Ethernet interfaces on the switch operate at 10 100 or 1000 Mb s and in either full or half duplex mode ...

Page 105: ...k to auto or to fixed on both the ends If one side of the link is configured to auto and the other side is configured to fixed the link will not be up and this is expected s As best practice we suggest configuring the speed and duplex options on a link to auto or to fixed on both the ends If one side of the link is configured to auto and the other side is configured to fixed the link will not be u...

Page 106: ...face configuration processes DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Step 1 Example Switch enable Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Identifies the interface type the switch number only on stacking capable switches and the number of the connector interface Example Swit...

Page 107: ...inal 3 interface interface id 4 description string 5 end 6 show interfaces interface id description 7 copy running config startup config DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Example Switch enable Step 1 Enters global configuration mode configure terminal Example Switch configure terminal Step 2 Specifies the interface for whic...

Page 108: ...e multiple interfaces with the same configuration parameters use the interface range global configuration command When you enter the interface range configuration mode all command parameters that you enter are attributed to all interfaces within that range until you exit this mode SUMMARY STEPS 1 enable 2 configure terminal 3 interface range port range macro macro_name 4 end 5 show interfaces inte...

Page 109: ...ype for each entry and enter spaces before and after the comma In a hyphen separated port range you do not need to re enter the interface type but you must enter a space before the hyphen Use the normal configuration commands to apply the configuration parameters to all interfaces in the range Each command is executed as it is entered Note Returns to privileged EXEC mode end Example Switch config ...

Page 110: ...face range macro and save it in NVRAM define interface range macro_name interface range Step 3 The macro_name is a 32 character maximum character string Example Switch config define interface range A macro can contain up to five comma separated interface ranges enet_list gigabitethernet1 0 1 2 Each interface range must consist of the same port type Before you can use the macro keyword in the inter...

Page 111: ...tch copy running config startup config Step 7 Configuring Ethernet Interfaces Setting the Interface Speed and Duplex Parameters SUMMARY STEPS 1 enable 2 configure terminal 3 interface interface id 4 speed 10 100 1000 2500 5000 10000 auto 10 100 1000 2500 5000 10000 nonegotiate 5 duplex auto full half 6 end 7 show interfaces interface id 8 copy running config startup config 9 copy running config st...

Page 112: ...nected device If you specify a speed and also set the auto keyword the port autonegotiates only at the specified speeds The nonegotiate keyword is available only for SFP module ports SFP module ports operate only at 1000 Mb s but can be configured to not negotiate if connected to a device that does not support autonegotiation This command is not available on a 10 Gigabit Ethernet interface duplex ...

Page 113: ... copy running config startup config Example Switch copy running config Step 9 startup config Configuring IEEE 802 3x Flow Control SUMMARY STEPS 1 configure terminal 2 interface interface id 3 flowcontrol receive on off desired 4 end 5 show interfaces interface id 6 copy running config startup config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Exampl...

Page 114: ...erface flow control settings show interfaces interface id Example Switch show interfaces gigabitethernet1 0 1 Step 5 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 6 Configuring SVI Autostate Exclude SUMMARY STEPS 1 enable 2 configure terminal 3 interface interface id 4 switchport autostate exclude 5 e...

Page 115: ...r trunk port when defining the status of an SVI line state up or down switchport autostate exclude Example Switch config if switchport autostate Step 4 exclude Returns to privileged EXEC mode end Example Switch config if end Step 5 Optional Shows the running configuration show running config interface interface id Step 6 Verifies the configuration Optional Saves your entries in the configuration f...

Page 116: ...shutdown 5 no shutdown 6 end 7 show running config DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Example Switch enable Step 1 Enters global configuration mode configure terminal Example Switch configure terminal Step 2 Selects the interface to be configured interface vlan vlan id gigabitethernetinterface id port channel port channel nu...

Page 117: ...figure the console as RJ 45 USB console operation is disabled and input comes only through the RJ 45 connector This configuration applies to all switches in a stack SUMMARY STEPS 1 enable 2 configure terminal 3 line console 0 4 media type rj45 5 end 6 copy running config startup config DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Exam...

Page 118: ...e configuration file copy running config startup config Example Switch copy running config startup config Step 6 Configuring the USB Inactivity Timeout The configurable inactivity timeout reactivates the RJ 45 console port if the USB console port is activated but no input activity occurs on it for a specified time period When the USB console port is deactivated due to a timeout you can restore its...

Page 119: ... enters line configuration mode line console 0 Example Switch config line console 0 Step 3 Specify an inactivity timeout for the console port The range is 1 to 240 minutes The default is to have no timeout configured usb inactivity timeout timeout minutes Example Switch config line usb inactivity timeout 30 Step 4 Optional Saves your entries in the configuration file copy running config startup co...

Page 120: ...nterface interface id Displays the input and output packets by the switching path for the interface show interface interface id stats Optional Displays speed and duplex on the interface show interfaces interface id Optional Displays Digital Optical Monitoring DOM status on the connect SFP modules show interfaces transceiver dom supported list Optional Displays temperature voltage or amount of curr...

Page 121: ... config if description Connects to Marketing Switch config if end Switch show interfaces gigabitethernet1 0 2 description Interface Status Protocol Description Gi1 0 2 admin down down Connects to Marketing Configuring a Range of Interfaces Examples This example shows how to use the interface range global configuration command to set the speed to 100 Mb s on ports 1 to 4 on switch 1 Switch configur...

Page 122: ... Switch config define interface range macro1 gigabitethernet1 0 1 2 gigabitethernet1 0 5 7 tengigabitethernet1 0 1 2 Switch config end This example shows how to enter interface range configuration mode for the interface range macro enet_list Switch configure terminal Switch config interface range macro enet_list Switch config if range This example shows how to delete the interface range macro enet...

Page 123: ...at is connected Switch configure terminal Switch config line console 0 Switch config line no media type rj45 Configuring the USB Inactivity Timeout Example This example configures the inactivity timeout to 30 minutes Switch configure terminal Switch config line console 0 Switch config line usb inactivity timeout 30 To disable the configuration use these commands Switch configure terminal Switch co...

Page 124: ...al Assistance Link Description http www cisco com support The Cisco Support website provides extensive online resources including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Not...

Page 125: ...e Characteristics Modification Release This feature was introduced Cisco IOS 15 0 2 EX Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 43 Feature History and Information for Configuring Interface Characteristics ...

Page 126: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 44 Feature History and Information for Configuring Interface Characteristics ...

Page 127: ...h might not support a pre standard powered device such as Cisco IP phones and access points that do not fully support IEEE 802 3af if that powered device is connected to the switch through a crossover cable This is regardless of whether auto MIDX is enabled on the switch port Information about Configuring Auto MDIX Auto MDIX on an Interface When automatic medium dependent interface crossover auto ...

Page 128: ...rrect Cabling With Correct Cabling Remote Side Auto MDIX Local Side Auto MDIX Link up Link up On On Link up Link up Off On Link up Link up On Off Link down Link up Off Off How to Configure Auto MDIX Configuring Auto MDIX on an Interface SUMMARY STEPS 1 enable 2 configure terminal 3 interface interface id 4 speed auto 5 duplex auto 6 end 7 copy running config startup config DETAILED STEPS Purpose C...

Page 129: ...connected device duplex auto Example Switch config if duplex auto Step 5 Returns to privileged EXEC mode end Example Switch config if end Step 6 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 7 Example for Configuring Auto MDIX This example shows how to enable auto MDIX on a port Switch configure termi...

Page 130: ...site provides extensive online resources including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS ...

Page 131: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 49 Feature History and Information for Auto MDIX ...

Page 132: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 50 Feature History and Information for Auto MDIX ...

Page 133: ...eature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Prerequisites for Ethernet Management Ports When connecting a PC to the Ethernet management port you must firs...

Page 134: ...t port on the active switchstack masterthrough the hub to the PC If the activeswitch fails and a new active switch is elected the active link is now from the Ethernet management port on the new active switch to the PC This figure displays how a PC uses a hub to connect to a switch stack Figure 3 Connecting a Switch Stack to a PC Supported Features on the Ethernet Management Port The Ethernet manag...

Page 135: ...unsupported feature on the Ethernet Management port the feature might not work properly and the switch might fail Caution How to Configure the Ethernet Management Port Disabling and Enabling the Ethernet Management Port SUMMARY STEPS 1 configure terminal 2 interface fastethernet0 3 shutdown 4 no shutdown 5 exit 6 show interfaces fastethernet0 DETAILED STEPS Purpose Command or Action Enters global ...

Page 136: ... link status to the PC you can monitor the LED for the Ethernet management port The LED is green on when the link is active and the LED is off when the link is down The LED is amber when there is a POST failure What to Do Next Proceed to manage or configure your switch using the Ethernet management port Refer to the Catalyst 2960 X Switch Network Management Configuration Guide Additional Reference...

Page 137: ...ine resources including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools ...

Page 138: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 56 Feature Information for Ethernet Management Ports ...

Page 139: ...tes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com ...

Page 140: ...c LLDP TLVs are also advertised to support LLDP MED Port VLAN ID TLV IEEE 802 1 organizationally specific TLVs MAC PHY configuration status TLV IEEE 802 3 organizationally specific TLVs LLDP and Cisco Switch Stacks A switch stack appears as a single switch in the network Therefore LLDP discovers the switch stack not the individual stack members LLDP and Cisco Medianet When you configure LLDP or CD...

Page 141: ...and either grants or denies power based on the current power budget If the request is granted the switch updates the power budget If the request is denied the switch turns off power to the port generates a syslog message and updates the power budget If LLDP MED is disabled or if the endpoint does not support the LLDP MED power TLV the initial allocation value is used throughout the duration of the...

Page 142: ...ername If the client is LLDP MED or CDP capable the switch obtains the serial number and UDI through the LLDP MED location TLV or CDP Depending on the device capabilities the switch obtains this client information at link up Slot and port specified in port connection MAC address specified in the client MAC address IP address specified in port connection 802 1X username if applicable Device categor...

Page 143: ... is globally enabled LLDP MED TLV is also enabled LLDP med tlv select Restrictions for LLDP If the interface is configured as a tunnel port LLDP is automatically disabled If you first configure a network policy profile on an interface you cannot apply the switchport voice vlan command on the interface If the switchport voice vlan vlan id is already configured on an interface you can apply a networ...

Page 144: ...nable Example Switch enable Step 1 Enters global configuration mode configure terminal Example Switch configure terminal Step 2 Enables LLDP globally on the switch lldp run Example Switch config lldp run Step 3 Specifies the interface on which you are enabling LLDP and enter interface configuration mode interface interface id Example Switch config interface Step 4 gigabitethernet2 0 1 Consolidated...

Page 145: ...entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 9 Configuring LLDP Characteristics You can configure the frequency of LLDP updates the amount of time to hold the information before discarding it and the initialization delay time You can also select the LLDP and LLDP MED TLVs to send and receive Steps 2 through 5 are option...

Page 146: ...ld hold the information from your device before discarding it lldp holdtime seconds Example Switch config lldp holdtime 120 Step 3 The range is 0 to 65535 seconds the default is 120 seconds Optional Specifies the delay time in seconds for LLDP to initialize on an interface lldp reinit delay Example Switch config lldp reinit 2 Step 4 The range is 2 to 5 seconds the default is 2 seconds Optional Set...

Page 147: ...e configuration show lldp Example Switch show lldp Step 10 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 11 Configuring LLDP MED TLVs By default the switch only sends LLDP packets until it receives LLDP MED packets from the end device It then sends LLDP packets with MED TLVs as well When the LLDP MED ...

Page 148: ...g config startup config DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Example Switch enable Step 1 Enters global configuration mode configure terminal Example Switch configure terminal Step 2 Specifies the interface on which you are enabling LLDP and enter interface configuration mode interface interface id Example Switch config interf...

Page 149: ...able 2 configure terminal 3 network policy profile profile number 4 voice voice signaling vlan vlan id cos cvalue dscp dvalue dot1p cos cvalue dscp dvalue none untagged 5 exit 6 interface interface id 7 network policy profile number 8 lldp med tlv select network policy 9 end 10 show network policy profile 11 copy running config startup config DETAILED STEPS Purpose Command or Action Enables privil...

Page 150: ...ce traffic The range is 1 to 4094 100 cos 4 cos cvalue Optional Specifies the Layer 2 priority class of service CoS for the configured VLAN The range is 0 to 7 the default is 5 dscp dvalue Optional Specifies the differentiated services code point DSCP value for the configured VLAN The range is 0 to 63 the default is 46 dot1p Optional Configures the telephone to use IEEE 802 1p priority tagging and...

Page 151: ... Step 7 Specifies the network policy TLV lldp med tlv select network policy Example Switch config if lldp med tlv select Step 8 network policy Returns to privileged EXEC mode end Example Switch config end Step 9 Verifies the configuration show network policy profile Example Switch show network policy profile Step 10 Optional Saves your entries in the configuration file copy running config startup ...

Page 152: ...how location elin location identifier id 8 copy running config startup config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Switch configure terminal Step 1 Specifies the location information for an endpoint location admin tag string civic location identifier id host elin location string identifier id Step 2 admin tag Specifies an administrati...

Page 153: ... information for an interface location additional location information word civic location id id host elin location id id Step 5 additional location information Specifies additional information for a location or place custom location id id host geo location id id host Example Switch config if location elin location id 1 civic location id Specifies global civic location information for an interface...

Page 154: ...opy running config startup config Example Switch copy running config Step 8 startup config Enabling Wired Location Service on the Switch Before You Begin For wired location to function you must first enter the ip device tracking global configuration command SUMMARY STEPS 1 enable 2 configure terminal 3 nmsp notification interval attachment location interval seconds 4 end 5 show network policy prof...

Page 155: ...es the location notification interval interval seconds Duration in seconds before the switch sends the MSE the location or attachment updates The range is 1 to 30 the default is 30 location 10 Returns to privileged EXEC mode end Example Switch config end Step 4 Verifies the configuration show network policy profile Example Switch show network policy profile Step 5 Optional Saves your entries in th...

Page 156: ... and Maintaining LLDP LLDP MED and Wired Location Service Commands for monitoring and maintaining LLDP LLDP MED and wired location service Description Command Resets the traffic counters to zero clear lldp counters Deletes the LLDP neighbor information table clear lldp table Clears the NMSP statistic counters clear nmsp statistics Displays global information such as frequency of transmissions the ...

Page 157: ...r id Displays the location information for an emergency location show location elin location identifier id Displays the configured network policy profiles show network policy profile Displays the NMSP information show nmsp Additional References for LLDP LLDP MED and Wired Location Service Error Message Decoder Link Description https www cisco com cgi bin Support Errordecoder index cgi To help you ...

Page 158: ...ious services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password Feature Information for LLDP LLDP MED and Wired Location Service Modification Release This feature was introduced Cisco IOS 15 0 2 EX Consolidated Platform...

Page 159: ...ported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Information about the MTU The default maximum transmission unit MTU size for frames received and transmitted on all interfa...

Page 160: ...ing of the system mtu command applies to all Gigabit Ethernet interfaces How to Configure MTU Configuring the System MTU Beginning in privileged EXEC mode follow these steps to change the MTU size for all 10 100 or Gigabit Ethernet interfaces SUMMARY STEPS 1 configure terminal 2 system mtu bytes 3 system mtu jumbo bytes 4 end 5 copy running config startup config 6 reload 7 show system mtu DETAILED...

Page 161: ...how system mtu Step 7 Configuration Examples for System MTU This example shows how to set the maximum packet size for a Gigabit Ethernet port to 7500 bytes Switch config system mtu 1900 Switch config system mtu jumbo 7500 Switch config exit If you enter a value that is outside the allowed range for the specific type of interface the value is not accepted This example shows the response when you tr...

Page 162: ...rt website provides extensive online resources including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndicatio...

Page 163: ...ture information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Configuring Boot Fast on the switch This features when enabled helps the switch to Boot up fast The Memory test is performed for a limited ra...

Page 164: ... 3 Example Switch config boot fast Performs Memory test for a limited range Skips File system check FSCK and Skips Post test Returns to privileged EXEC mode end Example Switch config end Step 4 Disabling Boot Fast To disable the boot fast feature perform the following steps SUMMARY STEPS 1 enable 2 configure terminal 3 no boot fast 4 end Consolidated Platform Configuration Guide Cisco IOS Release ...

Page 165: ...uration mode configure terminal Example Switch configure terminal Step 2 Disables the boot fast feature no boot fast Example Switch config no boot fast Step 3 Returns to privileged EXEC mode end Example Switch config end Step 4 Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 83 Configuring Boot Fast on the switch ...

Page 166: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 84 Configuring Boot Fast on the switch ...

Page 167: ...Tool and the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go...

Page 168: ...e first boots up in low power mode consumes less than 7 W and negotiates to obtain enough power to operate in high power mode The device changes to high power mode only when it receives confirmation from the switch High power devices can operate in low power mode on switches that do not support power negotiation CDP Cisco intelligent power management is backward compatible with CDP with power cons...

Page 169: ...ific power consumption requirement of the connected Cisco powered devices which is the amount of power to allocate based on the CDP messages The switch adjusts the power budget accordingly This does not apply to third party PoE devices The switch processes a request and either grants or denies power If the request is granted the switch updates the power budget If the request is denied the switch e...

Page 170: ...at it is still powering the device whether the device is being powered by the switch or receiving power from an AC power source If a powered device is removed the switch automatically detects the disconnect and removes power from the port You can connect a nonpowered device without damaging it You can specify the maximum wattage that is allowed on the port If the IEEE class maximum wattage of the ...

Page 171: ...ge by comparing the real time power consumption to the maximum power allocated to the device The maximum power consumption is also referred to as the cutoff power on a PoE port If the device uses more than the maximum power allocation on the port the switch can either turn off power to the port or the switch can generate a syslog message and update the LEDs the port LED is now blinking amber while...

Page 172: ...the configured values that determine when the switch should turn on or turn off power on the PoE port The maximum power allocation is not the same as the actual power consumption of the powered device The actual cutoff power value that the switch uses for power policing is not equal to the configured power value When power policing is enabled the switch polices the power usage at the switch port w...

Page 173: ...co only powered device Note SUMMARY STEPS 1 enable 2 configure terminal 3 interface interface id 4 power inline auto max max wattage never static max max wattage 5 end 6 show power inline interface id module switch number 7 copy running config startup config DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Step 1 Example Switch enable Ent...

Page 174: ...tection The switch allocates power to a port configured in static mode before it allocates power to a port configured in auto mode Returns to privileged EXEC mode end Example Switch config if end Step 5 Displays PoE status for a switch or a switch stack for the specified interface or for a specified stack member show power inline interface id module switch number Step 6 Example Switch show power i...

Page 175: ... interface interface id 4 power inline port poe ha 5 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Example Switch enable Step 1 Enters global configuration mode configure terminal Example Switch configure terminal Step 2 Specifies the physical port to be configured and enters interface configuration mode interface interface id Exam...

Page 176: ...fication defaults to class 0 the switch can power fewer devices because it uses the IEEE class information to track the global power budget By using the power inline consumption wattage interface configuration command or the power inline consumption default wattage global configuration command you can override the default power requirement specified by the IEEE classification The difference betwee...

Page 177: ...al Disables CDP no cdp run Example Switch config no cdp run Step 3 Configures the power consumption of powered devices connected to each PoE port power inline consumption default wattage Example Switch config power inline consumption default 5000 Step 4 The range for each device is 4000 to 30000 mW PoE The default is 30000 mW Note Returns to privileged EXEC mode end Example Switch config end Step ...

Page 178: ...sumption wattage 6 end 7 show power inline consumption 8 copy running config startup config DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Example Switch enable Step 1 Enters global configuration mode configure terminal Example Switch configure terminal Step 2 Optional Disables CDP no cdp run Example Switch config no cdp run Step 3 Cons...

Page 179: ...Returns to privileged EXEC mode end Example Switch config if end Step 6 Displays the power consumption data show power inline consumption Example Switch show power inline consumption Step 7 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 8 Configuring Power Policing By default the switch monitors the re...

Page 180: ...able Enters global configuration mode configure terminal Example Switch configure terminal Step 2 Specifies the physical port to be configured and enter interface configuration mode interface interface id Example Switch config interface gigabitethernet2 0 1 Step 3 If the real time power consumption exceeds the maximum power allocation on the port configures the switch to take one of these actions ...

Page 181: ...xample Switch config if exit Step 5 Optional Enables error recovery from the PoE error disabled state and configures the PoE recover mechanism variables Use one of the following Step 6 errdisable detect cause inline power By default the recovery interval is 300 seconds errdisable recovery cause inline power For interval interval specifies the time in seconds to recover from the error disabled stat...

Page 182: ...in the stack These keywords are available only on stacking capable switches show env power switch switch number Displays PoE status for a switch or switch stack for an interface or for a specific switch in the stack show power inline interface id module switch number Displays the power policing data show power inline police Configuration Examples for Configuring PoE Budgeting Power Example When yo...

Page 183: ... and feature sets use Cisco MIB Locator found at the following URL http www cisco com go mibs All supported MIBs for this release Technical Assistance Link Description http www cisco com support The Cisco Support website provides extensive online resources including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies To receive security a...

Page 184: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 102 Additional References ...

Page 185: ...go to http www cisco com go cfn An account on Cisco com is not required Information about 2 event Classification When a class 4 device gets detected IOS allocates 30W without any CDP or LLDP negotiation This means that even before the link comes up the class 4 power device gets 30W Also on the hardware level the PSE does a 2 event classification which allows a class 4 PD to detect PSE capability o...

Page 186: ...cal port to be configured and enters interface configuration mode interface interface id Example Switch config interface gigabitethernet2 0 1 Step 3 Configures 2 event classification on the switch power inline port 2 event Example Switch config if power inline port 2 event Step 4 Returns to privileged EXEC mode end Example Switch config if end Step 5 Related Topics Example Configuring 2 Event Clas...

Page 187: ...configure terminal Switch config interface gigabitethernet2 0 1 Switch config if power inline port 2 event Switch config if end Related Topics Configuring 2 event Classification on page 103 Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 105 Example Configuring 2 Event Classification ...

Page 188: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 106 Example Configuring 2 Event Classification ...

Page 189: ...module and to see a list of the releases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Information About EEE EEE Overview Energy Efficient Et...

Page 190: ...y are able to accept data on their receive paths Doing so enables the device to negotiate for extended system wakeup times from the transmitting link partner How to Configure EEE You can enable or disable EEE on an interface that is connected to an EEE capable link partner Enabling or Disabling EEE SUMMARY STEPS 1 configure terminal 2 interface interface id 3 power efficient ethernet auto 4 no pow...

Page 191: ...auto Example Switch config if no power efficient ethernet Step 4 auto Returns to privileged EXEC mode end Example Switch config if end Step 5 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 6 Monitoring EEE Table 12 Commands for Displaying EEE Settings Purpose Command Displays EEE capabilities for the s...

Page 192: ...uto Additional References Error Message Decoder Link Description https www cisco com cgi bin Support Errordecoder index cgi To help you research and resolve system error messages in this release use the Error Message Decoder tool MIBs MIBs Link MIB To locate and download MIBs for selected platforms Cisco IOS releases and feature sets use Cisco MIB Locator found at the following URL http www cisco ...

Page 193: ...scribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password Feature History and Information for Configuring EEE Modification Release This feature was introduced Cisco IOS 15 0 2 EX Consolidated Platform...

Page 194: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 112 Feature History and Information for Configuring EEE ...

Page 195: ...P A R T II IP Multicast Routing Configuring IGMP Snooping and Multicast VLAN Registration page 115 ...

Page 196: ......

Page 197: ...n this module For the latest caveats and feature information see Bug Search Tool and the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the feature information table Use Cisco Feature Navigator to find information about platform support and Cisco software ...

Page 198: ...n the VLAN PIM is enabled on the SVI of the corresponding VLAN Related Topics Configuring the IGMP Snooping Querier on page 142 IGMP Snooping on page 118 Prerequisites for MVR The following are the prerequisites for Multicast VLAN Registration MVR To use MVR the switch must be running the LAN Base image Restrictions for Configuring IGMP Snooping and MVR Restrictions for IGMP Snooping The following...

Page 199: ...N per switch or switch stack is supported Receiver ports can only be access ports they cannot be trunk ports Receiver ports on a switch can be in different VLANs but should not belong to the multicast VLAN The maximum number of multicast entries MVR group addresses that can be configured on a switch that is the maximum number of television channels that can be received is 256 MVR multicast data re...

Page 200: ... VLAN in the IGMP snooping IP multicast forwarding table for each group from which it receives an IGMP join request The switch supports IP multicast group based bridging instead of MAC addressed based groups With multicast MAC address based groups if an IP address being configured translates aliases to a previously configured MAC address or to any reserved multicast MAC addresses in the range 224 ...

Page 201: ...it is an IGMP version 2 client it sends an unsolicited IGMP join message specifying the IP multicast group to join Alternatively when the switch receives a general query from the router it forwards the query to all ports in the VLAN IGMP version 1 or version 2 hosts wanting to join the multicast group respond by sending a join message to the switch The switch CPU creates a multicast forwarding tab...

Page 202: ...the host that has joined the group If another host for example Host 4 sends an unsolicited IGMP join message for the same group the CPU receives that message and adds the port number of Host 4 to the forwarding table Because the forwarding table directs IGMP messages only to the CPU the message is not flooded to other ports on the switch Any known multicast traffic is forwarded to the group and no...

Page 203: ...P snooping Immediate Leave to remove from the forwarding table an interface that sends a leave message without the switch sending group specific queries to the interface The VLAN interface is pruned from the multicast tree for the multicast group specified in the original leave message Immediate Leave ensures optimal bandwidth management for all hosts on a switched network even when multiple multi...

Page 204: ...Related Topics Disabling IGMP Report Suppression on page 145 IGMP Snooping and Switch Stacks IGMP snooping functions across the switch stack that is IGMP control information from one switch is distributed to all switches in the stack Regardless of the stack member through which IGMP multicast data enters the stack the data reaches the hosts that have registered for that group If a switch in the st...

Page 205: ...at subscriber ports subscribe and unsubscribe join and leave these multicast streams by sending out IGMP join and leave messages These messages can originate from an IGMP version 2 compatible host with an Ethernet connection Although MVR operates on the underlying method of IGMP snooping the two features operate independently of each other One can be enabled or disabled without affecting the behav...

Page 206: ...runs in compatible mode MVR and Switch Stacks Only one MVR multicast VLAN per switch or switch stack is supported Receiver ports and source ports can be on different switches in a switch stack Multicast data sent on the multicast VLAN is forwarded to all MVR receiver ports across the stack When a new switch is added to a stack by default it has no receiver ports If a switch fails or is removed fro...

Page 207: ...re called MVR source ports When a subscriber changes channels or turns off the television the set top box sends an IGMP leave message for the multicast stream The switch CPU sends a MAC based general query through the receiver port VLAN If there is another set top box in the VLAN still subscribing to this group that set top box must respond within the maximum response time specified in the query I...

Page 208: ...urce uplink port based on the MVR mode Default MVR Configuration Table 16 Default MVR Configuration Default Setting Feature Disabled globally and per interface MVR None configured Multicast addresses 0 5 second Query response time VLAN 1 Multicast VLAN Compatible Mode Neither a receiver nor a source port Interface per port default Disabled on all ports Immediate Leave IGMP Filtering and Throttling...

Page 209: ...receives an IGMP join report you can configure an interface to drop the IGMP report or to replace the randomly selected multicast entry with the received IGMP report IGMPv3 join and leave messages are not supported on switches running IGMP filtering Note Related Topics Configuring IGMP Profiles on page 151 Applying IGMP Profiles on page 154 Setting the Maximum Number of IGMP Groups on page 155 Con...

Page 210: ...nable 2 configure terminal 3 ip igmp snooping 4 end 5 copy running config startup config DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Example Switch enable Step 1 Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Globally enables IGMP snooping in all existing VLAN interfaces ip igmp snoop...

Page 211: ...ning config startup config DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Step 1 Example Switch enable Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Enables IGMP snooping on the VLAN interface The VLAN ID range is 1 to 1001 and 1006 to 4094 ip igmp snooping vlan vlan id Example Switch c...

Page 212: ...y connecting to a multicast router port using the ip igmp snooping mrouter global configuration command You can configure the switch either to snoop on IGMP queries and PIM DVMRP packets or to listen to CGMP self join or proxy join packets By default the switch snoops on PIM DVMRP packets on all VLANs To learn of multicast router ports through only CGMP packets use the ip igmp snooping vlan vlan i...

Page 213: ...outer learn cgmp pim dvmrp Step 3 cgmp Listens for CGMP packets This method is useful for reducing control traffic Example Switch config ip igmp snooping vlan 1 mrouter learn cgmp pim dvmrp Snoops on IGMP queries and PIM DVMRP packets This is the default To return to the default learning method use the no ip igmp snooping vlan vlan id mrouter learn cgmp global configuration command Note Returns to...

Page 214: ...ooping vlan vlan id mrouter interface interface id 4 end 5 show ip igmp snooping mrouter vlan vlan id 6 copy running config startup config DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Example Switch enable Step 1 Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Specifies the multicast ro...

Page 215: ... interface show ip igmp snooping mrouter vlan vlan id Example Switch show ip igmp snooping mrouter vlan Step 5 5 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 6 Related Topics Example Enabling a Static Connection to a Multicast Router on page 161 Configuring a Host Statically to Join a Group Hosts or ...

Page 216: ...id static ip_address interface interface id Step 3 Example Switch config ip igmp snooping vlan 105 vlan id is the multicast group VLAN ID The range is 1 to 1001 and 1006 to 4094 ip address is the group IP address static 230 0 0 1 interface gigabitethernet1 0 1 interface id is the member port It can be a physical interface or a port channel 1 to 128 To remove the Layer 2 port from the multicast gro...

Page 217: ...e When you enable IGMP Immediate Leave the switch immediately removes a port when it detects an IGMP Version 2 leave message on that port You should use the Immediate Leave feature only when there is a single receiver present on every port in the VLAN Immediate Leave is supported only on IGMP Version 2 hosts IGMP Version 2 is the default version for the switch Note SUMMARY STEPS 1 enable 2 configu...

Page 218: ...AN use the no ip igmp snooping vlan vlan id immediate leave global configuration command Note immediate leave Returns to privileged EXEC mode end Example Switch config end Step 4 Verifies that Immediate Leave is enabled on the VLAN interface show ip igmp snooping vlan vlan id Example Switch show ip igmp snooping vlan 21 Step 5 Returns to privileged EXEC mode end Example Switch config end Step 6 Re...

Page 219: ...ery interval time Step 3 Example Switch config ip igmp snooping The default leave time is 1000 milliseconds To globally reset the IGMP leave timer to the default setting use the no ip igmp snooping last member query interval global configuration command Note last member query interval 1000 Optional Configures the IGMP leave time on the VLAN interface The range is 100 to 32767 milliseconds ip igmp ...

Page 220: ...cation TCN event If you set the TCN flood query count to 1 the flooding stops after receiving 1 general query If you set the count to 7 the flooding continues until 7 general queries are received Groups are relearned based on the general queries received during the TCN event Some examples of TCN events are when the client location is changed and the receiver is on same port that was blocked but is...

Page 221: ...figuration command Note Returns to privileged EXEC mode end Example Switch config end Step 4 Verifies the TCN settings show ip igmp snooping Example Switch show ip igmp snooping Step 5 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 6 Recovering from Flood Mode When a topology change occurs the spanning...

Page 222: ...obal configuration mode configure terminal Example Switch configure terminal Step 2 Sends an IGMP leave message global leave to speed the process of recovering from the flood mode caused during a TCN event By default query solicitation is disabled ip igmp snooping tcn query solicit Example Switch config ip igmp snooping tcn query Step 3 To return to the default query solicitation use the no ip igm...

Page 223: ...ps to control TCN flooding SUMMARY STEPS 1 enable 2 configure terminal 3 interface interface id 4 no ip igmp snooping tcn flood 5 end 6 show ip igmp snooping 7 copy running config startup config DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Example Switch enable Step 1 Enters the global configuration mode configure terminal Example Swi...

Page 224: ... Note flood Returns to privileged EXEC mode end Example Switch config end Step 5 Verifies the TCN settings show ip igmp snooping Example Switch show ip igmp snooping Step 6 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 7 Configuring the IGMP Snooping Querier Follow these steps to enable the IGMP snoop...

Page 225: ...ers the global configuration mode configure terminal Example Switch configure terminal Step 2 Enables the IGMP snooping querier ip igmp snooping querier Example Switch config ip igmp snooping querier Step 3 Optional Specifies an IP address for the IGMP snooping querier If you do not specify an IP address the querier tries to use the global IP address configured for the IGMP querier ip igmp snoopin...

Page 226: ...iry timeout Example Switch config ip igmp snooping querier timer Step 7 expiry 180 Optional Selects the IGMP version number that the querier feature uses Select 1 or 2 ip igmp snooping querier version version Example Switch config ip igmp snooping querier Step 8 version 2 Returns to privileged EXEC mode end Example Switch config end Step 9 Optional Verifies that the IGMP snooping querier is enable...

Page 227: ...on Enables privileged EXEC mode Enter your password if prompted enable Step 1 Example Switch enable Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Disables IGMP report suppression When report suppression is disabled all IGMP reports are forwarded to the multicast routers no ip igmp snooping report suppression Example Switch config no ip igmp snoopi...

Page 228: ...fig Step 6 Related Topics IGMP Report Suppression on page 122 Configuring MVR Global Parameters You do not need to set the optional MVR parameters if you choose to use the default settings If you want to change the default parameters except for the MVR VLAN you must first enable MVR For complete syntax and usage information for the commands used in this section see the command reference for this r...

Page 229: ...gures an IP multicast address on the switch or use the count parameter to configure a contiguous series of MVR group addresses the range for mvr group ip address count Example Switch config mvr group Step 4 count is 1 to 256 the default is 1 Any multicast data sent to this address is sent to all source ports on the switch and all receiver ports that have elected to receive data on that multicast a...

Page 230: ... Example Switch config mvr mode dynamic Allows dynamic MVR membership on source ports compatible Is compatible with Catalyst 3500 XL and Catalyst 2900 XL switches and does not support IGMP dynamic joins on source ports dynamic The default is compatible mode To return the switch to its default settings use the no mvr mode group ip address querytime vlan global configuration commands Note Returns to...

Page 231: ...d 9 Use one of the following show mvr show mvr interface show mvr members 10 copy running config startup config DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Step 1 Example Switch enable Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Consolidated Platform Configuration Guide Cisco IOS R...

Page 232: ... non MVR port with MVR characteristics the operation fails To return the interface to its default settings use the no mvr type immediate vlan vlan id group interface configuration commands Note Optional Statically configures a port to receive multicast traffic sent to the multicast VLAN and the IP multicast address A port statically mvr vlan vlan id group ip address Example Switch config if mvr vl...

Page 233: ...ype Status Immediate Leave Gi1 0 2 RECEIVER ACTIVE DOWN ENABLED Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config Step 10 startup config Configuring IGMP Profiles Follow these steps to create an IGMP profile This task is optional Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 15...

Page 234: ... profile number Example Switch config ip igmp profile 3 Step 3 When you are in IGMP profile configuration mode you can create the profile by using these commands deny Specifies that matching addresses are denied this is the default exit Exits from igmp profile configuration mode no Negates a command or returns to its defaults permit Specifies that matching addresses are permitted range Specifies a...

Page 235: ... 229 9 9 0 To delete an IP multicast address or range of IP multicast addresses use the no range ip multicast address IGMP profile configuration command Note Returns to privileged EXEC mode end Example Switch config end Step 6 Verifies the profile configuration show ip igmp profile profile number Example Switch show ip igmp profile 3 Step 7 Verifies your entries show running config Example Switch ...

Page 236: ...ose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Example Switch enable Step 1 Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Specifies the physical interface and enters interface configuration mode The interface must be a Layer 2 port that does not belong to an EtherChannel port group interface interface id ...

Page 237: ...se steps to set the maximum number of IGMP groups that a Layer 2 interface can join Before You Begin This restriction can be applied to Layer 2 ports only you cannot set a maximum number of IGMP groups on routed ports or SVIs You also can use this command on a logical EtherChannel interface but cannot use it on ports that belong to an EtherChannel port group SUMMARY STEPS 1 enable 2 configure term...

Page 238: ...e range is 0 to 4294967294 The default is to have no maximum set ip igmp max groups number Example Switch config if ip igmp max groups 20 Step 4 To remove the maximum group limitation and return to the default of no maximum use the no ip igmp max groups interface configuration command Note Returns to privileged EXEC mode end Example Switch config end Step 5 Verifies your entries show running confi...

Page 239: ...urpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Step 1 Example Switch enable Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Specifies the physical interface to be configured and enters interface configuration mode The interface can be a Layer 2 port that does not belong interface interface id Example Swi...

Page 240: ... the received IGMP report To prevent the switch from removing the forwarding table entries you can configure the IGMP throttling action before an interface adds entries to the forwarding table To return to the default action of dropping the report use the no ip igmp max groups action interface configuration command Note Returns to privileged EXEC mode end Example Switch config end Step 5 Verifies ...

Page 241: ...r of entries for the specified command options instead of the actual entries dynamic Displays entries learned through IGMP snooping user Displays only the user configured multicast entries show ip igmp snooping groups count dynamic count user count Displays multicast table information for a multicast VLAN or about a specific parameter for the VLAN vlan id The VLAN ID range is 1 to 1001 and 1006 to...

Page 242: ...aying MVR Information Purpose Command Displays MVR status and values for the switch whether MVR is enabled or disabled the multicast VLAN the maximum 256 and current 0 through 256 number of multicast groups the query response time and the MVR mode show mvr Displays all MVR interfaces and their MVR configurations When a specific interface is entered displays this information Type Receiver or Source...

Page 243: ...ace or the configuration of all interfaces on the switch including if configured the maximum number of IGMP groups to which an interface can belong and the IGMP profile applied to the interface show running config interface interface id Configuration Examples for IGMP Snooping and MVR Example Configuring IGMP Snooping Using CGMP Packets This example shows how to configure IGMP snooping to use CGMP...

Page 244: ... page 121 Example Setting the IGMP Snooping Querier Source Address This example shows how to set the IGMP snooping querier source address to 10 0 0 64 Switch configure terminal Switch config ip igmp snooping querier 10 0 0 64 Switch config end Related Topics Configuring the IGMP Snooping Querier on page 142 IGMP Snooping on page 118 Example Setting the IGMP Snooping Querier Maximum Response Time T...

Page 245: ...P multicast address and how to verify the configuration If the action was to deny the default it would not appear in the show ip igmp profile output display Switch config ip igmp profile 4 Switch config igmp profile permit Switch config igmp profile range 229 9 9 0 Switch config igmp profile end Switch show ip igmp profile 4 IGMP Profile 4 permit range 229 9 9 0 229 9 9 0 Example Applying IGMP Pro...

Page 246: ...config mvr Switch config interface gigabitethernet1 0 2 Switch config if mvr type receiver Switch config if mvr vlan 22 group 228 1 23 4 Switch config if mvr immediate Switch config end Switch show mvr interface Port Type Status Immediate Leave Gi1 0 2 RECEIVER ACTIVE DOWN ENABLED Additional References Related Documents Document Title Related Topic IGMP Snooping and MVR Configuration Guide Cisco I...

Page 247: ...h Cisco products and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password Feature History and Information...

Page 248: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 166 Feature History and Information for IGMP Snooping ...

Page 249: ...P A R T III IPv6 Configuring MLD Snooping page 169 Configuring IPv6 Unicast Routing page 185 Configuring IPv6 ACL page 199 ...

Page 250: ......

Page 251: ... list of the releases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Information About Configuring IPv6 MLD Snooping You can use Multicast Lis...

Page 252: ... are a subset of ICMPv6 messages identified in IPv6 packets by a preceding Next Header value of 58 The switch supports two versions of MLD snooping MLDv1 snooping detects MLDv1 control packets and sets up traffic bridging based on IPv6 destination multicast addresses MLDv2 basic snooping MBSS uses MLDv2 control packets to set up traffic forwarding based on IPv6 destination multicast addresses The ...

Page 253: ... When a group exists in the MLD snooping database the switch responds to a group specific query by sending an MLDv1 report When the group is unknown the group specific query is flooded to the ingress VLAN When a host wants to leave a multicast group it can send out an MLD Done message equivalent to IGMP Leave message When the switch receives an MLDv1 Done message if Immediate Leave is not enabled ...

Page 254: ...ediate Leave on VLANs and as with IGMP snooping you should only use the feature on VLANs where a single host is connected to the port If the port was the last member of a group the group is also deleted and the leave information is forwarded to the detected IPv6 multicast routers When Immediate Leave is not enabled in a VLAN which would be the case when there are multiple clients for a group on th...

Page 255: ...d IPv6 multicast information from the stack master Until the synchronization is complete data ingress on the newly added switch is treated as unknown multicast data How to Configure IPv6 MLD Snooping Default MLD Snooping Configuration Table 21 Default MLD Snooping Configuration Default Setting Feature Disabled MLD snooping Global Enabled MLD snooping must be globally enabled for VLAN MLD snooping ...

Page 256: ...he maximum number of address entries allowed for the switch or switch stack is 1000 Enabling or Disabling MLD Snooping on the Switch CLI By default IPv6 MLD snooping is globally disabled on the switch and enabled on all VLANs When MLD snooping is globally disabled it is also disabled on all VLANs When you globally enable MLD snooping the VLAN configuration overrides the global configuration That i...

Page 257: ...perating system reload Example Switch config reload Step 5 Enabling or Disabling MLD Snooping on a VLAN CLI Beginning in privileged EXEC mode follow these steps to enable MLD snooping on a VLAN DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Switch configure terminal Step 1 Enables MLD snooping on the switch ipv6 mld snooping Example Switch conf...

Page 258: ...er of a multicast group DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Switch configure terminal Step 1 Configures a multicast group with a Layer 2 port as a member of a multicast group ipv6 mld snooping vlan vlan id static ipv6_multicast_address interface interface id Step 2 Example Switch config ipv6 mld snooping vlan 1 static vlan id is the ...

Page 259: ...these steps to add a multicast router port to a VLAN DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Switch configure terminal Step 1 Specifies the multicast router VLAN ID and specify the interface to the multicast router ipv6 mld snooping vlan vlan id mrouter interface interface id Step 2 Example Switch config ipv6 mld snooping vlan 1 mrouter ...

Page 260: ...ction Enters global configuration mode configure terminal Example Switch configure terminal Step 1 Enables MLD Immediate Leave on the VLAN interface ipv6 mld snooping vlan vlan id immediate leave Example Switch config ipv6 mld snooping vlan 1 immediate leave Step 2 Returns to privileged EXEC mode end Example Switch config end Step 3 Verifies that Immediate Leave is enabled on the VLAN interface sh...

Page 261: ...fore aging out an MLD client The range is 1 to 7 the default is 2 The queries are sent 1 second apart ipv6 mld snooping last listener query count count Example Switch config ipv6 mld snooping last listener query count 7 Step 4 Optional Sets the last listener query count on a VLAN basis This value overrides the value configured globally The range is 1 to 7 ipv6 mld snooping vlan vlan id last listen...

Page 262: ...ch config ipv6 mld snooping tcn flood query count 5 Step 9 Returns to privileged EXEC mode end Step 10 Optional Verifies that the MLD snooping querier information for the switch or for the VLAN show ipv6 mld snooping querier vlan vlan id Example Switch config show ipv6 mld snooping querier vlan 1 Step 11 Disabling MLD Listener Message Suppression CLI MLD snooping listener message suppression is en...

Page 263: ...for Displaying MLD Snooping Information Purpose Command Displays the MLD snooping configuration information for all VLANs on the switch or for a specified VLAN Optional Enter vlan vlan id to display information for a single VLAN The VLAN ID range is 1 to 1001 and 1006 to 4094 show ipv6 mld snooping vlan vlan id Displays information on dynamically learned and manually configured multicast router in...

Page 264: ...how ipv6 mld snooping address vlan vlan id count dynamic user Displays MLD snooping for the specified VLAN and IPv6 multicast address show ipv6 mld snooping address vlan vlan id ipv6 multicast address Configuration Examples for Configuring MLD Snooping Configuring a Static Multicast Group Example This example shows how to statically configure an IPv6 multicast group Switch configure terminal Switc...

Page 265: ...e 3 Switch config exit This example shows how to set the MLD snooping last listener query count for a VLAN to 3 Switch configure terminal Switch config ipv6 mld snooping vlan 200 last listener query count 3 Switch config exit This example shows how to set the MLD snooping last listener query interval maximum response time to 2000 2 seconds Switch configure terminal Switch config ipv6 mld snooping ...

Page 266: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 184 Configuration Examples for Configuring MLD Snooping ...

Page 267: ...Navigator go to http www cisco com go cfn An account on Cisco com is not required Information About Configuring IPv6 Host Functions This chapter describes how to configure IPv6 host functions on the Catalyst 2960 2960 S and 2960 C To use IPv6 Host Functions the switch must be running the LAN Base image Note For information about configuring IPv6 Multicast Listener Discovery MLD snooping see Config...

Page 268: ...cimal fields separated by colons in the format n n n n n n n n This is an example of an IPv6 address 2031 0000 130F 0000 0000 09C0 080F 130B For easier implementation leading zeros in each field are optional This is the same address without leading zeros 2031 0 130F 0 0 9C0 80F 130B You can also use two colons to represent successive hexadecimal fields of zeros but you can use this short version o...

Page 269: ...itch supports DNS resolution for IPv4 and IPv6 ICMPv6 The Internet Control Message Protocol ICMP in IPv6 generates error messages such as ICMP destination unreachable messages to report errors during processing and other diagnostic functions In IPv6 ICMP packets are also used in the neighbor discovery protocol and path MTU discovery Neighbor Discovery The switch supports NDP for IPv6 a protocol ru...

Page 270: ... dual stack environments supporting both IPv4 and IPv6 For more information about the dual IPv4 and IPv6 SDM template see Configuring SDM Templates The dual IPv4 and IPv6 templates allow the switch to be used in dual stack environments If you try to configure IPv6 without first selecting a dual IPv4 and IPv6 template a warning message appears In IPv4 only environments the switch routes IPv4 packet...

Page 271: ...guration Library on Cisco com HTTP S Over IPv6 The HTTP client sends requests to both IPv4 and IPv6 HTTP servers which respond to requests from both IPv4 and IPv6 HTTP clients URLs with literal IPv6 addresses must be specified in hexadecimal using 16 bit values between colons The accept socket call chooses an IPv4 or IPv6 address family The accept socket is either an IPv4 or IPv6 socket The listen...

Page 272: ...bles with the address specified in hexadecimal using 16 bit values between colons The prefix length variable preceded by a slash is a decimal value that shows how many of the high order contiguous bits of the address comprise the prefix the network portion of the address To forward IPv6 traffic on an interface you must configure a global IPv6 address on that interface Configuring an IPv6 address o...

Page 273: ...s the Layer 3 interface to configure interface interface id Example Switch config interface gigabitethernet Step 6 1 0 1 Use one of the following Step 7 Specifies a global IPv6 address with an extended unique identifier EUI in the low order 64 bits of the IPv6 ipv6 address ipv6 prefix prefix length eui 64 address Specify only the network prefix the last 64 bits are automatically computed from the ...

Page 274: ...8 Returns to privileged EXEC mode end Example Switch config end Step 9 Verifies your entries show ipv6 interface interface id Example Switch show ipv6 interface gigabitethernet Step 10 1 0 1 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 11 Configuring IPv6 ICMP Rate Limiting CLI ICMP rate limiting is ...

Page 275: ...ch show ipv6 interface gigabitethernet Step 4 1 0 1 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 5 Configuring Static Routing for IPv6 CLI Before configuring a static IPv6 route you must enable routing by using the ip routing global configuration command enable the forwarding of IPv6 packets by using...

Page 276: ...st interfaces With point to point interfaces there is no need to specify the IPv6 address of the next hop With broadcast interfaces you should always specify the IPv6 address of the next hop or ensure that the specified prefix is assigned to the link specifying a link local address as the next hop You can optionally specify the IPv6 address of the next hop to which packets are sent You must specif...

Page 277: ...up config Example Switch copy running config Step 5 startup config Displaying IPv6 For complete syntax and usage information on these commands see the Cisco IOS command reference publications Table 24 Command for Monitoring IPv6 Purpose Command Displays a summary of access lists show ipv6 access list Displays Cisco Express Forwarding for IPv6 show ipv6 cef Displays IPv6 interface status and config...

Page 278: ...t1 0 11 GigabitEthernet1 0 11 is up line protocol is up IPv6 is enabled link local address is FE80 20B 46FF FE2F D940 Global unicast address es 2001 0DB8 c18 1 20B 46FF FE2F D940 subnet is 2001 0DB8 c18 1 64 EUI Joined group address es FF02 1 FF02 2 FF02 1 FF2F D940 MTU is 1500 bytes ICMP error messages limited to one every 100 milliseconds ICMP redirects are enabled ND DAD is enabled number of DA...

Page 279: ...ress es 3FFE C000 0 1 20B 46FF FE2F D940 subnet is 3FFE C000 0 1 64 EUI Joined group address es FF02 1 FF02 2 FF02 1 FF2F D940 MTU is 1500 bytes ICMP error messages limited to one every 100 milliseconds ICMP redirects are enabled ND DAD is enabled number of DAD attempts 1 ND reachable time is 30000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised retransmit interval is 0 m...

Page 280: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 198 Configuration Examples for IPv6 Unicast Routing ...

Page 281: ...mation about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Information About Configuring IPv6 ACLs You can filter IP version 6 IPv6 traffic by creating IPv6 access control lists ACLs and applying them to interfaces similarly to the way that you create and apply IP version 4 IPv4 named ACLs...

Page 282: ...to which a port ACL is applied are filtered by the port ACL Outgoing routed IPv6 packets are filtered by the router ACL Other packets are not filtered If any port ACL IPv4 IPv6 or MAC is applied to an interface that port ACL is used to filter packets and any router ACLs attached to the SVI of the port VLAN are ignored Note Supported ACL Features IPv6 ACLs on the switch have these characteristics F...

Page 283: ...n the ACL regardless of whether or not they are supported on the platform When you apply the ACL to an interface that requires hardware forwarding physical ports or SVIs the switch checks to determine whether or not the ACL can be supported on the interface If not attaching the ACL is rejected If an ACL is applied to an interface and you attempt to add an access control entry ACE with an unsupport...

Page 284: ...g command to attach an ACL for example an IPv4 command to attach an IPv6 ACL you receive an error message You cannot use MAC ACLs to filter IPv6 frames MAC ACLs can only filter non IP frames If the hardware memory is full for any additional configured ACLs packets are dropped to the CPU and the ACLs are applied in software When the hardware is full a message is printed to the console indicating th...

Page 285: ...breviation for the IPv6 prefix 0 For host source ipv6 address or destination ipv6 address enter the source or destination IPv6 host address for which to set deny or permit conditions specified in hexadecimal using 16 bit values between colons Optional For operator specify an operand that compares the source or destination ports of the specified protocol Operands are lt less than gt greater than eq...

Page 286: ...s if the TCP datagram has the ACK or RST bits set operator port number ack dscp value established fin log log input neq port protocol psh range port protocol rst routing sequence fin Finished bit set no more data from sender value syn time range name urg neq port protocol Matches only packets that are not on a given port number psh Push function bit set range port protocol Matches only packets in ...

Page 287: ...ting sequence value time range name icmp code Enter to filter ICMP packets that are filtered by the ICMP message code type a number from 0 to 255 icmp message Enter to filter ICMP packets by the ICMP message type name or the ICMP message type and code name To see a list of ICMP message type names and code names use the key or see command reference for this release Returns to privileged EXEC mode e...

Page 288: ...nd is not required on Layer 2 interfaces or if the interface has already been configured with an explicit IPv6 address ipv6 address ipv6_address Example Switch ipv6 address ipv6 address Step 4 Apply the access list to incoming or outgoing traffic on the interface The out keyword is not supported for Layer 2 interfaces port ACLs ipv6 traffic filter access list name Example Switch ipv6 traffic filte...

Page 289: ... permit entry is necessary because an implicit deny all condition is at the end of each IPv6 access list Logging is supported only on Layer 3 interfaces Note Switch config ipv6 access list CISCO Switch config ipv6 acl deny tcp any any gt 5000 Switch config ipv6 acl deny 0 lt 5000 0 log Switch config ipv6 acl permit icmp any any Switch config ipv6 acl permit any any Example Applying IPv6 ACLs This ...

Page 290: ... stack Switch show ipv6 access list IPv6 access list inbound permit tcp any any eq bgp 8 matches sequence 10 permit tcp any any eq telnet 15 matches sequence 20 permit udp any any sequence 30 IPv6 access list outbound deny udp any any sequence 10 deny tcp any any eq telnet sequence 20 Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 208 Configuration Ex...

Page 291: ...anning Tree Protocol page 241 Configuring Optional Spanning Tree Features page 287 Configuring EtherChannels page 323 Configuring Link State Tracking page 365 Configuring Flex Links and the MAC Address Table Move Update Feature page 373 Configuring UniDirectional Link Detection page 395 ...

Page 292: ......

Page 293: ...ure Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Restrictions for STP An attempt to configure a switch as the root switch fails if the value necessary to be the root switch is less than 1 If your network consists of switches that support and do not supp...

Page 294: ...n The switch that has all of its ports as the designated role or as the backup role is the root switch The switch that has at least one of its ports in the designated role is called the designated switch Spanning tree forces redundant data paths into a standby blocked state If a network segment in the spanning tree fails and a redundant path exists the spanning tree algorithm recalculates the span...

Page 295: ...ated switch for the LAN from which the inferior BPDU was received it sends that LAN a BPDU containing the up to date information stored for that port In this way inferior information is discarded and superior information is propagated on the network A BPDU exchange results in these actions One switch in the network is elected as the root switch the logical center of the spanning tree topology in a...

Page 296: ...the same switch must have a different bridge ID for each configured VLAN Each VLAN on the switch has a unique 8 byte bridge ID The 2 most significant bytes are used for the switch priority and the remaining 6 bytes are derived from the switch MAC address The switch supports the IEEE 802 1t spanning tree extensions and some of the bits previously used for the switch priority are now used as the VLA...

Page 297: ...iguring the Root Switch on page 227 Restrictions for STP on page 211 Configuring the Root Switch on page 264 Root Switch on page 244 Specifying the MST Region Configuration and Enabling MSTP on page 261 Port Priority Versus Path Cost If a loop occurs spanning tree uses port priority when selecting an interface to put into the forwarding state You can assign higher priority values lower numerical v...

Page 298: ...ree exists in one of these states Blocking The interface does not participate in frame forwarding Listening The first transitional state after the blocking state when the spanning tree decides that the interface should participate in frame forwarding Learning The interface prepares to participate in frame forwarding Forwarding The interface forwards frames Disabled The interface is not participati...

Page 299: ...ion for the forwarding database 4 When the forward delay timer expires spanning tree moves the interface to the forwarding state where both learning and frame forwarding are enabled Blocking State A Layer 2 interface in the blocking state does not participate in frame forwarding After initialization a BPDU is sent to each switch interface A switch initially functions as the root until it exchanges...

Page 300: ...ed from another interface for forwarding Learns addresses Receives BPDUs Forwarding State A Layer 2 interface in the forwarding state forwards frames The interface enters the forwarding state from the learning state An interface in the forwarding state performs these functions Receives and forwards frames received on the interface Forwards frames switched from another interface Learns addresses Re...

Page 301: ...gher speed links to an interface that has a higher number than the root port can cause a root port change The goal is to make the fastest link the root port For example assume that one port on Switch B is a Gigabit Ethernet link and that another port on Switch B a 10 100 link is the root port Network traffic might be more efficient over the Gigabit Ethernet link By changing the spanning tree port ...

Page 302: ...ng dynamic addresses is 5 minutes the default setting of the mac address table aging time global configuration command However a spanning tree reconfiguration can cause many station locations to change Because these stations could be unreachable for 5 minutes or more during a reconfiguration the address aging time is accelerated so that station addresses can be dropped from the address table and t...

Page 303: ... needs only minimal extra configuration The benefit of Rapid PVST is that you can migrate a large PVST install base to Rapid PVST without having to learn the complexities of the Multiple Spanning Tree Protocol MSTP configuration and without having to reprovision your network In Rapid PVST mode each VLAN runs its own spanning tree instance up to the maximum supported MSTP This spanning tree mode is...

Page 304: ...a network The standard requires only one spanning tree instance for all VLANs allowed on the trunks However in a network of Cisco switches connected through IEEE 802 1Q trunks the switches maintain one spanning tree instance for each VLAN allowed on the trunks When you connect a Cisco switch to a non Cisco device through an IEEE 802 1Q trunk the Cisco switch uses PVST to provide spanning tree inte...

Page 305: ...port ID becomes the stack root If the stack master fails or leaves the stack the stack members elect a new stack master and all stack members change their bridge IDs of the spanning trees to the new master bridge ID If the switch stack is the spanning tree root and the stack master fails or leaves the stack the stack members elect a new stack master and a spanning tree reconvergence occurs If the ...

Page 306: ...5 2 4 E release the default mode of STP is Rapid PVST Note Related Topics Disabling Spanning Tree on page 226 Supported Spanning Tree Instances on page 221 How to Configure Spanning Tree Features Changing the Spanning Tree Mode The switch supports three spanning tree modes per VLAN spanning tree plus PVST Rapid PVST or multiple spanning tree protocol MSTP By default the switch runs the Rapid PVST ...

Page 307: ... Select rapid pvst to enable rapid PVST Specifies an interface to configure and enters interface configuration mode Valid interfaces include physical ports VLANs and port interface interface id Example Switch config interface GigabitEthernet1 0 1 Step 4 channels The VLAN ID range is 1 to 4094 The port channel range is 1 to 48 Specifies that the link type for this port is point to point spanning tr...

Page 308: ... tree is enabled by default on VLAN 1 and on all newly created VLANs up to the spanning tree limit Disable spanning tree only if you are sure there are no loops in the network topology When spanning tree is disabled and loops are present in the topology excessive traffic and indefinite packet duplication can drastically reduce network performance Caution This procedure is optional SUMMARY STEPS 1 ...

Page 309: ...ot switches for each VLAN Because of the extended system ID support the switch sets its own priority for the specified VLAN to 24576 if this value will cause this switch to become the root for the specified VLAN Use the diameter keyword to specify the Layer 2 network diameter that is the maximum number of switch hops between any two end stations in the Layer 2 network When you specify the network ...

Page 310: ...iameter specify the maximum number of switches between any two end stations The range is 2 to 7 Returns to privileged EXEC mode end Example Switch config end Step 4 What to Do Next After configuring the switch as the root switch we recommend that you avoid manually configuring the hello time forward delay time and maximum age time through the spanning tree vlan vlan id hello time spanning tree vla...

Page 311: ...condary diameter net diameter 4 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Step 1 Example Switch enable Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Configures a switch to become the secondary root for the specified VLAN spanning tree vlan vlan id root secondary diameter net di...

Page 312: ...t you want selected first and higher cost values that you want selected last Note This procedure is optional SUMMARY STEPS 1 enable 2 configure terminal 3 interface interface id 4 spanning tree port priority priority 5 spanning tree vlan vlan id port priority priority 6 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Step 1 Example S...

Page 313: ...anning tree vlan vlan id port priority priority Step 5 For vlan id you can specify a single VLAN identified by VLAN ID number a range of VLANs separated by a hyphen or a series of VLANs separated by a comma The range is 1 to 4094 Example Switch config if spanning tree vlan 20 25 port priority 0 For priority the range is 0 to 240 in increments of 16 the default is 128 Valid values are 0 16 32 48 64...

Page 314: ...panning tree uses the path cost when selecting an interface to place into the forwarding state A lower path cost represents higher speed transmission For cost the range is 1 to 200000000 the default value is derived from the media speed of the interface Configures the cost for a VLAN spanning tree vlan vlan id cost cost Step 5 Example Switch config if spanning tree vlan 10 12 15 20 cost 300 If a l...

Page 315: ...dalone switch or a switch in the stack will be chosen as the root switch Exercise care when using this command For most situations we recommend that you use the spanning tree vlan vlan id root primary and the spanning tree vlan vlan id root secondary global configuration commands to modify the switch priority Note This procedure is optional SUMMARY STEPS 1 enable 2 configure terminal 3 spanning tr...

Page 316: ...likely the switch will be chosen as the root switch Valid priority values are 4096 8192 12288 16384 20480 24576 28672 32768 36864 40960 45056 49152 53248 57344 and 61440 All other values are rejected Returns to privileged EXEC mode end Example Switch config if end Step 4 Configuring the Hello Time The hello time is the time interval between configuration messages generated and sent by the root swi...

Page 317: ... a hyphen or a series of VLANs separated by a comma The range is 1 to 4094 For seconds the range is 1 to 10 the default is 2 Returns to privileged EXEC mode end Example Switch config if end Step 3 Configuring the Forwarding Delay Time for a VLAN This procedure is optional SUMMARY STEPS 1 enable 2 configure terminal 3 spanning tree vlan vlan id forward time seconds 4 end DETAILED STEPS Purpose Comm...

Page 318: ...ed by VLAN ID number a range of VLANs separated by a hyphen or a series of VLANs separated by a comma The range is 1 to 4094 For seconds the range is 4 to 30 the default is 15 Returns to privileged EXEC mode end Example Switch config end Step 4 Configuring the Maximum Aging Time for a VLAN This procedure is optional SUMMARY STEPS 1 enable 2 configure terminal 3 spanning tree vlan vlan id max age s...

Page 319: ... a comma The range is 1 to 4094 For seconds the range is 6 to 40 the default is 20 Returns to privileged EXEC mode end Example Switch config if end Step 4 Configuring the Transmit Hold Count You can configure the BPDU burst size by changing the transmit hold count value Changing this parameter to a higher value can have a significant impact on CPU utilization especially in Rapid PVST mode Lowering...

Page 320: ...ands for Displaying Spanning Tree Status Displays spanning tree information on active interfaces only show spanning tree active Displays a detailed summary of interface information show spanning tree detail Displays spanning tree information for the specified VLAN show spanning tree vlan vlan id Displays spanning tree information for the specified interface show spanning tree interface interface i...

Page 321: ...rface interface id privileged EXEC command Feature Information for STP Modification Release This feature was introduced Cisco IOS 15 0 2 EX Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 239 Feature Information for STP ...

Page 322: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 240 Feature Information for STP ...

Page 323: ...he end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Prerequisites for MSTP For two or more switches to be in the same multiple spanning tree MST region they must have the same VLAN to instance map the same configuration ...

Page 324: ...lly configure the MST configuration region name revision number and VLAN to instance mapping on each switch within the MST region by using the command line interface CLI or through the Simple Network Management Protocol SNMP support Partitioning the network into a large number of regions is not recommended However if this situation is unavoidable we recommend that you partition the switched LAN in...

Page 325: ... provider environment When the switch is in the MST mode the RSTP which is based on IEEE 802 1w is automatically enabled The RSTP provides rapid convergence of the spanning tree through explicit handshaking that eliminates the IEEE 802 1D forwarding delay and quickly transitions root ports and designated ports to the forwarding state Both MSTP and RSTP improve the spanning tree operation and maint...

Page 326: ...witches to become the root for the specified spanning tree instance If any root switch for the specified instance has a switch priority lower than 24576 the switch sets its own priority to 4096 less than the lowest switch priority 4096 is the value of the least significant bit of a 4 bit switch priority value For more information select Bridge ID Switch Priority and Extended System ID link in Rela...

Page 327: ...n a network but each region can support up to 65 spanning tree instances Instances can be identified by any number in the range from 0 to 4094 You can assign a VLAN to only one spanning tree instance at a time Related Topics Illustration of MST Regions on page 248 Specifying the MST Region Configuration and Enabling MSTP on page 261 Prerequisites for MSTP on page 241 Restrictions for MSTP on page ...

Page 328: ...for all of them If the switch receives superior MST root information lower switch ID lower path cost and so forth than currently stored for the port it relinquishes its claim as the CIST regional root During initialization a region might have many subregions each with its own CIST regional root As switches receive superior IST information they leave their old subregions and join the new subregion ...

Page 329: ...o the CIST root This cost is left unchanged within an MST region Remember that an MST region looks like a single switch for the CIST The CIST external root path cost is the root path cost calculated between these virtual switches and switches that do not belong to any region The CIST regional root was called the IST master in the prestandard implementation If the CIST root is in the region the CIS...

Page 330: ... not use the message age and maximum age information in the configuration BPDU to compute the spanning tree topology Instead they use the path cost to the root and a hop count mechanism similar to the IP time to live TTL mechanism By using the spanning tree mst max hops global configuration command you can configure the maximum hops inside the region and apply it to the IST and all MST instances i...

Page 331: ...BPDU is a topology change it could have an impact on the MST instances An MST region includes both switches and LANs A segment belongs to the region of its designated port Therefore a port in a different region than the designated port for a segment is a boundary port This definition allows two ports internal to a region to share a segment with a port belonging to a different region creating the p...

Page 332: ...ches can fail you can use an interface configuration command to identify prestandard ports A region cannot be formed between a standard and a prestandard switch but they can interoperate by using the CIST Only the capability of load balancing over different instances is lost in that particular case The CLI displays different flags depending on the port configuration when a port receives prestandar...

Page 333: ...rs use the same bridge ID for a given spanning tree The bridge ID is derived from the MAC address of the active switchstack master The active switchstack master is the stack root when the stack is the root of the network and no root selection has been made within the stack If the switch stack is the spanning tree root and the active switchstack master fails or leaves the stack the standby switch b...

Page 334: ...either a Version 0 configuration and TCN BPDUs or Version 3 MSTP BPDUs on a boundary port A boundary port connects to a LAN the designated switch of which is either a single spanning tree switch or a switch with a different MST configuration RSTP Overview The RSTP takes advantage of point to point wiring and provides rapid convergence of the spanning tree Reconfiguration of the spanning tree can o...

Page 335: ...ou configure a port as an edge port on an RSTP switch by using the spanning tree portfast interface configuration command the edge port immediately transitions to the forwarding state An edge port is the same as a Port Fast enabled port and you should enable it only on ports that connect to a single end station Root ports If the RSTP selects a new root port it blocks the old root port and immediat...

Page 336: ...he port to the forwarding state CSRT is automatically enabled when the switch is in MST mode The switch learns the link type from the port duplex mode a full duplex port is considered to have a point to point connection a half duplex port is considered to have a shared connection You can override the default setting that is controlled by the duplex setting by using the spanning tree link type inte...

Page 337: ...nnected by a point to point link are in agreement about their port roles the RSTP immediately transitions the port states to forwarding Figure 16 Sequence of Events During Rapid Convergence Bridge Protocol Data Unit Format and Processing The RSTP BPDU format is the same as the IEEE 802 1D BPDU format except that the protocol version is set to 2 A new 1 byte Version 1 Length field is set to zero wh...

Page 338: ... starts the forward delay timer for the port The new root port requires twice the forward delay time to transition to the forwarding state If the superior information received on the port causes the port to become a backup or alternate port RSTP sets the port to the blocking state but does not send the agreement message The designated port continues sending BPDUs with the proposal flag set until t...

Page 339: ...eived on that port and ignores the protocol type If the switch receives an IEEE 802 1D BPDU after the port migration delay timer has expired it assumes that it is connected to an IEEE 802 1D switch and starts using only IEEE 802 1D BPDUs However if the RSTP switch is using IEEE 802 1D BPDUs on a port and receives an RSTP BPDU after the timer has expired it restarts the timer and starts using RSTP ...

Page 340: ... Rapid PVST enabled port Because Rapid PVST is the default STP mode you may encounter many Rapid PVST enabled connections Disabling this feature causes the switch to stop the MST region from interacting with PVST regions The MST enabled port moves to a PVST peer inconsistent blocking state once it detects it is connected to a Rapid PVST enabled port This port remains in the inconsistent state unti...

Page 341: ...e Cisco Access Manager CAM entries in the other region are not flushed To make the topology change visible throughout other MST regions you can map that VLAN to IST or connect the PVST switch to the two regions through access links When you disable the PVST simulation note that the PVST peer inconsistency can also occur while the port is already in other states of inconsistency For example the roo...

Page 342: ...ing the role and state of the port initiating BPDUs It may result in loss of connectivity For example in the figure below Bridge A cannot transmit on the port it elected as a root port As a result of this situation there is loss of connectivity r1 and r2 are designated a1 is root and a2 is alternate There is only a one way connectivity between A and R Figure 18 Loss of Connectivity It may cause pe...

Page 343: ...e one member or multiple members with the same MST configuration each member must be capable of processing RSTP BPDUs There is no limit to the number of MST regions in a network but each region can only support up to 65 spanning tree instances You can assign a VLAN to only one spanning tree instance at a time SUMMARY STEPS 1 enable 2 configure terminal 3 spanning tree mst configuration 4 instance ...

Page 344: ...the command are added to or removed from the VLANs that were previously mapped To specify a VLAN range use a hyphen for example instance 1 vlan 1 63 maps VLANs 1 through 63 to MST instance 1 To specify a VLAN series use a comma for example instance 1 vlan 10 20 30 maps VLANs 10 20 and 30 to MST instance 1 Specifies the configuration name The name string has a maximum length of 32 characters and is...

Page 345: ...P on page 242 Spanning Tree Interoperability and Backward Compatibility on page 222 Optional Spanning Tree Configuration Guidelines BackboneFast on page 294 UplinkFast on page 290 Default MSTP Configuration on page 257 Configuring the Root Switch on page 264 Restrictions for MSTP on page 242 Bridge ID Device Priority and Extended System ID on page 214 Configuring a Secondary Root Switch on page 26...

Page 346: ...ary 4 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Example Switch enable Step 1 Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Configures a switch as the root switch spanning tree mst instance id root primary Step 3 Example Switch config spanning tree mst 0 root primary For instanc...

Page 347: ...an one switch to configure multiple backup root switches Use the same network diameter and hello time values that you used when you configured the primary root switch with the spanning tree mst instance id root primary global configuration command This procedure is optional Before You Begin A multiple spanning tree MST must be specified and enabled on the switch For instructions see Related Topics...

Page 348: ...rfaces that you want selected first and lower priority values higher numerical values that you want selected last If all interfaces have the same priority value the MSTP puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces If the switch is a member of a switch stack you must use the spanning tree mst instance id cost cost interface configurati...

Page 349: ...enters interface configuration mode interface interface id Example Switch config interface GigabitEthernet1 0 1 Step 3 Configures port priority spanning tree mst instance id port priority priority Step 4 For instance id you can specify a single instance a range of instances separated by a hyphen or a series of instances separated by a comma The range is 0 to 4094 Example Switch config if spanning ...

Page 350: ... same cost value the MSTP puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces This procedure is optional Before You Begin A multiple spanning tree MST must be specified and enabled on the switch For instructions see Related Topics You must also know the specified MST instance ID and the interface used This example uses 0 as the instance ID an...

Page 351: ...nces separated by a hyphen or a series of instances separated by a comma The range is 0 to 4094 For cost the range is 1 to 200000000 the default value is derived from the media speed of the interface Returns to privileged EXEC mode end Example Switch config if end Step 5 The show spanning tree mst interface interface id privileged EXEC command displays information only for ports that are in a link...

Page 352: ...ity priority 4 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Step 1 Example Switch enable Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Configures the switch priority spanning tree mst instance id priority priority Step 3 For instance id you can specify a single instance a range of...

Page 353: ...A multiple spanning tree MST must be specified and enabled on the switch For instructions see Related Topics SUMMARY STEPS 1 enable 2 configure terminal 3 spanning tree mst hello time seconds 4 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Step 1 Example Switch enable Enters the global configuration mode configure terminal Example ...

Page 354: ...h config end Step 4 Related Topics Specifying the MST Region Configuration and Enabling MSTP on page 261 Configuring the Forwarding Delay Time Before You Begin A multiple spanning tree MST must be specified and enabled on the switch For instructions see Related Topics SUMMARY STEPS 1 enable 2 configure terminal 3 spanning tree mst forward time seconds 4 end DETAILED STEPS Purpose Command or Action...

Page 355: ...he default is 20 Returns to privileged EXEC mode end Example Switch config end Step 4 Related Topics Specifying the MST Region Configuration and Enabling MSTP on page 261 Configuring the Maximum Aging Time Before You Begin A multiple spanning tree MST must be specified and enabled on the switch For instructions see Related Topics SUMMARY STEPS 1 enable 2 configure terminal 3 spanning tree mst max ...

Page 356: ...g a reconfiguration For seconds the range is 6 to 40 the default is 20 Returns to privileged EXEC mode end Example Switch config end Step 4 Related Topics Specifying the MST Region Configuration and Enabling MSTP on page 261 Configuring the Maximum Hop Count This procedure is optional Before You Begin A multiple spanning tree MST must be specified and enabled on the switch For instructions see Rel...

Page 357: ... another port through a point to point link and the local port becomes a designated port the RSTP negotiates a rapid transition with the other port by using the proposal agreement handshake to ensure a loop free topology By default the link type is controlled from the duplex mode of the interface a full duplex port is considered to have a point to point connection a half duplex port is considered ...

Page 358: ...onfigure terminal Step 2 Specifies an interface to configure and enters interface configuration mode Valid interfaces include physical ports interface interface id Example Switch config interface GigabitEthernet1 0 1 Step 3 VLANs and port channel logical interfaces The VLAN ID range is 1 to 4094 The port channel range is 1 to 48 Specifies that the link type of a port is point to point spanning tre...

Page 359: ...Related Topics SUMMARY STEPS 1 enable 2 configure terminal 3 interface interface id 4 spanning tree mst pre standard 5 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Example Switch enable Step 1 Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Specifies an interface to configure and en...

Page 360: ...fore You Begin A multiple spanning tree MST must be specified and enabled on the switch For instructions see Related Topics If you want to use the interface version of the command you must also know the MST interface used This example uses GigabitEthernet1 0 1 as the interface because that was the interface set up by the instructions listed under Related Topics SUMMARY STEPS 1 enable 2 Enter one o...

Page 361: ...DUs BPDUs with the protocol version set to 0 Related Topics Specifying the MST Region Configuration and Enabling MSTP on page 261 Protocol Migration Process on page 257 Configuring PVST Simulation PVST simulation is enabled by default This means that all ports automatically interoperate with a connected device that is running in Rapid PVST mode If you disabled the feature and want to re configure ...

Page 362: ...bal To prevent the switch from automatically interoperating with a connecting switch that is running Rapid PVST enter the no version of the command Returns to privileged EXEC mode end Example Switch config end Step 4 Enabling PVST Simulation on a Port To enable PVST simulation on a port perform this task SUMMARY STEPS 1 enable 2 configure terminal 3 interface interface id 4 spanning tree mst simul...

Page 363: ...t a specified interface from automatically interoperating with a connecting switch that is not running MST enter the spanning tree mst simulate pvst disable command Returns to privileged EXEC mode end Example Switch config end Step 5 Verifies the configuration show spanning tree summary Example Switch show spanning tree summary Step 6 Examples Examples PVST Simulation This example shows how to pre...

Page 364: ...e is cleared Message SPANTREE_PVST_PEER_UNBLOCK Unblocking port s port number Severity Critical Explanation The interface specified in the error message has been restored to normal spanning tree state Action None This example shows the spanning tree status when port 1 0 1 has been configured to disable PVST simulation and is currently in the peer type inconsistent state Switch show spanning tree V...

Page 365: ...ed UplinkFast is disabled BackboneFast is disabled Pathcost method used is long PVST Simulation Default is disabled Name Blocking Listening Learning Forwarding STP Active MST0 2 0 0 0 2 1 mst 2 0 0 0 2 This example shows the spanning tree summary when the switch is not in MSTP mode that is the switch is in PVST or Rapid PVST mode The output string displays the current STP mode Switch show spanning...

Page 366: ... port Switch show spanning tree interface1 0 1 detail Port 269 GigabitEthernet1 0 1 of VLAN0002 is forwarding Port path cost 4 Port priority 128 Port Identifier 128 297 Designated root has priority 32769 address 0013 5f20 01c0 Designated bridge has priority 32769 address 0013 5f20 01c0 Designated port id is 128 297 designated path cost 0 Timers message age 0 forward delay 0 hold 0 Number of transi...

Page 367: ...rward delay 0 hold 0 Number of transitions to forwarding state 1 Link type is point to point by default BPDU sent 132 received 1 Monitoring MST Configuration and Status Table 34 Commands for Displaying MST Status Displays the MST region configuration show spanning tree mst configuration Displays the MD5 digest included in the current MSTCI show spanning tree mst configuration digest Displays MST i...

Page 368: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 286 Feature Information for MSTP ...

Page 369: ...bout the features documented in this module and to see a list of the releases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Restriction for O...

Page 370: ...ree Features on page 287 BPDU Guard The Bridge Protocol Data Unit BPDU guard feature can be globally enabled on the switch or can be enabled per port but the feature operates with some differences When you enable BPDU guard at the global level on PortFast edge enabled ports spanning tree shuts down ports that are in a PortFast edge operational state if any BPDU is received on them In a valid confi...

Page 371: ...Us at link up before the switch begins to filter outbound BPDUs You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs If a BPDU is received on a PortFast edge enabled interface the interface loses its PortFast edge operational status and BPDU filtering is disabled Enabling BPDU filtering on an interface without also enabling the Port...

Page 372: ...rface You can limit these bursts of multicast traffic by reducing the max update rate parameter the default for this parameter is 150 packets per second However if you enter zero station learning frames are not generated so the spanning tree topology converges more slowly after a loss of connectivity UplinkFast is most useful in wiring closet switches at the access or edge of the network It is not...

Page 373: ...Fast Example After Direct Link Failure Related Topics Specifying the MST Region Configuration and Enabling MSTP on page 261 MSTP Configuration Guidelines on page 243 Multiple Spanning Tree Regions on page 245 Enabling UplinkFast for Use with Redundant Links on page 307 Events That Cause Fast Convergence on page 294 Cross Stack UplinkFast Cross Stack UplinkFast CSUF provides a fast spanning tree tr...

Page 374: ...ed as the path to the root The stack root port on Switch 1 provides the path to the root of the spanning tree The alternate stack root ports on Switches 2 and 3 can provide an alternate path to the spanning tree root if the current stack root switch fails or if its link to the spanning tree root fails Link 1 the root link is in the spanning tree forwarding state Links 2 and 3 are alternate redunda...

Page 375: ... an acknowledgment otherwise it sends a fast transition request The sending switch then has not received acknowledgments from all stack switches When acknowledgments are received from all stack switches the Fast Uplink Transition Protocol on the sending switch immediately transitions its alternate stack root port to the forwarding state If acknowledgments from all stack switches are not obtained b...

Page 376: ...become the stack root is added to the stack Related Topics Enabling UplinkFast for Use with Redundant Links on page 307 UplinkFast on page 290 Cross Stack UplinkFast on page 291 How Cross Stack UplinkFast Works on page 292 BackboneFast BackboneFast detects indirect failures in the core of the backbone BackboneFast is a complementary technology to the UplinkFast feature which responds to failures o...

Page 377: ... RLQ reply from a nonstack member and the response is destined for the stack the stack member forwards the reply so that all the other stack members receive it If the switch discovers that it still has an alternate path to the root it expires the maximum aging time on the interface that received the inferior BPDU If all the alternate paths to the root switch indicate that the switch has lost conne...

Page 378: ...duced into a shared medium topology BackboneFast is not activated because the inferior BPDUs did not come from the recognized designated switch Switch B The new switch begins sending inferior BPDUs that indicate it is the root switch However the other switches ignore these inferior BPDUs and the new switch learns that Switch B is the designated switch to Switch A the root switch Figure 27 Adding a...

Page 379: ...itch interfaces that connect to switches in your customer s network If spanning tree calculations cause an interface in the customer network to be selected as the root port root guard then places the interface in the root inconsistent blocked state to prevent the customer s switch from becoming the root switch or being in the path to the root Figure 28 Root Guard in a Service Provider Network If a...

Page 380: ...n all MST instances Related Topics Enabling Loop Guard on page 313 STP PortFast Port Types You can configure a spanning tree port as an edge port a network port or a normal port A port can be in only one of these states at a given time The default spanning tree port type is normal You can configure the port type either globally or per interface Depending on the type of device to which the interfac...

Page 381: ...ditions that are caused by unidirectional links one way traffic on a link or port or a malfunction in a neighboring switch Here a malfunction refers to a switch that is not able to run STP any more while still forwarding traffic a brain dead switch BPDUs are sent out on all operational network ports including alternate and backup ports for each hello time period Bridge Assurance monitors the recei...

Page 382: ... demonstrates a potential network problem when the device fails brain dead and Bridge Assurance is not enabled on the network Figure 30 Network Loop Due to a Malfunctioning Switch Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 300 Information About Optional Spanning Tree Features ...

Page 383: ...ssurance Enabled The system generates syslog messages when a port is block and unblocked The following sample output shows the log that is generated for each of these states BRIDGE_ASSURANCE_BLOCK Sep 17 09 48 16 249 PDT SPANTREE 2 BRIDGE_ASSURANCE_BLOCK Bridge Assurance blocking port GigabitEthernet1 0 1 on VLAN0001 BRIDGE_ASSURANCE_UNBLOCK Sep 17 09 48 58 426 PDT SPANTREE 2 BRIDGE_ASSURANCE_UNBL...

Page 384: ...etwork Related Topics Enabling Bridge Assurance on page 318 How to Configure Optional Spanning Tree Features Enabling PortFast An interface with the PortFast feature enabled is moved directly to the spanning tree forwarding state without waiting for the standard forward time delay If you enable the voice VLAN feature the PortFast feature is automatically enabled When you disable voice VLAN the Por...

Page 385: ...ee Step 4 To enable PortFast on trunk ports you must use the spanning tree portfast trunk interface configuration command The spanning tree portfast command will not work on trunk ports Make sure that there are no loops in the network between the trunk port and the workstation or server before you enable PortFast on a trunk port Note By default PortFast is disabled on all interfaces portfast trunk...

Page 386: ...TAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Example Switch enable Step 1 Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Globally enables BPDU guard spanning tree portfast edge bpduguard default Step 3 Example Switch config spanning tree portfast edge bpduguard default By default BPDU gu...

Page 387: ...ted Topics BPDU Guard on page 288 Enabling BPDU Filtering You can also use the spanning tree bpdufilter enable interface configuration command to enable BPDU filtering on any interface without also enabling the PortFast edge feature This command prevents the interface from sending or receiving BPDUs Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result...

Page 388: ...efault Step 3 Example Switch config spanning tree portfast edge bpdufilter default By default BPDU filtering is disabled Specifies the interface connected to an end station and enters interface configuration mode interface interface id Example Switch config interface gigabitethernet1 0 2 Step 4 Enables the PortFast edge feature on the specified interface spanning tree portfast edge Example Switch ...

Page 389: ...st restore the switch priority on the VLAN to the default value using the no spanning tree vlan vlan id priority global configuration command SUMMARY STEPS 1 enable 2 configure terminal 3 spanning tree uplinkfast max update rate pkts per second 4 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Step 1 Example Switch enable Enters the ...

Page 390: ...duce the chance that a switch will become the root switch When UplinkFast is disabled the switch priorities of all VLANs and path costs of all interfaces are set to default values if you did not modify them from their defaults When you enable the UplinkFast feature using these instructions CSUF is automatically globally enabled on nonstack port interfaces Related Topics UplinkFast on page 290 Cros...

Page 391: ... UplinkFast feature using these instructions CSUF is automatically globally disabled on nonstack port interfaces Enabling BackboneFast You can enable BackboneFast to detect indirect link failures and to start the spanning tree reconfiguration sooner You can configure the BackboneFast feature for Rapid PVST or for the MSTP but the feature remains disabled inactive until you change the spanning tree...

Page 392: ...ast Example Switch config spanning tree backbonefast Step 3 Returns to privileged EXEC mode end Example Switch config end Step 4 Related Topics BackboneFast on page 294 Enabling EtherChannel Guard You can enable EtherChannel guard to detect an EtherChannel misconfiguration if your switch is running PVST Rapid PVST or MSTP This procedure is optional Follow these steps to enable EtherChannel Guard o...

Page 393: ...mode end Example Switch config end Step 4 What to Do Next You can use the show interfaces status err disabled privileged EXEC command to show which switch ports are disabled because of an EtherChannel misconfiguration On the remote device you can enter the show etherchannel summary privileged EXEC command to verify the EtherChannel configuration After the configuration is corrected enter the shutd...

Page 394: ...ng PVST Rapid PVST or MSTP This procedure is optional Follow these steps to enable root guard on the switch SUMMARY STEPS 1 enable 2 configure terminal 3 interface interface id 4 spanning tree guard root 5 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Example Switch enable Step 1 Enters the global configuration mode configure termi...

Page 395: ...the entire switched network Loop guard operates only on interfaces that are considered point to point by the spanning tree You cannot enable both loop guard and root guard at the same time Note You can enable this feature if your switch is running PVST Rapid PVST or MSTP This procedure is optional Follow these steps to enable loop guard on the switch SUMMARY STEPS 1 Enter one of the following comm...

Page 396: ...t Step 3 Example Switch config spanning tree loopguard default By default loop guard is disabled Returns to privileged EXEC mode end Example Switch config end Step 4 Related Topics Loop Guard on page 298 Enabling PortFast Port Types This section describes the different steps to enable Portfast Port types Related Topics STP PortFast Port Types on page 298 Configuring the Default Port State Globally...

Page 397: ...ports are connected to hosts servers Optional network Configures all interfaces as spanning tree network ports This assumes all ports are connected to switches and bridges Bridge Assurance is enabled on all network ports by default Optional normal Configures all interfaces normal spanning tree ports These ports can be connected to any type of device default The default port type is normal Returns ...

Page 398: ...mode configure terminal Example Switch configure terminal Step 2 Specifies an interface to configure interface interface id port channel port_channel_number Step 3 Example Switch config interface gigabitethernet 1 0 1 port channel port_channel_number Enables edge behavior on a Layer 2 access port connected to an end workstation or server spanning tree portfast edge trunk Example Switch config if s...

Page 399: ...s that are connected to Layer 2 switches and bridges can be configured as network ports Bridge Assurance is enabled only on PortFast network ports For more information refer to Bridge Assurance Note To configure a port as a network port perform this task SUMMARY STEPS 1 enable 2 configure terminal 3 interface interface id port channel port_channel_number 4 spanning tree portfast network 5 end 6 sh...

Page 400: ...le Switch config if spanning tree portfast network Step 4 Configures the port as a network port If you have enabled Bridge Assurance globally it automatically runs on a spanning tree network port Use the no version of the command to disable PortFast Exits configuration mode end Example Switch config if end Step 5 Verifies the configuration show running interface interface id port channel port_chan...

Page 401: ...Switch config spanning tree bridge assurance Bridge Assurance is enabled by default Use the no version of the command to disable the feature Disabling Bridge Assurance causes all configured network ports to behave as normal spanning tree ports Returns to privileged EXEC mode end Example Switch config end Step 4 Displays spanning tree information and shows if Bridge Assurance is enabled show spanni...

Page 402: ...Address 001b 2a68 5fc0 Cost 3 Port 125 GigabitEthernet5 9 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 2 priority 0 sys id ext 2 Address 7010 5c9c 5200 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 0 sec Interface Role Sts Cost Prio Nbr Type Gi1 0 1 Desg FWD 4 128 1 P2p Edge Examples Configuring a PortFast Network Port on a Specified Interface This exam...

Page 403: ...s network and BA_Inc indicating that the port is in an inconsistent state Note Switch show spanning tree VLAN0010 Spanning tree enabled protocol rstp Root ID Priority 32778 Address 0002 172c f400 This bridge is the root Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 32778 priority 32768 sys id ext 10 Address 0002 172c f400 Hello Time 2 sec Max Age 20 sec Forward Delay 15 s...

Page 404: ...nformation for the specified interface show spanning tree interface interface id Displays MST information for the specified interface show spanning tree mst interface interface id Displays a summary of interface states or displays the total lines of the spanning tree state section show spanning tree summary totals Displays spanning tree portfast information for the specified interface show spannin...

Page 405: ...ed in this module and to see a list of the releases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Restrictions for EtherChannels All ports in...

Page 406: ...ividual Ethernet links bundled into a single logical link Figure 33 Typical EtherChannel Configuration The EtherChannel provides full duplex bandwidth up to 8 Gb s Gigabit EtherChannel or 80 Gb s 10 Gigabit EtherChannel between your switch and another switch or host Each EtherChannel can consist of up to eight compatibly configured Ethernet ports The LAN Lite feature set supports up to six EtherCh...

Page 407: ...ny other single link The port configuration does not change but the port does not participate in the EtherChannel When you configure an EtherChannel in the on mode no negotiations take place The switch forces all compatible ports to become active in the EtherChannel The other end of the channel on the other switch must also be configured in the on mode otherwise packet loss can occur Related Topic...

Page 408: ...h in the stack or on multiple switches in the stack known as cross stack EtherChannel Figure 34 Single Switch EtherChannel Figure 35 Cross Stack EtherChannel Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 326 Information About EtherChannels ...

Page 409: ... on one link in an EtherChannel are blocked from returning on any other link of the EtherChannel Related Topics Configuring Layer 2 EtherChannels on page 342 EtherChannel Configuration Guidelines on page 338 Default EtherChannel Configuration on page 337 Layer 2 EtherChannel Configuration Guidelines on page 340 Channel Groups and Port Channel Interfaces An EtherChannel comprises a channel group an...

Page 410: ...e the same as the port channel number or you can use a new number If you use a new number the channel group command dynamically creates a new port channel Related Topics Creating Port Channel Logical Interfaces EtherChannel Configuration Guidelines on page 338 Default EtherChannel Configuration on page 337 Layer 2 EtherChannel Configuration Guidelines on page 340 Configuring the Physical Interface...

Page 411: ... by sending PAgP packets This mode is not supported when the EtherChannel members are from different switches in the switch stack cross stack EtherChannel desirable Switch ports exchange PAgP packets only with partner ports configured in the auto or desirable modes Ports configured in the on mode do not exchange PAgP packets Both the auto and desirable modes enable ports to negotiate with partner ...

Page 412: ...ge 340 Configuring the Physical Interfaces EtherChannel Configuration Guidelines on page 338 Default EtherChannel Configuration on page 337 Layer 2 EtherChannel Configuration Guidelines on page 340 PAgP Learn Method and Priority Network devices are classified as PAgP physical learners or aggregate port learners A device is a physical learner if it learns addresses by physical ports and directs tra...

Page 413: ...d Dual Active Detection A virtual switch can be two or more core switches connected by virtual switch links VSLs that carry control and data traffic between them One of the switches is in active mode The others are in standby mode For redundancy remote switches are connected to the virtual switch by remote satellite links RSLs If the VSL between two switches fails one switch does not know the stat...

Page 414: ...CP Modes Description Mode Places a port into an active negotiating state in which the port starts negotiations with other ports by sending LACP packets active Places a port into a passive negotiating state in which the port responds to LACP packets that it receives but does not start LACP packet negotiation This setting minimizes the transmission of LACP packets passive Both the active and passive...

Page 415: ...configuration and ports on both ends of the EtherChannel must have the same configuration If the group is misconfigured packet loss or spanning tree loops can occur Caution Load Balancing and Forwarding Methods EtherChannel balances the traffic load across the links in a channel by reducing part of the binary pattern formed from the addresses in the frame to a numerical value that selects one of t...

Page 416: ...ddresses use different ports in the channel and packets from the same IP address use the same port in the channel With destination IP address based forwarding packets are distributed across the ports in the EtherChannel based on the destination IP address of the incoming packet To provide load balancing packets from the same IP source address sent to different IP destination addresses could be sen...

Page 417: ...might result in better load balancing Related Topics Configuring EtherChannel Load Balancing EtherChannel Configuration Guidelines on page 338 Layer 2 EtherChannel Configuration Guidelines on page 340 Default EtherChannel Configuration on page 337 EtherChannel Load Deferral Overview In an Instant Access system the EtherChannel Load Deferral feature allows ports to be bundled into port channels but...

Page 418: ... This feature is enabled on a per port channel basis however the load deferral timer is configured globally and not per port channel As a result when a new port is bundled the timer starts only if it is not already running If some other ports are already deferred then the new port will be deferred only for the remaining amount of time The load deferral is stopped as soon as a member in one of the ...

Page 419: ... MAC address changes during a active switch failover Default EtherChannel Configuration The default EtherChannel configuration is described in this table Table 38 Default EtherChannel Configuration Default Setting Feature None assigned Channel groups None defined Port channel logical interface No default PAgP mode Aggregate port learning on all ports PAgP learn method 128 on all ports PAgP priorit...

Page 420: ...iguration Guidelines If improperly configured some EtherChannel ports are automatically disabled to avoid network loops and other problems Follow these guidelines to avoid configuration problems Do not try to configure more than 24 EtherChannels on the switch or switch stack In a mixed switch stack that contains one or more Catalyst 2960 S switches do not configure more than six EtherChannels on t...

Page 421: ...nfigured on switch interfaces remove the EtherChannel configuration from the interfaces before globally enabling IEEE 802 1x on a switch by using the dot1x system auth control global configuration command For cross stack EtherChannel configurations ensure that all ports targeted for the EtherChannel are either configured for LACP or are manually configured to be in the channel group using the chan...

Page 422: ...e auto or desirable mode Ports with different spanning tree path costs can form an EtherChannel if they are otherwise compatibly configured Setting different spanning tree path costs does not by itself make ports incompatible for the formation of an EtherChannel Related Topics Configuring Layer 2 EtherChannels on page 342 EtherChannel Overview on page 324 EtherChannel Modes on page 325 EtherChanne...

Page 423: ...reation of auto EtherChannels When auto LAG is disabled on a port interface that is already a part of an auto created EtherChannel the port interface will unbundle from the auto EtherChannel The following table shows the supported auto LAG configurations between the actor and partner devices Table 39 The supported auto LAG configurations between the actor and partner devices Auto Passive Active Ac...

Page 424: ...3 interface and Layer 3 EtherChannel Related Topics Configuring Auto LAG Globally on page 355 Configuring Auto LAG Examples on page 360 Configuring Auto LAG on a Port Interface on page 356 Configuring Persistence with Auto LAG on page 357 Auto LAG on page 341 How to Configure EtherChannels After you configure an EtherChannel configuration changes applied to the port channel interface apply to all ...

Page 425: ...the same VLAN or configure them as trunks switchport mode access trunk Example Switch config if switchport Step 3 If you configure the port as a static access port assign it to only one VLAN The range is 1 to 4094 mode access Optional If you configure the port as a static access port assign it to only one VLAN The range is 1 to 4094 switchport access vlan vlan id Example Switch config if switchpor...

Page 426: ...packet analyzers This setting allows PAgP to operate to attach the port to a channel group and to use the port for transmission active Enables LACP only if a LACP device is detected It places the port into an active negotiating state in which the port starts negotiations with other ports by sending LACP packets passive Enables LACP on the port and places it into a passive negotiating state in whic...

Page 427: ... dst ip src dst mac src ip src mac Step 2 The default is src mac Select one of these load distribution methods Example Switch config port channel dst ip Specifies destination host IP address dst mac Specifies the destination host MAC address of the incoming packet load balance src mac src dst ip Specifies the source and destination host IP address src dst mac Specifies the source and destination h...

Page 428: ...channel load defer seconds Example Switch config port channel load defer 60 Step 3 seconds The time interval during which load sharing is initially 0 for deferred port channels The range is 1 to 1800 seconds the default is 120 seconds Configures a port channel interface and enters interface configuration mode interface type number Example Switch config interface port channel 10 Step 4 Enables port...

Page 429: ...0x00000000 HotStandBy port null Port state Port channel Ag Not Inuse Protocol Port security Disabled Load share deferral Enabled defer period 120 sec time left 0 sec The following is sample output from the show platform pm group masks command Deferred ports have the group mask of 0xFFFF when the defer timer is running Switch show platform pm group masks Etherchannel members and group masks table G...

Page 430: ... the switch sends packets to the source by using any of the ports in the EtherChannel With aggregate port learning it is not important on which physical port the packet arrives physical port Selects physical port to connect with another switch that is a physical learner Make sure to configure the port channel load balance global configuration command to src mac The learning method must be configur...

Page 431: ...ority To every link between systems that operate LACP the software assigns a unique priority made up of these elements in priority order LACP system priority System ID the switch MAC address LACP port priority Port number In priority comparisons numerically lower values have higher priority The priority decides which ports should be put in standby mode when there is a hardware limitation that prev...

Page 432: ...priority This procedure is optional SUMMARY STEPS 1 enable 2 configure terminal 3 lacp system priority priority 4 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Example Switch enable Step 1 Enters global configuration mode configure terminal Example Switch configure terminal Step 2 Configures the LACP system priority lacp system pri...

Page 433: ...ee which ports are in the hot standby mode denoted with an H port state flag If LACP is not able to aggregate all the ports that are compatible for example the remote system might have more restrictive hardware limitations all the ports that cannot be actively included in the EtherChannel are put in the hot standby state and are used only if one of the channeled ports fails Note Follow these steps...

Page 434: ...rChannel PAgP and LACP Status on page 358 Configuring the LACP Port Channel Min Links Feature You can specify the minimum number of active ports that must be in the link up state and bundled in an EtherChannel for the port channel interface to transition to the link up state Using EtherChannel min links you can prevent low bandwidth LACP EtherChannels from becoming active Port channel min links al...

Page 435: ...tate port channel min links min links number Example Switch config if port channel min links Step 4 For min links number the range is 2 to 8 3 Returns to privileged EXEC mode end Example Switch config end Step 5 Related Topics Configuring LACP Port Channel Min Links Examples on page 361 Configuring LACP Fast Rate Timer You can change the LACP timer rate to modify the duration of the LACP timeout U...

Page 436: ...net gigabitethernet tengigabitethernet slot port Step 3 Example Switch config interface gigabitEthernet 2 1 Configures the rate at which LACP control packets are received by an LACP supported interface lacp rate normal fast Example Switch config if lacp rate fast Step 4 To reset the timeout rate to its default use the no lacp rate command Returns to privileged EXEC mode end Example Switch config e...

Page 437: ...configure terminal Step 2 Enables the auto LAG feature on a switch globally Use the no form of this command to disable the auto LAG feature on the switch globally no port channel auto Example Switch config port channel auto Step 3 By default the auto LAG feature is enabled on the port Note Returns to privileged EXEC mode end Example Switch config end Step 4 Displays that EtherChannel is created au...

Page 438: ...itch enable Step 1 Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Specifies the port interface to be enabled for auto LAG and enters interface configuration mode interface interface id Example Switch config interface gigabitethernet 1 0 1 Step 3 Optional Enables auto LAG feature on individual port interface Use the no form of this command to disabl...

Page 439: ...age 357 Configuring Auto LAG Examples on page 360 Configuring Persistence with Auto LAG You use the persistence command to convert the auto created EtherChannel into a manual one and allow you to add configuration on the existing EtherChannel SUMMARY STEPS 1 enable 2 port channel channel number persistent 3 show etherchannel summary DETAILED STEPS Purpose Command or Action Enables privileged EXEC ...

Page 440: ...n Command Clears LACP channel group information and traffic counters clear lacp channel group number counters counters Clears PAgP channel group information and traffic counters clear pagp channel group number counters counters Displays EtherChannel information in a brief detailed and one line summary form Also displays the load balance or frame distribution scheme port port channel protocol and A...

Page 441: ...ch config if range switchport mode access Switch config if range switchport access vlan 10 Switch config if range channel group 5 mode desirable non silent Switch config if range end This example shows how to configure an EtherChannel on a single switch in the stack It assigns two ports as static access ports in VLAN 10 to channel 5 with the LACP mode active Switch configure terminal Switch config...

Page 442: ...and alone s suspended H Hot standby LACP only R Layer3 S Layer2 U in use f failed to allocate aggregator M not in use minimum links not met u unsuitable for bundling w waiting to be aggregated d default port A formed by Auto LAG Number of channel groups in use 1 Number of aggregators 1 Group Port channel Protocol Ports 1 Po1 SUA LACP Gi1 0 45 P Gi2 0 21 P Gi3 0 21 P The following example shows the...

Page 443: ...ed in port channel I stand alone s suspended H Hot standby LACP only R Layer3 S Layer2 U in use N not in use no aggregration f failed to allocate aggregator M not in use no aggregation due to minimum links not met m not in use port not aggregated due to minimum links not met u unsuitable for bundling w waiting to be aggregated d default port Number of channel groups in use 125 Number of aggregator...

Page 444: ...t switch show lacp counters LACPDUs Marker Marker Response LACPDUs Port Sent Recv Sent Recv Sent Recv Pkts Err Channel group 24 Te1 1 27 2 2 0 0 0 0 0 Te2 1 25 2 2 0 0 0 0 0 Related Topics Configuring LACP Fast Rate Timer on page 353 Additional References for EtherChannels Related Documents Document Title Related Topic Catalyst 2960 X Switch Layer 2 Command Reference Layer 2 command reference Erro...

Page 445: ...hnologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password Feature Information for EtherChannels Modification Rele...

Page 446: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 364 Feature Information for EtherChannels ...

Page 447: ...find information about the features documented in this module and to see a list of the releases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required...

Page 448: ...multiple interfaces Link state tracking can be with server NIC adapter teaming to provide redundancy in the network When the server NIC adapters are configured in a primary or secondary relationship and the link is lost on the primary interface network connectivity is transparently changed to the secondary interface An interface can be an aggregation of ports an EtherChannel or a single physical p...

Page 449: ...Server 3 and server 4 use switch B for primary links and switch A for secondary links Link state group 1 on switch A Switch A provides primary links to server 1 and server 2 through link state group 1 Port 1 is connected to server 1 and port 2 is connected to server 2 Port 1 and port 2 are the downstream interfaces in link state group 1 Consolidated Platform Configuration Guide Cisco IOS Release 1...

Page 450: ...er fails the cables are disconnected or the link is lost These are the interactions between the downstream and upstream interfaces when link state tracking is enabled If any of the upstream interfaces are in the link up state the downstream interfaces can change to or remain in the link up state If all of the upstream interfaces become unavailable link state tracking automatically puts the downstr...

Page 451: ...roup number can be 1 or 2 the default is 1 link state track number Example Switch config link state track 2 Step 2 Specifies a physical interface or range of interfaces to configure and enters interface configuration mode interface interface id Example Switch config interface Step 3 Valid interfaces include switch ports in access or trunk mode IEEE 802 1q or routed ports gigabitethernet2 0 1 Do no...

Page 452: ...ink state group 1 and configure the interfaces in the link state group Switch configure terminal Switch config link state track 1 Switch config if interface range gigabitethernet1 0 21 22 Switch config if link state group 1 upstream Switch config if interface gigabitethernet1 0 1 Switch config if link state group 1 downstream Switch config if interface gigabitethernet1 0 3 Switch config if link st...

Page 453: ...isco com support The Cisco Support website provides extensive online resources including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newslet...

Page 454: ... Tracking Feature Information Releases This feature was introduced Cisco IOS Release 15 0 2 EX Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 372 Feature Information for Link State Tracking ...

Page 455: ...ot support all the features documented in this module For the latest caveats and feature information see Bug Search Tool and the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Naviga...

Page 456: ...e Messages on page 385 Configuring MAC Address Table Move Update on page 384 Configuring the MAC Address Table Move Update Examples on page 389 Information About Flex Links and MAC Address Table Move Update Flex Links Flex Links are a pair of a Layer 2 interfaces switch ports or port channels where one interface is configured to act as a backup to the other The feature provides an alternative solu...

Page 457: ...face preemption delay interface configuration commands Figure 39 Flex Links Configuration Example If a primary forwarding link goes down a trap notifies the network management stations If the standby link goes down a trap notifies the users Flex Links are supported only on Layer 2 ports and port channels not on VLANs or on Layer 3 ports Related Topics Configuring a Preemption Scheme for a Pair of ...

Page 458: ... is learned as the mrouter port Both Flex Links ports are always part of multicast groups Although both Flex Links ports are part of the groups in normal operation mode all traffic on the backup port is blocked The normal multicast data flow is not affected by the addition of the backup port as an mrouter port When the changeover happens the backup port is unblocked allowing the traffic to flow In...

Page 459: ... switches and on the backup link between the distribution and access switches This feature is disabled by default and can be configured by using the switchport backup interface interface id multicast fast convergence command When this feature has been enabled at changeover the switch does not generate the proxy reports on the backup port which became the forwarding port MAC Address Table Move Upda...

Page 460: ... from the PC to the server The switch sends a MAC address table move update packet from port 2 Switch C gets this packet on port 4 and immediately learns the MAC address of the PC on port 4 which reduces the reconvergence time You can configure the access switch switch A to send MAC address table move update messages You can also configure the uplink switches B C and D to get and process the MAC a...

Page 461: ...onfiguring VLAN Load Balancing on Flex Links Examples on page 387 MAC Address Table Move Update Configuration Guidelines You can enable and configure this feature on the access switch to send the MAC address table move updates You can enable and configure this feature on the uplink switches to get the MAC address table move updates Default Flex Links and MAC Address Table Move Update Configuration...

Page 462: ...terface id Example Switch conf interface gigabitethernet1 0 1 Step 2 Configures a physical Layer 2 interface or port channel as part of a Flex Links pair with the interface When one link is forwarding traffic the other interface is in standby mode switchport backup interface interface id Example Switch conf if switchport backup interface Step 3 gigabitethernet1 0 2 Returns to privileged EXEC mode ...

Page 463: ...igure terminal Example Switch configure terminal Step 1 Specifies the interface and enters interface configuration mode The interface can be a physical Layer 2 interface or a port channel logical interface The port channel range is 1 to 24 interface interface id Example Switch conf interface gigabitethernet1 0 1 Step 2 Configures a physical Layer 2 interface or port channel as part of a Flex Links...

Page 464: ... Verifies the configuration show interface interface id switchport backup Step 7 Example Switch show interface gigabitethernet1 0 2 switchport backup Optional Saves your entries in the switch startup configuration file copy running config startup config Example Switch copy running config startup config Step 8 Related Topics Flex Links on page 374 Default Flex Links and MAC Address Table Move Updat...

Page 465: ...l as part of a Flex Links pair with the interface and specifies the switchport backup interface interface id prefer vlan vlan range Step 3 VLANs carried on the interface The VLAN ID range is 1 to 4094 Example Switch config if switchport backup interface gigabitethernet2 0 8 prefer vlan 2 Returns to privileged EXEC mode end Example Switch config if end Step 4 Related Topics Flex Links VLAN Load Bal...

Page 466: ...to 24 interface interface id Example Switch interface gigabitethernet1 0 1 Step 2 Configures a physical Layer 2 interface or port channel as part of a Flex Links pair with the interface The MAC address table move update VLAN is the lowest VLAN ID on the interface Use one of the following Step 3 switchport backup interface interface id switchport backup interface interface id mmu primary vlan vlan ...

Page 467: ...les on page 389 Monitoring Flex Links Multicast Fast Convergence and MAC Address Table Move Update on page 386 MAC Address Table Move Update on page 377 Restrictions for Configuring Flex Links and MAC Address Table Move Update on page 373 Configuring the MAC Address Table Move Update Examples on page 389 Configuring a Switch to Obtain and Process MAC Address Table Move Update Messages SUMMARY STEP...

Page 468: ... 373 Configuring the MAC Address Table Move Update Examples on page 389 Monitoring Flex Links Multicast Fast Convergence and MAC Address Table Move Update Purpose Command Displays the Flex Links backup interface configured for an interface or all the configured Flex Links and the state of each active and backup interface up or standby mode show interface interface id switchport backup Displays the...

Page 469: ... Interface Pair Gi1 0 1 Gi1 0 2 Preemption Mode forced Preemption Delay 50 seconds Bandwidth 100000 Kbit Gi1 0 1 100000 Kbit Gi1 0 2 Mac Address Move Update Vlan auto Related Topics Configuring a Preemption Scheme for a Pair of Flex Links on page 381 Configuring Flex Links on page 380 Flex Links on page 374 Default Flex Links and MAC Address Table Move Update Configuration on page 379 Restrictions...

Page 470: ... to the forwarding state on the interface that has just come up In this example if interface Gi2 0 6 comes up VLANs preferred on this interface are blocked on the peer interface Gi2 0 8 and forwarded on Gi2 0 6 Switch show interfaces switchport backup Switch Backup Interface Pairs Active Interface Backup Interface State GigabitEthernet2 0 6 GigabitEthernet2 0 8 Active Up Backup Standby Vlans Prefe...

Page 471: ... 385 Configuring MAC Address Table Move Update on page 384 MAC Address Table Move Update on page 377 Restrictions for Configuring Flex Links and MAC Address Table Move Update on page 373 Configuring Multicast Fast Convergence with Flex Links Failover Examples These are configuration examples for learning the other Flex Links port as the mrouter port when Flex Links is configured on GigabitEthernet...

Page 472: ... 11 because the backup port GigabitEthernet1 0 12 is blocked When the active link GigabitEthernet1 0 11 goes down the backup port GigabitEthernet1 0 12 begins forwarding As soon as this port starts forwarding the switch sends proxy reports for the groups 228 1 5 1 and 228 1 5 2 on behalf of the host The upstream router learns the groups and starts forwarding multicast data This is the default beha...

Page 473: ...d by the switch on GigabitEthernet1 0 11 it is also leaked to the backup port GigabitEthernet1 0 12 The upstream router learns the groups and starts forwarding multicast data which is dropped at the ingress because GigabitEthernet1 0 12 is blocked When the active link GigabitEthernet1 0 11 goes down the backup port GigabitEthernet1 0 12 begins forwarding You do not need to send any proxy reports a...

Page 474: ...www cisco com support The Cisco Support website provides extensive online resources including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Ne...

Page 475: ...Table Move Update Modification Release This feature was introduced Cisco IOS 15 0 2 EX Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 393 Feature Information for Flex Links and MAC Address Table Move Update ...

Page 476: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 394 Feature Information for Flex Links and MAC Address Table Move Update ...

Page 477: ...ted in this module and to see a list of the releases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Restrictions for Configuring UDLD The foll...

Page 478: ...s that autonegotiation cannot perform such as detecting the identities of neighbors and shutting down misconnected ports When you enable both autonegotiation and UDLD the Layer 1 and Layer 2 detections work together to prevent physical and logical unidirectional connections and the malfunctioning of other protocols A unidirectional link occurs whenever traffic sent by a local device is received by...

Page 479: ...tion because autonegotiation operates at Layer 1 Related Topics Enabling UDLD Globally on page 399 Enabling UDLD on an Interface on page 400 Methods to Detect Unidirectional Links UDLD operates by using two methods Neighbor database maintenance Event driven detection and echoing Related Topics Enabling UDLD Globally on page 399 Enabling UDLD on an Interface on page 400 Neighbor Database Maintenanc...

Page 480: ... followed by the no shutdown interface configuration command restarts the disabled port The no udld aggressive enable global configuration command followed by the udld aggressive enable global configuration command reenables the disabled ports The no udld port interface configuration command followed by the udld port aggressive interface configuration command reenables the disabled fiber optic por...

Page 481: ...ifies the UDLD mode of operation udld aggressive enable message time message timer interval Step 2 aggressive Enables UDLD in aggressive mode on all fiber optic ports Example Switch config udld enable enable Enables UDLD in normal mode on all fiber optic ports on the switch UDLD is disabled by default An individual interface configuration overrides the setting of the udld enable global configurati...

Page 482: ...ks on page 397 Event Driven Detection and Echoing on page 398 UDLD Reset Options on page 398 Default UDLD Configuration on page 398 Enabling UDLD on an Interface Follow these steps either to enable UDLD in the aggressive or normal mode or to disable UDLD on a port SUMMARY STEPS 1 configure terminal 2 interface interface id 3 udld port aggressive 4 end DETAILED STEPS Purpose Command or Action Enter...

Page 483: ...ation command to disable UDLD on a specified fiber optic port Note Returns to privileged EXEC mode end Example Switch config if end Step 4 Related Topics Monitoring and Maintaing UDLD Aggressive Mode on page 397 Normal Mode on page 396 Methods to Detect Unidirectional Links on page 397 Event Driven Detection and Echoing on page 398 UDLD Reset Options on page 398 Default UDLD Configuration on page ...

Page 484: ...and resolve system error messages in this release use the Error Message Decoder tool Standards and RFCs Title Standard RFC None MIBs MIBs Link MIB To locate and download MIBs for selected platforms Cisco IOS releases and feature sets use Cisco MIB Locator found at the following URL http www cisco com go mibs All supported MIBs for this release Consolidated Platform Configuration Guide Cisco IOS Re...

Page 485: ...ur products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password Feature Information for UDLD Modification Release This feature was introduced Cisco IOS 15 0 2 EX Consolidated Platform...

Page 486: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 404 Feature Information for UDLD ...

Page 487: ...Network Management Configuring Cisco IOS Configuration Engine page 407 Configuring the Cisco Discovery Protocol page 431 Configuring Simple Network Management Protocol page 445 Configuring SPAN and RSPAN page 471 ...

Page 488: ......

Page 489: ... each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Prerequisites for Configuring the Configuration Engine Obtain the name of the configuration engine inst...

Page 490: ...ing the deployment and management of network devices and services Each Cisco Configuration Engine manages a group of Cisco devices switches and routers and the services that they deliver storing their configurations and delivering them as needed The Cisco Configuration Engine automates initial configurations and configuration updates by generating device specific configuration changes sending them...

Page 491: ...o send and receive configuration change events and to send success and failure notifications The Configuration Server is a web server that uses configuration templates and the device specific configuration information stored in the embedded standalone mode or remote server mode directory Configuration templates are text files containing static configuration information in the form of CLI commands ...

Page 492: ...e Similarly for a publisher when given a unique group ID device ID and event the mapping service returns a set of events on which to publish Cisco Networking Services IDs and Device Hostnames The Cisco Configuration Engine assumes that a unique identifier is associated with each configured switch This unique identifier can take on multiple synonyms where each synonym is unique within a particular ...

Page 493: ... on the switch the only way to refresh the DeviceID is to break the connection between the switch and the event gateway For instructions on refreshing DeviceIDs see Related Topics When the connection is reestablished the switch sends its modified hostname to the event gateway The event gateway redefines the DeviceID to the new value When using the Cisco Configuration Engine user interface you must...

Page 494: ... IP address in a unicast reply to the DHCP relay agent The DHCP relay agent forwards the reply to the switch The switch automatically configures the assigned IP address on interface VLAN 1 the default and downloads the bootstrap configuration file from the TFTP server Upon successful download of the bootstrap configuration file the switch loads the file in its running configuration The Cisco IOS C...

Page 495: ...defer application of the configuration upon receipt of a write signal event The write signal event tells the switch not to save the updated configuration into its NVRAM The switch uses the updated configuration as its running configuration This ensures that the switch configuration is synchronized with other network activities before saving the configuration in NVRAM for use at the next reboot Aut...

Page 496: ...event agent configured to push the configuration file to the switch TFTP server One or more templates for each type of device with the ConfigID of the device mapped to the template CNS Configuration Engine 2 A DHCP Relay is needed only when the DHCP Server is on a different subnet from the client How to Configure the Configuration Engine Enabling the CNS Event Agent You must enable the CNS event a...

Page 497: ...alive 120 10 Optional For port number enter the port number for the event gateway The default port number is 11011 Optional For keepalive seconds enter how often the switch sends keepalive messages For retry count enter the number of unanswered keepalive messages that the switch sends before the connection is terminated The default for each is 0 Optional For failover time seconds enter how long th...

Page 498: ...bout the event agent use the show cns event connections command in privileged EXEC mode To disable the CNS event agent use the no cns event ip address hostname global configuration command Related Topics Event Service on page 410 Enabling the Cisco IOS CNS Agent Follow these steps to enable the Cisco IOS CNS agent on the switch Before You Begin You must enable the CNS event agent on the switch bef...

Page 499: ... For hostname ip address enter either the hostname or the IP address of the configuration server Optional For port number enter the port number for the configuration server 10 180 1 27 10 This command enables the Cisco IOS CNS agent and initiates an initial configuration on the switch Enables the Cisco IOS CNS agent and enters the configuration server parameters cns config partial hostname ip addr...

Page 500: ...Start the Cisco IOS CNS agent on the switch Step 8 What to Do Next You can now use the Cisco Configuration Engine to remotely send incremental configurations to the switch Related Topics Cisco IOS CNS Agents on page 412 Enabling an Initial Configuration for Cisco IOS CNS Agent Follow these steps to enable the CNS configuration agent and initiate an initial configuration on the switch Consolidated ...

Page 501: ...ame 13 ip route network number 14 cns id interface num dns reverse ipaddress mac address event image 15 cns id hardware serial hostname string string udi event image 16 cns config initial hostname ip address port number event no persist page page source ip address syntax check 17 end 18 show running config 19 copy running config startup config DETAILED STEPS Purpose Command or Action Enables privi...

Page 502: ... to 30 The default is 3 Optional For retry interval seconds enter the interval between successive connection attempts to the Configuration Engine The range is 1 to 40 seconds The default is 10 seconds Optional For sleep seconds enter the amount of time before which the first connection attempt occurs The range is 0 to 250 seconds The default is 0 Optional For timeout seconds enter the amount of ti...

Page 503: ...nter this command do not enter the cns id hardware serial hostname string string udi event image command cns id interface num dns reverse ipaddress mac address event image Example RemoteSwitch config cns id GigabitEthernet1 0 1 ipaddress Step 14 For interface num enter the type of interface For example ethernet group async loopback or virtual template This setting specifies from which interface th...

Page 504: ...sist Optional For port number enter the port number of the configuration server The default port number is 80 Optional Enable event for configuration success failure or warning messages when the configuration is finished Optional Enable no persist to suppress the automatic writing to NVRAM of the configuration pulled as a result of entering the cns config initial global configuration command If th...

Page 505: ...ch SUMMARY STEPS 1 enable 2 show cns config connections 3 Make sure that the CNS event agent is properly connected to the event gateway 4 show cns event connections 5 Record from the output of Step 4 the information for the currently connected connection listed below You will be using the IP address and port number in subsequent steps of these instructions 6 configure terminal 7 no cns event ip ad...

Page 506: ...tep 4 Record from the output of Step 4 the information for the currently connected connection listed below You Step 5 will be using the IP address and port number in subsequent steps of these instructions Enters global configuration mode configure terminal Example Switch configure terminal Step 6 Specifies the IP address and port number that you recorded in Step 5 in this command no cns event ip a...

Page 507: ...artup config Step 12 Related Topics Hostname and DeviceID on page 411 Enabling a Partial Configuration for Cisco IOS CNS Agent Follow these steps to enable the Cisco IOS CNS agent and to initiate a partial configuration on the switch SUMMARY STEPS 1 enable 2 configure terminal 3 cns config partial ip address hostname port number source ip address 4 end 5 show running config 6 copy running config s...

Page 508: ...Enter source ip address to use for the source IP address Though visible in the command line help string the encrypt keyword is not supported Note Returns to privileged EXEC mode end Example Switch config end Step 4 Verifies your entries show running config Example Switch show running config Step 5 Optional Saves your entries in the configuration file copy running config startup config Example Swit...

Page 509: ... about the Cisco IOS CNS agent show cns config stats Switch show cns config stats Displays the status of the CNS event agent connections show cns event connections Switch show cns event connections Displays the event gateway information for your switch show cns event gateway Switch show cns event gateway Displays statistics about the CNS event agent show cns event stats Switch show cns event stats...

Page 510: ...m cgi bin Support Errordecoder index cgi To help you research and resolve system error messages in this release use the Error Message Decoder tool Standards and RFCs Title Standard RFC None MIBs MIBs Link MIB To locate and download MIBs for selected platforms Cisco IOS releases and feature sets use Cisco MIB Locator found at the following URL http www cisco com go mibs All supported MIBs for this ...

Page 511: ... various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password Feature History and Information for the Configuration Engine Modification Release This feature was introduced Cisco IOS 15 0 2 EX Consolidated Platform...

Page 512: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 430 Feature History and Information for the Configuration Engine ...

Page 513: ...ftware image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Information About CDP CDP Overview CDP is a device discovery protocol that runs over Layer 2 the data link layer on all Cisco manufactured devices routers bridges access servers controllers and switches and allows network management applications to discover Cisco devices t...

Page 514: ...1 CDP and Stacks A switch stack appears as a single switch in the network Therefore CDP discovers the switch stack not the individual stack members The switch stack sends CDP messages to neighboring network devices when there are changes to the switch stack membership such as stack members being added or removed Default CDP Configuration This table shows the default CDP configuration Default Setti...

Page 515: ...enable Step 1 Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Optional Sets the transmission frequency of CDP updates in seconds cdp timer seconds Example Switch config cdp timer 20 Step 3 The range is 5 to 254 the default is 60 seconds Optional Specifies the amount of time a receiving device should hold the information sent by your device before di...

Page 516: ...config Step 8 What to Do Next Use the no form of the CDP commands to return to the default settings Related Topics CDP Overview on page 431 Monitoring and Maintaining CDP on page 441 Disabling CDP CDP is enabled by default Switch clusters and other Cisco devices such as Cisco IP Phones regularly exchange CDP messages Disabling CDP can interrupt cluster discovery and device connectivity Note Follow...

Page 517: ...ample Switch configure terminal Step 2 Disables CDP no cdp run Example Switch config no cdp run Step 3 Returns to privileged EXEC mode end Example Switch config end Step 4 Verifies your entries show running config Example Switch show running config Step 5 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step ...

Page 518: ... CDP when it has been disabled Before You Begin CDP must be disabled or it cannot be enabled SUMMARY STEPS 1 enable 2 configure terminal 3 cdp run 4 end 5 show running config 6 copy running config startup config DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Example Switch enable Step 1 Enters the global configuration mode configure ter...

Page 519: ... If you enter only show run the enabling of CDP may not be displayed Related Topics Default CDP Configuration on page 432 Disabling CDP on page 434 Disabling CDP on an Interface CDP is enabled by default on all supported interfaces to send and to receive CDP information Switch clusters and other Cisco devices such as Cisco IP Phones regularly exchange CDP messages Disabling CDP can interrupt clust...

Page 520: ...rminal Step 2 Specifies the interface on which you are disabling CDP and enters interface configuration mode interface interface id Example Switch config interface gigabitethernet1 0 1 Step 3 Disables CDP on the interface specified in Step 3 no cdp enable Example Switch config if no cdp enable Step 4 Returns to privileged EXEC mode end Example Switch config end Step 5 Verifies your entries show ru...

Page 521: ... Phones regularly exchange CDP messages Disabling CDP can interrupt cluster discovery and device connectivity Note CDP bypass is not supported and may cause a port go into err disabled state Note Follow these steps to enable CDP on a port on which it has been disabled Before You Begin CDP must be disabled on the port that you are trying to CDP enable on or it cannot be enabled SUMMARY STEPS 1 enab...

Page 522: ...tep 3 Enables CDP on a disabled interface cdp enable Example Switch config if cdp enable Step 4 Returns to privileged EXEC mode end Example Switch config end Step 5 Verifies your entries show running config Example Switch show running config Step 6 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 7 Relat...

Page 523: ...are running on the device show cdp entry entry name version protocol Displays information about interfaces where CDP is enabled You can limit the display to the interface about which you want information show cdp interface interface id Displays information about neighbors including device type interface type and number holdtime settings capabilities platform and port ID You can limit the display t...

Page 524: ...esearch and resolve system error messages in this release use the Error Message Decoder tool Standards and RFCs Title Standard RFC None MIBs MIBs Link MIB To locate and download MIBs for selected platforms Cisco IOS releases and feature sets use Cisco MIB Locator found at the following URL http www cisco com go mibs All supported MIBs for this release Consolidated Platform Configuration Guide Cisc...

Page 525: ... various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password Feature History and Information for Cisco Discovery Protocol Modification Release This feature was introduced Cisco IOS 15 0 2 EX Consolidated Platform...

Page 526: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 444 Feature History and Information for Cisco Discovery Protocol ...

Page 527: ... Tool and the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator g...

Page 528: ...word SNMPv2C includes a bulk retrieval function and more detailed error message reporting to management stations The bulk retrieval function retrieves tables and large quantities of information minimizing the number of round trips required The SNMPv2C improved error handling includes expanded error codes that distinguish different kinds of error conditions these conditions are reported through a s...

Page 529: ...hms DES 56 bit encryption in addition to authentication based on the CBC DES DES 56 standard 3DES 168 bit encryption AES 128 bit 192 bit or 256 bit encryption Data Encryption Standard DES or Advanced Encryption Standard AES MD5 or SHA authPriv SNMPv3 You must configure the SNMP agent to use the SNMP version supported by the management station Because an agent can communicate with multiple managers...

Page 530: ...r to a condition on the network Traps can mean improper user authentication restarts link status up or down MAC address tracking closing of a TCP connection loss of connection to a neighbor or other significant events SNMP Manager Functions The SNMP manager uses information in the MIB to perform the operations described in the following table Table 47 SNMP Operations Description Operation Retrieve...

Page 531: ...e three community string definitions on the switch A community string can have one of the following attributes Read only RO Gives all objects in the MIB except the community strings read access to authorized management stations but does not allow write access Read write RW Gives all objects in the MIB read and write access to authorized management stations but does not allow access to the communit...

Page 532: ...n be resent informs are more likely than traps to reach their intended destination The characteristics that make informs more reliable than traps also consume more resources in the switch and in the network Unlike a trap which is discarded as soon as it is sent an inform request is held in memory until a response is received or the request times out Traps are sent only once but an inform might be ...

Page 533: ...the switch starts and the startup configuration does not have any snmp server global configuration commands SNMP Configuration Guidelines If the switch starts and the switch startup configuration has at least one snmp server global configuration command the SNMP agent is enabled An SNMP group is a table that maps SNMP users to SNMP views An SNMP user is a member of an SNMP group An SNMP host is th...

Page 534: ... by RFC 2274 Because of this deletion if the value of the engine ID changes the security digests of SNMPv3 users become invalid and you need to reconfigure SNMP users by using the snmp server user username global configuration command Similar restrictions require the reconfiguration of community strings when the engine ID changes Related Topics Configuring SNMP Groups and Users on page 456 Monitor...

Page 535: ...server Step 3 Returns to privileged EXEC mode end Example Switch config end Step 4 Verifies your entries show running config Example Switch show running config Step 5 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 6 Related Topics SNMP Agent Functions on page 449 Monitoring SNMP Status on page 467 Cons...

Page 536: ...list number deny permit source source wildcard 5 end 6 show running config 7 copy running config startup config DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Step 1 Example Switch enable Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Configures the community string snmp server community...

Page 537: ...tep 3 The deny keyword denies access if the conditions are matched The permit keyword permits access if the conditions are matched For source enter the IP address of the SNMP managers that are permitted to use the community string to gain access to the agent Optional For source wildcard enter the wildcard bits in dotted decimal notation to be applied to the source Place ones in the bit positions t...

Page 538: ...MP users to SNMP views and you can add new users to the SNMP group Follow these steps to configure SNMP groups and users on the switch SUMMARY STEPS 1 enable 2 configure terminal 3 snmp server engineID local engineid string remote ip address udp port port number engineid string 4 snmp server group group name v1 v2c v3 auth noauth priv read readview write writeview notify notifyview access access l...

Page 539: ...llowing security models Example Switch config snmp server group public v2c access lmnop v1 is the least secure of the possible security models v2c is the second least secure model It allows transmission of informs and integers twice the normal width v3 the most secure requires you to select one of the following authentication levels auth Enables the Message Digest 5 MD5 and the Secure Hash Algorit...

Page 540: ...session that can be either the HMAC MD5 96 md5 or the HMAC SHA 96 sha authentication level and requires a password string auth password not to exceed 64 characters If you enter v3 you can also configure a private priv encryption algorithm and password string priv password using the following keywords not to exceed 64 characters priv specifies the User based Security Model USM des specifies the use...

Page 541: ...otification Types Description Notification Type Keyword Generates Border Gateway Protocol BGP state change traps This option is only available when the IP services feature set is enabled bgp Generates STP bridge MIB traps bridge Generates a trap when the cluster configuration changes cluster Generates a trap for SNMP configuration changes config Generates a trap for SNMP copy configuration changes...

Page 542: ...e the port security trap first and then configure the port security trap rate Note 1 snmp server enable traps port security 2 snmp server enable traps port security trap rate rate port security Generates a trap for the SNMP Response Time Reporter RTR rtr Generates a trap for SNMP type notifications for authentication cold start warm start link up or link down snmp Generates a trap for SNMP storm c...

Page 543: ...d or Action Enables privileged EXEC mode Enter your password if prompted enable Step 1 Example Switch enable Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Specifies the engine ID for the remote host snmp server engineID remote ip address engineid string Step 3 Example Switch config snmp server engineID remote 192 180 1 27 00000063000100a1c0b4011b ...

Page 544: ...n 1 or version 2c is specified enter the password like community string sent with the notification operation When version 3 is specified enter the SNMPv3 username The symbol is used for delimiting the context information Avoid using the symbol as part of the SNMP community string when configuring this command Optional For notification type use the keywords listed in the table above If no type is s...

Page 545: ...our entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 13 What to Do Next The snmp server host command specifies which hosts receive the notifications The snmp server enable trap command globally enables the method for the specified notification for traps and informs To enable a host to receive an inform you must configure an...

Page 546: ...rtup config DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Example Switch enable Step 1 Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Sets the system contact string snmp server contact text Example Switch config snmp server contact Dial System Operator at beeper 21555 Step 3 Sets the sy...

Page 547: ...P Follow these steps to limit the TFTP servers used for saving and loading configuration files through SNMP to the servers specified in an access list SUMMARY STEPS 1 enable 2 configure terminal 3 snmp server tftp server list access list number 4 access list access list number deny permit source source wildcard 5 end 6 show running config 7 copy running config startup config DETAILED STEPS Purpose...

Page 548: ...ig access list 44 permit 10 1 1 2 For access list number enter the access list number specified in Step 3 The deny keyword denies access if the conditions are matched The permit keyword permits access if the conditions are matched For source enter the IP address of the TFTP servers that can access the switch Optional For source wildcard enter the wildcard bits in dotted decimal notation to be appl...

Page 549: ...nes that have been configured on the device Displays information on each SNMP group on the network show snmp group Displays information on pending SNMP requests show snmp pending Displays information on the current SNMP sessions show snmp sessions Displays information on each SNMP user name in the SNMP users table You must use this command to display SNMPv3 configuration information for auth noaut...

Page 550: ...aps snmp authentication Switch config snmp server host cisco com version 2c public This example shows how to send Entity MIB traps to the host cisco com The community string is restricted The first line enables the switch to send Entity MIB traps in addition to any traps previously enabled The second line specifies the destination of these traps and overwrites any previous snmp server host command...

Page 551: ... and resolve system error messages in this release use the Error Message Decoder tool Standards and RFCs Title Standard RFC None MIBs MIBs Link MIB To locate and download MIBs for selected platforms Cisco IOS releases and feature sets use Cisco MIB Locator found at the following URL http www cisco com go mibs All supported MIBs for this release Consolidated Platform Configuration Guide Cisco IOS R...

Page 552: ...ervices such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password Feature History and Information for Simple Network Management Protocol Modification Release This feature was introduced Cisco IOS 15 0 2 EX Consolidated Platform...

Page 553: ...ease notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cis...

Page 554: ... original encapsulation headers untagged ISL or IEEE 802 1Q if the encapsulation replicate keywords are specified If the keywords are not specified the packets are sent in native form You can configure a disabled port to be a source or destination port but the SPAN function does not start until the destination port and at least one source port or source VLAN are enabled You cannot mix source VLANs...

Page 555: ...PAN sessions when source trunk ports have active RSPAN VLANs RSPAN VLANs can also be sources in SPAN sessions However since the switch does not monitor spanned traffic it does not support egress spanning of packets on any RSPAN VLAN identified as the destination of an RSPAN source session on the switch If you enable VTP and VTP pruning RSPAN traffic is pruned in the trunks to prevent the unwanted ...

Page 556: ... one switch all source ports or source VLANs and destination ports are in the same switch or switch stack Local SPAN copies traffic from one or more source ports in any VLAN or from one or more VLANs to a destination port for analysis All traffic on port 5 the source port is mirrored to port 10 the destination port A network analyzer on port 10 receives all network traffic from port 5 without bein...

Page 557: ...toring of multiple switches across your network The figure below shows source ports on Switch A and Switch B The traffic for each RSPAN session is carried over a user specified RSPAN VLAN that is dedicated for that RSPAN session in all participating switches The RSPAN traffic from the source ports or VLANs is copied into the RSPAN VLAN and forwarded over trunk ports carrying the RSPAN VLAN to a de...

Page 558: ...ating an RSPAN Destination Session on page 496 Creating an RSPAN Destination Session and Configuring Incoming Traffic on page 499 Examples Creating an RSPAN VLAN on page 503 SPAN and RSPAN Concepts and Terminology SPAN Sessions Monitored Traffic Source Ports Source VLANs VLAN Filtering Destination Port RSPAN VLAN Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X ...

Page 559: ...rce session and more than one destination session can be active in the same RSPAN VLAN Intermediate switches also can separate the RSPAN source and destination sessions These switches are unable to run RSPAN but they must respond to the requirements of the RSPAN VLAN Traffic monitoring in a SPAN session has these restrictions Sources can be ports or VLANs but you cannot mix source ports and source...

Page 560: ...ded after the packet is modified Packets that are modified because of routing for example with modified time to live TTL MAC address or QoS values are duplicated with the modifications at the destination port Features that can cause a packet to be dropped during transmit processing also affect the duplicated copy for SPAN These features include IP standard and extended output ACLs and egress QoS p...

Page 561: ...ource ports or VLANs You cannot mix ports and VLANs in a single session A source port has these characteristics It can be monitored in multiple SPAN sessions Each source port can be configured with a direction ingress egress or both to monitor It can be any port type for example EtherChannel Gigabit Ethernet and so forth For EtherChannel sources you can monitor traffic for the entire EtherChannel ...

Page 562: ...sion There is no destination port on a switch or switch stack running only an RSPAN source session When a port is configured as a SPAN destination port the configuration overwrites the original port configuration When the SPAN destination configuration is removed the port reverts to its previous configuration If a configuration change is made to the port while it is acting as a SPAN destination po...

Page 563: ...n on RSPAN VLAN trunks but not on SPAN destination ports An RSPAN VLAN cannot be a private VLAN primary or secondary VLAN For VLANs 1 to 1005 that are visible to VLAN Trunking Protocol VTP the VLAN ID and its associated RSPAN characteristic are propagated by VTP If you assign an RSPAN VLAN ID in the extended VLAN range 1006 to 4094 you must manually configure all intermediate switches It is normal...

Page 564: ...n EtherChannel group is configured as a SPAN destination it is removed from the group After the port is removed from the SPAN session it rejoins the EtherChannel group Ports removed from an EtherChannel group remain members of the group but they are in the inactive or suspended state If a physical port that belongs to an EtherChannel group is a destination port and the EtherChannel group is a sour...

Page 565: ... interface interface id vlan vlan id global configuration command or the no monitor session session_number destination interface interface id global configuration command For destination interfaces the encapsulation options are ignored with the no form of the command To monitor all VLANs on the trunk port use the no monitor session session_number filter global configuration command Related Topics ...

Page 566: ...ation Session and Configuring Incoming Traffic on page 499 Examples Creating an RSPAN VLAN on page 503 How to Configure SPAN and RSPAN Creating a Local SPAN Session Follow these steps to create a SPAN session and specify the source monitored ports or VLANs and the destination monitoring ports SUMMARY STEPS 1 enable 2 configure terminal 3 no monitor session session_number all local remote 4 monitor...

Page 567: ...AN to monitor The range is 1 to 4094 excluding the RSPAN VLAN A single session can include multiple sources ports or VLANs defined in a series of commands but you cannot combine source ports and source VLANs in one session Note Optional Specifies a series or range of interfaces Enter a space before and after the comma enter a space before and after the hyphen Optional both rx tx Specifies the dire...

Page 568: ..._number destination command multiple times to configure multiple destination ports Note Returns to privileged EXEC mode end Example Switch config end Step 6 Verifies your entries show running config Example Switch show running config Step 7 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config Step 8 startup config Related Topic...

Page 569: ...ession_number all local remote Step 3 For session_number the range is 1 to 66 Example Switch config no monitor session all all Removes all SPAN sessions local Removes all local sessions remote Removes all remote SPAN sessions Specifies the SPAN session and the source port monitored port monitor session session_number source interface interface id vlan vlan id both rx tx Step 4 Example Switch confi...

Page 570: ... and to specify the encapsulation type dot1q vlan vlan id Accepts incoming packets with IEEE 802 1Q encapsulation with the specified VLAN as the default VLAN untagged vlan vlan id or vlan vlan id Accepts incoming packets with untagged encapsulation type with the specified VLAN as the default VLAN Returns to privileged EXEC mode end Example Switch config end Step 6 Verifies your entries show runnin...

Page 571: ...xample Switch configure terminal Step 2 Removes any existing SPAN configuration for the session no monitor session session_number all local remote Step 3 For session_number the range is 1 to 66 Example Switch config no monitor session all all Removes all SPAN sessions local Removes all local sessions remote Removes all remote SPAN sessions Specifies the characteristics of the source port monitored...

Page 572: ...erface id specify the destination port The destination interface must be a physical port it cannot be an EtherChannel and it cannot be a VLAN destination interface gigabitethernet1 0 1 Optional Specifies a series or range of interfaces Enter a space before and after the comma enter a space before and after the hyphen Optional encapsulation replicate specifies that the destination interface replica...

Page 573: ...minal Example Switch configure terminal Step 2 Enters a VLAN ID to create a VLAN or enters the VLAN ID of an existing VLAN and enters VLAN configuration mode The range is 2 to 1001 and 1006 to 4094 vlan vlan id Example Switch config vlan 100 Step 3 The RSPAN VLAN cannot be VLAN 1 the default VLAN or VLAN IDs 1002 through 1005 reserved for Token Ring and FDDI VLANs Configures the VLAN as an RSPAN V...

Page 574: ...traffic To remove the remote SPAN characteristic from a VLAN and convert it back to a normal VLAN use the no remote span VLAN configuration command To remove a source port or VLAN from the SPAN session use the no monitor session session_number source interface interface id vlan vlan id global configuration command To remove the RSPAN VLAN from the session use the no monitor session session_number ...

Page 575: ...N session For interface id specifies the source port to monitor Valid interfaces include physical interfaces and port channel logical source interface gigabitethernet1 0 1 tx interfaces port channel port channel number Valid port channel numbers are 1 to 48 For vlan id specifies the source VLAN to monitor The range is 1 to 4094 excluding the RSPAN VLAN A single session can include multiple sources...

Page 576: ...le Switch config end Step 6 Verifies your entries show running config Example Switch show running config Step 7 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config Step 8 startup config Related Topics Remote SPAN on page 475 RSPAN VLAN on page 481 RSPAN Configuration Guidelines on page 483 Specifying VLANs to Filter Follow the...

Page 577: ...e Step 3 For session_number the range is 1 to 66 Example Switch config no monitor session 2 all Removes all SPAN sessions local Removes all local sessions remote Removes all remote SPAN sessions Specifies the characteristics of the source port monitored port and SPAN session monitor session session_number source interface interface id Step 4 Example Switch config monitor session 2 source interface...

Page 578: ...red traffic to the destination port Returns to privileged EXEC mode end Example Switch config end Step 7 Verifies your entries show running config Example Switch show running config Step 8 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 9 Creating an RSPAN Destination Session You configure an RSPAN dest...

Page 579: ...configure terminal Example Switch configure terminal Step 2 Specifies the VLAN ID of the RSPAN VLAN created from the source switch and enters VLAN configuration mode vlan vlan id Example Switch config vlan 901 Step 3 If both switches are participating in VTP and the RSPAN VLAN ID is from 2 to 1005 Steps 3 through 5 are not required because the RSPAN VLAN ID is propagated through the VTP network Id...

Page 580: ...efined in Step 7 Example Switch config monitor session 1 In an RSPAN destination session you must use the same session number for the source RSPAN VLAN and the destination port For interface id specify the destination interface The destination interface must be a physical interface destination interface gigabitethernet2 0 1 Though visible in the command line help string encapsulation replicate is ...

Page 581: ...n interface interface id ingress dot1q vlan vlan id untagged vlan vlan id vlan vlan id 6 end 7 show running config 8 copy running config startup config DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Step 1 Example Switch enable Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Removes any e...

Page 582: ...n interface gigabitethernet1 0 2 ingress vlan 6 Though visible in the command line help string encapsulation replicate is not supported for RSPAN The original VLAN ID is overwritten by the RSPAN VLAN ID and all packets appear on the destination port as untagged Optional Specifies a series or range of interfaces Enter a space before and after the comma enter a space before and after the hyphen Ente...

Page 583: ...uration show monitor SPAN and RSPAN Configuration Examples Example Configuring Local SPAN This example shows how to set up SPAN session 1 for monitoring source port traffic to a destination port First any existing SPAN configuration for session 1 is deleted and then bidirectional traffic is mirrored from source Gigabit Ethernet port 1 to destination Gigabit Ethernet port 2 retaining the encapsulat...

Page 584: ...ure SPAN session 2 to monitor received traffic on Gigabit Ethernet source port 1 and send it to destination Gigabit Ethernet port 2 with the same egress encapsulation type as the source port and to enable ingress forwarding with IEEE 802 1Q encapsulation and VLAN 6 as the default ingress VLAN Switch enable Switch configure terminal Switch config no monitor session 2 Switch config monitor session 2...

Page 585: ...nitor session 2 source interface gigabitethernet1 0 2 rx Switch config monitor session 2 filter vlan 1 5 9 Switch config monitor session 2 destination remote vlan 902 Switch config end This example shows how to configure VLAN 901 as the source remote VLAN and port 1 as the destination interface Switch enable Switch configure terminal Switch config monitor session 1 source remote vlan 901 Switch co...

Page 586: ...h and resolve system error messages in this release use the Error Message Decoder tool Standards and RFCs Title Standard RFC None MIBs MIBs Link MIB To locate and download MIBs for selected platforms Cisco IOS releases and feature sets use Cisco MIB Locator found at the following URL http www cisco com go mibs All supported MIBs for this release Consolidated Platform Configuration Guide Cisco IOS ...

Page 587: ...ification Release Switch Port Analyzer SPAN Allows monitoring of switch traffic on a port or VLAN using a sniffer analyzer or RMON probe This feature was introduced Cisco IOS 15 0 2 EX SPAN destination port support on EtherChannels Provides the ability to configure a SPAN destination port on an EtherChannel This feature was introduced Cisco IOS 15 0 2 EX Switch Port Analyzer SPAN distributed egres...

Page 588: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 506 Feature History and Information for SPAN and RSPAN ...

Page 589: ...P A R T VI Cisco Flexible NetFlow Configuring NetFlow Lite page 509 ...

Page 590: ......

Page 591: ...each feature is supported see the feature information table Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to www cisco com go cfn An account on Cisco com is not required Prerequisites for NetFlow Lite NetFlow Lite is only supported on a Catalyst 2960 X Switch with a LAN Base license and on a Catalyst 296...

Page 592: ...ame for the flows to be created You cannot attach an IP and port based monitor to an interface at the same time on the switch A 48 port switch supports a maximum of 48 monitors IP or port based and for 256 SVIs you can configure up to 256 monitors IP or port based When running the show flow monitor flow_name cache command the switch displays cache information from an earlier switch software versio...

Page 593: ... mixed stack configuration the master switch must always be a Catalyst 2960 X switch The Catalyst 2960 S switch must never be the master switch in this type of mixed stack configuration Each switch in a stack hardware can support the creation of a maximum of 16 000 flows at any time But as the flows are periodically pushed to the software cache the software cache can hold a much larger amount of f...

Page 594: ...rking device with a minimum number of configuration commands Each flow monitor can have a unique combination of flow record flow exporter and cache type If you change a parameter such as the destination IP address for a flow exporter it is automatically changed for all the flow monitors that use the flow exporter The same flow monitor can be used in conjunction with different flow samplers to samp...

Page 595: ...etFlow enables you to define your own records for a Flexible NetFlow flow monitor cache by specifying the key and nonkey fields to customize the data collection to your specific requirements When you define your own records for a Flexible NetFlow flow monitor cache they are referred to as user defined records The values in nonkey fields are added to flows to provide additional information about th...

Page 596: ...tches to the IPv4 Type of Service fields match ipv4 destination address protocol source address tos Specifies a match to the IPv6 fields The following command options are available destination Matches to the IPv6 destination address based fields flow label Matches to the IPv6 flow label fields protocol Matches to the IPv6 payload protocol fields source Matches to the IPv6 source address based fiel...

Page 597: ...nd provides the actual first hop interface for directly connected hosts A value of 0 means that interface information is not available in the cache Some NetFlow collectors require this information in the flow record The following table describes NetFlow Lite collect parameters Table 54 Collect Parameters Purpose Command Collects the counter fields total bytes and total packets collect counter byte...

Page 598: ...cent evolution of the NetFlow export format is known as Version 9 The distinguishing feature of the NetFlow Version 9 export format is that it is template based Templates provide an extensible design to the record format a feature that should allow future enhancements to NetFlow services without requiring concurrent changes to the basic flow record format Using templates provides several key benef...

Page 599: ... to be sent and also export the data flow set for the template The key advantage to Flexible NetFlow is that the user configures a flow record which is effectively converted to a Version 9 template and then forwarded to the collector The figure below is a detailed example of the NetFlow Version 9 export format including the header template flow and data flow sets Figure 49 Detailed Example of the ...

Page 600: ...twork traffic and added to the flow monitor cache during the monitoring process based on the key and nonkey fields in the flow record Flexible NetFlow can be used to perform different types of analysis on the same traffic In the figure below packet 1 is analyzed using a record designed for standard traffic analysis on the input interface and a record designed for security analysis on the output in...

Page 601: ... number of packets that are selected for analysis Samplers use random sampling techniques modes that is a randomly selected sampling position is used each time a sample is taken Flow sampling exchanges monitoring accuracy for router performance When you apply a sampler to a flow monitor the overhead load on the router of running the flow monitor is reduced because the number of packets that the fl...

Page 602: ...changing it to a lower value of 180 or 300 seconds Note Flow active timeout Enabled 30 seconds Flow timeout inactive 1800 seconds Flow update timeout 16640 bits Default cache size How to Configure NetFlow Lite To configure NetFlow Lite follow these general steps 1 Create a flow record by specifying keys and non key fields to the flow 2 Create an optional flow exporter by specifying the protocol an...

Page 603: ... record test Step 2 Switch config flow record Optional Describes this flow record as a maximum 63 character string description string Example Switch config flow record description Step 3 Ipv4Flow Specifies a match key match type Step 4 Example Switch config flow record match ipv4 source address Switch config flow record match ipv4 destination address Switch config flow record match flow direction ...

Page 604: ... L3 broadcast L2 broadcast L3 Multicast L2 Multicast L2 unknown destination bytes layer2 long Switch config flow record collect counter bytes long Switch config flow record collect timestamp absolute first Switch config flow record collect transport tcp flags Switch config flow record collect interface output Returns to privileged EXEC mode end Example Switch config flow record end Step 6 Optional...

Page 605: ...ssign them to the flow monitor You can export to a destination using IPv4 address Note SUMMARY STEPS 1 configure terminal 2 flow exporter name 3 description string 4 destination ipv4 address vrf vrf name 5 dscp value 6 source source type 7 transport udp number 8 ttl seconds 9 export protocol netflow v9 10 end 11 show flow exporter name record name 12 copy running config startup config DETAILED STE...

Page 606: ...scp value Example Switch config flow exporter dscp 0 Step 5 Optional Specifies the interface to use to reach the NetFlow collector at the configured destination The following interfaces can be configured as source source source type Example Switch config flow exporter source Step 6 gigabitEthernet1 0 1 Optional Specifies the UDP port to use to reach the NetFlow collector The range is from 1 to 655...

Page 607: ...mple Switch show flow exporter ExportTest Step 11 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config Step 12 startup config What to Do Next Define a flow monitor based on the flow record and flow exporter Related Topics Exporters Example Configuring a Flow on page 534 Creating a Flow Monitor You can create a flow monitor and ...

Page 608: ...tor MonitorTest Step 2 Switch config flow monitor Optional Describes this flow record as a maximum 63 character string description string Example Switch config flow monitor description Ipv4Monitor Step 3 Associates a flow exporter with this flow monitor exporter name Step 4 Example Switch config flow monitor exporter ExportTest Associates a flow record with the specified flow monitor record name E...

Page 609: ... 8 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config Step 9 startup config What to Do Next Apply the flow monitor to a Layer 2 interface Layer 3 interface or VLAN Related Topics Monitors Example Configuring a Flow on page 534 Creating a Sampler You can create a sampler to define the NetFlow sampling rate for a flow Consolida...

Page 610: ...a random or deterministic sampler to an interface Select m packets out of an n packet window The window size to select packets from ranges from 32 to 1022 Example Switch config flow sampler mode Note the following when configuring a sampler to an interface random 1 out of 1022 When you attach a monitor using deterministic sampler for example s1 every attachment with same sampler s1 uses one new fr...

Page 611: ... sampler name Step 6 Example Switch show sample SampleTest Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config Step 7 startup config What to Do Next Apply the flow monitor to a source interface or a VLAN Applying a Flow to an Interface You can apply a flow monitor and an optional sampler to an interface SUMMARY STEPS 1 configu...

Page 612: ...would use datalink flow monitor name sampler sampler name input interface command This specific command associates a datalink L2 flow monitor and required sampler to the interface for input packets When a datalink flow monitor MonitorTest input is assigned to an interface or VLAN record it only creates flows for non IPv6 or non IPv4 traffic Whenever you assign a flow monitor to an interface you mu...

Page 613: ...an id Step 2 Example Switch config vlan configuration 30 Switch config vlan config Specifies the SVI for the configuration interface vlan vlan id Step 3 Example Switch config interface vlan 30 Associates a flow monitor and an optional sampler to the VLAN for input or output packets ip flow monitor monitor name sampler sampler name input output Step 4 Example Switch config vlan config ip flow monit...

Page 614: ...rd L2_record Switch config flow record Specifies the Layer 2 attribute as a key In this example the keys are the source and destination MAC addresses from the packet at input match datalink ethertype mac destination address input source address input Example Switch config flow record match datalink mac source Step 3 When a datalink flow monitor is assigned to an interface or VLAN record it only cr...

Page 615: ...ollowing table can be used to monitor Flexible NetFlow Table 56 Flexible NetFlow Monitoring Commands Purpose Command Displays information about NetFlow flow exporters and statistics show flow exporter broker export ids name name statistics templates Displays information about NetFlow flow exporters and statistics show flow exporter name exporter name Displays information about NetFlow interfaces s...

Page 616: ...rter export1 Switch config flow exporter destination 10 0 101 254 Switch config flow exporter transport udp 2055 Switch config flow exporter template data timeout 60 Switch config flow exporter exit Switch config flow record record1 Switch config flow record match ipv4 source address Switch config flow record match ipv4 destination address Switch config flow record match ipv4 protocol Switch confi...

Page 617: ...ents Document Title Related Topic Flexible NetFlow Command Reference Cisco IOS XE Release 3SE Cisco WLC 5700 Series Flexible NetFlow CLI Commands Error Message Decoder Link Description https www cisco com cgi bin Support Errordecoder index cgi To help you research and resolve system error messages in this release use the Error Message Decoder tool Standards and RFCs Title Standard RFC Cisco System...

Page 618: ...ssues with Cisco products and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password Feature Information fo...

Page 619: ...P A R T VII QoS Configuring QoS page 539 Configuring Auto QoS page 645 ...

Page 620: ......

Page 621: ...e notes for your platform and software release Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Prerequisites for QoS Before configuring standard QoS you must have a thorough understanding of these items The types of applications used and ...

Page 622: ...an one physical port supports 256 policers 255 user configurable policers plus 1 policer reserved for system internal use The maximum number of user configurable policers supported per port is 63 Policers are allocated on demand by the software and are constrained by the hardware and ASIC boundaries You cannot reserve policers per port there is no guarantee that a port will be assigned to any poli...

Page 623: ...oundary policing marking mapping tables and weighted tail drop Ingress queueing is not supported The switch supports 4 default egress queues with the option to enable an additional 4 egress queues for a total of 8 This option is only available on a standalone switch running the LAN Base image We recommend that you do not enable 8 egress queues by using the mls qos srr queue output queues 8 command...

Page 624: ...relative importance and use congestion management and congestion avoidance techniques to provide preferential treatment Implementing QoS in your network makes network performance more predictable and bandwidth utilization more effective The QoS implementation is based on the Differentiated Services Diff Serv architecture a standard from the Internet Engineering Task Force IETF This architecture sp...

Page 625: ...significant bits which are called the User Priority bits On ports configured as Layer 2 802 1Q trunks all traffic is in 802 1Q frames except for traffic in the native VLAN Other frame types cannot carry Layer 2 CoS values Layer 2 CoS values range from 0 for low priority to 7 for high priority Layer 3 Packet Prioritization Bits Layer 3 IP packets can carry either an IP precedence value or a Differe...

Page 626: ...our network and the granularity of control that you need over incoming and outgoing traffic QoS Basic Model To implement QoS the switch must distinguish packets or flows from one another classify assign a label to indicate the given quality of service as the packets move through the switch make the packets comply with the configured resource usage limits police and mark and provide different treat...

Page 627: ... before the other queues are serviced Classification Overview Classification is the process of distinguishing one kind of traffic from another by examining the fields in the packet Classification is enabled only if QoS is globally enabled on the switch By default QoS is globally disabled so no classification occurs During classification the switch performs a lookup and assigns a QoS label to the p...

Page 628: ... which can examine the MAC source address the MAC destination address and other fields If no ACL is configured the packet is assigned 0 as the DSCP and CoS values which means best effort traffic Otherwise the policy map action specifies a DSCP or CoS value to assign to the incoming frame Perform classification based on configured Layer 2 MAC ACL After classification the packet is sent to the polic...

Page 629: ...lt port CoS value Trust the CoS value Perform the classification based on a configured IP standard or an extended ACL which examines various fields in the IP header If no ACL is configured the packet is assigned 0 as the DSCP and CoS values which means best effort traffic Otherwise the policy map action specifies a DSCP or CoS value to assign to the incoming frame IP standard or an extended ACL Ov...

Page 630: ... group of packets with the same characteristics class You can also classify IP traffic based on IPv6 ACLs In the QoS context the permit and deny actions in the access control entries ACEs have different meanings from security ACLs Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 548 Information About QoS ...

Page 631: ...v6 Traffic on page 588 Creating a Layer 2 MAC ACL for Non IP Traffic on page 590 Classification Based on Class Maps and Policy Maps To use policy maps the switch must be running the LAN Base image A class map is a mechanism that you use to name a specific traffic flow or class and to isolate it from all other traffic The class map defines the criteria used to match against a specific traffic flow ...

Page 632: ...ing through the packet without modification dropping the packet or modifying marking down the assigned DSCP of the packet and allowing the packet to pass through The configurable policed DSCP map provides the packet with a new DSCP based QoS label Marked down packets use the same queues as the original QoS label to prevent packets in a flow from getting out of order All traffic regardless of wheth...

Page 633: ...ed down How quickly the bucket fills is a function of the bucket depth burst byte the rate at which the tokens are removed rate bps and the duration of the burst above the average rate The size of the bucket imposes an upper limit on the burst length and limits the number of frames that can be transmitted back to back If the burst is short the bucket does not overflow and no action is taken agains...

Page 634: ... Tables Overview During QoS processing the switch represents the priority of all traffic including non IP traffic with a QoS label based on the DSCP or CoS value from the classification stage The following table describes QoS processing and mapping tables Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 552 Information About QoS ...

Page 635: ...liced dscp global configuration command Policing Before the traffic reaches the scheduling stage QoS stores the packet in an egress queue according to the QoS label The QoS label is based on the DSCP or the CoS value in the packet and selects the queue through the DSCP output queue threshold maps or through the CoS output queue threshold maps In addition to an egress queue the QOS label also ident...

Page 636: ...frame is enqueued to a particular queue WTD uses the frame s assigned QoS label to subject it to different thresholds If the threshold is exceeded for that QoS label the space available in the destination queue is less than the size of the frame the switch drops the frame Each queue has three threshold values The QoS label determines which of the three threshold values is subjected to the frame Of...

Page 637: ...gress queues SRR sends packets to the egress port You can configure SRR on egress queues for sharing or for shaping In shaped mode the egress queues are guaranteed a percentage of the bandwidth and they are rate limited to that amount Shaped traffic does not use more than the allocated bandwidth even if the link is idle Shaping provides a more even flow of traffic over time and reduces the peaks a...

Page 638: ...ng flowcharts for ingress ports on Catalyst 3750 E and 3750 X switches Figure 58 Queueing and Scheduling Flowchart for Ingress Ports on Catalyst 3750 E and 3750 X Switches Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 556 Information About QoS ...

Page 639: ...the Ingress Queues on page 614 Examples Configuring Ingress Queue Characteristics on page 639 Allocating Bandwidth Between the Ingress Queues on page 616 Examples Configuring Ingress Queue Characteristics on page 639 Configuring the Ingress Priority Queue Examples Configuring Ingress Queue Characteristics on page 639 Configuring the Ingress Priority Queue Mapping Tables Overview on page 552 Config...

Page 640: ...p DSCP or CoS values to a threshold ID You use the mls qos srr queue input dscp map queue queue id dscp1 dscp8 threshold threshold id dscp1 dscp8 or the mls qos srr queue input cos map queue queue id cos1 cos8 threshold threshold id cos1 cos8 global configuration command You can display the DSCP input queue threshold map and the CoS input queue threshold map by using the show mls qos maps privileg...

Page 641: ... used for traffic such as voice that requires guaranteed delivery because this queue is guaranteed part of the bandwidth regardless of the load on the stack or internal ring SRR services the priority queue for its configured weight as specified by the bandwidth keyword in the mls qos srr queue input priority queue queue id bandwidth weight global configuration command Then SRR shares the remaining...

Page 642: ... on the switch Figure 60 Queueing and Scheduling Flowchart for Egress Ports on the Switch If the expedite queue is enabled SRR services it until it is empty before servicing the other three queues Note Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 560 Information About QoS ...

Page 643: ... the queue is over limit the switch drops the frame Figure 61 Egress Queue Buffer Allocation Buffer and Memory Allocation You guarantee the availability of buffers set drop thresholds and configure the maximum memory allocation for a queue set by using the mls qos queue set output qset id threshold queue id drop threshold1 drop threshold2 reserved threshold maximum threshold global configuration c...

Page 644: ...the WTD threshold percentages The switch supports 4 egress queues by default although there is an option to enable a total of 8 egress queues Use the mls qos srr queue output queues 8 global configuration command to enable all 8 egress queues Once 8 egress queues are enabled you are able to configure thresholds and buffers for all 8 queues The 8 egress queue configuration is only supported on a st...

Page 645: ...the policer specifies a markdown DSCP Once again the DSCP in the packet is not modified but an indication of the marked down value is carried along For IP packets the packet modification occurs at a later stage for non IP packets the DSCP is converted to CoS and used for queueing and scheduling decisions Depending on the QoS label assigned to a frame and the mutation chosen the DSCP and CoS values...

Page 646: ...eature bandwidth is equally shared between the queues SRR sends packets in shared mode only Queue 2 is the priority queue SRR services the priority queue for its configured share before servicing the other queue Table 61 Default Ingress Queue Configuration Queue 2 Queue 1 Feature 10 percent 90 percent Buffer allocation 4 4 Bandwidth allocation 10 0 Priority queue bandwidth 100 percent 100 percent ...

Page 647: ...r each queue set when QoS is enabled All ports are mapped to queue set 1 The port bandwidth limit is set to 100 percent and rate unlimited Note that for the SRR shaped weights absolute feature a shaped weight of zero indicates that the queue is operating in shared mode Note that for the SRR shared weights feature one quarter of the bandwidth is allocated to each queue Table 64 Default Egress Queue...

Page 648: ...ID DSCP Value 2 1 0 15 3 1 16 31 4 1 32 39 1 1 40 47 4 1 48 63 The following table displays the default egress queue configuration when the 8 egress queue configuration is enabled using the mls qos srr queue output queues 8 command Table 67 Default 8 Egress Queue Configuration Queue 8 Queue 7 Queue 6 Queue 5 Queue 4 Queue 3 Queue 2 Queue 1 Feature 10 10 10 10 10 10 30 10 Buffer allocation 100 100 ...

Page 649: ...is enabled and the 8 egress queue configuration is enabled using the mls qos srr queue output queues 8 command Table 68 Default CoS Output 8 Queue Threshold Map 4 Egress Queue Mapping Threshold ID Egress Queue CoS 2 1 2 0 2 1 3 1 3 1 4 2 3 1 5 3 4 1 6 4 1 1 1 5 4 1 7 6 4 1 8 7 The following table displays the default DSCP output queue threshold map when QoS is enabled and the 8 egress queue config...

Page 650: ...d DSCP map is a null map which maps an incoming DSCP value to the same DSCP value no markdown Related Topics Default CoS to DSCP Map on page 568 Default IP Precedence to DSCP Map on page 569 Default DSCP to CoS Map on page 570 DSCP Maps Default CoS to DSCP Map You use the CoS to DSCP map to map CoS values in incoming packets to a DSCP value that QoS uses internally to represent the priority of the...

Page 651: ... DSCP map to map IP precedence values in incoming packets to a DSCP value that QoS uses internally to represent the priority of the traffic The following table shows the default IP precedence to DSCP map If these values are not appropriate for your network you need to modify them Table 71 Default IP Precedence to DSCP Map DSCP Value IP Precedence Value 0 0 8 1 16 2 24 3 32 4 40 5 48 6 Consolidated...

Page 652: ...ueues The following table shows the default DSCP to CoS map If these values are not appropriate for your network you need to modify them Table 72 Default DSCP to CoS Map CoS Value DSCP Value 0 0 7 1 8 15 2 16 23 3 24 31 4 32 39 5 40 47 6 48 55 7 56 63 Related Topics Default Mapping Table Configuration on page 568 Configuring the DSCP to CoS Map on page 608 Configuring the Policed DSCP Map on page ...

Page 653: ...lly mls qos Step 2 Example Switch config mls qos QoS operates with the default settings described in the related topic sections below To disable QoS use the no mls qos global configuration command Note Returns to privileged EXEC mode end Example Switch config end Step 3 Verifies the QoS configuration show mls qos Example Switch show mls qos Step 4 Optional Saves your entries in the configuration f...

Page 654: ...ed in the interface level of a hierarchical policy map on a Switch Virtual Interface SVI SUMMARY STEPS 1 configure terminal 2 interface interface id 3 mls qos vlan based 4 end 5 show mls qos interface interface id 6 copy running config startup config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Switch configure terminal Step 1 Specifies the p...

Page 655: ...tep 5 gigabitethernet 1 0 1 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config Step 6 startup config Configuring Classification Using Port Trust States These sections describe how to classify incoming traffic by using port trust states Depending on your network configuration you must perform one or more of these tasks in this...

Page 656: ... trusted states because there is no need to classify the packets at every switch within the QoS domain Figure 62 Port Trusted States on Ports Within the QoS Domain SUMMARY STEPS 1 configure terminal 2 interface interface id 3 mls qos trust cos dscp ip precedence 4 end 5 show mls qos interface 6 copy running config startup config Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E ...

Page 657: ... default port CoS value is 0 dscp Classifies an ingress packet by using the packet DSCP value For a non IP packet the packet CoS value is used if the packet is tagged for an untagged packet the default port CoS is used Internally the switch maps the CoS value to a DSCP value by using the CoS to DSCP map ip precedence Classifies an ingress packet by using the packet IP precedence value For a non IP...

Page 658: ...cos interface configuration command to untagged frames received on trusted and untrusted ports Beginning in privileged EXEC mode follow these steps to define the default CoS value of a port or to assign the default CoS to all incoming packets on the port SUMMARY STEPS 1 configure terminal 2 interface interface id 3 mls qos cos default cos override 4 end 5 show mls qos interface 6 copy running conf...

Page 659: ...ng packets on specified ports deserve higher or lower priority than packets entering from other ports Even if a port was previously set to trust DSCP CoS or IP precedence this command overrides the previously configured trust state and all the incoming CoS values are assigned the default CoS value configured with this command If an incoming packet is tagged the CoS value of the packet is modified ...

Page 660: ...c received on that port With the trusted setting you also can use the trusted boundary feature to prevent misuse of a high priority queue if a user bypasses the telephone and connects the PC directly to the switch Without trusted boundary the CoS labels generated by the PC are trusted by the switch because of the trusted CoS setting By contrast trusted boundary uses CDP to detect the presence of a...

Page 661: ...e Use one of the following Step 5 mls qos trust cos or mls qos trust dscp Configures the routed port to trust the DSCP value in traffic received from the Cisco IP Phone Example Switch config if mls qos trust cos By default the port is not trusted Specifies that the Cisco IP Phone is a trusted device mls qos trust device cisco phone Step 6 Example Switch config if mls qos trust You cannot enable bo...

Page 662: ...ing and the DSCP to DSCP mutation map If DSCP transparency is enabled by using the no mls qos rewrite ip dscp command the switch does not modify the DSCP field in the incoming packet and the DSCP field in the outgoing packet is the same as that in the incoming packet Regardless of the DSCP transparency configuration the switch modifies the internal DSCP value of the packet which the switch uses to...

Page 663: ... entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 6 DSCP Transparency Mode To configure the switch to modify the DSCP value based on the trust setting or on an ACL by disabling DSCP transparency use the mls qos rewrite ip dscp global configuration command If you disable QoS by using the no mls qos global configuration comma...

Page 664: ...domain Figure 63 DSCP Trusted State on a Port Bordering Another QoS Domain Beginning in privileged EXEC mode follow these steps to configure the DSCP trusted state on a port and modify the DSCP to DSCP mutation map To ensure a consistent mapping strategy across both QoS domains you must perform this procedure on the ports in both domains SUMMARY STEPS 1 configure terminal 2 mls qos map dscp mutati...

Page 665: ...Example Switch config interface Valid interfaces include physical ports gigabitethernet1 0 2 Configures the ingress port as a DSCP trusted port By default the port is not trusted mls qos trust dscp Example Switch config if mls qos trust dscp Step 4 To return a port to its non trusted state use the no mls qos trust interface configuration command Note Applies the map to the specified ingress DSCP t...

Page 666: ...a QoS policy typically requires the following tasks Classifying traffic into classes Configuring policies applied to those traffic classes Attaching policies to ports These sections describe how to classify police and mark traffic Depending on your network configuration you must perform one or more of the modules in this section Related Topics Policing and Marking Overview on page 550 Classificati...

Page 667: ...yword to deny a certain type of traffic if conditions are matched permit 192 2 255 0 1 1 1 255 For source enter the network or host from which the packet is being sent You can use the any keyword as an abbreviation for 0 0 0 0 255 255 255 255 Optional For source wildcard enter the wildcard bits in dotted decimal notation to be applied to the source Place ones in the bit positions that you want to ...

Page 668: ... determine which access lists you will be using for your QoS configuration SUMMARY STEPS 1 configure terminal 2 access list access list number deny permit protocol source source wildcard destination destination wildcard 3 end 4 show access lists 5 copy running config startup config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Switch configure...

Page 669: ...specify the wildcard by using dotted decimal notation by using the any keyword as an abbreviation for source 0 0 0 0 source wildcard 255 255 255 255 or by using the host keyword for source 0 0 0 0 For destination enter the network or host to which the packet is being sent You have the same options for specifying the destination and destination wildcard as those described by source and source wildc...

Page 670: ...v6 Accesses list names cannot contain a space or quotation mark or begin with a numeric To delete an access list use the no ipv6 access list access list number global configuration command Note access list ipv6_Name_ACL Enters deny or permit to specify whether to deny or permit the packet if conditions are matched These are the conditions deny permit protocol source ipv6 prefix prefix length any S...

Page 671: ...ering UDP Optional Enter dscp value to match a differentiated services code point value against the traffic class value in the Traffic Class field of each IPv6 packet header The acceptable range is from 0 to 63 Optional Enter fragments to check noninitial fragments This keyword is visible only if the protocol is IPv6 Optional Enter log to cause a logging message to be sent to the console about the...

Page 672: ...me 3 permit deny host src MAC addr mask any host dst MAC addr dst MAC addr mask type mask 4 end 5 show access lists access list number access list name 6 copy running config startup config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Switch configure terminal Step 1 Creates a Layer 2 MAC ACL by specifying the name of the list mac access list ...

Page 673: ...he hexadecimal format H H H by using the any keyword as an abbreviation for source 0 0 0 source wildcard ffff ffff ffff or by using the host keyword for source 0 0 0 Optional For type mask specify the Ethertype number of a packet with Ethernet II or SNAP encapsulation to identify the protocol of the packet For type the range is from 0 to 65535 typically specified in hexadecimal For mask enter the ...

Page 674: ...terminal 2 Use one of the following access list access list number deny permit source source wildcard access list access list number deny permit protocol source source wildcard destination destination wildcard ipv6 access list access list name deny permit protocol source ipv6 prefix prefix length any host source ipv6 address operator port number destination ipv6 prefix prefix length any host desti...

Page 675: ...er destination ipv6 prefix prefix length any host destination ipv6 address operator port number dscp value fragments log log input routing sequence value time range name mac access list extended name permit deny host src MAC addr mask any host dst MAC addr dst MAC addr mask type mask Example Switch config access list 103 permit ip any any dscp 10 Creates a class map and enters class map configurat...

Page 676: ...reate an IPv6 ACL as described in Step 2 For ip dscp dscp list enter a list of up to eight IP DSCP values to match against incoming packets Separate each value with a space The range is 0 to 63 For ip precedence ip precedence list enter a list of up to eight IP precedence values to match against incoming packets Separate each value with a space The range is 0 to 7 To remove a match criterion use t...

Page 677: ...l ip ipv6 4 match ip dscp dscp list ip precedence ip precedence list 5 end 6 show class map 7 copy running config startup config DETAILED STEPS Purpose Command or Action Enters the global configuration mode configure terminal Example Switch configure terminal Step 1 Creates a class map and enters class map configuration mode class map match all class map name Step 2 Example Switch config class map...

Page 678: ...rate each value with a space The range is 0 to 63 10 For ip precedence ip precedence list enter a list of up to eight IP precedence values to match against incoming packets Separate each value with a space The range is 0 to 7 To remove a match criterion use the no match access group acl index or name ip dscp ip precedence class map configuration command Note Returns to privileged EXEC mode end Exa...

Page 679: ...fect packets on ingress interfaces that are configured to trust the IP precedence value In a policy map if you set the packet IP precedence value to a new value by using the set ip precedence new precedence policy map class configuration command the egress DSCP value is not affected by the IP precedence to DSCP map If you want the egress DSCP value to be different than the ingress value use the se...

Page 680: ...match all match any class map name Step 2 By default no class maps are defined Example Switch config class map Optional Use the match all keyword to perform a logical AND of all matching statements under this class map All match criteria in the class map must be matched ipclass1 Optional Use the match any keyword to perform a logical OR of all matching statements under this class map One or more m...

Page 681: ...he same policy map If you enter the trust command go to Step 6 dscp By default the port is not trusted If no keyword is specified when the command is entered the default is dscp The keywords have these meanings cos QoS derives the DSCP value by using the received or default port CoS value and the CoS to DSCP map dscp QoS derives the DSCP value by using the DSCP value from the ingress packet For no...

Page 682: ...dscp transmit keywords to mark down the DSCP value by using the policed DSCP map and to send the packet To remove an existing policer use the no police rate bps burst byte exceed action drop policed dscp transmit policy map configuration command Note Returns to policy map configuration mode exit Example Switch config pmap c exit Step 8 Returns to global configuration mode exit Example Switch confi...

Page 683: ...c by Using Class Maps on page 592 Policy Map on Physical Port Examples Classifying Policing and Marking Traffic on Physical Ports Using Policy Maps on page 634 Policy Map on Physical Port Guidelines Classifying Policing and Marking Traffic by Using Aggregate Policers By using an aggregate policer you can create a policer that is shared by multiple traffic classes within the same policy map However...

Page 684: ...gate policer name rate bps burst byte exceed action drop policed dscp transmit Step 2 By default no aggregate policer is defined Example Switch config mls qos aggregate police For aggregate policer name specify the name of the aggregate policer For rate bps specify average traffic rate in bits per second b s The range is 8000 to 10000000000 transmit1 48000 8000 exceed action policed dscp transmit ...

Page 685: ... from a policy map use the no police aggregate aggregate policer name policy map transmit1 configuration command To delete an aggregate policer and its parameters use the no mls qos aggregate policer aggregate policer name global configuration command Returns to global configuration mode exit Example Switch configure cmap p exit Step 7 Specifies the port to attach to the policy map and enters inte...

Page 686: ...cing and Marking Overview on page 550 Examples Classifying Policing and Marking Traffic by Using Aggregate Policers on page 637 Configuring DSCP Maps Related Topics Mapping Tables Overview on page 552 Configuring the CoS to DSCP Map You use the CoS to DSCP map to map CoS values in incoming packets to a DSCP value that QoS uses internally to represent the priority of the traffic Beginning in privil...

Page 687: ...rate each DSCP value with a space The DSCP range is 0 to 63 cos dscp 10 15 20 25 30 35 40 45 To return to the default map use the no mls qos cos dscp global configuration command Note Returns to privileged EXEC mode end Example Switch config end Step 3 Verifies your entries show mls qos maps cos dscp Example Switch show mls qos maps cos dscp Step 4 Optional Saves your entries in the configuration ...

Page 688: ...pose Command or Action Enters global configuration mode configure terminal Example Switch configure terminal Step 1 Modifies the IP precedence to DSCP map mls qos map ip prec dscp dscp1 dscp8 Step 2 Example Switch config mls qos map For dscp1 dscp8 enter eight DSCP values that correspond to the IP precedence values 0 to 7 Separate each DSCP value with a space ip prec dscp 10 15 20 25 30 35 40 The ...

Page 689: ...g in privileged EXEC mode follow these steps to modify the policed DSCP map This procedure is optional SUMMARY STEPS 1 configure terminal 2 mls qos map policed dscp dscp list to mark down dscp 3 end 4 show mls qos maps policed dscp 5 copy running config startup config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Switch configure terminal Step...

Page 690: ... configuration file copy running config startup config Example Switch copy running config Step 5 startup config Related Topics Default CoS to DSCP Map on page 568 Default IP Precedence to DSCP Map on page 569 Default DSCP to CoS Map on page 570 Examples Configuring DSCP Maps on page 637 Configuring the DSCP to CoS Map You use the DSCP to CoS map to generate a CoS value which is used to select one ...

Page 691: ...he to keyword For cos enter the CoS value to which the DSCP values correspond 16 24 32 40 48 50 to 0 The DSCP range is 0 to 63 the CoS range is 0 to 7 To return to the default map use the no mls qos dscp cos global configuration command Note Returns to privileged EXEC mode end Example Switch config end Step 3 Verifies your entries show mls qos maps dscp to cos Example Switch show mls qos maps Step...

Page 692: ...ow these steps to modify the DSCP to DSCP mutation map This procedure is optional SUMMARY STEPS 1 configure terminal 2 mls qos map dscp mutation dscp mutation name in dscp to out dscp 3 interface interface id 4 mls qos trust dscp 5 mls qos dscp mutation dscp mutation name 6 end 7 show mls qos maps dscp mutation 8 copy running config startup config DETAILED STEPS Purpose Command or Action Enters th...

Page 693: ...plies the map to the specified ingress DSCP trusted port mls qos dscp mutation dscp mutation name Step 5 Example Switch config if mls qos dscp mutation For dscp mutation name enter the mutation map name specified in Step 2 mutation1 Returns to privileged EXEC mode end Example Switch config if end Step 6 Verifies your entries show mls qos maps dscp mutation Example Switch show mls qos maps dscp mut...

Page 694: ...rviced based on their SRR weights If the egress expedite queue is enabled it overrides the SRR shaped and shared weights for queue 1 If the egress expedite queue is disabled and the SRR shaped and shared weights are configured the shaped mode overrides the shared mode for queue 1 and SRR services this queue in shaped mode If the egress expedite queue is disabled and the SRR shaped weights are not ...

Page 695: ...nput cos map queue queue id threshold threshold id cos1 cos8 For queue id the range is 1 to 2 For threshold id the range is 1 to 3 The drop threshold percentage for threshold 3 is predefined It is set to the queue full state Example Switch config mls qos srr queue For dscp1 dscp8 enter up to eight values and separate each value with a space The range is 0 to 63 input For cos1 cos8 enter up to eigh...

Page 696: ...g config To return to the default CoS input queue threshold map or the default DSCP input queue threshold map use the no mls qos srr queue input cos map or the no mls qos srr queue input dscp map global configuration command To return to the default WTD threshold percentages use the no mls qos srr queue input threshold queue id global configuration command startup config Related Topics Queueing an...

Page 697: ... buffers are allocated to queue 1 and 10 percent of the buffers are allocated to queue 2 Example Switch config mls qos srr queue input For percentage1 percentage2 the range is 0 to 100 Separate each value with a space buffers 60 40 You should allocate the buffers so that the queues can handle any incoming bursty traffic Returns to privileged EXEC mode end Example Switch config end Step 3 Verifies ...

Page 698: ...is the ratio of the frequency in which the SRR scheduler sends packets from each queue The bandwidth and the buffer allocation control how much data can be buffered before packets are dropped On ingress queues SRR operates only in shared mode SRR bandwidth limit works in both mls qos enabled and disabled states Note Beginning in privileged EXEC mode follow these steps to allocate bandwidth between...

Page 699: ... global configuration command Then SRR shares the remaining bandwidth with both ingress queues and services them as specified by the weights configured with the mls qos srr queue input bandwidth weight1 weight2 global configuration command Returns to privileged EXEC mode end Example Switch config end Step 3 Verifies your entries Use one of the following Step 4 show mls qos interface queueing show ...

Page 700: ...e serviced based on their SRR weights If the egress expedite queue is enabled it overrides the SRR shaped and shared weights for queue 1 If the egress expedite queue is disabled and the SRR shaped and shared weights are configured the shaped mode overrides the shared mode for queue 1 and SRR services this queue in shaped mode If the egress expedite queue is disabled and the SRR shaped weights are ...

Page 701: ...s allocation1 allocation8 4 mls qos queue set output qset id threshold queue id drop threshold1 drop threshold2 reserved threshold maximum threshold 5 interface interface id 6 queue set qset id 7 end 8 show mls qos interface interface id buffers 9 copy running config startup config DETAILED STEPS Purpose Command or Action Enters the global configuration mode configure terminal Example Switch confi...

Page 702: ...imum memory allocation for the queue set four egress queues per port mls qos queue set output qset id threshold queue id drop threshold1 Step 4 drop threshold2 reserved threshold maximum threshold By default the WTD thresholds for queues 1 3 and 4 are set to 100 percent The thresholds for queue 2 are set to 200 percent The reserved thresholds for queues Example Switch config mls qos 1 2 3 and 4 ar...

Page 703: ...nal Saves your entries in the configuration file copy running config startup config Step 9 Example Switch copy running config To return to the default setting use the no mls qos queue set output qset id buffers global configuration command To return to the default WTD threshold percentages use the no mls qos queue set output qset id threshold queue id global configuration command startup config Re...

Page 704: ...ped to queue 3 and threshold 1 DSCP values 32 39 and 48 63 are mls qos srr queue output dscp map queue queue id mapped to queue 4 and threshold 1 DSCP values 40 47 are mapped to queue 1 and threshold 1 threshold threshold id dscp1 dscp8 By default CoS values 0 and 1 are mapped to queue 2 and threshold 1 CoS values 2 and 3 are mapped to queue 3 and threshold 1 CoS values 4 6 and 7 are mapped to que...

Page 705: ...nal Saves your entries in the configuration file copy running config startup config Step 5 Example Switch copy running config To return to the default DSCP output queue threshold map or the default CoS output queue threshold map use the no mls qos srr queue output dscp map or the no mls qos srr queue output cos map global configuration command startup config Related Topics Queueing and Scheduling ...

Page 706: ...tage of the port that is shaped The inverse ratio 1 weight controls the shaping bandwidth for this queue Separate each value with a space The range is 0 to 65535 bandwidth shape 8 0 0 0 If you configure a weight of 0 the corresponding queue operates in shared mode The weight specified with the srr queue bandwidth shape command is ignored and the weights specified with the srr queue bandwidth share...

Page 707: ...share the bandwidth among them according to the configured weights The bandwidth is guaranteed at this level but not limited to it For example if a queue empties and does not require a share of the link the remaining queues can expand into the unused bandwidth and share it among them With sharing the ratio of the weights controls the frequency of dequeuing the absolute values are meaningless The e...

Page 708: ...t2 weight3 weight4 Step 3 Example Switch config id srr queue For weight1 weight2 weight3 weight4 enter the weights to control the ratio of the frequency in which the SRR scheduler sends packets Separate each value with a space The range is 1 to 255 bandwidth share 1 2 3 4 To return to the default setting use the no srr queue bandwidth share interface configuration command If you enabled 8 egress q...

Page 709: ...rtain packets have priority over all others by queuing them in the egress expedite queue SRR services this queue until it is empty before servicing the other queues Beginning in privileged EXEC mode follow these steps to enable the egress expedite queue This procedure is optional SUMMARY STEPS 1 configure terminal 2 mls qos 3 interface interface id 4 priority queue out 5 end 6 show running config ...

Page 710: ...hare command is ignored not used in the ratio calculation To disable the egress expedite queue use the no priority queue out interface configuration command Note Returns to privileged EXEC mode end Example Switch config if end Step 5 Verifies your entries show running config Example Switch show running config Step 6 Optional Saves your entries in the configuration file copy running config startup ...

Page 711: ...mls qos interface interface id queueing 6 copy running config startup config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Switch configure terminal Step 1 Specifies the port to be rate limited and enters interface configuration mode interface interface id Example Switch config interface Step 2 gigabitethernet2 0 1 Specifies the percentage of ...

Page 712: ...ueue Characteristics on page 640 Monitoring Standard QoS Table 73 Commands for Monitoring Standard QoS on the Switch Description Command Displays QoS class maps which define the match criteria to classify traffic show class map class map name Displays global QoS configuration information show mls qos Displays the aggregate policer configuration show mls qos aggregate policer aggregate policer name...

Page 713: ...dify the DSCP to DSCP mutation map named gi1 0 2 mutation so that incoming DSCP values 10 to 13 are mapped to DSCP 30 Switch config mls qos map dscp mutation gigabitethernet1 0 2 mutation 10 11 12 13 to 30 Switch config interface gigabitethernet1 0 2 Switch config if mls qos trust dscp Switch config if mls qos dscp mutation gigabitethernet1 0 2 mutation Switch config if end Related Topics Configur...

Page 714: ...MAC ACL with two permit statements The first statement allows traffic from the host with MAC address 0001 0000 0001 to the host with MAC address 0002 0000 0001 The second statement allows only Ethertype XNS IDP traffic from the host with MAC address 0001 0000 0002 to the host with MAC address 0002 0000 0002 Switch config mac access list extended maclist1 Switch config ext macl permit 0001 0000 000...

Page 715: ...pmap c set dscp 6 Switch config pmap c exit Switch config pmap exit Switch config interface G1 0 1 Switch config if service policy input pm1 This example shows how to configure a class map that applies to both IPv4 and IPv6 traffic Switch config ip access list 101 permit ip any any Switch config ipv6 access list ipv6 any permit ip any any Switch config Class map cm 1 Switch config cmap match acces...

Page 716: ...nfig mac access list extended maclist1 Switch config ext mac permit 0001 0000 0001 0 0 0 0002 0000 0001 0 0 0 Switch config ext mac permit 0001 0000 0002 0 0 0 0002 0000 0002 0 0 0 xns idp Switch config ext mac exit Switch config mac access list extended maclist2 Switch config ext mac permit 0001 0000 0003 0 0 0 0002 0000 0003 0 0 0 Switch config ext mac permit 0001 0000 0004 0 0 0 0002 0000 0004 ...

Page 717: ...itch configure terminal Enter configuration commands one per line End with CNTL Z Switch config class map cm interface 1 Switch config cmap match input gigabitethernet3 0 1 gigabitethernet3 0 2 Switch config cmap exit Switch config policy map port plcmap Switch config pmap class cm interface 1 Switch config pmap c police 900000 9000 exc policed dscp transmit Switch config pmap c exit Switch config...

Page 718: ... 1 Switch config if service policy input pm1 This example shows how to configure default traffic class to a policy map Switch configure terminal Switch config class map cm 3 Switch config cmap match ip dscp 30 Switch config cmap match protocol ipv6 Switch config cmap exit Switch config class map cm 4 Switch config cmap match ip dscp 40 Switch config cmap match protocol ip Switch config cmap exit S...

Page 719: ...8000 8000 exceed action policed dscp transmit Switch config class map ipclass1 Switch config cmap match access group 1 Switch config cmap exit Switch config class map ipclass2 Switch config cmap match access group 2 Switch config cmap exit Switch config policy map aggflow1 Switch config pmap class ipclass1 Switch config pmap c trust dscp Switch config pmap c police aggregate transmit1 Switch confi...

Page 720: ...icant digit of the original DSCP The intersection of the d1 and d2 values provides the marked down value For example an original DSCP value of 53 corresponds to a marked down DSCP value of 0 Note This example shows how to map DSCP values 0 8 16 24 32 40 48 and 50 to CoS value 0 and to display the map Switch config mls qos map dscp cos 0 8 16 24 32 40 48 50 to 0 Switch config end Switch show mls qo...

Page 721: ...e d2 row specifies the least significant digit of the original DSCP The intersection of the d1 and d2 values provides the mutated value For example a DSCP value of 12 corresponds to a mutated value of 10 Note Related Topics Configuring the CoS to DSCP Map on page 604 Configuring the IP Precedence to DSCP Map on page 606 Configuring the Policed DSCP Map on page 607 Configuring the DSCP to CoS Map o...

Page 722: ... Queueing and Scheduling on Ingress Queues on page 556 Examples Configuring Egress Queue Characteristics This example shows how to map a port to queue set 2 It allocates 40 percent of the buffer space to egress queue 1 and 20 percent to egress queues 2 3 and 4 It configures the drop thresholds for queue 2 to 40 and 60 percent of the allocated memory guarantees reserves 100 percent of the allocated...

Page 723: ...le 20 percent of the time The line rate drops to 80 percent of the connected speed which is 800 Mb s These values are not exact because the hardware adjusts the line rate in increments of six Related Topics Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue Set on page 618 Queueing and Scheduling on Egress Queues Mapping DSCP or CoS Values to an Egress Queue and to a Thresho...

Page 724: ...n Roadmap Cisco EnergyWise Partner Development Guide Cisco EnergyWise Programmer Reference Guide for the Endpoint SDK Cisco EnergyWise Programmer Reference Guide for the Management API Cisco EnergyWise partner documentation MIBs MIBs Link MIB To locate and download MIBs for selected platforms Cisco IOS releases and feature sets use Cisco IOS MIB Locator found at the following URL http www cisco co...

Page 725: ... you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password Feature History and Information for QoS Modification Release This feature was introduced Cisco IOS 15 0 2 EX Consolidated Platform...

Page 726: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 644 Feature History and Information for QoS ...

Page 727: ...rm and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account o...

Page 728: ...esults to choose the appropriate egress queue You can use auto QoS commands to identify ports connected to the following Cisco devices Cisco IP Phones Devices running the Cisco SoftPhone application Cisco TelePresence Cisco IP Camera Cisco digital media player You also use the auto QoS commands to identify ports that receive trusted traffic through an uplink Auto QoS then performs these functions ...

Page 729: ...e to 0 When there is no Cisco IP Phone the ingress classification is set to not trust the QoS label in the packet The policing is applied to the traffic matching the policy map classification before the switch enables the trust boundary feature When you enter the auto qos voip cisco softphone interface configuration command on a port at the network edge that is connected to a device running the Ci...

Page 730: ...S configuration for the egress queues Table 76 Auto QoS Configuration for the Egress Queues Queue Buffer Size for 10 100 Ethernet Ports Queue Buffer Size for Gigabit Capable Ports Queue Weight Bandwidth Queue Number Egress Queue Egress Queue 15 percent 25percent up to100 percent 4 5 1 Priority 25 percent 25 percent 10 percent 2 3 6 7 2 SRR shared 40 percent 25 percent 60 percent 0 3 SRR shared 20 ...

Page 731: ... previously configured with legacy auto QoS migrates to enhanced auto QoS voice commands and configuration are updated to match the new global QoS commands Note Auto QoS configuration migration from enhanced auto QoS to legacy auto QoS can occur only when you disable all existing auto QoS configurations from the interface Auto QoS Configuration Guidelines Before configuring auto QoS you should be ...

Page 732: ...nning Configuration When auto QoS is enabled the auto qos interface configuration commands and the generated global configuration are added to the running configuration The switch applies the auto QoS generated commands as if the commands were entered from the CLI An existing user configuration can cause the application of the generated commands to fail or to be overridden by the generated command...

Page 733: ...s generated commands should not be modified If the interface is configured with auto QoS and if AQC needs to be disabled auto qos should be disabled at interface level first How to Configure Auto QoS Configuring Auto QoS Enabling Auto QoS For optimum QoS performance enable auto QoS on all the devices in your network SUMMARY STEPS 1 configure terminal 2 interface interface id 3 Use one of the follo...

Page 734: ... running the Cisco SoftPhone feature auto qos classify police trust The uplink port is connected to a trusted switch or router and the VoIP traffic classification in the ingress packet is trusted auto qos trust cos dscp Example Switch config if auto qos trust dscp Enables auto QoS for a video device cts A port connected to a Cisco Telepresence system ip camera A port connected to a Cisco video sur...

Page 735: ... 1 Enables auto QoS on the port and specifies that the port is connected to a trusted router or switch auto qos trust Example Switch config if auto qos trust Step 6 Returns to privileged EXEC mode end Example Switch config if end Step 7 Verifies your entries show auto qos interface interface id Step 8 Example Switch show auto qos interface This command displays the auto QoS command on the interfac...

Page 736: ...t remove auto Qos instances from all interfaces by entering the no form of the corresponding auto QoS commands and then enter the no auto qos global compact global configuration command Troubleshooting Auto QoS To troubleshoot auto QoS use the debug auto qos privileged EXEC command For more information see the debug auto qos command in the command reference for this release To disable auto QoS on ...

Page 737: ...ed by auto QoS show mls qos maps cos dscp cos output q dscp cos dscp mutation dscp output q ip prec dscp policed dscp Displays information about the QoS queue set configuration that might be affected by auto QoS show mls qos queue set queue set ID Displays information about the QoS stack port buffer configuration that might be affected by auto QoS show mls qos stack port buffers Displays informati...

Page 738: ...Switch config mls qos srr queue output cos map queue 2 threshold 2 3 Switch config mls qos srr queue output cos map queue 3 threshold 3 0 Switch config mls qos srr queue output cos map queue 4 threshold 3 1 Switch config no mls qos srr queue output cos map Switch config mls qos srr queue output cos map queue 1 threshold 3 5 Switch config mls qos srr queue output cos map queue 2 threshold 3 3 6 7 S...

Page 739: ...9 11 13 15 Switch config mls qos srr queue output dscp map queue 4 threshold 2 10 12 14 Switch config no mls qos srr queue output dscp map Switch config mls qos srr queue output dscp map queue 1 threshold 3 40 41 42 43 44 45 46 47 Switch config mls qos srr queue output dscp map queue 2 threshold 3 24 25 26 27 28 29 30 31 Switch config mls qos srr queue output dscp map queue 2 threshold 3 48 49 50 ...

Page 740: ...138 138 92 400 Switch config mls qos queue set output 1 threshold 3 36 77 100 318 Switch config mls qos queue set output 1 threshold 4 20 50 67 400 Switch config mls qos queue set output 2 threshold 1 149 149 100 149 Switch config mls qos queue set output 2 threshold 2 118 118 100 235 Switch config mls qos queue set output 2 threshold 3 41 68 100 272 Switch config mls qos queue set output 2 thresh...

Page 741: ...hold 3 40 41 42 43 44 45 46 47 Switch config mls qos srr queue output dscp map queue 2 threshold 3 24 25 26 27 28 29 30 31 Switch config mls qos srr queue output dscp map queue 2 threshold 3 48 49 50 51 52 53 54 55 Switch config mls qos srr queue output dscp map queue 2 threshold 3 56 57 58 59 60 61 62 63 Switch config mls qos srr queue output dscp map queue 3 threshold 3 16 17 18 19 20 21 22 23 S...

Page 742: ... config if mls qos trust device cisco phone If you entered the auto qos voip cisco softphone command the switch automatically creates class maps and policy maps as shown below Switch config mls qos map policed dscp 24 26 46 to 0 Switch config class map match all AutoQoS VoIP RTP Trust Switch config cmap match ip dscp ef Switch config class map match all AutoQoS VoIP Control Trust Switch config cma...

Page 743: ...he Cisco SoftPhone feature is enabled Switch config if service policy input AutoQoS Police SoftPhone If you entered the auto qos voip cisco phone command the switch automatically creates class maps and policy maps Switch config if mls qos trust device cisco phone If you entered the auto qos voip cisco softphone command the switch automatically creates class maps and policy maps Switch config mls q...

Page 744: ... class map match all AUTOQOS_TRANSACTION_CLASS Switch config cmap match access group name AUTOQOS ACL TRANSACTIONAL DATA Switch config class map match all AUTOQOS_SIGNALING_CLASS Switch config cmap match access group name AUTOQOS ACL SIGNALING Switch config class map match all AUTOQOS_BULK_DATA_CLASS Switch config cmap match access group name AUTOQOS ACL BULK DATA Switch config class map match all...

Page 745: ...p Switch config pmap class AUTOQOS_SIGNALING_CLASS Switch config pmap c set dscp cs3 Switch config pmap c police 32000 8000 exceed action drop Switch config pmap class AUTOQOS_DEFAULT_CLASS Switch config pmap c set dscp default Switch config pmap c police 10000000 8000 exceed action policed dscp transmit Switch config if service policy input AUTOQOS SRND4 CLASSIFY POLICE POLICY This is the enhance...

Page 746: ...onfig pmap class AUTOQOS_MULTIENHANCED_CONF_CLASS Switch config pmap c set dscp af41 Switch config pmap c police 5000000 8000 exceed action drop Switch config pmap class AUTOQOS_BULK_DATA_CLASS Switch config pmap c set dscp af11 Switch config pmap c police 10000000 8000 exceed action policed dscp transmit Switch config pmap class AUTOQOS_TRANSACTION_CLASS Switch config pmap c set dscp af21 Switch ...

Page 747: ...der Link Description https www cisco com cgi bin Support Errordecoder index cgi To help you research and resolve system error messages in this release use the Error Message Decoder tool Standards and RFCs Title Standard RFC MIBs MIBs Link MIB To locate and download MIBs for selected platforms Cisco IOS releases and feature sets use Cisco MIB Locator found at the following URL http www cisco com go...

Page 748: ...can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password Feature History and Information for Auto QoS Modification Release This feature was introduced Cisco IOS 15 0 2 EX Consolidated Platform...

Page 749: ...P A R T VIII Routing Configuring IP Unicast Routing page 669 Configuring IPv6 First Hop Security page 677 ...

Page 750: ......

Page 751: ...n this module and to see a list of the releases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Information About Configuring IP Unicast Routin...

Page 752: ...the router When Host A sends a packet to Host C in VLAN 20 Switch A forwards the packet to the router which receives the traffic on the VLAN 10 interface The router checks the routing table finds the correct outgoing interface and forwards the packet on the VLAN 20 interface to Switch B Switch B receives the packet and forwards it to Host C Types of Routing Routers and Layer 3 switches can route p...

Page 753: ...hbor transitions Upon election the new active switch performs these functions It starts generating receiving and processing routing updates It builds routing tables generates the CEF database and distributes it to stack members It uses its MAC address as the router MAC address To notify its network peers of the new MAC address it periodically every few seconds for 5 minutes sends a gratuitous ARP ...

Page 754: ...c routes The switch can have an IP address assigned to each SVI Before enabling routing enter the sdm prefer lanbase routing global configuration command and reload the switch Note Procedures for configuring routing To support VLAN interfaces create and configure VLANs on the switch or switch stack and assign VLAN membership to Layer 2 interfaces For more information see chapter Configuring VLANs ...

Page 755: ...ng is disabled by default and no IP addresses are assigned to SVIs An IP address identifies a location to which IP packets can be sent Some IP addresses are reserved for special uses and cannot be used for host subnet or network addresses RFC 1166 Internet Numbers contains the official description of IP addresses An interface can have one primary IP address A mask identifies the bits that denote t...

Page 756: ...s ip address subnet mask Example Switch config if ip address 10 1 5 1 255 255 255 0 Step 4 Returns to privileged EXEC mode end Example Switch config end Step 5 Verifies your entries show interfaces interface id Example Switch show ip interface gigabitethernet 1 0 1 Step 6 Verifies your entries show ip interface interface id Example Switch show ip interface gigabitethernet 1 0 1 Step 7 Verifies you...

Page 757: ...st resort to which all unroutable packets are sent Follow these steps to configure a static route DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Example Switch enable Step 1 Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Establish a static route ip route prefix mask address interface dis...

Page 758: ...tatic routes until you remove them Monitoring and Maintaining the IP Network You can remove all contents of a particular cache table or database You can also display specific statistics Table 80 Commands to Clear IP Routes or Display Route Status Displays the current state of the routing table show ip route address mask longer prefixes Displays the current state of the routing table in summary for...

Page 759: ... 705 How to Configure IPv6 Prefix Guard page 708 Configuration Examples for IPv6 First Hop Security page 712 Additional References page 712 Finding Feature Information Your software release may not support all the features documented in this module For the latest caveats and feature information see Bug Search Tool and the release notes for your platform and software release To find information abo...

Page 760: ...rst Hop Security in IPv6 First Hop Security in IPv6 FHS IPv6 is a set of IPv6 security features the policies of which can be attached to a physical interface an EtherChannel interface or a VLAN An IPv6 software policy database service stores and accesses these policies When a policy is configured or modified the attributes of the policy are stored or updated in the software policy database then ap...

Page 761: ...nd attach it to an interface or a VLAN To debug DHCP guard packets use the debug ipv6 snooping dhcp guard privileged EXEC command IPv6 Source Guard Like IPv4 Source Guard IPv6 Source Guard validates the source address or prefix to prevent source address spoofing A source guard programs the hardware to allow or deny traffic based on source or destination addresses It deals exclusively with data pac...

Page 762: ...HCPv6 Relay Agent The DHCPv6 Relay Lightweight DHCPv6 Relay Agent feature allows relay agent information to be inserted by an access node that performs a link layer bridging non routing function Lightweight DHCPv6 Relay Agent LDRA functionality can be implemented in existing access nodes such as DSL access multiplexers DSLAMs and Ethernet switches that do not support IPv6 control or routing functi...

Page 763: ...an IPv6 Snooping Policy Beginning in privileged EXEC mode follow these steps to configure IPv6 Snooping Policy SUMMARY STEPS 1 configure terminal 2 ipv6 snooping policy policy name 3 default device role node switch limit address count value no protocol dhcp ndp security level glean guard inspect tracking disable stale lifetime seconds infinite enable reachable lifetime seconds infinite trusted por...

Page 764: ... Gleans addresses and inspects messages In addition it rejects RA and DHCP server messages This is the default option inspect Gleans addresses validates messages for consistency and conformance and enforces address ownership Optional tracking disable enable Overrides the default tracking behavior and specifies a tracking option Optional trusted port Sets up a trusted port It disables the guard on ...

Page 765: ...ameters to put the interface into Layer 2 mode This shuts down the interface and then re enables it which might generate messages on the device to which the interface is connected When you put an interface that is in Layer 3 mode into Layer 2 mode the previous configuration information related to the affected interface might be lost and the interface is returned to its default configuration The co...

Page 766: ...herChannel Interface Beginning in privileged EXEC mode follow these steps to attach an IPv6 Snooping policy on an EtherChannel interface or VLAN SUMMARY STEPS 1 configure terminal 2 interface range Interface_name 3 ipv6 snooping attach policy policy_name vlan vlan_ids add vlan_ids except vlan_ids none remove vlan_ids all vlan vlan_ids add vlan_ids exceptvlan_ids none remove vlan_ids all 4 do show ...

Page 767: ...ep 3 Example Switch config if range ipv6 snooping attach policy example_policy or Switch config if range ipv6 snooping attach policy example_policy vlan 222 223 224 or Switch config if range ipv6 snooping vlan 222 223 224 Confirms that the policy is attached to the specified interface without exiting the configuration mode do show running config interfaceportchannel_interface_name Example Switch c...

Page 768: ...interface_type stack module port hw_address reachable lifetimevalue seconds default infinite tracking default disable Step 2 reachable lifetimevalue seconds default infinite enable reachable lifetimevalue seconds default infinite retry interval seconds default reachable lifetimevalue seconds default infinite Example Switch config ipv6 neighbor binding Specifies the maximum number of entries that a...

Page 769: ...e 6 sec level minimum value 7 tracking enable reachable lifetime value infinite disable stale lifetime value infinite 8 trusted port 9 validate source mac 10 no device role drop unsecure limit address count sec level minimum tracking trusted port validate source mac 11 default device role drop unsecure limit address count sec level minimum tracking trusted port validate source mac 12 do show ipv6 ...

Page 770: ...he default tracking policy on a port tracking enable reachable lifetime value infinite disable stale lifetime value infinite Step 7 Example Switch config nd inspection tracking disable stale lifetime infinite Configures a port to become a trusted port trusted port Example Switch config nd inspection trusted port Step 8 Checks the source media access control MAC address against the link layer addre...

Page 771: ...n_ids add vlan_ids except vlan_ids none remove vlan_ids all vlan vlan_ids add vlan_ids exceptvlan_ids none remove vlan_ids all 4 do show running config DETAILED STEPS Purpose Command or Action Enters the global configuration mode configure terminal Example Switch configure terminal Step 1 Specifies an interface type and identifier enters the interface configuration mode interface Interface_type st...

Page 772: ...p Security in IPv6 on page 678 How to Attach an IPv6 Neighbor Discovery Inspection Policy to a Layer 2 EtherChannel Interface Beginning in privileged EXEC mode follow these steps to attach an IPv6 Neighbor Discovery Inspection policy on an EtherChannel interface or VLAN SUMMARY STEPS 1 configure terminal 2 interface range Interface_name 3 ipv6 nd inspection attach policy policy_name vlan vlan_ids ...

Page 773: ...n_ids all vlan vlan_ids add vlan_ids exceptvlan_ids none remove vlan_ids all Step 3 Example Switch config if range ipv6 nd inspection attach policy example_policy or Switch config if range ipv6 nd inspection attach policy example_policy vlan 222 223 224 or Switch config if range ipv6 nd inspection vlan 222 223 224 Confirms that the policy is attached to the specified interface without exiting the ...

Page 774: ... suppress in IPv6 DAD proxy mode mode dad proxy Step 4 Enables Neighbor Discovery suppress to proxy multicast and unicast Neighbor Solicitation messages mode full proxy Step 5 Enables Neighbor Discovery suppress to proxy multicast Neighbor Solicitation messages mode mc proxy Step 6 Related Topics Information about First Hop Security in IPv6 on page 678 How to Attach an IPv6 Neighbor Discovery Mult...

Page 775: ...nfigure terminal Step 2 Specifies an interface type and number and places the device in interface configuration mode Attaches the IPv6 Neighbor Discovery Multicast Policy to an interface or a VLAN Perform one of the following tasks Step 3 interface type number ipv6 nd inspection attach policy policy_name vlan add except none remove all vlan vlan1 vlan2 vlan3 OR vlan configuration vlan id ipv6 nd i...

Page 776: ...all vlan vlan1 vlan2 vlan3 4 exit DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Example Switch enable Step 1 Enters the global configuration mode configure terminal Step 2 Specifies an interface type and port number and places the switch in the port channel configuration mode Perform one of the following tasks Step 3 interface port cha...

Page 777: ...itch 4 no hop limit maximum minimum value 5 no managed config flag off on 6 no match ipv6 access list list ra prefix list list 7 no other config flag on off 8 no router preference maximum high medium low 9 no trusted port 10 default device role hop limit maximum minimum managed config flag match ipv6 access list ra prefix list other config flag router preference maximum trusted port 11 do show ipv...

Page 778: ...e value you specify Enables filtering of Router Advertisement messages by the Managed Address Configuration or M flag field A rouge RA message with no managed config flag off on Example Switch config nd raguard managed config flag on Step 5 an M field of 1 can cause a host to use a rogue DHCPv6 server If not configured this filter is disabled On Accepts and forwards RA messages with an M value of ...

Page 779: ...ue default device role hop limit maximum minimum managed config flag match ipv6 Step 10 access list ra prefix list other config flag router preference maximum trusted port Example Switch config nd raguard default hop limit Optional Displays the ND Guard Policy configuration without exiting the RA Guard policy configuration mode do show ipv6 nd raguard policy policy_name Example Switch config nd ra...

Page 780: ... VLANs on that ipv6 nd raguard attach policy policy_name vlan vlan_ids add vlan_ids except vlan_ids none remove vlan_ids all Step 3 interface The default policy is attached if the attach policy option is not used vlan vlan_ids add vlan_ids exceptvlan_ids none remove vlan_ids all Example Switch config if ipv6 nd raguard attach policy example_policy or Switch config if ipv6 nd raguard attach policy ...

Page 781: ...was created Enters the interface range configuration mode interface range Interface_name Example Switch config interface Po11 Step 2 Enter the do show interfaces summary command for quick reference to interface names and types Tip Attaches the RA Guard policy to the interface or the specified VLANs on that interface The default policy is attached if the attach policy option is not used ipv6 nd rag...

Page 782: ...ame 3 no device role client server 4 no match server access list ipv6 access list name 5 no match reply prefix list ipv6 prefix list name 6 no preference max limit min limit 7 no trusted port 8 default device role trusted port 9 do show ipv6 dhcp guard policy policy_name DETAILED STEPS Purpose Command or Action Enters the global configuration mode configure terminal Example Switch configure termin...

Page 783: ...x list ipv6 prefix list name Example Assume a preconfigured IPv6 prefix list Step 5 configured this check will be bypassed An empty prefix list is treated as a permit as follows Switch config ipv6 prefix list my_prefix permit 2001 0DB8 64 le 128 Configure DCHPv6 Guard to match prefix Switch config dhcp guard match reply prefix list my_prefix Configure max and min when device role is serverto filte...

Page 784: ...x list abc preference min 0 preference max 255 trusted port interface GigabitEthernet 0 2 0 switchport ipv6 dhcp guard attach policy pol1 vlan add 1 vlan 1 ipv6 dhcp guard attach policy pol1 show ipv6 dhcp guard policy pol1 Related Topics Information about First Hop Security in IPv6 on page 678 How to Attach an IPv6 DHCP Guard Policy to an Interface or a VLAN on an Interface Beginning in privilege...

Page 785: ..._ids all Example Switch config if ipv6 dhcp guard attach policy example_policy or Switch config if ipv6 dhcp guard attach policy example_policy vlan 222 223 224 or Switch config if ipv6 dhcp guard vlan 222 223 224 Confirms that the policy is attached to the specified interface without exiting the configuration mode do show running config interface Interface_type stack module port Example Switch co...

Page 786: ... Tip Attaches the DHCP Guard policy to the interface or the specified VLANs on that interface The default policy is attached if the attach policy option is not used ipv6 dhcp guard attach policy policy_name vlan vlan_ids add vlan_ids except vlan_ids none remove vlan_ids all vlan vlan_ids add vlan_ids exceptvlan_ids none remove vlan_ids all Step 3 Example Switch config if range ipv6 dhcp guard atta...

Page 787: ...cy configuration mode no ipv6 source guard policy policy_name Example Switch config ipv6 source guard policy example_policy Step 3 Optional Defines the IPv6 Source Guard policy deny global autoconf permit link local default exit no Step 4 deny global autoconf Denies data traffic from auto configured global addresses This is useful when all Example Switch config sisf sourceguard deny global autocon...

Page 788: ...op Security in IPv6 on page 678 How to Attach an IPv6 Source Guard Policy to an Interface SUMMARY STEPS 1 enable 2 configure terminal 3 interface Interface_type stack module port 4 ipv6 source guard attach policy policy_name 5 show ipv6 source guard policy policy_name DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Example Switch enable ...

Page 789: ...cy is applied show ipv6 source guard policy policy_name Example Switch config if show ipv6 source guard policy example_policy Step 5 Related Topics Information about First Hop Security in IPv6 on page 678 How to attach an IPv6 Source Guard Policy to a Layer 2 EtherChannel Interface SUMMARY STEPS 1 enable 2 configure terminal 3 interface port channel port channel number 4 ipv6 source guard attach p...

Page 790: ...ed show ipv6 source guard policy policy_name Example Switch config if show ipv6 source guard policy example_policy Step 5 Related Topics Information about First Hop Security in IPv6 on page 678 Examples How to attach an IPv6 Source Guard Policy to a Layer 2 EtherChannel Interface on page 712 How to Configure IPv6 Prefix Guard To allow routing protocol control packets sourced by a link local addres...

Page 791: ...ured no validate address Example Switch config sisf sourceguard no validate address Step 4 Enables IPv6 source guard to perform the IPv6 prefix guard operation validate prefix Example Switch config sisf sourceguard validate prefix Step 5 Exits switch integrated security features source guard policy configuration mode and returns to privileged EXEC mode exit Example Switch config sisf sourceguard e...

Page 792: ...nterface Interface_type stack module port Example Switch config interface gigabitethernet 1 1 4 Step 3 Attaches the IPv6 Source Guard policy to the interface The default policy is attached if the attach policy option is not used ipv6 source guard attach policy policy_name Example Switch config if ipv6 source guard attach policy example_policy Step 4 Shows the policy configuration and all the inter...

Page 793: ...el port channel number Example Switch config interface Po4 Step 3 Attaches the IPv6 Source Guard policy to the interface The default policy is attached if the attach policy option is not used ipv6 source guard attach policy policy_name Example Switch config if ipv6 source guard attach policy example_policy Step 4 Shows the policy configuration and all the interfaces where the policy is applied sho...

Page 794: ... to a Layer 2 EtherChannel Interface Switch configure terminal Switch config ipv6 source guard policy POL Switch config sisf sourceguard no validate address Switch config sisf sourceguard validate prefix Switch config interface Po4 Switch config if ipv6 snooping Switch config if ipv6 source guard attach policy POL Related Topics How to attach an IPv6 Prefix Guard Policy to a Layer 2 EtherChannel I...

Page 795: ...w cisco com support The Cisco Support website provides extensive online resources including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services News...

Page 796: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 714 Additional References ...

Page 797: ...ver Load Balancing page 945 RADIUS Change of Authorization Support page 961 Configuring Kerberos page 979 Configuring Accounting page 1003 Configuring Local Authentication and Authorization page 1035 MAC Authentication Bypass page 1041 Password Strength and Management for Common Criteria page 1053 AAA SERVER MIB Set Operation page 1063 Configuring Secure Shell page 1069 Secure Shell Version 2 Supp...

Page 798: ...t for Filtering IP Options page 1235 VLAN Access Control Lists page 1245 Configuring DHCP page 1265 Configuring IP Source Guard page 1291 Configuring Dynamic ARP Inspection page 1299 Configuring IEEE 802 1x Port Based Authentication page 1319 Configuring Web Based Authentication page 1415 Auto Identity page 1453 Configuring Port Based Traffic Control page 1465 Configuring FIPS page 1515 Configurin...

Page 799: ...d the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to htt...

Page 800: ...nly one switch type in a stack or you can connect a mix of Catalyst 2960 X and Catalyst 2960 S switches in the stack The stack can have one of these configurations Homogeneous stack A Catalyst 2960 X stack with only Catalyst 2960 X switches as stack members A homogenous stack can have up to 8 stack members Mixed stack A stack with a mix of Catalyst 2960 X and Catalyst 2960 S switches A mixed stack...

Page 801: ...l ring stack becomes inoperable there is a disruption in the forwarding of packets and the stack moves to a half ring In a homogenous stack of Catalyst 2960 X switches this disruption of traffic or stack convergence time takes milliseconds In a mixed stack configuration the stack takes 1 to 2 seconds to reconverge When a single link in a full ring stack becomes inoperable there is a disruption in ...

Page 802: ...an identical model the new switch functions with exactly the same configuration as the replaced switch assuming that the new switch referred to as the provisioned switch is using the same member number as the replaced switch The operation of the switch stack continues uninterrupted during membership changes unless you remove the active switchstack master or you add powered on standalone switches o...

Page 803: ...adding or removing stack members make sure that the switch stack is operating at full bandwidth Press the Mode button on a stack member until the Stack mode LED is on The last two right port LEDs on all switches in the stack should be green Depending on the switch model the last two right ports are 10 Gigabit Ethernet ports or small form factor pluggable SFP module ports 10 100 1000 ports If one o...

Page 804: ...member to a different Switch stack the stack member retains its number only if the number is not being used by another member in the stack If it is being used the Switch selects the lowest available number in the stack If you merge Switch stacks the Switch that join the Switch stack of a new active switchstack master select the lowest available numbers in the stack As described in the hardware ins...

Page 805: ...iority value takes effect immediately but does not affect the current active switchstack master The new priority value helps determine which stack member is elected as the new active switchstack master when the current active switchstack master or the switch stack resets Switch Stack Bridge ID and MAC Address The MAC address of the active switchstack master determines the stack MAC address When th...

Page 806: ...tacks All stack members are eligible stack masters If the stack master becomes unavailable the remaining members elect a new stack master from among themselves The active switchstack master is elected or reelected based on one of these factors and in the order listed 1 The switch that is currently the active switchstack master 2 The switch with the highest stack member priority value We recommend ...

Page 807: ...tallation chapter in the hardware installation guide The new stack master becomes available after a few seconds In the meantime the switch stack uses the forwarding tables in memory to minimize network disruption The physical interfaces on the other available stack members are not affected during a new stack master election and reset After a new stack master is elected and the previous stack maste...

Page 808: ...ion to Provision a Stack Member You can use the offline configuration feature to provision to supply a configuration to a new switch before it joins the switch stack You can configure the stack member number the switch type and the interfaces associated with a switch that is not currently part of the stack The configuration that you create on the switch stack is called the provisioned configuratio...

Page 809: ... stack The stack member numbers and the Switch types match The switch stack applies the default configuration to the provisioned switch and adds it to the stack The provisioned configuration is changed to reflect the new information 1 If the stack member number of the provisioned switch matches the stack member number in the provisioned configuration on the stack but 2 The Switch type of the provi...

Page 810: ...the switch stack the configuration associated with the removed stack member remains in the running configuration as provisioned information To completely remove the configuration use the no switch stack member number provision global configuration command Stack Protocol Version Each software image includes a stack protocol version The stack protocol version has a major version number and a minor v...

Page 811: ...to upgrade is enabled the boot auto copy sw global configuration command is enabled You can disable auto upgrade by using the no boot auto copy sw global configuration command on the stack master You can check the status of auto upgrade by using the show boot privileged EXEC command and by checking the Auto upgrade line in the display Auto upgrade includes an auto copy process and an auto extract ...

Page 812: ...that there are no other system messages generated by the switch This example shows that the switch stack detected a new switch that is running a different minor version number than the switch stack Auto copy starts finds suitable software to copy from a stack member to the switch in VM mode upgrades the switch in VM mode and then reloads it Mar 11 20 31 19 247 STACKMGR 6 STACK_LINK_CHANGE Stack Po...

Page 813: ...GR 6 AUTO_COPY_SW Requested system reload in progress Mar 11 20 36 15 038 IMAGEMGR 6 AUTO_COPY_SW Software successfully copied to Mar 11 20 36 15 038 IMAGEMGR 6 AUTO_COPY_SW system s 1 Mar 11 20 36 15 038 IMAGEMGR 6 AUTO_COPY_SW Done copying software Mar 11 20 36 15 038 IMAGEMGR 6 AUTO_COPY_SW Reloading system s 1 This example shows that the switch stack detected a new switch that is running a dif...

Page 814: ...mode exist the switch stack first attempts to resolve the VM mode condition For more information about SDM templates see the Catalyst 2960 X Switch System Management Configuration Guide Switch Stack Management Connectivity You manage the switch stack and the stack member interfaces through the active switchstack master You can use the CLI SNMP and supported network management applications such as ...

Page 815: ... PC to the active switchstack master through the Ethernet management ports of one or more stack members For more information about connecting to the switch stack through Ethernet management ports see the Using the Ethernet Management Port section You can connect to the active switchstack master by connecting a terminal or a PC to the stack master through the console port of one or more stack membe...

Page 816: ...no value to set the default delay of approximately 4 minutes We recommend that you always enter a value If the command is entered without a value the time delay appears in the running config file with an explicit timer value of 4 minutes Enter 0 to continue using the MAC address of the current active switchstack master indefinitely The stack MAC address of the previous active switchstack master is...

Page 817: ...tup config What to Do Next Use the no stack mac persistent timer global configuration command to disable the persistent MAC address feature Assigning a Stack Member Number This optional task is available only from the active switchstack master Follow these steps to assign a member number to a stack member SUMMARY STEPS 1 enable 2 configure terminal 3 switch current stack member number renumber new...

Page 818: ...sing the show switch user EXEC command Returns to privileged EXEC mode end Example Switch config end Step 4 Resets the stack member reload slot stack member number Example Switch reload slot 4 Step 5 Verify the stack member number show switch Example showSwitch Step 6 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup...

Page 819: ...itch stack member number priority new priority number Example Switch switch 3 priority 2 Step 3 You can display the current priority value by using the show switch user EXEC command The new priority value takes effect immediately but does not affect the current active switchstack master The new priority value helps determine which stack member is elected as the new active switchstack master when t...

Page 820: ...u add a 2960 S switch to the stack Otherwise the switches will not stack SUMMARY STEPS 1 configure terminal 2 switch stack port speed 10 3 end 4 copy running config startup config 5 reload DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Switch configure terminal Step 1 Sets the stack port speed to 10 Gbps switch stack port speed 10 Example Switc...

Page 821: ...TAILED STEPS Purpose Command or Action Displays summary information about the switch stack show switch Example Switch show switch Step 1 Enters global configuration mode configure terminal Example Switch configure terminal Step 2 Specifies the stack member number for the preconfigured switch By default no switches are provisioned switch stack member number provision type Example Switch config swit...

Page 822: ...d switch from the stack This optional task is available only from the active switchstack master SUMMARY STEPS 1 configure terminal 2 no switch stack member number provision 3 end 4 copy running config startup config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Switch configure terminal Step 1 Removes the provisioning information for the speci...

Page 823: ...nal task is for debugging purposes and is available only from the active switchstack master You can access all or specific members by using the remote command all stack member number privileged EXEC command The stack member number range is 1 to 8 You can access specific members by using the session stack member number privileged EXEC command The member number is appended to the system prompt For e...

Page 824: ...EPS Purpose Command or Action Disables the specified stack port switch stack member number stack port port number disable Step 1 Example Switch switch 2 stack port 1 disable Reenables the stack port switch stack member number stack port port number enable Example Switch switch 2 stack port 1 enable Step 2 When you disable a stack port and the stack is in the full ring state you can disable only on...

Page 825: ...e switches to reload If Switch 4 is powered on first you might need to enter the switch 1 stack port 1 enable and the switch 4 stack port 2 enable privileged EXEC commands to bring up the link Caution Monitoring the Switch Stack Table 82 Commands for Displaying Stack Information Description Command Displays stack port counters or per interface and per stack port send and receive statistics read fr...

Page 826: ...s Result Scenario Only one of the two stack mastersactive switches becomes the new active switchstack master Connect two powered on switch stacks through the StackWise 480stack ports Stack masterActive switch election specifically determined by existing stack mastersactive switches The stack member with the higher priority value is elected active switchstack master 1 Connect two switches through t...

Page 827: ...ember number The other stack member has a new stack member number Assuming that one stack member has a higher priority value than the other stack member 1 Ensure that both stack members have the same stack member number If necessary use the switch current stack member number renumber new stack member number global configuration command 2 Restart both stack members at the same time Stack member num...

Page 828: ...witchover until the MAC WARNING persistency timer expires During this time the Network WARNING Administrators must make sure that the old stack mac does WARNING not appear elsewhere in this network domain If it does WARNING user traffic may be blackholed Switch config end Switch show switch Switch Stack Mac Address 0016 4727 a900 Mac persistency wait time 7 mins H W Current Switch Role Mac Address...

Page 829: ...co com cgi bin Support Errordecoder index cgi To help you research and resolve system error messages in this release use the Error Message Decoder tool Standards and RFCs Title Standard RFC None MIBs MIBs Link MIB To locate and download MIBs for selected platforms Cisco IOS releases and software images use Cisco MIB Locator found at the following URL http www cisco com go mibs All supported MIBs f...

Page 830: ...security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalys...

Page 831: ...eb authentication login screen IEEE 802 1x Authentication with ACLs and the RADIUS Filter Id Attribute Password protected access read only and read write access to management interfaces device manager Network Assistant and the CLI for protection against unauthorized configuration changes Multilevel security for a choice of security level notification and resulting actions Static MAC addressing for...

Page 832: ...llow a dynamic voice VLAN on an MDA enabled port VLAN assignment for restricting 802 1x authenticated users to a specified VLAN Support for VLAN assignment on a port configured for multi auth mode The RADIUS server assigns a VLAN to the first host to authenticate on the port and subsequent hosts use the same VLAN Voice VLAN assignment is supported for one IP phone Port security for controlling acc...

Page 833: ...uthentication methods that a port tries when authenticating a new host Multiple user authentication to allow more than one host to authenticate on an 802 1x enabled port TACACS a proprietary feature for managing network security through a TACACS server for both IPv4 and IPv6 RADIUS for verifying the identity of granting access to and tracking the actions of remote users through authentication auth...

Page 834: ...ge the port host mode and to apply a standard port configuration on the authenticator switch port VLAN ID based MAC authentication to use the combined VLAN and MAC address information for user authentication to prevent network access from unauthorized VLANs MAC move to allow hosts including the hosts connected behind an IP phone to move across ports within the same switch without any restrictions ...

Page 835: ... the network through a serial port or connect through a terminal or workstation from within the local network To prevent unauthorized access into your switch you should configure one or more of these security features At a minimum you should configure passwords and privileges at each switch port These passwords are locally stored on the switch When users attempt to access the switch through a port...

Page 836: ...r of unsuccessful attempts are made For more information see the Cisco IOS Login Enhancements documentation Related Topics Configuring Username and Password Pairs on page 765 TACACS and Switch Access on page 777 Setting a Telnet Password for a Terminal Line on page 764 Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 754 Preventing Unauthorized Access ...

Page 837: ...lease To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not...

Page 838: ...d Security To provide an additional layer of security particularly for passwords that cross the network or that are stored on a Trivial File Transfer Protocol TFTP server you can use either the enable password or enable secret global configuration commands Both commands accomplish the same thing that is you can establish an encrypted password that users must enter to access privileged EXEC mode th...

Page 839: ...opics Disabling Password Recovery on page 762 Restrictions for Controlling Switch Access with Passwords and Privileges on page 755 Terminal Line Telnet Configuration When you power up your switch for the first time an automatic setup program runs to assign IP information and to create a default configuration for continued use The setup program also prompts you to configure your switch for Telnet a...

Page 840: ...ute that password to a more restricted group of users Command Privilege Levels When you set a command to a privilege level all commands whose syntax is a subset of that command are also set to that level For example if you set the show ip traffic command to level 15 the show commands and show ip commands are automatically set to privilege level 15 unless you set them individually to different leve...

Page 841: ...allows spaces but secret321 ignores leading spaces It can contain the question mark character if you precede the question mark with the key combination Crtl v when you create the password for example to create the password abc 123 do this 1 Enter abc 2 Enter Crtl v 3 Enter 123 When the system prompts you to enter the enable password you need not precede the question mark with the Ctrl v you can si...

Page 842: ...ny privilege level you specify SUMMARY STEPS 1 enable 2 configure terminal 3 Use one of the following enable password level level password encryption type encrypted password enable secret level level password encryption type encrypted password 4 service password encryption 5 end 6 show running config 7 copy running config startup config DETAILED STEPS Purpose Command or Action Enables privileged E...

Page 843: ...ading spaces By default no password is defined Optional For encryption type only type 5 a Cisco proprietary encryption algorithm is available If you specify or Switch config enable secret level 1 password secret123sample an encryption type you must provide an encrypted password an encrypted password that you copy from another switch configuration If you specify an encryption type and then enter a ...

Page 844: ...p copy of the configuration file on a secure server in case the end user interrupts the boot process and sets the system back to default values Do not keep a backup copy of the configuration file on the switch If the switch is operating in VTP transparent mode we recommend that you also keep a backup copy of the VLAN database file on a secure server When the switch is returned to the default syste...

Page 845: ...sible by any user Returns to privileged EXEC mode end Example Switch config end Step 4 Verifies your entries show running config Example Switch show running config Step 5 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 6 What to Do Next To re enable password recovery use the service password recovery gl...

Page 846: ... EXEC mode you will be prompted for it Note Enters privileged EXEC mode enable Example Switch enable Step 1 Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Configures the number of Telnet sessions lines and enters line configuration mode line vty 0 15 Example Switch config line vty 0 15 Step 3 There are 16 possible sessions on a command capable Swit...

Page 847: ...ing config startup config Example Switch copy running config Step 7 startup config Related Topics Preventing Unauthorized Access on page 753 Terminal Line Telnet Configuration on page 757 Example Setting a Telnet Password for a Terminal Line on page 772 Configuring Username and Password Pairs Follow these steps to configure username and password pairs Consolidated Platform Configuration Guide Cisc...

Page 848: ...allowed Example Switch config username adamsample You can configure a maximum of 12000 clients each for both username and MAC filter privilege 1 password secret456 Switch config username 111111111111 mac attribute Optional For level specify the privilege level the user has after gaining access The range is 0 to 15 Level 15 gives privileged EXEC mode access Level 1 gives user EXEC mode access For e...

Page 849: ... EXEC mode end Example Switch config end Step 6 Verifies your entries show running config Example Switch show running config Step 7 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config Step 8 startup config Related Topics Preventing Unauthorized Access on page 753 Username and Password Pairs on page 757 Setting the Privilege Le...

Page 850: ... configuration mode 14 configure For level the range is from 0 to 15 Level 1 is for normal user EXEC mode privileges Level 15 is the level of access permitted by the enable password For command specify the command to which you want to restrict access Specifies the password to enable the privilege level enable password level level password Step 4 Example Switch config enable password level For leve...

Page 851: ...nging the Default Privilege Level for Lines Follow these steps to change the default privilege level for the specified line SUMMARY STEPS 1 enable 2 configure terminal 3 line vty line 4 privilege level level 5 end 6 copy running config startup config DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Example Switch enable Step 1 Consolidate...

Page 852: ...ch copy running config startup config Step 6 What to Do Next Users can override the privilege level you set using the privilege level line configuration command by logging in to the line and enabling a different privilege level They can lower the privilege level by using the disable command If users know the password to a higher privilege level they can use that password to enable the higher privi...

Page 853: ...ted Topics Privilege Levels on page 757 Monitoring Switch Access Table 85 Commands for Displaying DHCP Information Displays the privilege level configuration show privilege Configuration Examples for Setting Passwords and Privilege Levels Example Setting or Changing a Static Enable Password This example shows how to change the enable password to l1u2c3k4y5 The password is not encrypted and provide...

Page 854: ...n89 Switch config line vty 10 Switch config line password let45me67in89 Related Topics Setting a Telnet Password for a Terminal Line on page 764 Terminal Line Telnet Configuration on page 757 Example Setting the Privilege Level for a Command This example shows how to set the configure command to privilege level 14 and define SecretPswd14 as the password users must enter to use level 14 commands Sw...

Page 855: ...cisco com support The Cisco Support website provides extensive online resources including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsle...

Page 856: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 774 Additional References ...

Page 857: ...re Information Your software release may not support all the features documented in this module For the latest caveats and feature information see Bug Search Tool and the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the feature information table at the e...

Page 858: ...ntication before proceeding to TACACS authorization To use any of the AAA commands listed in this section or elsewhere you must first enable AAA with the aaa new model command At a minimum you must identify the host or hosts maintaining the TACACS daemon and define the method lists for TACACS authentication You can optionally define method lists for TACACS authorization and accounting The method l...

Page 859: ...ication that provides centralized validation of users attempting to gain access to your switch TACACS provides for separate and modular authentication authorization and accounting facilities TACACS allows for a single access control server the TACACS daemon to provide each service authentication authorization and accounting independently Each service can be tied into its own database to take advan...

Page 860: ... send messages to user screens For example a message could notify users that their passwords must be changed because of the company s password aging policy Authorization Provides fine grained control over user capabilities for the duration of the user s session including but not limited to setting autocommands access control session duration or protocol support You can also enforce restrictions on...

Page 861: ...etween the daemon and the switch If an ERROR response is received the switch typically tries to use an alternative method for authenticating the user CONTINUE The user is prompted for additional authentication information After authentication the user undergoes an additional authorization phase if authorization has been enabled on the switch Users must first successfully complete TACACS authentica...

Page 862: ...plemented Table 86 Supported TACACS Authentication and Authorization AV Pairs 12 2 12 1 12 0 11 3 11 2 11 1 11 0 Description Attribute yes yes yes yes yes yes yes ASCII number representing a connection access list Used only when service shell acl x yes yes yes yes yes yes yes A network address Used with service slip service ppp and protocol ip Contains the IP address that the remote host should us...

Page 863: ... 12 0 11 3 11 2 11 1 11 0 Description Attribute yes yes yes yes yes yes yes addr pool x Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 781 Information About TACACS ...

Page 864: ...local pooling It specifies the name of a local pool which must be preconfigured on the network access server Use the ip local pool command to declare local pools For example ip address pool local ip local pool boo 10 0 0 1 10 0 0 10 ip local pool moo 10 0 0 1 10 0 0 20 You can then use TACACS to return Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 78...

Page 865: ... you want to get this remote node s address yes yes yes yes yes yes yes Specifies an autocommand to be executed at EXEC startup for example autocmd telnet example com Used only with service shell autocmd x Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 783 Information About TACACS ...

Page 866: ...get the dial string through other means Used with service arap service slip service ppp service shell Not valid for ISDN callback dialstring yes yes yes yes yes yes no The number of a TTY line to use for callback for example callback line 4 Used with service arap service slip service ppp service shell Not valid for ISDN callback line Consolidated Platform Configuration Guide Cisco IOS Release 15 2...

Page 867: ... shell Not valid for ISDN callback rotary yes yes yes yes yes yes yes An argument to a shell EXEC command This indicates an argument for the shell command that is to be run Multiple cmd arg attributes can be specified and they are order dependent This T A C A C S AV pair cannot be used with RADIUS attribute 26 Note cmd arg x Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Cata...

Page 868: ...e indicates that the shell itself is being referred to This T A C A C S AV pair cannot be used with RADIUS attribute 26 Note cmd x yes yes no no no no no Used with the service outbound and protocol ip data service yes yes no no no no no Defines the number to dial Used with the service outbound and protocol ip dial number Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst...

Page 869: ...uested by Microsoft PPP clients from the network access server during IPCP negotiation To be used with service ppp and protocol ip The IP address identifying each DNS server is entered in dotted decimal format dns servers Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 787 Information About TACACS ...

Page 870: ...ted as false Used with the service outbound and protocol ip force 56 yes yes yes yes yes no no Specifies the password for the home gateway during the L2F tunnel authentication Used with service ppp and protocol vpdn gw password yes yes yes yes yes yes no Sets a value in minutes after which an idle session is terminated A value of zero indicates no timeout idletime x Consolidated Platform Configura...

Page 871: ...p and protocol ip and service service ppp and protocol ipx Per user access lists do not currently work with ISDN interfaces inacl n yes yes yes yes yes yes yes ASCII identifier for an interface input access list Used with service ppp and protocol ip Per user access lists do not currently work with ISDN interfaces inacl x Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst...

Page 872: ...of the attributes are allowed but each instance must have a unique number Used with service ppp and protocol lcp This attribute replaces the interface config attribute Note interface config n yes yes yes yes yes no no Space separated list of possible IP addresses that can be used for the end point of a tunnel Used with service ppp and protocol vpdn ip addresses Consolidated Platform Configuration ...

Page 873: ...n of a new L2TP session that finds no pre cloned interface to which to connect If the attribute is true the default the session will be disconnected by the LNS Otherwise a new interface will be cloned from the virtual template Used with service ppp and protocol vpdn l2tp busy disconnect Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 791 Information Ab...

Page 874: ... vpdn l2tp cm local window size yes yes no no no no no Respects sequence numbers on data packets by dropping those that are received out of order This does not ensure that sequence numbers will be sent on data packets just how to handle them if they are received Used with service ppp and protocol vpdn l2tp drop out of order Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catal...

Page 875: ...hello interval yes yes no no no no no When enabled sensitive AVPs in L2TP control messages are scrambled or hidden Used with service ppp and protocol vpdn l2tp hidden avp yes yes no no no no no Specifies the number of seconds that a tunnel will stay active with no sessions before timing out and shutting down Used with service ppp and protocol vpdn l2tp nosession timeout Consolidated Platform Confi...

Page 876: ...nd protocol vpdn l2tp tos reflect yes yes no no no no no If this attribute is set it performs L2TP tunnel authentication Used with service ppp and protocol vpdn l2tp tunnel authen yes yes no no no no no Shared secret used for L2TP tunnel authentication and AVP hiding Used with service ppp and protocol vpdn l2tp tunnel password Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Ca...

Page 877: ...ult is no Used with service ppp and protocol vpdn l2tp udp checksum yes yes yes yes no no no Defines whether to turn on or turn off stac compression over a PPP link Used with service ppp Link compression is defined as a numeric value as follows 0 None 1 Stac 2 Stac Draft 9 3 MS Stac link compression Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 795 I...

Page 878: ...ad goes below the specified value links are deleted Used with service ppp and protocol multilink The range for n is from 1 to 255 load threshold n yes yes no no no no no Allows the user profile to reference information configured in a map class of the same name on the network access server that dials out Used with the service outbound and protocol ip map class Consolidated Platform Configuration G...

Page 879: ...ax links n yes yes no no no no no Sets the minimum number of links for MLP Used with service ppp and protocol multilink protocol vpdn min links yes yes yes yes yes no no Specifies the password for the network access server during the L2F tunnel authentication Used with service ppp and protocol vpdn nas password Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Sw...

Page 880: ... with service arap service slip service ppp service shell There is no authentication on callback Not valid for ISDN nocallback verify yes yes yes yes yes yes yes Prevents user from using an escape character Used with service shell Can be either true or false for example noescape true noescape x Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 798 Inform...

Page 881: ...Can be either true or false for example nohangup false nohangup x yes yes yes yes yes yes yes Allows providers to make the prompts in TACACS appear identical to those of earlier systems TACACS and Extended TACACS This allows administrators to upgrade from TACACS or Extended TACACS to TACACS transparently to users old prompts Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Cata...

Page 882: ...installed and applied to an interface for the duration of the current condition Used with service ppp and protocol ip and service service ppp and protocol ipx Per user access lists do not currently work with ISDN interfaces outacl n Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 800 Information About TACACS ...

Page 883: ...P output access list for SLIP or PPP IP for example outacl 4 The access list itself must be preconfigured on the router Per user access lists do not currently work with ISDN interfaces outacl x yes yes yes yes no no no Defines IP address pools on the network access server Used with service ppp and protocol ip pool def n Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst ...

Page 884: ... negotiation if an IP pool name is specified for a user see the addr pool attribute a check is made to see if the named pool is defined on the network access server If it is the pool is consulted for an IP address Used with service ppp and protocol ip pool timeout Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 802 Information About TACACS ...

Page 885: ... y n c h r o n o u s 2 I S D N S y n c h r o n o u s 3 I S D N A s y n c h r o n o u s V 120 4 ISDN A s y n c h r o n o u s V 110 5 Virtual Used with service any and protocol aaa port type yes yes yes yes no no no Instructs the Cisco router not to use slot compression when sending VJ compressed packets over a PPP link ppp vj slot compression Consolidated Platform Configuration Guide Cisco IOS Rele...

Page 886: ...highest priv lvl x yes yes yes yes yes yes yes A protocol that is a subset of a service An example would be any PPP NCP Currently known values are lcp ip ipx atalk vines lat xremote tn3270 telnet rlogin pad vpdn osicp deccp ccp cdp bridging xns nbf bap multilink and unknown protocol x Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 804 Information Abou...

Page 887: ...amic ACLs by using the authentication proxy feature so that users can have the configured authorization to permit traffic going through the configured interfaces Used with the service shell and protocol exec proxyacl n Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 805 Information About TACACS ...

Page 888: ...12 1 12 0 11 3 11 2 11 1 11 0 Description Attribute yes yes yes yes yes yes no route Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 806 Information About TACACS ...

Page 889: ...static route to be installed by TACACS as follows route dst_address mask gateway This indicates a temporary static route that is to be applied The dst_address mask and gateway are expected to be in the usual dotted decimal notation with the same meanings as in the familiar ip route configuration command on a network Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960...

Page 890: ...ates yes yes yes yes no no no Like the route AV pair this specifies a route to be applied to an interface but these routes are numbered allowing multiple routes to be applied Used with service ppp and protocol ip and service ppp and protocol ipx route n Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 808 Information About TACACS ...

Page 891: ...LIP and PPP commands Can either be true or false for example routing true routing x yes yes yes yes no no no Specifies an input access list definition to be installed and applied to routing updates on the current interface for the duration of the current connection Used with service ppp and protocol ip and with service ppp and protocol ipx rte fltr in n Consolidated Platform Configuration Guide Ci...

Page 892: ...of the current connection Used with service ppp and protocol ip and with service ppp and protocol ipx rte fltr out n yes yes yes yes no no no Specifies static Service Advertising Protocol SAP entries to be installed for the duration of a connection Used with service ppp and protocol ipx sap n Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 810 Informat...

Page 893: ...no Specifies an output SAP filter access list definition to be installed and applied on the current interface for the duration of the current connection Used with service ppp and protocol ipx sap fltr out n yes yes no no no no no Defines the protocol to use PAP or CHAP for username password authentication following CLID authentication Used with service any and protocol aaa send auth Consolidated P...

Page 894: ...p and protocol ip send secret yes yes yes yes yes yes yes The primary service Specifying a service attribute indicates that this is a request for authorization or accounting of that service Current values are slip ppp arap shell tty daemon connection and system This attribute must always be included service x Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Swit...

Page 895: ...as the source IP address of all VPDN packets generated as part of a VPDN tunnel This is equivalent to the Cisco vpdn outgoing global configuration command source ip x Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 813 Information About TACACS ...

Page 896: ...obile secure host addr configuration command Basically it contains the rest of the configuration command that follows that string verbatim It provides the Security Parameter Index SPI key authentication algorithm authentication mode and replay protection timestamp range Used with the service mobileip and protocol ip spi Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst ...

Page 897: ... with service arap timeout x yes yes yes yes yes no no Specifies the username that will be used to authenticate the tunnel over which the individual user MID will be projected This is analogous to the remote name in the vpdn outgoing command Used with service ppp and protocol vpdn tunnel id Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 815 Informatio...

Page 898: ...s yes yes yes yes yes yes A numeric zonelist value Used with service arap Specifies an AppleTalk zonelist for ARA for example zonelist 5 zonelist x See Configuring TACACS module for the documents used to configure TACACS and TACACS authentication and authorization TACACS Accounting AV Pairs The following table lists and describes the supported TACACS accounting AV pairs and specifies the Cisco IOS...

Page 899: ... are FAP Fax Application Process TIFF the TIFF reader or the TIFF writer fax mail client fax mail server ESMTP client or ESMTP server Abort Cause yes yes yes yes yes yes yes The number of input bytes transferred during this connection bytes_in yes yes yes yes yes yes yes The number of output bytes transferred during this connection bytes_out Consolidated Platform Configuration Guide Cisco IOS Rele...

Page 900: ...type of fax activity fax receive or fax send Call Type yes yes yes yes yes yes yes The command the user executed cmd This AV pair has been renamed See nas rx speed data rate Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 818 Information About TACACS ...

Page 901: ...enerating start records if disconnection occurs before authentication is performed Refer to the following table Disconnect Cause Extensions for a list of Disconnect Cause values and their meanings disc cause yes yes yes yes no no no Extends the disc cause attribute to support vendor specific reasons why a connection was taken off line disc cause ext Consolidated Platform Configuration Guide Cisco ...

Page 902: ...l Server Address yes yes no no no no no Indicates that the on ramp gateway has received a positive acknowledgment from the e mail server accepting the fax mail message Email Server Ack Flag yes yes yes yes yes yes yes Information included in the accounting packet that describes a state change in the router Events described are accounting starting and accounting stopping event Consolidated Platform...

Page 903: ...ndicates whether or not authentication for this fax session was successful Possible values for this field are success failed bypassed or unknown Fax Auth Status yes yes no no no no no Indicates the modem speed at which this fax mail was initially transmitted or received Possible values are 1200 4800 9600 and 14400 Fax Connect Speed Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4...

Page 904: ...Coverpage Flag yes yes no no no no no Indicates the address to which DSNs will be sent Fax Dsn Address yes yes no no no no no Indicates whether or not DSN has been enabled True indicates that DSN has been enabled false means that DSN has not been enabled Fax Dsn Flag yes yes no no no no no Indicates the address to which MDNs will be sent Fax Mdn Address Consolidated Platform Configuration Guide Ci...

Page 905: ... yes yes no no no no no Indicates the amount of time in seconds the modem sent fax data x and the amount of time in seconds of the total fax session y which includes both fax mail and PSTN time in the form x y For example 10 15 means that the transfer time took 10 seconds and the total fax session took 15 seconds Fax Modem T ime Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E ...

Page 906: ...es cover pages Fax Pages yes yes no no no no no Indicates that the fax session was aborted or successful True means that the session was aborted false means that the session was successful Fax Process Abort Flag yes yes no no no no no Indicates the number of recipients for this fax transmission Until e mail servers support Session mode the number should be 1 Fax Recipient Count Consolidated Platfo...

Page 907: ...ich are known to have been in a given multilink session at the time the accounting record is generated mlp links max yes yes yes yes no no no Reports the identification number of the multilink bundle when the session closes This attribute applies to sessions that are part of a multilink bundle This attribute is sent in authentication response packets mlp sess id Consolidated Platform Configuration...

Page 908: ...speed yes yes yes yes yes yes yes The number of input packets transferred during this connection paks_in yes yes yes yes yes yes yes The number of output packets transferred during this connection paks_out yes yes yes yes yes yes yes The port the user was logged in to port yes yes no no no no no Indicates the slot port number of the Cisco AS5300used to either transmit or receive this fax mail Port...

Page 909: ...ttribute is sent in accounting stop records pre bytes out yes yes yes yes no no no Records the number of input packets before authentication This attribute is sent in accounting stop records pre paks in yes yes yes yes no no no Records the number of output packets before authentication The Pre Output Packets attribute is sent in accounting stop records pre paks out Consolidated Platform Configurat...

Page 910: ...s yes yes yes yes yes yes The protocol associated with the action protocol yes yes yes yes yes yes yes Information included in the accounting packet that describes the event that caused a system change Events described are system reload system shutdown or when accounting is reconfigured turned on or off reason yes yes yes yes yes yes yes The service the user used service Consolidated Platform Conf...

Page 911: ...nds since the epoch The clock must be configured to receive this information stop_time yes yes yes yes yes yes yes Start and stop records for the same event must have matching unique task_id numbers task_id yes yes yes yes yes yes yes The time zone abbreviation for all timestamps included in this packet timezone This AV pair has been renamed See nas tx speed xmit rate Consolidated Platform Configu...

Page 912: ...disconnect 1001 No Disconnect yes yes yes yes no no no no The reason for the disconnect is unknown This code can appear when the remote connection goes down 1002 Unknown yes yes yes yes no no no no The call has disconnected 1003 Call Disconnect yes yes yes yes no no no no Calling line ID CLID authentication has failed 1004 CLID Auth Fail yes yes yes yes no no no no The modem is not available 1009 ...

Page 913: ...s yes no no no no The modem detected DCD but became inactive This code can appear if a disconnect occurs during the initial modem connection 1011 Lost Carrier yes yes yes yes no no no no The result codes could not be parsed This code can appear if a disconnect occurs during the initial modem connection 1012 No Modem Results Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catal...

Page 914: ...sconnects during a terminal server session 1020 TS User Exit yes yes yes yes no no no no The user exited from the terminal server because the idle timer expired This code is related to immediate Telnet and raw TCP disconnects during a terminal server session 1021 Idle Timeout Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 832 Information About TACACS ...

Page 915: ...TS Exit Telnet yes yes yes yes no no no no The user could not switch to Serial Line Internet Protocol SLIP or PPP because the remote host had no IP address or because the dynamic pool could not assign one This code is related to immediate Telnet and raw TCP disconnects during a terminal server session 1023 TS No IP Addr Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst ...

Page 916: ...a terminal server session 1024 TS TCP Raw Exit yes yes yes yes no no no no The login process ended because the user failed to enter a correct password after three attempts This code is related to immediate Telnet and raw TCP disconnects during a terminal server session 1025 TS Bad Password Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 834 Information...

Page 917: ...The login process ended because the user typed Ctrl C This code is related to immediate Telnet and raw TCP disconnects during a terminal server session 1027 TS CNTL C yes yes yes yes no no no no The terminal server session has ended This code is related to immediate Telnet and raw TCP disconnects during a terminal server session 1028 TS Session End Consolidated Platform Configuration Guide Cisco I...

Page 918: ... no no The virtual connection has ended This code is related to immediate Telnet and raw TCP disconnects during a terminal server session 1030 TS End Vconn yes yes yes yes no no no no The user exited normally from an Rlogin session This code is related to immediate Telnet and raw TCP disconnects during a terminal server session 1031 TS Rlogin Exit Consolidated Platform Configuration Guide Cisco IO...

Page 919: ...ng a terminal server session 1032 TS Rlogin Opt Invalid yes yes yes yes no no no no The access server has insufficient resources for the terminal server session This code is related to immediate Telnet and raw TCP disconnects during a terminal server session 1033 TS Insuff Resources Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 837 Information About ...

Page 920: ...040 PPP LCP Timeout yes yes yes yes no no no no There was a failure to converge on PPP LCP negotiations This code concerns PPP connections 1041 PPP LCP Fail yes yes yes yes no no no no PPP Password Authentication Protocol PAP authentication failed This code concerns PPP connections 1042 PPP Pap Fail Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 838 I...

Page 921: ... the remote server This code concerns PPP sessions 1044 PPP Remote Fail yes yes yes yes no no no no The peer sent a PPP termination request This code concerns PPP connections 1045 PPP Receive Term yes yes yes yes no no no no LCP got a close request from the upper layer while LCP was in an open state This code concerns PPP connections PPP LCP Close 1046 Consolidated Platform Configuration Guide Cis...

Page 922: ... it could not determine to which Multilink PPP bundle that it should add the user This code concerns PPP connections 1048 PPP MP Error yes yes yes yes no no no no LCP closed because the access server could not add any more channels to an MP session This code concerns PPP connections 1049 PPP Max Channels Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches ...

Page 923: ...tion than the Telnet and TCP codes listed earlier in this table 1050 TS Tables Full yes yes yes yes no no no no Internal resources are full This code relates to immediate Telnet and raw TCP disconnects and contains more specific information than the Telnet and TCP codes listed earlier in this table 1051 TS Resource Full Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst ...

Page 924: ...net and TCP codes listed earlier in this table 1052 TS Invalid IP Addr yes yes yes yes no no no no The access server could not resolve the host name This code relates to immediate Telnet and raw TCP disconnects and contains more specific information than the Telnet and TCP codes listed earlier in this table 1053 TS Bad Hostname Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E C...

Page 925: ...ts and contains more specific information than the Telnet and TCP codes listed earlier in this table 1054 TS Bad Port yes yes yes yes no no no no The host reset the TCP connection The TCP stack can return this disconnect code during an immediate Telnet or raw TCP session 1060 TCP Reset Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 843 Information Abo...

Page 926: ...s no no no no The TCP connection timed out The TCP stack can return this disconnect code during an immediate Telnet or raw TCP session 1062 TCP Timeout yes yes yes yes no no no no A foreign host closed the TCP connection The TCP stack can return this disconnect code during an immediate Telnet or raw TCP session 1063 TCP Foreign Host Close Consolidated Platform Configuration Guide Cisco IOS Release...

Page 927: ... The TCP host was unreachable The TCP stack can return this disconnect code during an immediate Telnet or raw TCP session 1065 TCP Host Unreachable yes yes yes yes no no no no The TCP network was administratively unreachable The TCP stack can return this disconnect code during an immediate Telnet or raw TCP session 1066 TCP Net Admin Unreachable Consolidated Platform Configuration Guide Cisco IOS ...

Page 928: ...hable yes yes yes yes no no no no The TCP port was unreachable The TCP stack can return this disconnect code during an immediate Telnet or raw TCP session 1068 TCP Port Unreachable yes yes yes yes no no no no The session timed out because there was no activity on a PPP link This code applies to all session types 1100 Session Timeout Consolidated Platform Configuration Guide Cisco IOS Release 15 2 ...

Page 929: ...n types 1102 Callback yes yes yes yes no no no no One end refused the call because the protocol was disabled or unsupported This code applies to all session types 1120 Unsupported yes yes yes yes no no no no The RADIUS server requested the disconnect 1150 Radius Disc yes yes yes yes no no no no The local administrator has disconnected 1151 Local Admin Disc Consolidated Platform Configuration Guide...

Page 930: ...ication timeout This code applies to PPP sessions 1170 PPP Auth Timeout yes yes yes yes no no no no The call disconnected as the result of a local hangup 1180 Local Hangup yes yes yes yes no no no no The call disconnected because the remote end hung up 1185 Remote Hangup yes yes yes yes no no no no The call disconnected because the T1 line that carried it was quiesced 1190 T1 Quiesced Consolidated...

Page 931: ...yes no no no no no no The user disconnected This value applies to virtual private dial up network VPDN sessions 1600 VPDN User Disconnect yes yes no no no no no no Carrier loss has occurred This code applies to VPDN sessions 1601 VPDN Carrier Loss yes yes no no no no no no There are no resources This code applies to VPDN sessions 1602 VPDN No Resources Consolidated Platform Configuration Guide Cis...

Page 932: ...no no no no no The tunnel is down or the setup failed This code applies to VPDN sessions 1605 VPDN Tunnel Down Setup Fail yes yes no no no no no no There was a local PPP disconnect This code applies to VPDN sessions 1606 VPDN Local PPP Disconnect yes yes no no no no no no New sessions cannot be established on the VPN tunnel This code applies to VPDN sessions 1607 VPDN Softshut Session Limit Consol...

Page 933: ... applies to VPDN sessions 1608 VPDN Call Redirected yes no no no no no no no The number has not been assigned This code applies to ISDN or modem calls that came in over ISDN 1801 Q850 Unassigned Number Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 851 Information About TACACS ...

Page 934: ... 12 0 11 3 11 2 11 1 11 0 Description Cause Codes yes no no no no no no no 1802 Q850 No Route Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 852 Information About TACACS ...

Page 935: ...gnize The equipment that is sending this code does not recognize the transit network because either the transit network does not exist or because that particular transit network while it does exist does not serve the equipment that is sending this code This code applies to ISDN or Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 853 Information About TA...

Page 936: ...esired This code applies to ISDN or modem calls that came in over ISDN 1803 Q850 No Route To Destination yes no no no no no no no The channel that has been most recently identified is not acceptable to the sending entity for use in this call This code applies to ISDN or modem calls that came in over ISDN 1806 Q850 Channel Unacceptable Consolidated Platform Configuration Guide Cisco IOS Release 15 ...

Page 937: ...eared because one of the users who is involved in the call has requested that the call be cleared This code applies to ISDN or modem calls that came in over ISDN 1816 Q850 Normal Clearing Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 855 Information About TACACS ...

Page 938: ...tion has been encountered This code may be generated by the called user or by the network In the case of the user the user equipment is compatible with the call This code applies to ISDN or modem calls that came in over ISDN 1817 Q850 User Busy Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 856 Information About TACACS ...

Page 939: ... allocated This code applies to ISDN or modem calls that came in over ISDN 1818 Q850 No User Responding yes no no no no no no no The called party has been alerted but does not respond with a connect indication within a prescribed period of time This code applies to ISDN or modem calls that came in over ISDN 1819 Q850 No User Answer Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4...

Page 940: ... 0 11 3 11 2 11 1 11 0 Description Cause Codes yes no no no no no no no 1821 Q850 Call Rejected Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 858 Information About TACACS ...

Page 941: ...de is neither busy nor incompatible This code may also be generated by the network indicating that the call was cleared due to a supplementary service constraint The diagnostic field may contain additional information about the supplementary service and reason for rejection This code applies to ISDN or Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 85...

Page 942: ... indicated for the called party is no longer assigned The new called party number may optionally be included in the diagnostic field This code applies to ISDN or modem calls that came in over ISDN 1822 Q850 Number Changed Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 860 Information About TACACS ...

Page 943: ...he destination is not functioning correctly The term not functioning correctly indicates that a signaling message was unable to be delivered to the remote party This code applies to ISDN or modem calls that came in over ISDN 1827 Q850 Destination Out of Order Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 861 Information About TACACS ...

Page 944: ...r modem calls that came in over ISDN 1828 Q850 Invalid Number Format yes no no no no no no no This code is returned when a supplementary service that was requested by the user cannot be provided by the network This code applies to ISDN or modem calls that have come in over ISDN 1829 Q850 Facility Rejected Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches...

Page 945: ...n over ISDN 1830 Q850 Responding to Status Enquiry yes no no no no no no no No other code applies This code applies to ISDN or modem calls that came in over ISDN 1831 Q850 Unspecified Cause yes no no no no no no no No circuit or channel is available to handle the call This code applies to ISDN or modem calls that came in over ISDN 1834 Q850 No Circuit Available Consolidated Platform Configuration ...

Page 946: ...to ISDN or modem calls that came in over ISDN 1838 Q850 Network Out of Order yes no no no no no no no The network is not functioning correctly and the condition is not likely to last a long period of time This code applies to ISDN or modem calls that came in over ISDN 1841 Q850 Temporary Failure Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 864 Infor...

Page 947: ... 1842 Q850 Network Congestion yes no no no no no no no This code indicates that the network could not deliver access information to the remote user as requested This code applies to ISDN or modem calls that came in over ISDN 1843 Q850 Access Info Discarded Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 865 Information About TACACS ...

Page 948: ... by the other side of the interface This code applies to ISDN or modem calls that came in over ISDN 1844 Q850 Requested Channel Not Available yes no no no no no no no The call was preempted This code applies to ISDN or modem calls that came in over ISDN 1845 Q850 Call Pre empted Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 866 Information About TACA...

Page 949: ...available class applies This code applies to ISDN or modem calls that came in over ISDN 1847 Q850 Resource Unavailable yes no no no no no no no Not a subscribed facility This code applies to ISDN or modem calls that came in over ISDN 1850 Q850 Facility Not Subscribed Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 867 Information About TACACS ...

Page 950: ... or modem calls that came in over ISDN 1852 Q850 Outgoing Call Barred yes no no no no no no no Although the called party is a member of the closed user group for the incoming closed user group call incoming calls are not allowed to this member This code applies to ISDN or modem calls that have come in over ISDN Q850 Incoming Call Barred 1854 Consolidated Platform Configuration Guide Cisco IOS Rele...

Page 951: ... calls that have come in over ISDN 1858 Q850 Bearer Capability Not Available yes no no no no no no no The code is used to report a service or option not available event only when no other code in the service or option not available class applies This code applies to ISDN or modem calls that have come in over ISDN 1863 Q850 Service Not Available Consolidated Platform Configuration Guide Cisco IOS R...

Page 952: ... calls that have come in over ISDN 1865 Q850 Bearer Capability Not Implemented yes no no no no no no no The equipment that is sending this code does not support the channel type that was requested This code applies to ISDN or modem calls that have come in over ISDN 1866 Q850 Channel Not Implemented Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 870 In...

Page 953: ... ISDN 1869 Q850 Facility Not Implemented yes no no no no no no no The equipment that is sending this code has received a message having a call reference that is not currently in use on the user network interface This code applies to ISDN or modem calls that have come in over ISDN 1881 Q850 Invalid Call Reference Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X S...

Page 954: ...able to the sending entity for use in this call This code applies to ISDN or modem calls that have come in over ISDN This code applies to ISDN or modem calls that have come in over ISDN 1882 Q850 Channel Does Not Exist Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 872 Information About TACACS ...

Page 955: ...quest to establish a call that has low layer compatibility or other compatibility attributes that cannot be accommodated This code applies to ISDN or modem calls that have come in over ISDN 1888 Q850 Incompatible Destination Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 873 Information About TACACS ...

Page 956: ...ge that is missing an information element that must be present in the message before that message can be processed This code applies to ISDN or modem calls that have come in over ISDN 1896 Q850 Mandatory Info Element Is Missing Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 874 Information About TACACS ...

Page 957: ...does not recognize either because this is a message that is not defined or that is defined but not implemented by the equipment that is sending this code This code applies to ISDN or modem calls that have come in over ISDN 1897 Q850 Non Existent Message Type Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 875 Information About TACACS ...

Page 958: ...applies This code applies to ISDN or modem calls that have come in over ISDN 1898 Q850 Invalid Message yes no no no no no no no The information element not recognized This code applies to ISDN or modem calls that have come in over ISDN 1899 Q850 Bad Info Element Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 876 Information About TACACS ...

Page 959: ...mented however one or more fields in the information element are coded in such a way that has not been implemented by the equipment that is sending this code This code applies to ISDN or modem calls that have come in over ISDN 1900 Q850 Invalid Element Contents Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 877 Information About TACACS ...

Page 960: ...e in over ISDN 1901 Q850 Wrong Message for State yes no no no no no no no A procedure has been initiated by the expiration of a timer in association with error handling procedures This code applies to ISDN or modem calls that have come in over ISDN 1902 Q850 Recovery on Timer Expiration Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 878 Information Ab...

Page 961: ...that are not recognized because the information element identifiers or paramenter names are not defined or are defined but not implemented by the equipment that is sending this code This code applies to ISDN or modem calls that have come in over ISDN 1903 Q850 Info Element Error Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 879 Information About TACA...

Page 962: ...akes This code applies to ISDN or modem calls that have come in over ISDN 1927 Q850 Unspecified Internetworking Event Configuring AAA Server Group Selection Based on DNIS Cisco software allows you to authenticate users to a particular AAA server group based on the Dialed Number Identification Service DNIS number of the session Any phone line a regular home phone or a commercial T1 PRI line can be ...

Page 963: ...e AAA services The order of precedence is as follows Per DNIS If you configure the network access server to use DNIS to identify which server group provides AAA services then this method takes precedence over any additional AAA selection method Per interface If you configure the network access server per interface to use access lists to determine how a server provides AAA services this method take...

Page 964: ...uence and authentication methods to be queried to authenticate a user You can designate one or more security protocols to be used for authentication thus ensuring a backup system for authentication in case the initial method fails The software uses the first method listed to authenticate users if that method fails to respond the software selects the next authentication method in the method list Th...

Page 965: ...counting records Each accounting record contains accounting attribute value AV pairs and is stored on the security server This data can then be analyzed for network management client billing or auditing Default TACACS Configuration TACACS and AAA are disabled by default To prevent a lapse in security you cannot configure TACACS through a network management application When enabled TACACS can authe...

Page 966: ...r Enter this command multiple times to create a list of preferred tacacs server host hostname Example Switch config tacacs server host Step 3 hosts The software searches for hosts in the order in which you specify them For hostname specify the name or IP address of the host yourserver Enables AAA aaa new model Example Switch config aaa new model Step 4 Optional Defines the AAA server group with a ...

Page 967: ...config startup config Step 9 Configuring TACACS Login Authentication Follow these steps to configure TACACS login authentication Before You Begin To configure AAA authentication you define a named list of authentication methods and then apply that list to various ports To secure the switch for HTTP access by using AAA methods you must configure the switch with the ip http authentication aaa global...

Page 968: ... method list aaa authentication login default list name method1 method2 Step 4 To create a default list that is used when a named list is not specified in the login authentication command use the default keyword followed Example Switch config aaa authentication by the methods that are to be used in default situations The default method list is automatically applied to all ports login default tacac...

Page 969: ...ive local username database for authentication You must enter username information in the database by using the username name password global configuration command none Do not use any authentication for login Enters line configuration mode and configures the lines to which you want to apply the authentication list line console tty vty line number ending line number Example Switch config line 2 4 S...

Page 970: ...ypassed for authenticated users who log in through the CLI even if authorization has been configured Note Follow these steps to specify TACACS authorization for privileged EXEC access and network services SUMMARY STEPS 1 enable 2 configure terminal 3 aaa authorization network tacacs 4 aaa authorization exec tacacs 5 end 6 show running config 7 copy running config startup config DETAILED STEPS Purp...

Page 971: ...mple Switch config aaa authorization exec tacacs Step 4 The exec keyword might return user profile information such as autocommand information Returns to privileged EXEC mode end Example Switch config end Step 5 Verifies your entries show running config Example Switch show running config Step 6 Optional Saves your entries in the configuration file copy running config startup config Example Switch ...

Page 972: ...Step 2 Enables TACACS accounting for all network related service requests aaa accounting network start stop tacacs Example Switch config aaa accounting network start stop Step 3 tacacs Enables TACACS accounting to send a start record accounting notice at the beginning of a privileged EXEC process and a stop record at the end aaa accounting exec start stop tacacs Example Switch config aaa accountin...

Page 973: ...he default condition In some situations users might be prevented from starting a session on the console or terminal connection until after the system reloads which can take more than 3 minutes To establish a console or Telnet session with the router if the AAA server is unreachable when the router reloads use the no aaa accounting system guarantee first command Establishing a Session with a Router...

Page 974: ...face name 14 exit DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Enters global configuration mode configure terminal Example Device configure terminal Step 2 Configures a VRF table and enters VRF configuration mode ip vrf vrf name Example Device config ip vrf cisco Step 3 Creates routing and forwarding table...

Page 975: ...nfig if exit Step 9 Groups different TACACS server hosts into distinct lists and distinct methods and enters server group configuration mode aaa group server tacacs group name Example Device config aaa group server tacacs tacacs1 Step 10 Configures the IP address of the private TACACS server for the group server server private ip address name nat single connection port port number timeout seconds ...

Page 976: ...rform the following steps The debug commands may be used in any order Note SUMMARY STEPS 1 enable 2 debug tacacs authentication 3 debug tacacs authorization 4 debug tacacs accounting 5 debug tacacs packets DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Displays information about AAA TACACS authentication deb...

Page 977: ...CACS as the security protocol for PPP authentication using the default method list it also shows how to configure network authorization via TACACS aaa new model aaa authentication ppp default if needed group tacacs local aaa authorization network default group tacacs tacacs server host 10 1 2 3 tacacs server key goaway interface serial 0 ppp authentication chap default The lines in the preceding s...

Page 978: ...10 1 2 3 tacacs server key goaway interface serial 0 ppp authentication chap default The lines in the preceding sample configuration are defined as follows The aaa new model command enables the AAA security services The aaa authentication command defines a method list default to be used on serial interfaces running PPP The keyword default means that PPP authentication is applied by default to all ...

Page 979: ...eeded group tacacs local tacacs server host 10 1 2 3 tacacs server key goaway interface serial 0 ppp authentication chap default The lines in the preceding sample configuration are defined as follows The aaa new model command enables the AAA security services The aaa authentication command defines a method list default to be used on serial interfaces running PPP The keyword default means that PPP ...

Page 980: ...d applies the default method list to this line The following example shows the configuration for a TACACS daemon with an IP address of 10 2 3 4 and an encryption key of apple aaa new model aaa authentication login default group tacacs local tacacs server host 10 2 3 4 tacacs server key apple The lines in the preceding sample configuration are defined as follows The aaa new model command enables th...

Page 981: ...t the following URL http www cisco com go mibs Technical Assistance Link Description http www cisco com support The Cisco Support website provides extensive online resources including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies To receive security and technical information about your products you can subscribe to various services ...

Page 982: ...RF to be configured for authentication authorization and accounting AAA on TACACS servers The following commands were introduced or modified ip tacacs source interface ip vrf forwarding server group server private TACACS Cisco IOS 12 2 54 SG Cisco IOS 15 2 1 E Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 900 Feature Information for TACACS ...

Page 983: ...pport all the features documented in this module For the latest caveats and feature information see Bug Search Tool and the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator t...

Page 984: ... on the switch CoA can be used to identify a session and enforce a disconnect request The update affects only the specified session For RADIUS operation Users must first successfully complete RADIUS authentication before proceeding to RADIUS authorization if it is enabled Restrictions for Configuring RADIUS This topic covers restrictions for controlling Switch access with RADIUS General To prevent...

Page 985: ...ich applications support the RADIUS protocol such as in an access environment that uses a smart card access control system In one case RADIUS has been used with Enigma s security cards to validates users and to grant access to network resources Networks already using RADIUS You can add a Cisco Switch containing a RADIUS client to the network This might be the first step when you make a transition ...

Page 986: ...e RADIUS server ACCEPT The user is authenticated REJECT The user is either not authenticated and is prompted to re enter the username and password or access is denied CHALLENGE A challenge requires additional data from the user CHALLENGE PASSWORD A response requests the user to select a new password The ACCEPT or REJECT response is bundled with additional data that is used for privileged EXEC or n...

Page 987: ...switch use a shared secret text string to encrypt passwords and exchange responses To configure RADIUS to use the AAA security commands you must specify the host running the RADIUS server daemon and a secret text key string that it shares with the switch The timeout retransmission and encryption key values can be configured globally for all RADIUS servers on a per server basis or in some combinati...

Page 988: ...which is in the local user database or on the security server to configure the user s session The user is granted access to a requested service only if the information in the user profile allows it RADIUS Accounting The AAA accounting feature tracks the services that users are using and the amount of network resources that they are consuming When you enable AAA accounting the switch reports user a...

Page 989: ...or IDs and VSAs see RFC 2138 Remote Authentication Dial In User Service RADIUS Attribute 26 contains the following three elements Type Length String also known as data Vendor Id Vendor Type Vendor Length Vendor Data The figure below shows the packet format for a VSA encapsulated behind attribute 26 Figure 69 VSA Encapsulated Behind Attribute 26 It is up to the vendor to specify the format of their...

Page 990: ...ribute Attribute Description of the attribute Description Table 91 Vendor Specific RADIUS IETF Attributes Description Attribute Sub Type Number Vendor Specific Company Code Number MS CHAP Attributes Contains the response value provided by a PPP MS CHAP user in response to the challenge It is only used in Access Request packets This attribute is identical to the PPP CHAP Identifier RFC 2548 MSCHAP ...

Page 991: ...kets are sent when no data has been sent on a tunnel for the number of seconds configured here l2tp hello interval 1 9 26 When enabled sensitive AVPs in L2TP control messages are scrambled or hidden l2tp hidden avp 1 9 26 Specifies the number of seconds that a tunnel will stay active with no sessions before timing out and shutting down l2tp nosession timeout 1 9 26 Copies the IP ToS field from the...

Page 992: ...p aaa receive id or the mmoip aaa send id commands Fax Account Id Origin 3 9 26 Indicates a unique fax message identification number assigned by Store and Forward Fax Fax Msg Id 4 9 26 Indicates the number of pages transmitted or received during this fax session This page count includes cover pages Fax Pages 5 9 26 Indicates whether or not a cover page was generated by the off ramp gateway for thi...

Page 993: ... Indicates the number of recipients for this fax transmission Until e mail servers support Session mode the number should be 1 Fax Recipient Count 9 9 26 Indicates that the fax session was aborted or successful True means that the session was aborted false means that the session was successful Fax Process Abort Flag 10 9 26 Indicates the address to which DSNs will be sent Fax Dsn Address 11 9 26 I...

Page 994: ... the on ramp fax mail message Email Server Address 16 9 26 Indicates that the on ramp gateway has received a positive acknowledgment from the e mail server accepting the fax mail message Email Server Ack Flag 17 9 26 Indicates the name of the gateway that processed the fax session The name appears in the following format hostname domain name Gateway Id 18 9 26 Describes the type of fax activity fa...

Page 995: ... 26 Indicates the setup time for this connection in Coordinated Universal Time UTC formerly known as Greenwich Mean Time GMT and Zulu time Setup Time h323 setup time 25 9 26 Indicates the origin of the call relative to the gateway Possible values are originating and terminating answer Call Origin h323 call origin 26 9 26 Indicates call leg type Possible values are telephony and VoIP Call Type h323...

Page 996: ...ack callback dialstring 1 9 26 No description available data service 1 9 26 Defines the number to dial dial number 1 9 26 Determines whether the network access server uses only the 56 K portion of a channel even when all 64 K appear to be available force 56 1 9 26 Allows the user profile to reference information configured in a map class of the same name on the network access server that dials out...

Page 997: ...und authentication but also for inbound authentication For a CHAP inbound case the NAS will use the name defined in preauth send name in the challenge packet to the caller box The send name attribute has changed over time Initially it performed the functions now provided by both the send name and remote name attributes Because the remote name attribute has been added the send name attribute is res...

Page 998: ...nd secret will be used in the response packet send secret 1 9 26 Provides the name of the remote host for use in large scale dial out Dialer checks that the large scale dial out remote name matches the authenticated name to protect against accidental user RADIUS misconfiguration For example dialing a valid phone number but connecting to the wrong device remote name 1 9 26 Miscellaneous Attributes ...

Page 999: ...ally used in Accounting but may also be used in Authentication Access Request packets Note Cisco NAS Port 2 9 26 Sets the minimum number of links for MLP min links 1 9 26 Allows users to configure the downloadable user profiles dynamic ACLs by using the authentication proxy feature so that users can have the configured authorization to permit traffic going through the configured interfaces proxyac...

Page 1000: ...te values are sent in Accounting request packets These values are sent at the end of a session even if the session fails to be authenticated If the session is not authenticated the attribute can cause stop records to be generated without first generating start records The table below lists the cause codes values and descriptions for the Disconnect Cause 195 attribute The Disconnect Cause is increm...

Page 1001: ...apply to all session types Idle Timeout 21 Disconnect due to exiting Telnet session Exit Telnet Session 22 Could not switch to SLIP PPP the remote end has no IP address No Remote IP Addr 23 Disconnect due to exiting raw TCP Exit Raw TCP 24 Bad passwords Password Fail 25 Raw TCP disabled Raw TCP Disabled 26 Control C detected Control C Detected 27 EXEC process destroyed EXEC Process Destroyed 28 Us...

Page 1002: ...r PPP 48 PPP session closed because maximum channels were reached PPP Maximum Channels 49 Disconnect due to full terminal server tables Tables Full 50 Disconnect due to full internal resources Resources Full 51 IP address is not valid for Telnet host Invalid IP Address 52 Hostname cannot be validated Bad Hostname 53 Port number is invalid or missing Bad Port 54 TCP connection has been reset Codes ...

Page 1003: ...P Disconnect 152 Allowed V 110 retries have been exceeded V110 Retries 160 PPP authentication timed out PPP Authentication Timeout 170 Disconnected by local hangup Local Hangup 180 Disconnected by remote end hangup Remote Hangup 185 Disconnected because T1 line was quiesced T1 Quiesced 190 Disconnected because the maximum duration of the call was exceeded Call Duration 195 Call disconnected by cli...

Page 1004: ...n limit or exceeds maximum hopcount Code is sent when a tunnel is brought down by issuing the clear vpdn tunnel command VPN Admin Disconnect 604 Tunnel teardown or tunnel setup has failed Code is sent when there are active sessions in a tunnel and the tunnel goes down This code is not sent when tunnel authentication fails Note VPN Tunnel Shut 605 Call is disconnected by LNS PPP module Code is sent...

Page 1005: ...ds facilitate the debugging of call failures In accounting start records attribute 196 does not have a value Note Table 93 Newly Supported Progress Codes for Attribute 196 Description Code Modem allocation and negotiation is complete the call is up 10 The modem is up 30 The modem is waiting for result codes 33 The max TNT is establishing the TCP connection by setting up a TCP clear call 41 Link co...

Page 1006: ...itch use the three unique global configuration commands radius server timeout radius server retransmit and radius server key To apply these values on a specific RADIUS server use the radius server host global configuration command You can configure the Switch to use AAA server groups to group existing server hosts for authentication For more information see Related Topics below You also need to co...

Page 1007: ... specify the number of times a RADIUS request is resent to a server if that server is not responding or responding slowly The range is 1 to 1000 If no retransmit value is set with the radius server host command the setting of the radius server retransmit global configuration command is used Optional For key string specify the authentication and encryption key used between the Switch and the RADIUS...

Page 1008: ...ng in privileged EXEC mode follow these steps to configure settings for all RADIUS servers SUMMARY STEPS 1 configure terminal 2 radius server key string 3 radius server retransmit retries 4 radius server timeout seconds 5 radius server deadtime minutes 6 end 7 show running config 8 copy running config startup config DETAILED STEPS Purpose Command or Action Enters the global configuration mode conf...

Page 1009: ...or a reply to a RADIUS request before resending the request The default is 5 seconds the range is 1 to 1000 radius server timeout seconds Example Switch config radius server timeout Step 4 3 When a RADIUS server is not responding to authentication requests this command specifies a time to stop the request on that server This radius server deadtime minutes Example Switch config radius server deadti...

Page 1010: ...onfig DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Step 1 Example Switch enable Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Enables AAA aaa new model Example Switch config aaa new model Step 3 Creates a login authentication method list aaa authentication login default list name meth...

Page 1011: ...ntication You must enter username information in the database Use the username name password global configuration command local case Use a case sensitive local username database for authentication You must enter username information in the database by using the username password global configuration command none Do not use any authentication for login Enters line configuration mode and configure t...

Page 1012: ...ss or identify multiple host instances or entries by using the optional auth port and acct port keywords Follow these steps to define AAA server groups SUMMARY STEPS 1 enable 2 configure terminal 3 radius server name 4 address ipv4 ipv6 ip address hostname auth port port number acct port port number 5 end 0 7 string string 6 end 7 show running config 8 copy running config startup config DETAILED S...

Page 1013: ...witch config radius server address ipv4 Step 4 10 1 1 1 auth port 1645 acct port 1646 Specifies the authentication and encryption key for all RADIUS communications between the device and the RADIUS server end 0 7 string string Example Switch config radius server key cisco123 Step 5 Exits RADIUS server configuration mode and returns to privileged EXEC mode end Example Switch config radius server en...

Page 1014: ...C mode Enter your password if prompted enable Example Switch enable Step 1 Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Configures the switch for user RADIUS authorization for all network related service requests aaa authorization network radius Example Switch config aaa authorization network Step 3 radius Configures the switch for user RADIUS au...

Page 1015: ... access to privileged EXEC mode The aaa authorization exec radius local command sets these authorization parameters Use RADIUS for privileged EXEC access authorization if authentication was performed by using RADIUS Use the local database if authentication was not performed by using RADIUS Starting RADIUS Accounting Follow these steps to start RADIUS accounting SUMMARY STEPS 1 enable 2 configure t...

Page 1016: ...to send a start record accounting notice at the beginning of a privileged EXEC process and a stop record at the end aaa accounting exec start stop radius Example Switch config aaa accounting exec start stop radius Step 4 Returns to privileged EXEC mode end Example Switch config end Step 5 Verifies your entries show running config Example Switch show running config Step 6 Optional Saves your entrie...

Page 1017: ...IUS Progress Codes To verify attribute 196 in accounting start and stop records perform the following steps SUMMARY STEPS 1 enable 2 debug aaa accounting 3 show radius statistics DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Displays information on accountable events as they occur debug aaa accounting Examp...

Page 1018: ...g authentication Step 3 Example Switch config radius server vsa send Optional Use the accounting keyword to limit the set of recognized vendor specific attributes to only accounting attributes Optional Use the authentication keyword to limit the set of recognized vendor specific attributes to only authentication attributes If you enter this command without keywords both accounting and authenticati...

Page 1019: ...5 end 6 show running config 7 copy running config startup config DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Step 1 Example Switch enable Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Specifies the IP address or hostname of the remote RADIUS server host and identifies that it is usin...

Page 1020: ... Note Returns to privileged EXEC mode end Example Switch config end Step 5 Verifies your entries show running config Example Switch show running config Step 6 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config Step 7 startup config Configuring a User Profile and Associating it with the RADIUS Record This section describes how...

Page 1021: ...the RADIUS server test aaa group group name radius username password new code profile profile name Step 6 Example Device test aaa group radius secret new code profile profilename1 The profile name must match the profile name specified in the aaa user profile command Note Verifying the Enhanced Test Command Configuration To verify the Enhanced Test Command configuration use the following commands i...

Page 1022: ...0 0 1 auth port 1645 acct port 1646 Switch config aaa new model Switch config aaa group server radius group1 Switch config sg radius server 172 20 0 1 auth port 1000 acct port 1001 Switch config sg radius exit Switch config aaa group server radius group2 Switch config sg radius server 172 20 0 1 auth port 2000 acct port 2001 Switch config sg radius exit Examples AAA Server Groups The following exa...

Page 1023: ...ing the Switch to Use Vendor Specific RADIUS Attributes For example this AV pair activates Cisco s multiple named ip address pools feature during IP authorization during PPP IPCP address assignment cisco avpair ip addr pool first This example shows how to provide a user logging in from a switch with immediate access to privileged EXEC commands cisco avpair shell priv lvl 15 This example shows how ...

Page 1024: ... attribute clid clidvalue no aaa attribute clid exit Associate the dnis user profile with the test aaa group command test aaa group radius user1 pass new code profile profl1 debug radius output which shows that the dnis value has been passed to the radius server Dec 31 16 35 48 RADIUS Sending packet for Unique id 0 Dec 31 16 35 48 RADIUS Initial Transmit unknown id 8 172 22 71 21 1645 Access Reque...

Page 1025: ...on CoA extensions RFC 5176 Error Message Decoder Link Description https www cisco com cgi bin Support Errordecoder index cgi To help you research and resolve system error messages in this release use the Error Message Decoder tool MIBs MIBs Link MIB To locate and download MIBs for selected platforms Cisco IOS releases and feature sets use Cisco MIB Locator found at the following URL http www cisco...

Page 1026: ...roduced Cisco IOS 15 0 2 EX The RADIUS Progress Codes feature adds additional progress codes to RADIUS attribute 196 Ascend Connect Progress which indicates a connection state before a call is disconnected through progress codes Cisco IOS 15 2 1 E The Enhanced Test Command feature allows a named user profile to be created with calling line ID CLID or Dialed Number Identification Service DNIS attri...

Page 1027: ...Feature Information for RADIUS Server Load Balancing page 959 Finding Feature Information Your software release may not support all the features documented in this module For the latest caveats and feature information see Bug Search Tool and the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in...

Page 1028: ...eases However if a large batch size is used all available server resources may not be fully utilized As batch size decreases CPU load increases and network throughput decreases There is no set number for large or small batch sizes A batch with more than 50 transactions is considered large and a batch with fewer than 25 transactions is considered small Note If a server group contains ten or more se...

Page 1029: ... considers the server status when assigning batches Transaction batches are sent only to live servers We recommend that you test the status of all RADIUS load balanced servers including low usage servers for example backup servers Transactions are not sent to a server that is marked dead A server is marked dead until its timer expires at which time it moves to quarantine state A server is in quara...

Page 1030: ...nables privileged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Enters global configuration mode configure terminal Example Device configure terminal Step 2 Enables RADIUS automated testing radius server host hostname ip address test username name auth port number ignore auth port acct port number ignore acct port idle time seconds Step 3 Example Device config radiu...

Page 1031: ...s SUMMARY STEPS 1 enable 2 configure terminal 3 radius server host hostname ip address test username name auth port number ignore auth port acct port number ignore acct port idle time seconds 4 radius server load balance method least outstanding batch size number ignore preferred server 5 load balance method least outstanding batch size number ignore preferred server 6 end DETAILED STEPS Purpose C...

Page 1032: ... size 5 Step 5 Exits server group configuration mode and enters privileged EXEC mode end Example Device config sg end Step 6 Troubleshooting RADIUS Server Load Balancing After configuring the RADIUS Server Load Balancing feature you can monitor the idle timer dead timer and load balancing server selection or verify the server status by using a manual test command SUMMARY STEPS 1 Use the debug aaa ...

Page 1033: ...rmine the server that is selected for load balancing The following sample output from the debug aaa sg server selection command shows five access requests being sent to a server group with a batch size of three Example Device debug aaa sg server selection Jul 16 03 15 05 AAA SG SERVER_SELECT Obtaining least loaded server Jul 16 03 15 05 AAA SG SERVER_SELECT 3 transactions remaining in batch Reusin...

Page 1034: ...DIUS Server Group The following examples show load balancing enabled for a named RADIUS server group These examples are shown in three parts the current configuration of the RADIUS command output debug output and authentication authorization and accounting AAA server status information The following sample output shows the relevant RADIUS configuration Device show running config aaa group server r...

Page 1035: ...SELECT 0000002F Server 192 0 2 238 2095 2096 now being used as preferred server Feb 28 13 51 16 019 AAA SG SERVER_SELECT 00000030 No preferred server available Feb 28 13 51 16 019 AAA SG SERVER_SELECT Obtaining least loaded server Feb 28 13 51 16 019 AAA SG SERVER_SELECT 1 transactions remaining in batch Reusing server Feb 28 13 51 16 019 AAA SG SERVER_SELECT 00000030 Server 192 0 2 238 2095 2096 ...

Page 1036: ...evant RADIUS configuration Device show running config include radius aaa authentication ppp default group radius aaa accounting network default start stop group radius radius server host 192 0 2 238 auth port 2095 acct port 2096 key cisco radius server host 192 0 2 238 auth port 2015 acct port 2016 key cisco radius server load balance method least outstanding batch size 5 Lines in the current conf...

Page 1037: ...32 199 AAA SG SERVER_SELECT 1 transactions remaining in batch Reusing server Feb 28 13 40 32 199 AAA SG SERVER_SELECT 00000018 Server 192 0 2 238 2095 2096 now being used as preferred server Feb 28 13 40 32 199 AAA SG SERVER_SELECT 00000019 No preferred server available Feb 28 13 40 32 199 AAA SG SERVER_SELECT Obtaining least loaded server Feb 28 13 40 32 199 AAA SG SERVER_SELECT No more transacti...

Page 1038: ... of a server group The radius server host command defines the IP address of the RADIUS server host with authorization and accounting ports specified and the authentication and encryption key identified The radius server load balance command enables load balancing for the RADIUS server with the batch size specified The show debug sample output below shows test requests being sent to servers The res...

Page 1039: ...erver group and the accounting server group do not share any common servers A preferred server is never found for accounting transactions therefore authentication and accounting servers are load balanced based on transactions Start and stop records are sent to the same server for a session Example ConfiguringthePreferredServerwithOverlappingAuthenticationandAuthorization Servers The following exam...

Page 1040: ...5 209 165 200 226 and 209 165 201 1 and an authorization server group that uses servers 209 165 200 225 and 209 165 200 226 Both server groups have the preferred server flag enabled aaa group server radius authentication group server 209 165 200 225 key radkey1 server 209 165 200 226 key radkey2 server 209 165 201 1 key radkey3 aaa group server radius accounting group server 209 165 200 225 key ra...

Page 1041: ...etter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password Feature Information for RADIUS Server Load Balancing The following table provides release information about the feature or features described in this module This table lists only the software release that introduced support for a given feature in a given softwar...

Page 1042: ...These servers can share the AAA transaction load and thereby respond faster to incoming requests The following commands were introduced or modified debug aaa sg server selection debug aaa test load balance server group radius server host radius server load balance and test aaa group Cisco IOS 15 2 1 E RADIUS Server Load Balancing Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E...

Page 1043: ...ure information see Bug Search Tool and the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To ac...

Page 1044: ... attributes Security and Password refer to the Preventing Unauthorized Access to Your Switch section in this guide Accounting refer to the Starting RADIUS Accounting section in the Configuring Switch Based Authentication chapter in this guide Cisco IOS software supports the RADIUS CoA extensions defined in RFC 5176 that are typically used in a push model to allow the dynamic reconfiguring of sessi...

Page 1045: ...This is a standard disconnect request and does not require a VSA Session terminate Cisco AVpair interface template name interfacetemplate Interface template Change of Authorization Requests Change of Authorization CoA requests as described in RFC 5176 are used in a push model to allow for session identification host reauthentication and session termination The model is comprised of one request CoA...

Page 1046: ...et Ignored 202 Unsupported Attribute 401 Missing Attribute 402 NAS Identification Mismatch 403 Invalid Request 404 Unsupported Service 405 Unsupported Extension 406 Invalid Attribute Value 407 Administratively Prohibited 501 Request Not Routable Proxy 502 Session Context Not Found 503 Session Context Not Removable 504 Other Proxy Processing Error 505 Resources Unavailable 506 Consolidated Platform...

Page 1047: ...F attribute 31 which contains the host MAC address IPv6 Attributes which can be one of the following Framed IPv6 Prefix IETF attribute 97 and Framed Interface Id IETF attribute 96 which together create a full IPv6 address per RFC 3162 Framed IPv6 Address Plain IP Address IETF attribute 8 Unless all session identification attributes included in the CoA message match the session the switch returns a...

Page 1048: ...IP Address IETF attribute 8 If more than one session identification attribute is included in the message all of the attributes must match the session or the device returns a Disconnect NAK or CoA NAK with the error code Invalid Attribute Value For CoA requests targeted at a particular enforcement policy the device returns a CoA NAK with the error code Invalid Attribute Value if any of the above se...

Page 1049: ... to be attempted first The current authorization of the session is maintained until the reauthentication leads to a different authorization result Session Reauthentication in a Switch Stack When a switch stack receives a session reauthentication message It checkpoints the need for a re authentication before returning an acknowledgment ACK It initiates reauthentication for the appropriate session I...

Page 1050: ...re returning a CoA ACK to the client the process is repeated on the new active device when the request is re sent from the client If the device fails after returning a CoA ACK message to the client but before the operation is complete the operation is restarted on the new active device Session Identification For disconnect and CoA requests targeted at a particular session the device locates the se...

Page 1051: ...owing attributes Acct Session Id IETF attribute 44 Audit Session Id Cisco VSA Calling Station Id IETF attribute 31 which contains the host MAC address IPv6 Attributes which can be one of the following Framed IPv6 Prefix IETF attribute 97 and Framed Interface Id IETF attribute 96 which together create a full IPv6 address per RFC 3162 Framed IPv6 Address Plain IP Address IETF attribute 8 If more tha...

Page 1052: ...s session oriented it must be accompanied by one or more of the session identification attributes If the session cannot be located the switch returns a CoA NAK message with the Session Context Not Found error code attribute If the session is located the switch disables the hosting port for a period of 10 seconds re enables it port bounce and returns a CoA ACK If the switch fails before returning a...

Page 1053: ...lowing VSAs Cisco Avpair subscriber command reauthenticate Cisco Avpair subscriber reauthenticate type last rerun reauthenticate type defines whether the CoA reauthentication request uses the authentication method that last succeeded on the session or whether the authentication process is completely rerun The following rules apply subscriber command reauthenticate must be present to trigger a reau...

Page 1054: ...ecause the bounce port command is targeted at a session not a port if the session is not found the command cannot be executed When the Auth Manager command handler on the stack master receives a valid bounce port command it checkpoints the following information before returning a CoA ACK message the need for a port bounce the port id found in the local session context The switch initiates a port b...

Page 1055: ...eps to configure CoA on a switch This procedure is required SUMMARY STEPS 1 enable 2 configure terminal 3 aaa new model 4 aaa server radius dynamic author 5 client ip address name vrf vrfname server key string 6 server key 0 7 string 7 port port number 8 auth type any all session key 9 ignore session key 10 ignore server key 11 authentication command bounce port ignore 12 authentication command di...

Page 1056: ...nts server key 0 7 string Example Switch config sg radius server key Step 6 your_server_key Specifies the port on which a device listens for RADIUS requests from configured RADIUS clients port port number Example Switch config sg radius port 25 Step 7 Specifies the type of authorization the switch uses for RADIUS clients auth type any all session key Example Switch config sg radius auth type any S...

Page 1057: ... administratively shut down Shutting down the port results in termination of the session authentication command disable port ignore Example Switch config sg radius authentication Step 12 Use standard CLI or SNMP commands to re enable the port command disable port ignore Returns to privileged EXEC mode end Example Switch config sg radius end Step 13 Verifies your entries show running config Example...

Page 1058: ...ot and resolve technical issues with Cisco products and technologies Access to most tools on the Cisco Support and Documentation website requires a Cisco com user ID and password Feature Information for RADIUS Change of Authorization Support The following table provides release information about the feature or features described in this module This table lists only the software release that introd...

Page 1059: ...mplates on sessions Port bounce Port shutdown Querying a session Reauthenticating a session Terminating a session These VSAs are sent in a standard CoA Request message from a AAA server Cisco IOS Release 15 2 1 E RADIUS Change of Authorization Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 977 Feature Information for RADIUS Change of Authorization Sup...

Page 1060: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 978 Feature Information for RADIUS Change of Authorization Support ...

Page 1061: ...beros page 992 Additional References page 1001 Feature Information for Kerberos page 1002 Finding Feature Information Your software release may not support all the features documented in this module For the latest caveats and feature information see Bug Search Tool and the release notes for your platform and software release To find information about the features documented in this module and to s...

Page 1062: ...nd that can authenticate users by using the Kerberos protocol Note Kerberos Overview Kerberos is a secret key network authentication protocol which was developed at the Massachusetts Institute of Technology MIT It uses the Data Encryption Standard DES cryptographic algorithm for encryption and authentication and authenticates requests for network resources Kerberos uses the concept of a trusted th...

Page 1063: ...ros credentials verify the identity of a user or service If a network service decides to trust the Kerberos server that issued a ticket it can be used in place of re entering a username and password Credentials have a default life span of eight hours Credential An authorization level label for Kerberos principals Most Kerberos principals are of the form user REALM for example smith EXAMPLE COM A K...

Page 1064: ...ros versions the network service authenticates an encrypted service credential by using the KEYTAB to decrypt it In Kerberos versions earlier than Kerberos 5 KEYTAB is referred to as SRVTAB11 KEYTAB10 Also known as a Kerberos identity this is who you are or what a service is according to the Kerberos server The Kerberos principal name must be in all lowercase characters Note Principal A credential...

Page 1065: ... The user must first authenticate to the boundary switch This process then occurs 1 The user opens an un Kerberized Telnet connection to the boundary switch 2 The switch prompts the user for a username and password 3 The switch requests a TGT from the KDC for this user 4 The KDC sends an encrypted TGT that includes the user identity to the switch 5 The switch attempts to decrypt the TGT by using t...

Page 1066: ...rvices Authenticating to Network Services This section describes the third layer of security through which a remote user must pass The user with a ticket granting ticket TGT must now authenticate to the network services in a Kerberos realm The following process describes how a remote user with a TGT authenticates to network services within a given Kerberos realm Assume the user is on a remote work...

Page 1067: ... KDC by using Kerberos commands Configure the switch to use the Kerberos protocol Configuring the KDC Using Kerberos Commands After a host is configured to function as the KDC in the Kerberos realm entries must be made to the KDC database and to modify existing database information for all principals in the realm Principals can be network services on devices and hosts or principals can be users Al...

Page 1068: ...er enabled modes See the Enabling Kerberos Instance Mapping on page 991 for more information on mapping Kerberos instances to various Cisco IOS privilege levels Creating and Extracting a SRVTAB on the KDC All devices authenticated through Kerberos must have a SRVTAB that contains the password or randomly generated key for the service principal key that was entered into the KDC database A service p...

Page 1069: ...mpany com COMPANY COM host Configuring the Device to Use the Kerberos Protocol Defining a Kerberos Realm For a device to authenticate a user defined in the Kerberos database it must know the host name or IP address of the host running the KDC the name of the Kerberos realm and optionally be able to map the host name or Domain Name System DNS domain to the Kerberos realm To configure the device to ...

Page 1070: ...tocol NTP Note The kerberos local realm kerberos realm and kerberos server commands are equivalent to the UNIX krb conf file The table below identifies mappings from the Cisco IOS configuration commands to a Kerberos 5 configuration file krb5 conf Table 100 Kerberos 5 Configuration File and Commands Cisco IOS Configuration Command krb5 conf File in configuration mode kerberos local realm DOMAIN CO...

Page 1071: ...rberos Authentication See the Configuring Authentication feature module for more information on configuring authentication on the device aaa authentication command is used to specify Kerberos as the authentication method Enabling Credentials Forwarding With Kerberos configured thus far a user authenticated to a Kerberized device has a TGT and can use it to authenticate to a host on the network How...

Page 1072: ...le only if you have the 56 bit encryption image 56 bit DES encryption is subject to U S Government export control regulations Note To establish an encrypted Kerberized Telnet session from a device to a remote host use either of the following commands in EXEC command mode Purpose Command Establishes an encrypted Telnet session Device config connect host port encrypt kerberos or Device config telnet...

Page 1073: ...beros instance to a Cisco IOS privilege level use the following command in global configuration mode Purpose Command Maps a Kerberos instance to a Cisco IOS privilege level Device config kerberos instance map instance privilege level If there is a Kerberos instance for user loki in the KDC database for example loki admin user loki can now open a Telnet session to the device as loki admin and authe...

Page 1074: ... from the write term command then builds on this configuration by adding optional Kerberos functionality Output for each configuration is presented for comparison against the previous configuration This example shows how to use the kdb5_edit program to perform the following configuration tasks Adding user chet to the Kerberos database Adding a privileged Kerberos instance of user chet chet admin t...

Page 1075: ...lays the configuration of device chet 2500 This is a typical configuration with no Kerberos authentication chet 2500 write term Building configuration Current configuration Last configuration change at 14 03 55 PDT Mon May 13 1996 version 11 2 service udp small servers service tcp small servers hostname chet 2500 clock timezone PST 8 clock summer time PDT recurring aaa new model aaa authentication...

Page 1076: ...ion via the Kerberos database you would perform the following tasks Entering configuration mode Defining the Kerberos local realm Identifying the machine hosting the KDC Enabling credentials forwarding Specifying Kerberos as the method of authentication for login Exiting configuration mode CTL Z Writing the new configuration to the terminal chet 2500 configure term Enter configuration commands one...

Page 1077: ...ocal realm CISCO COM kerberos server CISCO COM 172 71 54 14 kerberos credentials forward interface Ethernet0 ip address 172 16 0 0 255 255 255 0 interface Serial0 no ip address shutdown no fair queue interface Serial1 no ip address shutdown no fair queue interface Async2 ip unnumbered Ethernet0 encapsulation ppp shutdown async dynamic routing async mode dedicated no cdp enable ppp authentication p...

Page 1078: ...ystems Inc SunOS 5 4 Generic July 1994 unknown mode new chet ss20 The following example shows how to authenticate to the device using Kerberos credentials To authenticate using Kerberos credentials you would perform the following tasks Entering configuration mode Remotely copying over the SRVTAB file from the KDC Setting authentication at login to use the Kerberos 5 Telnet authentication protocol ...

Page 1079: ...ard interface Ethernet0 ip address 172 16 0 0 255 255 255 0 interface Serial0 no ip address shutdown no fair queue interface Serial1 no ip address shutdown no fair queue interface Async2 ip unnumbered Ethernet0 encapsulation ppp shutdown async dynamic routing async mode dedicated no cdp enable ppp authentication pap local no tarp propagate interface Async3 ip unnumbered Ethernet0 encapsulation ppp...

Page 1080: ...wing tasks Entering configuration mode Mapping the Kerberos instance admin to privilege level 15 Mapping the Kerberos instance restricted to privilege level 3 Specifying that the instance defined by the kerberos instance map command be used for AAA Authorization Writing the configuration to the terminal chet 2500 configure term Enter configuration commands one per line End with CNTL Z chet 2500 co...

Page 1081: ...ce Serial1 no ip address shutdown no fair queue interface Async2 ip unnumbered Ethernet0 encapsulation ppp shutdown async dynamic routing async mode dedicated no cdp enable ppp authentication pap local no tarp propagate interface Async3 ip unnumbered Ethernet0 encapsulation ppp shutdown async dynamic address async dynamic routing async mode dedicated no cdp enable ppp authentication pap local no t...

Page 1082: ...Valid Starting Expires Service Principal 13 May 1996 14 59 44 13 May 1996 23 00 45 krbtgt CISCO COM CISCO COM chet 2500 show privilege Current privilege level is 15 chet 2500 q Connection closed by foreign host chet ss20 telnet chet 2500 Trying 172 16 0 0 Connected to chet 2500 cisco com Escape character is User Access Verification Username chet restricted Password chet 2500 show kerberos creds De...

Page 1083: ...MIBs for this release Technical Assistance Link Description http www cisco com support The Cisco Support website provides extensive online resources including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert...

Page 1084: ... for Kerberos Feature Information Release This feature was introduced Cisco IOS 15 0 2 EX Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1002 Feature Information for Kerberos ...

Page 1085: ...xamples for Accounting page 1028 Additional References for Configuring Accounting page 1031 Feature Information for Configuring Accounting page 1032 Finding Feature Information Your software release may not support all the features documented in this module For the latest caveats and feature information see Bug Search Tool and the release notes for your platform and software release To find inform...

Page 1086: ...hich is named default The default method list is automatically applied to all interfaces except those that have a named method list explicitly defined A defined method list overrides the default method list A method list is simply a named list describing the accounting methods to be queried such as RADIUS or TACACS in sequence Method lists allow one or more security protocols to be designated and ...

Page 1087: ...s A server group is a way to group existing LDAP RADIUS or TACACS server hosts for use in method lists The figure below shows a typical AAA network configuration that includes four security servers R1 and R2 are RADIUS servers and T1 and T2 are TACACS servers R1 and R2 make up the group of RADIUS servers T1 and T2 make up the group of TACACS servers Using server groups a subset of the configured s...

Page 1088: ...s For more accounting information use the start stop keyword to send a start accounting notice at the beginning of the requested event and a stop accounting notice at the end of the event To stop all accounting activities on this line or interface use the none keyword AAA Accounting Methods The Cisco IOS software supports the following two methods for accounting TACACS The network access server re...

Page 1089: ...D 562 Acct Status Type Start Acct Authentic RADIUS Service Type Framed Acct Session Id 0000000E Framed IP Address 10 1 1 2 Framed Protocol PPP Acct Delay Time 0 User Id username1 NAS Identifier 172 16 25 15 Wed Jun 27 04 47 46 2001 NAS IP Address 172 16 25 15 NAS Port 5 User Name username1 Client Port DNIS 4327528 Caller ID 562 Acct Status Type Stop Acct Authentic RADIUS Service Type Framed Acct S...

Page 1090: ...shell elapsed_time 57 The precise format of accounting packets records may vary depending on the security server daemon Note The following example shows the information contained in a RADIUS network accounting record for a PPP user who comes in through autoselect Wed Jun 27 04 30 52 2001 NAS IP Address 172 16 25 15 NAS Port 3 User Name username1 Client Port DNIS 4327528 Caller ID 562 Acct Status T...

Page 1091: ...ername1 Client Port DNIS 4327528 Caller ID 5622329483 Acct Status Type Start Acct Authentic RADIUS Service Type Exec User Acct Session Id 00000006 Acct Delay Time 0 User Id username1 NAS Identifier 172 16 25 15 Wed Jun 27 04 27 25 2001 NAS IP Address 172 16 25 15 NAS Port 1 User Name username1 Client Port DNIS 4327528 Caller ID 5622329483 Acct Status Type Stop Acct Authentic RADIUS Service Type Ex...

Page 1092: ...o executed it The following example shows the information contained in a TACACS command accounting record for privilege level 1 Wed Jun 27 03 46 47 2001 172 16 25 15 username1 tty3 5622329430 4327528 stop task_id 3 service shell priv lvl 1 cmd show version cr Wed Jun 27 03 46 58 2001 172 16 25 15 username1 tty3 5622329430 4327528 stop task_id 4 service shell priv lvl 1 cmd show interfaces Ethernet...

Page 1093: ...tets 10774 Acct Output Octets 112 Acct Input Packets 91 Acct Output Packets 99 Acct Session Time 39 Acct Delay Time 0 User Id username1 NAS Identifier 172 16 25 15 The following example shows the information contained in a TACACS connection accounting record for an outbound Telnet connection Wed Jun 27 03 47 43 2001 172 16 25 15 username1 tty3 5622329430 4327528 start task_id 10 service connection...

Page 1094: ...dr 10 68 202 158 cmd rlogin username1 sun user username1 bytes_in 659926 bytes_out 138 paks_in 2378 paks_ out 1251 elapsed_time 171 The following example shows the information contained in a TACACS connection accounting record for an outbound LAT connection Wed Jun 27 03 53 06 2001 172 16 25 15 username1 tty3 5622329430 4327528 start task_id 18 service connection protocol lat addr VAX cmd lat VAX ...

Page 1095: ...orks This section includes the following subsections AAA Resource Failure Stop Accounting Before AAA resource failure stop accounting there was no method of providing accounting records for calls that failed to reach the user authentication stage of a call setup sequence Such records are necessary for users employing accounting records to manage and monitor their networks and their wholesale custo...

Page 1096: ...rates a call setup sequence with call disconnect occurring before user authentication and without AAA resource failure stop accounting enabled Figure 73 Modem Dial In Call Setup Sequence With Call Disconnect Occurring Before User Authentication and Without Resource Failure Stop Accounting Enabled AAA Resource Accounting for Start Stop Records AAA resource accounting for start stop records supports...

Page 1097: ...stateless and stateful redundancy information to clients and protocols VRRS Accounting Plug in The VRRS Accounting plug in provides a configurable AAA method list mechanism that provides updates to a RADIUS server when a VRRS group transitions its state The VRRS accounting plug in is an extension of existing AAA system accounting messages The VRRS Accounting plug in provides accounting on and acco...

Page 1098: ...ervers independently As for voice applications redundant accounting information can be managed independently through a separate group with its own failover sequence AAA Session MIB The AAA session MIB feature allows customers to monitor and terminate their authenticated client connections using Simple Network Management Protocol SNMP The data of the client is presented so that it correlates direct...

Page 1099: ... the AAA summary information provided by the AAA session MIB feature using SNMP on a per system basis Table 102 SNMP AAA Session Summary Number of sessions currently active ActiveTableEntries Maximum number of sessions present at once since last system reinstallation ActiveTableHighWaterMark Total number of sessions since last system reinstallation TotalSessions Total number of sessions that have ...

Page 1100: ...thod2 4 Do one of the following line aux console tty vty line number ending line number interface interface type interface number 5 Do one of the following accounting arap commands level connection exec default list name ppp accounting default list name 6 Device config line end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Device enable Enter your pass...

Page 1101: ...unting method list is applied interface interface type interface number Example Device config line aux line1 Applies the accounting method list to a line or set of lines Do one of the following Step 5 or accounting arap commands level connection exec default list name Applies the accounting method list to an interface or set of interfaces ppp accounting default list name Example Device config line...

Page 1102: ...nfig aaa new model Step 3 Enables the device to send a system accounting record for the addition and deletion of a RADIUS server radius server accounting system host config Example Device config radius server accounting system host config Step 4 Adds the RADIUS server and enters server group configuration mode aaa group server radius server name Example Device config aaa group server radius radgro...

Page 1103: ...rver group configuration mode and returns to privileged EXEC mode end Example Device config sg radius end Step 8 Suppressing Generation of Accounting Records for Null Username Sessions When AAA Accounting is activated the Cisco IOS software issues accounting records for all users on the system including users whose username string because of protocol translation is NULL An example of this is users...

Page 1104: ...nd can cause heavy congestion when many users are logged in to the network Caution Generating Accounting Records for Failed Login or Session When AAA Accounting is activated the Cisco IOS software does not generate accounting records for system users who fail login authentication or who succeed in login authentication but fail PPP negotiation for some reason To specify that accounting stop records...

Page 1105: ...tion Before configuring this feature the tasks described in the Prerequisites for ConfiguringAccounting onpage1003section must be performed and SNMP must be enabled on the network access server Note Device config aaa accounting resource method list stop failure group server group Configuring AAA Resource Accounting for Start Stop Records To enable full resource accounting for start stop records us...

Page 1106: ...he global aaa accounting command Enables sending accounting records to multiple AAA servers Simultaneously sends accounting records to the first server in each group If the first server is unavailable failover occurs using the backup servers defined within that group Device config aaa dnis map dnis number accounting network start stop stop only none broadcast method1 method2 Configuring AAA Sessio...

Page 1107: ...a attribute list list name 5 attribute type name value service service protocol protocol mandatory tag tag value 6 exit 7 vrrs vrrs group name 8 accounting delay seconds 9 accounting method default accounting method list 10 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Enters global configuration mode c...

Page 1108: ...de exit Example Device config attr list exit Step 6 Optional Defines a VRRP group and configures parameters for the VRRS group and enters VRRS configuration mode vrrs vrrs group name Example Device config vrrs vrrs1 Step 7 Optional Specifies the delay time for sending accounting off messages to the VRRS accounting delay seconds Example Device config vrrs accounting delay 10 Step 8 Optional Enables...

Page 1109: ...ion by which the console or telnet session can be started For example if the privileged EXEC session is being authenticated by TACACS and the TACACS server is not reachable then the session cannot start Note Monitoring Accounting No specific show command exists for either RADIUS or TACACS accounting To obtain accounting records displaying information about users currently logged in use the followi...

Page 1110: ...n authentication The aaa authentication ppp dialins group radius local command defines the authentication method list dialins which specifies that first RADIUS authentication and then if the RADIUS server does not respond local authentication is used on serial lines using PPP The aaa authorization network blue1 group radius local command defines the network authorization method list named blue1 wh...

Page 1111: ...ssion to start up automatically on these selected lines The autoselect during login command is used to display the username and password prompt without pressing the Return key After the user logs in the autoselect function in this case PPP begins The login authentication admins command applies the admins method list for login authentication The modem dialin command configures modems attached to th...

Page 1112: ...s aaa accounting network default start stop group radius Enable failure stop accounting aaa accounting resource default stop failure group radius Enable resource accounting for start stop records aaa accounting resource default start stop group radius Example Configuring AAA Broadcast Accounting The following example shows how to turn on broadcast accounting using the global aaa accounting command...

Page 1113: ...henticated client connections for PPP users aaa new model aaa authentication ppp default group radius aaa authorization network default group radius aaa accounting network default start stop group radius aaa session mib disconnect Example Configuring VRRS Accounting The following example shows how to configure VRRS to send AAA Accounting messages to the AAA server Router configure terminal Router ...

Page 1114: ...o download documentation software and tools Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies Access to most tools on the Cisco Support and Documentation website requires a Cisco com user ID and password Feature Information for Configuring Accounting The following table provides release information about ...

Page 1115: ...op record at the call disconnect This functionality can be used to manage and monitor wholesale customers from one source of data reporting such as accounting records Cisco IOS 15 2 1 E AAA Resource Accounting for Start Stop Records The AAA session MIB feature allows customers to monitor and terminate their authenticated client connections using SNMP The data of the client is presented so that it ...

Page 1116: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1034 Feature Information for Configuring Accounting ...

Page 1117: ...mation table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required How to Configure Local Authentication and Authorization Configuring the Switch for Local Authentication and Authorization You can configure AAA to oper...

Page 1118: ...s privileged EXEC mode Enter your password if prompted enable Step 1 Example Switch enable Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Enables AAA aaa new model Example Switch config aaa new model Step 3 Sets the login authentication to use the local username database The default keyword applies the local user database authentication to all port...

Page 1119: ...are not allowed privilege 1 password 7 secret567 Optional For level specify the privilege level the user has after gaining access The range is 0 to 15 Level 15 gives privileged EXEC mode access Level 0 gives user EXEC mode access For encryption type enter 0 to specify that an unencrypted password follows Enter 7 to specify that a hidden password follows For password specify the password the user m...

Page 1120: ...r Message Decoder Link Description https www cisco com cgi bin Support Errordecoder index cgi To help you research and resolve system error messages in this release use the Error Message Decoder tool MIBs MIBs Link MIB To locate and download MIBs for selected platforms Cisco IOS releases and feature sets use Cisco MIB Locator found at the following URL http www cisco com go mibs All supported MIBs...

Page 1121: ...us services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password Feature Information for Local Authentication and Authorization Feature Information Release This feature was introduced Cisco IOS 15 0 2 EX Consolidated Platf...

Page 1122: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1040 Feature Information for Local Authentication and Authorization ...

Page 1123: ...ypass page 1042 How to Configure MAC Authentication Bypass page 1044 Configuration Examples for MAC Authentication Bypass page 1050 Additional References for MAC Authentication Bypass page 1050 Feature Information for MAC Authentication Bypass page 1051 Finding Feature Information Your software release may not support all the features documented in this module For the latest caveats and feature in...

Page 1124: ...ion attempts authentications authorizations and disconnections and as such serves as a session manager The possible states for Auth Manager sessions are as follows Idle In the idle state the authentication session has been initialized but no methods have yet been run This is an intermediate state Running A method is currently running This is an intermediate state Authc Success The authentication m...

Page 1125: ...he password uses the same value as the username The table below describes the formatting of the username and the password Password Created Password Configured Username Username Format Group Size Separator MAC Address 0 8 0 0 2 b 8 6 1 9 d e 0 8 0 0 2 b 8 6 1 9 d e 0 8 0 0 2 b 8 6 1 9 d e None 0 8 0 0 2 b 8 6 1 9 d e 0 8 0 0 2 b 8 6 1 9 d e 0 8 0 0 2 b 8 6 1 9 d e 1 1 1 08002b8619de Password Passwo...

Page 1126: ... slot port 4 mab 5 end 6 show authentication sessions interface type slot port details DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Enters global configuration mode configure terminal Example Device configure terminal Step 2 Enters interface configuration mode interface type slot port Example Device config...

Page 1127: ...rt By default ports are not automatically reauthenticated You can enable automatic reauthentication and specify how often reauthentication attempts are made SUMMARY STEPS 1 enable 2 configure terminal 3 interface type slot port 4 switchport 5 switchport mode access 6 authentication port control auto 7 mab eap 8 authentication periodic 9 authentication timer reauthenticate seconds server 10 end DET...

Page 1128: ...ss Example Device config if switchport mode access Step 5 Configures the authorization state of the port authentication port control auto Example Device config if authentication port control auto Step 6 Enables MAB mab eap Example Device config if mab Step 7 Enables reauthentication authentication periodic Example Device config if authentication periodic Step 8 Configures the time in seconds betwe...

Page 1129: ...able 2 configure terminal 3 interface type slot port 4 switchport 5 switchport mode access 6 authentication port control auto 7 mab eap 8 authentication violation restrict shutdown 9 authentication timer restart seconds 10 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Enters global configuration mode co...

Page 1130: ... control auto Step 6 Enables MAB mab eap Example Device config if mab Step 7 Configures the action to be taken when a security violation occurs on the port authentication violation restrict shutdown Example Device config if authentication violation shutdown Step 8 Configures the period of time in seconds after which an attempt is made to authenticate an unauthorized port authentication timer resta...

Page 1131: ...ple Device configure terminal Step 2 Configures the username format for MAB requests mab request format attribute 1 groupsize 1 2 4 12 separator lowercase uppercase Example Device config mab request format attribute 1 groupsize 2 separator Step 3 Configures a global password for all MAB requests mab request format attribute 2 0 7 password Example Device config mab request format attribute 2 passwo...

Page 1132: ...and password for MAC Authentication Bypass MAB In this example the username format is configured as a group of 12 hexadecimal digits with no separator and the global password as password1 Device enable Device configure terminal Device config mab request format attribute 1 groupsize 2 separator Device config mab request format attribute 2 password1 Device config end Additional References for MAC Au...

Page 1133: ...h Cisco products and technologies Access to most tools on the Cisco Support and Documentation website requires a Cisco com user ID and password Feature Information for MAC Authentication Bypass The following table provides release information about the feature or features described in this module This table lists only the software release that introduced support for a given feature in a given soft...

Page 1134: ...sco IOS XE 3 5E Cisco IOS 15 2 1 E MAC Authentication Bypass MAB The Configurable MAB Username and Password feature enables you to configure MAC Authentication Bypass MAB username format and password to allow interoperability between the Cisco IOS Authentication Manager and existing MAC databases and RADIUS servers The following commands were introduced or modified mab request format attribute 1 m...

Page 1135: ...d Strength and Management for Common Criteria page 1054 How to Configure Password Strength and Management for Common Criteria page 1055 Configuration Examples for Password Strength and Management for Common Criteria page 1059 Additional References for Password Strength and Management for Common Criteria page 1059 Feature Information for Password Strength and Management for Common Criteria page 106...

Page 1136: ...en the password will be valid for one month after the system reboots Password Expiry Policy If the user attempts to log on and if the user s password credentials have expired then the following happens 1 The user is prompted to set the new password after successfully entering the expired password 2 When the user enters the new password the password is validated against the password security policy...

Page 1137: ...es will be sent to the clients and the clients must contact the security administrator to renew the password User Reauthentication Policy Users are reauthenticated when they change their passwords When users change their passwords on expiry they will be authenticated against the new password In such cases the actual authentication happens based on the previous credentials and the new password is u...

Page 1138: ...mode configure terminal Example Device configure terminal Step 2 Enables AAA globally aaa new model Example Device config aaa new model Step 3 Creates the AAA security password policy and enters common criteria configuration policy mode aaa common criteria policy policy name Example Device config aaa common criteria policy policy1 Step 4 Optional Specifies the number of changed characters between ...

Page 1139: ...cial case 3 Step 9 Optional Exits common criteria configuration policy mode and returns to global configuration mode exit Example Device config cc policy exit Step 10 Optional Applies a specific policy and password to a user profile username username common criteria policy policy name password password Example Device config username user1 common criteria policy policy1 password password1 Step 11 R...

Page 1140: ...orever User tied to this policy will not expire Step 3 show aaa common criteria policy all Displays password security policy information for all the configured policies Example Device show aaa common criteria policy all Policy name policy1 Minimum length 1 Maximum length 64 Upper Count 20 Lower Count 20 Numeric Count 5 Special Count 2 Number of character changes 4 Valid forever User tied to this p...

Page 1141: ...se 2 Device config cc policy exit Device config username user1 common criteria policy policy1 password password1 Device config end Additional References for Password Strength and Management for Common Criteria The following sections provide references related to the RADIUS Packet of Disconnect feature Related Documents Document Title Related Topic Cisco IOS Master Command List All Releases Cisco I...

Page 1142: ...isco Support website requires a Cisco com user ID and password Feature Information for Password Strength and Management for Common Criteria The following table provides release information about the feature or features described in this module This table lists only the software release that introduced support for a given feature in a given software release train Unless noted otherwise subsequent r...

Page 1143: ...g retrieving and providing rules to specify user passwords The following commands were introduced or modified aaa common criteria policy debug aaa common criteria and show aaa common criteria policy Cisco IOS 15 0 2 SE Cisco IOS 15 2 1 E Password Strength and Management for Common Criteria Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1061 Feature In...

Page 1144: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1062 Feature Information for Password Strength and Management for Common Criteria ...

Page 1145: ...Set Operation page 1068 Finding Feature Information Your software release may not support all the features documented in this module For the latest caveats and feature information see Bug Search Tool and the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see t...

Page 1146: ...upported only the get operation Effective with this release the CISCO AAA SERVER MIB supports the set operation With the set operation you can do the following Create or add a new AAA server Modify the KEY under the CISCO AAA SERVER MIB This secret key is used for secure connectivity to the AAA server which is present with the network access server NAS and the AAA server Delete the AAA server conf...

Page 1147: ...a servers Example Device show aaa servers Step 3 Configuration Examples for AAA SERVER MIB Set Operation RADIUS Server Configuration and Server Statistics Example The following sample output shows the RADIUS server configuration and server statistics before and after the set operation Before the Set Operation Device show running config include radius server host The following line is for server 1 ...

Page 1148: ...uration and Statistics of the RADIUS Servers aaa server5 users smetri getmany 10 0 1 42 casConfigTable casAddress 2 2 172 19 192 238 casAddress 2 3 172 19 192 238 casAuthenPort 2 2 2095 casAuthenPort 2 3 1645 casAcctPort 2 2 2096 casAcctPort 2 3 1646 casKey 2 2 casKey 2 3 The following line shows priority for server 1 casPriority 2 2 1 The following line shows priority for server 2 casPriority 2 3...

Page 1149: ...h port 2095 acct port 2096 State current UP duration 209s previous duration 0s Dead total time 0s count 7 Authen request 0 timeouts 0 Response unexpected 0 server error 0 incorrect 0 time 0ms Transaction success 0 failure 0 Author request 0 timeouts 0 Response unexpected 0 server error 0 incorrect 0 time 0ms Transaction success 0 failure 0 Account request 0 timeouts 0 Response unexpected 0 server ...

Page 1150: ...a given software release train Unless noted otherwise subsequent releases of that software release train also support that feature Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to www cisco com go cfn An account on Cisco com is not required Table 107 Feature Information for AAA SERVER MIB Set Operation F...

Page 1151: ...upport all the features documented in this module For the latest caveats and feature information see Bug Search Tool and the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator ...

Page 1152: ...ports only the execution shell application The SSH server and the SSH client are supported only on Data Encryption Standard DES 56 bit and 3DES 168 bit data encryption software In DES software images DES is the only encryption algorithm available In 3DES software images both DES and 3DES encryption algorithms are available The Switch supports the Advanced Encryption Standard AES encryption algorit...

Page 1153: ...the switch The SSH server works with the SSH client supported in this release and with non Cisco SSH clients The SSH client works with publicly and commercially available SSH servers The SSH client supports the ciphers of Data Encryption Standard DES 3DES and password authentication The switch supports an SSHv1 or an SSHv2 server The switch supports an SSHv1 client The SSH client functionality is ...

Page 1154: ...security SCP also requires that authentication authorization and accounting AAA authorization be configured so the switch can determine whether the user has the correct privilege level To configure the Secure Copy feature you should understand the SCP concepts How Secure Copy Works The behavior of Secure Copy SCP is similar to that of remote copy RCP which comes from the Berkeley r tools suite Ber...

Page 1155: ...u want to enable SSH The previous method of configuring reverse SSH limited the number of ports that can be accessed to 100 The Reverse SSH Enhancements feature removes the port number limitation How to Configure Secure Shell Setting Up the Switch to Run SSH Follow these steps to set up your Switch to run SSH Before You Begin Configure user authentication for local or remote access This step is re...

Page 1156: ...ly enables SSH crypto key generate rsa Example Switch config crypto key generate rsa Step 5 We recommend that a minimum modulus size of 1024 bits When you generate RSA keys you are prompted to enter a modulus length A longer modulus length might be more secure but it takes longer to generate and to use Follow this procedure only if you are configuring the Switch as an SSH server Note Returns to pr...

Page 1157: ...Enables privileged EXEC mode Enter your password if prompted enable Step 1 Example Switch enable Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Optional Configures the Switch to run SSH Version 1 or SSH Version 2 ip ssh version 1 2 Example Switch config ip ssh version 1 Step 3 1 Configure the Switch to run SSH Version 1 2 Configure the Switch to ru...

Page 1158: ...enticate to the server The default is 3 the range is 0 to 5 Repeat this step when configuring both parameters Optional Configures the virtual terminal line settings Use one or both of the following Step 5 line vtyline_number ending_line_number Enters line configuration mode to configure the virtual terminal line settings For line_number and ending_line_number specify a pair of lines The range is 0...

Page 1159: ...Step 2 Troubleshooting Tips If your Secure Shell SSH configuration commands are rejected as illegal commands you have not successfully generated an Rivest Shamir and Adleman RSA key pair for your device Make sure that you have specified a hostname and domain Then use the crypto key generate rsa command to generate an RSA key pair and enable the SSH server When configuring the RSA key pair you migh...

Page 1160: ... Configuring Reverse SSH for Console Access To configure reverse SSH console access on the SSH server perform the following steps SUMMARY STEPS 1 enable 2 configure terminal 3 line line number ending line number 4 no exec 5 login authentication listname 6 transport input ssh 7 exit 8 exit 9 ssh l userid number ip address DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable ...

Page 1161: ...it Example Device config line exit Step 7 Exits global configuration mode exit Example Device config exit Step 8 Specifies the user ID to use when logging in on the remote networking device that is running the SSH server ssh l userid number ip address Example Device ssh l lab 1 router example com Step 9 userid User ID Signifies that a port number and terminal IP address will follow the userid argu...

Page 1162: ...thentication listname 6 rotary group 7 transport input ssh 8 exit 9 exit 10 ssh l userid rotary number ip address DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Enters global configuration mode configure terminal Example Device configure terminal Step 2 Identifies a line for configuration and enters line con...

Page 1163: ...xits global configuration mode exit Example Device config exit Step 9 Specifies the user ID to use when logging in on the remote networking device that is running the SSH server ssh l userid rotary number ip address Example Device ssh l lab rotary1 router example com Step 10 userid User ID Signifies that a port number and terminal IP address will follow the userid argument number Terminal or auxil...

Page 1164: ...e SSH on the Server To troubleshoot the reverse SSH configuration on the terminal server perform the following steps The steps may be configured in any order or independent of one another SUMMARY STEPS 1 enable 2 debug ip ssh 3 show ssh 4 show line DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Consolidated ...

Page 1165: ...atus This table displays the SSH server configuration and status Table 108 Commands for Displaying the SSH Server Configuration and Status Purpose Command Shows the version and configuration information for the SSH server show ip ssh Shows the status of the SSH server show ssh Configuring Secure Copy To configure a Cisco device for Secure Copy SCP server side functionality perform the following st...

Page 1166: ...l Example Device configure terminal Step 2 Sets AAA authentication at login aaa new model Example Device config aaa new model Step 3 Enables the AAA access control system aaa authentication login default list name method1 method2 Step 4 Example Device config aaa authentication login default group tacacs Sets parameters that restrict user access to a network aaa authorization network exec commands ...

Page 1167: ...mode exit Example Device config exit Step 8 Optional Displays the SCP server side functionality show running config Example Device show running config Step 9 Optional Troubleshoots SCP authentication problems debug ip scp Example Device debug ip scp Step 10 Configuration Examples for Secure Shell Example Secure Copy Configuration Using Local Authentication The following example shows how to config...

Page 1168: ...at reverse SSH has been configured for console access for terminal lines 1 through 3 Terminal Server Configuration line 1 3 no exec login authentication default transport input ssh Client Configuration The following commands configured on the SSH client will form the reverse SSH session with lines 1 2 and 3 respectively ssh l lab 1 router example com ssh l lab 2 router example com ssh l lab 3 rout...

Page 1169: ... device when SSH is enabled Device show ssh Connection Version Encryption State Username 0 1 5 3DES Session Started guest The following example shows that SSH is disabled Device show ssh No SSH server connections running Additional References for Secure Shell Related Documents Document Title Related Topic Cisco IOS Master Command List All Releases Cisco IOS commands Cisco IOS Security Command Refe...

Page 1170: ...s a Cisco com user ID and password Feature Information for SSH Feature Information Release This feature was introduced Cisco IOS 15 0 2 EX The Reverse SSH Enhancements feature which is supported for SSH Version 1 and 2 provides an alternative way to configure reverse Secure Shell SSH so that separate lines do not need to be configured for every terminal or auxiliary line on which SSH must be enabl...

Page 1171: ...itional References for Secure Shell Version 2 Support page 1113 Feature Information for Secure Shell Version 2 Support page 1113 Finding Feature Information Your software release may not support all the features documented in this module For the latest caveats and feature information see Bug Search Tool and the release notes for your platform and software release To find information about the feat...

Page 1172: ...ng Virtual Routing and Forwarding VRF Aware SSH SSH debug enhancements and Diffie Hellman DH group exchange support The VRF Aware SSH feature is supported depending on your release Note The Cisco SSH implementation has traditionally used 768 bit modulus but with an increasing need for higher key sizes to accommodate DH Group 14 2048 bits and Group 16 4096 bits cryptographic applications a message ...

Page 1173: ...the signature by using the server host key If the server is successfully authenticated the session establishment continues otherwise it is terminated and displays a Server Authentication Failed message Storing public keys on a server uses memory therefore the number of public keys configurable on an SSH server is restricted to ten users with a maximum of two public keys per user Note RSA based use...

Page 1174: ...0 0 2 55246 1015 ltcpConnEntry 1 10 0 0 1 22 10 0 0 2 55246 1056 ltcpConnEntry 2 10 0 0 1 22 10 0 0 2 55246 1392 local 9 2 1 18 2 lab Jul 18 10 18 42 879 SNMP Packet sent via UDP to 10 0 0 2 Switch SSH Keyboard Interactive Authentication The SSH Keyboard Interactive Authentication feature also known as Generic Message Authentication for SSH is a method that can be used to implement different types...

Page 1175: ... your password if prompted Enters global configuration mode configure terminal Example Device configure terminal Step 2 Configures a hostname for your device hostname name Example Device config hostname cisco7200 Step 3 Configures a domain name for your device ip domain name name Example cisco7200 config ip domain name example com Step 4 Enables the SSH server for local and remote authentication c...

Page 1176: ...no hostname command to return to the default host Configuring a Device for SSH Version 2 Using RSA Key Pairs SUMMARY STEPS 1 enable 2 configure terminal 3 ip ssh rsa keypair name keypair name 4 crypto key generate rsa usage keys label key label modulus modulus size 5 ip ssh time out seconds authentication retries integer 6 ip ssh version 2 7 exit DETAILED STEPS Purpose Command or Action Enables pr...

Page 1177: ... modulus 768 For SSH Version 2 the modulus size must be at least 768 bits To delete the RSA key pair use the crypto key zeroize rsa command When you delete the RSA key pair you automatically disable the SSH server Note Configures SSH control variables on your device ip ssh time out seconds authentication retries integer Step 5 Example Device config ip ssh time out 12 Specifies the version of SSH t...

Page 1178: ...rd if prompted Enters global configuration mode configure terminal Example Device configure terminal Step 2 Specifies the hostname hostname name Example Device config hostname host1 Step 3 Defines a default domain name that the Cisco software uses to complete unqualified hostnames ip domain name name Example host1 config ip domain name name1 Step 4 Generates RSA key pairs crypto key generate rsa E...

Page 1179: ...le Note Optional Specifies the SSH key type and version key hash key type key name Step 9 Example host1 conf ssh pubkey data key hash ssh rsa key1 The key type must be ssh rsa for the configuration of private public key pairs This step is optional only if the key string command is configured You must configure either the key string command or the key hash command You can use a hashing software to ...

Page 1180: ... Enables privileged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Enters global configuration mode configure terminal Example Device configure terminal Step 2 Specifies the hostname hostname name Example Device config hostname host1 Step 3 Defines a default domain name that the Cisco software uses to complete unqualified hostnames ip domain name name Example host1 c...

Page 1181: ...nd enters public key server configuration mode exit Example host1 conf ssh pubkey data exit Step 9 Optional Specifies the SSH key type and version key hash key type key name Step 10 Example host1 conf ssh pubkey server key hash ssh rsa key1 The key type must be ssh rsa for the configuration of private public key pairs This step is optional only if the key string command is configured You must conf...

Page 1182: ...6 ctr aes128 cbc 3des aes192 cbc aes256 cbc l user id l user id vrf name number ip address ip address l user id rotary number ip address m hmac md5 128 hmac md5 96 hmac sha1 160 hmac sha1 96 o numberofpasswordprompts n p port num ip addr hostname command vrf DETAILED STEPS Purpose Command or Action Starts an encrypted session with a remote networking device ssh v 1 2 c aes128 ctr aes192 ctr aes256...

Page 1183: ...e level password password 7 ip ssh time outseconds 8 ip ssh authentication retries integer 9 ip scpserverenable 10 exit 11 debug ip scp DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Enters global configuration mode configure terminal Example Device configure terminal Step 2 Enables the AAA access control mo...

Page 1184: ...rd1 Step 6 The minimum value for the privilege level argument is 15 A privilege level of less than 15 results in the connection closing Note Sets the time interval in seconds that the device waits for the SSH client to respond ip ssh time outseconds Example Device config ip ssh time out 120 Step 7 Sets the number of authentication attempts after which the interface is reset ip ssh authentication r...

Page 1185: ...ple Device exit Step 3 Examples The following sample output from the show ssh command displays status of various SSH Version 1 and Version 2 connections for Version 1 and Version 2 connections Device show ssh Connection Version Encryption State Username 0 1 5 3DES Session started lab Connection Version Mode Encryption Hmac State Username 1 2 0 IN aes128 cbc hmac md5 Session started lab 1 2 0 OUT a...

Page 1186: ...1 connection with no Version 2 connection Device show ssh Connection Version Encryption State Username 0 1 5 3DES Session started lab No SSHv2 server connections running Verifying the Secure Shell Status SUMMARY STEPS 1 enable 2 show ip ssh 3 exit DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Displays the v...

Page 1187: ...meout 120 secs Authentication retries 3 The following sample output from the show ip ssh command displays the version of SSH that is enabled the authentication timeout values and the number of authentication retries for a Version 1 connection with no Version 2 connection Device show ip ssh 3d06h SYS 5 CONFIG_I Configured from console by console SSH Enabled version 1 5 Authentication timeout 120 se...

Page 1188: ...x server client aes128 cbc hmac md5 none 00 33 55 SSH2 1 expecting SSH2_MSG_KEXDH_INIT 00 33 55 SSH2 1 ssh_receive 144 bytes received 00 33 55 SSH2 1 input packet len 144 00 33 55 SSH2 1 partial packet 8 need 136 maclen 0 00 33 55 SSH2 1 input padlen 5 00 33 55 SSH2 1 received packet type 30 00 33 55 SSH2 1 SSH2_MSG_KEXDH_INIT received 00 33 55 SSH2 1 signature length 111 00 33 55 SSH2 1 send len ...

Page 1189: ...4 04 SSH2 1 input packet len 64 00 34 04 SSH2 1 partial packet 16 need 48 maclen 16 00 34 04 SSH2 1 MAC 8 ok 00 34 04 SSH2 1 input padlen 13 00 34 04 SSH2 1 received packet type 98 00 34 04 SSH2 1 pty req request 00 34 04 SSH2 1 setting TTY requested height 24 width 80 set height 24 width 80 00 34 04 SSH2 1 input packet len 96 00 34 04 SSH2 1 partial packet 16 need 80 maclen 16 00 34 04 SSH2 1 MAC...

Page 1190: ...SH2 1 send len 48 includes padlen 18 00 34 08 SSH2 1 done calc MAC out 13 00 34 08 SSH2 1 send len 16 includes padlen 6 00 34 08 SSH2 1 done calc MAC out 14 00 34 08 SSH2 1 send len 16 includes padlen 6 00 34 08 SSH2 1 done calc MAC out 15 00 34 08 SSH1 Session terminated normally Configuration Examples for Secure Shell Version 2 Support Example Configuring Secure Shell Version 2 Device configure ...

Page 1191: ...0 1 22 10 0 0 2 55246 1056 ltcpConnEntry 2 10 0 0 1 22 10 0 0 2 55246 1392 local 9 2 1 18 2 lab Jul 18 10 18 42 879 SNMP Packet sent via UDP to 10 0 0 2 Device1 Examples SSH Keyboard Interactive Authentication Example Enabling Client Side Debugs The following example shows that the client side debugs are turned on and the maximum number of prompts is six three for the SSH keyboard interactive auth...

Page 1192: ...ctive Authentication method A TACACS access control server ACS is used as the back end AAA server Device1 ssh l cisco 10 1 1 3 Password Old Password cisco New Password cisco123 Re enter New password cisco123 Device2 exit Connection to 10 1 1 3 closed by foreign host Example Enabling ChPass and Changing the Password on First Login In the following example the ChPass feature is enabled and TACACS AC...

Page 1193: ...xample SNMP Debugging The following is sample output from the debug snmp packet command The output provides SNMP trap information for an SSH session Device1 debug snmp packet SNMP packet debugging is on Device1 ssh l lab 10 0 0 2 Password Device2 exit Connection to 10 0 0 2 closed by foreign host Device1 Jul 18 10 18 42 619 SNMP Queuing packet to 10 0 0 2 Jul 18 10 18 42 619 SNMP V1 Trap ent cisco...

Page 1194: ...ed 00 05 43 SSH2 0 partial packet length block size 8 bytes needed 272 bytes maclen 0 00 05 43 SSH2 0 ssh_receive 64 bytes received 00 05 43 SSH2 0 partial packet length block size 8 bytes needed 272 bytes maclen 0 00 05 43 SSH2 0 ssh_receive 64 bytes received 00 05 43 SSH2 0 partial packet length block size 8 bytes needed 272 bytes maclen 0 00 05 43 SSH2 0 ssh_receive 24 bytes received 00 05 43 S...

Page 1195: ... online resources to download documentation software and tools Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies Access to most tools on the Cisco Support and Documentation website requires a Cisco com user ID and password Feature Information for Secure Shell Version 2 Support The following table provides...

Page 1196: ...re SSH SSH debug enhancements and DH Group 14 and Group 16 exchange support This feature was supported on CAT2960 CAT3560E CAT3560X CAT3750 CAT3750E CAT3750X CAT4500 The VRF Aware SSH feature is supported depending on your release Note The following commands were introduced or modified debug ip ssh and ip ssh dh min size Cisco IOS XE Release 3 4SG Secure Shell Version 2 Enhancements The Secure She...

Page 1197: ...r name ip ssh version and ssh Cisco IOS XE Release 3 4SG Secure Shell Version 2 Support The SSH Keyboard Interactive Authentication feature also known as Generic Message Authentication for SSH is a method that can be used to implement different types of authentication mechanisms Basically any currently supported authentication method that requires only user input can be performed with this feature...

Page 1198: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1116 Feature Information for Secure Shell Version 2 Support ...

Page 1199: ...eferences for X 509v3 Certificates for SSH Authentication page 1124 Feature Information for X 509v3 Certificates for SSH Authentication page 1124 Finding Feature Information Your software release may not support all the features documented in this module For the latest caveats and feature information see Bug Search Tool and the release notes for your platform and software release To find informati...

Page 1200: ...thenticate public key authentication the client to the server The validity of the authentication depends upon the strength of the linkage between the public signing key and the identity of the signer Digital certificates such as those in X 509 Version 3 X 509v3 are used to provide identity management X 509v3 uses a chain of signatures by a trusted root certification authority and intermediate cert...

Page 1201: ... response stapling a device obtains the revocation information of its own certificate by contacting the OCSP server and then stapling the result along with its certificates and sending the information to the peer rather than having the peer contact the OCSP responder How to Configure X 509v3 Certificates for SSH Authentication Configuring Digital Certificates for Server Authentication SUMMARY STEP...

Page 1202: ... 5 The server profile is used to send out the certificate of the server to the SSH client during server authentication Attaches the public key infrastructure PKI trustpoint to the server certificate profile trustpoint sign PKI trustpoint name Example Switch ssh server cert profile server trustpoint sign trust1 Step 6 The SSH server uses the certificate associated with this PKI trustpoint for serve...

Page 1203: ... server algorithm authentication publickey keyboard password Step 3 Example Switch config ip ssh server algorithm authentication publickey Note The IOS SSH server must have at least one configured user authentication algorithm To use the certificate method for user authentication the publickey keyword must be configured Defines the order of public key algorithms Only the configured algorithm is ac...

Page 1204: ...d multiple times A maximum of 10 trustpoints can be configured Note Optional Mandates the presence of the Online Certificate Status Protocol OCSP response with the incoming user certificate ocsp response required Example Switch ssh server cert profile user ocsp response required Step 8 By default the user certificate is accepted without an OCSP response Note Exits SSH server certificate profile us...

Page 1205: ...ntication Switch enable Switch configure terminal Switch config ip ssh server algorithm hostkey x509v3 ssh rsa Switch config ip ssh server certificate profile Switch ssh server cert profile server Switch ssh server cert profile server trustpoint sign trust1 Switch ssh server cert profile server exit Example Configuring Digital Certificate for User Authentication Switch enable Switch configure term...

Page 1206: ... Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password Feature Information for X 509v3 Certificates for SSH Authentication The following table provides release information about the feature or features described in this module This table lists only the software release that introduced support for a given feature in a given software releas...

Page 1207: ...m authentication and ip ssh server certificate profile This feature was implemented on the following platforms Catalyst 2960C 2960CX 2960P 2960X and 2960XR Series Switches Catalyst 3560CX and 3560X Series Switches Catalyst 3750X Series Switches Catalyst 4500E Sup7 E Sup7L E Sup8 E and 4500X Series Switches Catalyst 4900M 4900F E Series Switches Cisco IOS 15 2 4 E1 X 509v3 Certificates for SSH Auth...

Page 1208: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1126 Feature Information for X 509v3 Certificates for SSH Authentication ...

Page 1209: ... may not support all the features documented in this module For the latest caveats and feature information see Bug Search Tool and the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature ...

Page 1210: ...nfigure a CA trustpoint If a CA trustpoint is not configured for the device running the HTTPS server the server certifies itself and generates the needed RSA key pair Because a self certified self signed certificate does not provide adequate security the connecting client generates a notification that the certificate is self certified and the user has the opportunity to accept or reject the connec...

Page 1211: ...urity Configuration Guide Release 12 4 CipherSuites A CipherSuite specifies the encryption algorithm and the digest algorithm to use on a SSL connection When connecting to the HTTPS server the client Web browser offers a list of supported CipherSuites and the client and server negotiate the best encryption algorithm to use from those on the list that are supported by both For example Netscape Comm...

Page 1212: ...s of Chrome do not support the four original cipher suites thus disallowing access to both web GUI and guest portals Note RSA in conjunction with the specified encryption and digest algorithm combinations is used for both key generation and authentication on SSL connections This usage is independent of whether or not a CA trustpoint is configured Default SSL Configuration The standard HTTP server ...

Page 1213: ...rify the secure HTTP connection by using a Web browser enter https URL where the URL is the IP address or hostname of the server switch If you configure a port other than the default port you must also specify the port number after the URL For example https 209 165 129 1026 or https host domain com 1026 SUMMARY STEPS 1 show ip http server status 2 configure terminal 3 ip http secure server 4 ip ht...

Page 1214: ...ecure port port number Example Switch config ip http secure port 443 Step 4 Optional Specifies the CipherSuites encryption algorithms to be used for encryption over the HTTPS connection If you do not have a reason ip http secure ciphersuite 3des ede cbc sha rc4 128 md5 rc4 128 sha des cbc sha Step 5 to specify a particularly CipherSuite you should allow the server and client to negotiate a CipherS...

Page 1215: ... recommend that the value be at least 10 and not less This is required for the UI to function as expected ip http max connections value Example Switch config ip http max connections Step 10 4 Optional Specifies how long a connection to the HTTP server can remain open under the defined circumstances ip http timeout policy idle seconds life seconds requests value Step 11 Example Switch config ip htt...

Page 1216: ... be used if the remote HTTP server requests client authentication Using this command assumes ip http client secure trustpoint name Example Switch config ip http client Step 2 that you have already configured a CA trustpoint by using the previous procedure The command is optional if client authentication is not needed or if a primary trustpoint has been configured secure trustpoint your_trustpoint ...

Page 1217: ...DETAILED STEPS Purpose Command or Action Enters the global configuration mode configure terminal Example Switch configure terminal Step 1 Specifies the hostname of the switch required only if you have not previously configured a hostname The hostname is required for security keys and certificates hostname hostname Example Switch config hostname your_hostname Step 2 Specifies the IP domain name of ...

Page 1218: ...oxy server enrollment http proxy host name port number Example Switch ca trustpoint enrollment Step 7 For host name specify the proxy server used to get the CA For port number specify the port number used to access the CA http proxy your_host 49 Configures the switch to request a certificate revocation list CRL to ensure that the certificate of the peer has not been revoked crl query url Example S...

Page 1219: ...le Switch config end Step 13 Monitoring Secure HTTP Server and Client Status To monitor the SSL secure server and client status use the privileged EXEC commands in the following table Table 111 Commands for Displaying the SSL Secure Server and Client Status Purpose Command Shows the HTTP secure client configuration show ip http client secure status Shows the HTTP secure server configuration show i...

Page 1220: ...tp secure server Device config ip http client secure trustpoint CA trust local Device config ip http secure port 1024 Invalid secure port value Device config ip http secure port 1025 Device config ip http secure ciphersuite rc4 128 sha rc4 128 md5 Device config end Device show ip http serversecure status HTTP secure server status Enabled HTTP secure server port 1025 HTTP secure server ciphersuite ...

Page 1221: ...ve online resources including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most ...

Page 1222: ...the context of SSL signing means to encrypt with a private key In digital signing one way hash functions are used as input for a signing algorithm In RSA signing a 36 byte structure of two hashes one SHA and one MD5 is signed encrypted with the private key SSL 3 0 Secure Socket Layer version 3 0 SSL is a security protocol that provides communications privacy over the Internet The protocol allows c...

Page 1223: ...nformation Your software release may not support all the features documented in this module For the latest caveats and feature information see Bug Search Tool and the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the feature information table at the end o...

Page 1224: ...ol ISAKMP framework Although IKE can be used with other protocols its initial implementation is with the IPSec protocol IKE provides authentication of the IPSec peers negotiates IPSec keys and negotiates IPSec security associations Public Key Cryptography Standard 7 PKCS 7 A standard from RSA Data Security Inc used to encrypt and sign certificate enrollment messages Public Key Cryptography Standar...

Page 1225: ...r public keys or secrets between each pair of devices that use IPSec to protect communications between them Without certificates every new device added to the network requires a configuration change on every other device with which it communicates securely With digital certificates each device is enrolled with a certification authority When two devices wish to communicate they exchange certificate...

Page 1226: ...hange IKE phase one signature verification the initiator will send the responder a list of its CA certificates The responder should send the certificate issued by one of the CAs in the list If the certificate is verified the device saves the public key contained in the certificate on its public key ring With multiple root CAs VPN users can establish trust in one domain and easily and securely dist...

Page 1227: ...s not support an RA only one CRL gets stored in the device If your CA supports an RA multiple CRLs can be stored in the device In some cases storing these certificates and CRLs locally will not present any difficulty In other cases memory might become a problem particularly if the CA supports an RA and a large number of CRLs have to be stored on the device If the NVRAM is too small to store root c...

Page 1228: ...host name and IP domain name of a device if this has not already been done This is required because the device assigns a fully qualified domain name FQDN to the keys and certificates used by IPsec and the FQDN is based on the host name and IP domain name assigned to the device For example a certificate named device20 example com is based on a device host name of device20 and a device IP domain nam...

Page 1229: ...erating an RSA Key Pair Rivest Shamir and Adelman RSA key pairs are used to sign and encrypt IKE key management messages and are required before obtaining a certificate for your device SUMMARY STEPS 1 enable 2 configure terminal 3 crypto key generate rsa usage keys 4 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Example Device enable Step 1 Enter your password if...

Page 1230: ...l 3 crypto ca trustpoint name 4 enrollment url url 5 enrollment command 6 exit 7 crypto pki trustpoint name 8 crl query ldap url port 9 enrollment mode ra retry count number retry period minutes url url 10 enrollment mode ra retry count number retry period minutes url url 11 revocation check method1 method2 method3 12 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable...

Page 1231: ...Device config crypto pki trustpoint ka Step 7 Queries the certificate revocation list CRL to ensure that the certificate of the peer is not revoked crl query ldap url port Example Device ca trustpoint crl query ldap bar cisco com 3899 Step 8 Specifies the enrollment wait period between certificate request retries enrollment mode ra retry count number retry period minutes url url Example Device ca ...

Page 1232: ...rompted Enters global configuration mode configure terminal Example Device configure terminal Step 2 Declares the trustpoint that your device should use and enters CA trustpoint configuration mode crypto ca trustpoint name Example Device config crypto ca trustpoint ka Step 3 Checks the revocation status of a certificate revocation check method1 method2 method3 Example Device ca trustpoint revocati...

Page 1233: ...key of the CA should be manually authenticated by contacting the CA administrator to compare the fingerprint of the CA certificate when you perform this step Perform the following task to get the public key of the CA SUMMARY STEPS 1 enable 2 configure terminal 3 crypto pki authenticatename 4 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Example Device enable Step...

Page 1234: ...the CA If your device reboots after you have issued the crypto pki enroll command but before you have received the certificates you must reissue the command and notify the CA administrator Note SUMMARY STEPS 1 enable 2 configure terminal 3 crypto pki enroll number 4 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Example Device enable Step 1 Enter your password if ...

Page 1235: ...ly when the CA does not support an RA When a device receives a certificate from a peer your device will download a CRL from the CA The device then checks the CRL to make sure the certificate that the peer sent has not been revoked If the certificate appears on the CRL the device will not accept the certificate and will not authenticate the peer A CRL can be reused with subsequent certificates unti...

Page 1236: ... with a trusted root When your device receives a certificate from a peer from another domain with a different CA the CRL downloaded from the CA of the device will not include certificate information about the peer Therefore you should check the CRL published by the configured root with the LDAP URL to ensure that the certificate of the peer has not been revoked If you would like CRL of the root ce...

Page 1237: ...en revoked crl query ldap url port Example Device ca trustpoint crl query ldap url port Step 4 Exits CA trustpoint configuration mode and returns to privileged EXEC mode end Example Device ca trustpoint end Step 5 Deleting RSA Keys from a Device Under certain circumstances you may want to delete RSA keys from your device For example if you believe the RSA keys were compromised in some way and shou...

Page 1238: ...s Ask the CA administrator to revoke the device certificates at the CA you must supply the challenge password that you created when you originally obtained the device certificates with the crypto pki enroll command Manually remove the device certificates from the device configuration Deleting Public Keys for a Peer Under certain circumstances you may want to delete RSA public keys of peer devices ...

Page 1239: ...n mode and returns to privileged EXEC mode end Example Device config pubkey end Step 5 Deleting Certificates from the Configuration If the need arises you can delete certificates that are saved in your device Your devices saves its own certificates the certificate of the CA and any RA certificates To delete the CA s certificate you must remove the entire CA identity which also removes all certific...

Page 1240: ...ain myca Step 4 Deletes the certificate no certificate certificate serial number Example Device config cert chain no certificate 0123456789ABCDEF0123456789ABCDEF Step 5 Exits certificate chain configuration mode and returns to global configuration mode exit Example Device config cert chain exit Step 6 Deletes a certificate manually no crypto pki import name certificate Example Device config no cry...

Page 1241: ...vice show crypto key pubkey chain rsa Example Device show crypto key pubkey chain rsa Step 3 Displays the address of a specific key show crypto key pubkey chain rsa name key name address key address Step 4 Example Device show crypto key pubkey chain rsa address 209 165 202 129 Displays information about the device certificate the certification authority CA certificate and any registration authorit...

Page 1242: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1160 Monitoring and Maintaining Certification Authority ...

Page 1243: ... release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www...

Page 1244: ...s lists on your device all packets passing through the device are allowed access to all parts of your network Access lists can allow a host to access a part of your network and prevent another host from accessing the same area In the figure below Host A is allowed to access the Human Resources network but Host B is prevented from accessing the Human Resources network You can also use access lists ...

Page 1245: ...y protocol enabled on an interface if you want to control traffic flow for that protocol Software Processing of an Access List The following general steps describe how the an access list is processed when it is applied to an interface a vty or referenced by any command These steps apply to an access list that has 13 or fewer access list entries The software receives an IP packet and tests parts of...

Page 1246: ...tatement packets are discarded Outbound access lists process packets before they leave the device Incoming packets are routed to the outbound interface and then processed by the outbound access list For outbound access lists when you configure a permit statement packets are sent to the output buffer and when you configure a deny statement packets are discarded Note An access list can control traff...

Page 1247: ...you want to deny access to a particular host or network and find out if someone from that network or host is attempting to gain access include the log keyword with the corresponding deny statement so that the packets denied from that source are logged for you This hint applies to the placement of your access list When trying to save resources remember that an inbound access list applies the filter...

Page 1248: ... a 1 and 0 mean the opposite of what they mean in a subnet network mask A wildcard mask bit 0 means check the corresponding bit value they must match A wildcard mask bit 1 means ignore that corresponding bit value they need not match If you do not supply a wildcard mask with a source or destination address in an access list statement the software assumes an implicit wildcard mask of 0 0 0 0 meanin...

Page 1249: ... IPv4 traffic including TCP User Datagram Protocol UDP Internet Group Management Protocol IGMP and Internet Control Message Protocol ICMP Ethernet ACLs filter non IP traffic This switch also supports quality of service QoS classification ACLs Supported ACLs The switch supports three types of ACLs to filter traffic Port ACLs access control traffic entering a Layer 2 interface You can apply only one...

Page 1250: ...her packets are filtered only by the VLAN map When a VLAN map output router ACL and input port ACL exist in an SVI incoming packets received on the ports to which a port ACL is applied are only filtered by the port ACL Outgoing routed IP packets are filtered by both the VLAN map and the router ACL Other packets are filtered only by the VLAN map Port ACLs Port ACLs are ACLs that are applied to Laye...

Page 1251: ...rface If an IP access list or MAC access list is already configured on a Layer 2 interface and you apply a new IP access list or MAC access list to the interface the new ACL replaces the previously configured one Note Router ACLs You can apply router ACLs on switch virtual interfaces SVIs which are Layer 3 interfaces to VLANs on physical Layer 3 interfaces and on Layer 3 EtherChannel interfaces Yo...

Page 1252: ...en the fragment contains no Layer 4 information and the ACE tests some Layer 4 information the matching rules are modified Permit ACEs that check the Layer 3 information in the fragment including protocol type such as TCP UDP and so on are considered to match the fragment regardless of what the missing Layer 4 information might have been Deny ACEs that check Layer 4 information never match a fragm...

Page 1253: ...semble a complete packet so packet B is effectively denied However the later fragments that are permitted will consume bandwidth on the network and resources of host 10 1 1 2 as it tries to reassemble the packet Fragmented packet C is from host 10 2 2 2 port 65001 going to host 10 1 1 3 port ftp If this packet is fragmented the first fragment matches the fourth ACE a deny All other fragments also ...

Page 1254: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1172 Information About Access Control Lists ...

Page 1255: ... 1174 Restrictions for Configuring IPv4 Access Control Lists page 1174 Information About Configuring IPv4 Access Control Lists page 1175 How to Configure ACLs page 1183 Monitoring IPv4 ACLs page 1204 Configuration Examples for ACLs page 1206 Examples Troubleshooting ACLs page 1213 Additional References page 1214 Feature Information for IPv4 Access Control Lists page 1215 Finding Feature Informatio...

Page 1256: ...AN interface or a VLAN map applied to the VLAN If you apply an ACL to a Layer 3 interface and routing is not enabled on the switch the ACL only filters packets that are intended for the CPU such as SNMP Telnet or web traffic You do not have to enable routing to apply ACLs to Layer 2 interfaces By default the router sends Internet Control Message Protocol ICMP unreachable messages when a packet is ...

Page 1257: ...If there are no restrictions the switch forwards the packet otherwise the switch drops the packet The switch can use ACLs on all packets it forwards including packets bridged within a VLAN You configure access lists on a router or Layer 3 switch to provide basic security for your network If you do not configure ACLs all packets passing through the switch could be allowed onto all parts of the netw...

Page 1258: ...IPv4 standard and extended access lists numbers 1 to 199 and 1300 to 2699 Table 113 Access List Numbers Supported Type Access List Number Yes IP standard access list 1 99 Yes IP extended access list 100 199 No Protocol type code access list 200 299 No DECnet access list 300 399 No XNS standard access list 400 499 No XNS extended access list 500 599 No AppleTalk access list 600 699 No 48 bit MAC ad...

Page 1259: ...re entered After creating a numbered standard IPv4 ACL you can apply it to VLANs to terminal lines or to interfaces Numbered Extended IPv4 ACLs Although standard ACLs use only source addresses for matching you can use extended ACL source and destination addresses for matching operations and optional protocol type information for finer granularity of control When you are creating ACEs in numbered e...

Page 1260: ...he Named ACL Support for Noncontiguous Ports on an Access Control Entry Feature The Named ACL Support for Noncontiguous Ports on an Access Control Entry feature allows you to specify noncontiguous ports in a single access control entry which greatly reduces the number of entries required in an access control list when several entries have the same source address destination address and protocol bu...

Page 1261: ...tion mode then sequence numbers for that access list are generated automatically Distributed support is provided so that the sequence numbers of entries in the Route Processor RP and line card are in synchronization at all times Sequence numbers are not nvgened That is the sequence numbers themselves are not saved In the event that the system is reloaded the configured sequence numbers revert to t...

Page 1262: ...or switched and routed packets Router ACLs function as follows The hardware controls permit and deny actions of standard and extended ACLs input and output for security access control If log has not been specified the flows that match a deny statement in a security ACL are dropped by the hardware if ip unreachables is disabled The flows matching a permit statement are switched in hardware Adding t...

Page 1263: ...ket the switch sends the packet If the ACL rejects the packet the switch discards the packet By default the input interface sends ICMP Unreachable messages whenever a packet is discarded regardless of whether the packet was discarded because of an ACL on the input interface or because of an ACL on the output interface ICMP Unreachables are normally limited to no more than one every one half second...

Page 1264: ...de logging messages about packets permitted or denied by a standard IP access list That is any packet that matches the ACL causes an informational logging message about the packet to be sent to the console The level of messages logged to the console is controlled by the logging console commands controlling the syslog messages Because routing is done in hardware and logging is done in software if a...

Page 1265: ...access conditions 2 Apply the ACL to interfaces or terminal lines You can also apply standard and extended IP ACLs to VLAN maps DETAILED STEPS Purpose Command or Action Create an ACL by specifying an access list number or name and the access conditions Step 1 Apply the ACL to interfaces or terminal lines You can also apply standard and extended IP ACLs to VLAN maps Step 2 Creating a Numbered Stand...

Page 1266: ...hich the packet is being sent specified as your_host The 32 bit quantity in dotted decimal format The keyword any as an abbreviation for source and source wildcard of 0 0 0 0 255 255 255 255 You do not need to enter a source wildcard The keyword host as an abbreviation for source and source wildcard of source 0 0 0 0 Optional The source wildcard applies wildcard bits to the source Optional Enter l...

Page 1267: ...ination wildcard operator port precedence precedence tos tos fragments log log input time range time range name dscp dscp 5 access list access list number deny permit icmp source source wildcard destination destination wildcard icmp type icmp type icmp code icmp message precedence precedence tos tos fragments time range time range name dscp dscp 6 access list access list number deny permit igmp so...

Page 1268: ... any host The keyword host for a single host 0 0 0 0 The other keywords are optional and have these meanings precedence Enter to match packets with a precedence level specified as a number from 0 to 7 or by name routine 0 priority 1 immediate 2 flash 3 flash override 4 critical 5 internet 6 network 7 fragments Enter to check non initial fragments tos Enter to match by type of service level specifi...

Page 1269: ...or port precedence precedence tos tos fragments log log input time range time range name dscp dscp Example Switch config access list 101 permit udp any any eq 100 Defines an extended ICMP access list and the access conditions access list access list number deny permit icmp source source wildcard Step 5 The ICMP parameters are the same as those described for most IP protocols in an extended IPv4 AC...

Page 1270: ...EPS 1 enable 2 configure terminal 3 ip access list standard name 4 Use one of the following deny source source wildcard host source any log permit source source wildcard host source any log 5 end 6 show running config 7 copy running config startup config DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Example Switch enable Step 1 Consoli...

Page 1271: ...st source A source and source wildcard of source 0 0 0 0 permit source source wildcard host source any log any A source and source wildcard of 0 0 0 0 255 255 255 255 Example Switch config std nacl deny 192 168 0 0 0 0 255 255 255 255 0 0 0 0 255 255 or Switch config std nacl permit 10 108 0 0 0 0 0 0 255 255 255 0 0 0 0 0 Returns to privileged EXEC mode end Example Switch config std nacl end Step...

Page 1272: ...access list configuration mode ip access list extended name Example Switch config ip access list extended 150 Step 3 The name can be a number from 100 to 199 In access list configuration mode specify the conditions allowed or denied Use the log keyword to get access list logging messages including violations deny permit protocol source source wildcard host source any destination destination wildca...

Page 1273: ...ver you can use no permit and no deny access list configuration mode commands to remove entries from a named ACL Being able to selectively remove lines from a named ACL is one reason you might use named ACLs instead of numbered ACLs What to Do Next After creating a named ACL you can apply it to interfaces or to VLANs Configuring an Access Control Entry with Noncontiguous Ports Perform this task to...

Page 1274: ...onfiguration mode configure terminal Example Device configure terminal Step 2 Specifies the IP access list by name and enters named access list configuration mode ip access list extended access list name Example Device config ip access list extended acl extd 1 Step 3 Specifies a permit statement in named IP access list configuration mode sequence number permit tcp source source wildcard operator p...

Page 1275: ...ure up to 10 ports after the eq and neqoperators All other operators require one port number To filter UDP ports use the UDP syntax of this command Allows you to revise the access list Repeat Step 4 or Step 5 as necessary adding statements by sequence number where you planned Step 6 Use the no sequence number command to delete an entry Optional Exits named access list configuration mode and return...

Page 1276: ...access list show ip access lists access list name Step 2 Example Device show ip access lists mylist1 Review the output to see if you can consolidate any access list entries Enters global configuration mode configure terminal Example Device configure terminal Step 3 Specifies the IP access list by name and enters named access list configuration mode ip access list extended access list name Example ...

Page 1277: ...ntry Step 7 Optional Exits named access list configuration mode and returns to privileged EXEC mode end Example Device config std nacl end Step 8 Optional Displays the contents of the access list show ip access lists access list name Example Device show ip access lists mylist1 Step 9 Sequencing Access List Entries and Revising the Access List This task shows how to assign sequence numbers to entri...

Page 1278: ...o one of the following sequence number permit source source wildcard sequence number permit protocol source source wildcard destination destination wildcard precedence precedence tos tos log time range time range name fragments 8 Do one of the following sequence number deny source source wildcard sequence number deny protocol source source wildcard destination destination wildcard precedence prece...

Page 1279: ...rst depending on the order of statements you need sequence number permit protocol source source wildcard destination destination wildcard As the prompt indicates this access list was a standard access list If you had specified extended in Step 4 the precedence precedence tos tos log time range time range name fragments prompt for this step would be Device config ext nacl and you would use the exte...

Page 1280: ...mber deny source source wildcard This access list happens to use a permitstatement first but a deny statement could appear first depending on the order of statements you need sequence number deny protocol source source wildcard destination destination wildcard precedence precedence tos tos log time range time range name fragments See the deny IP command for additional command syntax to permit uppe...

Page 1281: ... standard extended name number 4 remark remark 5 deny protocol host host address any eq port 6 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Example Device enable Step 1 Enter your password if prompted Enters global configuration mode configure terminal Example Device configure terminal Step 2 Identifies the access list by a name or number and enters extended nam...

Page 1282: ...a time range parameter for an ACL SUMMARY STEPS 1 enable 2 configure terminal 3 time range time range name 4 Use one of the following absolute start time date end time date periodic day of the week hh mm to day of the week hh mm periodic weekdays weekend daily hh mm to hh mm 5 end 6 show running config 7 copy running config startup config DETAILED STEPS Purpose Command or Action Enables privileged...

Page 1283: ...he one configured last is executed periodic day of the week hh mm to day of the week hh mm You can enter multiple periodic statements For example you could configure different hours for weekdays and weekends periodic weekdays weekend daily hh mm to hh mm Example Switch config time range absolute start 00 00 See the example configurations 1 Jan 2006 end 23 59 1 Jan 2006 or Switch config time range ...

Page 1284: ... vty line number 4 access class access list number in out 5 end 6 show running config 7 copy running config startup config DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Example Switch config enable Step 1 Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Identifies a specific line to confi...

Page 1285: ...es show running config Example Switch show running config Step 6 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 7 Applying an IPv4 ACL to an Interface This section describes how to apply IPv4 ACLs to network interfaces Beginning in privileged EXEC mode follow these steps to control access to an interfa...

Page 1286: ... Step 4 Displays the access list configuration show running config Example Switch show running config Step 5 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 6 Monitoring IPv4 ACLs You can monitor IPv4 ACLs by displaying the ACLs that are configured on the switch and displaying the ACLs that have been ap...

Page 1287: ...and ACLs have been applied by using the ip access group interface configuration command the access groups are included in the display show ip interface interface id Displays the contents of the configuration file for the switch or the specified interface including all configured MAC and IP access lists and which access groups are applied to an interface show running config interface interface id D...

Page 1288: ...ple Numbered ACLs In this example network 36 0 0 0 is a Class A network whose second octet specifies a subnet that is its subnet mask is 255 255 0 0 The third and fourth octets of a network 36 0 0 0 address specify a particular host Using access list 2 the switch accepts one address on subnet 48 and reject all others on that subnet The last line of the list shows that the switch accepts addresses ...

Page 1289: ...tgoing services are separately controlled The ACL must be configured as an input ACL on the outbound interface and an output ACL on the inbound interface Switch config access list 102 permit tcp any 128 88 0 0 0 0 255 255 eq 23 Switch config access list 102 permit tcp any 128 88 0 0 0 0 255 255 eq 25 Switch config interface gigabitethernet1 0 1 Switch config if ip access group 102 in In this examp...

Page 1290: ...e individual ACEs from the named access list border list Switch config ip access list extended border list Switch config ext nacl no permit ip host 10 1 1 3 any Example Configuring an Access Control Entry with Noncontiguous Ports The following access list entry can be created because up to ten ports can be entered after the eq and neq operators ip access list extended aaa permit tcp any eq telnet ...

Page 1291: ... ip host 10 4 4 4 any 50 Dynamic test permit ip any any 60 permit ip host 172 16 2 2 host 10 3 3 12 70 permit ip host 10 3 3 3 any log 80 permit tcp host 10 3 3 3 host 10 1 2 2 90 permit ip host 10 3 3 3 any 100 permit ip any any Router config ip access list extended carls Router config ip access list resequence carls 1 2 Router config end Router show access list carls Extended IP access list carl...

Page 1292: ... 10 4 4 4 0 0 0 255 Router config std nacl end Router show access list Standard IP access list resources 10 permit 10 1 1 1 wildcard bits 0 0 0 255 20 permit 10 2 2 2 wildcard bits 0 0 0 255 30 permit 10 3 3 3 wildcard bits 0 0 0 255 40 permit 10 4 4 4 wildcard bits 0 0 0 255 Examples Configuring Commented IP ACL Entries In this example of a numbered ACL the workstation that belongs to Jones is al...

Page 1293: ...ccess list 188 10 deny tcp any any time range new_year_day_2006 inactive 20 permit tcp any any time range workhours inactive This example uses named ACLs to permit and deny the same traffic Switch config ip access list extended deny_access Switch config ext nacl deny tcp any any time range new_year_day_2006 Switch config ext nacl exit Switch config ip access list extended may_access Switch config ...

Page 1294: ...bytes 00 00 48 NTP authentication delay calculation problems output truncated 00 09 34 SEC 6 IPACCESSLOGS list stan1 permitted 0 0 0 0 1 packet 00 09 59 SEC 6 IPACCESSLOGS list stan1 denied 10 1 1 15 1 packet 00 10 11 SEC 6 IPACCESSLOGS list stan1 permitted 0 0 0 0 1 packet This example is a named extended access list ext1 that permits ICMP packets from any source to 10 1 1 0 0 0 0 255 and denies ...

Page 1295: ...rdware resources enter the show platform layer4 acl map privileged EXEC command If the switch does not have available resources the output shows that index 0 to index 15 are not available For more information about configuring ACLs with insufficient resources see CSCsq63926 in the Bug Toolkit For example if you apply this ACL to an interface permit tcp source source wildcard destination destinatio...

Page 1296: ...3850 Switches http www cisco com en US docs ios xml ios security config_library xe 3se 3850 secdata xe 3se 3850 library html IPv4 Access Control List topics Error Message Decoder Link Description https www cisco com cgi bin Support Errordecoder index cgi To help you research and resolve system error messages in this release use the Error Message Decoder tool MIBs MIBs Link MIB To locate and downlo...

Page 1297: ...rk This feature was introduced Cisco IOS 15 0 2 EX The Named ACL Support for Noncontiguous Ports on an Access Control Entry feature allows you to specify noncontiguous ports in a single access control entry which greatly reduces the number of entries required in an access control list when several entries have the same source address destination address and protocol but differ only in the ports Ci...

Page 1298: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1216 Feature Information for IPv4 Access Control Lists ...

Page 1299: ...ACLs page 1218 Restrictions for IPv6 ACLs page 1218 Information About Configuring IPv6 ACLs page 1219 How to Configure IPv6 ACLs page 1222 Configuration Examples for IPv6 ACLs page 1230 Additional References page 1232 Feature Information for IPv6 Access Control Lists page 1233 Finding Feature Information Your software release may not support all the features documented in this module For the lates...

Page 1300: ... EtherChannels When configuring an ACL there is no restriction on keywords entered in the ACL regardless of whether or not they are supported on the platform When you apply the ACL to an interface that requires hardware forwarding physical ports or SVIs the switch checks to determine whether or not the ACL can be supported on the interface If not attaching the ACL is rejected If an ACL is applied ...

Page 1301: ...e switch can use ACLs on all packets it forwards including packets bridged within a VLAN You configure access lists on a router or Layer 3 switch to provide basic security for your network If you do not configure ACLs all packets passing through the switch could be allowed onto all parts of the network You can use ACLs to control which hosts can access different parts of a network or to decide whi...

Page 1302: ...uted IPv6 packets are filtered by the router ACL Other packets are not filtered If any port ACL IPv4 IPv6 or MAC is applied to an interface that port ACL is used to filter packets and any router ACLs attached to the SVI of the port VLAN are ignored Note Interactions with Other Features and Switches If an IPv6 router ACL is configured to deny a packet the packet is not routed A copy of the packet i...

Page 1303: ...in software Logging is supported for router ACLs but not for port ACLs IPv6 Port Based Access Control List Support The IPv6 PACL feature provides the ability to provide access control permit or deny on Layer 2 switch ports for IPv6 traffic IPv6 PACLs are similar to IPv4 PACLs which provide access control on Layer 2 switch ports for IPv4 traffic They are supported only in the ingress direction and ...

Page 1304: ...t protocol psh range port protocol rst routing sequence value syn time range name urg 6 deny permit udp source ipv6 prefix prefix length any host source ipv6 address operator port number destination ipv6 prefix prefix length any host destination ipv6 address operator port number dscp value log log input neq port protocol range port protocol routing sequence value time range name 7 deny permit icmp...

Page 1305: ...For host source ipv6 address or destination ipv6 address enter the source or destination IPv6 host address for which to set deny or permit conditions specified in hexadecimal using 16 bit values between colons Optional For operator specify an operand that compares the source or destination ports of the specified protocol Operands are lt less than gt greater than eq equal neq not equal and range If...

Page 1306: ...r psh Push function bit set range port protocol Matches only packets in the port number range rst Reset bit set syn Synchronize bit set urg Urgent pointer bit set Optional Define a UDP access list and the access conditions deny permit udp source ipv6 prefix prefix length any host Step 6 Enter udp for the User Datagram Protocol The UDP parameters are the same as those described for TCP except that ...

Page 1307: ...e access list configuration show ipv6 access list Step 9 Verifies your entries show running config Example Switch show running config Step 10 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config Step 11 startup config What to Do Next Attach the IPv6 ACL to an Interface Attaching an IPv6 ACL to an Interface You can apply an ACL ...

Page 1308: ... for router ACLs on which to apply an access list and enter interface configuration mode interface interface id Step 3 If applying a router ACL this changes the interface from Layer 2 mode the default to Layer 3 mode no switchport Step 4 Configure an IPv6 address on a Layer 3 interface for router ACLs ipv6 address ipv6 address Step 5 Apply the access list to incoming or outgoing traffic on the int...

Page 1309: ...his is an example of the output from the show access lists privileged EXEC command The output shows all access lists that are configured on the switch or switch stack Switch show access lists Extended IP access list hello 10 permit ip any any IPv6 access list ipv6 permit ipv6 any any sequence 10 This is an example of the output from the show ipv6 access list privileged EXEC command The output show...

Page 1310: ...n Enables privileged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Enters global configuration mode configure terminal Example Device configure terminal Step 2 Defines an IPv6 ACL and enters IPv6 access list configuration mode ipv6 access list access list name Example Device config ipv6 access list list1 Step 3 Exits IPv6 access list configuration mode and enters gl...

Page 1311: ...nput mobility mobility type mh number mh type reflect name timeout value routing routing type routing number sequence value time range name 5 deny protocol source ipv6 prefix prefix length any host source ipv6 address auth operator port number destination ipv6 prefix prefix length any host destination ipv6 address auth operator port number dest option type header number header type dscp value flow...

Page 1312: ...refix prefix length any host destination ipv6 address auth operator port number dest option type header number header type dscp value flow label value fragments hbh log log input mobility mobility type mh number mh type routing routing type routing number sequence value time range name undetermined transport Example Device config ipv6 acl deny icmp any any dest option type Returns to privileged EX...

Page 1313: ...ice config ipv6 access list hbh_acl Device config ipv6 acl permit tcp any any hbh Device config ipv6 acl permit tcp any any Device config ipv6 acl permit udp any any Device config ipv6 acl permit udp any any hbh Device config ipv6 acl permit hbh any any Device config ipv6 acl permit any any Device config ipv6 acl hardware statistics Device config ipv6 acl exit Assign an IP address and add the ACL ...

Page 1314: ...ommand ipv6 xe 3se 3850 cr book html IPv6 command reference Error Message Decoder Link Description https www cisco com cgi bin Support Errordecoder index cgi To help you research and resolve system error messages in this release use the Error Message Decoder tool MIBs MIBs Link MIB To locate and download MIBs for selected platforms Cisco IOS releases and feature sets use Cisco MIB Locator found at...

Page 1315: ...ists only the software release that introduced support for a given feature in a given software release train Unless noted otherwise subsequent releases of that software release train also support that feature Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to www cisco com go cfn An account on Cisco com is...

Page 1316: ...tended to support traffic filtering based on IPv6 option headers and optional upper layer protocol type information for finer granularity of control 12 2 25 SG IPv6 Services Extended Access Control Lists Access lists determine what traffic is blocked and what traffic is forwarded at router interfaces and allow filtering based on source and destination addresses inbound and outbound to a specific i...

Page 1317: ...pport for Filtering IP Options page 1242 Additional References for ACL Support for Filtering IP Options page 1243 Feature Information for Creating an IP Access List to Filter page 1244 Finding Feature Information Your software release may not support all the features documented in this module For the latest caveats and feature information see Bug Search Tool and the release notes for your platform...

Page 1318: ... to RFC 791 Internet Protocol at the following URL http www faqs org rfcs rfc791 html Benefits of Filtering IP Options Filtering of packets that contain IP Options from the network relieves downstream devices and hosts of the load from options packets This feature also minimizes load to the Route Processor RP for packets with IP Options that require RP processing on distributed systems Previously ...

Page 1319: ...t specifies the next sequence number the sender of this segment is expecting to receive ACK Finish flag Used to clear connections FIN Push flag Indicates the data in the call should be immediately pushed through to the receiving user PSH Reset flag Indicates that the receiver should delete the connection without further interaction RST Synchronize flag Used to establish connections SYN Urgent flag...

Page 1320: ...tination destination wildcard option option value precedence precedence tos tos log time range time range name fragments 6 Repeat Step 4 or Step 5 as necessary 7 end 8 show ip access lists access list name DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Enters global configuration mode configure terminal Exam...

Page 1321: ...time range time range name fragments Example Device config ext nacl permit ip any any option security Use the no sequence number form of this command to delete an entry Allows you to revise the access list Repeat Step 4 or Step 5 as necessary Step 6 Optional Exits named access list configuration mode and returns to privileged EXEC mode end Example Device config ext nacl end Step 7 Optional Display...

Page 1322: ...applied leading to possible security loopholes Caution SUMMARY STEPS 1 enable 2 configure terminal 3 ip access list extended access list name 4 sequence number permit tcp source source wildcard operator port destination destination wildcard operator port established match any match all flag name precedence precedence tos tos log time range time range name fragments 5 sequence number deny tcp sourc...

Page 1323: ...ce wildcard operator port destination destination wildcard Step 5 operator port established match any match all This access list happens to use a permitstatement first but a deny statement could appear first depending on the order of statements you need flag name precedence precedence tos tos log time range time range name fragments Example Device config ext nacl deny tcp any any match all ack fin...

Page 1324: ...been entered to show how many packets were matched and therefore permitted Device show ip access list mylist2 Extended IP access list test 10 permit ip any any option eool 1 match 20 permit ip any any option record route 1 match 30 permit ip any any option zsu 1 match 40 permit ip any any option mtup 1 match Example Filtering Packets That Contain TCP Flags The following access list allows TCP pack...

Page 1325: ... html RFC 791 Transmission Control Protocol RFC 793 Traceroute Using an IP Option RFC 1393 Technical Assistance Link Description http www cisco com cisco web support index html The Cisco Support and Documentation website provides online resources to download documentation software and tools Use these resources to install and configure the software and to troubleshoot and resolve technical issues w...

Page 1326: ...rmation for Creating an IP Access List to Filter Feature Configuration Information Releases Feature Name This feature allows you to filter packets having IP Options in order to prevent routers from becoming saturated with spurious packets Cisco IOS 15 2 2 E ACL Support for Filtering IP Options This feature provides a flexible mechanism for filtering on TCP flags The ACL TCP Flags Filtering feature...

Page 1327: ...ow to Configure VLAN Access Control Lists page 1248 Configuration Examples for ACLs and VLAN Maps page 1257 Configuration Examples for Using VLAN Maps in Your Network page 1260 Configuration Examples of Router ACLs and VLAN Maps Applied to VLANs page 1262 Finding Feature Information Your software release may not support all the features documented in this module For the latest caveats and feature ...

Page 1328: ...e 79 Using VLAN Maps to Control Traffic VLAN Map Configuration Guidelines VLAN maps are the only way to control filtering within a VLAN VLAN maps have no direction To filter traffic in a specific direction by using a VLAN map you need to include an ACL with specific source or destination addresses If there is a match clause for that type of packet IP or MAC in the VLAN map the default action is to...

Page 1329: ...MAC and the packet does not match the type the default is to drop the packet If there is no match clause in the VLAN map and no action specified the packet is forwarded if it does not match any VLAN map entry VLAN Maps and Router ACL Configuration Guidelines These guidelines are for configurations where you need to have an router ACL and a VLAN map on the same VLAN These guidelines do not apply to...

Page 1330: ...yslog message is generated the timer and packet counter are reset VACL logging restrictions Only denied IP packets are logged Packets that require logging on the outbound port ACLs are not logged if they are denied by a VACL How to Configure VLAN Access Control Lists Creating Named MAC Extended ACLs You can filter non IPv4 traffic on a VLAN or on a Layer 2 interface by using MAC addresses and name...

Page 1331: ...type 8042 lat lavc sca mop console Optional You can also enter these options mop dump msdos mumps netbios vines echo vines ip xns idp 0 65535 cos cos type mask An arbitrary EtherType number of a packet with Ethernet II or SNAP encapsulation in decimal hexadecimal Example Switch config ext macl deny any any or octal with optional mask of don t care bits applied to the EtherType before testing for a...

Page 1332: ...UMMARY STEPS 1 enable 2 configure terminal 3 interface interface id 4 mac access group name in out 5 end 6 show mac access group interface interface id 7 show running config 8 copy running config startup config DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Example Switch enable Step 1 Enters the global configuration mode configure term...

Page 1333: ...roup interface Step 6 gigabitethernet1 0 2 Verifies your entries show running config Example Switch show running config Step 7 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 8 After receiving a packet the switch checks it against the inbound ACL If the ACL permits it the switch continues to process the...

Page 1334: ... to modify or delete 20 VLAN maps do not use the specific permit or deny keywords To deny a packet by using VLAN maps create an ACL that would match the packet and set the action to drop A permit in the ACL counts as a match A deny in the ACL means no match Entering this command changes to access map configuration mode Match the packet using either the IP or MAC address against one or more standar...

Page 1335: ...p 1 The list can be a single VLAN ID 22 a consecutive list 10 22 or a string of VLAN IDs 12 22 30 Spaces around the comma and hyphen are optional vlan list 20 22 Creating a VLAN Map Each VLAN map consists of an ordered series of entries Beginning in privileged EXEC mode follow these steps to create add to or delete a VLAN map entry SUMMARY STEPS 1 configure terminal 2 vlan access map name number 3...

Page 1336: ...match Entering this command changes to access map configuration mode Match the packet using either the IP or MAC address against one or more standard or extended access lists Note that packets are only matched match ip mac address name number name number Step 3 against access lists of the correct protocol type IP packets are matched Example Switch config access map match ip against standard or ext...

Page 1337: ... DETAILED STEPS Purpose Command or Action Enters the global configuration mode configure terminal Example Switch configure terminal Step 1 Applies the VLAN map to one or more VLAN IDs vlan filter mapname vlan list list Step 2 Example Switch config vlan filter map 1 vlan list The list can be a single VLAN ID 22 a consecutive list 10 22 or a string of VLAN IDs 12 22 30 Spaces around the comma and hy...

Page 1338: ...mmand or Action Enters the global configuration mode configure terminal Example Switch configure terminal Step 1 Creates a VLAN map Give it a name and optionally a number The number is the sequence number of the entry within the map vlan access map name number Example Switch config vlan access map Step 2 The sequence number range is from 0 to 65535 When you create VLAN maps with the same name numb...

Page 1339: ...ch config vlan access log The range is from 0 to 2048 The default is 500 threshold 4000 threshold pkt_count Sets the logging threshold A logging message is generated if the threshold for a flow is reached before the 5 minute interval The threshold range is from 0 to 2147483647 The default threshold is 0 which means that a syslog message is generated every 5 minutes Returns to privileged EXEC mode ...

Page 1340: ...P Packets and Forwarding MAC Packets In this example the VLAN map has a default action of drop for IP packets and a default action of forward for MAC packets Used with standard ACL 101 and extended named access lists igmp match and tcp match the map will have the following results Forward all UDP packets Drop all IGMP packets Forward all TCP packets Drop all other IP packets Forward all non IP pac...

Page 1341: ...map match mac address good hosts Switch config access map action forward Switch config access map exit Switch config vlan access map drop mac default 20 Switch config access map match mac address good protocols Switch config access map action forward Example Default Action of Dropping All Packets In this example the VLAN map has a default action of drop for all packets IP and non IP Used with acce...

Page 1342: ...rom Host X IP address 10 1 1 32 to Host Y IP address 10 1 1 34 at Switch A and not bridge it to Switch B First define the IP access list http that permits matches any TCP traffic on the HTTP port Switch config ip access list extended http Switch config ext nacl permit tcp host 10 1 1 32 host 10 1 1 34 eq www Switch config ext nacl exit Next create VLAN access map map2 so that traffic that matches ...

Page 1343: ...ies access to hosts in subnet 10 1 2 0 8 host 10 1 1 4 and host 10 1 1 8 and permits other IP traffic The final step is to apply the map SERVER1 to VLAN 10 Define the IP ACL that will match the correct packets Switch config ip access list extended SERVER1_ACL Switch config ext nacl permit ip 10 1 2 0 0 0 0 255 host 10 1 1 100 Switch config ext nacl permit ip host 10 1 1 4 host 10 1 1 100 Switch co...

Page 1344: ... also possible that the packet might be dropped rather than forwarded Example ACLs and Switched Packets This example shows how an ACL is applied on packets that are switched within a VLAN Packets switched within the VLAN without being routed or forwarded by fallback bridging are only subject to the VLAN map of the input VLAN Figure 82 Applying ACLs on Switched Packets Example ACLs and Bridged Pack...

Page 1345: ...he ACLs are applied in this order 1 VLAN map for input VLAN 2 Input router ACL 3 Output router ACL 4 VLAN map for output VLAN Figure 84 Applying ACLs on Routed Packets Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1263 Configuration Examples of Router ACLs and VLAN Maps Applied to VLANs ...

Page 1346: ...than one output VLAN in which case a different router output ACL and VLAN map would apply for each destination VLAN The final result is that the packet might be permitted in some of the output VLANs and not in others A copy of the packet is forwarded to those destinations where it is permitted However if the input VLAN map drops the packet no destination receives a copy of the packet Figure 85 App...

Page 1347: ...upport To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Information About DHCP DHCP Server The DHCP server assigns IP addresses from specified address pools on a switch or router to DHCP clients and manages them If the DHCP server cannot give the DHCP client the requested configuration parameters from its database it forwards the request to ...

Page 1348: ... configure as trusted is one connected to a port on a device in the same network An example of an untrusted interface is one that is connected to an untrusted interface in the network or to an interface on a device that is not in the network When a switch receives a packet on an untrusted interface and the interface belongs to a VLAN in which DHCP snooping is enabled the switch compares the source...

Page 1349: ...h as DHCP OFFER DHCP ACK and DHCP NACK messages The ip dhcp snooping wireless bootp broadcast enable can be used to revert this behavior When the wireless BOOTP broadcast is enabled the broadcast DHCP packets from server are forwarded to wireless clients without changing the destination MAC address Related Topics Prerequisites for Configuring DHCP Snooping and Option 82 on page 1277 Option 82 Data...

Page 1350: ...ives the packet If the server is option 82 capable it can use the remote ID the circuit ID or both to assign IP addresses and implement policies such as restricting the number of IP addresses that can be assigned to a single remote ID or circuit ID Then the DHCP server echoes the option 82 field in the DHCP reply The DHCP server unicasts the reply to the switch if the request was relayed to the se...

Page 1351: ...he switch uses the packet formats when you globally enable DHCP snooping and enter the ip dhcp snooping information option global configuration command Figure 87 Suboption Packet Formats The illustration User Configured Suboption Packet Formats shows the packet formats for user configured remote ID and circuit ID suboptions The switch uses these packet formats when DHCP snooping is globally enable...

Page 1352: ...dress from a DHCP address pool For more information about manual and automatic address bindings see the Configuring DHCP chapter of the Cisco IOS IP Configuration Guide Release 12 4 For procedures to enable and configure the Cisco IOS DHCP server database see the DHCP Configuration Task List section in the Configuring DHCP chapter of the Cisco IOS IP Configuration Guide Release 12 4 DHCP Snooping ...

Page 1353: ...e format of the file with bindings initial checksum TYPE DHCP SNOOPING VERSION 1 BEGIN entry 1 checksum 1 entry 2 checksum 1 2 entry n checksum 1 2 n END Each entry in the file is tagged with a checksum value that the switch uses to verify the entries when it reads the file The initial checksum entry on the first line distinguishes entries associated with the latest file update from entries associ...

Page 1354: ...rocessing the new incoming DHCP packets How to Configure DHCP Features Default DHCP Snooping Configuration Table 118 Default DHCP Configuration Default Setting Feature Enabled in Cisco IOS software requires configuration12 DHCP server Enabled13 DHCP relay agent None configured DHCP packet forwarding address Enabled invalid messages are dropped Checking the relay agent information Replace the exist...

Page 1355: ...ooping statistics user EXEC command and you can clear the snooping statistics counters by entering the clear ip dhcp snooping statistics privileged EXEC command Configuring the DHCP Server The switch can act as a DHCP server For procedures to configure the switch as a DHCP server see the Configuring DHCP section of the IP addressing and Services section of the Cisco IOS IP Configuration Guide Rele...

Page 1356: ...s the DHCP server and relay agent on your switch By default this feature is enabled service dhcp Example Switch config service dhcp Step 3 Returns to privileged EXEC mode end Example Switch config end Step 4 Verifies your entries show running config Example Switch show running config Step 5 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy...

Page 1357: ...can be the network address if other DHCP servers are on the destination network segment Using the network address enables any DHCP server to respond to requests Beginning in privileged EXEC mode follow these steps to specify the packet forwarding address SUMMARY STEPS 1 enable 2 configure terminal 3 interface vlan vlan id 4 ip address ip address subnet mask 5 ip helper address address 6 end 7 Use ...

Page 1358: ...s are on the destination network segment Using the network address enables other servers to respond to DHCP requests If you have multiple servers you can configure one helper address for each server Returns to global configuration mode end Example Switch config if end Step 6 Configures multiple physical ports that are connected to the DHCP clients and enter interface range configuration mode Use o...

Page 1359: ...enabled If you want the switch to respond to DHCP requests it must be configured as a DHCP server Before configuring the DHCP snooping information option on your switch be sure to configure the device that is acting as the DHCP server You must specify the IP addresses that the DHCP server can assign or exclude or you must configure DHCP options for these devices For DHCP snooping to function prope...

Page 1360: ...file only when the switch system clock is synchronized with NTP Before configuring the DHCP relay agent on your switch make sure to configure the device that is acting as the DHCP server You must specify the IP addresses that the DHCP server can assign or exclude configure DHCP options for devices or set up the DHCP database agent If you want the switch to relay DHCP packets the IP address of the ...

Page 1361: ...Enables privileged EXEC mode Enter your password if prompted enable Step 1 Example Switch enable Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Enables DHCP snooping globally ip dhcp snooping Example Switch config ip dhcp snooping Step 3 Enables DHCP snooping on a VLAN or range of VLANs The range is 1 to 4094 You can enter a single VLAN ID identifi...

Page 1362: ...enables the switch to accept incoming DHCP snooping packets with option 82 information from the edge switch ip dhcp snooping information option allow untrusted Example Switch config ip dhcp snooping information option allow untrusted Step 7 The default setting is disabled Enter this command only on aggregation switches that are connected to trusted devices Note Specifies the interface to be config...

Page 1363: ... assigned to more than one VLAN with DHCP snooping Note Returns to global configuration mode exit Example Switch config if exit Step 12 Optional Configures the switch to verify that the source MAC address in a DHCP packet received on untrusted ports matches the client ip dhcp snooping verify mac address Example Switch config ip dhcp snooping verify mac address Step 13 hardware address in the packe...

Page 1364: ...ocation is a feature that enables DHCP to maintain the same IP address on an Ethernet switch port regardless of the attached device client identifier or client hardware address When Ethernet switches are deployed in the network they offer connectivity to the directly connected devices In some environments such as on a factory floor if a device fails the replacement device must be working immediate...

Page 1365: ...are not offered to the client and other clients are not served by the pool you can enter the reserved only DHCP pool configuration command Enabling the DHCP Snooping Binding Database Agent Beginning in privileged EXEC mode follow these steps to enable and configure the DHCP snooping binding database agent on the switch SUMMARY STEPS 1 enable 2 configure terminal 3 ip dhcp snooping database flash n...

Page 1366: ...username password hostname host ip directory image name tar rcp user host filename tftp host filename Specifies in seconds how long to wait for the database transfer process to finish before stopping the process ip dhcp snooping database timeout seconds Example Switch config ip dhcp snooping database timeout 300 Step 4 The default is 300 seconds The range is 0 to 86400 Use 0 to define an infinite ...

Page 1367: ...abase detail Step 8 Verifies your entries show running config Example Switch show running config Step 9 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 10 Enabling DHCP Server Port Based Address Allocation Follow these steps to globally enable port based address allocation and to automatically generate ...

Page 1368: ...nterface name Step 4 A subscriber identifier configured on a specific interface takes precedence over this command Specifies the interface to be configured and enter interface configuration mode interface interface id Example Switch config interface gigabitethernet1 0 1 Step 5 Configures the DHCP server to use the subscriber identifier as the client identifier on all incoming DHCP messages on the ...

Page 1369: ...ocation Information Purpose Command Displays the status and configuration of a specific interface show interface interface id Displays the DHCP address pools show ip dhcp pool Displays address bindings on the Cisco IOS DHCP server show ip dhcp binding Additional References Related Documents Document Title Related Topic IP Addressing DHCP Configuration Guide Cisco IOS XE Release 3S http www cisco c...

Page 1370: ...ources including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the ...

Page 1371: ...r EXEC command for displaying DHCP snooping statistics clear ip dhcp snooping statistics privileged EXEC command for clearing the snooping statistics counters Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1289 Configuring DHCP Server Port Based Address Allocation ...

Page 1372: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1290 Configuring DHCP Server Port Based Address Allocation ...

Page 1373: ...software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco...

Page 1374: ...port security at Layer 3 IPSG for static hosts also supports dynamic hosts If a dynamic host receives a DHCP assigned IP address that is available in the IP DHCP snooping table the same entry is learned by the IP device tracking table In a stacked environment when the master failover occurs the IP source guard entries for static hosts attached to member ports are retained When you enter the show i...

Page 1375: ...ure IP source guard smart logging packets with a source address other than the specified address or an address learned by DHCP are denied and the packet contents are sent to a NetFlow collector If you configure this feature make sure that smart logging is globally enabled In a switch stack if IP source guard is configured on a stack member interface and you remove the the configuration of that swi...

Page 1376: ...enable Step 1 Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Specifies the interface to be configured and enters interface configuration mode interface interface id Example Switch config interface gigabitethernet 1 0 1 Step 3 Enables IP source guard with source IP address filtering ip verify source mac check Step 4 Example Switch config if ip verif...

Page 1377: ...Step 8 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 9 Configuring IP Source Guard for Static Hosts on a Layer 2 Access Port You must configure the ip device tracking maximum limit number interface configuration command globally for IPSG for static hosts to work If you only configure this command on a...

Page 1378: ... global configuration mode configure terminal Example Switch configure terminal Step 2 Turns on the IP host table and globally enables IP device tracking ip device tracking Example Switch config ip device tracking Step 3 Enters interface configuration mode interface interface id Example Switch config interface gigabitethernet Step 4 1 0 1 Configures a port as access switchport mode access Example ...

Page 1379: ...number is 10 ip device tracking maximum number Example Switch config if ip device tracking Step 8 You must configure the ip device tracking maximum limit number interface configuration command Note maximum 8 Returns to privileged EXEC mode end Example Switch config end Step 9 Monitoring IP Source Guard Table 121 Privileged EXEC show Commands Purpose Command Displays the IP source guard configurati...

Page 1380: ...MIBs for this release Technical Assistance Link Description http www cisco com support The Cisco Support website provides extensive online resources including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert...

Page 1381: ...all the features documented in this module For the latest caveats and feature information see Bug Search Tool and the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find...

Page 1382: ...er than the configured value For example if you set the rate limit to 30 pps on an EtherChannel that has one port on switch 1 and one port on switch 2 each port can receive packets at 29 pps without causing the EtherChannel to become error disabled The operating rate for the port channel is cumulative across all the physical ports within the channel For example if you configure the port channel wi...

Page 1383: ...te to Host B at the IP layer it broadcasts an ARP request for the MAC address associated with IP address IB When the switch and Host B receive the ARP request they populate their ARP caches with an ARP binding for a host with the IP address IA and a MAC address MA for example IP address IA is bound to MAC address MA When Host B responds the switch and Host A populate their ARP caches with a bindin...

Page 1384: ... Ethernet header Use the ip arp inspection validate src mac dst mac ip global configuration command Interface Trust States and Network Security Dynamic ARP inspection associates a trust state with each interface on the switch Packets arriving on trusted interfaces bypass all dynamic ARP inspection validation checks and those arriving on untrusted interfaces undergo the dynamic ARP inspection valid...

Page 1385: ... bindings of packets from nondynamic ARP inspection switches configure the switch running dynamic ARP inspection with ARP ACLs When you cannot determine such bindings at Layer 3 isolate switches running dynamic ARP inspection from switches not running dynamic ARP inspection switches Depending on the setup of the DHCP server and the network it might not be possible to validate a given ARP packet on...

Page 1386: ...After the message is generated the switch clears the entry from the log buffer Each log entry contains flow information such as the receiving VLAN the port number the source and destination IP addresses and the source and destination MAC addresses You use the ip arp inspection log buffer global configuration command to configure the number of entries in the buffer and the number of entries needed ...

Page 1387: ...binding exists in the database populated by DHCP snooping Configuring ARP ACLs for Non DHCP Environments This procedure shows how to configure dynamic ARP inspection when Switch B shown in Figure 2 does not support dynamic ARP inspection or DHCP snooping If you configure port 1 on Switch A as trusted a security hole is created because both Switch A and Host 1 could be attacked by either Switch B o...

Page 1388: ...our password if prompted enable Step 1 Example Switch enable Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Defines an ARP ACL and enters ARP access list configuration mode By default no ARP access lists are defined arp access list acl name Step 3 At the end of the ARP access list there is an implicit deny ip any mac any command Note Permits ARP pa...

Page 1389: ...ress bindings are compared against the ACL Packets are permitted only if the access list permits them Specifies Switch A interface that is connected to Switch B and enters the interface configuration mode interface interface id Step 7 Configures Switch A interface that is connected to Switch B as untrusted no ip arp inspection trust Step 8 By default all interfaces are untrusted For untrusted inte...

Page 1390: ...sts are located A DHCP server is connected to Switch A Both hosts acquire their IP addresses from the same DHCP server Therefore Switch A has the bindings for Host 1 and Host 2 and Switch B has the binding for Host 2 Dynamic ARP inspection depends on the entries in the DHCP snooping binding database to verify IP to MAC address bindings in incoming ARP requests and ARP responses Make sure to enable...

Page 1391: ...witches show cdp neighbors Example Switch config if show cdp neighbors Step 2 Enters the global configuration mode configure terminal Example Switch configure terminal Step 3 Enable dynamic ARP inspection on a per VLAN basis By default dynamic ARP inspection is disabled on all VLANs For vlan range ip arp inspection vlan vlan range Example Switch config ip arp inspection vlan 1 Step 4 specify a sin...

Page 1392: ...og buffer according to the logging configuration specified with the ip arp inspection vlan logging global configuration command Returns to privileged EXEC mode end Example Switch config if end Step 7 Verifies the dynamic ARP inspection configuration on interfaces show ip arp inspection interfaces Example Step 8 Verifies the dynamic ARP inspection configuration on VLAN show ip arp inspection vlan v...

Page 1393: ...covery so that ports automatically emerge from this state after a specified timeout period Unless you configure a rate limit on an interface changing the trust state of the interface also changes its rate limit to the default value for that trust state After you configure the rate limit the interface retains the rate limit even when its trust state is changed If you enter the no ip arp inspection ...

Page 1394: ...Switch enable Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Specifies the interface to be rate limited and enter interface configuration mode interface interface id Step 3 Limits the rate of incoming ARP requests and responses on the interface The default rate is 15 pps on untrusted interfaces and unlimited on trusted interfaces The burst interval...

Page 1395: ...or disabled state The range is 30 to 86400 Returns to privileged EXEC mode exit Step 7 Verifies your settings Use the following show commands Step 8 show ip arp inspection interfaces show errdisable recovery Verifies your entries show running config Example Switch show running config Step 9 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy...

Page 1396: ... MAC addresses are classified as invalid and are dropped For dst mac check the destination MAC address in the Ethernet header against the target MAC address in ARP body This check is performed for ARP responses When enabled packets with different MAC addresses are classified as invalid and are dropped For ip check the ARP body for invalid and unexpected IP addresses Addresses include 0 0 0 0 255 2...

Page 1397: ...r the specified VLAN If no VLANs are specified or if a range is specified displays information only for VLANs with dynamic ARP inspection enabled active show ip arp inspection statistics vlan vlan range Clears the dynamic ARP inspection log buffer clear ip arp inspection log Displays the configuration and contents of the dynamic ARP inspection log buffer show ip arp inspection log For the show ip ...

Page 1398: ...ified displays information only for VLANs with dynamic ARP inspection enabled active show ip arp inspection vlan vlan range Additional References Error Message Decoder Link Description https www cisco com cgi bin Support Errordecoder index cgi To help you research and resolve system error messages in this release use the Error Message Decoder tool MIBs MIBs Link MIB To locate and download MIBs for...

Page 1399: ... receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 ...

Page 1400: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1318 Additional References ...

Page 1401: ...g Search Tool and the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Nav...

Page 1402: ...authentication times out while waiting for an EAPOL message exchange and MAC authentication bypass is enabled the switch can use the client MAC address for authorization If the client MAC address is valid and the authorization succeeds the switch grants the client access to the network If the client MAC address is invalid and the authorization fails the switch assigns the client to a guest VLAN th...

Page 1403: ...RADIUS attribute Attribute 27 specifies the time after which re authentication occurs The Termination Action RADIUS attribute Attribute 29 specifies the action to take during re authentication The actions are Initialize and ReAuthenticate When the Initialize action is set the attribute value is DEFAULT the 802 1x session ends and connectivity is lost during re authentication When the ReAuthenticat...

Page 1404: ...re dropped If the client does not receive an EAP request identity frame after three attempts to start authentication the client sends frames as if the port is in the authorized state A port in the authorized state effectively means that the client has been successfully authenticated Note When the client supplies its identity the switch begins its role as the intermediary passing EAP frames between...

Page 1405: ... for an Ethernet packet the switch stops the MAC authentication bypass process and starts 802 1x authentication This figure shows the message exchange during MAC authentication bypass Figure 93 Message Exchange During MAC Authentication Bypass Authentication Manager for Port Based Authentication Port Based Authentication Methods Table 123 802 1x Features Mode Authentication method Multiple Authent...

Page 1406: ...allback method16 15 Supported in Cisco IOS Release 12 2 50 SE and later 16 For clients that do not support 802 1x authentication Per User ACLs and Filter Ids You can only set any as the source in the ACL Note For any ACL configured for multiple host mode the source portion of statement must be any For example permit icmp any host 10 10 1 1 Note You must specify any in the source ports of any defin...

Page 1407: ...nerated by the authentication manager the filtered content typically relates to authentication success You can also filter verbose messages for 802 1x authentication and MAB authentication There is a separate command for each authentication method The no authentication logging verbose global configuration command filters verbose messages from the authentication manager The no dot1x logging verbose...

Page 1408: ...tion violation protect restrict shutdown Ports in Authorized and Unauthorized States During 802 1x authentication depending on the switch port state the switch can grant a client access to the network The port starts in the unauthorized state While in this state the port that is not configured as a voice VLAN port disallows all ingress and egress traffic except for 802 1x authentication CDP and ST...

Page 1409: ...number of attempts authentication fails and network access is not granted When a client logs off it sends an EAPOL logoff message causing the switch port to change to the unauthorized state If the link state of a port changes from up to down or if an EAPOL logoff frame is received the port returns to the unauthorized state Port Based Authentication and Switch Stacks If a switch is added to or remo...

Page 1410: ...on when port based authentication is configured Note The switch supports multidomain authentication MDA which allows both a data device and a voice device such as an IP Phone Cisco or non Cisco to connect to the same switch port 802 1x Multiple Authentication Mode Multiple authentication multiauth mode allows multiple authenticated clients on the data VLAN Each host is individually authenticated I...

Page 1411: ...ical auth VLAN is not changed for multi auth mode When a host tries to authenticate and the server is not reachable all authorized hosts are reinitialized in the configured VLAN Multi auth Per User VLAN assignment This feature is supported only on Catalyst 2960X switches running the LAN base image Note The Multi auth Per User VLAN assignment feature allows you to create multiple operational access...

Page 1412: ...igned to VLAN V0 The combination of Open mode and VLAN assignment has an adverse affect on host H2 because it has an IP address in the subnet that corresponds to VLAN V1 Note Limitation in Multi auth Per User VLAN assignment In the Multi auth Per User VLAN assignment feature egress traffic from multiple vlans are untagged on a port where the hosts receive traffic that is not meant for them This ca...

Page 1413: ... data hosts In open authentication mode a MAC address is immediately moved from the original port to the new port with no requirement for authorization on the new port Note MAC Replace The MAC replace feature can be configured to address the violation that occurs when a host attempts to connect to a port where another host was previously authenticated This feature does not apply to ports in multi ...

Page 1414: ...tets attributes of a RADIUS packet AV pairs are automatically sent by a switch that is configured for 802 1x accounting Three types of RADIUS accounting packets are sent by a switch START sent when a new user session starts INTERIM sent during an existing session for updates STOP sent when a session terminates You can view the AV pairs that are being sent by the switch by entering the debug radius...

Page 1415: ...tch ports and displays information about the devices connected to the ports that support 802 1x You can use this feature to determine if the devices connected to the switch ports are 802 1x capable You use an alternate authentication such as MAC authentication bypass or web authentication for the devices that do not support 802 1x functionality This feature only works if the supplicant on the clie...

Page 1416: ...ion from the RADIUS server is not valid authorization fails and configured VLAN remains in use This prevents ports from appearing unexpectedly in an inappropriate VLAN because of a configuration error Configuration errors could include specifying a VLAN for a routed port a malformed VLAN ID a nonexistent or internal routed port VLAN ID an RSPAN VLAN a shut down or suspended VLAN In the case of a m...

Page 1417: ...nt feature is not supported on trunk ports dynamic ports or with dynamic access port assignment through a VLAN Membership Policy Server VMPS To configure VLAN assignment you need to perform these tasks Enable AAA authorization by using the network keyword to allow interface configuration from the RADIUS server Enable 802 1x authentication The VLAN assignment feature is automatically enabled when y...

Page 1418: ...hey are created by using the extended naming convention However if you use the Filter Id attribute it can point to a standard ACL You can use the Filter Id attribute to specify an inbound or outbound ACL that is already configured on the switch The attribute contains the ACL number followed by in for ingress filtering or out for egress filtering If the RADIUS server does not allow the in or out sy...

Page 1419: ...n a port in closed authentication mode An auth default ACL is created The auth default ACL allows only DHCP traffic until policies are enforced When the first host authenticates the authorization policy is applied without IP address insertion When a second host is detected the policies for the first host are refreshed and policies for the first and subsequent sessions are enforced with IP address ...

Page 1420: ...ct Note Traffic that matches a permit ACE in the ACL is redirected Define the URL redirect ACL and the default port ACL on the switch If a redirect URL is configured for a client on the authentication server a default port ACL on the connected client switch port must also be configured Cisco Secure ACS and Attribute Value Pairs for Downloadable ACLs You can set the CiscoSecure Defined ACL Attribut...

Page 1421: ...e switch does not receive a response to its EAP request identity frame or when EAPOL packets are not sent by the client The switch maintains the EAPOL packet history If an EAPOL packet is detected on the interface during the lifetime of the link the switch determines that the device connected to that interface is an IEEE 802 1x capable supplicant and the interface does not change to the guest VLAN...

Page 1422: ...hentication process A restricted VLAN allows users without valid credentials in an authentication server typically visitors to an enterprise to access a limited set of services The administrator can control the services available to the restricted VLAN You can configure a VLAN to be both the guest VLAN and the restricted VLAN if you want to provide the same services to both types of users Note Wit...

Page 1423: ...ch grants network access to the host and puts the port in the critical authentication state which is a special case of the authentication state Inaccessible Authentication Bypass Support on Multiple Authentication Ports When a port is configured on any host mode and the AAA server is unavailable the port is then configured to multi host mode and moved to the critical VLAN To support this inaccessi...

Page 1424: ...s are unavailable the switch puts the critical port in the critical authentication state in the restricted VLAN 802 1x accounting Accounting is not affected if the RADIUS servers are unavailable Private VLAN You can configure inaccessible authentication bypass on a private VLAN host port The access VLAN must be a secondary private VLAN Voice VLAN Inaccessible authentication bypass is compatible wi...

Page 1425: ...ation through CDP Cisco devices or through LLDP or DHCP You can configure the voice VLAN for a port by entering the switchport voice vlan vlan id interface configuration command This feature is supported in multidomain and multi auth host modes Although you can enter the command when the switch in single host or multi host mode the command has no effect unless the device changes to multidomain or ...

Page 1426: ... the IP phone is allowed on the voice VLAN In multiple hosts mode additional clients can send traffic on the voice VLAN after a supplicant is authenticated on the PVID When multiple hosts mode is enabled the supplicant authentication affects both the PVID and the VVID A voice VLAN port becomes active when there is a link and the device MAC address appears after the first CDP message from the IP ph...

Page 1427: ...receive packets from the host When you configure a port as bidirectional by using the authentication control direction both interface configuration command the port is access controlled in both directions The port does not receive packets from or send packets to the host IEEE 802 1x Authentication with MAC Authentication Bypass You can configure the switch to authorize clients based on the client ...

Page 1428: ...02 1x authentication times out the switch uses the MAC authentication bypass feature to initiate re authorization For more information about these AV pairs see RFC 3580 IEEE 802 1X Remote Authentication Dial In User Service RADIUS Usage Guidelines MAC authentication bypass interacts with the features IEEE 802 1x authentication You can enable MAC authentication bypass only if 802 1x authentication ...

Page 1429: ...ost The IEEE 802 1X Flexible Authentication feature supports three authentication methods dot1X IEEE 802 1X authentication is a Layer 2 authentication method mab MAC Authentication Bypass is a Layer 2 authentication method webauth Web authentication is a Layer 3 authentication method Using this feature you can control which ports use which authentication methods and you can control the failover se...

Page 1430: ...d a voice domain For all host modes the line protocol stays up before authorization when port based authentication is configured Note MDA does not enforce the order of device authentication However for best results we recommend that a voice device is authenticated before a data device on an MDA enabled port When migrating from Cisco Discovery Protocol bypass to next generation authentication bypas...

Page 1431: ...fallback mechanisms such as guest VLAN and restricted VLAN remain configured after a port changes from single or multihost mode to multidomain mode Switching a port host mode from multidomain to single or multihost mode removes all authorized devices from the port If a data domain is authorized first and placed in the guest VLAN non IEEE 802 1x capable voice devices need to tag their packets on th...

Page 1432: ...ant controlled transientcommand on a supplicant switch when BPDU guard is enabled on the authenticator switch port with the spanning tree bpduguard enable interface configuration command If you globally enable BPDU guard on the authenticator switch by using the spanning tree portfast bpduguard default global configuration command entering the dot1x supplicant controlled transient command does not ...

Page 1433: ...nts where a PC is connected to the IP phone A security violation found on the data VLAN results in the shutdown of only the data VLAN The traffic on the voice VLAN flows through the switch without interruption Related Topics Configuring Voice Aware 802 1x Security on page 1358 Common Session ID Authentication manager uses a single session ID referred to as a common session ID for a client no matte...

Page 1434: ...configuration is required How to Configure 802 1x Port Based Authentication Default 802 1x Authentication Configuration Table 126 Default 802 1x Authentication Configuration Default Setting Feature Disabled Switch 802 1x enable state Disabled force authorized The port sends and receives normal traffic without 802 1x based authentication of the client Per port 802 1x enable state Disabled AAA None ...

Page 1435: ...erver You can change this timeout period by using the dot1x timeout server timeout interface configuration command Authentication server timeout period Disabled Inactivity timeout None specified Guest VLAN Disabled Inaccessible authentication bypass None specified Restricted VLAN None specified Authenticator switch mode Disabled MAC authentication bypass Disabled Voice aware security 802 1x Authen...

Page 1436: ... RSPAN source port Before globally enabling 802 1x authentication on a switch by entering the dot1x system auth control global configuration command remove the EtherChannel configuration from the interfaces on which 802 1x authentication and EtherChannel are configured Cisco IOS Release 12 2 55 SE and later supports filtering of system messages related to 802 1x authentication VLAN Assignment Gues...

Page 1437: ...hentication guidelines If you disable MAC authentication bypass from a port after the port has been authorized with its MAC address the port state is not affected If the port is in the unauthorized state and the client MAC address is not the authentication server database the port remains in the unauthorized state However if the client MAC address is added to the database the switch can use MAC au...

Page 1438: ...ponds with a notification packet it is 802 1x capable A syslog message is generated if the client responds within the timeout period If the client does not respond to the query the client is not 802 1x capable No syslog message is generated When you configure the dot1x test eapol capable command on an 802 1x enabled port and the link comes up the port queries the connected client about its 802 1x ...

Page 1439: ... are tested Note DOT1X_PORT_EAPOL_CAPABLE DOT1X MAC 00 01 02 4b f1 a3 on gigabitethernet1 0 13 is EAPOL capable Optional Configures the timeout used to wait for EAPOL response The range is from 1 to 65535 seconds The default is 10 seconds dot1x test timeout timeout Step 4 Returns to privileged EXEC mode end Example Switch config end Step 5 Verifies your entries show running config Example Switch s...

Page 1440: ...you do not include the shutdown vlan keywords the entire port is shut down when it enters the error disabled state Note If you use the errdisable recovery cause security violation global configuration command to configure error disabled recovery the port is automatically re enabled If error disabled recovery is not configured for the port you re enable it by using the shutdown and no shutdown inte...

Page 1441: ... Step 5 shutdown no shutdown Return to privileged EXEC mode end Step 6 Verify your entries show errdisable detect Step 7 This example shows how to configure the switch to shut down any VLAN on which a security violation error occurs Switch config errdisable detect cause security violation shutdown vlan This example shows how to re enable all VLANs that were error disabled on port Gigabit Ethernet ...

Page 1442: ... dot1x To create a default list that is used when a named list is not specified in the authentication command use the default keyword followed by the method that is to be used in default situations The default method list is automatically applied to all ports default group radius For method1 enter the group radius keywords to use the list of all RADIUS servers for authentication Though other keywo...

Page 1443: ...with the new host Returns to privileged EXEC mode end Example Switch config if end Step 7 Configuring 802 1x Authentication To allow per user ACLs or VLAN assignment you must enable AAA authorization to configure the switch for all network related service requests This is the 802 1x AAA process Before You Begin To configure 802 1x port based authentication you must enable authentication authorizat...

Page 1444: ...h Step 1 Authentication is performed Step 2 VLAN assignment is enabled as appropriate based on the RADIUS server configuration Step 3 The switch sends a start message to an accounting server Step 4 Re authentication is performed as necessary Step 5 The switch sends an interim accounting update to the accounting server that is based on the result of re authentication Step 6 The user disconnects fro...

Page 1445: ... 802 1x authentication method list aaa authentication dot1x default method1 Step 3 Example Switch config aaa authentication dot1x To create a default list that is used when a named list is not specified in the authentication command use the default keyword followed by the method that is to be used in default situations The default method list is automatically applied to all ports default group rad...

Page 1446: ... the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server radius server key string Example Switch config radius server key abc1234 Step 7 Specifies the port connected to the client that is to be enabled for IEEE 802 1x authentication and enter interface configuration mode interface interface id Example Switch config interface Step 8 gigabitet...

Page 1447: ... settings on the RADIUS server These settings include the IP address of the switch and the key string to be shared by both the server and the switch For more information see the RADIUS server documentation Follow these steps to configure the RADIUS server parameters on the switch This procedure is required Before You Begin You must enable authentication authorization and accounting AAA and specify...

Page 1448: ...ecause leading spaces are ignored but spaces within and at the end of the key are used If you use spaces in the key do not enclose the key in quotation marks unless the quotation marks are part of the key This key must match the encryption used on the RADIUS daemon Note If you want to use multiple RADIUS servers re enter this command Returns to privileged EXEC mode end Example Switch config end St...

Page 1449: ...uth Allow one client on the voice VLAN and multiple authenticated clients on the data VLAN The multi auth keyword is only available with the authentication host mode command Note host mode multi host multi host Allow multiple hosts on an 802 1x authorized port after a single host has been authenticated multi domain Allow both a host and a voice device such as an IP phone Cisco or non Cisco to be a...

Page 1450: ...nfigured and enter interface configuration mode interface interface id Example Switch config interface Step 2 gigabitethernet2 0 1 Enables periodic re authentication of the client which is disabled by default authentication periodic Example Switch config if authentication Step 3 The default value is 3600 seconds To change the value of the reauthentication timer or to have the switch use a RADIUS p...

Page 1451: ...ommand controls the idle period A failed authentication of the client might occur because the client provided an invalid password You can provide a faster response time to the user by entering a number smaller than the default Beginning in privileged EXEC mode follow these steps to change the quiet period This procedure is optional SUMMARY STEPS 1 configure terminal 2 interface interface id 3 auth...

Page 1452: ...tries in the configuration file copy running config startup config Example Switch copy running config startup config Step 6 Changing the Switch to Client Retransmission Time The client responds to the EAP request identity frame from the switch with an EAP response identity frame If the switch does not receive this response it waits a set period of time known as the retransmission time and then res...

Page 1453: ...to an EAP request identity frame from the client before resending the request authentication timer reauthenticate seconds Example Switch config if authentication timer Step 3 The range is 1 to 65535 seconds the default is 5 reauthenticate 60 Returns to privileged EXEC mode end Example Switch config if end Step 4 Verifies your entries show authentication sessions interface interface id Example Swit...

Page 1454: ... procedure is optional SUMMARY STEPS 1 configure terminal 2 interface interface id 3 dot1x max reauth req count 4 end DETAILED STEPS Purpose Command or Action Enters the global configuration mode configure terminal Example Switch configure terminal Step 1 Specifies the port to be configured and enter interface configuration mode interface interface id Example Switch config interface Step 2 gigabit...

Page 1455: ...rs Note Beginning in privileged EXEC mode follow these steps to set the re authentication number This procedure is optional SUMMARY STEPS 1 configure terminal 2 interface interface id 3 switchport mode access 4 dot1x max req count 5 end DETAILED STEPS Purpose Command or Action Enters the global configuration mode configure terminal Example Switch configure terminal Step 1 Specifies the port to be ...

Page 1456: ... MAC move allows an authenticated host to move from one port on the switch to another Beginning in privileged EXEC mode follow these steps to globally enable MAC move on the switch This procedure is optional SUMMARY STEPS 1 configure terminal 2 authentication mac move permit 3 end 4 show running config 5 copy running config startup config DETAILED STEPS Purpose Command or Action Enters global conf...

Page 1457: ...the configuration file copy running config startup config Example Switch copy running config startup config Step 5 Enabling MAC Replace MAC replace allows a host to replace an authenticated host on a port Beginning in privileged EXEC mode follow these steps to enable MAC replace on an interface This procedure is optional SUMMARY STEPS 1 configure terminal 2 interface interface id 3 authentication ...

Page 1458: ...The other keywords have these effects protect the port drops packets with unexpected MAC addresses without generating a system message replace restrict violating packets are dropped by the CPU and a system message is generated shutdown the port is error disabled when it receives an unexpected MAC address Returns to privileged EXEC mode end Example Switch config if end Step 4 Verifies your entries ...

Page 1459: ...DIUS server to perform accounting tasks such as logging start stop and interim update messages and time stamps To turn on these functions enable logging of Update Watchdog packets from this AAA client in your RADIUS server Network Configuration tab Next enable CVS RADIUS Accounting in your RADIUS server System Configuration tab Note Beginning in privileged EXEC mode follow these steps to configure...

Page 1460: ...d EXEc mode end Example Switch config if end Step 5 Verifies your entries show running config Example Switch show running config Step 6 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 7 Configuring a Guest VLAN When you configure a guest VLAN clients that are not 802 1x capable are put into the guest VL...

Page 1461: ...of the following Step 3 Sets the port to access mode Configures the Layer 2 port as a private VLAN host port switchport mode access switchport mode private vlan host Example Switch config if switchport mode private vlan host Specifies an active VLAN as an 802 1x guest VLAN The range is 1 to 4094 authentication event no response action authorize vlan vlan id Step 4 Example Switch config if authenti...

Page 1462: ...dure is optional SUMMARY STEPS 1 configure terminal 2 interface interface id 3 Use one of the following switchport mode access switchport mode private vlan host 4 authentication port control auto 5 authentication event fail action authorize vlan vlan id 6 end DETAILED STEPS Purpose Command or Action Enters the global configuration mode configure terminal Example Switch configure terminal Step 1 Sp...

Page 1463: ...ernal VLAN routed port an RSPAN VLAN or a voice VLAN as an 802 1x restricted VLAN action authorize vlan 2 Returns to privileged EXEC mode end Example Switch config if end Step 6 Configuring Number of Authentication Attempts on a Restricted VLAN You can configure the maximum number of authentication attempts allowed before a user is assigned to the restricted VLAN by using the authentication event ...

Page 1464: ... configured and enter interface configuration mode interface interface id Example Switch config interface gigabitethernet2 0 3 Step 2 Use one of the following Step 3 Sets the port to access mode Configures the Layer 2 port as a private VLAN host port switchport mode access switchport mode private vlan host Example or Switch config if switchport mode access Enables 802 1x authentication on the port...

Page 1465: ...itical Voice VLAN Beginning in privileged EXEC mode follow these steps to configure critical voice VLAN on a port and enable the inaccessible authentication bypass feature SUMMARY STEPS 1 configure terminal 2 aaa new model 3 radius server dead criteria time seconds tries number 4 radius serverdeadtimeminutes 5 radius server host ip address address acct port udp port auth port udp port testusername...

Page 1466: ...rver host ip address address acct port udp port auth port Step 5 udp port testusername name idle time time acct portudp port Specify the UDP port for the RADIUS accounting server The range for the UDP port number is from 0 to 65536 The default is 1646 ignore acct port ignore auth port key string Example Switch config radius server host auth portudp port Specify the UDP port for the RADIUS authenti...

Page 1467: ...ecify that the switch sends an EAPOL Success message when the switch successfully authenticates the critical port Example Switch config dot1x critical eapol recovery delaymilliseconds Set the recovery delay period during which the switch waits to re initialize a critical port when a RADIUS config dot1x critical recovery delay 2000 server that was unavailable becomes available The range is from 1 t...

Page 1468: ...no radius server deadtime and the no radius server host global configuration commands To disable inaccessible authentication bypass use the no authentication event server dead action interface configuration command To disable critical voice VLAN use the no authentication event server dead action authorize voice interface configuration command Example of Configuring Inaccessible Authentication Bypa...

Page 1469: ...o be configured and enter interface configuration mode interface interface id Example Switch config interface gigabitethernet2 0 3 Step 2 Enables 802 1x authentication with WoL on the port and use these keywords to configure the port as bidirectional or unidirectional authentication control direction both in Example Switch config if authentication Step 3 both Sets the port as bidirectional The por...

Page 1470: ...ig startup config Step 6 Configuring MAC Authentication Bypass Beginning in privileged EXEC mode follow these steps to enable MAC authentication bypass This procedure is optional SUMMARY STEPS 1 configure terminal 2 interface interface id 3 authentication port control auto 4 mab eap 5 end DETAILED STEPS Purpose Command or Action Enters the global configuration mode configure terminal Example Switc...

Page 1471: ...MAC Authentication Bypass Username and Password Use the optional mab request format command to format the MAB username and password in a style accepted by the authentication server The username and password are usually the MAC address of the client Some authentication server configurations require the password to be different from the username Beginning in privileged EXEC mode follow these steps t...

Page 1472: ...ercase Specifies if nonnumeric hex nibbles should be in lowercase or uppercase 2 Specifies a custom nondefault value for the User Password attribute in MAB generated Access Request packets mab request format attribute2 0 7 text Example Switch config mab request format Step 3 0 Specifies a cleartext password to follow 7 Specifies an encrypted password to follow attribute 2 7 A02f44E18B12 text Speci...

Page 1473: ...ears the VLAN group configuration or elements of the VLAN group configuration no vlan group vlan group name vlan list vlan list Example Switch config no vlan group eng dept vlan list Step 4 10 Example of Configuring VLAN Groups This example shows how to configure the VLAN groups to map the VLANs to the groups to and verify the VLAN group configurations and mapping to the specified VLANs Switch con...

Page 1474: ... end dept vlan list all Switch config show vlan group all For more information about these commands see the Cisco IOS Security Command Reference Configuring NAC Layer 2 802 1x Validation You can configure NAC Layer 2 802 1x validation which is also referred to as 802 1x authentication with a RADIUS server Beginning in privileged EXEC mode follow these steps to configure NAC Layer 2 802 1x validati...

Page 1475: ...ntication event You can configure any active VLAN except an internal VLAN routed port an RSPAN VLAN or a voice VLAN as an 802 1x guest VLAN no response action authorize vlan 8 Enables periodic re authentication of the client which is disabled by default authentication periodic Example Switch config if authentication periodic Step 5 Sets re authentication attempt for the client set to one hour auth...

Page 1476: ...ault local 5 aaa authentication rejected n in m ban x 6 end 7 show aaa local user blocked 8 clear aaa local user blocked username username DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Example Device enable Step 1 Enter your password if prompted Enters global configuration mode configure terminal Example Device configure terminal Step 2 Enables the authentication aut...

Page 1477: ...gin Exits global configuration mode and returns to privileged EXEC mode end Example Device config end Step 6 Displays the list of local users who were blocked show aaa local user blocked Example Device show aaa local user blocked Step 7 Clears the information about the blocked local user clear aaa local user blocked username username Example Device clear aaa local user blocked username user1 Step ...

Page 1478: ...fig interface interface id 10 copy running config startup config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Switch configure terminal Step 1 Enables CISP cisp enable Example Switch config cisp enable Step 2 Specifies the port to be configured and enter interface configuration mode interface interface id Example Switch config interface gigab...

Page 1479: ...ast trunk Step 7 Returns to privileged EXEC mode end Example Switch config if end Step 8 Verifies your configuration show running config interface interface id Example Switch show running config interface Step 9 gigabitethernet2 0 1 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 10 Configuring a Suppli...

Page 1480: ...orts Macros DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Switch configure terminal Step 1 Enables CISP cisp enable Example Switch config cisp enable Step 2 Creates 802 1x credentials profile This must be attached to the port that is configured as supplicant dot1x credentials profile Example Switch config dot1x credentials test Step 3 Creates ...

Page 1481: ... 7 Sets the port to trunk mode switchport trunk encapsulation dot1q Example Switch config if switchport trunk Step 8 encapsulation dot1q Configures the interface as a VLAN trunk port switchport mode trunk Example Switch config if switchport mode trunk Step 9 Configures the interface as a port access entity PAE supplicant dot1x pae supplicant Example Switch config if dot1x pae supplicant Step 10 At...

Page 1482: ...2 1x authentication on the switch you need to configure the ACS For more information see the Configuration Guide for Cisco Secure ACS 4 2 http www cisco com en US docs net_mgmt cisco_secure_access_control_server_for_windows 4 2 configuration guide acs_config pdf You must configure a downloadable ACL on the ACS before downloading it to the switch Note After authentication on the port you can use th...

Page 1483: ...mple Switch config ip device tracking Step 2 Enables AAA aaa new model Example Switch config aaa new model Step 3 Sets the authorization method to local To remove the authorization method use the no aaa authorization network default local group radius command aaa authorization network default local group radius Example Switch config aaa authorization network default Step 4 local group radius Confi...

Page 1484: ...itethernet2 0 4 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 9 Configuring a Downloadable Policy Beginning in privileged EXEC mode SUMMARY STEPS 1 configure terminal 2 access list access list number deny permit hostname any host log 3 interface interface id 4 ip access group acl id in 5 exit 6 aaa ne...

Page 1485: ...5 255 255 You do not need to enter a source wildcard value host The keyword host as an abbreviation for source and source wildcard of source 0 0 0 0 Optional Applies the source wildcard wildcard bits to the source Optional Enters log to cause an informational logging message about the packet that matches the entry to be sent to the console Enters interface configuration mode interface interface id...

Page 1486: ...count Sets the number of times that the switch sends the ARP probe The range is from 1 to 5 The default is 3 Example Switch config ip device tracking interval interval Sets the number of seconds that the switch waits for a response before resending the ARP probe The range is from 30 to 300 seconds The default is 30 seconds probe count use svi Uses the switch virtual interface SVI IP address as sou...

Page 1487: ...rtup config Step 3 Configuring Flexible Authentication Ordering The examples used in the instructions below changes the order of Flexible Authentication Ordering so that MAB is attempted before IEEE 802 1X authentication dot1x MAB is configured as the first authentication method so MAB will have priority over all other authentication methods Before changing the default order and priority of these ...

Page 1488: ...s mode only if you previously configured the RADIUS server switchport mode access Example Switch config if switchport mode access Step 3 Optional Sets the order of authentication methods used on a port authentication order dot1x mab webauth Example Switch config if authentication order mab dot1x Step 4 Optional Adds an authentication method to the port priority list authentication priority dot1x m...

Page 1489: ...entication periodic 10 authentication port control auto force authorized force un authorized 11 end DETAILED STEPS Purpose Command or Action Enters the global configuration mode configure terminal Example Switch configure terminal Step 1 Specifies the port to be configured and enter interface configuration mode interface interface id Example Switch config interface gigabitethernet 1 0 1 Step 2 Set...

Page 1490: ...st mode Step 6 multi auth Optional Enables or disable open access on a port authentication open Example Switch config if authentication open Step 7 Optional Sets the order of authentication methods used on a port authentication order dot1x mab webauth Example Switch config if authentication order dot1x Step 8 webauth Optional Enables or disable reauthentication on a port authentication periodic Ex...

Page 1491: ...port This procedure is optional SUMMARY STEPS 1 configure terminal 2 interface interface id 3 switchport mode access 4 no dot1x pae authenticator 5 end DETAILED STEPS Purpose Command or Action Enters the global configuration mode configure terminal Example Switch configure terminal Step 1 Specifies the port to be configured and enter interface configuration mode interface interface id Example Swit...

Page 1492: ...etting the 802 1x Authentication Configuration to the Default Values Beginning in privileged EXEC mode follow these steps to reset the 802 1x authentication configuration to the default values This procedure is optional SUMMARY STEPS 1 configure terminal 2 interface interface id 3 dot1x default 4 end DETAILED STEPS Purpose Command or Action Enters the global configuration mode configure terminal E...

Page 1493: ...plays 802 1x statistics for a specific port show dot1x interface interface id statistics Displays the 802 1x administrative and operational status for a switch show dot1x all count details statistics summary Displays the 802 1x administrative and operational status for a specific port show dot1x interface interface id Table 128 Global Configuration Commands Purpose Command Filters verbose 802 1x a...

Page 1494: ... docs ios xml ios security config_library xe 3se 3850 secuser xe 3se 3850 library html Configuring RADIUS TACACS Secure Shell 802 1X and AAA Error Message Decoder Link Description https www cisco com cgi bin Support Errordecoder index cgi To help you research and resolve system error messages in this release use the Error Message Decoder tool MIBs MIBs Link MIB To locate and download MIBs for sele...

Page 1495: ...isco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password Feature Information for 802 1x Port Based Authentication Feature Information Release This feature was introduced Cisco IOS 15 0 2 EX Supports the use of same authorization methods on all the Catalyst switches in a network Supports fi...

Page 1496: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1414 Feature Information for 802 1x Port Based Authentication ...

Page 1497: ...atest caveats and feature information see Bug Search Tool and the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco softwa...

Page 1498: ...lients and SSIDs This ensures that all the clients have the same web authentication method If the requirement is to use Consent for one SSID and Web authentication for another SSID then you should use two named parameter maps You should configure Consent in first parameter map and configure webauth in second parameter map Note Device Roles With web based authentication the devices in the network h...

Page 1499: ...tes a DHCP binding entry for the host Session Creation When web based authentication detects a new host it creates a session as follows Reviews the exception list If the host IP is included in the exception list the policy from the exception list entry is applied and the session is established Reviews for authorization bypass If the host IP is not on the exception list web based authentication sen...

Page 1500: ...ature applies the downloaded timeout or the locally configured session timeout If the terminate action is RADIUS the feature sends a nonresponsive host NRH request to the server The terminate action is included in the response from the server If the terminate action is default the session is dismantled and the applied policy is removed Using Authentication Proxy The authentication proxy feature re...

Page 1501: ...ddress or global access policies Authenticating and authorizing users from any host IP address also allows network administrators to configure host IP addresses using DHCP You want to authenticate and authorize local users before permitting access to intranet or Internet services You want to authenticate and authorize remote users before permitting access to local services You want to control acce...

Page 1502: ...ecify a host or group of hosts whose initial HTTP traffic triggers the proxy The figure below shows the authentication proxy applied at the LAN interface with all network users required to be authenticated upon the initial connection all traffic is blocked at each interface Figure 97 Applying the Authentication Proxy at the Local Interface The figure below shows the authentication proxy applied at...

Page 1503: ...ch host name Authentication appear on the Login Page Cisco Systems appears on the authentication result pop up page Figure 99 Authentication Successful Banner The banner can be customized as follows Add a message such as switch router or company name to the banner Legacy mode Use the ip admission auth proxy banner http banner textglobal configuration command New style mode Use the parameter map ty...

Page 1504: ... map type webauth global banner global configuration command Figure 100 Customized Web Banner Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1422 Information About Web Based Authentication ...

Page 1505: ...ing the web based authentication process the switch internal HTTP server hosts four HTML pages to deliver to an authenticating client The server uses these pages to notify you of these four authentication process states Login Your credentials are requested Success The login was successful Fail The login failed Expire The login session has expired because of excessive login failures Guidelines You ...

Page 1506: ...en the command configuring web pages is entered the CLI command redirecting users to a specific URL does not take effect Configured web pages can be copied to the switch boot flash or flash On stackable switches configured pages can be accessed from the flash on the stack master or members The login page can be on one flash and the success and failure pages can be another flash for example the fla...

Page 1507: ...e an intercept ACL within the admission rule Any external link from a custom page requires configuration of an intercept ACL within the admission rule To access a valid DNS server any name resolution required for external links or images requires configuration of an intercept ACL within the admission rule If the custom web pages feature is enabled a configured auth proxy banner is not used If the ...

Page 1508: ...se Guest users of an enterprise network can connect to the guest access network through either a wired Ethernet connection or a wireless connection Guest access uses a captive portal to gather all web requests made by guests and redirect these requests to one of the guest on boarding web pages When guests successfully complete the guest workflow they are redirected to the page that they had origin...

Page 1509: ...dress is sent to the Cisco ISE 2 The Cisco ISE returns a RADIUS access accept message even if the MAC address is not received along with the redirect access control list ACL the ACL WEBAUTH REDIRECT message and the guest web portal URL to the device The RADIUS message instructs the device to open a port that is restricted based on the configured port and the redirect ACLs for regular network traff...

Page 1510: ...th its neighbor to become a trunk port If you try to enable 802 1x authentication on a dynamic port an error message appears and 802 1x authentication is not enabled If you try to change the mode of an 802 1x enabled port to dynamic an error message appears and the port mode is not changed Dynamic access ports If you try to enable 802 1x authentication on a dynamic access VLAN Query Protocol VQP p...

Page 1511: ...or ingress traffic from hosts connected to the port After authentication the web based authentication host policy overrides the PACL The Policy ACL is applied to the session even if there is no ACL configured on the port You cannot configure a MAC ACL and web based authentication on the same interface You cannot configure web based authentication on a port whose access VLAN is configured for VACL ...

Page 1512: ...onfigure a port ACL for a Layer 2 interface or a Cisco IOS ACL for a Layer 3 interface You cannot authenticate hosts on Layer 2 interfaces with static ARP cache assignment These hosts are not detected by the web based authentication feature because they do not send ARP messages By default the IP device tracking feature is disabled on a switch You must enable the IP device tracking feature to use w...

Page 1513: ... configured When you configure the RADIUS server parameters Specify the key string on a separate command line For key string specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server The key is a text string that must match the encryption key used on the RADIUS server When you specify the key string use spaces within and at the end of ...

Page 1514: ... group name 6 ip admission name 7 exit 8 ip device tracking 9 end 10 show ip admission status 11 copy running config startup config DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Example Switch enable Step 1 Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Configures an authentication rule...

Page 1515: ...ame Example Switch config if ip admission webauth1 Step 6 Returns to configuration mode exit Example Switch config if exit Step 7 Enables the IP device tracking table ip device tracking Example Switch config ip device tracking Step 8 Returns to privileged EXEC mode end Example Switch config end Step 9 Displays the configuration show ip admission status Example Switch show ip admission status Step ...

Page 1516: ... Command or Action Enables privileged EXEC mode Enter your password if prompted enable Example Switch enable Step 1 Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Enables AAA functionality aaa new model Example Switch config aaa new model Step 3 Defines the list of authentication methods at login aaa authentication login default group tacacs radius...

Page 1517: ...S server tacacs server key key data Example Switch config tacacs server key Step 7 Returns to privileged EXEC mode end Example Switch config end Step 8 Verifies your entries show running config Example Switch show running config Step 9 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 10 Configuring Switc...

Page 1518: ...ecifies the host name or IP address of the remote RADIUS server radius server host hostname ip address test username username Step 4 The test username username option enables automated testing of the RADIUS server connection The specified username does not need to be a valid user name Example Switch config radius server host The key option specifies an authentication and encryption key to use betw...

Page 1519: ...n the Switch You can enable the server for either HTTP or HTTPS The Apple psuedo browser will not open if you configure only the ip http secure server command You should also configure the ip http server command Note Follow these steps to enable the server for either HTTP or HTTPS SUMMARY STEPS 1 enable 2 configure terminal 3 ip http server 4 ip http secure server 5 end DETAILED STEPS Purpose Comm...

Page 1520: ...turns to privileged EXEC mode end Example Switch config end Step 5 Customizing the Authentication Proxy Web Pages You can configure web authentication to display four substitute HTML pages to the user in place of the Switch default HTML pages during web based authentication For the equivalent Session Aware Networking configuration example for this feature see the section Configuring a Parameter Ma...

Page 1521: ...in place of the default login page The device is flash memory ip admission proxy http login page file device login filename Example Switch config ip admission proxy http login page Step 3 file disk1 login htm Specifies the location of the custom HTML file to use in place of the default login success page ip admission proxy http success page file device success filename Example Switch config ip adm...

Page 1522: ...w these steps to specify a URL to which the user is redirected after authentication effectively replacing the internal Success HTML page SUMMARY STEPS 1 enable 2 configure terminal 3 ip admission proxy http success redirect url string 4 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Example Switch enable Step 1 Enters the global con...

Page 1523: ...mber of failed login attempts before the client is placed in a watch list for a waiting period SUMMARY STEPS 1 enable 2 configure terminal 3 ip admission max login attempts number 4 end 5 show running config 6 copy running config startup config DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Example Switch enable Step 1 Enters the global...

Page 1524: ...uthentication Local Banner For the equivalent Session Aware Networking configuration example for this feature see the section Configuring a Parameter Map for Web Based Authentication in the chapter Configuring Identity Control Policies of the book Session Aware Networking Configuration Guide Cisco IOS XE Release 3SE Catalyst 3850 Switches Beginning in privileged EXEC mode follow these steps to con...

Page 1525: ...ch config copy running config startup config Step 4 Configuring Web Based Authentication without SVI You configure the web based authentication without SVI feature to redirect the HTML login page to the client without creating an IP address in the routing table These steps are optional You configure the web based authentication without SVI feature to redirect the HTML login page to the client This...

Page 1526: ...bal keyword differ from the commands supported for a named parameter map defined with the parameter map name argument Enables the web based authentication without SVI feature l2 webauth enabled Example Switch config params parameter map l2 webauth enabled Step 4 Returns to privileged EXEC mode end Example Switch config end Step 5 Verifies your entries show running config Example Switch show runnin...

Page 1527: ...gure terminal Step 2 Creates a parameter map and enters parameter map webauth configuration mode The specific configuration commands parameter map type webauth global Example Switch config parameter map type webauth global Step 3 supported for a global parameter map defined with the global keyword differ from the commands supported for a named parameter map defined with the parameter map name argu...

Page 1528: ...bles privileged EXEC mode Enter your password if prompted enable Example Switch enable Step 1 Delete authentication proxy entries Use an asterisk to delete all cache entries Enter a specific IP address to delete the entry for a single host clear ip auth proxy cache host ip address Example Switch clear ip auth proxy cache Step 2 192 168 4 5 Delete authentication proxy entries Use an asterisk to del...

Page 1529: ... this task to display the web based authentication settings for all interfaces or for specific ports SUMMARY STEPS 1 show authentication sessions interfacetype slot DETAILED STEPS Purpose Command or Action Displays the web based authentication settings type fastethernet gigabitethernet or tengigabitethernet show authentication sessions interfacetype slot Example Step 1 This example shows how to vi...

Page 1530: ...tion on the device debug ip auth proxy detailed Example Device debug ip auth proxy detailed Step 2 Verifying HTTPS Authentication Proxy To verify your HTTPS authentication proxy configuration perform the following optional steps SUMMARY STEPS 1 enable 2 show ip auth proxy configuration 3 show ip auth proxy cache 4 show ip http server secure status DETAILED STEPS Purpose Command or Action Enables p...

Page 1531: ...eb Based Authentication Example Configuring the Authentication Rule and Interfaces This example shows how to enable web based authentication on Fast Ethernet port 5 1 Switch config ip admission name webauth1 proxy http Switch config interface fastethernet 5 1 Switch config if ip admission webauth1 Switch config if exit Switch config ip device tracking This example shows how to verify the configura...

Page 1532: ...shows how to configure custom authentication proxy web pages Switch config ip admission proxy http login page file flash login htm Switch config ip admission proxy http success page file flash success htm Switch config ip admission proxy http fail page file flash fail htm Switch config ip admission proxy http login expired page flash flash expired htm This example shows how to verify the configura...

Page 1533: ...n connections 0 Hi watermark 0 TCP new connections 0 Hi watermark 0 TCP half open new 0 Hi watermark 0 HTTPD1 Contexts 0 Hi watermark 0 Parameter Map Global Custom Pages Custom pages not configured Banner Banner not configured Additional References for Web Based Authentication Related Documents Document Title Related Topic Cisco IOS Master Command List All Releases Cisco IOS commands Cisco IOS Ide...

Page 1534: ...cribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password Feature Information for Web Based Authentication Feature Information Release This feature is introduced Cisco IOS 15 0 2 EX Consolidated Platfo...

Page 1535: ...eases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Information About Auto Identity Auto Identity Overview The Cisco Identity Based Networkin...

Page 1536: ...ed If you delete an edited built in template the built in template reverts to the default and is not deleted from the configuration However if you delete a user defined template it is deleted from the configuration Before you delete a template ensure that it is not attached to a device Note Auto Identity Global Template To enable the global template configure the source template template name comm...

Page 1537: ...e AI_CLOSED_MODE switchport mode access access session closed access session port control auto access session host mode multi auth dot1x pae authenticator mab service policy type control subscriber AI_DOT1X_MAB_POLICIES Auto Identity Built in Policies The following five built in policies are available in the Auto Identity feature AI_DOT1X_MAB_AUTH Enables flexible authentication with dot1x and the...

Page 1538: ...ccounting AAA server is down and the client is in authorized state AI_AAA_SVR_DOWN_UNAUTHD_HOST Specifies that the AAA server is down and the client is in authorized state AI_IN_CRITICAL_AUTH Specifies that the critical authentication service template is applied AI_NOT_IN_CRITICAL_AUTH Specifies that the critical authentication service template is not applied AI_METHOD_DOT1X_DEVICE_PHONE Specifies...

Page 1539: ...Configures an auto identity template sourcetemplate AI_GLOBAL_CONFIG_TEMPLATE template name Step 3 AI_GLOBAL_CONFIG_TEMPLATE is a built in template Example Switch config source template AI_GLOBAL_CONFIG_TEMPLATE template name is a user defined template Enables the authentication authorization and accounting AAA access control mode aaa new model Example Switch config aaa new model Step 4 Specifies ...

Page 1540: ...Switch config radius server end Step 8 Configuring Auto Identity at an Interface Level When you configure two interface templates you must configure the merge keyword If you do not the last configured template is used SUMMARY STEPS 1 enable 2 configure terminal 3 interface type number 4 source template AI_CLOSED_MODE AI_LOW_IMPACT_MODE AI_MONITOR_MODE template name merge 5 source template AI_CLOSE...

Page 1541: ... if source template AI_MONITOR_MODE merge Step 5 When you configure two templates if you do not configure the merge keyword the last configured template is used Sets the VLAN when the interface is in access mode switchport access vlan vlan id Example Switch config if switchport access vlan 100 Step 6 Configures a voice VLAN on a multiple VLAN access port switchport voice vlan vlan id Example Switc...

Page 1542: ...e Enables Privileged EXEC mode Enter your password if prompted Step 2 show template interface source built in all Displays all the configured built in interface templates Example Switch show template interface source built in all Template Name AI_CLOSED_MODE Modified No Template Definition dot1x pae authenticator switchport mode access mab access session closed access session port control auto ser...

Page 1543: ...ays the composite results of all the configuration commands that apply to an interface including commands that come from sources such as static templates dynamic templates dialer interfaces and authentication authorization and accounting AAA per user attributes Example Switch show derived config inc aaa radius server aaa new model aaa authentication dot1x default group radius aaa authorization net...

Page 1544: ...in VOICE Oper host mode multi auth Oper control dir both Session timeout N A Common Session ID 091A1C5B00000017002003EE Acct Session ID 0x00000005 Handle 0xBB00000B Current Policy AI_DOT1X_MAB_POLICIES Local Policies Server Policies Vlan Group Vlan 100 Security Policy Must Not Secure Security Status Link Unsecure Method status list Method State dot1x Authc Success Step 7 show running config interf...

Page 1545: ...equent releases of that software release train also support that feature Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to www cisco com go cfn An account on Cisco com is not required Table 132 Feature Information for Auto Identity Feature Information Releases Feature Name The Auto Identity feature provid...

Page 1546: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1464 Auto Identity ...

Page 1547: ...es page 1476 Feature Information page 1476 Finding Feature Information page 1477 Information About Port Blocking page 1477 How to Configure Port Blocking page 1477 Monitoring Port Blocking page 1479 Where to Go Next page 1479 Additional References page 1480 Feature Information page 1481 Prerequisites for Port Security page 1481 Restrictions for Port Security page 1481 Information About Port Securi...

Page 1548: ...feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Information About Storm Control Storm Control Storm control prevents traffic on a LAN from being disrupted by...

Page 1549: ... higher the level the less effective the protection against broadcast storms When the storm control threshold for multicast traffic is reached all multicast traffic except control traffic such as bridge protocol data unit BDPU and Cisco Discovery Protocol CDP frames are blocked However the switch does not differentiate between routing updates such as OSPF and regular multicast data traffic so both...

Page 1550: ...approximations Depending on the sizes of the packets making up the incoming traffic the actual enforced threshold might differ from the configured level by several percentage points Storm control is supported on physical interfaces You can also configure storm control on an EtherChannel When storm control is configured on an EtherChannel the storm control settings propagate to the EtherChannel phy...

Page 1551: ...of the bandwidth This value must be less than or equal to the rising suppression value The port forwards traffic when traffic drops below this level If you do not configure a falling suppression level it is set to the rising suppression level The range is 0 00 to 100 00 If you set the threshold to the maximum value 100 percent no limit is placed on the traffic If you set the threshold to 0 0 all b...

Page 1552: ...if end Step 6 Verifies the storm control suppression levels set on the interface for the specified traffic type If you do not enter a traffic type broadcast storm control settings are displayed show storm control interface id broadcast multicast unicast Example Switch show storm control gigabitethernet1 0 1 unicast Step 7 Optional Saves your entries in the configuration file copy running config st...

Page 1553: ...ure terminal Step 2 Enables the small frame rate arrival feature on the switch errdisable detect cause small frame Example Switch config errdisable detect cause Step 3 small frame Optional Specifies the time to recover from the specified error disabled state errdisable recovery interval interval Example Switch config errdisable recovery interval Step 4 60 Optional Configures the recovery time for ...

Page 1554: ... error disable the port The range is 1 to 10 000 packets per second pps small frame violation rate pps Example Switch config if small frame violation rate Step 7 10000 Returns to privileged EXEC mode end Example Switch config end Step 8 Verifies the configuration show interfaces interface id Example Switch show interfaces gigabitethernet1 0 2 Step 9 Verifies your entries show running config Exampl...

Page 1555: ...rotected ports have these features A protected port does not forward any traffic unicast multicast or broadcast to any other port that is also a protected port Data traffic cannot be forwarded between protected ports at Layer 2 only control traffic such as PIM packets is forwarded because these packets are processed by the CPU and forwarded in software All data traffic passing between protected po...

Page 1556: ...ivileged EXEC mode Enter your password if prompted enable Example Switch enable Step 1 Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Specifies the interface to be configured and enter interface configuration mode interface interface id Example Switch config interface gigabitethernet1 0 1 Step 3 Configures the interface to be a protected port switc...

Page 1557: ...figuration file copy running config startup config Example Switch copy running config startup config Step 8 Monitoring Protected Ports Table 133 Commands for Displaying Protected Port Settings Purpose Command Displays the administrative and operational status of all switching nonrouting ports or the specified port including port blocking and port protection settings show interfaces interface id sw...

Page 1558: ...pport website provides extensive online resources including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndica...

Page 1559: ...known destination MAC addresses out of all ports If unknown unicast and multicast traffic is forwarded to a protected port there could be security issues To prevent unknown unicast or multicast traffic from being forwarded from one port to another you can block a port protected or nonprotected from flooding unknown unicast or multicast packets to other ports With multicast traffic the port blockin...

Page 1560: ...es the interface to be configured and enter interface configuration mode interface interface id Example Switch config interface gigabitethernet1 0 1 Step 3 Blocks unknown multicast forwarding out of the port switchport block multicast Step 4 Example Switch config if switchport block multicast Pure Layer 2 multicast traffic as well as multicast packets that contain IPv6 information in the header ar...

Page 1561: ...onfiguration file copy running config startup config Example Switch copy running config startup config Step 9 Monitoring Port Blocking Table 134 Commands for Displaying Port Blocking Settings Purpose Command Displays the administrative and operational status of all switching nonrouting ports or the specified port including port blocking and port protection settings show interfaces interface id swi...

Page 1562: ... error messages in this release use the Error Message Decoder tool Standards and RFCs Title Standard RFC MIBs MIBs Link MIB To locate and download MIBs for selected platforms Cisco IOS releases and feature sets use Cisco MIB Locator found at the following URL http www cisco com go mibs Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1480 Additional Ref...

Page 1563: ...nformation Release This feature was introduced Cisco IOS 15 0 2 EX Prerequisites for Port Security If you try to set the maximum value to a number less than the number of secure addresses already configured on an interface the command is rejected Note Restrictions for Port Security The maximum number of secure MAC addresses that you can configure on a switch or switch stack is set by the maximum n...

Page 1564: ...nning configuration Dynamic secure MAC addresses These are dynamically configured stored only in the address table and removed when the switch restarts Sticky secure MAC addresses These can be dynamically learned or manually configured stored in the address table and added to the running configuration If these addresses are saved in the configuration file when the switch restarts the interface doe...

Page 1565: ...emove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses In this mode you are notified that a security violation has occurred An SNMP trap is sent a syslog message is logged and the violation counter increments shutdown a port security violation causes the interface to become error disabled and to shut down immediately ...

Page 1566: ...rt are deleted only if the secure addresses are inactive for the specified aging time Related Topics Enabling and Configuring Port Security Aging on page 1491 Port Security and Switch Stacks When a switch joins a stack the new switch will get the configured secure addresses All dynamic secure addresses are downloaded by the new stack member from the other stack members When a switch either the act...

Page 1567: ...gh secure addresses to allow one for each PC and one for the phone When a trunk port configured with port security and assigned to an access VLAN for data traffic and to a voice VLAN for voice traffic entering the switchport voice and switchport priority extend interface configuration commands has no effect When a connected device uses the same MAC address to request an IP address for the access V...

Page 1568: ...s vlan dynamic interface configuration command 24 You must set the maximum allowed secure addresses on the port to two plus the maximum number of secure addresses allowed on the access VLAN Overview of Port Based Traffic Control Port based traffic control is a set of Layer 2 features on the Cisco Catalyst switches used to filter or block packets at the port level in response to specific traffic co...

Page 1569: ...hutdown shutdown vlan 10 switchport port security mac address mac address vlan vlan id access voice 11 switchport port security mac address sticky 12 switchport port security mac address sticky mac address vlan vlan id access voice 13 switchport port security mac address forbidden mac address 14 end 15 show port security 16 show running config 17 copy running config startup config DETAILED STEPS P...

Page 1570: ...tchport Step 7 port security Optional Sets the maximum number of secure MAC addresses for the interface The maximum number of secure MAC addresses that you can configure on a switchport port security maximum value vlan vlan list access voice Step 8 switch or switch stack is set by the maximum number of available MAC Example Switch config if switchport addresses allowed in the system This number is...

Page 1571: ...er of secure MAC addresses or increase the number of maximum allowable addresses An SNMP trap is sent a syslog message is logged and the violation counter increments shutdown The interface is error disabled when a violation occurs and the port LED turns off An SNMP trap is sent a syslog message is logged and the violation counter increments shutdown vlan Use to set the security violation mode per ...

Page 1572: ...Step 12 the maximum the remaining MAC addresses are dynamically learned are converted to sticky secure MAC addresses and are added to the running configuration Example Switch config if switchport If you do not enable sticky learning before this command is entered an error message appears and you cannot enter a sticky secure MAC address Note Optional vlan sets a per VLAN maximum value port security...

Page 1573: ...copy running config Step 17 startup config Related Topics Port Security on page 1482 Configuration Examples for Port Security on page 1508 Enabling and Configuring Port Security Aging Use this feature to remove and add devices on a secure port without manually deleting the existing secure MAC addresses and to still limit the number of secure addresses on a port You can enable or disable the aging ...

Page 1574: ...thernet1 0 1 Enables or disable static aging for the secure port or set the aging time or type switchport port security aging static time time type absolute inactivity Step 4 Example Switch config if switchport The switch does not support port security aging of sticky secure addresses Note Enter static to enable aging for statically configured secure addresses on this port port security aging time...

Page 1575: ...tartup config Step 8 Related Topics Port Security Aging on page 1484 Finding Feature Information Your software release may not support all the features documented in this module For the latest caveats and feature information see Bug Search Tool and the release notes for your platform and software release To find information about the features documented in this module and to see a list of the rele...

Page 1576: ...at which broadcast multicast or unicast packets are received Traffic rate in bits per second at which broadcast multicast or unicast packets are received Traffic rate in packets per second and for small frames This feature is enabled globally The threshold for small frames is configured for each interface With each method the port blocks traffic when the rising threshold is reached The port remain...

Page 1577: ...is placed on the traffic A value of 0 0 means that all broadcast multicast or unicast traffic on that port is blocked Because packets do not arrive at uniform intervals the 1 second time interval during which traffic activity is measured can affect the behavior of storm control Note You use the storm control interface configuration commands to set the threshold value for each traffic type How to C...

Page 1578: ... 3 interface interface id 4 storm control broadcast multicast unicast level level level low bps bps bps low pps pps pps low 5 storm control action shutdown trap 6 end 7 show storm control interface id broadcast multicast unicast 8 copy running config startup config DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Step 1 Example Switch ena...

Page 1579: ...imal place The port blocks traffic when the rising threshold is reached The range is 0 0 to 10000000000 0 Optional For bps low specifies the falling threshold level in bits per second up to one decimal place It can be less than or equal to the rising threshold level The port forwards traffic when traffic drops below this level The range is 0 0 to 10000000000 0 For pps pps specifies the rising thre...

Page 1580: ...e considered small frames They are forwarded by the switch but they do not cause the switch storm control counters to increment You globally enable the small frame arrival feature on the switch and then configure the small frame threshold for packets on each interface Packets smaller than the minimum size and arriving at a specified rate the threshold are dropped since the port is error disabled S...

Page 1581: ...he arrival of small frames errdisable recovery cause small frame Example Switch config errdisable recovery cause Step 5 Storm control is supported on physical interfaces You can also configure storm control on an EtherChannel When storm small frame control is configured on an EtherChannel the storm control settings propagate to the EtherChannel physical interfaces Enters interface configuration mo...

Page 1582: ...s documented in this module and to see a list of the releases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Information About Protected Ports...

Page 1583: ...ifferent switches in the stack Default Protected Port Configuration The default is to have no protected ports defined Protected Ports Guidelines You can configure protected ports on a physical interface for example Gigabit Ethernet port 1 or an EtherChannel group for example port channel 5 When you enable protected ports for a port channel it is enabled for all ports in the port channel group How ...

Page 1584: ...ace gigabitethernet1 0 1 Step 3 Configures the interface to be a protected port switchport protected Example Switch config if switchport protected Step 4 Returns to privileged EXEC mode end Example Switch config end Step 5 Verifies your entries show interfaces interface id switchport Example Switch show interfaces gigabitethernet1 0 1 Step 6 switchport Verifies your entries show running config Exa...

Page 1585: ...s show interfaces interface id switchport Where to Go Next Additional References Error Message Decoder Link Description https www cisco com cgi bin Support Errordecoder index cgi To help you research and resolve system error messages in this release use the Error Message Decoder tool MIBs MIBs Link MIB To locate and download MIBs for selected platforms Cisco IOS releases and feature sets use Cisco...

Page 1586: ... Tool and the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator g...

Page 1587: ...n the port channel group SUMMARY STEPS 1 enable 2 configure terminal 3 interface interface id 4 switchport block multicast 5 switchport block unicast 6 end 7 show interfaces interface id switchport 8 show running config 9 copy running config startup config DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Example Switch enable Step 1 Enter...

Page 1588: ...t forwarding out of the port switchport block unicast Example Switch config if switchport block unicast Step 5 Returns to privileged EXEC mode end Example Switch config end Step 6 Verifies your entries show interfaces interface id switchport Example Switch show interfaces gigabitethernet1 0 1 Step 7 switchport Verifies your entries show running config Example Switch show running config Step 8 Opti...

Page 1589: ...e Related Topic Error Message Decoder Link Description https www cisco com cgi bin Support Errordecoder index cgi To help you research and resolve system error messages in this release use the Error Message Decoder tool Standards and RFCs Title Standard RFC MIBs MIBs Link MIB To locate and download MIBs for selected platforms Cisco IOS releases and feature sets use Cisco MIB Locator found at the f...

Page 1590: ...MAC addresses are configured and sticky learning is enabled Switch config interface gigabitethernet1 0 1 Switch config if switchport mode access Switch config if switchport port security Switch config if switchport port security maximum 50 Switch config if switchport port security mac address sticky This example shows how to configure a static secure MAC address on VLAN 3 on a port Switch config i...

Page 1591: ...config if switchport port security maximum 10 vlan access Switch config if switchport port security maximum 10 vlan voice Related Topics Port Security on page 1482 Enabling and Configuring Port Security on page 1487 Additional References Error Message Decoder Link Description https www cisco com cgi bin Support Errordecoder index cgi To help you research and resolve system error messages in this r...

Page 1592: ...on table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Information About Protocol Storm Protection Protocol Storm Protection When a switch is flooded with Address Resolution Protocol ARP or control packets high...

Page 1593: ...ote Default Protocol Storm Protection Configuration Protocol storm protection is disabled by default When it is enabled auto recovery of the virtual port is disabled by default How to Configure Protocol Storm Protection Enabling Protocol Storm Protection SUMMARY STEPS 1 enable 2 configure terminal 3 psp arp dhcp igmp pps value 4 errdisable detect cause psp 5 errdisable recovery interval time 6 end...

Page 1594: ...ep 4 If this feature is disabled the port drops excess packets without error disabling the port psp Optional Configures an auto recovery time in seconds for error disabled virtual ports When a virtual port is error disabled the errdisable recovery interval time Example Switch Step 5 switch auto recovers after this time The range is from 30 to 86400 seconds Returns to privileged EXEC mode end Examp...

Page 1595: ...cription http www cisco com support The Cisco Support website provides extensive online resources including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technic...

Page 1596: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1514 Additional References ...

Page 1597: ...Policy document describes the FIPS implementation hardware installation firmware initialization and software configuration procedures for FIPS operation Common Criteria is an international standard ISO IEC 15408 for computer security certification This standard is a set of requirements tests and evaluation methods that ensures that the Target of Evaluation complies with a specific Protection Profi...

Page 1598: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1516 Information About FIPS and Common Criteria ...

Page 1599: ... restrictions apply while Configuring Control Plane Policing Only six among the following protocols can be configured simultaneously rip ospf v6 eigrp v6 rip v6 dhcp snoop client to server dhcp snoop server to client ndp router solicitation ndp router advertisement ndp redirect dhcpv6 client to server dhcpv6 server to client igrp For ospf eigrp and ripv2 protocols control packets which are destine...

Page 1600: ...igure terminal 3 mls qos copp protocol autorp announce autorp discovery bgp cdp cgmp dai dhcp snoop client to server dhcp snoop server to client dhcpv6 client to server dhcpv6 server to client eigrp eigrp v6 energy wise igmp gs query igmp leave igmp query igmp report igrp ipv6 pimv2 lldp mld gs query mld leave mld query mld report ndp redirect ndp router advertisement ndp router solicitation ospf ...

Page 1601: ...p rip rip v6 rsvp snoop stp police pps bps police rate Example Switch config mls qos copp protocol cdp police bps 10000 Switch config mls qos copp protocol cdp police pps 500 Returns to privileged EXEC mode end Example Switch config end Step 4 Displays the CoPP parameters and counters for all the configured protocol show mls qos copp protocols Example Switch show mls qos copp protocols Step 5 Opti...

Page 1602: ...the configured protocol Switch show running config inc copp Switch show running config inc copp mls qos copp protocol rep hfl police pps 5600 mls qos copp protocol lldp police bps 908900 mls qos copp protocol cdp police pps 3434 Copp detailed output Switch show mls qos copp protocols Protocol Mode PolicerRate PolicerBurst InProfilePackets OutProfilePackets InProfileBytes OutProfileBytes rep hfl pp...

Page 1603: ...g the System page 1523 Performing Switch Setup Configuration page 1559 Configuring SDM Templates page 1589 Configuring System Message Logs page 1597 Configuring Online Diagnostics page 1613 Troubleshooting the Software Configuration page 1625 ...

Page 1604: ......

Page 1605: ...Date Management You can manage the system time and date on your switch using automatic configuration methods RTC and NTP or manual configuration methods For complete syntax and usage information for the commands used in this section see the Cisco IOS Configuration Fundamentals Command Referenceon Cisco com Note System Clock The basis of the time service is the system clock This clock runs from the...

Page 1606: ...extremely efficient no more than one packet per minute is necessary to synchronize two devices to within a millisecond of one another NTP uses the concept of a stratum to describe how many NTP hops away a device is from an authoritative time source A stratum 1 time server has a radio or atomic clock directly attached a stratum 2 time server receives its time through NTP from a stratum 1 time serve...

Page 1607: ... as an NTP peer to the upstream and downstream Switch Switch B and Switch F respectively Figure 106 Typical NTP Network Configuration If the network is isolated from the Internet Cisco s implementation of NTP allows a device to act as if it is synchronized through NTP when in fact it has learned the time by using other means Other devices then synchronize to that device through NTP When multiple s...

Page 1608: ...e is given the IP address of all devices with which it should form associations Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an association However in a LAN environment NTP can be configured to use IP broadcast messages instead This alternative reduces configuration complexity because each device can simply be configured to send or receive broadcast...

Page 1609: ...through NTP When multiple sources of time are available NTP is always considered to be more authoritative NTP time overrides the time set by any other method Several manufacturers include NTP software for their host systems and a publicly available version for systems running UNIX and its various derivatives is also available This software allows host systems to be time synchronized as well NTP Ve...

Page 1610: ...The stack member number range is from 1 through 8 When you use this command the stack member number is appended to the system prompt For example Switch 2 is the prompt in privileged EXEC mode for stack member 2 and the system prompt for the switch stack is Switch Default System Name and Prompt Configuration The default switch system name and prompt is Switch DNS The DNS protocol controls the Domai...

Page 1611: ...onfiguration The MOTD and login banners are not configured MAC Address Table The MAC address table contains address information that the switch uses to forward traffic between ports All MAC addresses in the address table are associated with one or more ports The address table includes these types of addresses Dynamic address A source MAC address that the switch learns and then ages when it is not ...

Page 1612: ...es for example could be forwarded to port 1 in VLAN 1 and ports 9 10 and 1 in VLAN 5 Each VLAN maintains its own logical address table A known address in one VLAN is unknown in another until it is learned or statically associated with a port in the other VLAN Default MAC Address Table Settings The following table shows the default settings for the MAC address table Table 141 Default Settings for t...

Page 1613: ...st reconfigure this setting if you have manually configured the system clock before the active switchstack master fails and a different stack member assumes the role of active switchstack master Note Setting the System Clock If you have an outside source on the network that provides time services such as an NTP server you do not need to manually set the system clock Follow these steps to set the s...

Page 1614: ...mezone zone hours offset minutes offset 4 end 5 show running config 6 copy running config startup config DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Step 1 Example Switch enable Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Sets the time zone clock timezone zone hours offset minutes ...

Page 1615: ... in the configuration file copy running config startup config Example Switch copy running config Step 6 startup config Configuring Summer Time Daylight Saving Time To configure summer time daylight saving time in areas where it starts and ends on a particular day of the week each year perform this task SUMMARY STEPS 1 enable 2 configure terminal 3 clock summer time zone date date month year hh mm ...

Page 1616: ...ck summer time Step 4 The end time is relative to summer time Summer time is disabled by default If you specify clock summer time zone recurring without parameters the summer time rules default to the United States rules PDT recurring 10 March 2013 2 00 3 November 2013 2 00 If the starting month is after the ending month the system assumes that you are in the southern hemisphere zone Specifies the...

Page 1617: ...ern configure the exact date and time of the next summer time events SUMMARY STEPS 1 enable 2 configure terminal 3 clock summer time zone date month date year hh mm month date year hh mm offset orclock summer time zone date date month year hh mm date month year hh mm offset 4 end 5 show running config 6 copy running config startup config DETAILED STEPS Purpose Command or Action Enables privileged ...

Page 1618: ...week of the month 1 to 5 or last Optional For day specify the day of the week Sunday Monday Optional For month specify the month January February Optional For hh mm specify the time 24 hour format in hours and minutes Optional For offset specify the number of minutes to add during summer time The default is 60 Returns to privileged EXEC mode end Example Switch config end Step 4 Verifies your entri...

Page 1619: ...stem name When you set the system name it is also used as the system prompt hostname name Example Switch config hostname Step 3 The default setting is Switch The name must follow the rules for ARPANET hostnames They must start with a letter end with a letter or digit and have as remote users interior characters only letters digits and hyphens Names can be up to 63 characters Returns to privileged ...

Page 1620: ...in the hostname the Cisco IOS software looks up the IP address without appending any default domain name to the hostname Follow these steps to set up your switch to use the DNS SUMMARY STEPS 1 enable 2 configure terminal 3 ip domain name name 4 ip name server server address1 server address2 server address6 5 ip domain lookup nsap source interface interface 6 end 7 show running config 8 copy runnin...

Page 1621: ...erver specified is the primary server The switch sends DNS queries to the primary server first If that query fails the backup servers are queried name server 192 168 1 100 192 168 1 200 192 168 1 300 Optional Enables DNS based hostname to address translation on your switch This feature is enabled by default ip domain lookup nsap source interface interface Step 5 Example Switch config ip domain loo...

Page 1622: ...ample Switch configure terminal Step 2 Specifies the message of the day banner motd c message c Step 3 Example Switch config banner motd c Enters the delimiting character of your choice for example a pound sign and press the Return key The delimiting character signifies the beginning and end of the banner text Characters after the ending delimiter are discarded This is a secure site Only authorize...

Page 1623: ...he MOTD banner and before the login prompt Follow these steps to configure a login banner SUMMARY STEPS 1 enable 2 configure terminal 3 banner login c message c 4 end 5 show running config 6 copy running config startup config DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Example Switch enable Step 1 Enters the global configuration mode...

Page 1624: ...urns to privileged EXEC mode end Example Switch config end Step 4 Verifies your entries show running config Example Switch show running config Step 5 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 6 Managing the MAC Address Table Changing the Address Aging Time Follow these steps to configure the dynam...

Page 1625: ... enter 0 which disables aging Static address entries are never aged or removed from the table aging time 500 vlan 2 vlan id Valid IDs are 1 to 4094 Returns to privileged EXEC mode end Example Switch config end Step 4 Verifies your entries show running config Example Switch show running config Step 5 Optional Saves your entries in the configuration file copy running config startup config Example Sw...

Page 1626: ...cipient of the trap message snmp server host host addr community string notification type informs traps version 1 2c 3 vrf vrf instance name Step 3 host addr Specifies the name or address of the NMS Example Switch config snmp server host 172 20 10 10 traps private mac notification traps the default Sends SNMP traps to the host informs Sends SNMP informs to the host version Specifies the SNMP versi...

Page 1627: ... seconds the default is 1 second notification change interval 123 Optional history size value Specifies the maximum number of entries in the MAC notification history table The range is 0 to 500 the default is 1 Switch config mac address table notification change history size 100 Enters interface configuration mode and specifies the Layer 2 interface on which to enable the SNMP MAC address notifica...

Page 1628: ...ithin the same VLAN Follow these steps to configure the switch to send MAC address move notification traps to an NMS host SUMMARY STEPS 1 enable 2 configure terminal 3 snmp server host host addr traps informs version 1 2c 3 community string notification type 4 snmp server enable traps mac notification move 5 mac address table notification mac move 6 end 7 show running config 8 copy running config ...

Page 1629: ... can set this string by using the snmp server host command we recommend that you define this string by using the snmp server community command before using the snmp server host command notification type Uses the mac notification keyword Enables the switch to send MAC address move notification traps to the NMS snmp server enable traps mac notification move Example Switch config snmp server enable t...

Page 1630: ...SNMP notification is generated and sent to the network management system when a MAC address table threshold limit is reached or exceeded Follow these steps to configure the switch to send MAC address table threshold notification traps to an NMS host SUMMARY STEPS 1 enable 2 configure terminal 3 snmp server host host addr traps informs version 1 2c 3 community string notification type 4 snmp server...

Page 1631: ... by using the snmp server community command before using the snmp server host command notification type Uses the mac notification keyword Enables MAC threshold notification traps to the NMS snmp server enable traps mac notification threshold Step 4 Example Switch config snmp server enable traps mac notification threshold Enables the MAC address threshold notification feature mac address table noti...

Page 1632: ...uration file copy running config startup config Example Switch copy running config startup config Step 9 What to Do Next Adding and Removing Static Address Entries Follow these steps to add a static address SUMMARY STEPS 1 enable 2 configure terminal 3 mac address table static mac addr vlan vlan id interface interface id 4 end 5 show running config 6 copy running config startup config DETAILED STE...

Page 1633: ...d packet is forwarded Valid interfaces include physical ports or port channels For static multicast addresses you can enter multiple interface IDs For static unicast addresses you can enter only one interface at a time but you can enter the command multiple times with the same MAC address and VLAN ID Returns to privileged EXEC mode Alternatively you can also press Ctrl Z to exit global configurati...

Page 1634: ...ied source or destination unicast static address mac address table static mac addr vlan vlan id drop Example Switch config mac address table Step 3 mac addr Specifies a source or destination unicast MAC address 48 bit Packets with this MAC address are dropped static c2f3 220a 12f4 vlan 4 drop vlan id Specifies the VLAN for which the packet with the specified MAC address is received Valid VLAN IDs ...

Page 1635: ...s for all VLANs or the specified VLAN show ip igmp snooping groups Displays MAC address table information for the specified MAC address show mac address table address mac address Displays the aging time in all VLANs or the specified VLAN show mac address table aging time Displays the number of addresses present in all VLANs or the specified VLAN show mac address table count Displays only dynamic M...

Page 1636: ...ple for daylight savings time shows how to specify that summer time starts on March 10 at 02 00 and ends on November 3 at 02 00 Switch config clock summer time PDT recurring PST date 10 March 2013 2 00 3 November 2013 2 00 This example shows how to set summer time start and end dates Switch config clock summer time PST date 20 March 2013 2 00 20 November 2013 2 00 Example Configuring a MOTD Banner...

Page 1637: ...nfig snmp server host 172 20 10 10 traps private mac notification Switch config snmp server enable traps mac notification change Switch config mac address table notification change Switch config mac address table notification change interval 123 Switch config mac address table notification change history size 100 Switch config interface gigabitethernet1 2 1 Switch config if snmp trap mac notificat...

Page 1638: ...e packet is dropped Switch config mac address table static c2f3 220a 12f4 vlan 4 drop Additional References for Switch Administration Related Documents Document Title Related Topic Catalyst 2960 X Switch System Management Command Reference Switch administration commands Catalyst 2960 X Switch Network Management Configuration Guide Network management configuration Catalyst 2960 X Switch Layer 2 Con...

Page 1639: ...roducts and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password Feature History and Information for Swit...

Page 1640: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1558 Feature History and Information for Switch Administration ...

Page 1641: ...ch configuration IP address subnet mask default gateway secret and Telnet passwords and so forth The boot loader software performs the normal boot process and includes these activities Locates the bootable base package in the bundle or installed package set Performs low level CPU initialization It initializes the CPU registers which control where physical memory is mapped its quantity its speed an...

Page 1642: ...se the switch setup program if you want to be prompted for specific IP information With this program you can also configure a hostname and an enable secret password It gives you the option of assigning a Telnet password to provide security during remote management and configuring your switch as a command or member switch of a cluster or as a standalone switch Use a DHCP server for centralized cont...

Page 1643: ...you might also need to configure a Trivial File Transfer Protocol TFTP server and a Domain Name System DNS server The DHCP server for your switch can be on the same LAN or on a different LAN than the switch If the DHCP server is running on a different LAN you should configure a DHCP relay device between your switch and the DHCP server A relay device forwards broadcast traffic between two directly ...

Page 1644: ...had a chance to formally request the address If the switch accepts replies from a BOOTP server and configures itself the switch broadcasts instead of unicasts TFTP requests to obtain the switch configuration file The DHCP hostname option allows a group of switches to obtain hostnames and a standard configuration from the central management DHCP server A client switch includes in its DCHPDISCOVER m...

Page 1645: ...d to a switch that already has a configuration the downloaded configuration is appended to the configuration file stored on the switch Any existing configuration is not overwritten by the downloaded one To enable a DHCP auto image update on the switch the TFTP server where the image and configuration files are located must be configured with the correct option 67 the configuration filename option ...

Page 1646: ... server or if the configuration file could not be downloaded the switch attempts to download a configuration file by using various combinations of filenames and TFTP server addresses The files include the specified configuration filename if any and these files network config cisconet cfg hostname config or hostname cfg where hostname is the switch s current hostname The TFTP server addresses used ...

Page 1647: ... switch sends a broadcast message to a TFTP server to retrieve the named configuration file from the base directory of the server and upon receipt it completes its boot up process Only the IP address is reserved for the switch and provided in the DHCP reply The configuration filename is not provided two file read method The switch receives its IP address subnet mask and the TFTP server address fro...

Page 1648: ...value of the variable A variable has no value if it is not present it has a value if it is listed even if the value is a null string A variable that is set to a null string for example is a variable with a value Many environment variables are predefined and have default values Environment variables store two kinds of data Data that controls code which does not read the Cisco IOS configuration file...

Page 1649: ...nnot be loaded the system attempts to boot the first bootable file that it can find in the flash file system BOOT boot manual Enables manually booting the switch during the next boot cycle and changes the setting of the MANUAL_BOOT environment variable The next time you reboot the system the switch is in boot loader mode To boot up the system use the boot flash filesystem file url boot loader comm...

Page 1650: ...ember number priority priority number Changes the priority value of a stack member set SWITCH_PRIORITY stack member number Changes the priority value of a stack member SWITCH_PRIORITY line console 0 speedspeed value Configures the baud rate set BAUD baud rate BAUD boot enable break switch yes no This command can be issued when the flash filesystem is initialized when ENABLE_BREAK is set to yes set...

Page 1651: ...to take place at the specified time using a 24 hour clock If you specify the month and day the reload is scheduled to take place at the specified time and date If you do not specify the month and day the reload takes place at the specified time on the current day if the specified time is later than the current time or on the next day if the specified time is earlier than the current time Specifyin...

Page 1652: ...the autoconfiguration of a new switch SUMMARY STEPS 1 configure terminal 2 ip dhcp pool poolname 3 boot filename 4 network network number mask prefix length 5 default router address 6 option 150 address 7 exit 8 tftp server flash filename text 9 interface interface id 10 no switchport 11 ip address address mask 12 end DETAILED STEPS Purpose Command or Action Enters global configuration mode config...

Page 1653: ...IP address of the default router for a DHCP client default router address Example Switch dhcp config default router 10 10 10 1 Step 5 Specifies the IP address of the TFTP server option 150 address Example Switch dhcp config option 150 10 10 10 1 Step 6 Returns to global configuration mode exit Example Switch dhcp config exit Step 7 Specifies the configuration file on the TFTP server tftp server fl...

Page 1654: ...mage Update Configuration File and Image This task describes DHCP autoconfiguration to configure TFTP and DHCP settings on an existing switch to support the installation of a new switch Before You Begin You must first create a text file for example autoinstall_dhcp that will be uploaded to the switch In the text file put the name of the image that you want to download forexample c3750e ipservices ...

Page 1655: ...ress mask 17 end 18 copy running config startup config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Switch configure terminal Step 1 Creates a name for the DHCP server address pool and enter DHCP pool configuration mode ip dhcp pool poolname Example Switch config ip dhcp pool pool1 Step 2 Specifies the name of the file that is used as a boot ...

Page 1656: ...IP address of the TFTP server option 150 address Example Switch dhcp config option 150 10 10 10 1 Step 6 Specifies the path to the text file that describes the path to the image file option 125 hex Example Switch dhcp config option 125 hex Step 7 0000 0009 0a05 08661 7574 6f69 6e73 7461 6c6c 5f64 686370 Uploads the text file to the switch copy tftp flash filename txt Example Switch config copy tft...

Page 1657: ...he client that will receive the configuration file interface interface id Example Switch config interface gigabitEthernet1 0 4 Step 14 Puts the interface into Layer 3 mode no switchport Example Switch config if no switchport Step 15 Specifies the IP address and mask for the interface ip address address mask Example Switch config if ip address 10 10 10 1 255 255 255 0 Step 16 Returns to privileged ...

Page 1658: ...ion with a saved configuration boot host dhcp Example Switch conf boot host dhcp Step 2 Optional Sets the amount of time the system tries to download a configuration file boot host retry timeout timeout value Example Switch conf boot host retry timeout 300 Step 3 If you do not set a timeout the system will try indefinitely to obtain an IP address from the DHCP server Note Optional Creates warning ...

Page 1659: ...s task describes how to manually assign IP information to multiple switched virtual interfaces SVIs SUMMARY STEPS 1 configure terminal 2 interface vlan vlan id 3 ip address ip address subnet mask 4 exit 5 ip default gateway ip address 6 end 7 show interfaces vlan vlan id 8 show ip redirects DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Switch ...

Page 1660: ...Switch config ip default gateway Step 5 configured The default gateway receives IP packets with unresolved destination IP addresses from the switch Once the default gateway is configured the switch has connectivity to the remote networks with which a host needs to communicate 10 10 10 1 When your switch is configured to route with IP it does not need to have a default gateway set Note Returns to p...

Page 1661: ...he new switch syncs with the stack and reloads automatically Note SUMMARY STEPS 1 configure terminal 2 boot buffersize size 3 end 4 show boot DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Switch configure terminal Step 1 Configures the NVRAM buffersize in KB The valid range for size is from 4096 to 1048576 boot buffersize size Example Switch c...

Page 1662: ...h file url 3 end 4 show boot 5 copy running config startup config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Switch configure terminal Step 1 Specifies the configuration file to load during the next boot cycle boot flash file url Example Switch config boot flash config text Step 2 file url The path directory and the configuration filename F...

Page 1663: ...configure it to manually boot up Before You Begin Use a standalone switch for this task SUMMARY STEPS 1 configure terminal 2 boot manual 3 end 4 show boot 5 copy running config startup config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Switch configure terminal Step 1 Enables the switch to manually boot up during the next boot cycle boot man...

Page 1664: ...l Specifies the path directory and the name of the bootable image Filenames and directory names are case sensitive Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config Step 5 startup config Configuring a Scheduled Software Image Reload This task describes how to configure your switch to reload the software image at a later time...

Page 1665: ...occur reload at hh mm month day day month text Step 4 Use the at keyword only if the switch system clock has been set through Network Time Protocol NTP the hardware calendar or manually The time is relative to the configured time zone on the switch To schedule reloads across several switches to occur simultaneously the time on each switch must be synchronized with NTP Note Example Switch config re...

Page 1666: ...isplays software bootup in install mode switch boot flash c2960x universalk9 mz 150 2 EX c2960x universalk9 mz 150 2 EX bin Configuration Examples for Performing Switch Setup Example Configuring a Switch as a DHCP Server Switch configure terminal Switch config ip dhcp pool pool1 Switch dhcp config network 10 10 10 0 255 255 255 0 Switch dhcp config boot config boot text Switch dhcp config default ...

Page 1667: ... Example Configuring a Switch to Download Configurations from a DHCP Server This example uses a Layer 3 SVI interface on VLAN 99 to enable DHCP based autoconfiguration with a saved configuration Switch configure terminal Switch config boot host dhcp Switch config boot host retry timeout 300 Switch config banner config save C Caution Saving Configuration File to NVRAM May Cause You to No longer Aut...

Page 1668: ...ge 1579 Additional References for Performing Switch Setup Related Documents Document Title Related Topic Catalyst 2960 X Switch System Management Command Reference Switch setup commands Boot loader commands Catalyst 2960 X Switch Interface and Hardware Component Configuration Guide Catalyst 2960 X Switch Managing Cisco IOS Image Files Configuration Guide USB flash devices Catalyst 2960 X Switch Ha...

Page 1669: ...ducts and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password Feature History and Information For Perfor...

Page 1670: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1588 Feature History and Information For Performing Switch Setup Configuration ...

Page 1671: ...f the releases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Information About Configuring SDM Templates Restrictions for SDM Templates The f...

Page 1672: ...configuration The LAN Base routing template prevents other features from using the memory allocated to unicast routing Routing must be enabled on your switch before you can use the routing template For more information about homogeneous and mixed stacks see the Catalyst 2960 X Switch Stacking Configuration Guide After you change the template and the system reboots you can use the show sdm prefer p...

Page 1673: ...5 K 1 K 25 K IPv6 multicast groups 0 75 K 2 K 25 K Directly connected IPv6 addresses 0 32 1 K 32 Indirect IPv6 unicast routes 0 0 0 0 IPv6 policy based routing ACEs 256 K 375 K 5 K 375 K Ipv4 MAC QoS ACEs 256 K 375 K 625 K 375 K IPv4 MAC security ACEs 0 0 0 0 IPv6 policy based routing ACEs 0 125 K 5 K 60 IPv6 QoS ACEs Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 29...

Page 1674: ...M mode condition and an SDM mismatch mode exist the switch stack first attempts to resolve the VM mode condition You can use the show switch privileged EXEC command to see if any stack members are in SDM mismatch mode How to Configure SDM Templates Setting the SDM Template Follow these steps to use the SDM template to maximize feature usage SUMMARY STEPS 1 enable 2 configure terminal 3 sdm prefer ...

Page 1675: ...o be used on the switch The keywords have these meanings sdm prefer default dual ipv4 and ipv6 default lanbase routing Step 4 default The default template provides balance for all Layer 2 IPv4 and IPv6 functionality Example Switch config sdm prefer dual ipv4 and ipv6 dual ipv4 and ipv6 The dual IP template supports both IPv4 and IPv6 routing The default option balances IPv4 and IPv6 Layer 2 functi...

Page 1676: ...resources in the switch to support this level of features for 0 routed interfaces and 1024 VLANs number of unicast mac addresses 16K number of IPv4 IGMP groups multicast routes 1K number of IPv4 unicast routes 3K number of directly connected IPv4 hosts 2K number of indirect IPv4 routes 1K number of IPv6 multicast groups 1K number of directly connected IPv6 addresses 2K number of indirect IPv6 unic...

Page 1677: ... Examples Configuring SDM Templates This example shows how to configure the VLAN template Switch config sdm prefer lanbase routing Switch config exit Switch reload Proceed with reload confirm Switch config sdm prefer dual ipv4 and ipv6 default Switch config exit Switch reload Proceed with reload confirm Additional References for SDM Templates Related Documents Document Title Related Topic Catalyst...

Page 1678: ...cts and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password Feature History and Information for Configur...

Page 1679: ...g buffer terminal lines or a UNIX syslog server depending on your configuration The process also sends messages to the console When the logging process is disabled messages are sent only to the console The messages are sent as they are generated so message and debug output are interspersed with prompts or output from other commands Messages appear on the active consoles after the process that gene...

Page 1680: ...ese global configuration commands service sequence numbers service timestamps log datetime service timestamps log datetime localtime msec show timezone service timestamps log uptime Table 146 System Log Message Elements Description Element Stamps log messages with a sequence number only if the service sequence numbers global configuration command is configured seq no Date and time of the message o...

Page 1681: ...ation 4096 bytes Logging buffer size 1 message Logging history size Disabled Time stamps Disabled Synchronous logging Disabled Logging server None configured Syslog server IP address Local7 Server facility Informational Server severity Syslog Message Limits If you enabled syslog message traps to be sent to an SNMP network management station by using the snmp server enable trap global configuration...

Page 1682: ...uffered size 3 logging host 4 logging file flash filename max file size min file size severity level number type 5 end 6 terminal monitor DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Switch configure terminal Step 1 Logs messages to an internal buffer on the switch or on a standalone switch or in the case of a switch stack on the active switc...

Page 1683: ...n terminal monitor Step 6 Example Switch terminal monitor Terminal parameter setting commands are set locally and do not remain in effect after the session has ended You must perform this step for each session to see the debugging messages Synchronizing Log Messages You can synchronize unsolicited messages and debug privileged EXEC command output with solicited device output and prompts for a spec...

Page 1684: ...also change the setting of the single vty line being used for your current connection For example to change the setting for vty line 2 enter line vty 2 When you enter this command the mode changes to line configuration Enables synchronous logging of messages logging synchronous level severity level all limit number of buffers Step 3 Optional level severity level Specifies the message severity leve...

Page 1685: ...sole as soon as they are produced often appearing in the middle of command output The logging synchronous global configuration command also affects the display of messages to the console When this command is enabled messages appear only after you press Return To reenable message logging after it has been disabled use the logging on global configuration command This task is optional SUMMARY STEPS 1...

Page 1686: ... Example Switch configure terminal Step 1 Enables log time stamps Use one of these commands Step 2 service timestamps log uptime log uptime Enables time stamps on log messages showing the time since the system was rebooted service timestamps log datetime msec localtime show timezone log datetime Enables time stamps on log messages Depending on the options selected the time stamp can Example Switch...

Page 1687: ... log messages are not displayed This task is optional SUMMARY STEPS 1 configure terminal 2 service sequence numbers 3 end DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Switch configure terminal Step 1 Enables sequence numbers service sequence numbers Example Switch config service sequence numbers Step 2 Returns to privileged EXEC mode end Exam...

Page 1688: ...vel Step 2 Example Switch config logging console 3 By default the console receives debugging messages and numerically lower levels Limits messages logged to the terminal lines logging monitor level Step 3 Example Switch config logging monitor 3 By default the terminal receives debugging messages and numerically lower levels Limits messages logged to the syslog servers logging trap level Step 4 Exa...

Page 1689: ...rminal Example Switch configure terminal Step 1 Changes the default level of syslog messages stored in the history file and sent to the SNMP server logging history level Example Switch config logging history 3 Step 2 By default warnings errors critical alerts and emergencies messages are sent Specifies the number of syslog messages that can be stored in the history table logging history size numbe...

Page 1690: ...mon on a UNIX server SUMMARY STEPS 1 Add a line to the file etc syslog conf 2 Enter these commands at the UNIX shell prompt 3 Make sure the syslog daemon reads the new changes DETAILED STEPS Purpose Command or Action Add a line to the file etc syslog conf Step 1 local7 Specifies the logging facility Example local7 debug usr adm logs cisco log debug Specifies the syslog level The file must already ...

Page 1691: ...le shows a partial switch system message on a switch 00 00 46 LINK 3 UPDOWN Interface Port channel1 changed state to up 00 00 47 LINK 3 UPDOWN Interface GigabitEthernet0 1 changed state to up 00 00 47 LINK 3 UPDOWN Interface GigabitEthernet0 2 changed state to up 00 00 48 LINEPROTO 5 UPDOWN Line protocol on Interface Vlan1 changed state to down 00 00 48 LINEPROTO 5 UPDOWN Line protocol on Interfac...

Page 1692: ... part of a logging display with the sequence numbers enabled 000019 SYS 5 CONFIG_I Configured from console by vty2 10 34 195 36 Switch 2 Additional References for System Message Logs Related Documents Document Title Related Topic Catalyst 2960 X Switch System Management Command Reference System message log commands Cisco IOS 15 3M T Command References Platform independent command references Cisco ...

Page 1693: ... products and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password Feature History and Information For Sy...

Page 1694: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1612 Feature History and Information For System Message Logs ...

Page 1695: ...ents and verify the data path and the control signals The online diagnostics detect problems in these areas Hardware components Interfaces Ethernet ports and so forth Solder joints Online diagnostics are categorized as on demand scheduled or health monitoring diagnostics On demand diagnostics run from the CLI scheduled diagnostics run at user designated intervals or at specified times when the Swi...

Page 1696: ... from 1 to 8 Example Switch diagnostic start switch 2 test You can specify the tests by using one of these options name Enters the name of the test basic test id Enters the ID number of the test test id range Enters the range of test IDs by using integers separated by a comma and a hyphen all Starts all of the tests basic Starts the basic test suite non disruptive Starts the non disruptive test su...

Page 1697: ...d output switch 1 test 1 5 on July 3 2013 23 10 test id ID number of the test that appears in the show diagnostic content command output test id range ID numbers of the tests that appear in the show diagnostic content command output all All test IDs basic Starts the basic on demand diagnostic tests non disruptive Starts the non disruptive test suite You can schedule the tests as follows Daily Use ...

Page 1698: ...le Switch enable Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Configures the health monitoring interval of the specified tests diagnostic monitor interval switch number test name test id test id range all hh mm ss milliseconds day Step 3 The switch number keyword is supported only on stacking switches When specifying the tests use one of these pa...

Page 1699: ...ic content command output threshold switch 2 test 1 failure count 20 test id ID number of the test that appears in the show diagnostic content command output test id range ID numbers of the tests that appear in the show diagnostic content command output all All of the diagnostic tests The range for the failure threshold count is 0 to 99 Enables the specified health monitoring tests diagnostic moni...

Page 1700: ...itor threshold testtest id test id range failure countcommand to remove the failure threshold Monitoring and Maintaining Online Diagnostics Displaying Online Diagnostic Tests and Test Results You can display the online diagnostic tests that are configured for the Switch or Switch stack and check the test results by using the privileged EXEC show commands in this table Table 148 Commands for Diagno...

Page 1701: ... diagnostic start privileged EXEC command to begin diagnostic testing After starting the tests you cannot stop the testing process Use this privileged EXEC command to manually start online diagnostic testing SUMMARY STEPS 1 diagnostic start switch number test name test id test id range all basic non disruptive DETAILED STEPS Purpose Command or Action Starts the diagnostic tests diagnostic start sw...

Page 1702: ...itch Switch config diagnostic schedule switch 1 test 1 2 4 6 weekly saturday 10 30 Displaying Online Diagnostics Examples This example shows how to display the online diagnostic detailed information on a specific switch Switch show diagnostic switch 1 detail Switch 1 SerialNo Overall Diagnostic Result for Switch 1 UNTESTED Test results Pass F Fail U Untested _______________________________________...

Page 1703: ..._________________________________________________________________ 5 TestInlinePwrCtlr U Error code 3 DIAG_SKIPPED Total run count 0 Last test testing type n a Last test execution time n a First test failure time n a Last test failure time n a Last test pass time n a Total failure count 0 Consecutive failure count 0 ___________________________________________________________________________ This ex...

Page 1704: ... status Switch show diagnostic status BU Bootup Diagnostics HM Health Monitoring Diagnostics OD OnDemand Diagnostics SCH Scheduled Diagnostics Card Description Current Running Test Run by 1 N A N A 2 TestPortAsicStackPortLoopback OD TestPortAsicLoopback OD TestPortAsicCam OD TestPortAsicRingLoopback OD TestMicRingLoopback OD TestPortAsicMem OD 3 N A N A 4 N A N A Switch This example shows how to d...

Page 1705: ...e resources including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on...

Page 1706: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1624 Feature History and Information for Configuring Online Diagnostics ...

Page 1707: ...he Software Configuration page 1646 Scenarios for Troubleshooting the Software Configuration page 1650 Configuration Examples for Troubleshooting Software page 1652 Additional References for Troubleshooting Software Configuration page 1655 Feature History and Information for Troubleshooting Software Configuration page 1656 Information About Troubleshooting the Software Configuration Software Failu...

Page 1708: ... power source The device does not receive redundant power when it is only connected to the PoE port After the switch detects a powered device the switch determines the device power requirements and then grants or denies power to the device The switch can also detect the real time power consumption of the device by monitoring and policing the power usage For more information see the Configuring PoE...

Page 1709: ...exist an unknown host message is returned Destination unreachable If the default gateway cannot reach the specified network a destination unreachable message is returned Network or host unreachable If there is no entry in the route table for the host or network a network or host unreachable message is returned Related Topics Executing Ping on page 1643 Example Pinging an IP Host on page 1652 Layer...

Page 1710: ... Layer 2 path when the specified source and destination IP addresses belong to the same subnet When you specify the IP addresses the Switch uses the Address Resolution Protocol ARP to associate the IP addresses with the corresponding MAC addresses and the VLAN IDs If an ARP entry exists for the specified IP address the Switch uses the associated MAC address and identifies the physical path If an A...

Page 1711: ...to itself containing a destination port number that is unused locally it sends an ICMP port unreachable error to the source Because all errors except port unreachable errors come from intermediate hops the receipt of a port unreachable error means that this message was sent by the destination port Related Topics Executing IP Traceroute on page 1644 Example Performing a Traceroute to an IP Host on ...

Page 1712: ... All System Diagnostics on page 1654 Onboard Failure Logging on the Switch You can use the onboard failure logging OBFL feature to collect information about the Switch The information includes uptime temperature and voltage information and helps Cisco technical support representatives to troubleshoot Switch problems We recommend that you keep OBFL enabled and do not erase the data stored in the fl...

Page 1713: ...fore logging of new data begins Related Topics Configuring OBFL on page 1646 Displaying OBFL Information Possible Symptoms of High CPU Utilization Excessive CPU utilization might result in these symptoms but the symptoms might also result from other causes Spanning tree topology changes EtherChannel links brought down due to loss of communication Failure to respond to management requests ICMP ping...

Page 1714: ...e by using the tar tvf image_filename tar UNIX command Example unix 1 tar tvf image_filename tar b Locate the bin file and extract it by using the tar xvf image_filename tar image_filename bin UNIX command Example unix 1 tar xvf image_filename tar image_filename bin x c2960x universalk9 mz 150 2 EX1 c2960x universalk9 mz 150 2 EX1 bin 2928176 bytes 5720 tape blocks c Verify that the bin file was e...

Page 1715: ...ownloaded Cisco IOS image Example switch boot flash image_filename bin Step 13 Use the archive download sw privileged EXEC command to download the software image to the switch or to the switch stack Step 14 Use the reload privileged EXEC command to restart the switch and to verify that the new software image is operating properly Step 15 Delete the flash image_filename bin file from the switch Rec...

Page 1716: ...o 9600 baud Step 3 On a switch power off the switch Step 4 Reconnect the power cord to the switch Within 15 seconds press the Mode button while the System LED is still flashing green Continue pressing the Mode button until all the system LEDs turn on and remain solid then release the Mode button Several lines of information about the software appear with instructions informing you if the password ...

Page 1717: ...60x universalk9 mz 150 2 EX1 bin 11 rwx 5825 Mar 01 2013 22 31 59 config text 16128000 bytes total 10003456 bytes free Step 5 Rename the configuration file to config text old This file contains the password definition Switch rename flash config text flash config text old Step 6 Boot up the system Switch boot You are prompted to start the setup program Enter N at the prompt Continue with the config...

Page 1718: ...e in a shutdown state You can see which interface is in this state by entering the show running config privileged EXEC command To reenable the interface enter the interface vlan vlan id global configuration command and specify the VLAN ID of the shutdown interface With the switch in interface configuration mode enter the no shutdown command Note Step 14 Boot the switch with the packages conf file ...

Page 1719: ... the password Step 1 Choose to continue with password recovery and delete the existing configuration Would you like to reset the system back to the default configuration y n Y Step 2 Display the contents of flash memory Switch dir flash The Switch file system appears Directory of flash 13 drwx 192 Mar 01 2013 22 30 48 c2960x universalk9 mz 150 2 0 63 UCP bin 16128000 bytes total 10003456 bytes fre...

Page 1720: ...tandby command switch and your command switch loses power or fails in some other way management contact with the member switches is lost and you must install a new command switch However connectivity between switches that are still connected is not affected and the member switches forward packets as usual You can manage the members as standalone switches through the console port or if they have IP...

Page 1721: ...Enter configuration commands one per line End with CNTL Z Step 7 Remove the member switch from the cluster Example Switch config no cluster commander address Step 8 Return to privileged EXEC mode Example Switch config end Switch Step 9 Use the setup program to configure the switch IP information This program prompts you for IP address information and passwords From privileged EXEC mode enter EXEC ...

Page 1722: ...e correct Step 16 If the displayed information is correct enter Y and press Return If this information is not correct enter N press Return and begin again at Step 9 Step 17 Start your browser and enter the IP address of the new command switch Step 18 From the Cluster menu select Add to Cluster to display a list of candidate switches to add to the cluster Replacing a Failed Command Switch with Anot...

Page 1723: ...c characters is case sensitive allows spaces but ignores leading spaces Step 8 When prompted for the enable secret and enable passwords enter the passwords of the failed command switch again Step 9 When prompted make sure to enable the switch as the cluster command switch and press Return Step 10 When prompted assign a name to the cluster and press Return The cluster name can be 1 to 31 alphanumer...

Page 1724: ...k members causes the switch stack to divide partition into two or more switch stacks each with the same configuration If you want the switch stacks to remain separate change the IP address or addresses of the newly created switch stacks To recover from a partitioned switch stack follow these steps 1 Power off the newly created switch stacks 2 Reconnect them to the original switch stack through the...

Page 1725: ...nterval for recovering from the error disabled state After the elapsed interval the Switch brings the interface out of the error disabled state and retries the operation For more information about the errdisable recovery command see the command reference for this release If the module is identified as a Cisco SFP module but the system is unable to read vendor data information to verify its accurac...

Page 1726: ...ation see the command reference for this release Monitoring the Physical Path You can monitor the physical path that a packet takes from a source device to a destination device by using one of these privileged EXEC commands Table 149 Monitoring the Physical Path Purpose Command Displays the Layer 2 path taken by the packets from the specified source MAC address to the specified destination MAC add...

Page 1727: ...system overhead When you log messages to the console very high overhead occurs When you log messages to a virtual terminal less overhead occurs Logging messages to a syslog server produces even less and logging to an internal buffer produces the least overhead of any method For more information about system message logging see Configuring System Message Logging Note Related Topics Debug Commands o...

Page 1728: ... the clear onboard switch switch number privileged EXEC command In a switch stack you can enable OBFL on a standalone switch or on all stack members by using the hw switch switch switch number logging onboard message level level global configuration command You can enable or disable OBFL on a member switch from the active switchstack master For more information about the commands in this section s...

Page 1729: ... stack members start the reason the standalone switch or specified stack members restart and the length of time that the standalone switch or the specified stack members have been running since they last restarted show logging onboard module switch number uptime Switch show logging onboard 1 uptime Displays the system voltages of a standalone switch or the specified stack members show logging onbo...

Page 1730: ...e Problem and Cause for High CPU Utilization To determine if high CPU utilization is a problem enter the show processes cpu sorted privileged EXEC command Note the underlined information in the first line of the output example Switch show processes cpu sorted CPU utilization for five seconds 8 0 one minute 7 five minutes 8 PID Runtime ms Invoked uSecs 5Sec 1Min 5Min TTY Process 309 42289103 752750...

Page 1731: ...s almost as high as total CPU utilization value Identify the unusual event and troubleshoot the root cause See the section on Debugging Active Processes One or more Cisco IOS process is consuming too much CPU time This is usually triggered by an event that activated the process Total CPU utilization is greater than 50 with minimal time spent on interrupts Consolidated Platform Configuration Guide ...

Page 1732: ...the switch front panel to the powered device is not more than 100 meters Disconnect the Ethernet cable from the switch port Use a short Ethernet cable to connect a known good Ethernet device directly to this port on the switch front panel not on a patch panel Verify that it can establish an Ethernet link and exchange traffic with another host or ping the port VLAN SVI Next connect a powered device...

Page 1733: ...ct a powered device to this port and verify that it powers on If the device powers on verify that all intermediate patch panels are correctly connected Disconnect all but one of the Ethernet cables from switch ports Using a short patch cord connect a powered device to only one PoE port Verify the powered device does not require more power than can be delivered by the switch port Use the show power...

Page 1734: ...ormally a Cisco phone or wireless access point intermittently reloads or disconnects from PoE Use the show power inline command to verify that the switch power budget available PoE is not depleted before or after the powered device is connected Verify that sufficient power is available for the powered device type before you connect it Use the show interface status command to verify that the switch...

Page 1735: ...ult Simultaneously press and release the Ctrl Shift and 6 keys and then press the X key Related Topics Ping on page 1627 Executing Ping on page 1643 Example Performing a Traceroute to an IP Host This example shows how to perform a traceroute to an IP host Switch traceroute ip 192 0 2 10 Type escape sequence to abort Tracing the route to 192 0 2 10 1 192 0 2 1 0 msec 0 msec 4 msec 2 192 0 2 203 12 ...

Page 1736: ...stics Because debugging output takes priority over other network traffic and because the debug all privileged EXEC command generates more output than any other debug command it can severely diminish switch performance or even render it unusable In virtually all cases it is best to use more specific debug commands Caution This command disables all system diagnostics Switch debug all The no debug al...

Page 1737: ...ces Platform independent command references Cisco IOS 15 3M T Configuration Guides Platform independent configuration information Standards and RFCs Title Standard RFC None MIBs MIBs Link MIB To locate and download MIBs for selected platforms Cisco IOS releases and feature sets use Cisco MIB Locator found at the following URL http www cisco com go mibs All supported MIBs for this release Consolida...

Page 1738: ...es such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password Feature History and Information for Troubleshooting Software Configuration Modification Release This feature was introduced Cisco IOS 15 0 2 EX Consolidated Platform ...

Page 1739: ... CLI Library Command Extensions page 1849 EEM Context Library Command Extensions page 1861 EEM Event Registration Tcl Command Extensions page 1869 EEM Event Tcl Command Extensions page 1977 EEM Library Debug Command Extensions page 1985 EEM Multiple Event Support Tcl Command Extensions page 1987 EEM SMTP Library Command Extensions page 1991 EEM System Information Tcl Command Extensions page 1995 E...

Page 1740: ......

Page 1741: ...tional References page 1679 Finding Feature Information Your software release may not support all the features documented in this module For the latest caveats and feature information see Bug Search Tool and the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported s...

Page 1742: ...he event subscriber Event detectors notify the EEM server when an event of interest occurs The EEM policies that are configured using the Cisco command line interface CLI then implement recovery on the basis of the current state of the system and the actions specified in the policy for the given event EEM offers the ability to monitor events and take informational or corrective action when the mon...

Page 1743: ... event detector publishes an event when a named counter crosses a specified threshold Interface Counter The interface counter event detector publishes an event when a generic Cisco IOS interface counter for a specified interface crosses a defined threshold Timer The timer event detector publishes events for the following four different types of timers absolute time of day countdown watchdog and CR...

Page 1744: ...ager The system manager event detector generates events for Cisco IOS Software Modularity process start normal or abnormal stop and restart events The events generated by the system manager allows policies to change the default behavior of the process restart Watchdog System Monitor WDSysMon The Cisco Software Modularity watchdog system monitor event detector detects infinite loops deadlocks and m...

Page 1745: ...fy testing type test name test id consecutive failure platform action and maxrun keywords for improved reaction to GOLD test failures and conditions The following platform wide GOLD Event Detector information can be accessed through new read only EEM built in environment variables Boot up diagnostic level Card index name serial number Port counts Test counts The following test specific GOLD Event ...

Page 1746: ...ability to run multiple events was introduced and show event manager commands were enhanced to show multiple events Support for parameters The parameter argument has been added to the event manager run command A maximum of 15 parameters can be used Display of Job IDs and completion status Some of the show event manager commands were enhanced to display Job IDs and completion status Bytecode suppor...

Page 1747: ... include functionality for SNMP getid inform trap and set type operations SNMP Notification IPv6 support IPv6 address is supported for the source and destination IP addresses CLI Library XML PI support Provides a programmable interface which encapsulates IOS command line interface CLI show commands in XML format in a consistent way across different Cisco products Customers using XML PI will be abl...

Page 1748: ... or after normal user traffic on the port is allowed to flow Mac Address Table Mac Address Table event detector generates an event when a MAC address is learned in the MAC address table The Mac Address Table event detector is supported only on switch platforms and can be used only on Layer 2 interfaces where MAC addresses are learned Layer 3 interfaces do not learn addresses and devices do not usu...

Page 1749: ...ds clear event manager detector counters and clear event manager server counters are introduced to clear the event manager queue counters EEM Event Detector Enhancements CLI event detector enhancement Provides the ability to detect the session where the user enters the event cli command Four new keywords and built in environmental variables username host privilege and tty are added to the event cl...

Page 1750: ...ent Detector Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes A p p l i c a t i o n S p e c i f i c Yes Yes Yes Yes Yes Yes Yes Yes CLI Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Counter Yes Yes Custom CLI Yes Yes Yes Yes Yes Enhanced Object Tracking Yes Environmental Yes Yes Yes Yes Yes Yes GOLD Yes Yes Yes Identity Yes Yes Yes Yes Yes Yes Yes Yes Yes Interface Counter Yes Yes Yes IPSLA Yes Yes Yes M a c A d...

Page 1751: ...DSysMon Cisco IOS Software Modularity watchdog Event Detectors Embedded Event Manager EEM uses software programs known as event detectors to determine when an EEM event occurs Event detectors are separate systems that provide an interface between the agent being monitored for example Simple Network Management Protocol SNMP and the EEM policies where an action can be implemented Some event detector...

Page 1752: ...ent when a named counter crosses a specified threshold There are two or more participants that affect counter processing The counter event detector can modify the counter and one or more subscribers define the criteria that cause the event to be published After a counter event has been published the counter monitoring logic can be reset to start monitoring the counter immediately or it can be rese...

Page 1753: ...vent when a generic Cisco IOS interface counter for a specified interface crosses a defined threshold A threshold can be specified as an absolute value or an incremental value If the incremental value is set to 50 for example an event would be published when the interface counter increases by 50 After an interface counter event has been published the interface counter monitoring logic is reset usi...

Page 1754: ...rypted connection using Secure Shell SSH The RPC event detector uses Simple Object Access Protocol SOAP data encoding for exchanging XML based messages This event detector can be used to run EEM policies and then receive output in a SOAP XML formatted reply Routing Event Detector The routing event detector publishes an event when a route entry changes in the Routing Information Base RIB SNMP Event...

Page 1755: ... Cisco IOS processes are now referred to as tasks to distinguish them from Cisco IOS Software Modularity processes Note Two events may be monitored at the same time and the event publishing criteria can be specified to require one event or both events to cross their specified thresholds Watchdog System Monitor WDSysMon Event Detector for Cisco IOS Software Modularity The Cisco IOS Software Modular...

Page 1756: ...enerate a prioritized syslog message Yes Yes Yes Yes Yes Yes Yes Yes Yes Generate an SNMP trap Yes Yes Yes Yes Yes Yes Yes Yes Manually run an EEM policy Yes Yes Yes Yes Yes Yes Yes Yes Yes Publish an application specific event Yes Yes Yes Yes Yes Read the state of a tracked object Yes Yes Yes Yes Yes Yes Yes Yes Yes Reload the Cisco software Yes Yes Yes Yes Yes Yes Yes Yes Request system informat...

Page 1757: ...ease see the EEM Actions Available by Cisco IOS Release concept in the Writing Embedded Event Manager Policies Using the Cisco IOS CLI or the Writing Embedded Event Manager Policies Using Tcl modules EEM supports the following actions Executing a Cisco IOS command line interface CLI command Generating a CNS event for upstream processing by Cisco CNS devices Setting or modifying a named counter Swi...

Page 1758: ...ent variables see the table below and Cisco system defined environment variables may apply to one specific event detector or to all event detectors Environment variables that are user defined or defined by Cisco in a sample policy are set using the event manager environment command Variables that are used in the EEM policy must be defined before you register the policy A Tcl policy contains a sect...

Page 1759: ...mail _email_server engineer yourdomain com The address to which e mail is sent _email_to devtest yourdomain com The address from which e mail is sent _email_from manager yourdomain com The address to which the e mail is be copied _email_cc 209 165 201 1 or IPv6 address 2001 0DB8 1 The source IP address of the recipient _email_ipaddr 1 3 6 1 2 1 2 or iso internet mgmt mib 2 interfaces The SNMP obje...

Page 1760: ...state of the system and the actions specified in the policy for a given event Recovery actions are triggered when the policy is run Although there are some EEM CLI configuration and show commands EEM is implemented through the creation of policies An EEM policy is an entity that defines an event and the actions to be taken when that event occurs There are two types of EEM policies an applet or a s...

Page 1761: ...information about the feature or features described in this module This table lists only the software release that introduced support for a given feature in a given software release train Unless noted otherwise subsequent releases of that software release train also support that feature Use Cisco Feature Navigator to find information about platform support and Cisco software image support To acces...

Page 1762: ...rd No new or modified standards are supported and support for existing standards has not been modified MIBs MIBs Link MIB To locate and download MIBs for selected platforms Cisco IOS releases and feature sets use Cisco MIB Locator found at the following URL http www cisco com go mibs CISCO EMBEDDED EVENT MGR MIB RFCs Title RFC No new or modified RFCs are supported and support for existing RFCs has...

Page 1763: ...ologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password Consolidated Platform Configuration Guide Cisco IOS Relea...

Page 1764: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1682 Additional References ...

Page 1765: ...otes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the feature information table Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to www cisco com go cfn An account on Cisco com...

Page 1766: ...iated with this applet If no event is specified this applet is not considered registered When no action is associated with this applet events are still triggered but no actions are performed Multiple action configuration commands are allowed within an applet configuration Use the show event manager policy registered command to display a list of registered applets Before modifying an EEM applet be ...

Page 1767: ...s Read Only Description Environment Variable All Events Unique number that indicates the ID for this published event Multiple policies may be run for the same event and each policy will have the same event_id _event_id Type of event _event_type An ASCII string identifier of the event type that triggered the event _event_type_string The time in seconds and milliseconds at which the event was publis...

Page 1768: ...name The value of the counter _counter_value Enhanced Object Tracking Event Detector The number of the tracked object _track_number The state of the tracked object down or up _track_state GOLD Event Detector The action notify information in a GOLD event flag either false or true _action_notify The event severity which can be one of the following normal minor or major _event_severity The boot diagn...

Page 1769: ...test failure information in a GOLD event flag either true or false _gold_new_failure The overall diagnostic result which can be one of the following values 0 OK 3 minor error 4 major error 14 unknown result _gold_overall_result Port counts _gold_pc Test total run count where testnum is the test number For example _gold_rc3 is the EEM built in variable for the total run count of test 3 _gold_rc tes...

Page 1770: ...estnum Per device test result where testnum is the test number and devnum is the device number For example _gold_tr3d20 is the EEM built in variable for the test result for test 3 device 20 The test result is one of the following values P diagnostic result Pass F diagnostic result Fail U diagnostic result Unknown _gold_tr testnum d devnum Per port test result where testnum is the test number and p...

Page 1771: ...r to be monitored _interface_parameter A value with which the current interface counter value is compared _interface_value None Event Detector A value of 1 indicates an insertion event a value of 2 indicates a removal event _event_id The parameters that are passed from the XML SOAP command to the script _none_argc _none_arg1 _none_arg2 _none_arg3 _none_arg4 _none_arg5 _none_arg6 _none_arg7 _none_a...

Page 1772: ...ormal minor major and critical _resource_level The ERM notify data flag _resource_notify_data_flag The ERM resource owner ID _resource_owner_id The ERM policy ID _resource_policy_id The ERM policy violation flag either false or true _resource_policy_violation_flag The ERM event time in nanoseconds _resource_time_sent The ERM resource user ID _resource_user_id RF Event Detector A value of 0 indicat...

Page 1773: ...oid The actual incremental difference between the value of the current SNMP object ID and the value when the event was last triggered _snmp_oid_delta_val The SNMP object ID value when the event was published _snmp_oid_val SNMP Notification Event Detector A user specified object ID _snmp_notif_oid A user specified object ID value _snmp_notif_oid_val The source IP address of the SNMP Protocol Data U...

Page 1774: ... last respawned _process_last_respawn The node name of the Posix process _process_node_name The path of the Posix process _process_path The name of the Posix process _process_process_name The number of times that a Posix process was respawned _process_respawn_count Timer Event Detector The time available before the timer expires This environment variable is not available for the CRON timer Note _t...

Page 1775: ...s a percentage _ioswd_sub1_value _ioswd_sub2_value Watchdog System Monitor IOSWDSysMon mem_proc Subevents A percentage value of the difference that triggered the event This variable is set only when the _ioswd_sub1_is_percent or _ioswd_sub2_is_percent variable contains a value of 1 Note _ioswd_sub1_diff _ioswd_sub2_diff A number that identifies whether the value is a percentage A value of 0 means ...

Page 1776: ...wd_sub2_procname The CPU utilization of subevents measured as a percentage _wd_sub1_value _wd_sub2_value Watchdog System Monitor WDSysMon cpu_tot Subevents The slot number for the subevent RP reporting node _wd_sub1_node _wd_sub2_node The time period in seconds and optional milliseconds used for measurement in subevents _wd_sub1_period _wd_sub2_period The CPU utilization of subevents measured as a...

Page 1777: ...e The time period in seconds and optional milliseconds used for measurement in subevents _wd_sub1_period _wd_sub2_period The process name of subevents _wd_sub1_procname _wd_sub2_procname The CPU utilization of subevents measured as a percentage _wd_sub1_value _wd_sub2_value Watchdog System Monitor WDSysMon mem_proc Subevents A percentage value of the difference that triggered the event This variab...

Page 1778: ...value of 1 means that the value is a percentage _wd_sub1_is_percent _wd_sub2_is_percent The slot number for the subevent RP reporting node _wd_sub1_node _wd_sub2_node The time period in seconds and optional milliseconds used for measurement in subevents _wd_sub1_period _wd_sub2_period The CPU utilization of subevents measured as a percentage _wd_sub1_value _wd_sub2_value The memory used by subeven...

Page 1779: ...pecific Environmental Variables Example Description Environment Variable The e mail server name Mailservername can be in any one of the following template formats username password host username host host A Simple Mail Transfer Protocol SMTP mail server used to send e mail _email_server engineering example com The address to which e mail is sent _email_to devtest example com The address from which...

Page 1780: ...s subject subject body body text 11 Add more action commands as required 12 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Optional Displays the name and value of EEM environment variables show event manager environment all variable name Step 2 Example Device show event manager environment all The option...

Page 1781: ...mple Device config applet event snmp oid 1 3 6 1 4 1 9 9 48 1 1 1 6 1 get type exact entry op lt entry val 5120000 poll interval 90 Specifies the action of executing a Cisco IOS CLI command when an EEM applet is triggered action label cli command cli string pattern pattern string Step 8 Example Device config applet action 1 0 cli command enable The pattern keyword is optional and is used only when...

Page 1782: ...ent specifies the fully qualified domain name of the e mail server to be used to forward the e mail Example Device config applet action 2 0 mail The to address argument specifies the e mail address where the e mail is to be sent server 192 168 1 10 to engineering example com from devtest example com subject Memory failure The from address argument specifies the e mail address from which the e mail...

Page 1783: ...g and Defining an EEM Tcl Script to configure all the environment variables required by the policy to be registered in Registering and Defining an EEM Tcl Script 6 event manager policy policy filename type system user trap 7 exit DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Optional Displays the name and v...

Page 1784: ...stem policy Use the trap keyword to generate an SNMP trap when the policy is triggered In this example the sample EEM policy named tm_cli_cmd tcl is registered as a system policy Exits global configuration mode and returns to privileged EXEC mode exit Example Device config exit Step 7 Examples In the following example the show event manager environment privileged EXEC command is used to display th...

Page 1785: ...type event name system user time ordered name ordered The optional systemand user keywords display the registered system and user policies Example Device show event manager policy registered If no keywords are specified EEM registered policies for all event types are displayed in time order Enters global configuration mode configure terminal Example Device configure terminal Step 3 Removes the EEM...

Page 1786: ...6 1 get type exact entry op lt entry val 5120000 poll interval 90 action 1 0 syslog priority critical msg Memory exhausted current available memory is _snmp_oid_val bytes action 2 0 force switchover In the following example the show event manager policy registered privileged EXEC command is used to show that applet IPSLAping1 has been removed after entering the no event manager policy command Devi...

Page 1787: ...e system user time ordered name ordered The optional systemand user keywords display the registered system and user policies Example Device show event manager policy registered If no keywords are specified EEM registered policies for all event types are displayed in time order Enters global configuration mode configure terminal Example Device configure terminal Step 3 Immediately suspends the exec...

Page 1788: ...ce configure terminal Step 3 event manager history size events traps size Use this command to change the size of the EEM event history table or the size of the EEM SNMP trap history table In the following example the size of the EEM event history table is changed to 30 entries Example Device config event manager history size events 30 Step 4 exit Exits global configuration mode and returns to priv...

Page 1789: ...ple Device show event manager history traps policy No Time Trap Type Name 1 Wed Aug18 22 30 58 2004 policy EEM Policy Director 2 Wed Aug18 22 34 58 2004 policy EEM Policy Director 3 Wed Aug18 22 51 18 2004 policy EEM Policy Director Displaying Embedded Event Manager Registered Policies Perform this optional task to display registered EEM policies SUMMARY STEPS 1 enable 2 show event manager policy ...

Page 1790: ...g Interface state change _syslog_msg 2 applet snmp Thu May30 05 57 16 2004 memory fail oid 1 3 6 1 4 1 9 9 48 1 1 1 6 1 get type exact entry op lt entry val 5120000 poll interval 90 action 1 0 syslog priority critical msg Memory exhausted current available memory is _snmp_oid_val bytes action 2 0 force switchover Use this command with the event typekeyword to display information about currently re...

Page 1791: ... event manager applet applet name Example Device config event manager applet snmp Step 3 Specifies the event criteria for an Embedded Event Manager EEM applet that is run by sampling Simple Network Management Protocol SNMP notification event tag event tag snmp notification oid oid string oid val comparison value op operator maxrun maxruntime number src ip address ip address dest ip address ip addr...

Page 1792: ...d parameters SUMMARY STEPS 1 enable 2 configure terminal 3 event manager applet applet name 4 event tag event tag cli pattern regular expression sync yes no skip yes no occurs num occurrences period period value maxrun maxruntime number 5 trigger occurs occurs value period period value period start period start value delay delay value 6 correlate event event tag track object number boolean operato...

Page 1793: ...roup events such as traps or syslog messages then the default trigger occurrence window is three minutes Note Specifies up to eight attribute statements to build a complex event for an EEM applet attribute tag event tag occurs occurs value Example Device config applet attribute tag 1 0 occurs 1 Step 7 Specifies the action of executing a CLI command when an EEM applet is triggered action label cli ...

Page 1794: ... in the specified class and a scheduler rule for the class is configured the policy will wait until a thread of that class is available for execution Synchronous policies that are triggered from the same input event should be scheduled in the same execution thread SUMMARY STEPS 1 enable 2 configure terminal 3 event manager scheduler applet axp call home thread class class options number thread num...

Page 1795: ...t class class options processor rp_primary rp_standby 4 show event manager policy pending queue type applet call home axp script class class options detailed DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Displays the pending EEM policies show event manager policy pending queue type applet call home axp scri...

Page 1796: ...nager policy pending no job id status time of event event type name 1 1 pend Thu Sep 7 02 54 04 2006 syslog applet one 2 2 held Thu Sep 7 02 54 04 2006 syslog applet two 3 3 pend Thu Sep 7 02 54 04 2006 syslog applet three Resuming Execution of EEM Policy Events or Event Queues To resume the execution of specified EEM policies perform this task In this task the policy that was put on hold in the H...

Page 1797: ...te Examples The following example shows how to view all pending EEM policies to specify the policy that will resume execution and to see that the policy is now back in a pending status Device show event manager policy pending no job id status time of event event type name 1 1 pend Thu Sep 7 02 54 04 2006 syslog applet one 2 2 held Thu Sep 7 02 54 04 2006 syslog applet two 3 3 pend Thu Sep 7 02 54 ...

Page 1798: ... is cleared from the pending queue class options processor rp_primary rp_standby Example Device event manager scheduler clear policy 2 Displays all the pending EEM policies except the policy cleared in Step 3 show event manager policy pending Example Device show event manager policy pending Step 4 Only the syntax applicable to this task is used in this example For more details see the Cisco IOS Ne...

Page 1799: ... Enables privileged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Displays the pending EEM policies show event manager policy pending Step 2 Example Device show event manager policy pending Only the syntax applicable to this task is used in this example For more details see the Cisco IOS Network Management Command Reference Note Modifies the scheduling parameters of...

Page 1800: ...y active queue type applet call home axp script class class options detailed DETAILED STEPS show event manager policy active queue type applet call home axp script class class options detailed This command displays only the running EEM policies This command includes class detailed and queue type optional keywords The following is sample output from this command Example Device show event manager po...

Page 1801: ...p tcl 4 12650 N A running Mon Oct29 20 49 59 2007 timer watchdog loop tcl 5 12842 N A running Mon Oct29 20 51 13 2007 timer watchdog loop tcl default class 6 applet events no job id p s status time of event event type name 1 15852 N A running Mon Oct29 21 11 09 2007 counter WDOG_SYSLG_CNTR_TRACK_INTF_APPL 2 15853 N A running Mon Oct29 21 11 09 2007 counter WDOG_SYSLG_CNTR_TRACK_INTF_APPL 3 15854 N...

Page 1802: ... The output for synchronous applets will bypass the system logger The local console will be opened by the applets and serviced by the corresponding synchronous Event Detector pty Synchronous output will be directed to the opened console Reading and Writing Input from the Active Console for Synchronous EEM Applets Use the following tasks to implement EEM applet interactive CLI support Reading Input...

Page 1803: ...ole in a synchronous applet and stores the value in the given variable when an EEM applet is triggered action label gets variable Example Device config applet action label2 gets input Step 5 Specifies the action to be taken when an EEM applet is triggered action label syslog priority priority level msg msg text Step 6 Example Device config applet action label3 syslog msg Input entered was input In...

Page 1804: ...ewline keyword is specified The output from the action puts command for a synchronous applet is displayed directly to the console bypassing the system logger The output of the action puts command for an asynchronous applet is directed to the system logger SUMMARY STEPS 1 enable 2 configure terminal 3 event manager applet applet name 4 event none 5 action label regexp string pattern string input st...

Page 1805: ...match is _match Step 6 The nonewline keyword is optional and is used to suppress the display of the new line character Exits applet configuration mode and returns to privileged EXEC mode exit Example Device config applet exit Step 7 Manually runs a registered EEM policy event manager run applet name Step 8 Example Device event manager run action In this example the policy registered in Step 3 is t...

Page 1806: ...alue of 1 3 6 1 2 1 1 1 you should specify the variable value that is 1 3 6 1 2 1 1 1 If the specified values do not match a trap will be generated and an error message will be written to the syslog history The action info type snmp oid get type command specifies the type of the get operation to be performed To retrieve the exact variable the get operation type should be specified as exact To retr...

Page 1807: ...e of the sysContact variable _info_snmp_syscontact_oid The value string for the sysContact variable _info_snmp_syscontact_value The get operation requests can be sent to both local and remote hosts SNMP Set Operation All SNMP variables are assigned a default value in the MIB view The SNMP event manager can modify the value of these MIB variables through set operation The set operation can be perfo...

Page 1808: ...on SNMP inform requests refer to the SNMP notifications that alert the SNMP manager to a network condition and request for confirmation of receipt from the SNMP manager An SNMP event occurs when SNMP MIB object ID values are sampled or when the SNMP counter crosses a defined threshold If the notifications are enabled and configured for such events the SNMP traps or inform messages generated An SNM...

Page 1809: ...ion Enables privileged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Enters global configuration mode configure terminal Example Device configure terminal Step 2 Registers the applet with the event manager server and enters applet configuration mode event manager applet applet name Example Device config event manager applet snmp Step 3 Specifies the event criteria t...

Page 1810: ...6 1 get type Example exact community public ipaddr 172 17 16 69 Optional Specifies the variable to be set action label info type snmp oid oid value set type oid type oid type value community community string ipaddr ip address Step 6 In this example the sysName 0 variable is specified for the set operation and community string is specified as rw Example Device config applet action 1 4 info type For...

Page 1811: ...EM Applet for SNMP OID Notifications Perform this task to configure SNMP notifications Before You Begin SNMP event manager must be configured using the snmp server managercommand and SNMP agents must be configured to send and receive SNMP traps generated for an EEM policy SNMP traps and informs must be enabled by using the snmp server enable traps event manager and snmp server enable traps command...

Page 1812: ...eged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Enters global configuration mode configure terminal Example Device configure terminal Step 2 Registers the applet with the event manager server and enters applet configuration mode event manager applet applet name Example Device config event manager applet snmp Step 3 Specifies the event criteria that cause the EEM ...

Page 1813: ...rise oid enterprise oid value generic trapnum generic trap number Step 6 specific trapnum specific trap number trap oid trap oid value trap var trap variable In this example the authenticationFailure trap is generated Example Device config applet action 1 4 info type The specific trap number refers to the enterprise specific trap which is generated when an enterprise event occurs If the generic tr...

Page 1814: ...re each action is executed in the order in which they are configured when the event is triggered Conditional logic introduces a control structure that can change the flow of actions within applets depending on conditional expressions Each control structure can contain a list of applet actions including looping and if else actions which determine if the structure is executed or not The information ...

Page 1815: ...ng Cisco IOS Release 12 4 22 T or a later release Configuring Variable Logic for EEM Applets EEM 3 0 adds new applet action commands to permit simple variable logic within applets To configure the variable logic using action commands perform the following tasks Specifying a Loop of Conditional Blocks To specify a loop of a conditional block when an EEM applet is triggered perform this task In this...

Page 1816: ...tring_op2 Step 5 Example Device config applet action 2 while i lt 10 In this example a loop is set to check if the value of the variable i is less than 10 Performs the action as indicated by the action command Add any action as required Step 6 Example Device config applet action 3 syslog msg i is i In this example the message i is _i is written to the syslog Exits from the running action action la...

Page 1817: ...PS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Enters global configuration mode configure terminal Example Device configure terminal Step 2 Registers the applet with the Embedded Event Manager EEM and enters applet configuration mode event manager applet applet name Example Device config event manager applet ifcondition...

Page 1818: ...end Step 9 Specifying foreach Iterating Statements To specify a conditional statement that iterates over an input string using the delimiter as a tokenizing pattern perform this task The foreach iteration statement is used to iterate through a collection to get the desired information The delimiter is a regular expression pattern string The token found in each iteration is assigned to the given it...

Page 1819: ...applet iteration Step 3 Iterates over an input string using the delimter as a tokenizing pattern action label foreach string iterator string input string delimiter Step 4 Example Device config applet action 2 0 foreach iterator red blue green orange In this example the iteration is run through the elements of the input string red blue green and orange Performs the action as indicated by the action...

Page 1820: ...e enable Step 1 Example Device enable Enter your password if prompted Enters global configuration mode configure terminal Example Device configure terminal Step 2 Registers the applet with the Embedded Event Manager EEM and enters applet configuration mode event manager applet applet name Example Device config event manager applet regexp Step 3 Specifies an expression pattern to match with an inpu...

Page 1821: ... action label set 5 action label increment variable name long integer DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Enters global configuration mode configure terminal Example Device configure terminal Step 2 Registers the applet with the Embedded Event Manager EEM and enters applet configuration mode event...

Page 1822: ...MP object event for an Embedded Event Manager EEM applet that is run by sampling SNMP object SUMMARY STEPS 1 enable 2 configure terminal 3 event manager applet applet name 4 event snmp object oid oid value type value sync yes no skip yes no istable yes no default seconds maxrun maxruntime number 5 exit DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Devi...

Page 1823: ...the applet indicates whether to reply to the SNMP Example action 2 syslog msg request _snmp_request request The description for code 0 is do not reply to the request and the description for code 1 is reply to the request When the return code from the applet replies to the request a value is specified in the applet for the object using action snmp object value command Example action 3 syslog msg re...

Page 1824: ...le Device enable Enter your password if prompted Enters global configuration mode configure terminal Example Device configure terminal Step 2 Registers the applet with the Embedded Event Manager EEM and enters applet configuration mode event manager applet applet name authorization bypass class class options trap Example Device config event manager applet one class A authorization bypass Step 3 Ex...

Page 1825: ...xt 7 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode enable Step 1 Example Device enable Enter your password if prompted Enters global configuration mode configure terminal Example Device configure terminal Step 2 Registers the applet with the EEM and enters applet configuration mode event manager applet applet name Example Device config event manager applet increment Ste...

Page 1826: ... steps outlined in the Registering and Defining an Embedded Event Manager Applet on page 1696 Application Specific Event Detector The following example shows how a policy named EventPublish_A runs every 20 seconds and publishes an event type numbered 1 to an EEM subsystem numbered 798 The subsystem value of 798 specifies that a publish event has occurred from an EEM policy A second policy named Ev...

Page 1827: ...tor only allows a regular expression pattern match on a valid IOS CLI command itself This does not include text after a pipe character when redirection is used Note The following example shows that when show version include test is entered the applet fails to trigger because the CLI event detector does not match on characters entered after the pipe character and the debug event manager detector cl...

Page 1828: ...a based on an RF state change notification event manager applet start rf event rf event rf_prog_initialization action 1 0 syslog msg rf state rf_prog_initialization reached RPC Event Detector The RPC event detector allows an outside entity to make a Simple Object Access Protocol SOAP request to the device and invokes a defined EEM policy or script The following example shows how an EEM applet call...

Page 1829: ...EEM applet has been registered through the CLI using the event manager applet command The applet will run when the available memory on the primary RP falls below the specified threshold of 5 120 000 bytes The applet actions are to write a message to syslog that indicates the number of bytes of memory available and to switch to the secondary RP Figure 110 Dual RP Topology The commands used to regis...

Page 1830: ...sso event manager applet memory demo event snmp oid 1 3 6 1 4 1 9 9 48 1 1 1 6 1 get type exact entry op lt entry val 5120000 poll interval 90 action 1 0 syslog priority critical msg Memory exhausted current available memory is _snmp_oid_val bytes action 2 0 force switchover SNMP Notification Event Detector The following example shows how to configure the snmp server community public RW and snmp s...

Page 1831: ...sco Discovery Protocol CDP cache entry changes event manager applet EventNeighbor event neighbor discovery interface FastEthernet0 cdp all action 1 0 syslog msg Applet EventNeighbor Embedded Event Manager Manual Policy Execution Examples The following examples show how to use the none event detector to configure an EEM policy applet or script to be run manually Using the event manager run Command ...

Page 1832: ...System Monitor Sample2 Policy The second policy triggers an applet when the total amount of memory used by the process named Net Input is greater than 100 kb event manager applet IOSWD_Sample2 event ioswdsysmon sub1 mem proc taskname Net Input op gt val 100 is percent false action 1 0 syslog msg IOSWD_Sample2 Policy Triggered Watchdog System Monitor Sample3 Policy The third policy triggers an appl...

Page 1833: ...1 1 1 0 get type exact entry op lt entry val 5120000 poll interval 90 Device config applet action 1 3 info type snmp oid 1 3 6 1 2 1 1 1 0 get type exact community public Device config applet action 1 3 info type snmp oid 1 3 6 1 2 1 1 4 0 get type next community public The following log message will be written to the SNMP event manager log 1d03h HA_EM 6 LOG lg 1 3 6 1 2 1 1 1 0 1d04h HA_EM 6 LOG ...

Page 1834: ...2 1 1 1 0 get type exact entry op lt entry val 5120000 poll interval 90 Device config applet action 1 3 info type snmp getid 1 3 6 1 2 1 1 1 0 community public ipaddr 172 17 16 69 The following log message is written to the SNMP event manager log 1d04h HA_EM 6 LOG lgid _info_snmp_sysname_oid 1 3 6 1 2 1 1 5 0 1d04h HA_EM 6 LOG lgid _info_snmp_sysname_value jubjub cisco com 1d04h HA_EM 6 LOG lgid _...

Page 1835: ... Device config applet action 1 3 info type snmp var sysUpTime 0 oid 1 3 6 1 4 1 9 9 43 1 1 6 1 3 41 integer 2 Device config applet action 1 4 info type snmp trap enterprise oid ciscoSyslogMIB 2 generic trapnum 6 specific trapnum 1 trap oid 1 3 6 1 4 1 9 9 41 2 0 1 trap var sysUpTime 0 The following output is generated if the debug snmp packets command is enabled Device debug snmp packets 1d04h SNM...

Page 1836: ...h SNMP Response reqid 24 errstat 0 erridx 0 1d04h SNMP Response reqid 24 errstat 0 erridx 0 1d04h SNMP Inform request reqid 25 errstat 0 erridx 0 sysUpTime 0 10244396 snmpTrapOID 0 ciscoConfigManMIB 2 0 1 ccmHistoryEventEntry 3 41 2 1d04h SNMP Packet sent via UDP to 172 19 209 24 162 1d04h SNMP Packet received via UDP from 172 19 209 24 on FastEthernet0 0 1d04h SNMP Response reqid 25 errstat 0 err...

Page 1837: ...rx rate If the rx rate is greater than the threshold a syslog message is displayed This applet makes use of the foreach conditional statement to poll the interface the if conditional block to compare the value under RXPS with max_rx_rate that was set in the EEM environment variable event manager environment poll_interfaces F0 0 event manager environment max_rx_rate 3 ev man app check_rx_rate ev ti...

Page 1838: ...is triggered action context retrieve Saves information across multiple policy triggers when an EEM applet is triggered action context save Continues with a loop of actions when an EEM applet is triggered action continue Decrements the value of a variable when an EEM applet is triggered action decrement Divides the dividend value by the given divisor value when an EEM applet is triggered action div...

Page 1839: ... get operation and the object to retrieve during the SNMP set operation when an EEM applet is triggered action info type snmp oid Sends SNMP trap requests when an EEM applet is triggered action info type snmp trap Creates a variable for an SNMP object identifier OID and its value from an EEM applet action info type snmp var Specifies the action of multiplying the variable value with a specified gi...

Page 1840: ... in lowercase when an EEM applet is triggered action string tolower Specifies the action of storing specific range of characters of a string in uppercase when an EEM applet is triggered action string toupper Specifies the action to trim a string when an EEM applet is triggered action string trim Specifies the action to trim the characters of one string from the left end of another string when an E...

Page 1841: ...ences The following sections provide references related to writing EEM policies Using the Cisco IOS CLI Related Documents Document Title Related Topic Cisco IOS Master Commands List All Releases Cisco IOS commands Cisco IOS Embedded Event Manager Command Reference EEM commands complete command syntax defaults command mode command history usage guidelines and examples Embedded Event Manager Overvie...

Page 1842: ...s the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password Feature Information for Writing EEM 4 0 Policies Using the Cisco IOS CLI The following table provides release information about the feature or features described in this module This table lists only the software release that i...

Page 1843: ...n Releases Feature Name This feature was introduced and is supported only on c2960cx platform 15 2 5 E1 Embedded Event Manager 4 0 Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1761 Feature Information for Writing EEM 4 0 Policies Using the Cisco IOS CLI ...

Page 1844: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1762 Feature Information for Writing EEM 4 0 Policies Using the Cisco IOS CLI ...

Page 1845: ... Policies Using Tcl page 1771 Configuration Examples for Writing Embedded Event Manager Policies Using Tcl page 1802 Additional References page 1823 Feature Information for Writing EEM 4 0 Policies Using the Cisco IOS CLI page 1824 Finding Feature Information Your software release may not support all the features documented in this module For the latest caveats and feature information see Bug Sear...

Page 1846: ...ion commands are allowed within an applet configuration Use the show event manager policy registered command to display a list of registered applets Before modifying an EEM applet be aware that the existing applet is not replaced until you exit applet configuration mode While you are in applet configuration mode modifying the applet the existing applet may be executing It is safe to modify the app...

Page 1847: ...ries There are different categories of EEM policy Tcl command extensions The Tcl command extensions available in each of these categories for use in all EEM policies are described in later sections in this document Note Table 166 EEM Policy Tcl Command Extension Categories Definition Category This category is represented by the event_register_ xxx family of event specific commands There is a separ...

Page 1848: ...e event publishers event detectors and the event subscribers policies Basically event publishers screen events and publish them when there is a match on an event specification that is provided by the event subscriber Event detectors notify the EEM server when an event of interest occurs When an event or fault is detected Embedded Event Manager determines from the event publishers an example would ...

Page 1849: ... user defined scripts run in Safe Tcl mode Safe Tcl allows Cisco to disable or customize individual Tcl commands For more details about Tcl commands go to http www tcl tk man The following list of Tcl commands are restricted with a few exceptions Restrictions are noted against each command or command keyword cd Change directory is not allowed to one of the restricted Cisco directory names encoding...

Page 1850: ...ile atime file attributes file channels file copy file delete file executable file isfile file link file lstat file mkdir file mtime file nativename file normalize file owned file readable file readlink file rename file rootname file separator file size Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1768 Information About Writing Embedded Event Manage...

Page 1851: ...policy size and obscures the policy code Obfuscation makes it a little more difficult to modify scripts and hides logic to preserve intellectual property rights Support for bytecode is being added to provide another option for release of supported and trusted code We recommend that you only run well understood or trusted and supported software on network devices To generate Tcl bytecode for IOS EE...

Page 1852: ...rd Embedded Event Manager policy filenames adhere to the following specification An optional prefix Mandatory indicating if present that this is a system policy that should be registered automatically at boot time if it is not already registered For example Mandatory sl_text tcl A filename body part containing a two character abbreviation see the table below for the first event specified an unders...

Page 1853: ...onment variables and register an EEM policy EEM schedules and runs policies on the basis of an event specification that is contained within the policy itself When an EEM policy is registered the software examines the policy and registers it to be run when the specified event occurs Before You Begin You must have a policy available that is written in the Tcl scripting language Sample policies are p...

Page 1854: ...e nameargument displays information about the specified environment variable Enters global configuration mode configure terminal Example Device configure terminal Step 3 Configures the value of the specified EEM environment variable event manager environment variable name string Step 4 Example Device config event manager environment _cron_entry 0 59 2 0 23 1 0 6 In this example the software assign...

Page 1855: ...ileged EXEC command is used to display the name and value of all EEM environment variables Device show event manager environment all No Name Value 1 _cron_entry 0 59 2 0 23 1 0 6 2 _show_cmd show ver 3 _syslog_pattern UPDOWN Ethernet1 0 4 _config_cmd1 interface Ethernet1 0 5 _config_cmd2 no shut Displaying EEM Registered Policies Perform this optional task to display EEM registered policies SUMMAR...

Page 1856: ...red name ordered No Type Event Type Trap Time Registered Name 1 system proc abort Off Wed May11 01 43 38 2005 pr_cdp_abort tcl instance 1 path cdp2 iosproc nice 0 priority normal maxrun 20 2 system syslog Off Wed May11 01 43 28 2005 sl_intf_down tcl occurs 1 pattern UPDOWN Ethernet1 0 nice 0 priority normal maxrun 90 3 system timer cron Off Wed May11 01 43 18 2005 tm_cli_cmd tcl name crontimer2 cr...

Page 1857: ...stem or user policies Example Device show event manager policy registered If no keywords are specified EEM registered policies for all event types are displayed in time order Enters global configuration mode configure terminal Example Device configure terminal Step 3 Removes the EEM policy from the configuration causing the policy to be unregistered no event manager policy policy filename Example ...

Page 1858: ...event manager policy command Device configure terminal Device config no event manager policy pr_cdp_abort tcl Device config exit The show event manager policy registered privileged EXEC command is entered again to display the EEM policies that are currently registered The policy pr_cdp_abort tcl is no longer registered Device show event manager policy registered No Type Event Type Trap Time Regist...

Page 1859: ... 2 The optional systemor user keyword displays the registered system or user policies Example Device show event manager policy registered If no keywords are specified EEM registered policies for all event types are displayed in time order Enters global configuration mode configure terminal Example Device configure terminal Step 3 Immediately suspends the execution of all EEM policies event manager...

Page 1860: ...and is entered to immediately suspend the execution of all EEM policies Device configure terminal Device config event manager scheduler suspend Nov 2 15 34 39 000 HA_EM 6 FMS_POLICY_EXEC fh_io_msg Policy execution has been suspended Managing EEM Policies Perform this task to specify a directory to use for storing user library files or user defined EEM policies This task applies only to EEM policie...

Page 1861: ..._library Device config event manager directory user library bootflash user_library Use the pathargument to specify the absolute pathname to the user directory Exits global configuration mode and returns to privileged EXEC mode exit Example Device config exit Step 5 Examples In the following example the show event manager directory user privileged EXEC command is used to display the directory if it...

Page 1862: ...e In the following example the size of the EEM event history table is changed to 30 entries Example Device config event manager history size events 30 Step 4 exit Exits global configuration mode and returns to privileged EXEC mode Example Device config exit Step 5 show event manager history events detailed maximum number Use this command to display information about each EEM event that has been tr...

Page 1863: ...ger metric process all process name DETAILED STEPS Step 1 enable Enables privileged EXEC mode Enter your password if prompted Example Device enable Step 2 show event manager metric process all process name Use this command to display the reliability metric data for processes The system keeps a record of when processes start and end and this data is used as the basis for reliability analysis In thi...

Page 1864: ...mber of abnormal ends within the past 60 minutes since reload 0 number of abnormal ends within the past 24 hours since reload 0 number of abnormal ends within the past 30 days since reload 0 Troubleshooting Tips Use the debug event manager command in privileged EXEC mode to troubleshoot EEM command operations Use any debugging command with caution because the volume of output generated can slow or...

Page 1865: ...the details of the abort pr_iprouting_abort tcl This policy runs when a configurable syslog message is logged It will execute a configurable CLI command and e mail the results sl_intf_down tcl This policy runs using a configurable CRON entry It will execute a configurable CLI command and e mail the results tm_cli_cmd tcl Introduced with Cisco Software Modularity images This policy runs at midnight...

Page 1866: ... password if prompted Example Device enable Step 2 show event manager policy available detailed policy filename Displays the actual specified sample policy including details about the environment variables used by the policy and instructions for running the policy The detailed keyword was introduced for the show event manager policy available and the show event manager policy registered commands D...

Page 1867: ...les Specifies a directory to use for storing user library files or user defined EEM policies In the following example the user_library directory on bootflash is specified as the directory for storing user library files Example Device config event manager directory user library disk0 user_library Device config event manager directory user library bootflash user_library Step 8 event manager policy p...

Page 1868: ...ow to check for and define some environment variables Check if all the env variables that we need exist If any of them does not exist print out an error msg and quit if info exists _email_server set result Policy cannot be run variable _email_server has not been set error result errorInfo if info exists _email_from set result Policy cannot be run variable _email_from has not been set error result ...

Page 1869: ...fo msg msg if _cerrno 0 set result format component s subsys err s posix err s n s _cerr_sub_num _cerr_sub_err _cerr_posix_err _cerr_str error result EEM Entry Status The entry status part of an EEM policy is used to determine if a prior policy has been run for the same event and to determine the exit status of the prior policy If the _entry_status variable is defined a prior policy has already ru...

Page 1870: ...E This number is interpreted as the following 32 bit value 10000110001001000011100110101110 This 32 bit integer is divided up into the five variables shown in the table below Table 169 _cerrno 32 Bit Error Return Value Variables Description Variable The error class indicates the severity of the error This variable corresponds to the first two bits in the 32 bit error return value 10 in the case ab...

Page 1871: ...propriate namespace under the cisco hierarchy 6 Program the must defines section to check for each environment variable that is used in this policy 7 Program the body of the script 8 Check the entry status to determine if a policy has previously run for this event 9 Check the exit status to determine whether or not to apply the default action for this event if a default action exists 10 Set Cisco ...

Page 1872: ...Device show event manager policy available detailed tm_cli_cmd tcl Step 3 Cut and paste the contents of the sample policy displayed on the screen to a text editor Use the edit and copy functions to move the contents from the device to a text editor on another device Use the text editor to edit the policy as a Tcl script Step 4 Define the required event_register Tcl command extension Choose the app...

Page 1873: ...register_track event_register_wdsysmon Step 5 Add the appropriate namespace under the cisco hierarchy Policy developers can use the new namespace cisco in Tcl policies in order to group all the extensions used by Cisco IOS EEM There are two namespaces under the cisco hierarchy and the table below shows which category of EEM Tcl command extension belongs under each namespace Consolidated Platform C...

Page 1874: ...Tcl global variables that are defined external to the policy before the policy is run To define an EEM environment variable use the Embedded Event Manager configuration command event manager environment CLI command By convention all Cisco EEM environment variables begin with _ an underscore In order to avoid future conflict customers are urged not to define new variables that start with _ You can ...

Page 1875: ...rror result errorInfo if info exists _email_from set result Policy cannot be run variable _email_from has not been set error result errorInfo if info exists _email_to set result Policy cannot be run variable _email_to has not been set error result errorInfo if info exists _email_cc set result Policy cannot be run variable _email_cc has not been set error result errorInfo Step 7 Program the body of...

Page 1876: ...ority warning msg A sample message generated by action_syslog if _cerrno 0 set result format component s subsys err s posix err s n s _cerr_sub_num _cerr_sub_err _cerr_posix_err _cerr_str error result Step 11 Save the Tcl script with a new filename and copy the Tcl script to the device Embedded Event Manager policy filenames adhere to the following specification An optional prefix Mandatory indica...

Page 1877: ...not execute correctly Use the Cisco IOS debug event manager CLI command with its various keywords to debug issues Refer to the Troubleshooting Tips on page 1795 for details about using Tcl specific keywords Troubleshooting Tips Use the debug event manager tcl commands CLI command to debug issues with Tcl extension commands When enabled this command displays all data that is passed in and read back...

Page 1878: ...ry directory and copy the Tcl library files into the directory 2 tclsh 3 auto_mkindex directory_name tcl 4 Copy the Tcl library files from Creating an EEM User Tcl Library Index and the tclIndex file from Creating an EEM User Tcl Library Index to the directory used for storing user library files on the target device 5 Copy a user defined EEM policy file written in Tcl to the directory used for sto...

Page 1879: ... each line is a command that sets an element in the auto_index array where the element name is the name of a command and the value is a script that loads the command set auto_index test1 list source file join dir lib1 tcl set auto_index test2 list source file join dir lib1 tcl set auto_index test3 list source file join dir lib2 tcl Step 4 Copy the Tcl library files from Creating an EEM User Tcl Li...

Page 1880: ...to which the files in Creating an EEM User Tcl Library Index were copied Example Device config event manager directory user library disk2 eem_library Step 9 event manager directory user policy path Use this command to specify the EEM user policy directory this is the directory to which the file in Creating an EEM User Tcl Library Index was copied Example Device config event manager directory user ...

Page 1881: ... directory When a package require Tcl command is executed the user library directory is searched first for a pkgIndex tcl file If the pkgIndex tcl file is not found in the user directory the system library directory is searched In this task a Tcl package directory the pkgIndex tcl file is created in the appropriate library directory using the pkg_mkIndex command to contain information about all of...

Page 1882: ...tion UNIX Linux PC or Mac create a library directory and copy the Tcl package files into the directory Step 2 tclsh Use this command to enter the Tcl shell Example workstation tclsh Step 3 pkg_mkindex directory_name tcl Use the pkg_mkindex command to create the pkgIndex file The pkgIndex file contains a directory of all the packages contained in the Tcl library files We recommend that you run pkg_...

Page 1883: ... directory for storing user defined EEM policies can be the same directory used in Creating an EEM User Tcl Package Index The following example user defined EEM policy can be used to test the Tcl package support in EEM packagetest tcl Example cisco eem event_register_none maxrun 1000000 000 test if xmlrpc available Namespace imports namespace import cisco eem namespace import cisco lib package req...

Page 1884: ...ssociated with a Tcl session If you are using authentication authorization and accounting AAA security and implement authorization on a command basis you should use the event manager session cli username command to set a username to be associated with a Tcl session The username is used when a Tcl policy executes a CLI command TACACS verifies each CLI command using the username associated with the ...

Page 1885: ... policy before the policy is registered and run The sample policies require three of the e mail environment variables to be set only _email_cc is optional Other required and optional variable settings are outlined in the following tables The table below describes the EEM environment variables that must be set before the ap_perf_test_base_cpu tcl sample policy is run Table 174 Environment Variables...

Page 1886: ...cified _perf_cmd2 show interface counters protocol status The third non interactive CLI command that is as part of the measurement test To use _perf_cmd3 _perf_cmd1 must be defined This variable is optional and need not be specified _perf_cmd3 The table below describes the EEM environment variables that must be set before the sl_intf_down tcl sample policy is run Table 176 Environment Variables Us...

Page 1887: ...ow describes the EEM environment variables that must be set before the tm_crash_reporter tcl sample policy is run Table 178 Environment Variables Used in the tm_crash_reporter tcl Policy Example Description Environment Variable 1 A value that identifies whether debug information for tm_crash_reporter tcl will be enabled This variable is optional and need not be specified _crash_reporter_debug http...

Page 1888: ...his variable is optional and need not be specified _tm_fsys_usage_percent Registration of Some EEM Policies Some EEM policies must be unregistered and then reregistered if an EEM environment variable is modified after the policy is registered The event_register_xxx statement that appears at the start of the policy contains some of the EEM environment variables and this statement is used to establi...

Page 1889: ...e GOLD TCL scripts for each test which runs as a part of GOLD EEM Policy You can modify the TCL script for the test specify the consecutive failure count and also change the default corrective action For example one could chose to power down a linecard card instead of reset or other CLI based actions For each registered test a default TCL script is available which can be registered with the system...

Page 1890: ...n enter the show event manager policy registered command to verify that no policies are currently registered The next command is the show event manager policy available command to display which policies are available to be installed After you enter the configure terminal command to reach global configuration mode enter the service timestamps debug datetime msec command and then you can register th...

Page 1891: ...cy gathers detailed information about the event and uses the CLI library to execute the configuration commands specified in the EEM environment variables _config_cmd1 and optionally _config_cmd2 An e mail message is sent with the results of the CLI command The following sample configuration demonstrates how to use this policy Starting in user EXEC mode enter the enable command at the device prompt...

Page 1892: ...on file the policy is triggered 5 seconds after bootup When triggered the script attempts to find the reload reason If the reload reason was due to a crash the policy searches for the related crashinfo file and sends this information to a URL location specified by the user in the environment variable _crash_reporter_url A CGI script interface_tm cgi has been created to receive the URL from the tm_...

Page 1893: ...it from global configuration mode and enter the show event manager policy registered command again to verify that the policy has been registered If you had configured any of the optional environment variables that are used in the tm_fsys_usage tcl policy the show event manager environment command displays the configured variables enable show event manager policy registered show event manager polic...

Page 1894: ...han last namespace import cisco eem namespace import cisco lib 1 query the information of latest triggered eem event array set arr_einfo event_reqinfo if _cerrno 0 set result format component s subsys err s posix err s n s _cerr_sub_num _cerr_sub_err _cerr_posix_err _cerr_str error result puts GOLD EEM TCL policy for TestIPSecEncrypDecrypPkt set msg format array s array names arr_einfo puts msg ms...

Page 1895: ...d2 show ver _perf_cmd3 optional optional non interactive cli command to be executed as part of the measurement test To use _perf_cmd3 _perf_cmd1 MUST be defined Example event manager environment _perf_cmd3 show int counters protocol status Description Iterate through _perf_iterations of this policy It is up to the user to calculate the average execution time based on the system timestamps Optional...

Page 1896: ...tions 0 error result errorInfo namespace import cisco eem namespace import cisco lib query the event info array set arr_einfo event_reqinfo if _cerrno 0 set result format component s subsys err s posix err s n s _cerr_sub_num _cerr_sub_err _cerr_posix_err _cerr_str error result set iter arr_einfo data1 set iter expr iter 1 if _perf_cmd1 is defined if info exists _perf_cmd1 open the cli library if ...

Page 1897: ...An optional log file can be defined to which the output is appended with a timestamp cisco eem event_register_timer cron name crontimer2 cron_entry _cron_entry maxrun 240 EEM policy that will periodically execute a cli command and email the results to a user July 2005 Cisco EEM team Copyright c 2005 by cisco Systems Inc All rights reserved The following EEM environment variables are used _cron_ent...

Page 1898: ...f info exists _email_cc _email_cc is an option must set to empty string if not set set _email_cc if info exists _show_cmd set result Policy cannot be run variable _show_cmd has not been set error result errorInfo namespace import cisco eem namespace import cisco lib query the event info and log a message array set arr_einfo event_reqinfo if _cerrno 0 set result format component s subsys err s posi...

Page 1899: ...mp time_now puts fileD cmd_output close fileD 4 if _email_server is defined send the email out if info exists _email_server set routername info hostname if string match routername error Host name is not configured if catch smtp_subst file join tcl_library email_template_cmd tm result error result errorInfo if catch smtp_send_email result result error result errorInfo sl_intf_down tcl Sample Policy...

Page 1900: ... an error msg and quit if info exists _email_server set result Policy cannot be run variable _email_server has not been set error result errorInfo if info exists _email_from set result Policy cannot be run variable _email_from has not been set error result errorInfo if info exists _email_to set result Policy cannot be run variable _email_to has not been set error result errorInfo if info exists _e...

Page 1901: ...file is used with the EEM sample policy above email_template_cfg tm Mailservername _email_server From _email_from To _email_to Cc _email_cc Subject From router routername Periodic _show_cmd Output cmd_output Debugging Embedded Event Manager Policies Examples The following examples show how to debug the CLI library and the SMTP library Debugging the CLI Library The CLI library allows users to run C...

Page 1902: ... 5 CONFIG_I Configured from console by vty0 The output above shows that show event manager environment is an invalid command in configuration mode The IN keyword signifies all data passed in to the TTY through the CLI library The OUT keyword signifies all data read back from the TTY through the CLI library The CTL keyword signifies helper functions used in the CLI library These helper functions ar...

Page 1903: ...d Apr3 02 16 33 2002 sl_intf_down tcl 00 39 47 tm_cli_cmd tcl 0 DEBUG smtp_lib smtp_write 4 system Mon Jun24 23 34 16 2002 tm_cli_cmd tcl 00 39 47 tm_cli_cmd tcl 0 DEBUG smtp_lib smtp_write 5 system Wed Mar27 05 53 15 2002 tm_crash_hist tcl 00 39 47 tm_cli_cmd tcl 0 DEBUG smtp_lib smtp_write nelson 00 39 47 tm_cli_cmd tcl 0 DEBUG smtp_lib smtp_write 00 39 47 tm_cli_cmd tcl 0 DEBUG smtp_lib smtp_wr...

Page 1904: ...lt return code error result foreach cmd clist array set sendexp cmd if catch cli_write cliarr fd sendexp send result return code error result foreach response sendexp responses array set resp response if catch cli_read_pattern cliarr fd resp expect result return code error result if catch cli_write cliarr fd resp reply result return code error result if catch cli_read cliarr fd result return code ...

Page 1905: ...nt Title Related Topic Cisco IOS Master Commands List All Releases Cisco IOS commands Cisco IOS Embedded Event Manager Command Reference EEM commands complete command syntax defaults command mode command history usage guidelines and examples Embedded Event Manager Overview module Embedded Event Manager overview Writing Embedded Event Manager Policies Using the Cisco IOS CLI module Embedded Event M...

Page 1906: ...ase information about the feature or features described in this module This table lists only the software release that introduced support for a given feature in a given software release train Unless noted otherwise subsequent releases of that software release train also support that feature Use Cisco Feature Navigator to find information about platform support and Cisco software image support To a...

Page 1907: ...ure Signed Tcl Scripts page 1827 Configuration Examples for Signed Tcl Script page 1840 Additional References page 1844 Feature Information for Signed Tcl Scripts page 1845 Glossary page 1845 Notices page 1846 Finding Feature Information Your software release may not support all the features documented in this module For the latest caveats and feature information see Bug Search Tool and the releas...

Page 1908: ... in a limited mode known as Safe Tcl mode or may not run at all To create and use signed Tcl scripts you should understand the following concepts Cisco PKI Cisco PKI provides certificate management to support security protocols such as IP security IPsec secure shell SSH and secure socket layer SSL A PKI is composed of the following entities Peers communicating on a secure network At least one cert...

Page 1909: ...ncryption and decryption operations take longer with larger keys Certificate and Trustpoint A certification authority CA also known as a trustpoint manages certificate requests and issues certificates to participating network devices These services managing certificate requests and issuing certificates provide centralized key management for the participating devices and are explicitly trusted by t...

Page 1910: ... Step 3 openssl rsa in private key file pubout out public key file This command generates a public key based on the specified private key in the private key file file and writes the public key to the public key filefile Example Host openssl rsa in privkey pem pubout out pubkey pem writing RSA key Step 4 ls l This command displays detailed information about each file in the current directory includ...

Page 1911: ...do not enter a value before you press Enter This example shows how to create an X 509 certificate that has full access to the private key in the privkey pem file The certificate is written to the cert pem file and will expire 1095 days after the creation date Example Host openssl req new x509 key privkey pem out cert pem days 1095 You are about to be asked to enter information that will be incorpo...

Page 1912: ...EPS 1 openssl smime sign in tcl file out signed tcl file signer certificate file inkey private key file outform DER binary 2 ls l DETAILED STEPS Step 1 openssl smime sign in tcl file out signed tcl file signer certificate file inkey private key file outform DER binary This command signs the Tcl filename tcl file using the certificate stored in certificate file and the private key stored in private...

Page 1913: ...in signed tcl file CAfile certificate file inform DER content tcl file This command verifies the signed Tcl file stored in DER PKCS 7 format in signed tcl file using the trusted Certificate Authority CA certificates in certificate file and then writes the detached content to the file tcl file The following example shows how to verify the signature with the input file hello pk7 Example Host openssl...

Page 1914: ...e whose name is formed by appending the text string _sig to the name of the input file 3 Run the script supplying the name of the file containing the nonbinary signature file nonbinary signature file as the input argument 4 ls l 5 cat signed tcl file commented nonbinary signature file signed tcl script 6 cat signed tcl script DETAILED STEPS Step 1 xxd ps signed tcl file nonbinary signature file Th...

Page 1915: ...janedoe eng12 115 Jun 13 10 17 hello rw r r 1 janedoe eng12 3815 Jun 13 10 20 hello hex rw r r 1 janedoe eng12 3907 Jun 13 10 22 hello hex_sig rw r r 1 janedoe eng12 1876 Jun 13 10 16 hello pk7 rwxr r 1 janedoe eng12 444 Jun 13 10 22 my_append rw r r 1 janedoe eng12 1679 Jun 12 14 55 privkey pem rw r r 1 janedoe eng12 451 Jun 12 14 57 pubkey pem The hello hex file contains nonbinary data stored as...

Page 1916: ...9bb25ca23c2921d85fbf745c106e7aff93c72316cbc654 4a34ea88174a8ba7777fa60662974e1fbac85a0f0aeac925dba6e5e850b8 7caffce2fe8bb04b61b62f532b5893c081522d538005df81670b931b0ad0 e1e76ae648f598a9442d5d0976e67c8d55889299147d0203010001a381f5 3081f2301d0603551d0e04160414bc34132be952ff8b9e1af3b93140a255 e54a667c3081c20603551d230481ba3081b78014bc34132be952ff8b9e1a f3b93140a255e54a667ca1819ba48198308195310b300906...

Page 1917: ...4 ad4c107901d1f2bca4d7ffaadddbc54192a25da662f8b8509782c76977b8 94879453fbb00486ccc55f88db50fcc149bae066916b350089cde51a6483 2ec14019611720fc5bbe2400f24225fc Configuring the Device with a Certificate Perform this task to configure the device with a certificate Before You Begin You must already have a Cisco IOS Crypto image otherwise you cannot configure a certificate SUMMARY STEPS 1 enable 2 config...

Page 1918: ...icate and authenticates it Check the certificate fingerprint if prompted Because the CA signs its own certificate you should manually authenticate the public key of the CA by contacting the CA administrator when you perform this command Note Example Device config crypto pki authenticate mytrust Step 7 At the prompt enter the base encoded CA certificate Example Enter the base 64 encoded CA certific...

Page 1919: ...ice config scripting tcl secure mode Step 9 scripting tcl trustpoint name name Associates an existing configured trustpoint name with a certificate to verify Tcl scripts Device config scripting tcl trustpoint name mytrust Step 10 scripting tcl trustpoint untrusted execute safe execute terminate Optional Allows the interactive Tcl scripts to run regardless of the scripts failing in the signature ch...

Page 1920: ... Cisco command line interface in untrusted safe mode Device tclsafe Example Verifying the Trustpoint To display the trustpoints that are configured in the device use the show crypto pki trustpoints command SUMMARY STEPS 1 enable 2 show crypto pki trustpoints DETAILED STEPS Step 1 enable This command enables privileged EXEC mode Example Device enable Step 2 show crypto pki trustpoints This command ...

Page 1921: ...PS Step 1 enable This command enables privileged EXEC mode Example Device enable Step 2 debug crypto pki transactions This command display debugging messages for the trace of interaction message type between the CA and the device Example Device debug crypto pki transactions Crypto PKI Trans debugging is on Step 3 tclsh flash signed tcl file This command executes the Tcl script in Tcl shell The fil...

Page 1922: ...ting RSA private key 2048 bit long modulus e is 65537 0x10001 Host ls l total 8 rw r r 1 janedoe eng12 1679 Jun 12 14 55 privkey pem Host Generate a Public Key from the Private Key Host openssl rsa in privkey pem pubout out pubkey pem writing RSA key Host ls l total 16 rw r r 1 janedoe eng12 1679 Jun 12 14 55 privkey pem rw r r 1 janedoe eng12 451 Jun 12 14 57 pubkey pem Generating a Certificate E...

Page 1923: ...rw r r 1 janedoe eng12 1679 Jun 12 14 55 privkey pem rw r r 1 janedoe eng12 451 Jun 12 14 57 pubkey pem Verifying the Signature Example The following example shows how to verify the signature Host openssl smime verify in hello pk7 CAfile cert pem inform DER content hello puts hello puts argc argc puts argv argv puts argv0 argv0 puts tcl_interactive tcl_interactive Verification successful Convertin...

Page 1924: ...ad865c19c3d3172674a13b24c8f2c01dd8b1bd491c13e84e29171b85 f28155d81ac8c69bb25ca23c2921d85fbf745c106e7aff93c72316cbc654 4a34ea88174a8ba7777fa60662974e1fbac85a0f0aeac925dba6e5e850b8 7caffce2fe8bb04b61b62f532b5893c081522d538005df81670b931b0ad0 e1e76ae648f598a9442d5d0976e67c8d55889299147d0203010001a381f5 3081f2301d0603551d0e04160414bc34132be952ff8b9e1af3b93140a255 e54a667c3081c20603551d230481ba3081b780...

Page 1925: ... 6D308201 22300D06 092A8648 86F70D01 01010500 0382010F 00308201 0A028201 0100BC6D A933028A B31BF827 7258BB87 A1600CF0 21090F04 2080BECC 5818688B 74D231DF F0C365C1 07D6E206 D7651FA8 C7B230A2 3B0011E4 EA2B6A4C 1F3F27FB 9AF449D8 FA8900BB 3E567F77 5412881B AAD9525E 3EC1D3B1 EBCE8155 D74866F1 0940F6D1 3A2613CD F6B3595E F468B315 6DDEFF07 BBC5D521 B560AF72 D6D5FDA7 D9D9C99D 31E3B380 5DEB7039 A1A29EF9 46E...

Page 1926: ...ing Tcl module Embedded Event Manager policy writing using Tcl Configuring Enhanced Object Tracking module Configuring enhanced object tracking Standards Title Standard No new or modified standards are supported and support for existing standards has not been modified MIBs MIBs Link MIB To locate and download MIBs for selected platforms Cisco IOS releases and feature sets use Cisco MIB Locator fou...

Page 1927: ...re image support To access Cisco Feature Navigator go to www cisco com go cfn An account on Cisco com is not required Table 181 Feature Information for Signed Tcl Scripts Feature Information Releases Feature Name This feature was introduced and is supported only on c2960cx 15 2 5 E1 Signed Tcl Scripts Glossary CA certification authority Service responsible for managing certificate requests and iss...

Page 1928: ... com This product includes software written by Tim Hudson tjh cryptsoft com License Issues The OpenSSL toolkit stays under a dual license i e both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit See below for the actual license texts Actually both licenses are BSD style Open Source licenses In case of any license issues related to OpenSSL please contact o...

Page 1929: ...c Young eay cryptsoft com All rights reserved This package is an SSL implementation written by Eric Young eay cryptsoft com The implementation was written so as to conform with Netscapes SSL This library is free for commercial and non commercial use as long as the following conditions are adhered to The following conditions apply to all code found in this distribution be it the RC4 RSA lhash DES e...

Page 1930: ...RS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF...

Page 1931: ...mmands using an EEM script different CLI library command sequences should be used which are documented in the Using the CLI Library to Run a Noninteractive Command section and in the Using the CLI Library to Run an Interactive Command section in the cli_write Tcl command The vty lines are allocated from the pool of vty lines that are configured using the line vty CLI configuration command EEM will...

Page 1932: ...ed from the cli_open command extension tty_id Result String None Set _cerrno Cannot close the channel cli_exec Writes the command to the specified channel handler to execute the command Then reads the output of the command from the channel and returns the output Syntax cli_exec fd cmd Arguments Mandatory The command line interface CLI channel handler fd Mandatory The CLI command to execute cmd Con...

Page 1933: ...isco IOS EXEC session that allocates a Cisco IOS vty line The vty remains in use until the cli_close routine is called The vty lines are allocated from the pool of vty lines that are configured using the line vty CLI configuration command EEM will use a vty line when a vty line is not being used by EEM and there are available vty lines EEM will also use a vty line when EEM is already using a vty l...

Page 1934: ...t cli_read Reads the command output from the specified command line interface CLI channel handler until the pattern of the device prompt occurs in the contents read Returns all the contents read up to the match Syntax cli_read fd Arguments Mandatory The CLI channel handler fd Result String All the contents read Set _cerrno Cannot get device name Consolidated Platform Configuration Guide Cisco IOS ...

Page 1935: ... fd Arguments Mandatory The CLI channel handler fd Result String All the contents read Set _cerrno None cli_read_line Reads one line of the command output from the specified command line interface CLI channel handler Returns the line read Syntax cli_read_line fd Arguments Mandatory The CLI channel handler fd Result String The line read Set _cerrno None Consolidated Platform Configuration Guide Cis...

Page 1936: ...aracters If more than 256 characters in the output buffer are required for the match to succeed the pattern will not match Note Syntax cli_read_pattern fd ptn Arguments Mandatory The CLI channel handler fd Mandatory The pattern to be matched when reading the command output from the channel ptn Result String All the contents read Set _cerrno None This Tcl command extension will block waiting for th...

Page 1937: ... failure returns error from the failure Also uses arrays when possible as a way of making things easier to read later by keeping expect and reply separated Syntax cli_run_interactive clist Arguments Mandatory List of three items command Command to be executed expect A regular expression pattern match for the expected reply prompt responses A list of possible responses to the reply prompt construct...

Page 1938: ...resps expect confirm set resps reply y lappend cmdarr responses array get resps set rc catch cli_run_interactive list array get cmdarr result Possible errors raised include cannot get pty for exec cannot spawn exec error reading the first prompt error reading the channel cannot close channel cli_write Writes the command that is to be executed to the specified CLI channel handler The CLI channel ha...

Page 1939: ...brary to Run a Noninteractive Command To run a noninteractive command use the cli_exec command extension to issue the command and then wait for the complete output and the device prompt For example the following shows the use of configuration CLI commands to bring up Ethernet interface 1 0 if catch cli_open result error result errorInfo else set fd result if catch cli_exec fd en result error resul...

Page 1940: ...2 Q A phase wait for prompted question All deleted files will be removed Continue confirm if catch cli_read_pattern cli1 fd All deleted result error result errorInfo write a newline character if catch cli_write cli1 fd n result error result errorInfo wait for prompted question Squeeze operation may take a while Continue confirm if catch cli_read_pattern cli1 fd Squeeze operation result error resul...

Page 1941: ...error result errorInfo else set cmd_output result if catch cli_write cli1 fd no result error result errorInfo else set cmd_output result if catch cli_read_pattern cli1 fd Proceed with reload confirm result error result errorInfo else set cmd_output result if catch cli_write cli1 fd y result error result errorInfo else set cmd_output result if catch cli_close cli1 fd cli1 tty_id result error result...

Page 1942: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1860 cli_write ...

Page 1943: ...nce saved information is retrieved it is automatically deleted If that information is needed by another policy the policy that retrieves it using the context_retrieve command extension should also save it again using the context_save command extension Note Syntax context_retrieve ctxt var index_if_array Arguments Mandatory Context name ctxt Optional Scalar variable name or array variable name Defa...

Page 1944: ...save and retrieve data The examples are shown in save and retrieve pairs Example 1 Save If var is unspecified or if a pattern if specified saves multiple variables to the context cisco eem event_register_none namespace import cisco eem namespace import cisco lib set testvara 123 set testvarb 345 set testvarc 789 if catch context_save TESTCTX testvar errmsg action_syslog msg context_save failed err...

Page 1945: ...lar variable retrieves the value of var cisco eem event_register_none namespace import cisco eem namespace import cisco lib if catch set testvar context_retrieve TESTCTX testvar errmsg action_syslog msg context_retrieve failed errmsg else action_syslog msg context_retrieve succeeded if info exists testvar action_syslog msg testvar exists and is testvar else action_syslog msg testvar does not exist...

Page 1946: ...failed errmsg else action_syslog msg context_save succeeded Example 4 Retrieve If var is specified and index_if_array is specified and var is an array variable retrieves the specified array element value cisco eem event_register_none namespace import cisco eem namespace import cisco lib if catch set testvar context_retrieve TESTCTX testvar testvar1 errmsg action_syslog msg context_retrieve failed ...

Page 1947: ...tern Result String None Set _cerrno A string displaying _cerrno _cerr_sub_num _cerr_sub_err _cerr_posix_err _cerr_str due to appl_setinfo error Sample Usage The following examples show how to use the context_saveand context_retrieve command extension functionality to save and retrieve data The examples are shown in save and retrieve pairs Example 1 Save If var is unspecified or if a pattern if spe...

Page 1948: ...ot exist Example 2 Save If var is specified saves the value of var cisco eem event_register_none namespace import cisco eem namespace import cisco lib set testvar 123 if catch context_save TESTCTX testvar errmsg action_syslog msg context_save failed errmsg else action_syslog msg context_save succeeded Example 2 Retrieve If var is specified and index_if_array is not specified or if index_if_array i...

Page 1949: ...e action_syslog msg testvar does not exist Example 4 Save If var is specified saves the value of var even if it is an array cisco eem event_register_none namespace import cisco eem namespace import cisco lib array set testvar testvar1 ok testvar2 not_ok if catch context_save TESTCTX testvar errmsg action_syslog msg context_save failed errmsg else action_syslog msg context_save succeeded Example 4 ...

Page 1950: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1868 context_save ...

Page 1951: ... error the returned Tcl result string contains the error information Note Arguments for which no numeric range is specified take an integer from 2147483648 to 2147483647 inclusive Note event_register_appl page 1870 event_register_cli page 1873 event_register_counter page 1877 event_register_gold page 1879 event_register_identity page 1887 event_register_interface page 1889 event_register_ioswdsysm...

Page 1952: ...application event is triggered following another policy s execution of an event_publish Tcl command extension the event_publish command extension publishes an application event In order to register for an application event a subsystem must be specified Either a Tcl policy or the internal Embedded Event Manager EEM API can publish an application event If the event is being published by a policy the...

Page 1953: ...t is to be queued at a priority level greater than low priority but less than high priority queue_priority high Specifies that the script is to be queued at the highest of the three priority levels queue_priority last Specifies that the script is to be queued at the lowest priority level If more than one script is registered with the queue_priority_last argument set these scripts will execute in t...

Page 1954: ...and each policy will have the same event_id event_id Type of event event_type An ASCII string that represents the name of the event for this event type event_type_string The time in seconds and milliseconds when the event was published to the Embedded Event Manager EEM event_pub_sec event_pub_msec Number assigned to the EEM policy that published the application event Number is set to 798 because a...

Page 1955: ... script tag Mandatory A yes means that the policy the event publish will run synchronously with the CLI command a no means that the event publish will be performed asynchronously with the CLI command The event detector will be notified when the policy completes running The exit status of the policy indicates whether or not the CLI command should be executed if the exit status is zero which means t...

Page 1956: ...f this argument is not specified the most recent event is used period Mandatory Specifies the regular expression used to perform the CLI command pattern match pattern Optional The time period during which the CLI event detector waits for the policy to exit specified in SSSSSSSSSS MMM format where SSSSSSSSSS must be an integer representing seconds between 0 and 4294967295 inclusive and where MMM mu...

Page 1957: ...this argument is not specified the default queuing priority is normal queue_priority Optional Specifies to perform the event match when the user presses the Enter key When this parameter is used the input string will not be expanded before matching enter Optional Specifies to perform the event match when the user presses the key When this parameter is used the input string will not be expanded bef...

Page 1958: ...tered the CLI event detector finds a pattern match and triggers this policy to run When the policy execution ends the CLI event detector determines if the copy command needs to be executed according to sync skip set in the policy and the exit status of the policy execution if needed Note Event_reqinfo event_id u event_type u event_type_string s event_pub_sec u event_pub_msec u event_severity u msg...

Page 1959: ...ng a threshold This event counter as a subscriber identifies the name of the counter to which it wants to subscribe and depends on another policy or another process to actually manipulate the counter For example let policyB act as a counter policy whereas policyA although it does not need to be a counter policy uses register_counter counter_modify or unregister_counter Tcl command extensions to ma...

Page 1960: ...reater than low priority but less than high priority queue_priority high Specifies that the script is to be queued at the highest of the three priority levels queue_priority last Specifies that the script is to be queued at the lowest priority level If more than one script is registered with the queue_priority_last argument set these scripts will execute in the order in which the events are publis...

Page 1961: ...ent for this event type event_type_string The time in seconds and milliseconds when the event was published to the EEM event_pub_sec event_pub_msec Counter name name event_register_gold Registers for a Generic Online Diagnostic GOLD failure event Use this Tcl command extension to run a policy on the basis of a Generic Online Diagnostic GOLD failure event for the specified card and subcard Syntax e...

Page 1962: ... to be monitored If this argument is not specified all subcards are monitored by default subcard Optional Specifies event criteria based on the new test failure information from GOLD new_failure TRUE Specifies that the event criterion for the new test failure is true from GOLD new_failure FALSE Specifies that the event criterion for the new test failure is false from GOLD If this argument is not s...

Page 1963: ...nning on system bootup testing_type ondemand Specifies the diagnostic tests that are running from CLI after the card is online testing_type schedule Specifies the scheduled diagnostic tests testing_type monitoring Specifies the diagnostic tests that are running periodically in the background to monitor the health of the system If this argument is not specified the testing type information from GOL...

Page 1964: ... on the occurrence of consecutive failure number consecutive test failures If this argument is not specified consecutive test failure information from GOLD is not considered in the event criteria consecutive_failure Optional Specifies whether callback to the platform is needed when all the event criteria are matched When callback is needed the platform needs to register a callback function through...

Page 1965: ... priority levels queue_priority last Specifies that the script is to be queued at the lowest priority level If more than one script is registered with the queue_priority_last argument set these scripts will execute in the order in which the events are published The queue_priority argument specifies the queuing priority but not the execution priority of the script being registered Note If this argu...

Page 1966: ...on for the GOLD event card Consecutive failure where testnum is the test number For example cf3 is the EEM built in environment variable for consecutive failure of test 3 cf testnum Card index ci Card name cn Test error code where testnum is the test number For example ec3 is the EEM built in environment variable for the error code of test 3 ec testnum Unique number that indicates the ID for this ...

Page 1967: ...LD event flag true or false new_failure The overall diagnostic result which can be one of the following values 0 OK 3 minor error 4 major error 14 unknown result overall_result Port counts pc Test total run count where testnum is the test number For example rc3 is the EEM built in variable for the total run count of test 3 rc testnum Card serial number sn The subcard on which a GOLD failure event ...

Page 1968: ...nown tr testnum Per device test result where testnum is the test number and devnum is the device number For example tr3d20 is the EEM built in variable for the test result for test 3 device 20 The test result is one of the following values P diagnostic result Pass F diagnostic result Fail U diagnostic result Unknown tr testnum d devnum Per port test result where testnum is the test number and port...

Page 1969: ...nal String identifying a tag that can be used with the trigger Tcl command extension to support multiple event statements within a Tcl script tag A regular expression pattern to match against interface names interface Optional A regular expression that can be used to filter events by specific AAA attributes aaa attribute Optional Triggers events on successful failed or both successful and failed a...

Page 1970: ...t less than high priority queue_priority high Specifies that the script is to be queued at the highest of the three priority levels queue_priority last Specifies that the script is to be queued at the lowest priority level If more than one script is registered with the queue_priority_last argument set these scripts will execute in the order in which the events are published The queue_priority argu...

Page 1971: ...cess or one of these failure types fail_authc fail_aaa_server fail_no_response fail_timeout fail_authz For autherization complete it is always success identity_status The interface for the event interface The MAC address of the remote device for the event identity_mac For each AAA attribute a set a dynamic variable to the value corresponding to that AAA attribute in the attribute or value list ide...

Page 1972: ... of enumerated input error counts input_errors_crc Cyclic redundancy checksum generated by the originating LAN station or far end device does not match the checksum calculated from the data received input_errors_frame Number of packets received incorrectly having a CRC error and a noninteger number of octets input_errors_overrun Number of times the receiver hardware was unable to hand received dat...

Page 1973: ...rate_bps Interface receive rate in bytes per second receive_rate_pps Interface receive rate in packets per second receive_runts Number of packets that are discarded because they are smaller than the minimum packet size of the medium receive_throttle Number of times that the receiver on the port was disabled possibly because of buffer or processor overload reliability Reliability of the interface a...

Page 1974: ...ument Increment uses the entry val field as an incremental difference and the entry valis compared with the difference between the current counter value and the value when the event was last triggered or the first polled sample if this is a new event A negative value checks the incremental difference for a counter that is decreasing Rate is defined as the average rate of change over a period of ti...

Page 1975: ...he exit val argument Increment uses the exit val field as an incremental difference and the exit val is compared with the difference between the current counter value and the value when the event was last triggered or the first polled sample if this is a new event A negative value checks the incremental difference for a counter that is decreasing Rate is defined as the average rate of change over ...

Page 1976: ... than low priority but less than high priority queue_priority high Specifies that the script is to be queued at the highest of the three priority levels queue_priority last Specifies that the script is to be queued at the lowest priority level If more than one script is registered with the queue_priority_last argument set these scripts will execute in the order in which the events are published Th...

Page 1977: ...me event_id event_id Type of event event_type An ASCII string that represents the name of the event for this event type event_type_string The time in seconds and milliseconds when the event was published to the EEM event_pub_sec event_pub_msec Interface event severity which can be one of the following values normal minor major event_severity Name of the interface name Name of the parameter paramet...

Page 1978: ...pport multiple event statements within a Tcl script tag Optional Defines the time window within which all of the subevents must occur in order for an event to be generated specified in SSSSSSSSSS MMM format where SSSSSSSSSS must be an integer representing seconds between 0 and 4294967295 inclusive and where MMM must be an integer representing milliseconds between 0 and 999 timewin Optional The com...

Page 1979: ...ote If this argument is not specified the default queuing priority is normal queue_priority Optional Maximum run time of the script specified in SSSSSSSSSS MMM format where SSSSSSSSSS must be an integer representing seconds between 0 and 4294967295 inclusive and where MMM must be an integer representing milliseconds between 0 and 999 If this argument is not specified the default 20 second run time...

Page 1980: ... 4294967295 inclusive and where MMM must be an integer representing milliseconds between 0 and 999 If this argument is not specified the most recent sample is used period Mandatory Specifies the use of a sample collection of memory statistics mem_proc Optional Whether the specified value is a percentage is_percent Result String None Set _cerrno No Event_reqinfo event_id u event_type u event_type_s...

Page 1981: ...t taskname Cisco IOS task ID for this subevent taskid Actual average CPU utilization over the measured interval value Elapsed time period for this measured interval sec msec Where the subevent info string is for a MEM_UTIL subevent type s procname s pid u taskname s taskid u is_percent s value u diff d sec ld msec ld Description Subevent Type Type of subevent type POSIX process name for this subev...

Page 1982: ... reaction is triggered The group ID or the operation ID is required to register the event Syntax event_register_ipsla tag group_name operation_id reaction_type dest_ip_addr queue_priority low normal high last maxrun nice 0 1 Arguments Optional String identifying a tag that can be used with the trigger Tcl command extension to support multiple event statements within a Tcl script tag Mandatory Spec...

Page 1983: ...or can be specified Type of IP SLAs reaction One of the following keywords can be specified connectionLoss icpif jitterAvg jitterDSAvg jitterSDAvg maxOfNegativeDS maxOfNegativeSD maxOfPositiveDS maxOfPositiveSD mos packetLateArrival packetLossDS packetLossSD packetMIA packetOutOfSequence rtt timeout verifyError reaction_type Optional Specifies the destination IP address of the destination port for...

Page 1984: ...ority argument specifies the queuing priority but not the execution priority of the script being registered Note If this argument is not specified the default queuing priority is normal queue_priority Optional Maximum run time of the script specified in SSSSSSSSSS MMM format where SSSSSSSSSS must be an integer representing seconds between 0 and 31536000 inclusive and where MMM must be an integer r...

Page 1985: ...conds and milliseconds when the event was published to the EEM event_pub_sec event_pub_msec The severity of the event event_severity The name of theIPSLA group group_name The IPSLA operation ID operation_id The condition of IPSLA which can be one of the following cleared occurred condition The IPSLA reaction type reaction_type The IPSLA destination IP address dest_ip_address The IPSLA configured r...

Page 1986: ...ased on a mac address table event type of add or delete If not specified the event type is not used in determining whether the event should be triggered type Optional When a mac address table event comes in the hold down timer can be set to make the event to wait between 1 and 4294967295 seconds before processing the policy If not set then the policy is not delayed in being processed hold down Opt...

Page 1987: ...ec event_pub_msec The severity of the event event_severity Notification type add or delete notification The interface name for the address table entry intf_name The mac address for the address table entry mac_address event_register_neighbor_discovery Registers for a neighbor discover event Use this Tcl command extension to generate an event when a Cisco Discovery Protocol CDP or Link Layer Discove...

Page 1988: ... the remote CDP device sends a CDP keepalive to update the CDP cache entry cdp Trigger an event when a matching lldp event occurs One of the following options should be specified add Trigger events only when a new cdp cache entry is created in the cdp table all Trigger an event when a cdp cache entry is added or deleted from the cdp cache table and when a remote cdp device sends a keepalive to upd...

Page 1989: ...y argument specifies the queuing priority but not the execution priority of the script being registered If this argument is not specified the default queuing priority is normal queue_priority Optional Maximum run time of the script specified in SSSSSSSSSS MMM format where SSSSSSSSSS must be an integer representing seconds between 0 and 31536000 inclusive and where MMM must be an integer representi...

Page 1990: ...rrent interface link status up or down nd_intf_linkstatus The current interface line status down goingdown init testing up reset admindown deleted nd_intf_linestatus The local interface name for the event nd_local_intf_name The short name of the local interface for the event nd_short_local_intf_name The port id as identified by either the cdp or lldp protocol This is not set for link or line proto...

Page 1991: ...es_bits A series of values that will be set to YES if that bit in the capabilities field is set or NO if it is not set nd_cdp_capabilities_bit_ 0 31 LLDP specific Event_reqinfo Identifies which protocol triggered the event for LLDP it will always be set to lldp nd_protocol Identifies which type of protocol event triggered the event add update or delete nd_proto_notif If set to 1 the event was trig...

Page 1992: ...DP cache entry Provided as a hexadecimal number preceded by 0x nd_lldp_capabilities_bits A series of values that will be set to YES if that bit in the capabilities field is set or NO if it is not set nd_lldp_capabilities_bit_ 0 31 event_register_nf Registers for an event when a NetFlow event is triggered by the event nfcommand Use this Tcl command to publish an event when an NetFlow reaction is tr...

Page 1993: ... representing seconds between 0 and 4294967295 inclusive and where MMM must be an integer representing milliseconds between 0 and 999 If this argument is not specified the default 20 second run time limit is used maxrun Optional Policy run time priority setting When the nice argument is set to 1 the policy is run at a run time priority that is less than the default priority The default value is 0 ...

Page 1994: ...sysuptime first last Specifies the timestamp fields transport field type Specifies the Transport layer fields field Mandatory Specifies the rate interval value in seconds used to calculate the rate This field is only valid for event1 rate_interval Mandatory Specifies the field or rate value entry_value Mandatory Specifies the field operator The comparison operator valid values are eq Equal to ge G...

Page 1995: ...type_string s event_pub_sec u event_pub_msec u event_severity u monitor_name u event1 event4_field u event1 event4_value Description Event Type Unique number that indicates the ID for this published event Multiple policies may be run for the same event and each policy will have the same event_id event_id The type of event to monitor for the create update and delete flow event_type An ASCII string ...

Page 1996: ...ts within a Tcl script tag Optional A yes or a no is required to complete this keyword If the yes keyword is specified the policy will run synchronously with the CLI command If the no keyword is specified the policy will run asynchronously with the CLI command sync Optional The time period during which the CLI event detector waits for the policy to exit specified in SSSSSSSSSS MMM format where SSS...

Page 1997: ...ority argument specifies the queuing priority but not the execution priority of the script being registered Note If this argument is not specified the default queuing priority is normal queue_priority Optional Maximum run time of the script specified in SSSSSSSSSS MMM format where SSSSSSSSSS must be an integer representing seconds between 0 and 4294967295 inclusive and where MMM must be an integer...

Page 1998: ...onds when the event was published to the EEM event_pub_sec event_pub_msec The severity of the event event_severity The parameters that are passed from the XML SOAP command to the script argc arg1 arg2 arg3 arg4 arg6 arg7 arg8 arg9 arg10 arg11 arg12 arg13 arg14 arg15 event_register_oir Registers for an online insertion and removal OIR event Use this Tcl command extension to run a policy on the basi...

Page 1999: ...gistered with the queue_priority_last argument set these scripts will execute in the order in which the events are published The queue_priority argument specifies the queuing priority but not the execution priority of the script being registered Note If this argument is not specified the default queuing priority is normal queue_priority Optional Maximum run time of the script specified in SSSSSSSS...

Page 2000: ... removal event or an OIR insertion event event event_register_process Registers for a process event Use this Tcl command extension to run a policy on the basis of an event raised when a Cisco IOS Software Modularity process starts or stops These events are handled by the System Manager event detector that screens for this event This Tcl command extension is supported only in Software Modularity im...

Page 2001: ...nal Process instance ID If specified this argument must be an integer between 1 and 4294967295 inclusive instance Optional Process pathname a regular expression string If the value of the process name argument contains embedded blanks enclose it in double quotation marks Use path to match all processes path Optional The node name is a string that consists of the word node followed by two fields se...

Page 2002: ...tered Note If this argument is not specified the default queuing priority is normal queue_priority Optional Maximum run time of the script specified in SSSSSSSSSS MMM format where SSSSSSSSSS must be an integer representing seconds between 0 and 4294967295 inclusive and where MMM must be an integer representing milliseconds between 0 and 999 If this argument is not specified the default 20 second r...

Page 2003: ...98 because all other numbers are reserved for Cisco use sub_system Process instance ID instance Process name process_name Process absolute name including path path Process last exit status exit_status Number of times that the process was restarted respawn_count The calendar time when the last restart occurred last_respawn_sec last_respawn_msec Number of restart attempts of the process that failed ...

Page 2004: ...ority queue_priority high Specifies that the script is to be queued at the highest of the three priority levels queue_priority last Specifies that the script is to be queued at the lowest priority level If more than one script is registered with the queue_priority_last argument set these scripts will execute in the order in which the events are published The queue_priority argument specifies the q...

Page 2005: ... will have the same event_id event_id Type of event event_type An ASCII string that represents the name of the event for this event type event_type_string The time in seconds and milliseconds when the event was published to the EEM event_pub_sec event_pub_msec The Embedded Resource Manager ERM owner ID owner_id The ERM user ID user_id The ERM event time in nanoseconds time_sent The ERM dampen time...

Page 2006: ...and extension to run a policy when an RF progression or status event notification occurs Syntax event_register_rf tag event queue_priority low normal high last maxrun nice 0 1 Arguments Optional String identifying a tag that can be used with the trigger Tcl command extension to support multiple event statements within a Tcl script tag Consolidated Platform Configuration Guide Cisco IOS Release 15 ...

Page 2007: ..._STANDBY_BULK RF_PROG_STANDBY_COLD RF_PROG_STANDBY_CONFIG RF_PROG_STANDBY_FILESYS RF_PROG_STANDBY_HOT RF_PROG_STANDBY_OIR_SYNC_DONE RF_REGISTRATION_STATUS RF_STATUS_MAINTENANCE_ENABLE RF_STATUS_MANUAL_SWACT RF_ST A TUS_OPER_REDUNDANCY_MODE_CHANGE RF_STATUS_PEER_COMM RF_STATUS_PEER_PRESENCE RF_STATUS_REDUNDANCY_MODE_CHANGE RF_STATUS_SWACT_INHIBIT event Consolidated Platform Configuration Guide Cisc...

Page 2008: ...iority argument specifies the queuing priority but not the execution priority of the script being registered Note If this argument is not specified the default queuing priority is normal queue_priority Optional Maximum run time of the script specified in SSSSSSSSSS MMM format where SSSSSSSSSS must be an integer representing seconds between 0 and 4294967295 inclusive and where MMM must be an intege...

Page 2009: ...riggered by the event routing command These events are handled by the routing event detector to publish an event when route entries change in Routing Information Base RIB infrastructure Use this Tcl command extension to run a routing policy for this script The network IP address for the route to be monitored must be specified Syntax event_register_routing tag network length ge le ne type add remov...

Page 2010: ...The ne keyword represents not equal to operator When ge le and ne keywords are not configured an exact match of network length is processed length Optional Specifies the desired policy trigger The type options are add remove modify and all The default is all type Optional Specifies the protocol value for the network being monitored One of the following protocols can be used all bgp connected eigrp...

Page 2011: ...ity argument specifies the queuing priority but not the execution priority of the script being registered Note If this argument is not specified the default queuing priority is normal queue_priority Optional Maximum run time of the script specified in SSSSSSSSSS MMM format where SSSSSSSSSS must be an integer representing seconds between 0 and 4294967295 inclusive and where MMM must be an integer r...

Page 2012: ...msec The severity of the event event_severity The network prefix in IP address format network The network mask in IP address format mask Type of network protocol protocol Type of event to add remove or modify type The last known gateway lastgateway The administrative distance distance Time of event in seconds and milliseconds when the event was published to the EEM time_sec time_msec Path metric m...

Page 2013: ... will execute in the order in which the events are published The queue_priority argument specifies the queuing priority but not the execution priority of the script being registered Note If this argument is not specified the default queuing priority is normal queue_priority Optional Maximum run time of the script specified in SSSSSSSSSS MMM format where SSSSSSSSSS must be an integer representing s...

Page 2014: ...od is set to 30 seconds default Result String None Set _cerrno No Event_reqinfo event_id u event_type u event_type_string s event_pub_sec u event_pub_msec u arg u Description Event Type Unique number that indicates the ID for this published event Multiple policies may be run for the same event and each policy will have the same event_id event_id Type of event event_type An ASCII string that repres...

Page 2015: ...Syntax event_register_snmp tag oid get_type exact next entry_op gt ge eq ne lt le entry_val entry_type value increment rate exit_comb or and exit_op gt ge eq ne lt le exit_val exit_type value increment rate exit_time poll_interval average_factor queue_priority low normal high last maxrun nice 0 1 Arguments Optional String identifying a tag that can be used with the trigger Tcl command extension to...

Page 2016: ...will be disabled until exit criteria are met entry_op Mandatory Type of SNMP get operation that needs to be applied to the OID specified If the get_type argument is exact the value of the specified OID is retrieved if the get_type argument is next the value of the lexicographical successor to the specified OID is retrieved get_type Mandatory Value with which the current oid data value should be co...

Page 2017: ...previous average factor value samples is taken to be the rate of change entry type Optional Exit combination operator used to indicate the combination of exit condition tests required to decide if the exit criteria are met so that the event monitoring can be reenabled If it is and both exit value and exit time tests must be passed to meet the exit criteria If it is or either exit value or exit tim...

Page 2018: ... to be the rate of change exit type Optional Number of POSIX timer units after an event is raised when event monitoring will be enabled again Specified in SSSSSSSSSS MMM format where SSSSSSSSSS must be an integer number representing seconds between 0 and 4294967295 inclusive MMM represents milliseconds and must be an integer number between 0 and 999 exit_time Mandatory Interval between consecutive...

Page 2019: ...ority argument specifies the queuing priority but not the execution priority of the script being registered Note If this argument is not specified the default queuing priority is normal queue_priority Optional Maximum run time of the script specified in SSSSSSSSSS MMM format where SSSSSSSSSS must be an integer representing seconds between 0 and 4294967295 inclusive and where MMM must be an integer...

Page 2020: ...nt_severity Object ID of data element in SNMP dot notation oid Value of the data element val Delta value between the value of the policies delta_val event_register_snmp_notification Registers for a Simple Network Management Protocol SNMP notification trap event Use this Tcl command extension to run a policy when an SNMP trap with the specified SNMP object ID oid is encountered on a specific interf...

Page 2021: ...e the current OID data value with the SNMP Protocol Data Unit PDU OID data value if this is true an event is raised op Optional Maximum run time of the script specified in ssssssss mmm format where ssssssss must be an integer representing seconds between 0 and 31536000 inclusive and where mmm must be an integer representing milliseconds between 0 and 999 If this argument is not specified the defau...

Page 2022: ...s not specified the default queuing priority is normal queue_priority Optional Specifies the time period in seconds during which the snmp notification event detector waits for the policy to exit The time period is specified in ssssssssss mmm format where ssssssssss must be an integer representing seconds between 0 and 4294967295 and mmm must be an integer representing milliseconds between 0 and 99...

Page 2023: ...r specified object ID oid An user specified object ID value oid_val The source IP address of the SNMP protocol data unit PDU src_ip_addr The destination IP address of the SNMP PDU dest_ip_addr The SNMP PDU varbind information x_x_x_x_x varbinds Indicates the trap OID value trap_oid Indicates the enterprise OID value enterprise_oid Indicates one of a number of generic trap types There are seven gen...

Page 2024: ... return value is 0 then SNMP will handle the request If the return value is 1 SNMP will use the value provided by the policy for the get request and will not process the set request A no means that EEM will not be notified and SNMP will handle the request Only one OID can be associated with a synchronous policy However multiple synchronous policies can be registered for the same OID sync Mandatory...

Page 2025: ...pt will be queued queue_priority low Specifies that the script is to be queued at the lowest of the three priority levels queue_priority normal Specifies that the script is to be queued at a priority level greater than low priority but less than high priority queue_priority high Specifies that the script is to be queued at the highest of the three priority levels queue_priority last Specifies that...

Page 2026: ...e severity of the event event_severity The ID of the SNMP object in the received get or set request oid The get or set request type request The type of request exact or next request_type For set requests only The value to set the object to value event_register_syslog Registers for a syslog event Use this Tcl command extension to trigger a policy when a syslog message of a specific pattern is logge...

Page 2027: ...ise an event specified in SSSSSSSSSS MMM format where SSSSSSSSSS must be an integer number representing seconds between 0 and 4294967295 inclusive and where MMM represents milliseconds and must be an integer number between 0 and 999 If this argument is not specified no period check is applied period Mandatory A regular expression used to perform syslog message pattern match This argument is what t...

Page 2028: ...iority is normal queue_priority Optional Maximum run time of the script specified in SSSSSSSSSS MMM format where SSSSSSSSSS must be an integer representing seconds between 0 and 4294967295 inclusive and where MMM must be an integer representing milliseconds between 0 and 999 If this argument is not specified the default 20 second run time limit is used maxrun Optional Policy run time priority sett...

Page 2029: ...BUG 7 severity_debugging Result String None Set _cerrno No Event_reqinfo event_id u event_type u event_type_string s event_pub_sec u event_pub_msec u msg s Description Event Type Unique number that indicates the ID for this published event Multiple policies may be run for the same event and each policy will have the same event_id event_id Type of event event_type An ASCII string that represents th...

Page 2030: ...oth the CRON and absolute time specifications work on local time Note Syntax event_register_timer tag watchdog countdown absolute cron name cron_entry time queue_priority low normal high last maxrun nice 0 1 Arguments Optional String identifying a tag that can be used with the trigger Tcl command extension to support multiple event statements within a Tcl script tag Mandatory Watchdog timer watchd...

Page 2031: ...cron_entry Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1949 event_register_timer ...

Page 2032: ... used in the hour field to specify an event that is triggered every other hour Steps are also permitted after an asterisk so if you want to say every two hours use 2 Names can also be used for the month and the day of week fields Use the first three letters of the particular day or month case does not matter Ranges or lists of names are not allowed The day on which a timer event is triggered can b...

Page 2033: ...e specified has already passed the timer expires immediately time Optional Priority level at which the script will be queued queue_priority low Specifies that the script is to be queued at the lowest of the three priority levels queue_priority normal Specifies that the script is to be queued at a priority level greater than low priority but less than high priority queue_priority high Specifies tha...

Page 2034: ... default priority The default value is 0 nice Table 183 Time and Date When CRON Events Will Be Triggered Allowed Values Field 0 59 minute 0 23 hour 1 31 day of month 1 12 or names see below month 0 7 0 or 7 is Sun or names see the table titled Special Strings for cron_entry day of week Table 184 Special Strings for cron_entry Meaning String Trigger once a year 0 0 1 1 yearly Same as yearly annuall...

Page 2035: ...tchdog countdown absolute timer_type Time when the timer expired timer_time_sec timer_time_msec The remaining time before the next expiration timer_remain_sec timer_remain_msec See Also event_register_timer_subscriber event_register_timer_subscriber Registers for a timer event as a subscriber Use this Tcl command extension to identify the name of the timer to which the event timer as a subscriber ...

Page 2036: ...e_priority last Specifies that the script is to be queued at the lowest priority level If more than one script is registered with the queue_priority_last argument set these scripts will execute in the order in which the events are published The queue_priority argument specifies the queuing priority but not the execution priority of the script being registered Note If this argument is not specified...

Page 2037: ...nique number that indicates the ID for this published event Multiple policies may be run for the same event and each policy will have the same event_id event_id Type of event event_type An ASCII string that represents the name of the event for this event type event_type_string The time in seconds and milliseconds when the event was published to the EEM event_pub_sec event_pub_msec Type of the time...

Page 2038: ...tring identifying a tag that can be used with the trigger Tcl command extension to support multiple event statements within a Tcl script tag Optional Specifies that the tracked object transition will cause an event to be raised If up is specified an event will be raised when the tracked object transitions from a down state to an up state If down is specified an event will be raised when the tracke...

Page 2039: ...t not the execution priority of the script being registered Note If this argument is not specified the default queuing priority is normal queue_priority Optional Maximum run time of the script specified in SSSSSSSSSS MMM format where SSSSSSSSSS must be an integer representing seconds between 0 and 4294967295 inclusive and where MMM must be an integer representing milliseconds between 0 and 999 If ...

Page 2040: ...r_wdsysmon Registers for a Watchdog system monitor event Use this Tcl command extension to register for a composite event which is a combination of several subevents or conditions For example you can use this command to register for the combination of conditions wherein the CPU usage of a certain process is over 80 percent and the memory used by the process is greater than 50 percent of its initia...

Page 2041: ...pecified in SSSSSSSSSS MMM format where SSSSSSSSSS must be an integer representing seconds between 0 and 4294967295 inclusive and where MMM must be an integer representing milliseconds between 0 and 999 timewin Optional Combination operator for comparison between subevent 1 and subevent 2 sub12_op Optional Combination operator for comparison between subevent 1 and 2 and subevent 3 sub23_op Optiona...

Page 2042: ... queued at a priority level greater than low priority but less than high priority queue_priority high Specifies that the script is to be queued at the highest of the three priority levels queue_priority last Specifies that the script is to be queued at the lowest priority level If more than one script is registered with the queue_priority_last argument set these scripts will execute in the order i...

Page 2043: ...nteger between 0 and 4294967295 inclusive 1 deadlock procname Arguments Mandatory A regular expression that specifies the process name that you wish to monitor for deadlock conditions This subevent will ignore the time window even if it is given procname 2 dispatch_mgr procname op gt ge eq ne lt le val period Arguments Optional A regular expression that specifies the process name that you wish to ...

Page 2044: ...l The percentage value with which the average CPU usage during the sample period should be compared val Optional The time period for averaging the collection of samples specified in SSSSSSSSSS MMM format where SSSSSSSSSS must be an integer representing seconds between 0 and 4294967295 inclusive and where MMM must be an integer representing milliseconds between 0 and 999 If this argument is not spe...

Page 2045: ...st sample in the specified time period and the latest sample If memory usage has increased from 150 KB to 300 KB within the time period the percentage increase is 100 This is the value with which the measured value should be compared val Optional If TRUE the percentage value is collected and compared Otherwise the absolute value is collected and compared is_percent Optional If is_percent is set to...

Page 2046: ...SSS must be an integer representing seconds between 0 and 4294967295 inclusive and where MMM must be an integer representing milliseconds between 0 and 999 If this argument is not specified the most recent sample is used period 7 mem_tot_used op gt ge eq ne lt le val is_percent TRUE FALSE period Arguments Optional Comparison operator used to compare the collected used memory with the specified val...

Page 2047: ...ent_pub_sec u event_pub_msec u num_subs u Description Event Type Unique number that indicates the ID for this published event Multiple policies may be run for the same event and each policy will have the same event_id event_id Type of event event_type An ASCII string that represents the name of the event for this event type event_type_string The time in seconds and milliseconds when the event was ...

Page 2048: ... A thread m is on node Name of process A procname Process ID of process A pid Thread ID of process A thread m tid Thread state of process A thread m Can be one of the following STATE_CONDVAR STATE_DEAD STATE_INTR STATE_JOIN STATE_MUTEX STATE_NANOSLEEP STATE_READY STATE_RECEIVE STATE_REPLY STATE_RUNNING STATE_SEM STATE_SEND STATE_SIGSUSPEND STATE_SIGWAITINFO STATE_STACK STATE_STOPPED STATE_WAITPAGE...

Page 2049: ...stration Tcl command extension the number of events processed by the dispatch manager is in the latest sample If a time window is specified and is greater than zero in the event registration Tcl command extension the total number of events processed by this dispatch manager is in the given time window value If the sec and msec variables are specified as 0 or are unspecified in the event registrati...

Page 2050: ...and extension they are both 0 If a time window is specified and is greater than zero in the event registration Tcl command extension the sec and msec variables are the actual time difference between the time stamps of the oldest and latest samples in this time window sec msec For cpu_tot Subevent type s node s value u sec ld msec ld Description Subevent Type Type of wdsysmon subevent type Name of ...

Page 2051: ...ocess name for this subevent procname POSIX process ID for this subevent The three fields above describe the process whose memory usage is being monitored Note pid Can be either TRUE or FALSE TRUE means that the value is a percentage value FALSE means that the value is an absolute value may be an averaged value is_percent If the sec and msec variables are specified as 0 or are unspecified in the e...

Page 2052: ...re unspecified in the event registration Tcl command extension value is the process used memory in the latest sample diff is 0 sec and msec are both 0 If the is_percent argument is FALSE and a time window is specified as greater than zero in the event registration Tcl command extension value is the averaged process used memory sample value in the specified time window diff is 0 sec and msec are bo...

Page 2053: ...ro in the event registration Tcl command extension the averaged total used memory utilization is in the given time window used If the sec and msec variables are specified as 0 or are unspecified in the event registration Tcl command extension the avail is in the latest total available memory sample If a time window is specified and is greater than zero in the event registration Tcl command extensi...

Page 2054: ...y sample value in the specified time window diff is 0 sec and msec are both the actual time difference between the time stamps of the oldest and latest total available memory samples in this time window If the is_percent argument is TRUE and a time window is specified as greater than zero in the event registration Tcl command extension used is 0 avail is 0 diff is the percentage difference between...

Page 2055: ...ed total used memory utilization is in the given time window used If the sec and msec variables are specified as 0 or are unspecified in the event registration Tcl command extension the avail is in the latest total used memory sample If a time window is specified and is greater than zero in the event registration Tcl command extension the avail is the total used memory utilization in the specified...

Page 2056: ...used memory sample value in the specified time window avail is 0 diff is 0 sec and msec are both the actual time difference between the time stamps of the oldest and latest total used memory samples in this time window If the is_percent argument is TRUE and a time window is specified as greater than zero in the event registration Tcl command extension used is 0 avail is 0 diff is the percentage di...

Page 2057: ...rst total used memory sample ever collected and the latest total used memory sample Inside a subevent description each argument is position independent Note Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1975 event_register_wdsysmon ...

Page 2058: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1976 event_register_wdsysmon ...

Page 2059: ...is an error the returned Tcl result string contains the error information Note Arguments for which no numeric range is specified take an integer from 2147483648 to 2147483647 inclusive Note event_completion page 1977 event_completion_with_wait page 1978 event_publish page 1979 event_wait page 1982 event_completion Sends a notification to the EEM server that the policy is done servicing the event t...

Page 2060: ...ait places the Tcl policy into a sleep state When the Tcl policy receives a new signal announcing a new event the policy is placed into a wake state and again returns to a sleep state This loop continues If event_wait policy is invoked before event_completed policy an error results and the policy exits Syntax event_completion_with_wait status refresh_vars Arguments Mandatory exit_status return_cod...

Page 2061: ...state_arr event_state 0 action_syslog msg Exiting failed event_state event_state_arr event_state priority info exit 0 The running configuration output is the same as the event_publishTcl command Note event_publish Publishes an application specific event Syntax event_publish sub_system type arg1 arg2 arg3 arg4 Arguments Mandatory Number assigned to the EEM policy that published the application spec...

Page 2062: ...pt executes the remaining statements and reschedules another run To measure the CPU utilization for Script2 use a value of test_iterations that is a multiple of 10 to calculate the amount of average CPU time used by Script2 To run the Tcl scripts enter the following Cisco IOS commands configure terminal event manager environment test_iterations 100 event manager policy script1 tcl event manager po...

Page 2063: ...rg1 value used to publish this event set iter arr_einfo data1 Use the arg1 info from the previous run to determine when to end if iter test_iterations Log a message action_syslog priority info msg EEM application_publish test end if _cerrno 0 set result format component s subsys err s posix err s n s _cerr_sub_num _cerr_sub_err _cerr_posix_err _cerr_str error result exit 0 set iter expr iter 1 Log...

Page 2064: ... would be if the user configured event_wait before configuring event_completion when handling the event instance The following sample output shows the use of both event_completion and event_waitTcl commands cisco eem event_register_syslog tag e1 occurs 1 pattern CLEAR maxrun 0 namespace import cisco eem namespace import cisco lib set i 1 while 1 1 Start high performance policy loop array set arr_e...

Page 2065: ...irt Source filename user eem_scripts high_perf_example tcl Destination filename high_perf_example tcl Warning There is a file already existing with this name Do you want to over write confirm Accessing tftp dirt user eem_scripts high_perf_example tcl Loading user eem_scripts high_perf_example tcl from 192 0 2 19 via FastEthernet0 0 OK 909 bytes 909 bytes copied in 0 360 secs 2525 bytes sec Device ...

Page 2066: ...high_perf_example tcl event 5 serviced 01 02 36 HA_EM 6 LOG high_perf_example tcl Exiting after servicing 5 events Device Also while an event has been serviced and is waiting for the next event to come in show event manager policy active command will display the following output Device show event manager policy active Key p Priority L Low H High N Normal Z Last s Scheduling node A Active S Standby...

Page 2067: ...if the debug event manager tcl cli_library Cisco IOS CLI command is in effect Syntax cli_debug spec_string debug_string Arguments Mandatory The spec_string argument is used to indicate the type of debug statement spec_string Mandatory The debug_string argument is used to indicate the debugging text debug_string Result String None Set _cerrno No Consolidated Platform Configuration Guide Cisco IOS R...

Page 2068: ...e interface CLI command is in effect Syntax smtp_debug spec_string debug_string Arguments Mandatory The spec_string argument is used to indicate the type of debug statement spec_string Mandatory The debug_string argument is used to indicate the debugging text debug_string Result String None Set _cerrno No Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches...

Page 2069: ...n arguments are represented by pipes for example priority low normal high For all EEM Tcl command extensions if there is an error the returned Tcl result string contains the error information Note Arguments for which no numeric range is specified take an integer from 2147483648 to 2147483647 inclusive Note attribute page 1987 correlate page 1988 trigger page 1989 attribute Specifies a complex even...

Page 2070: ...ot and or event track Arguments Specifies the event that can be used with the trigger command to support multiple event statements within an script If the event associated with the event tag argument occurs for the number of times specified by the trigger command the result is true If not the result is false event Specifies the event object number for tracking The range is from 1 to 500 If the tra...

Page 2071: ... is executed or Result String None Set _cerrno No trigger Specifies the multiple event configuration ability of Embedded Event Manager EEM events A multiple event is one that can involve one or more event occurrences one or more tracked object states and a time period for the event to occur The events are raised based on the specified parameters Syntax trigger occurs period period start delay Argu...

Page 2072: ...ion window If not specified event monitoring is enabled after the first CRON period occurs period start Optional Specifies the number of seconds and optional milliseconds after which an event will be raised if all the conditions are true specified in the format ssssssssss mmm where ssssssssss must be an integer number representing seconds between 0 and 4294967295 inclusive and mmm represents milli...

Page 2073: ... mail server name Mailservername can be in any one of the following template formats username password host username host or host Note Mailservername space the list of candidate SMTP server addresses From space the e mail address of sender To space the list of e mail addresses of recipients Cc space the list of e mail addresses that the e mail will be copied to Sourceaddr space the IP addresses of...

Page 2074: ...file with all global variables already substituted text Result String None Set _cerrno Wrong 1st line format Mailservername list of server names Wrong 2nd line format From from address Wrong 3rd line format To list of to addresses Wrong 4th line format CC list of cc addresses Error connecting to mail server sock closed by remote server where sock is the name of the socket opened to the mail server...

Page 2075: ...ion Syntax smtp_subst e mail_template Arguments Mandatory Name of an e mail template file in which global variables need to be substituted by a user defined value An example filename could be disk0 example template which represents a file named example template in a top level directory on an ATA flash disk in slot 0 e mail_template Result String The text of the e mail template file with all the gl...

Page 2076: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1994 smtp_subst ...

Page 2077: ...ion commands sys_reqinfo_xxx have the Set _cerrno section set to yes Note For all EEM Tcl command extensions if there is an error the returned Tcl result string contains the error information Note Arguments for which no numeric range is specified take an integer from 2147483648 to 2147483647 inclusive Note sys_reqinfo_cli_freq page 1996 sys_reqinfo_cli_history page 1997 sys_reqinfo_cpu_all page 19...

Page 2078: ...en this CLI event was raised time_sec time_msec Number of times that a CLI command matches the pattern specified by this CLI event specification match count Number of times that this CLI event was raised The following fields are information about the CLI event specification sync A yes means that event publish should be performed sychronously The event detector will be notified when the Event Manag...

Page 2079: ...tching pattern Set _cerrno Yes sys_reqinfo_cli_history Queries the history of command line interface CLI commands Syntax sys_reqinfo_cli_history Arguments None Result String rec_list CLI history string 0 CLI history str 1 Where each CLI history string is time_sec ld time_msec ld cmd s Marks the start of the CLI command history list rec_list Time when the CLI command was run time_sec time_msec Text...

Page 2080: ...and milliseconds during which the average CPU utilization is calculated Must be integers in the range from 0 to 4294967295 If not specified or if both sec and msec are specified as 0 the most recent CPU sample is used sec msec Optional Number of entries from the top of the sorted list of processes to be displayed Must be an integer in the range from 1 to 4294967295 Default value is 5 num Result St...

Page 2081: ...c_list crash info string 0 crash info string 1 Where each crash info string is job_id u name s respawn_count u fail_count u dump_count u inst_id d exit_status 0x x exit_type d proc_state s component_id 0x x crash_time_sec ld crash_time_msec ld System manager assigned job ID for the process An integer between 1 and 4294967295 inclusive job_id Process name name Total number of restarts for the proce...

Page 2082: ...order This Tcl command extension is supported only in Software Modularity images Syntax sys_reqinfo_mem_all order allocates increase used sec msec num Arguments Mandatory Order used for sorting the memory usage of processes order Mandatory Specifies that the memory usage is sorted by the number of process allocations during the specified time window and in descending order allocates Mandatory Spec...

Page 2083: ...o 4294967295 Default value is 5 num Result String rec_list process mem info string 0 process mem info string 1 Where each process mem info string is pid u name s delta_allocs d initial_alloc u current_alloc u percent_increase d Marks the start of the process memory usage information list rec_list Process ID pid Process name name Specifies the difference between the number of allocations in the old...

Page 2084: ... last_respawn_msec ld inst_id u proc_state s level d exit_status 0x x exit_type d System manager assigned job ID for the process An integer between 1 and 4294967295 inclusive job_id Version manager assigned component ID for the component to which the process belongs component_id Process name name Helper process name helper_name Executable path of the helper process helper_path Executable path of t...

Page 2085: ...e last time the process was started last_respawn_sec last_respawn_msec Process instance ID inst_id Sysmgr process states One of the following error forced_stop hold init ready_to_run run run_rnode stop waitEOltimer wait_rnode wait_spawntimer wait_tpl proc_state Process run level level Last exit status of the process exit_status Last exit type exit_type Set _cerrno Yes sys_reqinfo_proc_all Queries ...

Page 2086: ...he value of the entity specified by a Simple Network Management Protocol SNMP object ID Syntax sys_reqinfo_snmp oid get_type exact next Arguments Mandatory SNMP OID in dot notation for example 1 3 6 1 2 1 2 1 0 oid Mandatory Type of SNMP get operation that needs to be applied to the specified oid If the get_type is exact the value of the specified oid is retrieved if the get_type is next the value...

Page 2087: ...MP object type _cerr_sub_err 51 FH_ESTATSTYP invalid statistics data type This error means that the SNMP statistics data type was invalid _cerr_sub_err 54 FH_EFDUNAVAIL connection to event detector unavailable This error means that the event detector was unavailable sys_reqinfo_syslog_freq Queries the frequency information of all syslog events Syntax sys_reqinfo_syslog_freq Arguments None Result S...

Page 2088: ...etermine the cause of the operating system error _cerr_sub_err 9 FH_EMEMORY insufficient memory for request This error means that an internal EEM request for memory failed _cerr_sub_err 22 FH_ENULLPTR event detector internal error ptr is null This error means that an internal EEM event detector pointer was null when it should have contained a value _cerr_sub_err 45 FH_ESEQNUM sequence or workset n...

Page 2089: ...operating system error _cerr_sub_err 22 FH_ENULLPTR event detector internal error ptr is null This error means that an internal EEM event detector pointer was null when it should have contained a value _cerr_sub_err 44 FH_EHISTEMPTY history list is empty This error means that the history list was empty _cerr_sub_err 45 FH_ESEQNUM sequence or workset number out of sync This error means that the eve...

Page 2090: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 2008 sys_reqinfo_syslog_history ...

Page 2091: ...r all EEM Tcl command extensions if there is an error the returned Tcl result string contains the error information Note Arguments for which no numeric range is specified take an integer from 2147483648 to 2147483647 inclusive Note appl_read page 2010 appl_reqinfo page 2011 appl_setinfo page 2011 counter_modify page 2012 description page 2013 fts_get_stamp page 2014 register_counter page 2014 regi...

Page 2092: ...ata to read Must be an integer number between 1 and 4294967295 inclusive length Result String data s Where data is the application published string data to be read Set _cerrno Yes _cerr_sub_err 2 FH_ESYSERR generic unknown error from OS system This error means that the operating system reported an error The POSIX errno value that is reported with the error should be used to determine the cause of ...

Page 2093: ...erating system reported an error The POSIX errno value that is reported with the error should be used to determine the cause of the operating system error _cerr_sub_err 7 FH_ENOSUCHKEY could not find key This error means that the application event detector info key or other ID was not found appl_setinfo Saves information in the Embedded Event Manager EEM This Tcl command extension provides support...

Page 2094: ...e object length or number exceeded the maximum _cerr_sub_err 43 FH_EBADLENGTH bad API length This error means that the API message length was invalid counter_modify Modifies a counter value Syntax counter_modify event_id val op nop set inc dec Arguments Mandatory The counter event ID returned by the register_counter Tcl command extension Must be an integer between 0 and 4294967295 inclusive event_...

Page 2095: ...specification ID This error means that the event specification ID could not be matched when the event was being registered or that an event detector internal event structure is corrupt _cerr_sub_err 22 FH_ENULLPTR event detector internal error ptr is null This error means that an internal EEM event detector pointer was null when it should have contained a value _cerr_sub_err 30 FH_ECTBADOPER bad c...

Page 2096: ...em trigger cisco eem correlate event 1 and event 2 cisco eem attribute tag 1 occurs 1 cisco eem attribute tag 2 occurs 1 fts_get_stamp Returns the time period elapsed since the last software boot Use this Tcl command extension to return the number of nanoseconds since boot in an array nsec nnnn where nnnn is the number of nanoseconds Syntax fts_get_stamp Arguments None Result String nsec d Where n...

Page 2097: ...is error means that the event type specified in the internal event specification was invalid _cerr_sub_err 9 FH_EMEMORY insufficient memory for request This error means that an internal EEM request for memory failed _cerr_sub_err 10 FH_ECORRUPT internal EEM API context is corrupt This error means that the internal EEM API context structure is corrupt _cerr_sub_err 11 FH_ENOSUCHESID unknown event s...

Page 2098: ...blisher to perform this registration before using the event ID to manipulate the timer if it does not use the event_register_timer command extension to register as a publisher and subscriber Syntax register_timer watchdog countdown absolute cron name Arguments Mandatory The name of the timer to be manipulated name Result String event_id u Where event_id is the timer event ID for the specified time...

Page 2099: ...ans that an internal EEM event detector pointer was null when it should have contained a value _cerr_sub_err 25 FH_ESUBSEXCEED number of subscribers exceeded This error means that the number of timer or counter subscribers exceeded the maximum _cerr_sub_err 26 FH_ESUBSIDXINV invalid subscriber index This error means that the subscriber index was invalid _cerr_sub_err 54 FH_EFDUNAVAIL connection to...

Page 2100: ...ystem reported an error The POSIX errno value that is reported with the error should be used to determine the cause of the operating system error _cerr_sub_err 6 FH_EBADEVENTTYPE unknown EEM event type This error means that the event type specified in the internal event specification was invalid _cerr_sub_err 9 FH_EMEMORY insufficient memory for request This error means that an internal EEM reques...

Page 2101: ...main ld Where sec_remain and msec_remain are the remaining time before the next expiration of the timer A value of 0 will be returned for sec_remain and msec_remain if the timer type is CRON Note Set _cerrno Yes _cerr_sub_err 2 FH_ESYSERR generic unknown error from OS system This error means that the operating system reported an error The POSIX errno value that is reported with the error should be...

Page 2102: ...ter_counter Unregisters a counter This Tcl command extension is used by a counter publisher to unregister a counter that was previously registered with the register_counter Tcl command extension Syntax unregister_counter event_id event_spec_id Arguments Mandatory Counter event ID returned by the register_counter command extension Must be an integer between 0 and 4294967295 inclusive event_id Manda...

Page 2103: ...internal EEM event detector pointer was null when it should have contained a value _cerr_sub_err 26 FH_ESUBSIDXINV invalid subscriber index This error means that the subscriber index was invalid _cerr_sub_err 54 FH_EFDUNAVAIL connection to event detector unavailable This error means that the event detector was unavailable _cerr_sub_err 56 FH_EFDCONNERR event detector connection error This error me...

Page 2104: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 2022 unregister_counter ...

Page 2105: ...P A R T XII Configuring Cisco IOS IP SLAs Configuring Cisco IP SLAs page 2025 ...

Page 2106: ......

Page 2107: ... each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Restrictions on SLAs This section lists the restrictions on SLAs The following are restrictions on IP S...

Page 2108: ... command line interface CLI and Simple Network Management Protocol SNMP MIBs IP SLA packets have configurable IP and application layer options such as source and destination IP address User Datagram Protocol UDP TCP port numbers a type of service ToS byte including Differentiated Services Code Point DSCP and IP Prefix bits Virtual Private Network VPN routing forwarding instance VRF and URL web add...

Page 2109: ...ement with Cisco IOS IP SLAs You can use IP SLAs to monitor the performance between any area in the network core distribution and edge without deploying a physical probe It uses generated traffic to measure network performance between two networking devices The following figure shows how IP SLAs begin when the source device sends a generated packet to the destination device After the destination d...

Page 2110: ...port for the specified duration During this time the responder accepts the requests and responds to them It disables the port after it responds to the IP SLA packet or when the specified time expires MD5 authentication for control messages is available for added security Figure 114 Cisco IOS IP SLAs Operation You do not need to enable the responder on the destination device for all IP SLA operatio...

Page 2111: ...15 Cisco IOS IP SLA Responder Time Stamping An additional benefit of the two time stamps at the target device is the ability to track one way delay jitter and directional packet loss Because much network behavior is asynchronous it is critical to have these statistics However to capture one way delay measurements you must configure both the source router and target router with Network Time Protoco...

Page 2112: ...e IP SLA responder on the target device the operational target SUMMARY STEPS 1 enable 2 configure terminal 3 ip sla responder tcp connect udp echo ipaddress ip address port port number 4 end 5 show running config 6 copy running config startup config DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Step 1 Example Switch enable Enters the g...

Page 2113: ...h config end Step 4 Verifies your entries show running config Example Switch show running config Step 5 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 6 Related Topics IP SLA Responder and IP SLA Control Protocol on page 2028 Response Time Computation for IP SLAs on page 2028 Restrictions on SLAs on pa...

Page 2114: ... e t a d a t a f r a m e w o r k p d f Cisco Medianet Metadata Guide http www cisco com c en us td docs ios xml ios msp configuration 15 mt msp 15 mt book pdf Cisco Media Services Proxy Configuration Guide h t t p w w w c i s c o c o m c e n u s t d d o c s i o s x m l i o s m e d i a _ m o n i t o r i n g c o n f i g u r a t i o n 1 5 m t m m 1 5 m t b o o k m m m e d i a t r a c e h t m l Cisco ...

Page 2115: ...ucts and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password Feature History and Information for Service...

Page 2116: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 2034 Feature History and Information for Service Level Agreements ...

Page 2117: ...P A R T XIII Working with the Cisco IOS File System Configuration Files and Software Images Working with the Cisco IOS File System Configuration Files and Software Images page 2037 ...

Page 2118: ......

Page 2119: ...uration files The default flash file system on the switch is named flash As viewed from the active switch or any stack member flash refers to the local flash device which is the device attached to the same switch on which the file system is being viewed In a switch stack each of the flash devices from the various stack members can be viewed from the active switch The names of these flash file syst...

Page 2120: ...4 disk rw crashinfo 3 146014208 0 disk rw crashinfo 4 146014208 1572864 disk rw crashinfo 5 248512512 30932992 disk rw crashinfo 6 146014208 6291456 disk rw crashinfo 7 146276352 15728640 disk rw crashinfo 8 146276352 73400320 disk rw crashinfo 9 741621760 481730560 disk rw flash flash 1 1622147072 1360527360 disk rw flash 2 stby flash 729546752 469762048 disk rw flash 3 729546752 469762048 disk r...

Page 2121: ...nfo file network The file system for network devices for example an FTP server or and HTTP server nvram The file system is for a NVRAM device opaque The file system is a locally generated pseudo file system for example the system or a download interface such as brimux unknown The file system is an unknown type Type Permission for file system ro read only rw read write wo write only Flags Consolida...

Page 2122: ...om related commands For example for all privileged EXEC commands that have the optional filesystem argument the system uses the file system specified by the cd command By default the default file system is flash You can display the current default file system as specified by the cd command by using the pwd privileged EXEC command Displaying Information About Files on a File System You can view a l...

Page 2123: ...ow these steps to change directories and to display the working directory SUMMARY STEPS 1 enable 2 dir filesystem 3 cd directory_name 4 pwd 5 cd DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Step 1 Example Switch enable Displays the directories on the specified file system dir filesystem Step 2 Example Switch dir flash For filesystem u...

Page 2124: ... dir filesystem DETAILED STEPS Purpose Command or Action Displays the directories on the specified file system dir filesystem Step 1 Example Switch dir flash For filesystem use flash for the system board flash device Creates a new directory Directory names are case sensitive and are limited to 45 characters between the slashes the name cannot mkdir directory_name Example Switch mkdir new_configs S...

Page 2125: ...nd destination URLs you can use running config and startup config keyword shortcuts For example the copy running config startup config command saves the currently running configuration file to the NVRAM section of flash memory to be used as the configuration during system initialization You can also copy from special file systems xmodem ymodem as the source for the file from a network machine that...

Page 2126: ...5 Copy to crashinfo 5 file system crashinfo Copy to crashinfo file system flash 1 Copy to flash 1 file system flash 2 Copy to flash 2 file system flash 3 Copy to flash 3 file system flash 4 Copy to flash 4 file system flash 5 Copy to flash 5 file system flash Copy to flash file system ftp Copy to ftp file system http Copy to http file system https Copy to https file system null Copy to null file s...

Page 2127: ... file url you specify the path directory and the name of the file to be deleted When you attempt to delete any files the system prompts you to confirm the deletion When files are deleted their contents cannot be recovered Caution This example shows how to delete the file myconfig from the default flash memory device Switch delete myconfig Creating Displaying and Extracting Files You can create a f...

Page 2128: ... to display These options are supported Local flash file system syntax flash FTP syntax ftp username password location directory filename RCP syntax rcp username location directory filename TFTP syntax tftp location directory filename You can also limit the file displays by specifying a list of files or directories after the file Only those files appear If none are specified all files and director...

Page 2129: ...se reasons To restore a backed up configuration file To use the configuration file for another switch For example you might add another switch to your network and want it to have a configuration similar to the original switch By copying the file to the new switch you can change the relevant parts rather than recreating the whole file To load the same configuration commands on all the switches in y...

Page 2130: ...s a different IP address in a particular command than the existing configuration the IP address in the copied configuration is used However some commands in the existing configuration might not be replaced or negated In this case the resulting configuration file is a mixture of the existing configuration file and the copied configuration file with the copied configuration file having precedence To...

Page 2131: ...configuration files to a TFTP server for storage Preparing to Download or Upload a Configuration File By Using TFTP Before you begin downloading or uploading a configuration file by using TFTP do these tasks Ensure that the workstation acting as the TFTP server is properly configured On a Sun workstation make sure that the etc inetd conf file contains this line tftp dgram udp wait root usr etc in ...

Page 2132: ...loading the Configuration File By Using TFTP To configure the switch by using a configuration file downloaded from a TFTP server follow these steps SUMMARY STEPS 1 2 3 4 DETAILED STEPS Purpose Command or Action Copy the configuration file to the appropriate TFTP directory on the workstation Step 1 Verify that the TFTP server is properly configured Step 2 Log into the switch through the console por...

Page 2133: ...switch configuration to the TFTP server Specify the IP address or hostname of the TFTP server and the destination filename Step 3 Use one of these privileged EXEC commands copy system running config tftp location directory filename copy nvram startup config tftp location directory filename copy flash n directory startup config tftp location directory filename You can only enter the flashn paramete...

Page 2134: ...stem image resides in the home directory of a user on the server specify that user name as the remote username Refer to the documentation for your FTP server for more information Use the ip ftp username and ip ftp password global configuration commands to specify a username and password for all copies Include the username in the copy EXEC command if you want to specify a username for that copy ope...

Page 2135: ... see Steps 2 3 and 4 Optional Change the default remote username ip ftp username username Step 2 Optional Change the default password ip ftp password password Step 3 Return to privileged EXEC mode end Step 4 Using FTP copy the configuration file from a network server to the running configuration or to the startup configuration file Do one of the following Step 5 copy system running config ftp user...

Page 2136: ... from host2 config by ftp from 172 16 101 101 Uploading a Configuration File By Using FTP Beginning in privileged EXEC mode follow these steps to upload a configuration file by using FTP SUMMARY STEPS 1 configure terminal 2 ip ftp username username 3 ip ftp password password 4 end 5 Do one of the following copy system running config ftp username password location directory filename or copy nvram s...

Page 2137: ...d of downloading uploading and copying configuration files between remote hosts and the switch Unlike TFTP which uses User Datagram Protocol UDP a connectionless protocol RCP uses TCP which is connection oriented To use RCP to copy files the server from or to which you will be copying files must support RCP The RCP copy commands rely on the rsh server or daemon on the remote system To copy files b...

Page 2138: ...t the current RCP username is the one that you want to use for the RCP download You can enter the show users privileged EXEC command to view the valid username If you do not want to use this username create a new RCP username by using the ip rcmd remote username username global configuration command to be used during all copy operations The new username is stored in NVRAM If you are accessing the ...

Page 2139: ...ation directory filename nvram startup config This example shows how to copy a configuration file named host1 confg from the netadmin1 directory on the remote server with an IP address of 172 16 101 101 and load and run those commands on the switch Switch copy rcp netadmin1 172 16 101 101 host1 confg system running config Configure using host1 confg from 172 16 101 101 confirm Connected to 172 16 ...

Page 2140: ...terminal Step 1 This step is required only if you override the default remote username see Steps 2 and 3 Optional Specify the remote username ip rcmd remote username username Step 2 Return to privileged EXEC mode end Step 3 Using RCP copy the configuration file from a switch running configuration or startup configuration file to a network server Do one of the following Step 4 copy system running c...

Page 2141: ...vileged EXEC command Depending on the setting of the file prompt global configuration command you might be prompted for confirmation before you delete a file By default the switch prompts for confirmation on destructive file operations For more information about the file prompt command see the Cisco IOS Command Reference for Release 12 4 You cannot restore a file after it has been deleted Note Rep...

Page 2142: ...iguration replacement operation is usually completed in no more than three passes To prevent looping behavior no more than five passes are performed You can use the copy source url running config privileged EXEC command to copy a stored configuration file to the running configuration When using this command as an alternative to the configure replace target url privileged EXEC command note these ma...

Page 2143: ...evice When using the configure replace command you must specify a saved configuration as the replacement configuration file for the running configuration The replacement file must be a complete configuration generated by a Cisco IOS device for example a configuration generated by the copy running configdestination url command If you generate the replacement configuration file externally it must co...

Page 2144: ...ally saving an archive file of the running configuration in the configuration archive minutes Specify how often in minutes to automatically save an archive file of the running configuration in the configuration archive time period minutes Step 5 Return to privileged EXEC mode end Step 6 Verify the configuration show running config Step 7 Optional Save your entries in the configuration file copy ru...

Page 2145: ...or confirmation timeseconds Specify the time in seconds within which you must enter the configure confirm command to confirm replacement of the running configuration file If you do not enter the configure confirm command within the specified time limit the configuration replacement operation is automatically stopped In other words the running configuration file is restored to the configuration tha...

Page 2146: ... can replace the current image with the new one or keep the current image in flash memory after a download You upload a switch image file to a TFTP FTP or RCP server for backup purposes You can use this uploaded image for future downloads to the same switch or to another of the same type The protocol that you use depends on which type of server you are using The FTP and RCP transport mechanisms pr...

Page 2147: ...ion Field Specifies the Cisco IOS image version string suffix version_suffix Specifies the directory where the Cisco IOS image and the HTML subdirectory are installed version_directory Specifies the name of the Cisco IOS image within the tar file image_name Specifies the Cisco IOS image size in the tar file which is an approximate measure of how much flash memory is required to hold just the Cisco...

Page 2148: ...e file by using TFTP do these tasks Ensure that the workstation acting as the TFTP server is properly configured On a Sun workstation make sure that the etc inetd conf file contains this line tftp dgram udp wait root usr etc in tftpd in tftpd p s tftpboot Make sure that the etc services file contains this line tftp 69 udp You must restart the inetd daemon after modifying the etc inetd conf and etc...

Page 2149: ...witch and overwrite the current image archive download sw overwrite reload tftp location directory image name tar Step 3 The overwrite option overwrites the software image in flash memory with the downloaded image The reload option reloads the system after downloading the image unless the configuration has been changed and not been saved For location specify the IP address of the TFTP server For d...

Page 2150: ...T environment variable is updated to point to the newly installed image If you keep the old image during the download process you specified the leave old sw keyword you can remove it by entering the delete force recursive filesystem file url privileged EXEC command For filesystem use flash for the system board flash device For file url enter the directory name of the old image All the files in the...

Page 2151: ...e from a server to upgrade the switch software You can overwrite the current image with the new one or keep the current image after a download You upload a switch image file to a server for backup purposes You can use this uploaded image for future downloads to the switch or another switch of the same type Instead of using the copy privileged EXEC command or the archive tar privileged EXEC command...

Page 2152: ...le is written to or copied from the directory associated with the username on the server For example if the image file resides in the home directory of a user on the server specify that user s name as the remote username Before you begin downloading or uploading an image file by using FTP do these tasks Ensure that the switch has a route to the FTP server The switch and the FTP server must be in t...

Page 2153: ...figuration mode configure terminal Step 3 This step is required only if you override the default remote username or password see Steps 4 5 and 6 Optional Change the default remote username ip ftp username username Step 4 Optional Change the default password ip ftp passwordpassword Step 5 Return to privileged EXEC mode end Step 6 Download the image file from the FTP server to the switch and overwri...

Page 2154: ...for the switch model and that enough DRAM is present or it aborts the process and reports an error If you specify the overwrite option the download algorithm removes the existing image on the flash device whether or not it is the same as the new one downloads the new image and then reloads the software If the flash device has sufficient space to hold two images and you want to overwrite one of the...

Page 2155: ...to upload an image to an FTP server SUMMARY STEPS 1 configure terminal 2 ip ftp usernameusername 3 ip ftp passwordpassword 4 end 5 archive upload sw ftp username password location directory image name tar DETAILED STEPS Purpose Command or Action Enter global configuration mode configure terminal Step 1 This step is required only if you override the default remote username or password see Steps 2 3...

Page 2156: ...oaded image for future downloads to the same switch or another of the same type Instead of using the copy privileged EXEC command or the archive tar privileged EXEC command we recommend using the archive download sw and archive upload sw privileged EXEC commands to download and upload software image files For switch stacks the archive download sw and archive upload sw privileged EXEC commands can ...

Page 2157: ...sername Before you begin downloading or uploading an image file by using RCP do these tasks Ensure that the workstation acting as the RCP server supports the remote shell rsh Ensure that the switch has a route to the RCP server The switch and the server must be in the same subnetwork if you do not have a router to route traffic between subnets Check connectivity to the RCP server by using the ping...

Page 2158: ...username or password see Steps 4 5 and 6 Optional Specify the remote username ip rcmd remote username username Step 4 Return to privileged EXEC mode end Step 5 Download the image file from the RCP server to the switch and overwrite the current image archive download sw overwrite reload rcp username location directory image name tar Step 6 The overwrite option overwrites the software image in flash...

Page 2159: ... image and then reloads the software If the flash device has sufficient space to hold two images and you want to overwrite one of these images with the same version you must specify the overwrite option Note If you specify the leave old sw the existing files are not removed If there is not enough space to install the new image and keep the running image the download process stops and an error mess...

Page 2160: ...rn to privileged EXEC mode end Step 3 Upload the currently running switch image to the RCP server archive upload sw rcp username location directory image name tar Step 4 For username specify the username for the RCP copy request to execute an account must be defined on the network server for the remote username For location specify the IP address of the RCP server For directory image name tar spec...

Page 2161: ...n stack member number force reloadsource stack member number 2 reload slotstack member number DETAILED STEPS Purpose Command or Action Copy the running image file from a stack member and then unconditionally reload the updated stack member At least one stack member must be running the image that is to be copied to the switch that is running the incompatible software Note For destination systemdest...

Page 2162: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 2080 Copying an Image File from One Stack Member to Another ...

Page 2163: ...P A R T XIV VLAN Configuring VTP page 2083 Configuring VLANs page 2109 Configuring VLAN Trunks page 2129 Configuring VMPS page 2151 Configuring Voice VLANs page 2167 ...

Page 2164: ......

Page 2165: ...e features documented in this module and to see a list of the releases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Prerequisites for VTP Be...

Page 2166: ...h the highest VTP configuration revision number If you add a switch that has a revision number higher than the revision number in the VTP domain it can erase all VLAN information from the VTP server and VTP domain Note The following are restrictions for configuring VTPs 1K VLAN is supported only on switches running the LAN Base image with the lanbase default template set To avoid warning messages ...

Page 2167: ...AN information is not propagated over the network If the switch receives a VTP advertisement over a trunk link it inherits the management domain name and the VTP configuration revision number The switch then ignores advertisements with a different domain name or an earlier configuration revision number When you make a change to the VLAN configuration on a VTP server the change is propagated to all...

Page 2168: ...nt VTP transparent switches do not participate in VTP A VTP transparent switch does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertisements However in VTP version 2 or version 3 transparent switches do forward VTP advertisements that they receive from other switches through their trunk interfaces You can create modify and delete VLANs o...

Page 2169: ...N state Additional VLAN configuration information specific to the VLAN type In VTP version 3 VTP advertisements also include the primary server ID an instance number and a start index Related Topics Prerequisites for VTP VTP Version 2 If you use VTP in your network you must decide which version of VTP to use By default VTP operates in version 1 VTP version 2 supports these features that are not su...

Page 2170: ...addition to propagating VTP information version 3 can propagate Multiple Spanning Tree MST protocol database information A separate instance of the VTP protocol runs for each application that uses VTP VTP primary server and VTP secondary servers A VTP primary server updates the database information and sends updates that are honored by all devices in the system A VTP secondary server can only back...

Page 2171: ... VLANs 1002 to 1005 are always pruning ineligible traffic from these VLANs cannot be pruned Extended range VLANs VLAN IDs higher than 1005 are also pruning ineligible Related Topics Enabling VTP Pruning on page 2099 VTP and Switch Stacks The switch supports homogeneous stacking and mixed stacking Mixed stacking is supported only with the Catalyst 2960 S switches A homogenous stack can have up to e...

Page 2172: ...onfig privileged EXEC command You must use this command if you want to save VTP mode as transparent even if the switch resets When you save VTP information in the switch startup configuration file and reboot the switch the switch configuration is selected as follows If the VTP mode is transparent in the startup configuration and the VLAN database and the VTP domain name from the VLAN database matc...

Page 2173: ...s the next VTP advertisement that uses the same password and domain name in the advertisement If you are adding a new switch to an existing network with VTP capability the new switch learns the domain name only after the applicable password has been configured on it When you configure a VTP domain password the management domain does not function properly if you do not assign a management domain pa...

Page 2174: ...xtended range VLANs and support for extended range VLAN database propagation When a VTP version 3 device trunk port receives messages from a VTP version 2 device it sends a scaled down version of the VLAN database on that particular trunk in VTP version 2 format A VTP version 3 device does not send VTP version 2 formatted packets on a trunk unless it first receives VTP version 2 packets on that tr...

Page 2175: ... VLAN configuration The client switch receives VTP updates from a VTP server in the VTP domain and then modifies its configuration accordingly VTP transparent mode In VTP transparent mode VTP is disabled on the switch The switch does not send VTP updates and does not act on VTP updates received from other switch However a VTP transparent switch running VTP version 2 does forward received VTP adver...

Page 2176: ...p domain eng_group Step 3 the same administrative responsibility must be configured with the same domain name This command is optional for modes other than server mode VTP server mode requires a domain name If the switch has a trunk connection to a VTP domain the switch learns the domain name from the VTP server in the domain You should configure the VTP domain before configuring other VTP paramet...

Page 2177: ...ep 7 Optional Saves the configuration in the startup configuration file copy running config startup config Step 8 Example Switch copy running config Only VTP mode and domain name are saved in the switch running configuration and can be copied to the startup configuration file startup config Related Topics VTP Modes on page 2086 Example Configuring Switch as VTP Server on page 2105 Configuring a VT...

Page 2178: ...ver you are prompted to reenter the password hidden Optional secret Directly configures the password The secret password must contain 32 hexadecimal characters Returns to privileged EXEC mode end Example Switch config end Step 4 Verifies your entries The output appears like this show vtp password Step 5 Example Switch show vtp password VTP password 89914640C8D90868B6A0D8103847A733 Optional Saves y...

Page 2179: ... Settings on page 2090 Enabling the VTP Version VTP version 2 and version 3 are disabled by default When you enable VTP version 2 on a switch every VTP version 2 capable switch in the VTP domain enables version 2 To enable VTP version 3 you must manually configure it on each switch With VTP versions 1 and 2 you can configure the version only on switches in VTP server or transparent mode If a switc...

Page 2180: ...ple Switch enable Step 1 Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Enables the VTP version on the switch The default is VTP version 1 vtp version 1 2 3 Example Switch config vtp version 2 Step 3 Returns to privileged EXEC mode end Example Switch config end Step 4 Verifies that the configured VTP version is enabled show vtp status Example Switc...

Page 2181: ... the entire network Turn off VTP pruning by making all VLANs on the trunk of the switch upstream to the VTP transparent switch pruning ineligible To configure VTP pruning on an interface use the switchport trunk pruning vlan interface configuration command VTP pruning operates when an interface is trunking You can set VLAN pruning eligibility whether or not VTP pruning is enabled for the VTP domai...

Page 2182: ...y one switch in VTP server mode Returns to privileged EXEC mode end Example Switch config end Step 4 Verifies your entries in the VTP Pruning Mode field of the display show vtp status Example Switch show vtp status Step 5 Related Topics VTP Pruning on page 2089 Configuring VTP on a Per Port Basis With VTP version 3 you can enable or disable VTP on a per port basis You can enable VTP only on ports ...

Page 2183: ...nfigure terminal Step 2 Identifies an interface and enters interface configuration mode interface interface id Example Switch config interface gigabitethernet1 0 1 Step 3 Enables VTP on the specified port vtp Example Switch config vtp Step 4 Returns to privileged EXEC mode end Example Switch config end Step 5 Verifies the change to the port show running config interface interface id Example Switch...

Page 2184: ...n of the switch with the highest VTP configuration revision number With VTP versions 1 and 2 adding a switch that has a revision number higher than the revision number in the VTP domain can erase all VLAN information from the VTP server and VTP domain With VTP version 3 the VLAN information is not erased You can use the vtp mode transparent global configuration command to disable VTP on the switch...

Page 2185: ...ion mode configure terminal Example Switch configure terminal Step 3 Changes the domain name from the original one displayed in Step 1 to a new name vtp domain domain name Example Switch config vtp domain domain123 Step 4 Returns to privileged EXEC mode The VLAN information on the switch is updated and the configuration revision number is reset to 0 end Example Switch config end Step 5 Verifies th...

Page 2186: ... used to display and monitor the VTP configuration You monitor VTP by displaying VTP configuration information the domain name the current VTP revision and the number of VLANs You can also display statistics about the advertisements sent and received by the switch Table 191 VTP Monitoring Commands Purpose Command Displays counters about VTP messages that have been sent and received show vtp counte...

Page 2187: ...ary server for vlan feature in the VTP domain VTP Database Conf Switch ID Primary Server Revision System Name VLANDB Yes 00d0 00b8 1400 00d0 00b8 1400 1 stp7 Do you want to continue y n n y Related Topics Configuring a VTP Version 3 Password on page 2095 Passwords for the VTP Domain on page 2091 Example Configuring Switch as VTP Server This example shows how to configure the switch as a VTP server...

Page 2188: ...d mypassword hidden Generating the secret associated to the password Switch config end Switch show vtp password VTP password 89914640C8D90868B6A0D8103847A733 Where to Go Next After configuring VTP you can configure the following VLANS VLAN Trunking VLAN Membership Policy Server VMPS Voice VLANs Additional References Related Documents Document Title Related Topic Catalyst 2960 X Switch VLAN Managem...

Page 2189: ...ssues with Cisco products and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password Feature History and In...

Page 2190: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 2108 Feature History and Information for VTP ...

Page 2191: ...se To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not re...

Page 2192: ...d to the physical locations of the users VLANs have the same attributes as physical LANs but you can group end stations even if they are not physically located on the same LAN segment Any switch port can belong to a VLAN and unicast broadcast and multicast packets are forwarded and flooded only to end stations in the VLAN Each VLAN is considered a logical network and packets destined for stations ...

Page 2193: ...e Note The switch supports per VLAN spanning tree plus PVST or rapid PVST with a maximum of 128 spanning tree instances One spanning tree instance is allowed per VLAN The switch supports only IEEE 802 1Q trunking methods for sending VLAN traffic over Ethernet ports Up to 64 spanning tree instances are supported when the switch is running the LAN Lite image Note VLAN Port Membership Modes You confi...

Page 2194: ...dynamic access port to an end station or hub and not to another switch Dynamic access VTP is not required it has no effect on a voice VLAN A voice VLAN port is an access port attached to a Cisco IP Phone configured to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone Voice VLAN VLAN Configuration Files Configurations for VLAN IDs 1 to 1005 are wri...

Page 2195: ...ot be removed With VTP versions 1 and 2 the switch supports VLAN IDs 1006 through 4094 only in VTP transparent mode VTP disabled These are extended range VLANs and configuration options are limited Extended range VLANs created in VTP transparent mode are not saved in the VLAN database and are not propagated VTP version 3 supports extended range VLAN VLANs 1006 to 4094 database propagation in VTP s...

Page 2196: ... a VLAN Monitoring VLANs Creating or Modifying an Ethernet VLAN Deleting a VLAN on page 2119 Assigning Static Access Ports to a VLAN Monitoring VLANs Creating or Modifying an Ethernet VLAN Deleting a VLAN on page 2119 Assigning Static Access Ports to a VLAN Monitoring VLANs Creating or Modifying an Ethernet VLAN Deleting a VLAN on page 2119 Assigning Static Access Ports to a VLAN Monitoring VLANs ...

Page 2197: ... Range VLAN Creating an Extended Range VLAN with an Internal VLAN ID Monitoring VLANs Creating an Extended Range VLAN Creating an Extended Range VLAN with an Internal VLAN ID Monitoring VLANs Creating an Extended Range VLAN Creating an Extended Range VLAN with an Internal VLAN ID Monitoring VLANs Creating an Extended Range VLAN Creating an Extended Range VLAN with an Internal VLAN ID Monitoring VL...

Page 2198: ...ge only the MTU size and the remote SPAN configuration state on extended range VLANs all other characteristics must remain at the default state The switch must be running the LAN Base image to support remote SPAN Note How to Configure VLANs How to Configure Normal Range VLANs You can set these parameters when you create a new normal range VLAN or modify an existing VLAN in the VLAN database VLAN I...

Page 2199: ...Modifying an Ethernet VLAN Each Ethernet VLAN in the VLAN database has a unique 4 digit ID that can be a number from 1 to 1001 VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs To create a normal range VLAN to be added to the VLAN database assign a number and name to the VLAN With VTP version 1 and 2 if the switch is in VTP transparent mode you can assign VLAN IDs greater than 1006 ...

Page 2200: ... the VLAN the default is to append the vlan id value with name vlan name Example Switch config vlan name test20 Step 4 leading zeros to the word VLAN For example VLAN0004 is a default VLAN name for VLAN 4 Optional Changes the MTU size or other VLAN characteristic mtu mtu size Example Switch config vlan mtu 256 Step 5 Optional Configures the VLAN as the RSPAN VLAN for a remote SPAN session remote s...

Page 2201: ...cannot delete the default VLANs for the different media types Ethernet VLAN 1 and FDDI or Token Ring VLANs 1002 to 1005 When you delete a VLAN any ports assigned to that VLAN become inactive They remain associated with the VLAN and thus inactive until you assign them to a new VLAN Caution SUMMARY STEPS 1 enable 2 configure terminal 3 no vlan vlan id 4 end 5 show vlan brief 6 copy running config st...

Page 2202: ... configuration file copy running config startup config Example Switch copy running config startup config Step 6 Related Topics Supported VLANs Normal Range VLAN Configuration Guidelines on page 2113 Monitoring VLANs Supported VLANs Normal Range VLAN Configuration Guidelines on page 2113 Monitoring VLANs Supported VLANs Normal Range VLAN Configuration Guidelines on page 2113 Monitoring VLANs Suppor...

Page 2203: ...ace interface id 7 show interfaces interface id switchport DETAILED STEPS Purpose Command or Action Enters the global configuration mode configure terminal Example Switch configure terminal Step 1 Enters the interface to be added to the VLAN interface interface id Example Switch config interface gigabitethernet2 0 1 Step 2 Defines the VLAN membership mode for the port Layer 2 access port switchpor...

Page 2204: ...h VTP version 1 or 2 extended range VLAN configurations are not stored in the VLAN database but because VTP mode is transparent they are stored in the switch running configuration file and you can save the configuration in the startup configuration file by using the copy running config startup config privileged EXEC command Extended range VLANs created in VTP version 3 are stored in the VLAN datab...

Page 2205: ...n Enters the global configuration mode configure terminal Example Switch configure terminal Step 1 Configures the switch for VTP transparent mode disabling VTP vtp mode transparent Step 2 Example Switch config vtp mode transparent This step is not required for VTP version 3 Note Enters an extended range VLAN ID and enters VLAN configuration mode The range is 1006 to 4094 vlan vlan id Example Switc...

Page 2206: ... startup configuration file Otherwise if the switch resets it will default to VTP server mode and the extended range VLAN IDs will not be saved startup config This step is not required for VTP version 3 because VLANs are saved in the VLAN database Note Related Topics Extended Range VLAN Configuration Guidelines on page 2114 Example Creating an Extended Range VLAN on page 2127 Monitoring VLANs Tabl...

Page 2207: ...s VTP VLAN status by identification number ifindex Displays SNMP ifIndex mtu Displays VLAN MTU information name Display the VTP VLAN information by specified name remote span Displays the remote SPAN VLANs summary Displays a summary of VLAN information show vlan brief group group name name id vlan id ifindex internal mtu name name remote span summary Consolidated Platform Configuration Guide Cisco...

Page 2208: ...ame private vlan Displays private VLAN information remote span Displays the remote SPAN VLANs summary Displays a summary of VLAN information show vlan access log config flow statistics access map name brief dot1q tag native filter access map vlan group group name name id vlan id ifindex internal usage mtu name name private vlan type remote span summary Configuration Examples Example Creating a VLA...

Page 2209: ...enter VLAN configuration mode and save the new VLAN in the switch startup configuration file Switch config vtp mode transparent Switch config vlan 2000 Switch config vlan end Switch copy running config startup config Related Topics Creating an Extended Range VLAN on page 2122 Extended Range VLAN Configuration Guidelines on page 2114 Where to Go Next After configuring VLANs you can configure the fo...

Page 2210: ...olving technical issues with Cisco products and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password Feat...

Page 2211: ... at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Prerequisites for VLAN Trunks The IEEE 802 1Q trunks impose these limitations on the trunking strategy for a network In a network of Cisco switches connected throu...

Page 2212: ...A trunk is a point to point link between one or more Ethernet switch interfaces and another networking device such as a router or a switch Ethernet trunks carry the traffic of multiple VLANs over a single link and you can extend the VLANs across an entire network You can configure a trunk on a single Ethernet interface or on an EtherChannel bundle Note Trunking Modes Ethernet trunk interfaces supp...

Page 2213: ...eighboring link into a trunk link The interface becomes a trunk interface even if the neighboring interface is not a trunk interface switchport mode trunk Prevents the interface from generating DTP frames You can use this command only when the interface switchport mode is access or trunk You must manually configure the neighboring interface as a trunk interface to establish a trunk link switchport...

Page 2214: ...path costs For load sharing using STP port priorities both load sharing links must be connected to the same switch For load sharing using STP path costs each load sharing link can be connected to the same switch or to two different switches Network Load Sharing Using STP Priorities When two ports on the same switch form a loop the switch uses the STP port priority to decide which port is enabled a...

Page 2215: ...tiate with its neighbor to become a trunk port If you try to enable IEEE 802 1x on a dynamic port an error message appears and IEEE 802 1x is not enabled If you try to change the mode of an IEEE 802 1x enabled port to dynamic the port mode is not changed Default Layer 2 Ethernet Interface VLAN Configuration The following table shows the default Layer 2 Ethernet interface VLAN configuration Table 1...

Page 2216: ...h cannot receive any VTP advertisements Before You Begin SUMMARY STEPS 1 enable 2 configure terminal 3 interface interface id 4 switchport mode dynamic auto desirable trunk 5 switchport access vlan vlan id 6 switchport trunk native vlan vlan id 7 end 8 show interfaces interface id switchport 9 show interfaces interface id trunk 10 copy running config startup config DETAILED STEPS Purpose Command o...

Page 2217: ...nterface in permanent trunking mode and negotiate to convert the link to a trunk link even if the neighboring interface is not a trunk interface Optional Specifies the default VLAN which is used if the interface stops trunking switchport access vlan vlan id Example Switch config if switchport access vlan Step 5 200 Specifies the native VLAN for IEEE 802 1Q trunks switchport trunk native vlan vlan ...

Page 2218: ...nk ports in all Cisco switches and it has previously been a requirement that VLAN 1 always be enabled on every trunk link You can use the VLAN 1 minimization feature to disable VLAN 1 on any individual VLAN trunk link so that no user traffic including spanning tree advertisements is sent or received on VLAN 1 SUMMARY STEPS 1 enable 2 configure terminal 3 interface interface id 4 switchport mode tr...

Page 2219: ...runk allowed vlan add all except remove vlan list Step 5 The vlan list parameter is either a single VLAN number from 1 to 4094 or a range of VLANs described by two VLAN Example Switch config if switchport trunk allowed numbers the lower one first separated by a hyphen Do not enter any spaces between comma separated VLAN parameters or in hyphen specified ranges vlan remove 2 All VLANs are allowed b...

Page 2220: ... to take effect SUMMARY STEPS 1 enable 2 configure terminal 3 interface interface id 4 switchport trunk pruning vlan add except none remove vlan list vlan vlan 5 end 6 show interfaces interface id switchport 7 copy running config startup config DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Step 1 Example Switch enable Enters the global...

Page 2221: ...e default list of VLANs allowed to be pruned contains VLANs 2 to 1001 Returns to privileged EXEC mode end Example Switch config end Step 5 Verifies your entries in the Pruning VLANs Enabled field of the display show interfaces interface id switchport Example Switch show interfaces Step 6 gigabitethernet2 0 1 switchport Optional Saves your entries in the configuration file copy running config start...

Page 2222: ...e global configuration mode configure terminal Example Switch configure terminal Step 2 Defines the interface that is configured as the IEEE 802 1Q trunk and enters interface configuration mode interface interface id Example Switch config interface gigabitethernet1 0 2 Step 3 Configures the VLAN that is sending and receiving untagged traffic on the trunk port switchport trunk native vlan vlan id E...

Page 2223: ...orities If your switch is a member of a switch stack you must use the spanning tree vlan vlan id cost cost interface configuration command instead of the spanning tree vlan vlan id port priority priority interface configuration command to select an interface to put in the forwarding state Assign lower cost values to interfaces that you want selected first and higher cost values that you want selec...

Page 2224: ... show vlan 16 configure terminal 17 interface interface id 18 spanning tree vlan vlan range port priority priority value 19 exit 20 interface interface id 21 spanning tree vlan vlan range port priority priority value 22 end 23 show running config 24 copy running config startup config DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Exampl...

Page 2225: ...isplay check the VTP Operating Mode and the VTP Domain Name fields Verifies that the VLANs exist in the database on Switch A show vlan Example Switch show vlan Step 7 Enters global configuration mode configure terminal Example Switch configure terminal Step 8 Defines the interface to be configured as a trunk and enters interface configuration mode interface interface id Example Switch config inter...

Page 2226: ...hat Switch B has learned the VLAN configuration show vlan Example Switch show vlan Step 15 Enters global configuration mode on Switch A configure terminal Example Switch configure terminal Step 16 Defines the interface to set the STP port priority and enters interface configuration mode interface interface id Example Switch config interface gigabitethernet1 0 1 Step 17 Assigns the port priority fo...

Page 2227: ...onfig if spanning tree vlan 3 6 Step 21 port priority 16 Returns to privileged EXEC mode end Example Switch config if end Step 22 Verifies your entries show running config Example Switch show running config Step 23 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 24 Related Topics Network Load Sharing Us...

Page 2228: ...st to 30 for VLANs 8 9 and 10 15 exit 16 show running config 17 copy running config startup config DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Example Switch enable Step 1 Enters global configuration mode on Switch A configure terminal Example Switch configure terminal Step 2 Defines the interface to be configured as a trunk and ente...

Page 2229: ...nks come up Switch A receives the VTP information from the other switches This command show vlan Example Switch show vlan Step 9 verifies that Switch A has learned the VLAN configuration Enters global configuration mode configure terminal Example Switch configure terminal Step 10 Defines the interface on which to set the STP cost and enters interface configuration mode interface interface id Examp...

Page 2230: ...ile copy running config startup config Example Switch copy running config startup config Step 17 Related Topics Network Load Sharing Using STP Path Cost on page 2132 Configuration Examples for VLAN Trunking Example Configuring a Trunk Port The following example shows how to configure a port as an IEEE 802 1Q trunk The example assumes that the neighbor interface is configured to support IEEE 802 1Q...

Page 2231: ...d Documents Document Title Related Topic Catalyst 2960 X Switch VLAN Management Command Reference For complete syntax and usage information for the commands used in this chapter Standards and RFCs Title Standard RFC MIBs MIBs Link MIB To locate and download MIBs for selected platforms Cisco IOS releases and feature sets use Cisco MIB Locator found at the following URL http www cisco com go mibs Al...

Page 2232: ...subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password Feature History and Information for VLAN Trunks Modification Release This feature was introduced Cisco IOS 15 0 2 EX Consolidated Platform ...

Page 2233: ...tion about the features documented in this module and to see a list of the releases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Prerequisit...

Page 2234: ... default template set Information About VMPS Dynamic VLAN Assignments The VLAN Query Protocol VQP is used to support dynamic access ports which are not permanently assigned to a VLAN but give VLAN assignments based on the MAC source addresses seen on the port Each time an unknown MAC address is seen the switch sends a VQP query to a remote VLAN Membership Policy Server VMPS the query includes the ...

Page 2235: ...he dynamic access port and attempts to match the MAC address to a VLAN in the VMPS database If there is a match the VMPS sends the VLAN number for that port If the client switch was not previously configured it uses the domain name from the first VTP packet it receives on its trunk port from the VMPS If the client switch was previously configured it includes its domain name in the query packet to ...

Page 2236: ... ports How to Configure VMPS Entering the IP Address of the VMPS If the VMPS is being defined for a cluster of switches enter the address on the command switch Note Before You Begin You must first enter the IP address of the server to configure the switch as a client SUMMARY STEPS 1 enable 2 configure terminal 3 vmps server ipaddress primary 4 vmps server ipaddress 5 end 6 show vmps 7 copy running...

Page 2237: ...ss of the switch acting as a secondary VMPS server vmps server ipaddress Example Switch config vmps server 10 3 4 5 Step 4 You can enter up to three secondary server addresses Returns to privileged EXEC mode end Example Switch config end Step 5 Verifies your entries in the VMPS Domain Server field of the display show vmps Example Switch show vmps Step 6 Optional Saves your entries in the configura...

Page 2238: ...face interface id interface configuration command To return an interface to its default switchport mode dynamic auto use the no switchport mode interface configuration command To reset the access mode to the default VLAN for the switch use the no switchport access vlan interface configuration command Note SUMMARY STEPS 1 enable 2 configure terminal 3 interface interface id 4 switchport mode access...

Page 2239: ... be connected to an end station dynamic Returns to privileged EXEC mode end Example Switch config end Step 6 Verifies your entries in the Operational Mode field of the display show interfaces interface id switchport Example Switch show interfaces gigabitethernet 1 0 1 Step 7 switchport Optional Saves your entries in the configuration file copy running config startup config Example Switch copy runn...

Page 2240: ...the dynamic VLAN reconfirmation status show vmps Example Switch show vmps Step 3 Changing the Reconfirmation Interval VMPS clients periodically reconfirm the VLAN membership information received from the VMPS You can set the number of minutes after which reconfirmation occurs If you are configuring a member switch in a cluster this parameter must be equal to or greater than the reconfirmation sett...

Page 2241: ...e dynamic VLAN membership The range is 1 to 120 The default is 60 minutes vmps reconfirm minutes Example Switch config vmps reconfirm 90 Step 3 Returns to privileged EXEC mode end Example Switch config end Step 4 Verifies the dynamic VLAN reconfirmation status in the Reconfirm Interval field of the display show vmps Example Switch show vmps Step 5 Optional Saves your entries in the configuration f...

Page 2242: ... Enables privileged EXEC mode Enter your password if prompted enable Example Switch enable Step 1 Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Changes the retry count The retry range is 1 to 10 the default is 3 vmps retry count Example Switch config vmps retry 5 Step 3 Returns to privileged EXEC mode end Example Switch config end Step 4 Consolida...

Page 2243: ...sing the show vmps privileged EXEC command The switch displays this information about the VMPS VMPS VQP Version The version of VQP used to communicate with the VMPS The switch queries the VMPS that is using VQP Version 1 Reconfirm Interval The number of minutes the switch waits before reconfirming the VLAN to MAC address assignments Server Retry Count The number of times VQP resends a query to the...

Page 2244: ...r switch and VMPS client switches with dynamic access ports with this configuration The VMPS server and the VMPS client are separate switches The Catalyst 6500 series Switch A is the primary VMPS server The Catalyst 6500 series Switch C and Switch J are secondary VMPS servers End stations are connected to the clients Switch B and Switch I The database configuration file is stored on the TFTP serve...

Page 2245: ...ess Ports on VMPS Clients on page 2156 Dynamic VLAN Assignments on page 2152 Dynamic Access Port VLAN Membership on page 2153 Where to Go Next You can configure the following VTP Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 2163 Where to Go Next ...

Page 2246: ...nk Description http www cisco com support The Cisco Support website provides extensive online resources including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco T...

Page 2247: ...rmation for VMPS Modification Release This feature was introduced Cisco IOS 15 0 2 EX Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 2165 Feature History and Information for VMPS ...

Page 2248: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 2166 Feature History and Information for VMPS ...

Page 2249: ... Search Tool and the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navi...

Page 2250: ...s which are both set to 5 by default Because the sound quality of an IP phone call can deteriorate if the data is unevenly sent the switch supports quality of service QoS based on IEEE 802 1p CoS QoS uses classification and scheduling to send network traffic from the switch in a predictable manner The Cisco 7960 IP Phone is a configurable device and you can configure it to forward traffic with an ...

Page 2251: ...d Topics Configuring the Priority of Incoming Data Frames on page 2173 Example Configuring the Priority of Incoming Data Frames on page 2175 Voice VLAN Configuration Guidelines Because a Cisco 7960 IP Phone also supports a connection to a PC or other device a port connecting the switch to a Cisco IP Phone can carry mixed traffic You can configure a port to decide how the Cisco IP Phone carries voi...

Page 2252: ... switch for up to 30 seconds Note Protected port A source or destination port for a SPAN or RSPAN session Secure port When you enable port security on an interface that is also configured with a voice VLAN you must set the maximum allowed secure addresses on the port to two plus the maximum number of secure addresses allowed on the access VLAN When the port is connected to a Cisco IP Phone the pho...

Page 2253: ...yer 3 IP precedence value the default is 5 SUMMARY STEPS 1 enable 2 configure terminal 3 interface interface id 4 mls qos trust cos 5 switchport voice vlan vlan id dot1p none untagged 6 end 7 Use one of the following show interfaces interface id switchport show running config interface interface id 8 copy running config startup config DETAILED STEPS Purpose Command or Action Enables privileged EXE...

Page 2254: ...t1p Configures the switch to accept voice and data IEEE 802 1p priority frames tagged with VLAN ID 0 the native VLAN By default the switch drops all voice and data traffic tagged with VLAN 0 If configured for 802 1p the Cisco IP Phone forwards the traffic with an IEEE 802 1p priority of 5 none Allows the phone to use its own configuration to send untagged voice traffic untagged Configures the phon...

Page 2255: ... phone to not change trust or to override not trust the priority of frames arriving on the phone port from connected devices Follow these steps to set the priority of data traffic received from the non voice port on the Cisco IP Phone SUMMARY STEPS 1 enable 2 configure terminal 3 interface interface id 4 switchport priority extend cos value trust 5 end 6 show interfaces interface id switchport 7 c...

Page 2256: ...s the phone access port to trust the priority received from the PC or the attached device Returns to privileged EXEC mode end Example Switch config if end Step 5 Verifies your entries show interfaces interface id switchport Example Switch show interfaces gigabitethernet1 0 1 Step 6 switchport Optional Saves your entries in the configuration file copy running config startup config Example Switch co...

Page 2257: ...fic on page 2168 Example Configuring the Priority of Incoming Data Frames This example shows how to configure a port connected to a Cisco IP Phone to not change the priority of frames received from the PC or the attached device Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config interface gigabitethernet1 0 1 Switch config if switchport priority extend...

Page 2258: ... Link Description http www cisco com support The Cisco Support website provides extensive online resources including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisc...

Page 2259: ...n for Voice VLAN Modification Release This feature was introduced Cisco IOS 15 0 2 EX Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 2177 Feature History and Information for Voice VLAN ...

Page 2260: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 2178 Feature History and Information for Voice VLAN ...

Page 2261: ...mergency calls These phones should be clearly identified and all employees or others who might require emergency access to make or receive calls should be informed of the availability of these phones Statement 361 VoIP and Emergency Calling Services do not Function if Power Fails Voice over IP VoIP service and the emergency calling service do not function if power fails or is disrupted After power...

Page 2262: ... il numero di emergenza è 911 Si consiglia di individuare il numero di emergenza del proprio Paese Avvertenza Tjenesten Voice over IP VoIP og nødanropstjenesten fungerer ikke ved strømbrudd Etter at strømmen har kommet tilbake må du kanskje nullstille eller konfigurere utstyret på nytt for å få tilgang til VoIP og nødanropstjenesten I USA er dette nødnummeret 911 Du må vite hva nødnummeret er i di...

Page 2263: ...rning BELANGRIJKE VEILIGHEIDSINSTRUCTIES Dit waarschuwingssymbool betekent gevaar U verkeert in een situatie die lichamelijk letsel kan veroorzaken Voordat u aan enige apparatuur gaat werken dient u zich bewust te zijn van de bij elektrische schakelingen betrokken risico s en dient u op de hoogte te zijn van de standaard praktijken om ongelukken te voorkomen Gebruik het nummer van de verklaring on...

Page 2264: ...ren elektrischer Schaltungen und den üblichen Verfahren zur Vorbeugung vor Unfällen vertraut Suchen Sie mit der am Ende jeder Warnung angegebenen Anweisungsnummer nach der jeweiligen Übersetzung in den übersetzten Sicherheitshinweisen die zusammen mit diesem Gerät ausgeliefert wurden BEWAHREN SIE DIESE HINWEISE GUT AUF Warnung IMPORTANTI ISTRUZIONI SULLA SICUREZZA Questo simbolo di avvertenza indi...

Page 2265: ...de la corriente eléctrica y familiarícese con los procedimientos estándar de prevención de accidentes Al final de cada advertencia encontrará el número que le ayudará a encontrar el texto traducido en el apartado de traducciones que acompaña a este dispositivo GUARDE ESTAS INSTRUCCIONES Advertencia VIKTIGA SÄKERHETSANVISNINGAR Denna varningssignal signalerar fara Du befinner dig i en situation som...

Page 2266: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 2184 Important Notice Statement 1071 Warning Definition ...

Page 2267: ... authentication authorization and accounting continued server groups continued broadcast accounting 1016 1032 session MIB 1016 1024 1031 1032 example 1031 aaa accounting resource start stop group command 1023 aaa accounting resource stop failure group command 1023 access control entries 1170 See ACEs 1170 access groups 1181 Layer 3 1181 access groups applying IPv4 ACLs to interfaces 1203 access li...

Page 2268: ... formats 186 address resolution 1530 addresses 186 220 1529 1530 1550 dynamic 220 1529 1530 accelerated aging 220 addresses continued dynamic continued default aging 220 defined 1529 learning 1530 IPv6 186 MAC discovering 1530 multicast 220 STP address management 220 static 1550 adding and removing 1550 aggregatable global unicast addresses 187 aggregate policers 601 637 aggregate port learners 34...

Page 2269: ...grades auto upgrade in switch stacks 729 automatic upgrades with auto upgrade 729 autonegotiation 1642 mismatches 1642 B BackboneFast 294 309 described 294 enabling 309 backup 212 port 212 backup interfaces 374 See Flex Links 374 banners 1529 1540 1541 configuring 1540 1541 login 1541 message of the day login 1540 default configuration 1529 Berkeley r tools replacement 1072 binding configuration 1...

Page 2270: ...131 1134 1135 1592 2156 accounting 889 933 authentication 928 authentication key 883 configuring continued authorization 888 932 communication global 924 926 communication per server 924 Layer 2 interfaces 342 login authentication 885 member number 735 multiple UDP ports 924 on Layer 2 interfaces 342 priority value 736 Configuring a Multicast Router Port 182 Example command 182 configuring a secur...

Page 2271: ...9 980 1127 1291 1613 1627 1630 2153 designated 212 port 212 switch 212 desktop template 732 destination IP address based forwarding 334 destination IP address based forwarding EtherChannel 333 destination MAC address forwarding 333 destination MAC address forwarding EtherChannel 333 detecting indirect link failures STP 294 device 219 root 219 device priority 233 269 MSTP 269 STP 233 device stack 4...

Page 2272: ...ng all system diagnostics 1654 enabling and disabling 174 Enabling MLD Immediate Leave 183 Example command 183 encrypting 760 encryption for passwords 760 encryption methods 1071 encryption CipherSuite 1129 enhanced PoE 86 96 entering server address 2154 EtherChannel 324 327 328 329 330 331 332 333 336 337 338 342 345 348 349 350 351 352 automatic creation of 328 332 channel groups 327 binding phy...

Page 2273: ...P 244 STP 214 227 extended universal identifier 187 See EUI 187 extended range VLAN 2122 extended range VLAN configuration guidelines 2114 F Fa0 port 51 See Ethernet management port 51 fallback bridging 212 222 STP 212 keepalive messages 212 VLAN bridge STP 222 Fast Uplink Transition Protocol 293 fastethernet0 port 51 See Ethernet management port 51 feature history 666 auto QoS 666 feature informa...

Page 2274: ...s 86 IGMP 119 121 122 123 137 138 139 141 145 178 180 181 configurable leave timer 121 137 described 121 configurable leave timer 121 137 enabling 137 flooded multicast traffic 138 139 141 controlling the length of time 138 disabling on an interface 141 global leave 139 recovering from flood mode 139 join messages 119 leave processing enabling 178 leaving multicast group 121 queries 119 report sup...

Page 2275: ...26 configuration 2029 measuring network performance 2027 response time 2028 IP SLAs continued SNMP support 2026 supported metrics 2026 IP source guard 1291 1293 1294 1295 802 1x 1293 binding configuration 1291 automatic 1291 manual 1291 binding table 1291 configuration guidelines 1293 described 1291 DHCP snooping 1291 enabling 1294 1295 EtherChannels 1293 port security 1293 routed ports 1293 stati...

Page 2276: ...system priority 350 Layer 2 EtherChannel configuration guidelines 340 Layer 2 interface modes 2131 Layer 2 interfaces 342 Layer 2 NetFlow 532 Layer 2 traceroute 1627 1628 and ARP 1628 and CDP 1628 broadcast traffic 1627 described 1627 IP addresses and subnets 1628 MAC addresses and VLANs 1628 multicast traffic 1628 multiple devices on a port 1628 unicast traffic 1627 usage guidelines 1628 Layer 3 ...

Page 2277: ...4 606 607 610 CoS to DSCP 568 604 DSCP 604 DSCP to CoS 570 DSCP to DSCP mutation 610 IP precedence to DSCP 569 606 policed DSCP 607 described 552 marking 597 601 637 action in policy map 597 action with aggregate policers 601 637 match 512 datalink 512 flow 512 interface 512 ipv4 512 ipv6 512 transport 512 match parameters 513 maximum aging time 236 273 MSTP 273 STP 236 maximum hop count MSTP 274 ...

Page 2278: ...cking to forwarding 288 interoperability and compatibility among modes 222 242 interoperability with IEEE 802 1D 252 278 described 252 restarting migration process 278 IST 246 operations within a region 246 MSTP continued loop guard 298 313 described 298 enabling 313 mapping VLANs to MST instance 262 MST region 245 246 248 261 CIST 246 configuring 261 described 245 hop count mechanism 248 IST 245 ...

Page 2279: ...ith dual action detection 331 partitioned 719 1641 password 2091 password and privilege level 756 password recovery disable considerations 762 passwords 753 756 758 760 762 764 765 1626 default configuration 756 disabling recovery of 762 encrypting 760 overview 753 recovery of 1626 setting 758 760 764 765 enable 758 enable secret 760 Telnet 764 with usernames 765 path cost 212 231 268 MSTP 268 STP...

Page 2280: ...ilege levels continued logging into 770 overview 757 setting a command with 767 Protecting Enable and Enable Secret Passwords with Encryption 772 Example command 772 provisioned configuration defined 726 provisioned switch defined 726 provisioning a new member 739 provisioning new members for a switch stack 726 proxy reports 376 pruning eligible list 2138 PVST mode 2132 PVST 221 222 described 221 ...

Page 2281: ...ocation of 554 WTD described 554 rewrites 563 SRR 616 configuring 616 shared weights on ingress queues 616 QoS policy 584 queries IGMP 119 queueing 556 560 R RADIUS 903 904 905 924 926 928 930 932 933 935 937 942 attributes 935 937 942 vendor proprietary 937 942 vendor specific 935 configuring 924 926 928 932 933 accounting 933 authentication 928 authorization 932 communication global 924 926 comm...

Page 2282: ...nteraction with other features 481 monitored ports 479 monitoring ports 480 overview 473 RSPAN continued received traffic 478 session limits 472 sessions 477 491 492 494 499 creating 491 492 defined 477 limiting source traffic to specific VLANs 494 specifying monitored ports 491 492 with ingress traffic enabled 499 source ports 479 transmitted traffic 478 VLAN based 479 RSTP 252 253 254 255 256 27...

Page 2283: ...how forward command 1645 show interfaces switchport 389 show platform forward command 1645 Simple Network Management Protocol SNMP 431 single switch EtherChannel 326 SNMP 1543 1546 1548 2026 and IP SLAs 2026 traps 1543 1546 1548 enabling MAC address notification 1543 1546 1548 SNMP and Syslog Over IPv6 189 snooping 181 source and destination MAC address forwarding EtherChannel 333 source and desti...

Page 2284: ...h auto upgrade 729 stacks switch continued version mismatch VM mode continued described 729 upgrades with auto extract 729 stacks switch version mismatch VM mode 729 manual upgrades with auto advise 729 stacks switch 719 729 735 740 assigning information 735 member number 735 auto copy 729 merged 719 offline configuration 740 removing a provisioned member 740 partitioned 719 standards supported 86...

Page 2285: ... 903 summer time 1533 supported features 52 186 supported watts per port 18 86 SVIs 1169 and router ACLs 1169 Switch Access 771 displaying 771 switch as trusted third party 980 switch stack 1646 switch stack consideration 732 switch stacks 173 2089 switched packets ACLs on 1262 switchport backup interface 390 system 77 system capabilities TLV 57 system clock 1523 1531 1532 1533 configuring 1531 15...

Page 2286: ... 1543 1546 1548 enabling 1543 1546 1548 troubleshooting 654 1627 1628 1630 1643 1645 2161 auto QoS 654 setting packet forwarding 1645 troubleshooting continued SFP security and identification 1643 show forward command 1645 with debug commands 1630 with ping 1627 with traceroute 1628 Troubleshooting Examples command 1652 trunk 2133 2136 configuration 2133 trunk failover 366 trunk interfaces 1293 tr...

Page 2287: ...3 2154 2158 2160 2161 dynamic port membership 2153 2158 2161 described 2153 reconfirming 2158 VMPS continued dynamic port membership continued troubleshooting 2161 entering server address 2154 reconfirmation interval changing 2158 reconfirming membership 2158 retry count changing 2160 VMPS client configuration 2154 default 2154 VMPS Configuration Example command 2162 voice VLAN 2169 2173 configura...

Page 2288: ...WTD 612 618 setting thresholds 612 618 egress queue sets 618 ingress queues 612 Z zzz 980 Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches IN 22 Index ...

Reviews:

No comments

Related manuals for Catalyst 2960 Series

D-Link DIR-855L Quick Installation Manual preview
DIR-855L
Brand: D-Link Pages: 28
D-Link DIR-826L Quick Install Manual preview
DIR-826L
Brand: D-Link Pages: 2
D-Link DIR-655 - Xtreme N Gigabit Router Wireless Quick Start Manual preview
DIR-655 - Xtreme N Gigabit Router Wireless
Brand: D-Link Pages: 3
D-Link DIR-605L Technical Support Setup Procedure preview
DIR-605L
Brand: D-Link Pages: 11
D-Link DIR-822 Quick Instillation Manual preview
DIR-822
Brand: D-Link Pages: 35
D-Link DIR-880L Quick Install Manual preview
DIR-880L
Brand: D-Link Pages: 12
D-Link DIR-842 Quick Install Manual preview
DIR-842
Brand: D-Link Pages: 12
D-Link DIR-821 Quick Install Manual preview
DIR-821
Brand: D-Link Pages: 24
D-Link DIR-803 Quick Installation Manual preview
DIR-803
Brand: D-Link Pages: 20
D-Link DIR-815/AC Quick Installation Manual preview
DIR-815/AC
Brand: D-Link Pages: 44
D-Link DIR-830M Quick Installation Manual preview
DIR-830M
Brand: D-Link Pages: 52
D-Link DIR-821 User Manual preview
DIR-821
Brand: D-Link Pages: 103
H3C SR8800 IM-FW-II Command Reference Manual preview
SR8800 IM-FW-II
Brand: H3C Pages: 107
3Com MSR 50 Series Safety Information Manual preview
MSR 50 Series
Brand: 3Com Pages: 12
H3C S9500 Series Operating Manual preview
S9500 Series
Brand: H3C Pages: 16
H3C H3C S3600 Series Datasheet preview
H3C S3600 Series
Brand: H3C Pages: 10
H3C MSR 930 Installation Manual preview
MSR 930
Brand: H3C Pages: 42
H3C MSR 800 Installation, Quick Start preview
MSR 800
Brand: H3C Pages: 2

Brands by name

Popular brands

Load more brands