manualshive.com logo in svg

Cisco Catalyst 3130, Software Configuration Manual

The Cisco Catalyst 3130 is a high-performance networking switch designed for seamless data transfer. To ensure a smooth setup, make use of the comprehensive "Getting Started Manual" available for free download. Simply visit manualshive.com to access the manual and unlock the full potential of your Catalyst 3130 switch.

Share
Download
background image

 

9-28

Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide

OL-12247-04

Chapter 9      Configuring IEEE 802.1x Port-Based Authentication

Understanding IEEE 802.1x Port-Based Authentication

Network Admission Control Layer 2 802.1x Validation

The switch supports the Network Admission Control (NAC) Layer 2 802.1x validation, which checks 
the antivirus condition or 

posture

 of endpoint systems or clients before granting the devices network 

access. With NAC Layer 2 802.1x validation, you can do these tasks:

Download the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action 
RADIUS attribute (Attribute[29]) from the authentication server.

Set the number of seconds between re-authentication attempts as the value of the Session-Timeout 
RADIUS attribute (Attribute[27]) and get an access policy against the client from the RADIUS 
server.

Set the action to be taken when the switch tries to re-authenticate the client by using the 
Termination-Action RADIUS attribute (Attribute[29]). If the value is the 

DEFAULT

 or is not set, the 

session ends. If the value is RADIUS-Request, the re-authentication process starts.

View the NAC posture token, which shows the posture of the client, by using the

 show dot1x

 

privileged EXEC command.

Configure secondary private VLANs as guest VLANs.

Configuring NAC Layer 2 802.1x validation is similar to configuring 802.1x port-based authentication 
except that you must configure a posture token on the RADIUS server. For information about 
configuring NAC Layer 2 802.1x validation, see th

“Configuring NAC Layer 2 802.1x Validation” 

section on page 9-57

 and the 

“Configuring Periodic Re-Authentication” section on page 9-43

.

For more information about NAC, see the 

Network Admission Control Software Configuration Guide

.

For more configuration information, see the 

“Authentication Manager” section on page 9-8

.

Flexible Authentication Ordering

You can use flexible authentication ordering to configure the order of methods that a port uses to 
authenticate a new host. MAC authentication bypass and 802.1x can be the primary or secondary 
authentication methods, and web authentication can be the fallback method if either or both of those 
authentication attempts fail. For more information see the 

“Configuring Flexible Authentication 

Ordering” section on page 9-62

.

Open1x Authentication

Open1x authentication allows a device access to a port before that device is authenticated. When open 
authentication is configured, a new host on the port can only send traffic to the switch. After the host is 
authenticated, the policies configured on the RADIUS server are applied to that host. 

You can configure open authentication with these scenarios:

Single-host mode with open authentication–Only one user is allowed network access before and 
after authentication.

MDA mode with open authentication–Only one user in the voice domain and one user in the data 
domain are allowed.

Multiple-hosts mode with open authentication–Any host can access the network.

Multiple-authentication mode with open authentication–Similar to MDA, except multiple hosts can 
be authenticated.

For more information see th

“Configuring the Host Mode” section on page 9-42.

Summary of Contents for Catalyst 3130

Page 1: ...n Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide Cisco IOS Release 12 2 52 SE October 2009 Text Part Number OL 12247 04 ...

Page 2: ... TelePresence Cisco Unified Computing System Cisco WebEx DCE Flip Channels Flip for Good Flip Mino Flipshare Design Flip Ultra Flip Video Flip Video Design Instant Broadband and Welcome to the Human Network are trademarks Changing the Way We Work Live Play and Learn Cisco Capital Cisco Capital Design Cisco Financed Stylized Cisco Store and Flip Gift Card are service marks and Access Registrar Airo...

Page 3: ...eatures 1 8 VLAN Features 1 9 Security Features 1 10 QoS and CoS Features 1 13 Layer 3 Features 1 14 Monitoring Features 1 16 Default Settings After Initial Switch Configuration 1 17 Network Configuration Examples 1 20 Design Concepts for Using the Switch 1 20 Small to Medium Sized Network 1 23 Where to Go Next 1 24 C H A P T E R 2 Using the Command Line Interface 2 1 Understanding Command Modes 2...

Page 4: ...equest Process 3 4 Understanding DHCP based Autoconfiguration and Image Update 3 5 DHCP Autoconfiguration 3 5 DHCP Auto Image Update 3 5 Limitations and Restrictions 3 6 Configuring DHCP Based Autoconfiguration 3 6 DHCP Server Configuration Guidelines 3 7 Configuring the TFTP Server 3 7 Configuring the DNS 3 8 Configuring the Relay Device 3 8 Obtaining Configuration Files 3 9 Example Configuration...

Page 5: ...ding Cisco IOS Agents 4 5 Initial Configuration 4 5 Incremental Partial Configuration 4 6 Synchronized Configuration 4 6 Configuring Cisco IOS Agents 4 6 Enabling Automated CNS Configuration 4 7 Enabling the CNS Event Agent 4 8 Enabling the Cisco IOS CNS Agent 4 9 Enabling an Initial Configuration 4 9 Enabling a Partial Configuration 4 13 Displaying CNS Configuration 4 14 C H A P T E R 5 Managing ...

Page 6: ...Console Ports or Ethernet Management Ports 5 19 Connectivity to Specific Stack Members 5 19 Switch Stack Configuration Scenarios 5 19 Configuring the Switch Stack 5 21 Default Switch Stack Configuration 5 21 Enabling Persistent MAC Address 5 22 Assigning Stack Member Information 5 24 Assigning a Stack Member Number 5 24 Setting the Stack Member Priority Value 5 25 Provisioning a New Member for a S...

Page 7: ...one 6 12 Configuring Summer Time Daylight Saving Time 6 13 Configuring a System Name and Prompt 6 14 Default System Name and Prompt Configuration 6 15 Configuring a System Name 6 15 Understanding DNS 6 15 Default DNS Configuration 6 16 Setting Up DNS 6 16 Displaying the DNS Configuration 6 17 Creating a Banner 6 17 Default Banner Configuration 6 17 Configuring a Message of the Day Login Banner 6 1...

Page 8: ...d Pairs 7 6 Configuring Multiple Privilege Levels 7 7 Setting the Privilege Level for a Command 7 8 Changing the Default Privilege Level for Lines 7 9 Logging into and Exiting a Privilege Level 7 9 Controlling Switch Access with TACACS 7 10 Understanding TACACS 7 10 TACACS Operation 7 12 Configuring TACACS 7 12 Default TACACS Configuration 7 13 Identifying the TACACS Server Host and Setting the Au...

Page 9: ... 7 39 Configuring RADIUS Server Load Balancing 7 39 Displaying the RADIUS Configuration 7 39 Controlling Switch Access with Kerberos 7 39 Understanding Kerberos 7 40 Kerberos Operation 7 42 Authenticating to a Boundary Switch 7 42 Obtaining a TGT from a KDC 7 43 Authenticating to Network Services 7 43 Configuring Kerberos 7 43 Configuring the Switch for Local Authentication and Authorization 7 44 ...

Page 10: ...late 8 4 Default SDM Template 8 4 SDM Template Configuration Guidelines 8 4 Setting the SDM Template 8 5 Displaying the SDM Templates 8 6 C H A P T E R 9 Configuring IEEE 802 1x Port Based Authentication 9 1 Understanding IEEE 802 1x Port Based Authentication 9 1 Device Roles 9 3 Authentication Process 9 4 Authentication Initiation and Message Exchange 9 6 Authentication Manager 9 8 Port Based Aut...

Page 11: ...26 802 1x Authentication with MAC Authentication Bypass 9 26 Network Admission Control Layer 2 802 1x Validation 9 28 Flexible Authentication Ordering 9 28 Open1x Authentication 9 28 Multidomain Authentication 9 29 Voice Aware 802 1x Security 9 30 802 1x Supplicant and Authenticator Switches with Network Edge Access Topology NEAT 9 30 Guidelines 9 31 Configuring 802 1x Authentication 9 31 Default ...

Page 12: ...idation 9 57 Configuring an Authenticator and a Supplicant Switch with NEAT 9 58 Configuring NEAT with ASP 9 60 Configuring 802 1x Authentication with Downloadable ACLs and Redirect URLs 9 60 Configuring Downloadable ACLs 9 60 Configuring a Downloadable Policy 9 61 Configuring VLAN ID based MAC Authentication 9 62 Configuring Flexible Authentication Ordering 9 62 Configuring Open1x 9 63 Disabling ...

Page 13: ...tion 10 11 Configuring Switch to RADIUS Server Communication 10 11 Configuring the HTTP Server 10 13 Customizing the Authentication Proxy Web Pages 10 13 Specifying a Redirection URL for Successful Login 10 15 Configuring an AAA Fail Policy 10 15 Configuring the Web Based Authentication Parameters 10 16 Configuring a Web Authentication Local Banner 10 17 Removing Web Based Authentication Cache Ent...

Page 14: ...lex Mode 11 19 Speed and Duplex Configuration Guidelines 11 19 Setting the Interface Speed and Duplex Parameters 11 20 Configuring IEEE 802 3x Flow Control 11 21 Configuring Auto MDIX on an Interface 11 22 Adding a Description for an Interface 11 23 Configuring Layer 3 Interfaces 11 24 Configuring SVI Autostate Exclude 11 25 Configuring the System MTU 11 26 Monitoring and Maintaining the Interface...

Page 15: ...nded Range VLAN 13 12 Creating an Extended Range VLAN with an Internal VLAN ID 13 13 Displaying VLANs 13 14 Configuring VLAN Trunks 13 15 Trunking Overview 13 15 Encapsulation Types 13 17 IEEE 802 1Q Configuration Considerations 13 18 Default Layer 2 Ethernet Interface VLAN Configuration 13 18 Configuring an Ethernet Interface as a Trunk Port 13 18 Interaction with Other Features 13 19 Configuring...

Page 16: ...2 C H A P T E R 14 Configuring VTP 14 1 Understanding VTP 14 1 The VTP Domain 14 2 VTP Modes 14 3 VTP Advertisements 14 4 VTP Version 2 14 4 VTP Version 3 14 5 VTP Pruning 14 6 VTP and Switch Stacks 14 8 Configuring VTP 14 8 Default VTP Configuration 14 8 VTP Configuration Guidelines 14 9 Domain Names 14 9 Passwords 14 10 VTP Version 14 10 Configuration Requirements 14 11 Configuring VTP Mode 14 1...

Page 17: ...ssing Scheme with Private VLANs 16 3 Private VLANs across Multiple Switches 16 4 Private VLAN Interaction with Other Features 16 4 Private VLANs and Unicast Broadcast and Multicast Traffic 16 5 Private VLANs and SVIs 16 5 Private VLANs and Switch Stacks 16 5 Configuring Private VLANs 16 6 Tasks for Configuring Private VLANs 16 6 Default Private VLAN Configuration 16 6 Private VLAN Configuration Gu...

Page 18: ...yer 2 Protocol Tunneling Configuration Guidelines 17 12 Configuring Layer 2 Protocol Tunneling 17 13 Configuring Layer 2 Tunneling for EtherChannels 17 14 Configuring the SP Edge Switch 17 14 Configuring the Customer Switch 17 16 Monitoring and Maintaining Tunneling Status 17 18 C H A P T E R 18 Configuring STP 18 1 Understanding Spanning Tree Features 18 1 STP Overview 18 2 Spanning Tree Topology...

Page 19: ...guring Path Cost 18 20 Configuring the Switch Priority of a VLAN 18 21 Configuring Spanning Tree Timers 18 22 Configuring the Hello Time 18 22 Configuring the Forwarding Delay Time for a VLAN 18 23 Configuring the Maximum Aging Time for a VLAN 18 23 Configuring the Transmit Hold Count 18 24 Displaying the Spanning Tree Status 18 24 C H A P T E R 19 Configuring MSTP 19 1 Understanding MSTP 19 2 Mul...

Page 20: ...ath Cost 19 21 Configuring the Switch Priority 19 21 Configuring the Hello Time 19 22 Configuring the Forwarding Delay Time 19 23 Configuring the Maximum Aging Time 19 23 Configuring the Maximum Hop Count 19 24 Specifying the Link Type to Ensure Rapid Transitions 19 24 Designating the Neighbor Type 19 25 Restarting the Protocol Migration Process 19 25 Displaying the MST Configuration and Status 19...

Page 21: ... 20 19 C H A P T E R 21 Configuring Flex Links and the MAC Address Table Move Update Feature 21 1 Understanding Flex Links and the MAC Address Table Move Update 21 1 Flex Links 21 1 VLAN Flex Link Load Balancing and Support 21 2 Flex Link Multicast Fast Convergence 21 3 Learning the Other Flex Link Port as the mrouter Port 21 3 Generating IGMP Reports 21 3 Leaking IGMP Reports 21 4 Configuration E...

Page 22: ...bling the DHCP Snooping Binding Database Agent 22 15 Displaying DHCP Snooping Information 22 16 Understanding IP Source Guard 22 16 Source IP Address Filtering 22 17 Source IP and MAC Address Filtering 22 17 IP Source Guard for Static Hosts 22 17 Configuring IP Source Guard 22 18 Default IP Source Guard Configuration 22 18 IP Source Guard Configuration Guidelines 22 18 Enabling IP Source Guard 22 ...

Page 23: ...r 23 12 Displaying Dynamic ARP Inspection Information 23 14 C H A P T E R 24 Configuring IGMP Snooping and MVR 24 1 Understanding IGMP Snooping 24 2 IGMP Versions 24 3 Joining a Multicast Group 24 3 Leaving a Multicast Group 24 5 Immediate Leave 24 6 IGMP Configurable Leave Timer 24 6 IGMP Report Suppression 24 6 IGMP Snooping and Switch Stacks 24 7 Configuring IGMP Snooping 24 7 Default IGMP Snoo...

Page 24: ... IGMP Groups 24 27 Configuring the IGMP Throttling Action 24 28 Displaying IGMP Filtering and Throttling Configuration 24 29 C H A P T E R 25 Configuring IPv6 MLD Snooping 25 1 Understanding MLD Snooping 25 1 MLD Messages 25 2 MLD Queries 25 3 Multicast Client Aging Robustness 25 3 Multicast Router Discovery 25 3 MLD Reports 25 4 MLD Done Messages and Immediate Leave 25 4 Topology Change Notificat...

Page 25: ...ation 26 8 Blocking Flooded Traffic on an Interface 26 8 Configuring Port Security 26 8 Understanding Port Security 26 9 Secure MAC Addresses 26 9 Security Violations 26 10 Default Port Security Configuration 26 11 Port Security Configuration Guidelines 26 11 Enabling and Configuring Port Security 26 13 Enabling and Configuring Port Security Aging 26 17 Port Security and Switch Stacks 26 18 Port S...

Page 26: ...ED and Wired Location Service 29 1 LLDP 29 1 LLDP MED 29 2 Wired Location Service 29 3 Configuring LLDP LLDP MED and Wired Location Service 29 4 Default LLDP Configuration 29 4 Configuration Guidelines 29 4 Enabling LLDP 29 5 Configuring LLDP Characteristics 29 5 Configuring LLDP MED TLVs 29 6 Configuring Network Policy TLV 29 7 Configuring Location TLV and Wired Location Service 29 9 Monitoring a...

Page 27: ...LANs to Filter 30 20 Creating an RSPAN Destination Session 30 21 Creating an RSPAN Destination Session and Configuring Incoming Traffic 30 22 Configuring FSPAN and FRSPAN 30 24 Configuration Guidelines 30 24 Configuring an FSPAN Session 30 25 Configuring an FRSPAN Session 30 26 Displaying SPAN and RSPAN Status 30 28 C H A P T E R 31 Configuring RMON 31 1 Understanding RMON 31 1 Configuring RMON 31...

Page 28: ...tem Logging Facility 32 13 Displaying the Logging Configuration 32 14 C H A P T E R 33 Configuring SNMP 33 1 Understanding SNMP 33 1 SNMP Versions 33 2 SNMP Manager Functions 33 3 SNMP Agent Functions 33 4 SNMP Community Strings 33 4 Using SNMP to Access MIB Variables 33 4 SNMP Notifications 33 5 SNMP ifIndex MIB Object Values 33 5 Configuring SNMP 33 6 Default SNMP Configuration 33 6 SNMP Configu...

Page 29: ... Information 33 7 C H A P T E R 34 Configuring Network Security with ACLs 34 1 Understanding ACLs 34 1 Supported ACLs 34 2 Port ACLs 34 3 Router ACLs 34 4 VLAN Maps 34 5 Handling Fragmented and Unfragmented Traffic 34 5 ACLs and Switch Stacks 34 6 Configuring IPv4 ACLs 34 7 Creating Standard and Extended IPv4 ACLs 34 8 Access List Numbers 34 8 ACL Logging 34 9 Creating a Numbered Standard ACL 34 1...

Page 30: ... in Your Network 34 35 Denying Access to a Server on Another VLAN 34 35 Using VLAN Maps with Router ACLs 34 36 VLAN Maps and Router ACL Configuration Guidelines 34 36 Examples of Router ACLs and VLAN Maps Applied to VLANs 34 37 ACLs and Switched Packets 34 37 ACLs and Bridged Packets 34 38 ACLs and Routed Packets 34 39 ACLs and Multicast Packets 34 39 Displaying IPv4 ACL Configuration 34 40 C H A ...

Page 31: ...18 Packet Modification 36 20 Configuring Auto QoS 36 21 Generated Auto QoS Configuration 36 22 Effects of Auto QoS on the Configuration 36 26 Auto QoS Configuration Guidelines 36 26 Enabling Auto QoS for VoIP 36 27 Auto QoS Configuration Example 36 28 Displaying Auto QoS Information 36 30 Configuring Standard QoS 36 30 Default Standard QoS Configuration 36 31 Default Ingress Queue Configuration 36...

Page 32: ...ing Traffic by Using Aggregate Policers 36 65 Configuring DSCP Maps 36 67 Configuring the CoS to DSCP Map 36 68 Configuring the IP Precedence to DSCP Map 36 69 Configuring the Policed DSCP Map 36 70 Configuring the DSCP to CoS Map 36 71 Configuring the DSCP to DSCP Mutation Map 36 72 Configuring Ingress Queue Characteristics 36 73 Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thre...

Page 33: ... 37 9 Configuring EtherChannels 37 10 Default EtherChannel Configuration 37 10 EtherChannel Configuration Guidelines 37 11 Configuring Layer 2 EtherChannels 37 12 Configuring Layer 3 EtherChannels 37 14 Creating Port Channel Logical Interfaces 37 14 Configuring the Physical Interfaces 37 15 Configuring EtherChannel Load Balancing 37 17 Configuring the PAgP Learn Method and Priority 37 18 Configuri...

Page 34: ...P Routing is Disabled 38 12 Proxy ARP 38 12 Default Gateway 38 12 ICMP Router Discovery Protocol IRDP 38 13 Configuring Broadcast Packet Handling 38 14 Enabling Directed Broadcast to Physical Broadcast Translation 38 15 Forwarding UDP Broadcast Packets and Protocols 38 16 Establishing an IP Broadcast Address 38 16 Flooding IP Broadcasts 38 17 Monitoring and Maintaining IP Addressing 38 18 Enabling...

Page 35: ...nabling BGP Routing 38 50 Managing Routing Policy Changes 38 53 Configuring BGP Decision Attributes 38 54 Configuring BGP Filtering with Route Maps 38 56 Configuring BGP Filtering by Neighbor 38 57 Configuring Prefix Lists for BGP Filtering 38 58 Configuring BGP Community Filtering 38 59 Configuring BGP Neighbors and Peer Groups 38 61 Configuring Aggregate Addresses 38 63 Configuring Routing Domai...

Page 36: ...P PE to CE Routing Sessions 38 87 Multi VRF CE Configuration Example 38 87 Displaying Multi VRF CE Status 38 91 Configuring Unicast Reverse Path Forwarding 38 92 Configuring Protocol Independent Features 38 92 Configuring Cisco Express Forwarding and Distributed Cisco Express Forwarding 38 92 Configuring the Number of Equal Cost Routing Paths 38 94 Configuring Static Unicast Routes 38 95 Specifyin...

Page 37: ... Routes for IPv6 39 6 RIP for IPv6 39 7 OSPF for IPv6 39 7 EIGRP for IPv6 39 7 HSRP for IPv6 39 7 SNMP and Syslog Over IPv6 39 7 HTTP S Over IPv6 39 8 Unsupported IPv6 and Unicast Routing Features 39 8 Limitations 39 9 IPv6 and Switch Stacks 39 9 Configuring IPv6 39 11 Default IPv6 Configuration 39 11 Configuring IPv6 Addressing and Enabling IPv6 Host Functions or Routing 39 12 Configuring Default...

Page 38: ...HSRP Priority 40 8 Configuring MHSRP 40 10 Configuring HSRP Authentication and Timers 40 11 Enabling HSRP Support for ICMP Redirect Messages 40 12 Displaying HSRP Configurations 40 12 C H A P T E R 41 Configuring Cisco IOS IP SLAs Operations 41 1 Understanding Cisco IOS IP SLAs 41 1 Using Cisco IOS IP SLAs to Measure Network Performance 41 2 IP SLAs Responder and IP SLAs Control Protocol 41 3 Resp...

Page 39: ... HSRP Object Tracking 42 7 Configuring Other Tracking Characteristics 42 8 Configuring IP SLAs Object Tracking 42 9 Monitoring Enhanced Object Tracking 42 10 C H A P T E R 43 Configuring Web Cache Services By Using WCCP 43 1 Understanding WCCP 43 2 WCCP Message Exchange 43 3 WCCP Negotiation 43 3 MD5 Security 43 4 Packet Redirection and Service Groups 43 4 WCCP and Switch Stacks 43 5 Unsupported W...

Page 40: ...iguring Basic Multicast Routing 44 12 Configuring Source Specific Multicast 44 14 SSM Components Overview 44 14 How SSM Differs from Internet Standard Multicast 44 14 SSM IP Address Range 44 15 SSM Operations 44 15 IGMPv3 Host Signalling 44 16 Configuration Guidelines 44 16 Configuring SSM 44 17 Monitoring SSM 44 17 Configuring Source Specific Multicast Mapping 44 18 Configuration Guidelines 44 18...

Page 41: ...CGMP Server Support 44 44 Configuring sdr Listener Support 44 45 Enabling sdr Listener Support 44 46 Limiting How Long an sdr Cache Entry Exists 44 46 Configuring an IP Multicast Boundary 44 46 Configuring Basic DVMRP Interoperability Features 44 48 Configuring DVMRP Interoperability 44 49 Configuring a DVMRP Tunnel 44 51 Advertising Network 0 0 0 0 to DVMRP Neighbors 44 52 Responding to mrinfo Re...

Page 42: ...urce Information that Your Switch Receives 45 13 Configuring an MSDP Mesh Group 45 15 Shutting Down an MSDP Peer 45 15 Including a Bordering PIM Dense Mode Region in MSDP 45 16 Configuring an Originating Address other than the RP Address 45 17 Monitoring and Maintaining MSDP 45 18 C H A P T E R 46 Configuring Fallback Bridging 46 1 Understanding Fallback Bridging 46 1 Fallback Bridging Overview 46...

Page 43: ...Understanding Layer 2 Traceroute 47 12 Usage Guidelines 47 13 Displaying the Physical Path 47 14 Using IP Traceroute 47 14 Understanding IP Traceroute 47 14 Executing IP Traceroute 47 15 Using TDR 47 16 Understanding TDR 47 16 Running TDR and Displaying the Results 47 16 Using Debug Commands 47 17 Enabling Debugging on a Specific Feature 47 17 Enabling All System Diagnostics 47 18 Redirecting Debu...

Page 44: ...ories and Displaying the Working Directory B 4 Creating and Removing Directories B 5 Copying Files B 5 Deleting Files B 6 Creating Displaying and Extracting Files B 6 Working with Configuration Files B 9 Guidelines for Creating and Using Configuration Files B 10 Configuration File Types and Location B 10 Creating a Configuration File By Using a Text Editor B 11 Copying Configuration Files By Using...

Page 45: ...By Using TFTP B 29 Copying Image Files By Using FTP B 29 Preparing to Download or Upload an Image File By Using FTP B 30 Downloading an Image File By Using FTP B 31 Uploading an Image File By Using FTP B 33 Copying Image Files By Using RCP B 34 Preparing to Download or Upload an Image File By Using RCP B 35 Downloading an Image File By Using RCP B 36 Uploading an Image File By Using RCP B 38 Copyi...

Page 46: ...rface Commands C 6 Unsupported Privileged EXEC Commands C 6 Unsupported Global Configuration Commands C 6 Unsupported Interface Configuration Commands C 6 IP Multicast Routing C 6 Unsupported Privileged EXEC Commands C 6 Unsupported Global Configuration Commands C 7 Unsupported Interface Configuration Commands C 7 IP Unicast Routing C 7 Unsupported Privileged EXEC or User EXEC Commands C 7 Unsuppo...

Page 47: ...12 Unsupported Global Configuration Command C 12 Unsupported Interface Configuration Commands C 12 Unsupported Policy Map Configuration Command C 12 RADIUS C 12 Unsupported Global Configuration Commands C 12 SNMP C 13 Unsupported Global Configuration Commands C 13 Spanning Tree C 13 Unsupported Global Configuration Command C 13 Unsupported Interface Configuration Command C 13 VLAN C 13 Unsupported...

Page 48: ...Contents xlviii Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 12247 04 ...

Page 49: ...ommands For detailed information about these commands see the command reference for this release For information about the standard Cisco IOS Release 12 2 commands see the Cisco IOS documentation set available from the Cisco com home page at Products Services Technical Support Documentation See Documentation Cisco IOS Software This guide does not provide detailed information on the GUIs for the em...

Page 50: ...note Notes contain helpful suggestions or references to materials not contained in this manual Caution Means reader be careful In this situation you might do something that could result in equipment damage or loss of data Related Publications These documents provide complete information about the switch and are available from this Cisco com site http www cisco com en US products ps8742 tsd_product...

Page 51: ...tion Notes Cisco CWDM GBIC and CWDM SFP Installation Note These compatibility matrix documents are available from this Cisco com site http www cisco com en US products hw modules ps5455 products_device_support_tables_list html Cisco Gigabit Ethernet Transceiver Modules Compatibility Matrix Cisco 100 Megabit Ethernet SFP Modules Compatibility Matrix Cisco Small Form Factor Pluggable Modules Compati...

Page 52: ...lii Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 12247 04 Preface ...

Page 53: ...witch supports either the cryptographic supports encryption or the noncryptographic universal software image The cryptographic and noncryptographic universal software images support the IP base and IP services feature sets To enable a specific feature set you must have a Cisco IOS software license for that feature set For more information about the software license see the Cisco Software Activatio...

Page 54: ...tures Deployment Features page 1 2 Performance Features page 1 4 Management Options page 1 5 Manageability Features page 1 6 includes a feature requiring the cryptographic universal software image Availability and Redundancy Features page 1 8 VLAN Features page 1 9 Security Features page 1 10 includes a feature requiring the cryptographic universal software image QoS and CoS Features page 1 13 Lay...

Page 55: ...and eligible switches that can join a cluster and to identify link information between switches Monitoring real time status of a switch or multiple switches from the LEDs on the front panel images The system and port LED colors on the images are similar to those used on the physical LEDs Cisco StackWise Plus technology on stacking capable switches for Connecting up to nine switches through their S...

Page 56: ...Channel for enhanced fault tolerance and for providing up to 8 Gb s Gigabit EtherChannel or 80 Gb s 10 Gigabit EtherChannel full duplex bandwidth among switches routers and servers Port Aggregation Protocol PAgP and Link Aggregation Control Protocol LACP for automatic creation of EtherChannel links Support for up to 64 EtherChannels Forwarding of Layer 2 and Layer 3 packets at Gigabit line rate Fo...

Page 57: ...edianet is auto provisioning for Cisco Digital Media Players and Cisco IP Video Surveillance cameras through Auto Smartports Management Options These are the options for configuring and managing the switch An embedded device manager The device manager is a GUI that is integrated in the universal software image You use it to configure and to monitor a single switch For information about starting th...

Page 58: ...hosts DHCP server port based address allocation for the preassignment of an IP address to a switch port Directed unicast requests to a DNS server for identifying a switch through its IP address and its corresponding hostname and to a TFTP server for administering software upgrades from a TFTP server Address Resolution Protocol ARP for identifying a switch through its IP address and its correspondi...

Page 59: ...d devices to a Cisco Mobility Services Engine MSE LLDP MED network policy profile time length value TLV for creating a profile for voice and voice signalling by specifying the values for VLAN class of service CoS differentiated services code point DSCP and tagging mode CPU utilization threshold trap to monitor CPU utilization The HTTP client in Cisco IOS supports can send requests to both IPv4 and...

Page 60: ...nd BackboneFast for fast convergence after a spanning tree topology change and for achieving load balancing between redundant uplinks including Gigabit uplinks and cross stack Gigabit uplinks only stacking capable switches IEEE 802 1s Multiple Spanning Tree Protocol MSTP for grouping VLANs into a spanning tree instance and for providing multiple forwarding paths for data traffic and load balancing...

Page 61: ...s for high security users and network resources Dynamic Trunking Protocol DTP for negotiating trunking on a link between two devices and for negotiating the type of trunking encapsulation IEEE 802 1Q or ISL to be used VLAN Trunking Protocol VTP and VTP pruning for reducing network traffic by restricting flooded traffic to links destined for stations receiving the traffic Voice VLAN for creating su...

Page 62: ...d IP access control lists ACLs for defining security policies in both directions on routed interfaces router ACLs and VLANs and inbound on Layer 2 interfaces port ACLs Extended MAC access control lists for defining security policies in the inbound direction on Layer 2 interfaces VLAN ACLs VLAN maps for providing intra VLAN security by filtering traffic based on information in the MAC IP and TCP UD...

Page 63: ...to provide limited services to non IEEE 802 1x compliant users Restricted VLAN to provide limited services to users who are IEEE 802 1x compliant but do not have the credentials to authenticate via the standard IEEE 802 1x processes IEEE 802 1x accounting to track network usage IEEE 802 1x with wake on LAN to allow dormant PCs to be powered on based on the receipt of a specific Ethernet frame Voic...

Page 64: ...y system to authenticate requests for network resources by using a trusted third party requires the cryptographic universal software image Secure Socket Layer SSL Version 3 0 support for the HTTP 1 1 server authentication encryption and message integrity and HTTP client authentication to allow secure HTTP communications requires the cryptographic universal software image Support for IP source guar...

Page 65: ...ndividual switch basis only stacking capable switches Classification IP type of service Differentiated Services Code Point IP ToS DSCP and IEEE 802 1p CoS marking priorities on a per port basis for protecting the performance of mission critical applications IP ToS DSCP and IEEE 802 1p CoS marking based on flow based packet classification classification based on information in the MAC IP and TCP UD...

Page 66: ...ort bandwidth Shared egress queues are also guaranteed a configured share of bandwidth but can use more than the guarantee if other queues become empty and do not use their share of the bandwidth Automatic quality of service QoS voice over IP VoIP enhancement for port based trust of DSCP and priority queuing for egress traffic Full QoS support for IPv6 traffic Layer 3 Features These are the Layer ...

Page 67: ... SM domains requires the IP services feature set Distance Vector Multicast Routing Protocol DVMRP tunneling for interconnecting two multicast enabled networks across nonmulticast networks requires the IP services feature set DHCP relay for forwarding UDP broadcasts including IP address requests from DHCP clients DHCP for IPv6 relay client server address assignment and prefix delegation IPv6 unicas...

Page 68: ...the physical path that a packet takes from a source device to a destination device Time Domain Reflector TDR to diagnose and resolve cabling problems on 10 100 and 10 100 1000 copper Ethernet ports SFP module diagnostic management interface to monitor physical or operational status of an SFP module Online diagnostics to test the hardware functionality of the supervisor engine modules and switch wh...

Page 69: ...r 3 Assigning the Switch IP Address and Default Gateway DHCP client is enabled the DHCP server is enabled only if the device acting as a DHCP server is configured and is enabled and the DHCP relay agent is enabled only if the device is acting as a DHCP relay agent is configured and is enabled For more information see Chapter 3 Assigning the Switch IP Address and Default Gateway and Chapter 22 Conf...

Page 70: ... are configured For more information see Chapter 16 Configuring Private VLANs Voice VLAN is disabled For more information see Chapter 15 Configuring Voice VLAN IEEE 802 1Q tunneling and Layer 2 protocol tunneling are disabled For more information see Chapter 17 Configuring IEEE 802 1Q and Layer 2 Protocol Tunneling STP PVST is enabled on VLAN 1 For more information see Chapter 18 Configuring STP M...

Page 71: ...rmation see Chapter 28 Configuring UDLD SPAN and RSPAN are disabled For more information see Chapter 30 Configuring SPAN and RSPAN RMON is disabled For more information see Chapter 31 Configuring RMON Syslog messages are enabled and appear on the console For more information see Chapter 32 Configuring System Message Logging SNMP is enabled Version 1 For more information see Chapter 33 Configuring ...

Page 72: ...ance to degrade and how you can configure your network to increase the bandwidth available to your network users Table 1 1 Increasing Network Performance Network Demands Suggested Design Methods Too many users on a single network segment and a growing number of users accessing the Internet Create smaller network segments so that fewer users share the bandwidth and use VLANs and IP subnets to place...

Page 73: ...ulticast routing to design networks better suited for multicast traffic Use MVR to continuously send multicast streams in a multicast VLAN but to isolate the streams from subscriber VLANs for bandwidth and security reasons High demand on network redundancy and availability to provide always on mission critical applications Use switch stacks where all stack members are eligible stack masters in cas...

Page 74: ...affic streams into different paths for processing Security features on the switch ensure rapid handling of packets Fault tolerance from the server racks to the core is achieved through dual homing of servers connected to dual switch stacks or the switches which have redundant Gigabit EtherChannels and cross stack EtherChannels Using dual SFP module uplinks from the switches provides redundant upli...

Page 75: ...nt Data and multimedia traffic are configured on the same VLAN Voice traffic is configured on separate VVIDs If data multimedia and voice traffic are assigned to the same VLAN only one VLAN can be configured per wiring closet When an end station in one VLAN needs to communicate with an end station in another VLAN a router or Layer 3 switch routes the traffic to the destination VLAN In this network...

Page 76: ...es Network Address Translation NAT services voice over IP VoIP gateway services and WAN and Internet access Figure 1 3 Switch Stack in a Collapsed Backbone Where to Go Next Before configuring the switch review these sections for startup information Chapter 2 Using the Command Line Interface Chapter 3 Assigning the Switch IP Address and Default Gateway 201914 Campus core Catalyst 6500 switches Blad...

Page 77: ...ch command mode When you start a session on the switch you begin in user mode often called user EXEC mode Only a limited subset of the commands are available in user EXEC mode For example most of the user EXEC commands are one time commands such as show commands which show the current configuration status and clear commands which clear counters or interfaces The user EXEC commands are not saved wh...

Page 78: ...nter the vlan vlan id command Switch config vlan To exit to global configuration mode enter the exit command To return to privileged EXEC mode press Ctrl Z or enter end Use this mode to configure VLAN parameters When VTP mode is transparent you can create extended range VLANs VLAN IDs greater than 1005 and save configurations in the switch startup configuration file Interface configuration While i...

Page 79: ...the show configuration privileged EXEC command in an abbreviated form Switch show conf Table 2 2 Help Summary Command Purpose help Obtain a brief description of the help system in any command mode abbreviated command entry Obtain a list of commands that begin with a particular character string For example Switch di dir disable disconnect abbreviated command entry Tab Complete a partial command nam...

Page 80: ...s In these cases the default command enables the command and sets variables to their default values Understanding CLI Error Messages Table 2 3 lists some error messages that you might encounter while using the CLI to configure your switch Table 2 3 Common CLI Error Messages Error Message Meaning How to Get Help Ambiguous command show con You did not enter enough characters for your switch to recog...

Page 81: ...54f 73 html Note Only CLI or HTTP changes are logged Using Command History The software provides a history or record of commands that you have entered The command history feature is particularly useful for recalling long or complex commands or entries including access lists You can customize this feature to suit your needs as described in these sections Changing the Command History Buffer Size pag...

Page 82: ...onal Editing Command Lines that Wrap page 2 8 optional Enabling and Disabling Editing Features Although enhanced editing mode is automatically enabled you can disable it re enable it or configure a specific line to have enhanced editing These procedures are optional To globally disable enhanced editing mode enter this command in line configuration mode Switch config line no editing Table 2 4 Recal...

Page 83: ...and line Press Ctrl E Move the cursor to the end of the command line Press Esc B Move the cursor back one word Press Esc F Move the cursor forward one word Press Ctrl T Transpose the character to the left of the cursor with the character located at the cursor Recall commands from the buffer and paste them in the command line The switch provides a buffer with the last ten items that you deleted Pre...

Page 84: ...s to the left Switch config access list 101 permit tcp 131 108 2 5 255 255 255 0 131 108 1 Switch config 101 permit tcp 131 108 2 5 255 255 255 0 131 108 1 20 255 25 Switch config t tcp 131 108 2 5 255 255 255 0 131 108 1 20 255 255 255 0 eq Switch config 108 2 5 255 255 255 0 131 108 1 20 255 255 255 0 eq 45 Capitalize or lowercase words or capitalize a set of letters Press Esc C Capitalize at th...

Page 85: ...nclude or exclude and an expression that you want to search for or filter out command begin include exclude regular expression Expressions are case sensitive For example if you enter exclude output the lines that contain output are not displayed but the lines that contain Output appear This example shows how to include in the output display only lines where the expression protocol appears Switch s...

Page 86: ...ote Telnet session but your switch must first be configured for this type of access For more information see the Setting a Telnet Password for a Terminal Line section on page 7 6 You can use one of these methods to establish a connection with the switch Connect the switch console port to a management station or dial up modem or connect the Ethernet management port to a PC For information about con...

Page 87: ... This chapter consists of these sections Understanding the Boot Process page 3 1 Assigning Switch Information page 3 2 Checking and Saving the Running Configuration page 3 16 Modifying the Startup Configuration page 3 17 Scheduling a Reload of the Software Image page 3 22 Note Information in this chapter about configuring IP addresses and DHCP is specific to IP Version 4 IPv4 If you plan to enable...

Page 88: ...u can format the flash file system reinstall the operating system software image by using the Xmodem Protocol recover from a lost or forgotten password and finally restart the operating system For more information see the Recovering from a Software Failure section on page 47 2 and the Recovering from a Lost or Forgotten Password section on page 47 3 Note You can disable password recovery For more ...

Page 89: ...iguration page 3 3 Configuring DHCP Based Autoconfiguration page 3 6 Manually Assigning IP Information page 3 15 Default Switch Information Table 3 1 shows the default switch information Understanding DHCP Based Autoconfiguration DHCP provides configuration information to Internet hosts and internetworking devices This protocol consists of two components one for delivering configuration parameters...

Page 90: ...nfiguration information from a DHCP server when the configuration file is not present on the switch If the configuration file is present and the configuration includes the ip address dhcp interface configuration command on specific routed interfaces the DHCP client is invoked and requests the IP address information for those interfaces Figure 3 1 shows the sequence of messages that are exchanged b...

Page 91: ... hostnames If a client has a default hostname the hostname name global configuration command is not configured or the no hostname global configuration command is entered to remove the hostname the DHCP hostname option is not included in the packet when you enter the ip address dhcp interface configuration command In this case if the client receives the DCHP hostname option from the DHCP interactio...

Page 92: ...guration with a saved configuration process stops if there is not at least one Layer 3 interface in an up state without an assigned IP address in the network Unless you configure a timeout the DHCP based autoconfiguration with a saved configuration feature tries indefinitely to download an IP address The auto install process stops if a configuration file cannot be downloaded or it the configuratio...

Page 93: ...send broadcast instead of unicast TFTP requests Unavailability of other lease options does not affect autoconfiguration The switch can act as a DHCP server By default the Cisco IOS DHCP server and relay agent features are enabled on your switch but are not configured These features are not operational If your DHCP server is a Cisco device for additional information about configuring DHCP see the C...

Page 94: ...he TFTP server name to an IP address You must configure the TFTP server name to IP address map on the DNS server The TFTP server contains the configuration files for the switch You can configure the IP addresses of the DNS servers in the lease database of the DHCP server from where the DHCP replies will retrieve them You can enter up to two DNS server IP addresses in the lease database The DNS ser...

Page 95: ...y the IP address is reserved for the switch and provided in the DHCP reply The configuration filename is not provided two file read method The switch receives its IP address subnet mask and the TFTP server address from the DHCP server The switch sends a unicast message to the TFTP server to retrieve the network confg or cisconet cfg default configuration file If the network confg file cannot be re...

Page 96: ...The DNS server maps the TFTP server name tftpserver to IP address 10 0 0 3 Switch 1 00e0 9f1e 2001 Cisco router 111394 Switch 2 00e0 9f1e 2002 Switch 3 00e0 9f1e 2003 DHCP server DNS server TFTP server tftpserver 10 0 0 1 10 0 0 10 10 0 0 2 10 0 0 3 Switch 4 00e0 9f1e 2004 Table 3 2 DHCP Server Configuration Switch A Switch B Switch C Switch D Binding key hardware address 00e0 9f1e 2001 00e0 9f1e ...

Page 97: ...ply Switch A reads the network confg file from the base directory of the TFTP server It adds the contents of the network confg file to its host table It reads its host table by indexing its IP address 10 0 0 21 to its hostname switcha It reads the configuration file that corresponds to its hostname for example it reads switch1 confg from the TFTP server Switches B through D retrieve their configur...

Page 98: ...n this table you must create a text file for example autoinstall_dhcp that will be uploaded to the switch In the text file put the name of the image that you want to download This image must be a tar and not a bin file Step 4 network network number mask prefix length Specify the subnet network number and mask of the DHCP address pool Note The prefix length specifies the number of bits that compris...

Page 99: ... Step 4 network network number mask prefix length Specify the subnet network number and mask of the DHCP address pool Note The prefix length specifies the number of bits that comprise the address prefix The prefix is an alternative way of specifying the network mask of the client The prefix length must be preceded by a forward slash Step 5 default router address Specify the IP address of the defau...

Page 100: ...oot BOOT path list Config file flash config text Private Config file flash private config text Enable Break no Manual Boot no HELPER path list NVRAM Config file buffer size 32768 Timeout for Config Download 300 seconds Config Download via DHCP enabled next boot enabled Switch Note You should only configure and enable the Layer 3 interface Do not assign an IP address or DHCP based autoconfiguration...

Page 101: ...er the show interfaces vlan vlan id privileged EXEC command to show the MAC and IP addresses The MAC addresses that appear in the show interfaces vlan vlan id command output are not the same as the MAC address that is printed on the switch label the base MAC address Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface vlan vlan id Enter interface configuration...

Page 102: ...tch show running config Building configuration Current configuration 1363 bytes version 12 2 no service pad service timestamps debug uptime service timestamps log uptime no service password encryption hostname Stack1 enable secret 5 1 ej9 DMUvAUnZOAmvmgqBEzIxE0 output truncated interface gigabitethernet6 0 17 no switchport ip address 172 20 137 50 255 255 255 0 interface gigabitethernet6 0 18 mvr ...

Page 103: ...ges for information about switch configuration files See the Switch Stack Configuration Files section on page 5 16 for information about switch stack configuration files Default Boot Configuration Table 3 3 shows the default boot configuration Automatically Downloading a Configuration File You can automatically download a configuration file to your switch by using the DHCP based autoconfiguration ...

Page 104: ... can configure it to manually boot up Note On stacking capable switches this command only works properly from a standalone switch Beginning in privileged EXEC mode follow these steps to configure the switch to manually boot up during the next boot cycle Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 boot config file flash file url Specify the configuration file to...

Page 105: ...e next time you reboot the system the switch is in boot loader mode shown by the switch prompt To boot up the system use the boot filesystem file url boot loader command For filesystem use flash for the system board flash device For file url specify the path directory and the name of the bootable image Filenames and directory names are case sensitive Step 5 copy running config startup config Optio...

Page 106: ... equal sign followed by the value of the variable A variable has no value if it is not listed in this file it has a value if it is listed in the file even if the value is a null string A variable that is set to a null string for example is a variable with a value Many environment variables are predefined and have default values Environment variables store two kinds of data Data that controls code ...

Page 107: ...cally or manually boots Valid values are 1 yes 0 and no If it is set to no or 0 the boot loader attempts to automatically boot up the system If it is set to anything else you must manually boot up the switch from the boot loader mode boot manual Enables manually booting the switch during the next boot cycle and changes the setting of the MANUAL_BOOT environment variable The next time you reboot th...

Page 108: ...ours and minutes The reload must take place within approximately 24 days You can specify the reason for the reload in a string up to 255 characters in length To reload a specific switch in a switch stack use the reload slot stack member number privileged EXEC command reload at hh mm month day day month text This command schedules a reload of the software to take place at the specified time using a...

Page 109: ...e the switch prompts you to save the configuration before reloading During the save operation the system requests whether you want to proceed with the save if the CONFIG_FILE environment variable points to a startup configuration file that no longer exists If you proceed in this situation the system enters setup mode upon reload This example shows how to reload the software on the switch on the cu...

Page 110: ...3 24 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 12247 04 Chapter 3 Assigning the Switch IP Address and Default Gateway Scheduling a Reload of the Software Image ...

Page 111: ... 4 14 Understanding Cisco Configuration Engine Software The Cisco Configuration Engine is network management software that acts as a configuration service for automating the deployment and management of network devices and services see Figure 4 1 Each Configuration Engine manages a group of Cisco devices switches and routers and the services that they deliver storing their configurations and deliv...

Page 112: ...figuration Service uses the CNS Event Service to send and receive configuration change events and to send success and failure notifications The configuration server is a web server that uses configuration templates and the device specific configuration information stored in the embedded standalone mode or remote server mode directory Configuration templates are text files containing static configu...

Page 113: ...ven a unique group ID device ID and event the mapping service returns a set of events on which to publish What You Should Know About the CNS IDs and Device Hostnames The Configuration Engine assumes that a unique identifier is associated with each configured switch This unique identifier can take on multiple synonyms where each synonym is unique within a particular namespace The event service uses...

Page 114: ...f the connection to the event gateway and does not change even when the switch hostname is reconfigured When changing the switch hostname on the switch the only way to refresh the DeviceID is to break the connection between the switch and the event gateway Enter the no cns event global configuration command followed by the cns event global configuration command When the connection is re establishe...

Page 115: ...ress to the new switch and includes the TFTP server IP address the path to the bootstrap configuration file and the default gateway IP address in a unicast reply to the DHCP relay agent The DHCP relay agent forwards the reply to the switch The switch automatically configures the assigned IP address on interface VLAN 1 the default and downloads the bootstrap configuration file from the TFTP server ...

Page 116: ... showing an error status When the switch has applied the incremental configuration it can write it to NVRAM or wait until signaled to do so Synchronized Configuration When the switch receives a configuration it can defer application of the configuration upon receipt of a write signal event The write signal event tells the switch not to save the updated configuration into its NVRAM The switch uses ...

Page 117: ...ww cisco com en US docs net_mgmt configuration_engine 1 5 installation_linux guide setup_ 1 html Table 4 1 Prerequisites for Enabling Automatic Configuration Device Required Configuration Access switch Factory default no configuration file Distribution switch IP helper address Enable DHCP relay agent IP routing if used as default gateway DHCP server IP address assignment TFTP server IP address Pat...

Page 118: ...r either the hostname or the IP address of the event gateway Optional For port number enter the port number for the event gateway The default port number is 11011 Optional Enter backup to show that this is the backup gateway If omitted this is the primary gateway Optional For failover time seconds enter how long the switch waits for the primary gateway route after the route to the backup gateway i...

Page 119: ...ect configuration mode and specify the name of the CNS connect template Step 3 cli config text Enter a command line for the CNS connect template Repeat this step for each command line in the template Step 4 Repeat Steps 2 to 3 to configure another CNS connect template Step 5 exit Return to global configuration mode Step 6 cns connect name retries number retry interval seconds sleep seconds timeout...

Page 120: ...r specify the point to point subinterface number that is used to search for active DLCIs For interface interface type enter the type of interface For line line type enter the line type Step 8 template name name Specify the list of CNS connect templates in the CNS connect profile to be applied to the switch configuration You can specify more than one template Step 9 Repeat Steps 7 to 8 to specify m...

Page 121: ...everse ipaddress mac address enter dns reverse to retrieve the hostname and assign it as the unique ID enter ipaddress to use the IP address or enter mac address to use the MAC address as the unique ID Optional Enter event to set the ID to be the event id value used to identify the switch Optional Enter image to set the ID to be the image id value used to identify the switch Note If both the event...

Page 122: ...ge source ip address syntax check Enable the Cisco IOS agent and initiate an initial configuration For hostname ip address enter the hostname or the IP address of the configuration server Optional For port number enter the port number of the configuration server The default port number is 80 Optional Enable event for configuration success failure or warning messages when the configuration is finis...

Page 123: ...st Enabling a Partial Configuration Beginning in privileged EXEC mode follow these steps to enable the Cisco IOS agent and to initiate a partial configuration on the switch To disable the Cisco IOS agent use the no cns config partial ip address hostname global configuration command To cancel a partial configuration use the cns config cancel privileged EXEC command Command Purpose Step 1 configure ...

Page 124: ...Purpose show cns config connections Displays the status of the CNS Cisco IOS agent connections show cns config outstanding Displays information about incremental partial CNS configurations that have started but are not yet completed show cns config stats Displays statistics about the Cisco IOS agent show cns event connections Displays the status of the CNS event agent connections show cns event st...

Page 125: ...switches in a switch stack might cause the switch to work improperly or to fail Understanding Switch Stacks A switch stack is a set of up to nine stacking capable switches connected through their StackWise Plus ports One of the switches controls the operation of the stack and is called the stack master The stack master and the other switches in the stack are all stack members The stack members use...

Page 126: ...o any other stack member You can manage the stack through the same IP address even if you remove the stack master or any other stack member from the stack You can use these methods to manage switch stacks Network Assistant available on Cisco com Command line interface CLI over a serial connection to the console port of any stack member or the Ethernet management port of a stack member A network ma...

Page 127: ... switch stacks Note Make sure that you power off the switches that you add to or remove from the switch stack After adding or removing stack members make sure that the switch stack is operating at full bandwidth 64 Gb s Press the Mode button on a stack member until the Stack mode LED is on The last two right port LEDs on all switches in the stack should be green Depending on the switch model the l...

Page 128: ... Creating a Switch Stack from Two Standalone Switches in Two Enclosures Blade switch Blade switch Blade switch 1 2 Blade switch Blade switch Blade switch Blade switch Blade switch Blade switch 3 Blade switch Blade switch Blade switch 1 2 Enclosure 1 Enclosure 2 Enclosure 1 Enclosure 2 Stack member 1 Stack member 1 Stack member 1 Stack member 2 and stack master 201911 ...

Page 129: ...witch Stacks Understanding Switch Stacks Figure 5 2 Creating a Switch Stack from Two Standalone Switches in the Same Enclosures Blade switch Blade switch Blade switch Blade switch Blade switch Blade switch 3 Enclosure Enclosure Stack member 1 Stack member 2 and stack master Stack member 1 Stack member 1 201912 1 2 2 ...

Page 130: ...t you prefer to be the stack master This ensures that the switch is re elected as stack master if a re election occurs 1 Chassis management module 2 Internal Ethernet management port that is not active 3 Active internal Ethernet management port on the stack master Note The internal Ethernet management ports on the stack members are disabled Blade switch Blade switch Blade switch 1 3 Blade switch B...

Page 131: ...switch with the lowest MAC address A stack master retains its role unless one of these events occurs The switch stack is reset The stack master is removed from the switch stack The stack master is reset or powered off The stack master fails The switch stack membership is increased by adding powered on standalone switches or switch stacks In the events marked by an asterisk the current stack master...

Page 132: ...number Every stack member including a standalone switch retains its member number until you manually change the number or unless the number is already being used by another member in the stack If you manually change the stack member number by using the switch current stack member number renumber new stack member number global configuration command the new number goes into effect after that stack m...

Page 133: ...an configure in advance the stack member number the switch type and the interfaces associated with a switch that is not currently part of the stack The configuration that you create on the switch stack is called the provisioned configuration The switch that is added to the switch stack and that receives this configuration is called the provisioned switch You manually create the provisioned configu...

Page 134: ...he default configuration to the provisioned switch and adds it to the stack The provisioned configuration is changed to reflect the new information The stack member number is not found in the provisioned configuration The switch stack applies the default configuration to the provisioned switch and adds it to the stack The provisioned configuration is changed to reflect the new information The stac...

Page 135: ...mmand that matches the new switch For configuration information see the Provisioning a New Member for a Switch Stack section on page 5 25 Effects of Replacing a Provisioned Switch in a Switch Stack When a provisioned switch in a switch stack fails is removed from the stack and is replaced with another switch the stack applies either the provisioned configuration or the default configuration to it ...

Page 136: ...or more information see the Stack Protocol Version Compatibility section on page 5 12 Stack Protocol Version Compatibility Each software image includes a stack protocol version The stack protocol version has a major version number and a minor version number for example 1 4 where 1 is the major version number and 4 is the minor version number Both version numbers determine the level of compatibilit...

Page 137: ...he boot auto copy sw global configuration command is enabled You can disable auto upgrade by using the no boot auto copy sw global configuration command on the stack master You can check the status of auto upgrade by using the show boot privileged EXEC command and by checking the Auto upgrade line in the display Auto copy automatically copies the software image running on any stack member to the s...

Page 138: ...software image Auto Upgrade and Auto Advise Example Messages When you add a switch that has a different minor version number to the switch stack the software displays messages in sequence assuming that there are no other system messages generated by the switch This example shows that the switch stack detected a new switch that is running a different minor version number than the switch stack Auto ...

Page 139: ...MGR 6 AUTO_COPY_SW extracting cbs31x0 universal mz 122 40 EX1 info 450 bytes Mar 11 20 36 15 038 IMAGEMGR 6 AUTO_COPY_SW extracting info 104 bytes Mar 11 20 36 15 038 IMAGEMGR 6 AUTO_COPY_SW Mar 11 20 36 15 038 IMAGEMGR 6 AUTO_COPY_SW Installing renaming flash1 update cbs31x0 universal mz 122 0 0 313 EX1 Mar 11 20 36 15 038 IMAGEMGR 6 AUTO_COPY_SW flash1 cbs31x0 universal mz 122 40 EX1 Mar 11 20 3...

Page 140: ... file and by searching the directory structure on the switch stack If you download your image by using the copy tftp boot loader command instead of the archive download sw privileged EXEC command the proper directory structure is not created For more information about the info file see the File Format of Images on a Server or Cisco com section on page B 25 Incompatible Software and Stack Member Im...

Page 141: ...lacement switch must have the same stack member number as the failed switch For information about the benefits of provisioning a switch stack see the Switch Stack Offline Configuration section on page 5 9 You back up and restore the stack configuration in the same way as you would for a standalone switch configuration For more information about file systems and configuration files see Appendix B W...

Page 142: ...ddress The switch stack is managed through a single IP address The IP address is a system level setting and is not specific to the stack master or to any other stack member You can still manage the stack through the same IP address even if you remove the stack master or any other stack member from the stack provided there is IP connectivity Note Stack members retain their IP addresses when you rem...

Page 143: ... the Using Interface Configuration Mode section on page 11 8 To debug a specific stack member you can access it from the stack master by using the session stack member number privileged EXEC command The stack member number is appended to the system prompt For example Switch 2 is the prompt in privileged EXEC mode for stack member 2 and the system prompt for the stack master is Switch Only the show...

Page 144: ...lection specifically determined by the cryptographic software image and the IP base feature set Assuming that all stack members have the same priority value 1 Make sure that one stack member has the cryptographic image installed and the IP base feature set enabled and that the other stack member has the noncryptographic image installed and the IP base feature set enabled 2 Restart both stack membe...

Page 145: ...escribed in the Stack Master Election and Re Election section on page 5 6 one of the remaining stack members becomes the new stack master All other stack members in the stack remain as stack members and do not reboot Add more than nine stack members 1 Through their StackWise Plus ports connect ten switches 2 Power on all switches Two switches become stack masters One stack master has nine stack me...

Page 146: ...C address of the new stack master Note When you enter the command to configure this feature a warning message appears containing the consequences of your configuration You should use this feature cautiously Using the old stack master MAC address elsewhere in the same domain could result in lost traffic You can configure the time period as 0 to 60 minutes If you enter the command with no value the ...

Page 147: ...es We recommend that you always configure a value Enter 0 to continue using the MAC address of the current stack master indefinitely Enter a time value from 1 to 60 minutes to configure the time period before the stack MAC address changes to the new stack master Note When you enter this command a warning states that traffic might be lost if the old master MAC address appears elsewhere in the netwo...

Page 148: ... 1 0 Ready Assigning Stack Member Information These sections describe how to assign stack member information Assigning a Stack Member Number page 5 24 optional Setting the Stack Member Priority Value page 5 25 optional Provisioning a New Member for a Switch Stack page 5 25 optional Assigning a Stack Member Number Note This task is available only from the stack master Beginning in privileged EXEC m...

Page 149: ...show switch user EXEC command The new priority value takes effect immediately but does not affect the current stack master The new priority value helps determine which stack member is elected as the new stack master when the current stack master or switch stack resets Step 3 end Return to privileged EXEC mode Step 4 reload slot stack member number Reset the stack member and apply this configuratio...

Page 150: ...iated with the provisioned switch Switch config switch 2 provision WS CBS3130G Switch config end Switch show running config include switch 2 interface GigabitEthernet2 0 1 interface GigabitEthernet2 0 2 interface GigabitEthernet2 0 3 output truncated Accessing the CLI of a Specific Stack Member Note This task is only for debugging purposes and is only available from the master You can access all o...

Page 151: ...ion show platform stack manager all Display all stack information such as the stack protocol version show platform stack ports buffer history Display the stack port events and history show switch Display summary information about the stack including the status of provisioned switches and switches in version mismatch mode show switch stack member number Display information about a specific member s...

Page 152: ... can disable only one stack port This message appears Enabling disabling a stack port may cause undesired stack changes Continue confirm The stack is in the partial ring state you cannot disable the port This message appears Disabling stack port not allowed with current stack configuration Re Enabling a Stack Port While Another Member Starts Stack Port 1 on Switch 1 is connected to Port 2 on Switc...

Page 153: ...or is up Neighbor Switch number of the active member at the other end of the stack cable Cable Length Valid lengths are 50 cm 1 m or 3 m If the switch cannot detect the cable length the value is no cable The cable might not be connected or the link might be unreliable Link OK This shows if the link is stable The link partner is a stack port on a neighbor switch No The link partner receives invalid...

Page 154: ...K 1 50 cm Yes Yes Yes 1 No If you disconnect the stack cable from Port 1 on Switch 1 these messages appear 01 09 55 STACKMGR 4 STACK_LINK_CHANGE Stack Port 2 Switch 3 has changed to state DOWN 01 09 56 STACKMGR 4 STACK_LINK_CHANGE Stack Port 1 Switch 1 has changed to state DOWN Switch show switch stack ports summary Switch Stack Neighbor Cable Link Link Sync In Port Port Length OK Active OK Change...

Page 155: ... Loopback Examples Connected Stack Cables On Port 1 on Switch 1 the port status is Down and a cable is connected On Port 2 on Switch 1 the port status is Absent and no cable is connected Switch show switch stack ports summary Switch Stack Neighbor Cable Link Link Sync In Port Port Length OK Active OK Changes Loopback Status To LinkOK 1 1 Down None 50 Cm No No No 1 No 1 2 Absent None No cable No No...

Page 156: ...6031805 55AAFFFF FFFFFFFF 1CE61CE6 Yes Yes No cable Event type RAC 0000000013 1 FF08FF00 860302A5 AA55FFFF FFFFFFFF 1CE61CE6 Yes Yes No cable 0000000013 2 FF08FF00 86031805 55AAFFFF FFFFFFFF 1CE61CE6 Yes Yes No cable On a member If a stack port has an connected stack cable the Loopback HW value for the stack port is No If the stack port does not have an connected stack cable the Loopback HW value ...

Page 157: ... NOT OK Stack Port 1 0000009732 1 FF01FF00 00015B12 5555FFFF A49CFFFF 0C140CE4 No No 50 cm 0000009732 2 FF01FF00 86020823 AAAAFFFF 00000000 0C140CE4 No No 3 m Event type RAC 0000009733 1 FF01FF00 00015B4A 5555FFFF A49CFFFF 0C140CE4 No No 50 cm 0000009733 2 FF01FF00 86020823 AAAAFFFF 00000000 0C140CE4 No No 3 m Event type LINK NOT OK Stack Port 2 0000010119 1 FF01FF00 00010E69 25953FFF FFFFFFFF 0C1...

Page 158: ...he cable connection for Port 2 on Switch 1 Port 2 on Switch 1 has a port or cable problem if The In Loopback value is Yes or The Link OK Link Active or Sync OK value is No Fixing a Bad Connection Between Stack Ports Stack cables connect all members Port 2 on Switch 1 connects to Port 1 on Switch 2 This is the port status Switch show switch stack ports summary Switch Stack Neighbor Cable Link Link ...

Page 159: ...te You can manage the system time and date on your switch using automatic configuration such as the Network Time Protocol NTP or manual configuration methods Note For complete syntax and usage information for the commands used in this section see the Cisco IOS Configuration Fundamentals Command Reference Release 12 2 These sections contain this configuration information Understanding the System Cl...

Page 160: ... has a radio or atomic clock directly attached a stratum 2 time server receives its time through NTP from a stratum 1 time server and so on A device running NTP automatically chooses as its time source the device with the lowest stratum number with which it communicates through NTP This strategy effectively builds a self organizing tree of NTP speakers NTP avoids synchronizing to a device whose ti...

Page 161: ...r means Other devices then synchronize to that device through NTP When multiple sources of time are available NTP is always considered to be more authoritative NTP time overrides the time set by any other method Several manufacturers include NTP software for their host systems and a publicly available version for systems running UNIX and its various derivatives is also available This software allo...

Page 162: ...ith the administrator of the NTP server the information you configure in this procedure must be matched by the servers used by the switch to synchronize its time to the NTP server Beginning in privileged EXEC mode follow these steps to authenticate the associations communications between devices running NTP that provide for accurate timekeeping with other devices for security purposes Table 6 1 De...

Page 163: ...is switch synchronizes to the other device and not the other way around Step 3 ntp authentication key number md5 value Define the authentication keys By default none are defined For number specify a key number The range is 1 to 4294967295 md5 specifies that message authentication support is provided by using the message digest algorithm 5 MD5 For value enter an arbitrary string of up to eight char...

Page 164: ...ice can simply be configured to send or receive broadcast messages However the information flow is one way only Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ntp peer ip address version number key keyid source interface prefer or ntp server ip address version number key keyid source interface prefer Configure the switch system clock to synchronize a peer or to be...

Page 165: ... peers Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to send NTP broadcast packets and enter interface configuration mode Step 3 ntp broadcast version number key keyid destination address Enable the interface to send NTP broadcast packets to a peer By default this feature is disabled on all interfaces Optional For numb...

Page 166: ... mode follow these steps to control access to NTP services by using access lists Step 5 ntp broadcastdelay microseconds Optional Change the estimated round trip delay between the switch and the NTP broadcast server The default is 3000 microseconds the range is 1 to 999999 Step 6 end Return to privileged EXEC mode Step 7 show running config Verify your entries Step 8 copy running config startup con...

Page 167: ...ch NTP services use the no ntp access group query only serve only serve peer global configuration command This example shows how to configure the switch to allow itself to synchronize to a peer from access list 99 However the switch restricts access to allow only time requests from access list 42 Switch configure terminal Switch config ntp access group peer 99 Switch config ntp access group serve ...

Page 168: ...he IP source address is to be taken The specified interface is used for the source address for all packets sent to all destinations If a source address is to be used for a specific association use the source keyword in the ntp peer or ntp server global configuration command as described in the Configuring NTP Associations section on page 6 5 Command Purpose Step 1 configure terminal Enter global c...

Page 169: ...tem clock and the stack master fails and different stack member resumes the role of stack master These sections contain this configuration information Setting the System Clock page 6 11 Displaying the Time and Date Configuration page 6 12 Configuring the Time Zone page 6 12 Configuring Summer Time Daylight Saving Time page 6 13 Setting the System Clock If you have an outside source on the network ...

Page 170: ...nually configure the time zone The minutes offset variable in the clock timezone global configuration command is available for those cases where a local time zone is a percentage of an hour different from UTC For example the time zone for some sections of Atlantic Canada AST is UTC 3 5 where the 3 means 3 hours and 5 means 50 percent In this case the necessary command is clock timezone AST 3 30 To...

Page 171: ...Switch config clock summer time PDT recurring 1 Sunday April 2 00 last Sunday October 2 00 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 clock summer time zone recurring week day month hh mm week day month hh mm offset Configure summer time to start and end on the specified days every year Summer time is disabled by default If you specify clock summer time zone r...

Page 172: ...pt A greater than symbol is appended The prompt is updated whenever the system name changes If you are accessing a stack member through the stack master you must use the session stack member number privileged EXEC command The stack member number range is from 1 through 9 When you use this command the stack member number is appended to the system prompt For example Switch 2 is the prompt in privile...

Page 173: ...a distributed database with which you can map hostnames to IP addresses When you configure DNS on your switch you can substitute the hostname for the IP address with all IP commands such as ping telnet connect and related Telnet support operations IP defines a hierarchical naming scheme that allows a device to be identified by its location or domain Domain names are pieced together with periods as...

Page 174: ... name name Define a default domain name that the software uses to complete unqualified hostnames names without a dotted decimal domain name Do not include the initial period that separates an unqualified name from the domain name At bootup time no domain name is configured however if the switch configuration comes from a BOOTP or Dynamic Host Configuration Protocol DHCP server then the default dom...

Page 175: ...ation command Displaying the DNS Configuration To display the DNS configuration information use the show running config privileged EXEC command Creating a Banner You can configure a message of the day MOTD and a login banner The MOTD banner displays on all connected terminals at login and is useful for sending messages that affect all network users such as impending system shutdowns The login bann...

Page 176: ...172 2 5 4 Trying 172 2 5 4 Connected to 172 2 5 4 Escape character is This is a secure site Only authorized users are allowed For access contact technical support User Access Verification Password Configuring a Login Banner You can configure a login banner to be displayed on all connected terminals This banner appears after the MOTD banner and before the login prompt Command Purpose Step 1 configu...

Page 177: ...lost when the switch resets The address table lists the destination MAC address the associated VLAN ID and port number associated with the address and the type static or dynamic Note For complete syntax and usage information for the commands used in this section see the command reference for this release These sections contain this configuration information Building the Address Table page 6 20 MAC...

Page 178: ...sis The switch sends packets between any combination of ports based on the destination address of the received packet Using the MAC address table the switch forwards the packet only to the port associated with the destination address If the destination address is on the port that sent the packet the packet is filtered and not forwarded The switch always uses the store and forward method complete p...

Page 179: ...unknown destination it floods the packet to all ports in the same VLAN as the receiving port This unnecessary flooding can impact performance Setting too long an aging time can cause the address table to be filled with unused addresses which prevents new addresses from being learned Flooding results which can impact switch performance Beginning in privileged EXEC mode follow these steps to configu...

Page 180: ... for each port for which the trap is set MAC address change notifications are generated for dynamic and secure MAC addresses Notifications are not generated for self addresses multicast addresses or other static addresses Beginning in privileged EXEC mode follow these steps to configure the switch to send MAC address change notification traps to an NMS host Command Purpose Step 1 configure termina...

Page 181: ...e history size 100 Switch config interface gigabitethernet1 0 2 Switch config if snmp trap mac notification change added You can verify your settings by entering the show mac address table notification change interface and the show mac address table notification change privileged EXEC commands Step 5 mac address table notification change interval value history size value Enter the trap interval ti...

Page 182: ...fig mac address table notification mac move You can verify your settings by entering the show mac address table notification mac move privileged EXEC commands Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 snmp server host host addr traps informs version 1 2c 3 community string notification type Specify the recipient of the trap message For host addr specify the n...

Page 183: ...ring specify the string to send with the notification operation Though you can set this string by using the snmp server host command we recommend that you define this string by using the snmp server community command before using the snmp server host command For notification type use the mac notification keyword Step 3 snmp server enable traps mac notification threshold Enable the switch to send M...

Page 184: ... characteristics It is manually entered in the address table and must be manually removed It can be a unicast or multicast address It does not age and is retained when the switch restarts You can add and remove static addresses and define the forwarding behavior for them The forwarding behavior defines how a port that receives a packet forwards it to another port for transmission Because all ports...

Page 185: ...c address table static mac addr vlan vlan id drop global configuration command one of these messages appears Only unicast addresses can be configured to be dropped CPU destined address cannot be configured as drop address Packets that are forwarded to the CPU are also not supported Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mac address table static mac addr vl...

Page 186: ...s table static mac addr vlan vlan id global configuration command This example shows how to enable unicast MAC address filtering and to configure the switch to drop packets that have a source or destination address of c2f3 220a 12f4 When a packet is received in VLAN 4 with this MAC address as its source or destination the packet is dropped Switch config mac address table static c2f3 220a 12f4 vlan...

Page 187: ...AC address learning on an RSPAN VLAN The configuration is not allowed If you disable MAC address learning on a VLAN that includes a secure port MAC address learning is not disabled on that port If you disable port security the configured MAC address learning state is enabled Beginning in privileged EXEC mode follow these steps to disable MAC address learning on a VLAN To reenable MAC address learn...

Page 188: ...t is specified by the Subnetwork Access Protocol SNAP By default standard Ethernet style ARP encapsulation represented by the arpa keyword is enabled on the IP interface ARP entries added manually to the table do not age and must be manually removed For CLI procedures see the Cisco IOS Release 12 2 documentation on Cisco com Table 6 4 Commands for Displaying the MAC Address Table Command Descripti...

Page 189: ...k administrators to have access to your switch while you restrict access to users who dial from outside the network through an asynchronous port connect from outside the network through a serial port or connect through a terminal or workstation from within the local network To prevent unauthorized access into your switch you should configure one or more of these security features At a minimum you ...

Page 190: ...syntax and usage information for the commands used in this section see the Cisco IOS Security Command Reference Release 12 2 These sections contain this configuration information Default Password and Privilege Level Configuration page 7 2 Setting or Changing a Static Enable Password page 7 3 Protecting Enable and Enable Secret Passwords with Encryption page 7 3 Disabling Password Recovery page 7 5...

Page 191: ...efault or any privilege level you specify We recommend that you use the enable secret command because it uses an improved encryption algorithm If you configure the enable secret command it takes precedence over the enable password command the two commands cannot be in effect simultaneously Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 enable password password Def...

Page 192: ... Enter global configuration mode Step 2 enable password level level password encryption type encrypted password or enable secret level level password encryption type encrypted password Define a new password or change an existing password for access to privileged EXEC mode or Define a secret password which is saved using a nonreversible encryption method Optional For level the range is from 0 to 15...

Page 193: ...rrupts the bootup process and sets the system back to default values Do not keep a backup copy of the configuration file on the switch If the switch is operating in VTP transparent mode we recommend that you also keep a backup copy of the VLAN database file on a secure server When the switch is returned to the default system configuration you can download the saved files to the switch by using the...

Page 194: ...access the switch If you have defined privilege levels you can also assign a specific privilege level with associated rights and privileges to each username and password pair Command Purpose Step 1 Attach a PC or workstation with emulation software to the switch console port or attach a PC to the Ethernet management port The default data characteristics of the console port are 9600 8 1 no parity Y...

Page 195: ...ration information Setting the Privilege Level for a Command page 7 8 Changing the Default Privilege Level for Lines page 7 9 Logging into and Exiting a Privilege Level page 7 9 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 username name privilege level password encryption type password Enter the username privilege level and password for each user For name specif...

Page 196: ...wd14 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 privilege mode level level command Set the privilege level for a command For mode enter configure for global configuration mode exec for EXEC mode interface for interface configuration mode or line for line configuration mode For level the range is from 0 to 15 Level 1 is for normal user EXEC mode privileges Leve...

Page 197: ...d Logging into and Exiting a Privilege Level Beginning in privileged EXEC mode follow these steps to log in to a specified privilege level and to exit to a specified privilege level Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 line vty line Select the virtual terminal line on which to restrict access Step 3 privilege level level Change the default privilege leve...

Page 198: ... your switch TACACS services are maintained in a database on a TACACS daemon typically running on a UNIX or Windows NT workstation You should have access to and should configure a TACACS server before the configuring TACACS features on your switch Note We recommend a redundant connection between a switch stack and the TACACS server This is to help ensure that the TACACS server remains accessible i...

Page 199: ...s access control session duration or protocol support You can also enforce restrictions on what commands a user can execute with the TACACS authorization feature Accounting Collects and sends information used for billing auditing and reporting to the TACACS daemon Network managers can use the accounting facility to track user activity for a security audit or to provide information for user billing...

Page 200: ... to use an alternative method for authenticating the user CONTINUE The user is prompted for additional authentication information After authentication the user undergoes an additional authorization phase if authorization has been enabled on the switch Users must first successfully complete TACACS authentication before proceeding to TACACS authorization 3 If TACACS authorization is required the TAC...

Page 201: ...ion You can group servers to select a subset of the configured server hosts and use them for a particular service The server group is used with a global server host list and contains the list of IP addresses of the selected server hosts Beginning in privileged EXEC mode follow these steps to identify the IP host or host maintaining TACACS server and optionally set the encryption key Command Purpos...

Page 202: ...a user You can designate one or more security protocols to be used for authentication thus ensuring a backup system for authentication in case the initial method fails The software uses the first method listed to authenticate users if that method fails to respond the software selects the next authentication method in the method list This process continues until there is successful communication wi...

Page 203: ... server For more information see the Identifying the TACACS Server Host and Setting the Authentication Key section on page 7 13 line Use the line password for authentication Before you can use this authentication method you must define a line password Use the password password line configuration command local Use the local username database for authentication You must enter username information in...

Page 204: ...nted access to a requested service only if the information in the user profile allows it You can use the aaa authorization global configuration command with the tacacs keyword to set parameters that restrict a user s network access to privileged EXEC mode The aaa authorization exec tacacs local command sets these authorization parameters Use TACACS for privileged EXEC access authorization if authe...

Page 205: ...lling Switch Access with RADIUS This section describes how to enable and configure the RADIUS which provides detailed accounting information and flexible administrative control over authentication and authorization processes RADIUS is facilitated through AAA and can be enabled only through AAA commands Note For complete syntax and usage information for the commands used in this section see the Cis...

Page 206: ...onment that uses a smart card access control system In one case RADIUS has been used with Enigma s security cards to validates users and to grant access to network resources Networks already using RADIUS You can add a Cisco switch containing a RADIUS client to the network This might be the first step when you make a transition to a TACACS server See Figure 7 2 on page 7 19 Network in which the use...

Page 207: ...ated b REJECT The user is either not authenticated and is prompted to re enter the username and password or access is denied c CHALLENGE A challenge requires additional data from the user d CHALLENGE PASSWORD A response requests the user to select a new password The ACCEPT or REJECT response is bundled with additional data that is used for privileged EXEC or network authorization Users must first ...

Page 208: ...s Beginning with Cisco IOS Release 12 2 52 SE the switch supports these per session CoA requests Session reauthentication Session termination Session termination with port shutdown Session termination with port bounce The RADIUS interface is enabled by default on Catalyst switches However some basic configuration is required for the following attributes Security and Password refer to the Preventin...

Page 209: ...le values for the Error Cause attribute Table 7 2 Supported IETF Attributes Attribute Number Attribute Name 24 State 31 Calling Station ID 44 Acct Session ID 80 Message Authenticator 101 Error Cause Table 7 3 Error Cause Values Value Explanation 201 Residual Session Context Removed 202 Invalid EAP Packet Ignored 401 Unsupported Attribute 402 Missing Attribute 403 NAS Identification Mismatch 404 In...

Page 210: ...nect NAK or CoA NAK with the Invalid Attribute Value error code attribute For disconnect and CoA requests targeted to a particular session any one of the following session identifiers can be used Calling Station ID IETF attribute 31 which should contain the MAC address Audit Session ID Cisco vendor specific attribute Accounting Session ID IETF attribute 44 If more than one session identification a...

Page 211: ... sends a standard CoA Request message which contains a Cisco vendor specific attribute VSA in this form Cisco Avpair subscriber command reauthenticate and one or more session identification attributes The current session state determines the switch response to the message If the session is currently authenticated by IEEE 802 1x the switch responds by sending an EAPoL1 RequestId message see footnot...

Page 212: ... machine for the specified host but does not restrict that host s access to the network To restrict a host s access to the network use a CoA Request with the Cisco Avpair subscriber command disable host port VSA This command is useful when a host is known to be causing problems on the network and you need to immediately block network access for the host When you want to restore network access on t...

Page 213: ...ication attributes described in the Session Identification section on page 7 22 If the session cannot be located the switch returns a CoA NAK message with the Session Context Not Found error code attribute If the session is located the switch disables the hosting port for a period of 10 seconds re enables it port bounce and returns a CoA ACK If the switch fails before returning a CoA ACK to the cl...

Page 214: ...for RADIUS authorization and accounting A method list defines the sequence and methods to be used to authenticate to authorize or to keep accounts on a user You can use method lists to designate one or more security protocols to be used such as TACACS or local username lookup thus ensuring a backup system if the initial method fails The software uses the first method listed to authenticate to auth...

Page 215: ... provide accounting services the RADIUS 4 RADIUS_DEAD message appears and then the switch tries the second host entry configured on the same device for accounting services The RADIUS host entries are tried in the order that they are configured A RADIUS server and the switch use a shared secret text string to encrypt passwords and exchange responses To configure RADIUS to use the AAA security comma...

Page 216: ...ius server timeout command is used Optional For retransmit retries specify the number of times a RADIUS request is resent to a server if that server is not responding or responding slowly The range is 1 to 1000 If no retransmit value is set with the radius server host command the setting of the radius server retransmit global configuration command is used Optional For key string specify the authen...

Page 217: ...med it must be applied to a specific port before any of the defined authentication methods are performed The only exception is the default method list which by coincidence is named default The default method list is automatically applied to all ports except those that have a named method list explicitly defined A method list describes the sequence and authentication methods to be queried to authen...

Page 218: ...e you can use this authentication method you must define an enable password by using the enable password global configuration command group radius Use RADIUS authentication Before you can use this authentication method you must configure the RADIUS server For more information see the Identifying the RADIUS Server Host section on page 7 27 line Use the line password for authentication Before you ca...

Page 219: ...ar service The server group is used with a global server host list which lists the IP addresses of the selected server hosts Server groups also can include multiple host entries for the same server if each entry has a unique identifier the combination of the IP address and UDP port number allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service If you co...

Page 220: ... no retransmit value is set with the radius server host command the setting of the radius server retransmit global configuration command is used Optional For key string specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server Note The key is a text string that must match the encryption key used on the RADIUS server Always configure th...

Page 221: ... for User Privileged Access and Network Services AAA authorization limits the services available to a user When AAA authorization is enabled the switch uses information retrieved from the user s profile which is in the local user database or on the security server to configure the user s session The user is granted access to a requested service only if the information in the user profile allows it...

Page 222: ...rk services To disable accounting use the no aaa accounting network exec start stop method1 global configuration command Step 3 aaa authorization exec radius Configure the switch for user RADIUS authorization if the user has privileged EXEC access The exec keyword might return user profile information such as autocommand information Step 4 end Return to privileged EXEC mode Step 5 show running con...

Page 223: ...ined in the Cisco TACACS specification and sep is for mandatory attributes and is for optional attributes The full set of features available for TACACS authorization can then be used for RADIUS Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 radius server key string Specify the shared secret text string used between the switch and all RADIUS servers Note The key is...

Page 224: ...his connection cisco avpair ip outacl 2 deny ip 10 10 10 10 0 0 255 255 any Other vendors have their own unique vendor IDs options and associated VSAs For more information about vendor IDs and VSAs see RFC 2138 Remote Authentication Dial In User Service RADIUS Beginning in privileged EXEC mode follow these steps to configure the switch to recognize and use VSAs For a complete list of RADIUS attrib...

Page 225: ...al configuration command To disable the key use the no radius server key global configuration command This example shows how to specify a vendor proprietary RADIUS host and to use a secret key of rad124 between the switch and the server Switch config radius server host 172 20 30 15 nonstandard Switch config radius server key rad124 Command Purpose Step 1 configure terminal Enter global configurati...

Page 226: ...ADIUS clients Step 7 auth type any all session key Specify the type of authorization the switch uses for RADIUS clients The client must match all the configured attributes for authorization Step 8 ignore session key Optional Configure the switch to ignore the session key For more information about the ignore command see the Cisco IOS Intelligent Services Gateway Command Reference on Cisco com Step...

Page 227: ...laying the RADIUS Configuration To display the RADIUS configuration use the show running config privileged EXEC command Controlling Switch Access with Kerberos This section describes how to enable and configure the Kerberos security system which authenticates requests for network resources by using a trusted third party To use this feature the cryptographic that is supports encryption versions of ...

Page 228: ...a trusted third party to perform secure verification of users and services This trusted third party is called the key distribution center KDC Kerberos verifies that users are who they claim to be and the network services that they use are what the services claim to be To do this a KDC or trusted Kerberos server issues tickets to users These tickets which have a limited lifespan are stored in user ...

Page 229: ...d to specify the authorization level for the user if authentication is successful The server of each network service might implement and enforce the authorization mappings of Kerberos instances but is not required to do so Note The Kerberos principal and instance names must be in all lowercase characters The Kerberos realm name must be in all uppercase characters KDC2 Key distribution center that ...

Page 230: ... process then occurs 1 The user opens an un Kerberized Telnet connection to the boundary switch 2 The switch prompts the user for a username and password 3 The switch requests a TGT from the KDC for this user 4 The KDC sends an encrypted TGT that includes the user identity to the switch Principal Also known as a Kerberos identity this is who you are or what a service is according to the Kerberos s...

Page 231: ...elease 12 2 at this URL http www cisco com en US products sw iosswrel ps1835 products_configuration_guide_book09186a 0080087df1 html Authenticating to Network Services This section describes the third layer of security through which a remote user must pass The user with a TGT must now authenticate to the network services in a Kerberos realm For instructions about how to authenticate to a network s...

Page 232: ... global configuration mode Step 2 aaa new model Enable AAA Step 3 aaa authentication login default local Set the login authentication to use the local username database The default keyword applies the local user database authentication to all ports Step 4 aaa authorization exec local Configure user AAA authorization check the local database and allow the user to run an EXEC shell Step 5 aaa author...

Page 233: ...re image on your switch You can download the cryptographic software image from www dell com support For more information see the release notes for this release These sections contain this information Understanding SSH page 7 46 Configuring SSH page 7 47 Displaying the SSH Configuration and Status page 7 50 For SSH configuration examples see the SSH Configuration Examples section in the Configuring...

Page 234: ...ailable if the stack master is running the noncryptographic software image and the feature set SSH Servers Integrated Clients and Supported Versions The SSH feature has an SSH server and an SSH integrated client which are applications that run on the switch You can use an SSH client to connect to a switch running the SSH server The SSH server works with the SSH client supported in this release and...

Page 235: ...itch as an SSH server or SSH client An RSA key pair generated by a SSHv1 server can be used by an SSHv2 server and the reverse If the SSH server is running on a stack master and the stack master fails the new stack master uses the RSA key pair generated by the previous stack master If you get CLI error messages after entering the crypto key generate rsa global configuration command an RSA key pair...

Page 236: ...eps to configure a hostname and an IP domain name and to generate an RSA key pair This procedure is required if you are configuring the switch as an SSH server To delete the RSA key pair use the crypto key zeroize rsa global configuration command After the RSA key pair is deleted the SSH server is automatically disabled Command Purpose Step 1 configure terminal Enter global configuration mode Step...

Page 237: ... to 120 seconds This parameter applies to the SSH negotiation phase After the connection is established the switch uses the default time out values of the CLI based sessions By default up to five simultaneous encrypted SSH connections for multiple CLI based sessions over the network are available session 0 to session 4 After the execution shell starts the CLI based session time out value returns t...

Page 238: ...more information about the cryptographic image see the release notes for this release These sections contain this information Understanding Secure HTTP Servers and Clients page 7 50 Configuring Secure HTTP Servers and Clients page 7 53 Displaying Secure HTTP Server and Client Status page 7 56 For configuration examples and complete syntax and usage information for the commands used in this section...

Page 239: ...nt is not configured for the device running the HTTPS server the server certifies itself and generates the needed RSA key pair Because a self certified self signed certificate does not provide adequate security the connecting client generates a notification that the certificate is self certified and the user has the opportunity to accept or reject the connection This option is useful for internal ...

Page 240: ...lgorithm and the digest algorithm to use on a SSL connection When connecting to the HTTPS server the client Web browser offers a list of supported CipherSuites and the client and server negotiate the best encryption algorithm to use from those on the list that are supported by both For example Netscape Communicator 4 76 supports U S security with RSA Public Key Cryptography MD2 MD5 RC2 CBC RC4 DES...

Page 241: ...P connections we recommend that you configure an official CA trustpoint A CA trustpoint is more secure than a self signed certificate Beginning in privileged EXEC mode follow these steps to configure a CA trustpoint Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 hostname hostname Specify the hostname of the switch required only if you have not previously configure...

Page 242: ...ificate of the peer has not been revoked Step 9 primary Optional Specify that the trustpoint should be used as the primary default trustpoint for CA requests Step 10 exit Exit CA trustpoint configuration mode and return to global configuration mode Step 11 crypto ca authentication name Authenticate the CA by getting the public key of the CA Use the same name used in Step 5 Step 12 crypto ca enroll...

Page 243: ...est a certificate from the server but the server does not attempt to authenticate the client Step 7 ip http secure trustpoint name Specify the CA trustpoint to use to get an X 509v3 security certificate and to authenticate the client certificate connection Note Use of this command assumes you have already configured a CA trustpoint according to the previous procedure Step 8 ip http path path name ...

Page 244: ...ep 2 ip http client secure trustpoint name Optional Specify the CA trustpoint to be used if the remote HTTP server requests client authentication Using this command assumes that you have already configured a CA trustpoint by using the previous procedure The command is optional if client authentication is not needed or if a primary trustpoint has been configured Step 3 ip http client secure ciphers...

Page 245: ... its secure transport the router must have an Rivest Shamir and Adelman RSA key pair Note When using SCP you cannot enter the password into the copy command You must enter the password when prompted Information About Secure Copy To configure Secure Copy feature you should understand these concepts The behavior of SCP is similar to that of remote copy rcp which comes from the Berkeley r tools suite...

Page 246: ...7 58 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 12247 04 Chapter 7 Configuring Switch Based Authentication Configuring the Switch for Secure Copy Protocol ...

Page 247: ... specific features depending on how the switch is used in the network You can select a template to provide maximum system usage for some functions for example use the default template to balance resources and use access template to obtain maximum ACL usage To allocate hardware resources for different usages the switch SDM templates prioritize system resources to optimize support for certain featur...

Page 248: ...es allow the switch to be used in dual stack environments supporting both IPv4 and IPv6 Using the dual stack templates results in less hardware capacity allowed for each resource Do not use them if you plan to forward only IPv4 traffic These SDM templates support IPv4 and IPv6 environments Dual IPv4 and IPv6 default template supports Layer 2 multicast routing QoS and ACLs for IPv4 and Layer 2 rout...

Page 249: ...h privileged EXEC command when an SDM mismatch exists Switch show switch Current Switch Role Mac Address Priority State 2 Master 000a fdfd 0100 5 Ready 4 Member 0003 fd63 9c00 5 SDM Mismatch Table 8 2 Approximate Feature Resources Allowed by Dual IPv4 IPv6 Templates Resource IPv4 and IPv6 Default IPv4 and IPv6 Routing IPv4 and IPv6 VLAN Unicast MAC addresses 2 K 1 5 K 8 K IPv4 IGMP groups and mult...

Page 250: ...uration information Default SDM Template page 8 4 SDM Template Configuration Guidelines page 8 4 Setting the SDM Template page 8 5 Default SDM Template The default template is the default Switch Database Management SDM desktop template SDM Template Configuration Guidelines Follow these guidelines when selecting and configuring SDM templates You must reload the switch for the configuration to take ...

Page 251: ...uration mode Step 2 sdm prefer access default dual ipv4 and ipv6 default routing vlan routing vlan Specify the SDM template to be used on the switch The keywords have these meanings access Maximize system resources for ACLs default Give balance to all functions dual ipv4 and ipv6 Select a template that supports both IPv4 and IPv6 routing default Balance IPv4 and IPv6 Layer 2 and Layer 3 functional...

Page 252: ...m prefer routing Switch config end Switch reload Proceed with reload confirm This example shows how to configure the IPv4 and IPv6 default template Switch config sdm prefer dual ipv4 and ipv6 default Switch config exit Switch reload Proceed with reload confirm Displaying the SDM Templates Use the show sdm prefer privileged EXEC command with no parameters to display the active template To display t...

Page 253: ...s is an example of output from the show sdm prefer dual ipv4 and ipv6 routing command Switch show sdm prefer dual ipv4 and ipv6 routing The current template is desktop IPv4 and IPv6 routing template The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs number of unicast mac addresses 1 5K number of IPv4 IGMP groups mult...

Page 254: ...8 8 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 12247 04 Chapter 8 Configuring SDM Templates Displaying the SDM Templates ...

Page 255: ... 9 65 Understanding IEEE 802 1x Port Based Authentication The IEEE 802 1x standard defines a client server based access control and authentication protocol that prevents unauthorized clients from connecting to a LAN through publicly accessible ports unless they are properly authenticated The authentication server authenticates each client connected to a switch port before making available any serv...

Page 256: ...ith Guest VLAN page 9 20 802 1x Authentication with Restricted VLAN page 9 21 802 1x Authentication with Inaccessible Authentication Bypass page 9 22 802 1x User Distribution page 9 26 802 1x Authentication with Voice VLAN Ports page 9 24 802 1x Authentication with Port Security page 9 24 802 1x Authentication with Downloadable ACLs and Redirect URLs page 9 18 VLAN ID based MAC Authentication page...

Page 257: ...rates in a client server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients Switch edge switch or wireless access point controls the physical access to the network based on the authentication status of the client The switch acts as an intermediary proxy between the client and the authentication server requesting identity informati...

Page 258: ...ess is valid and the authorization succeeds the switch grants the client access to the network If the client MAC address is invalid and the authorization fails the switch assigns the client to a guest VLAN that provides limited services if a guest VLAN is configured If the switch gets an invalid identity from an 802 1x capable client and a restricted VLAN is specified the switch can assign the cli...

Page 259: ... down All authentication servers are down Client identity is valid The switch gets an EAPOL message and the EAPOL message exchange begins Yes No 1 1 1 1 This occurs if the switch does not detect EAPOL packets from the client Client MAC address identity is invalid Client MAC address identity is valid Is the client IEEE 802 1x capable Start IEEE 802 1x port based authentication Use inaccessible auth...

Page 260: ... authentication on a port by using the authentication port control auto or dot1x port control auto interface configuration command the switch initiates authentication when the link state changes from down to up or periodically as long as the port remains up and unauthenticated The switch sends an EAP request identity frame to the client to request its identity Upon receipt of the frame the client ...

Page 261: ... switch uses the MAC address of the client as its identity and includes this information in the RADIUS access request frame that is sent to the RADIUS server After the server sends the switch the RADIUS access accept frame authorization is successful the port becomes authorized If authorization fails and a guest VLAN is specified the switch assigns the port to the guest VLAN If the switch detects ...

Page 262: ...luding CLI commands and messages on this switch and also on other network devices such as Catalyst 6000 switches You had to use separate authentication configurations Cisco IOS Release 12 2 50 SE and later supports the same authorization methods on all Catalyst switches in a network Port Based Authentication Methods page 9 9 Per User ACLs and Filter Ids page 9 10 Authentication Manager CLI Command...

Page 263: ...adable ACL2 Redirect URL2 MAC authentication bypass VLAN assignment Per user ACL Filter ID attribute Downloadable ACL2 Redirect URL2 VLAN assignment VLAN assignment Per user ACL2 Filter Id attribute2 Downloadable ACL2 Redirect URL2 Per user ACL2 Filter Id attribute2 Downloadable ACL2 Redirect URL2 Standalone web authentication4 Proxy ACL Filter Id attribute downloadable ACL2 NAC Layer 2 IP validat...

Page 264: ... and the authentication timer Generic authentication commands include the authentication host mode authentication violation and authentication timer interface configuration commands 802 1x specific commands begin with the dot1x keyword For example the authentication port control auto interface configuration command enables authentication on an interface However the dot1x system authentication cont...

Page 265: ...lient sends the request for a fixed number of times Because no response is received the client begins sending frames as if the port is in the authorized state authentication fallback fallback profile dot1x fallback fallback profile Configure a port to use web authentication as a fallback method for clients that do not support 802 1x authentication authentication host mode multi auth multi domain m...

Page 266: ...he request If no response is received from the server after the specified number of attempts authentication fails and network access is not granted When a client logs off it sends an EAPOL logoff message causing the switch port to change to the unauthorized state If the link state of a port changes from up to down or if an EAPOL logoff frame is received the port returns to the unauthorized state 8...

Page 267: ...cation in a wireless LAN In this mode only one of the attached clients must be authorized for all clients to be granted network access If the port becomes unauthorized re authentication fails or an EAPOL logoff message is received the switch denies network access to all of the attached clients In this topology the wireless access point is responsible for authenticating the clients attached to it a...

Page 268: ...evice for example a hub or an IP phone between an authenticated host and a switch port you might want to disconnect the host from the device and connect it directly to another port on the same switch You can globally enable MAC move so the device is reauthenticated on the new port When a host moves to a second port the session on the first port is deleted and the host is reauthenticated on the new...

Page 269: ...ommand Reference Release 12 2 at this URL http www cisco com en US products sw iosswrel ps1835 products_command_reference_book09186a 00800872ce html For more information about AV pairs see RFC 3580 802 1x Remote Authentication Dial In User Service RADIUS Usage Guidelines Table 9 3 Accounting AV Pairs Attribute Number AV Pair Name START INTERIM STOP Attribute 1 User Name Always Always Always Attrib...

Page 270: ...ve packets on the assigned voice VLAN Voice VLAN assignment behaves the same as data VLAN assignment on multidomain authentication MDA enabled ports For more information see the Multidomain Authentication section on page 9 29 When configured on the switch and the RADIUS server 802 1x authentication with VLAN assignment has these characteristics If no VLAN is supplied by the RADIUS server or if 802...

Page 271: ...ess port Assign vendor specific tunnel attributes in the RADIUS server The RADIUS server must return these attributes to the switch 64 Tunnel Type VLAN 65 Tunnel Medium Type 802 81 Tunnel Private Group ID VLAN name or VLAN ID Attribute 64 must contain the value VLAN type 13 Attribute 65 must contain the value 802 type 6 Attribute 81 specifies the VLAN name or VLAN ID assigned to the IEEE 802 1x au...

Page 272: ... access list is applied to the outbound ACL by default Because of limited support of Cisco IOS access lists on the switch the Filter Id attribute is supported only for IP ACLs numbered 1 to 199 and 1300 to 2699 IP standard and IP extended ACLs Per user ACLs are supported only in single host mode The maximum size of the per user ACL is 4000 ASCII characters but is limited by the maximum size of RAD...

Page 273: ... the default port ACL on the switch If a redirect URL configured for a client on the authentication server a default port ACL on the connected client switch port must also be configured Cisco Secure ACS and Attribute Value Pairs for Downloadable ACLs You can set the CiscoSecure Defined ACL Attribute Value AV pair on the Cisco Secure ACS with the RADIUS cisco av pair vendor specific attributes VSAs...

Page 274: ...tion and some hosts such as Windows 98 systems might not be IEEE 802 1x capable When you enable a guest VLAN on an 802 1x port the switch assigns clients to a guest VLAN when the switch does not receive a response to its EAP request identity frame or when EAPOL packets are not sent by the client The switch maintains the EAPOL packet history If an EAPOL packet is detected on the interface during th...

Page 275: ...AN section on page 9 49 802 1x Authentication with Restricted VLAN You can configure a restricted VLAN also referred to as an authentication failed VLAN for each IEEE 802 1x port on a switch stack or a switch to provide limited services to clients that cannot access the guest VLAN These clients are 802 1x compliant and cannot access another VLAN because they fail the authentication process A restr...

Page 276: ...ing and IP source guard can be configured independently on a restricted VLAN For more information see the Configuring a Restricted VLAN section on page 9 50 802 1x Authentication with Inaccessible Authentication Bypass Overview Use the inaccessible authentication bypass feature also referred to as critical authentication or the AAA fail policy when the switch cannot reach the configured RADIUS ser...

Page 277: ... Inaccessible authentication bypass is compatible with guest VLAN When a guest VLAN is enabled on 8021 x port the features interact as follows If at least one RADIUS server is available the switch assigns a client to a guest VLAN when the switch does not receive a response to its EAP request identity frame or when EAPOL packets are not sent by the client If all the RADIUS servers are not available...

Page 278: ... is equal to a voice VLAN Note If you enable 802 1x authentication on an access port on which a voice VLAN is configured and to which a Cisco IP Phone is connected the Cisco IP phone loses connectivity to the switch for up to 30 seconds For more information about voice VLANs see Chapter 15 Configuring Voice VLAN 802 1x Authentication with Port Security You can configure an 802 1x port with port se...

Page 279: ...formation see the Maximum Number of Allowed Devices Per Port section on page 9 36 and the command reference for this release For more information about enabling port security on your switch see the Configuring Port Security section on page 26 8 802 1x Authentication with Wake on LAN The 802 1x authentication with wake on LAN WoL feature allows dormant PCs to be powered when the switch receives a s...

Page 280: ...t one VLAN is mapped to the VLAN group You can map more than one VLAN to a VLAN group You can modify the VLAN group by adding or deleting a VLAN When you clear an existing VLAN from the VLAN group name none of the authenticated ports in the VLAN are cleared but the mappings are removed from the existing VLAN group If you clear the last VLAN from the VLAN group name the VLAN group is cleared You ca...

Page 281: ...igns the port to the guest VLAN if one is configured If re authentication is based on the Session Timeout RADIUS attribute Attribute 27 and the Termination Action RADIUS attribute Attribute 29 and if the Termination Action RADIUS attribute Attribute 29 action is Initialize the attribute value is DEFAULT the MAC authentication bypass session ends and connectivity is lost during re authentication If...

Page 282: ...about configuring NAC Layer 2 802 1x validation see the Configuring NAC Layer 2 802 1x Validation section on page 9 57 and the Configuring Periodic Re Authentication section on page 9 43 For more information about NAC see the Network Admission Control Software Configuration Guide For more configuration information see the Authentication Manager section on page 9 8 Flexible Authentication Ordering ...

Page 283: ...ion on either the voice or the data domain of a port it is error disabled Until a device is authorized the port drops its traffic Non Cisco IP phones or voice devices are allowed into both the data and voice VLANs The data VLAN allows the voice device to contact a DHCP server to obtain an IP address and acquire the voice VLAN information After the voice device starts sending on the voice VLAN its ...

Page 284: ... areas outside the wiring closet such as conference rooms This allows any type of device to authenticate on the port 802 1x switch supplicant You can configure a switch to act as a supplicant to another switch by using the 802 1x supplicant feature This configuration is helpful in a scenario where for example a switch is outside a wiring closet and is connected to an upstream switch through a trun...

Page 285: ...witch port you can also use AutoSmart ports user defined macros instead of the switch VSA This allows you to remove unsupported configurations on the authenticator switch port and to change the port mode from access to trunk For more information see Chapter 12 Configuring Smartports Macros For more information see the Configuring an Authenticator and a Supplicant Switch with NEAT section on page 9...

Page 286: ...ation Bypass page 9 56 optional Configuring 802 1x User Distribution page 9 55 optional Configuring NAC Layer 2 802 1x Validation page 9 57 optional Configuring an Authenticator and a Supplicant Switch with NEAT page 9 58 optional Configuring 802 1x Authentication with Downloadable ACLs and Redirect URLs page 9 60 optional Configuring VLAN ID based MAC Authentication page 9 62 optional Configuring...

Page 287: ...ponse to an EAP request identity frame from the client before resending the request Maximum retransmission number 2 times number of times that the switch will send an EAP request identity frame before restarting the authentication process Client timeout period 30 seconds when relaying a request from the authentication server to the client the amount of time the switch waits for a response before r...

Page 288: ...ic access ports voice VLAN ports and Layer 3 routed ports but it is not supported on these port types Trunk port If you try to enable 802 1x authentication on a trunk port an error message appears and 802 1x authentication is not enabled If you try to change the mode of an 802 1x enabled port to trunk an error message appears and the port mode is not changed Dynamic ports A port in dynamic mode ca...

Page 289: ...onfigure a guest VLAN for an 802 1x port to which a DHCP client is connected you might need to get a host IP address from a DHCP server You can change the settings for restarting the 802 1x authentication process on the switch before the DHCP process on the client times out and tries to get a host IP address from the DHCP server Decrease the settings for the 802 1x authentication process authentic...

Page 290: ...e authorization occurs Maximum Number of Allowed Devices Per Port This is the maximum number of devices allowed on an 802 1x enabled port In single host mode only one device is allowed on the access VLAN If the port is also configured with a voice VLAN an unlimited number of Cisco IP phones can send and receive traffic through the voice VLAN In multidomain authentication MDA mode one device is all...

Page 291: ...ult list that is used when a named list is not specified in the authentication command use the default keyword followed by the method that is to be used in default situations The default method list is automatically applied to all ports For method1 enter the group radius keywords to use the list of all RADIUS servers for authentication Note Though other keywords are visible in the command line hel...

Page 292: ...sible in the command line help string only the group radius keywords are supported Step 4 dot1x system auth control Enable 802 1x authentication globally on the switch Step 5 aaa authorization network default group radius Optional Configure the switch to use user RADIUS authorization for all network related service requests such as per user ACLs or VLAN assignment Note For per user ACLs single hos...

Page 293: ...e timeout period If the client does not respond to the query the client is not 802 1x capable No syslog message is generated The readiness check can be sent on a port that handles multiple hosts for example a PC that is connected to an IP phone A syslog message is generated for each of the clients that respond to the readiness check within the timer period Beginning in privileged EXEC mode follow ...

Page 294: ...utomatically re enabled If error disabled recovery is not configured for the port you re enable it by using the shutdown and no shutdown interface configuration commands You can re enable individual VLANs by using the clear errdisable interface interface id vlan vlan list privileged EXEC command If you do not specify a range all VLANs on the port are enabled Beginning in privileged EXEC mode follo...

Page 295: ...ng in privileged EXEC mode follow these steps to configure the RADIUS server parameters on the switch This procedure is required To delete the specified RADIUS server use the no radius server host hostname ip address global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 radius server host hostname ip address auth port port number key string C...

Page 296: ...uthorized port that has the dot1x port control interface configuration command set to auto Use the multi domain keyword to configure and enable multidomain authentication MDA which allows both a host and a voice device such as an IP phone Cisco or non Cisco on the same switch port This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface ...

Page 297: ...vlan 101 Switch config if end Configuring Periodic Re Authentication You can enable periodic 802 1x client re authentication and specify how often it occurs If you do not specify a time period before enabling re authentication the number of seconds between attempts is 3600 Beginning in privileged EXEC mode follow these steps to enable periodic re authentication of the client and to configure the n...

Page 298: ... connected to a port Switch dot1x re authenticate interface gigabitethernet2 0 1 Step 4 authentication timer inactivity reauthenticate server am restart value or dot1x timeout reauth period seconds server Set the number of seconds between re authentication attempts The authentication timer keywords have these meanings inactivity Interval in seconds after which if there is no activity from the clie...

Page 299: ...ame If the switch does not receive this response it waits a set period of time known as the retransmission time and then resends the frame Note You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers Beginning in privileged EXEC mode follow these steps to ch...

Page 300: ... set the switch to client frame retransmission number This procedure is optional To return to the default retransmission number use the no dot1x max req interface configuration command Step 3 dot1x timeout tx period seconds Set the number of seconds that the switch waits for a response to an EAP request identity frame from the client before resending the request The range is 1 to 65535 seconds the...

Page 301: ...on command This example shows how to set 4 as the number of times that the switch restarts the authentication process before the port changes to the unauthorized state Switch config if dot1x max reauth req 4 Enabling MAC Move MAC move allows an authenticated host to move from one port on the switch to another Beginning in privileged EXEC mode follow these steps to globally enable MAC move on the s...

Page 302: ...erim update messages and time stamps To turn on these functions enable logging of Update Watchdog packets from this AAA client in your RADIUS server Network Configuration tab Next enable CVS RADIUS Accounting in your RADIUS server System Configuration tab Beginning in privileged EXEC mode follow these steps to configure 802 1x accounting after AAA is enabled on your switch This procedure is option...

Page 303: ...the guest VLAN use the no dot1x guest vlan interface configuration command The port returns to the unauthorized state This example shows how to enable VLAN 2 as an 802 1x guest VLAN Switch config interface gigabitethernet2 0 2 Switch config if dot1x guest vlan 2 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be configured...

Page 304: ...ng in privileged EXEC mode follow these steps to configure a restricted VLAN This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be configured and enter interface configuration mode For the supported port types see the 802 1x Authentication Configuration Guidelines section on page 9 34 Step 3 switchp...

Page 305: ...before the port moves to the restricted VLAN Switch config if dot1x auth fail max attempts 2 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be configured and enter interface configuration mode For the supported port types see the 802 1x Authentication Configuration Guidelines section on page 9 34 Step 3 switchport mode ac...

Page 306: ...pass feature This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 radius server dead criteria time time tries tries Optional Set the conditions that are used to decide when a RADIUS server is considered unavailable or dead The range for time is from 1 to 120 seconds The switch dynamically determines the default seconds value that is 10 to 60 s...

Page 307: ...DIUS server accounting port ignore auth port Disable testing on the RADIUS server authentication port For key string specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server The key is a text string that must match the encryption key used on the RADIUS server Note Always configure the key as the last item in the radius server host com...

Page 308: ...itical recovery action reinitialize Switch config if dot1x critical vlan 20 Switch config if end Step 6 interface interface id Specify the port to be configured and enter interface configuration mode For the supported port types see the 802 1x Authentication Configuration Guidelines section on page 9 34 Step 7 authentication event server dead action authorize reinitialize vlan vlan id Use these ke...

Page 309: ...oup eng dept vlan list 30 switch config show vlan group eng dept Group Name Vlans Mapped eng dept 10 30 This example shows how to remove a VLAN from a VLAN group switch no vlan group eng dept vlan list 10 This example shows that when all the VLANs are cleared from a VLAN group the VLAN group is cleared switch config no vlan group eng dept vlan list 30 Vlan 30 is successfully cleared from vlan grou...

Page 310: ...the supported port types see the 802 1x Authentication Configuration Guidelines section on page 9 34 Step 3 dot1x control direction both in Enable 802 1x authentication with WoL on the port and use these keywords to configure the port as bidirectional or unidirectional both Sets the port as bidirectional The port cannot receive packets from or send packets to the host By default the port is bidire...

Page 311: ...rify your entries Step 7 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be configured and enter interface configuration mode Step 3 dot1x guest vlan vlan id Specify an active VLAN as an 802 1x guest VLAN The range is 1 ...

Page 312: ...d Beginning in privileged EXEC mode follow these steps to configure a switch as an authenticator Step 6 end Return to privileged EXEC mode Step 7 show authentication interface id or show dot1x interface interface id Verify your 802 1x authentication configuration Step 8 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 co...

Page 313: ...h config if dot1x credentials test Switch config if end Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 cisp enable Enable CISP Step 3 dot1x credentials profile Create 802 1x credentials profile This must be attached to the port that is configured as supplicant Step 4 username suppswitch Create a username Step 5 password password Create a password for the new usern...

Page 314: ...le ACLs The policies take effect after client authentication and the client IP address addition to the IP device tracking table The switch then applies the downloadable ACL to the port Beginning in privileged EXEC mode Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip device tracking Configure the ip device tracking table Step 3 aaa new model Enables AAA Step 4 aa...

Page 315: ...essage about the packet that matches the entry to be sent to the console Step 3 interface interface id Enter interface configuration mode Step 4 ip access group acl id in Configure the default ACL on the port in the input direction Note The acl id is an access list name or number Step 5 exit Returns to global configuration mode Step 6 aaa new model Enables AAA Step 7 aaa authorization network defa...

Page 316: ...ion You can use the debug radius accounting privileged EXEC command to confirm the RADIUS attribute 32 For more information about this command see the Cisco IOS Debug Command Reference Release 12 2 at this URL http www cisco com en US docs ios debug command reference db_q1 html wp1123741 This example shows how to globally enable VLAN ID based MAC authentication on a switch Switch config terminal E...

Page 317: ...entication Optional Verify your entries Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be configured and enter interface configuration mode Step 3 authentication control direction both in Optional Configure the port control as u...

Page 318: ...uration command This example shows how to disable 802 1x authentication on the port Switch config interface gigabitethernet2 0 1 Switch config if no dot1x pae authenticator Resetting the 802 1x Authentication Configuration to the Default Values Beginning in privileged EXEC mode follow these steps to reset the 802 1x authentication configuration to the default values This procedure is optional Comm...

Page 319: ...ce id privileged EXEC command To display the 802 1x administrative and operational status for the switch use the show dot1x all details statistics summary privileged EXEC command To display the 802 1x administrative and operational status for a specific port use the show dot1x interface interface id privileged EXEC command For detailed information about the fields in these displays see the command...

Page 320: ...9 66 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 12247 04 Chapter 9 Configuring IEEE 802 1x Port Based Authentication Displaying 802 1x Statistics and Status ...

Page 321: ...not run the IEEE 802 1x supplicant Note You can configure web based authentication on Layer 2 and Layer 3 interfaces When you initiate an HTTP session web based authentication intercepts ingress HTTP packets from the host and sends an HTML login page to the users The users enter their credentials which the web based authentication feature sends to the authentication authorization and accounting AA...

Page 322: ...ponds to requests from the switch The workstation must be running an HTML browser with Java Script enabled Authentication server Authenticates the client The authentication server validates the identity of the client and notifies the switch that the client is authorized to access the LAN and the switch services or that the client is denied Switch Controls the physical access to the network based o...

Page 323: ...is established Reviews for authorization bypass If the host IP is not on the exception list web based authentication sends a nonresponsive host NRH request to the server If the server response is access accepted authorization is bypassed for this host The session is established Sets up the HTTP intercept ACL If the server response to the NRH request is access rejected the HTTP intercept ACL is act...

Page 324: ...in the response from the server If the terminate action is default the session is dismantled and the applied policy is removed Local Web Authentication Banner You can create a banner that will appear when you log in to a switch by using web authentication The banner appears on both the login page and the authentication result pop up pages Authentication Successful Authentication Failed Authenticat...

Page 325: ...Customized Web Banner If you do not enable a banner only the username and password dialog boxes appear in the web authentication login screen and no banner appears when you log into the switch as shown in Figure 10 4 Figure 10 4 Login Screen With No Banner For more information see the Cisco IOS Security Command Reference and the Configuring a Web Authentication Local Banner section on page 10 17 ...

Page 326: ...age time out to set a hidden password or to confirm that the same page is not submitted twice The CLI command to redirect users to a specific URL is not available when the configured login form is enabled The administrator should ensure that the redirection is configured in the web page If the CLI command redirecting users to specific URL after authentication occurs is entered and then the command...

Page 327: ...ity page 10 7 LAN Port IP page 10 8 Gateway IP page 10 8 ACLs page 10 8 Context Based Access Control page 10 8 802 1x Authentication page 10 8 EtherChannel page 10 8 Port Security You can configure web based authentication and port security on the same port Web based authentication authenticates the port and port security manages network access for all MAC addresses including that of the client Yo...

Page 328: ...ased authentication host policy ACLs If you configure a VLAN ACL or a Cisco IOS ACL on an interface the ACL is applied to the host traffic only after the web based authentication host policy is applied For Layer 2 web based authentication you must configure a port ACL PACL as the default access policy for ingress traffic from hosts connected to the port After authentication the web based authentic...

Page 329: ...gress only feature You can configure web based authentication only on access ports Web based authentication is not supported on trunk ports EtherChannel member ports or dynamic trunk ports You must configure the default ACL on the interface before configuring web based authentication Configure a port ACL for a Layer 2 interface or a Cisco IOS ACL for a Layer 3 interface You cannot authenticate hos...

Page 330: ...rfaces This example shows how to enable web based authentication on Fast Ethernet port 5 1 Switch config ip admission name webauth1 proxy http Switch config interface fastethernet 5 1 Switch config if ip admission webauth1 Switch config if exit Switch config ip device tracking This example shows how to verify the configuration Switch show ip admission configuration Authentication Proxy Banner not ...

Page 331: ...nation of the IP address and UDP port number creates a unique identifier that enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address If two different host entries on the same RADIUS server are configured for the same service for example authentication the second host entry that is configured functions as the failover backup to the first one The RADIUS host entr...

Page 332: ...nd Reference Release 12 2 at this URL http www cisco com en US docs ios 12_2 security command reference fsecur_r html Note You need to configure some settings on the RADIUS server including the switch IP address the key string to be shared by both the server and the switch and the downloadable ACL DACL For more information see the RADIUS server documentation Command Purpose Step 1 ip radius source...

Page 333: ...uthentication to display four substitute HTML pages to the user in place of the switch default HTML pages during web based authentication To specify the use of your custom authentication proxy web pages first store your custom HTML files on the switch flash memory then perform this task in global configuration mode Command Purpose Step 1 ip http server Enable the HTTP server The web based authenti...

Page 334: ...of a custom file use the no form of the command Because the custom login page is a public web form consider these guidelines for the page The login form must accept user entries for the username and password and must show them as uname and pwd The custom login page should follow best practices for a web form such as page timeout hidden password and prevention of redundant submissions This example ...

Page 335: ...ion configuration Authentication Proxy Banner not configured Customizable Authentication Proxy webpage not configured HTTP Authentication success redirect to URL http www cisco com Authentication global cache time is 60 minutes Authentication global absolute time is 0 minutes Authentication global init state time is 2 minutes Authentication Proxy Watch list is disabled Authentication Proxy Max HTT...

Page 336: ...Address 209 165 201 11 MAC Address 0000 0000 0000 Interface Vlan333 Port 3999 Timeout 60 Age 1 State AAA Down AAA Down policy AAA_FAIL_POLICY Configuring the Web Based Authentication Parameters You can configure the maximum number of failed login attempts before the client is placed in a watch list for a waiting period This example shows how to set the maximum number of failed login attempts to 10...

Page 337: ...shows how to remove the web based authentication session for the client at the IP address 209 165 201 1 Switch clear ip auth proxy cache 209 165 201 1 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip admission auth proxy banner http banner text file path Enable the local banner Optional Create a custom banner by entering C banner text C where C is a delimiting ch...

Page 338: ... shows how to view only the global web based authentication status Switch show authentication sessions This example shows how to view the web based authentication settings for gigabit interface 3 27 Switch show authentication sessions interface gigabitethernet 3 27 Command Purpose Step 1 show authentication sessions interface type slot port Displays the web based authentication settings type faste...

Page 339: ...nterfaces page 11 28 Note For complete syntax and usage information for the commands used in this chapter see the switch command reference for this release and the online Cisco IOS Interface Command Reference Release 12 2 Understanding Interface Types This section describes the different types of interfaces supported by the switch with references to chapters that contain more detailed information ...

Page 340: ...erver mode These VLANs are saved in the VLAN database In a switch stack the VLAN database is downloaded to all switches in a stack and all switches in the stack build the same VLAN database In a switch stack the running configuration and the saved configuration are the same for all switches in a stack Add ports to a VLAN by using the switchport interface configuration commands Identify the interfa...

Page 341: ... device attached to the phone For more information about voice VLAN ports see Chapter 15 Configuring Voice VLAN Trunk Ports A trunk port carries the traffic of multiple VLANs and by default is a member of all VLANs in the VLAN database These trunk port types are supported In an ISL trunk port all received packets are expected to be encapsulated with an ISL header and all transmitted packets are se...

Page 342: ... like a regular router interface except that it does not support VLAN subinterfaces Routed ports can be configured with a Layer 3 routing protocol A routed port is a Layer 3 interface only and does not support Layer 2 protocols such as DTP and STP Configure routed ports by putting the interface into Layer 3 mode with the no switchport interface configuration command Then assign an IP address to th...

Page 343: ...er the vlan interface configuration command for a VLAN interface The VLAN corresponds to the VLAN tag associated with data frames on an ISL or IEEE 802 1Q encapsulated trunk or the VLAN ID configured for an access port Configure a VLAN interface for each VLAN for which you want to route traffic and assign it an IP address For more information see the Manually Assigning IP Information section on pa...

Page 344: ...ic previously carried over the failed link changes to the remaining links You can group multiple trunk ports into one logical trunk port group multiple access ports into one logical access port group multiple tunnel ports into one logical tunnel port or group multiple routed ports into one logical routed port Most protocols operate over either single ports or aggregated switch ports and do not rec...

Page 345: ... need for an external router Figure 11 1 Figure 11 1 Connecting VLANs with the Blade Switch When the IP services feature set is running on the switch or the stack master the switch uses two methods to forward traffic between interfaces routing and fallback bridging If the IP base feature set is on the switch or the stack master only basic routing static routing and RIP is supported Whenever possib...

Page 346: ...umber and enter interface configuration mode Type Gigabit Ethernet gigabitethernet or gi for 10 100 1000 Mb s Ethernet ports 10 Gigabit Ethernet tengigabitethernet or te for 10 000 Mb s or small form factor pluggable SFP module Gigabit Ethernet interfaces gigabitethernet or gi Stack member number The number that identifies the switch within the stack The switch number range is 1 to 9 and is assign...

Page 347: ...ace configuration processes Step 1 Enter the configure terminal command at the privileged EXEC prompt Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config Step 2 Enter the interface global configuration command Identify the interface type the switch number only stacking capable switches and the number of the connector In this example Gigabit Ethernet po...

Page 348: ...witches tengigabitethernet module first port last port where the module is always 0 for nonstacking capable switches tengigabitethernet stack member module first port last port where the module is always 0 for stacking capable switches port channel port channel number port channel number where the port channel number is 1 to 64 Command Purpose Step 1 configure terminal Enter global configuration m...

Page 349: ...o use a comma to add different interface type strings to the range to enable Gigabit Ethernet ports 1 to 3 and 10 Gigabit Ethernet ports 1 and 2 to receive flow control pause frames Switch configure terminal Switch config interface range gigabitethernet1 0 1 3 tengigabitethernet1 0 1 2 Switch config if range flowcontrol receive on If you enter multiple configuration commands while you are in inter...

Page 350: ...le gigabitethernet1 0 1 4 is a valid range gigabitethernet1 0 1 4 is not a valid range The VLAN interfaces must have been configured with the interface vlan command The show running config privileged EXEC command displays the configured VLAN interfaces VLAN interfaces not displayed by the show running config command cannot be used as interface ranges All interfaces defined as in a range must be th...

Page 351: ...rnal Ethernet Management Port page 11 13 Supported Features on the Ethernet Management Port page 11 15 Layer 3 Routing Configuration Guidelines page 11 16 Monitoring the Ethernet Management Port page 11 16 TFTP and the Ethernet Management Port page 11 17 Understanding the Internal Ethernet Management Port The internal Ethernet management port also referred to as the Fa0 or fastethernet0 port is an...

Page 352: ...nected to the Chassis Management Module However only the Ethernet management port for the stack master is enabled The active link is from the Ethernet management port on the stack master through the Chassis Management Module to the PC If the stack master fails and a new stack master is elected the active link is now from the Ethernet management port on the new stack master through the Chassis Mana...

Page 353: ...ports only these features Express Setup only in switch stacks Network Assistant 1 Chassis Management Module 2 Internal Ethernet management port that are not active because they are not on the stack master stack member 4 3 Active internal Ethernet management port on the stack master Note The internal Ethernet management ports on the stack members are disabled 201910 PC Blade switch Blade switch Enc...

Page 354: ... Protocol RIP or Open Shortest Path First OSPF is enabled RIP or OSPF advertises routes with the internal Ethernet management port By default RIP and OSPF are disabled For traffic to be routed between VLAN 1 and the Ethernet management port IP routing must be enabled Virtual private network routing and forwarding VRF can be used to separate the routing domains for the Ethernet management port and ...

Page 355: ...e Layer 2 parameters if the interface is in Layer 3 mode you must enter the switchport interface configuration command without any parameters to put the interface into Layer 2 mode This shuts down the interface and then re enables it which might generate messages on the device to which Table 11 1 Boot Loader Commands Command Description arp ip_address Displays the currently cached ARP1 table when ...

Page 356: ...ts nonconfigurable Autonegotiate for the external 10 100 1000 Mb s and SFP module ports Not supported on the 10 Gigabit interfaces Duplex mode Full duplex for the internal ports nonconfigurable Autonegotiate for the external 10 100 1000 Mb s and SFP module ports Not supported on the 10 Gigabit interfaces Flow control Flow control is set to receive off It is always off for sent packets EtherChannel...

Page 357: ...e external Gigabit Ethernet 10 100 1000 Mb s ports support all speed options and all duplex options auto half and full However Gigabit Ethernet ports operating at 1000 Mb s do not support half duplex mode The internal Ethernet management ports do not support the speed and duplex features These ports operate only at 1000 Mb s and in full duplex mode For SFP module ports the speed and duplex CLI opt...

Page 358: ...meter for the interface Enter 10 100 or 1000 to set a specific speed for the interface The 1000 keyword is available only for 10 100 1000 Mb s ports Enter auto to enable the interface to autonegotiate speed with the connected device If you use the 10 100 or the 1000 keywords with the auto keyword the port autonegotiates only at the specified speeds The nonegotiate keyword is available only for SFP...

Page 359: ...ed to send flow control packets or with an attached device that is not required to but can send flow control packets These rules apply to flow control settings on the device receive on or desired The port cannot send pause frames but can operate with an attached device that is required to or can send pause frames the port can receive pause frames receive off Flow control does not operate in either...

Page 360: ...the feature operates correctly Auto MDIX is supported on all 10 100 1000 Mb s and on 10 100 1000BASE TX small form factor pluggable SFP module interfaces It is not supported on 1000BASE SX or LX SFP module interfaces Table 11 3 shows the link states that result from auto MDIX settings and correct and incorrect cabling Beginning in privileged EXEC mode follow these steps to configure auto MDIX on a...

Page 361: ...figuration command to delete the description This example shows how to add a description on a port and how to verify the description Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config interface gigabitethernet1 0 2 Switch config if description Connects to Marketing Switch config if end Switch show interfaces gigabitethernet1 0 2 description Interface ...

Page 362: ...the number of other features being configured might have an impact on CPU usage because of hardware limitations If the switch is using its maximum hardware resources attempts to create a routed port or SVI have these results If you try to create a new routed port the switch generates a message that there are not enough resources to convert the interface to a routed port and the interface remains a...

Page 363: ...p the SVI state up You can use this command to exclude the monitoring port status when determining the status of the SVI Beginning in privileged EXEC mode follow these steps to exclude a port from SVI state change calculations Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface gigabitethernet interface id vlan vlan id port channel port channel number Specify...

Page 364: ... switch does not support the MTU on a per interface basis You can enter the system mtu bytes global configuration command on a switch but the command does not take effect on the switch The system mtu jumbo global configuration commands do not take effect when you enter the system mtu routing command on a switch on which only Layer 2 ports are configured When you use the system mtu bytes or system ...

Page 365: ...abit Ethernet interfaces to an out of range number Switch config system mtu jumbo 25000 Invalid input detected at marker Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 system mtu jumbo bytes Optional Change the MTU size for all Gigabit Ethernet and 10 Gigabit Ethernet interfaces on the switch or the switch stack The range is from 1500 to 9198 bytes Step 3 system m...

Page 366: ...sabled Display interface status or a list of interfaces in the error disabled state show interfaces interface id switchport Display administrative and operational status of switching nonrouting ports You can use this command to find out if a port is in routing or in switching mode show interfaces interface id description Display the description configured on an interface or all interfaces and the ...

Page 367: ...on the specified interface and marks the interface as unavailable on all monitoring command displays This information is communicated to other network servers through all dynamic routing protocols The interface is not mentioned in any routing updates Beginning in privileged EXEC mode follow these steps to shut down an interface Use the no shutdown interface configuration command to restart the int...

Page 368: ...11 30 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 12247 04 Chapter 11 Configuring Interface Characteristics Monitoring and Maintaining the Interfaces ...

Page 369: ... a set of command line interface CLI commands that you define Smartports macros do not contain new CLI commands they are simply a group of existing CLI commands When you apply a Smartports macro on an interface the CLI commands within the macro are configured on the interface When the macro is applied to an interface the existing interface configurations are not lost The new commands are added to ...

Page 370: ... change the command mode by using interface interface id This could cause commands that follow exit end or interface interface id to execute in a different command mode When creating a macro all CLI commands should be in the same configuration mode cisco phone Use this interface configuration macro when connecting a desktop device such as a PC with a Cisco IP Phone to a switch port This macro is a...

Page 371: ...cro name interface configuration command to apply and debug a macro to find any syntax or configuration errors If a command fails because of a syntax error or a configuration error the macro continues to apply the remaining commands Some CLI commands are specific to certain interface types If a macro is applied to an interface that does not accept the configuration the macro will fail the syntax c...

Page 372: ...ition and enter a macro name A macro definition can contain up to 3000 characters Enter the macro commands with one command per line Use the character to end the macro Use the character at the beginning of a line to enter comment text within the macro Optional You can define keywords within a macro by using a help string to specify the keywords Enter macro keywords word to define the keywords that...

Page 373: ...ut entering the keyword values the commands are invalid and are not applied Step 3 macro global description text Optional Enter a description about the macro that is applied to the switch Step 4 interface interface id Optional Enter interface configuration mode and specify the interface on which to apply the macro Step 5 default interface interface id Optional Clear all configuration from the spec...

Page 374: ...iption Interface Macro Description Gi1 0 2 desktop config This example shows how to apply the user created macro called desktop config and to replace all occurrences of VLAN 1 with VLAN 25 Switch config if macro apply desktop config vlan 25 Applying Cisco Default Smartports Macros Beginning in privileged EXEC mode follow these steps to apply a Smartports macro Command Purpose Step 1 show parser ma...

Page 375: ... security age is greater than one minute and use inactivity timer switchport port security violation restrict switchport port security aging time 2 switchport port security aging type inactivity Configure port as an edge network port spanning tree portfast spanning tree bpduguard enable Switch Switch configure terminal Switch config gigabitethernet1 0 4 Switch config if macro apply cisco desktop A...

Page 376: ...use one or more of the privileged EXEC commands in Table 12 2 Table 12 2 Commands for Displaying Smartports Macros Command Purpose show parser macro Displays all configured macros show parser macro name macro name Displays a specific macro show parser macro brief Displays the configured macro names show parser macro description interface interface id Displays the macro description for all interfac...

Page 377: ...LAN is a switched network that is logically segmented by function project team or application without regard to the physical locations of the users VLANs have the same attributes as physical LANs but you can group end stations even if they are not physically located on the same LAN segment Any switch port can belong to a VLAN and unicast broadcast and multicast packets are forwarded and flooded on...

Page 378: ...ge 11 5 and the Configuring Layer 3 Interfaces section on page 11 24 Note If you plan to configure many VLANs on the switch and to not enable routing you can use the sdm prefer vlan global configuration command to set the Switch Database Management sdm feature to the VLAN template which configures system resources to support the maximum number of unicast MAC addresses For more information on the S...

Page 379: ...ng Static Access Ports to a VLAN section on page 13 10 VTP is not required If you do not want VTP to globally propagate information set the VTP mode to transparent To participate in VTP there must be at least one trunk port on the switch or the switch stack connected to a trunk port of a second switch or switch stack Trunk ISL or IEEE 802 1Q A trunk port is a member of all VLANs by default includi...

Page 380: ...t file that is consistent with the stack master Voice VLAN A voice VLAN port is an access port attached to a Cisco IP Phone configured to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone For more information about voice VLAN ports see Chapter 15 Configuring Voice VLAN VTP is not required it has no effect on a voice VLAN Private VLAN A private VLA...

Page 381: ...er SAID Bridge identification number for TrBRF VLANs Ring number for FDDI and TrCRF VLANs Parent VLAN number for TrCRF VLANs Spanning Tree Protocol STP type for TrCRF VLANs VLAN number to use when translating from one VLAN type to another Note This section does not provide configuration details for most of these parameters For complete information on the commands and parameters that control VLAN c...

Page 382: ...on If extended VLANs are configured you cannot convert from VTP version 3 to version 1 or 2 See the Configuring Extended Range VLANs section on page 13 11 Before you can create a VLAN the switch must be in VTP server mode or VTP transparent mode If the switch is a VTP server you must define a VTP domain or VTP will not function The switch does not support Token Ring or FDDI media The switch does n...

Page 383: ... config startup config privileged EXEC command to save the configuration in the startup configuration file In a switch stack the whole stack uses the same vlan dat file and running configuration To display the VLAN configuration enter the show vlan privileged EXEC command When you save VLAN and VTP information including extended range VLAN configuration information in the startup configuration fil...

Page 384: ...ese steps to create or modify an Ethernet VLAN Table 13 2 Ethernet VLAN Defaults and Ranges Parameter Default Range VLAN ID 1 1 to 4094 Note Extended range VLANs VLAN IDs 1006 to 4094 are not saved in the VLAN database VLAN name VLANxxxx where xxxx represents four numeric digits including leading zeros equal to the VLAN ID number No range IEEE 802 10 SAID 100001 100000 plus the VLAN ID 1 to 429496...

Page 385: ...d to that VLAN become inactive They remain associated with the VLAN and thus inactive until you assign them to a new VLAN Beginning in privileged EXEC mode follow these steps to delete a VLAN on the switch Step 3 name vlan name Optional Enter a name for the VLAN If no name is entered for the VLAN the default is to append the vlan id with leading zeros to the word VLAN For example VLAN0004 is a def...

Page 386: ...ch config if switchport mode access Switch config if switchport access vlan 2 Switch config if end Step 4 show vlan brief Verify the VLAN removal Step 5 copy running config startup config Optional If the switch is in VTP transparent mode the VLAN configuration is saved in the running configuration file as well as in the VLAN database This saves the configuration in the switch startup configuration...

Page 387: ... Guidelines page 13 11 Creating an Extended Range VLAN page 13 12 Creating an Extended Range VLAN with an Internal VLAN ID page 13 13 Default VLAN Configuration See Table 13 2 on page 13 8 for the default configuration for Ethernet VLANs You can change only the MTU size private VLAN and the remote SPAN configuration state on extended range VLANs all other characteristics must remain at the default...

Page 388: ...ernal VLAN ID section on page 13 13 Although the switch or switch stack supports a total of 1005 normal range and extended range VLANs the number of routed ports SVIs and other configured features affects the use of the switch hardware If you try to create an extended range VLAN and there are not enough hardware resources available an error message is generated and the extended range VLAN is rejec...

Page 389: ...ID you must temporarily shut down the routed port that is using the internal VLAN ID Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 vtp mode transparent Configure the switch for VTP transparent mode disabling VTP Note This step is not required for VTP version 3 Step 3 vlan vlan id Enter an extended range VLAN ID and enter VLAN configuration mode The range is 1006 ...

Page 390: ...hut down the port to free the internal VLAN ID Step 5 exit Return to global configuration mode Step 6 vtp mode transparent Set the VTP mode to transparent for creating extended range VLANs Note This step is not required for VTP version 3 Step 7 vlan vlan id Enter the new extended range VLAN ID and enter VLAN configuration mode Step 8 exit Exit from VLAN configuration mode and return to global conf...

Page 391: ...h interfaces and another networking device such as a router or a switch Ethernet trunks carry the traffic of multiple VLANs over a single link and you can extend the VLANs across an entire network Two trunking encapsulations are available on all Ethernet interfaces Inter Switch Link ISL Cisco proprietary trunking encapsulation IEEE 802 1Q industry standard trunking encapsulation Figure 13 2 shows ...

Page 392: ...should configure interfaces connected to devices that do not support DTP to not forward DTP frames that is to turn off DTP If you do not intend to trunk across those links use the switchport mode access interface configuration command to disable trunking To enable trunking to a device that does not support DTP use the switchport mode trunk and switchport nonegotiate interface configuration command...

Page 393: ...vert the link to a trunk link The interface becomes a trunk interface if the neighboring interface is set to trunk desirable or auto mode switchport mode trunk Puts the interface into permanent trunking mode and negotiates to convert the neighboring link into a trunk link The interface becomes a trunk interface even if the neighboring interface is not a trunk interface switchport nonegotiate Preve...

Page 394: ...d spanning tree loops might result Disabling spanning tree on the native VLAN of an IEEE 802 1Q trunk without disabling spanning tree on every VLAN in the network can potentially cause spanning tree loops We recommend that you leave spanning tree enabled on the native VLAN of an IEEE 802 1Q trunk or disable spanning tree on every VLAN in the network Make sure your network is loop free before disab...

Page 395: ... a group is first created all ports follow the parameters set for the first port to be added to the group If you change the configuration of one of these parameters the switch propagates the setting you entered to all ports in the group allowed VLAN list STP port priority for each VLAN STP Port Fast setting trunk status if one port in a port group ceases to be a trunk all ports cease to be trunks ...

Page 396: ...e specific VLANs from the allowed list Step 3 switchport trunk encapsulation isl dot1q negotiate Configure the port to support ISL or IEEE 802 1Q encapsulation or to negotiate the default with the neighboring interface for encapsulation type You must configure each end of the link with the same encapsulation type Step 4 switchport mode dynamic auto desirable trunk Configure the interface as a Laye...

Page 397: ...ly becomes a member of the enabled VLAN When VTP detects a new VLAN and the VLAN is not in the allowed list for a trunk port the trunk port does not become a member of the new VLAN Beginning in privileged EXEC mode follow these steps to modify the allowed list of a trunk To return to the default allowed VLAN list of all VLANs use the no switchport trunk allowed vlan interface configuration command...

Page 398: ...AN ID For information about IEEE 802 1Q configuration issues see the IEEE 802 1Q Configuration Considerations section on page 13 18 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Select the trunk port for which VLANs should be pruned and enter interface configuration mode Step 3 switchport trunk pruning vlan add except none remove vlan list ...

Page 399: ...m a loop the switch uses the STP port priority to decide which port is enabled and which port is in a blocking state You can set the priorities on a parallel trunk port so that the port carries all the traffic for a given VLAN The trunk port with the higher priority lower values for a VLAN is forwarding traffic for that VLAN The trunk port with the lower priority higher values for the same VLAN re...

Page 400: ...370 Switch A Switch B Trunk 2 VLANs 3 6 priority 16 VLANs 8 10 priority 128 Trunk 1 VLANs 8 10 priority 16 VLANs 3 6 priority 128 Command Purpose Step 1 configure terminal Enter global configuration mode on Switch A Step 2 vtp domain domain name Configure a VTP administrative domain The domain name can be 1 to 32 characters Step 3 vtp mode server Configure Switch A as the VTP server Step 4 end Ret...

Page 401: ... for a second port in the switch or switch stack Step 14 Repeat Steps 7 through 11 on Switch B to configure the trunk ports that connect to the trunk ports configured on Switch A Step 15 show vlan When the trunk links come up VTP passes the VTP and VLAN information to Switch B Verify that Switch B has learned the VLAN configuration Step 16 configure terminal Enter global configuration mode on Swit...

Page 402: ...turn to global configuration mode Step 6 Repeat Steps 2 through 5 on a second interface in Switch A Step 7 end Return to privileged EXEC mode Step 8 show running config Verify your entries In the display make sure that the interfaces are configured as trunk ports Step 9 show vlan When the trunk links come up Switch A receives the VTP information from the other switches Verify that Switch A has lea...

Page 403: ...g and whether or not the server is in open or secure mode In secure mode the server shuts down the port when an illegal host is detected In open mode the server simply denies the host access to the port If the port is currently unassigned that is it does not yet have a VLAN assignment the VMPS provides one of these responses If the host is allowed on the port the VMPS sends the client a vlan assig...

Page 404: ... be active on a dynamic access port if they are all in the same VLAN however the VMPS shuts down a dynamic access port if more than 20 hosts are active on the port If the link goes down on a dynamic access port the port returns to an isolated state and does not belong to a VLAN Any hosts that come online through the port are checked again through the VQP with the VMPS before the port is assigned t...

Page 405: ...ic access ports A dynamic access port can participate in fallback bridging The VTP management domain of the VMPS client and the VMPS server must be the same The VLAN configured on the VMPS server should not be a voice VLAN Configuring the VMPS Client You configure dynamic VLANs by using the VMPS server The switch can be a VMPS client it cannot be a VMPS server Entering the IP Address of the VMPS Y...

Page 406: ...ow these steps to confirm the dynamic access port VLAN membership assignments that the switch has received from the VMPS Changing the Reconfirmation Interval VMPS clients periodically reconfirm the VLAN membership information received from the VMPS You can set the number of minutes after which reconfirmation occurs Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 in...

Page 407: ...arts to query the secondary VMPS VMPS domain server the IP address of the configured VLAN membership policy servers The switch sends queries to the one marked current The one marked primary is the primary server VMPS Action the result of the most recent reconfirmation attempt A reconfirmation attempt can occur automatically when the reconfirmation interval expires or you can force it by entering t...

Page 408: ...t The VMPS shuts down the port to prevent the host from connecting to the network More than 20 active hosts reside on a dynamic access port To re enable a disabled dynamic access port enter the shutdown interface configuration command followed by the no shutdown interface configuration command VMPS Configuration Example Figure 13 6 shows a network with a VMPS server switch and VMPS client switches...

Page 409: ...ver 2 Catalyst 6500 series Secondary VMPS Server 3 172 20 26 150 172 20 26 151 Catalyst 6500 series switch A 172 20 26 152 Switch C Ethernet segment Trunk link 172 20 26 153 172 20 26 154 172 20 26 155 172 20 26 156 172 20 26 157 172 20 26 158 172 20 26 159 Client switch I Client switch B Server 2 Server 1 TFTP server Dynamic access port Dynamic access port Switch J Switch D Switch E Switch F Swit...

Page 410: ...13 34 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 12247 04 Chapter 13 Configuring VLANs Configuring VMPS ...

Page 411: ...ecifications and security violations Before you create VLANs you must decide whether to use VTP in your network Using VTP you can make configuration changes centrally on one or more switches and have those changes automatically communicated to all the other switches in the network Without VTP you cannot send information about VLANs to other switches VTP is designed to work in an environment where ...

Page 412: ...By default the switch is in the VTP no management domain state until it receives an advertisement for a domain over a trunk link a link that carries the traffic of multiple VLANs or until you configure a domain name Until the management domain name is specified or learned you cannot create or modify VLANs on a VTP server and VLAN information is not propagated over the network If the switch receive...

Page 413: ...the domain that is in server mode In VTP versions 1 and 2 in VTP client mode VLAN configurations are not saved in NVRAM In VTP version 3 VLAN configurations are saved in NVRAM in client mode VTP transparent VTP transparent switches do not participate in VTP A VTP transparent switch does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertise...

Page 414: ...for each configured VLAN VLAN IDs ISL and IEEE 802 1Q VLAN name VLAN type VLAN state Additional VLAN configuration information specific to the VLAN type In VTP version 3 VTP advertisements also include the primary server ID an instance number and a start index VTP Version 2 If you use VTP in your network you must decide which version of VTP to use By default VTP operates in version 1 VTP version 2...

Page 415: ...rved and cannot be modified Private VLAN support Support for any database in a domain In addition to propagating VTP information version 3 can propagate Multiple Spanning Tree MST protocol database information A separate instance of the VTP protocol runs for each application that uses VTP VTP primary server and VTP secondary servers A VTP primary server updates the database information and sends u...

Page 416: ...Ns on trunk ports that are included in the pruning eligible list Only VLANs included in the pruning eligible list can be pruned By default VLANs 2 through 1001 are pruning eligible switch trunk ports If the VLANs are configured as pruning ineligible the flooding continues VTP pruning is supported in all VTP versions Figure 14 1 shows a switched network without VTP pruning enabled Port 1 on Switch ...

Page 417: ...le VLAN 1 and VLANs 1002 to 1005 are always pruning ineligible traffic from these VLANs cannot be pruned Extended range VLANs VLAN IDs higher than 1005 are also pruning ineligible VTP pruning is not designed to function in VTP transparent mode If one or more switches in the network are in VTP transparent mode you should do one of these Turn off VTP pruning in the entire network Turn off VTP prunin...

Page 418: ...onfigure the persistent MAC address feature by entering the stack mac persistent timer 0 time value global configuration command when the new master is elected it sends a takeover message with the new master MAC address as the primary server If persistent MAC address is configured the new master waits for the configured stack mac persistent timer value If the previous master switch does not rejoin...

Page 419: ...e VLAN database matches that in the startup configuration file the VLAN database is ignored cleared and the VTP and VLAN configurations in the startup configuration file are used The VLAN database revision number remains unchanged in the VLAN database If the VTP mode or domain name in the startup configuration do not match the VLAN database the domain name and VTP mode and configuration for the fi...

Page 420: ...unning VTP version 1 if version 2 is disabled on the version 2 capable switch version 2 is disabled by default If a switch running VTP version 1 but capable of running VTP version 2 receives VTP version 3 advertisements it automatically moves to VTP version 2 If a switch running VTP version 3 is connected to a switch running VTP version 1 the VTP version 1 switch moves to VTP version 2 and the VTP...

Page 421: ...ches in the domain For more information see the Configuring VLAN Trunks section on page 13 15 In VTP versions 1 and 2 when you configure extended range VLANs on the switch the switch must be in VTP transparent mode VTP version 3 also supports creating extended range VLANs in client or server mode VTP does not support private VLANs VTP version 3 does support private VLANs If you configure private V...

Page 422: ... resets the VTP configuration to the default To keep the VTP configuration with VTP client mode after the switch restarts you must first configure the VTP domain name before the VTP mode Caution If all switches are operating in VTP client mode do not configure a VTP domain name If you do it is impossible to make changes to the VLAN configuration of that domain Therefore make sure you configure at ...

Page 423: ...racters If you configure a VTP password the VTP domain does not function properly if you do not assign the same password to each switch in the domain See the Configuring a VTP Version 3 Password section on page 14 13 for options available with VTP version 3 Step 5 end Return to privileged EXEC mode Step 6 show vtp status Verify your entries in the VTP Operating Mode and the VTP Domain Name fields ...

Page 424: ... vlan Enter VTP password mypassword This switch is becoming Primary server for vlan feature in the VTP domain VTP Database Conf Switch ID Primary Server Revision System Name VLANDB Yes 00d0 00b8 1400 00d0 00b8 1400 1 stp7 Do you want to continue y n n y Step 4 show vtp password Verify your entries Step 5 copy running config startup config Optional Save the configuration in the startup configuratio...

Page 425: ...n 2 In TrCRF and TrBRF Token ring environments you must enable VTP version 2 or VTP version 3 for Token Ring VLAN switching to function properly For Token Ring and Token Ring Net media disable VTP version 2 must be disabled VTP version 3 is supported on switches running Cisco IOS Release 12 2 52 SE or later Caution In VTP version 3 both the primary and secondary servers can exist on an instance in...

Page 426: ...runing eligible VLANs see the Changing the Pruning Eligible List section on page 13 22 Configuring VTP on a Per Port Basis With VTP version 3 you can enable or disable VTP on a per port basis You can enable VTP only on ports that are in trunk mode Incoming and outgoing VTP traffic are blocked not forwarded Beginning in privileged EXEC mode follow these steps to enable VTP on a port To disable VTP ...

Page 427: ... command to disable VTP on the switch and then to change its VLAN information without affecting the other switches in the VTP domain Command Purpose Step 1 show vtp status Check the VTP configuration revision number If the number is 0 add the switch to the VTP domain If the number is greater than 0 follow these steps a Write down the domain name b Write down the configuration revision number c Con...

Page 428: ...p counters Display counters about VTP messages that have been sent and received show vtp devices conflict Display information about all VTP version 3 devices in the domain Conflicts are VTP version 3 devices with conflicting primary servers The show vtp devices command does not display information when the switch is in transparent or off mode show vtp interface interface id Display VTP status and ...

Page 429: ...960 IP Phone the phone sends voice traffic with Layer 3 IP precedence and Layer 2 class of service CoS values which are both set to 5 by default Because the sound quality of an IP phone call can deteriorate if the data is unevenly sent the switch supports quality of service QoS based on IEEE 802 1p CoS QoS uses classification and scheduling to send network traffic from the switch in a predictable ...

Page 430: ...AN untagged no Layer 2 CoS priority value Note In all configurations the voice traffic carries a Layer 3 IP precedence value the default is 5 for voice traffic and 3 for voice control traffic Cisco IP Phone Data Traffic The switch can also process tagged data traffic traffic in IEEE 802 1Q or IEEE 802 1p frame types from the device attached to the access port on the Cisco IP Phone see Figure 15 1 ...

Page 431: ...figure a voice VLAN only on Layer 2 ports Note Voice VLAN is only supported on access ports and not on trunk ports even though the configuration is allowed The voice VLAN should be present and active on the switch for the IP phone to correctly communicate on the voice VLAN Use the show vlan privileged EXEC command to see if the VLAN is present listed in the display If the VLAN is not listed see Ch...

Page 432: ... more information Note If you enable IEEE 802 1x on an access port on which a voice VLAN is configured and to which a Cisco IP Phone is connected the phone loses connectivity to the switch for up to 30 seconds Protected port See the Configuring Protected Ports section on page 26 6 for more information A source or destination port for a SPAN or RSPAN session Secure port See the Configuring Port Sec...

Page 433: ...re configuring the port trust state you must first globally enable QoS by using the mls qos global configuration command Step 4 switchport voice detect cisco phone full duplex vlan vlan id dot1p none untagged Configure how the Cisco IP Phone carries voice traffic detect Configure the interface to detect and recognize a Cisco IP phone cisco phone When you initially implement the switchport voice de...

Page 434: ...ll duplex Cisco IP Phone Switch config if switchport voice detect cisco phone full duplex full duplex full duplex keyword Switch config if end This example shows how to disable switchport voice detect on a Cisco IP Phone Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config interface gigabitethernet 1 0 1 Switch config if no switchport voice detect cisco...

Page 435: ...Displaying Voice VLAN To display voice VLAN configuration for an interface use the show interfaces interface id switchport privileged EXEC command Step 3 switchport priority extend cos value trust Set the priority of data traffic received from the Cisco IP Phone access port cos value Configure the phone to override the priority received from the PC or the attached device with the specified CoS val...

Page 436: ...15 8 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 12247 04 Chapter 15 Configuring Voice VLAN Displaying Voice VLAN ...

Page 437: ... addresses two problems that service providers face when using VLANs Scalability The switch supports up to 1005 active VLANs If a service provider assigns one VLAN per customer this limits the numbers of customers the service provider can support To enable IP routing each VLAN is assigned a subnet address space or a block of addresses which can result in wasting the unused IP addresses and cause I...

Page 438: ...d with the primary VLAN Isolated An isolated port is a host port that belongs to an isolated secondary VLAN It has complete Layer 2 separation from other ports within the same private VLAN except for the promiscuous ports Private VLANs block all traffic to isolated ports except traffic from promiscuous ports Traffic received from an isolated port is forwarded only to promiscuous ports Community A ...

Page 439: ...nicate outside the private VLAN You can use private VLANs to control access to end stations in these ways Configure selected interfaces connected to end stations as isolated ports to prevent any communication at Layer 2 For example if the end stations are servers this configuration prevents Layer 2 communication between the servers Configure interfaces connected to default gateways and selected en...

Page 440: ...e switches in the network the Layer 2 databases in these switches are not merged This can result in unnecessary flooding of private VLAN traffic on those switches Note When configuring private VLANs on the switch always use the default Switch Database Management SDM template to balance system resources between unicast routes and Layer 2 entries If another SDM template is configured use the sdm pre...

Page 441: ...irtual interface SVI represents the Layer 3 interface of a VLAN Layer 3 devices communicate with a private VLAN only through the primary VLAN and not through secondary VLANs Configure Layer 3 VLAN interfaces SVIs only for primary VLANs You cannot configure Layer 3 VLAN interfaces for secondary VLANs SVIs for secondary VLANs are inactive while the VLAN is configured as a secondary VLAN If you try t...

Page 442: ...e page 16 14 Tasks for Configuring Private VLANs To configure a private VLAN perform these steps Step 1 Set VTP mode to transparent Step 2 Create the primary and secondary VLANs and associate them See the Configuring and Associating VLANs in a Private VLAN section on page 16 10 Note If the VLAN is not created already the private VLAN configuration process creates it Step 3 Configure interfaces to ...

Page 443: ...ANs on each device where you want private VLAN ports unless the devices are running VTP version 3 You cannot configure VLAN 1 or VLANs 1002 to 1005 as primary or secondary VLANs Extended VLANs VLAN IDs 1006 to 4094 can belong to private VLANs A primary VLAN can have one isolated VLAN and multiple community VLANs associated with it An isolated or community VLAN can have only one primary VLAN associ...

Page 444: ...hough private VLANs provide host isolation at Layer 2 hosts can communicate with each other at Layer 3 Private VLANs support these Switched Port Analyzer SPAN features You can configure a private VLAN port as a SPAN source port You can use VLAN based SPAN VSPAN on primary isolated and community VLANs or use SPAN on only one VLAN to separately monitor egress or ingress traffic Private VLAN Port Con...

Page 445: ...Web Cache Communication Protocol WCCP You can configure IEEE 802 1x port based authentication on a private VLAN port but do not configure 802 1x with port security voice VLAN or per user ACL on private VLAN ports A private VLAN host or promiscuous port cannot be a SPAN destination port If you configure a SPAN destination port as a private VLAN port the port becomes inactive If you configure a stat...

Page 446: ...is 2 to 1001 and 1006 to 4094 Step 7 private vlan isolated Designate the VLAN as an isolated VLAN Step 8 exit Return to global configuration mode Step 9 vlan vlan id Optional Enter VLAN configuration mode and designate or create a VLAN that will be a community VLAN The VLAN ID range is 2 to 1001 and 1006 to 4094 Step 10 private vlan community Designate the VLAN as a community VLAN Step 11 exit Ret...

Page 447: ...s community VLANs to associate them in a private VLAN and to verify the configuration Switch configure terminal Switch config vlan 20 Switch config vlan private vlan primary Switch config vlan exit Switch config vlan 501 Switch config vlan private vlan isolated Switch config vlan exit Switch config vlan 502 Switch config vlan private vlan community Switch config vlan exit Switch config vlan 503 Sw...

Page 448: ...ss Mode VLAN 1 default Trunking Native Mode VLAN 1 default Administrative Native VLAN tagging enabled Voice VLAN none Administrative private vlan host association 20 501 Administrative private vlan mapping none Administrative private vlan trunk native VLAN none Administrative private vlan trunk Native VLAN tagging enabled Administrative private vlan trunk encapsulation dot1q Administrative private...

Page 449: ...onfigure an interface as a private VLAN promiscuous port and map it to a private VLAN The interface is a member of primary VLAN 20 and secondary VLANs 501 to 503 are mapped to it Switch configure terminal Switch config interface gigabitethernet1 0 2 Switch config if switchport mode private vlan promiscuous Switch config if switchport private vlan mapping 20 add 501 503 Switch config if end Use the...

Page 450: ...condary_vlan_list to map the secondary VLANs to the primary VLAN Use the remove keyword with a secondary_vlan_list to clear the mapping between secondary VLANs and the primary VLAN This example shows how to map the interfaces of VLANs 501and 502 to primary VLAN 10 which permits routing of secondary VLAN ingress traffic from private VLANs 501 to 502 Switch configure terminal Switch config interface...

Page 451: ...an private vlan Primary Secondary Type Ports 10 501 isolated Gi2 0 1 Gi3 0 1 Gi3 0 2 10 502 community Gi2 0 11 Gi3 0 1 Gi3 0 4 10 503 non operational Table 16 1 Private VLAN Monitoring Commands Command Purpose show interfaces status Displays the status of interfaces including the VLANs to which they belongs show vlan private vlan type Display the private VLAN information for the switch show interf...

Page 452: ...16 16 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 12247 04 Chapter 16 Configuring Private VLANs Monitoring Private VLANs ...

Page 453: ... page 17 7 Configuring Layer 2 Protocol Tunneling page 17 10 Monitoring and Maintaining Tunneling Status page 17 18 Understanding IEEE 802 1Q Tunneling Business customers of service providers often have specific requirements for VLAN IDs and the number of VLANs to be supported The VLAN ranges required by different customers in the same service provider network might overlap and traffic of customer...

Page 454: ...ts remain intact inside the switch and when they exit the trunk port into the service provider network they are encapsulated with another layer of an IEEE 802 1Q tag called the metro tag that contains the VLAN ID that is unique to the customer The original customer IEEE 802 1Q tag is preserved in the encapsulated packet Therefore packets entering the service provider network are double tagged with...

Page 455: ...VLAN numbering space used by other customers and the VLAN numbering space used by the service provider network At the outbound tunnel port the original VLAN numbers on the customer s network are recovered It is possible to have multiple levels of tunneling and tagging but the switch supports only one level in this release If traffic coming from a customer network is not tagged native VLAN frames t...

Page 456: ...smission units MTUs are explained in these next sections Native VLANs When configuring IEEE 802 1Q tunneling on an edge switch you must use IEEE 802 1Q trunk ports for sending packets into the service provider network However packets going through the core of the service provider network can be carried through IEEE 802 1Q trunks ISL trunks or nontrunking links When IEEE 802 1Q trunks are used in t...

Page 457: ...for traffic on the switch is 1500 bytes You can configure 10 Gigabit and Gigabit Ethernet ports to support frames larger than 1500 bytes by using the system mtu jumbo global configuration command The system jumbo MTU values do not include the IEEE 802 1Q header Because the IEEE 802 1Q tunneling feature increases the frame size by 4 bytes when the metro tag is added you must configure all switches ...

Page 458: ... groups are compatible with tunnel ports as long as the IEEE 802 1Q configuration is consistent within an EtherChannel port group Port Aggregation Protocol PAgP Link Aggregation Control Protocol LACP and UniDirectional Link Detection UDLD are supported on IEEE 802 1Q tunnel ports Dynamic Trunking Protocol DTP is not compatible with IEEE 802 1Q tunneling because you must manually configure asymmetr...

Page 459: ... scale their topologies to include all remote sites as well as the local sites STP must run properly and every VLAN should build a proper spanning tree that includes the local site and all remote sites across the service provider network Cisco Discovery Protocol CDP must discover neighboring Cisco devices from local and remote sites VLAN Trunking Protocol VTP must provide consistent VLAN configura...

Page 460: ...l tunneling is enabled on the trunk port the encapsulated tunnel MAC address is removed and the protocol packets have their normal MAC address Layer 2 protocol tunneling can be used independently or can enhance IEEE 802 1Q tunneling If protocol tunneling is not enabled on IEEE 802 1Q tunneling ports remote switches at the receiving end of the service provider network do not receive the PDUs and ca...

Page 461: ...tion of EtherChannels by emulating a point to point network topology When you enable protocol tunneling PAgP or LACP on the SP switch remote customer switches receive the PDUs and can negotiate the automatic creation of EtherChannels Customer X Site 2 VLANs 1 to 100 Customer Y Site 2 VLANs 1 to 200 Customer Y Site 1 VLANs 1 to 200 Customer X Site 1 VLANs 1 to 100 VLAN 30 Trunk ports Switch A Trunk...

Page 462: ... switchport mode dynamic desirable The switch supports Layer 2 protocol tunneling for CDP STP and VTP For emulated point to point network topologies it also supports PAgP LACP and UDLD protocols The switch does not support Layer 2 protocol tunneling for LLDP Caution PAgP LACP and UDLD protocol tunneling is only intended to emulate a point to point topology An erroneous configuration that sends tun...

Page 463: ...r 2 protocol tunneling configuration is distributed among all stack members Each stack member that receives an ingress packet on a local port encapsulates or decapsulates the packet and forwards it to the appropriate destination port On a single switch ingress Layer 2 protocol tunneled traffic is sent across all local ports in the same VLAN on which Layer 2 protocol tunneling is enabled In a stack...

Page 464: ...ts or on access ports If you enable PAgP or LACP tunneling we recommend that you also enable UDLD on the interface for faster link failure detection Loopback detection is not supported on Layer 2 protocol tunneling of PAgP LACP or UDLD packets EtherChannel port groups are compatible with tunnel ports when the IEEE 802 1Q configuration is consistent within an EtherChannel port group If an encapsula...

Page 465: ...ol types The range is 1 to 4096 The default is to have no threshold configured Note If you also set a drop threshold on this interface the shutdown threshold value must be greater than or equal to the drop threshold value Step 6 l2protocol tunnel drop threshold cdp stp vtp value Optional Configure the threshold for packets per second accepted for encapsulation The interface drops packets if the co...

Page 466: ...Decapsulation Drop Threshold Threshold Counter Counter Counter Gi1 0 11 cdp 1500 1000 2288 2282 0 stp 1500 1000 116 13 0 vtp 1500 1000 3 67 0 pagp 0 0 0 lacp 0 0 0 udld 0 0 0 Configuring Layer 2 Tunneling for EtherChannels To configure Layer 2 point to point tunneling to facilitate the automatic creation of EtherChannels you need to configure both the SP edge switch and the customer switch Configu...

Page 467: ...dld value Optional Configure the threshold for packets per second accepted for encapsulation The interface drops packets if the configured threshold is exceeded If no protocol option is specified the threshold applies to each of the tunneled Layer 2 protocol types The range is 1 to 4096 The default is to have no threshold configured Note If you also set a shutdown threshold on this interface the d...

Page 468: ...point udld Switch config if l2protocol tunnel drop threshold point to point pagp 1000 Switch config if exit Switch config interface gigabitethernet1 0 2 Switch config if switchport access vlan 18 Switch config if switchport mode dot1q tunnel Switch config if l2protocol tunnel point to point pagp Switch config if l2protocol tunnel point to point udld Command Purpose Step 1 configure terminal Enter ...

Page 469: ...witchport trunk encapsulation isl Switch config if switchport mode trunk This example shows how to configure the customer switch at Site 1 Fast Ethernet interfaces 1 2 3 and 4 are set for IEEE 802 1Q trunking UDLD is enabled EtherChannel group 1 is enabled and the port channel is shut down and then enabled to activate the EtherChannel configuration Switch config interface gigabitethernet1 0 1 Swit...

Page 470: ...rpose clear l2protocol tunnel counters Clear the protocol counters on Layer 2 protocol tunneling ports show dot1q tunnel Display IEEE 802 1Q tunnel ports on the switch show dot1q tunnel interface interface id Verify if a specific interface is a tunnel port show l2protocol tunnel Display information about Layer 2 protocol tunneling ports show errdisable recovery Verify if the recovery timer from a ...

Page 471: ... see Chapter 19 Configuring MSTP For information about other spanning tree features such as Port Fast UplinkFast root guard and so forth see Chapter 20 Configuring Optional Spanning Tree Features Note For complete syntax and usage information for the commands used in this chapter see the command reference for this release This chapter consists of these sections Understanding Spanning Tree Features...

Page 472: ... topology Designated A forwarding port elected for every switched LAN segment Alternate A blocked port providing an alternate path to the root bridge in the spanning tree Backup A blocked port in a loopback configuration The switch that has all of its ports as the designated role or as the backup role is the root switch The switch that has at least one of its ports in the designated role is called...

Page 473: ...to all attached LANs for which it is the designated switch If a switch receives a configuration BPDU that contains inferior information to that currently stored for that port it discards the BPDU If the switch is a designated switch for the LAN from which the inferior BPDU was received it sends that LAN a BPDU containing the up to date information stored for that port In this way inferior informat...

Page 474: ...1 Spanning Tree Port States in a Switch Stack All paths that are not needed to reach the root switch from anywhere in the switched network are placed in the spanning tree blocking mode Bridge ID Switch Priority and Extended System ID The IEEE 802 1D standard requires that each switch has an unique bridge identifier bridge ID which controls the selection of the root switch Because each VLAN is cons...

Page 475: ...ction on page 18 16 the Configuring a Secondary Root Switch section on page 18 18 and the Configuring the Switch Priority of a VLAN section on page 18 21 Spanning Tree Interface States Propagation delays can occur when protocol information passes through a switched LAN As a result topology changes can take place at different times and at different places in a switched network When an interface tra...

Page 476: ...state and resets the forward delay timer 3 In the learning state the interface continues to block frame forwarding as the switch learns end station location information for the forwarding database 4 When the forward delay timer expires spanning tree moves the interface to the forwarding state where both learning and frame forwarding are enabled Blocking State A Layer 2 interface in the blocking st...

Page 477: ...s the learning state from the listening state An interface in the learning state performs these functions Discards frames received on the interface Discards frames switched from another interface for forwarding Learns addresses Receives BPDUs Forwarding State A Layer 2 interface in the forwarding state forwards frames The interface enters the forwarding state from the learning state An interface i...

Page 478: ...d stations in a switched network might not be ideal For instance connecting higher speed links to an interface that has a higher number than the root port can cause a root port change The goal is to make the fastest link the root port For example assume that one port on Switch B is a Gigabit Ethernet link and that another port on Switch B a 10 100 link is the root port Network traffic might be mor...

Page 479: ... the switch or each switch in the stack forwards those packets as unknown multicast addresses Accelerated Aging to Retain Connectivity The default for aging dynamic addresses is 5 minutes the default setting of the mac address table aging time global configuration command However a spanning tree reconfiguration can cause many station locations to change Because these stations could be unreachable ...

Page 480: ...me configuration as PVST except where noted and the switch needs only minimal extra configuration The benefit of rapid PVST is that you can migrate a large PVST install base to rapid PVST without having to learn the complexities of the MSTP configuration and without having to reprovision your network In rapid PVST mode each VLAN runs its own spanning tree instance up to the maximum supported MSTP ...

Page 481: ...anning tree instance for each VLAN allowed on the trunks When you connect a Cisco switch to a non Cisco device through an IEEE 802 1Q trunk the Cisco switch uses PVST to provide spanning tree interoperability If rapid PVST is enabled the switch uses it instead of PVST The switch combines the spanning tree instance of the IEEE 802 1Q VLAN of the trunk with the spanning tree instance of the non Cisc...

Page 482: ...vergence occurs within the stack and possibly outside the stack The remaining stack member with the lowest stack port ID becomes the stack root If the stack master fails or leaves the stack the stack members elect a new stack master and all stack members change their bridge IDs of the spanning trees to the new master bridge ID If the switch stack is the spanning tree root and the stack master fail...

Page 483: ...es of spanning tree are already in use you can disable spanning tree on one of the VLANs and then enable it on the VLAN where you want it to run Use the no spanning tree vlan vlan id global configuration command to disable spanning tree on a specific VLAN and use the spanning tree vlan vlan id global configuration command to enable spanning tree on the desired VLAN Table 18 3 Default Spanning Tree...

Page 484: ...ly if there are several adjacent switches that have all run out of spanning tree instances You can prevent this possibility by setting up allowed lists on the trunk ports of switches that have used up their allocation of spanning tree instances Setting up allowed lists is not necessary in many cases and can make it more labor intensive to add another VLAN to the network Spanning tree commands cont...

Page 485: ...STP Select rapid pvst to enable rapid PVST Step 3 interface interface id Recommended for rapid PVST mode only Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports VLANs and port channels The VLAN ID range is 1 to 4094 The port channel range is 1 to 64 Step 4 spanning tree link type point to point Recommended for rapid PVST mode only Speci...

Page 486: ...he switch priority from the default value 32768 to a significantly lower value When you enter this command the software checks the switch priority of the root switches for each VLAN Because of the extended system ID support the switch sets its own priority for the specified VLAN to 24576 if this value will cause this switch to become the root for the specified VLAN If any root switch for the speci...

Page 487: ...forward time and the spanning tree vlan vlan id max age global configuration commands Beginning in privileged EXEC mode follow these steps to configure a switch to become the root for the specified VLAN This procedure is optional To return to the default setting use the no spanning tree vlan vlan id root global configuration command Command Purpose Step 1 configure terminal Enter global configurat...

Page 488: ... the forwarding state You can assign higher priority values lower numerical values to interfaces that you want selected first and lower priority values higher numerical values that you want selected last If all interfaces have the same priority value spanning tree puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces Command Purpose Step 1 conf...

Page 489: ...figuration mode Step 2 interface interface id Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports and port channel logical interfaces port channel port channel number Step 3 spanning tree port priority priority Configure the port priority for an interface For priority the range is 0 to 240 in increments of 16 the default is 128 Valid val...

Page 490: ...onfiguration mode Step 2 interface interface id Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports and port channel logical interfaces port channel port channel number Step 3 spanning tree cost cost Configure the cost for an interface If a loop occurs spanning tree uses the path cost when selecting an interface to place into the forward...

Page 491: ...t primary and the spanning tree vlan vlan id root secondary global configuration commands to modify the switch priority Beginning in privileged EXEC mode follow these steps to configure the switch priority of a VLAN This procedure is optional To return to the default setting use the no spanning tree vlan vlan id priority global configuration command Command Purpose Step 1 configure terminal Enter ...

Page 492: ...Tree Timers Variable Description Hello timer Controls how often the switch broadcasts hello messages to other switches Forward delay timer Controls how long each of the listening and learning states last before the interface begins forwarding Maximum age timer Controls the amount of time the switch stores protocol information received on an interface Transmit hold count Controls the number of BPDU...

Page 493: ... and listening states to the forwarding state For vlan id you can specify a single VLAN identified by VLAN ID number a range of VLANs separated by a hyphen or a series of VLANs separated by a comma The range is 1 to 4094 For seconds the range is 4 to 30 the default is 15 Step 3 end Return to privileged EXEC mode Step 4 show spanning tree vlan vlan id Verify your entries Step 5 copy running config ...

Page 494: ...ters by using the clear spanning tree interface interface id privileged EXEC command For information about other keywords for the show spanning tree privileged EXEC command see the command reference for this release Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree transmit hold count value Configure the number of BPDUs that can be sent before pausing f...

Page 495: ...des rapid convergence of the spanning tree through explicit handshaking that eliminates the IEEE 802 1D forwarding delay and quickly transitions root ports and designated ports to the forwarding state Both MSTP and RSTP improve the spanning tree operation and maintain backward compatibility with equipment that is based on the original IEEE 802 1D spanning tree with existing Cisco proprietary Multi...

Page 496: ...ion controls to which MST region each switch belongs The configuration includes the name of the region the revision number and the MST VLAN to instance assignment map You configure the switch for a region by using the spanning tree mst configuration global configuration command after which the switch enters the MST configuration mode From this mode you can map VLANs to an MST instance by using the...

Page 497: ...rations Within an MST Region The IST connects all the MSTP switches in a region When the IST converges the root of the IST becomes the CIST regional root called the IST master before the implementation of the IEEE 802 1s standard as shown in Figure 19 1 on page 19 4 It is the switch within the region with the lowest switch ID and path cost to the CIST root The CIST regional root is also the CIST r...

Page 498: ...ons Figure 19 1 MST Regions CIST Masters and CST Root Only the CST instance sends and receives BPDUs and MST instances add their spanning tree information into the BPDUs to interact with neighboring switches and compute the final spanning tree topology Because of this the spanning tree parameters related to BPDU transmission for example hello time forward time max age and max hops are configured o...

Page 499: ...nly relevant to the IST instance 0 Table 19 1 compares the IEEE standard and the Cisco prestandard terminology Hop Count The IST and MST instances do not use the message age and maximum age information in the configuration BPDU to compute the spanning tree topology Instead they use the path cost to the root and a hop count mechanism similar to the IP time to live TTL mechanism By using the spannin...

Page 500: ...al to a region to share a segment with a port belonging to a different region creating the possibility of receiving both internal and external messages on a port The primary change from the Cisco prestandard implementation is that a designated port is not defined as boundary unless it is running in an STP compatible mode Note If there is a legacy STP switch on the segment messages are always consi...

Page 501: ...een configured for prestandard BPDU transmission Figure 19 2 illustrates this scenario Assume that A is a standard switch and B a prestandard switch both configured to be in the same region A is the root switch for the CIST and thus B has a root port BX on segment X and an alternate port BY on segment Y If segment Y flaps and the port on BY becomes the alternate before sending out a single prestan...

Page 502: ...e occurs if the newly added switch contains a better root port for the switch stack or a better designated port for the LAN connected to the stack The newly added switch causes a topology change in the network if another switch connected to the newly added switch changes its root port or designated ports When a stack member leaves the stack spanning tree reconvergence occurs within the stack and p...

Page 503: ...onfiguration information see the Configuring MSTP Features section on page 19 14 Port Roles and the Active Topology The RSTP provides rapid convergence of the spanning tree by assigning port roles and by learning the active topology The RSTP builds upon the IEEE 802 1D STP to select the switch with the highest switch priority lowest numerical priority value as the root switch as described in the S...

Page 504: ...it blocks the old root port and immediately transitions the new root port to the forwarding state Point to point links If you connect a port to another port through a point to point link and the local port becomes a designated port it negotiates a rapid transition with the other port by using the proposal agreement handshake to ensure a loop free topology As shown in Figure 19 4 Switch A is connec...

Page 505: ...the default setting that is controlled by the duplex setting by using the spanning tree link type interface configuration command Figure 19 4 Proposal and Agreement Handshaking for Rapid Convergence Synchronization of Port Roles When the switch receives a proposal message on one of its ports and that port is selected as the new root port the RSTP forces all other ports to synchronize with the new ...

Page 506: ... Events During Rapid Convergence Bridge Protocol Data Unit Format and Processing The RSTP BPDU format is the same as the IEEE 802 1D BPDU format except that the protocol version is set to 2 A new 1 byte Version 1 Length field is set to zero which means that no version 1 protocol information is present Table 19 3 shows the RSTP flag fields 2 Block 9 Forward 1 Proposal 4 Agreement 6 Proposal Root po...

Page 507: ...the port to the blocking state but does not send the agreement message The designated port continues sending BPDUs with the proposal flag set until the forward delay timer expires at which time the port transitions to the forwarding state Processing Inferior BPDU Information If a designated port receives an inferior BPDU higher switch ID higher path cost and so forth than currently stored for the ...

Page 508: ...f the RSTP switch is using IEEE 802 1D BPDUs on a port and receives an RSTP BPDU after the timer has expired it restarts the timer and starts using RSTP BPDUs on that port Configuring MSTP Features These sections contain this configuration information Default MSTP Configuration page 19 14 MSTP Configuration Guidelines page 19 15 Specifying the MST Region Configuration and Enabling MSTP page 19 16 ...

Page 509: ... For example all VLANs run PVST all VLANs run rapid PVST or all VLANs run MSTP For more information see the Spanning Tree Interoperability and Backward Compatibility section on page 18 11 For information on the recommended trunk port configuration see the Interaction with Other Features section on page 13 19 All stack members run the same version of spanning tree all PVST rapid PVST or MSTP For mo...

Page 510: ...ve one member or multiple members with the same MST configuration each member must be capable of processing RSTP BPDUs There is no limit to the number of MST regions in a network but each region can only support up to 65 spanning tree instances You can assign a VLAN to only one spanning tree instance at a time Beginning in privileged EXEC mode follow these steps to specify the MST region configura...

Page 511: ...t Switch config Configuring the Root Switch The switch maintains a spanning tree instance for the group of VLANs mapped to it A switch ID consisting of the switch priority and the switch MAC address is associated with each instance For a group of VLANs the switch with the lowest switch ID becomes the root switch To configure a switch to become the root use the spanning tree mst instance id root gl...

Page 512: ...gence time You can use the hello keyword to override the automatically calculated hello time Note After configuring the switch as the root switch we recommend that you avoid manually configuring the hello time forward delay time and maximum age time through the spanning tree mst hello time spanning tree mst forward time and the spanning tree mst max age global configuration commands Beginning in p...

Page 513: ...warding state You can assign higher priority values lower numerical values to interfaces that you want selected first and lower priority values higher numerical values that you want selected last If all interfaces have the same priority value the MSTP puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces Command Purpose Step 1 configure termina...

Page 514: ... command to confirm the configuration To return the interface to its default setting use the no spanning tree mst instance id port priority interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports and port ch...

Page 515: ...panning tree mst instance id cost interface configuration command Configuring the Switch Priority You can configure the switch priority and make it more likely that a standalone switch or a switch in the stack will be chosen as the root switch Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify an interface to configure and enter interfac...

Page 516: ...al configuration mode Step 2 spanning tree mst instance id priority priority Configure the switch priority For instance id you can specify a single instance a range of instances separated by a hyphen or a series of instances separated by a comma The range is 0 to 4094 For priority the range is 0 to 61440 in increments of 4096 the default is 32768 The lower the number the more likely the switch wil...

Page 517: ...pose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree mst forward time seconds Configure the forward time for all MST instances The forward delay is the number of seconds a port waits before changing from its spanning tree learning and listening states to the forwarding state For seconds the range is 4 to 30 the default is 15 Step 3 end Return to privileged EXEC mode ...

Page 518: ...ed connection If you have a half duplex link physically connected point to point to a single port on a remote switch running MSTP you can override the default setting of the link type and enable rapid transitions to the forwarding state Beginning in privileged EXEC mode follow these steps to override the default link type setting This procedure is optional Command Purpose Step 1 configure terminal...

Page 519: ...t sends only IEEE 802 1D BPDUs on that port An MSTP switch also can detect that a port is at the boundary of a region when it receives a legacy BPDU an MST BPDU Version 3 associated with a different region or an RST BPDU Version 2 However the switch does not automatically revert to the MSTP mode if it no longer receives IEEE 802 1D BPDUs because it cannot detect whether the legacy switch has been ...

Page 520: ...se one or more of the privileged EXEC commands in Table 19 5 For information about other keywords for the show spanning tree privileged EXEC command see the command reference for this release Table 19 5 Commands for Displaying MST Status Command Purpose show spanning tree mst configuration Displays the MST region configuration show spanning tree mst configuration digest Displays the MD5 digest inc...

Page 521: ...nformation about the Multiple Spanning Tree Protocol MSTP and how to map multiple VLANs to the same spanning tree instance see Chapter 19 Configuring MSTP Note For complete syntax and usage information for the commands used in this chapter see the command reference for this release This chapter consists of these sections Understanding Optional Spanning Tree Features page 20 1 Configuring Optional ...

Page 522: ...ou risk creating a spanning tree loop You can enable this feature by using the spanning tree portfast interface configuration or the spanning tree portfast default global configuration command Figure 20 1 Port Fast Enabled Interfaces Understanding BPDU Guard The BPDU guard feature can be globally enabled on the switch or can be enabled per port but the feature operates with some differences At the...

Page 523: ... This command prevents interfaces that are in a Port Fast operational state from sending or receiving BPDUs The interfaces still send a few BPDUs at link up before the switch begins to filter outbound BPDUs You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs If a BPDU is received on a Port Fast enabled interface the interface loses...

Page 524: ... this parameter is 150 packets per second However if you enter zero station learning frames are not generated so the spanning tree topology converges more slowly after a loss of connectivity Note UplinkFast is most useful in wiring closet switches at the access or edge of the network It is not appropriate for backbone devices This feature might not be useful for other types of applications UplinkF...

Page 525: ...stack UplinkFast CSUF provides a fast spanning tree transition fast convergence in less than 1 second under normal network conditions across a switch stack During the fast transition an alternate redundant link on the switch stack is placed in the forwarding state without causing temporary spanning tree loops or loss of connectivity to the backbone With this feature you can have a redundant and re...

Page 526: ...ternate stack root port on Switch 2 or Switch 3 and puts it into the forwarding state in less than 1 second Figure 20 5 Cross Stack UplinkFast Topology When certain link loss or spanning tree events occur described in the Events that Cause Fast Convergence section on page 20 7 the Fast Uplink Transition Protocol uses the neighbor list to send fast transition requests to stack members The switch se...

Page 527: ...ons occurs under these circumstances The stack root port link fails If two switches in the stack have alternate paths to the root only one of the switches performs the fast transition The failed link which connects the stack root to the spanning tree root recovers A network reconfiguration causes a new stack root switch to be selected A network reconfiguration causes a new port on the current stac...

Page 528: ...rnate paths to send a root link query RLQ request The stacking capable switch sends the RLQ request on all alternate paths to learn if any stack member has an alternate root to the root switch and waits for an RLQ reply from other switches in the network and in the stack The nonstacking capable switch sends the RLQ request on all alternate paths and waits for an RLQ reply from other switches in th...

Page 529: ...he forwarding state providing a path from Switch B to Switch A The root switch election takes approximately 30 seconds twice the Forward Delay time if the default Forward Delay time of 15 seconds is set Figure 20 7 shows how BackboneFast reconfigures the topology to account for the failure of link L1 Figure 20 7 BackboneFast Example After Indirect Link Failure If a new switch is introduced into a ...

Page 530: ...s shown in Figure 20 9 You can avoid this situation by enabling root guard on data center switch interfaces that connect to switches in your customer s network If spanning tree calculations cause an interface in the customer network to be selected as the root port root guard then places the interface in the root inconsistent blocked state to prevent the customer s switch from becoming the root swi...

Page 531: ... becoming designated ports and spanning tree does not send BPDUs on root or alternate ports When the switch is operating in MST mode BPDUs are not sent on nonboundary ports only if the interface is blocked by loop guard in all MST instances On a boundary port loop guard blocks the interface in all MST instances Configuring Optional Spanning Tree Features These sections contain this configuration i...

Page 532: ...e delay Caution Use Port Fast only when connecting a single end station to an access or trunk port Enabling this feature on an interface connected to a switch or hub could prevent spanning tree from detecting and disabling loops in your network which could cause broadcast storms and address learning problems If you enable the voice VLAN feature the Port Fast feature is automatically enabled When y...

Page 533: ...pens the switch shuts down the entire port on which the violation occurred To prevent the port from shutting down you can use the errdisable detect cause bpduguard shutdown vlan global configuration command to shut down just the offending VLAN on the port where the violation occurred Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify an ...

Page 534: ...ning tree portfast bpduguard default global configuration command by using the spanning tree bpduguard enable interface configuration command Enabling BPDU Filtering When you globally enable BPDU filtering on Port Fast enabled interfaces it prevents interfaces that are in a Port Fast operational state from sending or receiving BPDUs The interfaces still send a few BPDUs at link up before the switc...

Page 535: ...le interface configuration command Enabling UplinkFast for Use with Redundant Links UplinkFast cannot be enabled on VLANs that have been configured with a switch priority To enable UplinkFast on a VLAN with switch priority configured first restore the switch priority on the VLAN to the default value by using the no spanning tree vlan vlan id priority global configuration command Note When you enab...

Page 536: ... no spanning tree uplinkfast command Enabling Cross Stack UplinkFast When you enable or disable the UplinkFast feature by using the spanning tree uplinkfast global configuration command CSUF is automatically globally enabled or disabled on nonstack port interfaces For more information see the Enabling UplinkFast for Use with Redundant Links section on page 20 15 To disable UplinkFast on the switch...

Page 537: ...able the EtherChannel guard feature use the no spanning tree etherchannel guard misconfig global configuration command You can use the show interfaces status err disabled privileged EXEC command to show which switch ports are disabled because of an EtherChannel misconfiguration On the remote device you can enter the show etherchannel summary privileged EXEC command to verify the EtherChannel confi...

Page 538: ...g Loop Guard You can use loop guard to prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link This feature is most effective when it is configured on the entire switched network Loop guard operates only on interfaces that are considered point to point by the spanning tree Note You cannot enable both loop guard and root guard at the s...

Page 539: ... show spanning tree privileged EXEC command see the command reference for this release Step 3 spanning tree loopguard default Enable loop guard By default loop guard is disabled Step 4 end Return to privileged EXEC mode Step 5 show running config Verify your entries Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Table 20 2 Commands fo...

Page 540: ...20 20 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 12247 04 Chapter 20 Configuring Optional Spanning Tree Features Displaying the Spanning Tree Status ...

Page 541: ...e for this release The chapter consists of these sections Understanding Flex Links and the MAC Address Table Move Update page 21 1 Configuring Flex Links and MAC Address Table Move Update page 21 7 Monitoring Flex Links and the MAC Address Table Move Update Information page 21 14 Understanding Flex Links and the MAC Address Table Move Update This section contains this information Flex Links page 2...

Page 542: ...omes up and starts forwarding traffic to switch C When port 1 comes back up it goes into standby mode and does not forward traffic port 2 continues forwarding traffic You can also choose to configure a preemption mechanism specifying the preferred port for forwarding traffic For example in the example in Figure 21 1 you can configure the Flex Links pair with preemption mode In the scenario shown w...

Page 543: ...f traffic both Flex Link ports are learned as mrouter ports whenever either Flex Link port is learned as the mrouter port Both Flex Link ports are always part of multicast groups Though both Flex Link ports are part of the groups in normal operation mode all traffic on the backup port is blocked So the normal multicast data flow is not affected by the addition of the backup port as an mrouter port...

Page 544: ...up port which became the forwarding port Configuration Examples These are configuration examples for learning the other Flex Link port as the mrouter port when a Flex Link is configured on Gigabit Ethernet1 0 11 and Gigabit Ethernet1 0 12 with output for the show interfaces switchport backup command Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config i...

Page 545: ...itchport backup interface gigabitethernet 1 0 12 multicast fast convergence command This example shows enabling this feature Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config interface gigabitethernet 1 0 11 Switch config if switchport backup interface gigabitethernet 1 0 12 multicast fast convergence Switch config if exit Switch show interfaces swit...

Page 546: ... port 3 The MAC address of the PC has been learned on port 3 of switch C Traffic from the server to the PC is forwarded from port 3 to port 1 If the MAC address table move update feature is not configured and port 1 goes down port 2 starts forwarding traffic However for a short time switch C keeps forwarding traffic from the server to the PC through port 3 and the PC does not get the traffic becau...

Page 547: ...21 3 MAC Address Table Move Update Example Configuring Flex Links and MAC Address Table Move Update These sections contain this information Configuration Guidelines page 21 8 Default Configuration page 21 8 Configuring Flex Links page 21 9 Configuring VLAN Load Balancing on Flex Links page 21 11 Configuring the MAC Address Table Move Update Feature page 21 12 Switch C Port 3 Port 1 Port 2 Port 4 S...

Page 548: ...port channel as the active link However you should configure both Flex Links with similar characteristics so that there are no loops or changes in behavior if the standby link begins to forward traffic STP is disabled on Flex Link ports A Flex Link port does not participate in STP even if the VLANs present on the port are configured for STP When STP is not enabled be sure that there are no loops i...

Page 549: ...ep 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface and enter interface configuration mode The interface can be a physical Layer 2 interface or a port channel logical interface The port channel range is 1 to 64 Step 3 switchport backup interface interface id Configure a physical Layer 2 interface or port channel as part of a Flex Link pair wi...

Page 550: ...t backup detail Active Interface Backup Interface State GigabitEthernet1 0 1 GigabitEthernet1 0 2 Active Up Backup Standby Interface Pair Gi1 0 1 Gi1 0 2 Preemption Mode forced Preemption Delay 50 seconds Bandwidth 100000 Kbit Gi1 0 1 100000 Kbit Gi1 0 2 Mac Address Move Update Vlan auto Step 4 switchport backup interface interface id preemption mode forced bandwidth off Configure a preemption mec...

Page 551: ...ns Preferred on Backup Interface 60 100 120 When a Flex Link interface goes down LINK_DOWN VLANs preferred on this interface are moved to the peer interface of the Flex Link pair In this example if interface Gi2 0 6 goes down Gi2 0 8 carries all VLANs of the Flex Link pair Switch show interfaces switchport backup Switch Backup Interface Pairs Active Interface Backup Interface State GigabitEthernet...

Page 552: ...ackup Interface 3 4 Preemption Mode off Bandwidth 10000 Kbit Fa1 0 3 100000 Kbit Fa1 0 4 Mac Address Move Update Vlan auto Configuring the MAC Address Table Move Update Feature This section contains this information Configuring a switch to send MAC address table move updates Configuring a switch to get MAC address table move updates Beginning in privileged EXEC mode follow these steps to configure...

Page 553: ...x packets per min Rcv 40 Xmt 60 Rcv packet count 5 Rcv conforming packet count 5 Rcv invalid packet count 0 Rcv packet count this min 0 Rcv threshold exceed count 0 Rcv last sequence this min 0 Rcv last interface Po2 Rcv last src mac address 000b 462d c502 Rcv last switch ID 0403 fd6a 8700 Xmt packet count 0 Xmt packet count this min 0 Xmt threshold exceed count 0 Xmt pak buf unavail cnt 0 Xmt las...

Page 554: ...e Switch conf end Monitoring Flex Links and the MAC Address Table Move Update Information Table 21 1 shows the privileged EXEC commands for monitoring the Flex Links configuration and the MAC address table move update information Step 3 end Return to privileged EXEC mode Step 4 show mac address table move update Verify the configuration Step 5 copy running config startup config Optional Save your ...

Page 555: ...eatures page 22 1 Configuring DHCP Features page 22 8 Displaying DHCP Snooping Information page 22 16 Understanding IP Source Guard page 22 16 Configuring IP Source Guard page 22 18 Displaying IP Source Guard Information page 22 25 Understanding DHCP Server Port Based Address Allocation page 22 26 Configuring DHCP Server Port Based Address Allocation page 22 26 Displaying DHCP Server Port Based Ad...

Page 556: ...es network security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding database also referred to as a DHCP snooping binding table For more information about this database see the Displaying DHCP Snooping Information section on page 22 16 DHCP snooping acts like a firewall between untrusted hosts and DHCP servers You use DHCP snooping to differentiate betwe...

Page 557: ...ption 82 information when packets are received on an untrusted interface If DHCP snooping is enabled and packets are received on a trusted port the aggregation switch does not learn the DHCP snooping bindings for connected devices and cannot build a complete DHCP snooping binding database When an aggregation switch can be connected to an edge switch through an untrusted interface and you enter the...

Page 558: ...iguring these suboptions see the Enabling DHCP Snooping and Option 82 section on page 22 12 If the IP address of the relay agent is configured the switch adds this IP address in the DHCP packet The blade switch forwards the DHCP request that includes the option 82 field to the DHCP server The DHCP server receives the packet If the server is option 82 capable it can use the remote ID the circuit ID...

Page 559: ... when the default suboption configuration is used For the circuit ID suboption the module number corresponds to the switch number in the stack The switch uses the packet formats when you globally enable DHCP snooping and enter the ip dhcp snooping information option global configuration command Figure 22 2 Suboption Packet Formats Figure 22 3 shows the packet formats for user configured remote ID ...

Page 560: ...atic address bindings see the Configuring DHCP chapter of the Cisco IOS IP Configuration Guide Release 12 2 DHCP Snooping Binding Database When DHCP snooping is enabled the switch uses the DHCP snooping binding database to store information about untrusted interfaces The database can have up to 8192 bindings Each database entry binding has an IP address an associated MAC address the lease time in ...

Page 561: ...ry n checksum 1 2 n END Each entry in the file is tagged with a checksum value that the switch uses to verify the entries when it reads the file The initial checksum entry on the first line distinguishes entries associated with the latest file update from entries associated with a previous file update This is an example of a binding file 2bb4c2a1 TYPE DHCP SNOOPING VERSION 1 BEGIN 192 1 168 1 3 00...

Page 562: ...s page 22 9 Configuring the DHCP Server page 22 10 DHCP Server and Switch Stacks page 22 10 Configuring the DHCP Relay Agent page 22 11 Specifying the Packet Forwarding Address page 22 11 Enabling DHCP Snooping and Option 82 page 22 12 Enabling DHCP Snooping on Private VLANs page 22 14 Enabling the Cisco IOS DHCP Server Database page 22 14 Enabling the DHCP Snooping Binding Database Agent page 22 ...

Page 563: ...n configuring a large number of circuit IDs on a switch consider the impact of lengthy character strings on the NVRAM or the flash memory If the circuit ID configurations combined with other data exceed the capacity of the NVRAM or the flash memory an error message appears Before configuring the DHCP relay agent on your switch make sure to configure the device that is acting as the DHCP server For...

Page 564: ...and an untrusted device might spoof the option 82 information Starting with Cisco IOS Release 12 2 37 SE you can display DHCP snooping statistics by entering the show ip dhcp snooping statistics user EXEC command and you can clear the snooping statistics counters by entering the clear ip dhcp snooping statistics privileged EXEC command Do not enable Dynamic Host Configuration Protocol DHCP snoopin...

Page 565: ...are on the destination network segment Using the network address enables any DHCP server to respond to requests Beginning in privileged EXEC mode follow these steps to specify the packet forwarding address Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 service dhcp Enable the DHCP server and relay agent on your switch By default this feature is enabled Step 3 end ...

Page 566: ...ning config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip dhcp snooping Enable DHCP snooping globally Step 3 ip dhcp snooping vlan vlan range Enable DHCP snooping on a VLAN or range of VLANs The range is 1 to 4094 You can enter a single VLAN ID identified by VLAN ID number a se...

Page 567: ...he VLAN and port identifier using a VLAN ID in the range of 1 to 4094 The default circuit ID is the port identifier in the format vlan mod port You can configure the circuit ID to be a string of 3 to 63 ASCII characters no spaces Optional Use the override keyword when you do not want the circuit ID suboption inserted in TLV format to define subscriber information Step 9 ip dhcp snooping trust Opti...

Page 568: ...condary VLANs If DHCP snooping is already configured on the primary VLAN and you configure DHCP snooping with different settings on a secondary VLAN the configuration for the secondary VLAN does not take effect You must configure DHCP snooping on the primary VLAN If DHCP snooping is not configured on the primary VLAN this message appears when you are configuring DHCP snooping on the secondary VLAN...

Page 569: ...s flash number filename Optional Use the number parameter to specify the stack member number of the stack master The range for number is 1 to 9 ftp user password host filename http username password hostname host ip directory image name tar rcp user host filename tftp host filename Step 3 ip dhcp snooping database timeout seconds Specify in seconds how long to wait for the database transfer proces...

Page 570: ...CP packets allowed by DHCP snooping A port access control list ACL is applied to the interface The port ACL allows only IP traffic with a source IP address in the IP source binding table and denies all other traffic Note The port ACL takes precedence over any router ACLs or VLAN maps that affect the same interface The IP source binding table bindings are learned by DHCP snooping or are manually co...

Page 571: ...ther types of packets except DHCP packets The switch uses port security to filter source MAC addresses The interface can shut down when a port security violation occurs IP Source Guard for Static Hosts Note Do not use IPSG for static hosts on uplink ports or trunk ports IPSG for static hosts extends the IPSG capability to non DHCP and static environments The previous IPSG used the entries created ...

Page 572: ...P address bindings This feature can be used with DHCP snooping Multiple bindings are established on a port that is connected to both DHCP and static hosts For example bindings are stored in both the device tracking database as well as in the DHCP snooping binding database Configuring IP Source Guard Default IP Source Guard Configuration page 22 18 IP Source Guard Configuration Guidelines page 22 1...

Page 573: ...e removed from the binding table but they are not removed from the running configuration If you again provision the switch by entering the switch stack member number provision command the binding is restored To remove the binding from the running configuration you must disable IP source guard before entering the no switch provision command The configuration is also removed if the switch reloads wh...

Page 574: ... IP Source Guard for Static Hosts on a Private VLAN Host Port page 22 24 Configuring IP Source Guard for Static Hosts on a Layer 2 Access Port Note You must configure the ip device tracking maximum limit number interface configuration command globally for IPSG for static hosts to work If you only configure this command on a port without enabling IP device tracking globally or by setting an IP devi...

Page 575: ...lient is not assigned an IP address The MAC address in the DHCP packet is not learned as a secure address The MAC address of the DHCP client is learned as a secure address only when the switch receives non DHCP data traffic Step 7 ip device tracking maximum number Establish a maximum limit for the number of static IPs that the IP device tracking table allows on the port The range is 1to 10 The max...

Page 576: ...he number of bindings on this interface has reached the maximum Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config ip device tracking Switch config interface gigabitethernet1 0 3 Switch config if switchport mode access Switch config if switchport access vlan 1 Switch config if ip device tracking maximum 5 Switch config if switchport port security Swit...

Page 577: ...TE 200 1 1 1 0001 0600 0000 9 GigabitEthernet0 1 ACTIVE 200 1 1 2 0001 0600 0000 9 GigabitEthernet0 1 ACTIVE 200 1 1 3 0001 0600 0000 9 GigabitEthernet0 1 ACTIVE 200 1 1 4 0001 0600 0000 9 GigabitEthernet0 1 ACTIVE 200 1 1 5 0001 0600 0000 9 GigabitEthernet0 1 ACTIVE This example displays all inactive IP or MAC binding entries for all interfaces The host was first learned on GigabitEthernet 1 0 1 ...

Page 578: ... id2 Enter configuration VLAN mode for another VLAN Step 6 private vlan isolated Establish an isolated VLAN on a private VLAN port Step 7 exit Exit VLAN configuration mode Step 8 vlan vlan id1 Enter configuration VLAN mode Step 9 private vlan association 201 Associate the VLAN on an isolated private VLAN port Step 10 exit Exit VLAN configuration mode Step 11 interface fastEthernet interface id Ent...

Page 579: ...0304 200 GigabitEthernet1 0 3 ACTIVE 40 1 1 20 0000 0000 0305 200 GigabitEthernet1 0 3 ACTIVE 40 1 1 21 0000 0000 0306 200 GigabitEthernet1 0 3 ACTIVE 40 1 1 22 0000 0000 0307 200 GigabitEthernet1 0 3 ACTIVE 40 1 1 23 0000 0000 0308 200 GigabitEthernet1 0 3 ACTIVE The output shows the five valid IP MAC bindings that have been learned on the interface GigabitEthernet 1 0 3 For the private VLAN case...

Page 580: ...es in the DHCP messages received on that port The DHCP protocol recognizes DHCP clients by the client identifier option in the DHCP packet Clients that do not include the client identifier option are identified by the client hardware address When you configure this feature the port name of the interface overrides the client identifier or hardware address and the actual point of connection the swit...

Page 581: ... to clients To restrict assignments from the DHCP pool to preconfigured reservations you can enter the reserved only DHCP pool configuration command Unreserved addresses that are part of the network or on pool ranges are not offered to the client and other clients are not served by the pool By entering this command users can configure a group of switches with DHCP pools that share a common IP subn...

Page 582: ...nstead The subscriber identifier is based on the short name of the interface and the client preassigned IP address 10 1 1 7 switch show running config Building configuration Current configuration 4899 bytes version 12 2 hostname switch no aaa new model clock timezone EST 0 ip subnet zero ip dhcp relay information policy removal pad no ip dhcp use vrf connected ip dhcp use subscriber id client id i...

Page 583: ...ved address is currently in the pool Address Client 10 1 1 7 Et1 0 For more information about configuring the DHCP server port based address allocation feature go to Cisco com and enter Cisco IOS IP Addressing Services in the Search field to locate the Cisco IOS software documentation You can also locate the documentation at this URL http www cisco com en US docs ios ipaddr command reference iad_b...

Page 584: ...30 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 12247 04 Chapter 22 Configuring DHCP Features and IP Source Guard Displaying DHCP Server Port Based Address Allocation ...

Page 585: ... Inspection ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address For example Host B wants to send information to Host A but does not have the MAC address of Host A in its ARP cache Host B generates a broadcast message for all hosts within the broadcast domain to obtain the MAC address associated with the IP address of Host A All hosts within the...

Page 586: ...network It intercepts logs and discards ARP packets with invalid IP to MAC address bindings This capability protects the network from certain man in the middle attacks Dynamic ARP inspection ensures that only valid ARP requests and responses are relayed The switch performs these activities Intercepts all ARP requests and responses on untrusted ports Verifies that each of these intercepted packets ...

Page 587: ... given switch bypass the security check No other validation is needed at any other place in the VLAN or in the network You configure the trust setting by using the ip arp inspection trust interface configuration command Caution Use the trust state configuration carefully Configuring interfaces as untrusted when they should be trusted can result in a loss of connectivity In Figure 23 2 assume that ...

Page 588: ...ate limited to prevent a denial of service attack By default the rate for untrusted interfaces is 15 packets per second pps Trusted interfaces are not rate limited You can change this setting by using the ip arp inspection limit interface configuration command When the rate of incoming ARP packets exceeds the configured limit the switch places the port in the error disabled state The port remains ...

Page 589: ...onfiguring Dynamic ARP Inspection These sections contain this configuration information Default Dynamic ARP Inspection Configuration page 23 5 Dynamic ARP Inspection Configuration Guidelines page 23 6 Configuring Dynamic ARP Inspection in DHCP Environments page 23 7 required in DHCP environments Configuring ARP ACLs for Non DHCP Environments page 23 8 required in non DHCP environments Limiting the...

Page 590: ...hysical port remains suspended in the port channel A port channel inherits its trust state from the first physical port that joins the channel Consequently the trust state of the first physical port need not match the trust state of the channel Conversely when you change the trust state on the port channel the switch configures a new trust state on all the physical ports that comprise the channel ...

Page 591: ... shown in Figure 23 2 on page 23 3 Both switches are running dynamic ARP inspection on VLAN 1 where the hosts are located A DHCP server is connected to Switch A Both hosts acquire their IP addresses from the same DHCP server Therefore Switch A has the bindings for Host 1 and Host 2 and Switch B has the binding for Host 2 Note Dynamic ARP inspection depends on the entries in the DHCP snooping bindi...

Page 592: ...s of Host 2 is not static it is impossible to apply the ACL configuration on Switch A you must separate Switch A from Switch B at Layer 3 and use a router to route packets between them Step 5 ip arp inspection trust Configure the connection between the switches as trusted By default all interfaces are untrusted The switch does not check ARP packets that it receives from the other switch on the tru...

Page 593: ... more information see the Configuring the Log Buffer section on page 23 12 Step 4 exit Return to global configuration mode Step 5 ip arp inspection filter arp acl name vlan vlan range static Apply the ARP ACL to the VLAN By default no defined ARP ACLs are applied to any VLAN For arp acl name specify the name of the ACL created in Step 2 For vlan range specify the VLAN that the switches and hosts a...

Page 594: ...able error disabled recovery so that ports automatically emerge from this state after a specified timeout period Note Unless you configure a rate limit on an interface changing the trust state of the interface also changes its rate limit to the default value for that trust state After you configure the rate limit the interface retains the rate limit even when its trust state is changed If you ente...

Page 595: ...ion limit rate pps burst interval seconds none Limit the rate of incoming ARP requests and responses on the interface The default rate is 15 pps on untrusted interfaces and unlimited on trusted interfaces The burst interval is 1 second The keywords have these meanings For rate pps specify an upper limit for the number of incoming packets processed per second The range is 0 to 2048 pps Optional For...

Page 596: ...inal Enter global configuration mode Step 2 ip arp inspection validate src mac dst mac ip Perform a specific check on incoming ARP packets By default no checks are performed The keywords have these meanings For src mac check the source MAC address in the Ethernet header against the sender MAC address in the ARP body This check is performed on both ARP requests and responses When enabled packets wi...

Page 597: ...nd Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip arp inspection log buffer entries number logs number interval seconds Configure the dynamic ARP inspection logging buffer By default when dynamic ARP inspection is enabled denied or dropped ARP packets are logged The number of log entries is 32 The number of system messages is limited to 5 per second The logging rate in...

Page 598: ...VLANs separated by a comma The range is 1 to 4094 For acl match matchlog log packets based on the ACE logging configuration If you specify the matchlog keyword in this command and the log keyword in the permit or deny ARP access list configuration command ARP packets permitted or denied by the ACL are logged For acl match none do not log packets that match ACLs For dhcp bindings all log all packet...

Page 599: ... the privileged EXEC commands in Table 23 4 For more information about these commands see the command reference for this release Table 23 3 Commands for Clearing or Displaying Dynamic ARP Inspection Statistics Command Description clear ip arp inspection statistics Clears dynamic ARP inspection statistics show ip arp inspection statistics vlan vlan range Displays statistics for forwarded dropped MA...

Page 600: ...23 16 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 12247 04 Chapter 23 Configuring Dynamic ARP Inspection Displaying Dynamic ARP Inspection Information ...

Page 601: ...ing for IPv4 traffic For information about MLD snooping see Chapter 25 Configuring IPv6 MLD Snooping Note For complete syntax and usage information for the commands used in this chapter see the switch command reference for this release and the IP Multicast Routing Commands section in the Cisco IOS IP Command Reference Volume 3 of 3 Multicast Release 12 2 This chapter consists of these sections Und...

Page 602: ...h it receives an IGMP join request The switch supports IP multicast group based bridging rather than MAC addressed based groups With multicast MAC address based groups if an IP address being configured translates aliases to a previously configured MAC address or to any reserved multicast MAC addresses in the range 224 0 0 xxx the command fails Because the switch uses IP multicast groups there are ...

Page 603: ... your network includes IGMPv3 hosts It constrains traffic to approximately the same set of ports as the IGMP snooping feature on IGMPv2 or IGMPv1 hosts Note IGMPv3 join and leave messages are not supported on switches running IGMP filtering or MVR An IGMPv3 switch can receive messages from and forward messages to a device running the Source Specific Multicast SSM feature For more information about...

Page 604: ...t group 224 1 2 3 and multicasts an IGMP membership report IGMP join message to the group The switch CPU uses the information in the IGMP report to set up a forwarding table entry as shown in Table 24 1 that includes the port numbers of Blade Server 1 and the router The switch hardware can distinguish IGMP information packets from other packets for the multicast group The information in the table ...

Page 605: ...es to receive multicast traffic the router continues forwarding the multicast traffic to the VLAN The switch forwards multicast group traffic only to those blade servers listed in the forwarding table for that IP multicast group maintained by IGMP snooping When blade servers want to leave a multicast group they can silently leave or they can send a leave message When the switch receives a leave me...

Page 606: ...me can be configured from 100 to 5000 milliseconds The timer can be set either globally or on a per VLAN basis The VLAN configuration of the leave time overrides the global configuration For configuration steps see the Configuring the IGMP Leave Timer section on page 24 12 IGMP Report Suppression Note IGMP report suppression is supported only when the multicast query has IGMPv1 and IGMPv2 reports ...

Page 607: ...ight take longer to converge if the stack master is removed Configuring IGMP Snooping IGMP snooping allows switches to examine IGMP packets and make forwarding decisions based on their content These sections contain this configuration information Default IGMP Snooping Configuration page 24 7 Enabling or Disabling IGMP Snooping page 24 8 Setting the Snooping Method page 24 9 Configuring a Multicast...

Page 608: ...llow these steps to enable IGMP snooping on a VLAN interface To disable IGMP snooping on a VLAN interface use the no ip igmp snooping vlan vlan id global configuration command for the specified VLAN number IGMP snooping querier Disabled IGMP report suppression Enabled 1 TCN Topology Change Notification Table 24 3 Default IGMP Snooping Configuration continued Feature Default Setting Command Purpose...

Page 609: ...the ip igmp snooping vlan vlan id mrouter learn pim dvmrp global configuration command Note If you want to use CGMP as the learning method and no multicast routers in the VLAN are CGMP proxy enabled you must enter the ip cgmp router only command to dynamically access the router For more information see Chapter 44 Configuring IP Multicast Routing Beginning in privileged EXEC mode follow these steps...

Page 610: ...e terminal Switch config ip igmp snooping vlan 200 mrouter interface gigabitethernet0 2 Switch config end Configuring a Blade Server Statically to Join a Group Blade servers that are connected to Layer 2 ports normally join multicast groups dynamically You can also statically configure a Layer 2 port to which a blade server is connected so that the port joins a multicast group Command Purpose Step...

Page 611: ... IGMP Version 2 blade servers Beginning in privileged EXEC mode follow these steps to enable IGMP Immediate Leave Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip igmp snooping vlan vlan id static ip_address interface interface id Statically configure a Layer 2 port as a member of a multicast group vlan id is the multicast group VLAN ID The range is 1 to 1001 and...

Page 612: ...e IGMP configurable leave timer To globally reset the IGMP leave timer to the default setting use the no ip igmp snooping last member query interval global configuration command To remove the configured IGMP leave time setting from the specified VLAN use the no ip igmp snooping vlan vlan id last member query interval global configuration command Configuring TCN Related Commands These sections desc...

Page 613: ...ast address 0 0 0 0 However when you enable the ip igmp snooping tcn query solicit global configuration command the switch sends the global leave message whether or not it is the spanning tree root When the router receives this special leave it immediately sends general queries which expedite the process of recovering from the flood mode during the TCN event Leaves are always sent if the switch is...

Page 614: ...ss as the query source address If there is no IP address configured on the VLAN interface the IGMP snooping querier tries to use the configured global IP address for the IGMP querier If there is no global IP address specified the IGMP querier tries to use the VLAN switch virtual interface SVI IP address if one exists If there is no SVI IP address the switch uses the first available IP address conf...

Page 615: ... snooping querier Enable the IGMP snooping querier Step 3 ip igmp snooping querier address ip_address Optional Specify an IP address for the IGMP snooping querier If you do not specify an IP address the querier tries to use the global IP address configured for the IGMP querier Note The IGMP snooping querier does not generate an IGMP general query if it cannot find an IP address on the switch Step ...

Page 616: ...ort suppression is disabled all IGMP reports are forwarded to the multicast routers Beginning in privileged EXEC mode follow these steps to disable IGMP report suppression To re enable IGMP report suppression use the ip igmp snooping report suppression global configuration command Displaying IGMP Snooping Information You can display IGMP snooping information for dynamically learned and statically ...

Page 617: ... count user count Display multicast table information for a multicast VLAN or about a specific parameter for the VLAN vlan id The VLAN ID range is 1 to 1001 and 1006 to 4094 count Display the total number of entries for the specified command options instead of the actual entries dynamic Display entries learned through IGMP snooping ip_address Display characteristics of the multicast group with the...

Page 618: ...g behavior selectively allows traffic to cross between different VLANs You can set the switch for compatible or dynamic mode of MVR operation In compatible mode multicast data received by MVR blade servers is forwarded to all MVR data ports regardless of MVR blade server membership on those ports The multicast data is forwarded only to those receiver ports that MVR blade servers have joined either...

Page 619: ... it eliminates the receiver ports as a forwarding destination for this group Without Immediate Leave when the switch receives an IGMP leave message from a subscriber on a receiver port it sends out an IGMP query on that port and waits for IGMP group membership reports If no reports are received in a configured time period the receiver port is removed from multicast group membership With Immediate ...

Page 620: ...22 Default MVR Configuration Table 24 5 shows the default MVR configuration MVR Configuration Guidelines and Limitations Follow these guidelines when configuring MVR Receiver ports can only be access ports they cannot be trunk ports Receiver ports on a switch can be in different VLANs but should not belong to the multicast VLAN The maximum number of multicast entries MVR group addresses that can b...

Page 621: ...Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mvr Enable MVR on the switch Step 3 mvr group ip address count Configure an IP multicast address on the switch or use the count parameter to configure a contiguous series of MVR group addresses the range for count is 1 to 256 the default is 1 Any multicast data sent to this address is sent to all source ports on the s...

Page 622: ... show mvr members Verify the configuration Step 9 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mvr Enable MVR on the switch Step 3 interface interface id Specify the Layer 2 port to configure and enter interface configuration mode Step 4 mvr type source receiv...

Page 623: ...R ACTIVE DOWN ENABLED Step 5 mvr vlan vlan id group ip address Optional Statically configure a port to receive multicast traffic sent to the multicast VLAN and the IP multicast address A port statically configured as a member of a group remains a member of the group until statically removed Note In compatible mode this command applies to only receiver ports In dynamic mode it applies to receiver p...

Page 624: ... the multicast group the IGMP report from the port is forwarded for normal processing You can also set the maximum number of IGMP groups that a Layer 2 interface can join IGMP filtering controls only group specific query and membership reports including join and leave reports It does not control general IGMP queries IGMP filtering has no relationship with the function that directs the forwarding o...

Page 625: ...mber of IGMP Groups page 24 27 optional Configuring the IGMP Throttling Action page 24 28 optional Default IGMP Filtering and Throttling Configuration Table 24 7 shows the default IGMP filtering configuration When the maximum number of groups is in forwarding table the default IGMP throttling action is to deny the IGMP report For configuration guidelines see the Configuring the IGMP Throttling Act...

Page 626: ...the default it would not appear in the show ip igmp profile output display Switch config ip igmp profile 4 Switch config igmp profile permit Switch config igmp profile range 229 9 9 0 Switch config igmp profile end Switch show ip igmp profile 4 IGMP Profile 4 permit range 229 9 9 0 229 9 9 0 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip igmp profile profile nu...

Page 627: ...terface configuration command Use the no form of this command to set the maximum back to the default which is no limit This restriction can be applied to Layer 2 ports only you cannot set a maximum number of IGMP groups on routed ports or SVIs You also can use this command on a logical EtherChannel interface but cannot use it on ports that belong to an EtherChannel port group Beginning in privileg...

Page 628: ...no maximum entering the ip igmp max groups action deny replace command has no effect If you configure the throttling action and set the maximum group limitation after an interface has added multicast entries to the forwarding table the forwarding table entries are either aged out or removed depending on the throttling action If you configure the throttling action as deny the entries that were prev...

Page 629: ...hysical interface to be configured and enter interface configuration mode The interface can be a Layer 2 port that does not belong to an EtherChannel group or an EtherChannel interface The interface cannot be a trunk port Step 3 ip igmp max groups action deny replace When an interface receives an IGMP report and the maximum number of entries is in the forwarding table specify the action that the i...

Page 630: ...24 30 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 12247 04 Chapter 24 Configuring IGMP Snooping and MVR Displaying IGMP Filtering and Throttling Configuration ...

Page 631: ...ocumentation referenced in the procedures This chapter includes these sections Understanding MLD Snooping section on page 25 1 Configuring IPv6 MLD Snooping section on page 25 5 Displaying MLD Snooping Information section on page 25 11 Understanding MLD Snooping In IP Version 4 IPv4 Layer 2 switches can use Internet Group Management Protocol IGMP snooping to limit the flooding of multicast traffic...

Page 632: ...witch then performs IPv6 multicast address based bridging in hardware According to IPv6 multicast standards the switch derives the MAC multicast address by performing a logical OR of the four low order octets of the switch MAC address with the MAC address of 33 33 00 00 00 00 For example the IPv6 MAC address of FF02 DEAD BEEF 1 3 maps to the Ethernet MAC address of 33 33 00 01 00 03 A multicast pa...

Page 633: ...nd you are using extended VLANs in the range 1006 to 4094 IPv6 MLD snooping must be enabled on the extended VLAN on the Catalyst 6500 switch in order for the switch to receive queries on the VLAN For normal range VLANs 1 to 1005 it is not necessary to enable IPv6 MLD snooping on the VLAN on the Catalyst 6500 switch When a group exists in the MLD snooping database the switch responds to a group spe...

Page 634: ...bled and all MLDv1 reports are flooded to the ingress VLAN The switch also supports MLDv1 proxy reporting When an MLDv1 MASQ is received the switch responds with MLDv1 reports for the address on which the query arrived if the group exists in the switch on another port and if the port on which the query arrived is not the last member port for the address MLD Done Messages and Immediate Leave When t...

Page 635: ...witch Stacks The MLD IPv6 group and MAC address databases are maintained on all switches in the stack regardless of which switch learns of an IPv6 multicast group Report suppression and proxy reporting are done stack wide During the maximum response time only one received report for a group is forwarded to the multicast routers regardless of which switch the report arrives on The election of a new...

Page 636: ...tures at the same time on the switch The maximum number of multicast entries allowed on the switch or switch stack is determined by the configured SDM template The maximum number of address entries allowed for the switch or switch stack is 1000 Table 25 1 Default MLD Snooping Configuration Feature Default Setting MLD snooping Global Disabled MLD snooping per VLAN Enabled MLD snooping must be globa...

Page 637: ...n the IPv6 multicast router is a Catalyst 6500 switch and you are using extended VLANs in the range 1006 to 4094 IPv6 MLD snooping must be enabled on the extended VLAN on the Catalyst 6500 switch in order for the switch to receive queries on the VLAN For normal range VLANs 1 to 1005 it is not necessary to enable IPv6 MLD snooping on the VLAN on the Catalyst 6500 switch To disable MLD snooping on a...

Page 638: ...mmand line interface CLI to add a multicast router port to a VLAN To add a multicast router port add a static connection to a multicast router use the ipv6 mld snooping vlan mrouter global configuration command on the switch Note Static connections to multicast routers are supported only on switch ports Beginning in privileged EXEC mode follow these steps to add a multicast router port to a VLAN C...

Page 639: ...ping vlan vlan id immediate leave global configuration command This example shows how to enable MLD Immediate Leave on VLAN 130 Switch configure terminal Switch config ipv6 mld snooping vlan 130 immediate leave Switch config exit Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ipv6 mld snooping vlan vlan id mrouter interface interface id Specify the multicast route...

Page 640: ...nge is 1 to 7 the default is 2 The queries are sent 1 second apart Step 5 ipv6 mld snooping vlan vlan id last listener query count count Optional Set the last listener query count on a VLAN basis This value overrides the value configured globally The range is 1 to 7 the default is 0 When set to 0 the global count value is used Queries are sent 1 second apart Step 6 ipv6 mld snooping last listener ...

Page 641: ...tch forwards only one MLD report per multicast router query When message suppression is disabled multiple MLD reports could be forwarded to the multicast routers Beginning in privileged EXEC mode follow these steps to disable MLD listener message suppression To re enable MLD message suppression use the ipv6 mld snooping listener message suppression global configuration command Displaying MLD Snoop...

Page 642: ...aces Optional Enter vlan vlan id to display information for a single VLAN The VLAN ID range is 1 to 1001 and 1006 to 4094 show ipv6 mld snooping querier vlan vlan id Display information about the IPv6 address and incoming port for the most recently received MLD query messages in the VLAN Optional Enter vlan vlan id to display information for a single VLAN The VLAN ID range is 1 to 1001 and 1006 to...

Page 643: ...s contain this conceptual and configuration information Understanding Storm Control page 26 1 Default Storm Control Configuration page 26 3 Configuring Storm Control and Threshold Levels page 26 3 Understanding Storm Control Storm control prevents traffic on a LAN from being disrupted by a broadcast multicast or unicast storm on one of the physical interfaces A LAN storm occurs when packets flood ...

Page 644: ...tocol CDP frames are blocked However the switch does not differentiate between routing updates such as OSPF and regular multicast data traffic so both types of traffic are blocked The graph in Figure 26 1 shows broadcast traffic patterns on an interface over a given period of time The example can also be applied to multicast and unicast traffic In this example the broadcast traffic being forwarded...

Page 645: ...affic However because of hardware limitations and the way in which packets of different sizes are counted threshold percentages are approximations Depending on the sizes of the packets making up the incoming traffic the actual enforced threshold might differ from the configured level by several percentage points Note Storm control is supported on physical interfaces You can also configure storm co...

Page 646: ...ify the rising threshold level for broadcast multicast or unicast traffic in bits per second up to one decimal place The port blocks traffic when the rising threshold is reached The range is 0 0 to 10000000000 0 Optional For bps low specify the falling threshold level in bits per second up to one decimal place It can be less than or equal to the rising threshold level The port forwards traffic whe...

Page 647: ...o be error disabled if small frames arrive at a specified rate threshold You globally enable the small frame arrival feature on the switch and then configure the small frame threshold for packets on each interface Packets smaller than the minimum size and arriving at a specified rate the threshold are dropped since the port is error disabled If the errdisable recovery cause small frame global conf...

Page 648: ...between protected ports at Layer 2 only control traffic such as PIM packets is forwarded because these packets are processed by the CPU and forwarded in software All data traffic passing between protected ports must be forwarded through a Layer 3 device Forwarding behavior between a protected port and a nonprotected port proceeds as usual Because a switch stack represents a single logical switch L...

Page 649: ...ethernet1 0 1 Switch config if switchport protected Switch config if end Configuring Port Blocking By default the switch floods packets with unknown destination MAC addresses out of all ports If unknown unicast and multicast traffic is forwarded to a protected port there could be security issues To prevent unknown unicast or multicast traffic from being forwarded from one port to another you can b...

Page 650: ...rt block multicast Switch config if switchport block unicast Switch config if end Configuring Port Security You can use the port security feature to restrict input to an uplink interface by limiting and identifying MAC addresses of the stations allowed to access the uplink port When you assign secure MAC addresses to a secure port the port does not forward packets with source addresses outside the...

Page 651: ...aximum value interface configuration command Note If you try to set the maximum value to a number less than the number of secure addresses already configured on an interface the command is rejected The switch supports these types of secure MAC addresses Static secure MAC addresses These are manually configured by using the switchport port security mac address mac address interface configuration co...

Page 652: ... three violation modes based on the action to be taken if a violation occurs protect when the number of secure MAC addresses reaches the maximum limit allowed on the port packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses You are not notified that a secu...

Page 653: ...orts even though the configuration is allowed Table 26 1 Security Violation Mode Actions Violation Mode Traffic is forwarded1 1 Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses Sends SNMP trap Sends syslog message Displays error message2 2 The switch returns an error message if you manually configure an address that would cause a securi...

Page 654: ...nly the access VLAN is assigned an IP address When you enter a maximum secure address value for an interface and the new value is greater than the previous value the new value overwrites the previously configured value If the new value is less than the previous value and the number of configured secure addresses on the interface exceeds the new value the command is rejected The switch does not sup...

Page 655: ... list access voice Optional Set the maximum number of secure MAC addresses for the interface The maximum number of secure MAC addresses that you can configure on a switch or switch stack is set by the maximum number of available MAC addresses allowed in the system This number is set by the active Switch Database Management SDM template See Chapter 8 Configuring the Switch SDM Template This number ...

Page 656: ...e port has not reached its maximum limit restrict When the number of secure MAC addresses reaches the limit allowed on the port packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses An SNMP trap is sent a syslog message is logged and the violation counter increments shutdown The interface...

Page 657: ...rface is configured for voice VLAN configure a maximum of two secure MAC addresses Step 9 switchport port security mac address sticky Optional Enable sticky learning on the interface Step 10 switchport port security mac address sticky mac address vlan vlan id access voice Optional Enter a sticky secure MAC address repeating the command as many times as necessary If you configure fewer secure MAC a...

Page 658: ...tion command followed by the switchport port security command to re enable port security on the interface If you use the no switchport port security mac address sticky interface configuration command to convert sticky secure MAC addresses to dynamic secure MAC addresses before entering the no switchport port security command all secure addresses on the interface except those that were manually con...

Page 659: ... secure addresses on a per port basis Beginning in privileged EXEC mode follow these steps to configure port security aging Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to be configured and enter interface configuration mode Step 3 switchport port security aging static time time type absolute inactivity Enable or disa...

Page 660: ... When a switch joins a stack the new switch will get the configured secure addresses All dynamic secure addresses are downloaded by the new stack member from the other stack members When a switch either the stack master or a stack member leaves the stack the remaining stack members are notified and the secure MAC addresses configured or learned by that switch are deleted from the secure MAC addres...

Page 661: ...he show interfaces interface id switchport privileged EXEC command displays among other characteristics the interface traffic suppression and control configuration The show storm control and show port security privileged EXEC commands display those storm control and port security settings To display traffic control information use one or more of the privileged EXEC commands in Table 26 4 Table 26 ...

Page 662: ...26 20 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 12247 04 Chapter 26 Configuring Port Based Traffic Control Displaying Port Based Traffic Control Settings ...

Page 663: ... applications to discover Cisco devices that are neighbors of already known devices With CDP network management applications can learn the device type and the Simple Network Management Protocol SNMP agent address of neighboring devices running lower layer transparent protocols This feature enables applications to send SNMP queries to neighboring devices CDP runs on all media that support Subnetwor...

Page 664: ...ault CDP Configuration Table 27 1 shows the default CDP configuration Configuring the CDP Characteristics You can configure the frequency of CDP updates the amount of time to hold the information before discarding it and whether or not to send Version 2 advertisements Beginning in privileged EXEC mode follow these steps to configure the CDP timer holdtime and advertisement type Note Steps 2 throug...

Page 665: ...This example shows how to enable CDP if it has been disabled Switch configure terminal Switch config cdp run Switch config end Step 3 cdp holdtime seconds Optional Specify the amount of time a receiving device should hold the information sent by your device before discarding it The range is 10 to 255 seconds the default is 180 seconds Step 4 cdp advertise v2 Optional Configure CDP to send Version ...

Page 666: ... if cdp enable Switch config if end Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface on which you are disabling CDP and enter interface configuration mode Step 3 no cdp enable Disable CDP on the interface Step 4 end Return to privileged EXEC mode Step 5 copy running config startup config Optional Save your entries in the ...

Page 667: ...neighbor You can enter an asterisk to display all CDP neighbors or you can enter the name of the neighbor about which you want information You can also limit the display to information about the protocols enabled on the specified neighbor or information about the version of software running on the device show cdp interface interface id Display information about interfaces where CDP is enabled You ...

Page 668: ...27 6 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 12247 04 Chapter 27 Configuring CDP Monitoring and Maintaining CDP ...

Page 669: ...the affected port and alerts you Unidirectional links can cause a variety of problems including spanning tree topology loops Modes of Operation UDLD supports two modes of operation normal the default and aggressive In normal mode UDLD can detect unidirectional links due to misconnected ports on fiber optic connections In aggressive mode UDLD can also detect unidirectional links due to one way traf...

Page 670: ...onversely the loss of the heart beat means that the link must be shut down if it is not possible to re establish a bidirectional link If both fiber strands in a cable are working normally from a Layer 1 perspective UDLD in aggressive mode detects whether those fiber strands are connected correctly and whether traffic is flowing bidirectionally between the correct neighbors This check cannot be per...

Page 671: ...tisement or in the detection phase UDLD restarts the link up sequence to resynchronize with any potentially out of sync neighbor UDLD shuts down the port if after the fast train of messages the link state is still undetermined Figure 28 1 shows an example of a unidirectional link condition Figure 28 1 UDLD Detection of a Unidirectional Link Configuring UDLD These sections contain this configuratio...

Page 672: ...rt of another switch When configuring the mode normal or aggressive make sure that the same mode is configured on both sides of the link Caution Loop guard works only on point to point links We recommend that each end of the link has a directly connected device that is running STP Table 28 1 Default UDLD Configuration Feature Default Setting UDLD global enable state Globally disabled UDLD per port...

Page 673: ...ssive mode on all fiber optic ports enable Enables UDLD in normal mode on all fiber optic ports on the switch UDLD is disabled by default An individual interface configuration overrides the setting of the udld enable global configuration command For more information about aggressive and normal modes see the Modes of Operation section on page 28 1 message time message timer interval Configures the ...

Page 674: ...ation command enables the timer to automatically recover from the UDLD error disabled state and the errdisable recovery interval interval global configuration command specifies the time to recover from the UDLD error disabled state Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be enabled for UDLD and enter interface conf...

Page 675: ...apter 28 Configuring UDLD Displaying UDLD Status Displaying UDLD Status To display the UDLD status for the specified port or for all ports use the show udld interface id privileged EXEC command For detailed information about the fields in the command output see the command reference for this release ...

Page 676: ...28 8 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 12247 04 Chapter 28 Configuring UDLD Displaying UDLD Status ...

Page 677: ...ice LLDP The Cisco Discovery Protocol CDP is a device discovery protocol that runs over Layer 2 the data link layer on all Cisco manufactured devices routers bridges access servers and switches CDP allows network management applications to automatically discover and learn about other Cisco devices connected to the network To support non Cisco devices and to allow for interoperability between other...

Page 678: ...e enabled LLDP MED supports these TLVs LLDP MED capabilities TLV Allows LLDP MED endpoints to determine the capabilities that the connected device supports and has enabled Network policy TLV Allows both network connectivity devices and endpoints to advertise VLAN configurations and associated Layer 2 and Layer 3 attributes for the specific application on that port For example the switch can notify...

Page 679: ...ces Protocol NMSP location and attachment notifications The MSE starts the NMSP connection to the switch which opens a server port When the MSE connects to the switch there are a set of message exchanges to establish version compatibility and service exchange information followed by location information synchronization After connection the switch periodically sends location and attachment notifica...

Page 680: ...hat identifies the affected ports and the changed address information Configuring LLDP LLDP MED and Wired Location Service Default LLDP Configuration page 29 4 Configuration Guidelines page 29 4 Enabling LLDP page 29 5 Configuring LLDP Characteristics page 29 5 Configuring LLDP MED TLVs page 29 6 Configuring Network Policy TLV page 29 7 Configuring Location TLV and Wired Location Service page 29 9...

Page 681: ... LLDP on an interface use the no lldp transmit and the no lldp receive interface configuration commands This example shows how to globally enable LLDP Switch configure terminal Switch config lldp run Switch config end This example shows how to enable LLDP on an interface Switch configure terminal Switch config interface interface_id Switch config if lldp transmit Switch config if lldp receive Swit...

Page 682: ...TLVs as well When the LLDP MED entry has been aged out it again only sends LLDP packets Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 lldp holdtime seconds Optional Specify the amount of time a receiving device should hold the information from your device before discarding it The range is 0 to 65535 seconds the default is 120 seconds Step 3 lldp reinit delay Opti...

Page 683: ...profile configure the policy attributes and apply it to an interface Table 29 2 LLDP MED TLVs LLDP MED TLV Description inventory management LLDP MED inventory management TLV location LLDP MED location TLV network policy LLDP MED network policy TLV power management LLDP MED power management TLV Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id S...

Page 684: ...ice signaling application type vlan Specify the native VLAN for voice traffic vlan id Optional Specify the VLAN for voice traffic The range is 1 to 4094 cos cvalue Optional Specify the Layer 2 priority class of service CoS for the configured VLAN The range is 0 to 7 the default is 0 dscp dvalue Optional Specify the differentiated services code point DSCP value for the configured VLAN The range is ...

Page 685: ...ifier id Specify the location information for an endpoint admin tag Specify an administrative tag or site information civic location Specify civic location information elin location Specify emergency location information ELIN identifier id Specify the ID for the civic location string Specify the site or location information in alphanumeric format Step 3 exit Return to global configuration mode Ste...

Page 686: ...attachment location interval seconds Specify the NMSP notification interval attachment Specify the attachment notification interval location Specify the location notification interval interval seconds Duration in seconds before the switch sends the MSE the location or attachment updates The range is 1 to 30 the default is 30 Step 4 end Return to privileged EXEC mode Step 5 show network policy prof...

Page 687: ...interface type and number holdtime settings capabilities and port ID You can limit the display to neighbors of a specific interface or expand the display for more detailed information show lldp traffic Display LLDP counters including the number of packets sent and received number of packets discarded and number of unrecognized TLVs show location Display the location information for an endpoint sho...

Page 688: ...talyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 12247 04 Chapter 29 Configuring LLDP LLDP MED and Wired Location Service Monitoring and Maintaining LLDP LLDP MED and Wired Location Service ...

Page 689: ...etwork analyzer or other monitoring or security device SPAN copies or mirrors traffic received or sent or both on source ports or source VLANs to a destination port for analysis SPAN does not affect the switching of network traffic on the source ports or VLANs You must dedicate the destination port for SPAN use Except for traffic that is required for the SPAN or RSPAN session destination ports do ...

Page 690: ...orts are in the same switch or switch stack Local SPAN copies traffic from one or more source ports in any VLAN or from one or more VLANs to a destination port for analysis For example in Figure 30 1 all traffic on port 5 the source port is mirrored to port 10 the destination port A network analyzer on port 10 receives all network traffic from port 5 without being physically attached to port 5 Fig...

Page 691: ...r specified RSPAN VLAN that is dedicated for that RSPAN session in all participating switches The RSPAN traffic from the source ports or VLANs is copied into the RSPAN VLAN and forwarded over trunk ports carrying the RSPAN VLAN to a destination session monitoring the RSPAN VLAN Each RSPAN source switch must have either ports or VLANs as RSPAN sources The destination is always a physical port as sh...

Page 692: ...ts specified by the user and form them into a stream of SPAN data which is directed to the destination port RSPAN consists of at least one RSPAN source session an RSPAN VLAN and at least one RSPAN destination session You separately configure RSPAN source sessions and RSPAN destination sessions on different network devices To configure an RSPAN source session on a device you associate a set of sour...

Page 693: ...PAN source ports and VLANs Both switched and routed ports can be configured as SPAN sources and destinations You can have multiple destination ports in a SPAN session but no more than 64 destination ports per switch stack SPAN sessions do not interfere with the normal operation of the switch However an oversubscribed SPAN destination for example a 10 Mb s port monitoring a 100 Mb s port can result...

Page 694: ...ccur Packets are sent on the destination port with the same encapsulation untagged Inter Switch Link ISL or IEEE 802 1Q that they had on the source port Packets of all types including BPDU and Layer 2 protocol packets are monitored Therefore a local SPAN session with encapsulation replicate enabled can have a mixture of untagged ISL and IEEE 802 1Q tagged packets appear on the destination port Swi...

Page 695: ...rce ports and can be monitored in either or both directions On a given port only traffic on the monitored VLAN is sent to the destination port If a destination port belongs to a source VLAN it is excluded from the source list and is not monitored If ports are added to or removed from the source VLANs the traffic on the source VLAN received by those ports is added to or removed from the sources bei...

Page 696: ...ny Ethernet physical port It cannot be a secure port It cannot be a source port It cannot be an EtherChannel group or a VLAN It can participate in only one SPAN session at a time a destination port in one SPAN session cannot be a destination port for a second SPAN session When it is active incoming traffic is disabled The port does not transmit any traffic except that required for the SPAN session...

Page 697: ...es Routing SPAN does not monitor routed traffic VSPAN only monitors traffic that enters or exits the switch not traffic that is routed between VLANs For example if a VLAN is being Rx monitored and the switch routes traffic from another VLAN to the monitored VLAN that traffic is not monitored and not received on the SPAN destination port STP A destination port does not participate in STP while its ...

Page 698: ...emoved as a SPAN destination For SPAN sessions do not enable IEEE 802 1x on ports with monitored egress when ingress forwarding is enabled on the destination port For RSPAN source sessions do not enable IEEE 802 1x on any ports that are egress monitored SPAN and RSPAN and Switch Stacks Because the stack of switches is treated as one logical switch local SPAN source ports and destination ports can ...

Page 699: ...SPAN ACLs can be unloaded or reloaded independently If a VLAN based FSPAN session configured on a stack cannot fit in the hardware memory on one or more switches it is treated as unloaded on those switches and traffic meant for the FSPAN ACL and sourcing on that switch is not copied to the SPAN destination ports The FSPAN ACL continues to be correctly applied and traffic is copied to the SPAN dest...

Page 700: ...ough the SPAN destination port Entering SPAN configuration commands does not remove previously configured SPAN parameters You must enter the no monitor session session_number all local remote global configuration command to delete configured SPAN parameters For local SPAN outgoing packets through the SPAN destination port carry the original encapsulation headers untagged ISL or IEEE 802 1Q if the ...

Page 701: ...er the range is 1 to 66 For interface id specify the source port or source VLAN to monitor For source interface id specify the source port to monitor Valid interfaces include physical interfaces and port channel logical interfaces port channel port channel number Valid port channel numbers are 1 to 64 For vlan id specify the source VLAN to monitor The range is 1 to 4094 excluding the RSPAN VLAN No...

Page 702: ...thernet1 0 1 Switch config end This example shows how to disable received traffic monitoring on port 1 which was configured for bidirectional monitoring Switch config no monitor session 1 source interface gigabitethernet1 0 1 rx The monitoring of traffic received on port 1 is disabled but traffic sent from this port continues to be monitored Step 4 monitor session session_number destination interf...

Page 703: ...sion_number all local remote Remove any existing SPAN configuration for the session Step 3 monitor session session_number source interface interface id vlan vlan id both rx tx Specify the SPAN session and the source port monitored port Step 4 monitor session session_number destination interface interface id encapsulation replicate ingress dot1q vlan vlan id isl untagged vlan vlan id vlan vlan id S...

Page 704: ... dot1q vlan 6 Switch config end Specifying VLANs to Filter Beginning in privileged EXEC mode follow these steps to limit SPAN source traffic to specific VLANs Step 5 end Return to privileged EXEC mode Step 6 show monitor session session_number show running config Verify the configuration Step 7 copy running config startup config Optional Save the configuration in the configuration file Command Pur...

Page 705: ...nd Configuring Incoming Traffic page 30 22 RSPAN Configuration Guidelines Follow these guidelines when configuring RSPAN All the items in the SPAN Configuration Guidelines section on page 30 12 apply to RSPAN As RSPAN VLANs have special properties you should reserve a few VLANs across your network for use as RSPAN VLANs do not assign access ports to these VLANs Step 5 monitor session session_numbe...

Page 706: ... that you configure an RSPAN VLAN before you configure an RSPAN source or a destination session If you enable VTP and VTP pruning RSPAN traffic is pruned in the trunks to prevent the unwanted flooding of RSPAN traffic across the network for VLAN IDs that are lower than 1005 Configuring a VLAN as an RSPAN VLAN First create a new VLAN to be the RSPAN VLAN for the RSPAN session You must create the RS...

Page 707: ...he RSPAN session and the source port monitored port For session_number the range is 1 to 66 Enter a source port or source VLAN for the RSPAN session For interface id specify the source port to monitor Valid interfaces include physical interfaces and port channel logical interfaces port channel port channel number Valid port channel numbers are 1 to 64 For vlan id specify the source VLAN to monitor...

Page 708: ...e steps to configure the RSPAN source session to limit RSPAN source traffic to specific VLANs Step 6 show monitor session session_number show running config Verify the configuration Step 7 copy running config startup config Optional Save the configuration in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 no monitor session se...

Page 709: ...AN and the destination port Step 5 monitor session session_number destination remote vlan vlan id Specify the RSPAN session and the destination remote VLAN RSPAN VLAN For session_number enter the session number specified in step 3 For vlan id specify the RSPAN VLAN to carry the monitored traffic to the destination port Step 6 end Return to privileged EXEC mode Step 7 show monitor session session_n...

Page 710: ...e Creating an RSPAN Destination Session section on page 30 21 This procedure assumes that the RSPAN VLAN has already been configured Step 6 monitor session session_number source remote vlan vlan id Specify the RSPAN session and the source RSPAN VLAN For session_number the range is 1 to 66 For vlan id specify the source RSPAN VLAN to monitor Step 7 monitor session session_number destination interfa...

Page 711: ...d vlan vlan id Specify the SPAN session the destination port the packet encapsulation and the incoming VLAN and encapsulation For session_number enter the number defined in Step 4 In an RSPAN destination session you must use the same session number for the source RSPAN VLAN and the destination port For interface id specify the destination interface The destination interface must be a physical inte...

Page 712: ... Catalyst 3750 ports as source ports the FSPAN ACL command is rejected If the session has FSPAN ACL configured any commands including Catalyst 3750 ports as source ports are rejected The Catalyst 3750 ports can be added as destination ports in an FSPAN session VLAN based FSPAN sessions cannot be configured on a stack that includes Catalyst 3750 switches FSPAN ACLs cannot be applied to per port per...

Page 713: ...ecify the SPAN session and the source port monitored port For session_number the range is 1 to 66 For interface id specify the source port or the source VLAN to monitor For source interface id specify the source port to monitor Only physical interfaces are valid For vlan id specify the source VLAN to monitor The range is 1 to 4094 excluding the RSPAN VLAN Note A single session can include multiple...

Page 714: ...nterface replicates the source interface encapsulation method If not selected the default is to send packets in native form untagged Note You can use monitor session session_number destination command multiple times to configure multiple destination ports Step 5 monitor session session_number filter ip ipv6 mac access group access list number name Specify the SPAN session the types of packets to f...

Page 715: ...ived traffic both Monitor both received and sent traffic rx Monitor received traffic tx Monitor sent traffic Step 4 monitor session session_number destination remote vlan vlan id Specify the RSPAN session and the destination RSPAN VLAN For session_number enter the number defined in Step 3 For vlan id specify the source RSPAN VLAN to monitor Step 5 vlan vlan id Enter the VLAN sub mode For vlan id s...

Page 716: ...apter 30 Configuring SPAN and RSPAN Displaying SPAN and RSPAN Status Displaying SPAN and RSPAN Status To display the current SPAN or RSPAN configuration use the show monitor user EXEC command You can also use the show running config privileged EXEC command to display configured SPAN or RSPAN sessions ...

Page 717: ...syntax and usage information for the commands used in this chapter see the System Management Commands section in the Cisco IOS Configuration Fundamentals Command Reference Release 12 2 from the Cisco com page under Documentation Cisco IOS Software 12 2 Mainline Command References This chapter consists of these sections Understanding RMON page 31 1 Configuring RMON page 31 2 Displaying RMON Status ...

Page 718: ...rm at a specified value rising threshold and resets the alarm at another value falling threshold Alarms can be used with events the alarm triggers an event which can generate a log entry or an SNMP trap Event RMON group 9 Specifies the action to take when an event is triggered by an alarm The action can be to generate a log entry or an SNMP trap Because switches supported by this software release ...

Page 719: ...inning in privileged EXEC mode follow these steps to enable RMON alarms and events This procedure is required Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 rmon alarm number variable interval absolute delta rising threshold value event number falling threshold value event number owner string Set an alarm on a MIB object For number specify the alarm number The ran...

Page 720: ...s reset and can be triggered again Switch config rmon alarm 10 ifEntry 20 1 20 delta rising threshold 15 1 falling threshold 0 owner jjohnson The following example creates RMON event number 1 by using the rmon event command The event is defined as High ifOutErrors and generates a log entry when the event is triggered by the alarm The user jjones owns the row that is created in the event table by t...

Page 721: ... 3 rmon collection history index buckets bucket number interval seconds owner ownername Enable history collection for the specified number of buckets and time period For index identify the RMON group of statistics The range is 1 to 65535 Optional For buckets bucket number specify the maximum number of buckets desired for the RMON collection history group of statistics The range is 1 to 65535 The d...

Page 722: ...co com page under Documentation Cisco IOS Software 12 2 Mainline Command References Step 3 rmon collection stats index owner ownername Enable RMON statistic collection on the interface For index specify the RMON group of statistics The range is from 1 to 65535 Optional For owner ownername enter the name of the owner of the RMON group of statistics Step 4 end Return to privileged EXEC mode Step 5 s...

Page 723: ...s the output from system messages and debug privileged EXEC commands to a logging process Stack members can trigger system messages A stack member that generates a system message appends its hostname in the form of hostname n where n is a switch number from 1 to 9 and redirects the output to the logging process on the stack master Though the stack master is a stack member it does not append its ho...

Page 724: ...em Message Logging These sections contain this configuration information System Log Message Format page 32 2 Default System Message Logging Configuration page 32 4 Disabling Message Logging page 32 4 optional Setting the Message Display Destination Device page 32 5 optional Synchronizing Log Messages page 32 6 optional Enabling and Disabling Time Stamps on Log Messages page 32 8 optional Enabling ...

Page 725: ...ge on a nonstacking capable switch 00 00 46 LINK 3 UPDOWN Interface Port channel1 changed state to up 00 00 47 LINK 3 UPDOWN Interface GigabitEthernet0 1 changed state to up 00 00 47 LINK 3 UPDOWN Interface GigabitEthernet0 2 changed state to up 00 00 48 LINEPROTO 5 UPDOWN Line protocol on Interface Vlan1 changed state to down 00 00 48 LINEPROTO 5 UPDOWN Line protocol on Interface GigabitEthernet0...

Page 726: ...sages Beginning in privileged EXEC mode follow these steps to disable message logging This procedure is optional Table 32 2 Default System Message Logging Configuration Feature Default Setting System message logging to the console Enabled Console severity Debugging and numerically lower levels see Table 32 3 on page 32 10 Logging file configuration No filename specified Logging buffer size 4096 by...

Page 727: ...the locations that receive messages This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 logging buffered size Log messages to an internal buffer on the switch or on a standalone switch or in the case of a switch stack on the stack master The range is 4096 to 2147483647 bytes The default buffer size is 4096 bytes If the standalone switch or th...

Page 728: ...ages and debug command output is enabled unsolicited device output appears on the console or printed after solicited device output appears or is printed Unsolicited messages and debug command output appears on the console after the prompt for user input is returned Therefore unsolicited messages and debug command output are not interspersed with solicited device output and prompts After the unsoli...

Page 729: ... line numbers is from 0 to 15 You can change the setting of all 16 vty lines at once by entering line vty 0 15 Or you can change the setting of the single vty line being used for your current connection For example to change the setting for vty line 2 enter line vty 2 When you enter this command the mode changes to line configuration Step 3 logging synchronous level severity level all limit number...

Page 730: ...ore than one log message can have the same time stamp you can display messages with sequence numbers so that you can unambiguously see a single message By default sequence numbers in log messages are not displayed Beginning in privileged EXEC mode follow these steps to enable sequence numbers in log messages This procedure is optional Command Purpose Step 1 configure terminal Enter global configur...

Page 731: ...lobal configuration command To disable logging to syslog servers use the no logging trap global configuration command Step 4 show running config Verify your entries Step 5 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 logging console level Limit messages logged...

Page 732: ...k messages displayed at the informational level This message is only for information switch functionality is not affected Limiting Syslog Messages Sent to the History Table and to SNMP If you enabled syslog message traps to be sent to an SNMP network management station by using the snmp server enable trap global configuration command you can change the level of messages sent and stored in the swit...

Page 733: ...le command followed by the logging enable command to disable and re enable logging Use the show archive log config all number end number user username session number number end number statistics provisioning privileged EXEC command to display the complete configuration log or the log for specified parameters The default is that configuration logging is disabled For information about the commands s...

Page 734: ...art stop group radius 41 13 unknown user vty3 no aaa accounting system default 42 14 temi vty4 interface GigabitEthernet4 0 1 43 14 temi vty4 switchport mode trunk 44 14 temi vty4 exit 45 16 temi vty5 interface GigabitEthernet5 0 1 46 16 temi vty5 switchport mode trunk 47 16 temi vty5 exit Configuring UNIX Syslog Servers The next sections describe how to configure the UNIX server syslog daemon and...

Page 735: ... sends messages at this level or at a more severe level to the file specified in the next field The file must already exist and the syslog daemon must have permission to write to it Step 2 Create the log file by entering these commands at the UNIX shell prompt touch var log cisco log chmod 666 var log cisco log Step 3 Make sure the syslog daemon reads the new changes kill HUP cat etc syslog pid Fo...

Page 736: ...XEC command For information about the fields in this display see the Cisco IOS Configuration Fundamentals Command Reference Release 12 12 2 from the Cisco com page under Documentation Cisco IOS Software 12 2 Mainline Command References Step 4 logging facility facility type Configure the syslog facility See Table 32 4 on page 32 14 for facility type keywords The default is local7 Step 5 end Return ...

Page 737: ...the switch To configure SNMP on the switch you define the relationship between the manager and the agent The SNMP agent contains MIB variables whose values the SNMP manager can request or change A manager can get a value from an agent or store a value into the agent The agent gathers data from the MIB the repository for information about device parameters and network data The agent can also respon...

Page 738: ...these security features Message integrity ensuring that a packet was not tampered with in transit Authentication determining that the message is from a valid source Encryption mixing the contents of a package to prevent it from being read by an unauthorized source Note To select encryption enter the priv keyword This keyword is available only when the cryptographic encrypted universal software ima...

Page 739: ... or HMAC SHA algorithms SNMPv3 authPriv requires the cryptographic universal software image MD5 or SHA Data Encryption Standard DES or Advanced Encryption Standard AES Provides authentication based on the HMAC MD5 or HMAC SHA algorithms Allows specifying the User based Security Model USM with these encryption algorithms DES 56 bit encryption in addition to authentication based on the CBC DES DES 5...

Page 740: ... Gives read access to authorized management stations to all objects in the MIB except the community strings but does not allow write access Read write RW Gives read and write access to authorized management stations to all objects in the MIB but does not allow access to the community strings Using SNMP to Access MIB Variables An example of an NMS is the CiscoWorks network management software Cisco...

Page 741: ...rded as soon as it is sent an inform request is held in memory until a response is received or the request times out Traps are sent only once but an inform might be re sent or retried several times The retries increase traffic and contribute to a higher overhead on the network Therefore traps and informs require a trade off between reliability and resources If it is important that the SNMP manager...

Page 742: ...tarts and the switch startup configuration has at least one snmp server global configuration command the SNMP agent is enabled An SNMP group is a table that maps SNMP users to SNMP views An SNMP user is a member of an SNMP group An SNMP host is the recipient of an SNMP trap operation An SNMP engine ID is a name for the local or remote SNMP engine Table 33 4 Default SNMP Configuration Feature Defau...

Page 743: ...forms to it If a local user is not associated with a remote host the switch does not send informs for the auth authNoPriv and the priv authPriv authentication levels Changing the value of the SNMP engine ID has important side effects A user s password entered on the command line is converted to an MD5 or SHA security digest based on the password and the local engine ID The command line password is...

Page 744: ...igure one or more community strings of any length Optional For view specify the view record accessible to the community Optional Specify either read only ro if you want authorized management stations to retrieve MIB objects or specify read write rw if you want authorized management stations to retrieve and modify MIB objects By default the community string permits read only access to all objects O...

Page 745: ... add new users to the SNMP group Beginning in privileged EXEC mode follow these steps to configure SNMP on the switch Step 5 show running config Verify your entries Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 snmp server engineID local engineid string ...

Page 746: ...acket authentication noauth Enables the noAuthNoPriv security level This is the default if no keyword is specified priv Enables Data Encryption Standard DES packet encryption also called privacy Note The priv keyword is available only when the cryptographic universal software image is installed Optional Enter read readview with a string not to exceed 64 characters that is the name of the view in w...

Page 747: ...3 If you enter v3 you have these additional options encrypted specifies that the password appears in encrypted format This keyword is available only when the v3 keyword is specified auth is an authentication level setting session that can be either the HMAC MD5 96 md5 or the HMAC SHA 96 sha authentication level and requires a password string auth password not to exceed 64 characters If you enter v...

Page 748: ...ated traps entity Generates a trap for SNMP entity changes envmon Generates environmental monitor traps You can enable any or all of these environmental traps fan shutdown status supply temperature flash Generates SNMP FLASH notifications In a switch stack you can optionally enable notification for flash insertion or removal which would cause a trap to be issued whenever a switch in the stack is r...

Page 749: ...ity configure the port security trap first and then configure the port security trap rate snmp server enable traps port security snmp server enable traps port security trap rate rate rtr Generates a trap for the SNMP Response Time Reporter RTR snmp Generates a trap for SNMP type notifications for authentication cold start warm start link up or link down storm control Generates a trap for SNMP stor...

Page 750: ...ication level auth noauth or priv Note The priv keyword is available only when the cryptographic universal software image is installed For community string when version 1 or version 2c is specified enter the password like community string sent with the notification operation When version 3 is specified enter the SNMPv3 username Optional For notification type use the keywords listed in Table 33 5 o...

Page 751: ...nds Step 10 end Return to privileged EXEC mode Step 11 show running config Verify your entries Note To display SNMPv3 information about auth noauth priv mode configuration you must enter the show snmp user privileged command Step 12 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configur...

Page 752: ...onal Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 snmp server contact text Set the system contact string For example snmp server contact Dial System Operator at beeper 21555 Step 3 snmp server location text Set the system location string For example snmp server location Building 3 Room 222 Step 4 end Re...

Page 753: ...s to members of access list 4 that use the comaccess community string No other SNMP managers have access to any objects SNMP Authentication Failure traps are sent by SNMPv2C to the host cisco com using the community string public Switch config snmp server community comaccess ro 4 Switch config snmp server enable traps snmp authentication Switch config snmp server host cisco com version 2c public S...

Page 754: ... 1 27 v3 auth md5 mypassword Switch config snmp server user authuser authgroup v3 auth md5 mypassword Switch config snmp server host 192 180 1 27 informs version 3 auth authuser config Switch config snmp server enable traps Switch config snmp server inform retries 0 Displaying SNMP Status To display SNMP input and output statistics including the number of illegal community string entries errors an...

Page 755: ... then acts on them through a set policy This policy is a programmed script that you can use to customize a script to invoke an action based on a given set of events occurring The script generates actions such as generating custom syslog or Simple Network Management Protocol SNMP traps invoking CLI commands forcing a failover and so forth The event management capabilities of EEM are useful because ...

Page 756: ...hat provide an interface between the agent being monitored for example SNMP and the EEM polices where an action can be implemented Event detectors are generated only by the master switch CLI and routing processes also run only from the master switch Note The stack member switch does not generate events and does not support memory threshold notifications or IOSWdSysmon event detectors EEM allows th...

Page 757: ... data encoding for exchanging XML based messages It also runs EEM policies and then gets the output in a SOAP XML formatted reply SNMP event detector Allows a standard SNMP MIB object to be monitored and an event to be generated when The object matches specified values or crosses specified thresholds The SNMP delta value the difference between the monitored Object Identifier OID value at the begin...

Page 758: ...a and the actions to be taken when that event occurs Scripts are defined on the networking device by using an ASCII editor The script which can be a bytecode tbc and text tcl script is then copied to the networking device and registered with EEM You can also register multiple events in a tcl file You use EEM to write and implement your own policies using the EEM policy tool command language TCL sc...

Page 759: ...in this configuration information Registering and Defining an Embedded Event Manager Applet page 33 5 Registering and Defining an Embedded Event Manager TCL Script page 33 6 For complete information about configuring embedded event manager see the Cisco IOS Network Management Configuration Guide Release 12 4T Registering and Defining an Embedded Event Manager Applet Beginning in privileged EXEC mo...

Page 760: ...ority level msg msg text Specify the action when an EEM applet is triggered Repeat this action to add other CLI commands to the applet Optional The priority keyword specifies the priority level of the syslog messages If selected you need to define the priority level argument For msg text the argument can be character text an environment variable or a combination of the two Step 5 end Exit applet c...

Page 761: ...ond minute every hour of every day Switch config event manager environment_cron_entry 0 59 2 0 23 1 0 6 This example shows the sample EEM policy named tm_cli_cmd tcl registered as a system policy The system policies are part of the Cisco IOS image User defined TCL scripts must first be copied to flash memory Switch config event manager policy tm_cli_cmd tcl type system Displaying Embedded Event Ma...

Page 762: ...33 8 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 12247 04 Chapter 33 Configuring Embedded Event Manager Displaying Embedded Event Manager Information ...

Page 763: ...ge 34 28 Configuring VLAN Maps page 34 30 Using VLAN Maps with Router ACLs page 34 36 Displaying IPv4 ACL Configuration page 34 40 Understanding ACLs Packet filtering can help limit network traffic and restrict network use by certain users or devices ACLs filter traffic as it passes through a router or switch and permit or deny packets crossing specified interfaces or VLANs An ACL is a sequential ...

Page 764: ...rts three applications of ACLs to filter traffic Port ACLs access control traffic entering a Layer 2 interface The switch does not support port ACLs in the outbound direction You can apply only one IP access list and one MAC access list to a Layer 2 interface For more information see the Port ACLs section on page 34 3 Router ACLs access control routed traffic between VLANs and are applied to Layer...

Page 765: ... ACLs This is because the switch does not recognize the protocol inside the IEEE 802 1Q header This restriction applies to router ACLs port ACLs and VLAN maps For more information about IEEE 802 1Q tunneling see Chapter 17 Configuring IEEE 802 1Q and Layer 2 Protocol Tunneling Port ACLs Port ACLs are ACLs that are applied to Layer 2 interfaces on a switch Port ACLs are supported only on physical i...

Page 766: ...ace and you apply a new IP access list or MAC access list to the interface the new ACL replaces the previously configured one Router ACLs You can apply router ACLs on switch virtual interfaces SVIs which are Layer 3 interfaces to VLANs on physical Layer 3 interfaces and on Layer 3 EtherChannel interfaces You apply router ACLs on interfaces for specific directions inbound or outbound You can apply ...

Page 767: ...hertype using MAC VLAN maps IP traffic is not access controlled by MAC VLAN maps You can enforce VLAN maps only on packets going through the switch you cannot enforce VLAN maps on traffic between hosts on a hub or on another switch connected to this switch With VLAN maps forwarding of packets is permitted or denied based on the action specified in the map Figure 34 2 shows how a VLAN map is applie...

Page 768: ...cond ACE a deny because all Layer 3 and Layer 4 information is present The remaining fragments in the packet do not match the second ACE because they are missing Layer 4 information Instead they match the third ACE a permit Because the first fragment was denied host 10 1 1 2 cannot reassemble a complete packet so packet B is effectively denied However the later fragments that are permitted will co...

Page 769: ... more detailed information on configuring ACLs see the Configuring IP Services section in the IP Addressing and Services chapter of the Cisco IOS IP Configuration Guide Release 12 2 For detailed information about the commands see the Cisco IOS IP Command Reference Volume 1 of 3 Addressing and Services Release 12 2 The switch does not support these Cisco IOS router ACL related features Non IP proto...

Page 770: ...em Access List Numbers page 34 8 ACL Logging page 34 9 Creating a Numbered Standard ACL page 34 10 Creating a Numbered Extended ACL page 34 11 Resequencing ACEs in an ACL page 34 15 Creating Named Standard and Extended ACLs page 34 15 Using Time Ranges with ACLs page 34 17 Including Comments in ACLs page 34 19 Access List Numbers The number you use to denote your ACL shows the type of access list ...

Page 771: ...vel of messages logged to the console is controlled by the logging console commands controlling the syslog messages Note Because routing is done in hardware and logging is done in software if a large number of packets match a permit or deny ACE containing a log keyword the software might not be able to match the hardware processing rate and not all packets will be logged The first packet that trig...

Page 772: ...s lists Standard IP access list 2 10 deny 171 69 198 102 20 permit any Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny permit source source wildcard log Define a standard IPv4 access list by using a source address and wildcard The access list number is a decimal number from 1 to 99 or 1300 to 1999 Enter deny or permit to specify ...

Page 773: ...t the end of the list You cannot reorder the list or selectively add or remove ACEs from a numbered list Some protocols also have specific parameters and keywords that apply to that protocol These IP protocols are supported protocol keywords are in parentheses in bold Authentication Header Protocol ahp Enhanced Interior Gateway Routing Protocol eigrp Encapsulation Security Payload esp generic rout...

Page 774: ...l specific parameters for TCP UDP ICMP and IGMP see steps 2b through 2e The source is the number of the network or host from which the packet is sent The source wildcard applies wildcard bits to the source The destination is the network or host number to which the packet is sent The destination wildcard applies wildcard bits to the destination Source source wildcard destination and destination wil...

Page 775: ...mission Control Protocol The parameters are the same as those described in Step 2a with these exceptions Optional Enter an operator and port to compare source if positioned after source source wildcard or destination if positioned after destination destination wildcard port Possible operators include eq equal gt greater than lt less than neq not equal and range inclusive range Operators require a ...

Page 776: ...essage precedence precedence tos tos fragments log log input time range time range name dscp dscp Optional Define an extended ICMP access list and the access conditions Enter icmp for Internet Control Message Protocol The ICMP parameters are the same as those described for most IP protocols in Step 2a with the addition of the ICMP message type and code parameters These optional keywords have these...

Page 777: ... access lists in a router than if you were to use numbered access lists If you identify your access list with a name rather than a number the mode and command syntax are slightly different However not all commands that use IP access lists accept a named access list Note The name you give to a standard or extended ACL can also be a number in the supported range of access list numbers That is the na...

Page 778: ...ep 4 end Return to privileged EXEC mode Step 5 show access lists number name Show the access list configuration Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip access list extended name Define an extended IPv4 access list using a name and enter access list configuratio...

Page 779: ...et the times and the dates or the days of the week in the time range Then enter the time range name when applying an ACL to set restrictions to the access list You can use the time range to define when the permit or deny statements in the ACL are in effect for example during a specified time period or on specified days of the week The time range keyword and argument are referenced in the named and...

Page 780: ... verify extended access list 188 that denies TCP traffic from any source to any destination during the defined holiday times and permits all TCP traffic during work hours Switch config access list 188 deny tcp any any time range new_year_day_2006 Switch config access list 188 permit tcp any any time range workhours Switch config end Switch show access lists Extended IP access list 188 10 deny tcp ...

Page 781: ...ociated permit or deny statements and some remarks after the associated statements To include a comment for IP numbered standard or extended ACLs use the access list access list number remark remark global configuration command To remove the remark use the no form of this command In this example the server that belongs to Jones is allowed access and the workstation that belongs to Smith is not all...

Page 782: ... as SNMP Telnet or web traffic You do not have to enable routing to apply ACLs to Layer 2 interfaces When private VLANs are configured you can apply router ACLs only on the primary VLAN SVIs The ACL is applied to both primary and secondary VLAN Layer 3 traffic Note By default the router sends Internet Control Message Protocol ICMP unreachable messages when a packet is denied by an access group The...

Page 783: ...hecks the packet against the ACL If the ACL permits the packet the switch sends the packet If the ACL rejects the packet the switch discards the packet By default the input interface sends ICMP Unreachable messages whenever a packet is discarded regardless of whether the packet was discarded because of an ACL on the input interface or because of an ACL on the output interface ICMP Unreachables are...

Page 784: ...n cannot be applied in hardware packets arriving in a VLAN that must be routed are routed in software but are bridged in hardware If ACLs cause large numbers of packets to be sent to the CPU the switch performance can be negatively affected When you enter the show ip access lists privileged EXEC command the match count displayed does not account for packets that are access controlled in hardware U...

Page 785: ...ource source wildcard destination destination wildcard permit tcp source source wildcard destination destination wildcard range 5 60 permit tcp source source wildcard destination destination wildcard range 15 160 permit tcp source source wildcard destination destination wildcard range 115 1660 or Rename the ACL with a name or number that alphanumerically precedes the other ACLs for example rename ...

Page 786: ...gigabitethernet1 0 1 Switch config if ip access group 6 out This example uses an extended ACL to filter traffic coming from blade server B into a port permitting traffic from any source address in this case Server B to only the Accounting destination addresses 172 20 128 64 to 172 20 128 95 The ACL is applied to traffic going into routed Port 1 permitting it to go only to the specified destination...

Page 787: ...that you have a network connected to the Internet and you want any host on the network to be able to form TCP connections to any host on the Internet However you do not want IP hosts to be able to form TCP connections to hosts on your network except to the mail SMTP port of a dedicated mail host SMTP uses TCP port 25 on one end of the connection and a random port number on the other end The same p...

Page 788: ...ny tcp any any Switch config ext nacl permit icmp any any Switch config ext nacl deny udp any 171 69 0 0 0 0 255 255 lt 1024 Switch config ext nacl deny ip any any log Switch config ext nacl exit The Internet_filter ACL is applied to outgoing traffic and the marketing_group ACL is applied to incoming traffic on a Layer 3 port Switch config interface gigabitethernet3 0 2 Switch config if no switchp...

Page 789: ...lnet Switch config ip access list extended telnetting Switch config ext nacl remark Do not allow Jones subnet to telnet out Switch config ext nacl deny tcp 171 69 0 0 0 0 255 255 any eq telnet ACL Logging Two variations of logging are supported on router ACLs The log keyword sends an informational logging message to the console about the packet that matches the entry the log input keyword includes...

Page 790: ... kind of ACL and the access entry that has been matched This is an example of an output message when the log input keyword is entered 00 04 21 SEC 6 IPACCESSLOGDP list inputlog permitted icmp 10 1 1 10 Vlan1 0001 42ef a400 10 1 1 61 0 0 1 packet A log message for the same sort of packet using the log keyword does not include the input interface information 00 05 47 SEC 6 IPACCESSLOGDP list inputlo...

Page 791: ... access list filters only IP packets and the MAC access list filters non IP packets Step 3 deny permit any host source MAC address source MAC address mask any host destination MAC address destination MAC address mask type mask lsap lsap mask aarp amber dec spanning decnet iv diagnostic dsm etype 6000 etype 8042 lat lavc sca mop console mop dump msdos mumps netbios vines echo vines ip xns idp 0 655...

Page 792: ... permits all packets Remember this behavior if you use undefined ACLs for network security Configuring VLAN Maps This section describes how to configure VLAN maps which is the only way to control filtering within a VLAN VLAN maps have no direction To filter traffic in a specific direction by using a VLAN map you need to include an ACL with specific source or destination addresses If there is a mat...

Page 793: ... Map page 34 32 Applying a VLAN Map to a VLAN page 34 35 Using VLAN Maps in Your Network page 34 35 VLAN Map Configuration Guidelines Follow these guidelines when configuring VLAN maps If there is no ACL configured to deny traffic on an interface and no VLAN map is configured all traffic is permitted Each VLAN map consists of a series of entries The order of entries in an VLAN map is important A p...

Page 794: ...nfiguration command to delete a single sequence entry from within the map Use the no action access map configuration command to enforce the default action which is to forward VLAN maps do not use the specific permit or deny keywords To deny a packet by using VLAN maps create an ACL that would match the packet and set the action to drop A permit in the ACL counts as a match A deny in the ACL means ...

Page 795: ...kets would get dropped Switch config ip access list extended ip2 Switch config ext nacl permit udp any any Switch config ext nacl exit Switch config vlan access map map_1 20 Switch config access map match ip address ip2 Switch config access map action forward Example 2 In this example the VLAN map has a default action of drop for IP packets and a default action of forward for MAC packets Used with...

Page 796: ... ip Switch config ext macl permit any any vines ip Switch config ext nacl exit Switch config vlan access map drop mac default 10 Switch config access map match mac address good hosts Switch config access map action forward Switch config access map exit Switch config vlan access map drop mac default 20 Switch config access map match mac address good protocols Switch config access map action forward...

Page 797: ... You can restrict access to a server on another VLAN For example server 10 1 1 100 in VLAN 10 needs to have access denied to these hosts see Figure 34 4 Hosts in subnet 10 1 2 0 8 in VLAN 20 should not have access Hosts 10 1 1 4 and 10 1 1 8 in VLAN 10 should not have access Figure 34 4 Deny Access to a Server on Another VLAN Command Purpose Step 1 configure terminal Enter global configuration mod...

Page 798: ...AN map to VLAN 10 Switch config vlan filter SERVER1_MAP vlan list 10 Using VLAN Maps with Router ACLs To access control both bridged and routed traffic you can use VLAN maps only or a combination of router ACLs and VLAN maps You can define router ACLs on both input and output routed VLAN interfaces and you can define a VLAN map to access control the bridged traffic If a packet flow matches a VLAN ...

Page 799: ... including Layer 4 information in an ACL adding this information complicates the merging process The best merge results are obtained if the ACLs are filtered based on IP addresses source and destination and not on the full flow source IP address destination IP address protocol and protocol ports It is also helpful to use don t care bits in the IP address whenever possible If you need to specify th...

Page 800: ... on fallback bridged packets For bridged packets only Layer 2 ACLs are applied to the input VLAN Only non IP non ARP packets can be fallback bridged Figure 34 6 Applying ACLs on Bridged Packets VLAN 10 map Frame Input router ACL Output router ACL Routing function or fallback bridge VLAN 10 VLAN 20 Blade server B VLAN 10 Blade server A VLAN 10 VLAN 20 map Packet 201776 Frame Fallback bridge VLAN 10...

Page 801: ...two different kinds of filters applied one for destinations that are other ports in the input VLAN and another for each of the destinations that are in other VLANs to which the packet has been routed The packet might be routed to more than one output VLAN in which case a different router output ACL and VLAN map would apply for each destination VLAN The final result is that the packet might be perm...

Page 802: ...0 Blade server B VLAN 20 VLAN 20 map Packet 201779 Table 34 2 Commands for Displaying Access Lists and Access Groups Command Purpose show access lists number name Display the contents of one or all current IP and MAC address access lists or a specific access list numbered or named show ip access lists number name Display the contents of all current IP access lists or a specific IP access list numb...

Page 803: ...out VLAN access maps or VLAN filters Use the privileged EXEC commands in Table 34 3 to display VLAN map information Table 34 3 Commands for Displaying VLAN Map Information Command Purpose show vlan access map mapname Show information about all VLAN access maps or the specified access map show vlan filter access map name vlan vlan id Show information about all VLAN filters or about a specified VLAN...

Page 804: ...34 42 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 12247 04 Chapter 34 Configuring Network Security with ACLs Displaying IPv4 ACL Configuration ...

Page 805: ...related information see these chapters For more information about SDM templates see Chapter 8 Configuring SDM Templates For information about IPv6 on the switch see Chapter 39 Configuring IPv6 Unicast Routing For information about ACLs on the switch see Chapter 34 Configuring Network Security with ACLs Note For complete syntax and usage information for the commands used in this chapter see the com...

Page 806: ...ts to which a port ACL is applied are filtered by the port ACL Routed IP packets received on other ports are filtered by the router ACL Other packets are not filtered When an output router ACL and input port ACL exist in an SVI packets received on the ports to which a port ACL is applied are filtered by the port ACL Outgoing routed IPv6 packets are filtered by the router ACL Other packets are not ...

Page 807: ... rejected If an ACL is applied to an interface and you attempt to add an access control entry ACE with an unsupported keyword the switch rejects the ACE addition to the ACL IPv6 ACLs and Switch Stacks The stack master supports IPv6 ACLs in hardware and distributes the IPv6 ACLs to the stack members Note For full IPv6 functionality in a switch stack all stack members must be running the IP services...

Page 808: ...ped due to a port ACL the frame is not bridged You can create both IPv4 and IPv6 ACLs on a switch or switch stack and you can apply both IPv4 and IPv6 ACLs to the same interface Each ACL must have a unique name an error message appears if you try to use a name that is already configured You use different commands to create IPv4 and IPv6 ACLs and to attach them to the same Layer 2 or Layer 3 interf...

Page 809: ...pecified in hexadecimal using 16 bit values between colons Optional For operator specify an operand that compares the source or destination ports of the specified protocol Operands are lt less than gt greater than eq equal neq not equal and range If the operator follows the source ipv6 prefix prefix length argument it must match the source port If the operator follows the destination ipv6 prefix p...

Page 810: ...pecified in hexadecimal using 16 bit values between colons Optional For operator specify an operand that compares the source or destination ports of the specified protocol Operands are lt less than gt greater than eq equal neq not equal and range If the operator follows the source ipv6 prefix prefix length argument it must match the source port If the operator follows the destination ipv6 prefix p...

Page 811: ...e port protocol routing sequence value time range name Optional Define a UDP access list and the access conditions Enter udp for the User Datagram Protocol The UDP parameters are the same as those described for TCP but the operator port port number or name must be a UDP port number or name and the established parameter is not valid for UDP Step 3d deny permit icmp source ipv6 prefix prefix length ...

Page 812: ...f the switch is running the IP services or IP base feature set you can apply ACLs only to inbound management traffic on Layer 3 interfaces Beginning in privileged EXEC mode follow these steps to control access to an interface Use the no ipv6 traffic filter access list name interface configuration command to remove an access list from an interface Command Purpose Step 1 configure terminal Enter glo...

Page 813: ... access lists that are configured on the switch or switch stack Switch show access lists Extended IP access list hello 10 permit ip any any IPv6 access list ipv6 permit ipv6 any any sequence 10 This is an example of the output from the show ipv6 access lists privileged EXEC command The output shows only IPv6 input and output access lists configured on the switch or switch stack Switch show ipv6 ac...

Page 814: ...35 10 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 12247 04 Chapter 35 Configuring IPv6 ACLs Displaying IPv6 ACLs ...

Page 815: ...S on physical ports and on switch virtual interfaces SVIs Other than to apply policy maps you configure the QoS settings such as classification queueing and scheduling the same way on physical ports and SVIs When configuring QoS on a physical port you apply a nonhierarchical policy map When configuring QoS on an SVI you apply a nonhierarchical or a hierarchical policy map Note For complete syntax ...

Page 816: ...se special bits in the Layer 2 frame or a Layer 3 packet are described here and shown in Figure 36 1 Prioritization bits in Layer 2 frames Layer 2 Inter Switch Link ISL frame headers have a 1 byte User field that carries an IEEE 802 1p class of service CoS value in the three least significant bits On ports configured as Layer 2 ISL trunks all traffic is in ISL frames Layer 2 802 1Q frame headers h...

Page 817: ... resources allocated per traffic class The behavior of an individual device when handling traffic in the DiffServ architecture is called per hop behavior If all devices along a path provide a consistent per hop behavior you can construct an end to end QoS solution Implementing QoS in your network can be a simple or complex task and depends on the QoS features offered by your internetworking device...

Page 818: ...ction to be taken when a packet is out of profile and determines what to do with the packet pass through a packet without modification mark down the QoS label in the packet or drop the packet For more information see the Policing and Marking section on page 36 9 Queueing evaluates the QoS label and the corresponding DSCP or CoS value to select into which of the two ingress queues to place a packet...

Page 819: ...s as shown in Figure 36 3 Trust the CoS value in the incoming frame configure the port to trust CoS Then use the configurable CoS to DSCP map to generate a DSCP value for the packet Layer 2 ISL frame headers carry the CoS value in the 3 least significant bits of the 1 byte User field Layer 2 802 1Q frame headers carry the CoS value in the 3 most significant bits of the Tag Control Information fiel...

Page 820: ...ge from 0 for low priority to 7 for high priority Beginning with Cisco IOS Release 12 2 52 SE there is an option to classify IP traffic based on IPv6 IP precedence Trust the CoS value if present in the incoming packet and generate a DSCP value for the packet by using the CoS to DSCP map If the CoS value is not present use the default port CoS value Override the configured CoS of incoming packets a...

Page 821: ...to DSCP in packet Check if packet came with CoS label tag Use the CoS value to generate the QoS label Generate DSCP from CoS to DSCP map Use the DSCP value to generate the QoS label Yes Read next ACL Is there a match with a permit action Assign the DSCP or CoS as specified by ACL action to generate the QoS label Assign the default DSCP 0 Are there any more QoS ACLs configured for this interface Ch...

Page 822: ...AC ACLs to classify non IP traffic by using the mac access list extended global configuration command For configuration information see the Configuring a QoS Policy section on page 36 43 Classification Based on Class Maps and Policy Maps A class map is a mechanism that you use to name a specific traffic flow or class and to isolate it from all other traffic The class map defines the criteria used ...

Page 823: ... or out of profile and specifies the actions on the packet These actions carried out by the marker include passing through the packet without modification dropping the packet or modifying marking down the assigned DSCP of the packet and allowing the packet to pass through The configurable policed DSCP map provides the packet with a new DSCP based QoS label For information on the policed DSCP map s...

Page 824: ...e is enough room in the bucket If there is not enough room the packet is marked as nonconforming and the specified policer action is taken dropped or marked down How quickly the bucket fills is a function of the bucket depth burst byte the rate at which the tokens are removed rate bps and the duration of the burst above the average rate The size of the bucket imposes an upper limit on the burst le...

Page 825: ...ndary interface level of the hierarchical policy map A hierarchical policy map has two levels The first level the VLAN level specifies the actions to be taken against a traffic flow on an SVI The second level the interface level specifies the actions to be taken against the traffic on the physical ports that belong to the SVI and are specified in the interface level policy map 86835 Yes Yes No No ...

Page 826: ...level policy map only supports individual policers and does not support aggregate policers You can configure different interface level policy maps for each class defined in the VLAN level policy map See the Classifying Policing and Marking Traffic on SVIs by Using Hierarchical Policy Maps section on page 36 58 for an example of a hierarchical policy map Figure 36 5 shows the policing and marking p...

Page 827: ...nfigure this map by using the mls qos map policed dscp global configuration command Before the traffic reaches the scheduling stage QoS stores the packet in an ingress and an egress queue according to the QoS label The QoS label is based on the DSCP or the CoS value in the packet and selects the queue through the DSCP input and output queue threshold maps or through the CoS input and output queue ...

Page 828: ...at QoS label the space available in the destination queue is less than the size of the frame the switch drops the frame Each queue has three threshold values The QOS label is determines which of the three threshold values is subjected to the frame Of the three thresholds two are configurable explicit and one is not implicit Figure 36 7 shows an example of WTD operating on a queue whose size is 100...

Page 829: ...e of the bandwidth and they are rate limited to that amount Shaped traffic does not use more than the allocated bandwidth even if the link is idle Shaping provides a more even flow of traffic over time and reduces the peaks and valleys of bursty traffic With shaping the absolute value of each weight is used to compute the bandwidth available for the queues In shared mode the queues share the bandw...

Page 830: ...e the queue according to the SRR weights Send packet to the stack ring Drop packet Start Yes No Table 36 1 Ingress Queue Types Queue Type1 1 The switch uses two nonconfigurable queues for traffic that is essential for proper network and stack operation Function Normal User traffic that is considered to be normal priority You can configure three different thresholds to differentiate among the flows...

Page 831: ...of space with which to divide the ingress buffers between the two queues by using the mls qos srr queue input buffers percentage1 percentage2 global configuration command The buffer allocation together with the bandwidth allocation control how much data can be buffered and sent before packets are dropped You allocate bandwidth as a percentage by using the mls qos srr queue input bandwidth weight1 ...

Page 832: ...ss Ports Each port supports four egress queues one of which queue 1 can be the egress expedite queue These queues are assigned to a queue set All traffic exiting the switch flows through one of these four queues and is subjected to a threshold based on the QoS label assigned to the packet 86694 Receive packet from the stack ring Read QoS label DSCP or CoS value Determine egress queue number and th...

Page 833: ...or a queue set by using the mls qos queue set output qset id threshold queue id drop threshold1 drop threshold2 reserved threshold maximum threshold global configuration command Each threshold value is a percentage of the queue s allocated memory which you specify by using the mls qos queue set output qset id buffers allocation1 allocation4 global configuration command The sum of all the allocated...

Page 834: ...onfiguration command For an explanation of the differences between shaping and sharing see the SRR Shaping and Sharing section on page 36 15 The buffer allocation together with the SRR weight ratios control how much data can be buffered and sent before packets are dropped The weight ratio is the ratio of the frequency in which the SRR scheduler sends packets from each queue All four queues partici...

Page 835: ...ing Auto QoS You can use the auto QoS feature to simplify the deployment of existing QoS features Auto QoS makes assumptions about the network design and as a result the switch can prioritize different traffic flows and appropriately use the ingress and egress queues instead of using the default QoS behavior The default is that QoS is disabled The switch then offers best effort service to each pac...

Page 836: ...ning the Cisco SoftPhone the switch uses policing to determine whether a packet is in or out of profile and to specify the action on the packet Table 36 2 Traffic Types Packet Labels and Queues VoIP1 Data Traffic 1 VoIP voice over IP VoIP Control Traffic Routing Protocol Traffic STP BPDU Traffic Real Time Video Traffic All Other Traffic DSCP 46 24 26 48 56 34 CoS 5 3 6 7 4 CoS to Ingress Queue Map...

Page 837: ...n the traffic type and ingress packet label and applies the commands listed in Table 36 5 to the port Table 36 5 Generated Auto QoS Configuration Description Automatically Generated Command The switch automatically enables standard QoS and configures the CoS to DSCP map maps CoS values in incoming packets to a DSCP value Switch config mls qos Switch config mls qos map cos dscp 0 8 16 26 32 46 48 5...

Page 838: ...fig mls qos srr queue output dscp map queue 1 threshold 3 40 41 42 43 44 45 46 47 Switch config mls qos srr queue output dscp map queue 2 threshold 3 24 25 26 27 28 29 30 31 Switch config mls qos srr queue output dscp map queue 2 threshold 3 48 49 50 51 52 53 54 55 Switch config mls qos srr queue output dscp map queue 2 threshold 3 56 57 58 59 60 61 62 63 Switch config mls qos srr queue output dsc...

Page 839: ...he packet on a routed port by using the mls qos trust dscp command Switch config if mls qos trust cos Switch config if mls qos trust dscp If you entered the auto qos voip cisco phone command the switch automatically enables the trusted boundary feature which uses the CDP to detect the presence or absence of a Cisco IP Phone Switch config if mls qos trust device cisco phone If you entered the auto ...

Page 840: ...lso configures the switch for VoIP with devices running the Cisco SoftPhone application Note When a device running Cisco SoftPhone is connected to a nonrouted or routed port the switch supports only one Cisco SoftPhone application per port To take advantage of the auto QoS defaults you should enable auto QoS before you configure other QoS commands If necessary you can fine tune the QoS configurati...

Page 841: ...s through mode packets are switched without any rewrites and classified as best effort without any policing This example shows how to enable auto QoS and to trust the QoS labels received in incoming packets when the switch or router connected to a port is a trusted device Switch config interface gigabitethernet2 0 1 Switch config if auto qos voip trust Command Purpose Step 1 configure terminal Ent...

Page 842: ...ample Network Figure 36 11 shows a network in which the VoIP traffic is prioritized over all other traffic Auto QoS is enabled on the switches in the wiring closets at the edge of the QoS domain 201780 Cisco router To Internet Cisco Blade switch Trunk link Trunk link Cisco IP phones Blade servers Cisco IP phones Video server 172 20 10 16 IP IP IP IP Identify this interface as connected to a truste...

Page 843: ...able auto QoS on the port and specify that the port is connected to a Cisco IP Phone The QoS labels of incoming packets are trusted only when the Cisco IP Phone is detected Step 6 exit Return to global configuration mode Step 7 Repeat Steps 4 to 6 for as many ports as are connected to the Cisco IP Phone Step 8 interface interface id Specify the switch port identified as connected to a trusted swit...

Page 844: ... about these commands see the command reference for this release Configuring Standard QoS Before configuring standard QoS you must have a thorough understanding of these items The types of applications used and the traffic patterns on your network Traffic characteristics and needs of your network Is the traffic bursty Do you need to reserve bandwidth for voice and video streams Bandwidth requireme...

Page 845: ... Queue Configuration section on page 36 31 and the Default Egress Queue Configuration section on page 36 32 Default Ingress Queue Configuration Table 36 6 shows the default ingress queue configuration when QoS is enabled Table 36 7 shows the default CoS input queue threshold map when QoS is enabled Table 36 8 shows the default DSCP input queue threshold map when QoS is enabled Table 36 6 Default I...

Page 846: ...ueue 2 Queue 3 Queue 4 Buffer allocation 25 percent 25 percent 25 percent 25 percent WTD drop threshold 1 100 percent 200 percent 100 percent 100 percent WTD drop threshold 2 100 percent 200 percent 100 percent 100 percent Reserved threshold 50 percent 50 percent 50 percent 50 percent Maximum threshold 400 percent 400 percent 400 percent 400 percent SRR shaped weights absolute 1 1 A shaped weight ...

Page 847: ...e 36 34 Policing Guidelines section on page 36 35 General QoS Guidelines section on page 36 35 QoS ACL Guidelines These are the guidelines with for configuring QoS with access control lists ACLs It is not possible to match IP fragments against configured IP extended ACLs to enforce QoS IP fragments are sent as best effort IP fragments are denoted by fields in the IP header Only one ACL per class m...

Page 848: ...or removed from the hierarchical policy map A new interface level policy map also cannot be added to the hierarchical policy map If you want these changes to occur the hierarchical policy map must first be removed from the SVI You also cannot add or remove a class map specified in the hierarchical policy map Configuring IPv6 QoS on Switch Stacks Beginning with Cisco IOS Release 12 2 52 SE you can ...

Page 849: ... However you cannot use the aggregate policer across different policy maps On a port configured for QoS all traffic received through the port is classified policed and marked according to the policy map attached to the port On a trunk port configured for QoS traffic in all VLANs received through the port is classified policed and marked according to the policy map attached to the port If you have ...

Page 850: ... ports that are specified in the interface level of a hierarchical policy map on an SVI Use the no mls qos vlan based interface configuration command to disable VLAN based QoS on the physical port Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos Enable QoS globally QoS runs with the default settings described in the Default Standard QoS Configuration section...

Page 851: ... Interface page 36 38 Configuring a Trusted Boundary to Ensure Port Security page 36 39 Enabling DSCP Transparency Mode page 36 40 Configuring the DSCP Trust State on a Port Bordering Another QoS Domain page 36 41 Configuring the Trust State on Ports within the QoS Domain Packets entering a QoS domain are classified at the edge of the QoS domain When the packets are classified at the edge the swit...

Page 852: ...nterface configuration mode Valid interfaces include physical ports Step 3 mls qos trust cos dscp ip precedence Configure the port trust state By default the port is not trusted If no keyword is specified the default is dscp The keywords have these meanings cos Classifies an ingress packet by using the packet CoS value For an untagged packet the port default CoS value is used The default port CoS ...

Page 853: ...ust the CoS labels of all traffic received on that port Use the mls qos trust dscp interface configuration command to configure a routed port to which the telephone is connected to trust the DSCP labels of all traffic received on that port Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be configured and enter interface co...

Page 854: ...y feature use the no mls qos trust device interface configuration command Enabling DSCP Transparency Mode The switch supports the DSCP transparency feature It affects only the DSCP field of a packet at egress By default DSCP transparency is disabled The switch modifies the DSCP field in an incoming packet and the DSCP field in the outgoing packet is based on the quality of service QoS configuratio...

Page 855: ...global configuration command the CoS and DSCP values are not changed the default QoS setting If you enter the no mls qos rewrite ip dscp global configuration command to enable DSCP transparency and then enter the mls qos trust cos dscp interface configuration command DSCP transparency is still enabled Configuring the DSCP Trust State on a Port Bordering Another QoS Domain If you are administering ...

Page 856: ...p is a null map which maps an incoming DSCP value to the same DSCP value For dscp mutation name enter the mutation map name You can create more than one map by specifying a new name For in dscp enter up to eight DSCP values separated by spaces Then enter the to keyword For out dscp enter a single DSCP value The DSCP range is 0 to 63 Step 3 interface interface id Specify the port to be trusted and ...

Page 857: ...tation Switch config if end Configuring a QoS Policy Configuring a QoS policy typically requires classifying traffic into classes configuring policies applied to those traffic classes and attaching policies to ports For background information see the Classification section on page 36 5 and the Policing and Marking section on page 36 9 For configuration guidelines see the Standard QoS Configuration...

Page 858: ...ll other access implicitly denied Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny permit source source wildcard Create an IP standard ACL repeating the command as many times as necessary For access list number enter the access list number The range is 1 to 99 and 1300 to 1999 Use the permit keyword to permit a certain type of tra...

Page 859: ... number The range is 100 to 199 and 2000 to 2699 Use the permit keyword to permit a certain type of traffic if the conditions are matched Use the deny keyword to deny a certain type of traffic if conditions are matched For protocol enter the name or number of an IP protocol Use the question mark to see a list of available protocol keywords For source enter the network or host from which the packet...

Page 860: ...Beginning in privileged EXEC mode follow these steps to create an IPv6 ACL for IP traffic Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ipv6 access list access list name Create an IPv6 ACL and enter IPv6 access list configuration mode Access list names cannot contain a space or quotation mark or begin with a numeric ...

Page 861: ...cified in hexadecimal using 16 bit values between colons Optional For operator specify an operand that compares the source or destination ports of the specified protocol Operands are lt less than gt greater than eq equal neq not equal and range If the operator follows the source ipv6 prefix prefix length argument it must match the source port If the operator follows the destination ipv6 prefix pre...

Page 862: ... to extended MAC ACL configuration Step 3 permit deny host src MAC addr mask any host dst MAC addr dst MAC addr mask type mask Specify the type of traffic to permit or deny if the conditions are matched entering the command as many times as necessary For src MAC addr enter the MAC address of the host from which the packet is being sent You specify this by using the hexadecimal format H H H by usin...

Page 863: ...plicitly denied Classifying Traffic by Using Class Maps You use the class map global configuration command to name and to isolate a specific traffic flow or class from all other traffic The class map defines the criteria to use to match against a specific traffic flow to further classify it Match statements can include criteria such as an ACL IP precedence values or DSCP values The match criterion...

Page 864: ...source ipv6 prefix prefix length any host source ipv6 address operator port number destination ipv6 prefix prefix length any host destination ipv6 address operator port number dscp value fragments log log input routing sequence value time range name or mac access list extended name permit deny host src MAC addr mask any host dst MAC addr dst MAC addr mask type mask Create an IP standard or extende...

Page 865: ...o specify IPv4 traffic and ipv6 to specify IPv6 traffic When you use the match protocol command only the match all keyword is supported for the class map command Note This command is available only when the dual IPv4 and IPv6 SDM template is configured You can use the match protocol command with the match ip dscp or match precedence commands but not with the match access group command For more inf...

Page 866: ...tch config cmap end Switch This example shows how to create a class map called class3 which matches incoming traffic with IP precedence values of 5 6 and 7 Switch config class map class3 Switch config cmap match ip precedence 5 6 7 Switch config cmap end Switch Classifying Traffic by Using Class Maps and Filtering IPv6 Traffic In Cisco IOS Release 12 2 52 SE and later the switch supports both IPv4...

Page 867: ...When you use the match protocol command only the match all keyword is supported For class map name specify the name of the class map If neither the match all or match any keyword is specified the default is match all Step 3 match protocol ip ipv6 Optional Specify the IP protocol to which the class map applies Use the argument ip to specify IPv4 traffic and ipv6 to specify IPv6 traffic When you use...

Page 868: ... and Marking Traffic on Physical Ports by Using Policy Maps You can configure a nonhierarchical policy map on a physical port that specifies which traffic class to act on Actions can include trusting the CoS DSCP or IP precedence values in the traffic class setting a specific DSCP or IP precedence value in the traffic class and specifying the traffic bandwidth limitations for each matched traffic ...

Page 869: ...Use the match all keyword to perform a logical AND of all matching statements under this class map All match criteria in the class map must be matched Optional Use the match any keyword to perform a logical OR of all matching statements under this class map One or more match criteria must be matched For class map name specify the name of the class map If neither the match all or match any keyword ...

Page 870: ...ved CoS value for non IP packets that are untagged QoS derives the DSCP value by using the default port CoS value In either case the DSCP value is derived from the CoS to DSCP map For more information see the Configuring the CoS to DSCP Map section on page 36 68 Step 6 set dscp new dscp ip precedence new precedence Classify IP traffic by setting a new value in the packet For dscp new dscp enter a ...

Page 871: ...scp Switch config pmap c police 1000000 8000 exceed action policed dscp transmit Switch config pmap c exit Switch config pmap exit Switch config interface gigabitethernet2 0 1 Switch config if service policy input flow1t This example shows how to create a Layer 2 MAC ACL with two permit statements and attach it to an ingress port The first permit statement allows traffic from the host with MAC add...

Page 872: ...nfig pmap class cm 2 Switch config pmap c set dscp 6 Switch config pmap c exit Switch config pmap exit Switch config interface G0 1 Switch config if switch mode access Switch config if service policy input pm1 Classifying Policing and Marking Traffic on SVIs by Using Hierarchical Policy Maps You can configure hierarchical policy maps on SVIs but not on other types of interfaces Hierarchical polici...

Page 873: ...p is attached to the SVI and affects all traffic belonging to the VLAN The actions specified in the VLAN level policy map affect the traffic belonging to the SVI The police action on the port level policy map affects the ingress traffic on the affected physical interfaces When configuring a hierarchical policy map on trunk ports the VLAN ranges must not overlap If the ranges overlap the actions sp...

Page 874: ... be matched For class map name specify the name of the class map If neither the match all or match any keyword is specified the default is match all Note Because only one match command per class map is supported the match all and match any keywords function the same See the Creating Named Standard and Extended ACLs section on page 34 15 for limitations when using the match all and the match any ke...

Page 875: ...he match all keyword to perform a logical AND of all matching statements under this class map All match criteria in the class map must be matched Optional Use the match any keyword to perform a logical OR of all matching statements under this class map One or more match criteria must be matched For class map name specify the name of the class map If neither the match all or match any keyword is sp...

Page 876: ...b s The range is 8000 to 1000000000 For burst byte specify the normal burst size in bytes The range is 8000 to 1000000 Optional Specify the action to take when the rates are exceeded Use the exceed action drop keywords to drop the packet Use the exceed action policed dscp transmit keywords to mark down the DSCP value by using the policed DSCP map and to send the packet For more information see the...

Page 877: ...e from the ingress packet and the IP precedence to DSCP map For non IP packets that are tagged QoS derives the DSCP value by using the received CoS value for non IP packets that are untagged QoS derives the DSCP value by using the default port CoS value In either case the DSCP value is derived from the CoS to DSCP map For more information see the Configuring the CoS to DSCP Map section on page 36 ...

Page 878: ...tch access 101 Switch config cmap exit Switch config exit Switch Switch This example shows how to attach the new map to an SVI Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config class map cm interface 1 Switch config cmap match input gigabitethernet3 0 1 gigabitethernet3 0 2 Switch config cmap exit Switch config policy map port plcmap Switch config pm...

Page 879: ... match IP DSCP and IPv6 Switch config Class map cm 1 Switch config cmap match ip dscp 10 Switch config cmap match protocol ipv6 Switch config cmap exit Switch config Class map cm 2 Switch config cmap match ip dscp 20 Switch config cmap match protocol ip Switch config cmap exit Switch config Policy map pm1 Switch config pmap class cm 1 Switch config pmap c set dscp 4 Switch config pmap c exit Switc...

Page 880: ...ket For more information see the Configuring the Policed DSCP Map section on page 36 70 Step 3 class map match all match any class map name Create a class map to classify traffic as necessary For more information see the Classifying Traffic by Using Class Maps section on page 36 49 and the Creating Named Standard and Extended ACLs section on page 34 15 Step 4 policy map policy map name Create a po...

Page 881: ... transmit1 48000 8000 exceed action policed dscp transmit Switch config class map ipclass1 Switch config cmap match access group 1 Switch config cmap exit Switch config class map ipclass2 Switch config cmap match access group 2 Switch config cmap exit Switch config policy map aggflow1 Switch config pmap class ipclass1 Switch config pmap c trust dscp Switch config pmap c police aggregate transmit1 ...

Page 882: ...the default map use the no mls qos cos dscp global configuration command This example shows how to modify and display the CoS to DSCP map Switch config mls qos map cos dscp 10 15 20 25 30 35 40 45 Switch config end Switch show mls qos maps cos dscp Cos dscp map cos 0 1 2 3 4 5 6 7 dscp 10 15 20 25 30 35 40 45 Table 36 12 Default CoS to DSCP Map CoS Value DSCP Value 0 0 1 8 2 16 3 24 4 32 5 40 6 48...

Page 883: ... command This example shows how to modify and display the IP precedence to DSCP map Switch config mls qos map ip prec dscp 10 15 20 25 30 35 40 45 Switch config end Switch show mls qos maps ip prec dscp IpPrecedence dscp map ipprec 0 1 2 3 4 5 6 7 dscp 10 15 20 25 30 35 40 45 Table 36 13 Default IP Precedence to DSCP Map IP Precedence Value DSCP Value 0 0 1 8 2 16 3 24 4 32 5 40 6 48 7 56 Command ...

Page 884: ...11 12 13 14 15 16 17 18 19 2 20 21 22 23 24 25 26 27 28 29 3 30 31 32 33 34 35 36 37 38 39 4 40 41 42 43 44 45 46 47 48 49 5 00 00 00 00 00 00 00 00 58 59 6 60 61 62 63 Note In this policed DSCP map the marked down DSCP values are shown in the body of the matrix The d1 column specifies the most significant digit of the original DSCP the d2 row specifies the least significant digit of the original ...

Page 885: ...p Switch config mls qos map dscp cos 0 8 16 24 32 40 48 50 to 0 Switch config end Switch show mls qos maps dscp cos Dscp cos map d1 d2 0 1 2 3 4 5 6 7 8 9 0 00 00 00 00 00 00 00 00 00 01 1 01 01 01 01 01 01 00 02 02 02 2 02 02 02 02 00 03 03 03 03 03 Table 36 14 Default DSCP to CoS Map DSCP Value CoS Value 0 7 0 8 15 1 16 23 2 24 31 3 32 39 4 40 47 5 48 55 6 56 63 7 Command Purpose Step 1 configur...

Page 886: ...ple DSCP to DSCP mutation maps on an ingress port The default DSCP to DSCP mutation map is a null map which maps an incoming DSCP value to the same DSCP value Beginning in privileged EXEC mode follow these steps to modify the DSCP to DSCP mutation map This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos map dscp mutation dscp mutation ...

Page 887: ... 57 58 59 6 60 61 62 63 Note In the above DSCP to DSCP mutation map the mutated values are shown in the body of the matrix The d1 column specifies the most significant digit of the original DSCP the d2 row specifies the least significant digit of the original DSCP The intersection of the d1 and d2 values provides the mutated value For example a DSCP value of 12 corresponds to a mutated value of 10...

Page 888: ...are mapped to queue 1 and threshold 1 CoS value 5 is mapped to queue 2 and threshold 1 For queue id the range is 1 to 2 For threshold id the range is 1 to 3 The drop threshold percentage for threshold 3 is predefined It is set to the queue full state For dscp1 dscp8 enter up to eight values and separate each value with a space The range is 0 to 63 For cos1 cos8 enter up to eight values and separat...

Page 889: ...n to the default setting use the no mls qos srr queue input buffers global configuration command This example shows how to allocate 60 percent of the buffer space to ingress queue 1 and 40 percent of the buffer space to ingress queue 2 Switch config mls qos srr queue input buffers 60 40 Allocating Bandwidth Between the Ingress Queues You need to specify how much of the available bandwidth is alloc...

Page 890: ...rd in the mls qos srr queue input priority queue queue id bandwidth weight global configuration command Then SRR shares the remaining bandwidth with both ingress queues and services them as specified by the weights configured with the mls qos srr queue input bandwidth weight1 weight2 global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls q...

Page 891: ...in the next sections You will need to make decisions about these characteristics Which packets are mapped by DSCP or CoS value to each queue and threshold ID What drop percentage thresholds apply to the queue set four egress queues per port and how much reserved and maximum memory is needed for the traffic type How much of the fixed buffer space is allocated to the queue set Does the bandwidth of ...

Page 892: ...dite queue is disabled and the SRR shaped and shared weights are configured the shaped mode overrides the shared mode for queue 1 and SRR services this queue in shaped mode If the egress expedite queue is disabled and the SRR shaped weights are not configured SRR services this queue in shared mode Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue Set You can guarantee the a...

Page 893: ...Configure the WTD thresholds guarantee the availability of buffers and configure the maximum memory allocation for the queue set four egress queues per port By default the WTD thresholds for queues 1 3 and 4 are set to 100 percent The thresholds for queue 2 are set to 200 percent The reserved thresholds for queues 1 2 3 and 4 are set to 50 percent The maximum thresholds for all queues are set to 4...

Page 894: ...ent as the maximum memory that this queue can have before packets are dropped Switch config mls qos queue set output 2 buffers 40 20 20 20 Switch config mls qos queue set output 2 threshold 2 40 60 100 200 Switch config interface gigabitethernet1 0 1 Switch config if queue set 2 Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID You can prioritize traffic by placing packets with p...

Page 895: ...d to queue 4 and threshold 1 DSCP values 40 47 are mapped to queue 1 and threshold 1 By default CoS values 0 and 1 are mapped to queue 2 and threshold 1 CoS values 2 and 3 are mapped to queue 3 and threshold 1 CoS values 4 6 and 7 are mapped to queue 4 and threshold 1 CoS value 5 is mapped to queue 1 and threshold 1 For queue id the range is 1 to 4 For threshold id the range is 1 to 3 The drop thr...

Page 896: ...s 1 8 which is 12 5 percent Switch config interface gigabitethernet2 0 1 Switch config if srr queue bandwidth shape 8 0 0 0 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port of the outbound traffic and enter interface configuration mode Step 3 srr queue bandwidth shape weight1 weight2 weight3 weight4 Assign SRR weights to the e...

Page 897: ...e used and the bandwidth ratio allocated for each queue in shared mode is 1 1 2 3 4 2 1 2 3 4 3 1 2 3 4 and 4 1 2 3 4 which is 10 percent 20 percent 30 percent and 40 percent for queues 1 2 3 and 4 This means that queue 4 has four times the bandwidth of queue 1 twice the bandwidth of queue 2 and one and a third times the bandwidth of queue 3 Switch config interface gigabitethernet2 0 1 Switch conf...

Page 898: ...o not meet your QoS solution Beginning in privileged EXEC mode follow these steps to limit the bandwidth on an egress port This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos Enable QoS on a switch Step 3 interface interface id Specify the egress port and enter interface configuration mode Step 4 priority queue out Enable the egress e...

Page 899: ...36 15 Step 5 show mls qos interface interface id queueing Verify your entries Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Table 36 15 Commands for Displaying Standard QoS Information Command Purpose show class map class map name Display QoS class maps which define the match criteria to classify traffic show mls qos Display global Q...

Page 900: ... classification criteria for incoming traffic Note Do not use the show policy map interface privileged EXEC command to display classification information for incoming traffic The control plane and interface keywords are not supported and the statistics shown in the display should be ignored show running config include rewrite Display the DSCP transparency setting Table 36 15 Commands for Displayin...

Page 901: ...g links in the channel without intervention This chapter also describes how to configure link state tracking Unless otherwise noted the term switch refers to a standalone switch and to a switch stack Note For complete syntax and usage information for the commands used in this chapter see the command reference for this release This chapter consists of these sections Understanding EtherChannels page...

Page 902: ...th ends of the EtherChannel in the same mode When you configure one end of an EtherChannel in either PAgP or LACP mode the system negotiates with the other end of the channel to determine which ports should become active If the remote port cannot negotiate an EtherChannel the local port is put into an independent state and continues to carry data traffic as would any other single link The port con...

Page 903: ... Tracking Understanding EtherChannels Figure 37 2 Single Switch EtherChannel Figure 37 3 Cross Stack EtherChannel Switch 1 Blade switch stack Switch 2 Channel group 1 Channel group 2 StackWise Plus port connections Switch 3 Switch A 201782 Switch 1 Blade switch stack Switch 2 Channel group 1 StackWise Plus port connections Switch 3 Switch A 201783 ...

Page 904: ...l configuration command followed by the no switchport interface configuration command Then you manually assign an interface to the EtherChannel by using the channel group interface configuration command For both Layer 2 and Layer 3 ports the channel group command binds the physical port and the logical interface together as shown in Figure 37 4 Each EtherChannel has a port channel logical interfac...

Page 905: ...artner ports configured in the auto or desirable modes Ports configured in the on mode do not exchange PAgP packets Both the auto and desirable modes enable ports to negotiate with partner ports to form an EtherChannel based on criteria such as port speed and for Layer 2 EtherChannels trunking state and VLAN numbers Ports can form an EtherChannel when they are in different PAgP modes as long as th...

Page 906: ...tch fails or resets the standby switch takes over as the active switch If the VSL goes down one core switch knows the status of the other and does not change state PAgP Interaction with Other Features The Dynamic Trunking Protocol DTP and the Cisco Discovery Protocol CDP send and receive packets over the physical ports in the EtherChannel Trunk ports send and receive PAgP protocol data units PDUs ...

Page 907: ...f this port is removed from the bundle one of the remaining ports in the bundle provides its MAC address to the EtherChannel For Layer 3 EtherChannels the MAC address is allocated by the stack master as soon as the interface is created through the interface port channel global configuration command LACP sends and receives LACP PDUs only from ports that are up and have LACP enabled for the active o...

Page 908: ...f load distribution can be used if it is not clear whether source MAC or destination MAC address forwarding is better suited on a particular switch With source and destination MAC address forwarding packets sent from host A to host B host A to host C and host C to host B could all use different ports in the channel With source IP address based forwarding when packets are forwarded to an EtherChann...

Page 909: ...cks If a stack member that has ports participating in an EtherChannel fails or leaves the stack the stack master removes the failed stack member switch ports from the EtherChannel The remaining ports of the EtherChannel if any continue to provide connectivity When a switch is added to an existing stack the new switch receives the running configuration from the stack master and updates itself with ...

Page 910: ...h Stacks Configuring EtherChannels These sections contain this configuration information Default EtherChannel Configuration page 37 10 EtherChannel Configuration Guidelines page 37 11 Configuring Layer 2 EtherChannels page 37 12 required Configuring Layer 3 EtherChannels page 37 14 required Configuring EtherChannel Load Balancing page 37 17 optional Configuring the PAgP Learn Method and Priority p...

Page 911: ...e parameters you must also make the changes to all ports in the group Allowed VLAN list Spanning tree path cost for each VLAN Spanning tree port priority for each VLAN Spanning tree Port Fast setting Do not configure a port to be a member of more than one EtherChannel group Do not configure an EtherChannel in both the PAgP and LACP modes EtherChannel groups running PAgP and LACP can coexist on the...

Page 912: ... not to the physical ports in the channel For cross stack EtherChannel configurations ensure that all ports targeted for the EtherChannel are either configured for LACP or are manually configured to be in the channel group using the channel group channel group number mode on interface configuration command The PAgP protocol is not supported on cross stack EtherChannels If cross stack EtherChannel ...

Page 913: ...t supported when EtherChannel members are from different switches in the switch stack on Forces the port to channel without PAgP or LACP In the on mode an EtherChannel exists only when a port group in the on mode is connected to another port group in the on mode non silent Optional If your switch is connected to a partner that is PAgP capable configure the switch port for nonsilent operation when ...

Page 914: ... This example shows how to configure a cross stack EtherChannel It uses LACP passive mode and assigns two ports on stack member 2 and one port on stack member 3 as static access ports in VLAN 10 to channel 5 Switch configure terminal Switch config interface range gigabitethernet2 0 4 5 Switch config if range switchport mode access Switch config if range switchport access vlan 10 Switch config if r...

Page 915: ...hannel logical interface and enter interface configuration mode For port channel number the range is 1 to 64 Step 3 no switchport Put the interface into Layer 3 mode Step 4 ip address ip address mask Assign an IP address and subnet mask to the EtherChannel Step 5 end Return to privileged EXEC mode Step 6 show etherchannel channel group number detail Verify your entries Step 7 copy running config s...

Page 916: ...erent switches in the switch stack on Forces the port to channel without PAgP or LACP In the on mode an EtherChannel exists only when a port group in the on mode is connected to another port group in the on mode non silent Optional If your switch is connected to a partner that is PAgP capable configure the switch port for nonsilent operation when the port is in the auto or desirable mode If you do...

Page 917: ...if no switchport Switch config if channel group 7 mode active Switch config if exit Configuring EtherChannel Load Balancing This section describes how to configure EtherChannel load balancing by using source based or destination based forwarding methods For more information see the Load Balancing and Forwarding Methods section on page 37 8 Beginning in privileged EXEC mode follow these steps to co...

Page 918: ...figure a single port within the group for all transmissions and use other ports for hot standby The unused ports in the group can be swapped into operation in just a few seconds if the selected single port loses hardware signal detection You can configure which port is always selected for packet transmission by changing its priority with the pagp port priority interface configuration command The h...

Page 919: ...inal Enter global configuration mode Step 2 interface interface id Specify the port for transmission and enter interface configuration mode Step 3 pagp learn method physical port Select the PAgP learning method By default aggregation port learning is selected which means the switch sends packets to the source by using any of the ports in the EtherChannel With aggregate port learning it is not impo...

Page 920: ...ity and the LACP port priority to affect how the software selects active and standby links For more information see the Configuring the LACP System Priority section on page 37 20 and the Configuring the LACP Port Priority section on page 37 21 Configuring the LACP System Priority You can configure the system priority for all the EtherChannels that are enabled for LACP by using the lacp system prio...

Page 921: ... system might have more restrictive hardware limitations all the ports that cannot be actively included in the EtherChannel are put in the hot standby state and are used only if one of the channeled ports fails Beginning in privileged EXEC mode follow these steps to configure the LACP port priority This procedure is optional To return the LACP port priority to the default value use the no lacp por...

Page 922: ...37 6 on page 37 23 shows a network configured with link state tracking To enable link state tracking create a link state group and specify the interfaces that are assigned to the link state group An interface can be an aggregation of ports an EtherChannel a single physical port in access or trunk mode or a routed port In a link state group these interfaces are bundled together The downstream inter...

Page 923: ... all the blade servers to distribution switch 2 through port channel 2 The blade servers can choose which Ethernet server interfaces are active To balance the network traffic flow some Ethernet interfaces in link state group 1 and some Ethernet interfaces in link state group 2 are active For example when half of the Ethernet server interfaces connected to blade switch 1 are active and the remainin...

Page 924: ...nfigured link state tracking is disabled and the upstream interfaces lose connectivity the link states of the downstream interfaces remain unchanged The server does not recognize that upstream connectivity has been lost and does not failover to the secondary interface You can recover a downstream interface link down condition by removing the failed downstream port from the link state group To reco...

Page 925: ...aces are part of an EtherChannel you must specify the port channel name as part of the link state group not the individual port members To disable a link state group use the no link state track number global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 link state track number Create a link state group and enable link state tracking For nons...

Page 926: ...o the group Enter the detail keyword to display detailed information about the group This is an example of output from the show link state group 1 command Switch show link state group 1 Link State Group 1 Status Enabled Down This is an example of output from the show link state group detail command Switch show link state group detail Up Interface up Dwn Interface Down Dis Interface disabled Link S...

Page 927: ...nformation about configuring IPv6 on the switch see Chapter 39 Configuring IPv6 Unicast Routing For more detailed IP unicast configuration information see the Cisco IOS IP Configuration Guide Release 12 2 from the Cisco com page under Documentation Cisco IOS Software 12 2 Mainline Configuration Guides For complete syntax and usage information for the commands used in this chapter see these command...

Page 928: ...r 3 device router to route traffic between the VLAN referred to as inter VLAN routing You configure one or more routers to route traffic to the appropriate destination VLAN Figure 38 1 shows a basic routing topology Switch A is in VLAN 10 and Switch B is in VLAN 20 The router has an interface in each VLAN Figure 38 1 Routing Topology Example When Host A in VLAN 10 needs to communicate with Host B ...

Page 929: ...protocols Distance vector protocols supported by the switch use Routing Information Protocol RIP a single distance metric cost that determines the best path and Border Gateway Protocol BGP which adds a path vector mechanism The switch also supports the Open Shortest Path First OSPF link state protocol and Enhanced IGRP EIGRP which adds some link state routing features to traditional Interior Gatew...

Page 930: ...itch stack supports NSF capable routing for OSPF and EIGRP For more information see the OSPF NSF Capability section on page 38 29 and the EIGRP NSF Capability section on page 38 40 Upon election the new stack master performs these functions It starts generating receiving and processing routing updates It builds routing tables generates the CEF database and distributes it to stack members It uses i...

Page 931: ... routing will occur must have IP addresses assigned to them See the Assigning IP Addresses to Network Interfaces section on page 38 7 A Layer 3 switch can have an IP address assigned to each routed port and SVI The number of routed ports and SVIs that you can configure is not limited by software However the interrelationship between this number and the number and volume of features being implement...

Page 932: ...hernet style ARP Timeout 14400 seconds 4 hours IP broadcast address 255 255 255 255 all ones IP classless routing Enabled IP default gateway Disabled IP directed broadcast Disabled all IP directed broadcasts are dropped IP domain Domain list No domain names defined Domain lookup Enabled Domain name Enabled IP forward protocol If a helper address is defined or User Datagram Protocol UDP flooding is...

Page 933: ...se the all ones subnet 131 108 255 0 and even though we discourage this practice you can enable the subnet zero if you need the entire subnet space for your IP address Beginning in privileged EXEC mode follow these steps to enable subnet zero Use the no ip subnet zero global configuration command to restore the default and to disable the use of subnet zero Command Purpose Step 1 configure terminal...

Page 934: ... the pressure on the rapidly depleting Class B address space In Figure 38 2 classless routing is enabled When the host sends a packet to 120 20 4 1 instead of discarding the packet the router forwards it to the best supernet route If you disable classless routing and a router receives packets destined for a subnet of a network with no network default route the router discards the packet Figure 38 ...

Page 935: ...l segment or LAN and a network address which identifies the network to which the device belongs Note In a switch stack network communication uses a single MAC address and the IP address of the stack The local address or the MAC address is known as a data link address because it is contained in the data link layer Layer 2 section of the packet header and is read by data link Layer 2 devices To comm...

Page 936: ...the router interface Use the ip rarp server address interface configuration command to identify the server For more information on RARP see the Cisco IOS Configuration Fundamentals Configuration Guide Release 12 2 under Documentation Cisco IOS Software 12 2 Mainline Configuration Guides from the Cisco com page You can perform these tasks to configure address resolution Define a Static ARP Cache pa...

Page 937: ...ter interface configuration mode and specify the interface to configure Step 5 arp timeout seconds Optional Set the length of time that an ARP cache entry stays in the cache The range is 0 to 2147483 seconds The default is 14400 seconds 4 hours Step 6 end Return to privileged EXEC mode Step 7 show interfaces interface id Verify the type of ARP and the timeout value used on all interfaces or on a s...

Page 938: ...t If it does it sends an ARP reply packet with its own Ethernet MAC address The host that sent the request then sends the packet to the switch which forwards it to the intended host Proxy ARP treats all networks as if they are local and performs ARP requests for every IP address Proxy ARP is enabled by default To enable it after it has been disabled see the Enable Proxy ARP section on page 38 12 P...

Page 939: ...time out because of excessive retransmissions The only required task for IRDP routing on an interface is to enable IRDP processing on that interface When enabled the default parameters apply You can change any of these parameters Beginning in privileged EXEC mode follow these steps to enable and configure IRDP on an interface Command Purpose Step 1 configure terminal Enter global configuration mod...

Page 940: ...g intelligent bridges because they are Layer 2 devices forward broadcasts to all network segments thus propagating broadcast storms The best solution to the broadcast storm problem is to use a single broadcast address scheme on a network In most IP implementations you can set the broadcast address Many implementations including the one in the switch support several addressing schemes for forwardin...

Page 941: ...roadcasts Use the no ip forward protocol global configuration command to remove a protocol or a port Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify the interface to configure Step 3 ip directed broadcast access list number Enable directed broadcast to physical broadcast translation on the interf...

Page 942: ...ny UDP ports If you do not specify any UDP ports when you configure the forwarding of UDP broadcasts you are configuring the router to act as a BOOTP forwarding agent BOOTP packets carry DHCP information Beginning in privileged EXEC mode follow these steps to enable forwarding of UDP broadcast packets on an interface and to specify the destination address Use the no ip helper address interface con...

Page 943: ...sing IP helper addresses The packet must be a MAC level broadcast The packet must be an IP level broadcast The packet must be a TFTP DNS Time NetBIOS Network Disk or BOOTP packet or a UDP specified by the ip forward protocol udp global configuration command The time to live TTL value of the packet must be at least 2 A flooded UDP datagram is given the destination address specified with the ip broa...

Page 944: ...ache table or database have become or are suspected to be invalid you can remove all its contents by using the clear privileged EXEC commands Table 38 2 lists the commands for clearing contents Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip forward protocol spanning tree Use the bridging spanning tree database to flood UDP datagrams Step 3 end Return to privile...

Page 945: ... aliases Display IP addresses mapped to TCP ports aliases show ip arp Display the IP ARP cache show ip interface interface id Display the IP status of interfaces show ip irdp Display IRDP values show ip masks address Display the masks used for network addresses and the number of subnets using each mask show ip redirects Display the address of a default gateway show ip route address mask protocol D...

Page 946: ... be running the IP services feature set Using RIP the switch sends routing information updates advertisements every 30 seconds If a router does not receive an update from another router for 180 seconds or more it marks the routes served by that router as unusable If there is still no update after 240 seconds the router removes all routing table entries for that router RIP uses hop counts to rate t...

Page 947: ...matic metric translations IP RIP authentication key chain No authentication Authentication mode clear text IP RIP receive version According to the version router configuration command IP RIP send version According to the version router configuration command IP RIP triggered According to the version router configuration command IP split horizon Varies with media Neighbor None defined Network None s...

Page 948: ...The amount of time for which routing updates are postponed The default is 240 seconds Step 8 version 1 2 Optional Configure the switch to receive and send only RIP Version 1 or RIP Version 2 packets By default the switch receives Version 1 and Version 2 but sends only Version 1 You can also use the interface commands ip rip send receive version 1 2 1 2 to control what versions are used for sending...

Page 949: ...The amount of time for which routing updates are postponed The default is 240 seconds Step 8 version 1 2 Optional Configure the switch to receive and send only RIP Version 1 or RIP Version 2 packets By default the switch receives Version 1 and Version 2 but sends only Version 1 You can also use the interface commands ip rip send receive version 1 2 1 2 to control what versions are used for sending...

Page 950: ...ntication use the no ip rip authentication mode interface configuration command To prevent authentication use the no ip rip authentication key chain interface configuration command Configuring Summary Addresses and Split Horizon Routers connected to broadcast type IP networks and using distance vector routing protocols normally use the split horizon mechanism to reduce the possibility of routing l...

Page 951: ...uration command before entering the ip address interface configuration command Note If split horizon is enabled neither autosummary nor interface summary addresses those configured with the ip summary address rip router configuration command are advertised Switch config router rip Switch config router interface gigabitethernet1 0 2 Switch config if ip address 10 1 5 1 255 255 255 0 Switch config i...

Page 952: ...lease 12 2 Note OSPF classifies different media into broadcast nonbroadcast and point to point networks The switch supports broadcast Ethernet Token Ring and FDDI and point to point networks Ethernet interfaces configured as point to point links OSPF is an Interior Gateway Protocol IGP designed expressly for IP networks supporting IP subnetting and tagging of externally derived routing information...

Page 953: ...routers area border routers ABRs connected to multiple areas and autonomous system boundary routers ASBRs The minimum configuration would use all default parameter values no authentication and interfaces assigned to areas If you customize your environment you must ensure coordinated configuration of all routers These sections contain this configuration information Default OSPF Configuration page 3...

Page 954: ...ult information originate Disabled When enabled the default metric setting is 10 and the external route type default is Type 2 Default metric Built in automatic metric translation as appropriate for each routing protocol Distance OSPF dist1 all routes within an area 110 dist2 all routes from one area to another 110 dist3 routes from other routing domains 110 OSPF database filter Disabled All outgo...

Page 955: ...US products ps6350 products_configuration_guide_chapter09186a00804557 a8 html OSPF NSF Capability The IP services feature set also supports OSPF NSF capable routing for IPv4 for better convergence and lower traffic loss following a stack master change When a stack master change occurs in an OSPF NSF capable stack the new stack master must do two things to resynchronize its link state database with...

Page 956: ...g configuration command to enable OSPF NSF routing Use the show ip ospf privileged EXEC command to verify that it is enabled For more information about this feature see the Cisco Nonstop Forwarding Feature Overview at this URL http www cisco com en US products sw iosswrel ps1829 products_feature_guide09186a00800ab7fc html Note NSF is not supported on interfaces configured for Hot Standby Router Pr...

Page 957: ...er 3 interface to configure Step 3 ip ospf cost Optional Specify the cost of sending a packet on the interface Step 4 ip ospf retransmit interval seconds Optional Specify the number of seconds between link state advertisement transmissions The range is 1 to 65535 seconds The default is 5 seconds Step 5 ip ospf transmit delay seconds Optional Set the estimated number of seconds to wait before sendi...

Page 958: ...advertise a summary route that covers all networks in the range Note The OSPF area router configuration commands are all optional Beginning in privileged EXEC mode follow these steps to configure area parameters Step 10 ip ospf message digest key keyid md5 key Optional Enable MDS authentication keyid An identifier from 1 to 255 key An alphanumeric password of up to 16 bytes Step 11 ip ospf databas...

Page 959: ...sword based protection against unauthorized access to the identified area The identifier can be either a decimal value or an IP address Step 4 area area id authentication message digest Optional Enable MD5 authentication on the area Step 5 area area id stub no summary Optional Define an area as a stub area The no summary keyword prevents an ABR from sending summary link advertisements into the stu...

Page 960: ...each other through the hello packet for the receiving interface Route calculation timers You can configure the delay time between when OSPF receives a topology change and when it starts the shortest path first SPF calculation and the hold time between two SPF calculations Log neighbor changes You can configure the router to send a syslog message when an OSPF neighbor state changes providing a high...

Page 961: ... resend all its routing information through its interfaces If a loopback interface is configured with an IP address OSPF uses this IP address Step 10 timers throttle spf spf delay spf holdtime spf wait Optional Configure route calculation timers spf delay Delay between receiving a change to SPF calculation The range is from 1 to 600000 miliseconds spf holdtime Delay between first and second SPF ca...

Page 962: ...ate a loopback interface and enter interface configuration mode Step 3 ip address address mask Assign an IP address to this interface Step 4 end Return to privileged EXEC mode Step 5 show ip interface Verify your entries Step 6 copy running config startup config Optional Save your entries in the configuration file Table 38 6 Show IP OSPF Statistics Commands Command Purpose show ip ospf process id ...

Page 963: ...acket has traversed 15 routers and the next hop to the destination was learned through EIGRP When a RIP route is used as the next hop to the destination the transport control field increments as usual EIGRP offers these features Fast convergence Incremental updates when the state of a destination changes rather than sending the entire contents of the routing table minimizing the bandwidth required...

Page 964: ...id recomputation if it is not necessary When a topology change occurs DUAL tests for feasible successors If there are feasible successors it uses any it finds to avoid unnecessary recomputation The protocol dependent modules are responsible for network layer protocol specific tasks An example is the IP EIGRP module which is responsible for sending and receiving EIGRP packets that are encapsulated ...

Page 965: ...on mode No authentication provided IP bandwidth percent 50 percent IP hello interval For low speed nonbroadcast multiaccess NBMA networks 60 seconds all other networks 5 seconds IP hold time For low speed NBMA networks 180 seconds all other networks 15 seconds IP split horizon Enabled IP summary address No summary aggregate addresses are predefined Metric weights tos 0 k1 and k3 1 k2 k4 and k5 0 N...

Page 966: ...o com en US products ps6350 products_configuration_guide_chapter09186a00804529 72 html EIGRP NSF Capability The IP services feature set also supports EIGRP NSF capable routing for IPv4 for better convergence and lower traffic loss following a stack master change When an EIGRP NSF capable stack master restarts or a new stack master starts and NSF restarts the switch has no neighbors and the topolog...

Page 967: ...ks with an EIGRP routing process EIGRP sends updates to the interfaces in the specified networks Step 5 eigrp log neighbor changes Optional Enable logging of EIGRP neighbor changes to monitor routing system stability Step 6 metric weights tos k1 k2 k3 k4 k5 Optional Adjust the EIGRP metric Although the defaults have been carefully set to provide excellent operation in most networks you can adjust ...

Page 968: ...p summary address eigrp autonomous system number address mask Optional Configure a summary aggregate address for a specified interface not usually necessary if auto summary is enabled Step 5 ip hello interval eigrp autonomous system number seconds Optional Change the hello time interval for an EIGRP routing process The range is 1 to 65535 seconds The default is 60 seconds for low speed NBMA networ...

Page 969: ... to global configuration mode Step 6 key chain name of chain Identify a key chain and enter key chain configuration mode Match the name configured in Step 4 Step 7 key number In key chain configuration mode identify the key number Step 8 key string text In key chain key configuration mode identify the key string Step 9 accept lifetime start time infinite end time duration seconds Optional Specify ...

Page 970: ... peer does not query that peer The stub router depends on the distribution router to send the proper updates to all peers In Figure 38 4 Switch B is configured as an EIGRP stub router Switches A and C are connected to the rest of the WAN Switch B advertises connected static redistribution and summary routes to Switches A and C Switch B does not advertise any routes learned from switch A and the re...

Page 971: ...eighbors type number Display EIGRP discovered neighbors show ip eigrp topology autonomous system number ip address mask Display the EIGRP topology table for a given process show ip eigrp traffic autonomous system number Display the number of packets sent and received for all or a specified EIGRP process Table 38 8 IP EIGRP Clear and Show Commands continued Command Purpose ...

Page 972: ... run internal BGP IBGP Routers belonging to different autonomous systems and exchanging BGP updates run external BGP EBGP Most configuration commands are the same for configuring EBGP and IBGP The difference is that the routing updates are exchanged either between autonomous systems EBGP or within an autonomous system IBGP Figure 38 5 shows a network that is running both EBGP and IBGP Figure 38 5 ...

Page 973: ...ation including information about the list of autonomous system paths with other BGP systems This information determines autonomous system connectivity to prune routing loops and to enforce autonomous system level policy decisions A router or switch running Cisco IOS does not select or use an IBGP route unless it has a route available to the next hop router and it has received synchronization from...

Page 974: ...ilar routes from external BGP peers Compare router ID Disabled BGP community list Number None defined When you permit a value for the community number the list defaults to an implicit deny for everything else that has not been permitted Format Cisco IOS default format 32 bit number BGP confederation identifier peers Identifier None configured Peers None identified BGP fast external fallover Enable...

Page 975: ...ist None defined External BGP multihop Only directly connected neighbors are allowed Filter list None used Maximum number of prefixes received No limit Next hop router as next hop for BGP neighbor Disabled Password Disabled Peer group None defined no members assigned Prefix list None specified Remote autonomous system add entry to neighbor BGP table No peers defined Private autonomous system numbe...

Page 976: ...ystem numbers usually assigned by service providers and given to systems whose routes are not advertised to external neighbors The private autonomous system numbers are from 64512 to 65535 You can configure external neighbors to remove private autonomous system numbers from the autonomous system path by using the neighbor remove private as router configuration command Then when an update is passed...

Page 977: ...r Add an entry to the BGP neighbor table specifying that the neighbor identified by the IP address belongs to the specified autonomous system EBGP neighbors are usually directly connected and the IP address is the interface address at the other end of the connection For IBGP the IP address can be the address of any of the router interfaces Step 6 neighbor ip address peer group name remove private ...

Page 978: ...config router bgp 200 Switch config router neighbor 175 220 212 1 remote as 200 Switch config router neighbor 192 208 10 1 remote as 300 Router D Switch config router bgp 300 Switch config router neighbor 192 208 10 2 remote as 200 To verify that BGP peers are running use the show ip bgp neighbors privileged EXEC command This is the output of this command on Router A Switch show ip bgp neighbors B...

Page 979: ...weight distance version or timer or make a similar configuration change you must reset the BGP sessions so that the configuration changes take effect There are two types of reset hard reset and soft reset Cisco IOS Releases 12 1 and later support a soft reset without any prior configuration To use a soft reset without preconfiguration both BGP peers must support the soft route refresh capability w...

Page 980: ...e automatically determined by the software is the IP address of the next hop to be used to reach a destination For EBGP this is usually the IP address of the neighbor specified by the neighbor remote as router configuration command You can disable next hop processing by using route maps or the neighbor next hop self router configuration command 2 Prefer the path with the largest weight a Cisco pro...

Page 981: ...next hop 10 If these conditions are all true insert the route for this path into the IP routing table Both the best route and this route are external Both the best route and this route are from the same neighboring autonomous system maximum paths is enabled 11 If multipath is not enabled prefer the route with the lowest IP address value for the BGP router ID The router ID is usually the highest IP...

Page 982: ...Configure the switch to consider the MED in choosing a path from among those advertised by different subautonomous systems within a confederation Step 10 bgp deterministic med Optional Configure the switch to consider the MED variable when choosing among routes advertised by different peers in the same autonomous system Step 11 bgp default local preference value Optional Change the default local p...

Page 983: ...and network based matching requires the ip access list global configuration command Beginning in privileged EXEC mode follow these steps to apply a per neighbor route map Step 3 set ip next hop ip address ip address peer address Optional Set a route map to disable next hop processing In an inbound route map set the next hop of matching routes as the neighbor peering address overriding third party ...

Page 984: ...s in loading and lookup of large lists incremental update support easier CLI configuration and greater flexibility Prefix list filtering matches the prefixes of routes with those listed in the prefix list as when matching access lists When there is a match the route is used Whether a prefix is permitted or denied is based upon these rules An empty prefix list permits all prefixes An implicit deny ...

Page 985: ...able of prefix list entries use the clear ip prefix list privileged EXEC command Configuring BGP Community Filtering One way that BGP controls the distribution of routing information is based on the value of the COMMUNITIES attribute The attribute groups destinations into communities and applies routing decisions based on the communities This method simplifies the configuration of a BGP speaker to...

Page 986: ...and match clauses based on communities see the match community list and set community route map configuration commands in the Using Route Maps to Redistribute Routing Information section on page 38 96 By default no COMMUNITIES attribute is sent to a neighbor You can specify that the COMMUNITIES attribute be sent to the neighbor at an IP address by using the neighbor send community router configura...

Page 987: ... neighbor shutdown router configuration command Beginning in privileged EXEC mode use these commands to configure BGP peers Step 9 show ip bgp community Verify the configuration Step 10 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router bgp autonomous system ...

Page 988: ... ip address peer group name route map map name in out Optional Apply a route map to incoming or outgoing routes Step 17 neighbor ip address peer group name send community Optional Specify that the COMMUNITIES attribute is sent to the neighbor at this IP address Step 18 neighbor ip address peer group name timers keepalive holdtime Optional Set timers for the neighbor or peer group The keepalive int...

Page 989: ... local preference information is preserved You can then use a single IGP for all of the autonomous systems Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router bgp autonomous system Enter BGP router configuration mode Step 3 aggregate address address mask Create an aggregate entry in the BGP routing table The aggregate route is advertised as coming from the auton...

Page 990: ...utside their cluster When the route reflector receives an advertised route it takes one of these actions depending on the neighbor A route from an external BGP speaker is advertised to all clients and nonclient peers A route from a nonclient peer is advertised to all clients A route from a client is advertised to all clients and nonclient peers Hence the clients need not be fully meshed Usually a ...

Page 991: ... 3 neighbor ip address peer group name route reflector client Configure the local router as a BGP route reflector and the specified neighbor as a client Step 4 bgp cluster id cluster id Optional Configure the cluster ID if the cluster has more than one route reflector Step 5 no bgp client to client reflection Optional Disable client to client route reflection By default the routes from a route ref...

Page 992: ...it less likely that a route is dampened Step 9 clear ip bgp dampening Optional Clear route dampening information and unsuppress the suppressed routes Step 10 copy running config startup config Optional Save your entries in the configuration file Command Purpose Table 38 11 IP BGP Clear and Show Commands Command Purpose clear ip bgp address Reset a particular BGP connection clear ip bgp Reset all B...

Page 993: ...uters know how to reach the proper area IS IS supports two levels of routing station routing within an area and area routing between areas The key difference between the ISO IGRP and IS IS NSAP addressing schemes is in the definition of area addresses Both use the system ID for Level 1 routing routing within an area However they differ in the way addresses are specified for area routing An ISO IGR...

Page 994: ...ing in up to 29 areas and can perform Level 2 routing in the backbone In general each routing process corresponds to an area By default the first instance of the routing process configured performs both Level 1and Level 2 routing You can configure additional router instances which are automatically treated as Level 1 areas You must configure the parameters for each instance of the IS IS routing pr...

Page 995: ...generation throttling timers Maximum interval between two consecutive occurrences 5 seconds Initial LSP generation delay 50 ms Hold time between the first and second LSP generation 5000 ms LSP maximum lifetime without a refresh 1200 seconds 20 minutes before t he LSP packet is deleted LSP refresh interval Send LSP refreshes every 900 seconds 15 minutes Maximum LSP packet size 1497 bytes NSF Awaren...

Page 996: ...cally Level 1 You can change the level of routing by using the is type global configuration command Step 4 net network entity title Configure the NETs for the routing process If you are configuring multiarea IS IS specify a NET for each routing process You can specify a name for a NET and for an address Step 5 is type level 1 level 1 2 level 2 only Optional You can configure the router to act as a...

Page 997: ...t1 0 2 Switch config if ip router isis Switch config if clns router isis Switch config router exit Router C Switch config clns routing Switch config router isis Switch config router net 49 0001 0000 0000 000c 00 Switch config router exit Switch config interface gigabitethernet1 0 1 Switch config if ip router isis Switch config if clns router isis Switch config interface gigabitethernet1 0 2 Switch...

Page 998: ... Step 5 ignore lsp errors Optional Configure the router to ignore LSPs with internal checksum errors instead of purging the LSPs This command is enabled by default corrupted LSPs are dropped To purge the corrupted LSPs enter the no ignore lsp errors router configuration command Step 6 area password password Optional Configure the area authentication password which is inserted in Level 1 station ro...

Page 999: ...t the initial SFP calculation after a topology change in milliseconds The range is 1 to 10000 the default is 5500 spf second wait the holdtime between the first and second SFP calculation in milliseconds The range is 1 to 10000 the default is 5500 Step 14 prc interval prc max wait prc initial wait prc second wait Optional Sets IS IS partial route computation PRC throttling timers prc max wait the ...

Page 1000: ...ace to determine the hold time sent in IS IS hello packets The hold time determines how long a neighbor waits for another hello packet before declaring the neighbor down This determines how quickly a failed link or neighbor is detected so that routes can be recalculated Change the hello multiplier in circumstances where hello packets are lost frequently and IS IS adjacencies are failing unnecessar...

Page 1001: ...fault is 3 Using a smaller hello multiplier causes fast convergence but can result in more routing instability Step 6 isis csnp interval seconds level 1 level 2 Optional Configure the IS IS complete sequence number PDU CSNP interval for the interface The range is from 0 to 65535 The default is 10 seconds Step 7 isis retransmit interval seconds Optional Configure the number of seconds between retra...

Page 1002: ... interface interface id Verify your entries Step 14 copy running config startup config Optional Save your entries in the configuration file Command Purpose Table 38 13 ISO CLNS and IS IS Clear and Show Commands Command Purpose clear clns cache Clear and reinitialize the CLNS routing cache clear clns es neighbors Remove end system ES neighbor information from the adjacency database clear clns is ne...

Page 1003: ... Cisco IOS Switching Services Configuration Guide Release 12 2 These sections contain this information Understanding Multi VRF CE page 38 78 Default Multi VRF CE Configuration page 38 80 Multi VRF CE Configuration Guidelines page 38 80 Configuring VRFs page 38 81 Configuring VRF Aware Services page 38 82 Configuring Multicast VRFs page 38 85 Configuring a VPN Routing Session page 38 86 Configuring...

Page 1004: ...equired to maintain VPN routes for those VPNs to which it is directly attached The PE only needs to maintain all of the service provider VPN routes Each PE router maintains a VRF for each of its directly connected sites Multiple interfaces on a PE router can be associated with a single VRF if all of these sites participate in the same VPN Each VPN is mapped to a specified VRF After learning local ...

Page 1005: ...routing table based on the input policy label number When a route is found the switch forwards the packet to the PE When the ingress PE receives a packet from the CE it performs a VRF lookup When a route is found the router adds a corresponding MPLS label to the packet and sends it to the MPLS network When an egress PE receives a packet from the network it strips the label and uses the label to id...

Page 1006: ...s The PE router does not recognize a difference between using multi VRF CE or using multiple CEs In Figure 38 6 multiple virtual Layer 3 interfaces are connected to the multi VRF CE device The switch supports VRF over physical ports VLAN SVIs or a combination of both The SVIs can be connected through an access port or a trunk port A customer can use multiple VLANs if they do not overlap with those...

Page 1007: ...onfigure terminal Enter global configuration mode Step 2 ip routing Enable IP routing Step 3 ip vrf vrf name Name the VRF and enter VRF configuration mode Step 4 rd route distinguisher Create a VRF table by specifying a route distinguisher Enter either an autonomous system number and an arbitrary number nnn y or an IP address and arbitrary number A B C D y Step 5 route target export import both ro...

Page 1008: ...ess Resolution Protocol ARP entries for specific VRFs These services are VRF aware ARP Ping Simple Network Management Protocol SNMP Hot Standby Router Protocol HSRP Unicast Reverse Path Forwarding uRPF Syslog Traceroute FTP and TFTP User Interface for ARP Beginning in privileged EXEC mode follow these steps to configure VRF aware services for ARP For complete syntax and usage information for the c...

Page 1009: ...nmp server trap authentication vrf Enable SNMP traps for packets on a VRF Step 3 snmp server engineID remote host vrf vpn instance engine id string Configure a name for the remote SNMP engine on a switch Step 4 snmp server host host vrf vpn instance traps community Specify the recipient of an SNMP trap operation and specify the VRF table used for sending SNMP traps Step 5 snmp server host host vrf...

Page 1010: ...se 12 2 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify the Layer 3 interface to configure Step 3 no switchport Remove the interface from Layer 2 configuration mode if it is a physical interface Step 4 ip vrf forwarding vrf name Configure VRF on the interface Step 5 ip address ip address Enter th...

Page 1011: ...he ip tftp source interface show mode command To return to the default use the no form of this command Configuring Multicast VRFs Beginning in privileged EXEC mode follow these steps to configure a multicast within a VRF table For complete syntax and usage information for the commands see the switch command reference for this release and the Cisco IOS Switching Services Command Reference Release 1...

Page 1012: ...the same as the route distinguisher entered in Step 4 Step 6 import map route map Optional Associate a route map with the VRF Step 7 ip multicast routing vrf vrf name distributed Optional Enable global multicast routing for VRF table Step 8 interface interface id Specify the Layer 3 interface to be associated with the VRF and enter interface configuration mode The interface can be a routed port or...

Page 1013: ...ea ID for that network address Step 6 end Return to privileged EXEC mode Step 7 show ip ospf process id Verify the configuration of the OSPF network Step 8 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router bgp autonomous system number Configure the BGP routi...

Page 1014: ...get export 800 1 Switch config vrf route target import 800 1 Switch config vrf exit Switch config ip vrf v12 Switch config vrf rd 800 2 Switch config vrf route target export 800 2 Switch config vrf route target import 800 2 Switch config vrf exit Configure the loopback and physical interfaces on Switch A Gigabit Ethernet port 1 is a trunk connection to the PE Gigabit Ethernet ports 8 and 11 connec...

Page 1015: ...ch D respectively Switch config interface vlan10 Switch config if ip vrf forwarding v11 Switch config if ip address 38 0 0 8 255 255 255 0 Switch config if exit Switch config interface vlan20 Switch config if ip vrf forwarding v12 Switch config if ip address 83 0 0 8 255 255 255 0 Switch config if exit Switch config interface vlan118 Switch config if ip vrf forwarding v12 Switch config if ip addre...

Page 1016: ...g router network 208 0 0 0 0 0 0 255 area 0 Switch config router end Configuring Switch F Switch F belongs to VPN 2 Configure the connection to Switch A by using these commands Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config ip routing Switch config interface gigabitethernet1 0 1 Switch config if switchport trunk encapsulation dot1q Switch config i...

Page 1017: ...router address family ipv4 vrf v2 Router config router af neighbor 83 0 0 8 remote as 800 Router config router af neighbor 83 0 0 8 activate Router config router af network 3 3 2 0 mask 255 255 255 0 Router config router af exit Router config router address family ipv4 vrf vl Router config router af neighbor 38 0 0 8 remote as 800 Router config router af neighbor 38 0 0 8 activate Router config ro...

Page 1018: ...ches running the IP base or the IP services feature set However on the IP base feature set protocol related features are available only for RIP For a complete description of the IP routing protocol independent commands in this chapter see the IP Routing Protocol Independent Commands chapter of the Cisco IOS IP Command Reference Volume 2 of 3 Routing Protocols Release 12 2 from the Cisco com page u...

Page 1019: ...the switch or switch stack uses ASICs to achieve Gigabit speed line rate IP traffic CEF or dCEF forwarding applies only to the software forwarding path that is traffic that is forwarded by the CPU The default configuration is CEF or dCEF enabled on all Layer 3 interfaces Entering the no ip route cache cef interface configuration command disables CEF for traffic that is being forwarded by software ...

Page 1020: ...r of parallel paths in a routing table from the default Use the no maximum paths router configuration command to restore the default value Step 7 show cef linecard detail or show cef linecard stack member number detail Display CEF related interface information on a standalone switch or display dCEF related interface information for all switches in the stack or for the specified stack member Option...

Page 1021: ...ve distance of the static route higher than that of the dynamic protocol Static routes that point to an interface are advertised through RIP IGRP and other dynamic routing protocols whether or not static redistribute router configuration commands were specified for those routing protocols These static routes are advertised because static routes that point to an interface are considered as connecte...

Page 1022: ...e the route When default information passes through a dynamic routing protocol no further configuration is required The system periodically scans its routing table to choose the best default network as its default route IGRP networks might have several candidate networks for the system default Cisco routers use administrative distance and metric information to set the default route or the gateway ...

Page 1023: ...and organize more modular policy definitions so that specific policy configurations are not repeated within the same route map The switch supports the continue clause for outbound policies For more information about using the route map continue clause see the BGP Route Map Continue Support for an Outbound Policy feature guide for Cisco IOS Release 12 4 4 T at this URL http www cisco com en US prod...

Page 1024: ...e specified interfaces Step 10 match ip route source access list number access list name access list number access list name Match the address specified by the specified advertised access lists Step 11 match route type local internal external type 1 type 2 Match the specified route type local Locally generated BGP routes internal OSPF intra area and interarea routes or EIGRP internal routes extern...

Page 1025: ...u Minimum maximum transmission unit MTU size of the route in bytes in the range 0 to 4294967295 Step 19 set metric type type 1 type 2 Set the OSPF external metric type for redistributed routes Step 20 set metric type internal Set the multi exit discriminator MED value on prefixes advertised to an external BGP neighbor to match the IGP metric of the next hop Step 21 set weight Set the BGP weight fo...

Page 1026: ...use PBR to provide equal access and source sensitive routing routing based on interactive instead of batch traffic or routing based on dedicated links For example you could transfer stock records to a corporate office on a high bandwidth high cost link for a short time while sending routine application data such as e mail over a low bandwidth low cost link With PBR you classify traffic using acces...

Page 1027: ... PBR applies to only to unicast traffic You can enable PBR on a routed port or on an SVI The switch does not support route map deny statements for PBR You can apply a policy route map to an EtherChannel port channel in Layer 3 mode but you cannot apply a policy route map to a physical interface that is a member of the EtherChannel If you try to do so the command is rejected When a policy route map...

Page 1028: ...hat the DSCP value of the traffic is unchanged you should configure the DSCP trust state on the port where traffic enters the switch by entering the mls qos trust dscp interface configuration command If the trust state is not DSCP by default all nontrusted traffic has the DSCP value marked as 0 Enabling PBR By default PBR is disabled on the switch To enable PBR you must create a route map that spe...

Page 1029: ...at are permitted by one or more standard or extended access lists Note Do not enter an ACL with a deny ACE or an ACL that permits a packet destined for a local address If you do not specify a match command the route map applies to all packets Step 4 set ip next hop ip address ip address Specify the action to take on the packets that match the criteria Set the next hop to which to route the packet ...

Page 1030: ... domain OSPF routing information is neither sent nor received through that interface In networks with many interfaces you do not need to manually set them as passive You can set all interfaces to be passive by default by using the passive interface default router configuration command You can then manually setting interfaces where adjacencies are desired Beginning in privileged EXEC mode follow th...

Page 1031: ...u can also use a distribute list router configuration command to avoid processing certain routes listed in incoming updates This feature does not apply to OSPF Beginning in privileged EXEC mode follow these steps to control the advertising or processing of routing updates Use the no distribute list in router configuration command to change or cancel a filter To cancel suppression of network advert...

Page 1032: ...ion keys are available for EIGRP and RIP Version 2 Before you manage authentication keys you must enable authentication See the appropriate protocol section to see how to enable authentication for that protocol To manage authentication keys define a key chain identify the keys that belong to the key chain and specify how long each key is valid Each key has its own key identifier specified with the...

Page 1033: ...key string text Identify the key string The string can contain from 1 to 80 uppercase and lowercase alphanumeric characters but the first character cannot be a number Step 5 accept lifetime start time infinite end time duration seconds Optional Specify the time period during which the key can be received The start time and end time syntax can be either hh mm ss Month date year or hh mm ss date Mon...

Page 1034: ...le 38 17 Commands to Clear IP Routes or Display Route Status Command Purpose clear ip route network mask Clear one or more routes from the IP routing table show ip protocols Display the parameters and state of the active routing protocol process show ip route address mask longer prefixes protocol process id Display the state of the routing table show ip route summary Display the state of the routi...

Page 1035: ...v4 and IPv6 switch database management SDM template See the Dual IPv4 and IPv6 Protocol Stacks section on page 39 5 Unless otherwise noted the term switch refers to a standalone switch and to a switch stack Note For complete syntax and usage information for the commands used in this chapter see the Cisco IOS documentation referenced in the procedures This chapter consists of these sections Underst...

Page 1036: ...it addresses are represented as a series of eight 16 bit hexadecimal fields separated by colons in the format n n n n n n n n This is an example of an IPv6 address 2031 0000 130F 0000 0000 09C0 080F 130B For easier implementation leading zeros in each field are optional This is the same address without leading zeros 2031 0 130F 0 0 9C0 80F 130B You can also use two colons to represent successive h...

Page 1037: ... 7 EIGRP for IPv6 page 39 7 HSRP for IPv6 page 39 7 SNMP and Syslog Over IPv6 page 39 7 HTTP S Over IPv6 page 39 8 Support on the switch includes expanded address capability header format simplification improved support of extensions and options and hardware parsing of the extension header The switch supports hop by hop extension header packets which are routed or bridged in software The switch pr...

Page 1038: ... unicast addresses in the Implementing IPv6 Addressing and Basic Connectivity chapter in the Cisco IOS IPv6 Configuration Library on Cisco com DNS for IPv6 IPv6 supports Domain Name System DNS record types in the DNS name to address and address to name lookup processes The DNS AAAA resource record types support IPv6 addresses and are equivalent to an A address record in IPv4 The switch supports DN...

Page 1039: ... can configure an IPv6 host to prefer one router over another provided both are reachable or probably reachable For more information about DRP for IPv6 see the Implementing IPv6 Addresses and Basic Connectivity chapter in the Cisco IOS IPv6 Configuration Library on Cisco com IPv6 Stateless Autoconfiguration and Duplicate Address Detection The switch uses stateless autoconfiguration to manage link ...

Page 1040: ...r each resource For more information about IPv4 and IPv6 protocol stacks see the Implementing IPv6 Addressing and Basic Connectivity chapter of Cisco IOS IPv6 Configuration Library on Cisco com DHCP for IPv6 Address Assignment DHCPv6 enables DHCP servers to pass configuration parameters such as IPv6 network addresses to IPv6 clients The address assignment feature manages nonduplicate address assig...

Page 1041: ...y IPv4 node always has an available router ID However EIGRP IPv6 might be running in a network with only IPv6 nodes and therefore might not have an available IPv4 router ID For more information about EIGRP for IPv6 see the Implementing EIGRP for IPv6 chapter in the Cisco IOS IPv6 Configuration Library on Cisco com HSRP for IPv6 The switch supports the Hot Standby Router Protocol HSRP for IPv6 HSRP...

Page 1042: ... sends requests to both IPv4 and IPv6 HTTP servers which respond to requests from both IPv4 and IPv6 HTTP clients URLs with literal IPv6 addresses must be specified in hexadecimal using 16 bit values between colons The accept socket call chooses an IPv4 or IPv6 address family The accept socket is either an IPv4 or IPv6 socket The listening socket continues to listen for both IPv4 and IPv6 signals ...

Page 1043: ...IPv4 to IPv6 packets in hardware but the switch cannot be an IPv6 to IPv4 or IPv4 to IPv6 tunnel endpoint Bridged IPv6 packets with hop by hop extension headers are forwarded in software In IPv4 these packets are routed in software but bridged in hardware In addition to the normal SPAN and RSPAN limitations defined in the software configuration guide these limitations are specific to IPv6 packets ...

Page 1044: ...e ipv6 address ipv6 prefix prefix length eui 64 interface configuration command the address is based on the interface MAC address See the Configuring IPv6 Addressing and Enabling IPv6 Host Functions or Routing section on page 39 12 If you configure the persistent MAC address feature on the stack and the stack master changes the stack MAC address does not change for approximately 4 minutes For more...

Page 1045: ...tack might need up to 60 seconds to recover all routes and resume forwarding traffic IPv6 host functionality is supported on the stack master and all IPv6 applications run on the stack master Configuring IPv6 These sections contain this IPv6 forwarding configuration information Default IPv6 Configuration page 39 11 Configuring IPv6 Addressing and Enabling IPv6 Host Functions or Routing page 39 12 ...

Page 1046: ...address comprise the prefix the network portion of the address To forward IPv6 traffic on an interface you must configure a global IPv6 address on that interface Configuring an IPv6 address on an interface automatically configures a link local address and activates IPv6 for the interface The configured interface automatically joins these required multicast groups for that link solicited node multi...

Page 1047: ...nter interface configuration mode and specify the Layer 3 interface to configure The interface can be a physical interface a switch virtual interface SVI or a Layer 3 EtherChannel Step 7 no switchport Remove the interface from Layer 2 configuration mode if it is a physical interface Step 8 ipv6 address ipv6 prefix prefix length eui 64 or ipv6 address ipv6 address link local or ipv6 enable Specify ...

Page 1048: ... group address es FF02 1 FF02 2 FF02 1 FF2F D940 MTU is 1500 bytes ICMP error messages limited to one every 100 milliseconds ICMP redirects are enabled ND DAD is enabled number of DAD attempts 1 ND reachable time is 30000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised retransmit interval is 0 milliseconds ND router advertisements are sent every 200 seconds ND router adve...

Page 1049: ... and to enable IPv6 routing Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip routing Enable routing on the switch Step 3 ipv6 unicast routing Enable forwarding of IPv6 data packets on the switch Step 4 interface interface id Enter interface configuration mode and specify the Layer 3 interface to configure Step 5 no switchport Remove the interface from Layer 2 con...

Page 1050: ...itch config if end Configuring DHCP for IPv6 Address Assignment These sections describe how to configure Dynamic Host Configuration Protocol for IPv6 DHCPv6 address assignment Default DHCPv6 Address Assignment Configuration page 39 16 DHCPv6 Address Assignment Configuration Guidelines page 39 16 Enabling DHCPv6 Server Function page 39 17 Enabling DHCPv6 Client Function page 39 19 Default DHCPv6 Ad...

Page 1051: ... state The range is 5 to 4294967295 seconds Specify infinite for no time interval Step 4 link address IPv6 prefix Optional Specify a link address IPv6 prefix When an address on the incoming interface or a link address in the packet matches the specified IPv6 prefix the server uses the configuration information pool This address must be in hexadecimal using 16 bit values between colons Step 5 vendo...

Page 1052: ...hows how to configure a pool called 350 with vendor specific options Switch configure terminal Switch config ipv6 dhcp pool 350 Switch config dhcpv6 address prefix 2001 1005 0 48 Switch config dhcpv6 vendor specific 9 Step 10 ipv6 dhcp server poolname automatic rapid commit preference value allow hint Enable DHCPv6 server function on an interface poolname Optional User defined name for the IPv6 DH...

Page 1053: ... the DHCPv6 address assignment For more information about configuring the DHCPv6 client server or relay agent functions see the Implementing DHCP for IPv6 chapter in the Cisco IOS IPv6 Configuration Library on Cisco com Configuring IPv6 ICMP Rate Limiting ICMP rate limiting is enabled by default with a default interval between error messages of 100 milliseconds and a bucket size maximum number of ...

Page 1054: ...ipv6 cef distributed global configuration command To reenable IPv6 CEF or dCEF if it has been disabled use the ipv6 cef or ipv6 cef distributed global configuration command You can verify the IPv6 state by entering the show ipv6 cef privileged EXEC command For more information about configuring CEF and dCEF see the Implementing IPv6 Addressing and Basic Connectivity chapter in the Cisco IOS IPv6 C...

Page 1055: ...hop need not be directly connected recursion is done to find the IPv6 address of the directly connected next hop The address must be specified in hexadecimal using 16 bit values between colons interface id Specify direct static routes from point to point and broadcast interfaces With point to point interfaces there is no need to specify the IPv6 address of the next hop With broadcast interfaces yo...

Page 1056: ...ace interface id recursive detail or show ipv6 route static updated Verify your entries by displaying the contents of the IPv6 routing table interface interface id Optional Display only those static routes with the specified interface as an egress interface recursive Optional Display only recursive static routes The recursive keyword is mutually exclusive with the interface keyword but it can be u...

Page 1057: ... commands Changing the defaults might adversely affect OSPF for the IPv6 network Before you enable IPv6 OSPF on an interface you must enable routing by using the ip routing global configuration command enable the forwarding of IPv6 packets by using the ipv6 unicast routing global configuration command and enable IPv6 on Layer 3 interfaces on which you are enabling IPv6 OSPF Step 7 ipv6 rip name de...

Page 1058: ...vertise Optional Set the address range status to advertise and to generate a Type 3 summary link state advertisement LSA not advertise Optional Set the address range status to DoNotAdvertise The Type 3 summary LSA is suppressed and component networks remain hidden from other networks cost cost Optional Metric or cost for this summary route which is used during OSPF SPF calculation to determine the...

Page 1059: ...faces Use the passive interface default command to make all interfaces passive and then use the no passive interface command on selected interfaces to make them active EIGRP IPv6 does not need to be configured on a passive interface For more configuration procedures see the Implementing EIGRP for IPv6 chapter in the Cisco IOS IPv6 Configuration Library on Cisco com Configuring HSRP for IPv6 Hot St...

Page 1060: ...EC mode Step 5 show standby Verify the configuration Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and enter the Layer 3 interface on which you want to enable HSRP for IPv6 Step 3 standby group number ipv6 link l...

Page 1061: ...minimum seconds reload seconds sync seconds Configure the router to preempt which means that when the local router has a higher priority than the active router it assumes control as the active router Optional group number The group number to which the command applies Optional delay Set to cause the local router to postpone taking over the active role for the shown number of seconds The range is 0 ...

Page 1062: ...Pv6 routing protocols on the switch show ipv6 rip1 Display IPv6 RIP routing protocol status show ipv6 route1 Display the IPv6 route table entries show ipv6 routers 1 Display the local IPv6 routers show ipv6 static Display IPv6 static routes show ipv6 traffic Display IPv6 traffic statistics Table 39 3 Commands for Displaying EIGRP IPv6 Information Command Purpose show ipv6 eigrp as number interface...

Page 1063: ...800 seconds output truncated This is an example of the output from the show ipv6 cef privileged EXEC command Switch show ipv6 cef 0 nexthop 3FFE C000 0 7 777 Vlan7 3FFE C000 0 1 64 attached to Vlan1 3FFE C000 0 1 20B 46FF FE2F D940 128 receive 3FFE C000 0 7 64 attached to Vlan7 3FFE C000 0 7 777 128 attached to Vlan7 3FFE C000 0 7 20B 46FF FE2F D97F 128 receive 3FFE C000 111 1 64 attached to Gigab...

Page 1064: ... example of the output from the show ipv6 neighbor privileged EXEC command Switch show ipv6 neighbors IPv6 Address Age Link layer Addr State Interface 3FFE C000 0 7 777 0007 0007 0007 REACH Vl7 3FFE C101 113 1 33 0000 0000 0033 REACH Fa1 0 13 This is an example of the output from the show ipv6 static privileged EXEC command Switch show ipv6 static IPv6 Static routes Code installed in RIB 0 via nex...

Page 1065: ...ragments 0 failed 0 encapsulation failed 0 no route 0 too big 0 RPF drops 0 RPF suppressed drops Mcast 1 received 36861 sent ICMP statistics Rcvd 1 input 0 checksum errors 0 too short 0 unknown info type 0 unknown error type unreach 0 routing 0 admin 0 neighbor 0 address 0 port parameter 0 error 0 header 0 option 0 hopcount expired 0 reassembly timeout 0 too big 0 echo request 0 echo reply 0 group...

Page 1066: ...39 32 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 12247 04 Chapter 39 Configuring IPv6 Unicast Routing Displaying IPv6 ...

Page 1067: ...y of any single router It enables a set of router interfaces to work together to present the appearance of a single virtual router or default gateway to the hosts on a LAN When HSRP is configured on a network or segment it provides a virtual Media Access Control MAC address and an IP address that is shared among a group of configured routers HSRP allows two or more HSRP configured routers to use t...

Page 1068: ... more use of the redundant routers To do so specify a group number for each Hot Standby command group you configure for an interface For example you might configure an interface on switch 1 as an active router and one on switch 2 as a standby router and also configure another interface on switch 2 as an active router with another interface on switch 1 as its standby router Figure 40 1 shows a segm...

Page 1069: ...o Group Management Protocol CGMP leave processing You cannot enable HSRPv1 and CGMP at the same time they are mutually exclusive HSRPv2 Version 2 of the HSRP has these features To match the HSRP group number to the VLAN ID of a subinterface HSRPv2 can use a group number from 0 to 4095 and a MAC address from 0000 0C9F F000 to 0000 0C9F FFFF HSRPv2 uses the multicast address 224 0 0 102 to send hell...

Page 1070: ... MHSRP to achieve load balancing and to use two or more standby groups and paths from a blade server network to a server network In Figure 40 2 one enclosure with blade servers is configured for Router A and the other enclosure with blade servers is configured for Router B Together the configuration for Routers A and B establishes two HSRP groups For group 1 Router A is the default active router b...

Page 1071: ...d and initialized and the standby router might become active after the stack master fails Configuring HSRP These sections contain this configuration information Default HSRP Configuration page 40 6 HSRP Configuration Guidelines page 40 6 Enabling HSRP page 40 7 Configuring HSRP Priority page 40 8 Configuring MHSRP page 40 10 201791 Active router for group 1 Standby router for group 2 Blade switch ...

Page 1072: ...ated by using the interface port channel port channel number global configuration command and binding the Ethernet interface into the channel group For more information see the Configuring Layer 3 EtherChannels section on page 37 14 All Layer 3 interfaces must have IP addresses assigned to them See the Configuring Layer 3 Interfaces section on page 11 24 HSRPv2 and HSRPv1 can be configured on the ...

Page 1073: ...ce id Enter interface configuration mode and enter the Layer 3 interface on which you want to enable HSRP Step 3 standby version 1 2 Optional Configure the HSRP version on the interface 1 Select HSRPv1 2 Select HSRPv2 If you do not enter this command or do not specify a keyword the interface runs the default HSRP version HSRP v1 Step 4 standby group number ip ip address secondary Create or enable ...

Page 1074: ...reempt or both The priority of the device can change dynamically if an interface is configured with the standby track command and another interface on the router goes down The standby track interface configuration command ties the router hot standby priority to the availability of its interfaces and is useful for tracking interfaces that are not configured for HSRP When a tracked interface fails t...

Page 1075: ...y Configure the router to preempt which means that when the local router has a higher priority than the active router it assumes control as the active router Optional group number The group number to which the command applies Optional priority Enter to set or change the group priority The range is 1 to 255 the default is 100 Optional delay Set to cause the local router to postpone taking over the ...

Page 1076: ...ndby preempt interface configuration command on each HSRP interface so that if a router fails and comes back up the preemption occurs and restores load balancing Router A is configured as the active router for group 1 and Router B is configured as the active router for group 2 The HSRP interface for Router A has an IP address of 10 0 0 1 with a group 1 standby priority of 110 the default is 100 Th...

Page 1077: ... authentication string interface configuration command to delete an authentication string Use the no standby group number timers hellotime holdtime interface configuration command to restore timers to their default values Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and enter the HSRP interface on which y...

Page 1078: ...ges ICMP redirect messages are automatically enabled on interfaces configured with HSRP ICMP is a network layer Internet protocol that provides message packets to report errors and other information relevant to IP processing ICMP provides diagnostic functions such as sending and directing error packets to the host This feature filters outgoing ICMP redirect messages through HSRP in which the next ...

Page 1079: ...Standby priority 105 may preempt Hellotime 3 holdtime 10 Next hello sent in 00 00 02 182 Hot standby IP address is 172 20 128 3 configured Active router is 172 20 128 1 expires in 00 00 09 Standby router is local Standby virtual mac address is 0000 0c07 ac01 Name is bbb VLAN1 Group 100 Local state is Active priority 105 may preempt Hellotime 3 holdtime 10 Next hello sent in 00 00 02 262 Hot standb...

Page 1080: ...40 14 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 12247 04 Chapter 40 Configuring HSRP Displaying HSRP Configurations ...

Page 1081: ... see the command reference at this URL http www cisco com en US docs ios ipsla command reference sla_book html This chapter consists of these sections Understanding Cisco IOS IP SLAs page 41 1 Configuring IP SLAs Operations page 41 6 Monitoring IP SLAs Operations page 41 13 Understanding Cisco IOS IP SLAs Cisco IOS IP SLAs sends data across the network to measure performance between multiple netwo...

Page 1082: ...ictable measurements IP service network health assessment to verify that the existing QoS is sufficient for new IP services Edge to edge network availability monitoring for proactive verification and connectivity testing of network resources for example shows the network availability of an NFS server used to store business critical data from a remote site Troubleshooting of network operation by pr...

Page 1083: ...ion specific chapters in the Cisco IOS IP SLAs Configuration Guide at this URL http www cisco com en US docs ios ipsla configuration guide 12_4t sla_12_4t_book html Note The switch does not support Voice over IP VoIP service level analysis or IP service level analysis using DLSw operation Before configuring any IP SLAs application you can use the show ip sla application privileged EXEC command to ...

Page 1084: ... would not accurately represent true network delays IP SLAs minimizes these processing delays on the source device as well as on the target device if the responder is being used to determine true round trip times IP SLAs test packets use time stamping to minimize the processing delays When the IP SLAs responder is enabled it allows the target device to take time stamps when the packet arrives on t...

Page 1085: ... network scalability For more details about the IP SLAs multioperations scheduling functionality see the IP SLAs Multiple Operation Scheduling chapter of the Cisco IOS IP SLAs Configuration Guide at this URL http www cisco com en US docs ios ipsla configuration guide 12_4t sla_12_4t_book html IP SLAs Operation Threshold Monitoring To support successful service level agreement monitoring you must h...

Page 1086: ... commands see the Cisco IOS IP SLAs Command Reference Release 12 4T command reference at this URL http www cisco com en US docs ios ipsla command reference sla_book html For detailed descriptions and configuration procedures see the Cisco IOS IP SLAs Configuration Guide Release 12 4T at this URL http www cisco com en US docs ios ipsla configuration guide 12_4t sla_12_4t_book html Note that not all...

Page 1087: ... steps to configure the IP SLAs responder on the target device the operational target To disable the IP SLAs responder enter the no ip sla responder global configuration command This example shows how to configure the device as a responder for the UDP jitter IP SLAs operation in the next procedure Switch config ip sla responder udp echo 172 29 139 134 5000 Command Purpose Step 1 configure terminal...

Page 1088: ...p delay average round trip time Because the paths for the sending and receiving of data can be different asymmetric you can use the per direction data to more readily identify where congestion or other problems are occurring in the network The UDP jitter operation generates synthetic simulated UDP traffic and sends a number of UDP packets each of a specified size sent a specified number of millise...

Page 1089: ... interval inter packet interval Enter the interval between sending packets in milliseconds The range is 1 to 6000 the default value is 20 ms Step 4 frequency seconds Optional Set the rate at which a specified IP SLAs operation repeats The range is from 1 to 604800 seconds the default is 60 seconds Step 5 exit Exit UDP jitter configuration mode and return to global configuration mode Step 6 ip sla ...

Page 1090: ...uled FALSE Life seconds 3600 Entry Ageout seconds never Recurring Starting Everyday FALSE Status of entry SNMP RowStatus notInService Threshold milliseconds 5000 Distribution Statistics Number of statistic hours kept 2 Number of statistic distribution buckets kept 1 Statistic distribution interval milliseconds 20 Enhanced History Analyzing IP Service Levels by Using the ICMP Echo Operation The ICM...

Page 1091: ... IP SLAs operation repeats The range is from 1 to 604800 seconds the default is 60 seconds Step 5 exit Exit UDP jitter configuration mode and return to global configuration mode Step 6 ip sla schedule operation number life forever seconds start time hh mm ss month day day month pending now after hh mm ss ageout seconds recurring Configure the scheduling parameters for an individual IP SLAs operati...

Page 1092: ... size ARR data portion 28 Operation timeout milliseconds 5000 Type Of Service parameters 0x0 Verify data No Vrf Name Schedule Operation frequency seconds 60 Next Scheduled Start Time Pending trigger Group Scheduled FALSE Randomly Scheduled FALSE Life seconds 3600 Entry Ageout seconds never Recurring Starting Everyday FALSE Status of entry SNMP RowStatus notInService Threshold milliseconds 5000 Dis...

Page 1093: ...istics for all IP SLAs operations or a specific operation show ip sla ethernet monitor configuration entry number Display IP SLAs automatic Ethernet configuration show ip sla group schedule schedule entry number Display IP SLAs group scheduling configuration and details show ip sla history entry number full tabular Display history collected for all IP SLAs operations show ip sla mpls lsp monitor c...

Page 1094: ...41 14 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 12247 04 Chapter 41 Configuring Cisco IOS IP SLAs Operations Monitoring IP SLAs Operations ...

Page 1095: ...nd to a switch stack For more information about enhanced object tracking and the commands used to configure it see this URL http www cisco com en US products sw iosswrel ps1839 products_feature_guide09186a00801541be html The chapter includes these sections Understanding Enhanced Object Tracking page 42 1 Configuring Enhanced Object Tracking Features page 42 2 Monitoring Enhanced Object Tracking pa...

Page 1096: ...hese conditions are not met the IP routing state is down Beginning in privileged EXEC mode follow these steps to track the line protocol state or IP routing state of an interface Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 track object number interface interface id line protocol Optional Create a tracking list to track the line protocol state of an interface an...

Page 1097: ...st The state of the tracked list is determined by whether or not the threshold was met The state of each object is determined by comparing the total weight of all objects against a threshold weight for each object When you measure the tracked list by a percentage threshold you assign a percentage threshold to all objects in the tracked list The state of each object is determined by comparing the a...

Page 1098: ... cannot use the Boolean NOT operator in a weight threshold list Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 track track number list boolean and or Configure a tracked list object and enter tracking configuration mode The track number can be from 1 to 500 boolean Specify the state of the tracked list based on a Boolean calculation and Specify that the list is up...

Page 1099: ...t of objects specify that a percentage will be used as the threshold and specify a percentage for all objects in the list The state of the list is determined by comparing the assigned percentage of each object to the list You cannot use the Boolean NOT operator in a percentage threshold list Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 track track number list th...

Page 1100: ... list object and enter tracking configuration mode The track number can be from 1 to 500 threshold Specify the state of the tracked list based on a threshold percentage Specify that the threshold is based on percentage Step 3 object object number Specify the object to be tracked The range is from 1 to 500 Note An object must exist before you can add it to a tracked list Step 4 threshold percentage...

Page 1101: ...default up threshold is 254 and the default down threshold is 255 Enter list to track objects grouped in a list Configure the list as described on the previous pages For boolean see the Configuring a Tracked List with a Boolean Expression section on page 42 3 For threshold weight see the Configuring a Tracked List with a Weight Threshold section on page 42 4 For threshold percentage see the Config...

Page 1102: ...rify enhanced object tracking configuration For more information about enhanced object tracking and the commands used to configure it see this URL http www cisco com en US products sw iosswrel ps1839 products_feature_guide09186a00801541be html Step 6 standby group number track object number decrement priority decrement Configure HSRP to track an object and change the hot standby priority based on ...

Page 1103: ... OK the track state is down For reachability if the return code is OK or OverThreshold reachability is up if not OK reachability is down Beginning in privileged EXEC mode follow these steps to track the state of an IP SLAs operation or the reachability of an IP SLAs IP host Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 track object number rtr operation number sta...

Page 1104: ... Time Reporter 1 reachability Reachability is Up 1 change last change 00 00 47 Latest operation return code over threshold Latest RTT millisecs 4 Tracked by HSRP Ethernet0 1 3 Monitoring Enhanced Object Tracking Use the privileged EXEC or user EXEC commands in Table 42 1 to display enhanced object tracking information Table 42 1 Commands for Displaying Tracking Information Command Purpose show tra...

Page 1105: ...dentical content from web servers Application engines accelerate content delivery and ensure maximum scalability and availability of content In a service provider network you can deploy the WCCP and application engine solution at the points of presence POPs In an enterprise network you can deploy the WCCP and application engine solution at the regional site and the small branch office To use this ...

Page 1106: ...The word transparent means that the end user does not know that a requested file such as a web page came from the application engine instead of from the originally specified server When an application engine receives a request it attempts to service it from its own local cache If the requested information is not present the application engine sends a separate request to the end server to retrieve ...

Page 1107: ... connected to the switch at Layer 2 Assignment method the method by which packets are distributed among the application engines in the cluster The switch uses some bits of the destination IP address the source IP address the destination Layer 4 port and the source Layer 4 port to determine which application engine receives the redirected packets Packet return method the method by which packets are...

Page 1108: ...ncoming packet with source and destination port 80 is forwarded by using service group 1 because it has the higher priority WCCP supports a cluster of application engines for every service group Redirected traffic can be sent to any one of the application engines The switch supports the mask assignment method of load balancing the traffic among the application engines in the cluster for a service ...

Page 1109: ...protocol packets from any WCCP enabled interface and sends them out any WCCP enabled interface in the stack It processes the WCCP configuration and propagates the information to all stack members It distributes the WCCP information to any switch that joins the stack It programs its hardware with the WCCP information it processes Stack members receive the WCCP information from the master switch and...

Page 1110: ... reduced as more interfaces are enabled for WCCP ingress redirection For every interface that supports service groups one label is consumed The WCCP labels are taken from the PBR labels You need to monitor and manage the labels that are available between PBR and WCCP When labels are not available the switch cannot add service groups However if another interface has the same sequence of service gro...

Page 1111: ... list of valid IP addresses that correspond to the application engines that are participating in the service group Optional For redirect list access list specify the redirect service for specific hosts or specific packets from hosts Optional For password encryption number password specify an encryption number The range is 0 to 7 Use 0 for not encrypted and use 7 for proprietary Specify a password ...

Page 1112: ...nfig if no switchport Switch config if ip address 172 20 10 30 255 255 255 0 Switch config if no shutdown Switch config if ip wccp web cache group listen Switch config if exit Switch config interface gigabitethernet1 0 2 Switch config if no switchport Switch config if ip address 175 20 20 10 255 255 255 0 Switch config if no shutdown Switch config if exit Switch config interface gigabitethernet1 0...

Page 1113: ...clients are configured as access ports in VLAN 301 The switch redirects packets received from the client interfaces to the application engine Switch configure terminal Switch config ip wccp web cache 80 group list 15 Switch config access list 15 permit host 171 69 198 102 Switch config access list 15 permit host 171 69 198 104 Switch config access list 15 permit host 171 69 198 106 Switch config v...

Page 1114: ...oring and Maintaining WCCP Command Purpose clear ip wccp web cache Removes statistics for the web cache service show ip wccp web cache Displays global information related to WCCP show ip wccp web cache detail Displays information for the switch and all application engines in the WCCP cluster show ip interface Displays status about any IP WCCP redirection commands that are configured on an interfac...

Page 1115: ...ster must be running the IP services feature set To use the PIM stub routing feature the switch or stack master can be running the IP base image Unless otherwise noted the term switch refers to a standalone switch and to a switch stack Note For complete syntax and usage information for the commands used in this chapter see the Cisco IOS IP Command Reference Volume 3 of 3 Multicast Release 12 2 Thi...

Page 1116: ...ese protocols operate within the IP multicast environment Figure 44 1 IP Multicast Routing Protocols According to IPv4 multicast standards the MAC destination multicast address begins with 0100 5e and is appended by the last 23 bits of the IP address For example if the IP destination address is 239 1 1 39 the MAC destination address is 0100 5e01 0127 A multicast packet is unmatched when the destin...

Page 1117: ...0 to 224 0 0 255 are reserved for use by routing protocols and other network control traffic The address 224 0 0 0 is guaranteed not to be assigned to any group IGMP packets are sent using these IP multicast group addresses IGMP general queries are destined to the address 224 0 0 1 all systems on a subnet IGMP group specific queries are destined to the group IP address for which the switch is quer...

Page 1118: ...ave more flexible encoding for multiple address families A more flexible hello packet format replaces the query packet to encode current and future capability options Register messages to an RP specify whether they are sent by a border router or a designated router PIM packets are no longer inside IGMP packets they are standalone packets PIM Modes PIM can operate in dense mode DM sparse mode SM or...

Page 1119: ...ote The IP base image contains only PIM stub routing The IP services image contains complete multicast routing On a switch running the IP base image if you try to configure a VLAN interface with PIM dense mode sparse mode or dense sparse mode the configuration is not allowed In a network using PIM stub routing the only allowable route for IP traffic to the user is through a switch that is configur...

Page 1120: ...n this feature is configured When the upstream central router receives the helper IGMP reports or leaves it adds or removes the interfaces from its outgoing interface list for that group For complete syntax and usage information for the ip igmp helper address command see the Cisco IOS IP and IP Routing Command Reference Release 12 1 Auto RP This proprietary feature eliminates the need to manually ...

Page 1121: ...aces except the one on which it was received with a TTL of 1 In this way BSR messages travel hop by hop throughout the PIM domain Because BSR messages contain the IP address of the current BSR the flooding mechanism enables candidate RPs to automatically learn which device is the elected BSR Candidate RPs send candidate RP advertisements showing the group range for which they are responsible to th...

Page 1122: ...ifferently for each If a PIM router or multilayer switch has a source tree state that is an S G entry is present in the multicast routing table it performs the RPF check against the IP address of the source of the multicast packet If a PIM router or multilayer switch has a shared tree state and no explicit source tree state it performs the RPF check on the RP address which is known when members jo...

Page 1123: ... software release provides CGMP server support on your switch no client side functionality is provided The switch serves as a CGMP server for devices that do not support IGMP snooping but have CGMP client functionality CGMP is a protocol used on Cisco routers and multilayer switches connected to Layer 2 Catalyst switches to perform tasks similar to those performed by IGMP CGMP permits Layer 2 grou...

Page 1124: ... IP Multicast Routing These sections contain this configuration information Default Multicast Routing Configuration page 44 10 Multicast Routing Configuration Guidelines page 44 11 Configuring Basic Multicast Routing page 44 12 required Enabling PIM Stub Routing page 44 23 Enabling PIM Stub Routing page 44 23 optional Configuring a Rendezvous Point page 44 24 required if the interface is in sparse...

Page 1125: ...ry Cisco protocol PIMv2 is a standards track protocol in the IETF We recommend that you use PIMv2 The BSR mechanism interoperates with Auto RP on Cisco routers and multilayer switches For more information see the Auto RP and BSR Configuration Guidelines section on page 44 12 When PIMv2 devices interoperate with PIMv1 devices Auto RP should have already been deployed A PIMv2 BSR that is also an Aut...

Page 1126: ...P and a BSR section on page 44 34 Configuring Basic Multicast Routing You must enable IP multicast routing and configure the PIM version and the PIM mode Then the software can forward multicast packets and the switch can populate its multicast routing table You can configure an interface to be in PIM dense mode sparse mode or sparse dense mode The switch populates its multicast routing table and f...

Page 1127: ...ces must have IP addresses assigned to them For more information see the Configuring Layer 3 Interfaces section on page 11 24 Step 4 ip pim version 1 2 Configure the PIM version on the interface By default Version 2 is enabled and is the recommended setting An interface in PIMv2 mode automatically downgrades to PIMv1 mode if that interface has a PIMv1 neighbor The interface returns to Version 2 mo...

Page 1128: ...GMPv3 To run SSM with IGMPv3 SSM must be supported in the Cisco IOS router the host where the application is running and the application itself How SSM Differs from Internet Standard Multicast The current IP multicast infrastructure in the Internet and many enterprise intranets is based on the PIM SM protocol and Multicast Source Discovery Protocol MSDP These protocols have the limitations of the ...

Page 1129: ...he application is modified to use an explicit S G channel subscription SSM Operations An established network in which IP multicast service is based on PIM SM can support SSM services SSM can also be deployed alone in a network without the full range of protocols that are required for interdomain PIM SM for example MSDP Auto RP or bootstrap router BSR if only SSM service is needed If SSM is deploye...

Page 1130: ...de and include mode reports are applicable In SSM only include mode reports are accepted by the last hop router Exclude mode reports are ignored Configuration Guidelines This section contains the guidelines for configuring SSM Legacy Applications Within the SSM Range Restrictions Existing applications in a network predating SSM do not work within the SSM range unless they are modified to support S...

Page 1131: ...s from the source arrive again through the RPT Because no mechanism in PIM SSM notifies a receiver that a source is active the network must maintain the S G state in PIM SSM as long as receivers are requesting receipt of that channel Configuring SSM Beginning in privileged EXEC mode follow these steps to configure SSM Monitoring SSM Beginning in privileged EXEC mode follow these steps to monitor S...

Page 1132: ...eady have a DNS server running you need to install one You can use a product such as Cisco Network Registrar Go to this URL for more information http www cisco com warp public cc pd nemnsw nerr index shtml These are the SSM mapping restrictions The SSM mapping feature does not have all the benefits of full SSM Because SSM mapping takes a group join from a host and identifies this group with an app...

Page 1133: ...SM mapping http www cisco com en US products sw iosswrel ps5207 products_feature_guide09186a00801a6d6f html Static SSM Mapping With static SSM mapping you can configure the last hop router to use a static map to determine the sources that are sending to groups Static SSM mapping requires that you configure ACLs to define group ranges Then you can map the groups permitted by those ACLs to sources b...

Page 1134: ... TV channel Thus the server side switchover mechanism ensures that only one of the servers is actively sending video traffic for the TV channel To look up one or more source addresses for a group that includes G1 G2 G3 and G4 you must configure these DNS records on the DNS server G4 G3 G2 G1 multicast domain timeout IN A source address 1 IN A source address 2 IN A source address n Refer to your DN...

Page 1135: ...ups in the configured SSM range Note By default this command enables DNS based SSM mapping Step 3 no ip igmp ssm map query dns Optional Disable DNS based SSM mapping Note Disable DNS based SSM mapping if you only want to rely on static SSM mapping By default the ip igmp ssm map global configuration command enables DNS based SSM mapping Step 4 ip igmp ssm map static access list source address Confi...

Page 1136: ... address6 Specify the address of one or more name servers to use for name and address resolution Step 6 Repeat Step 5 to configure additional DNS servers for redundancy if required Step 7 end Return to privileged EXEC mode Step 8 show running config Verify your entries Step 9 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Ste...

Page 1137: ...up address interface type interface number detail Display the multicast groups with receivers that are directly connected to the router and that were learned through IGMP show host Display the default domain name the style of name lookup service a list of name server hosts and the cached list of hostnames and addresses debug ip igmp group address Display the IGMP packets received and sent and IGMP...

Page 1138: ...e the show ip pim interface privileged EXEC command Switch show ip pim interface Address Interface Ver Nbr Query DR DR Mode Count Intvl Prior 3 1 1 2 GigabitEthernet3 0 25 v2 SD 1 30 1 3 1 1 2 100 1 1 1 Vlan100 v2 P 0 30 1 100 1 1 1 10 1 1 1 GigabitEthernet3 0 20 v2 P 0 30 1 10 1 1 1 Use these privileged EXEC commands to display information about PIM stub configuration and status show ip pim inter...

Page 1139: ... must configure the IP address of RPs on all routers and multilayer switches including the RP If there is no RP configured for a group the switch treats the group as dense using the dense mode PIM techniques A PIM device can be an RP for more than one group Only one RP address can be used at a time within a PIM domain The access list conditions specify for which groups the device is an RP For ip a...

Page 1140: ...igure an RP as described in the Manually Assigning an RP to Multicast Groups section on page 44 25 If routed interfaces are configured in sparse mode Auto RP can still be used if all devices are configured with a manual RP address for the Auto RP groups If routed interfaces are configured in sparse mode and you enter the ip pim autorp listener global configuration command Auto RP can still be used...

Page 1141: ...d rp announce interface id scope ttl group list access list number interval seconds Configure another PIM device to be the candidate RP for local groups For interface id enter the interface type and number that identifies the RP address Valid interfaces include physical ports port channels and VLANs For scope ttl specify the time to live value in hops Enter a hop count that is high enough so that ...

Page 1142: ...all interfaces are in sparse mode use a default configured RP to support the two well known groups 224 0 1 39 and 224 0 1 40 Auto RP uses these two well known groups to collect and distribute RP mapping information When this is the case and the ip pim accept rp auto rp command is configured another ip pim accept rp command accepting the RP must be configured as follows Switch config ip pim accept ...

Page 1143: ...d is accepted for the group ranges supplied in the group list access list number variable If this variable is omitted the filter applies to all multicast groups If more than one mapping agent is used the filters must be consistent across all mapping agents to ensure that no conflicts occur in the Group to RP mapping information Step 3 access list access list number deny permit source source wildca...

Page 1144: ...n on page 44 7 Defining the PIM Domain Border As IP multicast becomes more widespread the chance of one PIMv2 domain bordering another PIMv2 domain is increasing Because these two domains probably do not share the same set of RPs BSR candidate RPs and candidate BSRs you need to constrain PIMv2 BSR messages from flowing into or out of the domain Allowing these messages to leak across the domain bor...

Page 1145: ...ayer 3 switch Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny source source wildcard Create a standard access list repeating the command as many times as necessary For access list number the range is 1 to 99 The deny keyword denies access if the conditions are matched For source enter multicast addresses 224 0 1 39 and 224 0 1 40...

Page 1146: ...iority of 10 Switch config interface gigabitethernet1 0 2 Switch config if ip address 172 21 24 18 255 255 255 0 Switch config if ip pim sparse dense mode Switch config if ip pim bsr candidate gigabitethernet1 0 2 30 10 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip pim bsr candidate interface id hash mask length priority Configure your switch to be a candidate...

Page 1147: ...l configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip pim rp candidate interface id group list access list number Configure your switch to be a candidate RP For interface id specify the interface whose associated IP address is advertised as a candidate RP address Valid interfaces include physical ports port channels and VLANs Optional For group...

Page 1148: ... candidate BSRs as the RP mapping agents for Auto RP For more information see the Configuring Auto RP section on page 44 26 and the Configuring Candidate BSRs section on page 44 32 For group prefixes advertised through Auto RP the PIMv2 BSR mechanism should not advertise a subrange of these group prefixes served by a different set of RPs In a mixed PIMv1 and PIMv2 domain have backup RPs serve the ...

Page 1149: ...with the show ip pim rp hash privileged EXEC command making sure that all systems agree on the same RP for the same group 2 Verify interoperability between different versions of DRs and RPs Make sure the RPs are interacting with the DRs properly by responding with register stops and forwarding decapsulated data packets from registers Configuring Advanced PIM Features These sections describe the op...

Page 1150: ...ard the source At this point data might arrive twice at Router C once encapsulated and once natively 5 When data arrives natively unencapsulated at the RP it sends a register stop message to Router A 6 By default reception of the first data packet prompts Router C to send a join message toward the source 7 When Router C receives data on S G it sends a prune message for the source up the shared tre...

Page 1151: ...lies to all groups Beginning in privileged EXEC mode follow these steps to configure a traffic rate threshold that must be reached before multicast routing is switched from the source tree to the shortest path tree This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny permit source source wildcard Create a st...

Page 1152: ... mode follow these steps to modify the router query message interval This procedure is optional To return to the default setting use the no ip pim query interval seconds interface configuration command Configuring Optional IGMP Features These sections contain this configuration information Default IGMP Configuration page 44 39 Configuring the Switch as a Member of a Group page 44 39 optional Contr...

Page 1153: ...t trace route tools provided in the software Caution Performing this procedure might impact the CPU performance because the CPU will receive all data traffic for the group address Beginning in privileged EXEC mode follow these steps to configure the switch to be a member of a group This procedure is optional Table 44 4 Default IGMP Configuration Feature Default Setting Multilayer switch as a membe...

Page 1154: ...ep 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to be configured and enter interface configuration mode Step 3 ip igmp access group access list number Specify the multicast groups that hosts on the subnet serviced...

Page 1155: ... Modifying the IGMP Host Query Message Interval The switch periodically sends IGMP host query messages to discover which multicast groups are present on attached networks These messages are sent to the all hosts multicast group 224 0 0 1 with a time to live TTL of 1 The switch sends host query messages to refresh its knowledge of memberships present on the network If after some number of queries t...

Page 1156: ...at time if the switch has received no queries it becomes the querier You can configure the query interval by entering the show ip igmp interface interface id privileged EXEC command Beginning in privileged EXEC mode follow these steps to change the IGMP query timeout This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id S...

Page 1157: ...pull multicast traffic down to a network segment Use the ip igmp join group interface configuration command With this method the switch accepts the multicast packets in addition to forwarding them Accepting the multicast packets prevents the switch from fast switching Use the ip igmp static group interface configuration command With this method the switch does not accept the packets itself but onl...

Page 1158: ...for devices that do not support IGMP snooping but have CGMP client functionality CGMP is a protocol used on Cisco routers and multilayer switches connected to Layer 2 Catalyst switches to perform tasks similar to those performed by IGMP CGMP is necessary because the Layer 2 switch cannot distinguish between IP multicast data packets and IGMP report messages which are both at the MAC level and are ...

Page 1159: ...eir conference sessions These SAP packets contain a session description the time the session is active its IP multicast group addresses media format contact person and other information about the advertised multimedia session The information in the SAP packet is displayed in the SDR Session Announcement window Step 3 ip cgmp proxy Enable CGMP on the interface By default CGMP is disabled on all int...

Page 1160: ...he use the clear ip sdr privileged EXEC command To display the session directory cache use the show ip sdr privileged EXEC command Configuring an IP Multicast Boundary Administratively scoped boundaries can be used to limit the forwarding of multicast traffic outside of a domain or subdomain This approach uses a special range of multicast addresses called administratively scoped addresses as the b...

Page 1161: ...ange 239 0 0 0 through 239 255 255 255 from entering or leaving the network Similarly the engineering and marketing departments have an administratively scoped boundary of 239 128 0 0 16 around the perimeter of their networks This boundary prevents multicast traffic in the range of 239 128 0 0 through 239 128 255 255 from entering or leaving their respective networks Figure 44 7 Administratively S...

Page 1162: ...features see the Configuring Advanced DVMRP Interoperability Features section on page 44 53 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny permit source source wildcard Create a standard access list repeating the command as many times as necessary For access list number the range is 1 to 99 The deny keyword denies access if the ...

Page 1163: ...s over an MBONE tunnel DVMRP advertisements produced by the Cisco IOS software can cause older versions of the mrouted protocol to corrupt their routing tables and those of their neighbors You can configure what sources are advertised and what metrics are used by configuring the ip dvmrp metric interface configuration command You can also direct all sources learned through a particular unicast rou...

Page 1164: ...it Switch config access list 1 permit 198 92 35 0 0 0 0 255 Switch config access list 1 permit 198 92 36 0 0 0 0 255 Switch config access list 1 permit 198 92 37 0 0 0 0 255 Switch config access list 1 permit 131 108 0 0 0 0 255 255 Switch config access list 1 permit 150 136 0 0 0 0 255 255 Switch config access list 1 deny 0 0 0 0 255 255 255 255 Switch config access list 2 permit 0 0 0 0 255 255 ...

Page 1165: ... through the tunnel Beginning in privileged EXEC mode follow these steps to configure a DVMRP tunnel This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny permit source source wildcard Create a standard access list repeating the command as many times as necessary For access list number the range is 1 to 99 Th...

Page 1166: ...ss list 1 permit 198 92 37 0 0 0 0 255 Advertising Network 0 0 0 0 to DVMRP Neighbors If your switch is a neighbor of an mrouted Version 3 6 device you can configure the software to advertise network 0 0 0 0 the default route to the DVMRP neighbor The DVMRP default route computes the RPF information for any multicast sources that do not match a more specific route Do not advertise the DVMRP defaul...

Page 1167: ... 137 0 0 0 0 1 0 pim querier down leaf 171 69 214 203 0 0 0 0 1 0 pim querier down leaf 171 69 214 18 171 69 214 20 mm1 45e cisco com 1 0 pim 171 69 214 18 171 69 214 19 mm1 45c cisco com 1 0 pim 171 69 214 18 171 69 214 17 mm1 45a cisco com 1 0 pim Configuring Advanced DVMRP Interoperability Features Cisco routers and multilayer switches run PIM to forward multicast packets to receivers and recei...

Page 1168: ...r the MBONE topology When DVMRP unicast routing is enabled the router or switch caches routes learned in DVMRP report messages in a DVMRP routing table When PIM is running these routes might be preferred over routes in the unicast routing table enabling PIM to run on the MBONE topology when it is different from the unicast topology DVMRP unicast routing can run on all interfaces For DVMRP tunnels ...

Page 1169: ...RP Neighbor You can prevent the switch from peering communicating with a DVMRP neighbor if that neighbor does not support DVMRP pruning or grafting To do so configure the switch which is a neighbor to the leaf nonpruning DVMRP machine with the ip dvmrp reject non pruners interface configuration command on the interface connected to the nonpruning machine as shown in Figure 44 9 In this case when t...

Page 1170: ...mand Controlling Route Exchanges These sections describe how to tune the Cisco device advertisements of DVMRP routes Limiting the Number of DVMRP Routes Advertised page 44 57 optional Changing the DVMRP Route Threshold page 44 57 optional 101245 Router A Router B RP Multicast traffic gets to receiver not to leaf DVMRP device Source router or RP Leaf nonpruning DVMRP device Configure the ip dvmrp r...

Page 1171: ...e occurring The warning is typically used to quickly detect when devices have been misconfigured to inject a large number of routes into the MBONE Beginning in privileged EXEC mode follow these steps to change the threshold number of routes that trigger the warning This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip dvmrp route limit count...

Page 1172: ... are advertisements for the two directly connected networks 176 32 10 0 24 and 176 32 15 0 24 that were taken from the unicast routing table Because the DVMRP tunnel shares the same IP address as Fast Ethernet port 1 and falls into the same Class B network as the two directly connected subnets classful summarization of these routes was not performed As a result the DVMRP router is able to poison r...

Page 1173: ...02 13 3 0 24 m 40 176 32 10 0 24 m 1 176 32 15 0 24 m 1 DVMRP router Cisco router Tunnel Gigabit Ethernet 1 0 1 176 32 10 0 24 Gigabit Ethernet 1 0 2 176 32 15 0 24 DVMRP Report 159888 DVMRP Route Table Unicast Routing Table 10 000 Routes interface tunnel 0 ip unnumbered gigabitethernet1 0 1 interface gigabitethernet1 0 1 ip addr 176 32 10 1 255 255 255 0 ip pim dense mode interface gigabitetherne...

Page 1174: ...iguration command Adding a Metric Offset to the DVMRP Route By default the switch increments by one the metric hop count of a DVMRP route advertised in incoming DVMRP reports You can change the metric if you want to favor or not favor a certain route For example a route is learned by multilayer switch A and the same route is learned by multilayer switch B with a higher metric If you want to use th...

Page 1175: ...et in out increment Change the metric added to DVMRP routes advertised in incoming reports The keywords have these meanings Optional in Specifies that the increment value is added to incoming DVMRP reports and is reported in mrinfo replies Optional out Specifies that the increment value is added to outgoing DVMRP reports for routes from the DVMRP routing table If neither in nor out is specified in...

Page 1176: ...2 cache or an sdr cache entry Table 44 5 Commands for Clearing Caches Tables and Databases continued Command Purpose Table 44 6 Commands for Displaying System and Network Statistics Command Purpose ping group name group address Send an ICMP Echo Request to a multicast group address show ip dvmrp route ip address Display the entries in the DVMRP routing table show ip igmp groups group name group ad...

Page 1177: ...s doing Reverse Path Forwarding that is from the unicast routing table DVMRP routing table or static mroutes show ip sdr group session name detail Display the Session Directory Protocol Version 2 cache Table 44 6 Commands for Displaying System and Network Statistics continued Command Purpose Table 44 7 Commands for Monitoring IP Multicast Routing Command Purpose mrinfo hostname address source addr...

Page 1178: ...44 64 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 12247 04 Chapter 44 Configuring IP Multicast Routing Monitoring and Maintaining IP Multicast Routing ...

Page 1179: ...standing MSDP MSDP allows multicast sources for a group to be known to all rendezvous points RPs in different domains Each PIM SM domain uses its own RPs and does not depend on RPs in other domains An RP runs MSDP over the Transmission Control Protocol TCP to discover multicast sources in other domains An RP in a PIM SM domain has an MSDP peering relationship with MSDP enabled devices in another d...

Page 1180: ...P to achieve peer reverse path flooding RPF The MSDP device examines the BGP or MBGP routing table to discover which peer is the next hop toward the originating RP of the SA message Such a peer is called an RPF peer reverse path forwarding peer The MSDP device forwards the message to all MSDP peers other than the RPF peer For information on how to configure an MSDP peer when BGP and MBGP are not s...

Page 1181: ...er domain This increases security because you can prevent your sources from being known outside your domain Domains with only receivers can receive data without globally advertising group membership Global source multicast routing table state is not required saving memory Configuring MSDP These sections contain this configuration information Default MSDP Configuration page 45 4 Configuring a Defau...

Page 1182: ...onfigured the switch always accepts all SA messages from that peer Figure 45 2 shows a network in which default MSDP peers might be used In Figure 45 2 a customer who owns Switch B is connected to the Internet through two Internet service providers ISPs one owning Router A and the other owning Router C They are not running BGP or MBGP between them To learn about sources in the ISP s domain or in o...

Page 1183: ...SDP SA messages For ip address name enter the IP address or Domain Name System DNS server name of the MSDP default peer Optional For prefix list list enter the list name that specifies the peer to be the default peer only for the listed prefixes You can have multiple active default peers when you have a prefix list associated with each When you enter multiple ip msdp default peer commands with the...

Page 1184: ...roup soon after a SA message is received by the local RP that member needs to wait until the next SA message to hear about the source This delay is known as join latency If you want to sacrifice some memory in exchange for reducing the latency of the source information you can configure the switch to cache SA messages Step 3 ip prefix list name description string seq number permit deny network len...

Page 1185: ...list are cached For list access list number the range is 100 to 199 Step 3 access list access list number deny permit protocol source source wildcard destination destination wildcard Create an IP extended access list repeating the command as many times as necessary For access list number the range is 100 to 199 Enter the same number created in Step 2 The deny keyword denies access if the condition...

Page 1186: ...eive multicast traffic This procedure is optional To return to the default setting use the no ip msdp sa request ip address name global configuration command This example shows how to configure the switch to send SA request messages to the MSDP peer at 171 69 1 1 Switch config ip msdp sa request 171 69 1 1 Controlling Source Information that Your Switch Originates You can control the multicast sou...

Page 1187: ...ap Configure which S G entries from the multicast routing table are advertised in SA messages By default only sources within the local domain are advertised Optional For list access list name enter the name or number of an IP standard or extended access list The range is 1 to 99 for standard access lists and 100 to 199 for extended lists The access list controls which local sources are advertised ...

Page 1188: ...ing the command as many times as necessary or Create an IP extended access list repeating the command as many times as necessary For access list number the range is 1 to 99 for standard access lists and 100 to 199 for extended lists Enter the same number created in Step 2 The deny keyword denies access if the conditions are matched The permit keyword permits access if the conditions are matched Fo...

Page 1189: ... Enter global configuration mode Step 2 ip msdp filter sa request ip address name or ip msdp filter sa request ip address name list access list number Filter all SA request messages from the specified MSDP peer or Filter SA request messages from the specified MSDP peer for groups that pass the standard access list The access list describes a multicast group address The range for the access list nu...

Page 1190: ...r pass only those SA messages that meet the match criteria in the route map map tag If all match criteria are true a permit from the route map passes routes through the filter A deny filters routes Step 3 access list access list number deny permit protocol source source wildcard destination destination wildcard Optional Create an IP extended access list repeating the command as many times as neces...

Page 1191: ...mode follow these steps to establish a TTL threshold This procedure is optional To return to the default setting use the no ip msdp ttl threshold ip address name global configuration command Controlling Source Information that Your Switch Receives By default the switch receives all SA messages that its MSDP RPF peers send to it However you can control the source information that you receive from M...

Page 1192: ...g If all match criteria are true a permit from the route map passes routes through the filter A deny will filter routes Step 3 access list access list number deny permit protocol source source wildcard destination destination wildcard Optional Create an IP extended access list repeating the command as many times as necessary For access list number enter the number specified in Step 2 The deny keyw...

Page 1193: ...switch Beginning in privileged EXEC mode follow these steps to create a mesh group This procedure is optional To remove an MSDP peer from a mesh group use the no ip msdp mesh group name ip address name global configuration command Shutting Down an MSDP Peer If you want to configure many MSDP commands for the same peer and you do not want the peer to become active you can shut down the peer configu...

Page 1194: ...MSDP peers This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip msdp shutdown peer name peer address Administratively shut down the specified MSDP peer without losing configuration information For peer name peer address enter the IP address or name of the MSDP peer to shut down Step 3 end Return to privileged EXEC mode Step 4 show running c...

Page 1195: ... dense mode sources to be known to the outside world Because this switch is not an RP it would not have an RP address to use in an SA message Therefore this command provides the RP address by specifying the address of the interface Beginning in privileged EXEC mode follow these steps to allow an MSDP speaker that originates an SA message to use the IP address on the interface as the RP address in ...

Page 1196: ... autonomous system The ip msdp cache sa state command must be configured for this command to produce any output show ip msdp peer peer address name Displays detailed information about an MSDP peer show ip msdp sa cache group address source address group name source name autonomous system number Displays S G state learned from MSDP peers show ip msdp summary Displays MSDP peer status and SA message...

Page 1197: ...ing page 46 11 Understanding Fallback Bridging These sections describe how fallback bridging works Fallback Bridging Overview page 46 1 Fallback Bridging and Switch Stacks page 46 3 Fallback Bridging Overview With fallback bridging the switch bridges together two or more VLANs or routed ports essentially connecting multiple VLANs within one bridge domain Fallback bridging forwards traffic that the...

Page 1198: ... address is in the bridge table the packet is forwarded on a single interface in the bridge group If the packet destination address is not in the bridge table the packet is flooded on all forwarding interfaces in the bridge group A source MAC address is learned on a bridge group only when the address is learned on a VLAN the reverse is not true Any address that is learned on a stack member is lear...

Page 1199: ...elearned in the bridge group Note If a stack master running the IP services feature set fails and if the newly elected stack master is running the IP base feature set the switch stack loses its fallback bridging capability If stacks merge or if a switch is added to the stack any new VLANs that are part of a bridge group and become active are included in the VLAN bridge STP When a stack member fail...

Page 1200: ...g a Bridge Group To configure fallback bridging for a set of SVIs or routed ports these interfaces must be assigned to bridge groups All interfaces in the same group belong to the same bridge domain Each SVI or routed port can be assigned to only one bridge group Note The protected port feature is not compatible with fallback bridging When fallback bridging is enabled it is possible for packets to...

Page 1201: ...ion mode Step 2 bridge bridge group protocol vlan bridge Assign a bridge group number and specify the VLAN bridge spanning tree protocol to run in the bridge group The ibm and dec keywords are not supported For bridge group specify the bridge group number The range is 1 to 255 You can create up to 32 bridge groups Frames are bridged only among interfaces in the same group Step 3 interface interfac...

Page 1202: ...l Adjusting BPDU Intervals page 46 8 optional Disabling the Spanning Tree on an Interface page 46 10 optional Note Only network administrators with a good understanding of how switches and STP function should make adjustments to spanning tree parameters Poorly planned adjustments can have a negative impact on performance A good source on switching is the IEEE 802 1D specification For more informat...

Page 1203: ...mand This example shows how to change the priority to 20 on a port in bridge group 10 Switch config interface gigabitethernet2 0 1 Switch config if bridge group 10 priority 20 Assigning a Path Cost Each port has a path cost associated with it By convention the path cost is 1000 data rate of the attached LAN in Mb s Step 4 show running config Verify your entry Step 5 copy running config startup con...

Page 1204: ...aximum Idle Interval page 46 10 optional Note Each switch in a spanning tree adopts the interval between hello BPDUs the forward delay interval and the maximum idle interval parameters of the root switch regardless of what its individual configuration might be Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to set the path co...

Page 1205: ... no bridge bridge group forward time global configuration command This example shows how to change the forward delay interval to 10 seconds in bridge group 10 Switch config bridge 10 forward time 10 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 bridge bridge group hello time seconds Specify the interval between hello BPDUs For bridge group specify the bridge grou...

Page 1206: ...m traveling across the WAN link Beginning in privileged EXEC mode follow these steps to disable spanning tree on a port This procedure is optional To re enable spanning tree on the port use the no bridge group bridge group spanning disabled interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 bridge bridge group max age seconds Specify th...

Page 1207: ...a stack member start a session from the stack master to the stack member by using the session stack member number global configuration command Enter the show bridge bridge group interface id mac address verbose privileged EXEC command at the stack member prompt For information about the fields in these displays see the Cisco IOS Bridging and IBM Networking Command Reference Volume 1 of 2 Release 1...

Page 1208: ...46 12 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 12247 04 Chapter 46 Configuring Fallback Bridging Monitoring and Maintaining Fallback Bridging ...

Page 1209: ...mands used in this chapter see the command reference for this release and the Cisco IOS Command Summary Release 12 2 This chapter consists of these sections Recovering from a Software Failure page 47 2 Recovering from a Lost or Forgotten Password page 47 3 Preventing Switch Stack Problems page 47 8 Note Recovery procedures require that you have physical access to the switch Preventing Autonegotiat...

Page 1210: ...o com see the release notes Step 2 Extract the bin file from the tar file If you are using Windows use a zip program that can read a tar file Use the zip program to navigate to and extract the bin file If you are using UNIX follow these steps 1 Display the contents of the tar file by using the tar tvf image_filename tar UNIX command switch tar tvf image_filename tar 2 Locate the bin file and extra...

Page 1211: ...t ip_addr ip_address mask b Specify the default router switch set default_router ip_address Step 10 Copy the software image from the TFTP server to the switch switch copy tftp ip_address filesystem source file url flash image_filename bin Step 11 Boot up the newly downloaded Cisco IOS image switch boot flash image_filename bin Step 12 Use the archive download sw privileged EXEC command to download...

Page 1212: ...off the switch by using one of these methods Power off the standalone switch or the entire switch stack by using the CMC GUI Remove the switch or stack members from the enclosure On a nonstacking capable switch power off the switch by using the CMC GUI or remove the switch from the enclosure Step 4 Power on the switch by using one of these methods If you powered off the switch by using the CMC GUI...

Page 1213: ... set the console port speed to anything other than 9600 it has been reset to that particular speed Change the emulation software line speed to match that of the switch console port Step 3 Load any helper files switch load_helper Step 4 Display the contents of flash memory switch dir flash The switch file system appears Directory of flash 2 rwx 5752 Mar 1 1993 00 06 02 00 00 config text 3 rwx 24 Ma...

Page 1214: ...oaded and you can change the password Step 10 Enter global configuration mode Switch configure terminal Step 11 Change the password Switch config enable secret password The secret password can be from 1 to 25 alphanumeric characters can start with a number is case sensitive and allows spaces but ignores leading spaces Step 12 Return to privileged EXEC mode Switch config exit Switch Step 13 Write t...

Page 1215: ...ontinues as if the Mode button had not been pressed you cannot access the boot loader prompt and you cannot enter a new password You see the message Press Enter to continue If you enter y yes the configuration file in flash memory and the VLAN database file are deleted When the default configuration loads you can reset the password Step 1 Elect to continue with password recovery and lose the exist...

Page 1216: ... VLAN configuration files available you should use those Step 11 Reload the switch Switch reload Preventing Switch Stack Problems Note Make sure that the switches that you add to or remove from the switch stack are powered off For all powering considerations in switch stacks see the Switch Installation chapter in the hardware installation guide After adding or removing stack members make sure that...

Page 1217: ...e switch settings for speed 10 Mb s 100 Mb s and 1000 Mb s excluding SFP module ports and duplex half or full There are situations when this protocol can incorrectly align these settings reducing performance A mismatch occurs under these circumstances A manually set speed or duplex parameter is different from the manually set speed or duplex parameter on the connected port A port is set to autoneg...

Page 1218: ...odule error message is generated In this case you should remove and re insert the SFP module If it continues to fail the SFP module might be defective Monitoring SFP Module Status You can check the physical or operational status of an SFP module by using the show interfaces transceiver privileged EXEC command This command shows the operational status such as the temperature and the current for an ...

Page 1219: ...estination unreachable message is returned Network or host unreachable If there is no entry in the route table for the host or network a network or host unreachable message is returned Executing Ping If you attempt to ping a host in a different IP subnetwork you must define a static route to the network or have IP routing configured to route between those subnets For more information see Chapter 3...

Page 1220: ...ute feature allows the switch to identify the physical path that a packet takes from a source device to a destination device Layer 2 traceroute supports only unicast source and destination MAC addresses It finds the path by using the MAC address tables of the switches in the path When the switch detects a device in the path that does not support Layer 2 traceroute the switch continues to send Laye...

Page 1221: ...AN If you specify source and destination MAC addresses that belong to different VLANs the Layer 2 path is not identified and an error message appears If you specify a multicast source or destination MAC address the path is not identified and an error message appears If the source or destination MAC address belongs to multiple VLANs you must specify the VLAN to which both the source and destination...

Page 1222: ...the intermediate switch is a multilayer switch that is routing a particular packet this switch shows up as a hop in the traceroute output The traceroute privileged EXEC command uses the Time To Live TTL field in the IP header to cause routers and servers to generate specific return messages Traceroute starts by sending a User Datagram Protocol UDP datagram to the destination host with the TTL fiel...

Page 1223: ...msec 0 msec 4 171 9 4 5 0 msec 4 msec 0 msec 5 171 9 121 34 0 msec 4 msec 4 msec 6 171 9 15 9 120 msec 132 msec 128 msec 7 171 9 15 10 132 msec 128 msec 128 msec Switch The display shows the hop count the IP address of the router and the round trip time in milliseconds for each of the three probes that are sent To end a trace in progress enter the escape sequence Ctrl X by default Simultaneously p...

Page 1224: ...air wires is open TDR can find the length at which the wire is open Use TDR to diagnose and resolve cabling problems in these situations Replacing a switch Setting up a wiring closet Troubleshooting a connection between two devices when a link cannot be established or when it is not operating properly When you run TDR the switch reports accurate information if The cable for the Gigabit link is a s...

Page 1225: ...k member you must start a session from the stack master by using the session switch number privileged EXEC command Then enter the debug command at the command line prompt of the stack member All debug commands are entered in privileged EXEC mode and most debug commands take no arguments For example beginning in privileged EXEC mode enter this command to enable the debugging for Switched Port Analy...

Page 1226: ... Possible destinations include the console virtual terminals internal buffer and UNIX hosts running a syslog server The syslog format is compatible with 4 3 Berkeley Standard Distribution BSD UNIX and its derivatives Note Be aware that the debugging destination you use affects system overhead Logging messages to the console produces very high overhead whereas logging messages to a virtual terminal...

Page 1227: ...a InptACL 40_0D020202_0D010101 00_40000014_000A0000 01FFA 03000000 L2Local 80_00050002_00020002 00_00000000_00000000 00C71 0000002B Station Descriptor 02340000 DestIndex 0239 RewriteIndex F005 Egress Asic 2 switch 1 Output Packets Packet 1 Lookup Key Used Index Hit A Data OutptACL 50_0D020202_0D010101 00_40000014_000A0000 01FFE 03000000 Port Vlan SrcMac DstMac Cos Dscpv Gi1 0 1 0005 0001 0001 0001...

Page 1228: ...D010101 00_41000014_000A0000 01FFA 03000000 L3Local 00_00000000_00000000 90_00001400_0D020202 010F0 01880290 L3Scndr 12_0D020202_0D010101 00_40000014_000A0000 034E0 000C001D_00000000 Lookup Used Secondary Station Descriptor 02260000 DestIndex 0226 RewriteIndex 0000 This is an example of the output when the packet coming in on port 1 in VLAN 5 has a destination MAC address set to the router MAC add...

Page 1229: ...ent failure Version numbers are used instead of a timestamp because the switches do not include a real time clock You cannot change the name of the file that the system will use when it creates the file However after the file is created you can use the rename privileged EXEC command to rename it but the contents of the renamed file will not be displayed by the show stacks or the show tech support ...

Page 1230: ...of the hardware related system messages generated by a standalone switch or a stack member Temperature Temperature of a standalone switch or a stack member Uptime data Time when a standalone switch or a stack member starts the reason the switch restarts and the length of time the switch has been running since it last restarted Voltage System voltages of a standalone switch or a stack member You sh...

Page 1231: ...or Displaying OBFL Information Command Purpose show logging onboard module switch number clilog Displays the OBFL CLI commands that were entered on a standalone switch or the specified stack members show logging onboard module switch number environment Display the UDI information for a standalone switch or the specified stack members and for all the connected FRU devices the PID the VID and the se...

Page 1232: ...ld DHCP or IEEE 802 1x failures if the switch does not forward or respond to requests Layer 3 switches Dropped packets or increased latency for packets routed in software BGP or OSPF routing topology changes HSRP flapping Verifying the Problem and Cause To determine if high CPU utilization is a problem enter the show processes cpu sorted privileged EXEC command Note the underlined information in t...

Page 1233: ...rrective Action Interrupt percentage value is almost as high as total CPU utilization value The CPU is receiving too many packets from the network Determine the source of the network packet Stop the flow or change the switch configuration See the section on Analyzing Network Traffic Total CPU utilization is greater than 50 with minimal time spent on interrupts One or more Cisco IOS process is cons...

Page 1234: ...47 26 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 12247 04 Chapter 47 Troubleshooting Troubleshooting CPU Utilization ...

Page 1235: ...ng Online Diagnostics With online diagnostics you can test and verify the hardware functionality of the switch while the switch is connected to a live network The online diagnostics contain packet switching tests that check different hardware components and verify the data path and the control signals The online diagnostics detect problems in these areas Hardware components Interfaces Ethernet por...

Page 1236: ...sting for a specific day and time on a standalone switch Switch config diagnostic schedule test TestPortAsicCam on december 3 2006 22 25 Command Purpose diagnostic schedule switch number test name test id test id range all basic non disruptive daily hh mm on mm dd yyyy hh mm weekly day of week hh mm Schedule on demand diagnostic tests for a specific day and time The switch number keyword is suppor...

Page 1237: ...gure and enable the health monitoring diagnostic tests Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 diagnostic monitor interval switch number test name test id test id range all hh mm ss milliseconds day Configure the health monitoring interval of the specified tests The switch number keyword is supported only on stacking capable switches The range is from 1 to ...

Page 1238: ...mber of the test that appears in the show diagnostic content command output test id range ID numbers of the tests that appear in the show diagnostic content command output all All of the diagnostic tests The range for the failure threshold count is 0 to 99 Step 5 diagnostic monitor switch number test name test id test id range all Enable the specified health monitoring tests The switch number keyw...

Page 1239: ...8 5 Displaying Online Diagnostic Tests and Test Results page 48 6 Starting Online Diagnostic Tests After you configure diagnostic tests to run on the switch use the diagnostic start privileged EXEC command to begin diagnostic testing Use this privileged EXEC command to manually start online diagnostic testing After starting the tests you cannot stop the testing process Command Purpose diagnostic s...

Page 1240: ...agnostic command output see the Examples section of the show diagnostic command in the command reference for this release Table 48 1 Commands for Diagnostic Test Configuration and Results Command Purpose show diagnostic content switch number all 1 1 The switch number all parameter is supported only on stacking capable switches Display the online diagnostics configured for a switch show diagnostic ...

Page 1241: ...mation for VLAN 1 To obtain the BRIDGE MIB information for other VLANs for example VLAN x use this community string in the SNMP message configured community string x CISCO CABLE DIAG MIB CISCO CDP MIB CISCO CONFIG COPY MIB CISCO CONFIG MAN MIB CISCO DHCP SNOOPING MIB CISCO ENTITY FRU CONTROL MIB CISCO ENTITY VENDORTYPE OID MIB CISCO ENVMON MIB CISCO ERR DISABLE MIB CISCO FLASH MIB Flash memory on ...

Page 1242: ...rs depending on switch configuration CISCO PORT STORM CONTROL MIB CISCO PRIVATE VLAN MIB CISCO POWER ETHERNET EXT MIB CISCO PROCESS MIB Only stack master details are shown CISCO PRODUCTS MIB CISCO RTTMON MIB CISCO SLB MIB Only with the IP services feature sets CISCO SMI MIB CISCO STACK MIB Partial support on stacking capable switches for some objects only stack master information is supported ENTI...

Page 1243: ...OLD CISCO IP MIB OLD CISCO SYS MIB OLD CISCO TCP MIB OLD CISCO TS MIB PIM MIB powerConnect3000MIB Partial support on the Cisco Catalyst Blade Switch 3130 for Dell RFC1213 MIB Functionality is as per the agent capabilities specified in the CISCO RFC1213 CAPABILITY my RFC1253 MIB OSPF MIB RMON MIB RMON2 MIB SNMP FRAMEWORK MIB SNMP MPD MIB SNMP NOTIFICATION MIB SNMP TARGET MIB SNMPv2 MIB TCP MIB UDP ...

Page 1244: ...this procedure Step 1 Make sure that your FTP client is in passive mode Note Some FTP clients do not support passive mode Step 2 Use FTP to access the server ftp cisco com Step 3 Log in with the username anonymous Step 4 Enter your e mail username when prompted for the password Step 5 At the ftp prompt change directories to pub mibs v1 and pub mibs v2 Step 6 Use the get MIB_filename command to obt...

Page 1245: ... a single flash device on which you can store files It also provides several commands to help you manage software image and configuration files The default flash file system on the switch is named flash As viewed from the stack master or any stack member flash refers to the local flash device which is attached to the same switch on which the file system is being viewed In a switch stack each of th...

Page 1246: ...20138 nvram rw nvram network rw tftp opaque rw null opaque rw system opaque ro xmodem opaque ro ymodem To display the available file systems on your switch use the show file systems privileged EXEC command as shown in this example for a stacking capable switch In this example the stack master is stack member 2 therefore flash2 is aliased to flash The file system on stack member 5 is displayed as f...

Page 1247: ...g a new configuration file to flash memory you might want to verify that the file system does not already contain a configuration file with the same name Similarly before copying a flash configuration file to another location you might want to verify its filename for use in another command Type Type of file system flash The file system is for a flash memory device nvram The file system is for a NV...

Page 1248: ...Directory Beginning in privileged EXEC mode follow these steps to change directories and to display the working directory Table B 2 Commands for Displaying Information About Files Command Description dir all filesystem filename Display a list of files on a file system show file systems Display more information about each of the files on a file system show file information file url Display informat...

Page 1249: ...s cannot be recovered Copying Files To copy a file from a source to a destination use the copy source url destination url privileged EXEC command For the source and destination URLs you can use running config and startup config keyword shortcuts For example the copy running config startup config command saves the currently running configuration file to the NVRAM section of flash memory to be used ...

Page 1250: ...only once at the beginning of this deletion process Use the force and recursive keywords for deleting old software images that were installed by using the archive download sw command but are no longer needed If you omit the filesystem option the switch uses the default device specified by the cd command For file url you specify the path directory and the name of the file to be deleted When you att...

Page 1251: ...rectory filename TFTP syntax tftp location directory filename For flash file url specify the location on the local flash file system in which the new file is created You can also specify an optional list of files or directories within the source directory to add to the new file If none are specified all files and directories at this level are written to the newly created file Step 2 archive table ...

Page 1252: ...31x0 universal mz 122 40 EX1 html xhome htm 9373 bytes cbs31x0 universal mz 122 40 EX1 html menu css 1654 bytes output truncated This example shows how to extract the contents of a file located on the TFTP server at 172 20 10 30 Switch archive xtract tftp 172 20 10 30 saved flash new configs This example shows how to display the contents of a configuration file on a TFTP server Switch more tftp se...

Page 1253: ...r network and want it to have a configuration similar to the original switch By copying the file to the new switch you can change the relevant parts rather than recreating the whole file To load the same configuration commands on all the switches in your network so that all the switches have similar configurations You can copy upload configuration files from the switch to a file server by using TF...

Page 1254: ... the command line The switch does not erase the existing running configuration before adding the commands If a command in the copied configuration file replaces a command in the existing configuration file the existing command is erased For example if the copied configuration file contains a different IP address in a particular command than the existing configuration the IP address in the copied c...

Page 1255: ...the switch by using configuration files you create download from another switch or download from a TFTP server You can copy upload configuration files to a TFTP server for storage These sections contain this configuration information Preparing to Download or Upload a Configuration File By Using TFTP page B 11 Downloading the Configuration File By Using TFTP page B 12 Uploading the Configuration Fi...

Page 1256: ...he Preparing to Download or Upload a Configuration File By Using TFTP section on page B 11 Step 3 Log into the switch through the console port the Ethernet management port or a Telnet session Step 4 Download the configuration file from the TFTP server to configure the switch Specify the IP address or hostname of the TFTP server and the name of the file to download Use one of these privileged EXEC ...

Page 1257: ...isco IOS software sends the first valid username in this list The username specified in the copy command if a username is specified The username set by the ip ftp username username global configuration command if the command is configured Anonymous The switch sends the first valid password in this list The password specified in the copy command if a password is specified The password set by the ip...

Page 1258: ...sername create a new FTP username by using the ip ftp username username global configuration command during all copy operations The new username is stored in NVRAM If you are accessing the switch through a Telnet session and you have a valid username this username is used and you do not need to set the FTP username Include the username in the copy command if you want to specify a username for only...

Page 1259: ...name netadmin1 Switch config ip ftp password mypass Switch config end Switch copy ftp nvram startup config Address of remote host 255 255 255 255 172 16 101 101 Name of configuration file rtr2 confg host2 confg Configure using host2 confg from 172 16 101 101 confirm Connected to 172 16 101 101 Loading 1112 byte file host2 confg OK OK Switch SYS 5 CONFIG_NV Non volatile store configured from host2 ...

Page 1260: ...he switch Unlike TFTP which uses User Datagram Protocol UDP a connectionless protocol RCP uses TCP which is connection oriented To use RCP to copy files the server from or to which you will be copying files must support RCP The RCP copy commands rely on the rsh server or daemon on the remote system To copy files by using RCP you do not need to create a server for file distribution as you do with T...

Page 1261: ...oad a Configuration File By Using RCP Before you begin downloading or uploading a configuration file by using RCP do these tasks Ensure that the workstation acting as the RCP server supports the remote shell rsh Ensure that the switch has a route to the RCP server The switch and the server must be in the same subnetwork if you do not have a router to route traffic between subnets Check connectivit...

Page 1262: ...Switch configure terminal Switch config ip rcmd remote username netadmin1 Switch config end Switch copy rcp nvram startup config Address of remote host 255 255 255 255 172 16 101 101 Name of configuration file rtr2 confg host2 confg Configure using host2 confg from 172 16 101 101 confirm Connected to 172 16 101 101 Loading 1112 byte file host2 confg OK OK Switch SYS 5 CONFIG_NV Non volatile store ...

Page 1263: ...figuration file to write switch2 confg Write file switch2 confg on host 172 16 101 101 confirm OK Clearing Configuration Information You can clear the configuration information from the startup configuration If you reboot the switch with no startup configuration the switch enters the setup program so that you can reconfigure the switch with all new settings Command Purpose Step 1 Verify that the R...

Page 1264: ...aces the running configuration with any saved Cisco IOS configuration file You can use the rollback function to roll back to a previous configuration These sections contain this information Understanding Configuration Replacement and Rollback page B 20 Configuration Guidelines page B 21 Configuring the Configuration Archive page B 22 Performing a Configuration Replacement or Rollback Operation pag...

Page 1265: ...ve to the configure replace target url privileged EXEC command note these major differences The copy source url running config command is a merge operation and preserves all the commands from both the source file and the running configuration This command does not remove commands from the running configuration that are not present in the source file In contrast the configure replace target url com...

Page 1266: ...e Configuration Archive Using the configure replace command with the configuration archive and with the archive config command is optional but offers significant benefit for configuration rollback scenarios Before using the archive config command you must first configure the configuration archive Starting in privileged EXEC mode follow these steps to configure the configuration archive Command Pur...

Page 1267: ...ration file created in Step 2 by using the archive config privileged EXEC command list Display a list of the command entries applied by the software parser during each pass of the configuration replacement operation The total number of passes also appears force Replace the running configuration file with the specified saved configuration file without prompting you for confirmation time seconds Spe...

Page 1268: ...ease notes You can replace the current image with the new one or keep the current image in flash memory after a download You can use the archive download sw allow feature upgrade privileged EXEC command to allow installation of an image with a different feature set for example upgrading from the noncryptographic universal image with the IP services feature set to the cryptographic universal image ...

Page 1269: ...ile format which contains these files An info file which serves as a table of contents for the file One or more subdirectories containing other images and files such as Cisco IOS images and web management files This example shows some of the information contained in the info file Table B 3 provides additional details about this information system_type 0x00000000 cbs31x0 universal mz 122 40 EX1 ima...

Page 1270: ...a switch with an incompatible software image use the archive copy sw privileged EXEC command to copy the software image from an existing stack member to the incompatible switch That switch automatically reloads and joins the stack as a fully functioning member These sections contain this configuration information Preparing to Download or Upload an Image File By Using TFTP page B 26 Downloading an ...

Page 1271: ...le are set correctly The permission on the file should be world read Before uploading the image file you might need to create an empty file on the TFTP server To create an empty file enter the touch filename command where filename is the name of the file you will use when uploading the image to the server During upload operations if you are overwriting an existing file including an empty file if y...

Page 1272: ...e option allows installation of a software images with different feature sets Optional The directory option specifies a directory for the images The overwrite option overwrites the software image in flash memory with the downloaded image The reload option reloads the system after downloading the image unless the configuration has been changed and not been saved For location specify the IP address ...

Page 1273: ...he existing image Beginning in privileged EXEC mode follow these steps to upload an image to a TFTP server The archive upload sw privileged EXEC command builds an image file on the server by uploading these files in order info the Cisco IOS image and the web management files After these files are uploaded the upload algorithm creates the file format Caution For the download and upload algorithms t...

Page 1274: ...res a client to send a remote username and password on each FTP request to a server When you copy an image file from the switch to a server by using FTP the Cisco IOS software sends the first valid username in this list The username specified in the archive download sw or archive upload sw privileged EXEC command if a username is specified The username set by the ip ftp username username global co...

Page 1275: ... this username is used and you do not need to set the FTP username Include the username in the archive download sw or archive upload sw privileged EXEC command if you want to specify a username for that operation only When you upload an image file to the FTP server it must be properly configured to accept the write request from the user on the switch For more information see the documentation for ...

Page 1276: ... section on page B 30 For location specify the IP address of the FTP server For directory image name1 tar directory image name2 tar image name3 tar image name4 tar specify the directory optional and the images to download Directory and image names are case sensitive Step 8 archive download sw directory leave old sw reload tftp location directory image name1 tar image name2 tar image name3 tar imag...

Page 1277: ...the leave old sw keyword you can remove it by entering the delete force recursive filesystem file url privileged EXEC command For filesystem use flash for the system board flash device For file url enter the directory name of the old software image All the files in the directory and the directory are removed Caution For the download and upload algorithms to operate properly do not rename image nam...

Page 1278: ...files For switch stacks the archive download sw and archive upload sw privileged EXEC commands can only be used through the stack master Software images downloaded to the stack master are automatically downloaded to the rest of the stack members To upgrade a switch with an incompatible software image use the archive copy sw privileged EXEC command to copy the software image from an existing stack ...

Page 1279: ...r example if the user is connected to the router through Telnet and was authenticated through the username command the switch software sends the Telnet username as the remote username The switch hostname For the RCP copy request to execute successfully an account must be defined on the network server for the remote username If the server has a directory structure the image file is written to or co...

Page 1280: ...mpany com Switch1 For more information see the documentation for your RCP server Downloading an Image File By Using RCP You can download a new image file and replace or keep the current image Beginning in privileged EXEC mode follow Steps 1 through 6 to download a new image from an RCP server and overwrite the existing image To keep the current image go to Step 6 Command Purpose Step 1 Verify that...

Page 1281: ...ion specify the IP address of the RCP server For directory image name1 tar directory image name2 tar image name3 tar image name4 tar specify the directory optional and the images to download Directory and image names are case sensitive Step 7 archive download sw directory leave old sw reload tftp location directory image name1 tar image name2 tar image name3 tar image name4 tar Download the images...

Page 1282: ...mage If you kept the old software during the download process you specified the leave old sw keyword you can remove it by entering the delete force recursive filesystem file url privileged EXEC command For filesystem use flash for the system board flash device For file url enter the directory name of the old software image All the files in the directory and the directory are removed Caution For th...

Page 1283: ...to copy the software image from an existing stack member to the one that has incompatible software That switch automatically reloads and joins the stack as a fully functioning member Note To use the archive copy sw privileged EXEC command you must have downloaded from a TFTP server the images for both the stack member switch being added and the stack master You use the archive download sw privileg...

Page 1284: ...d the updated stack member Note At least one stack member must be running the image that is to be copied to the switch that is running the incompatible software For destination system destination stack member number specify the number of the stack member the destination to which to copy the source running image file If you do not specify this stack member number the default is to copy the running ...

Page 1285: ...ftware feature and command mode Access Control Lists Unsupported Privileged EXEC Commands access enable host timeout minutes access template access list number name dynamic name source destination timeout minutes clear access template access list number name dynamic name source destination show access lists rate limit destination show accounting show ip accounting checkpoint output packets access ...

Page 1286: ...ve config logging persistent show archive config show archive log ARP Commands Unsupported Global Configuration Commands arp ip address hardware address smds arp ip address hardware address srp a arp ip address hardware address srp b Unsupported Interface Configuration Commands arp probe ip probe proxy Boot Loader Commands Unsupported User EXEC Commands verify Unsupported Global Configuration Comm...

Page 1287: ...rameters are not supported for this command event manager run policy name paramater1 paramater15 Unsupported Global Configuration Commands no event manager directory user repository url location event manager applet applet name maxrun Unsupported Commands in Applet Configuration Mode no event interface name interface name parameter counter name entry val entry counter value entry op gt ge eq ne lt...

Page 1288: ...up circuit group circuit group pause milliseconds bridge bridge group circuit group circuit group source based bridge cmf bridge crb bridge bridge group domain domain name bridge irb bridge bridge group mac address table limit number bridge bridge group multicast source bridge bridge group protocol dec bridge bridge group route protocol bridge bridge group subscriber policy policy subscriber polic...

Page 1289: ... output pattern list access list number bridge group bridge group output type list access list number bridge group bridge group sse bridge group bridge group subscriber loop control bridge group bridge group subscriber trunk bridge bridge group lat service filtering frame relay map bridge dlci broadcast interface bvi bridge group x25 map bridge x 121 address broadcast options keywords HSRP Unsuppo...

Page 1290: ... type number The debug ip packet command displays packets received by the switch CPU It does not display packets that are hardware switched The debug ip mcache command affects packets received by the switch CPU It does not display packets that are hardware switched The debug ip mpacket detail access list number group name or address command affects only packets received by the switch CPU Because m...

Page 1291: ...ds frame relay ip rtp header compression active passive frame relay map ip ip address dlci broadcast compress frame relay map ip ip address dlci rtp header compression active passive ip igmp helper address ip address ip multicast helper map group address broadcast broadcast address multicast address extended access list number ip multicast rate limit in out video whiteboard group list access list ...

Page 1292: ... Configuration Commands ip accounting precedence input output ip accounting list ip address wildcard ip as path access list ip accounting transits count ip cef accounting per prefix non recursive ip cef traffic statistics load interval seconds update rate seconds ip flow aggregation ip flow cache ip flow export ip gratuitous arps ip local ip prefix list ip reflexive list router egp router isis rou...

Page 1293: ...ion network backdoor table map Unsupported VPN Configuration Commands All Unsupported Route Map Commands match route type for policy based routing PBR set as path tag prepend as path string set automatic tag set dampening half life reuse suppress max suppress time set default interface interface id interface id set interface interface id interface id set ip default next hop ip address ip address s...

Page 1294: ...how mac address table multicast show mac address table notification show mac address table static show mac address table vlan show mac address table multicast Note Use the show ip igmp snooping groups privileged EXEC command to display Layer 2 multicast address table entries for a VLAN Unsupported Global Configuration Commands mac address table aging time mac address table notification mac address...

Page 1295: ...stacking capable switches track object number rtr MSDP Unsupported Privileged EXEC Commands show access expression show exception show location show pm LINE show smf interface id show subscriber policy policy number show template template name Unsupported Global Configuration Commands ip msdp default peer ip address name prefix list list Because BGP MBGP is not supported use the ip msdp peer comma...

Page 1296: ...show ip nat translations QoS Unsupported Global Configuration Command priority list Unsupported Interface Configuration Commands priority group rate limit Unsupported Policy Map Configuration Command class class default where class default is the class map name RADIUS Unsupported Global Configuration Commands aaa nas port extended aaa authentication feature default enable aaa authentication featur...

Page 1297: ...nds snmp server enable informs snmp server ifindex persist Spanning Tree Unsupported Global Configuration Command spanning tree pathcost method long short Unsupported Interface Configuration Command spanning tree stack port VLAN Unsupported Global Configuration Command vlan internal allocation policy ascending descending Unsupported User EXEC Commands show running config vlan show vlan ifindex vla...

Page 1298: ... OL 12247 04 Appendix C Unsupported Commands in Cisco IOS Release 12 2 52 SE VTP Unsupported VLAN Database commands vtp vlan VTP Unsupported Privileged EXEC Command vtp password password pruning version number Note This command has been replaced by the vtp global configuration command ...

Page 1299: ...tunneling 17 11 defined 11 3 access template 8 1 accounting with 802 1x 9 48 with IEEE 802 1x 9 14 with RADIUS 7 34 with TACACS 7 11 7 17 ACEs and QoS 36 8 defined 34 2 Ethernet 34 2 IP 34 2 ACLs ACEs 34 2 any keyword 34 13 applying on bridged packets 34 38 on multicast packets 34 39 on routed packets 34 39 on switched packets 34 37 time ranges to 34 17 to an interface 34 20 35 8 to IPv6 interface...

Page 1300: ... names 35 4 number per QoS class map 36 33 port 34 2 35 1 precedence of 34 2 QoS 36 8 36 44 resequencing entries 34 15 router 34 2 35 1 router ACLs and VLAN map configuration guidelines 34 36 standard IP configuring for QoS classification 36 44 36 46 standard IPv4 creating 34 10 matching criteria 34 8 support for 1 10 support in hardware 34 22 time ranges 34 17 types supported 34 2 unsupported fea...

Page 1301: ...ximum for MSTP 19 23 19 24 for STP 18 23 18 24 alarms RMON 31 3 allowed VLAN list 13 20 application engines redirecting traffic to 43 1 area border routers See ABRs area routing IS IS 38 67 ISO IGRP 38 67 ARP configuring 38 10 defined 1 6 6 30 38 10 encapsulation 38 11 static cache configuration 38 10 table address resolution 6 30 managing 6 30 ASBRs 38 27 AS path filters BGP 38 57 asymmetrical li...

Page 1302: ...1 19 mismatches 47 9 autonomous system boundary routers See ASBRs autonomous systems in BGP 38 50 Auto RP described 44 6 autosensing port speed 1 4 autostate exclude 11 6 auxiliary VLAN See voice VLAN availability features 1 8 B BackboneFast described 20 7 disabling 20 17 enabling 20 16 support for 1 8 backup interfaces See Flex Links backup links 21 2 banners configuring login 6 18 message of the...

Page 1303: ... 3 2 environment variables 3 20 prompt 3 20 trap door mechanism 3 2 bootstrap router BSR described 44 7 Border Gateway Protocol See BGP BPDU error disabled state 20 2 filtering 20 3 RSTP format 19 12 BPDU filtering described 20 3 disabling 20 15 enabling 20 14 support for 1 8 BPDU guard described 20 2 disabling 20 14 enabling 20 13 support for 1 8 bridged packets ACLs on 34 38 bridge groups See fa...

Page 1304: ...orwarding See CEF Cisco Group Management Protocol See CGMP Cisco IOS DHCP server See DHCP Cisco IOS DHCP server Cisco IOS File System See IFS Cisco IOS IP SLAs 41 1 Cisco Secure ACS attribute value pairs for downloadable ACLs 9 19 attribute value pairs for redirect URL 9 19 Cisco Secure ACS configuration guide 9 60 Cisco StackWise Plus technology 1 3 See also stacks switch CiscoWorks 2000 1 5 33 4...

Page 1305: ...ty list BGP 38 60 community ports 16 2 community strings configuring 33 8 overview 33 4 community VLANs 16 2 16 3 compatibility feature 26 12 compatibility software See stacks switch config text 3 17 configurable leave timer IGMP 24 6 configuration initial defaults 1 17 Express Setup 1 2 configuration examples network 1 20 configuration files archiving B 20 clearing the startup configuration B 20 ...

Page 1306: ...S input queue threshold map for QoS 36 17 CoS output queue threshold map for QoS 36 20 CoS to DSCP map for QoS 36 68 counters clearing interface 11 29 CPU utilization troubleshooting 47 24 crashinfo file 47 21 critical authentication IEEE 802 1x 9 52 critical VLAN 9 22 cross stack EtherChannel configuration guidelines 37 12 configuring on Layer 2 interfaces 37 12 on Layer 3 physical interfaces 37 ...

Page 1307: ...l tunneling 17 11 LLDP 29 4 MAC address table 6 21 MAC address table move update 21 8 MSDP 45 4 MSTP 19 14 multi VRF CE 38 80 MVR 24 20 NTP 6 4 optional spanning tree configuration 20 12 OSPF 38 28 password and privilege level 7 2 PIM 44 10 private VLANs 16 6 RADIUS 7 27 RIP 38 21 RMON 31 3 RSPAN 30 11 SDM template 8 4 SNMP 33 6 SPAN 30 11 SSL 7 53 standard QoS 36 31 STP 18 13 switch stacks 5 21 s...

Page 1308: ...3 7 overview 3 3 relationship to BOOTP 3 4 relay support 1 6 1 15 support for 1 6 DHCP based autoconfiguration and image update configuring 3 11 to 3 14 understanding 3 5 to 3 6 DHCP binding database See DHCP snooping binding database DHCP binding table See DHCP snooping binding database DHCP option 82 circuit ID suboption 22 5 configuration guidelines 22 9 default configuration 22 8 displaying 22...

Page 1309: ...uration 39 16 described 39 6 enabling client function 39 19 enabling DHCPv6 server function 39 17 diagnostic schedule command 48 2 Differentiated Services architecture QoS 36 2 Differentiated Services Code Point 36 2 Diffusing Update Algorithm DUAL 38 37 directed unicast requests 1 6 directories changing B 4 creating and removing B 5 displaying the working B 4 Distance Vector Multicast Routing Pro...

Page 1310: ...domain to DVMRP router 44 51 enabling unicast routing 44 54 interoperability with Cisco devices 44 49 with Cisco IOS software 44 9 mrinfo requests responding to 44 53 neighbors advertising the default route to 44 52 discovery with Probe messages 44 49 displaying information 44 53 prevent peering with nonpruning 44 56 rejecting nonpruning 44 55 overview 44 8 routes adding a metric offset 44 60 adve...

Page 1311: ... states 23 3 priority of ARP ACLs and DHCP snooping entries 23 4 rate limiting of ARP packets configuring 23 10 described 23 4 error disabled state 23 4 statistics clearing 23 15 displaying 23 15 validation checks performing 23 11 dynamic auto trunking mode 13 17 dynamic desirable trunking mode 13 17 Dynamic Host Configuration Protocol See DHCP based autoconfiguration dynamic port VLAN membership ...

Page 1312: ...Layer 2 interfaces 37 12 Layer 3 physical interfaces 37 15 Layer 3 port channel logical interfaces 37 14 default configuration 37 10 described 37 2 displaying status 37 22 forwarding methods 37 8 37 17 IEEE 802 3ad described 37 6 interaction with STP 37 11 with VLANs 37 12 LACP described 37 6 displaying status 37 22 hot standby ports 37 19 interaction with other features 37 7 modes 37 7 port prior...

Page 1313: ...nfo file 47 21 extended range VLANs configuration guidelines 13 11 configuring 13 11 creating 13 12 creating with an internal VLAN ID 13 13 defined 13 1 extended system ID MSTP 19 17 STP 18 4 18 16 extended universal identifier See EUI Extensible Authentication Protocol over LAN 9 1 external BGP See EBGP external neighbors BGP 38 50 F Fa0 port See Ethernet management port internal failover support...

Page 1314: ...ion 47 21 tar creating B 7 displaying the contents of B 7 extracting B 8 image file format B 25 file system displaying available file systems B 2 displaying file information B 3 local file system names B 1 network file system names B 5 setting the default B 3 filtering in a VLAN 34 30 IPv6 traffic 35 3 35 8 non IP traffic 34 28 show and more command output 2 9 filtering show and more command outpu...

Page 1315: ...uration mode 2 2 global leave IGMP 24 13 guest VLAN and IEEE 802 1x 9 20 guide mode 1 3 GUIs See device manager and Network Assistant H hardware limitations and Layer 3 interfaces 11 24 hello time MSTP 19 22 STP 18 22 help for the command line 2 3 hierarchical policy maps 36 9 configuration guidelines 36 34 configuring 36 58 described 36 12 history changing the buffer size 2 5 described 2 5 disabl...

Page 1316: ... SLAs 41 10 ICMP ping executing 47 11 overview 47 11 ICMP Router Discovery Protocol See IRDP ICMPv6 39 4 IDS appliances and ingress RSPAN 30 22 and ingress SPAN 30 15 IEEE 802 1D See STP IEEE 802 1p 15 1 IEEE 802 1Q and trunk ports 11 3 configuration limitations 13 18 encapsulation 13 15 native VLAN for untagged traffic 13 22 tunneling compatibility with other features 17 6 defaults 17 4 described...

Page 1317: ...me value 44 43 pruning groups 44 43 query timeout value 44 42 IGMP filtering configuring 24 25 default configuration 24 25 described 24 24 monitoring 24 29 support for 1 5 IGMP groups configuring filtering 24 28 setting the maximum number 24 27 IGMP helper 44 6 IGMP Immediate Leave configuration guidelines 24 12 described 24 6 enabling 24 11 IGMP profile applying 24 27 configuration mode 24 25 con...

Page 1318: ...atus 11 28 supported 11 8 types of 11 1 interfaces range macro command 11 11 interface types 11 8 Interior Gateway Protocol See IGP internal BGP See IBGP internal neighbors BGP 38 50 Internet Control Message Protocol See ICMP Internet Group Management Protocol See IGMP Internet Protocol version 6 See IPv6 Inter Switch Link See ISL inter VLAN routing 1 14 38 2 Intrusion Detection System See IDS app...

Page 1319: ...ting 44 12 IP multicast boundary 44 46 default configuration 44 10 enabling multicast forwarding 44 13 PIM mode 44 13 group to RP mappings Auto RP 44 6 BSR 44 7 MBONE deleting sdr cache entries 44 62 described 44 45 displaying sdr cache 44 63 enabling sdr listener support 44 46 limiting DVMRP routes advertised 44 57 limiting sdr cache entry lifetime 44 46 SAP packets for conference session announc...

Page 1320: ...measuring network performance 41 2 monitoring 41 13 multioperations scheduling 41 5 object tracking 42 9 operation 41 3 reachability tracking 42 9 responder described 41 3 enabling 41 7 response time 41 4 scheduling 41 5 SNMP support 41 2 supported metrics 41 2 threshold monitoring 41 5 track state 42 9 UDP jitter operation 41 8 IP source guard and DHCP snooping 22 16 and EtherChannels 22 19 and I...

Page 1321: ... 38 26 inter VLAN 38 2 IP addressing classes 38 7 configuring 38 5 IPv6 39 3 IRDP 38 13 Layer 3 interfaces 38 5 MAC address and IP address 38 9 passive interfaces 38 104 protocols distance vector 38 3 dynamic 38 3 link state 38 3 proxy ARP 38 10 redistribution 38 96 reverse address resolution 38 9 routed ports 38 5 static routing 38 3 steps to configure 38 5 subnet mask 38 7 subnet zero 38 7 super...

Page 1322: ...ding static routes 39 6 IPv6 traffic filtering 35 3 IRDP configuring 38 13 definition 38 13 support for 1 15 IS IS addresses 38 67 area routing 38 67 default configuration 38 69 monitoring 38 76 show commands 38 76 system routing 38 67 ISL and IPv6 39 3 and trunk ports 11 3 encapsulation 1 9 13 15 trunking with IEEE 802 1 tunneling 17 5 ISO CLNS clear commands 38 76 dynamic routing protocols 38 67...

Page 1323: ...cast traffic 47 12 usage guidelines 47 13 Layer 3 features 1 14 Layer 3 interfaces assigning IP addresses to 38 7 assigning IPv4 and IPv6 addresses to 39 15 assigning IPv6 addresses to 39 13 changing from Layer 2 mode 38 7 38 83 38 84 types of 38 5 Layer 3 packets classification methods 36 2 LDAP 4 2 Leaking IGMP Reports 21 4 LEDs switch See hardware installation guide Lightweight Directory Access...

Page 1324: ...1 disabling learning on a VLAN 6 29 discovering 6 30 displaying 6 30 displaying in the IP source binding table 22 25 dynamic learning 6 20 removing 6 22 in ACLs 34 28 IP address association 38 9 manually assigning IP address 3 15 static adding 6 27 allowing 6 28 6 29 characteristics of 6 26 dropping 6 28 removing 6 27 MAC address learning 1 6 MAC address learning disabling on a VLAN 6 29 MAC addre...

Page 1325: ... 38 54 38 94 MDA configuration guidelines 9 29 to 9 30 described 1 11 9 29 exceptions with authentication process 9 5 membership mode VLAN port 13 3 messages to users through banners 6 17 metrics in BGP 38 55 metric translations between routing protocols 38 100 metro tags 17 2 MHSRP 40 4 MIBs accessing files with FTP A 4 location of files A 4 overview 33 1 SNMP interaction with 33 4 supported A 1 ...

Page 1326: ...ng source information forwarded by switch 45 11 originated by switch 45 8 received by switch 45 13 default configuration 45 4 dense mode regions sending SA messages to 45 16 specifying the originating address 45 17 filtering incoming SA messages 45 14 SA messages to a peer 45 12 SA requests from a peer 45 10 join latency defined 45 6 meshed groups configuring 45 15 defined 45 15 originating addres...

Page 1327: ...on root switch 19 17 effects on secondary root switch 19 19 unexpected behavior 19 18 IEEE 802 1s implementation 19 6 port role naming change 19 6 terminology 19 5 instances supported 18 10 interface state blocking to forwarding 20 2 interoperability and compatibility among modes 18 11 interoperability with IEEE 802 1D described 19 8 restarting migration process 19 25 IST defined 19 2 master 19 3 ...

Page 1328: ...Multiple HSRP See MHSRP multiple VPN routing forwarding in customer edge devices See multi VRF CE multi VRF CE configuration example 38 87 configuration guidelines 38 80 configuring 38 79 default configuration 38 80 defined 38 77 displaying 38 91 monitoring 38 91 network components 38 79 packet forwarding process 38 79 support for 1 15 MVR and address aliasing 24 20 and IGMPv3 24 21 configuration ...

Page 1329: ... 20 services 1 21 Network Edge Access Topology See NEAT network management CDP 27 1 RMON 31 1 SNMP 33 1 network performance measuring with IP SLAs 41 2 network policy TLV 29 2 29 7 Network Time Protocol See NTP no commands 2 4 nonhierarchical policy maps configuration guidelines 36 34 configuring 36 54 described 36 10 non IP traffic filtering 34 28 nontrunking mode 13 17 normal range VLANs 13 4 co...

Page 1330: ...ptimizing system resources 8 1 options management 1 5 OSPF area parameters configuring 38 32 configuring 38 30 default configuration metrics 38 34 route 38 34 settings 38 28 described 38 26 for IPv6 39 7 interface parameters configuring 38 31 LSA group pacing 38 35 monitoring 38 36 router IDs 38 35 route summarization 38 33 support for 1 14 virtual links 38 33 out of profile markdown 1 14 P packet...

Page 1331: ... 44 35 shortest path tree delaying the use of 44 37 sparse mode join messages and shared tree 44 5 overview 44 5 prune messages 44 5 RPF lookups 44 8 stub routing enabling 44 23 overview 44 5 support for 1 15 versions interoperability 44 11 troubleshooting interoperability problems 44 35 v2 improvements 44 4 PIM DVMRP as snooping method 24 9 ping character output description 47 12 executing 47 11 ...

Page 1332: ...aying statistics 9 65 10 18 downloadable ACLs and redirect URLs configuring 9 60 to 9 62 to 9 62 overview 9 18 to 9 19 EAPOL start frame 9 6 EAP request identity frame 9 6 EAP response identity frame 9 6 enabling 802 1X authentication 10 11 encapsulation 9 3 flexible authentication ordering configuring 9 62 overview 9 28 guest VLAN configuration guidelines 9 21 9 22 described 9 20 host mode 9 13 i...

Page 1333: ...nabling 20 12 mode spanning tree 13 28 support for 1 8 port membership modes VLAN 13 3 port priority MSTP 19 19 STP 18 18 ports 10 Gigabit Ethernet 11 6 access 11 3 blocking 26 7 dynamic access 13 3 IEEE 802 1Q tunnel 13 4 protected 26 6 routed 11 4 secure 26 9 static access 13 3 13 10 switch 11 2 trunks 13 3 13 15 VLAN assignments 13 10 port security aging 26 17 and private VLANs 26 18 and QoS tr...

Page 1334: ...scribed 13 4 isolated 16 2 promiscuous 16 2 primary VLANs 16 1 16 3 promiscuous ports 16 2 secondary VLANs 16 2 subdomains 16 1 traffic in 16 5 privileged EXEC mode 2 2 privilege levels changing the default for lines 7 9 exiting 7 9 logging into 7 9 overview 7 2 7 7 setting a command with 7 8 promiscuous ports configuring 16 13 defined 16 2 protected ports 1 10 26 6 protocol dependent modules EIGR...

Page 1335: ...ed CoS described 36 5 trust IP precedence described 36 5 class maps configuring 36 49 displaying 36 85 configuration guidelines auto QoS 36 26 standard QoS 36 33 configuring aggregate policers 36 65 auto QoS 36 21 default port CoS value 36 38 DSCP maps 36 67 DSCP transparency 36 40 DSCP trust states bordering another domain 36 41 egress queue characteristics 36 77 ingress queue characteristics 36 ...

Page 1336: ...4 mapping tables CoS to DSCP 36 68 displaying 36 85 DSCP to CoS 36 71 DSCP to DSCP mutation 36 72 IP precedence to DSCP 36 69 policed DSCP 36 70 types of 36 13 marked down actions 36 56 36 62 marking described 36 4 36 9 overview 36 2 packet modification 36 20 policers configuring 36 56 36 62 36 66 described 36 9 displaying 36 85 number of 36 35 types of 36 10 policies attaching to an interface 36 ...

Page 1337: ... tree plus See rapid PVST rapid PVST described 18 10 IEEE 802 1Q trunking interoperability 18 11 instances supported 18 10 Rapid Spanning Tree Protocol See RSTP RARP 38 10 RCP configuration files downloading B 18 overview B 16 preparing the server B 17 uploading B 19 image files deleting old image B 38 downloading B 36 preparing the server B 35 uploading B 38 reachability tracking IP SLAs IP host ...

Page 1338: ...NMPv1 33 2 1166 IP addresses 38 7 1305 NTP 6 2 1587 NSSAs 38 27 1757 RMON 31 2 1901 SNMPv2C 33 2 1902 to 1907 SNMPv2 33 2 2236 IP multicast and IGMP 24 2 2273 2275 SNMPv3 33 2 RFC 5176 Compliance 7 21 RIP advertisements 38 20 authentication 38 24 configuring 38 21 default configuration 38 21 described 38 20 for IPv6 39 7 hop counts 38 20 split horizon 38 25 summary addresses 38 25 support for 1 14...

Page 1339: ...ts 30 8 overview 1 16 30 1 received traffic 30 5 session limits 30 12 sessions creating 30 18 defined 30 4 limiting source traffic to specific VLANs 30 20 specifying monitored ports 30 18 with ingress traffic enabled 30 22 source ports 30 6 transmitted traffic 30 6 VLAN based 30 7 RSTP active topology 19 9 BPDU format 19 12 processing 19 13 designated port defined 19 9 designated switch defined 19...

Page 1340: ...ing for EtherChannels 17 9 set request operation 33 4 severity levels defining in system messages 32 9 SFPs monitoring status of 11 28 47 10 numbering of 11 9 security and identification 47 9 status displaying 47 10 shaped round robin See SRR show access lists hw summary command 34 22 show and more command output filtering 2 9 show cdp traffic command 27 5 show configuration command 11 23 show for...

Page 1341: ...33 4 security levels 33 3 setting CPU threshold notification 33 15 status displaying 33 18 system contact and location 33 16 trap manager configuring 33 13 traps described 33 3 33 5 differences from informs 33 5 disabling 33 15 enabling 33 11 enabling MAC address notification 6 22 6 24 6 25 overview 33 1 33 4 types of 33 12 users 33 6 33 9 versions supported 33 2 SNMP and Syslog Over IPv6 39 7 SNM...

Page 1342: ...aped weights on egress queues 36 82 shared weights on egress queues 36 83 shared weights on ingress queues 36 75 described 36 15 shaped mode 36 15 shared mode 36 15 support for 1 14 SSH configuring 7 47 described 1 7 7 46 encryption methods 7 46 switch stack considerations 5 18 7 46 user authentication methods supported 7 46 SSL configuration guidelines 7 53 configuring a secure HTTP client 7 56 c...

Page 1343: ...r number 5 24 priority value 5 25 defined 5 1 displaying information of 5 27 IPv6 39 11 number 5 8 priority value 5 9 provisioning a new member 5 25 replacing 5 17 See also stacks switch stack member number 11 8 stack protocol version 5 12 stacks switch accessing CLI of specific member 5 26 assigning information member number 5 24 priority value 5 25 provisioning a new member 5 25 auto advise 5 14...

Page 1344: ... monitoring 32 2 system prompt consideration 6 14 system wide configuration considerations 5 17 upgrading B 39 version mismatch VM mode automatic upgrades with auto upgrade 5 13 described 5 13 examples 5 14 manual upgrades with auto advise 5 14 upgrades with auto extract 5 13 See also stack master and stack member StackWise Plus technology Cisco 1 3 See also stacks switch standby ip command 40 7 s...

Page 1345: ...rd delay time 18 23 hello time 18 22 maximum aging time 18 23 path cost 18 20 port priority 18 18 root switch 18 16 secondary root switch 18 18 spanning tree mode 18 15 switch priority 18 21 transmit hold count 18 24 counters clearing 18 24 cross stack UplinkFast described 20 5 enabling 20 16 default configuration 18 13 default optional feature configuration 20 12 designated port defined 18 4 desi...

Page 1346: ...ls supported 18 10 redundant connectivity 18 8 root guard described 20 10 enabling 20 18 root port defined 18 3 root port selection on a switch stack 18 3 root switch configuring 18 16 effects of extended system ID 18 4 18 16 election 18 3 unexpected behavior 18 16 shutdown Port Fast enabled port 20 2 stack changes effects of 18 12 status displaying 18 24 superior BPDU 18 3 timers described 18 22 ...

Page 1347: ... 29 2 system message logging default configuration 32 4 defining error message severity levels 32 9 disabling 32 4 displaying the configuration 32 14 enabling 32 5 facility keywords described 32 14 level keywords described 32 10 limiting messages 32 10 message format 32 2 overview 32 1 sequence numbers enabling and disabling 32 8 setting the display destination device 32 5 stack changes effects of...

Page 1348: ...d certificate 7 51 Terminal Access Controller Access Control System Plus See TACACS terminal lines setting a password 7 6 TFTP configuration files downloading B 12 preparing the server B 11 uploading B 12 configuration files in base directory 3 8 configuring for autoconfiguration 3 7 image files deleting B 29 downloading B 27 preparing the server B 26 uploading B 29 limiting access by servers 33 1...

Page 1349: ...problems 47 10 47 12 47 14 CPU utilization 47 24 detecting unidirectional links 28 1 displaying crash information 47 21 PIMv1 and PIMv2 interoperability problems 44 35 setting packet forwarding 47 18 SFP security and identification 47 9 show forward command 47 18 with CiscoWorks 33 4 with debug commands 47 17 with ping 47 11 with system message logging 32 1 with traceroute 47 14 trunk failover See...

Page 1350: ...d ports with IEEE 802 1x 9 11 unicast MAC address filtering 1 6 and adding static addresses 6 28 and broadcast MAC addresses 6 27 and CPU packets 6 27 and multicast addresses 6 27 and router MAC addresses 6 27 configuration guidelines 6 27 described 6 27 unicast storm 26 1 unicast storm control command 26 4 unicast traffic blocking 26 8 UniDirectional Link Detection protocol See UDLD universal sof...

Page 1351: ...command 17 5 VLAN filtering and SPAN 30 7 vlan global configuration command 13 7 VLAN ID discovering 6 30 VLAN link state 11 5 VLAN load balancing on flex links configuration guidelines 21 8 described 21 2 VLAN management domain 14 2 VLAN Management Policy Server See VMPS VLAN map entries order of 34 31 VLAN maps applying 34 35 common uses for 34 35 configuration guidelines 34 31 configuring 34 30...

Page 1352: ...ration 13 28 description 13 27 dynamic port membership described 13 28 reconfirming 13 30 troubleshooting 13 32 mapping MAC addresses to VLANs 13 27 monitoring 13 31 reconfirmation interval changing 13 30 reconfirming membership 13 30 retry count changing 13 31 voice aware 802 1x security port based authentication configuring 9 40 described 9 30 9 40 voice over IP 15 1 voice VLAN Cisco 7960 phone ...

Page 1353: ...scribed 14 1 domain names 14 9 domains 14 2 Layer 2 protocol tunneling 17 8 modes client 14 3 off 14 3 server 14 3 transitions 14 3 transparent 14 3 monitoring 14 18 passwords 14 10 pruning disabling 14 16 enabling 14 16 examples 14 7 overview 14 6 support for 1 9 pruning eligible list changing 13 22 server mode configuring 14 14 statistics 14 18 support for 1 9 Token Ring support 14 4 transparent...

Page 1354: ...res 43 5 web authentication 9 16 configuring 10 17 to described 1 10 web based authentication customizeable web pages 10 6 description 10 1 web based authentication interactions with other features 10 7 Web Cache Communication Protocol See WCCP weighted tail drop See WTD weight thresholds in tracked lists 42 5 wired location service configuring 29 9 displaying 29 10 location TLV 29 3 understanding...

Reviews:

No comments

Related manuals for Catalyst 3130

SonicWALL ESA 4300 Getting Started Manual preview
ESA 4300
Brand: SonicWALL Pages: 34
D-Link 800 - DFL 800 - Security Appliance User Manual preview
800 - DFL 800 - Security Appliance
Brand: D-Link Pages: 469
Resolution RE224GT User Manual preview
RE224GT
Brand: Resolution Pages: 2
Freedom9 freeGuard 100 Command Line Interface Manual preview
freeGuard 100
Brand: Freedom9 Pages: 310

Brands by name

Popular brands

Load more brands